server.js

'use strict';

// ─────────────────────────────────────────────────────────────────────────────
// FreemanNotes – Production Runtime Server (Phase 10)
//
// Serves the Vite build output, hosts the Yjs WebSocket sync endpoint, and
// integrates PostgreSQL persistence (via Prisma) as the canonical source of
// truth for all document state. Optional Redis for caching + pub/sub.
//
// Architecture:
//   HTTP (same port) ─┬─ Static files from ./dist (SPA fallback)
//                     ├─ REST API (/api/*, /healthz, /readyz)
//                     └─ WebSocket upgrade /yjs/* → y-websocket rooms
//
// Persistence modes (selected via environment variables):
//   1. Relay-only (no DATABASE_URL, no YPERSISTENCE) — pure in-memory relay.
//   2. LevelDB (YPERSISTENCE=/path) — y-websocket's built-in LevelDB (legacy).
//   3. PostgreSQL (DATABASE_URL=...) — Prisma-based durable persistence.
//      Optional: REDIS_URL for fast doc-state caching layer.
//
// Prisma schema uses the `Document` model (mapped to the `document` table)
// to store Yjs binary state. Workspace scoping provides a lightweight
// tenant boundary ready for Phase 11 auth.
//
// Docker / Unraid:
//   - Set DATABASE_URL to your PostgreSQL connection string.
//   - Optionally set REDIS_URL for Redis caching.
//   - Startup automatically syncs schema (defaults to `npx prisma migrate deploy`
//     when prisma/migrations exist). Override with DB_SCHEMA_SYNC=deploy|push|none.
//
// ─────────────────────────────────────────────────────────────────────────────

// ── Load environment (.env) before anything reads process.env ─────────────
try {
	require('dotenv').config();
} catch {
	// ignore if dotenv isn't installed
}

// ── Core Node.js modules ─────────────────────────────────────────────────
const http = require('http');
const fs = require('fs');
const path = require('path');
const {
	logEvent,
	getRoomDebugContext,
	registerRoomSession,
	unregisterRoomSession,
	attachPrismaDebugLogging,
	instrumentRedisClient,
	DEBUG_LOGGING_ENABLED,
} = require('./server/debugLogger');

// ── Configuration (read from environment) ────────────────────────────────
const YPERSISTENCE = String(process.env.YPERSISTENCE || '').trim();
const DATABASE_URL = String(process.env.DATABASE_URL || '').trim();
const REDIS_URL = String(process.env.REDIS_URL || '').trim();
const PORT = Number(process.env.PORT || 27015);
const HOST = String(process.env.HOST || '0.0.0.0').trim() || '0.0.0.0';
const APP_URL = String(process.env.APP_URL || '').trim();
const PGTIMEZONE = String(process.env.PGTIMEZONE || '').trim();
const DIST_DIR = path.join(__dirname, 'dist');
const UPLOAD_DIR = String(process.env.UPLOAD_DIR || path.join(__dirname, 'uploads')).trim();
const APP_VERSION_STRING = (() => { try { return String(require('./package.json').version || 'dev'); } catch { return 'dev'; } })();

// ── y-websocket LevelDB persistence normalization ────────────────────────
// y-websocket reads process.env.YPERSISTENCE at import time.
// Normalize empty/whitespace values before requiring it.
if (YPERSISTENCE.length > 0) {
	process.env.YPERSISTENCE = YPERSISTENCE;
} else {
	delete process.env.YPERSISTENCE;
}

// ── WebSocket + y-websocket ──────────────────────────────────────────────
const WebSocket = require('ws');
const Y = require('yjs');
const syncProtocol = require('y-protocols/sync');
const awarenessProtocol = require('y-protocols/awareness');
const encoding = require('lib0/encoding');
const decoding = require('lib0/decoding');
const { getYDoc, docs, getPersistence } = require('y-websocket/bin/utils');
const {
	normalizeWorkspaceMetadataEvent,
	publishWorkspaceMetadataEvent,
	subscribeToWorkspaceMetadataEvents,
} = require('./server/workspaceMetadataEvents');
const { findLiveWorkspaceMembership } = require('./server/workspaceAccess');
const { splitDocRoomId } = require('./server/noteShareRouter');
const { canEditWorkspaceContent, normalizeWorkspaceRole } = require('./server/workspaceRoles');

// ── Phase 11 auth helpers (JWT cookie sessions) ───────────────────────
const { getSessionFromRequest } = require('./server/auth');

const MESSAGE_SYNC = 0;
const MESSAGE_AWARENESS = 1;
const WS_READY_STATE_CONNECTING = 0;
const WS_READY_STATE_OPEN = 1;
const PING_TIMEOUT_MS = 30_000;

if (DEBUG_LOGGING_ENABLED) {
	logEvent('SERVER_EVENT', {
		event: 'startup',
		pid: process.pid,
		nodeEnv: String(process.env.NODE_ENV || 'development'),
	});
}

function closeRoleAwareConn(doc, conn) {
	logEvent('WS_EVENT', {
		...getRoomDebugContext(doc && doc.name ? doc.name : null),
		event: 'close-connection',
	});
	if (doc.conns.has(conn)) {
		const controlledIds = doc.conns.get(conn);
		doc.conns.delete(conn);
		awarenessProtocol.removeAwarenessStates(doc.awareness, Array.from(controlledIds || []), null);
		const persistence = getPersistence();
		if (doc.conns.size === 0 && persistence !== null) {
			persistence.writeState(doc.name, doc).then(() => {
				doc.destroy();
			});
			docs.delete(doc.name);
		}
	}
	conn.close();
}

function sendRoleAware(doc, conn, message) {
	logEvent('WS_EVENT', {
		...getRoomDebugContext(doc && doc.name ? doc.name : null),
		event: 'send',
		size: message ? message.length ?? message.byteLength ?? 0 : 0,
	});
	if (conn.readyState !== WS_READY_STATE_CONNECTING && conn.readyState !== WS_READY_STATE_OPEN) {
		closeRoleAwareConn(doc, conn);
		return;
	}
	try {
		conn.send(message, {}, (err) => {
			if (err != null) closeRoleAwareConn(doc, conn);
		});
	} catch {
		closeRoleAwareConn(doc, conn);
	}
}

function setupRoleAwareWSConnection(conn, req, { docName = (req.url || '').slice(1).split('?')[0], gc = true, readOnly = false } = {}) {
	conn.binaryType = 'arraybuffer';
	const doc = getYDoc(docName, gc);
	doc.conns.set(conn, new Set());

	conn.on('message', (message) => {
		try {
			logEvent('WS_EVENT', {
				...getRoomDebugContext(docName),
				event: 'receive',
				size: message ? message.length ?? message.byteLength ?? 0 : 0,
			});
			const encoder = encoding.createEncoder();
			const decoder = decoding.createDecoder(new Uint8Array(message));
			const messageType = decoding.readVarUint(decoder);
			switch (messageType) {
				case MESSAGE_SYNC: {
					const syncMessageType = decoding.readVarUint(decoder);
					// Only updates are write operations — close read-only connections that attempt one.
					// SyncStep2 is the client's required response to the server's own SyncStep1 and
					// is part of the normal handshake.  Closing on SyncStep2 would put the Yjs
					// provider into an infinite reconnect loop because the server itself requested it.
					if (readOnly && syncMessageType === syncProtocol.messageYjsUpdate) {
						console.warn('[ws] read-only client attempted write update, closing:', docName);
						conn.close(1008, 'read-only');
						return;
					}
					encoding.writeVarUint(encoder, MESSAGE_SYNC);
					if (syncMessageType === syncProtocol.messageYjsSyncStep1) {
						syncProtocol.readSyncStep1(decoder, encoder, doc);
					} else if (syncMessageType === syncProtocol.messageYjsSyncStep2) {
						if (readOnly) {
							// Consume bytes without applying to the doc.  Read-only clients must not
							// push their local state to the server document.
							decoding.readVarUint8Array(decoder);
						} else {
							syncProtocol.readSyncStep2(decoder, doc, conn);
						}
					} else if (syncMessageType === syncProtocol.messageYjsUpdate) {
						syncProtocol.readUpdate(decoder, doc, conn);
					}
					if (encoding.length(encoder) > 1) {
						sendRoleAware(doc, conn, encoding.toUint8Array(encoder));
					}
					break;
				}
				case MESSAGE_AWARENESS:
					awarenessProtocol.applyAwarenessUpdate(doc.awareness, decoding.readVarUint8Array(decoder), conn);
					break;
			}
		} catch (err) {
			console.error(err);
			doc.emit('error', [err]);
		}
	});

	let pongReceived = true;
	const pingInterval = setInterval(() => {
		if (!pongReceived) {
			if (doc.conns.has(conn)) {
				closeRoleAwareConn(doc, conn);
			}
			clearInterval(pingInterval);
		} else if (doc.conns.has(conn)) {
			pongReceived = false;
			try {
				conn.ping();
			} catch {
				closeRoleAwareConn(doc, conn);
				clearInterval(pingInterval);
			}
		}
	}, PING_TIMEOUT_MS);

	conn.on('close', (code, reason) => {
		logEvent('WS_EVENT', {
			...getRoomDebugContext(docName),
			event: 'socket-close',
		});
		closeRoleAwareConn(doc, conn);
		clearInterval(pingInterval);
	});
	conn.on('pong', () => {
		logEvent('WS_EVENT', {
			...getRoomDebugContext(docName),
			event: 'pong',
		});
		pongReceived = true;
	});

	const syncEncoder = encoding.createEncoder();
	encoding.writeVarUint(syncEncoder, MESSAGE_SYNC);
	syncProtocol.writeSyncStep1(syncEncoder, doc);
	sendRoleAware(doc, conn, encoding.toUint8Array(syncEncoder));
	const awarenessStates = doc.awareness.getStates();
	if (awarenessStates.size > 0) {
		const awarenessEncoder = encoding.createEncoder();
		encoding.writeVarUint(awarenessEncoder, MESSAGE_AWARENESS);
		encoding.writeVarUint8Array(awarenessEncoder, awarenessProtocol.encodeAwarenessUpdate(doc.awareness, Array.from(awarenessStates.keys())));
		sendRoleAware(doc, conn, encoding.toUint8Array(awarenessEncoder));
	}
}

// ─────────────────────────────────────────────────────────────────────────────
// Prisma + Redis initialization (conditional — only when DATABASE_URL is set).
// When DATABASE_URL is absent, the server runs in relay-only mode (legacy).
// ─────────────────────────────────────────────────────────────────────────────

/** @type {import('@prisma/client').PrismaClient | null} */
let prisma = null;

/** @type {import('ioredis').Redis | null} */
let redis = null;

/** @type {import('ioredis').Redis | null} */
let redisSubscriber = null;

let unsubscribeWorkspaceMetadataEvents = async () => {};

const SERVER_INSTANCE_ID = `${process.pid}:${Math.random().toString(36).slice(2, 10)}`;

/** @type {import('./server/YjsPersistenceAdapter').YjsPersistenceAdapter | null} */
let persistAdapter = null;

/** @type {ReturnType<import('./server/apiRouter').createApiRouter> | null} */
let apiRouter = null;

/** @type {ReturnType<import('./server/authRouter').createApiAuthRouter> | null} */
let authRouter = null;

/** @type {ReturnType<import('./server/workspaceRouter').createWorkspaceRouter> | null} */
let workspaceRouter = null;

/** @type {ReturnType<import('./server/inviteRouter').createInviteRouter> | null} */
let inviteRouter = null;

/** @type {ReturnType<import('./server/shareRouter').createShareRouter> | null} */
let shareRouter = null;

/** @type {ReturnType<import('./server/noteShareRouter').createNoteShareRouter> | null} */
let noteShareRouter = null;

/** @type {ReturnType<import('./server/profileRouter').createProfileRouter> | null} */
let profileRouter = null;

/** @type {ReturnType<import('./server/noteMediaRouter').createNoteMediaRouter> | null} */
let noteMediaRouter = null;

/** @type {ReturnType<import('./server/adminRouter').createAdminRouter> | null} */
let adminRouter = null;

/** @type {ReturnType<import('./server/preferencesRouter').createPreferencesRouter> | null} */
let preferencesRouter = null;

/** @type {ReturnType<import('./server/pushRouter').createPushRouter> | null} */
let pushRouter = null;

/** @type {ReturnType<import('./server/trashCleanup').createTrashCleanup> | null} */
let trashCleanup = null;

/** @type {ReturnType<import('./server/workspaceCleanup').createWorkspaceCleanup> | null} */
let workspaceCleanup = null;

if (DATABASE_URL.length > 0) {
	// ── PostgreSQL via Prisma ─────────────────────────────────────────────
	try {
		const { PrismaClient } = require('@prisma/client');
		prisma = new PrismaClient({
			// Log warn/error in all environments; opt-in to query logging via LOG_PRISMA_QUERIES=true.
			log: process.env.LOG_PRISMA_QUERIES === 'true'
				? ['query', 'warn', 'error']
				: ['warn', 'error'],
		});
		attachPrismaDebugLogging(prisma);
		console.info('[server] Prisma client initialized (DATABASE_URL is set)');

		// Log PGTIMEZONE if configured. The actual SET timezone = '...' runs
		// in the async boot sequence after database provisioning, so it takes
		// effect before any timestamp-returning queries execute.
		if (PGTIMEZONE.length > 0) {
			console.info(`[server] PGTIMEZONE configured: ${PGTIMEZONE}`);
		}
	} catch (err) {
		console.error('[server] Failed to initialize Prisma client:', err.message);
		console.error('[server] PostgreSQL persistence will be DISABLED.');
		prisma = null;
	}

	// ── Redis (optional, only if REDIS_URL is set) ───────────────────────
	if (REDIS_URL.length > 0) {
		try {
			const Redis = require('ioredis');
			const redisClient = new Redis(REDIS_URL, {
				// Reconnect automatically with exponential backoff (max 10 s).
				retryStrategy: (times) => Math.min(times * 200, 10_000),
				// ── Key resilience settings ──
				// null = commands queue indefinitely until Redis reconnects instead
				// of failing after N attempts. This prevents unhandled rejections
				// from crashing the process during transient network outages.
				maxRetriesPerRequest: null,
				// Keep the offline queue enabled (default true) — pending commands are
				// buffered and replayed automatically once the connection is restored.
				enableOfflineQueue: true,
				lazyConnect: false,
				// Automatically reconnect when the server sends a read-only or
				// connection-reset error (ECONNRESET, READONLY, etc.).
				reconnectOnError: (err) => {
					const msg = err.message || '';
					return msg.includes('READONLY') || msg.includes('ECONNRESET');
				},
			});
			redisClient.on('connect', () => console.info('[server] Redis connected'));
			redisClient.on('ready', () => console.info('[server] Redis ready'));
			redisClient.on('close', () => console.warn('[server] Redis connection closed'));
			redisClient.on('reconnecting', (ms) => console.info(`[server] Redis reconnecting in ${ms}ms`));
			redisClient.on('error', (err) => console.warn('[server] Redis error:', err.message));
			const subscriberClient = redisClient.duplicate();
			subscriberClient.on('connect', () => console.info('[server] Redis subscriber connected'));
			subscriberClient.on('ready', () => console.info('[server] Redis subscriber ready'));
			subscriberClient.on('close', () => console.warn('[server] Redis subscriber connection closed'));
			subscriberClient.on('reconnecting', (ms) => console.info(`[server] Redis subscriber reconnecting in ${ms}ms`));
			subscriberClient.on('error', (err) => console.warn('[server] Redis subscriber error:', err.message));
			redis = instrumentRedisClient(redisClient, 'redis');
			redisSubscriber = instrumentRedisClient(subscriberClient, 'redis-subscriber');
			console.info('[server] Redis client initialized (REDIS_URL is set)');
		} catch (err) {
			console.error('[server] Failed to initialize Redis client:', err.message);
			console.error('[server] Redis caching will be DISABLED.');
			redis = null;
		}
	}

	// ── Persistence adapter + API router (only with valid Prisma) ────────
	if (prisma) {
		// Guard: if Prisma Client is stale (schema changed but `prisma generate` wasn't run),
		// model delegates will be missing and device-scoped preference persistence will fail.
		if (!prisma.userDevicePreference) {
			console.error('[server] Prisma Client is missing model delegate: userDevicePreference');
			console.error('[server] This usually means the schema changed but Prisma Client was not regenerated.');
			console.error('[server] Fix: stop the dev server, run `npm run db:generate`, then restart.');
			throw new Error('Stale Prisma Client: missing userDevicePreference delegate');
		}
		// Persistence adapter is optional; auth/workspaces should still work even
		// if persistence fails to initialize.
		try {
			const { YjsPersistenceAdapter } = require('./server/YjsPersistenceAdapter');
			persistAdapter = new YjsPersistenceAdapter(prisma, {
				redis: redis || null,
				workspaceName: 'default',
				debounceMs: 2000,
			});
			console.info('[server] YjsPersistenceAdapter initialized');
		} catch (err) {
			console.error('[server] Failed to initialize persistence adapter:', err && err.stack ? err.stack : err.message);
			persistAdapter = null;
		}

		// REST API router requires persistence adapter.
		if (persistAdapter) {
			try {
				const { createApiRouter } = require('./server/apiRouter');
				apiRouter = createApiRouter({
					prisma,
					adapter: persistAdapter,
					timezone: PGTIMEZONE || null,
					onWorkspaceMetadataChanged: async (event) => {
						const normalized = normalizeWorkspaceMetadataEvent({
							...event,
							type: 'workspace-metadata-changed',
							origin: SERVER_INSTANCE_ID,
						});
						if (!normalized) return;
						broadcastWorkspaceMetadataChanged(normalized);
						if (redis) {
							await publishWorkspaceMetadataEvent(redis, normalized);
						}
					},
				});
				console.info('[server] REST API router initialized');
			} catch (err) {
				console.error('[server] Failed to initialize REST API router:', err.message);
				apiRouter = null;
			}
		}

		// Auth + tenancy routers should come up whenever Prisma is available.
		try {
			const { createApiAuthRouter } = require('./server/authRouter');
			authRouter = createApiAuthRouter({ prisma });
			console.info('[server] Auth API router initialized');
		} catch (err) {
			console.error('[server] Failed to initialize Auth API router:', err.message);
			authRouter = null;
		}

		try {
			const { createWorkspaceRouter } = require('./server/workspaceRouter');
			workspaceRouter = createWorkspaceRouter({
				prisma,
				onWorkspaceMetadataChanged: async (event) => {
					const normalized = normalizeWorkspaceMetadataEvent({
						...event,
						type: 'workspace-metadata-changed',
						origin: SERVER_INSTANCE_ID,
					});
					if (!normalized) return;
					broadcastWorkspaceMetadataChanged(normalized);
					if (redis) {
						await publishWorkspaceMetadataEvent(redis, normalized);
					}
				},
			});
			console.info('[server] Workspace API router initialized');
		} catch (err) {
			console.error('[server] Failed to initialize Workspace API router:', err.message);
			workspaceRouter = null;
		}

		try {
			const { createInviteRouter } = require('./server/inviteRouter');
			inviteRouter = createInviteRouter({
				prisma,
				onWorkspaceMetadataChanged: async (event) => {
					const normalized = normalizeWorkspaceMetadataEvent({
						...event,
						type: 'workspace-metadata-changed',
						origin: SERVER_INSTANCE_ID,
					});
					if (!normalized) return;
					broadcastWorkspaceMetadataChanged(normalized);
					if (redis) {
						await publishWorkspaceMetadataEvent(redis, normalized);
					}
				},
			});
			console.info('[server] Invite API router initialized');
		} catch (err) {
			console.error('[server] Failed to initialize Invite API router:', err.message);
			inviteRouter = null;
		}

		try {
			const { createShareRouter } = require('./server/shareRouter');
			shareRouter = createShareRouter({ prisma, timezone: PGTIMEZONE || null });
			console.info('[server] Share API router initialized');
		} catch (err) {
			console.error('[server] Failed to initialize Share API router:', err.message);
			shareRouter = null;
		}

		try {
			const { createNoteShareRouter } = require('./server/noteShareRouter');
			noteShareRouter = createNoteShareRouter({
				prisma,
				onWorkspaceMetadataChanged: async (event) => {
					const normalized = normalizeWorkspaceMetadataEvent({
						...event,
						type: 'workspace-metadata-changed',
						origin: SERVER_INSTANCE_ID,
					});
					if (!normalized) return;
					broadcastWorkspaceMetadataChanged(normalized);
					if (redis) {
						await publishWorkspaceMetadataEvent(redis, normalized);
					}
				},
			});
			console.info('[server] Note share API router initialized');
		} catch (err) {
			console.error('[server] Failed to initialize Note share API router:', err.message);
			noteShareRouter = null;
		}

		try {
			const { createProfileRouter } = require('./server/profileRouter');
			profileRouter = createProfileRouter({
				prisma,
				uploadDir: UPLOAD_DIR,
				onWorkspaceMetadataChanged: async (event) => {
					const normalized = normalizeWorkspaceMetadataEvent({
						...event,
						type: 'workspace-metadata-changed',
						origin: SERVER_INSTANCE_ID,
					});
					if (!normalized) return;
					broadcastWorkspaceMetadataChanged(normalized);
					if (redis) {
						await publishWorkspaceMetadataEvent(redis, normalized);
					}
				},
			});
			console.info('[server] Profile API router initialized');
		} catch (err) {
			console.error('[server] Failed to initialize Profile API router:', err.message);
			profileRouter = null;
		}

		try {
			const { createNoteMediaRouter } = require('./server/noteMediaRouter');
			noteMediaRouter = createNoteMediaRouter({
				prisma,
				uploadDir: UPLOAD_DIR,
				onWorkspaceMetadataChanged: async (event) => {
					const normalized = normalizeWorkspaceMetadataEvent({
						...event,
						type: 'workspace-metadata-changed',
						origin: SERVER_INSTANCE_ID,
					});
					if (!normalized) return;
					broadcastWorkspaceMetadataChanged(normalized);
					if (redis) {
						await publishWorkspaceMetadataEvent(redis, normalized);
					}
				},
			});
			console.info('[server] Note media API router initialized');
		} catch (err) {
			console.error('[server] Failed to initialize Note media API router:', err.message);
			noteMediaRouter = null;
		}

		try {
			const { createAdminRouter } = require('./server/adminRouter');
			adminRouter = createAdminRouter({ prisma });
			console.info('[server] Admin API router initialized');
		} catch (err) {
			console.error('[server] Failed to initialize Admin API router:', err.message);
			adminRouter = null;
		}

		try {
			const { createPreferencesRouter } = require('./server/preferencesRouter');
			preferencesRouter = createPreferencesRouter({
				prisma,
				timezone: PGTIMEZONE || null,
				onUserPreferencesChanged: async (userId) => {
					const normalized = normalizeWorkspaceMetadataEvent({
						type: 'workspace-metadata-changed',
						reason: 'user-preferences-changed',
						userIds: [userId],
						origin: SERVER_INSTANCE_ID,
					});
					if (!normalized) return;
					broadcastWorkspaceMetadataChanged(normalized);
					if (redis) {
						await publishWorkspaceMetadataEvent(redis, normalized);
					}
				},
			});
			console.info('[server] Preferences API router initialized');
		} catch (err) {
			console.error('[server] Failed to initialize Preferences API router:', err.message);
			preferencesRouter = null;
		}

		try {
			const { createPushRouter } = require('./server/pushRouter');
			pushRouter = createPushRouter({ prisma, redis });
			console.info('[server] Push notification router initialized');
		} catch (err) {
			console.error('[server] Failed to initialize Push notification router:', err.message);
			pushRouter = null;
		}

		// Start reminder scheduler — fires push notifications for due note reminders.
		try {
			const { startReminderScheduler } = require('./server/pushService');
			// Pass a broadcast callback that (a) directly notifies WS clients in this
			// process so the bell badge refreshes even without Redis, and (b) publishes
			// to Redis for cross-instance delivery in multi-instance deployments.
			// Using origin: SERVER_INSTANCE_ID prevents the Redis subscriber from
			// re-broadcasting the event on this instance (no double delivery).
			startReminderScheduler(prisma, redis, async ({ userId, workspaceId }) => {
				const normalized = normalizeWorkspaceMetadataEvent({
					type: 'workspace-metadata-changed',
					reason: 'reminder-fired',
					userIds: [userId],
					workspaceId,
					origin: SERVER_INSTANCE_ID,
				});
				if (!normalized) return;
				broadcastWorkspaceMetadataChanged(normalized);
				if (redis) {
					await publishWorkspaceMetadataEvent(redis, normalized);
				}
			});
		} catch (err) {
			console.warn('[server] Reminder scheduler failed to start:', err.message);
		}
	}
} else {
	console.info('[server] DATABASE_URL not set — running in relay-only mode (no PostgreSQL persistence)');
}

// ─────────────────────────────────────────────────────────────────────────────
// y-websocket custom persistence binding.
//
// When the PostgreSQL persistence adapter is active, we register it as
// y-websocket's persistence layer. This replaces the built-in LevelDB
// persistence (YPERSISTENCE env var) when both are configured — PostgreSQL
// takes precedence.
// ─────────────────────────────────────────────────────────────────────────────
if (persistAdapter) {
	// y-websocket's utils.js exposes `setPersistence(persistence)` which
	// accepts an object with { bindState, writeState } methods. This is the
	// official extension point for custom persistence backends.
	try {
		const { setPersistence } = require('y-websocket/bin/utils');
		setPersistence({
			bindState: (docName, yDoc) => persistAdapter.bindState(docName, yDoc),
			writeState: (docName, yDoc) => persistAdapter.writeState(docName, yDoc),
		});
		console.info('[server] y-websocket persistence bound to PostgreSQL adapter');
	} catch (err) {
		console.error('[server] Failed to bind y-websocket persistence:', err.message);
		console.error('[server] Falling back to default y-websocket persistence (LevelDB or none).');
	}
}

// ─────────────────────────────────────────────────────────────────────────────
// URL / path helpers (unchanged from original server.js)
// ─────────────────────────────────────────────────────────────────────────────

function normalizedAppUrl() {
	if (APP_URL.length === 0) {
		return `http://localhost:${PORT}`;
	}
	try {
		const u = new URL(APP_URL);
		u.pathname = '/';
		u.search = '';
		u.hash = '';
		return String(u).replace(/\/$/, '');
	} catch {
		return `http://localhost:${PORT}`;
	}
}

function wsUrlFromAppUrl(baseUrl) {
	try {
		const u = new URL(baseUrl);
		const wsProtocol = u.protocol === 'https:' ? 'wss:' : 'ws:';
		return `${wsProtocol}//${u.host}/yjs/<room>`;
	} catch {
		return `ws://localhost:${PORT}/yjs/<room>`;
	}
}

function safePathFromUrl(urlPathname) {
	const pathname = decodeURIComponent(urlPathname.split('?')[0]);
	// Prevent path traversal.
	const resolved = path.resolve(DIST_DIR, '.' + pathname);
	if (!resolved.startsWith(DIST_DIR)) return null;
	return resolved;
}

function contentTypeFor(filePath) {
	const ext = path.extname(filePath).toLowerCase();
	if (ext === '.html') return 'text/html; charset=utf-8';
	if (ext === '.js') return 'text/javascript; charset=utf-8';
	if (ext === '.mjs') return 'text/javascript; charset=utf-8';
	if (ext === '.css') return 'text/css; charset=utf-8';
	if (ext === '.json') return 'application/json; charset=utf-8';
	if (ext === '.svg') return 'image/svg+xml';
	if (ext === '.png') return 'image/png';
	if (ext === '.jpg' || ext === '.jpeg') return 'image/jpeg';
	if (ext === '.webp') return 'image/webp';
	if (ext === '.ico') return 'image/x-icon';
	if (ext === '.txt') return 'text/plain; charset=utf-8';
	return 'application/octet-stream';
}

// ─────────────────────────────────────────────────────────────────────────────
// HTTP server — serves static files, REST API, and SPA fallback.
// ─────────────────────────────────────────────────────────────────────────────

const server = http.createServer((req, res) => {
	try {
		// Attach auth context (if session cookie is present).
		req.auth = getSessionFromRequest(req);

		const url = new URL(req.url || '/', `http://${req.headers.host || 'localhost'}`);

		if (req.method === 'POST' && url.pathname === '/api/debug-log') {
			const chunks = [];
			req.on('data', (chunk) => chunks.push(chunk));
			req.on('end', () => {
				try {
					const body = JSON.parse(Buffer.concat(chunks).toString('utf-8') || '{}');
					const events = Array.isArray(body)
						? body
						: Array.isArray(body?.events)
							? body.events
							: [body];
					for (const entry of events) {
						if (!entry || typeof entry !== 'object') continue;
						const eventType = typeof entry.type === 'string' && entry.type.trim() ? entry.type.trim() : 'CLIENT_EVENT';
						logEvent(eventType, {
							source: 'client',
							ip: req.socket.remoteAddress || null,
							...entry,
						});
					}
					res.writeHead(200, { 'Content-Type': 'application/json; charset=utf-8', 'Cache-Control': 'no-store' });
					res.end('{"ok":true}');
				} catch (err) {
					logEvent('CLIENT_EVENT_ERROR', {
						source: 'client',
						ip: req.socket.remoteAddress || null,
						error: err && err.message ? err.message : String(err),
					});
					res.writeHead(400);
					res.end('Bad Request');
				}
			});
			req.on('error', () => {
				res.writeHead(400);
				res.end('Bad Request');
			});
			return;
		}

		// ── Auth API router ──────────────────────────────────────────────
		if (authRouter && authRouter(req, res)) {
			return;
		}

		// ── Workspaces API router ───────────────────────────────────────
		if (workspaceRouter && workspaceRouter(req, res)) {
			return;
		}

		// ── Invites API router ──────────────────────────────────────────
		if (inviteRouter && inviteRouter(req, res)) {
			return;
		}

		// ── Share API router ────────────────────────────────────────────
		if (shareRouter && shareRouter(req, res)) {
			return;
		}

		// ── Note-share collaboration router ─────────────────────────────
		if (noteShareRouter && noteShareRouter(req, res)) {
			return;
		}

		// ── Profile API router ──────────────────────────────────────────
		if (profileRouter && profileRouter(req, res)) {
			return;
		}

		if (noteMediaRouter && noteMediaRouter(req, res)) {
			return;
		}

		// ── Admin API router ────────────────────────────────────────────
		if (adminRouter && adminRouter(req, res)) {
			return;
		}

		// ── REST API router (when PostgreSQL persistence is active) ──────
		// Try the API router first. If it handles the request, we're done.
		if (apiRouter && apiRouter(req, res)) {
			return;
		}

		// ── Preferences API router ───────────────────────────────────────
		// Handles /api/user/preferences GET and POST endpoints.
		if (preferencesRouter && preferencesRouter(req, res)) {
			return;
		}

		// ── Push notification router ─────────────────────────────────────
		// Handles /api/push/* — subscription management, test push, reminders.
		if (pushRouter && pushRouter(req, res)) {
			return;
		}

		// ── Method guard ─────────────────────────────────────────────────
		if (req.method !== 'GET' && req.method !== 'HEAD') {
			res.writeHead(405);
			res.end('Method Not Allowed');
			return;
		}

		// ── Health endpoint (always available, even without PostgreSQL) ──
		if (url.pathname === '/healthz') {
			res.writeHead(200, { 'Content-Type': 'text/plain; charset=utf-8' });
			res.end('ok');
			return;
		}

		// ── Version endpoint (unauthenticated — used by PWA update polling) ──
		// Returns the running server build version so the client can detect
		// when a new deployment is available without relying solely on the
		// service-worker update mechanism (unreliable on iOS standalone PWA).
		if (url.pathname === '/api/version') {
			res.writeHead(200, { 'Content-Type': 'application/json; charset=utf-8', 'Cache-Control': 'no-store' });
			res.end(JSON.stringify({ version: APP_VERSION_STRING }));
			return;
		}

		// ── Static file serving from dist ────────────────────────────────
		// IMPORTANT:
		// This server assumes Vite has produced a complete dist/ directory
		// containing index.html plus the hashed assets/ bundle. If a build is
		// interrupted, or Vite clears dist/ and then fails before rewriting the
		// shell, the reverse-proxied site can appear "down" at / even though the
		// Node process and /healthz still respond normally.
		//
		// In practice that means operators should avoid swapping in a partially
		// written dist/, and should prefer building to a fresh outDir before
		// replacing the live dist/ contents when diagnosing Windows file-lock or
		// deployment issues.
		if (url.pathname.startsWith('/uploads/')) {
			// Serve uploaded profile images from UPLOAD_DIR.
			const resolved = path.resolve(UPLOAD_DIR, '.' + decodeURIComponent(url.pathname.slice('/uploads'.length)));
			const base = path.resolve(UPLOAD_DIR);
			if (!resolved.startsWith(base + path.sep) && resolved !== base) {
				res.writeHead(400);
				res.end('Bad Request');
				return;
			}
			if (!fs.existsSync(resolved)) {
				res.writeHead(404);
				res.end('Not Found');
				return;
			}
			const stat = fs.statSync(resolved);
			if (!stat.isFile()) {
				res.writeHead(404);
				res.end('Not Found');
				return;
			}
			res.setHeader('Content-Type', contentTypeFor(resolved));
			res.setHeader('Cache-Control', 'public, max-age=86400');
			if (req.method === 'HEAD') {
				res.writeHead(200);
				res.end();
				return;
			}
			fs.createReadStream(resolved)
				.on('error', () => {
					res.writeHead(500);
					res.end('Internal Server Error');
				})
				.pipe(res);
			return;
		}

		let filePath = safePathFromUrl(url.pathname);
		if (!filePath) {
			res.writeHead(400);
			res.end('Bad Request');
			return;
		}

		// Directory → index.html
		if (url.pathname.endsWith('/')) {
			filePath = path.join(filePath, 'index.html');
		}

		// SPA fallback: if file doesn't exist and it isn't an asset, serve index.html.
		// If dist/index.html itself is missing because of an incomplete frontend
		// build, root requests will fail here even though the API server is up.
		const looksLikeFile = path.extname(filePath).length > 0;
		if (!fs.existsSync(filePath)) {
			if (!looksLikeFile) {
				filePath = path.join(DIST_DIR, 'index.html');
			} else {
				res.writeHead(404);
				res.end('Not Found');
				return;
			}
		}

		const stat = fs.statSync(filePath);
		if (!stat.isFile()) {
			res.writeHead(404);
			res.end('Not Found');
			return;
		}

		res.setHeader('Content-Type', contentTypeFor(filePath));
		// Cache policy:
		// - Hashed build assets: immutable
		// - Service worker + HTML shell: no-store (fast updates; SW handles offline)
		// - Everything else: revalidate
		if (filePath.includes(path.sep + 'assets' + path.sep)) {
			res.setHeader('Cache-Control', 'public, max-age=31536000, immutable');
		} else if (path.basename(filePath) === 'sw.js' || path.extname(filePath).toLowerCase() === '.html') {
			res.setHeader('Cache-Control', 'no-store');
		} else {
			res.setHeader('Cache-Control', 'no-cache');
		}

		if (req.method === 'HEAD') {
			res.writeHead(200);
			res.end();
			return;
		}

		fs.createReadStream(filePath)
			.on('error', () => {
				// If the stream errors after we've started sending the file,
				// we cannot change headers/status. Just terminate the response.
				if (res.headersSent || res.writableEnded) {
					try {
						res.destroy();
					} catch {
						// ignore
					}
					return;
				}
				res.writeHead(500);
				res.end('Internal Server Error');
			})
			.pipe(res);
	} catch {
		if (!res.headersSent) {
			res.writeHead(500);
		}
		if (!res.writableEnded) {
			res.end('Internal Server Error');
		}
	}
});

server.on('error', (err) => {
	console.error('[server] http error:', err);
});

// ─────────────────────────────────────────────────────────────────────────────
// WebSocket server for Yjs, attached to same HTTP server.
//
// Server-side ping/pong keep-alive:
//   Every 30 s the server sends a WebSocket ping frame to each connected
//   client. If no pong is received within 10 s the connection is considered
//   dead and is terminated. This is critical for mobile clients on cellular
//   networks where TCP connections can die silently (NAT timeout, cell tower
//   handoff) without either side receiving a FIN. Without server-side pings
//   the dead socket would linger until y-websocket's internal 30 s idle
//   check fires, wasting memory and blocking Yjs awareness cleanup.
//
//   The `ws` library (v8+) handles pong responses automatically on the
//   client side — no application-level code needed.
// ─────────────────────────────────────────────────────────────────────────────

const WS_PING_INTERVAL_MS = 30_000;
const WS_PONG_TIMEOUT_MS = 10_000;

const wss = new WebSocket.Server({ noServer: true });
const metadataWss = new WebSocket.Server({ noServer: true });

const metadataClientSessionMap = new WeakMap();

// ── Server-side ping/pong keep-alive ─────────────────────────────────────
// Track liveness per connection so we can terminate unresponsive clients.
const wsAliveMap = new WeakMap();

function broadcastWorkspaceMetadataChanged(rawEvent) {
	const event = normalizeWorkspaceMetadataEvent(rawEvent);
	if (!event) return;
	const allowedUserIds = event.userIds.length > 0 ? new Set(event.userIds) : null;
	const payload = JSON.stringify({
		type: 'workspace-metadata-changed',
		reason: event.reason,
		workspaceId: event.workspaceId,
		docId: event.docId,
		occurredAt: event.occurredAt,
	});
	for (const ws of metadataWss.clients) {
		if (ws.readyState !== WebSocket.OPEN) continue;
		const session = metadataClientSessionMap.get(ws);
		if (allowedUserIds && (!session || !allowedUserIds.has(session.userId))) continue;
		try {
			ws.send(payload);
		} catch {
			// Ignore per-socket send failures; liveness tracking will clean them up.
		}
	}
}

const wsPingInterval = setInterval(() => {
	for (const serverInstance of [wss, metadataWss]) {
		for (const ws of serverInstance.clients) {
			if (wsAliveMap.get(ws) === false) {
				// No pong received since last ping — connection is dead.
				ws.terminate();
				continue;
			}
			wsAliveMap.set(ws, false);
			ws.ping();
		}
	}
}, WS_PING_INTERVAL_MS);

// Clean up the interval when the WebSocket server closes.
wss.on('close', () => {
	clearInterval(wsPingInterval);
});

metadataWss.on('close', () => {
	clearInterval(wsPingInterval);
});

server.on('upgrade', (req, socket, head) => {
	socket.on('error', () => {
		// ignore (ECONNRESET etc)
	});

	const url = req.url || '/';
	if (url.startsWith('/ws/metadata')) {
		try {
			metadataWss.handleUpgrade(req, socket, head, (conn) => {
				metadataWss.emit('connection', conn, req);
			});
		} catch {
			try {
				socket.destroy();
			} catch {
				// ignore
			}
		}
		return;
	}
	if (!url.startsWith('/yjs')) return;

	try {
		wss.handleUpgrade(req, socket, head, (conn) => {
			wss.emit('connection', conn, req);
		});
	} catch {
		try {
			socket.destroy();
		} catch {
			// ignore
		}
	}
});

metadataWss.on('connection', (conn, req) => {
	wsAliveMap.set(conn, true);
	conn.on('pong', () => {
		wsAliveMap.set(conn, true);
	});

	const session = getSessionFromRequest(req);
	if (!session || !session.userId) {
		conn.close(1008, 'unauthorized');
		return;
	}

	metadataClientSessionMap.set(conn, { userId: session.userId });

	conn.on('close', () => {
		metadataClientSessionMap.delete(conn);
	});

	conn.on('error', (err) => {
		console.warn('[ws-metadata] socket error:', err.message);
	});

	try {
		conn.send(JSON.stringify({ type: 'workspace-metadata-ready' }));
	} catch {
		// Ignore eager send failures.
	}
});

wss.on('connection', (conn, req) => {
	// ── Ping/pong liveness tracking ──────────────────────────────────────
	// Mark this connection as alive. The wsPingInterval periodically sets
	// alive=false then sends a ping; if no pong arrives before the next
	// cycle the connection is terminated.
	wsAliveMap.set(conn, true);
	conn.on('pong', () => {
		wsAliveMap.set(conn, true);
	});

	// ── Yjs WebSocket setup (Phase 11: auth + workspace isolation) ───────
	(async () => {
		try {
			const cookieHeader = String(req.headers.cookie || '');
			const session = getSessionFromRequest(req);
			if (!session || !session.userId || !session.workspaceId) {
				console.warn(
					'[ws] close unauthorized',
					JSON.stringify({
						hasCookie: cookieHeader.length > 0,
						userId: session && session.userId ? String(session.userId) : null,
						workspaceId: session && session.workspaceId ? String(session.workspaceId) : null,
						path: String(req.url || ''),
					})
				);
				conn.close(1008, 'unauthorized');
				return;
			}
			if (!prisma) {
				console.warn(
					'[ws] close server not ready',
					JSON.stringify({
						hasPrisma: false,
						hasPersistAdapter: Boolean(persistAdapter),
						userId: session.userId,
						workspaceId: session.workspaceId,
						path: String(req.url || ''),
					})
				);
				conn.close(1011, 'server not ready');
				return;
			}
			if (!persistAdapter) {
				console.warn(
					'[ws] persistence adapter unavailable; running relay-only for this connection',
					JSON.stringify({
						userId: session.userId,
						workspaceId: session.workspaceId,
						path: String(req.url || ''),
					})
				);
			}

			const requestUrl = new URL(req.url || '/', 'http://localhost');
			const clientSessionId = String(requestUrl.searchParams.get('sessionId') || '').trim();

			// Extract raw room from /yjs/<room>
			const raw = String(requestUrl.pathname || '/').replace(/^\/yjs\/?/, '').replace(/^\/+/, '');
			if (!raw) {
				console.warn('[ws] close invalid room', JSON.stringify({ path: String(req.url || '') }));
				conn.close(1008, 'invalid room');
				return;
			}

			// Verify workspace membership against a non-deleted workspace so stale
			// offline/session state cannot reattach to tombstoned workspaces.
			const member = await findLiveWorkspaceMembership(prisma, session.userId, session.workspaceId, { role: true });
			if (!member) {
				console.warn(
					'[ws] close forbidden',
					JSON.stringify({
						userId: session.userId,
						workspaceId: session.workspaceId,
						rawRoom: raw,
					})
				);
				conn.close(1008, 'forbidden');
				return;
			}
			let readOnly = !canEditWorkspaceContent(normalizeWorkspaceRole(member.role, 'VIEWER'));

			// Namespace the room so shared IDs like "__notes_registry__" don't collide
			// across workspaces.
			//
			// The client may already namespace the room ("<workspaceId>:<docId>") so
			// we must avoid double-prefixing ("<ws>:<ws>:<docId>").
			let docName = raw;
			const expectedPrefix = `${session.workspaceId}:`;
			const hasNamespace = raw.includes(':');
			if (hasNamespace) {
				if (!raw.startsWith(expectedPrefix)) {
					const foreignRoom = splitDocRoomId(raw);

					// A user legitimately has multiple browser tabs open on different
					// workspaces.  When they switch workspaces in one tab the JWT cookie
					// is updated to the newly-active workspace; the other tab's Yjs
					// providers reconnect carrying the new JWT but with the old workspace's
					// room prefix.  Allow the connection if the user is a member of the
					// room's workspace — membership is the correct security boundary, not
					// which workspace happens to be "active" in the session cookie.
					const foreignWorkspaceMember = foreignRoom
						? await findLiveWorkspaceMembership(prisma, session.userId, foreignRoom.sourceWorkspaceId, { role: true })
						: null;

					if (foreignWorkspaceMember) {
						// User is a member of the room's workspace — grant access with the
						// role they hold in that workspace.
						readOnly = !canEditWorkspaceContent(normalizeWorkspaceRole(foreignWorkspaceMember.role, 'VIEWER'));
					} else {
						// Not a member of the room's workspace — check whether this is a
						// note that was explicitly shared with this user (cross-workspace
						// collaboration).
						const foreignCollaborator = foreignRoom
							? await prisma.noteCollaborator.findFirst({
								where: {
									docId: raw,
									userId: session.userId,
									revokedAt: null,
								},
								select: { id: true, role: true },
							})
							: null;
						if (!foreignCollaborator) {
							console.warn(
								'[ws] close forbidden namespace',
								JSON.stringify({
									userId: session.userId,
									workspaceId: session.workspaceId,
									rawRoom: raw,
								})
							);
							conn.close(1008, 'forbidden');
							return;
						}
						readOnly = foreignCollaborator.role === 'VIEWER';
					}
				}
			} else {
				docName = `${session.workspaceId}:${raw}`;
			}
			const room = splitDocRoomId(docName);
			persistAdapter?.registerDocWorkspace(docName, room ? room.sourceWorkspaceId : session.workspaceId);
			if (clientSessionId) {
				registerRoomSession(docName, clientSessionId, {
					userId: session.userId,
					workspaceId: session.workspaceId,
				});
				conn.on('close', () => {
					unregisterRoomSession(docName, clientSessionId);
				});
			}
			logEvent('WS_EVENT', {
				...getRoomDebugContext(docName, {
					sessionId: clientSessionId || null,
					userId: session.userId,
				}),
				event: 'connection-open',
				readOnly,
			});

			// y-websocket expects req.url === '/<room>'
			req.url = `/${docName}`;
			setupRoleAwareWSConnection(conn, req, { gc: true, readOnly });
		} catch (err) {
			console.error('[ws] connection setup error:', err.message);
			try {
				conn.close(1011, 'internal error');
			} catch {
				// ignore
			}
		}
	})();
});

// ─────────────────────────────────────────────────────────────────────────────
// Graceful shutdown — flush all persisted docs before exit.
// ─────────────────────────────────────────────────────────────────────────────

/**
 * Performs a clean shutdown: flushes all active Yjs docs to PostgreSQL,
 * disconnects Redis, closes the Prisma client, and stops the HTTP server.
 *
 * @param {string} signal — The signal that triggered the shutdown (e.g. "SIGTERM").
 */
async function gracefulShutdown(signal) {
	console.info(`[server] ${signal} received — starting graceful shutdown...`);

	// 1. Stop the trash cleanup scheduler (no more periodic cycles).
	if (trashCleanup) {
		try {
			trashCleanup.stop();
		} catch (err) {
			console.error('[server] Error stopping trash cleanup:', err.message);
		}
	}

	if (workspaceCleanup) {
		try {
			workspaceCleanup.stop();
		} catch (err) {
			console.error('[server] Error stopping workspace cleanup:', err.message);
		}
	}

	// 2. Flush all active docs to PostgreSQL.
	if (persistAdapter) {
		try {
			await persistAdapter.destroy();
			console.info('[server] Persistence adapter flushed and destroyed');
		} catch (err) {
			console.error('[server] Error flushing persistence adapter:', err.message);
		}
	}

	// 3. Disconnect Prisma client.
	if (prisma) {
		try {
			await prisma.$disconnect();
			console.info('[server] Prisma client disconnected');
		} catch (err) {
			console.error('[server] Error disconnecting Prisma:', err.message);
		}
	}

	try {
		await unsubscribeWorkspaceMetadataEvents();
	} catch (err) {
		console.error('[server] Error unsubscribing workspace metadata events:', err.message);
	}

	if (redisSubscriber) {
		try {
			redisSubscriber.disconnect();
			console.info('[server] Redis subscriber disconnected');
		} catch (err) {
			console.error('[server] Error disconnecting Redis subscriber:', err.message);
		}
	}

	// 4. Close the HTTP + WebSocket server.
	try {
		// Terminate all active WebSocket connections so server.close() doesn't
		// hang waiting for long-lived WS connections to drain naturally.
		for (const client of wss.clients) {
			client.terminate();
		}
		for (const client of metadataWss.clients) {
			client.terminate();
		}
		wss.close();
		metadataWss.close();
		// Force-close any remaining HTTP keep-alive connections (Node 18.2+).
		if (typeof server.closeAllConnections === 'function') {
			server.closeAllConnections();
		}
		server.close(() => {
			console.info('[server] HTTP server closed');
			process.exit(0);
		});
	} catch {
		process.exit(1);
	}

	// Safety net: force exit after 10 seconds if graceful shutdown stalls.
	setTimeout(() => {
		console.error('[server] Forced exit after timeout');
		process.exit(1);
	}, 10000).unref();
}

process.on('SIGTERM', () => gracefulShutdown('SIGTERM'));
process.on('SIGINT', () => gracefulShutdown('SIGINT'));

// ── Safety net: prevent unhandled rejections from crashing the process ────
// Redis (and other async subsystems) can produce promise rejections that
// escape all try/catch guards during edge-case timing scenarios. Since Redis
// is a non-critical cache layer, these should never bring down the server.
process.on('unhandledRejection', (reason) => {
	console.error('[server] Unhandled promise rejection (server continues):', reason);
});

// ── Safety net: prevent uncaught synchronous exceptions from crashing ────
// Any throw that escapes all try/catch guards would otherwise terminate the
// process with exit code 1. Log it and keep running.
process.on('uncaughtException', (err) => {
	console.error('[server] Uncaught exception (server continues):', err);
});

// ─────────────────────────────────────────────────────────────────────────────
// Start listening
// ─────────────────────────────────────────────────────────────────────────────

// ─────────────────────────────────────────────────────────────────────────────
// Async boot sequence:
//   1. If DATABASE_URL is set → ensure the database exists & schema is current.
//   2. Initialize the default workspace so it's ready before any client connects.
//   3. Start listening for HTTP / WebSocket connections.
//
// All database work happens BEFORE the server starts accepting traffic. This
// guarantees that the first client connection has a fully-provisioned backend.
// ─────────────────────────────────────────────────────────────────────────────

(async function boot() {
	// ── Step 1: Automatic database provisioning ─────────────────────────
	// Creates the database if it doesn't exist and syncs the Prisma schema
	// without data loss. Safe to run on every startup (idempotent).
	if (DATABASE_URL.length > 0) {
		try {
			const { ensureDatabase } = require('./server/dbInit');
			await ensureDatabase(DATABASE_URL);
		} catch (err) {
			console.error('[server] Database initialization failed:', err.message);
			console.error('[server] Startup requires a valid, migrated database. Exiting.');
			process.exit(1);
		}

		// ── Set PostgreSQL session timezone ───────────────────────────
		// Must happen after ensureDatabase (schema may not exist yet) and
		// before any Prisma queries that return timestamps. The SET command
		// applies to the current connection and affects all subsequent
		// timestamptz → text conversions in query results.
		if (prisma && PGTIMEZONE.length > 0) {
			try {
				await prisma.$executeRawUnsafe(`SET timezone = '${PGTIMEZONE.replace(/'/g, "''")}';`);
				console.info(`[server] PostgreSQL session timezone set to: ${PGTIMEZONE}`);
			} catch (err) {
				console.warn('[server] Failed to set PostgreSQL timezone:', err.message);
				console.warn('[server] Timestamps will be returned in UTC.');
			}
		}
	}

	// ── Step 2: Eagerly resolve the default workspace ───────────────────
	// The workspace row is needed before any Yjs doc can be persisted.
	// We do this after schema sync so the workspace table is guaranteed to exist.
	if (persistAdapter) {
		try {
			await persistAdapter._ensureWorkspace();
			console.info('[server] Default workspace initialized');
		} catch (err) {
			console.error('[server] WARNING: workspace initialization failed:', err.message);
			console.error('[server] PostgreSQL may not be reachable. Persistence writes will fail until resolved.');
		}
	}

	// ── Step 3: Start the trash cleanup scheduler ──────────────────────
	// Automatically deletes notes where trashed=true and trashedAt is older
	// than the user's deleteAfterDays preference. Runs periodically in the
	// background. Must start after workspace initialization so the adapter
	// has a valid workspace ID.
	if (persistAdapter && prisma) {
		try {
			const { createTrashCleanup } = require('./server/trashCleanup');
			trashCleanup = createTrashCleanup({
				prisma,
				adapter: persistAdapter,
				redis: redis || null,
				// Default: run every 60 minutes. Can be overridden via env var.
				intervalMs: Number(process.env.TRASH_CLEANUP_INTERVAL_MS) || 60 * 60 * 1000,
			});
			console.info('[server] Trash cleanup scheduler initialized');
		} catch (err) {
			console.error('[server] Failed to initialize trash cleanup:', err.message);
		}
	}

	// ── Step 4: Start the workspace cleanup scheduler ──────────────────
	// Soft-deleted workspaces are hard-deleted only after a grace period so
	// active websocket/Yjs sessions have time to disconnect naturally.
	if (prisma) {
		try {
			const { createWorkspaceCleanup } = require('./server/workspaceCleanup');
			workspaceCleanup = createWorkspaceCleanup({
				prisma,
				intervalMs: Number(process.env.WORKSPACE_CLEANUP_INTERVAL_MS) || 60 * 60 * 1000,
				gracePeriodMs: Number(process.env.WORKSPACE_CLEANUP_GRACE_MS) || 24 * 60 * 60 * 1000,
			});
			console.info('[server] Workspace cleanup scheduler initialized');
		} catch (err) {
			console.error('[server] Failed to initialize workspace cleanup:', err.message);
		}
	}

	if (redisSubscriber) {
		try {
			unsubscribeWorkspaceMetadataEvents = await subscribeToWorkspaceMetadataEvents(redisSubscriber, (event) => {
				if (event.origin && event.origin === SERVER_INSTANCE_ID) return;
				broadcastWorkspaceMetadataChanged(event);
			});
			console.info('[server] Workspace metadata Redis subscription initialized');
		} catch (err) {
			console.error('[server] Failed to subscribe to workspace metadata events:', err.message);
		}
	}

	// ── Step 4: Start the HTTP + WebSocket server ──────────────────────
	server.listen(PORT, HOST, () => {
		const publicBaseUrl = normalizedAppUrl();
		console.log(`[server] listening on ${HOST}:${PORT}`);
		console.log(`[server] http ${publicBaseUrl}`);
		console.log(`[server] yjs websocket ${wsUrlFromAppUrl(publicBaseUrl)}`);

		// ── Persistence status log ────────────────────────────────────
		if (persistAdapter) {
			console.log('[server] persistence: PostgreSQL (Prisma)');
			if (redis) {
				console.log('[server] cache: Redis');
			}
		} else if (YPERSISTENCE.length > 0) {
			console.log(`[server] persistence: LevelDB at ${YPERSISTENCE}`);
		} else {
			console.log('[server] persistence: NONE (relay-only)');
		}
	});
})().catch((err) => {
	// Catch-all for unexpected boot errors. Log and exit with non-zero code
	// so Docker/systemd can detect the failure and restart.
	console.error('[server] Fatal boot error:', err);
	process.exit(1);
});