@wopr-network/platform-core 1.68.0 → 1.69.0

package/src/server/routes/admin.ts

@@ -0,0 +1,334 @@
+/**
+ * Admin tRPC router factory — platform-wide settings for the operator.
+ *
+ * All endpoints require platform_admin role (via adminProcedure).
+ * Dependencies are injected via PlatformContainer rather than module-level
+ * singletons, enabling clean testing and per-product composition.
+ */
+
+import { eq } from "drizzle-orm";
+import { z } from "zod";
+import { tenantModelSelection } from "../../db/schema/tenant-model-selection.js";
+import { adminProcedure, router } from "../../trpc/init.js";
+import type { PlatformContainer } from "../container.js";
+
+// ---------------------------------------------------------------------------
+// OpenRouter model list cache (module-level — safe for a cache)
+// ---------------------------------------------------------------------------
+
+type CachedModel = {
+  id: string;
+  name: string;
+  contextLength: number;
+  promptPrice: string;
+  completionPrice: string;
+};
+let modelListCache: CachedModel[] | null = null;
+let modelListCacheExpiry = 0;
+
+/** Well-known tenant ID for the global platform model setting. */
+const GLOBAL_TENANT_ID = "__platform__";
+
+// ---------------------------------------------------------------------------
+// Gateway model cache (short-TTL, refreshed per-request for the proxy)
+// ---------------------------------------------------------------------------
+
+const CACHE_TTL_MS = 5_000;
+let cachedModel: string | null = null;
+let modelCacheExpiry = 0;
+
+/** Container ref stashed by `warmModelCache` so the background refresh can use it. */
+let _container: PlatformContainer | null = null;
+
+/**
+ * Synchronous model resolver for the gateway proxy.
+ * Returns the cached DB value, or null to fall back to env var.
+ * The cache is refreshed asynchronously every 5 seconds.
+ */
+export function resolveGatewayModel(): string | null {
+  const now = Date.now();
+  if (now > modelCacheExpiry && _container) {
+    // Refresh cache in the background — don't block the request
+    refreshModelCache(_container).catch(() => {});
+  }
+  return cachedModel;
+}
+
+async function refreshModelCache(container: PlatformContainer): Promise<void> {
+  try {
+    const row = await container.db
+      .select({ defaultModel: tenantModelSelection.defaultModel })
+      .from(tenantModelSelection)
+      .where(eq(tenantModelSelection.tenantId, GLOBAL_TENANT_ID))
+      .then((rows) => rows[0] ?? null);
+    cachedModel = row?.defaultModel ?? null;
+    modelCacheExpiry = Date.now() + CACHE_TTL_MS;
+  } catch {
+    // DB error — keep stale cache, retry next time
+  }
+}
+
+/** Seed the cache on startup so the first request doesn't miss. */
+export async function warmModelCache(container: PlatformContainer): Promise<void> {
+  _container = container;
+  await refreshModelCache(container);
+}
+
+// ---------------------------------------------------------------------------
+// Config shape needed by the OpenRouter model listing
+// ---------------------------------------------------------------------------
+
+export interface AdminRouterConfig {
+  openRouterApiKey?: string;
+}
+
+// ---------------------------------------------------------------------------
+// Router factory
+// ---------------------------------------------------------------------------
+
+export function createAdminRouter(container: PlatformContainer, config?: AdminRouterConfig) {
+  return router({
+    /** Get the current gateway model setting. */
+    getGatewayModel: adminProcedure.query(async () => {
+      const row = await container.db
+        .select({
+          defaultModel: tenantModelSelection.defaultModel,
+          updatedAt: tenantModelSelection.updatedAt,
+        })
+        .from(tenantModelSelection)
+        .where(eq(tenantModelSelection.tenantId, GLOBAL_TENANT_ID))
+        .then((rows) => rows[0] ?? null);
+      return {
+        model: row?.defaultModel ?? null,
+        updatedAt: row?.updatedAt ?? null,
+      };
+    }),
+
+    /** Set the gateway model. Takes effect within 5 seconds. */
+    setGatewayModel: adminProcedure
+      .input(z.object({ model: z.string().min(1).max(200) }))
+      .mutation(async ({ input }) => {
+        const now = new Date().toISOString();
+        await container.db
+          .insert(tenantModelSelection)
+          .values({
+            tenantId: GLOBAL_TENANT_ID,
+            defaultModel: input.model,
+            updatedAt: now,
+          })
+          .onConflictDoUpdate({
+            target: tenantModelSelection.tenantId,
+            set: { defaultModel: input.model, updatedAt: now },
+          });
+        // Immediately update the in-memory cache.
+        cachedModel = input.model;
+        modelCacheExpiry = Date.now() + CACHE_TTL_MS;
+        return { ok: true, model: input.model };
+      }),
+
+    /** List available OpenRouter models for the gateway model dropdown. */
+    listAvailableModels: adminProcedure.query(async () => {
+      const apiKey = config?.openRouterApiKey;
+      if (!apiKey) return { models: [] };
+
+      const now = Date.now();
+      if (modelListCache && modelListCacheExpiry > now) return { models: modelListCache };
+
+      try {
+        const res = await fetch("https://openrouter.ai/api/v1/models", {
+          headers: { Authorization: `Bearer ${apiKey}` },
+          signal: AbortSignal.timeout(10_000),
+        });
+        if (!res.ok) return { models: modelListCache ?? [] };
+        const json = (await res.json()) as {
+          data: Array<{
+            id: string;
+            name: string;
+            context_length?: number;
+            pricing?: { prompt?: string; completion?: string };
+          }>;
+        };
+        const models = json.data
+          .map((m) => ({
+            id: m.id,
+            name: m.name,
+            contextLength: m.context_length ?? 0,
+            promptPrice: m.pricing?.prompt ?? "0",
+            completionPrice: m.pricing?.completion ?? "0",
+          }))
+          .sort((a, b) => a.id.localeCompare(b.id));
+        modelListCache = models;
+        modelListCacheExpiry = now + 60_000;
+        return { models };
+      } catch {
+        return { models: modelListCache ?? [] };
+      }
+    }),
+
+    // -----------------------------------------------------------------------
+    // Platform-wide instance overview (all tenants)
+    // -----------------------------------------------------------------------
+
+    /** List ALL instances across all tenants with health status. */
+    listAllInstances: adminProcedure.query(async () => {
+      if (!container.fleet) {
+        return { instances: [], error: "Fleet not configured" };
+      }
+
+      const fleet = container.fleet;
+      const profiles = await fleet.profileStore.list();
+
+      const instances = await Promise.all(
+        profiles.map(async (profile) => {
+          try {
+            const status = await fleet.manager.status(profile.id);
+            return {
+              id: profile.id,
+              name: profile.name,
+              tenantId: profile.tenantId,
+              image: profile.image,
+              state: status.state,
+              health: status.health,
+              uptime: status.uptime,
+              containerId: status.containerId ?? null,
+              startedAt: status.startedAt ?? null,
+            };
+          } catch {
+            return {
+              id: profile.id,
+              name: profile.name,
+              tenantId: profile.tenantId,
+              image: profile.image,
+              state: "error" as const,
+              health: null,
+              uptime: null,
+              containerId: null,
+              startedAt: null,
+            };
+          }
+        }),
+      );
+
+      return { instances };
+    }),
+
+    // -----------------------------------------------------------------------
+    // Platform-wide tenant/org overview
+    // -----------------------------------------------------------------------
+
+    /** List all organizations with member counts and instance counts. */
+    listAllOrgs: adminProcedure.query(async () => {
+      const orgs = await container.pool.query<{
+        id: string;
+        name: string;
+        slug: string | null;
+        createdAt: string;
+        memberCount: string;
+      }>(`
+        SELECT
+          o.id,
+          o.name,
+          o.slug,
+          o.created_at as "createdAt",
+          (SELECT COUNT(*) FROM org_member om WHERE om.org_id = o.id) as "memberCount"
+        FROM organization o
+        ORDER BY o.created_at DESC
+      `);
+
+      // Count instances per tenant from fleet profiles
+      const instanceCountByTenant = new Map<string, number>();
+      if (container.fleet) {
+        const profiles = await container.fleet.profileStore.list();
+        for (const p of profiles) {
+          instanceCountByTenant.set(p.tenantId, (instanceCountByTenant.get(p.tenantId) ?? 0) + 1);
+        }
+      }
+
+      const result = await Promise.all(
+        orgs.rows.map(async (org) => {
+          let balanceCents = 0;
+          try {
+            const balance = await container.creditLedger.balance(org.id);
+            balanceCents = (balance as { toCentsRounded(): number }).toCentsRounded();
+          } catch {
+            // Ledger may not have an entry for this org
+          }
+          return {
+            id: org.id,
+            name: org.name,
+            slug: org.slug,
+            createdAt: org.createdAt,
+            memberCount: Number(org.memberCount),
+            instanceCount: instanceCountByTenant.get(org.id) ?? 0,
+            balanceCents,
+          };
+        }),
+      );
+
+      return { orgs: result };
+    }),
+
+    // -----------------------------------------------------------------------
+    // Platform-wide billing summary
+    // -----------------------------------------------------------------------
+
+    /** Get platform billing summary: total credits, active service keys, payment method count. */
+    billingOverview: adminProcedure.query(async () => {
+      // Total credit balance across all tenants
+      let totalBalanceCents = 0;
+      try {
+        const balanceResult = await container.pool.query<{ totalRaw: string }>(`
+          SELECT COALESCE(SUM(amount), 0) as "totalRaw"
+          FROM credit_entry
+        `);
+        const rawTotal = Number(balanceResult.rows[0]?.totalRaw ?? 0);
+        // credit_entry.amount is in microdollars (10^-6), convert to cents
+        totalBalanceCents = Math.round(rawTotal / 10_000);
+      } catch {
+        // Table may not exist yet
+      }
+
+      // Count active service keys
+      let activeKeyCount = 0;
+      if (container.gateway) {
+        try {
+          const keyResult = await container.pool.query<{ count: string }>(
+            `SELECT COUNT(*) as "count" FROM service_keys WHERE revoked_at IS NULL`,
+          );
+          activeKeyCount = Number(keyResult.rows[0]?.count ?? 0);
+        } catch {
+          // Table may not exist
+        }
+      }
+
+      // Count payment methods across all tenants
+      let paymentMethodCount = 0;
+      try {
+        const pmResult = await container.pool.query<{ count: string }>(`
+          SELECT COUNT(*) as "count" FROM payment_methods WHERE enabled = true
+        `);
+        paymentMethodCount = Number(pmResult.rows[0]?.count ?? 0);
+      } catch {
+        // Table may not exist
+      }
+
+      // Count total orgs
+      let orgCount = 0;
+      try {
+        const orgCountResult = await container.pool.query<{ count: string }>(
+          `SELECT COUNT(*) as "count" FROM organization`,
+        );
+        orgCount = Number(orgCountResult.rows[0]?.count ?? 0);
+      } catch {
+        // Table may not exist
+      }
+
+      return {
+        totalBalanceCents,
+        activeKeyCount,
+        paymentMethodCount,
+        orgCount,
+      };
+    }),
+  });
+}

package/src/server/routes/crypto-webhook.ts

@@ -0,0 +1,110 @@
+/**
+ * Crypto webhook route — accepts payment confirmations from the key server.
+ *
+ * Extracted from paperclip-platform into platform-core so every product
+ * gets the same timing-safe auth, Zod validation, and idempotent handler
+ * without copy-pasting.
+ */
+
+import { timingSafeEqual } from "node:crypto";
+import { Hono } from "hono";
+import { z } from "zod";
+import type { CryptoWebhookPayload } from "../../billing/crypto/index.js";
+import { handleKeyServerWebhook } from "../../billing/crypto/key-server-webhook.js";
+
+import type { PlatformContainer } from "../container.js";
+
+// ---------------------------------------------------------------------------
+// Zod schema for incoming webhook payloads
+// ---------------------------------------------------------------------------
+
+const cryptoWebhookSchema = z.object({
+  chargeId: z.string().min(1),
+  chain: z.string().min(1),
+  address: z.string().min(1),
+  amountUsdCents: z.number().optional(),
+  amountReceivedCents: z.number().optional(),
+  status: z.string().min(1),
+  txHash: z.string().optional(),
+  amountReceived: z.string().optional(),
+  confirmations: z.number().optional(),
+  confirmationsRequired: z.number().optional(),
+});
+
+// ---------------------------------------------------------------------------
+// Config accepted at mount time
+// ---------------------------------------------------------------------------
+
+export interface CryptoWebhookConfig {
+  provisionSecret: string;
+  cryptoServiceKey?: string;
+}
+
+// ---------------------------------------------------------------------------
+// Timing-safe secret validation
+// ---------------------------------------------------------------------------
+
+function assertSecret(authHeader: string | undefined, config: CryptoWebhookConfig): boolean {
+  if (!authHeader?.startsWith("Bearer ")) return false;
+  const token = authHeader.slice("Bearer ".length).trim();
+
+  const secrets = [config.provisionSecret, config.cryptoServiceKey].filter((s): s is string => !!s);
+
+  for (const secret of secrets) {
+    if (token.length === secret.length && timingSafeEqual(Buffer.from(token), Buffer.from(secret))) {
+      return true;
+    }
+  }
+  return false;
+}
+
+// ---------------------------------------------------------------------------
+// Route factory
+// ---------------------------------------------------------------------------
+
+/**
+ * Create the crypto webhook Hono sub-app.
+ *
+ * Mount it at `/api/webhooks/crypto` (or wherever the product prefers).
+ *
+ * ```ts
+ * app.route("/api/webhooks/crypto", createCryptoWebhookRoutes(container, config));
+ * ```
+ */
+export function createCryptoWebhookRoutes(container: PlatformContainer, config: CryptoWebhookConfig): Hono {
+  const app = new Hono();
+
+  app.post("/", async (c) => {
+    if (!assertSecret(c.req.header("authorization"), config)) {
+      return c.json({ error: "Unauthorized" }, 401);
+    }
+
+    if (!container.crypto) {
+      return c.json({ error: "Crypto payments not configured" }, 501);
+    }
+
+    let payload: CryptoWebhookPayload;
+    try {
+      const raw = await c.req.json();
+      payload = cryptoWebhookSchema.parse(raw) as CryptoWebhookPayload;
+    } catch (err) {
+      if (err instanceof z.ZodError) {
+        return c.json({ error: "Invalid payload", issues: err.issues }, 400);
+      }
+      return c.json({ error: "Invalid JSON" }, 400);
+    }
+
+    const result = await handleKeyServerWebhook(
+      {
+        chargeStore: container.crypto.chargeRepo,
+        creditLedger: container.creditLedger,
+        replayGuard: container.crypto.webhookSeenRepo,
+      },
+      payload,
+    );
+
+    return c.json(result, 200);
+  });
+
+  return app;
+}

package/src/server/routes/provision-webhook.ts

@@ -0,0 +1,212 @@
+/**
+ * Provision webhook routes — instance lifecycle management.
+ *
+ * POST /create  — spin up a new container and configure it
+ * POST /destroy — tear down a container
+ * PUT  /budget  — update a container's spending budget
+ *
+ * Extracted from product-specific implementations into platform-core so
+ * every product gets the same timing-safe auth and DI-based fleet access
+ * without copy-pasting.
+ *
+ * All env var names are generic (no product-specific prefixes).
+ */
+
+import { timingSafeEqual } from "node:crypto";
+import { Hono } from "hono";
+
+import type { PlatformContainer } from "../container.js";
+
+// ---------------------------------------------------------------------------
+// Config accepted at mount time
+// ---------------------------------------------------------------------------
+
+export interface ProvisionWebhookConfig {
+  provisionSecret: string;
+  /** Docker image to provision for new instances. */
+  instanceImage: string;
+  /** Port the provisioned container listens on. */
+  containerPort: number;
+  /** Maximum instances per tenant (0 = unlimited). */
+  maxInstancesPerTenant: number;
+  /** URL of the metered inference gateway (passed to provisioned containers). */
+  gatewayUrl?: string;
+  /** Container prefix for naming (e.g. "wopr" → "wopr-<subdomain>"). */
+  containerPrefix?: string;
+}
+
+// ---------------------------------------------------------------------------
+// Timing-safe secret validation (same pattern as crypto-webhook)
+// ---------------------------------------------------------------------------
+
+function assertSecret(authHeader: string | undefined, secret: string): boolean {
+  if (!authHeader?.startsWith("Bearer ")) return false;
+  const token = authHeader.slice("Bearer ".length).trim();
+  if (token.length !== secret.length) return false;
+  return timingSafeEqual(Buffer.from(token), Buffer.from(secret));
+}
+
+// ---------------------------------------------------------------------------
+// Route factory
+// ---------------------------------------------------------------------------
+
+/**
+ * Create the provision webhook Hono sub-app.
+ *
+ * Mount it at `/api/provision` (or wherever the product prefers).
+ *
+ * ```ts
+ * app.route("/api/provision", createProvisionWebhookRoutes(container, config));
+ * ```
+ */
+export function createProvisionWebhookRoutes(container: PlatformContainer, config: ProvisionWebhookConfig): Hono {
+  const app = new Hono();
+
+  // ------------------------------------------------------------------
+  // POST /create — create a new managed instance
+  // ------------------------------------------------------------------
+  app.post("/create", async (c) => {
+    if (!assertSecret(c.req.header("authorization"), config.provisionSecret)) {
+      return c.json({ error: "Unauthorized" }, 401);
+    }
+
+    if (!container.fleet) {
+      return c.json({ error: "Fleet management not configured" }, 501);
+    }
+
+    const body = await c.req.json();
+    const { tenantId, subdomain } = body;
+
+    if (!tenantId || !subdomain) {
+      return c.json({ error: "Missing required fields: tenantId, subdomain" }, 422);
+    }
+
+    // Billing gate — require positive credit balance before provisioning
+    const balance = await container.creditLedger.balance(tenantId);
+    if (typeof balance === "object" && "isZero" in balance) {
+      const bal = balance as { isZero(): boolean; isNegative(): boolean };
+      if (bal.isZero() || bal.isNegative()) {
+        return c.json({ error: "Insufficient credits: add funds before creating an instance" }, 402);
+      }
+    }
+
+    // Instance limit gate
+    const { profileStore, manager: fleet, proxy } = container.fleet;
+
+    if (config.maxInstancesPerTenant > 0) {
+      const profiles = await profileStore.list();
+      const tenantInstances = profiles.filter((p) => p.tenantId === tenantId);
+      if (tenantInstances.length >= config.maxInstancesPerTenant) {
+        return c.json({ error: `Instance limit reached: maximum ${config.maxInstancesPerTenant} per tenant` }, 403);
+      }
+    }
+
+    // Create the Docker container
+    const instance = await fleet.create({
+      tenantId,
+      name: subdomain,
+      description: `Managed instance for ${subdomain}`,
+      image: config.instanceImage,
+      env: {
+        PORT: String(config.containerPort),
+        PROVISION_SECRET: config.provisionSecret,
+        HOSTED_MODE: "true",
+        DEPLOYMENT_MODE: "hosted_proxy",
+        DEPLOYMENT_EXPOSURE: "private",
+        MIGRATION_AUTO_APPLY: "true",
+      },
+      restartPolicy: "unless-stopped",
+      releaseChannel: "stable",
+      updatePolicy: "manual",
+    });
+
+    // Register proxy route — container name must match FleetManager naming convention
+    const prefix = config.containerPrefix ?? "wopr";
+    const containerName = `${prefix}-${subdomain}`;
+    await proxy.addRoute({
+      instanceId: instance.id,
+      subdomain,
+      upstreamHost: containerName,
+      upstreamPort: config.containerPort,
+      healthy: true,
+    });
+
+    return c.json(
+      {
+        ok: true,
+        instanceId: instance.id,
+        subdomain,
+        containerUrl: `http://${containerName}:${config.containerPort}`,
+      },
+      201,
+    );
+  });
+
+  // ------------------------------------------------------------------
+  // POST /destroy — tear down a managed instance
+  // ------------------------------------------------------------------
+  app.post("/destroy", async (c) => {
+    if (!assertSecret(c.req.header("authorization"), config.provisionSecret)) {
+      return c.json({ error: "Unauthorized" }, 401);
+    }
+
+    if (!container.fleet) {
+      return c.json({ error: "Fleet management not configured" }, 501);
+    }
+
+    const body = await c.req.json();
+    const { instanceId } = body;
+
+    if (!instanceId) {
+      return c.json({ error: "Missing required field: instanceId" }, 422);
+    }
+
+    const { manager: fleet, proxy, serviceKeyRepo } = container.fleet;
+
+    // Revoke gateway service key
+    await serviceKeyRepo.revokeByInstance(instanceId);
+
+    // Remove the Docker container
+    try {
+      await fleet.remove(instanceId);
+    } catch {
+      // Container may already be gone — continue cleanup
+    }
+
+    // Remove proxy route
+    proxy.removeRoute(instanceId);
+
+    return c.json({ ok: true });
+  });
+
+  // ------------------------------------------------------------------
+  // PUT /budget — update a container's spending budget
+  // ------------------------------------------------------------------
+  app.put("/budget", async (c) => {
+    if (!assertSecret(c.req.header("authorization"), config.provisionSecret)) {
+      return c.json({ error: "Unauthorized" }, 401);
+    }
+
+    if (!container.fleet) {
+      return c.json({ error: "Fleet management not configured" }, 501);
+    }
+
+    const body = await c.req.json();
+    const { instanceId, tenantEntityId, budgetCents } = body;
+
+    if (!instanceId || !tenantEntityId || budgetCents === undefined) {
+      return c.json({ error: "Missing required fields: instanceId, tenantEntityId, budgetCents" }, 422);
+    }
+
+    const { manager: fleet } = container.fleet;
+
+    const status = await fleet.status(instanceId);
+    if (status.state !== "running") {
+      return c.json({ error: "Instance not running" }, 503);
+    }
+
+    return c.json({ ok: true, instanceId, budgetCents });
+  });
+
+  return app;
+}

package/src/server/routes/stripe-webhook.ts

@@ -0,0 +1,36 @@
+import { Hono } from "hono";
+
+import type { PlatformContainer } from "../container.js";
+
+/**
+ * Stripe webhook route factory.
+ *
+ * Delegates to `container.stripe.processor.handleWebhook()` which
+ * calls `stripe.webhooks.constructEvent()` internally for signature
+ * verification.
+ */
+export function createStripeWebhookRoutes(container: PlatformContainer): Hono {
+  const routes = new Hono();
+
+  routes.post("/", async (c) => {
+    if (!container.stripe) {
+      return c.json({ error: "Stripe not configured" }, 501);
+    }
+
+    const rawBody = Buffer.from(await c.req.arrayBuffer());
+    const sig = c.req.header("stripe-signature");
+
+    if (!sig) {
+      return c.json({ error: "Missing stripe-signature header" }, 400);
+    }
+
+    try {
+      const result = await container.stripe.processor.handleWebhook(rawBody, sig);
+      return c.json({ ok: true, result }, 200);
+    } catch {
+      return c.json({ error: "Webhook processing failed" }, 400);
+    }
+  });
+
+  return routes;
+}