blockmatic · gaboesquivel · Mar 10, 2026 · Mar 9, 2026 · Mar 9, 2026 · Mar 9, 2026
diff --git a/.cursor/rules/frontend/stack.mdc b/.cursor/rules/frontend/stack.mdc
@@ -7,7 +7,7 @@ See @apps/docu/content/docs/architecture/frontend-stack.mdx for complete documen
 
 ## Core Libraries
 - `@tanstack/react-query`: Data fetching/async (use `@lukemorales/query-key-factory`)
-- `@repo/react`: Generated React Query hooks from Hey API clients
+- `@repo/react`: React Query hooks and helpers only—never UI components. Route-specific UI (e.g. login form) lives in apps, collocated by route
 - `nuqs`: URL-based state (search/filters/tabs/pagination)
 - `zod`: Schema validation
 - `@repo/lib`: Utility library

diff --git a/.gitleaks.toml b/.gitleaks.toml
@@ -15,6 +15,7 @@ paths = [
   '''\.env\.example$''',
   '''\.env\.test\.example$''',
   '''\.env-sample$''',
+  '''^apps/next/\.env\.local\.example$''',
   '''\.env\.sample$''',
   '''\.env\.schema$''',
   '''\.env\.test$''',

diff --git a/apps/docu/content/docs/architecture/authentication.mdx b/apps/docu/content/docs/architecture/authentication.mdx
@@ -85,7 +85,13 @@ Passkeys use WebAuthn for passwordless registration and sign-in. Registration cr
 
 ### Magic link (implemented)
 
-Magic link sign-in issues a **single-use token** over email, then exchanges it for JWTs.
+Magic link sign-in issues a **6-digit login code** over email, then exchanges it for JWTs. Users can either type the code into the login form or click the magic link button in the email.
+
+**Flow:**
+1. User enters email → `POST /auth/magiclink/request` → email sent with subject `{code} - {APP_NAME} verification code`
+2. Email contains the 6-digit code prominently and a "Sign in" button (magic link)
+3. **Option A (manual):** User types the 6-digit code in the login form → `POST /auth/magiclink/verify` with `{ token: code }` → JWTs returned
+4. **Option B (link):** User clicks the button in email → callback page receives `?token={code}` → verify → cookies set, redirect
 
 ### OAuth (GitHub)
 
@@ -393,26 +399,35 @@ sequenceDiagram
 
 ## Magic link flow (web)
 
-The email link points to the callback page, which exchanges the token for JWTs and sets cookies.
+A 6-digit code is sent by email. Users can enter the code on the login page or click the magic link in the email. Both paths exchange the code for JWTs.
 
 ```mermaid
 sequenceDiagram
   participant Browser
+  participant LoginForm
   participant CallbackPage as /auth/callback/magiclink
   participant FastifyAPI as Fastify API
   participant DB as PostgreSQL
   participant Email as Email provider
 
   Browser->>FastifyAPI: POST /auth/magiclink/request (email, callbackUrl)
-  FastifyAPI->>DB: upsert user + store verification token
-  FastifyAPI->>Email: send email with callbackUrl?token=...
-  Email-->>Browser: magic link
-
-  Browser->>CallbackPage: GET /auth/callback/magiclink?token=...&callbackURL=...
-  CallbackPage->>FastifyAPI: POST /auth/magiclink/verify (token)
-  FastifyAPI->>DB: consume token, create session
-  FastifyAPI-->>CallbackPage: { token, refreshToken }
-  CallbackPage->>CallbackPage: set cookies, redirect to callbackURL
+  FastifyAPI->>DB: upsert user + store hash(6-digit code)
+  FastifyAPI->>Email: send email (code + magic link button)
+  Email-->>Browser: email with code and link
+
+  alt Manual code entry
+    Browser->>LoginForm: User enters 6-digit code
+    LoginForm->>FastifyAPI: POST /auth/magiclink/verify (token: code)
+    FastifyAPI->>DB: consume code, create session
+    FastifyAPI-->>LoginForm: { token, refreshToken }
+    LoginForm->>LoginForm: updateAuthTokens, redirect
+  else Link click
+    Browser->>CallbackPage: GET /auth/callback/magiclink?token={code}&callbackUrl=...
+    CallbackPage->>FastifyAPI: POST /auth/magiclink/verify (token)
+    FastifyAPI->>DB: consume code, create session
+    FastifyAPI-->>CallbackPage: { token, refreshToken }
+    CallbackPage->>CallbackPage: set cookies, redirect to callbackUrl
+  end
 
   Browser->>FastifyAPI: GET /auth/session/user (Bearer from cookie)
   FastifyAPI-->>Browser: { user }

diff --git a/apps/docu/content/docs/architecture/frontend-stack.mdx b/apps/docu/content/docs/architecture/frontend-stack.mdx
@@ -8,7 +8,7 @@ Core technology choices and patterns for frontend apps. See [Frontend Architectu
 ## Data fetching & async state
 
 - **`@tanstack/react-query`**: default choice for async data and server state (caching, dedupe, retries)
-- **`@repo/react`**: generated React Query hooks and integration for the OpenAPI client surface
+- **`@repo/react`**: React Query hooks and helpers only (no UI components). Route-specific UI (e.g. login form) lives in apps, collocated by route
 - **`@repo/core`**: generated, runtime-agnostic API client and types
 - **`@lukemorales/query-key-factory`**: centralized query key factories (for hand-written queries)
 

diff --git a/apps/docu/content/docs/development/package-conventions.mdx b/apps/docu/content/docs/development/package-conventions.mdx
@@ -28,7 +28,7 @@ The key idea:
 - **Fastify routes + TypeBox schemas** are the source of truth.
 - The **OpenAPI spec** is generated from routes.
 - `@repo/core` contains the **generated client + types** and a small wrapper API.
-- `@repo/react` is a **React Query layer** on top of `@repo/core` (handwritten hooks/components).
+- `@repo/react` is a **React Query layer** on top of `@repo/core` (handwritten hooks and helpers only—no UI components).
 
 ## Workspace layout
 
@@ -122,10 +122,11 @@ React-only helpers using **TanStack Query**.
 
 - React Query hooks that call `@repo/core` (handwritten)
 - Shared provider/context to supply a core client instance to hooks
-- Small React utilities/components that are reusable across apps
+- Hooks and helpers only—no UI components (login forms, cards, etc.). UI lives in apps, collocated by route
 
 **Hard rules**
 
+* ✅ Hooks and helpers only—never add UI components to `@repo/react`
 * ✅ React-only dependencies live here
 * ✅ `@tanstack/react-query` is a peer dependency (apps own the version)
 

diff --git a/apps/docu/content/docs/development/packages.mdx b/apps/docu/content/docs/development/packages.mdx
@@ -101,7 +101,6 @@ React-only helpers built on top of `@repo/core`.
 - `useUser`
 - `useHealthCheck`
 - `useMagicLink`
-- `LoginForm`
 - `createReactApiConfig`
 
 **Usage** (minimal):

diff --git a/apps/fastify/.env-sample b/apps/fastify/.env-sample
@@ -11,6 +11,9 @@ OLLAMA_BASE_URL=https://ollama.example.com
 # Optional: Override default model. Ollama: qwen2.5:3b. Open Router: openrouter/free
 # AI_DEFAULT_MODEL=qwen2.5:3b
 
+# JWT signing secret. Must match Next.js. Min 32 chars.
+JWT_SECRET=default-jwt-secret-min-32-chars-for-dev
+
 # Database (PGLITE=true uses in-memory PGLite; when false, DATABASE_URL is required)
 PGLITE=false
 DATABASE_URL=postgresql://postgres:postgres@127.0.0.1:54322/postgres

diff --git a/apps/fastify/.gitignore b/apps/fastify/.gitignore
@@ -52,8 +52,11 @@ profile-*
 .vscode
 *code-workspace
 
-# clinic
-profile*
+# clinic (profile-*.json etc; exclude account profile route)
+profile-*.json
+profile-*.txt
+!src/routes/account/profile/
+!src/routes/account/profile/**
 *clinic*
 *flamegraph*
 

diff --git a/apps/fastify/openapi/openapi.json b/apps/fastify/openapi/openapi.json
@@ -1749,6 +1749,156 @@
         }
       }
     },
+    "/account/profile/": {
+      "patch": {
+        "operationId": "accountProfileUpdate",
+        "summary": "Update profile",
+        "tags": [
+          "account"
+        ],
+        "description": "Update profile (name, username)",
+        "requestBody": {
+          "required": true,
+          "content": {
+            "application/json": {
+              "schema": {
+                "type": "object",
+                "properties": {
+                  "name": {
+                    "minLength": 1,
+                    "maxLength": 32,
+                    "type": "string"
+                  },
+                  "username": {
+                    "anyOf": [
+                      {
+                        "minLength": 1,
+                        "maxLength": 48,
+                        "pattern": "^[a-zA-Z0-9_-]{1,48}$",
+                        "type": "string"
+                      },
+                      {
+                        "type": "null"
+                      }
+                    ]
+                  }
+                }
+              }
+            }
+          }
+        },
+        "security": [
+          {
+            "bearerAuth": []
+          }
+        ],
+        "responses": {
+          "200": {
+            "description": "Default Response",
+            "content": {
+              "application/json": {
+                "schema": {
+                  "type": "object",
+                  "required": [
+                    "user"
+                  ],
+                  "properties": {
+                    "user": {
+                      "type": "object",
+                      "required": [
+                        "id",
+                        "email",
+                        "name",
+                        "username"
+                      ],
+                      "properties": {
+                        "id": {
+                          "type": "string"
+                        },
+                        "email": {
+                          "anyOf": [
+                            {
+                              "type": "string"
+                            },
+                            {
+                              "type": "null"
+                            }
+                          ]
+                        },
+                        "name": {
+                          "anyOf": [
+                            {
+                              "type": "string"
+                            },
+                            {
+                              "type": "null"
+                            }
+                          ]
+                        },
+                        "username": {
+                          "anyOf": [
+                            {
+                              "type": "string"
+                            },
+                            {
+                              "type": "null"
+                            }
+                          ]
+                        }
+                      }
+                    }
+                  }
+                }
+              }
+            }
+          },
+          "401": {
+            "description": "Default Response",
+            "content": {
+              "application/json": {
+                "schema": {
+                  "type": "object",
+                  "required": [
+                    "code",
+                    "message"
+                  ],
+                  "properties": {
+                    "code": {
+                      "type": "string"
+                    },
+                    "message": {
+                      "type": "string"
+                    }
+                  }
+                }
+              }
+            }
+          },
+          "409": {
+            "description": "Default Response",
+            "content": {
+              "application/json": {
+                "schema": {
+                  "type": "object",
+                  "required": [
+                    "code",
+                    "message"
+                  ],
+                  "properties": {
+                    "code": {
+                      "type": "string"
+                    },
+                    "message": {
+                      "type": "string"
+                    }
+                  }
+                }
+              }
+            }
+          }
+        }
+      }
+    },
     "/ai/chat": {
       "post": {
         "operationId": "chat",
@@ -2025,6 +2175,8 @@
                 ],
                 "properties": {
                   "token": {
+                    "pattern": "^\\d{6}$",
+                    "description": "6-digit code",
                     "type": "string"
                   }
                 }
@@ -2056,6 +2208,28 @@
               }
             }
           },
+          "400": {
+            "description": "Default Response",
+            "content": {
+              "application/json": {
+                "schema": {
+                  "type": "object",
+                  "required": [
+                    "code",
+                    "message"
+                  ],
+                  "properties": {
+                    "code": {
+                      "type": "string"
+                    },
+                    "message": {
+                      "type": "string"
+                    }
+                  }
+                }
+              }
+            }
+          },
           "401": {
             "description": "Default Response",
             "content": {
@@ -2099,6 +2273,28 @@
                 }
               }
             }
+          },
+          "429": {
+            "description": "Default Response",
+            "content": {
+              "application/json": {
+                "schema": {
+                  "type": "object",
+                  "required": [
+                    "code",
+                    "message"
+                  ],
+                  "properties": {
+                    "code": {
+                      "type": "string"
+                    },
+                    "message": {
+                      "type": "string"
+                    }
+                  }
+                }
+              }
+            }
           }
         }
       }
@@ -3653,6 +3849,7 @@
                         "id",
                         "email",
                         "name",
+                        "username",
                         "emailVerified",
                         "linkedWallets",
                         "totpEnabled",
@@ -3682,6 +3879,16 @@
                             }
                           ]
                         },
+                        "username": {
+                          "anyOf": [
+                            {
+                              "type": "string"
+                            },
+                            {
+                              "type": "null"
+                            }
+                          ]
+                        },
                         "emailVerified": {
                           "anyOf": [
                             {

diff --git a/apps/fastify/package.json b/apps/fastify/package.json
@@ -79,7 +79,8 @@
     "siwe": "^3.0.0",
     "tweetnacl": "^1.0.3",
     "viem": "^2.45.3",
-    "zod": "^4.3.6"
+    "zod": "^4.3.6",
+    "@faker-js/faker": "^9.4.0"
   },
   "devDependencies": {
     "@electric-sql/pglite": "^0.3.15",