@doccov/api 0.3.6 → 0.4.0

package/CHANGELOG.md

@@ -1,5 +1,18 @@
 # @doccov/api
 
+## 0.4.0
+
+### Minor Changes
+
+- feat: add platform auth, billing, org management & coverage tracking
+
+## 0.3.7
+
+### Patch Changes
+
+- Updated dependencies
+  - @doccov/sdk@0.15.0
+
 ## 0.3.6
 
 ### Patch Changes

package/api/index.ts

@@ -183,7 +183,6 @@ function wrapLocalBinary(
         return { cmd: 'yarn', args: [cmd, ...args] }; // yarn runs local bins directly
       case 'bun':
         return { cmd: 'bunx', args: [cmd, ...args] };
-      case 'npm':
       default:
         return { cmd: 'npx', args: [cmd, ...args] };
     }
@@ -670,7 +669,11 @@ async function handleExecute(req: VercelRequest, res: VercelResponse): Promise<v
 
       try {
         const normalizedCwd = normalizeCwd(step.cwd);
-        const { cmd, args } = wrapLocalBinary(step.command, step.args, plan.environment.packageManager);
+        const { cmd, args } = wrapLocalBinary(
+          step.command,
+          step.args,
+          plan.environment.packageManager,
+        );
         const result = await sandbox.runCommand({
           cmd,
           args,
@@ -711,7 +714,7 @@ async function handleExecute(req: VercelRequest, res: VercelResponse): Promise<v
     const analyzeCwd = normalizeCwd(plan.target.rootPath);
 
     // If running in a subdirectory (rootPath), strip the rootPath prefix from entryPoint
-    if (plan.target.rootPath && entryPoint.startsWith(plan.target.rootPath + '/')) {
+    if (plan.target.rootPath && entryPoint.startsWith(`${plan.target.rootPath}/`)) {
       entryPoint = entryPoint.slice(plan.target.rootPath.length + 1);
     }
 
@@ -837,7 +840,11 @@ async function handleExecuteStream(req: VercelRequest, res: VercelResponse): Pro
 
       try {
         const normalizedCwd = normalizeCwd(step.cwd);
-        const { cmd, args } = wrapLocalBinary(step.command, step.args, plan.environment.packageManager);
+        const { cmd, args } = wrapLocalBinary(
+          step.command,
+          step.args,
+          plan.environment.packageManager,
+        );
         const result = await sandbox.runCommand({
           cmd,
           args,
@@ -891,7 +898,7 @@ async function handleExecuteStream(req: VercelRequest, res: VercelResponse): Pro
 
     // If running in a subdirectory (rootPath), strip the rootPath prefix from entryPoint
     // e.g., rootPath="packages/v0-sdk", entryPoint="packages/v0-sdk/src/index.ts" -> "src/index.ts"
-    if (plan.target.rootPath && entryPoint.startsWith(plan.target.rootPath + '/')) {
+    if (plan.target.rootPath && entryPoint.startsWith(`${plan.target.rootPath}/`)) {
       entryPoint = entryPoint.slice(plan.target.rootPath.length + 1);
     }
 

package/migrations/001_initial.ts

@@ -0,0 +1,151 @@
+import type { Kysely } from 'kysely';
+
+export async function up(db: Kysely<unknown>): Promise<void> {
+  // Users (Better Auth)
+  await db.schema
+    .createTable('users')
+    .addColumn('id', 'text', (col) => col.primaryKey())
+    .addColumn('email', 'text', (col) => col.notNull().unique())
+    .addColumn('email_verified', 'boolean', (col) => col.defaultTo(false))
+    .addColumn('name', 'text')
+    .addColumn('image', 'text')
+    .addColumn('github_id', 'text', (col) => col.unique())
+    .addColumn('github_username', 'text')
+    .addColumn('plan', 'text', (col) => col.defaultTo('free'))
+    .addColumn('stripe_customer_id', 'text')
+    .addColumn('created_at', 'timestamptz', (col) => col.defaultTo(db.fn('now')))
+    .addColumn('updated_at', 'timestamptz', (col) => col.defaultTo(db.fn('now')))
+    .execute();
+
+  // Sessions (Better Auth)
+  await db.schema
+    .createTable('sessions')
+    .addColumn('id', 'text', (col) => col.primaryKey())
+    .addColumn('user_id', 'text', (col) => col.notNull().references('users.id').onDelete('cascade'))
+    .addColumn('token', 'text', (col) => col.notNull().unique())
+    .addColumn('expires_at', 'timestamptz', (col) => col.notNull())
+    .addColumn('ip_address', 'text')
+    .addColumn('user_agent', 'text')
+    .addColumn('created_at', 'timestamptz', (col) => col.defaultTo(db.fn('now')))
+    .addColumn('updated_at', 'timestamptz', (col) => col.defaultTo(db.fn('now')))
+    .execute();
+
+  // Accounts (Better Auth OAuth)
+  await db.schema
+    .createTable('accounts')
+    .addColumn('id', 'text', (col) => col.primaryKey())
+    .addColumn('user_id', 'text', (col) => col.notNull().references('users.id').onDelete('cascade'))
+    .addColumn('account_id', 'text', (col) => col.notNull())
+    .addColumn('provider_id', 'text', (col) => col.notNull())
+    .addColumn('access_token', 'text')
+    .addColumn('refresh_token', 'text')
+    .addColumn('access_token_expires_at', 'timestamptz')
+    .addColumn('refresh_token_expires_at', 'timestamptz')
+    .addColumn('scope', 'text')
+    .addColumn('id_token', 'text')
+    .addColumn('created_at', 'timestamptz', (col) => col.defaultTo(db.fn('now')))
+    .addColumn('updated_at', 'timestamptz', (col) => col.defaultTo(db.fn('now')))
+    .execute();
+
+  // Organizations
+  await db.schema
+    .createTable('organizations')
+    .addColumn('id', 'text', (col) => col.primaryKey())
+    .addColumn('name', 'text', (col) => col.notNull())
+    .addColumn('slug', 'text', (col) => col.notNull().unique())
+    .addColumn('is_personal', 'boolean', (col) => col.defaultTo(false))
+    .addColumn('github_org', 'text')
+    .addColumn('github_installation_id', 'text')
+    .addColumn('plan', 'text', (col) => col.defaultTo('free'))
+    .addColumn('stripe_subscription_id', 'text')
+    .addColumn('ai_calls_used', 'integer', (col) => col.defaultTo(0))
+    .addColumn('ai_calls_reset_at', 'timestamptz')
+    .addColumn('created_at', 'timestamptz', (col) => col.defaultTo(db.fn('now')))
+    .execute();
+
+  // Org Members
+  await db.schema
+    .createTable('org_members')
+    .addColumn('id', 'text', (col) => col.primaryKey())
+    .addColumn('org_id', 'text', (col) =>
+      col.notNull().references('organizations.id').onDelete('cascade'),
+    )
+    .addColumn('user_id', 'text', (col) => col.notNull().references('users.id').onDelete('cascade'))
+    .addColumn('role', 'text', (col) => col.defaultTo('member'))
+    .addColumn('created_at', 'timestamptz', (col) => col.defaultTo(db.fn('now')))
+    .execute();
+
+  // API Keys
+  await db.schema
+    .createTable('api_keys')
+    .addColumn('id', 'text', (col) => col.primaryKey())
+    .addColumn('org_id', 'text', (col) =>
+      col.notNull().references('organizations.id').onDelete('cascade'),
+    )
+    .addColumn('name', 'text', (col) => col.notNull())
+    .addColumn('key_hash', 'text', (col) => col.notNull())
+    .addColumn('key_prefix', 'text', (col) => col.notNull())
+    .addColumn('scopes', 'text')
+    .addColumn('last_used_at', 'timestamptz')
+    .addColumn('expires_at', 'timestamptz')
+    .addColumn('created_at', 'timestamptz', (col) => col.defaultTo(db.fn('now')))
+    .execute();
+
+  // Projects
+  await db.schema
+    .createTable('projects')
+    .addColumn('id', 'text', (col) => col.primaryKey())
+    .addColumn('org_id', 'text', (col) =>
+      col.notNull().references('organizations.id').onDelete('cascade'),
+    )
+    .addColumn('name', 'text', (col) => col.notNull())
+    .addColumn('full_name', 'text', (col) => col.notNull())
+    .addColumn('is_private', 'boolean', (col) => col.defaultTo(false))
+    .addColumn('default_branch', 'text', (col) => col.defaultTo('main'))
+    .addColumn('coverage_score', 'integer')
+    .addColumn('drift_count', 'integer')
+    .addColumn('last_analyzed_at', 'timestamptz')
+    .addColumn('created_at', 'timestamptz', (col) => col.defaultTo(db.fn('now')))
+    .execute();
+
+  // Usage Records
+  await db.schema
+    .createTable('usage_records')
+    .addColumn('id', 'text', (col) => col.primaryKey())
+    .addColumn('org_id', 'text', (col) =>
+      col.notNull().references('organizations.id').onDelete('cascade'),
+    )
+    .addColumn('feature', 'text', (col) => col.notNull())
+    .addColumn('count', 'integer', (col) => col.defaultTo(1))
+    .addColumn('metadata', 'text')
+    .addColumn('created_at', 'timestamptz', (col) => col.defaultTo(db.fn('now')))
+    .execute();
+
+  // Indexes
+  await db.schema.createIndex('idx_sessions_user_id').on('sessions').column('user_id').execute();
+  await db.schema.createIndex('idx_sessions_token').on('sessions').column('token').execute();
+  await db.schema.createIndex('idx_accounts_user_id').on('accounts').column('user_id').execute();
+  await db.schema
+    .createIndex('idx_org_members_org_id')
+    .on('org_members')
+    .column('org_id')
+    .execute();
+  await db.schema
+    .createIndex('idx_org_members_user_id')
+    .on('org_members')
+    .column('user_id')
+    .execute();
+  await db.schema.createIndex('idx_projects_org_id').on('projects').column('org_id').execute();
+  await db.schema.createIndex('idx_api_keys_org_id').on('api_keys').column('org_id').execute();
+}
+
+export async function down(db: Kysely<unknown>): Promise<void> {
+  await db.schema.dropTable('usage_records').execute();
+  await db.schema.dropTable('projects').execute();
+  await db.schema.dropTable('api_keys').execute();
+  await db.schema.dropTable('org_members').execute();
+  await db.schema.dropTable('organizations').execute();
+  await db.schema.dropTable('accounts').execute();
+  await db.schema.dropTable('sessions').execute();
+  await db.schema.dropTable('users').execute();
+}

package/migrations/002_polar_billing.ts

@@ -0,0 +1,17 @@
+import type { Kysely } from 'kysely';
+
+export async function up(db: Kysely<unknown>): Promise<void> {
+  await db.schema
+    .alterTable('organizations')
+    .addColumn('polar_customer_id', 'text')
+    .addColumn('polar_subscription_id', 'text')
+    .execute();
+}
+
+export async function down(db: Kysely<unknown>): Promise<void> {
+  await db.schema
+    .alterTable('organizations')
+    .dropColumn('polar_customer_id')
+    .dropColumn('polar_subscription_id')
+    .execute();
+}

package/migrations/003_verification_table.ts

@@ -0,0 +1,18 @@
+import type { Kysely } from 'kysely';
+
+export async function up(db: Kysely<unknown>): Promise<void> {
+  // Verification table required by better-auth for OAuth state
+  await db.schema
+    .createTable('verification')
+    .addColumn('id', 'text', (col) => col.primaryKey())
+    .addColumn('identifier', 'text', (col) => col.notNull())
+    .addColumn('value', 'text', (col) => col.notNull())
+    .addColumn('expires_at', 'timestamptz', (col) => col.notNull())
+    .addColumn('created_at', 'timestamptz', (col) => col.defaultTo(db.fn('now')))
+    .addColumn('updated_at', 'timestamptz', (col) => col.defaultTo(db.fn('now')))
+    .execute();
+}
+
+export async function down(db: Kysely<unknown>): Promise<void> {
+  await db.schema.dropTable('verification').execute();
+}

package/migrations/004_rename_tables_singular.ts

@@ -0,0 +1,14 @@
+import type { Kysely } from 'kysely';
+
+export async function up(db: Kysely<unknown>): Promise<void> {
+  // Better-auth expects singular table names
+  await db.schema.alterTable('users').renameTo('user').execute();
+  await db.schema.alterTable('sessions').renameTo('session').execute();
+  await db.schema.alterTable('accounts').renameTo('account').execute();
+}
+
+export async function down(db: Kysely<unknown>): Promise<void> {
+  await db.schema.alterTable('user').renameTo('users').execute();
+  await db.schema.alterTable('session').renameTo('sessions').execute();
+  await db.schema.alterTable('account').renameTo('accounts').execute();
+}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@doccov/api",
-  "version": "0.3.6",
+  "version": "0.4.0",
   "description": "DocCov API - Badge endpoint and coverage services",
   "keywords": [
     "doccov",
@@ -19,25 +19,36 @@
   "author": "Ryan Waits",
   "type": "module",
   "scripts": {
-    "dev": "bun run --hot src/index.ts",
+    "dev": "bun run --hot src/server.ts",
     "start": "bun run src/index.ts",
+    "server": "bun run src/server.ts",
+    "migrate": "bun run src/db/migrate.ts",
     "lint": "biome check src/ api/",
     "lint:fix": "biome check --write src/ api/",
     "format": "biome format --write src/ api/"
   },
   "dependencies": {
     "@ai-sdk/anthropic": "^2.0.55",
-    "@doccov/sdk": "^0.13.0",
+    "@doccov/db": "workspace:*",
+    "@doccov/sdk": "^0.15.0",
+    "@hono/node-server": "^1.14.3",
     "@openpkg-ts/spec": "^0.9.0",
+    "@polar-sh/hono": "^0.5.3",
     "@vercel/sandbox": "^1.0.3",
     "ai": "^5.0.111",
+    "better-auth": "^1.2.8",
+    "hono": "^4.7.10",
+    "kysely": "^0.27.4",
     "ms": "^2.1.3",
+    "nanoid": "^5.0.0",
+    "pg": "^8.13.0",
     "zod": "^3.25.0"
   },
   "devDependencies": {
     "@types/bun": "latest",
     "@types/ms": "^0.7.34",
     "@types/node": "^20.0.0",
+    "@types/pg": "^8.11.0",
     "@vercel/node": "^3.0.0",
     "typescript": "^5.0.0"
   }

package/src/auth/config.ts

@@ -0,0 +1,53 @@
+import { betterAuth } from 'better-auth';
+import { db } from '../db/client';
+import { createPersonalOrg } from './hooks';
+
+export const auth = betterAuth({
+  basePath: '/auth',
+
+  database: {
+    db,
+    type: 'postgres',
+  },
+
+  emailAndPassword: {
+    enabled: false,
+  },
+
+  socialProviders: {
+    github: {
+      clientId: process.env.GITHUB_CLIENT_ID!,
+      clientSecret: process.env.GITHUB_CLIENT_SECRET!,
+      scope: ['user:email', 'read:org'],
+    },
+  },
+
+  session: {
+    expiresIn: 60 * 60 * 24 * 30, // 30 days
+    updateAge: 60 * 60 * 24, // 24 hours
+  },
+
+  user: {
+    additionalFields: {
+      githubId: { type: 'string', required: false },
+      githubUsername: { type: 'string', required: false },
+      plan: { type: 'string', defaultValue: 'free' },
+      stripeCustomerId: { type: 'string', required: false },
+    },
+  },
+
+  databaseHooks: {
+    user: {
+      create: {
+        after: async (user) => {
+          // Create personal org for new users
+          await createPersonalOrg(user.id, user.name, user.email);
+        },
+      },
+    },
+  },
+
+  trustedOrigins: [process.env.SITE_URL || 'http://localhost:3000'],
+});
+
+export type Auth = typeof auth;

package/src/auth/hooks.ts

@@ -0,0 +1,45 @@
+import { nanoid } from 'nanoid';
+import { db } from '../db/client';
+
+export async function createPersonalOrg(userId: string, userName: string | null, email: string) {
+  const orgId = nanoid(21);
+  const baseName = userName || email.split('@')[0];
+  const slug = baseName
+    .toLowerCase()
+    .replace(/[^a-z0-9]+/g, '-')
+    .replace(/^-|-$/g, '')
+    .slice(0, 32);
+
+  // Ensure unique slug
+  const existing = await db
+    .selectFrom('organizations')
+    .where('slug', '=', slug)
+    .select('id')
+    .executeTakeFirst();
+
+  const finalSlug = existing ? `${slug}-${nanoid(6)}` : slug;
+
+  await db
+    .insertInto('organizations')
+    .values({
+      id: orgId,
+      name: baseName,
+      slug: finalSlug,
+      isPersonal: true,
+      plan: 'free',
+      aiCallsUsed: 0,
+    })
+    .execute();
+
+  await db
+    .insertInto('org_members')
+    .values({
+      id: nanoid(21),
+      orgId: orgId,
+      userId: userId,
+      role: 'owner',
+    })
+    .execute();
+
+  return orgId;
+}

package/src/db/client.ts

@@ -0,0 +1,15 @@
+import type { Database } from '@doccov/db';
+import { CamelCasePlugin, Kysely, PostgresDialect } from 'kysely';
+import { Pool } from 'pg';
+
+const pool = new Pool({
+  connectionString: process.env.DATABASE_URL,
+  max: 10,
+});
+
+export const db = new Kysely<Database>({
+  dialect: new PostgresDialect({ pool }),
+  plugins: [new CamelCasePlugin()],
+});
+
+export type DB = typeof db;

package/src/db/migrate.ts

@@ -0,0 +1,38 @@
+import { promises as fs } from 'node:fs';
+import path from 'node:path';
+import { FileMigrationProvider, Migrator } from 'kysely';
+import { db } from './client';
+
+const migrator = new Migrator({
+  db,
+  provider: new FileMigrationProvider({
+    fs,
+    path,
+    migrationFolder: path.join(import.meta.dirname, '../../migrations'),
+  }),
+});
+
+export async function runMigrations() {
+  const { error, results } = await migrator.migrateToLatest();
+
+  results?.forEach((it) => {
+    if (it.status === 'Success') {
+      console.log(`Migration "${it.migrationName}" executed successfully`);
+    } else if (it.status === 'Error') {
+      console.error(`Migration "${it.migrationName}" failed`);
+    }
+  });
+
+  if (error) {
+    console.error('Migration failed:', error);
+    process.exit(1);
+  }
+}
+
+// CLI entry point
+if (import.meta.main) {
+  runMigrations().then(() => {
+    console.log('Migrations complete');
+    process.exit(0);
+  });
+}

package/src/index.ts

@@ -1,13 +1,28 @@
 import { Hono } from 'hono';
 import { cors } from 'hono/cors';
+import { logger } from 'hono/logger';
+import { requireApiKey } from './middleware/api-key-auth';
+import { orgRateLimit } from './middleware/org-rate-limit';
 import { rateLimit } from './middleware/rate-limit';
+import { apiKeysRoute } from './routes/api-keys';
+import { authRoute } from './routes/auth';
 import { badgeRoute } from './routes/badge';
+import { billingRoute } from './routes/billing';
+import { coverageRoute } from './routes/coverage';
+import { orgsRoute } from './routes/orgs';
 import { planRoute } from './routes/plan';
 
 const app = new Hono();
 
 // Middleware
-app.use('*', cors());
+app.use('*', logger());
+app.use(
+  '*',
+  cors({
+    origin: process.env.SITE_URL || 'http://localhost:3000',
+    credentials: true,
+  }),
+);
 
 // Rate limit /plan endpoint: 10 requests per minute per IP
 app.use(
@@ -23,12 +38,16 @@ app.use(
 app.get('/', (c) => {
   return c.json({
     name: 'DocCov API',
-    version: '0.4.0',
+    version: '0.5.0',
     endpoints: {
+      auth: '/auth/*',
+      apiKeys: '/api-keys/*',
       badge: '/badge/:owner/:repo',
+      billing: '/billing/*',
+      coverage: '/coverage/*',
+      orgs: '/orgs/*',
       plan: '/plan',
-      execute: '/execute',
-      'execute-stream': '/execute-stream',
+      v1: '/v1/* (API key required)',
       health: '/health',
     },
   });
@@ -38,9 +57,20 @@ app.get('/health', (c) => {
   return c.json({ status: 'ok', timestamp: new Date().toISOString() });
 });
 
-// Routes
+// Public endpoints (no auth)
 app.route('/badge', badgeRoute);
+
+// Dashboard endpoints (session auth)
+app.route('/auth', authRoute);
+app.route('/api-keys', apiKeysRoute);
+app.route('/billing', billingRoute);
+app.route('/coverage', coverageRoute);
+app.route('/orgs', orgsRoute);
 app.route('/plan', planRoute);
 
+// API endpoints (API key required)
+app.use('/v1/*', requireApiKey(), orgRateLimit());
+// TODO: app.route('/v1/analyze', analyzeRoute);
+
 // Vercel serverless handler + Bun auto-serves this export
 export default app;

package/src/middleware/api-key-auth.ts

@@ -0,0 +1,94 @@
+import type { Context, MiddlewareHandler, Next } from 'hono';
+import { db } from '../db/client';
+import { hashApiKey, isValidKeyFormat } from '../utils/api-keys';
+
+export interface ApiKeyContext {
+  apiKey: { id: string; orgId: string; name: string };
+  org: { id: string; plan: string; aiCallsUsed: number; aiCallsResetAt: Date | null };
+}
+
+/**
+ * Required API key authentication for /v1/* endpoints
+ * Rejects requests without valid API key
+ */
+export function requireApiKey(): MiddlewareHandler {
+  return async (c: Context, next: Next) => {
+    const authHeader = c.req.header('Authorization');
+
+    if (!authHeader) {
+      return c.json(
+        {
+          error: 'API key required',
+          docs: 'https://docs.doccov.com/api-keys',
+        },
+        401,
+      );
+    }
+
+    if (!authHeader.startsWith('Bearer ')) {
+      return c.json({ error: 'Invalid Authorization header. Use: Bearer <api_key>' }, 401);
+    }
+
+    const key = authHeader.slice(7);
+
+    if (!isValidKeyFormat(key)) {
+      return c.json({ error: 'Invalid API key format' }, 401);
+    }
+
+    const keyHash = hashApiKey(key);
+
+    const result = await db
+      .selectFrom('api_keys')
+      .innerJoin('organizations', 'organizations.id', 'api_keys.orgId')
+      .where('api_keys.keyHash', '=', keyHash)
+      .where((eb) =>
+        eb.or([eb('api_keys.expiresAt', 'is', null), eb('api_keys.expiresAt', '>', new Date())]),
+      )
+      .select([
+        'api_keys.id as keyId',
+        'api_keys.orgId',
+        'api_keys.name as keyName',
+        'organizations.plan',
+        'organizations.aiCallsUsed',
+        'organizations.aiCallsResetAt',
+      ])
+      .executeTakeFirst();
+
+    if (!result) {
+      return c.json({ error: 'Invalid or expired API key' }, 401);
+    }
+
+    // Free tier shouldn't have API keys, but guard anyway
+    if (result.plan === 'free') {
+      return c.json(
+        {
+          error: 'API access requires a paid plan',
+          upgrade: 'https://doccov.com/pricing',
+        },
+        403,
+      );
+    }
+
+    // Update last used (async, don't block)
+    db.updateTable('api_keys')
+      .set({ lastUsedAt: new Date() })
+      .where('id', '=', result.keyId)
+      .execute()
+      .catch(console.error);
+
+    c.set('apiKey', {
+      id: result.keyId,
+      orgId: result.orgId,
+      name: result.keyName,
+    });
+
+    c.set('org', {
+      id: result.orgId,
+      plan: result.plan,
+      aiCallsUsed: result.aiCallsUsed,
+      aiCallsResetAt: result.aiCallsResetAt,
+    });
+
+    await next();
+  };
+}