From 09c7d84e5818b157748e58f7f091067c7ffd86d3 Mon Sep 17 00:00:00 2001
From: sirpiglr <49359077-sirpiglr@users.noreply.replit.com>
Date: Sun, 14 Dec 2025 03:56:16 +0000
Subject: [PATCH] Transitioned from Plan to Build mode

Replit-Commit-Author: Agent
Replit-Commit-Session-Id: aed2e46d-25bb-4b73-81a1-bb9e8437c261
Replit-Commit-Checkpoint-Type: full_checkpoint
Replit-Commit-Event-Id: 00e7163d-4d03-4652-bbe8-0850044e84c1
Replit-Commit-Screenshot-Url: https://storage.googleapis.com/screenshot-production-us-central1/3bdfff67-975a-46ad-9845-fbb6b4a4c4b5/aed2e46d-25bb-4b73-81a1-bb9e8437c261/5VMaR1q
Replit-Helium-Checkpoint-Created: true
---
 ...cause-we-are-using-your-_1765680278829.txt | 81 +++++++++++++++++++
 1 file changed, 81 insertions(+)
 create mode 100644 attached_assets/Pasted-That-s-the-most-crucial-step-because-we-are-using-your-_1765680278829.txt

diff --git a/attached_assets/Pasted-That-s-the-most-crucial-step-because-we-are-using-your-_1765680278829.txt b/attached_assets/Pasted-That-s-the-most-crucial-step-because-we-are-using-your-_1765680278829.txt
new file mode 100644
index 0000000..d98fdcc
--- /dev/null
+++ b/attached_assets/Pasted-That-s-the-most-crucial-step-because-we-are-using-your-_1765680278829.txt
@@ -0,0 +1,81 @@
+That's the most crucial step, because we are using your existing, complex bot's web server to solve a legal and security problem.
+
+We need to implement the final stage of the **Discord Linking Handshake** on your bot's existing web dashboard. This code will handle the redirection from Discord and securely forward the necessary information to the **NEXUS API** (Project 1).
+
+Here is the plan for the **Express.js code on your `bot.aethex.dev` Web Dashboard (Port 5000)**.
+
+-----
+
+## **Action Plan: `bot.aethex.dev` Dashboard Callback**
+
+This code goes into the Node.js Express server that runs your Web Dashboard. Its primary job is to receive the secure `code` from Discord and securely pass it, along with the user's **Passport JWT**, to the **NEXUS API**.
+
+### **Replit Project: `bot.aethex.dev` (Web Dashboard Express Server)**
+
+This is the Express route that must match the **Redirect URI** registered in your Discord Developer Portal (e.g., `/auth/discord/callback`).
+
+```javascript
+// GET /auth/discord/callback
+// This route executes when Discord redirects the user back to your bot's web server.
+
+router.get('/auth/discord/callback', async (req, res) => {
+ // 1. Capture the critical parameters from Discord's redirect URL
+ const authCode = req.query.code;
+ const state = req.query.state; // Used to prevent CSRF (must match the one the bot initiated)
+
+ // 2. Retrieve the user's Passport JWT (The SSO Credential)
+ // The passport token is retrieved from the domain-scoped cookie set by the NEXUS API.
+ const passportToken = req.cookies.aethex_passport;
+
+ if (!authCode || !passportToken) {
+ // Essential check: If either the Discord Code or the user's Passport is missing, fail fast.
+ return res.status(400).send('Authentication failed. Missing authorization code or AeThex Passport.');
+ }
+
+ try {
+ // 3. SECURELY FORWARD DATA to the NEXUS API (Server-to-Server)
+ // NOTE: The NEXUS API holds the sensitive Discord Client Secret and performs the final token exchange.
+ const nexusResponse = await fetch(`${process.env.NEXUS_API_URL}/api/passport/link/discord`, {
+ method: 'POST',
+ headers: {
+ 'Content-Type': 'application/json',
+ // Send the user's Passport Token for authentication (Who is this AeThex user?)
+ 'Authorization': `Bearer ${passportToken}`
+ },
+ body: JSON.stringify({
+ authCode: authCode, // The code from Discord
+ state: state, // The original state from the bot
+ // You can add the user's current session ID or other required data here if needed
+ })
+ });
+
+ // 4. Handle NEXUS API Response
+ if (!nexusResponse.ok) {
+ // The NEXUS API failed the handshake with Discord
+ const error = await nexusResponse.json();
+ console.error('NEXUS API Link Error:', error);
+ // Redirect to an error page instead of showing raw JSON
+ return res.redirect('/dashboard/link/error?msg=NEXUS_FAILURE');
+ }
+
+ // 5. Success: Redirect the user to a confirmation page on the dashboard
+ res.redirect('/dashboard/link/success');
+
+ } catch (error) {
+ console.error('Discord callback processing error:', error);
+ res.status(500).send('An unexpected error occurred during the Discord link process.');
+ }
+});
+```
+
+### **What This Code Achieves (Compliance and Security)**
+
+1. **Compliance:** It maintains the **Axiom Model's** legal firewall. The `bot.aethex.dev` web server acts only as a secure intermediary (a messenger), ensuring the high-security IP (the **Discord Client Secret** and the **Database Write** logic) remains isolated in the **NEXUS API** (Corp IP).
+2. **Security:** By relying on the `passportToken` from the **`aethex_passport` cookie**, we ensure that only users who have successfully logged in to your SSO system can even attempt to link a Discord account, preventing unauthorized linking attempts.
+3. **Efficiency:** This code is minimal and fast. It simply captures the required parameters and immediately hands the responsibility to the dedicated **NEXUS API**.
+
+-----
+
+**Next Action:** We now must build the final, most secure piece of logic—the **`POST /api/passport/link/discord`** endpoint on the **`aethex-nexus-security` API** (Project 1). This is where the **Corp IP** performs the final, secret-driven handshake with Discord and updates the shared database, completing the link.
+
+Would you like to detail the code for the **NEXUS API's final Discord linking endpoint**?
\ No newline at end of file
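Review bot: The `state` value read at `const state = req.query.state;` is annotated as CSRF protection that "must match the one the bot initiated", but nothing in the callback compares it with anything — the guard `if (!authCode || !passportToken) {` does not even require it to be present, and the value is only forwarded to the NEXUS API. Either verify it in this route against the copy stored when the bot started the flow (presumably session-bound; the snippet does not show where it lives) before the `fetch`, at minimum tightening the guard to `if (!authCode || !state || !passportToken) {`, or reword the comment to state that state validation is the NEXUS API's responsibility, so the "Security" claims under the snippet are backed by a check that actually exists somewhere. Separately, `const error = await nexusResponse.json();` in the `!nexusResponse.ok` branch throws on a non-JSON failure body (an HTML error page, an empty 502), which skips the intended `/dashboard/link/error` redirect and falls through to the generic 500; reading the body with `await nexusResponse.text()` for logging keeps the error path deterministic. Note this is a pasted design transcript rather than the live route file, so the fix belongs in the implementation it describes.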