@wopr-network/platform-core 1.67.1 → 1.69.0

package/dist/server/routes/__tests__/admin.test.js

@@ -0,0 +1,267 @@
+import { beforeEach, describe, expect, it, vi } from "vitest";
+import { createCallerFactory, router, setTrpcOrgMemberRepo } from "../../../trpc/init.js";
+import { createTestContainer } from "../../test-container.js";
+import { createAdminRouter } from "../admin.js";
+// ---------------------------------------------------------------------------
+// Mocks
+// ---------------------------------------------------------------------------
+// Mock global fetch for OpenRouter API calls
+const mockFetch = vi.fn();
+vi.stubGlobal("fetch", mockFetch);
+function makeMockOrgRepo() {
+    return {
+        listMembers: vi.fn().mockResolvedValue([]),
+        addMember: vi.fn().mockResolvedValue(undefined),
+        updateMemberRole: vi.fn().mockResolvedValue(undefined),
+        removeMember: vi.fn().mockResolvedValue(undefined),
+        findMember: vi.fn().mockResolvedValue(null),
+        countAdminsAndOwners: vi.fn().mockResolvedValue(0),
+        listInvites: vi.fn().mockResolvedValue([]),
+        createInvite: vi.fn().mockResolvedValue(undefined),
+        findInviteById: vi.fn().mockResolvedValue(null),
+        findInviteByToken: vi.fn().mockResolvedValue(null),
+        deleteInvite: vi.fn().mockResolvedValue(undefined),
+        deleteAllMembers: vi.fn().mockResolvedValue(undefined),
+        deleteAllInvites: vi.fn().mockResolvedValue(undefined),
+        listOrgsByUser: vi.fn().mockResolvedValue([]),
+        markInviteAccepted: vi.fn().mockResolvedValue(undefined),
+    };
+}
+const adminCtx = {
+    user: { id: "admin-1", roles: ["platform_admin"] },
+    tenantId: undefined,
+};
+// ---------------------------------------------------------------------------
+// Helpers
+// ---------------------------------------------------------------------------
+function makeCaller(container, config) {
+    const adminRouter = createAdminRouter(container, config);
+    const appRouter = router({ admin: adminRouter });
+    const createCaller = createCallerFactory(appRouter);
+    return createCaller(adminCtx);
+}
+// ---------------------------------------------------------------------------
+// Tests
+// ---------------------------------------------------------------------------
+describe("createAdminRouter", () => {
+    beforeEach(() => {
+        setTrpcOrgMemberRepo(makeMockOrgRepo());
+        mockFetch.mockReset();
+    });
+    // -------------------------------------------------------------------------
+    // Model list endpoint
+    // -------------------------------------------------------------------------
+    describe("listAvailableModels", () => {
+        it("returns cached models from OpenRouter API", async () => {
+            const container = createTestContainer();
+            const models = [
+                {
+                    id: "openai/gpt-4",
+                    name: "GPT-4",
+                    context_length: 8192,
+                    pricing: { prompt: "0.03", completion: "0.06" },
+                },
+                {
+                    id: "anthropic/claude-3",
+                    name: "Claude 3",
+                    context_length: 200000,
+                    pricing: { prompt: "0.015", completion: "0.075" },
+                },
+            ];
+            mockFetch.mockResolvedValueOnce({
+                ok: true,
+                json: async () => ({ data: models }),
+            });
+            const caller = makeCaller(container, { openRouterApiKey: "sk-test-key" });
+            const result = await caller.admin.listAvailableModels();
+            expect(result.models).toHaveLength(2);
+            expect(result.models[0].id).toBe("anthropic/claude-3");
+            expect(result.models[1].id).toBe("openai/gpt-4");
+            expect(mockFetch).toHaveBeenCalledOnce();
+            // Second call should use cache (no additional fetch)
+            const result2 = await caller.admin.listAvailableModels();
+            expect(result2.models).toHaveLength(2);
+            expect(mockFetch).toHaveBeenCalledOnce();
+        });
+        it("returns empty list when no API key configured", async () => {
+            const container = createTestContainer();
+            const caller = makeCaller(container); // no config = no API key
+            const result = await caller.admin.listAvailableModels();
+            expect(result.models).toEqual([]);
+            expect(mockFetch).not.toHaveBeenCalled();
+        });
+        it("returns stale cache on fetch failure", async () => {
+            // First call seeds the cache
+            const container = createTestContainer();
+            mockFetch.mockResolvedValueOnce({
+                ok: true,
+                json: async () => ({
+                    data: [{ id: "model/a", name: "A", context_length: 100, pricing: { prompt: "1", completion: "2" } }],
+                }),
+            });
+            const caller = makeCaller(container, { openRouterApiKey: "sk-test-key" });
+            await caller.admin.listAvailableModels();
+            // Advance past 60s cache TTL so the next call triggers a fetch
+            vi.useFakeTimers();
+            vi.advanceTimersByTime(61_000);
+            mockFetch.mockRejectedValueOnce(new Error("Network error"));
+            const result = await caller.admin.listAvailableModels();
+            // On failure, falls back to stale cache
+            expect(result.models).toHaveLength(1);
+            expect(result.models[0].id).toBe("model/a");
+            vi.useRealTimers();
+        });
+    });
+    // -------------------------------------------------------------------------
+    // Fleet instance listing
+    // -------------------------------------------------------------------------
+    describe("listAllInstances", () => {
+        it("lists instances using container.fleet", async () => {
+            const mockProfiles = [
+                { id: "inst-1", name: "Bot A", tenantId: "t1", image: "img:latest" },
+                { id: "inst-2", name: "Bot B", tenantId: "t2", image: "img:v2" },
+            ];
+            const mockStatus = {
+                state: "running",
+                health: "healthy",
+                uptime: 3600,
+                containerId: "abc123",
+                startedAt: "2026-01-01T00:00:00Z",
+            };
+            const container = createTestContainer({
+                fleet: {
+                    manager: {
+                        status: vi.fn().mockResolvedValue(mockStatus),
+                    },
+                    docker: {},
+                    proxy: {},
+                    profileStore: {
+                        list: vi.fn().mockResolvedValue(mockProfiles),
+                        init: vi.fn(),
+                        save: vi.fn(),
+                        get: vi.fn(),
+                        delete: vi.fn(),
+                    },
+                    serviceKeyRepo: {},
+                },
+            });
+            const caller = makeCaller(container);
+            const result = await caller.admin.listAllInstances();
+            expect(result.instances).toHaveLength(2);
+            expect(result.instances[0]).toEqual({
+                id: "inst-1",
+                name: "Bot A",
+                tenantId: "t1",
+                image: "img:latest",
+                state: "running",
+                health: "healthy",
+                uptime: 3600,
+                containerId: "abc123",
+                startedAt: "2026-01-01T00:00:00Z",
+            });
+        });
+        it("returns error when fleet not configured", async () => {
+            const container = createTestContainer({ fleet: null });
+            const caller = makeCaller(container);
+            const result = await caller.admin.listAllInstances();
+            expect(result.instances).toEqual([]);
+            expect(result.error).toBe("Fleet not configured");
+        });
+        it("returns error state for instances that fail status check", async () => {
+            const mockProfiles = [{ id: "inst-bad", name: "Bad Bot", tenantId: "t1", image: "img:latest" }];
+            const container = createTestContainer({
+                fleet: {
+                    manager: {
+                        status: vi.fn().mockRejectedValue(new Error("container not found")),
+                    },
+                    docker: {},
+                    proxy: {},
+                    profileStore: {
+                        list: vi.fn().mockResolvedValue(mockProfiles),
+                        init: vi.fn(),
+                        save: vi.fn(),
+                        get: vi.fn(),
+                        delete: vi.fn(),
+                    },
+                    serviceKeyRepo: {},
+                },
+            });
+            const caller = makeCaller(container);
+            const result = await caller.admin.listAllInstances();
+            expect(result.instances).toHaveLength(1);
+            expect(result.instances[0].state).toBe("error");
+            expect(result.instances[0].health).toBeNull();
+        });
+    });
+    // -------------------------------------------------------------------------
+    // Credit balance query
+    // -------------------------------------------------------------------------
+    describe("billingOverview", () => {
+        it("queries credit balance via container pool", async () => {
+            const mockPool = {
+                query: vi
+                    .fn()
+                    .mockResolvedValueOnce({ rows: [{ totalRaw: "50000000" }] }) // credit_entry sum (50M microdollars = 5000 cents)
+                    .mockResolvedValueOnce({ rows: [{ count: "3" }] }) // payment methods
+                    .mockResolvedValueOnce({ rows: [{ count: "5" }] }), // orgs
+                end: vi.fn(),
+            };
+            const container = createTestContainer({
+                pool: mockPool,
+                gateway: null, // no gateway = skip service key count
+            });
+            const caller = makeCaller(container);
+            const result = await caller.admin.billingOverview();
+            expect(result.totalBalanceCents).toBe(5000);
+            expect(result.activeKeyCount).toBe(0); // gateway not configured
+            expect(result.paymentMethodCount).toBe(3);
+            expect(result.orgCount).toBe(5);
+        });
+        it("counts active service keys when gateway is configured", async () => {
+            const mockPool = {
+                query: vi
+                    .fn()
+                    .mockResolvedValueOnce({ rows: [{ totalRaw: "0" }] }) // credit_entry
+                    .mockResolvedValueOnce({ rows: [{ count: "7" }] }) // service_keys
+                    .mockResolvedValueOnce({ rows: [{ count: "0" }] }) // payment methods
+                    .mockResolvedValueOnce({ rows: [{ count: "0" }] }), // orgs
+                end: vi.fn(),
+            };
+            const container = createTestContainer({
+                pool: mockPool,
+                gateway: {
+                    serviceKeyRepo: {},
+                },
+            });
+            const caller = makeCaller(container);
+            const result = await caller.admin.billingOverview();
+            expect(result.activeKeyCount).toBe(7);
+        });
+        it("returns zeros when tables do not exist", async () => {
+            const mockPool = {
+                query: vi.fn().mockRejectedValue(new Error('relation "credit_entry" does not exist')),
+                end: vi.fn(),
+            };
+            const container = createTestContainer({
+                pool: mockPool,
+            });
+            const caller = makeCaller(container);
+            const result = await caller.admin.billingOverview();
+            expect(result.totalBalanceCents).toBe(0);
+            expect(result.activeKeyCount).toBe(0);
+            expect(result.paymentMethodCount).toBe(0);
+            expect(result.orgCount).toBe(0);
+        });
+    });
+    // -------------------------------------------------------------------------
+    // Auth guard
+    // -------------------------------------------------------------------------
+    it("rejects non-admin users", async () => {
+        const container = createTestContainer();
+        const adminRouter = createAdminRouter(container);
+        const appRouter = router({ admin: adminRouter });
+        const createCaller = createCallerFactory(appRouter);
+        const caller = createCaller({ user: { id: "u1", roles: ["user"] }, tenantId: undefined });
+        await expect(caller.admin.listAvailableModels()).rejects.toThrow("Platform admin role required");
+    });
+});

package/dist/server/routes/__tests__/crypto-webhook.test.d.ts

@@ -0,0 +1 @@
+export {};

package/dist/server/routes/__tests__/crypto-webhook.test.js

@@ -0,0 +1,137 @@
+import { describe, expect, it, vi } from "vitest";
+import { createTestContainer } from "../../test-container.js";
+import { createCryptoWebhookRoutes } from "../crypto-webhook.js";
+// ---------------------------------------------------------------------------
+// Mock the key-server-webhook handler so we never hit real billing logic
+// ---------------------------------------------------------------------------
+vi.mock("../../../billing/crypto/key-server-webhook.js", () => ({
+    handleKeyServerWebhook: vi.fn().mockResolvedValue({
+        handled: true,
+        creditedCents: 500,
+    }),
+}));
+// ---------------------------------------------------------------------------
+// Helpers
+// ---------------------------------------------------------------------------
+const SECRET = "test-provision-secret";
+const CRYPTO_KEY = "test-crypto-service-key";
+function makeConfig(overrides) {
+    return {
+        provisionSecret: SECRET,
+        cryptoServiceKey: CRYPTO_KEY,
+        ...overrides,
+    };
+}
+function makeCrypto() {
+    return {
+        chargeRepo: {},
+        webhookSeenRepo: {},
+    };
+}
+const validPayload = {
+    chargeId: "ch_123",
+    chain: "ETH",
+    address: "0xabc",
+    status: "confirmed",
+};
+function buildApp(opts) {
+    const container = createTestContainer({
+        crypto: opts?.crypto !== undefined ? opts.crypto : makeCrypto(),
+    });
+    const config = makeConfig(opts?.config);
+    return createCryptoWebhookRoutes(container, config);
+}
+async function post(app, body, headers) {
+    const init = {
+        method: "POST",
+        headers: {
+            "Content-Type": "application/json",
+            ...headers,
+        },
+    };
+    if (body !== undefined) {
+        init.body = typeof body === "string" ? body : JSON.stringify(body);
+    }
+    return app.request("/", init);
+}
+// ---------------------------------------------------------------------------
+// Tests
+// ---------------------------------------------------------------------------
+describe("createCryptoWebhookRoutes", () => {
+    // 1. No auth header
+    it("returns 401 without auth header", async () => {
+        const app = buildApp();
+        const res = await post(app, validPayload);
+        expect(res.status).toBe(401);
+        const json = await res.json();
+        expect(json.error).toBe("Unauthorized");
+    });
+    // 2. Wrong Bearer token
+    it("returns 401 with wrong Bearer token", async () => {
+        const app = buildApp();
+        const res = await post(app, validPayload, {
+            Authorization: "Bearer wrong-token",
+        });
+        expect(res.status).toBe(401);
+        const json = await res.json();
+        expect(json.error).toBe("Unauthorized");
+    });
+    // 3. Invalid JSON
+    it("returns 400 on invalid JSON", async () => {
+        const app = buildApp();
+        const res = await app.request("/", {
+            method: "POST",
+            headers: {
+                "Content-Type": "application/json",
+                Authorization: `Bearer ${SECRET}`,
+            },
+            body: "not-valid-json{{{",
+        });
+        expect(res.status).toBe(400);
+        const json = await res.json();
+        expect(json.error).toBe("Invalid JSON");
+    });
+    // 4. Zod validation failure (missing required fields)
+    it("returns 400 on payload that fails Zod validation", async () => {
+        const app = buildApp();
+        const res = await post(app, { chargeId: "ch_123" }, // missing chain, address, status
+        { Authorization: `Bearer ${SECRET}` });
+        expect(res.status).toBe(400);
+        const json = await res.json();
+        expect(json.error).toBe("Invalid payload");
+        expect(json.issues).toBeDefined();
+        expect(json.issues.length).toBeGreaterThan(0);
+    });
+    // 5. Container crypto is null -> 501
+    it("returns 501 when container.crypto is null", async () => {
+        const app = buildApp({ crypto: null });
+        const res = await post(app, validPayload, {
+            Authorization: `Bearer ${SECRET}`,
+        });
+        expect(res.status).toBe(501);
+        const json = await res.json();
+        expect(json.error).toBe("Crypto payments not configured");
+    });
+    // 6. Valid Bearer matching provision secret
+    it("accepts valid Bearer token matching provision secret", async () => {
+        const app = buildApp();
+        const res = await post(app, validPayload, {
+            Authorization: `Bearer ${SECRET}`,
+        });
+        expect(res.status).toBe(200);
+        const json = await res.json();
+        expect(json.handled).toBe(true);
+        expect(json.creditedCents).toBe(500);
+    });
+    // 7. Valid Bearer matching crypto service key
+    it("accepts valid Bearer token matching crypto service key", async () => {
+        const app = buildApp();
+        const res = await post(app, validPayload, {
+            Authorization: `Bearer ${CRYPTO_KEY}`,
+        });
+        expect(res.status).toBe(200);
+        const json = await res.json();
+        expect(json.handled).toBe(true);
+        expect(json.creditedCents).toBe(500);
+    });
+});

package/dist/server/routes/__tests__/provision-webhook.test.d.ts

@@ -0,0 +1 @@
+export {};

package/dist/server/routes/__tests__/provision-webhook.test.js

@@ -0,0 +1,212 @@
+import { describe, expect, it, vi } from "vitest";
+import { createTestContainer } from "../../test-container.js";
+import { createProvisionWebhookRoutes } from "../provision-webhook.js";
+// ---------------------------------------------------------------------------
+// Helpers
+// ---------------------------------------------------------------------------
+const SECRET = "test-provision-secret-1234";
+function makeConfig(overrides) {
+    return {
+        provisionSecret: SECRET,
+        instanceImage: "ghcr.io/test/app:latest",
+        containerPort: 3000,
+        maxInstancesPerTenant: 5,
+        gatewayUrl: "http://gateway:4000",
+        containerPrefix: "test",
+        ...overrides,
+    };
+}
+function makeFleet() {
+    return {
+        manager: {
+            create: vi.fn().mockResolvedValue({
+                id: "inst-001",
+                containerId: "docker-abc",
+                containerName: "test-myapp",
+                url: "http://test-myapp:3000",
+                profile: { id: "inst-001", name: "myapp", tenantId: "tenant-1" },
+            }),
+            remove: vi.fn().mockResolvedValue(undefined),
+            status: vi.fn().mockResolvedValue({
+                id: "inst-001",
+                name: "myapp",
+                state: "running",
+            }),
+        },
+        docker: {},
+        proxy: {
+            addRoute: vi.fn().mockResolvedValue(undefined),
+            removeRoute: vi.fn(),
+            updateHealth: vi.fn(),
+            getRoutes: vi.fn().mockReturnValue([]),
+            start: vi.fn().mockResolvedValue(undefined),
+            stop: vi.fn().mockResolvedValue(undefined),
+            reload: vi.fn().mockResolvedValue(undefined),
+        },
+        profileStore: {
+            init: vi.fn().mockResolvedValue(undefined),
+            save: vi.fn().mockResolvedValue(undefined),
+            get: vi.fn().mockResolvedValue(null),
+            list: vi.fn().mockResolvedValue([]),
+            delete: vi.fn().mockResolvedValue(true),
+        },
+        serviceKeyRepo: {
+            generate: vi.fn().mockResolvedValue("key-abc"),
+            resolve: vi.fn().mockResolvedValue(null),
+            revokeByInstance: vi.fn().mockResolvedValue(undefined),
+            revokeByTenant: vi.fn().mockResolvedValue(undefined),
+        },
+    };
+}
+function buildApp(opts) {
+    const container = createTestContainer({
+        fleet: opts?.fleet !== undefined ? opts.fleet : makeFleet(),
+    });
+    const config = makeConfig(opts?.config);
+    return createProvisionWebhookRoutes(container, config);
+}
+async function request(app, method, path, body, headers) {
+    const init = {
+        method,
+        headers: {
+            "Content-Type": "application/json",
+            ...headers,
+        },
+    };
+    if (body !== undefined) {
+        init.body = JSON.stringify(body);
+    }
+    return app.request(path, init);
+}
+// ---------------------------------------------------------------------------
+// Tests
+// ---------------------------------------------------------------------------
+describe("createProvisionWebhookRoutes", () => {
+    // ---- Auth tests (apply to all endpoints) ----
+    it("returns 401 without authorization header", async () => {
+        const app = buildApp();
+        const res = await request(app, "POST", "/create", { tenantId: "t1", subdomain: "test" });
+        expect(res.status).toBe(401);
+        const json = await res.json();
+        expect(json.error).toBe("Unauthorized");
+    });
+    it("returns 401 with wrong secret", async () => {
+        const app = buildApp();
+        const res = await request(app, "POST", "/create", { tenantId: "t1", subdomain: "test" }, {
+            Authorization: "Bearer wrong-secret",
+        });
+        expect(res.status).toBe(401);
+        const json = await res.json();
+        expect(json.error).toBe("Unauthorized");
+    });
+    // ---- Fleet not configured ----
+    it("returns 501 when fleet not configured (container.fleet is null)", async () => {
+        const app = buildApp({ fleet: null });
+        const res = await request(app, "POST", "/create", { tenantId: "t1", subdomain: "test" }, {
+            Authorization: `Bearer ${SECRET}`,
+        });
+        expect(res.status).toBe(501);
+        const json = await res.json();
+        expect(json.error).toBe("Fleet management not configured");
+    });
+    it("returns 501 on destroy when fleet not configured", async () => {
+        const app = buildApp({ fleet: null });
+        const res = await request(app, "POST", "/destroy", { instanceId: "inst-001" }, {
+            Authorization: `Bearer ${SECRET}`,
+        });
+        expect(res.status).toBe(501);
+    });
+    it("returns 501 on budget when fleet not configured", async () => {
+        const app = buildApp({ fleet: null });
+        const res = await request(app, "PUT", "/budget", { instanceId: "inst-001", tenantEntityId: "te-1", budgetCents: 1000 }, { Authorization: `Bearer ${SECRET}` });
+        expect(res.status).toBe(501);
+    });
+    // ---- Create endpoint ----
+    it("handles create webhook with valid auth and payload", async () => {
+        const fleet = makeFleet();
+        const app = buildApp({ fleet });
+        const res = await request(app, "POST", "/create", { tenantId: "tenant-1", subdomain: "myapp" }, { Authorization: `Bearer ${SECRET}` });
+        expect(res.status).toBe(201);
+        const json = await res.json();
+        expect(json.ok).toBe(true);
+        expect(json.instanceId).toBe("inst-001");
+        expect(json.subdomain).toBe("myapp");
+        expect(json.containerUrl).toBe("http://test-myapp:3000");
+        // Verify fleet.create was called with generic env var names
+        expect(fleet.manager.create).toHaveBeenCalledTimes(1);
+        const createCall = fleet.manager.create.mock.calls[0][0];
+        expect(createCall.env.HOSTED_MODE).toBe("true");
+        expect(createCall.env.DEPLOYMENT_MODE).toBe("hosted_proxy");
+        expect(createCall.env.DEPLOYMENT_EXPOSURE).toBe("private");
+        expect(createCall.env.MIGRATION_AUTO_APPLY).toBe("true");
+        // Verify NO product-specific prefixes
+        expect(createCall.env.PAPERCLIP_HOSTED_MODE).toBeUndefined();
+        expect(createCall.env.PAPERCLIP_DEPLOYMENT_MODE).toBeUndefined();
+        // Verify proxy route was registered
+        expect(fleet.proxy.addRoute).toHaveBeenCalledTimes(1);
+    });
+    it("returns 422 on create when required fields are missing", async () => {
+        const app = buildApp();
+        const res = await request(app, "POST", "/create", { tenantId: "tenant-1" }, // missing subdomain
+        { Authorization: `Bearer ${SECRET}` });
+        expect(res.status).toBe(422);
+        const json = await res.json();
+        expect(json.error).toContain("Missing required fields");
+    });
+    // ---- Destroy endpoint ----
+    it("handles destroy webhook with valid auth and instanceId", async () => {
+        const fleet = makeFleet();
+        const app = buildApp({ fleet });
+        const res = await request(app, "POST", "/destroy", { instanceId: "inst-001" }, { Authorization: `Bearer ${SECRET}` });
+        expect(res.status).toBe(200);
+        const json = await res.json();
+        expect(json.ok).toBe(true);
+        expect(fleet.serviceKeyRepo.revokeByInstance).toHaveBeenCalledWith("inst-001");
+        expect(fleet.manager.remove).toHaveBeenCalledWith("inst-001");
+        expect(fleet.proxy.removeRoute).toHaveBeenCalledWith("inst-001");
+    });
+    it("returns 422 on destroy when instanceId is missing", async () => {
+        const app = buildApp();
+        const res = await request(app, "POST", "/destroy", {}, {
+            Authorization: `Bearer ${SECRET}`,
+        });
+        expect(res.status).toBe(422);
+        const json = await res.json();
+        expect(json.error).toContain("Missing required field");
+    });
+    // ---- Budget endpoint ----
+    it("handles budget webhook with valid auth and payload", async () => {
+        const fleet = makeFleet();
+        const app = buildApp({ fleet });
+        const res = await request(app, "PUT", "/budget", { instanceId: "inst-001", tenantEntityId: "te-1", budgetCents: 5000 }, { Authorization: `Bearer ${SECRET}` });
+        expect(res.status).toBe(200);
+        const json = await res.json();
+        expect(json.ok).toBe(true);
+        expect(json.budgetCents).toBe(5000);
+    });
+    it("returns 422 on budget when required fields are missing", async () => {
+        const app = buildApp();
+        const res = await request(app, "PUT", "/budget", { instanceId: "inst-001" }, // missing tenantEntityId, budgetCents
+        { Authorization: `Bearer ${SECRET}` });
+        expect(res.status).toBe(422);
+        const json = await res.json();
+        expect(json.error).toContain("Missing required fields");
+    });
+    // ---- Generic env var names ----
+    it("uses generic env var names with no PAPERCLIP_ prefix anywhere", async () => {
+        const fleet = makeFleet();
+        const app = buildApp({ fleet });
+        await request(app, "POST", "/create", { tenantId: "tenant-1", subdomain: "myapp" }, { Authorization: `Bearer ${SECRET}` });
+        const createCall = fleet.manager.create.mock.calls[0][0];
+        const envKeys = Object.keys(createCall.env);
+        for (const key of envKeys) {
+            expect(key).not.toMatch(/^PAPERCLIP_/);
+        }
+        // Verify expected generic names are present
+        expect(envKeys).toContain("HOSTED_MODE");
+        expect(envKeys).toContain("DEPLOYMENT_MODE");
+        expect(envKeys).toContain("DEPLOYMENT_EXPOSURE");
+        expect(envKeys).toContain("MIGRATION_AUTO_APPLY");
+        expect(envKeys).toContain("PROVISION_SECRET");
+    });
+});

package/dist/server/routes/__tests__/stripe-webhook.test.d.ts

@@ -0,0 +1 @@
+export {};