Initial deployment setup for Hugging Face Spaces

.dockerignore

@@ -0,0 +1,65 @@
+# Git
+.git
+.gitignore
+
+# Dependencies
+node_modules
+**/node_modules
+
+# Build outputs
+dist
+build
+.next
+out
+
+# Development
+.env
+.env.local
+.env.*.local
+*.log
+
+# IDE
+.vscode
+.idea
+*.swp
+*.swo
+*~
+
+# OS
+.DS_Store
+Thumbs.db
+
+# Test
+coverage
+.nyc_output
+
+# Replit specific
+.replit
+.replitignore
+replit.md
+.replit-artifact
+
+# Vercel
+.vercel
+vercel.json
+
+# Attached assets
+attached_assets
+
+# Config
+.config
+
+# Agents
+.agents
+
+# Scripts
+scripts
+
+# Mockup sandbox (不需要部署)
+artifacts/mockup-sandbox
+
+# Turnstile solver (單獨部署)
+artifacts/turnstile-solver
+
+# API route (Vercel 專用)
+api

.env.example

@@ -0,0 +1,25 @@
+# Hugging Face Space 環境變數範例
+# 複製此檔案為 .env 並填入實際值
+
+# 伺服器設定
+PORT=7860
+NODE_ENV=production
+
+# 資料庫 (SQLite)
+DATABASE_URL=file:/data/sqlite.db
+
+# JWT 認證密鑰 (請更換為隨機字串，至少 32 字元)
+JWT_SECRET=your-random-jwt-secret-key-change-this-in-production
+
+# 加密密鑰 (必須是 32 字元，用於加密敏感資料)
+ENCRYPTION_KEY=your-32-character-encryption-key
+
+# 暫存儲存路徑
+TEMP_STORAGE_PATH=/app/temp-storage
+
+# Turnstile 驗證碼服務 (可選，如果有部署 turnstile-solver)
+# TURNSTILE_SOLVER_URL=https://your-turnstile-solver.vercel.app
+
+# 站點配置 (可選)
+# SITE_NAME=AI Generator
+# SITE_DESCRIPTION=AI Image & Video Generator

.gitattributes

@@ -0,0 +1,6 @@
+*.png filter=lfs diff=lfs merge=lfs -text
+*.jpg filter=lfs diff=lfs merge=lfs -text
+*.jpeg filter=lfs diff=lfs merge=lfs -text
+*.gif filter=lfs diff=lfs merge=lfs -text
+*.svg filter=lfs diff=lfs merge=lfs -text
+*.webp filter=lfs diff=lfs merge=lfs -text

.npmrc

@@ -0,0 +1,2 @@
+auto-install-peers=false
+strict-peer-dependencies=false

DEPLOYMENT.md

@@ -0,0 +1,218 @@
+# Hugging Face Spaces 部署指南
+
+本指南說明如何將此專案部署到 Hugging Face Spaces 免費版。
+
+## 前置準備
+
+1. 註冊 [Hugging Face](https://huggingface.co/) 帳號
+2. 準備 geminigen.ai 帳號憑證
+
+## 部署步驟
+
+### 1. 建立 Space
+
+1. 前往 https://huggingface.co/new-space
+2. 填寫資訊：
+   - **Space name**: 自訂名稱（例如：ai-image-generator）
+   - **License**: MIT
+   - **Select the Space SDK**: Docker
+   - **Space hardware**: CPU basic (免費)
+3. 點擊 "Create Space"
+
+### 2. 上傳專案檔案
+
+#### 方式 A: 使用 Git (推薦)
+
+```bash
+# 克隆 Space 倉庫
+git clone https://huggingface.co/spaces/YOUR_USERNAME/YOUR_SPACE_NAME
+cd YOUR_SPACE_NAME
+
+# 複製專案檔案（排除不需要的檔案）
+cp -r /path/to/project/* .
+
+# 確保包含以下關鍵檔案：
+# - Dockerfile
+# - README.md (Space 配置)
+# - artifacts/
+# - lib/
+# - package.json
+# - pnpm-lock.yaml
+# - pnpm-workspace.yaml
+# - tsconfig.base.json
+# - tsconfig.json
+
+# 提交並推送
+git add .
+git commit -m "Initial deployment"
+git push
+```
+
+#### 方式 B: 使用 Web 介面
+
+1. 在 Space 頁面點擊 "Files" 標籤
+2. 點擊 "Add file" → "Upload files"
+3. 上傳所有必要檔案
+
+### 3. 設定環境變數
+
+在 Space 的 "Settings" 標籤中設定以下環境變數：
+
+#### 必要變數
+
+```bash
+# JWT 密鑰（請生成隨機字串）
+JWT_SECRET=your-random-jwt-secret-key-at-least-32-characters
+
+# 加密密鑰（必須是 32 字元）
+ENCRYPTION_KEY=your-32-character-encryption-key
+```
+
+#### 可選變數
+
+```bash
+# 資料庫路徑（預設值已足夠）
+DATABASE_URL=file:/data/sqlite.db
+
+# 暫存路徑（預設值已足夠）
+TEMP_STORAGE_PATH=/app/temp-storage
+
+# Turnstile 驗證碼服務（如果有部署）
+TURNSTILE_SOLVER_URL=https://your-turnstile-solver.vercel.app
+```
+
+### 4. 啟用 Persistent Storage (重要)
+
+為了保存資料庫和用戶資料：
+
+1. 在 Space Settings 中找到 "Persistent Storage"
+2. 點擊 "Enable Persistent Storage"
+3. 設定掛載路徑為 `/data`
+
+**注意**: 免費版 Persistent Storage 有容量限制，請定期清理舊檔案。
+
+### 5. 等待建置完成
+
+Space 會自動開始建置 Docker 映像，這可能需要 10-15 分鐘。
+
+建置完成後，Space 會自動啟動，您可以在 "App" 標籤中看到應用程式。
+
+## 首次使用
+
+1. 訪問您的 Space URL（例如：https://huggingface.co/spaces/YOUR_USERNAME/YOUR_SPACE_NAME）
+2. 點擊右上角「註冊」按鈕
+3. 第一個註冊的用戶會自動成為管理員
+4. 登入後，進入「管理後台」
+5. 設定 geminigen.ai 憑證：
+   - Email
+   - Password
+6. 點擊「儲存憑證」
+7. 開始使用！
+
+## 常見問題
+
+### Q: 建置失敗怎麼辦？
+
+A: 檢查以下項目：
+- 確認 Dockerfile 格式正確
+- 確認所有依賴檔案都已上傳
+- 查看 Space 的 "Logs" 標籤了解錯誤訊息
+
+### Q: 應用程式無法啟動？
+
+A: 檢查：
+- 環境變數是否正確設定
+- Persistent Storage 是否已啟用
+- 查看 "Logs" 標籤的錯誤訊息
+
+### Q: 資料庫資料遺失？
+
+A: 確保：
+- Persistent Storage 已啟用並掛載到 `/data`
+- DATABASE_URL 指向 `/data/sqlite.db`
+
+### Q: 圖片/影片無法顯示？
+
+A: 本地暫存模式下：
+- 檔案會在 24 小時後自動清理
+- 重啟 Space 會清空暫存
+- 這是免費版的限制，如需永久儲存請考慮外部儲存服務
+
+### Q: 如何更新應用程式？
+
+A: 使用 Git 推送更新：
+
+```bash
+cd YOUR_SPACE_NAME
+git pull origin main  # 拉取最新變更
+# 修改檔案...
+git add .
+git commit -m "Update application"
+git push
+```
+
+### Q: 效能不足怎麼辦？
+
+A: 免費版 CPU basic 有限制：
+- 考慮升級到付費硬體
+- 優化資料庫查詢
+- 減少同時處理的請求數
+
+## 進階配置
+
+### 使用外部資料庫
+
+如果需要更穩定的資料庫，可以使用外部服務：
+
+1. 註冊 [Supabase](https://supabase.com/) 或 [Neon](https://neon.tech/)（都有免費額度）
+2. 建立 PostgreSQL 資料庫
+3. 修改環境變數：
+   ```bash
+   DATABASE_URL=postgresql://user:pass@host:5432/dbname
+   ```
+4. 修改 `lib/db/drizzle.config.ts` 和 `lib/db/src/index.ts` 改回 PostgreSQL 配置
+
+### 使用外部儲存
+
+整合 Cloudflare R2 或其他 S3 相容服務：
+
+1. 註冊服務並取得憑證
+2. 修改 `artifacts/api-server/src/lib/objectStorage.ts`
+3. 設定相關環境變數
+
+## 監控與維護
+
+### 查看日誌
+
+在 Space 的 "Logs" 標籤可以查看即時日誌。
+
+### 重啟 Space
+
+在 Settings 中點擊 "Factory reboot" 可以重啟 Space。
+
+### 備份資料
+
+定期下載 `/data/sqlite.db` 進行備份：
+
+```bash
+# 使用 Hugging Face CLI
+huggingface-cli download spaces/YOUR_USERNAME/YOUR_SPACE_NAME data/sqlite.db --repo-type=space
+```
+
+## 成本估算
+
+- **免費版**: CPU basic，適合個人使用或測試
+- **付費版**: 
+  - CPU upgrade: $0.03/hour
+  - GPU T4: $0.60/hour
+  - Persistent Storage: 免費 50GB
+
+## 支援
+
+如有問題，請查看：
+- [Hugging Face Spaces 文件](https://huggingface.co/docs/hub/spaces)
+- [專案 GitHub Issues](https://github.com/your-repo/issues)
+
+## 授權
+
+MIT License

DEPLOYMENT_CHECKLIST.md

@@ -0,0 +1,217 @@
+# Hugging Face Spaces 部署檢查清單
+
+## 部署前檢查
+
+### 必要檔案
+- [ ] `Dockerfile` - Docker 建置配置
+- [ ] `README.md` - Space 配置檔（包含 YAML front matter）
+- [ ] `.dockerignore` - 排除不需要的檔案
+- [ ] `.env.example` - 環境變數範例
+- [ ] `DEPLOYMENT.md` - 部署指南
+
+### 專案檔案
+- [ ] `package.json` - 根目錄 workspace 配置
+- [ ] `pnpm-lock.yaml` - 依賴鎖定檔
+- [ ] `pnpm-workspace.yaml` - Workspace 配置
+- [ ] `tsconfig.base.json` - TypeScript 基礎配置
+- [ ] `tsconfig.json` - TypeScript 配置
+
+### 後端檔案
+- [ ] `artifacts/api-server/` - 完整後端程式碼
+- [ ] `artifacts/api-server/src/index.ts` - 已移除背景 token refresh
+- [ ] `artifacts/api-server/src/lib/localTempStorage.ts` - 本地暫存邏輯
+
+### 前端檔案
+- [ ] `artifacts/image-gen/` - 完整前端程式碼
+- [ ] `artifacts/image-gen/dist/` - 建置後會自動生成
+
+### 資料庫檔案
+- [ ] `lib/db/` - 資料庫層
+- [ ] `lib/db/package.json` - 已更新為 better-sqlite3
+- [ ] `lib/db/drizzle.config.ts` - 已改為 SQLite 配置
+- [ ] `lib/db/src/index.ts` - 已改為 SQLite 連接
+
+### 共享庫
+- [ ] `lib/api-client-react/` - React API 客戶端
+- [ ] `lib/api-spec/` - OpenAPI 規格
+- [ ] `lib/api-zod/` - Zod 驗證
+
+## 環境變數設定
+
+### 必要變數（在 Space Settings 中設定）
+- [ ] `JWT_SECRET` - JWT 密鑰（至少 32 字元隨機字串）
+- [ ] `ENCRYPTION_KEY` - 加密密鑰（必須是 32 字元）
+
+### 可選變數
+- [ ] `DATABASE_URL` - 資料庫路徑（預設：file:/data/sqlite.db）
+- [ ] `TEMP_STORAGE_PATH` - 暫存路徑（預設：/app/temp-storage）
+- [ ] `TURNSTILE_SOLVER_URL` - Turnstile 服務 URL（如有）
+
+## Space 設定
+
+### 基本設定
+- [ ] Space SDK 選擇 "Docker"
+- [ ] Space hardware 選擇 "CPU basic"（免費）
+- [ ] License 設定為 "MIT"
+
+### Persistent Storage
+- [ ] 啟用 Persistent Storage
+- [ ] 掛載路徑設定為 `/data`
+- [ ] 確認容量足夠（免費版有限制）
+
+## 建置檢查
+
+### Docker 建置
+- [ ] Dockerfile 語法正確
+- [ ] 所有依賴都能正確安裝
+- [ ] 前端建置成功
+- [ ] 後端建置成功
+- [ ] 暴露端口 7860
+
+### 執行時檢查
+- [ ] 伺服器能正常啟動
+- [ ] 資料庫檔案能正確建立
+- [ ] 暫存目錄能正確建立
+- [ ] 日誌輸出正常
+
+## 功能測試
+
+### 基本功能
+- [ ] 首頁能正常載入
+- [ ] 用戶註冊功能正常
+- [ ] 用戶登入功能正常
+- [ ] 第一個用戶成為管理員
+
+### 管理功能
+- [ ] 能進入管理後台
+- [ ] 能設定 geminigen.ai 憑證
+- [ ] 能查看系統狀態
+- [ ] 能管理用戶
+
+### 圖像生成
+- [ ] 能輸入提示詞
+- [ ] 能選擇模型
+- [ ] 能選擇風格和比例
+- [ ] 能上傳參考圖像
+- [ ] 能成功生成圖像
+- [ ] 圖像能正常顯示
+
+### 影片生成
+- [ ] 能輸入提示詞
+- [ ] 能選擇模型（Grok-3 / Veo 3.1）
+- [ ] 能設定進階選項
+- [ ] 能上傳參考圖像
+- [ ] 能成功生成影片
+- [ ] 進度追蹤正常
+- [ ] 影片能正常播放
+
+### 歷史記錄
+- [ ] 圖像歷史能正常顯示
+- [ ] 影片歷史能正常顯示
+- [ ] 能刪除記錄
+- [ ] 私密/公開過濾正常
+
+## 效能檢查
+
+### 資源使用
+- [ ] CPU 使用率合理
+- [ ] 記憶體使用率合理
+- [ ] 磁碟空間足夠
+
+### 回應時間
+- [ ] 頁面載入速度可接受
+- [ ] API 回應時間合理
+- [ ] 圖像生成時間正常
+- [ ] 影片生成時間正常
+
+## 維護檢查
+
+### 自動清理
+- [ ] 舊檔案能自動清理（24 小時）
+- [ ] 清理日誌正常輸出
+- [ ] 磁碟空間不會持續增長
+
+### 日誌監控
+- [ ] 能在 Space Logs 查看日誌
+- [ ] 錯誤日誌清晰可讀
+- [ ] 無異常錯誤持續出現
+
+### 備份
+- [ ] 知道如何備份資料庫
+- [ ] 知道如何還原資料庫
+- [ ] 定期備份計畫已建立
+
+## 安全檢查
+
+### 憑證安全
+- [ ] JWT_SECRET 是隨機生成的
+- [ ] ENCRYPTION_KEY 是隨機生成的
+- [ ] 不在程式碼中硬編碼敏感資訊
+- [ ] .env 檔案已加入 .gitignore
+
+### 存取控制
+- [ ] 管理功能需要管理員權限
+- [ ] 私密內容只有擁有者能查看
+- [ ] API 端點有適當的認證
+
+## 文件檢查
+
+### 使用者文件
+- [ ] README.md 說明清楚
+- [ ] DEPLOYMENT.md 步驟完整
+- [ ] .env.example 註解清楚
+
+### 開發文件
+- [ ] 程式碼註解充足
+- [ ] 關鍵邏輯有說明
+- [ ] 已知限制有記錄
+
+## 部署後驗證
+
+### 立即檢查
+- [ ] Space 狀態為 "Running"
+- [ ] 能訪問 Space URL
+- [ ] 首頁正常顯示
+- [ ] 無 JavaScript 錯誤
+
+### 24 小時後檢查
+- [ ] Space 仍在運行
+- [ ] 資料庫資料保存正常
+- [ ] 舊檔案已自動清理
+- [ ] 無記憶體洩漏
+
+### 一週後檢查
+- [ ] 長期穩定性良好
+- [ ] 磁碟空間使用穩定
+- [ ] 無異常錯誤累積
+- [ ] 用戶回饋正面
+
+## 問題排查
+
+### 常見問題
+- [ ] 知道如何查看日誌
+- [ ] 知道如何重啟 Space
+- [ ] 知道如何還原資料
+- [ ] 知道如何聯繫支援
+
+### 緊急處理
+- [ ] 有備份還原計畫
+- [ ] 有降級方案
+- [ ] 有聯繫管道
+
+## 完成確認
+
+- [ ] 所有檢查項目都已完成
+- [ ] 所有功能都正常運作
+- [ ] 文件都已更新
+- [ ] 團隊成員都已知悉
+
+---
+
+**部署日期**: _______________
+
+**部署人員**: _______________
+
+**Space URL**: _______________
+
+**備註**: 

Dockerfile

@@ -0,0 +1,57 @@
+FROM node:20-slim
+
+# 安裝 pnpm 和必要工具
+RUN npm install -g pnpm && \
+    apt-get update && \
+    apt-get install -y python3 make g++ && \
+    rm -rf /var/lib/apt/lists/*
+
+WORKDIR /app
+
+# 複製 pnpm 配置
+COPY .npmrc ./
+
+# 複製 workspace 配置（使用 HF 優化版本）
+COPY package.json pnpm-lock.yaml ./
+COPY pnpm-workspace-hf.yaml ./pnpm-workspace.yaml
+COPY tsconfig.base.json tsconfig.json ./
+
+# 複製所有 packages
+COPY artifacts ./artifacts
+COPY lib ./lib
+
+# 安裝依賴
+RUN pnpm install --no-frozen-lockfile
+
+# 驗證關鍵依賴
+RUN echo "=== Checking esbuild ===" && pnpm list esbuild || echo "esbuild not found"
+RUN echo "=== Checking vite ===" && pnpm list vite || echo "vite not found"
+RUN echo "=== Checking typescript ===" && pnpm list typescript || echo "typescript not found"
+
+# 建置前端
+RUN echo "=== Starting frontend build ===" && \
+    cd artifacts/image-gen && \
+    pnpm run build && \
+    echo "=== Frontend build completed ==="
+
+# 建置後端
+RUN echo "=== Starting backend build ===" && \
+    cd artifacts/api-server && \
+    pnpm run build && \
+    echo "=== Backend build completed ==="
+
+# 建立資料和暫存目錄
+RUN mkdir -p /data /app/temp-storage && \
+    chmod 777 /data /app/temp-storage
+
+# 設定環境變數
+ENV NODE_ENV=production
+ENV PORT=7860
+ENV DATABASE_URL=file:/data/sqlite.db
+ENV TEMP_STORAGE_PATH=/app/temp-storage
+
+# 暴露 Hugging Face Spaces 預設端口
+EXPOSE 7860
+
+# 啟動命令
+CMD ["node", "artifacts/api-server/dist/index.js"]

README.md

@@ -0,0 +1,70 @@
+---
+title: AI Image & Video Generator
+emoji: 🎨
+colorFrom: purple
+colorTo: pink
+sdk: docker
+pinned: false
+app_port: 7860
+---
+
+# AI Image & Video Generator
+
+基於 geminigen.ai API 的圖像與影片生成平台，支援多種 AI 模型。
+
+## 功能特色
+
+- 🖼️ **圖像生成**: 支援 Grok, Meta, Imagen Pro/4/Flash, Nano Banana 等模型
+- 🎬 **影片生成**: 支援 Grok-3 和 Veo 3.1 Fast 模型
+- 🎨 **多種風格**: Photorealistic, Anime, Digital Art 等
+- 📐 **自訂比例**: 1:1, 16:9, 9:16, 4:3, 3:4
+- 🔐 **用戶系統**: JWT 認證、點數管理
+- 🖼️ **圖生圖**: 支援參考圖像生成
+- 🎥 **圖生影片**: 支援圖像轉影片
+
+## 環境變數設定
+
+在 Space Settings 中設定以下環境變數：
+
+```bash
+# 資料庫 (自動使用 SQLite)
+DATABASE_URL=file:/data/sqlite.db
+
+# JWT 密鑰 (請更換為隨機字串)
+JWT_SECRET=your-random-secret-key-here
+
+# 加密密鑰 (32 字元，請更換)
+ENCRYPTION_KEY=your-32-character-encryption-key
+
+# Turnstile 驗證碼服務 (可選)
+TURNSTILE_SOLVER_URL=https://your-turnstile-solver.vercel.app
+
+# 伺服器設定
+PORT=7860
+NODE_ENV=production
+```
+
+## 首次使用
+
+1. 訪問應用後，點擊右上角「註冊」
+2. 第一個註冊的用戶會自動成為管理員
+3. 進入「管理後台」設定 geminigen.ai 憑證
+4. 開始生成圖像和影片！
+
+## 技術架構
+
+- **前端**: React + TypeScript + Vite + shadcn/ui
+- **後端**: Express.js + TypeScript
+- **資料庫**: SQLite (Drizzle ORM)
+- **儲存**: 本地暫存 (定期清理)
+- **認證**: JWT + bcrypt
+
+## 限制說明
+
+- 免費版使用本地暫存，舊檔案會定期清理
+- 建議使用 Persistent Storage 保存資料庫
+- 影片僅提供臨時連結，不做永久儲存
+
+## 授權
+
+MIT License

artifacts/api-server/.replit-artifact/artifact.toml

@@ -0,0 +1,32 @@
+kind = "api"
+previewPath = "/api" # TODO - should be excluded from preview in the first place
+title = "API Server"
+version = "1.0.0"
+id = "3B4_FFSkEVBkAeYMFRJ2e"
+
+[[services]]
+localPort = 8080
+name = "API Server"
+paths = ["/api"]
+
+[services.development]
+run = "pnpm --filter @workspace/api-server run dev"
+
+[services.production]
+
+[services.production.build]
+args = ["pnpm", "--filter", "@workspace/api-server", "run", "build"]
+
+[services.production.build.env]
+NODE_ENV = "production"
+
+[services.production.run]
+# we don't run through pnpm to make startup faster in production
+args = ["node", "--enable-source-maps", "artifacts/api-server/dist/index.mjs"]
+
+[services.production.run.env]
+PORT = "8080"
+NODE_ENV = "production"
+
+[services.production.health.startup]
+path = "/api/healthz"

artifacts/api-server/build.mjs

@@ -0,0 +1,126 @@
+import { createRequire } from "node:module";
+import path from "node:path";
+import { fileURLToPath } from "node:url";
+import { build as esbuild } from "esbuild";
+import esbuildPluginPino from "esbuild-plugin-pino";
+import { rm } from "node:fs/promises";
+
+// Plugins (e.g. 'esbuild-plugin-pino') may use `require` to resolve dependencies
+globalThis.require = createRequire(import.meta.url);
+
+const artifactDir = path.dirname(fileURLToPath(import.meta.url));
+
+async function buildAll() {
+  const distDir = path.resolve(artifactDir, "dist");
+  await rm(distDir, { recursive: true, force: true });
+
+  await esbuild({
+    entryPoints: [path.resolve(artifactDir, "src/index.ts")],
+    platform: "node",
+    bundle: true,
+    format: "esm",
+    outdir: distDir,
+    outExtension: { ".js": ".mjs" },
+    logLevel: "info",
+    // Some packages may not be bundleable, so we externalize them, we can add more here as needed.
+    // Some of the packages below may not be imported or installed, but we're adding them in case they are in the future.
+    // Examples of unbundleable packages:
+    // - uses native modules and loads them dynamically (e.g. sharp)
+    // - use path traversal to read files (e.g. @google-cloud/secret-manager loads sibling .proto files)
+    external: [
+      "*.node",
+      "sharp",
+      "better-sqlite3",
+      "sqlite3",
+      "canvas",
+      "bcrypt",
+      "argon2",
+      "fsevents",
+      "re2",
+      "farmhash",
+      "xxhash-addon",
+      "bufferutil",
+      "utf-8-validate",
+      "ssh2",
+      "cpu-features",
+      "dtrace-provider",
+      "isolated-vm",
+      "lightningcss",
+      "pg-native",
+      "oracledb",
+      "mongodb-client-encryption",
+      "nodemailer",
+      "handlebars",
+      "knex",
+      "typeorm",
+      "protobufjs",
+      "onnxruntime-node",
+      "@tensorflow/*",
+      "@prisma/client",
+      "@mikro-orm/*",
+      "@grpc/*",
+      "@swc/*",
+      "@aws-sdk/*",
+      "@azure/*",
+      "@opentelemetry/*",
+      "@google-cloud/*",
+      "@google/*",
+      "googleapis",
+      "firebase-admin",
+      "@parcel/watcher",
+      "@sentry/profiling-node",
+      "@tree-sitter/*",
+      "aws-sdk",
+      "classic-level",
+      "dd-trace",
+      "ffi-napi",
+      "grpc",
+      "hiredis",
+      "kerberos",
+      "leveldown",
+      "miniflare",
+      "mysql2",
+      "newrelic",
+      "odbc",
+      "piscina",
+      "realm",
+      "ref-napi",
+      "rocksdb",
+      "sass-embedded",
+      "sequelize",
+      "serialport",
+      "snappy",
+      "tinypool",
+      "usb",
+      "workerd",
+      "wrangler",
+      "zeromq",
+      "zeromq-prebuilt",
+      "playwright",
+      "puppeteer",
+      "puppeteer-core",
+      "electron",
+    ],
+    sourcemap: "linked",
+    plugins: [
+      // pino relies on workers to handle logging, instead of externalizing it we use a plugin to handle it
+      esbuildPluginPino({ transports: ["pino-pretty"] })
+    ],
+    // Make sure packages that are cjs only (e.g. express) but are bundled continue to work in our esm output file
+    banner: {
+      js: `import { createRequire as __bannerCrReq } from 'node:module';
+import __bannerPath from 'node:path';
+import __bannerUrl from 'node:url';
+
+globalThis.require = __bannerCrReq(import.meta.url);
+globalThis.__filename = __bannerUrl.fileURLToPath(import.meta.url);
+globalThis.__dirname = __bannerPath.dirname(globalThis.__filename);
+    `,
+    },
+  });
+}
+
+buildAll().catch((err) => {
+  console.error(err);
+  process.exit(1);
+});

artifacts/api-server/dist/thread-stream-worker.mjs

@@ -0,0 +1,228 @@
+import { createRequire as __bannerCrReq } from 'node:module';
+import __bannerPath from 'node:path';
+import __bannerUrl from 'node:url';
+
+globalThis.require = __bannerCrReq(import.meta.url);
+globalThis.__filename = __bannerUrl.fileURLToPath(import.meta.url);
+globalThis.__dirname = __bannerPath.dirname(globalThis.__filename);
+    
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __require = /* @__PURE__ */ ((x) => typeof require !== "undefined" ? require : typeof Proxy !== "undefined" ? new Proxy(x, {
+  get: (a, b) => (typeof require !== "undefined" ? require : a)[b]
+}) : x)(function(x) {
+  if (typeof require !== "undefined") return require.apply(this, arguments);
+  throw Error('Dynamic require of "' + x + '" is not supported');
+});
+var __commonJS = (cb, mod) => function __require2() {
+  return mod || (0, cb[__getOwnPropNames(cb)[0]])((mod = { exports: {} }).exports, mod), mod.exports;
+};
+
+// ../../node_modules/.pnpm/real-require@0.2.0/node_modules/real-require/src/index.js
+var require_src = __commonJS({
+  "../../node_modules/.pnpm/real-require@0.2.0/node_modules/real-require/src/index.js"(exports, module) {
+    var realImport2 = new Function("modulePath", "return import(modulePath)");
+    function realRequire2(modulePath) {
+      if (typeof __non_webpack__require__ === "function") {
+        return __non_webpack__require__(modulePath);
+      }
+      return __require(modulePath);
+    }
+    module.exports = { realImport: realImport2, realRequire: realRequire2 };
+  }
+});
+
+// ../../node_modules/.pnpm/thread-stream@3.1.0/node_modules/thread-stream/lib/indexes.js
+var require_indexes = __commonJS({
+  "../../node_modules/.pnpm/thread-stream@3.1.0/node_modules/thread-stream/lib/indexes.js"(exports, module) {
+    "use strict";
+    var WRITE_INDEX2 = 4;
+    var READ_INDEX2 = 8;
+    module.exports = {
+      WRITE_INDEX: WRITE_INDEX2,
+      READ_INDEX: READ_INDEX2
+    };
+  }
+});
+
+// ../../node_modules/.pnpm/thread-stream@3.1.0/node_modules/thread-stream/lib/wait.js
+var require_wait = __commonJS({
+  "../../node_modules/.pnpm/thread-stream@3.1.0/node_modules/thread-stream/lib/wait.js"(exports, module) {
+    "use strict";
+    var MAX_TIMEOUT = 1e3;
+    function wait(state2, index, expected, timeout, done) {
+      const max = Date.now() + timeout;
+      let current = Atomics.load(state2, index);
+      if (current === expected) {
+        done(null, "ok");
+        return;
+      }
+      let prior = current;
+      const check = (backoff) => {
+        if (Date.now() > max) {
+          done(null, "timed-out");
+        } else {
+          setTimeout(() => {
+            prior = current;
+            current = Atomics.load(state2, index);
+            if (current === prior) {
+              check(backoff >= MAX_TIMEOUT ? MAX_TIMEOUT : backoff * 2);
+            } else {
+              if (current === expected) done(null, "ok");
+              else done(null, "not-equal");
+            }
+          }, backoff);
+        }
+      };
+      check(1);
+    }
+    function waitDiff2(state2, index, expected, timeout, done) {
+      const max = Date.now() + timeout;
+      let current = Atomics.load(state2, index);
+      if (current !== expected) {
+        done(null, "ok");
+        return;
+      }
+      const check = (backoff) => {
+        if (Date.now() > max) {
+          done(null, "timed-out");
+        } else {
+          setTimeout(() => {
+            current = Atomics.load(state2, index);
+            if (current !== expected) {
+              done(null, "ok");
+            } else {
+              check(backoff >= MAX_TIMEOUT ? MAX_TIMEOUT : backoff * 2);
+            }
+          }, backoff);
+        }
+      };
+      check(1);
+    }
+    module.exports = { wait, waitDiff: waitDiff2 };
+  }
+});
+
+// ../../node_modules/.pnpm/thread-stream@3.1.0/node_modules/thread-stream/lib/worker.js
+var { realImport, realRequire } = require_src();
+var { workerData, parentPort } = __require("worker_threads");
+var { WRITE_INDEX, READ_INDEX } = require_indexes();
+var { waitDiff } = require_wait();
+var {
+  dataBuf,
+  filename,
+  stateBuf
+} = workerData;
+var destination;
+var state = new Int32Array(stateBuf);
+var data = Buffer.from(dataBuf);
+async function start() {
+  let worker;
+  try {
+    if (filename.endsWith(".ts") || filename.endsWith(".cts")) {
+      if (!process[/* @__PURE__ */ Symbol.for("ts-node.register.instance")]) {
+        realRequire("ts-node/register");
+      } else if (process.env.TS_NODE_DEV) {
+        realRequire("ts-node-dev");
+      }
+      worker = realRequire(decodeURIComponent(filename.replace(process.platform === "win32" ? "file:///" : "file://", "")));
+    } else {
+      worker = await realImport(filename);
+    }
+  } catch (error) {
+    if ((error.code === "ENOTDIR" || error.code === "ERR_MODULE_NOT_FOUND") && filename.startsWith("file://")) {
+      worker = realRequire(decodeURIComponent(filename.replace("file://", "")));
+    } else if (error.code === void 0 || error.code === "ERR_VM_DYNAMIC_IMPORT_CALLBACK_MISSING") {
+      try {
+        worker = realRequire(decodeURIComponent(filename.replace(process.platform === "win32" ? "file:///" : "file://", "")));
+      } catch {
+        throw error;
+      }
+    } else {
+      throw error;
+    }
+  }
+  if (typeof worker === "object") worker = worker.default;
+  if (typeof worker === "object") worker = worker.default;
+  destination = await worker(workerData.workerData);
+  destination.on("error", function(err) {
+    Atomics.store(state, WRITE_INDEX, -2);
+    Atomics.notify(state, WRITE_INDEX);
+    Atomics.store(state, READ_INDEX, -2);
+    Atomics.notify(state, READ_INDEX);
+    parentPort.postMessage({
+      code: "ERROR",
+      err
+    });
+  });
+  destination.on("close", function() {
+    const end = Atomics.load(state, WRITE_INDEX);
+    Atomics.store(state, READ_INDEX, end);
+    Atomics.notify(state, READ_INDEX);
+    setImmediate(() => {
+      process.exit(0);
+    });
+  });
+}
+start().then(function() {
+  parentPort.postMessage({
+    code: "READY"
+  });
+  process.nextTick(run);
+});
+function run() {
+  const current = Atomics.load(state, READ_INDEX);
+  const end = Atomics.load(state, WRITE_INDEX);
+  if (end === current) {
+    if (end === data.length) {
+      waitDiff(state, READ_INDEX, end, Infinity, run);
+    } else {
+      waitDiff(state, WRITE_INDEX, end, Infinity, run);
+    }
+    return;
+  }
+  if (end === -1) {
+    destination.end();
+    return;
+  }
+  const toWrite = data.toString("utf8", current, end);
+  const res = destination.write(toWrite);
+  if (res) {
+    Atomics.store(state, READ_INDEX, end);
+    Atomics.notify(state, READ_INDEX);
+    setImmediate(run);
+  } else {
+    destination.once("drain", function() {
+      Atomics.store(state, READ_INDEX, end);
+      Atomics.notify(state, READ_INDEX);
+      run();
+    });
+  }
+}
+process.on("unhandledRejection", function(err) {
+  parentPort.postMessage({
+    code: "ERROR",
+    err
+  });
+  process.exit(1);
+});
+process.on("uncaughtException", function(err) {
+  parentPort.postMessage({
+    code: "ERROR",
+    err
+  });
+  process.exit(1);
+});
+process.once("exit", (exitCode) => {
+  if (exitCode !== 0) {
+    process.exit(exitCode);
+    return;
+  }
+  if (destination?.writableNeedDrain && !destination?.writableEnded) {
+    parentPort.postMessage({
+      code: "WARNING",
+      err: new Error("ThreadStream: process exited before destination stream was drained. this may indicate that the destination stream try to write to a another missing stream")
+    });
+  }
+  process.exit(0);
+});
+//# sourceMappingURL=thread-stream-worker.mjs.map

artifacts/api-server/dist/thread-stream-worker.mjs.map

@@ -0,0 +1,7 @@
+{
+  "version": 3,
+  "sources": ["../../../node_modules/.pnpm/real-require@0.2.0/node_modules/real-require/src/index.js", "../../../node_modules/.pnpm/thread-stream@3.1.0/node_modules/thread-stream/lib/indexes.js", "../../../node_modules/.pnpm/thread-stream@3.1.0/node_modules/thread-stream/lib/wait.js", "../../../node_modules/.pnpm/thread-stream@3.1.0/node_modules/thread-stream/lib/worker.js"],
+  "sourcesContent": ["/* eslint-disable no-new-func, camelcase */\n/* globals __non_webpack__require__ */\n\nconst realImport = new Function('modulePath', 'return import(modulePath)')\n\nfunction realRequire(modulePath) {\n  if (typeof __non_webpack__require__ === 'function') {\n    return __non_webpack__require__(modulePath)\n  }\n\n  return require(modulePath)\n}\n\nmodule.exports = { realImport, realRequire }\n", "'use strict'\n\nconst WRITE_INDEX = 4\nconst READ_INDEX = 8\n\nmodule.exports = {\n  WRITE_INDEX,\n  READ_INDEX\n}\n", "'use strict'\n\nconst MAX_TIMEOUT = 1000\n\nfunction wait (state, index, expected, timeout, done) {\n  const max = Date.now() + timeout\n  let current = Atomics.load(state, index)\n  if (current === expected) {\n    done(null, 'ok')\n    return\n  }\n  let prior = current\n  const check = (backoff) => {\n    if (Date.now() > max) {\n      done(null, 'timed-out')\n    } else {\n      setTimeout(() => {\n        prior = current\n        current = Atomics.load(state, index)\n        if (current === prior) {\n          check(backoff >= MAX_TIMEOUT ? MAX_TIMEOUT : backoff * 2)\n        } else {\n          if (current === expected) done(null, 'ok')\n          else done(null, 'not-equal')\n        }\n      }, backoff)\n    }\n  }\n  check(1)\n}\n\n// let waitDiffCount = 0\nfunction waitDiff (state, index, expected, timeout, done) {\n  // const id = waitDiffCount++\n  // process._rawDebug(`>>> waitDiff ${id}`)\n  const max = Date.now() + timeout\n  let current = Atomics.load(state, index)\n  if (current !== expected) {\n    done(null, 'ok')\n    return\n  }\n  const check = (backoff) => {\n    // process._rawDebug(`${id} ${index} current ${current} expected ${expected}`)\n    // process._rawDebug('' + backoff)\n    if (Date.now() > max) {\n      done(null, 'timed-out')\n    } else {\n      setTimeout(() => {\n        current = Atomics.load(state, index)\n        if (current !== expected) {\n          done(null, 'ok')\n        } else {\n          check(backoff >= MAX_TIMEOUT ? MAX_TIMEOUT : backoff * 2)\n        }\n      }, backoff)\n    }\n  }\n  check(1)\n}\n\nmodule.exports = { wait, waitDiff }\n", "'use strict'\n\nconst { realImport, realRequire } = require('real-require')\nconst { workerData, parentPort } = require('worker_threads')\nconst { WRITE_INDEX, READ_INDEX } = require('./indexes')\nconst { waitDiff } = require('./wait')\n\nconst {\n  dataBuf,\n  filename,\n  stateBuf\n} = workerData\n\nlet destination\n\nconst state = new Int32Array(stateBuf)\nconst data = Buffer.from(dataBuf)\n\nasync function start () {\n  let worker\n  try {\n    if (filename.endsWith('.ts') || filename.endsWith('.cts')) {\n      // TODO: add support for the TSM modules loader ( https://github.com/lukeed/tsm ).\n      if (!process[Symbol.for('ts-node.register.instance')]) {\n        realRequire('ts-node/register')\n      } else if (process.env.TS_NODE_DEV) {\n        realRequire('ts-node-dev')\n      }\n      // TODO: Support ES imports once tsc, tap & ts-node provide better compatibility guarantees.\n      // Remove extra forwardslash on Windows\n      worker = realRequire(decodeURIComponent(filename.replace(process.platform === 'win32' ? 'file:///' : 'file://', '')))\n    } else {\n      worker = (await realImport(filename))\n    }\n  } catch (error) {\n    // A yarn user that tries to start a ThreadStream for an external module\n    // provides a filename pointing to a zip file.\n    // eg. require.resolve('pino-elasticsearch') // returns /foo/pino-elasticsearch-npm-6.1.0-0c03079478-6915435172.zip/bar.js\n    // The `import` will fail to try to load it.\n    // This catch block executes the `require` fallback to load the module correctly.\n    // In fact, yarn modifies the `require` function to manage the zipped path.\n    // More details at https://github.com/pinojs/pino/pull/1113\n    // The error codes may change based on the node.js version (ENOTDIR > 12, ERR_MODULE_NOT_FOUND <= 12 )\n    if ((error.code === 'ENOTDIR' || error.code === 'ERR_MODULE_NOT_FOUND') &&\n     filename.startsWith('file://')) {\n      worker = realRequire(decodeURIComponent(filename.replace('file://', '')))\n    } else if (error.code === undefined || error.code === 'ERR_VM_DYNAMIC_IMPORT_CALLBACK_MISSING') {\n      // When bundled with pkg, an undefined error is thrown when called with realImport\n      // When bundled with pkg and using node v20, an ERR_VM_DYNAMIC_IMPORT_CALLBACK_MISSING error is thrown when called with realImport\n      // More info at: https://github.com/pinojs/thread-stream/issues/143\n      try {\n        worker = realRequire(decodeURIComponent(filename.replace(process.platform === 'win32' ? 'file:///' : 'file://', '')))\n      } catch {\n        throw error\n      }\n    } else {\n      throw error\n    }\n  }\n\n  // Depending on how the default export is performed, and on how the code is\n  // transpiled, we may find cases of two nested \"default\" objects.\n  // See https://github.com/pinojs/pino/issues/1243#issuecomment-982774762\n  if (typeof worker === 'object') worker = worker.default\n  if (typeof worker === 'object') worker = worker.default\n\n  destination = await worker(workerData.workerData)\n\n  destination.on('error', function (err) {\n    Atomics.store(state, WRITE_INDEX, -2)\n    Atomics.notify(state, WRITE_INDEX)\n\n    Atomics.store(state, READ_INDEX, -2)\n    Atomics.notify(state, READ_INDEX)\n\n    parentPort.postMessage({\n      code: 'ERROR',\n      err\n    })\n  })\n\n  destination.on('close', function () {\n    // process._rawDebug('worker close emitted')\n    const end = Atomics.load(state, WRITE_INDEX)\n    Atomics.store(state, READ_INDEX, end)\n    Atomics.notify(state, READ_INDEX)\n    setImmediate(() => {\n      process.exit(0)\n    })\n  })\n}\n\n// No .catch() handler,\n// in case there is an error it goes\n// to unhandledRejection\nstart().then(function () {\n  parentPort.postMessage({\n    code: 'READY'\n  })\n\n  process.nextTick(run)\n})\n\nfunction run () {\n  const current = Atomics.load(state, READ_INDEX)\n  const end = Atomics.load(state, WRITE_INDEX)\n\n  // process._rawDebug(`pre state ${current} ${end}`)\n\n  if (end === current) {\n    if (end === data.length) {\n      waitDiff(state, READ_INDEX, end, Infinity, run)\n    } else {\n      waitDiff(state, WRITE_INDEX, end, Infinity, run)\n    }\n    return\n  }\n\n  // process._rawDebug(`post state ${current} ${end}`)\n\n  if (end === -1) {\n    // process._rawDebug('end')\n    destination.end()\n    return\n  }\n\n  const toWrite = data.toString('utf8', current, end)\n  // process._rawDebug('worker writing: ' + toWrite)\n\n  const res = destination.write(toWrite)\n\n  if (res) {\n    Atomics.store(state, READ_INDEX, end)\n    Atomics.notify(state, READ_INDEX)\n    setImmediate(run)\n  } else {\n    destination.once('drain', function () {\n      Atomics.store(state, READ_INDEX, end)\n      Atomics.notify(state, READ_INDEX)\n      run()\n    })\n  }\n}\n\nprocess.on('unhandledRejection', function (err) {\n  parentPort.postMessage({\n    code: 'ERROR',\n    err\n  })\n  process.exit(1)\n})\n\nprocess.on('uncaughtException', function (err) {\n  parentPort.postMessage({\n    code: 'ERROR',\n    err\n  })\n  process.exit(1)\n})\n\nprocess.once('exit', exitCode => {\n  if (exitCode !== 0) {\n    process.exit(exitCode)\n    return\n  }\n  if (destination?.writableNeedDrain && !destination?.writableEnded) {\n    parentPort.postMessage({\n      code: 'WARNING',\n      err: new Error('ThreadStream: process exited before destination stream was drained. this may indicate that the destination stream try to write to a another missing stream')\n    })\n  }\n\n  process.exit(0)\n})\n"],
+  "mappings": ";;;;;;;;;;;;;;;;;;;;AAAA;AAAA;AAGA,QAAMA,cAAa,IAAI,SAAS,cAAc,2BAA2B;AAEzE,aAASC,aAAY,YAAY;AAC/B,UAAI,OAAO,6BAA6B,YAAY;AAClD,eAAO,yBAAyB,UAAU;AAAA,MAC5C;AAEA,aAAO,UAAQ,UAAU;AAAA,IAC3B;AAEA,WAAO,UAAU,EAAE,YAAAD,aAAY,aAAAC,aAAY;AAAA;AAAA;;;ACb3C;AAAA;AAAA;AAEA,QAAMC,eAAc;AACpB,QAAMC,cAAa;AAEnB,WAAO,UAAU;AAAA,MACf,aAAAD;AAAA,MACA,YAAAC;AAAA,IACF;AAAA;AAAA;;;ACRA;AAAA;AAAA;AAEA,QAAM,cAAc;AAEpB,aAAS,KAAMC,QAAO,OAAO,UAAU,SAAS,MAAM;AACpD,YAAM,MAAM,KAAK,IAAI,IAAI;AACzB,UAAI,UAAU,QAAQ,KAAKA,QAAO,KAAK;AACvC,UAAI,YAAY,UAAU;AACxB,aAAK,MAAM,IAAI;AACf;AAAA,MACF;AACA,UAAI,QAAQ;AACZ,YAAM,QAAQ,CAAC,YAAY;AACzB,YAAI,KAAK,IAAI,IAAI,KAAK;AACpB,eAAK,MAAM,WAAW;AAAA,QACxB,OAAO;AACL,qBAAW,MAAM;AACf,oBAAQ;AACR,sBAAU,QAAQ,KAAKA,QAAO,KAAK;AACnC,gBAAI,YAAY,OAAO;AACrB,oBAAM,WAAW,cAAc,cAAc,UAAU,CAAC;AAAA,YAC1D,OAAO;AACL,kBAAI,YAAY,SAAU,MAAK,MAAM,IAAI;AAAA,kBACpC,MAAK,MAAM,WAAW;AAAA,YAC7B;AAAA,UACF,GAAG,OAAO;AAAA,QACZ;AAAA,MACF;AACA,YAAM,CAAC;AAAA,IACT;AAGA,aAASC,UAAUD,QAAO,OAAO,UAAU,SAAS,MAAM;AAGxD,YAAM,MAAM,KAAK,IAAI,IAAI;AACzB,UAAI,UAAU,QAAQ,KAAKA,QAAO,KAAK;AACvC,UAAI,YAAY,UAAU;AACxB,aAAK,MAAM,IAAI;AACf;AAAA,MACF;AACA,YAAM,QAAQ,CAAC,YAAY;AAGzB,YAAI,KAAK,IAAI,IAAI,KAAK;AACpB,eAAK,MAAM,WAAW;AAAA,QACxB,OAAO;AACL,qBAAW,MAAM;AACf,sBAAU,QAAQ,KAAKA,QAAO,KAAK;AACnC,gBAAI,YAAY,UAAU;AACxB,mBAAK,MAAM,IAAI;AAAA,YACjB,OAAO;AACL,oBAAM,WAAW,cAAc,cAAc,UAAU,CAAC;AAAA,YAC1D;AAAA,UACF,GAAG,OAAO;AAAA,QACZ;AAAA,MACF;AACA,YAAM,CAAC;AAAA,IACT;AAEA,WAAO,UAAU,EAAE,MAAM,UAAAC,UAAS;AAAA;AAAA;;;AC1DlC,IAAM,EAAE,YAAY,YAAY,IAAI;AACpC,IAAM,EAAE,YAAY,WAAW,IAAI,UAAQ,gBAAgB;AAC3D,IAAM,EAAE,aAAa,WAAW,IAAI;AACpC,IAAM,EAAE,SAAS,IAAI;AAErB,IAAM;AAAA,EACJ;AAAA,EACA;AAAA,EACA;AACF,IAAI;AAEJ,IAAI;AAEJ,IAAM,QAAQ,IAAI,WAAW,QAAQ;AACrC,IAAM,OAAO,OAAO,KAAK,OAAO;AAEhC,eAAe,QAAS;AACtB,MAAI;AACJ,MAAI;AACF,QAAI,SAAS,SAAS,KAAK,KAAK,SAAS,SAAS,MAAM,GAAG;AAEzD,UAAI,CAAC,QAAQ,uBAAO,IAAI,2BAA2B,CAAC,GAAG;AACrD,oBAAY,kBAAkB;AAAA,MAChC,WAAW,QAAQ,IAAI,aAAa;AAClC,oBAAY,aAAa;AAAA,MAC3B;AAGA,eAAS,YAAY,mBAAmB,SAAS,QAAQ,QAAQ,aAAa,UAAU,aAAa,WAAW,EAAE,CAAC,CAAC;AAAA,IACtH,OAAO;AACL,eAAU,MAAM,WAAW,QAAQ;AAAA,IACrC;AAAA,EACF,SAAS,OAAO;AASd,SAAK,MAAM,SAAS,aAAa,MAAM,SAAS,2BAC/C,SAAS,WAAW,SAAS,GAAG;AAC/B,eAAS,YAAY,mBAAmB,SAAS,QAAQ,WAAW,EAAE,CAAC,CAAC;AAAA,IAC1E,WAAW,MAAM,SAAS,UAAa,MAAM,SAAS,0CAA0C;AAI9F,UAAI;AACF,iBAAS,YAAY,mBAAmB,SAAS,QAAQ,QAAQ,aAAa,UAAU,aAAa,WAAW,EAAE,CAAC,CAAC;AAAA,MACtH,QAAQ;AACN,cAAM;AAAA,MACR;AAAA,IACF,OAAO;AACL,YAAM;AAAA,IACR;AAAA,EACF;AAKA,MAAI,OAAO,WAAW,SAAU,UAAS,OAAO;AAChD,MAAI,OAAO,WAAW,SAAU,UAAS,OAAO;AAEhD,gBAAc,MAAM,OAAO,WAAW,UAAU;AAEhD,cAAY,GAAG,SAAS,SAAU,KAAK;AACrC,YAAQ,MAAM,OAAO,aAAa,EAAE;AACpC,YAAQ,OAAO,OAAO,WAAW;AAEjC,YAAQ,MAAM,OAAO,YAAY,EAAE;AACnC,YAAQ,OAAO,OAAO,UAAU;AAEhC,eAAW,YAAY;AAAA,MACrB,MAAM;AAAA,MACN;AAAA,IACF,CAAC;AAAA,EACH,CAAC;AAED,cAAY,GAAG,SAAS,WAAY;AAElC,UAAM,MAAM,QAAQ,KAAK,OAAO,WAAW;AAC3C,YAAQ,MAAM,OAAO,YAAY,GAAG;AACpC,YAAQ,OAAO,OAAO,UAAU;AAChC,iBAAa,MAAM;AACjB,cAAQ,KAAK,CAAC;AAAA,IAChB,CAAC;AAAA,EACH,CAAC;AACH;AAKA,MAAM,EAAE,KAAK,WAAY;AACvB,aAAW,YAAY;AAAA,IACrB,MAAM;AAAA,EACR,CAAC;AAED,UAAQ,SAAS,GAAG;AACtB,CAAC;AAED,SAAS,MAAO;AACd,QAAM,UAAU,QAAQ,KAAK,OAAO,UAAU;AAC9C,QAAM,MAAM,QAAQ,KAAK,OAAO,WAAW;AAI3C,MAAI,QAAQ,SAAS;AACnB,QAAI,QAAQ,KAAK,QAAQ;AACvB,eAAS,OAAO,YAAY,KAAK,UAAU,GAAG;AAAA,IAChD,OAAO;AACL,eAAS,OAAO,aAAa,KAAK,UAAU,GAAG;AAAA,IACjD;AACA;AAAA,EACF;AAIA,MAAI,QAAQ,IAAI;AAEd,gBAAY,IAAI;AAChB;AAAA,EACF;AAEA,QAAM,UAAU,KAAK,SAAS,QAAQ,SAAS,GAAG;AAGlD,QAAM,MAAM,YAAY,MAAM,OAAO;AAErC,MAAI,KAAK;AACP,YAAQ,MAAM,OAAO,YAAY,GAAG;AACpC,YAAQ,OAAO,OAAO,UAAU;AAChC,iBAAa,GAAG;AAAA,EAClB,OAAO;AACL,gBAAY,KAAK,SAAS,WAAY;AACpC,cAAQ,MAAM,OAAO,YAAY,GAAG;AACpC,cAAQ,OAAO,OAAO,UAAU;AAChC,UAAI;AAAA,IACN,CAAC;AAAA,EACH;AACF;AAEA,QAAQ,GAAG,sBAAsB,SAAU,KAAK;AAC9C,aAAW,YAAY;AAAA,IACrB,MAAM;AAAA,IACN;AAAA,EACF,CAAC;AACD,UAAQ,KAAK,CAAC;AAChB,CAAC;AAED,QAAQ,GAAG,qBAAqB,SAAU,KAAK;AAC7C,aAAW,YAAY;AAAA,IACrB,MAAM;AAAA,IACN;AAAA,EACF,CAAC;AACD,UAAQ,KAAK,CAAC;AAChB,CAAC;AAED,QAAQ,KAAK,QAAQ,cAAY;AAC/B,MAAI,aAAa,GAAG;AAClB,YAAQ,KAAK,QAAQ;AACrB;AAAA,EACF;AACA,MAAI,aAAa,qBAAqB,CAAC,aAAa,eAAe;AACjE,eAAW,YAAY;AAAA,MACrB,MAAM;AAAA,MACN,KAAK,IAAI,MAAM,4JAA4J;AAAA,IAC7K,CAAC;AAAA,EACH;AAEA,UAAQ,KAAK,CAAC;AAChB,CAAC;",
+  "names": ["realImport", "realRequire", "WRITE_INDEX", "READ_INDEX", "state", "waitDiff"]
+}

artifacts/api-server/package.json

@@ -0,0 +1,45 @@
+{
+  "name": "@workspace/api-server",
+  "version": "0.0.0",
+  "private": true,
+  "type": "module",
+  "scripts": {
+    "dev": "export NODE_ENV=development && pnpm run build && pnpm run start",
+    "build": "node ./build.mjs",
+    "start": "node --enable-source-maps ./dist/index.mjs",
+    "typecheck": "tsc -p tsconfig.json --noEmit"
+  },
+  "dependencies": {
+    "@aws-sdk/client-s3": "^3.1024.0",
+    "@aws-sdk/lib-storage": "^3.1024.0",
+    "@clerk/express": "^2.0.8",
+    "@google-cloud/storage": "^7.19.0",
+    "@workspace/api-zod": "workspace:*",
+    "@workspace/db": "workspace:*",
+    "bcryptjs": "^3.0.3",
+    "cookie-parser": "^1.4.7",
+    "cors": "^2",
+    "crypto": "^1.0.1",
+    "drizzle-orm": "catalog:",
+    "express": "^5",
+    "google-auth-library": "^10.6.2",
+    "http-proxy-middleware": "^3.0.5",
+    "jsonwebtoken": "^9.0.3",
+    "multer": "^2.1.1",
+    "pino": "^9",
+    "pino-http": "^10"
+  },
+  "devDependencies": {
+    "@types/bcryptjs": "^3.0.0",
+    "@types/cookie-parser": "^1.4.10",
+    "@types/cors": "^2.8.19",
+    "@types/express": "^5.0.6",
+    "@types/jsonwebtoken": "^9.0.10",
+    "@types/multer": "^2.1.0",
+    "@types/node": "catalog:",
+    "esbuild": "^0.27.3",
+    "esbuild-plugin-pino": "^2.3.3",
+    "pino-pretty": "^13",
+    "thread-stream": "3.1.0"
+  }
+}

artifacts/api-server/src/app.ts

@@ -0,0 +1,44 @@
+import express, { type Express } from "express";
+import cors from "cors";
+import cookieParser from "cookie-parser";
+import pinoHttp from "pino-http";
+import router from "./routes";
+import openaiRouter from "./routes/openai";
+import publicRouter from "./routes/public";
+import accountsRouter from "./routes/accounts";
+import { logger } from "./lib/logger";
+
+const app: Express = express();
+
+app.use(
+  pinoHttp({
+    logger,
+    serializers: {
+      req(req) {
+        return {
+          id: req.id,
+          method: req.method,
+          url: req.url?.split("?")[0],
+        };
+      },
+      res(res) {
+        return {
+          statusCode: res.statusCode,
+        };
+      },
+    },
+  }),
+);
+
+app.use(cors({ credentials: true, origin: true }));
+app.use(cookieParser());
+app.use(express.json({ limit: "20mb" }));
+app.use(express.urlencoded({ extended: true, limit: "20mb" }));
+
+app.use("/api/public", publicRouter);
+app.use("/api/admin/accounts", accountsRouter);
+app.use("/api", router);
+app.use("/v1", openaiRouter);
+app.use("/api/v1", openaiRouter);
+
+export default app;

artifacts/api-server/src/captcha.ts

@@ -0,0 +1,298 @@
+/**
+ * Turnstile token resolver — 三層優先策略：
+ *
+ *  1. 自建 Playwright 求解器（playwright_solver_url 已設定）
+ *  2. CapSolver API（capsolver_api_key 已設定）
+ *  3. 回退 bypass token（必然失敗，但有清楚錯誤訊息）
+ *
+ * Token 快取 4.5 分鐘（geminigen.ai Turnstile token 約 5 分鐘有效）。
+ */
+
+import { db, configTable } from "@workspace/db";
+import { eq } from "drizzle-orm";
+
+const CAPSOLVER_URL = "https://api.capsolver.com";
+const YESCAPTCHA_URL = "https://api.yescaptcha.com";
+const TURNSTILE_SITE_KEY = "0x4AAAAAACDBydnKT0zYzh2H";
+const TURNSTILE_PAGE_URL = "https://geminigen.ai";
+const TOKEN_TTL_MS = 270_000; // 4.5 minutes
+
+interface CachedToken {
+  token: string;
+  expiresAt: number;
+}
+
+let cachedToken: CachedToken | null = null;
+
+// ─── DB helper ────────────────────────────────────────────────────────────────
+
+async function getConfig(key: string): Promise<string | null> {
+  try {
+    const rows = await db
+      .select()
+      .from(configTable)
+      .where(eq(configTable.key, key))
+      .limit(1);
+    return rows[0]?.value?.trim() || null;
+  } catch {
+    return null;
+  }
+}
+
+// ─── Strategy 1: Self-hosted Playwright solver ────────────────────────────────
+
+async function solveWithPlaywright(solverUrl: string): Promise<string | null> {
+  try {
+    const solverSecret = await getConfig("playwright_solver_secret");
+    const headers: Record<string, string> = {
+      "Content-Type": "application/json",
+    };
+    if (solverSecret) headers["X-Solver-Secret"] = solverSecret;
+
+    console.log(`[captcha] Calling Playwright solver: ${solverUrl}`);
+    const resp = await fetch(solverUrl, {
+      method: "POST",
+      headers,
+      body: JSON.stringify({}),
+      signal: AbortSignal.timeout(55_000),
+    });
+
+    const data = (await resp.json()) as {
+      token?: string;
+      cached?: boolean;
+      solvedInMs?: number;
+      error?: string;
+    };
+
+    if (!resp.ok || !data.token) {
+      console.error(
+        `[captcha] Playwright solver error (${resp.status}): ${data.error || "no token"}`
+      );
+      return null;
+    }
+
+    console.log(
+      `[captcha] Playwright solved — cached=${data.cached}, ms=${data.solvedInMs ?? "N/A"}`
+    );
+    return data.token;
+  } catch (err: any) {
+    console.error(`[captcha] Playwright solver fetch error: ${err?.message}`);
+    return null;
+  }
+}
+
+// ─── Strategy 2: CapSolver API ────────────────────────────────────────────────
+
+async function solveWithCapsolver(apiKey: string): Promise<string | null> {
+  try {
+    const createResp = await fetch(`${CAPSOLVER_URL}/createTask`, {
+      method: "POST",
+      headers: { "Content-Type": "application/json" },
+      body: JSON.stringify({
+        clientKey: apiKey,
+        task: {
+          type: "AntiTurnstileTaskProxyless",
+          websiteURL: TURNSTILE_PAGE_URL,
+          websiteKey: TURNSTILE_SITE_KEY,
+        },
+      }),
+    });
+
+    const createData = (await createResp.json()) as {
+      errorId?: number;
+      errorCode?: string;
+      errorDescription?: string;
+      taskId?: string;
+    };
+
+    if (createData.errorId || !createData.taskId) {
+      console.error(
+        `[captcha] CapSolver create error: ${createData.errorCode} — ${createData.errorDescription}`
+      );
+      return null;
+    }
+
+    const taskId = createData.taskId;
+    console.log(`[captcha] CapSolver task created: ${taskId}`);
+
+    const maxWait = 120_000;
+    const start = Date.now();
+    while (Date.now() - start < maxWait) {
+      await new Promise((r) => setTimeout(r, 3000));
+
+      const resultResp = await fetch(`${CAPSOLVER_URL}/getTaskResult`, {
+        method: "POST",
+        headers: { "Content-Type": "application/json" },
+        body: JSON.stringify({ clientKey: apiKey, taskId }),
+      });
+
+      const resultData = (await resultResp.json()) as {
+        errorId?: number;
+        errorCode?: string;
+        status?: string;
+        solution?: { token?: string };
+      };
+
+      if (resultData.errorId) {
+        console.error(`[captcha] CapSolver result error: ${resultData.errorCode}`);
+        return null;
+      }
+
+      if (resultData.status === "ready") {
+        const token = resultData.solution?.token;
+        if (token) {
+          console.log(`[captcha] CapSolver solved! Token: ${token.substring(0, 20)}...`);
+          return token;
+        }
+        return null;
+      }
+    }
+
+    console.error("[captcha] CapSolver timed out after 120s");
+    return null;
+  } catch (err: any) {
+    console.error(`[captcha] CapSolver error: ${err?.message}`);
+    return null;
+  }
+}
+
+// ─── Strategy 3: YesCaptcha API ──��───────────────────────────────────────────
+
+async function solveWithYesCaptcha(apiKey: string): Promise<string | null> {
+  try {
+    const createResp = await fetch(`${YESCAPTCHA_URL}/createTask`, {
+      method: "POST",
+      headers: { "Content-Type": "application/json" },
+      body: JSON.stringify({
+        clientKey: apiKey,
+        task: {
+          type: "TurnstileTaskProxylessM1",
+          websiteURL: TURNSTILE_PAGE_URL,
+          websiteKey: TURNSTILE_SITE_KEY,
+        },
+      }),
+    });
+
+    const createData = (await createResp.json()) as {
+      errorId?: number;
+      errorCode?: string;
+      errorDescription?: string;
+      taskId?: string;
+    };
+
+    if (createData.errorId || !createData.taskId) {
+      console.error(
+        `[captcha] YesCaptcha create error: ${createData.errorCode} — ${createData.errorDescription}`
+      );
+      return null;
+    }
+
+    const taskId = createData.taskId;
+    console.log(`[captcha] YesCaptcha task created: ${taskId}`);
+
+    const maxWait = 120_000;
+    const start = Date.now();
+    while (Date.now() - start < maxWait) {
+      await new Promise((r) => setTimeout(r, 3000));
+
+      const resultResp = await fetch(`${YESCAPTCHA_URL}/getTaskResult`, {
+        method: "POST",
+        headers: { "Content-Type": "application/json" },
+        body: JSON.stringify({ clientKey: apiKey, taskId }),
+      });
+
+      const resultData = (await resultResp.json()) as {
+        errorId?: number;
+        errorCode?: string;
+        status?: string;
+        solution?: { token?: string };
+      };
+
+      if (resultData.errorId) {
+        console.error(`[captcha] YesCaptcha result error: ${resultData.errorCode}`);
+        return null;
+      }
+
+      if (resultData.status === "ready") {
+        const token = resultData.solution?.token;
+        if (token) {
+          console.log(`[captcha] YesCaptcha solved! Token: ${token.substring(0, 20)}...`);
+          return token;
+        }
+        return null;
+      }
+    }
+
+    console.error("[captcha] YesCaptcha timed out after 120s");
+    return null;
+  } catch (err: any) {
+    console.error(`[captcha] YesCaptcha error: ${err?.message}`);
+    return null;
+  }
+}
+
+// ─── Public API ───────────────────────────────────────────────────────────────
+
+/**
+ * Get a valid Cloudflare Turnstile token for geminigen.ai.
+ *
+ * Priority:
+ *   1. Self-hosted Playwright solver  (playwright_solver_url in config)  — 免費
+ *   2. YesCaptcha API                 (yescaptcha_api_key in config)     — 有免費額度
+ *   3. CapSolver API                  (capsolver_api_key in config)      — 付費備援
+ *   4. Bypass placeholder             (will fail — no solver configured)
+ */
+export async function getTurnstileToken(): Promise<string> {
+  if (cachedToken && cachedToken.expiresAt > Date.now()) {
+    console.log("[captcha] Using cached Turnstile token");
+    return cachedToken.token;
+  }
+
+  let token: string | null = null;
+
+  // Strategy 1: Self-hosted Playwright solver
+  const solverUrl = await getConfig("playwright_solver_url");
+  if (solverUrl) {
+    token = await solveWithPlaywright(solverUrl);
+    if (token) {
+      cachedToken = { token, expiresAt: Date.now() + TOKEN_TTL_MS };
+      return token;
+    }
+    console.warn("[captcha] Playwright solver failed — trying YesCaptcha");
+  }
+
+  // Strategy 2: YesCaptcha
+  const yescaptchaKey = await getConfig("yescaptcha_api_key");
+  if (yescaptchaKey) {
+    token = await solveWithYesCaptcha(yescaptchaKey);
+    if (token) {
+      cachedToken = { token, expiresAt: Date.now() + TOKEN_TTL_MS };
+      return token;
+    }
+    console.warn("[captcha] YesCaptcha failed — trying CapSolver");
+  }
+
+  // Strategy 3: CapSolver
+  const capsolverKey = await getConfig("capsolver_api_key");
+  if (capsolverKey) {
+    token = await solveWithCapsolver(capsolverKey);
+    if (token) {
+      cachedToken = { token, expiresAt: Date.now() + TOKEN_TTL_MS };
+      return token;
+    }
+    console.warn("[captcha] CapSolver failed — no further fallback");
+  }
+
+  if (!solverUrl && !yescaptchaKey && !capsolverKey) {
+    console.warn(
+      "[captcha] No Turnstile solver configured — set playwright_solver_url, yescaptcha_api_key, or capsolver_api_key in Admin → Config"
+    );
+  }
+
+  return "TURNSTILE_BYPASS";
+}
+
+/** Force-clear the cached token (e.g., if geminigen.ai rejects it) */
+export function invalidateTurnstileToken(): void {
+  cachedToken = null;
+}

artifacts/api-server/src/guardId.ts

@@ -0,0 +1,91 @@
+/**
+ * geminigen.ai x-guard-id header generator
+ *
+ * Reverse-engineered from geminigen.ai/_nuxt/nBh81x6X.js
+ * Constants extracted from: window.__NUXT__.config.public.antibot
+ *
+ * Algorithm:
+ *   stableId   = 22-char alphanumeric string (persistent per server instance)
+ *   timeBucket = Math.floor(Date.now() / 60000)  — changes every 60 seconds
+ *   domFp      = "0".repeat(32)                  — server has no DOM
+ *
+ *   hmacKey    = SHA256(`${SECRET_KEY}:${stableId}`).slice(0, 32)
+ *   signHash   = SHA256(`${path}:${METHOD}:${hmacKey}:${timeBucket}:${SECRET_KEY}`)
+ *
+ *   payload    = [0x01, ...hexBytes(hmacKey),   // 16 bytes
+ *                       ...uint32BE(timeBucket), //  4 bytes
+ *                       ...hexBytes(signHash),   // 32 bytes
+ *                       ...hexBytes(domFp)]      // 16 bytes  → 69 bytes total
+ *
+ *   x-guard-id = base64url(payload)  (no padding)
+ */
+
+import { createHash, randomBytes } from "crypto";
+
+const SECRET_KEY      = "45NPBH$&";
+const TIME_BUCKET_MS  = 60_000;
+const STABLE_ID_LEN   = 22;
+const DOM_FP          = "0".repeat(32); // 32 hex zeros → 16 zero bytes
+
+// ── One stable-id per server instance ────────────────────────────────────────
+function makeStableId(): string {
+  const rand  = randomBytes(16).toString("hex");
+  const hash  = createHash("sha256").update(`server:${rand}`).digest("hex");
+  // Take alphanumeric chars from the hex (all are [0-9a-f] so fine for [A-Za-z0-9])
+  return hash.slice(0, STABLE_ID_LEN);
+}
+
+let _stableId: string = makeStableId();
+
+/** Replace the stable-id (e.g., if you want to rotate it). */
+export function rotateStableId(): void { _stableId = makeStableId(); }
+
+// ── Helpers ───────────────────────────────────────────────────────────────────
+
+/** SHA-256 of a UTF-8 string → lowercase hex (64 chars). */
+function sha256(str: string): string {
+  return createHash("sha256").update(str, "utf8").digest("hex");
+}
+
+/** Convert a hex string to a byte array (every 2 hex chars → 1 byte). */
+function hexToBytes(hex: string): number[] {
+  const bytes: number[] = [];
+  for (let i = 0; i < hex.length; i += 2) {
+    bytes.push(parseInt(hex.substring(i, 2 + i), 16));
+  }
+  return bytes;
+}
+
+/** Encode uint32 as 4 big-endian bytes. */
+function uint32BE(n: number): number[] {
+  return [(n >>> 24) & 255, (n >>> 16) & 255, (n >>> 8) & 255, n & 255];
+}
+
+// ── Public API ─────────────────────────────────────────────────────────────────
+
+/**
+ * Generate the `x-guard-id` header value for a given API path + HTTP method.
+ *
+ * @param path   e.g. "/api/video-gen/grok-stream"
+ * @param method e.g. "post"
+ */
+export function generateGuardId(path: string, method: string): string {
+  const stableId   = _stableId;
+  const timeBucket = Math.floor(Date.now() / TIME_BUCKET_MS);
+
+  // hmacKey: first 32 hex chars of SHA256("${SECRET_KEY}:${stableId}") → 16 bytes
+  const hmacKey  = sha256(`${SECRET_KEY}:${stableId}`).slice(0, 32);
+
+  // signHash: full 64-hex SHA256 → 32 bytes
+  const signHash = sha256(`${path}:${method.toUpperCase()}:${hmacKey}:${timeBucket}:${SECRET_KEY}`);
+
+  const payload: number[] = [
+    1,                              // version byte (LK = 1)
+    ...hexToBytes(hmacKey),         // 16 bytes
+    ...uint32BE(timeBucket),        // 4 bytes
+    ...hexToBytes(signHash),        // 32 bytes
+    ...hexToBytes(DOM_FP),          // 16 bytes
+  ];
+
+  return Buffer.from(payload).toString("base64url"); // Node ≥ 16, no trailing =
+}

artifacts/api-server/src/index.ts

@@ -0,0 +1,20 @@
+import app from "./app";
+import { logger } from "./lib/logger";
+
+const rawPort = process.env["PORT"] || "7860";
+
+const port = Number(rawPort);
+
+if (Number.isNaN(port) || port <= 0) {
+  throw new Error(`Invalid PORT value: "${rawPort}"`);
+}
+
+app.listen(port, async (err) => {
+  if (err) {
+    logger.error({ err }, "Error listening on port");
+    process.exit(1);
+  }
+
+  logger.info({ port }, "Server listening on Hugging Face Space");
+  logger.info("Token refresh is handled on-demand (no background loop)");
+});

artifacts/api-server/src/lib/localTempStorage.ts

@@ -0,0 +1,167 @@
+import { randomUUID } from "crypto";
+import fs from "fs";
+import path from "path";
+import { Readable } from "stream";
+
+const TEMP_STORAGE_PATH = process.env.TEMP_STORAGE_PATH || "/app/temp-storage";
+const MAX_FILE_AGE_MS = 24 * 60 * 60 * 1000; // 24 小時
+
+export class ObjectNotFoundError extends Error {
+  constructor() {
+    super("Object not found");
+    this.name = "ObjectNotFoundError";
+    Object.setPrototypeOf(this, ObjectNotFoundError.prototype);
+  }
+}
+
+export interface LocalFile {
+  path: string;
+  url: string;
+  exists(): Promise<boolean>;
+  delete(): Promise<void>;
+  getMetadata(): Promise<{ contentType: string; size: number }>;
+  createReadStream(): fs.ReadStream;
+}
+
+export class LocalTempStorageService {
+  private storagePath: string;
+
+  constructor() {
+    this.storagePath = TEMP_STORAGE_PATH;
+    this.ensureStorageDir();
+    this.startCleanupInterval();
+  }
+
+  private ensureStorageDir(): void {
+    if (!fs.existsSync(this.storagePath)) {
+      fs.mkdirSync(this.storagePath, { recursive: true });
+    }
+  }
+
+  // 定期清理舊檔案
+  private startCleanupInterval(): void {
+    setInterval(() => {
+      this.cleanupOldFiles().catch((err) => {
+        console.error("[LocalTempStorage] Cleanup error:", err);
+      });
+    }, 60 * 60 * 1000); // 每小時執行一次
+  }
+
+  private async cleanupOldFiles(): Promise<void> {
+    try {
+      const now = Date.now();
+      const files = fs.readdirSync(this.storagePath);
+      
+      let deletedCount = 0;
+      for (const file of files) {
+        const filePath = path.join(this.storagePath, file);
+        const stats = fs.statSync(filePath);
+        
+        if (now - stats.mtimeMs > MAX_FILE_AGE_MS) {
+          fs.unlinkSync(filePath);
+          deletedCount++;
+        }
+      }
+      
+      if (deletedCount > 0) {
+        console.log(`[LocalTempStorage] Cleaned up ${deletedCount} old files`);
+      }
+    } catch (error) {
+      console.error("[LocalTempStorage] Error during cleanup:", error);
+    }
+  }
+
+  async saveFile(buffer: Buffer, filename: string, contentType: string = "application/octet-stream"): Promise<LocalFile> {
+    const fileId = randomUUID();
+    const ext = path.extname(filename) || "";
+    const savedFilename = `${fileId}${ext}`;
+    const filePath = path.join(this.storagePath, savedFilename);
+    
+    fs.writeFileSync(filePath, buffer);
+    
+    // 儲存 metadata
+    const metadataPath = `${filePath}.meta`;
+    fs.writeFileSync(metadataPath, JSON.stringify({ contentType, originalName: filename }));
+    
+    return this.getFile(savedFilename);
+  }
+
+  getFile(filename: string): LocalFile {
+    const filePath = path.join(this.storagePath, filename);
+    const url = `/api/temp-storage/${filename}`;
+    
+    return {
+      path: filePath,
+      url,
+      async exists() {
+        return fs.existsSync(filePath);
+      },
+      async delete() {
+        if (fs.existsSync(filePath)) {
+          fs.unlinkSync(filePath);
+        }
+        const metadataPath = `${filePath}.meta`;
+        if (fs.existsSync(metadataPath)) {
+          fs.unlinkSync(metadataPath);
+        }
+      },
+      async getMetadata() {
+        const metadataPath = `${filePath}.meta`;
+        if (fs.existsSync(metadataPath)) {
+          const meta = JSON.parse(fs.readFileSync(metadataPath, "utf-8"));
+          const stats = fs.statSync(filePath);
+          return {
+            contentType: meta.contentType || "application/octet-stream",
+            size: stats.size,
+          };
+        }
+        const stats = fs.statSync(filePath);
+        return {
+          contentType: "application/octet-stream",
+          size: stats.size,
+        };
+      },
+      createReadStream() {
+        return fs.createReadStream(filePath);
+      },
+    };
+  }
+
+  async downloadFile(file: LocalFile): Promise<Response> {
+    const exists = await file.exists();
+    if (!exists) {
+      throw new ObjectNotFoundError();
+    }
+
+    const metadata = await file.getMetadata();
+    const nodeStream = file.createReadStream();
+    const webStream = Readable.toWeb(nodeStream) as ReadableStream;
+
+    const headers: Record<string, string> = {
+      "Content-Type": metadata.contentType,
+      "Content-Length": String(metadata.size),
+      "Cache-Control": "public, max-age=3600",
+    };
+
+    return new Response(webStream, { headers });
+  }
+
+  // 從 URL 提取檔案名稱
+  extractFilenameFromUrl(url: string): string | null {
+    const match = url.match(/\/api\/temp-storage\/([^?]+)/);
+    return match ? match[1] : null;
+  }
+
+  // 清理所有檔案 (用於測試或維護)
+  async cleanupAll(): Promise<void> {
+    const files = fs.readdirSync(this.storagePath);
+    for (const file of files) {
+      const filePath = path.join(this.storagePath, file);
+      fs.unlinkSync(filePath);
+    }
+    console.log(`[LocalTempStorage] Cleaned up all ${files.length} files`);
+  }
+}
+
+// 單例實例
+export const localTempStorage = new LocalTempStorageService();

artifacts/api-server/src/lib/logger.ts

@@ -0,0 +1,20 @@
+import pino from "pino";
+
+const isProduction = process.env.NODE_ENV === "production";
+
+export const logger = pino({
+  level: process.env.LOG_LEVEL ?? "info",
+  redact: [
+    "req.headers.authorization",
+    "req.headers.cookie",
+    "res.headers['set-cookie']",
+  ],
+  ...(isProduction
+    ? {}
+    : {
+        transport: {
+          target: "pino-pretty",
+          options: { colorize: true },
+        },
+      }),
+});

artifacts/api-server/src/lib/objectAcl.ts

@@ -0,0 +1,137 @@
+import { File } from "@google-cloud/storage";
+
+const ACL_POLICY_METADATA_KEY = "custom:aclPolicy";
+
+// Can be flexibly defined according to the use case.
+//
+// Examples:
+// - USER_LIST: the users from a list stored in the database;
+// - EMAIL_DOMAIN: the users whose email is in a specific domain;
+// - GROUP_MEMBER: the users who are members of a specific group;
+// - SUBSCRIBER: the users who are subscribers of a specific service / content
+//   creator.
+export enum ObjectAccessGroupType {}
+
+export interface ObjectAccessGroup {
+  type: ObjectAccessGroupType;
+  // The logic id that identifies qualified group members. Format depends on the
+  // ObjectAccessGroupType — e.g. a user-list DB id, an email domain, a group id.
+  id: string;
+}
+
+export enum ObjectPermission {
+  READ = "read",
+  WRITE = "write",
+}
+
+export interface ObjectAclRule {
+  group: ObjectAccessGroup;
+  permission: ObjectPermission;
+}
+
+// Stored as object custom metadata under "custom:aclPolicy" (JSON string).
+export interface ObjectAclPolicy {
+  owner: string;
+  visibility: "public" | "private";
+  aclRules?: Array<ObjectAclRule>;
+}
+
+function isPermissionAllowed(
+  requested: ObjectPermission,
+  granted: ObjectPermission,
+): boolean {
+  if (requested === ObjectPermission.READ) {
+    return [ObjectPermission.READ, ObjectPermission.WRITE].includes(granted);
+  }
+  return granted === ObjectPermission.WRITE;
+}
+
+abstract class BaseObjectAccessGroup implements ObjectAccessGroup {
+  constructor(
+    public readonly type: ObjectAccessGroupType,
+    public readonly id: string,
+  ) {}
+
+  public abstract hasMember(userId: string): Promise<boolean>;
+}
+
+function createObjectAccessGroup(
+  group: ObjectAccessGroup,
+): BaseObjectAccessGroup {
+  switch (group.type) {
+    // Implement per access group type, e.g.:
+    // case "USER_LIST":
+    //   return new UserListAccessGroup(group.id);
+    default:
+      throw new Error(`Unknown access group type: ${group.type}`);
+  }
+}
+
+export async function setObjectAclPolicy(
+  objectFile: File,
+  aclPolicy: ObjectAclPolicy,
+): Promise<void> {
+  const [exists] = await objectFile.exists();
+  if (!exists) {
+    throw new Error(`Object not found: ${objectFile.name}`);
+  }
+
+  await objectFile.setMetadata({
+    metadata: {
+      [ACL_POLICY_METADATA_KEY]: JSON.stringify(aclPolicy),
+    },
+  });
+}
+
+export async function getObjectAclPolicy(
+  objectFile: File,
+): Promise<ObjectAclPolicy | null> {
+  const [metadata] = await objectFile.getMetadata();
+  const aclPolicy = metadata?.metadata?.[ACL_POLICY_METADATA_KEY];
+  if (!aclPolicy) {
+    return null;
+  }
+  return JSON.parse(aclPolicy as string);
+}
+
+export async function canAccessObject({
+  userId,
+  objectFile,
+  requestedPermission,
+}: {
+  userId?: string;
+  objectFile: File;
+  requestedPermission: ObjectPermission;
+}): Promise<boolean> {
+  const aclPolicy = await getObjectAclPolicy(objectFile);
+  if (!aclPolicy) {
+    return false;
+  }
+
+  if (
+    aclPolicy.visibility === "public" &&
+    requestedPermission === ObjectPermission.READ
+  ) {
+    return true;
+  }
+
+  if (!userId) {
+    return false;
+  }
+
+  if (aclPolicy.owner === userId) {
+    return true;
+  }
+
+  for (const rule of aclPolicy.aclRules || []) {
+    const accessGroup = createObjectAccessGroup(rule.group);
+    if (
+      (await accessGroup.hasMember(userId)) &&
+      isPermissionAllowed(requestedPermission, rule.permission)
+    ) {
+      return true;
+    }
+  }
+
+  return false;
+}

artifacts/api-server/src/lib/objectStorage.ts

@@ -0,0 +1,267 @@
+import { Storage, File } from "@google-cloud/storage";
+import { Readable } from "stream";
+import { randomUUID } from "crypto";
+import {
+  ObjectAclPolicy,
+  ObjectPermission,
+  canAccessObject,
+  getObjectAclPolicy,
+  setObjectAclPolicy,
+} from "./objectAcl";
+
+const REPLIT_SIDECAR_ENDPOINT = "http://127.0.0.1:1106";
+
+export const objectStorageClient = new Storage({
+  credentials: {
+    audience: "replit",
+    subject_token_type: "access_token",
+    token_url: `${REPLIT_SIDECAR_ENDPOINT}/token`,
+    type: "external_account",
+    credential_source: {
+      url: `${REPLIT_SIDECAR_ENDPOINT}/credential`,
+      format: {
+        type: "json",
+        subject_token_field_name: "access_token",
+      },
+    },
+    universe_domain: "googleapis.com",
+  },
+  projectId: "",
+});
+
+export class ObjectNotFoundError extends Error {
+  constructor() {
+    super("Object not found");
+    this.name = "ObjectNotFoundError";
+    Object.setPrototypeOf(this, ObjectNotFoundError.prototype);
+  }
+}
+
+export class ObjectStorageService {
+  constructor() {}
+
+  getPublicObjectSearchPaths(): Array<string> {
+    const pathsStr = process.env.PUBLIC_OBJECT_SEARCH_PATHS || "";
+    const paths = Array.from(
+      new Set(
+        pathsStr
+          .split(",")
+          .map((path) => path.trim())
+          .filter((path) => path.length > 0)
+      )
+    );
+    if (paths.length === 0) {
+      throw new Error(
+        "PUBLIC_OBJECT_SEARCH_PATHS not set. Create a bucket in 'Object Storage' " +
+          "tool and set PUBLIC_OBJECT_SEARCH_PATHS env var (comma-separated paths)."
+      );
+    }
+    return paths;
+  }
+
+  getPrivateObjectDir(): string {
+    const dir = process.env.PRIVATE_OBJECT_DIR || "";
+    if (!dir) {
+      throw new Error(
+        "PRIVATE_OBJECT_DIR not set. Create a bucket in 'Object Storage' " +
+          "tool and set PRIVATE_OBJECT_DIR env var."
+      );
+    }
+    return dir;
+  }
+
+  async searchPublicObject(filePath: string): Promise<File | null> {
+    for (const searchPath of this.getPublicObjectSearchPaths()) {
+      const fullPath = `${searchPath}/${filePath}`;
+
+      const { bucketName, objectName } = parseObjectPath(fullPath);
+      const bucket = objectStorageClient.bucket(bucketName);
+      const file = bucket.file(objectName);
+
+      const [exists] = await file.exists();
+      if (exists) {
+        return file;
+      }
+    }
+
+    return null;
+  }
+
+  async downloadObject(file: File, cacheTtlSec: number = 3600): Promise<Response> {
+    const [metadata] = await file.getMetadata();
+    const aclPolicy = await getObjectAclPolicy(file);
+    const isPublic = aclPolicy?.visibility === "public";
+
+    const nodeStream = file.createReadStream();
+    const webStream = Readable.toWeb(nodeStream) as ReadableStream;
+
+    const headers: Record<string, string> = {
+      "Content-Type": (metadata.contentType as string) || "application/octet-stream",
+      "Cache-Control": `${isPublic ? "public" : "private"}, max-age=${cacheTtlSec}`,
+    };
+    if (metadata.size) {
+      headers["Content-Length"] = String(metadata.size);
+    }
+
+    return new Response(webStream, { headers });
+  }
+
+  async getObjectEntityUploadURL(): Promise<string> {
+    const privateObjectDir = this.getPrivateObjectDir();
+    if (!privateObjectDir) {
+      throw new Error(
+        "PRIVATE_OBJECT_DIR not set. Create a bucket in 'Object Storage' " +
+          "tool and set PRIVATE_OBJECT_DIR env var."
+      );
+    }
+
+    const objectId = randomUUID();
+    const fullPath = `${privateObjectDir}/uploads/${objectId}`;
+
+    const { bucketName, objectName } = parseObjectPath(fullPath);
+
+    return signObjectURL({
+      bucketName,
+      objectName,
+      method: "PUT",
+      ttlSec: 900,
+    });
+  }
+
+  async getObjectEntityFile(objectPath: string): Promise<File> {
+    if (!objectPath.startsWith("/objects/")) {
+      throw new ObjectNotFoundError();
+    }
+
+    const parts = objectPath.slice(1).split("/");
+    if (parts.length < 2) {
+      throw new ObjectNotFoundError();
+    }
+
+    const entityId = parts.slice(1).join("/");
+    let entityDir = this.getPrivateObjectDir();
+    if (!entityDir.endsWith("/")) {
+      entityDir = `${entityDir}/`;
+    }
+    const objectEntityPath = `${entityDir}${entityId}`;
+    const { bucketName, objectName } = parseObjectPath(objectEntityPath);
+    const bucket = objectStorageClient.bucket(bucketName);
+    const objectFile = bucket.file(objectName);
+    const [exists] = await objectFile.exists();
+    if (!exists) {
+      throw new ObjectNotFoundError();
+    }
+    return objectFile;
+  }
+
+  normalizeObjectEntityPath(rawPath: string): string {
+    if (!rawPath.startsWith("https://storage.googleapis.com/")) {
+      return rawPath;
+    }
+
+    const url = new URL(rawPath);
+    const rawObjectPath = url.pathname;
+
+    let objectEntityDir = this.getPrivateObjectDir();
+    if (!objectEntityDir.endsWith("/")) {
+      objectEntityDir = `${objectEntityDir}/`;
+    }
+
+    if (!rawObjectPath.startsWith(objectEntityDir)) {
+      return rawObjectPath;
+    }
+
+    const entityId = rawObjectPath.slice(objectEntityDir.length);
+    return `/objects/${entityId}`;
+  }
+
+  async trySetObjectEntityAclPolicy(
+    rawPath: string,
+    aclPolicy: ObjectAclPolicy
+  ): Promise<string> {
+    const normalizedPath = this.normalizeObjectEntityPath(rawPath);
+    if (!normalizedPath.startsWith("/")) {
+      return normalizedPath;
+    }
+
+    const objectFile = await this.getObjectEntityFile(normalizedPath);
+    await setObjectAclPolicy(objectFile, aclPolicy);
+    return normalizedPath;
+  }
+
+  async canAccessObjectEntity({
+    userId,
+    objectFile,
+    requestedPermission,
+  }: {
+    userId?: string;
+    objectFile: File;
+    requestedPermission?: ObjectPermission;
+  }): Promise<boolean> {
+    return canAccessObject({
+      userId,
+      objectFile,
+      requestedPermission: requestedPermission ?? ObjectPermission.READ,
+    });
+  }
+}
+
+function parseObjectPath(path: string): {
+  bucketName: string;
+  objectName: string;
+} {
+  if (!path.startsWith("/")) {
+    path = `/${path}`;
+  }
+  const pathParts = path.split("/");
+  if (pathParts.length < 3) {
+    throw new Error("Invalid path: must contain at least a bucket name");
+  }
+
+  const bucketName = pathParts[1];
+  const objectName = pathParts.slice(2).join("/");
+
+  return {
+    bucketName,
+    objectName,
+  };
+}
+
+async function signObjectURL({
+  bucketName,
+  objectName,
+  method,
+  ttlSec,
+}: {
+  bucketName: string;
+  objectName: string;
+  method: "GET" | "PUT" | "DELETE" | "HEAD";
+  ttlSec: number;
+}): Promise<string> {
+  const request = {
+    bucket_name: bucketName,
+    object_name: objectName,
+    method,
+    expires_at: new Date(Date.now() + ttlSec * 1000).toISOString(),
+  };
+  const response = await fetch(
+    `${REPLIT_SIDECAR_ENDPOINT}/object-storage/signed-object-url`,
+    {
+      method: "POST",
+      headers: {
+        "Content-Type": "application/json",
+      },
+      body: JSON.stringify(request),
+      signal: AbortSignal.timeout(30_000),
+    }
+  );
+  if (!response.ok) {
+    throw new Error(
+      `Failed to sign object URL, errorcode: ${response.status}, ` +
+        `make sure you're running on Replit`
+    );
+  }
+
+  const { signed_url: signedURL } = await response.json();
+  return signedURL;
+}

artifacts/api-server/src/lib/videoStorage.ts

@@ -0,0 +1,264 @@
+/**
+ * videoStorage.ts
+ *
+ * Downloads generated videos from Grok CDN and stores them in an
+ * S3-compatible object storage (hi168.com OSS).
+ *
+ * Upload: @aws-sdk/lib-storage  (multipart, handles large files)
+ * Download / stream: @aws-sdk/client-s3 (GetObject)
+ */
+import {
+  S3Client,
+  CreateBucketCommand,
+  HeadBucketCommand,
+  GetObjectCommand,
+  HeadObjectCommand,
+} from "@aws-sdk/client-s3";
+import { Upload } from "@aws-sdk/lib-storage";
+import { Readable } from "stream";
+import { randomUUID } from "crypto";
+
+// ─── S3 configuration ────────────────────────────────────────────────────────
+
+const S3_ENDPOINT = process.env.S3_ENDPOINT ?? "";
+const S3_BUCKET   = process.env.S3_BUCKET   ?? "starforge-videos";
+const S3_REGION   = process.env.S3_REGION   ?? "us-east-1";
+const ACCESS_KEY  = process.env.S3_ACCESS_KEY ?? "";
+const SECRET_KEY  = process.env.S3_SECRET_KEY ?? "";
+
+let s3: S3Client | null = null;
+
+function getS3(): S3Client {
+  if (!s3) {
+    s3 = new S3Client({
+      endpoint: S3_ENDPOINT,
+      region: S3_REGION,
+      credentials: { accessKeyId: ACCESS_KEY, secretAccessKey: SECRET_KEY },
+      forcePathStyle: true,   // required for most non-AWS S3 endpoints
+    });
+  }
+  return s3;
+}
+
+/** Returns true if S3 credentials are configured. */
+export function isStorageReady(): boolean {
+  return !!(S3_ENDPOINT && ACCESS_KEY && SECRET_KEY);
+}
+
+// ─── Bucket init (create if missing) ─────────────────────────────────────────
+
+let bucketReady = false;
+
+async function ensureBucket(): Promise<void> {
+  if (bucketReady) return;
+  const client = getS3();
+  try {
+    await client.send(new HeadBucketCommand({ Bucket: S3_BUCKET }));
+    bucketReady = true;
+    console.log(`[video-storage] bucket "${S3_BUCKET}" exists`);
+  } catch (err: any) {
+    if (err.$metadata?.httpStatusCode === 404 || err.name === "NoSuchBucket" || err.name === "NotFound") {
+      try {
+        await client.send(new CreateBucketCommand({ Bucket: S3_BUCKET }));
+        bucketReady = true;
+        console.log(`[video-storage] bucket "${S3_BUCKET}" created`);
+      } catch (createErr: any) {
+        console.error("[video-storage] bucket create error:", createErr?.message ?? createErr);
+      }
+    } else {
+      // treat unknown errors as "bucket exists, proceed"
+      console.warn("[video-storage] HeadBucket warn (proceeding):", err?.message ?? err);
+      bucketReady = true;
+    }
+  }
+}
+
+// ─── Helpers ──────────────────────────────────────────────────────────────────
+
+const USER_AGENT =
+  "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 " +
+  "(KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36";
+
+// ─── Upload ───────────────────────────────────────────────────────────────────
+
+/**
+ * Download a video from remoteUrl and upload it to S3.
+ *
+ * Returns the serving path `/api/videos/stored/<id>.mp4`, or null on failure.
+ */
+export async function downloadAndStoreVideo(
+  remoteUrl: string,
+  bearerToken: string | null,
+  ext = "mp4",
+): Promise<string | null> {
+  if (!isStorageReady()) {
+    console.warn("[video-storage] S3 not configured — skipping download");
+    return null;
+  }
+
+  await ensureBucket();
+
+  const id = randomUUID();
+  const key = `videos/${id}.${ext}`;
+
+  let hostname = "";
+  try { hostname = new URL(remoteUrl).hostname; } catch { /* ok */ }
+
+  // Cloudflare R2 pre-signed URLs are publicly accessible — no auth needed.
+  const isR2 = hostname.endsWith(".r2.cloudflarestorage.com");
+  // assets.grok.com is behind Cloudflare; use grok.com as Referer+Origin.
+  const isGrokCdn = hostname === "assets.grok.com";
+  const referer = isGrokCdn ? "https://grok.com/" : "https://geminigen.ai/";
+  const origin  = isGrokCdn ? "https://grok.com"  : "https://geminigen.ai";
+
+  const baseHeaders: Record<string, string> = {
+    "User-Agent": USER_AGENT,
+    Accept: "video/mp4,video/*,*/*",
+    ...(isR2 ? {} : { Referer: referer, Origin: origin }),
+  };
+
+  // R2 pre-signed URLs work without any auth; try without token first.
+  // For other CDNs, try with Bearer token first.
+  const strategies: Array<Record<string, string>> = isR2
+    ? [{ ...baseHeaders }]
+    : [
+        ...(bearerToken ? [{ ...baseHeaders, Authorization: `Bearer ${bearerToken}` }] : []),
+        { ...baseHeaders },
+      ];
+
+  let videoBuffer: Buffer | null = null;
+  let contentType = "video/mp4";
+
+  for (const headers of strategies) {
+    try {
+      const resp = await fetch(remoteUrl, { headers });
+      console.log(
+        `[video-storage] fetch �� ${resp.status} from ${new URL(remoteUrl).hostname}`,
+      );
+      if (resp.ok) {
+        const ab = await resp.arrayBuffer();
+        videoBuffer = Buffer.from(ab);
+        const ct = resp.headers.get("content-type");
+        if (ct && ct.startsWith("video/")) contentType = ct;
+        break;
+      }
+    } catch (err) {
+      console.warn(
+        "[video-storage] fetch error:",
+        err instanceof Error ? err.message : err,
+      );
+    }
+  }
+
+  if (!videoBuffer || videoBuffer.length < 1024) {
+    console.warn("[video-storage] all download strategies failed");
+    return null;
+  }
+
+  try {
+    const upload = new Upload({
+      client: getS3(),
+      params: {
+        Bucket: S3_BUCKET,
+        Key: key,
+        Body: videoBuffer,
+        ContentType: contentType,
+      },
+    });
+    await upload.done();
+    console.log(`[video-storage] uploaded ${videoBuffer.length} bytes → s3://${S3_BUCKET}/${key}`);
+    return `/api/videos/stored/${id}.${ext}`;
+  } catch (err) {
+    console.error(
+      "[video-storage] S3 upload error:",
+      err instanceof Error ? err.message : err,
+    );
+    return null;
+  }
+}
+
+// ─── Stream / serve ───────────────────────────────────────────────────────────
+
+/**
+ * Serve a stored video from S3 to an Express response.
+ * objectPath: the `<id>.mp4` portion after /api/videos/stored/
+ */
+export async function streamStoredVideo(
+  objectPath: string,
+  res: import("express").Response,
+  rangeHeader?: string,
+): Promise<void> {
+  if (!isStorageReady()) {
+    res.status(503).json({ error: "Storage not configured" });
+    return;
+  }
+
+  const key = `videos/${objectPath}`;
+
+  try {
+    const client = getS3();
+
+    // HEAD to get size & content-type
+    let size = 0;
+    let contentType = "video/mp4";
+    try {
+      const head = await client.send(
+        new HeadObjectCommand({ Bucket: S3_BUCKET, Key: key }),
+      );
+      size = Number(head.ContentLength ?? 0);
+      contentType = head.ContentType ?? contentType;
+    } catch {
+      // fallback: stream without size
+    }
+
+    res.setHeader("Content-Type", contentType);
+    res.setHeader("Accept-Ranges", "bytes");
+    res.setHeader("Cache-Control", "public, max-age=86400");
+
+    let byteRange: { start: number; end: number } | undefined;
+
+    if (rangeHeader && size) {
+      const m = /bytes=(\d*)-(\d*)/.exec(rangeHeader);
+      if (m) {
+        const start = m[1] ? parseInt(m[1]) : 0;
+        const end   = m[2] ? parseInt(m[2]) : size - 1;
+        byteRange = { start, end };
+        res.setHeader("Content-Range", `bytes ${start}-${end}/${size}`);
+        res.setHeader("Content-Length", end - start + 1);
+        res.status(206);
+      }
+    } else if (size) {
+      res.setHeader("Content-Length", size);
+      res.status(200);
+    } else {
+      res.status(200);
+    }
+
+    const getCmd = new GetObjectCommand({
+      Bucket: S3_BUCKET,
+      Key: key,
+      ...(byteRange
+        ? { Range: `bytes=${byteRange.start}-${byteRange.end}` }
+        : {}),
+    });
+
+    const obj = await client.send(getCmd);
+    if (!obj.Body) {
+      throw new Error("Empty body from S3");
+    }
+
+    // obj.Body is a SdkStreamMixin — convert to Node.js Readable
+    const stream = obj.Body as Readable;
+    stream.pipe(res);
+    stream.on("error", (err) => {
+      console.error("[video-storage] stream pipe error:", err.message);
+      if (!res.headersSent) res.status(500).end();
+    });
+  } catch (err) {
+    console.error(
+      "[video-storage] stream error:",
+      err instanceof Error ? err.message : err,
+    );
+    if (!res.headersSent) res.status(404).json({ error: "Video not found in storage" });
+  }
+}

artifacts/api-server/src/middlewares/clerkProxyMiddleware.ts

@@ -0,0 +1,61 @@
+/**
+ * Clerk Frontend API Proxy Middleware
+ *
+ * Proxies Clerk Frontend API requests through your domain, enabling Clerk
+ * authentication on custom domains and .replit.app deployments without
+ * requiring CNAME DNS configuration.
+ *
+ * See: https://clerk.com/docs/guides/dashboard/dns-domains/proxy-fapi
+ *
+ * IMPORTANT:
+ * - Only active in production (Clerk proxying doesn't work for dev instances)
+ * - Must be mounted BEFORE express.json() middleware
+ *
+ * Usage in app.ts:
+ *   import { CLERK_PROXY_PATH, clerkProxyMiddleware } from "./middlewares/clerkProxyMiddleware";
+ *   app.use(CLERK_PROXY_PATH, clerkProxyMiddleware());
+ */
+
+import { createProxyMiddleware } from "http-proxy-middleware";
+import type { RequestHandler } from "express";
+
+const CLERK_FAPI = "https://frontend-api.clerk.dev";
+export const CLERK_PROXY_PATH = "/api/__clerk";
+
+export function clerkProxyMiddleware(): RequestHandler {
+  // Only run proxy in production — Clerk proxying doesn't work for dev instances
+  if (process.env.NODE_ENV !== "production") {
+    return (_req, _res, next) => next();
+  }
+
+  const secretKey = process.env.CLERK_SECRET_KEY;
+  if (!secretKey) {
+    return (_req, _res, next) => next();
+  }
+
+  return createProxyMiddleware({
+    target: CLERK_FAPI,
+    changeOrigin: true,
+    pathRewrite: (path: string) =>
+      path.replace(new RegExp(`^${CLERK_PROXY_PATH}`), ""),
+    on: {
+      proxyReq: (proxyReq, req) => {
+        const protocol = req.headers["x-forwarded-proto"] || "https";
+        const host = req.headers.host || "";
+        const proxyUrl = `${protocol}://${host}${CLERK_PROXY_PATH}`;
+
+        proxyReq.setHeader("Clerk-Proxy-Url", proxyUrl);
+        proxyReq.setHeader("Clerk-Secret-Key", secretKey);
+
+        const xff = req.headers["x-forwarded-for"];
+        const clientIp =
+          (Array.isArray(xff) ? xff[0] : xff)?.split(",")[0]?.trim() ||
+          req.socket?.remoteAddress ||
+          "";
+        if (clientIp) {
+          proxyReq.setHeader("X-Forwarded-For", clientIp);
+        }
+      },
+    },
+  }) as RequestHandler;
+}

artifacts/api-server/src/routes/accounts.ts

@@ -0,0 +1,85 @@
+import { Router } from "express";
+import { db, geminiAccountsTable } from "@workspace/db";
+import { eq, desc } from "drizzle-orm";
+import { requireAdmin } from "./admin";
+import { requireJwtAuth } from "./auth";
+
+const router = Router();
+
+router.use(requireJwtAuth);
+
+router.get("/", requireAdmin, async (_req, res) => {
+  const rows = await db
+    .select()
+    .from(geminiAccountsTable)
+    .orderBy(desc(geminiAccountsTable.createdAt));
+
+  res.json(
+    rows.map((r) => ({
+      id: r.id,
+      label: r.label,
+      tokenPreview: r.bearerToken ? r.bearerToken.substring(0, 12) + "..." : null,
+      hasRefreshToken: !!r.refreshToken,
+      isActive: r.isActive,
+      lastUsedAt: r.lastUsedAt?.toISOString() ?? null,
+      createdAt: r.createdAt.toISOString(),
+    }))
+  );
+});
+
+router.post("/", requireAdmin, async (req, res) => {
+  const { label, bearerToken, refreshToken } = req.body as {
+    label?: string;
+    bearerToken?: string;
+    refreshToken?: string;
+  };
+
+  if (!bearerToken?.trim()) {
+    return res.status(400).json({ error: "bearerToken is required" });
+  }
+
+  const [inserted] = await db
+    .insert(geminiAccountsTable)
+    .values({
+      label: (label || "帳戶").trim(),
+      bearerToken: bearerToken.trim(),
+      refreshToken: refreshToken?.trim() || null,
+      isActive: true,
+    })
+    .returning();
+
+  res.json({
+    id: inserted.id,
+    label: inserted.label,
+    tokenPreview: inserted.bearerToken.substring(0, 12) + "...",
+    isActive: inserted.isActive,
+    createdAt: inserted.createdAt.toISOString(),
+  });
+});
+
+router.patch("/:id/label", requireAdmin, async (req, res) => {
+  const id = Number(req.params.id);
+  const { label } = req.body as { label?: string };
+  if (!label?.trim()) return res.status(400).json({ error: "label is required" });
+
+  await db.update(geminiAccountsTable).set({ label: label.trim() }).where(eq(geminiAccountsTable.id, id));
+  res.json({ success: true });
+});
+
+router.patch("/:id/toggle", requireAdmin, async (req, res) => {
+  const id = Number(req.params.id);
+  const rows = await db.select().from(geminiAccountsTable).where(eq(geminiAccountsTable.id, id)).limit(1);
+  if (!rows.length) return res.status(404).json({ error: "Account not found" });
+
+  const newActive = !rows[0].isActive;
+  await db.update(geminiAccountsTable).set({ isActive: newActive }).where(eq(geminiAccountsTable.id, id));
+  res.json({ success: true, isActive: newActive });
+});
+
+router.delete("/:id", requireAdmin, async (req, res) => {
+  const id = Number(req.params.id);
+  await db.delete(geminiAccountsTable).where(eq(geminiAccountsTable.id, id));
+  res.json({ success: true });
+});
+
+export default router;

artifacts/api-server/src/routes/admin.ts

@@ -0,0 +1,316 @@
+import { Router } from "express";
+import bcrypt from "bcryptjs";
+import { randomUUID } from "crypto";
+import { db, usersTable, imagesTable, apiKeysTable, configTable, creditTransactionsTable } from "@workspace/db";
+import { eq, count, desc, sql, inArray } from "drizzle-orm";
+import { requireJwtAuth } from "./auth";
+import { refreshAccessToken, encrypt, getStoredCredentials } from "./config";
+import multer from "multer";
+import { S3Client, PutObjectCommand } from "@aws-sdk/client-s3";
+
+const s3 = new S3Client({
+  endpoint: process.env.S3_ENDPOINT || "https://s3.hi168.com",
+  region: "us-east-1",
+  credentials: {
+    accessKeyId: process.env.S3_ACCESS_KEY || "",
+    secretAccessKey: process.env.S3_SECRET_KEY || "",
+  },
+  forcePathStyle: true,
+});
+const S3_BUCKET = process.env.DEFAULT_OBJECT_STORAGE_BUCKET_ID || "hi168-25517-1756t1kf";
+const S3_PUBLIC_BASE = `${process.env.S3_ENDPOINT || "https://s3.hi168.com"}/${S3_BUCKET}`;
+
+const upload = multer({ storage: multer.memoryStorage(), limits: { fileSize: 5 * 1024 * 1024 } });
+
+const OTP_KEY = "bookmarklet_otp";
+
+const router = Router();
+
+async function requireAdmin(req: any, res: any, next: any) {
+  const user = await db
+    .select({ isAdmin: usersTable.isAdmin })
+    .from(usersTable)
+    .where(eq(usersTable.id, req.jwtUserId))
+    .limit(1);
+  if (!user[0]?.isAdmin) {
+    return res.status(403).json({ error: "Forbidden" });
+  }
+  next();
+}
+
+router.use(requireJwtAuth);
+router.use(requireAdmin);
+
+router.get("/stats", async (_req, res) => {
+  const [userCount] = await db.select({ count: count() }).from(usersTable);
+  const [imageCount] = await db.select({ count: count() }).from(imagesTable);
+  const [apiKeyCount] = await db.select({ count: count() }).from(apiKeysTable);
+  res.json({
+    users: Number(userCount.count),
+    images: Number(imageCount.count),
+    apiKeys: Number(apiKeyCount.count),
+  });
+});
+
+router.get("/users", async (_req, res) => {
+  const users = await db
+    .select({
+      id: usersTable.id,
+      email: usersTable.email,
+      displayName: usersTable.displayName,
+      isAdmin: usersTable.isAdmin,
+      createdAt: usersTable.createdAt,
+    })
+    .from(usersTable)
+    .orderBy(desc(usersTable.createdAt));
+  res.json({ users });
+});
+
+router.put("/users/:id", async (req, res) => {
+  const id = Number(req.params.id);
+  const { displayName, isAdmin, password } = req.body as {
+    displayName?: string;
+    isAdmin?: boolean;
+    password?: string;
+  };
+
+  const updates: Partial<typeof usersTable.$inferInsert> = {};
+  if (typeof displayName !== "undefined") updates.displayName = displayName || null;
+  if (typeof isAdmin === "boolean") updates.isAdmin = isAdmin;
+  if (password) {
+    if (password.length < 6) return res.status(400).json({ error: "Password must be at least 6 characters" });
+    updates.passwordHash = await bcrypt.hash(password, 12);
+  }
+
+  if (Object.keys(updates).length === 0) {
+    return res.status(400).json({ error: "Nothing to update" });
+  }
+
+  const [updated] = await db
+    .update(usersTable)
+    .set(updates)
+    .where(eq(usersTable.id, id))
+    .returning({
+      id: usersTable.id,
+      email: usersTable.email,
+      displayName: usersTable.displayName,
+      isAdmin: usersTable.isAdmin,
+    });
+
+  if (!updated) return res.status(404).json({ error: "User not found" });
+  res.json(updated);
+});
+
+router.delete("/users/:id", async (req, res) => {
+  const id = Number(req.params.id);
+  if (id === req.jwtUserId) {
+    return res.status(400).json({ error: "Cannot delete yourself" });
+  }
+  await db.delete(apiKeysTable).where(eq(apiKeysTable.userId, String(id)));
+  const deleted = await db.delete(usersTable).where(eq(usersTable.id, id)).returning({ id: usersTable.id });
+  if (!deleted.length) return res.status(404).json({ error: "User not found" });
+  res.json({ success: true });
+});
+
+router.get("/config", async (_req, res) => {
+  const rows = await db.select().from(configTable).orderBy(configTable.key);
+  res.json({ config: rows });
+});
+
+const CONFIG_KEY_MAP: Record<string, string> = {
+  refresh_token: "geminigen_refresh_token",
+  access_token: "geminigen_bearer_token",
+  capsolver_api_key: "capsolver_api_key",
+  playwright_solver_url: "playwright_solver_url",
+  playwright_solver_secret: "playwright_solver_secret",
+  yescaptcha_api_key: "yescaptcha_api_key",
+};
+
+router.put("/config", async (req, res) => {
+  const { key, value } = req.body as { key?: string; value?: string };
+  if (!key || typeof value === "undefined") {
+    return res.status(400).json({ error: "key and value are required" });
+  }
+  const dbKey = CONFIG_KEY_MAP[key];
+  if (!dbKey) {
+    return res.status(400).json({ error: "Invalid config key" });
+  }
+  await db
+    .insert(configTable)
+    .values({ key: dbKey, value, updatedAt: new Date() })
+    .onConflictDoUpdate({ target: configTable.key, set: { value, updatedAt: new Date() } });
+  res.json({ success: true });
+});
+
+router.get("/setup-status", async (_req, res) => {
+  const row = await db
+    .select({ key: configTable.key })
+    .from(configTable)
+    .where(eq(configTable.key, "geminigen_refresh_token"))
+    .limit(1);
+  res.json({ refreshTokenConfigured: row.length > 0 });
+});
+
+router.post("/setup", async (req, res) => {
+  const { refreshToken } = req.body as { refreshToken?: string };
+  if (!refreshToken?.trim()) {
+    return res.status(400).json({ error: "refreshToken is required" });
+  }
+  const value = refreshToken.trim();
+  if (value.length < 20) {
+    return res.status(400).json({ error: "Token seems too short — please copy the full refresh_token value." });
+  }
+  await db
+    .insert(configTable)
+    .values({ key: "geminigen_refresh_token", value, updatedAt: new Date() })
+    .onConflictDoUpdate({ target: configTable.key, set: { value, updatedAt: new Date() } });
+  refreshAccessToken().catch(() => {});
+  res.json({ success: true });
+});
+
+// Save geminigen.ai credentials for auto-renewal
+router.post("/credentials", requireJwtAuth, requireAdmin, async (req, res) => {
+  const { username, password } = req.body as { username?: string; password?: string };
+  if (!username?.trim() || !password?.trim()) {
+    return res.status(400).json({ error: "username and password are required" });
+  }
+  await db
+    .insert(configTable)
+    .values({ key: "geminigen_username", value: username.trim(), updatedAt: new Date() })
+    .onConflictDoUpdate({ target: configTable.key, set: { value: username.trim(), updatedAt: new Date() } });
+  const encPass = encrypt(password.trim());
+  await db
+    .insert(configTable)
+    .values({ key: "geminigen_password_enc", value: encPass, updatedAt: new Date() })
+    .onConflictDoUpdate({ target: configTable.key, set: { value: encPass, updatedAt: new Date() } });
+
+  // Try to login with new credentials in background (may fail if Turnstile solver not configured)
+  // Do NOT block saving credentials on login success — Turnstile may prevent immediate login
+  refreshAccessToken().then((tok) => {
+    if (tok) console.log("[admin] Credential login succeeded after save");
+    else console.warn("[admin] Credential login failed after save (Turnstile may be required — token will refresh later)");
+  }).catch(() => {});
+  res.json({ success: true, note: "Credentials saved. Token will refresh automatically." });
+});
+
+// Check credential configuration status
+router.get("/credentials", requireJwtAuth, requireAdmin, async (_req, res) => {
+  const creds = await getStoredCredentials();
+  res.json({
+    configured: !!creds,
+    username: creds?.username ?? null,
+  });
+});
+
+// Delete stored credentials
+router.delete("/credentials", requireJwtAuth, requireAdmin, async (_req, res) => {
+  await db.delete(configTable).where(eq(configTable.key, "geminigen_username"));
+  await db.delete(configTable).where(eq(configTable.key, "geminigen_password_enc"));
+  res.json({ success: true });
+});
+
+// Generate a short-lived OTP for the bookmarklet token sync
+router.post("/bookmarklet-otp", async (_req, res) => {
+  const otp = randomUUID();
+  const expiresAt = Date.now() + 10 * 60 * 1000; // 10 minutes
+  await db
+    .insert(configTable)
+    .values({ key: OTP_KEY, value: `${otp}:${expiresAt}`, updatedAt: new Date() })
+    .onConflictDoUpdate({ target: configTable.key, set: { value: `${otp}:${expiresAt}`, updatedAt: new Date() } });
+  res.json({ otp, expiresInSeconds: 600 });
+});
+
+// ── Site Config (logo, google ads, credits settings) ─────────────────────────
+const SITE_CONFIG_KEYS = [
+  "logo_url", "site_name",
+  "enable_credits", "image_gen_cost", "video_gen_cost", "signup_credits",
+  "google_ads_enabled", "google_ads_client", "google_ads_slot",
+];
+
+router.get("/site-config", async (_req, res) => {
+  const rows = await db
+    .select()
+    .from(configTable)
+    .where(inArray(configTable.key, SITE_CONFIG_KEYS));
+  const config: Record<string, string> = {};
+  for (const row of rows) config[row.key] = row.value;
+  res.json(config);
+});
+
+router.put("/site-config", async (req, res) => {
+  const updates = req.body as Record<string, string>;
+  for (const [key, value] of Object.entries(updates)) {
+    if (!SITE_CONFIG_KEYS.includes(key)) continue;
+    await db
+      .insert(configTable)
+      .values({ key, value: String(value), updatedAt: new Date() })
+      .onConflictDoUpdate({ target: configTable.key, set: { value: String(value), updatedAt: new Date() } });
+  }
+  res.json({ success: true });
+});
+
+// ── Logo upload ───────────────────────────────────────────────────────────────
+router.post("/logo", upload.single("logo"), async (req, res) => {
+  const file = (req as any).file as Express.Multer.File | undefined;
+  if (!file) return res.status(400).json({ error: "No file uploaded" });
+
+  const ext = file.originalname.split(".").pop()?.toLowerCase() || "png";
+  const key = `logos/site-logo.${ext}`;
+
+  await s3.send(new PutObjectCommand({
+    Bucket: S3_BUCKET,
+    Key: key,
+    Body: file.buffer,
+    ContentType: file.mimetype,
+    ACL: "public-read",
+  }));
+
+  const url = `${S3_PUBLIC_BASE}/${key}?t=${Date.now()}`;
+  await db
+    .insert(configTable)
+    .values({ key: "logo_url", value: url, updatedAt: new Date() })
+    .onConflictDoUpdate({ target: configTable.key, set: { value: url, updatedAt: new Date() } });
+
+  res.json({ success: true, url });
+});
+
+// ── Credits management ────────────────────────────────────────────────────────
+router.get("/credits", async (_req, res) => {
+  const users = await db
+    .select({
+      id: usersTable.id,
+      email: usersTable.email,
+      displayName: usersTable.displayName,
+      credits: usersTable.credits,
+      isAdmin: usersTable.isAdmin,
+    })
+    .from(usersTable)
+    .orderBy(desc(usersTable.createdAt));
+  res.json({ users });
+});
+
+router.post("/credits/:userId/adjust", async (req, res) => {
+  const userId = Number(req.params.userId);
+  const { amount, description } = req.body as { amount?: number; description?: string };
+  if (!amount || isNaN(amount)) return res.status(400).json({ error: "amount is required" });
+
+  const [user] = await db
+    .update(usersTable)
+    .set({ credits: sql`GREATEST(0, ${usersTable.credits} + ${amount})` })
+    .where(eq(usersTable.id, userId))
+    .returning({ credits: usersTable.credits });
+
+  if (!user) return res.status(404).json({ error: "User not found" });
+
+  await db.insert(creditTransactionsTable).values({
+    userId,
+    amount,
+    type: amount > 0 ? "grant" : "deduct",
+    description: description || (amount > 0 ? "管理員手動增加" : "管理員手動扣除"),
+  });
+
+  res.json({ success: true, newBalance: user.credits });
+});
+
+export { OTP_KEY, requireAdmin, SITE_CONFIG_KEYS };
+export default router;

artifacts/api-server/src/routes/apiKeys.ts

@@ -0,0 +1,56 @@
+import { Router } from "express";
+import { createHash, randomBytes } from "crypto";
+import { requireJwtAuth } from "./auth";
+import { db, apiKeysTable } from "@workspace/db";
+import { eq, and } from "drizzle-orm";
+
+const router = Router();
+
+router.get("/", requireJwtAuth, async (req: any, res) => {
+  const keys = await db
+    .select({
+      id: apiKeysTable.id,
+      name: apiKeysTable.name,
+      keyPrefix: apiKeysTable.keyPrefix,
+      createdAt: apiKeysTable.createdAt,
+      lastUsedAt: apiKeysTable.lastUsedAt,
+    })
+    .from(apiKeysTable)
+    .where(eq(apiKeysTable.userId, String(req.jwtUserId)));
+
+  res.json({ keys });
+});
+
+router.post("/", requireJwtAuth, async (req: any, res) => {
+  const name = (req.body?.name as string)?.trim() || "Default Key";
+  const rawKey = `sk-sf-${randomBytes(24).toString("hex")}`;
+  const keyHash = createHash("sha256").update(rawKey).digest("hex");
+  const keyPrefix = rawKey.slice(0, 12) + "...";
+
+  const [inserted] = await db
+    .insert(apiKeysTable)
+    .values({ userId: String(req.jwtUserId), keyHash, keyPrefix, name })
+    .returning({
+      id: apiKeysTable.id,
+      name: apiKeysTable.name,
+      keyPrefix: apiKeysTable.keyPrefix,
+      createdAt: apiKeysTable.createdAt,
+    });
+
+  res.json({ key: rawKey, ...inserted });
+});
+
+router.delete("/:id", requireJwtAuth, async (req: any, res) => {
+  const id = Number(req.params.id);
+  if (isNaN(id)) return res.status(400).json({ error: "Invalid ID" });
+
+  const deleted = await db
+    .delete(apiKeysTable)
+    .where(and(eq(apiKeysTable.id, id), eq(apiKeysTable.userId, String(req.jwtUserId))))
+    .returning();
+
+  if (!deleted.length) return res.status(404).json({ error: "Not found" });
+  res.json({ success: true });
+});
+
+export default router;

artifacts/api-server/src/routes/auth.ts

@@ -0,0 +1,154 @@
+import { Router } from "express";
+import bcrypt from "bcryptjs";
+import jwt from "jsonwebtoken";
+import { db, usersTable, configTable, creditTransactionsTable } from "@workspace/db";
+import { eq, count } from "drizzle-orm";
+
+const router = Router();
+const JWT_SECRET = process.env.SESSION_SECRET || "dev-secret-change-me";
+const COOKIE_NAME = "sf_auth";
+const COOKIE_OPTS = {
+  httpOnly: true,
+  sameSite: "lax" as const,
+  secure: process.env.NODE_ENV === "production",
+  maxAge: 30 * 24 * 60 * 60 * 1000,
+  path: "/",
+};
+
+function signToken(userId: number, email: string) {
+  return jwt.sign({ userId, email }, JWT_SECRET, { expiresIn: "30d" });
+}
+
+async function isFirstUser(): Promise<boolean> {
+  const [row] = await db.select({ count: count() }).from(usersTable);
+  return Number(row.count) === 0;
+}
+
+router.post("/signup", async (req, res) => {
+  const { email, password, displayName } = req.body as {
+    email?: string;
+    password?: string;
+    displayName?: string;
+  };
+
+  if (!email || !password) {
+    return res.status(400).json({ error: "Email and password are required" });
+  }
+  if (password.length < 6) {
+    return res.status(400).json({ error: "Password must be at least 6 characters" });
+  }
+  if (!/^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(email)) {
+    return res.status(400).json({ error: "Invalid email format" });
+  }
+
+  const existing = await db.select({ id: usersTable.id }).from(usersTable).where(eq(usersTable.email, email.toLowerCase())).limit(1);
+  if (existing.length > 0) {
+    return res.status(409).json({ error: "Email already registered" });
+  }
+
+  const firstUser = await isFirstUser();
+  const passwordHash = await bcrypt.hash(password, 12);
+  const [user] = await db.insert(usersTable).values({
+    email: email.toLowerCase(),
+    passwordHash,
+    displayName: displayName?.trim() || null,
+    isAdmin: firstUser,
+  }).returning({
+    id: usersTable.id,
+    email: usersTable.email,
+    displayName: usersTable.displayName,
+    isAdmin: usersTable.isAdmin,
+  });
+
+  // Grant signup credits from config
+  const signupCreditRow = await db.select({ value: configTable.value }).from(configTable).where(eq(configTable.key, "signup_credits")).limit(1);
+  const signupCredits = Number(signupCreditRow[0]?.value) || 0;
+  if (signupCredits > 0) {
+    await db.update(usersTable).set({ credits: signupCredits }).where(eq(usersTable.id, user.id));
+    await db.insert(creditTransactionsTable).values({ userId: user.id, amount: signupCredits, type: "signup", description: "新用戶註冊贈點" });
+  }
+
+  const token = signToken(user.id, user.email);
+  res.cookie(COOKIE_NAME, token, COOKIE_OPTS);
+  res.json({ id: user.id, email: user.email, displayName: user.displayName, isAdmin: user.isAdmin, credits: signupCredits });
+});
+
+router.post("/login", async (req, res) => {
+  const { email, password } = req.body as { email?: string; password?: string };
+
+  if (!email || !password) {
+    return res.status(400).json({ error: "Email and password are required" });
+  }
+
+  const [user] = await db.select().from(usersTable).where(eq(usersTable.email, email.toLowerCase())).limit(1);
+  if (!user) {
+    return res.status(401).json({ error: "Invalid email or password" });
+  }
+
+  const valid = await bcrypt.compare(password, user.passwordHash);
+  if (!valid) {
+    return res.status(401).json({ error: "Invalid email or password" });
+  }
+
+  const token = signToken(user.id, user.email);
+  res.cookie(COOKIE_NAME, token, COOKIE_OPTS);
+  res.json({ id: user.id, email: user.email, displayName: user.displayName, isAdmin: user.isAdmin });
+});
+
+router.post("/logout", (_req, res) => {
+  res.clearCookie(COOKIE_NAME, { path: "/" });
+  res.json({ success: true });
+});
+
+router.get("/me", async (req, res) => {
+  const token = req.cookies?.[COOKIE_NAME];
+  if (!token) return res.status(401).json({ error: "Not authenticated" });
+
+  try {
+    const payload = jwt.verify(token, JWT_SECRET) as { userId: number; email: string };
+    const [user] = await db
+      .select({ id: usersTable.id, email: usersTable.email, displayName: usersTable.displayName, isAdmin: usersTable.isAdmin })
+      .from(usersTable)
+      .where(eq(usersTable.id, payload.userId))
+      .limit(1);
+    if (!user) {
+      res.clearCookie(COOKIE_NAME, { path: "/" });
+      return res.status(401).json({ error: "User not found" });
+    }
+    res.json(user);
+  } catch {
+    res.clearCookie(COOKIE_NAME, { path: "/" });
+    res.status(401).json({ error: "Session expired" });
+  }
+});
+
+export function requireJwtAuth(req: any, res: any, next: any) {
+  const token = req.cookies?.[COOKIE_NAME];
+  if (!token) return res.status(401).json({ error: "Unauthorized" });
+
+  try {
+    const payload = jwt.verify(token, JWT_SECRET) as { userId: number; email: string };
+    req.jwtUserId = payload.userId;
+    req.jwtEmail = payload.email;
+    next();
+  } catch {
+    res.clearCookie(COOKIE_NAME, { path: "/" });
+    res.status(401).json({ error: "Session expired" });
+  }
+}
+
+export function optionalJwtAuth(req: any, _res: any, next: any) {
+  const token = req.cookies?.[COOKIE_NAME];
+  if (token) {
+    try {
+      const payload = jwt.verify(token, JWT_SECRET) as { userId: number; email: string };
+      req.jwtUserId = payload.userId;
+      req.jwtEmail = payload.email;
+    } catch {
+      // invalid token, continue as guest
+    }
+  }
+  next();
+}
+
+export default router;

artifacts/api-server/src/routes/config.ts

@@ -0,0 +1,285 @@
+import { Router } from "express";
+import { db, configTable, geminiAccountsTable } from "@workspace/db";
+import { eq, asc, isNull, and, notInArray } from "drizzle-orm";
+import { createCipheriv, createDecipheriv, randomBytes, scryptSync } from "crypto";
+import { getTurnstileToken, invalidateTurnstileToken } from "../captcha.js";
+import { generateGuardId } from "../guardId.js";
+
+const router = Router();
+
+const TOKEN_KEY = "geminigen_bearer_token";
+const REFRESH_TOKEN_KEY = "geminigen_refresh_token";
+const USERNAME_KEY = "geminigen_username";
+const PASSWORD_KEY = "geminigen_password_enc";
+const GEMINIGEN_BASE = "https://api.geminigen.ai/api";
+const GEMINIGEN_REFRESH_URL = `${GEMINIGEN_BASE}/refresh-token`;
+const GEMINIGEN_SIGNIN_URL = `${GEMINIGEN_BASE}/login-v2`;
+const UA = "Mozilla/5.0 (iPhone; CPU iPhone OS 18_3 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) CriOS/124.0.6367.111 Mobile/15E148 Safari/604.1";
+
+// ── Encryption helpers (AES-256-GCM) ─────────────────────────────────────────
+function getEncKey(): Buffer {
+  const secret = process.env.SESSION_SECRET || "starforge-default-secret-change-me";
+  return scryptSync(secret, "starforge-salt", 32);
+}
+
+export function encrypt(text: string): string {
+  const iv = randomBytes(12);
+  const cipher = createCipheriv("aes-256-gcm", getEncKey(), iv);
+  const enc = Buffer.concat([cipher.update(text, "utf8"), cipher.final()]);
+  const tag = cipher.getAuthTag();
+  return iv.toString("hex") + ":" + tag.toString("hex") + ":" + enc.toString("hex");
+}
+
+export function decrypt(encoded: string): string {
+  const [ivHex, tagHex, encHex] = encoded.split(":");
+  const decipher = createDecipheriv("aes-256-gcm", getEncKey(), Buffer.from(ivHex, "hex"));
+  decipher.setAuthTag(Buffer.from(tagHex, "hex"));
+  return decipher.update(Buffer.from(encHex, "hex")).toString("utf8") + decipher.final("utf8");
+}
+
+// ── DB helpers ────────────────────────────────────────────────────────────────
+async function getConfig(key: string): Promise<string | null> {
+  const row = await db.select().from(configTable).where(eq(configTable.key, key)).limit(1);
+  return row.length > 0 ? row[0].value : null;
+}
+
+async function setConfig(key: string, value: string): Promise<void> {
+  await db
+    .insert(configTable)
+    .values({ key, value, updatedAt: new Date() })
+    .onConflictDoUpdate({ target: configTable.key, set: { value, updatedAt: new Date() } });
+}
+
+// ── Public helpers ────────────────────────────────────────────────────────────
+export async function getStoredToken(): Promise<string | null> {
+  return getConfig(TOKEN_KEY);
+}
+
+export async function getStoredRefreshToken(): Promise<string | null> {
+  return getConfig(REFRESH_TOKEN_KEY);
+}
+
+/**
+ * On-demand token getter that proactively refreshes if the stored token is
+ * older than 50 minutes. Safe to call in serverless environments where there
+ * is no background refresh loop running.
+ */
+export async function getValidBearerToken(): Promise<string | null> {
+  const rows = await db
+    .select()
+    .from(configTable)
+    .where(eq(configTable.key, TOKEN_KEY))
+    .limit(1);
+
+  if (!rows.length) return null;
+
+  const row = rows[0];
+  const ageMs = Date.now() - new Date(row.updatedAt).getTime();
+  const fiftyMinutes = 50 * 60 * 1000;
+
+  if (ageMs > fiftyMinutes) {
+    console.log("[token] Token age > 50 min, proactively refreshing...");
+    const fresh = await refreshAccessToken();
+    if (fresh) return fresh;
+  }
+
+  return row.value;
+}
+
+export async function getStoredCredentials(): Promise<{ username: string; password: string } | null> {
+  const [username, passwordEnc] = await Promise.all([getConfig(USERNAME_KEY), getConfig(PASSWORD_KEY)]);
+  if (!username || !passwordEnc) return null;
+  try {
+    return { username, password: decrypt(passwordEnc) };
+  } catch {
+    return null;
+  }
+}
+
+// ── Login with email/password → get fresh access+refresh tokens ───────────────
+async function loginWithCredentials(): Promise<{ accessToken: string; refreshToken: string } | null> {
+  const creds = await getStoredCredentials();
+  if (!creds) return null;
+
+  try {
+    console.log("[token-refresh] Trying credential re-login via /login-v2...");
+    // /api/login-v2 requires: username, password, turnstile_token (JSON body)
+    const turnstileToken = await getTurnstileToken();
+    const resp = await fetch(GEMINIGEN_SIGNIN_URL, {
+      method: "POST",
+      headers: {
+        "Content-Type": "application/json",
+        "User-Agent": UA,
+        "x-guard-id": generateGuardId("/api/login-v2", "post"),
+      },
+      body: JSON.stringify({ username: creds.username, password: creds.password, turnstile_token: turnstileToken }),
+    });
+
+    const text = await resp.text();
+    console.log(`[token-refresh] signin → HTTP ${resp.status}: ${text.slice(0, 200)}`);
+
+    if (!resp.ok) {
+      invalidateTurnstileToken(); // force fresh token next attempt
+      return null;
+    }
+    const data = JSON.parse(text) as { access_token?: string; refresh_token?: string };
+    if (!data.access_token) return null;
+
+    return { accessToken: data.access_token, refreshToken: data.refresh_token || "" };
+  } catch (e: any) {
+    console.log(`[token-refresh] signin threw: ${e?.message}`);
+    return null;
+  }
+}
+
+// ── Core: refresh access token (with auto-login fallback) ─────────────────────
+export async function refreshAccessToken(): Promise<string | null> {
+  const refreshToken = await getStoredRefreshToken();
+
+  // ① Try native refresh endpoint if we have a refresh_token
+  if (refreshToken) {
+    try {
+      console.log("[token-refresh] Trying refresh_token endpoint...");
+      const resp = await fetch(GEMINIGEN_REFRESH_URL, {
+        method: "POST",
+        headers: {
+          "Content-Type": "application/json",
+          "User-Agent": UA,
+          "x-guard-id": generateGuardId("/api/refresh-token", "post"),
+        },
+        body: JSON.stringify({ refresh_token: refreshToken }),
+      });
+
+      const text = await resp.text();
+      console.log(`[token-refresh] refresh → HTTP ${resp.status}: ${text.slice(0, 200)}`);
+
+      if (resp.ok) {
+        const data = JSON.parse(text) as { access_token?: string; refresh_token?: string };
+        if (data.access_token) {
+          await setConfig(TOKEN_KEY, data.access_token);
+          if (data.refresh_token) await setConfig(REFRESH_TOKEN_KEY, data.refresh_token);
+          console.log("[token-refresh] Success via refresh_token");
+          return data.access_token;
+        }
+      }
+
+      const isExpired = text.includes("REFRESH_TOKEN_EXPIRED") || text.includes("expired");
+      if (!isExpired) {
+        console.warn("[token-refresh] Refresh failed for unknown reason — won't try credentials");
+        return null;
+      }
+      console.log("[token-refresh] Refresh token expired — falling back to credential login");
+    } catch (e: any) {
+      console.log(`[token-refresh] refresh threw: ${e?.message}`);
+    }
+  } else {
+    console.log("[token-refresh] No refresh token stored — trying credential login directly");
+  }
+
+  // ② Fallback: login with stored email/password
+  const result = await loginWithCredentials();
+  if (!result) {
+    console.warn("[token-refresh] All strategies failed — no credentials stored or login failed");
+    return null;
+  }
+
+  await setConfig(TOKEN_KEY, result.accessToken);
+  if (result.refreshToken) await setConfig(REFRESH_TOKEN_KEY, result.refreshToken);
+  console.log("[token-refresh] Success via credential re-login");
+  return result.accessToken;
+}
+
+// ── Token Pool helpers ────────────────────────────────────────────────────────
+
+const GEMINIGEN_REFRESH = "https://api.geminigen.ai/api/refresh-token";
+
+/** Get the least-recently-used active account from the pool. Returns null if pool is empty. */
+export async function getPoolToken(excludeIds: number[] = []): Promise<{ token: string; accountId: number } | null> {
+  const query = db
+    .select()
+    .from(geminiAccountsTable)
+    .where(
+      excludeIds.length > 0
+        ? and(eq(geminiAccountsTable.isActive, true), notInArray(geminiAccountsTable.id, excludeIds))
+        : eq(geminiAccountsTable.isActive, true)
+    )
+    .orderBy(asc(geminiAccountsTable.lastUsedAt))
+    .limit(1);
+
+  const rows = await query;
+  if (!rows.length) return null;
+  const account = rows[0];
+  return { token: account.bearerToken, accountId: account.id };
+}
+
+/** Mark an account as just used (update lastUsedAt). */
+export async function markAccountUsed(accountId: number): Promise<void> {
+  await db
+    .update(geminiAccountsTable)
+    .set({ lastUsedAt: new Date() })
+    .where(eq(geminiAccountsTable.id, accountId));
+}
+
+/** Try to refresh a specific pool account's token via its refresh_token. Returns new token or null. */
+export async function tryRefreshPoolAccount(accountId: number): Promise<string | null> {
+  const rows = await db.select().from(geminiAccountsTable).where(eq(geminiAccountsTable.id, accountId)).limit(1);
+  if (!rows.length) return null;
+  const account = rows[0];
+  if (!account.refreshToken) return null;
+
+  try {
+    const resp = await fetch(GEMINIGEN_REFRESH, {
+      method: "POST",
+      headers: {
+        "Content-Type": "application/json",
+        "User-Agent": UA,
+        "x-guard-id": generateGuardId("/api/refresh-token", "post"),
+      },
+      body: JSON.stringify({ refresh_token: account.refreshToken }),
+    });
+    if (!resp.ok) return null;
+    const data = await resp.json() as { access_token?: string; refresh_token?: string };
+    if (!data.access_token) return null;
+
+    await db.update(geminiAccountsTable).set({
+      bearerToken: data.access_token,
+      ...(data.refresh_token ? { refreshToken: data.refresh_token } : {}),
+    }).where(eq(geminiAccountsTable.id, accountId));
+
+    console.log(`[pool] Account ${accountId} token refreshed`);
+    return data.access_token;
+  } catch {
+    return null;
+  }
+}
+
+/** Disable an account in the pool (e.g., when all refresh strategies fail). */
+export async function disablePoolAccount(accountId: number): Promise<void> {
+  await db.update(geminiAccountsTable).set({ isActive: false }).where(eq(geminiAccountsTable.id, accountId));
+  console.warn(`[pool] Account ${accountId} disabled — token unrecoverable`);
+}
+
+// ── Routes ────────────────────────────────────────────────────────────────────
+router.get("/token", async (_req, res) => {
+  const token = await getConfig(TOKEN_KEY);
+  if (!token) return res.json({ configured: false, token: null });
+  return res.json({ configured: true, token: token.substring(0, 10) + "..." });
+});
+
+router.post("/token", async (req, res) => {
+  const { token, refreshToken } = req.body as { token?: string; refreshToken?: string };
+  if (!token?.trim()) return res.status(400).json({ error: "INVALID_TOKEN", message: "Token is required" });
+
+  await setConfig(TOKEN_KEY, token.trim());
+  if (refreshToken?.trim()) await setConfig(REFRESH_TOKEN_KEY, refreshToken.trim());
+
+  res.json({ success: true, message: "Token saved successfully" });
+});
+
+router.delete("/token", async (_req, res) => {
+  await db.delete(configTable).where(eq(configTable.key, TOKEN_KEY));
+  await db.delete(configTable).where(eq(configTable.key, REFRESH_TOKEN_KEY));
+  res.json({ success: true, message: "Token removed" });
+});
+
+export default router;

artifacts/api-server/src/routes/health.ts

@@ -0,0 +1,11 @@
+import { Router, type IRouter } from "express";
+import { HealthCheckResponse } from "@workspace/api-zod";
+
+const router: IRouter = Router();
+
+router.get("/healthz", (_req, res) => {
+  const data = HealthCheckResponse.parse({ status: "ok" });
+  res.json(data);
+});
+
+export default router;

artifacts/api-server/src/routes/images.ts

@@ -0,0 +1,457 @@
+import { Router } from "express";
+import { db, imagesTable, usersTable, configTable, creditTransactionsTable } from "@workspace/db";
+import {
+  GenerateImageBody,
+  GetImageHistoryQueryParams,
+  DeleteImageParams,
+} from "@workspace/api-zod";
+import { desc, eq, count, and, or, isNull, sql } from "drizzle-orm";
+import {
+  getValidBearerToken, refreshAccessToken,
+  getPoolToken, markAccountUsed, tryRefreshPoolAccount, disablePoolAccount,
+} from "./config";
+import { optionalJwtAuth } from "./auth";
+import { generateGuardId } from "../guardId";
+
+const router = Router();
+
+const GEMINIGEN_BASE = "https://api.geminigen.ai/api";
+
+const STYLE_PROMPTS: Record<string, string> = {
+  realistic: "photorealistic, high quality, detailed, 8k resolution",
+  anime: "anime style, manga art style, japanese animation",
+  artistic: "artistic, fine art, expressive brushwork",
+  cartoon: "cartoon style, colorful, fun illustration",
+  sketch: "pencil sketch, hand drawn, black and white drawing",
+  oil_painting: "oil painting, classical art style, textured canvas",
+  watercolor: "watercolor painting, soft colors, fluid brushstrokes",
+  digital_art: "digital art, concept art, highly detailed digital illustration",
+};
+
+const ORIENTATION_MAP: Record<string, string> = {
+  "1:1": "square",
+  "16:9": "landscape",
+  "9:16": "portrait",
+  "4:3": "landscape",
+  "3:4": "portrait",
+  "2:3": "portrait",
+  "3:2": "landscape",
+};
+
+const USER_AGENT = "Mozilla/5.0 (iPhone; CPU iPhone OS 18_3 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) CriOS/124.0.6367.111 Mobile/15E148 Safari/604.1";
+
+function base64ToBlob(base64: string, mime: string): Blob {
+  const binary = Buffer.from(base64, "base64");
+  return new Blob([binary], { type: mime });
+}
+
+async function pollForImage(uuid: string, token: string, maxWaitMs = 120000): Promise<string | null> {
+  const interval = 3000;
+  const start = Date.now();
+
+  while (Date.now() - start < maxWaitMs) {
+    await new Promise((r) => setTimeout(r, interval));
+
+    const resp = await fetch(`${GEMINIGEN_BASE}/history/${uuid}`, {
+      headers: {
+        Authorization: `Bearer ${token}`,
+        "x-guard-id": generateGuardId("/api/history/" + uuid, "get"),
+        "User-Agent": USER_AGENT,
+        Accept: "application/json",
+      },
+    });
+
+    if (!resp.ok) break;
+
+    const data = await resp.json() as {
+      status?: number;
+      generated_image?: Array<{ image_url?: string }>;
+    };
+
+    if (data.status === 2 || data.status === 3) {
+      return data.generated_image?.[0]?.image_url || null;
+    }
+
+    if (typeof data.status === "number" && data.status > 3) break;
+  }
+
+  return null;
+}
+
+async function callGrokEndpoint(prompt: string, orientation: string, token: string, refImageBase64?: string, refImageMime?: string) {
+  const form = new FormData();
+  form.append("prompt", prompt);
+  form.append("orientation", orientation);
+  form.append("num_result", "1");
+
+  if (refImageBase64 && refImageMime) {
+    const blob = base64ToBlob(refImageBase64, refImageMime);
+    form.append("files", blob, "reference.jpg");
+  }
+
+  const resp = await fetch(`${GEMINIGEN_BASE}/imagen/grok`, {
+    method: "POST",
+    headers: { Authorization: `Bearer ${token}`, "x-guard-id": generateGuardId("/api/imagen/grok", "post"), "User-Agent": USER_AGENT, Accept: "application/json" },
+    body: form,
+  });
+
+  const body = await resp.json().catch(async () => ({ raw: await resp.text().catch(() => "") }));
+  return { status: resp.status, body };
+}
+
+async function callMetaEndpoint(prompt: string, orientation: string, token: string, refImageBase64?: string, refImageMime?: string) {
+  const form = new FormData();
+  form.append("prompt", prompt);
+  form.append("orientation", orientation);
+  form.append("num_result", "1");
+
+  if (refImageBase64 && refImageMime) {
+    const blob = base64ToBlob(refImageBase64, refImageMime);
+    form.append("files", blob, "reference.jpg");
+  }
+
+  const resp = await fetch(`${GEMINIGEN_BASE}/meta_ai/generate`, {
+    method: "POST",
+    headers: { Authorization: `Bearer ${token}`, "x-guard-id": generateGuardId("/api/meta_ai/generate", "post"), "User-Agent": USER_AGENT, Accept: "application/json" },
+    body: form,
+  });
+
+  const body = await resp.json().catch(async () => ({ raw: await resp.text().catch(() => "") }));
+  return { status: resp.status, body };
+}
+
+async function callImagenEndpoint(model: string, prompt: string, aspectRatio: string, style: string, token: string, refImageBase64?: string, refImageMime?: string, resolution?: string) {
+  const form = new FormData();
+  form.append("prompt", prompt);
+  form.append("model", model);
+  form.append("aspect_ratio", aspectRatio);
+  form.append("output_format", "jpg");
+  if (resolution) form.append("resolution", resolution);
+
+  if (refImageBase64 && refImageMime) {
+    const blob = base64ToBlob(refImageBase64, refImageMime);
+    form.append("files", blob, "reference.jpg");
+  }
+
+  const resp = await fetch(`${GEMINIGEN_BASE}/generate_image`, {
+    method: "POST",
+    headers: { Authorization: `Bearer ${token}`, "x-guard-id": generateGuardId("/api/generate_image", "post"), "User-Agent": USER_AGENT, Accept: "application/json" },
+    body: form,
+  });
+
+  const body = await resp.json().catch(async () => ({ raw: await resp.text().catch(() => "") }));
+  return { status: resp.status, body };
+}
+
+// ── Credit helpers ─────────────────────────────────────────────────────────────
+async function getConfigVal(key: string): Promise<string | null> {
+  const rows = await db.select({ value: configTable.value }).from(configTable).where(eq(configTable.key, key)).limit(1);
+  return rows[0]?.value ?? null;
+}
+
+async function checkAndDeductCredits(userId: number, cost: number, description: string): Promise<{ ok: boolean; balance?: number }> {
+  const enabled = await getConfigVal("enable_credits");
+  if (enabled !== "true") return { ok: true };
+
+  const [user] = await db.select({ credits: usersTable.credits }).from(usersTable).where(eq(usersTable.id, userId)).limit(1);
+  if (!user) return { ok: false };
+  if (user.credits < cost) return { ok: false, balance: user.credits };
+
+  const [updated] = await db
+    .update(usersTable)
+    .set({ credits: sql`${usersTable.credits} - ${cost}` })
+    .where(eq(usersTable.id, userId))
+    .returning({ credits: usersTable.credits });
+
+  await db.insert(creditTransactionsTable).values({
+    userId,
+    amount: -cost,
+    type: "spend",
+    description,
+  });
+
+  return { ok: true, balance: updated.credits };
+}
+
+router.post("/generate", optionalJwtAuth, async (req, res) => {
+  const bodyResult = GenerateImageBody.safeParse(req.body);
+  if (!bodyResult.success) {
+    return res.status(400).json({ error: "VALIDATION_ERROR", message: "Invalid request body" });
+  }
+
+  const {
+    prompt,
+    style = "realistic",
+    aspectRatio = "1:1",
+    model = "grok",
+    resolution,
+    referenceImageBase64,
+    referenceImageMime,
+    isPrivate = false,
+  } = bodyResult.data as any;
+
+  const userId: number | null = (req as any).jwtUserId ?? null;
+
+  // ── Credits check ────────────────────────────────────────────────────────────
+  if (userId !== null) {
+    const costStr = await getConfigVal("image_gen_cost");
+    const cost = Number(costStr) || 0;
+    if (cost > 0) {
+      const creditResult = await checkAndDeductCredits(userId, cost, `圖片生成（${model}）`);
+      if (!creditResult.ok) {
+        return res.status(402).json({
+          error: "INSUFFICIENT_CREDITS",
+          message: `點數不足，此操作需要 ${cost} 點`,
+          balance: creditResult.balance ?? 0,
+        });
+      }
+    }
+  }
+
+  const stylePrompt = style === "none" ? "" : (STYLE_PROMPTS[style] || "");
+  const fullPrompt = stylePrompt ? `${prompt}, ${stylePrompt}` : prompt;
+  const orientation = ORIENTATION_MAP[aspectRatio] || "square";
+
+  const isImagenModel = model === "imagen-pro" || model === "imagen-4" || model === "imagen-flash" || model === "nano-banana-pro" || model === "nano-banana-2";
+  const apiModelId = isImagenModel ? model : model;
+
+  let imageUrl = "";
+  let usedFallback = false;
+  let fallbackReason = "";
+  let responseStatus = 0;
+  let responseBody: unknown = {};
+  let pollResult: Record<string, unknown> = {};
+  const startTime = Date.now();
+
+  // ── Pool-aware token selection ──────────────────────────────────────────────
+  const failedPoolIds: number[] = [];
+  let currentAccountId: number | null = null;
+
+  async function pickToken(): Promise<string | null> {
+    const poolEntry = await getPoolToken(failedPoolIds);
+    if (poolEntry) {
+      currentAccountId = poolEntry.accountId;
+      return poolEntry.token;
+    }
+    currentAccountId = null;
+    return getValidBearerToken();
+  }
+
+  async function handleTokenExpiry(): Promise<string | null> {
+    if (currentAccountId !== null) {
+      const refreshed = await tryRefreshPoolAccount(currentAccountId);
+      if (refreshed) return refreshed;
+      failedPoolIds.push(currentAccountId);
+      const next = await getPoolToken(failedPoolIds);
+      if (next) {
+        currentAccountId = next.accountId;
+        return next.token;
+      }
+    }
+    return refreshAccessToken();
+  }
+
+  let token = await pickToken();
+
+  const requestInfo = {
+    url: isImagenModel
+      ? `${GEMINIGEN_BASE}/generate_image`
+      : model === "meta"
+      ? `${GEMINIGEN_BASE}/meta_ai/generate`
+      : `${GEMINIGEN_BASE}/imagen/grok`,
+    model: isImagenModel ? apiModelId : model,
+    fields: isImagenModel
+      ? { prompt: fullPrompt, model: apiModelId, aspect_ratio: aspectRatio, output_format: "jpg", ...(resolution ? { resolution } : {}), hasReferenceImage: !!referenceImageBase64 }
+      : { prompt: fullPrompt, orientation, num_result: "1", hasReferenceImage: !!referenceImageBase64 },
+  };
+
+  try {
+    if (!token) throw new Error("未設定 API Token，請到設定頁面輸入 token");
+
+    let result: { status: number; body: unknown };
+
+    if (model === "grok") {
+      result = await callGrokEndpoint(fullPrompt, orientation, token, referenceImageBase64, referenceImageMime);
+    } else if (model === "meta") {
+      result = await callMetaEndpoint(fullPrompt, orientation, token, referenceImageBase64, referenceImageMime);
+    } else {
+      result = await callImagenEndpoint(apiModelId, fullPrompt, aspectRatio, style, token, referenceImageBase64, referenceImageMime, resolution);
+    }
+
+    if (result.status === 401) {
+      const newToken = await handleTokenExpiry();
+      if (!newToken) throw new Error("Token 已過期且無法自動刷新");
+      token = newToken;
+
+      if (model === "grok") result = await callGrokEndpoint(fullPrompt, orientation, token, referenceImageBase64, referenceImageMime);
+      else if (model === "meta") result = await callMetaEndpoint(fullPrompt, orientation, token, referenceImageBase64, referenceImageMime);
+      else result = await callImagenEndpoint(apiModelId, fullPrompt, aspectRatio, style, token, referenceImageBase64, referenceImageMime, resolution);
+    }
+
+    responseStatus = result.status;
+    responseBody = result.body;
+
+    const data = result.body as { uuid?: string; base64_images?: string; generated_image?: Array<{ image_url?: string }>; detail?: { error_code?: string; error_message?: string } };
+
+    const errMsg = (data?.detail?.error_message || "").toLowerCase();
+    const isTokenExpired = result.status === 401 || result.status === 403
+      || data?.detail?.error_code === "TOKEN_EXPIRED"
+      || errMsg.includes("expired") || errMsg.includes("token");
+
+    if (isTokenExpired) {
+      const newToken = await handleTokenExpiry();
+      if (!newToken) throw new Error("Token 已過期且無法自動刷新，請重新取得");
+      token = newToken;
+
+      let retryResult: { status: number; body: unknown };
+      if (model === "grok") retryResult = await callGrokEndpoint(fullPrompt, orientation, token, referenceImageBase64, referenceImageMime);
+      else if (model === "meta") retryResult = await callMetaEndpoint(fullPrompt, orientation, token, referenceImageBase64, referenceImageMime);
+      else retryResult = await callImagenEndpoint(apiModelId, fullPrompt, aspectRatio, style, token, referenceImageBase64, referenceImageMime, resolution);
+
+      responseStatus = retryResult.status;
+      responseBody = retryResult.body;
+      Object.assign(data, retryResult.body);
+    }
+
+    if (!result.status.toString().startsWith("2") && !isTokenExpired) {
+      const msg = (data as any)?.detail?.error_message || (data as any)?.detail?.error_code || `HTTP ${result.status}`;
+      throw new Error(`API 錯誤：${msg}`);
+    }
+
+    const finalData = responseBody as typeof data;
+
+    if ((finalData as any)?.detail?.error_code && (finalData as any)?.detail?.error_code !== "TOKEN_EXPIRED") {
+      const msg = (finalData as any)?.detail?.error_message || (finalData as any)?.detail?.error_code;
+      throw new Error(`API 錯誤：${msg}`);
+    }
+
+    if (data.base64_images) {
+      imageUrl = `data:image/png;base64,${data.base64_images}`;
+      pollResult = { type: "immediate_base64" };
+    } else if (data.generated_image?.[0]?.image_url) {
+      imageUrl = data.generated_image[0].image_url;
+      pollResult = { type: "immediate_url" };
+    } else if (data.uuid) {
+      pollResult.uuid = data.uuid;
+      const polledUrl = await pollForImage(data.uuid, token);
+      if (!polledUrl) throw new Error("圖片生成逾時或未返回結果");
+      imageUrl = polledUrl;
+      pollResult.imageUrl = imageUrl;
+      pollResult.status = "completed";
+    } else {
+      throw new Error("API 未返回圖片或任務 UUID");
+    }
+  } catch (err: unknown) {
+    const errMsg = err instanceof Error ? err.message : String(err);
+    req.log.warn({ err }, "Image generation failed, using fallback");
+    usedFallback = true;
+    fallbackReason = errMsg;
+
+    const fallbackSizes: Record<string, string> = {
+      "1:1": "1024/1024", "16:9": "1344/768", "9:16": "768/1344",
+      "4:3": "1152/896", "3:4": "896/1152", "2:3": "768/1152", "3:2": "1152/768",
+    };
+    const seed = Math.floor(Math.random() * 1000000);
+    imageUrl = `https://picsum.photos/seed/${seed}/${fallbackSizes[aspectRatio] || "1024/1024"}`;
+  }
+
+  const durationMs = Date.now() - startTime;
+  const isTokenError = usedFallback && (
+    fallbackReason?.includes("Token 已過期") ||
+    fallbackReason?.includes("無法自動刷新") ||
+    fallbackReason?.includes("未設定 API Token") ||
+    fallbackReason?.includes("REFRESH_TOKEN_EXPIRED")
+  );
+
+  // Mark the pool account as used (after successful generation)
+  if (currentAccountId !== null) {
+    markAccountUsed(currentAccountId).catch(() => {});
+  }
+
+  const [inserted] = await db
+    .insert(imagesTable)
+    .values({ imageUrl, prompt, style, aspectRatio, model, isPrivate: !!isPrivate, userId })
+    .returning();
+
+  res.json({
+    id: inserted.id,
+    imageUrl: inserted.imageUrl,
+    prompt: inserted.prompt,
+    style: inserted.style,
+    aspectRatio: inserted.aspectRatio,
+    model: inserted.model,
+    createdAt: inserted.createdAt.toISOString(),
+    ...(usedFallback ? { error: fallbackReason, tokenExpired: isTokenError } : {}),
+    apiDebug: {
+      requestUrl: requestInfo.url,
+      requestMethod: "POST",
+      requestContentType: "multipart/form-data",
+      requestHeaders: {
+        Authorization: token ? "Bearer ****" : "(無 Token)",
+        "User-Agent": USER_AGENT,
+        Accept: "application/json",
+      },
+      requestBody: requestInfo.fields,
+      responseStatus,
+      responseBody,
+      pollResult,
+      durationMs,
+      usedFallback,
+      ...(fallbackReason ? { fallbackReason } : {}),
+    },
+  });
+});
+
+router.get("/history", optionalJwtAuth, async (req, res) => {
+  const paramsResult = GetImageHistoryQueryParams.safeParse({
+    limit: req.query.limit ? Number(req.query.limit) : 20,
+    offset: req.query.offset ? Number(req.query.offset) : 0,
+  });
+
+  const { limit = 20, offset = 0 } = paramsResult.success ? paramsResult.data : {};
+  const currentUserId: number | null = (req as any).jwtUserId ?? null;
+
+  // Visibility filter:
+  // - Public images are always visible
+  // - Private images are only visible to their owner
+  const visibilityFilter = currentUserId
+    ? or(eq(imagesTable.isPrivate, false), and(eq(imagesTable.isPrivate, true), eq(imagesTable.userId, currentUserId)))
+    : eq(imagesTable.isPrivate, false);
+
+  const [images, [{ value: total }]] = await Promise.all([
+    db.select().from(imagesTable).where(visibilityFilter).orderBy(desc(imagesTable.createdAt)).limit(limit).offset(offset),
+    db.select({ value: count() }).from(imagesTable).where(visibilityFilter),
+  ]);
+
+  res.json({
+    images: images.map((img) => ({
+      id: img.id,
+      imageUrl: img.imageUrl,
+      prompt: img.prompt,
+      style: img.style,
+      aspectRatio: img.aspectRatio,
+      model: img.model,
+      isPrivate: img.isPrivate,
+      userId: img.userId,
+      createdAt: img.createdAt.toISOString(),
+    })),
+    total: Number(total),
+  });
+});
+
+router.delete("/:id", async (req, res) => {
+  const paramsResult = DeleteImageParams.safeParse({ id: Number(req.params.id) });
+  if (!paramsResult.success) {
+    return res.status(400).json({ error: "INVALID_ID", message: "Invalid image ID" });
+  }
+
+  const deleted = await db.delete(imagesTable).where(eq(imagesTable.id, paramsResult.data.id)).returning();
+
+  if (deleted.length === 0) {
+    return res.status(404).json({ error: "NOT_FOUND", message: "Image not found" });
+  }
+
+  res.json({ success: true, message: "Image deleted successfully" });
+});
+
+export default router;

artifacts/api-server/src/routes/index.ts

@@ -0,0 +1,20 @@
+import { Router, type IRouter } from "express";
+import healthRouter from "./health";
+import imagesRouter from "./images";
+import videosRouter from "./videos";
+import configRouter from "./config";
+import apiKeysRouter from "./apiKeys";
+import authRouter from "./auth";
+import adminRouter from "./admin";
+
+const router: IRouter = Router();
+
+router.use(healthRouter);
+router.use("/images", imagesRouter);
+router.use("/videos", videosRouter);
+router.use("/config", configRouter);
+router.use("/apikeys", apiKeysRouter);
+router.use("/auth", authRouter);
+router.use("/admin", adminRouter);
+
+export default router;

artifacts/api-server/src/routes/openai.ts

@@ -0,0 +1,220 @@
+import { Router } from "express";
+import { createHash } from "crypto";
+import { db, apiKeysTable } from "@workspace/db";
+import { eq } from "drizzle-orm";
+import { getValidBearerToken, refreshAccessToken, getPoolToken, markAccountUsed, tryRefreshPoolAccount } from "./config";
+
+const router = Router();
+
+const GEMINIGEN_BASE = "https://api.geminigen.ai/api";
+const USER_AGENT = "Mozilla/5.0 (iPhone; CPU iPhone OS 18_3 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) CriOS/124.0.6367.111 Mobile/15E148 Safari/604.1";
+
+const SUPPORTED_MODELS = [
+  "grok", "meta", "imagen-pro", "imagen-4", "imagen-flash", "nano-banana-pro", "nano-banana-2",
+];
+
+const ALIAS_MAP: Record<string, string> = {
+  "dall-e-3": "grok",
+  "dall-e-2": "grok",
+  "gpt-image-1": "grok",
+};
+
+const SIZE_TO_ASPECT: Record<string, string> = {
+  "256x256": "1:1",
+  "512x512": "1:1",
+  "1024x1024": "1:1",
+  "1792x1024": "16:9",
+  "1024x1792": "9:16",
+};
+
+const ORIENTATION_MAP: Record<string, string> = {
+  "1:1": "square", "16:9": "landscape", "9:16": "portrait",
+  "4:3": "landscape", "3:4": "portrait", "2:3": "portrait", "3:2": "landscape",
+};
+
+async function validateApiKey(req: any, res: any, next: any) {
+  const auth = req.headers.authorization as string | undefined;
+  if (!auth?.startsWith("Bearer ")) {
+    return res.status(401).json({ error: { message: "No API key provided.", type: "invalid_request_error", code: "invalid_api_key" } });
+  }
+  const raw = auth.slice(7);
+  const hash = createHash("sha256").update(raw).digest("hex");
+  const [apiKey] = await db.select().from(apiKeysTable).where(eq(apiKeysTable.keyHash, hash)).limit(1);
+  if (!apiKey) {
+    return res.status(401).json({ error: { message: "Invalid API key.", type: "invalid_request_error", code: "invalid_api_key" } });
+  }
+  db.update(apiKeysTable).set({ lastUsedAt: new Date() }).where(eq(apiKeysTable.id, apiKey.id)).catch(() => {});
+  req.apiKeyRecord = apiKey;
+  next();
+}
+
+async function callGrokEndpoint(prompt: string, orientation: string, token: string) {
+  const form = new FormData();
+  form.append("prompt", prompt);
+  form.append("orientation", orientation);
+  form.append("num_result", "1");
+  const resp = await fetch(`${GEMINIGEN_BASE}/imagen/grok`, {
+    method: "POST",
+    headers: { Authorization: `Bearer ${token}`, "User-Agent": USER_AGENT, Accept: "application/json" },
+    body: form,
+  });
+  const body = await resp.json().catch(async () => ({ raw: await resp.text().catch(() => "") }));
+  return { status: resp.status, body };
+}
+
+async function callMetaEndpoint(prompt: string, orientation: string, token: string) {
+  const form = new FormData();
+  form.append("prompt", prompt);
+  form.append("orientation", orientation);
+  form.append("num_result", "1");
+  const resp = await fetch(`${GEMINIGEN_BASE}/meta_ai/generate`, {
+    method: "POST",
+    headers: { Authorization: `Bearer ${token}`, "User-Agent": USER_AGENT, Accept: "application/json" },
+    body: form,
+  });
+  const body = await resp.json().catch(async () => ({ raw: await resp.text().catch(() => "") }));
+  return { status: resp.status, body };
+}
+
+async function callImagenEndpoint(model: string, prompt: string, aspectRatio: string, token: string) {
+  const form = new FormData();
+  form.append("prompt", prompt);
+  form.append("model", model);
+  form.append("aspect_ratio", aspectRatio);
+  form.append("output_format", "jpg");
+  const resp = await fetch(`${GEMINIGEN_BASE}/generate_image`, {
+    method: "POST",
+    headers: { Authorization: `Bearer ${token}`, "User-Agent": USER_AGENT, Accept: "application/json" },
+    body: form,
+  });
+  const body = await resp.json().catch(async () => ({ raw: await resp.text().catch(() => "") }));
+  return { status: resp.status, body };
+}
+
+async function pollForImage(uuid: string, token: string, maxWaitMs = 120000): Promise<string | null> {
+  const interval = 3000;
+  const start = Date.now();
+  while (Date.now() - start < maxWaitMs) {
+    await new Promise((r) => setTimeout(r, interval));
+    const resp = await fetch(`${GEMINIGEN_BASE}/history/${uuid}`, {
+      headers: { Authorization: `Bearer ${token}`, "User-Agent": USER_AGENT, Accept: "application/json" },
+    });
+    if (!resp.ok) break;
+    const data = await resp.json() as { status?: number; generated_image?: Array<{ image_url?: string }> };
+    if (data.status === 2 || data.status === 3) return data.generated_image?.[0]?.image_url || null;
+    if (typeof data.status === "number" && data.status > 3) break;
+  }
+  return null;
+}
+
+router.get("/models", validateApiKey, (_req, res) => {
+  const created = Math.floor(Date.now() / 1000);
+  res.json({
+    object: "list",
+    data: SUPPORTED_MODELS.map((id) => ({
+      id,
+      object: "model",
+      created,
+      owned_by: "starforge",
+    })),
+  });
+});
+
+router.post("/images/generations", validateApiKey, async (req, res) => {
+  const {
+    model: rawModel = "grok",
+    prompt,
+    n = 1,
+    size = "1024x1024",
+    response_format = "url",
+  } = req.body as {
+    model?: string;
+    prompt?: string;
+    n?: number;
+    size?: string;
+    response_format?: string;
+  };
+
+  if (!prompt) {
+    return res.status(400).json({ error: { message: "prompt is required", type: "invalid_request_error" } });
+  }
+
+  const model = ALIAS_MAP[rawModel] || (SUPPORTED_MODELS.includes(rawModel) ? rawModel : "grok");
+  const aspectRatio = SIZE_TO_ASPECT[size] || "1:1";
+  const orientation = ORIENTATION_MAP[aspectRatio] || "square";
+  const isImagenModel = ["imagen-pro", "imagen-4", "imagen-flash", "nano-banana-pro", "nano-banana-2"].includes(model);
+
+  // Pool-aware token selection
+  const failedPoolIds: number[] = [];
+  let currentAccountId: number | null = null;
+
+  async function pickToken(): Promise<string | null> {
+    const poolEntry = await getPoolToken(failedPoolIds);
+    if (poolEntry) { currentAccountId = poolEntry.accountId; return poolEntry.token; }
+    currentAccountId = null;
+    return getValidBearerToken();
+  }
+
+  async function handleExpiry(): Promise<string | null> {
+    if (currentAccountId !== null) {
+      const refreshed = await tryRefreshPoolAccount(currentAccountId);
+      if (refreshed) return refreshed;
+      failedPoolIds.push(currentAccountId);
+      const next = await getPoolToken(failedPoolIds);
+      if (next) { currentAccountId = next.accountId; return next.token; }
+    }
+    return refreshAccessToken();
+  }
+
+  let token = await pickToken();
+  if (!token) return res.status(503).json({ error: { message: "Service not configured.", type: "server_error" } });
+
+  const images: { url?: string; b64_json?: string }[] = [];
+  const count = Math.min(Math.max(Number(n) || 1, 1), 4);
+
+  try {
+    for (let i = 0; i < count; i++) {
+      let result: { status: number; body: unknown };
+
+      if (model === "grok") result = await callGrokEndpoint(prompt, orientation, token);
+      else if (model === "meta") result = await callMetaEndpoint(prompt, orientation, token);
+      else result = await callImagenEndpoint(model, prompt, aspectRatio, token);
+
+      if (result.status === 401) {
+        const newToken = await handleExpiry();
+        if (!newToken) throw new Error("Token expired");
+        token = newToken;
+        if (model === "grok") result = await callGrokEndpoint(prompt, orientation, token);
+        else if (model === "meta") result = await callMetaEndpoint(prompt, orientation, token);
+        else result = await callImagenEndpoint(model, prompt, aspectRatio, token);
+      }
+
+      const data = result.body as { uuid?: string; base64_images?: string; generated_image?: Array<{ image_url?: string }> };
+
+      let imageUrl = "";
+      if (data.base64_images) {
+        imageUrl = `data:image/png;base64,${data.base64_images}`;
+      } else if (data.generated_image?.[0]?.image_url) {
+        imageUrl = data.generated_image[0].image_url;
+      } else if (data.uuid) {
+        const polled = await pollForImage(data.uuid, token);
+        if (!polled) throw new Error("Generation timed out");
+        imageUrl = polled;
+      }
+
+      if (response_format === "b64_json" && imageUrl.startsWith("data:")) {
+        images.push({ b64_json: imageUrl.split(",")[1] });
+      } else {
+        images.push({ url: imageUrl });
+      }
+    }
+  } catch (err: unknown) {
+    const msg = err instanceof Error ? err.message : String(err);
+    return res.status(500).json({ error: { message: msg, type: "server_error" } });
+  }
+
+  if (currentAccountId !== null) markAccountUsed(currentAccountId).catch(() => {});
+  res.json({ created: Math.floor(Date.now() / 1000), data: images });
+});
+
+export default router;

artifacts/api-server/src/routes/public.ts

@@ -0,0 +1,83 @@
+import { Router } from "express";
+import { db, configTable, geminiAccountsTable } from "@workspace/db";
+import { eq, sql } from "drizzle-orm";
+import { OTP_KEY, SITE_CONFIG_KEYS } from "./admin";
+
+const router = Router();
+
+const TOKEN_KEY = "geminigen_bearer_token";
+const REFRESH_TOKEN_KEY = "geminigen_refresh_token";
+
+router.post("/receive-tokens", async (req, res) => {
+  const { otp, access_token, refresh_token, label } = req.body as {
+    otp?: string;
+    access_token?: string;
+    refresh_token?: string;
+    label?: string;
+  };
+
+  if (!otp || !access_token) {
+    return res.status(400).json({ error: "otp 和 access_token 為必填" });
+  }
+
+  const row = await db
+    .select()
+    .from(configTable)
+    .where(eq(configTable.key, OTP_KEY))
+    .limit(1);
+
+  if (!row.length) {
+    return res.status(401).json({ error: "OTP 無效或已過期，請重新產生書籤" });
+  }
+
+  const [storedOtp, expiresAtStr] = row[0].value.split(":");
+  const expiresAt = Number(expiresAtStr);
+
+  if (storedOtp !== otp || Date.now() > expiresAt) {
+    return res.status(401).json({ error: "OTP 無效或已過期，請重新產生書籤" });
+  }
+
+  // Delete OTP (one-time use)
+  await db.delete(configTable).where(eq(configTable.key, OTP_KEY));
+
+  if (label) {
+    // Save to pool as a new account
+    await db.insert(geminiAccountsTable).values({
+      label: label.trim(),
+      bearerToken: access_token,
+      refreshToken: refresh_token || null,
+      isActive: true,
+    });
+    return res.json({ success: true, message: `帳戶「${label}」已加入 Token 池！` });
+  }
+
+  // Legacy: save as single token in config
+  await db
+    .insert(configTable)
+    .values({ key: TOKEN_KEY, value: access_token, updatedAt: new Date() })
+    .onConflictDoUpdate({ target: configTable.key, set: { value: access_token, updatedAt: new Date() } });
+
+  if (refresh_token) {
+    await db
+      .insert(configTable)
+      .values({ key: REFRESH_TOKEN_KEY, value: refresh_token, updatedAt: new Date() })
+      .onConflictDoUpdate({ target: configTable.key, set: { value: refresh_token, updatedAt: new Date() } });
+  }
+
+  return res.json({ success: true, message: "Token 已成功同步！" });
+});
+
+// ── Public site config (logo, Google Ads) ─────────────────────────────────────
+const PUBLIC_SITE_KEYS = ["logo_url", "site_name", "google_ads_enabled", "google_ads_client", "google_ads_slot"];
+
+router.get("/site-config", async (_req, res) => {
+  const rows = await db
+    .select()
+    .from(configTable)
+    .where(sql`${configTable.key} = ANY(ARRAY[${sql.raw(PUBLIC_SITE_KEYS.map(k => `'${k}'`).join(","))}]::text[])`);
+  const config: Record<string, string> = {};
+  for (const row of rows) config[row.key] = row.value;
+  res.json(config);
+});
+
+export default router;

artifacts/api-server/src/routes/videos.ts

@@ -0,0 +1,1297 @@
+import { Router, type Response as ExpressResponse, type Request } from "express";
+import { db, videosTable, usersTable, configTable, creditTransactionsTable } from "@workspace/db";
+import { desc, eq, and, or, sql } from "drizzle-orm";
+import { randomUUID } from "crypto";
+import {
+  getValidBearerToken,
+  refreshAccessToken,
+  getPoolToken,
+  tryRefreshPoolAccount,
+} from "./config";
+import { getTurnstileToken, invalidateTurnstileToken } from "../captcha";
+import { generateGuardId } from "../guardId";
+import { optionalJwtAuth } from "./auth";
+import { downloadAndStoreVideo, streamStoredVideo, isStorageReady } from "../lib/videoStorage";
+
+const router = Router();
+
+const GEMINIGEN_BASE    = "https://api.geminigen.ai";
+const GROK_ENDPOINT     = `${GEMINIGEN_BASE}/api/video-gen/grok-stream`;
+const VEO_ENDPOINT      = `${GEMINIGEN_BASE}/api/video-gen/veo`;
+const USER_AGENT =
+  "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/133.0.0.0 Safari/537.36";
+
+// ── In-memory task store ─────────────────────────────────────────────────────
+// Tasks live here between POST /generate (which creates them) and the
+// SSE /progress/:taskId endpoint which a client subscribes to.
+
+type TaskStatus = "pending" | "complete" | "failed";
+
+interface ProgressEvent {
+  type: "start" | "progress" | "complete" | "error";
+  message?: string;
+  status?: number;
+  uuid?: string;
+  video?: unknown;
+  errorCode?: string;
+}
+
+interface Task {
+  status: TaskStatus;
+  createdAt: number;
+  buffered: ProgressEvent[];                  // events buffered before client connects
+  clients: Set<(e: ProgressEvent) => void>;  // active SSE listeners
+}
+
+const tasks = new Map<string, Task>();
+
+// Clean up tasks older than 30 min
+setInterval(() => {
+  const cutoff = Date.now() - 30 * 60 * 1000;
+  for (const [id, t] of tasks) {
+    if (t.createdAt < cutoff) tasks.delete(id);
+  }
+}, 5 * 60 * 1000);
+
+function createTask(): string {
+  const id = randomUUID();
+  tasks.set(id, { status: "pending", createdAt: Date.now(), buffered: [], clients: new Set() });
+  return id;
+}
+
+function broadcast(task: Task, event: ProgressEvent): void {
+  if (task.status === "pending") task.buffered.push(event);
+  for (const client of task.clients) {
+    try { client(event); } catch { /* ignore broken pipe */ }
+  }
+}
+
+function finishTask(task: Task, status: TaskStatus, final: ProgressEvent): void {
+  task.status = status;
+  task.buffered.push(final);
+  for (const client of task.clients) {
+    try { client(final); } catch {}
+  }
+  task.clients.clear();
+}
+
+// ── Video generation options ──────────────────────────────────────────────────
+export type VideoModel = "grok-3" | "veo-3-fast";
+
+export interface VideoGenOptions {
+  model: VideoModel;
+  prompt: string;
+  negativePrompt?: string;
+  aspectRatio: "16:9" | "9:16" | "1:1" | "3:4" | "4:3";
+  resolution: "480p" | "720p" | "1080p";
+  duration: 5 | 6 | 8 | 10;
+  enhancePrompt: boolean;
+  refImageBase64?: string;
+  refImageMime?: string;
+}
+
+// ── Model constraints ─────────────────────────────────────────────────────────
+// Grok-3 limits (API confirmed)
+const GROK3_MAX_DURATION   = 6;
+const GROK3_MAX_RESOLUTION = "720p";
+
+// Veo 3.1 Fast limits (API confirmed)
+// duration: 8s only, aspect ratios: 16:9 / 9:16 only
+const VEO_VALID_ASPECT_RATIOS = new Set(["16:9", "9:16"]);
+const VEO_DURATION = 8 as const;
+
+// Grok-3 aspect ratio mapping: raw user ratio → API keyword
+const GROK_ASPECT_RATIO_MAP: Record<string, string> = {
+  "16:9": "landscape",
+  "4:3":  "landscape",
+  "3:2":  "3:2",
+  "9:16": "portrait",
+  "3:4":  "portrait",
+  "2:3":  "2:3",
+  "1:1":  "square",
+};
+
+const VALID_ASPECT_RATIOS = new Set(["16:9", "9:16", "1:1", "3:4", "4:3"]);
+const VALID_RESOLUTIONS   = new Set(["480p", "720p", "1080p"]);
+const VALID_DURATIONS     = new Set([5, 6, 8, 10]);
+const RESOLUTION_RANK: Record<string, number> = { "480p": 0, "720p": 1, "1080p": 2 };
+
+export function parseVideoOptions(body: Record<string, unknown>, prompt: string): VideoGenOptions {
+  const model: VideoModel = body.model === "veo-3-fast" ? "veo-3-fast" : "grok-3";
+
+  let aspectRatio = VALID_ASPECT_RATIOS.has(body.aspectRatio as string)
+    ? (body.aspectRatio as VideoGenOptions["aspectRatio"]) : "16:9";
+
+  let resolution = VALID_RESOLUTIONS.has(body.resolution as string)
+    ? (body.resolution as VideoGenOptions["resolution"]) : "480p";
+
+  let duration = VALID_DURATIONS.has(Number(body.duration))
+    ? (Number(body.duration) as VideoGenOptions["duration"]) : 6;
+
+  if (model === "grok-3") {
+    // Clamp resolution to max 720p
+    if (RESOLUTION_RANK[resolution] > RESOLUTION_RANK[GROK3_MAX_RESOLUTION]) {
+      resolution = GROK3_MAX_RESOLUTION;
+    }
+    // Clamp duration to max 6s
+    if (duration > GROK3_MAX_DURATION) {
+      duration = GROK3_MAX_DURATION as VideoGenOptions["duration"];
+    }
+  } else if (model === "veo-3-fast") {
+    // Force duration to 8s
+    duration = VEO_DURATION;
+    // Restrict to 16:9 / 9:16
+    if (!VEO_VALID_ASPECT_RATIOS.has(aspectRatio)) {
+      aspectRatio = "16:9";
+    }
+  }
+
+  const negativePrompt = typeof body.negativePrompt === "string" && body.negativePrompt.trim()
+    ? body.negativePrompt.trim() : undefined;
+  const enhancePrompt = body.enhancePrompt !== false;
+
+  return { model, prompt, negativePrompt, aspectRatio, resolution, duration, enhancePrompt };
+}
+
+// ── Helper: build FormData ───────────────────────────────────────────────────
+function base64ToBlob(base64: string, mime: string): Blob {
+  const binary = Buffer.from(base64, "base64");
+  return new Blob([binary], { type: mime });
+}
+
+// ── Grok-3 form builder ───────────────────────────────────────────────────────
+function buildGrokForm(turnstileToken: string, opts: VideoGenOptions): FormData {
+  const form = new FormData();
+  form.append("prompt", opts.prompt);
+  form.append("model", "grok-3");
+  form.append("model_name", "grok-3");
+  // Aspect ratio: API expects 'landscape'|'portrait'|'square'|'3:2'|'2:3'
+  const apiAspectRatio = GROK_ASPECT_RATIO_MAP[opts.aspectRatio] ?? "landscape";
+  form.append("aspect_ratio", apiAspectRatio);
+  form.append("resolution", opts.resolution);
+  form.append("duration", opts.duration.toString());
+  form.append("num_result", "1");
+  form.append("enhance_prompt", opts.enhancePrompt ? "true" : "false");
+  form.append("turnstile_token", turnstileToken);
+  if (opts.negativePrompt) form.append("negative_prompt", opts.negativePrompt);
+  if (opts.refImageBase64 && opts.refImageMime) {
+    // Presence of 'files' tells the API this is image-to-video.
+    // Do NOT set mode='image_to_video' — the 'mode' field is a creativity level
+    // (normal | custom | extremely-crazy | extremely-spicy-or-crazy).
+    form.append("files", base64ToBlob(opts.refImageBase64, opts.refImageMime), "reference.jpg");
+    form.append("mode", "custom");
+  }
+  return form;
+}
+
+// ── Veo form builder ──────────────────────────────────────────────────────────
+function buildVeoForm(turnstileToken: string, opts: VideoGenOptions): FormData {
+  const form = new FormData();
+  form.append("prompt", opts.prompt);
+  form.append("model", "veo-3-fast");
+  // Veo uses raw ratio strings directly ('16:9' or '9:16')
+  form.append("aspect_ratio", opts.aspectRatio);
+  form.append("duration", opts.duration.toString());
+  form.append("enhance_prompt", opts.enhancePrompt ? "true" : "false");
+  form.append("turnstile_token", turnstileToken);
+  if (opts.negativePrompt) form.append("negative_prompt", opts.negativePrompt);
+  if (opts.refImageBase64 && opts.refImageMime) {
+    form.append("ref_images", base64ToBlob(opts.refImageBase64, opts.refImageMime), "reference.jpg");
+    form.append("mode_image", "image_to_video");
+  }
+  return form;
+}
+
+// ── Grok-3 SSE endpoint ───────────────────────────────────────────────────────
+async function callGrokEndpoint(
+  bearerToken: string,
+  turnstileToken: string,
+  opts: VideoGenOptions,
+): Promise<Response> {
+  const guardId = generateGuardId("/api/video-gen/grok-stream", "post");
+  return fetch(GROK_ENDPOINT, {
+    method: "POST",
+    headers: {
+      Authorization: `Bearer ${bearerToken}`,
+      "x-guard-id": guardId,
+      "User-Agent": USER_AGENT,
+      Accept: "text/event-stream, application/json",
+    },
+    body: buildGrokForm(turnstileToken, opts),
+  });
+}
+
+// ── Veo POST endpoint (returns {uuid}, then poll) ─────────────────────────────
+async function callVeoEndpoint(
+  bearerToken: string,
+  turnstileToken: string,
+  opts: VideoGenOptions,
+): Promise<{ uuid: string }> {
+  const guardId = generateGuardId("/api/video-gen/veo", "post");
+  const resp = await fetch(VEO_ENDPOINT, {
+    method: "POST",
+    headers: {
+      Authorization: `Bearer ${bearerToken}`,
+      "x-guard-id": guardId,
+      "User-Agent": USER_AGENT,
+      Accept: "application/json",
+    },
+    body: buildVeoForm(turnstileToken, opts),
+  });
+  if (!resp.ok) {
+    const raw = await resp.text().catch(() => "");
+    const { code, msg } = parseErrBody(raw);
+    throw Object.assign(new Error(msg || `HTTP ${resp.status}`), { code, status: resp.status, raw });
+  }
+  const data = await resp.json() as { uuid?: string; history_uuid?: string; task_id?: string; id?: string };
+  console.log("[veo-submit] response:", JSON.stringify(data).slice(0, 300));
+  const uuid = data.uuid || data.history_uuid || data.task_id || data.id;
+  if (!uuid) throw new Error(`Veo API did not return a UUID. Response: ${JSON.stringify(data).slice(0, 200)}`);
+  return { uuid };
+}
+
+// ── One-shot history fetch: get the R2 pre-signed URL after generation ────────
+// geminigen.ai stores completed videos to Cloudflare R2 and returns a 7-day
+// pre-signed URL in generated_video[0].video_url.  This works without any
+// additional auth, unlike the intermediate assets.grok.com CDN URL.
+async function fetchHistoryVideoUrl(
+  uuid: string,
+  bearerToken: string,
+): Promise<{ videoUrl: string; thumbnailUrl: string | null } | null> {
+  try {
+    const guardId = generateGuardId("/api/history/" + uuid, "get");
+    const resp = await fetch(`${GEMINIGEN_BASE}/api/history/${uuid}`, {
+      headers: {
+        Authorization: `Bearer ${bearerToken}`,
+        "x-guard-id": guardId,
+        "User-Agent": USER_AGENT,
+        Accept: "application/json",
+      },
+    });
+    if (!resp.ok) {
+      console.warn("[history-fetch] HTTP", resp.status, "for uuid", uuid);
+      return null;
+    }
+    const data = await resp.json() as {
+      status?: number;
+      generated_video?: Array<{ video_url?: string; thumbnail_url?: string }>;
+    };
+    const vid = data.generated_video?.[0];
+    const videoUrl = vid?.video_url ?? null;
+    const thumbnailUrl = vid?.thumbnail_url ?? null;
+    if (videoUrl) {
+      console.log("[history-fetch] got R2 URL:", videoUrl.slice(0, 120));
+      return { videoUrl, thumbnailUrl };
+    }
+    return null;
+  } catch (err) {
+    console.warn("[history-fetch] error:", err instanceof Error ? err.message : err);
+    return null;
+  }
+}
+
+// ── Veo polling: GET /api/history/{uuid} until status 2/3 ────────────────────
+// Veo generation typically takes 2–8 minutes on geminigen.ai; we poll up to
+// 12 minutes with a 20s interval (first check after 15s to catch fast results).
+async function pollVeoHistory(
+  uuid: string,
+  bearerToken: string,
+  onProgress: (msg: string) => void,
+  maxWaitMs = 720_000, // 12 minutes
+): Promise<{ videoUrl: string; thumbnailUrl: string | null } | null> {
+  const start = Date.now();
+  let attempt = 0;
+  let waitMs = 15_000; // first check sooner; subsequent checks every 20s
+
+  while (Date.now() - start < maxWaitMs) {
+    await new Promise((r) => setTimeout(r, waitMs));
+    waitMs = 20_000; // steady-state interval
+    attempt++;
+    const elapsed = Math.round((Date.now() - start) / 1000);
+    onProgress(`Veo 生成中，第 ${attempt} 次確認... (已等待 ${elapsed}s)`);
+
+    const guardId = generateGuardId("/api/history/" + uuid, "get");
+    let resp: Response;
+    try {
+      resp = await fetch(`${GEMINIGEN_BASE}/api/history/${uuid}`, {
+        headers: {
+          Authorization: `Bearer ${bearerToken}`,
+          "x-guard-id": guardId,
+          "User-Agent": USER_AGENT,
+          Accept: "application/json",
+        },
+        signal: AbortSignal.timeout(15_000),
+      });
+    } catch (fetchErr) {
+      console.warn("[veo-poll] fetch error on attempt", attempt, ":", fetchErr instanceof Error ? fetchErr.message : fetchErr);
+      continue;
+    }
+
+    if (!resp.ok) {
+      console.warn("[veo-poll] history HTTP", resp.status, "for uuid", uuid, "attempt", attempt);
+      continue;
+    }
+
+    let data: {
+      status?: number;
+      generated_video?: Array<{ video_url?: string; thumbnail_url?: string; media_url?: string }>;
+      video_url?: string;
+    };
+    try {
+      data = await resp.json();
+    } catch {
+      console.warn("[veo-poll] JSON parse failed on attempt", attempt);
+      continue;
+    }
+
+    console.log("[veo-poll] attempt", attempt, "status=", data.status,
+      "has_video=", !!(data.generated_video?.[0]?.video_url || data.video_url));
+
+    if (data.status === 2) {
+      const vid = data.generated_video?.[0];
+      // Try multiple possible URL fields
+      const videoUrl = vid?.video_url || vid?.media_url || data.video_url || null;
+      const thumbnailUrl = vid?.thumbnail_url ?? null;
+      if (videoUrl) {
+        console.log("[veo-poll] completed with video URL:", videoUrl.slice(0, 120));
+        return { videoUrl, thumbnailUrl };
+      }
+      // Status 2 but no URL — wait a bit and try once more
+      console.warn("[veo-poll] status=2 but no video URL, retrying in 10s...");
+      await new Promise((r) => setTimeout(r, 10_000));
+      const guardId2 = generateGuardId("/api/history/" + uuid, "get");
+      const resp2 = await fetch(`${GEMINIGEN_BASE}/api/history/${uuid}`, {
+        headers: { Authorization: `Bearer ${bearerToken}`, "x-guard-id": guardId2,
+          "User-Agent": USER_AGENT, Accept: "application/json" },
+      }).catch(() => null);
+      if (resp2?.ok) {
+        const data2 = await resp2.json().catch(() => ({})) as typeof data;
+        const vid2 = data2.generated_video?.[0];
+        const videoUrl2 = vid2?.video_url || vid2?.media_url || data2.video_url || null;
+        if (videoUrl2) return { videoUrl: videoUrl2, thumbnailUrl: vid2?.thumbnail_url ?? null };
+      }
+      return null; // complete but no URL
+    }
+
+    if (data.status === 3) {
+      console.warn("[veo-poll] status=3 (failed) for uuid", uuid);
+      return null; // failed
+    }
+
+    // status 1 = still generating; any other status: continue polling
+  }
+
+  console.warn("[veo-poll] timed out after", maxWaitMs / 1000, "s for uuid", uuid);
+  return null; // timeout
+}
+
+// ── Helper: parse error body ─────────────────────────────────────────────────
+function parseErrBody(text: string): { code: string; msg: string } {
+  try {
+    const d = JSON.parse(text) as { detail?: { error_code?: string; error_message?: string } };
+    return {
+      code: d?.detail?.error_code || "",
+      msg: (d?.detail?.error_message || "").toLowerCase(),
+    };
+  } catch {
+    return { code: "", msg: text.toLowerCase() };
+  }
+}
+
+// ── SSE stream reader ─────────────────────────────────────────────────────────
+interface StreamResult {
+  videoUrl: string | null;
+  thumbnailUrl: string | null;
+  uuid: string | null;
+  lastEvent: unknown;
+  errorCode: string | null;
+  errorMsg: string | null;
+}
+
+/**
+ * Resolve a potentially-relative video URL to an absolute URL.
+ *
+ * geminigen.ai's SSE stream returns a field like:
+ *   "videoUrl": "users/{userId}/generated/{videoId}/gen_xxx.mp4?signed=..."
+ * which needs to be prefixed with the R2 CDN base, or it may already be a
+ * full https:// signed URL (if the JSON was not truncated in our logs).
+ *
+ * NOTE: confirmed from production logs — video files are served from
+ *   https://assets.grok.com/  NOT from https://api.geminigen.ai/
+ */
+const VIDEO_CDN_BASE = "https://assets.grok.com/";
+
+function resolveVideoUrl(rawUrl: string): string {
+  if (!rawUrl) return rawUrl;
+  if (rawUrl.startsWith("http://") || rawUrl.startsWith("https://")) return rawUrl;
+  // Relative path → prepend CDN base
+  return VIDEO_CDN_BASE + rawUrl;
+}
+
+/**
+ * Extract the geminigen.ai streaming video generation response from a parsed
+ * SSE event.  The structure (confirmed from production logs) is:
+ *
+ *   parsed.data.result.response.streamingVideoGenerationResponse
+ *     .progress   : 0–100
+ *     .videoUrl   : relative or absolute URL (only when progress === 100)
+ */
+function extractSVGR(parsed: Record<string, unknown>): Record<string, unknown> | null {
+  try {
+    const data = parsed.data as Record<string, unknown> | undefined;
+    const result = data?.result as Record<string, unknown> | undefined;
+    const response = result?.response as Record<string, unknown> | undefined;
+    const svgr = response?.streamingVideoGenerationResponse as Record<string, unknown> | undefined;
+    return svgr ?? null;
+  } catch {
+    return null;
+  }
+}
+
+async function readVideoStream(
+  resp: Response,
+  onEvent: (parsed: Record<string, unknown>) => void,
+  maxWaitMs = 300_000,
+): Promise<StreamResult> {
+  const decoder = new TextDecoder();
+  const reader = resp.body?.getReader();
+  const empty: StreamResult = {
+    videoUrl: null, thumbnailUrl: null, uuid: null, lastEvent: null, errorCode: null, errorMsg: null,
+  };
+  if (!reader) return empty;
+
+  let videoUrl: string | null = null;
+  let thumbnailUrl: string | null = null;
+  let uuid: string | null = null;
+  let lastEvent: unknown = null;
+  let errorCode: string | null = null;
+  let errorMsg: string | null = null;
+  let buffer = "";
+  let historyUuid: string | null = null;
+  const deadline = Date.now() + maxWaitMs;
+
+  try {
+    while (Date.now() < deadline) {
+      const { done, value } = await reader.read();
+      if (done) break;
+
+      buffer += decoder.decode(value, { stream: true });
+      const lines = buffer.split("\n");
+      buffer = lines.pop() ?? "";
+
+      for (const line of lines) {
+        const trimmed = line.trim();
+        if (!trimmed || trimmed === "data: [DONE]") continue;
+
+        const jsonStr = trimmed.startsWith("data:") ? trimmed.slice(5).trim() : trimmed;
+
+        let parsed: Record<string, unknown>;
+        try {
+          parsed = JSON.parse(jsonStr);
+        } catch {
+          continue;
+        }
+
+        lastEvent = parsed;
+        // Log full event (no truncation — we need the complete video URL)
+        console.log("[video-stream]", JSON.stringify(parsed));
+
+        // ── Error detection ───────────────────────────────────────────────────
+        // Pattern A: {"detail":{"error_code":"..."}}
+        const detail = parsed.detail as Record<string, string> | undefined;
+        if (detail?.error_code) {
+          errorCode = detail.error_code;
+          errorMsg = detail.error_message || detail.error_code;
+          console.error(`[video-stream] error: ${errorCode} — ${errorMsg}`);
+          return { videoUrl: null, thumbnailUrl: null, uuid, lastEvent, errorCode, errorMsg };
+        }
+        // Pattern B: top-level error_code
+        if (typeof parsed.error_code === "string" && parsed.error_code) {
+          errorCode = parsed.error_code;
+          errorMsg = (parsed.error_message as string) || parsed.error_code;
+          return { videoUrl: null, thumbnailUrl: null, uuid, lastEvent, errorCode, errorMsg };
+        }
+        // Pattern C: top-level error string (no status field)
+        if (typeof parsed.error === "string" && parsed.error && typeof parsed.status === "undefined") {
+          errorCode = "STREAM_ERROR";
+          errorMsg = parsed.error;
+          return { videoUrl: null, thumbnailUrl: null, uuid, lastEvent, errorCode, errorMsg };
+        }
+
+        // ── Initial event: {"success":true,"message":"Video generation started",
+        //                    "history_id":...,"history_uuid":"...","status":1} ──
+        if (parsed.success === true && typeof parsed.history_uuid === "string") {
+          historyUuid = parsed.history_uuid;
+          uuid = historyUuid;
+          if (parsed.message === "Video generation started") {
+            onEvent({ type: "started", historyUuid });
+            continue;
+          }
+        }
+
+        // ── Completion signal: {"success":true,"message":"Video generation complete..."} ──
+        if (parsed.success === true && typeof parsed.message === "string"
+            && parsed.message.includes("Video generation complete")) {
+          console.log("[video-stream] generation complete signal received");
+          return { videoUrl, thumbnailUrl, uuid, lastEvent, errorCode: null, errorMsg: null };
+        }
+
+        // ── HD URL event: {"success":true,"data":{"video_id":"...","hdMediaUrl":"https://assets.grok.com/..."}} ──
+        // Prefer this over the relative videoUrl from SVGR since it's already absolute and higher quality.
+        {
+          const d = parsed.data as Record<string, unknown> | undefined;
+          if (d && typeof d.hdMediaUrl === "string" && d.hdMediaUrl.startsWith("https://")) {
+            console.log("[video-url] using hdMediaUrl:", d.hdMediaUrl.slice(0, 120));
+            videoUrl = d.hdMediaUrl;
+          }
+        }
+
+        // ── Progress events: data.result.response.streamingVideoGenerationResponse ──
+        const svgr = extractSVGR(parsed);
+        if (svgr) {
+          const progress = typeof svgr.progress === "number" ? svgr.progress : null;
+          const rawUrl = typeof svgr.videoUrl === "string" ? svgr.videoUrl : null;
+          const videoId = typeof svgr.videoId === "string" ? svgr.videoId : undefined;
+
+          if (rawUrl) {
+            videoUrl = resolveVideoUrl(rawUrl);
+            try {
+              const u = new URL(videoUrl);
+              console.log("[video-url] origin:", u.origin);
+              console.log("[video-url] path:", u.pathname);
+              const qs = u.search;
+              for (let i = 0; i < qs.length; i += 200) {
+                console.log("[video-url] qs[" + Math.floor(i / 200) + "]:", qs.slice(i, i + 200));
+              }
+              console.log("[video-url] total_length:", videoUrl.length, "| raw_length:", rawUrl.length);
+            } catch {
+              console.log("[video-url] raw (non-URL):", rawUrl.slice(0, 200));
+            }
+          }
+
+          // Extract thumbnail URL (only present at progress=100)
+          const rawThumb = typeof svgr.thumbnailImageUrl === "string" ? svgr.thumbnailImageUrl : null;
+          if (rawThumb) thumbnailUrl = resolveVideoUrl(rawThumb);
+
+          onEvent({ type: "progress", progress, videoId, videoUrl });
+
+          if (progress === 100 && videoUrl) {
+            console.log("[video-stream] progress=100, video ready");
+            // Don't return yet — wait for the "Video generation complete" signal
+            // which ensures the backend has finished processing.
+            // But if no more events come, videoUrl is set so we'll return at stream end.
+          }
+          continue;
+        }
+
+        // ── Legacy format fallback ─────────────────────────────────────────────
+        // In case geminigen.ai changes format back, still check old fields
+        if (!uuid && typeof parsed.uuid === "string") uuid = parsed.uuid;
+        const legacyCandidate =
+          (parsed.video_url as string | undefined) ||
+          (parsed.generated_video as Array<{ video_url?: string }> | undefined)?.[0]?.video_url ||
+          null;
+        if (legacyCandidate) videoUrl = resolveVideoUrl(legacyCandidate);
+
+        if (typeof parsed.status === "number" && (parsed.status === 2 || parsed.status === 3)) {
+          return { videoUrl, thumbnailUrl, uuid, lastEvent, errorCode: null, errorMsg: null };
+        }
+        if (typeof parsed.status === "number" && parsed.status > 3) {
+          errorCode = "GEN_FAILED";
+          errorMsg = (parsed.message as string) || `status=${parsed.status}`;
+          return { videoUrl: null, thumbnailUrl: null, uuid, lastEvent, errorCode, errorMsg };
+        }
+      }
+    }
+  } finally {
+    reader.cancel().catch(() => {});
+  }
+
+  // Stream ended naturally — if we have a videoUrl it's a success
+  return { videoUrl, thumbnailUrl, uuid, lastEvent, errorCode, errorMsg };
+}
+
+// ── Shared token helpers ──────────────────────────────────────────────────────
+function makeTokenHelpers() {
+  const failedPoolIds: number[] = [];
+  let currentAccountId: number | null = null;
+
+  async function pickToken(): Promise<string | null> {
+    const poolEntry = await getPoolToken(failedPoolIds);
+    if (poolEntry) { currentAccountId = poolEntry.accountId; return poolEntry.token; }
+    currentAccountId = null;
+    return getValidBearerToken();
+  }
+
+  async function handleTokenExpiry(): Promise<string | null> {
+    if (currentAccountId !== null) {
+      const refreshed = await tryRefreshPoolAccount(currentAccountId);
+      if (refreshed) return refreshed;
+      failedPoolIds.push(currentAccountId);
+      const next = await getPoolToken(failedPoolIds);
+      if (next) { currentAccountId = next.accountId; return next.token; }
+    }
+    return refreshAccessToken();
+  }
+
+  return { pickToken, handleTokenExpiry };
+}
+
+// ── Grok-3 background task runner (SSE streaming) ────────────────────────────
+async function runGrokTask(
+  taskId: string,
+  opts: VideoGenOptions,
+  isPrivate: boolean,
+  userId: number | null,
+): Promise<void> {
+  const task = tasks.get(taskId);
+  if (!task) return;
+
+  const { pickToken, handleTokenExpiry } = makeTokenHelpers();
+
+  try {
+    broadcast(task, { type: "start", message: "正在取得 Turnstile 驗證碼..." });
+    let turnstileToken = await getTurnstileToken();
+
+    broadcast(task, { type: "start", message: "正在取得 Bearer Token..." });
+    let token = await pickToken();
+
+    if (!token) {
+      finishTask(task, "failed", { type: "error", errorCode: "NO_TOKEN", message: "未設定 API Token，請到管理後台設定" });
+      return;
+    }
+
+    broadcast(task, { type: "start", message: "正在連接 geminigen.ai (Grok-3)..." });
+
+    let resp = await callGrokEndpoint(token, turnstileToken, opts);
+
+    // ── Handle HTTP-level errors ─────────────────────────────────────────────
+    if (!resp.ok) {
+      const rawText = await resp.text().catch(() => "");
+      const { code, msg } = parseErrBody(rawText);
+
+      const isCaptcha = msg.includes("captcha") || msg.includes("turnstile")
+        || code === "CAPTCHA_ERROR" || code === "INVALID_CAPTCHA";
+
+      if (isCaptcha) {
+        broadcast(task, { type: "start", message: "Turnstile 拒絕，正在重新取得..." });
+        invalidateTurnstileToken();
+        turnstileToken = await getTurnstileToken();
+        resp = await callGrokEndpoint(token, turnstileToken, opts);
+      } else {
+        const isExpired = resp.status === 401 || resp.status === 403
+          || code === "TOKEN_EXPIRED" || code === "INVALID_CREDENTIALS"
+          || msg.includes("token") || msg.includes("expired") || msg.includes("credential");
+        if (isExpired) {
+          broadcast(task, { type: "start", message: "Token 過期，正在刷新..." });
+          const newToken = await handleTokenExpiry();
+          if (!newToken) {
+            finishTask(task, "failed", {
+              type: "error", errorCode: "TOKEN_EXPIRED",
+              message: "Token 已過期且無法自動刷新，請到管理後台更新 Token",
+            });
+            return;
+          }
+          token = newToken;
+          resp = await callGrokEndpoint(token, turnstileToken, opts);
+        }
+      }
+
+      if (!resp.ok) {
+        const raw2 = await resp.text().catch(() => "");
+        const { code: c2, msg: m2 } = parseErrBody(raw2);
+        finishTask(task, "failed", {
+          type: "error",
+          errorCode: c2 || "API_ERROR",
+          message: m2 || `HTTP ${resp.status}`,
+        });
+        return;
+      }
+    }
+
+    broadcast(task, { type: "start", message: "AI 正在生成影片，這可能需要 1–5 分鐘..." });
+
+    // ── Read SSE stream ──────────────────────────────────────────────────────
+    const makeProgressHandler = (label: string) => (parsed: Record<string, unknown>) => {
+      // New format: { type: "progress", progress: 0-100 }
+      if (parsed.type === "progress") {
+        const pct = typeof parsed.progress === "number" ? parsed.progress : null;
+        const pctStr = pct !== null ? ` (${pct}%)` : "";
+        broadcast(task, { type: "progress", progress: pct, message: `${label}${pctStr}` });
+      } else if (parsed.type === "started") {
+        broadcast(task, { type: "progress", message: "AI 開始生成..." });
+      } else {
+        // Legacy / fallback
+        const u = typeof parsed.uuid === "string" ? parsed.uuid : undefined;
+        broadcast(task, { type: "progress", uuid: u, message: label });
+      }
+    };
+
+    let streamResult = await readVideoStream(resp, makeProgressHandler("AI 生成中"));
+
+    // ── Retry logic for stream-level errors ──────────────────────────────────
+    if (!streamResult.videoUrl && streamResult.errorCode) {
+      const ec = streamResult.errorCode;
+      const em = (streamResult.errorMsg || "").toLowerCase();
+
+      const isStreamCaptcha = ec === "CAPTCHA_ERROR" || ec === "INVALID_CAPTCHA"
+        || em.includes("captcha") || em.includes("turnstile");
+
+      const isStreamToken = ec === "TOKEN_EXPIRED" || ec === "INVALID_CREDENTIALS"
+        || ec === "UNAUTHORIZED" || em.includes("token") || em.includes("expired")
+        || em.includes("credentials") || em.includes("invalid credential");
+
+      if (isStreamCaptcha) {
+        broadcast(task, { type: "start", message: "Turnstile 在串流中拒絕，重新取得並重試..." });
+        invalidateTurnstileToken();
+        turnstileToken = await getTurnstileToken();
+        const retryResp = await callGrokEndpoint(token, turnstileToken, opts);
+        if (retryResp.ok) {
+          streamResult = await readVideoStream(retryResp, makeProgressHandler("AI 生成中（重試）"));
+        }
+      } else if (isStreamToken) {
+        broadcast(task, { type: "start", message: `Token 錯誤 (${ec})，重新刷新並重試...` });
+        const newToken = await handleTokenExpiry();
+        if (!newToken) {
+          finishTask(task, "failed", {
+            type: "error", errorCode: "TOKEN_EXPIRED",
+            message: "Token 已過期且無法自動刷新，請到管理後台更新 Token",
+          });
+          return;
+        }
+        token = newToken;
+        const retryResp = await callGrokEndpoint(token, turnstileToken, opts);
+        if (retryResp.ok) {
+          streamResult = await readVideoStream(retryResp, makeProgressHandler("AI 生成中（重試）"));
+        }
+      }
+    }
+
+    let { videoUrl, thumbnailUrl, uuid, errorCode: finalCode, errorMsg: finalMsg } = streamResult;
+
+    if (!videoUrl && !uuid) {
+      const msg = finalMsg ? `生成失敗：${finalMsg}` : "未取得影片 URL，生成可能已失敗或超時";
+      finishTask(task, "failed", { type: "error", errorCode: finalCode || "NO_VIDEO", message: msg });
+      return;
+    }
+
+    // ── Step 2: Fetch R2 pre-signed URL from history API ─────────────────────
+    // The SSE stream gives us an assets.grok.com URL (requires auth + Cloudflare cookies).
+    // The history API returns a Cloudflare R2 pre-signed URL (7-day, publicly accessible).
+    // Always try to get the R2 URL regardless of whether SSE already gave us a URL.
+    if (uuid) {
+      broadcast(task, { type: "progress", progress: 100, message: "正在取得影片下載連結..." });
+      const historyResult = await fetchHistoryVideoUrl(uuid, token);
+      if (historyResult?.videoUrl) {
+        videoUrl = historyResult.videoUrl;
+        if (historyResult.thumbnailUrl) thumbnailUrl = historyResult.thumbnailUrl;
+        console.log("[grok-task] using R2 URL from history API");
+      }
+    }
+
+    if (!videoUrl) {
+      const msg = finalMsg ? `生成失敗：${finalMsg}` : "未取得影片 URL，生成可能已失敗或超時";
+      finishTask(task, "failed", { type: "error", errorCode: finalCode || "NO_VIDEO", message: msg });
+      return;
+    }
+
+    // Store the URL (R2 pre-signed if available, falls back to assets.grok.com).
+    const [saved] = await db
+      .insert(videosTable)
+      .values({
+        videoUrl,
+        thumbnailUrl: thumbnailUrl ?? null,
+        prompt: opts.prompt,
+        negativePrompt: opts.negativePrompt ?? null,
+        model: opts.model,
+        aspectRatio: opts.aspectRatio,
+        resolution: opts.resolution,
+        duration: opts.duration,
+        hasRefImage: !!(opts.refImageBase64 && opts.refImageMime),
+        isPrivate,
+        userId,
+      })
+      .returning();
+
+    finishTask(task, "complete", { type: "complete", video: saved, uuid: uuid ?? undefined });
+
+    // ── Background: download video to S3 for permanent storage ───────────────
+    // R2 pre-signed URLs expire in 7 days; S3 copy is permanent.
+    if (isStorageReady()) {
+      (async () => {
+        try {
+          const storedPath = await downloadAndStoreVideo(videoUrl!, token);
+          if (storedPath) {
+            await db.update(videosTable).set({ videoUrl: storedPath }).where(eq(videosTable.id, saved.id));
+            console.log(`[grok-task] video cached in storage: ${storedPath}`);
+          }
+        } catch (e) {
+          console.warn("[grok-task] background storage failed:", e instanceof Error ? e.message : e);
+        }
+      })();
+    }
+  } catch (err: unknown) {
+    const msg = err instanceof Error ? err.message : String(err);
+    console.error("[grok-task] unexpected error:", msg);
+    finishTask(task, "failed", { type: "error", errorCode: "INTERNAL_ERROR", message: msg });
+  }
+}
+
+// ── Veo 3.1 Fast background task runner (POST + polling) ─────────────────────
+async function runVeoTask(
+  taskId: string,
+  opts: VideoGenOptions,
+  isPrivate: boolean,
+  userId: number | null,
+): Promise<void> {
+  const task = tasks.get(taskId);
+  if (!task) return;
+
+  const { pickToken, handleTokenExpiry } = makeTokenHelpers();
+
+  try {
+    broadcast(task, { type: "start", message: "正在取得 Turnstile 驗證碼..." });
+    let turnstileToken = await getTurnstileToken();
+
+    broadcast(task, { type: "start", message: "正在取得 Bearer Token..." });
+    let token = await pickToken();
+
+    if (!token) {
+      finishTask(task, "failed", { type: "error", errorCode: "NO_TOKEN", message: "未設定 API Token，請到管理後台設定" });
+      return;
+    }
+
+    broadcast(task, { type: "start", message: "正在提交 Veo 3.1 Fast 任務..." });
+
+    // Submit to Veo endpoint (returns UUID immediately)
+    let veoResult: { uuid: string };
+    try {
+      veoResult = await callVeoEndpoint(token, turnstileToken, opts);
+    } catch (err: unknown) {
+      const e = err as Error & { code?: string; status?: number };
+      const code = e.code ?? "";
+      const msg = (e.message ?? "").toLowerCase();
+
+      const isCaptcha = msg.includes("captcha") || msg.includes("turnstile")
+        || code === "CAPTCHA_ERROR" || code === "INVALID_CAPTCHA";
+      const isExpired = e.status === 401 || e.status === 403
+        || code === "TOKEN_EXPIRED" || msg.includes("token") || msg.includes("expired");
+
+      if (isCaptcha) {
+        broadcast(task, { type: "start", message: "Turnstile 拒絕，重新取得並重試..." });
+        invalidateTurnstileToken();
+        turnstileToken = await getTurnstileToken();
+        veoResult = await callVeoEndpoint(token, turnstileToken, opts);
+      } else if (isExpired) {
+        broadcast(task, { type: "start", message: "Token 過期，正在刷新..." });
+        const newToken = await handleTokenExpiry();
+        if (!newToken) {
+          finishTask(task, "failed", { type: "error", errorCode: "TOKEN_EXPIRED", message: "Token 過期且無法自動刷新，請到管理後台更新 Token" });
+          return;
+        }
+        token = newToken;
+        veoResult = await callVeoEndpoint(token, turnstileToken, opts);
+      } else {
+        throw err;
+      }
+    }
+
+    const { uuid } = veoResult;
+    broadcast(task, {
+      type: "progress",
+      progress: 5,
+      message: `Veo 任務已提交 (UUID: ${uuid.slice(0, 8)}...)，等待生成（每 30 秒確認一次）...`,
+    });
+
+    // Poll until done (max 5 minutes, every 30s)
+    const pollResult = await pollVeoHistory(
+      uuid,
+      token,
+      (msg) => broadcast(task, { type: "progress", progress: null, message: msg }),
+    );
+
+    if (!pollResult || !pollResult.videoUrl) {
+      finishTask(task, "failed", { type: "error", errorCode: "NO_VIDEO", message: "Veo 未返回影片 URL，可能生成失敗或超時" });
+      return;
+    }
+
+    const { videoUrl, thumbnailUrl } = pollResult;
+
+    const absVideoUrl = resolveVideoUrl(videoUrl);
+    const absThumbUrl = thumbnailUrl ? resolveVideoUrl(thumbnailUrl) : null;
+
+    // Store raw CDN URL immediately; background GCS download follows.
+    const [saved] = await db
+      .insert(videosTable)
+      .values({
+        videoUrl: absVideoUrl,
+        thumbnailUrl: absThumbUrl ?? null,
+        prompt: opts.prompt,
+        negativePrompt: opts.negativePrompt ?? null,
+        model: opts.model,
+        aspectRatio: opts.aspectRatio,
+        resolution: opts.resolution,
+        duration: opts.duration,
+        hasRefImage: !!(opts.refImageBase64 && opts.refImageMime),
+        isPrivate,
+        userId,
+      })
+      .returning();
+
+    finishTask(task, "complete", { type: "complete", video: saved, uuid });
+
+    // ── Background: download video to GCS ────────────────────────────────────
+    if (isStorageReady()) {
+      (async () => {
+        try {
+          const storedPath = await downloadAndStoreVideo(absVideoUrl, token);
+          if (storedPath) {
+            await db.update(videosTable).set({ videoUrl: storedPath }).where(eq(videosTable.id, saved.id));
+            console.log(`[veo-task] video cached in storage: ${storedPath}`);
+          }
+        } catch (e) {
+          console.warn("[veo-task] background storage failed:", e instanceof Error ? e.message : e);
+        }
+      })();
+    }
+  } catch (err: unknown) {
+    const msg = err instanceof Error ? err.message : String(err);
+    console.error("[veo-task] unexpected error:", msg);
+    finishTask(task, "failed", { type: "error", errorCode: "INTERNAL_ERROR", message: msg });
+  }
+}
+
+// ── Credit helpers ─────────────────────────────────────────────────────────────
+async function getVideoConfigVal(key: string): Promise<string | null> {
+  const rows = await db.select({ value: configTable.value }).from(configTable).where(eq(configTable.key, key)).limit(1);
+  return rows[0]?.value ?? null;
+}
+
+async function checkAndDeductVideoCredits(userId: number, cost: number, description: string): Promise<{ ok: boolean; balance?: number }> {
+  const enabled = await getVideoConfigVal("enable_credits");
+  if (enabled !== "true") return { ok: true };
+
+  const [user] = await db.select({ credits: usersTable.credits }).from(usersTable).where(eq(usersTable.id, userId)).limit(1);
+  if (!user) return { ok: false };
+  if (user.credits < cost) return { ok: false, balance: user.credits };
+
+  const [updated] = await db
+    .update(usersTable)
+    .set({ credits: sql`${usersTable.credits} - ${cost}` })
+    .where(eq(usersTable.id, userId))
+    .returning({ credits: usersTable.credits });
+
+  await db.insert(creditTransactionsTable).values({ userId, amount: -cost, type: "spend", description });
+  return { ok: true, balance: updated.credits };
+}
+
+// ── POST /api/videos/generate ─────────────────────────────────────────────────
+// Returns taskId immediately; generation runs in background.
+router.post("/generate", optionalJwtAuth, async (req, res) => {
+  const body = req.body as Record<string, unknown>;
+
+  const prompt = typeof body.prompt === "string" ? body.prompt.trim() : "";
+  if (!prompt || prompt.length < 1 || prompt.length > 2000) {
+    return res.status(400).json({ error: "INVALID_BODY", message: "prompt is required (1-2000 chars)" });
+  }
+  const isPrivate = body.isPrivate === true;
+
+  // Parse video options (aspectRatio, resolution, duration, negativePrompt, enhancePrompt)
+  const opts = parseVideoOptions(body, prompt);
+
+  // Attach reference image if provided
+  const refImageBase64 = typeof body.referenceImageBase64 === "string" ? body.referenceImageBase64 : undefined;
+  const refImageMime = typeof body.referenceImageMime === "string" ? body.referenceImageMime : undefined;
+  if (refImageBase64 && refImageMime) {
+    opts.refImageBase64 = refImageBase64;
+    opts.refImageMime = refImageMime;
+  }
+
+  const userId: number | null = (req as any).jwtUserId ?? null;
+
+  // ── Credits check ────────────────────────────────────────────────────────────
+  if (userId !== null) {
+    const costStr = await getVideoConfigVal("video_gen_cost");
+    const cost = Number(costStr) || 0;
+    if (cost > 0) {
+      const creditResult = await checkAndDeductVideoCredits(userId, cost, `影片生成（${opts.model}）`);
+      if (!creditResult.ok) {
+        return res.status(402).json({
+          error: "INSUFFICIENT_CREDITS",
+          message: `點數不足，此操作需要 ${cost} 點`,
+          balance: creditResult.balance ?? 0,
+        });
+      }
+    }
+  }
+
+  const taskId = createTask();
+  res.json({ taskId });
+
+  // Dispatch to the correct runner based on model
+  const runner = opts.model === "veo-3-fast" ? runVeoTask : runGrokTask;
+  runner(taskId, opts, isPrivate, userId).catch((err) => {
+    console.error("[video-task] uncaught:", err);
+    const t = tasks.get(taskId);
+    if (t && t.status === "pending") {
+      finishTask(t, "failed", { type: "error", errorCode: "INTERNAL_ERROR", message: String(err) });
+    }
+  });
+});
+
+// ── GET /api/videos/progress/:taskId  (SSE) ──────────────────────────────────
+router.get("/progress/:taskId", (req, res: ExpressResponse) => {
+  const task = tasks.get(req.params.taskId);
+  if (!task) return res.status(404).json({ error: "TASK_NOT_FOUND" });
+
+  res.writeHead(200, {
+    "Content-Type": "text/event-stream",
+    "Cache-Control": "no-cache",
+    Connection: "keep-alive",
+    "X-Accel-Buffering": "no",
+  });
+  res.flushHeaders();
+
+  const send = (event: ProgressEvent) => {
+    res.write(`data: ${JSON.stringify(event)}\n\n`);
+  };
+
+  // Replay buffered events
+  for (const ev of task.buffered) {
+    send(ev);
+  }
+
+  // If already done, close immediately
+  if (task.status !== "pending") {
+    res.write("data: {\"type\":\"done\"}\n\n");
+    res.end();
+    return;
+  }
+
+  // Subscribe to future events
+  task.clients.add(send);
+
+  // Heartbeat every 20s to prevent proxy / CDN from closing idle SSE connections
+  const heartbeat = setInterval(() => {
+    try { res.write(": heartbeat\n\n"); } catch { clearInterval(heartbeat); }
+  }, 20_000);
+
+  const onClose = () => {
+    clearInterval(heartbeat);
+    task.clients.delete(send);
+  };
+  req.on("close", onClose);
+  req.on("end", onClose);
+});
+
+// Helper: rewrite raw geminigen URLs to proxy URL for backward compatibility.
+// assets.grok.com URLs are returned as-is (browser plays directly).
+// /api/videos/stored/ URLs are returned as-is (GCS).
+function toProxyUrl(url: string | null): string | null {
+  if (!url) return null;
+  if (url.startsWith("/api/videos/proxy")) return url;
+  if (url.startsWith("/api/videos/stored")) return url;
+  try {
+    const u = new URL(url);
+    // Cloudflare R2 pre-signed URLs (*.r2.cloudflarestorage.com) are publicly
+    // accessible — no proxy needed.  Browser plays them directly.
+    if (u.hostname.endsWith(".r2.cloudflarestorage.com")) return url;
+    // assets.grok.com requires auth/cookies — route through our proxy.
+    if (u.hostname === "api.geminigen.ai" || u.hostname === "assets.grok.com") {
+      return `/api/videos/proxy?url=${encodeURIComponent(url)}`;
+    }
+  } catch { /* relative path or non-URL */ }
+  return url;
+}
+
+// ── GET /api/videos/stored/<id>.mp4 ──────────────────────────────────────────
+// Serve videos that were downloaded from CDN and stored in GCS.
+router.get(/^\/stored\/(.+)$/, async (req, res) => {
+  const objectPath = (req.params as Record<string, string>)[0];
+  if (!objectPath) return res.status(400).json({ error: "Missing objectPath" });
+  await streamStoredVideo(objectPath, res, req.headers.range);
+});
+
+// ── GET /api/videos/history ───────────────────────────────────────────────────
+router.get("/history", optionalJwtAuth, async (req, res) => {
+  const userId: number | null = (req as any).jwtUserId ?? null;
+  const limit = Math.min(Number(req.query.limit) || 20, 50);
+  const offset = Number(req.query.offset) || 0;
+
+  const visibilityFilter = userId
+    ? or(eq(videosTable.isPrivate, false), and(eq(videosTable.isPrivate, true), eq(videosTable.userId, userId)))
+    : eq(videosTable.isPrivate, false);
+
+  const rows = await db
+    .select()
+    .from(videosTable)
+    .where(visibilityFilter)
+    .orderBy(desc(videosTable.createdAt))
+    .limit(limit)
+    .offset(offset);
+
+  // Rewrite any legacy direct geminigen URLs to proxy URLs
+  const videos = rows.map((v) => ({
+    ...v,
+    videoUrl: toProxyUrl(v.videoUrl) ?? v.videoUrl,
+    thumbnailUrl: toProxyUrl(v.thumbnailUrl),
+  }));
+
+  return res.json({ videos, limit, offset });
+});
+
+// ── GET /api/videos/proxy ─────────────────────────────────────────────────────
+// Proxy geminigen.ai video/thumbnail files with Bearer token auth.
+// Supports HTTP Range requests so the browser's <video> player can seek.
+router.get("/proxy", async (req, res) => {
+  const raw = typeof req.query.url === "string" ? req.query.url : "";
+  if (!raw) return res.status(400).json({ error: "Missing url param" });
+
+  // Only proxy geminigen.ai and Grok CDN assets
+  let targetUrl: URL;
+  try {
+    targetUrl = new URL(raw);
+  } catch {
+    return res.status(400).json({ error: "Invalid url" });
+  }
+  const ALLOWED_PROXY_HOSTS = ["api.geminigen.ai", "assets.grok.com"];
+  if (!ALLOWED_PROXY_HOSTS.includes(targetUrl.hostname)) {
+    return res.status(403).json({ error: "URL not allowed" });
+  }
+
+  // Forward Range header if present (needed for video seeking)
+  const rangeHeader = req.headers.range;
+
+  /**
+   * assets.grok.com is the Grok CDN.  It appears to be a public CDN that does
+   * NOT accept the geminigen.ai JWT as auth (returns 403 if you send it).
+   * Strategy: try first WITHOUT Authorization, fall back to with-token if needed.
+   *
+   * api.geminigen.ai requires Bearer auth as before.
+   */
+  const isGrokCdn = targetUrl.hostname === "assets.grok.com";
+
+  // For assets.grok.com, use Referer=https://grok.com/ (same origin as the CDN).
+  // For geminigen.ai, use Referer=https://geminigen.ai/.
+  const referer = isGrokCdn ? "https://grok.com/" : "https://geminigen.ai/";
+
+  const buildHeaders = (token?: string | null): Record<string, string> => {
+    const h: Record<string, string> = {
+      "User-Agent": USER_AGENT,
+      Accept: "video/mp4,video/*,*/*",
+      Referer: referer,
+      Origin: isGrokCdn ? "https://grok.com" : "https://geminigen.ai",
+    };
+    if (rangeHeader) h["Range"] = rangeHeader;
+    if (token) h["Authorization"] = `Bearer ${token}`;
+    return h;
+  };
+
+  try {
+    // Always fetch the Bearer token (needed for both geminigen.ai and assets.grok.com)
+    const poolResult = await getPoolToken();
+    const bearerToken = poolResult?.token ?? await getValidBearerToken();
+
+    // 1. First attempt: with Bearer token for both endpoints
+    let upstream = await fetch(targetUrl.toString(), {
+      headers: buildHeaders(bearerToken),
+    });
+
+    // 2. If first attempt fails, try without auth (in case token is wrong for CDN)
+    if (!upstream.ok && upstream.status !== 206) {
+      console.warn(`[video-proxy] first attempt ${upstream.status} for ${targetUrl.hostname}${targetUrl.pathname}`);
+
+      if (isGrokCdn) {
+        // Try without auth as fallback
+        upstream = await fetch(targetUrl.toString(), { headers: buildHeaders(null) });
+
+        if (!upstream.ok && upstream.status !== 206) {
+          // Refresh token and try again
+          const newToken = await refreshAccessToken();
+          if (newToken) {
+            upstream = await fetch(targetUrl.toString(), { headers: buildHeaders(newToken) });
+          }
+        }
+      } else {
+        // geminigen.ai rejected token — refresh and retry
+        if (!bearerToken) {
+          console.error("[video-proxy] no token available");
+          return res.status(502).json({ error: "No bearer token available for proxy" });
+        }
+        if ((upstream.status === 401 || upstream.status === 403)) {
+          console.warn(`[video-proxy] refreshing token after ${upstream.status}...`);
+          const newToken = await refreshAccessToken();
+          if (newToken) {
+            upstream = await fetch(targetUrl.toString(), { headers: buildHeaders(newToken) });
+          }
+        }
+      }
+    }
+
+    console.log(`[video-proxy] final status ${upstream.status} for ${targetUrl.hostname}${targetUrl.pathname}`);
+
+    if (!upstream.ok && upstream.status !== 206) {
+      console.error(`[video-proxy] upstream ${upstream.status} for ${targetUrl.pathname}`);
+      return res.status(upstream.status).json({ error: "Upstream error", status: upstream.status });
+    }
+
+    // Forward response headers
+    const ct = upstream.headers.get("content-type");
+    const cl = upstream.headers.get("content-length");
+    const cr = upstream.headers.get("content-range");
+    const ac = upstream.headers.get("accept-ranges");
+
+    if (ct) res.setHeader("Content-Type", ct);
+    if (cl) res.setHeader("Content-Length", cl);
+    if (cr) res.setHeader("Content-Range", cr);
+    if (ac) res.setHeader("Accept-Ranges", ac);
+    else res.setHeader("Accept-Ranges", "bytes");
+
+    // Cache for 1 hour (videos don't change)
+    res.setHeader("Cache-Control", "public, max-age=3600");
+
+    res.status(upstream.status);
+
+    if (!upstream.body) {
+      return res.end();
+    }
+
+    // Stream the body
+    const reader = upstream.body.getReader();
+    const pump = async () => {
+      const { done, value } = await reader.read();
+      if (done) { res.end(); return; }
+      if (!res.write(value)) {
+        // Backpressure: wait for drain
+        await new Promise<void>((r) => res.once("drain", r));
+      }
+      await pump();
+    };
+
+    req.on("close", () => reader.cancel().catch(() => {}));
+    await pump();
+  } catch (err) {
+    console.error("[video-proxy] fetch error:", err);
+    if (!res.headersSent) res.status(502).json({ error: "Proxy fetch failed" });
+  }
+});
+
+// ── DELETE /api/videos/:id ────────────────────────────────────────────────────
+router.delete("/:id", optionalJwtAuth, async (req, res) => {
+  const id = Number(req.params.id);
+  if (isNaN(id)) return res.status(400).json({ error: "INVALID_ID" });
+
+  const userId: number | null = (req as any).jwtUserId ?? null;
+  const rows = await db.select().from(videosTable).where(eq(videosTable.id, id)).limit(1);
+  if (!rows.length) return res.status(404).json({ error: "NOT_FOUND" });
+
+  const video = rows[0];
+  if (video.userId !== null && video.userId !== userId) {
+    return res.status(403).json({ error: "FORBIDDEN" });
+  }
+
+  await db.delete(videosTable).where(eq(videosTable.id, id));
+  return res.json({ success: true });
+});
+
+export default router;

artifacts/api-server/tsconfig.json

@@ -0,0 +1,17 @@
+{
+  "extends": "../../tsconfig.base.json",
+  "compilerOptions": {
+    "outDir": "dist",
+    "rootDir": "src",
+    "types": ["node"]
+  },
+  "include": ["src"],
+  "references": [
+    {
+      "path": "../../lib/db"
+    },
+    {
+      "path": "../../lib/api-zod"
+    }
+  ]
+}

artifacts/image-gen/.replit-artifact/artifact.toml

@@ -0,0 +1,31 @@
+kind = "web"
+previewPath = "/"
+title = "AI 生圖工具"
+version = "1.0.0"
+id = "artifacts/image-gen"
+router = "path"
+
+[[integratedSkills]]
+name = "react-vite"
+version = "1.0.0"
+
+[[services]]
+name = "web"
+paths = [ "/" ]
+localPort = 22062
+
+[services.development]
+run = "pnpm --filter @workspace/image-gen run dev"
+
+[services.production]
+build = [ "pnpm", "--filter", "@workspace/image-gen", "run", "build" ]
+publicDir = "artifacts/image-gen/dist/public"
+serve = "static"
+
+[[services.production.rewrites]]
+from = "/*"
+to = "/index.html"
+
+[services.env]
+PORT = "22062"
+BASE_PATH = "/"

artifacts/image-gen/components.json

@@ -0,0 +1,20 @@
+{
+    "$schema": "https://ui.shadcn.com/schema.json",
+    "style": "new-york",
+    "rsc": false,
+    "tsx": true,
+    "tailwind": {
+      "config": "",
+      "css": "src/index.css",
+      "baseColor": "neutral",
+      "cssVariables": true,
+      "prefix": ""
+    },
+    "aliases": {
+      "components": "@/components",
+      "utils": "@/lib/utils",
+      "ui": "@/components/ui",
+      "lib": "@/lib",
+      "hooks": "@/hooks"
+    }
+}

artifacts/image-gen/index.html

@@ -0,0 +1,16 @@
+<!DOCTYPE html>
+<html lang="en">
+  <head>
+    <meta charset="UTF-8" />
+    <meta name="viewport" content="width=device-width, initial-scale=1.0, maximum-scale=1" />
+    <title>AI 生圖工具</title>
+    <link rel="icon" type="image/svg+xml" href="/favicon.svg" />
+    <link rel="preconnect" href="https://fonts.googleapis.com">
+    <link rel="preconnect" href="https://fonts.gstatic.com" crossorigin>
+    <link href="https://fonts.googleapis.com/css2?family=Inter:wght@400;500;600;700&display=swap" rel="stylesheet">
+  </head>
+  <body>
+    <div id="root"></div>
+    <script type="module" src="/src/main.tsx"></script>
+  </body>
+</html>

artifacts/image-gen/package.json

@@ -0,0 +1,78 @@
+{
+  "name": "@workspace/image-gen",
+  "version": "0.0.0",
+  "private": true,
+  "type": "module",
+  "scripts": {
+    "dev": "vite --config vite.config.ts --host 0.0.0.0",
+    "build": "vite build --config vite.config.ts",
+    "build:vercel": "vite build --config vite.config.vercel.ts",
+    "serve": "vite preview --config vite.config.ts --host 0.0.0.0",
+    "typecheck": "tsc -p tsconfig.json --noEmit"
+  },
+  "devDependencies": {
+    "@hookform/resolvers": "^3.10.0",
+    "@radix-ui/react-accordion": "^1.2.4",
+    "@radix-ui/react-alert-dialog": "^1.1.7",
+    "@radix-ui/react-aspect-ratio": "^1.1.3",
+    "@radix-ui/react-avatar": "^1.1.4",
+    "@radix-ui/react-checkbox": "^1.1.5",
+    "@radix-ui/react-collapsible": "^1.1.4",
+    "@radix-ui/react-context-menu": "^2.2.7",
+    "@radix-ui/react-dialog": "^1.1.7",
+    "@radix-ui/react-dropdown-menu": "^2.1.7",
+    "@radix-ui/react-hover-card": "^1.1.7",
+    "@radix-ui/react-label": "^2.1.3",
+    "@radix-ui/react-menubar": "^1.1.7",
+    "@radix-ui/react-navigation-menu": "^1.2.6",
+    "@radix-ui/react-popover": "^1.1.7",
+    "@radix-ui/react-progress": "^1.1.3",
+    "@radix-ui/react-radio-group": "^1.2.4",
+    "@radix-ui/react-scroll-area": "^1.2.4",
+    "@radix-ui/react-select": "^2.1.7",
+    "@radix-ui/react-separator": "^1.1.3",
+    "@radix-ui/react-slider": "^1.2.4",
+    "@radix-ui/react-slot": "^1.2.0",
+    "@radix-ui/react-switch": "^1.1.4",
+    "@radix-ui/react-tabs": "^1.1.4",
+    "@radix-ui/react-toast": "^1.2.7",
+    "@radix-ui/react-toggle": "^1.1.3",
+    "@radix-ui/react-toggle-group": "^1.1.3",
+    "@radix-ui/react-tooltip": "^1.2.0",
+    "@replit/vite-plugin-cartographer": "catalog:",
+    "@replit/vite-plugin-dev-banner": "catalog:",
+    "@replit/vite-plugin-runtime-error-modal": "catalog:",
+    "@tailwindcss/typography": "^0.5.15",
+    "@tailwindcss/vite": "catalog:",
+    "@tanstack/react-query": "catalog:",
+    "@types/node": "catalog:",
+    "@types/react": "catalog:",
+    "@types/react-dom": "catalog:",
+    "@vitejs/plugin-react": "catalog:",
+    "@workspace/api-client-react": "workspace:*",
+    "class-variance-authority": "catalog:",
+    "clsx": "catalog:",
+    "cmdk": "^1.1.1",
+    "date-fns": "^3.6.0",
+    "embla-carousel-react": "^8.6.0",
+    "framer-motion": "catalog:",
+    "input-otp": "^1.4.2",
+    "lucide-react": "catalog:",
+    "next-themes": "^0.4.6",
+    "react": "catalog:",
+    "react-day-picker": "^9.11.1",
+    "react-dom": "catalog:",
+    "react-hook-form": "^7.55.0",
+    "react-icons": "^5.4.0",
+    "react-resizable-panels": "^2.1.7",
+    "recharts": "^2.15.2",
+    "sonner": "^2.0.7",
+    "tailwind-merge": "catalog:",
+    "tailwindcss": "catalog:",
+    "tw-animate-css": "^1.4.0",
+    "vaul": "^1.1.2",
+    "vite": "catalog:",
+    "wouter": "^3.3.5",
+    "zod": "catalog:"
+  }
+}