diff --git a/.build.hash b/.build.hash
index deeecf0..b81397b 100644
--- a/.build.hash
+++ b/.build.hash
@@ -1 +1 @@
-b5aad6117f63426726be6ae9a07e5aaa938f14ff-372bcf506971f56c4911b429b9f5de5bc37ed008-e9eccd451b778829eb2f2c9752c670b707e1268b
+33fb91d4b60b7f14d236f83e44c9db42fa1d440f-372bcf506971f56c4911b429b9f5de5bc37ed008-e9eccd451b778829eb2f2c9752c670b707e1268b
diff --git a/backend/server1.js b/backend/server1.js
index 9e5277f..9ea454e 100755
--- a/backend/server1.js
+++ b/backend/server1.js
@@ -811,14 +811,21 @@ app.post('/api/auth/verify/email/confirm', requireAuth, verifyConfirmLimiter, as
------------------------------------------------------------------ */
app.post('/api/auth/verify/phone/send', requireAuth, verifySendLimiter, async (req, res) => {
try {
- const { phone_e164 } = req.body || {};
+ const { phone_e164, consent } = req.body || {};
if (!phone_e164 || !/^\+1\d{10}$/.test(phone_e164)) {
return res.status(400).json({ error: 'Phone must be +1 followed by 10 digits' });
}
- // persist/overwrite phone on file
- await (pool.raw || pool).query('UPDATE user_profile SET phone_e164=? WHERE id=?', [phone_e164, req.userId]);
+ if (!consent) return res.status(400).json({ error: 'consent_required' });
+ /// persist phone + record explicit consent using existing flag
+ await (pool.raw || pool).query(
+ 'UPDATE user_profile SET phone_e164=?, sms_opt_in=1 WHERE id=?',
+ [phone_e164, req.userId]
+ );
const code = String(Math.floor(100000 + Math.random() * 900000));
- await sendSMS({ to: phone_e164, body: `AptivaAI security code: ${code}. Expires in 10 minutes.` });
+ await sendSMS({
+ to: phone_e164,
+ body: `AptivaAI code: ${code}. Expires in 10 minutes. Reply STOP to cancel, HELP for help.`
+ });
// store short-lived challenge in HttpOnly cookie (10 min)
const tok = jwt.sign({ sub: String(req.userId), prp: 'verify_phone', code }, JWT_SECRET, { expiresIn: '10m' });
@@ -852,7 +859,11 @@ app.post('/api/auth/verify/phone/confirm', requireAuth, verifyConfirmLimiter, as
res.clearCookie('aptiva_phone_vc', sessionCookieOptions());
return res.status(200).json({ ok: !!r?.affectedRows });
} catch (e) {
- console.error('[verify/phone/confirm]', e?.message || e);
+ if (String(e?.code) === '21610') { // Twilio: user replied STOP
+ try { await (pool.raw || pool).query('UPDATE user_profile SET sms_opt_in=0 WHERE id=?', [req.userId]); } catch {}
+ return res.status(409).json({ error: 'user_opted_out' });
+ }
+ console.error('[verify/phone/send]', e?.message || e);
return res.status(500).json({ error: 'Failed to confirm phone' });
}
});
diff --git a/backend/server3.js b/backend/server3.js
index 6903bcf..afda958 100644
--- a/backend/server3.js
+++ b/backend/server3.js
@@ -208,6 +208,9 @@ const EXEMPT_PATHS = [
// server3
/^\/api\/premium\/resume\/optimize$/, // multer (multipart/form-data)
/^\/api\/premium\/stripe\/webhook$/, // Stripe (express.raw)
+ // Twilio webhooks (form-encoded)
+ /^\/api\/auth\/sms\/inbound$/,
+ /^\/api\/auth\/sms\/status$/
// add others if truly needed
];
@@ -681,6 +684,30 @@ app.use(helmet({ contentSecurityPolicy:false, crossOriginEmbedderPolicy:false })
app.use(express.json({ limit: '5mb' }));
+// --- Twilio webhooks ---
+const twilioForm = express.urlencoded({ extended: false });
+
+app.post('/api/auth/sms/inbound', twilioForm, async (req, res) => {
+ const body = String(req.body?.Body || '').trim().toUpperCase();
+ if (body === 'HELP') {
+ const twiml = `AptivaAI: Help with SMS. Email admin@aptivaai.com. Msg&Data rates may apply. Reply STOP to cancel. AptivaAI – A2P 10DLC Campaign Verification
+
+
+
+ AptivaAI – A2P 10DLC Campaign Verification
+ Last updated: Sep 13, 2025
+
+ Program & Use Case
+
+
Program name: AptivaAI Reminders
+
Use case: Two-Factor Authentication (2FA) / account security only. No marketing or promotional content.
+
+ Frequency: varies by user activityFees: Message & data rates may applyOpt-out: Reply STOP to cancel; HELP for helpContact: support@aptivaai.com
+
Call to Action (CTA) & Consent
+ Users opt in inside their account by entering a mobile number, checking a non-prechecked consent box linking to our
+ SMS Terms , Privacy Policy , and
+ Terms , then requesting an SMS code. We verify number ownership with a one-time passcode before enabling SMS.
+
+
+
+ In-app CTA and consent (verify screen)
+
+
+ Public SMS Terms: fees, frequency, STOP/HELP, contact, links
+
+
Message Flow (2FA)
+
+ User toggles SMS and requests a code (after checking consent).
+ We send a one-time passcode; user enters it to verify the number.
+ User may reply STOP any time to opt out; START re-subscribes; HELP returns support info.
+
+
+ Sample Messages
+
+
All samples include brand and opt-out/help language; no shortened links or phone numbers in 2FA content.
+
+ AptivaAI code: 123456. Expires in 10 minutes. Reply STOP to cancel, HELP for help.AptivaAI sign-in code: 654321. If you didn’t request this, change your password.AptivaAI password reset code: 112233. Expires in 10 minutes. Reply STOP to cancel.
+
STOP/HELP Handling
+
+ STOP: Delivery is blocked and we mark the user opted-out. Users can re-enable via START or account settings.HELP: We respond with: “AptivaAI: For help email support@aptivaai.com. Msg&Data rates may apply. Reply STOP to cancel.”
+
+ Public Policies
+
+
+ Screenshots for Vetting
+ High-resolution screenshots are hosted here for reviewers:
+
+
+ Consent checkbox (non-prechecked) linking to policies
+
+
+ Example OTP SMS
+
+
Carriers are not liable for delayed or undelivered messages.
+
+
diff --git a/public/legal/privacy/index.html b/public/legal/privacy/index.html
new file mode 100644
index 0000000..ac5d9a9
--- /dev/null
+++ b/public/legal/privacy/index.html
@@ -0,0 +1,14 @@
+
+Privacy – AptivaAI
+
+Privacy Policy
+We collect account information (name, email), an optional phone number to enable SMS, and usage data. We use this information to provide and secure the service, including sending SMS you enable (e.g., verification codes). We share data with processors under contracts that limit use to our instructions. You can opt out of SMS by replying STOP .
+Contact: support@aptivaai.com
+Last updated: Sep 13, 2025
diff --git a/public/legal/terms/index.html b/public/legal/terms/index.html
new file mode 100644
index 0000000..eeb5995
--- /dev/null
+++ b/public/legal/terms/index.html
@@ -0,0 +1,13 @@
+
+Terms – AptivaAI
+
+Terms of Service
+The service is provided “as is.” Liability is limited to fees paid in the prior 12 months. If you enable SMS, you consent to receive 2FA/security texts as described in the SMS Terms . Message & data rates may apply. Reply STOP to cancel, HELP for help.
+Last updated: Sep 13, 2025
diff --git a/public/sms-consent.html b/public/sms-consent.html
deleted file mode 100644
index 969ca10..0000000
--- a/public/sms-consent.html
+++ /dev/null
@@ -1,15 +0,0 @@
-SMS Consent & Opt-In Terms
-
-
-When you check the box “Send me SMS task-reminder texts (standard rates apply)” during Premium
-onboarding, you agree to receive recurring, automated text messages from AptivaAI at the phone number
-you provided. Message frequency depends on your task schedule. Message and data rates may apply.
-
-
-
-Reply STOP at any time to cancel, or HELP for help. You can also toggle SMS
-reminders off inside your account settings. For more details, see our
-Privacy Policy and Terms of Service .
-
-
-Questions? Email support@aptiva.com.
diff --git a/public/sms/index.html b/public/sms/index.html
new file mode 100644
index 0000000..67ff8ad
--- /dev/null
+++ b/public/sms/index.html
@@ -0,0 +1,20 @@
+
+AptivaAI SMS Terms
+
+SMS Consent & Opt-In Terms
+When you check the box “Send me SMS texts” in your account, you agree to receive account security and verification messages from AptivaAI at the number you provide. Message frequency varies. Message & data rates may apply.
+
+ Opt-in: Enable SMS in your account and verify your number.Opt-out: Reply STOP to cancel. Reply HELP for help.Support: support@aptivaai.com Carriers: Not liable for delayed or undelivered messages.
+See our Privacy Policy and Terms of Service .
+Last updated: Sep 13, 2025
diff --git a/src/components/Verify.js b/src/components/Verify.js
index 53aca63..8bd46f9 100644
--- a/src/components/Verify.js
+++ b/src/components/Verify.js
@@ -45,10 +45,15 @@ export default function Verify() {
if (sendingSms) return;
setSendingSms(true);
try {
- await api.post('/api/auth/verify/phone/send', { phone_e164: phone });
+ await api.post('/api/auth/verify/phone/send', { phone_e164: phone, consent: smsConsent });
setMsg('SMS code sent.');
- } catch {
- setMsg('Could not send SMS code.');
+ } catch (e) {
+ const err = e?.response?.data?.error || '';
+ setMsg(err === 'consent_required'
+ ? 'Please check the consent box first.'
+ : err === 'user_opted_out'
+ ? 'This number opted out by replying STOP. Text START to re-enable, then try again.'
+ : 'Could not send SMS code.');
} finally {
// re-enable after 30s; avoids hammering the endpoint
setTimeout(() => setSendingSms(false), 30000);
@@ -120,10 +125,14 @@ export default function Verify() {
checked={smsConsent}
onChange={e => setSmsConsent(e.target.checked)}
/>
-
- By requesting a code, you agree to receive one-time security texts from AptivaAI to verify your account.
- Reply STOP to opt out. Msg & data rates may apply.
+
+ By requesting a code, you agree to the{' '}
+ SMS Terms ,{' '}
+ Privacy Policy ,{' '}
+ and Terms .{' '}
+ Reply STOP to opt out. Msg & data rates may apply.
+
+ 
+ 
+ 
+