@nordsym/apiclaw 2.1.0 → 2.2.1

package/convex/workspaces.ts

@@ -1,1331 +0,0 @@
-import { mutation, query } from "./_generated/server";
-import { internal } from "./_generated/api";
-import { v } from "convex/values";
-
-// ============================================
-// OTP AUTH FOR WORKSPACES (terminal-native)
-// ============================================
-
-function generateOTP(): string {
-  const digits = "0123456789";
-  let code = "";
-  for (let i = 0; i < 6; i++) {
-    code += digits.charAt(Math.floor(Math.random() * digits.length));
-  }
-  return code;
-}
-
-// Create OTP code and return it (MCP server sends the email)
-export const createOTP = mutation({
-  args: {
-    email: v.string(),
-    fingerprint: v.optional(v.string()),
-  },
-  handler: async (ctx, { email, fingerprint }) => {
-    const normalizedEmail = email.toLowerCase().trim();
-
-    // Invalidate any existing unused OTPs for this email
-    const existing = await ctx.db
-      .query("otpCodes")
-      .withIndex("by_email", (q) => q.eq("email", normalizedEmail))
-      .collect();
-    for (const otp of existing) {
-      if (!otp.usedAt && otp.expiresAt > Date.now()) {
-        await ctx.db.patch(otp._id, { expiresAt: 0 }); // expire it
-      }
-    }
-
-    const code = generateOTP();
-    const expiresAt = Date.now() + 10 * 60 * 1000; // 10 minutes
-
-    await ctx.db.insert("otpCodes", {
-      email: normalizedEmail,
-      code,
-      fingerprint,
-      expiresAt,
-      usedAt: undefined,
-      attempts: 0,
-      createdAt: Date.now(),
-    });
-
-    return { code, expiresAt };
-  },
-});
-
-// Verify OTP code, create/activate workspace, return session
-export const verifyOTP = mutation({
-  args: {
-    email: v.string(),
-    code: v.string(),
-    fingerprint: v.optional(v.string()),
-  },
-  handler: async (ctx, { email, code, fingerprint }) => {
-    const normalizedEmail = email.toLowerCase().trim();
-
-    const otpRecord = await ctx.db
-      .query("otpCodes")
-      .withIndex("by_email_code", (q) =>
-        q.eq("email", normalizedEmail).eq("code", code)
-      )
-      .first();
-
-    if (!otpRecord) {
-      return { success: false, error: "invalid_code", message: "Invalid verification code." };
-    }
-
-    if (otpRecord.usedAt) {
-      return { success: false, error: "code_used", message: "Code already used." };
-    }
-
-    if (otpRecord.expiresAt < Date.now()) {
-      return { success: false, error: "code_expired", message: "Code expired. Run register_owner again to get a new code." };
-    }
-
-    if (otpRecord.attempts >= 5) {
-      return { success: false, error: "too_many_attempts", message: "Too many failed attempts. Run register_owner again." };
-    }
-
-    // Mark OTP as used
-    await ctx.db.patch(otpRecord._id, { usedAt: Date.now() });
-
-    // Find or create workspace
-    let workspace = await ctx.db
-      .query("workspaces")
-      .withIndex("by_email", (q) => q.eq("email", normalizedEmail))
-      .first();
-
-    let isNewUser = false;
-    if (!workspace) {
-      isNewUser = true;
-      // Generate referral code
-      let referralCode: string;
-      let attempts = 0;
-      do {
-        const chars = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789";
-        let rc = "";
-        for (let i = 0; i < 6; i++) {
-          rc += chars.charAt(Math.floor(Math.random() * chars.length));
-        }
-        referralCode = `CLAW-${rc}`;
-        const existingRef = await ctx.db
-          .query("workspaces")
-          .withIndex("by_referralCode", (q) => q.eq("referralCode", referralCode))
-          .first();
-        if (!existingRef) break;
-        attempts++;
-      } while (attempts < 10);
-
-      const workspaceId = await ctx.db.insert("workspaces", {
-        email: normalizedEmail,
-        status: "active",
-        tier: "free",
-        usageCount: 0,
-        usageLimit: 50,
-        weeklyUsageCount: 0,
-        weeklyUsageLimit: 50,
-        lastWeeklyResetAt: Date.now(),
-        hourlyUsageCount: 0,
-        lastHourlyResetAt: Date.now(),
-        referralCode: referralCode!,
-        createdAt: Date.now(),
-        updatedAt: Date.now(),
-      });
-      workspace = await ctx.db.get(workspaceId);
-    } else if (workspace.status === "pending") {
-      // Activate pending workspace
-      await ctx.db.patch(workspace._id, { status: "active" });
-      workspace = await ctx.db.get(workspace._id);
-    }
-
-    if (!workspace) {
-      return { success: false, error: "workspace_error", message: "Failed to create workspace." };
-    }
-
-    // Create agent session
-    const sessionToken = generateToken();
-    await ctx.db.insert("agentSessions", {
-      workspaceId: workspace._id,
-      sessionToken,
-      fingerprint: fingerprint || "unknown",
-      lastUsedAt: Date.now(),
-      createdAt: Date.now(),
-    });
-
-    return {
-      success: true,
-      isNewUser,
-      sessionToken,
-      workspace: {
-        id: workspace._id,
-        email: workspace.email,
-        tier: workspace.tier,
-        status: "active",
-        usageCount: workspace.usageCount,
-        usageLimit: workspace.usageLimit,
-      },
-    };
-  },
-});
-
-// Increment failed OTP attempt counter
-export const incrementOTPAttempt = mutation({
-  args: {
-    email: v.string(),
-    code: v.string(),
-  },
-  handler: async (ctx, { email, code }) => {
-    const normalizedEmail = email.toLowerCase().trim();
-    const otpRecord = await ctx.db
-      .query("otpCodes")
-      .withIndex("by_email_code", (q) =>
-        q.eq("email", normalizedEmail).eq("code", code)
-      )
-      .first();
-    if (otpRecord && !otpRecord.usedAt) {
-      await ctx.db.patch(otpRecord._id, { attempts: otpRecord.attempts + 1 });
-    }
-  },
-});
-
-// ============================================
-// MAGIC LINK AUTH FOR WORKSPACES
-// ============================================
-
-// Create magic link for workspace email auth
-export const createMagicLink = mutation({
-  args: { 
-    email: v.string(),
-    fingerprint: v.optional(v.string()),
-  },
-  handler: async (ctx, { email, fingerprint }) => {
-    const token = generateToken();
-    const expiresAt = Date.now() + 15 * 60 * 1000; // 15 minutes
-
-    await ctx.db.insert("workspaceMagicLinks", {
-      email: email.toLowerCase(),
-      token,
-      sessionFingerprint: fingerprint,
-      expiresAt,
-      createdAt: Date.now(),
-    });
-
-    return { token, expiresAt };
-  },
-});
-
-// Generate a unique referral code (CLAW-XXXXXX format)
-function generateReferralCode(): string {
-  const chars = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789";
-  let code = "";
-  for (let i = 0; i < 6; i++) {
-    code += chars.charAt(Math.floor(Math.random() * chars.length));
-  }
-  return `CLAW-${code}`;
-}
-
-// Verify magic link and create workspace + session
-export const verifyMagicLink = mutation({
-  args: { 
-    token: v.string(),
-    fingerprint: v.optional(v.string()),
-    referralCode: v.optional(v.string()), // Referral code from signup URL
-  },
-  handler: async (ctx, { token, fingerprint, referralCode }) => {
-    const magicLink = await ctx.db
-      .query("workspaceMagicLinks")
-      .withIndex("by_token", (q) => q.eq("token", token))
-      .first();
-
-    if (!magicLink) {
-      return { success: false, error: "Invalid token" };
-    }
-
-    if (magicLink.expiresAt < Date.now()) {
-      return { success: false, error: "Token expired" };
-    }
-
-    if (magicLink.usedAt) {
-      return { success: false, error: "Token already used" };
-    }
-
-    // Mark as used
-    await ctx.db.patch(magicLink._id, { usedAt: Date.now() });
-
-    // Find or create workspace
-    let workspace = await ctx.db
-      .query("workspaces")
-      .withIndex("by_email", (q) => q.eq("email", magicLink.email))
-      .first();
-
-    let isNewUser = false;
-    if (!workspace) {
-      isNewUser = true;
-
-      // Generate unique referral code for new user
-      let newReferralCode: string;
-      let attempts = 0;
-      do {
-        newReferralCode = generateReferralCode();
-        const existing = await ctx.db
-          .query("workspaces")
-          .withIndex("by_referralCode", (q) => q.eq("referralCode", newReferralCode))
-          .first();
-        if (!existing) break;
-        attempts++;
-      } while (attempts < 10);
-
-      // Create new workspace with free tier + referral code
-      const workspaceId = await ctx.db.insert("workspaces", {
-        email: magicLink.email,
-        status: "active",
-        tier: "free",
-        usageCount: 0,
-        usageLimit: 50, // 50 calls/month for free tier
-        weeklyUsageCount: 0,
-        weeklyUsageLimit: 50, // Monthly limit (field name is legacy)
-        hourlyUsageCount: 0,
-        referralCode: newReferralCode!,
-        createdAt: Date.now(),
-        updatedAt: Date.now(),
-      });
-      workspace = await ctx.db.get(workspaceId);
-    }
-
-    // REFERRAL DISABLED (2026-03-01): Risk of abuse with awesome-list exposure
-    // Tracking referredBy for analytics only, no credit bonus
-    if (isNewUser && referralCode) {
-      const referrer = await ctx.db
-        .query("workspaces")
-        .withIndex("by_referralCode", (q) => q.eq("referralCode", referralCode))
-        .first();
-
-      if (referrer && referrer._id !== workspace!._id) {
-        // Track referral for analytics only
-        await ctx.db.patch(workspace!._id, {
-          referredBy: referrer._id,
-          updatedAt: Date.now(),
-        });
-        // No credit bonus - referral rewards disabled
-      }
-    }
-
-    // Reuse existing session for same machine (fix: no more duplicate sessions per login)
-    const sessionToken = generateToken();
-    const userFingerprint2 = fingerprint || magicLink.sessionFingerprint;
-
-    const existingSession = userFingerprint2
-      ? await ctx.db
-          .query("agentSessions")
-          .withIndex("by_workspaceId", (q) => q.eq("workspaceId", workspace!._id))
-          .filter((q) => q.eq(q.field("fingerprint"), userFingerprint2))
-          .first()
-      : null;
-
-    if (existingSession) {
-      // Refresh existing session instead of creating duplicate
-      await ctx.db.patch(existingSession._id, {
-        sessionToken,
-        lastUsedAt: Date.now(),
-      });
-    } else {
-      await ctx.db.insert("agentSessions", {
-        workspaceId: workspace!._id,
-        sessionToken,
-        fingerprint: userFingerprint2 || undefined,
-        lastUsedAt: Date.now(),
-        createdAt: Date.now(),
-      });
-    }
-
-    // Link agent record to workspace (if agent exists for this fingerprint)
-    if (userFingerprint2) {
-      const agentForFingerprint = await ctx.db
-        .query("agents")
-        .filter((q) => q.eq(q.field("fingerprint"), userFingerprint2))
-        .first();
-
-      if (agentForFingerprint && !agentForFingerprint.workspaceId) {
-        await ctx.db.patch(agentForFingerprint._id, {
-          workspaceId: workspace!._id,
-        });
-      }
-    }
-
-    // Claim anonymous usage history
-    const userFingerprint = fingerprint || magicLink.sessionFingerprint;
-    if (userFingerprint) {
-      try {
-        // Find all analytics records with matching fingerprint and no workspaceId
-        const analyticsRecords = await ctx.db
-          .query("analytics")
-          .withIndex("by_identifier", (q) => q.eq("identifier", userFingerprint))
-          .collect();
-
-        // Filter to only unclaimed records
-        const unclaimedRecords = analyticsRecords.filter((r) => !r.workspaceId);
-
-        // Update each record to link it to the workspace
-        for (const record of unclaimedRecords) {
-          await ctx.db.patch(record._id, { workspaceId: workspace!._id });
-        }
-      } catch (err) {
-        // Non-critical error, just log it
-        console.error('Failed to claim anonymous usage:', err);
-      }
-    }
-
-    // Notify Inbound Net (ALERTS) — async, non-blocking
-    await ctx.scheduler.runAfter(0, internal.inbound.notifySignup, {
-      email: workspace!.email,
-      workspaceId: workspace!._id,
-      tier: workspace!.tier,
-      isNewUser,
-      timestamp: Date.now(),
-    });
-
-    return {
-      success: true,
-      sessionToken,
-      workspace: {
-        id: workspace!._id,
-        email: workspace!.email,
-        tier: workspace!.tier,
-        referralCode: workspace!.referralCode,
-      },
-    };
-  },
-});
-
-// Get session from token
-export const getSession = query({
-  args: { token: v.string() },
-  handler: async (ctx, { token }) => {
-    const session = await ctx.db
-      .query("agentSessions")
-      .withIndex("by_sessionToken", (q) => q.eq("sessionToken", token))
-      .first();
-
-    if (!session) {
-      return null;
-    }
-
-    const workspace = await ctx.db.get(session.workspaceId);
-    if (!workspace) return null;
-
-    return {
-      workspaceId: workspace._id,
-      email: workspace.email,
-      tier: workspace.tier,
-      status: workspace.status,
-      usageCount: workspace.usageCount,
-      usageLimit: workspace.usageLimit,
-    };
-  },
-});
-
-// ============================================
-// DASHBOARD QUERIES
-// ============================================
-
-// Get full workspace dashboard data
-export const getWorkspaceDashboard = query({
-  args: { token: v.string() },
-  handler: async (ctx, { token }) => {
-    // Verify session
-    const session = await ctx.db
-      .query("agentSessions")
-      .withIndex("by_sessionToken", (q) => q.eq("sessionToken", token))
-      .first();
-
-    if (!session) {
-      return null;
-    }
-
-    // Note: lastUsedAt is updated via touchSession mutation separately
-
-    const workspace = await ctx.db.get(session.workspaceId);
-    if (!workspace) return null;
-
-    // Get all agent sessions for this workspace
-    const agentSessions = await ctx.db
-      .query("agentSessions")
-      .withIndex("by_workspaceId", (q) => q.eq("workspaceId", session.workspaceId))
-      .collect();
-
-    // Count agents: 1 main agent (if exists) + subagents
-    const hasMainAgent = workspace.mainAgentId ? 1 : 0;
-    const subagents = await ctx.db
-      .query("subagents")
-      .withIndex("by_workspaceId", (q) => q.eq("workspaceId", session.workspaceId))
-      .collect();
-    
-    const totalAgentCount = hasMainAgent + subagents.length;
-
-    // Get usage logs for this workspace (via agent credits or purchases)
-    const credits = await ctx.db
-      .query("agentCredits")
-      .collect();
-    
-    // Filter credits that belong to this workspace's agents
-    const workspaceCredits = credits.filter(c => 
-      agentSessions.some(s => c.agentId === s.sessionToken)
-    );
-
-    // Get purchases for workspace agents
-    const purchases = await ctx.db
-      .query("purchases")
-      .collect();
-    
-    const workspacePurchases = purchases.filter(p =>
-      agentSessions.some(s => p.agentId === s.sessionToken)
-    );
-
-    // Calculate usage remaining -- paid tiers have high limits
-    const now = Date.now();
-    const isPaidTier = ["pro", "scale", "usage_based", "partner", "founder"].includes(workspace.tier);
-    const effectiveLimit = isPaidTier ? -1 : workspace.usageLimit; // -1 = unlimited
-    const usageRemaining = isPaidTier ? -1 : Math.max(0, workspace.usageLimit - workspace.usageCount);
-    const usagePercentage = isPaidTier ? 0 : (workspace.usageCount / workspace.usageLimit) * 100;
-
-    // Budget status (PRD 2.6)
-    const monthStart = getMonthStartForBudget();
-    let currentSpend = workspace.monthlySpendCents || 0;
-    if (!workspace.lastSpendResetAt || workspace.lastSpendResetAt < monthStart) {
-      currentSpend = 0;
-    }
-    const budgetCap = workspace.budgetCap || null;
-
-    return {
-      workspace: {
-        id: workspace._id,
-        email: workspace.email,
-        workspaceName: workspace.workspaceName,
-        tier: workspace.tier,
-        status: workspace.status,
-        usageCount: workspace.usageCount,
-        usageLimit: effectiveLimit,
-        usageRemaining,
-        usagePercentage,
-        stripeCustomerId: workspace.stripeCustomerId,
-        createdAt: workspace.createdAt,
-        mainAgentName: workspace.mainAgentName,
-        mainAgentId: workspace.mainAgentId,
-      },
-      stats: {
-        totalAgents: totalAgentCount,
-        totalCredits: workspaceCredits.reduce((sum, c) => sum + c.balanceUsd, 0),
-        totalPurchases: workspacePurchases.length,
-      },
-      budget: {
-        budgetCapCents: budgetCap,
-        budgetCapUsd: budgetCap ? budgetCap / 100 : null,
-        currentSpendCents: currentSpend,
-        currentSpendUsd: currentSpend / 100,
-        remainingCents: budgetCap ? Math.max(0, budgetCap - currentSpend) : null,
-        remainingUsd: budgetCap ? Math.max(0, (budgetCap - currentSpend) / 100) : null,
-        budgetPercentage: budgetCap ? Math.min(100, (currentSpend / budgetCap) * 100) : null,
-        pauseOnBudgetExceeded: workspace.pauseOnBudgetExceeded || false,
-        isOverBudget: budgetCap ? currentSpend >= budgetCap : false,
-        isNearBudget: budgetCap ? currentSpend >= budgetCap * 0.8 : false,
-      },
-    };
-  },
-});
-
-// Helper for budget month start
-function getMonthStartForBudget(): number {
-  const now = new Date();
-  return new Date(now.getUTCFullYear(), now.getUTCMonth(), 1, 0, 0, 0, 0).getTime();
-}
-
-// Get connected agents for workspace
-export const getConnectedAgents = query({
-  args: { token: v.string() },
-  handler: async (ctx, { token }) => {
-    const session = await ctx.db
-      .query("agentSessions")
-      .withIndex("by_sessionToken", (q) => q.eq("sessionToken", token))
-      .first();
-
-    if (!session) {
-      return [];
-    }
-
-    const agentSessions = await ctx.db
-      .query("agentSessions")
-      .withIndex("by_workspaceId", (q) => q.eq("workspaceId", session.workspaceId))
-      .collect();
-
-    return agentSessions.map((s) => ({
-      id: s._id,
-      fingerprint: s.fingerprint || "Unknown",
-      customName: s.customName || null,
-      name: s.customName || s.fingerprint || "Unknown",
-      lastUsedAt: s.lastUsedAt,
-      createdAt: s.createdAt,
-      isCurrent: s.sessionToken === token,
-    }));
-  },
-});
-
-// Admin: Delete session by ID (for cleanup)
-export const adminDeleteSession = mutation({
-  args: { sessionId: v.id("agentSessions") },
-  handler: async (ctx, { sessionId }) => {
-    await ctx.db.delete(sessionId);
-    return { success: true };
-  },
-});
-
-// Debug: Get sessions by workspace email
-export const getSessionsByEmail = query({
-  args: { email: v.string() },
-  handler: async (ctx, { email }) => {
-    const workspace = await ctx.db
-      .query("workspaces")
-      .withIndex("by_email", (q) => q.eq("email", email.toLowerCase()))
-      .first();
-
-    if (!workspace) {
-      return { error: "Workspace not found", sessions: [] };
-    }
-
-    const sessions = await ctx.db
-      .query("agentSessions")
-      .withIndex("by_workspaceId", (q) => q.eq("workspaceId", workspace._id))
-      .collect();
-
-    return {
-      workspaceId: workspace._id,
-      email: workspace.email,
-      sessions: sessions.map(s => ({
-        id: s._id,
-        fingerprint: s.fingerprint,
-        createdAt: s.createdAt,
-        lastUsedAt: s.lastUsedAt,
-      })),
-    };
-  },
-});
-
-// Rename an agent session
-export const renameAgent = mutation({
-  args: {
-    token: v.string(),
-    sessionId: v.id("agentSessions"),
-    name: v.string(),
-  },
-  handler: async (ctx, { token, sessionId, name }) => {
-    // Verify the requesting session
-    const session = await ctx.db
-      .query("agentSessions")
-      .withIndex("by_sessionToken", (q) => q.eq("sessionToken", token))
-      .first();
-
-    if (!session) {
-      throw new Error("Invalid session");
-    }
-
-    // Get the session to rename
-    const targetSession = await ctx.db.get(sessionId);
-    if (!targetSession || targetSession.workspaceId !== session.workspaceId) {
-      throw new Error("Session not found or access denied");
-    }
-
-    // Update the name (stored as customName field)
-    await ctx.db.patch(sessionId, { customName: name });
-
-    return { success: true };
-  },
-});
-
-// Get usage breakdown by provider
-export const getUsageBreakdown = query({
-  args: { token: v.string() },
-  handler: async (ctx, { token }) => {
-    const session = await ctx.db
-      .query("agentSessions")
-      .withIndex("by_sessionToken", (q) => q.eq("sessionToken", token))
-      .first();
-
-    if (!session) {
-      return { byProvider: [], byDay: [], total: 0 };
-    }
-
-    // Get all sessions for this workspace
-    const agentSessions = await ctx.db
-      .query("agentSessions")
-      .withIndex("by_workspaceId", (q) => q.eq("workspaceId", session.workspaceId))
-      .collect();
-
-    const sessionTokens = agentSessions.map(s => s.sessionToken);
-
-    // Get purchases for these agents
-    const allPurchases = await ctx.db.query("purchases").collect();
-    const workspacePurchases = allPurchases.filter(p => sessionTokens.includes(p.agentId));
-
-    // Get usage for purchases
-    const allUsage = await ctx.db.query("usage").collect();
-    const purchaseIds = workspacePurchases.map(p => p._id);
-    const workspaceUsage = allUsage.filter(u => purchaseIds.includes(u.purchaseId));
-
-    // Aggregate by provider
-    const byProvider: Record<string, { calls: number; cost: number }> = {};
-    for (const usage of workspaceUsage) {
-      if (!byProvider[usage.providerId]) {
-        byProvider[usage.providerId] = { calls: 0, cost: 0 };
-      }
-      byProvider[usage.providerId].calls += usage.unitsUsed;
-      byProvider[usage.providerId].cost += usage.costIncurredUsd;
-    }
-
-    // Aggregate by day (last 14 days)
-    const now = Date.now();
-    const fourteenDaysAgo = now - 14 * 24 * 60 * 60 * 1000;
-    const byDay: Record<string, number> = {};
-    
-    for (const usage of workspaceUsage) {
-      if (usage.lastUsedAt >= fourteenDaysAgo) {
-        const day = new Date(usage.lastUsedAt).toISOString().split("T")[0];
-        byDay[day] = (byDay[day] || 0) + usage.unitsUsed;
-      }
-    }
-
-    return {
-      byProvider: Object.entries(byProvider).map(([provider, data]) => ({
-        provider,
-        calls: data.calls,
-        cost: data.cost,
-      })),
-      byDay: Object.entries(byDay)
-        .map(([date, calls]) => ({ date, calls }))
-        .sort((a, b) => a.date.localeCompare(b.date)),
-      total: workspaceUsage.reduce((sum, u) => sum + u.unitsUsed, 0),
-    };
-  },
-});
-
-// ============================================
-// AGENT MANAGEMENT
-// ============================================
-
-// Revoke an agent session
-export const revokeAgentSession = mutation({
-  args: {
-    token: v.string(),
-    sessionId: v.id("agentSessions"),
-  },
-  handler: async (ctx, { token, sessionId }) => {
-    // Verify the requesting session
-    const session = await ctx.db
-      .query("agentSessions")
-      .withIndex("by_sessionToken", (q) => q.eq("sessionToken", token))
-      .first();
-
-    if (!session) {
-      throw new Error("Unauthorized");
-    }
-
-    // Get the session to revoke
-    const targetSession = await ctx.db.get(sessionId);
-    if (!targetSession) {
-      throw new Error("Session not found");
-    }
-
-    // Verify same workspace
-    if (targetSession.workspaceId !== session.workspaceId) {
-      throw new Error("Unauthorized");
-    }
-
-    // Prevent revoking current session
-    if (targetSession.sessionToken === token) {
-      throw new Error("Cannot revoke current session");
-    }
-
-    // Delete the session
-    await ctx.db.delete(sessionId);
-
-    return { success: true };
-  },
-});
-
-// Logout (delete current session)
-export const logout = mutation({
-  args: { token: v.string() },
-  handler: async (ctx, { token }) => {
-    const session = await ctx.db
-      .query("agentSessions")
-      .withIndex("by_sessionToken", (q) => q.eq("sessionToken", token))
-      .first();
-
-    if (session) {
-      await ctx.db.delete(session._id);
-    }
-
-    return { success: true };
-  },
-});
-
-// ============================================
-// WORKSPACE MANAGEMENT
-// ============================================
-
-// Update workspace tier (for Stripe webhooks)
-export const updateTier = mutation({
-  args: {
-    workspaceId: v.id("workspaces"),
-    tier: v.string(),
-    usageLimit: v.number(),
-    stripeCustomerId: v.optional(v.string()),
-  },
-  handler: async (ctx, { workspaceId, tier, usageLimit, stripeCustomerId }) => {
-    const updates: Record<string, unknown> = {
-      tier,
-      usageLimit,
-      updatedAt: Date.now(),
-    };
-
-    if (stripeCustomerId) {
-      updates.stripeCustomerId = stripeCustomerId;
-    }
-
-    await ctx.db.patch(workspaceId, updates);
-    return { success: true };
-  },
-});
-
-// Increment usage count
-// Constants for rate limiting
-const FREE_WEEKLY_LIMIT = 50;
-const FREE_HOURLY_LIMIT = 10;
-// Rate limiting constants
-
-// Helper: Get start of current week (Monday 00:00 UTC)
-function getWeekStart(): number {
-  const now = new Date();
-  const dayOfWeek = now.getUTCDay();
-  const diff = dayOfWeek === 0 ? 6 : dayOfWeek - 1; // Monday = 0
-  const monday = new Date(now);
-  monday.setUTCDate(now.getUTCDate() - diff);
-  monday.setUTCHours(0, 0, 0, 0);
-  return monday.getTime();
-}
-
-// Helper: Get start of current hour
-function getHourStart(): number {
-  const now = new Date();
-  now.setUTCMinutes(0, 0, 0);
-  return now.getTime();
-}
-
-export const incrementUsage = mutation({
-  args: {
-    workspaceId: v.id("workspaces"),
-    amount: v.optional(v.number()),
-  },
-  handler: async (ctx, { workspaceId, amount = 1 }) => {
-    const workspace = await ctx.db.get(workspaceId);
-    if (!workspace) {
-      throw new Error("Workspace not found");
-    }
-
-    const now = Date.now();
-    const weekStart = getWeekStart();
-    const hourStart = getHourStart();
-    
-    // Check if paid tier (unlimited usage)
-    const isPaid = ["pro", "scale", "usage_based", "partner", "founder"].includes(workspace.tier);
-    
-    // Initialize weekly/hourly counters if needed
-    let weeklyCount = workspace.weeklyUsageCount || 0;
-    let hourlyCount = workspace.hourlyUsageCount || 0;
-    
-    // Reset weekly counter if new week
-    if (!workspace.lastWeeklyResetAt || workspace.lastWeeklyResetAt < weekStart) {
-      weeklyCount = 0;
-    }
-    
-    // Reset hourly counter if new hour
-    if (!workspace.lastHourlyResetAt || workspace.lastHourlyResetAt < hourStart) {
-      hourlyCount = 0;
-    }
-    
-    // Check rate limits for free tier
-    if (!isPaid && workspace.tier !== "enterprise") {
-      // Check hourly limit (10/hour for free)
-      if (hourlyCount + amount > FREE_HOURLY_LIMIT) {
-        throw new Error(`Hourly rate limit exceeded (${FREE_HOURLY_LIMIT}/hour). Upgrade to Pro for unlimited.`);
-      }
-
-      // Check weekly limit (50/week for free)
-      if (weeklyCount + amount > FREE_WEEKLY_LIMIT) {
-        throw new Error(`Weekly limit exceeded (${FREE_WEEKLY_LIMIT}/week). Upgrade to Pro for unlimited.`);
-      }
-    }
-
-    const newTotalCount = workspace.usageCount + amount;
-    const newWeeklyCount = weeklyCount + amount;
-    const newHourlyCount = hourlyCount + amount;
-
-    await ctx.db.patch(workspaceId, {
-      usageCount: newTotalCount,
-      weeklyUsageCount: newWeeklyCount,
-      hourlyUsageCount: newHourlyCount,
-      lastWeeklyResetAt: weekStart,
-      lastHourlyResetAt: hourStart,
-      updatedAt: now,
-    });
-
-    // Calculate remaining for free tier
-    const weeklyRemaining = isPaid ? Infinity : Math.max(0, FREE_WEEKLY_LIMIT - newWeeklyCount);
-    const hourlyRemaining = isPaid ? Infinity : Math.max(0, FREE_HOURLY_LIMIT - newHourlyCount);
-
-    return {
-      success: true,
-      usageCount: newTotalCount,
-      weeklyUsageCount: newWeeklyCount,
-      weeklyRemaining,
-      hourlyRemaining,
-      isPaid,
-    };
-  },
-});
-
-// ============================================
-// POLLING & VERIFICATION ENDPOINTS (for HTTP API)
-// ============================================
-
-// Poll magic link status (for agents to check if user clicked)
-export const pollMagicLink = query({
-  args: { token: v.string() },
-  handler: async (ctx, { token }) => {
-    const magicLink = await ctx.db
-      .query("workspaceMagicLinks")
-      .withIndex("by_token", (q) => q.eq("token", token))
-      .first();
-
-    if (!magicLink) {
-      return { status: "not_found" };
-    }
-
-    const now = Date.now();
-
-    if (magicLink.usedAt) {
-      // Get the workspace and session
-      const workspace = await ctx.db
-        .query("workspaces")
-        .withIndex("by_email", (q) => q.eq("email", magicLink.email))
-        .first();
-
-      // Get the latest session for this workspace
-      const session = workspace
-        ? await ctx.db
-            .query("agentSessions")
-            .withIndex("by_workspaceId", (q) => q.eq("workspaceId", workspace._id))
-            .order("desc")
-            .first()
-        : null;
-
-      return {
-        status: "verified",
-        workspace: workspace
-          ? {
-              id: workspace._id,
-              email: workspace.email,
-              tier: workspace.tier,
-              usageCount: workspace.usageCount,
-              usageLimit: workspace.usageLimit,
-            }
-          : null,
-        sessionToken: session?.sessionToken,
-      };
-    }
-
-    if (magicLink.expiresAt < now) {
-      return { status: "expired" };
-    }
-
-    return {
-      status: "pending",
-      expiresAt: magicLink.expiresAt,
-    };
-  },
-});
-
-// Verify session token (for HTTP API)
-export const verifySession = query({
-  args: { sessionToken: v.string() },
-  handler: async (ctx, { sessionToken }) => {
-    const session = await ctx.db
-      .query("agentSessions")
-      .withIndex("by_sessionToken", (q) => q.eq("sessionToken", sessionToken))
-      .first();
-
-    if (!session) {
-      return null;
-    }
-
-    const workspace = await ctx.db.get(session.workspaceId);
-    if (!workspace || workspace.status !== "active") {
-      return null;
-    }
-
-    return {
-      workspaceId: workspace._id,
-      email: workspace.email,
-      tier: workspace.tier,
-      usageCount: workspace.usageCount,
-      usageLimit: workspace.usageLimit,
-    };
-  },
-});
-
-// Get workspace by email (for HTTP API)
-export const getByEmail = query({
-  args: { email: v.string() },
-  handler: async (ctx, { email }) => {
-    const workspace = await ctx.db
-      .query("workspaces")
-      .withIndex("by_email", (q) => q.eq("email", email.toLowerCase()))
-      .first();
-
-    if (!workspace) {
-      return null;
-    }
-
-    return {
-      id: workspace._id,
-      email: workspace.email,
-      status: workspace.status,
-      tier: workspace.tier,
-      usageCount: workspace.usageCount,
-      usageLimit: workspace.usageLimit,
-    };
-  },
-});
-
-// Touch session (update lastUsedAt)
-export const touchSession = mutation({
-  args: { sessionToken: v.string() },
-  handler: async (ctx, { sessionToken }) => {
-    const session = await ctx.db
-      .query("agentSessions")
-      .withIndex("by_sessionToken", (q) => q.eq("sessionToken", sessionToken))
-      .first();
-
-    if (session) {
-      await ctx.db.patch(session._id, { lastUsedAt: Date.now() });
-    }
-  },
-});
-
-// ============================================
-// MCP WORKSPACE FUNCTIONS
-// ============================================
-
-// Create a new workspace (called from MCP register_owner)
-export const createWorkspace = mutation({
-  args: { email: v.string() },
-  handler: async (ctx, { email }) => {
-    const normalizedEmail = email.toLowerCase().trim();
-    
-    // Check if workspace exists
-    const existing = await ctx.db
-      .query("workspaces")
-      .withIndex("by_email", (q) => q.eq("email", normalizedEmail))
-      .first();
-    
-    if (existing) {
-      return { 
-        success: false, 
-        error: "workspace_exists",
-        workspaceId: existing._id,
-        status: existing.status,
-      };
-    }
-    
-    // Create new workspace
-    const workspaceId = await ctx.db.insert("workspaces", {
-      email: normalizedEmail,
-      status: "pending",
-      tier: "free",
-      usageCount: 0,
-      usageLimit: 50, // Free tier limit
-      createdAt: Date.now(),
-      updatedAt: Date.now(),
-    });
-    
-    return { success: true, workspaceId };
-  },
-});
-
-// Update workspace name
-export const updateWorkspaceName = mutation({
-  args: {
-    token: v.string(),
-    name: v.string(),
-  },
-  handler: async (ctx, { token, name }) => {
-    const session = await ctx.db
-      .query("agentSessions")
-      .withIndex("by_sessionToken", (q) => q.eq("sessionToken", token))
-      .first();
-    if (!session) throw new Error("Invalid session");
-
-    const trimmed = name.trim();
-    if (trimmed.length < 1 || trimmed.length > 100) {
-      throw new Error("Name must be between 1 and 100 characters");
-    }
-
-    await ctx.db.patch(session.workspaceId, {
-      workspaceName: trimmed,
-      updatedAt: Date.now(),
-    });
-
-    return { success: true, name: trimmed };
-  },
-});
-
-// Set or update password
-export const setPassword = mutation({
-  args: {
-    token: v.string(),
-    password: v.string(),
-  },
-  handler: async (ctx, { token, password }) => {
-    const session = await ctx.db
-      .query("agentSessions")
-      .withIndex("by_sessionToken", (q) => q.eq("sessionToken", token))
-      .first();
-    if (!session) throw new Error("Invalid session");
-
-    if (password.length < 8) throw new Error("Password must be at least 8 characters");
-
-    // Simple hash using built-in crypto
-    const encoder = new TextEncoder();
-    const data = encoder.encode(password + "apiclaw-salt-v1");
-    const hashBuffer = await crypto.subtle.digest("SHA-256", data);
-    const hashArray = Array.from(new Uint8Array(hashBuffer));
-    const hashHex = hashArray.map(b => b.toString(16).padStart(2, "0")).join("");
-
-    await ctx.db.patch(session.workspaceId, {
-      passwordHash: hashHex,
-      updatedAt: Date.now(),
-    });
-
-    return { success: true };
-  },
-});
-
-// Create agent session for workspace (called from MCP after verification)
-export const createAgentSession = mutation({
-  args: { 
-    workspaceId: v.id("workspaces"),
-    fingerprint: v.optional(v.string()),
-  },
-  handler: async (ctx, { workspaceId, fingerprint }) => {
-    const workspace = await ctx.db.get(workspaceId);
-    if (!workspace) {
-      return { success: false, error: "workspace_not_found" };
-    }
-    
-    if (workspace.status !== "active") {
-      return { success: false, error: "workspace_not_active" };
-    }
-    
-    const sessionToken = "apiclaw_" + generateToken();
-    
-    await ctx.db.insert("agentSessions", {
-      workspaceId,
-      sessionToken,
-      fingerprint,
-      lastUsedAt: Date.now(),
-      createdAt: Date.now(),
-    });
-    
-    return { success: true, sessionToken };
-  },
-});
-
-// ============================================
-// HELPER FUNCTIONS
-// ============================================
-
-function generateToken(): string {
-  const chars = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789";
-  let result = "";
-  for (let i = 0; i < 48; i++) {
-    result += chars.charAt(Math.floor(Math.random() * chars.length));
-  }
-  return result;
-}
-
-// Get workspace status (for MCP check_workspace_status tool)
-export const getWorkspaceStatus = query({
-  args: {
-    sessionToken: v.string(),
-  },
-  handler: async (ctx, args) => {
-    const session = await ctx.db
-      .query("agentSessions")
-      .withIndex("by_sessionToken", (q) => q.eq("sessionToken", args.sessionToken))
-      .first();
-    
-    if (!session) {
-      return { authenticated: false };
-    }
-    
-    const workspace = await ctx.db.get(session.workspaceId);
-    if (!workspace) {
-      return { authenticated: false };
-    }
-    
-    const usageRemaining = workspace.usageLimit > 0 
-      ? workspace.usageLimit - workspace.usageCount 
-      : -1; // -1 = unlimited
-    
-    return {
-      authenticated: true,
-      email: workspace.email,
-      status: workspace.status,
-      tier: workspace.tier,
-      usageCount: workspace.usageCount,
-      usageLimit: workspace.usageLimit,
-      usageRemaining,
-      hasStripe: !!workspace.stripeCustomerId,
-      createdAt: workspace.createdAt,
-    };
-  },
-});
-
-// Admin functions for Hivr integration
-export const adminActivateWorkspace = mutation({
-  args: { workspaceId: v.id("workspaces") },
-  handler: async (ctx, { workspaceId }) => {
-    const workspace = await ctx.db.get(workspaceId);
-    if (!workspace) {
-      return { success: false, error: "not_found" };
-    }
-    
-    await ctx.db.patch(workspaceId, {
-      status: "active",
-      tier: "pro",
-      weeklyUsageLimit: 999999,
-      updatedAt: Date.now(),
-    });
-    
-    return { success: true };
-  },
-});
-
-export const adminCreateSession = mutation({
-  args: { workspaceId: v.id("workspaces") },
-  handler: async (ctx, { workspaceId }) => {
-    const workspace = await ctx.db.get(workspaceId);
-    if (!workspace || workspace.status !== "active") {
-      return { success: false, error: "workspace_not_active" };
-    }
-    
-    const chars = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789';
-    let token = '';
-    for (let i = 0; i < 32; i++) {
-      token += chars.charAt(Math.floor(Math.random() * chars.length));
-    }
-    const sessionToken = "apiclaw_" + token;
-    
-    await ctx.db.insert("agentSessions", {
-      workspaceId,
-      sessionToken,
-      fingerprint: "hivr-bees",
-      lastUsedAt: Date.now(),
-      createdAt: Date.now(),
-    });
-    
-    return { success: true, sessionToken };
-  },
-});
-
-// TEMP: Admin query to debug workspace data
-export const adminGetFullWorkspace = query({
-  args: { email: v.string() },
-  handler: async (ctx, { email }) => {
-    const workspace = await ctx.db
-      .query("workspaces")
-      .withIndex("by_email", (q) => q.eq("email", email.toLowerCase()))
-      .first();
-
-    if (!workspace) {
-      return null;
-    }
-
-    return {
-      _id: workspace._id,
-      email: workspace.email,
-      status: workspace.status,
-      tier: workspace.tier,
-      mainAgentId: workspace.mainAgentId || null,
-      mainAgentName: workspace.mainAgentName || null,
-      aiBackend: workspace.aiBackend || null,
-      usageCount: workspace.usageCount,
-      usageLimit: workspace.usageLimit,
-      createdAt: workspace.createdAt,
-      updatedAt: workspace.updatedAt,
-    };
-  },
-});
-
-/**
- * Claim anonymous usage history when a user registers
- * Links all analytics records with matching fingerprint to the workspace
- */
-export const claimAnonymousUsage = mutation({
-  args: {
-    workspaceId: v.id("workspaces"),
-    machineFingerprint: v.string(),
-  },
-  handler: async (ctx, { workspaceId, machineFingerprint }) => {
-    // Verify workspace exists
-    const workspace = await ctx.db.get(workspaceId);
-    if (!workspace) {
-      return { success: false, error: "Workspace not found" };
-    }
-
-    // Find all analytics records with matching fingerprint and no workspaceId
-    const analyticsRecords = await ctx.db
-      .query("analytics")
-      .withIndex("by_identifier", (q) => q.eq("identifier", machineFingerprint))
-      .collect();
-
-    // Filter to only unclaimed records
-    const unclaimedRecords = analyticsRecords.filter((r) => !r.workspaceId);
-
-    // Update each record to link it to the workspace
-    let claimedCount = 0;
-    for (const record of unclaimedRecords) {
-      await ctx.db.patch(record._id, { workspaceId });
-      claimedCount++;
-    }
-
-    return {
-      success: true,
-      claimedCount,
-      message: `Claimed ${claimedCount} anonymous usage records`,
-    };
-  },
-});
-
-export const adminUpdateEmail = mutation({
-  args: { workspaceId: v.id("workspaces"), newEmail: v.string() },
-  handler: async (ctx, { workspaceId, newEmail }) => {
-    await ctx.db.patch(workspaceId, { email: newEmail });
-    return { success: true, email: newEmail };
-  },
-});
-
-export const adminSetTier = mutation({
-  args: { workspaceId: v.id("workspaces"), tier: v.string() },
-  handler: async (ctx, { workspaceId, tier }) => {
-    await ctx.db.patch(workspaceId, { tier, updatedAt: Date.now() });
-    return { success: true, tier };
-  },
-});