npm - @wopr-network/platform-core - Versions diffs - 1.68.0 → 1.70.0 - Mend

@wopr-network/platform-core 1.68.0 → 1.70.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (93) hide show

package/dist/backup/types.d.ts +1 -1
package/dist/db/schema/pool-config.d.ts +41 -0
package/dist/db/schema/pool-config.js +5 -0
package/dist/db/schema/pool-instances.d.ts +126 -0
package/dist/db/schema/pool-instances.js +10 -0
package/dist/server/__tests__/build-container.test.d.ts +1 -0
package/dist/server/__tests__/build-container.test.js +339 -0
package/dist/server/__tests__/container.test.d.ts +1 -0
package/dist/server/__tests__/container.test.js +173 -0
package/dist/server/__tests__/lifecycle.test.d.ts +1 -0
package/dist/server/__tests__/lifecycle.test.js +90 -0
package/dist/server/__tests__/mount-routes.test.d.ts +1 -0
package/dist/server/__tests__/mount-routes.test.js +151 -0
package/dist/server/boot-config.d.ts +51 -0
package/dist/server/boot-config.js +7 -0
package/dist/server/container.d.ts +97 -0
package/dist/server/container.js +148 -0
package/dist/server/index.d.ts +33 -0
package/dist/server/index.js +66 -0
package/dist/server/lifecycle.d.ts +25 -0
package/dist/server/lifecycle.js +56 -0
package/dist/server/middleware/__tests__/admin-auth.test.d.ts +1 -0
package/dist/server/middleware/__tests__/admin-auth.test.js +59 -0
package/dist/server/middleware/__tests__/tenant-proxy.test.d.ts +1 -0
package/dist/server/middleware/__tests__/tenant-proxy.test.js +268 -0
package/dist/server/middleware/admin-auth.d.ts +18 -0
package/dist/server/middleware/admin-auth.js +38 -0
package/dist/server/middleware/tenant-proxy.d.ts +56 -0
package/dist/server/middleware/tenant-proxy.js +162 -0
package/dist/server/mount-routes.d.ts +30 -0
package/dist/server/mount-routes.js +74 -0
package/dist/server/routes/__tests__/admin.test.d.ts +1 -0
package/dist/server/routes/__tests__/admin.test.js +267 -0
package/dist/server/routes/__tests__/crypto-webhook.test.d.ts +1 -0
package/dist/server/routes/__tests__/crypto-webhook.test.js +137 -0
package/dist/server/routes/__tests__/provision-webhook.test.d.ts +1 -0
package/dist/server/routes/__tests__/provision-webhook.test.js +212 -0
package/dist/server/routes/__tests__/stripe-webhook.test.d.ts +1 -0
package/dist/server/routes/__tests__/stripe-webhook.test.js +65 -0
package/dist/server/routes/admin.d.ts +129 -0
package/dist/server/routes/admin.js +294 -0
package/dist/server/routes/crypto-webhook.d.ts +23 -0
package/dist/server/routes/crypto-webhook.js +82 -0
package/dist/server/routes/provision-webhook.d.ts +38 -0
package/dist/server/routes/provision-webhook.js +160 -0
package/dist/server/routes/stripe-webhook.d.ts +10 -0
package/dist/server/routes/stripe-webhook.js +29 -0
package/dist/server/services/hot-pool-claim.d.ts +30 -0
package/dist/server/services/hot-pool-claim.js +92 -0
package/dist/server/services/hot-pool.d.ts +25 -0
package/dist/server/services/hot-pool.js +129 -0
package/dist/server/services/pool-repository.d.ts +44 -0
package/dist/server/services/pool-repository.js +72 -0
package/dist/server/test-container.d.ts +15 -0
package/dist/server/test-container.js +103 -0
package/dist/trpc/auth-helpers.d.ts +17 -0
package/dist/trpc/auth-helpers.js +26 -0
package/dist/trpc/container-factories.d.ts +300 -0
package/dist/trpc/container-factories.js +80 -0
package/dist/trpc/index.d.ts +2 -0
package/dist/trpc/index.js +2 -0
package/drizzle/migrations/0025_hot_pool_tables.sql +29 -0
package/package.json +5 -1
package/src/db/schema/pool-config.ts +6 -0
package/src/db/schema/pool-instances.ts +11 -0
package/src/server/__tests__/build-container.test.ts +402 -0
package/src/server/__tests__/container.test.ts +207 -0
package/src/server/__tests__/lifecycle.test.ts +106 -0
package/src/server/__tests__/mount-routes.test.ts +169 -0
package/src/server/boot-config.ts +84 -0
package/src/server/container.ts +264 -0
package/src/server/index.ts +92 -0
package/src/server/lifecycle.ts +72 -0
package/src/server/middleware/__tests__/admin-auth.test.ts +67 -0
package/src/server/middleware/__tests__/tenant-proxy.test.ts +308 -0
package/src/server/middleware/admin-auth.ts +51 -0
package/src/server/middleware/tenant-proxy.ts +192 -0
package/src/server/mount-routes.ts +113 -0
package/src/server/routes/__tests__/admin.test.ts +320 -0
package/src/server/routes/__tests__/crypto-webhook.test.ts +167 -0
package/src/server/routes/__tests__/provision-webhook.test.ts +323 -0
package/src/server/routes/__tests__/stripe-webhook.test.ts +73 -0
package/src/server/routes/admin.ts +360 -0
package/src/server/routes/crypto-webhook.ts +110 -0
package/src/server/routes/provision-webhook.ts +212 -0
package/src/server/routes/stripe-webhook.ts +36 -0
package/src/server/services/hot-pool-claim.ts +130 -0
package/src/server/services/hot-pool.ts +174 -0
package/src/server/services/pool-repository.ts +107 -0
package/src/server/test-container.ts +120 -0
package/src/trpc/auth-helpers.ts +28 -0
package/src/trpc/container-factories.ts +114 -0
package/src/trpc/index.ts +9 -0

package/dist/server/container.js ADDED Viewed

@@ -0,0 +1,148 @@
+/**
+ * PlatformContainer — the central DI container for platform-core.
+ *
+ * Products compose a container at boot time, enabling only the feature
+ * slices they need. Nullable sub-containers (fleet, crypto, stripe,
+ * gateway, hotPool) let each product opt in without pulling unused deps.
+ */
+// ---------------------------------------------------------------------------
+// buildContainer — construct a PlatformContainer from a BootConfig
+// ---------------------------------------------------------------------------
+/**
+ * Build a fully-wired PlatformContainer from a declarative BootConfig.
+ *
+ * Construction order mirrors the proven boot sequence from product index.ts
+ * files: DB pool -> Drizzle -> migrations -> productConfig -> credit ledger
+ * -> org repos -> org service -> user role repo -> feature services.
+ *
+ * Feature sub-containers (fleet, crypto, stripe, gateway) are only
+ * constructed when their corresponding feature flag is enabled in
+ * `bootConfig.features`. Disabled features yield `null`.
+ */
+export async function buildContainer(bootConfig) {
+    if (!bootConfig.databaseUrl) {
+        throw new Error("buildContainer: databaseUrl is required");
+    }
+    // 1. Database pool
+    const { Pool: PgPool } = await import("pg");
+    const pool = new PgPool({ connectionString: bootConfig.databaseUrl });
+    // 2. Drizzle ORM instance
+    const { createDb } = await import("../db/index.js");
+    const db = createDb(pool);
+    // 3. Run Drizzle migrations
+    const { migrate } = await import("drizzle-orm/node-postgres/migrator");
+    const path = await import("node:path");
+    const migrationsFolder = path.resolve(path.dirname(new URL(import.meta.url).pathname), "../../drizzle");
+    await migrate(db, { migrationsFolder });
+    // 4. Bootstrap product config from DB (auto-seeds from presets if needed)
+    const { platformBoot } = await import("../product-config/boot.js");
+    const { config: productConfig } = await platformBoot({ slug: bootConfig.slug, db });
+    // 5. Credit ledger
+    const { DrizzleLedger } = await import("../credits/ledger.js");
+    const creditLedger = new DrizzleLedger(db);
+    await creditLedger.seedSystemAccounts();
+    // 6. Org repositories + OrgService
+    const { DrizzleOrgMemberRepository } = await import("../tenancy/org-member-repository.js");
+    const { DrizzleOrgRepository } = await import("../tenancy/drizzle-org-repository.js");
+    const { OrgService: OrgServiceClass } = await import("../tenancy/org-service.js");
+    const { BetterAuthUserRepository } = await import("../db/auth-user-repository.js");
+    const orgMemberRepo = new DrizzleOrgMemberRepository(db);
+    const orgRepo = new DrizzleOrgRepository(db);
+    const authUserRepo = new BetterAuthUserRepository(pool);
+    const orgService = new OrgServiceClass(orgRepo, orgMemberRepo, db, {
+        userRepo: authUserRepo,
+    });
+    // 7. User role repository
+    const { DrizzleUserRoleRepository } = await import("../auth/user-role-repository.js");
+    const userRoleRepo = new DrizzleUserRoleRepository(db);
+    // 8. Fleet services (when enabled)
+    let fleet = null;
+    if (bootConfig.features.fleet) {
+        const { FleetManager: FleetManagerClass } = await import("../fleet/fleet-manager.js");
+        const { ProfileStore } = await import("../fleet/profile-store.js");
+        const { ProxyManager } = await import("../proxy/manager.js");
+        const { DrizzleServiceKeyRepository } = await import("../gateway/service-key-repository.js");
+        const DockerModule = await import("dockerode");
+        const DockerClass = DockerModule.default ?? DockerModule;
+        const docker = new DockerClass();
+        const fleetDataDir = productConfig.fleet?.fleetDataDir ?? "/data/fleet";
+        const profileStore = new ProfileStore(fleetDataDir);
+        const proxy = new ProxyManager();
+        const serviceKeyRepo = new DrizzleServiceKeyRepository(db);
+        const manager = new FleetManagerClass(docker, profileStore, undefined, // platformDiscovery
+        undefined, // networkPolicy
+        proxy);
+        fleet = { manager, docker, proxy, profileStore, serviceKeyRepo };
+    }
+    // 9. Crypto services (when enabled)
+    let crypto = null;
+    if (bootConfig.features.crypto) {
+        const { DrizzleCryptoChargeRepository } = await import("../billing/crypto/charge-store.js");
+        const { DrizzleWebhookSeenRepository } = await import("../billing/drizzle-webhook-seen-repository.js");
+        const chargeRepo = new DrizzleCryptoChargeRepository(db);
+        const webhookSeenRepo = new DrizzleWebhookSeenRepository(db);
+        crypto = { chargeRepo, webhookSeenRepo };
+    }
+    // 10. Stripe services (when enabled)
+    let stripe = null;
+    if (bootConfig.features.stripe && bootConfig.stripeSecretKey) {
+        const StripeModule = await import("stripe");
+        const StripeClass = StripeModule.default;
+        const stripeClient = new StripeClass(bootConfig.stripeSecretKey);
+        const { DrizzleTenantCustomerRepository } = await import("../billing/stripe/tenant-store.js");
+        const { loadCreditPriceMap } = await import("../billing/stripe/credit-prices.js");
+        const { StripePaymentProcessor } = await import("../billing/stripe/stripe-payment-processor.js");
+        const customerRepo = new DrizzleTenantCustomerRepository(db);
+        const priceMap = loadCreditPriceMap();
+        const processor = new StripePaymentProcessor({
+            stripe: stripeClient,
+            tenantRepo: customerRepo,
+            webhookSecret: bootConfig.stripeWebhookSecret ?? "",
+            priceMap,
+            creditLedger,
+        });
+        stripe = {
+            stripe: stripeClient,
+            webhookSecret: bootConfig.stripeWebhookSecret ?? "",
+            customerRepo,
+            processor,
+        };
+    }
+    // 11. Gateway services (when enabled)
+    let gateway = null;
+    if (bootConfig.features.gateway) {
+        const { DrizzleServiceKeyRepository } = await import("../gateway/service-key-repository.js");
+        const serviceKeyRepo = new DrizzleServiceKeyRepository(db);
+        gateway = { serviceKeyRepo };
+    }
+    // 12. Build the container (hotPool bound after construction)
+    const result = {
+        db,
+        pool,
+        productConfig,
+        creditLedger,
+        orgMemberRepo,
+        orgService,
+        userRoleRepo,
+        fleet,
+        crypto,
+        stripe,
+        gateway,
+        hotPool: null,
+    };
+    // Bind hot pool after container construction (closures need the full container)
+    if (bootConfig.features.hotPool && fleet) {
+        const { startHotPool, setPoolSize: setSize, getPoolSize: getSize } = await import("./services/hot-pool.js");
+        const { claimPoolInstance } = await import("./services/hot-pool-claim.js");
+        const { DrizzlePoolRepository } = await import("./services/pool-repository.js");
+        const poolRepo = new DrizzlePoolRepository(pool);
+        const hotPoolConfig = { provisionSecret: bootConfig.provisionSecret };
+        result.hotPool = {
+            start: () => startHotPool(result, poolRepo, hotPoolConfig),
+            claim: (name, tenantId, adminUser) => claimPoolInstance(result, poolRepo, name, tenantId, adminUser, hotPoolConfig),
+            getPoolSize: () => getSize(poolRepo),
+            setPoolSize: (size) => setSize(poolRepo, size),
+        };
+    }
+    return result;
+}

package/dist/server/index.d.ts ADDED Viewed

@@ -0,0 +1,33 @@
+/**
+ * platform-core server entry point.
+ *
+ * Re-exports types, the test helper, and provides bootPlatformServer() —
+ * the single-call boot function products use to go from a declarative
+ * BootConfig to a running Hono server with DI container.
+ */
+import type { BootConfig, BootResult } from "./boot-config.js";
+export type { BootConfig, BootResult, FeatureFlags, RoutePlugin } from "./boot-config.js";
+export type { CryptoServices, FleetServices, GatewayServices, HotPoolServices, PlatformContainer, StripeServices, } from "./container.js";
+export { buildContainer } from "./container.js";
+export { type BackgroundHandles, gracefulShutdown, startBackgroundServices } from "./lifecycle.js";
+export { type MountConfig, mountRoutes } from "./mount-routes.js";
+export { createTestContainer } from "./test-container.js";
+/**
+ * Boot a fully-wired platform server from a declarative config.
+ *
+ * 1. Builds the DI container (DB, migrations, product config, feature slices)
+ * 2. Creates a Hono app and mounts shared routes
+ * 3. Returns start/stop lifecycle hooks
+ *
+ * Products call this from their index.ts:
+ * ```ts
+ * const { app, container, start, stop } = await bootPlatformServer({
+ *   slug: "paperclip",
+ *   databaseUrl: process.env.DATABASE_URL!,
+ *   provisionSecret: process.env.PROVISION_SECRET!,
+ *   features: { fleet: true, crypto: true, stripe: true, gateway: true, hotPool: false },
+ * });
+ * await start();
+ * ```
+ */
+export declare function bootPlatformServer(config: BootConfig): Promise<BootResult>;

package/dist/server/index.js ADDED Viewed

@@ -0,0 +1,66 @@
+/**
+ * platform-core server entry point.
+ *
+ * Re-exports types, the test helper, and provides bootPlatformServer() —
+ * the single-call boot function products use to go from a declarative
+ * BootConfig to a running Hono server with DI container.
+ */
+import { Hono } from "hono";
+import { buildContainer } from "./container.js";
+import { gracefulShutdown, startBackgroundServices } from "./lifecycle.js";
+import { mountRoutes } from "./mount-routes.js";
+export { buildContainer } from "./container.js";
+export { gracefulShutdown, startBackgroundServices } from "./lifecycle.js";
+export { mountRoutes } from "./mount-routes.js";
+export { createTestContainer } from "./test-container.js";
+// ---------------------------------------------------------------------------
+// bootPlatformServer
+// ---------------------------------------------------------------------------
+/**
+ * Boot a fully-wired platform server from a declarative config.
+ *
+ * 1. Builds the DI container (DB, migrations, product config, feature slices)
+ * 2. Creates a Hono app and mounts shared routes
+ * 3. Returns start/stop lifecycle hooks
+ *
+ * Products call this from their index.ts:
+ * ```ts
+ * const { app, container, start, stop } = await bootPlatformServer({
+ *   slug: "paperclip",
+ *   databaseUrl: process.env.DATABASE_URL!,
+ *   provisionSecret: process.env.PROVISION_SECRET!,
+ *   features: { fleet: true, crypto: true, stripe: true, gateway: true, hotPool: false },
+ * });
+ * await start();
+ * ```
+ */
+export async function bootPlatformServer(config) {
+    const container = await buildContainer(config);
+    const app = new Hono();
+    mountRoutes(app, container, {
+        provisionSecret: config.provisionSecret,
+        cryptoServiceKey: config.cryptoServiceKey,
+        platformDomain: container.productConfig.product?.domain ?? "localhost",
+    }, config.routes);
+    let handles = null;
+    let server = null;
+    return {
+        app,
+        container,
+        start: async (port) => {
+            const { serve } = await import("@hono/node-server");
+            const listenPort = port ?? config.port ?? 3001;
+            const hostname = config.host ?? "0.0.0.0";
+            server = serve({ fetch: app.fetch, hostname, port: listenPort }, async () => {
+                handles = await startBackgroundServices(container);
+            });
+        },
+        stop: async () => {
+            if (server)
+                server.close();
+            if (handles) {
+                await gracefulShutdown(container, handles);
+            }
+        },
+    };
+}

package/dist/server/lifecycle.d.ts ADDED Viewed

@@ -0,0 +1,25 @@
+/**
+ * Lifecycle management — background services and graceful shutdown.
+ *
+ * Products currently handle background tasks in their serve() callbacks.
+ * This module provides a standard interface for starting and stopping
+ * those tasks so bootPlatformServer can manage them uniformly.
+ */
+import type { PlatformContainer } from "./container.js";
+export interface BackgroundHandles {
+    intervals: ReturnType<typeof setInterval>[];
+    unsubscribes: (() => void)[];
+}
+/**
+ * Start background services that run after the server is listening.
+ *
+ * Currently a thin scaffold — the hooks exist so products can migrate their
+ * background tasks (fleet updater, notification worker, caddy hydration,
+ * health monitor) incrementally without changing the boot contract.
+ */
+export declare function startBackgroundServices(container: PlatformContainer): Promise<BackgroundHandles>;
+/**
+ * Graceful shutdown: clear intervals, call unsubscribe hooks, close the
+ * database connection pool.
+ */
+export declare function gracefulShutdown(container: PlatformContainer, handles: BackgroundHandles): Promise<void>;

package/dist/server/lifecycle.js ADDED Viewed

@@ -0,0 +1,56 @@
+/**
+ * Lifecycle management — background services and graceful shutdown.
+ *
+ * Products currently handle background tasks in their serve() callbacks.
+ * This module provides a standard interface for starting and stopping
+ * those tasks so bootPlatformServer can manage them uniformly.
+ */
+// ---------------------------------------------------------------------------
+// startBackgroundServices
+// ---------------------------------------------------------------------------
+/**
+ * Start background services that run after the server is listening.
+ *
+ * Currently a thin scaffold — the hooks exist so products can migrate their
+ * background tasks (fleet updater, notification worker, caddy hydration,
+ * health monitor) incrementally without changing the boot contract.
+ */
+export async function startBackgroundServices(container) {
+    const handles = { intervals: [], unsubscribes: [] };
+    // Caddy proxy hydration (if fleet + proxy are enabled)
+    if (container.fleet?.proxy) {
+        try {
+            await container.fleet.proxy.start?.();
+        }
+        catch {
+            // Non-fatal — proxy sync will retry on next health tick
+        }
+    }
+    // Hot pool manager (if enabled)
+    if (container.hotPool) {
+        try {
+            const poolHandles = await container.hotPool.start();
+            handles.unsubscribes.push(poolHandles.stop);
+        }
+        catch {
+            // Non-fatal — pool will be empty but claiming falls back to cold create
+        }
+    }
+    return handles;
+}
+// ---------------------------------------------------------------------------
+// gracefulShutdown
+// ---------------------------------------------------------------------------
+/**
+ * Graceful shutdown: clear intervals, call unsubscribe hooks, close the
+ * database connection pool.
+ */
+export async function gracefulShutdown(container, handles) {
+    for (const interval of handles.intervals) {
+        clearInterval(interval);
+    }
+    for (const unsub of handles.unsubscribes) {
+        unsub();
+    }
+    await container.pool.end();
+}

package/dist/server/middleware/__tests__/admin-auth.test.d.ts ADDED Viewed

	@@ -0,0 +1 @@
1	+ export {};

package/dist/server/middleware/__tests__/admin-auth.test.js ADDED Viewed

@@ -0,0 +1,59 @@
+import { Hono } from "hono";
+import { describe, expect, it } from "vitest";
+import { createAdminAuthMiddleware } from "../admin-auth.js";
+function createApp(adminApiKey) {
+    const app = new Hono();
+    app.use("/admin/*", createAdminAuthMiddleware({ adminApiKey }));
+    app.get("/admin/status", (c) => c.json({ ok: true }));
+    return app;
+}
+describe("createAdminAuthMiddleware", () => {
+    const API_KEY = "test-admin-key-abc123";
+    it("returns 401 without Authorization header", async () => {
+        const app = createApp(API_KEY);
+        const res = await app.request("/admin/status");
+        expect(res.status).toBe(401);
+        const body = await res.json();
+        expect(body.error).toContain("Unauthorized");
+    });
+    it("returns 401 with wrong API key", async () => {
+        const app = createApp(API_KEY);
+        const res = await app.request("/admin/status", {
+            headers: { authorization: "Bearer wrong-key" },
+        });
+        expect(res.status).toBe(401);
+        const body = await res.json();
+        expect(body.error).toContain("invalid admin credentials");
+    });
+    it("passes through with correct API key (timing-safe)", async () => {
+        const app = createApp(API_KEY);
+        const res = await app.request("/admin/status", {
+            headers: { authorization: `Bearer ${API_KEY}` },
+        });
+        expect(res.status).toBe(200);
+        const body = await res.json();
+        expect(body.ok).toBe(true);
+    });
+    it("rejects keys of different length (timing-safe length check)", async () => {
+        const app = createApp(API_KEY);
+        // Key with same prefix but different length
+        const res = await app.request("/admin/status", {
+            headers: { authorization: `Bearer ${API_KEY}extra` },
+        });
+        expect(res.status).toBe(401);
+    });
+    it("returns 503 when admin key is not configured (fail-closed)", async () => {
+        const app = createApp("");
+        const res = await app.request("/admin/status", {
+            headers: { authorization: "Bearer anything" },
+        });
+        expect(res.status).toBe(503);
+    });
+    it("rejects non-Bearer auth schemes", async () => {
+        const app = createApp(API_KEY);
+        const res = await app.request("/admin/status", {
+            headers: { authorization: `Basic ${API_KEY}` },
+        });
+        expect(res.status).toBe(401);
+    });
+});

package/dist/server/middleware/__tests__/tenant-proxy.test.d.ts ADDED Viewed

	@@ -0,0 +1 @@
1	+ export {};

package/dist/server/middleware/__tests__/tenant-proxy.test.js ADDED Viewed

@@ -0,0 +1,268 @@
+import { Hono } from "hono";
+import { beforeEach, describe, expect, it, vi } from "vitest";
+import { createTestContainer } from "../../test-container.js";
+import { buildUpstreamHeaders, createTenantProxyMiddleware, extractTenantSubdomain, } from "../tenant-proxy.js";
+// ---------------------------------------------------------------------------
+// extractTenantSubdomain unit tests
+// ---------------------------------------------------------------------------
+describe("extractTenantSubdomain", () => {
+    const domain = "example.com";
+    it("extracts a valid subdomain", () => {
+        expect(extractTenantSubdomain("alice.example.com", domain)).toBe("alice");
+    });
+    it("returns null for the root domain", () => {
+        expect(extractTenantSubdomain("example.com", domain)).toBeNull();
+    });
+    it("returns null for reserved subdomains", () => {
+        expect(extractTenantSubdomain("app.example.com", domain)).toBeNull();
+        expect(extractTenantSubdomain("api.example.com", domain)).toBeNull();
+        expect(extractTenantSubdomain("admin.example.com", domain)).toBeNull();
+    });
+    it("returns null for nested subdomains", () => {
+        expect(extractTenantSubdomain("deep.alice.example.com", domain)).toBeNull();
+    });
+    it("strips port before matching", () => {
+        expect(extractTenantSubdomain("alice.example.com:3000", domain)).toBe("alice");
+    });
+    it("returns null for non-matching domain", () => {
+        expect(extractTenantSubdomain("alice.other.com", domain)).toBeNull();
+    });
+    it("returns null for invalid subdomain characters", () => {
+        expect(extractTenantSubdomain("al!ce.example.com", domain)).toBeNull();
+    });
+});
+// ---------------------------------------------------------------------------
+// buildUpstreamHeaders unit tests
+// ---------------------------------------------------------------------------
+describe("buildUpstreamHeaders", () => {
+    it("copies only allowlisted headers and injects platform headers", () => {
+        const incoming = new Headers({
+            "content-type": "application/json",
+            "x-evil-header": "should-not-pass",
+            host: "alice.example.com",
+        });
+        const user = { id: "u1", email: "a@b.com", name: "Alice" };
+        const result = buildUpstreamHeaders(incoming, user, "alice");
+        expect(result.get("content-type")).toBe("application/json");
+        expect(result.get("x-evil-header")).toBeNull();
+        expect(result.get("x-platform-user-id")).toBe("u1");
+        expect(result.get("x-platform-tenant")).toBe("alice");
+        expect(result.get("x-platform-user-email")).toBe("a@b.com");
+        expect(result.get("x-platform-user-name")).toBe("Alice");
+        expect(result.get("host")).toBe("alice.example.com");
+    });
+});
+// ---------------------------------------------------------------------------
+// createTenantProxyMiddleware integration tests
+// ---------------------------------------------------------------------------
+describe("createTenantProxyMiddleware", () => {
+    const DOMAIN = "example.com";
+    let resolveUser;
+    let config;
+    beforeEach(() => {
+        resolveUser = vi.fn();
+        config = { platformDomain: DOMAIN, resolveUser };
+    });
+    function createApp(container) {
+        const app = new Hono();
+        app.use("/*", createTenantProxyMiddleware(container, config));
+        app.get("/fallthrough", (c) => c.json({ fallthrough: true }));
+        return app;
+    }
+    it("passes through non-tenant requests (no subdomain)", async () => {
+        const container = createTestContainer();
+        const app = createApp(container);
+        const res = await app.request("http://example.com/fallthrough");
+        expect(res.status).toBe(200);
+        const body = await res.json();
+        expect(body.fallthrough).toBe(true);
+        // resolveUser should not be called for non-tenant requests
+        expect(resolveUser).not.toHaveBeenCalled();
+    });
+    it("returns 401 for unauthenticated tenant requests", async () => {
+        const container = createTestContainer({
+            fleet: {
+                profileStore: { list: vi.fn().mockResolvedValue([]) },
+                proxy: { getRoutes: vi.fn().mockReturnValue([]) },
+                manager: {},
+                docker: {},
+                serviceKeyRepo: {},
+            },
+        });
+        resolveUser.mockResolvedValue(undefined);
+        const app = createApp(container);
+        const res = await app.request("http://alice.example.com/dashboard", {
+            headers: { host: "alice.example.com" },
+        });
+        expect(res.status).toBe(401);
+        const body = await res.json();
+        expect(body.error).toContain("Authentication required");
+    });
+    it("returns 503 when fleet services are not available", async () => {
+        const container = createTestContainer({ fleet: null });
+        const app = createApp(container);
+        const res = await app.request("http://alice.example.com/dashboard", {
+            headers: { host: "alice.example.com" },
+        });
+        expect(res.status).toBe(503);
+        const body = await res.json();
+        expect(body.error).toContain("Fleet services unavailable");
+    });
+    it("returns 403 when user is not a member of the tenant", async () => {
+        const mockProfile = { name: "alice", tenantId: "tenant-1" };
+        const container = createTestContainer({
+            fleet: {
+                profileStore: { list: vi.fn().mockResolvedValue([mockProfile]) },
+                proxy: {
+                    getRoutes: vi
+                        .fn()
+                        .mockReturnValue([{ subdomain: "alice", upstreamHost: "127.0.0.1", upstreamPort: 4000, healthy: true }]),
+                },
+                manager: {},
+                docker: {},
+                serviceKeyRepo: {},
+            },
+            orgMemberRepo: {
+                findMember: vi.fn().mockResolvedValue(null),
+                listMembers: vi.fn(),
+                addMember: vi.fn(),
+                updateMemberRole: vi.fn(),
+                removeMember: vi.fn(),
+                countAdminsAndOwners: vi.fn(),
+                listInvites: vi.fn(),
+                createInvite: vi.fn(),
+                findInviteById: vi.fn(),
+                findInviteByToken: vi.fn(),
+                deleteInvite: vi.fn(),
+                deleteAllMembers: vi.fn(),
+                deleteAllInvites: vi.fn(),
+                listOrgsByUser: vi.fn(),
+                markInviteAccepted: vi.fn(),
+            },
+        });
+        resolveUser.mockResolvedValue({ id: "user-99", email: "user@test.com" });
+        const app = createApp(container);
+        const res = await app.request("http://alice.example.com/dashboard", {
+            headers: { host: "alice.example.com" },
+        });
+        expect(res.status).toBe(403);
+        const body = await res.json();
+        expect(body.error).toContain("not a member");
+    });
+    it("proxies correctly when authorized", async () => {
+        const mockProfile = { name: "alice", tenantId: "tenant-1" };
+        const upstreamRoute = {
+            instanceId: "inst-1",
+            subdomain: "alice",
+            upstreamHost: "127.0.0.1",
+            upstreamPort: 4000,
+            healthy: true,
+        };
+        const container = createTestContainer({
+            fleet: {
+                profileStore: { list: vi.fn().mockResolvedValue([mockProfile]) },
+                proxy: { getRoutes: vi.fn().mockReturnValue([upstreamRoute]) },
+                manager: {},
+                docker: {},
+                serviceKeyRepo: {},
+            },
+            orgMemberRepo: {
+                findMember: vi.fn().mockResolvedValue({ orgId: "tenant-1", userId: "user-1", role: "member" }),
+                listMembers: vi.fn(),
+                addMember: vi.fn(),
+                updateMemberRole: vi.fn(),
+                removeMember: vi.fn(),
+                countAdminsAndOwners: vi.fn(),
+                listInvites: vi.fn(),
+                createInvite: vi.fn(),
+                findInviteById: vi.fn(),
+                findInviteByToken: vi.fn(),
+                deleteInvite: vi.fn(),
+                deleteAllMembers: vi.fn(),
+                deleteAllInvites: vi.fn(),
+                listOrgsByUser: vi.fn(),
+                markInviteAccepted: vi.fn(),
+            },
+        });
+        resolveUser.mockResolvedValue({ id: "user-1", email: "user@test.com" });
+        // Mock global fetch to simulate upstream response
+        const originalFetch = globalThis.fetch;
+        globalThis.fetch = vi.fn().mockResolvedValue(new Response(JSON.stringify({ upstream: true }), {
+            status: 200,
+            headers: { "content-type": "application/json" },
+        }));
+        try {
+            const app = createApp(container);
+            const res = await app.request("http://alice.example.com/api/data?q=1", {
+                headers: { host: "alice.example.com" },
+            });
+            expect(res.status).toBe(200);
+            const body = await res.json();
+            expect(body.upstream).toBe(true);
+            // Verify fetch was called with the correct upstream URL
+            const fetchCall = globalThis.fetch.mock.calls[0];
+            expect(fetchCall[0]).toBe("http://127.0.0.1:4000/api/data?q=1");
+            // Verify platform headers were injected
+            const headers = fetchCall[1].headers;
+            expect(headers.get("x-platform-user-id")).toBe("user-1");
+            expect(headers.get("x-platform-tenant")).toBe("alice");
+        }
+        finally {
+            globalThis.fetch = originalFetch;
+        }
+    });
+    it("returns 502 when upstream fetch fails", async () => {
+        const mockProfile = { name: "bob", tenantId: "user-1" };
+        const upstreamRoute = {
+            instanceId: "inst-2",
+            subdomain: "bob",
+            upstreamHost: "127.0.0.1",
+            upstreamPort: 4001,
+            healthy: true,
+        };
+        const container = createTestContainer({
+            fleet: {
+                profileStore: { list: vi.fn().mockResolvedValue([mockProfile]) },
+                proxy: { getRoutes: vi.fn().mockReturnValue([upstreamRoute]) },
+                manager: {},
+                docker: {},
+                serviceKeyRepo: {},
+            },
+        });
+        // tenantId === userId means personal tenant, so validateTenantAccess returns true
+        resolveUser.mockResolvedValue({ id: "user-1" });
+        const originalFetch = globalThis.fetch;
+        globalThis.fetch = vi.fn().mockRejectedValue(new Error("ECONNREFUSED"));
+        try {
+            const app = createApp(container);
+            const res = await app.request("http://bob.example.com/test", {
+                headers: { host: "bob.example.com" },
+            });
+            expect(res.status).toBe(502);
+            const body = await res.json();
+            expect(body.error).toContain("Bad Gateway");
+        }
+        finally {
+            globalThis.fetch = originalFetch;
+        }
+    });
+    it("returns 404 when subdomain has no upstream route", async () => {
+        const container = createTestContainer({
+            fleet: {
+                profileStore: { list: vi.fn().mockResolvedValue([]) },
+                proxy: { getRoutes: vi.fn().mockReturnValue([]) },
+                manager: {},
+                docker: {},
+                serviceKeyRepo: {},
+            },
+        });
+        resolveUser.mockResolvedValue({ id: "user-1" });
+        const app = createApp(container);
+        const res = await app.request("http://ghost.example.com/test", {
+            headers: { host: "ghost.example.com" },
+        });
+        expect(res.status).toBe(404);
+        const body = await res.json();
+        expect(body.error).toContain("Tenant not found");
+    });
+});