This document is the engineering reference for AXIOM internals: architecture, module contracts, API behavior, data model, runtime configuration, and operational procedures.
AXIOM is a monorepo application composed of:
- `client`: Vite + React application
- `server`: Express API backed by SQL.js (SQLite)
Primary product surfaces:
- Daily command center dashboard
- DSA system with multi-sheet tracking and review scheduling
- OSS contribution intelligence with GitHub OAuth
- GSOC planning and reminders
- Education, interview prep, jobs/posts, and developer community chat
- Profile management and public portfolio route (`/u/:username`)
```mermaid
graph TD
  CLIENT["React Client"] --> API["Express API"]
  CLIENT --> FBSDK["Firebase JS SDK"]
  API --> AUTH["Auth Middleware"]
  AUTH --> FBREST["Firebase Identity Toolkit"]
  API --> DB["SQL.js SQLite"]
  API --> GITHUB["GitHub OAuth + REST"]
  API --> CDN["Cloudinary (optional)"]
  API --> RL["Rate Limiting Layer"]
  RL --> CTRL["Domain Controllers"]
  CTRL --> DB
```
```mermaid
flowchart LR
  A["Browser request"] --> B["Vite /api proxy in dev"]
  B --> C["Express server"]
  C --> D{"Protected route?"}
  D -- "No" --> E["Controller"]
  D -- "Yes" --> F["requireVerifiedUser"]
  F --> G{"Token or local fallback valid?"}
  G -- "No" --> H["401/403"]
  G -- "Yes" --> E
  E --> I["DB + service logic"]
  I --> J["JSON response"]
```
App router is defined in /Users/kammatiaditya/AXIOM/client/src/App.jsx.
Public routes:
- `/`
- `/docs`
- `/pricing`
- `/u/:username`
- `/login`
- `/signup`
Protected routes under /app:
- `/app`: dashboard
- `/app/dsa`: DSA home
- `/app/dsa/:sheetId`: DSA sheet detail
- `/app/oss`
- `/app/gsoc`
- `/app/education`
- `/app/interview`
- `/app/connect`
- `/app/jobs`
- `/app/posts`
- `/app/profile`
- `/app/settings`
React Router v7 future flags are enabled on BrowserRouter:
- `v7_startTransition`
- `v7_relativeSplatPath`
Primary client state modules:
- `useStore` (`client/src/store/useStore.js`): DSA solved state and mutation tracking
- `useDsaData` (`client/src/hooks/useDsaData.js`): catalog + progress aggregation + sheet stats
- `useUserStore` (`client/src/stores/useUserStore.js`): profile hydration with in-flight dedupe and cache semantics
- `AuthContext` (`client/src/contexts/AuthContext.jsx`): Firebase auth lifecycle + backend sync
client/src/lib/api.js includes:
- token acquisition with auth readiness wait
- typed auth errors (`AUTH_MISSING_TOKEN`, `AUTH_INVALID_TOKEN`, `AUTH_EMAIL_MISMATCH`)
- GET request de-duplication
- bounded retry for GET `429`
- global cooldown behavior for burst `429`
- backend unavailable cooldown behavior for proxy/downstream failure
- stale GET response caching for resilience
Server bootstrap in /Users/kammatiaditya/AXIOM/server/index.js applies:
- `helmet`
- read/write rate limiters (configurable)
- `compression`
- `morgan`
- `cors`
- `express.json`
- request sanitation (`sanitizeBody`)
Auth middleware: /Users/kammatiaditya/AXIOM/server/middleware/auth.js.
Key behaviors:
- verifies Firebase bearer tokens via Identity Toolkit API
- derives authoritative identity from token email (`req.authEmail`)
- rejects cross-email access with `403`
- supports explicit local dev fallback behavior via env toggles
Production contract:
- fail-closed token verification
- no unauthenticated bypass behavior
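The contract above can be exercised offline with a small Express-style middleware. This is an added example, not the code in `server/middleware/auth.js`: the factory `makeRequireVerifiedUser`, its `verifyIdToken`, `nodeEnv` and `allowLocalFallback` options, the `fakeRes` helper, the source of the requested email (`:email` or `body.email`) and the use of the client error codes as response bodies are all assumptions.

```javascript
// Added example: Express-style middleware (req, res, next); no framework import needed.
// verifyIdToken is injected (hypothetical); a real one would wrap the Identity Toolkit call.
function makeRequireVerifiedUser({ verifyIdToken, nodeEnv, allowLocalFallback = false }) {
  // Fallback is honoured only outside production, and only when explicitly enabled.
  const fallbackAllowed = allowLocalFallback && nodeEnv !== 'production';
  const normalize = (v) => (typeof v === 'string' ? v.trim().toLowerCase() : '');

  return async function requireVerifiedUser(req, res, next) {
    const deny = (status, code) => res.status(status).json({ error: code });
    // Email the caller is asking about (assumed to arrive as :email or body.email).
    const requested = normalize((req.params && req.params.email) || (req.body && req.body.email));

    const header = (req.headers && req.headers.authorization) || '';
    const match = /^Bearer\s+(\S+)$/i.exec(header);
    if (!match) {
      if (fallbackAllowed && requested) {
        req.authEmail = requested; // dev only: identity is unverified
        return next();
      }
      return deny(401, 'AUTH_MISSING_TOKEN');
    }

    let tokenEmail = '';
    try {
      const claims = await verifyIdToken(match[1]);
      tokenEmail = normalize(claims && claims.email);
    } catch (err) {
      tokenEmail = ''; // verifier error or outage: fail closed below
    }
    if (!tokenEmail) return deny(401, 'AUTH_INVALID_TOKEN');

    // Token email is authoritative; the URL or body never overrides it.
    if (requested && requested !== tokenEmail) return deny(403, 'AUTH_EMAIL_MISMATCH');

    req.authEmail = tokenEmail;
    return next();
  };
}

// Constructed stand-in for an Express response, used to exercise the middleware offline.
function fakeRes() {
  return {
    statusCode: 200, body: null,
    status(code) { this.statusCode = code; return this; },
    json(payload) { this.body = payload; return this; },
  };
}
```

Controllers downstream should read `req.authEmail` rather than the `:email` parameter, so a later code path cannot reintroduce the cross-email access the middleware rejects.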
Limiter is split by request class:
- read limiter for `GET`/`HEAD`/`OPTIONS`
- write limiter for mutating methods
Key controls:
- `ENABLE_DEV_RATE_LIMIT`
- `ALLOW_LOCAL_RATE_LIMIT_BYPASS`
- `DISABLE_RATE_LIMIT`
/health includes limiter diagnostics in non-production mode.
Purpose:
- consolidated daily command center for DSA and OSS momentum
Main endpoints:
- `GET /api/progress/dashboard/:email`
- `GET /api/progress/heatmap/:email?days=365&tz=<IANA>`
- `GET /api/progress/focus/:email?limit=<n>&tz=<IANA>`
Notable behaviors:
- heatmap uses DSA solved counts per day
- focus limit is enforced server-side by plan entitlement
Routes:
- `GET /api/progress/catalog` (public)
- `GET /api/progress/:email`
- `POST /api/progress/problem`
- `GET /api/progress/problem-meta/:email`
- `POST /api/progress/problem-meta`
- `GET /api/progress/review/:email`
- `POST /api/progress/review/complete`
- `GET /api/progress/heatmap/:email`
Catalog characteristics:
- 3 sheets: Love 450, Striver SDE, Striver A2Z
- 99 topics, 1096 entries
- deterministic problem IDs
- legacy ID compatibility map
Data integrity behaviors:
- solve operation auto-seeds journal row (if missing)
- unsolve path canonicalizes aliases and cleans review/journal consistency
- streaks are recomputed from solved history by day keys
- study-time aggregation is delta-based from journal updates
Routes:
- `GET /api/oss/github/connect-url`
- `GET /api/oss/github/callback`
- `GET /api/oss/github/profile/:email`
- `GET /api/oss/sync-status/:email`
- `POST /api/oss/sync/:email`
- `POST /api/oss/github/disconnect`
- `GET /api/oss/contributions/:email`
- `GET /api/oss/activity/:email`
- `GET /api/oss/issue/:email`
Behavior:
- OAuth callback triggers initial sync workflow
- contribution summaries and PR history are persisted for dashboarding
- issue recommendation logic combines skill and DSA signal sources
Routes:
- `GET /api/gsoc/timeline`
- `GET /api/gsoc/orgs`
- `GET /api/gsoc/readiness/:email`
- `GET /api/gsoc/reminders/:email?includeDismissed=true|false`
- `POST /api/gsoc/reminders/dismiss`
- `POST /api/gsoc/reminders/restore`
Behavior:
- readiness score combines DSA and OSS metrics
- reminders support active + dismissed state management
Routes:
- `GET /api/chat/channels`
- `POST /api/chat/channels`
- `GET /api/chat/messages/:channelId`
- `GET /api/chat/messages/:channelId/new`
- `POST /api/chat/messages`
- `DELETE /api/chat/messages/:id`
- `GET /api/chat/channels/:channelId/members`
- `POST /api/chat/channels/:channelId/invite`
- `POST /api/chat/channels/:channelId/members/remove`
- `GET /api/chat/online`
Private room model:
- owner + accepted members can read/write private channels
- non-members are denied
Education:
- `GET /api/education/catalog` (public)
- `GET /api/education/progress/:email`
- `POST /api/education/watched`
- `POST /api/education/progress`
- `GET /api/education/topics/:email`
- `GET /api/education/recent/:email`
Interview:
- `GET /api/interview/resources` (public)
- `GET /api/interview/progress/:email`
- `POST /api/interview/resources/:id/complete`
Jobs:
- listing endpoints are public
- user save/apply endpoints are protected
Posts:
- public feed and comments
- protected vote/save/comment/create actions
Settings:
- `GET /api/settings/:email`
- `POST /api/settings`
- `POST /api/settings/theme`
- `POST /api/settings/notifications`
Users:
- `GET /api/users/public/:username` (public)
- protected profile, ATS, username updates, create-or-get user
Core schema file:
/Users/kammatiaditya/AXIOM/server/migrations/001_sqlite_schema.sql
Runtime schema backfills:
/Users/kammatiaditya/AXIOM/server/config/db.js
| Domain | Tables |
|---|---|
| Identity/Profile | users, user_settings |
| DSA | solved_problems, dsa_problem_journal, user_progress, user_activity |
| OSS | github_connections, github_pull_requests, github_contribution_daily, good_first_issue_cache |
| GSOC | gsoc_reminder_state |
| Education | education_progress |
| Interview | interview_resources, user_interview_progress |
| Community | chat_channels, chat_room_members, chat_messages, posts, post_comments, post_interactions |
| Jobs | jobs, saved_jobs, applied_jobs |
`npm run dev:safe`
- `NODE_ENV=development`
- local rate-limit bypass enabled
- dev rate-limit disabled

`npm run dev:strict`
- `NODE_ENV=development`
- local bypass disabled
- dev throttling enabled

- startup fails when Firebase API key is missing
- production auth is fail-closed
- rate limiting is active and split by method class
```mermaid
sequenceDiagram
  participant UI as "Client"
  participant FB as "Firebase Auth"
  participant API as "API /api/users"
  participant DB as "SQLite"
  UI->>FB: "Sign in"
  FB-->>UI: "idToken + user"
  UI->>API: "POST /api/users (Bearer token)"
  API->>DB: "Upsert user"
  DB-->>API: "User row"
  API-->>UI: "User profile payload"
```
```mermaid
sequenceDiagram
  participant UI as "DSA Sheet UI"
  participant API as "POST /api/progress/problem"
  participant DB as "SQLite"
  participant DASH as "Dashboard/Heatmap Fetch"
  UI->>API: "Toggle problem solved"
  API->>DB: "Canonicalize id + upsert/delete solved row"
  API->>DB: "Sync journal/activity/streak snapshot"
  API-->>UI: "Updated solvedProblems"
  DASH->>API: "GET /api/progress/heatmap/:email"
  API->>DB: "Aggregate daily solved counts"
  API-->>DASH: "rows + timezone + date range"
```
Common API statuses:
- `200`: success
- `400`: validation/input errors
- `401`: missing or invalid token
- `403`: authenticated user/email mismatch
- `404`: route not found
- `429`: rate limited
- `500`: internal error
Client-side resilience patterns:
- no silent mutation retries for non-idempotent writes
- GET retry limited to one attempt for transient `429`
- global cooldown to avoid request storms
- stale data fallback when live fetch is temporarily blocked
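The GET-side patterns listed here and under `client/src/lib/api.js` can be combined in one wrapper. This is an added example, not the project's `api.js`: `makeResilientGet`, its injected `fetchImpl`, `now` and `sleep` parameters, the delay values and the reason codes are assumptions. It covers GET only; writes are deliberately left out so they are never retried.

```javascript
// Added example: GET wrapper with in-flight de-duplication, one retry on 429,
// a global cooldown, and stale-response fallback. All names here are hypothetical.
function makeResilientGet({ fetchImpl, now = Date.now, cooldownMs = 5000, retryDelayMs = 250,
  sleep = (ms) => new Promise((resolve) => setTimeout(resolve, ms)) }) {
  const inFlight = new Map(); // url -> pending promise (de-duplication)
  const lastGood = new Map(); // url -> last successful payload (stale cache)
  let cooldownUntil = 0;      // global: no network calls before this time

  // Serve the last good payload if there is one, otherwise surface a typed error.
  const stale = (url, reason) => {
    if (lastGood.has(url)) return { data: lastGood.get(url), stale: true, reason };
    const err = new Error(reason);
    err.code = reason;
    throw err;
  };
  const backOff = (url, reason) => {
    cooldownUntil = now() + cooldownMs;
    return stale(url, reason);
  };

  async function load(url) {
    if (now() < cooldownUntil) return stale(url, 'COOLDOWN');
    let res = await fetchImpl(url);
    if (res.status === 429) { // exactly one retry, then back off globally
      await sleep(retryDelayMs);
      res = await fetchImpl(url);
      if (res.status === 429) return backOff(url, 'RATE_LIMITED');
    }
    if (res.status >= 500) return backOff(url, 'BACKEND_UNAVAILABLE');
    if (res.status !== 200) {
      const err = new Error('HTTP ' + res.status);
      err.status = res.status; // 401/403 are never masked by stale data
      throw err;
    }
    const data = await res.json();
    lastGood.set(url, data);
    return { data, stale: false };
  }

  return function get(url) {
    if (inFlight.has(url)) return inFlight.get(url); // share the pending request
    const pending = load(url).finally(() => inFlight.delete(url));
    inFlight.set(url, pending);
    return pending;
  };
}
```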
```bash
cd /Users/kammatiaditya/AXIOM
npm run dev:server
npm run dev:client
```

```bash
cd /Users/kammatiaditya/AXIOM/server && npm run smoke
cd /Users/kammatiaditya/AXIOM/client && npm run lint && npm run build
```

- API root: `http://localhost:3000/`
- API health: `http://localhost:3000/health`
- Client: `http://localhost:5173/`
- verify Firebase env values in client
- verify server Firebase key exists
- verify request email matches signed-in token email
- confirm local fallback settings if intentionally developing without token verification
- run backend in `dev:safe`
- avoid strict mode unless intentionally load-testing limiter behavior
- inspect `/health` limiter diagnostics in non-production mode
- confirm backend process is running
- inspect server logs for controller stack trace
- run smoke test to isolate contract regression
- verify auth sync and profile store dedupe are active
- ensure backend is healthy before opening multiple protected pages in parallel
- verify no stale remote `VITE_API_URL` is forcing unreachable backend in dev
- `npm run check` passes from repo root
- backend auth behavior validated (`401`, `403`, and success paths)
- dashboard and DSA heatmaps reflect solved changes
- OSS connect/sync/disconnect roundtrip validated
- GSOC reminder dismiss/restore validated
- no disconnected routes/assets remain