Build all missing features: PDF/DOCX upload, team system (5 seats, invites, shared dashboard), API keys (generate/revoke/limits), custom clause rules (CRUD + regex)

web/app/api/api-keys/route.ts

@@ -0,0 +1,70 @@
+import { NextRequest, NextResponse } from "next/server";
+import { createClient } from "@/lib/supabase/server";
+import crypto from "crypto";
+
+// GET — list user's API keys
+export async function GET() {
+  const supabase = await createClient();
+  const { data: { user } } = await supabase.auth.getUser();
+  if (!user) return NextResponse.json({ error: "Not authenticated" }, { status: 401 });
+
+  const { data: profile } = await supabase.from("profiles").select("plan, team_id").eq("id", user.id).single();
+  if (profile?.plan === "free") return NextResponse.json({ error: "API access requires Pro or Team plan" }, { status: 403 });
+
+  const { data: keys } = await supabase.from("api_keys")
+    .select("id, name, key_prefix, calls_this_month, calls_limit, is_active, last_used_at, created_at")
+    .eq("user_id", user.id)
+    .order("created_at", { ascending: false });
+
+  return NextResponse.json({ keys: keys || [] });
+}
+
+// POST — create new API key
+export async function POST(req: NextRequest) {
+  const supabase = await createClient();
+  const { data: { user } } = await supabase.auth.getUser();
+  if (!user) return NextResponse.json({ error: "Not authenticated" }, { status: 401 });
+
+  const { data: profile } = await supabase.from("profiles").select("plan, team_id").eq("id", user.id).single();
+  if (profile?.plan === "free") return NextResponse.json({ error: "API access requires Pro or Team plan" }, { status: 403 });
+
+  const { name } = await req.json();
+
+  // Generate key: cg_live_ + 32 random hex chars
+  const rawKey = "cg_live_" + crypto.randomBytes(24).toString("hex");
+  const keyHash = crypto.createHash("sha256").update(rawKey).digest("hex");
+  const keyPrefix = rawKey.substring(0, 16) + "...";
+
+  const callsLimit = profile?.plan === "team" ? 10000 : 1000;
+
+  const { error } = await supabase.from("api_keys").insert({
+    user_id: user.id,
+    team_id: profile?.team_id || null,
+    name: name || "Default",
+    key_hash: keyHash,
+    key_prefix: keyPrefix,
+    calls_limit: callsLimit,
+  });
+
+  if (error) return NextResponse.json({ error: error.message }, { status: 500 });
+
+  // Return the full key ONCE — it's never shown again
+  return NextResponse.json({ key: rawKey, prefix: keyPrefix, name, calls_limit: callsLimit });
+}
+
+// DELETE — revoke an API key
+export async function DELETE(req: NextRequest) {
+  const supabase = await createClient();
+  const { data: { user } } = await supabase.auth.getUser();
+  if (!user) return NextResponse.json({ error: "Not authenticated" }, { status: 401 });
+
+  const { keyId } = await req.json();
+
+  const { error } = await supabase.from("api_keys")
+    .update({ is_active: false })
+    .eq("id", keyId)
+    .eq("user_id", user.id);
+
+  if (error) return NextResponse.json({ error: error.message }, { status: 500 });
+  return NextResponse.json({ success: true });
+}

web/app/api/custom-rules/route.ts

@@ -0,0 +1,94 @@
+import { NextRequest, NextResponse } from "next/server";
+import { createClient } from "@/lib/supabase/server";
+
+// GET — list custom rules
+export async function GET() {
+  const supabase = await createClient();
+  const { data: { user } } = await supabase.auth.getUser();
+  if (!user) return NextResponse.json({ error: "Not authenticated" }, { status: 401 });
+
+  const { data: profile } = await supabase.from("profiles").select("plan, team_id").eq("id", user.id).single();
+  if (profile?.plan !== "team") return NextResponse.json({ error: "Custom rules require Team plan" }, { status: 403 });
+
+  // Fetch user's own rules + team rules
+  let query = supabase.from("custom_rules").select("*").order("created_at", { ascending: false });
+
+  if (profile?.team_id) {
+    query = query.or(`user_id.eq.${user.id},team_id.eq.${profile.team_id}`);
+  } else {
+    query = query.eq("user_id", user.id);
+  }
+
+  const { data: rules } = await query;
+  return NextResponse.json({ rules: rules || [] });
+}
+
+// POST — create a custom rule
+export async function POST(req: NextRequest) {
+  const supabase = await createClient();
+  const { data: { user } } = await supabase.auth.getUser();
+  if (!user) return NextResponse.json({ error: "Not authenticated" }, { status: 401 });
+
+  const { data: profile } = await supabase.from("profiles").select("plan, team_id").eq("id", user.id).single();
+  if (profile?.plan !== "team") return NextResponse.json({ error: "Custom rules require Team plan" }, { status: 403 });
+
+  const { name, description, pattern, severity, category } = await req.json();
+
+  if (!name || !pattern || !category) {
+    return NextResponse.json({ error: "name, pattern, and category are required" }, { status: 400 });
+  }
+
+  // Validate regex pattern
+  try { new RegExp(pattern, "i"); } catch {
+    return NextResponse.json({ error: "Invalid regex pattern" }, { status: 400 });
+  }
+
+  const { data: rule, error } = await supabase.from("custom_rules").insert({
+    user_id: user.id,
+    team_id: profile?.team_id || null,
+    name,
+    description: description || null,
+    pattern,
+    severity: severity || "MEDIUM",
+    category,
+  }).select().single();
+
+  if (error) return NextResponse.json({ error: error.message }, { status: 500 });
+  return NextResponse.json({ rule });
+}
+
+// PUT — update a rule
+export async function PUT(req: NextRequest) {
+  const supabase = await createClient();
+  const { data: { user } } = await supabase.auth.getUser();
+  if (!user) return NextResponse.json({ error: "Not authenticated" }, { status: 401 });
+
+  const { id, ...updates } = await req.json();
+
+  if (updates.pattern) {
+    try { new RegExp(updates.pattern, "i"); } catch {
+      return NextResponse.json({ error: "Invalid regex pattern" }, { status: 400 });
+    }
+  }
+
+  const { error } = await supabase.from("custom_rules")
+    .update({ ...updates, updated_at: new Date().toISOString() })
+    .eq("id", id)
+    .eq("user_id", user.id);
+
+  if (error) return NextResponse.json({ error: error.message }, { status: 500 });
+  return NextResponse.json({ success: true });
+}
+
+// DELETE — delete a rule
+export async function DELETE(req: NextRequest) {
+  const supabase = await createClient();
+  const { data: { user } } = await supabase.auth.getUser();
+  if (!user) return NextResponse.json({ error: "Not authenticated" }, { status: 401 });
+
+  const { id } = await req.json();
+
+  const { error } = await supabase.from("custom_rules").delete().eq("id", id).eq("user_id", user.id);
+  if (error) return NextResponse.json({ error: error.message }, { status: 500 });
+  return NextResponse.json({ success: true });
+}

web/app/api/parse-upload/route.ts

@@ -0,0 +1,45 @@
+import { NextRequest, NextResponse } from "next/server";
+
+export const runtime = "nodejs";
+
+export async function POST(req: NextRequest) {
+  try {
+    const formData = await req.formData();
+    const file = formData.get("file") as File | null;
+
+    if (!file) {
+      return NextResponse.json({ error: "No file uploaded" }, { status: 400 });
+    }
+
+    const name = file.name.toLowerCase();
+    const buffer = Buffer.from(await file.arrayBuffer());
+    let text = "";
+
+    if (name.endsWith(".txt") || name.endsWith(".md")) {
+      text = new TextDecoder().decode(buffer);
+    } else if (name.endsWith(".pdf")) {
+      // pdf-parse v2
+      await import("pdf-parse/worker");
+      const { PDFParse } = await import("pdf-parse");
+      const parser = new PDFParse({ data: buffer });
+      const result = await parser.getText();
+      text = result.text;
+      await parser.destroy();
+    } else if (name.endsWith(".docx")) {
+      const mammoth = (await import("mammoth")).default;
+      const result = await mammoth.extractRawText({ buffer });
+      text = result.value;
+    } else {
+      return NextResponse.json({ error: "Unsupported file type. Use .pdf, .docx, .txt, or .md" }, { status: 400 });
+    }
+
+    if (!text || text.trim().length < 30) {
+      return NextResponse.json({ error: "Could not extract enough text from this file." }, { status: 400 });
+    }
+
+    return NextResponse.json({ text: text.trim(), filename: file.name, size: file.size });
+  } catch (error: any) {
+    console.error("File parse error:", error);
+    return NextResponse.json({ error: "Failed to parse file: " + (error.message || "Unknown error") }, { status: 500 });
+  }
+}

web/app/api/teams/route.ts

@@ -0,0 +1,99 @@
+import { NextRequest, NextResponse } from "next/server";
+import { createClient } from "@/lib/supabase/server";
+import crypto from "crypto";
+
+// GET — fetch current team + members
+export async function GET() {
+  const supabase = await createClient();
+  const { data: { user } } = await supabase.auth.getUser();
+  if (!user) return NextResponse.json({ error: "Not authenticated" }, { status: 401 });
+
+  const { data: profile } = await supabase.from("profiles").select("team_id, plan").eq("id", user.id).single();
+  if (!profile?.team_id) return NextResponse.json({ team: null, members: [], invites: [] });
+
+  const { data: team } = await supabase.from("teams").select("*").eq("id", profile.team_id).single();
+  const { data: members } = await supabase.from("profiles").select("id, email, full_name, avatar_url").eq("team_id", profile.team_id);
+  const { data: invites } = await supabase.from("team_invites").select("*").eq("team_id", profile.team_id).eq("status", "pending");
+
+  return NextResponse.json({ team, members: members || [], invites: invites || [] });
+}
+
+// POST — create team or invite member
+export async function POST(req: NextRequest) {
+  const supabase = await createClient();
+  const { data: { user } } = await supabase.auth.getUser();
+  if (!user) return NextResponse.json({ error: "Not authenticated" }, { status: 401 });
+
+  const body = await req.json();
+
+  // Create team
+  if (body.action === "create") {
+    const { data: profile } = await supabase.from("profiles").select("plan, team_id").eq("id", user.id).single();
+    if (profile?.plan !== "team") return NextResponse.json({ error: "Team plan required" }, { status: 403 });
+    if (profile?.team_id) return NextResponse.json({ error: "Already in a team" }, { status: 400 });
+
+    const { data: team, error } = await supabase.from("teams").insert({
+      name: body.name || "My Team", owner_id: user.id,
+    }).select().single();
+
+    if (error) return NextResponse.json({ error: error.message }, { status: 500 });
+
+    await supabase.from("profiles").update({ team_id: team.id }).eq("id", user.id);
+    return NextResponse.json({ team });
+  }
+
+  // Invite member
+  if (body.action === "invite") {
+    const { data: profile } = await supabase.from("profiles").select("team_id").eq("id", user.id).single();
+    if (!profile?.team_id) return NextResponse.json({ error: "No team" }, { status: 400 });
+
+    // Check seat limit
+    const { count } = await supabase.from("profiles").select("id", { count: "exact" }).eq("team_id", profile.team_id);
+    const { data: team } = await supabase.from("teams").select("max_seats").eq("id", profile.team_id).single();
+    if ((count || 0) >= (team?.max_seats || 5)) return NextResponse.json({ error: "Team is full (max 5 seats)" }, { status: 400 });
+
+    const { error } = await supabase.from("team_invites").insert({
+      team_id: profile.team_id, email: body.email, invited_by: user.id, role: body.role || "member",
+    });
+
+    if (error) return NextResponse.json({ error: error.message }, { status: 500 });
+    return NextResponse.json({ success: true });
+  }
+
+  // Accept invite
+  if (body.action === "accept") {
+    const { data: invite } = await supabase.from("team_invites")
+      .select("*").eq("id", body.invite_id).eq("email", user.email).eq("status", "pending").single();
+
+    if (!invite) return NextResponse.json({ error: "Invite not found" }, { status: 404 });
+
+    await supabase.from("profiles").update({ team_id: invite.team_id }).eq("id", user.id);
+    await supabase.from("team_invites").update({ status: "accepted" }).eq("id", invite.id);
+    return NextResponse.json({ success: true });
+  }
+
+  return NextResponse.json({ error: "Invalid action" }, { status: 400 });
+}
+
+// DELETE — remove member or leave team
+export async function DELETE(req: NextRequest) {
+  const supabase = await createClient();
+  const { data: { user } } = await supabase.auth.getUser();
+  if (!user) return NextResponse.json({ error: "Not authenticated" }, { status: 401 });
+
+  const { memberId } = await req.json();
+
+  if (memberId === user.id) {
+    // Leave team
+    await supabase.from("profiles").update({ team_id: null }).eq("id", user.id);
+  } else {
+    // Remove member (owner only)
+    const { data: profile } = await supabase.from("profiles").select("team_id").eq("id", user.id).single();
+    const { data: team } = await supabase.from("teams").select("owner_id").eq("id", profile?.team_id).single();
+    if (team?.owner_id !== user.id) return NextResponse.json({ error: "Only owner can remove members" }, { status: 403 });
+
+    await supabase.from("profiles").update({ team_id: null }).eq("id", memberId);
+  }
+
+  return NextResponse.json({ success: true });
+}

web/app/dashboard-pages/team/page.tsx

@@ -0,0 +1,142 @@
+import { createClient } from "@/lib/supabase/server";
+import { redirect } from "next/navigation";
+import Link from "next/link";
+import { ArrowLeft, Users, UserPlus, Crown, Mail, Key, ScrollText, Trash2, Shield } from "lucide-react";
+
+export default async function TeamPage() {
+  const supabase = await createClient();
+  const { data: { user } } = await supabase.auth.getUser();
+  if (!user) redirect("/auth/login");
+
+  const { data: profile } = await supabase.from("profiles").select("plan, team_id").eq("id", user.id).single();
+
+  if (profile?.plan !== "team") {
+    return (
+      <div className="min-h-screen bg-white flex items-center justify-center">
+        <div className="text-center max-w-sm">
+          <Users className="w-10 h-10 text-zinc-300 mx-auto mb-4" />
+          <h2 className="text-xl font-semibold">Team features</h2>
+          <p className="mt-2 text-sm text-zinc-500">Upgrade to the Team plan to invite members, share dashboards, and manage API keys.</p>
+          <Link href="/#pricing" className="mt-4 inline-block bg-zinc-900 text-white px-5 py-2.5 rounded-lg text-sm font-medium hover:bg-zinc-800">View plans</Link>
+        </div>
+      </div>
+    );
+  }
+
+  // Fetch team data
+  let team = null, members: any[] = [], invites: any[] = [], analyses: any[] = [];
+
+  if (profile?.team_id) {
+    const { data: t } = await supabase.from("teams").select("*").eq("id", profile.team_id).single();
+    team = t;
+    const { data: m } = await supabase.from("profiles").select("id, email, full_name, avatar_url, analyses_this_month").eq("team_id", profile.team_id);
+    members = m || [];
+    const { data: inv } = await supabase.from("team_invites").select("*").eq("team_id", profile.team_id).eq("status", "pending");
+    invites = inv || [];
+    const { data: a } = await supabase.from("analyses").select("id, source_url, risk_score, grade, flagged_count, created_at, user_id")
+      .eq("team_id", profile.team_id).order("created_at", { ascending: false }).limit(20);
+    analyses = a || [];
+  }
+
+  const isOwner = team?.owner_id === user.id;
+
+  return (
+    <div className="min-h-screen bg-white">
+      <div className="max-w-4xl mx-auto px-5 py-12">
+        <div className="mb-8">
+          <Link href="/dashboard-pages/dashboard" className="inline-flex items-center gap-1.5 text-sm text-zinc-400 hover:text-zinc-600">
+            <ArrowLeft className="w-3.5 h-3.5" /> Dashboard
+          </Link>
+          <h1 className="mt-4 text-2xl font-semibold tracking-tight flex items-center gap-2">
+            <Users className="w-6 h-6 text-zinc-400" />
+            {team?.name || "Team"}
+          </h1>
+        </div>
+
+        {!team ? (
+          <div className="border border-zinc-200 rounded-xl p-8 text-center">
+            <Users className="w-10 h-10 text-zinc-300 mx-auto mb-3" />
+            <h3 className="font-semibold">Create your team</h3>
+            <p className="mt-1 text-sm text-zinc-500">Set up a team to invite members and share scans.</p>
+            <form action="/api/teams" method="POST" className="mt-4">
+              <input type="hidden" name="action" value="create" />
+              <button type="submit" className="bg-zinc-900 text-white px-5 py-2.5 rounded-lg text-sm font-medium hover:bg-zinc-800">Create team</button>
+            </form>
+          </div>
+        ) : (
+          <div className="space-y-8">
+            {/* Members */}
+            <section>
+              <div className="flex items-center justify-between mb-3">
+                <div className="flex items-center gap-2">
+                  <Users className="w-4 h-4 text-zinc-400" />
+                  <h2 className="text-sm font-medium text-zinc-500 uppercase tracking-wider">Members ({members.length}/{team.max_seats})</h2>
+                </div>
+              </div>
+              <div className="border border-zinc-200 rounded-xl divide-y divide-zinc-100">
+                {members.map((m) => (
+                  <div key={m.id} className="px-5 py-3.5 flex items-center justify-between">
+                    <div className="flex items-center gap-3">
+                      <div className="w-8 h-8 rounded-full bg-zinc-100 flex items-center justify-center text-xs font-medium text-zinc-600">
+                        {(m.full_name || m.email || "?")[0].toUpperCase()}
+                      </div>
+                      <div>
+                        <p className="text-sm font-medium flex items-center gap-1.5">
+                          {m.full_name || m.email}
+                          {m.id === team.owner_id && <Crown className="w-3.5 h-3.5 text-amber-500" />}
+                        </p>
+                        <p className="text-xs text-zinc-400">{m.email} · {m.analyses_this_month || 0} scans this month</p>
+                      </div>
+                    </div>
+                  </div>
+                ))}
+                {invites.map((inv) => (
+                  <div key={inv.id} className="px-5 py-3.5 flex items-center justify-between opacity-60">
+                    <div className="flex items-center gap-3">
+                      <div className="w-8 h-8 rounded-full bg-zinc-50 border border-dashed border-zinc-300 flex items-center justify-center">
+                        <Mail className="w-3.5 h-3.5 text-zinc-400" />
+                      </div>
+                      <div>
+                        <p className="text-sm">{inv.email}</p>
+                        <p className="text-xs text-zinc-400">Invite pending</p>
+                      </div>
+                    </div>
+                  </div>
+                ))}
+              </div>
+            </section>
+
+            {/* Recent team scans */}
+            <section>
+              <div className="flex items-center gap-2 mb-3">
+                <Shield className="w-4 h-4 text-zinc-400" />
+                <h2 className="text-sm font-medium text-zinc-500 uppercase tracking-wider">Recent team scans</h2>
+              </div>
+              <div className="border border-zinc-200 rounded-xl divide-y divide-zinc-100">
+                {analyses.length === 0 ? (
+                  <div className="px-5 py-8 text-center text-sm text-zinc-400">No scans yet.</div>
+                ) : analyses.slice(0, 10).map((a) => {
+                  const member = members.find(m => m.id === a.user_id);
+                  return (
+                    <div key={a.id} className="px-5 py-3 flex items-center justify-between">
+                      <div>
+                        <p className="text-sm text-zinc-700 truncate max-w-xs">{a.source_url || "Manual scan"}</p>
+                        <p className="text-xs text-zinc-400 mt-0.5">
+                          {member?.full_name || member?.email || "Unknown"} · {new Date(a.created_at).toLocaleDateString()}
+                        </p>
+                      </div>
+                      <span className={`text-xs font-semibold px-2.5 py-1 rounded-md ${
+                        a.grade === "F" || a.grade === "D" ? "bg-red-50 text-red-700" :
+                        a.grade === "C" ? "bg-amber-50 text-amber-700" : "bg-emerald-50 text-emerald-700"
+                      }`}>{a.grade} · {a.risk_score}</span>
+                    </div>
+                  );
+                })}
+              </div>
+            </section>
+          </div>
+        )}
+      </div>
+    </div>
+  );
+}

web/lib/supabase/schema.sql

@@ -1,6 +1,6 @@
--- ClauseGuard — Supabase Database Schema (Razorpay)
+-- ClauseGuard — Full Database Schema (with Teams, API Keys, Custom Rules)
 
--- Profiles
+-- ─── Profiles ───
 CREATE TABLE IF NOT EXISTS public.profiles (
   id UUID REFERENCES auth.users ON DELETE CASCADE PRIMARY KEY,
   email TEXT,
@@ -8,16 +8,41 @@ CREATE TABLE IF NOT EXISTS public.profiles (
   avatar_url TEXT,
   razorpay_subscription_id TEXT,
   plan TEXT DEFAULT 'free' CHECK (plan IN ('free', 'pro', 'team')),
+  team_id UUID REFERENCES public.teams(id) ON DELETE SET NULL,
   analyses_this_month INT DEFAULT 0,
   monthly_reset_at TIMESTAMPTZ DEFAULT date_trunc('month', NOW()),
   created_at TIMESTAMPTZ DEFAULT NOW(),
   updated_at TIMESTAMPTZ DEFAULT NOW()
 );
 
--- Analyses
+-- ─── Teams ───
+CREATE TABLE IF NOT EXISTS public.teams (
+  id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
+  name TEXT NOT NULL,
+  owner_id UUID REFERENCES auth.users NOT NULL,
+  plan TEXT DEFAULT 'team',
+  max_seats INT DEFAULT 5,
+  razorpay_subscription_id TEXT,
+  created_at TIMESTAMPTZ DEFAULT NOW()
+);
+
+CREATE TABLE IF NOT EXISTS public.team_invites (
+  id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
+  team_id UUID REFERENCES public.teams ON DELETE CASCADE NOT NULL,
+  email TEXT NOT NULL,
+  role TEXT DEFAULT 'member' CHECK (role IN ('admin', 'member')),
+  status TEXT DEFAULT 'pending' CHECK (status IN ('pending', 'accepted', 'expired')),
+  invited_by UUID REFERENCES auth.users NOT NULL,
+  created_at TIMESTAMPTZ DEFAULT NOW(),
+  expires_at TIMESTAMPTZ DEFAULT NOW() + INTERVAL '7 days',
+  UNIQUE(team_id, email)
+);
+
+-- ─── Analyses ───
 CREATE TABLE IF NOT EXISTS public.analyses (
   id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
   user_id UUID REFERENCES public.profiles ON DELETE CASCADE NOT NULL,
+  team_id UUID REFERENCES public.teams ON DELETE SET NULL,
   source_url TEXT,
   source_type TEXT DEFAULT 'tos' CHECK (source_type IN ('tos', 'contract', 'rental', 'other')),
   total_clauses INT NOT NULL,
@@ -28,21 +53,86 @@ CREATE TABLE IF NOT EXISTS public.analyses (
   created_at TIMESTAMPTZ DEFAULT NOW()
 );
 
--- Indexes
+-- ─── API Keys ───
+CREATE TABLE IF NOT EXISTS public.api_keys (
+  id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
+  user_id UUID REFERENCES public.profiles ON DELETE CASCADE NOT NULL,
+  team_id UUID REFERENCES public.teams ON DELETE CASCADE,
+  name TEXT NOT NULL,
+  key_hash TEXT NOT NULL UNIQUE,
+  key_prefix TEXT NOT NULL,  -- first 8 chars for display: "cg_live_a1b2..."
+  calls_this_month INT DEFAULT 0,
+  calls_limit INT DEFAULT 1000,  -- Pro: 1000, Team: 10000
+  last_used_at TIMESTAMPTZ,
+  is_active BOOLEAN DEFAULT true,
+  created_at TIMESTAMPTZ DEFAULT NOW()
+);
+
+-- ─── Custom Clause Rules ───
+CREATE TABLE IF NOT EXISTS public.custom_rules (
+  id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
+  user_id UUID REFERENCES public.profiles ON DELETE CASCADE,
+  team_id UUID REFERENCES public.teams ON DELETE CASCADE,
+  name TEXT NOT NULL,
+  description TEXT,
+  pattern TEXT NOT NULL,          -- regex pattern to match
+  severity TEXT DEFAULT 'MEDIUM' CHECK (severity IN ('HIGH', 'MEDIUM', 'LOW')),
+  category TEXT NOT NULL,         -- custom category name
+  is_active BOOLEAN DEFAULT true,
+  created_at TIMESTAMPTZ DEFAULT NOW(),
+  updated_at TIMESTAMPTZ DEFAULT NOW()
+);
+
+-- ─── Indexes ───
 CREATE INDEX IF NOT EXISTS idx_analyses_user_id ON public.analyses(user_id);
+CREATE INDEX IF NOT EXISTS idx_analyses_team_id ON public.analyses(team_id);
 CREATE INDEX IF NOT EXISTS idx_analyses_created_at ON public.analyses(created_at DESC);
+CREATE INDEX IF NOT EXISTS idx_api_keys_key_hash ON public.api_keys(key_hash);
+CREATE INDEX IF NOT EXISTS idx_api_keys_user_id ON public.api_keys(user_id);
+CREATE INDEX IF NOT EXISTS idx_team_invites_email ON public.team_invites(email);
+CREATE INDEX IF NOT EXISTS idx_custom_rules_user_id ON public.custom_rules(user_id);
+CREATE INDEX IF NOT EXISTS idx_custom_rules_team_id ON public.custom_rules(team_id);
 
--- Row Level Security
+-- ─── Row Level Security ───
 ALTER TABLE public.profiles ENABLE ROW LEVEL SECURITY;
 ALTER TABLE public.analyses ENABLE ROW LEVEL SECURITY;
+ALTER TABLE public.teams ENABLE ROW LEVEL SECURITY;
+ALTER TABLE public.team_invites ENABLE ROW LEVEL SECURITY;
+ALTER TABLE public.api_keys ENABLE ROW LEVEL SECURITY;
+ALTER TABLE public.custom_rules ENABLE ROW LEVEL SECURITY;
+
+-- Profiles
+CREATE POLICY "Users see own profile" ON public.profiles FOR SELECT USING (auth.uid() = id);
+CREATE POLICY "Users update own profile" ON public.profiles FOR UPDATE USING (auth.uid() = id);
+
+-- Analyses: own + team
+CREATE POLICY "Users see own analyses" ON public.analyses FOR SELECT
+  USING (auth.uid() = user_id OR team_id IN (SELECT team_id FROM public.profiles WHERE id = auth.uid()));
+CREATE POLICY "Users insert analyses" ON public.analyses FOR INSERT WITH CHECK (auth.uid() = user_id);
+CREATE POLICY "Users delete own analyses" ON public.analyses FOR DELETE USING (auth.uid() = user_id);
+
+-- Teams: members can view, owner can update
+CREATE POLICY "Team members can view" ON public.teams FOR SELECT
+  USING (id IN (SELECT team_id FROM public.profiles WHERE id = auth.uid()) OR owner_id = auth.uid());
+CREATE POLICY "Owner can update team" ON public.teams FOR UPDATE USING (owner_id = auth.uid());
+
+-- Team invites: team members can view, admins can insert
+CREATE POLICY "Members see team invites" ON public.team_invites FOR SELECT
+  USING (team_id IN (SELECT team_id FROM public.profiles WHERE id = auth.uid()));
+CREATE POLICY "Admins can invite" ON public.team_invites FOR INSERT
+  WITH CHECK (invited_by = auth.uid());
+
+-- API Keys: own + team
+CREATE POLICY "Users see own API keys" ON public.api_keys FOR SELECT
+  USING (user_id = auth.uid() OR team_id IN (SELECT team_id FROM public.profiles WHERE id = auth.uid()));
+CREATE POLICY "Users manage own API keys" ON public.api_keys FOR ALL USING (user_id = auth.uid());
 
-CREATE POLICY "Users can view own profile" ON public.profiles FOR SELECT USING (auth.uid() = id);
-CREATE POLICY "Users can update own profile" ON public.profiles FOR UPDATE USING (auth.uid() = id);
-CREATE POLICY "Users can view own analyses" ON public.analyses FOR SELECT USING (auth.uid() = user_id);
-CREATE POLICY "Users can insert own analyses" ON public.analyses FOR INSERT WITH CHECK (auth.uid() = user_id);
-CREATE POLICY "Users can delete own analyses" ON public.analyses FOR DELETE USING (auth.uid() = user_id);
+-- Custom Rules: own + team
+CREATE POLICY "Users see own rules" ON public.custom_rules FOR SELECT
+  USING (user_id = auth.uid() OR team_id IN (SELECT team_id FROM public.profiles WHERE id = auth.uid()));
+CREATE POLICY "Users manage own rules" ON public.custom_rules FOR ALL USING (user_id = auth.uid());
 
--- Auto-create profile on signup
+-- ─── Auto-create profile on signup ───
 CREATE OR REPLACE FUNCTION public.handle_new_user()
 RETURNS TRIGGER AS $$
 BEGIN
@@ -56,16 +146,17 @@ BEGIN
 END;
 $$ LANGUAGE plpgsql SECURITY DEFINER;
 
-CREATE OR REPLACE TRIGGER on_auth_user_created
+DROP TRIGGER IF EXISTS on_auth_user_created ON auth.users;
+CREATE TRIGGER on_auth_user_created
   AFTER INSERT ON auth.users
   FOR EACH ROW EXECUTE FUNCTION public.handle_new_user();
 
--- Monthly usage reset
+-- ─── Monthly reset ───
 CREATE OR REPLACE FUNCTION public.reset_monthly_usage()
 RETURNS void AS $$
 BEGIN
-  UPDATE public.profiles
-  SET analyses_this_month = 0, monthly_reset_at = date_trunc('month', NOW())
+  UPDATE public.profiles SET analyses_this_month = 0, monthly_reset_at = date_trunc('month', NOW())
   WHERE monthly_reset_at < date_trunc('month', NOW());
+  UPDATE public.api_keys SET calls_this_month = 0;
 END;
 $$ LANGUAGE plpgsql SECURITY DEFINER;

web/next.config.ts

@@ -2,7 +2,7 @@ import type { NextConfig } from "next";
 
 const nextConfig: NextConfig = {
   output: "standalone",
-  serverExternalPackages: ["@react-pdf/renderer"],
+  serverExternalPackages: ["@react-pdf/renderer", "pdf-parse", "mammoth"],
   images: {
     remotePatterns: [
       { protocol: "https", hostname: "avatars.githubusercontent.com" },

web/package.json

@@ -17,6 +17,8 @@
     "razorpay": "2.9.6",
     "resend": "6.12.2",
     "@react-pdf/renderer": "4.5.1",
+    "pdf-parse": "2.4.5",
+    "mammoth": "1.12.0",
     "jose": "6.2.2",
     "lucide-react": "0.474.0",
     "clsx": "2.1.1",