@wopr-network/platform-core 1.68.0 → 1.70.0

package/dist/server/routes/__tests__/crypto-webhook.test.js

@@ -0,0 +1,137 @@
+import { describe, expect, it, vi } from "vitest";
+import { createTestContainer } from "../../test-container.js";
+import { createCryptoWebhookRoutes } from "../crypto-webhook.js";
+// ---------------------------------------------------------------------------
+// Mock the key-server-webhook handler so we never hit real billing logic
+// ---------------------------------------------------------------------------
+vi.mock("../../../billing/crypto/key-server-webhook.js", () => ({
+    handleKeyServerWebhook: vi.fn().mockResolvedValue({
+        handled: true,
+        creditedCents: 500,
+    }),
+}));
+// ---------------------------------------------------------------------------
+// Helpers
+// ---------------------------------------------------------------------------
+const SECRET = "test-provision-secret";
+const CRYPTO_KEY = "test-crypto-service-key";
+function makeConfig(overrides) {
+    return {
+        provisionSecret: SECRET,
+        cryptoServiceKey: CRYPTO_KEY,
+        ...overrides,
+    };
+}
+function makeCrypto() {
+    return {
+        chargeRepo: {},
+        webhookSeenRepo: {},
+    };
+}
+const validPayload = {
+    chargeId: "ch_123",
+    chain: "ETH",
+    address: "0xabc",
+    status: "confirmed",
+};
+function buildApp(opts) {
+    const container = createTestContainer({
+        crypto: opts?.crypto !== undefined ? opts.crypto : makeCrypto(),
+    });
+    const config = makeConfig(opts?.config);
+    return createCryptoWebhookRoutes(container, config);
+}
+async function post(app, body, headers) {
+    const init = {
+        method: "POST",
+        headers: {
+            "Content-Type": "application/json",
+            ...headers,
+        },
+    };
+    if (body !== undefined) {
+        init.body = typeof body === "string" ? body : JSON.stringify(body);
+    }
+    return app.request("/", init);
+}
+// ---------------------------------------------------------------------------
+// Tests
+// ---------------------------------------------------------------------------
+describe("createCryptoWebhookRoutes", () => {
+    // 1. No auth header
+    it("returns 401 without auth header", async () => {
+        const app = buildApp();
+        const res = await post(app, validPayload);
+        expect(res.status).toBe(401);
+        const json = await res.json();
+        expect(json.error).toBe("Unauthorized");
+    });
+    // 2. Wrong Bearer token
+    it("returns 401 with wrong Bearer token", async () => {
+        const app = buildApp();
+        const res = await post(app, validPayload, {
+            Authorization: "Bearer wrong-token",
+        });
+        expect(res.status).toBe(401);
+        const json = await res.json();
+        expect(json.error).toBe("Unauthorized");
+    });
+    // 3. Invalid JSON
+    it("returns 400 on invalid JSON", async () => {
+        const app = buildApp();
+        const res = await app.request("/", {
+            method: "POST",
+            headers: {
+                "Content-Type": "application/json",
+                Authorization: `Bearer ${SECRET}`,
+            },
+            body: "not-valid-json{{{",
+        });
+        expect(res.status).toBe(400);
+        const json = await res.json();
+        expect(json.error).toBe("Invalid JSON");
+    });
+    // 4. Zod validation failure (missing required fields)
+    it("returns 400 on payload that fails Zod validation", async () => {
+        const app = buildApp();
+        const res = await post(app, { chargeId: "ch_123" }, // missing chain, address, status
+        { Authorization: `Bearer ${SECRET}` });
+        expect(res.status).toBe(400);
+        const json = await res.json();
+        expect(json.error).toBe("Invalid payload");
+        expect(json.issues).toBeDefined();
+        expect(json.issues.length).toBeGreaterThan(0);
+    });
+    // 5. Container crypto is null -> 501
+    it("returns 501 when container.crypto is null", async () => {
+        const app = buildApp({ crypto: null });
+        const res = await post(app, validPayload, {
+            Authorization: `Bearer ${SECRET}`,
+        });
+        expect(res.status).toBe(501);
+        const json = await res.json();
+        expect(json.error).toBe("Crypto payments not configured");
+    });
+    // 6. Valid Bearer matching provision secret
+    it("accepts valid Bearer token matching provision secret", async () => {
+        const app = buildApp();
+        const res = await post(app, validPayload, {
+            Authorization: `Bearer ${SECRET}`,
+        });
+        expect(res.status).toBe(200);
+        const json = await res.json();
+        expect(json.handled).toBe(true);
+        expect(json.creditedCents).toBe(500);
+    });
+    // 7. Valid Bearer matching crypto service key
+    it("accepts valid Bearer token matching crypto service key", async () => {
+        const app = buildApp();
+        const res = await post(app, validPayload, {
+            Authorization: `Bearer ${CRYPTO_KEY}`,
+        });
+        expect(res.status).toBe(200);
+        const json = await res.json();
+        expect(json.handled).toBe(true);
+        expect(json.creditedCents).toBe(500);
+    });
+});

package/dist/server/routes/__tests__/provision-webhook.test.d.ts

@@ -0,0 +1 @@
+export {};

package/dist/server/routes/__tests__/provision-webhook.test.js

@@ -0,0 +1,212 @@
+import { describe, expect, it, vi } from "vitest";
+import { createTestContainer } from "../../test-container.js";
+import { createProvisionWebhookRoutes } from "../provision-webhook.js";
+// ---------------------------------------------------------------------------
+// Helpers
+// ---------------------------------------------------------------------------
+const SECRET = "test-provision-secret-1234";
+function makeConfig(overrides) {
+    return {
+        provisionSecret: SECRET,
+        instanceImage: "ghcr.io/test/app:latest",
+        containerPort: 3000,
+        maxInstancesPerTenant: 5,
+        gatewayUrl: "http://gateway:4000",
+        containerPrefix: "test",
+        ...overrides,
+    };
+}
+function makeFleet() {
+    return {
+        manager: {
+            create: vi.fn().mockResolvedValue({
+                id: "inst-001",
+                containerId: "docker-abc",
+                containerName: "test-myapp",
+                url: "http://test-myapp:3000",
+                profile: { id: "inst-001", name: "myapp", tenantId: "tenant-1" },
+            }),
+            remove: vi.fn().mockResolvedValue(undefined),
+            status: vi.fn().mockResolvedValue({
+                id: "inst-001",
+                name: "myapp",
+                state: "running",
+            }),
+        },
+        docker: {},
+        proxy: {
+            addRoute: vi.fn().mockResolvedValue(undefined),
+            removeRoute: vi.fn(),
+            updateHealth: vi.fn(),
+            getRoutes: vi.fn().mockReturnValue([]),
+            start: vi.fn().mockResolvedValue(undefined),
+            stop: vi.fn().mockResolvedValue(undefined),
+            reload: vi.fn().mockResolvedValue(undefined),
+        },
+        profileStore: {
+            init: vi.fn().mockResolvedValue(undefined),
+            save: vi.fn().mockResolvedValue(undefined),
+            get: vi.fn().mockResolvedValue(null),
+            list: vi.fn().mockResolvedValue([]),
+            delete: vi.fn().mockResolvedValue(true),
+        },
+        serviceKeyRepo: {
+            generate: vi.fn().mockResolvedValue("key-abc"),
+            resolve: vi.fn().mockResolvedValue(null),
+            revokeByInstance: vi.fn().mockResolvedValue(undefined),
+            revokeByTenant: vi.fn().mockResolvedValue(undefined),
+        },
+    };
+}
+function buildApp(opts) {
+    const container = createTestContainer({
+        fleet: opts?.fleet !== undefined ? opts.fleet : makeFleet(),
+    });
+    const config = makeConfig(opts?.config);
+    return createProvisionWebhookRoutes(container, config);
+}
+async function request(app, method, path, body, headers) {
+    const init = {
+        method,
+        headers: {
+            "Content-Type": "application/json",
+            ...headers,
+        },
+    };
+    if (body !== undefined) {
+        init.body = JSON.stringify(body);
+    }
+    return app.request(path, init);
+}
+// ---------------------------------------------------------------------------
+// Tests
+// ---------------------------------------------------------------------------
+describe("createProvisionWebhookRoutes", () => {
+    // ---- Auth tests (apply to all endpoints) ----
+    it("returns 401 without authorization header", async () => {
+        const app = buildApp();
+        const res = await request(app, "POST", "/create", { tenantId: "t1", subdomain: "test" });
+        expect(res.status).toBe(401);
+        const json = await res.json();
+        expect(json.error).toBe("Unauthorized");
+    });
+    it("returns 401 with wrong secret", async () => {
+        const app = buildApp();
+        const res = await request(app, "POST", "/create", { tenantId: "t1", subdomain: "test" }, {
+            Authorization: "Bearer wrong-secret",
+        });
+        expect(res.status).toBe(401);
+        const json = await res.json();
+        expect(json.error).toBe("Unauthorized");
+    });
+    // ---- Fleet not configured ----
+    it("returns 501 when fleet not configured (container.fleet is null)", async () => {
+        const app = buildApp({ fleet: null });
+        const res = await request(app, "POST", "/create", { tenantId: "t1", subdomain: "test" }, {
+            Authorization: `Bearer ${SECRET}`,
+        });
+        expect(res.status).toBe(501);
+        const json = await res.json();
+        expect(json.error).toBe("Fleet management not configured");
+    });
+    it("returns 501 on destroy when fleet not configured", async () => {
+        const app = buildApp({ fleet: null });
+        const res = await request(app, "POST", "/destroy", { instanceId: "inst-001" }, {
+            Authorization: `Bearer ${SECRET}`,
+        });
+        expect(res.status).toBe(501);
+    });
+    it("returns 501 on budget when fleet not configured", async () => {
+        const app = buildApp({ fleet: null });
+        const res = await request(app, "PUT", "/budget", { instanceId: "inst-001", tenantEntityId: "te-1", budgetCents: 1000 }, { Authorization: `Bearer ${SECRET}` });
+        expect(res.status).toBe(501);
+    });
+    // ---- Create endpoint ----
+    it("handles create webhook with valid auth and payload", async () => {
+        const fleet = makeFleet();
+        const app = buildApp({ fleet });
+        const res = await request(app, "POST", "/create", { tenantId: "tenant-1", subdomain: "myapp" }, { Authorization: `Bearer ${SECRET}` });
+        expect(res.status).toBe(201);
+        const json = await res.json();
+        expect(json.ok).toBe(true);
+        expect(json.instanceId).toBe("inst-001");
+        expect(json.subdomain).toBe("myapp");
+        expect(json.containerUrl).toBe("http://test-myapp:3000");
+        // Verify fleet.create was called with generic env var names
+        expect(fleet.manager.create).toHaveBeenCalledTimes(1);
+        const createCall = fleet.manager.create.mock.calls[0][0];
+        expect(createCall.env.HOSTED_MODE).toBe("true");
+        expect(createCall.env.DEPLOYMENT_MODE).toBe("hosted_proxy");
+        expect(createCall.env.DEPLOYMENT_EXPOSURE).toBe("private");
+        expect(createCall.env.MIGRATION_AUTO_APPLY).toBe("true");
+        // Verify NO product-specific prefixes
+        expect(createCall.env.PAPERCLIP_HOSTED_MODE).toBeUndefined();
+        expect(createCall.env.PAPERCLIP_DEPLOYMENT_MODE).toBeUndefined();
+        // Verify proxy route was registered
+        expect(fleet.proxy.addRoute).toHaveBeenCalledTimes(1);
+    });
+    it("returns 422 on create when required fields are missing", async () => {
+        const app = buildApp();
+        const res = await request(app, "POST", "/create", { tenantId: "tenant-1" }, // missing subdomain
+        { Authorization: `Bearer ${SECRET}` });
+        expect(res.status).toBe(422);
+        const json = await res.json();
+        expect(json.error).toContain("Missing required fields");
+    });
+    // ---- Destroy endpoint ----
+    it("handles destroy webhook with valid auth and instanceId", async () => {
+        const fleet = makeFleet();
+        const app = buildApp({ fleet });
+        const res = await request(app, "POST", "/destroy", { instanceId: "inst-001" }, { Authorization: `Bearer ${SECRET}` });
+        expect(res.status).toBe(200);
+        const json = await res.json();
+        expect(json.ok).toBe(true);
+        expect(fleet.serviceKeyRepo.revokeByInstance).toHaveBeenCalledWith("inst-001");
+        expect(fleet.manager.remove).toHaveBeenCalledWith("inst-001");
+        expect(fleet.proxy.removeRoute).toHaveBeenCalledWith("inst-001");
+    });
+    it("returns 422 on destroy when instanceId is missing", async () => {
+        const app = buildApp();
+        const res = await request(app, "POST", "/destroy", {}, {
+            Authorization: `Bearer ${SECRET}`,
+        });
+        expect(res.status).toBe(422);
+        const json = await res.json();
+        expect(json.error).toContain("Missing required field");
+    });
+    // ---- Budget endpoint ----
+    it("handles budget webhook with valid auth and payload", async () => {
+        const fleet = makeFleet();
+        const app = buildApp({ fleet });
+        const res = await request(app, "PUT", "/budget", { instanceId: "inst-001", tenantEntityId: "te-1", budgetCents: 5000 }, { Authorization: `Bearer ${SECRET}` });
+        expect(res.status).toBe(200);
+        const json = await res.json();
+        expect(json.ok).toBe(true);
+        expect(json.budgetCents).toBe(5000);
+    });
+    it("returns 422 on budget when required fields are missing", async () => {
+        const app = buildApp();
+        const res = await request(app, "PUT", "/budget", { instanceId: "inst-001" }, // missing tenantEntityId, budgetCents
+        { Authorization: `Bearer ${SECRET}` });
+        expect(res.status).toBe(422);
+        const json = await res.json();
+        expect(json.error).toContain("Missing required fields");
+    });
+    // ---- Generic env var names ----
+    it("uses generic env var names with no PAPERCLIP_ prefix anywhere", async () => {
+        const fleet = makeFleet();
+        const app = buildApp({ fleet });
+        await request(app, "POST", "/create", { tenantId: "tenant-1", subdomain: "myapp" }, { Authorization: `Bearer ${SECRET}` });
+        const createCall = fleet.manager.create.mock.calls[0][0];
+        const envKeys = Object.keys(createCall.env);
+        for (const key of envKeys) {
+            expect(key).not.toMatch(/^PAPERCLIP_/);
+        }
+        // Verify expected generic names are present
+        expect(envKeys).toContain("HOSTED_MODE");
+        expect(envKeys).toContain("DEPLOYMENT_MODE");
+        expect(envKeys).toContain("DEPLOYMENT_EXPOSURE");
+        expect(envKeys).toContain("MIGRATION_AUTO_APPLY");
+        expect(envKeys).toContain("PROVISION_SECRET");
+    });
+});

package/dist/server/routes/__tests__/stripe-webhook.test.d.ts

@@ -0,0 +1 @@
+export {};

package/dist/server/routes/__tests__/stripe-webhook.test.js

@@ -0,0 +1,65 @@
+import { Hono } from "hono";
+import { describe, expect, it, vi } from "vitest";
+import { createTestContainer } from "../../test-container.js";
+import { createStripeWebhookRoutes } from "../stripe-webhook.js";
+function makeApp(stripeOverride) {
+    const container = createTestContainer(stripeOverride !== undefined ? { stripe: stripeOverride } : {});
+    const app = new Hono();
+    app.route("/api/webhooks/stripe", createStripeWebhookRoutes(container));
+    return app;
+}
+describe("stripe webhook route", () => {
+    it("returns 501 when stripe not configured", async () => {
+        const app = makeApp(null);
+        const res = await app.request("/api/webhooks/stripe", { method: "POST" });
+        expect(res.status).toBe(501);
+    });
+    it("returns 400 when stripe-signature header missing", async () => {
+        const app = makeApp({
+            stripe: {},
+            webhookSecret: "whsec_test",
+            customerRepo: {},
+            processor: { handleWebhook: vi.fn() },
+        });
+        const res = await app.request("/api/webhooks/stripe", {
+            method: "POST",
+            body: "{}",
+        });
+        expect(res.status).toBe(400);
+        const body = await res.json();
+        expect(body.error).toBe("Missing stripe-signature header");
+    });
+    it("returns 200 on valid webhook", async () => {
+        const handleWebhook = vi.fn().mockResolvedValue({ handled: true, event_type: "checkout.session.completed" });
+        const app = makeApp({
+            stripe: {},
+            webhookSecret: "whsec_test",
+            customerRepo: {},
+            processor: { handleWebhook },
+        });
+        const res = await app.request("/api/webhooks/stripe", {
+            method: "POST",
+            headers: { "stripe-signature": "t=123,v1=abc" },
+            body: '{"type":"checkout.session.completed"}',
+        });
+        expect(res.status).toBe(200);
+        expect(handleWebhook).toHaveBeenCalledOnce();
+    });
+    it("returns 400 when processor throws (bad signature)", async () => {
+        const handleWebhook = vi.fn().mockRejectedValue(new Error("Signature verification failed"));
+        const app = makeApp({
+            stripe: {},
+            webhookSecret: "whsec_test",
+            customerRepo: {},
+            processor: { handleWebhook },
+        });
+        const res = await app.request("/api/webhooks/stripe", {
+            method: "POST",
+            headers: { "stripe-signature": "t=123,v1=bad" },
+            body: "invalid",
+        });
+        expect(res.status).toBe(400);
+        const body = await res.json();
+        expect(body.error).toBe("Webhook processing failed");
+    });
+});

package/dist/server/routes/admin.d.ts

@@ -0,0 +1,129 @@
+/**
+ * Admin tRPC router factory — platform-wide settings for the operator.
+ *
+ * All endpoints require platform_admin role (via adminProcedure).
+ * Dependencies are injected via PlatformContainer rather than module-level
+ * singletons, enabling clean testing and per-product composition.
+ */
+import type { PlatformContainer } from "../container.js";
+type CachedModel = {
+    id: string;
+    name: string;
+    contextLength: number;
+    promptPrice: string;
+    completionPrice: string;
+};
+/**
+ * Synchronous model resolver for the gateway proxy.
+ * Returns the cached DB value, or null to fall back to env var.
+ * The cache is refreshed asynchronously every 5 seconds.
+ */
+export declare function resolveGatewayModel(): string | null;
+/** Seed the cache on startup so the first request doesn't miss. */
+export declare function warmModelCache(container: PlatformContainer): Promise<void>;
+export interface AdminRouterConfig {
+    openRouterApiKey?: string;
+}
+export declare function createAdminRouter(container: PlatformContainer, config?: AdminRouterConfig): import("@trpc/server").TRPCBuiltRouter<{
+    ctx: import("../../trpc/init.js").TRPCContext;
+    meta: object;
+    errorShape: import("@trpc/server").TRPCDefaultErrorShape;
+    transformer: false;
+}, import("@trpc/server").TRPCDecorateCreateRouterOptions<{
+    /** Get the current gateway model setting. */
+    getGatewayModel: import("@trpc/server").TRPCQueryProcedure<{
+        input: void;
+        output: {
+            model: string;
+            updatedAt: string;
+        };
+        meta: object;
+    }>;
+    /** Set the gateway model. Takes effect within 5 seconds. */
+    setGatewayModel: import("@trpc/server").TRPCMutationProcedure<{
+        input: {
+            model: string;
+        };
+        output: {
+            ok: boolean;
+            model: string;
+        };
+        meta: object;
+    }>;
+    /** List available OpenRouter models for the gateway model dropdown. */
+    listAvailableModels: import("@trpc/server").TRPCQueryProcedure<{
+        input: void;
+        output: {
+            models: CachedModel[];
+        };
+        meta: object;
+    }>;
+    /** List ALL instances across all tenants with health status. */
+    listAllInstances: import("@trpc/server").TRPCQueryProcedure<{
+        input: void;
+        output: {
+            instances: never[];
+            error: string;
+        } | {
+            instances: {
+                id: string;
+                name: string;
+                tenantId: string;
+                image: string;
+                state: "paused" | "error" | "running" | "stopped" | "pulling" | "created" | "restarting" | "exited" | "dead";
+                health: string | null;
+                uptime: string | null;
+                containerId: string | null;
+                startedAt: string | null;
+            }[];
+            error?: undefined;
+        };
+        meta: object;
+    }>;
+    /** List all organizations with member counts and instance counts. */
+    listAllOrgs: import("@trpc/server").TRPCQueryProcedure<{
+        input: void;
+        output: {
+            orgs: {
+                id: string;
+                name: string;
+                slug: string | null;
+                createdAt: string;
+                memberCount: number;
+                instanceCount: number;
+                balanceCents: number;
+            }[];
+        };
+        meta: object;
+    }>;
+    /** Get platform billing summary: total credits, active service keys, payment method count. */
+    billingOverview: import("@trpc/server").TRPCQueryProcedure<{
+        input: void;
+        output: {
+            totalBalanceCents: number;
+            activeKeyCount: number;
+            paymentMethodCount: number;
+            orgCount: number;
+        };
+        meta: object;
+    }>;
+    getPoolConfig: import("@trpc/server").TRPCQueryProcedure<{
+        input: void;
+        output: {
+            enabled: boolean;
+            poolSize: number;
+            warmCount: number;
+        };
+        meta: object;
+    }>;
+    setPoolSize: import("@trpc/server").TRPCMutationProcedure<{
+        input: {
+            size: number;
+        };
+        output: {
+            poolSize: number;
+        };
+        meta: object;
+    }>;
+}>>;
+export {};