availsync 0.1.0

package/src/routes/billing.ts

@@ -0,0 +1,406 @@
+import express from 'express';
+import Stripe from 'stripe';
+import { z } from 'zod';
+import pool from '../db/client';
+import { requireWorkspaceSession, type WorkspaceAuthenticatedRequest } from '../middleware/auth';
+import { log } from '../lib/logger';
+import { billingUpgradesEnabled } from '../lib/billingConfig';
+import { requestIdFrom } from '../middleware/requestId';
+import {
+  PLAN_CONFIG,
+  applyPlanToOrg,
+  getPlanConfig,
+  getPlanUsage,
+  paidPlanIds,
+  parsePlan,
+  serializableLimits,
+  upgradeReasons,
+  type PlanId,
+} from '../lib/plans';
+
+const router = express.Router();
+
+const PaidPlanSchema = z.enum(paidPlanIds() as ['individual', 'team']);
+const AnyPlanSchema = z.enum(['free', 'individual', 'team']);
+
+type StripeMetadata = Record<string, string> | null | undefined;
+type StripeEvent = {
+  id?: string;
+  type: string;
+  data: {
+    object: {
+      id?: string;
+      customer?: string;
+      subscription?: string;
+      customer_email?: string;
+      customer_details?: { email?: string | null } | null;
+      metadata?: StripeMetadata;
+      status?: string;
+      current_period_start?: number;
+      current_period_end?: number;
+      cancel_at_period_end?: boolean;
+    };
+  };
+};
+
+const CheckoutSchema = z.object({
+  plan: PaidPlanSchema,
+  org_id: z.string().uuid().optional(),
+  email: z.string().email().optional(),
+});
+
+function getStripe(secret: string) {
+  return new Stripe(secret);
+}
+
+function parsePlanMetadata(metadata: StripeMetadata) {
+  const orgId = metadata?.org_id;
+  const planResult = AnyPlanSchema.safeParse(metadata?.plan);
+  if (!orgId || !planResult.success) {
+    return null;
+  }
+  return { orgId, plan: planResult.data };
+}
+
+function stripeTimestamp(value: number | undefined) {
+  return typeof value === 'number' ? new Date(value * 1000) : null;
+}
+
+async function updateSubscriptionState(input: {
+  org_id: string;
+  plan: PlanId;
+  subscription_status: string;
+  stripe_customer_id?: string | null;
+  stripe_subscription_id?: string | null;
+  current_period_start?: Date | null;
+  current_period_end?: Date | null;
+  cancel_at_period_end?: boolean;
+  billing_email?: string | null;
+}) {
+  await applyPlanToOrg(pool, input.org_id, input.plan);
+  await pool.query(
+    `UPDATE orgs
+     SET subscription_status = $1,
+         stripe_customer_id = COALESCE($2, stripe_customer_id),
+         stripe_subscription_id = COALESCE($3, stripe_subscription_id),
+         current_period_start = COALESCE($4, current_period_start),
+         current_period_end = COALESCE($5, current_period_end),
+         cancel_at_period_end = $6,
+         billing_email = COALESCE($7, billing_email)
+     WHERE id = $8`,
+    [
+      input.subscription_status,
+      input.stripe_customer_id ?? null,
+      input.stripe_subscription_id ?? null,
+      input.current_period_start ?? null,
+      input.current_period_end ?? null,
+      input.cancel_at_period_end ?? false,
+      input.billing_email ?? null,
+      input.org_id,
+    ],
+  );
+}
+
+// POST /v1/billing/checkout (auth required)
+router.post('/billing/checkout', requireWorkspaceSession, async (req, res) => {
+  const parsed = CheckoutSchema.safeParse(req.body);
+  if (!parsed.success) {
+    return res.status(422).json({ error: 'validation_error', details: parsed.error.flatten() });
+  }
+
+  const authReq = req as WorkspaceAuthenticatedRequest;
+  const orgId = parsed.data.org_id || authReq.org.id;
+  if (orgId !== authReq.org.id) {
+    return res.status(403).json({ error: 'forbidden', message: 'Organization is outside your workspace' });
+  }
+
+  if (!billingUpgradesEnabled()) {
+    return res.status(403).json({
+      error: 'billing_upgrades_disabled',
+      message: 'Paid upgrades are currently waitlist-only.',
+      waitlist_url: '/pricing#waitlist',
+    });
+  }
+
+  const secret = process.env.STRIPE_SECRET_KEY;
+  const appUrl = process.env.APP_URL || process.env.FRONTEND_URL || 'http://localhost:3001';
+  const priceEnv = PLAN_CONFIG[parsed.data.plan].stripe_price_env;
+  const price = priceEnv ? process.env[priceEnv] : undefined;
+
+  if (!secret || !price) {
+    return res.status(501).json({
+      error: 'billing_not_configured',
+      message: 'Stripe is not configured for this environment',
+    });
+  }
+
+  try {
+    const stripe = getStripe(secret);
+
+    // Look up or create Stripe customer
+    const orgResult = await pool.query('SELECT id, stripe_customer_id FROM orgs WHERE id = $1', [orgId]);
+    if (orgResult.rows.length === 0) {
+      return res.status(404).json({ error: 'org_not_found', message: 'Organization not found' });
+    }
+
+    let stripeCustomerId = orgResult.rows[0].stripe_customer_id;
+    if (!stripeCustomerId) {
+      const customer = await stripe.customers.create({
+        email: parsed.data.email,
+        metadata: { org_id: orgId },
+      });
+      stripeCustomerId = customer.id;
+      await pool.query('UPDATE orgs SET stripe_customer_id = $1 WHERE id = $2', [stripeCustomerId, orgId]);
+    }
+
+    const metadata = { org_id: orgId, plan: parsed.data.plan };
+    const session = await stripe.checkout.sessions.create({
+      mode: 'subscription',
+      customer: stripeCustomerId,
+      line_items: [{ price, quantity: 1 }],
+      success_url: `${appUrl}/app/settings?tab=billing&checkout=success`,
+      cancel_url: `${appUrl}/pricing`,
+      metadata,
+      subscription_data: { metadata },
+      allow_promotion_codes: true,
+    });
+
+    return res.json({ url: session.url });
+  } catch (err) {
+    log.error('[billing] checkout error', { error: (err as Error).message });
+    return res.status(500).json({ error: 'internal_error', message: 'An unexpected error occurred' });
+  }
+});
+
+// GET /v1/billing/portal (auth required)
+router.get('/billing/portal', requireWorkspaceSession, async (req, res) => {
+  const authReq = req as WorkspaceAuthenticatedRequest;
+  const secret = process.env.STRIPE_SECRET_KEY;
+  const appUrl = process.env.APP_URL || process.env.FRONTEND_URL || 'http://localhost:3001';
+
+  if (!secret) {
+    return res.status(501).json({
+      error: 'billing_not_configured',
+      message: 'Stripe is not configured for this environment',
+    });
+  }
+
+  try {
+    const orgResult = await pool.query('SELECT stripe_customer_id FROM orgs WHERE id = $1', [authReq.org.id]);
+    const stripeCustomerId = orgResult.rows[0]?.stripe_customer_id;
+
+    if (!stripeCustomerId) {
+      return res.status(400).json({ error: 'no_stripe_customer', message: 'No billing account found. Subscribe to a plan first.' });
+    }
+
+    const stripe = getStripe(secret);
+    const portalSession = await stripe.billingPortal.sessions.create({
+      customer: stripeCustomerId,
+      return_url: `${appUrl}/app/settings?tab=billing`,
+    });
+
+    return res.json({ url: portalSession.url });
+  } catch (err) {
+    log.error('[billing] portal error', { error: (err as Error).message });
+    return res.status(500).json({ error: 'internal_error', message: 'An unexpected error occurred' });
+  }
+});
+
+// GET /v1/billing/status (auth required)
+router.get('/billing/status', requireWorkspaceSession, async (req, res) => {
+  const authReq = req as WorkspaceAuthenticatedRequest;
+
+  try {
+    const orgResult = await pool.query(
+      `SELECT
+         plan,
+         agent_limit,
+         stripe_customer_id,
+         stripe_subscription_id,
+         subscription_status,
+         current_period_end,
+         cancel_at_period_end,
+         billing_email
+       FROM orgs
+       WHERE id = $1`,
+      [authReq.org.id],
+    );
+    const org = orgResult.rows[0];
+    const plan = parsePlan(org.plan);
+    const usage = await getPlanUsage(authReq.org.id);
+    const limits = serializableLimits(plan);
+
+    const response: Record<string, unknown> = {
+      plan,
+      subscription_status: org.subscription_status ?? (plan === 'free' ? 'free' : 'active'),
+      renewal_date: org.current_period_end?.toISOString?.() ?? null,
+      cancel_at_period_end: Boolean(org.cancel_at_period_end),
+      billing_email: org.billing_email,
+      limits,
+      usage: {
+        ...usage,
+        activity_retention_days: limits.activity_retention_days,
+      },
+      upgrade_reasons: upgradeReasons(plan, usage),
+      agents_used: usage.agents,
+      agent_limit: getPlanConfig(plan).db_agent_limit,
+      stripe_customer_id: Boolean(org.stripe_customer_id),
+      stripe_subscription_id: Boolean(org.stripe_subscription_id),
+      billing_upgrades_enabled: billingUpgradesEnabled(),
+    };
+
+    if (!response.renewal_date && org.stripe_subscription_id && process.env.STRIPE_SECRET_KEY) {
+      try {
+        const stripe = getStripe(process.env.STRIPE_SECRET_KEY);
+        const sub = await stripe.subscriptions.retrieve(org.stripe_subscription_id) as unknown as { current_period_end: number };
+        response.renewal_date = new Date(sub.current_period_end * 1000).toISOString();
+      } catch {
+        // Non-fatal — just omit renewal_date
+      }
+    }
+
+    return res.json(response);
+  } catch (err) {
+    log.error('[billing] status error', { error: (err as Error).message });
+    return res.status(500).json({ error: 'internal_error', message: 'An unexpected error occurred' });
+  }
+});
+
+// GET /v1/billing/subscription/:org_id (legacy, kept for compatibility)
+router.get('/billing/subscription/:org_id', async (req, res) => {
+  const org = await pool.query('SELECT id, plan, agent_limit FROM orgs WHERE id = $1', [
+    req.params.org_id,
+  ]);
+  if (org.rows.length === 0) {
+    return res.status(404).json({ error: 'org_not_found', message: 'Organization not found' });
+  }
+
+  return res.json({
+    org_id: org.rows[0].id,
+    status: org.rows[0].plan === 'free' ? 'free' : 'active',
+    plan: org.rows[0].plan,
+    agent_limit: org.rows[0].agent_limit,
+  });
+});
+
+// Webhook handler (exported for use in index.ts with raw body)
+export async function handleStripeWebhook(req: express.Request, res: express.Response) {
+  const secret = process.env.STRIPE_SECRET_KEY;
+  const webhookSecret = process.env.STRIPE_WEBHOOK_SECRET;
+  const signature = req.header('stripe-signature');
+
+  if (!secret || !webhookSecret) {
+    return res.status(501).json({
+      error: 'billing_not_configured',
+      message: 'Stripe webhook is not configured for this environment',
+    });
+  }
+
+  if (!signature) {
+    return res.status(400).json({ error: 'missing_signature' });
+  }
+
+  const stripe = getStripe(secret);
+  let event: StripeEvent;
+  try {
+    event = stripe.webhooks.constructEvent(req.body, signature, webhookSecret) as StripeEvent;
+  } catch {
+    return res.status(400).json({ error: 'invalid_signature' });
+  }
+
+  try {
+    log.info('[billing] webhook received', {
+      request_id: requestIdFrom(res),
+      event_type: event.type,
+      event_id: (event as { id?: string }).id ?? null,
+    });
+
+    if (event.type === 'checkout.session.completed') {
+      const obj = event.data.object;
+      const metadata = parsePlanMetadata(obj.metadata);
+      if (metadata) {
+        await updateSubscriptionState({
+          org_id: metadata.orgId,
+          plan: parsePlan(metadata.plan),
+          subscription_status: 'active',
+          stripe_customer_id: typeof obj.customer === 'string' ? obj.customer : null,
+          stripe_subscription_id: typeof obj.subscription === 'string' ? obj.subscription : null,
+          billing_email: obj.customer_details?.email ?? obj.customer_email ?? null,
+        });
+
+        log.info('[billing] checkout completed', {
+          request_id: requestIdFrom(res),
+          org_id: metadata.orgId,
+          plan: metadata.plan,
+          event_type: event.type,
+        });
+      }
+    }
+
+    if (event.type === 'customer.subscription.updated') {
+      const subscription = event.data.object;
+      const metadata = parsePlanMetadata(subscription.metadata);
+      if (metadata) {
+        const status = subscription.status ?? 'active';
+        await updateSubscriptionState({
+          org_id: metadata.orgId,
+          plan: parsePlan(metadata.plan),
+          subscription_status: status,
+          stripe_customer_id: typeof subscription.customer === 'string' ? subscription.customer : null,
+          stripe_subscription_id: subscription.id ?? null,
+          current_period_start: stripeTimestamp(subscription.current_period_start),
+          current_period_end: stripeTimestamp(subscription.current_period_end),
+          cancel_at_period_end: Boolean(subscription.cancel_at_period_end),
+        });
+        log.info('[billing] subscription updated', {
+          request_id: requestIdFrom(res),
+          org_id: metadata.orgId,
+          status,
+          event_type: event.type,
+        });
+      }
+    }
+
+    if (event.type === 'customer.subscription.deleted') {
+      const subscription = event.data.object;
+      const metadata = parsePlanMetadata(subscription.metadata);
+      if (metadata) {
+        await applyPlanToOrg(pool, metadata.orgId, 'free');
+        await pool.query(
+          `UPDATE orgs
+           SET stripe_subscription_id = NULL,
+               subscription_status = 'canceled',
+               current_period_start = NULL,
+               current_period_end = NULL,
+               cancel_at_period_end = false
+           WHERE id = $1`,
+          [metadata.orgId],
+        );
+        log.info('[billing] subscription deleted', {
+          request_id: requestIdFrom(res),
+          org_id: metadata.orgId,
+          event_type: event.type,
+        });
+      }
+    }
+
+    if (event.type === 'invoice.payment_failed') {
+      const invoice = event.data.object;
+      log.warn('[billing] invoice payment failed', {
+        request_id: requestIdFrom(res),
+        customer: invoice.customer,
+        event_type: event.type,
+      });
+    }
+  } catch (err) {
+    log.error('[billing] webhook processing error', {
+      request_id: requestIdFrom(res),
+      error: (err as Error).message,
+      event_type: event.type,
+    });
+  }
+
+  return res.json({ received: true });
+}
+
+export default router;

package/src/routes/conflicts.ts

@@ -0,0 +1,131 @@
+import express from 'express';
+import { addDays } from 'date-fns';
+import { z } from 'zod';
+import pool from '../db/client';
+import { getAvailableSlots } from '../core/availability';
+import { previewConflict } from '../core/conflict';
+import {
+  canAccessAgent,
+  requireWorkspaceOrAgent,
+  type AnyAuthenticatedRequest,
+} from '../middleware/auth';
+import { log } from '../lib/logger';
+import { actorFromAuth, durationSince, logActivity } from '../lib/activity';
+import { enforcePlanLimit } from '../lib/plans';
+import type { Hold } from '../types';
+
+const router = express.Router();
+
+const ConflictCheckSchema = z
+  .object({
+    agent_id: z.string().uuid(),
+    start_at: z.string().datetime({ offset: true }),
+    end_at: z.string().datetime({ offset: true }),
+    reason: z.string().max(500).optional(),
+    metadata: z.record(z.string(), z.unknown()).optional(),
+  })
+  .refine((data) => new Date(data.end_at) > new Date(data.start_at), {
+    path: ['end_at'],
+    message: 'end_at must be after start_at',
+  });
+
+async function getAgentInOrg(agentId: string, orgId: string) {
+  const result = await pool.query('SELECT * FROM agents WHERE id = $1 AND org_id = $2', [
+    agentId,
+    orgId,
+  ]);
+  return result.rows[0];
+}
+
+function explanation(status: 'available' | 'would_win' | 'would_lose', rule: string) {
+  if (status === 'available') return 'No confirmed holds overlap this request.';
+  if (status === 'would_win') return `This agent would win the overlap by ${rule}.`;
+  return `An existing hold would keep the slot by ${rule}.`;
+}
+
+router.post('/conflicts/check', requireWorkspaceOrAgent, async (req, res) => {
+  const startedAt = Date.now();
+  const parsed = ConflictCheckSchema.safeParse(req.body);
+  if (!parsed.success) {
+    return res.status(422).json({ error: 'validation_error', details: parsed.error.flatten() });
+  }
+
+  const authReq = req as AnyAuthenticatedRequest;
+  const startAt = new Date(parsed.data.start_at);
+  const endAt = new Date(parsed.data.end_at);
+
+  try {
+    if (!(await getAgentInOrg(parsed.data.agent_id, authReq.org.id))) {
+      return res.status(403).json({ error: 'forbidden', message: 'Agent is outside your org' });
+    }
+    if (!canAccessAgent(authReq, parsed.data.agent_id)) {
+      return res.status(403).json({ error: 'forbidden', message: 'Agent key cannot act for another agent' });
+    }
+    if (!(await enforcePlanLimit({
+      org_id: authReq.org.id,
+      limit_type: 'api_calls_month',
+      res,
+    }))) {
+      return;
+    }
+
+    const newHold: Omit<Hold, 'id' | 'created_at'> = {
+      agent_id: parsed.data.agent_id,
+      org_id: authReq.org.id,
+      start_at: startAt,
+      end_at: endAt,
+      reason: parsed.data.reason,
+      status: 'confirmed',
+      metadata: parsed.data.metadata,
+    };
+    const result = await previewConflict(newHold, pool as never);
+    const alternatives =
+      result.status === 'would_lose'
+        ? await getAvailableSlots({
+            agent_id: parsed.data.agent_id,
+            org_id: authReq.org.id,
+            from: startAt,
+            to: addDays(startAt, 7),
+            duration_minutes: Math.ceil((endAt.getTime() - startAt.getTime()) / 60000),
+            include_competing_agents: true,
+          })
+        : [];
+
+    await logActivity({
+      org_id: authReq.org.id,
+      agent_id: parsed.data.agent_id,
+      activity_type: 'conflict_preview',
+      endpoint: '/v1/conflicts/check',
+      method: 'POST',
+      status_code: 200,
+      status: 'success',
+      ...actorFromAuth(authReq),
+      latency_ms: durationSince(startedAt),
+      metadata: {
+        start_at: startAt.toISOString(),
+        end_at: endAt.toISOString(),
+        result_status: result.status,
+        rule_applied: result.rule_applied,
+      },
+    });
+
+    return res.json({
+      status: result.status,
+      would_create_hold: result.status !== 'would_lose',
+      winning_hold_id: result.winning_hold_id,
+      losing_hold_ids: result.losing_hold_ids,
+      rule_applied: result.rule_applied,
+      explanation: explanation(result.status, result.rule_applied),
+      suggested_alternatives: alternatives.slice(0, 3).map((slot) => ({
+        start: slot.start.toISOString(),
+        end: slot.end.toISOString(),
+        confidence: slot.confidence,
+      })),
+    });
+  } catch (err) {
+    log.error('[conflicts] unexpected error', { error: (err as Error).message });
+    return res.status(500).json({ error: 'internal_error', message: 'An unexpected error occurred' });
+  }
+});
+
+export default router;