@wopr-network/platform-core 1.68.0 → 1.70.0

package/src/server/middleware/tenant-proxy.ts

@@ -0,0 +1,192 @@
+/**
+ * Tenant subdomain proxy middleware.
+ *
+ * Extracts the tenant subdomain from the Host header, authenticates
+ * the user, verifies tenant membership via orgMemberRepo, resolves
+ * the fleet container URL, and proxies the request upstream.
+ *
+ * Ported from paperclip-platform with fail-closed semantics:
+ * - If fleet services are unavailable, returns 503 (not silent skip)
+ * - Auth check runs before tenant ownership check
+ * - Upstream headers are sanitized via allowlist
+ */
+
+import type { MiddlewareHandler } from "hono";
+import type { PlatformContainer } from "../container.js";
+
+/** Reserved subdomains that should never resolve to a tenant. */
+const RESERVED_SUBDOMAINS = new Set(["app", "api", "staging", "www", "mail", "admin", "dashboard", "status", "docs"]);
+
+/** DNS label rules (RFC 1123). */
+const SUBDOMAIN_RE = /^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$/;
+
+/**
+ * Headers safe to forward to upstream containers.
+ *
+ * This is an allowlist -- only these headers are copied from the incoming
+ * request. All x-platform-* headers are injected server-side after auth
+ * resolution, preventing client-side spoofing.
+ */
+const FORWARDED_HEADERS = [
+  "content-type",
+  "accept",
+  "accept-language",
+  "accept-encoding",
+  "content-length",
+  "x-request-id",
+  "user-agent",
+  "origin",
+  "referer",
+  "cookie",
+];
+
+/** Resolved user identity for upstream header injection. */
+export interface ProxyUserInfo {
+  id: string;
+  email?: string;
+  name?: string;
+}
+
+export interface TenantProxyConfig {
+  /** The platform root domain (e.g. "runpaperclip.com"). */
+  platformDomain: string;
+
+  /**
+   * Resolve the authenticated user from the request.
+   * Products wire this to their auth system (BetterAuth, etc.).
+   */
+  resolveUser: (req: Request) => Promise<ProxyUserInfo | undefined>;
+}
+
+/**
+ * Extract the tenant subdomain from a Host header value.
+ *
+ * "alice.example.com" -> "alice"
+ * "example.com"       -> null (root domain)
+ * "app.example.com"   -> null (reserved)
+ */
+export function extractTenantSubdomain(host: string, platformDomain: string): string | null {
+  const hostname = host.split(":")[0].toLowerCase();
+  const suffix = `.${platformDomain}`;
+  if (!hostname.endsWith(suffix)) return null;
+
+  const subdomain = hostname.slice(0, -suffix.length);
+  if (!subdomain || subdomain.includes(".")) return null;
+  if (RESERVED_SUBDOMAINS.has(subdomain)) return null;
+  if (!SUBDOMAIN_RE.test(subdomain)) return null;
+
+  return subdomain;
+}
+
+/**
+ * Build sanitized headers for upstream requests.
+ *
+ * Only allowlisted headers are forwarded. All x-platform-* headers are
+ * injected server-side from the authenticated session -- never copied from
+ * the incoming request -- to prevent spoofing.
+ */
+export function buildUpstreamHeaders(incoming: Headers, user: ProxyUserInfo, tenantSubdomain: string): Headers {
+  const headers = new Headers();
+  for (const key of FORWARDED_HEADERS) {
+    const val = incoming.get(key);
+    if (val) headers.set(key, val);
+  }
+  // Forward original Host so upstream hostname allowlist doesn't reject
+  const host = incoming.get("host");
+  if (host) headers.set("host", host);
+  headers.set("x-platform-user-id", user.id);
+  headers.set("x-platform-tenant", tenantSubdomain);
+  if (user.email) headers.set("x-platform-user-email", user.email);
+  if (user.name) headers.set("x-platform-user-name", user.name);
+  return headers;
+}
+
+/**
+ * Resolve the upstream container URL for a tenant subdomain from the
+ * proxy route table. Returns null if no route exists or is unhealthy.
+ */
+function resolveContainerUrl(container: PlatformContainer, subdomain: string): string | null {
+  if (!container.fleet) return null;
+  const routes = container.fleet.proxy.getRoutes();
+  const route = routes.find((r) => r.subdomain === subdomain);
+  if (!route || !route.healthy) return null;
+  return `http://${route.upstreamHost}:${route.upstreamPort}`;
+}
+
+/**
+ * Create a tenant subdomain proxy middleware.
+ *
+ * If the request Host identifies a tenant subdomain, authenticates the user,
+ * resolves the fleet container URL, and proxies the request. Non-tenant
+ * requests (root domain, reserved subdomains) pass through to next().
+ *
+ * Fail-closed: if fleet services or orgMemberRepo are unavailable, returns
+ * 503 instead of silently skipping checks.
+ */
+export function createTenantProxyMiddleware(
+  container: PlatformContainer,
+  config: TenantProxyConfig,
+): MiddlewareHandler {
+  const { platformDomain, resolveUser } = config;
+
+  return async (c, next) => {
+    const host = c.req.header("host");
+    if (!host) return next();
+
+    const subdomain = extractTenantSubdomain(host, platformDomain);
+    if (!subdomain) return next();
+
+    // --- Fail-closed checks ---
+
+    // Fleet services must be available for tenant proxying
+    if (!container.fleet) {
+      return c.json({ error: "Fleet services unavailable" }, 503);
+    }
+
+    // Authenticate -- reject unauthenticated requests
+    const user = await resolveUser(c.req.raw);
+    if (!user) {
+      return c.json({ error: "Authentication required" }, 401);
+    }
+
+    // Verify tenant ownership -- user must belong to the org that owns this subdomain
+    const profiles = await container.fleet.profileStore.list();
+    const profile = profiles.find((p) => p.name === subdomain);
+    if (!profile) {
+      return c.json({ error: "Tenant not found" }, 404);
+    }
+    const { validateTenantAccess } = await import("../../auth/index.js");
+    const hasAccess = await validateTenantAccess(user.id, profile.tenantId, container.orgMemberRepo);
+    if (!hasAccess) {
+      return c.json({ error: "Forbidden: not a member of this tenant" }, 403);
+    }
+
+    // Resolve fleet container URL via proxy route table
+    const upstream = resolveContainerUrl(container, subdomain);
+    if (!upstream) {
+      return c.json({ error: "Tenant not found" }, 404);
+    }
+
+    const url = new URL(c.req.url);
+    const targetUrl = `${upstream}${url.pathname}${url.search}`;
+    const upstreamHeaders = buildUpstreamHeaders(c.req.raw.headers, user, subdomain);
+
+    let response: Response;
+    try {
+      response = await fetch(targetUrl, {
+        method: c.req.method,
+        headers: upstreamHeaders,
+        body: c.req.method !== "GET" && c.req.method !== "HEAD" ? c.req.raw.body : undefined,
+        // @ts-expect-error duplex needed for streaming request bodies
+        duplex: "half",
+      });
+    } catch {
+      return c.json({ error: "Bad Gateway: upstream container unavailable" }, 502);
+    }
+
+    return new Response(response.body, {
+      status: response.status,
+      headers: response.headers,
+    });
+  };
+}

package/src/server/mount-routes.ts

@@ -0,0 +1,113 @@
+/**
+ * mountRoutes — wire shared HTTP routes and middleware onto a Hono app.
+ *
+ * Mounts routes conditionally based on which feature sub-containers are
+ * present on the PlatformContainer. Products call this after building the
+ * container; tRPC routers (admin, fleet-update, etc.) are mounted
+ * separately by products since they need product-specific auth context.
+ */
+
+import type { Hono } from "hono";
+import { cors } from "hono/cors";
+import { deriveCorsOrigins } from "../product-config/repository-types.js";
+import type { RoutePlugin } from "./boot-config.js";
+import type { PlatformContainer } from "./container.js";
+import { createTenantProxyMiddleware } from "./middleware/tenant-proxy.js";
+import { createCryptoWebhookRoutes } from "./routes/crypto-webhook.js";
+import { createProvisionWebhookRoutes } from "./routes/provision-webhook.js";
+import { createStripeWebhookRoutes } from "./routes/stripe-webhook.js";
+
+// ---------------------------------------------------------------------------
+// Config accepted at mount time
+// ---------------------------------------------------------------------------
+
+export interface MountConfig {
+  provisionSecret: string;
+  cryptoServiceKey?: string;
+  platformDomain: string;
+}
+
+// ---------------------------------------------------------------------------
+// mountRoutes
+// ---------------------------------------------------------------------------
+
+/**
+ * Mount all shared routes and middleware onto a Hono app based on the
+ * container's enabled feature slices.
+ *
+ * Mount order:
+ *   1. CORS middleware (from productConfig domain list)
+ *   2. Health endpoint (always)
+ *   3. Crypto webhook (if crypto enabled)
+ *   4. Stripe webhook (if stripe enabled)
+ *   5. Provision webhook (if fleet enabled)
+ *   6. Product-specific route plugins
+ *   7. Tenant proxy middleware (catch-all — must be last)
+ */
+export function mountRoutes(
+  app: Hono,
+  container: PlatformContainer,
+  config: MountConfig,
+  plugins: RoutePlugin[] = [],
+): void {
+  // 1. CORS middleware
+  const origins = deriveCorsOrigins(container.productConfig.product, container.productConfig.domains);
+  app.use(
+    "*",
+    cors({
+      origin: origins,
+      allowMethods: ["GET", "POST", "PUT", "PATCH", "DELETE", "OPTIONS"],
+      allowHeaders: ["Content-Type", "Authorization", "X-Request-ID"],
+      credentials: true,
+    }),
+  );
+
+  // 2. Health endpoint (always available)
+  app.get("/health", (c) => c.json({ ok: true }));
+
+  // 3. Crypto webhook (when crypto payments are enabled)
+  if (container.crypto) {
+    app.route(
+      "/api/webhooks/crypto",
+      createCryptoWebhookRoutes(container, {
+        provisionSecret: config.provisionSecret,
+        cryptoServiceKey: config.cryptoServiceKey,
+      }),
+    );
+  }
+
+  // 4. Stripe webhook (when stripe billing is enabled)
+  if (container.stripe) {
+    app.route("/api/webhooks/stripe", createStripeWebhookRoutes(container));
+  }
+
+  // 5. Provision webhook (when fleet management is enabled)
+  if (container.fleet) {
+    const fleetConfig = container.productConfig.fleet;
+    app.route(
+      "/api/provision",
+      createProvisionWebhookRoutes(container, {
+        provisionSecret: config.provisionSecret,
+        instanceImage: fleetConfig?.containerImage ?? "ghcr.io/default:latest",
+        containerPort: fleetConfig?.containerPort ?? 3000,
+        maxInstancesPerTenant: fleetConfig?.maxInstances ?? 5,
+      }),
+    );
+  }
+
+  // 6. Product-specific route plugins
+  for (const plugin of plugins) {
+    app.route(plugin.path, plugin.handler(container));
+  }
+
+  // 7. Tenant proxy middleware (catch-all — MUST be last)
+  if (container.fleet) {
+    app.use(
+      "*",
+      createTenantProxyMiddleware(container, {
+        platformDomain: config.platformDomain,
+        resolveUser: async () => undefined, // Products override via plugin or direct middleware
+      }),
+    );
+  }
+}

package/src/server/routes/__tests__/admin.test.ts

@@ -0,0 +1,320 @@
+import { beforeEach, describe, expect, it, vi } from "vitest";
+import type { IOrgMemberRepository } from "../../../tenancy/org-member-repository.js";
+import { createCallerFactory, router, setTrpcOrgMemberRepo } from "../../../trpc/init.js";
+import type { PlatformContainer } from "../../container.js";
+import { createTestContainer } from "../../test-container.js";
+import type { AdminRouterConfig } from "../admin.js";
+import { createAdminRouter } from "../admin.js";
+
+// ---------------------------------------------------------------------------
+// Mocks
+// ---------------------------------------------------------------------------
+
+// Mock global fetch for OpenRouter API calls
+const mockFetch = vi.fn();
+vi.stubGlobal("fetch", mockFetch);
+
+function makeMockOrgRepo(): IOrgMemberRepository {
+  return {
+    listMembers: vi.fn().mockResolvedValue([]),
+    addMember: vi.fn().mockResolvedValue(undefined),
+    updateMemberRole: vi.fn().mockResolvedValue(undefined),
+    removeMember: vi.fn().mockResolvedValue(undefined),
+    findMember: vi.fn().mockResolvedValue(null),
+    countAdminsAndOwners: vi.fn().mockResolvedValue(0),
+    listInvites: vi.fn().mockResolvedValue([]),
+    createInvite: vi.fn().mockResolvedValue(undefined),
+    findInviteById: vi.fn().mockResolvedValue(null),
+    findInviteByToken: vi.fn().mockResolvedValue(null),
+    deleteInvite: vi.fn().mockResolvedValue(undefined),
+    deleteAllMembers: vi.fn().mockResolvedValue(undefined),
+    deleteAllInvites: vi.fn().mockResolvedValue(undefined),
+    listOrgsByUser: vi.fn().mockResolvedValue([]),
+    markInviteAccepted: vi.fn().mockResolvedValue(undefined),
+  } as unknown as IOrgMemberRepository;
+}
+
+const adminCtx = {
+  user: { id: "admin-1", roles: ["platform_admin"] },
+  tenantId: undefined,
+};
+
+// ---------------------------------------------------------------------------
+// Helpers
+// ---------------------------------------------------------------------------
+
+function makeCaller(container: PlatformContainer, config?: AdminRouterConfig) {
+  const adminRouter = createAdminRouter(container, config);
+  const appRouter = router({ admin: adminRouter });
+  const createCaller = createCallerFactory(appRouter);
+  return createCaller(adminCtx);
+}
+
+// ---------------------------------------------------------------------------
+// Tests
+// ---------------------------------------------------------------------------
+
+describe("createAdminRouter", () => {
+  beforeEach(() => {
+    setTrpcOrgMemberRepo(makeMockOrgRepo());
+    mockFetch.mockReset();
+  });
+
+  // -------------------------------------------------------------------------
+  // Model list endpoint
+  // -------------------------------------------------------------------------
+
+  describe("listAvailableModels", () => {
+    it("returns cached models from OpenRouter API", async () => {
+      const container = createTestContainer();
+      const models = [
+        {
+          id: "openai/gpt-4",
+          name: "GPT-4",
+          context_length: 8192,
+          pricing: { prompt: "0.03", completion: "0.06" },
+        },
+        {
+          id: "anthropic/claude-3",
+          name: "Claude 3",
+          context_length: 200000,
+          pricing: { prompt: "0.015", completion: "0.075" },
+        },
+      ];
+
+      mockFetch.mockResolvedValueOnce({
+        ok: true,
+        json: async () => ({ data: models }),
+      });
+
+      const caller = makeCaller(container, { openRouterApiKey: "sk-test-key" });
+      const result = await caller.admin.listAvailableModels();
+
+      expect(result.models).toHaveLength(2);
+      expect(result.models[0].id).toBe("anthropic/claude-3");
+      expect(result.models[1].id).toBe("openai/gpt-4");
+      expect(mockFetch).toHaveBeenCalledOnce();
+
+      // Second call should use cache (no additional fetch)
+      const result2 = await caller.admin.listAvailableModels();
+      expect(result2.models).toHaveLength(2);
+      expect(mockFetch).toHaveBeenCalledOnce();
+    });
+
+    it("returns empty list when no API key configured", async () => {
+      const container = createTestContainer();
+      const caller = makeCaller(container); // no config = no API key
+
+      const result = await caller.admin.listAvailableModels();
+
+      expect(result.models).toEqual([]);
+      expect(mockFetch).not.toHaveBeenCalled();
+    });
+
+    it("returns stale cache on fetch failure", async () => {
+      // First call seeds the cache
+      const container = createTestContainer();
+      mockFetch.mockResolvedValueOnce({
+        ok: true,
+        json: async () => ({
+          data: [{ id: "model/a", name: "A", context_length: 100, pricing: { prompt: "1", completion: "2" } }],
+        }),
+      });
+      const caller = makeCaller(container, { openRouterApiKey: "sk-test-key" });
+      await caller.admin.listAvailableModels();
+
+      // Advance past 60s cache TTL so the next call triggers a fetch
+      vi.useFakeTimers();
+      vi.advanceTimersByTime(61_000);
+
+      mockFetch.mockRejectedValueOnce(new Error("Network error"));
+      const result = await caller.admin.listAvailableModels();
+
+      // On failure, falls back to stale cache
+      expect(result.models).toHaveLength(1);
+      expect(result.models[0].id).toBe("model/a");
+
+      vi.useRealTimers();
+    });
+  });
+
+  // -------------------------------------------------------------------------
+  // Fleet instance listing
+  // -------------------------------------------------------------------------
+
+  describe("listAllInstances", () => {
+    it("lists instances using container.fleet", async () => {
+      const mockProfiles = [
+        { id: "inst-1", name: "Bot A", tenantId: "t1", image: "img:latest" },
+        { id: "inst-2", name: "Bot B", tenantId: "t2", image: "img:v2" },
+      ];
+
+      const mockStatus = {
+        state: "running",
+        health: "healthy",
+        uptime: 3600,
+        containerId: "abc123",
+        startedAt: "2026-01-01T00:00:00Z",
+      };
+
+      const container = createTestContainer({
+        fleet: {
+          manager: {
+            status: vi.fn().mockResolvedValue(mockStatus),
+          } as never,
+          docker: {} as never,
+          proxy: {} as never,
+          profileStore: {
+            list: vi.fn().mockResolvedValue(mockProfiles),
+            init: vi.fn(),
+            save: vi.fn(),
+            get: vi.fn(),
+            delete: vi.fn(),
+          },
+          serviceKeyRepo: {} as never,
+        },
+      });
+
+      const caller = makeCaller(container);
+      const result = await caller.admin.listAllInstances();
+
+      expect(result.instances).toHaveLength(2);
+      expect(result.instances[0]).toEqual({
+        id: "inst-1",
+        name: "Bot A",
+        tenantId: "t1",
+        image: "img:latest",
+        state: "running",
+        health: "healthy",
+        uptime: 3600,
+        containerId: "abc123",
+        startedAt: "2026-01-01T00:00:00Z",
+      });
+    });
+
+    it("returns error when fleet not configured", async () => {
+      const container = createTestContainer({ fleet: null });
+      const caller = makeCaller(container);
+      const result = await caller.admin.listAllInstances();
+
+      expect(result.instances).toEqual([]);
+      expect(result.error).toBe("Fleet not configured");
+    });
+
+    it("returns error state for instances that fail status check", async () => {
+      const mockProfiles = [{ id: "inst-bad", name: "Bad Bot", tenantId: "t1", image: "img:latest" }];
+
+      const container = createTestContainer({
+        fleet: {
+          manager: {
+            status: vi.fn().mockRejectedValue(new Error("container not found")),
+          } as never,
+          docker: {} as never,
+          proxy: {} as never,
+          profileStore: {
+            list: vi.fn().mockResolvedValue(mockProfiles),
+            init: vi.fn(),
+            save: vi.fn(),
+            get: vi.fn(),
+            delete: vi.fn(),
+          },
+          serviceKeyRepo: {} as never,
+        },
+      });
+
+      const caller = makeCaller(container);
+      const result = await caller.admin.listAllInstances();
+
+      expect(result.instances).toHaveLength(1);
+      expect(result.instances[0].state).toBe("error");
+      expect(result.instances[0].health).toBeNull();
+    });
+  });
+
+  // -------------------------------------------------------------------------
+  // Credit balance query
+  // -------------------------------------------------------------------------
+
+  describe("billingOverview", () => {
+    it("queries credit balance via container pool", async () => {
+      const mockPool = {
+        query: vi
+          .fn()
+          .mockResolvedValueOnce({ rows: [{ totalRaw: "50000000" }] }) // credit_entry sum (50M microdollars = 5000 cents)
+          .mockResolvedValueOnce({ rows: [{ count: "3" }] }) // payment methods
+          .mockResolvedValueOnce({ rows: [{ count: "5" }] }), // orgs
+        end: vi.fn(),
+      };
+
+      const container = createTestContainer({
+        pool: mockPool as never,
+        gateway: null, // no gateway = skip service key count
+      });
+
+      const caller = makeCaller(container);
+      const result = await caller.admin.billingOverview();
+
+      expect(result.totalBalanceCents).toBe(5000);
+      expect(result.activeKeyCount).toBe(0); // gateway not configured
+      expect(result.paymentMethodCount).toBe(3);
+      expect(result.orgCount).toBe(5);
+    });
+
+    it("counts active service keys when gateway is configured", async () => {
+      const mockPool = {
+        query: vi
+          .fn()
+          .mockResolvedValueOnce({ rows: [{ totalRaw: "0" }] }) // credit_entry
+          .mockResolvedValueOnce({ rows: [{ count: "7" }] }) // service_keys
+          .mockResolvedValueOnce({ rows: [{ count: "0" }] }) // payment methods
+          .mockResolvedValueOnce({ rows: [{ count: "0" }] }), // orgs
+        end: vi.fn(),
+      };
+
+      const container = createTestContainer({
+        pool: mockPool as never,
+        gateway: {
+          serviceKeyRepo: {} as never,
+        },
+      });
+
+      const caller = makeCaller(container);
+      const result = await caller.admin.billingOverview();
+
+      expect(result.activeKeyCount).toBe(7);
+    });
+
+    it("returns zeros when tables do not exist", async () => {
+      const mockPool = {
+        query: vi.fn().mockRejectedValue(new Error('relation "credit_entry" does not exist')),
+        end: vi.fn(),
+      };
+
+      const container = createTestContainer({
+        pool: mockPool as never,
+      });
+
+      const caller = makeCaller(container);
+      const result = await caller.admin.billingOverview();
+
+      expect(result.totalBalanceCents).toBe(0);
+      expect(result.activeKeyCount).toBe(0);
+      expect(result.paymentMethodCount).toBe(0);
+      expect(result.orgCount).toBe(0);
+    });
+  });
+
+  // -------------------------------------------------------------------------
+  // Auth guard
+  // -------------------------------------------------------------------------
+
+  it("rejects non-admin users", async () => {
+    const container = createTestContainer();
+    const adminRouter = createAdminRouter(container);
+    const appRouter = router({ admin: adminRouter });
+    const createCaller = createCallerFactory(appRouter);
+    const caller = createCaller({ user: { id: "u1", roles: ["user"] }, tenantId: undefined });
+
+    await expect(caller.admin.listAvailableModels()).rejects.toThrow("Platform admin role required");
+  });
+});