jettypod 4.4.116 → 4.4.120

package/apps/update-server/src/index.ts

@@ -0,0 +1,1085 @@
+export interface Env {
+  RELEASE_ARTIFACTS: R2Bucket;
+  STRIPE_SECRET_KEY: string;
+  STRIPE_WEBHOOK_SECRET: string;
+  STRIPE_MONTHLY_PRICE_ID: string;
+  STRIPE_LIFETIME_PRICE_ID: string;
+  ENVIRONMENT: string;
+  // Auth bindings
+  AUTH_DB: D1Database;
+  AUTH_KV: KVNamespace;
+  GOOGLE_CLIENT_ID: string;
+  GOOGLE_CLIENT_SECRET: string;
+  JWT_SECRET: string;
+  RESEND_API_KEY: string;
+}
+
+// ─── Types ──────────────────────────────────────────────────────────
+
+interface User {
+  id: string;
+  email: string;
+  name: string | null;
+  avatar_url: string | null;
+  auth_provider: string;
+  google_id: string | null;
+  stripe_customer_id: string | null;
+  plan: string;
+  created_at: string;
+  updated_at: string;
+}
+
+interface JWTPayload {
+  sub: string;
+  email: string;
+  plan: string;
+  iat: number;
+  exp: number;
+}
+
+interface StripeEvent {
+  type: string;
+  data: {
+    object: {
+      id: string;
+      customer: string;
+      status: string;
+      mode?: string;
+      metadata?: Record<string, string>;
+    };
+  };
+}
+
+interface StripeCheckoutSession {
+  id: string;
+  url: string;
+  customer: string;
+  payment_status: string;
+  subscription: string;
+}
+
+// ─── JWT ────────────────────────────────────────────────────────────
+
+const JWT_EXPIRY = 30 * 24 * 60 * 60; // 30 days
+
+async function signJWT(payload: JWTPayload, secret: string): Promise<string> {
+  const header = { alg: 'HS256', typ: 'JWT' };
+  const encode = (obj: unknown) =>
+    btoa(JSON.stringify(obj)).replace(/=/g, '').replace(/\+/g, '-').replace(/\//g, '_');
+
+  const headerB64 = encode(header);
+  const payloadB64 = encode(payload);
+  const signingInput = `${headerB64}.${payloadB64}`;
+
+  const key = await crypto.subtle.importKey(
+    'raw',
+    new TextEncoder().encode(secret),
+    { name: 'HMAC', hash: 'SHA-256' },
+    false,
+    ['sign']
+  );
+  const sig = await crypto.subtle.sign('HMAC', key, new TextEncoder().encode(signingInput));
+  const sigB64 = btoa(String.fromCharCode(...new Uint8Array(sig)))
+    .replace(/=/g, '').replace(/\+/g, '-').replace(/\//g, '_');
+
+  return `${signingInput}.${sigB64}`;
+}
+
+async function verifyJWT(token: string, secret: string): Promise<JWTPayload | null> {
+  const parts = token.split('.');
+  if (parts.length !== 3) return null;
+
+  const [headerB64, payloadB64, sigB64] = parts;
+  const signingInput = `${headerB64}.${payloadB64}`;
+
+  const key = await crypto.subtle.importKey(
+    'raw',
+    new TextEncoder().encode(secret),
+    { name: 'HMAC', hash: 'SHA-256' },
+    false,
+    ['verify']
+  );
+
+  const sigBytes = Uint8Array.from(
+    atob(sigB64.replace(/-/g, '+').replace(/_/g, '/')),
+    (c) => c.charCodeAt(0)
+  );
+  const valid = await crypto.subtle.verify(
+    'HMAC',
+    key,
+    sigBytes,
+    new TextEncoder().encode(signingInput)
+  );
+  if (!valid) return null;
+
+  const payload = JSON.parse(
+    atob(payloadB64.replace(/-/g, '+').replace(/_/g, '/'))
+  ) as JWTPayload;
+
+  if (payload.exp < Math.floor(Date.now() / 1000)) return null;
+
+  return payload;
+}
+
+function issueJWT(user: User, secret: string): Promise<string> {
+  const now = Math.floor(Date.now() / 1000);
+  return signJWT(
+    {
+      sub: user.id,
+      email: user.email,
+      plan: user.plan,
+      iat: now,
+      exp: now + JWT_EXPIRY,
+    },
+    secret
+  );
+}
+
+// ─── Auth Middleware ─────────────────────────────────────────────────
+
+async function authenticateUser(
+  request: Request,
+  env: Env
+): Promise<{ user: JWTPayload } | { error: Response }> {
+  const auth = request.headers.get('Authorization');
+  if (!auth?.startsWith('Bearer ')) {
+    return { error: Response.json({ error: 'Missing Authorization header' }, { status: 401 }) };
+  }
+
+  const token = auth.slice(7);
+
+  if (token.startsWith('cus_')) {
+    return { error: Response.json({ error: 'Please update JettyPod to use the new login system' }, { status: 401 }) };
+  }
+
+  const payload = await verifyJWT(token, env.JWT_SECRET);
+  if (!payload) {
+    return { error: Response.json({ error: 'Invalid or expired token' }, { status: 401 }) };
+  }
+
+  return { user: payload };
+}
+
+// ─── Legacy Stripe Auth (for update endpoints) ─────────────────────
+
+function getBearerToken(request: Request): string | null {
+  const auth = request.headers.get('Authorization');
+  if (!auth?.startsWith('Bearer ')) return null;
+  return auth.slice(7);
+}
+
+async function validateAccess(
+  customerId: string,
+  env: Env
+): Promise<{ valid: boolean; error?: string }> {
+  if (!customerId.startsWith('cus_')) {
+    return { valid: false, error: 'Invalid customer token' };
+  }
+
+  const plan = await determinePlanFromStripe(customerId, env);
+  if (plan !== 'free') {
+    return { valid: true };
+  }
+
+  return { valid: false, error: 'No active subscription or purchase found' };
+}
+
+/** Auth middleware for update endpoints — accepts JWT (paid) OR legacy cus_ token */
+async function authenticateUpdateRequest(
+  request: Request,
+  env: Env
+): Promise<Response | null> {
+  const token = getBearerToken(request);
+  if (!token) {
+    return Response.json({ error: 'Missing Authorization header' }, { status: 401 });
+  }
+
+  // New path: JWT token — verify and check paid plan
+  if (!token.startsWith('cus_')) {
+    const payload = await verifyJWT(token, env.JWT_SECRET);
+    if (!payload) {
+      return Response.json({ error: 'Invalid or expired token' }, { status: 401 });
+    }
+    if (payload.plan === 'free') {
+      return Response.json({ error: 'Paid plan required for updates' }, { status: 403 });
+    }
+    return null; // Authenticated paid user
+  }
+
+  // Legacy path: Stripe customer ID
+  const result = await validateAccess(token, env);
+  if (!result.valid) {
+    return Response.json(
+      { error: result.error ?? 'Invalid or expired subscription' },
+      { status: 403 }
+    );
+  }
+
+  return null;
+}
+
+// ─── Google OAuth ───────────────────────────────────────────────────
+
+function googleAuthRedirect(env: Env, origin: string): Response {
+  const params = new URLSearchParams({
+    client_id: env.GOOGLE_CLIENT_ID,
+    redirect_uri: `${origin}/auth/google/callback`,
+    response_type: 'code',
+    scope: 'openid email profile',
+    access_type: 'offline',
+    prompt: 'select_account',
+  });
+
+  return Response.redirect(`https://accounts.google.com/o/oauth2/v2/auth?${params}`, 302);
+}
+
+async function googleAuthCallback(request: Request, env: Env): Promise<Response> {
+  const url = new URL(request.url);
+  const code = url.searchParams.get('code');
+  if (!code) {
+    return Response.json({ error: 'Missing code parameter' }, { status: 400 });
+  }
+
+  const tokenResponse = await fetch('https://oauth2.googleapis.com/token', {
+    method: 'POST',
+    headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
+    body: new URLSearchParams({
+      code,
+      client_id: env.GOOGLE_CLIENT_ID,
+      client_secret: env.GOOGLE_CLIENT_SECRET,
+      redirect_uri: `${url.origin}/auth/google/callback`,
+      grant_type: 'authorization_code',
+    }),
+  });
+
+  if (!tokenResponse.ok) {
+    return Response.json({ error: 'Google token exchange failed' }, { status: 400 });
+  }
+
+  const tokens = (await tokenResponse.json()) as { id_token: string };
+
+  const idPayload = JSON.parse(
+    atob(tokens.id_token.split('.')[1].replace(/-/g, '+').replace(/_/g, '/'))
+  ) as { sub: string; email: string; name: string; picture: string };
+
+  const user = await findOrCreateGoogleUser(env.AUTH_DB, {
+    googleId: idPayload.sub,
+    email: idPayload.email,
+    name: idPayload.name,
+    avatarUrl: idPayload.picture,
+  });
+
+  const jwt = await issueJWT(user, env.JWT_SECRET);
+
+  return new Response(
+    `<!DOCTYPE html>
+<html><head><title>Signing in...</title></head>
+<body>
+<script>
+  window.location.href = 'jettypod://auth/callback?token=${jwt}';
+  setTimeout(() => {
+    document.body.innerHTML = '<p>Signed in! You can close this tab and return to JettyPod.</p>';
+  }, 1000);
+</script>
+</body></html>`,
+    { headers: { 'Content-Type': 'text/html' } }
+  );
+}
+
+// ─── Email OTP ──────────────────────────────────────────────────────
+
+const OTP_TTL = 300; // 5 minutes
+const OTP_LENGTH = 6;
+const OTP_SEND_RATE_LIMIT = 5; // max sends per window
+const OTP_VERIFY_RATE_LIMIT = 10; // max verify attempts per window
+const RATE_LIMIT_WINDOW = 900; // 15 minutes
+
+async function checkRateLimit(kv: KVNamespace, key: string, limit: number): Promise<boolean> {
+  const current = parseInt(await kv.get(key) || '0', 10);
+  if (current >= limit) return false;
+  await kv.put(key, String(current + 1), { expirationTtl: RATE_LIMIT_WINDOW });
+  return true;
+}
+
+function generateOTP(): string {
+  const array = new Uint32Array(1);
+  crypto.getRandomValues(array);
+  return String(array[0] % 1000000).padStart(OTP_LENGTH, '0');
+}
+
+async function handleSendOTP(request: Request, env: Env): Promise<Response> {
+  let body: { email?: string };
+  try {
+    body = (await request.json()) as { email?: string };
+  } catch {
+    return Response.json({ error: 'Invalid request body' }, { status: 400 });
+  }
+  const email = body.email?.trim().toLowerCase();
+
+  if (!email || !email.includes('@')) {
+    return Response.json({ error: 'Valid email required' }, { status: 400 });
+  }
+
+  const allowed = await checkRateLimit(env.AUTH_KV, `rate:otp-send:${email}`, OTP_SEND_RATE_LIMIT);
+  if (!allowed) {
+    return Response.json({ error: 'Too many requests. Try again later.' }, { status: 429 });
+  }
+
+  const code = generateOTP();
+
+  await env.AUTH_KV.put(`otp:${email}`, code, { expirationTtl: OTP_TTL });
+
+  await fetch('https://api.resend.com/emails', {
+    method: 'POST',
+    headers: {
+      Authorization: `Bearer ${env.RESEND_API_KEY}`,
+      'Content-Type': 'application/json',
+    },
+    body: JSON.stringify({
+      from: 'JettyPod <hello@tx.jettypod.com>',
+      to: [email],
+      subject: 'Your JettyPod sign-in code',
+      html: `<p>Your sign-in code is: <strong>${code}</strong></p><p>It expires in 5 minutes.</p>`,
+    }),
+  });
+
+  return Response.json({ sent: true });
+}
+
+async function handleVerifyOTP(request: Request, env: Env): Promise<Response> {
+  let body: { email?: string; code?: string };
+  try {
+    body = (await request.json()) as { email?: string; code?: string };
+  } catch {
+    return Response.json({ error: 'Invalid request body' }, { status: 400 });
+  }
+  const email = body.email?.trim().toLowerCase();
+  const code = body.code?.trim();
+
+  if (!email || !code) {
+    return Response.json({ error: 'Email and code required' }, { status: 400 });
+  }
+
+  const allowed = await checkRateLimit(env.AUTH_KV, `rate:otp-verify:${email}`, OTP_VERIFY_RATE_LIMIT);
+  if (!allowed) {
+    return Response.json({ error: 'Too many attempts. Try again later.' }, { status: 429 });
+  }
+
+  const storedCode = await env.AUTH_KV.get(`otp:${email}`);
+  if (!storedCode || storedCode !== code) {
+    return Response.json({ error: 'Invalid or expired code' }, { status: 401 });
+  }
+
+  await env.AUTH_KV.delete(`otp:${email}`);
+
+  const user = await findOrCreateEmailUser(env.AUTH_DB, email);
+  const jwt = await issueJWT(user, env.JWT_SECRET);
+
+  return Response.json({ token: jwt, user: { id: user.id, email: user.email, plan: user.plan } });
+}
+
+// ─── User Management ────────────────────────────────────────────────
+
+async function findOrCreateGoogleUser(
+  db: D1Database,
+  profile: { googleId: string; email: string; name: string; avatarUrl: string }
+): Promise<User> {
+  let user = await db
+    .prepare('SELECT * FROM users WHERE google_id = ?')
+    .bind(profile.googleId)
+    .first<User>();
+
+  if (user) {
+    await db
+      .prepare("UPDATE users SET name = ?, avatar_url = ?, updated_at = datetime('now') WHERE id = ?")
+      .bind(profile.name, profile.avatarUrl, user.id)
+      .run();
+    return user;
+  }
+
+  // Check if email already exists (account linking: email OTP → Google)
+  user = await db.prepare('SELECT * FROM users WHERE email = ?').bind(profile.email).first<User>();
+
+  if (user) {
+    await db
+      .prepare(
+        "UPDATE users SET google_id = ?, name = ?, avatar_url = ?, auth_provider = 'google', updated_at = datetime('now') WHERE id = ?"
+      )
+      .bind(profile.googleId, profile.name, profile.avatarUrl, user.id)
+      .run();
+    return { ...user, google_id: profile.googleId, name: profile.name, avatar_url: profile.avatarUrl };
+  }
+
+  const id = crypto.randomUUID();
+  await db
+    .prepare(
+      "INSERT INTO users (id, email, name, avatar_url, auth_provider, google_id, plan) VALUES (?, ?, ?, ?, 'google', ?, 'free')"
+    )
+    .bind(id, profile.email, profile.name, profile.avatarUrl, profile.googleId)
+    .run();
+
+  return {
+    id,
+    email: profile.email,
+    name: profile.name,
+    avatar_url: profile.avatarUrl,
+    auth_provider: 'google',
+    google_id: profile.googleId,
+    stripe_customer_id: null,
+    plan: 'free',
+    created_at: new Date().toISOString(),
+    updated_at: new Date().toISOString(),
+  };
+}
+
+async function findOrCreateEmailUser(db: D1Database, email: string): Promise<User> {
+  const user = await db.prepare('SELECT * FROM users WHERE email = ?').bind(email).first<User>();
+  if (user) return user;
+
+  const id = crypto.randomUUID();
+  await db
+    .prepare("INSERT INTO users (id, email, auth_provider, plan) VALUES (?, ?, 'email', 'free')")
+    .bind(id, email)
+    .run();
+
+  return {
+    id,
+    email,
+    name: null,
+    avatar_url: null,
+    auth_provider: 'email',
+    google_id: null,
+    stripe_customer_id: null,
+    plan: 'free',
+    created_at: new Date().toISOString(),
+    updated_at: new Date().toISOString(),
+  };
+}
+
+// ─── Usage Tracking ─────────────────────────────────────────────────
+
+const FREE_WEEKLY_LIMIT = 20;
+
+function getCurrentWeekStart(): string {
+  const now = new Date();
+  const day = now.getUTCDay();
+  const diff = day === 0 ? -6 : 1 - day;
+  const monday = new Date(now);
+  monday.setUTCDate(now.getUTCDate() + diff);
+  return monday.toISOString().split('T')[0];
+}
+
+async function checkUsageLimit(
+  db: D1Database,
+  userId: string,
+  plan: string
+): Promise<{ allowed: boolean; used: number; limit: number; remaining: number }> {
+  if (plan !== 'free') {
+    return { allowed: true, used: 0, limit: Infinity, remaining: Infinity };
+  }
+
+  const weekStart = getCurrentWeekStart();
+  const row = await db
+    .prepare('SELECT work_items_created FROM usage WHERE user_id = ? AND week_start = ?')
+    .bind(userId, weekStart)
+    .first<{ work_items_created: number }>();
+
+  const used = row?.work_items_created ?? 0;
+  const remaining = Math.max(0, FREE_WEEKLY_LIMIT - used);
+
+  return { allowed: remaining > 0, used, limit: FREE_WEEKLY_LIMIT, remaining };
+}
+
+async function incrementUsage(db: D1Database, userId: string): Promise<void> {
+  const weekStart = getCurrentWeekStart();
+  await db
+    .prepare(
+      `INSERT INTO usage (user_id, week_start, work_items_created)
+       VALUES (?, ?, 1)
+       ON CONFLICT(user_id, week_start)
+       DO UPDATE SET work_items_created = work_items_created + 1`
+    )
+    .bind(userId, weekStart)
+    .run();
+}
+
+// ─── Authenticated Route Handlers ───────────────────────────────────
+
+async function handleGetMe(user: JWTPayload, env: Env): Promise<Response> {
+  // Check D1 for current plan (may differ from JWT if webhook updated it)
+  const dbUser = await env.AUTH_DB.prepare('SELECT * FROM users WHERE id = ?').bind(user.sub).first<User>();
+  const currentPlan = dbUser?.plan || user.plan;
+
+  const usage = await checkUsageLimit(env.AUTH_DB, user.sub, currentPlan);
+
+  const response: Record<string, unknown> = {
+    user: { id: user.sub, email: user.email, plan: currentPlan },
+    usage: { used: usage.used, limit: usage.limit, remaining: usage.remaining, allowed: usage.allowed },
+  };
+
+  // Issue a new JWT if plan changed (e.g., webhook upgraded from free to paid)
+  if (dbUser && currentPlan !== user.plan) {
+    response.token = await issueJWT(dbUser, env.JWT_SECRET);
+  }
+
+  return Response.json(response);
+}
+
+async function handleUsageCheck(user: JWTPayload, env: Env): Promise<Response> {
+  const usage = await checkUsageLimit(env.AUTH_DB, user.sub, user.plan);
+  return Response.json(usage);
+}
+
+async function handleUsageIncrement(user: JWTPayload, env: Env): Promise<Response> {
+  const usage = await checkUsageLimit(env.AUTH_DB, user.sub, user.plan);
+  if (!usage.allowed) {
+    return Response.json({ error: 'Weekly limit reached', ...usage }, { status: 429 });
+  }
+
+  await incrementUsage(env.AUTH_DB, user.sub);
+  return Response.json({ used: usage.used + 1, limit: usage.limit, remaining: usage.remaining - 1 });
+}
+
+async function handleLinkStripe(request: Request, user: JWTPayload, env: Env): Promise<Response> {
+  let body: { customerId?: string };
+  try {
+    body = (await request.json()) as { customerId?: string };
+  } catch {
+    return Response.json({ error: 'Invalid request body' }, { status: 400 });
+  }
+  const customerId = body.customerId;
+
+  if (!customerId?.startsWith('cus_')) {
+    return Response.json({ error: 'Invalid customer ID' }, { status: 400 });
+  }
+
+  const plan = await determinePlanFromStripe(customerId, env);
+
+  await env.AUTH_DB
+    .prepare("UPDATE users SET stripe_customer_id = ?, plan = ?, updated_at = datetime('now') WHERE id = ?")
+    .bind(customerId, plan, user.sub)
+    .run();
+
+  const updatedUser = await env.AUTH_DB.prepare('SELECT * FROM users WHERE id = ?').bind(user.sub).first<User>();
+  if (!updatedUser) {
+    return Response.json({ error: 'User not found' }, { status: 404 });
+  }
+
+  const newToken = await issueJWT(updatedUser, env.JWT_SECRET);
+  return Response.json({ token: newToken, plan });
+}
+
+async function determinePlanFromStripe(customerId: string, env: Env): Promise<string> {
+  const headers = { Authorization: `Bearer ${env.STRIPE_SECRET_KEY}` };
+
+  const subRes = await fetch(
+    `https://api.stripe.com/v1/customers/${encodeURIComponent(customerId)}/subscriptions?status=active&limit=1`,
+    { headers }
+  );
+  if (subRes.ok) {
+    const subData = (await subRes.json()) as { data: unknown[] };
+    if (subData.data?.length > 0) return 'monthly';
+  }
+
+  const chargeRes = await fetch(
+    `https://api.stripe.com/v1/charges?customer=${encodeURIComponent(customerId)}&limit=1`,
+    { headers }
+  );
+  if (chargeRes.ok) {
+    const chargeData = (await chargeRes.json()) as {
+      data: Array<{ paid: boolean; refunded: boolean }>;
+    };
+    if (chargeData.data?.some((c) => c.paid && !c.refunded)) return 'lifetime';
+  }
+
+  return 'free';
+}
+
+// ─── Existing Route Handlers ────────────────────────────────────────
+
+async function handleUpdateManifest(env: Env): Promise<Response> {
+  const object = await env.RELEASE_ARTIFACTS.get('latest-mac.yml');
+  if (!object) {
+    return Response.json({ error: 'Update manifest not found' }, { status: 404 });
+  }
+
+  return new Response(object.body, {
+    headers: {
+      'Content-Type': 'text/yaml',
+      'Cache-Control': 'no-cache',
+      'ETag': object.httpEtag,
+    },
+  });
+}
+
+async function handleArtifactDownload(pathname: string, env: Env): Promise<Response> {
+  const filename = pathname.replace('/updates/download/', '');
+  if (!filename || filename.includes('/')) {
+    return Response.json({ error: 'Invalid filename' }, { status: 400 });
+  }
+
+  const object = await env.RELEASE_ARTIFACTS.get(filename);
+  if (!object) {
+    return Response.json({ error: 'Artifact not found' }, { status: 404 });
+  }
+
+  const contentType = filename.endsWith('.dmg')
+    ? 'application/x-apple-diskimage'
+    : filename.endsWith('.zip')
+      ? 'application/zip'
+      : filename.endsWith('.yml') || filename.endsWith('.yaml')
+        ? 'text/yaml'
+        : 'application/octet-stream';
+
+  return new Response(object.body, {
+    headers: {
+      'Content-Type': contentType,
+      'Content-Length': object.size.toString(),
+      'Content-Disposition': `attachment; filename="${filename}"`,
+      'ETag': object.httpEtag,
+    },
+  });
+}
+
+async function handlePublicDownload(arch: string, env: Env): Promise<Response> {
+  // Parse latest-mac.yml to find current filenames
+  const manifest = await env.RELEASE_ARTIFACTS.get('latest-mac.yml');
+  if (!manifest) {
+    return Response.json({ error: 'No releases available' }, { status: 404 });
+  }
+
+  const yml = await manifest.text();
+  // Find DMG filenames from the manifest
+  const dmgFiles = [...yml.matchAll(/url:\s*(\S+\.dmg)/g)].map(m => m[1]);
+
+  let filename: string | undefined;
+  if (arch === 'arm64') {
+    filename = dmgFiles.find(f => f.includes('arm64'));
+  } else {
+    // x64 — the one without arm64
+    filename = dmgFiles.find(f => !f.includes('arm64'));
+  }
+
+  if (!filename) {
+    return Response.json({ error: `No DMG found for arch: ${arch}` }, { status: 404 });
+  }
+
+  const object = await env.RELEASE_ARTIFACTS.get(filename);
+  if (!object) {
+    return Response.json({ error: 'Artifact not found' }, { status: 404 });
+  }
+
+  return new Response(object.body, {
+    headers: {
+      'Content-Type': 'application/x-apple-diskimage',
+      'Content-Length': object.size.toString(),
+      'Content-Disposition': `attachment; filename="${filename}"`,
+      'Cache-Control': 'public, max-age=86400',
+      'ETag': object.httpEtag,
+    },
+  });
+}
+
+async function verifyStripeSignature(
+  payload: string,
+  sigHeader: string,
+  secret: string
+): Promise<boolean> {
+  const parts = Object.fromEntries(
+    sigHeader.split(',').map((part) => {
+      const [key, value] = part.split('=');
+      return [key, value];
+    })
+  );
+
+  const timestamp = parts['t'];
+  const signature = parts['v1'];
+  if (!timestamp || !signature) return false;
+
+  const age = Math.floor(Date.now() / 1000) - parseInt(timestamp, 10);
+  if (age > 300) return false;
+
+  const signedPayload = `${timestamp}.${payload}`;
+  const key = await crypto.subtle.importKey(
+    'raw',
+    new TextEncoder().encode(secret),
+    { name: 'HMAC', hash: 'SHA-256' },
+    false,
+    ['sign']
+  );
+  const sig = await crypto.subtle.sign(
+    'HMAC',
+    key,
+    new TextEncoder().encode(signedPayload)
+  );
+  const expected = Array.from(new Uint8Array(sig))
+    .map((b) => b.toString(16).padStart(2, '0'))
+    .join('');
+
+  return expected === signature;
+}
+
+async function handleStripeWebhook(request: Request, env: Env): Promise<Response> {
+  const sigHeader = request.headers.get('Stripe-Signature');
+  if (!sigHeader) {
+    return Response.json({ error: 'Missing Stripe-Signature header' }, { status: 400 });
+  }
+
+  const body = await request.text();
+  const valid = await verifyStripeSignature(body, sigHeader, env.STRIPE_WEBHOOK_SECRET);
+  if (!valid) {
+    return Response.json({ error: 'Invalid signature' }, { status: 400 });
+  }
+
+  const event = JSON.parse(body) as StripeEvent;
+
+  switch (event.type) {
+    case 'checkout.session.completed': {
+      const session = event.data.object;
+      const userId = session.metadata?.user_id;
+      const customerId = session.customer;
+
+      if (userId && customerId) {
+        const plan = session.mode === 'subscription' ? 'monthly' : 'lifetime';
+
+        await env.AUTH_DB
+          .prepare("UPDATE users SET stripe_customer_id = ?, plan = ?, updated_at = datetime('now') WHERE id = ?")
+          .bind(customerId, plan, userId)
+          .run();
+
+        console.log(`Webhook: checkout.session.completed | user=${userId} customer=${customerId} plan=${plan}`);
+      } else {
+        console.log(`Webhook: checkout.session.completed | missing user_id or customer, skipping link`);
+      }
+      break;
+    }
+    case 'customer.subscription.created':
+    case 'customer.subscription.updated':
+    case 'customer.subscription.deleted':
+      console.log(
+        `Webhook: ${event.type} | customer=${event.data.object.customer} status=${event.data.object.status}`
+      );
+      break;
+    default:
+      console.log(`Webhook: unhandled event type ${event.type}`);
+  }
+
+  return Response.json({ received: true });
+}
+
+async function handleCreateCheckout(request: Request, env: Env): Promise<Response> {
+  let plan = 'monthly';
+  try {
+    const reqBody = (await request.json()) as { plan?: string };
+    if (reqBody.plan === 'lifetime') plan = 'lifetime';
+  } catch {
+    // Default to monthly if no body
+  }
+
+  // Extract user ID from JWT if authenticated
+  let userId: string | null = null;
+  const authHeader = request.headers.get('Authorization');
+  if (authHeader?.startsWith('Bearer ')) {
+    const token = authHeader.slice(7);
+    if (!token.startsWith('cus_')) {
+      const payload = await verifyJWT(token, env.JWT_SECRET);
+      if (payload) {
+        userId = payload.sub;
+      }
+    }
+  }
+
+  const isLifetime = plan === 'lifetime';
+  const priceId = isLifetime ? env.STRIPE_LIFETIME_PRICE_ID : env.STRIPE_MONTHLY_PRICE_ID;
+  const mode = isLifetime ? 'payment' : 'subscription';
+
+  const body = new URLSearchParams({
+    'mode': mode,
+    'line_items[0][price]': priceId,
+    'line_items[0][quantity]': '1',
+    'success_url': `${new URL(request.url).origin}/checkout/success?session_id={CHECKOUT_SESSION_ID}`,
+    'cancel_url': `${new URL(request.url).origin}/checkout/cancelled`,
+  });
+
+  // Include user ID in checkout session metadata if authenticated
+  if (userId) {
+    body.append('metadata[user_id]', userId);
+  }
+
+  const response = await fetch('https://api.stripe.com/v1/checkout/sessions', {
+    method: 'POST',
+    headers: {
+      Authorization: `Bearer ${env.STRIPE_SECRET_KEY}`,
+      'Content-Type': 'application/x-www-form-urlencoded',
+    },
+    body: body.toString(),
+  });
+
+  if (!response.ok) {
+    return Response.json({ error: 'Failed to create checkout session' }, { status: 500 });
+  }
+
+  const session = (await response.json()) as StripeCheckoutSession;
+  return Response.json({ url: session.url });
+}
+
+async function handleCheckoutSuccess(url: URL, env: Env): Promise<Response> {
+  const sessionId = url.searchParams.get('session_id');
+  if (!sessionId) {
+    return new Response('Missing session_id', { status: 400 });
+  }
+
+  const response = await fetch(
+    `https://api.stripe.com/v1/checkout/sessions/${encodeURIComponent(sessionId)}`,
+    {
+      headers: {
+        Authorization: `Bearer ${env.STRIPE_SECRET_KEY}`,
+      },
+    }
+  );
+
+  if (!response.ok) {
+    return new Response('Invalid session', { status: 400 });
+  }
+
+  return new Response(
+    `<!DOCTYPE html>
+<html>
+<head>
+<meta charset="utf-8">
+<meta name="viewport" content="width=device-width, initial-scale=1">
+<title>JettyPod \u2014 Subscription Activated</title>
+<style>
+  body { font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', sans-serif; display: flex; justify-content: center; align-items: center; min-height: 100vh; margin: 0; background: #F6F5F0; }
+  .card { background: white; padding: 48px 56px; border-radius: 16px; box-shadow: 0 1px 2px rgba(0,0,0,0.06), 0 4px 16px rgba(0,0,0,0.06); text-align: center; max-width: 440px; }
+  .check { width: 56px; height: 56px; background: #E8EEEF; border-radius: 50%; display: flex; align-items: center; justify-content: center; margin: 0 auto 24px; }
+  .check svg { width: 28px; height: 28px; color: #4A6365; }
+  h1 { color: #18181b; margin: 0 0 12px; font-size: 24px; letter-spacing: -0.025em; }
+  p { color: #52525b; line-height: 1.6; margin: 0; font-size: 15px; }
+  .cta { display: inline-block; margin-top: 32px; background: #819D9F; color: white; text-decoration: none; padding: 12px 32px; border-radius: 12px; font-size: 15px; font-weight: 500; box-shadow: 0 1px 2px rgba(0,0,0,0.06), 0 4px 12px rgba(129,157,159,0.2); transition: filter 0.15s; }
+  .cta:hover { filter: brightness(1.05); }
+</style>
+</head>
+<body>
+<div class="card">
+  <div class="check"><svg fill="none" viewBox="0 0 24 24" stroke="currentColor" stroke-width="2.5"><path stroke-linecap="round" stroke-linejoin="round" d="M5 13l4 4L19 7"/></svg></div>
+  <h1>You're all set!</h1>
+  <p>Your subscription is active. Head back to JettyPod to get started.</p>
+  <a class="cta" href="jettypod://subscription/activated">Open JettyPod</a>
+</div>
+</body></html>`,
+    { headers: { 'Content-Type': 'text/html; charset=utf-8' } }
+  );
+}
+
+async function handleValidateSubscription(request: Request, env: Env): Promise<Response> {
+  let customerId: string;
+  try {
+    const body = (await request.json()) as { customerId?: string };
+    customerId = body.customerId ?? '';
+  } catch {
+    return Response.json({ error: 'Invalid request body' }, { status: 400 });
+  }
+
+  if (!customerId) {
+    return Response.json({ error: 'customerId is required' }, { status: 400 });
+  }
+
+  const result = await validateAccess(customerId, env);
+  return Response.json(result);
+}
+
+// ─── Billing Portal ─────────────────────────────────────────────────
+
+async function handleBillingPortal(user: JWTPayload, env: Env): Promise<Response> {
+  const dbUser = await env.AUTH_DB
+    .prepare('SELECT * FROM users WHERE id = ?')
+    .bind(user.sub)
+    .first<User>();
+
+  if (!dbUser?.stripe_customer_id) {
+    return Response.json({ error: 'No billing info on file' }, { status: 404 });
+  }
+
+  const portalResponse = await fetch('https://api.stripe.com/v1/billing_portal/sessions', {
+    method: 'POST',
+    headers: {
+      'Authorization': `Bearer ${env.STRIPE_SECRET_KEY}`,
+      'Content-Type': 'application/x-www-form-urlencoded',
+    },
+    body: new URLSearchParams({
+      'customer': dbUser.stripe_customer_id,
+      'return_url': 'https://jettypod.com',
+    }).toString(),
+  });
+
+  if (!portalResponse.ok) {
+    return Response.json({ error: 'Failed to create portal session' }, { status: 500 });
+  }
+
+  const session = (await portalResponse.json()) as { url: string };
+  return Response.json({ url: session.url });
+}
+
+// ─── CORS ───────────────────────────────────────────────────────────
+
+const CORS_HEADERS: Record<string, string> = {
+  'Access-Control-Allow-Origin': '*',
+  'Access-Control-Allow-Methods': 'GET, POST, OPTIONS',
+  'Access-Control-Allow-Headers': 'Content-Type, Authorization',
+  'Access-Control-Max-Age': '86400',
+};
+
+function withCors(response: Response): Response {
+  const headers = new Headers(response.headers);
+  for (const [key, value] of Object.entries(CORS_HEADERS)) {
+    headers.set(key, value);
+  }
+  return new Response(response.body, {
+    status: response.status,
+    statusText: response.statusText,
+    headers,
+  });
+}
+
+// ─── Request Router ─────────────────────────────────────────────────
+
+async function handleRequest(request: Request, url: URL, pathname: string, env: Env): Promise<Response> {
+  // Health check — no auth required
+  if (request.method === 'GET' && pathname === '/health') {
+    return Response.json({
+      status: 'ok',
+      service: 'jettypod-update-server',
+      environment: env.ENVIRONMENT,
+    });
+  }
+
+  // ── Auth routes (public, no JWT required) ──────────────────────
+
+  // Google OAuth — redirect to Google consent screen
+  if (request.method === 'GET' && pathname === '/auth/google') {
+    return googleAuthRedirect(env, url.origin);
+  }
+
+  // Google OAuth — callback from Google
+  if (request.method === 'GET' && pathname === '/auth/google/callback') {
+    return googleAuthCallback(request, env);
+  }
+
+  // Email OTP — send code
+  if (request.method === 'POST' && pathname === '/auth/otp/send') {
+    return handleSendOTP(request, env);
+  }
+
+  // Email OTP — verify code and get JWT
+  if (request.method === 'POST' && pathname === '/auth/otp/verify') {
+    return handleVerifyOTP(request, env);
+  }
+
+  // ── Authenticated routes (JWT required) ────────────────────────
+
+  // Get current user info + usage
+  if (request.method === 'GET' && pathname === '/auth/me') {
+    const auth = await authenticateUser(request, env);
+    if ('error' in auth) return auth.error;
+    return handleGetMe(auth.user, env);
+  }
+
+  // Check usage limit
+  if (request.method === 'POST' && pathname === '/usage/check') {
+    const auth = await authenticateUser(request, env);
+    if ('error' in auth) return auth.error;
+    return handleUsageCheck(auth.user, env);
+  }
+
+  // Record work item creation
+  if (request.method === 'POST' && pathname === '/usage/increment') {
+    const auth = await authenticateUser(request, env);
+    if ('error' in auth) return auth.error;
+    return handleUsageIncrement(auth.user, env);
+  }
+
+  // Link Stripe customer to user account
+  if (request.method === 'POST' && pathname === '/auth/link-stripe') {
+    const auth = await authenticateUser(request, env);
+    if ('error' in auth) return auth.error;
+    return handleLinkStripe(request, auth.user, env);
+  }
+
+  // Create Stripe billing portal session
+  if (request.method === 'POST' && pathname === '/billing/customer-portal') {
+    const auth = await authenticateUser(request, env);
+    if ('error' in auth) return auth.error;
+    return handleBillingPortal(auth.user, env);
+  }
+
+  // ── Public download routes (no auth) ───────────────────────────
+
+  if (request.method === 'GET' && pathname === '/download/mac') {
+    return handlePublicDownload('x64', env);
+  }
+
+  if (request.method === 'GET' && pathname === '/download/mac/arm64') {
+    return handlePublicDownload('arm64', env);
+  }
+
+  // ── Update routes (paid plan or legacy cus_ token) ─────────────
+
+  // Update manifest
+  if (request.method === 'GET' && pathname === '/updates/latest-mac.yml') {
+    const authError = await authenticateUpdateRequest(request, env);
+    if (authError) return authError;
+    return handleUpdateManifest(env);
+  }
+
+  // Release artifact download
+  if (request.method === 'GET' && pathname.startsWith('/updates/download/')) {
+    const authError = await authenticateUpdateRequest(request, env);
+    if (authError) return authError;
+    return handleArtifactDownload(pathname, env);
+  }
+
+  // ── Stripe/checkout routes (existing) ──────────────────────────
+
+  if (request.method === 'POST' && pathname === '/checkout/create-session') {
+    return handleCreateCheckout(request, env);
+  }
+
+  if (request.method === 'GET' && pathname === '/checkout/success') {
+    return handleCheckoutSuccess(url, env);
+  }
+
+  if (request.method === 'GET' && pathname === '/checkout/cancelled') {
+    return new Response(
+      '<!DOCTYPE html><html><head><title>Cancelled</title><style>body{font-family:-apple-system,sans-serif;display:flex;justify-content:center;align-items:center;min-height:100vh;margin:0;background:#fafafa;}.card{background:white;padding:48px;border-radius:16px;box-shadow:0 2px 8px rgba(0,0,0,0.08);text-align:center;}h1{color:#1a1a1a;}p{color:#666;}</style></head><body><div class="card"><h1>Checkout Cancelled</h1><p>You can close this tab and try again from the JettyPod app.</p></div></body></html>',
+      { headers: { 'Content-Type': 'text/html' } }
+    );
+  }
+
+  if (request.method === 'POST' && pathname === '/subscription/validate') {
+    return handleValidateSubscription(request, env);
+  }
+
+  if (request.method === 'POST' && pathname === '/webhooks/stripe') {
+    return handleStripeWebhook(request, env);
+  }
+
+  return new Response('Not Found', { status: 404 });
+}
+
+// ─── Main Fetch Handler ─────────────────────────────────────────────
+
+export default {
+  async fetch(request: Request, env: Env): Promise<Response> {
+    const url = new URL(request.url);
+    const { pathname } = url;
+
+    // CORS preflight
+    if (request.method === 'OPTIONS') {
+      return new Response(null, { status: 204, headers: CORS_HEADERS });
+    }
+
+    const response = await handleRequest(request, url, pathname, env);
+    return withCors(response);
+  },
+} satisfies ExportedHandler<Env>;