claude-code-limiter-server 1.0.0

package/src/server/routes/admin-api.js

@@ -0,0 +1,386 @@
+'use strict';
+
+const express = require('express');
+const router = express.Router();
+const db = require('../db');
+const { verifyPassword, hashPassword, createJWT, adminAuth } = require('../services/auth');
+const { getUsageSummary, getCreditBalance } = require('../services/usage');
+const { broadcast } = require('../ws');
+
+/**
+ * POST /api/admin/login
+ * Verify admin password, return JWT.
+ * Body: { password }
+ */
+router.post('/login', (req, res) => {
+  try {
+    const { password } = req.body;
+    if (!password) {
+      return res.status(400).json({ error: 'Password required' });
+    }
+
+    const team = db.getDefaultTeam();
+    if (!team) {
+      return res.status(500).json({ error: 'No team configured' });
+    }
+
+    if (!verifyPassword(password, team.admin_password)) {
+      return res.status(401).json({ error: 'Invalid password' });
+    }
+
+    const token = createJWT({ teamId: team.id });
+
+    // Set cookie and return token
+    res.cookie('jwt', token, {
+      httpOnly: true,
+      sameSite: 'lax',
+      maxAge: 24 * 60 * 60 * 1000, // 24 hours
+    });
+
+    res.json({
+      token,
+      team: {
+        id: team.id,
+        name: team.name,
+        credit_weights: JSON.parse(team.credit_weights),
+      },
+    });
+  } catch (err) {
+    console.error('POST /login error:', err);
+    res.status(500).json({ error: 'Internal server error' });
+  }
+});
+
+// All routes below require admin auth
+router.use(adminAuth);
+
+/**
+ * GET /api/admin/users
+ * List all users with live usage.
+ */
+router.get('/users', (req, res) => {
+  try {
+    const team = req.team;
+    const creditWeights = JSON.parse(team.credit_weights);
+    const users = db.getAllUsers(team.id);
+
+    const result = users.map(user => {
+      const limits = db.getLimitRules(user.id);
+      const usageSummary = getUsageSummary(user.id);
+
+      // Credit info
+      const creditRule = limits.find(r => r.type === 'credits');
+      let creditBalance = null;
+      let creditBudget = null;
+      if (creditRule) {
+        const cb = getCreditBalance(user.id, creditWeights, creditRule.window, creditRule.value);
+        creditBalance = cb.balance;
+        creditBudget = cb.budget;
+      }
+
+      return {
+        id: user.id,
+        slug: user.slug,
+        name: user.name,
+        status: user.status,
+        killed_at: user.killed_at,
+        last_seen: user.last_seen,
+        created_at: user.created_at,
+        limits,
+        usage: usageSummary,
+        credit_balance: creditBalance,
+        credit_budget: creditBudget,
+      };
+    });
+
+    res.json({ users: result });
+  } catch (err) {
+    console.error('GET /users error:', err);
+    res.status(500).json({ error: 'Internal server error' });
+  }
+});
+
+/**
+ * POST /api/admin/users
+ * Create a user and generate an install code.
+ * Body: { name, slug, limits? }
+ */
+router.post('/users', (req, res) => {
+  try {
+    const team = req.team;
+    const { name, slug, limits } = req.body;
+
+    if (!name || !slug) {
+      return res.status(400).json({ error: 'name and slug are required' });
+    }
+
+    // Check slug uniqueness
+    const existing = db.getUserBySlug(team.id, slug);
+    if (existing) {
+      return res.status(409).json({ error: `User with slug "${slug}" already exists` });
+    }
+
+    // Create user
+    const user = db.createUser({ teamId: team.id, slug, name });
+
+    // Create limit rules if provided
+    if (limits && Array.isArray(limits)) {
+      for (const rule of limits) {
+        db.createLimitRule({
+          userId: user.id,
+          type: rule.type,
+          model: rule.model,
+          window: rule.window,
+          value: rule.value,
+          schedule_start: rule.schedule_start,
+          schedule_end: rule.schedule_end,
+          schedule_tz: rule.schedule_tz,
+        });
+      }
+    }
+
+    // Generate install code
+    const installCode = db.createInstallCode(user.id);
+
+    // Get the full user with limits
+    const fullLimits = db.getLimitRules(user.id);
+
+    res.status(201).json({
+      user: {
+        id: user.id,
+        slug: user.slug,
+        name: user.name,
+        status: user.status,
+        auth_token: user.auth_token,
+        created_at: user.created_at,
+      },
+      limits: fullLimits,
+      install_code: installCode,
+    });
+  } catch (err) {
+    console.error('POST /users error:', err);
+    res.status(500).json({ error: 'Internal server error' });
+  }
+});
+
+/**
+ * PUT /api/admin/users/:id
+ * Update a user (name, slug, status, limits).
+ * Body: { name?, slug?, status?, limits? }
+ */
+router.put('/users/:id', (req, res) => {
+  try {
+    const userId = req.params.id;
+    const user = db.getUser(userId);
+
+    if (!user) {
+      return res.status(404).json({ error: 'User not found' });
+    }
+
+    // Verify user belongs to this team
+    if (user.team_id !== req.teamId) {
+      return res.status(403).json({ error: 'User does not belong to your team' });
+    }
+
+    const { name, slug, status, limits } = req.body;
+    const updates = {};
+    if (name !== undefined) updates.name = name;
+    if (slug !== undefined) updates.slug = slug;
+    if (status !== undefined) updates.status = status;
+
+    if (Object.keys(updates).length > 0) {
+      db.updateUser(userId, updates);
+    }
+
+    // Replace limits if provided
+    if (limits !== undefined && Array.isArray(limits)) {
+      db.deleteLimitRulesForUser(userId);
+      for (const rule of limits) {
+        db.createLimitRule({
+          userId,
+          type: rule.type,
+          model: rule.model,
+          window: rule.window,
+          value: rule.value,
+          schedule_start: rule.schedule_start,
+          schedule_end: rule.schedule_end,
+          schedule_tz: rule.schedule_tz,
+        });
+      }
+    }
+
+    const updatedUser = db.getUser(userId);
+    const updatedLimits = db.getLimitRules(userId);
+
+    // Broadcast status change
+    if (status && status !== user.status) {
+      const eventType = status === 'killed' ? 'user_killed' : 'user_status_change';
+      broadcast({
+        type: eventType,
+        userId: updatedUser.id,
+        userName: updatedUser.name,
+        oldStatus: user.status,
+        newStatus: status,
+        timestamp: new Date().toISOString(),
+      });
+    }
+
+    res.json({
+      user: {
+        id: updatedUser.id,
+        slug: updatedUser.slug,
+        name: updatedUser.name,
+        status: updatedUser.status,
+        killed_at: updatedUser.killed_at,
+        last_seen: updatedUser.last_seen,
+        created_at: updatedUser.created_at,
+      },
+      limits: updatedLimits,
+    });
+  } catch (err) {
+    console.error('PUT /users/:id error:', err);
+    res.status(500).json({ error: 'Internal server error' });
+  }
+});
+
+/**
+ * DELETE /api/admin/users/:id
+ * Remove a user and all related data.
+ */
+router.delete('/users/:id', (req, res) => {
+  try {
+    const userId = req.params.id;
+    const user = db.getUser(userId);
+
+    if (!user) {
+      return res.status(404).json({ error: 'User not found' });
+    }
+
+    if (user.team_id !== req.teamId) {
+      return res.status(403).json({ error: 'User does not belong to your team' });
+    }
+
+    db.deleteUser(userId);
+
+    res.json({ deleted: true, userId });
+  } catch (err) {
+    console.error('DELETE /users/:id error:', err);
+    res.status(500).json({ error: 'Internal server error' });
+  }
+});
+
+/**
+ * GET /api/admin/usage
+ * Usage history data for charts.
+ * Query: ?user_id=X&window=daily&days=30
+ */
+router.get('/usage', (req, res) => {
+  try {
+    const team = req.team;
+    const { user_id, window: windowType, days } = req.query;
+    const numDays = parseInt(days, 10) || 30;
+
+    if (user_id) {
+      // Verify user belongs to team
+      const user = db.getUser(user_id);
+      if (!user || user.team_id !== team.id) {
+        return res.status(404).json({ error: 'User not found' });
+      }
+
+      const usageSummary = getUsageSummary(user_id);
+
+      // Get daily breakdown for chart
+      const since = new Date(Date.now() - numDays * 24 * 60 * 60 * 1000).toISOString();
+      const dailyRows = db.getDb().prepare(
+        `SELECT DATE(timestamp) AS day, model, COUNT(*) AS count, SUM(credit_cost) AS credits
+         FROM usage_event
+         WHERE user_id = ? AND timestamp >= ?
+         GROUP BY DATE(timestamp), model
+         ORDER BY day ASC`
+      ).all(user_id, since);
+
+      res.json({ user_id, summary: usageSummary, daily: dailyRows });
+    } else {
+      // All users
+      const users = db.getAllUsers(team.id);
+      const since = new Date(Date.now() - numDays * 24 * 60 * 60 * 1000).toISOString();
+
+      const dailyRows = db.getDb().prepare(
+        `SELECT DATE(e.timestamp) AS day, e.user_id, u.name AS user_name, e.model, COUNT(*) AS count, SUM(e.credit_cost) AS credits
+         FROM usage_event e
+         JOIN user u ON e.user_id = u.id
+         WHERE u.team_id = ? AND e.timestamp >= ?
+         GROUP BY DATE(e.timestamp), e.user_id, e.model
+         ORDER BY day ASC`
+      ).all(team.id, since);
+
+      res.json({ daily: dailyRows });
+    }
+  } catch (err) {
+    console.error('GET /usage error:', err);
+    res.status(500).json({ error: 'Internal server error' });
+  }
+});
+
+/**
+ * GET /api/admin/events
+ * Recent usage events.
+ * Query: ?limit=50&user_id=X
+ */
+router.get('/events', (req, res) => {
+  try {
+    const team = req.team;
+    const limit = parseInt(req.query.limit, 10) || 50;
+    const userId = req.query.user_id;
+
+    const events = db.getRecentEvents({
+      userId: userId || null,
+      teamId: team.id,
+      limit,
+    });
+
+    res.json({ events });
+  } catch (err) {
+    console.error('GET /events error:', err);
+    res.status(500).json({ error: 'Internal server error' });
+  }
+});
+
+/**
+ * PUT /api/admin/settings
+ * Update team settings.
+ * Body: { name?, credit_weights?, admin_password? }
+ */
+router.put('/settings', (req, res) => {
+  try {
+    const team = req.team;
+    const { name, credit_weights, admin_password } = req.body;
+
+    const updates = {};
+    if (name !== undefined) updates.name = name;
+    if (credit_weights !== undefined) updates.credit_weights = credit_weights;
+    if (admin_password !== undefined) {
+      updates.admin_password = hashPassword(admin_password);
+    }
+
+    if (Object.keys(updates).length === 0) {
+      return res.status(400).json({ error: 'No fields to update' });
+    }
+
+    db.updateTeam(team.id, updates);
+
+    const updatedTeam = db.getTeam(team.id);
+    res.json({
+      team: {
+        id: updatedTeam.id,
+        name: updatedTeam.name,
+        credit_weights: JSON.parse(updatedTeam.credit_weights),
+      },
+    });
+  } catch (err) {
+    console.error('PUT /settings error:', err);
+    res.status(500).json({ error: 'Internal server error' });
+  }
+});
+
+module.exports = router;

package/src/server/routes/hook-api.js

@@ -0,0 +1,312 @@
+'use strict';
+
+const express = require('express');
+const router = express.Router();
+const db = require('../db');
+const { hookAuth } = require('../services/auth');
+const { evaluateLimits } = require('../services/limiter');
+const { recordEvent, getUsageSummary, getCreditBalance } = require('../services/usage');
+const { broadcast } = require('../ws');
+
+/**
+ * POST /api/v1/sync
+ * SessionStart: sync config, report model/machine, update last_seen.
+ * Body: { auth_token, model, hostname?, platform? }
+ */
+router.post('/sync', hookAuth, (req, res) => {
+  try {
+    const user = req.user;
+    const team = req.team;
+    const creditWeights = JSON.parse(team.credit_weights);
+
+    // Update last_seen
+    db.updateUser(user.id, { last_seen: new Date().toISOString() });
+
+    // Get limits and usage
+    const limits = db.getLimitRules(user.id);
+    const result = evaluateLimits(user, req.body.model || 'default', creditWeights);
+
+    // Build usage counts for the primary window (daily by default)
+    const usageSummary = getUsageSummary(user.id);
+    const usage = usageSummary.daily ? usageSummary.daily.counts : {};
+
+    // Find credit budget if any
+    const creditRule = limits.find(r => r.type === 'credits');
+    let creditBalance = null;
+    let creditBudget = null;
+    if (creditRule) {
+      const cb = getCreditBalance(user.id, creditWeights, creditRule.window, creditRule.value);
+      creditBalance = cb.balance;
+      creditBudget = cb.budget;
+    }
+
+    broadcast({
+      type: 'user_status',
+      userId: user.id,
+      userName: user.name,
+      status: user.status,
+      model: req.body.model,
+      hostname: req.body.hostname,
+      timestamp: new Date().toISOString(),
+    });
+
+    res.json({
+      status: user.status,
+      limits: limits.map(sanitizeRule),
+      credit_weights: creditWeights,
+      usage,
+      credit_balance: creditBalance,
+      credit_budget: creditBudget,
+      message: null,
+    });
+  } catch (err) {
+    console.error('POST /sync error:', err);
+    res.status(500).json({ error: 'Internal server error' });
+  }
+});
+
+/**
+ * POST /api/v1/check
+ * UserPromptSubmit: check if prompt is allowed, sync local usage.
+ * Body: { auth_token, model, local_usage? }
+ */
+router.post('/check', hookAuth, (req, res) => {
+  try {
+    const user = req.user;
+    const team = req.team;
+    const model = req.body.model || 'default';
+    const creditWeights = JSON.parse(team.credit_weights);
+
+    // Update last_seen
+    db.updateUser(user.id, { last_seen: new Date().toISOString() });
+
+    // Evaluate limits
+    const result = evaluateLimits(user, model, creditWeights);
+
+    // Get limits for response
+    const limits = db.getLimitRules(user.id);
+
+    // Build usage
+    const usageSummary = getUsageSummary(user.id);
+    const usage = usageSummary.daily ? usageSummary.daily.counts : {};
+
+    // Credit info
+    const creditRule = limits.find(r => r.type === 'credits');
+    let creditBalance = result.credit_balance;
+    let creditBudget = result.credit_budget;
+    if (creditRule && creditBalance == null) {
+      const cb = getCreditBalance(user.id, creditWeights, creditRule.window, creditRule.value);
+      creditBalance = cb.balance;
+      creditBudget = cb.budget;
+    }
+
+    // Broadcast event
+    if (!result.allowed) {
+      broadcast({
+        type: 'user_blocked',
+        userId: user.id,
+        userName: user.name,
+        model,
+        reason: result.reason,
+        timestamp: new Date().toISOString(),
+      });
+    } else {
+      broadcast({
+        type: 'user_check',
+        userId: user.id,
+        userName: user.name,
+        model,
+        timestamp: new Date().toISOString(),
+      });
+    }
+
+    res.json({
+      allowed: result.allowed,
+      reason: result.reason || null,
+      status: user.status,
+      limits: limits.map(sanitizeRule),
+      usage,
+      credit_balance: creditBalance,
+      credit_budget: creditBudget,
+      message: null,
+    });
+  } catch (err) {
+    console.error('POST /check error:', err);
+    res.status(500).json({ error: 'Internal server error' });
+  }
+});
+
+/**
+ * POST /api/v1/count
+ * Stop: record a completed turn.
+ * Body: { auth_token, model, timestamp? }
+ */
+router.post('/count', hookAuth, (req, res) => {
+  try {
+    const user = req.user;
+    const team = req.team;
+    const model = req.body.model || 'default';
+    const timestamp = req.body.timestamp || new Date().toISOString();
+    const creditWeights = JSON.parse(team.credit_weights);
+
+    // Calculate credit cost
+    const creditCost = creditWeights[model] || creditWeights['default'] || 1;
+
+    // Record the event
+    recordEvent(user.id, model, creditCost, timestamp, 'hook');
+
+    // Recalculate credit balance
+    const limits = db.getLimitRules(user.id);
+    const creditRule = limits.find(r => r.type === 'credits');
+    let newBalance = null;
+    if (creditRule) {
+      const cb = getCreditBalance(user.id, creditWeights, creditRule.window, creditRule.value);
+      newBalance = cb.balance;
+    }
+
+    // Broadcast
+    broadcast({
+      type: 'user_counted',
+      userId: user.id,
+      userName: user.name,
+      model,
+      creditCost,
+      timestamp,
+    });
+
+    res.json({
+      recorded: true,
+      new_balance: newBalance,
+    });
+  } catch (err) {
+    console.error('POST /count error:', err);
+    res.status(500).json({ error: 'Internal server error' });
+  }
+});
+
+/**
+ * GET /api/v1/status
+ * CLI status command: full dashboard data.
+ */
+router.get('/status', hookAuth, (req, res) => {
+  try {
+    const user = req.user;
+    const team = req.team;
+    const creditWeights = JSON.parse(team.credit_weights);
+
+    const limits = db.getLimitRules(user.id);
+    const usageSummary = getUsageSummary(user.id);
+
+    // Credit info
+    const creditRule = limits.find(r => r.type === 'credits');
+    let creditBalance = null;
+    let creditBudget = null;
+    if (creditRule) {
+      const cb = getCreditBalance(user.id, creditWeights, creditRule.window, creditRule.value);
+      creditBalance = cb.balance;
+      creditBudget = cb.budget;
+    }
+
+    // Per-model limits with current counts
+    const perModelStatus = {};
+    const perModelRules = limits.filter(r => r.type === 'per_model');
+    for (const rule of perModelRules) {
+      const mdl = rule.model || 'all';
+      if (!perModelStatus[mdl]) perModelStatus[mdl] = {};
+      const windowUsage = usageSummary[rule.window];
+      const count = windowUsage ? (windowUsage.counts[mdl] || 0) : 0;
+      perModelStatus[mdl][rule.window] = {
+        used: count,
+        limit: rule.value,
+        remaining: rule.value === -1 ? -1 : Math.max(0, rule.value - count),
+      };
+    }
+
+    res.json({
+      user: {
+        id: user.id,
+        name: user.name,
+        slug: user.slug,
+        status: user.status,
+      },
+      credit_weights: creditWeights,
+      credit_balance: creditBalance,
+      credit_budget: creditBudget,
+      limits: limits.map(sanitizeRule),
+      per_model: perModelStatus,
+      usage: usageSummary,
+    });
+  } catch (err) {
+    console.error('GET /status error:', err);
+    res.status(500).json({ error: 'Internal server error' });
+  }
+});
+
+/**
+ * POST /api/v1/register
+ * Exchange an install code for auth_token + config.
+ * Body: { code }
+ */
+router.post('/register', (req, res) => {
+  try {
+    const { code } = req.body;
+    if (!code) {
+      return res.status(400).json({ error: 'Install code required' });
+    }
+
+    const installCode = db.useInstallCode(code);
+    if (!installCode) {
+      return res.status(404).json({ error: 'Invalid or already used install code' });
+    }
+
+    const user = db.getUser(installCode.user_id);
+    if (!user) {
+      return res.status(404).json({ error: 'User not found for this install code' });
+    }
+
+    const team = db.getTeam(user.team_id);
+    const creditWeights = JSON.parse(team.credit_weights);
+    const limits = db.getLimitRules(user.id);
+
+    res.json({
+      auth_token: user.auth_token,
+      user: {
+        id: user.id,
+        name: user.name,
+        slug: user.slug,
+        status: user.status,
+      },
+      limits: limits.map(sanitizeRule),
+      credit_weights: creditWeights,
+    });
+  } catch (err) {
+    console.error('POST /register error:', err);
+    res.status(500).json({ error: 'Internal server error' });
+  }
+});
+
+/**
+ * GET /api/v1/health
+ * Simple health check for Docker/load balancer.
+ */
+router.get('/health', (req, res) => {
+  res.json({ status: 'ok', timestamp: new Date().toISOString() });
+});
+
+/**
+ * Strip internal fields from a limit rule for API responses.
+ */
+function sanitizeRule(rule) {
+  return {
+    id: rule.id,
+    type: rule.type,
+    model: rule.model,
+    window: rule.window,
+    value: rule.value,
+    schedule_start: rule.schedule_start,
+    schedule_end: rule.schedule_end,
+    schedule_tz: rule.schedule_tz,
+  };
+}
+
+module.exports = router;