responses-proxy 0.1.0

package/dist/audit-log.test.js

@@ -0,0 +1,480 @@
+import assert from "node:assert/strict";
+import { mkdtempSync, rmSync } from "node:fs";
+import os from "node:os";
+import path from "node:path";
+import test from "node:test";
+import { AuditLogRepository } from "./audit-log.js";
+import { BillingRepository } from "./billing.js";
+import { CustomerKeyRepository } from "./customer-keys.js";
+import { registerApiKeyCommand } from "./telegram-bot/commands/apikey.js";
+import { registerGrantCommand } from "./telegram-bot/commands/grant.js";
+import { registerRenewUserCommand } from "./telegram-bot/commands/renew-user.js";
+import { BotIdentityRepository } from "./telegram-bot/bot-identity-repository.js";
+import { CustomerWorkspaceRepository } from "./telegram-bot/customer-workspace-repository.js";
+import { grantCustomerAccess } from "./telegram-bot/grants.js";
+function createConfig(overrides = {}) {
+    return {
+        telegramBotToken: "token",
+        allowedUserIds: new Set(),
+        allowedChatIds: new Set(),
+        ownerUserIds: new Set(["1"]),
+        adminUserIds: new Set(),
+        botMode: "polling",
+        proxyAdminBaseUrl: "http://127.0.0.1:8318",
+        defaultModel: "gpt-5.5",
+        publicSignupEnabled: true,
+        requireAdminApproval: false,
+        defaultCustomerRoute: "customers",
+        publicResponsesBaseUrl: "http://127.0.0.1:8318/v1",
+        proxyRequestTimeoutMs: 30_000,
+        sessionDbPath: ":memory:",
+        sessionTtlMs: 900_000,
+        rateLimitWindowMs: 60_000,
+        rateLimitMaxRequests: 12,
+        logLevel: "info",
+        ...overrides,
+    };
+}
+function createMockProxyClient() {
+    let routeKeys = [];
+    return {
+        client: {
+            async getClientConfigs() {
+                return {
+                    clientRoutes: [{ key: "customers", apiKeys: [...routeKeys] }],
+                };
+            },
+            async setClientRouteApiKeys(input) {
+                if (input.client === "customers") {
+                    routeKeys = [...input.apiKeys];
+                }
+                return { ok: true };
+            },
+        },
+    };
+}
+function createBotHarness() {
+    const handlers = new Map();
+    const messageTextHandlers = [];
+    const callbackHandlers = [];
+    return {
+        bot: {
+            command(name, handler) {
+                handlers.set(name, handler);
+            },
+            callbackQuery(pattern, handler) {
+                callbackHandlers.push({ pattern, handler });
+            },
+            on(filter, handler) {
+                if (filter === "message:text") {
+                    messageTextHandlers.push(handler);
+                }
+            },
+        },
+        handler(name) {
+            const handler = handlers.get(name);
+            assert.ok(handler);
+            return handler;
+        },
+        callbackHandler(data) {
+            for (const entry of callbackHandlers) {
+                if (typeof entry.pattern === "string") {
+                    if (entry.pattern === data) {
+                        return { handler: entry.handler, match: [data] };
+                    }
+                    continue;
+                }
+                const match = data.match(entry.pattern);
+                if (match) {
+                    return { handler: entry.handler, match };
+                }
+            }
+            assert.fail(`No callback handler for ${data}`);
+        },
+        async runText(ctx) {
+            let index = 0;
+            const next = async () => {
+                const handler = messageTextHandlers[index++];
+                if (handler) {
+                    await handler(ctx, next);
+                }
+            };
+            await next();
+        },
+    };
+}
+function createContext(input) {
+    const replies = [];
+    const replyMarkups = [];
+    const answeredCallbacks = [];
+    const sentMessages = [];
+    const sentDocuments = [];
+    return {
+        from: { id: input.fromId, is_bot: false, first_name: "User" },
+        chat: input.chatType === "private"
+            ? { id: input.chatId, type: "private", first_name: "User" }
+            : { id: input.chatId, type: "group", title: "Ops" },
+        message: {
+            message_id: 1,
+            date: 0,
+            chat: input.chatType === "private"
+                ? { id: input.chatId, type: "private", first_name: "User" }
+                : { id: input.chatId, type: "group", title: "Ops" },
+            text: `/${input.command} ${input.match}`.trim(),
+        },
+        match: input.match,
+        callbackQuery: {
+            id: "callback-id",
+            from: { id: input.fromId, is_bot: false, first_name: "User" },
+            data: input.match,
+            chat_instance: "chat-instance",
+        },
+        replies,
+        replyMarkups,
+        answeredCallbacks,
+        sentMessages,
+        sentDocuments,
+        reply(text, options) {
+            replies.push(text);
+            replyMarkups.push(options?.reply_markup);
+            return Promise.resolve({});
+        },
+        answerCallbackQuery(payload) {
+            answeredCallbacks.push(payload ?? {});
+            return Promise.resolve(true);
+        },
+        api: {
+            async sendMessage(_chatId, text) {
+                sentMessages.push(text);
+                return {};
+            },
+            async sendDocument(chatId, document) {
+                sentDocuments.push({
+                    chatId,
+                    filename: document.filename,
+                    content: document.fileData ? Buffer.from(document.fileData).toString("utf8") : "",
+                });
+                return {};
+            },
+        },
+    };
+}
+async function withRepos(fn) {
+    const dir = mkdtempSync(path.join(os.tmpdir(), "audit-log-"));
+    try {
+        const dbFile = path.join(dir, "bot.sqlite");
+        const proxy = createMockProxyClient();
+        await fn({
+            identities: BotIdentityRepository.create(dbFile),
+            workspaces: CustomerWorkspaceRepository.create(dbFile),
+            customerKeys: CustomerKeyRepository.create(dbFile),
+            billing: BillingRepository.create(dbFile),
+            auditLog: AuditLogRepository.create(dbFile),
+            deps: {
+                config: createConfig({ sessionDbPath: dbFile }),
+                proxyClient: proxy.client,
+            },
+        });
+    }
+    finally {
+        rmSync(dir, { recursive: true, force: true });
+    }
+}
+test("AuditLogRepository redacts full API keys in metadata", () => {
+    const dir = mkdtempSync(path.join(os.tmpdir(), "audit-redaction-"));
+    try {
+        const repo = AuditLogRepository.create(path.join(dir, "audit.sqlite"));
+        repo.record({
+            event: "api_key.revealed",
+            actor: { type: "admin", id: "1" },
+            subjectType: "customer_api_key",
+            subjectId: "key-1",
+            metadata: {
+                apiKey: "sk-customer-secret-value",
+                keyPreview: "sk-customer-...value",
+            },
+        });
+        const event = repo.listEvents({ event: "api_key.revealed", limit: 1 })[0];
+        assert.ok(event);
+        assert.equal(event.metadata.apiKey, "[redacted]");
+        assert.equal(event.metadata.keyPreview, "sk-customer-...value");
+    }
+    finally {
+        rmSync(dir, { recursive: true, force: true });
+    }
+});
+test("grantCustomerAccess writes audit events for lifecycle mutations", async () => {
+    await withRepos(async ({ identities, workspaces, customerKeys, billing, auditLog, deps }) => {
+        await grantCustomerAccess({
+            telegramUserId: "1283361952",
+            planId: "basic",
+            days: 30,
+            defaultClientRoute: "customers",
+            identities,
+            workspaces,
+            customerKeys,
+            billing,
+            proxyClient: deps.proxyClient,
+            auditLog,
+            actor: { type: "admin", id: "1" },
+        });
+        const events = auditLog.listEvents();
+        const names = new Set(events.map((event) => event.event));
+        assert.equal(names.has("user.created"), true);
+        assert.equal(names.has("workspace.created"), true);
+        assert.equal(names.has("api_key.created"), true);
+        assert.equal(names.has("subscription.granted"), true);
+    });
+});
+test("apikey issue writes redacted reveal audit metadata", async () => {
+    await withRepos(async ({ workspaces, customerKeys, billing, auditLog, deps }) => {
+        const workspace = workspaces.ensureDefaultWorkspace({
+            ownerTelegramUserId: "42",
+            defaultClientRoute: "customers",
+            status: "active",
+        });
+        billing.grantSubscription({
+            workspaceId: workspace.id,
+            planId: "basic",
+            days: 30,
+        });
+        const harness = createBotHarness();
+        registerApiKeyCommand(harness.bot, deps, customerKeys, workspaces, billing, auditLog);
+        const ctx = createContext({
+            command: "apikey",
+            fromId: 1,
+            chatId: 1,
+            chatType: "private",
+            match: "issue 42 customers",
+        });
+        await harness.handler("apikey")(ctx);
+        const event = auditLog.listEvents({ event: "api_key.revealed", limit: 1 })[0];
+        assert.ok(event);
+        assert.equal(event.metadata.apiKey, "[redacted]");
+        assert.equal(customerKeys.getActiveKeyForUser("42")?.status, "active");
+        assert.equal(ctx.replies[0]?.includes("api_key:"), true);
+        const customerCtx = createContext({
+            command: "apikey",
+            fromId: 42,
+            chatId: 42,
+            chatType: "private",
+            match: "",
+        });
+        await harness.handler("apikey")(customerCtx);
+        assert.equal(customerCtx.sentMessages[0]?.includes("api_key:"), false);
+        assert.equal(customerCtx.sentMessages[0]?.includes("curl -fsSL"), true);
+        assert.deepEqual(customerCtx.sentDocuments.map((document) => document.filename), ["config.toml", "auth.json"]);
+        assert.match(customerCtx.sentDocuments[0]?.content ?? "", /base_url = "http:\/\/127\.0\.0\.1:8318\/v1"/);
+        assert.match(customerCtx.sentDocuments[0]?.content ?? "", /api_key = "sk-/);
+        assert.equal(customerCtx.sentMessages[0]?.includes("full_key: unavailable_for_legacy_key"), false);
+    });
+});
+test("admin can list, show, suspend, activate, and rotate customer API keys", async () => {
+    await withRepos(async ({ workspaces, customerKeys, billing, auditLog, deps }) => {
+        const workspace = workspaces.ensureDefaultWorkspace({
+            ownerTelegramUserId: "42",
+            defaultClientRoute: "customers",
+            status: "active",
+        });
+        billing.grantSubscription({
+            workspaceId: workspace.id,
+            planId: "basic",
+            days: 30,
+        });
+        const harness = createBotHarness();
+        registerApiKeyCommand(harness.bot, deps, customerKeys, workspaces, billing, auditLog);
+        const issueCtx = createContext({
+            command: "apikey",
+            fromId: 1,
+            chatId: 1,
+            chatType: "private",
+            match: "issue 42 customers",
+        });
+        await harness.handler("apikey")(issueCtx);
+        const firstKey = customerKeys.getActiveKeyForUser("42");
+        assert.ok(firstKey);
+        const listCtx = createContext({
+            command: "apikey",
+            fromId: 1,
+            chatId: 1,
+            chatType: "private",
+            match: "list 42",
+        });
+        await harness.handler("apikey")(listCtx);
+        assert.equal(listCtx.replies[0]?.includes(firstKey.id), true);
+        assert.equal(listCtx.replies[0]?.includes("status=active"), true);
+        assert.ok(listCtx.replyMarkups[0]);
+        const listKeyboard = JSON.parse(JSON.stringify(listCtx.replyMarkups[0]));
+        assert.equal(listKeyboard.inline_keyboard?.[0]?.[0]?.copy_text?.text, firstKey.id);
+        const pasteCtx = createContext({
+            command: "message",
+            fromId: 1,
+            chatId: 1,
+            chatType: "private",
+            match: firstKey.id,
+        });
+        pasteCtx.message.text = firstKey.id;
+        await harness.runText(pasteCtx);
+        assert.equal(pasteCtx.replies[0]?.includes("Customer API key"), true);
+        assert.equal(pasteCtx.replies[0]?.includes(`key_id: ${firstKey.id}`), true);
+        assert.ok(pasteCtx.replyMarkups[0]);
+        const callbackShow = harness.callbackHandler(`v1:apikey:show:${firstKey.id}`);
+        const callbackShowCtx = createContext({
+            command: "callback",
+            fromId: 1,
+            chatId: 1,
+            chatType: "private",
+            match: `v1:apikey:show:${firstKey.id}`,
+        });
+        callbackShowCtx.match = callbackShow.match;
+        await callbackShow.handler(callbackShowCtx);
+        assert.equal(callbackShowCtx.answeredCallbacks[0]?.text, "Key details loaded");
+        assert.equal(callbackShowCtx.replies[0]?.includes("api_key:"), true);
+        assert.ok(callbackShowCtx.replyMarkups[0]);
+        const showCtx = createContext({
+            command: "apikey",
+            fromId: 1,
+            chatId: 1,
+            chatType: "private",
+            match: `show ${firstKey.id}`,
+        });
+        await harness.handler("apikey")(showCtx);
+        assert.equal(showCtx.replies[0]?.includes("api_key:"), true);
+        assert.equal(auditLog.listEvents({ event: "api_key.revealed", limit: 1 })[0]?.metadata.apiKey, "[redacted]");
+        const suspendFound = harness.callbackHandler(`v1:apikey:suspend:${firstKey.id}`);
+        const suspendCtx = createContext({
+            command: "callback",
+            fromId: 1,
+            chatId: 1,
+            chatType: "private",
+            match: `v1:apikey:suspend:${firstKey.id}`,
+        });
+        suspendCtx.match = suspendFound.match;
+        await suspendFound.handler(suspendCtx);
+        assert.equal(customerKeys.getById(firstKey.id)?.status, "suspended");
+        assert.equal(suspendCtx.answeredCallbacks[0]?.text, "Key suspended");
+        assert.equal(suspendCtx.replies[0]?.includes("proxy_sync: removed_from_route"), true);
+        const activateFound = harness.callbackHandler(`v1:apikey:activate:${firstKey.id}`);
+        const activateCtx = createContext({
+            command: "callback",
+            fromId: 1,
+            chatId: 1,
+            chatType: "private",
+            match: `v1:apikey:activate:${firstKey.id}`,
+        });
+        activateCtx.match = activateFound.match;
+        await activateFound.handler(activateCtx);
+        assert.equal(customerKeys.getById(firstKey.id)?.status, "active");
+        assert.equal(activateCtx.answeredCallbacks[0]?.text, "Key activated");
+        assert.equal(activateCtx.replies[0]?.includes("proxy_sync: added_to_route"), true);
+        const rotateFound = harness.callbackHandler(`v1:apikey:rotate:${firstKey.id}`);
+        const rotateCtx = createContext({
+            command: "callback",
+            fromId: 1,
+            chatId: 1,
+            chatType: "private",
+            match: `v1:apikey:rotate:${firstKey.id}`,
+        });
+        rotateCtx.match = rotateFound.match;
+        await rotateFound.handler(rotateCtx);
+        const nextKey = customerKeys.getActiveKeyForUser("42");
+        assert.ok(nextKey);
+        assert.notEqual(nextKey.id, firstKey.id);
+        assert.equal(customerKeys.getById(firstKey.id)?.status, "revoked");
+        assert.equal(rotateCtx.answeredCallbacks[0]?.text, "Key rotated");
+        assert.equal(rotateCtx.replies[0]?.includes(`new_key_id: ${nextKey.id}`), true);
+        assert.equal(rotateCtx.replies[0]?.includes("api_key:"), true);
+    });
+});
+test("grant in admin group does not print the full key in the group", async () => {
+    await withRepos(async ({ identities, workspaces, customerKeys, billing, auditLog, deps }) => {
+        const harness = createBotHarness();
+        registerGrantCommand(harness.bot, deps, identities, workspaces, customerKeys, billing, auditLog);
+        const ctx = createContext({
+            command: "grant",
+            fromId: 1,
+            chatId: -1001,
+            chatType: "group",
+            match: "42 basic 30",
+        });
+        await harness.handler("grant")(ctx);
+        assert.equal(ctx.replies[0]?.includes("api_key:"), false);
+        assert.equal(ctx.replies[0]?.includes("Full key: shown only in private admin chat"), true);
+        const revealEvent = auditLog.listEvents({ event: "api_key.revealed", limit: 1 })[0];
+        assert.ok(revealEvent);
+        assert.equal(revealEvent.metadata.audience, "customer_private_chat");
+        assert.equal(revealEvent.metadata.apiKey, "[redacted]");
+    });
+});
+test("apikey issue in admin group without explicit key is rejected before creating a secret", async () => {
+    await withRepos(async ({ workspaces, customerKeys, billing, auditLog, deps }) => {
+        const workspace = workspaces.ensureDefaultWorkspace({
+            ownerTelegramUserId: "42",
+            defaultClientRoute: "customers",
+            status: "active",
+        });
+        billing.grantSubscription({
+            workspaceId: workspace.id,
+            planId: "basic",
+            days: 30,
+        });
+        const harness = createBotHarness();
+        registerApiKeyCommand(harness.bot, deps, customerKeys, workspaces, billing, auditLog);
+        const ctx = createContext({
+            command: "apikey",
+            fromId: 1,
+            chatId: -1001,
+            chatType: "group",
+            match: "issue 42 customers",
+        });
+        await harness.handler("apikey")(ctx);
+        assert.equal(ctx.replies[0], "Run /apikey issue in a private admin chat when generating a new key, or provide an explicit apiKey.");
+        assert.equal(customerKeys.listKeysByWorkspace(workspace.id).length, 0);
+        assert.equal(auditLog.listEvents({ event: "api_key.revealed", limit: 1 }).length, 0);
+    });
+});
+test("apikey issue respects the workspace maxApiKeys limit", async () => {
+    await withRepos(async ({ identities, workspaces, customerKeys, billing, auditLog, deps }) => {
+        await grantCustomerAccess({
+            telegramUserId: "42",
+            planId: "basic",
+            days: 30,
+            defaultClientRoute: "customers",
+            identities,
+            workspaces,
+            customerKeys,
+            billing,
+            proxyClient: deps.proxyClient,
+            auditLog,
+            actor: { type: "admin", id: "1" },
+        });
+        const harness = createBotHarness();
+        registerApiKeyCommand(harness.bot, deps, customerKeys, workspaces, billing, auditLog);
+        const ctx = createContext({
+            command: "apikey",
+            fromId: 1,
+            chatId: 1,
+            chatType: "private",
+            match: "issue 42 customers",
+        });
+        await harness.handler("apikey")(ctx);
+        assert.equal(ctx.replies[0], "API key limit reached for this workspace (1/1). Revoke or rotate an existing key first.");
+        assert.equal(customerKeys.listKeysByWorkspace(workspaces.getDefaultWorkspace("42").id).length, 1);
+    });
+});
+test("failed authorization does not write success audit events", async () => {
+    await withRepos(async ({ identities, workspaces, customerKeys, billing, auditLog, deps }) => {
+        const harness = createBotHarness();
+        registerRenewUserCommand(harness.bot, deps, identities, workspaces, customerKeys, billing, auditLog);
+        const ctx = createContext({
+            command: "renewuser",
+            fromId: 2,
+            chatId: 2,
+            chatType: "private",
+            match: "42 basic 30",
+        });
+        await harness.handler("renewuser")(ctx);
+        assert.equal(ctx.replies[0], "Only admins can renew customer access.");
+        assert.equal(auditLog.listEvents().length, 0);
+    });
+});

package/dist/billing-expiration.js

@@ -0,0 +1,70 @@
+export async function runBillingExpiration(args) {
+    const now = args.now ?? new Date();
+    const expiredEntitlements = args.billing.expireEntitlements(now);
+    let suspendedWorkspaces = 0;
+    let suspendedKeys = 0;
+    let notificationsSent = 0;
+    let notificationsFailed = 0;
+    for (const workspace of args.workspaces.listWorkspaces()) {
+        const activeEntitlement = args.billing.getActiveEntitlementForWorkspace(workspace.id, now);
+        if (activeEntitlement) {
+            continue;
+        }
+        const latestEntitlement = args.billing.getLatestEntitlementForWorkspace(workspace.id);
+        if (!latestEntitlement) {
+            continue;
+        }
+        let workspaceChanged = false;
+        if (workspace.status !== "suspended") {
+            args.workspaces.setStatus(workspace.id, "suspended", now);
+            suspendedWorkspaces += 1;
+            workspaceChanged = true;
+        }
+        let workspaceSuspendedKeys = 0;
+        for (const key of args.customerKeys.listKeysByWorkspace(workspace.id)) {
+            if (key.status !== "active") {
+                continue;
+            }
+            args.customerKeys.setStatus(key.id, "suspended", { now });
+            args.auditLog?.record({
+                event: "api_key.suspended",
+                actor: { type: "system", id: "billing-expiration-worker" },
+                subjectType: "customer_api_key",
+                subjectId: key.id,
+                metadata: {
+                    workspaceId: workspace.id,
+                    telegramUserId: workspace.ownerTelegramUserId,
+                    keyPreview: key.apiKeyPreview,
+                    reason: "no_active_entitlement",
+                },
+            });
+            suspendedKeys += 1;
+            workspaceSuspendedKeys += 1;
+        }
+        if ((workspaceChanged || workspaceSuspendedKeys > 0) && args.notifyCustomer) {
+            try {
+                await args.notifyCustomer({
+                    telegramUserId: workspace.ownerTelegramUserId,
+                    text: [
+                        "Your Responses access has expired.",
+                        `workspace_id: ${workspace.id}`,
+                        `client_route: ${workspace.defaultClientRoute}`,
+                        `expired_at: ${latestEntitlement.validUntil}`,
+                        "Contact admin to renew your plan.",
+                    ].join("\n"),
+                });
+                notificationsSent += 1;
+            }
+            catch {
+                notificationsFailed += 1;
+            }
+        }
+    }
+    return {
+        expiredEntitlements,
+        suspendedWorkspaces,
+        suspendedKeys,
+        notificationsSent,
+        notificationsFailed,
+    };
+}

package/dist/billing-expiration.test.js

@@ -0,0 +1,114 @@
+import assert from "node:assert/strict";
+import { mkdtempSync, rmSync } from "node:fs";
+import os from "node:os";
+import path from "node:path";
+import test from "node:test";
+import { BillingRepository } from "./billing.js";
+import { runBillingExpiration } from "./billing-expiration.js";
+import { CustomerKeyRepository } from "./customer-keys.js";
+import { CustomerWorkspaceRepository } from "./telegram-bot/customer-workspace-repository.js";
+async function withRepos(fn) {
+    const dir = mkdtempSync(path.join(os.tmpdir(), "billing-expiration-"));
+    try {
+        const dbFile = path.join(dir, "bot.sqlite");
+        await fn({
+            billing: BillingRepository.create(dbFile),
+            customerKeys: CustomerKeyRepository.create(dbFile),
+            workspaces: CustomerWorkspaceRepository.create(dbFile),
+        });
+    }
+    finally {
+        rmSync(dir, { recursive: true, force: true });
+    }
+}
+test("expired subscription becomes expired and active key becomes suspended", async () => {
+    await withRepos(async ({ billing, customerKeys, workspaces }) => {
+        const workspace = workspaces.ensureDefaultWorkspace({
+            ownerTelegramUserId: "42",
+            defaultClientRoute: "customers",
+            status: "active",
+            now: new Date("2026-04-20T00:00:00.000Z"),
+        });
+        const granted = billing.grantSubscription({
+            workspaceId: workspace.id,
+            planId: "basic",
+            days: 1,
+            now: new Date("2026-04-20T00:00:00.000Z"),
+        });
+        const created = customerKeys.createKey({
+            workspaceId: workspace.id,
+            telegramUserId: "42",
+            clientRoute: "customers",
+            now: new Date("2026-04-20T00:00:00.000Z"),
+        });
+        const notifications = [];
+        const summary = await runBillingExpiration({
+            billing,
+            customerKeys,
+            workspaces,
+            now: new Date("2026-04-22T00:00:00.000Z"),
+            notifyCustomer: async (input) => {
+                notifications.push(input);
+            },
+        });
+        assert.equal(summary.expiredEntitlements, 1);
+        assert.equal(summary.suspendedWorkspaces, 1);
+        assert.equal(summary.suspendedKeys, 1);
+        assert.equal(summary.notificationsSent, 1);
+        assert.equal(billing.getLatestSubscriptionForWorkspace(workspace.id)?.status, "expired");
+        assert.equal(billing.getLatestEntitlementForWorkspace(workspace.id)?.status, "expired");
+        assert.equal(workspaces.getById(workspace.id)?.status, "suspended");
+        assert.equal(customerKeys.getById(created.record.id)?.status, "suspended");
+        assert.equal(notifications[0]?.telegramUserId, "42");
+        assert.equal(notifications[0]?.text.includes(granted.entitlement.validUntil), true);
+    });
+});
+test("running billing expiration twice is idempotent", async () => {
+    await withRepos(async ({ billing, customerKeys, workspaces }) => {
+        const workspace = workspaces.ensureDefaultWorkspace({
+            ownerTelegramUserId: "77",
+            defaultClientRoute: "customers",
+            status: "active",
+            now: new Date("2026-04-20T00:00:00.000Z"),
+        });
+        customerKeys.createKey({
+            workspaceId: workspace.id,
+            telegramUserId: "77",
+            clientRoute: "customers",
+            now: new Date("2026-04-20T00:00:00.000Z"),
+        });
+        billing.grantSubscription({
+            workspaceId: workspace.id,
+            planId: "basic",
+            days: 1,
+            now: new Date("2026-04-20T00:00:00.000Z"),
+        });
+        const sent = [];
+        const first = await runBillingExpiration({
+            billing,
+            customerKeys,
+            workspaces,
+            now: new Date("2026-04-22T00:00:00.000Z"),
+            notifyCustomer: async ({ telegramUserId }) => {
+                sent.push(telegramUserId);
+            },
+        });
+        const second = await runBillingExpiration({
+            billing,
+            customerKeys,
+            workspaces,
+            now: new Date("2026-04-22T00:00:00.000Z"),
+            notifyCustomer: async ({ telegramUserId }) => {
+                sent.push(telegramUserId);
+            },
+        });
+        assert.equal(first.suspendedWorkspaces, 1);
+        assert.equal(first.suspendedKeys, 1);
+        assert.equal(first.notificationsSent, 1);
+        assert.equal(second.expiredEntitlements, 0);
+        assert.equal(second.suspendedWorkspaces, 0);
+        assert.equal(second.suspendedKeys, 0);
+        assert.equal(second.notificationsSent, 0);
+        assert.deepEqual(sent, ["77"]);
+    });
+});