@agentlensai/server 0.10.0 → 0.11.0

package/dist/cloud/auth/oauth.js

@@ -0,0 +1,120 @@
+/**
+ * OAuth provider integration (Google + GitHub).
+ *
+ * This module handles:
+ * 1. Generating OAuth authorization URLs
+ * 2. Exchanging authorization codes for tokens
+ * 3. Fetching user profile from OAuth providers
+ * 4. Creating/linking user records on first login
+ * 5. Issuing JWT session cookies
+ */
+// ═══════════════════════════════════════════
+// Google OAuth
+// ═══════════════════════════════════════════
+const GOOGLE_AUTH_URL = 'https://accounts.google.com/o/oauth2/v2/auth';
+const GOOGLE_TOKEN_URL = 'https://oauth2.googleapis.com/token';
+const GOOGLE_USERINFO_URL = 'https://www.googleapis.com/oauth2/v2/userinfo';
+export function getGoogleAuthUrl(config, state) {
+    const params = new URLSearchParams({
+        client_id: config.clientId,
+        redirect_uri: config.redirectUri,
+        response_type: 'code',
+        scope: 'openid email profile',
+        state,
+        access_type: 'offline',
+    });
+    return `${GOOGLE_AUTH_URL}?${params}`;
+}
+export async function exchangeGoogleCode(config, code) {
+    const resp = await fetch(GOOGLE_TOKEN_URL, {
+        method: 'POST',
+        headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
+        body: new URLSearchParams({
+            client_id: config.clientId,
+            client_secret: config.clientSecret,
+            redirect_uri: config.redirectUri,
+            code,
+            grant_type: 'authorization_code',
+        }),
+    });
+    if (!resp.ok)
+        throw new Error(`Google token exchange failed: ${resp.status}`);
+    const data = await resp.json();
+    return { accessToken: data.access_token };
+}
+export async function getGoogleProfile(accessToken) {
+    const resp = await fetch(GOOGLE_USERINFO_URL, {
+        headers: { Authorization: `Bearer ${accessToken}` },
+    });
+    if (!resp.ok)
+        throw new Error(`Google profile fetch failed: ${resp.status}`);
+    const data = await resp.json();
+    return {
+        provider: 'google',
+        providerId: data.id,
+        email: data.email,
+        name: data.name ?? null,
+        avatarUrl: data.picture ?? null,
+    };
+}
+// ═══════════════════════════════════════════
+// GitHub OAuth
+// ═══════════════════════════════════════════
+const GITHUB_AUTH_URL = 'https://github.com/login/oauth/authorize';
+const GITHUB_TOKEN_URL = 'https://github.com/login/oauth/access_token';
+const GITHUB_USER_URL = 'https://api.github.com/user';
+const GITHUB_EMAILS_URL = 'https://api.github.com/user/emails';
+export function getGithubAuthUrl(config, state) {
+    const params = new URLSearchParams({
+        client_id: config.clientId,
+        redirect_uri: config.redirectUri,
+        scope: 'user:email',
+        state,
+    });
+    return `${GITHUB_AUTH_URL}?${params}`;
+}
+export async function exchangeGithubCode(config, code) {
+    const resp = await fetch(GITHUB_TOKEN_URL, {
+        method: 'POST',
+        headers: {
+            'Content-Type': 'application/json',
+            Accept: 'application/json',
+        },
+        body: JSON.stringify({
+            client_id: config.clientId,
+            client_secret: config.clientSecret,
+            code,
+        }),
+    });
+    if (!resp.ok)
+        throw new Error(`GitHub token exchange failed: ${resp.status}`);
+    const data = await resp.json();
+    if (data.error)
+        throw new Error(`GitHub OAuth error: ${data.error_description || data.error}`);
+    return { accessToken: data.access_token };
+}
+export async function getGithubProfile(accessToken) {
+    const [userResp, emailsResp] = await Promise.all([
+        fetch(GITHUB_USER_URL, { headers: { Authorization: `Bearer ${accessToken}`, Accept: 'application/json' } }),
+        fetch(GITHUB_EMAILS_URL, { headers: { Authorization: `Bearer ${accessToken}`, Accept: 'application/json' } }),
+    ]);
+    if (!userResp.ok)
+        throw new Error(`GitHub user fetch failed: ${userResp.status}`);
+    const user = await userResp.json();
+    let email = user.email;
+    if (!email && emailsResp.ok) {
+        const emails = await emailsResp.json();
+        const primary = emails.find((e) => e.primary && e.verified);
+        email = primary?.email ?? emails[0]?.email;
+    }
+    if (!email)
+        throw new Error('No email found from GitHub');
+    return {
+        provider: 'github',
+        providerId: String(user.id),
+        email,
+        name: user.name ?? user.login ?? null,
+        avatarUrl: user.avatar_url ?? null,
+    };
+}
+//# sourceMappingURL=oauth.js.map

package/dist/cloud/auth/oauth.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"oauth.js","sourceRoot":"","sources":["../../../src/cloud/auth/oauth.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAqBH,8CAA8C;AAC9C,eAAe;AACf,8CAA8C;AAE9C,MAAM,eAAe,GAAG,8CAA8C,CAAC;AACvE,MAAM,gBAAgB,GAAG,qCAAqC,CAAC;AAC/D,MAAM,mBAAmB,GAAG,+CAA+C,CAAC;AAE5E,MAAM,UAAU,gBAAgB,CAAC,MAA2B,EAAE,KAAa;IACzE,MAAM,MAAM,GAAG,IAAI,eAAe,CAAC;QACjC,SAAS,EAAE,MAAM,CAAC,QAAQ;QAC1B,YAAY,EAAE,MAAM,CAAC,WAAW;QAChC,aAAa,EAAE,MAAM;QACrB,KAAK,EAAE,sBAAsB;QAC7B,KAAK;QACL,WAAW,EAAE,SAAS;KACvB,CAAC,CAAC;IACH,OAAO,GAAG,eAAe,IAAI,MAAM,EAAE,CAAC;AACxC,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,kBAAkB,CACtC,MAA2B,EAC3B,IAAY;IAEZ,MAAM,IAAI,GAAG,MAAM,KAAK,CAAC,gBAAgB,EAAE;QACzC,MAAM,EAAE,MAAM;QACd,OAAO,EAAE,EAAE,cAAc,EAAE,mCAAmC,EAAE;QAChE,IAAI,EAAE,IAAI,eAAe,CAAC;YACxB,SAAS,EAAE,MAAM,CAAC,QAAQ;YAC1B,aAAa,EAAE,MAAM,CAAC,YAAY;YAClC,YAAY,EAAE,MAAM,CAAC,WAAW;YAChC,IAAI;YACJ,UAAU,EAAE,oBAAoB;SACjC,CAAC;KACH,CAAC,CAAC;IACH,IAAI,CAAC,IAAI,CAAC,EAAE;QAAE,MAAM,IAAI,KAAK,CAAC,iCAAiC,IAAI,CAAC,MAAM,EAAE,CAAC,CAAC;IAC9E,MAAM,IAAI,GAAG,MAAM,IAAI,CAAC,IAAI,EAAE,CAAC;IAC/B,OAAO,EAAE,WAAW,EAAE,IAAI,CAAC,YAAY,EAAE,CAAC;AAC5C,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,gBAAgB,CAAC,WAAmB;IACxD,MAAM,IAAI,GAAG,MAAM,KAAK,CAAC,mBAAmB,EAAE;QAC5C,OAAO,EAAE,EAAE,aAAa,EAAE,UAAU,WAAW,EAAE,EAAE;KACpD,CAAC,CAAC;IACH,IAAI,CAAC,IAAI,CAAC,EAAE;QAAE,MAAM,IAAI,KAAK,CAAC,gCAAgC,IAAI,CAAC,MAAM,EAAE,CAAC,CAAC;IAC7E,MAAM,IAAI,GAAG,MAAM,IAAI,CAAC,IAAI,EAAE,CAAC;IAC/B,OAAO;QACL,QAAQ,EAAE,QAAQ;QAClB,UAAU,EAAE,IAAI,CAAC,EAAE;QACnB,KAAK,EAAE,IAAI,CAAC,KAAK;QACjB,IAAI,EAAE,IAAI,CAAC,IAAI,IAAI,IAAI;QACvB,SAAS,EAAE,IAAI,CAAC,OAAO,IAAI,IAAI;KAChC,CAAC;AACJ,CAAC;AAED,8CAA8C;AAC9C,eAAe;AACf,8CAA8C;AAE9C,MAAM,eAAe,GAAG,0CAA0C,CAAC;AACnE,MAAM,gBAAgB,GAAG,6CAA6C,CAAC;AACvE,MAAM,eAAe,GAAG,6BAA6B,CAAC;AACtD,MAAM,iBAAiB,GAAG,oCAAoC,CAAC;AAE/D,MAAM,UAAU,gBAAgB,CAAC,MAA2B,EAAE,KAAa;IACzE,MAAM,MAAM,GAAG,IAAI,eAAe,CAAC;QACjC,SAAS,EAAE,MAAM,CAAC,QAAQ;QAC1B,YAAY,EAAE,MAAM,CAAC,WAAW;QAChC,KAAK,EAAE,YAAY;QACnB,KAAK;KACN,CAAC,CAAC;IACH,OAAO,GAAG,eAAe,IAAI,MAAM,EAAE,CAAC;AACxC,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,kBAAkB,CACtC,MAA2B,EAC3B,IAAY;IAEZ,MAAM,IAAI,GAAG,MAAM,KAAK,CAAC,gBAAgB,EAAE;QACzC,MAAM,EAAE,MAAM;QACd,OAAO,EAAE;YACP,cAAc,EAAE,kBAAkB;YAClC,MAAM,EAAE,kBAAkB;SAC3B;QACD,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC;YACnB,SAAS,EAAE,MAAM,CAAC,QAAQ;YAC1B,aAAa,EAAE,MAAM,CAAC,YAAY;YAClC,IAAI;SACL,CAAC;KACH,CAAC,CAAC;IACH,IAAI,CAAC,IAAI,CAAC,EAAE;QAAE,MAAM,IAAI,KAAK,CAAC,iCAAiC,IAAI,CAAC,MAAM,EAAE,CAAC,CAAC;IAC9E,MAAM,IAAI,GAAG,MAAM,IAAI,CAAC,IAAI,EAAE,CAAC;IAC/B,IAAI,IAAI,CAAC,KAAK;QAAE,MAAM,IAAI,KAAK,CAAC,uBAAuB,IAAI,CAAC,iBAAiB,IAAI,IAAI,CAAC,KAAK,EAAE,CAAC,CAAC;IAC/F,OAAO,EAAE,WAAW,EAAE,IAAI,CAAC,YAAY,EAAE,CAAC;AAC5C,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,gBAAgB,CAAC,WAAmB;IACxD,MAAM,CAAC,QAAQ,EAAE,UAAU,CAAC,GAAG,MAAM,OAAO,CAAC,GAAG,CAAC;QAC/C,KAAK,CAAC,eAAe,EAAE,EAAE,OAAO,EAAE,EAAE,aAAa,EAAE,UAAU,WAAW,EAAE,EAAE,MAAM,EAAE,kBAAkB,EAAE,EAAE,CAAC;QAC3G,KAAK,CAAC,iBAAiB,EAAE,EAAE,OAAO,EAAE,EAAE,aAAa,EAAE,UAAU,WAAW,EAAE,EAAE,MAAM,EAAE,kBAAkB,EAAE,EAAE,CAAC;KAC9G,CAAC,CAAC;IAEH,IAAI,CAAC,QAAQ,CAAC,EAAE;QAAE,MAAM,IAAI,KAAK,CAAC,6BAA6B,QAAQ,CAAC,MAAM,EAAE,CAAC,CAAC;IAClF,MAAM,IAAI,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC;IAEnC,IAAI,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC;IACvB,IAAI,CAAC,KAAK,IAAI,UAAU,CAAC,EAAE,EAAE,CAAC;QAC5B,MAAM,MAAM,GAAG,MAAM,UAAU,CAAC,IAAI,EAAE,CAAC;QACvC,MAAM,OAAO,GAAG,MAAM,CAAC,IAAI,CAAC,CAAC,CAAM,EAAE,EAAE,CAAC,CAAC,CAAC,OAAO,IAAI,CAAC,CAAC,QAAQ,CAAC,CAAC;QACjE,KAAK,GAAG,OAAO,EAAE,KAAK,IAAI,MAAM,CAAC,CAAC,CAAC,EAAE,KAAK,CAAC;IAC7C,CAAC;IACD,IAAI,CAAC,KAAK;QAAE,MAAM,IAAI,KAAK,CAAC,4BAA4B,CAAC,CAAC;IAE1D,OAAO;QACL,QAAQ,EAAE,QAAQ;QAClB,UAAU,EAAE,MAAM,CAAC,IAAI,CAAC,EAAE,CAAC;QAC3B,KAAK;QACL,IAAI,EAAE,IAAI,CAAC,IAAI,IAAI,IAAI,CAAC,KAAK,IAAI,IAAI;QACrC,SAAS,EAAE,IAAI,CAAC,UAAU,IAAI,IAAI;KACnC,CAAC;AACJ,CAAC"}

package/dist/cloud/auth/passwords.d.ts

@@ -0,0 +1,25 @@
+/**
+ * Password hashing and validation utilities.
+ * Uses Node.js built-in crypto (scrypt) — no external dependencies.
+ */
+/**
+ * Hash a password using scrypt.
+ * Returns "salt:hash" in hex encoding.
+ */
+export declare function hashPassword(password: string): Promise<string>;
+/**
+ * Verify a password against a stored hash.
+ */
+export declare function verifyPassword(password: string, storedHash: string): Promise<boolean>;
+/**
+ * Password complexity requirements:
+ * - Min 8 characters
+ * - At least 1 uppercase letter
+ * - At least 1 lowercase letter
+ * - At least 1 digit
+ */
+export declare function validatePasswordComplexity(password: string): {
+    valid: boolean;
+    errors: string[];
+};
+//# sourceMappingURL=passwords.d.ts.map

package/dist/cloud/auth/passwords.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"passwords.d.ts","sourceRoot":"","sources":["../../../src/cloud/auth/passwords.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAUH;;;GAGG;AACH,wBAAsB,YAAY,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,CAIpE;AAED;;GAEG;AACH,wBAAsB,cAAc,CAAC,QAAQ,EAAE,MAAM,EAAE,UAAU,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC,CAO3F;AAED;;;;;;GAMG;AACH,wBAAgB,0BAA0B,CAAC,QAAQ,EAAE,MAAM,GAAG;IAAE,KAAK,EAAE,OAAO,CAAC;IAAC,MAAM,EAAE,MAAM,EAAE,CAAA;CAAE,CAOjG"}

package/dist/cloud/auth/passwords.js

@@ -0,0 +1,50 @@
+/**
+ * Password hashing and validation utilities.
+ * Uses Node.js built-in crypto (scrypt) — no external dependencies.
+ */
+import { scrypt, randomBytes, timingSafeEqual } from 'node:crypto';
+import { promisify } from 'node:util';
+const scryptAsync = promisify(scrypt);
+const SALT_LENGTH = 32;
+const KEY_LENGTH = 64;
+/**
+ * Hash a password using scrypt.
+ * Returns "salt:hash" in hex encoding.
+ */
+export async function hashPassword(password) {
+    const salt = randomBytes(SALT_LENGTH);
+    const derived = (await scryptAsync(password, salt, KEY_LENGTH));
+    return `${salt.toString('hex')}:${derived.toString('hex')}`;
+}
+/**
+ * Verify a password against a stored hash.
+ */
+export async function verifyPassword(password, storedHash) {
+    const [saltHex, hashHex] = storedHash.split(':');
+    if (!saltHex || !hashHex)
+        return false;
+    const salt = Buffer.from(saltHex, 'hex');
+    const stored = Buffer.from(hashHex, 'hex');
+    const derived = (await scryptAsync(password, salt, KEY_LENGTH));
+    return timingSafeEqual(stored, derived);
+}
+/**
+ * Password complexity requirements:
+ * - Min 8 characters
+ * - At least 1 uppercase letter
+ * - At least 1 lowercase letter
+ * - At least 1 digit
+ */
+export function validatePasswordComplexity(password) {
+    const errors = [];
+    if (password.length < 8)
+        errors.push('Password must be at least 8 characters');
+    if (!/[A-Z]/.test(password))
+        errors.push('Password must contain at least 1 uppercase letter');
+    if (!/[a-z]/.test(password))
+        errors.push('Password must contain at least 1 lowercase letter');
+    if (!/\d/.test(password))
+        errors.push('Password must contain at least 1 digit');
+    return { valid: errors.length === 0, errors };
+}
+//# sourceMappingURL=passwords.js.map

package/dist/cloud/auth/passwords.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"passwords.js","sourceRoot":"","sources":["../../../src/cloud/auth/passwords.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,EAAE,MAAM,EAAE,WAAW,EAAE,eAAe,EAAE,MAAM,aAAa,CAAC;AACnE,OAAO,EAAE,SAAS,EAAE,MAAM,WAAW,CAAC;AAEtC,MAAM,WAAW,GAAG,SAAS,CAAC,MAAM,CAAC,CAAC;AAEtC,MAAM,WAAW,GAAG,EAAE,CAAC;AACvB,MAAM,UAAU,GAAG,EAAE,CAAC;AAEtB;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,YAAY,CAAC,QAAgB;IACjD,MAAM,IAAI,GAAG,WAAW,CAAC,WAAW,CAAC,CAAC;IACtC,MAAM,OAAO,GAAG,CAAC,MAAM,WAAW,CAAC,QAAQ,EAAE,IAAI,EAAE,UAAU,CAAC,CAAW,CAAC;IAC1E,OAAO,GAAG,IAAI,CAAC,QAAQ,CAAC,KAAK,CAAC,IAAI,OAAO,CAAC,QAAQ,CAAC,KAAK,CAAC,EAAE,CAAC;AAC9D,CAAC;AAED;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,cAAc,CAAC,QAAgB,EAAE,UAAkB;IACvE,MAAM,CAAC,OAAO,EAAE,OAAO,CAAC,GAAG,UAAU,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IACjD,IAAI,CAAC,OAAO,IAAI,CAAC,OAAO;QAAE,OAAO,KAAK,CAAC;IACvC,MAAM,IAAI,GAAG,MAAM,CAAC,IAAI,CAAC,OAAO,EAAE,KAAK,CAAC,CAAC;IACzC,MAAM,MAAM,GAAG,MAAM,CAAC,IAAI,CAAC,OAAO,EAAE,KAAK,CAAC,CAAC;IAC3C,MAAM,OAAO,GAAG,CAAC,MAAM,WAAW,CAAC,QAAQ,EAAE,IAAI,EAAE,UAAU,CAAC,CAAW,CAAC;IAC1E,OAAO,eAAe,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;AAC1C,CAAC;AAED;;;;;;GAMG;AACH,MAAM,UAAU,0BAA0B,CAAC,QAAgB;IACzD,MAAM,MAAM,GAAa,EAAE,CAAC;IAC5B,IAAI,QAAQ,CAAC,MAAM,GAAG,CAAC;QAAE,MAAM,CAAC,IAAI,CAAC,wCAAwC,CAAC,CAAC;IAC/E,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,QAAQ,CAAC;QAAE,MAAM,CAAC,IAAI,CAAC,mDAAmD,CAAC,CAAC;IAC9F,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,QAAQ,CAAC;QAAE,MAAM,CAAC,IAAI,CAAC,mDAAmD,CAAC,CAAC;IAC9F,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,QAAQ,CAAC;QAAE,MAAM,CAAC,IAAI,CAAC,wCAAwC,CAAC,CAAC;IAChF,OAAO,EAAE,KAAK,EAAE,MAAM,CAAC,MAAM,KAAK,CAAC,EAAE,MAAM,EAAE,CAAC;AAChD,CAAC"}

package/dist/cloud/auth/rbac.d.ts

@@ -0,0 +1,51 @@
+/**
+ * RBAC Middleware (S-2.5)
+ *
+ * Role-based access control for dashboard API routes.
+ * Permission matrix:
+ *   Owner  = all actions
+ *   Admin  = all except billing, org deletion, ownership transfer
+ *   Member = read dashboard, create sessions/benchmarks (no API keys, team mgmt, billing, settings)
+ *   Viewer = read-only dashboard data
+ */
+import type { AuditLogService } from './audit-log.js';
+export type Role = 'owner' | 'admin' | 'member' | 'viewer';
+export type ActionCategory = 'read' | 'write' | 'manage' | 'billing';
+/**
+ * Permission matrix: which roles can perform which action categories.
+ */
+export declare const PERMISSION_MATRIX: Record<ActionCategory, readonly Role[]>;
+/**
+ * Map a route/action description to an action category.
+ * Used internally and exposed for testing.
+ */
+export declare function categorizeAction(action: string): ActionCategory;
+export interface RbacRequest {
+    orgId: string;
+    userId: string;
+    role: Role;
+    path?: string;
+    ip?: string;
+}
+export interface RbacResult {
+    allowed: boolean;
+    statusCode?: number;
+    error?: string;
+}
+/**
+ * Check if a role is allowed to perform an action category.
+ */
+export declare function isRoleAllowed(role: Role, category: ActionCategory): boolean;
+/**
+ * Create a requireRole middleware function.
+ *
+ * @param allowedRoles - Roles that are permitted for this route
+ * @param auditLog - Optional audit log service to log denials
+ * @returns Middleware-style check function
+ */
+export declare function requireRole(allowedRoles: Role[], auditLog?: AuditLogService): (req: RbacRequest) => Promise<RbacResult>;
+/**
+ * Convenience: create a requireRole check by action category.
+ */
+export declare function requireActionCategory(category: ActionCategory, auditLog?: AuditLogService): (req: RbacRequest) => Promise<RbacResult>;
+//# sourceMappingURL=rbac.d.ts.map

package/dist/cloud/auth/rbac.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"rbac.d.ts","sourceRoot":"","sources":["../../../src/cloud/auth/rbac.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAEH,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,gBAAgB,CAAC;AAEtD,MAAM,MAAM,IAAI,GAAG,OAAO,GAAG,OAAO,GAAG,QAAQ,GAAG,QAAQ,CAAC;AAE3D,MAAM,MAAM,cAAc,GACtB,MAAM,GACN,OAAO,GACP,QAAQ,GACR,SAAS,CAAC;AAEd;;GAEG;AACH,eAAO,MAAM,iBAAiB,EAAE,MAAM,CAAC,cAAc,EAAE,SAAS,IAAI,EAAE,CAK5D,CAAC;AAEX;;;GAGG;AACH,wBAAgB,gBAAgB,CAAC,MAAM,EAAE,MAAM,GAAG,cAAc,CAa/D;AAED,MAAM,WAAW,WAAW;IAC1B,KAAK,EAAE,MAAM,CAAC;IACd,MAAM,EAAE,MAAM,CAAC;IACf,IAAI,EAAE,IAAI,CAAC;IACX,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,EAAE,CAAC,EAAE,MAAM,CAAC;CACb;AAED,MAAM,WAAW,UAAU;IACzB,OAAO,EAAE,OAAO,CAAC;IACjB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,KAAK,CAAC,EAAE,MAAM,CAAC;CAChB;AAED;;GAEG;AACH,wBAAgB,aAAa,CAAC,IAAI,EAAE,IAAI,EAAE,QAAQ,EAAE,cAAc,GAAG,OAAO,CAE3E;AAED;;;;;;GAMG;AACH,wBAAgB,WAAW,CACzB,YAAY,EAAE,IAAI,EAAE,EACpB,QAAQ,CAAC,EAAE,eAAe,GACzB,CAAC,GAAG,EAAE,WAAW,KAAK,OAAO,CAAC,UAAU,CAAC,CA+B3C;AAED;;GAEG;AACH,wBAAgB,qBAAqB,CACnC,QAAQ,EAAE,cAAc,EACxB,QAAQ,CAAC,EAAE,eAAe,GACzB,CAAC,GAAG,EAAE,WAAW,KAAK,OAAO,CAAC,UAAU,CAAC,CAE3C"}

package/dist/cloud/auth/rbac.js

@@ -0,0 +1,89 @@
+/**
+ * RBAC Middleware (S-2.5)
+ *
+ * Role-based access control for dashboard API routes.
+ * Permission matrix:
+ *   Owner  = all actions
+ *   Admin  = all except billing, org deletion, ownership transfer
+ *   Member = read dashboard, create sessions/benchmarks (no API keys, team mgmt, billing, settings)
+ *   Viewer = read-only dashboard data
+ */
+/**
+ * Permission matrix: which roles can perform which action categories.
+ */
+export const PERMISSION_MATRIX = {
+    read: ['owner', 'admin', 'member', 'viewer'],
+    write: ['owner', 'admin', 'member'],
+    manage: ['owner', 'admin'],
+    billing: ['owner'],
+};
+/**
+ * Map a route/action description to an action category.
+ * Used internally and exposed for testing.
+ */
+export function categorizeAction(action) {
+    // Billing and destructive org ops
+    if (/billing|invoice|upgrade|downgrade|portal/.test(action))
+        return 'billing';
+    if (/org.*delete|delete.*org|org.*transfer|transfer.*ownership/.test(action))
+        return 'billing';
+    // Management actions
+    if (/api[_-]?key|member|invitation|invite|settings|audit|export|import|role/.test(action))
+        return 'manage';
+    // Write actions
+    if (/create|update|patch|post|put|configure/.test(action))
+        return 'write';
+    // Default: read
+    return 'read';
+}
+/**
+ * Check if a role is allowed to perform an action category.
+ */
+export function isRoleAllowed(role, category) {
+    return PERMISSION_MATRIX[category].includes(role);
+}
+/**
+ * Create a requireRole middleware function.
+ *
+ * @param allowedRoles - Roles that are permitted for this route
+ * @param auditLog - Optional audit log service to log denials
+ * @returns Middleware-style check function
+ */
+export function requireRole(allowedRoles, auditLog) {
+    return async (req) => {
+        if (allowedRoles.includes(req.role)) {
+            return { allowed: true };
+        }
+        // Log permission denied to audit log
+        if (auditLog) {
+            try {
+                await auditLog.write({
+                    org_id: req.orgId,
+                    actor_type: 'user',
+                    actor_id: req.userId,
+                    action: 'permission.denied',
+                    resource_type: 'route',
+                    resource_id: req.path ?? null,
+                    details: { role: req.role, required_roles: allowedRoles },
+                    ip_address: req.ip ?? null,
+                    result: 'failure',
+                });
+            }
+            catch {
+                // Don't fail the request if audit logging fails
+            }
+        }
+        return {
+            allowed: false,
+            statusCode: 403,
+            error: 'Insufficient permissions',
+        };
+    };
+}
+/**
+ * Convenience: create a requireRole check by action category.
+ */
+export function requireActionCategory(category, auditLog) {
+    return requireRole([...PERMISSION_MATRIX[category]], auditLog);
+}
+//# sourceMappingURL=rbac.js.map

package/dist/cloud/auth/rbac.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"rbac.js","sourceRoot":"","sources":["../../../src/cloud/auth/rbac.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAYH;;GAEG;AACH,MAAM,CAAC,MAAM,iBAAiB,GAA4C;IACxE,IAAI,EAAK,CAAC,OAAO,EAAE,OAAO,EAAE,QAAQ,EAAE,QAAQ,CAAC;IAC/C,KAAK,EAAI,CAAC,OAAO,EAAE,OAAO,EAAE,QAAQ,CAAC;IACrC,MAAM,EAAG,CAAC,OAAO,EAAE,OAAO,CAAC;IAC3B,OAAO,EAAE,CAAC,OAAO,CAAC;CACV,CAAC;AAEX;;;GAGG;AACH,MAAM,UAAU,gBAAgB,CAAC,MAAc;IAC7C,kCAAkC;IAClC,IAAI,0CAA0C,CAAC,IAAI,CAAC,MAAM,CAAC;QAAE,OAAO,SAAS,CAAC;IAC9E,IAAI,2DAA2D,CAAC,IAAI,CAAC,MAAM,CAAC;QAAE,OAAO,SAAS,CAAC;IAE/F,qBAAqB;IACrB,IAAI,wEAAwE,CAAC,IAAI,CAAC,MAAM,CAAC;QAAE,OAAO,QAAQ,CAAC;IAE3G,gBAAgB;IAChB,IAAI,wCAAwC,CAAC,IAAI,CAAC,MAAM,CAAC;QAAE,OAAO,OAAO,CAAC;IAE1E,gBAAgB;IAChB,OAAO,MAAM,CAAC;AAChB,CAAC;AAgBD;;GAEG;AACH,MAAM,UAAU,aAAa,CAAC,IAAU,EAAE,QAAwB;IAChE,OAAQ,iBAAiB,CAAC,QAAQ,CAAuB,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC;AAC3E,CAAC;AAED;;;;;;GAMG;AACH,MAAM,UAAU,WAAW,CACzB,YAAoB,EACpB,QAA0B;IAE1B,OAAO,KAAK,EAAE,GAAgB,EAAuB,EAAE;QACrD,IAAI,YAAY,CAAC,QAAQ,CAAC,GAAG,CAAC,IAAI,CAAC,EAAE,CAAC;YACpC,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,CAAC;QAC3B,CAAC;QAED,qCAAqC;QACrC,IAAI,QAAQ,EAAE,CAAC;YACb,IAAI,CAAC;gBACH,MAAM,QAAQ,CAAC,KAAK,CAAC;oBACnB,MAAM,EAAE,GAAG,CAAC,KAAK;oBACjB,UAAU,EAAE,MAAM;oBAClB,QAAQ,EAAE,GAAG,CAAC,MAAM;oBACpB,MAAM,EAAE,mBAAmB;oBAC3B,aAAa,EAAE,OAAO;oBACtB,WAAW,EAAE,GAAG,CAAC,IAAI,IAAI,IAAI;oBAC7B,OAAO,EAAE,EAAE,IAAI,EAAE,GAAG,CAAC,IAAI,EAAE,cAAc,EAAE,YAAY,EAAE;oBACzD,UAAU,EAAE,GAAG,CAAC,EAAE,IAAI,IAAI;oBAC1B,MAAM,EAAE,SAAS;iBAClB,CAAC,CAAC;YACL,CAAC;YAAC,MAAM,CAAC;gBACP,gDAAgD;YAClD,CAAC;QACH,CAAC;QAED,OAAO;YACL,OAAO,EAAE,KAAK;YACd,UAAU,EAAE,GAAG;YACf,KAAK,EAAE,0BAA0B;SAClC,CAAC;IACJ,CAAC,CAAC;AACJ,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,qBAAqB,CACnC,QAAwB,EACxB,QAA0B;IAE1B,OAAO,WAAW,CAAC,CAAC,GAAG,iBAAiB,CAAC,QAAQ,CAAC,CAAC,EAAE,QAAQ,CAAC,CAAC;AACjE,CAAC"}

package/dist/cloud/auth/tokens.d.ts

@@ -0,0 +1,18 @@
+/**
+ * Token utilities for email verification and password reset.
+ * Uses crypto.randomBytes for secure token generation.
+ */
+/**
+ * Generate a secure random token (URL-safe).
+ */
+export declare function generateToken(bytes?: number): string;
+/**
+ * Hash a token for storage (SHA-256).
+ * We store the hash, not the raw token — same pattern as API keys.
+ */
+export declare function hashToken(token: string): string;
+/**
+ * Verify a raw token against its stored hash.
+ */
+export declare function verifyToken(token: string, storedHash: string): boolean;
+//# sourceMappingURL=tokens.d.ts.map

package/dist/cloud/auth/tokens.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"tokens.d.ts","sourceRoot":"","sources":["../../../src/cloud/auth/tokens.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAIH;;GAEG;AACH,wBAAgB,aAAa,CAAC,KAAK,SAAK,GAAG,MAAM,CAEhD;AAED;;;GAGG;AACH,wBAAgB,SAAS,CAAC,KAAK,EAAE,MAAM,GAAG,MAAM,CAE/C;AAED;;GAEG;AACH,wBAAgB,WAAW,CAAC,KAAK,EAAE,MAAM,EAAE,UAAU,EAAE,MAAM,GAAG,OAAO,CAKtE"}

package/dist/cloud/auth/tokens.js

@@ -0,0 +1,29 @@
+/**
+ * Token utilities for email verification and password reset.
+ * Uses crypto.randomBytes for secure token generation.
+ */
+import { randomBytes, createHash, timingSafeEqual } from 'node:crypto';
+/**
+ * Generate a secure random token (URL-safe).
+ */
+export function generateToken(bytes = 32) {
+    return randomBytes(bytes).toString('base64url');
+}
+/**
+ * Hash a token for storage (SHA-256).
+ * We store the hash, not the raw token — same pattern as API keys.
+ */
+export function hashToken(token) {
+    return createHash('sha256').update(token).digest('hex');
+}
+/**
+ * Verify a raw token against its stored hash.
+ */
+export function verifyToken(token, storedHash) {
+    const computed = Buffer.from(hashToken(token), 'hex');
+    const stored = Buffer.from(storedHash, 'hex');
+    if (computed.length !== stored.length)
+        return false;
+    return timingSafeEqual(computed, stored);
+}
+//# sourceMappingURL=tokens.js.map

package/dist/cloud/auth/tokens.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"tokens.js","sourceRoot":"","sources":["../../../src/cloud/auth/tokens.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,EAAE,WAAW,EAAE,UAAU,EAAE,eAAe,EAAE,MAAM,aAAa,CAAC;AAEvE;;GAEG;AACH,MAAM,UAAU,aAAa,CAAC,KAAK,GAAG,EAAE;IACtC,OAAO,WAAW,CAAC,KAAK,CAAC,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC;AAClD,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,SAAS,CAAC,KAAa;IACrC,OAAO,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;AAC1D,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,WAAW,CAAC,KAAa,EAAE,UAAkB;IAC3D,MAAM,QAAQ,GAAG,MAAM,CAAC,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,EAAE,KAAK,CAAC,CAAC;IACtD,MAAM,MAAM,GAAG,MAAM,CAAC,IAAI,CAAC,UAAU,EAAE,KAAK,CAAC,CAAC;IAC9C,IAAI,QAAQ,CAAC,MAAM,KAAK,MAAM,CAAC,MAAM;QAAE,OAAO,KAAK,CAAC;IACpD,OAAO,eAAe,CAAC,QAAQ,EAAE,MAAM,CAAC,CAAC;AAC3C,CAAC"}

package/dist/cloud/billing/billing-service.d.ts

@@ -0,0 +1,44 @@
+/**
+ * Billing Service (S-6.1)
+ *
+ * Handles Stripe customer lifecycle, subscription management,
+ * and webhook processing.
+ */
+import type { IStripeClient, TierName, StripeWebhookEvent } from './stripe-client.js';
+import type { MigrationClient } from '../migrate.js';
+export interface BillingServiceDeps {
+    stripe: IStripeClient;
+    db: MigrationClient;
+}
+export interface WebhookResult {
+    handled: boolean;
+    action?: string;
+    error?: string;
+}
+export declare class BillingService {
+    private deps;
+    constructor(deps: BillingServiceDeps);
+    /**
+     * Create a Stripe customer for an org (called on org creation).
+     * Stores stripe_customer_id on the orgs table.
+     */
+    createCustomerForOrg(orgId: string, email: string, name: string): Promise<string>;
+    /**
+     * Upgrade an org to a paid plan. Creates a Stripe subscription.
+     */
+    upgradePlan(orgId: string, newTier: TierName): Promise<void>;
+    /**
+     * Downgrade an org (cancels at period end, schedules free tier).
+     */
+    downgradePlan(orgId: string): Promise<void>;
+    /**
+     * Process a Stripe webhook event.
+     */
+    handleWebhook(event: StripeWebhookEvent): Promise<WebhookResult>;
+    private handleInvoicePaid;
+    private handlePaymentFailed;
+    private handleSubscriptionUpdated;
+    private handleSubscriptionDeleted;
+    private getOrg;
+}
+//# sourceMappingURL=billing-service.d.ts.map

package/dist/cloud/billing/billing-service.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"billing-service.d.ts","sourceRoot":"","sources":["../../../src/cloud/billing/billing-service.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,KAAK,EAAE,aAAa,EAAE,QAAQ,EAAE,kBAAkB,EAAE,MAAM,oBAAoB,CAAC;AAEtF,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,eAAe,CAAC;AAErD,MAAM,WAAW,kBAAkB;IACjC,MAAM,EAAE,aAAa,CAAC;IACtB,EAAE,EAAE,eAAe,CAAC;CACrB;AAED,MAAM,WAAW,aAAa;IAC5B,OAAO,EAAE,OAAO,CAAC;IACjB,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,KAAK,CAAC,EAAE,MAAM,CAAC;CAChB;AAED,qBAAa,cAAc;IACb,OAAO,CAAC,IAAI;gBAAJ,IAAI,EAAE,kBAAkB;IAE5C;;;OAGG;IACG,oBAAoB,CAAC,KAAK,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC;IAWvF;;OAEG;IACG,WAAW,CAAC,KAAK,EAAE,MAAM,EAAE,OAAO,EAAE,QAAQ,GAAG,OAAO,CAAC,IAAI,CAAC;IAmClE;;OAEG;IACG,aAAa,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAgBjD;;OAEG;IACG,aAAa,CAAC,KAAK,EAAE,kBAAkB,GAAG,OAAO,CAAC,aAAa,CAAC;YAqBxD,iBAAiB;YA2BjB,mBAAmB;YAqBnB,yBAAyB;YA6BzB,yBAAyB;YAuBzB,MAAM;CAcrB"}

package/dist/cloud/billing/billing-service.js

@@ -0,0 +1,153 @@
+/**
+ * Billing Service (S-6.1)
+ *
+ * Handles Stripe customer lifecycle, subscription management,
+ * and webhook processing.
+ */
+import { TIER_CONFIG } from './stripe-client.js';
+export class BillingService {
+    deps;
+    constructor(deps) {
+        this.deps = deps;
+    }
+    /**
+     * Create a Stripe customer for an org (called on org creation).
+     * Stores stripe_customer_id on the orgs table.
+     */
+    async createCustomerForOrg(orgId, email, name) {
+        const customer = await this.deps.stripe.createCustomer(email, name, orgId);
+        await this.deps.db.query(`UPDATE orgs SET stripe_customer_id = $1 WHERE id = $2`, [customer.id, orgId]);
+        return customer.id;
+    }
+    /**
+     * Upgrade an org to a paid plan. Creates a Stripe subscription.
+     */
+    async upgradePlan(orgId, newTier) {
+        if (newTier === 'free') {
+            throw new Error('Cannot upgrade to free tier. Use downgradePlan instead.');
+        }
+        const tierConfig = TIER_CONFIG[newTier];
+        const org = await this.getOrg(orgId);
+        if (!org.stripe_customer_id) {
+            throw new Error('Org has no Stripe customer. Call createCustomerForOrg first.');
+        }
+        // Cancel existing subscription if any
+        if (org.stripe_subscription_id) {
+            await this.deps.stripe.cancelSubscription(org.stripe_subscription_id, false);
+        }
+        // Create new subscription
+        const items = [{ price: tierConfig.price_id }];
+        if (tierConfig.overage_price_id) {
+            items.push({ price: tierConfig.overage_price_id });
+        }
+        const subscription = await this.deps.stripe.createSubscription({
+            customer: org.stripe_customer_id,
+            items,
+        });
+        await this.deps.db.query(`UPDATE orgs SET plan = $1, stripe_subscription_id = $2, event_quota = $3, updated_at = now()
+       WHERE id = $4`, [newTier, subscription.id, tierConfig.event_quota, orgId]);
+    }
+    /**
+     * Downgrade an org (cancels at period end, schedules free tier).
+     */
+    async downgradePlan(orgId) {
+        const org = await this.getOrg(orgId);
+        if (org.stripe_subscription_id) {
+            await this.deps.stripe.cancelSubscription(org.stripe_subscription_id, true);
+        }
+        // Mark as pending downgrade — actual tier change happens via webhook
+        // when subscription period ends. For immediate effect in tests/mock:
+        await this.deps.db.query(`UPDATE orgs SET settings = jsonb_set(COALESCE(settings, '{}'), '{pending_downgrade}', '"free"'), updated_at = now()
+       WHERE id = $1`, [orgId]);
+    }
+    /**
+     * Process a Stripe webhook event.
+     */
+    async handleWebhook(event) {
+        try {
+            switch (event.type) {
+                case 'invoice.paid':
+                    return await this.handleInvoicePaid(event);
+                case 'invoice.payment_failed':
+                    return await this.handlePaymentFailed(event);
+                case 'customer.subscription.updated':
+                    return await this.handleSubscriptionUpdated(event);
+                case 'customer.subscription.deleted':
+                    return await this.handleSubscriptionDeleted(event);
+                default:
+                    return { handled: false, action: 'ignored' };
+            }
+        }
+        catch (err) {
+            return { handled: false, error: String(err) };
+        }
+    }
+    // ── Webhook handlers ──
+    async handleInvoicePaid(event) {
+        const invoice = event.data.object;
+        const stripeInvoiceId = invoice.id;
+        const customerId = invoice.customer;
+        const amountPaid = invoice.amount_paid;
+        const periodStart = invoice.period_start;
+        const periodEnd = invoice.period_end;
+        // Find org by stripe_customer_id
+        const orgResult = await this.deps.db.query(`SELECT id FROM orgs WHERE stripe_customer_id = $1`, [customerId]);
+        const org = orgResult.rows[0];
+        if (!org)
+            return { handled: false, error: 'org_not_found' };
+        // Upsert invoice record
+        await this.deps.db.query(`INSERT INTO invoices (org_id, stripe_invoice_id, period_start, period_end, base_amount_cents, total_amount_cents, status)
+       VALUES ($1, $2, to_timestamp($3), to_timestamp($4), $5, $5, 'paid')
+       ON CONFLICT (stripe_invoice_id) DO UPDATE SET status = 'paid', total_amount_cents = $5`, [org.id, stripeInvoiceId, periodStart, periodEnd, amountPaid]);
+        return { handled: true, action: 'invoice_recorded' };
+    }
+    async handlePaymentFailed(event) {
+        const invoice = event.data.object;
+        const customerId = invoice.customer;
+        const orgResult = await this.deps.db.query(`SELECT id FROM orgs WHERE stripe_customer_id = $1`, [customerId]);
+        const org = orgResult.rows[0];
+        if (!org)
+            return { handled: false, error: 'org_not_found' };
+        // Mark org as past_due in settings
+        await this.deps.db.query(`UPDATE orgs SET settings = jsonb_set(COALESCE(settings, '{}'), '{payment_status}', '"past_due"')
+       WHERE id = $1`, [org.id]);
+        return { handled: true, action: 'payment_failed_recorded' };
+    }
+    async handleSubscriptionUpdated(event) {
+        const sub = event.data.object;
+        const customerId = sub.customer;
+        const subId = sub.id;
+        const cancelAtPeriodEnd = sub.cancel_at_period_end;
+        const orgResult = await this.deps.db.query(`SELECT id FROM orgs WHERE stripe_customer_id = $1`, [customerId]);
+        const org = orgResult.rows[0];
+        if (!org)
+            return { handled: false, error: 'org_not_found' };
+        await this.deps.db.query(`UPDATE orgs SET stripe_subscription_id = $1, updated_at = now() WHERE id = $2`, [subId, org.id]);
+        if (cancelAtPeriodEnd) {
+            await this.deps.db.query(`UPDATE orgs SET settings = jsonb_set(COALESCE(settings, '{}'), '{pending_downgrade}', '"free"')
+         WHERE id = $1`, [org.id]);
+        }
+        return { handled: true, action: 'subscription_updated' };
+    }
+    async handleSubscriptionDeleted(event) {
+        const sub = event.data.object;
+        const customerId = sub.customer;
+        const orgResult = await this.deps.db.query(`SELECT id FROM orgs WHERE stripe_customer_id = $1`, [customerId]);
+        const org = orgResult.rows[0];
+        if (!org)
+            return { handled: false, error: 'org_not_found' };
+        // Downgrade to free
+        await this.deps.db.query(`UPDATE orgs SET plan = 'free', stripe_subscription_id = NULL,
+       event_quota = $1, updated_at = now() WHERE id = $2`, [TIER_CONFIG.free.event_quota, org.id]);
+        return { handled: true, action: 'downgraded_to_free' };
+    }
+    // ── Helpers ──
+    async getOrg(orgId) {
+        const result = await this.deps.db.query(`SELECT id, plan, stripe_customer_id, stripe_subscription_id FROM orgs WHERE id = $1`, [orgId]);
+        const org = result.rows[0];
+        if (!org)
+            throw new Error(`Org ${orgId} not found`);
+        return org;
+    }
+}
+//# sourceMappingURL=billing-service.js.map

package/dist/cloud/billing/billing-service.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"billing-service.js","sourceRoot":"","sources":["../../../src/cloud/billing/billing-service.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAGH,OAAO,EAAE,WAAW,EAAE,MAAM,oBAAoB,CAAC;AAcjD,MAAM,OAAO,cAAc;IACL;IAApB,YAAoB,IAAwB;QAAxB,SAAI,GAAJ,IAAI,CAAoB;IAAG,CAAC;IAEhD;;;OAGG;IACH,KAAK,CAAC,oBAAoB,CAAC,KAAa,EAAE,KAAa,EAAE,IAAY;QACnE,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,cAAc,CAAC,KAAK,EAAE,IAAI,EAAE,KAAK,CAAC,CAAC;QAE3E,MAAM,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,KAAK,CACtB,uDAAuD,EACvD,CAAC,QAAQ,CAAC,EAAE,EAAE,KAAK,CAAC,CACrB,CAAC;QAEF,OAAO,QAAQ,CAAC,EAAE,CAAC;IACrB,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,WAAW,CAAC,KAAa,EAAE,OAAiB;QAChD,IAAI,OAAO,KAAK,MAAM,EAAE,CAAC;YACvB,MAAM,IAAI,KAAK,CAAC,yDAAyD,CAAC,CAAC;QAC7E,CAAC;QAED,MAAM,UAAU,GAAG,WAAW,CAAC,OAAO,CAAC,CAAC;QACxC,MAAM,GAAG,GAAG,MAAM,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;QAErC,IAAI,CAAC,GAAG,CAAC,kBAAkB,EAAE,CAAC;YAC5B,MAAM,IAAI,KAAK,CAAC,8DAA8D,CAAC,CAAC;QAClF,CAAC;QAED,sCAAsC;QACtC,IAAI,GAAG,CAAC,sBAAsB,EAAE,CAAC;YAC/B,MAAM,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,kBAAkB,CAAC,GAAG,CAAC,sBAAsB,EAAE,KAAK,CAAC,CAAC;QAC/E,CAAC;QAED,0BAA0B;QAC1B,MAAM,KAAK,GAA6B,CAAC,EAAE,KAAK,EAAE,UAAU,CAAC,QAAQ,EAAE,CAAC,CAAC;QACzE,IAAI,UAAU,CAAC,gBAAgB,EAAE,CAAC;YAChC,KAAK,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,UAAU,CAAC,gBAAgB,EAAE,CAAC,CAAC;QACrD,CAAC;QAED,MAAM,YAAY,GAAG,MAAM,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,kBAAkB,CAAC;YAC7D,QAAQ,EAAE,GAAG,CAAC,kBAAkB;YAChC,KAAK;SACN,CAAC,CAAC;QAEH,MAAM,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,KAAK,CACtB;qBACe,EACf,CAAC,OAAO,EAAE,YAAY,CAAC,EAAE,EAAE,UAAU,CAAC,WAAW,EAAE,KAAK,CAAC,CAC1D,CAAC;IACJ,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,aAAa,CAAC,KAAa;QAC/B,MAAM,GAAG,GAAG,MAAM,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;QAErC,IAAI,GAAG,CAAC,sBAAsB,EAAE,CAAC;YAC/B,MAAM,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,kBAAkB,CAAC,GAAG,CAAC,sBAAsB,EAAE,IAAI,CAAC,CAAC;QAC9E,CAAC;QAED,qEAAqE;QACrE,qEAAqE;QACrE,MAAM,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,KAAK,CACtB;qBACe,EACf,CAAC,KAAK,CAAC,CACR,CAAC;IACJ,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,aAAa,CAAC,KAAyB;QAC3C,IAAI,CAAC;YACH,QAAQ,KAAK,CAAC,IAAI,EAAE,CAAC;gBACnB,KAAK,cAAc;oBACjB,OAAO,MAAM,IAAI,CAAC,iBAAiB,CAAC,KAAK,CAAC,CAAC;gBAC7C,KAAK,wBAAwB;oBAC3B,OAAO,MAAM,IAAI,CAAC,mBAAmB,CAAC,KAAK,CAAC,CAAC;gBAC/C,KAAK,+BAA+B;oBAClC,OAAO,MAAM,IAAI,CAAC,yBAAyB,CAAC,KAAK,CAAC,CAAC;gBACrD,KAAK,+BAA+B;oBAClC,OAAO,MAAM,IAAI,CAAC,yBAAyB,CAAC,KAAK,CAAC,CAAC;gBACrD;oBACE,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,MAAM,EAAE,SAAS,EAAE,CAAC;YACjD,CAAC;QACH,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,MAAM,CAAC,GAAG,CAAC,EAAE,CAAC;QAChD,CAAC;IACH,CAAC;IAED,yBAAyB;IAEjB,KAAK,CAAC,iBAAiB,CAAC,KAAyB;QACvD,MAAM,OAAO,GAAG,KAAK,CAAC,IAAI,CAAC,MAAiC,CAAC;QAC7D,MAAM,eAAe,GAAG,OAAO,CAAC,EAAY,CAAC;QAC7C,MAAM,UAAU,GAAG,OAAO,CAAC,QAAkB,CAAC;QAC9C,MAAM,UAAU,GAAG,OAAO,CAAC,WAAqB,CAAC;QACjD,MAAM,WAAW,GAAG,OAAO,CAAC,YAAsB,CAAC;QACnD,MAAM,SAAS,GAAG,OAAO,CAAC,UAAoB,CAAC;QAE/C,iCAAiC;QACjC,MAAM,SAAS,GAAG,MAAM,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,KAAK,CACxC,mDAAmD,EACnD,CAAC,UAAU,CAAC,CACb,CAAC;QACF,MAAM,GAAG,GAAI,SAAS,CAAC,IAAc,CAAC,CAAC,CAAC,CAAC;QACzC,IAAI,CAAC,GAAG;YAAE,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,eAAe,EAAE,CAAC;QAE5D,wBAAwB;QACxB,MAAM,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,KAAK,CACtB;;8FAEwF,EACxF,CAAC,GAAG,CAAC,EAAE,EAAE,eAAe,EAAE,WAAW,EAAE,SAAS,EAAE,UAAU,CAAC,CAC9D,CAAC;QAEF,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,MAAM,EAAE,kBAAkB,EAAE,CAAC;IACvD,CAAC;IAEO,KAAK,CAAC,mBAAmB,CAAC,KAAyB;QACzD,MAAM,OAAO,GAAG,KAAK,CAAC,IAAI,CAAC,MAAiC,CAAC;QAC7D,MAAM,UAAU,GAAG,OAAO,CAAC,QAAkB,CAAC;QAE9C,MAAM,SAAS,GAAG,MAAM,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,KAAK,CACxC,mDAAmD,EACnD,CAAC,UAAU,CAAC,CACb,CAAC;QACF,MAAM,GAAG,GAAI,SAAS,CAAC,IAAc,CAAC,CAAC,CAAC,CAAC;QACzC,IAAI,CAAC,GAAG;YAAE,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,eAAe,EAAE,CAAC;QAE5D,mCAAmC;QACnC,MAAM,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,KAAK,CACtB;qBACe,EACf,CAAC,GAAG,CAAC,EAAE,CAAC,CACT,CAAC;QAEF,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,MAAM,EAAE,yBAAyB,EAAE,CAAC;IAC9D,CAAC;IAEO,KAAK,CAAC,yBAAyB,CAAC,KAAyB;QAC/D,MAAM,GAAG,GAAG,KAAK,CAAC,IAAI,CAAC,MAAiC,CAAC;QACzD,MAAM,UAAU,GAAG,GAAG,CAAC,QAAkB,CAAC;QAC1C,MAAM,KAAK,GAAG,GAAG,CAAC,EAAY,CAAC;QAC/B,MAAM,iBAAiB,GAAG,GAAG,CAAC,oBAA+B,CAAC;QAE9D,MAAM,SAAS,GAAG,MAAM,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,KAAK,CACxC,mDAAmD,EACnD,CAAC,UAAU,CAAC,CACb,CAAC;QACF,MAAM,GAAG,GAAI,SAAS,CAAC,IAAc,CAAC,CAAC,CAAC,CAAC;QACzC,IAAI,CAAC,GAAG;YAAE,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,eAAe,EAAE,CAAC;QAE5D,MAAM,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,KAAK,CACtB,+EAA+E,EAC/E,CAAC,KAAK,EAAE,GAAG,CAAC,EAAE,CAAC,CAChB,CAAC;QAEF,IAAI,iBAAiB,EAAE,CAAC;YACtB,MAAM,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,KAAK,CACtB;uBACe,EACf,CAAC,GAAG,CAAC,EAAE,CAAC,CACT,CAAC;QACJ,CAAC;QAED,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,MAAM,EAAE,sBAAsB,EAAE,CAAC;IAC3D,CAAC;IAEO,KAAK,CAAC,yBAAyB,CAAC,KAAyB;QAC/D,MAAM,GAAG,GAAG,KAAK,CAAC,IAAI,CAAC,MAAiC,CAAC;QACzD,MAAM,UAAU,GAAG,GAAG,CAAC,QAAkB,CAAC;QAE1C,MAAM,SAAS,GAAG,MAAM,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,KAAK,CACxC,mDAAmD,EACnD,CAAC,UAAU,CAAC,CACb,CAAC;QACF,MAAM,GAAG,GAAI,SAAS,CAAC,IAAc,CAAC,CAAC,CAAC,CAAC;QACzC,IAAI,CAAC,GAAG;YAAE,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,eAAe,EAAE,CAAC;QAE5D,oBAAoB;QACpB,MAAM,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,KAAK,CACtB;0DACoD,EACpD,CAAC,WAAW,CAAC,IAAI,CAAC,WAAW,EAAE,GAAG,CAAC,EAAE,CAAC,CACvC,CAAC;QAEF,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,MAAM,EAAE,oBAAoB,EAAE,CAAC;IACzD,CAAC;IAED,gBAAgB;IAER,KAAK,CAAC,MAAM,CAAC,KAAa;QAMhC,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,KAAK,CACrC,qFAAqF,EACrF,CAAC,KAAK,CAAC,CACR,CAAC;QACF,MAAM,GAAG,GAAI,MAAM,CAAC,IAAc,CAAC,CAAC,CAAC,CAAC;QACtC,IAAI,CAAC,GAAG;YAAE,MAAM,IAAI,KAAK,CAAC,OAAO,KAAK,YAAY,CAAC,CAAC;QACpD,OAAO,GAAG,CAAC;IACb,CAAC;CACF"}

package/dist/cloud/billing/index.d.ts

@@ -0,0 +1,11 @@
+/**
+ * Billing Module Index (S-6.1 through S-6.6)
+ */
+export { type IStripeClient, type StripeCustomer, type StripeSubscription, type StripeSubscriptionItem, type StripeInvoice, type StripeWebhookEvent, type CreateSubscriptionParams, type UsageRecordParams, type TierName, TIER_CONFIG, MockStripeClient, createStripeClient, } from './stripe-client.js';
+export { BillingService, type BillingServiceDeps, type WebhookResult } from './billing-service.js';
+export { UsageAccumulator, UsageQuery, reportOverageToStripe, type UsageMeteringDeps, type UsageSummary, type RedisUsageStore, } from './usage-metering.js';
+export { QuotaEnforcer, type QuotaCheckResult, type QuotaEnforcerDeps, type OrgQuotaInfo, } from './quota-enforcement.js';
+export { PlanManager, ANNUAL_PRICE_IDS, type PlanManagementDeps, type PlanChangeResult, } from './plan-management.js';
+export { InvoiceService, ANNUAL_DISCOUNT, calculateAnnualPrice, type InvoiceServiceDeps, type InvoiceRecord, type InvoiceLineItem, } from './invoice-service.js';
+export { TrialService, TRIAL_DURATION_DAYS, type TrialServiceDeps, type TrialStatus, } from './trial-service.js';
+//# sourceMappingURL=index.d.ts.map