agent-relay 1.2.3 → 1.3.1

package/dist/cloud/api/admin.js

@@ -0,0 +1,212 @@
+/**
+ * Admin API Routes
+ *
+ * Administrative endpoints for managing workspaces at scale.
+ * Protected by admin secret (ADMIN_API_SECRET environment variable).
+ */
+import { Router } from 'express';
+import { getConfig } from '../config.js';
+import { getProvisioner, WorkspaceProvisioner } from '../provisioner/index.js';
+export const adminRouter = Router();
+/**
+ * Middleware to authenticate admin requests
+ * Requires ADMIN_API_SECRET header to match environment variable
+ */
+async function requireAdminAuth(req, res, next) {
+    const authHeader = req.headers['x-admin-secret'] || req.headers.authorization;
+    const adminSecret = process.env.ADMIN_API_SECRET;
+    if (!adminSecret) {
+        res.status(503).json({ error: 'Admin API not configured' });
+        return;
+    }
+    // Support both x-admin-secret header and Bearer token
+    const providedSecret = authHeader?.toString().replace('Bearer ', '');
+    if (!providedSecret || providedSecret !== adminSecret) {
+        res.status(401).json({ error: 'Invalid admin credentials' });
+        return;
+    }
+    next();
+}
+// Apply admin auth to all routes
+adminRouter.use(requireAdminAuth);
+/**
+ * POST /api/admin/workspaces/update-image
+ *
+ * Gracefully update workspace images across all or specific workspaces.
+ *
+ * Request body:
+ * - image: New Docker image to deploy (required)
+ * - workspaceIds?: Array of specific workspace IDs to update
+ * - userIds?: Array of user IDs whose workspaces to update
+ * - force?: Force update even if agents are active (default: false)
+ * - skipRestart?: Update config without restarting (default: false)
+ * - batchSize?: Number of concurrent updates (default: 5)
+ *
+ * Response:
+ * - summary: { total, updated, pendingRestart, skippedActiveAgents, skippedNotRunning, errors }
+ * - results: Array of per-workspace results
+ */
+adminRouter.post('/workspaces/update-image', async (req, res) => {
+    const { image, workspaceIds, userIds, force = false, skipRestart = false, batchSize = 5, } = req.body;
+    if (!image) {
+        res.status(400).json({ error: 'image is required' });
+        return;
+    }
+    console.log(`[admin] Starting workspace image update to ${image}`, {
+        workspaceIds: workspaceIds?.length ?? 'all',
+        userIds: userIds?.length ?? 'all',
+        force,
+        skipRestart,
+        batchSize,
+    });
+    try {
+        const provisioner = getProvisioner();
+        const result = await provisioner.gracefulUpdateAllImages(image, {
+            workspaceIds,
+            userIds,
+            force,
+            skipRestart,
+            batchSize,
+        });
+        res.json(result);
+    }
+    catch (error) {
+        console.error('[admin] Error updating workspace images:', error);
+        res.status(500).json({
+            error: 'Failed to update workspace images',
+            details: error.message,
+        });
+    }
+});
+/**
+ * POST /api/admin/workspaces/:id/update-image
+ *
+ * Gracefully update a single workspace's image.
+ *
+ * Request body:
+ * - image: New Docker image to deploy (required)
+ * - force?: Force update even if agents are active (default: false)
+ * - skipRestart?: Update config without restarting (default: false)
+ *
+ * Response:
+ * - result: Update result code
+ * - workspaceId: Workspace ID
+ * - machineState?: Current machine state
+ * - agentCount?: Number of active agents (if applicable)
+ * - error?: Error message (if applicable)
+ */
+adminRouter.post('/workspaces/:id/update-image', async (req, res) => {
+    const { id } = req.params;
+    const { image, force = false, skipRestart = false, } = req.body;
+    if (!image) {
+        res.status(400).json({ error: 'image is required' });
+        return;
+    }
+    console.log(`[admin] Updating workspace ${id} image to ${image}`, { force, skipRestart });
+    try {
+        const provisioner = getProvisioner();
+        const result = await provisioner.gracefulUpdateImage(id, image, {
+            force,
+            skipRestart,
+        });
+        // Return appropriate status code based on result
+        if (result.result === WorkspaceProvisioner.UpdateResult.ERROR) {
+            res.status(500).json(result);
+        }
+        else if (result.result === WorkspaceProvisioner.UpdateResult.NOT_SUPPORTED) {
+            res.status(400).json(result);
+        }
+        else {
+            res.json(result);
+        }
+    }
+    catch (error) {
+        console.error(`[admin] Error updating workspace ${id}:`, error);
+        res.status(500).json({
+            error: 'Failed to update workspace image',
+            details: error.message,
+        });
+    }
+});
+/**
+ * GET /api/admin/workspaces/:id/agents
+ *
+ * Check active agents in a workspace.
+ * Useful for pre-flight checks before updates.
+ *
+ * Response:
+ * - hasActiveAgents: boolean
+ * - agentCount: number
+ * - agents: Array of { name, status }
+ */
+adminRouter.get('/workspaces/:id/agents', async (req, res) => {
+    const { id } = req.params;
+    try {
+        // Query workspace directly from DB and check agents via daemon API
+        const workspace = await (await import('../db/index.js')).db.workspaces.findById(id);
+        if (!workspace) {
+            res.status(404).json({ error: 'Workspace not found' });
+            return;
+        }
+        if (workspace.computeProvider !== 'fly') {
+            res.status(400).json({ error: 'Only Fly.io workspaces support agent checking' });
+            return;
+        }
+        // Query the workspace daemon directly
+        const baseUrl = workspace.publicUrl;
+        if (!baseUrl) {
+            res.json({ hasActiveAgents: false, agentCount: 0, agents: [] });
+            return;
+        }
+        try {
+            const response = await fetch(`${baseUrl}/api/agents`, {
+                method: 'GET',
+                headers: { 'Accept': 'application/json' },
+                signal: AbortSignal.timeout(10_000),
+            });
+            if (!response.ok) {
+                res.json({ hasActiveAgents: false, agentCount: 0, agents: [], error: `Daemon returned ${response.status}` });
+                return;
+            }
+            const data = await response.json();
+            const agents = data.agents || [];
+            const activeAgents = agents.filter(a => a.status === 'running' || a.activityState === 'active' || a.activityState === 'idle');
+            res.json({
+                hasActiveAgents: activeAgents.length > 0,
+                agentCount: activeAgents.length,
+                agents: agents.map(a => ({ name: a.name, status: a.status || a.activityState || 'unknown' })),
+            });
+        }
+        catch (error) {
+            // Workspace might be stopped
+            res.json({
+                hasActiveAgents: false,
+                agentCount: 0,
+                agents: [],
+                error: `Could not reach workspace: ${error.message}`,
+            });
+        }
+    }
+    catch (error) {
+        console.error(`[admin] Error checking agents for workspace ${id}:`, error);
+        res.status(500).json({
+            error: 'Failed to check workspace agents',
+            details: error.message,
+        });
+    }
+});
+/**
+ * GET /api/admin/health
+ *
+ * Health check for admin API.
+ */
+adminRouter.get('/health', (_req, res) => {
+    res.json({
+        status: 'ok',
+        timestamp: new Date().toISOString(),
+        config: {
+            computeProvider: getConfig().compute.provider,
+        },
+    });
+});
+//# sourceMappingURL=admin.js.map

package/dist/cloud/api/auth.js

@@ -105,6 +105,13 @@ authRouter.get('/session', async (req, res) => {
                 message: 'User account not found. Please log in again.',
             });
         }
+        // Get connected providers
+        const credentials = await db.credentials.findByUserId(user.id);
+        const connectedProviders = credentials.map((c) => ({
+            provider: c.provider,
+            email: c.providerAccountEmail,
+            connectedAt: c.createdAt,
+        }));
         res.json({
             authenticated: true,
             user: {
@@ -114,6 +121,7 @@ authRouter.get('/session', async (req, res) => {
                 avatarUrl: user.avatarUrl,
                 plan: user.plan,
             },
+            connectedProviders,
         });
     }
     catch (error) {

package/dist/cloud/api/billing.d.ts

@@ -3,15 +3,5 @@
  *
  * REST API for subscription and billing management.
  */
-declare module 'express-session' {
-    interface SessionData {
-        user?: {
-            id: string;
-            email: string;
-            name?: string;
-            stripeCustomerId?: string;
-        };
-    }
-}
 export declare const billingRouter: import("express-serve-static-core").Router;
 //# sourceMappingURL=billing.d.ts.map

package/dist/cloud/api/billing.js

@@ -5,25 +5,121 @@
  */
 import { Router } from 'express';
 import { getBillingService, getAllPlans, getPlan, comparePlans } from '../billing/index.js';
-import { getConfig } from '../config.js';
+import { getConfig, isAdminUser } from '../config.js';
 import { db } from '../db/index.js';
+import { requireAuth } from './auth.js';
+import { getProvisioner, RESOURCE_TIERS } from '../provisioner/index.js';
+import { getResourceTierForPlan } from '../services/planLimits.js';
 export const billingRouter = Router();
 /**
- * Middleware to require authentication
+ * Get the count of connected agents in a running workspace
+ * Returns 0 if workspace is not reachable or has no agents
  */
-function requireAuth(req, res, next) {
-    if (!req.session?.user) {
-        res.status(401).json({ error: 'Authentication required' });
-        return;
+async function getWorkspaceAgentCount(publicUrl) {
+    try {
+        const controller = new AbortController();
+        const timeout = setTimeout(() => controller.abort(), 5000);
+        const response = await fetch(`${publicUrl}/agents`, {
+            signal: controller.signal,
+        });
+        clearTimeout(timeout);
+        if (!response.ok)
+            return 0;
+        const data = await response.json();
+        return data.agents?.length ?? 0;
+    }
+    catch {
+        // Workspace not reachable or error - assume no agents
+        return 0;
+    }
+}
+/**
+ * Resize user's workspaces to match their new plan tier
+ * Called after plan upgrade/downgrade to adjust compute resources
+ *
+ * Strategy:
+ * - Stopped workspaces: Resize immediately (no disruption)
+ * - Running workspaces with no agents: Resize immediately (safe to restart)
+ * - Running workspaces with agents: Save config for next restart (no agent disruption)
+ *
+ * Returns info about which workspaces were deferred so we can inform the user.
+ */
+async function resizeWorkspacesForPlan(userId, newPlan) {
+    const result = { resized: 0, deferred: [], failed: 0 };
+    try {
+        const workspaces = await db.workspaces.findByUserId(userId);
+        if (workspaces.length === 0)
+            return result;
+        const provisioner = getProvisioner();
+        const targetTierName = getResourceTierForPlan(newPlan);
+        const targetTier = RESOURCE_TIERS[targetTierName];
+        console.log(`[billing] Upgrading ${workspaces.length} workspace(s) for user ${userId.substring(0, 8)} to ${targetTierName}`);
+        for (const workspace of workspaces) {
+            if (workspace.status !== 'running' && workspace.status !== 'stopped') {
+                console.log(`[billing] Skipping workspace ${workspace.id.substring(0, 8)} (status: ${workspace.status})`);
+                continue;
+            }
+            try {
+                let skipRestart = false;
+                let agentCount = 0;
+                // For running workspaces: check if there are active agents
+                if (workspace.status === 'running' && workspace.publicUrl) {
+                    agentCount = await getWorkspaceAgentCount(workspace.publicUrl);
+                    if (agentCount > 0) {
+                        // Has active agents - don't disrupt them
+                        skipRestart = true;
+                        console.log(`[billing] Workspace ${workspace.id.substring(0, 8)} has ${agentCount} active agent(s), deferring resize`);
+                    }
+                    else {
+                        // No active agents - safe to restart immediately
+                        console.log(`[billing] Workspace ${workspace.id.substring(0, 8)} has no active agents, proceeding with immediate resize`);
+                    }
+                }
+                await provisioner.resize(workspace.id, targetTier, skipRestart);
+                if (skipRestart) {
+                    console.log(`[billing] Queued resize for workspace ${workspace.id.substring(0, 8)} to ${targetTierName} (will apply on next restart)`);
+                    result.deferred.push({
+                        workspaceId: workspace.id,
+                        workspaceName: workspace.name,
+                        agentCount,
+                    });
+                }
+                else {
+                    console.log(`[billing] Resized workspace ${workspace.id.substring(0, 8)} to ${targetTierName}`);
+                    result.resized++;
+                }
+            }
+            catch (error) {
+                console.error(`[billing] Failed to resize workspace ${workspace.id}:`, error);
+                result.failed++;
+                // Continue with other workspaces even if one fails
+            }
+        }
     }
-    next();
+    catch (error) {
+        console.error('[billing] Failed to resize workspaces:', error);
+    }
+    return result;
 }
 /**
  * GET /api/billing/plans
  * Get all available billing plans
  */
 billingRouter.get('/plans', (req, res) => {
-    const plans = getAllPlans();
+    const rawPlans = getAllPlans();
+    // Transform plans to frontend format
+    const plans = rawPlans.map((plan) => ({
+        tier: plan.id,
+        name: plan.name,
+        description: plan.description,
+        price: {
+            monthly: plan.priceMonthly / 100, // Convert cents to dollars
+            yearly: plan.priceYearly / 100,
+        },
+        features: plan.features,
+        limits: plan.limits,
+        recommended: plan.id === 'pro',
+    }));
     // Add publishable key for frontend
     const config = getConfig();
     res.json({
@@ -68,15 +164,38 @@ billingRouter.get('/compare', (req, res) => {
  * Get current user's subscription status
  */
 billingRouter.get('/subscription', requireAuth, async (req, res) => {
-    const user = req.session.user;
-    const billing = getBillingService();
+    const userId = req.session.userId;
     try {
+        // Fetch user from database
+        const user = await db.users.findById(userId);
+        if (!user) {
+            return res.status(404).json({ error: 'User not found' });
+        }
+        // Admin users have special status - show their current plan without Stripe
+        if (isAdminUser(user.githubUsername)) {
+            return res.json({
+                tier: user.plan || 'enterprise',
+                subscription: null,
+                customer: null,
+                isAdmin: true,
+            });
+        }
+        // If user doesn't have a Stripe customer ID, use the database plan value
+        // This handles manually-set plans and prevents hanging on Stripe API calls
+        if (!user.stripeCustomerId) {
+            return res.json({
+                tier: user.plan || 'free',
+                subscription: null,
+                customer: null,
+            });
+        }
+        const billing = getBillingService();
         // Get or create Stripe customer
         const customerId = user.stripeCustomerId ||
-            await billing.getOrCreateCustomer(user.id, user.email, user.name);
-        // Save customer ID to session if newly created
+            await billing.getOrCreateCustomer(user.id, user.email || '', user.githubUsername);
+        // Save customer ID to database if newly created
         if (!user.stripeCustomerId) {
-            req.session.user.stripeCustomerId = customerId;
+            await db.users.update(userId, { stripeCustomerId: customerId });
         }
         // Get customer details
         const customer = await billing.getCustomer(customerId);
@@ -88,8 +207,11 @@ billingRouter.get('/subscription', requireAuth, async (req, res) => {
             });
             return;
         }
+        // Use Stripe subscription tier if active, otherwise fall back to database plan value
+        // This allows manual plan overrides in the database to take effect
+        const tier = customer.subscription?.tier || user.plan || 'free';
         res.json({
-            tier: customer.subscription?.tier || 'free',
+            tier,
             subscription: customer.subscription,
             customer: {
                 id: customer.id,
@@ -110,7 +232,7 @@ billingRouter.get('/subscription', requireAuth, async (req, res) => {
  * Create a checkout session for subscription
  */
 billingRouter.post('/checkout', requireAuth, async (req, res) => {
-    const user = req.session.user;
+    const userId = req.session.userId;
     const { tier, interval = 'month' } = req.body;
     if (!tier || !['pro', 'team', 'enterprise'].includes(tier)) {
         res.status(400).json({ error: 'Invalid tier' });
@@ -120,18 +242,44 @@ billingRouter.post('/checkout', requireAuth, async (req, res) => {
         res.status(400).json({ error: 'Invalid billing interval' });
         return;
     }
-    const billing = getBillingService();
     const config = getConfig();
     try {
+        // Fetch user from database
+        const user = await db.users.findById(userId);
+        if (!user) {
+            return res.status(404).json({ error: 'User not found' });
+        }
+        // Admin users get free upgrades - skip Stripe entirely
+        if (isAdminUser(user.githubUsername)) {
+            // Update user plan directly
+            await db.users.update(userId, { plan: tier });
+            console.log(`[billing] Admin user ${user.githubUsername} upgraded to ${tier} (free)`);
+            // Resize workspaces to match new plan (wait for result to inform user)
+            const resizeResult = await resizeWorkspacesForPlan(userId, tier);
+            // Build success URL with deferred workspace info if any
+            let successUrl = `${config.appUrl}/billing/success?admin=true`;
+            if (resizeResult.deferred.length > 0) {
+                // Encode deferred workspaces info for the frontend to display
+                const deferredInfo = encodeURIComponent(JSON.stringify(resizeResult.deferred));
+                successUrl += `&deferred=${deferredInfo}`;
+            }
+            // Return a fake session that redirects to success
+            return res.json({
+                sessionId: 'admin-upgrade',
+                checkoutUrl: successUrl,
+                resizeResult, // Also include in response for API consumers
+            });
+        }
+        const billing = getBillingService();
         // Get or create customer
         const customerId = user.stripeCustomerId ||
-            await billing.getOrCreateCustomer(user.id, user.email, user.name);
-        // Save customer ID to session
+            await billing.getOrCreateCustomer(user.id, user.email || '', user.githubUsername);
+        // Save customer ID to database
         if (!user.stripeCustomerId) {
-            req.session.user.stripeCustomerId = customerId;
+            await db.users.update(userId, { stripeCustomerId: customerId });
         }
         // Create checkout session
-        const session = await billing.createCheckoutSession(customerId, tier, interval, `${config.publicUrl}/billing/success?session_id={CHECKOUT_SESSION_ID}`, `${config.publicUrl}/billing/canceled`);
+        const session = await billing.createCheckoutSession(customerId, tier, interval, `${config.appUrl}/billing/success?session_id={CHECKOUT_SESSION_ID}`, `${config.appUrl}/billing/canceled`);
         res.json(session);
     }
     catch (error) {
@@ -144,15 +292,19 @@ billingRouter.post('/checkout', requireAuth, async (req, res) => {
  * Create a billing portal session for managing subscription
  */
 billingRouter.post('/portal', requireAuth, async (req, res) => {
-    const user = req.session.user;
-    if (!user.stripeCustomerId) {
-        res.status(400).json({ error: 'No billing account found' });
-        return;
-    }
-    const billing = getBillingService();
-    const config = getConfig();
+    const userId = req.session.userId;
     try {
-        const session = await billing.createPortalSession(user.stripeCustomerId, `${config.publicUrl}/billing`);
+        const user = await db.users.findById(userId);
+        if (!user) {
+            return res.status(404).json({ error: 'User not found' });
+        }
+        if (!user.stripeCustomerId) {
+            res.status(400).json({ error: 'No billing account found' });
+            return;
+        }
+        const billing = getBillingService();
+        const config = getConfig();
+        const session = await billing.createPortalSession(user.stripeCustomerId, `${config.appUrl}/billing`);
         res.json(session);
     }
     catch (error) {
@@ -165,18 +317,22 @@ billingRouter.post('/portal', requireAuth, async (req, res) => {
  * Change subscription tier
  */
 billingRouter.post('/change', requireAuth, async (req, res) => {
-    const user = req.session.user;
+    const userId = req.session.userId;
     const { tier, interval = 'month' } = req.body;
     if (!tier || !['free', 'pro', 'team', 'enterprise'].includes(tier)) {
         res.status(400).json({ error: 'Invalid tier' });
         return;
     }
-    if (!user.stripeCustomerId) {
-        res.status(400).json({ error: 'No billing account found' });
-        return;
-    }
-    const billing = getBillingService();
     try {
+        const user = await db.users.findById(userId);
+        if (!user) {
+            return res.status(404).json({ error: 'User not found' });
+        }
+        if (!user.stripeCustomerId) {
+            res.status(400).json({ error: 'No billing account found' });
+            return;
+        }
+        const billing = getBillingService();
         // Get current subscription
         const customer = await billing.getCustomer(user.stripeCustomerId);
         if (!customer?.subscription) {
@@ -203,13 +359,17 @@ billingRouter.post('/change', requireAuth, async (req, res) => {
  * Cancel subscription at period end
  */
 billingRouter.post('/cancel', requireAuth, async (req, res) => {
-    const user = req.session.user;
-    if (!user.stripeCustomerId) {
-        res.status(400).json({ error: 'No billing account found' });
-        return;
-    }
-    const billing = getBillingService();
+    const userId = req.session.userId;
     try {
+        const user = await db.users.findById(userId);
+        if (!user) {
+            return res.status(404).json({ error: 'User not found' });
+        }
+        if (!user.stripeCustomerId) {
+            res.status(400).json({ error: 'No billing account found' });
+            return;
+        }
+        const billing = getBillingService();
         const customer = await billing.getCustomer(user.stripeCustomerId);
         if (!customer?.subscription) {
             res.status(400).json({ error: 'No active subscription' });
@@ -231,13 +391,17 @@ billingRouter.post('/cancel', requireAuth, async (req, res) => {
  * Resume a canceled subscription
  */
 billingRouter.post('/resume', requireAuth, async (req, res) => {
-    const user = req.session.user;
-    if (!user.stripeCustomerId) {
-        res.status(400).json({ error: 'No billing account found' });
-        return;
-    }
-    const billing = getBillingService();
+    const userId = req.session.userId;
     try {
+        const user = await db.users.findById(userId);
+        if (!user) {
+            return res.status(404).json({ error: 'User not found' });
+        }
+        if (!user.stripeCustomerId) {
+            res.status(400).json({ error: 'No billing account found' });
+            return;
+        }
+        const billing = getBillingService();
         const customer = await billing.getCustomer(user.stripeCustomerId);
         if (!customer?.subscription) {
             res.status(400).json({ error: 'No subscription to resume' });
@@ -260,13 +424,17 @@ billingRouter.post('/resume', requireAuth, async (req, res) => {
  * Get user's invoices
  */
 billingRouter.get('/invoices', requireAuth, async (req, res) => {
-    const user = req.session.user;
-    if (!user.stripeCustomerId) {
-        res.json({ invoices: [] });
-        return;
-    }
-    const billing = getBillingService();
+    const userId = req.session.userId;
     try {
+        const user = await db.users.findById(userId);
+        if (!user) {
+            return res.status(404).json({ error: 'User not found' });
+        }
+        // No Stripe customer = no invoices, skip Stripe call entirely
+        if (!user.stripeCustomerId) {
+            return res.json({ invoices: [] });
+        }
+        const billing = getBillingService();
         const customer = await billing.getCustomer(user.stripeCustomerId);
         res.json({ invoices: customer?.invoices || [] });
     }
@@ -280,13 +448,17 @@ billingRouter.get('/invoices', requireAuth, async (req, res) => {
  * Get upcoming invoice preview
  */
 billingRouter.get('/upcoming', requireAuth, async (req, res) => {
-    const user = req.session.user;
-    if (!user.stripeCustomerId) {
-        res.json({ invoice: null });
-        return;
-    }
-    const billing = getBillingService();
+    const userId = req.session.userId;
     try {
+        const user = await db.users.findById(userId);
+        if (!user) {
+            return res.status(404).json({ error: 'User not found' });
+        }
+        if (!user.stripeCustomerId) {
+            res.json({ invoice: null });
+            return;
+        }
+        const billing = getBillingService();
         const invoice = await billing.getUpcomingInvoice(user.stripeCustomerId);
         res.json({ invoice });
     }
@@ -345,6 +517,20 @@ billingRouter.post('/webhook',
                     // Update user's plan in database
                     await db.users.update(billingEvent.userId, { plan: tier });
                     console.log(`Updated user ${billingEvent.userId} plan to: ${tier}`);
+                    // Resize workspaces to match new plan (async, don't block webhook)
+                    resizeWorkspacesForPlan(billingEvent.userId, tier).then((result) => {
+                        if (result.deferred.length > 0) {
+                            console.log(`[billing] User ${billingEvent.userId} upgrade: ${result.resized} resized, ${result.deferred.length} deferred (have active agents)`);
+                            result.deferred.forEach((d) => {
+                                console.log(`[billing]   - "${d.workspaceName}" has ${d.agentCount} agent(s), will resize on next restart`);
+                            });
+                        }
+                        else {
+                            console.log(`[billing] User ${billingEvent.userId} upgrade: all ${result.resized} workspace(s) resized immediately`);
+                        }
+                    }).catch((err) => {
+                        console.error(`Failed to resize workspaces for user ${billingEvent.userId}:`, err);
+                    });
                 }
                 else {
                     console.warn('Subscription event received without userId:', billingEvent.id);
@@ -356,6 +542,10 @@ billingRouter.post('/webhook',
                 if (billingEvent.userId) {
                     await db.users.update(billingEvent.userId, { plan: 'free' });
                     console.log(`User ${billingEvent.userId} subscription canceled, reset to free plan`);
+                    // Resize workspaces down to free tier (async)
+                    resizeWorkspacesForPlan(billingEvent.userId, 'free').catch((err) => {
+                        console.error(`Failed to resize workspaces for user ${billingEvent.userId}:`, err);
+                    });
                 }
                 break;
             }