@littlebearapps/platform-admin-sdk 1.4.2 → 2.0.0

package/templates/shared/dashboard/src/layouts/DashboardLayout.astro

@@ -0,0 +1,37 @@
+---
+import Nav from '../components/Nav.astro';
+import Header from '../components/Header.astro';
+import '../styles/global.css';
+
+interface Props {
+  title: string;
+}
+
+const { title } = Astro.props;
+---
+
+<!doctype html>
+<html lang="en" class="h-full">
+  <head>
+    <meta charset="utf-8" />
+    <meta name="viewport" content="width=device-width, initial-scale=1" />
+    <title>{title} | Platform Dashboard</title>
+    <script is:inline>
+      if (localStorage.getItem('theme') === 'dark' ||
+          (!localStorage.getItem('theme') && window.matchMedia('(prefers-color-scheme: dark)').matches)) {
+        document.documentElement.classList.add('dark');
+      }
+    </script>
+  </head>
+  <body class="h-full bg-gray-50 dark:bg-gray-900">
+    <div class="flex h-full">
+      <Nav />
+      <div class="flex-1 flex flex-col min-w-0">
+        <Header />
+        <main class="flex-1 overflow-y-auto p-4 lg:p-6">
+          <slot />
+        </main>
+      </div>
+    </div>
+  </body>
+</html>

package/templates/shared/dashboard/src/lib/cloudflare/costs.ts

@@ -0,0 +1,21 @@
+/** Workers Paid Plan monthly allowances (used to compute net costs). */
+export const CF_PAID_ALLOWANCES: Record<string, number> = {
+  d1_reads: 25_000_000_000,
+  d1_writes: 50_000_000,
+  kv_reads: 10_000_000,
+  kv_writes: 1_000_000,
+  worker_requests: 10_000_000,
+  r2_reads: 10_000_000,
+  r2_writes: 1_000_000,
+};
+
+/** Per-unit pricing after allowances are exhausted (USD). */
+export const CF_PRICING: Record<string, number> = {
+  d1_reads: 0.001 / 4_000_000,    // $0.001 per 4M rows
+  d1_writes: 1.0 / 1_000_000,     // $1.00 per 1M rows
+  kv_reads: 0.50 / 1_000_000,     // $0.50 per 1M reads
+  kv_writes: 5.0 / 1_000_000,     // $5.00 per 1M writes
+  worker_requests: 0.30 / 1_000_000, // $0.30 per 1M requests
+  r2_reads: 0.36 / 1_000_000,     // $0.36 per 1M Class B
+  r2_writes: 4.50 / 1_000_000,    // $4.50 per 1M Class A
+};

package/templates/shared/dashboard/src/lib/fetch.ts

@@ -0,0 +1,29 @@
+const inflight = new Map<string, Promise<unknown>>();
+
+export async function fetchWithDedup<T>(url: string, init?: RequestInit): Promise<T> {
+  const key = `${init?.method ?? 'GET'}:${url}`;
+
+  if (inflight.has(key)) {
+    return inflight.get(key) as Promise<T>;
+  }
+
+  const promise = (async () => {
+    const controller = new AbortController();
+    const timeout = setTimeout(() => controller.abort(), 10000);
+
+    try {
+      const res = await fetch(url, { ...init, signal: controller.signal });
+      clearTimeout(timeout);
+      if (!res.ok) throw new Error(`HTTP ${res.status}`);
+      return (await res.json()) as T;
+    } catch (error) {
+      clearTimeout(timeout);
+      throw error;
+    } finally {
+      inflight.delete(key);
+    }
+  })();
+
+  inflight.set(key, promise);
+  return promise;
+}

package/templates/shared/dashboard/src/lib/types.ts

@@ -0,0 +1,72 @@
+export interface OverviewSummary {
+  health: {
+    servicesTotal: number;
+    servicesUp: number;
+    servicesDown: number;
+    uptimePct: number;
+    lastAuditScore: number | null;
+    lastAuditDate: string | null;
+  };
+  errors: {
+    p0Count: number;
+    p1Count: number;
+    p2Count: number;
+    p3Count: number;
+    p4Count: number;
+    newToday: number;
+    dailyTrend: number[];
+    topErrors: Array<{
+      fingerprint: string;
+      message: string;
+      script_name: string;
+      priority: string;
+      occurrence_count: number;
+    }>;
+  };
+  costs: {
+    mtdSpend: number;
+    dailyBurnRate: number;
+    projectedMonthly: number;
+    budgetPct: number;
+    monthlyBudget: number;
+    dailyTrend: number[];
+  };
+  activity: {
+    notifications: Array<{
+      id: string;
+      title: string;
+      category: string;
+      priority: string;
+      source: string;
+      created_at: number;
+      action_url: string | null;
+    }>;
+    pendingPatterns: number;
+  };
+  alerts: {
+    hasP0P1: boolean;
+    trippedBreakers: number;
+    warningBreakers: number;
+    servicesDown: number;
+  };
+  dataQuality?: {
+    latestSnapshot: string | null;
+    snapshotAgeMinutes: number;
+    status: 'fresh' | 'stale' | 'unknown';
+  };
+}
+
+export interface CircuitBreakerState {
+  key: string;
+  feature: string;
+  status: string;
+  reason: string | null;
+  trippedAt: string | null;
+}
+
+export interface UsageStatus {
+  status: string;
+  latestSnapshot: string | null;
+  latestCost: number;
+  trackedFeatures: number;
+}

package/templates/shared/dashboard/src/middleware/auth.ts

@@ -0,0 +1,100 @@
+import type { MiddlewareHandler } from 'astro';
+import { createRemoteJWKSet, jwtVerify } from 'jose';
+
+type AccessEnv = {
+  CF_ACCESS_AUD?: string;
+  CF_ACCESS_ISSUER?: string;
+  CF_ACCESS_TEAM_DOMAIN?: string;
+};
+
+const jwksCache = new Map<string, ReturnType<typeof createRemoteJWKSet>>();
+
+function resolveIssuer(env: AccessEnv): string | null {
+  if (env.CF_ACCESS_ISSUER) {
+    return env.CF_ACCESS_ISSUER.replace(/\/$/, '');
+  }
+  if (env.CF_ACCESS_TEAM_DOMAIN) {
+    const domain = env.CF_ACCESS_TEAM_DOMAIN.replace(/https?:\/\//, '').replace(/\/$/, '');
+    return `https://${domain}`;
+  }
+  return null;
+}
+
+function parseAudiences(env: AccessEnv): string[] {
+  if (!env.CF_ACCESS_AUD) return [];
+  return env.CF_ACCESS_AUD.split(',').map((aud) => aud.trim()).filter(Boolean);
+}
+
+function getRemoteJwks(issuer: string) {
+  if (!jwksCache.has(issuer)) {
+    const jwksUrl = new URL('/cdn-cgi/access/certs', issuer);
+    jwksCache.set(issuer, createRemoteJWKSet(jwksUrl));
+  }
+  return jwksCache.get(issuer)!;
+}
+
+function isDevelopment() {
+  return typeof import.meta !== 'undefined' && import.meta.env && import.meta.env.DEV;
+}
+
+export const onRequest: MiddlewareHandler = async (context, next) => {
+  const url = new URL(context.request.url);
+  const pathname = url.pathname;
+
+  // Allow API routes to handle their own auth if needed
+  if (pathname.startsWith('/api/')) {
+    return next();
+  }
+
+  const runtimeEnv = (context.locals.runtime?.env ?? {}) as AccessEnv;
+  const issuer = resolveIssuer(runtimeEnv);
+  const audiences = parseAudiences(runtimeEnv);
+
+  // Bypass auth during build/prerender
+  if (!issuer && audiences.length === 0) {
+    const jwt = context.request.headers.get('cf-access-jwt-assertion');
+    if (!jwt) {
+      return next();
+    }
+  }
+
+  const jwt =
+    context.request.headers.get('cf-access-jwt-assertion') ??
+    context.request.headers.get('Cf-Access-Jwt-Assertion');
+
+  if (!jwt) {
+    if (isDevelopment() && !issuer) {
+      console.warn('[auth] Missing Access JWT in development; skipping validation');
+      return next();
+    }
+    return new Response('Unauthorized', { status: 401 });
+  }
+
+  if (!issuer || audiences.length === 0) {
+    if (isDevelopment()) {
+      console.warn('[auth] Missing Access configuration in development; skipping validation');
+      return next();
+    }
+    console.error('[auth] Access configuration missing: expected CF_ACCESS_ISSUER (or CF_ACCESS_TEAM_DOMAIN) and CF_ACCESS_AUD');
+    return new Response('Server configuration error', { status: 500 });
+  }
+
+  try {
+    const jwks = getRemoteJwks(issuer);
+    const verification = await jwtVerify(jwt, jwks, { issuer, audience: audiences });
+    const payload = verification.payload as Record<string, unknown>;
+
+    context.locals.user = {
+      email: typeof payload.email === 'string' ? payload.email : undefined,
+      name: typeof payload.name === 'string' ? payload.name : undefined,
+      sub: typeof payload.sub === 'string' ? payload.sub : undefined,
+      audience: payload.aud,
+      issuer: payload.iss,
+    };
+
+    return next();
+  } catch (error) {
+    console.error('[auth] Access JWT validation failed', error);
+    return new Response('Unauthorized', { status: 401 });
+  }
+};

package/templates/shared/dashboard/src/middleware/index.ts

@@ -0,0 +1 @@
+export { onRequest } from './auth';

package/templates/shared/dashboard/src/pages/api/costs/overview.ts

@@ -0,0 +1,65 @@
+import type { APIRoute } from 'astro';
+import { CF_PAID_ALLOWANCES, CF_PRICING } from '../../../lib/cloudflare/costs';
+
+interface Env {
+  PLATFORM_DB?: D1Database;
+}
+
+interface CostLine {
+  resource: string;
+  used: number;
+  allowance: number;
+  overage: number;
+  cost: number;
+}
+
+export const GET: APIRoute = async ({ locals }) => {
+  const env = locals.runtime?.env as Env | undefined;
+  const db = env?.PLATFORM_DB;
+
+  const overview = {
+    lines: [] as CostLine[],
+    totalCost: 0,
+    period: 'mtd',
+    billingStart: '',
+  };
+
+  const now = new Date();
+  overview.billingStart = new Date(now.getFullYear(), now.getMonth(), 1).toISOString().slice(0, 10);
+
+  if (db) {
+    try {
+      const result = await db
+        .prepare(
+          `SELECT SUM(d1_reads) as d1_reads, SUM(d1_writes) as d1_writes,
+                  SUM(kv_reads) as kv_reads, SUM(kv_writes) as kv_writes,
+                  SUM(worker_requests) as worker_requests,
+                  SUM(r2_reads) as r2_reads, SUM(r2_writes) as r2_writes
+           FROM daily_usage_rollups
+           WHERE project = 'all' AND snapshot_date >= ?
+           LIMIT 1`
+        )
+        .bind(overview.billingStart)
+        .first<Record<string, number>>();
+
+      if (result) {
+        for (const [resource, allowance] of Object.entries(CF_PAID_ALLOWANCES)) {
+          const used = result[resource] ?? 0;
+          const overage = Math.max(0, used - allowance);
+          const unitPrice = CF_PRICING[resource] ?? 0;
+          const cost = Math.round(overage * unitPrice * 100) / 100;
+
+          overview.lines.push({ resource, used, allowance, overage, cost });
+          overview.totalCost += cost;
+        }
+        overview.totalCost = Math.round(overview.totalCost * 100) / 100;
+      }
+    } catch {
+      // Table may not exist
+    }
+  }
+
+  return new Response(JSON.stringify(overview), {
+    headers: { 'Content-Type': 'application/json', 'Cache-Control': 'max-age=300' },
+  });
+};

package/templates/shared/dashboard/src/pages/api/costs/providers.ts

@@ -0,0 +1,47 @@
+import type { APIRoute } from 'astro';
+
+interface Env {
+  PLATFORM_DB?: D1Database;
+}
+
+export const GET: APIRoute = async ({ locals }) => {
+  const env = locals.runtime?.env as Env | undefined;
+  const db = env?.PLATFORM_DB;
+
+  const providers: Array<{
+    provider: string;
+    mtd_cost: number;
+    latest_date: string;
+  }> = [];
+
+  if (db) {
+    try {
+      const monthStart = new Date();
+      monthStart.setDate(1);
+      const cutoff = monthStart.toISOString().slice(0, 10);
+
+      const result = await db
+        .prepare(
+          `SELECT provider,
+                  SUM(cost_usd) as mtd_cost,
+                  MAX(snapshot_date) as latest_date
+           FROM third_party_usage
+           WHERE snapshot_date >= ?
+           GROUP BY provider
+           ORDER BY mtd_cost DESC
+           LIMIT 20`
+        )
+        .bind(cutoff)
+        .all();
+      if (result.results) {
+        providers.push(...(result.results as typeof providers));
+      }
+    } catch {
+      // Table may not exist
+    }
+  }
+
+  return new Response(JSON.stringify({ providers }), {
+    headers: { 'Content-Type': 'application/json', 'Cache-Control': 'max-age=300' },
+  });
+};

package/templates/shared/dashboard/src/pages/api/infrastructure/services.ts

@@ -0,0 +1,55 @@
+import type { APIRoute } from 'astro';
+
+interface Env {
+  PLATFORM_DB?: D1Database;
+  PLATFORM_CACHE?: KVNamespace;
+}
+
+export const GET: APIRoute = async ({ locals }) => {
+  const env = locals.runtime?.env as Env | undefined;
+  const db = env?.PLATFORM_DB;
+  const kv = env?.PLATFORM_CACHE;
+
+  let services: Array<{
+    name: string;
+    type: string;
+    project: string;
+    status: string;
+  }> = [];
+
+  // Try KV first
+  if (kv) {
+    try {
+      const registry = await kv.get('SERVICE_REGISTRY', 'json');
+      if (registry && Array.isArray(registry)) {
+        services = registry as typeof services;
+      }
+    } catch {
+      // KV may not be available
+    }
+  }
+
+  // Fall back to D1
+  if (services.length === 0 && db) {
+    try {
+      const result = await db
+        .prepare(
+          `SELECT resource_name as name, resource_type as type,
+                  project_id as project, 'deployed' as status
+           FROM resource_project_mapping
+           ORDER BY project_id, resource_type
+           LIMIT 200`
+        )
+        .all();
+      if (result.results) {
+        services = result.results as typeof services;
+      }
+    } catch {
+      // Table may not exist
+    }
+  }
+
+  return new Response(JSON.stringify({ services }), {
+    headers: { 'Content-Type': 'application/json', 'Cache-Control': 'max-age=120' },
+  });
+};

package/templates/shared/dashboard/src/pages/api/infrastructure/stats.ts

@@ -0,0 +1,99 @@
+import type { APIRoute } from 'astro';
+
+interface Env {
+  PLATFORM_DB?: D1Database;
+  PLATFORM_CACHE?: KVNamespace;
+}
+
+export const GET: APIRoute = async ({ locals }) => {
+  const env = locals.runtime?.env as Env | undefined;
+  const db = env?.PLATFORM_DB;
+  const kv = env?.PLATFORM_CACHE;
+
+  const stats = {
+    services: {
+      total: 0,
+      byStatus: { deployed: 0, development: 0, deprecated: 0, paused: 0 },
+      byType: {} as Record<string, number>,
+      byProject: {} as Record<string, number>,
+    },
+    alerts: {
+      total: 0,
+      unacknowledged: 0,
+      critical: 0,
+    },
+  };
+
+  // Try KV first (faster, populated by sync-config)
+  if (kv) {
+    try {
+      const services = await kv.get('SERVICE_REGISTRY', 'json');
+      if (services && Array.isArray(services)) {
+        stats.services.total = services.length;
+        for (const s of services as Array<{ status: string; type: string; project: string }>) {
+          const status = s.status as keyof typeof stats.services.byStatus;
+          if (status in stats.services.byStatus) {
+            stats.services.byStatus[status]++;
+          }
+          stats.services.byType[s.type] = (stats.services.byType[s.type] || 0) + 1;
+          stats.services.byProject[s.project] = (stats.services.byProject[s.project] || 0) + 1;
+        }
+      }
+    } catch {
+      // KV may not be available
+    }
+  }
+
+  // Fall back to D1 if KV had nothing
+  if (stats.services.total === 0 && db) {
+    try {
+      const rows = await db
+        .prepare(
+          `SELECT resource_type, project_id, COUNT(*) as cnt
+           FROM resource_project_mapping
+           GROUP BY resource_type, project_id
+           LIMIT 200`
+        )
+        .all<{ resource_type: string; project_id: string; cnt: number }>();
+      if (rows.results) {
+        for (const row of rows.results) {
+          stats.services.total += row.cnt;
+          stats.services.byStatus.deployed += row.cnt;
+          stats.services.byType[row.resource_type] = (stats.services.byType[row.resource_type] || 0) + row.cnt;
+          stats.services.byProject[row.project_id] = (stats.services.byProject[row.project_id] || 0) + row.cnt;
+        }
+      }
+    } catch {
+      // Table may not exist
+    }
+  }
+
+  // Alert stats from notifications
+  if (db) {
+    try {
+      const alertResult = await db
+        .prepare(
+          `SELECT
+             COUNT(*) as total,
+             SUM(CASE WHEN category IN ('error', 'warning') THEN 1 ELSE 0 END) as unacknowledged,
+             SUM(CASE WHEN priority IN ('critical', 'high') AND category = 'error' THEN 1 ELSE 0 END) as critical
+           FROM notifications
+           WHERE created_at > unixepoch() - 86400 * 7
+             AND (expires_at IS NULL OR expires_at > unixepoch())
+           LIMIT 1`
+        )
+        .first<{ total: number; unacknowledged: number; critical: number }>();
+      if (alertResult) {
+        stats.alerts.total = alertResult.total || 0;
+        stats.alerts.unacknowledged = alertResult.unacknowledged || 0;
+        stats.alerts.critical = alertResult.critical || 0;
+      }
+    } catch {
+      // Table may not exist
+    }
+  }
+
+  return new Response(JSON.stringify(stats), {
+    headers: { 'Content-Type': 'application/json', 'Cache-Control': 'max-age=120' },
+  });
+};