chore: remove abbey-wood helm chart (#5464)

![CleanShot 2023-12-28 at 18.17.50@2x.png](https://graphite-user-uploaded-assets-prod.s3.amazonaws.com/T2klNLEk0wxLh4NRDzhk/43733a5b-d1b4-40d5-b9d4-f86896cc0598.png)

.eslintignore

@@ -11,6 +11,4 @@ e2e-dist-*
 static
 web-static
 public
-packages/common/sdk/src/*.d.ts
-packages/common/sdk/src/*.js
 packages/frontend/i18n/src/i18n-generated.ts

.eslintrc.js

@@ -69,10 +69,8 @@ const allPackages = [
   'packages/common/debug',
   'packages/common/env',
   'packages/common/infra',
-  'packages/common/sdk',
   'packages/common/theme',
   'packages/common/y-indexeddb',
-  'packages/plugins/copilot',
   'tools/cli',
   'tests/storybook',
 ];

.github/actions/deploy/deploy.mjs

@@ -28,6 +28,7 @@ const {
   REDIS_PASSWORD,
   STRIPE_API_KEY,
   STRIPE_WEBHOOK_KEY,
+  STATIC_IP_NAME,
 } = process.env;
 
 // eslint-disable-next-line @typescript-eslint/no-non-null-assertion
@@ -35,17 +36,13 @@ const buildType = BUILD_TYPE || 'canary';
 
 const isProduction = buildType === 'stable';
 const isBeta = buildType === 'beta';
+const isInternal = buildType === 'internal';
 
 const createHelmCommand = ({ isDryRun }) => {
   const flag = isDryRun ? '--dry-run' : '--atomic';
   const imageTag = `${buildType}-${GIT_SHORT_HASH}`;
-  const staticIpName = isProduction
-    ? 'affine-cluster-production'
-    : isBeta
-      ? 'affine-cluster-beta'
-      : 'affine-cluster-dev';
   const redisAndPostgres =
-    isProduction || isBeta
+    isProduction || isBeta || isInternal
       ? [
           `--set-string global.database.url=${DATABASE_URL}`,
           `--set-string global.database.user=${DATABASE_USERNAME}`,
@@ -59,26 +56,32 @@ const createHelmCommand = ({ isDryRun }) => {
         ]
       : [];
   const serviceAnnotations =
-    isProduction || isBeta
+    isProduction || isBeta || isInternal
       ? [
           `--set-json   web.service.annotations=\"{ \\"cloud.google.com/neg\\": \\"{\\\\\\"ingress\\\\\\": true}\\" }\"`,
-          `--set-json   graphql.serviceAccount.annotations=\"{ \\"iam.gke.io/gcp-service-account\\": \\"${CLOUD_SQL_IAM_ACCOUNT}\\" }\"`,
           `--set-json   graphql.service.annotations=\"{ \\"cloud.google.com/neg\\": \\"{\\\\\\"ingress\\\\\\": true}\\" }\"`,
-          `--set-json   sync.serviceAccount.annotations=\"{ \\"iam.gke.io/gcp-service-account\\": \\"${CLOUD_SQL_IAM_ACCOUNT}\\" }\"`,
           `--set-json   sync.service.annotations=\"{ \\"cloud.google.com/neg\\": \\"{\\\\\\"ingress\\\\\\": true}\\" }\"`,
+          `--set-json   cloud-sql-proxy.serviceAccount.annotations=\"{ \\"iam.gke.io/gcp-service-account\\": \\"${CLOUD_SQL_IAM_ACCOUNT}\\" }\"`,
+          `--set-json   cloud-sql-proxy.nodeSelector=\"{ \\"iam.gke.io/gke-metadata-server-enabled\\": \\"true\\" }\"`,
         ]
       : [];
   const webReplicaCount = isProduction ? 3 : isBeta ? 2 : 2;
   const graphqlReplicaCount = isProduction ? 10 : isBeta ? 5 : 2;
   const syncReplicaCount = isProduction ? 10 : isBeta ? 5 : 2;
-  const namespace = isProduction ? 'production' : isBeta ? 'beta' : 'dev';
+  const namespace = isProduction
+    ? 'production'
+    : isBeta
+      ? 'beta'
+      : isInternal
+        ? 'internal'
+        : 'dev';
   // eslint-disable-next-line @typescript-eslint/no-non-null-assertion
   const host = DEPLOY_HOST || CANARY_DEPLOY_HOST;
   const deployCommand = [
     `helm upgrade --install affine .github/helm/affine`,
     `--namespace  ${namespace}`,
     `--set        global.ingress.enabled=true`,
-    `--set-json   global.ingress.annotations=\"{ \\"kubernetes.io/ingress.class\\": \\"gce\\", \\"kubernetes.io/ingress.allow-http\\": \\"true\\", \\"kubernetes.io/ingress.global-static-ip-name\\": \\"${staticIpName}\\" }\"`,
+    `--set-json   global.ingress.annotations=\"{ \\"kubernetes.io/ingress.class\\": \\"gce\\", \\"kubernetes.io/ingress.allow-http\\": \\"true\\", \\"kubernetes.io/ingress.global-static-ip-name\\": \\"${STATIC_IP_NAME}\\" }\"`,
     `--set-string global.ingress.host="${host}"`,
     `--set-string global.version="${APP_VERSION}"`,
     ...redisAndPostgres,

.github/actions/download-core/action.yml

@@ -9,7 +9,7 @@ runs:
   using: 'composite'
   steps:
     - name: Download tar.gz
-      uses: actions/download-artifact@v3
+      uses: actions/download-artifact@v4
       with:
         name: core
         path: .

.github/actions/setup-node/action.yml

@@ -21,14 +21,6 @@ inputs:
     description: 'set nmMode to hardlinks-local in .yarnrc.yml'
     required: false
     default: 'true'
-  build-infra:
-    description: 'Build infra'
-    required: false
-    default: 'true'
-  build-plugins:
-    description: 'Build plugins'
-    required: false
-    default: 'true'
   nmHoistingLimits:
     description: 'Set nmHoistingLimits in .yarnrc.yml'
     required: false
@@ -190,13 +182,3 @@ runs:
       run: node ./node_modules/electron/install.js
       env:
         electron_config_cache: ./node_modules/.cache/electron
-
-    - name: Build Infra
-      shell: bash
-      if: inputs.build-infra == 'true'
-      run: yarn run build:infra
-
-    - name: Build Plugins
-      if: inputs.build-plugins == 'true'
-      shell: bash
-      run: yarn run build:plugins

.github/actions/setup-version/action.yml

@@ -0,0 +1,24 @@
+name: Setup Version
+description: 'Setup Version'
+outputs:
+  APP_VERSION:
+    description: 'App Version'
+    value: ${{ steps.version.outputs.APP_VERSION }}
+runs:
+  using: 'composite'
+  steps:
+    - name: 'Write Version'
+      id: version
+      shell: bash
+      run: |
+        if [ "${{ github.ref_type }}" == "tag" ]; then
+          APP_VERSION=$(echo "${{ github.ref_name }}" | sed 's/^v//')
+        else
+          PACKAGE_VERSION=$(node -p "require('./package.json').version")
+          TIME_VERSION=$(date +%Y%m%d%H%M)
+          GIT_SHORT_HASH=$(git rev-parse --short HEAD)
+          APP_VERSION=$PACKAGE_VERSION-nightly-$TIME_VERSION-$GIT_SHORT_HASH
+        fi
+        echo $APP_VERSION
+        echo "APP_VERSION=$APP_VERSION" >> "$GITHUB_OUTPUT"
+        ./scripts/set-version.sh $APP_VERSION

.github/deployment/front/Dockerfile

@@ -1,4 +1,4 @@
-FROM openresty/openresty:1.21.4.1-0-buster
+FROM openresty/openresty:1.21.4.3-0-buster
 WORKDIR /app
 COPY ./packages/frontend/core/dist ./dist
 COPY ./.github/deployment/front/nginx.conf /usr/local/openresty/nginx/conf/nginx.conf

.github/helm/affine-cloud/.gitignore

@@ -1 +0,0 @@
-charts/

.github/helm/affine-cloud/Chart.lock

@@ -1,6 +0,0 @@
-dependencies:
-- name: postgresql
-  repository: https://charts.bitnami.com/bitnami
-  version: 13.2.23
-digest: sha256:5b64538509bd067bb0f67bf082847a2c5d66dc37d0b9d7948a40405d9c446400
-generated: "2023-12-05T03:04:57.997927753Z"

.github/helm/affine-cloud/Chart.yaml

@@ -1,12 +0,0 @@
-apiVersion: v2
-name: affine-cloud
-description: A Helm chart for AFFiNE Cloud
-
-type: application
-version: 0.6.1
-appVersion: '0.6.1'
-
-dependencies:
-  - name: postgresql
-    version: 13.2.23
-    repository: https://charts.bitnami.com/bitnami

.github/helm/affine-cloud/readme.md

@@ -1,30 +0,0 @@
-# Helm Chart Configuration
-
-The following table lists the configurable parameters of this Helm chart and their default values.
-
-## AFFiNE Cloud Server parameters
-
-| Parameter                      | Description                                        | Default            |
-| ------------------------------ | -------------------------------------------------- | ------------------ |
-| `affineCloud.tag`              | The Docker tag of the AffineCloud image to be used | `'nightly-latest'` |
-| `affineCloud.resources.cpu`    | The CPU resources allocated for AffineCloud        | `'250m'`           |
-| `affineCloud.resources.memory` | The memory resources allocated for AffineCloud     | `'0.5Gi'`          |
-| `affineCloud.signKey`          | The key used to sign the JWT tokens                | `'c2VjcmV0'`       |
-| `affineCloud.service.type`     | The type of the Kubernetes service                 | `'ClusterIP'`      |
-| `affineCloud.service.port`     | The port of the Kubernetes service                 | `'http'`           |
-| `affineCloud.mail.account`     | The email account used to send emails              | `''`               |
-| `affineCloud.mail.password`    | The password of the email account                  | `''`               |
-
-## PostgreSQL parameters
-
-| Parameter                                    | Description                                                                           | Default      |
-| -------------------------------------------- | ------------------------------------------------------------------------------------- | ------------ |
-| `postgresql.auth.username`                   | Username for the PostgreSQL database                                                  | `'affine'`   |
-| `postgresql.auth.password`                   | Password for the PostgreSQL database. Please change this for production environments. | `'password'` |
-| `postgresql.auth.database`                   | The name of the default database that will be created on image startup                | `'affine'`   |
-| `postgresql.primary.resources.limits.cpu`    | The CPU resources allocated for the PostgreSQL primary node                           | `'500m'`     |
-| `postgresql.primary.resources.limits.memory` | The memory resources allocated for the PostgreSQL primary node                        | `'0.5Gi'`    |
-
-For more postgres parameters, please refer to: https://artifacthub.io/packages/helm/bitnami/postgresql
-
-Please note that for the `postgresql.auth.password`, you should provide your own password for production environments. The default value is provided only for demonstration purposes.

.github/helm/affine-cloud/templates/deployment.yaml

@@ -1,51 +0,0 @@
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: "{{ include "affine-cloud.fullname" . }}"
-  labels:
-    {{- include "affine-cloud.labels" . | nindent 4 }}
-spec:
-  replicas: 1
-  selector:
-    matchLabels:
-      {{- include "affine-cloud.selectorLabels" . | nindent 6 }}
-  strategy:
-    type: RollingUpdate
-    rollingUpdate:
-      maxUnavailable: 2
-  template:
-    metadata:
-      labels:
-        {{- include "affine-cloud.selectorLabels" . | nindent 8 }}
-    spec:
-      restartPolicy: Always
-      containers:
-      - name: affine-cloud
-        image: "ghcr.io/toeverything/cloud-self-hosted:{{ .Values.affineCloud.tag | default .Chart.AppVersion }}"
-        env:
-        - name: PG_USER
-          value: "{{ .Values.postgresql.auth.username }}"
-        - name: PG_PASS
-          value: "{{ .Values.postgresql.auth.password }}"
-        - name: PG_DATABASE
-          value: "{{ .Values.postgresql.auth.database }}"
-        - name: PG_HOST
-          value: "{{ .Values.postgresql.fullnameOverride | default (printf "%s-postgresql" .Release.Name) }}"
-        - name: DATABASE_URL
-          value: "{{ .Values.affineCloud.databaseUrl | default "postgresql://$(PG_USER):$(PG_PASS)@$(PG_HOST)/$(PG_DATABASE)" }}"
-        envFrom:
-        - secretRef:
-            name: affine-cloud-secret
-        ports:
-        - containerPort: 3000
-        livenessProbe:
-          httpGet:
-            path: /api/healthz
-            port: 3000
-          failureThreshold: 1
-          initialDelaySeconds: 10
-          periodSeconds: 10
-        resources:
-          limits:
-            cpu: "{{ .Values.affineCloud.resources.cpu }}"
-            memory: "{{ .Values.affineCloud.resources.memory }}"

.github/helm/affine-cloud/templates/secret.yaml

@@ -1,9 +0,0 @@
-apiVersion: v1
-kind: Secret
-metadata:
-  name: affine-cloud-secret
-type: Opaque
-data:
-  SIGN_KEY: "{{ .Values.affineCloud.signKey }}"
-  MAIL_ACCOUNT: "{{ .Values.affineCloud.mail.account }}"
-  MAIL_PASSWORD: "{{ .Values.affineCloud.mail.password }}"

.github/helm/affine-cloud/templates/services.yaml

@@ -1,15 +0,0 @@
-apiVersion: v1
-kind: Service
-metadata:
-  name: "{{ include "affine-cloud.fullname" . }}"
-  labels:
-    {{- include "affine-cloud.labels" . | nindent 4 }}
-spec:
-  type: "{{ .Values.affineCloud.service.type }}"
-  ports:
-    - name: http
-      protocol: TCP
-      port: {{ .Values.affineCloud.service.port }}
-      targetPort: 3000
-  selector:
-    {{- include "affine-cloud.selectorLabels" . | nindent 4 }}

.github/helm/affine-cloud/values.yaml

@@ -1,30 +0,0 @@
-affineCloud:
-  tag: 'canary-5e0d5e0cc65ea46f326fdde12658bfac59b38c9f-0949'
-  # databaseUrl: 'postgresql://affine:password@affine-cloud-postgresql:5432/affine'
-  signKey: TUFtdFdzQTJhdGJuem01TA==
-  mail:
-    account: ''
-    password: ''
-  service:
-    type: ClusterIP
-    port: 80
-  resources:
-    cpu: '250m'
-    memory: 0.5Gi
-postgresql:
-  fullnameOverride: tcp-postgresql
-  auth:
-    # only for demo, please modify it at prod env
-    username: affine
-    password: password
-    database: affine
-  primary:
-    initdb:
-      scripts:
-        01-init.sql: |
-          CREATE DATABASE affine_binary;
-          GRANT ALL PRIVILEGES ON DATABASE affine_binary TO affine;
-    resources:
-      limits:
-        cpu: '500m'
-        memory: 0.5Gi

.github/helm/affine/Chart.yaml

@@ -3,4 +3,4 @@ name: affine
 description: AFFiNE cloud chart
 type: application
 version: 0.0.0
-appVersion: "0.10.4-beta.1"
+appVersion: "0.11.0"

.github/helm/affine/charts/gcloud-sql-proxy/.helmignore

@@ -20,4 +20,4 @@
 .project
 .idea/
 *.tmproj
-.vscode/
+.vscode/

.github/helm/affine/charts/gcloud-sql-proxy/Chart.yaml

@@ -0,0 +1,6 @@
+apiVersion: v2
+name: cloud-sql-proxy
+description: Google Cloud SQL Proxy
+type: application
+version: 0.0.0
+appVersion: "2.8.1"

.github/helm/affine/charts/gcloud-sql-proxy/templates/NOTES.txt

@@ -0,0 +1,18 @@
+{{- if .Values.global.database.gcloud.enabled -}}
+1. Get the application URL by running these commands:
+{{- if contains "NodePort" .Values.service.type }}
+  export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "gcloud-sql-proxy.fullname" . }})
+  export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}")
+  echo http://$NODE_IP:$NODE_PORT
+{{- else if contains "LoadBalancer" .Values.service.type }}
+     NOTE: It may take a few minutes for the LoadBalancer IP to be available.
+           You can watch the status of by running 'kubectl get --namespace {{ .Release.Namespace }} svc -w {{ include "gcloud-sql-proxy.fullname" . }}'
+  export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ include "gcloud-sql-proxy.fullname" . }} --template "{{"{{ range (index .status.loadBalancer.ingress 0) }}{{.}}{{ end }}"}}")
+  echo http://$SERVICE_IP:{{ .Values.service.port }}
+{{- else if contains "ClusterIP" .Values.service.type }}
+  export POD_NAME=$(kubectl get pods --namespace {{ .Release.Namespace }} -l "app.kubernetes.io/name={{ include "gcloud-sql-proxy.name" . }},app.kubernetes.io/instance={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}")
+  export CONTAINER_PORT=$(kubectl get pod --namespace {{ .Release.Namespace }} $POD_NAME -o jsonpath="{.spec.containers[0].ports[0].containerPort}")
+  echo "Visit http://127.0.0.1:8080 to use your application"
+  kubectl --namespace {{ .Release.Namespace }} port-forward $POD_NAME 8080:$CONTAINER_PORT
+{{- end }}
+{{- end }}

.github/helm/affine/charts/gcloud-sql-proxy/templates/_helpers.tpl

@@ -1,7 +1,7 @@
 {{/*
 Expand the name of the chart.
 */}}
-{{- define "affine-cloud.name" -}}
+{{- define "gcloud-sql-proxy.name" -}}
 {{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
 {{- end }}
 
@@ -10,7 +10,7 @@ Create a default fully qualified app name.
 We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
 If release name contains chart name it will be used as a full name.
 */}}
-{{- define "affine-cloud.fullname" -}}
+{{- define "gcloud-sql-proxy.fullname" -}}
 {{- if .Values.fullnameOverride }}
 {{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
 {{- else }}
@@ -26,16 +26,16 @@ If release name contains chart name it will be used as a full name.
 {{/*
 Create chart name and version as used by the chart label.
 */}}
-{{- define "affine-cloud.chart" -}}
+{{- define "gcloud-sql-proxy.chart" -}}
 {{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
 {{- end }}
 
 {{/*
 Common labels
 */}}
-{{- define "affine-cloud.labels" -}}
-helm.sh/chart: {{ include "affine-cloud.chart" . }}
-{{ include "affine-cloud.selectorLabels" . }}
+{{- define "gcloud-sql-proxy.labels" -}}
+helm.sh/chart: {{ include "gcloud-sql-proxy.chart" . }}
+{{ include "gcloud-sql-proxy.selectorLabels" . }}
 {{- if .Chart.AppVersion }}
 app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
 {{- end }}
@@ -45,7 +45,18 @@ app.kubernetes.io/managed-by: {{ .Release.Service }}
 {{/*
 Selector labels
 */}}
-{{- define "affine-cloud.selectorLabels" -}}
-app.kubernetes.io/name: {{ include "affine-cloud.name" . }}
+{{- define "gcloud-sql-proxy.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "gcloud-sql-proxy.name" . }}
 app.kubernetes.io/instance: {{ .Release.Name }}
 {{- end }}
+
+{{/*
+Create the name of the service account to use
+*/}}
+{{- define "gcloud-sql-proxy.serviceAccountName" -}}
+{{- if .Values.serviceAccount.create }}
+{{- default (include "gcloud-sql-proxy.fullname" .) .Values.serviceAccount.name }}
+{{- else }}
+{{- default "default" .Values.serviceAccount.name }}
+{{- end }}
+{{- end }}

.github/helm/affine/charts/gcloud-sql-proxy/templates/deployment.yaml

@@ -0,0 +1,132 @@
+{{- if .Values.global.database.gcloud.enabled -}}
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{ include "gcloud-sql-proxy.fullname" . }}
+  labels:
+    {{- include "gcloud-sql-proxy.labels" . | nindent 4 }}
+spec:
+  replicas: {{ .Values.replicaCount }}
+  selector:
+    matchLabels:
+      {{- include "gcloud-sql-proxy.selectorLabels" . | nindent 6 }}
+  template:
+    metadata:
+      {{- with .Values.podAnnotations }}
+      annotations:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      labels:
+        {{- include "gcloud-sql-proxy.labels" . | nindent 8 }}
+	{{- with .Values.podLabels }}
+        {{- toYaml . | nindent 8 }}
+        {{- end }}
+    spec:
+      {{- with .Values.imagePullSecrets }}
+      imagePullSecrets:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      serviceAccountName: {{ include "gcloud-sql-proxy.serviceAccountName" . }}
+      securityContext:
+        {{- toYaml .Values.podSecurityContext | nindent 8 }}
+      containers:
+        - name: {{ .Chart.Name }}
+          securityContext:
+            {{- toYaml .Values.securityContext | nindent 12 }}
+          terminationMessagePath: /dev/termination-log
+          terminationMessagePolicy: File
+          image: "{{ .Values.image.repository }}:{{ .Chart.AppVersion }}"
+          imagePullPolicy: {{ .Values.image.pullPolicy }}
+          args:
+            - "--address"
+            - "0.0.0.0"
+            - "--structured-logs"
+            - "--auto-iam-authn"
+            - "{{ .Values.global.database.gcloud.connectionName }}"
+          env:
+            # Enable HTTP healthchecks on port 9801. This enables /liveness,
+            # /readiness and /startup health check endpoints. Allow connections
+            # listen for connections on any interface (0.0.0.0) so that the
+            # k8s management components can reach these endpoints.
+            - name: CSQL_PROXY_HEALTH_CHECK
+              value: "true"
+            - name: CSQL_PROXY_HTTP_PORT
+              value: "9801"
+            - name: CSQL_PROXY_HTTP_ADDRESS
+              value: 0.0.0.0
+          ports:
+            - name: cloud-sql-proxy
+              containerPort: {{ .Values.global.database.gcloud.proxyPort }}
+              protocol: TCP
+            - containerPort: 9801
+              protocol: TCP
+          # The /startup probe returns OK when the proxy is ready to receive
+          # connections from the application. In this example, k8s will check
+          # once a second for 60 seconds.
+          startupProbe:
+            failureThreshold: 60
+            httpGet:
+              path: /startup
+              port: 9801
+              scheme: HTTP
+            periodSeconds: 1
+            successThreshold: 1
+            timeoutSeconds: 10
+          # The /liveness probe returns OK as soon as the proxy application has
+          # begun its startup process and continues to return OK until the
+          # process stops.
+          livenessProbe:
+            failureThreshold: 3
+            httpGet:
+              path: /liveness
+              port: 9801
+              scheme: HTTP
+            # The probe will be checked every 10 seconds.
+            periodSeconds: 10
+            # Number of times the probe is allowed to fail before the transition
+            # from healthy to failure state.
+            #
+            # If periodSeconds = 60, 5 tries will result in five minutes of
+            # checks. The proxy starts to refresh a certificate five minutes
+            # before its expiration. If those five minutes lapse without a
+            # successful refresh, the liveness probe will fail and the pod will be
+            # restarted.
+            successThreshold: 1
+            # The probe will fail if it does not respond in 10 seconds
+            timeoutSeconds: 10
+          readinessProbe:
+            # The /readiness probe returns OK when the proxy can establish
+            # a new connections to its databases.
+            httpGet:
+              path: /readiness
+              port: 9801
+            initialDelaySeconds: 10
+            periodSeconds: 10
+            timeoutSeconds: 10
+            # Number of times the probe must report success to transition from failure to healthy state.
+            # Defaults to 1 for readiness probe.
+            successThreshold: 1
+            failureThreshold: 6
+          resources:
+            {{- toYaml .Values.resources | nindent 12 }}
+          {{- with .Values.volumeMounts }}
+          volumeMounts:
+            {{- toYaml . | nindent 12 }}
+          {{- end }}
+      {{- with .Values.volumes }}
+      volumes:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.nodeSelector }}
+      nodeSelector:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.affinity }}
+      affinity:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.tolerations }}
+      tolerations:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+{{- end }}

.github/helm/affine/charts/gcloud-sql-proxy/templates/service.yaml

@@ -0,0 +1,17 @@
+{{- if .Values.global.database.gcloud.enabled -}}
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ include "gcloud-sql-proxy.fullname" . }}
+  labels:
+    {{- include "gcloud-sql-proxy.labels" . | nindent 4 }}
+spec:
+  type: {{ .Values.service.type }}
+  ports:
+    - port: {{ .Values.global.database.port }}
+      targetPort: cloud-sql-proxy
+      protocol: TCP
+      name: cloud-sql-proxy
+  selector:
+    {{- include "gcloud-sql-proxy.selectorLabels" . | nindent 4 }}
+{{- end }}

.github/helm/affine/charts/gcloud-sql-proxy/templates/serviceaccount.yaml

@@ -0,0 +1,15 @@
+{{- if .Values.global.database.gcloud.enabled -}}
+{{- if .Values.serviceAccount.create -}}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ include "gcloud-sql-proxy.serviceAccountName" . }}
+  labels:
+    {{- include "gcloud-sql-proxy.labels" . | nindent 4 }}
+  {{- with .Values.serviceAccount.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+automountServiceAccountToken: {{ .Values.serviceAccount.automount }}
+{{- end }}
+{{- end }}

.github/helm/affine/charts/gcloud-sql-proxy/templates/tests/test-connection.yaml

@@ -0,0 +1,17 @@
+{{- if .Values.global.database.gcloud.enabled -}}
+apiVersion: v1
+kind: Pod
+metadata:
+  name: "{{ include "gcloud-sql-proxy.fullname" . }}-test-connection"
+  labels:
+    {{- include "gcloud-sql-proxy.labels" . | nindent 4 }}
+  annotations:
+    "helm.sh/hook": test
+spec:
+  containers:
+    - name: wget
+      image: busybox
+      command: ['wget']
+      args: ['{{ include "gcloud-sql-proxy.fullname" . }}:{{ .Values.service.port }}']
+  restartPolicy: Never
+{{- end }}

.github/helm/affine/charts/gcloud-sql-proxy/values.yaml

@@ -0,0 +1,40 @@
+replicaCount: 3
+
+image:
+  # the tag is defined as chart appVersion.
+  repository: gcr.io/cloud-sql-connectors/cloud-sql-proxy
+  pullPolicy: IfNotPresent
+
+imagePullSecrets: []
+nameOverride: ""
+fullnameOverride: ""
+
+serviceAccount:
+  create: true
+  automount: true
+  annotations: {}
+  name: ""
+
+podAnnotations: {}
+podLabels: {}
+
+podSecurityContext:
+  fsGroup: 2000
+
+securityContext:
+  runAsNonRoot: true
+
+service:
+  type: ClusterIP
+  port: 5432
+
+resources:
+  limits:
+    memory: "4Gi"
+    cpu: "2"
+
+volumes: []
+volumeMounts: []
+nodeSelector: {}
+tolerations: []
+affinity: {}

.github/helm/affine/charts/graphql/Chart.yaml

@@ -3,4 +3,9 @@ name: graphql
 description: AFFiNE GraphQL server
 type: application
 version: 0.0.0
-appVersion: "0.10.4-beta.1"
+appVersion: "0.11.0"
+dependencies:
+  - name: gcloud-sql-proxy
+    version: 0.0.0
+    repository: "file://../gcloud-sql-proxy"
+    condition: .global.database.gcloud.enabled

.github/helm/affine/charts/graphql/templates/deployment.yaml

@@ -189,20 +189,6 @@ spec:
             initialDelaySeconds: {{ .Values.probe.initialDelaySeconds }}
           resources:
             {{- toYaml .Values.resources | nindent 12 }}
-        {{ if .Values.global.database.gcloud.enabled }}
-        - name: cloud-sql-proxy
-          image: gcr.io/cloud-sql-connectors/cloud-sql-proxy:2.6.0
-          args:
-            - "--structured-logs"
-            - "--auto-iam-authn"
-            - "{{ .Values.global.database.gcloud.connectionName }}"
-          securityContext:
-            runAsNonRoot: true
-          resources:
-            requests:
-              memory: "2Gi"
-              cpu: "1"
-        {{ end }}
       {{- with .Values.nodeSelector }}
       nodeSelector:
         {{- toYaml . | nindent 8 }}

.github/helm/affine/charts/sync/Chart.yaml

@@ -1,6 +1,11 @@
 apiVersion: v2
 name: sync
-description: A Helm chart for Kubernetes
+description: AFFiNE Sync Server
 type: application
 version: 0.0.0
-appVersion: "0.10.4-beta.1"
+appVersion: "0.11.0"
+dependencies:
+  - name: gcloud-sql-proxy
+    version: 0.0.0
+    repository: "file://../gcloud-sql-proxy"
+    condition: .global.database.gcloud.enabled

.github/helm/affine/charts/sync/templates/deployment.yaml

@@ -82,20 +82,6 @@ spec:
             initialDelaySeconds: {{ .Values.probe.initialDelaySeconds }}
           resources:
             {{- toYaml .Values.resources | nindent 12 }}
-        {{ if .Values.global.database.gcloud.enabled }}
-        - name: cloud-sql-proxy
-          image: gcr.io/cloud-sql-connectors/cloud-sql-proxy:2.6.0
-          args:
-            - "--structured-logs"
-            - "--auto-iam-authn"
-            - "{{ .Values.global.database.gcloud.connectionName }}"
-          securityContext:
-            runAsNonRoot: true
-          resources:
-            requests:
-              memory: "2Gi"
-              cpu:    "1"
-        {{ end }}
       {{- with .Values.nodeSelector }}
       nodeSelector:
         {{- toYaml . | nindent 8 }}

.github/helm/affine/values.yaml

@@ -16,6 +16,8 @@ global:
       cloudSqlInternal: ''
       connectionName: ''
       serviceAccount: ''
+      cloudProxyReplicas: 3
+      proxyPort: '5432'
   redis:
     enabled: true
     host: 'redis-master'

.github/helm/deployment_guide.md

@@ -1,60 +0,0 @@
-# Cluster Deployment Guide
-
-This document provides a step-by-step guide for developers on how to deploy services in a Kubernetes cluster. The following content assumes that the reader already has a basic understanding of Kubernetes concepts and operations.
-
-### 1. Configure Service Mesh (Optional)
-
-In the Kubernetes cluster, we optionally use Service Mesh (like Istio and Anthos Service Mesh) to manage the network interactions of microservices. If Service Mesh is already deployed on your cluster or do not need to use the service network, you can skip this step. In this step, we assume that you are using Google Kubernetes Engine (GKE) and have already installed Anthos Service Mesh on your cluster, if you wish to use another Ingress Controller, please refer to the relevant documentation.
-
-To configure your kubectl context to interact with your Kubernetes cluster using the gcloud tool, you need to execute the following commands:
-
-```sh
-export CLUSTER_NAME=your_cluster_name
-export REGION=your_cluster_region
-export PROJECT=your_project_id
-gcloud container clusters get-credentials $CLUSTER_NAME --region $REGION --project $PROJECT
-```
-
-In this command, you should replace `CLUSTER_NAME`, `REGION` and `PROJECT` with the actual name, region and project id of your Kubernetes cluster. This command retrieves the access credentials for your Kubernetes cluster and automatically configures kubectl to use these credentials.
-
-Now, to inject Service Mesh for a specific Namespace, first, set the environment variable `NAMESPACE` that should correspond to your target Kubernetes Namespace. In this example, we use `prod` as the target Namespace:
-
-```sh
-export NAMESPACE=prod
-```
-
-Then, we label the Namespace which will enable Istio to automatically inject the sidecar container for all new Pods under this Namespace:
-
-```sh
-kubectl label namespace $NAMESPACE istio-injection- istio.io/rev=asm-managed --overwrite
-```
-
-Finally, we trigger the Kubernetes Deployment restart mechanism to allow existing Pods to also obtain sidecar container injection:
-
-```sh
-kubectl rollout restart deployment -n $NAMESPACE
-```
-
-### 2. Deploying the Application
-
-Next, we will deploy our application in the Kubernetes cluster through Helm. First, set relevant environment variables:
-
-```sh
-export NAMESPACE=prod
-export RELEASE=affine-cloud-prod
-export PATH=.github/helm/affine-cloud
-```
-
-- `NAMESPACE` should be consistent with the first step, indicating your target Kubernetes Namespace.
-- `RELEASE` is the name of your Helm release.
-- `PATH` is the location of your Helm chart in your file system.
-
-Finally, use the `helm upgrade --install` command to deploy or upgrade your application:
-
-```sh
-helm upgrade --namespace $NAMESPACE --create-namespace --install $RELEASE $PATH
-```
-
-This command creates (if it doesn't already exist) and deploys your Helm chart in the specified Namespace. If the release already exists, it will be upgraded.
-
-The above are the complete steps for deploying an application in a Kubernetes cluster. Make sure all prerequisites are met before deploying, and also ensure that you have the correct permissions for operations in Kubernetes.

.github/labeler.yml

@@ -19,26 +19,11 @@ mod:dev:
           - 'tools/cli/**/*'
           - 'packages/common/debug/**/*'
 
-mod:plugin:
-  - changed-files:
-      - any-glob-to-any-file:
-          - 'packages/plugins/**/*'
-
-plugin:copilot:
-  - changed-files:
-      - any-glob-to-any-file:
-          - 'packages/plugins/copilot/**/*'
-
 mod:infra:
   - changed-files:
       - any-glob-to-any-file:
           - 'packages/common/infra/**/*'
 
-mod:sdk:
-  - changed-files:
-      - any-glob-to-any-file:
-          - 'packages/common/sdk/**/*'
-
 mod:plugin-cli:
   - changed-files:
       - any-glob-to-any-file:

.github/renovate.json

@@ -2,12 +2,18 @@
   "$schema": "https://docs.renovatebot.com/renovate-schema.json",
   "extends": [
     "config:base",
-    "group:allNonMajor",
     ":preserveSemverRanges",
     ":disablePeerDependencies"
   ],
   "labels": ["dependencies"],
   "packageRules": [
+    {
+      "groupName": "all non-major dependencies",
+      "groupSlug": "all-minor-patch",
+      "matchPackagePatterns": ["*"],
+      "matchUpdateTypes": ["minor", "patch"],
+      "excludePackagePatterns": ["^@blocksuite/"]
+    },
     {
       "matchPackageNames": ["napi", "napi-build", "napi-derive"],
       "groupName": "napi-rs"

.github/workflows/build-test.yml

@@ -45,7 +45,7 @@ jobs:
 
       # Initializes the CodeQL tools for scanning.
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@v2
+        uses: github/codeql-action/init@v3
         with:
           languages: ${{ matrix.language }}
           # If you wish to specify custom queries, you can do so here or in a config file.
@@ -58,7 +58,7 @@ jobs:
       # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
       # If this step fails, then you should remove it and run the build manually (see below)
       - name: Autobuild
-        uses: github/codeql-action/autobuild@v2
+        uses: github/codeql-action/autobuild@v3
 
       # ℹ️ Command-line programs to run using the OS shell.
       # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun
@@ -71,7 +71,7 @@ jobs:
       #   ./location_of_script_within_repo/buildscript.sh
 
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@v2
+        uses: github/codeql-action/analyze@v3
   lint:
     name: Lint
     runs-on: ubuntu-latest
@@ -80,7 +80,7 @@ jobs:
       - uses: actions/checkout@v4
       - name: Run oxlint
         # oxlint is fast, so wrong code will fail quickly
-        run: yarn dlx $(node -e "console.log(require('./package.json').scripts['lint:ox'])")
+        run: yarn dlx $(node -e "console.log(require('./package.json').scripts['lint:ox'].replace('oxlint', 'oxlint@' + require('./package.json').devDependencies.oxlint))")
       - name: Setup Node.js
         uses: ./.github/actions/setup-node
         with:
@@ -108,44 +108,6 @@ jobs:
           yarn set version $(node -e "console.log(require('./package.json').packageManager.split('@')[1])")
           git diff --exit-code
 
-  e2e-plugin-test:
-    name: E2E Plugin Test
-    runs-on: ubuntu-latest
-    env:
-      DISTRIBUTION: browser
-    steps:
-      - uses: actions/checkout@v4
-      - name: Setup Node.js
-        uses: ./.github/actions/setup-node
-        with:
-          playwright-install: true
-          electron-install: false
-          full-cache: true
-      - name: Run playwright tests
-        run: yarn e2e --forbid-only
-        working-directory: tests/affine-plugin
-        env:
-          COVERAGE: true
-      - name: Collect code coverage report
-        run: yarn exec nyc report -t .nyc_output --report-dir .coverage --reporter=lcov
-
-      - name: Upload e2e test coverage results
-        uses: codecov/codecov-action@v3
-        with:
-          token: ${{ secrets.CODECOV_TOKEN }}
-          files: ./.coverage/lcov.info
-          flags: e2e-plugin-test
-          name: affine
-          fail_ci_if_error: false
-
-      - name: Upload test results
-        if: ${{ failure() }}
-        uses: actions/upload-artifact@v3
-        with:
-          name: test-results-e2e-plugin
-          path: ./test-results
-          if-no-files-found: ignore
-
   e2e-test:
     name: E2E Test
     runs-on: ubuntu-latest
@@ -169,7 +131,7 @@ jobs:
 
       - name: Upload test results
         if: ${{ failure() }}
-        uses: actions/upload-artifact@v3
+        uses: actions/upload-artifact@v4
         with:
           name: test-results-e2e-${{ matrix.shard }}
           path: ./test-results
@@ -194,7 +156,7 @@ jobs:
 
       - name: Upload test results
         if: ${{ failure() }}
-        uses: actions/upload-artifact@v3
+        uses: actions/upload-artifact@v4
         with:
           name: test-results-e2e-migration
           path: ./tests/affine-migration/test-results
@@ -216,7 +178,7 @@ jobs:
           full-cache: true
 
       - name: Download affine.linux-x64-gnu.node
-        uses: actions/download-artifact@v3
+        uses: actions/download-artifact@v4
         with:
           name: affine.linux-x64-gnu.node
           path: ./packages/frontend/native
@@ -254,8 +216,6 @@ jobs:
         with:
           extra-flags: workspaces focus @affine/native
           electron-install: false
-          build-infra: false
-          build-plugins: false
       - name: Setup filename
         id: filename
         shell: bash
@@ -269,7 +229,7 @@ jobs:
           package: '@affine/native'
           nx_token: ${{ secrets.NX_CLOUD_ACCESS_TOKEN }}
       - name: Upload ${{ steps.filename.outputs.filename }}
-        uses: actions/upload-artifact@v3
+        uses: actions/upload-artifact@v4
         with:
           name: ${{ steps.filename.outputs.filename }}
           path: ./packages/frontend/native/${{ steps.filename.outputs.filename }}
@@ -287,8 +247,6 @@ jobs:
         with:
           extra-flags: workspaces focus @affine/storage
           electron-install: false
-          build-infra: false
-          build-plugins: false
       - name: Build Rust
         uses: ./.github/actions/build-rust
         with:
@@ -296,7 +254,7 @@ jobs:
           package: '@affine/storage'
           nx_token: ${{ secrets.NX_CLOUD_ACCESS_TOKEN }}
       - name: Upload storage.node
-        uses: actions/upload-artifact@v3
+        uses: actions/upload-artifact@v4
         with:
           name: storage.node
           path: ./packages/backend/storage/storage.node
@@ -312,7 +270,6 @@ jobs:
         uses: ./.github/actions/setup-node
         with:
           electron-install: false
-          build-plugins: false
           full-cache: true
       - name: Build Core
         # always skip cache because its fast, and cache configuration is always changing
@@ -320,7 +277,7 @@ jobs:
       - name: zip core
         run: tar -czf dist.tar.gz --directory=packages/frontend/core/dist .
       - name: Upload core artifact
-        uses: actions/upload-artifact@v3
+        uses: actions/upload-artifact@v4
         with:
           name: core
           path: dist.tar.gz
@@ -374,12 +331,14 @@ jobs:
           DATABASE_URL: postgresql://affine:affine@localhost:5432/affine
 
       - name: Run init-db script
-        run: yarn workspace @affine/server exec node --loader ts-node/esm/transpile-only ./scripts/init-db.ts
+        run: |
+          yarn workspace @affine/server data-migration run
+          yarn workspace @affine/server exec node --loader ts-node/esm/transpile-only ./scripts/init-db.ts
         env:
           DATABASE_URL: postgresql://affine:affine@localhost:5432/affine
 
       - name: Download storage.node
-        uses: actions/download-artifact@v3
+        uses: actions/download-artifact@v4
         with:
           name: storage.node
           path: ./packages/backend/server
@@ -464,15 +423,17 @@ jobs:
           DATABASE_URL: postgresql://affine:affine@localhost:5432/affine
 
       - name: Run init-db script
-        run: yarn workspace @affine/server exec node --loader ts-node/esm/transpile-only ./scripts/init-db.ts
+        run: |
+          yarn workspace @affine/server data-migration run
+          yarn workspace @affine/server exec node --loader ts-node/esm/transpile-only ./scripts/init-db.ts
       - name: Download storage.node
-        uses: actions/download-artifact@v3
+        uses: actions/download-artifact@v4
         with:
           name: storage.node
           path: ./packages/backend/server
 
       - name: Download affine.linux-x64-gnu.node
-        uses: actions/download-artifact@v3
+        uses: actions/download-artifact@v4
         with:
           name: affine.linux-x64-gnu.node
           path: ./packages/frontend/native
@@ -486,7 +447,7 @@ jobs:
 
       - name: Upload test results
         if: ${{ failure() }}
-        uses: actions/upload-artifact@v3
+        uses: actions/upload-artifact@v4
         with:
           name: test-results-e2e-server
           path: ./tests/affine-cloud/test-results
@@ -550,7 +511,7 @@ jobs:
           echo "filename=affine.$PLATFORM_ARCH_ABI.node" >> "$GITHUB_OUTPUT"
 
       - name: Download ${{ steps.filename.outputs.filename }}
-        uses: actions/download-artifact@v3
+        uses: actions/download-artifact@v4
         with:
           name: ${{ steps.filename.outputs.filename }}
           path: ./packages/frontend/native
@@ -592,7 +553,7 @@ jobs:
 
       - name: Upload test results
         if: ${{ failure() }}
-        uses: actions/upload-artifact@v3
+        uses: actions/upload-artifact@v4
         with:
           name: test-results-e2e-${{ matrix.spec.os }}-${{ matrix.spec.arch }}
           path: ./test-results

.github/workflows/deploy-automatically.yml

@@ -0,0 +1,27 @@
+name: Deploy Automatically
+
+on:
+  push:
+    tags:
+      - 'v[0-9]+.[0-9]+.[0-9]+-canary.[0-9]+'
+  schedule:
+    - cron: '0 9 * * *'
+
+jobs:
+  dispatch-deploy:
+    runs-on: ubuntu-latest
+    name: Setup Deploy
+    steps:
+      - name: dispatch deploy by tag
+        if: ${{ github.event_name == 'push' }}
+        uses: benc-uk/workflow-dispatch@v1
+        with:
+          workflow: deploy.yml
+          inputs: '{ "flavor": "canary" }'
+      - name: dispatch deploy by schedule
+        if: ${{ github.event_name == 'schedule' }}
+        uses: benc-uk/workflow-dispatch@v1
+        with:
+          workflow: deploy.yml
+          inputs: '{ "flavor": "canary" }'
+          ref: canary

.github/workflows/deploy.yml

@@ -4,10 +4,14 @@ on:
   workflow_dispatch:
     inputs:
       flavor:
-        description: 'Build type (canary, beta, or stable)'
-        type: string
+        description: 'Select what enverionment to deploy to'
+        type: choice
         default: canary
-
+        options:
+          - canary
+          - beta
+          - stable
+          - internal
 env:
   APP_NAME: affine
   NX_CLOUD_ACCESS_TOKEN: ${{ secrets.NX_CLOUD_ACCESS_TOKEN }}
@@ -18,6 +22,9 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
+      - name: Setup Version
+        id: version
+        uses: ./.github/actions/setup-version
       - name: Setup Node.js
         uses: ./.github/actions/setup-node
         with:
@@ -25,7 +32,7 @@ jobs:
       - name: Build Server
         run: yarn workspace @affine/server build
       - name: Upload server dist
-        uses: actions/upload-artifact@v3
+        uses: actions/upload-artifact@v4
         with:
           name: server-dist
           path: ./packages/backend/server/dist
@@ -36,10 +43,11 @@ jobs:
     environment: ${{ github.event.inputs.flavor }}
     steps:
       - uses: actions/checkout@v4
+      - name: Setup Version
+        id: version
+        uses: ./.github/actions/setup-version
       - name: Setup Node.js
         uses: ./.github/actions/setup-node
-      - name: Build Plugins
-        run: yarn run build:plugins
       - name: Build Core
         run: yarn nx build @affine/core --skip-nx-cache
         env:
@@ -55,7 +63,7 @@ jobs:
           SENTRY_AUTH_TOKEN: ${{ secrets.SENTRY_AUTH_TOKEN }}
           SENTRY_DSN: ${{ secrets.SENTRY_DSN }}
       - name: Upload core artifact
-        uses: actions/upload-artifact@v3
+        uses: actions/upload-artifact@v4
         with:
           name: core
           path: ./packages/frontend/core/dist
@@ -67,6 +75,9 @@ jobs:
 
     steps:
       - uses: actions/checkout@v4
+      - name: Setup Version
+        id: version
+        uses: ./.github/actions/setup-version
       - name: Setup Node.js
         uses: ./.github/actions/setup-node
       - name: Build Rust
@@ -76,7 +87,7 @@ jobs:
           package: '@affine/storage'
           nx_token: ${{ secrets.NX_CLOUD_ACCESS_TOKEN }}
       - name: Upload storage.node
-        uses: actions/upload-artifact@v3
+        uses: actions/upload-artifact@v4
         with:
           name: storage.node
           path: ./packages/backend/storage/storage.node
@@ -88,6 +99,9 @@ jobs:
 
     steps:
       - uses: actions/checkout@v4
+      - name: Setup Version
+        id: version
+        uses: ./.github/actions/setup-version
       - name: Setup Node.js
         uses: ./.github/actions/setup-node
       - name: Build Rust
@@ -97,7 +111,7 @@ jobs:
           package: '@affine/storage'
           nx_token: ${{ secrets.NX_CLOUD_ACCESS_TOKEN }}
       - name: Upload storage.node
-        uses: actions/upload-artifact@v3
+        uses: actions/upload-artifact@v4
         with:
           name: storage.arm64.node
           path: ./packages/backend/storage/storage.node
@@ -114,22 +128,22 @@ jobs:
     steps:
       - uses: actions/checkout@v4
       - name: Download core artifact
-        uses: actions/download-artifact@v3
+        uses: actions/download-artifact@v4
         with:
           name: core
           path: ./packages/frontend/core/dist
       - name: Download server dist
-        uses: actions/download-artifact@v3
+        uses: actions/download-artifact@v4
         with:
           name: server-dist
           path: ./packages/backend/server/dist
       - name: Download storage.node
-        uses: actions/download-artifact@v3
+        uses: actions/download-artifact@v4
         with:
           name: storage.node
           path: ./packages/backend/server
       - name: Download storage.node arm64
-        uses: actions/download-artifact@v3
+        uses: actions/download-artifact@v4
         with:
           name: storage.arm64.node
           path: ./packages/backend/storage
@@ -207,12 +221,9 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
-      - name: setup deploy version
+      - name: Setup Version
         id: version
-        run: |
-          export APP_VERSION=`node -e "console.log(require('./package.json').version)"`
-          echo $APP_VERSION
-          echo "APP_VERSION=$APP_VERSION" >> "$GITHUB_OUTPUT"
+        uses: ./.github/actions/setup-version
       - name: Deploy to ${{ github.event.inputs.flavor }}
         uses: ./.github/actions/deploy
         with:
@@ -249,3 +260,4 @@ jobs:
           CLOUD_SQL_IAM_ACCOUNT: ${{ secrets.CLOUD_SQL_IAM_ACCOUNT }}
           STRIPE_API_KEY: ${{ secrets.STRIPE_API_KEY }}
           STRIPE_WEBHOOK_KEY: ${{ secrets.STRIPE_WEBHOOK_KEY }}
+          STATIC_IP_NAME: ${{ secrets.STATIC_IP_NAME }}

.github/workflows/dispatch-deploy.yml

@@ -1,30 +0,0 @@
-name: Dispatch Deploy by tag
-
-on:
-  push:
-    tags:
-      - 'v[0-9]+.[0-9]+.[0-9]+-canary.[0-9]+'
-
-jobs:
-  dispatch-deploy-by-tag:
-    runs-on: ubuntu-latest
-    name: Setup deploy environment
-    steps:
-      - uses: actions/checkout@v4
-      - name: Setup Node.js
-        uses: ./.github/actions/setup-node
-        with:
-          extra-flags: 'workspaces focus @affine/monorepo'
-          hard-link-nm: false
-          electron-install: false
-          build-infra: false
-          build-plugins: false
-      - name: Setup output value
-        id: flavor
-        run: |
-          node -e "const env = require('semver').parse('${{ github.ref_name }}').prerelease[0] ?? 'stable'; console.log(`flavor=${env}`)" >> "$GITHUB_OUTPUT"
-      - name: dispatch deploy
-        uses: benc-uk/workflow-dispatch@v1
-        with:
-          workflow: deploy.yml
-          inputs: '{ "flavor": "${{ steps.flavor.outputs.flavor }}" }'

.github/workflows/nightly-build.yml

@@ -1,258 +0,0 @@
-name: Build Canary Desktop App on Staging Branch
-
-on:
-  workflow_dispatch:
-    inputs:
-      channel_override:
-        description: 'channel type (canary, beta, or stable)'
-        type: choice
-        default: beta
-        options:
-          - canary
-          - beta
-          - stable
-  push:
-    branches:
-      # 0.6.x-staging
-      - v[0-9]+.[0-9]+.x-staging
-      # 0.6.1-staging
-      - v[0-9]+.[0-9]+.[0-9]+-staging
-    paths-ignore:
-      - README.md
-      - .github/**
-      - '!.github/workflows/nightly-build.yml'
-      - '!.github/actions/build-rust/action.yml'
-      - '!.github/actions/setup-node/action.yml'
-
-permissions:
-  actions: write
-  contents: write
-  security-events: write
-
-concurrency:
-  # The concurrency group contains the workflow name and the branch name for
-  # pull requests or the commit hash for any other events.
-  group: ${{ github.workflow }}-${{ github.event_name == 'pull_request' && github.head_ref || github.sha }}
-  cancel-in-progress: true
-
-env:
-  # BUILD_TYPE => app icon, app name, etc
-  BUILD_TYPE: internal
-  # BUILD_TYPE_OVERRIDE => channel type (canary, beta, or stable) - get the channel type (the api configs)
-  BUILD_TYPE_OVERRIDE: ${{ github.event.inputs.channel_override || 'beta' }}
-
-jobs:
-  set-build-version:
-    runs-on: ubuntu-latest
-    outputs:
-      version: 0.0.0-internal.${{ steps.version.outputs.version }}
-    steps:
-      - uses: actions/checkout@v4
-      - uses: toeverything/set-build-version@latest
-      - id: version
-        run: echo ::set-output name=version::${{ env.BUILD_VERSION }}
-
-  before-make:
-    runs-on: ubuntu-latest
-    needs:
-      - set-build-version
-    steps:
-      - uses: actions/checkout@v4
-      - name: Setup Node.js
-        uses: ./.github/actions/setup-node
-      - name: Setup @sentry/cli
-        uses: ./.github/actions/setup-sentry
-      - name: Replace Version
-        run: ./scripts/set-version.sh ${{ needs.set-build-version.outputs.version }}
-      - name: generate-assets
-        run: yarn workspace @affine/electron generate-assets
-        env:
-          SENTRY_ORG: ${{ secrets.SENTRY_ORG }}
-          SENTRY_PROJECT: ${{ secrets.SENTRY_PROJECT }}
-          SENTRY_AUTH_TOKEN: ${{ secrets.SENTRY_AUTH_TOKEN }}
-          SENTRY_DSN: ${{ secrets.SENTRY_DSN }}
-          RELEASE_VERSION: ${{ needs.set-build-version.outputs.version }}
-          SKIP_PLUGIN_BUILD: 'true'
-          SKIP_NX_CACHE: 'true'
-
-      - name: Upload core artifact
-        uses: actions/upload-artifact@v3
-        with:
-          name: core
-          path: packages/frontend/electron/resources/web-static
-
-  make-distribution:
-    strategy:
-      # all combinations: macos-latest x64, macos-latest arm64, ubuntu-latest x64
-      # For windows, we need a separate approach
-      matrix:
-        spec:
-          - runner: macos-latest
-            platform: darwin
-            arch: x64
-            target: x86_64-apple-darwin
-          - runner: macos-latest
-            platform: darwin
-            arch: arm64
-            target: aarch64-apple-darwin
-          - runner: ubuntu-latest
-            platform: linux
-            arch: x64
-            target: x86_64-unknown-linux-gnu
-          - runner: windows-latest
-            platform: win32
-            arch: x64
-            target: x86_64-pc-windows-msvc
-    runs-on: ${{ matrix.spec.runner }}
-    needs:
-      - before-make
-      - set-build-version
-    env:
-      APPLE_ID: ${{ secrets.APPLE_ID }}
-      APPLE_PASSWORD: ${{ secrets.APPLE_PASSWORD }}
-      APPLE_TEAM_ID: ${{ secrets.APPLE_TEAM_ID }}
-      SKIP_GENERATE_ASSETS: 1
-    steps:
-      - uses: actions/checkout@v4
-      - name: Setup Node.js
-        timeout-minutes: 10
-        if: ${{ matrix.spec.platform == 'darwin' }}
-        uses: ./.github/actions/setup-node
-        with:
-          extra-flags: workspaces focus @affine/electron @affine/monorepo
-          hard-link-nm: false
-          build-plugins: false
-          nmHoistingLimits: workspaces
-          enableScripts: false
-      - name: Setup Node.js
-        timeout-minutes: 10
-        if: ${{ matrix.spec.platform != 'darwin' }}
-        uses: ./.github/actions/setup-node
-        with:
-          extra-flags: workspaces focus @affine/electron @affine/monorepo
-          hard-link-nm: false
-          build-plugins: false
-          nmHoistingLimits: workspaces
-      - name: Build AFFiNE native
-        uses: ./.github/actions/build-rust
-        with:
-          target: ${{ matrix.spec.target }}
-          package: '@affine/native'
-          nx_token: ${{ secrets.NX_CLOUD_ACCESS_TOKEN }}
-      - name: Replace Version
-        run: ./scripts/set-version.sh ${{ needs.set-build-version.outputs.version }}
-      - uses: actions/download-artifact@v3
-        with:
-          name: core
-          path: packages/frontend/electron/resources/web-static
-
-      - name: Build Plugins
-        run: yarn run build:plugins
-
-      - name: Build Desktop Layers
-        run: yarn workspace @affine/electron build
-
-      - name: Signing By Apple Developer ID
-        if: ${{ matrix.spec.platform == 'darwin' }}
-        uses: apple-actions/import-codesign-certs@v2
-        with:
-          p12-file-base64: ${{ secrets.CERTIFICATES_P12 }}
-          p12-password: ${{ secrets.CERTIFICATES_P12_PASSWORD }}
-
-      - name: make
-        run: yarn workspace @affine/electron make --platform=${{ matrix.spec.platform }} --arch=${{ matrix.spec.arch }}
-        env:
-          SKIP_PLUGIN_BUILD: 1
-          SKIP_WEB_BUILD: 1
-          HOIST_NODE_MODULES: 1
-
-      - name: Save artifacts (mac)
-        if: ${{ matrix.spec.platform == 'darwin' }}
-        run: |
-          mkdir -p builds
-          mv packages/frontend/electron/out/*/make/*.dmg ./builds/affine-${{ env.BUILD_TYPE }}-macos-${{ matrix.spec.arch }}.dmg
-          mv packages/frontend/electron/out/*/make/zip/darwin/${{ matrix.spec.arch }}/*.zip ./builds/affine-${{ env.BUILD_TYPE }}-macos-${{ matrix.spec.arch }}.zip
-      - name: Save artifacts (windows)
-        if: ${{ matrix.spec.platform == 'win32' }}
-        run: |
-          mkdir -p builds
-          mv packages/frontend/electron/out/*/make/zip/win32/x64/AFFiNE*-win32-x64-*.zip ./builds/affine-${{ env.BUILD_TYPE }}-windows-x64.zip
-          mv packages/frontend/electron/out/*/make/squirrel.windows/x64/*.exe ./builds/affine-${{ env.BUILD_TYPE }}-windows-x64.exe
-          mv packages/frontend/electron/out/*/make/squirrel.windows/x64/*.msi ./builds/affine-${{ env.BUILD_TYPE }}-windows-x64.msi
-          mv packages/frontend/electron/out/*/make/squirrel.windows/x64/*.nupkg ./builds/affine-${{ env.BUILD_TYPE }}-windows-x64.nupkg
-
-      - name: Save artifacts (linux)
-        if: ${{ matrix.spec.platform == 'linux' }}
-        run: |
-          mkdir -p builds
-          mv packages/frontend/electron/out/*/make/zip/linux/x64/*.zip ./builds/affine-${{ env.BUILD_TYPE }}-linux-x64.zip
-          mv packages/frontend/electron/out/*/make/AppImage/x64/*.AppImage ./builds/affine-${{ env.BUILD_TYPE }}-linux-x64.AppImage
-
-      - name: Upload Artifact
-        uses: actions/upload-artifact@v3
-        with:
-          name: affine-${{ matrix.spec.platform }}-${{ matrix.spec.arch }}-builds
-          path: builds
-
-  release:
-    needs:
-      - make-distribution
-      - set-build-version
-    runs-on: ubuntu-latest
-
-    steps:
-      - uses: actions/checkout@v4
-      - name: Download Artifacts (macos-x64)
-        uses: actions/download-artifact@v3
-        with:
-          name: affine-darwin-x64-builds
-          path: ./
-      - name: Download Artifacts (macos-arm64)
-        uses: actions/download-artifact@v3
-        with:
-          name: affine-darwin-arm64-builds
-          path: ./
-      - name: Download Artifacts (windows-x64)
-        uses: actions/download-artifact@v3
-        with:
-          name: affine-win32-x64-builds
-          path: ./
-      - name: Download Artifacts (linux-x64)
-        uses: actions/download-artifact@v3
-        with:
-          name: affine-linux-x64-builds
-          path: ./
-      - name: Setup Node.js
-        uses: actions/setup-node@v4
-        with:
-          node-version: 18
-      - name: Generate Release yml
-        run: |
-          node ./packages/frontend/electron/scripts/generate-yml.js
-        env:
-          RELEASE_VERSION: ${{ needs.set-build-version.outputs.version }}
-      - name: Generate SHA512 checksums
-        run: |
-          sha512sum *-linux-* > SHA512SUMS.txt
-          sha512sum *-macos-* >> SHA512SUMS.txt
-          sha512sum *-windows-* >> SHA512SUMS.txt
-      - name: Create Release Draft
-        uses: softprops/action-gh-release@v1
-        env:
-          GITHUB_TOKEN: ${{ secrets.RELEASE_TOKEN }}
-        with:
-          repository: 'toeverything/AFFiNE-Releases'
-          name: ${{ needs.set-build-version.outputs.version }}
-          tag_name: ${{ needs.set-build-version.outputs.version }}
-          prerelease: true
-          files: |
-            ./SHA512SUMS.txt
-            ./VERSION
-            ./*.zip
-            ./*.dmg
-            ./*.exe
-            ./*.nupkg
-            ./RELEASES
-            ./*.AppImage
-            ./*.apk
-            ./*.yml

.github/workflows/publish-storybook.yml

@@ -32,8 +32,6 @@ jobs:
         uses: ./.github/actions/setup-node
         with:
           electron-install: false
-      - name: Build Plugins
-        run: yarn run build:plugins
       - uses: chromaui/action-next@v1
         with:
           workingDir: tests/storybook
@@ -44,7 +42,7 @@ jobs:
         env:
           CHROMATIC_PROJECT_TOKEN: ${{ secrets.CHROMATIC_PROJECT_TOKEN }}
           NODE_OPTIONS: ${{ env.NODE_OPTIONS }}
-      - uses: actions/upload-artifact@v3
+      - uses: actions/upload-artifact@v4
         if: always()
         with:
           name: chromatic-build-artifacts-${{ github.run_id }}

.github/workflows/release-desktop-automatically.yml

@@ -0,0 +1,27 @@
+name: Release Desktop Automatically
+
+on:
+  push:
+    tags:
+      - 'v[0-9]+.[0-9]+.[0-9]+-canary.[0-9]+'
+  schedule:
+    - cron: '0 9 * * *'
+
+jobs:
+  dispatch-release-desktop:
+    runs-on: ubuntu-latest
+    name: Setup Release Desktop
+    steps:
+      - name: dispatch desktop release by tag
+        if: ${{ github.event_name == 'push' }}
+        uses: benc-uk/workflow-dispatch@v1
+        with:
+          workflow: release-desktop.yml
+          inputs: '{ "build-type": "canary", "is-draft": false, "is-pre-release": true }'
+      - name: dispatch desktop release by schedule
+        if: ${{ github.event_name == 'schedule' }}
+        uses: benc-uk/workflow-dispatch@v1
+        with:
+          workflow: release-desktop.yml
+          inputs: '{ "build-type": "canary", "is-draft": false, "is-pre-release": true }'
+          ref: canary

.github/workflows/release-desktop.yml

@@ -1,15 +1,17 @@
 name: Release Desktop App
 
 on:
-  push:
-    tags:
-      - 'v[0-9]+.[0-9]+.[0-9]+-canary.[0-9]+'
   workflow_dispatch:
     inputs:
-      version:
-        description: App Version
+      build-type:
+        description: 'Build Type'
+        type: choice
         required: true
-        default: 0.0.0
+        default: canary
+        options:
+          - canary
+          - beta
+          - stable
       is-draft:
         description: 'Draft Release?'
         type: boolean
@@ -20,11 +22,6 @@ on:
         type: boolean
         required: true
         default: true
-      build-type:
-        description: 'Build Type (canary, beta or stable)'
-        type: string
-        required: true
-        default: canary
 
 permissions:
   actions: write
@@ -32,7 +29,7 @@ permissions:
   security-events: write
 
 env:
-  BUILD_TYPE: ${{ github.event.inputs.build-type || (github.ref_type == 'tag' && contains(github.ref, 'canary') && 'canary') }}
+  BUILD_TYPE: ${{ github.event.inputs.build-type }}
   DEBUG: napi:*
   APP_NAME: affine
   MACOSX_DEPLOYMENT_TARGET: '10.13'
@@ -40,26 +37,18 @@ env:
 jobs:
   before-make:
     runs-on: ubuntu-latest
-    environment: ${{ github.event.inputs.build-type || (github.ref_type == 'tag' && contains(github.ref, 'canary') && 'canary') }}
+    environment: ${{ github.event.inputs.build-type }}
     outputs:
-      RELEASE_VERSION: ${{ steps.get-canary-version.outputs.RELEASE_VERSION }}
+      RELEASE_VERSION: ${{ steps.version.outputs.APP_VERSION }}
     steps:
       - uses: actions/checkout@v4
+      - name: Setup Version
+        id: version
+        uses: ./.github/actions/setup-version
       - name: Setup Node.js
         uses: ./.github/actions/setup-node
       - name: Setup @sentry/cli
         uses: ./.github/actions/setup-sentry
-      - name: Get canary version
-        id: get-canary-version
-        if: ${{ github.ref_type == 'tag' }}
-        run: |
-          TAG_VERSION=${GITHUB_REF#refs/tags/v}
-          PACKAGE_VERSION=$(node -p "require('./packages/frontend/electron/package.json').version")
-          if [ "$TAG_VERSION" != "$PACKAGE_VERSION" ]; then
-            echo "Tag version ($TAG_VERSION) does not match package.json version ($PACKAGE_VERSION)"
-            exit 1
-          fi
-          echo "RELEASE_VERSION=$(node -p "require('./packages/frontend/electron/package.json').version")" >> $GITHUB_OUTPUT
       - name: generate-assets
         run: yarn workspace @affine/electron generate-assets
         env:
@@ -67,12 +56,12 @@ jobs:
           SENTRY_PROJECT: ${{ secrets.SENTRY_PROJECT }}
           SENTRY_AUTH_TOKEN: ${{ secrets.SENTRY_AUTH_TOKEN }}
           SENTRY_DSN: ${{ secrets.SENTRY_DSN }}
-          RELEASE_VERSION: ${{ github.event.inputs.version || steps.get-canary-version.outputs.RELEASE_VERSION }}
+          RELEASE_VERSION: ${{ steps.version.outputs.APP_VERSION }}
           SKIP_PLUGIN_BUILD: 'true'
           SKIP_NX_CACHE: 'true'
 
       - name: Upload core artifact
-        uses: actions/upload-artifact@v3
+        uses: actions/upload-artifact@v4
         with:
           name: core
           path: packages/frontend/electron/resources/web-static
@@ -104,13 +93,15 @@ jobs:
       SKIP_GENERATE_ASSETS: 1
     steps:
       - uses: actions/checkout@v4
+      - name: Setup Version
+        id: version
+        uses: ./.github/actions/setup-version
       - name: Setup Node.js
         timeout-minutes: 10
         uses: ./.github/actions/setup-node
         with:
           extra-flags: workspaces focus @affine/electron @affine/monorepo
           hard-link-nm: false
-          build-plugins: false
           nmHoistingLimits: workspaces
           enableScripts: false
       - name: Build AFFiNE native
@@ -119,7 +110,7 @@ jobs:
           target: ${{ matrix.spec.target }}
           package: '@affine/native'
           nx_token: ${{ secrets.NX_CLOUD_ACCESS_TOKEN }}
-      - uses: actions/download-artifact@v3
+      - uses: actions/download-artifact@v4
         with:
           name: core
           path: packages/frontend/electron/resources/web-static
@@ -155,7 +146,7 @@ jobs:
           mv packages/frontend/electron/out/*/make/AppImage/x64/*.AppImage ./builds/affine-${{ env.BUILD_TYPE }}-linux-x64.AppImage
 
       - name: Upload Artifact
-        uses: actions/upload-artifact@v3
+        uses: actions/upload-artifact@v4
         with:
           name: affine-${{ matrix.spec.platform }}-${{ matrix.spec.arch }}-builds
           path: builds
@@ -178,13 +169,15 @@ jobs:
       SKIP_GENERATE_ASSETS: 1
     steps:
       - uses: actions/checkout@v4
+      - name: Setup Version
+        id: version
+        uses: ./.github/actions/setup-version
       - name: Setup Node.js
         timeout-minutes: 10
         uses: ./.github/actions/setup-node
         with:
           extra-flags: workspaces focus @affine/electron @affine/monorepo
           hard-link-nm: false
-          build-plugins: false
           nmHoistingLimits: workspaces
       - name: Build AFFiNE native
         uses: ./.github/actions/build-rust
@@ -192,14 +185,11 @@ jobs:
           target: ${{ matrix.spec.target }}
           package: '@affine/native'
           nx_token: ${{ secrets.NX_CLOUD_ACCESS_TOKEN }}
-      - uses: actions/download-artifact@v3
+      - uses: actions/download-artifact@v4
         with:
           name: core
           path: packages/frontend/electron/resources/web-static
 
-      - name: Build Plugins
-        run: yarn run build:plugins
-
       - name: Build Desktop Layers
         run: yarn workspace @affine/electron build
 
@@ -221,7 +211,7 @@ jobs:
         run: Compress-Archive -CompressionLevel Fastest -Path packages/frontend/electron/out/* -DestinationPath archive.zip
 
       - name: Save packaged artifacts for signing
-        uses: actions/upload-artifact@v3
+        uses: actions/upload-artifact@v4
         with:
           name: packaged-${{ matrix.spec.platform }}-${{ matrix.spec.arch }}
           path: |
@@ -255,7 +245,7 @@ jobs:
         timeout-minutes: 10
         uses: ./.github/actions/setup-node
       - name: Download and overwrite packaged artifacts
-        uses: actions/download-artifact@v3
+        uses: actions/download-artifact@v4
         with:
           name: signed-packaged-${{ matrix.spec.platform }}-${{ matrix.spec.arch }}
           path: .
@@ -276,7 +266,7 @@ jobs:
           echo $FILES_TO_BE_SIGNED
 
       - name: Save installer for signing
-        uses: actions/upload-artifact@v3
+        uses: actions/upload-artifact@v4
         with:
           name: installer-${{ matrix.spec.platform }}-${{ matrix.spec.arch }}
           path: archive.zip
@@ -302,7 +292,7 @@ jobs:
     runs-on: ${{ matrix.spec.runner }}
     steps:
       - name: Download and overwrite installer artifacts
-        uses: actions/download-artifact@v3
+        uses: actions/download-artifact@v4
         with:
           name: signed-installer-${{ matrix.spec.platform }}-${{ matrix.spec.arch }}
           path: .
@@ -317,7 +307,7 @@ jobs:
           mv packages/frontend/electron/out/*/make/squirrel.windows/x64/*.msi ./builds/affine-${{ env.BUILD_TYPE }}-windows-x64.msi
 
       - name: Upload Artifact
-        uses: actions/upload-artifact@v3
+        uses: actions/upload-artifact@v4
         with:
           name: affine-${{ matrix.spec.platform }}-${{ matrix.spec.arch }}-builds
           path: builds
@@ -328,29 +318,29 @@ jobs:
 
     steps:
       - uses: actions/checkout@v4
-      - uses: actions/download-artifact@v3
+      - uses: actions/download-artifact@v4
         with:
           name: core
           path: web-static
       - name: Zip web-static
         run: zip -r web-static.zip web-static
       - name: Download Artifacts (macos-x64)
-        uses: actions/download-artifact@v3
+        uses: actions/download-artifact@v4
         with:
           name: affine-darwin-x64-builds
           path: ./
       - name: Download Artifacts (macos-arm64)
-        uses: actions/download-artifact@v3
+        uses: actions/download-artifact@v4
         with:
           name: affine-darwin-arm64-builds
           path: ./
       - name: Download Artifacts (windows-x64)
-        uses: actions/download-artifact@v3
+        uses: actions/download-artifact@v4
         with:
           name: affine-win32-x64-builds
           path: ./
       - name: Download Artifacts (linux-x64)
-        uses: actions/download-artifact@v3
+        uses: actions/download-artifact@v4
         with:
           name: affine-linux-x64-builds
           path: ./
@@ -361,14 +351,37 @@ jobs:
         run: |
           node ./packages/frontend/electron/scripts/generate-yml.js
         env:
-          RELEASE_VERSION: ${{ github.event.inputs.version || needs.before-make.outputs.RELEASE_VERSION }}
+          RELEASE_VERSION: ${{ needs.before-make.outputs.RELEASE_VERSION }}
       - name: Create Release Draft
+        if: ${{ github.ref_type == 'tag' }}
         uses: softprops/action-gh-release@v1
         with:
-          name: ${{ github.event.inputs.version || needs.before-make.outputs.RELEASE_VERSION }}
+          name: ${{ needs.before-make.outputs.RELEASE_VERSION }}
           body: ''
-          draft: ${{ github.event.inputs.is-draft || true }}
-          prerelease: ${{ github.event.inputs.is-pre-release || needs.before-make.outputs.version }}
+          draft: ${{ github.event.inputs.is-draft }}
+          prerelease: ${{ github.event.inputs.is-pre-release }}
+          files: |
+            ./VERSION
+            ./*.zip
+            ./*.dmg
+            ./*.exe
+            ./*.AppImage
+            ./*.apk
+            ./*.yml
+      - name: Create Nightly Release Draft
+        if: ${{ github.ref_type == 'branch' }}
+        uses: softprops/action-gh-release@v1
+        env:
+          GITHUB_TOKEN: ${{ secrets.RELEASE_TOKEN }}
+        with:
+          # Temporarily, treat release from branch as nightly release, artifact saved to AFFiNE-Releases.
+          # Need to improve internal build and nightly release logic.
+          repository: 'toeverything/AFFiNE-Releases'
+          name: ${{ needs.before-make.outputs.RELEASE_VERSION }}
+          tag_name: ${{ needs.before-make.outputs.RELEASE_VERSION }}
+          body: ''
+          draft: false
+          prerelease: true
           files: |
             ./VERSION
             ./*.zip

.github/workflows/windows-signer.yml

@@ -14,7 +14,7 @@ jobs:
     env:
       ARCHIVE_DIR: ${{ github.run_id }}-${{ github.run_attempt }}-${{ inputs.artifact-name }}
     steps:
-      - uses: actions/download-artifact@v3
+      - uses: actions/download-artifact@v4
         with:
           name: ${{ inputs.artifact-name }}
           path: ${{ env.ARCHIVE_DIR }}
@@ -36,7 +36,7 @@ jobs:
           cd ${{ env.ARCHIVE_DIR }}
           7za a signed.zip .\out\*
       - name: upload
-        uses: actions/upload-artifact@v3
+        uses: actions/upload-artifact@v4
         with:
           name: signed-${{ inputs.artifact-name }}
           path: ${{ env.ARCHIVE_DIR }}/signed.zip

.github/workflows/workers.yml

@@ -11,11 +11,11 @@ jobs:
   deploy:
     runs-on: ubuntu-latest
     name: Deploy
-    environment: production
+    environment: stable
     steps:
       - uses: actions/checkout@v4
       - name: Publish
-        uses: cloudflare/wrangler-action@v3.3.2
+        uses: cloudflare/wrangler-action@v3.4.0
         with:
           apiToken: ${{ secrets.CF_API_TOKEN }}
           accountId: ${{ secrets.CF_ACCOUNT_ID }}

.prettierignore

@@ -16,6 +16,8 @@ packages/frontend/i18n/src/i18n-generated.ts
 packages/frontend/graphql/src/graphql/index.ts
 tests/affine-legacy/**/static
 .yarnrc.yml
+packages/frontend/templates/templates.gen.ts
+packages/frontend/templates/onboarding
 
 # auto-generated by NAPI-RS
 # fixme(@joooye34): need script to check and generate ignore list here

Cargo.lock

@@ -3318,18 +3318,18 @@ dependencies = [
 
 [[package]]
 name = "zerocopy"
-version = "0.7.26"
+version = "0.7.31"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "e97e415490559a91254a2979b4829267a57d2fcd741a98eee8b722fb57289aa0"
+checksum = "1c4061bedbb353041c12f413700357bec76df2c7e2ca8e4df8bac24c6bf68e3d"
 dependencies = [
  "zerocopy-derive",
 ]
 
 [[package]]
 name = "zerocopy-derive"
-version = "0.7.26"
+version = "0.7.31"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "dd7e48ccf166952882ca8bd778a43502c64f33bf94c12ebe2a7f08e5a0f6689f"
+checksum = "b3c129550b3e6de3fd0ba67ba5c81818f9805e58b8d7fee80a3a59d2c9fc601a"
 dependencies = [
  "proc-macro2",
  "quote",

README.md

@@ -113,21 +113,6 @@ If you have questions, you are welcome to contact us. One of the best places to
 | [@toeverything/y-indexeddb](packages/common/y-indexeddb) | IndexedDB database adapter for Yjs | [![](https://img.shields.io/npm/dm/@toeverything/y-indexeddb?style=flat-square&color=eee)](https://www.npmjs.com/package/@toeverything/y-indexeddb) |
 | [@toeverything/theme](packages/common/theme)             | AFFiNE theme                       | [![](https://img.shields.io/npm/dm/@toeverything/theme?style=flat-square&color=eee)](https://www.npmjs.com/package/@toeverything/theme)             |
 
-## Plugins
-
-> Plugins are a way to extend the functionality of AFFiNE. You can use plugins to add new blocks, new features, and even new ways to edit content.
->
-> (Currently, the plugin system is under heavy development. You will see the plugin system in the canary release.)
-
-- [@affine/sdk](./packages/common/sdk) - SDK for developing plugins
-- [@affine/plugin-cli](./tools/plugin-cli) - CLI for developing plugins
-
-| Official Plugin                                                  | Description                               | Status |
-| ---------------------------------------------------------------- | ----------------------------------------- | ------ |
-| [@affine/copilot-plugin](./packages/plugins/copilot)             | AI Copilot that help you document writing | 🚧     |
-| [@affine/image-preview-plugin](./packages/plugins/image-preview) | Component for previewing an image         | ✅     |
-| [@affine/outline](./packages/plugins/outline)                    | Outline for your document                 | ✅     |
-
 ## Upstreams
 
 We would also like to give thanks to open-source projects that make AFFiNE possible:

docs/BUILDING.md

@@ -57,6 +57,29 @@ corepack prepare yarn@stable --activate
 yarn install
 ```
 
+### Clone repository
+
+#### Linux & MacOS
+
+```sh
+git clone https://github.com/toeverything/AFFiNE
+```
+
+#### Windows
+
+In our codebase, we use symbolic links. Due to the security design of Windows, the creation of symbolic links requires administrator privileges. This is part of the security policy settings of Windows, and more information can be found at [Security Policy Settings for Creating Symbolic Links](https://learn.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/create-symbolic-links).
+
+For detailed guidance on enabling this feature, please refer to the official documentation: [Enable Developer Mode on Windows](https://learn.microsoft.com/en-us/windows/apps/get-started/enable-your-device-for-development).
+
+Once Developer Mode is enabled, execute the following command with administrator privileges:
+
+```sh
+# Enable symbolic links
+git config --global core.symlinks true
+# Clone the repository, also need to be run with administrator privileges
+git clone https://github.com/toeverything/AFFiNE
+```
+
 ### Build Native Dependencies
 
 Run the following script. It will build the native module at [`/packages/frontend/native`](/packages/frontend/native) and build Node.js binding using [NAPI.rs](https://napi.rs/).
@@ -67,18 +90,6 @@ Note: use `strip` from system instead of `binutils` if you are running MacOS. [s
 yarn workspace @affine/native build
 ```
 
-### Build Infra
-
-```sh
-yarn run build:infra
-```
-
-### Build Plugins
-
-```sh
-yarn run build:plugins
-```
-
 ### Build Server Dependencies
 
 ```sh
@@ -102,7 +113,7 @@ yarn test
 ### E2E Test
 
 ```shell
-# there are `affine-local`, `affine-migration`, `affine-local`, `affine-plugin`, `affine-prototype` e2e tests,
+# there are `affine-local`, `affine-migration`, `affine-local`, `affine-prototype` e2e tests,
 #   which are run under different situations.
 cd tests/affine-local
 yarn e2e

docs/contributing/tutorial.md

@@ -17,7 +17,6 @@ The codebase is organized as follows:
 - `packages/` contains all code running in production.
   - `backend/` contains backend code, more information from <https://github.com/toeverything/OctoBase>.
   - `frontend/` contains frontend code, including the web app, the electron app and business libraries.
-  - `plugins/` contains all build-in plugins.
   - `common` contains the isomorphic code or basic libraries without business.
 - `tools/` contains tools to help developing or CI, not used in production.
 - `tests/` contains testings across different libraries, including e2e testings and integration testings.

package.json

@@ -1,6 +1,6 @@
 {
   "name": "@affine/monorepo",
-  "version": "0.10.4-beta.1",
+  "version": "0.11.0",
   "private": true,
   "author": "toeverything",
   "license": "MIT",
@@ -23,8 +23,6 @@
     "build": "yarn nx build @affine/core",
     "build:electron": "yarn nx build @affine/electron",
     "build:storage": "yarn nx run-many -t build -p @affine/storage",
-    "build:infra": "yarn nx run-many -t build --projects=tag:infra",
-    "build:plugins": "yarn nx run-many -t build --projects=tag:plugin",
     "build:storybook": "yarn nx build @affine/storybook",
     "start:web-static": "yarn workspace @affine/core static-server",
     "start:storybook": "yarn exec serve tests/storybook/storybook-static -l 6006",
@@ -33,7 +31,7 @@
     "lint:eslint:fix": "yarn lint:eslint --fix",
     "lint:prettier": "prettier --ignore-unknown --cache --check .",
     "lint:prettier:fix": "prettier --ignore-unknown --cache --write .",
-    "lint:ox": "oxlint --deny-warnings --import-plugin -D correctness -D nursery -D prefer-array-some -D no-useless-promise-resolve-reject -A no-undef -A consistent-type-exports -A default -A named -A ban-ts-comment",
+    "lint:ox": "oxlint --import-plugin --deny-warnings -D correctness -D nursery -D prefer-array-some -D no-useless-promise-resolve-reject -D perf -A no-undef -A consistent-type-exports -A default -A named -A ban-ts-comment -A export",
     "lint": "yarn lint:eslint && yarn lint:prettier",
     "lint:fix": "yarn lint:eslint:fix && yarn lint:prettier:fix",
     "test": "vitest --run",
@@ -58,13 +56,12 @@
   "devDependencies": {
     "@affine-test/kit": "workspace:*",
     "@affine/cli": "workspace:*",
-    "@affine/plugin-cli": "workspace:*",
     "@commitlint/cli": "^18.4.3",
     "@commitlint/config-conventional": "^18.4.3",
     "@faker-js/faker": "^8.3.1",
     "@istanbuljs/schema": "^0.1.3",
     "@magic-works/i18n-codegen": "^0.5.0",
-    "@nx/vite": "17.1.3",
+    "@nx/vite": "17.2.8",
     "@perfsee/sdk": "^1.9.0",
     "@playwright/test": "^1.40.0",
     "@taplo/cli": "^0.5.2",
@@ -78,8 +75,8 @@
     "@vanilla-extract/vite-plugin": "^3.9.2",
     "@vanilla-extract/webpack-plugin": "^2.3.1",
     "@vitejs/plugin-react-swc": "^3.5.0",
-    "@vitest/coverage-istanbul": "0.34.6",
-    "@vitest/ui": "0.34.6",
+    "@vitest/coverage-istanbul": "1.1.0",
+    "@vitest/ui": "1.1.0",
     "electron": "^27.1.0",
     "eslint": "^8.54.0",
     "eslint-config-prettier": "^9.0.0",
@@ -88,7 +85,7 @@
     "eslint-plugin-react-hooks": "^4.6.0",
     "eslint-plugin-simple-import-sort": "^10.0.0",
     "eslint-plugin-sonarjs": "^0.23.0",
-    "eslint-plugin-unicorn": "^49.0.0",
+    "eslint-plugin-unicorn": "^50.0.0",
     "eslint-plugin-unused-imports": "^3.0.0",
     "eslint-plugin-vue": "^9.18.1",
     "fake-indexeddb": "5.0.1",
@@ -100,7 +97,7 @@
     "nx": "^17.1.3",
     "nx-cloud": "^16.5.2",
     "nyc": "^15.1.0",
-    "oxlint": "^0.0.18",
+    "oxlint": "0.0.22",
     "prettier": "^3.1.0",
     "semver": "^7.5.4",
     "serve": "^14.2.1",
@@ -111,7 +108,7 @@
     "vite-plugin-istanbul": "^5.0.0",
     "vite-plugin-static-copy": "^1.0.0",
     "vite-tsconfig-paths": "^4.2.1",
-    "vitest": "0.34.6",
+    "vitest": "1.1.0",
     "vitest-fetch-mock": "^0.2.2",
     "vitest-mock-extended": "^1.3.1"
   },

packages/backend/server/migrations/20231030104009_user_features/migration.sql

@@ -0,0 +1,45 @@
+/*
+  Warnings:
+
+  - You are about to drop the `user_feature_gates` table. If the table is not empty, all the data it contains will be lost.
+
+*/
+-- DropForeignKey
+ALTER TABLE "user_feature_gates" DROP CONSTRAINT "user_feature_gates_user_id_fkey";
+
+-- DropTable
+DROP TABLE "user_feature_gates";
+
+-- CreateTable
+CREATE TABLE "user_features" (
+    "id" SERIAL NOT NULL,
+    "user_id" VARCHAR(36) NOT NULL,
+    "feature_id" INTEGER NOT NULL,
+    "reason" VARCHAR NOT NULL,
+    "created_at" TIMESTAMPTZ(6) NOT NULL DEFAULT CURRENT_TIMESTAMP,
+    "expired_at" TIMESTAMPTZ(6),
+    "activated" BOOLEAN NOT NULL DEFAULT false,
+
+    CONSTRAINT "user_features_pkey" PRIMARY KEY ("id")
+);
+
+-- CreateTable
+CREATE TABLE "features" (
+    "id" SERIAL NOT NULL,
+    "feature" VARCHAR NOT NULL,
+    "version" INTEGER NOT NULL DEFAULT 0,
+    "type" INTEGER NOT NULL,
+    "configs" JSON NOT NULL,
+    "created_at" TIMESTAMPTZ(6) NOT NULL DEFAULT CURRENT_TIMESTAMP,
+
+    CONSTRAINT "features_pkey" PRIMARY KEY ("id")
+);
+
+-- CreateIndex
+CREATE UNIQUE INDEX "features_feature_version_key" ON "features"("feature", "version");
+
+-- AddForeignKey
+ALTER TABLE "user_features" ADD CONSTRAINT "user_features_user_id_fkey" FOREIGN KEY ("user_id") REFERENCES "users"("id") ON DELETE CASCADE ON UPDATE CASCADE;
+
+-- AddForeignKey
+ALTER TABLE "user_features" ADD CONSTRAINT "user_features_feature_id_fkey" FOREIGN KEY ("feature_id") REFERENCES "features"("id") ON DELETE CASCADE ON UPDATE CASCADE;

packages/backend/server/package.json

@@ -1,7 +1,7 @@
 {
   "name": "@affine/server",
   "private": true,
-  "version": "0.10.4-beta.1",
+  "version": "0.11.0",
   "description": "Affine Node.js server",
   "type": "module",
   "bin": {
@@ -38,22 +38,22 @@
     "@node-rs/crc32": "^1.7.2",
     "@node-rs/jsonwebtoken": "^0.2.3",
     "@opentelemetry/api": "^1.7.0",
-    "@opentelemetry/core": "^1.18.1",
-    "@opentelemetry/exporter-prometheus": "^0.45.1",
-    "@opentelemetry/exporter-zipkin": "^1.18.1",
+    "@opentelemetry/core": "^1.19.0",
+    "@opentelemetry/exporter-prometheus": "^0.46.0",
+    "@opentelemetry/exporter-zipkin": "^1.19.0",
     "@opentelemetry/host-metrics": "^0.34.0",
-    "@opentelemetry/instrumentation": "^0.45.1",
+    "@opentelemetry/instrumentation": "^0.46.0",
     "@opentelemetry/instrumentation-graphql": "^0.36.0",
-    "@opentelemetry/instrumentation-http": "^0.45.1",
+    "@opentelemetry/instrumentation-http": "^0.46.0",
     "@opentelemetry/instrumentation-ioredis": "^0.36.0",
     "@opentelemetry/instrumentation-nestjs-core": "^0.33.3",
-    "@opentelemetry/instrumentation-socket.io": "^0.34.3",
-    "@opentelemetry/resources": "^1.18.1",
-    "@opentelemetry/sdk-metrics": "^1.18.1",
-    "@opentelemetry/sdk-node": "^0.45.1",
-    "@opentelemetry/sdk-trace-node": "^1.18.1",
-    "@prisma/client": "^5.6.0",
-    "@prisma/instrumentation": "^5.6.0",
+    "@opentelemetry/instrumentation-socket.io": "^0.34.4",
+    "@opentelemetry/resources": "^1.19.0",
+    "@opentelemetry/sdk-metrics": "^1.19.0",
+    "@opentelemetry/sdk-node": "^0.46.0",
+    "@opentelemetry/sdk-trace-node": "^1.19.0",
+    "@prisma/client": "^5.7.1",
+    "@prisma/instrumentation": "^5.7.1",
     "@socket.io/redis-adapter": "^8.2.1",
     "cookie-parser": "^1.4.6",
     "dotenv": "^16.3.1",
@@ -74,15 +74,16 @@
     "on-headers": "^1.0.2",
     "parse-duration": "^1.1.0",
     "pretty-time": "^1.1.0",
-    "prisma": "^5.6.0",
+    "prisma": "^5.7.1",
     "prom-client": "^15.0.0",
-    "reflect-metadata": "^0.1.13",
+    "reflect-metadata": "^0.2.0",
     "rxjs": "^7.8.1",
     "semver": "^7.5.4",
     "socket.io": "^4.7.2",
     "stripe": "^14.5.0",
     "ws": "^8.14.2",
-    "yjs": "^13.6.10"
+    "yjs": "^13.6.10",
+    "zod": "^3.22.4"
   },
   "devDependencies": {
     "@affine-test/kit": "workspace:*",
@@ -100,7 +101,7 @@
     "@types/on-headers": "^1.0.3",
     "@types/pretty-time": "^1.1.5",
     "@types/sinon": "^17.0.2",
-    "@types/supertest": "^2.0.16",
+    "@types/supertest": "^6.0.0",
     "@types/ws": "^8.5.10",
     "ava": "^6.0.0",
     "c8": "^8.0.1",
@@ -135,7 +136,8 @@
       "ENABLE_LOCAL_EMAIL": "true",
       "OAUTH_EMAIL_LOGIN": "noreply@toeverything.info",
       "OAUTH_EMAIL_PASSWORD": "affine",
-      "OAUTH_EMAIL_SENDER": "noreply@toeverything.info"
+      "OAUTH_EMAIL_SENDER": "noreply@toeverything.info",
+      "FEATURES_EARLY_ACCESS_PREVIEW": "false"
     }
   },
   "nodemonConfig": {

packages/backend/server/schema.prisma

@@ -1,7 +1,7 @@
 generator client {
   provider        = "prisma-client-js"
   binaryTargets   = ["native", "debian-openssl-3.0.x", "linux-arm64-openssl-3.0.x"]
-  previewFeatures = ["metrics", "tracing"]
+  previewFeatures = ["metrics", "tracing", "relationJoins", "nativeDistinct"]
 }
 
 datasource db {
@@ -22,7 +22,7 @@ model User {
 
   accounts             Account[]
   sessions             Session[]
-  features             UserFeatureGates[]
+  features             UserFeatures[]
   customer             UserStripeCustomer?
   subscription         UserSubscription?
   invoices             UserInvoice[]
@@ -113,15 +113,48 @@ model WorkspacePageUserPermission {
   @@map("workspace_page_user_permissions")
 }
 
-model UserFeatureGates {
-  id        String   @id @default(uuid()) @db.VarChar
-  userId    String   @map("user_id") @db.VarChar
-  feature   String   @db.VarChar
-  reason    String   @db.VarChar
-  createdAt DateTime @default(now()) @map("created_at") @db.Timestamptz(6)
-  user      User     @relation(fields: [userId], references: [id], onDelete: Cascade)
+// feature gates is a way to enable/disable features for a user
+// for example:
+// - early access is a feature that allow some users to access the insider version
+// - pro plan is a quota that allow some users access to more resources after they pay
+model UserFeatures {
+  id        Int    @id @default(autoincrement())
+  userId    String @map("user_id") @db.VarChar(36)
+  featureId Int    @map("feature_id") @db.Integer
 
-  @@map("user_feature_gates")
+  // we will record the reason why the feature is enabled/disabled
+  // for example:
+  // - pro_plan_v1: "user buy the pro plan"
+  reason    String    @db.VarChar
+  // record the quota enabled time
+  createdAt DateTime  @default(now()) @map("created_at") @db.Timestamptz(6)
+  // record the quota expired time, pay plan is a subscription, so it will expired
+  expiredAt DateTime? @map("expired_at") @db.Timestamptz(6)
+  // whether the feature is activated
+  // for example:
+  // - if we switch the user to another plan, we will set the old plan to deactivated, but dont delete it
+  activated Boolean   @default(false)
+
+  user    User     @relation(fields: [userId], references: [id], onDelete: Cascade)
+  feature Features @relation(fields: [featureId], references: [id], onDelete: Cascade)
+
+  @@map("user_features")
+}
+
+model Features {
+  id        Int      @id @default(autoincrement())
+  feature   String   @db.VarChar
+  version   Int      @default(0) @db.Integer
+  // 0: feature, 1: quota
+  type      Int      @db.Integer
+  // configs, define by feature conntroller
+  configs   Json     @db.Json
+  createdAt DateTime @default(now()) @map("created_at") @db.Timestamptz(6)
+
+  UserFeatureGates UserFeatures[]
+
+  @@unique([feature, version])
+  @@map("features")
 }
 
 model Account {

packages/backend/server/scripts/init-db.ts

@@ -8,6 +8,20 @@ async function main() {
     data: {
       ...userA,
       password: await hash(userA.password),
+      features: {
+        create: {
+          reason: 'created by api sign up',
+          activated: true,
+          feature: {
+            connect: {
+              feature_version: {
+                feature: 'free_plan_v1',
+                version: 1,
+              },
+            },
+          },
+        },
+      },
     },
   });
 }

packages/backend/server/src/app.ts

@@ -1,7 +1,8 @@
 import { Module } from '@nestjs/common';
+import { APP_INTERCEPTOR } from '@nestjs/core';
 
 import { AppController } from './app.controller';
-import { CacheModule } from './cache';
+import { CacheInterceptor, CacheModule } from './cache';
 import { ConfigModule } from './config';
 import { EventModule } from './event';
 import { BusinessModules } from './modules';
@@ -23,6 +24,12 @@ const BasicModules = [
 ];
 
 @Module({
+  providers: [
+    {
+      provide: APP_INTERCEPTOR,
+      useClass: CacheInterceptor,
+    },
+  ],
   imports: [...BasicModules, ...BusinessModules],
   controllers: [AppController],
 })

packages/backend/server/src/cache/index.ts

@@ -22,3 +22,5 @@ const CacheProvider: FactoryProvider = {
 })
 export class CacheModule {}
 export { LocalCache as Cache };
+
+export { CacheInterceptor, MakeCache, PreventCache } from './interceptor';

packages/backend/server/src/cache/interceptor.ts

@@ -0,0 +1,99 @@
+import {
+  CallHandler,
+  ExecutionContext,
+  Injectable,
+  Logger,
+  NestInterceptor,
+  SetMetadata,
+} from '@nestjs/common';
+import { Reflector } from '@nestjs/core';
+import { GqlContextType, GqlExecutionContext } from '@nestjs/graphql';
+import { mergeMap, Observable, of } from 'rxjs';
+
+import { LocalCache } from './cache';
+
+export const MakeCache = (key: string[], args?: string[]) =>
+  SetMetadata('cacheKey', [key, args]);
+export const PreventCache = (key: string[], args?: string[]) =>
+  SetMetadata('preventCache', [key, args]);
+
+type CacheConfig = [string[], string[]?];
+
+@Injectable()
+export class CacheInterceptor implements NestInterceptor {
+  private readonly logger = new Logger(CacheInterceptor.name);
+  constructor(
+    private readonly reflector: Reflector,
+    private readonly cache: LocalCache
+  ) {}
+  async intercept(
+    ctx: ExecutionContext,
+    next: CallHandler<any>
+  ): Promise<Observable<any>> {
+    const key = this.reflector.get<CacheConfig | undefined>(
+      'cacheKey',
+      ctx.getHandler()
+    );
+    const preventKey = this.reflector.get<CacheConfig | undefined>(
+      'preventCache',
+      ctx.getHandler()
+    );
+
+    if (preventKey) {
+      this.logger.debug(`prevent cache: ${JSON.stringify(preventKey)}`);
+      const key = await this.getCacheKey(ctx, preventKey);
+      if (key) {
+        await this.cache.delete(key);
+      }
+
+      return next.handle();
+    } else if (!key) {
+      return next.handle();
+    }
+
+    const cacheKey = await this.getCacheKey(ctx, key);
+
+    if (!cacheKey) {
+      return next.handle();
+    }
+
+    const cachedData = await this.cache.get(cacheKey);
+
+    if (cachedData) {
+      this.logger.debug('cache hit', cacheKey, cachedData);
+      return of(cachedData);
+    } else {
+      return next.handle().pipe(
+        mergeMap(async result => {
+          this.logger.debug('cache miss', cacheKey, result);
+          await this.cache.set(cacheKey, result);
+
+          return result;
+        })
+      );
+    }
+  }
+
+  private async getCacheKey(
+    ctx: ExecutionContext,
+    config: CacheConfig
+  ): Promise<string | null> {
+    const [key, params] = config;
+
+    if (!params) {
+      return key.join(':');
+    } else if (ctx.getType<GqlContextType>() === 'graphql') {
+      const args = GqlExecutionContext.create(ctx).getArgs();
+      const cacheKey = params
+        .map(name => args[name])
+        .filter(v => v)
+        .join(':');
+      if (cacheKey) {
+        return [...key, cacheKey].join(':');
+      } else {
+        return key.join(':');
+      }
+    }
+    return null;
+  }
+}

packages/backend/server/src/config/def.ts

@@ -16,6 +16,8 @@ export enum ExternalAccount {
   firebase = 'firebase',
 }
 
+export type ServerFlavor = 'allinone' | 'graphql' | 'sync' | 'selfhosted';
+
 type EnvConfigType = 'string' | 'int' | 'float' | 'boolean';
 type ConfigPaths = LeafPaths<
   Omit<
@@ -186,11 +188,6 @@ export interface AFFiNEConfig {
     fs: {
       path: string;
     };
-    /**
-     * default storage quota
-     * @default 10 * 1024 * 1024 * 1024 (10GB)
-     */
-    quota: number;
   };
 
   /**
@@ -345,6 +342,11 @@ export interface AFFiNEConfig {
 
   doc: {
     manager: {
+      /**
+       * Whether auto merge updates into doc snapshot.
+       */
+      enableUpdateAutoMerging: boolean;
+
       /**
        * How often the [DocManager] will start a new turn of merging pending updates into doc snapshot.
        *

packages/backend/server/src/config/default.ts

@@ -7,9 +7,12 @@ import { join } from 'node:path';
 import parse from 'parse-duration';
 
 import pkg from '../../package.json' assert { type: 'json' };
-import type { AFFiNEConfig } from './def';
+import type { AFFiNEConfig, ServerFlavor } from './def';
 import { applyEnvToConfig } from './env';
 
+export const SERVER_FLAVOR = (process.env.SERVER_FLAVOR ??
+  'allinone') as ServerFlavor;
+
 // Don't use this in production
 export const examplePrivateKey = `-----BEGIN EC PRIVATE KEY-----
 MHcCAQEEIEtyAJLIULkphVhqXqxk4Nr8Ggty3XLwUJWBxzAWCWTMoAoGCCqGSM49
@@ -55,7 +58,6 @@ export const getDefaultAFFiNEConfig: () => AFFiNEConfig = () => {
       AFFINE_SERVER_HOST: 'host',
       AFFINE_SERVER_SUB_PATH: 'path',
       AFFINE_ENV: 'affineEnv',
-      AFFINE_FREE_USER_QUOTA: 'objectStorage.quota',
       DATABASE_URL: 'db.url',
       ENABLE_R2_OBJECT_STORAGE: ['objectStorage.r2.enabled', 'boolean'],
       R2_OBJECT_STORAGE_ACCOUNT_ID: 'objectStorage.r2.accountId',
@@ -189,8 +191,6 @@ export const getDefaultAFFiNEConfig: () => AFFiNEConfig = () => {
       fs: {
         path: join(homedir(), '.affine-storage'),
       },
-      // 10GB
-      quota: 10 * 1024 * 1024 * 1024,
     },
     rateLimiter: {
       ttl: 60,
@@ -206,6 +206,7 @@ export const getDefaultAFFiNEConfig: () => AFFiNEConfig = () => {
     },
     doc: {
       manager: {
+        enableUpdateAutoMerging: SERVER_FLAVOR !== 'sync',
         updatePollInterval: 3000,
         experimentalMergeWithJwstCodec: false,
       },

packages/backend/server/src/config/index.ts

@@ -73,3 +73,4 @@ export class ConfigModule {
 }
 
 export type { AFFiNEConfig } from './def';
+export { SERVER_FLAVOR } from './default';

packages/backend/server/src/data/commands/run.ts

@@ -14,7 +14,7 @@ interface Migration {
   down: (db: PrismaService) => Promise<void>;
 }
 
-async function collectMigrations(): Promise<Migration[]> {
+export async function collectMigrations(): Promise<Migration[]> {
   const folder = join(fileURLToPath(import.meta.url), '../../migrations');
 
   const migrationFiles = readdirSync(folder)
@@ -64,35 +64,8 @@ export class RunCommand extends CommandRunner {
         continue;
       }
 
-      this.logger.log(`Running ${migration.name}...`);
-      const record = await this.db.dataMigration.create({
-        data: {
-          name: migration.name,
-          startedAt: new Date(),
-        },
-      });
+      await this.runMigration(migration);
 
-      try {
-        await migration.up(this.db);
-      } catch (e) {
-        await this.db.dataMigration.delete({
-          where: {
-            id: record.id,
-          },
-        });
-        await migration.down(this.db);
-        this.logger.error('Failed to run data migration', e);
-        process.exit(1);
-      }
-
-      await this.db.dataMigration.update({
-        where: {
-          id: record.id,
-        },
-        data: {
-          finishedAt: new Date(),
-        },
-      });
       done.push(migration);
     }
 
@@ -101,6 +74,56 @@ export class RunCommand extends CommandRunner {
       this.logger.log(`  ✔ ${migration.name}`);
     });
   }
+
+  async runOne(name: string) {
+    const migrations = await collectMigrations();
+    const migration = migrations.find(m => m.name === name);
+
+    if (!migration) {
+      throw new Error(`Unknown migration name: ${name}.`);
+    }
+    const exists = await this.db.dataMigration.count({
+      where: {
+        name: migration.name,
+      },
+    });
+
+    if (exists) return;
+
+    await this.runMigration(migration);
+  }
+
+  private async runMigration(migration: Migration) {
+    this.logger.log(`Running ${migration.name}...`);
+    const record = await this.db.dataMigration.create({
+      data: {
+        name: migration.name,
+        startedAt: new Date(),
+      },
+    });
+
+    try {
+      await migration.up(this.db);
+    } catch (e) {
+      await this.db.dataMigration.delete({
+        where: {
+          id: record.id,
+        },
+      });
+      await migration.down(this.db);
+      this.logger.error('Failed to run data migration', e);
+      process.exit(1);
+    }
+
+    await this.db.dataMigration.update({
+      where: {
+        id: record.id,
+      },
+      data: {
+        finishedAt: new Date(),
+      },
+    });
+  }
 }
 
 @Command({

packages/backend/server/src/data/migrations/1698652531198-user-features-init.ts

@@ -0,0 +1,122 @@
+import { Prisma } from '@prisma/client';
+
+import {
+  CommonFeature,
+  FeatureKind,
+  Features,
+  FeatureType,
+} from '../../modules/features';
+import { Quotas } from '../../modules/quota/schema';
+import { PrismaService } from '../../prisma';
+
+export class UserFeaturesInit1698652531198 {
+  // do the migration
+  static async up(db: PrismaService) {
+    // upgrade features from lower version to higher version
+    for (const feature of Features) {
+      await upsertFeature(db, feature);
+    }
+    await migrateNewFeatureTable(db);
+
+    for (const quota of Quotas) {
+      await upsertFeature(db, quota);
+    }
+  }
+
+  // revert the migration
+  static async down(_db: PrismaService) {
+    // TODO: revert the migration
+  }
+}
+
+// upgrade features from lower version to higher version
+async function upsertFeature(
+  db: PrismaService,
+  feature: CommonFeature
+): Promise<void> {
+  const hasEqualOrGreaterVersion =
+    (await db.features.count({
+      where: {
+        feature: feature.feature,
+        version: {
+          gte: feature.version,
+        },
+      },
+    })) > 0;
+  // will not update exists version
+  if (!hasEqualOrGreaterVersion) {
+    await db.features.create({
+      data: {
+        feature: feature.feature,
+        type: feature.type,
+        version: feature.version,
+        configs: feature.configs as Prisma.InputJsonValue,
+      },
+    });
+  }
+}
+
+async function migrateNewFeatureTable(prisma: PrismaService) {
+  const waitingList = await prisma.newFeaturesWaitingList.findMany();
+  for (const oldUser of waitingList) {
+    const user = await prisma.user.findFirst({
+      where: {
+        email: oldUser.email,
+      },
+    });
+    if (user) {
+      const hasEarlyAccess = await prisma.userFeatures.count({
+        where: {
+          userId: user.id,
+          feature: {
+            feature: FeatureType.EarlyAccess,
+          },
+          activated: true,
+        },
+      });
+      if (hasEarlyAccess === 0) {
+        await prisma.$transaction(async tx => {
+          const latestFlag = await tx.userFeatures.findFirst({
+            where: {
+              userId: user.id,
+              feature: {
+                feature: FeatureType.EarlyAccess,
+                type: FeatureKind.Feature,
+              },
+              activated: true,
+            },
+            orderBy: {
+              createdAt: 'desc',
+            },
+          });
+          if (latestFlag) {
+            return latestFlag.id;
+          } else {
+            return tx.userFeatures
+              .create({
+                data: {
+                  reason: 'Early access user',
+                  activated: true,
+                  user: {
+                    connect: {
+                      id: user.id,
+                    },
+                  },
+                  feature: {
+                    connect: {
+                      feature_version: {
+                        feature: FeatureType.EarlyAccess,
+                        version: 1,
+                      },
+                      type: FeatureKind.Feature,
+                    },
+                  },
+                },
+              })
+              .then(r => r.id);
+          }
+        });
+      }
+    }
+  }
+}

packages/backend/server/src/data/migrations/1702620653283-old-user-feature.ts

@@ -0,0 +1,37 @@
+import { QuotaType } from '../../modules/quota/types';
+import { PrismaService } from '../../prisma';
+
+export class OldUserFeature1702620653283 {
+  // do the migration
+  static async up(db: PrismaService) {
+    await db.$transaction(async tx => {
+      const latestFreePlan = await tx.features.findFirstOrThrow({
+        where: { feature: QuotaType.FreePlanV1 },
+        orderBy: { version: 'desc' },
+        select: { id: true },
+      });
+
+      // find all users that don't have any features
+      const userIds = await db.user.findMany({
+        where: { NOT: { features: { some: { NOT: { id: { gt: 0 } } } } } },
+        select: { id: true },
+      });
+      console.log(`migrating ${userIds.join('|')} users`);
+
+      await tx.userFeatures.createMany({
+        data: userIds.map(({ id: userId }) => ({
+          userId,
+          featureId: latestFreePlan.id,
+          reason: 'old user feature migration',
+          activated: true,
+        })),
+      });
+    });
+  }
+
+  // revert the migration
+  // WARN: this will drop all user features
+  static async down(db: PrismaService) {
+    await db.userFeatures.deleteMany({});
+  }
+}

packages/backend/server/src/data/migrations/1703756315970-unamed-account.ts

@@ -0,0 +1,31 @@
+import type { UserType } from '../../modules/users';
+import { PrismaService } from '../../prisma';
+
+export class UnamedAccount1703756315970 {
+  // do the migration
+  static async up(db: PrismaService) {
+    await db.$transaction(async tx => {
+      // only find users with empty names
+      const users = await db.$queryRaw<
+        UserType[]
+      >`SELECT * FROM users WHERE name ~ E'^[\\s\\u2000-\\u200F]*$';`;
+      console.log(
+        `renaming ${users.map(({ email }) => email).join('|')} users`
+      );
+
+      await Promise.all(
+        users.map(({ id, email }) =>
+          tx.user.update({
+            where: { id },
+            data: {
+              name: email.split('@')[0],
+            },
+          })
+        )
+      );
+    });
+  }
+
+  // revert the migration
+  static async down(_db: PrismaService) {}
+}

packages/backend/server/src/event/index.ts

@@ -28,12 +28,10 @@ export class EventEmitter {
   }
 }
 
-export const OnEvent = (
+export const OnEvent = RawOnEvent as (
   event: Event,
   opts?: Parameters<typeof RawOnEvent>[1]
-) => {
-  return RawOnEvent(event, opts);
-};
+) => MethodDecorator;
 
 @Global()
 @Module({

packages/backend/server/src/graphql.module.ts

@@ -29,6 +29,7 @@ import { GQLLoggerPlugin } from './graphql/logger-plugin';
           context: ({ req, res }: { req: Request; res: Response }) => ({
             req,
             res,
+            isAdminQuery: false,
           }),
           plugins: [new GQLLoggerPlugin()],
         };

packages/backend/server/src/metrics/opentelemetry.ts

@@ -29,7 +29,9 @@ import {
   SpanExporter,
   TraceIdRatioBasedSampler,
 } from '@opentelemetry/sdk-trace-node';
-import { PrismaInstrumentation } from '@prisma/instrumentation';
+import prismaInstrument from '@prisma/instrumentation';
+
+const { PrismaInstrumentation } = prismaInstrument;
 
 import { PrismaMetricProducer } from './prisma';
 

packages/backend/server/src/modules/auth/mailer/mail.service.ts

@@ -72,15 +72,11 @@ export class MailService {
     invitationInfo.workspace.name
   }</span></p><p style="margin-top:8px;margin-bottom:0;">Click button to join this workspace</p>`;
 
-    const subContent =
-      'Currently, AFFiNE Cloud is in the early access stage. Only Early Access Sponsors can register and log in to AFFiNE Cloud. <a href="https://community.affine.pro/c/insider-general/" style="color: #1e67af" >Please click here for more information.</a>';
-
     const html = emailTemplate({
       title: 'You are invited!',
       content,
       buttonContent: 'Accept & Join',
       buttonUrl,
-      subContent,
     });
 
     return this.sendMail({

packages/backend/server/src/modules/auth/next-auth-options.ts

@@ -11,8 +11,8 @@ import Google from 'next-auth/providers/google';
 import { Config } from '../../config';
 import { PrismaService } from '../../prisma';
 import { SessionService } from '../../session';
-import { NewFeaturesKind } from '../users/types';
-import { isStaff } from '../users/utils';
+import { FeatureType } from '../features';
+import { Quota_FreePlanV1 } from '../quota';
 import { MailService } from './mailer';
 import {
   decode,
@@ -44,6 +44,17 @@ export const NextAuthOptionsProvider: FactoryProvider<NextAuthOptions> = {
         email: data.email,
         avatarUrl: '',
         emailVerified: data.emailVerified,
+        features: {
+          create: {
+            reason: 'created by email sign up',
+            activated: true,
+            feature: {
+              connect: {
+                feature_version: Quota_FreePlanV1,
+              },
+            },
+          },
+        },
       };
       if (data.email && !data.name) {
         userData.name = data.email.split('@')[0];
@@ -223,18 +234,23 @@ export const NextAuthOptionsProvider: FactoryProvider<NextAuthOptions> = {
         }
         const email = profile?.email ?? user.email;
         if (email) {
-          if (isStaff(email)) {
-            return true;
-          }
-          return prisma.newFeaturesWaitingList
-            .findUnique({
+          // FIXME: cannot inject FeatureManagementService here
+          // it will cause prisma.account to be undefined
+          // then prismaAdapter.getUserByAccount will throw error
+          if (email.endsWith('@toeverything.info')) return true;
+          return prisma.userFeatures
+            .count({
               where: {
-                email,
-                type: NewFeaturesKind.EarlyAccess,
+                user: {
+                  email,
+                },
+                feature: {
+                  feature: FeatureType.EarlyAccess,
+                },
+                activated: true,
               },
             })
-            .then(user => !!user)
-            .catch(() => false);
+            .then(count => count > 0);
         }
         return false;
       },
@@ -242,6 +258,10 @@ export const NextAuthOptionsProvider: FactoryProvider<NextAuthOptions> = {
         return url;
       },
     };
+
+    nextAuthOptions.pages = {
+      newUser: '/auth/onboarding',
+    };
     return nextAuthOptions;
   },
   inject: [Config, PrismaService, MailService, SessionService],

packages/backend/server/src/modules/auth/resolver.ts

@@ -19,7 +19,7 @@ import { nanoid } from 'nanoid';
 import { Config } from '../../config';
 import { SessionService } from '../../session';
 import { CloudThrottlerGuard, Throttle } from '../../throttler';
-import { UserType } from '../users/resolver';
+import { UserType } from '../users';
 import { Auth, CurrentUser } from './guard';
 import { AuthService } from './service';
 

packages/backend/server/src/modules/auth/service.ts

@@ -14,6 +14,7 @@ import { nanoid } from 'nanoid';
 import { Config } from '../../config';
 import { PrismaService } from '../../prisma';
 import { verifyChallengeResponse } from '../../storage';
+import { Quota_FreePlanV1 } from '../quota';
 import { MailService } from './mailer';
 
 export type UserClaim = Pick<
@@ -190,6 +191,17 @@ export class AuthService {
         name,
         email,
         password: hashedPassword,
+        features: {
+          create: {
+            reason: 'created by api sign up',
+            activated: true,
+            feature: {
+              connect: {
+                feature_version: Quota_FreePlanV1,
+              },
+            },
+          },
+        },
       },
     });
   }
@@ -209,6 +221,17 @@ export class AuthService {
       data: {
         name: 'Unnamed',
         email,
+        features: {
+          create: {
+            reason: 'created by invite sign up',
+            activated: true,
+            feature: {
+              connect: {
+                feature_version: Quota_FreePlanV1,
+              },
+            },
+          },
+        },
       },
     });
   }
@@ -258,6 +281,7 @@ export class AuthService {
       },
     });
   }
+
   async changeEmail(id: string, newEmail: string): Promise<User> {
     const user = await this.prisma.user.findUnique({
       where: {

packages/backend/server/src/modules/config.ts

@@ -1,7 +1,7 @@
 import { Module } from '@nestjs/common';
 import { Field, ObjectType, Query } from '@nestjs/graphql';
 
-export const { SERVER_FLAVOR } = process.env;
+import { SERVER_FLAVOR } from '../config';
 
 @ObjectType()
 export class ServerConfigType {
@@ -10,6 +10,9 @@ export class ServerConfigType {
 
   @Field({ description: 'server flavor' })
   flavor!: string;
+
+  @Field({ description: 'server base url' })
+  baseUrl!: string;
 }
 
 export class ServerConfigResolver {
@@ -19,7 +22,8 @@ export class ServerConfigResolver {
   serverConfig(): ServerConfigType {
     return {
       version: AFFiNE.version,
-      flavor: SERVER_FLAVOR || 'allinone',
+      flavor: SERVER_FLAVOR,
+      baseUrl: AFFiNE.baseUrl,
     };
   }
 }

packages/backend/server/src/modules/doc/history.ts

@@ -7,7 +7,7 @@ import { Config } from '../../config';
 import { type EventPayload, OnEvent } from '../../event';
 import { metrics } from '../../metrics';
 import { PrismaService } from '../../prisma';
-import { SubscriptionStatus } from '../payment/service';
+import { QuotaService } from '../quota';
 import { Permission } from '../workspaces/types';
 import { isEmptyBuffer } from './manager';
 
@@ -16,7 +16,8 @@ export class DocHistoryManager {
   private readonly logger = new Logger(DocHistoryManager.name);
   constructor(
     private readonly config: Config,
-    private readonly db: PrismaService
+    private readonly db: PrismaService,
+    private readonly quota: QuotaService
   ) {}
 
   @OnEvent('workspace.deleted')
@@ -222,9 +223,6 @@ export class DocHistoryManager {
     return history.timestamp;
   }
 
-  /**
-   * @todo(@darkskygit) refactor with [Usage Control] system
-   */
   async getExpiredDateFromNow(workspaceId: string) {
     const permission = await this.db.workspaceUserPermission.findFirst({
       select: {
@@ -241,25 +239,8 @@ export class DocHistoryManager {
       throw new Error('Workspace owner not found');
     }
 
-    const sub = await this.db.userSubscription.findFirst({
-      select: {
-        id: true,
-      },
-      where: {
-        userId: permission.userId,
-        status: SubscriptionStatus.Active,
-      },
-    });
-
-    return new Date(
-      Date.now() +
-        1000 *
-          60 *
-          60 *
-          24 *
-          // 30 days for subscription user, 7 days for free user
-          (sub ? 30 : 7)
-    );
+    const quota = await this.quota.getUserQuota(permission.userId);
+    return quota.feature.historyPeriodFromNow;
   }
 
   @Cron(CronExpression.EVERY_DAY_AT_MIDNIGHT /* everyday at 12am */)

packages/backend/server/src/modules/doc/index.ts

@@ -1,38 +1,14 @@
-import { DynamicModule } from '@nestjs/common';
+import { Module } from '@nestjs/common';
 
+import { QuotaModule } from '../quota';
 import { DocHistoryManager } from './history';
 import { DocManager } from './manager';
 
-export class DocModule {
-  /**
-   * @param automation whether enable update merging automation logic
-   */
-  private static defModule(automation = true): DynamicModule {
-    return {
-      module: DocModule,
-      providers: [
-        {
-          provide: 'DOC_MANAGER_AUTOMATION',
-          useValue: automation,
-        },
-        DocManager,
-        DocHistoryManager,
-      ],
-      exports: [DocManager, DocHistoryManager],
-    };
-  }
-
-  static forRoot() {
-    return this.defModule();
-  }
-
-  static forSync(): DynamicModule {
-    return this.defModule(false);
-  }
-
-  static forFeature(): DynamicModule {
-    return this.defModule(false);
-  }
-}
+@Module({
+  imports: [QuotaModule],
+  providers: [DocManager, DocHistoryManager],
+  exports: [DocManager, DocHistoryManager],
+})
+export class DocModule {}
 
 export { DocHistoryManager, DocManager };

packages/backend/server/src/modules/doc/manager.ts

@@ -1,5 +1,4 @@
 import {
-  Inject,
   Injectable,
   Logger,
   OnModuleDestroy,
@@ -97,8 +96,6 @@ export class DocManager implements OnModuleInit, OnModuleDestroy {
   private busy = false;
 
   constructor(
-    @Inject('DOC_MANAGER_AUTOMATION')
-    private readonly automation: boolean,
     private readonly db: PrismaService,
     private readonly config: Config,
     private readonly cache: Cache,
@@ -106,7 +103,7 @@ export class DocManager implements OnModuleInit, OnModuleDestroy {
   ) {}
 
   onModuleInit() {
-    if (this.automation) {
+    if (this.config.doc.manager.enableUpdateAutoMerging) {
       this.logger.log('Use Database');
       this.setup();
     }
@@ -464,6 +461,9 @@ export class DocManager implements OnModuleInit, OnModuleDestroy {
     workspaceId: string,
     guid: string,
     doc: Doc,
+    // we always delay the snapshot update to avoid db overload,
+    // so the value of `updatedAt` will not be accurate to user's real action time
+    updatedAt: Date,
     initialSeq?: number
   ) {
     return this.lockSnapshotForUpsert(workspaceId, guid, async () => {
@@ -502,6 +502,7 @@ export class DocManager implements OnModuleInit, OnModuleDestroy {
               data: {
                 blob,
                 state,
+                updatedAt,
               },
             });
 
@@ -521,6 +522,8 @@ export class DocManager implements OnModuleInit, OnModuleDestroy {
               blob,
               state,
               seq: initialSeq,
+              createdAt: updatedAt,
+              updatedAt,
             },
           });
 
@@ -565,7 +568,13 @@ export class DocManager implements OnModuleInit, OnModuleDestroy {
       ...updates.map(u => u.blob)
     );
 
-    const done = await this.upsert(workspaceId, id, doc, last.seq);
+    const done = await this.upsert(
+      workspaceId,
+      id,
+      doc,
+      last.createdAt,
+      last.seq
+    );
 
     if (done) {
       if (snapshot) {

packages/backend/server/src/modules/features/feature.ts

@@ -0,0 +1,78 @@
+import { PrismaService } from '../../prisma';
+import { Feature, FeatureSchema, FeatureType } from './types';
+
+class FeatureConfig {
+  readonly config: Feature;
+
+  constructor(data: any) {
+    const config = FeatureSchema.safeParse(data);
+    if (config.success) {
+      this.config = config.data;
+    } else {
+      throw new Error(`Invalid quota config: ${config.error.message}`);
+    }
+  }
+
+  /// feature name of quota
+  get name() {
+    return this.config.feature;
+  }
+}
+
+export class EarlyAccessFeatureConfig extends FeatureConfig {
+  constructor(data: any) {
+    super(data);
+
+    if (this.config.feature !== FeatureType.EarlyAccess) {
+      throw new Error('Invalid feature config: type is not EarlyAccess');
+    }
+  }
+
+  checkWhiteList(email: string) {
+    for (const domain in this.config.configs.whitelist) {
+      if (email.endsWith(domain)) {
+        return true;
+      }
+    }
+    return false;
+  }
+}
+
+const FeatureConfigMap = {
+  [FeatureType.EarlyAccess]: EarlyAccessFeatureConfig,
+};
+
+const FeatureCache = new Map<
+  number,
+  InstanceType<(typeof FeatureConfigMap)[FeatureType]>
+>();
+
+export async function getFeature(prisma: PrismaService, featureId: number) {
+  const cachedQuota = FeatureCache.get(featureId);
+
+  if (cachedQuota) {
+    return cachedQuota;
+  }
+
+  const feature = await prisma.features.findFirst({
+    where: {
+      id: featureId,
+    },
+  });
+  if (!feature) {
+    // this should unreachable
+    throw new Error(`Quota config ${featureId} not found`);
+  }
+  const ConfigClass = FeatureConfigMap[feature.feature as FeatureType];
+
+  if (!ConfigClass) {
+    throw new Error(`Feature config ${featureId} not found`);
+  }
+
+  const config = new ConfigClass(feature);
+  // we always edit quota config as a new quota config
+  // so we can cache it by featureId
+  FeatureCache.set(featureId, config);
+
+  return config;
+}

packages/backend/server/src/modules/features/index.ts

@@ -0,0 +1,21 @@
+import { Module } from '@nestjs/common';
+
+import { PrismaService } from '../../prisma';
+import { FeatureManagementService } from './management';
+import { FeatureService } from './service';
+
+/**
+ * Feature module provider pre-user feature flag management.
+ * includes:
+ * - feature query/update/permit
+ * - feature statistics
+ */
+@Module({
+  providers: [FeatureService, FeatureManagementService],
+  exports: [FeatureService, FeatureManagementService],
+})
+export class FeatureModule {}
+
+export { type CommonFeature, commonFeatureSchema } from './types';
+export { FeatureKind, Features, FeatureType } from './types';
+export { FeatureManagementService, FeatureService, PrismaService };

packages/backend/server/src/modules/features/management.ts

@@ -0,0 +1,89 @@
+import { Injectable, Logger, OnModuleInit } from '@nestjs/common';
+
+import { Config } from '../../config';
+import { PrismaService } from '../../prisma';
+import { EarlyAccessFeatureConfig } from './feature';
+import { FeatureService } from './service';
+import { FeatureType } from './types';
+
+enum NewFeaturesKind {
+  EarlyAccess,
+}
+
+@Injectable()
+export class FeatureManagementService implements OnModuleInit {
+  protected logger = new Logger(FeatureManagementService.name);
+  private earlyAccessFeature?: EarlyAccessFeatureConfig;
+  constructor(
+    private readonly feature: FeatureService,
+    private readonly prisma: PrismaService,
+    private readonly config: Config
+  ) {}
+  async onModuleInit() {
+    this.earlyAccessFeature = await this.feature.getFeature(
+      FeatureType.EarlyAccess
+    );
+  }
+
+  // ======== Admin ========
+
+  // todo(@darkskygit): replace this with abac
+  isStaff(email: string) {
+    return this.earlyAccessFeature?.checkWhiteList(email) ?? false;
+  }
+
+  // ======== Early Access ========
+
+  async addEarlyAccess(userId: string) {
+    return this.feature.addUserFeature(
+      userId,
+      FeatureType.EarlyAccess,
+      1,
+      'Early access user'
+    );
+  }
+
+  async removeEarlyAccess(userId: string) {
+    return this.feature.removeUserFeature(userId, FeatureType.EarlyAccess);
+  }
+
+  async listEarlyAccess() {
+    return this.feature.listFeatureUsers(FeatureType.EarlyAccess);
+  }
+
+  /// check early access by email
+  async canEarlyAccess(email: string) {
+    if (this.config.featureFlags.earlyAccessPreview && !this.isStaff(email)) {
+      const user = await this.prisma.user.findFirst({
+        where: {
+          email,
+        },
+      });
+      if (user) {
+        const canEarlyAccess = await this.feature
+          .hasFeature(user.id, FeatureType.EarlyAccess)
+          .catch(() => false);
+        if (canEarlyAccess) {
+          return true;
+        }
+
+        // TODO: Outdated, switch to feature gates
+        const oldCanEarlyAccess = await this.prisma.newFeaturesWaitingList
+          .findUnique({
+            where: { email, type: NewFeaturesKind.EarlyAccess },
+          })
+          .then(x => !!x)
+          .catch(() => false);
+        if (oldCanEarlyAccess) {
+          this.logger.warn(
+            `User ${email} has early access in old table but not in new table`
+          );
+        }
+        return oldCanEarlyAccess;
+      }
+      return false;
+    } else {
+      return true;
+    }
+  }
+}

packages/backend/server/src/modules/features/service.ts

@@ -0,0 +1,184 @@
+import { Injectable } from '@nestjs/common';
+
+import { PrismaService } from '../../prisma';
+import { UserType } from '../users/types';
+import { getFeature } from './feature';
+import { FeatureKind, FeatureType } from './types';
+
+@Injectable()
+export class FeatureService {
+  constructor(private readonly prisma: PrismaService) {}
+
+  async getFeaturesVersion() {
+    const features = await this.prisma.features.findMany({
+      where: {
+        type: FeatureKind.Feature,
+      },
+      select: {
+        feature: true,
+        version: true,
+      },
+    });
+    return features.reduce(
+      (acc, feature) => {
+        acc[feature.feature] = feature.version;
+        return acc;
+      },
+      {} as Record<string, number>
+    );
+  }
+
+  async getFeature(feature: FeatureType) {
+    const data = await this.prisma.features.findFirst({
+      where: {
+        feature,
+        type: FeatureKind.Feature,
+      },
+      select: { id: true },
+      orderBy: {
+        version: 'desc',
+      },
+    });
+    if (data) {
+      return getFeature(this.prisma, data.id);
+    }
+    return undefined;
+  }
+
+  async addUserFeature(
+    userId: string,
+    feature: FeatureType,
+    version: number,
+    reason: string,
+    expiredAt?: Date | string
+  ) {
+    return this.prisma.$transaction(async tx => {
+      const latestFlag = await tx.userFeatures.findFirst({
+        where: {
+          userId,
+          feature: {
+            feature,
+            type: FeatureKind.Feature,
+          },
+          activated: true,
+        },
+        orderBy: {
+          createdAt: 'desc',
+        },
+      });
+      if (latestFlag) {
+        return latestFlag.id;
+      } else {
+        return tx.userFeatures
+          .create({
+            data: {
+              reason,
+              expiredAt,
+              activated: true,
+              user: {
+                connect: {
+                  id: userId,
+                },
+              },
+              feature: {
+                connect: {
+                  feature_version: {
+                    feature,
+                    version,
+                  },
+                  type: FeatureKind.Feature,
+                },
+              },
+            },
+          })
+          .then(r => r.id);
+      }
+    });
+  }
+
+  async removeUserFeature(userId: string, feature: FeatureType) {
+    return this.prisma.userFeatures
+      .updateMany({
+        where: {
+          userId,
+          feature: {
+            feature,
+            type: FeatureKind.Feature,
+          },
+          activated: true,
+        },
+        data: {
+          activated: false,
+        },
+      })
+      .then(r => r.count);
+  }
+
+  async getUserFeatures(userId: string) {
+    const features = await this.prisma.userFeatures.findMany({
+      where: {
+        user: { id: userId },
+        feature: {
+          type: FeatureKind.Feature,
+        },
+      },
+      select: {
+        activated: true,
+        reason: true,
+        createdAt: true,
+        expiredAt: true,
+        featureId: true,
+      },
+    });
+
+    const configs = await Promise.all(
+      features.map(async feature => ({
+        ...feature,
+        feature: await getFeature(this.prisma, feature.featureId),
+      }))
+    );
+
+    return configs.filter(feature => !!feature.feature);
+  }
+
+  async listFeatureUsers(feature: FeatureType): Promise<UserType[]> {
+    return this.prisma.userFeatures
+      .findMany({
+        where: {
+          activated: true,
+          feature: {
+            feature: feature,
+            type: FeatureKind.Feature,
+          },
+        },
+        select: {
+          user: {
+            select: {
+              id: true,
+              name: true,
+              avatarUrl: true,
+              email: true,
+              emailVerified: true,
+              createdAt: true,
+            },
+          },
+        },
+      })
+      .then(users => users.map(user => user.user));
+  }
+
+  async hasFeature(userId: string, feature: FeatureType) {
+    return this.prisma.userFeatures
+      .count({
+        where: {
+          userId,
+          activated: true,
+          feature: {
+            feature,
+            type: FeatureKind.Feature,
+          },
+        },
+      })
+      .then(count => count > 0);
+  }
+}

packages/backend/server/src/modules/features/types.ts

@@ -0,0 +1,65 @@
+import { URL } from 'node:url';
+
+import { z } from 'zod';
+
+/// ======== common schema ========
+
+export enum FeatureKind {
+  Feature,
+  Quota,
+}
+
+export const commonFeatureSchema = z.object({
+  feature: z.string(),
+  type: z.nativeEnum(FeatureKind),
+  version: z.number(),
+  configs: z.unknown(),
+});
+
+export type CommonFeature = z.infer<typeof commonFeatureSchema>;
+
+/// ======== feature define ========
+
+export enum FeatureType {
+  EarlyAccess = 'early_access',
+}
+
+function checkHostname(host: string) {
+  try {
+    return new URL(`https://${host}`).hostname === host;
+  } catch (_) {
+    return false;
+  }
+}
+
+const featureEarlyAccess = z.object({
+  feature: z.literal(FeatureType.EarlyAccess),
+  configs: z.object({
+    whitelist: z
+      .string()
+      .startsWith('@')
+      .refine(domain => checkHostname(domain.slice(1)))
+      .array(),
+  }),
+});
+
+export const Features: Feature[] = [
+  {
+    feature: FeatureType.EarlyAccess,
+    type: FeatureKind.Feature,
+    version: 1,
+    configs: {
+      whitelist: ['@toeverything.info'],
+    },
+  },
+];
+
+/// ======== schema infer ========
+
+export const FeatureSchema = commonFeatureSchema
+  .extend({
+    type: z.literal(FeatureKind.Feature),
+  })
+  .and(z.discriminatedUnion('feature', [featureEarlyAccess]));
+
+export type Feature = z.infer<typeof FeatureSchema>;

packages/backend/server/src/modules/index.ts

@@ -1,10 +1,12 @@
 import { DynamicModule, Type } from '@nestjs/common';
 import { ScheduleModule } from '@nestjs/schedule';
 
+import { SERVER_FLAVOR } from '../config';
 import { GqlModule } from '../graphql.module';
-import { SERVER_FLAVOR, ServerConfigModule } from './config';
+import { ServerConfigModule } from './config';
 import { DocModule } from './doc';
 import { PaymentModule } from './payment';
+import { QuotaModule } from './quota';
 import { SelfHostedModule } from './self-hosted';
 import { SyncModule } from './sync';
 import { UsersModule } from './users';
@@ -14,7 +16,7 @@ const BusinessModules: (Type | DynamicModule)[] = [];
 
 switch (SERVER_FLAVOR) {
   case 'sync':
-    BusinessModules.push(SyncModule, DocModule.forSync());
+    BusinessModules.push(SyncModule, DocModule);
     break;
   case 'selfhosted':
     BusinessModules.push(
@@ -25,7 +27,7 @@ switch (SERVER_FLAVOR) {
       WorkspaceModule,
       UsersModule,
       SyncModule,
-      DocModule.forRoot()
+      DocModule
     );
     break;
   case 'graphql':
@@ -35,8 +37,9 @@ switch (SERVER_FLAVOR) {
       GqlModule,
       WorkspaceModule,
       UsersModule,
-      DocModule.forRoot(),
-      PaymentModule
+      DocModule,
+      PaymentModule,
+      QuotaModule
     );
     break;
   case 'allinone':
@@ -47,8 +50,9 @@ switch (SERVER_FLAVOR) {
       GqlModule,
       WorkspaceModule,
       UsersModule,
+      QuotaModule,
       SyncModule,
-      DocModule.forRoot(),
+      DocModule,
       PaymentModule
     );
     break;

packages/backend/server/src/modules/payment/index.ts

@@ -1,6 +1,7 @@
 import { Module } from '@nestjs/common';
 
-import { UsersModule } from '../users';
+import { FeatureModule } from '../features';
+import { QuotaModule } from '../quota';
 import { SubscriptionResolver, UserSubscriptionResolver } from './resolver';
 import { ScheduleManager } from './schedule';
 import { SubscriptionService } from './service';
@@ -8,7 +9,7 @@ import { StripeProvider } from './stripe';
 import { StripeWebhook } from './webhook';
 
 @Module({
-  imports: [UsersModule],
+  imports: [FeatureModule, QuotaModule],
   providers: [
     ScheduleManager,
     StripeProvider,

packages/backend/server/src/modules/payment/resolver.ts

@@ -1,6 +1,7 @@
 import { HttpStatus } from '@nestjs/common';
 import {
   Args,
+  Context,
   Field,
   Int,
   Mutation,
@@ -254,8 +255,13 @@ export class UserSubscriptionResolver {
   constructor(private readonly db: PrismaService) {}
 
   @ResolveField(() => UserSubscriptionType, { nullable: true })
-  async subscription(@CurrentUser() me: User, @Parent() user: User) {
-    if (me.id !== user.id) {
+  async subscription(
+    @Context() ctx: { isAdminQuery: boolean },
+    @CurrentUser() me: User,
+    @Parent() user: User
+  ) {
+    // allow admin to query other user's subscription
+    if (!ctx.isAdminQuery && me.id !== user.id) {
       throw new GraphQLError(
         'You are not allowed to access this subscription',
         {

packages/backend/server/src/modules/payment/service.ts

@@ -11,7 +11,8 @@ import Stripe from 'stripe';
 
 import { Config } from '../../config';
 import { PrismaService } from '../../prisma';
-import { UsersService } from '../users';
+import { FeatureManagementService } from '../features';
+import { QuotaService, QuotaType } from '../quota';
 import { ScheduleManager } from './schedule';
 
 const OnEvent = (
@@ -60,6 +61,11 @@ export enum SubscriptionStatus {
   Trialing = 'trialing',
 }
 
+const SubscriptionActivated: Stripe.Subscription.Status[] = [
+  SubscriptionStatus.Active,
+  SubscriptionStatus.Trialing,
+];
+
 export enum InvoiceStatus {
   Draft = 'draft',
   Open = 'open',
@@ -82,8 +88,9 @@ export class SubscriptionService {
     config: Config,
     private readonly stripe: Stripe,
     private readonly db: PrismaService,
-    private readonly user: UsersService,
-    private readonly scheduleManager: ScheduleManager
+    private readonly scheduleManager: ScheduleManager,
+    private readonly features: FeatureManagementService,
+    private readonly quota: QuotaService
   ) {
     this.paymentConfig = config.payment;
 
@@ -471,6 +478,16 @@ export class SubscriptionService {
     }
   }
 
+  private getPlanQuota(plan: SubscriptionPlan) {
+    if (plan === SubscriptionPlan.Free) {
+      return QuotaType.FreePlanV1;
+    } else if (plan === SubscriptionPlan.Pro) {
+      return QuotaType.ProPlanV1;
+    } else {
+      throw new Error(`Unknown plan: ${plan}`);
+    }
+  }
+
   private async saveSubscription(
     user: User,
     subscription: Stripe.Subscription,
@@ -483,23 +500,28 @@ export class SubscriptionService {
       subscription = await this.stripe.subscriptions.retrieve(subscription.id);
     }
 
-    // get next bill date from upcoming invoice
-    // see https://stripe.com/docs/api/invoices/upcoming
-    let nextBillAt: Date | null = null;
-    if (
-      (subscription.status === SubscriptionStatus.Active ||
-        subscription.status === SubscriptionStatus.Trialing) &&
-      !subscription.canceled_at
-    ) {
-      nextBillAt = new Date(subscription.current_period_end * 1000);
-    }
-
     const price = subscription.items.data[0].price;
     if (!price.lookup_key) {
       throw new Error('Unexpected subscription with no key');
     }
 
     const [plan, recurring] = decodeLookupKey(price.lookup_key);
+    const planActivated = SubscriptionActivated.includes(subscription.status);
+
+    let nextBillAt: Date | null = null;
+    if (planActivated) {
+      // update user's quota if plan activated
+      await this.quota.switchUserQuota(user.id, this.getPlanQuota(plan));
+
+      // get next bill date from upcoming invoice
+      // see https://stripe.com/docs/api/invoices/upcoming
+      if (!subscription.canceled_at) {
+        nextBillAt = new Date(subscription.current_period_end * 1000);
+      }
+    } else {
+      // switch to free plan if subscription is canceled
+      await this.quota.switchUserQuota(user.id, QuotaType.FreePlanV1);
+    }
 
     const commonData = {
       start: new Date(subscription.current_period_start * 1000),
@@ -658,7 +680,7 @@ export class SubscriptionService {
     user: User,
     couponType: CouponType
   ): Promise<string | null> {
-    const earlyAccess = await this.user.isEarlyAccessUser(user.email);
+    const earlyAccess = await this.features.canEarlyAccess(user.email);
     if (earlyAccess) {
       try {
         const coupon = await this.stripe.coupons.retrieve(couponType);

packages/backend/server/src/modules/quota/constant.ts

@@ -0,0 +1,5 @@
+export const OneKB = 1024;
+export const OneMB = OneKB * OneKB;
+export const OneGB = OneKB * OneMB;
+export const OneDay = 1000 * 60 * 60 * 24;
+export const ByteUnit = ['B', 'KB', 'MB', 'GB', 'TB', 'PB', 'EB', 'ZB', 'YB'];

packages/backend/server/src/modules/quota/index.ts

@@ -0,0 +1,21 @@
+import { Module } from '@nestjs/common';
+
+import { PermissionService } from '../workspaces/permission';
+import { QuotaService } from './service';
+import { QuotaManagementService } from './storage';
+
+/**
+ * Quota module provider pre-user quota management.
+ * includes:
+ * - quota query/update/permit
+ * - quota statistics
+ */
+@Module({
+  providers: [PermissionService, QuotaService, QuotaManagementService],
+  exports: [QuotaService, QuotaManagementService],
+})
+export class QuotaModule {}
+
+export { QuotaManagementService, QuotaService };
+export { Quota_FreePlanV1, Quota_ProPlanV1, Quotas } from './schema';
+export { QuotaType } from './types';

packages/backend/server/src/modules/quota/quota.ts

@@ -0,0 +1,81 @@
+import { PrismaService } from '../../prisma';
+import { formatDate, formatSize, Quota, QuotaSchema } from './types';
+
+const QuotaCache = new Map<number, QuotaConfig>();
+
+export class QuotaConfig {
+  readonly config: Quota;
+
+  static async get(prisma: PrismaService, featureId: number) {
+    const cachedQuota = QuotaCache.get(featureId);
+
+    if (cachedQuota) {
+      return cachedQuota;
+    }
+
+    const quota = await prisma.features.findFirst({
+      where: {
+        id: featureId,
+      },
+    });
+
+    if (!quota) {
+      throw new Error(`Quota config ${featureId} not found`);
+    }
+
+    const config = new QuotaConfig(quota);
+    // we always edit quota config as a new quota config
+    // so we can cache it by featureId
+    QuotaCache.set(featureId, config);
+
+    return config;
+  }
+
+  private constructor(data: any) {
+    const config = QuotaSchema.safeParse(data);
+    if (config.success) {
+      this.config = config.data;
+    } else {
+      throw new Error(
+        `Invalid quota config: ${config.error.message}, ${JSON.stringify(
+          data
+        )})}`
+      );
+    }
+  }
+
+  /// feature name of quota
+  get name() {
+    return this.config.feature;
+  }
+
+  get blobLimit() {
+    return this.config.configs.blobLimit;
+  }
+
+  get storageQuota() {
+    return this.config.configs.storageQuota;
+  }
+
+  get historyPeriod() {
+    return this.config.configs.historyPeriod;
+  }
+
+  get historyPeriodFromNow() {
+    return new Date(Date.now() + this.historyPeriod);
+  }
+
+  get memberLimit() {
+    return this.config.configs.memberLimit;
+  }
+
+  get humanReadable() {
+    return {
+      name: this.config.configs.name,
+      blobLimit: formatSize(this.blobLimit),
+      storageQuota: formatSize(this.storageQuota),
+      historyPeriod: formatDate(this.historyPeriod),
+      memberLimit: this.memberLimit.toString(),
+    };
+  }
+}

packages/backend/server/src/modules/quota/schema.ts

@@ -0,0 +1,50 @@
+import { FeatureKind } from '../features';
+import { OneDay, OneGB, OneMB } from './constant';
+import { Quota, QuotaType } from './types';
+
+export const Quotas: Quota[] = [
+  {
+    feature: QuotaType.FreePlanV1,
+    type: FeatureKind.Quota,
+    version: 1,
+    configs: {
+      // quota name
+      name: 'Free',
+      // single blob limit 10MB
+      blobLimit: 10 * OneMB,
+      // total blob limit 10GB
+      storageQuota: 10 * OneGB,
+      // history period of validity 7 days
+      historyPeriod: 7 * OneDay,
+      // member limit 3
+      memberLimit: 3,
+    },
+  },
+  {
+    feature: QuotaType.ProPlanV1,
+    type: FeatureKind.Quota,
+    version: 1,
+    configs: {
+      // quota name
+      name: 'Pro',
+      // single blob limit 100MB
+      blobLimit: 100 * OneMB,
+      // total blob limit 100GB
+      storageQuota: 100 * OneGB,
+      // history period of validity 30 days
+      historyPeriod: 30 * OneDay,
+      // member limit 10
+      memberLimit: 10,
+    },
+  },
+];
+
+export const Quota_FreePlanV1 = {
+  feature: Quotas[0].feature,
+  version: Quotas[0].version,
+};
+
+export const Quota_ProPlanV1 = {
+  feature: Quotas[1].feature,
+  version: Quotas[1].version,
+};

packages/backend/server/src/modules/quota/service.ts

@@ -0,0 +1,147 @@
+import { Injectable } from '@nestjs/common';
+
+import { PrismaService } from '../../prisma';
+import { FeatureKind } from '../features';
+import { QuotaConfig } from './quota';
+import { QuotaType } from './types';
+
+@Injectable()
+export class QuotaService {
+  constructor(private readonly prisma: PrismaService) {}
+
+  // get activated user quota
+  async getUserQuota(userId: string) {
+    const quota = await this.prisma.userFeatures.findFirst({
+      where: {
+        user: {
+          id: userId,
+        },
+        feature: {
+          type: FeatureKind.Quota,
+        },
+        activated: true,
+      },
+      select: {
+        reason: true,
+        createdAt: true,
+        expiredAt: true,
+        featureId: true,
+      },
+    });
+
+    if (!quota) {
+      // this should unreachable
+      throw new Error(`User ${userId} has no quota`);
+    }
+
+    const feature = await QuotaConfig.get(this.prisma, quota.featureId);
+    return { ...quota, feature };
+  }
+
+  // get user all quota records
+  async getUserQuotas(userId: string) {
+    const quotas = await this.prisma.userFeatures.findMany({
+      where: {
+        user: {
+          id: userId,
+        },
+        feature: {
+          type: FeatureKind.Quota,
+        },
+      },
+      select: {
+        activated: true,
+        reason: true,
+        createdAt: true,
+        expiredAt: true,
+        featureId: true,
+      },
+    });
+    const configs = await Promise.all(
+      quotas.map(async quota => {
+        try {
+          return {
+            ...quota,
+            feature: await QuotaConfig.get(this.prisma, quota.featureId),
+          };
+        } catch (_) {}
+        return null as unknown as typeof quota & {
+          feature: QuotaConfig;
+        };
+      })
+    );
+
+    return configs.filter(quota => !!quota);
+  }
+
+  // switch user to a new quota
+  // currently each user can only have one quota
+  async switchUserQuota(
+    userId: string,
+    quota: QuotaType,
+    reason?: string,
+    expiredAt?: Date
+  ) {
+    await this.prisma.$transaction(async tx => {
+      const latestPlanVersion = await tx.features.aggregate({
+        where: {
+          feature: quota,
+        },
+        _max: {
+          version: true,
+        },
+      });
+
+      // we will deactivate all exists quota for this user
+      await tx.userFeatures.updateMany({
+        where: {
+          id: undefined,
+          userId,
+          feature: {
+            type: FeatureKind.Quota,
+          },
+        },
+        data: {
+          activated: false,
+        },
+      });
+
+      await tx.userFeatures.create({
+        data: {
+          user: {
+            connect: {
+              id: userId,
+            },
+          },
+          feature: {
+            connect: {
+              feature_version: {
+                feature: quota,
+                version: latestPlanVersion._max.version || 1,
+              },
+              type: FeatureKind.Quota,
+            },
+          },
+          reason: reason ?? 'switch quota',
+          activated: true,
+          expiredAt,
+        },
+      });
+    });
+  }
+
+  async hasQuota(userId: string, quota: QuotaType) {
+    return this.prisma.userFeatures
+      .count({
+        where: {
+          userId,
+          feature: {
+            feature: quota,
+            type: FeatureKind.Quota,
+          },
+          activated: true,
+        },
+      })
+      .then(count => count > 0);
+  }
+}

packages/backend/server/src/modules/quota/storage.ts

@@ -0,0 +1,54 @@
+import type { Storage } from '@affine/storage';
+import { Inject, Injectable, NotFoundException } from '@nestjs/common';
+
+import { StorageProvide } from '../../storage';
+import { PermissionService } from '../workspaces/permission';
+import { QuotaService } from './service';
+
+@Injectable()
+export class QuotaManagementService {
+  constructor(
+    private readonly quota: QuotaService,
+    private readonly permissions: PermissionService,
+    @Inject(StorageProvide) private readonly storage: Storage
+  ) {}
+
+  async getUserQuota(userId: string) {
+    const quota = await this.quota.getUserQuota(userId);
+
+    return {
+      name: quota.feature.name,
+      reason: quota.reason,
+      createAt: quota.createdAt,
+      expiredAt: quota.expiredAt,
+      blobLimit: quota.feature.blobLimit,
+      storageQuota: quota.feature.storageQuota,
+    };
+  }
+
+  // TODO: lazy calc, need to be optimized with cache
+  async getUserUsage(userId: string) {
+    const workspaces = await this.permissions.getOwnedWorkspaces(userId);
+    return this.storage.blobsSize(workspaces);
+  }
+
+  // get workspace's owner quota and total size of used
+  // quota was apply to owner's account
+  async getWorkspaceUsage(workspaceId: string) {
+    const { user: owner } =
+      await this.permissions.getWorkspaceOwner(workspaceId);
+    if (!owner) throw new NotFoundException('Workspace owner not found');
+    const { storageQuota } = await this.getUserQuota(owner.id);
+    // get all workspaces size of owner used
+    const usageSize = await this.getUserUsage(owner.id);
+
+    return { quota: storageQuota, size: usageSize };
+  }
+
+  async checkBlobQuota(workspaceId: string, size: number) {
+    const { quota, size: usageSize } =
+      await this.getWorkspaceUsage(workspaceId);
+
+    return quota - (size + usageSize);
+  }
+}

packages/backend/server/src/modules/quota/types.ts

@@ -0,0 +1,50 @@
+import { z } from 'zod';
+
+import { commonFeatureSchema, FeatureKind } from '../features';
+import { ByteUnit, OneDay, OneKB } from './constant';
+
+/// ======== quota define ========
+
+export enum QuotaType {
+  FreePlanV1 = 'free_plan_v1',
+  ProPlanV1 = 'pro_plan_v1',
+}
+
+const quotaPlan = z.object({
+  feature: z.enum([QuotaType.FreePlanV1, QuotaType.ProPlanV1]),
+  configs: z.object({
+    name: z.string(),
+    blobLimit: z.number().positive().int(),
+    storageQuota: z.number().positive().int(),
+    historyPeriod: z.number().positive().int(),
+    memberLimit: z.number().positive().int(),
+  }),
+});
+
+/// ======== schema infer ========
+
+export const QuotaSchema = commonFeatureSchema
+  .extend({
+    type: z.literal(FeatureKind.Quota),
+  })
+  .and(z.discriminatedUnion('feature', [quotaPlan]));
+
+export type Quota = z.infer<typeof QuotaSchema>;
+
+/// ======== utils ========
+
+export function formatSize(bytes: number, decimals: number = 2): string {
+  if (bytes === 0) return '0 B';
+
+  const dm = decimals < 0 ? 0 : decimals;
+
+  const i = Math.floor(Math.log(bytes) / Math.log(OneKB));
+
+  return (
+    parseFloat((bytes / Math.pow(OneKB, i)).toFixed(dm)) + ' ' + ByteUnit[i]
+  );
+}
+
+export function formatDate(ms: number): string {
+  return `${(ms / OneDay).toFixed(0)} days`;
+}

packages/backend/server/src/modules/sync/events/events.gateway.ts

@@ -114,8 +114,8 @@ export class EventsGateway implements OnGatewayConnection, OnGatewayDisconnect {
   }
 
   @Auth()
-  @SubscribeMessage('client-handshake')
-  async handleClientHandShake(
+  @SubscribeMessage('client-handshake-sync')
+  async handleClientHandshakeSync(
     @CurrentUser() user: UserType,
     @MessageBody() workspaceId: string,
     @ConnectedSocket() client: Socket
@@ -127,7 +127,7 @@ export class EventsGateway implements OnGatewayConnection, OnGatewayDisconnect {
     );
 
     if (canWrite) {
-      await client.join(workspaceId);
+      await client.join(`${workspaceId}:sync`);
       return {
         data: {
           clientId: client.id,
@@ -140,13 +140,71 @@ export class EventsGateway implements OnGatewayConnection, OnGatewayDisconnect {
     }
   }
 
-  @SubscribeMessage('client-leave')
-  async handleClientLeave(
+  @Auth()
+  @SubscribeMessage('client-handshake-awareness')
+  async handleClientHandshakeAwareness(
+    @CurrentUser() user: UserType,
+    @MessageBody() workspaceId: string,
+    @ConnectedSocket() client: Socket
+  ): Promise<EventResponse<{ clientId: string }>> {
+    const canWrite = await this.permissions.tryCheckWorkspace(
+      workspaceId,
+      user.id,
+      Permission.Write
+    );
+
+    if (canWrite) {
+      await client.join(`${workspaceId}:awareness`);
+      return {
+        data: {
+          clientId: client.id,
+        },
+      };
+    } else {
+      return {
+        error: new AccessDeniedError(workspaceId),
+      };
+    }
+  }
+
+  /**
+   * @deprecated use `client-handshake-sync` and `client-handshake-awareness` instead
+   */
+  @Auth()
+  @SubscribeMessage('client-handshake')
+  async handleClientHandShake(
+    @CurrentUser() user: UserType,
+    @MessageBody()
+    workspaceId: string,
+    @ConnectedSocket() client: Socket
+  ): Promise<EventResponse<{ clientId: string }>> {
+    const canWrite = await this.permissions.tryCheckWorkspace(
+      workspaceId,
+      user.id,
+      Permission.Write
+    );
+
+    if (canWrite) {
+      await client.join([`${workspaceId}:sync`, `${workspaceId}:awareness`]);
+      return {
+        data: {
+          clientId: client.id,
+        },
+      };
+    } else {
+      return {
+        error: new AccessDeniedError(workspaceId),
+      };
+    }
+  }
+
+  @SubscribeMessage('client-leave-sync')
+  async handleLeaveSync(
     @MessageBody() workspaceId: string,
     @ConnectedSocket() client: Socket
   ): Promise<EventResponse> {
-    if (client.rooms.has(workspaceId)) {
-      await client.leave(workspaceId);
+    if (client.rooms.has(`${workspaceId}:sync`)) {
+      await client.leave(`${workspaceId}:sync`);
       return {};
     } else {
       return {
@@ -155,6 +213,38 @@ export class EventsGateway implements OnGatewayConnection, OnGatewayDisconnect {
     }
   }
 
+  @SubscribeMessage('client-leave-awareness')
+  async handleLeaveAwareness(
+    @MessageBody() workspaceId: string,
+    @ConnectedSocket() client: Socket
+  ): Promise<EventResponse> {
+    if (client.rooms.has(`${workspaceId}:awareness`)) {
+      await client.leave(`${workspaceId}:awareness`);
+      return {};
+    } else {
+      return {
+        error: new NotInWorkspaceError(workspaceId),
+      };
+    }
+  }
+
+  /**
+   * @deprecated use `client-leave-sync` and `client-leave-awareness` instead
+   */
+  @SubscribeMessage('client-leave')
+  async handleClientLeave(
+    @MessageBody() workspaceId: string,
+    @ConnectedSocket() client: Socket
+  ): Promise<EventResponse> {
+    if (client.rooms.has(`${workspaceId}:sync`)) {
+      await client.leave(`${workspaceId}:sync`);
+    }
+    if (client.rooms.has(`${workspaceId}:awareness`)) {
+      await client.leave(`${workspaceId}:awareness`);
+    }
+    return {};
+  }
+
   /**
    * This is the old version of the `client-update` event without any data protocol.
    * It only exists for backwards compatibility to adapt older clients.
@@ -175,7 +265,7 @@ export class EventsGateway implements OnGatewayConnection, OnGatewayDisconnect {
     },
     @ConnectedSocket() client: Socket
   ) {
-    if (!client.rooms.has(workspaceId)) {
+    if (!client.rooms.has(`${workspaceId}:sync`)) {
       this.logger.verbose(
         `Client ${client.id} tried to push update to workspace ${workspaceId} without joining it first`
       );
@@ -185,12 +275,12 @@ export class EventsGateway implements OnGatewayConnection, OnGatewayDisconnect {
     const docId = new DocID(guid, workspaceId);
 
     client
-      .to(docId.workspace)
+      .to(`${docId.workspace}:sync`)
       .emit('server-update', { workspaceId, guid, update });
 
     // broadcast to all clients with newer version that only listen to `server-updates`
     client
-      .to(docId.workspace)
+      .to(`${docId.workspace}:sync`)
       .emit('server-updates', { workspaceId, guid, updates: [update] });
 
     const buf = Buffer.from(update, 'base64');
@@ -219,7 +309,7 @@ export class EventsGateway implements OnGatewayConnection, OnGatewayDisconnect {
       stateVector?: string;
     }
   ): Promise<{ missing: string; state?: string } | false> {
-    if (!client.rooms.has(workspaceId)) {
+    if (!client.rooms.has(`${workspaceId}:sync`)) {
       const canRead = await this.permissions.tryCheckWorkspace(
         workspaceId,
         user.id
@@ -264,7 +354,7 @@ export class EventsGateway implements OnGatewayConnection, OnGatewayDisconnect {
     },
     @ConnectedSocket() client: Socket
   ): Promise<EventResponse<{ accepted: true }>> {
-    if (!client.rooms.has(workspaceId)) {
+    if (!client.rooms.has(`${workspaceId}:sync`)) {
       return {
         error: new NotInWorkspaceError(workspaceId),
       };
@@ -272,7 +362,7 @@ export class EventsGateway implements OnGatewayConnection, OnGatewayDisconnect {
 
     const docId = new DocID(guid, workspaceId);
     client
-      .to(docId.workspace)
+      .to(`${docId.workspace}:sync`)
       .emit('server-updates', { workspaceId, guid, updates });
 
     const buffers = updates.map(update => Buffer.from(update, 'base64'));
@@ -301,7 +391,7 @@ export class EventsGateway implements OnGatewayConnection, OnGatewayDisconnect {
       stateVector?: string;
     }
   ): Promise<EventResponse<{ missing: string; state?: string }>> {
-    if (!client.rooms.has(workspaceId)) {
+    if (!client.rooms.has(`${workspaceId}:sync`)) {
       const canRead = await this.permissions.tryCheckWorkspace(
         workspaceId,
         user.id
@@ -343,8 +433,8 @@ export class EventsGateway implements OnGatewayConnection, OnGatewayDisconnect {
     @MessageBody() workspaceId: string,
     @ConnectedSocket() client: Socket
   ): Promise<EventResponse<{ clientId: string }>> {
-    if (client.rooms.has(workspaceId)) {
-      client.to(workspaceId).emit('new-client-awareness-init');
+    if (client.rooms.has(`${workspaceId}:awareness`)) {
+      client.to(`${workspaceId}:awareness`).emit('new-client-awareness-init');
       return {
         data: {
           clientId: client.id,
@@ -362,9 +452,9 @@ export class EventsGateway implements OnGatewayConnection, OnGatewayDisconnect {
     @MessageBody() message: { workspaceId: string; awarenessUpdate: string },
     @ConnectedSocket() client: Socket
   ): Promise<EventResponse> {
-    if (client.rooms.has(message.workspaceId)) {
+    if (client.rooms.has(`${message.workspaceId}:awareness`)) {
       client
-        .to(message.workspaceId)
+        .to(`${message.workspaceId}:awareness`)
         .emit('server-awareness-broadcast', message);
       return {};
     } else {

packages/backend/server/src/modules/sync/events/events.module.ts

@@ -5,7 +5,7 @@ import { PermissionService } from '../../workspaces/permission';
 import { EventsGateway } from './events.gateway';
 
 @Module({
-  imports: [DocModule.forFeature()],
+  imports: [DocModule],
   providers: [EventsGateway, PermissionService],
 })
 export class EventsModule {}

packages/backend/server/src/modules/users/gates.ts

@@ -1,42 +0,0 @@
-type FeatureEarlyAccessPreview = {
-  whitelist: RegExp[];
-};
-
-type FeatureStorageLimit = {
-  storageQuota: number;
-};
-
-type UserFeatureGate = {
-  earlyAccessPreview: FeatureEarlyAccessPreview;
-  freeUser: FeatureStorageLimit;
-  proUser: FeatureStorageLimit;
-};
-
-const UserLevel = {
-  freeUser: {
-    storageQuota: 10 * 1024 * 1024 * 1024,
-  },
-  proUser: {
-    storageQuota: 100 * 1024 * 1024 * 1024,
-  },
-} satisfies Pick<UserFeatureGate, 'freeUser' | 'proUser'>;
-
-export function getStorageQuota(features: string[]) {
-  for (const feature of features) {
-    if (feature in UserLevel) {
-      return UserLevel[feature as keyof typeof UserLevel].storageQuota;
-    }
-  }
-  return null;
-}
-
-const UserType = {
-  earlyAccessPreview: {
-    whitelist: [/@toeverything\.info$/],
-  },
-} satisfies Pick<UserFeatureGate, 'earlyAccessPreview'>;
-
-export const FeatureGates = {
-  ...UserType,
-  ...UserLevel,
-} satisfies UserFeatureGate;

packages/backend/server/src/modules/users/index.ts

@@ -1,15 +1,17 @@
 import { Module } from '@nestjs/common';
 
+import { FeatureModule } from '../features';
+import { QuotaModule } from '../quota';
 import { StorageModule } from '../storage';
 import { UserResolver } from './resolver';
 import { UsersService } from './users';
 
 @Module({
-  imports: [StorageModule],
+  imports: [StorageModule, FeatureModule, QuotaModule],
   providers: [UserResolver, UsersService],
   exports: [UsersService],
 })
 export class UsersModule {}
 
-export { UserType } from './resolver';
+export { UserType } from './types';
 export { UsersService } from './users';

packages/backend/server/src/modules/users/resolver.ts

@@ -6,13 +6,10 @@ import {
 } from '@nestjs/common';
 import {
   Args,
-  Field,
-  ID,
+  Context,
   Int,
   Mutation,
-  ObjectType,
   Query,
-  registerEnumType,
   ResolveField,
   Resolver,
 } from '@nestjs/graphql';
@@ -24,60 +21,12 @@ import { PrismaService } from '../../prisma/service';
 import { CloudThrottlerGuard, Throttle } from '../../throttler';
 import type { FileUpload } from '../../types';
 import { Auth, CurrentUser, Public, Publicable } from '../auth/guard';
+import { AuthService } from '../auth/service';
+import { FeatureManagementService } from '../features';
+import { QuotaService } from '../quota';
 import { StorageService } from '../storage/storage.service';
-import { NewFeaturesKind } from './types';
+import { DeleteAccount, RemoveAvatar, UserQuotaType, UserType } from './types';
 import { UsersService } from './users';
-import { isStaff } from './utils';
-
-registerEnumType(NewFeaturesKind, {
-  name: 'NewFeaturesKind',
-});
-
-@ObjectType()
-export class UserType implements Partial<User> {
-  @Field(() => ID)
-  id!: string;
-
-  @Field({ description: 'User name' })
-  name!: string;
-
-  @Field({ description: 'User email' })
-  email!: string;
-
-  @Field(() => String, { description: 'User avatar url', nullable: true })
-  avatarUrl: string | null = null;
-
-  @Field(() => Date, { description: 'User email verified', nullable: true })
-  emailVerified: Date | null = null;
-
-  @Field({ description: 'User created date', nullable: true })
-  createdAt!: Date;
-
-  @Field(() => Boolean, {
-    description: 'User password has been set',
-    nullable: true,
-  })
-  hasPassword?: boolean;
-}
-
-@ObjectType()
-export class DeleteAccount {
-  @Field()
-  success!: boolean;
-}
-@ObjectType()
-export class RemoveAvatar {
-  @Field()
-  success!: boolean;
-}
-
-@ObjectType()
-export class AddToNewFeaturesWaitingList {
-  @Field()
-  email!: string;
-  @Field(() => NewFeaturesKind, { description: 'New features kind' })
-  type!: NewFeaturesKind;
-}
 
 /**
  * User resolver
@@ -88,9 +37,12 @@ export class AddToNewFeaturesWaitingList {
 @Resolver(() => UserType)
 export class UserResolver {
   constructor(
+    private readonly auth: AuthService,
     private readonly prisma: PrismaService,
     private readonly storage: StorageService,
-    private readonly users: UsersService
+    private readonly users: UsersService,
+    private readonly feature: FeatureManagementService,
+    private readonly quota: QuotaService
   ) {}
 
   @Throttle({
@@ -138,7 +90,7 @@ export class UserResolver {
   })
   @Public()
   async user(@Args('email') email: string) {
-    if (!(await this.users.canEarlyAccess(email))) {
+    if (!(await this.feature.canEarlyAccess(email))) {
       return new GraphQLError(
         `You don't have early access permission\nVisit https://community.affine.pro/c/insider-general/ for more information`,
         {
@@ -158,6 +110,14 @@ export class UserResolver {
     return user;
   }
 
+  @Throttle({ default: { limit: 10, ttl: 60 } })
+  @ResolveField(() => UserQuotaType, { name: 'quota', nullable: true })
+  async getQuota(@CurrentUser() me: User) {
+    const quota = await this.quota.getUserQuota(me.id);
+
+    return quota.feature;
+  }
+
   @Throttle({ default: { limit: 10, ttl: 60 } })
   @ResolveField(() => Int, {
     name: 'invoiceCount',
@@ -233,27 +193,60 @@ export class UserResolver {
       ttl: 60,
     },
   })
-  @Mutation(() => AddToNewFeaturesWaitingList)
-  async addToNewFeaturesWaitingList(
-    @CurrentUser() user: UserType,
-    @Args('type', {
-      type: () => NewFeaturesKind,
-    })
-    type: NewFeaturesKind,
+  @Mutation(() => Int)
+  async addToEarlyAccess(
+    @CurrentUser() currentUser: UserType,
     @Args('email') email: string
-  ): Promise<AddToNewFeaturesWaitingList> {
-    if (!isStaff(user.email)) {
+  ): Promise<number> {
+    if (!this.feature.isStaff(currentUser.email)) {
       throw new ForbiddenException('You are not allowed to do this');
     }
-    await this.prisma.newFeaturesWaitingList.create({
-      data: {
-        email,
-        type,
-      },
-    });
-    return {
-      email,
-      type,
-    };
+    const user = await this.users.findUserByEmail(email);
+    if (user) {
+      return this.feature.addEarlyAccess(user.id);
+    } else {
+      const user = await this.auth.createAnonymousUser(email);
+      return this.feature.addEarlyAccess(user.id);
+    }
+  }
+
+  @Throttle({
+    default: {
+      limit: 10,
+      ttl: 60,
+    },
+  })
+  @Mutation(() => Int)
+  async removeEarlyAccess(
+    @CurrentUser() currentUser: UserType,
+    @Args('email') email: string
+  ): Promise<number> {
+    if (!this.feature.isStaff(currentUser.email)) {
+      throw new ForbiddenException('You are not allowed to do this');
+    }
+    const user = await this.users.findUserByEmail(email);
+    if (!user) {
+      throw new BadRequestException(`User ${email} not found`);
+    }
+    return this.feature.removeEarlyAccess(user.id);
+  }
+
+  @Throttle({
+    default: {
+      limit: 10,
+      ttl: 60,
+    },
+  })
+  @Query(() => [UserType])
+  async earlyAccessUsers(
+    @Context() ctx: { isAdminQuery: boolean },
+    @CurrentUser() user: UserType
+  ): Promise<UserType[]> {
+    if (!this.feature.isStaff(user.email)) {
+      throw new ForbiddenException('You are not allowed to do this');
+    }
+    // allow query other user's subscription
+    ctx.isAdminQuery = true;
+    return this.feature.listEarlyAccess();
   }
 }

packages/backend/server/src/modules/users/types.ts

@@ -1,3 +1,79 @@
-export enum NewFeaturesKind {
-  EarlyAccess,
+import { Field, Float, ID, ObjectType } from '@nestjs/graphql';
+import type { User } from '@prisma/client';
+
+@ObjectType('UserQuotaHumanReadable')
+export class UserQuotaHumanReadableType {
+  @Field({ name: 'name' })
+  name!: string;
+
+  @Field({ name: 'blobLimit' })
+  blobLimit!: string;
+
+  @Field({ name: 'storageQuota' })
+  storageQuota!: string;
+
+  @Field({ name: 'historyPeriod' })
+  historyPeriod!: string;
+
+  @Field({ name: 'memberLimit' })
+  memberLimit!: string;
+}
+
+@ObjectType('UserQuota')
+export class UserQuotaType {
+  @Field({ name: 'name' })
+  name!: string;
+
+  @Field(() => Float, { name: 'blobLimit' })
+  blobLimit!: number;
+
+  @Field(() => Float, { name: 'storageQuota' })
+  storageQuota!: number;
+
+  @Field(() => Float, { name: 'historyPeriod' })
+  historyPeriod!: number;
+
+  @Field({ name: 'memberLimit' })
+  memberLimit!: number;
+
+  @Field({ name: 'humanReadable' })
+  humanReadable!: UserQuotaHumanReadableType;
+}
+
+@ObjectType()
+export class UserType implements Partial<User> {
+  @Field(() => ID)
+  id!: string;
+
+  @Field({ description: 'User name' })
+  name!: string;
+
+  @Field({ description: 'User email' })
+  email!: string;
+
+  @Field(() => String, { description: 'User avatar url', nullable: true })
+  avatarUrl: string | null = null;
+
+  @Field(() => Date, { description: 'User email verified', nullable: true })
+  emailVerified: Date | null = null;
+
+  @Field({ description: 'User created date', nullable: true })
+  createdAt!: Date;
+
+  @Field(() => Boolean, {
+    description: 'User password has been set',
+    nullable: true,
+  })
+  hasPassword?: boolean;
+}
+
+@ObjectType()
+export class DeleteAccount {
+  @Field()
+  success!: boolean;
+}
+@ObjectType()
+export class RemoveAvatar {
+  @Field()
+  success!: boolean;
 }

packages/backend/server/src/modules/users/users.ts

@@ -1,51 +1,10 @@
 import { Injectable } from '@nestjs/common';
 
-import { Config } from '../../config';
 import { PrismaService } from '../../prisma';
-import { getStorageQuota } from './gates';
-import { NewFeaturesKind } from './types';
-import { isStaff } from './utils';
 
 @Injectable()
 export class UsersService {
-  constructor(
-    private readonly prisma: PrismaService,
-    private readonly config: Config
-  ) {}
-
-  async canEarlyAccess(email: string) {
-    if (this.config.featureFlags.earlyAccessPreview && !isStaff(email)) {
-      return this.isEarlyAccessUser(email);
-    } else {
-      return true;
-    }
-  }
-
-  async isEarlyAccessUser(email: string) {
-    return this.prisma.newFeaturesWaitingList
-      .count({
-        where: { email, type: NewFeaturesKind.EarlyAccess },
-      })
-      .then(count => count > 0)
-      .catch(() => false);
-  }
-
-  async getStorageQuotaById(id: string) {
-    const features = await this.prisma.user
-      .findUnique({
-        where: { id },
-        select: {
-          features: {
-            select: {
-              feature: true,
-            },
-          },
-        },
-      })
-      .then(user => user?.features.map(f => f.feature) ?? []);
-
-    return getStorageQuota(features) || this.config.objectStorage.quota;
-  }
+  constructor(private readonly prisma: PrismaService) {}
 
   async findUserByEmail(email: string) {
     return this.prisma.user

packages/backend/server/src/modules/users/utils.ts

@@ -1,3 +0,0 @@
-export function isStaff(email: string) {
-  return email.endsWith('@toeverything.info');
-}

packages/backend/server/src/modules/workspaces/index.ts

@@ -1,6 +1,7 @@
 import { Module } from '@nestjs/common';
 
 import { DocModule } from '../doc';
+import { QuotaModule } from '../quota';
 import { UsersService } from '../users';
 import { WorkspacesController } from './controller';
 import { DocHistoryResolver } from './history.resolver';
@@ -8,7 +9,7 @@ import { PermissionService } from './permission';
 import { PagePermissionResolver, WorkspaceResolver } from './resolver';
 
 @Module({
-  imports: [DocModule.forFeature()],
+  imports: [DocModule, QuotaModule],
   controllers: [WorkspacesController],
   providers: [
     WorkspaceResolver,

packages/backend/server/src/modules/workspaces/permission.ts

@@ -26,6 +26,18 @@ export class PermissionService {
     return data?.type as Permission;
   }
 
+  async getOwnedWorkspaces(userId: string) {
+    return this.prisma.workspaceUserPermission
+      .findMany({
+        where: {
+          userId,
+          accepted: true,
+          type: Permission.Owner,
+        },
+      })
+      .then(data => data.map(({ workspaceId }) => workspaceId));
+  }
+
   async getWorkspaceOwner(workspaceId: string) {
     return this.prisma.workspaceUserPermission.findFirstOrThrow({
       where: {