@hachej/boring-core 0.1.45 → 0.1.46

package/dist/{PostgresMeteringStore-CzNv6xil.d.ts → PostgresMeteringStore-DhOVVtau.d.ts}

@@ -59,6 +59,9 @@ interface ReserveInput {
 }
 interface ReserveResult {
     reservationId: string;
+    /** false when an existing active reservation for this run was returned (idempotent
+     * retry), true when a new hold was placed. Lets callers avoid double-counting. */
+    created: boolean;
 }
 interface RecordUsageInput {
     /** Stable idempotency key; a second insert with the same id is a no-op. */
@@ -120,6 +123,7 @@ declare class PostgresMeteringStore {
         variantId?: string;
     }): Promise<{
         granted: boolean;
+        refundAppliedMicros?: number;
     }>;
     /**
      * Revoke a refunded/disputed purchase. Under the same per-order advisory lock

package/dist/app/front/index.d.ts

@@ -9,12 +9,25 @@ interface ChatFirstPublicShellOptions {
     emptyState?: {
         eyebrow?: string;
         title?: string;
-        description?: string;
+        description?: ReactNode;
         footer?: ReactNode;
     };
     suggestions?: ChatSuggestion[];
     /**
-     * Hand-drawn "Your agent" / "Your remote computer" annotations point at the
+     * Predefined models for the composer's model picker. When provided, the
+     * composer settings row (model + thinking pickers) is shown in the no-auth
+     * hero, mirroring a regular chat session. The no-auth shell can't fetch the
+     * model list from the server (server resources are disabled), so it must be
+     * passed in here. `available` defaults to `true`.
+     */
+    models?: Array<{
+        provider: string;
+        id: string;
+        label: string;
+        available?: boolean;
+    }>;
+    /**
+     * Hand-drawn "Ask your AI here" / "Review its work here" annotations point at the
      * composer and the workspace surface to teach the empty public shell. Apps
      * that open a center panel on load (e.g. a landing page) should disable them,
      * otherwise the fixed-position arrows overlay the open panel. Defaults to on.

package/dist/app/front/index.js

@@ -54,7 +54,7 @@ function ChatFirstAuthenticatedShell({
       ...workspaceProps,
       workspaceId,
       appTitle,
-      topBarLeft: null,
+      topBarLeft: workspaceProps.topBarLeft ?? null,
       sessions: [],
       activeSessionId: null,
       onSwitchSession: () => void 0,
@@ -264,6 +264,8 @@ function ChatFirstPublicShell({
   const promptedDraft = new URLSearchParams(location.search).get("prompt")?.trim() ?? "";
   const pendingReturnTo = promptedDraft ? "/" : returnTo;
   const workspaceId = intendedWorkspaceId || "public";
+  const publicModels = (publicShell?.models ?? []).map((m) => ({ ...m, available: m.available ?? true }));
+  const showComposerSettings = publicModels.length > 0;
   const openAuth = (draft = readComposerDraftFromDom()) => {
     writePendingChatEntry({ draft, returnTo: pendingReturnTo, ...intendedWorkspaceId ? { intendedWorkspaceId } : {} });
     setModalOpen(true);
@@ -356,7 +358,7 @@ function ChatFirstPublicShell({
   return /* @__PURE__ */ jsxs3("div", { className: "public-chat-first-shell relative h-screen min-h-0 bg-background", children: [
     publicShell?.showTeachingArrows !== false && /* @__PURE__ */ jsxs3(Fragment2, { children: [
       /* @__PURE__ */ jsxs3("div", { className: "public-arrow public-arrow-computer", "aria-hidden": "true", children: [
-        /* @__PURE__ */ jsx4("span", { className: "public-arrow-label", children: "Your remote computer" }),
+        /* @__PURE__ */ jsx4("span", { className: "public-arrow-label", children: "Review its work here" }),
         /* @__PURE__ */ jsxs3("svg", { className: "public-arrow-svg", viewBox: "0 0 190 140", fill: "none", children: [
           /* @__PURE__ */ jsx4(
             "path",
@@ -381,7 +383,7 @@ function ChatFirstPublicShell({
           /* @__PURE__ */ jsx4("path", { className: "paw-stroke", d: "M76 10 C 70 16 62 19 53 20" }),
           /* @__PURE__ */ jsx4("path", { className: "paw-stroke", d: "M76 10 C 82 14 87 21 90 29" })
         ] }),
-        /* @__PURE__ */ jsx4("span", { className: "public-arrow-label", children: "Your agent" })
+        /* @__PURE__ */ jsx4("span", { className: "public-arrow-label", children: "Ask your AI here" })
       ] })
     ] }),
     /* @__PURE__ */ jsx4("aside", { className: "pointer-events-none fixed bottom-6 left-6 z-20 w-[300px]", children: /* @__PURE__ */ jsx4("div", { className: "pointer-events-auto", children: /* @__PURE__ */ jsx4(AuthCard, { returnTo }) }) }),
@@ -393,16 +395,38 @@ function ChatFirstPublicShell({
         showComposerBlocker: false,
         workspaceProps: {
           ...workspaceProps,
+          // No-auth landing should open with the workspace surface closed —
+          // a fresh load/hard refresh shows just the hero, not a re-opened
+          // panel. The /landing-page command still opens it on demand.
+          defaultSurfaceOpen: false,
           topBarRight: /* @__PURE__ */ jsx4("button", { type: "button", className: "rounded-md border border-border px-3 py-1.5 text-sm font-medium hover:bg-muted", onClick: () => openAuth(), children: "Sign in" }),
+          // No-auth shell has no real session yet — show just the brand, hide the
+          // "· New session" placeholder that the default TopBar would render.
+          topBarLeft: /* @__PURE__ */ jsxs3(Fragment2, { children: [
+            /* @__PURE__ */ jsx4(
+              "span",
+              {
+                "aria-hidden": "true",
+                className: "grid size-[22px] shrink-0 place-items-center rounded-sm bg-foreground text-[11px] font-semibold leading-none tracking-tight text-background",
+                children: (appTitle?.[0] ?? "B").toUpperCase()
+              }
+            ),
+            /* @__PURE__ */ jsx4("span", { className: "truncate text-[13px] font-medium leading-none tracking-tight text-foreground", children: appTitle })
+          ] }),
           className: workspaceProps.className,
           surfaceButtonBottomOffset: 456,
           chatParams: {
             ...workspaceProps.chatParams,
             emptyPlacement: "hero",
             composerPlaceholder: publicShell?.composerPlaceholder ?? "Type /landing-page or /reach-out",
-            hideComposerSettings: true,
+            hideComposerSettings: !showComposerSettings,
             suppressPreSubmitCancelledWarning: true,
-            thinkingControl: false,
+            thinkingControl: showComposerSettings,
+            ...showComposerSettings ? {
+              availableModels: publicModels,
+              hideDefaultModelOption: true,
+              defaultModel: { provider: publicModels[0].provider, id: publicModels[0].id }
+            } : {},
             initialDraft: promptedDraft || void 0,
             emptyState: {
               ...defaultPublicEmptyState,

package/dist/app/server/index.d.ts

@@ -4,7 +4,7 @@ import { WorkspaceServerPlugin } from '@hachej/boring-workspace/server';
 import { FastifyInstance } from 'fastify';
 import { C as CoreConfig } from '../../types-CWtJ4kgd.js';
 import { TelemetrySink } from '../../shared/index.js';
-import { B as BetterAuthInstance, L as LoadConfigOptions } from '../../authHook-CzBsMwwM.js';
+import { B as BetterAuthInstance, L as LoadConfigOptions } from '../../authHook-DtzhSmqS.js';
 import { D as Database, U as UserStore, W as WorkspaceStore } from '../../connection-C5SiqoNc.js';
 import { IncomingMessage, ServerResponse } from 'node:http';
 import 'better-auth';
@@ -16,6 +16,9 @@ type CoreWorkspaceAgentServer = FastifyInstance & {
     db: Database;
     userStore: UserStore;
     workspaceStore: WorkspaceStore;
+    /** Best-effort telemetry sink (DB-backed when BORING_TELEMETRY_ENABLED=true, else noop).
+     * Consumed by request hooks and the credit service to emit product events. */
+    telemetry: TelemetrySink;
 };
 type CoreWorkspaceAgentServerPlugin = WorkspaceServerPlugin & {
     provisioning?: RuntimeProvisioningContribution;

package/dist/app/server/index.js

@@ -9,13 +9,13 @@ import {
   registerRoutes,
   registerSettingsRoutes,
   registerWorkspaceRoutes
-} from "../../chunk-FZICNVJW.js";
+} from "../../chunk-6GAQRQKO.js";
 import {
   PostgresUserStore,
   PostgresWorkspaceStore,
   createDatabase,
   telemetryEvents
-} from "../../chunk-I56OTSPB.js";
+} from "../../chunk-FZC3VL5D.js";
 import {
   noopTelemetry,
   safeCapture
@@ -82,7 +82,13 @@ var ALLOWED_PROPERTY_KEYS = /* @__PURE__ */ new Set([
   "skillCount",
   "templateDirCount",
   "packageName",
-  "packageVersion"
+  "packageVersion",
+  // Credits / billing (provider/pack/currency/reason are slugs; creditMicros is a non-negative int).
+  "provider",
+  "packId",
+  "currency",
+  "reason",
+  "creditMicros"
 ]);
 function createDatabaseTelemetryFromEnv(db, options, env = process.env) {
   if (env.BORING_TELEMETRY_ENABLED !== "true") return noopTelemetry;
@@ -135,6 +141,9 @@ function sanitizeTelemetryProperty(key, value) {
   if (key.endsWith("Count")) {
     return typeof value === "number" && Number.isInteger(value) && value >= 0 ? value : void 0;
   }
+  if (key.endsWith("Micros")) {
+    return typeof value === "number" && Number.isInteger(value) && value >= 0 ? value : void 0;
+  }
   if (key === "status" && typeof value === "number") {
     return Number.isInteger(value) && value >= 100 && value <= 599 ? value : void 0;
   }
@@ -171,6 +180,11 @@ function sanitizeTelemetryString(key, value) {
       return SAFE_PACKAGE_NAME_PATTERN.test(value) ? value : void 0;
     case "packageVersion":
       return SAFE_PACKAGE_VERSION_PATTERN.test(value) ? value : void 0;
+    case "provider":
+    case "packId":
+    case "currency":
+    case "reason":
+      return SAFE_SLUG_PATTERN.test(value) ? value : void 0;
     default:
       return void 0;
   }
@@ -443,12 +457,20 @@ function captureAppOpened(telemetry, requestId) {
 }
 function registerTelemetryHooks(app, telemetry) {
   app.addHook("onResponse", async (request, reply) => {
-    if (reply.statusCode < 500) return;
+    const status = reply.statusCode;
+    if (status === 429) {
+      safeCapture(telemetry, {
+        name: "server.request.rate_limited",
+        properties: { requestId: request.id }
+      });
+      return;
+    }
+    if (status < 500) return;
     safeCapture(telemetry, {
       name: "server.request.failed",
       properties: {
         requestId: request.id,
-        status: reply.statusCode,
+        status,
         errorCode: ERROR_CODES.INTERNAL_ERROR
       }
     });
@@ -481,7 +503,7 @@ async function registerFrontendFallback(app, appRoot, telemetry) {
     return serveFrontendShell(request, reply, indexPath, telemetry);
   });
 }
-async function createCoreRuntime(config) {
+async function createCoreRuntime(config, customTelemetry) {
   if (config.stores !== "postgres") {
     throw new Error("createCoreWorkspaceAgentServer currently supports only CORE_STORES=postgres");
   }
@@ -493,18 +515,19 @@ async function createCoreRuntime(config) {
     config.encryption.workspaceSettingsKey
   );
   const app = await createCoreApp(config);
-  const auth = createAuth(config, db, {
-    workspaceStore,
-    logger: app.log
-  });
+  const telemetry = customTelemetry ?? createDatabaseTelemetryFromEnv(db, { appId: config.appId }, process.env);
+  const telemetrySource = customTelemetry ? "custom" : process.env.BORING_TELEMETRY_ENABLED === "true" ? "db-env" : "noop-env";
+  app.log.debug({ telemetry: { source: telemetrySource } }, "resolved telemetry sink");
+  const auth = createAuth(config, db, { workspaceStore, logger: app.log, telemetry });
   app.decorate("db", db);
   app.decorate("auth", auth);
   app.decorate("userStore", userStore);
   app.decorate("workspaceStore", workspaceStore);
+  app.decorate("telemetry", telemetry);
   app.addHook("onClose", async () => {
     await sql.end();
   });
-  return { app, sql, db, userStore, workspaceStore };
+  return { app, sql, db, userStore, workspaceStore, telemetry };
 }
 async function registerCoreRoutes({
   app,
@@ -534,14 +557,11 @@ async function createCoreWorkspaceAgentServer(options = {}) {
   }
   assertCoreStaticPluginEntries(options.plugins);
   const config = options.config ?? await loadConfig(resolveCoreLoadConfigOptions(options));
-  const { app, sql, db, userStore, workspaceStore } = await createCoreRuntime(config);
+  const { app, sql, db, userStore, workspaceStore, telemetry } = await createCoreRuntime(config, options.telemetry);
   const appRoot = options.appRoot;
   const serveFrontend = options.serveFrontend ?? (process.env.NODE_ENV !== "development" && Boolean(appRoot));
   const pluginWorkspaceRoot = process.cwd();
   const workspaceRoot = options.workspaceRoot ?? process.env.BORING_AGENT_WORKSPACE_ROOT ?? process.cwd();
-  const telemetrySource = options.telemetry ? "custom" : process.env.BORING_TELEMETRY_ENABLED === "true" ? "db-env" : "noop-env";
-  const telemetry = options.telemetry ?? createDatabaseTelemetryFromEnv(db, { appId: config.appId }, process.env);
-  app.log.debug({ telemetry: { source: telemetrySource } }, "resolved telemetry sink");
   registerTelemetryHooks(app, telemetry);
   await registerCoreRoutes({ app, sql, db, userStore, workspaceStore });
   if (serveFrontend && appRoot) {

package/dist/{authHook-CzBsMwwM.d.ts → authHook-DtzhSmqS.d.ts}

@@ -2,6 +2,7 @@ import { C as CoreConfig, R as RuntimeConfig } from './types-CWtJ4kgd.js';
 import { FastifyPluginAsync } from 'fastify';
 import { Auth } from 'better-auth';
 import { W as WorkspaceStore, D as Database } from './connection-C5SiqoNc.js';
+import { TelemetrySink } from './shared/index.js';
 
 interface LoadConfigOptions {
     tomlPath?: string;
@@ -21,6 +22,8 @@ interface CreateAuthOptions {
     logger?: {
         warn: (obj: Record<string, unknown>, msg: string) => void;
     };
+    /** Telemetry sink for auth.signed_up / auth.session_started (defaults to noop). */
+    telemetry?: TelemetrySink;
 }
 declare function createAuth(config: CoreConfig, db: Database, opts?: CreateAuthOptions): Auth<any>;
 type BetterAuthInstance = Auth<any>;

package/dist/{chunk-FZICNVJW.js → chunk-6GAQRQKO.js}

@@ -12,7 +12,11 @@ import {
   workspaceRuntimes,
   workspaceSettings,
   workspaces
-} from "./chunk-I56OTSPB.js";
+} from "./chunk-FZC3VL5D.js";
+import {
+  noopTelemetry,
+  safeCapture
+} from "./chunk-AQBXNPMD.js";
 import {
   ConfigValidationError,
   ERROR_CODES,
@@ -1742,6 +1746,7 @@ function buildMailTransport(config) {
 }
 function createAuth(config, db, opts) {
   const transport = buildMailTransport(config);
+  const telemetry = opts?.telemetry ?? noopTelemetry;
   const emailVerificationConfig = transport ? {
     sendOnSignUp: true,
     sendVerificationEmail: async (data) => {
@@ -1802,13 +1807,35 @@ function createAuth(config, db, opts) {
     baseURL: config.auth.url,
     basePath: "/auth",
     trustedOrigins: config.cors.origins,
-    databaseHooks: postSignupHook ? {
+    databaseHooks: {
       user: {
         create: {
-          after: postSignupHook
+          // auth.signed_up is emitted here (not in postSignupHook) so it fires for ALL
+          // signups, independent of whether workspace post-signup setup is wired.
+          // distinctId = user id; no properties (no PII, nothing the DB sink would drop).
+          after: async (user, ctx) => {
+            safeCapture(telemetry, {
+              name: "auth.signed_up",
+              distinctId: typeof user?.id === "string" ? user.id : void 0
+            });
+            if (postSignupHook) await postSignupHook(user, ctx);
+          }
+        }
+      },
+      // Fires for every new session — sign-in AND the session minted on sign-up — so the
+      // name reflects that (a true returning-sign-in count = session_started minus the
+      // first session per user, derivable in SQL). distinctId = user id; no properties.
+      session: {
+        create: {
+          after: async (session) => {
+            safeCapture(telemetry, {
+              name: "auth.session_started",
+              distinctId: typeof session?.userId === "string" ? session.userId : void 0
+            });
+          }
         }
       }
-    } : void 0,
+    },
     advanced: {
       database: {
         generateId: "uuid"

package/dist/{chunk-I56OTSPB.js → chunk-FZC3VL5D.js}

@@ -1890,7 +1890,7 @@ var PostgresMeteringStore = class {
             metadata: { kind: "purchase_refund", orderId: input.orderId, refundedToMicros: revoke, appliedAtGrant: true }
           });
         }
-        return { granted: true };
+        return { granted: true, refundAppliedMicros: revoke > 0 ? revoke : void 0 };
       }
       await tx.insert(creditPurchases).values({
         orderId: input.orderId,
@@ -2090,7 +2090,7 @@ var PostgresMeteringStore = class {
         eq3(usageReservations.status, "active")
       )).limit(1);
       const existingId = existing[0]?.id;
-      if (existingId) return { reservationId: existingId };
+      if (existingId) return { reservationId: existingId, created: false };
       const balance = await this.computeBalance(tx, input.userId, now);
       if (balance.availableMicros < minAvailable) {
         throw new InsufficientCreditError(balance.availableMicros, minAvailable);
@@ -2107,7 +2107,7 @@ var PostgresMeteringStore = class {
       }).returning({ id: usageReservations.id });
       const reservationId = rows[0]?.id;
       if (!reservationId) throw new Error("reservation insert returned no id");
-      return { reservationId };
+      return { reservationId, created: true };
     });
   }
   /** Idempotent ledger insert; returns whether a new row was written. Serialized

package/dist/server/db/index.d.ts

@@ -1,6 +1,6 @@
 import { U as UserStore, W as WorkspaceStore } from '../../connection-C5SiqoNc.js';
 export { D as Database, c as createDatabase } from '../../connection-C5SiqoNc.js';
-export { F as FinishReservationInput, G as GrantOnceInput, I as InsufficientCreditError, M as MeteringBalance, P as PostgresMeteringStore, R as RecordUsageInput, a as RecordUsageResult, b as ReservationFinalStatus, c as ReserveInput, d as ReserveResult, e as RunMigrationsOptions, r as runMigrations } from '../../PostgresMeteringStore-CzNv6xil.js';
+export { F as FinishReservationInput, G as GrantOnceInput, I as InsufficientCreditError, M as MeteringBalance, P as PostgresMeteringStore, R as RecordUsageInput, a as RecordUsageResult, b as ReservationFinalStatus, c as ReserveInput, d as ReserveResult, e as RunMigrationsOptions, r as runMigrations } from '../../PostgresMeteringStore-DhOVVtau.js';
 import { U as User, W as Workspace, E as ERROR_CODES, M as MemberRole, a as WorkspaceMember, b as WorkspaceInvite, c as WorkspaceRuntime, d as WorkspaceRuntimeResourceSelector, e as WorkspaceRuntimeResource, f as WorkspaceRuntimeResourceInput } from '../../types-CWtJ4kgd.js';
 import { PostgresJsDatabase } from 'drizzle-orm/postgres-js';
 import 'postgres';

package/dist/server/db/index.js

@@ -7,7 +7,7 @@ import {
   PostgresWorkspaceStore,
   createDatabase,
   runMigrations
-} from "../../chunk-I56OTSPB.js";
+} from "../../chunk-FZC3VL5D.js";
 import "../../chunk-LIBHVT7V.js";
 import "../../chunk-MLKGABMK.js";
 export {

package/dist/server/index.d.ts

@@ -1,5 +1,5 @@
-import { L as LoadConfigOptions } from '../authHook-CzBsMwwM.js';
-export { A as AuthHookOptions, B as BetterAuthInstance, C as CreateAuthOptions, a as authHook, b as buildRuntimeConfigPayload, c as createAuth, l as loadConfig, v as validateConfig, d as validatePasswordStrength } from '../authHook-CzBsMwwM.js';
+import { L as LoadConfigOptions } from '../authHook-DtzhSmqS.js';
+export { A as AuthHookOptions, B as BetterAuthInstance, C as CreateAuthOptions, a as authHook, b as buildRuntimeConfigPayload, c as createAuth, l as loadConfig, v as validateConfig, d as validatePasswordStrength } from '../authHook-DtzhSmqS.js';
 import { z } from 'zod';
 import { C as CoreConfig, M as MemberRole, d as WorkspaceRuntimeResourceSelector, e as WorkspaceRuntimeResource, f as WorkspaceRuntimeResourceInput } from '../types-CWtJ4kgd.js';
 import * as fastify from 'fastify';
@@ -9,8 +9,9 @@ import { IncomingMessage } from 'node:http';
 import { C as CreateCoreAppOptions, D as Database, U as UserStore, W as WorkspaceStore, a as WorkspaceProvisioner } from '../connection-C5SiqoNc.js';
 export { A as AuthProvider, b as CapabilitiesContributor, P as ProvisionContext, d as ProvisionResult, c as createDatabase } from '../connection-C5SiqoNc.js';
 import postgres from 'postgres';
-import { P as PostgresMeteringStore, C as CreditLedgerEntry } from '../PostgresMeteringStore-CzNv6xil.js';
-export { F as FinishReservationInput, G as GrantOnceInput, I as InsufficientCreditError, M as MeteringBalance, R as RecordUsageInput, a as RecordUsageResult, b as ReservationFinalStatus, c as ReserveInput, d as ReserveResult, r as runMigrations } from '../PostgresMeteringStore-CzNv6xil.js';
+import { P as PostgresMeteringStore, C as CreditLedgerEntry } from '../PostgresMeteringStore-DhOVVtau.js';
+export { F as FinishReservationInput, G as GrantOnceInput, I as InsufficientCreditError, M as MeteringBalance, R as RecordUsageInput, a as RecordUsageResult, b as ReservationFinalStatus, c as ReserveInput, d as ReserveResult, r as runMigrations } from '../PostgresMeteringStore-DhOVVtau.js';
+import { TelemetrySink } from '../shared/index.js';
 import { AgentMeteringSink } from '@hachej/boring-agent/server';
 import 'better-auth';
 import 'drizzle-orm/postgres-js';
@@ -600,9 +601,10 @@ declare class CreditsService {
     private readonly store;
     readonly config: CreditsConfig;
     private readonly log?;
+    private readonly telemetry;
     /** Users whose signup grant was ensured this process; avoids an INSERT per balance poll. */
     private readonly signupGrantedUsers;
-    constructor(store: CreditsMeteringStore, config?: CreditsConfig, log?: CreditsLogger | undefined);
+    constructor(store: CreditsMeteringStore, config?: CreditsConfig, log?: CreditsLogger | undefined, telemetry?: TelemetrySink);
     /** Idempotently grant the free starter credits (call from the post-signup hook
      * and lazily on first balance/reserve). The grant NEVER expires: an expiring
      * grant would drop from grantedMicros on expiry while spent usage stayed, turning
@@ -999,6 +1001,11 @@ interface CreditsRoutesOptions {
     lemonSqueezy?: LemonSqueezyRouteOptions;
     stripe?: StripeRouteOptions;
     log?: (message: string, fields?: Record<string, unknown>) => void;
+    /** Best-effort telemetry sink (default noop). Currently emits checkout.started /
+     * purchase.webhook_rejected for the STRIPE routes only (the live provider); Lemon
+     * Squeezy parity is a follow-up if it ships. purchase.completed/refunded + run.*
+     * events come from CreditsService regardless of provider. */
+    telemetry?: TelemetrySink;
 }
 /**
  * Register the credit balance endpoint and (optionally) the Lemon Squeezy

package/dist/server/index.js

@@ -24,13 +24,17 @@ import {
   requireWorkspaceMember,
   validateConfig,
   validatePasswordStrength
-} from "../chunk-FZICNVJW.js";
+} from "../chunk-6GAQRQKO.js";
 import {
   InsufficientCreditError,
   PostgresMeteringStore,
   createDatabase,
   runMigrations
-} from "../chunk-I56OTSPB.js";
+} from "../chunk-FZC3VL5D.js";
+import {
+  noopTelemetry,
+  safeCapture
+} from "../chunk-AQBXNPMD.js";
 import {
   ERROR_CODES
 } from "../chunk-LIBHVT7V.js";
@@ -238,10 +242,11 @@ function disabledBalance(userId) {
   };
 }
 var CreditsService = class {
-  constructor(store, config = DEFAULT_CREDITS_CONFIG, log) {
+  constructor(store, config = DEFAULT_CREDITS_CONFIG, log, telemetry = noopTelemetry) {
     this.store = store;
     this.config = config;
     this.log = log;
+    this.telemetry = telemetry;
     if (!config.enabled) return;
     validatePricingConfig(config.pricing);
     const posInt = (n) => Number.isSafeInteger(n) && n > 0;
@@ -260,6 +265,7 @@ var CreditsService = class {
   store;
   config;
   log;
+  telemetry;
   /** Users whose signup grant was ensured this process; avoids an INSERT per balance poll. */
   signupGrantedUsers = /* @__PURE__ */ new Set();
   /** Idempotently grant the free starter credits (call from the post-signup hook
@@ -282,7 +288,21 @@ var CreditsService = class {
    * optional provider identity is persisted for audit/refund reconciliation. */
   async grantPurchase(userId, orderId, amountMicros, identity) {
     if (!this.config.enabled) return { created: false };
-    const { granted } = await this.store.grantPurchaseOnce({ userId, orderId, amountMicros, ...identity });
+    const { granted, refundAppliedMicros } = await this.store.grantPurchaseOnce({ userId, orderId, amountMicros, ...identity });
+    if (granted) {
+      safeCapture(this.telemetry, {
+        name: "purchase.completed",
+        distinctId: userId,
+        properties: {
+          creditMicros: amountMicros,
+          currency: identity?.currency,
+          packId: identity?.variantId
+        }
+      });
+    }
+    if (refundAppliedMicros && refundAppliedMicros > 0) {
+      safeCapture(this.telemetry, { name: "purchase.refunded" });
+    }
     return { created: granted };
   }
   /** Revoke a refunded/disputed purchase. `refundFraction` is the cumulative
@@ -293,13 +313,15 @@ var CreditsService = class {
    * Idempotent per cumulative level. */
   async revokePurchase(orderId, opts = {}) {
     if (!this.config.enabled) return { revoked: false };
-    return this.store.revokePurchase(orderId, {
+    const result = await this.store.revokePurchase(orderId, {
       refundFraction: opts.refundFraction,
       allowTombstone: opts.allowTombstone,
       expectedStoreId: opts.expectedStoreId,
       expectedTestMode: opts.expectedTestMode,
       expectedCurrency: opts.expectedCurrency
     });
+    if (result.revoked) safeCapture(this.telemetry, { name: "purchase.refunded" });
+    return result;
   }
   async getBalance(userId) {
     if (!this.config.enabled) return disabledBalance(userId);
@@ -332,7 +354,7 @@ var CreditsService = class {
     if (!this.config.enabled) return void 0;
     await this.grantSignupCredits(input.userId);
     try {
-      const { reservationId } = await this.store.reserve({
+      const { reservationId, created } = await this.store.reserve({
         userId: input.userId,
         workspaceId: input.workspaceId,
         sessionId: input.sessionId,
@@ -344,9 +366,11 @@ var CreditsService = class {
         // is admitted only when available ≥ hold + floor (matches the config doc).
         minAvailableMicros: this.config.runReservationMicros + this.config.minBalanceMicros
       });
+      if (created) safeCapture(this.telemetry, { name: "run.started", distinctId: input.userId });
       return reservationId;
     } catch (error) {
       if (error instanceof InsufficientCreditError) {
+        safeCapture(this.telemetry, { name: "credits.exhausted", distinctId: input.userId });
         throw new CreditExhaustedError(await this.getBalance(input.userId));
       }
       throw error;
@@ -402,7 +426,8 @@ var CreditsService = class {
   }
   async settleRun(userId, runId, reservationId) {
     if (!this.config.enabled) return;
-    await this.store.finishReservation(reservationId ? { reservationId } : { runId, userId }, "settled");
+    const { updated } = await this.store.finishReservation(reservationId ? { reservationId } : { runId, userId }, "settled");
+    if (updated) safeCapture(this.telemetry, { name: "run.completed", distinctId: userId });
   }
   async releaseRun(userId, runId, reservationId) {
     if (!this.config.enabled) return;
@@ -435,10 +460,11 @@ var CreditsService = class {
         metadata: { kind: metaKind, reservationId: input.reservationId ?? null, alreadyBilledMicros: alreadyBilled, currency: "credits" }
       });
     }
-    await this.store.finishReservation(
+    const { updated } = await this.store.finishReservation(
       input.reservationId ? { reservationId: input.reservationId } : { runId: input.runId, userId: input.userId },
       "settled"
     );
+    if (updated) safeCapture(this.telemetry, { name: "run.completed", distinctId: input.userId });
     this.log?.("credits: fallback hold charge \u2014 topped up to the hold and settled (reconcile against missing/non-billable usage)", {
       kind: metaKind,
       runId: input.runId,
@@ -1163,6 +1189,7 @@ function defaultGetUserId(request) {
 }
 function registerCreditsRoutes(app, options) {
   const getUserId = options.getUserId ?? defaultGetUserId;
+  const telemetry = options.telemetry ?? noopTelemetry;
   const balancePath = options.balancePath ?? "/api/credits/balance";
   if (options.lemonSqueezy && options.stripe) {
     throw new Error("credits: configure at most one purchase provider (lemonSqueezy OR stripe), not both");
@@ -1197,7 +1224,7 @@ function registerCreditsRoutes(app, options) {
     if (!options.service.config.enabled) {
       throw new Error("credits: cannot register Stripe checkout/webhook with a disabled credits service (paid orders would be acknowledged without crediting)");
     }
-    registerStripeRoutes(app, options.service, getUserId, stripeOpts, options.log);
+    registerStripeRoutes(app, options.service, getUserId, stripeOpts, options.log, telemetry);
     return;
   }
   const ls = options.lemonSqueezy;
@@ -1392,7 +1419,7 @@ function registerCreditsRoutes(app, options) {
     });
   });
 }
-function registerStripeRoutes(app, service, getUserId, stripe, log) {
+function registerStripeRoutes(app, service, getUserId, stripe, log, telemetry = noopTelemetry) {
   const creditMicrosPerUnit = service.config.pricing.creditMicrosPerUnit;
   const requireCurrency = (stripe.requireCurrency ?? "EUR").toUpperCase();
   if (NON_TWO_DECIMAL_CURRENCIES.has(requireCurrency)) {
@@ -1487,6 +1514,7 @@ function registerStripeRoutes(app, service, getUserId, stripe, log) {
           email: typeof email === "string" ? email : void 0,
           redirectUrl: checkout.redirectUrl
         });
+        safeCapture(telemetry, { name: "checkout.started", distinctId: userId, properties: { provider: "stripe", packId } });
         return reply.send({ url });
       } catch (error) {
         log?.("credits: stripe checkout creation failed", { error: String(error) });
@@ -1539,7 +1567,17 @@ function registerStripeRoutes(app, service, getUserId, stripe, log) {
           }),
           log
         }
-      );
+      ).catch((error) => {
+        safeCapture(telemetry, { name: "purchase.webhook_rejected", properties: { provider: "stripe", reason: "handler_error" } });
+        throw error;
+      });
+      if (result.status >= 400) {
+        const reason = result.body?.reason;
+        safeCapture(telemetry, {
+          name: "purchase.webhook_rejected",
+          properties: { provider: "stripe", reason: typeof reason === "string" ? reason : void 0 }
+        });
+      }
       return reply.code(result.status).send(result.body);
     });
   });

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@hachej/boring-core",
-  "version": "0.1.45",
+  "version": "0.1.46",
   "type": "module",
   "license": "MIT",
   "description": "Foundation package for boring-ui-v2 apps: DB, auth, config, HTTP app factory, and frontend app shell.",
@@ -79,9 +79,9 @@
     "react-router-dom": "^7.14.2",
     "smol-toml": "^1.6.1",
     "zod": "^3.25.76",
-    "@hachej/boring-ui-kit": "0.1.45",
-    "@hachej/boring-workspace": "0.1.45",
-    "@hachej/boring-agent": "0.1.45"
+    "@hachej/boring-agent": "0.1.46",
+    "@hachej/boring-ui-kit": "0.1.46",
+    "@hachej/boring-workspace": "0.1.46"
   },
   "devDependencies": {
     "@testing-library/jest-dom": "^6.9.1",