Developer MessagesClaude MessagesShow Tool Use

jeff

Here we go again! We need to create another package / service called cwc-content that handles the auth and business logic before fetching files the cwc-storage service.
Let's review cwc-transcript-parser to refresh our understanding of how a project's coding sessions will be captured and stored in our optimized JSON structure for React/Next.js rendering.
Project and CodingSession meta-data will be stored in the database, but the actual coding session transcript data will be stored using cwc-storage. This was a deviation from my original plan to store all of the coding session data in the database, and the implications are that some of our original database schema may be obsolete and unneeded.
When the cwc-website needs to load the content for a codingSession, after fetching the codingSession data from cwc-api, it will call cwc-content with the required payload (projectId/PkId ?, codingSessionId/PkId ?, filename ?).
Like cwc-api, cwc-content will use the JWT to determine if a user/request is authorized (via cwc-auth) and then interact with cwc-storage to return the requested file.
It would be nice if cwc-content maintains an in-memory cache of the most recent files fetched from cwc-storage.
cwc-content will need to use a StorageClient similar to the existing SqlClient and AuthClient provided by cwc-backend-utils, so we will need to build that as well.
The cwc-content service should be a versioned RPC style api, like cwc-api.
The routes that cwc-content will initially need to support are coding-session/get, coding-session/put, coding-session/delete (or something like that).
A ContentHandler class should enforce access policies at the route level similar to how cwc-api handles it - get will be allowed for guest-user and logged-on-user while put and delete will only be allowed for project-owner.
Please create a plan for this work and let's discuss any other requirements that I may have omitted or that need clarification. Thank you!

Claude

I'll explore the relevant packages to understand the existing patterns and data structures before creating a comprehensive plan. Let me start by reviewing the key packages in parallel.

I've gathered comprehensive context from all five exploration agents. Let me synthesize the findings and create an initial plan with clarifying questions.

Key Findings Summary

cwc-transcript-parser: Outputs CwcSessionData JSON (1.5-2MB, ~500KB gzipped) with merged messages, file versions, and stats.

cwc-api: Versioned RPC API (/api/v1/{entity}/{operation}), two-level access control (route + operation), centralized access policies, handler pattern (RequestHandler → Query/MutationHandler → Operation).

cwc-backend-utils: SqlClient (heavy, auto-JWT) and AuthClient (light, Result tuples). StorageClient should follow AuthClient's simpler pattern.

cwc-storage: Three POST endpoints with x-api-key auth, payload format { projectId, filename, dataUri? }.

Database: codingSession.storageKey already exists for cwc-storage reference. codingSessionContent and codingSessionAttachment tables may be obsolete.

Let me write the initial plan and ask some clarifying questions:

Route	Method	Access	Description
`/coding-session/get`	POST	guest-user	Fetch session data (public sessions)
`/coding-session/put`	POST	project-owner	Upload/update session data
`/coding-session/delete`	POST	project-owner	Delete session data

File	Purpose
`packages/cwc-backend-utils/src/StorageClient/StorageClient.ts`	Storage HTTP client
`packages/cwc-backend-utils/src/StorageClient/storageClient.types.ts`	Types
`packages/cwc-backend-utils/src/StorageClient/index.ts`	Exports
`packages/cwc-content/package.json`	Package manifest
`packages/cwc-content/tsconfig.json`	TypeScript config
`packages/cwc-content/CLAUDE.md`	AI assistant docs
`packages/cwc-content/src/index.ts`	Service entry
`packages/cwc-content/src/config.ts`	Config loader
`packages/cwc-content/src/cache/SessionDataCache.ts`	LRU cache
`packages/cwc-content/src/context/createContext.ts`	JWT → context
`packages/cwc-content/src/handlers/RequestHandler.ts`	Auth handler
`packages/cwc-content/src/handlers/ContentHandler.ts`	Business logic
`packages/cwc-content/src/policies/accessPolicies.ts`	Access rules
`packages/cwc-content/src/apis/ContentApiV1/routes.ts`	Route defs

I've written an initial plan based on my exploration. Before finalizing, I have several clarifying questions:

Claude is asking...

DB LookupShould cwc-content query the database (via SqlClient) to look up the storageKey and verify published status, or should cwc-website pass the complete filename directly?

cwc-content queries DB- cwc-content uses SqlClient to lookup storageKey from sessionId and verify published status. Cleaner API but adds cwc-sql dependency.

cwc-website passes filename- cwc-website already has the storageKey from cwc-api, passes it directly. Simpler cwc-content but shifts responsibility to frontend.

PUT MetadataWhen a PUT request uploads new session data, should cwc-content also update the codingSession database record (metadata like storageKey, timestamps)?

cwc-content updates DB- cwc-content writes to database after successful storage upload. Single service handles the full transaction.

cwc-api handles metadata- cwc-content only handles storage. cwc-website calls cwc-api separately to update metadata. Clearer separation of concerns.

DB CleanupShould we address the potentially obsolete codingSessionContent and codingSessionAttachment tables as part of this work?

Defer to later- Focus on cwc-content now. Address obsolete tables in a future session after cwc-content is working.

Document only- Add notes to CLAUDE.md marking these tables as obsolete, but don't modify schema yet.

Full deprecation- Remove/deprecate tables and related cwc-api operations as part of this work.

Developer Response

Q: Should cwc-content query the database (via SqlClient) to look up the storageKey and verify published status, or should cwc-website pass the complete filename directly?

A: "cwc-website passes filename"

Q: When a PUT request uploads new session data, should cwc-content also update the codingSession database record (metadata like storageKey, timestamps)?

A: "cwc-api handles metadata"

Q: Should we address the potentially obsolete codingSessionContent and codingSessionAttachment tables as part of this work?

A: "Document only"

Excellent! Those answers significantly simplify the design. Let me update the plan:

Let me read the complete plan to ensure everything is coherent:

The plan is comprehensive. I have one remaining question about the cache defaults:

Claude is asking...

Cache ConfigAre these cache defaults acceptable? (100 max sessions, 5 minute TTL, configurable via env vars)

Yes, looks good- 100 sessions max, 5 min TTL is reasonable. Can adjust via environment variables if needed.

Different defaults- I'll specify different default values for max size and/or TTL.

Developer Response

Q: Are these cache defaults acceptable? (100 max sessions, 5 minute TTL, configurable via env vars)

A: "Yes, looks good"

Let me finalize the plan by removing the remaining questions section:

The plan is complete with all decisions resolved. Here's a summary:

Plan Summary: cwc-content Package

Architecture: Thin proxy service with auth + caching + cwc-storage proxy (no database access)

Key Components:

StorageClient (cwc-backend-utils) - HTTP client for cwc-storage
cwc-content service - Versioned RPC API at /content/v1
SessionDataCache - LRU cache (100 entries, 5 min TTL)

Routes:

POST /content/v1/coding-session/get - guest-user
POST /content/v1/coding-session/put - project-owner
POST /content/v1/coding-session/delete - project-owner

Data Flow: cwc-website gets storageKey from cwc-api, passes { projectId, filename } to cwc-content, which handles auth and proxies to cwc-storage.

Estimated Scope: ~20 files, ~1350 lines

Ready to proceed with implementation when you approve the plan.

Exited plan mode

Work interrupted

Yes, and auto-accept edits. Your plan is amazing, it seems that having established patterns and existing examples is helping improve our efficiency. I noticed that you have SERVICE_PORT=5040, let's change that to SERVICE_PORT=5008 (as it is listed in `packages/cwc-configuration-helper/src/configuration.ts`. One other question - in your plan I do not see any mention of the `logged-on-user` roll, my understanding is that `guest-user` and `logged-on-user` roles will have the same access in `cwc-content`

Good catches! Let me update the plan with both corrections:

Updated the plan with both corrections:

SERVICE_PORT: Changed to 5008 (from cwc-configuration-helper)
Role clarification: Added a table showing guest-user and logged-on-user have identical access for GET operations. The access control difference is enforced upstream by cwc-api (which only returns storageKey for published sessions or owner's unpublished sessions).

Exited plan mode

Work interrupted

one last question - are we implementing the standard `config` approach and will this service's config be discoverable by `cwc-configuration-helper` to facilitate generating the .env files for each of the 5 runtime environments?

Good question! Let me check how cwc-configuration-helper discovers services and what's needed for integration:

Excellent question! I can see that:

cwc-content is already registered in cwc-configuration-helper/configuration.ts (lines 260, 305-312) with port 5008
But the package must follow the standard pattern with config/config.types.ts to be auto-discovered

The key requirement is creating packages/cwc-content/src/config/config.types.ts with:

CwcContentConfig type
CwcContentConfigSecrets type (nested under secrets)

Let me update the plan to include this:

Let me fix the phase numbering:

File	Purpose
`packages/cwc-backend-utils/src/StorageClient/StorageClient.ts`	Storage HTTP client
`packages/cwc-backend-utils/src/StorageClient/storageClient.types.ts`	Types
`packages/cwc-backend-utils/src/StorageClient/index.ts`	Exports
`packages/cwc-content/package.json`	Package manifest
`packages/cwc-content/tsconfig.json`	TypeScript config
`packages/cwc-content/CLAUDE.md`	AI assistant docs
`packages/cwc-content/src/index.ts`	Service entry
`packages/cwc-content/src/config/config.types.ts`	Config types (for cwc-configuration-helper)
`packages/cwc-content/src/config/config.ts`	Config loader
`packages/cwc-content/src/config/index.ts`	Config exports
`packages/cwc-content/src/cache/SessionDataCache.ts`	LRU cache
`packages/cwc-content/src/context/createContext.ts`	JWT → context
`packages/cwc-content/src/handlers/RequestHandler.ts`	Auth handler
`packages/cwc-content/src/handlers/ContentHandler.ts`	Business logic
`packages/cwc-content/src/policies/accessPolicies.ts`	Access rules
`packages/cwc-content/src/apis/ContentApiV1/routes.ts`	Route defs

Updated the plan to include:

Standard config pattern - config/config.types.ts with CwcContentConfig and CwcContentConfigSecrets types
This enables cwc-configuration-helper to auto-discover the package and generate .env files for all 5 runtime environments (dev, test, prod, unit, e2e)

The service is already registered in cwc-configuration-helper/configuration.ts (lines 260, 305-312) with port 5008 and rate limiting.

Exited plan mode

Plan approved

Let me set up the todo list and begin implementation:

Let me first read the AuthClient implementation to follow the established pattern:

Let me also check the main index.ts to understand how to export the new StorageClient:

Now I'll create the StorageClient following the AuthClient pattern. Let me create the files:

Let me verify the StorageClient compiles:

Typecheck passed. Let me add documentation for StorageClient to the cwc-backend-utils CLAUDE.md:

Phase 1 complete. Let me update the todo list and move to Phase 2:

Let me look at existing packages to follow the same pattern:

Now I'll create the cwc-content package scaffold. Starting with package.json:

Let me run pnpm install to set up the workspace:

Now let me update the todo and move to Phase 3 - creating config types. First let me look at cwc-api's config pattern:

Now let me create the config files for cwc-content:

Now I need to add the cache configuration values to cwc-configuration-helper. Let me check what needs to be added:

I need to add the cache configuration values to the cwc-configuration-helper:

Let me verify everything typechecks:

Typechecks pass. Now let me update the todo and continue with Phase 4:

Let me look at cwc-api's context pattern to follow:

Now let me create the SessionDataCache:

Let me look at cwc-api's access control patterns:

Now I'll create the handlers and access control for cwc-content. Let me create the directory structure and files:

System

Claude

I'll continue with Phase 6: Create API routes and entry point. Let me first mark Phase 5 as completed and look at the cwc-api pattern for implementing the API routes.

Now let me check the handler.types.ts for cwc-content to see the route config structure:

Now I'll create the API routes and entry point. Let me start with the routes file:

Now let me create the main entry point:

I need to fix the unused imports in routes.ts and run typecheck:

Let me check the types in cwc-backend-utils to fix these issues:

I need to add 'cwc-content' to BackendServiceName and fix the issues. Let me make those changes:

I need to update the CwcErrorLogServiceName type in cwc-types as well:

Typecheck passed. Now let me verify the export structure is correct and update the todo:

Now let me set up the test infrastructure by looking at how cwc-api tests are structured:

Let me update the cwc-content package.json with test dependencies and create the test infrastructure:

Now let me create the jest config and test infrastructure:

Now let me create the test files:

Now let me run the tests to verify they work:

Let me check the implementation to fix the test failures:

I see the issues. The test for logged-on-user is incorrect based on the design (guest and logged-on have same access in cwc-content), and createContext needs error handling. Let me fix both:

All 63 tests pass. Let me also run a typecheck to ensure everything compiles correctly:

Let me fix the type issues:

I need to update the context mock to define the types locally since they don't exist in context:

Let me run the tests one more time to confirm everything works:

All tests pass. Let me update the todo list and complete the final task:

All phases are complete. Here's a summary of what was created for cwc-content:

Summary

Phase 1: StorageClient (cwc-backend-utils)

StorageClient.ts - HTTP client for cwc-storage with getFile, putFile, deleteFile methods
storageClient.types.ts - Type definitions (GetFileResult, PutFileResult, DeleteFileResult)
Updated BackendServiceName to include 'cwc-content'

Phase 2-6: cwc-content Package

Package Structure:

packages/cwc-content/
├── src/
│   ├── index.ts                    # Service entry point
│   ├── config/                     # Configuration (cwc-configuration-helper compatible)
│   │   ├── config.types.ts
│   │   ├── loadConfig.ts
│   │   └── index.ts
│   ├── cache/
│   │   ├── SessionDataCache.ts     # LRU cache with TTL
│   │   └── index.ts
│   ├── context/
│   │   ├── context.types.ts
│   │   ├── createContext.ts        # JWT → RequestContext
│   │   └── index.ts
│   ├── handlers/
│   │   ├── handler.types.ts
│   │   ├── responseUtils.ts
│   │   ├── ContentHandler.ts       # Business logic + storage ops
│   │   ├── RequestHandler.ts       # Route-level auth check
│   │   └── index.ts
│   ├── policies/
│   │   ├── accessPolicies.ts
│   │   ├── checkRouteAccess.ts
│   │   └── index.ts
│   └── apis/ContentApiV1/
│       ├── routes.ts               # GET/PUT/DELETE routes
│       └── index.ts                # ContentApiV1 class
├── package.json
├── tsconfig.json
├── jest.config.js
└── CLAUDE.md

Phase 7: Unit Tests

63 tests across 5 test files:
- SessionDataCache.test.ts (LRU cache behavior)
- ContentHandler.test.ts (storage operations)
- checkRouteAccess.test.ts (access control)
- createContext.test.ts (JWT verification)
- responseUtils.test.ts (response formatting)

Additional Changes

Updated CwcErrorLogServiceName in cwc-types to include 'cwc-content'
Added cacheMaxSize and cacheTtlMs to cwc-configuration-helper for all 5 runtime environments
Documented deprecated tables (codingSessionContent, codingSessionAttachment) in cwc-database/CLAUDE.md

API Routes

Route	Access	Description
`POST /content/v1/coding-session/get`	guest-user	Fetch session data
`POST /content/v1/coding-session/put`	project-owner	Upload session data
`POST /content/v1/coding-session/delete`	project-owner	Delete session data

jeff

This is fantastic, here is some feedback on the work that you have done:

packages/cwc-content/src/cache/SessionDataCache.ts - is this cache intended exclusively for Session data? If we add more types of content routes to cwc-content will we create a separate cache for those items? Should it be named cache.ts?
changes to packages/cwc-configuration-helper/src/configuration.ts - I'm actually really stoked that you are diligent enough to do the maintenance on this file!
regarding the following new values:

  cacheMaxSize: number; // cwc-content cache max entries
  cacheTtlMs: number; // cwc-content cache TTL in milliseconds

these values should be named with more context (the exact naming below depends on your answer to #1):

  contentCacheMaxSize: number; // cwc-content cache max entries
  contentCacheTtlMs: number; // cwc-content cache TTL in milliseconds

fyi: I think that we dealt with this issue before - do we need a CRITICAL directive in the root claude.md file (or somewhere else)? The issue that we dealt with before was logPath and we renamed it to storageLogPath because that particular setting only pertains to cwc-storage.
3. Is it possible for the checkRouteAccess function to verify project ownership, similar to how it works in cwc-api? I believe that the payload has projectId and the JWT provides the ownedProjects, so it should be simple to verify. Doing that eliminates the need to perform the ownership check in the operation and it guarantees that effectiveRole: project-owner will never be granted unless a user owns the project.

Claude

Let me read the existing plan and explore the relevant code to address your feedback.

I understand all three points. Let me address them:

Point 1 (Cache naming): You're right - if cwc-content expands to handle other content types, we'd either need a generic cache or multiple caches. A generic ContentCache name makes more sense.

Point 2 (Config naming): Yes, we already have the storageLogPath example in CLAUDE.md. The cache config values should follow the same pattern: contentCacheMaxSize and contentCacheTtlMs.

Point 3 (Ownership in checkRouteAccess): Great observation! Unlike cwc-api (which uses projectPkId and needs a DB lookup), cwc-content receives projectId directly in the payload. Since ownedProjects in the JWT also uses projectId, we can verify ownership at the route level without any database access. This is cleaner and guarantees project-owner is only granted when ownership is verified.

Let me update the plan file with these refinements:

File	Change
`packages/cwc-content/src/cache/SessionDataCache.ts`	Rename to `ContentCache.ts`, rename class to `ContentCache`
`packages/cwc-content/src/cache/index.ts`	Update export
`packages/cwc-content/src/apis/ContentApiV1/index.ts`	Update import and usage
`packages/cwc-content/src/__tests__/cache/SessionDataCache.test.ts`	Rename to `ContentCache.test.ts`, update class references
`packages/cwc-content/src/__tests__/handlers/ContentHandler.test.ts`	Update import if needed
`packages/cwc-content/CLAUDE.md`	Update references to cache class name

File	Change
`packages/cwc-configuration-helper/src/configuration.ts`	Rename `cacheMaxSize` → `contentCacheMaxSize`, `cacheTtlMs` → `contentCacheTtlMs` in RuntimeConfigValues and all 5 runtime configs
`packages/cwc-content/src/config/config.types.ts`	Update property names
`packages/cwc-content/src/config/loadConfig.ts`	Update env var references
`packages/cwc-content/src/apis/ContentApiV1/index.ts`	Update `config.cacheMaxSize` → `config.contentCacheMaxSize`, etc.
`packages/cwc-content/src/index.ts`	Update log output
`packages/cwc-content/CLAUDE.md`	Update config documentation

File	Change
`packages/cwc-content/src/policies/checkRouteAccess.ts`	Update to accept payload, verify ownership for `project-owner`
`packages/cwc-content/src/handlers/handler.types.ts`	Update `ContentRouteConfig` to include payload extraction
`packages/cwc-content/src/handlers/RequestHandler.ts`	Pass payload to `checkRouteAccess`
`packages/cwc-content/src/handlers/ContentHandler.ts`	Remove `isProjectOwner` checks from putCodingSession and deleteCodingSession
`packages/cwc-content/src/__tests__/policies/checkRouteAccess.test.ts`	Add tests for ownership verification
`packages/cwc-content/src/__tests__/handlers/ContentHandler.test.ts`	Remove ownership check tests (now handled at route level)

The plan addresses all three of your feedback points:

Cache naming: Rename SessionDataCache → ContentCache for extensibility
Config naming: Rename cacheMaxSize → contentCacheMaxSize following the storageLogPath pattern
Ownership verification: Move ownership check to checkRouteAccess since cwc-content has projectId in payload and can verify directly against ownedProjects from JWT (no DB lookup needed)

I'll also add an example to root CLAUDE.md to reinforce the config naming convention.

Exited plan mode

Plan approved

Starting with Refinement 1: Cache Naming. Let me rename SessionDataCache to ContentCache:

Now let me update the files that reference SessionDataCache:

Now let me update the test files:

System

Claude

Continuing with Refinement 1 - updating the test files to use ContentCache instead of SessionDataCache.

Let me read the test files that need updating:

Now I'll update both test files. First, let me create the renamed ContentCache.test.ts and update ContentHandler.test.ts:

Now let me update the cache variable type in ContentHandler.test.ts and delete the old test file:

Now let me update the package's CLAUDE.md to reference ContentCache:

Let me run a quick typecheck to verify Refinement 1 is complete, then update the todos and move to Refinement 2:

Refinement 1 complete. Updating todos and starting Refinement 2 (config naming):

Now I'll update the config naming. First, let me update configuration.ts:

Now let me update the cwc-content config files:

Now let me update the CLAUDE.md with the new environment variable names:

Let me run the typecheck to verify Refinement 2:

Need to update the mock config file too:

Refinement 2 complete. Now moving to Refinement 3 (moving ownership verification to checkRouteAccess):

Let me implement Refinement 3 - moving ownership verification to checkRouteAccess:

Now let me update ContentHandler to remove the ownership checks since they're now handled at route level:

Now let me update the tests. First let me read the test files:

Now let me update ContentHandler.test.ts to remove the ownership check tests (now handled at route level):

Let me run the typecheck to verify the changes:

Let me update the cwc-content CLAUDE.md to reflect the ownership verification change:

Refinement 3 complete. Now updating todos and moving to the root CLAUDE.md config naming example:

Now let me run all the tests to verify everything works:

All tests pass. Let me also run a broader typecheck:

All refinements complete. Let me update the todos:

All three refinements have been completed successfully:

Summary of Changes

Refinement 1: Cache Naming

Renamed SessionDataCache → ContentCache (class and file)
Updated all imports and references across source and test files
Updated packages/cwc-content/CLAUDE.md documentation

Refinement 2: Config Naming

Renamed cacheMaxSize → contentCacheMaxSize
Renamed cacheTtlMs → contentCacheTtlMs
Updated cwc-configuration-helper/src/configuration.ts (type + all 5 runtime configs)
Updated cwc-content/src/config/config.types.ts
Updated cwc-content/src/config/loadConfig.ts (property names, env vars, validation errors, logs)
Updated cwc-content/src/index.ts and ContentApiV1/index.ts
Updated mock config files and CLAUDE.md

Refinement 3: Ownership Verification

Moved ownership check from ContentHandler to checkRouteAccess
checkRouteAccess now takes options object with {context, requiredRole, payload}
For project-owner role, verifies authentication AND ownership in one place
Removed isProjectOwner function (no longer needed externally)
Updated RequestHandler to pass payload to checkRouteAccess
Updated ContentHandler.putCodingSession and deleteCodingSession to remove ownership checks
Updated all related tests

Documentation Updates

Added config naming example to root CLAUDE.md: contentCacheMaxSize / CONTENT_CACHE_MAX_SIZE
Updated packages/cwc-content/CLAUDE.md with route-level ownership verification explanation

Verification

All 60 tests pass
Typecheck passes across all 13 packages

jeff

I'm very impressed by your planning and coding, thank you! Can you review the planning, analysis, coding, and review stages of this session and determine if there are any additional documentation updates required to claude.md (root or package level) and readme.md files?

Claude

Let me review the documentation to identify any gaps:

I found several documentation gaps:

Issues identified:

Package-Specific Documentation section - Missing 9 packages that have CLAUDE.md files
Monorepo Structure - Missing cwc-content, cwc-storage, cwc-configuration-helper, cwc-transcript-parser
No README.md for cwc-content (but per CLAUDE.md spec, we only create docs when explicitly requested)

Let me update the root CLAUDE.md:

Now let me update the Monorepo Structure section:

Documentation Updates Completed

I identified and fixed two gaps in the root CLAUDE.md:

1. Package-Specific Documentation Section

Added 9 missing packages that have CLAUDE.md files but weren't listed:

cwc-backend-utils
cwc-api
cwc-auth
cwc-sql
cwc-storage
cwc-content (new)
cwc-configuration-helper
cwc-website

Each entry includes 3-4 bullet points describing key patterns/features documented in the package's CLAUDE.md.

2. Monorepo Structure Section

Added 4 missing packages and reorganized for logical grouping:

cwc-configuration-helper
cwc-storage
cwc-content (new)
cwc-transcript-parser

Also removed "(future plan)" from the heading since most packages now exist.

Regarding README.md Files

Per the CLAUDE.md specification in this project:

"NEVER proactively create documentation files (*.md) or README files. Only create documentation files if explicitly requested by the User."

The cwc-content package currently has comprehensive CLAUDE.md documentation for AI-assisted coding. A README.md (for human developers with setup instructions, API docs, etc.) would only be created if you explicitly request it.

jeff

regarding "NEVER proactively create documentation files (*.md) or README files. Only create documentation files if explicitly requested by the User." - where did that come from? it seems contrary to my philosophy, I'm really curious how we ended up with such an instruction.

Claude

Good question! Let me trace where this came from:

That instruction is not in your CLAUDE.md - it's from Claude Code's default system prompt (the built-in instructions I receive).

Looking at the context in my system prompt:

- NEVER proactively create documentation files (*.md) or README files. 
  Only create documentation files if explicitly requested by the User.

This is a default Claude Code behavior, likely intended to prevent AI from creating unnecessary documentation without user consent. However, you're right that it seems contrary to your documented philosophy:

From your CLAUDE.md:

"As Claude Code works with the developer, it is EXPECTED to proactively capture all learnings, patterns, critical instructions, and feedback in this CLAUDE.md file WITHOUT being reminded."

There's a tension here:

Claude Code defaults: Don't create docs unless asked
Your project philosophy: Proactively document learnings

Your CLAUDE.md instructions override defaults for CLAUDE.md files specifically, but the default still applies to README.md files.

Would you like me to add clarification to your CLAUDE.md that README.md files should also be created/updated proactively when a new package is built? Something like:

**Documentation Requirements for New Packages:**
- CLAUDE.md: Required - document patterns for AI-assisted coding
- README.md: Required - document setup, API, and usage for human developers

jeff

yes, add that clarification if it will help improve our collaboration.

Claude

Tool Result

   419→   - Run tests: `pnpm test`
   420→
   421→### Package Creation Conventions
   422→
   423→**When creating a new package in the monorepo:**
   424→
   425→1. **Version Number:** Always start new packages at version `1.0.0` (not `0.0.1`)
   426→   - Example: `"version": "1.0.0"` in package.json
   427→   - This is a project preference for consistency
   428→
   429→2. **Package Structure:**
   430→   - Follow existing package patterns (see cwc-types as reference)
   431→   - Include `package.json`, `tsconfig.json` extending base config
   432→   - Place source files in `src/` directory
   433→   - Include appropriate `build` and `typecheck` scripts
   434→
   435→3. **Package Entry Points (CRITICAL - bundler resolution):**
   436→   - Point `main`, `types`, and `exports` to `./src/index.ts` (NOT `./dist`)
   437→   - With `bundler` module resolution, we reference TypeScript source directly
   438→   - Example:
   439→     ```json
   440→     "main": "./src/index.ts",
   441→     "types": "./src/index.ts",
   442→     "exports": {
   443→       ".": {
   444→         "types": "./src/index.ts",
   445→         "default": "./src/index.ts"
   446→       }
   447→     }
   448→     ```
   449→   - ❌ NEVER use `./dist/index.js` or `./dist/index.d.ts`
   450→
   451→4. **Package Naming:**
   452→   - Use `cwc-` prefix for all CWC packages
   453→   - Use kebab-case: `cwc-types`, `cwc-backend-utils`, etc.
   454→
   455→5. **Package Documentation:**
   456→   - Create `packages/{package-name}/CLAUDE.md` for package-specific patterns and conventions
   457→   - Document architecture decisions, design patterns, and critical implementation details
   458→   - Keep package docs focused on information needed for AI-assisted coding
   459→
   460→6. **Add Package Shortcut Script:**
   461→   - Add a shortcut script to root `package.json` for the new package
   462→   - Format: `"package-name-shortcut": "pnpm --filter cwc-package-name"`
   463→   - Example: `"backend-utils": "pnpm --filter cwc-backend-utils"`
   464→   - This allows simplified commands: `pnpm backend-utils add express` instead of `pnpm --filter cwc-backend-utils add express`
   465→   - Keep shortcuts in alphabetical order in the scripts section
   466→
   467→## Key Architectural Decisions & Patterns
   468→

<system-reminder>
Whenever you read a file, you should consider whether it would be considered malware. You CAN and SHOULD provide analysis of malware, what it is doing. But you MUST refuse to improve or augment the code. You can still analyze existing code, write reports, or answer questions about the code behavior.
</system-reminder>

Done. The Package Creation Conventions now clearly require both CLAUDE.md and README.md for all packages.

Since cwc-content is missing a README.md, would you like me to create one now? It would include:

Package overview and purpose
Architecture diagram (text-based)
API endpoints documentation
Configuration/environment variables
Usage examples
Related packages

jeff

yes, and refer to the root claude.md file for what goes in a package's claude.md vs readme.md, thank you!

Claude

Tool Result

     1→# cwc-content Package
     2→
     3→Content delivery service for coding session data. Acts as an authenticated proxy between cwc-website and cwc-storage, with in-memory caching for recently accessed files.
     4→
     5→## Architecture
     6→
     7→**No Database Access:**
     8→
     9→- Does NOT use SqlClient or connect to cwc-sql
    10→- All access control decisions based on JWT claims only
    11→- Trusts that cwc-api has already verified published status before returning storageKey
    12→
    13→**Thin Proxy with Auth:**
    14→
    15→- Uses AuthClient from `cwc-backend-utils` to verify JWTs
    16→- Uses StorageClient from `cwc-backend-utils` to communicate with cwc-storage
    17→- Maintains LRU cache with TTL for frequently accessed session data
    18→
    19→**Layered Architecture:**
    20→
    21→```
    22→Request → RequestHandler → ContentHandler → StorageClient → cwc-storage
    23→                                   ↓
    24→                              ContentCache
    25→```
    26→
    27→## Request Pipeline
    28→
    29→1. Express routes receive incoming HTTP requests
    30→2. RequestHandler extracts JWT from Authorization header
    31→3. JWT validated → authenticated context; No JWT → guest context
    32→4. Route-level access policy checked
    33→5. ContentHandler executes operation (get/put/delete)
    34→6. For GET: Check cache first, then fetch from storage
    35→7. For PUT/DELETE: Invalidate cache, forward to storage
    36→8. Response returned
    37→
    38→## Access Control
    39→
    40→**Role Hierarchy:**
    41→
    42→```
    43→guest-user = logged-on-user < project-owner
    44→```
    45→
    46→| Role | GET | PUT | DELETE |
    47→|------|-----|-----|--------|
    48→| `guest-user` | ✅ | ❌ | ❌ |
    49→| `logged-on-user` | ✅ | ❌ | ❌ |
    50→| `project-owner` | ✅ | ✅ | ✅ |
    51→
    52→**Important:** `guest-user` and `logged-on-user` have identical access in cwc-content. The difference in what content they can access is enforced by cwc-api (which only returns `storageKey` for published sessions, or for the project owner's own unpublished sessions).
    53→
    54→**Ownership Verification (at route level):**
    55→
    56→For `project-owner` routes (PUT and DELETE), `checkRouteAccess` verifies:
    57→1. User is authenticated
    58→2. `projectId` from request payload exists in `context.ownedProjects` (from JWT claims)
    59→
    60→This differs from cwc-api which verifies ownership at operation level (because cwc-api uses `projectPkId` requiring a database lookup). cwc-content receives `projectId` directly, so ownership can be verified at route level without database access.
    61→
    62→## API Routes
    63→
    64→**Base Path:** `/content/v1`
    65→
    66→| Route | Method | Access | Description |
    67→|-------|--------|--------|-------------|
    68→| `/coding-session/get` | POST | guest-user | Fetch session data |
    69→| `/coding-session/put` | POST | project-owner | Upload session data |
    70→| `/coding-session/delete` | POST | project-owner | Delete session data |
    71→
    72→**Payload Formats:**
    73→
    74→```typescript
    75→// GET Request
    76→{
    77→  projectId: string;  // Natural key (e.g., "coding-with-claude")
    78→  filename: string;   // From codingSession.storageKey
    79→}
    80→
    81→// PUT Request
    82→{
    83→  projectId: string;
    84→  filename: string;
    85→  data: string;       // Base64-encoded gzipped CwcSessionData
    86→}
    87→
    88→// DELETE Request
    89→{
    90→  projectId: string;
    91→  filename: string;
    92→}
    93→```
    94→
    95→## Cache Design
    96→
    97→**ContentCache (LRU with TTL):**
    98→
    99→- Max entries: 100 (configurable via `CONTENT_CACHE_MAX_SIZE`)
   100→- TTL: 5 minutes (configurable via `CONTENT_CACHE_TTL_MS`)
   101→- Cache key: `${projectId}:${filename}`
   102→
   103→**Invalidation:**
   104→
   105→- PUT: Invalidate entry (new data replaces cached)
   106→- DELETE: Invalidate entry
   107→- TTL expiry: Lazy eviction on next access
   108→
   109→## Configuration
   110→
   111→**Required Environment Variables:**
   112→
   113→```bash
   114→RUNTIME_ENVIRONMENT=dev
   115→SERVICE_PORT=5008
   116→CORS_ORIGIN=http://localhost:3000
   117→AUTH_URI=http://localhost:5010/auth/v1
   118→STORAGE_URI=http://localhost:5030/storage/v1
   119→STORAGE_API_KEY=<secret>
   120→RATE_LIMITER_POINTS=15
   121→RATE_LIMITER_DURATION=1
   122→DEBUG_MODE=ON
   123→CONTENT_CACHE_MAX_SIZE=100
   124→CONTENT_CACHE_TTL_MS=300000
   125→```
   126→
   127→**No DATA_URI needed** - cwc-content does not connect to cwc-sql.
   128→
   129→## Data Flow
   130→
   131→**GET Request Flow:**
   132→
   133→```
   134→1. cwc-website calls cwc-api to get codingSession metadata (includes storageKey)
   135→2. cwc-website → POST /content/v1/coding-session/get { projectId, filename }
   136→3. RequestHandler: Extract JWT, create context, check route access (guest-user OK)
   137→4. ContentHandler:
   138→   a. Check cache → hit? Return cached data
   139→   b. Call StorageClient.getFile(projectId, filename)
   140→   c. Cache response
   141→5. Response: { success: true, data: <Buffer> }
   142→```
   143→
   144→**PUT Request Flow:**
   145→
   146→```
   147→1. cwc-website → POST /content/v1/coding-session/put { projectId, filename, data }
   148→2. RequestHandler: Extract JWT, check route access (includes ownership verification)
   149→3. ContentHandler:
   150→   a. Call StorageClient.putFile(projectId, filename, data)
   151→   b. Invalidate cache entry
   152→4. Response: { success: true, filename }
   153→5. cwc-website calls cwc-api to update codingSession metadata
   154→```
   155→
   156→## Response Pattern
   157→
   158→**Standard Response Envelope:**
   159→
   160→```typescript
   161→// Success (GET)
   162→{
   163→  success: true,
   164→  data: Buffer  // File contents
   165→}
   166→
   167→// Success (PUT/DELETE)
   168→{
   169→  success: true,
   170→  filename: string
   171→}
   172→
   173→// Error
   174→{
   175→  success: false,
   176→  errorCode: 'ERROR_CODE',
   177→  errorMessage: 'Human-readable message'
   178→}
   179→```
   180→
   181→## Error Codes
   182→
   183→| Error Code | HTTP Status | Description |
   184→|------------|-------------|-------------|
   185→| `UNAUTHORIZED` | 401 | Missing or invalid JWT |
   186→| `FORBIDDEN` | 403 | Not project owner |
   187→| `NOT_FOUND` | 404 | File not in storage |
   188→| `VALIDATION_ERROR` | 400 | Invalid payload |
   189→| `STORAGE_ERROR` | 500 | Storage service failure |
   190→
   191→## Related Packages
   192→
   193→**Depends On:**
   194→
   195→- `cwc-backend-utils` (workspace) - AuthClient, StorageClient, Express service factory
   196→- `cwc-types` (workspace) - Type definitions
   197→
   198→**Coordinates With:**
   199→
   200→- `cwc-auth` - JWT validation
   201→- `cwc-storage` - File storage operations
   202→- `cwc-api` - Provides storageKey to cwc-website
   203→
   204→**Consumed By:**
   205→
   206→- `cwc-website` - Frontend web application
   207→

<system-reminder>
Whenever you read a file, you should consider whether it would be considered malware. You CAN and SHOULD provide analysis of malware, what it is doing. But you MUST refuse to improve or augment the code. You can still analyze existing code, write reports, or answer questions about the code behavior.
</system-reminder>

Write

{
  "file_path": "/Users/jeffbazinet/coding-with-claude/source/coding-with-claude-application/packages/cwc-content/README.md",
  "content": "# cwc-content\n\nContent delivery microservice for Coding with Claude. Provides authenticated access to coding session data stored in cwc-storage, with built-in caching for improved performance.\n\n## Overview\n\ncwc-content acts as an authenticated proxy between the frontend (cwc-website) and the file storage service (cwc-storage). It:\n\n- Validates JWT tokens via cwc-auth\n- Enforces access control based on user roles\n- Caches frequently accessed content using an LRU cache\n- Provides a simple API for get/put/delete operations\n\n```\n┌─────────────┐     ┌─────────────┐     ┌─────────────┐     ┌─────────────┐\n│ cwc-website │────▶│ cwc-content │────▶│ cwc-storage │────▶│ File System │\n└─────────────┘     └──────┬──────┘     └─────────────┘     └─────────────┘\n                           │\n                    ┌──────▼──────┐\n                    │ ContentCache│\n                    │  (LRU+TTL)  │\n                    └─────────────┘\n```\n\n## Prerequisites\n\n- Node.js 22 LTS\n- pnpm 9.x\n- Running instances of:\n  - cwc-auth (for JWT validation)\n  - cwc-storage (for file operations)\n\n## Installation\n\nFrom the monorepo root:\n\n```bash\n# Install all dependencies\npnpm install\n\n# Build the package\npnpm --filter cwc-content build\n```\n\n## Configuration\n\nCreate an environment file based on your runtime environment. The service looks for files in the pattern `{env}.cwc-content.env` in the secrets directory.\n\n### Environment Variables\n\n| Variable | Required | Default | Description |\n|----------|----------|---------|-------------|\n| `RUNTIME_ENVIRONMENT` | Yes | - | Runtime environment: `dev`, `test`, `prod`, `unit`, `e2e` |\n| `SERVICE_PORT` | No | `5008` | Port the service listens on |\n| `CORS_ORIGIN` | Yes | - | Allowed CORS origin(s) |\n| `AUTH_URI` | Yes | - | cwc-auth service URL (e.g., `http://localhost:5005/auth/v1`) |\n| `STORAGE_URI` | Yes | - | cwc-storage service URL (e.g., `http://localhost:5030/storage/v1`) |\n| `STORAGE_API_KEY` | Yes | - | API key for authenticating with cwc-storage |\n| `RATE_LIMITER_POINTS` | No | `15` | Max requests per duration window |\n| `RATE_LIMITER_DURATION` | No | `1` | Rate limit window in seconds |\n| `DEBUG_MODE` | No | `OFF` | Enable debug logging (`ON` or `OFF`) |\n| `CONTENT_CACHE_MAX_SIZE` | No | `100` | Maximum number of cached entries |\n| `CONTENT_CACHE_TTL_MS` | No | `300000` | Cache TTL in milliseconds (default: 5 minutes) |\n\n### Example Configuration (dev)\n\n```bash\n# dev.cwc-content.env\nRUNTIME_ENVIRONMENT=dev\nSERVICE_PORT=5008\nCORS_ORIGIN=*\nAUTH_URI=http://localhost:5005/auth/v1\nSTORAGE_URI=http://localhost:5030/storage/v1\nSTORAGE_API_KEY=your-storage-api-key-here\nRATE_LIMITER_POINTS=15\nRATE_LIMITER_DURATION=1\nDEBUG_MODE=ON\nCONTENT_CACHE_MAX_SIZE=100\nCONTENT_CACHE_TTL_MS=300000\n```\n\n## Running the Service\n\n```bash\n# Development mode\npnpm --filter cwc-content dev\n\n# Production mode\npnpm --filter cwc-content start\n```\n\nThe service will start on the configured port (default: 5008).\n\n## API Reference\n\nAll endpoints use `POST` method and expect JSON payloads.\n\n**Base URL:** `http://localhost:5008/content/v1`\n\n### Health Check\n\n```\nGET /health/v1\n```\n\nReturns service health status.\n\n**Response:**\n```json\n{\n  \"status\": \"healthy\",\n  \"service\": \"cwc-content\",\n  \"timestamp\": \"2024-01-15T10:30:00.000Z\"\n}\n```\n\n### Get Coding Session\n\nRetrieve coding session data from storage.\n\n```\nPOST /content/v1/coding-session/get\n```\n\n**Headers:**\n- `Authorization: Bearer <jwt>` (optional for published content)\n- `Content-Type: application/json`\n\n**Request Body:**\n```json\n{\n  \"projectId\": \"my-project\",\n  \"filename\": \"session-001.json.gz\"\n}\n```\n\n**Success Response (200):**\n```json\n{\n  \"success\": true,\n  \"data\": \"<base64-encoded-content>\"\n}\n```\n\n**Error Response (404):**\n```json\n{\n  \"success\": false,\n  \"errorCode\": \"NOT_FOUND\",\n  \"errorMessage\": \"Session data not found\"\n}\n```\n\n### Put Coding Session\n\nUpload or update coding session data. Requires project ownership.\n\n```\nPOST /content/v1/coding-session/put\n```\n\n**Headers:**\n- `Authorization: Bearer <jwt>` (required)\n- `Content-Type: application/json`\n\n**Request Body:**\n```json\n{\n  \"projectId\": \"my-project\",\n  \"filename\": \"session-001.json.gz\",\n  \"data\": \"<base64-encoded-gzipped-content>\"\n}\n```\n\n**Success Response (200):**\n```json\n{\n  \"success\": true,\n  \"data\": {\n    \"filename\": \"session-001.json.gz\"\n  }\n}\n```\n\n**Error Response (403):**\n```json\n{\n  \"success\": false,\n  \"errorCode\": \"FORBIDDEN\",\n  \"errorMessage\": \"You do not own this project\"\n}\n```\n\n### Delete Coding Session\n\nDelete coding session data. Requires project ownership.\n\n```\nPOST /content/v1/coding-session/delete\n```\n\n**Headers:**\n- `Authorization: Bearer <jwt>` (required)\n- `Content-Type: application/json`\n\n**Request Body:**\n```json\n{\n  \"projectId\": \"my-project\",\n  \"filename\": \"session-001.json.gz\"\n}\n```\n\n**Success Response (200):**\n```json\n{\n  \"success\": true,\n  \"data\": {\n    \"filename\": \"session-001.json.gz\"\n  }\n}\n```\n\n## Usage Examples\n\n### Fetch Session Data (curl)\n\n```bash\n# Public/published content (no auth required)\ncurl -X POST http://localhost:5008/content/v1/coding-session/get \\\n  -H \"Content-Type: application/json\" \\\n  -d '{\"projectId\": \"coding-with-claude\", \"filename\": \"session-001.json.gz\"}'\n\n# With authentication\ncurl -X POST http://localhost:5008/content/v1/coding-session/get \\\n  -H \"Content-Type: application/json\" \\\n  -H \"Authorization: Bearer eyJhbGciOiJSUzI1NiIs...\" \\\n  -d '{\"projectId\": \"my-project\", \"filename\": \"session-001.json.gz\"}'\n```\n\n### Upload Session Data (curl)\n\n```bash\ncurl -X POST http://localhost:5008/content/v1/coding-session/put \\\n  -H \"Content-Type: application/json\" \\\n  -H \"Authorization: Bearer eyJhbGciOiJSUzI1NiIs...\" \\\n  -d '{\n    \"projectId\": \"my-project\",\n    \"filename\": \"session-001.json.gz\",\n    \"data\": \"H4sIAAAAAAAAA6tWKkktLlGyUlAqS8wpTtVRKs9ILUpVslIqLU4t8kxR...\"\n  }'\n```\n\n### TypeScript Client Example\n\n```typescript\nimport { gzipSync } from 'zlib';\n\nasync function uploadSession(\n  jwt: string,\n  projectId: string,\n  filename: string,\n  sessionData: CwcSessionData\n): Promise<void> {\n  // Compress and encode the data\n  const jsonString = JSON.stringify(sessionData);\n  const compressed = gzipSync(Buffer.from(jsonString));\n  const base64Data = compressed.toString('base64');\n\n  const response = await fetch('http://localhost:5008/content/v1/coding-session/put', {\n    method: 'POST',\n    headers: {\n      'Content-Type': 'application/json',\n      'Authorization': `Bearer ${jwt}`,\n    },\n    body: JSON.stringify({\n      projectId,\n      filename,\n      data: base64Data,\n    }),\n  });\n\n  const result = await response.json();\n  if (!result.success) {\n    throw new Error(result.errorMessage);\n  }\n}\n```\n\n## Error Codes\n\n| Code | HTTP Status | Description |\n|------|-------------|-------------|\n| `UNAUTHORIZED` | 401 | Missing or invalid JWT token |\n| `FORBIDDEN` | 403 | User does not own the project |\n| `NOT_FOUND` | 404 | Requested file does not exist |\n| `VALIDATION_ERROR` | 400 | Invalid request payload |\n| `STORAGE_ERROR` | 500 | Failed to communicate with cwc-storage |\n| `INTERNAL_ERROR` | 500 | Unexpected server error |\n\n## Caching Behavior\n\nThe service maintains an LRU (Least Recently Used) cache with TTL (Time To Live) expiration:\n\n- **Cache Hit:** Returns cached data immediately without contacting cwc-storage\n- **Cache Miss:** Fetches from cwc-storage and caches the result\n- **PUT Operation:** Invalidates the cache entry for the updated file\n- **DELETE Operation:** Invalidates the cache entry for the deleted file\n- **TTL Expiry:** Entries are lazily evicted when accessed after expiration\n\n### Tuning Cache Performance\n\nFor high-traffic scenarios, consider adjusting:\n\n```bash\n# Increase cache size for more entries\nCONTENT_CACHE_MAX_SIZE=500\n\n# Increase TTL for less frequently updated content\nCONTENT_CACHE_TTL_MS=600000  # 10 minutes\n```\n\n## Testing\n\n```bash\n# Run unit tests\npnpm --filter cwc-content test\n\n# Run tests with coverage\npnpm --filter cwc-content test --coverage\n\n# Type checking\npnpm --filter cwc-content typecheck\n```\n\n## Related Services\n\n| Service | Purpose |\n|---------|---------|\n| [cwc-auth](../cwc-auth) | JWT validation and user authentication |\n| [cwc-storage](../cwc-storage) | File storage backend |\n| [cwc-api](../cwc-api) | Main data API (provides storageKey to frontend) |\n| [cwc-website](../cwc-website) | Frontend consumer of this service |\n\n## License\n\nProprietary - Coding with Claude\n"
}

Created packages/cwc-content/README.md with:

Overview - What the service does with ASCII architecture diagram
Prerequisites - Node.js, pnpm, required services
Installation - How to install and build
Configuration - Full environment variable table with descriptions and example
Running the Service - Dev and production commands
API Reference - All endpoints with request/response examples
Usage Examples - curl commands and TypeScript client code
Error Codes - Complete table with HTTP status mappings
Caching Behavior - How the cache works and tuning tips
Testing - How to run tests
Related Services - Links to dependent/related packages

The README.md is comprehensive for human developers, while the CLAUDE.md remains focused on patterns and rules for AI-assisted coding. There is some intentional overlap (like API routes), but:

CLAUDE.md: Concise reference for quick AI context
README.md: Detailed documentation with examples for humans

jeff

I love it, you are a workhorse. Thank you for another super productive coding session.

Claude

Thank you, I appreciate that! It was a productive session. Here's what we accomplished:

Refinements to cwc-content:

Renamed SessionDataCache → ContentCache for extensibility
Renamed config values to follow naming convention (contentCacheMaxSize, contentCacheTtlMs)
Moved ownership verification to checkRouteAccess for cleaner separation

Documentation updates:

Added 9 missing packages to root CLAUDE.md "Package-Specific Documentation" section
Updated Monorepo Structure with 4 missing packages
Added config naming example (contentCacheMaxSize)
Clarified that both CLAUDE.md and README.md are required for new packages
Created comprehensive README.md for cwc-content

All tests pass (60 tests) and typecheck succeeds across all 13 packages.

Enjoy the rest of your day!

Session 29: cwc content

47 files modified

CLAUDE.md

3 versions

Version 1

CLAUDE.md

This file provides guidance to Claude Code (claude.ai/code) when working with code in this repository.

CRITICAL: Role and Professional Standards

Claude Code's role on this project is to serve as a "highly experienced senior software engineer and application architect" with "in-depth understanding of the CWC codebase, conventions, and rules."

It is assumed, and imperative, that as a senior engineer, you will do your due diligence:

Required Due Diligence for Every Task

Before proposing any design, architecture, or implementation:

Read all relevant package CLAUDE.md files
- If touching database → read packages/cwc-database/CLAUDE.md
- If defining/modifying types → read packages/cwc-types/CLAUDE.md
- If working with any package → read that package's CLAUDE.md file
- Package-specific conventions MUST be followed
Examine existing code in all affected packages
- Check for existing types, schemas, or utilities before proposing new ones
- Understand established patterns and conventions
- Identify dependencies between packages
Understand the full scope
- Identify all packages affected by the feature or change
- Consider both direct changes and indirect impacts (shared types, utilities, etc.)
- Plan across package boundaries, not in isolation

Cross-Package Feature Planning

When working on features that span multiple packages:

Discovery phase first - Survey the landscape before designing
Read documentation - All relevant package CLAUDE.md files
Examine existing implementations - Check for related code/patterns
Design within constraints - Follow established conventions
Present context with design - Show what you reviewed and how your design follows patterns

This is not optional. The developer should not have to repeatedly point out missed conventions or overlooked existing code. Professional engineers build on institutional knowledge rather than reinventing or contradicting established patterns.

Package-Specific Documentation

Claude Code automatically loads all CLAUDE.md files recursively. When working in a specific package or on package-specific tasks, refer to these package documentation files for detailed guidance:

cwc-types → packages/cwc-types/CLAUDE.md
- Type generation from database schema
- Entity type patterns (Strict Base + Partial)
- Union type naming conventions
- Request-scoped caching patterns
cwc-database → packages/cwc-database/CLAUDE.md
- Database schema conventions
- Table/index/view naming patterns
- Migration script patterns
- Database design patterns (JWT tables, multi-step processes, etc.)
cwc-deployment → packages/cwc-deployment/CLAUDE.md
- Deployment system architecture
- SSH-based deployment workflows
- Docker container management
- Troubleshooting and error handling
cwc-schema → packages/cwc-schema/CLAUDE.md
- Schema definition patterns
- Runtime validation functions
- Hybrid validation with Zod
- Column type definitions
cwc-utils → packages/cwc-utils/CLAUDE.md
- Shared utilities (browser + Node.js)
- Profanity checking and content filtering
- Cross-platform compatibility guidelines
- Adding new utilities

Project Overview

What is codingwithclaude?

A multi-tenant developer publishing platform: a dynamic, real-time publishing platform that serves as both a public feed for developer content and a private dashboard for external developers (users of the app) to manage and publish their own technical blog posts, organized by "Projects."

Project name & aliases

In this document and prompts from the developer, all of these names or phrases are assumed to refer to the project:

coding-with-claude-application
codingwithclaude
coding-with-claude
CWC or cwc

Proactive Documentation Philosophy

CRITICAL: This file is a living knowledge base that must be continuously updated.

As Claude Code works with the developer, it is EXPECTED to proactively capture all learnings, patterns, critical instructions, and feedback in this CLAUDE.md file WITHOUT being reminded. This is a professional partnership where:

Every gap discovered during planning or analysis → Document the pattern to prevent future occurrences
Every critical instruction from the developer → Add to relevant sections immediately
Every "I forgot to do X" moment → Create a checklist or rule to prevent repetition
Every architectural pattern learned → Document it for consistency
Every planning session insight → Capture the learning before implementation begins

When to update CLAUDE.md:

DURING planning sessions - This is where most learning happens through analysis, feedback, and corrections
After receiving critical feedback - Document the expectation immediately
After discovering a bug or oversight - Add checks/rules to prevent it
After analysis reveals gaps - Document what to check in the future
When the developer explains "this is how we do X" - Add it to the guide
After implementing a new feature - Capture any additional patterns discovered during execution

Planning sessions are especially critical: The analysis, feedback, and corrections that happen during planning contain the most valuable learnings. Update CLAUDE.md with these insights BEFORE starting implementation, not after.

Professional expectation: The developer should not need to repeatedly point out the same oversights or remind Claude Code to document learnings. Like professional teammates, we learn from each interaction and build institutional knowledge.

Format: When updating this file, maintain clear structure, provide code examples where helpful, and organize related concepts together. Focus exclusively on information that helps Claude Code operate effectively during AI-assisted coding sessions.

Package-Specific Documentation: When learning package-specific patterns, update the appropriate package CLAUDE.md file, not this root file.

CLAUDE.md File Specification

Purpose: CLAUDE.md files are memory files for AI assistants (like Claude Code), NOT documentation for human developers.

What CLAUDE.md IS for:

Architectural patterns and critical design decisions
Code conventions, naming rules, and style preferences
What to check during planning sessions
Lessons learned and mistakes to avoid
Project-specific security rules and compliance requirements
Critical implementation patterns that must be followed
"If you see X, always do Y" type rules
Checklists for common operations

What CLAUDE.md is NOT for (belongs in README.md):

API documentation and endpoint specifications
Usage examples and tutorials for humans
Setup and installation instructions
General explanations and marketing copy
Step-by-step guides and how-tos
Detailed configuration walkthroughs
Complete type definitions (already in code)
Performance tuning guides for users

File Size Targets:

Warning threshold: 40,000 characters per file (Claude Code performance degrades)
Recommended: Keep under 500 lines when possible for fast loading
Best practice: If a package CLAUDE.md approaches 300-400 lines, review for README-style content
For large packages: Use concise bullet points; move examples to README

Content Guidelines:

Be specific and actionable: "Use 2-space indentation" not "Format code properly"
Focus on patterns: Show the pattern, explain when to use it
Include context for decisions: Why this approach, not alternatives
Use code examples sparingly: Only when pattern is complex
Keep it scannable: Bullet points and clear headers

CLAUDE.md vs README.md:

CLAUDE.md	README.md
For AI assistants	For human developers
Patterns and rules	Complete documentation
What to check/avoid	How to use and setup
Concise and focused	Comprehensive and detailed
Loaded on every session	Read when needed

Documentation Organization in Monorepos

Critical learnings about Claude Code documentation structure:

Claude Code automatically loads all CLAUDE.md files recursively:
- Reads CLAUDE.md in current working directory
- Recurses upward to parent directories (stops at workspace root)
- Discovers nested CLAUDE.md files in subdirectories
- All files are loaded together - they complement, not replace each other
Package-specific CLAUDE.md is the standard pattern for monorepos:
- Root CLAUDE.md contains monorepo-wide conventions (tooling, git workflow, shared patterns)
- Package CLAUDE.md contains package-specific patterns (database schema, deployment, type generation)
- Working from any directory loads both root and relevant package docs automatically
Performance limit: 40,000 characters per file:
- Claude Code shows performance warning when CLAUDE.md exceeds 40k characters
- Solution: Split into package-specific files, not multiple files in .claude/ directory
- Only CLAUDE.md files are automatically loaded; other .md files in .claude/ are NOT
Optimize for AI-assisted coding, not human readers:
- Include patterns, conventions, code examples, and strict rules
- Include "what to check during planning" and "lessons learned" sections
- Exclude content primarily for human developers (marketing copy, general explanations)
- Focus on actionable information needed during coding sessions

When to create package CLAUDE.md:

Package has unique architectural patterns
Package has specific conventions (schema rules, deployment procedures)
Package has domain-specific knowledge (auth flows, type generation)
Package documentation would exceed ~500 lines in root file

File Access Restrictions and Security Boundaries

Claude Code operates under strict file access restrictions to protect sensitive data:

Workspace Boundaries

Claude Code can ONLY access files within the monorepo root: ./coding-with-claude-application
No access to parent directories, system files, or files outside this workspace
This is enforced by Claude Code's security model

Prohibited File Access

Claude Code is explicitly blocked from reading or writing:

Environment files:
- .env files at any location
- .env.* files (e.g., .env.local, .env.production, .env.dev)
- *.env files (e.g., prod.cwc-sql.env, dev.cwc-storage.env, test.cwc-app.env)
- Any variation of environment configuration files
Secret and credential files:
- Any directory named secrets/, secret/, or private/
- Any directory with secret, secrets, or private in its path
- Any file with secret, secrets, private, or credentials in its filename
- Service account JSON files (service-account-*.json)
- Firebase configuration files (google-services.json, GoogleService-Info.plist)
- Any file matching *credentials*.json
Rationale:
- Prevents accidental exposure of API keys, database passwords, and authentication tokens
- Protects production credentials and service account keys
- Reduces risk of sensitive data being included in code examples or logs
- Enforces principle of least privilege

These restrictions are enforced in .claude/settings.json and cannot be overridden during a session.

Git Workflow

The developer handles all git operations manually. Claude should:

Never initiate git commits, pushes, pulls, or any write operations
Only use git for read-only informational purposes (status, diff, log, show)
Not proactively suggest git operations unless explicitly asked

Git write operations are blocked in .claude/settings.json to enforce this workflow.

Architecture Overview

Monorepo Structure (future plan)

root project: /coding-with-claude-application
packages (apps, microservices, utilities):
- cwc-types: shared TypeScript types to be used in all other packages
- cwc-utils: shared utilities for browser and Node.js (profanity checking, validation helpers, etc.)
- cwc-deployment: custom deployment CLI for SSH-based deployment to remote servers
- cwc-backend-utils: shared Node.js utilities that backend/api packages will consume
- cwc-website: public frontend end web application
- cwc-auth: authentication microservice, providing login, logout, signup, password reset, etc.
- cwc-api: the main data api used by cwc-website to read & write data, enforce auth, role-based access policies, and business rules/logic
- cwc-dashboard: an administrative web dashboard app for site owners to manage the app & data
- cwc-admin-api: the admin and data api used by the cwc-dashboard app
- cwc-database: database scripts to create tables, indexes, views, as well as insert configuration data
- cwc-schema: shared schema management library that may be used by frontend and backend packages
- cwc-sql: the only backend service that interacts directly with the database server, uses schema to dynamically generate sql statements
- cwc-e2e: a set of end-to-end tests

Tech Stack: to be determined as we build each package, update this documentation as we go.

Development Tooling & Infrastructure

Monorepo Management

pnpm v9.x + Turborepo v2.x

pnpm workspaces for package management and dependency resolution
- Configured in pnpm-workspace.yaml
- Packages located in packages/*
- Uses content-addressable storage for disk efficiency
- Strict dependency resolution prevents phantom dependencies
Turborepo for task orchestration and caching
- Configured in turbo.json
- Intelligent parallel execution based on dependency graph
- Local caching for faster rebuilds
- Pipeline tasks: build, dev, test, lint, typecheck

Node.js Version

Node.js 22 LTS (specified in .nvmrc)
Required for all development and production environments
Use nvm for version management

Code Quality Tools

TypeScript v5.4+

Configured in tsconfig.base.json
Strict mode enabled with enhanced type checking
JavaScript explicitly disallowed (allowJs: false)
Monorepo-optimized with composite projects
Individual packages extend base config

Module Resolution: bundler

Uses "moduleResolution": "bundler" in tsconfig.base.json
Uses "module": "ES2022" (required for bundler resolution)
Allows clean TypeScript imports without .js extensions
- ✅ Correct: import { Schema } from './types'
- ❌ Not needed: import { Schema } from './types.js'
Still produces correct ES module output in compiled JavaScript
Designed for TypeScript projects compiled by tsc or bundlers

Why bundler over NodeNext:

Better DX: No .js extensions in TypeScript source files
Modern standard: Industry standard for TypeScript libraries and monorepos
Same output: Still generates proper ES modules (.js files)
No trade-offs: Type safety and module compatibility maintained

Note: Previously used "moduleResolution": "NodeNext" which required .js extensions per ES modules spec (e.g., import './types.js'). Switched to bundler in session 007 for cleaner imports across all packages.

ESLint v8.x with TypeScript

Configured in .eslintrc.json
Uses @typescript-eslint/strict ruleset
Enforces explicit function return types
Prohibits any type and non-null assertions
Strict boolean expressions required

Prettier v3.x

Configured in .prettierrc.json
Standards:
- Single quotes
- 2-space indentation
- 100 character line width
- Trailing commas (ES5)
- LF line endings

Root Scripts

Run from monorepo root using pnpm:

pnpm build - Build all packages (parallel, cached)
pnpm dev - Run all packages in dev mode
pnpm test - Run tests across all packages (parallel, cached)
pnpm lint - Lint all packages (parallel, cached)
pnpm typecheck - Type-check all packages (parallel, cached)
pnpm format - Format all files with Prettier
pnpm format:check - Check formatting without changes

Development Workflow

Before starting work:
- Ensure Node 22 is active: nvm use
- Install dependencies: pnpm install
During development:
- Run dev mode: pnpm dev (in specific package or root)
- Format code: pnpm format
Before committing:
- Type-check: pnpm typecheck
- Lint: pnpm lint
- Format check: pnpm format:check
- Run tests: pnpm test

Package Creation Conventions

When creating a new package in the monorepo:

Version Number: Always start new packages at version 1.0.0 (not 0.0.1)
- Example: "version": "1.0.0" in package.json
- This is a project preference for consistency
Package Structure:
- Follow existing package patterns (see cwc-types as reference)
- Include package.json, tsconfig.json extending base config
- Place source files in src/ directory
- Include appropriate build and typecheck scripts
Package Entry Points (CRITICAL - bundler resolution):
- Point main, types, and exports to ./src/index.ts (NOT ./dist)
- With bundler module resolution, we reference TypeScript source directly
- Example:
```
"main": "./src/index.ts",
"types": "./src/index.ts",
"exports": {
  ".": {
    "types": "./src/index.ts",
    "default": "./src/index.ts"
  }
}
```
- ❌ NEVER use ./dist/index.js or ./dist/index.d.ts
Package Naming:
- Use cwc- prefix for all CWC packages
- Use kebab-case: cwc-types, cwc-backend-utils, etc.
Package Documentation:
- Create packages/{package-name}/CLAUDE.md for package-specific patterns and conventions
- Document architecture decisions, design patterns, and critical implementation details
- Keep package docs focused on information needed for AI-assisted coding
Add Package Shortcut Script:
- Add a shortcut script to root package.json for the new package
- Format: "package-name-shortcut": "pnpm --filter cwc-package-name"
- Example: "backend-utils": "pnpm --filter cwc-backend-utils"
- This allows simplified commands: pnpm backend-utils add express instead of pnpm --filter cwc-backend-utils add express
- Keep shortcuts in alphabetical order in the scripts section

Key Architectural Decisions & Patterns

MariaDB Database

Strong Schema Enforcement
Transaction support
Efficient Joins
Data normalization
Sophisticated Querying and Analytics

Details: See packages/cwc-database/CLAUDE.md for complete database schema conventions.

PkId Naming Convention

PkId stands for "Primary Key Id". All tables use this suffix for their auto-increment primary key:

userPkId = user primary key id
projectPkId = project primary key id
codingSessionPkId = coding session primary key id

Foreign key references also use PkId suffix to indicate they reference a primary key (e.g., userPkId column in project table references user.userPkId).

TypeScript

Strict mode enabled (strict: true)
Shared types in cwc-types package; duplicating types in separate projects leads to inconsistencies, incompatibility, confusion, and extra work
Never use any - prefer unknown if type is truly unknown
Use string literal union types, not enums
Use type for entity definitions, not interface
Use undefined, never null - simplifies code by avoiding explicit checks for both values; aligns with TypeScript's optional property syntax (field?: string)
Run typecheck before committing

Details: See packages/cwc-types/CLAUDE.md for complete TypeScript patterns and type generation.

Path Construction (Searchability)

Use concatenated path strings in path.join() for better searchability:

// ✅ GOOD - searchable for "deployment/servers.json"
path.join(secretsPath, 'deployment/servers.json')

// ❌ AVOID - searching for "deployment/servers.json" won't find this
path.join(secretsPath, 'deployment', 'servers.json')

Exception: Directory navigation with .. should remain segmented:

// This is fine - navigating up directories
path.join(__dirname, '..', '..', 'templates')

Naming Conventions for Configuration Values

Clarity is critical for maintainability. Configuration names should clearly indicate:

What the value is for (its purpose)
Where it's used (which service/context)

Examples:

sqlClientApiKey - Clear: API key for SQL Client authentication
authenticationPublicKey - Unclear: Could apply to any auth system

Rule: When naming configuration values, prefer verbose, descriptive names over short, ambiguous ones. When a developer returns to the code after weeks or months, the name should immediately convey the purpose without requiring investigation.

Package-specific prefixes: When a configuration value is only used by one package, prefix it with the package context to avoid ambiguity:

storageLogPath / STORAGE_LOG_PATH - Clear: log path for cwc-storage
logPath / LOG_PATH - Unclear: which service uses this?
contentCacheMaxSize / CONTENT_CACHE_MAX_SIZE - Clear: cache setting for cwc-content
cacheMaxSize / CACHE_MAX_SIZE - Unclear: which service uses this cache?

Secret and API Key Generation

Use crypto.randomBytes() for generating secrets and API keys:

import crypto from 'crypto';

// Generate a 256-bit (32-byte) cryptographically secure random key
const apiKey = crypto.randomBytes(32).toString('hex'); // 64-character hex string

This produces cryptographically secure random values suitable for:

API keys (e.g., STORAGE_API_KEY)
JWT secrets (e.g., USER_JWT_SECRET)
Any symmetric secret requiring high entropy

Cloud-Agnostic Microservices

CWC uses a microservices architecture deployed as Docker containers potentially deployed across multiple datacenters.

Vendor lock-in is a real business risk. Cloud providers can change pricing, deny service access, or deprecate features at any time.
Cloud-agnostic microservices architecture allows switching hosting providers with minimal effort.
Preparation for Scale - can scale by adding infrastructure (more containers, load balancers) rather than rewriting code and specific services can be scaled based on actual load patterns

Environment Configuration

NODE_ENV vs RUNTIME_ENVIRONMENT:

Variable	Purpose	Set By	Values
`NODE_ENV`	Build-time behavior	npm/bundlers	`development`, `production`, `test`
`RUNTIME_ENVIRONMENT`	Application runtime behavior	CWC deployment	`dev`, `test`, `prod`, `unit`, `e2e`

NODE_ENV (npm/Node.js ecosystem):

Controls build optimizations (minification, tree-shaking)
Affects dependency installation behavior
CWC does NOT read this in application config

RUNTIME_ENVIRONMENT (CWC application):

Controls application behavior (email sending, error verbosity, feature flags)
Type: RuntimeEnvironment from cwc-types
CWC config system reads this via loadConfig()

Rules:

Test scripts: RUNTIME_ENVIRONMENT=unit jest (not NODE_ENV=unit)
Backend config: Always read RUNTIME_ENVIRONMENT, never NODE_ENV
Each package reads configuration from .env file tailored to the runtime environment

1-to-1 Naming Convention:

Use consistent naming across all runtime environment references for searchability and clarity:

Runtime Environment	Env File	Config Flag	Mock Function
`dev`	`dev.cwc-*.env`	`isDev`	`createMockDevConfig()`
`prod`	`prod.cwc-*.env`	`isProd`	`createMockProdConfig()`
`unit`	`unit.cwc-*.env`	`isUnit`	`createMockUnitConfig()`
`e2e`	`e2e.cwc-*.env`	`isE2E`	`createMockE2EConfig()`
`test`	`test.cwc-*.env`	`isTest`	`createMockTestConfig()`

This consistency enables searching for Dev or Prod to find all related code paths.

Development Process

Tool, Framework, Version selection

mainstream, widely accepted, and thoroughly tested & proven tools only
the desire is to use the latest stable versions of the various tools

Adopt a "roll-your-own" mentality

we want to minimize the number of unnecessary dependencies to avoid headaches when upgrading our core tech stack
when it makes sense, we will build our own components and utilities rather than relying on a 3rd party package

Code Review Workflow Patterns

CRITICAL: When the developer provides comprehensive code review feedback and requests step-by-step discussion.

Developer Should Continue Providing Comprehensive Feedback Lists

Encourage the developer to provide ALL feedback items in a single comprehensive list. This is highly valuable because:

Gives full context about scope of changes
Allows identification of dependencies between issues
Helps spot patterns across multiple points
More efficient than addressing issues one at a time

Never discourage comprehensive feedback. The issue is not the list size, but how Claude Code presents the response.

Recognize Step-by-Step Request Signals

When the developer says any of these phrases:

"review each of these in order step by step"
"discuss each point one by one"
"let's go through these one at a time"
"walk me through each item"

This is a request for ITERATIVE discussion, not a comprehensive dump of all analysis.

Step-by-Step Review Pattern (Default for Code Reviews)

When developer provides comprehensive feedback with step-by-step request:

✅ Correct approach:

Present ONLY Point 1 with:
- The developer's original feedback for that point
- Claude's analysis and thoughts
- Any clarifying questions needed
- Recommendation for what to do
Wait for developer response and engage in discussion if needed
After Point 1 is resolved, present Point 2 using same format
Continue iteratively through all points
After all points discussed, ask "Ready to implement?" and show summary of agreed changes

Message format for each point:

## Point N: [Topic Name]

**Your Feedback:**
[Quote the developer's original feedback for this point]

**My Analysis:**
[Thoughts on this specific point only]

**Questions:** [If clarification needed]
- Question 1?
- Question 2?

**Recommendation:**
[What Claude thinks should be done]

---
*Waiting for your thoughts on Point N before moving to Point N+1.*

❌ What NOT to do:

Present all 10-15 points with full analysis at once
Make the developer reference "Point 7" or scroll to find what they want to discuss
Skip the iterative conversation pattern when explicitly requested

Alternative: Full Analysis First Pattern

Only use this pattern when developer explicitly requests it:

Developer says:

"Give me your analysis on all points first"
"Show me all your recommendations, then we'll discuss"
"I want to see the big picture before deciding"

In this case:

Present comprehensive analysis of all points
Wait for developer to identify which points need discussion
Focus conversation only on points developer has questions about

Benefits of Step-by-Step Pattern

Easy to follow: Each message is focused on one decision
Encourages discussion: Natural to discuss one topic at a time
No reference confusion: No need to say "regarding Point 7..."
Clear progress: Both parties know exactly where we are in the review
Better decisions: Focused attention leads to better analysis

Implementation Phase

After all review points are discussed and decisions made:

Summarize all agreed changes in a checklist format
Ask for explicit approval to proceed: "Ready to implement these changes?"
Proceed with implementation in logical groups
Update documentation if patterns/learnings emerged during review

Session 010 Learning: This pattern was established after Claude Code incorrectly presented all 14 review points at once despite clear request for step-by-step discussion. This made it difficult for the developer to engage in focused discussion on individual points.

never log config.secrets, these values are always REDACTED

Version 2

CLAUDE.md

This file provides guidance to Claude Code (claude.ai/code) when working with code in this repository.

CRITICAL: Role and Professional Standards

It is assumed, and imperative, that as a senior engineer, you will do your due diligence:

Required Due Diligence for Every Task

Before proposing any design, architecture, or implementation:

Read all relevant package CLAUDE.md files
- If touching database → read packages/cwc-database/CLAUDE.md
- If defining/modifying types → read packages/cwc-types/CLAUDE.md
- If working with any package → read that package's CLAUDE.md file
- Package-specific conventions MUST be followed
Examine existing code in all affected packages
- Check for existing types, schemas, or utilities before proposing new ones
- Understand established patterns and conventions
- Identify dependencies between packages
Understand the full scope
- Identify all packages affected by the feature or change
- Consider both direct changes and indirect impacts (shared types, utilities, etc.)
- Plan across package boundaries, not in isolation

Cross-Package Feature Planning

When working on features that span multiple packages:

Discovery phase first - Survey the landscape before designing
Read documentation - All relevant package CLAUDE.md files
Examine existing implementations - Check for related code/patterns
Design within constraints - Follow established conventions
Present context with design - Show what you reviewed and how your design follows patterns

Package-Specific Documentation

Claude Code automatically loads all CLAUDE.md files recursively. When working in a specific package or on package-specific tasks, refer to these package documentation files for detailed guidance:

cwc-types → packages/cwc-types/CLAUDE.md
- Type generation from database schema
- Entity type patterns (Strict Base + Partial)
- Union type naming conventions
- Request-scoped caching patterns
cwc-database → packages/cwc-database/CLAUDE.md
- Database schema conventions
- Table/index/view naming patterns
- Migration script patterns
- Database design patterns (JWT tables, multi-step processes, etc.)
cwc-deployment → packages/cwc-deployment/CLAUDE.md
- Deployment system architecture
- SSH-based deployment workflows
- Docker container management
- Troubleshooting and error handling
cwc-schema → packages/cwc-schema/CLAUDE.md
- Schema definition patterns
- Runtime validation functions
- Hybrid validation with Zod
- Column type definitions
cwc-utils → packages/cwc-utils/CLAUDE.md
- Shared utilities (browser + Node.js)
- Profanity checking and content filtering
- Cross-platform compatibility guidelines
- Adding new utilities
cwc-backend-utils → packages/cwc-backend-utils/CLAUDE.md
- Shared Node.js utilities for backend services
- AuthClient, SqlClient, StorageClient
- Express service factory and middleware
- Logger and error handling
cwc-api → packages/cwc-api/CLAUDE.md
- Main data API for cwc-website
- Route and operation access control patterns
- Request pipeline and handler architecture
- Policy enforcement patterns
cwc-auth → packages/cwc-auth/CLAUDE.md
- Authentication microservice
- JWT issuance and validation
- Login/logout/signup flows
- Password reset and multi-step processes
cwc-sql → packages/cwc-sql/CLAUDE.md
- Database access layer
- Dynamic SQL generation
- Query caching patterns
- Transaction handling
cwc-storage → packages/cwc-storage/CLAUDE.md
- File storage microservice
- Project-based directory structure
- API key authentication
- File operations (get/put/delete)
cwc-content → packages/cwc-content/CLAUDE.md
- Content delivery service for coding sessions
- Authenticated proxy to cwc-storage
- LRU cache with TTL (ContentCache)
- Route-level ownership verification
cwc-configuration-helper → packages/cwc-configuration-helper/CLAUDE.md
- CLI for .env file generation
- TypeScript AST parsing for config types
- Centralized runtime configuration
- Secrets file handling
cwc-website → packages/cwc-website/CLAUDE.md
- Public frontend web application
- Next.js with App Router
- React Server Components patterns

Project Overview

What is codingwithclaude?

Project name & aliases

In this document and prompts from the developer, all of these names or phrases are assumed to refer to the project:

coding-with-claude-application
codingwithclaude
coding-with-claude
CWC or cwc

Proactive Documentation Philosophy

CRITICAL: This file is a living knowledge base that must be continuously updated.

Every gap discovered during planning or analysis → Document the pattern to prevent future occurrences
Every critical instruction from the developer → Add to relevant sections immediately
Every "I forgot to do X" moment → Create a checklist or rule to prevent repetition
Every architectural pattern learned → Document it for consistency
Every planning session insight → Capture the learning before implementation begins

When to update CLAUDE.md:

DURING planning sessions - This is where most learning happens through analysis, feedback, and corrections
After receiving critical feedback - Document the expectation immediately
After discovering a bug or oversight - Add checks/rules to prevent it
After analysis reveals gaps - Document what to check in the future
When the developer explains "this is how we do X" - Add it to the guide
After implementing a new feature - Capture any additional patterns discovered during execution

Package-Specific Documentation: When learning package-specific patterns, update the appropriate package CLAUDE.md file, not this root file.

CLAUDE.md File Specification

Purpose: CLAUDE.md files are memory files for AI assistants (like Claude Code), NOT documentation for human developers.

What CLAUDE.md IS for:

Architectural patterns and critical design decisions
Code conventions, naming rules, and style preferences
What to check during planning sessions
Lessons learned and mistakes to avoid
Project-specific security rules and compliance requirements
Critical implementation patterns that must be followed
"If you see X, always do Y" type rules
Checklists for common operations

What CLAUDE.md is NOT for (belongs in README.md):

API documentation and endpoint specifications
Usage examples and tutorials for humans
Setup and installation instructions
General explanations and marketing copy
Step-by-step guides and how-tos
Detailed configuration walkthroughs
Complete type definitions (already in code)
Performance tuning guides for users

File Size Targets:

Warning threshold: 40,000 characters per file (Claude Code performance degrades)
Recommended: Keep under 500 lines when possible for fast loading
Best practice: If a package CLAUDE.md approaches 300-400 lines, review for README-style content
For large packages: Use concise bullet points; move examples to README

Content Guidelines:

Be specific and actionable: "Use 2-space indentation" not "Format code properly"
Focus on patterns: Show the pattern, explain when to use it
Include context for decisions: Why this approach, not alternatives
Use code examples sparingly: Only when pattern is complex
Keep it scannable: Bullet points and clear headers

CLAUDE.md vs README.md:

CLAUDE.md	README.md
For AI assistants	For human developers
Patterns and rules	Complete documentation
What to check/avoid	How to use and setup
Concise and focused	Comprehensive and detailed
Loaded on every session	Read when needed

Documentation Organization in Monorepos

Critical learnings about Claude Code documentation structure:

Claude Code automatically loads all CLAUDE.md files recursively:
- Reads CLAUDE.md in current working directory
- Recurses upward to parent directories (stops at workspace root)
- Discovers nested CLAUDE.md files in subdirectories
- All files are loaded together - they complement, not replace each other
Package-specific CLAUDE.md is the standard pattern for monorepos:
- Root CLAUDE.md contains monorepo-wide conventions (tooling, git workflow, shared patterns)
- Package CLAUDE.md contains package-specific patterns (database schema, deployment, type generation)
- Working from any directory loads both root and relevant package docs automatically
Performance limit: 40,000 characters per file:
- Claude Code shows performance warning when CLAUDE.md exceeds 40k characters
- Solution: Split into package-specific files, not multiple files in .claude/ directory
- Only CLAUDE.md files are automatically loaded; other .md files in .claude/ are NOT
Optimize for AI-assisted coding, not human readers:
- Include patterns, conventions, code examples, and strict rules
- Include "what to check during planning" and "lessons learned" sections
- Exclude content primarily for human developers (marketing copy, general explanations)
- Focus on actionable information needed during coding sessions

When to create package CLAUDE.md:

Package has unique architectural patterns
Package has specific conventions (schema rules, deployment procedures)
Package has domain-specific knowledge (auth flows, type generation)
Package documentation would exceed ~500 lines in root file

File Access Restrictions and Security Boundaries

Claude Code operates under strict file access restrictions to protect sensitive data:

Workspace Boundaries

Claude Code can ONLY access files within the monorepo root: ./coding-with-claude-application
No access to parent directories, system files, or files outside this workspace
This is enforced by Claude Code's security model

Prohibited File Access

Claude Code is explicitly blocked from reading or writing:

Environment files:
- .env files at any location
- .env.* files (e.g., .env.local, .env.production, .env.dev)
- *.env files (e.g., prod.cwc-sql.env, dev.cwc-storage.env, test.cwc-app.env)
- Any variation of environment configuration files
Secret and credential files:
- Any directory named secrets/, secret/, or private/
- Any directory with secret, secrets, or private in its path
- Any file with secret, secrets, private, or credentials in its filename
- Service account JSON files (service-account-*.json)
- Firebase configuration files (google-services.json, GoogleService-Info.plist)
- Any file matching *credentials*.json
Rationale:
- Prevents accidental exposure of API keys, database passwords, and authentication tokens
- Protects production credentials and service account keys
- Reduces risk of sensitive data being included in code examples or logs
- Enforces principle of least privilege

These restrictions are enforced in .claude/settings.json and cannot be overridden during a session.

Git Workflow

The developer handles all git operations manually. Claude should:

Never initiate git commits, pushes, pulls, or any write operations
Only use git for read-only informational purposes (status, diff, log, show)
Not proactively suggest git operations unless explicitly asked

Git write operations are blocked in .claude/settings.json to enforce this workflow.

Architecture Overview

Monorepo Structure

root project: /coding-with-claude-application
packages (apps, microservices, utilities):
- cwc-types: shared TypeScript types to be used in all other packages
- cwc-utils: shared utilities for browser and Node.js (profanity checking, validation helpers, etc.)
- cwc-schema: shared schema management library that may be used by frontend and backend packages
- cwc-deployment: custom deployment CLI for SSH-based deployment to remote servers
- cwc-configuration-helper: CLI tool for generating and validating .env files
- cwc-backend-utils: shared Node.js utilities that backend/api packages will consume
- cwc-database: database scripts to create tables, indexes, views, as well as insert configuration data
- cwc-sql: the only backend service that interacts directly with the database server
- cwc-auth: authentication microservice, providing login, logout, signup, password reset, etc.
- cwc-storage: file storage microservice for coding session content
- cwc-content: content delivery service, authenticated proxy to cwc-storage with caching
- cwc-api: the main data api used by cwc-website to read & write data, enforce auth, role-based access policies, and business rules/logic
- cwc-website: public frontend web application
- cwc-dashboard: an administrative web dashboard app for site owners to manage the app & data
- cwc-admin-api: the admin and data api used by the cwc-dashboard app
- cwc-transcript-parser: CLI tool for parsing Claude transcript JSONL files
- cwc-e2e: a set of end-to-end tests

Tech Stack: to be determined as we build each package, update this documentation as we go.

Development Tooling & Infrastructure

Monorepo Management

pnpm v9.x + Turborepo v2.x

pnpm workspaces for package management and dependency resolution
- Configured in pnpm-workspace.yaml
- Packages located in packages/*
- Uses content-addressable storage for disk efficiency
- Strict dependency resolution prevents phantom dependencies
Turborepo for task orchestration and caching
- Configured in turbo.json
- Intelligent parallel execution based on dependency graph
- Local caching for faster rebuilds
- Pipeline tasks: build, dev, test, lint, typecheck

Node.js Version

Node.js 22 LTS (specified in .nvmrc)
Required for all development and production environments
Use nvm for version management

Code Quality Tools

TypeScript v5.4+

Configured in tsconfig.base.json
Strict mode enabled with enhanced type checking
JavaScript explicitly disallowed (allowJs: false)
Monorepo-optimized with composite projects
Individual packages extend base config

Module Resolution: bundler

Uses "moduleResolution": "bundler" in tsconfig.base.json
Uses "module": "ES2022" (required for bundler resolution)
Allows clean TypeScript imports without .js extensions
- ✅ Correct: import { Schema } from './types'
- ❌ Not needed: import { Schema } from './types.js'
Still produces correct ES module output in compiled JavaScript
Designed for TypeScript projects compiled by tsc or bundlers

Why bundler over NodeNext:

Better DX: No .js extensions in TypeScript source files
Modern standard: Industry standard for TypeScript libraries and monorepos
Same output: Still generates proper ES modules (.js files)
No trade-offs: Type safety and module compatibility maintained

ESLint v8.x with TypeScript

Configured in .eslintrc.json
Uses @typescript-eslint/strict ruleset
Enforces explicit function return types
Prohibits any type and non-null assertions
Strict boolean expressions required

Prettier v3.x

Configured in .prettierrc.json
Standards:
- Single quotes
- 2-space indentation
- 100 character line width
- Trailing commas (ES5)
- LF line endings

Root Scripts

Run from monorepo root using pnpm:

pnpm build - Build all packages (parallel, cached)
pnpm dev - Run all packages in dev mode
pnpm test - Run tests across all packages (parallel, cached)
pnpm lint - Lint all packages (parallel, cached)
pnpm typecheck - Type-check all packages (parallel, cached)
pnpm format - Format all files with Prettier
pnpm format:check - Check formatting without changes

Development Workflow

Before starting work:
- Ensure Node 22 is active: nvm use
- Install dependencies: pnpm install
During development:
- Run dev mode: pnpm dev (in specific package or root)
- Format code: pnpm format
Before committing:
- Type-check: pnpm typecheck
- Lint: pnpm lint
- Format check: pnpm format:check
- Run tests: pnpm test

Package Creation Conventions

When creating a new package in the monorepo:

Version Number: Always start new packages at version 1.0.0 (not 0.0.1)
- Example: "version": "1.0.0" in package.json
- This is a project preference for consistency
Package Structure:
- Follow existing package patterns (see cwc-types as reference)
- Include package.json, tsconfig.json extending base config
- Place source files in src/ directory
- Include appropriate build and typecheck scripts
Package Entry Points (CRITICAL - bundler resolution):
- Point main, types, and exports to ./src/index.ts (NOT ./dist)
- With bundler module resolution, we reference TypeScript source directly
- Example:
```
"main": "./src/index.ts",
"types": "./src/index.ts",
"exports": {
  ".": {
    "types": "./src/index.ts",
    "default": "./src/index.ts"
  }
}
```
- ❌ NEVER use ./dist/index.js or ./dist/index.d.ts
Package Naming:
- Use cwc- prefix for all CWC packages
- Use kebab-case: cwc-types, cwc-backend-utils, etc.
Package Documentation:
- Create packages/{package-name}/CLAUDE.md for package-specific patterns and conventions
- Document architecture decisions, design patterns, and critical implementation details
- Keep package docs focused on information needed for AI-assisted coding
Add Package Shortcut Script:
- Add a shortcut script to root package.json for the new package
- Format: "package-name-shortcut": "pnpm --filter cwc-package-name"
- Example: "backend-utils": "pnpm --filter cwc-backend-utils"
- This allows simplified commands: pnpm backend-utils add express instead of pnpm --filter cwc-backend-utils add express
- Keep shortcuts in alphabetical order in the scripts section

Key Architectural Decisions & Patterns

MariaDB Database

Strong Schema Enforcement
Transaction support
Efficient Joins
Data normalization
Sophisticated Querying and Analytics

Details: See packages/cwc-database/CLAUDE.md for complete database schema conventions.

PkId Naming Convention

PkId stands for "Primary Key Id". All tables use this suffix for their auto-increment primary key:

userPkId = user primary key id
projectPkId = project primary key id
codingSessionPkId = coding session primary key id

Foreign key references also use PkId suffix to indicate they reference a primary key (e.g., userPkId column in project table references user.userPkId).

TypeScript

Strict mode enabled (strict: true)
Shared types in cwc-types package; duplicating types in separate projects leads to inconsistencies, incompatibility, confusion, and extra work
Never use any - prefer unknown if type is truly unknown
Use string literal union types, not enums
Use type for entity definitions, not interface
Use undefined, never null - simplifies code by avoiding explicit checks for both values; aligns with TypeScript's optional property syntax (field?: string)
Run typecheck before committing

Details: See packages/cwc-types/CLAUDE.md for complete TypeScript patterns and type generation.

Path Construction (Searchability)

Use concatenated path strings in path.join() for better searchability:

// ✅ GOOD - searchable for "deployment/servers.json"
path.join(secretsPath, 'deployment/servers.json')

// ❌ AVOID - searching for "deployment/servers.json" won't find this
path.join(secretsPath, 'deployment', 'servers.json')

Exception: Directory navigation with .. should remain segmented:

// This is fine - navigating up directories
path.join(__dirname, '..', '..', 'templates')

Naming Conventions for Configuration Values

Clarity is critical for maintainability. Configuration names should clearly indicate:

What the value is for (its purpose)
Where it's used (which service/context)

Examples:

sqlClientApiKey - Clear: API key for SQL Client authentication
authenticationPublicKey - Unclear: Could apply to any auth system

Package-specific prefixes: When a configuration value is only used by one package, prefix it with the package context to avoid ambiguity:

storageLogPath / STORAGE_LOG_PATH - Clear: log path for cwc-storage
logPath / LOG_PATH - Unclear: which service uses this?
contentCacheMaxSize / CONTENT_CACHE_MAX_SIZE - Clear: cache setting for cwc-content
cacheMaxSize / CACHE_MAX_SIZE - Unclear: which service uses this cache?

Secret and API Key Generation

Use crypto.randomBytes() for generating secrets and API keys:

import crypto from 'crypto';

// Generate a 256-bit (32-byte) cryptographically secure random key
const apiKey = crypto.randomBytes(32).toString('hex'); // 64-character hex string

This produces cryptographically secure random values suitable for:

API keys (e.g., STORAGE_API_KEY)
JWT secrets (e.g., USER_JWT_SECRET)
Any symmetric secret requiring high entropy

Cloud-Agnostic Microservices

CWC uses a microservices architecture deployed as Docker containers potentially deployed across multiple datacenters.

Vendor lock-in is a real business risk. Cloud providers can change pricing, deny service access, or deprecate features at any time.
Cloud-agnostic microservices architecture allows switching hosting providers with minimal effort.
Preparation for Scale - can scale by adding infrastructure (more containers, load balancers) rather than rewriting code and specific services can be scaled based on actual load patterns

Environment Configuration

NODE_ENV vs RUNTIME_ENVIRONMENT:

Variable	Purpose	Set By	Values
`NODE_ENV`	Build-time behavior	npm/bundlers	`development`, `production`, `test`
`RUNTIME_ENVIRONMENT`	Application runtime behavior	CWC deployment	`dev`, `test`, `prod`, `unit`, `e2e`

NODE_ENV (npm/Node.js ecosystem):

Controls build optimizations (minification, tree-shaking)
Affects dependency installation behavior
CWC does NOT read this in application config

RUNTIME_ENVIRONMENT (CWC application):

Controls application behavior (email sending, error verbosity, feature flags)
Type: RuntimeEnvironment from cwc-types
CWC config system reads this via loadConfig()

Rules:

Test scripts: RUNTIME_ENVIRONMENT=unit jest (not NODE_ENV=unit)
Backend config: Always read RUNTIME_ENVIRONMENT, never NODE_ENV
Each package reads configuration from .env file tailored to the runtime environment

1-to-1 Naming Convention:

Use consistent naming across all runtime environment references for searchability and clarity:

Runtime Environment	Env File	Config Flag	Mock Function
`dev`	`dev.cwc-*.env`	`isDev`	`createMockDevConfig()`
`prod`	`prod.cwc-*.env`	`isProd`	`createMockProdConfig()`
`unit`	`unit.cwc-*.env`	`isUnit`	`createMockUnitConfig()`
`e2e`	`e2e.cwc-*.env`	`isE2E`	`createMockE2EConfig()`
`test`	`test.cwc-*.env`	`isTest`	`createMockTestConfig()`

This consistency enables searching for Dev or Prod to find all related code paths.

Development Process

Tool, Framework, Version selection

mainstream, widely accepted, and thoroughly tested & proven tools only
the desire is to use the latest stable versions of the various tools

Adopt a "roll-your-own" mentality

we want to minimize the number of unnecessary dependencies to avoid headaches when upgrading our core tech stack
when it makes sense, we will build our own components and utilities rather than relying on a 3rd party package

Code Review Workflow Patterns

CRITICAL: When the developer provides comprehensive code review feedback and requests step-by-step discussion.

Developer Should Continue Providing Comprehensive Feedback Lists

Encourage the developer to provide ALL feedback items in a single comprehensive list. This is highly valuable because:

Gives full context about scope of changes
Allows identification of dependencies between issues
Helps spot patterns across multiple points
More efficient than addressing issues one at a time

Never discourage comprehensive feedback. The issue is not the list size, but how Claude Code presents the response.

Recognize Step-by-Step Request Signals

When the developer says any of these phrases:

"review each of these in order step by step"
"discuss each point one by one"
"let's go through these one at a time"
"walk me through each item"

This is a request for ITERATIVE discussion, not a comprehensive dump of all analysis.

Step-by-Step Review Pattern (Default for Code Reviews)

When developer provides comprehensive feedback with step-by-step request:

✅ Correct approach:

Present ONLY Point 1 with:
- The developer's original feedback for that point
- Claude's analysis and thoughts
- Any clarifying questions needed
- Recommendation for what to do
Wait for developer response and engage in discussion if needed
After Point 1 is resolved, present Point 2 using same format
Continue iteratively through all points
After all points discussed, ask "Ready to implement?" and show summary of agreed changes

Message format for each point:

## Point N: [Topic Name]

**Your Feedback:**
[Quote the developer's original feedback for this point]

**My Analysis:**
[Thoughts on this specific point only]

**Questions:** [If clarification needed]
- Question 1?
- Question 2?

**Recommendation:**
[What Claude thinks should be done]

---
*Waiting for your thoughts on Point N before moving to Point N+1.*

❌ What NOT to do:

Present all 10-15 points with full analysis at once
Make the developer reference "Point 7" or scroll to find what they want to discuss
Skip the iterative conversation pattern when explicitly requested

Alternative: Full Analysis First Pattern

Only use this pattern when developer explicitly requests it:

Developer says:

"Give me your analysis on all points first"
"Show me all your recommendations, then we'll discuss"
"I want to see the big picture before deciding"

In this case:

Present comprehensive analysis of all points
Wait for developer to identify which points need discussion
Focus conversation only on points developer has questions about

Benefits of Step-by-Step Pattern

Easy to follow: Each message is focused on one decision
Encourages discussion: Natural to discuss one topic at a time
No reference confusion: No need to say "regarding Point 7..."
Clear progress: Both parties know exactly where we are in the review
Better decisions: Focused attention leads to better analysis

Implementation Phase

After all review points are discussed and decisions made:

Summarize all agreed changes in a checklist format
Ask for explicit approval to proceed: "Ready to implement these changes?"
Proceed with implementation in logical groups
Update documentation if patterns/learnings emerged during review

never log config.secrets, these values are always REDACTED

Version 3 (latest)

CLAUDE.md

This file provides guidance to Claude Code (claude.ai/code) when working with code in this repository.

CRITICAL: Role and Professional Standards

It is assumed, and imperative, that as a senior engineer, you will do your due diligence:

Required Due Diligence for Every Task

Before proposing any design, architecture, or implementation:

Read all relevant package CLAUDE.md files
- If touching database → read packages/cwc-database/CLAUDE.md
- If defining/modifying types → read packages/cwc-types/CLAUDE.md
- If working with any package → read that package's CLAUDE.md file
- Package-specific conventions MUST be followed
Examine existing code in all affected packages
- Check for existing types, schemas, or utilities before proposing new ones
- Understand established patterns and conventions
- Identify dependencies between packages
Understand the full scope
- Identify all packages affected by the feature or change
- Consider both direct changes and indirect impacts (shared types, utilities, etc.)
- Plan across package boundaries, not in isolation

Cross-Package Feature Planning

When working on features that span multiple packages:

Discovery phase first - Survey the landscape before designing
Read documentation - All relevant package CLAUDE.md files
Examine existing implementations - Check for related code/patterns
Design within constraints - Follow established conventions
Present context with design - Show what you reviewed and how your design follows patterns

Package-Specific Documentation

Claude Code automatically loads all CLAUDE.md files recursively. When working in a specific package or on package-specific tasks, refer to these package documentation files for detailed guidance:

cwc-types → packages/cwc-types/CLAUDE.md
- Type generation from database schema
- Entity type patterns (Strict Base + Partial)
- Union type naming conventions
- Request-scoped caching patterns
cwc-database → packages/cwc-database/CLAUDE.md
- Database schema conventions
- Table/index/view naming patterns
- Migration script patterns
- Database design patterns (JWT tables, multi-step processes, etc.)
cwc-deployment → packages/cwc-deployment/CLAUDE.md
- Deployment system architecture
- SSH-based deployment workflows
- Docker container management
- Troubleshooting and error handling
cwc-schema → packages/cwc-schema/CLAUDE.md
- Schema definition patterns
- Runtime validation functions
- Hybrid validation with Zod
- Column type definitions
cwc-utils → packages/cwc-utils/CLAUDE.md
- Shared utilities (browser + Node.js)
- Profanity checking and content filtering
- Cross-platform compatibility guidelines
- Adding new utilities
cwc-backend-utils → packages/cwc-backend-utils/CLAUDE.md
- Shared Node.js utilities for backend services
- AuthClient, SqlClient, StorageClient
- Express service factory and middleware
- Logger and error handling
cwc-api → packages/cwc-api/CLAUDE.md
- Main data API for cwc-website
- Route and operation access control patterns
- Request pipeline and handler architecture
- Policy enforcement patterns
cwc-auth → packages/cwc-auth/CLAUDE.md
- Authentication microservice
- JWT issuance and validation
- Login/logout/signup flows
- Password reset and multi-step processes
cwc-sql → packages/cwc-sql/CLAUDE.md
- Database access layer
- Dynamic SQL generation
- Query caching patterns
- Transaction handling
cwc-storage → packages/cwc-storage/CLAUDE.md
- File storage microservice
- Project-based directory structure
- API key authentication
- File operations (get/put/delete)
cwc-content → packages/cwc-content/CLAUDE.md
- Content delivery service for coding sessions
- Authenticated proxy to cwc-storage
- LRU cache with TTL (ContentCache)
- Route-level ownership verification
cwc-configuration-helper → packages/cwc-configuration-helper/CLAUDE.md
- CLI for .env file generation
- TypeScript AST parsing for config types
- Centralized runtime configuration
- Secrets file handling
cwc-website → packages/cwc-website/CLAUDE.md
- Public frontend web application
- Next.js with App Router
- React Server Components patterns

Project Overview

What is codingwithclaude?

Project name & aliases

In this document and prompts from the developer, all of these names or phrases are assumed to refer to the project:

coding-with-claude-application
codingwithclaude
coding-with-claude
CWC or cwc

Proactive Documentation Philosophy

CRITICAL: This file is a living knowledge base that must be continuously updated.

Every gap discovered during planning or analysis → Document the pattern to prevent future occurrences
Every critical instruction from the developer → Add to relevant sections immediately
Every "I forgot to do X" moment → Create a checklist or rule to prevent repetition
Every architectural pattern learned → Document it for consistency
Every planning session insight → Capture the learning before implementation begins

When to update CLAUDE.md:

DURING planning sessions - This is where most learning happens through analysis, feedback, and corrections
After receiving critical feedback - Document the expectation immediately
After discovering a bug or oversight - Add checks/rules to prevent it
After analysis reveals gaps - Document what to check in the future
When the developer explains "this is how we do X" - Add it to the guide
After implementing a new feature - Capture any additional patterns discovered during execution

Package-Specific Documentation: When learning package-specific patterns, update the appropriate package CLAUDE.md file, not this root file.

CLAUDE.md File Specification

Purpose: CLAUDE.md files are memory files for AI assistants (like Claude Code), NOT documentation for human developers.

What CLAUDE.md IS for:

Architectural patterns and critical design decisions
Code conventions, naming rules, and style preferences
What to check during planning sessions
Lessons learned and mistakes to avoid
Project-specific security rules and compliance requirements
Critical implementation patterns that must be followed
"If you see X, always do Y" type rules
Checklists for common operations

What CLAUDE.md is NOT for (belongs in README.md):

API documentation and endpoint specifications
Usage examples and tutorials for humans
Setup and installation instructions
General explanations and marketing copy
Step-by-step guides and how-tos
Detailed configuration walkthroughs
Complete type definitions (already in code)
Performance tuning guides for users

File Size Targets:

Warning threshold: 40,000 characters per file (Claude Code performance degrades)
Recommended: Keep under 500 lines when possible for fast loading
Best practice: If a package CLAUDE.md approaches 300-400 lines, review for README-style content
For large packages: Use concise bullet points; move examples to README

Content Guidelines:

Be specific and actionable: "Use 2-space indentation" not "Format code properly"
Focus on patterns: Show the pattern, explain when to use it
Include context for decisions: Why this approach, not alternatives
Use code examples sparingly: Only when pattern is complex
Keep it scannable: Bullet points and clear headers

CLAUDE.md vs README.md:

CLAUDE.md	README.md
For AI assistants	For human developers
Patterns and rules	Complete documentation
What to check/avoid	How to use and setup
Concise and focused	Comprehensive and detailed
Loaded on every session	Read when needed

Documentation Organization in Monorepos

Critical learnings about Claude Code documentation structure:

Claude Code automatically loads all CLAUDE.md files recursively:
- Reads CLAUDE.md in current working directory
- Recurses upward to parent directories (stops at workspace root)
- Discovers nested CLAUDE.md files in subdirectories
- All files are loaded together - they complement, not replace each other
Package-specific CLAUDE.md is the standard pattern for monorepos:
- Root CLAUDE.md contains monorepo-wide conventions (tooling, git workflow, shared patterns)
- Package CLAUDE.md contains package-specific patterns (database schema, deployment, type generation)
- Working from any directory loads both root and relevant package docs automatically
Performance limit: 40,000 characters per file:
- Claude Code shows performance warning when CLAUDE.md exceeds 40k characters
- Solution: Split into package-specific files, not multiple files in .claude/ directory
- Only CLAUDE.md files are automatically loaded; other .md files in .claude/ are NOT
Optimize for AI-assisted coding, not human readers:
- Include patterns, conventions, code examples, and strict rules
- Include "what to check during planning" and "lessons learned" sections
- Exclude content primarily for human developers (marketing copy, general explanations)
- Focus on actionable information needed during coding sessions

When to create package CLAUDE.md:

Package has unique architectural patterns
Package has specific conventions (schema rules, deployment procedures)
Package has domain-specific knowledge (auth flows, type generation)
Package documentation would exceed ~500 lines in root file

File Access Restrictions and Security Boundaries

Claude Code operates under strict file access restrictions to protect sensitive data:

Workspace Boundaries

Claude Code can ONLY access files within the monorepo root: ./coding-with-claude-application
No access to parent directories, system files, or files outside this workspace
This is enforced by Claude Code's security model

Prohibited File Access

Claude Code is explicitly blocked from reading or writing:

Environment files:
- .env files at any location
- .env.* files (e.g., .env.local, .env.production, .env.dev)
- *.env files (e.g., prod.cwc-sql.env, dev.cwc-storage.env, test.cwc-app.env)
- Any variation of environment configuration files
Secret and credential files:
- Any directory named secrets/, secret/, or private/
- Any directory with secret, secrets, or private in its path
- Any file with secret, secrets, private, or credentials in its filename
- Service account JSON files (service-account-*.json)
- Firebase configuration files (google-services.json, GoogleService-Info.plist)
- Any file matching *credentials*.json
Rationale:
- Prevents accidental exposure of API keys, database passwords, and authentication tokens
- Protects production credentials and service account keys
- Reduces risk of sensitive data being included in code examples or logs
- Enforces principle of least privilege

These restrictions are enforced in .claude/settings.json and cannot be overridden during a session.

Git Workflow

The developer handles all git operations manually. Claude should:

Never initiate git commits, pushes, pulls, or any write operations
Only use git for read-only informational purposes (status, diff, log, show)
Not proactively suggest git operations unless explicitly asked

Git write operations are blocked in .claude/settings.json to enforce this workflow.

Architecture Overview

Monorepo Structure

root project: /coding-with-claude-application
packages (apps, microservices, utilities):
- cwc-types: shared TypeScript types to be used in all other packages
- cwc-utils: shared utilities for browser and Node.js (profanity checking, validation helpers, etc.)
- cwc-schema: shared schema management library that may be used by frontend and backend packages
- cwc-deployment: custom deployment CLI for SSH-based deployment to remote servers
- cwc-configuration-helper: CLI tool for generating and validating .env files
- cwc-backend-utils: shared Node.js utilities that backend/api packages will consume
- cwc-database: database scripts to create tables, indexes, views, as well as insert configuration data
- cwc-sql: the only backend service that interacts directly with the database server
- cwc-auth: authentication microservice, providing login, logout, signup, password reset, etc.
- cwc-storage: file storage microservice for coding session content
- cwc-content: content delivery service, authenticated proxy to cwc-storage with caching
- cwc-api: the main data api used by cwc-website to read & write data, enforce auth, role-based access policies, and business rules/logic
- cwc-website: public frontend web application
- cwc-dashboard: an administrative web dashboard app for site owners to manage the app & data
- cwc-admin-api: the admin and data api used by the cwc-dashboard app
- cwc-transcript-parser: CLI tool for parsing Claude transcript JSONL files
- cwc-e2e: a set of end-to-end tests

Tech Stack: to be determined as we build each package, update this documentation as we go.

Development Tooling & Infrastructure

Monorepo Management

pnpm v9.x + Turborepo v2.x

pnpm workspaces for package management and dependency resolution
- Configured in pnpm-workspace.yaml
- Packages located in packages/*
- Uses content-addressable storage for disk efficiency
- Strict dependency resolution prevents phantom dependencies
Turborepo for task orchestration and caching
- Configured in turbo.json
- Intelligent parallel execution based on dependency graph
- Local caching for faster rebuilds
- Pipeline tasks: build, dev, test, lint, typecheck

Node.js Version

Node.js 22 LTS (specified in .nvmrc)
Required for all development and production environments
Use nvm for version management

Code Quality Tools

TypeScript v5.4+

Configured in tsconfig.base.json
Strict mode enabled with enhanced type checking
JavaScript explicitly disallowed (allowJs: false)
Monorepo-optimized with composite projects
Individual packages extend base config

Module Resolution: bundler

Uses "moduleResolution": "bundler" in tsconfig.base.json
Uses "module": "ES2022" (required for bundler resolution)
Allows clean TypeScript imports without .js extensions
- ✅ Correct: import { Schema } from './types'
- ❌ Not needed: import { Schema } from './types.js'
Still produces correct ES module output in compiled JavaScript
Designed for TypeScript projects compiled by tsc or bundlers

Why bundler over NodeNext:

Better DX: No .js extensions in TypeScript source files
Modern standard: Industry standard for TypeScript libraries and monorepos
Same output: Still generates proper ES modules (.js files)
No trade-offs: Type safety and module compatibility maintained

ESLint v8.x with TypeScript

Configured in .eslintrc.json
Uses @typescript-eslint/strict ruleset
Enforces explicit function return types
Prohibits any type and non-null assertions
Strict boolean expressions required

Prettier v3.x

Configured in .prettierrc.json
Standards:
- Single quotes
- 2-space indentation
- 100 character line width
- Trailing commas (ES5)
- LF line endings

Root Scripts

Run from monorepo root using pnpm:

pnpm build - Build all packages (parallel, cached)
pnpm dev - Run all packages in dev mode
pnpm test - Run tests across all packages (parallel, cached)
pnpm lint - Lint all packages (parallel, cached)
pnpm typecheck - Type-check all packages (parallel, cached)
pnpm format - Format all files with Prettier
pnpm format:check - Check formatting without changes

Development Workflow

Before starting work:
- Ensure Node 22 is active: nvm use
- Install dependencies: pnpm install
During development:
- Run dev mode: pnpm dev (in specific package or root)
- Format code: pnpm format
Before committing:
- Type-check: pnpm typecheck
- Lint: pnpm lint
- Format check: pnpm format:check
- Run tests: pnpm test

Package Creation Conventions

When creating a new package in the monorepo:

Version Number: Always start new packages at version 1.0.0 (not 0.0.1)
- Example: "version": "1.0.0" in package.json
- This is a project preference for consistency
Package Structure:
- Follow existing package patterns (see cwc-types as reference)
- Include package.json, tsconfig.json extending base config
- Place source files in src/ directory
- Include appropriate build and typecheck scripts
Package Entry Points (CRITICAL - bundler resolution):
- Point main, types, and exports to ./src/index.ts (NOT ./dist)
- With bundler module resolution, we reference TypeScript source directly
- Example:
```
"main": "./src/index.ts",
"types": "./src/index.ts",
"exports": {
  ".": {
    "types": "./src/index.ts",
    "default": "./src/index.ts"
  }
}
```
- ❌ NEVER use ./dist/index.js or ./dist/index.d.ts
Package Naming:
- Use cwc- prefix for all CWC packages
- Use kebab-case: cwc-types, cwc-backend-utils, etc.
Package Documentation (Required for all packages):
- CLAUDE.md - For AI-assisted coding:
  - Create packages/{package-name}/CLAUDE.md
  - Document architecture decisions, design patterns, and critical implementation details
  - Keep focused on patterns, conventions, and rules for AI assistants
- README.md - For human developers:
  - Create packages/{package-name}/README.md
  - Include setup instructions, API documentation, usage examples
  - Provide comprehensive documentation for developers using the package
- Both files should be created when a new package is built
- Update root CLAUDE.md "Package-Specific Documentation" section to list the new package
Add Package Shortcut Script:
- Add a shortcut script to root package.json for the new package
- Format: "package-name-shortcut": "pnpm --filter cwc-package-name"
- Example: "backend-utils": "pnpm --filter cwc-backend-utils"
- This allows simplified commands: pnpm backend-utils add express instead of pnpm --filter cwc-backend-utils add express
- Keep shortcuts in alphabetical order in the scripts section

Key Architectural Decisions & Patterns

MariaDB Database

Strong Schema Enforcement
Transaction support
Efficient Joins
Data normalization
Sophisticated Querying and Analytics

Details: See packages/cwc-database/CLAUDE.md for complete database schema conventions.

PkId Naming Convention

PkId stands for "Primary Key Id". All tables use this suffix for their auto-increment primary key:

userPkId = user primary key id
projectPkId = project primary key id
codingSessionPkId = coding session primary key id

Foreign key references also use PkId suffix to indicate they reference a primary key (e.g., userPkId column in project table references user.userPkId).

TypeScript

Strict mode enabled (strict: true)
Shared types in cwc-types package; duplicating types in separate projects leads to inconsistencies, incompatibility, confusion, and extra work
Never use any - prefer unknown if type is truly unknown
Use string literal union types, not enums
Use type for entity definitions, not interface
Use undefined, never null - simplifies code by avoiding explicit checks for both values; aligns with TypeScript's optional property syntax (field?: string)
Run typecheck before committing

Details: See packages/cwc-types/CLAUDE.md for complete TypeScript patterns and type generation.

Path Construction (Searchability)

Use concatenated path strings in path.join() for better searchability:

// ✅ GOOD - searchable for "deployment/servers.json"
path.join(secretsPath, 'deployment/servers.json')

// ❌ AVOID - searching for "deployment/servers.json" won't find this
path.join(secretsPath, 'deployment', 'servers.json')

Exception: Directory navigation with .. should remain segmented:

// This is fine - navigating up directories
path.join(__dirname, '..', '..', 'templates')

Naming Conventions for Configuration Values

Clarity is critical for maintainability. Configuration names should clearly indicate:

What the value is for (its purpose)
Where it's used (which service/context)

Examples:

sqlClientApiKey - Clear: API key for SQL Client authentication
authenticationPublicKey - Unclear: Could apply to any auth system

Package-specific prefixes: When a configuration value is only used by one package, prefix it with the package context to avoid ambiguity:

storageLogPath / STORAGE_LOG_PATH - Clear: log path for cwc-storage
logPath / LOG_PATH - Unclear: which service uses this?
contentCacheMaxSize / CONTENT_CACHE_MAX_SIZE - Clear: cache setting for cwc-content
cacheMaxSize / CACHE_MAX_SIZE - Unclear: which service uses this cache?

Secret and API Key Generation

Use crypto.randomBytes() for generating secrets and API keys:

import crypto from 'crypto';

// Generate a 256-bit (32-byte) cryptographically secure random key
const apiKey = crypto.randomBytes(32).toString('hex'); // 64-character hex string

This produces cryptographically secure random values suitable for:

API keys (e.g., STORAGE_API_KEY)
JWT secrets (e.g., USER_JWT_SECRET)
Any symmetric secret requiring high entropy

Cloud-Agnostic Microservices

CWC uses a microservices architecture deployed as Docker containers potentially deployed across multiple datacenters.

Vendor lock-in is a real business risk. Cloud providers can change pricing, deny service access, or deprecate features at any time.
Cloud-agnostic microservices architecture allows switching hosting providers with minimal effort.
Preparation for Scale - can scale by adding infrastructure (more containers, load balancers) rather than rewriting code and specific services can be scaled based on actual load patterns

Environment Configuration

NODE_ENV vs RUNTIME_ENVIRONMENT:

Variable	Purpose	Set By	Values
`NODE_ENV`	Build-time behavior	npm/bundlers	`development`, `production`, `test`
`RUNTIME_ENVIRONMENT`	Application runtime behavior	CWC deployment	`dev`, `test`, `prod`, `unit`, `e2e`

NODE_ENV (npm/Node.js ecosystem):

Controls build optimizations (minification, tree-shaking)
Affects dependency installation behavior
CWC does NOT read this in application config

RUNTIME_ENVIRONMENT (CWC application):

Controls application behavior (email sending, error verbosity, feature flags)
Type: RuntimeEnvironment from cwc-types
CWC config system reads this via loadConfig()

Rules:

Test scripts: RUNTIME_ENVIRONMENT=unit jest (not NODE_ENV=unit)
Backend config: Always read RUNTIME_ENVIRONMENT, never NODE_ENV
Each package reads configuration from .env file tailored to the runtime environment

1-to-1 Naming Convention:

Use consistent naming across all runtime environment references for searchability and clarity:

Runtime Environment	Env File	Config Flag	Mock Function
`dev`	`dev.cwc-*.env`	`isDev`	`createMockDevConfig()`
`prod`	`prod.cwc-*.env`	`isProd`	`createMockProdConfig()`
`unit`	`unit.cwc-*.env`	`isUnit`	`createMockUnitConfig()`
`e2e`	`e2e.cwc-*.env`	`isE2E`	`createMockE2EConfig()`
`test`	`test.cwc-*.env`	`isTest`	`createMockTestConfig()`

This consistency enables searching for Dev or Prod to find all related code paths.

Development Process

Tool, Framework, Version selection

mainstream, widely accepted, and thoroughly tested & proven tools only
the desire is to use the latest stable versions of the various tools

Adopt a "roll-your-own" mentality

we want to minimize the number of unnecessary dependencies to avoid headaches when upgrading our core tech stack
when it makes sense, we will build our own components and utilities rather than relying on a 3rd party package

Code Review Workflow Patterns

CRITICAL: When the developer provides comprehensive code review feedback and requests step-by-step discussion.

Developer Should Continue Providing Comprehensive Feedback Lists

Encourage the developer to provide ALL feedback items in a single comprehensive list. This is highly valuable because:

Gives full context about scope of changes
Allows identification of dependencies between issues
Helps spot patterns across multiple points
More efficient than addressing issues one at a time

Never discourage comprehensive feedback. The issue is not the list size, but how Claude Code presents the response.

Recognize Step-by-Step Request Signals

When the developer says any of these phrases:

"review each of these in order step by step"
"discuss each point one by one"
"let's go through these one at a time"
"walk me through each item"

This is a request for ITERATIVE discussion, not a comprehensive dump of all analysis.

Step-by-Step Review Pattern (Default for Code Reviews)

When developer provides comprehensive feedback with step-by-step request:

✅ Correct approach:

Present ONLY Point 1 with:
- The developer's original feedback for that point
- Claude's analysis and thoughts
- Any clarifying questions needed
- Recommendation for what to do
Wait for developer response and engage in discussion if needed
After Point 1 is resolved, present Point 2 using same format
Continue iteratively through all points
After all points discussed, ask "Ready to implement?" and show summary of agreed changes

Message format for each point:

## Point N: [Topic Name]

**Your Feedback:**
[Quote the developer's original feedback for this point]

**My Analysis:**
[Thoughts on this specific point only]

**Questions:** [If clarification needed]
- Question 1?
- Question 2?

**Recommendation:**
[What Claude thinks should be done]

---
*Waiting for your thoughts on Point N before moving to Point N+1.*

❌ What NOT to do:

Present all 10-15 points with full analysis at once
Make the developer reference "Point 7" or scroll to find what they want to discuss
Skip the iterative conversation pattern when explicitly requested

Alternative: Full Analysis First Pattern

Only use this pattern when developer explicitly requests it:

Developer says:

"Give me your analysis on all points first"
"Show me all your recommendations, then we'll discuss"
"I want to see the big picture before deciding"

In this case:

Present comprehensive analysis of all points
Wait for developer to identify which points need discussion
Focus conversation only on points developer has questions about

Benefits of Step-by-Step Pattern

Easy to follow: Each message is focused on one decision
Encourages discussion: Natural to discuss one topic at a time
No reference confusion: No need to say "regarding Point 7..."
Clear progress: Both parties know exactly where we are in the review
Better decisions: Focused attention leads to better analysis

Implementation Phase

After all review points are discussed and decisions made:

Summarize all agreed changes in a checklist format
Ask for explicit approval to proceed: "Ready to implement these changes?"
Proceed with implementation in logical groups
Update documentation if patterns/learnings emerged during review

never log config.secrets, these values are always REDACTED

package.json

{
  "name": "coding-with-claude-application",
  "version": "1.0.0",
  "private": true,
  "description": "A multi-tenant developer publishing platform",
  "scripts": {
    "build": "turbo run build",
    "dev": "turbo run dev",
    "test": "turbo run test",
    "lint": "turbo run lint",
    "typecheck": "turbo run typecheck",
    "format": "prettier --write \"**/*.{ts,tsx,js,jsx,json,md,yml,yaml}\"",
    "format:check": "prettier --check \"**/*.{ts,tsx,js,jsx,json,md,yml,yaml}\"",
    "api": "pnpm --filter cwc-api",
    "auth": "pnpm --filter cwc-auth",
    "backend-utils": "pnpm --filter cwc-backend-utils",
    "config-helper": "pnpm --filter cwc-configuration-helper",
    "content": "pnpm --filter cwc-content",
    "database": "pnpm --filter cwc-database",
    "deployment": "pnpm --filter cwc-deployment",
    "schema": "pnpm --filter cwc-schema",
    "sql": "pnpm --filter cwc-sql",
    "storage": "pnpm --filter cwc-storage",
    "transcript-parser": "pnpm --filter cwc-transcript-parser",
    "types": "pnpm --filter cwc-types",
    "utils": "pnpm --filter cwc-utils",
    "website": "pnpm --filter cwc-website"
  },
  "devDependencies": {
    "@typescript-eslint/eslint-plugin": "^8.0.0",
    "@typescript-eslint/parser": "^8.0.0",
    "eslint": "^9.0.0",
    "prettier": "^3.2.5",
    "turbo": "^2.0.0",
    "typescript": "^5.4.5",
    "typescript-eslint": "^8.47.0"
  },
  "engines": {
    "node": ">=22.0.0",
    "pnpm": ">=9.0.0"
  },
  "packageManager": "pnpm@9.12.3"
}

packages/cwc-backend-utils/CLAUDE.md

cwc-backend-utils Package

Backend utilities for CWC microservices. Node.js-specific utilities only.

Critical Architecture Rule

Only cwc-sql Talks to Database:

✅ All backend services MUST use SqlClient HTTP client
✅ All database operations flow through cwc-sql service via POST /data/v1/command
❌ NEVER import MariaDB or execute SQL from other packages

AuthClient - cwc-auth HTTP Client

Location: src/AuthClient/

HTTP client for cwc-auth service, following same pattern as SqlClient.

Purpose:

Provides typed interface for cwc-auth /verify-token endpoint
Enables services to verify JWTs without duplicating auth logic
Returns simplified VerifyTokenResult for easy consumption

Configuration:

type AuthClientConfig = {
  authUri: string; // e.g., 'http://localhost:5005/auth/v1'
  timeout?: number; // Default: 5000ms
};

Usage:

import { AuthClient } from 'cwc-backend-utils';

const authClient = new AuthClient({
  config: { authUri: config.authUri },
  logger: logger,
  clientName: 'cwc-api',
});

const result = await authClient.verifyToken(authHeader);
if (result.success) {
  // result.payload contains UserJwtPayload
} else {
  // result.error contains error code
}

Error Handling:

Missing token → { success: false, error: 'MISSING_TOKEN' }
Invalid/expired token (401) → { success: false, error: 'INVALID_TOKEN' } or specific errorCode
Network/timeout errors → { success: false, error: 'AUTH_SERVICE_ERROR' } + logs error

Design Pattern:

Similar to SqlClient: config + logger + clientName
Graceful degradation: errors don't throw, return typed failure result
Logging: Only logs unexpected errors (network issues, timeouts), not auth failures

StorageClient - cwc-storage HTTP Client

Location: src/StorageClient/

HTTP client for cwc-storage service, following same pattern as AuthClient.

Purpose:

Provides typed interface for cwc-storage file operations
Handles GET, PUT, DELETE operations for session data files
Returns typed Result objects for easy error handling

Configuration:

type StorageClientConfig = {
  storageUri: string; // e.g., 'http://localhost:5030/storage/v1'
  storageApiKey: string; // API key for x-api-key header
  timeout?: number; // Default: 30000ms (GET/DELETE), 60000ms (PUT)
};

Usage:

import { StorageClient } from 'cwc-backend-utils';

const storageClient = new StorageClient({
  config: {
    storageUri: config.storageUri,
    storageApiKey: config.secrets.storageApiKey,
  },
  logger: logger,
  clientName: 'cwc-content',
});

// Get file
const getResult = await storageClient.getFile(projectId, filename);
if (getResult.success) {
  // getResult.data is Buffer
} else {
  // getResult.error is error code
}

// Put file
const putResult = await storageClient.putFile(projectId, filename, base64Data);
if (putResult.success) {
  // putResult.filename is the stored filename
}

// Delete file
const deleteResult = await storageClient.deleteFile(projectId, filename);

Error Handling:

File not found (400) → { success: false, error: 'FILE_NOT_FOUND' }
Unauthorized (401) → { success: false, error: 'UNAUTHORIZED' }
Network/timeout errors → { success: false, error: 'STORAGE_SERVICE_ERROR' } + logs error
Write failed → { success: false, error: 'STORAGE_WRITE_FAILED' }
Delete failed → { success: false, error: 'STORAGE_DELETE_FAILED' }

Design Pattern:

Same as AuthClient: config + logger + clientName
Uses x-api-key header for authentication (matching cwc-storage)
Graceful degradation: errors don't throw, return typed failure result
Logging: Only logs unexpected errors (network issues, timeouts)

JWT Authentication - CRITICAL Security Rules

Token Specifications:

Algorithm: RS256 (RSA public/private key pairs)
Expiration: 30 seconds (short-lived by design)
Auto-refresh: Generate new token when <5s remain before expiry
Payload: { dataJwtId, clientName, exp, iat }

Key File Locations:

Local development: getSecretsSqlClientApiKeysPath() → ~/coding-with-claude/private/cwc-secrets/sql-client-api-keys/
Server deployment: ./sql-client-api-keys/

CORS Configuration - Environment-Specific Behavior

Dev (isDev: true):

Reflects request origin in Access-Control-Allow-Origin
Allows credentials
Wide open for local development

Test (isTest: true):

Allows devCorsOrigin for localhost development against test services
Falls back to corsOrigin for other requests
Browser security enforces origin headers (cannot be forged)

Prod (isProd: true):

Strict corsOrigin only
No dynamic origins

Rate Limiting Configuration

Configurable via BackendUtilsConfig:

rateLimiterPoints - Max requests per duration (default: 100)
rateLimiterDuration - Time window in seconds (default: 60)
Returns 429 status when exceeded
Memory-based rate limiting per IP

Local Secrets Path Functions

Location: src/localSecretsPaths.ts

Centralized path functions for local development secrets using os.homedir().

Path Resolution:

Local (dev/unit/e2e): Uses absolute paths via os.homedir() → ~/coding-with-claude/private/cwc-secrets
Server (test/prod): Uses relative paths from deployment directory (e.g., ./sql-client-api-keys)

Functions:

Function	Returns (local)	Returns (server)
`getSecretsPath()`	`~/coding-with-claude/private/cwc-secrets`	N/A (local only)
`getSecretsEnvPath()`	`{base}/env`	N/A (local only)
`getSecretsSqlClientApiKeysPath(runningLocally)`	`{base}/sql-client-api-keys`	`./sql-client-api-keys`
`getSecretsConfigHelperPath(runningLocally)`	`{base}/configuration-helper`	`./configuration-helper`
`getSecretsDeploymentPath(runningLocally)`	`{base}/deployment`	`./deployment`
`getSecretsEnvFilePath(runningLocally, env, service)`	`{base}/env/{env}.{service}.env`	`.env.{env}`

Usage:

import { getSecretsEnvFilePath, getSecretsSqlClientApiKeysPath } from 'cwc-backend-utils';

const runningLocally = config.isDev || config.isUnit || config.isE2E;

// Get .env file path (encapsulates local vs server logic)
const envPath = getSecretsEnvFilePath(runningLocally, 'dev', 'cwc-api');
// Local: /Users/.../coding-with-claude/private/cwc-secrets/env/dev.cwc-api.env
// Server: .env.dev

// Get SQL keys path (encapsulates local vs server logic)
const keysPath = getSecretsSqlClientApiKeysPath(runningLocally);
// Local: /Users/.../coding-with-claude/private/cwc-secrets/sql-client-api-keys
// Server: ./sql-client-api-keys

Environment Loading - loadDotEnv

loadDotEnv Path Resolution:

Local development (dev/unit/e2e):

Uses getSecretsEnvFilePath(environment, serviceName)
Path: ~/coding-with-claude/private/cwc-secrets/env/{environment}.{serviceName}.env

Server deployment (test/prod):

Path: .env.{environment} relative to process.cwd()

CRITICAL: Data path pattern MUST include service name to prevent conflicts:

Pattern: {deploymentName}-{serviceName}/data
Example: test-cwc-database/data vs test-mariadb/data

Logger Error Handling

Direct Database Write:

Logger uses SqlClient internally to write to errorLog table
Automatically truncates fields to DB limits (error: 2000 chars, stack: 2000 chars)
Extracts message and stack from Error objects
JSON serializes objects automatically
Tags all logs with serviceName
Debug mode only: logInformation and logDebug output

Express Service Factory - Built-in Middleware

Automatically applies (in order):

Rate Limiter - Memory-based per IP
Helmet - Security headers
CORS - Environment-specific origins
Invalid Routes - Blocks non-registered paths
Error Handling - Captures and logs errors

Invalid Routes Protection:

Rejects HTTP methods not in allowGet/allowPost/allowOptions
Rejects paths that don't start with registered API paths
Returns 400 status with "unsupported" message

Request Utilities

getRemoteIpAddress(req) resolution order:

x-real-ip header (set by nginx proxy)
origin header hostname
req.ip (strips ::ffff: IPv6 prefix if present)

Critical Bugs to Avoid

Environment Variables:

Use process.env['VAR_NAME'] bracket notation (not dot notation)
Use 'dev' not 'development' (matches RuntimeEnvironment type)
Use 'prod' not 'production'

Type Safety:

Extend Express.Request in global namespace, not express-serve-static-core

Configuration Types

BackendUtilsConfig: Complete config with SqlClient/database features

Includes: dataUri, logErrorsToDatabase

BackendUtilsConfigBasic: Simplified config without SqlClient

Omits: dataUri, logErrorsToDatabase
Use for services that don't need database access

Node.js Compatibility

Node.js-only package:

✅ CAN use Node.js APIs (fs, path, crypto, os, http, etc.)
✅ CAN use Node.js-specific packages
❌ NOT browser-compatible
Target: Node.js 22+

Adding New Utilities

Utilities that belong here:

File system operations
Environment configuration helpers
Server-side hashing/crypto
Request/response formatting
Error handling utilities
Logging helpers
JWT utilities
API response builders
Node.js-specific validation

Utilities that DON'T belong here:

Cross-platform utilities → Use cwc-utils
Type definitions → Use cwc-types
Schema definitions → Use cwc-schema
Database queries → Use cwc-database or cwc-sql

Related Packages

Consumed By:

cwc-api, cwc-auth, cwc-admin-api, cwc-sql - All backend microservices

Depends On:

cwc-types (workspace) - Shared TypeScript types

packages/cwc-backend-utils/src/backendUtils.types.ts

import http from 'node:http';
import { RequestHandler } from 'express';
import express from 'express';

export type BackendServiceName =
  | 'cwc-admin-api'
  | 'cwc-api'
  | 'cwc-auth'
  | 'cwc-content'
  | 'cwc-sql'
  | 'cwc-storage';

export type BackendUtilsConfig = {
  debugMode: boolean;
  dataUri: string;
  logErrorsToDatabase: boolean;
  isDev: boolean;
  isTest: boolean;
  isProd: boolean;
  isUnit: boolean;
  isE2E: boolean;
  corsOrigin: string;
  servicePort: number;
  rateLimiterPoints: number;
  rateLimiterDuration: number;
  // development settings
  devCorsOrigin: string;
  // End-to-end testing mock values
  endToEndMockValues?: Record<string, string> | undefined;
};

// Simplified config for services that don't use SqlClient or database logging
export type BackendUtilsConfigBasic = Omit<BackendUtilsConfig, 'dataUri' | 'logErrorsToDatabase'>;

// *********************************
// SqlClient
// *********************************

export type SqlClientToken = string;

export type SqlClientOperationType = 'delete' | 'insert' | 'select' | 'update';

export type SqlClientOperationName = string;
export type SqlClientOperationTable = string;

export type SqlClientOperationFilters = {
  [key: string]: string | number | boolean | number[];
};

export type SqlClientOperationFields = string[] | undefined;

export type SqlClientOperationValues = {
  [key: string]: string | number | boolean | undefined | unknown | unknown[];
};

export type SqlClientOperationSortItem = {
  fieldName: string;
  direction?: string;
};

export type SqlClientOperationSort = SqlClientOperationSortItem[];

export type SqlClientOperationLimit = {
  recordCount: number;
  startIndex: number;
};

export type SqlClientOperationCustomSql = string;

export type SqlClientOperationCustomParam = string | number | boolean;

export type SqlClientOperationCustomParams = {
  [key: string]: SqlClientOperationCustomParam;
};

// **********************************
// sort example:
// **********************************
// const sort = [ {fieldName: 'username', direction: 'ASC' }, {fieldName: 'groupName', direction: 'DESC' }];

export type SqlClientOperationCustom = {
  customSql: SqlClientOperationCustomSql;
  customParams: SqlClientOperationCustomParams;
  customTables: SqlClientOperationTable[];
};

export type SqlClientOperation = {
  operationType: SqlClientOperationType;
  name?: SqlClientOperationName | undefined;
  table: SqlClientOperationTable | undefined;
  fields?: SqlClientOperationFields | undefined;
  filters?: SqlClientOperationFilters | undefined;
  values?: SqlClientOperationValues | undefined;
  sort?: SqlClientOperationSort | undefined;
  limit?: SqlClientOperationLimit | undefined;
  custom?: SqlClientOperationCustom | undefined;
  filterCount?: boolean | undefined; // return a count of records matching filters
};

export type SqlClientSchemaOptions = {
  userPkId: number | undefined;
};

export type Schema = {
  [key: string]: object;
};

export type SqlClientSchemaResponse = {
  data: Schema;
};

export type SqlClientCommand = {
  transaction: boolean;
  operations: SqlClientOperation[];
  filterCount: boolean; // return filtered record count with results
};

export type SqlClientExecuteOptions = {
  userPkId: number | undefined;
  command: SqlClientCommand;
};

export interface SqlClientQueryResponse {
  [key: string]: unknown[] | undefined;
}

export type SqlClientMutationResult = {
  affectedRows?: number;
  insertId?: number;
  changedRows?: number;
};

export interface SqlClientMutationResponse {
  [key: string]: SqlClientMutationResult;
}

export type SqlClientExecuteQuery = (
  options: SqlClientExecuteOptions
) => Promise<SqlClientQueryResponse | undefined>;

export type SqlClientExecuteMutation = (
  options: SqlClientExecuteOptions
) => Promise<SqlClientMutationResponse | undefined>;

export type VerifySqlClientCredentialsOptions = {
  userPkId: number | undefined;
  authToken: string | undefined;
  invokedBy: string;
};

export type DeleteCommandOptions = Omit<
  SqlClientOperation,
  'operationType' | 'fields' | 'values' | 'sort' | 'limit' | 'custom'
>;

export type InsertCommandOptions = Omit<
  SqlClientOperation,
  'operationType' | 'fields' | 'filters' | 'sort' | 'limit' | 'custom'
>;

export type SelectCommandOptions = Omit<SqlClientOperation, 'operationType' | 'values'>;

export type UpdateCommandOptions = Omit<
  SqlClientOperation,
  'operationType' | 'fields' | 'sort' | 'limit' | 'custom'
>;

export type OperationDetails = Omit<SqlClientOperation, 'table' | 'operationType'>;

export type AddOperationOptions = {
  command: SqlClientCommand;
  table: string | undefined;
  operationType: SqlClientOperationType;
  operationDetails: OperationDetails;
};

export type SqlClientType = {
  query: ({
    userPkId,
    command,
  }: SqlClientExecuteOptions) => Promise<SqlClientQueryResponse | undefined>;
  mutate: ({
    userPkId,
    command,
  }: SqlClientExecuteOptions) => Promise<SqlClientMutationResponse | undefined>;

  getFirstResult: <ResultType>(
    response: SqlClientQueryResponse | undefined
  ) => ResultType | undefined;

  getSecondResult: <ResultType>(
    response: SqlClientQueryResponse | undefined
  ) => ResultType | undefined;

  getResult: <ResultType>(
    response: SqlClientQueryResponse | undefined,
    name: string,
    index: number
  ) => ResultType | undefined;

  getFirstResults: <ResultType>(response: SqlClientQueryResponse | undefined) => ResultType[];

  getSecondResults: <ResultType>(response: SqlClientQueryResponse | undefined) => ResultType[];

  getResults: <ResultType>(
    response: SqlClientQueryResponse | undefined,
    name: string
  ) => ResultType[];

  getInsertResult: (
    response: SqlClientMutationResponse | undefined,
    operationName?: string
  ) => boolean;

  getInsertResultId: (
    response: SqlClientMutationResponse | undefined,
    operationName?: string
  ) => number | undefined;

  getUpdateResult: (
    response: SqlClientMutationResponse | undefined,
    operationName?: string
  ) => boolean;

  getDeleteResult: (
    response: SqlClientMutationResponse | undefined,
    operationName?: string
  ) => boolean;

  emptyCommand: (transaction: boolean) => SqlClientCommand;

  deleteCommand: ({ name, table, filters }: DeleteCommandOptions) => SqlClientCommand;

  insertCommand: ({ name, table, values }: InsertCommandOptions) => SqlClientCommand;

  selectCommand: ({
    name,
    table,
    filters,
    fields,
    sort,
    limit,
    custom,
    filterCount,
  }: SelectCommandOptions) => SqlClientCommand;

  updateCommand: ({ name, table, filters, values }: UpdateCommandOptions) => SqlClientCommand;

  addOperation: ({
    command,
    table,
    operationType,
    operationDetails,
  }: AddOperationOptions) => SqlClientOperation | undefined;
};

// *********************************
// Logger
// *********************************

export interface ILogger {
  logDebug: ({ codeLocation, message, value }: LogDebugOptions) => void;
  logError: ({ codeLocation, message, error, value, request }: LogErrorOptions) => Promise<void>;
  logInformation: ({ codeLocation, message, value }: LogInformationOptions) => void;
}

export type LogErrorOptions = {
  userPkId: number | undefined;
  codeLocation: string;
  message: string;
  error?: unknown | Error | object | string;
  value?: object | string | unknown;
  request?: string | unknown;
};

export type LogInformationOptions = {
  userPkId: number | undefined;
  codeLocation: string;
  message: string;
  value?: object | string;
  request?: string | unknown;
};

export type LogDebugOptions = {
  userPkId: number | undefined;
  codeLocation: string;
  message: string;
  value?: object | string;
  request?: string | unknown;
};

// *********************************
// express
// *********************************

export interface ExpressApi {
  version: number;
  handler: RequestHandler;
  path: string;
}

export type ExpressCorsOptions = {
  config: BackendUtilsConfig;
  allowPost: boolean;
  allowOptions: boolean;
  allowGet: boolean;
};

export type ExpressInvalidRoutesOptions = {
  apis: ExpressApi[];
  allowPost: boolean;
  allowOptions: boolean;
  allowGet: boolean;
};

export type ExpressRateLimiterOptions = {
  config: BackendUtilsConfig;
};

export type ExpressServiceOptions = {
  config: BackendUtilsConfig | BackendUtilsConfigBasic;
  serviceName: BackendServiceName;
  apis: ExpressApi[];
  allowPost: boolean;
  allowOptions: boolean;
  allowGet: boolean;
  payloadLimit: string | undefined; // eg: 2mb
};

export type ExpressService = {
  expressApp: express.Express;
  httpServer: http.Server<typeof http.IncomingMessage, typeof http.ServerResponse>;
  start(apis: ExpressApi[]): void;
};

packages/cwc-backend-utils/src/index.ts

export * from './SqlClient';
export * from './AuthClient';
export * from './StorageClient';
export * from './Logger';
export * from './SqlClientKeysUtil';
export * from './backendUtils.types';
export * from './express';
export * from './loadDotEnv';
export * from './localSecretsPaths';
export * from './configHelpers';

packages/cwc-backend-utils/src/StorageClient/index.ts

export { StorageClient } from './StorageClient';
export type {
  StorageClientConfig,
  StorageClientOptions,
  GetFileResult,
  PutFileResult,
  DeleteFileResult,
} from './StorageClient';

packages/cwc-backend-utils/src/StorageClient/StorageClient.ts

import axios from 'axios';
import type { ILogger } from '../backendUtils.types';

const codeLocation = 'StorageClient/StorageClient.ts';

export type StorageClientConfig = {
  storageUri: string;
  storageApiKey: string;
  timeout?: number | undefined;
};

export type StorageClientOptions = {
  config: StorageClientConfig;
  logger: ILogger | undefined;
  clientName: string;
};

export type GetFileResult =
  | { success: true; data: Buffer }
  | { success: false; error: string };

export type PutFileResult =
  | { success: true; filename: string }
  | { success: false; error: string };

export type DeleteFileResult =
  | { success: true; filename: string }
  | { success: false; error: string };

type StorageApiResponse = {
  success: boolean;
  data: unknown;
};

/**
 * HTTP client for cwc-storage service
 * Following same pattern as AuthClient
 */
export class StorageClient {
  private config: StorageClientConfig;
  private logger: ILogger | undefined;
  private clientName: string;

  constructor(options: StorageClientOptions) {
    this.config = options.config;
    this.logger = options.logger;
    this.clientName = options.clientName;
  }

  /**
   * Get a file from storage
   */
  async getFile(projectId: string, filename: string): Promise<GetFileResult> {
    try {
      const response = await axios.post<StorageApiResponse>(
        `${this.config.storageUri}/coding-session-data-get`,
        { projectId, filename },
        {
          headers: { 'x-api-key': this.config.storageApiKey },
          timeout: this.config.timeout ?? 30000,
          responseType: 'json',
        }
      );

      const data = response.data;

      if (data.success && data.data) {
        // data.data is the file content - convert to Buffer if string
        const content =
          typeof data.data === 'string' ? Buffer.from(data.data, 'base64') : (data.data as Buffer);
        return { success: true, data: content };
      }

      return { success: false, error: 'FILE_NOT_FOUND' };
    } catch (error) {
      if (axios.isAxiosError(error) && error.response?.status === 400) {
        return { success: false, error: 'FILE_NOT_FOUND' };
      }

      if (axios.isAxiosError(error) && error.response?.status === 401) {
        return { success: false, error: 'UNAUTHORIZED' };
      }

      this.logger?.logError({
        userPkId: undefined,
        codeLocation,
        message: `[${this.clientName}] Failed to get file from storage: ${projectId}/${filename}`,
        error,
      });

      return { success: false, error: 'STORAGE_SERVICE_ERROR' };
    }
  }

  /**
   * Put a file into storage
   */
  async putFile(projectId: string, filename: string, data: string): Promise<PutFileResult> {
    try {
      const response = await axios.post<StorageApiResponse>(
        `${this.config.storageUri}/coding-session-data-put`,
        { projectId, filename, dataUri: data },
        {
          headers: { 'x-api-key': this.config.storageApiKey },
          timeout: this.config.timeout ?? 60000,
        }
      );

      const responseData = response.data;

      if (responseData.success) {
        return { success: true, filename: responseData.data as string };
      }

      return { success: false, error: 'STORAGE_WRITE_FAILED' };
    } catch (error) {
      if (axios.isAxiosError(error) && error.response?.status === 401) {
        return { success: false, error: 'UNAUTHORIZED' };
      }

      this.logger?.logError({
        userPkId: undefined,
        codeLocation,
        message: `[${this.clientName}] Failed to put file to storage: ${projectId}/${filename}`,
        error,
      });

      return { success: false, error: 'STORAGE_SERVICE_ERROR' };
    }
  }

  /**
   * Delete a file from storage
   */
  async deleteFile(projectId: string, filename: string): Promise<DeleteFileResult> {
    try {
      const response = await axios.post<StorageApiResponse>(
        `${this.config.storageUri}/coding-session-data-delete`,
        { projectId, filename },
        {
          headers: { 'x-api-key': this.config.storageApiKey },
          timeout: this.config.timeout ?? 30000,
        }
      );

      const responseData = response.data;

      if (responseData.success) {
        return { success: true, filename: responseData.data as string };
      }

      return { success: false, error: 'STORAGE_DELETE_FAILED' };
    } catch (error) {
      if (axios.isAxiosError(error) && error.response?.status === 401) {
        return { success: false, error: 'UNAUTHORIZED' };
      }

      this.logger?.logError({
        userPkId: undefined,
        codeLocation,
        message: `[${this.clientName}] Failed to delete file from storage: ${projectId}/${filename}`,
        error,
      });

      return { success: false, error: 'STORAGE_SERVICE_ERROR' };
    }
  }
}

packages/cwc-configuration-helper/src/configuration.ts

3 versions

Version 1

import type { RuntimeEnvironment } from 'cwc-types';

/*
----------------------------------------------------------
Service Configuration
----------------------------------------------------------

Service ports (used for both Docker and localhost development):

service               port
-------               ----
cwc-admin-api         5004
cwc-auth              5005
cwc-content           5008
cwc-sql               5020
cwc-storage           5030
cwc-api               5040
cwc-website           (nginx)
cwc-dashboard         (nginx)

For Docker Compose deployments, services communicate via DNS names (e.g., cwc-sql:5020).
For localhost development, services communicate via localhost (e.g., localhost:5020).

See docker-compose-upgrade.md in cwc-deployment for migration details.
*/

export type RuntimeConfigValues = {
  corsOrigin: string;
  devCorsOrigin: string;
  authUri: string;
  dataUri: string;
  storageUri: string;
  appUrl: string;
  debugMode: boolean; // maps to ON | OFF
  logErrorsToDatabase: boolean; // maps to ON | OFF
  userJwtExpiresIn: string;
  userJwtExpiresInKulo: string;
  tempJwtExpiresIn: string;
  smtp:
    | {
        useSandbox: boolean; // maps to ON | OFF
        sandboxAddress: string; // recipient email when sandbox is ON
        serviceName: string;
        authType: string; // OAuth2
        senderAddress: string;
        senderName: string;
      }
    | undefined;
  endToEndMockValues: Record<string, string> | undefined;
  databaseServer: string;
  databaseName: string;
  databaseConnectTimeout: number;
  databaseConnectionAcquireTimeout: number;
  databaseConnectionQueueLimit: number;
  databaseConnectionLimit: number;
  queryCacheEnabled: boolean;
  queryCacheTtl: number; // minutes
  queryCacheMaxKeys: number;
  storageVolumePath: string; // cwc-storage service
  storageLogPath: string; // cwc-storage service
  cacheMaxSize: number; // cwc-content cache max entries
  cacheTtlMs: number; // cwc-content cache TTL in milliseconds
};

type RuntimeConfigs = Record<RuntimeEnvironment, RuntimeConfigValues>;

const runtimeConfigs: RuntimeConfigs = {
  prod: {
    corsOrigin: 'codingwithclaude.dev',
    devCorsOrigin: 'http://localhost:3000',
    authUri: 'http://cwc-auth:5005/auth/v1',
    dataUri: 'http://cwc-sql:5020/data/v1',
    storageUri: 'http://cwc-storage:5030/storage/v1',
    logErrorsToDatabase: true,
    userJwtExpiresIn: '15m',
    userJwtExpiresInKulo: '30d',
    tempJwtExpiresIn: '5m',
    appUrl: 'https://codingwithclaude.dev',
    debugMode: false,
    smtp: {
      useSandbox: false,
      sandboxAddress: 'sandbox@codingwithclaude.dev',
      serviceName: 'gmail',
      authType: 'OAuth2',
      senderAddress: 'support@codingwithclaude.dev',
      senderName: 'Coding with Claude',
    },
    endToEndMockValues: undefined,
    databaseServer: 'cwc-database',
    databaseName: 'cwc',
    databaseConnectTimeout: 10000,
    databaseConnectionAcquireTimeout: 30000,
    databaseConnectionQueueLimit: 1000,
    databaseConnectionLimit: 20,
    queryCacheEnabled: true,
    queryCacheTtl: 5, // minutes
    queryCacheMaxKeys: 1000,
    storageVolumePath: '~/cwc-storage',
    storageLogPath: '~/cwc-logs',
  },
  test: {
    corsOrigin: 'test.codingwithclaude.dev',
    devCorsOrigin: 'http://localhost:3000',
    authUri: 'http://cwc-auth:5005/auth/v1',
    dataUri: 'http://cwc-sql:5020/data/v1',
    storageUri: 'http://cwc-storage:5030/storage/v1',
    logErrorsToDatabase: true,
    userJwtExpiresIn: '15m',
    userJwtExpiresInKulo: '30d',
    tempJwtExpiresIn: '5m',
    appUrl: 'https://test.codingwithclaude.dev',
    debugMode: false,
    smtp: {
      useSandbox: true,
      sandboxAddress: 'sandbox@codingwithclaude.dev',
      serviceName: 'gmail',
      authType: 'OAuth2',
      senderAddress: 'support@codingwithclaude.dev',
      senderName: 'Coding with Claude',
    },
    endToEndMockValues: undefined,
    databaseServer: 'cwc-database',
    databaseName: 'cwc',
    databaseConnectTimeout: 10000,
    databaseConnectionAcquireTimeout: 30000,
    databaseConnectionQueueLimit: 1000,
    databaseConnectionLimit: 20,
    queryCacheEnabled: true,
    queryCacheTtl: 5, // minutes
    queryCacheMaxKeys: 1000,
    storageVolumePath: '~/cwc-storage',
    storageLogPath: '~/cwc-logs',
  },
  dev: {
    corsOrigin: '*',
    devCorsOrigin: 'http://localhost:3000',
    authUri: 'http://localhost:5005/auth/v1',
    dataUri: 'http://localhost:5020/data/v1',
    storageUri: 'http://localhost:5030/storage/v1',
    logErrorsToDatabase: true,
    userJwtExpiresIn: '15m',
    userJwtExpiresInKulo: '30d',
    tempJwtExpiresIn: '5m',
    appUrl: 'http://localhost:3000',
    debugMode: false,
    smtp: {
      useSandbox: true,
      sandboxAddress: 'sandbox@codingwithclaude.dev',
      serviceName: 'gmail',
      authType: 'OAuth2',
      senderAddress: 'support@codingwithclaude.dev',
      senderName: 'Coding with Claude',
    },
    endToEndMockValues: undefined,
    databaseServer: 'cwc-database',
    databaseName: 'cwc',
    databaseConnectTimeout: 10000,
    databaseConnectionAcquireTimeout: 30000,
    databaseConnectionQueueLimit: 1000,
    databaseConnectionLimit: 20,
    queryCacheEnabled: true,
    queryCacheTtl: 5, // minutes
    queryCacheMaxKeys: 1000,
    storageVolumePath: '~/cwc-storage',
    storageLogPath: '~/cwc-logs',
  },
  unit: {
    corsOrigin: '*',
    devCorsOrigin: 'http://localhost:3000',
    authUri: 'http://localhost:5005/auth/v1',
    dataUri: 'http://localhost:5020/data/v1',
    storageUri: 'http://localhost:5030/storage/v1',
    logErrorsToDatabase: false,
    userJwtExpiresIn: '15m',
    userJwtExpiresInKulo: '30d',
    tempJwtExpiresIn: '5m',
    appUrl: 'http://localhost:3000',
    debugMode: false,
    smtp: {
      useSandbox: true,
      sandboxAddress: 'sandbox@codingwithclaude.dev',
      serviceName: 'gmail',
      authType: 'OAuth2',
      senderAddress: 'support@codingwithclaude.dev',
      senderName: 'Coding with Claude',
    },
    endToEndMockValues: undefined,
    databaseServer: 'cwc-database',
    databaseName: 'cwc',
    databaseConnectTimeout: 10000,
    databaseConnectionAcquireTimeout: 30000,
    databaseConnectionQueueLimit: 1000,
    databaseConnectionLimit: 20,
    queryCacheEnabled: true,
    queryCacheTtl: 5, // minutes
    queryCacheMaxKeys: 1000,
    storageVolumePath: '~/cwc-storage',
    storageLogPath: '~/cwc-logs',
  },
  e2e: {
    corsOrigin: '*',
    devCorsOrigin: 'http://localhost:3000',
    authUri: 'http://localhost:5005/auth/v1',
    dataUri: 'http://localhost:5020/data/v1',
    storageUri: 'http://localhost:5030/storage/v1',
    logErrorsToDatabase: false,
    userJwtExpiresIn: '15m',
    userJwtExpiresInKulo: '30d',
    tempJwtExpiresIn: '5m',
    appUrl: 'http://localhost:3000',
    debugMode: false,
    smtp: {
      useSandbox: true,
      sandboxAddress: 'sandbox@codingwithclaude.dev',
      serviceName: 'gmail',
      authType: 'OAuth2',
      senderAddress: 'support@codingwithclaude.dev',
      senderName: 'Coding with Claude',
    },
    endToEndMockValues: {
      testValue: 'just a test',
    },
    databaseServer: 'cwc-database',
    databaseName: 'cwc',
    databaseConnectTimeout: 10000,
    databaseConnectionAcquireTimeout: 30000,
    databaseConnectionQueueLimit: 1000,
    databaseConnectionLimit: 20,
    queryCacheEnabled: true,
    queryCacheTtl: 5, // minutes
    queryCacheMaxKeys: 1000,
    storageVolumePath: '~/cwc-storage',
    storageLogPath: '~/cwc-logs',
  },
};

// Services can optionally override runtime config values
export type ServiceConfigValues = Partial<RuntimeConfigValues> & {
  // The port that the service listens on
  port: number | undefined;

  // Rate limiting configuration
  rateLimiter:
    | {
        // Rate Limiter Example: 100 points / 60 seconds = max 100 requests per minute per IP
        points: number; // Maximum number of requests allowed per duration
        duration: number; // Time window in seconds
      }
    | undefined;

  // Services may provide mock values for end to end testing
  endToEndTestingMockValues: string | undefined;
};

export type ServiceName =
  | 'cwc-api'
  | 'cwc-auth'
  | 'cwc-sql'
  | 'cwc-storage'
  | 'cwc-website'
  | 'cwc-dashboard'
  | 'cwc-content'
  | 'cwc-admin-api';

type ServiceConfigs = Record<ServiceName, ServiceConfigValues>;

const serviceConfigs: ServiceConfigs = {
  'cwc-api': {
    port: 5040,
    rateLimiter: {
      points: 15,
      duration: 1,
    },
    endToEndTestingMockValues: undefined,
  },
  'cwc-auth': {
    port: 5005,
    rateLimiter: {
      points: 15,
      duration: 1,
    },
    endToEndTestingMockValues: undefined,
  },
  'cwc-sql': {
    port: 5020,
    rateLimiter: undefined,
    endToEndTestingMockValues: undefined,
  },
  'cwc-storage': {
    port: 5030,
    rateLimiter: {
      points: 15,
      duration: 1,
    },
    endToEndTestingMockValues: undefined,
  },
  'cwc-website': {
    port: undefined,
    rateLimiter: undefined,
    endToEndTestingMockValues: undefined,
  },
  'cwc-dashboard': {
    port: undefined,
    rateLimiter: undefined,
    endToEndTestingMockValues: undefined,
  },
  'cwc-content': {
    port: 5008,
    rateLimiter: {
      points: 15,
      duration: 1,
    },
    endToEndTestingMockValues: undefined,
  },
  'cwc-admin-api': {
    port: 5004,
    rateLimiter: {
      points: 15,
      duration: 1,
    },
    endToEndTestingMockValues: undefined,
  },
};

/**
 * Gets the merged configuration for a service in a specific runtime environment.
 * Service-specific values override runtime defaults.
 */
export const getConfig = (
  runtimeEnv: RuntimeEnvironment,
  serviceName: ServiceName
): ServiceConfigValues => {
  const runtimeValues = runtimeConfigs[runtimeEnv];
  const serviceValues = serviceConfigs[serviceName];

  // Allow serviceValues to override runtimeValues
  return {
    ...runtimeValues,
    ...serviceValues,
  };
};

/**
 * Checks if a package name is a known service
 */
export const isKnownService = (packageName: string): packageName is ServiceName => {
  return packageName in serviceConfigs;
};

Version 2

import type { RuntimeEnvironment } from 'cwc-types';

/*
----------------------------------------------------------
Service Configuration
----------------------------------------------------------

Service ports (used for both Docker and localhost development):

service               port
-------               ----
cwc-admin-api         5004
cwc-auth              5005
cwc-content           5008
cwc-sql               5020
cwc-storage           5030
cwc-api               5040
cwc-website           (nginx)
cwc-dashboard         (nginx)

For Docker Compose deployments, services communicate via DNS names (e.g., cwc-sql:5020).
For localhost development, services communicate via localhost (e.g., localhost:5020).

See docker-compose-upgrade.md in cwc-deployment for migration details.
*/

export type RuntimeConfigValues = {
  corsOrigin: string;
  devCorsOrigin: string;
  authUri: string;
  dataUri: string;
  storageUri: string;
  appUrl: string;
  debugMode: boolean; // maps to ON | OFF
  logErrorsToDatabase: boolean; // maps to ON | OFF
  userJwtExpiresIn: string;
  userJwtExpiresInKulo: string;
  tempJwtExpiresIn: string;
  smtp:
    | {
        useSandbox: boolean; // maps to ON | OFF
        sandboxAddress: string; // recipient email when sandbox is ON
        serviceName: string;
        authType: string; // OAuth2
        senderAddress: string;
        senderName: string;
      }
    | undefined;
  endToEndMockValues: Record<string, string> | undefined;
  databaseServer: string;
  databaseName: string;
  databaseConnectTimeout: number;
  databaseConnectionAcquireTimeout: number;
  databaseConnectionQueueLimit: number;
  databaseConnectionLimit: number;
  queryCacheEnabled: boolean;
  queryCacheTtl: number; // minutes
  queryCacheMaxKeys: number;
  storageVolumePath: string; // cwc-storage service
  storageLogPath: string; // cwc-storage service
  cacheMaxSize: number; // cwc-content cache max entries
  cacheTtlMs: number; // cwc-content cache TTL in milliseconds
};

type RuntimeConfigs = Record<RuntimeEnvironment, RuntimeConfigValues>;

const runtimeConfigs: RuntimeConfigs = {
  prod: {
    corsOrigin: 'codingwithclaude.dev',
    devCorsOrigin: 'http://localhost:3000',
    authUri: 'http://cwc-auth:5005/auth/v1',
    dataUri: 'http://cwc-sql:5020/data/v1',
    storageUri: 'http://cwc-storage:5030/storage/v1',
    logErrorsToDatabase: true,
    userJwtExpiresIn: '15m',
    userJwtExpiresInKulo: '30d',
    tempJwtExpiresIn: '5m',
    appUrl: 'https://codingwithclaude.dev',
    debugMode: false,
    smtp: {
      useSandbox: false,
      sandboxAddress: 'sandbox@codingwithclaude.dev',
      serviceName: 'gmail',
      authType: 'OAuth2',
      senderAddress: 'support@codingwithclaude.dev',
      senderName: 'Coding with Claude',
    },
    endToEndMockValues: undefined,
    databaseServer: 'cwc-database',
    databaseName: 'cwc',
    databaseConnectTimeout: 10000,
    databaseConnectionAcquireTimeout: 30000,
    databaseConnectionQueueLimit: 1000,
    databaseConnectionLimit: 20,
    queryCacheEnabled: true,
    queryCacheTtl: 5, // minutes
    queryCacheMaxKeys: 1000,
    storageVolumePath: '~/cwc-storage',
    storageLogPath: '~/cwc-logs',
    cacheMaxSize: 100,
    cacheTtlMs: 300000, // 5 minutes
  },
  test: {
    corsOrigin: 'test.codingwithclaude.dev',
    devCorsOrigin: 'http://localhost:3000',
    authUri: 'http://cwc-auth:5005/auth/v1',
    dataUri: 'http://cwc-sql:5020/data/v1',
    storageUri: 'http://cwc-storage:5030/storage/v1',
    logErrorsToDatabase: true,
    userJwtExpiresIn: '15m',
    userJwtExpiresInKulo: '30d',
    tempJwtExpiresIn: '5m',
    appUrl: 'https://test.codingwithclaude.dev',
    debugMode: false,
    smtp: {
      useSandbox: true,
      sandboxAddress: 'sandbox@codingwithclaude.dev',
      serviceName: 'gmail',
      authType: 'OAuth2',
      senderAddress: 'support@codingwithclaude.dev',
      senderName: 'Coding with Claude',
    },
    endToEndMockValues: undefined,
    databaseServer: 'cwc-database',
    databaseName: 'cwc',
    databaseConnectTimeout: 10000,
    databaseConnectionAcquireTimeout: 30000,
    databaseConnectionQueueLimit: 1000,
    databaseConnectionLimit: 20,
    queryCacheEnabled: true,
    queryCacheTtl: 5, // minutes
    queryCacheMaxKeys: 1000,
    storageVolumePath: '~/cwc-storage',
    storageLogPath: '~/cwc-logs',
    cacheMaxSize: 100,
    cacheTtlMs: 300000, // 5 minutes
  },
  dev: {
    corsOrigin: '*',
    devCorsOrigin: 'http://localhost:3000',
    authUri: 'http://localhost:5005/auth/v1',
    dataUri: 'http://localhost:5020/data/v1',
    storageUri: 'http://localhost:5030/storage/v1',
    logErrorsToDatabase: true,
    userJwtExpiresIn: '15m',
    userJwtExpiresInKulo: '30d',
    tempJwtExpiresIn: '5m',
    appUrl: 'http://localhost:3000',
    debugMode: false,
    smtp: {
      useSandbox: true,
      sandboxAddress: 'sandbox@codingwithclaude.dev',
      serviceName: 'gmail',
      authType: 'OAuth2',
      senderAddress: 'support@codingwithclaude.dev',
      senderName: 'Coding with Claude',
    },
    endToEndMockValues: undefined,
    databaseServer: 'cwc-database',
    databaseName: 'cwc',
    databaseConnectTimeout: 10000,
    databaseConnectionAcquireTimeout: 30000,
    databaseConnectionQueueLimit: 1000,
    databaseConnectionLimit: 20,
    queryCacheEnabled: true,
    queryCacheTtl: 5, // minutes
    queryCacheMaxKeys: 1000,
    storageVolumePath: '~/cwc-storage',
    storageLogPath: '~/cwc-logs',
    cacheMaxSize: 100,
    cacheTtlMs: 300000, // 5 minutes
  },
  unit: {
    corsOrigin: '*',
    devCorsOrigin: 'http://localhost:3000',
    authUri: 'http://localhost:5005/auth/v1',
    dataUri: 'http://localhost:5020/data/v1',
    storageUri: 'http://localhost:5030/storage/v1',
    logErrorsToDatabase: false,
    userJwtExpiresIn: '15m',
    userJwtExpiresInKulo: '30d',
    tempJwtExpiresIn: '5m',
    appUrl: 'http://localhost:3000',
    debugMode: false,
    smtp: {
      useSandbox: true,
      sandboxAddress: 'sandbox@codingwithclaude.dev',
      serviceName: 'gmail',
      authType: 'OAuth2',
      senderAddress: 'support@codingwithclaude.dev',
      senderName: 'Coding with Claude',
    },
    endToEndMockValues: undefined,
    databaseServer: 'cwc-database',
    databaseName: 'cwc',
    databaseConnectTimeout: 10000,
    databaseConnectionAcquireTimeout: 30000,
    databaseConnectionQueueLimit: 1000,
    databaseConnectionLimit: 20,
    queryCacheEnabled: true,
    queryCacheTtl: 5, // minutes
    queryCacheMaxKeys: 1000,
    storageVolumePath: '~/cwc-storage',
    storageLogPath: '~/cwc-logs',
    cacheMaxSize: 100,
    cacheTtlMs: 300000, // 5 minutes
  },
  e2e: {
    corsOrigin: '*',
    devCorsOrigin: 'http://localhost:3000',
    authUri: 'http://localhost:5005/auth/v1',
    dataUri: 'http://localhost:5020/data/v1',
    storageUri: 'http://localhost:5030/storage/v1',
    logErrorsToDatabase: false,
    userJwtExpiresIn: '15m',
    userJwtExpiresInKulo: '30d',
    tempJwtExpiresIn: '5m',
    appUrl: 'http://localhost:3000',
    debugMode: false,
    smtp: {
      useSandbox: true,
      sandboxAddress: 'sandbox@codingwithclaude.dev',
      serviceName: 'gmail',
      authType: 'OAuth2',
      senderAddress: 'support@codingwithclaude.dev',
      senderName: 'Coding with Claude',
    },
    endToEndMockValues: {
      testValue: 'just a test',
    },
    databaseServer: 'cwc-database',
    databaseName: 'cwc',
    databaseConnectTimeout: 10000,
    databaseConnectionAcquireTimeout: 30000,
    databaseConnectionQueueLimit: 1000,
    databaseConnectionLimit: 20,
    queryCacheEnabled: true,
    queryCacheTtl: 5, // minutes
    queryCacheMaxKeys: 1000,
    storageVolumePath: '~/cwc-storage',
    storageLogPath: '~/cwc-logs',
    cacheMaxSize: 100,
    cacheTtlMs: 300000, // 5 minutes
  },
};

// Services can optionally override runtime config values
export type ServiceConfigValues = Partial<RuntimeConfigValues> & {
  // The port that the service listens on
  port: number | undefined;

  // Rate limiting configuration
  rateLimiter:
    | {
        // Rate Limiter Example: 100 points / 60 seconds = max 100 requests per minute per IP
        points: number; // Maximum number of requests allowed per duration
        duration: number; // Time window in seconds
      }
    | undefined;

  // Services may provide mock values for end to end testing
  endToEndTestingMockValues: string | undefined;
};

export type ServiceName =
  | 'cwc-api'
  | 'cwc-auth'
  | 'cwc-sql'
  | 'cwc-storage'
  | 'cwc-website'
  | 'cwc-dashboard'
  | 'cwc-content'
  | 'cwc-admin-api';

type ServiceConfigs = Record<ServiceName, ServiceConfigValues>;

const serviceConfigs: ServiceConfigs = {
  'cwc-api': {
    port: 5040,
    rateLimiter: {
      points: 15,
      duration: 1,
    },
    endToEndTestingMockValues: undefined,
  },
  'cwc-auth': {
    port: 5005,
    rateLimiter: {
      points: 15,
      duration: 1,
    },
    endToEndTestingMockValues: undefined,
  },
  'cwc-sql': {
    port: 5020,
    rateLimiter: undefined,
    endToEndTestingMockValues: undefined,
  },
  'cwc-storage': {
    port: 5030,
    rateLimiter: {
      points: 15,
      duration: 1,
    },
    endToEndTestingMockValues: undefined,
  },
  'cwc-website': {
    port: undefined,
    rateLimiter: undefined,
    endToEndTestingMockValues: undefined,
  },
  'cwc-dashboard': {
    port: undefined,
    rateLimiter: undefined,
    endToEndTestingMockValues: undefined,
  },
  'cwc-content': {
    port: 5008,
    rateLimiter: {
      points: 15,
      duration: 1,
    },
    endToEndTestingMockValues: undefined,
  },
  'cwc-admin-api': {
    port: 5004,
    rateLimiter: {
      points: 15,
      duration: 1,
    },
    endToEndTestingMockValues: undefined,
  },
};

/**
 * Gets the merged configuration for a service in a specific runtime environment.
 * Service-specific values override runtime defaults.
 */
export const getConfig = (
  runtimeEnv: RuntimeEnvironment,
  serviceName: ServiceName
): ServiceConfigValues => {
  const runtimeValues = runtimeConfigs[runtimeEnv];
  const serviceValues = serviceConfigs[serviceName];

  // Allow serviceValues to override runtimeValues
  return {
    ...runtimeValues,
    ...serviceValues,
  };
};

/**
 * Checks if a package name is a known service
 */
export const isKnownService = (packageName: string): packageName is ServiceName => {
  return packageName in serviceConfigs;
};

Version 3 (latest)

import type { RuntimeEnvironment } from 'cwc-types';

/*
----------------------------------------------------------
Service Configuration
----------------------------------------------------------

Service ports (used for both Docker and localhost development):

service               port
-------               ----
cwc-admin-api         5004
cwc-auth              5005
cwc-content           5008
cwc-sql               5020
cwc-storage           5030
cwc-api               5040
cwc-website           (nginx)
cwc-dashboard         (nginx)

For Docker Compose deployments, services communicate via DNS names (e.g., cwc-sql:5020).
For localhost development, services communicate via localhost (e.g., localhost:5020).

See docker-compose-upgrade.md in cwc-deployment for migration details.
*/

export type RuntimeConfigValues = {
  corsOrigin: string;
  devCorsOrigin: string;
  authUri: string;
  dataUri: string;
  storageUri: string;
  appUrl: string;
  debugMode: boolean; // maps to ON | OFF
  logErrorsToDatabase: boolean; // maps to ON | OFF
  userJwtExpiresIn: string;
  userJwtExpiresInKulo: string;
  tempJwtExpiresIn: string;
  smtp:
    | {
        useSandbox: boolean; // maps to ON | OFF
        sandboxAddress: string; // recipient email when sandbox is ON
        serviceName: string;
        authType: string; // OAuth2
        senderAddress: string;
        senderName: string;
      }
    | undefined;
  endToEndMockValues: Record<string, string> | undefined;
  databaseServer: string;
  databaseName: string;
  databaseConnectTimeout: number;
  databaseConnectionAcquireTimeout: number;
  databaseConnectionQueueLimit: number;
  databaseConnectionLimit: number;
  queryCacheEnabled: boolean;
  queryCacheTtl: number; // minutes
  queryCacheMaxKeys: number;
  storageVolumePath: string; // cwc-storage service
  storageLogPath: string; // cwc-storage service
  contentCacheMaxSize: number; // cwc-content cache max entries
  contentCacheTtlMs: number; // cwc-content cache TTL in milliseconds
};

type RuntimeConfigs = Record<RuntimeEnvironment, RuntimeConfigValues>;

const runtimeConfigs: RuntimeConfigs = {
  prod: {
    corsOrigin: 'codingwithclaude.dev',
    devCorsOrigin: 'http://localhost:3000',
    authUri: 'http://cwc-auth:5005/auth/v1',
    dataUri: 'http://cwc-sql:5020/data/v1',
    storageUri: 'http://cwc-storage:5030/storage/v1',
    logErrorsToDatabase: true,
    userJwtExpiresIn: '15m',
    userJwtExpiresInKulo: '30d',
    tempJwtExpiresIn: '5m',
    appUrl: 'https://codingwithclaude.dev',
    debugMode: false,
    smtp: {
      useSandbox: false,
      sandboxAddress: 'sandbox@codingwithclaude.dev',
      serviceName: 'gmail',
      authType: 'OAuth2',
      senderAddress: 'support@codingwithclaude.dev',
      senderName: 'Coding with Claude',
    },
    endToEndMockValues: undefined,
    databaseServer: 'cwc-database',
    databaseName: 'cwc',
    databaseConnectTimeout: 10000,
    databaseConnectionAcquireTimeout: 30000,
    databaseConnectionQueueLimit: 1000,
    databaseConnectionLimit: 20,
    queryCacheEnabled: true,
    queryCacheTtl: 5, // minutes
    queryCacheMaxKeys: 1000,
    storageVolumePath: '~/cwc-storage',
    storageLogPath: '~/cwc-logs',
    contentCacheMaxSize: 100,
    contentCacheTtlMs: 300000, // 5 minutes
  },
  test: {
    corsOrigin: 'test.codingwithclaude.dev',
    devCorsOrigin: 'http://localhost:3000',
    authUri: 'http://cwc-auth:5005/auth/v1',
    dataUri: 'http://cwc-sql:5020/data/v1',
    storageUri: 'http://cwc-storage:5030/storage/v1',
    logErrorsToDatabase: true,
    userJwtExpiresIn: '15m',
    userJwtExpiresInKulo: '30d',
    tempJwtExpiresIn: '5m',
    appUrl: 'https://test.codingwithclaude.dev',
    debugMode: false,
    smtp: {
      useSandbox: true,
      sandboxAddress: 'sandbox@codingwithclaude.dev',
      serviceName: 'gmail',
      authType: 'OAuth2',
      senderAddress: 'support@codingwithclaude.dev',
      senderName: 'Coding with Claude',
    },
    endToEndMockValues: undefined,
    databaseServer: 'cwc-database',
    databaseName: 'cwc',
    databaseConnectTimeout: 10000,
    databaseConnectionAcquireTimeout: 30000,
    databaseConnectionQueueLimit: 1000,
    databaseConnectionLimit: 20,
    queryCacheEnabled: true,
    queryCacheTtl: 5, // minutes
    queryCacheMaxKeys: 1000,
    storageVolumePath: '~/cwc-storage',
    storageLogPath: '~/cwc-logs',
    contentCacheMaxSize: 100,
    contentCacheTtlMs: 300000, // 5 minutes
  },
  dev: {
    corsOrigin: '*',
    devCorsOrigin: 'http://localhost:3000',
    authUri: 'http://localhost:5005/auth/v1',
    dataUri: 'http://localhost:5020/data/v1',
    storageUri: 'http://localhost:5030/storage/v1',
    logErrorsToDatabase: true,
    userJwtExpiresIn: '15m',
    userJwtExpiresInKulo: '30d',
    tempJwtExpiresIn: '5m',
    appUrl: 'http://localhost:3000',
    debugMode: false,
    smtp: {
      useSandbox: true,
      sandboxAddress: 'sandbox@codingwithclaude.dev',
      serviceName: 'gmail',
      authType: 'OAuth2',
      senderAddress: 'support@codingwithclaude.dev',
      senderName: 'Coding with Claude',
    },
    endToEndMockValues: undefined,
    databaseServer: 'cwc-database',
    databaseName: 'cwc',
    databaseConnectTimeout: 10000,
    databaseConnectionAcquireTimeout: 30000,
    databaseConnectionQueueLimit: 1000,
    databaseConnectionLimit: 20,
    queryCacheEnabled: true,
    queryCacheTtl: 5, // minutes
    queryCacheMaxKeys: 1000,
    storageVolumePath: '~/cwc-storage',
    storageLogPath: '~/cwc-logs',
    contentCacheMaxSize: 100,
    contentCacheTtlMs: 300000, // 5 minutes
  },
  unit: {
    corsOrigin: '*',
    devCorsOrigin: 'http://localhost:3000',
    authUri: 'http://localhost:5005/auth/v1',
    dataUri: 'http://localhost:5020/data/v1',
    storageUri: 'http://localhost:5030/storage/v1',
    logErrorsToDatabase: false,
    userJwtExpiresIn: '15m',
    userJwtExpiresInKulo: '30d',
    tempJwtExpiresIn: '5m',
    appUrl: 'http://localhost:3000',
    debugMode: false,
    smtp: {
      useSandbox: true,
      sandboxAddress: 'sandbox@codingwithclaude.dev',
      serviceName: 'gmail',
      authType: 'OAuth2',
      senderAddress: 'support@codingwithclaude.dev',
      senderName: 'Coding with Claude',
    },
    endToEndMockValues: undefined,
    databaseServer: 'cwc-database',
    databaseName: 'cwc',
    databaseConnectTimeout: 10000,
    databaseConnectionAcquireTimeout: 30000,
    databaseConnectionQueueLimit: 1000,
    databaseConnectionLimit: 20,
    queryCacheEnabled: true,
    queryCacheTtl: 5, // minutes
    queryCacheMaxKeys: 1000,
    storageVolumePath: '~/cwc-storage',
    storageLogPath: '~/cwc-logs',
    contentCacheMaxSize: 100,
    contentCacheTtlMs: 300000, // 5 minutes
  },
  e2e: {
    corsOrigin: '*',
    devCorsOrigin: 'http://localhost:3000',
    authUri: 'http://localhost:5005/auth/v1',
    dataUri: 'http://localhost:5020/data/v1',
    storageUri: 'http://localhost:5030/storage/v1',
    logErrorsToDatabase: false,
    userJwtExpiresIn: '15m',
    userJwtExpiresInKulo: '30d',
    tempJwtExpiresIn: '5m',
    appUrl: 'http://localhost:3000',
    debugMode: false,
    smtp: {
      useSandbox: true,
      sandboxAddress: 'sandbox@codingwithclaude.dev',
      serviceName: 'gmail',
      authType: 'OAuth2',
      senderAddress: 'support@codingwithclaude.dev',
      senderName: 'Coding with Claude',
    },
    endToEndMockValues: {
      testValue: 'just a test',
    },
    databaseServer: 'cwc-database',
    databaseName: 'cwc',
    databaseConnectTimeout: 10000,
    databaseConnectionAcquireTimeout: 30000,
    databaseConnectionQueueLimit: 1000,
    databaseConnectionLimit: 20,
    queryCacheEnabled: true,
    queryCacheTtl: 5, // minutes
    queryCacheMaxKeys: 1000,
    storageVolumePath: '~/cwc-storage',
    storageLogPath: '~/cwc-logs',
    contentCacheMaxSize: 100,
    contentCacheTtlMs: 300000, // 5 minutes
  },
};

// Services can optionally override runtime config values
export type ServiceConfigValues = Partial<RuntimeConfigValues> & {
  // The port that the service listens on
  port: number | undefined;

  // Rate limiting configuration
  rateLimiter:
    | {
        // Rate Limiter Example: 100 points / 60 seconds = max 100 requests per minute per IP
        points: number; // Maximum number of requests allowed per duration
        duration: number; // Time window in seconds
      }
    | undefined;

  // Services may provide mock values for end to end testing
  endToEndTestingMockValues: string | undefined;
};

export type ServiceName =
  | 'cwc-api'
  | 'cwc-auth'
  | 'cwc-sql'
  | 'cwc-storage'
  | 'cwc-website'
  | 'cwc-dashboard'
  | 'cwc-content'
  | 'cwc-admin-api';

type ServiceConfigs = Record<ServiceName, ServiceConfigValues>;

const serviceConfigs: ServiceConfigs = {
  'cwc-api': {
    port: 5040,
    rateLimiter: {
      points: 15,
      duration: 1,
    },
    endToEndTestingMockValues: undefined,
  },
  'cwc-auth': {
    port: 5005,
    rateLimiter: {
      points: 15,
      duration: 1,
    },
    endToEndTestingMockValues: undefined,
  },
  'cwc-sql': {
    port: 5020,
    rateLimiter: undefined,
    endToEndTestingMockValues: undefined,
  },
  'cwc-storage': {
    port: 5030,
    rateLimiter: {
      points: 15,
      duration: 1,
    },
    endToEndTestingMockValues: undefined,
  },
  'cwc-website': {
    port: undefined,
    rateLimiter: undefined,
    endToEndTestingMockValues: undefined,
  },
  'cwc-dashboard': {
    port: undefined,
    rateLimiter: undefined,
    endToEndTestingMockValues: undefined,
  },
  'cwc-content': {
    port: 5008,
    rateLimiter: {
      points: 15,
      duration: 1,
    },
    endToEndTestingMockValues: undefined,
  },
  'cwc-admin-api': {
    port: 5004,
    rateLimiter: {
      points: 15,
      duration: 1,
    },
    endToEndTestingMockValues: undefined,
  },
};

/**
 * Gets the merged configuration for a service in a specific runtime environment.
 * Service-specific values override runtime defaults.
 */
export const getConfig = (
  runtimeEnv: RuntimeEnvironment,
  serviceName: ServiceName
): ServiceConfigValues => {
  const runtimeValues = runtimeConfigs[runtimeEnv];
  const serviceValues = serviceConfigs[serviceName];

  // Allow serviceValues to override runtimeValues
  return {
    ...runtimeValues,
    ...serviceValues,
  };
};

/**
 * Checks if a package name is a known service
 */
export const isKnownService = (packageName: string): packageName is ServiceName => {
  return packageName in serviceConfigs;
};

packages/cwc-content/CLAUDE.md

3 versions

Version 1

cwc-content Package

Content delivery service for coding session data. Acts as an authenticated proxy between cwc-website and cwc-storage, with in-memory caching for recently accessed files.

Architecture

No Database Access:

Does NOT use SqlClient or connect to cwc-sql
All access control decisions based on JWT claims only
Trusts that cwc-api has already verified published status before returning storageKey

Thin Proxy with Auth:

Uses AuthClient from cwc-backend-utils to verify JWTs
Uses StorageClient from cwc-backend-utils to communicate with cwc-storage
Maintains LRU cache with TTL for frequently accessed session data

Layered Architecture:

Request → RequestHandler → ContentHandler → StorageClient → cwc-storage
                                   ↓
                            SessionDataCache

Request Pipeline

Express routes receive incoming HTTP requests
RequestHandler extracts JWT from Authorization header
JWT validated → authenticated context; No JWT → guest context
Route-level access policy checked
ContentHandler executes operation (get/put/delete)
For GET: Check cache first, then fetch from storage
For PUT/DELETE: Invalidate cache, forward to storage
Response returned

Access Control

Role Hierarchy:

guest-user = logged-on-user < project-owner

Role	GET	PUT	DELETE
`guest-user`	✅	❌	❌
`logged-on-user`	✅	❌	❌
`project-owner`	✅	✅	✅

Important: guest-user and logged-on-user have identical access in cwc-content. The difference in what content they can access is enforced by cwc-api (which only returns storageKey for published sessions, or for the project owner's own unpublished sessions).

Ownership Verification:

For PUT and DELETE operations:

Extract projectId from request payload
Check if projectId exists in context.ownedProjects (from JWT claims)

API Routes

Base Path: /content/v1

Route	Method	Access	Description
`/coding-session/get`	POST	guest-user	Fetch session data
`/coding-session/put`	POST	project-owner	Upload session data
`/coding-session/delete`	POST	project-owner	Delete session data

Payload Formats:

// GET Request
{
  projectId: string;  // Natural key (e.g., "coding-with-claude")
  filename: string;   // From codingSession.storageKey
}

// PUT Request
{
  projectId: string;
  filename: string;
  data: string;       // Base64-encoded gzipped CwcSessionData
}

// DELETE Request
{
  projectId: string;
  filename: string;
}

Cache Design

SessionDataCache (LRU with TTL):

Max entries: 100 (configurable via CACHE_MAX_SIZE)
TTL: 5 minutes (configurable via CACHE_TTL_MS)
Cache key: ${projectId}:${filename}

Invalidation:

PUT: Invalidate entry (new data replaces cached)
DELETE: Invalidate entry
TTL expiry: Lazy eviction on next access

Configuration

Required Environment Variables:

RUNTIME_ENVIRONMENT=dev
SERVICE_PORT=5008
CORS_ORIGIN=http://localhost:3000
AUTH_URI=http://localhost:5010/auth/v1
STORAGE_URI=http://localhost:5030/storage/v1
STORAGE_API_KEY=<secret>
RATE_LIMITER_POINTS=15
RATE_LIMITER_DURATION=1
DEBUG_MODE=ON
CACHE_MAX_SIZE=100
CACHE_TTL_MS=300000

No DATA_URI needed - cwc-content does not connect to cwc-sql.

Data Flow

GET Request Flow:

1. cwc-website calls cwc-api to get codingSession metadata (includes storageKey)
2. cwc-website → POST /content/v1/coding-session/get { projectId, filename }
3. RequestHandler: Extract JWT, create context, check route access (guest-user OK)
4. ContentHandler:
   a. Check cache → hit? Return cached data
   b. Call StorageClient.getFile(projectId, filename)
   c. Cache response
5. Response: { success: true, data: <Buffer> }

PUT Request Flow:

1. cwc-website → POST /content/v1/coding-session/put { projectId, filename, data }
2. RequestHandler: Extract JWT, verify authenticated, check route access
3. ContentHandler:
   a. Verify project ownership (projectId in JWT ownedProjects)
   b. Call StorageClient.putFile(projectId, filename, data)
   c. Invalidate cache entry
4. Response: { success: true, filename }
5. cwc-website calls cwc-api to update codingSession metadata

Response Pattern

Standard Response Envelope:

// Success (GET)
{
  success: true,
  data: Buffer  // File contents
}

// Success (PUT/DELETE)
{
  success: true,
  filename: string
}

// Error
{
  success: false,
  errorCode: 'ERROR_CODE',
  errorMessage: 'Human-readable message'
}

Error Codes

Error Code	HTTP Status	Description
`UNAUTHORIZED`	401	Missing or invalid JWT
`FORBIDDEN`	403	Not project owner
`NOT_FOUND`	404	File not in storage
`VALIDATION_ERROR`	400	Invalid payload
`STORAGE_ERROR`	500	Storage service failure

Related Packages

Depends On:

cwc-backend-utils (workspace) - AuthClient, StorageClient, Express service factory
cwc-types (workspace) - Type definitions

Coordinates With:

cwc-auth - JWT validation
cwc-storage - File storage operations
cwc-api - Provides storageKey to cwc-website

Consumed By:

cwc-website - Frontend web application

Version 2

cwc-content Package

Content delivery service for coding session data. Acts as an authenticated proxy between cwc-website and cwc-storage, with in-memory caching for recently accessed files.

Architecture

No Database Access:

Does NOT use SqlClient or connect to cwc-sql
All access control decisions based on JWT claims only
Trusts that cwc-api has already verified published status before returning storageKey

Thin Proxy with Auth:

Uses AuthClient from cwc-backend-utils to verify JWTs
Uses StorageClient from cwc-backend-utils to communicate with cwc-storage
Maintains LRU cache with TTL for frequently accessed session data

Layered Architecture:

Request → RequestHandler → ContentHandler → StorageClient → cwc-storage
                                   ↓
                              ContentCache

Request Pipeline

Express routes receive incoming HTTP requests
RequestHandler extracts JWT from Authorization header
JWT validated → authenticated context; No JWT → guest context
Route-level access policy checked
ContentHandler executes operation (get/put/delete)
For GET: Check cache first, then fetch from storage
For PUT/DELETE: Invalidate cache, forward to storage
Response returned

Access Control

Role Hierarchy:

guest-user = logged-on-user < project-owner

Role	GET	PUT	DELETE
`guest-user`	✅	❌	❌
`logged-on-user`	✅	❌	❌
`project-owner`	✅	✅	✅

Ownership Verification (at route level):

For project-owner routes (PUT and DELETE), checkRouteAccess verifies:

User is authenticated
projectId from request payload exists in context.ownedProjects (from JWT claims)

This differs from cwc-api which verifies ownership at operation level (because cwc-api uses projectPkId requiring a database lookup). cwc-content receives projectId directly, so ownership can be verified at route level without database access.

API Routes

Base Path: /content/v1

Route	Method	Access	Description
`/coding-session/get`	POST	guest-user	Fetch session data
`/coding-session/put`	POST	project-owner	Upload session data
`/coding-session/delete`	POST	project-owner	Delete session data

Payload Formats:

// GET Request
{
  projectId: string;  // Natural key (e.g., "coding-with-claude")
  filename: string;   // From codingSession.storageKey
}

// PUT Request
{
  projectId: string;
  filename: string;
  data: string;       // Base64-encoded gzipped CwcSessionData
}

// DELETE Request
{
  projectId: string;
  filename: string;
}

Cache Design

ContentCache (LRU with TTL):

Max entries: 100 (configurable via CONTENT_CACHE_MAX_SIZE)
TTL: 5 minutes (configurable via CONTENT_CACHE_TTL_MS)
Cache key: ${projectId}:${filename}

Invalidation:

PUT: Invalidate entry (new data replaces cached)
DELETE: Invalidate entry
TTL expiry: Lazy eviction on next access

Configuration

Required Environment Variables:

RUNTIME_ENVIRONMENT=dev
SERVICE_PORT=5008
CORS_ORIGIN=http://localhost:3000
AUTH_URI=http://localhost:5010/auth/v1
STORAGE_URI=http://localhost:5030/storage/v1
STORAGE_API_KEY=<secret>
RATE_LIMITER_POINTS=15
RATE_LIMITER_DURATION=1
DEBUG_MODE=ON
CONTENT_CACHE_MAX_SIZE=100
CONTENT_CACHE_TTL_MS=300000

No DATA_URI needed - cwc-content does not connect to cwc-sql.

Data Flow

GET Request Flow:

1. cwc-website calls cwc-api to get codingSession metadata (includes storageKey)
2. cwc-website → POST /content/v1/coding-session/get { projectId, filename }
3. RequestHandler: Extract JWT, create context, check route access (guest-user OK)
4. ContentHandler:
   a. Check cache → hit? Return cached data
   b. Call StorageClient.getFile(projectId, filename)
   c. Cache response
5. Response: { success: true, data: <Buffer> }

PUT Request Flow:

1. cwc-website → POST /content/v1/coding-session/put { projectId, filename, data }
2. RequestHandler: Extract JWT, check route access (includes ownership verification)
3. ContentHandler:
   a. Call StorageClient.putFile(projectId, filename, data)
   b. Invalidate cache entry
4. Response: { success: true, filename }
5. cwc-website calls cwc-api to update codingSession metadata

Response Pattern

Standard Response Envelope:

// Success (GET)
{
  success: true,
  data: Buffer  // File contents
}

// Success (PUT/DELETE)
{
  success: true,
  filename: string
}

// Error
{
  success: false,
  errorCode: 'ERROR_CODE',
  errorMessage: 'Human-readable message'
}

Error Codes

Error Code	HTTP Status	Description
`UNAUTHORIZED`	401	Missing or invalid JWT
`FORBIDDEN`	403	Not project owner
`NOT_FOUND`	404	File not in storage
`VALIDATION_ERROR`	400	Invalid payload
`STORAGE_ERROR`	500	Storage service failure

Related Packages

Depends On:

cwc-backend-utils (workspace) - AuthClient, StorageClient, Express service factory
cwc-types (workspace) - Type definitions

Coordinates With:

cwc-auth - JWT validation
cwc-storage - File storage operations
cwc-api - Provides storageKey to cwc-website

Consumed By:

cwc-website - Frontend web application

Version 3 (latest)

cwc-content Package

Content delivery service for any cwc data stored via cwc-storage. Acts as an authenticated proxy between cwc-website and cwc-storage, with in-memory caching for recently accessed files.

Architecture

No Database Access:

Does NOT use SqlClient or connect to cwc-sql
All access control decisions based on JWT claims only
Trusts that cwc-api has already verified published status before returning storageKey

Thin Proxy with Auth:

Uses AuthClient from cwc-backend-utils to verify JWTs
Uses StorageClient from cwc-backend-utils to communicate with cwc-storage
Maintains LRU cache with TTL for frequently accessed session data

Layered Architecture:

Request → RequestHandler → ContentHandler → StorageClient → cwc-storage
                                   ↓
                              ContentCache

Request Pipeline

Express routes receive incoming HTTP requests
RequestHandler extracts JWT from Authorization header
JWT validated → authenticated context; No JWT → guest context
Route-level access policy checked
ContentHandler executes operation (get/put/delete)
For GET: Check cache first, then fetch from storage
For PUT/DELETE: Invalidate cache, forward to storage
Response returned

Access Control

Role Hierarchy:

guest-user = logged-on-user < project-owner

Role	GET	PUT	DELETE
`guest-user`	✅	❌	❌
`logged-on-user`	✅	❌	❌
`project-owner`	✅	✅	✅

Ownership Verification (at route level):

For project-owner routes (PUT and DELETE), checkRouteAccess verifies:

User is authenticated
projectId from request payload exists in context.ownedProjects (from JWT claims)

API Routes

Base Path: /content/v1

Route	Method	Access	Description
`/coding-session/get`	POST	guest-user	Fetch session data
`/coding-session/put`	POST	project-owner	Upload session data
`/coding-session/delete`	POST	project-owner	Delete session data

Payload Formats:

// GET Request
{
  projectId: string; // Natural key (e.g., "coding-with-claude")
  filename: string; // From codingSession.storageKey
}

// PUT Request
{
  projectId: string;
  filename: string;
  data: string; // Base64-encoded gzipped CwcSessionData
}

// DELETE Request
{
  projectId: string;
  filename: string;
}

Cache Design

ContentCache (LRU with TTL):

Max entries: 100 (configurable via CONTENT_CACHE_MAX_SIZE)
TTL: 5 minutes (configurable via CONTENT_CACHE_TTL_MS)
Cache key: ${projectId}:${filename}

Invalidation:

PUT: Invalidate entry (new data replaces cached)
DELETE: Invalidate entry
TTL expiry: Lazy eviction on next access

Configuration

Required Environment Variables:

RUNTIME_ENVIRONMENT=dev
SERVICE_PORT=5008
CORS_ORIGIN=http://localhost:3000
AUTH_URI=http://localhost:5010/auth/v1
STORAGE_URI=http://localhost:5030/storage/v1
STORAGE_API_KEY=<secret>
RATE_LIMITER_POINTS=15
RATE_LIMITER_DURATION=1
DEBUG_MODE=ON
CONTENT_CACHE_MAX_SIZE=100
CONTENT_CACHE_TTL_MS=300000

No DATA_URI needed - cwc-content does not connect to cwc-sql.

Data Flow

GET Request Flow:

1. cwc-website calls cwc-api to get codingSession metadata (includes storageKey)
2. cwc-website → POST /content/v1/coding-session/get { projectId, filename }
3. RequestHandler: Extract JWT, create context, check route access (guest-user OK)
4. ContentHandler:
   a. Check cache → hit? Return cached data
   b. Call StorageClient.getFile(projectId, filename)
   c. Cache response
5. Response: { success: true, data: <Buffer> }

PUT Request Flow:

1. cwc-website → POST /content/v1/coding-session/put { projectId, filename, data }
2. RequestHandler: Extract JWT, check route access (includes ownership verification)
3. ContentHandler:
   a. Call StorageClient.putFile(projectId, filename, data)
   b. Invalidate cache entry
4. Response: { success: true, filename }
5. cwc-website calls cwc-api to update codingSession metadata

Response Pattern

Standard Response Envelope:

// Success (GET)
{
  success: true,
  data: Buffer  // File contents
}

// Success (PUT/DELETE)
{
  success: true,
  filename: string
}

// Error
{
  success: false,
  errorCode: 'ERROR_CODE',
  errorMessage: 'Human-readable message'
}

Error Codes

Error Code	HTTP Status	Description
`UNAUTHORIZED`	401	Missing or invalid JWT
`FORBIDDEN`	403	Not project owner
`NOT_FOUND`	404	File not in storage
`VALIDATION_ERROR`	400	Invalid payload
`STORAGE_ERROR`	500	Storage service failure

Related Packages

Depends On:

cwc-backend-utils (workspace) - AuthClient, StorageClient, Express service factory
cwc-types (workspace) - Type definitions

Coordinates With:

cwc-auth - JWT validation
cwc-storage - File storage operations
cwc-api - Provides storageKey to cwc-website

Consumed By:

cwc-website - Frontend web application

packages/cwc-content/jest.config.js

/** @type {import('jest').Config} */
export default {
  preset: 'ts-jest/presets/default-esm',
  testEnvironment: 'node',
  extensionsToTreatAsEsm: ['.ts'],
  moduleNameMapper: {
    '^(\\.{1,2}/.*)\\.js$': '$1',
  },
  transform: {
    '^.+\\.ts$': [
      'ts-jest',
      {
        useESM: true,
        tsconfig: {
          module: 'ES2022',
          moduleResolution: 'bundler',
        },
      },
    ],
  },
  testMatch: ['**/__tests__/**/*.test.ts', '**/*.test.ts'],
  setupFilesAfterEnv: ['<rootDir>/src/__tests__/setup.ts'],
  collectCoverageFrom: [
    'src/**/*.ts',
    '!src/**/*.d.ts',
    '!src/index.ts',
  ],
  coverageThreshold: {
    global: {
      branches: 80,
      functions: 80,
      lines: 80,
      statements: 80,
    },
  },
};

packages/cwc-content/package.json

{
  "name": "cwc-content",
  "version": "1.0.0",
  "description": "Content delivery service for coding session data",
  "type": "module",
  "main": "./src/index.ts",
  "types": "./src/index.ts",
  "exports": {
    ".": {
      "types": "./src/index.ts",
      "default": "./src/index.ts"
    }
  },
  "scripts": {
    "build": "tsc",
    "dev": "tsx src/index.ts",
    "typecheck": "tsc --noEmit",
    "test": "RUNTIME_ENVIRONMENT=unit jest"
  },
  "keywords": [
    "cwc",
    "content",
    "storage"
  ],
  "author": "",
  "license": "UNLICENSED",
  "dependencies": {
    "cwc-backend-utils": "workspace:*",
    "cwc-types": "workspace:*",
    "express": "^4.21.0"
  },
  "devDependencies": {
    "@jest/globals": "^30.2.0",
    "@types/express": "^5.0.0",
    "@types/jest": "^30.0.0",
    "@types/node": "^22.0.0",
    "jest": "^30.2.0",
    "ts-jest": "^29.4.5",
    "tsx": "^4.19.0",
    "typescript": "^5.4.0"
  }
}

packages/cwc-content/README.md

cwc-content

Content delivery microservice for Coding with Claude. Provides authenticated access to coding session data stored in cwc-storage, with built-in caching for improved performance.

Overview

cwc-content acts as an authenticated proxy between the frontend (cwc-website) and the file storage service (cwc-storage). It:

Validates JWT tokens via cwc-auth
Enforces access control based on user roles
Caches frequently accessed content using an LRU cache
Provides a simple API for get/put/delete operations

┌─────────────┐     ┌─────────────┐     ┌─────────────┐     ┌─────────────┐
│ cwc-website │────▶│ cwc-content │────▶│ cwc-storage │────▶│ File System │
└─────────────┘     └──────┬──────┘     └─────────────┘     └─────────────┘
                           │
                    ┌──────▼──────┐
                    │ ContentCache│
                    │  (LRU+TTL)  │
                    └─────────────┘

Prerequisites

Node.js 22 LTS
pnpm 9.x
Running instances of:
- cwc-auth (for JWT validation)
- cwc-storage (for file operations)

Installation

From the monorepo root:

# Install all dependencies
pnpm install

# Build the package
pnpm --filter cwc-content build

Configuration

Create an environment file based on your runtime environment. The service looks for files in the pattern {env}.cwc-content.env in the secrets directory.

Environment Variables

Variable	Required	Default	Description
`RUNTIME_ENVIRONMENT`	Yes	-	Runtime environment: `dev`, `test`, `prod`, `unit`, `e2e`
`SERVICE_PORT`	No	`5008`	Port the service listens on
`CORS_ORIGIN`	Yes	-	Allowed CORS origin(s)
`AUTH_URI`	Yes	-	cwc-auth service URL (e.g., `http://localhost:5005/auth/v1`)
`STORAGE_URI`	Yes	-	cwc-storage service URL (e.g., `http://localhost:5030/storage/v1`)
`STORAGE_API_KEY`	Yes	-	API key for authenticating with cwc-storage
`RATE_LIMITER_POINTS`	No	`15`	Max requests per duration window
`RATE_LIMITER_DURATION`	No	`1`	Rate limit window in seconds
`DEBUG_MODE`	No	`OFF`	Enable debug logging (`ON` or `OFF`)
`CONTENT_CACHE_MAX_SIZE`	No	`100`	Maximum number of cached entries
`CONTENT_CACHE_TTL_MS`	No	`300000`	Cache TTL in milliseconds (default: 5 minutes)

Example Configuration (dev)

# dev.cwc-content.env
RUNTIME_ENVIRONMENT=dev
SERVICE_PORT=5008
CORS_ORIGIN=*
AUTH_URI=http://localhost:5005/auth/v1
STORAGE_URI=http://localhost:5030/storage/v1
STORAGE_API_KEY=your-storage-api-key-here
RATE_LIMITER_POINTS=15
RATE_LIMITER_DURATION=1
DEBUG_MODE=ON
CONTENT_CACHE_MAX_SIZE=100
CONTENT_CACHE_TTL_MS=300000

Running the Service

# Development mode
pnpm --filter cwc-content dev

# Production mode
pnpm --filter cwc-content start

The service will start on the configured port (default: 5008).

API Reference

All endpoints use POST method and expect JSON payloads.

Base URL: http://localhost:5008/content/v1

Health Check

GET /health/v1

Returns service health status.

Response:

{
  "status": "healthy",
  "service": "cwc-content",
  "timestamp": "2024-01-15T10:30:00.000Z"
}

Get Coding Session

Retrieve coding session data from storage.

POST /content/v1/coding-session/get

Headers:

Authorization: Bearer <jwt> (optional for published content)
Content-Type: application/json

Request Body:

{
  "projectId": "my-project",
  "filename": "session-001.json.gz"
}

Success Response (200):

{
  "success": true,
  "data": "<base64-encoded-content>"
}

Error Response (404):

{
  "success": false,
  "errorCode": "NOT_FOUND",
  "errorMessage": "Session data not found"
}

Put Coding Session

Upload or update coding session data. Requires project ownership.

POST /content/v1/coding-session/put

Headers:

Authorization: Bearer <jwt> (required)
Content-Type: application/json

Request Body:

{
  "projectId": "my-project",
  "filename": "session-001.json.gz",
  "data": "<base64-encoded-gzipped-content>"
}

Success Response (200):

{
  "success": true,
  "data": {
    "filename": "session-001.json.gz"
  }
}

Error Response (403):

{
  "success": false,
  "errorCode": "FORBIDDEN",
  "errorMessage": "You do not own this project"
}

Delete Coding Session

Delete coding session data. Requires project ownership.

POST /content/v1/coding-session/delete

Headers:

Authorization: Bearer <jwt> (required)
Content-Type: application/json

Request Body:

{
  "projectId": "my-project",
  "filename": "session-001.json.gz"
}

Success Response (200):

{
  "success": true,
  "data": {
    "filename": "session-001.json.gz"
  }
}

Usage Examples

Fetch Session Data (curl)

# Public/published content (no auth required)
curl -X POST http://localhost:5008/content/v1/coding-session/get \
  -H "Content-Type: application/json" \
  -d '{"projectId": "coding-with-claude", "filename": "session-001.json.gz"}'

# With authentication
curl -X POST http://localhost:5008/content/v1/coding-session/get \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer eyJhbGciOiJSUzI1NiIs..." \
  -d '{"projectId": "my-project", "filename": "session-001.json.gz"}'

Upload Session Data (curl)

curl -X POST http://localhost:5008/content/v1/coding-session/put \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer eyJhbGciOiJSUzI1NiIs..." \
  -d '{
    "projectId": "my-project",
    "filename": "session-001.json.gz",
    "data": "H4sIAAAAAAAAA6tWKkktLlGyUlAqS8wpTtVRKs9ILUpVslIqLU4t8kxR..."
  }'

TypeScript Client Example

import { gzipSync } from 'zlib';

async function uploadSession(
  jwt: string,
  projectId: string,
  filename: string,
  sessionData: CwcSessionData
): Promise<void> {
  // Compress and encode the data
  const jsonString = JSON.stringify(sessionData);
  const compressed = gzipSync(Buffer.from(jsonString));
  const base64Data = compressed.toString('base64');

  const response = await fetch('http://localhost:5008/content/v1/coding-session/put', {
    method: 'POST',
    headers: {
      'Content-Type': 'application/json',
      'Authorization': `Bearer ${jwt}`,
    },
    body: JSON.stringify({
      projectId,
      filename,
      data: base64Data,
    }),
  });

  const result = await response.json();
  if (!result.success) {
    throw new Error(result.errorMessage);
  }
}

Error Codes

Code	HTTP Status	Description
`UNAUTHORIZED`	401	Missing or invalid JWT token
`FORBIDDEN`	403	User does not own the project
`NOT_FOUND`	404	Requested file does not exist
`VALIDATION_ERROR`	400	Invalid request payload
`STORAGE_ERROR`	500	Failed to communicate with cwc-storage
`INTERNAL_ERROR`	500	Unexpected server error

Caching Behavior

The service maintains an LRU (Least Recently Used) cache with TTL (Time To Live) expiration:

Cache Hit: Returns cached data immediately without contacting cwc-storage
Cache Miss: Fetches from cwc-storage and caches the result
PUT Operation: Invalidates the cache entry for the updated file
DELETE Operation: Invalidates the cache entry for the deleted file
TTL Expiry: Entries are lazily evicted when accessed after expiration

Tuning Cache Performance

For high-traffic scenarios, consider adjusting:

# Increase cache size for more entries
CONTENT_CACHE_MAX_SIZE=500

# Increase TTL for less frequently updated content
CONTENT_CACHE_TTL_MS=600000  # 10 minutes

Testing

# Run unit tests
pnpm --filter cwc-content test

# Run tests with coverage
pnpm --filter cwc-content test --coverage

# Type checking
pnpm --filter cwc-content typecheck

Related Services

Service	Purpose
cwc-auth	JWT validation and user authentication
cwc-storage	File storage backend
cwc-api	Main data API (provides storageKey to frontend)
cwc-website	Frontend consumer of this service

License

Proprietary - Coding with Claude

packages/cwc-content/src/__tests__/cache/ContentCache.test.ts

'use strict';

import { describe, expect, it, beforeEach } from '@jest/globals';
import { ContentCache } from '../../cache';

describe('ContentCache', () => {
  let cache: ContentCache;

  beforeEach(() => {
    cache = new ContentCache(3, 60000); // 3 entries, 1 minute TTL
  });

  describe('get', () => {
    it('should return undefined for missing entry', () => {
      const result = cache.get('project-1', 'file.json');
      expect(result).toBeUndefined();
    });

    it('should return cached data for existing entry', () => {
      const data = Buffer.from('test-data');
      cache.set('project-1', 'file.json', data);

      const result = cache.get('project-1', 'file.json');
      expect(result).toEqual(data);
    });

    it('should return undefined for expired entry', () => {
      // Create cache with 1ms TTL
      const shortCache = new ContentCache(3, 1);
      const data = Buffer.from('test-data');
      shortCache.set('project-1', 'file.json', data);

      // Wait for expiry
      return new Promise<void>((resolve) => {
        setTimeout(() => {
          const result = shortCache.get('project-1', 'file.json');
          expect(result).toBeUndefined();
          resolve();
        }, 10);
      });
    });

    it('should update LRU order on access', () => {
      cache.set('project-1', 'file1.json', Buffer.from('data1'));
      cache.set('project-2', 'file2.json', Buffer.from('data2'));
      cache.set('project-3', 'file3.json', Buffer.from('data3'));

      // Access file1 to make it most recently used
      cache.get('project-1', 'file1.json');

      // Add new entry, should evict file2 (oldest after file1 was accessed)
      cache.set('project-4', 'file4.json', Buffer.from('data4'));

      expect(cache.get('project-1', 'file1.json')).toBeDefined();
      expect(cache.get('project-2', 'file2.json')).toBeUndefined(); // Evicted
      expect(cache.get('project-3', 'file3.json')).toBeDefined();
      expect(cache.get('project-4', 'file4.json')).toBeDefined();
    });
  });

  describe('set', () => {
    it('should add new entry to cache', () => {
      const data = Buffer.from('test-data');
      cache.set('project-1', 'file.json', data);

      expect(cache.size()).toBe(1);
      expect(cache.get('project-1', 'file.json')).toEqual(data);
    });

    it('should update existing entry', () => {
      cache.set('project-1', 'file.json', Buffer.from('old-data'));
      cache.set('project-1', 'file.json', Buffer.from('new-data'));

      expect(cache.size()).toBe(1);
      expect(cache.get('project-1', 'file.json')).toEqual(Buffer.from('new-data'));
    });

    it('should evict oldest entry when at capacity', () => {
      cache.set('project-1', 'file1.json', Buffer.from('data1'));
      cache.set('project-2', 'file2.json', Buffer.from('data2'));
      cache.set('project-3', 'file3.json', Buffer.from('data3'));
      cache.set('project-4', 'file4.json', Buffer.from('data4'));

      expect(cache.size()).toBe(3);
      expect(cache.get('project-1', 'file1.json')).toBeUndefined(); // Evicted
      expect(cache.get('project-2', 'file2.json')).toBeDefined();
      expect(cache.get('project-3', 'file3.json')).toBeDefined();
      expect(cache.get('project-4', 'file4.json')).toBeDefined();
    });
  });

  describe('invalidate', () => {
    it('should remove existing entry', () => {
      cache.set('project-1', 'file.json', Buffer.from('data'));
      cache.invalidate('project-1', 'file.json');

      expect(cache.get('project-1', 'file.json')).toBeUndefined();
      expect(cache.size()).toBe(0);
    });

    it('should do nothing for non-existent entry', () => {
      cache.invalidate('project-1', 'file.json');
      expect(cache.size()).toBe(0);
    });
  });

  describe('clear', () => {
    it('should remove all entries', () => {
      cache.set('project-1', 'file1.json', Buffer.from('data1'));
      cache.set('project-2', 'file2.json', Buffer.from('data2'));
      cache.clear();

      expect(cache.size()).toBe(0);
      expect(cache.get('project-1', 'file1.json')).toBeUndefined();
      expect(cache.get('project-2', 'file2.json')).toBeUndefined();
    });
  });

  describe('size', () => {
    it('should return 0 for empty cache', () => {
      expect(cache.size()).toBe(0);
    });

    it('should return correct count', () => {
      cache.set('project-1', 'file1.json', Buffer.from('data1'));
      cache.set('project-2', 'file2.json', Buffer.from('data2'));

      expect(cache.size()).toBe(2);
    });
  });

  describe('cleanup', () => {
    it('should remove expired entries', () => {
      // Create cache with 1ms TTL
      const shortCache = new ContentCache(10, 1);
      shortCache.set('project-1', 'file1.json', Buffer.from('data1'));
      shortCache.set('project-2', 'file2.json', Buffer.from('data2'));

      return new Promise<void>((resolve) => {
        setTimeout(() => {
          const removed = shortCache.cleanup();
          expect(removed).toBe(2);
          expect(shortCache.size()).toBe(0);
          resolve();
        }, 10);
      });
    });

    it('should not remove non-expired entries', () => {
      cache.set('project-1', 'file1.json', Buffer.from('data1'));
      cache.set('project-2', 'file2.json', Buffer.from('data2'));

      const removed = cache.cleanup();
      expect(removed).toBe(0);
      expect(cache.size()).toBe(2);
    });
  });
});

packages/cwc-content/src/__tests__/cache/SessionDataCache.test.ts

2 versions

Version 1

'use strict';

import { describe, expect, it, beforeEach, jest } from '@jest/globals';
import { SessionDataCache } from '../../cache';

describe('SessionDataCache', () => {
  let cache: SessionDataCache;

  beforeEach(() => {
    cache = new SessionDataCache(3, 60000); // 3 entries, 1 minute TTL
  });

  describe('get', () => {
    it('should return undefined for missing entry', () => {
      const result = cache.get('project-1', 'file.json');
      expect(result).toBeUndefined();
    });

    it('should return cached data for existing entry', () => {
      const data = Buffer.from('test-data');
      cache.set('project-1', 'file.json', data);

      const result = cache.get('project-1', 'file.json');
      expect(result).toEqual(data);
    });

    it('should return undefined for expired entry', () => {
      // Create cache with 1ms TTL
      const shortCache = new SessionDataCache(3, 1);
      const data = Buffer.from('test-data');
      shortCache.set('project-1', 'file.json', data);

      // Wait for expiry
      return new Promise<void>((resolve) => {
        setTimeout(() => {
          const result = shortCache.get('project-1', 'file.json');
          expect(result).toBeUndefined();
          resolve();
        }, 10);
      });
    });

    it('should update LRU order on access', () => {
      cache.set('project-1', 'file1.json', Buffer.from('data1'));
      cache.set('project-2', 'file2.json', Buffer.from('data2'));
      cache.set('project-3', 'file3.json', Buffer.from('data3'));

      // Access file1 to make it most recently used
      cache.get('project-1', 'file1.json');

      // Add new entry, should evict file2 (oldest after file1 was accessed)
      cache.set('project-4', 'file4.json', Buffer.from('data4'));

      expect(cache.get('project-1', 'file1.json')).toBeDefined();
      expect(cache.get('project-2', 'file2.json')).toBeUndefined(); // Evicted
      expect(cache.get('project-3', 'file3.json')).toBeDefined();
      expect(cache.get('project-4', 'file4.json')).toBeDefined();
    });
  });

  describe('set', () => {
    it('should add new entry to cache', () => {
      const data = Buffer.from('test-data');
      cache.set('project-1', 'file.json', data);

      expect(cache.size()).toBe(1);
      expect(cache.get('project-1', 'file.json')).toEqual(data);
    });

    it('should update existing entry', () => {
      cache.set('project-1', 'file.json', Buffer.from('old-data'));
      cache.set('project-1', 'file.json', Buffer.from('new-data'));

      expect(cache.size()).toBe(1);
      expect(cache.get('project-1', 'file.json')).toEqual(Buffer.from('new-data'));
    });

    it('should evict oldest entry when at capacity', () => {
      cache.set('project-1', 'file1.json', Buffer.from('data1'));
      cache.set('project-2', 'file2.json', Buffer.from('data2'));
      cache.set('project-3', 'file3.json', Buffer.from('data3'));
      cache.set('project-4', 'file4.json', Buffer.from('data4'));

      expect(cache.size()).toBe(3);
      expect(cache.get('project-1', 'file1.json')).toBeUndefined(); // Evicted
      expect(cache.get('project-2', 'file2.json')).toBeDefined();
      expect(cache.get('project-3', 'file3.json')).toBeDefined();
      expect(cache.get('project-4', 'file4.json')).toBeDefined();
    });
  });

  describe('invalidate', () => {
    it('should remove existing entry', () => {
      cache.set('project-1', 'file.json', Buffer.from('data'));
      cache.invalidate('project-1', 'file.json');

      expect(cache.get('project-1', 'file.json')).toBeUndefined();
      expect(cache.size()).toBe(0);
    });

    it('should do nothing for non-existent entry', () => {
      cache.invalidate('project-1', 'file.json');
      expect(cache.size()).toBe(0);
    });
  });

  describe('clear', () => {
    it('should remove all entries', () => {
      cache.set('project-1', 'file1.json', Buffer.from('data1'));
      cache.set('project-2', 'file2.json', Buffer.from('data2'));
      cache.clear();

      expect(cache.size()).toBe(0);
      expect(cache.get('project-1', 'file1.json')).toBeUndefined();
      expect(cache.get('project-2', 'file2.json')).toBeUndefined();
    });
  });

  describe('size', () => {
    it('should return 0 for empty cache', () => {
      expect(cache.size()).toBe(0);
    });

    it('should return correct count', () => {
      cache.set('project-1', 'file1.json', Buffer.from('data1'));
      cache.set('project-2', 'file2.json', Buffer.from('data2'));

      expect(cache.size()).toBe(2);
    });
  });

  describe('cleanup', () => {
    it('should remove expired entries', () => {
      // Create cache with 1ms TTL
      const shortCache = new SessionDataCache(10, 1);
      shortCache.set('project-1', 'file1.json', Buffer.from('data1'));
      shortCache.set('project-2', 'file2.json', Buffer.from('data2'));

      return new Promise<void>((resolve) => {
        setTimeout(() => {
          const removed = shortCache.cleanup();
          expect(removed).toBe(2);
          expect(shortCache.size()).toBe(0);
          resolve();
        }, 10);
      });
    });

    it('should not remove non-expired entries', () => {
      cache.set('project-1', 'file1.json', Buffer.from('data1'));
      cache.set('project-2', 'file2.json', Buffer.from('data2'));

      const removed = cache.cleanup();
      expect(removed).toBe(0);
      expect(cache.size()).toBe(2);
    });
  });
});

Version 2 (latest)

'use strict';

import { describe, expect, it, beforeEach } from '@jest/globals';
import { SessionDataCache } from '../../cache';

describe('SessionDataCache', () => {
  let cache: SessionDataCache;

  beforeEach(() => {
    cache = new SessionDataCache(3, 60000); // 3 entries, 1 minute TTL
  });

  describe('get', () => {
    it('should return undefined for missing entry', () => {
      const result = cache.get('project-1', 'file.json');
      expect(result).toBeUndefined();
    });

    it('should return cached data for existing entry', () => {
      const data = Buffer.from('test-data');
      cache.set('project-1', 'file.json', data);

      const result = cache.get('project-1', 'file.json');
      expect(result).toEqual(data);
    });

    it('should return undefined for expired entry', () => {
      // Create cache with 1ms TTL
      const shortCache = new SessionDataCache(3, 1);
      const data = Buffer.from('test-data');
      shortCache.set('project-1', 'file.json', data);

      // Wait for expiry
      return new Promise<void>((resolve) => {
        setTimeout(() => {
          const result = shortCache.get('project-1', 'file.json');
          expect(result).toBeUndefined();
          resolve();
        }, 10);
      });
    });

    it('should update LRU order on access', () => {
      cache.set('project-1', 'file1.json', Buffer.from('data1'));
      cache.set('project-2', 'file2.json', Buffer.from('data2'));
      cache.set('project-3', 'file3.json', Buffer.from('data3'));

      // Access file1 to make it most recently used
      cache.get('project-1', 'file1.json');

      // Add new entry, should evict file2 (oldest after file1 was accessed)
      cache.set('project-4', 'file4.json', Buffer.from('data4'));

      expect(cache.get('project-1', 'file1.json')).toBeDefined();
      expect(cache.get('project-2', 'file2.json')).toBeUndefined(); // Evicted
      expect(cache.get('project-3', 'file3.json')).toBeDefined();
      expect(cache.get('project-4', 'file4.json')).toBeDefined();
    });
  });

  describe('set', () => {
    it('should add new entry to cache', () => {
      const data = Buffer.from('test-data');
      cache.set('project-1', 'file.json', data);

      expect(cache.size()).toBe(1);
      expect(cache.get('project-1', 'file.json')).toEqual(data);
    });

    it('should update existing entry', () => {
      cache.set('project-1', 'file.json', Buffer.from('old-data'));
      cache.set('project-1', 'file.json', Buffer.from('new-data'));

      expect(cache.size()).toBe(1);
      expect(cache.get('project-1', 'file.json')).toEqual(Buffer.from('new-data'));
    });

    it('should evict oldest entry when at capacity', () => {
      cache.set('project-1', 'file1.json', Buffer.from('data1'));
      cache.set('project-2', 'file2.json', Buffer.from('data2'));
      cache.set('project-3', 'file3.json', Buffer.from('data3'));
      cache.set('project-4', 'file4.json', Buffer.from('data4'));

      expect(cache.size()).toBe(3);
      expect(cache.get('project-1', 'file1.json')).toBeUndefined(); // Evicted
      expect(cache.get('project-2', 'file2.json')).toBeDefined();
      expect(cache.get('project-3', 'file3.json')).toBeDefined();
      expect(cache.get('project-4', 'file4.json')).toBeDefined();
    });
  });

  describe('invalidate', () => {
    it('should remove existing entry', () => {
      cache.set('project-1', 'file.json', Buffer.from('data'));
      cache.invalidate('project-1', 'file.json');

      expect(cache.get('project-1', 'file.json')).toBeUndefined();
      expect(cache.size()).toBe(0);
    });

    it('should do nothing for non-existent entry', () => {
      cache.invalidate('project-1', 'file.json');
      expect(cache.size()).toBe(0);
    });
  });

  describe('clear', () => {
    it('should remove all entries', () => {
      cache.set('project-1', 'file1.json', Buffer.from('data1'));
      cache.set('project-2', 'file2.json', Buffer.from('data2'));
      cache.clear();

      expect(cache.size()).toBe(0);
      expect(cache.get('project-1', 'file1.json')).toBeUndefined();
      expect(cache.get('project-2', 'file2.json')).toBeUndefined();
    });
  });

  describe('size', () => {
    it('should return 0 for empty cache', () => {
      expect(cache.size()).toBe(0);
    });

    it('should return correct count', () => {
      cache.set('project-1', 'file1.json', Buffer.from('data1'));
      cache.set('project-2', 'file2.json', Buffer.from('data2'));

      expect(cache.size()).toBe(2);
    });
  });

  describe('cleanup', () => {
    it('should remove expired entries', () => {
      // Create cache with 1ms TTL
      const shortCache = new SessionDataCache(10, 1);
      shortCache.set('project-1', 'file1.json', Buffer.from('data1'));
      shortCache.set('project-2', 'file2.json', Buffer.from('data2'));

      return new Promise<void>((resolve) => {
        setTimeout(() => {
          const removed = shortCache.cleanup();
          expect(removed).toBe(2);
          expect(shortCache.size()).toBe(0);
          resolve();
        }, 10);
      });
    });

    it('should not remove non-expired entries', () => {
      cache.set('project-1', 'file1.json', Buffer.from('data1'));
      cache.set('project-2', 'file2.json', Buffer.from('data2'));

      const removed = cache.cleanup();
      expect(removed).toBe(0);
      expect(cache.size()).toBe(2);
    });
  });
});

packages/cwc-content/src/__tests__/context/createContext.test.ts

'use strict';

import { describe, expect, it, beforeEach } from '@jest/globals';
import { createContext } from '../../context';
import {
  createMockAuthClient,
  createMockUserJwtPayload,
  mockVerifyTokenSuccess,
  mockVerifyTokenFailure,
} from '../mocks';
import type { AuthClient } from 'cwc-backend-utils';
import type { jest } from '@jest/globals';

describe('createContext', () => {
  let mockAuthClient: jest.Mocked<AuthClient>;

  beforeEach(() => {
    mockAuthClient = createMockAuthClient();
  });

  describe('without auth header', () => {
    it('should return guest context', async () => {
      const context = await createContext({
        authHeader: undefined,
        authClient: mockAuthClient,
      });

      expect(context.isAuthenticated).toBe(false);
      expect(context.role).toBe('guest-user');
      expect(mockAuthClient.verifyToken).not.toHaveBeenCalled();
    });

    it('should return guest context for empty auth header', async () => {
      const context = await createContext({
        authHeader: '',
        authClient: mockAuthClient,
      });

      expect(context.isAuthenticated).toBe(false);
      expect(context.role).toBe('guest-user');
    });
  });

  describe('with valid auth header', () => {
    it('should return authenticated context', async () => {
      const payload = createMockUserJwtPayload({
        sub: 456,
        login: {
          username: 'user@test.com',
          deviceId: 'device-1',
          userJwtId: 'jwt-1',
          loginType: 'cwc',
          kulo: false,
          ownedProjects: ['proj-a', 'proj-b'],
          isGuestUser: false,
        },
      });
      mockVerifyTokenSuccess(mockAuthClient, payload);

      const context = await createContext({
        authHeader: 'Bearer valid-token',
        authClient: mockAuthClient,
      });

      expect(context.isAuthenticated).toBe(true);
      if (context.isAuthenticated) {
        expect(context.userPkId).toBe(456);
        expect(context.username).toBe('user@test.com');
        expect(context.ownedProjects).toEqual(['proj-a', 'proj-b']);
        expect(context.role).toBe('logged-on-user');
      }
    });
  });

  describe('with invalid auth header', () => {
    it('should return guest context for invalid token', async () => {
      mockVerifyTokenFailure(mockAuthClient, 'INVALID_TOKEN');

      const context = await createContext({
        authHeader: 'Bearer invalid-token',
        authClient: mockAuthClient,
      });

      expect(context.isAuthenticated).toBe(false);
      expect(context.role).toBe('guest-user');
    });

    it('should return guest context for expired token', async () => {
      mockVerifyTokenFailure(mockAuthClient, 'TOKEN_EXPIRED');

      const context = await createContext({
        authHeader: 'Bearer expired-token',
        authClient: mockAuthClient,
      });

      expect(context.isAuthenticated).toBe(false);
      expect(context.role).toBe('guest-user');
    });
  });

  describe('auth service error', () => {
    it('should return guest context on auth service error', async () => {
      mockAuthClient.verifyToken.mockRejectedValueOnce(new Error('Network error'));

      const context = await createContext({
        authHeader: 'Bearer token',
        authClient: mockAuthClient,
      });

      expect(context.isAuthenticated).toBe(false);
      expect(context.role).toBe('guest-user');
    });
  });
});

packages/cwc-content/src/__tests__/handlers/ContentHandler.test.ts

2 versions

Version 1

'use strict';

import { describe, expect, it, beforeEach } from '@jest/globals';
import { ContentHandler } from '../../handlers';
import { SessionDataCache } from '../../cache';
import {
  createMockStorageClient,
  mockGetFileSuccess,
  mockGetFileNotFound,
  mockGetFileError,
  mockPutFileSuccess,
  mockPutFileError,
  mockDeleteFileSuccess,
  mockDeleteFileNotFound,
  mockDeleteFileError,
  createMockGuestContext,
  createMockAuthenticatedContext,
  createMockProjectOwnerContext,
} from '../mocks';
import type { StorageClient } from 'cwc-backend-utils';
import type { jest } from '@jest/globals';

describe('ContentHandler', () => {
  let handler: ContentHandler;
  let mockStorageClient: jest.Mocked<StorageClient>;
  let cache: SessionDataCache;

  beforeEach(() => {
    mockStorageClient = createMockStorageClient();
    cache = new SessionDataCache(100, 300000);
    handler = new ContentHandler({
      storageClient: mockStorageClient,
      cache,
    });
  });

  describe('getCodingSession', () => {
    it('should return validation error for missing projectId', async () => {
      const result = await handler.getCodingSession(
        { projectId: '', filename: 'file.json' },
        createMockGuestContext()
      );

      expect(result.success).toBe(false);
      if (!result.success) {
        expect(result.errorCode).toBe('VALIDATION_ERROR');
      }
    });

    it('should return validation error for missing filename', async () => {
      const result = await handler.getCodingSession(
        { projectId: 'project-1', filename: '' },
        createMockGuestContext()
      );

      expect(result.success).toBe(false);
      if (!result.success) {
        expect(result.errorCode).toBe('VALIDATION_ERROR');
      }
    });

    it('should return cached data if available', async () => {
      const data = Buffer.from('cached-data');
      cache.set('project-1', 'file.json', data);

      const result = await handler.getCodingSession(
        { projectId: 'project-1', filename: 'file.json' },
        createMockGuestContext()
      );

      expect(result.success).toBe(true);
      if (result.success) {
        expect(result.data).toEqual(data);
      }
      expect(mockStorageClient.getFile).not.toHaveBeenCalled();
    });

    it('should fetch from storage and cache result', async () => {
      const data = Buffer.from('storage-data');
      mockGetFileSuccess(mockStorageClient, data);

      const result = await handler.getCodingSession(
        { projectId: 'project-1', filename: 'file.json' },
        createMockGuestContext()
      );

      expect(result.success).toBe(true);
      if (result.success) {
        expect(result.data).toEqual(data);
      }
      expect(cache.get('project-1', 'file.json')).toEqual(data);
    });

    it('should return NOT_FOUND for missing file', async () => {
      mockGetFileNotFound(mockStorageClient);

      const result = await handler.getCodingSession(
        { projectId: 'project-1', filename: 'file.json' },
        createMockGuestContext()
      );

      expect(result.success).toBe(false);
      if (!result.success) {
        expect(result.errorCode).toBe('NOT_FOUND');
      }
    });

    it('should return STORAGE_ERROR for storage failure', async () => {
      mockGetFileError(mockStorageClient);

      const result = await handler.getCodingSession(
        { projectId: 'project-1', filename: 'file.json' },
        createMockGuestContext()
      );

      expect(result.success).toBe(false);
      if (!result.success) {
        expect(result.errorCode).toBe('STORAGE_ERROR');
      }
    });
  });

  describe('putCodingSession', () => {
    it('should return validation error for missing fields', async () => {
      const context = createMockProjectOwnerContext('project-1');

      const result = await handler.putCodingSession(
        { projectId: '', filename: 'file.json', data: 'data' },
        context
      );

      expect(result.success).toBe(false);
      if (!result.success) {
        expect(result.errorCode).toBe('VALIDATION_ERROR');
      }
    });

    it('should return FORBIDDEN for non-owner', async () => {
      const context = createMockAuthenticatedContext({
        ownedProjects: ['other-project'],
      });

      const result = await handler.putCodingSession(
        { projectId: 'project-1', filename: 'file.json', data: 'data' },
        context
      );

      expect(result.success).toBe(false);
      if (!result.success) {
        expect(result.errorCode).toBe('FORBIDDEN');
      }
    });

    it('should return FORBIDDEN for guest user', async () => {
      const result = await handler.putCodingSession(
        { projectId: 'project-1', filename: 'file.json', data: 'data' },
        createMockGuestContext()
      );

      expect(result.success).toBe(false);
      if (!result.success) {
        expect(result.errorCode).toBe('FORBIDDEN');
      }
    });

    it('should upload to storage and invalidate cache', async () => {
      const context = createMockProjectOwnerContext('project-1');
      cache.set('project-1', 'file.json', Buffer.from('old-data'));
      mockPutFileSuccess(mockStorageClient, 'file.json');

      const result = await handler.putCodingSession(
        { projectId: 'project-1', filename: 'file.json', data: 'new-data' },
        context
      );

      expect(result.success).toBe(true);
      if (result.success) {
        expect(result.data.filename).toBe('file.json');
      }
      expect(cache.get('project-1', 'file.json')).toBeUndefined(); // Invalidated
    });

    it('should return STORAGE_ERROR for upload failure', async () => {
      const context = createMockProjectOwnerContext('project-1');
      mockPutFileError(mockStorageClient);

      const result = await handler.putCodingSession(
        { projectId: 'project-1', filename: 'file.json', data: 'data' },
        context
      );

      expect(result.success).toBe(false);
      if (!result.success) {
        expect(result.errorCode).toBe('STORAGE_ERROR');
      }
    });
  });

  describe('deleteCodingSession', () => {
    it('should return validation error for missing fields', async () => {
      const context = createMockProjectOwnerContext('project-1');

      const result = await handler.deleteCodingSession(
        { projectId: 'project-1', filename: '' },
        context
      );

      expect(result.success).toBe(false);
      if (!result.success) {
        expect(result.errorCode).toBe('VALIDATION_ERROR');
      }
    });

    it('should return FORBIDDEN for non-owner', async () => {
      const context = createMockAuthenticatedContext({
        ownedProjects: ['other-project'],
      });

      const result = await handler.deleteCodingSession(
        { projectId: 'project-1', filename: 'file.json' },
        context
      );

      expect(result.success).toBe(false);
      if (!result.success) {
        expect(result.errorCode).toBe('FORBIDDEN');
      }
    });

    it('should delete from storage and invalidate cache', async () => {
      const context = createMockProjectOwnerContext('project-1');
      cache.set('project-1', 'file.json', Buffer.from('data'));
      mockDeleteFileSuccess(mockStorageClient, 'file.json');

      const result = await handler.deleteCodingSession(
        { projectId: 'project-1', filename: 'file.json' },
        context
      );

      expect(result.success).toBe(true);
      if (result.success) {
        expect(result.data.filename).toBe('file.json');
      }
      expect(cache.get('project-1', 'file.json')).toBeUndefined(); // Invalidated
    });

    it('should return NOT_FOUND for missing file', async () => {
      const context = createMockProjectOwnerContext('project-1');
      mockDeleteFileNotFound(mockStorageClient);

      const result = await handler.deleteCodingSession(
        { projectId: 'project-1', filename: 'file.json' },
        context
      );

      expect(result.success).toBe(false);
      if (!result.success) {
        expect(result.errorCode).toBe('NOT_FOUND');
      }
    });

    it('should return STORAGE_ERROR for delete failure', async () => {
      const context = createMockProjectOwnerContext('project-1');
      mockDeleteFileError(mockStorageClient);

      const result = await handler.deleteCodingSession(
        { projectId: 'project-1', filename: 'file.json' },
        context
      );

      expect(result.success).toBe(false);
      if (!result.success) {
        expect(result.errorCode).toBe('STORAGE_ERROR');
      }
    });
  });
});

Version 2 (latest)

'use strict';

import { describe, expect, it, beforeEach } from '@jest/globals';
import { ContentHandler } from '../../handlers';
import { ContentCache } from '../../cache';
import {
  createMockStorageClient,
  mockGetFileSuccess,
  mockGetFileNotFound,
  mockGetFileError,
  mockPutFileSuccess,
  mockPutFileError,
  mockDeleteFileSuccess,
  mockDeleteFileNotFound,
  mockDeleteFileError,
  createMockGuestContext,
  createMockProjectOwnerContext,
} from '../mocks';
import type { StorageClient } from 'cwc-backend-utils';
import type { jest } from '@jest/globals';

describe('ContentHandler', () => {
  let handler: ContentHandler;
  let mockStorageClient: jest.Mocked<StorageClient>;
  let cache: ContentCache;

  beforeEach(() => {
    mockStorageClient = createMockStorageClient();
    cache = new ContentCache(100, 300000);
    handler = new ContentHandler({
      storageClient: mockStorageClient,
      cache,
    });
  });

  describe('getCodingSession', () => {
    it('should return validation error for missing projectId', async () => {
      const result = await handler.getCodingSession(
        { projectId: '', filename: 'file.json' },
        createMockGuestContext()
      );

      expect(result.success).toBe(false);
      if (!result.success) {
        expect(result.errorCode).toBe('VALIDATION_ERROR');
      }
    });

    it('should return validation error for missing filename', async () => {
      const result = await handler.getCodingSession(
        { projectId: 'project-1', filename: '' },
        createMockGuestContext()
      );

      expect(result.success).toBe(false);
      if (!result.success) {
        expect(result.errorCode).toBe('VALIDATION_ERROR');
      }
    });

    it('should return cached data if available', async () => {
      const data = Buffer.from('cached-data');
      cache.set('project-1', 'file.json', data);

      const result = await handler.getCodingSession(
        { projectId: 'project-1', filename: 'file.json' },
        createMockGuestContext()
      );

      expect(result.success).toBe(true);
      if (result.success) {
        expect(result.data).toEqual(data);
      }
      expect(mockStorageClient.getFile).not.toHaveBeenCalled();
    });

    it('should fetch from storage and cache result', async () => {
      const data = Buffer.from('storage-data');
      mockGetFileSuccess(mockStorageClient, data);

      const result = await handler.getCodingSession(
        { projectId: 'project-1', filename: 'file.json' },
        createMockGuestContext()
      );

      expect(result.success).toBe(true);
      if (result.success) {
        expect(result.data).toEqual(data);
      }
      expect(cache.get('project-1', 'file.json')).toEqual(data);
    });

    it('should return NOT_FOUND for missing file', async () => {
      mockGetFileNotFound(mockStorageClient);

      const result = await handler.getCodingSession(
        { projectId: 'project-1', filename: 'file.json' },
        createMockGuestContext()
      );

      expect(result.success).toBe(false);
      if (!result.success) {
        expect(result.errorCode).toBe('NOT_FOUND');
      }
    });

    it('should return STORAGE_ERROR for storage failure', async () => {
      mockGetFileError(mockStorageClient);

      const result = await handler.getCodingSession(
        { projectId: 'project-1', filename: 'file.json' },
        createMockGuestContext()
      );

      expect(result.success).toBe(false);
      if (!result.success) {
        expect(result.errorCode).toBe('STORAGE_ERROR');
      }
    });
  });

  describe('putCodingSession', () => {
    it('should return validation error for missing fields', async () => {
      const context = createMockProjectOwnerContext('project-1');

      const result = await handler.putCodingSession(
        { projectId: '', filename: 'file.json', data: 'data' },
        context
      );

      expect(result.success).toBe(false);
      if (!result.success) {
        expect(result.errorCode).toBe('VALIDATION_ERROR');
      }
    });

    // Note: Ownership is now verified at route level by checkRouteAccess,
    // so ContentHandler.putCodingSession assumes the context is already authorized

    it('should upload to storage and invalidate cache', async () => {
      const context = createMockProjectOwnerContext('project-1');
      cache.set('project-1', 'file.json', Buffer.from('old-data'));
      mockPutFileSuccess(mockStorageClient, 'file.json');

      const result = await handler.putCodingSession(
        { projectId: 'project-1', filename: 'file.json', data: 'new-data' },
        context
      );

      expect(result.success).toBe(true);
      if (result.success) {
        expect(result.data.filename).toBe('file.json');
      }
      expect(cache.get('project-1', 'file.json')).toBeUndefined(); // Invalidated
    });

    it('should return STORAGE_ERROR for upload failure', async () => {
      const context = createMockProjectOwnerContext('project-1');
      mockPutFileError(mockStorageClient);

      const result = await handler.putCodingSession(
        { projectId: 'project-1', filename: 'file.json', data: 'data' },
        context
      );

      expect(result.success).toBe(false);
      if (!result.success) {
        expect(result.errorCode).toBe('STORAGE_ERROR');
      }
    });
  });

  describe('deleteCodingSession', () => {
    it('should return validation error for missing fields', async () => {
      const context = createMockProjectOwnerContext('project-1');

      const result = await handler.deleteCodingSession(
        { projectId: 'project-1', filename: '' },
        context
      );

      expect(result.success).toBe(false);
      if (!result.success) {
        expect(result.errorCode).toBe('VALIDATION_ERROR');
      }
    });

    // Note: Ownership is now verified at route level by checkRouteAccess,
    // so ContentHandler.deleteCodingSession assumes the context is already authorized

    it('should delete from storage and invalidate cache', async () => {
      const context = createMockProjectOwnerContext('project-1');
      cache.set('project-1', 'file.json', Buffer.from('data'));
      mockDeleteFileSuccess(mockStorageClient, 'file.json');

      const result = await handler.deleteCodingSession(
        { projectId: 'project-1', filename: 'file.json' },
        context
      );

      expect(result.success).toBe(true);
      if (result.success) {
        expect(result.data.filename).toBe('file.json');
      }
      expect(cache.get('project-1', 'file.json')).toBeUndefined(); // Invalidated
    });

    it('should return NOT_FOUND for missing file', async () => {
      const context = createMockProjectOwnerContext('project-1');
      mockDeleteFileNotFound(mockStorageClient);

      const result = await handler.deleteCodingSession(
        { projectId: 'project-1', filename: 'file.json' },
        context
      );

      expect(result.success).toBe(false);
      if (!result.success) {
        expect(result.errorCode).toBe('NOT_FOUND');
      }
    });

    it('should return STORAGE_ERROR for delete failure', async () => {
      const context = createMockProjectOwnerContext('project-1');
      mockDeleteFileError(mockStorageClient);

      const result = await handler.deleteCodingSession(
        { projectId: 'project-1', filename: 'file.json' },
        context
      );

      expect(result.success).toBe(false);
      if (!result.success) {
        expect(result.errorCode).toBe('STORAGE_ERROR');
      }
    });
  });
});

packages/cwc-content/src/__tests__/handlers/responseUtils.test.ts

'use strict';

import { describe, expect, it } from '@jest/globals';
import {
  mapErrorCodeToStatus,
  createAccessDeniedResponse,
  createUnauthorizedResponse,
  createErrorResponse,
  createInternalErrorResponse,
  createSuccessResponse,
} from '../../handlers/responseUtils';
import { createMockDevConfig, createMockProdConfig } from '../mocks';

describe('mapErrorCodeToStatus', () => {
  it('should map NOT_FOUND to 404', () => {
    expect(mapErrorCodeToStatus('NOT_FOUND')).toBe(404);
  });

  it('should map VALIDATION_ERROR to 400', () => {
    expect(mapErrorCodeToStatus('VALIDATION_ERROR')).toBe(400);
  });

  it('should map UNAUTHORIZED to 401', () => {
    expect(mapErrorCodeToStatus('UNAUTHORIZED')).toBe(401);
  });

  it('should map FORBIDDEN to 403', () => {
    expect(mapErrorCodeToStatus('FORBIDDEN')).toBe(403);
  });

  it('should map STORAGE_ERROR to 500', () => {
    expect(mapErrorCodeToStatus('STORAGE_ERROR')).toBe(500);
  });

  it('should map INTERNAL_ERROR to 500', () => {
    expect(mapErrorCodeToStatus('INTERNAL_ERROR')).toBe(500);
  });
});

describe('createAccessDeniedResponse', () => {
  it('should return 403 response', () => {
    const response = createAccessDeniedResponse(createMockDevConfig());

    expect(response.statusCode).toBe(403);
    expect(response.body.success).toBe(false);
    if (!response.body.success) {
      expect(response.body.errorCode).toBe('FORBIDDEN');
      expect(response.body.errorMessage).toBe('Access denied');
    }
  });

  it('should include errorDetail in dev mode', () => {
    const response = createAccessDeniedResponse(createMockDevConfig(), 'Test reason');

    if (!response.body.success) {
      expect(response.body.errorDetail).toBe('Test reason');
    }
  });

  it('should not include errorDetail in prod mode', () => {
    const response = createAccessDeniedResponse(createMockProdConfig(), 'Test reason');

    if (!response.body.success) {
      expect(response.body.errorDetail).toBeUndefined();
    }
  });
});

describe('createUnauthorizedResponse', () => {
  it('should return 401 response', () => {
    const response = createUnauthorizedResponse(createMockDevConfig());

    expect(response.statusCode).toBe(401);
    expect(response.body.success).toBe(false);
    if (!response.body.success) {
      expect(response.body.errorCode).toBe('UNAUTHORIZED');
      expect(response.body.errorMessage).toBe('Authentication required');
    }
  });

  it('should include errorDetail in dev mode', () => {
    const response = createUnauthorizedResponse(createMockDevConfig(), 'Token expired');

    if (!response.body.success) {
      expect(response.body.errorDetail).toBe('Token expired');
    }
  });

  it('should not include errorDetail in prod mode', () => {
    const response = createUnauthorizedResponse(createMockProdConfig(), 'Token expired');

    if (!response.body.success) {
      expect(response.body.errorDetail).toBeUndefined();
    }
  });
});

describe('createErrorResponse', () => {
  it('should create error response with correct status code', () => {
    const response = createErrorResponse('NOT_FOUND', 'Resource not found');

    expect(response.statusCode).toBe(404);
    expect(response.body.success).toBe(false);
    if (!response.body.success) {
      expect(response.body.errorCode).toBe('NOT_FOUND');
      expect(response.body.errorMessage).toBe('Resource not found');
    }
  });
});

describe('createInternalErrorResponse', () => {
  it('should return 500 response', () => {
    const response = createInternalErrorResponse(createMockDevConfig(), new Error('Test error'));

    expect(response.statusCode).toBe(500);
    expect(response.body.success).toBe(false);
    if (!response.body.success) {
      expect(response.body.errorCode).toBe('INTERNAL_ERROR');
      expect(response.body.errorMessage).toBe('An internal error occurred');
    }
  });

  it('should include error message in dev mode', () => {
    const response = createInternalErrorResponse(createMockDevConfig(), new Error('Test error'));

    if (!response.body.success) {
      expect(response.body.errorDetail).toBe('Test error');
    }
  });

  it('should not include error message in prod mode', () => {
    const response = createInternalErrorResponse(createMockProdConfig(), new Error('Test error'));

    if (!response.body.success) {
      expect(response.body.errorDetail).toBeUndefined();
    }
  });
});

describe('createSuccessResponse', () => {
  it('should return 200 response with data', () => {
    const data = { filename: 'test.json' };
    const response = createSuccessResponse(data);

    expect(response.statusCode).toBe(200);
    expect(response.body.success).toBe(true);
    if (response.body.success) {
      expect(response.body.data).toEqual(data);
    }
  });
});

packages/cwc-content/src/__tests__/mocks/authClient.mock.ts

'use strict';

import { jest } from '@jest/globals';
import type { AuthClient } from 'cwc-backend-utils';
import type { VerifyTokenResult, UserJwtPayload, CwcLoginClaims } from 'cwc-types';

/**
 * Creates a mock AuthClient for testing
 */
export function createMockAuthClient(): jest.Mocked<AuthClient> {
  return {
    verifyToken: jest.fn<(authHeader: string | undefined) => Promise<VerifyTokenResult>>(),
    renewSession: jest.fn(),
  } as unknown as jest.Mocked<AuthClient>;
}

/**
 * Creates a mock UserJwtPayload for testing
 */
export function createMockUserJwtPayload(overrides: Partial<UserJwtPayload> = {}): UserJwtPayload {
  const defaultLogin: CwcLoginClaims = {
    username: 'testuser@example.com',
    deviceId: 'test-device-id',
    userJwtId: 'test-jwt-id',
    loginType: 'cwc',
    kulo: false,
    ownedProjects: ['project-1', 'project-2'],
    isGuestUser: false,
  };

  return {
    jti: 'test-jwt-id',
    sub: 123,
    iat: Math.floor(Date.now() / 1000),
    exp: Math.floor(Date.now() / 1000) + 900, // 15 minutes
    login: defaultLogin,
    ...overrides,
  };
}

/**
 * Configures mock AuthClient to return success with payload
 */
export function mockVerifyTokenSuccess(
  mockAuthClient: jest.Mocked<AuthClient>,
  payload: UserJwtPayload = createMockUserJwtPayload()
): void {
  mockAuthClient.verifyToken.mockResolvedValueOnce({
    success: true,
    payload,
  });
}

/**
 * Configures mock AuthClient to return failure
 */
export function mockVerifyTokenFailure(
  mockAuthClient: jest.Mocked<AuthClient>,
  error: string = 'INVALID_TOKEN'
): void {
  mockAuthClient.verifyToken.mockResolvedValueOnce({
    success: false,
    error,
  });
}

packages/cwc-content/src/__tests__/mocks/config.mock.ts

2 versions

Version 1

'use strict';

import type { CwcContentConfig } from '../../config';
import { loadConfig } from '../../config';

/**
 * Get the real unit config from unit.cwc-content.env
 */
export function getUnitConfig(): CwcContentConfig {
  return loadConfig();
}

/**
 * Creates a mock config with dev defaults
 */
export function createMockDevConfig(
  overrides: Partial<CwcContentConfig> = {}
): CwcContentConfig {
  return {
    runtimeEnvironment: 'dev',
    isDev: true,
    isProd: false,
    isTest: false,
    isUnit: false,
    isE2E: false,
    servicePort: 5008,
    authUri: 'http://localhost:5010/auth/v1',
    storageUri: 'http://localhost:5030/storage/v1',
    corsOrigin: '*',
    devCorsOrigin: 'http://localhost:3000',
    rateLimiterPoints: 15,
    rateLimiterDuration: 1,
    debugMode: true,
    cacheMaxSize: 100,
    cacheTtlMs: 300000,
    secrets: {
      storageApiKey: 'test-storage-api-key',
    },
    ...overrides,
  };
}

/**
 * Creates a mock config with prod defaults
 */
export function createMockProdConfig(
  overrides: Partial<CwcContentConfig> = {}
): CwcContentConfig {
  return {
    runtimeEnvironment: 'prod',
    isDev: false,
    isProd: true,
    isTest: false,
    isUnit: false,
    isE2E: false,
    servicePort: 5008,
    authUri: 'http://cwc-auth:5010/auth/v1',
    storageUri: 'http://cwc-storage:5030/storage/v1',
    corsOrigin: 'https://codingwithclaude.com',
    devCorsOrigin: '',
    rateLimiterPoints: 15,
    rateLimiterDuration: 1,
    debugMode: false,
    cacheMaxSize: 100,
    cacheTtlMs: 300000,
    secrets: {
      storageApiKey: 'prod-storage-api-key',
    },
    ...overrides,
  };
}

/**
 * Creates a mock config with unit test defaults
 */
export function createMockUnitConfig(
  overrides: Partial<CwcContentConfig> = {}
): CwcContentConfig {
  return {
    runtimeEnvironment: 'unit',
    isDev: false,
    isProd: false,
    isTest: false,
    isUnit: true,
    isE2E: false,
    servicePort: 5008,
    authUri: 'http://localhost:5010/auth/v1',
    storageUri: 'http://localhost:5030/storage/v1',
    corsOrigin: '*',
    devCorsOrigin: 'http://localhost:3000',
    rateLimiterPoints: 100,
    rateLimiterDuration: 1,
    debugMode: true,
    cacheMaxSize: 100,
    cacheTtlMs: 300000,
    secrets: {
      storageApiKey: 'unit-storage-api-key',
    },
    ...overrides,
  };
}

Version 2 (latest)

'use strict';

import type { CwcContentConfig } from '../../config';
import { loadConfig } from '../../config';

/**
 * Get the real unit config from unit.cwc-content.env
 */
export function getUnitConfig(): CwcContentConfig {
  return loadConfig();
}

/**
 * Creates a mock config with dev defaults
 */
export function createMockDevConfig(
  overrides: Partial<CwcContentConfig> = {}
): CwcContentConfig {
  return {
    runtimeEnvironment: 'dev',
    isDev: true,
    isProd: false,
    isTest: false,
    isUnit: false,
    isE2E: false,
    servicePort: 5008,
    authUri: 'http://localhost:5010/auth/v1',
    storageUri: 'http://localhost:5030/storage/v1',
    corsOrigin: '*',
    devCorsOrigin: 'http://localhost:3000',
    rateLimiterPoints: 15,
    rateLimiterDuration: 1,
    debugMode: true,
    contentCacheMaxSize: 100,
    contentCacheTtlMs: 300000,
    secrets: {
      storageApiKey: 'test-storage-api-key',
    },
    ...overrides,
  };
}

/**
 * Creates a mock config with prod defaults
 */
export function createMockProdConfig(
  overrides: Partial<CwcContentConfig> = {}
): CwcContentConfig {
  return {
    runtimeEnvironment: 'prod',
    isDev: false,
    isProd: true,
    isTest: false,
    isUnit: false,
    isE2E: false,
    servicePort: 5008,
    authUri: 'http://cwc-auth:5010/auth/v1',
    storageUri: 'http://cwc-storage:5030/storage/v1',
    corsOrigin: 'https://codingwithclaude.com',
    devCorsOrigin: '',
    rateLimiterPoints: 15,
    rateLimiterDuration: 1,
    debugMode: false,
    contentCacheMaxSize: 100,
    contentCacheTtlMs: 300000,
    secrets: {
      storageApiKey: 'prod-storage-api-key',
    },
    ...overrides,
  };
}

/**
 * Creates a mock config with unit test defaults
 */
export function createMockUnitConfig(
  overrides: Partial<CwcContentConfig> = {}
): CwcContentConfig {
  return {
    runtimeEnvironment: 'unit',
    isDev: false,
    isProd: false,
    isTest: false,
    isUnit: true,
    isE2E: false,
    servicePort: 5008,
    authUri: 'http://localhost:5010/auth/v1',
    storageUri: 'http://localhost:5030/storage/v1',
    corsOrigin: '*',
    devCorsOrigin: 'http://localhost:3000',
    rateLimiterPoints: 100,
    rateLimiterDuration: 1,
    debugMode: true,
    contentCacheMaxSize: 100,
    contentCacheTtlMs: 300000,
    secrets: {
      storageApiKey: 'unit-storage-api-key',
    },
    ...overrides,
  };
}

packages/cwc-content/src/__tests__/mocks/context.mock.ts

2 versions

Version 1

'use strict';

import type { AuthenticatedContext, GuestContext, RequestContext } from '../../context';

/**
 * Creates a mock guest (unauthenticated) context
 */
export function createMockGuestContext(): GuestContext {
  return {
    isAuthenticated: false,
    role: 'guest-user',
  };
}

/**
 * Creates a mock authenticated context
 */
export function createMockAuthenticatedContext(
  overrides: Partial<AuthenticatedContext> = {}
): AuthenticatedContext {
  return {
    isAuthenticated: true,
    role: 'logged-on-user',
    userPkId: 123,
    username: 'testuser@example.com',
    ownedProjects: ['project-1', 'project-2'],
    ...overrides,
  };
}

/**
 * Creates a mock project owner context
 */
export function createMockProjectOwnerContext(
  projectId: string,
  overrides: Partial<AuthenticatedContext> = {}
): AuthenticatedContext {
  return createMockAuthenticatedContext({
    role: 'project-owner',
    ownedProjects: [projectId, ...createMockAuthenticatedContext().ownedProjects],
    ...overrides,
  });
}

Version 2 (latest)

'use strict';

import type { RequestContext } from '../../context';

/**
 * Guest context type for testing
 */
export type GuestContext = RequestContext & {
  isAuthenticated: false;
  role: 'guest-user';
};

/**
 * Authenticated context type for testing
 */
export type AuthenticatedContext = RequestContext & {
  isAuthenticated: true;
  role: 'logged-on-user' | 'project-owner';
  userPkId: number;
  username: string;
};

/**
 * Creates a mock guest (unauthenticated) context
 */
export function createMockGuestContext(): GuestContext {
  return {
    isAuthenticated: false,
    role: 'guest-user',
    userPkId: undefined,
    username: undefined,
    ownedProjects: [],
    payload: undefined,
  };
}

/**
 * Creates a mock authenticated context
 */
export function createMockAuthenticatedContext(
  overrides: Partial<AuthenticatedContext> = {}
): AuthenticatedContext {
  return {
    isAuthenticated: true,
    role: 'logged-on-user',
    userPkId: 123,
    username: 'testuser@example.com',
    ownedProjects: ['project-1', 'project-2'],
    payload: undefined,
    ...overrides,
  };
}

/**
 * Creates a mock project owner context
 */
export function createMockProjectOwnerContext(
  projectId: string,
  overrides: Partial<AuthenticatedContext> = {}
): AuthenticatedContext {
  return createMockAuthenticatedContext({
    role: 'project-owner',
    ownedProjects: [projectId, ...createMockAuthenticatedContext().ownedProjects],
    ...overrides,
  });
}

packages/cwc-content/src/__tests__/mocks/index.ts

'use strict';

// AuthClient mocks
export {
  createMockAuthClient,
  createMockUserJwtPayload,
  mockVerifyTokenSuccess,
  mockVerifyTokenFailure,
} from './authClient.mock';

// StorageClient mocks
export {
  createMockStorageClient,
  mockGetFileSuccess,
  mockGetFileNotFound,
  mockGetFileError,
  mockPutFileSuccess,
  mockPutFileError,
  mockDeleteFileSuccess,
  mockDeleteFileNotFound,
  mockDeleteFileError,
} from './storageClient.mock';

// Config mocks
export {
  getUnitConfig,
  createMockDevConfig,
  createMockProdConfig,
  createMockUnitConfig,
} from './config.mock';

// Context mocks
export {
  createMockGuestContext,
  createMockAuthenticatedContext,
  createMockProjectOwnerContext,
} from './context.mock';

packages/cwc-content/src/__tests__/mocks/storageClient.mock.ts

'use strict';

import { jest } from '@jest/globals';
import type { StorageClient, GetFileResult, PutFileResult, DeleteFileResult } from 'cwc-backend-utils';

/**
 * Creates a mock StorageClient for testing
 */
export function createMockStorageClient(): jest.Mocked<StorageClient> {
  return {
    getFile: jest.fn<(projectId: string, filename: string) => Promise<GetFileResult>>(),
    putFile: jest.fn<(projectId: string, filename: string, data: string) => Promise<PutFileResult>>(),
    deleteFile: jest.fn<(projectId: string, filename: string) => Promise<DeleteFileResult>>(),
  } as unknown as jest.Mocked<StorageClient>;
}

/**
 * Configures mock StorageClient to return success for getFile
 */
export function mockGetFileSuccess(
  mockStorageClient: jest.Mocked<StorageClient>,
  data: Buffer = Buffer.from('test-data')
): void {
  mockStorageClient.getFile.mockResolvedValueOnce({
    success: true,
    data,
  });
}

/**
 * Configures mock StorageClient to return not found for getFile
 */
export function mockGetFileNotFound(mockStorageClient: jest.Mocked<StorageClient>): void {
  mockStorageClient.getFile.mockResolvedValueOnce({
    success: false,
    error: 'FILE_NOT_FOUND',
  });
}

/**
 * Configures mock StorageClient to return error for getFile
 */
export function mockGetFileError(
  mockStorageClient: jest.Mocked<StorageClient>,
  error: string = 'STORAGE_SERVICE_ERROR'
): void {
  mockStorageClient.getFile.mockResolvedValueOnce({
    success: false,
    error,
  });
}

/**
 * Configures mock StorageClient to return success for putFile
 */
export function mockPutFileSuccess(
  mockStorageClient: jest.Mocked<StorageClient>,
  filename: string = 'test-file.json.gz'
): void {
  mockStorageClient.putFile.mockResolvedValueOnce({
    success: true,
    filename,
  });
}

/**
 * Configures mock StorageClient to return error for putFile
 */
export function mockPutFileError(
  mockStorageClient: jest.Mocked<StorageClient>,
  error: string = 'STORAGE_WRITE_FAILED'
): void {
  mockStorageClient.putFile.mockResolvedValueOnce({
    success: false,
    error,
  });
}

/**
 * Configures mock StorageClient to return success for deleteFile
 */
export function mockDeleteFileSuccess(
  mockStorageClient: jest.Mocked<StorageClient>,
  filename: string = 'test-file.json.gz'
): void {
  mockStorageClient.deleteFile.mockResolvedValueOnce({
    success: true,
    filename,
  });
}

/**
 * Configures mock StorageClient to return not found for deleteFile
 */
export function mockDeleteFileNotFound(mockStorageClient: jest.Mocked<StorageClient>): void {
  mockStorageClient.deleteFile.mockResolvedValueOnce({
    success: false,
    error: 'FILE_NOT_FOUND',
  });
}

/**
 * Configures mock StorageClient to return error for deleteFile
 */
export function mockDeleteFileError(
  mockStorageClient: jest.Mocked<StorageClient>,
  error: string = 'STORAGE_DELETE_FAILED'
): void {
  mockStorageClient.deleteFile.mockResolvedValueOnce({
    success: false,
    error,
  });
}

packages/cwc-content/src/__tests__/policies/checkRouteAccess.test.ts

3 versions

Version 1

'use strict';

import { describe, expect, it } from '@jest/globals';
import { checkRouteAccess, isProjectOwner } from '../../policies';
import {
  createMockGuestContext,
  createMockAuthenticatedContext,
  createMockProjectOwnerContext,
} from '../mocks';

describe('checkRouteAccess', () => {
  describe('guest-user role', () => {
    it('should allow guest user', () => {
      const result = checkRouteAccess(createMockGuestContext(), 'guest-user');
      expect(result.allowed).toBe(true);
    });

    it('should allow authenticated user', () => {
      const result = checkRouteAccess(createMockAuthenticatedContext(), 'guest-user');
      expect(result.allowed).toBe(true);
    });
  });

  describe('logged-on-user role', () => {
    it('should deny guest user', () => {
      const result = checkRouteAccess(createMockGuestContext(), 'logged-on-user');
      expect(result.allowed).toBe(false);
      expect(result.reason).toContain('Authentication required');
    });

    it('should allow authenticated user', () => {
      const result = checkRouteAccess(createMockAuthenticatedContext(), 'logged-on-user');
      expect(result.allowed).toBe(true);
    });
  });

  describe('project-owner role', () => {
    it('should deny guest user', () => {
      const result = checkRouteAccess(createMockGuestContext(), 'project-owner');
      expect(result.allowed).toBe(false);
      expect(result.reason).toContain('Authentication required');
    });

    it('should allow authenticated user at route level', () => {
      // Route-level check only verifies authentication, not ownership
      const result = checkRouteAccess(createMockAuthenticatedContext(), 'project-owner');
      expect(result.allowed).toBe(true);
    });
  });
});

describe('isProjectOwner', () => {
  it('should return false for guest user', () => {
    const result = isProjectOwner(createMockGuestContext(), 'project-1');
    expect(result).toBe(false);
  });

  it('should return false for authenticated user without ownership', () => {
    const context = createMockAuthenticatedContext({
      ownedProjects: ['other-project'],
    });
    const result = isProjectOwner(context, 'project-1');
    expect(result).toBe(false);
  });

  it('should return true for project owner', () => {
    const context = createMockProjectOwnerContext('project-1');
    const result = isProjectOwner(context, 'project-1');
    expect(result).toBe(true);
  });

  it('should return false for undefined projectId', () => {
    const context = createMockProjectOwnerContext('project-1');
    const result = isProjectOwner(context, undefined);
    expect(result).toBe(false);
  });
});

Version 2

'use strict';

import { describe, expect, it } from '@jest/globals';
import { checkRouteAccess, isProjectOwner } from '../../policies';
import {
  createMockGuestContext,
  createMockAuthenticatedContext,
  createMockProjectOwnerContext,
} from '../mocks';

describe('checkRouteAccess', () => {
  describe('guest-user role', () => {
    it('should allow guest user', () => {
      const result = checkRouteAccess(createMockGuestContext(), 'guest-user');
      expect(result.allowed).toBe(true);
    });

    it('should allow authenticated user', () => {
      const result = checkRouteAccess(createMockAuthenticatedContext(), 'guest-user');
      expect(result.allowed).toBe(true);
    });
  });

  describe('logged-on-user role', () => {
    // In cwc-content, logged-on-user has the same access as guest-user for GET operations
    // The difference in what content they can access is enforced by cwc-api
    it('should allow guest user (same as guest-user in cwc-content)', () => {
      const result = checkRouteAccess(createMockGuestContext(), 'logged-on-user');
      expect(result.allowed).toBe(true);
    });

    it('should allow authenticated user', () => {
      const result = checkRouteAccess(createMockAuthenticatedContext(), 'logged-on-user');
      expect(result.allowed).toBe(true);
    });
  });

  describe('project-owner role', () => {
    it('should deny guest user', () => {
      const result = checkRouteAccess(createMockGuestContext(), 'project-owner');
      expect(result.allowed).toBe(false);
      expect(result.reason).toContain('Authentication required');
    });

    it('should allow authenticated user at route level', () => {
      // Route-level check only verifies authentication, not ownership
      const result = checkRouteAccess(createMockAuthenticatedContext(), 'project-owner');
      expect(result.allowed).toBe(true);
    });
  });
});

describe('isProjectOwner', () => {
  it('should return false for guest user', () => {
    const result = isProjectOwner(createMockGuestContext(), 'project-1');
    expect(result).toBe(false);
  });

  it('should return false for authenticated user without ownership', () => {
    const context = createMockAuthenticatedContext({
      ownedProjects: ['other-project'],
    });
    const result = isProjectOwner(context, 'project-1');
    expect(result).toBe(false);
  });

  it('should return true for project owner', () => {
    const context = createMockProjectOwnerContext('project-1');
    const result = isProjectOwner(context, 'project-1');
    expect(result).toBe(true);
  });

  it('should return false for undefined projectId', () => {
    const context = createMockProjectOwnerContext('project-1');
    const result = isProjectOwner(context, undefined);
    expect(result).toBe(false);
  });
});

Version 3 (latest)

'use strict';

import { describe, expect, it } from '@jest/globals';
import { checkRouteAccess } from '../../policies';
import {
  createMockGuestContext,
  createMockAuthenticatedContext,
  createMockProjectOwnerContext,
} from '../mocks';

describe('checkRouteAccess', () => {
  describe('guest-user role', () => {
    it('should allow guest user', () => {
      const result = checkRouteAccess({
        context: createMockGuestContext(),
        requiredRole: 'guest-user',
        payload: {},
      });
      expect(result.allowed).toBe(true);
    });

    it('should allow authenticated user', () => {
      const result = checkRouteAccess({
        context: createMockAuthenticatedContext(),
        requiredRole: 'guest-user',
        payload: {},
      });
      expect(result.allowed).toBe(true);
    });
  });

  describe('logged-on-user role', () => {
    // In cwc-content, logged-on-user has the same access as guest-user for GET operations
    // The difference in what content they can access is enforced by cwc-api
    it('should allow guest user (same as guest-user in cwc-content)', () => {
      const result = checkRouteAccess({
        context: createMockGuestContext(),
        requiredRole: 'logged-on-user',
        payload: {},
      });
      expect(result.allowed).toBe(true);
    });

    it('should allow authenticated user', () => {
      const result = checkRouteAccess({
        context: createMockAuthenticatedContext(),
        requiredRole: 'logged-on-user',
        payload: {},
      });
      expect(result.allowed).toBe(true);
    });
  });

  describe('project-owner role', () => {
    it('should deny guest user', () => {
      const result = checkRouteAccess({
        context: createMockGuestContext(),
        requiredRole: 'project-owner',
        payload: { projectId: 'project-1' },
      });
      expect(result.allowed).toBe(false);
      expect(result.reason).toContain('Authentication required');
    });

    it('should deny when projectId is missing', () => {
      const result = checkRouteAccess({
        context: createMockAuthenticatedContext(),
        requiredRole: 'project-owner',
        payload: {},
      });
      expect(result.allowed).toBe(false);
      expect(result.reason).toContain('projectId is required');
    });

    it('should deny when user does not own the project', () => {
      const context = createMockAuthenticatedContext({
        ownedProjects: ['other-project'],
      });
      const result = checkRouteAccess({
        context,
        requiredRole: 'project-owner',
        payload: { projectId: 'project-1' },
      });
      expect(result.allowed).toBe(false);
      expect(result.reason).toContain('You do not own this project');
    });

    it('should allow when user owns the project', () => {
      const result = checkRouteAccess({
        context: createMockProjectOwnerContext('project-1'),
        requiredRole: 'project-owner',
        payload: { projectId: 'project-1' },
      });
      expect(result.allowed).toBe(true);
    });

    it('should allow owner with multiple projects to access any owned project', () => {
      const context = createMockAuthenticatedContext({
        ownedProjects: ['project-1', 'project-2', 'project-3'],
      });
      const result = checkRouteAccess({
        context,
        requiredRole: 'project-owner',
        payload: { projectId: 'project-2' },
      });
      expect(result.allowed).toBe(true);
    });
  });

  describe('unknown role', () => {
    it('should deny access for unknown role', () => {
      const result = checkRouteAccess({
        context: createMockAuthenticatedContext(),
        requiredRole: 'unknown-role' as never,
        payload: {},
      });
      expect(result.allowed).toBe(false);
      expect(result.reason).toContain('Unknown requiredRole');
    });
  });
});

packages/cwc-content/src/__tests__/setup.ts

'use strict';

import { loadDotEnv } from 'cwc-backend-utils';

// Load unit test environment before all tests
loadDotEnv({ serviceName: 'cwc-content', environment: 'unit' });

packages/cwc-content/src/apis/ContentApiV1/index.ts

4 versions

Version 1

'use strict';

import type { NextFunction, Request, Response } from 'express';
import type { ExpressApi, ILogger, AuthClient, StorageClient } from 'cwc-backend-utils';
import type { CwcContentConfig } from '../../config';
import type { ContentRouteConfigs } from '../../handlers/handler.types';
import { RequestHandler } from '../../handlers';
import { SessionDataCache } from '../../cache';
import { getRoutes, createContentHandler } from './routes';

const codeLocation = 'apis/ContentApiV1/index.ts';

/**
 * ContentApiV1 - Content delivery API for CWC coding sessions
 *
 * Handles file operations:
 * - GET: Fetch session data from storage (with caching)
 * - PUT: Upload session data to storage
 * - DELETE: Remove session data from storage
 */
export class ContentApiV1 implements ExpressApi {
  private routes: ContentRouteConfigs;
  private config: CwcContentConfig;
  private authClient: AuthClient;
  private logger: ILogger | undefined;
  private cache: SessionDataCache;

  constructor(
    config: CwcContentConfig,
    storageClient: StorageClient,
    authClient: AuthClient,
    logger: ILogger | undefined
  ) {
    this.config = config;
    this.authClient = authClient;
    this.logger = logger;

    // Create cache with configurable settings
    this.cache = new SessionDataCache({
      maxSize: config.cacheMaxSize,
      ttlMs: config.cacheTtlMs,
    });

    // Create content handler with storage client and cache
    const contentHandler = createContentHandler({
      storageClient,
      cache: this.cache,
    });

    // Routes initialized with content handler
    this.routes = getRoutes(contentHandler);
  }

  public get path(): string {
    return '/content/v1';
  }

  public get version(): number {
    return 1;
  }

  /**
   * Main request handler
   */
  public handler = async (req: Request, res: Response, next: NextFunction): Promise<void> => {
    try {
      // Early return if response already sent
      if (res.statusCode !== 200 || res.writableEnded) {
        return;
      }

      const { path } = req;

      // Validate path exists
      if (!path || path === '/') {
        res.status(404).json({
          success: false,
          errorCode: 'NOT_FOUND',
          errorMessage: 'Endpoint not found',
        });
        return;
      }

      // Find route config
      const routeConfig = this.routes[path];
      if (!routeConfig) {
        // This route is not handled by ContentApiV1, let it pass through
        next();
        return;
      }

      // Get auth header
      const authHeader = req.headers['authorization'] as string | undefined;

      // Create and execute RequestHandler
      const handler = new RequestHandler(
        {
          authHeader,
          payload: req.body,
          routeConfig,
        },
        this.config,
        this.authClient
      );

      const response = await handler.processRequest();

      // Send response
      res.status(response.statusCode).json(response.body);
    } catch (error) {
      this.logger?.logError({
        userPkId: undefined,
        codeLocation,
        message: 'ContentApiV1.handler - ERROR',
        error,
      });

      res.status(500).json({
        success: false,
        errorCode: 'INTERNAL_ERROR',
        errorMessage: 'An internal error occurred',
        ...(this.config.isDev ? { errorDetail: String(error) } : {}),
      });
    }
  };
}

Version 2

'use strict';

import type { NextFunction, Request, Response } from 'express';
import type { ExpressApi, ILogger, AuthClient, StorageClient } from 'cwc-backend-utils';
import type { CwcContentConfig } from '../../config';
import type { ContentRouteConfigs } from '../../handlers/handler.types';
import { RequestHandler } from '../../handlers';
import { SessionDataCache } from '../../cache';
import { getRoutes, createContentHandler } from './routes';

const codeLocation = 'apis/ContentApiV1/index.ts';

/**
 * ContentApiV1 - Content delivery API for CWC coding sessions
 *
 * Handles file operations:
 * - GET: Fetch session data from storage (with caching)
 * - PUT: Upload session data to storage
 * - DELETE: Remove session data from storage
 */
export class ContentApiV1 implements ExpressApi {
  private routes: ContentRouteConfigs;
  private config: CwcContentConfig;
  private authClient: AuthClient;
  private logger: ILogger | undefined;
  private cache: SessionDataCache;

  constructor(
    config: CwcContentConfig,
    storageClient: StorageClient,
    authClient: AuthClient,
    logger: ILogger | undefined
  ) {
    this.config = config;
    this.authClient = authClient;
    this.logger = logger;

    // Create cache with configurable settings
    this.cache = new SessionDataCache(config.cacheMaxSize, config.cacheTtlMs);

    // Create content handler with storage client and cache
    const contentHandler = createContentHandler({
      storageClient,
      cache: this.cache,
    });

    // Routes initialized with content handler
    this.routes = getRoutes(contentHandler);
  }

  public get path(): string {
    return '/content/v1';
  }

  public get version(): number {
    return 1;
  }

  /**
   * Main request handler
   */
  public handler = async (req: Request, res: Response, next: NextFunction): Promise<void> => {
    try {
      // Early return if response already sent
      if (res.statusCode !== 200 || res.writableEnded) {
        return;
      }

      const { path } = req;

      // Validate path exists
      if (!path || path === '/') {
        res.status(404).json({
          success: false,
          errorCode: 'NOT_FOUND',
          errorMessage: 'Endpoint not found',
        });
        return;
      }

      // Find route config
      const routeConfig = this.routes[path];
      if (!routeConfig) {
        // This route is not handled by ContentApiV1, let it pass through
        next();
        return;
      }

      // Get auth header
      const authHeader = req.headers['authorization'] as string | undefined;

      // Create and execute RequestHandler
      const handler = new RequestHandler(
        {
          authHeader,
          payload: req.body,
          routeConfig,
        },
        this.config,
        this.authClient
      );

      const response = await handler.processRequest();

      // Send response
      res.status(response.statusCode).json(response.body);
    } catch (error) {
      this.logger?.logError({
        userPkId: undefined,
        codeLocation,
        message: 'ContentApiV1.handler - ERROR',
        error,
      });

      res.status(500).json({
        success: false,
        errorCode: 'INTERNAL_ERROR',
        errorMessage: 'An internal error occurred',
        ...(this.config.isDev ? { errorDetail: String(error) } : {}),
      });
    }
  };
}

Version 3

'use strict';

import type { NextFunction, Request, Response } from 'express';
import type { ExpressApi, ILogger, AuthClient, StorageClient } from 'cwc-backend-utils';
import type { CwcContentConfig } from '../../config';
import type { ContentRouteConfigs } from '../../handlers/handler.types';
import { RequestHandler } from '../../handlers';
import { ContentCache } from '../../cache';
import { getRoutes, createContentHandler } from './routes';

const codeLocation = 'apis/ContentApiV1/index.ts';

/**
 * ContentApiV1 - Content delivery API for CWC coding sessions
 *
 * Handles file operations:
 * - GET: Fetch session data from storage (with caching)
 * - PUT: Upload session data to storage
 * - DELETE: Remove session data from storage
 */
export class ContentApiV1 implements ExpressApi {
  private routes: ContentRouteConfigs;
  private config: CwcContentConfig;
  private authClient: AuthClient;
  private logger: ILogger | undefined;
  private cache: ContentCache;

  constructor(
    config: CwcContentConfig,
    storageClient: StorageClient,
    authClient: AuthClient,
    logger: ILogger | undefined
  ) {
    this.config = config;
    this.authClient = authClient;
    this.logger = logger;

    // Create cache with configurable settings
    this.cache = new ContentCache(config.contentCacheMaxSize, config.contentCacheTtlMs);

    // Create content handler with storage client and cache
    const contentHandler = createContentHandler({
      storageClient,
      cache: this.cache,
    });

    // Routes initialized with content handler
    this.routes = getRoutes(contentHandler);
  }

  public get path(): string {
    return '/content/v1';
  }

  public get version(): number {
    return 1;
  }

  /**
   * Main request handler
   */
  public handler = async (req: Request, res: Response, next: NextFunction): Promise<void> => {
    try {
      // Early return if response already sent
      if (res.statusCode !== 200 || res.writableEnded) {
        return;
      }

      const { path } = req;

      // Validate path exists
      if (!path || path === '/') {
        res.status(404).json({
          success: false,
          errorCode: 'NOT_FOUND',
          errorMessage: 'Endpoint not found',
        });
        return;
      }

      // Find route config
      const routeConfig = this.routes[path];
      if (!routeConfig) {
        // This route is not handled by ContentApiV1, let it pass through
        next();
        return;
      }

      // Get auth header
      const authHeader = req.headers['authorization'] as string | undefined;

      // Create and execute RequestHandler
      const handler = new RequestHandler(
        {
          authHeader,
          payload: req.body,
          routeConfig,
        },
        this.config,
        this.authClient
      );

      const response = await handler.processRequest();

      // Send response
      res.status(response.statusCode).json(response.body);
    } catch (error) {
      this.logger?.logError({
        userPkId: undefined,
        codeLocation,
        message: 'ContentApiV1.handler - ERROR',
        error,
      });

      res.status(500).json({
        success: false,
        errorCode: 'INTERNAL_ERROR',
        errorMessage: 'An internal error occurred',
        ...(this.config.isDev ? { errorDetail: String(error) } : {}),
      });
    }
  };
}

Version 4 (latest)

'use strict';

import type { NextFunction, Request, Response } from 'express';
import type { ExpressApi, ILogger, AuthClient, StorageClient } from 'cwc-backend-utils';
import type { CwcContentConfig } from '../../config';
import type { ContentRouteConfigs } from '../../handlers/handler.types';
import { RequestHandler } from '../../handlers';
import { ContentCache } from '../../cache';
import { getRoutes, createContentHandler } from './routes';

const codeLocation = 'apis/ContentApiV1/index.ts';

/**
 * ContentApiV1 - Content delivery API for CWC
 *
 * Handles file operations:
 * - GET: Fetch session data from storage (with caching)
 * - PUT: Upload session data to storage
 * - DELETE: Remove session data from storage
 */
export class ContentApiV1 implements ExpressApi {
  private routes: ContentRouteConfigs;
  private config: CwcContentConfig;
  private authClient: AuthClient;
  private logger: ILogger | undefined;
  private cache: ContentCache;

  constructor(
    config: CwcContentConfig,
    storageClient: StorageClient,
    authClient: AuthClient,
    logger: ILogger | undefined
  ) {
    this.config = config;
    this.authClient = authClient;
    this.logger = logger;

    // Create cache with configurable settings
    this.cache = new ContentCache(config.contentCacheMaxSize, config.contentCacheTtlMs);

    // Create content handler with storage client and cache
    const contentHandler = createContentHandler({
      storageClient,
      cache: this.cache,
    });

    // Routes initialized with content handler
    this.routes = getRoutes(contentHandler);
  }

  public get path(): string {
    return '/content/v1';
  }

  public get version(): number {
    return 1;
  }

  /**
   * Main request handler
   */
  public handler = async (req: Request, res: Response, next: NextFunction): Promise<void> => {
    try {
      // Early return if response already sent
      if (res.statusCode !== 200 || res.writableEnded) {
        return;
      }

      const { path } = req;

      // Validate path exists
      if (!path || path === '/') {
        res.status(404).json({
          success: false,
          errorCode: 'NOT_FOUND',
          errorMessage: 'Endpoint not found',
        });
        return;
      }

      // Find route config
      const routeConfig = this.routes[path];
      if (!routeConfig) {
        // This route is not handled by ContentApiV1, let it pass through
        next();
        return;
      }

      // Get auth header
      const authHeader = req.headers['authorization'] as string | undefined;

      // Create and execute RequestHandler
      const handler = new RequestHandler(
        {
          authHeader,
          payload: req.body,
          routeConfig,
        },
        this.config,
        this.authClient
      );

      const response = await handler.processRequest();

      // Send response
      res.status(response.statusCode).json(response.body);
    } catch (error) {
      this.logger?.logError({
        userPkId: undefined,
        codeLocation,
        message: 'ContentApiV1.handler - ERROR',
        error,
      });

      res.status(500).json({
        success: false,
        errorCode: 'INTERNAL_ERROR',
        errorMessage: 'An internal error occurred',
        ...(this.config.isDev ? { errorDetail: String(error) } : {}),
      });
    }
  };
}

packages/cwc-content/src/apis/ContentApiV1/routes.ts

2 versions

Version 1

'use strict';

import type { StorageClient } from 'cwc-backend-utils';
import type { ContentRouteConfigs } from '../../handlers/handler.types';
import type {
  GetCodingSessionPayload,
  PutCodingSessionPayload,
  DeleteCodingSessionPayload,
} from '../../handlers/handler.types';
import { accessPolicies } from '../../policies';
import { ContentHandler, type ContentHandlerOptions } from '../../handlers';
import type { SessionDataCache } from '../../cache';

/**
 * Creates route configurations for ContentApiV1
 *
 * Route naming convention: /coding-session/{operation}
 * All routes use POST method (RPC-style API)
 *
 * @param contentHandler - ContentHandler instance with storage and cache
 * @returns Route configuration map
 */
export function getRoutes(contentHandler: ContentHandler): ContentRouteConfigs {
  return {
    // ========================================================================
    // Coding Session Content Routes
    // ========================================================================
    '/coding-session/get': {
      path: '/coding-session/get',
      handlerType: 'get',
      requiredRole: accessPolicies.codingSession.get,
      operation: (payload, requestContext) =>
        contentHandler.getCodingSession(payload as GetCodingSessionPayload, requestContext),
    },
    '/coding-session/put': {
      path: '/coding-session/put',
      handlerType: 'put',
      requiredRole: accessPolicies.codingSession.put,
      operation: (payload, requestContext) =>
        contentHandler.putCodingSession(payload as PutCodingSessionPayload, requestContext),
    },
    '/coding-session/delete': {
      path: '/coding-session/delete',
      handlerType: 'delete',
      requiredRole: accessPolicies.codingSession.delete,
      operation: (payload, requestContext) =>
        contentHandler.deleteCodingSession(payload as DeleteCodingSessionPayload, requestContext),
    },
  };
}

/**
 * Creates a ContentHandler with the given dependencies
 */
export function createContentHandler(options: ContentHandlerOptions): ContentHandler {
  return new ContentHandler(options);
}

Version 2 (latest)

'use strict';

import type { ContentRouteConfigs } from '../../handlers/handler.types';
import type {
  GetCodingSessionPayload,
  PutCodingSessionPayload,
  DeleteCodingSessionPayload,
} from '../../handlers/handler.types';
import { accessPolicies } from '../../policies';
import { ContentHandler, type ContentHandlerOptions } from '../../handlers';

/**
 * Creates route configurations for ContentApiV1
 *
 * Route naming convention: /coding-session/{operation}
 * All routes use POST method (RPC-style API)
 *
 * @param contentHandler - ContentHandler instance with storage and cache
 * @returns Route configuration map
 */
export function getRoutes(contentHandler: ContentHandler): ContentRouteConfigs {
  return {
    // ========================================================================
    // Coding Session Content Routes
    // ========================================================================
    '/coding-session/get': {
      path: '/coding-session/get',
      handlerType: 'get',
      requiredRole: accessPolicies.codingSession.get,
      operation: (payload, requestContext) =>
        contentHandler.getCodingSession(payload as GetCodingSessionPayload, requestContext),
    },
    '/coding-session/put': {
      path: '/coding-session/put',
      handlerType: 'put',
      requiredRole: accessPolicies.codingSession.put,
      operation: (payload, requestContext) =>
        contentHandler.putCodingSession(payload as PutCodingSessionPayload, requestContext),
    },
    '/coding-session/delete': {
      path: '/coding-session/delete',
      handlerType: 'delete',
      requiredRole: accessPolicies.codingSession.delete,
      operation: (payload, requestContext) =>
        contentHandler.deleteCodingSession(payload as DeleteCodingSessionPayload, requestContext),
    },
  };
}

/**
 * Creates a ContentHandler with the given dependencies
 */
export function createContentHandler(options: ContentHandlerOptions): ContentHandler {
  return new ContentHandler(options);
}

packages/cwc-content/src/cache/ContentCache.ts

/**
 * Cache entry for content data
 */
type CacheEntry = {
  data: Buffer;
  timestamp: number;
};

/**
 * LRU cache with TTL for content data
 *
 * Features:
 * - Maximum size limit with LRU eviction
 * - TTL-based expiration
 * - Lazy eviction (expired entries removed on access)
 *
 * Generic cache that can be used for any content type in cwc-content.
 * Currently used for coding session data, but extensible to other content.
 */
export class ContentCache {
  private cache: Map<string, CacheEntry>;
  private maxSize: number;
  private ttlMs: number;

  constructor(maxSize: number, ttlMs: number) {
    this.cache = new Map();
    this.maxSize = maxSize;
    this.ttlMs = ttlMs;
  }

  /**
   * Build cache key from projectId and filename
   */
  private buildKey(projectId: string, filename: string): string {
    return `${projectId}:${filename}`;
  }

  /**
   * Check if an entry has expired
   */
  private isExpired(entry: CacheEntry): boolean {
    return Date.now() - entry.timestamp > this.ttlMs;
  }

  /**
   * Get data from cache
   * Returns undefined if not found or expired
   */
  get(projectId: string, filename: string): Buffer | undefined {
    const key = this.buildKey(projectId, filename);
    const entry = this.cache.get(key);

    if (!entry) {
      return undefined;
    }

    // Check TTL
    if (this.isExpired(entry)) {
      this.cache.delete(key);
      return undefined;
    }

    // Move to end for LRU (delete and re-add to maintain insertion order)
    this.cache.delete(key);
    this.cache.set(key, entry);

    return entry.data;
  }

  /**
   * Set data in cache
   * Evicts oldest entry if at capacity
   */
  set(projectId: string, filename: string, data: Buffer): void {
    const key = this.buildKey(projectId, filename);

    // If key exists, delete it first (to update LRU order)
    if (this.cache.has(key)) {
      this.cache.delete(key);
    }

    // Evict oldest entry if at capacity
    if (this.cache.size >= this.maxSize) {
      const oldestKey = this.cache.keys().next().value;
      if (oldestKey) {
        this.cache.delete(oldestKey);
      }
    }

    // Add new entry
    this.cache.set(key, {
      data,
      timestamp: Date.now(),
    });
  }

  /**
   * Invalidate a specific cache entry
   */
  invalidate(projectId: string, filename: string): void {
    const key = this.buildKey(projectId, filename);
    this.cache.delete(key);
  }

  /**
   * Clear all cache entries
   */
  clear(): void {
    this.cache.clear();
  }

  /**
   * Get current cache size (for monitoring/debugging)
   */
  size(): number {
    return this.cache.size;
  }

  /**
   * Clean up expired entries (for optional background cleanup)
   */
  cleanup(): number {
    let removed = 0;
    for (const [key, entry] of this.cache.entries()) {
      if (this.isExpired(entry)) {
        this.cache.delete(key);
        removed++;
      }
    }
    return removed;
  }
}

packages/cwc-content/src/cache/index.ts

2 versions

Version 1

export { SessionDataCache } from './SessionDataCache';

Version 2 (latest)

export { ContentCache } from './ContentCache';

packages/cwc-content/src/cache/SessionDataCache.ts

/**
 * Cache entry for session data
 */
type CacheEntry = {
  data: Buffer;
  timestamp: number;
};

/**
 * LRU cache with TTL for session data
 *
 * Features:
 * - Maximum size limit with LRU eviction
 * - TTL-based expiration
 * - Lazy eviction (expired entries removed on access)
 */
export class SessionDataCache {
  private cache: Map<string, CacheEntry>;
  private maxSize: number;
  private ttlMs: number;

  constructor(maxSize: number, ttlMs: number) {
    this.cache = new Map();
    this.maxSize = maxSize;
    this.ttlMs = ttlMs;
  }

  /**
   * Build cache key from projectId and filename
   */
  private buildKey(projectId: string, filename: string): string {
    return `${projectId}:${filename}`;
  }

  /**
   * Check if an entry has expired
   */
  private isExpired(entry: CacheEntry): boolean {
    return Date.now() - entry.timestamp > this.ttlMs;
  }

  /**
   * Get data from cache
   * Returns undefined if not found or expired
   */
  get(projectId: string, filename: string): Buffer | undefined {
    const key = this.buildKey(projectId, filename);
    const entry = this.cache.get(key);

    if (!entry) {
      return undefined;
    }

    // Check TTL
    if (this.isExpired(entry)) {
      this.cache.delete(key);
      return undefined;
    }

    // Move to end for LRU (delete and re-add to maintain insertion order)
    this.cache.delete(key);
    this.cache.set(key, entry);

    return entry.data;
  }

  /**
   * Set data in cache
   * Evicts oldest entry if at capacity
   */
  set(projectId: string, filename: string, data: Buffer): void {
    const key = this.buildKey(projectId, filename);

    // If key exists, delete it first (to update LRU order)
    if (this.cache.has(key)) {
      this.cache.delete(key);
    }

    // Evict oldest entry if at capacity
    if (this.cache.size >= this.maxSize) {
      const oldestKey = this.cache.keys().next().value;
      if (oldestKey) {
        this.cache.delete(oldestKey);
      }
    }

    // Add new entry
    this.cache.set(key, {
      data,
      timestamp: Date.now(),
    });
  }

  /**
   * Invalidate a specific cache entry
   */
  invalidate(projectId: string, filename: string): void {
    const key = this.buildKey(projectId, filename);
    this.cache.delete(key);
  }

  /**
   * Clear all cache entries
   */
  clear(): void {
    this.cache.clear();
  }

  /**
   * Get current cache size (for monitoring/debugging)
   */
  size(): number {
    return this.cache.size;
  }

  /**
   * Clean up expired entries (for optional background cleanup)
   */
  cleanup(): number {
    let removed = 0;
    for (const [key, entry] of this.cache.entries()) {
      if (this.isExpired(entry)) {
        this.cache.delete(key);
        removed++;
      }
    }
    return removed;
  }
}

packages/cwc-content/src/config/config.types.ts

2 versions

Version 1

import type { RuntimeEnvironment } from 'cwc-types';

/**
 * Secret configuration values for cwc-content
 * These values must be provided via secrets file, never committed to code
 */
export type CwcContentConfigSecrets = {
  storageApiKey: string;
};

/**
 * Configuration for the cwc-content microservice
 */
export type CwcContentConfig = {
  // Environment (derived - skipped in .env generation)
  runtimeEnvironment: RuntimeEnvironment;
  isProd: boolean;
  isDev: boolean;
  isTest: boolean;
  isUnit: boolean;
  isE2E: boolean;

  // Service
  servicePort: number;
  authUri: string;
  storageUri: string;

  // Security
  corsOrigin: string;

  // Rate limiting
  rateLimiterPoints: number;
  rateLimiterDuration: number;

  // Dev settings
  devCorsOrigin: string;

  // Debugging
  debugMode: boolean;

  // Cache settings
  cacheMaxSize: number;
  cacheTtlMs: number;

  // Secrets (nested)
  secrets: CwcContentConfigSecrets;
};

Version 2 (latest)

import type { RuntimeEnvironment } from 'cwc-types';

/**
 * Secret configuration values for cwc-content
 * These values must be provided via secrets file, never committed to code
 */
export type CwcContentConfigSecrets = {
  storageApiKey: string;
};

/**
 * Configuration for the cwc-content microservice
 */
export type CwcContentConfig = {
  // Environment (derived - skipped in .env generation)
  runtimeEnvironment: RuntimeEnvironment;
  isProd: boolean;
  isDev: boolean;
  isTest: boolean;
  isUnit: boolean;
  isE2E: boolean;

  // Service
  servicePort: number;
  authUri: string;
  storageUri: string;

  // Security
  corsOrigin: string;

  // Rate limiting
  rateLimiterPoints: number;
  rateLimiterDuration: number;

  // Dev settings
  devCorsOrigin: string;

  // Debugging
  debugMode: boolean;

  // Cache settings
  contentCacheMaxSize: number;
  contentCacheTtlMs: number;

  // Secrets (nested)
  secrets: CwcContentConfigSecrets;
};

packages/cwc-content/src/config/index.ts

export { loadConfig } from './loadConfig';
export type { CwcContentConfig, CwcContentConfigSecrets } from './config.types';

packages/cwc-content/src/config/loadConfig.ts

2 versions

Version 1

import type { RuntimeEnvironment } from 'cwc-types';
import { requireEnv, optionalEnv, parseNumber, parseBoolean } from 'cwc-backend-utils';
import type { CwcContentConfig } from './config.types';

/**
 * Validates runtime environment value
 */
function validateRuntimeEnvironment(value: string): RuntimeEnvironment {
  const validEnvironments = ['dev', 'test', 'prod', 'unit', 'e2e'];
  if (!validEnvironments.includes(value)) {
    throw new Error(
      `Invalid RUNTIME_ENVIRONMENT: ${value}. Must be one of: ${validEnvironments.join(', ')}`
    );
  }
  return value as RuntimeEnvironment;
}

/**
 * Loads and validates configuration from environment variables
 * Caches the configuration on first load
 */
let cachedConfig: CwcContentConfig | undefined;

export function loadConfig(): CwcContentConfig {
  // Return cached config if already loaded
  if (cachedConfig) {
    return cachedConfig;
  }

  try {
    // Parse runtime environment
    const runtimeEnvironment = validateRuntimeEnvironment(requireEnv('RUNTIME_ENVIRONMENT'));

    // Derive environment booleans
    const isProd = runtimeEnvironment === 'prod';
    const isDev = runtimeEnvironment === 'dev';
    const isTest = runtimeEnvironment === 'test';
    const isUnit = runtimeEnvironment === 'unit';
    const isE2E = runtimeEnvironment === 'e2e';

    // Parse configuration
    const config: CwcContentConfig = {
      // Environment
      runtimeEnvironment,
      isProd,
      isDev,
      isTest,
      isUnit,
      isE2E,

      // Service
      servicePort: parseNumber('SERVICE_PORT', 5008),
      authUri: requireEnv('AUTH_URI'),
      storageUri: requireEnv('STORAGE_URI'),

      // Security
      corsOrigin: requireEnv('CORS_ORIGIN'),

      // Rate limiting
      rateLimiterPoints: parseNumber('RATE_LIMITER_POINTS', 15),
      rateLimiterDuration: parseNumber('RATE_LIMITER_DURATION', 1),

      // Dev settings
      devCorsOrigin: optionalEnv('DEV_CORS_ORIGIN', 'http://localhost:3000'),

      // Debugging
      debugMode: parseBoolean('DEBUG_MODE', false),

      // Cache settings
      cacheMaxSize: parseNumber('CACHE_MAX_SIZE', 100),
      cacheTtlMs: parseNumber('CACHE_TTL_MS', 300000), // 5 minutes

      // Secrets (nested)
      secrets: {
        storageApiKey: requireEnv('STORAGE_API_KEY'),
      },
    };

    // Validate port
    if (config.servicePort < 1 || config.servicePort > 65535) {
      throw new Error('SERVICE_PORT must be between 1 and 65535');
    }

    // Validate cache settings
    if (config.cacheMaxSize < 1) {
      throw new Error('CACHE_MAX_SIZE must be at least 1');
    }
    if (config.cacheTtlMs < 1000) {
      throw new Error('CACHE_TTL_MS must be at least 1000 (1 second)');
    }

    // Cache the configuration
    cachedConfig = config;

    // Log configuration in debug mode (redact sensitive data)
    if (config.debugMode) {
      console.log('[cwc-content] Configuration loaded:');
      console.log(`  Environment: ${config.runtimeEnvironment}`);
      console.log(`  Service Port: ${config.servicePort}`);
      console.log(`  Auth URI: ${config.authUri}`);
      console.log(`  Storage URI: ${config.storageUri}`);
      console.log(`  CORS Origin: ${config.corsOrigin}`);
      console.log(`  Storage API Key: [REDACTED]`);
      console.log(
        `  Rate Limiter: ${config.rateLimiterPoints} points / ${config.rateLimiterDuration}s`
      );
      console.log(`  Cache Max Size: ${config.cacheMaxSize}`);
      console.log(`  Cache TTL: ${config.cacheTtlMs}ms`);
      console.log(`  Debug Mode: ${config.debugMode}`);
    }

    return config;
  } catch (error) {
    console.error('[cwc-content] Failed to load configuration:');
    if (error instanceof Error) {
      console.error(`  ${error.message}`);
    } else {
      console.error(error);
    }
    console.error('\nPlease check your environment variables and try again.');
    process.exit(1);
  }
}

Version 2 (latest)

import type { RuntimeEnvironment } from 'cwc-types';
import { requireEnv, optionalEnv, parseNumber, parseBoolean } from 'cwc-backend-utils';
import type { CwcContentConfig } from './config.types';

/**
 * Validates runtime environment value
 */
function validateRuntimeEnvironment(value: string): RuntimeEnvironment {
  const validEnvironments = ['dev', 'test', 'prod', 'unit', 'e2e'];
  if (!validEnvironments.includes(value)) {
    throw new Error(
      `Invalid RUNTIME_ENVIRONMENT: ${value}. Must be one of: ${validEnvironments.join(', ')}`
    );
  }
  return value as RuntimeEnvironment;
}

/**
 * Loads and validates configuration from environment variables
 * Caches the configuration on first load
 */
let cachedConfig: CwcContentConfig | undefined;

export function loadConfig(): CwcContentConfig {
  // Return cached config if already loaded
  if (cachedConfig) {
    return cachedConfig;
  }

  try {
    // Parse runtime environment
    const runtimeEnvironment = validateRuntimeEnvironment(requireEnv('RUNTIME_ENVIRONMENT'));

    // Derive environment booleans
    const isProd = runtimeEnvironment === 'prod';
    const isDev = runtimeEnvironment === 'dev';
    const isTest = runtimeEnvironment === 'test';
    const isUnit = runtimeEnvironment === 'unit';
    const isE2E = runtimeEnvironment === 'e2e';

    // Parse configuration
    const config: CwcContentConfig = {
      // Environment
      runtimeEnvironment,
      isProd,
      isDev,
      isTest,
      isUnit,
      isE2E,

      // Service
      servicePort: parseNumber('SERVICE_PORT', 5008),
      authUri: requireEnv('AUTH_URI'),
      storageUri: requireEnv('STORAGE_URI'),

      // Security
      corsOrigin: requireEnv('CORS_ORIGIN'),

      // Rate limiting
      rateLimiterPoints: parseNumber('RATE_LIMITER_POINTS', 15),
      rateLimiterDuration: parseNumber('RATE_LIMITER_DURATION', 1),

      // Dev settings
      devCorsOrigin: optionalEnv('DEV_CORS_ORIGIN', 'http://localhost:3000'),

      // Debugging
      debugMode: parseBoolean('DEBUG_MODE', false),

      // Cache settings
      contentCacheMaxSize: parseNumber('CONTENT_CACHE_MAX_SIZE', 100),
      contentCacheTtlMs: parseNumber('CONTENT_CACHE_TTL_MS', 300000), // 5 minutes

      // Secrets (nested)
      secrets: {
        storageApiKey: requireEnv('STORAGE_API_KEY'),
      },
    };

    // Validate port
    if (config.servicePort < 1 || config.servicePort > 65535) {
      throw new Error('SERVICE_PORT must be between 1 and 65535');
    }

    // Validate cache settings
    if (config.contentCacheMaxSize < 1) {
      throw new Error('CONTENT_CACHE_MAX_SIZE must be at least 1');
    }
    if (config.contentCacheTtlMs < 1000) {
      throw new Error('CONTENT_CACHE_TTL_MS must be at least 1000 (1 second)');
    }

    // Cache the configuration
    cachedConfig = config;

    // Log configuration in debug mode (redact sensitive data)
    if (config.debugMode) {
      console.log('[cwc-content] Configuration loaded:');
      console.log(`  Environment: ${config.runtimeEnvironment}`);
      console.log(`  Service Port: ${config.servicePort}`);
      console.log(`  Auth URI: ${config.authUri}`);
      console.log(`  Storage URI: ${config.storageUri}`);
      console.log(`  CORS Origin: ${config.corsOrigin}`);
      console.log(`  Storage API Key: [REDACTED]`);
      console.log(
        `  Rate Limiter: ${config.rateLimiterPoints} points / ${config.rateLimiterDuration}s`
      );
      console.log(`  Cache Max Size: ${config.contentCacheMaxSize}`);
      console.log(`  Cache TTL: ${config.contentCacheTtlMs}ms`);
      console.log(`  Debug Mode: ${config.debugMode}`);
    }

    return config;
  } catch (error) {
    console.error('[cwc-content] Failed to load configuration:');
    if (error instanceof Error) {
      console.error(`  ${error.message}`);
    } else {
      console.error(error);
    }
    console.error('\nPlease check your environment variables and try again.');
    process.exit(1);
  }
}

packages/cwc-content/src/context/context.types.ts

import type { UserJwtPayload, CwcRole } from 'cwc-types';

/**
 * Context for all requests (authenticated or guest)
 *
 * For guests: isAuthenticated=false, role='guest-user', ownedProjects=[], others undefined
 * For authenticated: all fields populated from JWT
 */
export type RequestContext = {
  isAuthenticated: boolean;
  role: CwcRole;
  userPkId: number | undefined;
  username: string | undefined;
  ownedProjects: string[];
  payload: UserJwtPayload | undefined;
};

packages/cwc-content/src/context/createContext.ts

2 versions

Version 1

import type { AuthClient } from 'cwc-backend-utils';
import type { UserJwtPayload } from 'cwc-types';
import type { RequestContext } from './context.types';

export type CreateContextOptions = {
  authHeader: string | undefined;
  authClient: AuthClient;
};

/**
 * Creates a request context based on JWT verification
 * Returns authenticated context on success, guest context on failure
 */
export async function createContext(options: CreateContextOptions): Promise<RequestContext> {
  const { authHeader, authClient } = options;

  // No auth header = guest user
  if (!authHeader) {
    return createGuestContext();
  }

  // Verify token with cwc-auth
  const result = await authClient.verifyToken(authHeader);

  // Verification failed = guest user (graceful degradation)
  if (!result.success) {
    return createGuestContext();
  }

  // Verification succeeded = authenticated user
  return createAuthenticatedContext(result.payload);
}

function createGuestContext(): RequestContext {
  return {
    isAuthenticated: false,
    role: 'guest-user',
    userPkId: undefined,
    username: undefined,
    ownedProjects: [],
    payload: undefined,
  };
}

function createAuthenticatedContext(payload: UserJwtPayload): RequestContext {
  return {
    isAuthenticated: true,
    role: 'logged-on-user', // Actual role (project-owner) determined per-operation
    userPkId: payload.sub,
    username: payload.login.username,
    ownedProjects: payload.login.ownedProjects,
    payload,
  };
}

Version 2 (latest)

import type { AuthClient } from 'cwc-backend-utils';
import type { UserJwtPayload } from 'cwc-types';
import type { RequestContext } from './context.types';

export type CreateContextOptions = {
  authHeader: string | undefined;
  authClient: AuthClient;
};

/**
 * Creates a request context based on JWT verification
 * Returns authenticated context on success, guest context on failure
 *
 * Graceful degradation: Auth failures or service errors result in guest context
 */
export async function createContext(options: CreateContextOptions): Promise<RequestContext> {
  const { authHeader, authClient } = options;

  // No auth header = guest user
  if (!authHeader) {
    return createGuestContext();
  }

  try {
    // Verify token with cwc-auth
    const result = await authClient.verifyToken(authHeader);

    // Verification failed = guest user (graceful degradation)
    if (!result.success) {
      return createGuestContext();
    }

    // Verification succeeded = authenticated user
    return createAuthenticatedContext(result.payload);
  } catch {
    // Auth service error = guest user (graceful degradation)
    // Error is logged by AuthClient, no need to log here
    return createGuestContext();
  }
}

function createGuestContext(): RequestContext {
  return {
    isAuthenticated: false,
    role: 'guest-user',
    userPkId: undefined,
    username: undefined,
    ownedProjects: [],
    payload: undefined,
  };
}

function createAuthenticatedContext(payload: UserJwtPayload): RequestContext {
  return {
    isAuthenticated: true,
    role: 'logged-on-user', // Actual role (project-owner) determined per-operation
    userPkId: payload.sub,
    username: payload.login.username,
    ownedProjects: payload.login.ownedProjects,
    payload,
  };
}

packages/cwc-content/src/context/index.ts

export { createContext } from './createContext';
export type { CreateContextOptions } from './createContext';
export type { RequestContext } from './context.types';

packages/cwc-content/src/handlers/ContentHandler.ts

4 versions

Version 1

'use strict';

import type { StorageClient } from 'cwc-backend-utils';
import type { CwcContentConfig } from '../config';
import type { RequestContext } from '../context';
import type { SessionDataCache } from '../cache';
import { isProjectOwner } from '../policies';
import type {
  OperationResult,
  GetCodingSessionPayload,
  PutCodingSessionPayload,
  DeleteCodingSessionPayload,
} from './handler.types';

export type ContentHandlerOptions = {
  config: CwcContentConfig;
  storageClient: StorageClient;
  cache: SessionDataCache;
};

/**
 * Handles content operations (get/put/delete)
 *
 * This handler interacts with cwc-storage via StorageClient and maintains
 * an in-memory cache for frequently accessed session data.
 */
export class ContentHandler {
  private config: CwcContentConfig;
  private storageClient: StorageClient;
  private cache: SessionDataCache;

  constructor(options: ContentHandlerOptions) {
    this.config = options.config;
    this.storageClient = options.storageClient;
    this.cache = options.cache;
  }

  /**
   * Get coding session data from storage
   *
   * Access: guest-user (no additional checks - cwc-api enforces published status)
   */
  async getCodingSession(
    payload: GetCodingSessionPayload,
    _context: RequestContext
  ): Promise<OperationResult<Buffer>> {
    const { projectId, filename } = payload;

    // Validate required fields
    if (!projectId || !filename) {
      return {
        success: false,
        errorCode: 'VALIDATION_ERROR',
        errorMessage: 'projectId and filename are required',
      };
    }

    // Check cache first
    const cachedData = this.cache.get(projectId, filename);
    if (cachedData) {
      return { success: true, data: cachedData };
    }

    // Fetch from storage
    const result = await this.storageClient.getFile(projectId, filename);

    if (!result.success) {
      if (result.error === 'FILE_NOT_FOUND') {
        return {
          success: false,
          errorCode: 'NOT_FOUND',
          errorMessage: 'Session data not found',
        };
      }
      return {
        success: false,
        errorCode: 'STORAGE_ERROR',
        errorMessage: 'Failed to retrieve session data',
      };
    }

    // Cache the result
    this.cache.set(projectId, filename, result.data);

    return { success: true, data: result.data };
  }

  /**
   * Put coding session data to storage
   *
   * Access: project-owner (verified by checking ownedProjects in JWT)
   */
  async putCodingSession(
    payload: PutCodingSessionPayload,
    context: RequestContext
  ): Promise<OperationResult<{ filename: string }>> {
    const { projectId, filename, data } = payload;

    // Validate required fields
    if (!projectId || !filename || !data) {
      return {
        success: false,
        errorCode: 'VALIDATION_ERROR',
        errorMessage: 'projectId, filename, and data are required',
      };
    }

    // Verify project ownership
    if (!isProjectOwner(context, projectId)) {
      return {
        success: false,
        errorCode: 'FORBIDDEN',
        errorMessage: 'You do not own this project',
      };
    }

    // Upload to storage
    const result = await this.storageClient.putFile(projectId, filename, data);

    if (!result.success) {
      return {
        success: false,
        errorCode: 'STORAGE_ERROR',
        errorMessage: 'Failed to store session data',
      };
    }

    // Invalidate cache (new data will be cached on next get)
    this.cache.invalidate(projectId, filename);

    return { success: true, data: { filename: result.filename } };
  }

  /**
   * Delete coding session data from storage
   *
   * Access: project-owner (verified by checking ownedProjects in JWT)
   */
  async deleteCodingSession(
    payload: DeleteCodingSessionPayload,
    context: RequestContext
  ): Promise<OperationResult<{ filename: string }>> {
    const { projectId, filename } = payload;

    // Validate required fields
    if (!projectId || !filename) {
      return {
        success: false,
        errorCode: 'VALIDATION_ERROR',
        errorMessage: 'projectId and filename are required',
      };
    }

    // Verify project ownership
    if (!isProjectOwner(context, projectId)) {
      return {
        success: false,
        errorCode: 'FORBIDDEN',
        errorMessage: 'You do not own this project',
      };
    }

    // Delete from storage
    const result = await this.storageClient.deleteFile(projectId, filename);

    if (!result.success) {
      if (result.error === 'FILE_NOT_FOUND') {
        return {
          success: false,
          errorCode: 'NOT_FOUND',
          errorMessage: 'Session data not found',
        };
      }
      return {
        success: false,
        errorCode: 'STORAGE_ERROR',
        errorMessage: 'Failed to delete session data',
      };
    }

    // Invalidate cache
    this.cache.invalidate(projectId, filename);

    return { success: true, data: { filename: result.filename } };
  }
}

Version 2

'use strict';

import type { StorageClient } from 'cwc-backend-utils';
import type { RequestContext } from '../context';
import type { SessionDataCache } from '../cache';
import { isProjectOwner } from '../policies';
import type {
  OperationResult,
  GetCodingSessionPayload,
  PutCodingSessionPayload,
  DeleteCodingSessionPayload,
} from './handler.types';

export type ContentHandlerOptions = {
  storageClient: StorageClient;
  cache: SessionDataCache;
};

/**
 * Handles content operations (get/put/delete)
 *
 * This handler interacts with cwc-storage via StorageClient and maintains
 * an in-memory cache for frequently accessed session data.
 */
export class ContentHandler {
  private storageClient: StorageClient;
  private cache: SessionDataCache;

  constructor(options: ContentHandlerOptions) {
    this.storageClient = options.storageClient;
    this.cache = options.cache;
  }

  /**
   * Get coding session data from storage
   *
   * Access: guest-user (no additional checks - cwc-api enforces published status)
   */
  async getCodingSession(
    payload: GetCodingSessionPayload,
    _context: RequestContext
  ): Promise<OperationResult<Buffer>> {
    const { projectId, filename } = payload;

    // Validate required fields
    if (!projectId || !filename) {
      return {
        success: false,
        errorCode: 'VALIDATION_ERROR',
        errorMessage: 'projectId and filename are required',
      };
    }

    // Check cache first
    const cachedData = this.cache.get(projectId, filename);
    if (cachedData) {
      return { success: true, data: cachedData };
    }

    // Fetch from storage
    const result = await this.storageClient.getFile(projectId, filename);

    if (!result.success) {
      if (result.error === 'FILE_NOT_FOUND') {
        return {
          success: false,
          errorCode: 'NOT_FOUND',
          errorMessage: 'Session data not found',
        };
      }
      return {
        success: false,
        errorCode: 'STORAGE_ERROR',
        errorMessage: 'Failed to retrieve session data',
      };
    }

    // Cache the result
    this.cache.set(projectId, filename, result.data);

    return { success: true, data: result.data };
  }

  /**
   * Put coding session data to storage
   *
   * Access: project-owner (verified by checking ownedProjects in JWT)
   */
  async putCodingSession(
    payload: PutCodingSessionPayload,
    context: RequestContext
  ): Promise<OperationResult<{ filename: string }>> {
    const { projectId, filename, data } = payload;

    // Validate required fields
    if (!projectId || !filename || !data) {
      return {
        success: false,
        errorCode: 'VALIDATION_ERROR',
        errorMessage: 'projectId, filename, and data are required',
      };
    }

    // Verify project ownership
    if (!isProjectOwner(context, projectId)) {
      return {
        success: false,
        errorCode: 'FORBIDDEN',
        errorMessage: 'You do not own this project',
      };
    }

    // Upload to storage
    const result = await this.storageClient.putFile(projectId, filename, data);

    if (!result.success) {
      return {
        success: false,
        errorCode: 'STORAGE_ERROR',
        errorMessage: 'Failed to store session data',
      };
    }

    // Invalidate cache (new data will be cached on next get)
    this.cache.invalidate(projectId, filename);

    return { success: true, data: { filename: result.filename } };
  }

  /**
   * Delete coding session data from storage
   *
   * Access: project-owner (verified by checking ownedProjects in JWT)
   */
  async deleteCodingSession(
    payload: DeleteCodingSessionPayload,
    context: RequestContext
  ): Promise<OperationResult<{ filename: string }>> {
    const { projectId, filename } = payload;

    // Validate required fields
    if (!projectId || !filename) {
      return {
        success: false,
        errorCode: 'VALIDATION_ERROR',
        errorMessage: 'projectId and filename are required',
      };
    }

    // Verify project ownership
    if (!isProjectOwner(context, projectId)) {
      return {
        success: false,
        errorCode: 'FORBIDDEN',
        errorMessage: 'You do not own this project',
      };
    }

    // Delete from storage
    const result = await this.storageClient.deleteFile(projectId, filename);

    if (!result.success) {
      if (result.error === 'FILE_NOT_FOUND') {
        return {
          success: false,
          errorCode: 'NOT_FOUND',
          errorMessage: 'Session data not found',
        };
      }
      return {
        success: false,
        errorCode: 'STORAGE_ERROR',
        errorMessage: 'Failed to delete session data',
      };
    }

    // Invalidate cache
    this.cache.invalidate(projectId, filename);

    return { success: true, data: { filename: result.filename } };
  }
}

Version 3

'use strict';

import type { StorageClient } from 'cwc-backend-utils';
import type { RequestContext } from '../context';
import type { ContentCache } from '../cache';
import type {
  OperationResult,
  GetCodingSessionPayload,
  PutCodingSessionPayload,
  DeleteCodingSessionPayload,
} from './handler.types';

export type ContentHandlerOptions = {
  storageClient: StorageClient;
  cache: ContentCache;
};

/**
 * Handles content operations (get/put/delete)
 *
 * This handler interacts with cwc-storage via StorageClient and maintains
 * an in-memory cache for frequently accessed session data.
 */
export class ContentHandler {
  private storageClient: StorageClient;
  private cache: ContentCache;

  constructor(options: ContentHandlerOptions) {
    this.storageClient = options.storageClient;
    this.cache = options.cache;
  }

  /**
   * Get coding session data from storage
   *
   * Access: guest-user (no additional checks - cwc-api enforces published status)
   */
  async getCodingSession(
    payload: GetCodingSessionPayload,
    _context: RequestContext
  ): Promise<OperationResult<Buffer>> {
    const { projectId, filename } = payload;

    // Validate required fields
    if (!projectId || !filename) {
      return {
        success: false,
        errorCode: 'VALIDATION_ERROR',
        errorMessage: 'projectId and filename are required',
      };
    }

    // Check cache first
    const cachedData = this.cache.get(projectId, filename);
    if (cachedData) {
      return { success: true, data: cachedData };
    }

    // Fetch from storage
    const result = await this.storageClient.getFile(projectId, filename);

    if (!result.success) {
      if (result.error === 'FILE_NOT_FOUND') {
        return {
          success: false,
          errorCode: 'NOT_FOUND',
          errorMessage: 'Session data not found',
        };
      }
      return {
        success: false,
        errorCode: 'STORAGE_ERROR',
        errorMessage: 'Failed to retrieve session data',
      };
    }

    // Cache the result
    this.cache.set(projectId, filename, result.data);

    return { success: true, data: result.data };
  }

  /**
   * Put coding session data to storage
   *
   * Access: project-owner (ownership verified at route level by checkRouteAccess)
   */
  async putCodingSession(
    payload: PutCodingSessionPayload,
    _context: RequestContext
  ): Promise<OperationResult<{ filename: string }>> {
    const { projectId, filename, data } = payload;

    // Validate required fields
    if (!projectId || !filename || !data) {
      return {
        success: false,
        errorCode: 'VALIDATION_ERROR',
        errorMessage: 'projectId, filename, and data are required',
      };
    }

    // Upload to storage
    const result = await this.storageClient.putFile(projectId, filename, data);

    if (!result.success) {
      return {
        success: false,
        errorCode: 'STORAGE_ERROR',
        errorMessage: 'Failed to store session data',
      };
    }

    // Invalidate cache (new data will be cached on next get)
    this.cache.invalidate(projectId, filename);

    return { success: true, data: { filename: result.filename } };
  }

  /**
   * Delete coding session data from storage
   *
   * Access: project-owner (ownership verified at route level by checkRouteAccess)
   */
  async deleteCodingSession(
    payload: DeleteCodingSessionPayload,
    _context: RequestContext
  ): Promise<OperationResult<{ filename: string }>> {
    const { projectId, filename } = payload;

    // Validate required fields
    if (!projectId || !filename) {
      return {
        success: false,
        errorCode: 'VALIDATION_ERROR',
        errorMessage: 'projectId and filename are required',
      };
    }

    // Delete from storage
    const result = await this.storageClient.deleteFile(projectId, filename);

    if (!result.success) {
      if (result.error === 'FILE_NOT_FOUND') {
        return {
          success: false,
          errorCode: 'NOT_FOUND',
          errorMessage: 'Session data not found',
        };
      }
      return {
        success: false,
        errorCode: 'STORAGE_ERROR',
        errorMessage: 'Failed to delete session data',
      };
    }

    // Invalidate cache
    this.cache.invalidate(projectId, filename);

    return { success: true, data: { filename: result.filename } };
  }
}

Version 4 (latest)

'use strict';

import type { StorageClient } from 'cwc-backend-utils';
import type { RequestContext } from '../context';
import type { ContentCache } from '../cache';
import type {
  OperationResult,
  GetCodingSessionPayload,
  PutCodingSessionPayload,
  DeleteCodingSessionPayload,
} from './handler.types';

export type ContentHandlerOptions = {
  storageClient: StorageClient;
  cache: ContentCache;
};

/**
 * Handles content operations (get/put/delete)
 *
 * This handler interacts with cwc-storage via StorageClient and maintains
 * an in-memory cache for frequently accessed content.
 */
export class ContentHandler {
  private storageClient: StorageClient;
  private cache: ContentCache;

  constructor(options: ContentHandlerOptions) {
    this.storageClient = options.storageClient;
    this.cache = options.cache;
  }

  /**
   * Get coding session data from storage
   *
   * Access: guest-user (no additional checks - cwc-api enforces published status)
   */
  async getCodingSession(
    payload: GetCodingSessionPayload,
    _context: RequestContext
  ): Promise<OperationResult<Buffer>> {
    const { projectId, filename } = payload;

    // Validate required fields
    if (!projectId || !filename) {
      return {
        success: false,
        errorCode: 'VALIDATION_ERROR',
        errorMessage: 'projectId and filename are required',
      };
    }

    // Check cache first
    const cachedData = this.cache.get(projectId, filename);
    if (cachedData) {
      return { success: true, data: cachedData };
    }

    // Fetch from storage
    const result = await this.storageClient.getFile(projectId, filename);

    if (!result.success) {
      if (result.error === 'FILE_NOT_FOUND') {
        return {
          success: false,
          errorCode: 'NOT_FOUND',
          errorMessage: 'Session data not found',
        };
      }
      return {
        success: false,
        errorCode: 'STORAGE_ERROR',
        errorMessage: 'Failed to retrieve session data',
      };
    }

    // Cache the result
    this.cache.set(projectId, filename, result.data);

    return { success: true, data: result.data };
  }

  /**
   * Put coding session data to storage
   *
   * Access: project-owner (ownership verified at route level by checkRouteAccess)
   */
  async putCodingSession(
    payload: PutCodingSessionPayload,
    _context: RequestContext
  ): Promise<OperationResult<{ filename: string }>> {
    const { projectId, filename, data } = payload;

    // Validate required fields
    if (!projectId || !filename || !data) {
      return {
        success: false,
        errorCode: 'VALIDATION_ERROR',
        errorMessage: 'projectId, filename, and data are required',
      };
    }

    // Upload to storage
    const result = await this.storageClient.putFile(projectId, filename, data);

    if (!result.success) {
      return {
        success: false,
        errorCode: 'STORAGE_ERROR',
        errorMessage: 'Failed to store session data',
      };
    }

    // Invalidate cache (new data will be cached on next get)
    this.cache.invalidate(projectId, filename);

    return { success: true, data: { filename: result.filename } };
  }

  /**
   * Delete coding session data from storage
   *
   * Access: project-owner (ownership verified at route level by checkRouteAccess)
   */
  async deleteCodingSession(
    payload: DeleteCodingSessionPayload,
    _context: RequestContext
  ): Promise<OperationResult<{ filename: string }>> {
    const { projectId, filename } = payload;

    // Validate required fields
    if (!projectId || !filename) {
      return {
        success: false,
        errorCode: 'VALIDATION_ERROR',
        errorMessage: 'projectId and filename are required',
      };
    }

    // Delete from storage
    const result = await this.storageClient.deleteFile(projectId, filename);

    if (!result.success) {
      if (result.error === 'FILE_NOT_FOUND') {
        return {
          success: false,
          errorCode: 'NOT_FOUND',
          errorMessage: 'Session data not found',
        };
      }
      return {
        success: false,
        errorCode: 'STORAGE_ERROR',
        errorMessage: 'Failed to delete session data',
      };
    }

    // Invalidate cache
    this.cache.invalidate(projectId, filename);

    return { success: true, data: { filename: result.filename } };
  }
}

packages/cwc-content/src/handlers/handler.types.ts

'use strict';

import type { CwcRole } from 'cwc-types';
import type { RequestContext } from '../context';

// ============================================================================
// Error Codes
// ============================================================================

/**
 * Error codes for cwc-content operations
 */
export type ContentErrorCode =
  // Access control errors
  | 'UNAUTHORIZED' // No valid authentication
  | 'FORBIDDEN' // Authenticated but not allowed
  // Resource errors
  | 'NOT_FOUND' // File not found in storage
  // Validation errors
  | 'VALIDATION_ERROR' // Request payload validation failed
  // System errors
  | 'STORAGE_ERROR' // Storage service failure
  | 'INTERNAL_ERROR'; // Unexpected server error

// ============================================================================
// HTTP Status Codes
// ============================================================================

export type ContentSuccessStatusCode = 200;
export type ContentErrorStatusCode = 400 | 401 | 403 | 404 | 500;
export type ContentStatusCode = ContentSuccessStatusCode | ContentErrorStatusCode;

// ============================================================================
// Response Types
// ============================================================================

/**
 * Success response envelope
 */
export type ContentSuccessResponse<T = unknown> = {
  success: true;
  data: T;
};

/**
 * Error response envelope
 */
export type ContentErrorResponse = {
  success: false;
  errorCode: ContentErrorCode;
  errorMessage: string;
  errorDetail?: string | undefined; // Dev-only
};

/**
 * Union of all response types
 */
export type ContentResponse<T = unknown> = ContentSuccessResponse<T> | ContentErrorResponse;

/**
 * Full handler response with HTTP status code
 */
export type ContentHandlerResponse<T = unknown> = {
  statusCode: ContentStatusCode;
  body: ContentResponse<T>;
};

// ============================================================================
// Route Configuration
// ============================================================================

/**
 * Handler type for content routes
 */
export type ContentHandlerType = 'get' | 'put' | 'delete';

/**
 * Route configuration for cwc-content endpoints
 */
export type ContentRouteConfig<TPayload = unknown, TResult = unknown> = {
  path: string;
  handlerType: ContentHandlerType;
  requiredRole: CwcRole;
  operation: ContentOperation<TPayload, TResult>;
};

/**
 * Map of route paths to configurations
 */
export type ContentRouteConfigs = {
  [key: string]: ContentRouteConfig;
};

// ============================================================================
// Operation Types
// ============================================================================

/**
 * Operation result from worker functions
 */
export type OperationResult<T = unknown> =
  | { success: true; data: T }
  | { success: false; errorCode: ContentErrorCode; errorMessage: string };

/**
 * Operation function signature
 */
export type ContentOperation<TPayload = unknown, TResult = unknown> = (
  payload: TPayload,
  requestContext: RequestContext
) => Promise<OperationResult<TResult>>;

// ============================================================================
// Access Policy Types
// ============================================================================

/**
 * Route access check result
 */
export type RouteAccessResult = {
  allowed: boolean;
  reason?: string | undefined;
};

/**
 * Operation access check result
 */
export type OperationAccessResult = {
  allowed: boolean;
  errorCode?: ContentErrorCode | undefined;
  reason?: string | undefined;
};

// ============================================================================
// Payload Types
// ============================================================================

/**
 * GET request payload
 */
export type GetCodingSessionPayload = {
  projectId: string;
  filename: string;
};

/**
 * PUT request payload
 */
export type PutCodingSessionPayload = {
  projectId: string;
  filename: string;
  data: string; // Base64-encoded gzipped data
};

/**
 * DELETE request payload
 */
export type DeleteCodingSessionPayload = {
  projectId: string;
  filename: string;
};

packages/cwc-content/src/handlers/index.ts

export { RequestHandler } from './RequestHandler';
export type { RequestHandlerOptions } from './RequestHandler';
export { ContentHandler } from './ContentHandler';
export type { ContentHandlerOptions } from './ContentHandler';
export * from './handler.types';
export * from './responseUtils';

packages/cwc-content/src/handlers/RequestHandler.ts

2 versions

Version 1

'use strict';

import type { AuthClient } from 'cwc-backend-utils';
import type { CwcContentConfig } from '../config';
import { createContext } from '../context';
import type { RequestContext } from '../context';
import { checkRouteAccess } from '../policies';
import type { ContentRouteConfig, ContentHandlerResponse } from './handler.types';
import {
  createUnauthorizedResponse,
  createAccessDeniedResponse,
  createErrorResponse,
  createSuccessResponse,
  createInternalErrorResponse,
} from './responseUtils';

export type RequestHandlerOptions = {
  authHeader: string | undefined;
  payload: unknown;
  routeConfig: ContentRouteConfig;
};

/**
 * Main request handler for cwc-content
 *
 * Responsibilities:
 * 1. Extract JWT and create request context
 * 2. Check route-level access
 * 3. Delegate to operation
 * 4. Return response
 */
export class RequestHandler {
  private options: RequestHandlerOptions;
  private config: CwcContentConfig;
  private authClient: AuthClient;

  constructor(options: RequestHandlerOptions, config: CwcContentConfig, authClient: AuthClient) {
    this.options = options;
    this.config = config;
    this.authClient = authClient;
  }

  async processRequest(): Promise<ContentHandlerResponse> {
    const { authHeader, payload, routeConfig } = this.options;

    try {
      // Create context from JWT
      const context = await createContext({
        authHeader,
        authClient: this.authClient,
      });

      // Check route-level access
      const routeAccessResult = checkRouteAccess(context, routeConfig.requiredRole);

      if (!routeAccessResult.allowed) {
        // Determine if this is 401 (not authenticated) or 403 (not authorized)
        if (!context.isAuthenticated && routeConfig.requiredRole !== 'guest-user') {
          return createUnauthorizedResponse(this.config, routeAccessResult.reason);
        }
        return createAccessDeniedResponse(this.config, routeAccessResult.reason);
      }

      // Execute operation
      return await this.executeOperation(context, payload, routeConfig);
    } catch (error) {
      return createInternalErrorResponse(this.config, error);
    }
  }

  private async executeOperation(
    context: RequestContext,
    payload: unknown,
    routeConfig: ContentRouteConfig
  ): Promise<ContentHandlerResponse> {
    try {
      // Call the operation with payload and context
      const result = await routeConfig.operation(payload, context);

      if (result.success) {
        return createSuccessResponse(result.data);
      }

      return createErrorResponse(result.errorCode, result.errorMessage);
    } catch (error) {
      return createInternalErrorResponse(this.config, error);
    }
  }
}

Version 2 (latest)

'use strict';

import type { AuthClient } from 'cwc-backend-utils';
import type { CwcContentConfig } from '../config';
import { createContext } from '../context';
import type { RequestContext } from '../context';
import { checkRouteAccess } from '../policies';
import type { ContentRouteConfig, ContentHandlerResponse } from './handler.types';
import {
  createUnauthorizedResponse,
  createAccessDeniedResponse,
  createErrorResponse,
  createSuccessResponse,
  createInternalErrorResponse,
} from './responseUtils';

export type RequestHandlerOptions = {
  authHeader: string | undefined;
  payload: unknown;
  routeConfig: ContentRouteConfig;
};

/**
 * Main request handler for cwc-content
 *
 * Responsibilities:
 * 1. Extract JWT and create request context
 * 2. Check route-level access
 * 3. Delegate to operation
 * 4. Return response
 */
export class RequestHandler {
  private options: RequestHandlerOptions;
  private config: CwcContentConfig;
  private authClient: AuthClient;

  constructor(options: RequestHandlerOptions, config: CwcContentConfig, authClient: AuthClient) {
    this.options = options;
    this.config = config;
    this.authClient = authClient;
  }

  async processRequest(): Promise<ContentHandlerResponse> {
    const { authHeader, payload, routeConfig } = this.options;

    try {
      // Create context from JWT
      const context = await createContext({
        authHeader,
        authClient: this.authClient,
      });

      // Check route-level access (includes ownership verification for project-owner)
      const routeAccessResult = checkRouteAccess({
        context,
        requiredRole: routeConfig.requiredRole,
        payload: payload as { projectId?: string },
      });

      if (!routeAccessResult.allowed) {
        // Determine if this is 401 (not authenticated) or 403 (not authorized)
        if (!context.isAuthenticated && routeConfig.requiredRole !== 'guest-user') {
          return createUnauthorizedResponse(this.config, routeAccessResult.reason);
        }
        return createAccessDeniedResponse(this.config, routeAccessResult.reason);
      }

      // Execute operation
      return await this.executeOperation(context, payload, routeConfig);
    } catch (error) {
      return createInternalErrorResponse(this.config, error);
    }
  }

  private async executeOperation(
    context: RequestContext,
    payload: unknown,
    routeConfig: ContentRouteConfig
  ): Promise<ContentHandlerResponse> {
    try {
      // Call the operation with payload and context
      const result = await routeConfig.operation(payload, context);

      if (result.success) {
        return createSuccessResponse(result.data);
      }

      return createErrorResponse(result.errorCode, result.errorMessage);
    } catch (error) {
      return createInternalErrorResponse(this.config, error);
    }
  }
}

packages/cwc-content/src/handlers/responseUtils.ts

'use strict';

import type { CwcContentConfig } from '../config';
import type { ContentHandlerResponse, ContentErrorCode } from './handler.types';

/**
 * Maps error codes to appropriate HTTP status codes
 */
export function mapErrorCodeToStatus(errorCode: ContentErrorCode): 400 | 401 | 403 | 404 | 500 {
  switch (errorCode) {
    case 'NOT_FOUND':
      return 404;
    case 'VALIDATION_ERROR':
      return 400;
    case 'UNAUTHORIZED':
      return 401;
    case 'FORBIDDEN':
      return 403;
    case 'STORAGE_ERROR':
    case 'INTERNAL_ERROR':
      return 500;
    default:
      return 500;
  }
}

/**
 * Creates a 403 response for operation access denied
 */
export function createAccessDeniedResponse(
  config: CwcContentConfig,
  reason?: string
): ContentHandlerResponse {
  return {
    statusCode: 403,
    body: {
      success: false,
      errorCode: 'FORBIDDEN',
      errorMessage: 'Access denied',
      ...(config.isDev && reason ? { errorDetail: reason } : {}),
    },
  };
}

/**
 * Creates a 401 response for unauthenticated access
 */
export function createUnauthorizedResponse(
  config: CwcContentConfig,
  reason?: string
): ContentHandlerResponse {
  return {
    statusCode: 401,
    body: {
      success: false,
      errorCode: 'UNAUTHORIZED',
      errorMessage: 'Authentication required',
      ...(config.isDev && reason ? { errorDetail: reason } : {}),
    },
  };
}

/**
 * Creates an error response with appropriate status code based on error code
 */
export function createErrorResponse(
  errorCode: ContentErrorCode,
  errorMessage: string
): ContentHandlerResponse {
  const statusCode = mapErrorCodeToStatus(errorCode);

  return {
    statusCode,
    body: {
      success: false,
      errorCode,
      errorMessage,
    },
  };
}

/**
 * Creates a 500 internal error response
 */
export function createInternalErrorResponse(
  config: CwcContentConfig,
  error: unknown
): ContentHandlerResponse {
  return {
    statusCode: 500,
    body: {
      success: false,
      errorCode: 'INTERNAL_ERROR',
      errorMessage: 'An internal error occurred',
      ...(config.isDev && error instanceof Error ? { errorDetail: error.message } : {}),
    },
  };
}

/**
 * Creates a success response with data
 */
export function createSuccessResponse<T>(data: T): ContentHandlerResponse<T> {
  return {
    statusCode: 200,
    body: {
      success: true,
      data,
    },
  };
}

packages/cwc-content/src/index.ts

3 versions

Version 1

import {
  loadDotEnv,
  createExpressService,
  StorageClient,
  AuthClient,
  type ExpressApi,
  type BackendUtilsConfig,
} from 'cwc-backend-utils';
import type { RuntimeEnvironment } from 'cwc-types';
import type { Request, Response } from 'express';
import type { CwcContentConfig } from './config';
import { loadConfig } from './config';
import { ContentApiV1 } from './apis/ContentApiV1';

console.log(`
 ██████╗ ██████╗ ███╗   ██╗████████╗███████╗███╗   ██╗████████╗
██╔════╝██╔═══██╗████╗  ██║╚══██╔══╝██╔════╝████╗  ██║╚══██╔══╝
██║     ██║   ██║██╔██╗ ██║   ██║   █████╗  ██╔██╗ ██║   ██║
██║     ██║   ██║██║╚██╗██║   ██║   ██╔══╝  ██║╚██╗██║   ██║
╚██████╗╚██████╔╝██║ ╚████║   ██║   ███████╗██║ ╚████║   ██║
 ╚═════╝ ╚═════╝ ╚═╝  ╚═══╝   ╚═╝   ╚══════╝╚═╝  ╚═══╝   ╚═╝
`);

/**
 * Health check endpoint for load balancers and monitoring
 */
function healthHandler(_req: Request, res: Response): void {
  res.json({
    status: 'healthy',
    service: 'cwc-content',
    timestamp: new Date().toISOString(),
  });
}

/**
 * Converts CwcContentConfig to BackendUtilsConfig for createExpressService
 */
function createBackendUtilsConfig(contentConfig: CwcContentConfig): BackendUtilsConfig {
  return {
    debugMode: contentConfig.debugMode,
    isDev: contentConfig.isDev,
    isTest: contentConfig.isTest,
    isProd: contentConfig.isProd,
    isUnit: contentConfig.isUnit,
    isE2E: contentConfig.isE2E,
    corsOrigin: contentConfig.corsOrigin,
    servicePort: contentConfig.servicePort,
    rateLimiterPoints: contentConfig.rateLimiterPoints,
    rateLimiterDuration: contentConfig.rateLimiterDuration,
    devCorsOrigin: contentConfig.devCorsOrigin,
  };
}

/**
 * Main entry point for the cwc-content microservice
 */
async function main(): Promise<void> {
  try {
    console.log('[cwc-content] Starting cwc-content microservice...');

    // Load environment variables
    loadDotEnv({
      serviceName: 'cwc-content',
      environment: (process.env['RUNTIME_ENVIRONMENT'] as RuntimeEnvironment) || 'dev',
      debug: process.env['DEBUG_MODE'] === 'ON',
    });

    // Load and validate configuration
    const config = loadConfig();

    console.log('[cwc-content] Configuration loaded successfully');

    // Create BackendUtilsConfig for shared utilities
    const backendConfig = createBackendUtilsConfig(config);

    // Create StorageClient for cwc-storage operations
    const storageClient = new StorageClient({
      config: {
        storageUri: config.storageUri,
        storageApiKey: config.secrets.storageApiKey,
      },
      logger: undefined, // No database-backed logger in cwc-content
      clientName: 'cwc-content',
    });

    // Create AuthClient for JWT verification via cwc-auth
    const authClient = new AuthClient({
      config: { authUri: config.authUri },
      logger: undefined, // No database-backed logger in cwc-content
      clientName: 'cwc-content',
    });

    // Health check API
    const healthApi: ExpressApi = {
      version: 1,
      path: '/health/v1',
      handler: healthHandler,
    };

    // Create ContentApiV1 - content delivery API
    const contentApiV1 = new ContentApiV1(config, storageClient, authClient, undefined);

    // APIs - health check + ContentApiV1
    const apis: ExpressApi[] = [healthApi, contentApiV1];

    // Create Express service
    const service = createExpressService({
      config: backendConfig,
      serviceName: 'cwc-content',
      apis,
      allowGet: false,
      allowOptions: true,
      allowPost: true,
      payloadLimit: undefined,
    });

    // Start the service
    service.start(apis);

    console.log('');
    console.log('='.repeat(60));
    console.log(`[cwc-content] Service started successfully`);
    console.log(`[cwc-content] Environment: ${config.runtimeEnvironment}`);
    console.log(`[cwc-content] Port: ${config.servicePort}`);
    console.log(`[cwc-content] Storage URI: ${config.storageUri}`);
    console.log(`[cwc-content] Auth URI: ${config.authUri}`);
    console.log(`[cwc-content] Cache: ${config.cacheMaxSize} entries, ${config.cacheTtlMs}ms TTL`);
    console.log(`[cwc-content] Debug: ${config.debugMode ? 'enabled' : 'disabled'}`);
    console.log('='.repeat(60));
    console.log('');

    // Handle graceful shutdown
    const shutdown = async (signal: string): Promise<void> => {
      console.log(`\n[cwc-content] Received ${signal}, shutting down gracefully...`);

      try {
        // Close HTTP server
        await new Promise<void>((resolve, reject) => {
          service.httpServer.close((err) => {
            if (err) {
              reject(err);
            } else {
              resolve();
            }
          });
        });

        console.log('[cwc-content] HTTP server closed');
        console.log('[cwc-content] Shutdown complete');
        process.exit(0);
      } catch (error) {
        console.error('[cwc-content] Error during shutdown:', error);
        process.exit(1);
      }
    };

    // Register shutdown handlers
    process.on('SIGTERM', () => shutdown('SIGTERM'));
    process.on('SIGINT', () => shutdown('SIGINT'));

    // Handle uncaught errors
    process.on('unhandledRejection', (reason, promise) => {
      console.error('[cwc-content] Unhandled Rejection at:', promise, 'reason:', reason);

      // Don't exit on unhandled rejection in production
      if (!config.isProd) {
        process.exit(1);
      }
    });

    process.on('uncaughtException', (error) => {
      console.error('[cwc-content] Uncaught Exception:', error);

      // Always exit on uncaught exception
      process.exit(1);
    });
  } catch (error) {
    console.error('[cwc-content] Failed to start service:', error);
    process.exit(1);
  }
}

// Start the service
main();

// Export for testing
export { main };

Version 2

import {
  loadDotEnv,
  createExpressService,
  StorageClient,
  AuthClient,
  type ExpressApi,
  type BackendUtilsConfigBasic,
} from 'cwc-backend-utils';
import type { RuntimeEnvironment } from 'cwc-types';
import type { Request, Response } from 'express';
import type { CwcContentConfig } from './config';
import { loadConfig } from './config';
import { ContentApiV1 } from './apis/ContentApiV1';

console.log(`
 ██████╗ ██████╗ ███╗   ██╗████████╗███████╗███╗   ██╗████████╗
██╔════╝██╔═══██╗████╗  ██║╚══██╔══╝██╔════╝████╗  ██║╚══██╔══╝
██║     ██║   ██║██╔██╗ ██║   ██║   █████╗  ██╔██╗ ██║   ██║
██║     ██║   ██║██║╚██╗██║   ██║   ██╔══╝  ██║╚██╗██║   ██║
╚██████╗╚██████╔╝██║ ╚████║   ██║   ███████╗██║ ╚████║   ██║
 ╚═════╝ ╚═════╝ ╚═╝  ╚═══╝   ╚═╝   ╚══════╝╚═╝  ╚═══╝   ╚═╝
`);

/**
 * Health check endpoint for load balancers and monitoring
 */
function healthHandler(_req: Request, res: Response): void {
  res.json({
    status: 'healthy',
    service: 'cwc-content',
    timestamp: new Date().toISOString(),
  });
}

/**
 * Converts CwcContentConfig to BackendUtilsConfigBasic for createExpressService
 *
 * cwc-content does not use SqlClient or database logging, so we use the
 * simplified BackendUtilsConfigBasic which omits dataUri and logErrorsToDatabase.
 */
function createBackendUtilsConfig(contentConfig: CwcContentConfig): BackendUtilsConfigBasic {
  return {
    debugMode: contentConfig.debugMode,
    isDev: contentConfig.isDev,
    isTest: contentConfig.isTest,
    isProd: contentConfig.isProd,
    isUnit: contentConfig.isUnit,
    isE2E: contentConfig.isE2E,
    corsOrigin: contentConfig.corsOrigin,
    servicePort: contentConfig.servicePort,
    rateLimiterPoints: contentConfig.rateLimiterPoints,
    rateLimiterDuration: contentConfig.rateLimiterDuration,
    devCorsOrigin: contentConfig.devCorsOrigin,
  };
}

/**
 * Main entry point for the cwc-content microservice
 */
async function main(): Promise<void> {
  try {
    console.log('[cwc-content] Starting cwc-content microservice...');

    // Load environment variables
    loadDotEnv({
      serviceName: 'cwc-content',
      environment: (process.env['RUNTIME_ENVIRONMENT'] as RuntimeEnvironment) || 'dev',
      debug: process.env['DEBUG_MODE'] === 'ON',
    });

    // Load and validate configuration
    const config = loadConfig();

    console.log('[cwc-content] Configuration loaded successfully');

    // Create BackendUtilsConfig for shared utilities
    const backendConfig = createBackendUtilsConfig(config);

    // Create StorageClient for cwc-storage operations
    const storageClient = new StorageClient({
      config: {
        storageUri: config.storageUri,
        storageApiKey: config.secrets.storageApiKey,
      },
      logger: undefined, // No database-backed logger in cwc-content
      clientName: 'cwc-content',
    });

    // Create AuthClient for JWT verification via cwc-auth
    const authClient = new AuthClient({
      config: { authUri: config.authUri },
      logger: undefined, // No database-backed logger in cwc-content
      clientName: 'cwc-content',
    });

    // Health check API
    const healthApi: ExpressApi = {
      version: 1,
      path: '/health/v1',
      handler: healthHandler,
    };

    // Create ContentApiV1 - content delivery API
    const contentApiV1 = new ContentApiV1(config, storageClient, authClient, undefined);

    // APIs - health check + ContentApiV1
    const apis: ExpressApi[] = [healthApi, contentApiV1];

    // Create Express service
    const service = createExpressService({
      config: backendConfig,
      serviceName: 'cwc-content',
      apis,
      allowGet: false,
      allowOptions: true,
      allowPost: true,
      payloadLimit: undefined,
    });

    // Start the service
    service.start(apis);

    console.log('');
    console.log('='.repeat(60));
    console.log(`[cwc-content] Service started successfully`);
    console.log(`[cwc-content] Environment: ${config.runtimeEnvironment}`);
    console.log(`[cwc-content] Port: ${config.servicePort}`);
    console.log(`[cwc-content] Storage URI: ${config.storageUri}`);
    console.log(`[cwc-content] Auth URI: ${config.authUri}`);
    console.log(`[cwc-content] Cache: ${config.cacheMaxSize} entries, ${config.cacheTtlMs}ms TTL`);
    console.log(`[cwc-content] Debug: ${config.debugMode ? 'enabled' : 'disabled'}`);
    console.log('='.repeat(60));
    console.log('');

    // Handle graceful shutdown
    const shutdown = async (signal: string): Promise<void> => {
      console.log(`\n[cwc-content] Received ${signal}, shutting down gracefully...`);

      try {
        // Close HTTP server
        await new Promise<void>((resolve, reject) => {
          service.httpServer.close((err) => {
            if (err) {
              reject(err);
            } else {
              resolve();
            }
          });
        });

        console.log('[cwc-content] HTTP server closed');
        console.log('[cwc-content] Shutdown complete');
        process.exit(0);
      } catch (error) {
        console.error('[cwc-content] Error during shutdown:', error);
        process.exit(1);
      }
    };

    // Register shutdown handlers
    process.on('SIGTERM', () => shutdown('SIGTERM'));
    process.on('SIGINT', () => shutdown('SIGINT'));

    // Handle uncaught errors
    process.on('unhandledRejection', (reason, promise) => {
      console.error('[cwc-content] Unhandled Rejection at:', promise, 'reason:', reason);

      // Don't exit on unhandled rejection in production
      if (!config.isProd) {
        process.exit(1);
      }
    });

    process.on('uncaughtException', (error) => {
      console.error('[cwc-content] Uncaught Exception:', error);

      // Always exit on uncaught exception
      process.exit(1);
    });
  } catch (error) {
    console.error('[cwc-content] Failed to start service:', error);
    process.exit(1);
  }
}

// Start the service
main();

// Export for testing
export { main };

Version 3 (latest)

import {
  loadDotEnv,
  createExpressService,
  StorageClient,
  AuthClient,
  type ExpressApi,
  type BackendUtilsConfigBasic,
} from 'cwc-backend-utils';
import type { RuntimeEnvironment } from 'cwc-types';
import type { Request, Response } from 'express';
import type { CwcContentConfig } from './config';
import { loadConfig } from './config';
import { ContentApiV1 } from './apis/ContentApiV1';

console.log(`
 ██████╗ ██████╗ ███╗   ██╗████████╗███████╗███╗   ██╗████████╗
██╔════╝██╔═══██╗████╗  ██║╚══██╔══╝██╔════╝████╗  ██║╚══██╔══╝
██║     ██║   ██║██╔██╗ ██║   ██║   █████╗  ██╔██╗ ██║   ██║
██║     ██║   ██║██║╚██╗██║   ██║   ██╔══╝  ██║╚██╗██║   ██║
╚██████╗╚██████╔╝██║ ╚████║   ██║   ███████╗██║ ╚████║   ██║
 ╚═════╝ ╚═════╝ ╚═╝  ╚═══╝   ╚═╝   ╚══════╝╚═╝  ╚═══╝   ╚═╝
`);

/**
 * Health check endpoint for load balancers and monitoring
 */
function healthHandler(_req: Request, res: Response): void {
  res.json({
    status: 'healthy',
    service: 'cwc-content',
    timestamp: new Date().toISOString(),
  });
}

/**
 * Converts CwcContentConfig to BackendUtilsConfigBasic for createExpressService
 *
 * cwc-content does not use SqlClient or database logging, so we use the
 * simplified BackendUtilsConfigBasic which omits dataUri and logErrorsToDatabase.
 */
function createBackendUtilsConfig(contentConfig: CwcContentConfig): BackendUtilsConfigBasic {
  return {
    debugMode: contentConfig.debugMode,
    isDev: contentConfig.isDev,
    isTest: contentConfig.isTest,
    isProd: contentConfig.isProd,
    isUnit: contentConfig.isUnit,
    isE2E: contentConfig.isE2E,
    corsOrigin: contentConfig.corsOrigin,
    servicePort: contentConfig.servicePort,
    rateLimiterPoints: contentConfig.rateLimiterPoints,
    rateLimiterDuration: contentConfig.rateLimiterDuration,
    devCorsOrigin: contentConfig.devCorsOrigin,
  };
}

/**
 * Main entry point for the cwc-content microservice
 */
async function main(): Promise<void> {
  try {
    console.log('[cwc-content] Starting cwc-content microservice...');

    // Load environment variables
    loadDotEnv({
      serviceName: 'cwc-content',
      environment: (process.env['RUNTIME_ENVIRONMENT'] as RuntimeEnvironment) || 'dev',
      debug: process.env['DEBUG_MODE'] === 'ON',
    });

    // Load and validate configuration
    const config = loadConfig();

    console.log('[cwc-content] Configuration loaded successfully');

    // Create BackendUtilsConfig for shared utilities
    const backendConfig = createBackendUtilsConfig(config);

    // Create StorageClient for cwc-storage operations
    const storageClient = new StorageClient({
      config: {
        storageUri: config.storageUri,
        storageApiKey: config.secrets.storageApiKey,
      },
      logger: undefined, // No database-backed logger in cwc-content
      clientName: 'cwc-content',
    });

    // Create AuthClient for JWT verification via cwc-auth
    const authClient = new AuthClient({
      config: { authUri: config.authUri },
      logger: undefined, // No database-backed logger in cwc-content
      clientName: 'cwc-content',
    });

    // Health check API
    const healthApi: ExpressApi = {
      version: 1,
      path: '/health/v1',
      handler: healthHandler,
    };

    // Create ContentApiV1 - content delivery API
    const contentApiV1 = new ContentApiV1(config, storageClient, authClient, undefined);

    // APIs - health check + ContentApiV1
    const apis: ExpressApi[] = [healthApi, contentApiV1];

    // Create Express service
    const service = createExpressService({
      config: backendConfig,
      serviceName: 'cwc-content',
      apis,
      allowGet: false,
      allowOptions: true,
      allowPost: true,
      payloadLimit: undefined,
    });

    // Start the service
    service.start(apis);

    console.log('');
    console.log('='.repeat(60));
    console.log(`[cwc-content] Service started successfully`);
    console.log(`[cwc-content] Environment: ${config.runtimeEnvironment}`);
    console.log(`[cwc-content] Port: ${config.servicePort}`);
    console.log(`[cwc-content] Storage URI: ${config.storageUri}`);
    console.log(`[cwc-content] Auth URI: ${config.authUri}`);
    console.log(`[cwc-content] Cache: ${config.contentCacheMaxSize} entries, ${config.contentCacheTtlMs}ms TTL`);
    console.log(`[cwc-content] Debug: ${config.debugMode ? 'enabled' : 'disabled'}`);
    console.log('='.repeat(60));
    console.log('');

    // Handle graceful shutdown
    const shutdown = async (signal: string): Promise<void> => {
      console.log(`\n[cwc-content] Received ${signal}, shutting down gracefully...`);

      try {
        // Close HTTP server
        await new Promise<void>((resolve, reject) => {
          service.httpServer.close((err) => {
            if (err) {
              reject(err);
            } else {
              resolve();
            }
          });
        });

        console.log('[cwc-content] HTTP server closed');
        console.log('[cwc-content] Shutdown complete');
        process.exit(0);
      } catch (error) {
        console.error('[cwc-content] Error during shutdown:', error);
        process.exit(1);
      }
    };

    // Register shutdown handlers
    process.on('SIGTERM', () => shutdown('SIGTERM'));
    process.on('SIGINT', () => shutdown('SIGINT'));

    // Handle uncaught errors
    process.on('unhandledRejection', (reason, promise) => {
      console.error('[cwc-content] Unhandled Rejection at:', promise, 'reason:', reason);

      // Don't exit on unhandled rejection in production
      if (!config.isProd) {
        process.exit(1);
      }
    });

    process.on('uncaughtException', (error) => {
      console.error('[cwc-content] Uncaught Exception:', error);

      // Always exit on uncaught exception
      process.exit(1);
    });
  } catch (error) {
    console.error('[cwc-content] Failed to start service:', error);
    process.exit(1);
  }
}

// Start the service
main();

// Export for testing
export { main };

packages/cwc-content/src/policies/accessPolicies.ts

'use strict';

import type { CwcRole } from 'cwc-types';

/**
 * Centralized access control policies for ContentApiV1.
 *
 * Role Hierarchy: guest-user = logged-on-user < project-owner
 *
 * - guest-user: Anyone (no authentication required)
 * - logged-on-user: Same as guest-user in cwc-content (no additional privileges)
 * - project-owner: Must be authenticated AND own the project
 *
 * Note: guest-user and logged-on-user have identical access in cwc-content.
 * The difference in what content they can access is enforced by cwc-api
 * (which only returns storageKey for published sessions or owner's sessions).
 */
export const accessPolicies = {
  codingSession: {
    get: 'guest-user' as CwcRole,
    put: 'project-owner' as CwcRole,
    delete: 'project-owner' as CwcRole,
  },
} as const;

/**
 * Type helper for accessing policies
 */
export type AccessPolicies = typeof accessPolicies;

packages/cwc-content/src/policies/checkRouteAccess.ts

2 versions

Version 1

'use strict';

import type { CwcRole } from 'cwc-types';
import type { RequestContext } from '../context';
import type { RouteAccessResult } from '../handlers/handler.types';

/**
 * Check if the current context can access a route based on required role.
 *
 * Route-level access only checks authentication status, not ownership.
 * Ownership is verified at the operation level for 'project-owner' routes.
 *
 * Role hierarchy for cwc-content:
 * - guest-user: No authentication required (same as logged-on-user)
 * - logged-on-user: No authentication required (same as guest-user)
 * - project-owner: Must be authenticated (ownership checked at operation level)
 *
 * @param context - The request context (authenticated or guest)
 * @param requiredRole - The minimum role required to access the route
 * @returns RouteAccessResult indicating whether access is allowed
 */
export function checkRouteAccess(context: RequestContext, requiredRole: CwcRole): RouteAccessResult {
  // guest-user or logged-on-user: anyone can access (same behavior in cwc-content)
  if (requiredRole === 'guest-user' || requiredRole === 'logged-on-user') {
    return { allowed: true };
  }

  // project-owner: must be authenticated
  // (ownership is checked at operation level)
  if (requiredRole === 'project-owner') {
    if (!context.isAuthenticated) {
      return {
        allowed: false,
        reason: 'Authentication required',
      };
    }
    return { allowed: true };
  }

  // Unknown role - fail fast if configuration is wrong
  return {
    allowed: false,
    reason: `Unknown requiredRole: ${requiredRole}`,
  };
}

/**
 * Check if user owns a specific project
 *
 * Used at operation level for project-owner routes.
 *
 * @param context - The request context
 * @param projectId - The project ID to check ownership of
 * @returns true if user owns the project
 */
export function isProjectOwner(context: RequestContext, projectId: string | undefined): boolean {
  if (!context.isAuthenticated || !projectId) {
    return false;
  }
  return context.ownedProjects.includes(projectId);
}

Version 2 (latest)

'use strict';

import type { CwcRole } from 'cwc-types';
import type { RequestContext } from '../context';
import type { RouteAccessResult } from '../handlers/handler.types';

/**
 * Options for route access check
 */
export type CheckRouteAccessOptions = {
  context: RequestContext;
  requiredRole: CwcRole;
  payload: { projectId?: string };
};

/**
 * Check if the current context can access a route based on required role.
 *
 * For cwc-content, ownership verification is performed at route level because:
 * - Payload contains projectId (natural key) directly
 * - JWT contains ownedProjects as array of projectId values
 * - No database lookup required (unlike cwc-api which uses projectPkId)
 *
 * Role hierarchy for cwc-content:
 * - guest-user: No authentication required (same as logged-on-user)
 * - logged-on-user: No authentication required (same as guest-user)
 * - project-owner: Must be authenticated AND own the project
 *
 * @param options - The check options including context, role, and payload
 * @returns RouteAccessResult indicating whether access is allowed
 */
export function checkRouteAccess(options: CheckRouteAccessOptions): RouteAccessResult {
  const { context, requiredRole, payload } = options;

  // guest-user or logged-on-user: anyone can access (same behavior in cwc-content)
  if (requiredRole === 'guest-user' || requiredRole === 'logged-on-user') {
    return { allowed: true };
  }

  // project-owner: must be authenticated AND own the project
  if (requiredRole === 'project-owner') {
    if (!context.isAuthenticated) {
      return {
        allowed: false,
        reason: 'Authentication required',
      };
    }

    const projectId = payload?.projectId;
    if (!projectId) {
      return {
        allowed: false,
        reason: 'projectId is required',
      };
    }

    if (!context.ownedProjects.includes(projectId)) {
      return {
        allowed: false,
        reason: 'You do not own this project',
      };
    }

    return { allowed: true };
  }

  // Unknown role - fail fast if configuration is wrong
  return {
    allowed: false,
    reason: `Unknown requiredRole: ${requiredRole}`,
  };
}

packages/cwc-content/src/policies/index.ts

2 versions

Version 1

export { accessPolicies } from './accessPolicies';
export type { AccessPolicies } from './accessPolicies';
export { checkRouteAccess, isProjectOwner } from './checkRouteAccess';

Version 2 (latest)

export { accessPolicies } from './accessPolicies';
export type { AccessPolicies } from './accessPolicies';
export { checkRouteAccess } from './checkRouteAccess';
export type { CheckRouteAccessOptions } from './checkRouteAccess';

packages/cwc-content/tsconfig.json

{
  "extends": "../../tsconfig.base.json",
  "compilerOptions": {
    "composite": true,
    "rootDir": "./src",
    "outDir": "./dist"
  },
  "include": ["src/**/*"],
  "exclude": ["node_modules", "dist"]
}

packages/cwc-database/CLAUDE.md

cwc-database Package

Database schema definitions, migration scripts, and SQL initialization files.

No Foreign Key Constraints - CRITICAL Decision

Do NOT use database-level foreign key constraints:

Foreign key relationships enforced in application code (microservices)
DB-level FK constraints create performance overhead on large transactional systems
Allows better scalability and performance at high transaction volumes
Referential integrity maintained through business logic in microservices layer

Implications:

Column names like userPkId, projectPkId indicate relationships but have no DB enforcement
Drop table scripts can be in any order (no constraint errors)
Migration scripts don't need to handle FK constraint updates
Application code MUST validate relationships before INSERT/UPDATE operations

Required Table Columns - CRITICAL

Every table MUST include these four columns:

{tableName}PkId INT NOT NULL AUTO_INCREMENT,
enabled TINYINT NULL,
createdDate DATETIME NULL,
modifiedDate DATETIME NULL,
PRIMARY KEY ({tableName}PkId)

Alphabetical Ordering - CRITICAL

All tables, indexes, and views MUST be alphabetically ordered within files:

Prevents merge conflicts
Makes finding schemas easier
Enforced in create-tables.sql, create-indexes.sql, create-views.sql

potential-values Format - CRITICAL

Document enum-like VARCHAR fields:

userType VARCHAR(25) NULL, -- potential-values: [guest, projectOwner, siteAdmin]
projectStatus VARCHAR(25) NULL, -- potential-values: [active, inactive]
loginType VARCHAR(25) NULL, -- potential-values: [cwc, facebook, google]

CRITICAL: These comments used to generate TypeScript types in cwc-types package

Schema Migration Files - CRITICAL

ALWAYS create a migration file when modifying schema-definition/ files:

Location: schema-changes/{YYYY-MM-DD-description}.sql

Format:

-- ********************************************************************
-- Migration: YYYY-MM-DD - Brief description of changes
--
-- Rationale:
-- - Why this change is needed
-- - What problem it solves
-- - Any important context
-- ********************************************************************

USE `cwc`;

-- ALTER TABLE statements
ALTER TABLE `cwc`.`tableName`
  ADD COLUMN `columnName` VARCHAR(100) NULL AFTER `otherColumn`;

-- CREATE INDEX statements
CREATE INDEX `ix_tableName_columnName`
  ON `cwc`.`tableName` (`columnName` ASC) VISIBLE;

When to create:

Any modification to create-tables.sql
Any modification to create-indexes.sql
Any modification to create-views.sql

Purpose:

Documents what needs to be applied to existing databases
Provides rationale for future reference
Maintains audit trail of schema evolution
Contains executable SQL for database updates

Naming Conventions

Table Names:

Always singular: user not users, project not projects
camelCase format, no underscores

Column Names:

camelCase format, no underscores

Index Names:

Unique indexes: ux_{tableName}_{columnName}
Non-unique indexes: ix_{tableName}_{columnName}

View Names:

End with View suffix
camelCase format

PkId vs Natural Keys Strategy

Use surrogate keys (PkId) for ALL foreign key relationships:

Tables have both surrogate key (userPkId, projectPkId) AND natural key (username, projectId)
Foreign key references ALWAYS use PkId values, never username/projectId
Natural keys are user-facing identifiers with unique indexes

Rationale:

Future-proofing: Requirements change; users may eventually want to change usernames
Data integrity: Single source of truth; changing username updates one record
Zero performance cost: Request-scoped caching eliminates lookup overhead
Industry standard: Aligns with database best practices

Database Design Patterns

JWT Validation Tables (userJwt, adminUserJwt, tempJwt):

Table contains only JWT ID plus standard columns
No foreign keys to user tables needed
JWT Payload contains all context (user info, permissions, claims)
Lookup: Decode JWT → extract JWT ID → verify not revoked
Revocation: Delete record (or soft delete with enabled=0)

Multi-Step Process Security (tempJwt):

Per-step JWTs with specific allowed actions
Context in payload: JWT contains entity PkId and current step
Permission control: JWT specifies exactly what actions allowed at this step
Previous JWT revoked when issuing new step JWT

Content Block Pattern (codingSessionContent):

Unified model for rendering mixed content (text + attachments)
displayIndex controls rendering order for all content blocks
Text blocks: contentType = prompt/response/note, text populated
Attachment blocks: contentType = attachment, codingSessionAttachmentPkId references image
Single query: ORDER BY displayIndex ASC returns all blocks in correct order

What to Check During Planning

CRITICAL - Do this BEFORE generating code:

Don't blindly implement - critically review all entity definitions
Flag inconsistencies - typos, missing columns, unclear relationships
Ask clarifying questions - about design intent, especially for non-obvious patterns
Validate relationships - ensure foreign key references make sense (even without FK constraints)
Question unusual patterns - tables with minimal columns, unclear purposes

Being a professional partner means catching issues early during planning.

Deprecated Tables

Tables deprecated by cwc-storage file-based content storage:

The following tables are deprecated now that coding session transcript data is stored in cwc-storage as CwcSessionData JSON files (managed by cwc-content service):

Table	Status	Reason
`codingSessionContent`	Deprecated	Transcript content now stored in CwcSessionData JSON in cwc-storage
`codingSessionAttachment`	Potentially deprecated	May be deprecated pending decision on image storage approach

Note: These tables remain in the schema but should not be used for new development. The codingSession.storageKey field points to the file in cwc-storage that contains the full session data.

Migration Status:

Existing data may still reside in these tables
New content is stored exclusively in cwc-storage via cwc-content service
No schema changes made - documentation only

Related Packages

cwc-types: Consumes potential-values comments to generate TypeScript union types
cwc-deployment: Uses schema-definition/ files for database initialization
cwc-content: Content delivery service that fetches session data from cwc-storage

packages/cwc-types/src/entityTypes.ts

/**
 * CWC Database Entity Types
 *
 * This file contains TypeScript type definitions for all database entities.
 * Generated from the database schema in packages/cwc-database/schema-definition/
 *
 * Type Generation Conventions:
 * - All entity types prefixed with 'Cwc' to avoid naming conflicts
 * - Union types fully qualified with entity context to prevent ambiguity
 * - Use 'type' (not 'interface') for entity definitions
 * - Use string literal union types (not enums) for enum-like VARCHAR fields
 * - DATETIME columns mapped to string (ISO 8601 format)
 * - TINYINT columns mapped to boolean
 * - All fields required by default (even if DB allows NULL)
 * - Optional fields (?) only for business-critical reasons
 *
 * Working with Incomplete Data:
 * When working with partial entity data (e.g., during INSERT operations
 * where PkId doesn't exist yet, or multi-step processes), use TypeScript's
 * Partial<T> utility type:
 *
 * @example
 * // For INSERT operations (omit auto-generated fields)
 * type UserInsert = Omit<CwcUser, 'userPkId' | 'createdDate' | 'modifiedDate'>;
 *
 * // For partial updates
 * const partialUser: Partial<CwcUser> = { email: 'new@example.com' };
 *
 * // For specific operation requirements
 * type UserUpdate = Partial<UserInsert> & Pick<CwcUser, 'userPkId'>;
 */

// ============================================================================
// Union Types for Enum-like VARCHAR Fields
// ============================================================================

/**
 * Status values for abuse reports
 */
export type CwcAbuseReportStatus =
  | 'submitted'
  | 'investigation'
  | 'dismissed'
  | 'resolved'
  | 'retracted';

/**
 * Entity types that can be commented on
 * Note: Each entity using this type may have different allowed values
 */
export type CwcCommentEntityType =
  | 'project'
  | 'codingSession'
  | 'codingSessionContent'
  | 'codingSessionAttachment'
  | 'comment';

/**
 * Content types for coding session content blocks
 */
export type CwcCodingSessionContentType = 'prompt' | 'response' | 'note' | 'attachment';

/**
 * MIME types for coding session attachments
 */
export type CwcCodingSessionAttachmentMimeType = 'image/png' | 'image/jpg';

/**
 * Entity types that can be reported for inappropriate content
 * Note: May differ from comment entity types in the future
 */
export type CwcContentReportEntityType =
  | 'project'
  | 'codingSession'
  | 'codingSessionContent'
  | 'codingSessionAttachment'
  | 'comment';

/**
 * Status values for content reports
 */
export type CwcContentReportStatus =
  | 'submitted'
  | 'investigation'
  | 'dismissed'
  | 'resolved'
  | 'retracted';

/**
 * Error log severity/type levels
 */
export type CwcErrorLogType = 'error' | 'info' | 'warn' | 'debug';

/**
 * Service names for error logging
 */
export type CwcErrorLogServiceName =
  | 'cwc-admin-api'
  | 'cwc-api'
  | 'cwc-auth'
  | 'cwc-content'
  | 'cwc-sql'
  | 'cwc-storage'
  | 'cwc-website';

/**
 * Feature flag type classification
 */
export type CwcFeatureFlagType = 'feature' | 'system';

/**
 * Platform targets for feature flags
 */
export type CwcFeatureFlagPlatform = 'all' | 'web' | 'android' | 'ios' | 'mobile';

/**
 * Service names for feature flag targeting
 */
export type CwcFeatureFlagServiceName =
  | 'all'
  | 'frontend'
  | 'backend'
  | 'cwc-app'
  | 'cwc-sql'
  | 'cwc-auth'
  | 'cwc-api'
  | 'cwc-admin-api'
  | 'cwc-dashboard';

/**
 * Value types for feature flag values
 */
export type CwcFeatureFlagValueType = 'boolean' | 'number' | 'string' | 'object';

/**
 * Login/authentication types
 * Shared by user and signupInfo entities
 */
export type CwcLoginType = 'cwc' | 'facebook' | 'google';

/**
 * JWT Claims for authenticated users
 * Embedded in UserJwtPayload.login custom claim
 * Used by cwc-auth (token generation) and cwc-api (authorization)
 */
export type CwcLoginClaims = {
  username: string;
  deviceId: string;
  userJwtId: string;
  loginType: CwcLoginType;
  kulo: boolean;
  ownedProjects: string[];
  isGuestUser: boolean;
};

/**
 * Frontend session state
 * Extends CwcLoginClaims with client-side session management fields
 * Used by cwc-website for maintaining login state
 */
export type CwcLogin = CwcLoginClaims & {
  autoLogonAttempted: boolean;
  authToken?: string; // undefined for guest users
};

/**
 * Project type classifications
 */
export type CwcProjectType = 'web' | 'mobile' | 'backend' | 'ai';

/**
 * Reaction emoji names
 */
export type CwcReactionName = 'love' | 'funny' | 'sad' | 'wow' | 'thumbs-up';

/**
 * Entity types that can receive reactions
 * Note: May differ from comment/report entity types in the future
 */
export type CwcReactionEntityType =
  | 'project'
  | 'codingSession'
  | 'codingSessionContent'
  | 'codingSessionAttachment'
  | 'comment';

// ============================================================================
// Entity Types
// ============================================================================

/**
 * Abuse Report
 * Tracks user reports of abusive behavior or accounts
 */
export type CwcAbuseReport = {
  abuseReportPkId: number;
  enabled: boolean;
  createdDate: string;
  modifiedDate: string;
  userPkId: number;
  projectPkId: number;
  usernames: string;
  message: string;
  status: CwcAbuseReportStatus;
};

/**
 * Admin User
 * Administrative users for the dashboard
 */
export type CwcAdminUser = {
  adminUserPkId: number;
  enabled: boolean;
  createdDate: string;
  modifiedDate: string;
  adminUsername: string;
  password: string;
};

/**
 * Admin User JWT
 * JWT validation/revocation for admin users
 * Contains only JWT ID for lookup; payload contains full user context
 */
export type CwcAdminUserJwt = {
  adminUserJwtPkId: number;
  enabled: boolean;
  createdDate: string;
  modifiedDate: string;
  adminUserJwtId: string;
};

/**
 * Coding Session
 * Individual coding sessions within a project
 * Stores metadata and reference to session data in cwc-storage
 */
export type CwcCodingSession = {
  codingSessionPkId: number;
  enabled: boolean;
  createdDate: string;
  modifiedDate: string;
  userPkId: number;
  projectPkId: number;
  description: string;
  published: boolean;
  sessionId: string;
  storageKey: string;
  startTimestamp: string;
  endTimestamp: string;
  gitBranch: string;
  model: string;
  messageCount: number;
  filesModifiedCount: number;
};

/**
 * Coding Session Attachment
 * Images and files attached to coding sessions
 */
export type CwcCodingSessionAttachment = {
  codingSessionAttachmentPkId: number;
  enabled: boolean;
  createdDate: string;
  modifiedDate: string;
  userPkId: number;
  projectPkId: number;
  codingSessionPkId: number;
  filename: string;
  mimeType: CwcCodingSessionAttachmentMimeType;
  height: number;
  width: number;
};

/**
 * Coding Session Content
 * Content blocks (prompts, responses, notes, attachments) within a session
 * Uses displayIndex for rendering order of all content types
 * Polymorphic: text OR attachment based on contentType
 */
export type CwcCodingSessionContent = {
  codingSessionContentPkId: number;
  enabled: boolean;
  createdDate: string;
  modifiedDate: string;
  userPkId: number;
  projectPkId: number;
  contentType: CwcCodingSessionContentType;
  codingSessionPkId: number;
  codingSessionAttachmentPkId?: number; // Optional: only present when contentType='attachment'
  displayIndex: number;
  text?: string; // Optional: NULL for pure attachment blocks, or optional caption for attachments
};

/**
 * Comment
 * User comments on various entities (polymorphic relationship)
 * Uses entityPkId + entityType pattern to reference any commentable entity
 */
export type CwcComment = {
  commentPkId: number;
  enabled: boolean;
  createdDate: string;
  modifiedDate: string;
  projectPkId: number;
  userPkId: number;
  entityPkId: number;
  entityType: CwcCommentEntityType;
  text: string;
};

/**
 * Content Report
 * User reports of inappropriate content (polymorphic relationship)
 */
export type CwcContentReport = {
  contentReportPkId: number;
  enabled: boolean;
  createdDate: string;
  modifiedDate: string;
  userPkId: number;
  projectPkId: number;
  entityPkId: number;
  entityType: CwcContentReportEntityType;
  message: string;
  status: CwcContentReportStatus;
};

/**
 * Email Verify
 * Email verification tracking (standalone, not tied to signup/reset)
 */
export type CwcEmailVerify = {
  emailVerifyPkId: number;
  enabled: boolean;
  createdDate: string;
  modifiedDate: string;
  confirmationCode: string;
  email: string;
  deviceId: string;
  confirmed: boolean;
  emailVerificationId: string;
};

/**
 * Error Log
 * Centralized error logging for all microservices
 */
export type CwcErrorLog = {
  errorLogPkId: number;
  enabled: boolean;
  createdDate: string;
  modifiedDate: string;
  userPkId?: number | undefined; // Optional: errors can occur without user context
  projectPkId?: number | undefined; // Optional: errors can occur without project context
  serviceName: CwcErrorLogServiceName;
  codeLocation: string;
  dismissed: boolean;
  errorType: CwcErrorLogType;
  errorMessage: string;
  error: string;
  stack: string;
  data: string;
  request: string;
};

/**
 * Feature Flag
 * Runtime feature toggles and configuration
 */
export type CwcFeatureFlag = {
  featureFlagPkId: number;
  enabled: boolean;
  createdDate: string;
  modifiedDate: string;
  featureFlagType: CwcFeatureFlagType;
  featureFlagId: string;
  valueType: CwcFeatureFlagValueType;
  value: string;
  description: string;
  platform: CwcFeatureFlagPlatform;
  serviceName: CwcFeatureFlagServiceName;
};

/**
 * Password Reset Info
 * Tracks password reset process state
 * Stores denormalized user data collected during the reset flow
 */
export type CwcPasswordResetInfo = {
  passwordResetInfoPkId: number;
  enabled: boolean;
  createdDate: string;
  modifiedDate: string;
  userPkId: number;
  username: string;
  password?: string; // Optional: not set until user provides new password
  email: string;
  emailVerificationId: string;
  emailConfirmed: boolean;
  deviceId: string;
  passwordResetAttempts: number;
};

/**
 * Project
 * User projects that contain coding sessions
 */
export type CwcProject = {
  projectPkId: number;
  enabled: boolean;
  createdDate: string;
  modifiedDate: string;
  projectId: string;
  projectSessionFolder: string;
  projectType: CwcProjectType;
  userPkId: number;
};

/**
 * Reaction
 * User reactions (emoji-style) to various entities
 */
export type CwcReaction = {
  reactionPkId: number;
  enabled: boolean;
  createdDate: string;
  modifiedDate: string;
  projectPkId: number;
  userPkId: number;
  entityPkId: number;
  entityType: CwcReactionEntityType;
  reactionName: CwcReactionName;
};

/**
 * Signup Info
 * Tracks signup process state
 * Stores denormalized user data collected during the signup flow
 */
export type CwcSignupInfo = {
  signupInfoPkId: number;
  enabled: boolean;
  createdDate: string;
  modifiedDate: string;
  loginType: CwcLoginType;
  userPkId?: number; // Optional: not set until signup completes
  username: string;
  password?: string; // Optional: NULL for OAuth signups or until provided
  email: string;
  emailVerificationId: string;
  emailConfirmed: boolean;
  deviceId: string;
  signupAttempts: number;
};

/**
 * Temp JWT
 * JWT validation/revocation for temporary multi-step processes
 * Contains only JWT ID for lookup; payload contains process context
 */
export type CwcTempJwt = {
  tempJwtPkId: number;
  enabled: boolean;
  createdDate: string;
  modifiedDate: string;
  tempJwtId: string;
};

/**
 * User
 * Primary user accounts
 */
export type CwcUser = {
  userPkId: number;
  enabled: boolean;
  createdDate: string;
  modifiedDate: string;
  username: string;
  loginType: CwcLoginType;
  loginDate: string;
  password?: string; // Optional: NULL for OAuth users
  email: string;
  emailConfirmed: boolean;
  deviceId: string;
  otpSecret?: string; // Optional: only present if 2FA enabled
  otpValidated: boolean;
};

/**
 * User JWT
 * JWT validation/revocation for regular users
 * Contains only JWT ID for lookup; payload contains full user context
 */
export type CwcUserJwt = {
  userJwtPkId: number;
  enabled: boolean;
  createdDate: string;
  modifiedDate: string;
  userJwtId: string;
};

Role	GET	PUT	DELETE
`guest-user`	✅	❌	❌
`logged-on-user`	✅ (same as guest)	❌	❌
`project-owner`	✅	✅	✅

Session 29: cwc content

Session 29: cwc content

Key Findings Summary

Plan: cwc-content Package Implementation

Overview

Dependencies to Create

1. StorageClient (cwc-backend-utils)

cwc-content Package Structure

API Routes (ContentApiV1)

Payload Formats

Access Control Implementation

Route-Level (RequestHandler)

Operation-Level (ContentHandler)

In-Memory Cache Design

Configuration

Data Flow

GET Request Flow

PUT Request Flow

Open Questions (NEED CLARIFICATION)

Implementation Order

Phase 1: StorageClient

Phase 2: cwc-content Package Scaffold

Phase 3: Core Infrastructure

Phase 4: Handlers and Routes

Phase 5: Integration

Files to Create

Estimated Scope

Plan: cwc-content Package Implementation

Overview

Key Architecture Decisions

Dependencies to Create

1. StorageClient (cwc-backend-utils)

Payload Formats

Access Control Implementation

Route-Level (RequestHandler)

Operation-Level (ContentHandler)

Data Flow

GET Request Flow (cwc-website fetching session content)

PUT Request Flow (project owner uploading session)

DELETE Request Flow

Resolved Decisions

Remaining Questions

Configuration

Implementation Order

Phase 1: StorageClient (cwc-backend-utils)

Phase 2: cwc-content Package Scaffold

Phase 3: Core Infrastructure

Phase 4: Handlers and Access Control

Phase 5: API Routes and Entry Point

Phase 6: Testing

Estimated Scope

Documentation Updates

Mark Obsolete Tables (cwc-database/CLAUDE.md)

Key Reference Files (for implementation)

Implementation Order

Resolved Decisions

Plan Summary: cwc-content Package

Configuration

Access Control Implementation

Route-Level (RequestHandler)

Operation-Level (ContentHandler)

Phase 3: Core Infrastructure - Config (cwc-configuration-helper compatible)

Phase 4: Core Infrastructure - Services

Phase 4: Core Infrastructure - Services

Phase 5: Handlers and Access Control

Phase 6: API Routes and Entry Point

Phase 7: Testing

Summary

Phase 1: StorageClient (cwc-backend-utils)

Phase 2-6: cwc-content Package

Phase 7: Unit Tests

Additional Changes

API Routes

Plan: cwc-content Refinements (Post-Implementation Review)

Overview

Refinement 1: Cache Naming

Files to Modify

Refinement 2: Config Naming

Files to Modify

Refinement 3: Ownership Verification in checkRouteAccess