Sprint 3: Polar payments + lifecycle emails + storage purge

Polar end-to-end (lights up when you paste credentials tomorrow):
- lib/polar.ts: client, product slug → tier mapping, isPolarConfigured()
- /api/polar/checkout: creates a checkout URL for the signed-in user;
  passes externalCustomerId=user.id and metadata={user_id, tier}
- /api/polar/webhook: standardwebhooks signature verification;
  handles subscription.{created,updated,active,canceled,revoked} and
  order.{created,paid} (Lifetime). Upserts subscriptions row with
  provider, provider_customer_id, provider_subscription_id, tier,
  status, current_period_end, cancel_at_period_end.
- /api/polar/portal: creates a customer portal session by externalCustomerId
- components/pricing-cta.tsx + manage-subscription-button.tsx:
  client-side wrappers that call the routes above
- /pricing: CTAs route to checkout when Polar is configured, fall back
  to "Coming soon" when env is missing; unauth users get redirected
  to /sign-in?next=/pricing first
- /dashboard: tier badge + "Manage subscription" button for paying users

Lifecycle emails (cron-driven, retention engine):
- lib/lifecycle.ts: Day 0/1/3/7/14/30 + 60-day winback templates,
  pickStage() picks the right one given days-since-signup +
  days-since-last-analysis
- /api/cron/lifecycle-emails: pulls from public.user_lifecycle view,
  dedupes via lifecycle_sends table, sends via Resend
- .github/workflows/cron-lifecycle-emails.yml: daily 14:00 UTC

Storage purge:
- /api/cron/storage-purge: deletes Storage objects whose documents.purge_at
  is in the past (status in ready/failed). Marks rows status=purged.
- analyze route now sets purge_at to T+1 day for free tier and T+30 days
  for paid tier so the cron recovers free-tier space quickly.
- .github/workflows/cron-storage-purge.yml: daily 03:30 UTC

Email contacts migrated to @iammara.com:
- lib/email.ts default FROM = noreply@iammara.com, replyTo = support@iammara.com
- SECURITY.md: security@iammara.com
- CODE_OF_CONDUCT.md: conduct@iammara.com
- marketing/lifecycle-emails.md: sender persona updated

Schema:
- lifecycle_sends table (user_id, stage primary key) for dedupe
- public.user_lifecycle view: signup-age + last-analysis-age per user

Tests: 30 passing (was 19)
- lib/__tests__/polar.test.ts: 5 tests for product mapping + isConfigured
- lib/__tests__/lifecycle.test.ts: 6 tests for pickStage transitions

Local CI green: typecheck, lint, 30 tests, build (15 routes).

https://claude.ai/code/session_01W3qcAmw65K9Dagi9keNp8i

Author: claude

.github/workflows/cron-lifecycle-emails.yml

@@ -0,0 +1,48 @@
+name: cron-lifecycle-emails
+
+on:
+  schedule:
+    - cron: "0 14 * * *"  # 14:00 UTC daily — sweet spot for global inbox open rates
+  workflow_dispatch:
+
+permissions:
+  contents: read
+  issues: write
+
+env:
+  TARGET_URL: https://printer-olive.vercel.app
+
+jobs:
+  send:
+    name: send
+    runs-on: ubuntu-latest
+    steps:
+      - name: Call lifecycle-emails route
+        id: call
+        env:
+          CRON_SECRET: ${{ secrets.CRON_SECRET }}
+        run: |
+          set +e
+          if [ -z "${CRON_SECRET:-}" ]; then
+            echo "CRON_SECRET not set; skipping"
+            echo "skipped=true" >> "$GITHUB_OUTPUT"
+            exit 0
+          fi
+          code=$(curl -sS -o /tmp/out -w '%{http_code}' \
+            -H "x-cron-secret: $CRON_SECRET" \
+            "$TARGET_URL/api/cron/lifecycle-emails")
+          cat /tmp/out
+          echo
+          [ "$code" = "200" ] || [ "$code" = "404" ]
+      - name: Alert on real failure
+        if: failure() && steps.call.outputs.skipped != 'true'
+        uses: actions/github-script@v9
+        with:
+          script: |
+            await github.rest.issues.create({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              title: "cron-lifecycle-emails failing",
+              labels: ["incident", "auto", "cron"],
+              body: `Run: ${process.env.GITHUB_SERVER_URL}/${process.env.GITHUB_REPOSITORY}/actions/runs/${process.env.GITHUB_RUN_ID}`,
+            });

.github/workflows/cron-storage-purge.yml

@@ -0,0 +1,48 @@
+name: cron-storage-purge
+
+on:
+  schedule:
+    - cron: "30 3 * * *"  # 03:30 UTC daily
+  workflow_dispatch:
+
+permissions:
+  contents: read
+  issues: write
+
+env:
+  TARGET_URL: https://printer-olive.vercel.app
+
+jobs:
+  purge:
+    name: purge
+    runs-on: ubuntu-latest
+    steps:
+      - name: Call storage-purge route
+        id: call
+        env:
+          CRON_SECRET: ${{ secrets.CRON_SECRET }}
+        run: |
+          set +e
+          if [ -z "${CRON_SECRET:-}" ]; then
+            echo "CRON_SECRET not set; skipping"
+            echo "skipped=true" >> "$GITHUB_OUTPUT"
+            exit 0
+          fi
+          code=$(curl -sS -o /tmp/out -w '%{http_code}' \
+            -H "x-cron-secret: $CRON_SECRET" \
+            "$TARGET_URL/api/cron/storage-purge")
+          cat /tmp/out
+          echo
+          [ "$code" = "200" ] || [ "$code" = "404" ]
+      - name: Alert on real failure
+        if: failure() && steps.call.outputs.skipped != 'true'
+        uses: actions/github-script@v9
+        with:
+          script: |
+            await github.rest.issues.create({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              title: "cron-storage-purge failing",
+              labels: ["incident", "auto", "cron"],
+              body: `Run: ${process.env.GITHUB_SERVER_URL}/${process.env.GITHUB_REPOSITORY}/actions/runs/${process.env.GITHUB_RUN_ID}`,
+            });

CODE_OF_CONDUCT.md

@@ -24,10 +24,9 @@ identity.
 
 ## Enforcement
 
-Reports go to **conduct@paperlens.app** (pre-domain: open a private
-GitHub Security Advisory). Maintainers will review and respond within
-7 days. Decisions are at the maintainers' discretion and may include
-warnings, temporary bans, or permanent bans.
+Reports go to **conduct@iammara.com**. Maintainers will review and
+respond within 7 days. Decisions are at the maintainers' discretion
+and may include warnings, temporary bans, or permanent bans.
 
 The full Contributor Covenant text is at:
 https://www.contributor-covenant.org/version/2/1/code_of_conduct/

SECURITY.md

@@ -4,15 +4,16 @@
 
 Please do **not** open a public GitHub issue for security problems.
 
-Instead, email **security@paperlens.app** with:
+Instead, email **security@iammara.com** with:
 - A description of the issue
 - Steps to reproduce
 - The affected version / commit SHA
 - Your contact details (so we can credit you, if you want)
 
 If the email above is not yet active (we are still pre-domain), open
 a draft GitHub Security Advisory at:
-`https://github.com/mara-org/printer/security/advisories/new`
+`https://github.com/mara-org/printer/security/advisories/new` — or
+use **conduct@iammara.com** as the secondary inbox.
 
 We aim to acknowledge within **72 hours** and to ship a fix within
 **14 days** for high-severity issues.

app/api/analyze/route.ts

@@ -84,6 +84,10 @@ export async function POST(req: Request) {
   const mimeType = dl.data.type || "application/pdf";
 
   // 7. Insert a `documents` row (admin client; RLS would also allow it but we already verified ownership).
+  // Set purge_at tighter for free tier (1 day) than paid (30 days) so the storage-purge cron
+  // recovers space quickly from abuse / casual one-off uploads.
+  const purgeDays = quota.tier === "free" ? 1 : 30;
+  const purgeAt = new Date(Date.now() + purgeDays * 24 * 60 * 60 * 1000).toISOString();
   const admin = supabaseAdmin();
   const { data: docRow, error: docErr } = await admin
     .from("documents")
@@ -94,6 +98,7 @@ export async function POST(req: Request) {
       byte_size: arrayBuf.byteLength,
       source_locale: body.output_locale,
       status: "analyzing",
+      purge_at: purgeAt,
     })
     .select("id")
     .single();

app/api/cron/lifecycle-emails/route.ts

@@ -0,0 +1,71 @@
+import { NextResponse } from "next/server";
+import { isCronAuthorized } from "@/lib/cron-auth";
+import { supabaseAdmin } from "@/lib/supabase-server";
+import { pickStage, sendLifecycle } from "@/lib/lifecycle";
+
+export const runtime = "nodejs";
+export const dynamic = "force-dynamic";
+
+const BATCH_LIMIT = 100;
+
+export async function GET(req: Request) {
+  if (!isCronAuthorized(req)) return NextResponse.json({ error: "unauthorized" }, { status: 401 });
+  if (!process.env.RESEND_API_KEY) {
+    return NextResponse.json({ ok: true, skipped: "no_resend_key" });
+  }
+
+  const sb = supabaseAdmin();
+
+  // Pull a batch of users likely to need a lifecycle email.
+  // The view handles the date math; we send at most one email per user per cron run.
+  const { data: rows, error } = await sb
+    .from("user_lifecycle")
+    .select("user_id, email, days_since_signup, days_since_last_analysis")
+    .not("email", "is", null)
+    .lte("days_since_signup", 90)
+    .limit(BATCH_LIMIT);
+
+  if (error) return NextResponse.json({ error: error.message }, { status: 500 });
+  if (!rows || rows.length === 0) {
+    return NextResponse.json({ ok: true, sent: 0, considered: 0 });
+  }
+
+  const userIds = rows.map((r) => r.user_id).filter((v): v is string => typeof v === "string");
+  const { data: alreadySent } = await sb
+    .from("lifecycle_sends")
+    .select("user_id, stage")
+    .in("user_id", userIds);
+
+  const sentSet = new Set((alreadySent ?? []).map((r) => `${r.user_id}:${r.stage}`));
+
+  let sent = 0;
+  let skipped = 0;
+
+  for (const r of rows) {
+    if (!r.user_id || !r.email) {
+      skipped++;
+      continue;
+    }
+    const stage = pickStage(
+      r.days_since_signup ?? 0,
+      r.days_since_last_analysis === null ? null : (r.days_since_last_analysis ?? null),
+    );
+    if (!stage) {
+      skipped++;
+      continue;
+    }
+    const key = `${r.user_id}:${stage}`;
+    if (sentSet.has(key)) {
+      skipped++;
+      continue;
+    }
+
+    const ok = await sendLifecycle(r.email, stage);
+    if (!ok) continue;
+
+    await sb.from("lifecycle_sends").upsert({ user_id: r.user_id, stage, sent_at: new Date().toISOString() });
+    sent++;
+  }
+
+  return NextResponse.json({ ok: true, sent, considered: rows.length, skipped });
+}

app/api/cron/storage-purge/route.ts

@@ -0,0 +1,40 @@
+import { NextResponse } from "next/server";
+import { isCronAuthorized } from "@/lib/cron-auth";
+import { supabaseAdmin } from "@/lib/supabase-server";
+
+export const runtime = "nodejs";
+export const dynamic = "force-dynamic";
+
+const BATCH = 200;
+
+export async function GET(req: Request) {
+  if (!isCronAuthorized(req)) return NextResponse.json({ error: "unauthorized" }, { status: 401 });
+
+  const sb = supabaseAdmin();
+  const now = new Date().toISOString();
+
+  // Documents whose purge_at is in the past and that have an analysis row OR failed status.
+  // Keep documents that are still pending (not yet analyzed) so we don't delete in-flight uploads.
+  const { data: docs, error } = await sb
+    .from("documents")
+    .select("id, storage_path, status")
+    .lte("purge_at", now)
+    .in("status", ["ready", "failed"])
+    .limit(BATCH);
+
+  if (error) return NextResponse.json({ error: error.message }, { status: 500 });
+  if (!docs || docs.length === 0) return NextResponse.json({ ok: true, deleted: 0 });
+
+  const paths = docs.map((d) => d.storage_path).filter((p): p is string => typeof p === "string");
+  let storageRemoved = 0;
+  if (paths.length > 0) {
+    const { data: removed } = await sb.storage.from("documents").remove(paths);
+    storageRemoved = removed?.length ?? 0;
+  }
+
+  // Mark rows purged (don't delete; we keep the analyses row for user history).
+  const ids = docs.map((d) => d.id);
+  await sb.from("documents").update({ status: "purged", storage_path: "" }).in("id", ids);
+
+  return NextResponse.json({ ok: true, considered: docs.length, storageRemoved });
+}

app/api/polar/checkout/route.ts

@@ -0,0 +1,52 @@
+import { NextResponse } from "next/server";
+import { z } from "zod";
+import { supabaseServer } from "@/lib/supabase-server";
+import { getProductId, isPolarConfigured, polarClient } from "@/lib/polar";
+
+export const runtime = "nodejs";
+export const dynamic = "force-dynamic";
+
+const Body = z.object({
+  product: z.enum(["pro", "power", "lifetime"]),
+});
+
+export async function POST(req: Request) {
+  if (!isPolarConfigured()) {
+    return NextResponse.json({ error: "polar_not_configured" }, { status: 503 });
+  }
+
+  const sb = supabaseServer();
+  const {
+    data: { user },
+  } = await sb.auth.getUser();
+  if (!user) return NextResponse.json({ error: "unauthenticated" }, { status: 401 });
+
+  let body: z.infer<typeof Body>;
+  try {
+    body = Body.parse(await req.json());
+  } catch (err) {
+    return NextResponse.json({ error: "bad_request", detail: (err as Error).message }, { status: 400 });
+  }
+
+  const productId = getProductId(body.product);
+  if (!productId) {
+    return NextResponse.json({ error: "product_not_configured" }, { status: 503 });
+  }
+
+  const origin = new URL(req.url).origin;
+  try {
+    const checkout = await polarClient().checkouts.create({
+      products: [productId],
+      successUrl: `${origin}/dashboard?upgraded=1`,
+      customerEmail: user.email ?? undefined,
+      externalCustomerId: user.id,
+      metadata: { user_id: user.id, tier: body.product },
+    });
+    return NextResponse.json({ url: checkout.url });
+  } catch (err) {
+    return NextResponse.json(
+      { error: "checkout_failed", detail: (err as Error).message },
+      { status: 502 },
+    );
+  }
+}

app/api/polar/portal/route.ts

@@ -0,0 +1,30 @@
+import { NextResponse } from "next/server";
+import { supabaseServer } from "@/lib/supabase-server";
+import { isPolarConfigured, polarClient } from "@/lib/polar";
+
+export const runtime = "nodejs";
+export const dynamic = "force-dynamic";
+
+export async function POST(req: Request) {
+  if (!isPolarConfigured()) {
+    return NextResponse.json({ error: "polar_not_configured" }, { status: 503 });
+  }
+
+  const sb = supabaseServer();
+  const {
+    data: { user },
+  } = await sb.auth.getUser();
+  if (!user) return NextResponse.json({ error: "unauthenticated" }, { status: 401 });
+
+  try {
+    const session = await polarClient().customerSessions.create({
+      externalCustomerId: user.id,
+    });
+    return NextResponse.json({ url: session.customerPortalUrl });
+  } catch (err) {
+    return NextResponse.json(
+      { error: "portal_failed", detail: (err as Error).message },
+      { status: 502 },
+    );
+  }
+}