npm - @wopr-network/platform-core - Versions diffs - 1.67.1 → 1.69.0 - Mend

@wopr-network/platform-core 1.67.1 → 1.69.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (81) hide show

package/dist/auth/better-auth.js +7 -0
package/dist/backup/types.d.ts +1 -1
package/dist/email/client.js +16 -0
package/dist/server/__tests__/build-container.test.d.ts +1 -0
package/dist/server/__tests__/build-container.test.js +339 -0
package/dist/server/__tests__/container.test.d.ts +1 -0
package/dist/server/__tests__/container.test.js +170 -0
package/dist/server/__tests__/lifecycle.test.d.ts +1 -0
package/dist/server/__tests__/lifecycle.test.js +90 -0
package/dist/server/__tests__/mount-routes.test.d.ts +1 -0
package/dist/server/__tests__/mount-routes.test.js +151 -0
package/dist/server/boot-config.d.ts +51 -0
package/dist/server/boot-config.js +7 -0
package/dist/server/container.d.ts +81 -0
package/dist/server/container.js +134 -0
package/dist/server/index.d.ts +33 -0
package/dist/server/index.js +66 -0
package/dist/server/lifecycle.d.ts +25 -0
package/dist/server/lifecycle.js +46 -0
package/dist/server/middleware/__tests__/admin-auth.test.d.ts +1 -0
package/dist/server/middleware/__tests__/admin-auth.test.js +59 -0
package/dist/server/middleware/__tests__/tenant-proxy.test.d.ts +1 -0
package/dist/server/middleware/__tests__/tenant-proxy.test.js +268 -0
package/dist/server/middleware/admin-auth.d.ts +18 -0
package/dist/server/middleware/admin-auth.js +38 -0
package/dist/server/middleware/tenant-proxy.d.ts +56 -0
package/dist/server/middleware/tenant-proxy.js +162 -0
package/dist/server/mount-routes.d.ts +30 -0
package/dist/server/mount-routes.js +74 -0
package/dist/server/routes/__tests__/admin.test.d.ts +1 -0
package/dist/server/routes/__tests__/admin.test.js +267 -0
package/dist/server/routes/__tests__/crypto-webhook.test.d.ts +1 -0
package/dist/server/routes/__tests__/crypto-webhook.test.js +137 -0
package/dist/server/routes/__tests__/provision-webhook.test.d.ts +1 -0
package/dist/server/routes/__tests__/provision-webhook.test.js +212 -0
package/dist/server/routes/__tests__/stripe-webhook.test.d.ts +1 -0
package/dist/server/routes/__tests__/stripe-webhook.test.js +65 -0
package/dist/server/routes/admin.d.ts +111 -0
package/dist/server/routes/admin.js +273 -0
package/dist/server/routes/crypto-webhook.d.ts +23 -0
package/dist/server/routes/crypto-webhook.js +82 -0
package/dist/server/routes/provision-webhook.d.ts +38 -0
package/dist/server/routes/provision-webhook.js +160 -0
package/dist/server/routes/stripe-webhook.d.ts +10 -0
package/dist/server/routes/stripe-webhook.js +29 -0
package/dist/server/test-container.d.ts +15 -0
package/dist/server/test-container.js +103 -0
package/dist/trpc/auth-helpers.d.ts +17 -0
package/dist/trpc/auth-helpers.js +26 -0
package/dist/trpc/container-factories.d.ts +300 -0
package/dist/trpc/container-factories.js +80 -0
package/dist/trpc/index.d.ts +2 -0
package/dist/trpc/index.js +2 -0
package/package.json +8 -3
package/src/auth/better-auth.ts +8 -0
package/src/email/client.ts +18 -0
package/src/server/__tests__/build-container.test.ts +402 -0
package/src/server/__tests__/container.test.ts +204 -0
package/src/server/__tests__/lifecycle.test.ts +106 -0
package/src/server/__tests__/mount-routes.test.ts +169 -0
package/src/server/boot-config.ts +84 -0
package/src/server/container.ts +237 -0
package/src/server/index.ts +92 -0
package/src/server/lifecycle.ts +62 -0
package/src/server/middleware/__tests__/admin-auth.test.ts +67 -0
package/src/server/middleware/__tests__/tenant-proxy.test.ts +308 -0
package/src/server/middleware/admin-auth.ts +51 -0
package/src/server/middleware/tenant-proxy.ts +192 -0
package/src/server/mount-routes.ts +113 -0
package/src/server/routes/__tests__/admin.test.ts +320 -0
package/src/server/routes/__tests__/crypto-webhook.test.ts +167 -0
package/src/server/routes/__tests__/provision-webhook.test.ts +323 -0
package/src/server/routes/__tests__/stripe-webhook.test.ts +73 -0
package/src/server/routes/admin.ts +334 -0
package/src/server/routes/crypto-webhook.ts +110 -0
package/src/server/routes/provision-webhook.ts +212 -0
package/src/server/routes/stripe-webhook.ts +36 -0
package/src/server/test-container.ts +120 -0
package/src/trpc/auth-helpers.ts +28 -0
package/src/trpc/container-factories.ts +114 -0
package/src/trpc/index.ts +9 -0

package/src/server/middleware/__tests__/tenant-proxy.test.ts ADDED Viewed

@@ -0,0 +1,308 @@
+import { Hono } from "hono";
+import { beforeEach, describe, expect, it, type Mock, vi } from "vitest";
+import type { ProxyRoute } from "../../../proxy/types.js";
+import { createTestContainer } from "../../test-container.js";
+import {
+  buildUpstreamHeaders,
+  createTenantProxyMiddleware,
+  extractTenantSubdomain,
+  type ProxyUserInfo,
+  type TenantProxyConfig,
+} from "../tenant-proxy.js";
+// ---------------------------------------------------------------------------
+// extractTenantSubdomain unit tests
+// ---------------------------------------------------------------------------
+describe("extractTenantSubdomain", () => {
+  const domain = "example.com";
+  it("extracts a valid subdomain", () => {
+    expect(extractTenantSubdomain("alice.example.com", domain)).toBe("alice");
+  });
+  it("returns null for the root domain", () => {
+    expect(extractTenantSubdomain("example.com", domain)).toBeNull();
+  });
+  it("returns null for reserved subdomains", () => {
+    expect(extractTenantSubdomain("app.example.com", domain)).toBeNull();
+    expect(extractTenantSubdomain("api.example.com", domain)).toBeNull();
+    expect(extractTenantSubdomain("admin.example.com", domain)).toBeNull();
+  });
+  it("returns null for nested subdomains", () => {
+    expect(extractTenantSubdomain("deep.alice.example.com", domain)).toBeNull();
+  });
+  it("strips port before matching", () => {
+    expect(extractTenantSubdomain("alice.example.com:3000", domain)).toBe("alice");
+  });
+  it("returns null for non-matching domain", () => {
+    expect(extractTenantSubdomain("alice.other.com", domain)).toBeNull();
+  });
+  it("returns null for invalid subdomain characters", () => {
+    expect(extractTenantSubdomain("al!ce.example.com", domain)).toBeNull();
+  });
+});
+// ---------------------------------------------------------------------------
+// buildUpstreamHeaders unit tests
+// ---------------------------------------------------------------------------
+describe("buildUpstreamHeaders", () => {
+  it("copies only allowlisted headers and injects platform headers", () => {
+    const incoming = new Headers({
+      "content-type": "application/json",
+      "x-evil-header": "should-not-pass",
+      host: "alice.example.com",
+    });
+    const user: ProxyUserInfo = { id: "u1", email: "a@b.com", name: "Alice" };
+    const result = buildUpstreamHeaders(incoming, user, "alice");
+    expect(result.get("content-type")).toBe("application/json");
+    expect(result.get("x-evil-header")).toBeNull();
+    expect(result.get("x-platform-user-id")).toBe("u1");
+    expect(result.get("x-platform-tenant")).toBe("alice");
+    expect(result.get("x-platform-user-email")).toBe("a@b.com");
+    expect(result.get("x-platform-user-name")).toBe("Alice");
+    expect(result.get("host")).toBe("alice.example.com");
+  });
+});
+// ---------------------------------------------------------------------------
+// createTenantProxyMiddleware integration tests
+// ---------------------------------------------------------------------------
+describe("createTenantProxyMiddleware", () => {
+  const DOMAIN = "example.com";
+  let resolveUser: Mock<(req: Request) => Promise<ProxyUserInfo | undefined>>;
+  let config: TenantProxyConfig;
+  beforeEach(() => {
+    resolveUser = vi.fn<(req: Request) => Promise<ProxyUserInfo | undefined>>();
+    config = { platformDomain: DOMAIN, resolveUser };
+  });
+  function createApp(container: ReturnType<typeof createTestContainer>) {
+    const app = new Hono();
+    app.use("/*", createTenantProxyMiddleware(container, config));
+    app.get("/fallthrough", (c) => c.json({ fallthrough: true }));
+    return app;
+  }
+  it("passes through non-tenant requests (no subdomain)", async () => {
+    const container = createTestContainer();
+    const app = createApp(container);
+    const res = await app.request("http://example.com/fallthrough");
+    expect(res.status).toBe(200);
+    const body = await res.json();
+    expect(body.fallthrough).toBe(true);
+    // resolveUser should not be called for non-tenant requests
+    expect(resolveUser).not.toHaveBeenCalled();
+  });
+  it("returns 401 for unauthenticated tenant requests", async () => {
+    const container = createTestContainer({
+      fleet: {
+        profileStore: { list: vi.fn().mockResolvedValue([]) } as never,
+        proxy: { getRoutes: vi.fn().mockReturnValue([]) } as never,
+        manager: {} as never,
+        docker: {} as never,
+        serviceKeyRepo: {} as never,
+      },
+    });
+    resolveUser.mockResolvedValue(undefined);
+    const app = createApp(container);
+    const res = await app.request("http://alice.example.com/dashboard", {
+      headers: { host: "alice.example.com" },
+    });
+    expect(res.status).toBe(401);
+    const body = await res.json();
+    expect(body.error).toContain("Authentication required");
+  });
+  it("returns 503 when fleet services are not available", async () => {
+    const container = createTestContainer({ fleet: null });
+    const app = createApp(container);
+    const res = await app.request("http://alice.example.com/dashboard", {
+      headers: { host: "alice.example.com" },
+    });
+    expect(res.status).toBe(503);
+    const body = await res.json();
+    expect(body.error).toContain("Fleet services unavailable");
+  });
+  it("returns 403 when user is not a member of the tenant", async () => {
+    const mockProfile = { name: "alice", tenantId: "tenant-1" };
+    const container = createTestContainer({
+      fleet: {
+        profileStore: { list: vi.fn().mockResolvedValue([mockProfile]) } as never,
+        proxy: {
+          getRoutes: vi
+            .fn()
+            .mockReturnValue([{ subdomain: "alice", upstreamHost: "127.0.0.1", upstreamPort: 4000, healthy: true }]),
+        } as never,
+        manager: {} as never,
+        docker: {} as never,
+        serviceKeyRepo: {} as never,
+      },
+      orgMemberRepo: {
+        findMember: vi.fn().mockResolvedValue(null),
+        listMembers: vi.fn(),
+        addMember: vi.fn(),
+        updateMemberRole: vi.fn(),
+        removeMember: vi.fn(),
+        countAdminsAndOwners: vi.fn(),
+        listInvites: vi.fn(),
+        createInvite: vi.fn(),
+        findInviteById: vi.fn(),
+        findInviteByToken: vi.fn(),
+        deleteInvite: vi.fn(),
+        deleteAllMembers: vi.fn(),
+        deleteAllInvites: vi.fn(),
+        listOrgsByUser: vi.fn(),
+        markInviteAccepted: vi.fn(),
+      },
+    });
+    resolveUser.mockResolvedValue({ id: "user-99", email: "user@test.com" });
+    const app = createApp(container);
+    const res = await app.request("http://alice.example.com/dashboard", {
+      headers: { host: "alice.example.com" },
+    });
+    expect(res.status).toBe(403);
+    const body = await res.json();
+    expect(body.error).toContain("not a member");
+  });
+  it("proxies correctly when authorized", async () => {
+    const mockProfile = { name: "alice", tenantId: "tenant-1" };
+    const upstreamRoute: ProxyRoute = {
+      instanceId: "inst-1",
+      subdomain: "alice",
+      upstreamHost: "127.0.0.1",
+      upstreamPort: 4000,
+      healthy: true,
+    };
+    const container = createTestContainer({
+      fleet: {
+        profileStore: { list: vi.fn().mockResolvedValue([mockProfile]) } as never,
+        proxy: { getRoutes: vi.fn().mockReturnValue([upstreamRoute]) } as never,
+        manager: {} as never,
+        docker: {} as never,
+        serviceKeyRepo: {} as never,
+      },
+      orgMemberRepo: {
+        findMember: vi.fn().mockResolvedValue({ orgId: "tenant-1", userId: "user-1", role: "member" }),
+        listMembers: vi.fn(),
+        addMember: vi.fn(),
+        updateMemberRole: vi.fn(),
+        removeMember: vi.fn(),
+        countAdminsAndOwners: vi.fn(),
+        listInvites: vi.fn(),
+        createInvite: vi.fn(),
+        findInviteById: vi.fn(),
+        findInviteByToken: vi.fn(),
+        deleteInvite: vi.fn(),
+        deleteAllMembers: vi.fn(),
+        deleteAllInvites: vi.fn(),
+        listOrgsByUser: vi.fn(),
+        markInviteAccepted: vi.fn(),
+      },
+    });
+    resolveUser.mockResolvedValue({ id: "user-1", email: "user@test.com" });
+    // Mock global fetch to simulate upstream response
+    const originalFetch = globalThis.fetch;
+    globalThis.fetch = vi.fn().mockResolvedValue(
+      new Response(JSON.stringify({ upstream: true }), {
+        status: 200,
+        headers: { "content-type": "application/json" },
+      }),
+    );
+    try {
+      const app = createApp(container);
+      const res = await app.request("http://alice.example.com/api/data?q=1", {
+        headers: { host: "alice.example.com" },
+      });
+      expect(res.status).toBe(200);
+      const body = await res.json();
+      expect(body.upstream).toBe(true);
+      // Verify fetch was called with the correct upstream URL
+      const fetchCall = (globalThis.fetch as Mock).mock.calls[0];
+      expect(fetchCall[0]).toBe("http://127.0.0.1:4000/api/data?q=1");
+      // Verify platform headers were injected
+      const headers = fetchCall[1].headers as Headers;
+      expect(headers.get("x-platform-user-id")).toBe("user-1");
+      expect(headers.get("x-platform-tenant")).toBe("alice");
+    } finally {
+      globalThis.fetch = originalFetch;
+    }
+  });
+  it("returns 502 when upstream fetch fails", async () => {
+    const mockProfile = { name: "bob", tenantId: "user-1" };
+    const upstreamRoute: ProxyRoute = {
+      instanceId: "inst-2",
+      subdomain: "bob",
+      upstreamHost: "127.0.0.1",
+      upstreamPort: 4001,
+      healthy: true,
+    };
+    const container = createTestContainer({
+      fleet: {
+        profileStore: { list: vi.fn().mockResolvedValue([mockProfile]) } as never,
+        proxy: { getRoutes: vi.fn().mockReturnValue([upstreamRoute]) } as never,
+        manager: {} as never,
+        docker: {} as never,
+        serviceKeyRepo: {} as never,
+      },
+    });
+    // tenantId === userId means personal tenant, so validateTenantAccess returns true
+    resolveUser.mockResolvedValue({ id: "user-1" });
+    const originalFetch = globalThis.fetch;
+    globalThis.fetch = vi.fn().mockRejectedValue(new Error("ECONNREFUSED"));
+    try {
+      const app = createApp(container);
+      const res = await app.request("http://bob.example.com/test", {
+        headers: { host: "bob.example.com" },
+      });
+      expect(res.status).toBe(502);
+      const body = await res.json();
+      expect(body.error).toContain("Bad Gateway");
+    } finally {
+      globalThis.fetch = originalFetch;
+    }
+  });
+  it("returns 404 when subdomain has no upstream route", async () => {
+    const container = createTestContainer({
+      fleet: {
+        profileStore: { list: vi.fn().mockResolvedValue([]) } as never,
+        proxy: { getRoutes: vi.fn().mockReturnValue([]) } as never,
+        manager: {} as never,
+        docker: {} as never,
+        serviceKeyRepo: {} as never,
+      },
+    });
+    resolveUser.mockResolvedValue({ id: "user-1" });
+    const app = createApp(container);
+    const res = await app.request("http://ghost.example.com/test", {
+      headers: { host: "ghost.example.com" },
+    });
+    expect(res.status).toBe(404);
+    const body = await res.json();
+    expect(body.error).toContain("Tenant not found");
+  });
+});

package/src/server/middleware/admin-auth.ts ADDED Viewed

@@ -0,0 +1,51 @@
+/**
+ * Admin auth middleware — timing-safe API key verification.
+ *
+ * Factory function that creates a Hono middleware handler requiring
+ * a valid admin API key in the Authorization header. Uses
+ * `crypto.timingSafeEqual` to prevent timing side-channel attacks.
+ */
+import { timingSafeEqual } from "node:crypto";
+import type { MiddlewareHandler } from "hono";
+export interface AdminAuthConfig {
+  adminApiKey: string;
+}
+/**
+ * Create an admin auth middleware that validates Bearer tokens
+ * against the configured admin API key using timing-safe comparison.
+ *
+ * Fail-closed: if the key is empty or missing, all requests are rejected.
+ */
+export function createAdminAuthMiddleware(config: AdminAuthConfig): MiddlewareHandler {
+  const { adminApiKey } = config;
+  return async (c, next) => {
+    // Fail closed: if no admin key is configured, reject everything
+    if (!adminApiKey) {
+      return c.json({ error: "Admin authentication not configured" }, 503);
+    }
+    const authHeader = c.req.header("authorization");
+    if (!authHeader || !authHeader.startsWith("Bearer ")) {
+      return c.json({ error: "Unauthorized: admin authentication required" }, 401);
+    }
+    const token = authHeader.slice("Bearer ".length).trim();
+    if (!token) {
+      return c.json({ error: "Unauthorized: admin authentication required" }, 401);
+    }
+    // Timing-safe comparison: both buffers must be the same length
+    const tokenBuf = Buffer.from(token);
+    const keyBuf = Buffer.from(adminApiKey);
+    if (tokenBuf.length !== keyBuf.length || !timingSafeEqual(tokenBuf, keyBuf)) {
+      return c.json({ error: "Unauthorized: invalid admin credentials" }, 401);
+    }
+    return next();
+  };
+}

package/src/server/middleware/tenant-proxy.ts ADDED Viewed

@@ -0,0 +1,192 @@
+/**
+ * Tenant subdomain proxy middleware.
+ *
+ * Extracts the tenant subdomain from the Host header, authenticates
+ * the user, verifies tenant membership via orgMemberRepo, resolves
+ * the fleet container URL, and proxies the request upstream.
+ *
+ * Ported from paperclip-platform with fail-closed semantics:
+ * - If fleet services are unavailable, returns 503 (not silent skip)
+ * - Auth check runs before tenant ownership check
+ * - Upstream headers are sanitized via allowlist
+ */
+import type { MiddlewareHandler } from "hono";
+import type { PlatformContainer } from "../container.js";
+/** Reserved subdomains that should never resolve to a tenant. */
+const RESERVED_SUBDOMAINS = new Set(["app", "api", "staging", "www", "mail", "admin", "dashboard", "status", "docs"]);
+/** DNS label rules (RFC 1123). */
+const SUBDOMAIN_RE = /^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$/;
+/**
+ * Headers safe to forward to upstream containers.
+ *
+ * This is an allowlist -- only these headers are copied from the incoming
+ * request. All x-platform-* headers are injected server-side after auth
+ * resolution, preventing client-side spoofing.
+ */
+const FORWARDED_HEADERS = [
+  "content-type",
+  "accept",
+  "accept-language",
+  "accept-encoding",
+  "content-length",
+  "x-request-id",
+  "user-agent",
+  "origin",
+  "referer",
+  "cookie",
+];
+/** Resolved user identity for upstream header injection. */
+export interface ProxyUserInfo {
+  id: string;
+  email?: string;
+  name?: string;
+}
+export interface TenantProxyConfig {
+  /** The platform root domain (e.g. "runpaperclip.com"). */
+  platformDomain: string;
+  /**
+   * Resolve the authenticated user from the request.
+   * Products wire this to their auth system (BetterAuth, etc.).
+   */
+  resolveUser: (req: Request) => Promise<ProxyUserInfo | undefined>;
+}
+/**
+ * Extract the tenant subdomain from a Host header value.
+ *
+ * "alice.example.com" -> "alice"
+ * "example.com"       -> null (root domain)
+ * "app.example.com"   -> null (reserved)
+ */
+export function extractTenantSubdomain(host: string, platformDomain: string): string | null {
+  const hostname = host.split(":")[0].toLowerCase();
+  const suffix = `.${platformDomain}`;
+  if (!hostname.endsWith(suffix)) return null;
+  const subdomain = hostname.slice(0, -suffix.length);
+  if (!subdomain || subdomain.includes(".")) return null;
+  if (RESERVED_SUBDOMAINS.has(subdomain)) return null;
+  if (!SUBDOMAIN_RE.test(subdomain)) return null;
+  return subdomain;
+}
+/**
+ * Build sanitized headers for upstream requests.
+ *
+ * Only allowlisted headers are forwarded. All x-platform-* headers are
+ * injected server-side from the authenticated session -- never copied from
+ * the incoming request -- to prevent spoofing.
+ */
+export function buildUpstreamHeaders(incoming: Headers, user: ProxyUserInfo, tenantSubdomain: string): Headers {
+  const headers = new Headers();
+  for (const key of FORWARDED_HEADERS) {
+    const val = incoming.get(key);
+    if (val) headers.set(key, val);
+  }
+  // Forward original Host so upstream hostname allowlist doesn't reject
+  const host = incoming.get("host");
+  if (host) headers.set("host", host);
+  headers.set("x-platform-user-id", user.id);
+  headers.set("x-platform-tenant", tenantSubdomain);
+  if (user.email) headers.set("x-platform-user-email", user.email);
+  if (user.name) headers.set("x-platform-user-name", user.name);
+  return headers;
+}
+/**
+ * Resolve the upstream container URL for a tenant subdomain from the
+ * proxy route table. Returns null if no route exists or is unhealthy.
+ */
+function resolveContainerUrl(container: PlatformContainer, subdomain: string): string | null {
+  if (!container.fleet) return null;
+  const routes = container.fleet.proxy.getRoutes();
+  const route = routes.find((r) => r.subdomain === subdomain);
+  if (!route || !route.healthy) return null;
+  return `http://${route.upstreamHost}:${route.upstreamPort}`;
+}
+/**
+ * Create a tenant subdomain proxy middleware.
+ *
+ * If the request Host identifies a tenant subdomain, authenticates the user,
+ * resolves the fleet container URL, and proxies the request. Non-tenant
+ * requests (root domain, reserved subdomains) pass through to next().
+ *
+ * Fail-closed: if fleet services or orgMemberRepo are unavailable, returns
+ * 503 instead of silently skipping checks.
+ */
+export function createTenantProxyMiddleware(
+  container: PlatformContainer,
+  config: TenantProxyConfig,
+): MiddlewareHandler {
+  const { platformDomain, resolveUser } = config;
+  return async (c, next) => {
+    const host = c.req.header("host");
+    if (!host) return next();
+    const subdomain = extractTenantSubdomain(host, platformDomain);
+    if (!subdomain) return next();
+    // --- Fail-closed checks ---
+    // Fleet services must be available for tenant proxying
+    if (!container.fleet) {
+      return c.json({ error: "Fleet services unavailable" }, 503);
+    }
+    // Authenticate -- reject unauthenticated requests
+    const user = await resolveUser(c.req.raw);
+    if (!user) {
+      return c.json({ error: "Authentication required" }, 401);
+    }
+    // Verify tenant ownership -- user must belong to the org that owns this subdomain
+    const profiles = await container.fleet.profileStore.list();
+    const profile = profiles.find((p) => p.name === subdomain);
+    if (!profile) {
+      return c.json({ error: "Tenant not found" }, 404);
+    }
+    const { validateTenantAccess } = await import("../../auth/index.js");
+    const hasAccess = await validateTenantAccess(user.id, profile.tenantId, container.orgMemberRepo);
+    if (!hasAccess) {
+      return c.json({ error: "Forbidden: not a member of this tenant" }, 403);
+    }
+    // Resolve fleet container URL via proxy route table
+    const upstream = resolveContainerUrl(container, subdomain);
+    if (!upstream) {
+      return c.json({ error: "Tenant not found" }, 404);
+    }
+    const url = new URL(c.req.url);
+    const targetUrl = `${upstream}${url.pathname}${url.search}`;
+    const upstreamHeaders = buildUpstreamHeaders(c.req.raw.headers, user, subdomain);
+    let response: Response;
+    try {
+      response = await fetch(targetUrl, {
+        method: c.req.method,
+        headers: upstreamHeaders,
+        body: c.req.method !== "GET" && c.req.method !== "HEAD" ? c.req.raw.body : undefined,
+        // @ts-expect-error duplex needed for streaming request bodies
+        duplex: "half",
+      });
+    } catch {
+      return c.json({ error: "Bad Gateway: upstream container unavailable" }, 502);
+    }
+    return new Response(response.body, {
+      status: response.status,
+      headers: response.headers,
+    });
+  };
+}

package/src/server/mount-routes.ts ADDED Viewed

@@ -0,0 +1,113 @@
+/**
+ * mountRoutes — wire shared HTTP routes and middleware onto a Hono app.
+ *
+ * Mounts routes conditionally based on which feature sub-containers are
+ * present on the PlatformContainer. Products call this after building the
+ * container; tRPC routers (admin, fleet-update, etc.) are mounted
+ * separately by products since they need product-specific auth context.
+ */
+import type { Hono } from "hono";
+import { cors } from "hono/cors";
+import { deriveCorsOrigins } from "../product-config/repository-types.js";
+import type { RoutePlugin } from "./boot-config.js";
+import type { PlatformContainer } from "./container.js";
+import { createTenantProxyMiddleware } from "./middleware/tenant-proxy.js";
+import { createCryptoWebhookRoutes } from "./routes/crypto-webhook.js";
+import { createProvisionWebhookRoutes } from "./routes/provision-webhook.js";
+import { createStripeWebhookRoutes } from "./routes/stripe-webhook.js";
+// ---------------------------------------------------------------------------
+// Config accepted at mount time
+// ---------------------------------------------------------------------------
+export interface MountConfig {
+  provisionSecret: string;
+  cryptoServiceKey?: string;
+  platformDomain: string;
+}
+// ---------------------------------------------------------------------------
+// mountRoutes
+// ---------------------------------------------------------------------------
+/**
+ * Mount all shared routes and middleware onto a Hono app based on the
+ * container's enabled feature slices.
+ *
+ * Mount order:
+ *   1. CORS middleware (from productConfig domain list)
+ *   2. Health endpoint (always)
+ *   3. Crypto webhook (if crypto enabled)
+ *   4. Stripe webhook (if stripe enabled)
+ *   5. Provision webhook (if fleet enabled)
+ *   6. Product-specific route plugins
+ *   7. Tenant proxy middleware (catch-all — must be last)
+ */
+export function mountRoutes(
+  app: Hono,
+  container: PlatformContainer,
+  config: MountConfig,
+  plugins: RoutePlugin[] = [],
+): void {
+  // 1. CORS middleware
+  const origins = deriveCorsOrigins(container.productConfig.product, container.productConfig.domains);
+  app.use(
+    "*",
+    cors({
+      origin: origins,
+      allowMethods: ["GET", "POST", "PUT", "PATCH", "DELETE", "OPTIONS"],
+      allowHeaders: ["Content-Type", "Authorization", "X-Request-ID"],
+      credentials: true,
+    }),
+  );
+  // 2. Health endpoint (always available)
+  app.get("/health", (c) => c.json({ ok: true }));
+  // 3. Crypto webhook (when crypto payments are enabled)
+  if (container.crypto) {
+    app.route(
+      "/api/webhooks/crypto",
+      createCryptoWebhookRoutes(container, {
+        provisionSecret: config.provisionSecret,
+        cryptoServiceKey: config.cryptoServiceKey,
+      }),
+    );
+  }
+  // 4. Stripe webhook (when stripe billing is enabled)
+  if (container.stripe) {
+    app.route("/api/webhooks/stripe", createStripeWebhookRoutes(container));
+  }
+  // 5. Provision webhook (when fleet management is enabled)
+  if (container.fleet) {
+    const fleetConfig = container.productConfig.fleet;
+    app.route(
+      "/api/provision",
+      createProvisionWebhookRoutes(container, {
+        provisionSecret: config.provisionSecret,
+        instanceImage: fleetConfig?.containerImage ?? "ghcr.io/default:latest",
+        containerPort: fleetConfig?.containerPort ?? 3000,
+        maxInstancesPerTenant: fleetConfig?.maxInstances ?? 5,
+      }),
+    );
+  }
+  // 6. Product-specific route plugins
+  for (const plugin of plugins) {
+    app.route(plugin.path, plugin.handler(container));
+  }
+  // 7. Tenant proxy middleware (catch-all — MUST be last)
+  if (container.fleet) {
+    app.use(
+      "*",
+      createTenantProxyMiddleware(container, {
+        platformDomain: config.platformDomain,
+        resolveUser: async () => undefined, // Products override via plugin or direct middleware
+      }),
+    );
+  }
+}