spine-framework-portal 0.2.16 → 0.2.18

package/functions/custom_anonymous-sessions.ts

@@ -0,0 +1,342 @@
+// Anonymous Session Functions
+// Uses ONLY Spine APIs (ctx.db) - NO direct database access
+// Handles stitch operation: anonymous session → identified account
+
+import { createHandler } from './_shared/middleware'
+import { calculateRecency, calculateRawScore } from './custom_funnel-scoring'
+
+// Type IDs from migration
+const TYPE_IDS = {
+  anonymous_session: '1a2b3c4d-5e6f-7a8b-9c0d-1e2f3a4b5c6d',
+  funnel_signal: '0923f7a2-3ccd-4499-986f-28c6fd0597d9',
+  opportunity_queue: '2b3c4d5e-6f7a-8b9c-0d1e-2f3a4b5c6d7e'
+}
+
+const LINK_TYPE_IDS = {
+  account_signals: '4d5e6f7a-8b9c-0d1e-2f3a-4b5c6d7e8f9a',
+  account_opportunities: '5e6f7a8b-9c0d-1e2f-3a4b-5c6d7e8f9a0b'
+}
+
+// ============================================
+// STITCH: Anonymous Session → Identified Account
+// ============================================
+
+export const stitchAnonymousToAccount = createHandler(async (ctx, body) => {
+  const { anonymous_id, person_id, account_id } = body
+
+  if (!anonymous_id || !person_id || !account_id) {
+    return { status: 'error', error: 'Missing required fields: anonymous_id, person_id, account_id' }
+  }
+
+  const now = new Date().toISOString()
+
+  try {
+    // 1. Get anonymous session using ctx.db
+    const { data: session, error: sessionError } = await ctx.db
+      .from('items')
+      .select('id, data')
+      .eq('type_id', TYPE_IDS.anonymous_session)
+      .eq('data->identity->>anonymous_id', anonymous_id)
+      .eq('is_active', true)
+      .order('created_at', { ascending: false })
+      .limit(1)
+      .single()
+
+    if (sessionError || !session) {
+      return { status: 'error', error: 'Anonymous session not found' }
+    }
+
+    const sessionData = session.data || {}
+
+    // Check if already stitched
+    if (sessionData.lifecycle?.stitched_at) {
+      return { status: 'error', error: 'Session already stitched' }
+    }
+
+    // 2. Get account using ctx.db
+    const { data: account, error: accountError } = await ctx.db
+      .from('accounts')
+      .select('id, data')
+      .eq('id', account_id)
+      .single()
+
+    if (accountError || !account) {
+      return { status: 'error', error: 'Account not found' }
+    }
+
+    // 3. Update all signals with account_id and person_id using ctx.db
+    const { error: signalsError } = await ctx.db
+      .from('items')
+      .update({
+        account_id: account_id,
+        'data->identity->>person_id': person_id,
+        'data->processing->>stitched_at': now,
+        'data->processing->>stitched_to_account_id': account_id,
+        updated_at: now
+      })
+      .eq('type_id', TYPE_IDS.funnel_signal)
+      .eq('data->identity->>anonymous_id', anonymous_id)
+      .is('account_id', null)
+
+    if (signalsError) {
+      console.error(`[Stitch] Failed to update signals: ${signalsError.message}`)
+    }
+
+    // 4. Get updated signals for recalculation
+    const { data: updatedSignals } = await ctx.db
+      .from('items')
+      .select('data')
+      .eq('type_id', TYPE_IDS.funnel_signal)
+      .eq('account_id', account_id)
+      .eq('data->classification->>stage', 'identified')
+      .eq('is_active', true)
+
+    // 5. Recalculate identified rating with newly-stitched signals
+    let identifiedRating = { rating: 0, raw_score: 0, calculated_at: now, best_signal_id: null as string | null }
+
+    if (updatedSignals && updatedSignals.length > 0) {
+      let bestSignal = updatedSignals[0]
+      let bestScore = bestSignal.data?.scoring_components?.raw_score?.calculated || 0
+
+      for (const signal of updatedSignals) {
+        const score = signal.data?.scoring_components?.raw_score?.calculated || 0
+        if (score > bestScore) {
+          bestScore = score
+          bestSignal = signal
+        }
+      }
+
+      // Recalculate with current recency
+      const signalDate = new Date(bestSignal.data?.processing?.scored_at || now)
+      const recency = calculateRecency(signalDate, new Date(), 'identified')
+
+      if (recency.divisor) {
+        const newScore = calculateRawScore(
+          bestSignal.data?.action?.action_value || 1,
+          bestSignal.data?.scoring_components?.engagement?.type || 1,
+          recency.divisor
+        )
+
+        identifiedRating = {
+          rating: newScore.rating,
+          raw_score: newScore.calculated,
+          calculated_at: now,
+          best_signal_id: bestSignal.data?.id || null
+        }
+      }
+    }
+
+    // 6. Update account with stitched data using ctx.db
+    const currentFunnel = account.data?.funnel || {}
+    const anonymousRating = sessionData.scoring?.ratings?.anonymous
+
+    const updatedFunnel = {
+      ...currentFunnel,
+      current_stage: 'identified',
+      ratings: {
+        ...currentFunnel.ratings,
+        anonymous: anonymousRating ? {
+          ...anonymousRating,
+          stitched_at: now,
+          archived: true
+        } : currentFunnel.ratings?.anonymous,
+        identified: identifiedRating
+      },
+      attribution: {
+        ...currentFunnel.attribution,
+        anonymous_first_touch: sessionData.attribution?.first_touch
+      },
+      stage_history: [
+        ...(currentFunnel.stage_history || []),
+        { from: 'anonymous', to: 'identified', at: now }
+      ]
+    }
+
+    await ctx.db
+      .from('accounts')
+      .update({
+        data: { ...account.data, funnel: updatedFunnel }
+      })
+      .eq('id', account_id)
+
+    // 7. Mark session as stitched using ctx.db
+    const updatedSessionData = {
+      ...sessionData,
+      lifecycle: {
+        ...sessionData.lifecycle,
+        stitched_at: now,
+        stitched_to_account_id: account_id,
+        stitched_to_person_id: person_id
+      }
+    }
+
+    await ctx.db
+      .from('items')
+      .update({
+        data: updatedSessionData,
+        updated_at: now
+      })
+      .eq('id', session.id)
+
+    // 8. Check for immediate queue entry (strong anonymous activity)
+    let queueEntry = null
+    if (anonymousRating?.rating >= 4) {
+      const inference = { type: 'implementation', confidence: 'high' }
+
+      const queueData = {
+        identity: {
+          account_id: account_id,
+          person_id: person_id
+        },
+        trigger: {
+          source_signal_id: anonymousRating.best_signal_id,
+          trigger_stage: 'anonymous',
+          trigger_rating: anonymousRating.rating,
+          trigger_raw_score: anonymousRating.raw_score,
+          trigger_reason: 'High engagement during anonymous phase'
+        },
+        recommendation: {
+          opportunity_type: inference.type,
+          confidence: inference.confidence,
+          suggested_priority: anonymousRating.rating
+        },
+        review: {
+          status: 'pending',
+          reviewed_by: null,
+          reviewed_at: null,
+          conversion_opportunity_id: null
+        },
+        notes: {
+          reviewer_notes: null,
+          auto_reason: 'Stitched from anonymous session with high engagement'
+        }
+      }
+
+      const { data: queueItem } = await ctx.db
+        .from('items')
+        .insert({
+          type_id: TYPE_IDS.opportunity_queue,
+          title: `${inference.type} - Stitched Session`,
+          account_id: account_id,
+          data: queueData
+        })
+        .select('id')
+        .single()
+
+      if (queueItem) {
+        queueEntry = { id: queueItem.id }
+
+        // Create link to account
+        await ctx.db
+          .from('links')
+          .insert({
+            link_type_id: LINK_TYPE_IDS.account_opportunities,
+            source_type: 'account',
+            source_id: account_id,
+            target_type: 'item',
+            target_id: queueItem.id
+          })
+
+        // Update account queue reference
+        await ctx.db
+          .from('accounts')
+          .update({
+            data: {
+              ...account.data,
+              funnel: {
+                ...updatedFunnel,
+                queue: { pending_queue_entry_id: queueItem.id }
+              }
+            }
+          })
+          .eq('id', account_id)
+      }
+    }
+
+    // 9. Create links between account and all stitched signals
+    const { data: stitchedSignals } = await ctx.db
+      .from('items')
+      .select('id')
+      .eq('type_id', TYPE_IDS.funnel_signal)
+      .eq('account_id', account_id)
+      .eq('data->processing->>stitched_at', now)
+
+    for (const signal of stitchedSignals || []) {
+      await ctx.db
+        .from('links')
+        .insert({
+          link_type_id: LINK_TYPE_IDS.account_signals,
+          source_type: 'account',
+          source_id: account_id,
+          target_type: 'item',
+          target_id: signal.id,
+          data: { created_at: now, stitched: true }
+        })
+    }
+
+    return {
+      status: 'success',
+      session_id: session.id,
+      account_id,
+      person_id,
+      stitched_signals: stitchedSignals?.length || 0,
+      queue_entry: queueEntry,
+      anonymous_rating: anonymousRating?.rating || 0,
+      identified_rating: identifiedRating.rating
+    }
+
+  } catch (err) {
+    console.error('[Stitch] Error:', err)
+    return { status: 'error', error: err instanceof Error ? err.message : 'Unknown error' }
+  }
+})
+
+// ============================================
+// GET ANONYMOUS SESSION DETAILS
+// ============================================
+
+export const getAnonymousSession = createHandler(async (ctx, body) => {
+  const { anonymous_id } = body
+
+  if (!anonymous_id) {
+    return { status: 'error', error: 'Missing anonymous_id' }
+  }
+
+  // Get session using ctx.db
+  const { data: session, error } = await ctx.db
+    .from('items')
+    .select('id, data, created_at, updated_at')
+    .eq('type_id', TYPE_IDS.anonymous_session)
+    .eq('data->identity->>anonymous_id', anonymous_id)
+    .eq('is_active', true)
+    .order('created_at', { ascending: false })
+    .limit(1)
+    .single()
+
+  if (error || !session) {
+    return { status: 'error', error: 'Session not found' }
+  }
+
+  // Get associated signals using ctx.db
+  const { data: signals } = await ctx.db
+    .from('items')
+    .select('id, data, created_at')
+    .eq('type_id', TYPE_IDS.funnel_signal)
+    .eq('data->identity->>anonymous_id', anonymous_id)
+    .eq('is_active', true)
+    .order('created_at', { ascending: false })
+
+  return {
+    status: 'success',
+    session: {
+      id: session.id,
+      anonymous_id,
+      attribution: session.data?.attribution,
+      scoring: session.data?.scoring,
+      lifecycle: session.data?.lifecycle,
+      created_at: session.created_at,
+      updated_at: session.updated_at
+    },
+    signals: signals || []
+  }
+})

package/functions/custom_claim-instance.ts

@@ -0,0 +1,201 @@
+/**
+ * Claim Instance Handler
+ * Validates install serial and generates JWT response for CLI claim flow
+ *
+ * Endpoint: POST /.netlify/functions/custom_claim-instance
+ * Body: { serial: string }
+ * Response: { response_code: string (JWT), expires_at: string }
+ */
+
+import { createHandler, CoreContext } from './_shared/middleware'
+import { adminDb } from './_shared/db'
+import { resolveTypeId, resolveLinkTypeId } from './_shared/resolve-ids'
+import { update } from './admin-data'
+
+// @ts-ignore - jsonwebtoken types not available
+import jwt from 'jsonwebtoken'
+
+// Helper: call admin-data.update as a nested import (entity+id go in ctx.query)
+function adminDataUpdate(ctx: CoreContext, entity: string, id: string, fields: Record<string, any>) {
+  return update({ ...ctx, query: { ...((ctx as any).query || {}), entity, id } } as any, fields)
+}
+
+// Rate limiting (in-memory, per function instance)
+const rateLimits = new Map<string, { count: number; resetAt: number }>()
+
+function checkRateLimit(ip: string): boolean {
+  const now = Date.now()
+  const windowMs = 60 * 1000 // 1 minute
+  const maxRequests = 5
+
+  const current = rateLimits.get(ip)
+
+  if (!current || now > current.resetAt) {
+    rateLimits.set(ip, { count: 1, resetAt: now + windowMs })
+    return true
+  }
+
+  if (current.count >= maxRequests) return false
+  current.count++
+  return true
+}
+
+const signClaimToken = (payload: any): string => {
+  const secret = process.env.PORTAL_CLAIM_SECRET
+  if (!secret) throw new Error('PORTAL_CLAIM_SECRET not configured')
+  return jwt.sign(payload, secret, { algorithm: 'HS256', expiresIn: '10m' })
+}
+
+export const handler = createHandler(async (ctx, body) => {
+  const { serial } = body || {}
+  const personId = ctx.principal?.person_id
+  const accountId = ctx.principal?.account_id
+  const clientIp = (ctx as any).requestContext?.identity?.sourceIp || 'unknown'
+
+  if (!serial) {
+    const err: any = new Error('serial is required'); err.statusCode = 400; throw err
+  }
+
+  if (!personId || !accountId) {
+    const err: any = new Error('Authentication required'); err.statusCode = 401; throw err
+  }
+
+  if (!checkRateLimit(clientIp)) {
+    const err: any = new Error('Rate limit exceeded. Please try again in 1 minute.'); err.statusCode = 429; throw err
+  }
+
+  if (!/^sf_inst_[a-z0-9-]+$/.test(serial)) {
+    const err: any = new Error('Invalid serial format'); err.statusCode = 400; throw err
+  }
+
+  // Resolve type and link IDs dynamically
+  const [spine_instance_type_id, funnel_signal_type_id, account_cli_instances_link_type_id] = await Promise.all([
+    resolveTypeId('item', 'spine_instance'),
+    resolveTypeId('item', 'funnel_signal'),
+    resolveLinkTypeId('account_cli_instances')
+  ])
+
+  const now = new Date().toISOString()
+
+  // Lookup spine_instance by serial
+  const { data: instance, error: instanceError } = await adminDb
+    .from('items')
+    .select('id, account_id, data')
+    .eq('type_id', spine_instance_type_id)
+    .eq('data->>serial', serial)
+    .single()
+
+  if (instanceError || !instance) {
+    const err: any = new Error('Serial not found. Please install the package first.')
+    err.statusCode = 404; throw err
+  }
+
+  if (instance.account_id && instance.account_id !== accountId) {
+    const err: any = new Error('This installation is already claimed to another account')
+    err.statusCode = 409; throw err
+  }
+
+  // Update instance with claim info
+  const result = await adminDataUpdate(ctx, 'items', instance.id, {
+    account_id: accountId,
+    data: {
+      ...instance.data,
+      claimed_by_person_id: personId,
+      claimed_at: now,
+      claimed_to_account_id: accountId
+    }
+  })
+
+  if (!result) {
+    const err: any = new Error('Failed to claim installation'); err.statusCode = 500; throw err
+  }
+
+  // Create link: account → instance (links has no design_schema — direct is fine)
+  const { error: linkError } = await adminDb
+    .from('links')
+    .upsert({
+      link_type_id: account_cli_instances_link_type_id,
+      source_type: 'account',
+      source_id: accountId,
+      target_type: 'item',
+      target_id: instance.id,
+      data: { created_at: now, claimed_by: personId }
+    }, { onConflict: 'link_type_id,source_id,target_id' })
+
+  if (linkError) {
+    console.error('[ClaimInstance] Failed to create link:', linkError)
+  }
+
+  // Stitch existing signals to account (queued, one per record through admin-data)
+  const { data: signals } = await adminDb
+    .from('items')
+    .select('id, data')
+    .eq('type_id', funnel_signal_type_id)
+    .eq('data->>serial', serial)
+    .is('account_id', null)
+
+  if (signals && signals.length > 0) {
+    for (const signal of signals) {
+      await adminDataUpdate(
+        { ...ctx, accountId },
+        'items',
+        signal.id,
+        {
+          account_id: accountId,
+          data: { ...signal.data, stitched_at: now }
+        }
+      )
+    }
+  }
+
+  // Update account data with instance count
+  const { data: account } = await adminDb
+    .from('accounts')
+    .select('data')
+    .eq('id', accountId)
+    .single()
+
+  if (account) {
+    await adminDataUpdate(ctx, 'accounts', accountId, {
+      data: {
+        ...account.data,
+        cli_instance_count: (account.data?.cli_instance_count || 0) + 1,
+        last_cli_claim_at: now
+      }
+    })
+  }
+
+  // Generate JWT response
+  const expiresAt = Math.floor(Date.now() / 1000) + (10 * 60)
+
+  let responseCode: string
+  try {
+    responseCode = signClaimToken({
+      account_id: accountId,
+      person_id: personId,
+      serial_suffix: serial.slice(-4),
+      instance_id: instance.id,
+      iat: Math.floor(Date.now() / 1000),
+      exp: expiresAt
+    })
+  } catch (e) {
+    console.error('[ClaimInstance] JWT signing failed:', e)
+    const err: any = new Error('Failed to generate claim code'); err.statusCode = 500; throw err
+  }
+
+  return {
+    status: 'success',
+    response_code: responseCode,
+    expires_at: new Date(expiresAt * 1000).toISOString(),
+    instance: {
+      serial: truncateSerial(serial),
+      app_slug: instance.data?.app_slug,
+      version: instance.data?.version
+    }
+  }
+})
+
+function truncateSerial(serial: string): string {
+  if (!serial || serial.length < 20) return serial
+  return `${serial.slice(0, 8)}***${serial.slice(-6)}`
+}