ef30baf52a
All checks were successful
Deploy to Production / deploy (push) Successful in 57s
Legal (Swiss minimum, no individual named): - Impressum page (UWG Art. 3 lit. s) — provider, contact via support panel, no email required, jurisdiction = Switzerland - AGB page — subscription terms, payment, cancellation, suspension on payment fail, 14-day money-back, AI-processing-per-tier disclosure, Swiss law + Swiss venue, modeled after typical Schweizer SaaS terms - Privacy: Stripe added as subprocessor with full data-flow disclosure Support panel replaces email contact entirely: - @bmm/db: support_status enum + support_tickets + support_messages tables, migration applied to prod DB - @bmm/api: support routes (user create/list/view/reply, admin list/view/reply /set-status), public /v1/contact for logged-out visitors with per-IP rate limit of 3 submissions/day to prevent spam-flood - Web: /settings/support (list + new), /settings/support/[id] (conversation), /admin/support, /admin/support/[id] - Public /contact form with email collection for guest tickets Data rights (DSG Art. 25 / GDPR Art. 15+20): - /v1/account/export returns user-scoped JSON of profile, org, servers, builds, audit, support tickets and messages — excludes hashes, encrypted secrets, other-user data - /settings/account: download button + deletion-via-ticket workflow Production-readiness gaps closed: - org.suspended now blocks /v1/servers POST and /v1/servers/preview (402); webhook flagged this state but enforcement was missing - Cookie banner: minimal, essential-cookies-only disclosure (Swiss DSG + GDPR compliant without dark-pattern consent UI), mounts on both layouts Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
81 lines
3.3 KiB
TypeScript
81 lines
3.3 KiB
TypeScript
'use client';
|
|
|
|
import { Button } from '@/components/ui/button';
|
|
import { apiUrl } from '@/lib/api';
|
|
import Link from 'next/link';
|
|
import { useState } from 'react';
|
|
|
|
export default function AccountPage() {
|
|
const [downloading, setDownloading] = useState(false);
|
|
|
|
async function downloadExport() {
|
|
setDownloading(true);
|
|
try {
|
|
// Trigger a same-origin attachment download. The cookie ships with the
|
|
// request because we're same-credentials with the API origin via CORS.
|
|
window.location.href = apiUrl('/v1/account/export');
|
|
} finally {
|
|
setTimeout(() => setDownloading(false), 1500);
|
|
}
|
|
}
|
|
|
|
return (
|
|
<div className="mx-auto max-w-3xl px-6 py-10">
|
|
<h1 className="text-[22px] font-semibold tracking-tight">Account</h1>
|
|
<p className="mt-1 text-[13px] text-[--color-fg-muted]">
|
|
Your data, your rights. Swiss DSG Art. 25 / GDPR Art. 15 + 20.
|
|
</p>
|
|
|
|
<div className="mt-8 space-y-4">
|
|
<section className="panel p-5">
|
|
<h2 className="text-[14px] font-semibold tracking-tight">Download your data</h2>
|
|
<p className="mt-2 text-[12.5px] leading-relaxed text-[--color-fg-muted]">
|
|
One JSON file with everything we hold for your account: profile, organization, MCP
|
|
servers, build history (last 1000 entries), audit log (last 1000 events) and your
|
|
support-ticket history. Excludes password hashes, encrypted secrets and other
|
|
users' data.
|
|
</p>
|
|
<div className="mt-4">
|
|
<Button variant="primary" size="md" onClick={downloadExport} disabled={downloading}>
|
|
{downloading ? 'Preparing…' : 'Download .json'}
|
|
</Button>
|
|
</div>
|
|
</section>
|
|
|
|
<section className="panel p-5">
|
|
<h2 className="text-[14px] font-semibold tracking-tight">Delete account</h2>
|
|
<p className="mt-2 text-[12.5px] leading-relaxed text-[--color-fg-muted]">
|
|
We don't do one-click account deletion yet — too easy to fat-finger and lose
|
|
paid-tier server configs. Open a ticket and we'll wipe everything within 30
|
|
days (servers, secrets, audit, tickets) per Swiss DSG Art. 32 / GDPR Art. 17.
|
|
</p>
|
|
<div className="mt-4">
|
|
<Link href="/settings/support">
|
|
<Button variant="secondary" size="md">
|
|
Open deletion ticket
|
|
</Button>
|
|
</Link>
|
|
</div>
|
|
</section>
|
|
|
|
<section className="panel p-5">
|
|
<h2 className="text-[14px] font-semibold tracking-tight">Cookies on this site</h2>
|
|
<p className="mt-2 text-[12.5px] leading-relaxed text-[--color-fg-muted]">
|
|
We use only strictly-necessary cookies: a session cookie (
|
|
<span className="mono">bmm_session</span>, httpOnly, 30 days) and a short-lived
|
|
OAuth-CSRF state cookie (<span className="mono">bmm_oauth_state</span>, 10 minutes
|
|
during a third-party login flow). No analytics, no tracking, no third-party cookies on
|
|
this domain.
|
|
</p>
|
|
</section>
|
|
</div>
|
|
|
|
<div className="mt-10 text-[12px] text-[--color-fg-subtle]">
|
|
<Link href="/privacy" className="hover:text-[--color-fg]">
|
|
← Privacy policy
|
|
</Link>
|
|
</div>
|
|
</div>
|
|
);
|
|
}
|