@wopr-network/platform-core 1.12.2 → 1.13.1

package/dist/api/routes/incident-response.js

@@ -0,0 +1,148 @@
+import { Hono } from "hono";
+import { z } from "zod";
+import { getCustomerTemplate, getInternalTemplate } from "../../monetization/incident/communication-templates.js";
+import { getEscalationMatrix } from "../../monetization/incident/escalation.js";
+import { generatePostMortemTemplate } from "../../monetization/incident/postmortem.js";
+import { getResponseProcedure } from "../../monetization/incident/response-procedures.js";
+import { classifySeverity } from "../../monetization/incident/severity.js";
+const severitySchema = z.enum(["SEV1", "SEV2", "SEV3"]);
+/**
+ * Create admin incident response routes.
+ *
+ * All imports come from platform-core's monetization/incident module.
+ * No external dependencies needed.
+ */
+export function createIncidentResponseRoutes() {
+    const routes = new Hono();
+    /**
+     * POST /severity
+     * Classify severity from provided signals.
+     */
+    routes.post("/severity", async (c) => {
+        try {
+            const body = await c.req.json();
+            const parsed = z
+                .object({
+                stripeReachable: z.boolean(),
+                webhooksReceiving: z.boolean().nullable(),
+                gatewayErrorRate: z.number(),
+                creditDeductionFailures: z.number(),
+                dlqDepth: z.number(),
+                tenantsWithNegativeBalance: z.number(),
+                autoTopupFailures: z.number(),
+                firingAlertCount: z.number(),
+            })
+                .parse(body);
+            const result = classifySeverity(parsed);
+            return c.json({ success: true, ...result });
+        }
+        catch (err) {
+            if (err instanceof z.ZodError) {
+                return c.json({ success: false, error: "Invalid signals payload", details: err.issues }, 400);
+            }
+            return c.json({ success: false, error: err instanceof Error ? err.message : "Unknown error" }, 500);
+        }
+    });
+    /**
+     * GET /escalation/:severity
+     * Get escalation matrix for a severity level.
+     */
+    routes.get("/escalation/:severity", async (c) => {
+        const rawSeverity = c.req.param("severity");
+        const parsed = severitySchema.safeParse(rawSeverity);
+        if (!parsed.success) {
+            return c.json({ success: false, error: "Invalid severity. Must be SEV1, SEV2, or SEV3" }, 400);
+        }
+        const contacts = getEscalationMatrix(parsed.data);
+        return c.json({ success: true, severity: parsed.data, contacts });
+    });
+    /**
+     * GET /procedure/:severity
+     * Get response procedure for a severity level.
+     */
+    routes.get("/procedure/:severity", async (c) => {
+        const rawSeverity = c.req.param("severity");
+        const parsed = severitySchema.safeParse(rawSeverity);
+        if (!parsed.success) {
+            return c.json({ success: false, error: "Invalid severity. Must be SEV1, SEV2, or SEV3" }, 400);
+        }
+        const procedure = getResponseProcedure(parsed.data);
+        return c.json({ success: true, procedure });
+    });
+    /**
+     * POST /communicate
+     * Generate communication templates for an incident.
+     */
+    routes.post("/communicate", async (c) => {
+        try {
+            const body = await c.req.json();
+            const parsed = z
+                .object({
+                severity: severitySchema,
+                incidentId: z.string().min(1),
+                startedAt: z.string().datetime(),
+                affectedSystems: z.array(z.string()),
+                customerImpact: z.string(),
+                currentStatus: z.string(),
+            })
+                .parse(body);
+            const context = {
+                incidentId: parsed.incidentId,
+                startedAt: new Date(parsed.startedAt),
+                affectedSystems: parsed.affectedSystems,
+                customerImpact: parsed.customerImpact,
+                currentStatus: parsed.currentStatus,
+            };
+            const customer = getCustomerTemplate(parsed.severity, context);
+            const internal = getInternalTemplate(parsed.severity, context);
+            return c.json({ success: true, templates: { customer, internal } });
+        }
+        catch (err) {
+            if (err instanceof z.ZodError) {
+                return c.json({ success: false, error: "Invalid payload", details: err.issues }, 400);
+            }
+            return c.json({ success: false, error: err instanceof Error ? err.message : "Unknown error" }, 500);
+        }
+    });
+    /**
+     * POST /postmortem
+     * Generate a post-mortem template for an incident.
+     */
+    routes.post("/postmortem", async (c) => {
+        try {
+            const body = await c.req.json();
+            const parsed = z
+                .object({
+                incidentId: z.string().min(1),
+                severity: severitySchema,
+                title: z.string().min(1),
+                startedAt: z.string().datetime(),
+                detectedAt: z.string().datetime(),
+                resolvedAt: z.string().datetime().nullable(),
+                affectedSystems: z.array(z.string()),
+                affectedTenantCount: z.number().int().min(0),
+                revenueImpactCents: z.number().int().nullable(),
+            })
+                .parse(body);
+            const report = generatePostMortemTemplate({
+                incidentId: parsed.incidentId,
+                severity: parsed.severity,
+                title: parsed.title,
+                startedAt: new Date(parsed.startedAt),
+                detectedAt: new Date(parsed.detectedAt),
+                resolvedAt: parsed.resolvedAt ? new Date(parsed.resolvedAt) : null,
+                affectedSystems: parsed.affectedSystems,
+                affectedTenantCount: parsed.affectedTenantCount,
+                revenueImpactCents: parsed.revenueImpactCents,
+            });
+            return c.json({ success: true, report });
+        }
+        catch (err) {
+            if (err instanceof z.ZodError) {
+                return c.json({ success: false, error: "Invalid payload", details: err.issues }, 400);
+            }
+            return c.json({ success: false, error: err instanceof Error ? err.message : "Unknown error" }, 500);
+        }
+    });
+    return routes;
+}

package/dist/api/routes/internal-gpu.d.ts

@@ -0,0 +1,12 @@
+import { Hono } from "hono";
+export interface GpuNodeStageUpdater {
+    updateStage(nodeId: string, stage: string): Promise<void>;
+    updateStatus(nodeId: string, status: string): Promise<void>;
+}
+/**
+ * Create internal GPU routes for node provisioning status updates.
+ *
+ * @param gpuSecretFactory - returns the GPU_NODE_SECRET (lazy to avoid env read at load time)
+ * @param repoFactory - returns the GPU node repository
+ */
+export declare function createInternalGpuRoutes(gpuSecretFactory: () => string | undefined, repoFactory: () => GpuNodeStageUpdater): Hono;

package/dist/api/routes/internal-gpu.js

@@ -0,0 +1,70 @@
+import { timingSafeEqual } from "node:crypto";
+import { Hono } from "hono";
+import { logger } from "../../config/logger.js";
+const VALID_STAGES = [
+    "installing_drivers",
+    "installing_docker",
+    "downloading_models",
+    "starting_services",
+    "registering",
+    "done",
+];
+/**
+ * Create internal GPU routes for node provisioning status updates.
+ *
+ * @param gpuSecretFactory - returns the GPU_NODE_SECRET (lazy to avoid env read at load time)
+ * @param repoFactory - returns the GPU node repository
+ */
+export function createInternalGpuRoutes(gpuSecretFactory, repoFactory) {
+    const routes = new Hono();
+    routes.post("/register", async (c) => {
+        const gpuSecret = gpuSecretFactory();
+        if (!gpuSecret) {
+            logger.warn("GPU_NODE_SECRET not configured");
+            return c.json({ success: false, error: "Unauthorized" }, 401);
+        }
+        const authHeader = c.req.header("Authorization");
+        const bearer = authHeader?.replace(/^Bearer\s+/i, "");
+        if (!bearer) {
+            return c.json({ success: false, error: "Unauthorized" }, 401);
+        }
+        const a = Buffer.from(bearer);
+        const b = Buffer.from(gpuSecret);
+        if (a.length !== b.length || !timingSafeEqual(a, b)) {
+            return c.json({ success: false, error: "Unauthorized" }, 401);
+        }
+        const stage = c.req.query("stage");
+        if (!stage || !VALID_STAGES.includes(stage)) {
+            return c.json({ success: false, error: `Invalid or missing stage. Valid: ${VALID_STAGES.join(", ")}` }, 400);
+        }
+        let rawBody;
+        try {
+            rawBody = await c.req.json();
+        }
+        catch {
+            return c.json({ success: false, error: "Invalid JSON body" }, 400);
+        }
+        if (typeof rawBody !== "object" ||
+            rawBody === null ||
+            typeof rawBody.nodeId !== "string") {
+            return c.json({ success: false, error: "Missing required field: nodeId" }, 400);
+        }
+        const { nodeId } = rawBody;
+        const repo = repoFactory();
+        try {
+            await repo.updateStage(nodeId, stage);
+            if (stage === "done") {
+                await repo.updateStatus(nodeId, "active");
+            }
+        }
+        catch (err) {
+            if (err instanceof Error && err.message.includes("not found")) {
+                return c.json({ success: false, error: `GPU node not found: ${nodeId}` }, 404);
+            }
+            throw err;
+        }
+        logger.info(`GPU node ${nodeId} stage updated to ${stage}`);
+        return c.json({ success: true });
+    });
+    return routes;
+}

package/dist/api/routes/internal-nodes.d.ts

@@ -0,0 +1,41 @@
+import { Hono } from "hono";
+import type { NodeRegistration } from "../../fleet/repository-types.js";
+export interface INodeRegistrar {
+    register(registration: NodeRegistration): Promise<unknown>;
+    registerSelfHosted(registration: NodeRegistration & {
+        ownerUserId: string;
+        label: string | null;
+        nodeSecretHash: string;
+    }): Promise<unknown>;
+}
+export interface INodeRepoForRegistration {
+    getBySecret(secret: string): Promise<{
+        id: string;
+    } | null>;
+}
+export interface IRegistrationTokenStore {
+    consume(token: string, nodeId: string): Promise<{
+        userId: string;
+        label: string | null;
+    } | null>;
+}
+export type HostValidator = (host: string) => void;
+export interface InternalNodeDeps {
+    nodeRegistrar: () => INodeRegistrar;
+    nodeRepo: () => INodeRepoForRegistration;
+    registrationTokenStore: () => IRegistrationTokenStore;
+    validateNodeHost: HostValidator;
+    logger?: {
+        info(msg: string): void;
+    };
+    /** Prefix for self-hosted node IDs. Default: "self" */
+    nodeIdPrefix?: string;
+    /** Prefix for node secrets. Default: "wopr_node_" */
+    nodeSecretPrefix?: string;
+}
+/**
+ * Create internal node registration routes.
+ *
+ * These are machine-to-machine routes used by node agents, not dashboard UI.
+ */
+export declare function createInternalNodeRoutes(deps: InternalNodeDeps): Hono;

package/dist/api/routes/internal-nodes.js

@@ -0,0 +1,105 @@
+import { createHash, randomUUID } from "node:crypto";
+import { Hono } from "hono";
+import { z } from "zod";
+const RegisterNodeSchema = z.object({
+    node_id: z
+        .string()
+        .min(1)
+        .max(128)
+        .regex(/^[a-zA-Z0-9_-]+$/),
+    host: z
+        .string()
+        .min(1)
+        .max(253)
+        .regex(/^[a-zA-Z0-9._-]+$/),
+    capacity_mb: z.number().int().positive().max(1_048_576),
+    agent_version: z.string().min(1).max(32),
+});
+/**
+ * Create internal node registration routes.
+ *
+ * These are machine-to-machine routes used by node agents, not dashboard UI.
+ */
+export function createInternalNodeRoutes(deps) {
+    const routes = new Hono();
+    /**
+     * POST /register
+     * Node registration (called on agent boot).
+     *
+     * Supports 2 auth paths:
+     * 1. Per-node persistent secret (returning self-hosted agent)
+     * 2. One-time registration token (new self-hosted node, UUID format)
+     */
+    routes.post("/register", async (c) => {
+        const authHeader = c.req.header("Authorization");
+        const bearer = authHeader?.replace(/^Bearer\s+/i, "");
+        if (!bearer) {
+            return c.json({ success: false, error: "Unauthorized" }, 401);
+        }
+        let rawBody;
+        try {
+            rawBody = await c.req.json();
+        }
+        catch {
+            return c.json({ success: false, error: "Invalid registration data" }, 400);
+        }
+        const parsed = RegisterNodeSchema.safeParse(rawBody);
+        if (!parsed.success) {
+            return c.json({ success: false, error: "Invalid registration data", details: parsed.error.flatten() }, 400);
+        }
+        const body = parsed.data;
+        try {
+            deps.validateNodeHost(body.host);
+        }
+        catch (err) {
+            return c.json({ success: false, error: err.message }, 400);
+        }
+        const registrar = deps.nodeRegistrar();
+        const nodeRepo = deps.nodeRepo();
+        // Map snake_case HTTP body to camelCase domain type
+        const registration = {
+            nodeId: body.node_id,
+            host: body.host,
+            capacityMb: body.capacity_mb,
+            agentVersion: body.agent_version,
+        };
+        // Path 1: Per-node persistent secret (returning agent)
+        const uuidPattern = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;
+        if (!uuidPattern.test(bearer)) {
+            const existingNode = await nodeRepo.getBySecret(bearer);
+            if (existingNode) {
+                await registrar.register({ ...registration, nodeId: existingNode.id });
+                deps.logger?.info(`Node re-registered via per-node secret: ${existingNode.id}`);
+                return c.json({ success: true });
+            }
+            return c.json({ success: false, error: "Unauthorized" }, 401);
+        }
+        // Path 2: One-time registration token (UUID format = registration token)
+        const tokenStore = deps.registrationTokenStore();
+        const prefix = deps.nodeIdPrefix ?? "self";
+        const nodeId = `${prefix}-${randomUUID().slice(0, 8)}`;
+        const consumed = await tokenStore.consume(bearer, nodeId);
+        if (!consumed) {
+            return c.json({ success: false, error: "Invalid or expired token" }, 401);
+        }
+        // Generate persistent per-node secret
+        const secretPrefix = deps.nodeSecretPrefix ?? "wopr_node_";
+        const nodeSecret = `${secretPrefix}${randomUUID().replace(/-/g, "")}`;
+        const hashedSecret = createHash("sha256").update(nodeSecret).digest("hex");
+        // Register self-hosted node via registrar
+        await registrar.registerSelfHosted({
+            ...registration,
+            nodeId,
+            ownerUserId: consumed.userId,
+            label: consumed.label,
+            nodeSecretHash: hashedSecret,
+        });
+        deps.logger?.info(`Self-hosted node registered: ${nodeId} for user ${consumed.userId}`);
+        return c.json({
+            success: true,
+            node_id: nodeId,
+            node_secret: nodeSecret, // Agent saves this — only returned once
+        });
+    });
+    return routes;
+}

package/dist/api/routes/login-history.d.ts

@@ -0,0 +1,11 @@
+import { Hono } from "hono";
+import type { AuthEnv } from "../../auth/index.js";
+import type { ILoginHistoryRepository } from "../../auth/login-history-repository.js";
+/**
+ * Create login history routes.
+ *
+ * Returns recent login sessions for the authenticated user.
+ * Query params:
+ *   - limit: max results (default 20, max 100)
+ */
+export declare function createLoginHistoryRoutes(repoFactory: () => ILoginHistoryRepository): Hono<AuthEnv>;

package/dist/api/routes/login-history.js

@@ -0,0 +1,22 @@
+import { Hono } from "hono";
+/**
+ * Create login history routes.
+ *
+ * Returns recent login sessions for the authenticated user.
+ * Query params:
+ *   - limit: max results (default 20, max 100)
+ */
+export function createLoginHistoryRoutes(repoFactory) {
+    const routes = new Hono();
+    routes.get("/", async (c) => {
+        const user = c.get("user");
+        if (!user)
+            return c.json({ error: "Unauthorized" }, 401);
+        const limitRaw = c.req.query("limit");
+        const limit = limitRaw ? Math.min(Math.max(1, Number.parseInt(limitRaw, 10) || 20), 100) : 20;
+        const repo = repoFactory();
+        const entries = await repo.findByUserId(user.id, limit);
+        return c.json(entries);
+    });
+    return routes;
+}

package/dist/api/routes/public-pricing.d.ts

@@ -0,0 +1,9 @@
+import { Hono } from "hono";
+import type { RateStore } from "../../admin/rates/rate-store.js";
+/**
+ * Create public pricing routes.
+ *
+ * Public, unauthenticated endpoint returning active sell rates grouped by capability.
+ * Used by pricing pages to display current rates.
+ */
+export declare function createPublicPricingRoutes(storeFactory: () => RateStore): Hono;

package/dist/api/routes/public-pricing.js

@@ -0,0 +1,32 @@
+import { Hono } from "hono";
+/**
+ * Create public pricing routes.
+ *
+ * Public, unauthenticated endpoint returning active sell rates grouped by capability.
+ * Used by pricing pages to display current rates.
+ */
+export function createPublicPricingRoutes(storeFactory) {
+    const routes = new Hono();
+    routes.get("/", async (c) => {
+        try {
+            const store = storeFactory();
+            const rates = await store.listPublicRates();
+            // Group by capability for the UI
+            const grouped = {};
+            for (const rate of rates) {
+                if (!grouped[rate.capability])
+                    grouped[rate.capability] = [];
+                grouped[rate.capability].push({
+                    name: rate.display_name,
+                    unit: rate.unit,
+                    price: rate.price_usd,
+                });
+            }
+            return c.json({ rates: grouped });
+        }
+        catch {
+            return c.json({ error: "Internal server error" }, 500);
+        }
+    });
+    return routes;
+}

package/dist/api/routes/quota.d.ts

@@ -0,0 +1,8 @@
+import { Hono } from "hono";
+import type { ICreditLedger } from "../../credits/credit-ledger.js";
+/**
+ * Create quota routes.
+ *
+ * @param ledgerFactory - Factory returning the credit ledger
+ */
+export declare function createQuotaRoutes(ledgerFactory: () => ICreditLedger): Hono;

package/dist/api/routes/quota.js

@@ -0,0 +1,113 @@
+import { Hono } from "hono";
+import { checkInstanceQuota, DEFAULT_INSTANCE_LIMITS } from "../../monetization/quotas/quota-check.js";
+import { buildResourceLimits, DEFAULT_RESOURCE_CONFIG } from "../../monetization/quotas/resource-limits.js";
+/**
+ * Create quota routes.
+ *
+ * @param ledgerFactory - Factory returning the credit ledger
+ */
+export function createQuotaRoutes(ledgerFactory) {
+    const routes = new Hono();
+    /**
+     * GET /
+     *
+     * Returns the authenticated tenant's credit balance and resource limits.
+     */
+    routes.get("/", async (c) => {
+        const tenantId = c.req.query("tenant");
+        if (!tenantId) {
+            return c.json({ error: "tenant query param is required" }, 400);
+        }
+        const activeRaw = c.req.query("activeInstances");
+        const activeInstances = activeRaw != null ? Number.parseInt(activeRaw, 10) : 0;
+        if (Number.isNaN(activeInstances) || activeInstances < 0) {
+            return c.json({ error: "Invalid activeInstances parameter" }, 400);
+        }
+        const balance = await ledgerFactory().balance(tenantId);
+        return c.json({
+            balanceCents: balance.toCentsRounded(),
+            instances: {
+                current: activeInstances,
+                max: DEFAULT_INSTANCE_LIMITS.maxInstances,
+                remaining: DEFAULT_INSTANCE_LIMITS.maxInstances === 0
+                    ? -1
+                    : Math.max(0, DEFAULT_INSTANCE_LIMITS.maxInstances - activeInstances),
+            },
+            resources: DEFAULT_RESOURCE_CONFIG,
+        });
+    });
+    /**
+     * POST /check
+     *
+     * Check whether an instance creation would be allowed.
+     */
+    routes.post("/check", async (c) => {
+        let body;
+        try {
+            body = (await c.req.json());
+        }
+        catch {
+            return c.json({ error: "Invalid JSON body" }, 400);
+        }
+        const tenantId = body.tenant;
+        if (!tenantId) {
+            return c.json({ error: "tenant is required" }, 400);
+        }
+        const activeInstances = Number(body.activeInstances ?? 0);
+        const softCap = Boolean(body.softCap);
+        if (Number.isNaN(activeInstances) || activeInstances < 0) {
+            return c.json({ error: "Invalid activeInstances" }, 400);
+        }
+        // Check credit balance
+        const balance = await ledgerFactory().balance(tenantId);
+        if (balance.isNegative() || balance.isZero()) {
+            return c.json({
+                allowed: false,
+                reason: "Insufficient credit balance",
+                currentBalanceCents: balance.toCentsRounded(),
+                purchaseUrl: "/settings/billing",
+            }, 402);
+        }
+        const result = checkInstanceQuota(DEFAULT_INSTANCE_LIMITS, activeInstances, {
+            softCapEnabled: softCap,
+            gracePeriodMs: 7 * 24 * 60 * 60 * 1000,
+        });
+        const status = result.allowed ? 200 : 403;
+        return c.json(result, status);
+    });
+    /**
+     * GET /balance/:tenant
+     *
+     * Get a tenant's credit balance.
+     */
+    routes.get("/balance/:tenant", async (c) => {
+        const tenantId = c.req.param("tenant");
+        const balance = await ledgerFactory().balance(tenantId);
+        return c.json({ tenantId, balanceCents: balance.toCentsRounded() });
+    });
+    /**
+     * GET /history/:tenant
+     *
+     * Get a tenant's credit transaction history.
+     */
+    routes.get("/history/:tenant", async (c) => {
+        const tenantId = c.req.param("tenant");
+        const limitRaw = c.req.query("limit");
+        const offsetRaw = c.req.query("offset");
+        const type = c.req.query("type");
+        const limit = limitRaw != null ? Number.parseInt(limitRaw, 10) : 50;
+        const offset = offsetRaw != null ? Number.parseInt(offsetRaw, 10) : 0;
+        const transactions = await ledgerFactory().history(tenantId, { limit, offset, type: type || undefined });
+        return c.json({ transactions });
+    });
+    /**
+     * GET /resource-limits
+     *
+     * Get default Docker resource constraints for bot containers.
+     */
+    routes.get("/resource-limits", (c) => {
+        const limits = buildResourceLimits();
+        return c.json(limits);
+    });
+    return routes;
+}

package/dist/api/routes/secret-audit.d.ts

@@ -0,0 +1,12 @@
+import { Hono } from "hono";
+import type { AuditEnv } from "../../audit/types.js";
+import type { CredentialSummaryRow, ISecretAuditRepository } from "../../security/index.js";
+type GetCredentialOwner = (id: string) => Promise<CredentialSummaryRow | null>;
+/**
+ * Create secret audit routes.
+ *
+ * @param getRepo - factory for the secret audit repository (lazy init)
+ * @param getCredentialOwner - lookup function to find credential and check ownership
+ */
+export declare function createSecretAuditRoutes(getRepo: () => ISecretAuditRepository, getCredentialOwner: GetCredentialOwner): Hono<AuditEnv>;
+export {};

package/dist/api/routes/secret-audit.js

@@ -0,0 +1,41 @@
+import { Hono } from "hono";
+/**
+ * Create secret audit routes.
+ *
+ * @param getRepo - factory for the secret audit repository (lazy init)
+ * @param getCredentialOwner - lookup function to find credential and check ownership
+ */
+export function createSecretAuditRoutes(getRepo, getCredentialOwner) {
+    const routes = new Hono();
+    routes.get("/:id/audit", async (c) => {
+        const user = c.get("user");
+        if (!user)
+            return c.json({ error: "Unauthorized" }, 401);
+        const credentialId = c.req.param("id");
+        // Verify credential exists and is owned by this user
+        const credential = await getCredentialOwner(credentialId);
+        if (!credential || credential.createdBy !== user.id) {
+            return c.json({ error: "Not found" }, 404);
+        }
+        const limitRaw = c.req.query("limit") ? Number(c.req.query("limit")) : 50;
+        const offsetRaw = c.req.query("offset") ? Number(c.req.query("offset")) : 0;
+        const limit = Number.isFinite(limitRaw) ? limitRaw : 50;
+        const offset = Number.isFinite(offsetRaw) ? offsetRaw : 0;
+        const repo = getRepo();
+        const [events, total] = await Promise.all([
+            repo.listByCredentialId(credentialId, { limit, offset }),
+            repo.countByCredentialId(credentialId),
+        ]);
+        return c.json({
+            events: events.map((e) => ({
+                id: e.id,
+                accessedAt: new Date(e.accessedAt).toISOString(),
+                accessedBy: e.accessedBy,
+                action: e.action,
+                ...(e.ip !== null ? { ip: e.ip } : {}),
+            })),
+            total,
+        });
+    });
+    return routes;
+}

package/dist/api/routes/secrets.d.ts

@@ -0,0 +1,31 @@
+import { Hono } from "hono";
+import type { AuthEnv } from "../../auth/index.js";
+import { decrypt as defaultDecrypt, deriveInstanceKey as defaultDeriveInstanceKey } from "../../security/encryption.js";
+import { forwardSecretsToInstance as defaultForwardSecrets, writeEncryptedSeed as defaultWriteSeed } from "../../security/key-injection.js";
+import { validateProviderKey as defaultValidateKey } from "../../security/key-validation.js";
+export interface IProfileLookup {
+    getInstanceTenantId(instanceId: string): Promise<string | undefined>;
+}
+export interface SecretsSecurityFns {
+    decrypt: typeof defaultDecrypt;
+    deriveInstanceKey: typeof defaultDeriveInstanceKey;
+    writeEncryptedSeed: typeof defaultWriteSeed;
+    forwardSecretsToInstance: typeof defaultForwardSecrets;
+    validateProviderKey: typeof defaultValidateKey;
+}
+export interface SecretsDeps {
+    profileLookup: IProfileLookup;
+    platformSecret?: string;
+    instanceDataDir?: string;
+    logger?: {
+        error(msg: string, meta?: Record<string, unknown>): void;
+    };
+    /** Override security functions (useful for testing). Falls back to platform-core defaults. */
+    security?: Partial<SecretsSecurityFns>;
+}
+/**
+ * Create secrets management routes.
+ *
+ * @param deps - Dependencies for secret operations
+ */
+export declare function createSecretsRoutes(deps: SecretsDeps): Hono<AuthEnv>;