npm - @wopr-network/platform-core - Versions diffs - 1.68.0 → 1.70.0 - Mend

@wopr-network/platform-core 1.68.0 → 1.70.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (93) hide show

package/dist/backup/types.d.ts +1 -1
package/dist/db/schema/pool-config.d.ts +41 -0
package/dist/db/schema/pool-config.js +5 -0
package/dist/db/schema/pool-instances.d.ts +126 -0
package/dist/db/schema/pool-instances.js +10 -0
package/dist/server/__tests__/build-container.test.d.ts +1 -0
package/dist/server/__tests__/build-container.test.js +339 -0
package/dist/server/__tests__/container.test.d.ts +1 -0
package/dist/server/__tests__/container.test.js +173 -0
package/dist/server/__tests__/lifecycle.test.d.ts +1 -0
package/dist/server/__tests__/lifecycle.test.js +90 -0
package/dist/server/__tests__/mount-routes.test.d.ts +1 -0
package/dist/server/__tests__/mount-routes.test.js +151 -0
package/dist/server/boot-config.d.ts +51 -0
package/dist/server/boot-config.js +7 -0
package/dist/server/container.d.ts +97 -0
package/dist/server/container.js +148 -0
package/dist/server/index.d.ts +33 -0
package/dist/server/index.js +66 -0
package/dist/server/lifecycle.d.ts +25 -0
package/dist/server/lifecycle.js +56 -0
package/dist/server/middleware/__tests__/admin-auth.test.d.ts +1 -0
package/dist/server/middleware/__tests__/admin-auth.test.js +59 -0
package/dist/server/middleware/__tests__/tenant-proxy.test.d.ts +1 -0
package/dist/server/middleware/__tests__/tenant-proxy.test.js +268 -0
package/dist/server/middleware/admin-auth.d.ts +18 -0
package/dist/server/middleware/admin-auth.js +38 -0
package/dist/server/middleware/tenant-proxy.d.ts +56 -0
package/dist/server/middleware/tenant-proxy.js +162 -0
package/dist/server/mount-routes.d.ts +30 -0
package/dist/server/mount-routes.js +74 -0
package/dist/server/routes/__tests__/admin.test.d.ts +1 -0
package/dist/server/routes/__tests__/admin.test.js +267 -0
package/dist/server/routes/__tests__/crypto-webhook.test.d.ts +1 -0
package/dist/server/routes/__tests__/crypto-webhook.test.js +137 -0
package/dist/server/routes/__tests__/provision-webhook.test.d.ts +1 -0
package/dist/server/routes/__tests__/provision-webhook.test.js +212 -0
package/dist/server/routes/__tests__/stripe-webhook.test.d.ts +1 -0
package/dist/server/routes/__tests__/stripe-webhook.test.js +65 -0
package/dist/server/routes/admin.d.ts +129 -0
package/dist/server/routes/admin.js +294 -0
package/dist/server/routes/crypto-webhook.d.ts +23 -0
package/dist/server/routes/crypto-webhook.js +82 -0
package/dist/server/routes/provision-webhook.d.ts +38 -0
package/dist/server/routes/provision-webhook.js +160 -0
package/dist/server/routes/stripe-webhook.d.ts +10 -0
package/dist/server/routes/stripe-webhook.js +29 -0
package/dist/server/services/hot-pool-claim.d.ts +30 -0
package/dist/server/services/hot-pool-claim.js +92 -0
package/dist/server/services/hot-pool.d.ts +25 -0
package/dist/server/services/hot-pool.js +129 -0
package/dist/server/services/pool-repository.d.ts +44 -0
package/dist/server/services/pool-repository.js +72 -0
package/dist/server/test-container.d.ts +15 -0
package/dist/server/test-container.js +103 -0
package/dist/trpc/auth-helpers.d.ts +17 -0
package/dist/trpc/auth-helpers.js +26 -0
package/dist/trpc/container-factories.d.ts +300 -0
package/dist/trpc/container-factories.js +80 -0
package/dist/trpc/index.d.ts +2 -0
package/dist/trpc/index.js +2 -0
package/drizzle/migrations/0025_hot_pool_tables.sql +29 -0
package/package.json +5 -1
package/src/db/schema/pool-config.ts +6 -0
package/src/db/schema/pool-instances.ts +11 -0
package/src/server/__tests__/build-container.test.ts +402 -0
package/src/server/__tests__/container.test.ts +207 -0
package/src/server/__tests__/lifecycle.test.ts +106 -0
package/src/server/__tests__/mount-routes.test.ts +169 -0
package/src/server/boot-config.ts +84 -0
package/src/server/container.ts +264 -0
package/src/server/index.ts +92 -0
package/src/server/lifecycle.ts +72 -0
package/src/server/middleware/__tests__/admin-auth.test.ts +67 -0
package/src/server/middleware/__tests__/tenant-proxy.test.ts +308 -0
package/src/server/middleware/admin-auth.ts +51 -0
package/src/server/middleware/tenant-proxy.ts +192 -0
package/src/server/mount-routes.ts +113 -0
package/src/server/routes/__tests__/admin.test.ts +320 -0
package/src/server/routes/__tests__/crypto-webhook.test.ts +167 -0
package/src/server/routes/__tests__/provision-webhook.test.ts +323 -0
package/src/server/routes/__tests__/stripe-webhook.test.ts +73 -0
package/src/server/routes/admin.ts +360 -0
package/src/server/routes/crypto-webhook.ts +110 -0
package/src/server/routes/provision-webhook.ts +212 -0
package/src/server/routes/stripe-webhook.ts +36 -0
package/src/server/services/hot-pool-claim.ts +130 -0
package/src/server/services/hot-pool.ts +174 -0
package/src/server/services/pool-repository.ts +107 -0
package/src/server/test-container.ts +120 -0
package/src/trpc/auth-helpers.ts +28 -0
package/src/trpc/container-factories.ts +114 -0
package/src/trpc/index.ts +9 -0

package/dist/server/middleware/admin-auth.d.ts ADDED Viewed

@@ -0,0 +1,18 @@
+/**
+ * Admin auth middleware — timing-safe API key verification.
+ *
+ * Factory function that creates a Hono middleware handler requiring
+ * a valid admin API key in the Authorization header. Uses
+ * `crypto.timingSafeEqual` to prevent timing side-channel attacks.
+ */
+import type { MiddlewareHandler } from "hono";
+export interface AdminAuthConfig {
+    adminApiKey: string;
+}
+/**
+ * Create an admin auth middleware that validates Bearer tokens
+ * against the configured admin API key using timing-safe comparison.
+ *
+ * Fail-closed: if the key is empty or missing, all requests are rejected.
+ */
+export declare function createAdminAuthMiddleware(config: AdminAuthConfig): MiddlewareHandler;

package/dist/server/middleware/admin-auth.js ADDED Viewed

@@ -0,0 +1,38 @@
+/**
+ * Admin auth middleware — timing-safe API key verification.
+ *
+ * Factory function that creates a Hono middleware handler requiring
+ * a valid admin API key in the Authorization header. Uses
+ * `crypto.timingSafeEqual` to prevent timing side-channel attacks.
+ */
+import { timingSafeEqual } from "node:crypto";
+/**
+ * Create an admin auth middleware that validates Bearer tokens
+ * against the configured admin API key using timing-safe comparison.
+ *
+ * Fail-closed: if the key is empty or missing, all requests are rejected.
+ */
+export function createAdminAuthMiddleware(config) {
+    const { adminApiKey } = config;
+    return async (c, next) => {
+        // Fail closed: if no admin key is configured, reject everything
+        if (!adminApiKey) {
+            return c.json({ error: "Admin authentication not configured" }, 503);
+        }
+        const authHeader = c.req.header("authorization");
+        if (!authHeader || !authHeader.startsWith("Bearer ")) {
+            return c.json({ error: "Unauthorized: admin authentication required" }, 401);
+        }
+        const token = authHeader.slice("Bearer ".length).trim();
+        if (!token) {
+            return c.json({ error: "Unauthorized: admin authentication required" }, 401);
+        }
+        // Timing-safe comparison: both buffers must be the same length
+        const tokenBuf = Buffer.from(token);
+        const keyBuf = Buffer.from(adminApiKey);
+        if (tokenBuf.length !== keyBuf.length || !timingSafeEqual(tokenBuf, keyBuf)) {
+            return c.json({ error: "Unauthorized: invalid admin credentials" }, 401);
+        }
+        return next();
+    };
+}

package/dist/server/middleware/tenant-proxy.d.ts ADDED Viewed

@@ -0,0 +1,56 @@
+/**
+ * Tenant subdomain proxy middleware.
+ *
+ * Extracts the tenant subdomain from the Host header, authenticates
+ * the user, verifies tenant membership via orgMemberRepo, resolves
+ * the fleet container URL, and proxies the request upstream.
+ *
+ * Ported from paperclip-platform with fail-closed semantics:
+ * - If fleet services are unavailable, returns 503 (not silent skip)
+ * - Auth check runs before tenant ownership check
+ * - Upstream headers are sanitized via allowlist
+ */
+import type { MiddlewareHandler } from "hono";
+import type { PlatformContainer } from "../container.js";
+/** Resolved user identity for upstream header injection. */
+export interface ProxyUserInfo {
+    id: string;
+    email?: string;
+    name?: string;
+}
+export interface TenantProxyConfig {
+    /** The platform root domain (e.g. "runpaperclip.com"). */
+    platformDomain: string;
+    /**
+     * Resolve the authenticated user from the request.
+     * Products wire this to their auth system (BetterAuth, etc.).
+     */
+    resolveUser: (req: Request) => Promise<ProxyUserInfo | undefined>;
+}
+/**
+ * Extract the tenant subdomain from a Host header value.
+ *
+ * "alice.example.com" -> "alice"
+ * "example.com"       -> null (root domain)
+ * "app.example.com"   -> null (reserved)
+ */
+export declare function extractTenantSubdomain(host: string, platformDomain: string): string | null;
+/**
+ * Build sanitized headers for upstream requests.
+ *
+ * Only allowlisted headers are forwarded. All x-platform-* headers are
+ * injected server-side from the authenticated session -- never copied from
+ * the incoming request -- to prevent spoofing.
+ */
+export declare function buildUpstreamHeaders(incoming: Headers, user: ProxyUserInfo, tenantSubdomain: string): Headers;
+/**
+ * Create a tenant subdomain proxy middleware.
+ *
+ * If the request Host identifies a tenant subdomain, authenticates the user,
+ * resolves the fleet container URL, and proxies the request. Non-tenant
+ * requests (root domain, reserved subdomains) pass through to next().
+ *
+ * Fail-closed: if fleet services or orgMemberRepo are unavailable, returns
+ * 503 instead of silently skipping checks.
+ */
+export declare function createTenantProxyMiddleware(container: PlatformContainer, config: TenantProxyConfig): MiddlewareHandler;

package/dist/server/middleware/tenant-proxy.js ADDED Viewed

@@ -0,0 +1,162 @@
+/**
+ * Tenant subdomain proxy middleware.
+ *
+ * Extracts the tenant subdomain from the Host header, authenticates
+ * the user, verifies tenant membership via orgMemberRepo, resolves
+ * the fleet container URL, and proxies the request upstream.
+ *
+ * Ported from paperclip-platform with fail-closed semantics:
+ * - If fleet services are unavailable, returns 503 (not silent skip)
+ * - Auth check runs before tenant ownership check
+ * - Upstream headers are sanitized via allowlist
+ */
+/** Reserved subdomains that should never resolve to a tenant. */
+const RESERVED_SUBDOMAINS = new Set(["app", "api", "staging", "www", "mail", "admin", "dashboard", "status", "docs"]);
+/** DNS label rules (RFC 1123). */
+const SUBDOMAIN_RE = /^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$/;
+/**
+ * Headers safe to forward to upstream containers.
+ *
+ * This is an allowlist -- only these headers are copied from the incoming
+ * request. All x-platform-* headers are injected server-side after auth
+ * resolution, preventing client-side spoofing.
+ */
+const FORWARDED_HEADERS = [
+    "content-type",
+    "accept",
+    "accept-language",
+    "accept-encoding",
+    "content-length",
+    "x-request-id",
+    "user-agent",
+    "origin",
+    "referer",
+    "cookie",
+];
+/**
+ * Extract the tenant subdomain from a Host header value.
+ *
+ * "alice.example.com" -> "alice"
+ * "example.com"       -> null (root domain)
+ * "app.example.com"   -> null (reserved)
+ */
+export function extractTenantSubdomain(host, platformDomain) {
+    const hostname = host.split(":")[0].toLowerCase();
+    const suffix = `.${platformDomain}`;
+    if (!hostname.endsWith(suffix))
+        return null;
+    const subdomain = hostname.slice(0, -suffix.length);
+    if (!subdomain || subdomain.includes("."))
+        return null;
+    if (RESERVED_SUBDOMAINS.has(subdomain))
+        return null;
+    if (!SUBDOMAIN_RE.test(subdomain))
+        return null;
+    return subdomain;
+}
+/**
+ * Build sanitized headers for upstream requests.
+ *
+ * Only allowlisted headers are forwarded. All x-platform-* headers are
+ * injected server-side from the authenticated session -- never copied from
+ * the incoming request -- to prevent spoofing.
+ */
+export function buildUpstreamHeaders(incoming, user, tenantSubdomain) {
+    const headers = new Headers();
+    for (const key of FORWARDED_HEADERS) {
+        const val = incoming.get(key);
+        if (val)
+            headers.set(key, val);
+    }
+    // Forward original Host so upstream hostname allowlist doesn't reject
+    const host = incoming.get("host");
+    if (host)
+        headers.set("host", host);
+    headers.set("x-platform-user-id", user.id);
+    headers.set("x-platform-tenant", tenantSubdomain);
+    if (user.email)
+        headers.set("x-platform-user-email", user.email);
+    if (user.name)
+        headers.set("x-platform-user-name", user.name);
+    return headers;
+}
+/**
+ * Resolve the upstream container URL for a tenant subdomain from the
+ * proxy route table. Returns null if no route exists or is unhealthy.
+ */
+function resolveContainerUrl(container, subdomain) {
+    if (!container.fleet)
+        return null;
+    const routes = container.fleet.proxy.getRoutes();
+    const route = routes.find((r) => r.subdomain === subdomain);
+    if (!route || !route.healthy)
+        return null;
+    return `http://${route.upstreamHost}:${route.upstreamPort}`;
+}
+/**
+ * Create a tenant subdomain proxy middleware.
+ *
+ * If the request Host identifies a tenant subdomain, authenticates the user,
+ * resolves the fleet container URL, and proxies the request. Non-tenant
+ * requests (root domain, reserved subdomains) pass through to next().
+ *
+ * Fail-closed: if fleet services or orgMemberRepo are unavailable, returns
+ * 503 instead of silently skipping checks.
+ */
+export function createTenantProxyMiddleware(container, config) {
+    const { platformDomain, resolveUser } = config;
+    return async (c, next) => {
+        const host = c.req.header("host");
+        if (!host)
+            return next();
+        const subdomain = extractTenantSubdomain(host, platformDomain);
+        if (!subdomain)
+            return next();
+        // --- Fail-closed checks ---
+        // Fleet services must be available for tenant proxying
+        if (!container.fleet) {
+            return c.json({ error: "Fleet services unavailable" }, 503);
+        }
+        // Authenticate -- reject unauthenticated requests
+        const user = await resolveUser(c.req.raw);
+        if (!user) {
+            return c.json({ error: "Authentication required" }, 401);
+        }
+        // Verify tenant ownership -- user must belong to the org that owns this subdomain
+        const profiles = await container.fleet.profileStore.list();
+        const profile = profiles.find((p) => p.name === subdomain);
+        if (!profile) {
+            return c.json({ error: "Tenant not found" }, 404);
+        }
+        const { validateTenantAccess } = await import("../../auth/index.js");
+        const hasAccess = await validateTenantAccess(user.id, profile.tenantId, container.orgMemberRepo);
+        if (!hasAccess) {
+            return c.json({ error: "Forbidden: not a member of this tenant" }, 403);
+        }
+        // Resolve fleet container URL via proxy route table
+        const upstream = resolveContainerUrl(container, subdomain);
+        if (!upstream) {
+            return c.json({ error: "Tenant not found" }, 404);
+        }
+        const url = new URL(c.req.url);
+        const targetUrl = `${upstream}${url.pathname}${url.search}`;
+        const upstreamHeaders = buildUpstreamHeaders(c.req.raw.headers, user, subdomain);
+        let response;
+        try {
+            response = await fetch(targetUrl, {
+                method: c.req.method,
+                headers: upstreamHeaders,
+                body: c.req.method !== "GET" && c.req.method !== "HEAD" ? c.req.raw.body : undefined,
+                // @ts-expect-error duplex needed for streaming request bodies
+                duplex: "half",
+            });
+        }
+        catch {
+            return c.json({ error: "Bad Gateway: upstream container unavailable" }, 502);
+        }
+        return new Response(response.body, {
+            status: response.status,
+            headers: response.headers,
+        });
+    };
+}

package/dist/server/mount-routes.d.ts ADDED Viewed

@@ -0,0 +1,30 @@
+/**
+ * mountRoutes — wire shared HTTP routes and middleware onto a Hono app.
+ *
+ * Mounts routes conditionally based on which feature sub-containers are
+ * present on the PlatformContainer. Products call this after building the
+ * container; tRPC routers (admin, fleet-update, etc.) are mounted
+ * separately by products since they need product-specific auth context.
+ */
+import type { Hono } from "hono";
+import type { RoutePlugin } from "./boot-config.js";
+import type { PlatformContainer } from "./container.js";
+export interface MountConfig {
+    provisionSecret: string;
+    cryptoServiceKey?: string;
+    platformDomain: string;
+}
+/**
+ * Mount all shared routes and middleware onto a Hono app based on the
+ * container's enabled feature slices.
+ *
+ * Mount order:
+ *   1. CORS middleware (from productConfig domain list)
+ *   2. Health endpoint (always)
+ *   3. Crypto webhook (if crypto enabled)
+ *   4. Stripe webhook (if stripe enabled)
+ *   5. Provision webhook (if fleet enabled)
+ *   6. Product-specific route plugins
+ *   7. Tenant proxy middleware (catch-all — must be last)
+ */
+export declare function mountRoutes(app: Hono, container: PlatformContainer, config: MountConfig, plugins?: RoutePlugin[]): void;

package/dist/server/mount-routes.js ADDED Viewed

@@ -0,0 +1,74 @@
+/**
+ * mountRoutes — wire shared HTTP routes and middleware onto a Hono app.
+ *
+ * Mounts routes conditionally based on which feature sub-containers are
+ * present on the PlatformContainer. Products call this after building the
+ * container; tRPC routers (admin, fleet-update, etc.) are mounted
+ * separately by products since they need product-specific auth context.
+ */
+import { cors } from "hono/cors";
+import { deriveCorsOrigins } from "../product-config/repository-types.js";
+import { createTenantProxyMiddleware } from "./middleware/tenant-proxy.js";
+import { createCryptoWebhookRoutes } from "./routes/crypto-webhook.js";
+import { createProvisionWebhookRoutes } from "./routes/provision-webhook.js";
+import { createStripeWebhookRoutes } from "./routes/stripe-webhook.js";
+// ---------------------------------------------------------------------------
+// mountRoutes
+// ---------------------------------------------------------------------------
+/**
+ * Mount all shared routes and middleware onto a Hono app based on the
+ * container's enabled feature slices.
+ *
+ * Mount order:
+ *   1. CORS middleware (from productConfig domain list)
+ *   2. Health endpoint (always)
+ *   3. Crypto webhook (if crypto enabled)
+ *   4. Stripe webhook (if stripe enabled)
+ *   5. Provision webhook (if fleet enabled)
+ *   6. Product-specific route plugins
+ *   7. Tenant proxy middleware (catch-all — must be last)
+ */
+export function mountRoutes(app, container, config, plugins = []) {
+    // 1. CORS middleware
+    const origins = deriveCorsOrigins(container.productConfig.product, container.productConfig.domains);
+    app.use("*", cors({
+        origin: origins,
+        allowMethods: ["GET", "POST", "PUT", "PATCH", "DELETE", "OPTIONS"],
+        allowHeaders: ["Content-Type", "Authorization", "X-Request-ID"],
+        credentials: true,
+    }));
+    // 2. Health endpoint (always available)
+    app.get("/health", (c) => c.json({ ok: true }));
+    // 3. Crypto webhook (when crypto payments are enabled)
+    if (container.crypto) {
+        app.route("/api/webhooks/crypto", createCryptoWebhookRoutes(container, {
+            provisionSecret: config.provisionSecret,
+            cryptoServiceKey: config.cryptoServiceKey,
+        }));
+    }
+    // 4. Stripe webhook (when stripe billing is enabled)
+    if (container.stripe) {
+        app.route("/api/webhooks/stripe", createStripeWebhookRoutes(container));
+    }
+    // 5. Provision webhook (when fleet management is enabled)
+    if (container.fleet) {
+        const fleetConfig = container.productConfig.fleet;
+        app.route("/api/provision", createProvisionWebhookRoutes(container, {
+            provisionSecret: config.provisionSecret,
+            instanceImage: fleetConfig?.containerImage ?? "ghcr.io/default:latest",
+            containerPort: fleetConfig?.containerPort ?? 3000,
+            maxInstancesPerTenant: fleetConfig?.maxInstances ?? 5,
+        }));
+    }
+    // 6. Product-specific route plugins
+    for (const plugin of plugins) {
+        app.route(plugin.path, plugin.handler(container));
+    }
+    // 7. Tenant proxy middleware (catch-all — MUST be last)
+    if (container.fleet) {
+        app.use("*", createTenantProxyMiddleware(container, {
+            platformDomain: config.platformDomain,
+            resolveUser: async () => undefined, // Products override via plugin or direct middleware
+        }));
+    }
+}

package/dist/server/routes/__tests__/admin.test.d.ts ADDED Viewed

	@@ -0,0 +1 @@
1	+ export {};

package/dist/server/routes/__tests__/admin.test.js ADDED Viewed

@@ -0,0 +1,267 @@
+import { beforeEach, describe, expect, it, vi } from "vitest";
+import { createCallerFactory, router, setTrpcOrgMemberRepo } from "../../../trpc/init.js";
+import { createTestContainer } from "../../test-container.js";
+import { createAdminRouter } from "../admin.js";
+// ---------------------------------------------------------------------------
+// Mocks
+// ---------------------------------------------------------------------------
+// Mock global fetch for OpenRouter API calls
+const mockFetch = vi.fn();
+vi.stubGlobal("fetch", mockFetch);
+function makeMockOrgRepo() {
+    return {
+        listMembers: vi.fn().mockResolvedValue([]),
+        addMember: vi.fn().mockResolvedValue(undefined),
+        updateMemberRole: vi.fn().mockResolvedValue(undefined),
+        removeMember: vi.fn().mockResolvedValue(undefined),
+        findMember: vi.fn().mockResolvedValue(null),
+        countAdminsAndOwners: vi.fn().mockResolvedValue(0),
+        listInvites: vi.fn().mockResolvedValue([]),
+        createInvite: vi.fn().mockResolvedValue(undefined),
+        findInviteById: vi.fn().mockResolvedValue(null),
+        findInviteByToken: vi.fn().mockResolvedValue(null),
+        deleteInvite: vi.fn().mockResolvedValue(undefined),
+        deleteAllMembers: vi.fn().mockResolvedValue(undefined),
+        deleteAllInvites: vi.fn().mockResolvedValue(undefined),
+        listOrgsByUser: vi.fn().mockResolvedValue([]),
+        markInviteAccepted: vi.fn().mockResolvedValue(undefined),
+    };
+}
+const adminCtx = {
+    user: { id: "admin-1", roles: ["platform_admin"] },
+    tenantId: undefined,
+};
+// ---------------------------------------------------------------------------
+// Helpers
+// ---------------------------------------------------------------------------
+function makeCaller(container, config) {
+    const adminRouter = createAdminRouter(container, config);
+    const appRouter = router({ admin: adminRouter });
+    const createCaller = createCallerFactory(appRouter);
+    return createCaller(adminCtx);
+}
+// ---------------------------------------------------------------------------
+// Tests
+// ---------------------------------------------------------------------------
+describe("createAdminRouter", () => {
+    beforeEach(() => {
+        setTrpcOrgMemberRepo(makeMockOrgRepo());
+        mockFetch.mockReset();
+    });
+    // -------------------------------------------------------------------------
+    // Model list endpoint
+    // -------------------------------------------------------------------------
+    describe("listAvailableModels", () => {
+        it("returns cached models from OpenRouter API", async () => {
+            const container = createTestContainer();
+            const models = [
+                {
+                    id: "openai/gpt-4",
+                    name: "GPT-4",
+                    context_length: 8192,
+                    pricing: { prompt: "0.03", completion: "0.06" },
+                },
+                {
+                    id: "anthropic/claude-3",
+                    name: "Claude 3",
+                    context_length: 200000,
+                    pricing: { prompt: "0.015", completion: "0.075" },
+                },
+            ];
+            mockFetch.mockResolvedValueOnce({
+                ok: true,
+                json: async () => ({ data: models }),
+            });
+            const caller = makeCaller(container, { openRouterApiKey: "sk-test-key" });
+            const result = await caller.admin.listAvailableModels();
+            expect(result.models).toHaveLength(2);
+            expect(result.models[0].id).toBe("anthropic/claude-3");
+            expect(result.models[1].id).toBe("openai/gpt-4");
+            expect(mockFetch).toHaveBeenCalledOnce();
+            // Second call should use cache (no additional fetch)
+            const result2 = await caller.admin.listAvailableModels();
+            expect(result2.models).toHaveLength(2);
+            expect(mockFetch).toHaveBeenCalledOnce();
+        });
+        it("returns empty list when no API key configured", async () => {
+            const container = createTestContainer();
+            const caller = makeCaller(container); // no config = no API key
+            const result = await caller.admin.listAvailableModels();
+            expect(result.models).toEqual([]);
+            expect(mockFetch).not.toHaveBeenCalled();
+        });
+        it("returns stale cache on fetch failure", async () => {
+            // First call seeds the cache
+            const container = createTestContainer();
+            mockFetch.mockResolvedValueOnce({
+                ok: true,
+                json: async () => ({
+                    data: [{ id: "model/a", name: "A", context_length: 100, pricing: { prompt: "1", completion: "2" } }],
+                }),
+            });
+            const caller = makeCaller(container, { openRouterApiKey: "sk-test-key" });
+            await caller.admin.listAvailableModels();
+            // Advance past 60s cache TTL so the next call triggers a fetch
+            vi.useFakeTimers();
+            vi.advanceTimersByTime(61_000);
+            mockFetch.mockRejectedValueOnce(new Error("Network error"));
+            const result = await caller.admin.listAvailableModels();
+            // On failure, falls back to stale cache
+            expect(result.models).toHaveLength(1);
+            expect(result.models[0].id).toBe("model/a");
+            vi.useRealTimers();
+        });
+    });
+    // -------------------------------------------------------------------------
+    // Fleet instance listing
+    // -------------------------------------------------------------------------
+    describe("listAllInstances", () => {
+        it("lists instances using container.fleet", async () => {
+            const mockProfiles = [
+                { id: "inst-1", name: "Bot A", tenantId: "t1", image: "img:latest" },
+                { id: "inst-2", name: "Bot B", tenantId: "t2", image: "img:v2" },
+            ];
+            const mockStatus = {
+                state: "running",
+                health: "healthy",
+                uptime: 3600,
+                containerId: "abc123",
+                startedAt: "2026-01-01T00:00:00Z",
+            };
+            const container = createTestContainer({
+                fleet: {
+                    manager: {
+                        status: vi.fn().mockResolvedValue(mockStatus),
+                    },
+                    docker: {},
+                    proxy: {},
+                    profileStore: {
+                        list: vi.fn().mockResolvedValue(mockProfiles),
+                        init: vi.fn(),
+                        save: vi.fn(),
+                        get: vi.fn(),
+                        delete: vi.fn(),
+                    },
+                    serviceKeyRepo: {},
+                },
+            });
+            const caller = makeCaller(container);
+            const result = await caller.admin.listAllInstances();
+            expect(result.instances).toHaveLength(2);
+            expect(result.instances[0]).toEqual({
+                id: "inst-1",
+                name: "Bot A",
+                tenantId: "t1",
+                image: "img:latest",
+                state: "running",
+                health: "healthy",
+                uptime: 3600,
+                containerId: "abc123",
+                startedAt: "2026-01-01T00:00:00Z",
+            });
+        });
+        it("returns error when fleet not configured", async () => {
+            const container = createTestContainer({ fleet: null });
+            const caller = makeCaller(container);
+            const result = await caller.admin.listAllInstances();
+            expect(result.instances).toEqual([]);
+            expect(result.error).toBe("Fleet not configured");
+        });
+        it("returns error state for instances that fail status check", async () => {
+            const mockProfiles = [{ id: "inst-bad", name: "Bad Bot", tenantId: "t1", image: "img:latest" }];
+            const container = createTestContainer({
+                fleet: {
+                    manager: {
+                        status: vi.fn().mockRejectedValue(new Error("container not found")),
+                    },
+                    docker: {},
+                    proxy: {},
+                    profileStore: {
+                        list: vi.fn().mockResolvedValue(mockProfiles),
+                        init: vi.fn(),
+                        save: vi.fn(),
+                        get: vi.fn(),
+                        delete: vi.fn(),
+                    },
+                    serviceKeyRepo: {},
+                },
+            });
+            const caller = makeCaller(container);
+            const result = await caller.admin.listAllInstances();
+            expect(result.instances).toHaveLength(1);
+            expect(result.instances[0].state).toBe("error");
+            expect(result.instances[0].health).toBeNull();
+        });
+    });
+    // -------------------------------------------------------------------------
+    // Credit balance query
+    // -------------------------------------------------------------------------
+    describe("billingOverview", () => {
+        it("queries credit balance via container pool", async () => {
+            const mockPool = {
+                query: vi
+                    .fn()
+                    .mockResolvedValueOnce({ rows: [{ totalRaw: "50000000" }] }) // credit_entry sum (50M microdollars = 5000 cents)
+                    .mockResolvedValueOnce({ rows: [{ count: "3" }] }) // payment methods
+                    .mockResolvedValueOnce({ rows: [{ count: "5" }] }), // orgs
+                end: vi.fn(),
+            };
+            const container = createTestContainer({
+                pool: mockPool,
+                gateway: null, // no gateway = skip service key count
+            });
+            const caller = makeCaller(container);
+            const result = await caller.admin.billingOverview();
+            expect(result.totalBalanceCents).toBe(5000);
+            expect(result.activeKeyCount).toBe(0); // gateway not configured
+            expect(result.paymentMethodCount).toBe(3);
+            expect(result.orgCount).toBe(5);
+        });
+        it("counts active service keys when gateway is configured", async () => {
+            const mockPool = {
+                query: vi
+                    .fn()
+                    .mockResolvedValueOnce({ rows: [{ totalRaw: "0" }] }) // credit_entry
+                    .mockResolvedValueOnce({ rows: [{ count: "7" }] }) // service_keys
+                    .mockResolvedValueOnce({ rows: [{ count: "0" }] }) // payment methods
+                    .mockResolvedValueOnce({ rows: [{ count: "0" }] }), // orgs
+                end: vi.fn(),
+            };
+            const container = createTestContainer({
+                pool: mockPool,
+                gateway: {
+                    serviceKeyRepo: {},
+                },
+            });
+            const caller = makeCaller(container);
+            const result = await caller.admin.billingOverview();
+            expect(result.activeKeyCount).toBe(7);
+        });
+        it("returns zeros when tables do not exist", async () => {
+            const mockPool = {
+                query: vi.fn().mockRejectedValue(new Error('relation "credit_entry" does not exist')),
+                end: vi.fn(),
+            };
+            const container = createTestContainer({
+                pool: mockPool,
+            });
+            const caller = makeCaller(container);
+            const result = await caller.admin.billingOverview();
+            expect(result.totalBalanceCents).toBe(0);
+            expect(result.activeKeyCount).toBe(0);
+            expect(result.paymentMethodCount).toBe(0);
+            expect(result.orgCount).toBe(0);
+        });
+    });
+    // -------------------------------------------------------------------------
+    // Auth guard
+    // -------------------------------------------------------------------------
+    it("rejects non-admin users", async () => {
+        const container = createTestContainer();
+        const adminRouter = createAdminRouter(container);
+        const appRouter = router({ admin: adminRouter });
+        const createCaller = createCallerFactory(appRouter);
+        const caller = createCaller({ user: { id: "u1", roles: ["user"] }, tenantId: undefined });
+        await expect(caller.admin.listAvailableModels()).rejects.toThrow("Platform admin role required");
+    });
+});

package/dist/server/routes/__tests__/crypto-webhook.test.d.ts ADDED Viewed

	@@ -0,0 +1 @@
1	+ export {};