feat(engine): merge cloudflare-migration — paradigm D engine, BYOK proxy, story persistence (#95)
Squash-merge the cloudflare-migration branch (7 commits by Kai ki) into staging with conflict resolution, feature integration, and bug fixes. Engine: - Paradigm D: single-stream Writer replacing dual-phase Plan/Beats - Delete Architect agent; story bible generated via Writer <plan> tag - Modular prompt architecture (segments/registry/builder) - StreamRouter for tagged stream splitting (<plan>/<story>/<choices>) Infrastructure: - Cloudflare Workers deployment (wrangler.jsonc, OpenNext adapter) - D1 database schema + Drizzle ORM (scaffolded, not yet active) - R2 storage helpers (scaffolded, not yet active) - Story persistence API routes + client-side persistence BYOK (Bring Your Own Key): - /api/llm/user-proxy with SSRF-protected LLM proxy (+ requireUser auth) - CORS-aware fetch in ai-client: auto-detect CORS failure, fallback to server proxy transparently via OpenAI SDK custom fetch - BYO config support added to classify-freeform and vision routes - SettingsModal CORS privacy notice (keys never logged/stored) SSE streaming: - engineClient.ts: fetchSSE helper for progressive scene events - startSession/requestScene accept optional emit callback - Fix SSE error event field name (error → message) in scene/start routes i18n integration: - Wire buildLanguageDirective into paradigm D's prompt builder - Update corsNotice i18n keys (zh-CN/en/ja) with CORS proxy privacy text - Preserve Session.language + LanguageSwitcher from i18n commit Co-authored-by: Kai ki <155355644+zbf1009@users.noreply.github.com> Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
@@ -0,0 +1,27 @@
|
||||
import { NextResponse } from "next/server";
|
||||
|
||||
export const runtime = "nodejs";
|
||||
|
||||
/**
|
||||
* POST /api/stories/save — TEMPORARILY DISABLED (2026-06-09)
|
||||
*
|
||||
* D1 persistence is disabled until an authentication system (better-auth) is
|
||||
* integrated. Without auth, anonymous writes to D1 have no rate limiting,
|
||||
* per-user quota, or ownership verification — an abuse/DoS risk on a public,
|
||||
* registration-less site. The client (lib/clientStoryPersistence.ts) now
|
||||
* persists stories to localStorage only; this 503 keeps the contract intact
|
||||
* for any caller that still hits the endpoint.
|
||||
*
|
||||
* The full D1 implementation lives in StoryRepository (lib/db/repositories/
|
||||
* storyRepo.ts), which is untouched. To re-enable after auth integration:
|
||||
* restore the handler to validate input + call `repo.save(...)` (see the
|
||||
* task-10 implementation log) and gate it behind an authenticated session.
|
||||
*
|
||||
* See: ARCHITECTURE_DESIGN.md Phase 2, memory tech_d1_anonymous_write_risk
|
||||
*/
|
||||
export async function POST(_req: Request) {
|
||||
return NextResponse.json(
|
||||
{ error: "Server persistence temporarily disabled - using local storage" },
|
||||
{ status: 503 },
|
||||
);
|
||||
}
|
||||
Reference in New Issue
Block a user