@wopr-network/platform-core 1.67.1 → 1.69.0

package/dist/server/middleware/__tests__/tenant-proxy.test.js

@@ -0,0 +1,268 @@
+import { Hono } from "hono";
+import { beforeEach, describe, expect, it, vi } from "vitest";
+import { createTestContainer } from "../../test-container.js";
+import { buildUpstreamHeaders, createTenantProxyMiddleware, extractTenantSubdomain, } from "../tenant-proxy.js";
+// ---------------------------------------------------------------------------
+// extractTenantSubdomain unit tests
+// ---------------------------------------------------------------------------
+describe("extractTenantSubdomain", () => {
+    const domain = "example.com";
+    it("extracts a valid subdomain", () => {
+        expect(extractTenantSubdomain("alice.example.com", domain)).toBe("alice");
+    });
+    it("returns null for the root domain", () => {
+        expect(extractTenantSubdomain("example.com", domain)).toBeNull();
+    });
+    it("returns null for reserved subdomains", () => {
+        expect(extractTenantSubdomain("app.example.com", domain)).toBeNull();
+        expect(extractTenantSubdomain("api.example.com", domain)).toBeNull();
+        expect(extractTenantSubdomain("admin.example.com", domain)).toBeNull();
+    });
+    it("returns null for nested subdomains", () => {
+        expect(extractTenantSubdomain("deep.alice.example.com", domain)).toBeNull();
+    });
+    it("strips port before matching", () => {
+        expect(extractTenantSubdomain("alice.example.com:3000", domain)).toBe("alice");
+    });
+    it("returns null for non-matching domain", () => {
+        expect(extractTenantSubdomain("alice.other.com", domain)).toBeNull();
+    });
+    it("returns null for invalid subdomain characters", () => {
+        expect(extractTenantSubdomain("al!ce.example.com", domain)).toBeNull();
+    });
+});
+// ---------------------------------------------------------------------------
+// buildUpstreamHeaders unit tests
+// ---------------------------------------------------------------------------
+describe("buildUpstreamHeaders", () => {
+    it("copies only allowlisted headers and injects platform headers", () => {
+        const incoming = new Headers({
+            "content-type": "application/json",
+            "x-evil-header": "should-not-pass",
+            host: "alice.example.com",
+        });
+        const user = { id: "u1", email: "a@b.com", name: "Alice" };
+        const result = buildUpstreamHeaders(incoming, user, "alice");
+        expect(result.get("content-type")).toBe("application/json");
+        expect(result.get("x-evil-header")).toBeNull();
+        expect(result.get("x-platform-user-id")).toBe("u1");
+        expect(result.get("x-platform-tenant")).toBe("alice");
+        expect(result.get("x-platform-user-email")).toBe("a@b.com");
+        expect(result.get("x-platform-user-name")).toBe("Alice");
+        expect(result.get("host")).toBe("alice.example.com");
+    });
+});
+// ---------------------------------------------------------------------------
+// createTenantProxyMiddleware integration tests
+// ---------------------------------------------------------------------------
+describe("createTenantProxyMiddleware", () => {
+    const DOMAIN = "example.com";
+    let resolveUser;
+    let config;
+    beforeEach(() => {
+        resolveUser = vi.fn();
+        config = { platformDomain: DOMAIN, resolveUser };
+    });
+    function createApp(container) {
+        const app = new Hono();
+        app.use("/*", createTenantProxyMiddleware(container, config));
+        app.get("/fallthrough", (c) => c.json({ fallthrough: true }));
+        return app;
+    }
+    it("passes through non-tenant requests (no subdomain)", async () => {
+        const container = createTestContainer();
+        const app = createApp(container);
+        const res = await app.request("http://example.com/fallthrough");
+        expect(res.status).toBe(200);
+        const body = await res.json();
+        expect(body.fallthrough).toBe(true);
+        // resolveUser should not be called for non-tenant requests
+        expect(resolveUser).not.toHaveBeenCalled();
+    });
+    it("returns 401 for unauthenticated tenant requests", async () => {
+        const container = createTestContainer({
+            fleet: {
+                profileStore: { list: vi.fn().mockResolvedValue([]) },
+                proxy: { getRoutes: vi.fn().mockReturnValue([]) },
+                manager: {},
+                docker: {},
+                serviceKeyRepo: {},
+            },
+        });
+        resolveUser.mockResolvedValue(undefined);
+        const app = createApp(container);
+        const res = await app.request("http://alice.example.com/dashboard", {
+            headers: { host: "alice.example.com" },
+        });
+        expect(res.status).toBe(401);
+        const body = await res.json();
+        expect(body.error).toContain("Authentication required");
+    });
+    it("returns 503 when fleet services are not available", async () => {
+        const container = createTestContainer({ fleet: null });
+        const app = createApp(container);
+        const res = await app.request("http://alice.example.com/dashboard", {
+            headers: { host: "alice.example.com" },
+        });
+        expect(res.status).toBe(503);
+        const body = await res.json();
+        expect(body.error).toContain("Fleet services unavailable");
+    });
+    it("returns 403 when user is not a member of the tenant", async () => {
+        const mockProfile = { name: "alice", tenantId: "tenant-1" };
+        const container = createTestContainer({
+            fleet: {
+                profileStore: { list: vi.fn().mockResolvedValue([mockProfile]) },
+                proxy: {
+                    getRoutes: vi
+                        .fn()
+                        .mockReturnValue([{ subdomain: "alice", upstreamHost: "127.0.0.1", upstreamPort: 4000, healthy: true }]),
+                },
+                manager: {},
+                docker: {},
+                serviceKeyRepo: {},
+            },
+            orgMemberRepo: {
+                findMember: vi.fn().mockResolvedValue(null),
+                listMembers: vi.fn(),
+                addMember: vi.fn(),
+                updateMemberRole: vi.fn(),
+                removeMember: vi.fn(),
+                countAdminsAndOwners: vi.fn(),
+                listInvites: vi.fn(),
+                createInvite: vi.fn(),
+                findInviteById: vi.fn(),
+                findInviteByToken: vi.fn(),
+                deleteInvite: vi.fn(),
+                deleteAllMembers: vi.fn(),
+                deleteAllInvites: vi.fn(),
+                listOrgsByUser: vi.fn(),
+                markInviteAccepted: vi.fn(),
+            },
+        });
+        resolveUser.mockResolvedValue({ id: "user-99", email: "user@test.com" });
+        const app = createApp(container);
+        const res = await app.request("http://alice.example.com/dashboard", {
+            headers: { host: "alice.example.com" },
+        });
+        expect(res.status).toBe(403);
+        const body = await res.json();
+        expect(body.error).toContain("not a member");
+    });
+    it("proxies correctly when authorized", async () => {
+        const mockProfile = { name: "alice", tenantId: "tenant-1" };
+        const upstreamRoute = {
+            instanceId: "inst-1",
+            subdomain: "alice",
+            upstreamHost: "127.0.0.1",
+            upstreamPort: 4000,
+            healthy: true,
+        };
+        const container = createTestContainer({
+            fleet: {
+                profileStore: { list: vi.fn().mockResolvedValue([mockProfile]) },
+                proxy: { getRoutes: vi.fn().mockReturnValue([upstreamRoute]) },
+                manager: {},
+                docker: {},
+                serviceKeyRepo: {},
+            },
+            orgMemberRepo: {
+                findMember: vi.fn().mockResolvedValue({ orgId: "tenant-1", userId: "user-1", role: "member" }),
+                listMembers: vi.fn(),
+                addMember: vi.fn(),
+                updateMemberRole: vi.fn(),
+                removeMember: vi.fn(),
+                countAdminsAndOwners: vi.fn(),
+                listInvites: vi.fn(),
+                createInvite: vi.fn(),
+                findInviteById: vi.fn(),
+                findInviteByToken: vi.fn(),
+                deleteInvite: vi.fn(),
+                deleteAllMembers: vi.fn(),
+                deleteAllInvites: vi.fn(),
+                listOrgsByUser: vi.fn(),
+                markInviteAccepted: vi.fn(),
+            },
+        });
+        resolveUser.mockResolvedValue({ id: "user-1", email: "user@test.com" });
+        // Mock global fetch to simulate upstream response
+        const originalFetch = globalThis.fetch;
+        globalThis.fetch = vi.fn().mockResolvedValue(new Response(JSON.stringify({ upstream: true }), {
+            status: 200,
+            headers: { "content-type": "application/json" },
+        }));
+        try {
+            const app = createApp(container);
+            const res = await app.request("http://alice.example.com/api/data?q=1", {
+                headers: { host: "alice.example.com" },
+            });
+            expect(res.status).toBe(200);
+            const body = await res.json();
+            expect(body.upstream).toBe(true);
+            // Verify fetch was called with the correct upstream URL
+            const fetchCall = globalThis.fetch.mock.calls[0];
+            expect(fetchCall[0]).toBe("http://127.0.0.1:4000/api/data?q=1");
+            // Verify platform headers were injected
+            const headers = fetchCall[1].headers;
+            expect(headers.get("x-platform-user-id")).toBe("user-1");
+            expect(headers.get("x-platform-tenant")).toBe("alice");
+        }
+        finally {
+            globalThis.fetch = originalFetch;
+        }
+    });
+    it("returns 502 when upstream fetch fails", async () => {
+        const mockProfile = { name: "bob", tenantId: "user-1" };
+        const upstreamRoute = {
+            instanceId: "inst-2",
+            subdomain: "bob",
+            upstreamHost: "127.0.0.1",
+            upstreamPort: 4001,
+            healthy: true,
+        };
+        const container = createTestContainer({
+            fleet: {
+                profileStore: { list: vi.fn().mockResolvedValue([mockProfile]) },
+                proxy: { getRoutes: vi.fn().mockReturnValue([upstreamRoute]) },
+                manager: {},
+                docker: {},
+                serviceKeyRepo: {},
+            },
+        });
+        // tenantId === userId means personal tenant, so validateTenantAccess returns true
+        resolveUser.mockResolvedValue({ id: "user-1" });
+        const originalFetch = globalThis.fetch;
+        globalThis.fetch = vi.fn().mockRejectedValue(new Error("ECONNREFUSED"));
+        try {
+            const app = createApp(container);
+            const res = await app.request("http://bob.example.com/test", {
+                headers: { host: "bob.example.com" },
+            });
+            expect(res.status).toBe(502);
+            const body = await res.json();
+            expect(body.error).toContain("Bad Gateway");
+        }
+        finally {
+            globalThis.fetch = originalFetch;
+        }
+    });
+    it("returns 404 when subdomain has no upstream route", async () => {
+        const container = createTestContainer({
+            fleet: {
+                profileStore: { list: vi.fn().mockResolvedValue([]) },
+                proxy: { getRoutes: vi.fn().mockReturnValue([]) },
+                manager: {},
+                docker: {},
+                serviceKeyRepo: {},
+            },
+        });
+        resolveUser.mockResolvedValue({ id: "user-1" });
+        const app = createApp(container);
+        const res = await app.request("http://ghost.example.com/test", {
+            headers: { host: "ghost.example.com" },
+        });
+        expect(res.status).toBe(404);
+        const body = await res.json();
+        expect(body.error).toContain("Tenant not found");
+    });
+});

package/dist/server/middleware/admin-auth.d.ts

@@ -0,0 +1,18 @@
+/**
+ * Admin auth middleware — timing-safe API key verification.
+ *
+ * Factory function that creates a Hono middleware handler requiring
+ * a valid admin API key in the Authorization header. Uses
+ * `crypto.timingSafeEqual` to prevent timing side-channel attacks.
+ */
+import type { MiddlewareHandler } from "hono";
+export interface AdminAuthConfig {
+    adminApiKey: string;
+}
+/**
+ * Create an admin auth middleware that validates Bearer tokens
+ * against the configured admin API key using timing-safe comparison.
+ *
+ * Fail-closed: if the key is empty or missing, all requests are rejected.
+ */
+export declare function createAdminAuthMiddleware(config: AdminAuthConfig): MiddlewareHandler;

package/dist/server/middleware/admin-auth.js

@@ -0,0 +1,38 @@
+/**
+ * Admin auth middleware — timing-safe API key verification.
+ *
+ * Factory function that creates a Hono middleware handler requiring
+ * a valid admin API key in the Authorization header. Uses
+ * `crypto.timingSafeEqual` to prevent timing side-channel attacks.
+ */
+import { timingSafeEqual } from "node:crypto";
+/**
+ * Create an admin auth middleware that validates Bearer tokens
+ * against the configured admin API key using timing-safe comparison.
+ *
+ * Fail-closed: if the key is empty or missing, all requests are rejected.
+ */
+export function createAdminAuthMiddleware(config) {
+    const { adminApiKey } = config;
+    return async (c, next) => {
+        // Fail closed: if no admin key is configured, reject everything
+        if (!adminApiKey) {
+            return c.json({ error: "Admin authentication not configured" }, 503);
+        }
+        const authHeader = c.req.header("authorization");
+        if (!authHeader || !authHeader.startsWith("Bearer ")) {
+            return c.json({ error: "Unauthorized: admin authentication required" }, 401);
+        }
+        const token = authHeader.slice("Bearer ".length).trim();
+        if (!token) {
+            return c.json({ error: "Unauthorized: admin authentication required" }, 401);
+        }
+        // Timing-safe comparison: both buffers must be the same length
+        const tokenBuf = Buffer.from(token);
+        const keyBuf = Buffer.from(adminApiKey);
+        if (tokenBuf.length !== keyBuf.length || !timingSafeEqual(tokenBuf, keyBuf)) {
+            return c.json({ error: "Unauthorized: invalid admin credentials" }, 401);
+        }
+        return next();
+    };
+}

package/dist/server/middleware/tenant-proxy.d.ts

@@ -0,0 +1,56 @@
+/**
+ * Tenant subdomain proxy middleware.
+ *
+ * Extracts the tenant subdomain from the Host header, authenticates
+ * the user, verifies tenant membership via orgMemberRepo, resolves
+ * the fleet container URL, and proxies the request upstream.
+ *
+ * Ported from paperclip-platform with fail-closed semantics:
+ * - If fleet services are unavailable, returns 503 (not silent skip)
+ * - Auth check runs before tenant ownership check
+ * - Upstream headers are sanitized via allowlist
+ */
+import type { MiddlewareHandler } from "hono";
+import type { PlatformContainer } from "../container.js";
+/** Resolved user identity for upstream header injection. */
+export interface ProxyUserInfo {
+    id: string;
+    email?: string;
+    name?: string;
+}
+export interface TenantProxyConfig {
+    /** The platform root domain (e.g. "runpaperclip.com"). */
+    platformDomain: string;
+    /**
+     * Resolve the authenticated user from the request.
+     * Products wire this to their auth system (BetterAuth, etc.).
+     */
+    resolveUser: (req: Request) => Promise<ProxyUserInfo | undefined>;
+}
+/**
+ * Extract the tenant subdomain from a Host header value.
+ *
+ * "alice.example.com" -> "alice"
+ * "example.com"       -> null (root domain)
+ * "app.example.com"   -> null (reserved)
+ */
+export declare function extractTenantSubdomain(host: string, platformDomain: string): string | null;
+/**
+ * Build sanitized headers for upstream requests.
+ *
+ * Only allowlisted headers are forwarded. All x-platform-* headers are
+ * injected server-side from the authenticated session -- never copied from
+ * the incoming request -- to prevent spoofing.
+ */
+export declare function buildUpstreamHeaders(incoming: Headers, user: ProxyUserInfo, tenantSubdomain: string): Headers;
+/**
+ * Create a tenant subdomain proxy middleware.
+ *
+ * If the request Host identifies a tenant subdomain, authenticates the user,
+ * resolves the fleet container URL, and proxies the request. Non-tenant
+ * requests (root domain, reserved subdomains) pass through to next().
+ *
+ * Fail-closed: if fleet services or orgMemberRepo are unavailable, returns
+ * 503 instead of silently skipping checks.
+ */
+export declare function createTenantProxyMiddleware(container: PlatformContainer, config: TenantProxyConfig): MiddlewareHandler;

package/dist/server/middleware/tenant-proxy.js

@@ -0,0 +1,162 @@
+/**
+ * Tenant subdomain proxy middleware.
+ *
+ * Extracts the tenant subdomain from the Host header, authenticates
+ * the user, verifies tenant membership via orgMemberRepo, resolves
+ * the fleet container URL, and proxies the request upstream.
+ *
+ * Ported from paperclip-platform with fail-closed semantics:
+ * - If fleet services are unavailable, returns 503 (not silent skip)
+ * - Auth check runs before tenant ownership check
+ * - Upstream headers are sanitized via allowlist
+ */
+/** Reserved subdomains that should never resolve to a tenant. */
+const RESERVED_SUBDOMAINS = new Set(["app", "api", "staging", "www", "mail", "admin", "dashboard", "status", "docs"]);
+/** DNS label rules (RFC 1123). */
+const SUBDOMAIN_RE = /^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$/;
+/**
+ * Headers safe to forward to upstream containers.
+ *
+ * This is an allowlist -- only these headers are copied from the incoming
+ * request. All x-platform-* headers are injected server-side after auth
+ * resolution, preventing client-side spoofing.
+ */
+const FORWARDED_HEADERS = [
+    "content-type",
+    "accept",
+    "accept-language",
+    "accept-encoding",
+    "content-length",
+    "x-request-id",
+    "user-agent",
+    "origin",
+    "referer",
+    "cookie",
+];
+/**
+ * Extract the tenant subdomain from a Host header value.
+ *
+ * "alice.example.com" -> "alice"
+ * "example.com"       -> null (root domain)
+ * "app.example.com"   -> null (reserved)
+ */
+export function extractTenantSubdomain(host, platformDomain) {
+    const hostname = host.split(":")[0].toLowerCase();
+    const suffix = `.${platformDomain}`;
+    if (!hostname.endsWith(suffix))
+        return null;
+    const subdomain = hostname.slice(0, -suffix.length);
+    if (!subdomain || subdomain.includes("."))
+        return null;
+    if (RESERVED_SUBDOMAINS.has(subdomain))
+        return null;
+    if (!SUBDOMAIN_RE.test(subdomain))
+        return null;
+    return subdomain;
+}
+/**
+ * Build sanitized headers for upstream requests.
+ *
+ * Only allowlisted headers are forwarded. All x-platform-* headers are
+ * injected server-side from the authenticated session -- never copied from
+ * the incoming request -- to prevent spoofing.
+ */
+export function buildUpstreamHeaders(incoming, user, tenantSubdomain) {
+    const headers = new Headers();
+    for (const key of FORWARDED_HEADERS) {
+        const val = incoming.get(key);
+        if (val)
+            headers.set(key, val);
+    }
+    // Forward original Host so upstream hostname allowlist doesn't reject
+    const host = incoming.get("host");
+    if (host)
+        headers.set("host", host);
+    headers.set("x-platform-user-id", user.id);
+    headers.set("x-platform-tenant", tenantSubdomain);
+    if (user.email)
+        headers.set("x-platform-user-email", user.email);
+    if (user.name)
+        headers.set("x-platform-user-name", user.name);
+    return headers;
+}
+/**
+ * Resolve the upstream container URL for a tenant subdomain from the
+ * proxy route table. Returns null if no route exists or is unhealthy.
+ */
+function resolveContainerUrl(container, subdomain) {
+    if (!container.fleet)
+        return null;
+    const routes = container.fleet.proxy.getRoutes();
+    const route = routes.find((r) => r.subdomain === subdomain);
+    if (!route || !route.healthy)
+        return null;
+    return `http://${route.upstreamHost}:${route.upstreamPort}`;
+}
+/**
+ * Create a tenant subdomain proxy middleware.
+ *
+ * If the request Host identifies a tenant subdomain, authenticates the user,
+ * resolves the fleet container URL, and proxies the request. Non-tenant
+ * requests (root domain, reserved subdomains) pass through to next().
+ *
+ * Fail-closed: if fleet services or orgMemberRepo are unavailable, returns
+ * 503 instead of silently skipping checks.
+ */
+export function createTenantProxyMiddleware(container, config) {
+    const { platformDomain, resolveUser } = config;
+    return async (c, next) => {
+        const host = c.req.header("host");
+        if (!host)
+            return next();
+        const subdomain = extractTenantSubdomain(host, platformDomain);
+        if (!subdomain)
+            return next();
+        // --- Fail-closed checks ---
+        // Fleet services must be available for tenant proxying
+        if (!container.fleet) {
+            return c.json({ error: "Fleet services unavailable" }, 503);
+        }
+        // Authenticate -- reject unauthenticated requests
+        const user = await resolveUser(c.req.raw);
+        if (!user) {
+            return c.json({ error: "Authentication required" }, 401);
+        }
+        // Verify tenant ownership -- user must belong to the org that owns this subdomain
+        const profiles = await container.fleet.profileStore.list();
+        const profile = profiles.find((p) => p.name === subdomain);
+        if (!profile) {
+            return c.json({ error: "Tenant not found" }, 404);
+        }
+        const { validateTenantAccess } = await import("../../auth/index.js");
+        const hasAccess = await validateTenantAccess(user.id, profile.tenantId, container.orgMemberRepo);
+        if (!hasAccess) {
+            return c.json({ error: "Forbidden: not a member of this tenant" }, 403);
+        }
+        // Resolve fleet container URL via proxy route table
+        const upstream = resolveContainerUrl(container, subdomain);
+        if (!upstream) {
+            return c.json({ error: "Tenant not found" }, 404);
+        }
+        const url = new URL(c.req.url);
+        const targetUrl = `${upstream}${url.pathname}${url.search}`;
+        const upstreamHeaders = buildUpstreamHeaders(c.req.raw.headers, user, subdomain);
+        let response;
+        try {
+            response = await fetch(targetUrl, {
+                method: c.req.method,
+                headers: upstreamHeaders,
+                body: c.req.method !== "GET" && c.req.method !== "HEAD" ? c.req.raw.body : undefined,
+                // @ts-expect-error duplex needed for streaming request bodies
+                duplex: "half",
+            });
+        }
+        catch {
+            return c.json({ error: "Bad Gateway: upstream container unavailable" }, 502);
+        }
+        return new Response(response.body, {
+            status: response.status,
+            headers: response.headers,
+        });
+    };
+}

package/dist/server/mount-routes.d.ts

@@ -0,0 +1,30 @@
+/**
+ * mountRoutes — wire shared HTTP routes and middleware onto a Hono app.
+ *
+ * Mounts routes conditionally based on which feature sub-containers are
+ * present on the PlatformContainer. Products call this after building the
+ * container; tRPC routers (admin, fleet-update, etc.) are mounted
+ * separately by products since they need product-specific auth context.
+ */
+import type { Hono } from "hono";
+import type { RoutePlugin } from "./boot-config.js";
+import type { PlatformContainer } from "./container.js";
+export interface MountConfig {
+    provisionSecret: string;
+    cryptoServiceKey?: string;
+    platformDomain: string;
+}
+/**
+ * Mount all shared routes and middleware onto a Hono app based on the
+ * container's enabled feature slices.
+ *
+ * Mount order:
+ *   1. CORS middleware (from productConfig domain list)
+ *   2. Health endpoint (always)
+ *   3. Crypto webhook (if crypto enabled)
+ *   4. Stripe webhook (if stripe enabled)
+ *   5. Provision webhook (if fleet enabled)
+ *   6. Product-specific route plugins
+ *   7. Tenant proxy middleware (catch-all — must be last)
+ */
+export declare function mountRoutes(app: Hono, container: PlatformContainer, config: MountConfig, plugins?: RoutePlugin[]): void;

package/dist/server/mount-routes.js

@@ -0,0 +1,74 @@
+/**
+ * mountRoutes — wire shared HTTP routes and middleware onto a Hono app.
+ *
+ * Mounts routes conditionally based on which feature sub-containers are
+ * present on the PlatformContainer. Products call this after building the
+ * container; tRPC routers (admin, fleet-update, etc.) are mounted
+ * separately by products since they need product-specific auth context.
+ */
+import { cors } from "hono/cors";
+import { deriveCorsOrigins } from "../product-config/repository-types.js";
+import { createTenantProxyMiddleware } from "./middleware/tenant-proxy.js";
+import { createCryptoWebhookRoutes } from "./routes/crypto-webhook.js";
+import { createProvisionWebhookRoutes } from "./routes/provision-webhook.js";
+import { createStripeWebhookRoutes } from "./routes/stripe-webhook.js";
+// ---------------------------------------------------------------------------
+// mountRoutes
+// ---------------------------------------------------------------------------
+/**
+ * Mount all shared routes and middleware onto a Hono app based on the
+ * container's enabled feature slices.
+ *
+ * Mount order:
+ *   1. CORS middleware (from productConfig domain list)
+ *   2. Health endpoint (always)
+ *   3. Crypto webhook (if crypto enabled)
+ *   4. Stripe webhook (if stripe enabled)
+ *   5. Provision webhook (if fleet enabled)
+ *   6. Product-specific route plugins
+ *   7. Tenant proxy middleware (catch-all — must be last)
+ */
+export function mountRoutes(app, container, config, plugins = []) {
+    // 1. CORS middleware
+    const origins = deriveCorsOrigins(container.productConfig.product, container.productConfig.domains);
+    app.use("*", cors({
+        origin: origins,
+        allowMethods: ["GET", "POST", "PUT", "PATCH", "DELETE", "OPTIONS"],
+        allowHeaders: ["Content-Type", "Authorization", "X-Request-ID"],
+        credentials: true,
+    }));
+    // 2. Health endpoint (always available)
+    app.get("/health", (c) => c.json({ ok: true }));
+    // 3. Crypto webhook (when crypto payments are enabled)
+    if (container.crypto) {
+        app.route("/api/webhooks/crypto", createCryptoWebhookRoutes(container, {
+            provisionSecret: config.provisionSecret,
+            cryptoServiceKey: config.cryptoServiceKey,
+        }));
+    }
+    // 4. Stripe webhook (when stripe billing is enabled)
+    if (container.stripe) {
+        app.route("/api/webhooks/stripe", createStripeWebhookRoutes(container));
+    }
+    // 5. Provision webhook (when fleet management is enabled)
+    if (container.fleet) {
+        const fleetConfig = container.productConfig.fleet;
+        app.route("/api/provision", createProvisionWebhookRoutes(container, {
+            provisionSecret: config.provisionSecret,
+            instanceImage: fleetConfig?.containerImage ?? "ghcr.io/default:latest",
+            containerPort: fleetConfig?.containerPort ?? 3000,
+            maxInstancesPerTenant: fleetConfig?.maxInstances ?? 5,
+        }));
+    }
+    // 6. Product-specific route plugins
+    for (const plugin of plugins) {
+        app.route(plugin.path, plugin.handler(container));
+    }
+    // 7. Tenant proxy middleware (catch-all — MUST be last)
+    if (container.fleet) {
+        app.use("*", createTenantProxyMiddleware(container, {
+            platformDomain: config.platformDomain,
+            resolveUser: async () => undefined, // Products override via plugin or direct middleware
+        }));
+    }
+}

package/dist/server/routes/__tests__/admin.test.d.ts

@@ -0,0 +1 @@
+export {};