@cat-factory/integrations 0.6.0

package/dist/modules/providers/ApiKeyService.js

@@ -0,0 +1,122 @@
+import { ConflictError } from '@cat-factory/kernel';
+import { DEFAULT_USAGE_WINDOW_MS, chooseToken } from './providers.logic.js';
+// ApiKeyService: owns the direct-provider API-key pool (OpenAI/Anthropic/Qwen/
+// DeepSeek/Moonshot). Keys are onboarded via the UI and stored *encrypted* (a
+// SecretCipher envelope — never plaintext), replacing the old deployment-env
+// onboarding. A key lives at one of three SCOPES — account, workspace, or user.
+//
+// When a run in a workspace needs a provider key, the candidate pool is the UNION
+// of the workspace's keys, its owning account's keys, and the run initiator's own
+// user keys; leasing is usage-aware (least-loaded wins, see providers.logic).
+// Mirrors ProviderSubscriptionService, with a scope dimension instead of a vendor.
+// Upper bound on live keys per (scope, scopeId, provider). The rotation pool is
+// meant to hold a handful of keys for quota headroom; a generous ceiling keeps the
+// feature usable while bounding accidental/abusive unbounded growth.
+const MAX_KEYS_PER_PROVIDER = 25;
+export class ApiKeyService {
+    deps;
+    constructor(deps) {
+        this.deps = deps;
+    }
+    get windowMs() {
+        return this.deps.usageWindowMs ?? DEFAULT_USAGE_WINDOW_MS;
+    }
+    /** Add a key to a scope's pool. */
+    async addKey(scope, scopeId, input) {
+        const existing = await this.deps.providerApiKeyRepository.listByScope(scope, scopeId, input.provider);
+        if (existing.length >= MAX_KEYS_PER_PROVIDER) {
+            throw new ConflictError(`This ${scope} already has the maximum of ${MAX_KEYS_PER_PROVIDER} ` +
+                `${input.provider} API keys; remove one before adding another`);
+        }
+        const keyCipher = await this.deps.secretCipher.encrypt(input.key);
+        const now = this.deps.clock.now();
+        const record = {
+            id: this.deps.idGenerator.next('apikey'),
+            scope,
+            scopeId,
+            provider: input.provider,
+            label: input.label,
+            keyCipher,
+            createdAt: now,
+            lastUsedAt: null,
+            windowStartedAt: null,
+            inputTokens: 0,
+            outputTokens: 0,
+            requestCount: 0,
+            deletedAt: null,
+        };
+        await this.deps.providerApiKeyRepository.add(record);
+        return toSummary(record);
+    }
+    /** All live keys for a scope (optionally filtered by provider), metadata only. */
+    async listKeys(scope, scopeId, provider) {
+        const rows = await this.deps.providerApiKeyRepository.listByScope(scope, scopeId, provider);
+        return rows.map(toSummary);
+    }
+    /** Remove a key from its scope's pool. */
+    async removeKey(scope, scopeId, id) {
+        await this.deps.providerApiKeyRepository.softDelete(scope, scopeId, id, this.deps.clock.now());
+    }
+    /**
+     * The merged candidate scope segments for a run: the workspace, its owning
+     * account (resolved when not supplied), and the initiator's user, in that order.
+     */
+    async poolScopes(workspaceId, opts) {
+        const scopes = [{ scope: 'workspace', scopeId: workspaceId }];
+        const accountId = opts?.accountId === undefined
+            ? await this.deps.workspaceRepository.accountOf(workspaceId)
+            : opts.accountId;
+        if (accountId)
+            scopes.push({ scope: 'account', scopeId: accountId });
+        if (opts?.userId)
+            scopes.push({ scope: 'user', scopeId: opts.userId });
+        return scopes;
+    }
+    /** Whether the merged pool has at least one live key for a provider. */
+    async hasKey(workspaceId, provider, opts) {
+        const scopes = await this.poolScopes(workspaceId, opts);
+        const rows = await this.deps.providerApiKeyRepository.listForPool(scopes, provider);
+        return rows.length > 0;
+    }
+    /** Distinct providers with at least one live key across the merged pool. */
+    async configuredProviders(workspaceId, opts) {
+        const scopes = await this.poolScopes(workspaceId, opts);
+        return this.deps.providerApiKeyRepository.listConfiguredProviders(scopes);
+    }
+    /**
+     * Lease the least-loaded live key for a provider across the merged pool and
+     * return its decrypted secret. Throws ConflictError when the pool is empty so the
+     * caller can surface a clear "add an API key" error rather than failing deep in
+     * the SDK. Rotation is best-effort, not transactional (see ProviderSubscriptionService).
+     */
+    async lease(workspaceId, provider, opts) {
+        const scopes = await this.poolScopes(workspaceId, opts);
+        const rows = await this.deps.providerApiKeyRepository.listForPool(scopes, provider);
+        const chosen = chooseToken(rows, this.deps.clock.now(), this.windowMs);
+        if (!chosen) {
+            throw new ConflictError(`No ${provider} API key is configured for this workspace, its account, or your user`);
+        }
+        await this.deps.providerApiKeyRepository.markLeased(chosen.id, this.deps.clock.now());
+        const secret = await this.deps.secretCipher.decrypt(chosen.keyCipher);
+        return { keyId: chosen.id, provider, secret };
+    }
+    /** Fold a completed call's usage into the leased key's rolling-window counters. */
+    async recordUsage(keyId, usage) {
+        await this.deps.providerApiKeyRepository.recordUsage(keyId, usage, this.deps.clock.now(), this.windowMs);
+    }
+}
+function toSummary(record) {
+    return {
+        id: record.id,
+        scope: record.scope,
+        scopeId: record.scopeId,
+        provider: record.provider,
+        label: record.label,
+        createdAt: record.createdAt,
+        lastUsedAt: record.lastUsedAt,
+        inputTokens: record.inputTokens,
+        outputTokens: record.outputTokens,
+        requestCount: record.requestCount,
+    };
+}
+//# sourceMappingURL=ApiKeyService.js.map

package/dist/modules/providers/ApiKeyService.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"ApiKeyService.js","sourceRoot":"","sources":["../../../src/modules/providers/ApiKeyService.ts"],"names":[],"mappings":"AAWA,OAAO,EAAE,aAAa,EAAE,MAAM,qBAAqB,CAAA;AACnD,OAAO,EAAE,uBAAuB,EAAE,WAAW,EAAE,MAAM,sBAAsB,CAAA;AAE3E,+EAA+E;AAC/E,8EAA8E;AAC9E,6EAA6E;AAC7E,gFAAgF;AAChF,EAAE;AACF,kFAAkF;AAClF,kFAAkF;AAClF,8EAA8E;AAC9E,mFAAmF;AAEnF,gFAAgF;AAChF,mFAAmF;AACnF,qEAAqE;AACrE,MAAM,qBAAqB,GAAG,EAAE,CAAA;AAyChC,MAAM,OAAO,aAAa;IACK,IAAI;IAAjC,YAA6B,IAA+B;oBAA/B,IAAI;IAA8B,CAAC;IAEhE,IAAY,QAAQ;QAClB,OAAO,IAAI,CAAC,IAAI,CAAC,aAAa,IAAI,uBAAuB,CAAA;IAC3D,CAAC;IAED,mCAAmC;IACnC,KAAK,CAAC,MAAM,CACV,KAAkB,EAClB,OAAe,EACf,KAA+D;QAE/D,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,IAAI,CAAC,wBAAwB,CAAC,WAAW,CACnE,KAAK,EACL,OAAO,EACP,KAAK,CAAC,QAAQ,CACf,CAAA;QACD,IAAI,QAAQ,CAAC,MAAM,IAAI,qBAAqB,EAAE,CAAC;YAC7C,MAAM,IAAI,aAAa,CACrB,QAAQ,KAAK,+BAA+B,qBAAqB,GAAG;gBAClE,GAAG,KAAK,CAAC,QAAQ,6CAA6C,CACjE,CAAA;QACH,CAAC;QACD,MAAM,SAAS,GAAG,MAAM,IAAI,CAAC,IAAI,CAAC,YAAY,CAAC,OAAO,CAAC,KAAK,CAAC,GAAG,CAAC,CAAA;QACjE,MAAM,GAAG,GAAG,IAAI,CAAC,IAAI,CAAC,KAAK,CAAC,GAAG,EAAE,CAAA;QACjC,MAAM,MAAM,GAAyB;YACnC,EAAE,EAAE,IAAI,CAAC,IAAI,CAAC,WAAW,CAAC,IAAI,CAAC,QAAQ,CAAC;YACxC,KAAK;YACL,OAAO;YACP,QAAQ,EAAE,KAAK,CAAC,QAAQ;YACxB,KAAK,EAAE,KAAK,CAAC,KAAK;YAClB,SAAS;YACT,SAAS,EAAE,GAAG;YACd,UAAU,EAAE,IAAI;YAChB,eAAe,EAAE,IAAI;YACrB,WAAW,EAAE,CAAC;YACd,YAAY,EAAE,CAAC;YACf,YAAY,EAAE,CAAC;YACf,SAAS,EAAE,IAAI;SAChB,CAAA;QACD,MAAM,IAAI,CAAC,IAAI,CAAC,wBAAwB,CAAC,GAAG,CAAC,MAAM,CAAC,CAAA;QACpD,OAAO,SAAS,CAAC,MAAM,CAAC,CAAA;IAC1B,CAAC;IAED,kFAAkF;IAClF,KAAK,CAAC,QAAQ,CACZ,KAAkB,EAClB,OAAe,EACf,QAAyB;QAEzB,MAAM,IAAI,GAAG,MAAM,IAAI,CAAC,IAAI,CAAC,wBAAwB,CAAC,WAAW,CAAC,KAAK,EAAE,OAAO,EAAE,QAAQ,CAAC,CAAA;QAC3F,OAAO,IAAI,CAAC,GAAG,CAAC,SAAS,CAAC,CAAA;IAC5B,CAAC;IAED,0CAA0C;IAC1C,KAAK,CAAC,SAAS,CAAC,KAAkB,EAAE,OAAe,EAAE,EAAU;QAC7D,MAAM,IAAI,CAAC,IAAI,CAAC,wBAAwB,CAAC,UAAU,CAAC,KAAK,EAAE,OAAO,EAAE,EAAE,EAAE,IAAI,CAAC,IAAI,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,CAAA;IAChG,CAAC;IAED;;;OAGG;IACK,KAAK,CAAC,UAAU,CAAC,WAAmB,EAAE,IAAoB;QAChE,MAAM,MAAM,GAAqB,CAAC,EAAE,KAAK,EAAE,WAAW,EAAE,OAAO,EAAE,WAAW,EAAE,CAAC,CAAA;QAC/E,MAAM,SAAS,GACb,IAAI,EAAE,SAAS,KAAK,SAAS;YAC3B,CAAC,CAAC,MAAM,IAAI,CAAC,IAAI,CAAC,mBAAmB,CAAC,SAAS,CAAC,WAAW,CAAC;YAC5D,CAAC,CAAC,IAAI,CAAC,SAAS,CAAA;QACpB,IAAI,SAAS;YAAE,MAAM,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,SAAS,EAAE,OAAO,EAAE,SAAS,EAAE,CAAC,CAAA;QACpE,IAAI,IAAI,EAAE,MAAM;YAAE,MAAM,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,MAAM,EAAE,OAAO,EAAE,IAAI,CAAC,MAAM,EAAE,CAAC,CAAA;QACtE,OAAO,MAAM,CAAA;IACf,CAAC;IAED,wEAAwE;IACxE,KAAK,CAAC,MAAM,CACV,WAAmB,EACnB,QAAwB,EACxB,IAAoB;QAEpB,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,UAAU,CAAC,WAAW,EAAE,IAAI,CAAC,CAAA;QACvD,MAAM,IAAI,GAAG,MAAM,IAAI,CAAC,IAAI,CAAC,wBAAwB,CAAC,WAAW,CAAC,MAAM,EAAE,QAAQ,CAAC,CAAA;QACnF,OAAO,IAAI,CAAC,MAAM,GAAG,CAAC,CAAA;IACxB,CAAC;IAED,4EAA4E;IAC5E,KAAK,CAAC,mBAAmB,CAAC,WAAmB,EAAE,IAAoB;QACjE,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,UAAU,CAAC,WAAW,EAAE,IAAI,CAAC,CAAA;QACvD,OAAO,IAAI,CAAC,IAAI,CAAC,wBAAwB,CAAC,uBAAuB,CAAC,MAAM,CAAC,CAAA;IAC3E,CAAC;IAED;;;;;OAKG;IACH,KAAK,CAAC,KAAK,CACT,WAAmB,EACnB,QAAwB,EACxB,IAAoB;QAEpB,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,UAAU,CAAC,WAAW,EAAE,IAAI,CAAC,CAAA;QACvD,MAAM,IAAI,GAAG,MAAM,IAAI,CAAC,IAAI,CAAC,wBAAwB,CAAC,WAAW,CAAC,MAAM,EAAE,QAAQ,CAAC,CAAA;QACnF,MAAM,MAAM,GAAG,WAAW,CAAC,IAAI,EAAE,IAAI,CAAC,IAAI,CAAC,KAAK,CAAC,GAAG,EAAE,EAAE,IAAI,CAAC,QAAQ,CAAC,CAAA;QACtE,IAAI,CAAC,MAAM,EAAE,CAAC;YACZ,MAAM,IAAI,aAAa,CACrB,MAAM,QAAQ,sEAAsE,CACrF,CAAA;QACH,CAAC;QACD,MAAM,IAAI,CAAC,IAAI,CAAC,wBAAwB,CAAC,UAAU,CAAC,MAAM,CAAC,EAAE,EAAE,IAAI,CAAC,IAAI,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,CAAA;QACrF,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,IAAI,CAAC,YAAY,CAAC,OAAO,CAAC,MAAM,CAAC,SAAS,CAAC,CAAA;QACrE,OAAO,EAAE,KAAK,EAAE,MAAM,CAAC,EAAE,EAAE,QAAQ,EAAE,MAAM,EAAE,CAAA;IAC/C,CAAC;IAED,mFAAmF;IACnF,KAAK,CAAC,WAAW,CACf,KAAa,EACb,KAAoD;QAEpD,MAAM,IAAI,CAAC,IAAI,CAAC,wBAAwB,CAAC,WAAW,CAClD,KAAK,EACL,KAAK,EACL,IAAI,CAAC,IAAI,CAAC,KAAK,CAAC,GAAG,EAAE,EACrB,IAAI,CAAC,QAAQ,CACd,CAAA;IACH,CAAC;CACF;AAED,SAAS,SAAS,CAAC,MAA4B;IAC7C,OAAO;QACL,EAAE,EAAE,MAAM,CAAC,EAAE;QACb,KAAK,EAAE,MAAM,CAAC,KAAK;QACnB,OAAO,EAAE,MAAM,CAAC,OAAO;QACvB,QAAQ,EAAE,MAAM,CAAC,QAAQ;QACzB,KAAK,EAAE,MAAM,CAAC,KAAK;QACnB,SAAS,EAAE,MAAM,CAAC,SAAS;QAC3B,UAAU,EAAE,MAAM,CAAC,UAAU;QAC7B,WAAW,EAAE,MAAM,CAAC,WAAW;QAC/B,YAAY,EAAE,MAAM,CAAC,YAAY;QACjC,YAAY,EAAE,MAAM,CAAC,YAAY;KAClC,CAAA;AACH,CAAC"}

package/dist/modules/providers/LocalModelEndpointService.d.ts

@@ -0,0 +1,52 @@
+import type { Clock, LocalModelEndpointRepository, SecretCipher } from '@cat-factory/kernel';
+import type { LocalModelEndpoint, LocalModelEndpointTestResult, LocalRunner, TestLocalModelEndpointInput, UpsertLocalModelEndpointInput } from '@cat-factory/contracts';
+export interface LocalModelEndpointServiceDependencies {
+    localModelEndpointRepository: LocalModelEndpointRepository;
+    /** System encryption layer (master key) for the optional bearer key at rest. */
+    secretCipher: SecretCipher;
+    clock: Clock;
+    /** Injected for tests; defaults to the global fetch. */
+    fetch?: typeof fetch;
+}
+/** A resolved endpoint for the run-time path: base URL + the decrypted optional key. */
+export interface ResolvedLocalEndpoint {
+    provider: LocalRunner;
+    baseUrl: string;
+    apiKey: string | null;
+}
+export declare class LocalModelEndpointService {
+    private readonly deps;
+    constructor(deps: LocalModelEndpointServiceDependencies);
+    /** Every endpoint the user has configured (key-free wire shape). */
+    list(userId: string): Promise<LocalModelEndpoint[]>;
+    /** Create or replace the user's endpoint for a runner. */
+    upsert(userId: string, input: UpsertLocalModelEndpointInput): Promise<LocalModelEndpoint>;
+    /** Remove the user's endpoint for a runner. */
+    remove(userId: string, provider: LocalRunner): Promise<void>;
+    /**
+     * The set of local-runner providers the user has configured with ≥1 enabled model,
+     * plus the enabled models per provider — the input to the per-user model catalog.
+     */
+    capabilitiesFor(userId: string): Promise<{
+        provider: LocalRunner;
+        label: string;
+        models: string[];
+    }[]>;
+    /**
+     * Resolve a user's endpoint for run-time forwarding: base URL + decrypted optional key.
+     * Used by the LLM proxy, keyed by the run initiator + the locked provider.
+     */
+    resolve(userId: string, provider: string): Promise<ResolvedLocalEndpoint | null>;
+    /**
+     * All of a user's endpoints resolved for run-time forwarding (base URL + decrypted
+     * optional key). Used by the inline model provider to register the user's runners.
+     */
+    listResolved(userId: string): Promise<ResolvedLocalEndpoint[]>;
+    /**
+     * Probe a runner's OpenAI-compatible `/models` endpoint server-side, returning
+     * reachability + the model ids it serves. Never throws — failures are reported as
+     * `{ reachable: false, error }` so the UI can surface them.
+     */
+    testConnection(input: TestLocalModelEndpointInput): Promise<LocalModelEndpointTestResult>;
+}
+//# sourceMappingURL=LocalModelEndpointService.d.ts.map

package/dist/modules/providers/LocalModelEndpointService.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"LocalModelEndpointService.d.ts","sourceRoot":"","sources":["../../../src/modules/providers/LocalModelEndpointService.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EACV,KAAK,EAEL,4BAA4B,EAC5B,YAAY,EACb,MAAM,qBAAqB,CAAA;AAE5B,OAAO,KAAK,EACV,kBAAkB,EAClB,4BAA4B,EAC5B,WAAW,EACX,2BAA2B,EAC3B,6BAA6B,EAC9B,MAAM,wBAAwB,CAAA;AAe/B,MAAM,WAAW,qCAAqC;IACpD,4BAA4B,EAAE,4BAA4B,CAAA;IAC1D,gFAAgF;IAChF,YAAY,EAAE,YAAY,CAAA;IAC1B,KAAK,EAAE,KAAK,CAAA;IACZ,wDAAwD;IACxD,KAAK,CAAC,EAAE,OAAO,KAAK,CAAA;CACrB;AAED,wFAAwF;AACxF,MAAM,WAAW,qBAAqB;IACpC,QAAQ,EAAE,WAAW,CAAA;IACrB,OAAO,EAAE,MAAM,CAAA;IACf,MAAM,EAAE,MAAM,GAAG,IAAI,CAAA;CACtB;AAED,qBAAa,yBAAyB;IACxB,OAAO,CAAC,QAAQ,CAAC,IAAI;IAAjC,YAA6B,IAAI,EAAE,qCAAqC,EAAI;IAE5E,oEAAoE;IAC9D,IAAI,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,kBAAkB,EAAE,CAAC,CAGxD;IAED,0DAA0D;IACpD,MAAM,CAAC,MAAM,EAAE,MAAM,EAAE,KAAK,EAAE,6BAA6B,GAAG,OAAO,CAAC,kBAAkB,CAAC,CA8B9F;IAED,+CAA+C;IACzC,MAAM,CAAC,MAAM,EAAE,MAAM,EAAE,QAAQ,EAAE,WAAW,GAAG,OAAO,CAAC,IAAI,CAAC,CAEjE;IAED;;;OAGG;IACG,eAAe,CACnB,MAAM,EAAE,MAAM,GACb,OAAO,CAAC;QAAE,QAAQ,EAAE,WAAW,CAAC;QAAC,KAAK,EAAE,MAAM,CAAC;QAAC,MAAM,EAAE,MAAM,EAAE,CAAA;KAAE,EAAE,CAAC,CAKvE;IAED;;;OAGG;IACG,OAAO,CAAC,MAAM,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,qBAAqB,GAAG,IAAI,CAAC,CAUrF;IAED;;;OAGG;IACG,YAAY,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,qBAAqB,EAAE,CAAC,CAUnE;IAED;;;;OAIG;IACG,cAAc,CAAC,KAAK,EAAE,2BAA2B,GAAG,OAAO,CAAC,4BAA4B,CAAC,CAsB9F;CACF"}

package/dist/modules/providers/LocalModelEndpointService.js

@@ -0,0 +1,131 @@
+import { getErrorMessage, ValidationError } from '@cat-factory/kernel';
+import { LOCAL_RUNNER_LABELS } from '@cat-factory/contracts';
+import { localRunnerUrlError } from './localModelUrl.js';
+export class LocalModelEndpointService {
+    deps;
+    constructor(deps) {
+        this.deps = deps;
+    }
+    /** Every endpoint the user has configured (key-free wire shape). */
+    async list(userId) {
+        const rows = await this.deps.localModelEndpointRepository.listByUser(userId);
+        return rows.map((r) => toWire(r));
+    }
+    /** Create or replace the user's endpoint for a runner. */
+    async upsert(userId, input) {
+        // SSRF guard: the stored base URL is later forwarded to server-side (the LLM proxy +
+        // inline provider resolve it by the run initiator), so reject a non-local host here at
+        // the write boundary — the run-time paths then trust the persisted URL.
+        const urlError = localRunnerUrlError(input.baseUrl);
+        if (urlError)
+            throw new ValidationError(urlError);
+        const now = this.deps.clock.now();
+        const existing = await this.deps.localModelEndpointRepository.getByUserProvider(userId, input.provider);
+        // An omitted apiKey keeps the stored one; an explicit empty string clears it.
+        const apiKeyCipher = input.apiKey === undefined
+            ? (existing?.apiKeyCipher ?? null)
+            : input.apiKey.length > 0
+                ? await this.deps.secretCipher.encrypt(input.apiKey)
+                : null;
+        const record = {
+            userId,
+            provider: input.provider,
+            label: input.label?.trim() || LOCAL_RUNNER_LABELS[input.provider],
+            baseUrl: input.baseUrl,
+            apiKeyCipher,
+            models: dedupe(input.models),
+            createdAt: existing?.createdAt ?? now,
+            updatedAt: now,
+        };
+        await this.deps.localModelEndpointRepository.upsert(record);
+        return toWire(record);
+    }
+    /** Remove the user's endpoint for a runner. */
+    async remove(userId, provider) {
+        await this.deps.localModelEndpointRepository.remove(userId, provider);
+    }
+    /**
+     * The set of local-runner providers the user has configured with ≥1 enabled model,
+     * plus the enabled models per provider — the input to the per-user model catalog.
+     */
+    async capabilitiesFor(userId) {
+        const rows = await this.deps.localModelEndpointRepository.listByUser(userId);
+        return rows
+            .filter((r) => r.models.length > 0)
+            .map((r) => ({ provider: r.provider, label: r.label, models: r.models }));
+    }
+    /**
+     * Resolve a user's endpoint for run-time forwarding: base URL + decrypted optional key.
+     * Used by the LLM proxy, keyed by the run initiator + the locked provider.
+     */
+    async resolve(userId, provider) {
+        const record = await this.deps.localModelEndpointRepository.getByUserProvider(userId, provider);
+        if (!record)
+            return null;
+        const apiKey = record.apiKeyCipher
+            ? await this.deps.secretCipher.decrypt(record.apiKeyCipher)
+            : null;
+        return { provider: record.provider, baseUrl: record.baseUrl, apiKey };
+    }
+    /**
+     * All of a user's endpoints resolved for run-time forwarding (base URL + decrypted
+     * optional key). Used by the inline model provider to register the user's runners.
+     */
+    async listResolved(userId) {
+        const rows = await this.deps.localModelEndpointRepository.listByUser(userId);
+        const out = [];
+        for (const record of rows) {
+            const apiKey = record.apiKeyCipher
+                ? await this.deps.secretCipher.decrypt(record.apiKeyCipher)
+                : null;
+            out.push({ provider: record.provider, baseUrl: record.baseUrl, apiKey });
+        }
+        return out;
+    }
+    /**
+     * Probe a runner's OpenAI-compatible `/models` endpoint server-side, returning
+     * reachability + the model ids it serves. Never throws — failures are reported as
+     * `{ reachable: false, error }` so the UI can surface them.
+     */
+    async testConnection(input) {
+        // SSRF guard: this probe forwards to a user-supplied URL server-side, so refuse a
+        // non-local host before issuing the fetch (same allow-list as `upsert`).
+        const urlError = localRunnerUrlError(input.baseUrl);
+        if (urlError)
+            return { reachable: false, models: [], error: urlError };
+        const doFetch = this.deps.fetch ?? fetch;
+        const url = `${input.baseUrl.replace(/\/+$/, '')}/models`;
+        try {
+            const headers = {};
+            if (input.apiKey)
+                headers.authorization = `Bearer ${input.apiKey}`;
+            const res = await doFetch(url, { headers, signal: AbortSignal.timeout(8000) });
+            if (!res.ok) {
+                return { reachable: false, models: [], error: `Runner returned HTTP ${res.status}` };
+            }
+            const body = (await res.json());
+            const models = Array.isArray(body.data)
+                ? body.data.map((m) => String(m?.id ?? '')).filter(Boolean)
+                : [];
+            return { reachable: true, models };
+        }
+        catch (err) {
+            return { reachable: false, models: [], error: getErrorMessage(err) };
+        }
+    }
+}
+function toWire(record) {
+    return {
+        provider: record.provider,
+        label: record.label,
+        baseUrl: record.baseUrl,
+        hasApiKey: record.apiKeyCipher !== null,
+        models: record.models,
+        createdAt: record.createdAt,
+        updatedAt: record.updatedAt,
+    };
+}
+function dedupe(models) {
+    return [...new Set(models.map((m) => m.trim()).filter(Boolean))];
+}
+//# sourceMappingURL=LocalModelEndpointService.js.map

package/dist/modules/providers/LocalModelEndpointService.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"LocalModelEndpointService.js","sourceRoot":"","sources":["../../../src/modules/providers/LocalModelEndpointService.ts"],"names":[],"mappings":"AAMA,OAAO,EAAE,eAAe,EAAE,eAAe,EAAE,MAAM,qBAAqB,CAAA;AAQtE,OAAO,EAAE,mBAAmB,EAAE,MAAM,wBAAwB,CAAA;AAC5D,OAAO,EAAE,mBAAmB,EAAE,MAAM,oBAAoB,CAAA;AA6BxD,MAAM,OAAO,yBAAyB;IACP,IAAI;IAAjC,YAA6B,IAA2C;oBAA3C,IAAI;IAA0C,CAAC;IAE5E,oEAAoE;IACpE,KAAK,CAAC,IAAI,CAAC,MAAc;QACvB,MAAM,IAAI,GAAG,MAAM,IAAI,CAAC,IAAI,CAAC,4BAA4B,CAAC,UAAU,CAAC,MAAM,CAAC,CAAA;QAC5E,OAAO,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,CAAA;IACnC,CAAC;IAED,0DAA0D;IAC1D,KAAK,CAAC,MAAM,CAAC,MAAc,EAAE,KAAoC;QAC/D,qFAAqF;QACrF,uFAAuF;QACvF,wEAAwE;QACxE,MAAM,QAAQ,GAAG,mBAAmB,CAAC,KAAK,CAAC,OAAO,CAAC,CAAA;QACnD,IAAI,QAAQ;YAAE,MAAM,IAAI,eAAe,CAAC,QAAQ,CAAC,CAAA;QACjD,MAAM,GAAG,GAAG,IAAI,CAAC,IAAI,CAAC,KAAK,CAAC,GAAG,EAAE,CAAA;QACjC,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,IAAI,CAAC,4BAA4B,CAAC,iBAAiB,CAC7E,MAAM,EACN,KAAK,CAAC,QAAQ,CACf,CAAA;QACD,8EAA8E;QAC9E,MAAM,YAAY,GAChB,KAAK,CAAC,MAAM,KAAK,SAAS;YACxB,CAAC,CAAC,CAAC,QAAQ,EAAE,YAAY,IAAI,IAAI,CAAC;YAClC,CAAC,CAAC,KAAK,CAAC,MAAM,CAAC,MAAM,GAAG,CAAC;gBACvB,CAAC,CAAC,MAAM,IAAI,CAAC,IAAI,CAAC,YAAY,CAAC,OAAO,CAAC,KAAK,CAAC,MAAM,CAAC;gBACpD,CAAC,CAAC,IAAI,CAAA;QACZ,MAAM,MAAM,GAA6B;YACvC,MAAM;YACN,QAAQ,EAAE,KAAK,CAAC,QAAQ;YACxB,KAAK,EAAE,KAAK,CAAC,KAAK,EAAE,IAAI,EAAE,IAAI,mBAAmB,CAAC,KAAK,CAAC,QAAQ,CAAC;YACjE,OAAO,EAAE,KAAK,CAAC,OAAO;YACtB,YAAY;YACZ,MAAM,EAAE,MAAM,CAAC,KAAK,CAAC,MAAM,CAAC;YAC5B,SAAS,EAAE,QAAQ,EAAE,SAAS,IAAI,GAAG;YACrC,SAAS,EAAE,GAAG;SACf,CAAA;QACD,MAAM,IAAI,CAAC,IAAI,CAAC,4BAA4B,CAAC,MAAM,CAAC,MAAM,CAAC,CAAA;QAC3D,OAAO,MAAM,CAAC,MAAM,CAAC,CAAA;IACvB,CAAC;IAED,+CAA+C;IAC/C,KAAK,CAAC,MAAM,CAAC,MAAc,EAAE,QAAqB;QAChD,MAAM,IAAI,CAAC,IAAI,CAAC,4BAA4B,CAAC,MAAM,CAAC,MAAM,EAAE,QAAQ,CAAC,CAAA;IACvE,CAAC;IAED;;;OAGG;IACH,KAAK,CAAC,eAAe,CACnB,MAAc;QAEd,MAAM,IAAI,GAAG,MAAM,IAAI,CAAC,IAAI,CAAC,4BAA4B,CAAC,UAAU,CAAC,MAAM,CAAC,CAAA;QAC5E,OAAO,IAAI;aACR,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,MAAM,CAAC,MAAM,GAAG,CAAC,CAAC;aAClC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,EAAE,QAAQ,EAAE,CAAC,CAAC,QAAQ,EAAE,KAAK,EAAE,CAAC,CAAC,KAAK,EAAE,MAAM,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,CAAC,CAAA;IAC7E,CAAC;IAED;;;OAGG;IACH,KAAK,CAAC,OAAO,CAAC,MAAc,EAAE,QAAgB;QAC5C,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,IAAI,CAAC,4BAA4B,CAAC,iBAAiB,CAC3E,MAAM,EACN,QAAuB,CACxB,CAAA;QACD,IAAI,CAAC,MAAM;YAAE,OAAO,IAAI,CAAA;QACxB,MAAM,MAAM,GAAG,MAAM,CAAC,YAAY;YAChC,CAAC,CAAC,MAAM,IAAI,CAAC,IAAI,CAAC,YAAY,CAAC,OAAO,CAAC,MAAM,CAAC,YAAY,CAAC;YAC3D,CAAC,CAAC,IAAI,CAAA;QACR,OAAO,EAAE,QAAQ,EAAE,MAAM,CAAC,QAAQ,EAAE,OAAO,EAAE,MAAM,CAAC,OAAO,EAAE,MAAM,EAAE,CAAA;IACvE,CAAC;IAED;;;OAGG;IACH,KAAK,CAAC,YAAY,CAAC,MAAc;QAC/B,MAAM,IAAI,GAAG,MAAM,IAAI,CAAC,IAAI,CAAC,4BAA4B,CAAC,UAAU,CAAC,MAAM,CAAC,CAAA;QAC5E,MAAM,GAAG,GAA4B,EAAE,CAAA;QACvC,KAAK,MAAM,MAAM,IAAI,IAAI,EAAE,CAAC;YAC1B,MAAM,MAAM,GAAG,MAAM,CAAC,YAAY;gBAChC,CAAC,CAAC,MAAM,IAAI,CAAC,IAAI,CAAC,YAAY,CAAC,OAAO,CAAC,MAAM,CAAC,YAAY,CAAC;gBAC3D,CAAC,CAAC,IAAI,CAAA;YACR,GAAG,CAAC,IAAI,CAAC,EAAE,QAAQ,EAAE,MAAM,CAAC,QAAQ,EAAE,OAAO,EAAE,MAAM,CAAC,OAAO,EAAE,MAAM,EAAE,CAAC,CAAA;QAC1E,CAAC;QACD,OAAO,GAAG,CAAA;IACZ,CAAC;IAED;;;;OAIG;IACH,KAAK,CAAC,cAAc,CAAC,KAAkC;QACrD,kFAAkF;QAClF,yEAAyE;QACzE,MAAM,QAAQ,GAAG,mBAAmB,CAAC,KAAK,CAAC,OAAO,CAAC,CAAA;QACnD,IAAI,QAAQ;YAAE,OAAO,EAAE,SAAS,EAAE,KAAK,EAAE,MAAM,EAAE,EAAE,EAAE,KAAK,EAAE,QAAQ,EAAE,CAAA;QACtE,MAAM,OAAO,GAAG,IAAI,CAAC,IAAI,CAAC,KAAK,IAAI,KAAK,CAAA;QACxC,MAAM,GAAG,GAAG,GAAG,KAAK,CAAC,OAAO,CAAC,OAAO,CAAC,MAAM,EAAE,EAAE,CAAC,SAAS,CAAA;QACzD,IAAI,CAAC;YACH,MAAM,OAAO,GAA2B,EAAE,CAAA;YAC1C,IAAI,KAAK,CAAC,MAAM;gBAAE,OAAO,CAAC,aAAa,GAAG,UAAU,KAAK,CAAC,MAAM,EAAE,CAAA;YAClE,MAAM,GAAG,GAAG,MAAM,OAAO,CAAC,GAAG,EAAE,EAAE,OAAO,EAAE,MAAM,EAAE,WAAW,CAAC,OAAO,CAAC,IAAI,CAAC,EAAE,CAAC,CAAA;YAC9E,IAAI,CAAC,GAAG,CAAC,EAAE,EAAE,CAAC;gBACZ,OAAO,EAAE,SAAS,EAAE,KAAK,EAAE,MAAM,EAAE,EAAE,EAAE,KAAK,EAAE,wBAAwB,GAAG,CAAC,MAAM,EAAE,EAAE,CAAA;YACtF,CAAC;YACD,MAAM,IAAI,GAAG,CAAC,MAAM,GAAG,CAAC,IAAI,EAAE,CAAkC,CAAA;YAChE,MAAM,MAAM,GAAG,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC;gBACrC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,MAAM,CAAC,CAAC,EAAE,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC;gBAC3D,CAAC,CAAC,EAAE,CAAA;YACN,OAAO,EAAE,SAAS,EAAE,IAAI,EAAE,MAAM,EAAE,CAAA;QACpC,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,OAAO,EAAE,SAAS,EAAE,KAAK,EAAE,MAAM,EAAE,EAAE,EAAE,KAAK,EAAE,eAAe,CAAC,GAAG,CAAC,EAAE,CAAA;QACtE,CAAC;IACH,CAAC;CACF;AAED,SAAS,MAAM,CAAC,MAAgC;IAC9C,OAAO;QACL,QAAQ,EAAE,MAAM,CAAC,QAAQ;QACzB,KAAK,EAAE,MAAM,CAAC,KAAK;QACnB,OAAO,EAAE,MAAM,CAAC,OAAO;QACvB,SAAS,EAAE,MAAM,CAAC,YAAY,KAAK,IAAI;QACvC,MAAM,EAAE,MAAM,CAAC,MAAM;QACrB,SAAS,EAAE,MAAM,CAAC,SAAS;QAC3B,SAAS,EAAE,MAAM,CAAC,SAAS;KAC5B,CAAA;AACH,CAAC;AAED,SAAS,MAAM,CAAC,MAAgB;IAC9B,OAAO,CAAC,GAAG,IAAI,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC,CAAC,CAAA;AAClE,CAAC"}

package/dist/modules/providers/PersonalSubscriptionService.d.ts

@@ -0,0 +1,94 @@
+import type { Clock, IdGenerator, PersonalSecretCipher, PersonalSubscriptionRecord, PersonalSubscriptionRepository, SecretCipher, SubscriptionActivationRepository, SubscriptionVendor } from '@cat-factory/kernel';
+import type { PersonalSubscriptionStatus, StorePersonalSubscriptionInput } from '@cat-factory/contracts';
+/**
+ * Default per-run activation lifetime (~12h). This bounds the window in which the
+ * raw token is recoverable with the SYSTEM key alone (the activation has no password
+ * layer), so it is kept deliberately short. It does NOT need to cover a long run: a
+ * healthy run deletes its activation the moment it finishes, and any run a user keeps
+ * tending transparently RE-MINTS the activation on each interaction (resolve/approve/
+ * retry) from the password cached client-side — so the user is only re-prompted once
+ * that cache lapses, never because the activation TTL did. 12h is simply long enough to
+ * cover a fully-autonomous run (no human touch-points to re-mint at) while keeping the
+ * stuck/abandoned-run exposure window an order of magnitude tighter than a week.
+ */
+export declare const DEFAULT_ACTIVATION_TTL_MS: number;
+/** Surface "renew your subscription" once it expires within this horizon (~7 days). */
+export declare const DEFAULT_RENEW_WARNING_MS: number;
+export interface PersonalSubscriptionServiceDependencies {
+    personalSubscriptionRepository: PersonalSubscriptionRepository;
+    subscriptionActivationRepository: SubscriptionActivationRepository;
+    /** System encryption layer (master key); applied OUTSIDE the password layer. */
+    secretCipher: SecretCipher;
+    /** Password-derived encryption layer; the password is never stored. */
+    personalCipher: PersonalSecretCipher;
+    idGenerator: IdGenerator;
+    clock: Clock;
+    activationTtlMs?: number;
+    renewWarningMs?: number;
+}
+/** A leased personal credential for a run step — the decrypted raw token. */
+export interface LeasedPersonalToken {
+    vendor: SubscriptionVendor;
+    secret: string;
+}
+export declare class PersonalSubscriptionService {
+    private readonly deps;
+    constructor(deps: PersonalSubscriptionServiceDependencies);
+    private get activationTtlMs();
+    private get renewWarningMs();
+    private assertIndividual;
+    /** Store (or replace) the user's personal credential for an individual-usage vendor. */
+    store(userId: string, input: StorePersonalSubscriptionInput): Promise<PersonalSubscriptionStatus>;
+    /**
+     * Enforce ONE personal password across all of a user's individual-usage subscriptions.
+     * The run gate unlocks every vendor a single run touches with the SAME password (and the
+     * client caches just one), so a second credential sealed under a different password would
+     * be silently un-unlockable in any run that uses both. Rather than let that latent
+     * dead-end ship, we verify the new password decrypts an existing (non-expired) credential
+     * and reject up-front otherwise. No-op for the user's first credential. The check unlocks
+     * an arbitrary existing credential purely to compare the password — nothing is persisted.
+     */
+    private assertSamePasswordAsOthers;
+    /** Every personal subscription the user has, metadata only (never the secret). */
+    list(userId: string): Promise<PersonalSubscriptionStatus[]>;
+    /** Whether the user has a live personal credential for the vendor. */
+    has(userId: string, vendor: SubscriptionVendor): Promise<boolean>;
+    /** Remove the user's personal credential for a vendor. */
+    remove(userId: string, vendor: SubscriptionVendor): Promise<void>;
+    /**
+     * Decrypt the user's credential with their password, returning the raw token.
+     * Throws a {@link CredentialRequiredError} when there's no credential, the
+     * subscription has lapsed, or the password is wrong. Does NOT persist anything.
+     */
+    unlock(userId: string, vendor: SubscriptionVendor, password: string): Promise<string>;
+    /**
+     * Mint a per-run activation: unlock the credential with the password, re-encrypt the
+     * raw token with the system key only, and store it scoped to the run with a TTL so
+     * every (async) step of that run can use it without the password. Idempotent —
+     * replaces any prior activation for the run+user+vendor.
+     */
+    activateForRun(executionId: string, userId: string, vendor: SubscriptionVendor, password: string): Promise<void>;
+    /**
+     * Lease the run's activated token for a step. Throws a {@link CredentialRequiredError}
+     * (`password_required`) when the run has no live activation — the dispatch path turns
+     * that into a clear, retriable failure (the user re-enters their password on retry).
+     */
+    leaseForRun(executionId: string, userId: string, vendor: SubscriptionVendor): Promise<LeasedPersonalToken>;
+    /** Whether the run currently has a live activation for the user+vendor. */
+    hasActivation(executionId: string, userId: string, vendor: SubscriptionVendor): Promise<boolean>;
+    /**
+     * On user interaction with a run (approve/retry/etc.), extend its activation TTL when
+     * it is at least half spent, so an actively-tended long run doesn't lapse. No-op when
+     * the run has no activation.
+     */
+    refreshActivations(executionId: string, userId: string): Promise<void>;
+    private activatedVendors;
+    /** Delete every activation for a finished run (called when a run terminates). */
+    clearRun(executionId: string): Promise<void>;
+    /** Delete activations whose TTL has passed. Returns the count (for the sweep log). */
+    sweepExpiredActivations(): Promise<number>;
+    /** Live subscriptions expiring within the renewal-warning horizon (for the nudge sweep). */
+    expiringSubscriptions(): Promise<PersonalSubscriptionRecord[]>;
+    private toStatus;
+}
+//# sourceMappingURL=PersonalSubscriptionService.d.ts.map

package/dist/modules/providers/PersonalSubscriptionService.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"PersonalSubscriptionService.d.ts","sourceRoot":"","sources":["../../../src/modules/providers/PersonalSubscriptionService.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EACV,KAAK,EACL,WAAW,EACX,oBAAoB,EACpB,0BAA0B,EAC1B,8BAA8B,EAC9B,YAAY,EAEZ,gCAAgC,EAChC,kBAAkB,EACnB,MAAM,qBAAqB,CAAA;AAQ5B,OAAO,KAAK,EACV,0BAA0B,EAC1B,8BAA8B,EAC/B,MAAM,wBAAwB,CAAA;AAa/B;;;;;;;;;;GAUG;AACH,eAAO,MAAM,yBAAyB,QAAsB,CAAA;AAC5D,uFAAuF;AACvF,eAAO,MAAM,wBAAwB,QAA0B,CAAA;AAE/D,MAAM,WAAW,uCAAuC;IACtD,8BAA8B,EAAE,8BAA8B,CAAA;IAC9D,gCAAgC,EAAE,gCAAgC,CAAA;IAClE,gFAAgF;IAChF,YAAY,EAAE,YAAY,CAAA;IAC1B,uEAAuE;IACvE,cAAc,EAAE,oBAAoB,CAAA;IACpC,WAAW,EAAE,WAAW,CAAA;IACxB,KAAK,EAAE,KAAK,CAAA;IACZ,eAAe,CAAC,EAAE,MAAM,CAAA;IACxB,cAAc,CAAC,EAAE,MAAM,CAAA;CACxB;AAED,6EAA6E;AAC7E,MAAM,WAAW,mBAAmB;IAClC,MAAM,EAAE,kBAAkB,CAAA;IAC1B,MAAM,EAAE,MAAM,CAAA;CACf;AAED,qBAAa,2BAA2B;IAC1B,OAAO,CAAC,QAAQ,CAAC,IAAI;IAAjC,YAA6B,IAAI,EAAE,uCAAuC,EAAI;IAE9E,OAAO,KAAK,eAAe,GAE1B;IACD,OAAO,KAAK,cAAc,GAEzB;IAED,OAAO,CAAC,gBAAgB;IASxB,wFAAwF;IAClF,KAAK,CACT,MAAM,EAAE,MAAM,EACd,KAAK,EAAE,8BAA8B,GACpC,OAAO,CAAC,0BAA0B,CAAC,CAwBrC;IAED;;;;;;;;OAQG;YACW,0BAA0B;IAsBxC,kFAAkF;IAC5E,IAAI,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,0BAA0B,EAAE,CAAC,CAIhE;IAED,sEAAsE;IAChE,GAAG,CAAC,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,kBAAkB,GAAG,OAAO,CAAC,OAAO,CAAC,CAEtE;IAED,0DAA0D;IACpD,MAAM,CAAC,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,kBAAkB,GAAG,OAAO,CAAC,IAAI,CAAC,CAEtE;IAED;;;;OAIG;IACG,MAAM,CAAC,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,kBAAkB,EAAE,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,CAwB1F;IAED;;;;;OAKG;IACG,cAAc,CAClB,WAAW,EAAE,MAAM,EACnB,MAAM,EAAE,MAAM,EACd,MAAM,EAAE,kBAAkB,EAC1B,QAAQ,EAAE,MAAM,GACf,OAAO,CAAC,IAAI,CAAC,CAef;IAED;;;;OAIG;IACG,WAAW,CACf,WAAW,EAAE,MAAM,EACnB,MAAM,EAAE,MAAM,EACd,MAAM,EAAE,kBAAkB,GACzB,OAAO,CAAC,mBAAmB,CAAC,CAgB9B;IAED,2EAA2E;IACrE,aAAa,CACjB,WAAW,EAAE,MAAM,EACnB,MAAM,EAAE,MAAM,EACd,MAAM,EAAE,kBAAkB,GACzB,OAAO,CAAC,OAAO,CAAC,CASlB;IAED;;;;OAIG;IACG,kBAAkB,CAAC,WAAW,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAU3E;YAEa,gBAAgB;IAqB9B,iFAAiF;IAC3E,QAAQ,CAAC,WAAW,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAEjD;IAED,sFAAsF;IAChF,uBAAuB,IAAI,OAAO,CAAC,MAAM,CAAC,CAE/C;IAED,4FAA4F;IACtF,qBAAqB,IAAI,OAAO,CAAC,0BAA0B,EAAE,CAAC,CAGnE;IAED,OAAO,CAAC,QAAQ;CAiBjB"}

package/dist/modules/providers/PersonalSubscriptionService.js

@@ -0,0 +1,218 @@
+import { CredentialRequiredError, getErrorMessage, INDIVIDUAL_VENDORS, isIndividualVendor, ValidationError, } from '@cat-factory/kernel';
+// PersonalSubscriptionService: owns each USER's individual-usage subscription
+// credentials (Claude / GLM / Codex) — the per-user analogue of the per-workspace
+// ProviderSubscriptionService pool. The credential is stored DOUBLE-encrypted
+// (`secretCipher.encrypt(personalCipher.seal(token, password))`), so it cannot be
+// recovered without BOTH the system key AND the user's personal password. To let
+// asynchronous container steps use it without the user present, the user supplies
+// their password at task start/retry to mint a short-lived, per-run ACTIVATION
+// (the token re-encrypted with the system key only), which the run's steps lease.
+//
+// See docs/individual-subscription-usage.md for the full model + safeguards.
+/**
+ * Default per-run activation lifetime (~12h). This bounds the window in which the
+ * raw token is recoverable with the SYSTEM key alone (the activation has no password
+ * layer), so it is kept deliberately short. It does NOT need to cover a long run: a
+ * healthy run deletes its activation the moment it finishes, and any run a user keeps
+ * tending transparently RE-MINTS the activation on each interaction (resolve/approve/
+ * retry) from the password cached client-side — so the user is only re-prompted once
+ * that cache lapses, never because the activation TTL did. 12h is simply long enough to
+ * cover a fully-autonomous run (no human touch-points to re-mint at) while keeping the
+ * stuck/abandoned-run exposure window an order of magnitude tighter than a week.
+ */
+export const DEFAULT_ACTIVATION_TTL_MS = 12 * 60 * 60 * 1000;
+/** Surface "renew your subscription" once it expires within this horizon (~7 days). */
+export const DEFAULT_RENEW_WARNING_MS = 7 * 24 * 60 * 60 * 1000;
+export class PersonalSubscriptionService {
+    deps;
+    constructor(deps) {
+        this.deps = deps;
+    }
+    get activationTtlMs() {
+        return this.deps.activationTtlMs ?? DEFAULT_ACTIVATION_TTL_MS;
+    }
+    get renewWarningMs() {
+        return this.deps.renewWarningMs ?? DEFAULT_RENEW_WARNING_MS;
+    }
+    assertIndividual(vendor) {
+        if (!isIndividualVendor(vendor)) {
+            throw new CredentialRequiredError(`Vendor '${vendor}' is not an individual-usage subscription; use the workspace credential pool instead.`, { vendor, reason: 'no_subscription' });
+        }
+    }
+    /** Store (or replace) the user's personal credential for an individual-usage vendor. */
+    async store(userId, input) {
+        this.assertIndividual(input.vendor);
+        await this.assertSamePasswordAsOthers(userId, input.vendor, input.password);
+        const sealed = await this.deps.personalCipher.seal(input.token, input.password);
+        const tokenCipher = await this.deps.secretCipher.encrypt(sealed);
+        const now = this.deps.clock.now();
+        const existing = await this.deps.personalSubscriptionRepository.getByUserVendor(userId, input.vendor);
+        const record = {
+            id: existing?.id ?? this.deps.idGenerator.next('psub'),
+            userId,
+            vendor: input.vendor,
+            label: input.label,
+            tokenCipher,
+            expiresAt: input.expiresAt ?? null,
+            createdAt: existing?.createdAt ?? now,
+            updatedAt: now,
+            lastUsedAt: existing?.lastUsedAt ?? null,
+            deletedAt: null,
+        };
+        await this.deps.personalSubscriptionRepository.upsert(record);
+        return this.toStatus(record, now);
+    }
+    /**
+     * Enforce ONE personal password across all of a user's individual-usage subscriptions.
+     * The run gate unlocks every vendor a single run touches with the SAME password (and the
+     * client caches just one), so a second credential sealed under a different password would
+     * be silently un-unlockable in any run that uses both. Rather than let that latent
+     * dead-end ship, we verify the new password decrypts an existing (non-expired) credential
+     * and reject up-front otherwise. No-op for the user's first credential. The check unlocks
+     * an arbitrary existing credential purely to compare the password — nothing is persisted.
+     */
+    async assertSamePasswordAsOthers(userId, vendor, password) {
+        const now = this.deps.clock.now();
+        const other = (await this.deps.personalSubscriptionRepository.listByUser(userId)).find((r) => r.vendor !== vendor && (r.expiresAt === null || r.expiresAt > now));
+        if (!other)
+            return;
+        const sealed = await this.deps.secretCipher.decrypt(other.tokenCipher);
+        try {
+            await this.deps.personalCipher.open(sealed, password);
+        }
+        catch {
+            throw new ValidationError(`This personal password doesn't match your other connected subscription(s). Use the ` +
+                `same personal password for all of them — one run unlocks every individual-usage ` +
+                `vendor it touches with a single password — or remove the others first.`);
+        }
+    }
+    /** Every personal subscription the user has, metadata only (never the secret). */
+    async list(userId) {
+        const now = this.deps.clock.now();
+        const rows = await this.deps.personalSubscriptionRepository.listByUser(userId);
+        return rows.map((r) => this.toStatus(r, now));
+    }
+    /** Whether the user has a live personal credential for the vendor. */
+    async has(userId, vendor) {
+        return (await this.deps.personalSubscriptionRepository.getByUserVendor(userId, vendor)) !== null;
+    }
+    /** Remove the user's personal credential for a vendor. */
+    async remove(userId, vendor) {
+        await this.deps.personalSubscriptionRepository.softDelete(userId, vendor, this.deps.clock.now());
+    }
+    /**
+     * Decrypt the user's credential with their password, returning the raw token.
+     * Throws a {@link CredentialRequiredError} when there's no credential, the
+     * subscription has lapsed, or the password is wrong. Does NOT persist anything.
+     */
+    async unlock(userId, vendor, password) {
+        const record = await this.deps.personalSubscriptionRepository.getByUserVendor(userId, vendor);
+        if (!record) {
+            throw new CredentialRequiredError(`No personal ${vendor} subscription is connected for this user.`, { vendor, reason: 'no_subscription' });
+        }
+        const now = this.deps.clock.now();
+        if (record.expiresAt !== null && record.expiresAt <= now) {
+            throw new CredentialRequiredError(`Your ${vendor} subscription expired; renew it before starting runs that use it.`, { vendor, reason: 'subscription_expired' });
+        }
+        const sealed = await this.deps.secretCipher.decrypt(record.tokenCipher);
+        try {
+            return await this.deps.personalCipher.open(sealed, password);
+        }
+        catch (error) {
+            throw new CredentialRequiredError(`Incorrect personal password for your ${vendor} subscription (${getErrorMessage(error)}).`, { vendor, reason: 'wrong_password' });
+        }
+    }
+    /**
+     * Mint a per-run activation: unlock the credential with the password, re-encrypt the
+     * raw token with the system key only, and store it scoped to the run with a TTL so
+     * every (async) step of that run can use it without the password. Idempotent —
+     * replaces any prior activation for the run+user+vendor.
+     */
+    async activateForRun(executionId, userId, vendor, password) {
+        const token = await this.unlock(userId, vendor, password);
+        const now = this.deps.clock.now();
+        const tokenCipher = await this.deps.secretCipher.encrypt(token);
+        const record = {
+            id: this.deps.idGenerator.next('act'),
+            executionId,
+            userId,
+            vendor,
+            tokenCipher,
+            createdAt: now,
+            expiresAt: now + this.activationTtlMs,
+        };
+        await this.deps.subscriptionActivationRepository.upsert(record);
+        await this.deps.personalSubscriptionRepository.markUsed(userId, vendor, now);
+    }
+    /**
+     * Lease the run's activated token for a step. Throws a {@link CredentialRequiredError}
+     * (`password_required`) when the run has no live activation — the dispatch path turns
+     * that into a clear, retriable failure (the user re-enters their password on retry).
+     */
+    async leaseForRun(executionId, userId, vendor) {
+        const now = this.deps.clock.now();
+        const activation = await this.deps.subscriptionActivationRepository.get(executionId, userId, vendor, now);
+        if (!activation) {
+            throw new CredentialRequiredError(`This run has no active ${vendor} credential; re-enter your personal password to continue.`, { vendor, reason: 'password_required' });
+        }
+        const secret = await this.deps.secretCipher.decrypt(activation.tokenCipher);
+        return { vendor, secret };
+    }
+    /** Whether the run currently has a live activation for the user+vendor. */
+    async hasActivation(executionId, userId, vendor) {
+        return ((await this.deps.subscriptionActivationRepository.get(executionId, userId, vendor, this.deps.clock.now())) !== null);
+    }
+    /**
+     * On user interaction with a run (approve/retry/etc.), extend its activation TTL when
+     * it is at least half spent, so an actively-tended long run doesn't lapse. No-op when
+     * the run has no activation.
+     */
+    async refreshActivations(executionId, userId) {
+        const now = this.deps.clock.now();
+        for (const vendor of await this.activatedVendors(executionId, userId, now)) {
+            await this.deps.subscriptionActivationRepository.refresh(executionId, userId, vendor, now + this.activationTtlMs);
+        }
+    }
+    async activatedVendors(executionId, userId, now) {
+        const out = [];
+        // Only individual-usage vendors are ever activated; refresh those that are present
+        // and at least half through their TTL. Driven off INDIVIDUAL_VENDORS (the kernel's
+        // single source of truth) so a newly individual-only vendor is covered automatically.
+        for (const vendor of INDIVIDUAL_VENDORS) {
+            const a = await this.deps.subscriptionActivationRepository.get(executionId, userId, vendor, now);
+            if (a && a.expiresAt - now <= this.activationTtlMs / 2)
+                out.push(vendor);
+        }
+        return out;
+    }
+    /** Delete every activation for a finished run (called when a run terminates). */
+    async clearRun(executionId) {
+        await this.deps.subscriptionActivationRepository.deleteByExecution(executionId);
+    }
+    /** Delete activations whose TTL has passed. Returns the count (for the sweep log). */
+    async sweepExpiredActivations() {
+        return this.deps.subscriptionActivationRepository.deleteExpired(this.deps.clock.now());
+    }
+    /** Live subscriptions expiring within the renewal-warning horizon (for the nudge sweep). */
+    async expiringSubscriptions() {
+        const now = this.deps.clock.now();
+        return this.deps.personalSubscriptionRepository.listExpiring(now, now + this.renewWarningMs);
+    }
+    toStatus(record, now) {
+        const expiresInDays = record.expiresAt === null
+            ? null
+            : Math.floor((record.expiresAt - now) / (24 * 60 * 60 * 1000));
+        return {
+            vendor: record.vendor,
+            label: record.label,
+            createdAt: record.createdAt,
+            updatedAt: record.updatedAt,
+            lastUsedAt: record.lastUsedAt,
+            expiresAt: record.expiresAt,
+            expiresInDays,
+            expired: record.expiresAt !== null && record.expiresAt <= now,
+            renewSoon: record.expiresAt !== null && record.expiresAt <= now + this.renewWarningMs,
+        };
+    }
+}
+//# sourceMappingURL=PersonalSubscriptionService.js.map