feat: add NEO Shortener page

apps/db/supabase/migrations/20260320000000_add_link_shortener.sql

@@ -0,0 +1,180 @@
+create table "public"."shortened_links" (
+  "id" uuid not null default gen_random_uuid(),
+  "link" text not null,
+  "slug" text not null,
+  "domain" text not null,
+  "password_hash" text,
+  "password_hint" text,
+  "creator_id" uuid not null,
+  "created_at" timestamp with time zone not null default now()
+);
+
+alter table "public"."shortened_links" enable row level security;
+
+create or replace function extract_domain(url text)
+returns text as $$
+begin
+  return case
+    when url ~ '^https?://' then
+      regexp_replace(regexp_replace(url, '^https?://', ''), '/.*$', '')
+    when url ~ '^//' then
+      regexp_replace(regexp_replace(url, '^//', ''), '/.*$', '')
+    else
+      regexp_replace(url, '/.*$', '')
+  end;
+end;
+$$ language plpgsql immutable;
+
+create unique index "shortened_links_pkey"
+  on "public"."shortened_links" using btree (id);
+
+create unique index "shortened_links_slug_key"
+  on "public"."shortened_links" using btree (slug);
+
+create index "idx_shortened_links_creator_id"
+  on "public"."shortened_links" using btree (creator_id)
+  where creator_id is not null;
+
+alter table "public"."shortened_links"
+  add constraint "shortened_links_pkey"
+  primary key using index "shortened_links_pkey";
+
+alter table "public"."shortened_links"
+  add constraint "shortened_links_slug_key"
+  unique using index "shortened_links_slug_key";
+
+alter table "public"."shortened_links"
+  add constraint "shortened_links_creator_id_fkey"
+  foreign key (creator_id)
+  references "public"."users"(id)
+  on update cascade
+  on delete set default;
+
+alter table "public"."shortened_links"
+  add constraint "shortened_links_password_hint_length"
+  check (password_hint is null or char_length(password_hint) <= 200);
+
+create or replace function set_shortened_links_domain()
+returns trigger
+language plpgsql
+as $$
+begin
+  new.domain := regexp_replace(
+    regexp_replace(new.link, '^https?://|^//', ''),
+    '/.*$',
+    ''
+  );
+  return new;
+end;
+$$;
+
+create trigger "trg_set_shortened_links_domain"
+before insert or update of link
+on "public"."shortened_links"
+for each row
+execute function set_shortened_links_domain();
+
+create or replace function "public"."enforce_shortened_links_limit"()
+returns trigger
+language plpgsql
+security definer
+set search_path = public, pg_temp
+as $$
+declare
+  current_link_count integer;
+begin
+  if new.creator_id is null then
+    raise exception 'creator_id is required';
+  end if;
+
+  -- prevent race condition
+  perform pg_advisory_xact_lock(hashtext(new.creator_id::text));
+
+  select count(*)::integer
+  into current_link_count
+  from "public"."shortened_links"
+  where "creator_id" = new.creator_id;
+
+  if current_link_count >= 30 then
+    raise exception 'You have reached the 30-link limit for your account'
+      using errcode = 'P0001';
+  end if;
+
+  return new;
+end;
+$$;
+
+create trigger "trg_enforce_shortened_links_limit"
+before insert
+on "public"."shortened_links"
+for each row
+execute function "public"."enforce_shortened_links_limit"();
+
+grant delete on table "public"."shortened_links" to "anon";
+grant insert on table "public"."shortened_links" to "anon";
+grant references on table "public"."shortened_links" to "anon";
+grant select on table "public"."shortened_links" to "anon";
+grant trigger on table "public"."shortened_links" to "anon";
+grant truncate on table "public"."shortened_links" to "anon";
+grant update on table "public"."shortened_links" to "anon";
+
+grant delete on table "public"."shortened_links" to "authenticated";
+grant insert on table "public"."shortened_links" to "authenticated";
+grant references on table "public"."shortened_links" to "authenticated";
+grant select on table "public"."shortened_links" to "authenticated";
+grant trigger on table "public"."shortened_links" to "authenticated";
+grant truncate on table "public"."shortened_links" to "authenticated";
+grant update on table "public"."shortened_links" to "authenticated";
+
+grant delete on table "public"."shortened_links" to "service_role";
+grant insert on table "public"."shortened_links" to "service_role";
+grant references on table "public"."shortened_links" to "service_role";
+grant select on table "public"."shortened_links" to "service_role";
+grant trigger on table "public"."shortened_links" to "service_role";
+grant truncate on table "public"."shortened_links" to "service_role";
+grant update on table "public"."shortened_links" to "service_role";
+
+create policy "Allow users to select"
+on "public"."shortened_links"
+as permissive
+for select
+to authenticated
+using (
+  creator_id = auth.uid()
+);
+
+create policy "Allow users to insert"
+on "public"."shortened_links"
+as permissive
+for insert
+to authenticated
+with check (
+  creator_id = auth.uid()
+);
+
+create policy "Allow users to update"
+on "public"."shortened_links"
+as permissive
+for update
+to authenticated
+using (
+  creator_id = auth.uid()
+)
+with check (
+  creator_id = auth.uid()
+);
+
+create policy "Allow users to delete"
+on "public"."shortened_links"
+as permissive
+for delete
+to authenticated
+using (
+  creator_id = auth.uid()
+);
+
+comment on column "public"."shortened_links"."password_hash" is
+  'bcrypt-hashed password for link protection. NULL means no password protection.';
+
+comment on column "public"."shortened_links"."password_hint" is
+  'Optional plaintext hint to help users remember the password. Max 200 characters.';

apps/db/supabase/migrations/20260423000000_harden_shortened_links_privileges.sql

@@ -0,0 +1,4 @@
+revoke all privileges on table "public"."shortened_links" from "anon";
+
+revoke references, trigger, truncate on table "public"."shortened_links"
+from "authenticated";

apps/shortener/.env.example

@@ -0,0 +1,5 @@
+# Required environment variables
+# for both development and production
+NEXT_PUBLIC_SUPABASE_URL=YOUR_SUPABASE_URL
+NEXT_PUBLIC_SUPABASE_ANON_KEY=YOUR_SUPABASE_ANON_KEY
+SUPABASE_SERVICE_KEY=YOUR_SUPABASE_SERVICE_KEY

apps/shortener/.gitignore

@@ -0,0 +1,3 @@
+# Sentry Auth Token
+.sentryclirc
+certificates

apps/shortener/README.md

@@ -0,0 +1,34 @@
+This is a [Next.js](https://nextjs.org) project bootstrapped with [`create-next-app`](https://nextjs.org/docs/app/api-reference/cli/create-next-app).
+
+## Getting Started
+
+First, run the development server:
+
+```bash
+npm run dev
+# or
+yarn dev
+# or
+bun dev
+```
+
+Open [http://localhost:3000](http://localhost:3000) with your browser to see the result.
+
+You can start editing the page by modifying `app/page.tsx`. The page auto-updates as you edit the file.
+
+This project uses [`next/font`](https://nextjs.org/docs/app/building-your-application/optimizing/fonts) to automatically optimize and load [Geist](https://vercel.com/font), a new font family for Vercel.
+
+## Learn More
+
+To learn more about Next.js, take a look at the following resources:
+
+- [Next.js Documentation](https://nextjs.org/docs) - learn about Next.js features and API.
+- [Learn Next.js](https://nextjs.org/learn) - an interactive Next.js tutorial.
+
+You can check out [the Next.js GitHub repository](https://github.com/vercel/next.js) - your feedback and contributions are welcome!
+
+## Deploy on Vercel
+
+The easiest way to deploy your Next.js app is to use the [Vercel Platform](https://vercel.com/new?utm_medium=default-template&filter=next.js&utm_source=create-next-app&utm_campaign=create-next-app-readme) from the creators of Next.js.
+
+Check out our [Next.js deployment documentation](https://nextjs.org/docs/app/building-your-application/deploying) for more details.

apps/shortener/biome.json

@@ -0,0 +1,10 @@
+{
+  "root": false,
+  "$schema": "https://biomejs.dev/schemas/2.4.8/schema.json",
+  "extends": "//",
+  "linter": {
+    "domains": {
+      "next": "recommended"
+    }
+  }
+}

apps/shortener/next.config.ts

@@ -0,0 +1,86 @@
+import type { NextConfig } from 'next';
+
+const isDev = process.env.NODE_ENV === 'development';
+
+const nextConfig: NextConfig = {
+  reactStrictMode: true,
+  poweredByHeader: false,
+  transpilePackages: ['@ncthub/ui'],
+  images: {
+    remotePatterns: [
+      {
+        protocol: 'http',
+        hostname: 'localhost',
+      },
+      {
+        protocol: 'http',
+        hostname: '127.0.0.1',
+      },
+      {
+        protocol: 'https',
+        hostname: '**.supabase.co',
+      },
+      {
+        protocol: 'https',
+        hostname: 'avatars.githubusercontent.com',
+      },
+    ],
+  },
+
+  async headers() {
+    return [
+      {
+        // Setting CORS headers for all routes
+        source: '/:path*',
+        headers: [
+          { key: 'Access-Control-Allow-Credentials', value: 'true' },
+          // Use wildcard in development, which is more permissive
+          {
+            key: 'Access-Control-Allow-Origin',
+            value: isDev ? '*' : 'https://nct.gg',
+          },
+          {
+            key: 'Access-Control-Allow-Methods',
+            value: 'GET,DELETE,PATCH,POST,PUT,OPTIONS',
+          },
+          {
+            key: 'Access-Control-Allow-Headers',
+            value:
+              'X-CSRF-Token, X-Requested-With, Accept, Accept-Version, Content-Length, Content-MD5, Content-Type, Date, X-Api-Version, rsc, RSC, Next-Router-State-Tree, Next-Router-Prefetch, Next-Url',
+          },
+          {
+            key: 'Access-Control-Max-Age',
+            value: '86400',
+          },
+        ],
+      },
+      {
+        // Setting CORS headers for API routes
+        source: '/api/:path*',
+        headers: [
+          { key: 'Access-Control-Allow-Credentials', value: 'true' },
+          // Use wildcard in development, which is more permissive
+          {
+            key: 'Access-Control-Allow-Origin',
+            value: isDev ? '*' : 'https://nct.gg',
+          },
+          {
+            key: 'Access-Control-Allow-Methods',
+            value: 'GET,DELETE,PATCH,POST,PUT,OPTIONS',
+          },
+          {
+            key: 'Access-Control-Allow-Headers',
+            value:
+              'X-CSRF-Token, X-Requested-With, Accept, Accept-Version, Content-Length, Content-MD5, Content-Type, Date, X-Api-Version, rsc, RSC, Next-Router-State-Tree, Next-Router-Prefetch, Next-Url',
+          },
+          {
+            key: 'Access-Control-Max-Age',
+            value: '86400',
+          },
+        ],
+      },
+    ];
+  },
+};
+
+export default nextConfig;

apps/shortener/package.json

@@ -0,0 +1,53 @@
+{
+  "name": "@ncthub/shortener",
+  "version": "0.1.0",
+  "private": true,
+  "scripts": {
+    "dev": "next dev -p 3002 --turbopack",
+    "devx": "bun sb:stop && bun sb:start && bun dev",
+    "devrs": "bun sb:stop && bun sb:start && bun sb:reset && bun dev",
+    "build": "next build --turbopack",
+    "start": "next start",
+    "preview": "next build --turbopack && next start -p 3002 --turbopack",
+    "type-check": "tsc --build",
+    "stop": "cd ../db && bun sb:stop",
+    "sb:status": "cd ../db && bun sb:status",
+    "sb:start": "cd ../db && bun sb:start",
+    "sb:stop": "cd ../db && bun sb:stop",
+    "sb:sync": "cd ../db && bun sb:sync",
+    "sb:reset": "cd ../db && bun sb:reset",
+    "sb:diff": "cd ../db && bun sb:diff",
+    "sb:new": "cd ../db && bun sb:new",
+    "sb:up": "cd ../db && bun sb:up",
+    "sb:typegen": "cd ../db && bun sb:typegen",
+    "ui:add": "bunx shadcn-ui@latest add",
+    "ui:diff": "bunx shadcn-ui@latest diff"
+  },
+  "dependencies": {
+    "@ncthub/ai": "workspace:*",
+    "@ncthub/supabase": "workspace:*",
+    "@ncthub/types": "workspace:*",
+    "@ncthub/ui": "workspace:*",
+    "@ncthub/utils": "workspace:*",
+    "@vercel/analytics": "^2.0.1",
+    "bcrypt": "^6.0.0",
+    "dayjs": "^1.11.20",
+    "nanoid": "^5.1.7",
+    "next": "^16.2.0",
+    "react": "^19.2.4",
+    "react-dom": "^19.2.4",
+    "zod": "^4.3.6"
+  },
+  "devDependencies": {
+    "@tailwindcss/postcss": "^4.2.2",
+    "@ncthub/typescript-config": "workspace:*",
+    "@types/bcrypt": "^6.0.0",
+    "@types/node": "^25.5.0",
+    "@types/react": "^19.2.14",
+    "@types/react-dom": "^19.2.3",
+    "babel-plugin-react-compiler": "^1.0.0",
+    "postcss": "^8.5.8",
+    "typescript": "^5.9.3"
+  },
+  "packageManager": "bun@1.3.11"
+}

apps/shortener/postcss.config.mjs

@@ -0,0 +1 @@
+export { default } from '@ncthub/ui/postcss.config';

apps/shortener/src/app/[slug]/page.tsx

@@ -0,0 +1,9 @@
+import ServerPage from './server-page';
+
+interface RedirectPageProps {
+  params: Promise<{ slug: string }>;
+}
+
+export default async function RedirectPage({ params }: RedirectPageProps) {
+  return <ServerPage params={params} />;
+}