neuron-technologies/neuron-web
2
0
Fork 0
Code Issues 1 Pull Requests Actions Packages Projects Releases Wiki Activity

Sync stage fixes into dev #11

Merged
will.anderson merged 14 commits from sync/dev-stage into dev 2026-05-07 06:05:54 +00:00
Conversation 0 Commits 14 Files Changed 9
+289 -178
9 changed files with 289 additions and 178 deletions
Download Patch File Download Diff File Expand all files Collapse all files
.gitea/workflows/stage.yaml
+1
View File
@@ -2,6 +2,7 @@ name: Stage — Build, push & deploy to marketing-stage
# Pipeline: build → push → deploy marketing-stage → smoke test.
# STOPS HERE. No prod deploy. Merge to main when stage looks good.
# Triggered: 2026-05-05 (promote fix/gallery-layout-account-otp)
on:
push:
Dockerfile.stage
+8 -1
View File
@@ -25,7 +25,14 @@ RUN apt-get update \
WORKDIR /build
COPY runtime/el_runtime.c runtime/el_runtime.h ./
RUN cc -O2 -c el_runtime.c -I. -o el_runtime.o
# Pre-compile el_runtime as a separate cached layer.
# el_runtime.c changes rarely; main.c changes every run.
# Splitting this out means el_runtime.o is cached across builds when only main.c changes.
# -DHAVE_CURL: the staged el_runtime.c (from el.git) guards the OTLP observability
# section (emit_metric, emit_log, trace_span_*) behind #ifdef HAVE_CURL.
# libcurl IS installed above, so define HAVE_CURL to enable those functions.
RUN cc -O2 -DHAVE_CURL -c el_runtime.c -I. -o el_runtime.o
COPY dist/soul-demo.c dist/vessel_stubs.c ./
dist/soul-demo.c
Vendored
+121 -122
View File
File diff suppressed because one or more lines are too long
src/checkout.el
+18 -8
View File
@@ -94,14 +94,14 @@ fn checkout_page(plan: String, pub_key: String) -> String {
<div class="checkout-form-wrap">
<!-- Auth section: visible immediately for free, collapsed (optional) for paid plans -->
<div id="auth-section" {#if is_free}{#else}style="display:none;"{/if}>
{#if is_free}
<p class="label" style="margin-bottom: 1.5rem; color: var(--navy);">Create your account.</p>
<p class="checkout-auth-hint" style="margin-bottom: 2rem;">No charge today. Add your card to reserve your spot - you won&#39;t be billed until you upgrade.</p>
{#else}
<p class="label" style="margin-bottom: 1.25rem;">Sign in (optional)</p>
<p class="checkout-auth-hint">Sign in to link this purchase to an existing account. Or skip and create one later - we'll match it to your email.</p>
{/if}
<div id=\"auth-section\" " + (if is_free { "" } else { "style=\"display:none;\"" }) + ">
" + (if is_free { "
<p class=\"label\" style=\"margin-bottom: 1.5rem; color: var(--navy);\">Create your account.</p>
<p class=\"checkout-auth-hint\" style=\"margin-bottom: 2rem;\">No card required. Your account is free, forever.</p>
" } else { "
<p class=\"label\" style=\"margin-bottom: 1.25rem;\">Sign in (optional)</p>
<p class=\"checkout-auth-hint\">Sign in to link this purchase to an existing account. Or skip and create one later - we'll match it to your email.</p>
" }) + "
<div class="checkout-social-btns">
<button type="button" class="checkout-social-btn" id="btn-google" onclick="signInWith('google')">
@@ -135,6 +135,16 @@ fn checkout_page(plan: String, pub_key: String) -> String {
</div>
</div>
<!-- Free-tier success panel: shown after account creation, no card needed -->
" + (if is_free { "
<div id=\"free-success\" style=\"display:none; text-align:center; padding: 2.5rem 1rem;\">
<div style=\"font-size:2.5rem; margin-bottom:1.25rem;\">&#10003;</div>
<p class=\"label\" style=\"margin-bottom:.75rem; color:var(--navy);\">You&#39;re in.</p>
<p class=\"checkout-auth-hint\" style=\"margin-bottom:2rem;\">Your free account is ready. Download Neuron to get started.</p>
<a href=\"/marketplace\" class=\"checkout-submit\" style=\"display:inline-block; text-decoration:none; padding:.875rem 2rem;\">Go to your account &#8594;</a>
</div>
" } else { "" }) + "
<!-- Payment form (visible immediately - no auth wall) -->
<div id="payment-section" {#if is_free}style="display:none;"{/if}>
<div id="auth-badge" style="display:none; margin-bottom: 1.5rem;"></div>
src/js/checkout-auth.el
+10 -5
View File
@@ -33,8 +33,11 @@ fn main() -> Void {
if (user && user.id) { window._neuronSupaId = user.id; }
var auth = document.getElementById('auth-section');
if (auth) auth.style.display = 'none';
var payment = document.getElementById('payment-section');
if (payment) payment.style.display = '';
var isFree = (window.NEURON_CFG || {}).plan === 'free';
if (!isFree) {
var payment = document.getElementById('payment-section');
if (payment) payment.style.display = '';
}
if (user) {
var badge = document.getElementById('auth-badge');
@@ -55,9 +58,11 @@ fn main() -> Void {
if (emailEl) emailEl.value = user.email;
}
var userEmail = user ? (user.email || '') : '';
var userName = user ? ((user.user_metadata && user.user_metadata.full_name) || '') : '';
if (typeof initStripe === 'function') initStripe(userEmail, userName);
if (!isFree) {
var userEmail = user ? (user.email || '') : '';
var userName = user ? ((user.user_metadata && user.user_metadata.full_name) || '') : '';
if (typeof window.initStripe === 'function') window.initStripe(userEmail, userName);
}
}
function checkExistingSession() {
src/js/checkout-free.el
+8 -5
View File
@@ -1,15 +1,18 @@
// checkout-free.el -- Free plan: reveal payment section after auth completes.
// Watches the auth-badge element; when it becomes visible, shows payment-section.
// checkout-free.el -- Free plan: show success panel after auth completes.
// Watches the auth-badge element; when it becomes visible, hides the auth
// section and shows the free-success panel. No card required for free tier.
// Compiled with: elc --target=js --bundle --minify --obfuscate
fn main() -> Void {
native_js("(function() {
var pay = document.getElementById('payment-section');
if (!pay) return;
var success = document.getElementById('free-success');
var auth = document.getElementById('auth-section');
if (!success) return;
var timer = setInterval(function() {
var badge = document.getElementById('auth-badge');
if (badge && badge.offsetParent !== null) {
pay.style.display = '';
if (auth) auth.style.display = 'none';
success.style.display = '';
clearInterval(timer);
}
}, 150);
src/js/checkout-stripe.el
+17 -6
View File
@@ -31,8 +31,13 @@ fn main() -> Void {
if (spinner) spinner.style.display = loading ? '' : 'none';
}
// Free plan has no payment form bail out entirely.
if (str_eq(PLAN, 'free')) return;
window._neuronMode = 'payment';
var paymentEl = null;
var userEmail = '';
var userName = '';
function appearance() {
return {
@@ -80,7 +85,7 @@ fn main() -> Void {
return fetch('/api/payment-intent', {
method: 'POST',
headers: {'Content-Type': 'application/json'},
body: JSON.stringify({ plan: PLAN, timing: timing })
body: JSON.stringify({ plan: PLAN, timing: timing, email: userEmail, name: userName })
})
.then(function(r) { return r.json(); })
.then(function(data) {
@@ -117,11 +122,17 @@ fn main() -> Void {
});
}
fetchAndMount();
var tNow = document.getElementById('timing-now');
var tLater = document.getElementById('timing-later');
if (tNow) tNow.addEventListener('change', fetchAndMount);
if (tLater) tLater.addEventListener('change', fetchAndMount);
// Don't init Stripe at page load wait for auth.
// checkout-auth.el calls window.initStripe(email, name) after sign-in.
window.initStripe = function(email, name) {
userEmail = email || '';
userName = name || '';
fetchAndMount();
var tNow = document.getElementById('timing-now');
var tLater = document.getElementById('timing-later');
if (tNow) tNow.addEventListener('change', fetchAndMount);
if (tLater) tLater.addEventListener('change', fetchAndMount);
};
var form = document.getElementById('payment-form');
if (form) form.addEventListener('submit', async function(e) {
src/main.el
+104 -29
View File
@@ -485,7 +485,7 @@ fn config_get(key: String) -> String {
// function - it serves __html_file__ directly with text/html.
// This handler covers /api/* and /brand/* routes.
fn handle_request(method: String, path: String, body: String) -> String {
fn handle_request_inner(method: String, path: String, body: String) -> String {
let src_dir: String = state_get("__src_dir__")
// Root serve El-generated landing page
@@ -503,7 +503,7 @@ fn handle_request(method: String, path: String, body: String) -> String {
// robots.txt
if str_eq(path, "/robots.txt") {
return "User-agent: *\nAllow: /\nSitemap: https://neurontechnologies.ai/sitemap.xml\n"
return "User-agent: *\nAllow: /\n"
}
// About page
@@ -567,23 +567,9 @@ fn handle_request(method: String, path: String, body: String) -> String {
}
let timing: String = json_get_string(body, "timing")
if str_eq(timing, "") { let timing = "now" }
// Free tier: SetupIntent save card details without charging.
// Card is stored on a Stripe Customer; billing begins only if the
// user later upgrades to a paid plan.
// Free tier: no card required. Return immediately no Stripe interaction.
if str_eq(plan, "free") {
let si_body: String = "automatic_payment_methods[enabled]=true"
+ "&usage=off_session"
+ "&metadata[plan]=free"
let auth_header: String = "Bearer " + stripe_key
let si_resp: String = http_post_form_auth(
"https://api.stripe.com/v1/setup_intents",
si_body,
auth_header)
if str_starts_with(si_resp, "{") {
let inner: String = str_slice(si_resp, 1, str_len(si_resp))
return "{\"setup_mode\":true,\"plan\":\"free\"," + inner
}
return si_resp
return "{\"plan\":\"free\",\"free\":true,\"no_payment_required\":true}"
}
// Hard cap: block founding checkouts when 1,000 spots are filled
if str_eq(plan, "founding") {
@@ -595,6 +581,27 @@ fn handle_request(method: String, path: String, body: String) -> String {
}
let auth_header: String = "Bearer " + stripe_key
// Find-or-create Stripe Customer by email upfront so every intent
// is attached to an existing customer prevents duplicate customers.
let pi_email: String = json_get_string(body, "email")
let pi_name: String = json_get_string(body, "name")
let pi_cus_id: String = ""
if !str_eq(pi_email, "") {
let pi_email_enc: String = str_replace(str_replace(pi_email, "@", "%40"), "+", "%2B")
let pi_search_url: String = "https://api.stripe.com/v1/customers/search?query=email%3A%22" + pi_email_enc + "%22&limit=1"
let pi_search: String = http_get_auth(pi_search_url, auth_header)
let pi_cus_id = json_get_string(pi_search, "id")
if str_eq(pi_cus_id, "") {
let pi_name_enc: String = str_replace(pi_name, " ", "%20")
let pi_cus_body: String = "email=" + pi_email_enc
+ "&name=" + pi_name_enc
+ "&metadata[plan]=" + plan
+ "&metadata[source]=neuron-checkout"
let pi_cus_resp: String = http_post_form_auth("https://api.stripe.com/v1/customers", pi_cus_body, auth_header)
let pi_cus_id = json_get_string(pi_cus_resp, "id")
}
}
// Setup-mode path: save payment method, do not charge. Only valid
// for Professional (Founding is one-shot lifetime, charges immediately).
if str_eq(plan, "professional") && str_eq(timing, "later") {
@@ -603,6 +610,7 @@ fn handle_request(method: String, path: String, body: String) -> String {
+ "&metadata[plan]=" + plan
+ "&metadata[hold_until]=launch"
+ "&metadata[launch_target]=2026-09-01"
let si_body = if !str_eq(pi_cus_id, "") { si_body + "&customer=" + pi_cus_id } else { si_body }
let si_resp: String = http_post_form_auth(
"https://api.stripe.com/v1/setup_intents",
si_body,
@@ -625,6 +633,7 @@ fn handle_request(method: String, path: String, body: String) -> String {
+ "&automatic_payment_methods[enabled]=true"
+ "&metadata[plan]=" + plan
+ "&metadata[timing]=" + timing
let pi_body = if !str_eq(pi_cus_id, "") { pi_body + "&customer=" + pi_cus_id } else { pi_body }
let response: String = http_post_form_auth(
"https://api.stripe.com/v1/payment_intents",
pi_body,
@@ -973,12 +982,18 @@ fn handle_request(method: String, path: String, body: String) -> String {
let ua_safe: String = str_replace(str_replace(attest_ua, "\\", "\\\\"), "\"", "\\\"")
// Write to Supabase waitlist (attestation in dedicated column)
waitlist_upsert(attest_email, attest_name, attest_plan, "founding-attestation", attest_text, attest_ua, 0)
// Also save to GCS as immutable legal record
// Also save to GCS as immutable legal record.
// Written to the dedicated attestations bucket (GCS_ATTEST_BUCKET) which
// is private and separate from the public-read shares bucket.
let record: String = "{\"plan\":\"" + attest_plan + "\",\"name\":\"" + n_safe + "\",\"email\":\"" + e_safe + "\",\"timestamp\":\"" + attest_ts + "\",\"attestation\":\"" + t_safe + "\",\"user_agent\":\"" + ua_safe + "\"}"
let gcs_bucket: String = env("GCS_SHARE_BUCKET")
if !str_eq(gcs_bucket, "") {
let attest_key: String = "attestations/" + attest_ts + "-" + attest_email + ".json"
let gcs_ok: String = gcs_write(gcs_bucket, attest_key, record)
let attest_bucket: String = env("GCS_ATTEST_BUCKET")
if str_eq(attest_bucket, "") {
// Fall back to share bucket with attestations/ prefix for legacy deploys
let attest_bucket = env("GCS_SHARE_BUCKET")
}
if !str_eq(attest_bucket, "") {
let attest_key: String = attest_ts + "-" + attest_email + ".json"
let gcs_ok: String = gcs_write(attest_bucket, attest_key, record)
println("[attest] gcs write " + attest_key + " -> " + gcs_ok)
}
// Email notification
@@ -1100,15 +1115,21 @@ fn handle_request(method: String, path: String, body: String) -> String {
}
state_set(rl_key, int_to_str(rl_count + 1) + "|" + int_to_str(today_day))
}
// Turnstile: verify on first message only (tokens are single-use).
// Per-message verification breaks chat flow. Forms get full verification.
// Turnstile: server-side verification is mandatory on every first
// message (tokens are single-use; per-message verification would
// break streaming chat flow so only the first message carries one).
// Requests without a cf_token are rejected outright the widget
// must execute successfully before the first POST is sent.
let cf_token: String = json_get(body, "cf_token")
if !str_eq(cf_token, "") {
let ts_secret: String = "0x4AAAAAADHAZTok46L-l2sa9biSGpgN3GY"
let ts_secret: String = state_get("__turnstile_secret_key__")
if str_eq(cf_token, "") && !str_eq(ts_secret, "") {
return "{\"error\":\"Bot check required. Please complete the challenge.\"}"
}
if !str_eq(cf_token, "") && !str_eq(ts_secret, "") {
let verify_body: String = "secret=" + ts_secret + "&response=" + cf_token
let verify_resp: String = http_post("https://challenges.cloudflare.com/turnstile/v0/siteverify", verify_body)
let verify_resp: String = http_post("https://challenges.cloudflare.com/turnstile/v1/siteverify", verify_body)
let is_valid: String = json_get(verify_resp, "success")
if str_eq(is_valid, "false") {
if !str_eq(is_valid, "true") {
return "{\"error\":\"Bot check failed. Please try again.\"}"
}
}
@@ -1600,9 +1621,15 @@ fn handle_request(method: String, path: String, body: String) -> String {
} else {
let share_html = fs_read(src_dir + "/shares/" + id + ".html")
}
// Guard against empty responses and GCS error JSON (e.g. {"error":...}).
// A valid share card always starts with "<" (HTML). Anything else is
// treated as a missing card to avoid leaking bucket names or GCS details.
if str_eq(share_html, "") {
return "{\"__status__\":404,\"error\":\"not found\"}"
}
if !str_starts_with(share_html, "<") {
return "{\"__status__\":404,\"error\":\"not found\"}"
}
return share_html
}
@@ -1810,6 +1837,52 @@ fn handle_request(method: String, path: String, body: String) -> String {
return "{\"__status__\":404,\"error\":\"not found\"}"
}
// Security header wrapper
//
// Injects mandatory security headers on every response. Called by
// handle_request which is the actual http_set_handler target; the inner
// dispatcher (handle_request_inner) returns plain bodies so all the existing
// route code is unchanged.
//
// Headers applied:
// Strict-Transport-Security forces HTTPS for 2 years + preload
// X-Content-Type-Options no MIME sniffing
// X-Frame-Options no framing except same origin
// Referrer-Policy full URL within origin, origin-only cross-site
// Permissions-Policy deny geo/mic/camera
// Content-Security-Policy allow self + trusted CDNs used by the app
fn sec_headers_json() -> String {
"{\"Strict-Transport-Security\":\"max-age=63072000; includeSubDomains; preload\","
+ "\"X-Content-Type-Options\":\"nosniff\","
+ "\"X-Frame-Options\":\"SAMEORIGIN\","
+ "\"Referrer-Policy\":\"strict-origin-when-cross-origin\","
+ "\"Permissions-Policy\":\"geolocation=(), microphone=(), camera=()\","
+ "\"Content-Security-Policy\":\"default-src 'self'; script-src 'self' 'unsafe-inline' https://challenges.cloudflare.com https://cdn.jsdelivr.net https://www.googletagmanager.com https://www.google-analytics.com; style-src 'self' 'unsafe-inline'; frame-src https://challenges.cloudflare.com; connect-src 'self' https://api.stripe.com https://*.supabase.co; img-src 'self' data: https:; font-src 'self' data:\"}"
}
fn handle_request(method: String, path: String, body: String) -> String {
let inner_resp: String = handle_request_inner(method, path, body)
// Detect envelope already set by inner handler (starts with
// {"el_http_response":1). If so, let it pass through unmodified
// the status code it carries takes precedence and we must not
// double-wrap. (Currently inner never returns an envelope, but guard
// defensively so a future route returning http_response(...) still works.)
if str_starts_with(inner_resp, "{\"el_http_response\":1") {
return inner_resp
}
// Detect the __status__ convention used by many routes so we can forward
// the correct HTTP status code while still injecting security headers.
let status_code: Int = 200
if str_starts_with(inner_resp, "{\"__status__\":") {
let status_str: String = json_get(inner_resp, "__status__")
if !str_eq(status_str, "") {
let status_code = str_to_int(status_str)
}
}
http_response(status_code, sec_headers_json(), inner_resp)
}
// Startup
//
// Order matters:
@@ -1839,6 +1912,7 @@ let resend_api_key: String = env("RESEND_API_KEY")
let supabase_anon_key: String = env("SUPABASE_ANON_KEY")
let supabase_service_key: String = env("SUPABASE_SERVICE_KEY")
let supabase_project_url: String = "https://ocojsghaonltunidkzpw.supabase.co"
let turnstile_secret_key: String = env("TURNSTILE_SECRET_KEY")
// Origin drives Stripe redirect URLs; never hardcoded to localhost.
let neuron_origin_env: String = env("NEURON_ORIGIN")
@@ -1886,6 +1960,7 @@ state_set("__origin__", neuron_origin)
state_set("__founding_sold_file__", sold_file)
state_set("__founding_sold__", int_to_str(real_sold))
state_set("__founding_total__", int_to_str(FOUNDING_TOTAL))
state_set("__turnstile_secret_key__", turnstile_secret_key)
persist_founding_count(real_sold)
println(color_bold("Neuron") + " - " + neuron_origin)
src/styles.el
+2 -2
View File
@@ -1828,8 +1828,8 @@ fn page_open() -> String {
button[disabled] { opacity: 0.6; cursor: not-allowed; }
</style>
<script src="https://cdn.jsdelivr.net/npm/marked/marked.min.js"></script>
<script src="https://challenges.cloudflare.com/turnstile/v0/api.js" async defer></script>
<script src=\"https://cdn.jsdelivr.net/npm/marked/marked.min.js\" integrity=\"sha384-948ahk4ZmxYVYOc+rxN1H2gM1EJ2Duhp7uHtZ4WSLkV4Vtx5MUqnV+l7u9B+jFv+\" crossorigin=\"anonymous\"></script>
<script src=\"https://challenges.cloudflare.com/turnstile/v0/api.js\" async defer></script>
<noscript><style>.reveal { opacity: 1 !important; transform: none !important; }</style></noscript>
<!-- Google Analytics -->