improve font

.devcontainer/build.sh

@@ -13,3 +13,6 @@ yarn workspace @affine/server-native build
 
 # Create database
 yarn workspace @affine/server prisma db push
+
+# Create user username: affine, password: affine
+echo "INSERT INTO \"users\"(\"id\",\"name\",\"email\",\"email_verified\",\"created_at\",\"password\") VALUES('99f3ad04-7c9b-441e-a6db-79f73aa64db9','affine','affine@affine.pro','2024-02-26 15:54:16.974','2024-02-26 15:54:16.974+00','\$argon2id\$v=19\$m=19456,t=2,p=1\$esDS3QCHRH0Kmeh87YPm5Q\$9S+jf+xzw2Hicj6nkWltvaaaXX3dQIxAFwCfFa9o38A');" | yarn workspace @affine/server prisma db execute --stdin

.env.template

@@ -1,4 +1,5 @@
 CHANGELOG_URL=
+ENABLE_PRELOADING=
 ENABLE_NEW_SETTING_UNSTABLE_API=
 ENABLE_CAPTCHA=
 CAPTCHA_SITE_KEY=

.eslintignore

@@ -12,5 +12,4 @@ static
 web-static
 public
 packages/frontend/i18n/src/i18n-generated.ts
-packages/frontend/i18n/src/i18n-completenesses.json
 packages/frontend/templates/*.gen.ts

.eslintrc.js

@@ -34,8 +34,8 @@ const createPattern = packageName => [
   {
     group: ['@affine/env/constant'],
     message:
-      'Do not import from @affine/env/constant. Use `BUILD_CONFIG.isElectron` instead',
-    importNames: ['isElectron'],
+      'Do not import from @affine/env/constant. Use `environment.isDesktop` instead',
+    importNames: ['isDesktop'],
   },
 ];
 
@@ -43,14 +43,11 @@ const allPackages = [
   'packages/backend/server',
   'packages/frontend/component',
   'packages/frontend/core',
-  'packages/frontend/apps/electron',
-  'packages/frontend/apps/web',
-  'packages/frontend/apps/mobile',
+  'packages/frontend/electron',
   'packages/frontend/graphql',
   'packages/frontend/i18n',
   'packages/frontend/native',
   'packages/frontend/templates',
-  'packages/frontend/track',
   'packages/common/debug',
   'packages/common/env',
   'packages/common/infra',
@@ -251,7 +248,7 @@ const config = {
           'warn',
           {
             additionalHooks:
-              '(useAsyncCallback|useCatchEventCallback|useDraggable|useDropTarget|useRefEffect)',
+              '(useAsyncCallback|useCatchEventCallback|useDraggable|useDropTarget)',
           },
         ],
       },

.github/actions/build-rust/action.yml

@@ -49,7 +49,7 @@ runs:
     - name: Build
       shell: bash
       run: |
-        yarn workspace ${{ inputs.package }} build --target ${{ inputs.target }} --use-napi-cross
+        yarn workspace ${{ inputs.package }} nx build ${{ inputs.package }} -- --target ${{ inputs.target }} --use-napi-cross
       env:
         NX_CLOUD_ACCESS_TOKEN: ${{ inputs.nx_token }}
         DEBUG: 'napi:*'

.github/actions/cluster-auth/action.yml

@@ -1,36 +0,0 @@
-name: 'Auth to Cluster'
-description: 'Auth to the GCP Cluster'
-inputs:
-  gcp-project-number:
-    description: 'GCP project number'
-    required: true
-  gcp-project-id:
-    description: 'GCP project id'
-    required: true
-  service-account:
-    description: 'Service account'
-  cluster-name:
-    description: 'Cluster name'
-  cluster-location:
-    description: 'Cluster location'
-
-runs:
-  using: 'composite'
-  steps:
-    - id: auth
-      uses: google-github-actions/auth@v2
-      with:
-        workload_identity_provider: 'projects/${{ inputs.gcp-project-number }}/locations/global/workloadIdentityPools/github-actions/providers/github-actions-helm-deploy'
-        service_account: '${{ inputs.service-account }}'
-        token_format: 'access_token'
-        project_id: '${{ inputs.gcp-project-id }}'
-
-    - name: 'Setup gcloud cli'
-      uses: 'google-github-actions/setup-gcloud@v2'
-      with:
-        install_components: 'gke-gcloud-auth-plugin'
-
-    - id: get-gke-credentials
-      shell: bash
-      run: |
-        gcloud container clusters get-credentials ${{ inputs.cluster-name }} --region ${{ inputs.cluster-location }} --project ${{ inputs.gcp-project-id }}

.github/actions/copilot-test/action.yml

@@ -1,36 +0,0 @@
-name: 'Run Copilot E2E Test'
-description: 'Run Copilot E2E Test'
-inputs:
-  script:
-    description: 'Script to run'
-    default: 'yarn workspace @affine-test/affine-cloud-copilot e2e --forbid-only'
-    required: false
-  openai-key:
-    description: 'OpenAI secret key'
-    required: true
-  fal-key:
-    description: 'Fal secret key'
-    required: true
-
-runs:
-  using: 'composite'
-  steps:
-    - name: Prepare Server Test Environment
-      uses: ./.github/actions/server-test-env
-
-    - name: Server Copilot E2E Test
-      shell: bash
-      run: ${{ inputs.script }}
-      env:
-        COPILOT: true
-        DEV_SERVER_URL: http://localhost:8080
-        COPILOT_OPENAI_API_KEY: ${{ inputs.openai-key }}
-        COPILOT_FAL_API_KEY: ${{ inputs.fal-key }}
-
-    - name: Upload test results
-      if: ${{ failure() }}
-      uses: actions/upload-artifact@v4
-      with:
-        name: test-results-e2e-server-copilot
-        path: ./test-results
-        if-no-files-found: ignore

.github/actions/deploy/action.yml

@@ -24,14 +24,24 @@ runs:
       shell: bash
       run: |
         echo "GIT_SHORT_HASH=$(git rev-parse --short HEAD)" >> "$GITHUB_ENV"
-    - name: 'Auth to cluster'
-      uses: './.github/actions/cluster-auth'
+    - uses: azure/setup-helm@v4
+    - id: auth
+      uses: google-github-actions/auth@v2
       with:
-        gcp-project-number: '${{ inputs.gcp-project-number }}'
-        gcp-project-id: '${{ inputs.gcp-project-id }}'
-        service-account: '${{ inputs.service-account }}'
-        cluster-name: '${{ inputs.cluster-name }}'
-        cluster-location: '${{ inputs.cluster-location }}'
+        workload_identity_provider: 'projects/${{ inputs.gcp-project-number }}/locations/global/workloadIdentityPools/github-actions/providers/github-actions-helm-deploy'
+        service_account: '${{ inputs.service-account }}'
+        token_format: 'access_token'
+        project_id: '${{ inputs.gcp-project-id }}'
+
+    - name: 'Setup gcloud cli'
+      uses: 'google-github-actions/setup-gcloud@v2'
+      with:
+        install_components: 'gke-gcloud-auth-plugin'
+
+    - id: get-gke-credentials
+      shell: bash
+      run: |
+        gcloud container clusters get-credentials ${{ inputs.cluster-name }} --region ${{ inputs.cluster-location }} --project ${{ inputs.gcp-project-id }}
 
     - name: Deploy
       shell: bash

.github/actions/deploy/deploy.mjs

@@ -40,42 +40,6 @@ const isProduction = buildType === 'stable';
 const isBeta = buildType === 'beta';
 const isInternal = buildType === 'internal';
 
-const replicaConfig = {
-  production: {
-    web: 3,
-    graphql: Number(process.env.PRODUCTION_GRAPHQL_REPLICA) || 3,
-    sync: Number(process.env.PRODUCTION_SYNC_REPLICA) || 3,
-    renderer: Number(process.env.PRODUCTION_RENDERER_REPLICA) || 3,
-  },
-  beta: {
-    web: 2,
-    graphql: Number(process.env.BETA_GRAPHQL_REPLICA) || 2,
-    sync: Number(process.env.BETA_SYNC_REPLICA) || 2,
-    renderer: Number(process.env.BETA_RENDERER_REPLICA) || 2,
-  },
-  canary: {
-    web: 2,
-    graphql: 2,
-    sync: 2,
-    renderer: 2,
-  },
-};
-
-const cpuConfig = {
-  beta: {
-    web: '300m',
-    graphql: '1',
-    sync: '1',
-    renderer: '300m',
-  },
-  canary: {
-    web: '300m',
-    graphql: '1',
-    sync: '1',
-    renderer: '300m',
-  },
-};
-
 const createHelmCommand = ({ isDryRun }) => {
   const flag = isDryRun ? '--dry-run' : '--atomic';
   const imageTag = `${buildType}-${GIT_SHORT_HASH}`;
@@ -103,18 +67,17 @@ const createHelmCommand = ({ isDryRun }) => {
           `--set-json   cloud-sql-proxy.nodeSelector=\"{ \\"iam.gke.io/gke-metadata-server-enabled\\": \\"true\\" }\"`,
         ]
       : [];
-
-  const cpu = cpuConfig[buildType];
-  const resources = cpu
-    ? [
-        `--set        web.resources.requests.cpu="${cpu.web}"`,
-        `--set        graphql.resources.requests.cpu="${cpu.graphql}"`,
-        `--set        sync.resources.requests.cpu="${cpu.sync}"`,
-      ]
-    : [];
-
-  const replica = replicaConfig[buildType] || replicaConfig.canary;
-
+  const webReplicaCount = isProduction ? 3 : isBeta ? 2 : 2;
+  const graphqlReplicaCount = isProduction
+    ? Number(process.env.PRODUCTION_GRAPHQL_REPLICA) || 3
+    : isBeta
+      ? Number(process.env.isBeta_GRAPHQL_REPLICA) || 2
+      : 2;
+  const syncReplicaCount = isProduction
+    ? Number(process.env.PRODUCTION_SYNC_REPLICA) || 3
+    : isBeta
+      ? Number(process.env.BETA_SYNC_REPLICA) || 2
+      : 2;
   const namespace = isProduction
     ? 'production'
     : isBeta
@@ -127,19 +90,14 @@ const createHelmCommand = ({ isDryRun }) => {
   const deployCommand = [
     `helm upgrade --install affine .github/helm/affine`,
     `--namespace  ${namespace}`,
-    `--set-string global.app.buildType="${buildType}"`,
     `--set        global.ingress.enabled=true`,
     `--set-json   global.ingress.annotations=\"{ \\"kubernetes.io/ingress.class\\": \\"gce\\", \\"kubernetes.io/ingress.allow-http\\": \\"true\\", \\"kubernetes.io/ingress.global-static-ip-name\\": \\"${STATIC_IP_NAME}\\" }\"`,
     `--set-string global.ingress.host="${host}"`,
-    `--set        global.objectStorage.r2.enabled=true`,
-    `--set-string global.objectStorage.r2.accountId="${R2_ACCOUNT_ID}"`,
-    `--set-string global.objectStorage.r2.accessKeyId="${R2_ACCESS_KEY_ID}"`,
-    `--set-string global.objectStorage.r2.secretAccessKey="${R2_SECRET_ACCESS_KEY}"`,
     `--set-string global.version="${APP_VERSION}"`,
     ...redisAndPostgres,
-    `--set        web.replicaCount=${replica.web}`,
+    `--set        web.replicaCount=${webReplicaCount}`,
     `--set-string web.image.tag="${imageTag}"`,
-    `--set        graphql.replicaCount=${replica.graphql}`,
+    `--set        graphql.replicaCount=${graphqlReplicaCount}`,
     `--set-string graphql.image.tag="${imageTag}"`,
     `--set        graphql.app.host=${host}`,
     `--set        graphql.app.captcha.enabled=true`,
@@ -148,6 +106,10 @@ const createHelmCommand = ({ isDryRun }) => {
     `--set-string graphql.app.copilot.openai.key="${COPILOT_OPENAI_API_KEY}"`,
     `--set-string graphql.app.copilot.fal.key="${COPILOT_FAL_API_KEY}"`,
     `--set-string graphql.app.copilot.unsplash.key="${COPILOT_UNSPLASH_API_KEY}"`,
+    `--set        graphql.app.objectStorage.r2.enabled=true`,
+    `--set-string graphql.app.objectStorage.r2.accountId="${R2_ACCOUNT_ID}"`,
+    `--set-string graphql.app.objectStorage.r2.accessKeyId="${R2_ACCESS_KEY_ID}"`,
+    `--set-string graphql.app.objectStorage.r2.secretAccessKey="${R2_SECRET_ACCESS_KEY}"`,
     `--set-string graphql.app.mailer.sender="${MAILER_SENDER}"`,
     `--set-string graphql.app.mailer.user="${MAILER_USER}"`,
     `--set-string graphql.app.mailer.password="${MAILER_PASSWORD}"`,
@@ -161,13 +123,9 @@ const createHelmCommand = ({ isDryRun }) => {
     `--set        graphql.app.experimental.enableJwstCodec=${namespace === 'dev'}`,
     `--set        graphql.app.features.earlyAccessPreview=false`,
     `--set        graphql.app.features.syncClientVersionCheck=true`,
-    `--set        sync.replicaCount=${replica.sync}`,
+    `--set        sync.replicaCount=${syncReplicaCount}`,
     `--set-string sync.image.tag="${imageTag}"`,
-    `--set-string renderer.image.tag="${imageTag}"`,
-    `--set        renderer.app.host=${host}`,
-    `--set        renderer.replicaCount=${replica.renderer}`,
     ...serviceAnnotations,
-    ...resources,
     `--timeout 10m`,
     flag,
   ].join(' ');

.github/actions/server-test-env/action.yml

@@ -1,21 +0,0 @@
-name: 'Prepare Server Test Environment'
-description: 'Prepare Server Test Environment'
-
-runs:
-  using: 'composite'
-  steps:
-    - name: Initialize database
-      shell: bash
-      run: |
-        psql -h localhost -U postgres -c "CREATE DATABASE affine;"
-        psql -h localhost -U postgres -c "CREATE USER affine WITH PASSWORD 'affine';"
-        psql -h localhost -U postgres -c "ALTER USER affine WITH SUPERUSER;"
-      env:
-        PGPASSWORD: affine
-
-    - name: Run init-db script
-      shell: bash
-      run: |
-        yarn workspace @affine/server exec prisma generate
-        yarn workspace @affine/server exec prisma db push
-        yarn workspace @affine/server data-migration run

.github/actions/setup-node/action.yml

@@ -17,10 +17,6 @@ inputs:
     description: 'Download the Electron binary'
     required: false
     default: 'true'
-  corepack-install:
-    description: 'Install CorePack'
-    required: false
-    default: 'false'
   hard-link-nm:
     description: 'set nmMode to hardlinks-local in .yarnrc.yml'
     required: false
@@ -46,11 +42,6 @@ runs:
         registry-url: https://npm.pkg.github.com
         scope: '@toeverything'
 
-    - name: Init CorePack
-      if: ${{ inputs.corepack-install == 'true' }}
-      shell: bash
-      run: corepack enable
-
     - name: Set nmMode
       if: ${{ inputs.hard-link-nm == 'false' }}
       shell: bash
@@ -165,7 +156,7 @@ runs:
     - name: Install Playwright's dependencies
       shell: bash
       if: inputs.playwright-install == 'true'
-      run: yarn playwright install --with-deps chromium webkit
+      run: yarn playwright install --with-deps chromium
       env:
         PLAYWRIGHT_BROWSERS_PATH: ${{ github.workspace }}/node_modules/.cache/ms-playwright
 

.github/deployment/front/Dockerfile

@@ -1,8 +1,7 @@
-FROM openresty/openresty:1.27.1.1-0-buster
+FROM openresty/openresty:1.25.3.1-0-buster
 WORKDIR /app
-COPY ./packages/frontend/apps/web/dist ./dist
+COPY ./packages/frontend/web/dist ./dist
 COPY ./packages/frontend/admin/dist ./admin
-COPY ./packages/frontend/apps/mobile/dist ./mobile
 COPY ./.github/deployment/front/nginx.conf /usr/local/openresty/nginx/conf/nginx.conf
 COPY ./.github/deployment/front/affine.nginx.conf /etc/nginx/conf.d/affine.nginx.conf
 

.github/deployment/front/affine.nginx.conf

@@ -6,33 +6,15 @@ server {
     try_files $uri/index.html $uri/ $uri /admin/index.html;
   }
 
-  set $app_root_path /app/dist/;
-  set $mobile_root /app/dist/;
-  set_by_lua $affine_env 'return os.getenv("AFFINE_ENV")';
-
-  if ($affine_env = "dev") {
-    set $mobile_root /app/mobile/;
-  }
-
-  # https://gist.github.com/mariusom/6683dc52b1cad1a1f372e908bdb209d0
-  if ($http_user_agent ~* "(android|bb\d+|meego).+mobile|avantgo|bada\/|blackberry|blazer|compal|elaine|fennec|hiptop|iemobile|ip(hone|od)|iris|kindle|lge |maemo|midp|mmp|mobile.+firefox|netfront|opera m(ob|in)i|palm( os)?|phone|p(ixi|re)\/|plucker|pocket|psp|series(4|6)0|symbian|treo|up\.(browser|link)|vodafone|wap|windows ce|xda|xiino") {
-    set $app_root_path $mobile_root;
-  }
-
-  if ($http_user_agent ~* "^(1207|6310|6590|3gso|4thp|50[1-6]i|770s|802s|a wa|abac|ac(er|oo|s\-)|ai(ko|rn)|al(av|ca|co)|amoi|an(ex|ny|yw)|aptu|ar(ch|go)|as(te|us)|attw|au(di|\-m|r |s )|avan|be(ck|ll|nq)|bi(lb|rd)|bl(ac|az)|br(e|v)w|bumb|bw\-(n|u)|c55\/|capi|ccwa|cdm\-|cell|chtm|cldc|cmd\-|co(mp|nd)|craw|da(it|ll|ng)|dbte|dc\-s|devi|dica|dmob|do(c|p)o|ds(12|\-d)|el(49|ai)|em(l2|ul)|er(ic|k0)|esl8|ez([4-7]0|os|wa|ze)|fetc|fly(\-|_)|g1 u|g560|gene|gf\-5|g\-mo|go(\.w|od)|gr(ad|un)|haie|hcit|hd\-(m|p|t)|hei\-|hi(pt|ta)|hp( i|ip)|hs\-c|ht(c(\-| |_|a|g|p|s|t)|tp)|hu(aw|tc)|i\-(20|go|ma)|i230|iac( |\-|\/)|ibro|idea|ig01|ikom|im1k|inno|ipaq|iris|ja(t|v)a|jbro|jemu|jigs|kddi|keji|kgt( |\/)|klon|kpt |kwc\-|kyo(c|k)|le(no|xi)|lg( g|\/(k|l|u)|50|54|\-[a-w])|libw|lynx|m1\-w|m3ga|m50\/|ma(te|ui|xo)|mc(01|21|ca)|m\-cr|me(rc|ri)|mi(o8|oa|ts)|mmef|mo(01|02|bi|de|do|t(\-| |o|v)|zz)|mt(50|p1|v )|mwbp|mywa|n10[0-2]|n20[2-3]|n30(0|2)|n50(0|2|5)|n7(0(0|1)|10)|ne((c|m)\-|on|tf|wf|wg|wt)|nok(6|i)|nzph|o2im|op(ti|wv)|oran|owg1|p800|pan(a|d|t)|pdxg|pg(13|\-([1-8]|c))|phil|pire|pl(ay|uc)|pn\-2|po(ck|rt|se)|prox|psio|pt\-g|qa\-a|qc(07|12|21|32|60|\-[2-7]|i\-)|qtek|r380|r600|raks|rim9|ro(ve|zo)|s55\/|sa(ge|ma|mm|ms|ny|va)|sc(01|h\-|oo|p\-)|sdk\/|se(c(\-|0|1)|47|mc|nd|ri)|sgh\-|shar|sie(\-|m)|sk\-0|sl(45|id)|sm(al|ar|b3|it|t5)|so(ft|ny)|sp(01|h\-|v\-|v )|sy(01|mb)|t2(18|50)|t6(00|10|18)|ta(gt|lk)|tcl\-|tdg\-|tel(i|m)|tim\-|t\-mo|to(pl|sh)|ts(70|m\-|m3|m5)|tx\-9|up(\.b|g1|si)|utst|v400|v750|veri|vi(rg|te)|vk(40|5[0-3]|\-v)|vm40|voda|vulc|vx(52|53|60|61|70|80|81|83|85|98)|w3c(\-| )|webc|whit|wi(g |nc|nw)|wmlb|wonu|x700|yas\-|your|zeto|zte\-)") {
-    set $app_root_path $mobile_root;
-  }
-
   location ~ ^/(_plugin|assets|imgs|js|plugins|static)/ {
-    root $app_root_path;
+    root /app/dist/;
     try_files $uri $uri/ =404;
   }
 
   location / {
-    root $app_root_path;
+    root /app/dist/;
     index index.html;
     try_files $uri $uri/ /index.html;
-    add_header Cache-Control "private, no-cache, no-store, max-age=0, must-revalidate";
   }
 
   error_page 404 /404.html;

.github/deployment/front/nginx.conf

@@ -1,15 +1,14 @@
-worker_processes 4;
+worker_processes  4;
 error_log /var/log/nginx/error.log warn;
 pcre_jit on;
-env AFFINE_ENV;
 events {
-  worker_connections 1024;
+    worker_connections 1024;
 }
 http {
-  include mime.types;
-  log_format main '$remote_addr [$time_local] "$request" '
-  '$status $body_bytes_sent "$http_referer" '
-  '"$http_user_agent" "$http_x_forwarded_for"';
-  access_log /var/log/nginx/access.log main;
-  include /etc/nginx/conf.d/*.conf;
+    include       mime.types;
+    log_format    main  '$remote_addr [$time_local] "$request" '
+                        '$status $body_bytes_sent "$http_referer" '
+                        '"$http_user_agent" "$http_x_forwarded_for"';
+    access_log    /var/log/nginx/access.log  main;
+    include /etc/nginx/conf.d/*.conf;
 }

.github/deployment/node/Dockerfile

@@ -1,9 +1,8 @@
 FROM node:20-bookworm-slim
 
 COPY ./packages/backend/server /app
-COPY ./packages/frontend/apps/web/dist /app/static
+COPY ./packages/frontend/web/dist /app/static
 COPY ./packages/frontend/admin/dist /app/static/admin
-COPY ./packages/frontend/apps/mobile/dist /app/static/mobile
 WORKDIR /app
 
 RUN apt-get update && \

.github/deployment/self-host/compose.yaml

@@ -28,6 +28,8 @@ services:
       - REDIS_SERVER_HOST=redis
       - DATABASE_URL=postgres://affine:affine@postgres:5432/affine
       - NODE_ENV=production
+      - AFFINE_ADMIN_EMAIL=${AFFINE_ADMIN_EMAIL}
+      - AFFINE_ADMIN_PASSWORD=${AFFINE_ADMIN_PASSWORD}
       # Telemetry allows us to collect data on how you use the affine. This data will helps us improve the app and provide better features.
       # Uncomment next line if you wish to quit telemetry.
       # - TELEMETRY_ENABLE=false
@@ -43,7 +45,7 @@ services:
       timeout: 5s
       retries: 5
   postgres:
-    image: postgres:16
+    image: postgres
     container_name: affine_postgres
     restart: unless-stopped
     volumes:

.github/helm/affine/Chart.yaml

@@ -3,4 +3,4 @@ name: affine
 description: AFFiNE cloud chart
 type: application
 version: 0.0.0
-appVersion: "0.17.0"
+appVersion: "0.16.0"

.github/helm/affine/charts/graphql/Chart.yaml

@@ -3,7 +3,7 @@ name: graphql
 description: AFFiNE GraphQL server
 type: application
 version: 0.0.0
-appVersion: "0.17.0"
+appVersion: "0.16.0"
 dependencies:
   - name: gcloud-sql-proxy
     version: 0.0.0

.github/helm/affine/charts/graphql/templates/deployment.yaml

@@ -76,7 +76,9 @@ spec:
           - name: AFFINE_SERVER_HTTPS
             value: "{{ .Values.app.https }}"
           - name: ENABLE_R2_OBJECT_STORAGE
-            value: "{{ .Values.global.objectStorage.r2.enabled }}"
+            value: "{{ .Values.app.objectStorage.r2.enabled }}"
+          - name: ENABLE_CAPTCHA
+            value: "{{ .Values.app.captcha.enabled }}"
           - name: FEATURES_EARLY_ACCESS_PREVIEW
             value: "{{ .Values.app.features.earlyAccessPreview }}"
           - name: FEATURES_SYNC_CLIENT_VERSION_CHECK
@@ -122,21 +124,21 @@ spec:
           - name: DOC_MERGE_USE_JWST_CODEC
             value: "true"
           {{ end }}
-          {{ if .Values.global.objectStorage.r2.enabled }}
+          {{ if .Values.app.objectStorage.r2.enabled }}
           - name: R2_OBJECT_STORAGE_ACCOUNT_ID
             valueFrom:
               secretKeyRef:
-                name: "{{ .Values.global.objectStorage.r2.secretName }}"
+                name: "{{ .Values.app.objectStorage.r2.secretName }}"
                 key: accountId
           - name: R2_OBJECT_STORAGE_ACCESS_KEY_ID
             valueFrom:
               secretKeyRef:
-                name: "{{ .Values.global.objectStorage.r2.secretName }}"
+                name: "{{ .Values.app.objectStorage.r2.secretName }}"
                 key: accessKeyId
           - name: R2_OBJECT_STORAGE_SECRET_ACCESS_KEY
             valueFrom:
               secretKeyRef:
-                name: "{{ .Values.global.objectStorage.r2.secretName }}"
+                name: "{{ .Values.app.objectStorage.r2.secretName }}"
                 key: secretAccessKey
           {{ end }}
           {{ if .Values.app.captcha.enabled }}

.github/helm/affine/charts/graphql/templates/migration.yaml

@@ -37,21 +37,21 @@ spec:
           - name: DATABASE_URL
             value: postgres://{{ .Values.global.database.user }}:$(DATABASE_PASSWORD)@{{ .Values.global.database.gcloud.cloudSqlInternal }}:{{ .Values.global.database.port }}/{{ .Values.global.database.name }}
           {{ end }}
-          {{ if .Values.global.objectStorage.r2.enabled }}
+          {{ if .Values.app.objectStorage.r2.enabled }}
           - name: R2_OBJECT_STORAGE_ACCOUNT_ID
             valueFrom:
               secretKeyRef:
-                name: "{{ .Values.global.objectStorage.r2.secretName }}"
+                name: "{{ .Values.app.objectStorage.r2.secretName }}"
                 key: accountId
           - name: R2_OBJECT_STORAGE_ACCESS_KEY_ID
             valueFrom:
               secretKeyRef:
-                name: "{{ .Values.global.objectStorage.r2.secretName }}"
+                name: "{{ .Values.app.objectStorage.r2.secretName }}"
                 key: accessKeyId
           - name: R2_OBJECT_STORAGE_SECRET_ACCESS_KEY
             valueFrom:
               secretKeyRef:
-                name: "{{ .Values.global.objectStorage.r2.secretName }}"
+                name: "{{ .Values.app.objectStorage.r2.secretName }}"
                 key: secretAccessKey
           {{ end }}
         resources:

.github/helm/affine/charts/graphql/templates/r2-secret.yaml

@@ -0,0 +1,11 @@
+{{- if .Values.app.objectStorage.r2.enabled -}}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: "{{ .Values.app.objectStorage.r2.secretName }}"
+type: Opaque
+data:
+  accountId: {{ .Values.app.objectStorage.r2.accountId | b64enc }}
+  accessKeyId: {{ .Values.app.objectStorage.r2.accessKeyId | b64enc }}
+  secretAccessKey: {{ .Values.app.objectStorage.r2.secretAccessKey | b64enc }}
+{{- end }}

.github/helm/affine/charts/graphql/values.yaml

@@ -29,7 +29,14 @@ app:
     secretName: copilot
     openai:
       key: ''
-  oauth:
+  objectStorage:
+    r2:
+      enabled: false
+      secretName: r2
+      accountId: ''
+      accessKeyId: ''
+      secretAccessKey: ''
+  oauth: 
     google:
       enabled: false
       secretName: oauth-google

.github/helm/affine/charts/renderer/Chart.yaml

@@ -1,11 +0,0 @@
-apiVersion: v2
-name: renderer
-description: AFFiNE renderer server
-type: application
-version: 0.0.0
-appVersion: "0.16.0"
-dependencies:
-  - name: gcloud-sql-proxy
-    version: 0.0.0
-    repository: "file://../gcloud-sql-proxy"
-    condition: .global.database.gcloud.enabled

.github/helm/affine/charts/renderer/templates/NOTES.txt

@@ -1,16 +0,0 @@
-1. Get the application URL by running these commands:
-{{- if contains "NodePort" .Values.service.type }}
-  export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "renderer.fullname" . }})
-  export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}")
-  echo http://$NODE_IP:$NODE_PORT
-{{- else if contains "LoadBalancer" .Values.service.type }}
-     NOTE: It may take a few minutes for the LoadBalancer IP to be available.
-           You can watch the status of by running 'kubectl get --namespace {{ .Release.Namespace }} svc -w {{ include "renderer.fullname" . }}'
-  export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ include "renderer.fullname" . }} --template "{{"{{ range (index .status.loadBalancer.ingress 0) }}{{.}}{{ end }}"}}")
-  echo http://$SERVICE_IP:{{ .Values.service.port }}
-{{- else if contains "ClusterIP" .Values.service.type }}
-  export POD_NAME=$(kubectl get pods --namespace {{ .Release.Namespace }} -l "app.kubernetes.io/name={{ include "renderer.name" . }},app.kubernetes.io/instance={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}")
-  export CONTAINER_PORT=$(kubectl get pod --namespace {{ .Release.Namespace }} $POD_NAME -o jsonpath="{.spec.containers[0].ports[0].containerPort}")
-  echo "Visit http://127.0.0.1:8080 to use your application"
-  kubectl --namespace {{ .Release.Namespace }} port-forward $POD_NAME 8080:$CONTAINER_PORT
-{{- end }}

.github/helm/affine/charts/renderer/templates/_helpers.tpl

@@ -1,63 +0,0 @@
-{{/*
-Expand the name of the chart.
-*/}}
-{{- define "renderer.name" -}}
-{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
-{{- end }}
-
-{{/*
-Create a default fully qualified app name.
-We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
-If release name contains chart name it will be used as a full name.
-*/}}
-{{- define "renderer.fullname" -}}
-{{- if .Values.fullnameOverride }}
-{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
-{{- else }}
-{{- $name := default .Chart.Name .Values.nameOverride }}
-{{- if contains $name .Release.Name }}
-{{- .Release.Name | trunc 63 | trimSuffix "-" }}
-{{- else }}
-{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
-{{- end }}
-{{- end }}
-{{- end }}
-
-{{/*
-Create chart name and version as used by the chart label.
-*/}}
-{{- define "renderer.chart" -}}
-{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
-{{- end }}
-
-{{/*
-Common labels
-*/}}
-{{- define "renderer.labels" -}}
-helm.sh/chart: {{ include "renderer.chart" . }}
-{{ include "renderer.selectorLabels" . }}
-{{- if .Chart.AppVersion }}
-app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
-{{- end }}
-app.kubernetes.io/managed-by: {{ .Release.Service }}
-monitoring: enabled
-{{- end }}
-
-{{/*
-Selector labels
-*/}}
-{{- define "renderer.selectorLabels" -}}
-app.kubernetes.io/name: {{ include "renderer.name" . }}
-app.kubernetes.io/instance: {{ .Release.Name }}
-{{- end }}
-
-{{/*
-Create the name of the service account to use
-*/}}
-{{- define "renderer.serviceAccountName" -}}
-{{- if .Values.serviceAccount.create }}
-{{- default (include "renderer.fullname" .) .Values.serviceAccount.name }}
-{{- else }}
-{{- default "default" .Values.serviceAccount.name }}
-{{- end }}
-{{- end }}

.github/helm/affine/charts/renderer/templates/deployment.yaml

@@ -1,124 +0,0 @@
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: {{ include "renderer.fullname" . }}
-  labels:
-    {{- include "renderer.labels" . | nindent 4 }}
-spec:
-  replicas: {{ .Values.replicaCount }}
-  selector:
-    matchLabels:
-      {{- include "renderer.selectorLabels" . | nindent 6 }}
-  template:
-    metadata:
-      {{- with .Values.podAnnotations }}
-      annotations:
-        {{- toYaml . | nindent 8 }}
-      {{- end }}
-      labels:
-        {{- include "renderer.selectorLabels" . | nindent 8 }}
-    spec:
-      {{- with .Values.imagePullSecrets }}
-      imagePullSecrets:
-        {{- toYaml . | nindent 8 }}
-      {{- end }}
-      serviceAccountName: {{ include "renderer.serviceAccountName" . }}
-      containers:
-        - name: {{ .Chart.Name }}
-          image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
-          imagePullPolicy: {{ .Values.image.pullPolicy }}
-          env:
-          - name: AFFINE_PRIVATE_KEY
-            valueFrom:
-              secretKeyRef:
-                name: "{{ .Values.global.secret.secretName }}"
-                key: key
-          - name: NODE_ENV
-            value: "{{ .Values.env }}"
-          - name: NODE_OPTIONS
-            value: "--max-old-space-size=4096"
-          - name: NO_COLOR
-            value: "1"
-          - name: DEPLOYMENT_TYPE
-            value: "affine"
-          - name: SERVER_FLAVOR
-            value: "renderer"
-          - name: AFFINE_ENV
-            value: "{{ .Release.Namespace }}"
-          - name: DATABASE_PASSWORD
-            valueFrom:
-              secretKeyRef:
-                name: pg-postgresql
-                key: postgres-password
-          - name: DATABASE_URL
-            value: postgres://{{ .Values.global.database.user }}:$(DATABASE_PASSWORD)@{{ .Values.global.database.url }}:{{ .Values.global.database.port }}/{{ .Values.global.database.name }}
-          - name: REDIS_SERVER_ENABLED
-            value: "true"
-          - name: REDIS_SERVER_HOST
-            value: "{{ .Values.global.redis.host }}"
-          - name: REDIS_SERVER_PORT
-            value: "{{ .Values.global.redis.port }}"
-          - name: REDIS_SERVER_USER
-            value: "{{ .Values.global.redis.username }}"
-          - name: REDIS_SERVER_PASSWORD
-            valueFrom:
-              secretKeyRef:
-                name: redis
-                key: redis-password
-          - name: REDIS_SERVER_DATABASE
-            value: "{{ .Values.global.redis.database }}"
-          - name: AFFINE_SERVER_PORT
-            value: "{{ .Values.service.port }}"
-          - name: AFFINE_SERVER_SUB_PATH
-            value: "{{ .Values.app.path }}"
-          - name: AFFINE_SERVER_HOST
-            value: "{{ .Values.app.host }}"
-          - name: AFFINE_SERVER_HTTPS
-            value: "{{ .Values.app.https }}"
-          - name: ENABLE_R2_OBJECT_STORAGE
-            value: "{{ .Values.global.objectStorage.r2.enabled }}"
-          {{ if .Values.global.objectStorage.r2.enabled }}
-          - name: R2_OBJECT_STORAGE_ACCOUNT_ID
-            valueFrom:
-              secretKeyRef:
-                name: "{{ .Values.global.objectStorage.r2.secretName }}"
-                key: accountId
-          - name: R2_OBJECT_STORAGE_ACCESS_KEY_ID
-            valueFrom:
-              secretKeyRef:
-                name: "{{ .Values.global.objectStorage.r2.secretName }}"
-                key: accessKeyId
-          - name: R2_OBJECT_STORAGE_SECRET_ACCESS_KEY
-            valueFrom:
-              secretKeyRef:
-                name: "{{ .Values.global.objectStorage.r2.secretName }}"
-                key: secretAccessKey
-          {{ end }}
-          ports:
-            - name: http
-              containerPort: {{ .Values.service.port }}
-              protocol: TCP
-          livenessProbe:
-            httpGet:
-              path: /info
-              port: http
-            initialDelaySeconds: {{ .Values.probe.initialDelaySeconds }}
-          readinessProbe:
-            httpGet:
-              path: /info
-              port: http
-            initialDelaySeconds: {{ .Values.probe.initialDelaySeconds }}
-          resources:
-            {{- toYaml .Values.resources | nindent 12 }}
-      {{- with .Values.nodeSelector }}
-      nodeSelector:
-        {{- toYaml . | nindent 8 }}
-      {{- end }}
-      {{- with .Values.affinity }}
-      affinity:
-        {{- toYaml . | nindent 8 }}
-      {{- end }}
-      {{- with .Values.tolerations }}
-      tolerations:
-        {{- toYaml . | nindent 8 }}
-      {{- end }}

.github/helm/affine/charts/renderer/templates/service.yaml

@@ -1,19 +0,0 @@
-apiVersion: v1
-kind: Service
-metadata:
-  name: {{ include "graphql.fullname" . }}
-  labels:
-    {{- include "graphql.labels" . | nindent 4 }}
-  {{- with .Values.service.annotations }}
-  annotations:
-    {{- toYaml . | nindent 4 }}
-  {{- end }}
-spec:
-  type: {{ .Values.service.type }}
-  ports:
-    - port: {{ .Values.service.port }}
-      targetPort: http
-      protocol: TCP
-      name: http
-  selector:
-    {{- include "graphql.selectorLabels" . | nindent 4 }}

.github/helm/affine/charts/renderer/templates/serviceaccount.yaml

@@ -1,12 +0,0 @@
-{{- if .Values.serviceAccount.create -}}
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  name: {{ include "graphql.serviceAccountName" . }}
-  labels:
-    {{- include "graphql.labels" . | nindent 4 }}
-  {{- with .Values.serviceAccount.annotations }}
-  annotations:
-    {{- toYaml . | nindent 4 }}
-  {{- end }}
-{{- end }}

.github/helm/affine/charts/renderer/templates/tests/test-connection.yaml

@@ -1,15 +0,0 @@
-apiVersion: v1
-kind: Pod
-metadata:
-  name: "{{ include "renderer.fullname" . }}-test-connection"
-  labels:
-    {{- include "renderer.labels" . | nindent 4 }}
-  annotations:
-    "helm.sh/hook": test
-spec:
-  containers:
-    - name: wget
-      image: busybox
-      command: ['wget']
-      args: ['{{ include "renderer.fullname" . }}:{{ .Values.service.port }}']
-  restartPolicy: Never

.github/helm/affine/charts/renderer/values.yaml

@@ -1,38 +0,0 @@
-replicaCount: 1
-image:
-  repository: ghcr.io/toeverything/affine-graphql
-  pullPolicy: IfNotPresent
-  tag: ''
-
-imagePullSecrets: []
-nameOverride: ''
-fullnameOverride: ''
-# map to NODE_ENV environment variable
-env: 'production'
-app:
-  # AFFINE_SERVER_SUB_PATH
-  path: ''
-  # AFFINE_SERVER_HOST
-  host: '0.0.0.0'
-  https: true
-serviceAccount:
-  create: true
-  annotations: {}
-  name: 'affine-renderer'
-
-podAnnotations: {}
-
-podSecurityContext:
-  fsGroup: 2000
-
-resources:
-  requests:
-    cpu: '4'
-    memory: 4Gi
-
-probe:
-  initialDelaySeconds: 20
-
-nodeSelector: {}
-tolerations: []
-affinity: {}

.github/helm/affine/charts/sync/Chart.yaml

@@ -3,7 +3,7 @@ name: sync
 description: AFFiNE Sync Server
 type: application
 version: 0.0.0
-appVersion: "0.17.0"
+appVersion: "0.16.0"
 dependencies:
   - name: gcloud-sql-proxy
     version: 0.0.0

.github/helm/affine/charts/web/templates/deployment.yaml

@@ -27,9 +27,6 @@ spec:
         - name: {{ .Chart.Name }}
           image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
           imagePullPolicy: {{ .Values.image.pullPolicy }}
-          env:
-          - name: AFFINE_ENV
-            value: "{{ .Release.Namespace }}"
           ports:
             - name: http
               containerPort: {{ .Values.service.port }}

.github/helm/affine/templates/configmap.yaml

@@ -1,9 +0,0 @@
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  name: {{ .Release.Name }}-runtime-config
-data:
-  web-assets-manifest: |-
-    {{ .Files.Get "web-assets-manifest.json" | nindent 4 }}
-  mobile-assets-manifest: |-
-    {{ .Files.Get "mobile-assets-manifest.json" | nindent 4 }}

.github/helm/affine/templates/ingress.yaml

@@ -60,13 +60,13 @@ spec:
                 name: affine-graphql
                 port:
                   number: {{ .Values.graphql.service.port }}
-          - path: /workspace
+          - path: /oauth
             pathType: Prefix
             backend:
               service:
-                name: affine-renderer
+                name: affine-graphql
                 port:
-                  number: {{ .Values.renderer.service.port }}
+                  number: {{ .Values.graphql.service.port }}
           - path: /
             pathType: Prefix
             backend:
@@ -74,4 +74,11 @@ spec:
                 name: affine-web
                 port:
                   number: {{ .Values.web.service.port }}
+          - path: /js/worker.(.+).js
+            pathType: ImplementationSpecific
+            backend:
+              service:
+                name: affine-web
+                port:
+                  number: {{ .Values.web.service.port }}
 {{- end }}

.github/helm/affine/templates/r2-secret.yaml

@@ -1,11 +0,0 @@
-{{- if .Values.global.objectStorage.r2.enabled -}}
-apiVersion: v1
-kind: Secret
-metadata:
-  name: "{{ .Values.global.objectStorage.r2.secretName }}"
-type: Opaque
-data:
-  accountId: {{ .Values.global.objectStorage.r2.accountId | b64enc }}
-  accessKeyId: {{ .Values.global.objectStorage.r2.accessKeyId | b64enc }}
-  secretAccessKey: {{ .Values.global.objectStorage.r2.secretAccessKey | b64enc }}
-{{- end }}

.github/helm/affine/values.yaml

@@ -1,6 +1,4 @@
 global:
-  app:
-    buildType: 'stable'
   ingress:
     enabled: false
     className: ''
@@ -30,13 +28,6 @@ global:
     username: ''
     password: ''
     database: 0
-  objectStorage:
-    r2:
-      enabled: false
-      secretName: r2
-      accountId: ''
-      accessKeyId: ''
-      secretAccessKey: ''
   gke:
     enabled: true
 
@@ -54,13 +45,6 @@ sync:
     annotations:
       cloud.google.com/backend-config: '{"default": "affine-api-backendconfig"}'
 
-renderer:
-  service:
-    type: ClusterIP
-    port: 3000
-    annotations:
-      cloud.google.com/backend-config: '{"default": "affine-api-backendconfig"}'
-
 web:
   service:
     type: ClusterIP

.github/labeler.yml

@@ -77,7 +77,7 @@ app:core:
 app:electron:
   - changed-files:
       - any-glob-to-any-file:
-          - 'packages/frontend/apps/electron/**/*'
+          - 'packages/frontend/electron/**/*'
 
 app:server:
   - changed-files:

.github/renovate.json

@@ -23,11 +23,12 @@
       "groupName": "oxlint"
     },
     {
-      "groupName": "blocksuite",
+      "groupName": "blocksuite-canary",
       "matchPackagePatterns": ["^@blocksuite"],
       "excludePackageNames": ["@blocksuite/icons"],
       "rangeStrategy": "replace",
-      "changelogUrl": "https://github.com/toeverything/blocksuite/blob/master/packages/blocks/CHANGELOG.md"
+      "followTag": "canary",
+      "enabled": false
     },
     {
       "groupName": "all non-major dependencies",
@@ -40,10 +41,6 @@
       "groupName": "rust toolchain",
       "matchManagers": ["custom.regex"],
       "matchDepNames": ["rustc"]
-    },
-    {
-      "groupName": "nestjs",
-      "matchPackagePatterns": ["^@nestjs"]
     }
   ],
   "commitMessagePrefix": "chore: ",

.github/workflows/build-selfhost-image.yml

@@ -20,6 +20,6 @@ permissions:
 jobs:
   build-image:
     name: Build Image
-    uses: ./.github/workflows/build-images.yml
+    uses: ./.github/workflows/build-server-image.yml
     with:
       flavor: ${{ github.event.inputs.flavor }}

.github/workflows/build-server-image.yml

@@ -6,6 +6,11 @@ on:
       flavor:
         type: string
         required: true
+  workflow_dispatch:
+    inputs:
+      flavor:
+        type: string
+        required: false
 
 env:
   NX_CLOUD_ACCESS_TOKEN: ${{ secrets.NX_CLOUD_ACCESS_TOKEN }}
@@ -38,8 +43,8 @@ jobs:
           path: ./packages/backend/server/dist
           if-no-files-found: error
 
-  build-web:
-    name: Build @affine/web
+  build-web-selfhost:
+    name: Build @affine/web selfhost
     runs-on: ubuntu-latest
     environment: ${{ github.event.inputs.flavor }}
     steps:
@@ -52,27 +57,21 @@ jobs:
       - name: Build Core
         run: yarn nx build @affine/web --skip-nx-cache
         env:
-          R2_ACCOUNT_ID: ${{ secrets.R2_ACCOUNT_ID }}
-          R2_ACCESS_KEY_ID: ${{ secrets.R2_ACCESS_KEY_ID }}
-          R2_SECRET_ACCESS_KEY: ${{ secrets.R2_SECRET_ACCESS_KEY }}
           BUILD_TYPE: ${{ github.event.inputs.flavor }}
-          CAPTCHA_SITE_KEY: ${{ secrets.CAPTCHA_SITE_KEY }}
-          SENTRY_ORG: ${{ secrets.SENTRY_ORG }}
-          SENTRY_PROJECT: 'affine-web'
-          SENTRY_RELEASE: ${{ steps.version.outputs.APP_VERSION }}
-          SENTRY_AUTH_TOKEN: ${{ secrets.SENTRY_AUTH_TOKEN }}
-          SENTRY_DSN: ${{ secrets.SENTRY_DSN }}
-          PERFSEE_TOKEN: ${{ secrets.PERFSEE_TOKEN }}
+          PUBLIC_PATH: '/'
+          SELF_HOSTED: true
           MIXPANEL_TOKEN: ${{ secrets.MIXPANEL_TOKEN }}
+      - name: Download selfhost fonts
+        run: node ./scripts/download-blocksuite-fonts.mjs
       - name: Upload web artifact
         uses: actions/upload-artifact@v4
         with:
-          name: web
-          path: ./packages/frontend/apps/web/dist
+          name: selfhost-web
+          path: ./packages/frontend/web/dist
           if-no-files-found: error
 
-  build-admin:
-    name: Build @affine/admin
+  build-admin-selfhost:
+    name: Build @affine/admin selfhost
     runs-on: ubuntu-latest
     environment: ${{ github.event.inputs.flavor }}
     steps:
@@ -82,59 +81,20 @@ jobs:
         uses: ./.github/actions/setup-version
       - name: Setup Node.js
         uses: ./.github/actions/setup-node
-      - name: Build Admin
+      - name: Build Core
         run: yarn nx build @affine/admin --skip-nx-cache
         env:
-          R2_ACCOUNT_ID: ${{ secrets.R2_ACCOUNT_ID }}
-          R2_ACCESS_KEY_ID: ${{ secrets.R2_ACCESS_KEY_ID }}
-          R2_SECRET_ACCESS_KEY: ${{ secrets.R2_SECRET_ACCESS_KEY }}
           BUILD_TYPE: ${{ github.event.inputs.flavor }}
-          CAPTCHA_SITE_KEY: ${{ secrets.CAPTCHA_SITE_KEY }}
-          SENTRY_ORG: ${{ secrets.SENTRY_ORG }}
-          SENTRY_PROJECT: 'affine-admin'
-          SENTRY_AUTH_TOKEN: ${{ secrets.SENTRY_AUTH_TOKEN }}
-          SENTRY_DSN: ${{ secrets.SENTRY_DSN }}
-          PERFSEE_TOKEN: ${{ secrets.PERFSEE_TOKEN }}
+          PUBLIC_PATH: '/admin/'
+          SELF_HOSTED: true
           MIXPANEL_TOKEN: ${{ secrets.MIXPANEL_TOKEN }}
       - name: Upload admin artifact
         uses: actions/upload-artifact@v4
         with:
-          name: admin
+          name: selfhost-admin
           path: ./packages/frontend/admin/dist
           if-no-files-found: error
 
-  build-mobile:
-    name: Build @affine/mobile
-    runs-on: ubuntu-latest
-    environment: ${{ github.event.inputs.flavor }}
-    steps:
-      - uses: actions/checkout@v4
-      - name: Setup Version
-        id: version
-        uses: ./.github/actions/setup-version
-      - name: Setup Node.js
-        uses: ./.github/actions/setup-node
-      - name: Build Mobile
-        run: yarn nx build @affine/mobile --skip-nx-cache
-        env:
-          R2_ACCOUNT_ID: ${{ secrets.R2_ACCOUNT_ID }}
-          R2_ACCESS_KEY_ID: ${{ secrets.R2_ACCESS_KEY_ID }}
-          R2_SECRET_ACCESS_KEY: ${{ secrets.R2_SECRET_ACCESS_KEY }}
-          BUILD_TYPE: ${{ github.event.inputs.flavor }}
-          CAPTCHA_SITE_KEY: ${{ secrets.CAPTCHA_SITE_KEY }}
-          SENTRY_ORG: ${{ secrets.SENTRY_ORG }}
-          SENTRY_PROJECT: 'affine-mobile'
-          SENTRY_AUTH_TOKEN: ${{ secrets.SENTRY_AUTH_TOKEN }}
-          SENTRY_DSN: ${{ secrets.SENTRY_DSN }}
-          PERFSEE_TOKEN: ${{ secrets.PERFSEE_TOKEN }}
-          MIXPANEL_TOKEN: ${{ secrets.MIXPANEL_TOKEN }}
-      - name: Upload mobile artifact
-        uses: actions/upload-artifact@v4
-        with:
-          name: mobile
-          path: ./packages/frontend/apps/mobile/dist
-          if-no-files-found: error
-
   build-server-native:
     name: Build Server native - ${{ matrix.targets.name }}
     runs-on: ubuntu-latest
@@ -171,14 +131,13 @@ jobs:
           path: ./packages/backend/native/server-native.node
           if-no-files-found: error
 
-  build-images:
-    name: Build Images
+  build-docker:
+    name: Build Docker
     runs-on: ubuntu-latest
     needs:
       - build-server
-      - build-web
-      - build-mobile
-      - build-admin
+      - build-web-selfhost
+      - build-admin-selfhost
       - build-server-native
     steps:
       - uses: actions/checkout@v4
@@ -236,22 +195,16 @@ jobs:
           registry-url: https://npm.pkg.github.com
           scope: '@toeverything'
 
-      - name: Download web artifact
+      - name: Download selfhost web artifact
         uses: actions/download-artifact@v4
         with:
-          name: web
-          path: ./packages/frontend/apps/web/dist
+          name: selfhost-web
+          path: ./packages/frontend/web/dist
 
-      - name: Download mobile artifact
+      - name: Download selfhost admin artifact
         uses: actions/download-artifact@v4
         with:
-          name: mobile
-          path: ./packages/frontend/apps/mobile/dist
-
-      - name: Download admin artifact
-        uses: actions/download-artifact@v4
-        with:
-          name: admin
+          name: selfhost-admin
           path: ./packages/frontend/admin/dist
 
       - name: Install Node.js dependencies
@@ -267,17 +220,6 @@ jobs:
         id: version
         uses: ./.github/actions/setup-version
 
-      - name: Build front Dockerfile
-        uses: docker/build-push-action@v6
-        with:
-          context: .
-          push: true
-          pull: true
-          platforms: linux/amd64,linux/arm64
-          provenance: true
-          file: .github/deployment/front/Dockerfile
-          tags: ghcr.io/toeverything/affine-front:${{env.RELEASE_FLAVOR}}-${{ env.GIT_SHORT_HASH }},ghcr.io/toeverything/affine-front:${{env.RELEASE_FLAVOR}}
-
       - name: Build graphql Dockerfile
         uses: docker/build-push-action@v6
         with:

.github/workflows/build-test.yml

@@ -90,7 +90,7 @@ jobs:
           electron-install: false
           full-cache: true
       - name: Run i18n codegen
-        run: yarn workspace @affine/i18n build
+        run: yarn i18n-codegen gen
       - name: Run ESLint
         run: yarn lint:eslint --max-warnings=0
       - name: Run Prettier
@@ -117,7 +117,7 @@ jobs:
     name: E2E Test
     runs-on: ubuntu-latest
     env:
-      DISTRIBUTION: web
+      DISTRIBUTION: browser
       IN_CI_TEST: true
     strategy:
       fail-fast: false
@@ -143,41 +143,11 @@ jobs:
           path: ./test-results
           if-no-files-found: ignore
 
-  e2e-mobile-test:
-    name: E2E Mobile Test
-    runs-on: ubuntu-latest
-    env:
-      DISTRIBUTION: mobile
-      IN_CI_TEST: true
-    strategy:
-      fail-fast: false
-      matrix:
-        shard: [1, 2, 3, 4, 5]
-    steps:
-      - uses: actions/checkout@v4
-      - name: Setup Node.js
-        uses: ./.github/actions/setup-node
-        with:
-          playwright-install: true
-          electron-install: false
-          full-cache: true
-
-      - name: Run playwright tests
-        run: yarn workspace @affine-test/affine-mobile e2e --forbid-only --shard=${{ matrix.shard }}/${{ strategy.job-total }}
-
-      - name: Upload test results
-        if: ${{ failure() }}
-        uses: actions/upload-artifact@v4
-        with:
-          name: test-results-e2e-mobile-${{ matrix.shard }}
-          path: ./test-results
-          if-no-files-found: ignore
-
   e2e-migration-test:
     name: E2E Migration Test
     runs-on: ubuntu-latest
     env:
-      DISTRIBUTION: web
+      DISTRIBUTION: browser
     steps:
       - uses: actions/checkout@v4
       - name: Setup Node.js
@@ -204,7 +174,7 @@ jobs:
     needs:
       - build-native
     env:
-      DISTRIBUTION: web
+      DISTRIBUTION: browser
     steps:
       - uses: actions/checkout@v4
       - name: Setup Node.js
@@ -296,8 +266,8 @@ jobs:
           path: ./packages/backend/native/server-native.node
           if-no-files-found: error
 
-  build-electron-renderer:
-    name: Build @affine/electron renderer
+  build-web:
+    name: Build @affine/web
     runs-on: ubuntu-latest
 
     steps:
@@ -307,13 +277,13 @@ jobs:
         with:
           electron-install: false
           full-cache: true
-      - name: Build Electron renderer
+      - name: Build Web
         # always skip cache because its fast, and cache configuration is always changing
-        run: yarn build
+        run: yarn nx build @affine/web --skip-nx-cache
         env:
-          DISTRIBUTION: desktop
+          DISTRIBUTION: 'desktop'
       - name: zip web
-        run: tar -czf dist.tar.gz --directory=packages/frontend/apps/electron/renderer/dist .
+        run: tar -czf dist.tar.gz --directory=packages/frontend/electron/renderer/dist .
       - name: Upload web artifact
         uses: actions/upload-artifact@v4
         with:
@@ -327,8 +297,7 @@ jobs:
     needs: build-server-native
     env:
       NODE_ENV: test
-      DISTRIBUTION: web
-      DATABASE_URL: postgresql://affine:affine@localhost:5432/affine
+      DISTRIBUTION: browser
     services:
       postgres:
         image: postgres
@@ -361,13 +330,27 @@ jobs:
           name: server-native.node
           path: ./packages/backend/server
 
-      - name: Prepare Server Test Environment
-        uses: ./.github/actions/server-test-env
+      - name: Initialize database
+        run: |
+          psql -h localhost -U postgres -c "CREATE DATABASE affine;"
+          psql -h localhost -U postgres -c "CREATE USER affine WITH PASSWORD 'affine';"
+          psql -h localhost -U postgres -c "ALTER USER affine WITH SUPERUSER;"
+        env:
+          PGPASSWORD: affine
+
+      - name: Run init-db script
+        run: |
+          yarn workspace @affine/server exec prisma generate
+          yarn workspace @affine/server exec prisma db push
+          yarn workspace @affine/server data-migration run
+        env:
+          DATABASE_URL: postgresql://affine:affine@localhost:5432/affine
 
       - name: Run server tests
         run: yarn workspace @affine/server test:coverage
         env:
           CARGO_TARGET_DIR: '${{ github.workspace }}/target'
+          DATABASE_URL: postgresql://affine:affine@localhost:5432/affine
           COPILOT_OPENAI_API_KEY: 'use_fake_openai_api_key'
 
       - name: Upload server test coverage results
@@ -379,157 +362,11 @@ jobs:
           name: affine
           fail_ci_if_error: false
 
-  copilot-api-test:
-    name: Server Copilot Api Test
-    runs-on: ubuntu-latest
-    needs:
-      - build-server-native
-    env:
-      NODE_ENV: test
-      DISTRIBUTION: web
-      DATABASE_URL: postgresql://affine:affine@localhost:5432/affine
-    services:
-      postgres:
-        image: postgres
-        env:
-          POSTGRES_PASSWORD: affine
-        options: >-
-          --health-cmd pg_isready
-          --health-interval 10s
-          --health-timeout 5s
-          --health-retries 5
-        ports:
-          - 5432:5432
-      mailer:
-        image: mailhog/mailhog
-        ports:
-          - 1025:1025
-          - 8025:8025
-    steps:
-      - uses: actions/checkout@v4
-
-      - name: Check blocksuite update
-        id: check-blocksuite-update
-        env:
-          BASE_REF: ${{ github.base_ref }}
-        run: |
-          if node ./scripts/detect-blocksuite-update.mjs "$BASE_REF"; then
-            echo "skip=false" >> $GITHUB_OUTPUT
-          else
-            echo "skip=true" >> $GITHUB_OUTPUT
-          fi
-
-      - uses: dorny/paths-filter@v3
-        id: filter
-        with:
-          filters: |
-            backend:
-              - 'packages/backend/server/src/**'
-
-      - name: Setup Node.js
-        if: ${{ steps.check-blocksuite-update.outputs.skip != 'true' || steps.filter.outputs.backend == 'true' }}
-        uses: ./.github/actions/setup-node
-        with:
-          electron-install: false
-          full-cache: true
-
-      - name: Download server-native.node
-        if: ${{ steps.check-blocksuite-update.outputs.skip != 'true' || steps.filter.outputs.backend == 'true' }}
-        uses: actions/download-artifact@v4
-        with:
-          name: server-native.node
-          path: ./packages/backend/server
-
-      - name: Prepare Server Test Environment
-        if: ${{ steps.check-blocksuite-update.outputs.skip != 'true' || steps.filter.outputs.backend == 'true' }}
-        uses: ./.github/actions/server-test-env
-
-      - name: Run server tests
-        if: ${{ steps.check-blocksuite-update.outputs.skip != 'true' || steps.filter.outputs.backend == 'true' }}
-        run: yarn workspace @affine/server test:copilot:coverage --forbid-only
-        env:
-          CARGO_TARGET_DIR: '${{ github.workspace }}/target'
-          COPILOT_OPENAI_API_KEY: ${{ secrets.COPILOT_OPENAI_API_KEY }}
-          COPILOT_FAL_API_KEY: ${{ secrets.COPILOT_FAL_API_KEY }}
-
-      - name: Upload server test coverage results
-        if: ${{ steps.check-blocksuite-update.outputs.skip != 'true' || steps.filter.outputs.backend == 'true' }}
-        uses: codecov/codecov-action@v4
-        with:
-          token: ${{ secrets.CODECOV_TOKEN }}
-          files: ./packages/backend/server/.coverage/lcov.info
-          flags: server-test
-          name: affine
-          fail_ci_if_error: false
-
-  copilot-e2e-test:
-    name: Server Copilot E2E Test
-    runs-on: ubuntu-latest
-    env:
-      DISTRIBUTION: web
-      DATABASE_URL: postgresql://affine:affine@localhost:5432/affine
-      IN_CI_TEST: true
-    strategy:
-      fail-fast: false
-      matrix:
-        shardIndex: [1, 2, 3]
-        shardTotal: [3]
-    needs:
-      - build-server-native
-    services:
-      postgres:
-        image: postgres
-        env:
-          POSTGRES_PASSWORD: affine
-        options: >-
-          --health-cmd pg_isready
-          --health-interval 10s
-          --health-timeout 5s
-          --health-retries 5
-        ports:
-          - 5432:5432
-    steps:
-      - uses: actions/checkout@v4
-
-      - name: Check blocksuite update
-        id: check-blocksuite-update
-        env:
-          BASE_REF: ${{ github.base_ref }}
-        run: |
-          if node ./scripts/detect-blocksuite-update.mjs "$BASE_REF"; then
-            echo "skip=false" >> $GITHUB_OUTPUT
-          else
-            echo "skip=true" >> $GITHUB_OUTPUT
-          fi
-
-      - name: Setup Node.js
-        if: ${{ steps.check-blocksuite-update.outputs.skip != 'true' }}
-        uses: ./.github/actions/setup-node
-        with:
-          playwright-install: true
-          electron-install: false
-          hard-link-nm: false
-
-      - name: Download server-native.node
-        if: ${{ steps.check-blocksuite-update.outputs.skip != 'true' }}
-        uses: actions/download-artifact@v4
-        with:
-          name: server-native.node
-          path: ./packages/backend/server
-
-      - name: Run Copilot E2E Test ${{ matrix.shardIndex }}/${{ matrix.shardTotal }}
-        if: ${{ steps.check-blocksuite-update.outputs.skip != 'true' }}
-        uses: ./.github/actions/copilot-test
-        with:
-          script: yarn workspace @affine-test/affine-cloud-copilot e2e --forbid-only --shard=${{ matrix.shardIndex }}/${{ matrix.shardTotal }}
-          openai-key: ${{ secrets.COPILOT_OPENAI_API_KEY }}
-          fal-key: ${{ secrets.COPILOT_FAL_API_KEY }}
-
   server-e2e-test:
     name: ${{ matrix.tests.name }}
     runs-on: ubuntu-latest
     env:
-      DISTRIBUTION: web
+      DISTRIBUTION: browser
       DATABASE_URL: postgresql://affine:affine@localhost:5432/affine
       IN_CI_TEST: true
     strategy:
@@ -545,10 +382,6 @@ jobs:
           - name: 'Server Desktop E2E Test'
             script: |
               yarn workspace @affine/electron build:dev
-              # Workaround for Electron apps failing to initialize on Ubuntu 24.04 due to AppArmor restrictions
-              # Disables unprivileged user namespaces restriction to allow Electron apps to run
-              # Reference: https://github.com/electron/electron/issues/42510
-              sudo sysctl -w kernel.apparmor_restrict_unprivileged_userns=0
               xvfb-run --auto-servernum --server-args="-screen 0 1280x960x24" -- yarn workspace @affine-test/affine-desktop-cloud e2e
     needs:
       - build-server-native
@@ -591,8 +424,19 @@ jobs:
           name: affine.linux-x64-gnu.node
           path: ./packages/frontend/native
 
-      - name: Prepare Server Test Environment
-        uses: ./.github/actions/server-test-env
+      - name: Initialize database
+        run: |
+          psql -h localhost -U postgres -c "CREATE DATABASE affine;"
+          psql -h localhost -U postgres -c "CREATE USER affine WITH PASSWORD 'affine';"
+          psql -h localhost -U postgres -c "ALTER USER affine WITH SUPERUSER;"
+        env:
+          PGPASSWORD: affine
+
+      - name: Run init-db script
+        run: |
+          yarn workspace @affine/server exec prisma generate
+          yarn workspace @affine/server exec prisma db push
+          yarn workspace @affine/server data-migration run
 
       - name: ${{ matrix.tests.name }}
         run: |
@@ -646,7 +490,7 @@ jobs:
               test: true,
             }
     needs:
-      - build-electron-renderer
+      - build-web
       - build-native
     steps:
       - uses: actions/checkout@v4
@@ -680,25 +524,20 @@ jobs:
       - name: Download web artifact
         uses: ./.github/actions/download-web
         with:
-          path: packages/frontend/apps/electron/resources/web-static
+          path: packages/frontend/electron/resources/web-static
 
       - name: Build Desktop Layers
         run: yarn workspace @affine/electron build
 
       - name: Run desktop tests
         if: ${{ matrix.spec.os == 'ubuntu-latest' }}
-        run: |
-          # Workaround for Electron apps failing to initialize on Ubuntu 24.04 due to AppArmor restrictions
-          # Disables unprivileged user namespaces restriction to allow Electron apps to run
-          # Reference: https://github.com/electron/electron/issues/42510
-          sudo sysctl -w kernel.apparmor_restrict_unprivileged_userns=0
-          xvfb-run --auto-servernum --server-args="-screen 0 1280x960x24" -- yarn workspace @affine-test/affine-desktop e2e
+        run: xvfb-run --auto-servernum --server-args="-screen 0 1280x960x24" -- yarn workspace @affine-test/affine-desktop e2e
 
       - name: Run desktop tests
         if: ${{ matrix.spec.test && matrix.spec.os != 'ubuntu-latest' }}
         run: yarn workspace @affine-test/affine-desktop e2e
 
-      - name: Make bundle (macOS)
+      - name: Make bundle
         if: ${{ matrix.spec.target == 'aarch64-apple-darwin' }}
         env:
           SKIP_BUNDLE: true
@@ -706,15 +545,8 @@ jobs:
           HOIST_NODE_MODULES: 1
         run: yarn workspace @affine/electron package --platform=darwin --arch=arm64
 
-      - name: Make Bundle (Linux)
-        run: |
-          sudo add-apt-repository universe
-          sudo apt install -y libfuse2 elfutils flatpak flatpak-builder
-          flatpak remote-add --user --if-not-exists flathub https://flathub.org/repo/flathub.flatpakrepo
-          flatpak update
-          # some flatpak deps need git protocol.file.allow
-          git config --global protocol.file.allow always
-          yarn workspace @affine/electron make --platform=linux --arch=x64
+      - name: Make AppImage
+        run: yarn workspace @affine/electron make --platform=linux --arch=x64
         if: ${{ matrix.spec.target == 'x86_64-unknown-linux-gnu' }}
         env:
           SKIP_WEB_BUILD: 1
@@ -733,32 +565,17 @@ jobs:
           path: ./test-results
           if-no-files-found: ignore
 
-  test-build-mobile-app:
-    uses: ./.github/workflows/release-mobile.yml
-    with:
-      build-type: canary
-      build-target: development
-    secrets: inherit
-    permissions:
-      id-token: 'write'
-
   test-done:
     needs:
       - analyze
       - lint
       - check-yarn-binary
       - e2e-test
-      - e2e-mobile-test
       - e2e-migration-test
       - unit-test
-      - build-native
-      - build-server-native
-      - build-electron-renderer
       - server-test
-      - copilot-e2e-test
       - server-e2e-test
       - desktop-test
-      - test-build-mobile-app
     if: always()
     runs-on: ubuntu-latest
     name: 3, 2, 1 Launch

.github/workflows/copilot-test-automatically.yml

@@ -1,29 +0,0 @@
-name: Copilot Test Automatically
-
-on:
-  push:
-    tags:
-      - 'v[0-9]+.[0-9]+.[0-9]+-canary.[0-9]+'
-  schedule:
-    - cron: '0 8 * * *'
-  workflow_dispatch:
-
-permissions:
-  actions: write
-
-jobs:
-  dispatch-test:
-    runs-on: ubuntu-latest
-    name: Setup Test
-    steps:
-      - name: dispatch test by tag
-        if: ${{ github.event_name == 'push' || github.event_name == 'workflow_dispatch' }}
-        uses: benc-uk/workflow-dispatch@v1
-        with:
-          workflow: copilot-test.yml
-      - name: dispatch test by schedule
-        if: ${{ github.event_name == 'schedule' }}
-        uses: benc-uk/workflow-dispatch@v1
-        with:
-          workflow: copilot-test.yml
-          ref: canary

.github/workflows/copilot-test.yml

@@ -1,190 +0,0 @@
-name: Copilot Cron Test
-
-on:
-  workflow_dispatch:
-
-env:
-  NX_CLOUD_ACCESS_TOKEN: ${{ secrets.NX_CLOUD_ACCESS_TOKEN }}
-  PLAYWRIGHT_BROWSERS_PATH: ${{ github.workspace }}/node_modules/.cache/ms-playwright
-
-jobs:
-  build-server-native:
-    name: Build Server native
-    runs-on: ubuntu-latest
-    env:
-      CARGO_PROFILE_RELEASE_DEBUG: '1'
-    steps:
-      - uses: actions/checkout@v4
-      - name: Setup Node.js
-        uses: ./.github/actions/setup-node
-        with:
-          extra-flags: workspaces focus @affine/server-native
-          electron-install: false
-      - name: Build Rust
-        uses: ./.github/actions/build-rust
-        with:
-          target: 'x86_64-unknown-linux-gnu'
-          package: '@affine/server-native'
-          nx_token: ${{ secrets.NX_CLOUD_ACCESS_TOKEN }}
-      - name: Upload server-native.node
-        uses: actions/upload-artifact@v4
-        with:
-          name: server-native.node
-          path: ./packages/backend/native/server-native.node
-          if-no-files-found: error
-
-  copilot-api-test:
-    name: Server Copilot Api Test
-    runs-on: ubuntu-latest
-    needs:
-      - build-server-native
-    env:
-      NODE_ENV: test
-      DISTRIBUTION: web
-      DATABASE_URL: postgresql://affine:affine@localhost:5432/affine
-    services:
-      postgres:
-        image: postgres
-        env:
-          POSTGRES_PASSWORD: affine
-        options: >-
-          --health-cmd pg_isready
-          --health-interval 10s
-          --health-timeout 5s
-          --health-retries 5
-        ports:
-          - 5432:5432
-      mailer:
-        image: mailhog/mailhog
-        ports:
-          - 1025:1025
-          - 8025:8025
-    steps:
-      - uses: actions/checkout@v4
-
-      - name: Setup Node.js
-        uses: ./.github/actions/setup-node
-        with:
-          playwright-install: true
-          electron-install: false
-          full-cache: true
-
-      - name: Download server-native.node
-        uses: actions/download-artifact@v4
-        with:
-          name: server-native.node
-          path: ./packages/backend/server
-
-      - name: Prepare Server Test Environment
-        uses: ./.github/actions/server-test-env
-
-      - name: Run server tests
-        run: yarn workspace @affine/server test:copilot:coverage --forbid-only
-        env:
-          CARGO_TARGET_DIR: '${{ github.workspace }}/target'
-          COPILOT_OPENAI_API_KEY: ${{ secrets.COPILOT_OPENAI_API_KEY }}
-          COPILOT_FAL_API_KEY: ${{ secrets.COPILOT_FAL_API_KEY }}
-
-      - name: Upload server test coverage results
-        uses: codecov/codecov-action@v4
-        with:
-          token: ${{ secrets.CODECOV_TOKEN }}
-          files: ./packages/backend/server/.coverage/lcov.info
-          flags: server-test
-          name: affine
-          fail_ci_if_error: false
-
-  copilot-e2e-test:
-    name: Server Copilot E2E Test
-    runs-on: ubuntu-latest
-    env:
-      DISTRIBUTION: web
-      DATABASE_URL: postgresql://affine:affine@localhost:5432/affine
-      IN_CI_TEST: true
-    strategy:
-      fail-fast: false
-      matrix:
-        shardIndex: [1, 2, 3]
-        shardTotal: [3]
-    needs:
-      - build-server-native
-    services:
-      postgres:
-        image: postgres
-        env:
-          POSTGRES_PASSWORD: affine
-        options: >-
-          --health-cmd pg_isready
-          --health-interval 10s
-          --health-timeout 5s
-          --health-retries 5
-        ports:
-          - 5432:5432
-    steps:
-      - uses: actions/checkout@v4
-
-      - name: Setup Node.js
-        uses: ./.github/actions/setup-node
-        with:
-          playwright-install: true
-          electron-install: false
-          hard-link-nm: false
-
-      - name: Download server-native.node
-        uses: actions/download-artifact@v4
-        with:
-          name: server-native.node
-          path: ./packages/backend/server
-
-      - name: Run Copilot E2E Test ${{ matrix.shardIndex }}/${{ matrix.shardTotal }}
-        uses: ./.github/actions/copilot-test
-        with:
-          script: yarn workspace @affine-test/affine-cloud-copilot e2e --forbid-only --shard=${{ matrix.shardIndex }}/${{ matrix.shardTotal }}
-          openai-key: ${{ secrets.COPILOT_OPENAI_API_KEY }}
-          fal-key: ${{ secrets.COPILOT_FAL_API_KEY }}
-
-  test-done:
-    needs:
-      - copilot-api-test
-      - copilot-e2e-test
-    if: always()
-    runs-on: ubuntu-latest
-    name: Post test result message
-    steps:
-      - uses: actions/checkout@v4
-        with:
-          fetch-depth: 0
-      - name: Setup Node.js
-        uses: ./.github/actions/setup-node
-        with:
-          extra-flags: 'workspaces focus @affine/copilot-result'
-          electron-install: false
-      - name: Post Success event to a Slack channel
-        if: ${{ always() && !contains(needs.*.result, 'failure') && !contains(needs.*.result, 'cancelled') }}
-        run: node ./tools/copilot-result/index.js
-        env:
-          CHANNEL_ID: ${{ secrets.RELEASE_SLACK_CHNNEL_ID }}
-          SLACK_BOT_TOKEN: ${{ secrets.SLACK_BOT_TOKEN }}
-          BRANCH_SHA: ${{ github.sha }}
-          BRANCH_NAME: ${{ github.ref }}
-          COPILOT_RESULT: success
-      - name: Post Failed event to a Slack channel
-        id: failed-slack
-        if: ${{ always() && contains(needs.*.result, 'failure') }}
-        run: node ./tools/copilot-result/index.js
-        env:
-          CHANNEL_ID: ${{ secrets.RELEASE_SLACK_CHNNEL_ID }}
-          SLACK_BOT_TOKEN: ${{ secrets.SLACK_BOT_TOKEN }}
-          BRANCH_SHA: ${{ github.sha }}
-          BRANCH_NAME: ${{ github.ref }}
-          COPILOT_RESULT: failed
-      - name: Post Cancel event to a Slack channel
-        id: cancel-slack
-        if: ${{ always() && contains(needs.*.result, 'cancelled') && !contains(needs.*.result, 'failure') }}
-        run: node ./tools/copilot-result/index.js
-        env:
-          CHANNEL_ID: ${{ secrets.RELEASE_SLACK_CHNNEL_ID }}
-          SLACK_BOT_TOKEN: ${{ secrets.SLACK_BOT_TOKEN }}
-          BRANCH_SHA: ${{ github.sha }}
-          BRANCH_NAME: ${{ github.ref }}
-          COPILOT_RESULT: canceled

.github/workflows/deploy.yml

@@ -21,60 +21,133 @@ permissions:
   packages: 'write'
 
 jobs:
-  output-prev-version:
-    name: Output previous version
-    runs-on: ubuntu-latest
-    environment: ${{ github.event.inputs.flavor }}
-    outputs:
-      prev: ${{ steps.print.outputs.version }}
-      namespace: ${{ steps.print.outputs.namespace }}
-    steps:
-      - uses: actions/checkout@v4
-      - name: Auth to Cluster
-        uses: './.github/actions/cluster-auth'
-        with:
-          gcp-project-number: ${{ secrets.GCP_PROJECT_NUMBER }}
-          gcp-project-id: ${{ secrets.GCP_PROJECT_ID }}
-          service-account: ${{ secrets.GCP_HELM_DEPLOY_SERVICE_ACCOUNT }}
-          cluster-name: ${{ secrets.GCP_CLUSTER_NAME }}
-          cluster-location: ${{ secrets.GCP_CLUSTER_LOCATION }}
-      - name: Output previous version
-        id: print
-        run: |
-          namespace=""
-          if [ "${{ github.event.inputs.flavor }}" = "canary" ]; then
-            namespace="dev"
-          elif [ "${{ github.event.inputs.flavor }}" = "beta" ]; then
-            namespace="beta"
-          elif [ "${{ github.event.inputs.flavor }}" = "stable" ]; then
-            namespace="production"
-          else
-            echo "Invalid flavor: ${{ github.event.inputs.flavor }}"
-            exit 1
-          fi
-
-          echo "Namespace set to: $namespace"
-
-          # Get the previous version from the deployment
-          prev_version=$(kubectl get deployment -n $namespace affine-graphql -o=jsonpath='{.spec.template.spec.containers[0].image}' | awk -F '-' '{print $3}')
-
-          echo "Previous version: $prev_version"
-          echo "version=$prev_version" >> $GITHUB_OUTPUT
-          echo "namesapce=$namespace" >> $GITHUB_OUTPUT
-
-  build-images:
-    name: Build Images
-    uses: ./.github/workflows/build-images.yml
-    secrets: inherit
+  build-server-image:
+    name: Build Server Image
+    uses: ./.github/workflows/build-server-image.yml
     with:
       flavor: ${{ github.event.inputs.flavor }}
 
+  build-web:
+    name: Build @affine/web
+    runs-on: ubuntu-latest
+    environment: ${{ github.event.inputs.flavor }}
+    steps:
+      - uses: actions/checkout@v4
+      - name: Setup Version
+        id: version
+        uses: ./.github/actions/setup-version
+      - name: Setup Node.js
+        uses: ./.github/actions/setup-node
+      - name: Build Core
+        run: yarn nx build @affine/web --skip-nx-cache
+        env:
+          R2_ACCOUNT_ID: ${{ secrets.R2_ACCOUNT_ID }}
+          R2_ACCESS_KEY_ID: ${{ secrets.R2_ACCESS_KEY_ID }}
+          R2_SECRET_ACCESS_KEY: ${{ secrets.R2_SECRET_ACCESS_KEY }}
+          BUILD_TYPE: ${{ github.event.inputs.flavor }}
+          CAPTCHA_SITE_KEY: ${{ secrets.CAPTCHA_SITE_KEY }}
+          SENTRY_ORG: ${{ secrets.SENTRY_ORG }}
+          SENTRY_PROJECT: 'affine-web'
+          SENTRY_RELEASE: ${{ steps.version.outputs.APP_VERSION }}
+          SENTRY_AUTH_TOKEN: ${{ secrets.SENTRY_AUTH_TOKEN }}
+          SENTRY_DSN: ${{ secrets.SENTRY_DSN }}
+          PERFSEE_TOKEN: ${{ secrets.PERFSEE_TOKEN }}
+          MIXPANEL_TOKEN: ${{ secrets.MIXPANEL_TOKEN }}
+      - name: Upload web artifact
+        uses: actions/upload-artifact@v4
+        with:
+          name: web
+          path: ./packages/frontend/web/dist
+          if-no-files-found: error
+
+  build-admin:
+    name: Build @affine/admin
+    runs-on: ubuntu-latest
+    environment: ${{ github.event.inputs.flavor }}
+    steps:
+      - uses: actions/checkout@v4
+      - name: Setup Version
+        id: version
+        uses: ./.github/actions/setup-version
+      - name: Setup Node.js
+        uses: ./.github/actions/setup-node
+      - name: Build Core
+        run: yarn nx build @affine/admin --skip-nx-cache
+        env:
+          R2_ACCOUNT_ID: ${{ secrets.R2_ACCOUNT_ID }}
+          R2_ACCESS_KEY_ID: ${{ secrets.R2_ACCESS_KEY_ID }}
+          R2_SECRET_ACCESS_KEY: ${{ secrets.R2_SECRET_ACCESS_KEY }}
+          BUILD_TYPE: ${{ github.event.inputs.flavor }}
+          CAPTCHA_SITE_KEY: ${{ secrets.CAPTCHA_SITE_KEY }}
+          SENTRY_ORG: ${{ secrets.SENTRY_ORG }}
+          SENTRY_PROJECT: 'affine-admin'
+          SENTRY_AUTH_TOKEN: ${{ secrets.SENTRY_AUTH_TOKEN }}
+          SENTRY_DSN: ${{ secrets.SENTRY_DSN }}
+          PERFSEE_TOKEN: ${{ secrets.PERFSEE_TOKEN }}
+          MIXPANEL_TOKEN: ${{ secrets.MIXPANEL_TOKEN }}
+      - name: Upload admin artifact
+        uses: actions/upload-artifact@v4
+        with:
+          name: admin
+          path: ./packages/frontend/admin/dist
+          if-no-files-found: error
+
+  build-frontend-image:
+    name: Build Frontend Image
+    runs-on: ubuntu-latest
+    needs:
+      - build-web
+      - build-admin
+    steps:
+      - uses: actions/checkout@v4
+      - name: Download web artifact
+        uses: actions/download-artifact@v4
+        with:
+          name: web
+          path: ./packages/frontend/web/dist
+      - name: Download admin artifact
+        uses: actions/download-artifact@v4
+        with:
+          name: admin
+          path: ./packages/frontend/admin/dist
+      - name: Setup env
+        run: |
+          echo "GIT_SHORT_HASH=$(git rev-parse --short HEAD)" >> "$GITHUB_ENV"
+          if [ -z "${{ inputs.flavor }}" ]
+          then
+            echo "RELEASE_FLAVOR=canary" >> "$GITHUB_ENV"
+          else
+            echo "RELEASE_FLAVOR=${{ inputs.flavor }}" >> "$GITHUB_ENV"
+          fi
+      - name: Login to GitHub Container Registry
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          logout: false
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v3
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+      - name: Build front Dockerfile
+        uses: docker/build-push-action@v6
+        with:
+          context: .
+          push: true
+          pull: true
+          platforms: linux/amd64,linux/arm64
+          provenance: true
+          file: .github/deployment/front/Dockerfile
+          tags: ghcr.io/toeverything/affine-front:${{env.RELEASE_FLAVOR}}-${{ env.GIT_SHORT_HASH }},ghcr.io/toeverything/affine-front:${{env.RELEASE_FLAVOR}}
+
   deploy:
     name: Deploy to cluster
     if: ${{ github.event_name == 'workflow_dispatch' }}
     environment: ${{ github.event.inputs.flavor }}
     needs:
-      - build-images
+      - build-frontend-image
+      - build-server-image
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
@@ -120,94 +193,3 @@ jobs:
           STRIPE_API_KEY: ${{ secrets.STRIPE_API_KEY }}
           STRIPE_WEBHOOK_KEY: ${{ secrets.STRIPE_WEBHOOK_KEY }}
           STATIC_IP_NAME: ${{ secrets.STATIC_IP_NAME }}
-
-  deploy-done:
-    needs:
-      - output-prev-version
-      - build-images
-      - deploy
-    if: always()
-    runs-on: ubuntu-latest
-    name: Post deploy message
-    steps:
-      - uses: actions/checkout@v4
-        with:
-          fetch-depth: 0
-      - uses: actions/checkout@v4
-        with:
-          repository: toeverything/blocksuite
-          path: blocksuite
-          fetch-depth: 0
-          fetch-tags: true
-      - name: Setup Node.js
-        uses: ./.github/actions/setup-node
-        with:
-          extra-flags: 'workspaces focus @affine/changelog'
-          electron-install: false
-      - name: Output deployed info
-        if: ${{ always() && !contains(needs.*.result, 'failure') && !contains(needs.*.result, 'cancelled') }}
-        id: set_info
-        run: |
-          if [ "${{ github.event.inputs.flavor }}" = "canary" ]; then
-            echo "deployed_url=https://affine.fail" >> $GITHUB_OUTPUT
-          elif [ "${{ github.event.inputs.flavor }}" = "beta" ]; then
-            echo "deployed_url=https://insider.affine.pro" >> $GITHUB_OUTPUT
-          elif [ "${{ github.event.inputs.flavor }}" = "stable" ]; then
-            echo "deployed_url=https://app.affine.pro" >> $GITHUB_OUTPUT
-          else
-            exit 1
-          fi
-        env:
-          GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}
-      - name: Post Success event to a Slack channel
-        if: ${{ always() && !contains(needs.*.result, 'failure') && !contains(needs.*.result, 'cancelled') }}
-        run: node ./tools/changelog/index.js
-        env:
-          CHANNEL_ID: ${{ secrets.RELEASE_SLACK_CHNNEL_ID }}
-          SLACK_BOT_TOKEN: ${{ secrets.SLACK_BOT_TOKEN }}
-          DEPLOYED_URL: ${{ steps.set_info.outputs.deployed_url }}
-          PREV_VERSION: ${{ needs.output-prev-version.outputs.prev }}
-          NAMESPACE: ${{ needs.output-prev-version.outputs.namespace }}
-          DEPLOYMENT: 'SERVER'
-          FLAVOR: ${{ github.event.inputs.flavor }}
-          BLOCKSUITE_REPO_PATH: ${{ github.workspace }}/blocksuite
-      - name: Post Failed event to a Slack channel
-        id: failed-slack
-        uses: slackapi/slack-github-action@v1.27.0
-        if: ${{ always() && contains(needs.*.result, 'failure') }}
-        with:
-          channel-id: ${{ secrets.RELEASE_SLACK_CHNNEL_ID }}
-          payload: |
-            {
-              "blocks": [
-                {
-                  "type": "section",
-                  "text": {
-                    "text": "<${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}|Backend deploy failed `${{ github.event.inputs.flavor }}`>",
-                    "type": "mrkdwn"
-                  }
-                }
-              ]
-            }
-        env:
-          SLACK_BOT_TOKEN: ${{ secrets.SLACK_BOT_TOKEN }}
-      - name: Post Cancel event to a Slack channel
-        id: cancel-slack
-        uses: slackapi/slack-github-action@v1.27.0
-        if: ${{ always() && contains(needs.*.result, 'cancelled') && !contains(needs.*.result, 'failure') }}
-        with:
-          channel-id: ${{ secrets.RELEASE_SLACK_CHNNEL_ID }}
-          payload: |
-            {
-              "blocks": [
-                {
-                  "type": "section",
-                  "text": {
-                    "text": "<${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}|Backend deploy cancelled `${{ github.event.inputs.flavor }}`>",
-                    "type": "mrkdwn"
-                  }
-                }
-              ]
-            }
-        env:
-          SLACK_BOT_TOKEN: ${{ secrets.SLACK_BOT_TOKEN }}

.github/workflows/languages-sync.yml

@@ -0,0 +1,35 @@
+name: Languages Sync
+
+on:
+  push:
+    branches: ['canary']
+    paths:
+      - 'packages/frontend/i18n/**'
+      - '.github/workflows/languages-sync.yml'
+      - '!.github/actions/setup-node/action.yml'
+  pull_request_target:
+    branches: ['canary']
+    paths:
+      - 'packages/frontend/i18n/**'
+      - '.github/workflows/languages-sync.yml'
+      - '!.github/actions/setup-node/action.yml'
+  workflow_dispatch:
+
+jobs:
+  main:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - name: Setup Node.js
+        uses: ./.github/actions/setup-node
+      - name: Check Language Key
+        if: github.ref != 'refs/heads/canary'
+        run: yarn workspace @affine/i18n run sync-languages:check
+        env:
+          TOLGEE_API_KEY: ${{ secrets.TOLGEE_API_KEY }}
+
+      - name: Sync Languages
+        if: github.ref == 'refs/heads/canary'
+        run: yarn workspace @affine/i18n run sync-languages
+        env:
+          TOLGEE_API_KEY: ${{ secrets.TOLGEE_API_KEY }}

.github/workflows/release-desktop-automatically.yml

@@ -1,4 +1,4 @@
-name: Release Desktop/Mobile Automatically
+name: Release Desktop Automatically
 
 on:
   push:
@@ -23,7 +23,6 @@ jobs:
         with:
           workflow: release-desktop.yml
           inputs: '{ "build-type": "canary", "is-draft": false, "is-pre-release": true }'
-
       - name: dispatch desktop release by schedule
         if: ${{ github.event_name == 'schedule' }}
         uses: benc-uk/workflow-dispatch@v1
@@ -31,8 +30,3 @@ jobs:
           workflow: release-desktop.yml
           inputs: '{ "build-type": "canary", "is-draft": false, "is-pre-release": true }'
           ref: canary
-      - name: dispatch desktop release by tag
-        uses: benc-uk/workflow-dispatch@v1
-        with:
-          workflow: release-mobile.yml
-          inputs: '{ "build-type": "canary", "build-target": "distribution" }'

.github/workflows/release-desktop.yml

@@ -67,7 +67,7 @@ jobs:
         uses: actions/upload-artifact@v4
         with:
           name: web
-          path: packages/frontend/apps/electron/resources/web-static
+          path: packages/frontend/electron/resources/web-static
 
   make-distribution:
     strategy:
@@ -119,7 +119,7 @@ jobs:
       - uses: actions/download-artifact@v4
         with:
           name: web
-          path: packages/frontend/apps/electron/resources/web-static
+          path: packages/frontend/electron/resources/web-static
 
       - name: Build Desktop Layers
         run: yarn workspace @affine/electron build
@@ -131,42 +131,35 @@ jobs:
           p12-file-base64: ${{ secrets.CERTIFICATES_P12 }}
           p12-password: ${{ secrets.CERTIFICATES_P12_PASSWORD }}
 
-      - name: Install additional dependencies on Linux
+      - name: Install fuse on Linux (for patching AppImage)
         if: ${{ matrix.spec.platform == 'linux' }}
         run: |
           sudo add-apt-repository universe
-          sudo apt install -y libfuse2 elfutils flatpak flatpak-builder
-          flatpak remote-add --user --if-not-exists flathub https://flathub.org/repo/flathub.flatpakrepo
-          flatpak update
-          # some flatpak deps need git protocol.file.allow
-          git config --global protocol.file.allow always
+          sudo apt install libfuse2 -y
 
       - name: make
         run: yarn workspace @affine/electron make --platform=${{ matrix.spec.platform }} --arch=${{ matrix.spec.arch }}
         env:
           SKIP_WEB_BUILD: 1
           HOIST_NODE_MODULES: 1
-          DEBUG: '*'
 
       - name: signing DMG
         if: ${{ matrix.spec.platform == 'darwin' }}
         run: |
-          codesign --force --sign "Developer ID Application: TOEVERYTHING PTE. LTD." packages/frontend/apps/electron/out/${{ env.BUILD_TYPE }}/make/AFFiNE.dmg
+          codesign --force --sign "Developer ID Application: TOEVERYTHING PTE. LTD." packages/frontend/electron/out/${{ env.BUILD_TYPE }}/make/AFFiNE.dmg
 
       - name: Save artifacts (mac)
         if: ${{ matrix.spec.platform == 'darwin' }}
         run: |
           mkdir -p builds
-          mv packages/frontend/apps/electron/out/*/make/*.dmg ./builds/affine-${{ needs.before-make.outputs.RELEASE_VERSION }}-${{ env.BUILD_TYPE }}-macos-${{ matrix.spec.arch }}.dmg
-          mv packages/frontend/apps/electron/out/*/make/zip/darwin/${{ matrix.spec.arch }}/*.zip ./builds/affine-${{ needs.before-make.outputs.RELEASE_VERSION }}-${{ env.BUILD_TYPE }}-macos-${{ matrix.spec.arch }}.zip
+          mv packages/frontend/electron/out/*/make/*.dmg ./builds/affine-${{ needs.before-make.outputs.RELEASE_VERSION }}-${{ env.BUILD_TYPE }}-macos-${{ matrix.spec.arch }}.dmg
+          mv packages/frontend/electron/out/*/make/zip/darwin/${{ matrix.spec.arch }}/*.zip ./builds/affine-${{ needs.before-make.outputs.RELEASE_VERSION }}-${{ env.BUILD_TYPE }}-macos-${{ matrix.spec.arch }}.zip
       - name: Save artifacts (linux)
         if: ${{ matrix.spec.platform == 'linux' }}
         run: |
           mkdir -p builds
-          mv packages/frontend/apps/electron/out/*/make/zip/linux/x64/*.zip ./builds/affine-${{ needs.before-make.outputs.RELEASE_VERSION }}-${{ env.BUILD_TYPE }}-linux-x64.zip
-          mv packages/frontend/apps/electron/out/*/make/*.AppImage ./builds/affine-${{ needs.before-make.outputs.RELEASE_VERSION }}-${{ env.BUILD_TYPE }}-linux-x64.appimage
-          mv packages/frontend/apps/electron/out/*/make/deb/x64/*.deb ./builds/affine-${{ needs.before-make.outputs.RELEASE_VERSION }}-${{ env.BUILD_TYPE }}-linux-x64.deb
-          mv packages/frontend/apps/electron/out/*/make/flatpak/*/*.flatpak ./builds/affine-${{ needs.before-make.outputs.RELEASE_VERSION }}-${{ env.BUILD_TYPE }}-linux-x64.flatpak
+          mv packages/frontend/electron/out/*/make/zip/linux/x64/*.zip ./builds/affine-${{ needs.before-make.outputs.RELEASE_VERSION }}-${{ env.BUILD_TYPE }}-linux-x64.zip
+          mv packages/frontend/electron/out/*/make/*.AppImage ./builds/affine-${{ needs.before-make.outputs.RELEASE_VERSION }}-${{ env.BUILD_TYPE }}-linux-x64.appimage
 
       - uses: actions/attest-build-provenance@v1
         if: ${{ matrix.spec.platform == 'darwin' }}
@@ -181,7 +174,7 @@ jobs:
           subject-path: |
             ./builds/affine-${{ needs.before-make.outputs.RELEASE_VERSION }}-${{ env.BUILD_TYPE }}-linux-x64.zip
             ./builds/affine-${{ needs.before-make.outputs.RELEASE_VERSION }}-${{ env.BUILD_TYPE }}-linux-x64.appimage
-            ./builds/affine-${{ needs.before-make.outputs.RELEASE_VERSION }}-${{ env.BUILD_TYPE }}-linux-x64.deb
+
       - name: Upload Artifact
         uses: actions/upload-artifact@v4
         with:
@@ -228,7 +221,7 @@ jobs:
       - uses: actions/download-artifact@v4
         with:
           name: web
-          path: packages/frontend/apps/electron/resources/web-static
+          path: packages/frontend/electron/resources/web-static
 
       - name: Build Desktop Layers
         run: yarn workspace @affine/electron build
@@ -242,12 +235,12 @@ jobs:
       - name: get all files to be signed
         id: get_files_to_be_signed
         run: |
-          Set-Variable -Name FILES_TO_BE_SIGNED -Value ((Get-ChildItem -Path packages/frontend/apps/electron/out -Recurse -File | Where-Object { $_.Extension -in @(".exe", ".node", ".dll", ".msi") } | ForEach-Object { '"' + $_.FullName.Replace((Get-Location).Path + '\packages\frontend\apps\electron\out\', '') + '"' }) -join ' ')
+          Set-Variable -Name FILES_TO_BE_SIGNED -Value ((Get-ChildItem -Path packages/frontend/electron/out -Recurse -File | Where-Object { $_.Extension -in @(".exe", ".node", ".dll", ".msi") } | ForEach-Object { '"' + $_.FullName.Replace((Get-Location).Path + '\packages\frontend\electron\out\', '') + '"' }) -join ' ')
           "FILES_TO_BE_SIGNED=$FILES_TO_BE_SIGNED" >> $env:GITHUB_OUTPUT
           echo $FILES_TO_BE_SIGNED
 
       - name: Zip artifacts for faster upload
-        run: Compress-Archive -CompressionLevel Fastest -Path packages/frontend/apps/electron/out/* -DestinationPath archive.zip
+        run: Compress-Archive -CompressionLevel Fastest -Path packages/frontend/electron/out/* -DestinationPath archive.zip
 
       - name: Save packaged artifacts for signing
         uses: actions/upload-artifact@v4
@@ -294,7 +287,7 @@ jobs:
           name: signed-packaged-${{ matrix.spec.platform }}-${{ matrix.spec.arch }}
           path: .
       - name: unzip file
-        run: Expand-Archive -Path signed.zip -DestinationPath packages/frontend/apps/electron/out
+        run: Expand-Archive -Path signed.zip -DestinationPath packages/frontend/electron/out
 
       - name: Make squirrel.windows installer
         run: yarn workspace @affine/electron make-squirrel --platform=${{ matrix.spec.platform }} --arch=${{ matrix.spec.arch }}
@@ -303,12 +296,12 @@ jobs:
         run: yarn workspace @affine/electron make-nsis --platform=${{ matrix.spec.platform }} --arch=${{ matrix.spec.arch }}
 
       - name: Zip artifacts for faster upload
-        run: Compress-Archive -CompressionLevel Fastest -Path packages/frontend/apps/electron/out/${{ env.BUILD_TYPE }}/make/* -DestinationPath archive.zip
+        run: Compress-Archive -CompressionLevel Fastest -Path packages/frontend/electron/out/${{ env.BUILD_TYPE }}/make/* -DestinationPath archive.zip
 
       - name: get all files to be signed
         id: get_files_to_be_signed
         run: |
-          Set-Variable -Name FILES_TO_BE_SIGNED -Value ((Get-ChildItem -Path packages/frontend/apps/electron/out/${{ env.BUILD_TYPE }}/make -Recurse -File | Where-Object { $_.Extension -in @(".exe", ".node", ".dll", ".msi") } | ForEach-Object { '"' + $_.FullName.Replace((Get-Location).Path + '\packages\frontend\apps\electron\out\${{ env.BUILD_TYPE }}\make\', '') + '"' }) -join ' ')
+          Set-Variable -Name FILES_TO_BE_SIGNED -Value ((Get-ChildItem -Path packages/frontend/electron/out/${{ env.BUILD_TYPE }}/make -Recurse -File | Where-Object { $_.Extension -in @(".exe", ".node", ".dll", ".msi") } | ForEach-Object { '"' + $_.FullName.Replace((Get-Location).Path + '\packages\frontend\electron\out\${{ env.BUILD_TYPE }}\make\', '') + '"' }) -join ' ')
           "FILES_TO_BE_SIGNED=$FILES_TO_BE_SIGNED" >> $env:GITHUB_OUTPUT
           echo $FILES_TO_BE_SIGNED
 
@@ -342,14 +335,14 @@ jobs:
           name: signed-installer-${{ matrix.spec.platform }}-${{ matrix.spec.arch }}
           path: .
       - name: unzip file
-        run: Expand-Archive -Path signed.zip -DestinationPath packages/frontend/apps/electron/out/${{ env.BUILD_TYPE }}/make
+        run: Expand-Archive -Path signed.zip -DestinationPath packages/frontend/electron/out/${{ env.BUILD_TYPE }}/make
 
       - name: Save artifacts
         run: |
           mkdir -p builds
-          mv packages/frontend/apps/electron/out/*/make/zip/win32/x64/AFFiNE*-win32-x64-*.zip ./builds/affine-${{ needs.before-make.outputs.RELEASE_VERSION }}-${{ env.BUILD_TYPE }}-windows-x64.zip
-          mv packages/frontend/apps/electron/out/*/make/squirrel.windows/x64/*.exe ./builds/affine-${{ needs.before-make.outputs.RELEASE_VERSION }}-${{ env.BUILD_TYPE }}-windows-x64.exe
-          mv packages/frontend/apps/electron/out/*/make/nsis.windows/x64/*.exe ./builds/affine-${{ needs.before-make.outputs.RELEASE_VERSION }}-${{ env.BUILD_TYPE }}-windows-x64.nsis.exe
+          mv packages/frontend/electron/out/*/make/zip/win32/x64/AFFiNE*-win32-x64-*.zip ./builds/affine-${{ needs.before-make.outputs.RELEASE_VERSION }}-${{ env.BUILD_TYPE }}-windows-x64.zip
+          mv packages/frontend/electron/out/*/make/squirrel.windows/x64/*.exe ./builds/affine-${{ needs.before-make.outputs.RELEASE_VERSION }}-${{ env.BUILD_TYPE }}-windows-x64.exe
+          mv packages/frontend/electron/out/*/make/nsis.windows/x64/*.exe ./builds/affine-${{ needs.before-make.outputs.RELEASE_VERSION }}-${{ env.BUILD_TYPE }}-windows-x64.nsis.exe
 
       - uses: actions/attest-build-provenance@v1
         with:
@@ -401,7 +394,7 @@ jobs:
           node-version: 20
       - name: Generate Release yml
         run: |
-          node ./packages/frontend/apps/electron/scripts/generate-yml.js
+          node ./packages/frontend/electron/scripts/generate-yml.js
         env:
           RELEASE_VERSION: ${{ needs.before-make.outputs.RELEASE_VERSION }}
       - name: Create Release Draft
@@ -418,8 +411,6 @@ jobs:
             ./*.dmg
             ./*.exe
             ./*.appimage
-            ./*.deb
-            ./*.flatpak
             ./*.apk
             ./*.yml
       - name: Create Nightly Release Draft
@@ -442,7 +433,5 @@ jobs:
             ./*.dmg
             ./*.exe
             ./*.appimage
-            ./*.deb
             ./*.apk
-            ./*.flatpak
             ./*.yml

.github/workflows/release-mobile.yml

@@ -1,211 +0,0 @@
-name: Release Mobile App
-
-on:
-  workflow_call:
-    inputs:
-      build-target:
-        description: 'Build Target'
-        type: string
-        required: true
-      build-type:
-        description: 'Build Type'
-        type: string
-        required: true
-  workflow_dispatch:
-    inputs:
-      build-target:
-        description: 'Build Target'
-        type: choice
-        required: true
-        default: distribution
-        options:
-          - development
-          - distribution
-      build-type:
-        description: 'Build Type'
-        type: choice
-        required: true
-        default: canary
-        options:
-          - canary
-          - beta
-          - stable
-env:
-  BUILD_TYPE: ${{ inputs.build-type || github.event.inputs.build-type }}
-  BUILD_TARGET: ${{ inputs.build-target || github.event.inputs.build-target }}
-  DEBUG: napi:*
-  KEYCHAIN_NAME: ${{ github.workspace }}/signing_temp
-
-jobs:
-  build-ios-web:
-    runs-on: ubuntu-latest
-    environment: ${{ inputs.build-type || github.event.inputs.build-type }}
-    outputs:
-      RELEASE_VERSION: ${{ steps.version.outputs.APP_VERSION }}
-    steps:
-      - uses: actions/checkout@v4
-      - name: Setup Version
-        id: version
-        uses: ./.github/actions/setup-version
-      - name: Setup Node.js
-        uses: ./.github/actions/setup-node
-      - name: Setup @sentry/cli
-        uses: ./.github/actions/setup-sentry
-      - name: Build Mobile
-        run: yarn nx build @affine/ios --skip-nx-cache
-        env:
-          PUBLIC_PATH: '/'
-          MIXPANEL_TOKEN: ${{ secrets.MIXPANEL_TOKEN }}
-          SENTRY_ORG: ${{ secrets.SENTRY_ORG }}
-          SENTRY_PROJECT: 'affine'
-          SENTRY_AUTH_TOKEN: ${{ secrets.SENTRY_AUTH_TOKEN }}
-          SENTRY_DSN: ${{ secrets.SENTRY_DSN }}
-          SENTRY_RELEASE: ${{ steps.version.outputs.APP_VERSION }}
-          RELEASE_VERSION: ${{ steps.version.outputs.APP_VERSION }}
-          SKIP_NX_CACHE: 'true'
-      - name: Upload ios artifact
-        uses: actions/upload-artifact@v4
-        with:
-          name: ios
-          path: packages/frontend/apps/ios/dist
-
-  build-android-web:
-    runs-on: ubuntu-latest
-    environment: ${{ github.event.inputs.build-type || inputs.build-type }}
-    outputs:
-      RELEASE_VERSION: ${{ steps.version.outputs.APP_VERSION }}
-    steps:
-      - uses: actions/checkout@v4
-      - name: Setup Version
-        id: version
-        uses: ./.github/actions/setup-version
-      - name: Setup Node.js
-        uses: ./.github/actions/setup-node
-      - name: Setup @sentry/cli
-        uses: ./.github/actions/setup-sentry
-      - name: Build Mobile
-        run: yarn nx build @affine/android --skip-nx-cache
-        env:
-          PUBLIC_PATH: '/'
-          MIXPANEL_TOKEN: ${{ secrets.MIXPANEL_TOKEN }}
-          SENTRY_ORG: ${{ secrets.SENTRY_ORG }}
-          SENTRY_PROJECT: 'affine'
-          SENTRY_AUTH_TOKEN: ${{ secrets.SENTRY_AUTH_TOKEN }}
-          SENTRY_DSN: ${{ secrets.SENTRY_DSN }}
-          SENTRY_RELEASE: ${{ steps.version.outputs.APP_VERSION }}
-          RELEASE_VERSION: ${{ steps.version.outputs.APP_VERSION }}
-          SKIP_NX_CACHE: 'true'
-      - name: Upload android artifact
-        uses: actions/upload-artifact@v4
-        with:
-          name: android
-          path: packages/frontend/apps/android/dist
-
-  ios:
-    runs-on: macos-latest
-    needs:
-      - build-ios-web
-    steps:
-      - uses: actions/checkout@v4
-      - name: Download mobile artifact
-        uses: actions/download-artifact@v4
-        with:
-          name: ios
-          path: packages/frontend/apps/ios/dist
-      - name: Setup Node.js
-        uses: ./.github/actions/setup-node
-        timeout-minutes: 10
-        with:
-          extra-flags: workspaces focus @affine/ios
-          playwright-install: false
-          electron-install: false
-          hard-link-nm: false
-          enableScripts: false
-      - name: Cap sync
-        run: yarn workspace @affine/ios cap sync
-      - name: Signing By Apple Developer ID
-        uses: apple-actions/import-codesign-certs@v3
-        id: import-codesign-certs
-        with:
-          p12-file-base64: ${{ secrets.CERTIFICATES_P12_MOBILE }}
-          p12-password: ${{ secrets.CERTIFICATES_P12_PASSWORD_MOBILE }}
-      - uses: maxim-lobanov/setup-xcode@v1
-        with:
-          xcode-version: latest-stable
-      - name: Testflight
-        if: ${{ env.BUILD_TYPE != 'stable' }}
-        working-directory: packages/frontend/apps/ios/App
-        run: |
-          echo -n "${{ env.BUILD_PROVISION_PROFILE }}" | base64 --decode -o $PP_PATH
-          mkdir -p ~/Library/MobileDevice/Provisioning\ Profiles
-          cp $PP_PATH ~/Library/MobileDevice/Provisioning\ Profiles
-          fastlane beta
-        env:
-          BUILD_PROVISION_PROFILE: ${{ secrets.BUILD_PROVISION_PROFILE }}
-          PP_PATH: ${{ runner.temp }}/build_pp.mobileprovision
-          APPLE_STORE_CONNECT_API_KEY_ID: ${{ secrets.APPLE_STORE_CONNECT_API_KEY_ID }}
-          APPLE_STORE_CONNECT_API_ISSUER_ID: ${{ secrets.APPLE_STORE_CONNECT_API_ISSUER_ID }}
-          APPLE_STORE_CONNECT_API_KEY: ${{ secrets.APPLE_STORE_CONNECT_API_KEY }}
-
-  android:
-    runs-on: ubuntu-latest
-    permissions:
-      id-token: 'write'
-    needs:
-      - build-android-web
-    steps:
-      - uses: actions/checkout@v4
-      - name: Download mobile artifact
-        uses: actions/download-artifact@v4
-        with:
-          name: android
-          path: packages/frontend/apps/android/dist
-      - name: Setup Node.js
-        uses: ./.github/actions/setup-node
-        timeout-minutes: 10
-        with:
-          extra-flags: workspaces focus @affine/android @affine/playstore-auto-bump
-          playwright-install: false
-          electron-install: false
-          hard-link-nm: false
-          enableScripts: false
-      - name: Cap sync
-        run: yarn workspace @affine/android cap sync
-      - name: Auth gcloud
-        id: auth
-        uses: google-github-actions/auth@v2
-        if: ${{ env.BUILD_TARGET == 'distribution' }}
-        with:
-          workload_identity_provider: 'projects/${{ secrets.GCP_PROJECT_NUMBER }}/locations/global/workloadIdentityPools/github-actions/providers/github-actions-helm-deploy'
-          service_account: '${{ secrets.GCP_HELM_DEPLOY_SERVICE_ACCOUNT }}'
-          token_format: 'access_token'
-          project_id: '${{ secrets.GCP_PROJECT_ID }}'
-          access_token_scopes: 'https://www.googleapis.com/auth/androidpublisher'
-      - uses: actions/setup-java@v4
-        with:
-          distribution: 'temurin'
-          java-version: '17'
-      - name: Auto increment version code
-        id: bump
-        if: ${{ env.BUILD_TARGET == 'distribution' }}
-        run: yarn workspace @affine/playstore-auto-bump bump
-        env:
-          GOOGLE_APPLICATION_CREDENTIALS: ${{ steps.auth.outputs.credentials_file_path }}
-      - name: Build
-        run: |
-          echo -n "${{ env.AFFINE_ANDROID_SIGN_KEYSTORE }}" | base64 --decode > packages/frontend/apps/android/affine.keystore
-          yarn workspace @affine/android cap build android
-        env:
-          AFFINE_ANDROID_KEYSTORE_PASSWORD: ${{ secrets.AFFINE_ANDROID_KEYSTORE_PASSWORD }}
-          AFFINE_ANDROID_KEYSTORE_ALIAS_PASSWORD: ${{ secrets.AFFINE_ANDROID_KEYSTORE_ALIAS_PASSWORD }}
-          AFFINE_ANDROID_SIGN_KEYSTORE: ${{ secrets.AFFINE_ANDROID_SIGN_KEYSTORE }}
-      - name: Upload to Google Play
-        uses: r0adkll/upload-google-play@v1
-        if: ${{ env.BUILD_TARGET == 'distribution' }}
-        with:
-          serviceAccountJson: ${{ steps.auth.outputs.credentials_file_path }}
-          packageName: app.affine.pro
-          releaseFiles: packages/frontend/apps/android/App/app/build/outputs/bundle/release/app-release-signed.aab
-          track: internal
-          status: draft
-          existingEditId: ${{ steps.bump.outputs.EDIT_ID }}

.github/workflows/sync-i18n.yml

@@ -1,42 +0,0 @@
-name: Sync I18n with Crowdin
-
-on:
-  push:
-    branches:
-      - canary
-    paths:
-      - 'packages/frontend/i18n/**'
-  workflow_dispatch:
-
-jobs:
-  synchronize-with-crowdin:
-    runs-on: ubuntu-latest
-
-    permissions:
-      contents: write
-      pull-requests: write
-
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v4
-
-      - name: Crowdin action
-        uses: crowdin/github-action@v2
-        with:
-          upload_sources: true
-          upload_translations: true
-          download_translations: true
-          auto_approve_imported: true
-          import_eq_suggestions: true
-          export_only_approved: true
-          skip_untranslated_strings: true
-          localization_branch_name: l10n_crowdin_translations
-          create_pull_request: true
-          pull_request_title: 'chore(i18n): sync translations'
-          pull_request_body: 'New Crowdin translations by [Crowdin GH Action](https://github.com/crowdin/github-action)'
-          pull_request_base_branch_name: 'canary'
-          config: packages/frontend/i18n/crowdin.yml
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          CROWDIN_PROJECT_ID: ${{ secrets.CROWDIN_PROJECT_ID }}
-          CROWDIN_PERSONAL_TOKEN: ${{ secrets.CROWDIN_PERSONAL_TOKEN }}

.github/workflows/workers.yml

@@ -15,7 +15,7 @@ jobs:
     steps:
       - uses: actions/checkout@v4
       - name: Publish
-        uses: cloudflare/wrangler-action@v3.12.0
+        uses: cloudflare/wrangler-action@v3.7.0
         with:
           apiToken: ${{ secrets.CF_API_TOKEN }}
           accountId: ${{ secrets.CF_ACCOUNT_ID }}

.gitignore

@@ -59,6 +59,7 @@ Thumbs.db
 .vercel
 out/
 storybook-static
+i18n-generated.ts
 
 test-results
 playwright-report

.i18n-codegen.json

@@ -3,8 +3,8 @@
   "version": 1,
   "list": [
     {
-      "input": "./src/resources/en.json",
-      "output": "./src/i18n-generated",
+      "input": "./packages/frontend/i18n/src/resources/en.json",
+      "output": "./packages/frontend/i18n/src/i18n-generated",
       "parser": {
         "type": "i18next",
         "contextSeparator": "$",

.nvmrc

@@ -1 +1 @@
-20.18.0
+20.15.1

.prettierignore

@@ -14,7 +14,6 @@ public
 packages/backend/server/src/schema.gql
 packages/backend/server/src/fundamentals/error/errors.gen.ts
 packages/frontend/i18n/src/i18n-generated.ts
-packages/frontend/i18n/src/i18n-completenesses.json
 packages/frontend/graphql/src/graphql/index.ts
 tests/affine-legacy/**/static
 .yarnrc.yml

.yarnrc.yml

@@ -12,4 +12,4 @@ npmPublishAccess: public
 
 npmPublishRegistry: "https://registry.npmjs.org"
 
-yarnPath: .yarn/releases/yarn-4.5.1.cjs
+yarnPath: .yarn/releases/yarn-4.4.0.cjs

Cargo.toml

@@ -3,27 +3,26 @@ members  = ["./packages/backend/native", "./packages/frontend/native", "./packag
 resolver = "2"
 
 [workspace.dependencies]
-anyhow       = "1"
-chrono       = "0.4"
-dotenv       = "0.15"
-file-format  = { version = "0.25", features = ["reader"] }
-mimalloc     = "0.1"
-napi         = { version = "3.0.0-alpha.12", features = ["async", "chrono_date", "error_anyhow", "napi9", "serde"] }
-napi-build   = { version = "2" }
-napi-derive  = { version = "3.0.0-alpha.12" }
-notify       = { version = "7", features = ["serde"] }
-once_cell    = "1"
-parking_lot  = "0.12"
-rand         = "0.8"
-serde        = "1"
-serde_json   = "1"
-sha3         = "0.10"
-sqlx         = { version = "0.8", default-features = false, features = ["chrono", "macros", "migrate", "runtime-tokio", "sqlite", "tls-rustls"] }
-tiktoken-rs  = "0.6"
-tokio        = "1.37"
-uuid         = "1.8"
-v_htmlescape = "0.15"
-y-octo       = { git = "https://github.com/y-crdt/y-octo.git", branch = "main" }
+anyhow      = "1"
+chrono      = "0.4"
+dotenv      = "0.15"
+file-format = { version = "0.25", features = ["reader"] }
+mimalloc    = "0.1"
+napi        = { version = "3.0.0-alpha.1", features = ["async", "chrono_date", "error_anyhow", "napi9", "serde"] }
+napi-build  = { version = "2" }
+napi-derive = { version = "3.0.0-alpha.1" }
+notify      = { version = "6", features = ["serde"] }
+once_cell   = "1"
+parking_lot = "0.12"
+rand        = "0.8"
+serde       = "1"
+serde_json  = "1"
+sha3        = "0.10"
+sqlx        = { version = "0.7", default-features = false, features = ["chrono", "macros", "migrate", "runtime-tokio", "sqlite", "tls-rustls"] }
+tiktoken-rs = "0.5"
+tokio       = "1.37"
+uuid        = "1.8"
+y-octo      = { git = "https://github.com/y-crdt/y-octo.git", branch = "main" }
 
 [profile.dev.package.sqlx-macros]
 opt-level = 3

README.md

@@ -1,7 +1,7 @@
 <div align="center">
 
 <h1 style="border-bottom: none">
-    <b><a href="https://affine.pro">AFFiNE.Pro</a></b><br />
+    <b><a href="https://affine.pro">AFFiNE.PRO</a></b><br />
     Write, Draw and Plan All at Once
     <br>
 </h1>
@@ -33,6 +33,7 @@
 [![Releases](https://img.shields.io/github/downloads/toeverything/AFFiNE/total)](https://github.com/toeverything/AFFiNE/releases/latest)
 [![All Contributors][all-contributors-badge]](#contributors)
 [![TypeScript-version-icon]](https://www.typescriptlang.org/)
+[![Rust-version-icon]](https://www.rust-lang.org/)
 
 </div>
 
@@ -54,7 +55,7 @@ Star us, and you will receive all release notifications from GitHub without any
 
 ## What is AFFiNE
 
-[AFFiNE](https://affine.pro) is an open-source, all-in-one workspace and an operating system for all the building blocks that assemble your knowledge base and much more -- wiki, knowledge management, presentation and digital assets. It's a better alternative to Notion and Miro.
+AFFiNE is an open-source, all-in-one workspace and an operating system for all the building blocks that assemble your knowledge base and much more -- wiki, knowledge management, presentation and digital assets. It's a better alternative to Notion and Miro.
 
 ## Features
 
@@ -64,7 +65,7 @@ Star us, and you will receive all release notifications from GitHub without any
 
 **Multimodal AI partner ready to kick in any work**
 
-- Write up professional work report? Turn an outline into expressive and presentable slides? Summary an article into a well-structured mindmap? Sorting your job plan and backlog for tasks? Or... draw and code prototype apps and web pages directly all with one prompt? With you, [AFFiNE AI](https://affine.pro/ai) pushes your creativity to the edge of your imagination,just like [Canvas AI](https://affine.pro/blog/best-canvas-ai) to generate mind map for brainstorming.
+- Write up professional work report? Turn an outline into expressive and presentable slides? Summary an article into a well-structured mindmap? Sorting your job plan and backlog for tasks? Or... draw and code prototype apps and web pages directly all with one prompt? With you, AFFiNE AI pushes your creativity to the edge of your imagination.
 
 **Local-first & Real-time collaborative**
 
@@ -107,37 +108,6 @@ Looking for **other ways to contribute** and wondering where to start? Check out
 
 If you have questions, you are welcome to contact us. One of the best places to get more info and learn more is in the [AFFiNE Community](https://community.affine.pro) where you can engage with other like-minded individuals.
 
-## Templates
-
-AFFiNE now provides pre-built [templates](https://affine.pro/templates) from our team. Following are the Top 10 most popular templates among AFFiNE users,if you want to contribute, you can contribute your own template so other people can use it too.
-
-- [vision board template](https://affine.pro/templates/category-vision-board-template)
-- [one pager template](https://affine.pro/templates/category-one-pager-template-free)
-- [sample lesson plan math template](https://affine.pro/templates/sample-lesson-plan-math-template)
-- [grr lesson plan template free](https://affine.pro/templates/grr-lesson-plan-template-free)
-- [free editable lesson plan template for pre k](https://affine.pro/templates/free-editable-lesson-plan-template-for-pre-k)
-- [high note collection planners](https://affine.pro/templates/high-note-collection-planners)
-- [digital planner](https://affine.pro/templates/category-digital-planner)
-- [ADHD Planner](https://affine.pro/templates/adhd-planner)
-- [Reading Log](https://affine.pro/templates/reading-log)
-- [Cornell Notes Template](https://affine.pro/templates/category-cornell-notes-template)
-
-## Blog
-
-Welcome to the AFFiNE blog section! Here, you’ll find the latest insights, tips, and guides on how to maximize your experience with AFFiNE and AFFiNE AI, the leading Canvas AI tool for flexible note-taking and creative organization.
-
-- [vision board template](https://affine.pro/blog/8-free-printable-vision-board-templates-examples-2023)
-- [itinerary template](https://affine.pro/blog/free-customized-travel-itinerary-planner-templates)
-- [one pager template](https://affine.pro/blog/top-12-one-pager-examples-how-to-create-your-own)
-- [cornell notes template](https://affine.pro/blog/the-cornell-notes-template-and-system-learning-tips)
-- [swot chart template](https://affine.pro/blog/top-10-free-editable-swot-analysis-template-examples)
-- [apps like luna task](https://affine.pro/blog/apps-like-luna-task)
-- [note taking ai from rough notes to mind map](https://affine.pro/blog/dynamic-AI-notes)
-- [canvas ai](https://affine.pro/blog/best-canvas-ai)
-- [one pager](https://affine.pro/blog/top-12-one-pager-examples-how-to-create-your-own)
-- [SOP Template](https://affine.pro/blog/how-to-write-sop-step-by-step-guide-5-best-free-tools-templates)
-- [Chore Chart](https://affine.pro/blog/10-best-free-chore-chart-templates-kids-adults)
-
 ## Ecosystem
 
 | Name                                             |                            |                                                                                                                                         |
@@ -221,6 +191,7 @@ See [LICENSE] for details.
 [jobs available]: ./docs/jobs.md
 [latest packages]: https://github.com/toeverything/AFFiNE/pkgs/container/affine-self-hosted
 [contributor license agreement]: https://github.com/toeverything/affine/edit/canary/.github/CLA.md
+[rust-version-icon]: https://img.shields.io/badge/Rust-1.79.0-dea584
 [stars-icon]: https://img.shields.io/github/stars/toeverything/AFFiNE.svg?style=flat&logo=github&colorB=red&label=stars
 [codecov]: https://codecov.io/gh/toeverything/affine/branch/canary/graphs/badge.svg?branch=canary
 [node-version-icon]: https://img.shields.io/badge/node-%3E=18.16.1-success

SECURITY.md

@@ -6,8 +6,8 @@ We recommend users to always use the latest major version. Security updates will
 
 | Version         | Supported          |
 | --------------- | ------------------ |
-| 0.17.x (stable) | :white_check_mark: |
-| < 0.17.x        | :x:                |
+| 0.15.x (stable) | :white_check_mark: |
+| < 0.15.x        | :x:                |
 
 ## Reporting a Vulnerability
 

docs/developing-server.md

@@ -29,7 +29,7 @@ docker run --rm --name mailhog -p 1025:1025 -p 8025:8025 mailhog/mailhog
 
 ```
 docker ps
-docker exec -it affine-postgres psql -U postgres ## `affine-postgres` is the container name from the previous step
+docker exec -it CONTAINER_ID psql -U postgres ## change container_id
 ```
 
 ### in the terminal, following the example to user & table
@@ -96,12 +96,6 @@ yarn workspace @affine/native build
 yarn workspace @affine/server dev
 ```
 
-when server started, it will created a default user:
-
-email: dev@affine.pro
-name: Dev User
-password: dev
-
 ## start core (web)
 
 ```

docs/reference/package.json

@@ -19,5 +19,5 @@
     ],
     "ext": "ts,md,json"
   },
-  "version": "0.17.0"
+  "version": "0.16.0"
 }

nx.json

@@ -11,7 +11,9 @@
       }
     }
   },
-  "defaultBase": "canary",
+  "affected": {
+    "defaultBase": "canary"
+  },
   "namedInputs": {
     "default": ["{projectRoot}/**/*", "sharedGlobals"],
     "sharedGlobals": [
@@ -79,6 +81,9 @@
     "test": {
       "outputs": ["{workspaceRoot}/.nyc_output"],
       "inputs": [
+        {
+          "env": "ENABLE_PRELOADING"
+        },
         {
           "env": "COVERAGE"
         }
@@ -87,6 +92,9 @@
     "test:ui": {
       "outputs": ["{workspaceRoot}/.nyc_output"],
       "inputs": [
+        {
+          "env": "ENABLE_PRELOADING"
+        },
         {
           "env": "COVERAGE"
         }
@@ -94,7 +102,11 @@
     },
     "test:coverage": {
       "outputs": ["{workspaceRoot}/.nyc_output"],
-      "inputs": []
+      "inputs": [
+        {
+          "env": "ENABLE_PRELOADING"
+        }
+      ]
     }
   }
 }

oxlint.json

@@ -1,8 +1,4 @@
 {
-  "categories": {
-    "correctness": "error",
-    "perf": "error"
-  },
   "rules": {
     // allow
     "import/named": "allow",

package.json

@@ -1,13 +1,12 @@
 {
   "name": "@affine/monorepo",
-  "version": "0.17.0",
+  "version": "0.16.0",
   "private": true,
   "author": "toeverything",
   "license": "MIT",
   "workspaces": [
     ".",
     "packages/*/*",
-    "packages/frontend/apps/*",
     "tools/*",
     "docs/reference",
     "tools/@types/*",
@@ -19,8 +18,8 @@
   },
   "scripts": {
     "dev": "yarn workspace @affine/cli dev",
-    "build": "yarn workspace @affine/cli bundle",
     "dev:electron": "yarn workspace @affine/electron dev",
+    "build": "yarn nx build @affine/web",
     "build:electron": "yarn nx build @affine/electron",
     "build:server-native": "yarn nx run-many -t build -p @affine/server-native",
     "start:web-static": "yarn workspace @affine/web static-server",
@@ -29,14 +28,14 @@
     "lint:eslint:fix": "yarn lint:eslint --fix",
     "lint:prettier": "prettier --ignore-unknown --cache --check .",
     "lint:prettier:fix": "prettier --ignore-unknown --cache --write .",
-    "lint:ox": "oxlint -c oxlint.json --deny-warnings --import-plugin",
+    "lint:ox": "oxlint -c oxlint.json --deny-warnings --import-plugin -D correctness -D perf",
     "lint": "yarn lint:eslint && yarn lint:prettier",
     "lint:fix": "yarn lint:eslint:fix && yarn lint:prettier:fix",
     "test": "vitest --run",
     "test:ui": "vitest --ui",
     "test:coverage": "vitest run --coverage",
     "typecheck": "tsc -b tsconfig.json",
-    "postinstall": "node ./scripts/check-version.mjs && yarn workspace @affine/i18n i18n-codegen gen && yarn husky install",
+    "postinstall": "node ./scripts/check-version.mjs && yarn i18n-codegen gen && yarn husky install",
     "prepare": "husky"
   },
   "lint-staged": {
@@ -53,24 +52,30 @@
     ]
   },
   "devDependencies": {
+    "@affine-test/kit": "workspace:*",
     "@affine/cli": "workspace:*",
-    "@capacitor/cli": "^6.1.2",
-    "@faker-js/faker": "^9.0.0",
+    "@commitlint/cli": "^19.2.1",
+    "@commitlint/config-conventional": "^19.1.0",
+    "@faker-js/faker": "^8.4.1",
     "@istanbuljs/schema": "^0.1.3",
     "@magic-works/i18n-codegen": "^0.6.0",
-    "@playwright/test": "=1.48.2",
+    "@nx/vite": "^19.5.3",
+    "@playwright/test": "=1.44.1",
     "@taplo/cli": "^0.7.0",
+    "@testing-library/react": "^16.0.0",
     "@toeverything/infra": "workspace:*",
     "@types/affine__env": "workspace:*",
-    "@types/eslint": "^9.0.0",
+    "@types/eslint": "^8.56.7",
     "@types/node": "^20.12.7",
     "@typescript-eslint/eslint-plugin": "^7.6.0",
     "@typescript-eslint/parser": "^7.6.0",
     "@vanilla-extract/vite-plugin": "^4.0.7",
-    "@vitest/coverage-istanbul": "2.1.4",
-    "@vitest/ui": "2.1.4",
+    "@vanilla-extract/webpack-plugin": "^2.3.7",
+    "@vitejs/plugin-react-swc": "^3.6.0",
+    "@vitest/coverage-istanbul": "1.6.0",
+    "@vitest/ui": "1.6.0",
     "cross-env": "^7.0.3",
-    "electron": "^33.0.0",
+    "electron": "^31.0.0",
     "eslint": "^8.57.0",
     "eslint-config-prettier": "^9.1.0",
     "eslint-plugin-import-x": "^0.5.0",
@@ -81,22 +86,31 @@
     "eslint-plugin-sonarjs": "^0.25.1",
     "eslint-plugin-unicorn": "^52.0.0",
     "eslint-plugin-unused-imports": "^3.1.0",
-    "happy-dom": "^15.0.0",
+    "eslint-plugin-vue": "^9.24.1",
+    "fake-indexeddb": "6.0.0",
+    "happy-dom": "^14.7.1",
     "husky": "^9.0.11",
     "lint-staged": "^15.2.2",
     "msw": "^2.3.0",
-    "nx": "^20.0.3",
-    "nx-cloud": "^19.1.0",
-    "oxlint": "0.11.0",
+    "nanoid": "^5.0.7",
+    "nx": "^19.0.0",
+    "nyc": "^17.0.0",
+    "oxlint": "0.7.1",
     "prettier": "^3.3.3",
     "semver": "^7.6.0",
     "serve": "^14.2.1",
-    "typescript": "^5.6.3",
+    "string-width": "^7.1.0",
+    "ts-node": "^10.9.2",
+    "typescript": "^5.4.5",
     "unplugin-swc": "^1.4.5",
     "vite": "^5.2.8",
-    "vitest": "2.1.4"
+    "vite-plugin-istanbul": "^6.0.0",
+    "vite-plugin-static-copy": "^1.0.2",
+    "vitest": "1.6.0",
+    "vitest-fetch-mock": "^0.3.0",
+    "vitest-mock-extended": "^2.0.0"
   },
-  "packageManager": "yarn@4.5.1",
+  "packageManager": "yarn@4.4.0",
   "resolutions": {
     "array-buffer-byte-length": "npm:@nolyfill/array-buffer-byte-length@latest",
     "array-includes": "npm:@nolyfill/array-includes@latest",
@@ -153,7 +167,7 @@
     "unbox-primitive": "npm:@nolyfill/unbox-primitive@latest",
     "which-boxed-primitive": "npm:@nolyfill/which-boxed-primitive@latest",
     "which-typed-array": "npm:@nolyfill/which-typed-array@latest",
-    "@reforged/maker-appimage/@electron-forge/maker-base": "7.5.0",
+    "@reforged/maker-appimage/@electron-forge/maker-base": "7.4.0",
     "macos-alias": "npm:@napi-rs/macos-alias@0.0.4",
     "fs-xattr": "npm:@napi-rs/xattr@latest"
   }

packages/backend/native/Cargo.toml

@@ -7,15 +7,14 @@ version = "1.0.0"
 crate-type = ["cdylib"]
 
 [dependencies]
-chrono       = { workspace = true }
-file-format  = { workspace = true }
-napi         = { workspace = true }
-napi-derive  = { workspace = true }
-rand         = { workspace = true }
-sha3         = { workspace = true }
-tiktoken-rs  = { workspace = true }
-v_htmlescape = { workspace = true }
-y-octo       = { workspace = true }
+chrono      = { workspace = true }
+file-format = { workspace = true }
+napi        = { workspace = true }
+napi-derive = { workspace = true }
+rand        = { workspace = true }
+sha3        = { workspace = true }
+tiktoken-rs = { workspace = true }
+y-octo      = { workspace = true }
 
 [target.'cfg(not(target_os = "linux"))'.dependencies]
 mimalloc = { workspace = true }

packages/backend/native/benchmark/index.js

@@ -7,7 +7,6 @@ import { fromModelName } from '../index.js';
 
 const bench = new Bench({
   iterations: 100,
-  warmup: true,
 });
 
 const FIXTURE = `Please extract the items that can be used as tasks from the following content, and send them to me in the format provided by the template. The extracted items should cover as much of the following content as possible.
@@ -37,6 +36,7 @@ bench
     fromModelName('gpt-4o').count(FIXTURE);
   });
 
+await bench.warmup();
 await bench.run();
 
 console.table(bench.table());

packages/backend/native/index.d.ts

@@ -8,8 +8,6 @@ export declare function fromModelName(modelName: string): Tokenizer | null
 
 export declare function getMime(input: Uint8Array): string
 
-export declare function htmlSanitize(input: string): string
-
 /**
  * Merge updates in form like `Y.applyUpdate(doc, update)` way and return the
  * result binary.

packages/backend/native/index.js

@@ -11,4 +11,3 @@ export const mintChallengeResponse = binding.mintChallengeResponse;
 export const getMime = binding.getMime;
 export const Tokenizer = binding.Tokenizer;
 export const fromModelName = binding.fromModelName;
-export const htmlSanitize = binding.htmlSanitize;

packages/backend/native/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@affine/server-native",
-  "version": "0.17.0",
+  "version": "0.16.0",
   "engines": {
     "node": ">= 10.16.0 < 11 || >= 11.8.0"
   },
@@ -33,12 +33,12 @@
     "build:debug": "napi build"
   },
   "devDependencies": {
-    "@napi-rs/cli": "3.0.0-alpha.64",
+    "@napi-rs/cli": "3.0.0-alpha.60",
     "lib0": "^0.2.93",
-    "nx": "^20.0.3",
-    "nx-cloud": "^19.1.0",
+    "nx": "^19.0.0",
+    "nx-cloud": "^19.0.0",
     "tiktoken": "^1.0.15",
-    "tinybench": "^3.0.0",
+    "tinybench": "^2.8.0",
     "yjs": "patch:yjs@npm%3A13.6.18#~/.yarn/patches/yjs-npm-13.6.18-ad0d5f7c43.patch"
   }
 }

packages/backend/native/project.json

@@ -12,18 +12,12 @@
         "script": "build"
       },
       "inputs": [
-        { "fileset": "{workspaceRoot}/rust-toolchain.toml" },
-        { "fileset": "{workspaceRoot}/Cargo.lock" },
-        { "fileset": "{workspaceRoot}/packages/backend/native/**/*.rs" },
-        { "fileset": "{workspaceRoot}/packages/backend/native/Cargo.toml" },
-        {
-          "runtime": "rustc --version"
-        },
-        {
-          "externalDependencies": ["nx"]
-        }
+        { "runtime": "rustc --version" },
+        { "runtime": "node -v" },
+        { "runtime": "clang --version" },
+        { "runtime": "cargo tree" }
       ],
-      "outputs": ["{projectRoot}/*.node"]
+      "outputs": ["{projectRoot}/*.node", "{workspaceRoot}/*.node"]
     }
   }
 }

packages/backend/native/src/html_sanitize.rs

@@ -1,4 +0,0 @@
-#[napi]
-pub fn html_sanitize(input: String) -> String {
-  v_htmlescape::escape(&input).to_string()
-}

packages/backend/native/src/lib.rs

@@ -2,7 +2,6 @@
 
 pub mod file_type;
 pub mod hashcash;
-pub mod html_sanitize;
 pub mod tiktoken;
 
 use std::fmt::{Debug, Display};

packages/backend/server/migrations/20240815064332_userspace/migration.sql

@@ -1,13 +0,0 @@
--- CreateTable
-CREATE TABLE "user_snapshots" (
-    "user_id" VARCHAR NOT NULL,
-    "id" VARCHAR NOT NULL,
-    "blob" BYTEA NOT NULL,
-    "created_at" TIMESTAMPTZ(3) NOT NULL DEFAULT CURRENT_TIMESTAMP,
-    "updated_at" TIMESTAMPTZ(3) NOT NULL,
-
-    CONSTRAINT "user_snapshots_pkey" PRIMARY KEY ("user_id","id")
-);
-
--- AddForeignKey
-ALTER TABLE "user_snapshots" ADD CONSTRAINT "user_snapshots_user_id_fkey" FOREIGN KEY ("user_id") REFERENCES "users"("id") ON DELETE CASCADE ON UPDATE CASCADE;

packages/backend/server/migrations/20240815084618_update_doc_tables/migration.sql

@@ -1,14 +0,0 @@
-/*
-  Warnings:
-
-  - The primary key for the `updates` table will be changed. If it partially fails, the table could be left without primary key constraint.
-
-*/
--- AlterTable
-ALTER TABLE "snapshots" ALTER COLUMN "seq" DROP NOT NULL;
-
--- AlterTable
-ALTER TABLE "updates" DROP CONSTRAINT "updates_pkey",
-ALTER COLUMN "created_at" DROP DEFAULT,
-ALTER COLUMN "seq" DROP NOT NULL,
-ADD CONSTRAINT "updates_pkey" PRIMARY KEY ("workspace_id", "guid", "created_at");

packages/backend/server/migrations/20240826033024_editor_record/migration.sql

@@ -1,21 +0,0 @@
--- AlterTable
-ALTER TABLE "snapshot_histories" ADD COLUMN     "created_by" VARCHAR;
-
--- AlterTable
-ALTER TABLE "snapshots" ADD COLUMN     "created_by" VARCHAR,
-ADD COLUMN     "updated_by" VARCHAR;
-
--- AlterTable
-ALTER TABLE "updates" ADD COLUMN     "created_by" VARCHAR;
-
--- AddForeignKey
-ALTER TABLE "snapshots" ADD CONSTRAINT "snapshots_created_by_fkey" FOREIGN KEY ("created_by") REFERENCES "users"("id") ON DELETE SET NULL ON UPDATE CASCADE;
-
--- AddForeignKey
-ALTER TABLE "snapshots" ADD CONSTRAINT "snapshots_updated_by_fkey" FOREIGN KEY ("updated_by") REFERENCES "users"("id") ON DELETE SET NULL ON UPDATE CASCADE;
-
--- AddForeignKey
-ALTER TABLE "updates" ADD CONSTRAINT "updates_created_by_fkey" FOREIGN KEY ("created_by") REFERENCES "users"("id") ON DELETE SET NULL ON UPDATE CASCADE;
-
--- AddForeignKey
-ALTER TABLE "snapshot_histories" ADD CONSTRAINT "snapshot_histories_created_by_fkey" FOREIGN KEY ("created_by") REFERENCES "users"("id") ON DELETE SET NULL ON UPDATE CASCADE;

packages/backend/server/migrations/20240903033137_workspace_url_preview/migration.sql

@@ -1,2 +0,0 @@
--- AlterTable
-ALTER TABLE "workspaces" ADD COLUMN     "enable_url_preview" BOOLEAN NOT NULL DEFAULT false;

packages/backend/server/migrations/20240908111944_index_permission_user_id/migration.sql

@@ -1,2 +0,0 @@
--- CreateIndex
-CREATE INDEX "workspace_user_permissions_user_id_idx" ON "workspace_user_permissions"("user_id");

packages/backend/server/migrations/20240908130725_add_workspace_level_snapshot_index/migration.sql

@@ -1,12 +0,0 @@
-/*
-  Warnings:
-
-  - The primary key for the `snapshots` table will be changed. If it partially fails, the table could be left without primary key constraint.
-
-*/
--- AlterTable
-ALTER TABLE "snapshots" DROP CONSTRAINT "snapshots_pkey",
-ADD CONSTRAINT "snapshots_pkey" PRIMARY KEY ("workspace_id", "guid");
-
--- CreateIndex
-CREATE INDEX "snapshots_workspace_id_updated_at_idx" ON "snapshots"("workspace_id", "updated_at");

packages/backend/server/migrations/20240909090850_ai_table_index/migration.sql

@@ -1,8 +0,0 @@
--- CreateIndex
-CREATE INDEX "ai_sessions_messages_session_id_idx" ON "ai_sessions_messages"("session_id");
-
--- CreateIndex
-CREATE INDEX "ai_sessions_metadata_user_id_idx" ON "ai_sessions_metadata"("user_id");
-
--- CreateIndex
-CREATE INDEX "ai_sessions_metadata_user_id_workspace_id_idx" ON "ai_sessions_metadata"("user_id", "workspace_id");

packages/backend/server/migrations/20240909100000_lower_index_user_email/migration.sql

@@ -1,2 +0,0 @@
--- CreateIndex
-CREATE INDEX "users_email_lowercase_idx" ON "users"(lower("email"))

packages/backend/server/migrations/20240924024058_onetime_payment_subscription/migration.sql

@@ -1,2 +0,0 @@
--- AlterTable
-ALTER TABLE "user_subscriptions" ADD COLUMN     "variant" VARCHAR(20);

packages/backend/server/package.json

@@ -1,7 +1,7 @@
 {
   "name": "@affine/server",
   "private": true,
-  "version": "0.17.0",
+  "version": "0.16.0",
   "description": "Affine Node.js server",
   "type": "module",
   "bin": {
@@ -12,9 +12,7 @@
     "start": "node --loader ts-node/esm/transpile-only.mjs ./src/index.ts",
     "dev": "nodemon ./src/index.ts",
     "test": "ava --concurrency 1 --serial",
-    "test:copilot": "ava --concurrency 1 --serial \"tests/**/copilot-*.e2e.ts\"",
     "test:coverage": "c8 ava --concurrency 1 --serial",
-    "test:copilot:coverage": "c8 ava --timeout=5m --concurrency 1 --serial \"tests/**/copilot-*.e2e.ts\"",
     "postinstall": "prisma generate",
     "data-migration": "node --loader ts-node/esm/transpile-only.mjs ./src/data/index.ts",
     "predeploy": "yarn prisma migrate deploy && node --import ./scripts/register.js ./dist/data/index.js run",
@@ -23,10 +21,11 @@
   "dependencies": {
     "@apollo/server": "^4.10.2",
     "@aws-sdk/client-s3": "^3.620.0",
-    "@fal-ai/serverless-client": "^0.15.0",
-    "@google-cloud/opentelemetry-cloud-monitoring-exporter": "^0.20.0",
+    "@fal-ai/serverless-client": "^0.13.0",
+    "@google-cloud/opentelemetry-cloud-monitoring-exporter": "^0.19.0",
     "@google-cloud/opentelemetry-cloud-trace-exporter": "^2.2.0",
     "@google-cloud/opentelemetry-resource-util": "^2.2.0",
+    "@keyv/redis": "^2.8.4",
     "@nestjs/apollo": "^12.1.0",
     "@nestjs/common": "^10.3.7",
     "@nestjs/core": "^10.3.7",
@@ -35,24 +34,25 @@
     "@nestjs/platform-express": "^10.3.7",
     "@nestjs/platform-socket.io": "^10.3.7",
     "@nestjs/schedule": "^4.0.1",
-    "@nestjs/throttler": "6.2.1",
+    "@nestjs/throttler": "5.2.0",
     "@nestjs/websockets": "^10.3.7",
-    "@node-rs/argon2": "^2.0.0",
+    "@node-rs/argon2": "^1.8.0",
     "@node-rs/crc32": "^1.10.0",
+    "@node-rs/jsonwebtoken": "^0.5.2",
     "@opentelemetry/api": "^1.9.0",
     "@opentelemetry/core": "^1.25.0",
-    "@opentelemetry/exporter-prometheus": "^0.54.0",
+    "@opentelemetry/exporter-prometheus": "^0.52.0",
     "@opentelemetry/exporter-zipkin": "^1.25.0",
     "@opentelemetry/host-metrics": "^0.35.2",
-    "@opentelemetry/instrumentation": "^0.54.0",
-    "@opentelemetry/instrumentation-graphql": "^0.44.0",
-    "@opentelemetry/instrumentation-http": "^0.54.0",
-    "@opentelemetry/instrumentation-ioredis": "^0.44.0",
-    "@opentelemetry/instrumentation-nestjs-core": "^0.41.0",
-    "@opentelemetry/instrumentation-socket.io": "^0.43.0",
+    "@opentelemetry/instrumentation": "^0.52.0",
+    "@opentelemetry/instrumentation-graphql": "^0.42.0",
+    "@opentelemetry/instrumentation-http": "^0.52.0",
+    "@opentelemetry/instrumentation-ioredis": "^0.42.0",
+    "@opentelemetry/instrumentation-nestjs-core": "^0.39.0",
+    "@opentelemetry/instrumentation-socket.io": "^0.41.0",
     "@opentelemetry/resources": "^1.25.0",
     "@opentelemetry/sdk-metrics": "^1.25.0",
-    "@opentelemetry/sdk-node": "^0.54.0",
+    "@opentelemetry/sdk-node": "^0.52.0",
     "@opentelemetry/sdk-trace-node": "^1.25.0",
     "@opentelemetry/semantic-conventions": "^1.25.0",
     "@prisma/client": "^5.15.0",
@@ -60,42 +60,50 @@
     "@socket.io/redis-adapter": "^8.3.0",
     "cookie-parser": "^1.4.6",
     "dotenv": "^16.4.5",
+    "dotenv-cli": "^7.4.1",
     "express": "^4.19.2",
     "fast-xml-parser": "^4.4.0",
     "get-stream": "^9.0.1",
     "graphql": "^16.8.1",
     "graphql-scalars": "^1.23.0",
-    "graphql-upload": "^17.0.0",
+    "graphql-type-json": "^0.3.2",
+    "graphql-upload": "^16.0.2",
     "html-validate": "^8.20.1",
     "ioredis": "^5.3.2",
-    "is-mobile": "^5.0.0",
-    "keyv": "^5.0.0",
+    "keyv": "^4.5.4",
     "lodash-es": "^4.17.21",
     "mixpanel": "^0.18.0",
     "mustache": "^4.2.0",
     "nanoid": "^5.0.7",
     "nest-commander": "^3.12.5",
-    "nestjs-throttler-storage-redis": "^0.5.0",
+    "nestjs-throttler-storage-redis": "^0.4.1",
     "nodemailer": "^6.9.13",
     "on-headers": "^1.0.2",
     "openai": "^4.33.0",
+    "parse-duration": "^1.1.0",
     "piscina": "^4.5.1",
+    "pretty-time": "^1.1.0",
     "prisma": "^5.12.1",
+    "prom-client": "^15.1.1",
     "reflect-metadata": "^0.2.2",
     "rxjs": "^7.8.1",
+    "semver": "^7.6.0",
     "ses": "^1.4.1",
     "socket.io": "^4.7.5",
-    "stripe": "^17.0.0",
+    "stripe": "^16.0.0",
     "ts-node": "^10.9.2",
-    "typescript": "^5.6.3",
+    "typescript": "^5.4.5",
+    "ws": "^8.16.0",
     "yjs": "patch:yjs@npm%3A13.6.18#~/.yarn/patches/yjs-npm-13.6.18-ad0d5f7c43.patch",
     "zod": "^3.22.4"
   },
   "devDependencies": {
     "@affine-test/kit": "workspace:*",
     "@affine/server-native": "workspace:*",
+    "@napi-rs/image": "^1.9.1",
     "@nestjs/testing": "^10.3.7",
     "@types/cookie-parser": "^1.4.7",
+    "@types/engine.io": "^3.1.10",
     "@types/express": "^4.17.21",
     "@types/graphql-upload": "^16.0.7",
     "@types/keyv": "^4.2.0",
@@ -105,12 +113,14 @@
     "@types/node": "^20.12.7",
     "@types/nodemailer": "^6.4.14",
     "@types/on-headers": "^1.0.3",
+    "@types/pretty-time": "^1.1.5",
     "@types/sinon": "^17.0.3",
     "@types/supertest": "^6.0.2",
+    "@types/ws": "^8.5.10",
     "ava": "^6.1.2",
     "c8": "^10.0.0",
     "nodemon": "^3.1.0",
-    "sinon": "^19.0.0",
+    "sinon": "^18.0.0",
     "supertest": "^7.0.0"
   },
   "ava": {

packages/backend/server/schema.prisma

@@ -32,11 +32,6 @@ model User {
   sessions              UserSession[]
   aiSessions            AiSession[]
   updatedRuntimeConfigs RuntimeConfig[]
-  userSnapshots         UserSnapshot[]
-  createdSnapshot       Snapshot[]                    @relation("createdSnapshot")
-  updatedSnapshot       Snapshot[]                    @relation("updatedSnapshot")
-  createdUpdate         Update[]                      @relation("createdUpdate")
-  createdHistory        SnapshotHistory[]             @relation("createdHistory")
 
   @@index([email])
   @@map("users")
@@ -62,12 +57,11 @@ model ConnectedAccount {
 }
 
 model Session {
-  id           String        @id @default(uuid()) @db.VarChar
-  createdAt    DateTime      @default(now()) @map("created_at") @db.Timestamptz(3)
-  userSessions UserSession[]
+  id        String    @id @default(uuid()) @db.VarChar
+  expiresAt DateTime? @map("expires_at") @db.Timestamptz(3)
+  createdAt DateTime  @default(now()) @map("created_at") @db.Timestamptz(3)
 
-  // @deprecated use [UserSession.expiresAt]
-  deprecated_expiresAt DateTime? @map("expires_at") @db.Timestamptz(3)
+  userSessions UserSession[]
 
   @@map("multiple_users_sessions")
 }
@@ -97,10 +91,9 @@ model VerificationToken {
 }
 
 model Workspace {
-  id               String   @id @default(uuid()) @db.VarChar
-  public           Boolean
-  enableUrlPreview Boolean  @default(false) @map("enable_url_preview")
-  createdAt        DateTime @default(now()) @map("created_at") @db.Timestamptz(3)
+  id        String   @id @default(uuid()) @db.VarChar
+  public    Boolean
+  createdAt DateTime @default(now()) @map("created_at") @db.Timestamptz(3)
 
   pages           WorkspacePage[]
   permissions     WorkspaceUserPermission[]
@@ -142,8 +135,6 @@ model WorkspaceUserPermission {
   workspace Workspace @relation(fields: [workspaceId], references: [id], onDelete: Cascade)
 
   @@unique([workspaceId, userId])
-  // optimize for quering user's workspace permissions
-  @@index(userId)
   @@map("workspace_user_permissions")
 }
 
@@ -244,61 +235,25 @@ model Snapshot {
   workspaceId String   @map("workspace_id") @db.VarChar
   id          String   @default(uuid()) @map("guid") @db.VarChar
   blob        Bytes    @db.ByteA
+  seq         Int      @default(0) @db.Integer
   state       Bytes?   @db.ByteA
   createdAt   DateTime @default(now()) @map("created_at") @db.Timestamptz(3)
   // the `updated_at` field will not record the time of record changed,
   // but the created time of last seen update that has been merged into snapshot.
   updatedAt   DateTime @map("updated_at") @db.Timestamptz(3)
-  createdBy   String?  @map("created_by") @db.VarChar
-  updatedBy   String?  @map("updated_by") @db.VarChar
 
-  // should not delete origin snapshot even if user is deleted
-  // we only delete the snapshot if the workspace is deleted
-  createdByUser User? @relation(name: "createdSnapshot", fields: [createdBy], references: [id], onDelete: SetNull)
-  updatedByUser User? @relation(name: "updatedSnapshot", fields: [updatedBy], references: [id], onDelete: SetNull)
-
-  // @deprecated use updatedAt only
-  seq Int? @default(0) @db.Integer
-
-  // we need to clear all hanging updates and snapshots before enable the foreign key on workspaceId
-  // workspace Workspace @relation(fields: [workspaceId], references: [id], onDelete: Cascade)
-
-  @@id([workspaceId, id])
-  @@index([workspaceId, updatedAt])
+  @@id([id, workspaceId])
   @@map("snapshots")
 }
 
-// user snapshots are special snapshots for user storage like personal app settings, distinguished from workspace snapshots
-// basically they share the same structure with workspace snapshots
-// but for convenience, we don't fork the updates queue and hisotry for user snapshots, until we have to
-// which means all operation on user snapshot will happen in-pace
-model UserSnapshot {
-  userId    String   @map("user_id") @db.VarChar
-  id        String   @map("id") @db.VarChar
-  blob      Bytes    @db.ByteA
-  createdAt DateTime @default(now()) @map("created_at") @db.Timestamptz(3)
-  updatedAt DateTime @updatedAt @map("updated_at") @db.Timestamptz(3)
-
-  user User @relation(fields: [userId], references: [id], onDelete: Cascade)
-
-  @@id([userId, id])
-  @@map("user_snapshots")
-}
-
 model Update {
   workspaceId String   @map("workspace_id") @db.VarChar
   id          String   @map("guid") @db.VarChar
+  seq         Int      @db.Integer
   blob        Bytes    @db.ByteA
-  createdAt   DateTime @map("created_at") @db.Timestamptz(3)
-  createdBy   String?  @map("created_by") @db.VarChar
+  createdAt   DateTime @default(now()) @map("created_at") @db.Timestamptz(3)
 
-  // will delete createor record if createor's account is deleted
-  createdByUser User? @relation(name: "createdUpdate", fields: [createdBy], references: [id], onDelete: SetNull)
-
-  // @deprecated use createdAt only
-  seq Int? @db.Integer
-
-  @@id([workspaceId, id, createdAt])
+  @@id([workspaceId, id, seq])
   @@map("updates")
 }
 
@@ -309,10 +264,6 @@ model SnapshotHistory {
   blob        Bytes    @db.ByteA
   state       Bytes?   @db.ByteA
   expiredAt   DateTime @map("expired_at") @db.Timestamptz(3)
-  createdBy   String?  @map("created_by") @db.VarChar
-
-  // will delete createor record if creator's account is deleted
-  createdByUser User? @relation(name: "createdHistory", fields: [createdBy], references: [id], onDelete: SetNull)
 
   @@id([workspaceId, id, timestamp])
   @@map("snapshot_histories")
@@ -332,11 +283,9 @@ model UserSubscription {
   id                   Int       @id @default(autoincrement()) @db.Integer
   userId               String    @map("user_id") @db.VarChar
   plan                 String    @db.VarChar(20)
-  // yearly/monthly/lifetime
+  // yearly/monthly
   recurring            String    @db.VarChar(20)
-  // onetime subscription or anything else
-  variant              String?    @db.VarChar(20)
-  // subscription.id, null for linefetime payment or one time payment subscription
+  // subscription.id, null for linefetime payment
   stripeSubscriptionId String?   @unique @map("stripe_subscription_id")
   // subscription.status, active/past_due/canceled/unpaid...
   status               String    @db.VarChar(20)
@@ -440,7 +389,6 @@ model AiSessionMessage {
 
   session AiSession @relation(fields: [sessionId], references: [id], onDelete: Cascade)
 
-  @@index([sessionId])
   @@map("ai_sessions_messages")
 }
 
@@ -461,8 +409,6 @@ model AiSession {
   prompt   AiPrompt           @relation(fields: [promptName], references: [name], onDelete: Cascade)
   messages AiSessionMessage[]
 
-  @@index([userId])
-  @@index([userId, workspaceId])
   @@map("ai_sessions_metadata")
 }
 

packages/backend/server/src/app.module.ts

@@ -10,8 +10,7 @@ import { get } from 'lodash-es';
 import { AppController } from './app.controller';
 import { AuthModule } from './core/auth';
 import { ADD_ENABLED_FEATURES, ServerConfigModule } from './core/config';
-import { DocStorageModule } from './core/doc';
-import { DocRendererModule } from './core/doc-renderer';
+import { DocModule } from './core/doc';
 import { FeatureModule } from './core/features';
 import { PermissionModule } from './core/permission';
 import { QuotaModule } from './core/quota';
@@ -156,7 +155,7 @@ export function buildAppModule() {
     .use(UserModule, AuthModule, PermissionModule)
 
     // business modules
-    .use(FeatureModule, QuotaModule, DocStorageModule)
+    .use(DocModule)
 
     // sync server only
     .useIf(config => config.flavor.sync, SyncModule)
@@ -168,12 +167,13 @@ export function buildAppModule() {
       GqlModule,
       StorageModule,
       ServerConfigModule,
-      WorkspaceModule
+      WorkspaceModule,
+      FeatureModule,
+      QuotaModule
     )
 
     // self hosted server only
-    .useIf(config => config.isSelfhosted, SelfhostModule)
-    .useIf(config => config.flavor.renderer, DocRendererModule);
+    .useIf(config => config.isSelfhosted, SelfhostModule);
 
   // plugin modules
   ENABLED_PLUGINS.forEach(name => {

packages/backend/server/src/app.ts

@@ -5,7 +5,6 @@ import cookieParser from 'cookie-parser';
 import graphqlUploadExpress from 'graphql-upload/graphqlUploadExpress.mjs';
 
 import { AuthGuard } from './core/auth';
-import { ENABLED_FEATURES } from './core/config/server-feature';
 import {
   CacheInterceptor,
   CloudThrottlerGuard,
@@ -24,10 +23,6 @@ export async function createApp() {
     logger: AFFiNE.affine.stable ? ['log'] : ['verbose'],
   });
 
-  if (AFFiNE.server.path) {
-    app.setGlobalPrefix(AFFiNE.server.path);
-  }
-
   app.use(serverTimingAndCache);
 
   app.use(
@@ -61,7 +56,6 @@ export async function createApp() {
       .init(AFFiNE.metrics.telemetry.token)
       .track('selfhost-server-started', {
         version: AFFiNE.version,
-        features: Array.from(ENABLED_FEATURES),
       });
   }
 

packages/backend/server/src/config/affine.env.ts

@@ -25,7 +25,6 @@ AFFiNE.ENV_MAP = {
   OAUTH_OIDC_CLAIM_MAP_EMAIL: 'plugins.oauth.providers.oidc.args.claim_email',
   OAUTH_OIDC_CLAIM_MAP_NAME: 'plugins.oauth.providers.oidc.args.claim_name',
   METRICS_CUSTOMER_IO_TOKEN: ['metrics.customerIo.token', 'string'],
-  CAPTCHA_TURNSTILE_SECRET: ['plugins.captcha.turnstile.secret', 'string'],
   COPILOT_OPENAI_API_KEY: 'plugins.copilot.openai.apiKey',
   COPILOT_FAL_API_KEY: 'plugins.copilot.fal.apiKey',
   COPILOT_UNSPLASH_API_KEY: 'plugins.copilot.unsplashKey',

packages/backend/server/src/config/affine.self.ts

@@ -71,14 +71,6 @@ AFFiNE.use('payment', {
 });
 AFFiNE.use('oauth');
 
-/* Captcha Plugin Default Config */
-AFFiNE.use('captcha', {
-  turnstile: {},
-  challenge: {
-    bits: 20,
-  },
-});
-
 if (AFFiNE.deploy) {
   AFFiNE.mailer = {
     service: 'gmail',

packages/backend/server/src/config/affine.ts

@@ -95,15 +95,6 @@ AFFiNE.server.port = 3010;
 // });
 //
 //
-// /* Captcha Plugin Default Config */
-// AFFiNE.plugins.use('captcha', {
-//   turnstile: {},
-//   challenge: {
-//     bits: 20,
-//   },
-// });
-//
-//
 // /* Cloudflare R2 Plugin */
 // /* Enable if you choose to store workspace blobs or user avatars in Cloudflare R2 Storage Service */
 // AFFiNE.use('cloudflare-r2', {

packages/backend/server/src/core/auth/config.ts

@@ -40,11 +40,6 @@ export interface AuthRuntimeConfigurations {
    */
   allowSignup: boolean;
 
-  /**
-   * Whether require email domain record verification before access restricted resources
-   */
-  requireEmailDomainVerification: boolean;
-
   /**
    * Whether require email verification before access restricted resources
    */
@@ -81,10 +76,6 @@ defineRuntimeConfig('auth', {
     desc: 'Whether allow new registrations',
     default: true,
   },
-  requireEmailDomainVerification: {
-    desc: 'Whether require email domain record verification before accessing restricted resources',
-    default: false,
-  },
   requireEmailVerification: {
     desc: 'Whether require email verification before accessing restricted resources',
     default: true,

packages/backend/server/src/core/auth/controller.ts

@@ -1,4 +1,4 @@
-import { resolveMx, resolveTxt, setServers } from 'node:dns/promises';
+import { randomUUID } from 'node:crypto';
 
 import {
   Body,
@@ -18,34 +18,26 @@ import {
   EarlyAccessRequired,
   EmailTokenNotFound,
   InternalServerError,
-  InvalidEmail,
   InvalidEmailToken,
   SignUpForbidden,
   Throttle,
   URLHelper,
-  UseNamedGuard,
 } from '../../fundamentals';
 import { UserService } from '../user';
 import { validators } from '../utils/validators';
+import { CurrentUser } from './current-user';
 import { Public } from './guard';
-import { AuthService } from './service';
-import { CurrentUser, Session } from './session';
+import { AuthService, parseAuthUserSeqNum } from './service';
 import { TokenService, TokenType } from './token';
 
-interface PreflightResponse {
-  registered: boolean;
-  hasPassword: boolean;
-}
-
-interface SignInCredential {
-  email: string;
+class SignInCredential {
+  email!: string;
   password?: string;
-  callbackUrl?: string;
 }
 
-interface MagicLinkCredential {
-  email: string;
-  token: string;
+class MagicLinkCredential {
+  email!: string;
+  token!: string;
 }
 
 @Throttle('strict')
@@ -57,56 +49,16 @@ export class AuthController {
     private readonly user: UserService,
     private readonly token: TokenService,
     private readonly config: Config
-  ) {
-    if (config.node.dev) {
-      // set DNS servers in dev mode
-      // NOTE: some network debugging software uses DNS hijacking
-      // to better debug traffic, but their DNS servers may not
-      // handle the non dns query(like txt, mx) correctly, so we
-      // set a public DNS server here to avoid this issue.
-      setServers(['1.1.1.1', '8.8.8.8']);
-    }
-  }
+  ) {}
 
   @Public()
-  @Post('/preflight')
-  async preflight(
-    @Body() params?: { email: string }
-  ): Promise<PreflightResponse> {
-    if (!params?.email) {
-      throw new InvalidEmail();
-    }
-    validators.assertValidEmail(params.email);
-
-    const user = await this.user.findUserWithHashedPasswordByEmail(
-      params.email
-    );
-
-    if (!user) {
-      return {
-        registered: false,
-        hasPassword: false,
-      };
-    }
-
-    return {
-      registered: user.registered,
-      hasPassword: !!user.password,
-    };
-  }
-
-  @Public()
-  @UseNamedGuard('captcha')
   @Post('/sign-in')
   @Header('content-type', 'application/json')
   async signIn(
     @Req() req: Request,
     @Res() res: Response,
     @Body() credential: SignInCredential,
-    /**
-     * @deprecated
-     */
-    @Query('redirect_uri') redirectUri?: string
+    @Query('redirect_uri') redirectUri = this.url.home
   ) {
     validators.assertValidEmail(credential.email);
     const canSignIn = await this.auth.canSignIn(credential.email);
@@ -115,117 +67,80 @@ export class AuthController {
     }
 
     if (credential.password) {
-      await this.passwordSignIn(
-        req,
-        res,
+      const user = await this.auth.signIn(
         credential.email,
         credential.password
       );
+
+      await this.auth.setCookie(req, res, user);
+      res.status(HttpStatus.OK).send(user);
     } else {
-      await this.sendMagicLink(
-        req,
-        res,
-        credential.email,
-        credential.callbackUrl,
+      // send email magic link
+      const user = await this.user.findUserByEmail(credential.email);
+      if (!user) {
+        const allowSignup = await this.config.runtime.fetch('auth/allowSignup');
+        if (!allowSignup) {
+          throw new SignUpForbidden();
+        }
+      }
+
+      const result = await this.sendSignInEmail(
+        { email: credential.email, signUp: !user },
         redirectUri
       );
+
+      if (result.rejected.length) {
+        throw new InternalServerError('Failed to send sign-in email.');
+      }
+
+      res.status(HttpStatus.OK).send({
+        email: credential.email,
+      });
     }
   }
 
-  async passwordSignIn(
-    req: Request,
-    res: Response,
-    email: string,
-    password: string
+  async sendSignInEmail(
+    { email, signUp }: { email: string; signUp: boolean },
+    redirectUri: string
   ) {
-    const user = await this.auth.signIn(email, password);
-
-    await this.auth.setCookies(req, res, user.id);
-    res.status(HttpStatus.OK).send(user);
-  }
-
-  async sendMagicLink(
-    _req: Request,
-    res: Response,
-    email: string,
-    callbackUrl = '/magic-link',
-    redirectUrl?: string
-  ) {
-    // send email magic link
-    const user = await this.user.findUserByEmail(email);
-    if (!user) {
-      const allowSignup = await this.config.runtime.fetch('auth/allowSignup');
-      if (!allowSignup) {
-        throw new SignUpForbidden();
-      }
-
-      const requireEmailDomainVerification = await this.config.runtime.fetch(
-        'auth/requireEmailDomainVerification'
-      );
-      if (requireEmailDomainVerification) {
-        // verify domain has MX, SPF, DMARC records
-        const [name, domain, ...rest] = email.split('@');
-        if (rest.length || !domain) {
-          throw new InvalidEmail();
-        }
-        const [mx, spf, dmarc] = await Promise.allSettled([
-          resolveMx(domain).then(t => t.map(mx => mx.exchange).filter(Boolean)),
-          resolveTxt(domain).then(t =>
-            t.map(([k]) => k).filter(txt => txt.includes('v=spf1'))
-          ),
-          resolveTxt('_dmarc.' + domain).then(t =>
-            t.map(([k]) => k).filter(txt => txt.includes('v=DMARC1'))
-          ),
-        ]).then(t => t.filter(t => t.status === 'fulfilled').map(t => t.value));
-        if (!mx?.length || !spf?.length || !dmarc?.length) {
-          throw new InvalidEmail();
-        }
-        // filter out alias emails
-        if (name.includes('+') || name.includes('.')) {
-          throw new InvalidEmail();
-        }
-      }
-    }
-
     const token = await this.token.createToken(TokenType.SignIn, email);
 
-    const magicLink = this.url.link(callbackUrl, {
+    const magicLink = this.url.link('/magic-link', {
       token,
       email,
-      ...(redirectUrl
-        ? {
-            redirect_uri: redirectUrl,
-          }
-        : {}),
+      redirect_uri: redirectUri,
     });
 
-    const result = await this.auth.sendSignInEmail(email, magicLink, !user);
+    const result = await this.auth.sendSignInEmail(email, magicLink, signUp);
 
-    if (result.rejected.length) {
-      throw new InternalServerError('Failed to send sign-in email.');
-    }
-
-    res.status(HttpStatus.OK).send({
-      email: email,
-    });
+    return result;
   }
 
-  @Public()
   @Get('/sign-out')
   async signOut(
+    @Req() req: Request,
     @Res() res: Response,
-    @Session() session: Session | undefined,
-    @Query('user_id') userId: string | undefined
+    @Query('redirect_uri') redirectUri?: string
   ) {
-    if (!session) {
-      res.status(HttpStatus.OK).send({});
-      return;
+    const session = await this.auth.signOut(
+      req.cookies[AuthService.sessionCookieName],
+      parseAuthUserSeqNum(req.headers[AuthService.authUserSeqHeaderName])
+    );
+
+    if (session) {
+      res.cookie(AuthService.sessionCookieName, session.id, {
+        expires: session.expiresAt ?? void 0, // expiredAt is `string | null`
+        ...this.auth.cookieOptions,
+      });
+    } else {
+      res.clearCookie(AuthService.sessionCookieName);
     }
 
-    await this.auth.signOut(session.sessionId, userId);
-    await this.auth.refreshCookies(res, session.sessionId);
-
-    res.status(HttpStatus.OK).send({});
+    if (redirectUri) {
+      return this.url.safeRedirect(res, redirectUri);
+    } else {
+      return res.send(null);
+    }
   }
 
   @Public()
@@ -241,11 +156,11 @@ export class AuthController {
 
     validators.assertValidEmail(email);
 
-    const tokenRecord = await this.token.verifyToken(TokenType.SignIn, token, {
+    const valid = await this.token.verifyToken(TokenType.SignIn, token, {
       credential: email,
     });
 
-    if (!tokenRecord) {
+    if (!valid) {
       throw new InvalidEmailToken();
     }
 
@@ -254,8 +169,9 @@ export class AuthController {
       registered: true,
     });
 
-    await this.auth.setCookies(req, res, user.id);
-    res.send({ id: user.id });
+    await this.auth.setCookie(req, res, user);
+
+    res.send({ id: user.id, email: user.email, name: user.name });
   }
 
   @Throttle('default', { limit: 1200 })
@@ -282,4 +198,14 @@ export class AuthController {
       users: await this.auth.getUserList(token),
     };
   }
+
+  @Public()
+  @Get('/challenge')
+  async challenge() {
+    // TODO(@darksky): impl in following PR
+    return {
+      challenge: randomUUID(),
+      resource: randomUUID(),
+    };
+  }
 }

packages/backend/server/src/core/auth/current-user.ts

@@ -4,6 +4,10 @@ import { User, UserSession } from '@prisma/client';
 
 import { getRequestResponseFromContext } from '../../fundamentals';
 
+function getUserFromContext(context: ExecutionContext) {
+  return getRequestResponseFromContext(context).req.user;
+}
+
 /**
  * Used to fetch current user from the request context.
  *
@@ -40,7 +44,7 @@ import { getRequestResponseFromContext } from '../../fundamentals';
 // eslint-disable-next-line no-redeclare
 export const CurrentUser = createParamDecorator(
   (_: unknown, context: ExecutionContext) => {
-    return getRequestResponseFromContext(context).req.session?.user;
+    return getUserFromContext(context);
   }
 );
 
@@ -50,14 +54,4 @@ export interface CurrentUser
   emailVerified: boolean;
 }
 
-// interface and variable don't conflict
-// eslint-disable-next-line no-redeclare
-export const Session = createParamDecorator(
-  (_: unknown, context: ExecutionContext) => {
-    return getRequestResponseFromContext(context).req.session;
-  }
-);
-
-export type Session = UserSession & {
-  user: CurrentUser;
-};
+export { type UserSession };

packages/backend/server/src/core/auth/guard.ts

@@ -4,20 +4,28 @@ import type {
   FactoryProvider,
   OnModuleInit,
 } from '@nestjs/common';
-import { Injectable, SetMetadata } from '@nestjs/common';
+import { Injectable, SetMetadata, UseGuards } from '@nestjs/common';
 import { ModuleRef, Reflector } from '@nestjs/core';
-import type { Request, Response } from 'express';
-import { Socket } from 'socket.io';
+import type { Request } from 'express';
 
 import {
   AuthenticationRequired,
   Config,
   getRequestResponseFromContext,
+  mapAnyError,
   parseCookies,
 } from '../../fundamentals';
 import { WEBSOCKET_OPTIONS } from '../../fundamentals/websocket';
-import { AuthService } from './service';
-import { Session } from './session';
+import { CurrentUser, UserSession } from './current-user';
+import { AuthService, parseAuthUserSeqNum } from './service';
+
+function extractTokenFromHeader(authorization: string) {
+  if (!/^Bearer\s/i.test(authorization)) {
+    return;
+  }
+
+  return authorization.substring(7);
+}
 
 const PUBLIC_ENTRYPOINT_SYMBOL = Symbol('public');
 
@@ -37,9 +45,9 @@ export class AuthGuard implements CanActivate, OnModuleInit {
   async canActivate(context: ExecutionContext) {
     const { req, res } = getRequestResponseFromContext(context);
 
-    const userSession = await this.signIn(req, res);
-    if (res && userSession && userSession.expiresAt) {
-      await this.auth.refreshUserSessionIfNeeded(res, userSession);
+    const userSession = await this.signIn(req);
+    if (res && userSession && userSession.session.expiresAt) {
+      await this.auth.refreshUserSessionIfNeeded(req, res, userSession.session);
     }
 
     // api is public
@@ -52,28 +60,43 @@ export class AuthGuard implements CanActivate, OnModuleInit {
       return true;
     }
 
-    if (!userSession) {
+    if (!req.user) {
       throw new AuthenticationRequired();
     }
-
     return true;
   }
 
-  async signIn(req: Request, res?: Response): Promise<Session | null> {
-    if (req.session) {
-      return req.session;
+  async signIn(
+    req: Request
+  ): Promise<{ user: CurrentUser; session: UserSession } | null> {
+    if (req.user && req.session) {
+      return {
+        user: req.user,
+        session: req.session,
+      };
     }
 
-    // TODO(@forehalo): a cache for user session
-    const userSession = await this.auth.getUserSessionFromRequest(req, res);
+    parseCookies(req);
+    let sessionToken: string | undefined =
+      req.cookies[AuthService.sessionCookieName];
 
-    if (userSession) {
-      req.session = {
-        ...userSession.session,
-        user: userSession.user,
-      };
+    if (!sessionToken && req.headers.authorization) {
+      sessionToken = extractTokenFromHeader(req.headers.authorization);
+    }
 
-      return req.session;
+    if (sessionToken) {
+      const userSeq = parseAuthUserSeqNum(
+        req.headers[AuthService.authUserSeqHeaderName]
+      );
+
+      const userSession = await this.auth.getUserSession(sessionToken, userSeq);
+
+      if (userSession) {
+        req.session = userSession.session;
+        req.user = userSession.user;
+      }
+
+      return userSession;
     }
 
     return null;
@@ -81,8 +104,26 @@ export class AuthGuard implements CanActivate, OnModuleInit {
 }
 
 /**
- * Mark api to be public accessible
+ * This guard is used to protect routes/queries/mutations that require a user to be logged in.
+ *
+ * The `@CurrentUser()` parameter decorator used in a `Auth` guarded queries would always give us the user because the `Auth` guard will
+ * fast throw if user is not logged in.
+ *
+ * @example
+ *
+ * ```typescript
+ * \@Auth()
+ * \@Query(() => UserType)
+ * user(@CurrentUser() user: CurrentUser) {
+ *   return user;
+ * }
+ * ```
  */
+export const Auth = () => {
+  return UseGuards(AuthGuard);
+};
+
+// api is public accessible
 export const Public = () => SetMetadata(PUBLIC_ENTRYPOINT_SYMBOL, true);
 
 export const AuthWebsocketOptionsProvider: FactoryProvider = {
@@ -90,22 +131,27 @@ export const AuthWebsocketOptionsProvider: FactoryProvider = {
   useFactory: (config: Config, guard: AuthGuard) => {
     return {
       ...config.websocket,
-      canActivate: async (socket: Socket) => {
-        const upgradeReq = socket.client.request as Request;
-        const handshake = socket.handshake;
+      allowRequest: async (
+        req: any,
+        pass: (err: string | null | undefined, success: boolean) => void
+      ) => {
+        if (!config.websocket.requireAuthentication) {
+          return pass(null, true);
+        }
 
-        // compatibility with websocket request
-        parseCookies(upgradeReq);
+        try {
+          const authentication = await guard.signIn(req);
 
-        upgradeReq.cookies = {
-          [AuthService.sessionCookieName]: handshake.auth.token,
-          [AuthService.userCookieName]: handshake.auth.userId,
-          ...upgradeReq.cookies,
-        };
-
-        const session = await guard.signIn(upgradeReq);
-
-        return !!session;
+          if (authentication) {
+            return pass(null, true);
+          } else {
+            return pass('unauthenticated', false);
+          }
+        } catch (e) {
+          const error = mapAnyError(e);
+          error.log('Websocket');
+          return pass('unauthenticated', false);
+        }
       },
     };
   },

packages/backend/server/src/core/auth/index.ts

@@ -20,7 +20,7 @@ import { TokenService, TokenType } from './token';
     AuthGuard,
     AuthWebsocketOptionsProvider,
   ],
-  exports: [AuthService, AuthGuard, AuthWebsocketOptionsProvider, TokenService],
+  exports: [AuthService, AuthGuard, AuthWebsocketOptionsProvider],
   controllers: [AuthController],
 })
 export class AuthModule {}
@@ -28,4 +28,4 @@ export class AuthModule {}
 export * from './guard';
 export { ClientTokenType } from './resolver';
 export { AuthService, TokenService, TokenType };
-export * from './session';
+export * from './current-user';

packages/backend/server/src/core/auth/resolver.ts

@@ -11,6 +11,7 @@ import {
 
 import {
   ActionForbidden,
+  Config,
   EmailAlreadyUsed,
   EmailTokenNotFound,
   EmailVerificationRequired,
@@ -25,9 +26,9 @@ import { Admin } from '../common';
 import { UserService } from '../user';
 import { UserType } from '../user/types';
 import { validators } from '../utils/validators';
+import { CurrentUser } from './current-user';
 import { Public } from './guard';
 import { AuthService } from './service';
-import { CurrentUser } from './session';
 import { TokenService, TokenType } from './token';
 
 @ObjectType('tokenType')
@@ -46,6 +47,7 @@ export class ClientTokenType {
 @Resolver(() => UserType)
 export class AuthResolver {
   constructor(
+    private readonly config: Config,
     private readonly url: URLHelper,
     private readonly auth: AuthService,
     private readonly user: UserService,
@@ -65,7 +67,7 @@ export class AuthResolver {
 
   @ResolveField(() => ClientTokenType, {
     name: 'token',
-    deprecationReason: 'use [/api/auth/sign-in?native=true] instead',
+    deprecationReason: 'use [/api/auth/authorize]',
   })
   async clientToken(
     @CurrentUser() currentUser: CurrentUser,
@@ -75,11 +77,15 @@ export class AuthResolver {
       throw new ActionForbidden();
     }
 
-    const userSession = await this.auth.createUserSession(user.id);
+    const session = await this.auth.createUserSession(
+      user,
+      undefined,
+      this.config.auth.accessToken.ttl
+    );
 
     return {
-      sessionToken: userSession.sessionId,
-      token: userSession.sessionId,
+      sessionToken: session.sessionId,
+      token: session.sessionId,
       refresh: '',
     };
   }
@@ -95,6 +101,14 @@ export class AuthResolver {
       throw new LinkExpired();
     }
 
+    const config = await this.config.runtime.fetchAll({
+      'auth/password.max': true,
+      'auth/password.min': true,
+    });
+    validators.assertValidPassword(newPassword, {
+      min: config['auth/password.min'],
+      max: config['auth/password.max'],
+    });
     // NOTE: Set & Change password are using the same token type.
     const valid = await this.token.verifyToken(
       TokenType.ChangePassword,
@@ -120,6 +134,7 @@ export class AuthResolver {
     @Args('token') token: string,
     @Args('email') email: string
   ) {
+    validators.assertValidEmail(email);
     // @see [sendChangeEmail]
     const valid = await this.token.verifyToken(TokenType.VerifyEmail, token, {
       credential: user.id,
@@ -142,11 +157,8 @@ export class AuthResolver {
   async sendChangePasswordEmail(
     @CurrentUser() user: CurrentUser,
     @Args('callbackUrl') callbackUrl: string,
-    @Args('email', {
-      nullable: true,
-      deprecationReason: 'fetched from signed in user',
-    })
-    _email?: string
+    // @deprecated
+    @Args('email', { nullable: true }) _email?: string
   ) {
     if (!user.emailVerified) {
       throw new EmailVerificationRequired();
@@ -168,11 +180,7 @@ export class AuthResolver {
   async sendSetPasswordEmail(
     @CurrentUser() user: CurrentUser,
     @Args('callbackUrl') callbackUrl: string,
-    @Args('email', {
-      nullable: true,
-      deprecationReason: 'fetched from signed in user',
-    })
-    _email?: string
+    @Args('email', { nullable: true }) _email?: string
   ) {
     return this.sendChangePasswordEmail(user, callbackUrl);
   }

packages/backend/server/src/core/auth/service.ts

@@ -5,12 +5,35 @@ import { PrismaClient } from '@prisma/client';
 import type { CookieOptions, Request, Response } from 'express';
 import { assign, pick } from 'lodash-es';
 
-import { Config, MailService, SignUpForbidden } from '../../fundamentals';
+import { Config, EmailAlreadyUsed, MailService } from '../../fundamentals';
 import { FeatureManagementService } from '../features/management';
 import { QuotaService } from '../quota/service';
 import { QuotaType } from '../quota/types';
 import { UserService } from '../user/service';
-import type { CurrentUser } from './session';
+import type { CurrentUser } from './current-user';
+
+export function parseAuthUserSeqNum(value: any) {
+  let seq: number = 0;
+  switch (typeof value) {
+    case 'number': {
+      seq = value;
+      break;
+    }
+    case 'string': {
+      const result = value.match(/^([\d{0, 10}])$/);
+      if (result?.[1]) {
+        seq = Number(result[1]);
+      }
+      break;
+    }
+
+    default: {
+      seq = 0;
+    }
+  }
+
+  return Math.max(0, seq);
+}
 
 export function sessionUser(
   user: Pick<
@@ -25,14 +48,6 @@ export function sessionUser(
   });
 }
 
-function extractTokenFromHeader(authorization: string) {
-  if (!/^Bearer\s/i.test(authorization)) {
-    return;
-  }
-
-  return authorization.substring(7);
-}
-
 @Injectable()
 export class AuthService implements OnApplicationBootstrap {
   readonly cookieOptions: CookieOptions = {
@@ -42,7 +57,7 @@ export class AuthService implements OnApplicationBootstrap {
     secure: this.config.server.https,
   };
   static readonly sessionCookieName = 'affine_session';
-  static readonly userCookieName = 'affine_user_id';
+  static readonly authUserSeqHeaderName = 'x-auth-user';
 
   constructor(
     private readonly config: Config,
@@ -68,7 +83,7 @@ export class AuthService implements OnApplicationBootstrap {
         await this.quota.switchUserQuota(devUser.id, QuotaType.ProPlanV1);
         await this.feature.addAdmin(devUser.id);
         await this.feature.addCopilot(devUser.id);
-      } catch {
+      } catch (e) {
         // ignore
       }
     }
@@ -78,71 +93,58 @@ export class AuthService implements OnApplicationBootstrap {
     return this.feature.canEarlyAccess(email);
   }
 
-  /**
-   * This is a test only helper to quickly signup a user, do not use in production
-   */
-  async signUp(email: string, password: string): Promise<CurrentUser> {
-    if (!this.config.node.test) {
-      throw new SignUpForbidden(
-        'sign up helper is forbidden for non-test environment'
-      );
+  async signUp(
+    name: string,
+    email: string,
+    password: string
+  ): Promise<CurrentUser> {
+    const user = await this.user.findUserByEmail(email);
+
+    if (user) {
+      throw new EmailAlreadyUsed();
     }
 
     return this.user
-      .createUser_without_verification({
+      .createUser({
+        name,
         email,
         password,
       })
       .then(sessionUser);
   }
 
-  async signIn(email: string, password: string): Promise<CurrentUser> {
-    return this.user.signIn(email, password).then(sessionUser);
-  }
+  async signIn(email: string, password: string) {
+    const user = await this.user.signIn(email, password);
 
-  async signOut(sessionId: string, userId?: string) {
-    // sign out all users in the session
-    if (!userId) {
-      await this.db.session.deleteMany({
-        where: {
-          id: sessionId,
-        },
-      });
-    } else {
-      await this.db.userSession.deleteMany({
-        where: {
-          sessionId,
-          userId,
-        },
-      });
-    }
+    return sessionUser(user);
   }
 
   async getUserSession(
-    sessionId: string,
-    userId?: string
+    token: string,
+    seq = 0
   ): Promise<{ user: CurrentUser; session: UserSession } | null> {
-    const sessions = await this.getUserSessions(sessionId);
+    const session = await this.getSession(token);
 
-    if (!sessions.length) {
+    // no such session
+    if (!session) {
       return null;
     }
 
-    let userSession: UserSession | undefined;
+    const userSession = session.userSessions.at(seq);
 
-    // try read from user provided cookies.userId
-    if (userId) {
-      userSession = sessions.find(s => s.userId === userId);
-    }
-
-    // fallback to the first valid session if user provided userId is invalid
+    // no such user session
     if (!userSession) {
-      // checked
-      // eslint-disable-next-line @typescript-eslint/no-non-null-assertion
-      userSession = sessions.at(-1)!;
+      return null;
     }
 
-    const user = await this.user.findUserById(userSession.userId);
+    // user session expired
+    if (userSession.expiresAt && userSession.expiresAt <= new Date()) {
+      return null;
+    }
+
+    const user = await this.db.user.findUnique({
+      where: { id: userSession.userId },
+    });
 
     if (!user) {
       return null;
@@ -151,102 +153,101 @@ export class AuthService implements OnApplicationBootstrap {
     return { user: sessionUser(user), session: userSession };
   }
 
-  async getUserSessions(sessionId: string) {
-    return this.db.userSession.findMany({
+  async getUserList(token: string) {
+    const session = await this.getSession(token);
+
+    if (!session || !session.userSessions.length) {
+      return [];
+    }
+
+    const users = await this.db.user.findMany({
       where: {
-        sessionId,
-        OR: [{ expiresAt: { gt: new Date() } }, { expiresAt: null }],
-      },
-      orderBy: {
-        createdAt: 'asc',
+        id: {
+          in: session.userSessions.map(({ userId }) => userId),
+        },
       },
     });
+
+    // TODO(@forehalo): need to separate expired session, same for [getUser]
+    // Session
+    //   | { user: LimitedUser { email, avatarUrl }, expired: true }
+    //   | { user: User, expired: false }
+    return session.userSessions
+      .map(userSession => {
+        // keep users in the same order as userSessions
+        const user = users.find(({ id }) => id === userSession.userId);
+        if (!user) {
+          return null;
+        }
+        return sessionUser(user);
+      })
+      .filter(Boolean) as CurrentUser[];
   }
 
-  async createUserSession(
-    userId: string,
-    sessionId?: string,
-    ttl = this.config.auth.session.ttl
-  ) {
-    // check whether given session is valid
-    if (sessionId) {
-      const session = await this.db.session.findFirst({
+  async signOut(token: string, seq = 0) {
+    const session = await this.getSession(token);
+
+    if (session) {
+      // overflow the logged in user
+      if (session.userSessions.length <= seq) {
+        return session;
+      }
+
+      await this.db.userSession.deleteMany({
+        where: { id: session.userSessions[seq].id },
+      });
+
+      // no more user session active, delete the whole session
+      if (session.userSessions.length === 1) {
+        await this.db.session.delete({ where: { id: session.id } });
+        return null;
+      }
+
+      return session;
+    }
+
+    return null;
+  }
+
+  async getSession(token: string) {
+    if (!token) {
+      return null;
+    }
+
+    return this.db.$transaction(async tx => {
+      const session = await tx.session.findUnique({
         where: {
-          id: sessionId,
+          id: token,
+        },
+        include: {
+          userSessions: {
+            orderBy: {
+              createdAt: 'asc',
+            },
+          },
         },
       });
 
       if (!session) {
-        sessionId = undefined;
+        return null;
       }
-    }
 
-    if (!sessionId) {
-      const session = await this.createSession();
-      sessionId = session.id;
-    }
-
-    const expiresAt = new Date(Date.now() + ttl * 1000);
-
-    return this.db.userSession.upsert({
-      where: {
-        sessionId_userId: {
-          sessionId,
-          userId,
-        },
-      },
-      update: {
-        expiresAt,
-      },
-      create: {
-        sessionId,
-        userId,
-        expiresAt,
-      },
-    });
-  }
-
-  async getUserList(sessionId: string) {
-    const sessions = await this.db.userSession.findMany({
-      where: {
-        sessionId,
-        OR: [
-          {
-            expiresAt: null,
+      if (session.expiresAt && session.expiresAt <= new Date()) {
+        await tx.session.delete({
+          where: {
+            id: session.id,
           },
-          {
-            expiresAt: {
-              gt: new Date(),
-            },
-          },
-        ],
-      },
-      include: {
-        user: true,
-      },
-      orderBy: {
-        createdAt: 'asc',
-      },
-    });
+        });
 
-    return sessions.map(({ user }) => sessionUser(user));
-  }
+        return null;
+      }
 
-  async createSession() {
-    return this.db.session.create({
-      data: {},
-    });
-  }
-
-  async getSession(sessionId: string) {
-    return this.db.session.findFirst({
-      where: {
-        id: sessionId,
-      },
+      return session;
     });
   }
 
   async refreshUserSessionIfNeeded(
+    _req: Request,
     res: Response,
     session: UserSession,
     ttr = this.config.auth.session.ttr
@@ -280,96 +281,70 @@ export class AuthService implements OnApplicationBootstrap {
     return true;
   }
 
-  async revokeUserSessions(userId: string) {
+  async createUserSession(
+    user: { id: string },
+    existingSession?: string,
+    ttl = this.config.auth.session.ttl
+  ) {
+    const session = existingSession
+      ? await this.getSession(existingSession)
+      : null;
+
+    const expiresAt = new Date(Date.now() + ttl * 1000);
+    if (session) {
+      return this.db.userSession.upsert({
+        where: {
+          sessionId_userId: {
+            sessionId: session.id,
+            userId: user.id,
+          },
+        },
+        update: {
+          expiresAt,
+        },
+        create: {
+          sessionId: session.id,
+          userId: user.id,
+          expiresAt,
+        },
+      });
+    } else {
+      return this.db.userSession.create({
+        data: {
+          expiresAt,
+          session: {
+            create: {},
+          },
+          user: {
+            connect: {
+              id: user.id,
+            },
+          },
+        },
+      });
+    }
+  }
+
+  async revokeUserSessions(userId: string, sessionId?: string) {
     return this.db.userSession.deleteMany({
       where: {
         userId,
+        sessionId,
       },
     });
   }
 
-  getSessionOptionsFromRequest(req: Request) {
-    let sessionId: string | undefined =
-      req.cookies[AuthService.sessionCookieName];
+  async setCookie(_req: Request, res: Response, user: { id: string }) {
+    const session = await this.createUserSession(
+      user
+      // TODO(@forehalo): enable multi user session
+      // req.cookies[AuthService.sessionCookieName]
+    );
 
-    if (!sessionId && req.headers.authorization) {
-      sessionId = extractTokenFromHeader(req.headers.authorization);
-    }
-
-    const userId: string | undefined =
-      req.cookies[AuthService.userCookieName] ||
-      req.headers[AuthService.userCookieName.replaceAll('_', '-')];
-
-    return {
-      sessionId,
-      userId,
-    };
-  }
-
-  async setCookies(req: Request, res: Response, userId: string) {
-    const { sessionId } = this.getSessionOptionsFromRequest(req);
-
-    const userSession = await this.createUserSession(userId, sessionId);
-
-    res.cookie(AuthService.sessionCookieName, userSession.sessionId, {
+    res.cookie(AuthService.sessionCookieName, session.sessionId, {
+      expires: session.expiresAt ?? void 0,
       ...this.cookieOptions,
-      expires: userSession.expiresAt ?? void 0,
     });
-
-    this.setUserCookie(res, userId);
-  }
-
-  async refreshCookies(res: Response, sessionId?: string) {
-    if (sessionId) {
-      const users = await this.getUserList(sessionId);
-      const candidateUser = users.at(-1);
-
-      if (candidateUser) {
-        this.setUserCookie(res, candidateUser.id);
-        return;
-      }
-    }
-
-    this.clearCookies(res);
-  }
-
-  private clearCookies(res: Response<any, Record<string, any>>) {
-    res.clearCookie(AuthService.sessionCookieName);
-    res.clearCookie(AuthService.userCookieName);
-  }
-
-  setUserCookie(res: Response, userId: string) {
-    res.cookie(AuthService.userCookieName, userId, {
-      ...this.cookieOptions,
-      // user cookie is client readable & writable for fast user switch if there are multiple users in one session
-      // it safe to be non-secure & non-httpOnly because server will validate it by `cookie[AuthService.sessionCookieName]`
-      httpOnly: false,
-      secure: false,
-    });
-  }
-
-  async getUserSessionFromRequest(req: Request, res?: Response) {
-    const { sessionId, userId } = this.getSessionOptionsFromRequest(req);
-
-    if (!sessionId) {
-      return null;
-    }
-
-    const session = await this.getUserSession(sessionId, userId);
-
-    if (res) {
-      if (session) {
-        // set user id cookie for fast authentication
-        if (!userId || userId !== session.user.id) {
-          this.setUserCookie(res, session.user.id);
-        }
-      } else if (sessionId) {
-        // clear invalid cookies.session and cookies.userId
-        this.clearCookies(res);
-      }
-    }
-
-    return session;
   }
 
   async changePassword(
@@ -418,16 +393,24 @@ export class AuthService implements OnApplicationBootstrap {
 
   async sendSignInEmail(email: string, link: string, signUp: boolean) {
     return signUp
-      ? await this.mailer.sendSignUpMail(link, {
+      ? await this.mailer.sendSignUpMail(link.toString(), {
           to: email,
         })
-      : await this.mailer.sendSignInMail(link, {
+      : await this.mailer.sendSignInMail(link.toString(), {
           to: email,
         });
   }
 
   @Cron(CronExpression.EVERY_DAY_AT_MIDNIGHT)
   async cleanExpiredSessions() {
+    await this.db.session.deleteMany({
+      where: {
+        expiresAt: {
+          lte: new Date(),
+        },
+      },
+    });
+
     await this.db.userSession.deleteMany({
       where: {
         expiresAt: {

packages/backend/server/src/core/auth/token.ts

@@ -40,48 +40,6 @@ export class TokenService {
     return this.crypto.encrypt(token);
   }
 
-  /**
-   * get token by type
-   *
-   * token will be revoked if expired or keep is not set
-   */
-  async getToken(type: TokenType, token: string, keep?: boolean) {
-    token = this.crypto.decrypt(token);
-    const record = await this.db.verificationToken.findUnique({
-      where: {
-        type_token: {
-          token,
-          type,
-        },
-      },
-    });
-
-    if (!record) {
-      return null;
-    }
-
-    const expired = record.expiresAt <= new Date();
-
-    // always revoke expired token
-    if (expired || !keep) {
-      const deleted = await this.revokeToken(type, token);
-
-      // already deleted, means token has been used
-      if (!deleted.count) {
-        return null;
-      }
-    }
-
-    return !expired ? record : null;
-  }
-
-  /**
-   * get token and verify credential
-   *
-   * if credential is not provided, it will be failed
-   *
-   * token will be revoked if expired or keep is not set
-   */
   async verifyToken(
     type: TokenType,
     token: string,
@@ -111,9 +69,13 @@ export class TokenService {
     const valid =
       !expired && (!record.credential || record.credential === credential);
 
-    // always revoke expired token
-    if (expired || (valid && !keep)) {
-      const deleted = await this.revokeToken(type, token);
+    if ((expired || valid) && !keep) {
+      const deleted = await this.db.verificationToken.deleteMany({
+        where: {
+          token,
+          type,
+        },
+      });
 
       // already deleted, means token has been used
       if (!deleted.count) {
@@ -124,15 +86,6 @@ export class TokenService {
     return valid ? record : null;
   }
 
-  async revokeToken(type: TokenType, token: string) {
-    return await this.db.verificationToken.deleteMany({
-      where: {
-        token,
-        type,
-      },
-    });
-  }
-
   @Cron(CronExpression.EVERY_DAY_AT_MIDNIGHT)
   async cleanExpiredTokens() {
     await this.db.verificationToken.deleteMany({

packages/backend/server/src/core/common/admin-guard.ts

@@ -10,7 +10,7 @@ import {
   ActionForbidden,
   getRequestResponseFromContext,
 } from '../../fundamentals';
-import { FeatureManagementService } from '../features/management';
+import { FeatureManagementService } from '../features';
 
 @Injectable()
 export class AdminGuard implements CanActivate, OnModuleInit {
@@ -25,8 +25,8 @@ export class AdminGuard implements CanActivate, OnModuleInit {
   async canActivate(context: ExecutionContext) {
     const { req } = getRequestResponseFromContext(context);
     let allow = false;
-    if (req.session) {
-      allow = await this.feature.isAdmin(req.session.user.id);
+    if (req.user) {
+      allow = await this.feature.isAdmin(req.user.id);
     }
 
     if (!allow) {