@wopr-network/platform-core 1.13.1 → 1.13.3

package/dist/api/routes/admin-audit-helper.d.ts

@@ -1,7 +1,7 @@
 import type { AuditEntry } from "../../admin/audit-log.js";
 /** Minimal interface for admin audit logging in route factories. */
 export interface AdminAuditLogger {
-    log(entry: AuditEntry): void | Promise<void>;
+    log(entry: AuditEntry): void | Promise<unknown>;
 }
 /** Safely log an admin audit entry — never throws. */
 export declare function safeAuditLog(logger: (() => AdminAuditLogger) | undefined, entry: AuditEntry): void;

package/dist/db/schema/gateway-service-keys.d.ts

@@ -0,0 +1,109 @@
+export declare const gatewayServiceKeys: import("drizzle-orm/pg-core").PgTableWithColumns<{
+    name: "gateway_service_keys";
+    schema: undefined;
+    columns: {
+        id: import("drizzle-orm/pg-core").PgColumn<{
+            name: "id";
+            tableName: "gateway_service_keys";
+            dataType: "string";
+            columnType: "PgText";
+            data: string;
+            driverParam: string;
+            notNull: true;
+            hasDefault: false;
+            isPrimaryKey: true;
+            isAutoincrement: false;
+            hasRuntimeDefault: false;
+            enumValues: [string, ...string[]];
+            baseColumn: never;
+            identity: undefined;
+            generated: undefined;
+        }, {}, {}>;
+        keyHash: import("drizzle-orm/pg-core").PgColumn<{
+            name: "key_hash";
+            tableName: "gateway_service_keys";
+            dataType: "string";
+            columnType: "PgText";
+            data: string;
+            driverParam: string;
+            notNull: true;
+            hasDefault: false;
+            isPrimaryKey: false;
+            isAutoincrement: false;
+            hasRuntimeDefault: false;
+            enumValues: [string, ...string[]];
+            baseColumn: never;
+            identity: undefined;
+            generated: undefined;
+        }, {}, {}>;
+        tenantId: import("drizzle-orm/pg-core").PgColumn<{
+            name: "tenant_id";
+            tableName: "gateway_service_keys";
+            dataType: "string";
+            columnType: "PgText";
+            data: string;
+            driverParam: string;
+            notNull: true;
+            hasDefault: false;
+            isPrimaryKey: false;
+            isAutoincrement: false;
+            hasRuntimeDefault: false;
+            enumValues: [string, ...string[]];
+            baseColumn: never;
+            identity: undefined;
+            generated: undefined;
+        }, {}, {}>;
+        instanceId: import("drizzle-orm/pg-core").PgColumn<{
+            name: "instance_id";
+            tableName: "gateway_service_keys";
+            dataType: "string";
+            columnType: "PgText";
+            data: string;
+            driverParam: string;
+            notNull: true;
+            hasDefault: false;
+            isPrimaryKey: false;
+            isAutoincrement: false;
+            hasRuntimeDefault: false;
+            enumValues: [string, ...string[]];
+            baseColumn: never;
+            identity: undefined;
+            generated: undefined;
+        }, {}, {}>;
+        createdAt: import("drizzle-orm/pg-core").PgColumn<{
+            name: "created_at";
+            tableName: "gateway_service_keys";
+            dataType: "number";
+            columnType: "PgBigInt53";
+            data: number;
+            driverParam: string | number;
+            notNull: true;
+            hasDefault: false;
+            isPrimaryKey: false;
+            isAutoincrement: false;
+            hasRuntimeDefault: false;
+            enumValues: undefined;
+            baseColumn: never;
+            identity: undefined;
+            generated: undefined;
+        }, {}, {}>;
+        revokedAt: import("drizzle-orm/pg-core").PgColumn<{
+            name: "revoked_at";
+            tableName: "gateway_service_keys";
+            dataType: "number";
+            columnType: "PgBigInt53";
+            data: number;
+            driverParam: string | number;
+            notNull: false;
+            hasDefault: false;
+            isPrimaryKey: false;
+            isAutoincrement: false;
+            hasRuntimeDefault: false;
+            enumValues: undefined;
+            baseColumn: never;
+            identity: undefined;
+            generated: undefined;
+        }, {}, {}>;
+    };
+    dialect: "pg";
+}>;

package/dist/db/schema/gateway-service-keys.js

@@ -0,0 +1,18 @@
+import { bigint, index, pgTable, text, uniqueIndex } from "drizzle-orm/pg-core";
+export const gatewayServiceKeys = pgTable("gateway_service_keys", {
+    id: text("id").primaryKey(),
+    /** SHA-256 hex digest of the raw service key. Raw key is NEVER stored. */
+    keyHash: text("key_hash").notNull(),
+    /** Tenant this key bills against. */
+    tenantId: text("tenant_id").notNull(),
+    /** Instance ID this key was issued for (one key per instance). */
+    instanceId: text("instance_id").notNull(),
+    /** Unix epoch ms. */
+    createdAt: bigint("created_at", { mode: "number" }).notNull(),
+    /** Unix epoch ms. Null = not revoked. */
+    revokedAt: bigint("revoked_at", { mode: "number" }),
+}, (table) => [
+    uniqueIndex("idx_gateway_service_keys_hash").on(table.keyHash),
+    index("idx_gateway_service_keys_tenant").on(table.tenantId),
+    index("idx_gateway_service_keys_instance").on(table.instanceId),
+]);

package/dist/db/schema/index.d.ts

@@ -21,6 +21,7 @@ export * from "./email-notifications.js";
 export * from "./fleet-event-history.js";
 export * from "./fleet-events.js";
 export * from "./gateway-metrics.js";
+export * from "./gateway-service-keys.js";
 export * from "./gpu-allocations.js";
 export * from "./gpu-configurations.js";
 export * from "./gpu-nodes.js";

package/dist/db/schema/index.js

@@ -21,6 +21,7 @@ export * from "./email-notifications.js";
 export * from "./fleet-event-history.js";
 export * from "./fleet-events.js";
 export * from "./gateway-metrics.js";
+export * from "./gateway-service-keys.js";
 export * from "./gpu-allocations.js";
 export * from "./gpu-configurations.js";
 export * from "./gpu-nodes.js";

package/dist/gateway/gateway-routes.test.js

@@ -55,7 +55,7 @@ function buildTestConfig(overrides = {}) {
     }));
     return {
         meter: meter,
-        budgetChecker: budgetChecker,
+        budgetChecker,
         creditLedger,
         providers: { openrouter: { apiKey: "or-test-key" } },
         fetchFn,

package/dist/gateway/index.d.ts

@@ -16,6 +16,8 @@ export { anthropicToOpenAI, createAnthropicRoutes, createOpenAIRoutes, estimateA
 export { buildProxyDeps, type ProxyDeps, phoneNumberList, phoneNumberProvision, phoneNumberRelease, smsDeliveryStatus, smsInbound, smsOutbound, } from "./proxy.js";
 export { createGatewayRoutes } from "./routes.js";
 export { type GatewayAuthEnv, serviceKeyAuth } from "./service-key-auth.js";
+export type { IServiceKeyRepository } from "./service-key-repository.js";
+export { DrizzleServiceKeyRepository } from "./service-key-repository.js";
 export { type SpendingCapConfig, type SpendingCaps, spendingCapCheck } from "./spending-cap.js";
 export type { ISpendingCapStore, SpendingCapRecord } from "./spending-cap-store.js";
 export { proxySSEStream } from "./streaming.js";

package/dist/gateway/index.js

@@ -16,6 +16,7 @@ export { anthropicToOpenAI, createAnthropicRoutes, createOpenAIRoutes, estimateA
 export { buildProxyDeps, phoneNumberList, phoneNumberProvision, phoneNumberRelease, smsDeliveryStatus, smsInbound, smsOutbound, } from "./proxy.js";
 export { createGatewayRoutes } from "./routes.js";
 export { serviceKeyAuth } from "./service-key-auth.js";
+export { DrizzleServiceKeyRepository } from "./service-key-repository.js";
 export { spendingCapCheck } from "./spending-cap.js";
 export { proxySSEStream } from "./streaming.js";
 export { validateTwilioSignature } from "./twilio-signature.js";

package/dist/gateway/protocol/anthropic.js

@@ -46,7 +46,7 @@ function anthropicAuth(resolveServiceKey) {
                 },
             }, 401);
         }
-        const tenant = resolveServiceKey(key);
+        const tenant = await resolveServiceKey(key);
         if (!tenant) {
             logger.warn("Invalid service key attempted (anthropic handler)");
             return c.json({

package/dist/gateway/protocol/deps.d.ts

@@ -7,7 +7,7 @@
 import type { Credit, ICreditLedger } from "@wopr-network/platform-core/credits";
 import type { MeterEmitter } from "@wopr-network/platform-core/metering";
 import type { IRateLimitRepository } from "../../api/rate-limit-repository.js";
-import type { BudgetChecker } from "../../monetization/budget/budget-checker.js";
+import type { IBudgetChecker } from "../../monetization/budget/budget-checker.js";
 import type { CapabilityRateLimitConfig } from "../capability-rate-limit.js";
 import type { CircuitBreakerConfig } from "../circuit-breaker.js";
 import type { ICircuitBreakerRepository } from "../circuit-breaker-repository.js";
@@ -15,14 +15,14 @@ import type { SellRateLookupFn } from "../rate-lookup.js";
 import type { FetchFn, GatewayTenant, ProviderConfig } from "../types.js";
 export interface ProtocolDeps {
     meter: MeterEmitter;
-    budgetChecker: BudgetChecker;
+    budgetChecker: IBudgetChecker;
     creditLedger?: ICreditLedger;
     topUpUrl: string;
     graceBufferCents?: number;
     providers: ProviderConfig;
     defaultMargin: number;
     fetchFn: FetchFn;
-    resolveServiceKey: (key: string) => GatewayTenant | null;
+    resolveServiceKey: (key: string) => GatewayTenant | null | Promise<GatewayTenant | null>;
     /** Apply margin to a cost. Defaults to withMargin from adapters/types. */
     withMarginFn: (cost: Credit, margin: number) => Credit;
     rateLookupFn?: SellRateLookupFn;

package/dist/gateway/protocol/openai.js

@@ -53,7 +53,7 @@ function openaiAuth(resolveServiceKey) {
                 },
             }, 401);
         }
-        const tenant = resolveServiceKey(key);
+        const tenant = await resolveServiceKey(key);
         if (!tenant) {
             logger.warn("Invalid service key attempted (openai handler)", {
                 keyPrefix: `${key.slice(0, 8)}...`,

package/dist/gateway/proxy.d.ts

@@ -12,14 +12,14 @@
 import type { ICreditLedger } from "@wopr-network/platform-core/credits";
 import type { MeterEmitter } from "@wopr-network/platform-core/metering";
 import type { Context } from "hono";
-import type { BudgetChecker } from "../monetization/budget/budget-checker.js";
+import type { IBudgetChecker } from "../monetization/budget/budget-checker.js";
 import type { SellRateLookupFn } from "./rate-lookup.js";
 import type { GatewayAuthEnv } from "./service-key-auth.js";
 import type { FetchFn, GatewayConfig, ProviderConfig } from "./types.js";
 /** Shared state for all proxy handlers. */
 export interface ProxyDeps {
     meter: MeterEmitter;
-    budgetChecker: BudgetChecker;
+    budgetChecker: IBudgetChecker;
     creditLedger?: ICreditLedger;
     topUpUrl: string;
     graceBufferCents?: number;

package/dist/gateway/route-mounting.test.js

@@ -51,7 +51,7 @@ function buildTestConfig(overrides = {}) {
     }));
     return {
         meter: meter,
-        budgetChecker: budgetChecker,
+        budgetChecker,
         creditLedger,
         providers: { openrouter: { apiKey: "or-test-key" } },
         fetchFn,

package/dist/gateway/service-key-auth.d.ts

@@ -22,7 +22,7 @@ export interface GatewayAuthEnv {
  *
  * @param resolveServiceKey - Function that maps a service key to a tenant (or null)
  */
-export declare function serviceKeyAuth(resolveServiceKey: (key: string) => GatewayTenant | null): (c: Context<GatewayAuthEnv>, next: Next) => Promise<void | (Response & import("hono").TypedResponse<{
+export declare function serviceKeyAuth(resolveServiceKey: (key: string) => GatewayTenant | null | Promise<GatewayTenant | null>): (c: Context<GatewayAuthEnv>, next: Next) => Promise<void | (Response & import("hono").TypedResponse<{
     error: {
         message: string;
         type: string;

package/dist/gateway/service-key-auth.js

@@ -47,7 +47,7 @@ export function serviceKeyAuth(resolveServiceKey) {
                 },
             }, 401);
         }
-        const tenant = resolveServiceKey(serviceKey);
+        const tenant = await resolveServiceKey(serviceKey);
         if (!tenant) {
             logger.warn("Invalid service key attempted", {
                 keyPrefix: `${serviceKey.slice(0, 8)}...`,

package/dist/gateway/service-key-repository.d.ts

@@ -0,0 +1,27 @@
+/**
+ * Gateway service key repository.
+ *
+ * Stores SHA-256 hashes of per-instance service keys used to authenticate
+ * tenant containers against the metered inference gateway. Raw keys are
+ * NEVER stored — only hashes.
+ */
+import type { PlatformDb } from "../db/index.js";
+import type { GatewayTenant } from "./types.js";
+export interface IServiceKeyRepository {
+    /** Generate a new service key for an instance. Returns the raw key (caller must store it). */
+    generate(tenantId: string, instanceId: string): Promise<string>;
+    /** Resolve a raw bearer token to a GatewayTenant. Returns null if not found or revoked. */
+    resolve(rawKey: string): Promise<GatewayTenant | null>;
+    /** Revoke the service key for a specific instance. */
+    revokeByInstance(instanceId: string): Promise<void>;
+    /** Revoke all service keys for a tenant (used when tenant is deleted). */
+    revokeByTenant(tenantId: string): Promise<void>;
+}
+export declare class DrizzleServiceKeyRepository implements IServiceKeyRepository {
+    private readonly db;
+    constructor(db: PlatformDb);
+    generate(tenantId: string, instanceId: string): Promise<string>;
+    resolve(rawKey: string): Promise<GatewayTenant | null>;
+    revokeByInstance(instanceId: string): Promise<void>;
+    revokeByTenant(tenantId: string): Promise<void>;
+}

package/dist/gateway/service-key-repository.js

@@ -0,0 +1,64 @@
+/**
+ * Gateway service key repository.
+ *
+ * Stores SHA-256 hashes of per-instance service keys used to authenticate
+ * tenant containers against the metered inference gateway. Raw keys are
+ * NEVER stored — only hashes.
+ */
+import { createHash, randomBytes } from "node:crypto";
+import { and, eq, isNull } from "drizzle-orm";
+import { gatewayServiceKeys } from "../db/schema/gateway-service-keys.js";
+/** Hash a raw key for storage/lookup. */
+function hashKey(raw) {
+    return createHash("sha256").update(raw).digest("hex");
+}
+export class DrizzleServiceKeyRepository {
+    db;
+    constructor(db) {
+        this.db = db;
+    }
+    async generate(tenantId, instanceId) {
+        const raw = randomBytes(32).toString("hex");
+        const hash = hashKey(raw);
+        const id = randomBytes(16).toString("hex");
+        await this.db.insert(gatewayServiceKeys).values({
+            id,
+            keyHash: hash,
+            tenantId,
+            instanceId,
+            createdAt: Date.now(),
+        });
+        return raw;
+    }
+    async resolve(rawKey) {
+        const hash = hashKey(rawKey);
+        const rows = await this.db
+            .select({
+            tenantId: gatewayServiceKeys.tenantId,
+            instanceId: gatewayServiceKeys.instanceId,
+        })
+            .from(gatewayServiceKeys)
+            .where(and(eq(gatewayServiceKeys.keyHash, hash), isNull(gatewayServiceKeys.revokedAt)))
+            .limit(1);
+        const row = rows[0];
+        if (!row)
+            return null;
+        return {
+            id: row.tenantId,
+            instanceId: row.instanceId,
+            spendLimits: { maxSpendPerHour: null, maxSpendPerMonth: null },
+        };
+    }
+    async revokeByInstance(instanceId) {
+        await this.db
+            .update(gatewayServiceKeys)
+            .set({ revokedAt: Date.now() })
+            .where(and(eq(gatewayServiceKeys.instanceId, instanceId), isNull(gatewayServiceKeys.revokedAt)));
+    }
+    async revokeByTenant(tenantId) {
+        await this.db
+            .update(gatewayServiceKeys)
+            .set({ revokedAt: Date.now() })
+            .where(and(eq(gatewayServiceKeys.tenantId, tenantId), isNull(gatewayServiceKeys.revokedAt)));
+    }
+}

package/dist/gateway/types.d.ts

@@ -8,7 +8,7 @@
 import type { ICreditLedger } from "@wopr-network/platform-core/credits";
 import type { MeterEmitter } from "@wopr-network/platform-core/metering";
 import type { IRateLimitRepository } from "../api/rate-limit-repository.js";
-import type { BudgetChecker, SpendLimits } from "../monetization/budget/budget-checker.js";
+import type { IBudgetChecker, SpendLimits } from "../monetization/budget/budget-checker.js";
 import type { CapabilityRateLimitConfig } from "./capability-rate-limit.js";
 import type { CircuitBreakerConfig } from "./circuit-breaker.js";
 import type { ICircuitBreakerRepository } from "./circuit-breaker-repository.js";
@@ -101,7 +101,7 @@ export interface GatewayConfig {
     /** MeterEmitter instance for usage tracking */
     meter: MeterEmitter;
     /** BudgetChecker instance for pre-call budget validation */
-    budgetChecker: BudgetChecker;
+    budgetChecker: IBudgetChecker;
     /** CreditLedger instance for deducting credits after proxy calls (optional — if absent, credit deduction is skipped) */
     creditLedger?: ICreditLedger;
     /** URL to direct users to when they need to add credits (default: "/dashboard/credits") */
@@ -119,7 +119,7 @@ export interface GatewayConfig {
     /** Optional cached rate lookup for model-specific token pricing (WOP-646) */
     rateLookupFn?: import("./rate-lookup.js").SellRateLookupFn;
     /** Function to resolve a service key to a tenant */
-    resolveServiceKey: (key: string) => GatewayTenant | null;
+    resolveServiceKey: (key: string) => GatewayTenant | null | Promise<GatewayTenant | null>;
     /** Base URL for Twilio webhook signature verification (e.g., https://api.wopr.network/v1). Required for Twilio/Telnyx webhook endpoints. */
     webhookBaseUrl?: string;
     /** Resolve a tenant from an inbound webhook request (e.g., from a tenantId URL path param). Required when webhookBaseUrl is set. */

package/dist/monetization/socket/socket.d.ts

@@ -12,12 +12,12 @@
 import type { MeterEmitter } from "@wopr-network/platform-core/metering";
 import type { AdapterCapability, ProviderAdapter } from "../adapters/types.js";
 import type { ArbitrageRouter } from "../arbitrage/router.js";
-import type { BudgetChecker, SpendLimits } from "../budget/budget-checker.js";
+import type { IBudgetChecker, SpendLimits } from "../budget/budget-checker.js";
 export interface SocketConfig {
     /** MeterEmitter instance for usage tracking */
     meter: MeterEmitter;
-    /** BudgetChecker instance for pre-call budget validation */
-    budgetChecker?: BudgetChecker;
+    /** IBudgetChecker instance for pre-call budget validation */
+    budgetChecker?: IBudgetChecker;
     /** Default margin multiplier (default: 1.3) */
     defaultMargin?: number;
     /** ArbitrageRouter for cost-optimized routing (GPU-first, cheapest, 5xx failover) */

package/drizzle/migrations/0002_gateway_service_keys.sql

@@ -0,0 +1,14 @@
+CREATE TABLE "gateway_service_keys" (
+  "id" text PRIMARY KEY NOT NULL,
+  "key_hash" text NOT NULL,
+  "tenant_id" text NOT NULL,
+  "instance_id" text NOT NULL,
+  "created_at" bigint NOT NULL,
+  "revoked_at" bigint
+);
+--> statement-breakpoint
+CREATE UNIQUE INDEX "idx_gateway_service_keys_hash" ON "gateway_service_keys" USING btree ("key_hash");
+--> statement-breakpoint
+CREATE INDEX "idx_gateway_service_keys_tenant" ON "gateway_service_keys" USING btree ("tenant_id");
+--> statement-breakpoint
+CREATE INDEX "idx_gateway_service_keys_instance" ON "gateway_service_keys" USING btree ("instance_id");

package/drizzle/migrations/meta/_journal.json

@@ -15,6 +15,13 @@
       "when": 1773279600000,
       "tag": "0001_infrastructure_extraction",
       "breakpoints": true
+    },
+    {
+      "idx": 2,
+      "version": "7",
+      "when": 1741795200000,
+      "tag": "0002_gateway_service_keys",
+      "breakpoints": true
     }
   ]
 }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@wopr-network/platform-core",
-  "version": "1.13.1",
+  "version": "1.13.3",
   "type": "module",
   "main": "dist/index.js",
   "types": "dist/index.d.ts",

package/src/api/routes/admin-audit-helper.ts

@@ -2,7 +2,7 @@ import type { AuditEntry } from "../../admin/audit-log.js";
 
 /** Minimal interface for admin audit logging in route factories. */
 export interface AdminAuditLogger {
-  log(entry: AuditEntry): void | Promise<void>;
+  log(entry: AuditEntry): void | Promise<unknown>;
 }
 
 /** Safely log an admin audit entry — never throws. */

package/src/db/schema/gateway-service-keys.ts

@@ -0,0 +1,23 @@
+import { bigint, index, pgTable, text, uniqueIndex } from "drizzle-orm/pg-core";
+
+export const gatewayServiceKeys = pgTable(
+  "gateway_service_keys",
+  {
+    id: text("id").primaryKey(),
+    /** SHA-256 hex digest of the raw service key. Raw key is NEVER stored. */
+    keyHash: text("key_hash").notNull(),
+    /** Tenant this key bills against. */
+    tenantId: text("tenant_id").notNull(),
+    /** Instance ID this key was issued for (one key per instance). */
+    instanceId: text("instance_id").notNull(),
+    /** Unix epoch ms. */
+    createdAt: bigint("created_at", { mode: "number" }).notNull(),
+    /** Unix epoch ms. Null = not revoked. */
+    revokedAt: bigint("revoked_at", { mode: "number" }),
+  },
+  (table) => [
+    uniqueIndex("idx_gateway_service_keys_hash").on(table.keyHash),
+    index("idx_gateway_service_keys_tenant").on(table.tenantId),
+    index("idx_gateway_service_keys_instance").on(table.instanceId),
+  ],
+);

package/src/db/schema/index.ts

@@ -21,6 +21,7 @@ export * from "./email-notifications.js";
 export * from "./fleet-event-history.js";
 export * from "./fleet-events.js";
 export * from "./gateway-metrics.js";
+export * from "./gateway-service-keys.js";
 export * from "./gpu-allocations.js";
 export * from "./gpu-configurations.js";
 export * from "./gpu-nodes.js";

package/src/gateway/gateway-routes.test.ts

@@ -69,7 +69,7 @@ function buildTestConfig(overrides: Partial<GatewayConfig> = {}): GatewayConfig
 
   return {
     meter: meter as unknown as import("@wopr-network/platform-core/metering").MeterEmitter,
-    budgetChecker: budgetChecker as unknown as import("../monetization/budget/budget-checker.js").BudgetChecker,
+    budgetChecker,
     creditLedger,
     providers: { openrouter: { apiKey: "or-test-key" } },
     fetchFn,

package/src/gateway/index.ts

@@ -51,6 +51,8 @@ export {
 } from "./proxy.js";
 export { createGatewayRoutes } from "./routes.js";
 export { type GatewayAuthEnv, serviceKeyAuth } from "./service-key-auth.js";
+export type { IServiceKeyRepository } from "./service-key-repository.js";
+export { DrizzleServiceKeyRepository } from "./service-key-repository.js";
 export { type SpendingCapConfig, type SpendingCaps, spendingCapCheck } from "./spending-cap.js";
 export type { ISpendingCapStore, SpendingCapRecord } from "./spending-cap-store.js";
 export { proxySSEStream } from "./streaming.js";

package/src/gateway/protocol/anthropic.ts

@@ -46,7 +46,7 @@ function anthropicErrorResponse(status: number, body: AnthropicError): Response
 // Auth middleware — Anthropic SDK sends x-api-key instead of Authorization
 // ---------------------------------------------------------------------------
 
-function anthropicAuth(resolveServiceKey: (key: string) => GatewayTenant | null) {
+function anthropicAuth(resolveServiceKey: (key: string) => GatewayTenant | null | Promise<GatewayTenant | null>) {
   return async (c: Context<GatewayAuthEnv>, next: Next) => {
     // Anthropic SDK uses x-api-key header
     const apiKey = c.req.header("x-api-key");
@@ -70,7 +70,7 @@ function anthropicAuth(resolveServiceKey: (key: string) => GatewayTenant | null)
       );
     }
 
-    const tenant = resolveServiceKey(key);
+    const tenant = await resolveServiceKey(key);
     if (!tenant) {
       logger.warn("Invalid service key attempted (anthropic handler)");
       return c.json(

package/src/gateway/protocol/deps.ts

@@ -8,7 +8,7 @@
 import type { Credit, ICreditLedger } from "@wopr-network/platform-core/credits";
 import type { MeterEmitter } from "@wopr-network/platform-core/metering";
 import type { IRateLimitRepository } from "../../api/rate-limit-repository.js";
-import type { BudgetChecker } from "../../monetization/budget/budget-checker.js";
+import type { IBudgetChecker } from "../../monetization/budget/budget-checker.js";
 import type { CapabilityRateLimitConfig } from "../capability-rate-limit.js";
 import type { CircuitBreakerConfig } from "../circuit-breaker.js";
 import type { ICircuitBreakerRepository } from "../circuit-breaker-repository.js";
@@ -17,14 +17,14 @@ import type { FetchFn, GatewayTenant, ProviderConfig } from "../types.js";
 
 export interface ProtocolDeps {
   meter: MeterEmitter;
-  budgetChecker: BudgetChecker;
+  budgetChecker: IBudgetChecker;
   creditLedger?: ICreditLedger;
   topUpUrl: string;
   graceBufferCents?: number;
   providers: ProviderConfig;
   defaultMargin: number;
   fetchFn: FetchFn;
-  resolveServiceKey: (key: string) => GatewayTenant | null;
+  resolveServiceKey: (key: string) => GatewayTenant | null | Promise<GatewayTenant | null>;
   /** Apply margin to a cost. Defaults to withMargin from adapters/types. */
   withMarginFn: (cost: Credit, margin: number) => Credit;
   rateLookupFn?: SellRateLookupFn;

package/src/gateway/protocol/openai.ts

@@ -26,7 +26,7 @@ import type { ProtocolDeps } from "./deps.js";
 // Auth middleware — OpenAI SDK sends Authorization: Bearer
 // ---------------------------------------------------------------------------
 
-function openaiAuth(resolveServiceKey: (key: string) => GatewayTenant | null) {
+function openaiAuth(resolveServiceKey: (key: string) => GatewayTenant | null | Promise<GatewayTenant | null>) {
   return async (c: Context<GatewayAuthEnv>, next: Next) => {
     const authHeader = c.req.header("Authorization");
 
@@ -73,7 +73,7 @@ function openaiAuth(resolveServiceKey: (key: string) => GatewayTenant | null) {
       );
     }
 
-    const tenant = resolveServiceKey(key);
+    const tenant = await resolveServiceKey(key);
     if (!tenant) {
       logger.warn("Invalid service key attempted (openai handler)", {
         keyPrefix: `${key.slice(0, 8)}...`,

package/src/gateway/proxy.ts

@@ -19,7 +19,7 @@ import { logger } from "../config/logger.js";
 import type { TTSOutput } from "../monetization/adapters/types.js";
 import { withMargin } from "../monetization/adapters/types.js";
 import { NoProviderAvailableError } from "../monetization/arbitrage/types.js";
-import type { BudgetChecker } from "../monetization/budget/budget-checker.js";
+import type { IBudgetChecker } from "../monetization/budget/budget-checker.js";
 import { PHONE_NUMBER_MONTHLY_COST } from "../monetization/credits/phone-billing.js";
 import { creditBalanceCheck, debitCredits } from "./credit-gate.js";
 import { mapBudgetError, mapProviderError } from "./error-mapping.js";
@@ -62,7 +62,7 @@ const smsDeliveryStatusBodySchema = z.object({
 /** Shared state for all proxy handlers. */
 export interface ProxyDeps {
   meter: MeterEmitter;
-  budgetChecker: BudgetChecker;
+  budgetChecker: IBudgetChecker;
   creditLedger?: ICreditLedger;
   topUpUrl: string;
   graceBufferCents?: number;

package/src/gateway/route-mounting.test.ts

@@ -65,7 +65,7 @@ function buildTestConfig(overrides: Partial<GatewayConfig> = {}): GatewayConfig
 
   return {
     meter: meter as unknown as import("@wopr-network/platform-core/metering").MeterEmitter,
-    budgetChecker: budgetChecker as unknown as import("../monetization/budget/budget-checker.js").BudgetChecker,
+    budgetChecker,
     creditLedger,
     providers: { openrouter: { apiKey: "or-test-key" } },
     fetchFn,

package/src/gateway/service-key-auth.ts

@@ -26,7 +26,9 @@ export interface GatewayAuthEnv {
  *
  * @param resolveServiceKey - Function that maps a service key to a tenant (or null)
  */
-export function serviceKeyAuth(resolveServiceKey: (key: string) => GatewayTenant | null) {
+export function serviceKeyAuth(
+  resolveServiceKey: (key: string) => GatewayTenant | null | Promise<GatewayTenant | null>,
+) {
   return async (c: Context<GatewayAuthEnv>, next: Next) => {
     const authHeader = c.req.header("Authorization");
     if (!authHeader) {
@@ -70,7 +72,7 @@ export function serviceKeyAuth(resolveServiceKey: (key: string) => GatewayTenant
       );
     }
 
-    const tenant = resolveServiceKey(serviceKey);
+    const tenant = await resolveServiceKey(serviceKey);
     if (!tenant) {
       logger.warn("Invalid service key attempted", {
         keyPrefix: `${serviceKey.slice(0, 8)}...`,

package/src/gateway/service-key-repository.ts

@@ -0,0 +1,87 @@
+/**
+ * Gateway service key repository.
+ *
+ * Stores SHA-256 hashes of per-instance service keys used to authenticate
+ * tenant containers against the metered inference gateway. Raw keys are
+ * NEVER stored — only hashes.
+ */
+
+import { createHash, randomBytes } from "node:crypto";
+import { and, eq, isNull } from "drizzle-orm";
+import type { PlatformDb } from "../db/index.js";
+import { gatewayServiceKeys } from "../db/schema/gateway-service-keys.js";
+import type { GatewayTenant } from "./types.js";
+
+/** Hash a raw key for storage/lookup. */
+function hashKey(raw: string): string {
+  return createHash("sha256").update(raw).digest("hex");
+}
+
+export interface IServiceKeyRepository {
+  /** Generate a new service key for an instance. Returns the raw key (caller must store it). */
+  generate(tenantId: string, instanceId: string): Promise<string>;
+
+  /** Resolve a raw bearer token to a GatewayTenant. Returns null if not found or revoked. */
+  resolve(rawKey: string): Promise<GatewayTenant | null>;
+
+  /** Revoke the service key for a specific instance. */
+  revokeByInstance(instanceId: string): Promise<void>;
+
+  /** Revoke all service keys for a tenant (used when tenant is deleted). */
+  revokeByTenant(tenantId: string): Promise<void>;
+}
+
+export class DrizzleServiceKeyRepository implements IServiceKeyRepository {
+  constructor(private readonly db: PlatformDb) {}
+
+  async generate(tenantId: string, instanceId: string): Promise<string> {
+    const raw = randomBytes(32).toString("hex");
+    const hash = hashKey(raw);
+    const id = randomBytes(16).toString("hex");
+
+    await this.db.insert(gatewayServiceKeys).values({
+      id,
+      keyHash: hash,
+      tenantId,
+      instanceId,
+      createdAt: Date.now(),
+    });
+
+    return raw;
+  }
+
+  async resolve(rawKey: string): Promise<GatewayTenant | null> {
+    const hash = hashKey(rawKey);
+    const rows = await this.db
+      .select({
+        tenantId: gatewayServiceKeys.tenantId,
+        instanceId: gatewayServiceKeys.instanceId,
+      })
+      .from(gatewayServiceKeys)
+      .where(and(eq(gatewayServiceKeys.keyHash, hash), isNull(gatewayServiceKeys.revokedAt)))
+      .limit(1);
+
+    const row = rows[0];
+    if (!row) return null;
+
+    return {
+      id: row.tenantId,
+      instanceId: row.instanceId,
+      spendLimits: { maxSpendPerHour: null, maxSpendPerMonth: null },
+    };
+  }
+
+  async revokeByInstance(instanceId: string): Promise<void> {
+    await this.db
+      .update(gatewayServiceKeys)
+      .set({ revokedAt: Date.now() })
+      .where(and(eq(gatewayServiceKeys.instanceId, instanceId), isNull(gatewayServiceKeys.revokedAt)));
+  }
+
+  async revokeByTenant(tenantId: string): Promise<void> {
+    await this.db
+      .update(gatewayServiceKeys)
+      .set({ revokedAt: Date.now() })
+      .where(and(eq(gatewayServiceKeys.tenantId, tenantId), isNull(gatewayServiceKeys.revokedAt)));
+  }
+}

package/src/gateway/types.ts

@@ -9,7 +9,7 @@
 import type { ICreditLedger } from "@wopr-network/platform-core/credits";
 import type { MeterEmitter } from "@wopr-network/platform-core/metering";
 import type { IRateLimitRepository } from "../api/rate-limit-repository.js";
-import type { BudgetChecker, SpendLimits } from "../monetization/budget/budget-checker.js";
+import type { IBudgetChecker, SpendLimits } from "../monetization/budget/budget-checker.js";
 import type { CapabilityRateLimitConfig } from "./capability-rate-limit.js";
 import type { CircuitBreakerConfig } from "./circuit-breaker.js";
 import type { ICircuitBreakerRepository } from "./circuit-breaker-repository.js";
@@ -97,7 +97,7 @@ export interface GatewayConfig {
   /** MeterEmitter instance for usage tracking */
   meter: MeterEmitter;
   /** BudgetChecker instance for pre-call budget validation */
-  budgetChecker: BudgetChecker;
+  budgetChecker: IBudgetChecker;
   /** CreditLedger instance for deducting credits after proxy calls (optional — if absent, credit deduction is skipped) */
   creditLedger?: ICreditLedger;
   /** URL to direct users to when they need to add credits (default: "/dashboard/credits") */
@@ -115,7 +115,7 @@ export interface GatewayConfig {
   /** Optional cached rate lookup for model-specific token pricing (WOP-646) */
   rateLookupFn?: import("./rate-lookup.js").SellRateLookupFn;
   /** Function to resolve a service key to a tenant */
-  resolveServiceKey: (key: string) => GatewayTenant | null;
+  resolveServiceKey: (key: string) => GatewayTenant | null | Promise<GatewayTenant | null>;
   /** Base URL for Twilio webhook signature verification (e.g., https://api.wopr.network/v1). Required for Twilio/Telnyx webhook endpoints. */
   webhookBaseUrl?: string;
   /** Resolve a tenant from an inbound webhook request (e.g., from a tenantId URL path param). Required when webhookBaseUrl is set. */

package/src/monetization/socket/socket.ts

@@ -15,13 +15,13 @@ import type { MeterEmitter } from "@wopr-network/platform-core/metering";
 import type { AdapterCapability, AdapterResult, ProviderAdapter } from "../adapters/types.js";
 import { withMargin } from "../adapters/types.js";
 import type { ArbitrageRouter } from "../arbitrage/router.js";
-import type { BudgetChecker, SpendLimits } from "../budget/budget-checker.js";
+import type { IBudgetChecker, SpendLimits } from "../budget/budget-checker.js";
 
 export interface SocketConfig {
   /** MeterEmitter instance for usage tracking */
   meter: MeterEmitter;
-  /** BudgetChecker instance for pre-call budget validation */
-  budgetChecker?: BudgetChecker;
+  /** IBudgetChecker instance for pre-call budget validation */
+  budgetChecker?: IBudgetChecker;
   /** Default margin multiplier (default: 1.3) */
   defaultMargin?: number;
   /** ArbitrageRouter for cost-optimized routing (GPU-first, cheapest, 5xx failover) */
@@ -65,7 +65,7 @@ const CAPABILITY_METHOD: Record<AdapterCapability, keyof ProviderAdapter> = {
 export class AdapterSocket {
   private readonly adapters = new Map<string, ProviderAdapter>();
   private readonly meter: MeterEmitter;
-  private readonly budgetChecker?: BudgetChecker;
+  private readonly budgetChecker?: IBudgetChecker;
   private readonly defaultMargin: number;
   private readonly router?: ArbitrageRouter;