@equilateral_ai/mindmeld 3.3.1 → 3.5.0

package/src/handlers/standards/standardsTransition.js

@@ -1,17 +1,95 @@
 /**
  * Standards Transition Handler
- * Executes lifecycle state transitions on standards
+ * Executes lifecycle state transitions on standards and discoveries
  *
  * POST /api/standards/transition
- * Body: { standard_id, action: 'approve'|'disable'|'deprecate'|'delete'|'enable'|'cancel_deprecation', reason? }
+ * Body: { standard_id, action: 'approve'|'reject'|'observe'|'disable'|'deprecate'|'delete'|'enable'|'cancel_deprecation', reason?, reason_code? }
  * Auth: Cognito JWT required
+ *
+ * For discovery IDs (from onboarding_discoveries table):
+ *   approve  → creates pattern + marks discovery approved
+ *   reject   → marks discovery rejected
+ *   observe  → marks discovery as observing (deferred review)
  */
 
-const { wrapHandler, createSuccessResponse, createErrorResponse } = require('./helpers');
+const { wrapHandler, executeQuery, createSuccessResponse, createErrorResponse } = require('./helpers');
 const { StandardLifecycle } = require('./core/StandardLifecycle');
 
 const lifecycle = new StandardLifecycle();
 
+const DISCOVERY_ACTIONS = ['approve', 'reject', 'observe'];
+
+/**
+ * Handle transitions for onboarding discoveries
+ */
+async function transitionDiscovery(discoveryId, action, email, reason, reasonCode) {
+    const discovery = await executeQuery(`
+        SELECT discovery_id, project_id, discovery_type, pattern_name, pattern_description, confidence, evidence, status
+        FROM rapport.onboarding_discoveries
+        WHERE discovery_id = $1
+    `, [discoveryId]);
+
+    if (discovery.rowCount === 0) {
+        return null; // Not a discovery either
+    }
+
+    const row = discovery.rows[0];
+    const oldStatus = row.status;
+
+    if (action === 'approve') {
+        // Create pattern from discovery
+        const patternId = `pat_${row.project_id}_${Date.now()}`;
+        await executeQuery(`
+            INSERT INTO rapport.patterns (
+                pattern_id, project_id, intent, constraints, outcome_criteria,
+                maturity, discovered_by, pattern_data
+            ) VALUES ($1, $2, $3, $4, $5, 'provisional', $6, $7)
+        `, [
+            patternId,
+            row.project_id,
+            row.pattern_name,
+            JSON.stringify([row.pattern_description || '']),
+            JSON.stringify([`Discovered via onboarding: ${row.discovery_type}`]),
+            email,
+            JSON.stringify({
+                source: 'discovery_review',
+                discovery_type: row.discovery_type,
+                evidence: row.evidence
+            })
+        ]);
+
+        await executeQuery(`
+            UPDATE rapport.onboarding_discoveries
+            SET status = 'approved', reviewed_at = NOW(), updated_at = NOW(), pattern_id = $1
+            WHERE discovery_id = $2
+        `, [patternId, discoveryId]);
+
+        return { old_state: oldStatus, new_state: 'approved', pattern_id: patternId };
+    }
+
+    if (action === 'reject') {
+        await executeQuery(`
+            UPDATE rapport.onboarding_discoveries
+            SET status = 'rejected', reviewed_at = NOW(), updated_at = NOW(), reason = $1, reason_code = $2
+            WHERE discovery_id = $3
+        `, [reason || null, reasonCode || null, discoveryId]);
+
+        return { old_state: oldStatus, new_state: 'rejected' };
+    }
+
+    if (action === 'observe') {
+        await executeQuery(`
+            UPDATE rapport.onboarding_discoveries
+            SET status = 'observing', updated_at = NOW()
+            WHERE discovery_id = $1
+        `, [discoveryId]);
+
+        return { old_state: oldStatus, new_state: 'observing' };
+    }
+
+    return null;
+}
+
 async function transitionStandard({ body, requestContext }) {
     try {
         const email = requestContext.authorizer?.claims?.email || requestContext.authorizer?.jwt?.claims?.email;
@@ -20,7 +98,7 @@ async function transitionStandard({ body, requestContext }) {
             return createErrorResponse(401, 'Authentication required');
         }
 
-        const { standard_id: id, action, reason } = body || {};
+        const { standard_id: id, action, reason, reason_code: reasonCode } = body || {};
 
         if (!id) {
             return createErrorResponse(400, 'standard_id is required');
@@ -28,25 +106,44 @@ async function transitionStandard({ body, requestContext }) {
 
         if (!action) {
             return createErrorResponse(400, 'action is required', {
-                valid_actions: ['propose', 'approve', 'reject', 'disable', 'deprecate', 'delete', 'enable', 'cancel_deprecation']
+                valid_actions: ['propose', 'approve', 'reject', 'observe', 'disable', 'deprecate', 'delete', 'enable', 'cancel_deprecation']
             });
         }
 
-        // Execute the transition
-        const result = await lifecycle.transition(id, action, email, reason);
+        // Try standard lifecycle transition first
+        try {
+            const result = await lifecycle.transition(id, action, email, reason);
+
+            return createSuccessResponse({
+                standard_id: result.standard_id,
+                old_state: result.old_state,
+                new_state: result.new_state,
+                action: result.action,
+                audit_entry: result.audit_entry
+            }, `Standard transitioned from '${result.old_state}' to '${result.new_state}'`);
+        } catch (lifecycleError) {
+            // If pattern not found and action is valid for discoveries, try discovery transition
+            if (lifecycleError.message.includes('not found') && DISCOVERY_ACTIONS.includes(action)) {
+                const discoveryResult = await transitionDiscovery(id, action, email, reason, reasonCode);
 
-        return createSuccessResponse({
-            standard_id: result.standard_id,
-            old_state: result.old_state,
-            new_state: result.new_state,
-            action: result.action,
-            audit_entry: result.audit_entry
-        }, `Standard transitioned from '${result.old_state}' to '${result.new_state}'`);
+                if (discoveryResult) {
+                    return createSuccessResponse({
+                        standard_id: id,
+                        old_state: discoveryResult.old_state,
+                        new_state: discoveryResult.new_state,
+                        action,
+                        pattern_id: discoveryResult.pattern_id || null
+                    }, `Discovery transitioned from '${discoveryResult.old_state}' to '${discoveryResult.new_state}'`);
+                }
+            }
+
+            // Re-throw if not handled
+            throw lifecycleError;
+        }
 
     } catch (error) {
         console.error('Standards Transition Error:', error);
 
-        // Return user-friendly messages for known validation errors
         if (error.message.includes('Invalid action')) {
             return createErrorResponse(400, error.message);
         }

package/src/handlers/stripe/billingPortalPost.js

@@ -67,7 +67,7 @@ async function createBillingPortal({ body: requestBody = {}, requestContext }) {
         // Create billing portal session
         const session = await stripe.billingPortal.sessions.create({
             customer: client.stripe_customer_id,
-            return_url: returnUrl || `${process.env.APP_URL || 'https://mindmeld.dev'}/settings/billing`
+            return_url: returnUrl || `${process.env.APP_URL || 'https://app.mindmeld.dev'}/settings/billing`
         });
 
         return createSuccessResponse(

package/src/handlers/stripe/enterpriseCheckoutPost.js

@@ -159,8 +159,8 @@ async function createEnterpriseCheckout({ body: requestBody = {}, requestContext
             payment_method_types: ['card'],
             customer_email: email,
             line_items: lineItems,
-            success_url: `${process.env.APP_URL || 'https://mindmeld.dev'}/enterprise/success?session_id={CHECKOUT_SESSION_ID}`,
-            cancel_url: `${process.env.APP_URL || 'https://mindmeld.dev'}/enterprise/cancel`,
+            success_url: `${process.env.APP_URL || 'https://app.mindmeld.dev'}/enterprise/success?session_id={CHECKOUT_SESSION_ID}`,
+            cancel_url: `${process.env.APP_URL || 'https://app.mindmeld.dev'}/enterprise/cancel`,
             metadata: {
                 client_id: user.client_id,
                 user_email: email,

package/src/handlers/stripe/subscriptionCreatePost.js

@@ -118,8 +118,8 @@ async function createSubscription({ body: requestBody = {}, requestContext }) {
                 price: priceId,
                 quantity: tierConfig.perUser ? userCount : 1
             }],
-            success_url: `${process.env.APP_URL || 'https://mindmeld.dev'}/subscription/success?session_id={CHECKOUT_SESSION_ID}`,
-            cancel_url: `${process.env.APP_URL || 'https://mindmeld.dev'}/subscription/cancel`,
+            success_url: `${process.env.APP_URL || 'https://app.mindmeld.dev'}/dashboard?checkout=success`,
+            cancel_url: `${process.env.APP_URL || 'https://app.mindmeld.dev'}/signup`,
             metadata: {
                 client_id: user.client_id,
                 user_email: email,

package/src/handlers/stripe/webhookPost.js

@@ -72,18 +72,22 @@ async function handleCheckoutCompleted(session) {
     const { client_id, tier, user_email, enterprise_package, seat_count, addons } = session.metadata || {};
 
     if (!client_id) {
-        console.warn('Missing client_id in session metadata');
-        return;
+        console.error('[webhookPost] CRITICAL: Missing client_id in checkout session metadata — subscription will not activate');
+        throw new Error('Missing client_id in checkout session metadata');
     }
 
     // Parse enterprise metadata
     const isEnterprise = tier === 'enterprise';
     const seatCountNum = seat_count ? parseInt(seat_count, 10) : 1;
-    const addonsList = addons ? JSON.parse(addons) : [];
+    let addonsList = [];
+    if (addons) {
+        try { addonsList = JSON.parse(addons); }
+        catch { console.warn('Failed to parse addons metadata:', addons); }
+    }
 
     // Update client with subscription
     if (isEnterprise) {
-        await executeQuery(`
+        const updateResult = await executeQuery(`
             UPDATE rapport.clients
             SET stripe_customer_id = $2,
                 stripe_subscription_id = $3,
@@ -96,6 +100,11 @@ async function handleCheckoutCompleted(session) {
             WHERE client_id = $1
         `, [client_id, session.customer, session.subscription, enterprise_package, seatCountNum, JSON.stringify(addonsList)]);
 
+        if (updateResult.rowCount === 0) {
+            console.error(`[webhookPost] CRITICAL: Client ${client_id} not found in DB — subscription paid but not activated`);
+            throw new Error(`Client ${client_id} not found — subscription activation failed`);
+        }
+
         // Create addon entitlements if any
         if (addonsList.length > 0) {
             for (const addonId of addonsList) {
@@ -112,7 +121,7 @@ async function handleCheckoutCompleted(session) {
 
         console.log('Enterprise checkout completed:', { client_id, enterprise_package, seat_count: seatCountNum, addons: addonsList });
     } else {
-        await executeQuery(`
+        const updateResult = await executeQuery(`
             UPDATE rapport.clients
             SET stripe_customer_id = $2,
                 stripe_subscription_id = $3,
@@ -122,6 +131,11 @@ async function handleCheckoutCompleted(session) {
             WHERE client_id = $1
         `, [client_id, session.customer, session.subscription, tier || 'team']);
 
+        if (updateResult.rowCount === 0) {
+            console.error(`[webhookPost] CRITICAL: Client ${client_id} not found in DB — subscription paid but not activated`);
+            throw new Error(`Client ${client_id} not found — subscription activation failed`);
+        }
+
         console.log('Checkout completed:', { client_id, tier, customer: session.customer });
     }
 
@@ -160,7 +174,11 @@ async function handleSubscriptionUpdated(subscription) {
     // Parse enterprise metadata
     const isEnterprise = tier === 'enterprise';
     const seatCountNum = seat_count ? parseInt(seat_count, 10) : null;
-    const addonsList = addons ? JSON.parse(addons) : null;
+    let addonsList = null;
+    if (addons) {
+        try { addonsList = JSON.parse(addons); }
+        catch { console.warn('Failed to parse addons metadata in subscription update:', addons); }
+    }
 
     // Build update query based on what changed
     if (isEnterprise) {
@@ -424,15 +442,25 @@ async function handler(event, context) {
             console.error('Error processing webhook:', processError);
 
             // Record error
-            await executeQuery(`
-                UPDATE rapport.stripe_webhook_events
-                SET handled = false,
-                    error = $2,
-                    processed_at = CURRENT_TIMESTAMP
-                WHERE event_id = $1
-            `, [stripeEvent.id, processError.message]);
+            try {
+                await executeQuery(`
+                    UPDATE rapport.stripe_webhook_events
+                    SET handled = false,
+                        error = $2,
+                        processed_at = CURRENT_TIMESTAMP
+                    WHERE event_id = $1
+                `, [stripeEvent.id, processError.message]);
+            } catch (recordErr) {
+                console.error('Failed to record webhook error:', recordErr.message);
+            }
 
-            // Still return 200 to prevent Stripe retries for business logic errors
+            // Return 500 for critical failures so Stripe retries
+            // (missing client, DB connection errors, subscription not activated)
+            return {
+                statusCode: 500,
+                headers: { 'Content-Type': 'application/json' },
+                body: JSON.stringify({ error: processError.message })
+            };
         }
 
         return {

package/src/handlers/user/apiTokenCreate.js

@@ -0,0 +1,71 @@
+/**
+ * API Token Create Handler
+ *
+ * Creates a new MCP API token for the authenticated user.
+ * Token plaintext is returned ONCE — only the SHA-256 hash is stored.
+ *
+ * POST /api/user/api-tokens
+ * Auth: Cognito JWT required
+ * Body: { name?: string }
+ */
+
+const { wrapHandler, executeQuery, createSuccessResponse, createErrorResponse } = require('./helpers');
+const crypto = require('crypto');
+
+async function apiTokenCreate({ body, requestContext }) {
+    const email = requestContext.authorizer?.claims?.email
+        || requestContext.authorizer?.jwt?.claims?.email;
+
+    if (!email) {
+        return createErrorResponse(401, 'Authentication required');
+    }
+
+    const tokenName = body.name || 'Default';
+
+    // Look up user's client and company
+    const userResult = await executeQuery(`
+        SELECT u.client_id, ue.company_id
+        FROM rapport.users u
+        LEFT JOIN rapport.user_entitlements ue ON u.email_address = ue.email_address
+        WHERE u.email_address = $1
+        LIMIT 1
+    `, [email]);
+
+    if (userResult.rows.length === 0) {
+        return createErrorResponse(404, 'User not found');
+    }
+
+    const { client_id, company_id } = userResult.rows[0];
+
+    // Verify active subscription
+    const clientResult = await executeQuery(
+        'SELECT subscription_tier FROM rapport.clients WHERE client_id = $1',
+        [client_id]
+    );
+
+    if (clientResult.rows.length === 0 || !clientResult.rows[0].subscription_tier || clientResult.rows[0].subscription_tier === 'free') {
+        return createErrorResponse(403, 'Active MindMeld subscription required to create API tokens');
+    }
+
+    // Generate token: mm_live_ + 40 random hex chars
+    const tokenId = crypto.randomUUID();
+    const tokenRandom = crypto.randomBytes(20).toString('hex');
+    const plaintext = `mm_live_${tokenRandom}`;
+    const tokenPrefix = plaintext.substring(0, 12);
+    const tokenHash = crypto.createHash('sha256').update(plaintext).digest('hex');
+
+    await executeQuery(`
+        INSERT INTO rapport.api_tokens (token_id, token_hash, token_prefix, email_address, client_id, company_id, token_name)
+        VALUES ($1, $2, $3, $4, $5, $6, $7)
+    `, [tokenId, tokenHash, tokenPrefix, email, client_id, company_id || null, tokenName]);
+
+    return createSuccessResponse({
+        token_id: tokenId,
+        token: plaintext,
+        token_prefix: tokenPrefix,
+        name: tokenName,
+        message: 'Save this token — it will not be shown again.'
+    }, 'API token created');
+}
+
+exports.handler = wrapHandler(apiTokenCreate);

package/src/handlers/user/apiTokenList.js

@@ -0,0 +1,64 @@
+/**
+ * API Token List/Revoke Handler
+ *
+ * GET /api/user/api-tokens — List tokens (prefix only, never plaintext)
+ * DELETE /api/user/api-tokens?token_id=xxx — Revoke a token
+ *
+ * Auth: Cognito JWT required
+ */
+
+const { wrapHandler, executeQuery, createSuccessResponse, createErrorResponse } = require('./helpers');
+
+async function apiTokenList({ body, queryParams, requestContext, httpMethod }) {
+    const email = requestContext.authorizer?.claims?.email
+        || requestContext.authorizer?.jwt?.claims?.email;
+
+    if (!email) {
+        return createErrorResponse(401, 'Authentication required');
+    }
+
+    // DELETE — revoke a token
+    if (httpMethod === 'DELETE') {
+        const tokenId = queryParams.token_id || body.token_id;
+        if (!tokenId) {
+            return createErrorResponse(400, 'token_id is required');
+        }
+
+        const result = await executeQuery(`
+            UPDATE rapport.api_tokens
+            SET status = 'revoked', revoked_at = NOW()
+            WHERE token_id = $1 AND email_address = $2 AND status = 'active'
+            RETURNING token_id
+        `, [tokenId, email]);
+
+        if (result.rows.length === 0) {
+            return createErrorResponse(404, 'Token not found or already revoked');
+        }
+
+        return createSuccessResponse({ token_id: tokenId }, 'Token revoked');
+    }
+
+    // GET — list tokens
+    const result = await executeQuery(`
+        SELECT token_id, token_prefix, token_name, status,
+               last_used_at, request_count, created_at, revoked_at
+        FROM rapport.api_tokens
+        WHERE email_address = $1
+        ORDER BY created_at DESC
+    `, [email]);
+
+    return createSuccessResponse({
+        tokens: result.rows.map(r => ({
+            token_id: r.token_id,
+            prefix: r.token_prefix,
+            name: r.token_name,
+            status: r.status,
+            last_used: r.last_used_at,
+            request_count: r.request_count,
+            created_at: r.created_at,
+            revoked_at: r.revoked_at
+        }))
+    }, `${result.rows.length} token(s) found`);
+}
+
+exports.handler = wrapHandler(apiTokenList);