Mako Refinery
AI-powered content and commerce platform with WebAuthn auth, USPS-rate checkout, and an OpenRouter-driven AI assistant.
Mako Refinery is a full e-commerce + content platform — passkey auth, OpenRouter-backed AI chat with credit metering, products / orders / coupons / tax groups / lab reports, USPS-integrated shipping zones, payment-method configuration, an articles / news CMS, age-verification gating, and a maintenance-mode kill switch with auto-reopen. Python backend, React SPA, deployable as a branded vertical store.
- Python
- React
- Vite
- TypeScript
- WebAuthn
- OpenRouter
- USPS API
- Postmark
- PWA manifest
Mako Refinery is a content-and-commerce platform built for branded vertical storefronts that need more than a Shopify theme — passkey auth on the customer side, OpenRouter-driven AI chat with per-user credit metering, real USPS rate calculation at checkout, age-verified product gates, lab-report attachments per batch, and a full articles CMS so the same instance ships the storefront, the marketing site, and the back-office tooling.
Customer-facing
- Passkey-first auth. WebAuthn is the primary login path; the autofill ceremony surfaces saved credentials on supported browsers, and the fallback flow still works on browsers that don't.
- Storefront with category browsing — All Products, sub-categories, filtering, age-gated detail pages, product images, lab reports, batch numbers.
- USPS-integrated checkout. Shipping zones define geographical bands; carriers and services define rate options; the cart calls the live USPS API at checkout and shows real numbers, with configurable markup. Fallback rates kick in when the API is unavailable.
- AI chat assistant available to logged-in customers — OpenRouter under the hood, multi-model support, credit metering, "AI is typing" status, persistent conversations.
Admin / operator surface
- Dashboard, products, orders, articles, lab reports, tax groups, coupons — full CRUD on every merchandising primitive.
- Shipping configurator — carriers (UPS, USPS, custom), services per carrier, geographical zones, pricing markup, USPS API credential management.
- Payment methods — bank wire, card, custom payment instructions, per-method enable/disable.
- Site controls — basic info + branding, maintenance-mode toggle with custom message and auto-reopen schedule, registration toggles, contact email.
- AI model management — add models, adjust per-user credits, test connections, configure OpenRouter API keys, monitor usage limits.
- Mail system — Postmark API key management, transactional email configuration.
How it's wired
Backend is Python on the server, exposing a JSON API and the WebAuthn ceremonies. Frontend is a React + Vite + TypeScript SPA — single bundle, PWA manifest, standalone display, theme-aware. The deploy is a Vite build dropped behind a reverse proxy with the API on the same host. AI traffic flows through OpenRouter so the platform isn't locked to a single model vendor.
Why "Mako Refinery"
Mako Refinery exists because vertical storefronts (the THCa-style "regulated-product, lab-report-required, age-gated, branded experience" pattern) keep needing the same five integrations — passkeys, real shipping rates, lab-report attachments, AI customer support, and an articles CMS — and none of the off-the-shelf cart frameworks ship all five cleanly. Mako Refinery is what we point at that pattern when a client shows up needing the whole stack.
Straight from the source
The project's own README.
Rendered in place — every link, image, and code block carried over from the repo. The page below is what a contributor would see opening the project for the first time.
Security screen redacted 1 line flagged as potential secrets before publishing.
🛠️ Mako Refinery
A secure, modern AI chat platform featuring passwordless authentication and access to 28+ free AI models. Built with security-first principles and cutting-edge web technologies.
🌟 Features
🔐 Security First
- WebAuthn Passkeys - No passwords, just biometrics and hardware keys
- Zero-Knowledge Architecture - Your data stays yours
- Security Headers - CSRF, XSS, and clickjacking protection
- Encrypted Storage - All sensitive data encrypted at rest
🤖 AI-Powered
- 28+ Free AI Models - Qwen3, DeepSeek R1, Gemma 2, Llama 3.2, and more
- Real-time Streaming - Live responses as they're generated
- Context Aware - Maintains conversation history
- Model Switching - Choose the right AI for each task
🎨 Modern Experience
- Responsive Design - Perfect on desktop, tablet, and mobile
- Dark/Light Themes - Automatic preference detection
- Admin Dashboard - Complete user and system management
- Developer Tools - Comprehensive debugging utilities
🚀 Quick Start
For Users
- Visit https://makorefinery.com
- Register with your passkey (first user becomes admin)
- Start chatting with 28+ free AI models
- Optionally add a passphrase for additional security
For Developers
# Check system status
./scripts/dev-tools.sh db-inspect stats
# Start development server
./scripts/dev-tools.sh start
# Create test admin user
./scripts/dev-tools.sh backdoor
# View all available tools
./scripts/dev-tools.sh
📊 Current Status
- ✅ Core Application - Next.js 15 with App Router, fully configured
- ✅ Authentication System - WebAuthn passkey implementation complete
- ✅ Admin Panel - Complete dashboard with user/model/log management
- ✅ Database - SQLite with Prisma ORM, 28 AI models pre-loaded
- ✅ Security - Comprehensive protection and audit-ready
- ✅ Development Tools - Full debugging and management suite
- ✅ Production Ready - Apache SSL proxy, optimized configuration
🛠️ Development Tools
The project includes a comprehensive suite of development tools:
- ./scripts/dev-tools.sh - Main development script with all tools
- Database Management - Inspect, seed, clear, and reset database
- Authentication Testing - Test auth flows and create backdoor users
- Model Management - Load 28 AI models from JSON configuration
- Development Server - Start/stop with hot reload support
See DEVELOPMENT.md for complete tool documentation.
🏗️ Architecture
Tech Stack
- Frontend: Next.js 15 with App Router, TypeScript, Tailwind CSS
- UI Components: shadcn/ui with custom theming
- Database: SQLite with Prisma ORM (PostgreSQL production-ready)
- Authentication: WebAuthn (passkeys) with secure session management
- AI Integration: OpenRouter API with 28+ free models
- Deployment: Apache reverse proxy with SSL (Let's Encrypt ready)
Database Schema
- Users - Profile and authentication data
- Sessions - Secure session management
- Authenticators - WebAuthn passkey credentials
- Models - AI model metadata and configuration
- ChatLogs - Conversation history and usage tracking
- ApiKeys - Encrypted service credentials
🔧 Configuration
Environment Variables
DATABASE_URL="file:./dev.db"
NODE_ENV="development"
AI Models
Models are configured in models/free-models.json with:
- Model names and descriptions
- Context window sizes (8K - 163K tokens)
- Release dates and OpenRouter links
- Cost information (all free tier)
🎯 Roadmap
Phase 1: Core Chat Features (In Progress)
- ✅ WebAuthn passkey authentication
- ✅ Admin panel and user management
- ✅ Model management system
- 🚧 Chat interface with model selector
- 🚧 Streaming AI responses
- 📋 Chat history and persistence
Phase 2: Enhanced Features (Planned)
- 📋 Real-time notifications
- 📋 Usage analytics and monitoring
- 📋 API rate limiting
- 📋 Bulk model operations
- 📋 Export/import functionality
Phase 3: Production & Scale (Future)
- 📋 PostgreSQL migration
- 📋 Redis session store
- 📋 Container deployment
- 📋 Monitoring integration
- 📋 Performance optimization
🔒 Security
Mako Refinery is built with security-first principles:
- 🔐 WebAuthn Passkeys - Hardware-backed biometric authentication
- 🛡️ Zero Passwords - No password storage or transmission
- 🔒 Encrypted Storage - All sensitive data encrypted at rest
- 🚫 CSRF Protection - Cross-site request forgery prevention
- 🔗 Security Headers - XSS, clickjacking, and injection protection
- 🍪 Secure Sessions - HTTP-only, secure, SameSite cookies
- 📊 Security Audit - Regular security reviews and vulnerability scanning
See SECURITY.md for our complete security policy and reporting procedures.
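An added example (not code from the Mako Refinery repository): a small JavaScript check that audits one HTTP response's headers for the cookie flags and header protections listed above. The input shape, the particular headers checked, and both sample responses are assumptions constructed for illustration.

```javascript
// Added example, not Mako Refinery code: audit one HTTP response's headers
// against the protections listed in the README's Security section.
// Input shape (an assumption): header names lowercased, 'set-cookie' as an array.
function auditCookie(line) {
  const [pair, ...attrs] = line.split(';').map((s) => s.trim());
  const name = pair.split('=')[0];
  const flags = new Map(attrs.map((a) => {
    const [k, v = ''] = a.split('=');
    return [k.trim().toLowerCase(), v.trim().toLowerCase()];
  }));
  const issues = [];
  if (!flags.has('httponly')) issues.push(`${name}: missing HttpOnly`);
  if (!flags.has('secure')) issues.push(`${name}: missing Secure`);
  const sameSite = flags.get('samesite');
  if (!sameSite) issues.push(`${name}: missing SameSite`);
  else if (sameSite === 'none') issues.push(`${name}: SameSite=None allows cross-site sends`);
  return issues;
}

function auditHeaders(headers) {
  const issues = [];
  const csp = (headers['content-security-policy'] || '').toLowerCase();
  if (!csp) issues.push('no Content-Security-Policy (XSS/injection)');
  // Clickjacking: either CSP frame-ancestors or X-Frame-Options must restrict framing.
  const xfo = (headers['x-frame-options'] || '').toLowerCase();
  if (!/\bframe-ancestors\b/.test(csp) && !['deny', 'sameorigin'].includes(xfo)) {
    issues.push('framing not restricted (clickjacking)');
  }
  if ((headers['x-content-type-options'] || '').toLowerCase() !== 'nosniff') {
    issues.push('missing X-Content-Type-Options: nosniff');
  }
  for (const line of headers['set-cookie'] || []) issues.push(...auditCookie(line));
  return issues;
}

// Constructed sample responses (not captured from the real site).
const weak = {
  'set-cookie': ['session=abc123; Path=/; HttpOnly'],
  'x-frame-options': 'ALLOWALL',
};
const hardened = {
  'content-security-policy': "default-src 'self'; frame-ancestors 'none'",
  'x-content-type-options': 'nosniff',
  'set-cookie': ['session=abc123; Path=/; HttpOnly; Secure; SameSite=Lax'],
};

console.log(auditHeaders(weak));
console.log(auditHeaders(hardened));
```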
📖 Documentation
- SECURITY.md - Security policy and vulnerability reporting
- LICENSE - MIT License terms and conditions
- DEVELOPMENT.md - Complete developer guide and tools
- AI-HANDOFF.md - Quick context for AI assistants
- ADMIN.md - Admin panel documentation
- TODO/TODO.md - Project roadmap and status
- scripts/README.md - Development script documentation
🤝 Contributing
We welcome contributions! Please:
- Fork the repository
- Create a feature branch (git checkout -b feature/amazing-feature)
- Test your changes with our development tools
- Commit with clear, descriptive messages
- Push to your branch (git push origin feature/amazing-feature)
- Open a Pull Request
Development Workflow
- Setup: Clone repo and install dependencies
- Check Status: ./scripts/dev-tools.sh db-inspect stats
- Start Development: ./scripts/dev-tools.sh start
- Make Changes: Edit with hot reload
- Test: Use debugging tools and backdoor access
- Commit: Clean, descriptive Git commits
📞 Support & Contact
- 🐛 Bug Reports: GitHub Issues
- 🔒 Security Issues: Security Advisories
- 💬 General Contact: [email protected]
- 🌐 Website: https://makorefinery.com
- 📄 Documentation: Check individual .md files for specific topics
📄 License
This project is licensed under the MIT License - see the LICENSE file for details.
🙋 Author
Timothy John Michael (saintpetejackboy, Deadend Deafchild)
- GitHub: @saintpetejackboy
- Email: [email protected]
🚀 Ready for production! Secure, fast, and feature-complete.
Built with ❤️ and a commitment to security and user privacy.