@wopr-network/platform-core 1.0.0 → 1.0.2

package/src/metering/reconciliation-cron.test.ts

@@ -1,11 +1,11 @@
 import crypto from "node:crypto";
 import type { PGlite } from "@electric-sql/pglite";
 import { afterAll, beforeAll, beforeEach, describe, expect, it, vi } from "vitest";
+import { Credit } from "../credits/credit.js";
+import { CreditLedger } from "../credits/credit-ledger.js";
 import type { PlatformDb } from "../db/index.js";
 import { usageSummaries } from "../db/schema/meter-events.js";
 import { createTestDb, truncateAllTables } from "../test/db.js";
-import { Credit } from "../credits/credit.js";
-import { CreditLedger } from "../credits/credit-ledger.js";
 import { runReconciliation } from "./reconciliation-cron.js";
 import { DrizzleAdapterUsageRepository, DrizzleUsageSummaryRepository } from "./reconciliation-repository.js";
 

package/src/metering/reconciliation-repository.test.ts

@@ -1,10 +1,10 @@
 import crypto from "node:crypto";
 import type { PGlite } from "@electric-sql/pglite";
 import { afterAll, beforeAll, beforeEach, describe, expect, it } from "vitest";
-import type { PlatformDb } from "../db/index.js";
-import { createTestDb, seedUsageSummary, truncateAllTables } from "../test/db.js";
 import { Credit } from "../credits/credit.js";
 import { CreditLedger } from "../credits/credit-ledger.js";
+import type { PlatformDb } from "../db/index.js";
+import { createTestDb, seedUsageSummary, truncateAllTables } from "../test/db.js";
 import { DrizzleAdapterUsageRepository, DrizzleUsageSummaryRepository } from "./reconciliation-repository.js";
 
 let pool: PGlite;

package/src/middleware/index.ts

@@ -1,12 +1,12 @@
-export type { IRateLimitRepository, RateLimitEntry } from "./rate-limit-repository.js";
+export { type CsrfOptions, csrfProtection, validateCsrfOrigin } from "./csrf.js";
 export { DrizzleRateLimitRepository } from "./drizzle-rate-limit-repository.js";
+export { getClientIpFromContext } from "./get-client-ip.js";
 export {
-  rateLimit,
-  rateLimitByRoute,
   getClientIp,
   parseTrustedProxies,
   type RateLimitConfig,
   type RateLimitRule,
+  rateLimit,
+  rateLimitByRoute,
 } from "./rate-limit.js";
-export { getClientIpFromContext } from "./get-client-ip.js";
-export { csrfProtection, validateCsrfOrigin, type CsrfOptions } from "./csrf.js";
+export type { IRateLimitRepository, RateLimitEntry } from "./rate-limit-repository.js";

package/src/middleware/rate-limit.test.ts

@@ -10,7 +10,6 @@ import { afterAll, afterEach, beforeAll, beforeEach, describe, expect, it, vi }
 import type { PlatformDb } from "../db/index.js";
 import { createTestDb, truncateAllTables } from "../test/db.js";
 import { DrizzleRateLimitRepository } from "./drizzle-rate-limit-repository.js";
-import type { IRateLimitRepository } from "./rate-limit-repository.js";
 import {
   getClientIp,
   parseTrustedProxies,
@@ -19,6 +18,7 @@ import {
   rateLimit,
   rateLimitByRoute,
 } from "./rate-limit.js";
+import type { IRateLimitRepository } from "./rate-limit-repository.js";
 
 // ---------------------------------------------------------------------------
 // Helpers

package/src/middleware/rate-limit.ts

@@ -10,8 +10,8 @@
  */
 
 import type { Context, MiddlewareHandler, Next } from "hono";
-import type { IRateLimitRepository } from "./rate-limit-repository.js";
 import { getClientIpFromContext } from "./get-client-ip.js";
+import type { IRateLimitRepository } from "./rate-limit-repository.js";
 
 export { getClientIp, parseTrustedProxies } from "./get-client-ip.js";
 

package/src/security/credential-vault/index.ts

@@ -1,12 +1,12 @@
-export type { SecretAuditEvent, ISecretAuditRepository } from "./audit-repository.js";
+export type { ISecretAuditRepository, SecretAuditEvent } from "./audit-repository.js";
 export { DrizzleSecretAuditRepository } from "./audit-repository.js";
 export type {
   CredentialRow,
   CredentialSummaryRow,
-  InsertCredentialRow,
   ICredentialMigrationAccess,
   ICredentialRepository,
   IMigrationTenantKeyAccess,
+  InsertCredentialRow,
 } from "./credential-repository.js";
 export { DrizzleCredentialRepository, DrizzleMigrationTenantKeyAccess } from "./credential-repository.js";
 export type { RotationResult } from "./key-rotation.js";

package/src/security/index.ts

@@ -1,59 +1,64 @@
-export type { EncryptedPayload, Provider, ValidateKeyRequest, ValidateKeyResponse, WriteSecretsRequest, ProviderEndpoint } from "./types.js";
-export { providerSchema, validateKeyRequestSchema, writeSecretsRequestSchema } from "./types.js";
-export { deriveInstanceKey, generateInstanceKey, encrypt, decrypt } from "./encryption.js";
-export { validateNodeHost } from "./host-validation.js";
-export { assertSafeRedirectUrl } from "./redirect-allowlist.js";
-export type { KeyLeakMatch } from "./key-audit.js";
-export { scanForKeyLeaks } from "./key-audit.js";
-export { writeEncryptedSeed, forwardSecretsToInstance } from "./key-injection.js";
-export { PROVIDER_ENDPOINTS, validateProviderKey } from "./key-validation.js";
-
 // Credential vault
 export {
-  type SecretAuditEvent,
-  type ISecretAuditRepository,
-  DrizzleSecretAuditRepository,
+  type AuthType,
+  auditCredentialEncryption,
+  type CreateCredentialInput,
   type CredentialRow,
+  type CredentialSummary,
   type CredentialSummaryRow,
-  type InsertCredentialRow,
+  CredentialVaultStore,
+  type DecryptedCredential,
+  DrizzleCredentialRepository,
+  DrizzleMigrationTenantKeyAccess,
+  DrizzleSecretAuditRepository,
+  getVaultEncryptionKey,
   type ICredentialMigrationAccess,
   type ICredentialRepository,
+  type ICredentialVaultStore,
   type IMigrationTenantKeyAccess,
-  DrizzleCredentialRepository,
-  DrizzleMigrationTenantKeyAccess,
-  type RotationResult,
-  reEncryptAllCredentials,
+  type InsertCredentialRow,
+  type ISecretAuditRepository,
   type MigrationResult,
   migratePlaintextCredentials,
   type PlaintextFinding,
-  auditCredentialEncryption,
-  type AuthType,
-  type CreateCredentialInput,
-  type CredentialSummary,
-  type DecryptedCredential,
-  type ICredentialVaultStore,
   type RotateCredentialInput,
-  CredentialVaultStore,
-  getVaultEncryptionKey,
+  type RotationResult,
+  reEncryptAllCredentials,
+  type SecretAuditEvent,
 } from "./credential-vault/index.js";
-
+export { decrypt, deriveInstanceKey, encrypt, generateInstanceKey } from "./encryption.js";
+export { validateNodeHost } from "./host-validation.js";
+export type { KeyLeakMatch } from "./key-audit.js";
+export { scanForKeyLeaks } from "./key-audit.js";
+export { forwardSecretsToInstance, writeEncryptedSeed } from "./key-injection.js";
+export { PROVIDER_ENDPOINTS, validateProviderKey } from "./key-validation.js";
+export { assertSafeRedirectUrl } from "./redirect-allowlist.js";
 // Tenant keys
 export {
-  type IKeyResolutionRepository,
-  DrizzleKeyResolutionRepository,
-  type ResolvedKey,
-  resolveApiKey,
+  ALL_CAPABILITIES,
   buildPooledKeysMap,
-  type TenantApiKey,
-  type ITenantKeyRepository,
-  TenantKeyRepository,
   type CapabilityName,
-  type TenantCapabilitySetting,
-  type ICapabilitySettingsRepository,
-  ALL_CAPABILITIES,
   CapabilitySettingsStore,
+  DrizzleKeyResolutionRepository,
+  DrizzleOrgMembershipRepository,
+  type ICapabilitySettingsRepository,
+  type IKeyResolutionRepository,
   type IOrgMembershipRepository,
+  type ITenantKeyRepository,
   type OrgResolvedKey,
-  DrizzleOrgMembershipRepository,
+  type ResolvedKey,
+  resolveApiKey,
   resolveApiKeyWithOrgFallback,
+  type TenantApiKey,
+  type TenantCapabilitySetting,
+  TenantKeyRepository,
 } from "./tenant-keys/index.js";
+export type {
+  EncryptedPayload,
+  Provider,
+  ProviderEndpoint,
+  ValidateKeyRequest,
+  ValidateKeyResponse,
+  WriteSecretsRequest,
+} from "./types.js";
+export { providerSchema, validateKeyRequestSchema, writeSecretsRequestSchema } from "./types.js";

package/src/security/redirect-allowlist.ts

@@ -1,10 +1,13 @@
-const ALLOWED_REDIRECT_ORIGINS: string[] = [
-  "https://app.wopr.bot",
-  "https://wopr.network",
-  ...(process.env.NODE_ENV !== "production" ? ["http://localhost:3000", "http://localhost:3001"] : []),
-  ...(process.env.PLATFORM_UI_URL ? [process.env.PLATFORM_UI_URL] : []),
-  ...(process.env.NODE_ENV !== "production" ? ["https://example.com"] : []),
-];
+const STATIC_ORIGINS: string[] = ["https://app.wopr.bot", "https://wopr.network"];
+
+function getAllowedOrigins(): string[] {
+  return [
+    ...STATIC_ORIGINS,
+    ...(process.env.NODE_ENV !== "production" ? ["http://localhost:3000", "http://localhost:3001"] : []),
+    ...(process.env.PLATFORM_UI_URL ? [process.env.PLATFORM_UI_URL] : []),
+    ...(process.env.NODE_ENV !== "production" ? ["https://example.com"] : []),
+  ];
+}
 
 /**
  * Throws if `url` is not rooted at one of the allowed origins.
@@ -22,7 +25,7 @@ export function assertSafeRedirectUrl(url: string): void {
     throw new Error("Invalid redirect URL");
   }
   const origin = parsed.origin;
-  const allowed = ALLOWED_REDIRECT_ORIGINS.some((o) => {
+  const allowed = getAllowedOrigins().some((o) => {
     try {
       return origin === new URL(o).origin;
     } catch {

package/src/security/tenant-keys/index.ts

@@ -1,10 +1,14 @@
+export type {
+  CapabilityName,
+  ICapabilitySettingsRepository,
+  TenantCapabilitySetting,
+} from "./capability-settings-store.js";
+export { ALL_CAPABILITIES, CapabilitySettingsStore } from "./capability-settings-store.js";
+export type { ResolvedKey } from "./key-resolution.js";
+export { buildPooledKeysMap, resolveApiKey } from "./key-resolution.js";
 export type { IKeyResolutionRepository } from "./key-resolution-repository.js";
 export { DrizzleKeyResolutionRepository } from "./key-resolution-repository.js";
-export type { ResolvedKey } from "./key-resolution.js";
-export { resolveApiKey, buildPooledKeysMap } from "./key-resolution.js";
-export type { TenantApiKey, ITenantKeyRepository } from "./tenant-key-repository.js";
-export { TenantKeyRepository } from "./tenant-key-repository.js";
-export type { CapabilityName, TenantCapabilitySetting, ICapabilitySettingsRepository } from "./capability-settings-store.js";
-export { ALL_CAPABILITIES, CapabilitySettingsStore } from "./capability-settings-store.js";
 export type { IOrgMembershipRepository, OrgResolvedKey } from "./org-key-resolution.js";
 export { DrizzleOrgMembershipRepository, resolveApiKeyWithOrgFallback } from "./org-key-resolution.js";
+export type { ITenantKeyRepository, TenantApiKey } from "./tenant-key-repository.js";
+export { TenantKeyRepository } from "./tenant-key-repository.js";

package/src/tenancy/index.ts

@@ -1,6 +1,6 @@
-export type { Tenant, IOrgRepository } from "./drizzle-org-repository.js";
+export type { IOrgRepository, Tenant } from "./drizzle-org-repository.js";
 export { DrizzleOrgRepository } from "./drizzle-org-repository.js";
-export type { OrgMemberRow, OrgInviteRow, IOrgMemberRepository } from "./org-member-repository.js";
+export type { IOrgMemberRepository, OrgInviteRow, OrgMemberRow } from "./org-member-repository.js";
 export { DrizzleOrgMemberRepository } from "./org-member-repository.js";
-export type { OrgWithMembers, OrgMemberWithUser, OrgInvitePublic, OrgServiceOptions } from "./org-service.js";
+export type { OrgInvitePublic, OrgMemberWithUser, OrgServiceOptions, OrgWithMembers } from "./org-service.js";
 export { OrgService } from "./org-service.js";

package/src/tenancy/org-service.test.ts

@@ -2,9 +2,9 @@ import type { PGlite } from "@electric-sql/pglite";
 import { TRPCError } from "@trpc/server";
 import { afterAll, beforeAll, beforeEach, describe, expect, it, vi } from "vitest";
 import type { PlatformDb } from "../db/index.js";
-import { DrizzleOrgMemberRepository } from "./org-member-repository.js";
 import { createTestDb, truncateAllTables } from "../test/db.js";
 import { DrizzleOrgRepository } from "./drizzle-org-repository.js";
+import { DrizzleOrgMemberRepository } from "./org-member-repository.js";
 import { OrgService } from "./org-service.js";
 
 async function setup(db: PlatformDb) {

package/src/tenancy/org-service.ts

@@ -10,8 +10,8 @@ import { eq } from "drizzle-orm";
 import { logger } from "../config/logger.js";
 import type { PlatformDb } from "../db/index.js";
 import { organizationInvites, organizationMembers, tenants } from "../db/schema/index.js";
-import type { IOrgMemberRepository, OrgInviteRow } from "./org-member-repository.js";
 import type { IOrgRepository, Tenant } from "./drizzle-org-repository.js";
+import type { IOrgMemberRepository, OrgInviteRow } from "./org-member-repository.js";
 
 // ---------------------------------------------------------------------------
 // Types

package/src/trpc/index.ts

@@ -1,11 +1,11 @@
 export {
-  router,
-  createCallerFactory,
-  publicProcedure,
-  protectedProcedure,
   adminProcedure,
-  tenantProcedure,
+  createCallerFactory,
   orgMemberProcedure,
+  protectedProcedure,
+  publicProcedure,
+  router,
   setTrpcOrgMemberRepo,
   type TRPCContext,
+  tenantProcedure,
 } from "./init.js";

package/src/trpc/init.test.ts

@@ -1,14 +1,14 @@
-import { describe, expect, it, vi, beforeEach } from "vitest";
+import { beforeEach, describe, expect, it, vi } from "vitest";
 import type { IOrgMemberRepository } from "../tenancy/org-member-repository.js";
 import {
-  router,
-  createCallerFactory,
-  publicProcedure,
-  protectedProcedure,
   adminProcedure,
-  tenantProcedure,
+  createCallerFactory,
   orgMemberProcedure,
+  protectedProcedure,
+  publicProcedure,
+  router,
   setTrpcOrgMemberRepo,
+  tenantProcedure,
 } from "./init.js";
 
 // ---------------------------------------------------------------------------
@@ -41,9 +41,7 @@ const appRouter = router({
   protectedHello: protectedProcedure.query(() => "protected-ok"),
   adminHello: adminProcedure.query(() => "admin-ok"),
   tenantHello: tenantProcedure.query(() => "tenant-ok"),
-  orgAction: orgMemberProcedure
-    .input((v: unknown) => v as { orgId: string })
-    .mutation(() => "org-ok"),
+  orgAction: orgMemberProcedure.input((v: unknown) => v as { orgId: string }).mutation(() => "org-ok"),
 });
 
 const createCaller = createCallerFactory(appRouter);
@@ -172,7 +170,7 @@ describe("tRPC procedure builders", () => {
 
     it("rejects when orgId is missing from input", async () => {
       const caller = createCaller({ user: { id: "u1", roles: ["user"] }, tenantId: undefined });
-      await expect(caller.orgAction({} as any)).rejects.toThrow("orgId is required");
+      await expect(caller.orgAction({} as unknown as { orgId: string })).rejects.toThrow("orgId is required");
     });
 
     it("rejects non-members", async () => {

package/vitest.config.ts

@@ -4,5 +4,9 @@ export default defineConfig({
   test: {
     testTimeout: 30000,
     include: ["src/**/*.test.ts"],
+    coverage: {
+      provider: "v8",
+      reporter: ["text", "json-summary", "json"],
+    },
   },
 });