Files
infiplot-web/app/api/stories/save/route.ts
T
Zonghao Yuan 0e4c2ebef4 feat(engine): merge cloudflare-migration — paradigm D engine, BYOK proxy, story persistence (#95)
Squash-merge the cloudflare-migration branch (7 commits by Kai ki) into
staging with conflict resolution, feature integration, and bug fixes.

Engine:
- Paradigm D: single-stream Writer replacing dual-phase Plan/Beats
- Delete Architect agent; story bible generated via Writer <plan> tag
- Modular prompt architecture (segments/registry/builder)
- StreamRouter for tagged stream splitting (<plan>/<story>/<choices>)

Infrastructure:
- Cloudflare Workers deployment (wrangler.jsonc, OpenNext adapter)
- D1 database schema + Drizzle ORM (scaffolded, not yet active)
- R2 storage helpers (scaffolded, not yet active)
- Story persistence API routes + client-side persistence

BYOK (Bring Your Own Key):
- /api/llm/user-proxy with SSRF-protected LLM proxy (+ requireUser auth)
- CORS-aware fetch in ai-client: auto-detect CORS failure, fallback to
  server proxy transparently via OpenAI SDK custom fetch
- BYO config support added to classify-freeform and vision routes
- SettingsModal CORS privacy notice (keys never logged/stored)

SSE streaming:
- engineClient.ts: fetchSSE helper for progressive scene events
- startSession/requestScene accept optional emit callback
- Fix SSE error event field name (error → message) in scene/start routes

i18n integration:
- Wire buildLanguageDirective into paradigm D's prompt builder
- Update corsNotice i18n keys (zh-CN/en/ja) with CORS proxy privacy text
- Preserve Session.language + LanguageSwitcher from i18n commit

Co-authored-by: Kai ki <155355644+zbf1009@users.noreply.github.com>
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
2026-06-18 18:05:38 +08:00

28 lines
1.1 KiB
TypeScript

import { NextResponse } from "next/server";
export const runtime = "nodejs";
/**
* POST /api/stories/save — TEMPORARILY DISABLED (2026-06-09)
*
* D1 persistence is disabled until an authentication system (better-auth) is
* integrated. Without auth, anonymous writes to D1 have no rate limiting,
* per-user quota, or ownership verification — an abuse/DoS risk on a public,
* registration-less site. The client (lib/clientStoryPersistence.ts) now
* persists stories to localStorage only; this 503 keeps the contract intact
* for any caller that still hits the endpoint.
*
* The full D1 implementation lives in StoryRepository (lib/db/repositories/
* storyRepo.ts), which is untouched. To re-enable after auth integration:
* restore the handler to validate input + call `repo.save(...)` (see the
* task-10 implementation log) and gate it behind an authenticated session.
*
* See: ARCHITECTURE_DESIGN.md Phase 2, memory tech_d1_anonymous_write_risk
*/
export async function POST(_req: Request) {
return NextResponse.json(
{ error: "Server persistence temporarily disabled - using local storage" },
{ status: 503 },
);
}