Source Of Truth
src/app/api/v1/**is the public backend surface for web, mobile, desktop, and extension clients.src/server/app-api/v1/**holds the route orchestration behind those Next route wrappers.src/server/**holds server-only auth, billing, storage, AI, tools, route services, and provider adapters.src/shared/**holds isomorphic contracts and client-safe helpers.src/features/**holds web feature containers and feature-local helpers.convex/**owns durable app state, domain mutations, scheduled work, and Stripe webhook handling.packages/overlay-app-core/**holds shared cross-surface contracts and UI settings types.packages/overlay-api-client/**holds typed transport wrappers for/api/v1/**.
Auth
- Browser auth uses the signed httpOnly
overlay_sessioncookie. - Native/mobile/desktop auth uses supported bearer access tokens against the same
/api/v1/*backend. - Internal server-to-server calls use short-lived service auth from
src/server/auth/service-auth.ts. - Shared route authentication flows through the API boundary helpers in
src/server/auth/app-api-auth.ts.
/api/v1/* route should reject requests that lack a valid browser session, mobile bearer token, or service auth token.
App Bootstrap
GET /api/v1/bootstrap is the canonical signed-in startup call. It returns user info, entitlements, UI settings, model catalogs, feature flags, navigation destinations, and defaults.
New clients should start from this route and reuse existing API contracts before adding client-specific endpoints.
Billing
Stripe is the hosted billing provider for subscriptions, top-ups, auto top-up preferences, customer portal sessions, and webhook events. Private deployments can disable billing with runtime config. Convex is the durable entitlement/usage source of truth after webhook processing. Important code:src/shared/billing/billing-pricing.tssrc/server/billing/billing-runtime.tssrc/server/billing/stripe-billing.tssrc/server/billing/BillingCustomerService.tssrc/server/billing/BillingCheckoutService.tssrc/server/billing/providers/stripe-billing-provider.tsconvex/billing/subscriptions.tsconvex/platform/usage.tsconvex/billing/stripe.tsconvex/billing/stripeSync.ts
Storage
Uploaded files and generated assets are stored through server-mediated flows. R2 and S3-compatible object access must remain private and owner-scoped; users should only receive short-lived, validated access.Convex
Development commonly uses a separate dev deployment from production. After editingconvex/, push both deployments:
.env.local to production Convex deploy commands; that can point deploys at the dev slug.