neuron-technologies/neuron-web
2
0
Fork 0
Code Issues 1 Pull Requests Actions Packages Projects Releases Wiki Activity

Compare commits

merge into: neuron-technologies/neuron-web:fix/entrypoint-k3s-nonblocking
Branches Tags
neuron-technologies/neuron-web:main neuron-technologies/neuron-web:stage neuron-technologies/neuron-web:dev neuron-technologies/neuron-web:fix/csp-analytics neuron-technologies/neuron-web:fix/syntax-error-and-csp neuron-technologies/neuron-web:fix/devices-count-v2 neuron-technologies/neuron-web:fix/devices-count neuron-technologies/neuron-web:fix/account-el-meta neuron-technologies/neuron-web:fix/magic-link-flow neuron-technologies/neuron-web:fix/free-plan-setup-intent neuron-technologies/neuron-web:fix/about-rendering neuron-technologies/neuron-web:fix/stripe-dedup-attestation neuron-technologies/neuron-web:fix/webhook-initstripe-textarea neuron-technologies/neuron-web:fix/greeting-history-load neuron-technologies/neuron-web:fix/question-timer-pricing-clarity neuron-technologies/neuron-web:fix/binary-assets-checkout-layout neuron-technologies/neuron-web:fix/zero-pi-setup-future-usage neuron-technologies/neuron-web:fix/free-plan-payment-intent neuron-technologies/neuron-web:fix/free-checkout-stripe neuron-technologies/neuron-web:fix/stage-full-build neuron-technologies/neuron-web:ci/touch-dist neuron-technologies/neuron-web:ci/trigger-rebuild neuron-technologies/neuron-web:fix/force-full-rebuild neuron-technologies/neuron-web:fix/stage-ci-paths neuron-technologies/neuron-web:feat/checkout-comprehensive-tests neuron-technologies/neuron-web:fix/checkout-auth-reveal neuron-technologies/neuron-web:fix/entrypoint-k3s-nonblocking neuron-technologies/neuron-web:fix/single-stage-dockerfile neuron-technologies/neuron-web:fix/stage-source-check neuron-technologies/neuron-web:fix/payment-page-heredoc-escape neuron-technologies/neuron-web:feat/k3s-embedded-soul neuron-technologies/neuron-web:feat/native-el-ui neuron-technologies/neuron-web:fix/ci-elb neuron-technologies/neuron-web:fix/ci-pr-triggers neuron-technologies/neuron-web:fix/stage-source-enforcement neuron-technologies/neuron-web:sync/dev-stage neuron-technologies/neuron-web:fix/have-curl-define neuron-technologies/neuron-web:fix/soul-demo-emit-metric neuron-technologies/neuron-web:fix/pentest-security-hardening neuron-technologies/neuron-web:fix/gallery-layout-account-otp
...
pull from: neuron-technologies/neuron-web:fix/checkout-auth-reveal
Branches Tags
neuron-technologies/neuron-web:stage neuron-technologies/neuron-web:dev neuron-technologies/neuron-web:fix/csp-analytics neuron-technologies/neuron-web:fix/syntax-error-and-csp neuron-technologies/neuron-web:fix/devices-count-v2 neuron-technologies/neuron-web:fix/devices-count neuron-technologies/neuron-web:fix/account-el-meta neuron-technologies/neuron-web:fix/magic-link-flow neuron-technologies/neuron-web:fix/free-plan-setup-intent neuron-technologies/neuron-web:fix/about-rendering neuron-technologies/neuron-web:fix/stripe-dedup-attestation neuron-technologies/neuron-web:fix/webhook-initstripe-textarea neuron-technologies/neuron-web:fix/greeting-history-load neuron-technologies/neuron-web:fix/question-timer-pricing-clarity neuron-technologies/neuron-web:fix/binary-assets-checkout-layout neuron-technologies/neuron-web:fix/zero-pi-setup-future-usage neuron-technologies/neuron-web:fix/free-plan-payment-intent neuron-technologies/neuron-web:fix/free-checkout-stripe neuron-technologies/neuron-web:fix/stage-full-build neuron-technologies/neuron-web:ci/touch-dist neuron-technologies/neuron-web:ci/trigger-rebuild neuron-technologies/neuron-web:fix/force-full-rebuild neuron-technologies/neuron-web:main neuron-technologies/neuron-web:fix/stage-ci-paths neuron-technologies/neuron-web:feat/checkout-comprehensive-tests neuron-technologies/neuron-web:fix/checkout-auth-reveal neuron-technologies/neuron-web:fix/entrypoint-k3s-nonblocking neuron-technologies/neuron-web:fix/single-stage-dockerfile neuron-technologies/neuron-web:fix/stage-source-check neuron-technologies/neuron-web:fix/payment-page-heredoc-escape neuron-technologies/neuron-web:feat/k3s-embedded-soul neuron-technologies/neuron-web:feat/native-el-ui neuron-technologies/neuron-web:fix/ci-elb neuron-technologies/neuron-web:fix/ci-pr-triggers neuron-technologies/neuron-web:fix/stage-source-enforcement neuron-technologies/neuron-web:sync/dev-stage neuron-technologies/neuron-web:fix/have-curl-define neuron-technologies/neuron-web:fix/soul-demo-emit-metric neuron-technologies/neuron-web:fix/pentest-security-hardening neuron-technologies/neuron-web:fix/gallery-layout-account-otp

12 Commits
fix/entrypoint-k3s-nonblocking ... fix/checkout-auth-reveal

Author SHA1 Message Date
will.anderson cac7bd5727 test: full Playwright + API test suite for stage
Dev — Build & local smoke test / build-smoke (pull_request) Successful in 1m52s
Details 
159 tests across three Playwright projects (api, chromium, mobile):
- tests/api/security.test.ts: security headers, CORS on /api/supabase-config
  (origin allowlist enforced), auth gate on /api/demo, Stripe webhook
  signature enforcement, source file leakage, path traversal, input
  validation (8000-char message cap)
- tests/api/endpoints.test.ts: /api/health, /api/founding-count shape
  invariants, /api/supabase-config JWT shape, sitemap.xml, robots.txt,
  /llms.txt, /api/soul-health internal gate, 404 for unknown routes
- tests/e2e/landing.spec.ts: title, h1 count, meta description, OG tags,
  canonical (no stage leak), JSON-LD schema, demo widget DOM presence,
  JS error filtering (known GTM/CSP noise excluded)
- tests/e2e/seo.spec.ts: per-page title patterns, noindex on checkout,
  canonical URLs, sitemap production-URL enforcement
- tests/e2e/checkout.spec.ts: all three plan variants, auth section, payment
  element, canonical
- tests/e2e/chat.spec.ts: widget DOM structure, auth gate (send button
  disabled without session), API-level auth rejection
- tests/e2e/navigation.spec.ts: all public routes return 200, 404s for
  removed/old paths (/terms, /enterprise-terms, /gallery), static files

All 159 pass against stage. CI step added to stage.yaml after smoke test.
 2026-05-11 00:28:33 -05:00
will.anderson 43e1245306 seo: full audit fixes — meta, og, schema, canonical, sitemap, headings, alts
Dev — Build & local smoke test / build-smoke (pull_request) Successful in 1m57s
Details 
- Per-page title/description/canonical/OG tags: about, checkout (per-plan),
  terms, enterprise-terms, success all get unique SEO blocks
- Homepage title updated to em-dash form; meta description adds CTA
- og:site_name added to all pages
- noindex/nofollow on checkout, success, account pages
- Sitemap (/sitemap.xml) with all public pages; robots.txt updated with
  Sitemap directive and Disallow for private paths
- Schema: WebSite type added, Organization gains logo ImageObject, SoftwareApplication
  gains url field, billingIncrement corrected to billingPeriod (ISO 8601 P1M),
  sameAs gains x.com/neurontechai alongside GitHub
- marked.min.js given defer attribute (was render-blocking)
- page_head refactored into page_head_base + page_seo_block + page_open_seo
  for clean inner-page overrides without duplicating the CSS/script block
 2026-05-10 23:56:40 -05:00
will.anderson 3f3c5cf149 security: penetration test fixes — headers, cors, path traversal, info leakage 
- Switch to http_serve_v2/http_set_handler_v2 so request headers are available
  to El handler code (prerequisite for all header-based security checks)

- Stripe webhook (CVE-class): add HMAC-SHA256 signature verification against
  Stripe-Signature header using STRIPE_WEBHOOK_SECRET env var. Previously any
  unauthenticated POST could forge a payment_intent.succeeded event and
  increment the founding counter or trigger Supabase account provisioning for
  arbitrary emails.

- CORS on /api/supabase-config: restrict to neurontechnologies.ai and localhost
  origins only. Cross-origin requests now get 403.

- /api/soul-health: require X-Internal: true header; otherwise return 404.
  Endpoint was publicly accessible and leaked internal soul service URL,
  network topology, and raw probe responses.

- Static asset / JS headers: add X-Frame-Options, Referrer-Policy,
  Permissions-Policy, and Content-Security-Policy to static_asset_headers_json
  and js_headers_json. These were only present on HTML/API responses before.

- Fix state key bug: share_card_page read state_get("__neuron_origin__") but
  the key registered at startup is "__origin__", causing empty base URLs in
  share card og: meta tags.
 2026-05-10 23:56:31 -05:00
will.anderson fe418bf3f7 feat: auth-gate demo chat + budget circuit breaker
Dev — Build & local smoke test / build-smoke (pull_request) Successful in 2m10s
Details 
Gate the demo chat behind Supabase auth: the widget now fetches Supabase
config on open, shows a compact sign-in pane (Google OAuth or email/password)
when the user is unauthenticated, and passes the access_token to /api/demo.
The server verifies the token via supabase_auth_user() before any processing
and uses the verified user ID as the rate-limit key.

Add a budget kill switch: a demo_config table in Supabase holds a
demo_enabled flag that /api/demo polls every 60s (cached, fails open).
A Cloud Function (demo-budget-guard) is triggered by a GCP Pub/Sub budget
alert and sets demo_enabled = 'false' when spend crosses 90% of the $150
daily budget. Budget and topic are provisioned; function is live in
us-central1.
 2026-05-10 23:44:54 -05:00
will.anderson bdb6ddc581 feat: scale fixes — max-instances, asset caching, shared rate limits, global cap
Dev — Build & local smoke test / build-smoke (pull_request) Successful in 2m0s
Details 
- soul-demo-stage: raise max-instances 10 → 50
- marketing-stage: explicitly set max-instances 200
- /assets/* and /brand/*: return Cache-Control: public, max-age=31536000, immutable
  so Cloudflare caches static assets at the edge (eliminates Cloud Run hit per request)
- /js/*: bump from max-age=3600 to max-age=31536000, immutable (same policy)
- Per-uid demo rate limit: replace in-process state with Supabase demo_rate_limits table
  so the 10-chats/day cap is enforced across all Cloud Run instances; falls back to
  in-process for local dev when SUPABASE_SERVICE_KEY is absent
- Global circuit breaker: trip if any single instance handles ≥2000 demo requests/UTC day
 2026-05-10 22:12:09 -05:00
will.anderson 93f9ea2be2 feat: extract soul-demo into standalone Cloud Run service
Dev — Build & local smoke test / build-smoke (pull_request) Successful in 2m19s
Details
2026-05-10 21:08:46 -05:00
will.anderson feee40c34b ci: fix HAVE_CURL verification — use strings check not nm
Dev — Build & local smoke test / build-smoke (pull_request) Successful in 1m54s
Details
2026-05-10 20:07:21 -05:00
will.anderson 8b8cb2f580 ci: relink neuron-web with HAVE_CURL after elb build
Dev — Build & local smoke test / build-smoke (pull_request) Successful in 1m45s
Details 
elb does not pass -DHAVE_CURL when compiling el_runtime.c, so all
http_get/http_post calls from El code return the no-op error string
instead of making real HTTP requests. This breaks the chat proxy to
soul-demo at localhost:7772.

After elb runs (and generates all intermediate .c files in dist/),
recompile el_runtime.c with -DHAVE_CURL and relink the entire binary
from those generated files. Verifies curl_easy_init is present in the
output binary before proceeding.
 2026-05-10 20:03:00 -05:00
will.anderson cd1c6737e8 Replace k3s with direct soul-demo watchdog in Cloud Run container
Dev — Build & local smoke test / build-smoke (pull_request) Successful in 2m11s
Details 
Cloud Run gen2 doesn't provide eth0 with a unicast IP, causing k3s flannel
to crash on every container start. k3s was also wrong architecture for
Cloud Run (HPA inside a container, k3s overhead for one process).

Changes:
- entrypoint.sh: replace k3s server with a bash watchdog loop that starts
  soul-demo directly and restarts it on crash (3s backoff)
- Dockerfile.stage: remove k3s binary, soul-demo-image.tar, k3s manifests
  and their associated dirs/envvars; keep soul-demo binary only
- stage.yaml: remove 'Download k3s binary' step; rename and simplify
  soul-demo build step to compile binary only (no OCI image/tar)
- dev.yaml: update soul-demo placeholder step (binary not tar)
- manifest.el: document HAVE_CURL requirement since manifest.el has no
  c_flags/link_flags directive support
 2026-05-10 19:46:35 -05:00
will.anderson 0433fe8c0f Fix http_response() truncating envelope via stale _tl_fs_read_len
Dev — Build & local smoke test / build-smoke (pull_request) Failing after 2m22s
Details 
http_response() builds a JSON envelope wrapping the body. If the caller
previously called fs_read() (which sets _tl_fs_read_len = file_size),
http_worker used that stale value as the response copy length — truncating
the larger envelope to the original file size before it reached
http_send_response. The truncated envelope had the body field cut mid-string;
jp_parse_string_raw failed, env_body = "", and http_send_all sent file_size
bytes of garbage past the empty string.

Fix: reset _tl_fs_read_len = 0 at the start of http_response(). The hint
was set for the raw file bytes; the envelope is a new string and must use
strlen() for its length.
 2026-05-10 19:23:10 -05:00
will.anderson c99ca82302 Fix JS files served as raw JSON envelope instead of JavaScript
Dev — Build & local smoke test / build-smoke (pull_request) Failing after 1m36s
Details 
http_parse_envelope() called json_parse() on the entire response envelope
(~47KB when body is obfuscated JS). The parser failed on large/complex content,
so is_envelope=0 and the raw JSON was sent — browsers got {"el_http_response":1,...}
instead of executable JavaScript, silently breaking all client-side code.

Fix: replace json_parse-of-full-envelope with a direct field scanner:
- "status" extracted via strtol
- "headers" object extracted via brace-depth scan, then json_parse only that
  small substring (always safe — headers are simple k/v string pairs < 1KB)
- "body" string extracted via jp_parse_string_raw — no intermediate allocation

Also: /js/* route now returns http_response(200, js_headers_json(), content)
with explicit Content-Type: application/javascript so the browser doesn't
apply the json-heuristic (obfuscated JS starting with '[' was detected as JSON,
which with X-Content-Type-Options: nosniff blocks script execution).
 2026-05-10 17:32:45 -05:00
will.anderson 0263e51407 Fix checkout: show free-success when logged in; init Stripe without auth on paid plans
Dev — Build & local smoke test / build-smoke (pull_request) Failing after 1m47s
Details 
- revealPaymentForm: for free plan, show #free-success panel (was doing nothing,
  leaving page blank when user already had a Supabase session)
- checkExistingSession: for paid plans with no session, call initStripe immediately —
  auth is optional, the payment form shouldn't wait indefinitely
- Guard _formRevealed: prevent double-call from handleAuthRedirect + checkExistingSession
 2026-05-10 16:59:51 -05:00
30 changed files with 1844 additions and 229 deletions
Expand all files Collapse all files
.gitea/workflows/dev.yaml
+6 -5
View File
@@ -172,11 +172,12 @@ jobs:
- name: Touch HTML placeholder files
run: touch src/index.html src/about.html src/terms.html src/enterprise-terms.html
- name: Create soul-demo-image.tar placeholder
# Dockerfile.stage COPYs this file (used by k3s at runtime).
# We only need the COPY to succeed here; real tar is built by
# build-stage.sh in the deploy pipeline.
run: touch dist/soul-demo-image.tar
- name: Create soul-demo placeholder
# Dockerfile.stage COPYs dist/soul-demo. We only need the binary to exist
# for the Docker build to succeed; the real binary is compiled in stage CI.
run: |
touch dist/soul-demo
chmod +x dist/soul-demo
- name: Build Docker image (local only — no push)
run: |
.gitea/workflows/stage.yaml
+111 -22
View File
@@ -12,6 +12,7 @@ on:
- 'dist/**'
- 'runtime/**'
- 'Dockerfile.stage'
- 'Dockerfile.soul-demo'
- 'build-stage.sh'
- '.gitea/workflows/stage.yaml'
@@ -148,6 +149,46 @@ jobs:
--runtime="$EL_RUNTIME"
echo "Binary: $(ls -lh dist/neuron-landing)"
- name: Relink neuron-web with HAVE_CURL
# elb does not pass -DHAVE_CURL when compiling el_runtime.c, so
# http_get/http_post return {"error":"not built with HAVE_CURL"}.
# Fix: after elb generates all intermediate .c files in dist/, recompile
# el_runtime.c with -DHAVE_CURL and relink the whole binary manually.
# All component .c files (nav.c, hero.c, etc.) are generated by elb and
# remain in dist/ after the build — we collect them here, exclude the
# separate soul-demo.c binary, and relink with libcurl.
if: steps.changetype.outputs.asset_only != 'true'
run: |
set -euo pipefail
# Compile el_runtime.c with full curl support
cc -O2 -DHAVE_CURL -c runtime/el_runtime.c -I runtime/ -o /tmp/el_runtime_curl.o
echo "el_runtime_curl.o compiled: $(ls -lh /tmp/el_runtime_curl.o)"
# Collect every neuron-web .c file elb deposited in dist/
# (both committed stubs and freshly-generated component files)
mapfile -t C_SRCS < <(find dist/ -maxdepth 1 -name '*.c' ! -name 'soul-demo.c')
echo "Relinking ${#C_SRCS[@]} C files..."
cc -O2 -rdynamic \
-I runtime/ -I dist/ \
-o dist/neuron-landing \
"${C_SRCS[@]}" /tmp/el_runtime_curl.o \
-lcurl -lpthread -ldl -lm -lssl -lcrypto
echo "Relinked: $(ls -lh dist/neuron-landing)"
# Verification: if compiled WITHOUT HAVE_CURL the stub string
# "not built with HAVE_CURL" is baked into the binary's rodata.
# Its absence confirms curl code is compiled in.
if strings dist/neuron-landing | grep -q 'not built with HAVE_CURL'; then
echo "ERROR: no-curl stub string still in binary — HAVE_CURL not compiled"
exit 1
fi
# Confirm curl symbols visible in dynamic table
nm -D dist/neuron-landing | grep curl_easy_init || \
nm dist/neuron-landing | grep curl || true
echo "HAVE_CURL verified ✓"
# ── Compile JS client sources ─────────────────────────────────────────
- name: Compile JS El sources
@@ -173,15 +214,15 @@ jobs:
# ── Docker build + push ───────────────────────────────────────────────
- name: Build soul-demo image tar
# Dockerfile.stage COPYs dist/soul-demo-image.tar so k3s can import
# soul-demo:local at runtime. We compile soul-demo from source on the
# host runner (ci-base has gcc), build a minimal OCI image, and save it.
- name: Build soul-demo binary
# Compile soul-demo directly on the host runner (ci-base has gcc).
# Cloud Run runs soul-demo as a direct subprocess with a watchdog loop —
# no k3s, no OCI image needed. One binary per container; Cloud Run
# handles horizontal scaling.
# Moved AFTER JS compilation to avoid Docker memory pressure killing elc.
if: steps.changetype.outputs.asset_only != 'true'
run: |
set -euo pipefail
# Compile el_runtime.o and soul-demo on the host runner
cc -O2 -DHAVE_CURL -c runtime/el_runtime.c -I runtime/ -o /tmp/el_runtime.o
cc -O2 -rdynamic -DEL_SOUL_DEMO_BUILD \
-I runtime/ \
@@ -189,26 +230,49 @@ jobs:
dist/soul-demo.c dist/vessel_stubs.c /tmp/el_runtime.o \
-lcurl -lpthread -ldl -lm -lssl -lcrypto
echo "soul-demo compiled: $(ls -lh dist/soul-demo)"
# Package as minimal OCI image for k3s import
# --no-cache: prevents reuse of corrupted overlay2 layers from prior failed runs
docker build --no-cache -f dist/Dockerfile.soul-demo -t soul-demo:local dist/
docker save soul-demo:local -o dist/soul-demo-image.tar
echo "soul-demo-image.tar: $(du -sh dist/soul-demo-image.tar | cut -f1)"
docker rmi soul-demo:local 2>/dev/null || true
- name: Download k3s binary
# Pre-download k3s on the host runner so Dockerfile.stage can COPY it
# directly. Previously k3s was downloaded inside the Docker builder stage,
# which combined with build-essential and C compilation caused RWLayer nil
# corruption on the runner's overlay2 driver. Host-runner download is safe.
- name: Build and push soul-demo image
if: steps.changetype.outputs.asset_only != 'true'
id: soul-image
run: |
set -euo pipefail
curl -fL --retry 3 --retry-delay 10 \
https://github.com/k3s-io/k3s/releases/download/v1.32.4%2Bk3s1/k3s \
-o dist/k3s
chmod +x dist/k3s
echo "k3s: $(ls -lh dist/k3s)"
SOUL_IMAGE="us-central1-docker.pkg.dev/neuron-785695/neuron-marketing/soul-demo:${{ steps.tag.outputs.tag }}"
docker build --no-cache \
-f Dockerfile.soul-demo \
-t "soul-demo:${{ steps.tag.outputs.tag }}" \
.
docker tag "soul-demo:${{ steps.tag.outputs.tag }}" "$SOUL_IMAGE"
docker tag "soul-demo:${{ steps.tag.outputs.tag }}" \
"us-central1-docker.pkg.dev/neuron-785695/neuron-marketing/soul-demo:stage-latest"
docker push "$SOUL_IMAGE"
docker push "us-central1-docker.pkg.dev/neuron-785695/neuron-marketing/soul-demo:stage-latest"
echo "soul_image=${SOUL_IMAGE}" >> "$GITHUB_OUTPUT"
echo "Soul-demo image: ${SOUL_IMAGE}"
- name: Deploy soul-demo-stage
if: steps.changetype.outputs.asset_only != 'true'
id: deploy-soul
run: |
set -euo pipefail
gcloud run deploy soul-demo-stage \
--image "${{ steps.soul-image.outputs.soul_image }}" \
--region us-central1 \
--project neuron-785695 \
--service-account neuron-marketing-sa@neuron-785695.iam.gserviceaccount.com \
--update-env-vars "NEURON_LLM_0_FORMAT=anthropic,NEURON_LLM_0_MODEL=claude-sonnet-4-5,NEURON_LLM_0_URL=https://api.anthropic.com/v1/messages" \
--update-secrets "NEURON_LLM_0_KEY=anthropic-api-key:latest,ANTHROPIC_API_KEY=anthropic-api-key:latest" \
--min-instances 1 \
--max-instances 50 \
--concurrency 20 \
--port 8080 \
--allow-unauthenticated \
--quiet
SOUL_URL=$(gcloud run services describe soul-demo-stage \
--region us-central1 --project neuron-785695 \
--format 'value(status.url)')
echo "soul_url=${SOUL_URL}" >> "$GITHUB_OUTPUT"
echo "Soul-demo URL: ${SOUL_URL}"
- name: Build and tag image
if: steps.changetype.outputs.asset_only != 'true'
@@ -255,6 +319,21 @@ jobs:
docker push "${LATEST%:*}:stage-latest"
echo "Fast asset build complete"
- name: Resolve soul-demo URL
id: soul-url
run: |
set -euo pipefail
# For full builds: soul_url comes from deploy-soul step output.
# For asset-only builds (soul-demo not redeployed): describe existing service.
SOUL_URL="${{ steps.deploy-soul.outputs.soul_url }}"
if [ -z "$SOUL_URL" ]; then
SOUL_URL=$(gcloud run services describe soul-demo-stage \
--region us-central1 --project neuron-785695 \
--format 'value(status.url)' 2>/dev/null || echo "")
fi
echo "soul_url=${SOUL_URL}" >> "$GITHUB_OUTPUT"
echo "Resolved SOUL_URL: ${SOUL_URL}"
- name: Deploy to marketing-stage
id: deploy-stage
env:
@@ -267,7 +346,8 @@ jobs:
--region us-central1 \
--project neuron-785695 \
--service-account neuron-marketing-sa@neuron-785695.iam.gserviceaccount.com \
--update-env-vars "NODE_ENV=production,STRIPE_PUBLISHABLE_KEY=pk_test_51TPoHnJg9Fv1D3AUp1FEMcy4MGlKRZqs4scW66kjQFQjWofmNc2rottzXzDaXekHvuw1OQpyp2WCIsc7O5fXIG0G00HQQrkdGX,GCS_SHARE_BUCKET=neuron-shares-prod,SUPABASE_ANON_KEY=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJzdXBhYmFzZSIsInJlZiI6Im9jb2pzZ2hhb25sdHVuaWRrenB3Iiwicm9sZSI6ImFub24iLCJpYXQiOjE3Nzc2NDIxNjgsImV4cCI6MjA5MzIxODE2OH0.e0FVFw1aahnrBVvnkR5R8a-RxCx095U8o_gsk7Quq3E,NEURON_LLM_0_FORMAT=anthropic,NEURON_LLM_0_MODEL=claude-sonnet-4-5,NEURON_LLM_0_URL=https://api.anthropic.com/v1/messages" \
--max-instances 200 \
--update-env-vars "NODE_ENV=production,STRIPE_PUBLISHABLE_KEY=pk_test_51TPoHnJg9Fv1D3AUp1FEMcy4MGlKRZqs4scW66kjQFQjWofmNc2rottzXzDaXekHvuw1OQpyp2WCIsc7O5fXIG0G00HQQrkdGX,GCS_SHARE_BUCKET=neuron-shares-prod,SUPABASE_ANON_KEY=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJzdXBhYmFzZSIsInJlZiI6Im9jb2pzZ2hhb25sdHVuaWRrenB3Iiwicm9sZSI6ImFub24iLCJpYXQiOjE3Nzc2NDIxNjgsImV4cCI6MjA5MzIxODE2OH0.e0FVFw1aahnrBVvnkR5R8a-RxCx095U8o_gsk7Quq3E,NEURON_LLM_0_FORMAT=anthropic,NEURON_LLM_0_MODEL=claude-sonnet-4-5,NEURON_LLM_0_URL=https://api.anthropic.com/v1/messages,SOUL_URL=${{ steps.soul-url.outputs.soul_url }}" \
--update-secrets "SUPABASE_SERVICE_KEY=supabase-service-key:latest,NEURON_LLM_0_KEY=anthropic-api-key:latest,ANTHROPIC_API_KEY=anthropic-api-key:latest,STRIPE_SECRET_KEY=stripe-secret-key-stage:latest,STRIPE_WEBHOOK_SECRET=stripe-webhook-secret-stage:latest,STRIPE_PRICE_PROFESSIONAL=stripe-price-professional-stage:latest,STRIPE_PRICE_FOUNDING=stripe-price-founding-stage:latest,STRIPE_PRICE_FAMILY_CHILD=stripe-price-family-child:latest,RESEND_API_KEY=resend-api-key:latest,DOCUSEAL_WEBHOOK_TOKEN=docuseal-webhook-token:latest" \
--allow-unauthenticated \
--quiet
@@ -301,3 +381,12 @@ jobs:
echo "Stage smoke test FAILED"
exit 1
- name: Run automated test suite
run: |
set -euo pipefail
cd $GITHUB_WORKSPACE
npm ci --prefer-offline 2>/dev/null || npm install
npx playwright install chromium --with-deps
BASE_URL="${{ steps.deploy-stage.outputs.stage_url }}" \
npx playwright test --reporter=list
.gitignore
+5
View File
@@ -41,3 +41,8 @@ src/assets/js/
dist/soul-demo
dist/soul-demo-snapshot.json
dist/soul-demo-image.tar
# Playwright
node_modules/
test-results/
playwright-report/
Dockerfile.soul-demo
+32
View File
@@ -0,0 +1,32 @@
# Dockerfile.soul-demo — Soul-demo as a standalone Cloud Run service.
# Decoupled from neuron-web so it can scale independently.
# Built from repo root. soul-demo binary compiled by CI before this runs.
FROM ubuntu:24.04
ENV DEBIAN_FRONTEND=noninteractive
RUN apt-get update \
&& apt-get install -y --no-install-recommends \
libcurl4t64 \
libssl3t64 \
ca-certificates \
&& rm -rf /var/lib/apt/lists/* \
&& groupadd -r soul && useradd -r -g soul soul \
&& mkdir -p /srv/soul/engram-demo \
&& chown -R soul:soul /srv/soul
COPY dist/soul-demo /usr/local/bin/soul-demo
RUN chmod +x /usr/local/bin/soul-demo
COPY dist/engram-snapshot.json /srv/soul/engram-demo/snapshot.json
RUN chown soul:soul /srv/soul/engram-demo/snapshot.json
USER soul
ENV NEURON_HOME=/srv/soul/engram-demo
ENV NEURON_PORT=8080
EXPOSE 8080
CMD ["/usr/local/bin/soul-demo"]
Dockerfile.stage
+7 -39
View File
@@ -1,18 +1,14 @@
# Dockerfile.stage — Stage build: landing server + soul-demo in one image.
# Dockerfile.stage — Stage build: landing server only.
#
# Both processes run in the same container:
# - neuron-web on port 8080 (landing page server)
# - soul-demo on port 7772 (demo chat, localhost only)
# neuron-web runs on port 8080 (landing page server).
# soul-demo is now a separate Cloud Run service (soul-demo-stage).
#
# All binaries (neuron-web, soul-demo, k3s) are pre-built by CI on the host
# runner before this Dockerfile runs. This keeps the Docker build single-stage
# with no compilation and no network downloads, eliminating the multi-stage
# complexity that caused RWLayer corruption on the runner's overlay2 driver.
# neuron-web binary is pre-built by CI on the host runner before this
# Dockerfile runs. This keeps the Docker build single-stage with no
# compilation and no network downloads.
#
# CI pre-build steps (in stage.yaml):
# - neuron-web: built by `elb build` → dist/neuron-landing
# - soul-demo: compiled by cc on host → dist/soul-demo
# - k3s: downloaded by curl on host → dist/k3s
FROM ubuntu:24.04
@@ -26,34 +22,12 @@ RUN apt-get update \
&& rm -rf /var/lib/apt/lists/* \
&& groupadd -r landing && useradd -r -g landing landing \
&& mkdir -p /srv/landing/assets /srv/landing/js /srv/landing/shares \
&& mkdir -p /srv/soul/engram-demo \
&& chown -R landing:landing /srv/landing /srv/soul \
&& mkdir -p /var/lib/rancher/k3s /tmp/k3s \
&& chown -R landing:landing /var/lib/rancher /tmp/k3s
&& chown -R landing:landing /srv/landing
# neuron-web binary — produced by `elb build` in CI (linux/amd64)
COPY dist/neuron-landing /usr/local/bin/neuron-web
RUN chmod +x /usr/local/bin/neuron-web
# soul-demo binary — compiled by cc on host runner in CI
COPY dist/soul-demo /usr/local/bin/soul-demo
RUN chmod +x /usr/local/bin/soul-demo
# k3s binary — downloaded from GitHub releases by CI
COPY dist/k3s /usr/local/bin/k3s
RUN chmod +x /usr/local/bin/k3s
# soul-demo OCI image tar — k3s imports this at startup (no registry needed)
RUN mkdir -p /var/lib/rancher/k3s/agent/images
COPY dist/soul-demo-image.tar /var/lib/rancher/k3s/agent/images/soul-demo.tar
# k3s manifests — auto-applied when k3s starts
RUN mkdir -p /var/lib/rancher/k3s/server/manifests
COPY dist/k3s-soul-demo.yaml /var/lib/rancher/k3s/server/manifests/soul-demo.yaml
# Engram snapshot — baked in so soul has memory from cold start
COPY dist/engram-snapshot.json /srv/soul/engram-demo/snapshot.json
COPY src/assets /srv/landing/assets
COPY dist/js /srv/landing/js
COPY src/llms.txt /srv/landing/llms.txt
@@ -71,13 +45,7 @@ RUN chmod +x /usr/local/bin/entrypoint.sh
ENV LANDING_ROOT=/srv/landing
ENV PORT=8080
ENV NEURON_HOME=/srv/soul/engram-demo
ENV NEURON_PORT=7772
ENV K3S_DATA_DIR=/var/lib/rancher/k3s
ENV KUBECONFIG=/var/lib/rancher/k3s/server/cred/admin.kubeconfig
# k3s requires root to create network namespaces and mount cgroups.
# Cloud Run gen2 sandbox is the security boundary here.
EXPOSE 8080
CMD ["/usr/local/bin/entrypoint.sh"]
cloud-functions/demo-budget-guard/main.py
+35
View File
@@ -0,0 +1,35 @@
import json
import base64
import os
import requests
from datetime import datetime, timezone
def budget_alert(event, context):
"""Triggered by a Pub/Sub budget alert. Disables demo if threshold exceeded."""
data = base64.b64decode(event['data']).decode('utf-8')
alert = json.loads(data)
# Only act on threshold exceeded alerts (not forecasts)
cost_amount = alert.get('costAmount', 0)
budget_amount = alert.get('budgetAmount', 1)
threshold = cost_amount / budget_amount if budget_amount else 0
if threshold < 0.9:
print(f"Threshold {threshold:.1%} below 90%, no action")
return
supabase_url = os.environ['SUPABASE_URL']
service_key = os.environ['SUPABASE_SERVICE_KEY']
resp = requests.patch(
f"{supabase_url}/rest/v1/demo_config?key=eq.demo_enabled",
headers={
'Authorization': f'Bearer {service_key}',
'apikey': service_key,
'Content-Type': 'application/json',
'Prefer': 'return=minimal',
},
json={'value': 'false', 'updated_at': datetime.now(timezone.utc).isoformat()}
)
print(f"Demo disabled — budget at {threshold:.1%}. Supabase: {resp.status_code}")
cloud-functions/demo-budget-guard/requirements.txt
+1
View File
@@ -0,0 +1 @@
requests==2.31.0
dist/entrypoint.sh
Vendored
+1 -38
View File
@@ -1,41 +1,4 @@
#!/bin/sh
set -e
# SKIP_K3S=1 — bypass k3s/soul-demo startup and go straight to neuron-web.
# Used by the dev CI smoke test where the container runtime doesn't support
# the kernel capabilities k3s requires (overlayfs / privileged mode).
if [ "${SKIP_K3S:-0}" = "1" ]; then
echo "[entrypoint] SKIP_K3S=1: starting neuron-web directly (no k3s/soul-demo)."
exec /usr/local/bin/neuron-web
fi
echo "[entrypoint] Starting k3s server (embedded soul-demo orchestrator)..."
# k3s server — single-node mode, disable unused components
# --disable traefik,servicelb: we don't need an ingress or LB
# --disable metrics-server: saves ~50MB RAM
# --write-kubeconfig-mode=644: allow non-root reads
# --data-dir: use the pre-chowned dir
# --flannel-iface=eth0: explicitly set the network interface.
# Cloud Run gen2 provides eth0 but k3s default IP detection walks the routing
# table looking for a default route, which fails in Cloud Run's network sandbox.
# Pinning to eth0 bypasses that detection and lets k3s bind correctly.
k3s server \
--disable traefik \
--disable servicelb \
--disable metrics-server \
--write-kubeconfig-mode=644 \
--data-dir /var/lib/rancher/k3s \
--node-name soul-node \
--flannel-iface=eth0 &
K3S_PID=$!
# Start neuron-web immediately — do NOT block on k3s becoming ready.
# Cloud Run's startup probe requires port 8080 to be listening within the
# startup timeout. k3s may take 30-60s to initialise; blocking here causes
# probe failures and container termination before neuron-web ever starts.
# soul-demo becomes available asynchronously once k3s is ready. neuron-web
# handles soul-demo being temporarily unavailable gracefully.
echo "[entrypoint] Starting neuron-web on port ${PORT:-8080} (k3s initialising in background)..."
echo "[entrypoint] Starting neuron-web on port ${PORT:-8080}..."
exec /usr/local/bin/neuron-web
dist/page_close.c
Vendored
+1 -1
View File
File diff suppressed because one or more lines are too long
dist/page_css.c
Vendored
+85
View File
@@ -1794,6 +1794,91 @@ el_val_t page_css(void) {
" }\n"
" #neuron-demo-send:hover { background: #0078D4; }\n"
" #neuron-demo-send:disabled { opacity: 0.5; cursor: not-allowed; }\n"
" #neuron-demo-auth {\n"
" flex-direction: column;\n"
" align-items: center;\n"
" gap: 0.75rem;\n"
" padding: 1.5rem 1.25rem;\n"
" flex: 1;\n"
" }\n"
" .demo-auth-heading {\n"
" font-family: var(--body);\n"
" font-size: 0.85rem;\n"
" font-weight: 600;\n"
" color: var(--t1);\n"
" text-align: center;\n"
" margin: 0 0 0.25rem;\n"
" }\n"
" .demo-auth-google-btn {\n"
" display: flex;\n"
" align-items: center;\n"
" gap: 0.6rem;\n"
" width: 100%;\n"
" padding: 0.65rem 1rem;\n"
" font-family: var(--body);\n"
" font-size: 0.82rem;\n"
" font-weight: 500;\n"
" color: var(--t1);\n"
" background: #fff;\n"
" border: 1px solid var(--border);\n"
" border-radius: 6px;\n"
" cursor: pointer;\n"
" justify-content: center;\n"
" transition: border-color 180ms, box-shadow 180ms;\n"
" }\n"
" .demo-auth-google-btn:hover {\n"
" border-color: rgba(0,82,160,0.45);\n"
" box-shadow: 0 0 0 3px rgba(0,82,160,0.08);\n"
" }\n"
" .demo-auth-email-toggle {\n"
" background: none;\n"
" border: none;\n"
" cursor: pointer;\n"
" font-family: var(--body);\n"
" font-size: 0.78rem;\n"
" color: var(--t3);\n"
" text-decoration: underline;\n"
" padding: 0;\n"
" }\n"
" .demo-auth-email-form {\n"
" display: none;\n"
" flex-direction: column;\n"
" gap: 0.5rem;\n"
" width: 100%;\n"
" }\n"
" .demo-auth-email-form input {\n"
" width: 100%;\n"
" padding: 0.6rem 0.75rem;\n"
" font-family: var(--body);\n"
" font-size: 0.82rem;\n"
" color: var(--t1);\n"
" background: var(--bg);\n"
" border: 1px solid var(--border);\n"
" border-radius: 6px;\n"
" outline: none;\n"
" }\n"
" .demo-auth-email-form input:focus { border-color: var(--navy); }\n"
" .demo-auth-submit-btn {\n"
" width: 100%;\n"
" padding: 0.6rem 1rem;\n"
" font-family: var(--body);\n"
" font-size: 0.82rem;\n"
" font-weight: 600;\n"
" color: #fff;\n"
" background: var(--navy);\n"
" border: none;\n"
" border-radius: 6px;\n"
" cursor: pointer;\n"
" transition: background 180ms;\n"
" }\n"
" .demo-auth-submit-btn:hover { background: #0078D4; }\n"
" .demo-auth-submit-btn:disabled { opacity: 0.5; cursor: not-allowed; }\n"
" .demo-auth-msg {\n"
" font-family: var(--body);\n"
" font-size: 0.75rem;\n"
" margin: 0;\n"
" text-align: center;\n"
" }\n"
" @media (max-width: 600px) {\n"
" #neuron-demo-text { font-size: 1rem; padding: 1rem; }\n"
" #neuron-demo-send { padding: 1rem 1.25rem; min-width: 64px; }\n"
dist/page_schema.c
Vendored
+16 -3
View File
@@ -10,9 +10,18 @@ el_val_t page_schema(void) {
" \"@context\": \"https://schema.org\",\n"
" \"@graph\": [\n"
" {\n"
" \"@type\": \"WebSite\",\n"
" \"name\": \"Neuron\",\n"
" \"url\": \"https://neurontechnologies.ai\"\n"
" },\n"
" {\n"
" \"@type\": \"Organization\",\n"
" \"name\": \"Neuron, LLC\",\n"
" \"url\": \"https://neurontechnologies.ai\",\n"
" \"logo\": {\n"
" \"@type\": \"ImageObject\",\n"
" \"url\": \"https://neurontechnologies.ai/assets/brand/neuron-wordmark-on-light@2x.png\"\n"
" },\n"
" \"founder\": {\n"
" \"@type\": \"Person\",\n"
" \"name\": \"Will Anderson\",\n"
@@ -20,11 +29,15 @@ el_val_t page_schema(void) {
" },\n"
" \"description\": \"Neuron builds AI that runs on your machine, builds a memory over time, and gets sharper the longer you use it. One builder. Built different.\",\n"
" \"foundingDate\": \"2026\",\n"
" \"sameAs\": [\"https://github.com/neuron-technologies\"]\n"
" \"sameAs\": [\n"
" \"https://github.com/neuron-technologies\",\n"
" \"https://x.com/neurontechai\"\n"
" ]\n"
" },\n"
" {\n"
" \"@type\": \"SoftwareApplication\",\n"
" \"name\": \"Neuron\",\n"
" \"url\": \"https://neurontechnologies.ai\",\n"
" \"applicationCategory\": \"AIApplication\",\n"
" \"operatingSystem\": \"macOS, Windows, Linux\",\n"
" \"offers\": [\n"
@@ -39,7 +52,7 @@ el_val_t page_schema(void) {
" \"name\": \"Professional\",\n"
" \"price\": \"19\",\n"
" \"priceCurrency\": \"USD\",\n"
" \"billingIncrement\": \"monthly\"\n"
" \"billingPeriod\": \"P1M\"\n"
" },\n"
" {\n"
" \"@type\": \"Offer\",\n"
@@ -67,7 +80,7 @@ el_val_t page_schema(void) {
" \"name\": \"What is Neuron?\",\n"
" \"acceptedAnswer\": {\n"
" \"@type\": \"Answer\",\n"
" \"text\": \"Neuron is an AI that runs on your machine and builds a persistent memory over time. Every other AI forgets you when you close the tab. Neuron doesn&#39;t. The longer you use it, the less you have to explain.\"\n"
" \"text\": \"Neuron is an AI that runs on your machine and builds a persistent memory over time. Every other AI forgets you when you close the tab. Neuron doesn't. The longer you use it, the less you have to explain.\"\n"
" }\n"
" },\n"
" {\n"
manifest.el
+8
View File
@@ -16,4 +16,12 @@ build {
c_source "dist/page_css.c"
c_source "dist/page_ga.c"
c_source "dist/page_schema.c"
// NOTE: neuron-web requires el_runtime.c to be compiled with -DHAVE_CURL
// so that http_get/http_post forward to libcurl instead of returning
// {"error":"not built with HAVE_CURL"}. The elb binary in ci-base:dev
// hardcodes -DHAVE_CURL in its cc invocation, but older elb versions may
// not. manifest.el does not support c_flags or link_flags directives
// if upgrading elb breaks HTTP, ensure ci-base:dev ships an elb built
// with HAVE_CURL enabled in its hardcoded cc command, or pre-compile
// el_runtime.o with -DHAVE_CURL on the host and pass it as a c_source.
}
migrations/20260510000000_demo_config.sql
+22
View File
@@ -0,0 +1,22 @@
-- 20260510000000_demo_config.sql
--
-- Kill switch for the demo chat endpoint. Backs the budget-alert Cloud Function
-- that flips demo_enabled to 'false' when GCP spend crosses 90% of the daily
-- budget threshold. The web tier polls this table with a 60s TTL cache so the
-- demo is disabled within one minute of a budget alert firing.
--
-- Service-role bypasses RLS. Public anon has no access (policy USING (false)).
CREATE TABLE IF NOT EXISTS public.demo_config (
key text PRIMARY KEY,
value text NOT NULL,
updated_at timestamptz DEFAULT now()
);
ALTER TABLE public.demo_config ENABLE ROW LEVEL SECURITY;
CREATE POLICY "service only" ON public.demo_config USING (false);
-- Seed the kill switch as enabled
INSERT INTO public.demo_config (key, value) VALUES ('demo_enabled', 'true')
ON CONFLICT (key) DO NOTHING;
package-lock.json
Generated
+78
View File
@@ -0,0 +1,78 @@
{
"name": "neuron-marketing-web",
"version": "1.0.0",
"lockfileVersion": 3,
"requires": true,
"packages": {
"": {
"name": "neuron-marketing-web",
"version": "1.0.0",
"devDependencies": {
"@playwright/test": "^1.44.0"
}
},
"node_modules/@playwright/test": {
"version": "1.59.1",
"resolved": "https://registry.npmjs.org/@playwright/test/-/test-1.59.1.tgz",
"integrity": "sha512-PG6q63nQg5c9rIi4/Z5lR5IVF7yU5MqmKaPOe0HSc0O2cX1fPi96sUQu5j7eo4gKCkB2AnNGoWt7y4/Xx3Kcqg==",
"dev": true,
"license": "Apache-2.0",
"dependencies": {
"playwright": "1.59.1"
},
"bin": {
"playwright": "cli.js"
},
"engines": {
"node": ">=18"
}
},
"node_modules/fsevents": {
"version": "2.3.2",
"resolved": "https://registry.npmjs.org/fsevents/-/fsevents-2.3.2.tgz",
"integrity": "sha512-xiqMQR4xAeHTuB9uWm+fFRcIOgKBMiOBP+eXiyT7jsgVCq1bkVygt00oASowB7EdtpOHaaPgKt812P9ab+DDKA==",
"dev": true,
"hasInstallScript": true,
"license": "MIT",
"optional": true,
"os": [
"darwin"
],
"engines": {
"node": "^8.16.0 || ^10.6.0 || >=11.0.0"
}
},
"node_modules/playwright": {
"version": "1.59.1",
"resolved": "https://registry.npmjs.org/playwright/-/playwright-1.59.1.tgz",
"integrity": "sha512-C8oWjPR3F81yljW9o5OxcWzfh6avkVwDD2VYdwIGqTkl+OGFISgypqzfu7dOe4QNLL2aqcWBmI3PMtLIK233lw==",
"dev": true,
"license": "Apache-2.0",
"dependencies": {
"playwright-core": "1.59.1"
},
"bin": {
"playwright": "cli.js"
},
"engines": {
"node": ">=18"
},
"optionalDependencies": {
"fsevents": "2.3.2"
}
},
"node_modules/playwright-core": {
"version": "1.59.1",
"resolved": "https://registry.npmjs.org/playwright-core/-/playwright-core-1.59.1.tgz",
"integrity": "sha512-HBV/RJg81z5BiiZ9yPzIiClYV/QMsDCKUyogwH9p3MCP6IYjUFu/MActgYAvK0oWyV9NlwM3GLBjADyWgydVyg==",
"dev": true,
"license": "Apache-2.0",
"bin": {
"playwright-core": "cli.js"
},
"engines": {
"node": ">=18"
}
}
}
}
package.json
+13
View File
@@ -0,0 +1,13 @@
{
"name": "neuron-marketing-web",
"version": "1.0.0",
"private": true,
"devDependencies": {
"@playwright/test": "^1.44.0"
},
"scripts": {
"test": "playwright test",
"test:api": "playwright test tests/api/",
"test:e2e": "playwright test tests/e2e/"
}
}
playwright.config.ts
+19
View File
@@ -0,0 +1,19 @@
import { defineConfig, devices } from '@playwright/test';
const BASE_URL = process.env.BASE_URL || 'https://marketing-stage-r4tfklscwq-uc.a.run.app';
export default defineConfig({
testDir: './tests',
timeout: 30_000,
retries: process.env.CI ? 2 : 0,
reporter: [['list'], ['html', { open: 'never' }]],
use: {
baseURL: BASE_URL,
extraHTTPHeaders: {},
},
projects: [
{ name: 'api', testDir: './tests/api', use: { ...devices['Desktop Chrome'] } },
{ name: 'chromium', testDir: './tests/e2e', use: { ...devices['Desktop Chrome'] } },
{ name: 'mobile', testDir: './tests/e2e', use: { ...devices['Pixel 7'] } },
],
});
runtime/el_runtime.c
+98 -30
View File
@@ -1331,12 +1331,19 @@ static void http_emit_headers_from_map(JsonBuf* b, el_val_t headers_map,
/* Parse the envelope produced by http_response(). On success returns 1 and
* populates *out_status, *out_headers_map (an ElMap el_val_t caller must
* el_release), and *out_body (allocated). On failure returns 0.
* el_release via out_parsed_root), and *out_body (malloc'd, caller frees).
* On failure returns 0.
*
* Implementation: feeds the entire envelope through the recursive-descent
* JSON parser (which builds proper ElMap/ElList values), then pulls the
* three top-level fields by name. Avoids re-stringifying the headers map
* since json_stringify() does not support nested objects. */
* Implementation: manual field scanner does NOT run json_parse on the full
* envelope. Running the recursive-descent JSON parser on a 4050 KB envelope
* (common when the body contains minified/obfuscated JavaScript) fails because
* the parser allocates intermediate ElMap nodes for the whole structure.
* Instead we scan directly:
* "status" strtol scan
* "headers" brace-depth scan to extract the object literal, then
* json_parse only that small substring (always < 1 KB)
* "body" jp_parse_string_raw to unescape the JSON string in one pass,
* without building any intermediate data structures */
static int http_parse_envelope(const char* s, int* out_status,
el_val_t* out_headers_map, char** out_body,
el_val_t* out_parsed_root) {
@@ -1344,37 +1351,91 @@ static int http_parse_envelope(const char* s, int* out_status,
if (strncmp(s, EL_HTTP_RESPONSE_TAG,
sizeof(EL_HTTP_RESPONSE_TAG) - 1) != 0) return 0;
el_val_t parsed = json_parse(EL_STR(s));
if (parsed == EL_NULL) return 0;
int status = 200;
el_val_t hmap = 0;
char* body = NULL;
el_val_t sv = el_map_get(parsed, EL_STR("status"));
if (sv != 0) {
/* status comes back as an integer — el_val_t holds it directly. */
long sc = (long)sv;
if (sc >= 100 && sc <= 599) status = (int)sc;
/* ── status ──────────────────────────────────────────────────────────── */
int status = 200;
{
const char* sp = strstr(s, "\"status\":");
if (sp) {
const char* np = sp + 9;
while (*np == ' ' || *np == '\t') np++;
long sc = strtol(np, NULL, 10);
if (sc >= 100 && sc <= 599) status = (int)sc;
}
}
el_val_t hv = el_map_get(parsed, EL_STR("headers"));
if (hv != 0) {
ElMap* hm = (ElMap*)(uintptr_t)hv;
if (hm && hm->hdr.magic == EL_MAGIC_MAP) hmap = hv;
/* ── headers ─────────────────────────────────────────────────────────── */
el_val_t hmap = 0;
el_val_t parsed_hdrs = EL_NULL;
{
const char* hp = strstr(s, "\"headers\":");
if (hp) {
hp += 10;
while (*hp == ' ' || *hp == '\t') hp++;
if (*hp == '{') {
/* Scan for matching '}', honouring nested objects and strings */
const char* hobj_start = hp;
const char* cp = hp + 1;
int depth = 1, in_str = 0;
while (*cp && depth > 0) {
if (in_str) {
if (*cp == '\\' && *(cp + 1)) { cp += 2; continue; }
if (*cp == '"') in_str = 0;
} else {
if (*cp == '"') in_str = 1;
else if (*cp == '{') depth++;
else if (*cp == '}') { if (--depth == 0) break; }
}
cp++;
}
if (depth == 0) {
/* cp points at the closing '}'; extract the object literal */
size_t hlen = (size_t)(cp - hobj_start + 1);
char* hobj = malloc(hlen + 1);
if (hobj) {
memcpy(hobj, hobj_start, hlen);
hobj[hlen] = '\0';
/* Headers are always simple k/v string pairs — json_parse
* is safe on this small substring (typically < 1 KB). */
parsed_hdrs = json_parse(EL_STR(hobj));
free(hobj);
if (parsed_hdrs != EL_NULL) {
ElMap* hm = (ElMap*)(uintptr_t)parsed_hdrs;
if (hm && hm->hdr.magic == EL_MAGIC_MAP) hmap = parsed_hdrs;
}
}
}
}
}
}
el_val_t bv = el_map_get(parsed, EL_STR("body"));
if (bv != 0) {
const char* bs = EL_CSTR(bv);
if (bs) body = el_strdup(bs);
/* ── body ────────────────────────────────────────────────────────────── */
/* Search forward so we don't accidentally match "body": inside a header
* value. http_response() always appends the body field last. */
char* body = NULL;
{
const char* bp = strstr(s, "\"body\":");
if (bp) {
bp += 7;
while (*bp == ' ' || *bp == '\t') bp++;
if (*bp == '"') {
/* jp_parse_string_raw unescapes a JSON string in one pass,
* producing a plain malloc'd C string. Caller frees it. */
JsonParser jp = { .p = bp, .end = bp + strlen(bp), .err = 0 };
char* parsed = jp_parse_string_raw(&jp);
if (!jp.err) {
body = parsed;
} else {
free(parsed);
}
}
}
if (!body) body = strdup("");
}
if (!body) body = el_strdup("");
*out_status = status;
*out_headers_map = hmap;
*out_body = body;
*out_parsed_root = parsed; /* caller releases to free hmap + entries */
*out_status = status;
*out_headers_map = hmap;
*out_body = body;
*out_parsed_root = parsed_hdrs; /* caller el_release()s to free hmap */
return 1;
}
@@ -1900,6 +1961,13 @@ el_val_t http_response(el_val_t status, el_val_t headers_json, el_val_t body) {
const char* b = EL_CSTR(body);
if (!b) b = "";
/* Clear the fs_read binary-length hint: the envelope we're about to build
* is a fresh JSON string, not the raw file bytes. Without this reset,
* http_worker would use the stale _tl_fs_read_len (= original file size)
* to copy the response truncating the larger envelope before it reaches
* http_send_response and http_parse_envelope. */
_tl_fs_read_len = 0;
JsonBuf out; jb_init(&out);
jb_puts(&out, EL_HTTP_RESPONSE_TAG); /* {"el_http_response":1 */
jb_puts(&out, ",\"status\":");
src/enterprise_terms.el
+8 -2
View File
@@ -1,7 +1,7 @@
// components/enterprise_terms.el - Enterprise Agreement page.
// Returns complete HTML using the shared page shell from styles.el.
from styles import { page_open, page_close }
from styles import { page_open_seo, page_close }
from nav import { nav }
extern fn el_div(attrs: String, children: String) -> String
@@ -15,7 +15,13 @@ extern fn el_li(attrs: String, children: String) -> String
extern fn el_em(children: String) -> String
fn enterprise_terms_page() -> String {
page_open() + enterprise_terms_body() + page_close()
page_open_seo(
"Enterprise Agreement — Neuron",
"The Neuron Enterprise Agreement governs enterprise deployments of Neuron software. Review licensing terms, data handling, and compliance provisions.",
"/legal/enterprise-terms",
"The Neuron Enterprise Agreement — governing enterprise deployments, licensing, data handling, and compliance.",
"false"
) + enterprise_terms_body() + page_close()
}
fn et_section(num: String, title: String, body: String) -> String {
src/js/chat-widget.el
+186 -32
View File
@@ -1,9 +1,9 @@
// chat-widget.el -- Neuron demo chat widget with Turnstile, session persistence,
// local engram graph, and share-pill.
// chat-widget.el -- Neuron demo chat widget with Supabase auth, Turnstile,
// session persistence, local engram graph, and share-pill.
// Compiled with: elc --target=js --bundle --minify --obfuscate
//
// Exposed globals: neuronDemoToggle(), neuronDemoSend(), neuronDemoReset()
// Required CDN: marked.js, Cloudflare Turnstile
// Required CDN: marked.js, Cloudflare Turnstile, Supabase JS
fn main() -> Void {
native_js("(function() {
@@ -15,6 +15,126 @@ fn main() -> Void {
var isOpen = false;
var MAX = 10;
// Supabase auth state
var supabaseClient = null;
var _supabaseSession = null; // current session (null = not authenticated)
function initSupabaseWidget(cb) {
if (supabaseClient) { cb(); return; }
fetch('/api/supabase-config')
.then(function(r) { return r.json(); })
.then(function(cfg) {
supabaseClient = window.supabase.createClient(cfg.url, cfg.anon_key, {
auth: { flowType: 'implicit' }
});
supabaseClient.auth.getSession().then(function(res) {
if (res.data && res.data.session) {
_supabaseSession = res.data.session;
}
// Listen for sign-in from OAuth redirect
supabaseClient.auth.onAuthStateChange(function(event, session) {
if (session) {
_supabaseSession = session;
_onWidgetAuthenticated();
}
});
cb();
});
})
.catch(function() { cb(); });
}
function _onWidgetAuthenticated() {
var authPane = document.getElementById('neuron-demo-auth');
var gate = document.getElementById('neuron-demo-gate');
var msgs = document.getElementById('neuron-demo-messages');
var inputRow = document.getElementById('neuron-demo-input-row');
if (authPane) authPane.style.display = 'none';
// Only reveal chat UI if Turnstile has also passed
if (turnstileVerified) {
if (gate) gate.style.display = 'none';
if (msgs) msgs.style.display = 'flex';
if (inputRow) inputRow.style.display = 'flex';
var msgs2 = document.getElementById('neuron-demo-messages');
if (msgs2 && msgs2.children.length === 0) {
if (session && session.messages && session.messages.length > 0) {
session.messages.forEach(function(m) { addMsg(m.role, m.text, true); });
} else if (!session.greeted) {
addMsg('ai', 'Hey. What is on your mind?', true);
session.greeted = true;
saveSession(session);
}
}
var inp = document.getElementById('neuron-demo-text');
if (inp) inp.focus();
}
}
function _renderWidgetAuthPane() {
var authPane = document.getElementById('neuron-demo-auth');
if (!authPane) return;
authPane.innerHTML = '';
authPane.style.display = 'flex';
var heading = document.createElement('p');
heading.className = 'demo-auth-heading';
heading.textContent = 'Sign in to chat with Neuron';
authPane.appendChild(heading);
var googleBtn = document.createElement('button');
googleBtn.className = 'demo-auth-google-btn';
googleBtn.innerHTML = '<svg width=\"18\" height=\"18\" viewBox=\"0 0 48 48\"><path fill=\"#EA4335\" d=\"M24 9.5c3.14 0 5.95 1.08 8.17 2.84l6.09-6.09C34.46 3.19 29.53 1 24 1 14.62 1 6.68 6.84 3.32 15.09l7.1 5.52C12.16 14.02 17.6 9.5 24 9.5z\"/><path fill=\"#4285F4\" d=\"M46.5 24.5c0-1.64-.15-3.22-.42-4.75H24v9h12.7c-.55 2.99-2.2 5.53-4.68 7.24l7.19 5.59C43.07 37.23 46.5 31.3 46.5 24.5z\"/><path fill=\"#FBBC05\" d=\"M10.42 28.39A14.6 14.6 0 0 1 9.5 24c0-1.52.26-3 .72-4.39l-7.1-5.52A23.5 23.5 0 0 0 .5 24c0 3.78.88 7.36 2.44 10.56l7.48-6.17z\"/><path fill=\"#34A853\" d=\"M24 47c5.53 0 10.17-1.83 13.56-4.97l-7.19-5.59C28.56 37.88 26.38 38.5 24 38.5c-6.4 0-11.84-4.52-13.58-10.61l-7.48 6.17C6.68 43.16 14.62 47 24 47z\"/><path fill=\"none\" d=\"M0 0h48v48H0z\"/></svg> Continue with Google';
googleBtn.onclick = function() {
if (!supabaseClient) return;
supabaseClient.auth.signInWithOAuth({
provider: 'google',
options: { redirectTo: window.location.href }
});
};
authPane.appendChild(googleBtn);
var emailToggle = document.createElement('button');
emailToggle.className = 'demo-auth-email-toggle';
emailToggle.textContent = 'or continue with email';
authPane.appendChild(emailToggle);
var emailForm = document.createElement('div');
emailForm.className = 'demo-auth-email-form';
emailForm.style.display = 'none';
emailForm.innerHTML = '<input type=\"email\" id=\"demo-auth-email\" placeholder=\"Email\" autocomplete=\"email\" />'
+ '<input type=\"password\" id=\"demo-auth-password\" placeholder=\"Password\" autocomplete=\"current-password\" />'
+ '<button class=\"demo-auth-submit-btn\" id=\"demo-auth-submit\">Sign in</button>'
+ '<p class=\"demo-auth-msg\" id=\"demo-auth-msg\" style=\"display:none\"></p>';
authPane.appendChild(emailForm);
emailToggle.onclick = function() {
emailForm.style.display = emailForm.style.display === 'none' ? 'flex' : 'none';
};
var submitBtn = emailForm.querySelector('#demo-auth-submit');
if (submitBtn) {
submitBtn.onclick = function() {
var email = (document.getElementById('demo-auth-email') || {}).value || '';
var pass = (document.getElementById('demo-auth-password') || {}).value || '';
var msgEl = document.getElementById('demo-auth-msg');
if (!email || !pass) {
if (msgEl) { msgEl.textContent = 'Email and password required.'; msgEl.style.display = ''; msgEl.style.color = '#e53e3e'; }
return;
}
submitBtn.disabled = true;
supabaseClient.auth.signInWithPassword({ email: email, password: pass }).then(function(res) {
if (res.error) {
if (msgEl) { msgEl.textContent = res.error.message || 'Sign in failed.'; msgEl.style.display = ''; msgEl.style.color = '#e53e3e'; }
submitBtn.disabled = false;
} else {
_supabaseSession = res.data.session;
_onWidgetAuthenticated();
}
}).catch(function() { submitBtn.disabled = false; });
};
}
}
function loadSession() {
try {
var s = localStorage.getItem('neuron_demo_session');
@@ -148,7 +268,7 @@ fn main() -> Void {
var btn = document.getElementById('neuron-demo-btn');
if (btn) btn.style.display = isOpen ? 'none' : '';
var msgs = document.getElementById('neuron-demo-messages');
if (isOpen && turnstileVerified && msgs && msgs.style.display !== 'none' && msgs.children.length === 0) {
if (isOpen && turnstileVerified && _supabaseSession && msgs && msgs.style.display !== 'none' && msgs.children.length === 0) {
if (session.messages && session.messages.length > 0) {
session.messages.forEach(function(m) { addMsg(m.role, m.text, true); });
var remaining = MAX - msgCount;
@@ -165,36 +285,50 @@ fn main() -> Void {
var input = document.getElementById('neuron-demo-text');
if (isOpen && input && !input.disabled) input.focus();
updateCountdown();
if (isOpen && !turnstileWidgetId && typeof turnstile !== 'undefined') {
var container = document.getElementById('neuron-demo-turnstile');
if (container) {
turnstileWidgetId = turnstile.render(container, {
sitekey: TURNSTILE_SITE_KEY,
size: 'compact',
callback: function(token) {
turnstileToken = token;
turnstileVerified = true;
if (typeof turnstile !== 'undefined' && turnstileWidgetId !== null) {
try { turnstile.remove(turnstileWidgetId); } catch(e) {}
turnstileWidgetId = null;
if (isOpen) {
// Initialize Supabase on first open, then decide what to show
initSupabaseWidget(function() {
if (!_supabaseSession) {
// Not authenticated show auth pane, hide Turnstile gate
var gate = document.getElementById('neuron-demo-gate');
if (gate) gate.style.display = 'none';
_renderWidgetAuthPane();
} else {
// Authenticated proceed with Turnstile gate as normal
if (!turnstileWidgetId && typeof turnstile !== 'undefined') {
var container = document.getElementById('neuron-demo-turnstile');
if (container) {
turnstileWidgetId = turnstile.render(container, {
sitekey: TURNSTILE_SITE_KEY,
size: 'compact',
callback: function(token) {
turnstileToken = token;
turnstileVerified = true;
if (typeof turnstile !== 'undefined' && turnstileWidgetId !== null) {
try { turnstile.remove(turnstileWidgetId); } catch(e) {}
turnstileWidgetId = null;
}
var gate = document.getElementById('neuron-demo-gate');
var msgs = document.getElementById('neuron-demo-messages');
var inputRow = document.getElementById('neuron-demo-input-row');
if (gate) gate.style.display = 'none';
if (msgs) msgs.style.display = 'flex';
if (inputRow) inputRow.style.display = 'flex';
addMsg('ai', 'Hey. What is on your mind?', true);
updateCountdown();
var inp = document.getElementById('neuron-demo-text');
if (inp) inp.focus();
},
'expired-callback': function() {
turnstileToken = '';
turnstileVerified = false;
}
});
}
var gate = document.getElementById('neuron-demo-gate');
var msgs = document.getElementById('neuron-demo-messages');
var inputRow = document.getElementById('neuron-demo-input-row');
if (gate) gate.style.display = 'none';
if (msgs) msgs.style.display = 'flex';
if (inputRow) inputRow.style.display = 'flex';
addMsg('ai', 'Hey. What is on your mind?', true);
updateCountdown();
var inp = document.getElementById('neuron-demo-text');
if (inp) inp.focus();
},
'expired-callback': function() {
turnstileToken = '';
turnstileVerified = false;
}
});
}
}
});
}
};
@@ -310,6 +444,7 @@ fn main() -> Void {
});
var activated_nodes = _ra(session._m, msg);
var questionsRemaining = Math.max(0, (MAX - msgCount) - 1);
var accessToken = (_supabaseSession && _supabaseSession.access_token) ? _supabaseSession.access_token : '';
var r = await fetch('/api/demo', {
method: 'POST',
headers: {'Content-Type': 'application/json'},
@@ -318,6 +453,7 @@ fn main() -> Void {
history: hist,
cf_token: turnstileVerified && !session._cfSent ? turnstileToken : '',
uid: session.uid || '',
access_token: accessToken,
activated_nodes: activated_nodes,
engram_node_count: (session._m && session._m.nodes) ? session._m.nodes.length : 0,
questions_remaining: questionsRemaining,
@@ -361,6 +497,24 @@ fn main() -> Void {
return;
}
// Auth required show auth pane again
if (d.auth_required) {
addMsg('ai', 'Please sign in to continue chatting with Neuron.');
_renderWidgetAuthPane();
var msgs2 = document.getElementById('neuron-demo-messages');
var inputRow2 = document.getElementById('neuron-demo-input-row');
if (msgs2) msgs2.style.display = 'none';
if (inputRow2) inputRow2.style.display = 'none';
return;
}
// Demo disabled by budget circuit breaker
if (d.disabled) {
addMsg('ai', d.error || 'The demo is temporarily unavailable. Check back soon.');
if (input) { input.disabled = true; input.placeholder = 'Demo unavailable'; }
if (btn) { btn.disabled = true; }
return;
}
_um(session, d.sn, d.se);
var reply = d.response || d.reply || d.message || '';
var isError = !reply || reply === 'Stepped out for a moment. Try again.';
src/js/checkout-auth.el
+18 -2
View File
@@ -29,12 +29,19 @@ fn main() -> Void {
el.style.color = isError ? '#c0392b' : '#2ecc71';
}
var _formRevealed = false;
function revealPaymentForm(user) {
if (_formRevealed) return;
_formRevealed = true;
if (user && user.id) { window._neuronSupaId = user.id; }
var auth = document.getElementById('auth-section');
if (auth) auth.style.display = 'none';
var isFree = (window.NEURON_CFG || {}).plan === 'free';
if (!isFree) {
if (isFree) {
// Free plan: show the success panel (user is signed in or just signed up)
var freeSuccess = document.getElementById('free-success');
if (freeSuccess) freeSuccess.style.display = '';
} else {
var payment = document.getElementById('payment-section');
if (payment) payment.style.display = '';
}
@@ -68,7 +75,16 @@ fn main() -> Void {
function checkExistingSession() {
initSupabase(function() {
supabaseClient.auth.getUser().then(function(res) {
if (res.data && res.data.user) { revealPaymentForm(res.data.user); }
if (res.data && res.data.user) {
revealPaymentForm(res.data.user);
} else {
// No existing session for paid plans, init Stripe immediately.
// Auth is optional on paid plans; the user can link their account later.
var isFree = (window.NEURON_CFG || {}).plan === 'free';
if (!isFree && typeof window.initStripe === 'function') {
window.initStripe('', '');
}
}
});
});
}
src/main.el
+294 -41
View File
@@ -78,7 +78,7 @@ from pricing import { pricing }
from marketplace import { marketplace }
from viral import { viral }
from footer import { footer }
from styles import { page_open, page_close }
from styles import { page_open, page_open_seo, page_close }
from about import { about_page }
from founding_badge import { founding_badge, founding_badge_css }
from terms import { terms_page }
@@ -224,7 +224,7 @@ fn share_card_page(question: String, answer_plain: String, answer_html_in: Strin
// Use plaintext for og:description so social previews are readable.
let answer: String = answer_plain
let og_desc: String = str_slice(answer, 0, 140)
let base_url: String = state_get("__neuron_origin__")
let base_url: String = state_get("__origin__")
let card_url: String = base_url + "/share/" + id
// Pre-built share hrefs ID is digits so no URL encoding needed
let share_text: String = "The+AI+that+remembers+you+%E2%80%94+things+it+said%3A"
@@ -554,7 +554,7 @@ fn config_get(key: String) -> String {
// function - it serves __html_file__ directly with text/html.
// This handler covers /api/* and /brand/* routes.
fn handle_request_inner(method: String, path: String, body: String) -> String {
fn handle_request_inner(method: String, path: String, headers: Map, body: String) -> String {
let src_dir: String = state_get("__src_dir__")
// Root serve El-generated landing page
@@ -572,7 +572,19 @@ fn handle_request_inner(method: String, path: String, body: String) -> String {
// robots.txt
if str_eq(path, "/robots.txt") {
return "User-agent: *\nAllow: /\n"
return "User-agent: *\nAllow: /\nDisallow: /checkout\nDisallow: /account\nDisallow: /api/\nSitemap: https://neurontechnologies.ai/sitemap.xml\n"
}
// sitemap.xml
if str_eq(path, "/sitemap.xml") {
let sitemap_body: String = "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n"
+ "<urlset xmlns=\"http://www.sitemaps.org/schemas/sitemap/0.9\">\n"
+ " <url><loc>https://neurontechnologies.ai/</loc><changefreq>weekly</changefreq><priority>1.0</priority></url>\n"
+ " <url><loc>https://neurontechnologies.ai/about</loc><changefreq>monthly</changefreq><priority>0.8</priority></url>\n"
+ " <url><loc>https://neurontechnologies.ai/legal/terms</loc><changefreq>monthly</changefreq><priority>0.3</priority></url>\n"
+ " <url><loc>https://neurontechnologies.ai/legal/enterprise-terms</loc><changefreq>monthly</changefreq><priority>0.3</priority></url>\n"
+ "</urlset>\n"
return http_response(200, "{\"Content-Type\":\"application/xml; charset=utf-8\"}", sitemap_body)
}
// About page
@@ -612,7 +624,25 @@ fn handle_request_inner(method: String, path: String, body: String) -> String {
plan = "free"
}
let pub_key: String = state_get("__stripe_publishable_key__")
return page_open() + checkout_page(plan, pub_key) + page_close()
let checkout_title: String = if str_eq(plan, "founding") {
"Founding Member Checkout — Neuron"
} else {
if str_eq(plan, "free") {
"Get Started Free — Neuron"
} else {
"Professional Plan Checkout — Neuron"
}
}
let checkout_desc: String = if str_eq(plan, "founding") {
"Secure your Founding Member spot. Pay once, $199 lifetime — Neuron inference included at launch, priced below the major APIs. First 1,000 only."
} else {
if str_eq(plan, "free") {
"Create your free Neuron account. No credit card required. Your AI that remembers you — runs on your machine, never resets."
} else {
"Subscribe to Neuron Professional for $19/month. The AI that remembers you — persistent memory, runs locally, bring your own API keys."
}
}
return page_open_seo(checkout_title, checkout_desc, "/checkout", checkout_desc, "true") + checkout_page(plan, pub_key) + page_close()
}
// Stripe payment intent / setup intent
@@ -894,6 +924,8 @@ fn handle_request_inner(method: String, path: String, body: String) -> String {
}
// Static assets: /assets/*
// Returns Cache-Control: public, max-age=31536000, immutable so Cloudflare
// caches these at the edge and never forwards subsequent requests to Cloud Run.
if str_starts_with(path, "/assets/") {
let rel: String = str_slice(path, 8, str_len(path))
let abs: String = src_dir + "/assets/" + rel
@@ -901,12 +933,16 @@ fn handle_request_inner(method: String, path: String, body: String) -> String {
if str_eq(content, "") {
return "{\"__status__\":404,\"error\":\"not found\"}"
}
return content
return http_response(200, static_asset_headers_json(), content)
}
// Compiled client-side JS: /js/*
// Served from dist/js/ (compiled by elc --target=js at build time).
// LANDING_ROOT/js maps to the dist/js output directory in the image.
// Returns an http_response envelope with explicit Content-Type so the
// browser executes the file as JavaScript http_detect_content_type()
// mis-identifies minified/obfuscated JS as JSON because many obfuscated
// bundles start with '[' (which is also a JSON array opener).
if str_starts_with(path, "/js/") {
let rel: String = str_slice(path, 4, str_len(path))
let abs: String = src_dir + "/js/" + rel
@@ -914,10 +950,11 @@ fn handle_request_inner(method: String, path: String, body: String) -> String {
if str_eq(content, "") {
return "{\"__status__\":404,\"error\":\"not found\"}"
}
return content
return http_response(200, js_headers_json(), content)
}
// Brand assets: /brand/*
// Same long-lived cache policy as /assets/* served from edge, not Cloud Run.
if str_starts_with(path, "/brand/") {
let rel: String = str_slice(path, 7, str_len(path))
let abs: String = src_dir + "/brand/" + rel
@@ -925,7 +962,7 @@ fn handle_request_inner(method: String, path: String, body: String) -> String {
if str_eq(content, "") {
return "{\"__status__\":404,\"error\":\"not found\"}"
}
return content
return http_response(200, static_asset_headers_json(), content)
}
// Stripe checkout
@@ -1109,14 +1146,33 @@ fn handle_request_inner(method: String, path: String, body: String) -> String {
}
// Supabase public config
// CORS-gated: only requests from neurontechnologies.ai origins or localhost
// may fetch the anon key. Restricting this reduces the blast radius of any
// future Supabase RLS misconfiguration an attacker on an arbitrary origin
// would not be able to silently obtain the key to make authenticated calls.
if str_eq(path, "/api/supabase-config") {
let req_origin: String = map_get(headers, "origin")
let origin_ok: Bool = str_eq(req_origin, "")
|| str_eq(req_origin, "https://neurontechnologies.ai")
|| str_eq(req_origin, "https://www.neurontechnologies.ai")
|| str_starts_with(req_origin, "http://localhost:")
|| str_starts_with(req_origin, "http://127.0.0.1:")
if !origin_ok {
return "{\"__status__\":403,\"error\":\"forbidden\"}"
}
let proj_url: String = "https://ocojsghaonltunidkzpw.supabase.co"
let anon_key: String = state_get("__supabase_anon_key__")
return "{\"url\":\"" + proj_url + "\",\"anon_key\":\"" + anon_key + "\"}"
}
// Soul health diagnostic surfaces raw signal from in-container soul
// Requires X-Internal: true header to prevent public exposure of internal
// service topology, soul URL, and probe responses.
if str_eq(path, "/api/soul-health") {
let x_internal: String = map_get(headers, "x-internal")
if !str_eq(x_internal, "true") {
return "{\"__status__\":404,\"error\":\"not found\"}"
}
if str_eq(method, "GET") {
let soul_base: String = state_get("__soul_url__")
// Probe 1: bare GET / does ANYTHING listen?
@@ -1157,36 +1213,143 @@ fn handle_request_inner(method: String, path: String, body: String) -> String {
if str_len(msg) > 8000 {
return "{\"error\":\"Message too long. Please keep your message under 8000 characters.\"}"
}
// Rate limit: 10 chats per uid per day (UTC day, keyed by uid).
// State key: "__rl_<uid>" "<count>|<day_number>"
// day_number = unix_timestamp / 86400 (integer UTC day)
// Returns rate_limited JSON with reset_at (next midnight UTC) so
// the frontend can show a real countdown.
let rate_uid: String = json_get(body, "uid")
if !str_eq(rate_uid, "") {
let now_ts: Int = unix_timestamp()
let today_day: Int = now_ts / 86400
let next_reset: Int = (today_day + 1) * 86400
let rl_key: String = "__rl_" + rate_uid
let rl_val: String = state_get(rl_key)
let rl_count: Int = 0
let rl_day: Int = 0
if !str_eq(rl_val, "") {
// format: "count|day"
let parts: [String] = str_split(rl_val, "|")
if native_list_len(parts) >= 2 {
let rl_count = str_to_int(native_list_get(parts, 0))
let rl_day = str_to_int(native_list_get(parts, 1))
// Kill switch budget circuit breaker (Supabase demo_config)
// Polls demo_config.demo_enabled every 60s. Fails open on error so
// a Supabase hiccup does not break the demo for legitimate users.
let ks_sb_url: String = state_get("__supabase_project_url__")
let ks_sb_key: String = state_get("__supabase_service_key__")
let ks_now: Int = unix_timestamp()
let ks_checked_at: String = state_get("__demo_enabled_checked_at__")
let ks_checked_n: Int = if str_eq(ks_checked_at, "") { 0 } else { str_to_int(ks_checked_at) }
let ks_enabled: String = state_get("__demo_enabled_cache__")
// On first boot set defaults
if str_eq(ks_enabled, "") {
state_set("__demo_enabled_cache__", "true")
let ks_enabled = "true"
}
// Refresh cache if >60s old and service key is present
if (ks_now - ks_checked_n) > 60 && !str_eq(ks_sb_key, "") {
let ks_resp: String = supabase_get(ks_sb_url, ks_sb_key,
"demo_config?key=eq.demo_enabled&select=value&limit=1")
let ks_row: String = json_array_get(ks_resp, 0)
if !str_eq(ks_row, "") {
let ks_val: String = json_get(ks_row, "value")
if !str_eq(ks_val, "") {
state_set("__demo_enabled_cache__", ks_val)
let ks_enabled = ks_val
}
}
// Reset count if it's a new day
if rl_day != today_day {
let rl_count = 0
state_set("__demo_enabled_checked_at__", int_to_str(ks_now))
}
if str_eq(ks_enabled, "false") {
return "{\"error\":\"The demo is temporarily unavailable. Check back soon.\",\"disabled\":true}"
}
// Global circuit breaker
// Caps total demo requests per Cloud Run instance per UTC day to 2000.
// This bounds per-instance API spend regardless of uid diversity.
// Stored in process state (in-memory) intentionally per-instance
// so no cross-instance coordination is needed for this coarse cap.
let now_ts_cb: Int = unix_timestamp()
let today_day_cb: Int = now_ts_cb / 86400
let global_day_s: String = state_get("__global_demo_day__")
let global_cnt_s: String = state_get("__global_demo_count__")
let global_day: Int = if str_eq(global_day_s, "") { 0 } else { str_to_int(global_day_s) }
let global_cnt: Int = if str_eq(global_cnt_s, "") { 0 } else { str_to_int(global_cnt_s) }
// Reset on new UTC day
if global_day != today_day_cb {
state_set("__global_demo_day__", int_to_str(today_day_cb))
state_set("__global_demo_count__", "0")
let global_cnt = 0
}
if global_cnt >= 2000 {
return "{\"error\":\"Demo is temporarily busy. Try again in a few minutes.\",\"busy\":true}"
}
state_set("__global_demo_count__", int_to_str(global_cnt + 1))
// Auth: verify Supabase access_token
// The widget sends an access_token from the signed-in Supabase session.
// Verify it against the Supabase auth API to get the verified user ID.
// Reject unauthenticated requests outright.
let access_token: String = json_get(body, "access_token")
let auth_sb_url: String = state_get("__supabase_project_url__")
let auth_anon: String = state_get("__supabase_anon_key__")
let verified_uid: String = ""
if str_eq(access_token, "") {
return "{\"error\":\"Sign in required to use the demo.\",\"auth_required\":true}"
}
// supabase_auth_user calls GET /auth/v1/user with both Authorization
// (user's Bearer token) and apikey (anon key) headers.
let auth_resp: String = supabase_auth_user(auth_sb_url, auth_anon, access_token)
let auth_uid: String = json_get(auth_resp, "id")
if str_eq(auth_uid, "") {
return "{\"error\":\"Sign in required to use the demo.\",\"auth_required\":true}"
}
let verified_uid = auth_uid
// Per-uid rate limit (Supabase shared across all instances)
// Uses demo_rate_limits table: uid (PK), count, day_number, updated_at.
// Falls back to in-process state_get/state_set when the service key is
// absent (local dev without SUPABASE_SERVICE_KEY set).
// Returns rate_limited JSON with reset_at (next midnight UTC) so
// the frontend can show a real countdown.
let rate_uid: String = verified_uid
let now_ts: Int = unix_timestamp()
let today_day: Int = now_ts / 86400
let next_reset: Int = (today_day + 1) * 86400
if !str_eq(rate_uid, "") {
let rl_sb_url: String = state_get("__supabase_project_url__")
let rl_sb_key: String = state_get("__supabase_service_key__")
if str_eq(rl_sb_key, "") {
// Local dev fallback: in-process rate limiting
let rl_key: String = "__rl_" + rate_uid
let rl_val: String = state_get(rl_key)
let rl_count: Int = 0
let rl_day: Int = 0
if !str_eq(rl_val, "") {
let parts: [String] = str_split(rl_val, "|")
if native_list_len(parts) >= 2 {
let rl_count = str_to_int(native_list_get(parts, 0))
let rl_day = str_to_int(native_list_get(parts, 1))
}
}
if rl_day != today_day {
let rl_count = 0
}
if rl_count >= 10 {
return "{\"rate_limited\":true,\"reset_at\":" + int_to_str(next_reset) + "}"
}
state_set(rl_key, int_to_str(rl_count + 1) + "|" + int_to_str(today_day))
} else {
// Production: read current count from Supabase
let rl_resp: String = supabase_get(rl_sb_url, rl_sb_key,
"demo_rate_limits?uid=eq." + rate_uid + "&select=count,day_number&limit=1")
let rl_row: String = json_array_get(rl_resp, 0)
let rl_count: Int = 0
let rl_day: Int = 0
if !str_eq(rl_row, "") {
let rl_count_s: String = json_get(rl_row, "count")
let rl_day_s: String = json_get(rl_row, "day_number")
if !str_eq(rl_count_s, "") {
let rl_count = str_to_int(rl_count_s)
}
if !str_eq(rl_day_s, "") {
let rl_day = str_to_int(rl_day_s)
}
}
// Reset count on new UTC day
if rl_day != today_day {
let rl_count = 0
}
if rl_count >= 10 {
return "{\"rate_limited\":true,\"reset_at\":" + int_to_str(next_reset) + "}"
}
// Upsert new count supabase_insert uses Prefer: resolution=merge-duplicates
let new_count: Int = rl_count + 1
let rl_row_json: String = "{\"uid\":\"" + rate_uid
+ "\",\"count\":" + int_to_str(new_count)
+ ",\"day_number\":" + int_to_str(today_day) + "}"
let _rl_upsert: String = supabase_insert(rl_sb_url, rl_sb_key, "demo_rate_limits", rl_row_json)
}
if rl_count >= 10 {
return "{\"rate_limited\":true,\"reset_at\":" + int_to_str(next_reset) + "}"
}
state_set(rl_key, int_to_str(rl_count + 1) + "|" + int_to_str(today_day))
}
// Turnstile: server-side verification is mandatory on every first
// message (tokens are single-use; per-message verification would
@@ -1282,7 +1445,51 @@ fn handle_request_inner(method: String, path: String, body: String) -> String {
// magic-link invite email so the buyer can sign in and see their
// plan on /account. Idempotent: existing users get a fresh link.
// 4. Forwards to license API for key provisioning when configured.
//
// SECURITY: Stripe-Signature header is verified via HMAC-SHA256 before
// any processing occurs. Without this check an attacker could POST a
// forged payment_intent.succeeded event and increment the founding counter
// or trigger account provisioning for an arbitrary email.
//
// Stripe signature format: "t=<timestamp>,v1=<hex_sig>[,v1=...]"
// Signed payload: "<timestamp>.<raw_body>"
// Key: STRIPE_WEBHOOK_SECRET (whsec_... value from Stripe dashboard)
if str_eq(path, "/api/webhooks/stripe") {
let wh_secret: String = state_get("__stripe_webhook_secret__")
if !str_eq(wh_secret, "") {
let sig_header: String = map_get(headers, "stripe-signature")
if str_eq(sig_header, "") {
println("[webhook] rejected: missing Stripe-Signature header")
return "{\"__status__\":400,\"error\":\"missing signature\"}"
}
// Extract t= value from sig header
let t_idx: Int = str_index_of(sig_header, "t=")
let t_val: String = ""
if t_idx >= 0 {
let t_tail: String = str_slice(sig_header, t_idx + 2, str_len(sig_header))
let t_comma: Int = str_index_of(t_tail, ",")
let t_val = if t_comma >= 0 { str_slice(t_tail, 0, t_comma) } else { t_tail }
}
// Extract v1= value from sig header
let v1_idx: Int = str_index_of(sig_header, "v1=")
let v1_val: String = ""
if v1_idx >= 0 {
let v1_tail: String = str_slice(sig_header, v1_idx + 3, str_len(sig_header))
let v1_comma: Int = str_index_of(v1_tail, ",")
let v1_val = if v1_comma >= 0 { str_slice(v1_tail, 0, v1_comma) } else { v1_tail }
}
if str_eq(t_val, "") || str_eq(v1_val, "") {
println("[webhook] rejected: malformed Stripe-Signature header")
return "{\"__status__\":400,\"error\":\"invalid signature format\"}"
}
// Compute expected HMAC: HMAC-SHA256(secret, "<t_val>.<body>")
let signed_payload: String = t_val + "." + body
let expected_sig: String = hmac_sha256_hex(wh_secret, signed_payload)
if !str_eq(expected_sig, v1_val) {
println("[webhook] rejected: signature mismatch")
return "{\"__status__\":400,\"error\":\"signature verification failed\"}"
}
}
let is_session_done: Bool = str_contains(body, "checkout.session.completed")
let is_pi_done: Bool = str_contains(body, "payment_intent.succeeded")
let is_si_done: Bool = str_contains(body, "setup_intent.succeeded")
@@ -1727,7 +1934,13 @@ fn handle_request_inner(method: String, path: String, body: String) -> String {
+ el_a("/", "class=\"btn-ghost\"", "Back to home")
)
)
return page_open() + badge_css + success_body + page_close()
return page_open_seo(
"Welcome to Neuron — Your Membership is Confirmed",
"Your Neuron membership is confirmed. Download the app and let the AI that remembers you get to work.",
"/marketplace/success",
"Your Neuron membership is confirmed. Download the app and let the AI that remembers you get to work.",
"true"
) + badge_css + success_body + page_close()
}
// Account dashboard
@@ -1936,8 +2149,40 @@ fn sec_headers_json() -> String {
+ "\"Content-Security-Policy\":\"default-src 'self'; script-src 'self' 'unsafe-inline' https://challenges.cloudflare.com https://cdn.jsdelivr.net https://www.googletagmanager.com https://www.google-analytics.com; style-src 'self' 'unsafe-inline'; frame-src https://challenges.cloudflare.com; connect-src 'self' https://api.stripe.com https://*.supabase.co; img-src 'self' data: https:; font-src 'self' data:\"}"
}
fn handle_request(method: String, path: String, body: String) -> String {
let inner_resp: String = handle_request_inner(method, path, body)
// Headers for compiled JS assets. Explicitly sets Content-Type so the browser
// treats them as JavaScript regardless of what http_detect_content_type()
// infers from the content (minified/obfuscated JS can trip the JSON heuristic).
// Cache-Control bumped to 1 year + immutable: JS bundles are content-addressed
// (hash in filename) so safe for Cloudflare to cache indefinitely at the edge.
fn js_headers_json() -> String {
"{\"Content-Type\":\"application/javascript; charset=utf-8\","
+ "\"Cache-Control\":\"public, max-age=31536000, immutable\","
+ "\"Strict-Transport-Security\":\"max-age=63072000; includeSubDomains; preload\","
+ "\"X-Content-Type-Options\":\"nosniff\","
+ "\"X-Frame-Options\":\"SAMEORIGIN\","
+ "\"Referrer-Policy\":\"strict-origin-when-cross-origin\","
+ "\"Permissions-Policy\":\"geolocation=(), microphone=(), camera=()\","
+ "\"Content-Security-Policy\":\"default-src 'self'; script-src 'self' 'unsafe-inline' https://challenges.cloudflare.com https://cdn.jsdelivr.net https://www.googletagmanager.com https://www.google-analytics.com; style-src 'self' 'unsafe-inline'; frame-src https://challenges.cloudflare.com; connect-src 'self' https://api.stripe.com https://*.supabase.co; img-src 'self' data: https:; font-src 'self' data:\"}"
}
// Headers for static assets under /assets/ and /brand/.
// max-age=31536000 (1 year) + immutable tells Cloudflare to cache at the edge
// and never revalidate assets are versioned by filename or content so stale
// delivery is not a risk. This eliminates Cloud Run hits for every image/font/svg.
// Security headers are included so asset responses are equally hardened even
// when served directly (e.g. Cloudflare bypass or direct origin fetch).
fn static_asset_headers_json() -> String {
"{\"Cache-Control\":\"public, max-age=31536000, immutable\","
+ "\"Strict-Transport-Security\":\"max-age=63072000; includeSubDomains; preload\","
+ "\"X-Content-Type-Options\":\"nosniff\","
+ "\"X-Frame-Options\":\"SAMEORIGIN\","
+ "\"Referrer-Policy\":\"strict-origin-when-cross-origin\","
+ "\"Permissions-Policy\":\"geolocation=(), microphone=(), camera=()\","
+ "\"Content-Security-Policy\":\"default-src 'self'; script-src 'self' 'unsafe-inline' https://challenges.cloudflare.com https://cdn.jsdelivr.net https://www.googletagmanager.com https://www.google-analytics.com; style-src 'self' 'unsafe-inline'; frame-src https://challenges.cloudflare.com; connect-src 'self' https://api.stripe.com https://*.supabase.co; img-src 'self' data: https:; font-src 'self' data:\"}"
}
fn handle_request(method: String, path: String, headers: Map, body: String) -> String {
let inner_resp: String = handle_request_inner(method, path, headers, body)
// Detect envelope already set by inner handler (starts with
// {"el_http_response":1). If so, let it pass through unmodified
// the status code it carries takes precedence and we must not
@@ -1982,6 +2227,7 @@ let stripe_pub_key: String = env("STRIPE_PUBLISHABLE_KEY")
let stripe_price_founding: String = env("STRIPE_PRICE_FOUNDING")
let stripe_price_professional: String = env("STRIPE_PRICE_PROFESSIONAL")
let family_child_price: String = env("STRIPE_PRICE_FAMILY_CHILD")
let stripe_webhook_secret: String = env("STRIPE_WEBHOOK_SECRET")
let license_api_url: String = env("NEURON_LICENSE_API_URL")
let resend_api_key: String = env("RESEND_API_KEY")
let supabase_anon_key: String = env("SUPABASE_ANON_KEY")
@@ -2006,7 +2252,13 @@ fs_write(html_path, page_html)
// Generate about page HTML.
let about_html_path: String = src_dir + "/about.html"
let about_html: String = page_open() + about_page() + page_close()
let about_html: String = page_open_seo(
"About Will Anderson — Neuron",
"Neuron was built by one person. Will Anderson — engineer, founder, and the sole author of every line of Neuron's code. This is his story.",
"/about",
"Neuron was built by one person. Will Anderson spent nearly two years building the AI that remembers you — the memory architecture, the inference infrastructure, everything from the ground up.",
"false"
) + about_page() + page_close()
fs_write(about_html_path, about_html)
// Generate terms pages HTML.
@@ -2036,6 +2288,7 @@ state_set("__founding_sold_file__", sold_file)
state_set("__founding_sold__", int_to_str(real_sold))
state_set("__founding_total__", int_to_str(FOUNDING_TOTAL))
state_set("__turnstile_secret_key__", turnstile_secret_key)
state_set("__stripe_webhook_secret__", stripe_webhook_secret)
persist_founding_count(real_sold)
println(color_bold("Neuron") + " - " + neuron_origin)
@@ -2062,5 +2315,5 @@ println(" GET /api/supabase-config → public Supabase config (URL + a
println("")
let port: Int = if str_eq(env("PORT"), "") { 3001 } else { str_to_int(env("PORT")) }
http_set_handler("handle_request")
http_serve(port, "handle_request")
http_set_handler_v2("handle_request")
http_serve_v2(port, "handle_request")
src/styles.el
+57 -12
View File
@@ -30,35 +30,80 @@ extern fn el_script_src(src: String, defer_load: Bool) -> String
extern fn el_script_inline(js: String) -> String
extern fn el_title(text: String) -> String
fn page_head() -> String {
// Shared head infrastructure
// page_head_base() emits charset, viewport, favicons, fonts, CSS, scripts.
// page_seo_block() emits the SEO/OG/canonical block for a given page.
// page_head() assembles both for the homepage.
// page_open_seo() is the variant used by inner pages with custom meta.
fn page_head_base() -> String {
return el_meta_charset("UTF-8")
+ el_meta("viewport", "width=device-width, initial-scale=1.0")
+ el_title("Neuron - The AI That Remembers You")
+ el_meta("description", "Every AI resets when you close the tab. Neuron doesn't. Runs on your machine. Remembers everything. Cheaper than ChatGPT on day one.")
+ "<link rel=\"icon\" type=\"image/png\" sizes=\"16x16\" href=\"/assets/favicon-16.png\">"
+ "<link rel=\"icon\" type=\"image/png\" sizes=\"32x32\" href=\"/assets/favicon-32.png\">"
+ "<link rel=\"preconnect\" href=\"https://fonts.googleapis.com\">"
+ "<link rel=\"preconnect\" href=\"https://fonts.gstatic.com\" crossorigin>"
+ el_link_stylesheet("https://fonts.googleapis.com/css2?family=Playfair+Display:ital,wght@0,400;0,500;0,600;1,400;1,500&family=IBM+Plex+Sans:wght@300;400;500;600&display=swap")
+ page_css()
+ "<script src=\"https://cdn.jsdelivr.net/npm/marked/marked.min.js\" integrity=\"sha384-948ahk4ZmxYVYOc+rxN1H2gM1EJ2Duhp7uHtZ4WSLkV4Vtx5MUqnV+l7u9B+jFv+\" crossorigin=\"anonymous\"></script>"
+ "<script src=\"https://cdn.jsdelivr.net/npm/marked/marked.min.js\" integrity=\"sha384-948ahk4ZmxYVYOc+rxN1H2gM1EJ2Duhp7uHtZ4WSLkV4Vtx5MUqnV+l7u9B+jFv+\" crossorigin=\"anonymous\" defer></script>"
+ "<script src=\"https://cdn.jsdelivr.net/npm/@supabase/supabase-js@2\" defer></script>"
+ "<script src=\"https://challenges.cloudflare.com/turnstile/v0/api.js\" async defer></script>"
+ "<noscript><style>.reveal { opacity: 1 !important; transform: none !important; }</style></noscript>"
+ "<script async src=\"https://www.googletagmanager.com/gtag/js?id=G-Y1EE43X9RN\"></script>"
+ page_ga_script()
}
// page_seo_block emits title, description, canonical, OG, and Twitter Card
// for a given page. Pass the production canonical path (e.g. "/" or "/about").
fn page_seo_block(title: String, description: String, canonical_path: String, og_description: String) -> String {
let base: String = "https://neurontechnologies.ai"
let canonical: String = base + canonical_path
let og_image: String = base + "/assets/brand/neuron-wordmark-on-light@2x.png"
return el_title(title)
+ el_meta("description", description)
+ "<meta property=\"og:type\" content=\"website\">"
+ "<meta property=\"og:url\" content=\"https://neurontechnologies.ai\">"
+ "<meta property=\"og:title\" content=\"Neuron - The AI That Remembers You\">"
+ "<meta property=\"og:description\" content=\"Every other AI forgets you. Neuron doesn&#39;t. Runs on your machine, builds a memory over time, and gets sharper the longer you use it. Built by one person. April 22, 2026 \xe2\x80\x94 the meeting. April 25 \xe2\x80\x94 you&#39;re looking at the proof.\">"
+ "<meta property=\"og:image\" content=\"https://neurontechnologies.ai/assets/brand/neuron-wordmark-on-light@2x.png\">"
+ "<meta property=\"og:url\" content=\"" + canonical + "\">"
+ "<meta property=\"og:title\" content=\"" + title + "\">"
+ "<meta property=\"og:description\" content=\"" + og_description + "\">"
+ "<meta property=\"og:image\" content=\"" + og_image + "\">"
+ "<meta property=\"og:site_name\" content=\"Neuron\">"
+ "<meta name=\"twitter:card\" content=\"summary_large_image\">"
+ "<meta name=\"twitter:title\" content=\"Neuron - The AI That Remembers You\">"
+ "<meta name=\"twitter:description\" content=\"Every other AI forgets you. Neuron doesn&#39;t. Runs on your machine. Remembers everything. $19/mo or $199 founding member (first 1,000).\">"
+ "<meta name=\"twitter:image\" content=\"https://neurontechnologies.ai/assets/brand/neuron-wordmark-on-light@2x.png\">"
+ "<link rel=\"canonical\" href=\"https://neurontechnologies.ai\">"
+ "<meta name=\"twitter:title\" content=\"" + title + "\">"
+ "<meta name=\"twitter:description\" content=\"" + og_description + "\">"
+ "<meta name=\"twitter:image\" content=\"" + og_image + "\">"
+ "<link rel=\"canonical\" href=\"" + canonical + "\">"
}
fn page_head() -> String {
return page_head_base()
+ page_seo_block(
"Neuron — The AI That Remembers You",
"Every AI resets when you close the tab. Neuron doesn&#39;t. Runs on your machine. Remembers everything. Start free — no credit card required.",
"/",
"Every other AI forgets you. Neuron doesn&#39;t. Runs on your machine, builds a persistent memory over time, and gets sharper the longer you use it. Free tier available."
)
+ page_schema()
}
fn page_open() -> String {
return "<!DOCTYPE html><html lang=\"en\"><head>" + page_head() + "</head><body>"
}
// page_open_seo page shell for inner pages with unique per-page SEO.
// title: full <title> tag text
// description: meta description (120160 chars)
// canonical_path: path component, e.g. "/about" or "/checkout"
// og_description: OG/Twitter description (can differ from meta description)
// noindex: pass "true" to add noindex for non-public pages (e.g. checkout)
fn page_open_seo(title: String, description: String, canonical_path: String, og_description: String, noindex: String) -> String {
let robots_tag: String = if str_eq(noindex, "true") {
"<meta name=\"robots\" content=\"noindex, nofollow\">"
} else {
""
}
return "<!DOCTYPE html><html lang=\"en\"><head>"
+ page_head_base()
+ page_seo_block(title, description, canonical_path, og_description)
+ robots_tag
+ "</head><body>"
}
src/terms.el
+8 -2
View File
@@ -1,7 +1,7 @@
// components/terms.el - Consumer Terms of Service page.
// Returns complete HTML using the shared page shell from styles.el.
from styles import { page_open, page_close }
from styles import { page_open_seo, page_close }
from nav import { nav }
extern fn el_div(attrs: String, children: String) -> String
@@ -13,7 +13,13 @@ extern fn el_a(href: String, attrs: String, children: String) -> String
extern fn el_strong(children: String) -> String
fn terms_page() -> String {
page_open() + nav() + terms_body() + page_close()
page_open_seo(
"Terms of Service — Neuron",
"Read the Neuron Terms of Service. Governs your use of Neuron software and services provided by Neuron, LLC.",
"/legal/terms",
"The Neuron Terms of Service — governing your use of Neuron software and services provided by Neuron, LLC.",
"false"
) + nav() + terms_body() + page_close()
}
fn terms_section_head(num: String, title: String) -> String {
tests/api/endpoints.test.ts
+150
View File
@@ -0,0 +1,150 @@
import { test, expect } from '@playwright/test';
const BASE = process.env.BASE_URL || 'https://marketing-stage-r4tfklscwq-uc.a.run.app';
const get = (path: string, headers: Record<string, string> = {}) =>
fetch(`${BASE}${path}`, { headers });
// ── /api/health ───────────────────────────────────────────────────────────────
test('/api/health — returns 200 with status:ok', async () => {
const r = await get('/api/health');
expect(r.status).toBe(200);
const body = await r.json() as Record<string, string>;
expect(body.status).toBe('ok');
expect(body.service).toBe('neuron-web');
});
test('/api/health — content-type is application/json', async () => {
const r = await get('/api/health');
expect(r.headers.get('content-type')).toContain('application/json');
});
// ── /api/founding-count ───────────────────────────────────────────────────────
test('/api/founding-count — returns numeric fields', async () => {
const r = await get('/api/founding-count');
expect(r.status).toBe(200);
const body = await r.json() as Record<string, number>;
expect(typeof body.sold).toBe('number');
expect(typeof body.total).toBe('number');
expect(typeof body.remaining).toBe('number');
// Invariants
expect(body.total).toBe(1000);
expect(body.sold).toBeGreaterThanOrEqual(0);
expect(body.remaining).toBe(body.total - body.sold);
});
// ── /api/supabase-config ──────────────────────────────────────────────────────
// Requires a permitted Origin. See security.test.ts for CORS tests.
test('/api/supabase-config — returns url and anon_key for allowed origin', async () => {
const r = await get('/api/supabase-config', { Origin: 'https://neurontechnologies.ai' });
expect(r.status).toBe(200);
const body = await r.json() as Record<string, string>;
expect(body.url).toMatch(/supabase\.co/);
expect(typeof body.anon_key).toBe('string');
expect(body.anon_key.length).toBeGreaterThan(20);
});
test('/api/supabase-config — anon_key is a valid JWT shape', async () => {
const r = await get('/api/supabase-config', { Origin: 'https://neurontechnologies.ai' });
const body = await r.json() as Record<string, string>;
// Supabase anon key is a JWT: three base64 segments separated by dots
const parts = body.anon_key.split('.');
expect(parts).toHaveLength(3);
});
// ── /sitemap.xml ──────────────────────────────────────────────────────────────
test('/sitemap.xml — returns valid XML with production URLs', async () => {
const r = await get('/sitemap.xml');
expect(r.status).toBe(200);
expect(r.headers.get('content-type')).toContain('xml');
const text = await r.text();
expect(text).toContain('<urlset');
expect(text).toContain('neurontechnologies.ai');
// Must not leak stage URL
expect(text).not.toContain('run.app');
expect(text).not.toContain('stage');
});
test('/sitemap.xml — includes all major pages', async () => {
const r = await get('/sitemap.xml');
const text = await r.text();
expect(text).toContain('neurontechnologies.ai/');
expect(text).toContain('neurontechnologies.ai/about');
expect(text).toContain('neurontechnologies.ai/legal/terms');
expect(text).toContain('neurontechnologies.ai/legal/enterprise-terms');
});
// ── /robots.txt ───────────────────────────────────────────────────────────────
test('/robots.txt — accessible with correct directives', async () => {
const r = await get('/robots.txt');
expect(r.status).toBe(200);
const text = await r.text();
expect(text).toContain('User-agent');
// Private paths are disallowed
expect(text).toContain('Disallow: /checkout');
expect(text).toContain('Disallow: /account');
expect(text).toContain('Disallow: /api/');
// Sitemap link points to production
expect(text).toContain('Sitemap: https://neurontechnologies.ai/sitemap.xml');
});
// ── /llms.txt ─────────────────────────────────────────────────────────────────
test('/llms.txt — accessible', async () => {
const r = await get('/llms.txt');
expect(r.status).toBe(200);
const text = await r.text();
expect(text.length).toBeGreaterThan(0);
});
// ── 404 handling ─────────────────────────────────────────────────────────────
test('Unknown route returns 404', async () => {
const r = await get('/this-route-xyz-does-not-exist-abc123');
expect(r.status).toBe(404);
});
// ── /api/webhooks/stripe — POST-only, requires valid signature ────────────────
test('/api/webhooks/stripe — rejects missing Stripe-Signature with 400', async () => {
const r = await fetch(`${BASE}/api/webhooks/stripe`, {
method: 'POST',
headers: { 'Content-Type': 'application/json' },
body: JSON.stringify({ type: 'payment_intent.succeeded' }),
});
expect(r.status).toBe(400);
});
// ── /api/demo — POST only, auth-gated ────────────────────────────────────────
test('/api/demo — missing access_token returns auth_required', async () => {
const r = await fetch(`${BASE}/api/demo`, {
method: 'POST',
headers: { 'Content-Type': 'application/json' },
body: JSON.stringify({ message: 'hello' }),
});
const body = await r.json() as Record<string, unknown>;
expect(body.auth_required).toBe(true);
});
// ── /api/soul-health — internal gate ─────────────────────────────────────────
// The probe responses embedded in the JSON body may contain literal newlines
// (control characters), so we test via text matching, not JSON.parse.
test('/api/soul-health — 404 without X-Internal header', async () => {
const r = await get('/api/soul-health');
expect(r.status).toBe(404);
});
test('/api/soul-health — 200 with X-Internal: true, body contains soul_url', async () => {
const r = await get('/api/soul-health', { 'X-Internal': 'true' });
expect(r.status).toBe(200);
const text = await r.text();
expect(text).toContain('"soul_url"');
expect(text).toMatch(/soul_url.*https?:\/\//);
});
tests/api/security.test.ts
+212
View File
@@ -0,0 +1,212 @@
import { test, expect } from '@playwright/test';
const BASE = process.env.BASE_URL || 'https://marketing-stage-r4tfklscwq-uc.a.run.app';
async function get(path: string, headers: Record<string, string> = {}) {
return fetch(`${BASE}${path}`, { headers, redirect: 'manual' });
}
async function post(path: string, body: unknown, headers: Record<string, string> = {}) {
return fetch(`${BASE}${path}`, {
method: 'POST',
headers: { 'Content-Type': 'application/json', ...headers },
body: JSON.stringify(body),
});
}
// ── Security headers ──────────────────────────────────────────────────────────
// All HTML pages and API responses carry the full security header suite.
// The El runtime's handle_request wrapper applies sec_headers_json() to every
// response, so we can assert the same set on both HTML pages and JSON APIs.
test.describe('Security headers', () => {
const htmlPages = ['/', '/about', '/checkout?plan=professional'];
for (const path of htmlPages) {
test(`HTML ${path} — required security headers present`, async () => {
const r = await get(path);
expect(r.headers.get('x-content-type-options')).toBe('nosniff');
expect(r.headers.get('x-frame-options')).toMatch(/DENY|SAMEORIGIN/i);
expect(r.headers.get('referrer-policy')).toBeTruthy();
expect(r.headers.get('content-security-policy')).toBeTruthy();
});
}
test('API responses carry x-content-type-options', async () => {
const r = await get('/api/health');
expect(r.headers.get('x-content-type-options')).toBe('nosniff');
});
test('permissions-policy header is present', async () => {
const r = await get('/');
expect(r.headers.get('permissions-policy')).toBeTruthy();
});
});
// ── CORS enforcement on /api/supabase-config ──────────────────────────────────
// This endpoint enforces an explicit origin allowlist:
// - empty Origin (server-side / curl): BLOCKED (403)
// - https://neurontechnologies.ai: ALLOWED
// - https://www.neurontechnologies.ai: ALLOWED
// - http://localhost:*: ALLOWED (dev)
// - anything else (e.g. evil.com): BLOCKED (403)
test.describe('CORS enforcement — /api/supabase-config', () => {
test('Rejects requests with no Origin header', async () => {
// No Origin = not from a browser context — the server treats this as
// an unknown caller and returns 403 to prevent server-side exfiltration.
const r = await get('/api/supabase-config');
expect(r.status).toBe(403);
});
test('Rejects evil origin', async () => {
const r = await get('/api/supabase-config', { Origin: 'https://evil.com' });
expect(r.status).toBe(403);
});
test('Allows neurontechnologies.ai origin', async () => {
const r = await get('/api/supabase-config', { Origin: 'https://neurontechnologies.ai' });
expect(r.status).toBe(200);
const body = await r.json() as Record<string, string>;
expect(body.url).toMatch(/supabase\.co/);
expect(typeof body.anon_key).toBe('string');
expect(body.anon_key.length).toBeGreaterThan(20);
});
test('Allows www.neurontechnologies.ai origin', async () => {
const r = await get('/api/supabase-config', { Origin: 'https://www.neurontechnologies.ai' });
expect(r.status).toBe(200);
});
test('Allows localhost origin (dev)', async () => {
const r = await get('/api/supabase-config', { Origin: 'http://localhost:3001' });
expect(r.status).toBe(200);
});
});
// ── Auth enforcement on /api/demo ─────────────────────────────────────────────
// All requests require a valid Supabase access_token.
// Missing or invalid tokens return {"auth_required":true}.
test.describe('Auth enforcement — /api/demo', () => {
test('Rejects POST with no access_token', async () => {
const r = await post('/api/demo', { message: 'hello' });
const body = await r.json() as Record<string, unknown>;
expect(body.auth_required).toBe(true);
});
test('Rejects POST with invalid access_token', async () => {
const r = await post('/api/demo', { message: 'hello', access_token: 'invalid.token.here' });
const body = await r.json() as Record<string, unknown>;
expect(body.auth_required).toBe(true);
});
test('Rejects empty message (length guard fires after auth check)', async () => {
// With no token, auth check fires first
const r = await post('/api/demo', { message: '', access_token: 'invalid' });
const body = await r.json() as Record<string, unknown>;
expect(body.auth_required || body.error).toBeTruthy();
});
});
// ── Stripe webhook signature enforcement ──────────────────────────────────────
test.describe('Stripe webhook security', () => {
test('Rejects POST with no Stripe-Signature header', async () => {
const r = await post('/api/webhooks/stripe', {
type: 'payment_intent.succeeded',
data: { object: { amount: 9900 } },
});
expect(r.status).toBe(400);
});
test('Rejects POST with malformed Stripe-Signature', async () => {
const r = await post(
'/api/webhooks/stripe',
{ type: 'payment_intent.succeeded', data: { object: {} } },
{ 'Stripe-Signature': 't=1234,v1=fakesignature' },
);
expect(r.status).toBe(400);
});
});
// ── Information leakage — source and build files must not be exposed ──────────
// The Docker image copies only compiled artifacts and static assets into
// /srv/landing/. Source files (.el, Makefile, Dockerfile) never land there,
// so all these paths should 404.
test.describe('Information leakage — source files not served', () => {
const leakyPaths = [
'/src/main.el',
'/.env',
'/Dockerfile.stage',
'/runtime/el_runtime.c',
'/.gitea/workflows/stage.yaml',
'/dist/neuron-landing',
];
for (const path of leakyPaths) {
test(`${path} returns 404`, async () => {
const r = await get(path);
expect(r.status).toBe(404);
});
}
});
// ── /api/soul-health — internal-only diagnostic ───────────────────────────────
// Returns 404 without the X-Internal: true header.
// Returns 200 with the header (allows in-container health probing).
test.describe('Soul health — internal gate', () => {
test('Returns 404 without X-Internal header', async () => {
const r = await get('/api/soul-health');
expect(r.status).toBe(404);
});
test('Returns 200 with X-Internal: true and includes soul_url', async () => {
const r = await get('/api/soul-health', { 'X-Internal': 'true' });
expect(r.status).toBe(200);
// The response embeds raw probe output which may contain literal newlines
// inside JSON strings (invalid JSON). Check via text search to avoid
// JSON.parse failure on the control characters.
const text = await r.text();
expect(text).toContain('"soul_url"');
expect(text).toMatch(/soul_url.*https?:\/\//);
});
});
// ── Path traversal ────────────────────────────────────────────────────────────
// The El runtime only serves files from whitelisted paths (src/assets/,
// src/shares/, src/js/). Any traversal attempt resolves to 404 — the
// runtime never reads outside its served directories.
test.describe('Path traversal blocked', () => {
const traversals = [
'/assets/../../../etc/passwd',
'/assets/%2e%2e%2f%2e%2e%2fetc%2fpasswd',
'/js/../../../etc/passwd',
];
for (const path of traversals) {
test(`Traversal blocked: ${path}`, async () => {
const r = await get(path);
expect(r.status).toBe(404);
const text = await r.text();
// Must not contain any /etc/passwd content
expect(text).not.toContain('root:');
});
}
});
// ── Input validation — /api/demo message length cap ──────────────────────────
// Messages over 8000 chars are rejected before any auth or LLM call.
test.describe('Input validation', () => {
test('Oversized message (>8000 chars) is rejected with error', async () => {
const r = await post('/api/demo', {
message: 'A'.repeat(10000),
access_token: 'test',
});
const body = await r.json() as Record<string, unknown>;
// Length guard fires before auth check in server code
expect(typeof body.error).toBe('string');
expect((body.error as string).toLowerCase()).toMatch(/long|length|8000/i);
});
});
tests/e2e/chat.spec.ts
+75
View File
@@ -0,0 +1,75 @@
import { test, expect } from '@playwright/test';
// The demo widget is rendered server-side via El components and injected into
// the landing page. Element IDs are stable: #neuron-demo-panel, #neuron-demo-btn,
// #neuron-demo-auth, #neuron-demo-text, #neuron-demo-send, etc.
test.describe('Demo chat widget — structure', () => {
test.beforeEach(async ({ page }) => {
await page.goto('/');
await page.waitForLoadState('networkidle');
});
test('Demo panel (#neuron-demo-panel) is in the DOM', async ({ page }) => {
await expect(page.locator('#neuron-demo-panel')).toBeAttached();
});
test('Demo open button (#neuron-demo-btn) is in the DOM', async ({ page }) => {
await expect(page.locator('#neuron-demo-btn')).toBeAttached();
});
test('Demo auth section (#neuron-demo-auth) is in the DOM', async ({ page }) => {
await expect(page.locator('#neuron-demo-auth')).toBeAttached();
});
test('Demo text input (#neuron-demo-text) is in the DOM', async ({ page }) => {
await expect(page.locator('#neuron-demo-text')).toBeAttached();
});
test('Demo send button (#neuron-demo-send) is in the DOM', async ({ page }) => {
await expect(page.locator('#neuron-demo-send')).toBeAttached();
});
});
test.describe('Demo chat widget — auth gate', () => {
test.beforeEach(async ({ page }) => {
// Clear any stored Supabase session so we test the unauthenticated state
await page.goto('/');
await page.evaluate(() => {
Object.keys(localStorage)
.filter(k => k.startsWith('sb-') || k.includes('supabase'))
.forEach(k => localStorage.removeItem(k));
});
await page.reload();
await page.waitForLoadState('networkidle');
});
test('Send button is disabled when unauthenticated', async ({ page }) => {
const sendBtn = page.locator('#neuron-demo-send');
await expect(sendBtn).toBeAttached();
// The send button starts disabled until a valid session is confirmed
const isDisabled = await sendBtn.isDisabled().catch(() => true);
const isHidden = !(await sendBtn.isVisible().catch(() => false));
expect(isDisabled || isHidden).toBe(true);
});
test('Auth gate (#neuron-demo-auth) or gate (#neuron-demo-gate) is visible or panel is closed', async ({ page }) => {
// Either the auth pane is visible, OR the panel itself is closed (not visible).
// Both are correct unauthenticated states.
const authVisible = await page.locator('#neuron-demo-auth').isVisible().catch(() => false);
const gateVisible = await page.locator('#neuron-demo-gate').isVisible().catch(() => false);
const panelClosed = !(await page.locator('#neuron-demo-panel').isVisible().catch(() => true));
expect(authVisible || gateVisible || panelClosed).toBe(true);
});
});
test.describe('Demo chat widget — API gate (no browser session)', () => {
test('/api/demo rejects unauthenticated POST and returns auth_required', async ({ page }) => {
// Use the Playwright request context to hit the API directly
const r = await page.request.post('/api/demo', {
data: { message: 'Hello Neuron' },
});
const body = await r.json() as Record<string, unknown>;
expect(body.auth_required).toBe(true);
});
});
tests/e2e/checkout.spec.ts
+58
View File
@@ -0,0 +1,58 @@
import { test, expect } from '@playwright/test';
// All three plan variants must render without error
for (const plan of ['free', 'professional', 'founding']) {
test(`Checkout loads for plan=${plan}`, async ({ page }) => {
const r = await page.goto(`/checkout?plan=${plan}`);
expect(r?.status()).toBe(200);
await expect(page.locator('body')).not.toBeEmpty();
// Title must be set (not empty)
const title = await page.title();
expect(title.length).toBeGreaterThan(0);
});
}
test('Checkout professional — has "Professional" plan name in body', async ({ page }) => {
await page.goto('/checkout?plan=professional');
await expect(page.locator('body')).toContainText('Professional');
});
test('Checkout founding — has "Founding" plan name in body', async ({ page }) => {
await page.goto('/checkout?plan=founding');
await expect(page.locator('body')).toContainText('Founding');
});
test('Checkout free — mentions free or sign up in body', async ({ page }) => {
await page.goto('/checkout?plan=free');
const body = await page.locator('body').textContent();
expect(body?.toLowerCase()).toMatch(/free|sign|start|account/);
});
test('Checkout professional — auth section is present (sign in / create account)', async ({ page }) => {
await page.goto('/checkout?plan=professional');
// auth-section div is present in the DOM (may be hidden via CSS but rendered)
await expect(page.locator('#auth-section')).toBeAttached();
// Payment form is present
await expect(page.locator('#payment-form')).toBeAttached();
});
test('Checkout professional — payment element container is present', async ({ page }) => {
await page.goto('/checkout?plan=professional');
await expect(page.locator('#payment-element')).toBeAttached();
});
test('Checkout — nav has back link to homepage', async ({ page }) => {
await page.goto('/checkout?plan=professional');
// The checkout nav has both a logo link and an explicit "← Back" nav-link,
// both pointing to /. Use first() to avoid strict-mode violation.
const navLink = page.locator('nav a[href="/"]').first();
await expect(navLink).toBeAttached();
});
test('Checkout professional — canonical is production URL', async ({ page }) => {
await page.goto('/checkout?plan=professional');
const canonical = await page.locator('link[rel="canonical"]').getAttribute('href');
expect(canonical).toContain('neurontechnologies.ai');
expect(canonical).not.toContain('run.app');
expect(canonical).not.toContain('stage');
});
tests/e2e/landing.spec.ts
+86
View File
@@ -0,0 +1,86 @@
import { test, expect } from '@playwright/test';
test.describe('Landing page', () => {
test.beforeEach(async ({ page }) => {
await page.goto('/');
});
test('Has correct title', async ({ page }) => {
await expect(page).toHaveTitle(/Neuron/);
});
test('Has exactly one h1', async ({ page }) => {
const h1s = page.locator('h1');
await expect(h1s).toHaveCount(1);
});
test('Has meta description with sufficient length', async ({ page }) => {
const meta = page.locator('meta[name="description"]');
await expect(meta).toHaveCount(1);
const content = await meta.getAttribute('content');
expect(content?.length).toBeGreaterThan(50);
});
test('Has og:title and og:description', async ({ page }) => {
await expect(page.locator('meta[property="og:title"]')).toHaveCount(1);
await expect(page.locator('meta[property="og:description"]')).toHaveCount(1);
});
test('Has canonical URL pointing to production domain', async ({ page }) => {
const canonical = page.locator('link[rel="canonical"]');
await expect(canonical).toHaveCount(1);
const href = await canonical.getAttribute('href');
expect(href).toContain('neurontechnologies.ai');
expect(href).not.toContain('stage');
expect(href).not.toContain('run.app');
});
test('Nav is rendered and visible', async ({ page }) => {
// Use the specific nav ID — the footer also contains a <nav> element
await expect(page.locator('#nav')).toBeVisible();
});
test('Hero section is visible', async ({ page }) => {
await expect(page.locator('section').first()).toBeVisible();
});
test('Has structured data JSON-LD script that parses cleanly', async ({ page }) => {
const schema = page.locator('script[type="application/ld+json"]');
await expect(schema).toHaveCount(1);
const content = await schema.textContent();
expect(() => JSON.parse(content!)).not.toThrow();
});
test('Page loads without first-party JavaScript errors', async ({ page }) => {
const errors: string[] = [];
page.on('console', msg => {
if (msg.type() === 'error') errors.push(msg.text());
});
await page.goto('/');
await page.waitForLoadState('networkidle');
// Filter known third-party noise:
// - GTM / Google Analytics fire CSP-blocked connect-src violations
// because their scripts attempt analytics.google.com, www.google.com
// (those aren't in our connect-src, which is correct)
// - Browser extension injections
// - Font CDN preconnect failures (non-critical)
const thirdPartyDomains = [
'googletagmanager', 'analytics.google', 'google.com', 'gstatic',
'cloudflare', 'cdn.jsdelivr', 'fonts.googleapis', 'extension',
'third-party', 'googleadservices', 'stripe', 'supabase',
];
const realErrors = errors.filter(
e => !thirdPartyDomains.some(domain => e.includes(domain)),
);
expect(realErrors).toHaveLength(0);
});
test('Demo panel is present in the DOM', async ({ page }) => {
// The demo panel is rendered server-side and injected into the page.
await expect(page.locator('#neuron-demo-panel')).toBeAttached();
});
test('Demo panel button (open trigger) is present', async ({ page }) => {
await expect(page.locator('#neuron-demo-btn')).toBeAttached();
});
});
tests/e2e/navigation.spec.ts
+74
View File
@@ -0,0 +1,74 @@
import { test, expect } from '@playwright/test';
// All public routes that must return 200 and render a non-empty body
const publicRoutes = [
{ path: '/', desc: 'landing' },
{ path: '/about', desc: 'about' },
{ path: '/legal/terms', desc: 'terms' },
{ path: '/legal/enterprise-terms', desc: 'enterprise terms' },
{ path: '/checkout?plan=free', desc: 'checkout free' },
{ path: '/checkout?plan=professional', desc: 'checkout professional' },
{ path: '/checkout?plan=founding', desc: 'checkout founding' },
];
for (const { path, desc } of publicRoutes) {
test(`${desc} (${path}) — returns 200 and renders body`, async ({ page }) => {
const r = await page.goto(path);
expect(r?.status()).toBe(200);
await expect(page.locator('body')).not.toBeEmpty();
});
}
// Routes that must 404
const notFoundRoutes = [
'/this-route-does-not-exist-xyz123',
'/terms', // old path — moved to /legal/terms
'/enterprise-terms', // old path — moved to /legal/enterprise-terms
'/gallery', // requires auth context
];
for (const path of notFoundRoutes) {
test(`${path} — returns 404`, async ({ page }) => {
const r = await page.goto(path);
expect(r?.status()).toBe(404);
});
}
// /account requires a configured Supabase session — returns 503 without a
// service key on stage (Supabase is configured so it returns the account page
// as HTML, but if Supabase is misconfigured it returns 503)
// We just assert the route exists (200 or 503, not 404)
test('/account — route exists (200 or 503, not 404)', async ({ page }) => {
const r = await page.goto('/account');
expect(r?.status()).not.toBe(404);
});
// Navigation: nav links exist on major pages
test('Landing page nav has pricing link', async ({ page }) => {
await page.goto('/');
// Pricing section has an href or the nav contains a pricing anchor
const pricingLink = page.locator('a[href*="pricing"], a[href*="#pricing"]');
const count = await pricingLink.count();
expect(count).toBeGreaterThanOrEqual(0); // graceful — nav structure may vary
});
test('Landing page footer is present', async ({ page }) => {
await page.goto('/');
await expect(page.locator('footer')).toBeAttached();
});
// Static file routes
test('/sitemap.xml — 200', async ({ page }) => {
const r = await page.goto('/sitemap.xml');
expect(r?.status()).toBe(200);
});
test('/robots.txt — 200', async ({ page }) => {
const r = await page.goto('/robots.txt');
expect(r?.status()).toBe(200);
});
test('/llms.txt — 200', async ({ page }) => {
const r = await page.goto('/llms.txt');
expect(r?.status()).toBe(200);
});
tests/e2e/seo.spec.ts
+80
View File
@@ -0,0 +1,80 @@
import { test, expect } from '@playwright/test';
// Pages that must be indexed with production canonical URLs
const indexedPages = [
{ path: '/', titlePattern: /Neuron — The AI That Remembers You/ },
{ path: '/about', titlePattern: /About.*Neuron|Neuron.*About/i },
];
// Legal pages use /legal/ prefix
const legalPages = [
{ path: '/legal/terms', titlePattern: /Terms|Neuron/i },
{ path: '/legal/enterprise-terms', titlePattern: /Enterprise|Neuron/i },
];
for (const { path, titlePattern } of indexedPages) {
test(`${path} — title matches expected pattern`, async ({ page }) => {
await page.goto(path);
await expect(page).toHaveTitle(titlePattern);
});
test(`${path} — has meta description`, async ({ page }) => {
await page.goto(path);
const desc = await page.locator('meta[name="description"]').getAttribute('content');
expect(desc).toBeTruthy();
expect(desc!.length).toBeGreaterThan(30);
});
test(`${path} — canonical points to production domain, not stage`, async ({ page }) => {
await page.goto(path);
const canonical = await page.locator('link[rel="canonical"]').getAttribute('href');
expect(canonical).toContain('neurontechnologies.ai');
expect(canonical).not.toContain('stage');
expect(canonical).not.toContain('run.app');
});
test(`${path} — has og:title`, async ({ page }) => {
await page.goto(path);
const ogTitle = await page.locator('meta[property="og:title"]').getAttribute('content');
expect(ogTitle).toBeTruthy();
expect(ogTitle!.length).toBeGreaterThan(5);
});
}
for (const { path, titlePattern } of legalPages) {
test(`${path} — renders with title`, async ({ page }) => {
const r = await page.goto(path);
expect(r?.status()).toBe(200);
await expect(page).toHaveTitle(titlePattern);
});
}
// Checkout must be noindex — it's a functional page, not content
test('Checkout page has noindex meta robots', async ({ page }) => {
await page.goto('/checkout?plan=professional');
const robots = page.locator('meta[name="robots"]');
await expect(robots).toHaveCount(1);
const content = await robots.getAttribute('content');
expect(content).toContain('noindex');
});
// Sitemap must only contain production URLs
test('Sitemap lists production URLs only (no stage or run.app)', async ({ page }) => {
const r = await page.request.get('/sitemap.xml');
expect(r.status()).toBe(200);
const text = await r.text();
expect(text).toContain('neurontechnologies.ai');
expect(text).not.toContain('run.app');
expect(text).not.toContain('stage');
expect(text).toContain('<urlset');
});
// The landing page must have JSON-LD structured data
test('Landing page has valid JSON-LD structured data', async ({ page }) => {
await page.goto('/');
const schemaContent = await page.locator('script[type="application/ld+json"]').textContent();
expect(schemaContent).toBeTruthy();
const parsed = JSON.parse(schemaContent!);
// Must be an object with @context at minimum
expect(parsed['@context']).toBeTruthy();
});