fix: use Convex for desktop auth relay and add terms/privacy pages

Replace in-memory Map in /api/auth/desktop-relay with Convex
desktopAuthCodes table — the Map didn't work on Vercel serverless
since each request can hit a different instance. Add missing /terms
and /privacy pages linked from the login page.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Author: thedaviddias

apps/web/app/api/auth/desktop-relay/route.ts

@@ -1,18 +1,7 @@
+import { api } from '@/lib/convex-api'
+import { fetchMutation } from 'convex/nextjs'
 import { type NextRequest, NextResponse } from 'next/server'
 
-const CODE_TTL_MS = 5 * 60 * 1000 // 5 minutes
-
-const store = new Map<string, { code: string; createdAt: number }>()
-
-function cleanExpired() {
-  const now = Date.now()
-  for (const [key, entry] of store) {
-    if (now - entry.createdAt > CODE_TTL_MS) {
-      store.delete(key)
-    }
-  }
-}
-
 /**
  * POST /api/auth/desktop-relay
  * Stores an OAuth auth code for a desktop session.
@@ -26,8 +15,7 @@ export async function POST(request: NextRequest) {
     return NextResponse.json({ error: 'Missing session or code' }, { status: 400 })
   }
 
-  cleanExpired()
-  store.set(session, { code, createdAt: Date.now() })
+  await fetchMutation(api.desktopAuthCodes.store, { session, code })
 
   return NextResponse.json({ ok: true })
 }
@@ -44,13 +32,11 @@ export async function GET(request: NextRequest) {
     return NextResponse.json({ error: 'Missing session' }, { status: 400 })
   }
 
-  cleanExpired()
-  const entry = store.get(session)
+  const result = await fetchMutation(api.desktopAuthCodes.consume, { session })
 
-  if (!entry) {
+  if (!result) {
     return NextResponse.json({ code: null }, { status: 404 })
   }
 
-  store.delete(session)
-  return NextResponse.json({ code: entry.code })
+  return NextResponse.json({ code: result.code })
 }

apps/web/app/privacy/page.tsx

@@ -0,0 +1,136 @@
+import { Breadcrumb } from '@/components/layout/breadcrumb'
+import { PageContainer } from '@/components/layout/page-container'
+import { BreadcrumbSchema } from '@/components/seo/json-ld'
+import { ROUTES } from '@/lib/routes'
+import { createMetadata } from '@/lib/seo'
+import Link from 'next/link'
+
+export const metadata = createMetadata({
+  title: 'Privacy Policy',
+  description: 'Privacy Policy for souls.directory — how we handle your data.',
+  path: '/privacy',
+  noSuffix: true,
+})
+
+export default function PrivacyPage() {
+  return (
+    <>
+      <BreadcrumbSchema items={[{ name: 'Privacy Policy', url: '/privacy' }]} />
+      <main className="min-h-screen">
+        <PageContainer paddingY="hero">
+          <Breadcrumb items={[{ name: 'Privacy Policy' }]} className="mb-8" />
+
+          <header className="text-center mb-16">
+            <h1 className="text-2xl md:text-3xl font-medium text-text mb-4">Privacy Policy</h1>
+            <p className="text-sm text-text-secondary">Last updated: March 16, 2026</p>
+          </header>
+
+          <article className="max-w-2xl mx-auto space-y-10 text-sm text-text-secondary leading-relaxed">
+            <section>
+              <h2 className="text-lg font-medium text-text mb-3">What we collect</h2>
+              <div className="space-y-4">
+                <div>
+                  <h3 className="text-sm font-medium text-text mb-1">Without an account</h3>
+                  <p>
+                    Privacy-friendly analytics (page views, referrers, browser/OS) via OpenPanel. No
+                    personal data is collected. No cookies are used for tracking.
+                  </p>
+                </div>
+                <div>
+                  <h3 className="text-sm font-medium text-text mb-1">With a GitHub account</h3>
+                  <ul className="list-disc list-inside space-y-1">
+                    <li>GitHub username, email, and avatar (from GitHub OAuth)</li>
+                    <li>Souls you create, star, or comment on</li>
+                    <li>Profile information you choose to add (bio, website, social handles)</li>
+                  </ul>
+                </div>
+              </div>
+            </section>
+
+            <section>
+              <h2 className="text-lg font-medium text-text mb-3">How we use it</h2>
+              <ul className="list-disc list-inside space-y-2">
+                <li>To provide the service (display your souls, profile, and activity)</li>
+                <li>To understand how the site is used and improve it</li>
+                <li>To prevent abuse and enforce our terms</li>
+              </ul>
+            </section>
+
+            <section>
+              <h2 className="text-lg font-medium text-text mb-3">What we don&apos;t do</h2>
+              <ul className="list-disc list-inside space-y-2">
+                <li>We don&apos;t sell or share your data with third parties</li>
+                <li>We don&apos;t use your data for advertising</li>
+                <li>We don&apos;t track you across other websites</li>
+              </ul>
+            </section>
+
+            <section>
+              <h2 className="text-lg font-medium text-text mb-3">Where data is stored</h2>
+              <p>
+                Data is stored in Convex (database) and Vercel (hosting). Both are US-based
+                services. Analytics are processed by OpenPanel.
+              </p>
+            </section>
+
+            <section>
+              <h2 className="text-lg font-medium text-text mb-3">Data retention</h2>
+              <p>
+                Your data is kept as long as your account is active. You can delete your account and
+                associated data by contacting us on GitHub.
+              </p>
+            </section>
+
+            <section>
+              <h2 className="text-lg font-medium text-text mb-3">Third-party services</h2>
+              <ul className="list-disc list-inside space-y-2">
+                <li>
+                  <strong className="text-text">GitHub</strong> &mdash; authentication (OAuth)
+                </li>
+                <li>
+                  <strong className="text-text">Convex</strong> &mdash; database and backend
+                </li>
+                <li>
+                  <strong className="text-text">Vercel</strong> &mdash; hosting and deployment
+                </li>
+                <li>
+                  <strong className="text-text">OpenPanel</strong> &mdash; privacy-friendly
+                  analytics
+                </li>
+                <li>
+                  <strong className="text-text">Sentry</strong> &mdash; error monitoring
+                </li>
+              </ul>
+            </section>
+
+            <section>
+              <h2 className="text-lg font-medium text-text mb-3">Changes</h2>
+              <p>
+                We may update this policy. Significant changes will be noted with an updated date.
+              </p>
+            </section>
+
+            <section className="pt-6 border-t border-border">
+              <p>
+                Questions? Reach out on{' '}
+                <a
+                  href="https://github.com/thedaviddias/souls-directory"
+                  target="_blank"
+                  rel="noopener noreferrer"
+                  className="text-text hover:underline"
+                >
+                  GitHub
+                </a>
+                . See also our{' '}
+                <Link href={ROUTES.terms} className="text-text hover:underline">
+                  Terms of Service
+                </Link>
+                .
+              </p>
+            </section>
+          </article>
+        </PageContainer>
+      </main>
+    </>
+  )
+}

apps/web/app/terms/page.tsx

@@ -0,0 +1,123 @@
+import { Breadcrumb } from '@/components/layout/breadcrumb'
+import { PageContainer } from '@/components/layout/page-container'
+import { BreadcrumbSchema } from '@/components/seo/json-ld'
+import { ROUTES } from '@/lib/routes'
+import { createMetadata } from '@/lib/seo'
+import Link from 'next/link'
+
+export const metadata = createMetadata({
+  title: 'Terms of Service',
+  description: 'Terms of Service for souls.directory — rules for using the platform.',
+  path: '/terms',
+  noSuffix: true,
+})
+
+export default function TermsPage() {
+  return (
+    <>
+      <BreadcrumbSchema items={[{ name: 'Terms of Service', url: '/terms' }]} />
+      <main className="min-h-screen">
+        <PageContainer paddingY="hero">
+          <Breadcrumb items={[{ name: 'Terms of Service' }]} className="mb-8" />
+
+          <header className="text-center mb-16">
+            <h1 className="text-2xl md:text-3xl font-medium text-text mb-4">Terms of Service</h1>
+            <p className="text-sm text-text-secondary">Last updated: March 16, 2026</p>
+          </header>
+
+          <article className="max-w-2xl mx-auto space-y-10 text-sm text-text-secondary leading-relaxed">
+            <section>
+              <h2 className="text-lg font-medium text-text mb-3">1. Acceptance</h2>
+              <p>
+                By using souls.directory you agree to these terms. If you don&apos;t agree, please
+                don&apos;t use the site.
+              </p>
+            </section>
+
+            <section>
+              <h2 className="text-lg font-medium text-text mb-3">2. What the service is</h2>
+              <p>
+                souls.directory is a community directory for browsing, uploading, and sharing
+                SOUL.md personality templates. We are not affiliated with OpenClaw.
+              </p>
+            </section>
+
+            <section>
+              <h2 className="text-lg font-medium text-text mb-3">3. Accounts</h2>
+              <p>
+                You sign in with GitHub OAuth. You&apos;re responsible for your account activity. We
+                may suspend or remove accounts that violate these terms.
+              </p>
+            </section>
+
+            <section>
+              <h2 className="text-lg font-medium text-text mb-3">4. Content you submit</h2>
+              <ul className="list-disc list-inside space-y-2">
+                <li>
+                  Souls you publish are licensed under{' '}
+                  <strong className="text-text">MIT License</strong> and credited to you.
+                </li>
+                <li>You must have the right to share any content you upload.</li>
+                <li>
+                  Don&apos;t submit content that is illegal, harmful, harassing, or infringes on
+                  others&apos; rights.
+                </li>
+              </ul>
+            </section>
+
+            <section>
+              <h2 className="text-lg font-medium text-text mb-3">5. Moderation</h2>
+              <p>
+                We reserve the right to remove content or accounts that violate these terms, at our
+                discretion and without notice.
+              </p>
+            </section>
+
+            <section>
+              <h2 className="text-lg font-medium text-text mb-3">6. No warranty</h2>
+              <p>
+                The service is provided &quot;as is&quot; without warranties of any kind. We
+                don&apos;t guarantee uptime, accuracy, or fitness for any purpose.
+              </p>
+            </section>
+
+            <section>
+              <h2 className="text-lg font-medium text-text mb-3">7. Limitation of liability</h2>
+              <p>
+                To the maximum extent permitted by law, souls.directory and its maintainers are not
+                liable for any damages arising from your use of the service.
+              </p>
+            </section>
+
+            <section>
+              <h2 className="text-lg font-medium text-text mb-3">8. Changes</h2>
+              <p>
+                We may update these terms. Continued use after changes means you accept the new
+                terms.
+              </p>
+            </section>
+
+            <section className="pt-6 border-t border-border">
+              <p>
+                Questions? Reach out on{' '}
+                <a
+                  href="https://github.com/thedaviddias/souls-directory"
+                  target="_blank"
+                  rel="noopener noreferrer"
+                  className="text-text hover:underline"
+                >
+                  GitHub
+                </a>
+                . See also our{' '}
+                <Link href={ROUTES.privacy} className="text-text hover:underline">
+                  Privacy Policy
+                </Link>
+                .
+              </p>
+            </section>
+          </article>
+        </PageContainer>
+      </main>
+    </>
+  )
+}

apps/web/components/auth/desktop-auth-relay.tsx

@@ -93,9 +93,7 @@ export function DesktopAuthRelay() {
         <p className="text-lg font-medium text-text">Returning to Soul Studio...</p>
 
         {!showFallback ? (
-          <p className="text-sm text-text-secondary">
-            Opening the desktop app...
-          </p>
+          <p className="text-sm text-text-secondary">Opening the desktop app...</p>
         ) : (
           <div className="space-y-3">
             <p className="text-sm text-text-secondary">

apps/web/convex/_generated/api.d.ts

@@ -14,6 +14,7 @@ import type * as collections from "../collections.js";
 import type * as comments from "../comments.js";
 import type * as crons from "../crons.js";
 import type * as debug from "../debug.js";
+import type * as desktopAuthCodes from "../desktopAuthCodes.js";
 import type * as http from "../http.js";
 import type * as lib_access from "../lib/access.js";
 import type * as lib_sanitizeSoulContent from "../lib/sanitizeSoulContent.js";
@@ -42,6 +43,7 @@ declare const fullApi: ApiFromModules<{
   comments: typeof comments;
   crons: typeof crons;
   debug: typeof debug;
+  desktopAuthCodes: typeof desktopAuthCodes;
   http: typeof http;
   "lib/access": typeof lib_access;
   "lib/sanitizeSoulContent": typeof lib_sanitizeSoulContent;

apps/web/convex/desktopAuthCodes.ts

@@ -0,0 +1,57 @@
+import { v } from 'convex/values'
+import { mutation } from './_generated/server'
+
+const CODE_TTL_MS = 5 * 60 * 1000 // 5 minutes
+
+/**
+ * Store an OAuth auth code for a desktop session.
+ * Replaces any existing entry for the same session (handles retries).
+ */
+export const store = mutation({
+  args: {
+    session: v.string(),
+    code: v.string(),
+  },
+  handler: async (ctx, args) => {
+    const existing = await ctx.db
+      .query('desktopAuthCodes')
+      .withIndex('by_session', (q) => q.eq('session', args.session))
+      .first()
+    if (existing) {
+      await ctx.db.delete(existing._id)
+    }
+    await ctx.db.insert('desktopAuthCodes', {
+      session: args.session,
+      code: args.code,
+      createdAt: Date.now(),
+    })
+  },
+})
+
+/**
+ * Retrieve and delete the stored auth code (one-time retrieval).
+ * Returns null if not found or expired.
+ */
+export const consume = mutation({
+  args: {
+    session: v.string(),
+  },
+  handler: async (ctx, args) => {
+    const entry = await ctx.db
+      .query('desktopAuthCodes')
+      .withIndex('by_session', (q) => q.eq('session', args.session))
+      .first()
+
+    if (!entry) return null
+
+    // Check TTL
+    if (Date.now() - entry.createdAt > CODE_TTL_MS) {
+      await ctx.db.delete(entry._id)
+      return null
+    }
+
+    // One-time retrieval: delete after reading
+    await ctx.db.delete(entry._id)
+    return { code: entry.code }
+  },
+})