Replace SSE with WebSocket (Bun.serve), JWT auth, remove env-based admin

[Copilot]

Migrate real-time transport from SSE to WebSocket, switch to Bun runtime, replace session-token auth with JWT, and move admin user management fully into the database.

WebSocket via Bun.serve()

• server.ts — single entry point: Next.js HTTP on :3000, Bun.serve() WebSocket on :3001
• store.ts notifySubscribers() broadcasts to globalThis.__wsClients shared between Next.js and the WS server in-process
• Client reconnects with exponential backoff (1s → 30s cap)
• Deleted SSE endpoint (/api/messages/stream)

JWT authentication

• src/lib/jwt.ts — HMAC-SHA256 sign/verify with timing-safe comparison
• auth.ts verifies JWT from cookie directly — no DB session lookup
• loginUser() returns a signed JWT; getUserBySession()/logoutSession() removed
• JWT_SECRET required in production, dev fallback provided

Admin stored in DB, not env

• Removed ADMIN_USERNAME / ADMIN_PASSWORD_HASH_SHA256 env seeding from db.ts
• First registered user is auto-promoted to admin + approved

Bun runtime

• Scripts: bun server.ts (dev/start), bun next build
• Kept better-sqlite3 (bun:sqlite incompatible with Next.js build workers)

CSS transitions removed

• Stripped all transition-* Tailwind classes and inline style.transition assignments across all components

// server.ts — Bun.serve WebSocket with JWT auth
Bun.serve<WsData>({
  port: WS_PORT,
  fetch(req, server) {
    const cookies = parseCookies(req.headers.get("cookie") || "");
    const payload = verifyJwt(cookies[SESSION_COOKIE]);
    if (!payload || payload.status !== "approved") {
      return new Response("Unauthorized", { status: 401 });
    }
    if (server.upgrade(req, { data: { username: payload.sub } })) {
      return undefined;
    }
    return new Response("WebSocket upgrade failed", { status: 426 });
  },
  websocket: {
    open(ws)  { globalThis.__wsClients.add(ws); },
    close(ws) { globalThis.__wsClients.delete(ws); },
    message() {},
  },
});

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

• https://api.github.com/graphql
  • Triggering command: /usr/bin/gh gh auth status r (http block)
• https://api.github.com/user
  • Triggering command: /usr/bin/gh gh api user -main/dist/ripgrep/bin/linux-x64/rg (http block)

If you need me to access, download, or install something from one of these locations, you can either:

• Configure Actions setup steps to set up my environment, which run before the firewall is enabled
• Add the appropriate URLs or hosts to the custom allowlist in this repository's Copilot coding agent settings (admins only)

---

✨ Let Copilot coding agent set things up for you — coding agent works faster and does higher quality work when set up for your repo.