feat: add referral credits, API tiering, and Pro upsell emails

Growth features:
- Referral system: users get unique referral code, earn +5 AI credits per
  signup, credits consumed before daily tier limits in AI rate limiter
- Referral card on account page showing credits, referral count, and link
- Email capture form now passes ref parameter for referral tracking
- API rate limit middleware: 60/hr anonymous, 1,000/hr free key, 10,000/hr Pro
- API key generation/management endpoints (POST/GET/DELETE /me/api-key)
- Pro upsell email: auto-sent when free user hits AI limit (max 1/day)
- Server-side colors.js synced with expanded 3,066 color set

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: JasonYeYuhe

server/ai-rate-limit.js

@@ -2,6 +2,19 @@ const crypto = require("crypto");
 const db = require("./db");
 const { getSessionUser } = require("./auth");
 
+// Lazy-load email to avoid circular deps
+let sendProUpsellEmail = null;
+function getSendProUpsellEmail() {
+  if (!sendProUpsellEmail) {
+    try {
+      sendProUpsellEmail = require("./email").sendProUpsellEmail;
+    } catch {
+      sendProUpsellEmail = () => {};
+    }
+  }
+  return sendProUpsellEmail;
+}
+
 // Limits per tier per day
 const TIER_LIMITS = {
   anonymous: 3,
@@ -30,19 +43,30 @@ function incrementUsage(identifier, date) {
   ).run(identifier, date);
 }
 
+function getUserCredits(userId) {
+  const row = db.prepare("SELECT credits FROM users WHERE id = ?").get(userId);
+  return row ? row.credits : 0;
+}
+
+function consumeCredit(userId) {
+  db.prepare("UPDATE users SET credits = MAX(credits - 1, 0) WHERE id = ?").run(userId);
+}
+
 /**
  * Express middleware that enforces AI generation rate limits.
- * Attaches req.aiTier and req.aiIdentifier for downstream use.
+ * Credits are consumed first before falling back to tier limits.
  * Returns 429 when limit is exceeded.
  */
 function aiRateLimit(req, res, next) {
   const user = getSessionUser(req);
   let tier = "anonymous";
   let identifier;
+  let userId = null;
 
   if (user) {
     tier = user.tier || "free";
     identifier = "user:" + user.id;
+    userId = user.id;
   } else {
     identifier = ipHash(req);
   }
@@ -52,6 +76,35 @@ function aiRateLimit(req, res, next) {
   const used = getUsage(identifier, dateKey);
 
   if (used >= limit) {
+    // Check if user has credits to spend
+    if (userId) {
+      const credits = getUserCredits(userId);
+      if (credits > 0) {
+        consumeCredit(userId);
+        incrementUsage(identifier, dateKey);
+        req.aiTier = tier;
+        req.aiIdentifier = identifier;
+        req.aiUsed = used + 1;
+        req.aiLimit = limit;
+        req.aiCreditsUsed = true;
+        return next();
+      }
+    }
+
+    // Trigger Pro upsell email for free-tier users (max 1/day, fire-and-forget)
+    if (userId && tier === "free") {
+      const upsellKey = `upsell:${userId}`;
+      const alreadySent = getUsage(upsellKey, dateKey);
+      if (alreadySent === 0) {
+        incrementUsage(upsellKey, dateKey);
+        const userRow = db.prepare("SELECT email FROM users WHERE id = ?").get(userId);
+        if (userRow) {
+          const send = getSendProUpsellEmail();
+          if (send) send(userRow.email).catch(() => {});
+        }
+      }
+    }
+
     return res.status(429).json({
       error: "Daily AI generation limit reached.",
       limit: true,

server/api-rate-limit.js

@@ -0,0 +1,89 @@
+const crypto = require("crypto");
+const db = require("./db");
+
+// API rate limits per hour
+const API_TIER_LIMITS = {
+  anonymous: 60,     // No API key, IP-based
+  free: 1000,        // Free API key
+  pro: 10000,        // Pro API key
+};
+
+function ipHash(req) {
+  const ip = req.headers["x-forwarded-for"]?.split(",")[0]?.trim() || req.socket.remoteAddress || "unknown";
+  return "api_ip:" + crypto.createHash("sha256").update(ip).digest("hex").slice(0, 16);
+}
+
+function currentHour() {
+  const d = new Date();
+  return `${d.toISOString().slice(0, 13)}`;
+}
+
+// Reuse ai_usage table with "api:" prefix for identifiers
+function getApiUsage(identifier, hour) {
+  const row = db.prepare("SELECT count FROM ai_usage WHERE identifier = ? AND date = ?").get(identifier, hour);
+  return row ? row.count : 0;
+}
+
+function incrementApiUsage(identifier, hour) {
+  db.prepare(
+    `INSERT INTO ai_usage (identifier, date, count) VALUES (?, ?, 1)
+     ON CONFLICT(identifier, date) DO UPDATE SET count = count + 1`
+  ).run(identifier, hour);
+}
+
+function lookupApiKey(key) {
+  if (!key) return null;
+  return db.prepare("SELECT id, tier FROM users WHERE api_key = ?").get(key);
+}
+
+/**
+ * Express middleware for API rate limiting.
+ * Checks API key from Authorization header or query param.
+ * Sets X-RateLimit-* headers on response.
+ */
+function apiRateLimit(req, res, next) {
+  // Extract API key
+  const authHeader = req.headers.authorization;
+  const key = authHeader?.startsWith("Bearer ") ? authHeader.slice(7) : req.query.api_key;
+
+  let tier = "anonymous";
+  let identifier;
+
+  if (key) {
+    const user = lookupApiKey(key);
+    if (user) {
+      tier = user.tier || "free";
+      identifier = "api_user:" + user.id;
+    } else {
+      return res.status(401).json({ error: "Invalid API key." });
+    }
+  } else {
+    identifier = ipHash(req);
+  }
+
+  const limit = API_TIER_LIMITS[tier] ?? API_TIER_LIMITS.anonymous;
+  const hour = currentHour();
+  const used = getApiUsage(identifier, hour);
+  const remaining = Math.max(0, limit - used);
+
+  // Set rate limit headers
+  res.setHeader("X-RateLimit-Limit", String(limit));
+  res.setHeader("X-RateLimit-Remaining", String(remaining));
+  res.setHeader("X-RateLimit-Reset", new Date(new Date().setMinutes(60, 0, 0)).toISOString());
+
+  if (used >= limit) {
+    res.setHeader("Retry-After", "3600");
+    return res.status(429).json({
+      error: "API rate limit exceeded.",
+      limit,
+      used,
+      tier,
+      retryAfter: 3600,
+    });
+  }
+
+  incrementApiUsage(identifier, hour);
+  return next();
+}
+
+module.exports = { apiRateLimit, API_TIER_LIMITS };

server/colors.js

@@ -1,6 +1,6 @@
 /**
  * Server-side color dataset — mirrors src/data/colors.ts
- * Generates all 2016 colors algorithmically (36 hues × 14 lightness × 4 chroma).
+ * Generates 3,066 colors algorithmically (36 hues × 14 lightness × 6 chroma + 3 neutral groups × 14 lightness).
  */
 
 const hueCatalog = [
@@ -29,8 +29,15 @@ const lightBands = [
 ];
 
 const chromaBands = [
-  { label: "Muted", saturation: 18 }, { label: "Soft", saturation: 34 },
-  { label: "Clear", saturation: 54 }, { label: "Vivid", saturation: 74 },
+  { label: "Faint", saturation: 10 }, { label: "Muted", saturation: 18 },
+  { label: "Soft", saturation: 34 }, { label: "Clear", saturation: 54 },
+  { label: "Vivid", saturation: 74 }, { label: "Pure", saturation: 92 },
+];
+
+const neutralCatalog = [
+  { root: "Warm Gray", hue: 30, saturation: 6 },
+  { root: "Cool Gray", hue: 210, saturation: 6 },
+  { root: "True Gray", hue: 0, saturation: 0 },
 ];
 
 function hslToRgb(hue, saturation, lightness) {
@@ -79,8 +86,8 @@ function createColorId(name) {
   return name.toLowerCase().replace(/[^a-z0-9]+/g, "-").replace(/(^-|-$)/g, "");
 }
 
-// Generate all 2016 colors
-const colors = hueCatalog.flatMap(({ hue, root }) =>
+// Generate chromatic colors (36 × 14 × 6 = 3,024)
+const chromaticColors = hueCatalog.flatMap(({ hue, root }) =>
   lightBands.flatMap(({ label: lightLabel, lightness }) =>
     chromaBands.map(({ label: chromaLabel, saturation }) => {
       const name = `${root} ${lightLabel} ${chromaLabel}`;
@@ -98,6 +105,25 @@ const colors = hueCatalog.flatMap(({ hue, root }) =>
   )
 );
 
+// Generate neutral grays (3 × 14 = 42)
+const neutralColors = neutralCatalog.flatMap(({ root, hue, saturation }) =>
+  lightBands.map(({ label, lightness }) => {
+    const name = `${root} ${label}`;
+    const rgb = hslToRgb(hue, saturation, lightness);
+    return {
+      id: createColorId(name),
+      name,
+      hex: rgbToHex(rgb),
+      hue,
+      saturation,
+      lightness,
+      family: getColorFamily(hue),
+    };
+  })
+);
+
+const colors = [...chromaticColors, ...neutralColors];
+
 // Collection definitions (color IDs only — resolved at runtime)
 const collectionDefs = [
   {

server/db.js

@@ -107,6 +107,11 @@ ensureColumn("subscribers", "cotd_last_sent TEXT");
 
 ensureColumn("users", "tier TEXT DEFAULT 'free'");
 ensureColumn("users", "pro_expires_at TEXT");
+ensureColumn("users", "credits INTEGER DEFAULT 0");
+ensureColumn("users", "referral_code TEXT");
+ensureColumn("users", "api_key TEXT");
+
+ensureColumn("subscribers", "referred_by TEXT");
 
 // AI usage tracking — per user (or IP hash) per day
 db.exec(`

server/email.js

@@ -943,6 +943,43 @@ async function sendCotdEmail(to, color, dateStr) {
   return result;
 }
 
+async function sendProUpsellEmail(email) {
+  if (!resend) return;
+  const result = await resend.emails.send({
+    from: FROM_EMAIL,
+    to: email,
+    subject: "You've hit your daily limit — unlock unlimited AI with Pro",
+    html: `
+      <div style="font-family:-apple-system,BlinkMacSystemFont,'Segoe UI',Roboto,sans-serif;max-width:480px;margin:0 auto;padding:32px 24px;">
+        <p style="color:#1a1a2e;font-size:15px;line-height:1.6;">
+          Hey there,
+        </p>
+        <p style="color:#555;font-size:14px;line-height:1.6;">
+          You've used all your free AI generations for today. That means you're getting real value from ColorArchive — nice!
+        </p>
+        <p style="color:#555;font-size:14px;line-height:1.6;">
+          With <strong>Pro</strong>, you get <strong>unlimited</strong> AI palette generations, exports, WCAG reports, and more — for just $4.99/month.
+        </p>
+        <div style="text-align:center;margin:24px 0;">
+          <a href="https://colorarchive.me/pro" style="display:inline-block;background:#6366f1;color:#fff;padding:12px 28px;border-radius:12px;text-decoration:none;font-weight:600;font-size:14px;">
+            Upgrade to Pro
+          </a>
+        </div>
+        <p style="color:#999;font-size:12px;line-height:1.5;">
+          Your free generations reset tomorrow. Or share your referral link to earn bonus AI credits!
+        </p>
+        <p style="color:#ccc;font-size:11px;margin-top:24px;">
+          ColorArchive · hello@colorarchive.me
+        </p>
+      </div>
+    `,
+  });
+  if (result.error) {
+    console.error("Resend error (pro upsell):", JSON.stringify(result.error));
+  }
+  return result;
+}
+
 module.exports = {
   sendFreePackEmail,
   sendFollowUp3DayEmail,
@@ -955,4 +992,5 @@ module.exports = {
   sendWaitlistConfirmationEmail,
   sendNewsletterIssueAlert,
   sendCotdEmail,
+  sendProUpsellEmail,
 };

server/routes/me.js

@@ -1,4 +1,5 @@
 const express = require("express");
+const crypto = require("crypto");
 const router = express.Router();
 const db = require("../db");
 const {
@@ -148,4 +149,62 @@ router.post("/orders/:orderId/resend", async (req, res) => {
   }
 });
 
+// --- Referral System ---
+
+function ensureReferralCode(userId) {
+  const user = db.prepare("SELECT referral_code FROM users WHERE id = ?").get(userId);
+  if (user.referral_code) return user.referral_code;
+  const code = crypto.randomBytes(4).toString("hex");
+  db.prepare("UPDATE users SET referral_code = ? WHERE id = ?").run(code, userId);
+  return code;
+}
+
+router.get("/referral", (req, res) => {
+  const code = ensureReferralCode(req.user.id);
+  const user = db.prepare("SELECT credits FROM users WHERE id = ?").get(req.user.id);
+
+  // Count referrals
+  const referrals = db
+    .prepare("SELECT COUNT(*) as count FROM subscribers WHERE referred_by = ?")
+    .get(code);
+
+  return res.json({
+    code,
+    credits: user.credits || 0,
+    referrals: referrals.count,
+    link: `https://colorarchive.me/?ref=${code}`,
+  });
+});
+
+router.post("/referral/share", (req, res) => {
+  // Award credits for sharing (best-effort, called when share intent fires)
+  const SHARE_CREDITS = 2;
+  db.prepare("UPDATE users SET credits = credits + ? WHERE id = ?").run(SHARE_CREDITS, req.user.id);
+  const user = db.prepare("SELECT credits FROM users WHERE id = ?").get(req.user.id);
+  return res.json({ ok: true, credits: user.credits });
+});
+
+// --- API Key Management ---
+
+router.get("/api-key", (req, res) => {
+  const user = db.prepare("SELECT api_key FROM users WHERE id = ?").get(req.user.id);
+  return res.json({ apiKey: user.api_key || null });
+});
+
+router.post("/api-key", (req, res) => {
+  const existing = db.prepare("SELECT api_key FROM users WHERE id = ?").get(req.user.id);
+  if (existing.api_key) {
+    return res.json({ apiKey: existing.api_key });
+  }
+
+  const key = `ca_${crypto.randomBytes(16).toString("hex")}`;
+  db.prepare("UPDATE users SET api_key = ? WHERE id = ?").run(key, req.user.id);
+  return res.json({ apiKey: key });
+});
+
+router.delete("/api-key", (req, res) => {
+  db.prepare("UPDATE users SET api_key = NULL WHERE id = ?").run(req.user.id);
+  return res.json({ ok: true });
+});
+
 module.exports = router;

server/routes/subscribe.js

@@ -16,6 +16,7 @@ router.post("/", async (req, res) => {
     cotd = false,
     landingPath,
     referrer,
+    ref,
     utmSource,
     utmMedium,
     utmCampaign,
@@ -70,6 +71,18 @@ router.post("/", async (req, res) => {
         .run(email.trim().toLowerCase());
     }
 
+    // Referral credit: if ref code provided, credit the referrer +5 AI credits
+    const refCode = sanitizeString(ref, 20);
+    if (refCode) {
+      db.prepare("UPDATE subscribers SET referred_by = ? WHERE email = ?")
+        .run(refCode, email.trim().toLowerCase());
+      // Credit the referrer (find user by referral_code)
+      const referrerUser = db.prepare("SELECT id FROM users WHERE referral_code = ?").get(refCode);
+      if (referrerUser) {
+        db.prepare("UPDATE users SET credits = credits + 5 WHERE id = ?").run(referrerUser.id);
+      }
+    }
+
     if (source === "waitlist") {
       await sendWaitlistConfirmationEmail(email);
     } else {