@hachej/boring-core 0.1.42 → 0.1.44

package/dist/server/index.js

@@ -24,12 +24,16 @@ import {
   requireWorkspaceMember,
   validateConfig,
   validatePasswordStrength
-} from "../chunk-GZVKZD4P.js";
+} from "../chunk-UM5SHYIS.js";
 import {
+  InsufficientCreditError,
+  PostgresMeteringStore,
   createDatabase,
   runMigrations
-} from "../chunk-C3YMOITB.js";
-import "../chunk-H5KU6R6Y.js";
+} from "../chunk-I56OTSPB.js";
+import {
+  ERROR_CODES
+} from "../chunk-LIBHVT7V.js";
 import "../chunk-MLKGABMK.js";
 
 // src/server/security/safeRedirect.ts
@@ -102,21 +106,1476 @@ function createFsProvisioner(opts) {
     }
   };
 }
+
+// src/server/credits/pricing.ts
+var CONSERVATIVE_DEFAULT_RATE = { inputPerMillion: 3, outputPerMillion: 15 };
+var DEFAULT_MODEL_RATES = [
+  // Kimi K2 (public token pricing) for Ollama-hosted demo parity.
+  [/kimi-k2/i, { inputPerMillion: 0.6, outputPerMillion: 2.5 }],
+  // Claude (public API list prices) as a fallback if ever routed there. Opus is
+  // listed FIRST and matches any opus SKU shape (3-opus / opus-4 / 4-opus) so an
+  // expensive Opus id is never undercharged at the Sonnet rate. The Sonnet entry
+  // deliberately does NOT include a bare "4" (which would catch claude-4-opus).
+  [/claude-(?:[0-9.-]*opus|opus[0-9.-]*)/i, { inputPerMillion: 15, outputPerMillion: 75 }],
+  [/claude-(?:sonnet|3-5-sonnet|3-7-sonnet|sonnet-4|4-sonnet|4-5-sonnet)/i, { inputPerMillion: 3, outputPerMillion: 15 }],
+  [/claude-3-haiku/i, { inputPerMillion: 0.25, outputPerMillion: 1.25 }]
+];
+function clampTokens(value) {
+  return typeof value === "number" && Number.isFinite(value) && value > 0 ? Math.trunc(value) : 0;
+}
+function effectiveRateTable(config) {
+  return config.rates ? [...config.rates, ...DEFAULT_MODEL_RATES] : DEFAULT_MODEL_RATES;
+}
+function rateForModel(modelId, config) {
+  return effectiveRateTable(config).find(([pattern]) => pattern.test(modelId))?.[1] ?? null;
+}
+function maxEffectiveRate(config) {
+  return maxRateOver(effectiveRateTable(config), config);
+}
+function maxServedRate(config) {
+  return maxRateOver(config.rates ?? [], config);
+}
+function maxRateOver(table, config) {
+  const fallback = config.defaultRate ?? CONSERVATIVE_DEFAULT_RATE;
+  let inputPerMillion = fallback.inputPerMillion;
+  let outputPerMillion = fallback.outputPerMillion;
+  for (const [, rate] of table) {
+    inputPerMillion = Math.max(inputPerMillion, rate.inputPerMillion);
+    outputPerMillion = Math.max(outputPerMillion, rate.outputPerMillion);
+  }
+  return { inputPerMillion, outputPerMillion };
+}
+function estimateProviderCost(modelId, inputTokens, outputTokens, config) {
+  const matched = rateForModel(modelId, config);
+  const rate = matched ?? config.defaultRate ?? maxEffectiveRate(config);
+  const units = inputTokens / 1e6 * rate.inputPerMillion + outputTokens / 1e6 * rate.outputPerMillion;
+  return { units, usedDefault: matched === null };
+}
+function usageToCredits(usage, model, config) {
+  const inputTokens = clampTokens(usage.inputTokens);
+  const outputTokens = clampTokens(usage.outputTokens);
+  const cacheReadTokens = clampTokens(usage.cacheReadTokens);
+  const cacheWriteTokens = clampTokens(usage.cacheWriteTokens);
+  const modelId = [model.provider, model.id].filter(Boolean).join("/") || "unknown";
+  const reported = usage.providerReportedCost;
+  const reportedUnits = typeof reported === "number" && Number.isFinite(reported) && reported > 0 ? reported : 0;
+  const estimated = estimateProviderCost(
+    modelId,
+    inputTokens + cacheReadTokens + cacheWriteTokens,
+    outputTokens,
+    config
+  );
+  const useReported = config.preferProviderReportedCost === true && reportedUnits > 0;
+  const providerUnits = useReported ? reportedUnits : estimated.units;
+  const margin = Number.isFinite(config.margin) && config.margin > 0 ? config.margin : 1;
+  const providerCostMicros = Math.ceil(providerUnits * config.creditMicrosPerUnit);
+  const billedCreditMicros = Math.ceil(providerUnits * margin * config.creditMicrosPerUnit);
+  return {
+    inputTokens,
+    outputTokens,
+    cacheReadTokens,
+    cacheWriteTokens,
+    providerCostMicros,
+    billedCreditMicros,
+    // Only "default-priced" when token pricing was used AND it fell back to the
+    // default rate (a trusted reported cost or a matched rate is authoritative).
+    pricedFromDefault: !useReported && estimated.usedDefault
+  };
+}
+
+// src/server/credits/creditsService.ts
+function validatePricingConfig(p) {
+  if (!Number.isSafeInteger(p.creditMicrosPerUnit) || p.creditMicrosPerUnit <= 0) {
+    throw new Error("credits pricing.creditMicrosPerUnit must be a positive safe integer");
+  }
+  if (!Number.isFinite(p.margin) || p.margin < 1) {
+    throw new Error("credits pricing.margin must be a finite number >= 1 (never bill below provider cost)");
+  }
+  const checkRate = (rate, label) => {
+    if (!Number.isFinite(rate.inputPerMillion) || rate.inputPerMillion <= 0 || !Number.isFinite(rate.outputPerMillion) || rate.outputPerMillion <= 0) {
+      throw new Error(`credits pricing ${label} rate must have positive input/output rates`);
+    }
+  };
+  for (const [, rate] of p.rates ?? []) checkRate(rate, "configured");
+  if (p.defaultRate) checkRate(p.defaultRate, "default");
+}
+var SIGNUP_GRANT_REASON = "signup_grant";
+var DEFAULT_CREDITS_CONFIG = {
+  enabled: true,
+  signupGrantMicros: 2e6,
+  // €2
+  signupGrantExpiresAfterDays: null,
+  // €1 hold — covers a worst-case single run so a run rarely overshoots its hold.
+  runReservationMicros: 1e6,
+  reservationTtlSeconds: 2 * 60 * 60,
+  minBalanceMicros: 5e4,
+  // €0.05
+  // No explicit defaultRate ⇒ an unmatched model bills at the highest effective
+  // rate (fail closed), not a cheap fallback.
+  pricing: { margin: 1.3, creditMicrosPerUnit: 1e6 }
+};
+var CreditExhaustedError = class extends Error {
+  statusCode = 402;
+  code = "PAYMENT_REQUIRED";
+  details;
+  constructor(balance) {
+    super("You're out of credits. Top up your balance to keep going.");
+    this.name = "CreditExhaustedError";
+    this.details = { balance };
+  }
+};
+function disabledBalance(userId) {
+  return {
+    enabled: false,
+    userId,
+    grantedMicros: 0,
+    usedMicros: 0,
+    activeReservedMicros: 0,
+    remainingMicros: Number.MAX_SAFE_INTEGER,
+    availableMicros: Number.MAX_SAFE_INTEGER,
+    debtMicros: 0,
+    currency: "credits"
+  };
+}
+var CreditsService = class {
+  constructor(store, config = DEFAULT_CREDITS_CONFIG, log) {
+    this.store = store;
+    this.config = config;
+    this.log = log;
+    if (!config.enabled) return;
+    validatePricingConfig(config.pricing);
+    const posInt = (n) => Number.isSafeInteger(n) && n > 0;
+    const nonNegInt = (n) => Number.isSafeInteger(n) && n >= 0;
+    if (!nonNegInt(config.signupGrantMicros)) throw new Error("credits: signupGrantMicros must be a non-negative safe integer");
+    if (!posInt(config.runReservationMicros)) throw new Error("credits: runReservationMicros must be a positive safe integer");
+    if (!nonNegInt(config.minBalanceMicros)) throw new Error("credits: minBalanceMicros must be a non-negative safe integer");
+    if (!posInt(config.reservationTtlSeconds)) throw new Error("credits: reservationTtlSeconds must be a positive safe integer");
+    if (!Number.isSafeInteger(config.runReservationMicros + config.minBalanceMicros)) {
+      throw new Error("credits: runReservationMicros + minBalanceMicros exceeds the safe integer range");
+    }
+    if (config.signupGrantExpiresAfterDays !== null) {
+      throw new Error("credits: signupGrantExpiresAfterDays is not supported yet (an expiring grant turns a partly-spent trial into debt); use null");
+    }
+  }
+  store;
+  config;
+  log;
+  /** Users whose signup grant was ensured this process; avoids an INSERT per balance poll. */
+  signupGrantedUsers = /* @__PURE__ */ new Set();
+  /** Idempotently grant the free starter credits (call from the post-signup hook
+   * and lazily on first balance/reserve). The grant NEVER expires: an expiring
+   * grant would drop from grantedMicros on expiry while spent usage stayed, turning
+   * a partly-spent trial into debt. (Proper expiry must cap/allocate usage against
+   * the promo balance — a tracked follow-up; the expiry config is rejected up front.) */
+  async grantSignupCredits(userId) {
+    if (!this.config.enabled || this.config.signupGrantMicros <= 0) return;
+    if (this.signupGrantedUsers.has(userId)) return;
+    await this.store.grantOnce({
+      userId,
+      reason: SIGNUP_GRANT_REASON,
+      amountMicros: this.config.signupGrantMicros
+    });
+    this.signupGrantedUsers.add(userId);
+  }
+  /** Credit a completed purchase. Globally idempotent per order id (safe on
+   * webhook retry, and the same order can never be credited to two users). The
+   * optional provider identity is persisted for audit/refund reconciliation. */
+  async grantPurchase(userId, orderId, amountMicros, identity) {
+    if (!this.config.enabled) return { created: false };
+    const { granted } = await this.store.grantPurchaseOnce({ userId, orderId, amountMicros, ...identity });
+    return { created: granted };
+  }
+  /** Revoke a refunded/disputed purchase. `refundFraction` is the cumulative
+   * fraction of the order refunded (LS refunded_amount / total) for partial
+   * refunds; omit for a full refund. `allowTombstone` permits writing a pre-grant
+   * refund tombstone for an order not yet credited (set only when the refund
+   * validates as a credit order); an already-credited order is always revocable.
+   * Idempotent per cumulative level. */
+  async revokePurchase(orderId, opts = {}) {
+    if (!this.config.enabled) return { revoked: false };
+    return this.store.revokePurchase(orderId, {
+      refundFraction: opts.refundFraction,
+      allowTombstone: opts.allowTombstone,
+      expectedStoreId: opts.expectedStoreId,
+      expectedTestMode: opts.expectedTestMode,
+      expectedCurrency: opts.expectedCurrency
+    });
+  }
+  async getBalance(userId) {
+    if (!this.config.enabled) return disabledBalance(userId);
+    await this.grantSignupCredits(userId);
+    const balance = await this.store.getBalance(userId);
+    return {
+      enabled: true,
+      userId,
+      grantedMicros: balance.grantedMicros,
+      usedMicros: balance.usedMicros,
+      activeReservedMicros: balance.activeReservedMicros,
+      // remaining = granted − used (ledger). available = remaining − active holds.
+      remainingMicros: Math.max(0, balance.remainingMicros),
+      availableMicros: Math.max(0, balance.availableMicros),
+      // Owed when the raw ledger is negative (refund of already-spent credits).
+      debtMicros: Math.max(0, -balance.remainingMicros),
+      currency: "credits"
+    };
+  }
+  /** Recent credit ledger (grants/purchases + usage/refund debits) for the account
+   * activity view, newest first, capped (clamped 1..50 in the store). Empty when
+   * credits are disabled. */
+  async listLedger(userId, limit = 20) {
+    if (!this.config.enabled) return [];
+    return this.store.listLedger(userId, limit);
+  }
+  /** Reserve a per-run hold. Returns the reservation id; throws
+   * CreditExhaustedError (402) below the floor. */
+  async reserveRun(input) {
+    if (!this.config.enabled) return void 0;
+    await this.grantSignupCredits(input.userId);
+    try {
+      const { reservationId } = await this.store.reserve({
+        userId: input.userId,
+        workspaceId: input.workspaceId,
+        sessionId: input.sessionId,
+        runId: input.runId,
+        source: "pi-chat",
+        amountMicros: this.config.runReservationMicros,
+        ttlSeconds: this.config.reservationTtlSeconds,
+        // Must keep minBalanceMicros available AFTER placing the hold, so a run
+        // is admitted only when available ≥ hold + floor (matches the config doc).
+        minAvailableMicros: this.config.runReservationMicros + this.config.minBalanceMicros
+      });
+      return reservationId;
+    } catch (error) {
+      if (error instanceof InsufficientCreditError) {
+        throw new CreditExhaustedError(await this.getBalance(input.userId));
+      }
+      throw error;
+    }
+  }
+  /** Charge native usage, priced token→credits with margin. Returns the billed
+   * credit micros (0 when disabled or the usage priced to nothing) so the caller can
+   * decide billability from the ACTUAL charge, not raw provider fields — e.g. a
+   * cost-only row prices to 0 unless preferProviderReportedCost is set. */
+  async recordUsage(input) {
+    if (!this.config.enabled) return { billedMicros: 0 };
+    const model = { provider: input.provider, id: input.model };
+    const cost = usageToCredits(
+      {
+        inputTokens: input.usage.input,
+        outputTokens: input.usage.output,
+        cacheReadTokens: input.usage.cacheRead,
+        cacheWriteTokens: input.usage.cacheWrite,
+        providerReportedCost: input.usage.cost.total
+      },
+      model,
+      this.config.pricing
+    );
+    if (cost.pricedFromDefault) {
+      this.log?.("credits: model billed at default rate (no configured rate)", {
+        model: input.model,
+        provider: input.provider,
+        billedCostMicros: cost.billedCreditMicros
+      });
+    }
+    await this.store.recordUsage({
+      usageId: input.usageId,
+      userId: input.userId,
+      workspaceId: input.workspaceId,
+      sessionId: input.sessionId,
+      runId: input.runId,
+      messageId: input.messageId,
+      source: "pi-chat",
+      provider: input.provider,
+      model: input.model,
+      inputTokens: cost.inputTokens,
+      outputTokens: cost.outputTokens,
+      cacheReadTokens: cost.cacheReadTokens,
+      cacheWriteTokens: cost.cacheWriteTokens,
+      providerCostMicros: cost.providerCostMicros,
+      billedCostMicros: cost.billedCreditMicros,
+      stopReason: input.stopReason,
+      // reservationId tags the row to THIS run attempt so the fallback top-up can
+      // scope to the current reservation (runId is reused on client-nonce replay).
+      metadata: { currency: "credits", ...input.reservationId ? { reservationId: input.reservationId } : {} }
+    });
+    return { billedMicros: cost.billedCreditMicros };
+  }
+  async settleRun(userId, runId, reservationId) {
+    if (!this.config.enabled) return;
+    await this.store.finishReservation(reservationId ? { reservationId } : { runId, userId }, "settled");
+  }
+  async releaseRun(userId, runId, reservationId) {
+    if (!this.config.enabled) return;
+    await this.store.finishReservation(reservationId ? { reservationId } : { runId, userId }, "released");
+  }
+  /**
+   * Fail-closed billing for a completed run whose usage write failed: a run that
+   * already executed must never go free. Charge the per-run hold (worst-case)
+   * as a conservative, idempotent debit, then settle the reservation. Tagged
+   * source 'pi-chat-fallback' so it's reconcilable against the missing real
+   * usage row. Over-charges rather than risk free usage.
+   */
+  async chargeFallbackUsage(input) {
+    if (!this.config.enabled) return;
+    const key = input.reservationId ?? input.runId;
+    const metaKind = input.kind === "no_billable_usage" ? "no_billable_usage_fallback" : "usage_write_failed_fallback";
+    if (input.reservationId) {
+      await this.store.markReservationFallbackCharge(input.userId, input.reservationId);
+    }
+    const alreadyBilled = input.reservationId ? await this.store.billedMicrosForReservation(input.userId, input.reservationId) : await this.store.billedMicrosForRun(input.userId, input.runId);
+    const topUp = Math.max(0, this.config.runReservationMicros - alreadyBilled);
+    if (topUp > 0) {
+      await this.store.recordUsage({
+        usageId: `usage-fallback:${key}`,
+        userId: input.userId,
+        runId: input.runId,
+        source: "pi-chat-fallback",
+        billedCostMicros: topUp,
+        providerCostMicros: 0,
+        metadata: { kind: metaKind, reservationId: input.reservationId ?? null, alreadyBilledMicros: alreadyBilled, currency: "credits" }
+      });
+    }
+    await this.store.finishReservation(
+      input.reservationId ? { reservationId: input.reservationId } : { runId: input.runId, userId: input.userId },
+      "settled"
+    );
+    this.log?.("credits: fallback hold charge \u2014 topped up to the hold and settled (reconcile against missing/non-billable usage)", {
+      kind: metaKind,
+      runId: input.runId,
+      reservationId: input.reservationId,
+      alreadyBilledMicros: alreadyBilled,
+      topUpMicros: topUp
+    });
+  }
+};
+
+// src/server/credits/meteringSink.ts
+function authRequiredError() {
+  return Object.assign(new Error("authentication required"), { statusCode: 401, code: "UNAUTHORIZED" });
+}
+function createCreditsMeteringSink(getService) {
+  return {
+    async reserveRun(input) {
+      const service = getService();
+      if (!service.config.enabled) return {};
+      if (!input.userId) throw authRequiredError();
+      const reservationId = await service.reserveRun({
+        userId: input.userId,
+        workspaceId: input.workspaceId,
+        sessionId: input.sessionId,
+        runId: input.runId
+      });
+      return { reservationId };
+    },
+    async recordUsage(input) {
+      if (!input.userId) return { billedMicros: 0 };
+      return getService().recordUsage({
+        usageId: input.usageId,
+        userId: input.userId,
+        workspaceId: input.workspaceId,
+        sessionId: input.sessionId,
+        runId: input.runId,
+        messageId: input.messageId,
+        reservationId: input.reservationId,
+        provider: input.model?.provider,
+        model: input.model?.id,
+        usage: input.usage,
+        stopReason: input.stopReason
+      });
+    },
+    async settleRun(input) {
+      if (!input.userId) return;
+      await getService().settleRun(input.userId, input.runId, input.reservationId);
+    },
+    async releaseRun(input) {
+      if (!input.userId) return;
+      if (input.reason === "usage-write-failed" || input.reason === "fallback-hold-charge") {
+        await getService().chargeFallbackUsage({
+          userId: input.userId,
+          runId: input.runId,
+          reservationId: input.reservationId,
+          // Carry the cause through to the ledger metadata/log for honest audit.
+          kind: input.reason === "usage-write-failed" ? "usage_write_failed" : "no_billable_usage"
+        });
+        return;
+      }
+      await getService().releaseRun(input.userId, input.runId, input.reservationId);
+    }
+  };
+}
+
+// src/server/credits/lemonSqueezy.ts
+import { createHmac, timingSafeEqual } from "crypto";
+function verifyLemonSqueezySignature(rawBody, signatureHeader, secret) {
+  if (!signatureHeader || !secret) return false;
+  const expected = createHmac("sha256", secret).update(rawBody).digest("hex");
+  const a = Buffer.from(expected, "utf8");
+  const b = Buffer.from(signatureHeader, "utf8");
+  if (a.length !== b.length) return false;
+  return timingSafeEqual(a, b);
+}
+function signUserAttribution(userId, secret) {
+  return createHmac("sha256", secret).update(`credit-user:${userId}`).digest("hex");
+}
+function verifyUserAttribution(userId, token, secret) {
+  if (!userId || !token) return false;
+  const actual = Buffer.from(token, "utf8");
+  const secrets = typeof secret === "string" ? [secret] : secret;
+  return secrets.some((s) => {
+    if (!s) return false;
+    const expected = Buffer.from(signUserAttribution(userId, s), "utf8");
+    if (expected.length !== actual.length) return false;
+    return timingSafeEqual(expected, actual);
+  });
+}
+function asRecord(value) {
+  return typeof value === "object" && value !== null && !Array.isArray(value) ? value : void 0;
+}
+function asString(value) {
+  return typeof value === "string" && value.length > 0 ? value : void 0;
+}
+function asNumber(value) {
+  return typeof value === "number" && Number.isFinite(value) ? value : 0;
+}
+function asOptionalNumber(value) {
+  return typeof value === "number" && Number.isFinite(value) ? value : void 0;
+}
+function asOptionalId(value) {
+  if (value === null || value === void 0) return void 0;
+  const s = String(value);
+  return s.length > 0 ? s : void 0;
+}
+function parseLemonSqueezyOrder(payload) {
+  const root = asRecord(payload);
+  const meta = asRecord(root?.meta);
+  const data = asRecord(root?.data);
+  const attrs = asRecord(data?.attributes);
+  const eventName = asString(meta?.event_name);
+  const orderId = asString(data?.id);
+  if (!eventName || !orderId || !attrs) return null;
+  const customData = asRecord(meta?.custom_data);
+  const firstItem = asRecord(attrs.first_order_item);
+  return {
+    eventName,
+    orderId,
+    userId: asString(customData?.user_id),
+    userAttributionToken: asString(customData?.uat),
+    userEmail: asString(attrs.user_email),
+    status: asString(attrs.status),
+    testMode: typeof attrs.test_mode === "boolean" ? attrs.test_mode : void 0,
+    storeId: asOptionalId(attrs.store_id),
+    currency: asString(attrs.currency),
+    subtotalCents: asOptionalNumber(attrs.subtotal),
+    discountTotalCents: asOptionalNumber(attrs.discount_total),
+    totalCents: asOptionalNumber(attrs.total),
+    taxCents: asNumber(attrs.tax),
+    refunded: attrs.refunded === true,
+    refundedAmountCents: asNumber(attrs.refunded_amount),
+    variantId: asOptionalId(firstItem?.variant_id),
+    quantity: (() => {
+      const q = asNumber(firstItem?.quantity);
+      return Number.isInteger(q) && q > 0 ? q : 1;
+    })(),
+    productName: asString(firstItem?.product_name)
+  };
+}
+async function handleLemonSqueezyWebhook(rawBody, signatureHeader, options) {
+  if (!verifyLemonSqueezySignature(rawBody, signatureHeader, options.secret)) {
+    return { status: 401, body: { ok: false, reason: "invalid_signature" } };
+  }
+  let payload;
+  try {
+    payload = JSON.parse(typeof rawBody === "string" ? rawBody : rawBody.toString("utf8"));
+  } catch {
+    return { status: 400, body: { ok: false, reason: "invalid_json" } };
+  }
+  const order = parseLemonSqueezyOrder(payload);
+  if (!order) {
+    return { status: 400, body: { ok: false, reason: "unparseable_order" } };
+  }
+  const refundEvents = options.refundEvents ?? ["order_refunded"];
+  if (refundEvents.includes(order.eventName)) {
+    if (options.isRefundForOurStore && !options.isRefundForOurStore(order)) {
+      options.log?.("lemonsqueezy refund payload is not for our store/mode/currency \u2014 ignoring", {
+        orderId: order.orderId,
+        storeId: order.storeId,
+        currency: order.currency,
+        testMode: order.testMode
+      });
+      return { status: 200, body: { ok: true, reason: "refund_not_our_store", orderId: order.orderId } };
+    }
+    const { revoked } = await options.onRefund(order);
+    options.log?.("lemonsqueezy refund processed", { orderId: order.orderId, revoked });
+    return { status: 200, body: { ok: true, reason: revoked ? "refund_revoked" : "refund_noop", orderId: order.orderId } };
+  }
+  const creditable = options.creditableEvents ?? ["order_created"];
+  if (!creditable.includes(order.eventName)) {
+    return { status: 200, body: { ok: true, reason: "ignored_event", orderId: order.orderId } };
+  }
+  if (order.status !== "paid") {
+    const statusMissing = !order.status;
+    const looksLikeOurCreditOrder = options.isCreditOrder(order) || Boolean(options.isOurStoreOrder?.(order)) || Boolean(options.isUnverifiedCreditOrder?.(order));
+    if (statusMissing && looksLikeOurCreditOrder) {
+      options.log?.("lemonsqueezy recognized credit order has a missing/unparseable status \u2014 failing loud so a possibly-paid order is not dropped", {
+        orderId: order.orderId,
+        variantId: order.variantId,
+        currency: order.currency,
+        testMode: order.testMode
+      });
+      return { status: 500, body: { ok: false, reason: "order_status_missing", orderId: order.orderId } };
+    }
+    return { status: 200, body: { ok: true, reason: `order_status_${order.status ?? "unknown"}`, orderId: order.orderId } };
+  }
+  if (!options.isCreditOrder(order)) {
+    if (options.isUnverifiedCreditOrder?.(order)) {
+      options.log?.("lemonsqueezy paid order for a known credit variant has incomplete store/mode/currency identity \u2014 not crediting, retrying", {
+        orderId: order.orderId,
+        variantId: order.variantId,
+        currency: order.currency,
+        testMode: order.testMode,
+        storeId: order.storeId
+      });
+      return { status: 500, body: { ok: false, reason: "unverified_credit_order", orderId: order.orderId } };
+    }
+    if (options.isOurStoreOrder?.(order)) {
+      options.log?.("lemonsqueezy paid order on our store has an unrecognized credit variant \u2014 not crediting", {
+        orderId: order.orderId,
+        variantId: order.variantId,
+        currency: order.currency,
+        testMode: order.testMode,
+        storeId: order.storeId
+      });
+      return { status: 500, body: { ok: false, reason: "unrecognized_credit_variant", orderId: order.orderId } };
+    }
+    options.log?.("lemonsqueezy paid order is not a recognized credit pack", {
+      orderId: order.orderId,
+      variantId: order.variantId,
+      currency: order.currency,
+      testMode: order.testMode
+    });
+    return { status: 200, body: { ok: true, reason: "not_a_credit_order", orderId: order.orderId } };
+  }
+  if (options.attributionSecret !== void 0) {
+    const provided = typeof options.attributionSecret === "string" ? [options.attributionSecret] : options.attributionSecret;
+    const attributionSecrets = provided.filter((s) => typeof s === "string" && s.length > 0);
+    const effectiveSecrets = attributionSecrets.length > 0 ? attributionSecrets : [options.secret];
+    if (!verifyUserAttribution(order.userId, order.userAttributionToken, effectiveSecrets)) {
+      options.log?.("lemonsqueezy order user attribution token invalid/missing \u2014 not crediting", { orderId: order.orderId });
+      return { status: 500, body: { ok: false, reason: "untrusted_attribution", orderId: order.orderId } };
+    }
+  }
+  const userId = (options.resolveUserId ?? ((o) => o.userId))(order);
+  if (!userId) {
+    options.log?.("lemonsqueezy PAID credit order missing user id \u2014 not crediting; returning 500 so LS retries", { orderId: order.orderId });
+    return { status: 500, body: { ok: false, reason: "missing_user_id", orderId: order.orderId } };
+  }
+  if (options.userExists && !await options.userExists(userId)) {
+    options.log?.("lemonsqueezy credit order for a non-existent (deleted) user \u2014 not crediting (no PII resurrection)", { orderId: order.orderId, userId });
+    return { status: 200, body: { ok: true, reason: "user_not_found", orderId: order.orderId } };
+  }
+  const amountMicros = options.creditsForOrder(order);
+  if (!Number.isSafeInteger(amountMicros) || amountMicros <= 0) {
+    options.log?.("lemonsqueezy recognized credit order resolved to non-positive credits \u2014 config bug", { orderId: order.orderId, amountMicros });
+    return { status: 500, body: { ok: false, reason: "no_credit_amount", orderId: order.orderId } };
+  }
+  if (typeof options.creditMicrosPerUnit === "number" && options.creditMicrosPerUnit > 0) {
+    const { subtotalCents, discountTotalCents, totalCents, taxCents } = order;
+    if (subtotalCents === void 0 || discountTotalCents === void 0 || totalCents === void 0) {
+      options.log?.("lemonsqueezy order is MISSING a required money field (subtotal/discount/total) \u2014 not granting", {
+        orderId: order.orderId,
+        subtotalCents,
+        discountTotalCents,
+        totalCents
+      });
+      return { status: 500, body: { ok: false, reason: "invalid_money_fields", orderId: order.orderId } };
+    }
+    const netFromSubtotal = subtotalCents - discountTotalCents;
+    const netFromTotal = totalCents - taxCents;
+    const moneySane = subtotalCents >= 0 && discountTotalCents >= 0 && totalCents > 0 && Number.isFinite(taxCents) && taxCents >= 0 && subtotalCents >= discountTotalCents && totalCents >= taxCents && netFromSubtotal <= netFromTotal + 1;
+    if (!moneySane) {
+      options.log?.("lemonsqueezy order has inconsistent money fields \u2014 not granting", {
+        orderId: order.orderId,
+        subtotalCents,
+        discountTotalCents,
+        totalCents,
+        taxCents
+      });
+      return { status: 500, body: { ok: false, reason: "invalid_money_fields", orderId: order.orderId } };
+    }
+    const oneCentMicros = options.creditMicrosPerUnit / 100;
+    const netPaidMicros = Math.max(0, netFromSubtotal) * oneCentMicros;
+    if (netPaidMicros + oneCentMicros <= amountMicros) {
+      options.log?.("lemonsqueezy order underpaid for the credits it maps to \u2014 not granting", {
+        orderId: order.orderId,
+        amountMicros,
+        netPaidMicros,
+        subtotalCents: order.subtotalCents,
+        discountTotalCents: order.discountTotalCents
+      });
+      return { status: 500, body: { ok: false, reason: "underpaid_order", orderId: order.orderId } };
+    }
+  }
+  const { created } = await options.grant(
+    {
+      userId,
+      orderId: order.orderId,
+      reason: `purchase:${order.orderId}`,
+      amountMicros
+    },
+    order
+  );
+  return { status: 200, body: { ok: true, orderId: order.orderId, created } };
+}
+
+// src/server/credits/lemonSqueezyCheckout.ts
+var LS_API = "https://api.lemonsqueezy.com/v1/checkouts";
+function buildCheckoutRequestBody(input) {
+  const numericVariant = Number(input.variantId);
+  if (!Number.isInteger(numericVariant) || numericVariant <= 0) {
+    throw new Error(`Lemon Squeezy variantId must be a positive integer, got "${input.variantId}"`);
+  }
+  const enabledVariants = [numericVariant];
+  return {
+    data: {
+      type: "checkouts",
+      attributes: {
+        ...input.testMode !== void 0 ? { test_mode: input.testMode } : {},
+        checkout_data: {
+          ...input.email ? { email: input.email } : {},
+          // Lock the purchased quantity to exactly 1 so a buyer can't pay for N
+          // packs and receive one pack's credits (the webhook credits the fixed
+          // per-variant value; this keeps order quantity == 1).
+          variant_quantities: [{ variant_id: numericVariant, quantity: 1 }],
+          // Custom data is echoed back on the order webhook as meta.custom_data.
+          // uat binds the user id to this server-created checkout (verified by the
+          // webhook), so a buyer can't credit an arbitrary account via a crafted URL.
+          custom: {
+            user_id: input.userId,
+            ...input.attributionSecret ? { uat: signUserAttribution(input.userId, input.attributionSecret) } : {}
+          }
+        },
+        // Disable discount codes: credits are granted on the net pre-tax amount,
+        // and a discount must never let a buyer pay less than the credited value.
+        checkout_options: { discount: false },
+        // Lock the checkout to EXACTLY the server-selected variant — without
+        // enabled_variants, LS may let the buyer switch to another variant of the
+        // product, which would then mis-credit or not credit at all.
+        product_options: {
+          enabled_variants: enabledVariants,
+          ...input.redirectUrl ? { redirect_url: input.redirectUrl } : {}
+        }
+      },
+      relationships: {
+        store: { data: { type: "stores", id: input.storeId } },
+        variant: { data: { type: "variants", id: input.variantId } }
+      }
+    }
+  };
+}
+function extractCheckoutUrl(payload) {
+  if (typeof payload !== "object" || payload === null) return null;
+  const data = payload.data;
+  const url = data?.attributes?.url;
+  return typeof url === "string" && url.length > 0 ? url : null;
+}
+async function createLemonSqueezyCheckout(input, fetchImpl = fetch) {
+  const res = await fetchImpl(LS_API, {
+    method: "POST",
+    headers: {
+      Authorization: `Bearer ${input.apiKey}`,
+      Accept: "application/vnd.api+json",
+      "Content-Type": "application/vnd.api+json"
+    },
+    body: JSON.stringify(buildCheckoutRequestBody(input))
+  });
+  if (!res.ok) {
+    const detail = await res.text().catch(() => "");
+    throw new Error(`lemon squeezy checkout failed (${res.status}): ${detail.slice(0, 300)}`);
+  }
+  const url = extractCheckoutUrl(await res.json());
+  if (!url) throw new Error("lemon squeezy checkout returned no url");
+  return { url };
+}
+
+// src/server/credits/stripe.ts
+import { createHmac as createHmac2, timingSafeEqual as timingSafeEqual2 } from "crypto";
+var DEFAULT_TOLERANCE_SECONDS = 300;
+function signStripeAttribution(userId, packId, secret) {
+  return createHmac2("sha256", secret).update(`credit:${userId}:${packId}`).digest("hex");
+}
+function verifyStripeAttribution(userId, packId, token, secret) {
+  if (!userId || !packId || !token) return false;
+  const actual = Buffer.from(token, "utf8");
+  const secrets = typeof secret === "string" ? [secret] : secret;
+  return secrets.some((s) => {
+    if (!s) return false;
+    const expected = Buffer.from(signStripeAttribution(userId, packId, s), "utf8");
+    if (expected.length !== actual.length) return false;
+    return timingSafeEqual2(expected, actual);
+  });
+}
+function parseSignatureHeader(header) {
+  let t = null;
+  const v1 = [];
+  for (const part of header.split(",")) {
+    const idx = part.indexOf("=");
+    if (idx <= 0) continue;
+    const key = part.slice(0, idx).trim();
+    const value = part.slice(idx + 1).trim();
+    if (key === "t") {
+      const n = Number(value);
+      if (Number.isFinite(n)) t = n;
+    } else if (key === "v1" && value) {
+      v1.push(value);
+    }
+  }
+  return { t, v1 };
+}
+function timingSafeHexEqual(aHex, bHex) {
+  const a = Buffer.from(aHex, "utf8");
+  const b = Buffer.from(bHex, "utf8");
+  if (a.length !== b.length) return false;
+  return timingSafeEqual2(a, b);
+}
+function verifyStripeSignature(rawBody, signatureHeader, secret, opts = {}) {
+  if (!signatureHeader || !secret) return false;
+  const { t, v1 } = parseSignatureHeader(signatureHeader);
+  if (t === null || v1.length === 0) return false;
+  const tolerance = opts.toleranceSeconds ?? DEFAULT_TOLERANCE_SECONDS;
+  if (tolerance > 0) {
+    const nowSec = (opts.now ?? Date.now()) / 1e3;
+    if (Math.abs(nowSec - t) > tolerance) return false;
+  }
+  const body = typeof rawBody === "string" ? rawBody : rawBody.toString("utf8");
+  const expected = createHmac2("sha256", secret).update(`${t}.${body}`).digest("hex");
+  return v1.some((sig) => timingSafeHexEqual(expected, sig));
+}
+function asRecord2(value) {
+  return typeof value === "object" && value !== null && !Array.isArray(value) ? value : void 0;
+}
+function asString2(value) {
+  return typeof value === "string" && value.length > 0 ? value : void 0;
+}
+function asOptionalNumber2(value) {
+  return typeof value === "number" && Number.isFinite(value) ? value : void 0;
+}
+function asId(value) {
+  if (typeof value === "string") return value.length > 0 ? value : void 0;
+  const id = asRecord2(value)?.id;
+  return typeof id === "string" && id.length > 0 ? id : void 0;
+}
+function stripeNetPaidMinor(order) {
+  const sub = order.amountSubtotalMinor;
+  const total = order.amountTotalMinor;
+  const disc = order.amountDiscountMinor;
+  const tax = order.amountTaxMinor;
+  if (typeof sub !== "number" || typeof total !== "number" || typeof disc !== "number" || typeof tax !== "number") return null;
+  const netFromSubtotal = sub - disc;
+  const netFromTotal = total - tax;
+  const sane = sub >= 0 && disc >= 0 && total >= 0 && tax >= 0 && sub >= disc && total >= tax && netFromSubtotal <= netFromTotal + 1;
+  if (!sane) return null;
+  return Math.max(0, netFromSubtotal);
+}
+function parseStripeEvent(payload) {
+  const root = asRecord2(payload);
+  const eventType = asString2(root?.type);
+  const object = asRecord2(asRecord2(root?.data)?.object);
+  if (!eventType || !object) return null;
+  if (eventType.startsWith("checkout.session.")) {
+    const meta = asRecord2(object.metadata);
+    const totals = asRecord2(object.total_details);
+    return {
+      eventType,
+      paymentIntentId: asId(object.payment_intent),
+      sessionId: asString2(object.id),
+      userId: asString2(meta?.user_id) ?? asString2(object.client_reference_id),
+      userAttributionToken: asString2(meta?.uat),
+      paymentStatus: asString2(object.payment_status),
+      livemode: typeof object.livemode === "boolean" ? object.livemode : void 0,
+      currency: asString2(object.currency)?.toLowerCase(),
+      amountSubtotalMinor: asOptionalNumber2(object.amount_subtotal),
+      amountTotalMinor: asOptionalNumber2(object.amount_total),
+      amountDiscountMinor: asOptionalNumber2(totals?.amount_discount),
+      amountTaxMinor: asOptionalNumber2(totals?.amount_tax),
+      packId: asString2(meta?.pack_id)
+    };
+  }
+  if (eventType === "charge.refunded" || eventType === "charge.dispute.created") {
+    return {
+      eventType,
+      paymentIntentId: asId(object.payment_intent),
+      currency: asString2(object.currency)?.toLowerCase(),
+      livemode: typeof object.livemode === "boolean" ? object.livemode : void 0,
+      amountMinor: asOptionalNumber2(object.amount),
+      amountRefundedMinor: asOptionalNumber2(object.amount_refunded)
+    };
+  }
+  return { eventType };
+}
+async function handleStripeWebhook(rawBody, signatureHeader, options) {
+  if (!verifyStripeSignature(rawBody, signatureHeader, options.secret, { now: options.now, toleranceSeconds: options.toleranceSeconds })) {
+    return { status: 401, body: { ok: false, reason: "invalid_signature" } };
+  }
+  let payload;
+  try {
+    payload = JSON.parse(typeof rawBody === "string" ? rawBody : rawBody.toString("utf8"));
+  } catch {
+    return { status: 400, body: { ok: false, reason: "invalid_json" } };
+  }
+  const order = parseStripeEvent(payload);
+  if (!order) return { status: 400, body: { ok: false, reason: "unparseable_event" } };
+  const refundEvents = options.refundEvents ?? ["charge.refunded", "charge.dispute.created"];
+  if (refundEvents.includes(order.eventType)) {
+    if (options.isRefundForOurStore && !options.isRefundForOurStore(order)) {
+      options.log?.("stripe refund not for our mode/currency \u2014 ignoring", { paymentIntentId: order.paymentIntentId, currency: order.currency, livemode: order.livemode });
+      return { status: 200, body: { ok: true, reason: "refund_not_our_store", orderId: order.paymentIntentId } };
+    }
+    if (!order.paymentIntentId) {
+      options.log?.("stripe refund/dispute for our store has no payment_intent to map to a grant \u2014 failing loud", { eventType: order.eventType, currency: order.currency, livemode: order.livemode });
+      return { status: 500, body: { ok: false, reason: "refund_unmappable" } };
+    }
+    const { revoked } = await options.onRefund(order);
+    options.log?.("stripe refund processed", { paymentIntentId: order.paymentIntentId, revoked });
+    return { status: 200, body: { ok: true, reason: revoked ? "refund_revoked" : "refund_noop", orderId: order.paymentIntentId } };
+  }
+  const creditable = options.creditableEvents ?? ["checkout.session.completed", "checkout.session.async_payment_succeeded"];
+  if (!creditable.includes(order.eventType)) {
+    return { status: 200, body: { ok: true, reason: "ignored_event" } };
+  }
+  if (order.paymentStatus !== "paid") {
+    const statusMissing = !order.paymentStatus;
+    const looksOurs = options.isCreditOrder(order) || Boolean(options.isOurStoreOrder?.(order)) || Boolean(options.isUnverifiedCreditOrder?.(order));
+    if (statusMissing && looksOurs) {
+      options.log?.("stripe recognized credit session missing payment_status \u2014 failing loud", { sessionId: order.sessionId, paymentIntentId: order.paymentIntentId });
+      return { status: 500, body: { ok: false, reason: "payment_status_missing", orderId: order.paymentIntentId } };
+    }
+    return { status: 200, body: { ok: true, reason: `payment_status_${order.paymentStatus ?? "unknown"}`, orderId: order.paymentIntentId } };
+  }
+  if (!options.isCreditOrder(order)) {
+    if (options.isUnverifiedCreditOrder?.(order)) {
+      options.log?.("stripe paid session for a known pack has incomplete mode/currency identity \u2014 not crediting, retrying", { paymentIntentId: order.paymentIntentId, packId: order.packId, currency: order.currency, livemode: order.livemode });
+      return { status: 500, body: { ok: false, reason: "unverified_credit_order", orderId: order.paymentIntentId } };
+    }
+    if (options.isOurStoreOrder?.(order)) {
+      options.log?.("stripe paid session on our account has an unrecognized pack \u2014 not crediting", { paymentIntentId: order.paymentIntentId, packId: order.packId });
+      return { status: 500, body: { ok: false, reason: "unrecognized_credit_pack", orderId: order.paymentIntentId } };
+    }
+    return { status: 200, body: { ok: true, reason: "not_a_credit_order", orderId: order.paymentIntentId } };
+  }
+  if (options.attributionSecret !== void 0) {
+    const provided = typeof options.attributionSecret === "string" ? [options.attributionSecret] : options.attributionSecret;
+    const secrets = provided.filter((s) => typeof s === "string" && s.length > 0);
+    if (secrets.length === 0 || !verifyStripeAttribution(order.userId, order.packId, order.userAttributionToken, secrets)) {
+      options.log?.("stripe paid known-pack session has an invalid/missing attribution token \u2014 not crediting", { paymentIntentId: order.paymentIntentId, packId: order.packId });
+      return { status: 500, body: { ok: false, reason: "untrusted_attribution", orderId: order.paymentIntentId } };
+    }
+  }
+  if (!order.paymentIntentId) {
+    options.log?.("stripe paid credit session missing payment_intent \u2014 cannot key the grant, retrying", { sessionId: order.sessionId });
+    return { status: 500, body: { ok: false, reason: "missing_payment_intent", orderId: order.sessionId } };
+  }
+  const userId = (options.resolveUserId ?? ((o) => o.userId))(order);
+  if (!userId) {
+    options.log?.("stripe PAID credit order missing user id \u2014 not crediting; 500 so Stripe retries", { paymentIntentId: order.paymentIntentId });
+    return { status: 500, body: { ok: false, reason: "missing_user_id", orderId: order.paymentIntentId } };
+  }
+  if (options.userExists && !await options.userExists(userId)) {
+    options.log?.("stripe credit order for a non-existent (deleted) user \u2014 not crediting (no PII resurrection)", { paymentIntentId: order.paymentIntentId, userId });
+    return { status: 200, body: { ok: true, reason: "user_not_found", orderId: order.paymentIntentId } };
+  }
+  const amountMicros = options.creditsForOrder(order);
+  if (!Number.isSafeInteger(amountMicros) || amountMicros <= 0) {
+    options.log?.("stripe recognized credit order resolved to non-positive credits \u2014 config bug", { paymentIntentId: order.paymentIntentId, amountMicros });
+    return { status: 500, body: { ok: false, reason: "no_credit_amount", orderId: order.paymentIntentId } };
+  }
+  if (typeof options.creditMicrosPerUnit === "number" && options.creditMicrosPerUnit > 0) {
+    const netPaidMinor = stripeNetPaidMinor(order);
+    if (netPaidMinor === null) {
+      options.log?.("stripe order has missing/inconsistent money fields \u2014 not granting", { paymentIntentId: order.paymentIntentId, amountSubtotalMinor: order.amountSubtotalMinor, amountTotalMinor: order.amountTotalMinor, amountDiscountMinor: order.amountDiscountMinor, amountTaxMinor: order.amountTaxMinor });
+      return { status: 500, body: { ok: false, reason: "invalid_money_fields", orderId: order.paymentIntentId } };
+    }
+    const oneUnitMinorMicros = options.creditMicrosPerUnit / 100;
+    const netPaidMicros = netPaidMinor * oneUnitMinorMicros;
+    if (netPaidMicros + oneUnitMinorMicros <= amountMicros) {
+      options.log?.("stripe order underpaid for the credits it maps to \u2014 not granting", { paymentIntentId: order.paymentIntentId, amountMicros, netPaidMicros, netPaidMinor });
+      return { status: 500, body: { ok: false, reason: "underpaid_order", orderId: order.paymentIntentId } };
+    }
+  }
+  const { created } = await options.grant(
+    { userId, orderId: order.paymentIntentId, reason: `purchase:${order.paymentIntentId}`, amountMicros },
+    order
+  );
+  return { status: 200, body: { ok: true, orderId: order.paymentIntentId, created } };
+}
+
+// src/server/credits/stripeCheckout.ts
+var STRIPE_CHECKOUT_API = "https://api.stripe.com/v1/checkout/sessions";
+function appendCheckoutMarker(url, value) {
+  const sep = url.includes("?") ? "&" : "?";
+  return `${url}${sep}checkout=${value}`;
+}
+function buildStripeCheckoutForm(input) {
+  if (!/^price_[A-Za-z0-9]+$/.test(input.priceId)) {
+    throw new Error(`Stripe priceId must look like "price_\u2026", got "${input.priceId}"`);
+  }
+  if (!input.packId) throw new Error("Stripe checkout requires a packId");
+  const params = [
+    ["mode", "payment"],
+    ["line_items[0][price]", input.priceId],
+    ["line_items[0][quantity]", "1"],
+    // Lock quantity: buyer can't change it on the hosted page (so a fixed pack's
+    // amount == price; a custom pack collects its amount via custom_unit_amount).
+    ["line_items[0][adjustable_quantity][enabled]", "false"],
+    // Disable Adaptive Pricing: it can localize the session into another currency,
+    // which our webhook's strict currency gate would then reject — leaving the buyer
+    // charged but uncredited. Pin the currency to the configured one.
+    ["adaptive_pricing[enabled]", "false"],
+    // Buyer attribution (server-set). Both client_reference_id and metadata carry it
+    // so the webhook can read it off the session regardless of Stripe shape changes.
+    ["client_reference_id", input.userId],
+    ["metadata[user_id]", input.userId],
+    ["metadata[pack_id]", input.packId],
+    // Mirror onto the PaymentIntent so a refund (charge→payment_intent) can be traced
+    // back for audit even though we key revocation by the payment_intent id itself.
+    ["payment_intent_data[metadata][user_id]", input.userId],
+    ["payment_intent_data[metadata][pack_id]", input.packId]
+  ];
+  if (input.attributionSecret) {
+    params.push(["metadata[uat]", signStripeAttribution(input.userId, input.packId, input.attributionSecret)]);
+  }
+  if (input.email) params.push(["customer_email", input.email]);
+  if (input.redirectUrl) {
+    params.push(["success_url", appendCheckoutMarker(input.redirectUrl, "return")]);
+    params.push(["cancel_url", appendCheckoutMarker(input.redirectUrl, "cancelled")]);
+  }
+  return params.map(([k, v]) => `${encodeURIComponent(k)}=${encodeURIComponent(v)}`).join("&");
+}
+function extractCheckoutUrl2(payload) {
+  if (typeof payload !== "object" || payload === null) return null;
+  const url = payload.url;
+  return typeof url === "string" && url.length > 0 ? url : null;
+}
+async function createStripeCheckout(input, fetchImpl = fetch) {
+  const res = await fetchImpl(STRIPE_CHECKOUT_API, {
+    method: "POST",
+    headers: {
+      Authorization: `Bearer ${input.apiKey}`,
+      "Content-Type": "application/x-www-form-urlencoded"
+      // Idempotency on retried checkout *creation* is not required for money-safety
+      // (only paid orders mint credits, deduped by payment_intent), so it's omitted.
+    },
+    body: buildStripeCheckoutForm(input)
+  });
+  if (!res.ok) {
+    const detail = await res.text().catch(() => "");
+    throw new Error(`stripe checkout failed (${res.status}): ${detail.slice(0, 300)}`);
+  }
+  const url = extractCheckoutUrl2(await res.json());
+  if (!url) throw new Error("stripe checkout returned no url");
+  return { url };
+}
+
+// src/server/credits/routes.ts
+var NON_TWO_DECIMAL_CURRENCIES = /* @__PURE__ */ new Set([
+  // 0-decimal
+  "BIF",
+  "CLP",
+  "DJF",
+  "GNF",
+  "JPY",
+  "KMF",
+  "KRW",
+  "MGA",
+  "PYG",
+  "RWF",
+  "UGX",
+  "VND",
+  "VUV",
+  "XAF",
+  "XOF",
+  "XPF",
+  // 3-decimal
+  "BHD",
+  "IQD",
+  "JOD",
+  "KWD",
+  "LYD",
+  "OMR",
+  "TND"
+]);
+function buildCreditPacks(ls, locale) {
+  const checkout = ls.checkout;
+  if (!checkout) return [];
+  const credits = ls.creditMicrosByVariant ?? {};
+  const currency = ls.requireCurrency ?? "EUR";
+  const packs = [];
+  for (const [packId, variantId] of Object.entries(checkout.variants)) {
+    const major = Number(packId);
+    const creditMicros = credits[variantId];
+    if (!Number.isFinite(major) || major <= 0 || typeof creditMicros !== "number" || creditMicros <= 0) continue;
+    const priceMinor = Math.round(major * 100);
+    packs.push({
+      id: packId,
+      creditMicros,
+      priceMinor,
+      currency,
+      label: new Intl.NumberFormat(locale, { style: "currency", currency, maximumFractionDigits: 0 }).format(major),
+      isDefault: packId === checkout.defaultPack
+    });
+  }
+  return packs;
+}
+function buildStripePacks(stripe, locale) {
+  const checkout = stripe.checkout;
+  if (!checkout) return [];
+  const credits = stripe.creditMicrosByPack ?? {};
+  const currency = (stripe.requireCurrency ?? "EUR").toUpperCase();
+  const packs = [];
+  for (const [packId] of Object.entries(checkout.variants)) {
+    const major = Number(packId);
+    const creditMicros = credits[packId];
+    if (!Number.isFinite(major) || major <= 0 || typeof creditMicros !== "number" || creditMicros <= 0) continue;
+    packs.push({
+      id: packId,
+      creditMicros,
+      priceMinor: Math.round(major * 100),
+      currency,
+      label: new Intl.NumberFormat(locale, { style: "currency", currency, maximumFractionDigits: 0 }).format(major),
+      isDefault: packId === checkout.defaultPack
+    });
+  }
+  if (stripe.customPack && checkout.customPriceId) {
+    packs.push({
+      id: stripe.customPack.id,
+      creditMicros: 0,
+      priceMinor: stripe.customPack.minMinor,
+      currency,
+      label: "Custom amount",
+      isDefault: stripe.customPack.id === checkout.defaultPack,
+      custom: true
+    });
+  }
+  return packs;
+}
+function defaultGetUserId(request) {
+  const user = request.user;
+  return typeof user?.id === "string" && user.id ? user.id : void 0;
+}
+function registerCreditsRoutes(app, options) {
+  const getUserId = options.getUserId ?? defaultGetUserId;
+  const balancePath = options.balancePath ?? "/api/credits/balance";
+  if (options.lemonSqueezy && options.stripe) {
+    throw new Error("credits: configure at most one purchase provider (lemonSqueezy OR stripe), not both");
+  }
+  const stripeReady = Boolean(options.stripe?.checkout && options.stripe?.webhookSecret);
+  const checkoutEnabled = Boolean(options.lemonSqueezy?.checkout) || stripeReady;
+  const packs = options.lemonSqueezy ? buildCreditPacks(options.lemonSqueezy) : stripeReady ? buildStripePacks(options.stripe) : [];
+  app.get(balancePath, async (request, reply) => {
+    const userId = getUserId(request);
+    if (!userId) {
+      return reply.code(401).send({ error: { code: ERROR_CODES.UNAUTHORIZED, message: "authentication required" } });
+    }
+    return reply.send({
+      ...await options.service.getBalance(userId),
+      checkoutEnabled,
+      ...packs.length > 0 ? { packs } : {}
+    });
+  });
+  const historyPath = options.historyPath ?? "/api/credits/history";
+  app.get(historyPath, async (request, reply) => {
+    const userId = getUserId(request);
+    if (!userId) {
+      return reply.code(401).send({ error: { code: ERROR_CODES.UNAUTHORIZED, message: "authentication required" } });
+    }
+    const raw = request.query?.limit;
+    const parsed = typeof raw === "string" ? Number.parseInt(raw, 10) : typeof raw === "number" ? raw : NaN;
+    const limit = Number.isFinite(parsed) ? Math.min(50, Math.max(1, Math.trunc(parsed))) : 20;
+    return reply.send({ entries: await options.service.listLedger(userId, limit) });
+  });
+  const stripeOpts = options.stripe;
+  if (stripeOpts) {
+    if (!options.service.config.enabled) {
+      throw new Error("credits: cannot register Stripe checkout/webhook with a disabled credits service (paid orders would be acknowledged without crediting)");
+    }
+    registerStripeRoutes(app, options.service, getUserId, stripeOpts, options.log);
+    return;
+  }
+  const ls = options.lemonSqueezy;
+  if (!ls) return;
+  if (!options.service.config.enabled) {
+    throw new Error("credits: cannot register Lemon Squeezy checkout/webhook with a disabled credits service (paid orders would be acknowledged without crediting)");
+  }
+  if (ls.creditVariantIds.length === 0) {
+    throw new Error("credits: Lemon Squeezy webhook requires a non-empty creditVariantIds (else every paid order is acknowledged without crediting)");
+  }
+  const rawAttributionSecrets = ls.attributionSecret === void 0 ? [ls.webhookSecret] : typeof ls.attributionSecret === "string" ? [ls.attributionSecret] : ls.attributionSecret;
+  const filteredAttributionSecrets = rawAttributionSecrets.filter((s) => typeof s === "string" && s.length > 0);
+  const attributionSecrets = filteredAttributionSecrets.length > 0 ? filteredAttributionSecrets : [ls.webhookSecret];
+  const attributionSigningSecret = attributionSecrets[0];
+  if (ls.checkout) {
+    const checkout = ls.checkout;
+    const checkoutCreditVariants = new Set(ls.creditVariantIds);
+    for (const [packId, variantId] of Object.entries(checkout.variants)) {
+      if (!checkoutCreditVariants.has(variantId)) {
+        throw new Error(`credits: checkout pack "${packId}" maps to variant "${variantId}", which is not a configured credit variant (creditVariantIds) \u2014 a paid checkout for it would not be credited by the webhook`);
+      }
+      const micros = ls.creditMicrosByVariant?.[variantId];
+      if (typeof micros !== "number" || !Number.isSafeInteger(micros) || micros <= 0) {
+        throw new Error(`credits: checkout pack "${packId}" variant "${variantId}" has no positive creditMicrosByVariant entry \u2014 a paid checkout for it could not be credited`);
+      }
+    }
+    if (!(checkout.defaultPack in checkout.variants)) {
+      throw new Error(`credits: checkout defaultPack "${checkout.defaultPack}" is not one of the configured checkout variants`);
+    }
+    if (ls.expectedStoreId !== void 0 && checkout.storeId !== ls.expectedStoreId) {
+      throw new Error(`credits: checkout storeId "${checkout.storeId}" does not match the webhook's expectedStoreId "${ls.expectedStoreId}" \u2014 orders from this checkout would not be credited`);
+    }
+    if (checkout.testMode !== ls.expectedTestMode) {
+      throw new Error(`credits: checkout testMode (${checkout.testMode}) must be set and match the webhook's expectedTestMode (${ls.expectedTestMode}) \u2014 otherwise orders from this checkout would be classified in the wrong mode and not credited`);
+    }
+    app.post(ls.checkoutPath ?? "/api/credits/checkout", async (request, reply) => {
+      const userId = getUserId(request);
+      if (!userId) {
+        return reply.code(401).send({ error: { code: ERROR_CODES.UNAUTHORIZED, message: "authentication required" } });
+      }
+      const pack = request.body?.pack;
+      if (pack !== void 0 && pack !== null && (typeof pack !== "string" || !(pack in checkout.variants))) {
+        return reply.code(400).send({ error: { code: ERROR_CODES.INVALID_PACK, message: "unknown credit pack" } });
+      }
+      const packId = typeof pack === "string" && pack in checkout.variants ? pack : checkout.defaultPack;
+      const variantId = checkout.variants[packId];
+      if (!variantId) {
+        return reply.code(400).send({ error: { code: ERROR_CODES.INVALID_PACK, message: "unknown credit pack" } });
+      }
+      const email = request.user?.email;
+      try {
+        const { url } = await createLemonSqueezyCheckout({
+          apiKey: checkout.apiKey,
+          storeId: checkout.storeId,
+          variantId,
+          userId,
+          // Sign the attribution token with the (current) attribution secret so the
+          // webhook can verify the buyer id came from this server-created checkout.
+          attributionSecret: attributionSigningSecret,
+          email: typeof email === "string" ? email : void 0,
+          redirectUrl: checkout.redirectUrl,
+          testMode: checkout.testMode
+        });
+        return reply.send({ url });
+      } catch (error) {
+        options.log?.("credits: checkout creation failed", { error: String(error) });
+        return reply.code(502).send({ error: { code: ERROR_CODES.CHECKOUT_FAILED, message: "could not create checkout" } });
+      }
+    });
+  }
+  const webhookPath = ls.webhookPath ?? "/api/credits/webhooks/lemonsqueezy";
+  const creditMicrosPerUnit = options.service.config.pricing.creditMicrosPerUnit;
+  const purchaseKey = (order) => `ls:${ls.expectedStoreId ?? "default"}:${ls.expectedTestMode ? "test" : "live"}:${order.orderId}`;
+  const variantCredits = ls.creditMicrosByVariant ?? {};
+  if (!ls.creditMicrosByVariant) {
+    throw new Error("credits: creditMicrosByVariant is required for the Lemon Squeezy webhook (fixed per-variant credit values; no order-amount fallback)");
+  }
+  for (const variantId of ls.creditVariantIds) {
+    const value = variantCredits[variantId];
+    if (typeof value !== "number" || !Number.isSafeInteger(value) || value <= 0) {
+      throw new Error(`credits: creditMicrosByVariant must be a positive safe integer for credit variant "${variantId}"`);
+    }
+  }
+  const creditsForOrder = (order) => {
+    const perUnit = order.variantId !== void 0 ? variantCredits[order.variantId] ?? 0 : 0;
+    return perUnit * Math.max(1, order.quantity);
+  };
+  const creditVariantIds = new Set(ls.creditVariantIds);
+  const requireCurrency = (ls.requireCurrency ?? "EUR").toUpperCase();
+  const isOurStoreOrder = (order) => {
+    if (!order.currency || order.currency.toUpperCase() !== requireCurrency) return false;
+    if (order.testMode !== ls.expectedTestMode) return false;
+    if (ls.expectedStoreId && order.storeId !== ls.expectedStoreId) return false;
+    return true;
+  };
+  const isRefundForOurStore = (order) => {
+    if (order.currency != null && order.currency.toUpperCase() !== requireCurrency) return false;
+    if (order.testMode != null && order.testMode !== ls.expectedTestMode) return false;
+    if (order.storeId != null && ls.expectedStoreId != null && order.storeId !== ls.expectedStoreId) return false;
+    return true;
+  };
+  const isCreditVariant = (order) => order.variantId != null && creditVariantIds.has(order.variantId);
+  const isCreditOrder = (order) => {
+    if (creditVariantIds.size === 0) return false;
+    if (!isCreditVariant(order)) return false;
+    return isOurStoreOrder(order);
+  };
+  const isUnverifiedCreditOrder = (order) => isCreditVariant(order) && !isOurStoreOrder(order) && isRefundForOurStore(order);
+  const creditOnlyStore = ls.creditOnlyStore !== false;
+  app.register(async (scope) => {
+    scope.addContentTypeParser("application/json", { parseAs: "buffer" }, (_req, body, done) => {
+      done(null, body);
+    });
+    scope.post(webhookPath, async (request, reply) => {
+      const rawBody = request.body;
+      const signature = request.headers["x-signature"];
+      const result = await handleLemonSqueezyWebhook(
+        rawBody,
+        typeof signature === "string" ? signature : Array.isArray(signature) ? signature[0] : void 0,
+        {
+          secret: ls.webhookSecret,
+          creditsForOrder,
+          // Don't resurrect a deleted user's PII via a stale order_created webhook.
+          userExists: ls.userExists,
+          isCreditOrder,
+          // Credit-only store (the DEFAULT): an unknown-variant PAID order on our store
+          // is a pack misconfiguration → retryable 500. Use the LENIENT identity check
+          // (isRefundForOurStore: missing store/mode/currency still counts as ours; only
+          // a PRESENT contradiction is exempt) so a misconfigured new pack whose payload
+          // omits store_id isn't silently 200-dropped. Mixed store (explicit
+          // creditOnlyStore: false): omit this predicate so the handler 200-ignores an
+          // unknown variant (a different product — no infinite retry on legit sales).
+          isOurStoreOrder: creditOnlyStore ? isRefundForOurStore : void 0,
+          // Known credit variant with incomplete identity → retryable 500, not a
+          // silent 200 drop (a paid pack we can't safely attribute must fail loud).
+          // Fires regardless of creditOnlyStore (it's a recognized pack either way).
+          isUnverifiedCreditOrder,
+          // Lenient: a refund whose payload omits store/mode/currency still revokes
+          // a credited order; only a present-and-mismatched field is rejected.
+          isRefundForOurStore,
+          // Bind buyer attribution to a server-created checkout (custom_data.uat).
+          // Verify against current + previous secrets so a rotation doesn't reject
+          // in-flight checkout links.
+          attributionSecret: attributionSecrets,
+          // Refuse to grant a fixed pack value the buyer didn't actually pay for.
+          creditMicrosPerUnit,
+          grant: (input, order) => options.service.grantPurchase(input.userId, purchaseKey(order), input.amountMicros, {
+            storeId: order.storeId,
+            testMode: order.testMode,
+            currency: order.currency,
+            variantId: order.variantId
+          }),
+          // Refunds/disputes revoke the order's credits. A PARTIAL refund passes
+          // the cumulative refunded fraction (refunded_amount / total); a full
+          // refund passes undefined. allowTombstone gates writing a pre-grant
+          // tombstone for an order we HAVEN'T credited yet: only when the refund
+          // still validates as a credit order (prevents a cross-store/mode refund
+          // from tombstoning by order id). An order we already credited is always
+          // revocable regardless (reconciled by order id in the store).
+          onRefund: (order) => options.service.revokePurchase(purchaseKey(order), {
+            // A partial refund passes the fraction refunded; a missing/zero total
+            // (totalCents undefined) or refunded amount falls back to a full refund.
+            refundFraction: order.refundedAmountCents > 0 && order.totalCents !== void 0 && order.totalCents > 0 ? order.refundedAmountCents / order.totalCents : void 0,
+            // Tombstone an unknown order when the refund is compatible with our
+            // store/mode (lenient: missing fields OK). This leniency is DELIBERATE:
+            // Lemon Squeezy refund payloads routinely omit the variant id (and often
+            // store/mode), so requiring strict identity here would SKIP the tombstone
+            // for a refund-before-grant whose payload lacks the variant — reintroducing
+            // the bug where the later order_created then grants credits for an order
+            // already refunded (the refund fired first, found nothing to revoke, and
+            // never re-fires). Safe because: (a) the per-store webhook secret already
+            // proves the refund is from our store; (b) the composite purchase key is
+            // namespaced by CONFIG store+mode (not the payload), so the tombstone lands
+            // in our namespace; (c) order ids are globally unique, so a tombstone can
+            // only ever net a FUTURE grant for that SAME order — exactly the intended
+            // refund-before-grant behaviour, never a different legitimate order.
+            allowTombstone: isRefundForOurStore(order),
+            // Match the credited row against the CONFIGURED identity (not the
+            // payload's maybe-missing fields). The per-store/mode webhook secret
+            // already proves the refund is from our store+mode; the row's stored
+            // identity equals config for legit grants, so a colliding order id
+            // from another store can't reach here (HMAC) and a legit refund whose
+            // payload omits store_id still revokes.
+            expectedStoreId: ls.expectedStoreId,
+            expectedTestMode: ls.expectedTestMode,
+            expectedCurrency: requireCurrency
+          }),
+          log: options.log
+        }
+      );
+      return reply.code(result.status).send(result.body);
+    });
+  });
+}
+function registerStripeRoutes(app, service, getUserId, stripe, log) {
+  const creditMicrosPerUnit = service.config.pricing.creditMicrosPerUnit;
+  const requireCurrency = (stripe.requireCurrency ?? "EUR").toUpperCase();
+  if (NON_TWO_DECIMAL_CURRENCIES.has(requireCurrency)) {
+    throw new Error(`credits: Stripe currency "${requireCurrency}" is not a 2-decimal currency; the credit math assumes 100 minor units per major unit. Use a 2-decimal currency (e.g. EUR/USD/GBP/CHF).`);
+  }
+  const expectedLiveMode = !stripe.expectedTestMode;
+  const creditOnlyStore = stripe.creditOnlyStore !== false;
+  const fixedPackMicros = stripe.creditMicrosByPack ?? {};
+  const customPackId = stripe.customPack?.id;
+  if (stripe.checkout && !stripe.webhookSecret) {
+    throw new Error("credits: Stripe checkout is configured but no webhookSecret \u2014 buyers would be charged without being credited (no fulfillment webhook). Set BORING_CREDITS_STRIPE_WEBHOOK_SECRET.");
+  }
+  const webhookSecret = stripe.webhookSecret;
+  if (!webhookSecret) return;
+  const rawAttribution = stripe.attributionSecret === void 0 ? [webhookSecret] : typeof stripe.attributionSecret === "string" ? [stripe.attributionSecret] : stripe.attributionSecret;
+  const attributionSecrets = rawAttribution.filter((s) => typeof s === "string" && s.length > 0);
+  const effectiveAttributionSecrets = attributionSecrets.length > 0 ? attributionSecrets : [webhookSecret];
+  const attributionSigningSecret = effectiveAttributionSecrets[0];
+  if (stripe.checkout) {
+    const checkout = stripe.checkout;
+    if (!checkout.redirectUrl) {
+      throw new Error("credits: Stripe checkout requires a redirect URL (BORING_CREDITS_STRIPE_REDIRECT_URL) \u2014 Stripe rejects payment-mode sessions without a success_url");
+    }
+    for (const [packId, priceId] of Object.entries(checkout.variants)) {
+      const micros = fixedPackMicros[packId];
+      if (typeof micros !== "number" || !Number.isSafeInteger(micros) || micros <= 0) {
+        throw new Error(`credits: stripe checkout pack "${packId}" (price ${priceId}) has no positive creditMicrosByPack entry`);
+      }
+    }
+    const defaultIsCustom = customPackId != null && checkout.defaultPack === customPackId && checkout.customPriceId != null;
+    if (!(checkout.defaultPack in checkout.variants) && !defaultIsCustom) {
+      throw new Error(`credits: stripe checkout defaultPack "${checkout.defaultPack}" is not one of the configured packs (or the custom pack)`);
+    }
+    if (customPackId && customPackId in checkout.variants) {
+      throw new Error(`credits: stripe custom pack id "${customPackId}" collides with a fixed pack id`);
+    }
+  }
+  const isFixedPack = (packId) => packId != null && packId in fixedPackMicros;
+  const isCustomPack = (packId) => customPackId != null && packId === customPackId;
+  const isKnownPack = (packId) => isFixedPack(packId) || isCustomPack(packId);
+  const ratePerMinor = creditMicrosPerUnit / 100;
+  const customMinMinor = stripe.customPack?.minMinor ?? 0;
+  const creditsForOrder = (order) => {
+    if (isCustomPack(order.packId)) {
+      const net = stripeNetPaidMinor(order);
+      if (net === null || net <= 0 || net < customMinMinor) return 0;
+      return Math.floor(net * ratePerMinor);
+    }
+    if (isFixedPack(order.packId)) return fixedPackMicros[order.packId] ?? 0;
+    return 0;
+  };
+  const isOurStoreOrder = (order) => order.livemode === expectedLiveMode && order.currency != null && order.currency.toUpperCase() === requireCurrency;
+  const isRefundForOurStore = (order) => {
+    if (order.livemode != null && order.livemode !== expectedLiveMode) return false;
+    if (order.currency != null && order.currency.toUpperCase() !== requireCurrency) return false;
+    return true;
+  };
+  const isCreditOrder = (order) => isKnownPack(order.packId) && isOurStoreOrder(order);
+  const isUnverifiedCreditOrder = (order) => isKnownPack(order.packId) && !isOurStoreOrder(order);
+  const purchaseKey = (paymentIntentId) => `stripe:${stripe.expectedTestMode ? "test" : "live"}:${paymentIntentId}`;
+  if (stripe.checkout) {
+    const checkout = stripe.checkout;
+    app.post(stripe.checkoutPath ?? "/api/credits/checkout", async (request, reply) => {
+      const userId = getUserId(request);
+      if (!userId) {
+        return reply.code(401).send({ error: { code: ERROR_CODES.UNAUTHORIZED, message: "authentication required" } });
+      }
+      const pack = request.body?.pack;
+      let packId;
+      let priceId;
+      if (pack === void 0 || pack === null) {
+        packId = checkout.defaultPack;
+        priceId = isCustomPack(packId) && checkout.customPriceId ? checkout.customPriceId : checkout.variants[packId];
+      } else if (typeof pack === "string" && pack in checkout.variants) {
+        packId = pack;
+        priceId = checkout.variants[pack];
+      } else if (typeof pack === "string" && isCustomPack(pack) && checkout.customPriceId) {
+        packId = pack;
+        priceId = checkout.customPriceId;
+      } else {
+        return reply.code(400).send({ error: { code: ERROR_CODES.INVALID_PACK, message: "unknown credit pack" } });
+      }
+      const email = request.user?.email;
+      try {
+        const { url } = await createStripeCheckout({
+          apiKey: checkout.apiKey,
+          priceId,
+          userId,
+          packId,
+          // Sign (user, pack) so the webhook can confirm THIS adapter created the session.
+          attributionSecret: attributionSigningSecret,
+          email: typeof email === "string" ? email : void 0,
+          redirectUrl: checkout.redirectUrl
+        });
+        return reply.send({ url });
+      } catch (error) {
+        log?.("credits: stripe checkout creation failed", { error: String(error) });
+        return reply.code(502).send({ error: { code: ERROR_CODES.CHECKOUT_FAILED, message: "could not create checkout" } });
+      }
+    });
+  }
+  const webhookPath = stripe.webhookPath ?? "/api/credits/webhooks/stripe";
+  app.register(async (scope) => {
+    scope.addContentTypeParser("application/json", { parseAs: "buffer" }, (_req, body, done) => {
+      done(null, body);
+    });
+    scope.post(webhookPath, async (request, reply) => {
+      const rawBody = request.body;
+      const signature = request.headers["stripe-signature"];
+      const result = await handleStripeWebhook(
+        rawBody,
+        typeof signature === "string" ? signature : Array.isArray(signature) ? signature[0] : void 0,
+        {
+          secret: webhookSecret,
+          creditsForOrder,
+          userExists: stripe.userExists,
+          isCreditOrder,
+          // Credit-only store (default): a paid session that's ours but an unknown pack →
+          // retryable 500 (lenient identity) rather than a silent drop. Mixed store: omit.
+          isOurStoreOrder: creditOnlyStore ? isRefundForOurStore : void 0,
+          isUnverifiedCreditOrder,
+          isRefundForOurStore,
+          creditMicrosPerUnit,
+          // Verify the session was created by THIS adapter (metadata.uat). Verify against
+          // ALL attribution secrets (current + previous) so a rotation doesn't reject
+          // in-flight checkouts. Defends a mixed Stripe account from a colliding pack_id.
+          attributionSecret: effectiveAttributionSecrets,
+          grant: (input, order) => service.grantPurchase(input.userId, purchaseKey(order.paymentIntentId), input.amountMicros, {
+            testMode: stripe.expectedTestMode,
+            currency: order.currency?.toUpperCase(),
+            variantId: order.packId
+          }),
+          onRefund: (order) => service.revokePurchase(purchaseKey(order.paymentIntentId), {
+            // charge.refunded carries amount_refunded/amount → a proportional fraction
+            // for partial refunds. charge.dispute.created carries neither, so the fraction
+            // is undefined ⇒ FULL revoke. That's deliberate and safe: a dispute withholds
+            // the funds immediately, so revoking the whole order's credits is the
+            // conservative direction (a rare partial dispute over-revokes, recoverable by
+            // re-grant, vs. the worse alternative of leaving clawed-back funds credited).
+            refundFraction: order.amountRefundedMinor !== void 0 && order.amountRefundedMinor > 0 && order.amountMinor !== void 0 && order.amountMinor > 0 ? order.amountRefundedMinor / order.amountMinor : void 0,
+            allowTombstone: isRefundForOurStore(order),
+            expectedTestMode: stripe.expectedTestMode,
+            expectedCurrency: requireCurrency
+          }),
+          log
+        }
+      );
+      return reply.code(result.status).send(result.body);
+    });
+  });
+}
 export {
+  CONSERVATIVE_DEFAULT_RATE,
+  CreditExhaustedError,
+  CreditsService,
+  DEFAULT_CREDITS_CONFIG,
+  DEFAULT_MODEL_RATES,
+  InsufficientCreditError,
   MailDeliveryError,
+  PostgresMeteringStore,
+  SIGNUP_GRANT_REASON,
   WorkspaceRuntimeSandboxHandleStore,
   authHook,
+  buildCheckoutRequestBody,
   buildRuntimeConfigPayload,
   coreConfigSchema,
   createAuth,
   createCoreApp,
+  createCreditsMeteringSink,
   createDatabase,
   createDrizzleIdempotencyStore,
   createFsProvisioner,
   createIdempotencyMiddleware,
+  createLemonSqueezyCheckout,
   createMailTransport,
   createPostSignupHook,
+  estimateProviderCost,
+  handleLemonSqueezyWebhook,
   loadConfig,
+  maxEffectiveRate,
+  maxServedRate,
+  parseLemonSqueezyOrder,
+  registerCreditsRoutes,
   registerInviteRoutes,
   registerMemberRoutes,
   registerRoutes,
@@ -131,6 +1590,10 @@ export {
   runCoreMigrationsFromEnv,
   runMigrations,
   safeRedirect,
+  signUserAttribution,
+  usageToCredits,
   validateConfig,
-  validatePasswordStrength
+  validatePasswordStrength,
+  verifyLemonSqueezySignature,
+  verifyUserAttribution
 };