Claude/build website builder 7p1p y

README.md

@@ -98,6 +98,7 @@ builders.
   - [ ] Leave comments
 - [ ] Advanced AI capabilities
   - [x] Queue multiple messages at once
+  - [x] Cynthia Design Auditor - AI-powered UDEC scoring across 13 design axes
   - [ ] Use Images as references and as assets in a project
   - [ ] Setup and use MCPs in projects
   - [ ] Allow Onlook to use itself as a toolcall for branch creation and iteration

apps/backend/supabase/migrations/2025_12_19_add_audit_fields_to_build_sessions.sql

@@ -0,0 +1,41 @@
+-- PHASE 3: Add Audit Fields to Build Sessions
+-- Created: 2025-12-19
+-- Purpose: Wire build sessions to real Cynthia audits
+
+-- ============================================================
+-- ENUMS
+-- ============================================================
+
+-- Build session audit status enum
+CREATE TYPE build_session_audit_status AS ENUM (
+    'pending',
+    'running',
+    'completed',
+    'failed'
+);
+
+-- ============================================================
+-- ALTER TABLES
+-- ============================================================
+
+-- Add audit fields to build_sessions
+ALTER TABLE build_sessions
+ADD COLUMN audit_id UUID REFERENCES cynthia_audits(id) ON DELETE SET NULL ON UPDATE CASCADE,
+ADD COLUMN audit_status build_session_audit_status DEFAULT 'pending';
+
+-- ============================================================
+-- INDEXES
+-- ============================================================
+
+-- Index on build_sessions.audit_id for audit lookups
+CREATE INDEX idx_build_sessions_audit_id ON build_sessions(audit_id);
+
+-- Index on build_sessions.audit_status for filtering by status
+CREATE INDEX idx_build_sessions_audit_status ON build_sessions(audit_status);
+
+-- ============================================================
+-- COMMENTS
+-- ============================================================
+
+COMMENT ON COLUMN build_sessions.audit_id IS 'Phase 3: Links to real Cynthia audit (nullable until audit completes)';
+COMMENT ON COLUMN build_sessions.audit_status IS 'Phase 3: Tracks audit processing state (pending → running → completed/failed)';

apps/backend/supabase/migrations/2025_12_19_add_build_sessions_and_preview_links.sql

@@ -0,0 +1,194 @@
+-- PHASE 2: Build Sessions & Preview Links
+-- Created: 2025-12-19
+-- Purpose: Add tables for "Build My Site" viral wedge functionality
+
+-- ============================================================
+-- ENUMS
+-- ============================================================
+
+-- Build session status enum
+CREATE TYPE build_session_status AS ENUM (
+    'created',
+    'previewed',
+    'locked',
+    'converted'
+);
+
+-- Build session input type enum
+CREATE TYPE build_session_input_type AS ENUM (
+    'idea',
+    'url'
+);
+
+-- ============================================================
+-- TABLES
+-- ============================================================
+
+-- Build sessions table
+-- Stores each "Build My Site" session (anonymous or authenticated)
+CREATE TABLE IF NOT EXISTS build_sessions (
+    id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
+    created_at TIMESTAMPTZ NOT NULL DEFAULT NOW(),
+    updated_at TIMESTAMPTZ NOT NULL DEFAULT NOW(),
+
+    -- Session data
+    language TEXT NOT NULL DEFAULT 'en', -- 'en' | 'es'
+    input_type build_session_input_type NOT NULL,
+    input_value TEXT NOT NULL,
+
+    -- Audit results (static for Phase 2, real in Phase 3)
+    teaser_score INTEGER,
+    teaser_summary JSONB,
+
+    -- Status tracking
+    status build_session_status NOT NULL DEFAULT 'created',
+
+    -- User relationship (nullable - anonymous sessions allowed)
+    user_id UUID REFERENCES auth.users(id) ON DELETE SET NULL ON UPDATE CASCADE
+);
+
+-- Preview links table
+-- Public shareable links for build sessions
+CREATE TABLE IF NOT EXISTS preview_links (
+    id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
+    created_at TIMESTAMPTZ NOT NULL DEFAULT NOW(),
+
+    -- Build session relationship
+    build_session_id UUID NOT NULL REFERENCES build_sessions(id) ON DELETE CASCADE ON UPDATE CASCADE,
+
+    -- Public slug for sharing (unguessable)
+    slug TEXT NOT NULL UNIQUE,
+
+    -- Optional expiration
+    expires_at TIMESTAMPTZ
+);
+
+-- ============================================================
+-- INDEXES
+-- ============================================================
+
+-- Index on preview_links.slug for fast lookup
+CREATE INDEX idx_preview_links_slug ON preview_links(slug);
+
+-- Index on build_sessions.user_id for user session queries
+CREATE INDEX idx_build_sessions_user_id ON build_sessions(user_id);
+
+-- Index on build_sessions.status for status filtering
+CREATE INDEX idx_build_sessions_status ON build_sessions(status);
+
+-- ============================================================
+-- ROW LEVEL SECURITY (RLS) POLICIES
+-- ============================================================
+
+-- Enable RLS on both tables
+ALTER TABLE build_sessions ENABLE ROW LEVEL SECURITY;
+ALTER TABLE preview_links ENABLE ROW LEVEL SECURITY;
+
+-- ============================================================
+-- BUILD_SESSIONS POLICIES
+-- ============================================================
+
+-- RLS Policy: Public insert allowed (anonymous users can create sessions)
+-- Rationale: "No signup to start" - anyone can create a build session
+DROP POLICY IF EXISTS "build_sessions_insert_policy" ON build_sessions;
+CREATE POLICY "build_sessions_insert_policy" ON build_sessions
+FOR INSERT
+TO anon, authenticated
+WITH CHECK (true);
+
+-- RLS Policy: Public select DENIED (no public listing of sessions)
+-- Rationale: Sessions are private by default, only accessible via preview link
+DROP POLICY IF EXISTS "build_sessions_select_anon_policy" ON build_sessions;
+CREATE POLICY "build_sessions_select_anon_policy" ON build_sessions
+FOR SELECT
+TO anon
+USING (false);
+
+-- RLS Policy: Owner select allowed (users can see their own sessions)
+-- Rationale: Authenticated users can view sessions they created
+DROP POLICY IF EXISTS "build_sessions_select_owner_policy" ON build_sessions;
+CREATE POLICY "build_sessions_select_owner_policy" ON build_sessions
+FOR SELECT
+TO authenticated
+USING (user_id = auth.uid());
+
+-- RLS Policy: Owner update allowed (users can update their own sessions)
+-- Rationale: Users can change status or claim anonymous sessions
+DROP POLICY IF EXISTS "build_sessions_update_owner_policy" ON build_sessions;
+CREATE POLICY "build_sessions_update_owner_policy" ON build_sessions
+FOR UPDATE
+TO authenticated
+USING (user_id = auth.uid() OR user_id IS NULL)
+WITH CHECK (user_id = auth.uid());
+
+-- ============================================================
+-- PREVIEW_LINKS POLICIES
+-- ============================================================
+
+-- RLS Policy: Public select by slug allowed (anyone can view via preview link)
+-- Rationale: Preview links are publicly shareable - this is the viral mechanic
+DROP POLICY IF EXISTS "preview_links_select_by_slug_policy" ON preview_links;
+CREATE POLICY "preview_links_select_by_slug_policy" ON preview_links
+FOR SELECT
+TO anon, authenticated
+USING (true);
+
+-- RLS Policy: No public insert (only server/authenticated can create)
+-- Rationale: Prevent spam, only app can generate preview links
+DROP POLICY IF EXISTS "preview_links_insert_policy" ON preview_links;
+CREATE POLICY "preview_links_insert_policy" ON preview_links
+FOR INSERT
+TO authenticated
+WITH CHECK (true);
+
+-- RLS Policy: No public update (immutable once created)
+-- Rationale: Preview links should not change after creation
+DROP POLICY IF EXISTS "preview_links_update_policy" ON preview_links;
+CREATE POLICY "preview_links_update_policy" ON preview_links
+FOR UPDATE
+TO authenticated
+USING (false);
+
+-- RLS Policy: No public delete (only via cascade from build_session)
+-- Rationale: Cleanup happens automatically when session is deleted
+DROP POLICY IF EXISTS "preview_links_delete_policy" ON preview_links;
+CREATE POLICY "preview_links_delete_policy" ON preview_links
+FOR DELETE
+TO authenticated
+USING (
+    EXISTS (
+        SELECT 1 FROM build_sessions
+        WHERE build_sessions.id = preview_links.build_session_id
+        AND build_sessions.user_id = auth.uid()
+    )
+);
+
+-- ============================================================
+-- SECURITY NOTES
+-- ============================================================
+--
+-- build_sessions:
+--   - Public INSERT: Anyone can create (viral onboarding)
+--   - Public SELECT: DENIED (no data leaks)
+--   - Owner SELECT/UPDATE: User can see and update their own sessions
+--   - Anonymous sessions can be "claimed" by authenticated users
+--
+-- preview_links:
+--   - Public SELECT: Anyone with slug can view (shareable)
+--   - Public INSERT: DENIED (only app creates)
+--   - Public UPDATE/DELETE: DENIED (immutable)
+--   - No listing endpoint (must know exact slug)
+--
+-- Privacy guarantees:
+--   - Slug must be unguessable (min 8 chars, random)
+--   - No enumeration attack possible (no public list)
+--   - User data not exposed via preview (sanitized in query)
+--   - Expired links can be checked client-side before rendering
+--
+-- ============================================================
+
+-- Add comment metadata
+COMMENT ON TABLE build_sessions IS 'Phase 2: Build My Site sessions (anonymous or authenticated)';
+COMMENT ON TABLE preview_links IS 'Phase 2: Public shareable preview links for build sessions';
+COMMENT ON COLUMN build_sessions.user_id IS 'Nullable - anonymous sessions allowed, can be claimed later';
+COMMENT ON COLUMN preview_links.slug IS 'Unguessable random slug for public sharing (min 8 chars)';

apps/backend/supabase/migrations/2025_12_19_add_credits_and_fix_packs.sql

@@ -0,0 +1,146 @@
+-- PHASE 4: Add Credit Balances and Fix Packs
+-- Created: 2025-12-19
+-- Purpose: Monetization, credits, and Fix Pack application
+
+-- ============================================================
+-- ENUMS
+-- ============================================================
+
+-- Cynthia plan enum
+CREATE TYPE cynthia_plan AS ENUM (
+    'free',
+    'starter',
+    'pro',
+    'agency'
+);
+
+-- Fix pack type enum
+CREATE TYPE fix_pack_type AS ENUM (
+    'token',
+    'layout',
+    'component',
+    'motion',
+    'content'
+);
+
+-- ============================================================
+-- TABLES
+-- ============================================================
+
+-- Credit balances table
+CREATE TABLE credit_balances (
+    id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
+    created_at TIMESTAMPTZ NOT NULL DEFAULT now(),
+    updated_at TIMESTAMPTZ NOT NULL DEFAULT now(),
+    user_id UUID NOT NULL UNIQUE REFERENCES auth.users(id) ON DELETE CASCADE ON UPDATE CASCADE,
+    plan cynthia_plan NOT NULL DEFAULT 'free',
+    monthly_credits INTEGER NOT NULL DEFAULT 0,
+    used_credits INTEGER NOT NULL DEFAULT 0,
+    reset_at TIMESTAMPTZ NOT NULL
+);
+
+-- Fix packs table
+CREATE TABLE fix_packs (
+    id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
+    created_at TIMESTAMPTZ NOT NULL DEFAULT now(),
+    updated_at TIMESTAMPTZ NOT NULL DEFAULT now(),
+    audit_id UUID NOT NULL REFERENCES cynthia_audits(id) ON DELETE CASCADE ON UPDATE CASCADE,
+    user_id UUID NOT NULL REFERENCES auth.users(id) ON DELETE CASCADE ON UPDATE CASCADE,
+    type fix_pack_type NOT NULL,
+    title TEXT NOT NULL,
+    description TEXT NOT NULL,
+    patch_preview JSONB NOT NULL,
+    files_affected JSONB NOT NULL,
+    issues_fixed JSONB NOT NULL,
+    applied_at TIMESTAMPTZ
+);
+
+-- ============================================================
+-- INDEXES
+-- ============================================================
+
+-- Credit balances indexes
+CREATE INDEX idx_credit_balances_user_id ON credit_balances(user_id);
+CREATE INDEX idx_credit_balances_reset_at ON credit_balances(reset_at);
+
+-- Fix packs indexes
+CREATE INDEX idx_fix_packs_audit_id ON fix_packs(audit_id);
+CREATE INDEX idx_fix_packs_user_id ON fix_packs(user_id);
+CREATE INDEX idx_fix_packs_type ON fix_packs(type);
+CREATE INDEX idx_fix_packs_applied_at ON fix_packs(applied_at);
+
+-- ============================================================
+-- ROW LEVEL SECURITY (RLS)
+-- ============================================================
+
+-- Enable RLS on credit_balances
+ALTER TABLE credit_balances ENABLE ROW LEVEL SECURITY;
+
+-- Credit balances: Users can view their own balance
+CREATE POLICY "credit_balances_select_own_policy" ON credit_balances
+FOR SELECT TO authenticated
+USING (user_id = auth.uid());
+
+-- Credit balances: No public insert (only system/admin)
+CREATE POLICY "credit_balances_insert_policy" ON credit_balances
+FOR INSERT TO authenticated
+WITH CHECK (false); -- System only
+
+-- Credit balances: No public update (only system/admin)
+CREATE POLICY "credit_balances_update_policy" ON credit_balances
+FOR UPDATE TO authenticated
+USING (false); -- System only
+
+-- Enable RLS on fix_packs
+ALTER TABLE fix_packs ENABLE ROW LEVEL SECURITY;
+
+-- Fix packs: Users can view their own fix packs
+CREATE POLICY "fix_packs_select_own_policy" ON fix_packs
+FOR SELECT TO authenticated
+USING (user_id = auth.uid());
+
+-- Fix packs: No public insert (only system)
+CREATE POLICY "fix_packs_insert_policy" ON fix_packs
+FOR INSERT TO authenticated
+WITH CHECK (false); -- System only
+
+-- Fix packs: No public update
+CREATE POLICY "fix_packs_update_policy" ON fix_packs
+FOR UPDATE TO authenticated
+USING (false); -- System only
+
+-- ============================================================
+-- FUNCTIONS
+-- ============================================================
+
+-- Function to reset monthly credits (for cron job)
+CREATE OR REPLACE FUNCTION reset_monthly_credits()
+RETURNS void
+LANGUAGE plpgsql
+SECURITY DEFINER
+AS $$
+BEGIN
+    UPDATE credit_balances
+    SET
+        used_credits = 0,
+        reset_at = reset_at + INTERVAL '1 month',
+        updated_at = now()
+    WHERE reset_at <= now();
+END;
+$$;
+
+-- ============================================================
+-- COMMENTS
+-- ============================================================
+
+COMMENT ON TABLE credit_balances IS 'Phase 4: Tracks Cynthia Build My Site credit balances per user';
+COMMENT ON TABLE fix_packs IS 'Phase 4: Stores generated fix packs from Cynthia audits';
+
+COMMENT ON COLUMN credit_balances.plan IS 'Cynthia plan tier: free (0), starter (10), pro (50), agency (200)';
+COMMENT ON COLUMN credit_balances.monthly_credits IS 'Total credits allocated per month based on plan';
+COMMENT ON COLUMN credit_balances.used_credits IS 'Credits consumed in current period';
+COMMENT ON COLUMN credit_balances.reset_at IS 'Next monthly reset date';
+
+COMMENT ON COLUMN fix_packs.type IS 'Fix pack type: token, layout, component, motion, or content';
+COMMENT ON COLUMN fix_packs.patch_preview IS 'Code diff preview (read-only in Phase 4)';
+COMMENT ON COLUMN fix_packs.applied_at IS 'NULL = not applied yet, timestamp = applied (Phase 5 will populate)';