@wopr-network/platform-core 1.12.2 → 1.13.1

package/dist/api/routes/secrets.js

@@ -0,0 +1,135 @@
+import { Hono } from "hono";
+import { validateTenantOwnership } from "../../auth/index.js";
+import { decrypt as defaultDecrypt, deriveInstanceKey as defaultDeriveInstanceKey } from "../../security/encryption.js";
+import { forwardSecretsToInstance as defaultForwardSecrets, writeEncryptedSeed as defaultWriteSeed, } from "../../security/key-injection.js";
+import { validateProviderKey as defaultValidateKey } from "../../security/key-validation.js";
+import { validateKeyRequestSchema, writeSecretsRequestSchema } from "../../security/types.js";
+/** Allowlist: only alphanumeric, hyphens, and underscores. */
+const INSTANCE_ID_RE = /^[a-zA-Z0-9_-]+$/;
+function isValidInstanceId(id) {
+    return INSTANCE_ID_RE.test(id);
+}
+/**
+ * Create secrets management routes.
+ *
+ * @param deps - Dependencies for secret operations
+ */
+export function createSecretsRoutes(deps) {
+    const routes = new Hono();
+    const instanceDataDir = deps.instanceDataDir ?? "/data/instances";
+    // Resolve security functions with defaults
+    const decryptFn = deps.security?.decrypt ?? defaultDecrypt;
+    const deriveInstanceKeyFn = deps.security?.deriveInstanceKey ?? defaultDeriveInstanceKey;
+    const writeEncryptedSeedFn = deps.security?.writeEncryptedSeed ?? defaultWriteSeed;
+    const forwardSecretsFn = deps.security?.forwardSecretsToInstance ?? defaultForwardSecrets;
+    const validateKeyFn = deps.security?.validateProviderKey ?? defaultValidateKey;
+    /**
+     * PUT /instances/:id/config/secrets
+     *
+     * Writes secrets to a running instance by forwarding the body opaquely,
+     * or writes an encrypted seed file if the instance is not running.
+     */
+    routes.put("/instances/:id/config/secrets", async (c) => {
+        const instanceId = c.req.param("id");
+        if (!isValidInstanceId(instanceId)) {
+            return c.json({ error: "Invalid instance ID" }, 400);
+        }
+        // Validate tenant ownership of the instance
+        const tenantId = await deps.profileLookup.getInstanceTenantId(instanceId);
+        const ownershipError = validateTenantOwnership(c, instanceId, tenantId);
+        if (ownershipError) {
+            return ownershipError;
+        }
+        const mode = c.req.query("mode") || "proxy";
+        if (mode === "seed") {
+            // Pre-boot: parse body to encrypt, then discard plaintext
+            let body;
+            try {
+                body = await c.req.json();
+            }
+            catch {
+                return c.json({ error: "Invalid JSON body" }, 400);
+            }
+            const parsed = writeSecretsRequestSchema.safeParse(body);
+            if (!parsed.success) {
+                return c.json({ error: "Validation failed", details: parsed.error.flatten() }, 400);
+            }
+            if (!deps.platformSecret) {
+                return c.json({ error: "Platform secret not configured" }, 500);
+            }
+            try {
+                const instanceKey = deriveInstanceKeyFn(instanceId, deps.platformSecret);
+                const woprHome = `${instanceDataDir}/${instanceId}`;
+                await writeEncryptedSeedFn(woprHome, parsed.data, instanceKey);
+                return c.json({ ok: true, mode: "seed" });
+            }
+            catch (err) {
+                const message = err instanceof Error ? err.message : "Failed to write seed";
+                deps.logger?.error("Failed to write encrypted seed", { instanceId, error: message });
+                return c.json({ error: "Failed to write encrypted seed" }, 500);
+            }
+        }
+        // Default: proxy mode — forward body opaquely to the instance container
+        const rawBody = await c.req.text();
+        const instanceUrl = `http://wopr-${instanceId}:3000`;
+        const authHeader = c.req.header("Authorization") || "";
+        const sessionToken = authHeader.replace(/^Bearer\s+/i, "");
+        const result = await forwardSecretsFn(instanceUrl, sessionToken, rawBody);
+        if (result.ok) {
+            return c.json({ ok: true, mode: "proxy" });
+        }
+        const status = result.status === 502 ? 502 : result.status === 503 ? 503 : result.status === 404 ? 404 : 500;
+        return c.json({ error: result.error || "Proxy failed" }, status);
+    });
+    /**
+     * POST /validate-key
+     *
+     * Validates a provider API key without logging or persisting it.
+     */
+    routes.post("/validate-key", async (c) => {
+        let body;
+        try {
+            body = await c.req.json();
+        }
+        catch {
+            return c.json({ error: "Invalid JSON body" }, 400);
+        }
+        const parsed = validateKeyRequestSchema.safeParse(body);
+        if (!parsed.success) {
+            return c.json({ error: "Validation failed", details: parsed.error.flatten() }, 400);
+        }
+        const { provider, encryptedKey } = parsed.data;
+        // Decrypt the key in memory
+        let plaintextKey;
+        try {
+            const encryptedPayload = JSON.parse(encryptedKey);
+            const instanceId = c.req.query("instanceId");
+            if (!instanceId) {
+                return c.json({ error: "instanceId query parameter required" }, 400);
+            }
+            if (!isValidInstanceId(instanceId)) {
+                return c.json({ error: "Invalid instance ID" }, 400);
+            }
+            // Validate tenant ownership of the instance
+            const tenantId = await deps.profileLookup.getInstanceTenantId(instanceId);
+            const ownershipError = validateTenantOwnership(c, instanceId, tenantId);
+            if (ownershipError) {
+                return ownershipError;
+            }
+            if (!deps.platformSecret) {
+                return c.json({ error: "Platform secret not configured" }, 500);
+            }
+            const instanceKey = deriveInstanceKeyFn(instanceId, deps.platformSecret);
+            plaintextKey = decryptFn(encryptedPayload, instanceKey);
+        }
+        catch {
+            return c.json({ error: "Failed to decrypt key payload" }, 400);
+        }
+        // Validate against the provider API
+        const result = await validateKeyFn(provider, plaintextKey);
+        // Explicitly discard the key reference
+        plaintextKey = "";
+        return c.json({ valid: result.valid, error: result.error });
+    });
+    return routes;
+}

package/dist/api/routes/tenant-keys.d.ts

@@ -0,0 +1,16 @@
+import { Hono } from "hono";
+import type { ITenantKeyRepository } from "../../security/tenant-keys/tenant-key-repository.js";
+export interface TenantKeyDeps {
+    repo: () => ITenantKeyRepository;
+    /** Platform secret for key derivation. If not provided, encrypt operations will fail with 500. */
+    platformSecret?: string;
+    logger?: {
+        warn(msg: string): void;
+    };
+}
+/**
+ * Create tenant key management routes.
+ *
+ * @param deps - Dependencies for tenant key operations
+ */
+export declare function createTenantKeyRoutes(deps: TenantKeyDeps): Hono;

package/dist/api/routes/tenant-keys.js

@@ -0,0 +1,142 @@
+import { createHmac } from "node:crypto";
+import { Hono } from "hono";
+import { z } from "zod";
+import { encrypt } from "../../security/encryption.js";
+import { providerSchema } from "../../security/types.js";
+// ---------------------------------------------------------------------------
+// Request schemas
+// ---------------------------------------------------------------------------
+const storeKeySchema = z.object({
+    provider: providerSchema,
+    apiKey: z.string().min(1, "API key is required"),
+    label: z.string().max(100).optional(),
+});
+/** Derive a per-tenant encryption key from tenant ID and platform secret. */
+function deriveTenantKey(tenantId, platformSecret) {
+    return createHmac("sha256", platformSecret).update(`tenant:${tenantId}`).digest();
+}
+/**
+ * Create tenant key management routes.
+ *
+ * @param deps - Dependencies for tenant key operations
+ */
+export function createTenantKeyRoutes(deps) {
+    const routes = new Hono();
+    /**
+     * GET /
+     *
+     * List all API keys for the authenticated tenant.
+     * Returns metadata only (never the encrypted key material).
+     */
+    routes.get("/", async (c) => {
+        const tenantId = getTenantId(c);
+        if (!tenantId) {
+            return c.json({ error: "Tenant context required" }, 400);
+        }
+        const keys = await deps.repo().listForTenant(tenantId);
+        return c.json({ keys });
+    });
+    /**
+     * GET /:provider
+     *
+     * Check whether the tenant has a stored key for a specific provider.
+     * Returns metadata only.
+     */
+    routes.get("/:provider", async (c) => {
+        const tenantId = getTenantId(c);
+        if (!tenantId) {
+            return c.json({ error: "Tenant context required" }, 400);
+        }
+        const provider = c.req.param("provider");
+        const parsed = providerSchema.safeParse(provider);
+        if (!parsed.success) {
+            return c.json({ error: "Invalid provider" }, 400);
+        }
+        const record = await deps.repo().get(tenantId, parsed.data);
+        if (!record) {
+            return c.json({ error: "No key stored for this provider" }, 404);
+        }
+        // Return metadata only, never the encrypted key
+        return c.json({
+            id: record.id,
+            tenant_id: record.tenant_id,
+            provider: record.provider,
+            label: record.label,
+            created_at: record.created_at,
+            updated_at: record.updated_at,
+        });
+    });
+    /**
+     * PUT /:provider
+     *
+     * Store or replace a tenant's API key for a provider.
+     * The key is encrypted at rest using AES-256-GCM with a tenant-derived key.
+     */
+    routes.put("/:provider", async (c) => {
+        const tenantId = getTenantId(c);
+        if (!tenantId) {
+            return c.json({ error: "Tenant context required" }, 400);
+        }
+        const provider = c.req.param("provider");
+        const providerParsed = providerSchema.safeParse(provider);
+        if (!providerParsed.success) {
+            return c.json({ error: "Invalid provider" }, 400);
+        }
+        let body;
+        try {
+            body = await c.req.json();
+        }
+        catch {
+            return c.json({ error: "Invalid JSON body" }, 400);
+        }
+        const parsed = storeKeySchema.safeParse(body);
+        if (!parsed.success) {
+            return c.json({ error: "Validation failed", details: parsed.error.flatten() }, 400);
+        }
+        if (parsed.data.provider !== providerParsed.data) {
+            return c.json({ error: "Provider in body must match URL parameter" }, 400);
+        }
+        if (!deps.platformSecret) {
+            return c.json({ error: "Platform secret not configured" }, 500);
+        }
+        // Encrypt the key in memory, then discard the plaintext
+        const tenantKey = deriveTenantKey(tenantId, deps.platformSecret);
+        const encryptedPayload = encrypt(parsed.data.apiKey, tenantKey);
+        const id = await deps.repo().upsert(tenantId, providerParsed.data, encryptedPayload, parsed.data.label ?? "");
+        return c.json({ ok: true, id, provider: providerParsed.data });
+    });
+    /**
+     * DELETE /:provider
+     *
+     * Delete a tenant's stored API key for a provider.
+     */
+    routes.delete("/:provider", async (c) => {
+        const tenantId = getTenantId(c);
+        if (!tenantId) {
+            return c.json({ error: "Tenant context required" }, 400);
+        }
+        const provider = c.req.param("provider");
+        const parsed = providerSchema.safeParse(provider);
+        if (!parsed.success) {
+            return c.json({ error: "Invalid provider" }, 400);
+        }
+        const deleted = await deps.repo().delete(tenantId, parsed.data);
+        if (!deleted) {
+            return c.json({ error: "No key stored for this provider" }, 404);
+        }
+        return c.json({ ok: true, provider: parsed.data });
+    });
+    return routes;
+}
+// ---------------------------------------------------------------------------
+// Helpers
+// ---------------------------------------------------------------------------
+/** Extract the tenant ID from the auth context. */
+function getTenantId(c) {
+    try {
+        return c.get("tokenTenantId");
+    }
+    catch {
+        return undefined;
+    }
+}

package/dist/api/routes/verify-email.d.ts

@@ -0,0 +1,19 @@
+import { Hono } from "hono";
+import type { Pool } from "pg";
+import type { ICreditLedger } from "../../credits/index.js";
+export interface VerifyEmailRouteDeps {
+    pool: Pool;
+    creditLedger: ICreditLedger;
+}
+export interface VerifyEmailRouteConfig {
+    /** UI origin for redirect URLs (default: http://localhost:3001) */
+    uiOrigin?: string;
+}
+/**
+ * Create verify-email routes with explicit dependencies (for testing).
+ */
+export declare function createVerifyEmailRoutes(deps: VerifyEmailRouteDeps, config?: VerifyEmailRouteConfig): Hono;
+/**
+ * Create verify-email routes with factory functions (for lazy init).
+ */
+export declare function createVerifyEmailRoutesLazy(poolFactory: () => Pool, creditLedgerFactory: () => ICreditLedger, config?: VerifyEmailRouteConfig): Hono;

package/dist/api/routes/verify-email.js

@@ -0,0 +1,70 @@
+import { Hono } from "hono";
+import { logger } from "../../config/logger.js";
+import { grantSignupCredits } from "../../credits/index.js";
+import { getEmailClient } from "../../email/client.js";
+import { verifyToken, welcomeTemplate } from "../../email/index.js";
+/**
+ * Create verify-email routes with explicit dependencies (for testing).
+ */
+export function createVerifyEmailRoutes(deps, config) {
+    return buildRoutes(() => deps.pool, () => deps.creditLedger, config);
+}
+/**
+ * Create verify-email routes with factory functions (for lazy init).
+ */
+export function createVerifyEmailRoutesLazy(poolFactory, creditLedgerFactory, config) {
+    return buildRoutes(poolFactory, creditLedgerFactory, config);
+}
+function buildRoutes(poolFactory, creditLedgerFactory, config) {
+    const uiOrigin = config?.uiOrigin ?? process.env.UI_ORIGIN ?? "http://localhost:3001";
+    const routes = new Hono();
+    routes.get("/verify", async (c) => {
+        const token = c.req.query("token");
+        if (!token) {
+            return c.redirect(`${uiOrigin}/auth/verify?status=error&reason=missing_token`);
+        }
+        const pool = poolFactory();
+        const result = await verifyToken(pool, token);
+        if (!result) {
+            return c.redirect(`${uiOrigin}/auth/verify?status=error&reason=invalid_or_expired`);
+        }
+        // Grant $5 signup credit (idempotent — safe on link re-click)
+        try {
+            const ledger = creditLedgerFactory();
+            const granted = await grantSignupCredits(ledger, result.userId);
+            if (granted) {
+                logger.info("Signup credit granted", { userId: result.userId });
+            }
+            else {
+                logger.info("Signup credit already granted, skipping", { userId: result.userId });
+            }
+        }
+        catch (err) {
+            logger.error("Failed to grant signup credit", {
+                userId: result.userId,
+                error: err instanceof Error ? err.message : String(err),
+            });
+            // Don't block verification if credit grant fails
+        }
+        // Send welcome email
+        try {
+            const emailClient = getEmailClient();
+            const template = welcomeTemplate(result.email);
+            await emailClient.send({
+                to: result.email,
+                ...template,
+                userId: result.userId,
+                templateName: "welcome",
+            });
+        }
+        catch (err) {
+            logger.error("Failed to send welcome email", {
+                userId: result.userId,
+                error: err instanceof Error ? err.message : String(err),
+            });
+            // Don't block verification if welcome email fails
+        }
+        return c.redirect(`${uiOrigin}/auth/verify?status=success`);
+    });
+    return routes;
+}

package/dist/api/routes/ws-auth.d.ts

@@ -0,0 +1,21 @@
+export interface WsAuthRequest {
+    nodeId: string;
+    authHeader: string | undefined;
+}
+export interface WsAuthResult {
+    authenticated: boolean;
+    nodeId?: string;
+    reason?: string;
+}
+export interface NodeSecretVerifier {
+    verifyNodeSecret(nodeId: string, secret: string): Promise<boolean | null>;
+}
+/**
+ * Authenticate a WebSocket upgrade request for a node agent connection.
+ *
+ * The bearer token resolves to a specific node via per-node persistent secret;
+ * the resolved nodeId must match the URL nodeId.
+ *
+ * @param verifier - object with verifyNodeSecret method (typically a node repository)
+ */
+export declare function authenticateWebSocketUpgrade(req: WsAuthRequest, verifier: NodeSecretVerifier): Promise<WsAuthResult>;

package/dist/api/routes/ws-auth.js

@@ -0,0 +1,24 @@
+/**
+ * Authenticate a WebSocket upgrade request for a node agent connection.
+ *
+ * The bearer token resolves to a specific node via per-node persistent secret;
+ * the resolved nodeId must match the URL nodeId.
+ *
+ * @param verifier - object with verifyNodeSecret method (typically a node repository)
+ */
+export async function authenticateWebSocketUpgrade(req, verifier) {
+    const { nodeId, authHeader } = req;
+    const bearer = authHeader?.replace(/^Bearer\s+/i, "");
+    // Per-node persistent secret — timing-safe comparison via verifyNodeSecret
+    if (bearer) {
+        const verified = await verifier.verifyNodeSecret(nodeId, bearer);
+        if (verified === true) {
+            return { authenticated: true, nodeId };
+        }
+    }
+    // No valid auth
+    if (!bearer) {
+        return { authenticated: false, reason: "unauthorized" };
+    }
+    return { authenticated: false, reason: "unauthorized" };
+}

package/dist/monetization/adapters/bootstrap.d.ts

@@ -11,7 +11,7 @@
  *   - text-generation (DeepSeek, Gemini, MiniMax, Kimi, OpenRouter)
  *   - tts (Chatterbox GPU, ElevenLabs)
  *   - transcription (Deepgram)
- *   - embeddings (OpenRouter)
+ *   - embeddings (Ollama GPU, OpenRouter)
  *   - image-generation (Replicate, Nano Banana)
  */
 import { type EmbeddingsFactoryConfig } from "./embeddings-factory.js";
@@ -74,7 +74,7 @@ export declare function bootstrapAdapters(config: BootstrapConfig): BootstrapRes
  *   - DEEPSEEK_API_KEY, GEMINI_API_KEY, MINIMAX_API_KEY, KIMI_API_KEY, OPENROUTER_API_KEY (text-gen)
  *   - CHATTERBOX_BASE_URL, ELEVENLABS_API_KEY (TTS)
  *   - DEEPGRAM_API_KEY (transcription)
- *   - OPENROUTER_API_KEY (embeddings)
+ *   - OLLAMA_BASE_URL, OPENROUTER_API_KEY (embeddings)
  *   - REPLICATE_API_TOKEN, NANO_BANANA_API_KEY (image-gen)
  *
  * Accepts optional per-capability config overrides.

package/dist/monetization/adapters/bootstrap.js

@@ -11,7 +11,7 @@
  *   - text-generation (DeepSeek, Gemini, MiniMax, Kimi, OpenRouter)
  *   - tts (Chatterbox GPU, ElevenLabs)
  *   - transcription (Deepgram)
- *   - embeddings (OpenRouter)
+ *   - embeddings (Ollama GPU, OpenRouter)
  *   - image-generation (Replicate, Nano Banana)
  */
 import { createEmbeddingsAdapters } from "./embeddings-factory.js";
@@ -76,7 +76,7 @@ export function bootstrapAdapters(config) {
  *   - DEEPSEEK_API_KEY, GEMINI_API_KEY, MINIMAX_API_KEY, KIMI_API_KEY, OPENROUTER_API_KEY (text-gen)
  *   - CHATTERBOX_BASE_URL, ELEVENLABS_API_KEY (TTS)
  *   - DEEPGRAM_API_KEY (transcription)
- *   - OPENROUTER_API_KEY (embeddings)
+ *   - OLLAMA_BASE_URL, OPENROUTER_API_KEY (embeddings)
  *   - REPLICATE_API_TOKEN, NANO_BANANA_API_KEY (image-gen)
  *
  * Accepts optional per-capability config overrides.
@@ -101,6 +101,7 @@ export function bootstrapAdaptersFromEnv(overrides) {
             ...overrides?.transcription,
         },
         embeddings: {
+            ollamaBaseUrl: process.env.OLLAMA_BASE_URL,
             openrouterApiKey: process.env.OPENROUTER_API_KEY,
             ...overrides?.embeddings,
         },

package/dist/monetization/adapters/bootstrap.test.js

@@ -18,6 +18,7 @@ describe("bootstrapAdapters", () => {
                 deepgramApiKey: "sk-dg",
             },
             embeddings: {
+                ollamaBaseUrl: "http://ollama:11434",
                 openrouterApiKey: "sk-or",
             },
             imageGen: {
@@ -25,9 +26,9 @@ describe("bootstrapAdapters", () => {
                 geminiApiKey: "sk-gem",
             },
         });
-        // 5 text-gen + 2 TTS + 1 transcription + 1 embeddings + 2 image-gen = 11
-        expect(result.adapters).toHaveLength(11);
-        expect(result.summary.total).toBe(11);
+        // 5 text-gen + 2 TTS + 1 transcription + 2 embeddings + 2 image-gen = 12
+        expect(result.adapters).toHaveLength(12);
+        expect(result.summary.total).toBe(12);
         expect(result.summary.skipped).toBe(0);
     });
     it("allows duplicate provider names across capabilities", () => {
@@ -64,7 +65,7 @@ describe("bootstrapAdapters", () => {
         });
         expect(result.skipped.tts).toEqual(["chatterbox-tts", "elevenlabs"]);
         expect(result.skipped.transcription).toEqual(["deepgram"]);
-        expect(result.skipped.embeddings).toEqual(["openrouter"]);
+        expect(result.skipped.embeddings).toEqual(["ollama-embeddings", "openrouter"]);
         expect(result.skipped["text-generation"]).toEqual(["gemini", "minimax", "kimi", "openrouter"]);
         expect(result.skipped["image-generation"]).toEqual(["replicate", "nano-banana"]);
     });
@@ -117,12 +118,13 @@ describe("bootstrapAdaptersFromEnv", () => {
         vi.stubEnv("CHATTERBOX_BASE_URL", "http://chatterbox:8000");
         vi.stubEnv("ELEVENLABS_API_KEY", "env-el");
         vi.stubEnv("DEEPGRAM_API_KEY", "env-dg");
+        vi.stubEnv("OLLAMA_BASE_URL", "http://ollama:11434");
         vi.stubEnv("REPLICATE_API_TOKEN", "r8-rep");
         vi.stubEnv("NANO_BANANA_API_KEY", "env-nb");
         const result = bootstrapAdaptersFromEnv();
-        // 5 text-gen + 2 TTS + 1 transcription + 1 embeddings + 2 image-gen = 11
-        expect(result.adapters).toHaveLength(11);
-        expect(result.summary.total).toBe(11);
+        // 5 text-gen + 2 TTS + 1 transcription + 2 embeddings + 2 image-gen = 12
+        expect(result.adapters).toHaveLength(12);
+        expect(result.summary.total).toBe(12);
     });
     it("returns empty when no env vars set", () => {
         vi.stubEnv("DEEPSEEK_API_KEY", "");
@@ -133,6 +135,7 @@ describe("bootstrapAdaptersFromEnv", () => {
         vi.stubEnv("CHATTERBOX_BASE_URL", "");
         vi.stubEnv("ELEVENLABS_API_KEY", "");
         vi.stubEnv("DEEPGRAM_API_KEY", "");
+        vi.stubEnv("OLLAMA_BASE_URL", "");
         vi.stubEnv("REPLICATE_API_TOKEN", "");
         vi.stubEnv("NANO_BANANA_API_KEY", "");
         const result = bootstrapAdaptersFromEnv();
@@ -148,6 +151,7 @@ describe("bootstrapAdaptersFromEnv", () => {
         vi.stubEnv("CHATTERBOX_BASE_URL", "");
         vi.stubEnv("ELEVENLABS_API_KEY", "");
         vi.stubEnv("DEEPGRAM_API_KEY", "");
+        vi.stubEnv("OLLAMA_BASE_URL", "");
         vi.stubEnv("REPLICATE_API_TOKEN", "");
         vi.stubEnv("NANO_BANANA_API_KEY", "");
         const result = bootstrapAdaptersFromEnv({

package/dist/monetization/adapters/embeddings-factory.d.ts

@@ -7,16 +7,20 @@
  * registers with an ArbitrageRouter or AdapterSocket.
  *
  * Priority order (cheapest first, when all adapters available):
- *   self-hosted-embeddings (GPU, cheapest — not yet implemented)
+ *   Ollama (GPU, cheapest — $0.005/1M tokens amortized)
  *   → OpenRouter ($0.02/1M tokens via text-embedding-3-small)
  */
+import { type OllamaEmbeddingsAdapterConfig } from "./ollama-embeddings.js";
 import { type OpenRouterAdapterConfig } from "./openrouter.js";
 import type { ProviderAdapter } from "./types.js";
-/** Top-level factory config. Only providers with an API key are instantiated. */
+/** Top-level factory config. Only providers with a key/URL are instantiated. */
 export interface EmbeddingsFactoryConfig {
+    /** Ollama base URL (e.g., "http://ollama:11434"). Omit or empty string to skip. */
+    ollamaBaseUrl?: string;
     /** OpenRouter API key. Omit or empty string to skip. */
     openrouterApiKey?: string;
     /** Per-adapter config overrides */
+    ollama?: Omit<Partial<OllamaEmbeddingsAdapterConfig>, "baseUrl">;
     openrouter?: Omit<Partial<OpenRouterAdapterConfig>, "apiKey">;
 }
 /** Result of the factory — adapters + metadata for observability. */
@@ -31,16 +35,17 @@ export interface EmbeddingsFactoryResult {
 /**
  * Create embeddings adapters from the provided config.
  *
- * Returns only adapters whose API key is present and non-empty.
+ * Returns only adapters whose key/URL is present and non-empty.
  * Order matches arbitrage priority: cheapest first.
  */
 export declare function createEmbeddingsAdapters(config: EmbeddingsFactoryConfig): EmbeddingsFactoryResult;
 /**
  * Create embeddings adapters from environment variables.
  *
- * Reads API keys from:
+ * Reads config from:
+ *   - OLLAMA_BASE_URL (for self-hosted Ollama embeddings)
  *   - OPENROUTER_API_KEY
  *
  * Accepts optional per-adapter overrides.
  */
-export declare function createEmbeddingsAdaptersFromEnv(overrides?: Omit<EmbeddingsFactoryConfig, "openrouterApiKey">): EmbeddingsFactoryResult;
+export declare function createEmbeddingsAdaptersFromEnv(overrides?: Omit<EmbeddingsFactoryConfig, "ollamaBaseUrl" | "openrouterApiKey">): EmbeddingsFactoryResult;

package/dist/monetization/adapters/embeddings-factory.js

@@ -7,19 +7,31 @@
  * registers with an ArbitrageRouter or AdapterSocket.
  *
  * Priority order (cheapest first, when all adapters available):
- *   self-hosted-embeddings (GPU, cheapest — not yet implemented)
+ *   Ollama (GPU, cheapest — $0.005/1M tokens amortized)
  *   → OpenRouter ($0.02/1M tokens via text-embedding-3-small)
  */
+import { createOllamaEmbeddingsAdapter } from "./ollama-embeddings.js";
 import { createOpenRouterAdapter } from "./openrouter.js";
 /**
  * Create embeddings adapters from the provided config.
  *
- * Returns only adapters whose API key is present and non-empty.
+ * Returns only adapters whose key/URL is present and non-empty.
  * Order matches arbitrage priority: cheapest first.
  */
 export function createEmbeddingsAdapters(config) {
     const adapters = [];
     const skipped = [];
+    // Ollama — $0.005/1M tokens (self-hosted GPU, cheapest)
+    if (config.ollamaBaseUrl) {
+        adapters.push(createOllamaEmbeddingsAdapter({
+            baseUrl: config.ollamaBaseUrl,
+            costPerUnit: 0.000000005,
+            ...config.ollama,
+        }));
+    }
+    else {
+        skipped.push("ollama-embeddings");
+    }
     // OpenRouter — $0.02/1M tokens (text-embedding-3-small via OpenAI)
     if (config.openrouterApiKey) {
         adapters.push(createOpenRouterAdapter({ ...config.openrouter, apiKey: config.openrouterApiKey }));
@@ -27,7 +39,6 @@ export function createEmbeddingsAdapters(config) {
     else {
         skipped.push("openrouter");
     }
-    // Future: self-hosted-embeddings will go BEFORE openrouter (GPU tier, cheapest)
     const adapterMap = new Map();
     for (const adapter of adapters) {
         adapterMap.set(adapter.name, adapter);
@@ -37,13 +48,15 @@ export function createEmbeddingsAdapters(config) {
 /**
  * Create embeddings adapters from environment variables.
  *
- * Reads API keys from:
+ * Reads config from:
+ *   - OLLAMA_BASE_URL (for self-hosted Ollama embeddings)
  *   - OPENROUTER_API_KEY
  *
  * Accepts optional per-adapter overrides.
  */
 export function createEmbeddingsAdaptersFromEnv(overrides) {
     return createEmbeddingsAdapters({
+        ollamaBaseUrl: process.env.OLLAMA_BASE_URL,
         openrouterApiKey: process.env.OPENROUTER_API_KEY,
         ...overrides,
     });