fraim-framework 2.0.179 → 2.0.180

package/dist/src/fraim/issues.js

@@ -0,0 +1,152 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.fileFraimIssue = fileFraimIssue;
+exports.listFraimIssuesByReporter = listFraimIssuesByReporter;
+const axios_1 = __importDefault(require("axios"));
+const FRAIM_REPO_OWNER = 'mathursrus';
+const FRAIM_REPO_NAME = 'FRAIM';
+const DEFAULT_LIST_LIMIT = 20;
+const MAX_LIST_LIMIT = 100;
+function normalizeLimit(limit) {
+    if (!Number.isFinite(limit))
+        return DEFAULT_LIST_LIMIT;
+    const parsed = Math.trunc(limit);
+    if (parsed <= 0)
+        return DEFAULT_LIST_LIMIT;
+    return Math.min(parsed, MAX_LIST_LIMIT);
+}
+/**
+ * File an issue in the FRAIM repository
+ *
+ * This function creates issues in the FRAIM repository for bug reports,
+ * feature requests, and workflow contributions.
+ */
+async function fileFraimIssue(params) {
+    const { title, labels, dryRun, reporterEmail } = params;
+    // Prepend reporter line so the close-the-loop job can identify who filed the issue
+    const reporterLine = reporterEmail ? `**Reported by:** ${reporterEmail}\n\n` : '';
+    const body = reporterLine + params.body;
+    // Always target the FRAIM repository
+    const owner = FRAIM_REPO_OWNER;
+    const repo = FRAIM_REPO_NAME;
+    if (dryRun) {
+        return {
+            success: true,
+            dryRun: true,
+            message: `[DRY RUN] Would create GitHub issue: "${title}" in ${owner}/${repo}.`
+        };
+    }
+    try {
+        // Check for GitHub token
+        const token = process.env.GITHUB_TOKEN;
+        if (!token) {
+            return {
+                success: false,
+                message: `GitHub integration requires GITHUB_TOKEN environment variable.
+                
+Please set GITHUB_TOKEN environment variable to file issues in ${owner}/${repo}.`
+            };
+        }
+        // Create the issue in FRAIM repository
+        const url = `https://api.github.com/repos/${owner}/${repo}/issues`;
+        const payload = { title, body };
+        if (labels && labels.length > 0) {
+            payload.labels = labels;
+        }
+        const response = await axios_1.default.post(url, payload, {
+            headers: {
+                'Authorization': `Bearer ${token}`,
+                'Accept': 'application/vnd.github.v3+json',
+                'Content-Type': 'application/json',
+            },
+        });
+        return {
+            success: true,
+            issueNumber: response.data.number,
+            htmlUrl: response.data.html_url
+        };
+    }
+    catch (error) {
+        let errorMessage = 'Unknown error';
+        if (axios_1.default.isAxiosError(error)) {
+            errorMessage = `Status: ${error.response?.status} - ${JSON.stringify(error.response?.data)}`;
+        }
+        else if (error instanceof Error) {
+            errorMessage = error.message;
+        }
+        return {
+            success: false,
+            message: `Failed to create issue in FRAIM repository: ${errorMessage}`
+        };
+    }
+}
+/**
+ * List issues filed into the FRAIM repository by a specific reporter email.
+ *
+ * Uses GitHub search against the existing "Reported by:" marker in issue bodies
+ * so we do not need a second FRAIM-owned index.
+ */
+async function listFraimIssuesByReporter(params) {
+    const { reporterEmail } = params;
+    const limit = normalizeLimit(params.limit);
+    if (!reporterEmail) {
+        return {
+            success: false,
+            message: 'Reporter email is required to list FRAIM GitHub issues.'
+        };
+    }
+    const token = process.env.GITHUB_TOKEN;
+    if (!token) {
+        return {
+            success: false,
+            message: `GitHub integration requires GITHUB_TOKEN environment variable.
+                
+Please set GITHUB_TOKEN environment variable to query issues in ${FRAIM_REPO_OWNER}/${FRAIM_REPO_NAME}.`
+        };
+    }
+    const query = `repo:${FRAIM_REPO_OWNER}/${FRAIM_REPO_NAME} is:issue "Reported by: ${reporterEmail}" in:body`;
+    try {
+        const response = await axios_1.default.get('https://api.github.com/search/issues', {
+            headers: {
+                'Authorization': `Bearer ${token}`,
+                'Accept': 'application/vnd.github+json',
+                'X-GitHub-Api-Version': '2022-11-28'
+            },
+            params: {
+                q: query,
+                sort: 'created',
+                order: 'desc',
+                per_page: limit,
+                page: 1
+            }
+        });
+        const issues = Array.isArray(response.data?.items)
+            ? response.data.items.map((item) => ({
+                issueNumber: item.number,
+                title: item.title,
+                status: item.state === 'closed' ? 'closed' : 'open',
+                createdAt: item.created_at
+            }))
+            : [];
+        return {
+            success: true,
+            issues
+        };
+    }
+    catch (error) {
+        let errorMessage = 'Unknown error';
+        if (axios_1.default.isAxiosError(error)) {
+            errorMessage = `Status: ${error.response?.status} - ${JSON.stringify(error.response?.data)}`;
+        }
+        else if (error instanceof Error) {
+            errorMessage = error.message;
+        }
+        return {
+            success: false,
+            message: `Failed to query issues in the FRAIM repository: ${errorMessage}`
+        };
+    }
+}

package/dist/src/fraim/template-processor.js

@@ -0,0 +1,184 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.TemplateEngine = void 0;
+exports.getTemplateEngine = getTemplateEngine;
+const fs_1 = require("fs");
+const path_1 = require("path");
+const provider_utils_1 = require("../core/utils/provider-utils");
+const object_utils_1 = require("../core/utils/object-utils");
+/**
+ * Multi-Provider Template Engine
+ * Processes workflow templates with provider-specific action mappings
+ */
+class TemplateEngine {
+    constructor(registryPath) {
+        this.providers = new Map();
+        this.registryPath = registryPath || (0, path_1.join)(__dirname, '../../registry');
+        this.loadProviders();
+    }
+    loadProviders() {
+        try {
+            // Load GitHub provider templates
+            const githubPath = (0, path_1.join)(this.registryPath, 'providers/github.json');
+            if ((0, fs_1.existsSync)(githubPath)) {
+                const githubTemplates = JSON.parse((0, fs_1.readFileSync)(githubPath, 'utf-8'));
+                this.providers.set('github', githubTemplates);
+            }
+            // Load ADO provider templates
+            const adoPath = (0, path_1.join)(this.registryPath, 'providers/ado.json');
+            if ((0, fs_1.existsSync)(adoPath)) {
+                const adoTemplates = JSON.parse((0, fs_1.readFileSync)(adoPath, 'utf-8'));
+                this.providers.set('ado', adoTemplates);
+            }
+            // Load Jira provider templates
+            const jiraPath = (0, path_1.join)(this.registryPath, 'providers/jira.json');
+            if ((0, fs_1.existsSync)(jiraPath)) {
+                const jiraTemplates = JSON.parse((0, fs_1.readFileSync)(jiraPath, 'utf-8'));
+                this.providers.set('jira', jiraTemplates);
+            }
+            // Load GitLab provider templates
+            const gitlabPath = (0, path_1.join)(this.registryPath, 'providers/gitlab.json');
+            if ((0, fs_1.existsSync)(gitlabPath)) {
+                const gitlabTemplates = JSON.parse((0, fs_1.readFileSync)(gitlabPath, 'utf-8'));
+                this.providers.set('gitlab', gitlabTemplates);
+            }
+            console.log(`✅ Loaded ${this.providers.size} provider templates`);
+        }
+        catch (error) {
+            console.warn('⚠️ Failed to load provider templates:', error);
+        }
+    }
+    /**
+     * Process workflow content with provider actions only
+     */
+    processWorkflow(workflowContent, repositoryInfo) {
+        // Only process provider actions, no client-side config variables
+        return this.processProviderActions(workflowContent, repositoryInfo);
+    }
+    processProviderActions(workflowContent, repositoryInfo) {
+        // Determine code provider from repository info using shared utility
+        const repoData = repositoryInfo?.repository || repositoryInfo;
+        const codeProvider = repoData?.provider || (0, provider_utils_1.detectProvider)(repoData?.url);
+        // Determine issue provider from explicit issueTracking context only
+        const issueProvider = repositoryInfo?.issueTracking?.provider;
+        // Get templates for both providers
+        const codeTemplates = this.providers.get(codeProvider);
+        const issueTemplates = issueProvider ? this.providers.get(issueProvider) : undefined;
+        if (!codeTemplates && !issueTemplates) {
+            console.warn(`⚠️ No templates found for providers: code=${codeProvider}, issue=${issueProvider}`);
+            return workflowContent;
+        }
+        // Process with both providers
+        return this.processWithSplitProviders(workflowContent, codeProvider, issueProvider, repositoryInfo);
+    }
+    processWithSplitProviders(workflowContent, codeProvider, issueProvider, repositoryInfo) {
+        const codeTemplates = this.providers.get(codeProvider);
+        const issueTemplates = issueProvider ? this.providers.get(issueProvider) : undefined;
+        let processed = workflowContent;
+        // Define which actions are code-related vs issue-related
+        const issueActions = new Set([
+            'get_issue', 'update_issue_status', 'add_issue_comment',
+            'create_issue', 'assign_issue', 'search_issues',
+            'close_issue', 'list_issues'
+        ]);
+        const codeActions = new Set([
+            'create_pr', 'get_pr', 'get_pr_comments', 'get_pr_review_comments',
+            'get_pr_reviews', 'add_pr_comment', 'merge_pr', 'create_branch',
+            'switch_branch', 'commit_changes', 'push_branch'
+        ]);
+        // Replace issue actions with issue provider templates
+        if (issueTemplates) {
+            for (const [action, template] of Object.entries(issueTemplates)) {
+                if (issueActions.has(action)) {
+                    const regex = new RegExp(`{{${action}}}`, 'g');
+                    const renderedTemplate = this.renderTemplate(template, repositoryInfo);
+                    processed = processed.replace(regex, renderedTemplate);
+                }
+            }
+        }
+        // Replace code actions with code provider templates
+        if (codeTemplates) {
+            for (const [action, template] of Object.entries(codeTemplates)) {
+                if (codeActions.has(action)) {
+                    const regex = new RegExp(`{{${action}}}`, 'g');
+                    const renderedTemplate = this.renderTemplate(template, repositoryInfo);
+                    processed = processed.replace(regex, renderedTemplate);
+                }
+            }
+        }
+        return processed;
+    }
+    /**
+     * Render template with repository variable substitution
+     */
+    renderTemplate(template, repositoryInfo) {
+        if (!repositoryInfo)
+            return template;
+        return template.replace(/{{([^}]+)}}/g, (match, path) => {
+            const trimmedPath = path.trim();
+            // Handle proxy.repository.* variables
+            if (trimmedPath.startsWith('proxy.repository.')) {
+                const repoPath = trimmedPath.substring('proxy.repository.'.length);
+                let repoData = repositoryInfo.repository || repositoryInfo;
+                const value = (0, object_utils_1.getNestedValue)(repoData, repoPath);
+                return value !== undefined ? String(value) : match;
+            }
+            // Handle proxy.issueTracking.* variables (for split provider mode)
+            if (trimmedPath.startsWith('proxy.issueTracking.')) {
+                const issueTrackingPath = trimmedPath.substring('proxy.issueTracking.'.length);
+                const issueTrackingData = repositoryInfo.issueTracking;
+                if (issueTrackingData) {
+                    const value = (0, object_utils_1.getNestedValue)(issueTrackingData, issueTrackingPath);
+                    return value !== undefined ? String(value) : match;
+                }
+                return match;
+            }
+            return match;
+        });
+    }
+    /**
+     * Get available providers
+     */
+    getAvailableProviders() {
+        return Array.from(this.providers.keys());
+    }
+    /**
+     * Get available actions for a provider
+     */
+    getProviderActions(provider) {
+        const templates = this.providers.get(provider);
+        return templates ? Object.keys(templates) : [];
+    }
+    /**
+     * Validate that all template actions in content are supported
+     */
+    validateWorkflow(workflowContent, provider) {
+        const actionRegex = /{{(\w+)}}/g;
+        const actions = new Set();
+        let match;
+        while ((match = actionRegex.exec(workflowContent)) !== null) {
+            // Skip config variables
+            if (!match[1].startsWith('config.')) {
+                actions.add(match[1]);
+            }
+        }
+        const providerActions = this.getProviderActions(provider);
+        const missingActions = Array.from(actions).filter(action => !providerActions.includes(action));
+        return {
+            valid: missingActions.length === 0,
+            missingActions
+        };
+    }
+}
+exports.TemplateEngine = TemplateEngine;
+// Global template engine instance
+let globalTemplateEngine = null;
+/**
+ * Get or create global template engine instance
+ */
+function getTemplateEngine(registryPath) {
+    if (!globalTemplateEngine || (registryPath && registryPath !== globalTemplateEngine['registryPath'])) {
+        globalTemplateEngine = new TemplateEngine(registryPath);
+    }
+    return globalTemplateEngine;
+}

package/dist/src/fraim/utils/request-utils.js

@@ -0,0 +1,23 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.EMAIL_REGEX = void 0;
+exports.validateEmail = validateEmail;
+exports.getRequestMeta = getRequestMeta;
+/**
+ * Standard email validation regex
+ */
+exports.EMAIL_REGEX = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;
+/**
+ * Validate an email address
+ */
+function validateEmail(email) {
+    return exports.EMAIL_REGEX.test(email);
+}
+/**
+ * Extract IP and UserAgent from an Express Request
+ */
+function getRequestMeta(req) {
+    const ip = req.headers['x-forwarded-for'] || req.ip || 'unknown';
+    const userAgent = req.headers['user-agent'] || 'unknown';
+    return { ip, userAgent };
+}

package/dist/src/middleware/auth.js

@@ -0,0 +1,266 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.AuthMiddleware = void 0;
+const fs_1 = require("fs");
+const path_1 = require("path");
+const cookie_service_1 = require("../services/cookie-service");
+const audit_log_1 = require("../services/audit-log");
+function resolveFraimProFilePath(fileName) {
+    const candidates = [
+        (0, path_1.join)(process.cwd(), 'fraim-pro', fileName),
+        (0, path_1.resolve)(__dirname, '..', '..', 'fraim-pro', fileName),
+        (0, path_1.resolve)(__dirname, '..', '..', '..', 'fraim-pro', fileName),
+    ];
+    for (const candidate of candidates) {
+        if ((0, fs_1.existsSync)(candidate))
+            return candidate;
+    }
+    return null;
+}
+class AuthMiddleware {
+    constructor(dbService, skipTestBypass = false) {
+        this.dbService = dbService;
+        this.skipTestBypass = skipTestBypass;
+    }
+    /**
+     * Middleware to authenticate requests via API key
+     */
+    async handle(req, res, next) {
+        // Note: Payment routes are registered BEFORE this middleware is applied
+        // Skip auth for public health check, admin routes, website signup, sales inquiries, and self-serve access flow
+        const rawPath = req.path ?? req.originalUrl ?? req.url ?? '';
+        const p = (typeof rawPath === 'string' ? rawPath : '').split('?')[0].replace(/\/$/, '') || '';
+        const publicPrefixes = ['/admin', '/dashboard', '/health', '/pricing', '/fraim-brain', '/api/signup', '/api/sales', '/api/request-access', '/api/installer-key', '/api/installer-download', '/api/installer-availability', '/api/payment/bypass', '/api/pricing', '/api/personas/catalog', '/auth', '/portfolio'];
+        // Analytics dashboard is public, but API routes are protected
+        const isAnalyticsPublic = p === '/analytics' || p === '/analytics/' || p.startsWith('/analytics/') && p.endsWith('.html');
+        // Homepage is public
+        if (p === '' || p === '/')
+            return next();
+        const publicExtensions = ['.css', '.js', '.png', '.jpg', '.jpeg', '.svg', '.ico', '.woff', '.woff2', '.ttf'];
+        const isPublic = publicPrefixes.some(prefix => p === prefix || p.startsWith(prefix + '/'))
+            || publicExtensions.some(ext => p.endsWith(ext))
+            || p.startsWith('/css/') || p.startsWith('/js/') || p.startsWith('/images/')
+            || isAnalyticsPublic;
+        if (isPublic) {
+            return next();
+        }
+        // Header-only API key transport. Query-string transport was removed because credentials
+        // in URLs leak through access logs, browser history, and HTTP Referer headers.
+        // Reject any request that attempts to use ?api-key= so silent fallback to header doesn't mask the misuse.
+        if (req.query && typeof req.query['api-key'] !== 'undefined') {
+            console.error(`[FRAIM AUTH] Rejected query-string api-key for ${req.method} ${req.path}`);
+            return res.status(401).json({
+                jsonrpc: '2.0',
+                error: { code: -32001, message: 'Unauthorized: API keys must be sent in the x-api-key header, not in the query string [AUTH-QUERY-FORBIDDEN]' },
+                id: req.body?.id || null
+            });
+        }
+        // Issue #359 — accept FraimAuthSession via cookie or Authorization: Bearer in addition to x-api-key.
+        // Priority: x-api-key (programmatic clients) → cookie (web) → bearer (mobile/native).
+        const apiKey = req.headers['x-api-key'];
+        const sessionFromCookie = (0, cookie_service_1.readSessionCookie)(req);
+        const sessionFromBearer = (0, cookie_service_1.readBearerToken)(req);
+        const sessionToken = sessionFromCookie || sessionFromBearer;
+        // If a session token is present and there's no API key, resolve it.
+        if (!apiKey && sessionToken) {
+            try {
+                const session = await this.dbService.getAuthSession(sessionToken);
+                if (!session || session.revoked || session.expiresAt < new Date()) {
+                    // MCP clients (claude.ai Connectors, Office add-ins, Claude Design) send the
+                    // FRAIM API key as Authorization: Bearer <key>. The bearer value arrives here
+                    // as sessionToken but is not a session UUID — it's the raw key. Try it as a
+                    // direct API key before returning 401.
+                    if (sessionFromBearer) {
+                        const directKeyData = await this.dbService.verifyApiKey(sessionFromBearer).catch(() => null);
+                        const isDirectKeyValid = directKeyData
+                            && directKeyData.status !== 'suspended'
+                            && !(directKeyData.status === 'expired' || (directKeyData.expiresAt && new Date() > directKeyData.expiresAt));
+                        if (isDirectKeyValid) {
+                            this.dbService.updateApiKeyLastUsed(directKeyData.key).catch(() => undefined);
+                            req.apiKeyData = directKeyData;
+                            req.authSource = 'bearer-api-key';
+                            return next();
+                        }
+                    }
+                    console.error(`[FRAIM AUTH] Invalid/revoked/expired session for ${req.method} ${req.path}`);
+                    if (sessionFromCookie)
+                        (0, cookie_service_1.clearSessionCookie)(res);
+                    (0, audit_log_1.auditLog)('SESSION_REVOKED', {
+                        userId: session?.userId ?? null,
+                        sessionId: sessionToken,
+                        reason: !session ? 'not_found' : session.revoked ? 'revoked' : 'expired',
+                        outcome: 'failure',
+                    }).catch(() => undefined);
+                    return res.status(401).json({
+                        jsonrpc: '2.0',
+                        error: { code: -32001, message: 'Unauthorized: Session expired or revoked [AUTH-SESSION-INVALID]' },
+                        id: req.body?.id || null
+                    });
+                }
+                const apiKeyData = await this.dbService.getApiKeyByUserId(session.userId, false);
+                if (!apiKeyData) {
+                    console.error(`[FRAIM AUTH] Session valid but no API key for user ${session.userId}`);
+                    return res.status(401).json({
+                        jsonrpc: '2.0',
+                        error: { code: -32001, message: 'Unauthorized: No identity for session [AUTH-NO-IDENTITY]' },
+                        id: req.body?.id || null
+                    });
+                }
+                this.dbService.touchAuthSession(session.sessionId).catch(err => {
+                    console.warn('[FRAIM AUTH] Failed to update auth session lastSeenAt:', err);
+                });
+                req.apiKeyData = apiKeyData;
+                req.authSession = session;
+                req.authSource = sessionFromCookie ? 'session-cookie' : 'session-bearer';
+                return next();
+            }
+            catch (err) {
+                const msg = err instanceof Error ? err.message : String(err);
+                console.error('[FRAIM AUTH] Error resolving session:', msg);
+                return res.status(500).json({ error: 'Internal Server Error', details: msg });
+            }
+        }
+        // Mixed-identity check: if both a session AND an api key are presented, they must agree.
+        if (apiKey && sessionToken) {
+            try {
+                const [keyData, session] = await Promise.all([
+                    this.dbService.verifyApiKey(apiKey),
+                    this.dbService.getAuthSession(sessionToken),
+                ]);
+                if (keyData && session && !session.revoked && keyData.userId !== session.userId) {
+                    console.error(`[FRAIM AUTH] MIXED_IDENTITY: api-key user=${keyData.userId} session user=${session.userId}`);
+                    (0, audit_log_1.auditLog)('MIXED_IDENTITY', {
+                        userId: keyData.userId,
+                        sessionId: sessionToken,
+                        outcome: 'failure',
+                        reason: `session_user=${session.userId}`,
+                    }).catch(() => undefined);
+                    return res.status(401).json({
+                        jsonrpc: '2.0',
+                        error: { code: -32001, message: 'Unauthorized: Mixed identity [AUTH-MIXED-IDENTITY]' },
+                        id: req.body?.id || null
+                    });
+                }
+            }
+            catch (err) {
+                console.warn('[FRAIM AUTH] Mixed-identity check failed:', err instanceof Error ? err.message : String(err));
+            }
+        }
+        // Check for missing API key first
+        if (!apiKey) {
+            // For browser navigation (HTML Accept, non-API path), serve 404 page instead of 401 JSON
+            const acceptsHtml = (req.headers.accept || '').includes('text/html');
+            const isApiPath = p.startsWith('/api/') || p.startsWith('/mcp') || p.startsWith('/admin');
+            if (acceptsHtml && !isApiPath) {
+                const page404 = resolveFraimProFilePath('404.html');
+                if (page404)
+                    return res.status(404).sendFile(page404);
+                return res.status(404).send('<h1>404</h1><p>Page not found.</p>');
+            }
+            console.error(`[FRAIM AUTH] Missing API key for ${req.method} ${req.path}`);
+            return res.status(401).json({
+                jsonrpc: '2.0',
+                error: { code: -32001, message: 'Unauthorized: Missing API key [AUTH-MISSING]' },
+                id: req.body?.id || null
+            });
+        }
+        // Auth bypass for Local Sync and Tests
+        const rawAuthMode = req.headers['x-fraim-auth-mode'];
+        const authMode = Array.isArray(rawAuthMode) ? rawAuthMode[0] : rawAuthMode;
+        const strictTestAuth = typeof authMode === 'string' && authMode.toLowerCase() === 'strict';
+        const isTestBypass = process.env.NODE_ENV === 'test' && !this.skipTestBypass && !strictTestAuth && apiKey !== 'invalid-key';
+        const isLocalDev = apiKey === 'local-dev' && process.env.NODE_ENV !== 'production';
+        if (isLocalDev || isTestBypass) {
+            req.apiKeyData = {
+                key: apiKey,
+                userId: isLocalDev ? 'local-dev-user' : 'test-user',
+                orgId: isLocalDev ? 'local-dev-org' : 'test-org',
+                isActive: true
+            };
+            return next();
+        }
+        try {
+            const apiKeyData = await this.dbService.verifyApiKey(apiKey);
+            if (!apiKeyData) {
+                console.error(`❌ FRAIM AUTH: Invalid API key: ${apiKey}`);
+                return res.status(401).json({
+                    jsonrpc: '2.0',
+                    error: { code: -32001, message: 'Unauthorized: Invalid x-api-key [AUTH-INVALID]' },
+                    id: req.body?.id || null
+                });
+            }
+            // Check if key is suspended
+            if (apiKeyData.status === 'suspended') {
+                const reason = apiKeyData.suspensionReason || 'payment failure';
+                console.error(`❌ FRAIM AUTH: Suspended API key: ${apiKey} (reason: ${reason})`);
+                return res.status(402).json({
+                    jsonrpc: '2.0',
+                    error: {
+                        code: -32002,
+                        message: `API key suspended due to ${reason}. Please update your payment method.`,
+                        data: {
+                            status: 'suspended',
+                            reason,
+                            paymentUrl: process.env.STRIPE_BILLING_PORTAL_URL || 'https://fraimworks.ai/billing'
+                        }
+                    },
+                    id: req.body?.id || null
+                });
+            }
+            // Check if key is expired
+            if (apiKeyData.status === 'expired' || (apiKeyData.expiresAt && new Date() > apiKeyData.expiresAt)) {
+                // Update status to expired if not already
+                if (apiKeyData.status !== 'expired') {
+                    await this.dbService.updateApiKey(apiKey, { status: 'expired' });
+                }
+                const tier = apiKeyData.tier;
+                const message = tier === 'trial'
+                    ? 'Your 14-day free trial has expired. Please upgrade to continue using FRAIM.'
+                    : 'Your subscription has expired. Please renew to continue using FRAIM.';
+                console.error(`❌ FRAIM AUTH: Expired API key: ${apiKey} (tier: ${tier})`);
+                return res.status(402).json({
+                    jsonrpc: '2.0',
+                    error: {
+                        code: -32003,
+                        message,
+                        data: {
+                            status: 'expired',
+                            tier,
+                            expiresAt: apiKeyData.expiresAt?.toISOString(),
+                            paymentUrl: tier === 'trial'
+                                ? (process.env.STRIPE_CHECKOUT_URL || 'https://fraimworks.ai/pricing')
+                                : (process.env.STRIPE_BILLING_PORTAL_URL || 'https://fraimworks.ai/billing')
+                        }
+                    },
+                    id: req.body?.id || null
+                });
+            }
+            // Update last used timestamp (async, don't await)
+            this.dbService.updateApiKeyLastUsed(apiKey).catch(err => {
+                console.warn('[FRAIM AUTH] Failed to update lastUsedAt:', err);
+            });
+            req.apiKeyData = apiKeyData;
+            return next();
+        }
+        catch (error) {
+            const msg = error instanceof Error ? error.message : String(error);
+            console.error('❌ FRAIM AUTH: Error during verification:', msg);
+            if (error instanceof Error && error.stack)
+                console.error(error.stack);
+            return res.status(500).json({ error: 'Internal Server Error', details: msg });
+        }
+    }
+    handleAdmin(req, res, next) {
+        const adminKey = process.env.FRAIM_ADMIN_KEY;
+        if (!adminKey) {
+            console.error('⚠️ FRAIM_ADMIN_KEY not configured on server');
+            return res.status(503).json({ error: 'Management API disabled (key not set)' });
+        }
+        const providedKey = req.headers['x-admin-key'];
+        if (providedKey !== adminKey) {
+            return res.status(403).json({ error: 'Forbidden: Invalid admin key' });
+        }
+        return next();
+    }
+}
+exports.AuthMiddleware = AuthMiddleware;