zeroauth 1.0.0

package/dist/api/index.js

@@ -0,0 +1,722 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.validateEnvironmentVariables = validateEnvironmentVariables;
+const logger_1 = require("../logger");
+const dal_1 = require("../db/dal");
+const express_1 = __importDefault(require("express"));
+const cors_1 = __importDefault(require("cors"));
+const axios_1 = __importDefault(require("axios"));
+const jwks_rsa_1 = __importDefault(require("jwks-rsa"));
+const jwt = __importStar(require("jsonwebtoken"));
+const catalog_1 = require("../data/catalog");
+const billing_1 = require("./services/billing");
+logger_1.log.info("=== ZeroAuth API starting ===");
+logger_1.log.info("Environment:", process.env.NODE_ENV);
+logger_1.log.info("AWS Lambda function name:", process.env.AWS_LAMBDA_FUNCTION_NAME);
+logger_1.log.info("Port:", process.env.PORT || 8080);
+const app = (0, express_1.default)();
+const PORT = process.env.PORT || 8080;
+app.use((0, cors_1.default)());
+app.use(express_1.default.json({ limit: "50mb" }));
+app.use(express_1.default.urlencoded({ limit: "50mb", extended: true }));
+// Initialize curated catalog for routing
+try {
+    catalog_1.catalogLoader.loadCatalog();
+    logger_1.log.info("✅ Curated catalog loaded successfully");
+}
+catch (error) {
+    logger_1.log.error("❌ Failed to load curated catalog:", error);
+}
+// --- ADD THIS AUTHENTICATION MIDDLEWARE ---
+// Keep constants for use throughout the module
+const jwksUri = process.env.OIDC_JWKS_URL;
+const issuer = process.env.OIDC_ISSUER_URL;
+const audience = process.env.OIDC_AUDIENCE;
+const internalSecret = process.env.CLOUDFRONT_INTERNAL_SECRET;
+// Extract validation logic for testing - check current env vars each time
+function validateEnvironmentVariables() {
+    const currentJwksUri = process.env.OIDC_JWKS_URL;
+    const currentIssuer = process.env.OIDC_ISSUER_URL;
+    const currentAudience = process.env.OIDC_AUDIENCE;
+    const currentInternalSecret = process.env.CLOUDFRONT_INTERNAL_SECRET;
+    if (!currentJwksUri ||
+        !currentIssuer ||
+        !currentAudience ||
+        !currentInternalSecret) {
+        console.error("Missing required OIDC/Secret env vars");
+        return false;
+    }
+    return true;
+}
+// Create a JWKS client
+const jwksClient = (0, jwks_rsa_1.default)({
+    jwksUri: jwksUri,
+});
+// Function to get the signing key
+function getKey(header, callback) {
+    if (!header.kid) {
+        callback(new Error("No KID in JWT header"), undefined);
+        return;
+    }
+    jwksClient.getSigningKey(header.kid, (err, key) => {
+        if (err) {
+            callback(err, undefined);
+            return;
+        }
+        const signingKey = key.getPublicKey();
+        callback(null, signingKey);
+    });
+}
+// Middleware 1: Check for the CloudFront secret
+const verifyCloudFrontSecret = (req, res, next) => {
+    const secret = req.headers["x-internal-secret"];
+    logger_1.log.info("=== CloudFront Secret Check ===");
+    logger_1.log.info(`Headers received: ${JSON.stringify(Object.keys(req.headers))}`);
+    logger_1.log.info(`x-internal-secret present: ${!!secret}`);
+    logger_1.log.info(`Expected secret: ${internalSecret ? "set" : "NOT SET"}`);
+    logger_1.log.info(`Host: ${req.get("host")}`);
+    logger_1.log.info(`Request path: ${req.path}`);
+    // Allow requests with correct secret
+    if (secret === internalSecret) {
+        logger_1.log.info("✅ CloudFront secret verified - allowing request");
+        next();
+        return;
+    }
+    // Allow localhost requests for local development
+    const host = req.get("host");
+    const isTestEnvironment = process.env.NODE_ENV === "test";
+    if (!isTestEnvironment &&
+        host &&
+        (host.startsWith("localhost") || host.startsWith("127.0.0.1"))) {
+        logger_1.log.info("✅ Localhost request - allowing without CloudFront secret");
+        next();
+        return;
+    }
+    logger_1.log.warn(`❌ CloudFront secret check failed - received: ${secret}, expected: ${internalSecret}`);
+    logger_1.log.warn("Blocking request with missing/invalid secret");
+    return res.status(403).json({ error: "Forbidden" });
+};
+// Middleware 2: Check for the Clerk JWT
+const authenticate = (req, res, next) => {
+    logger_1.log.info("=== JWT Authentication Check ===");
+    logger_1.log.info(`Headers: ${JSON.stringify(Object.keys(req.headers))}`);
+    // Check both standard Authorization header and x-authorization (CloudFront workaround)
+    const authHeader = (req.headers.authorization ||
+        req.headers["x-authorization"]);
+    logger_1.log.info(`Auth header found: ${!!authHeader}`);
+    logger_1.log.info(`Auth header starts with Bearer: ${authHeader?.startsWith("Bearer ") || false}`);
+    if (!authHeader || !authHeader.startsWith("Bearer ")) {
+        logger_1.log.warn("❌ JWT auth failed - missing or invalid auth header");
+        return res.status(401).json({ error: "Unauthorized: Missing token" });
+    }
+    const token = authHeader.split(" ")[1];
+    jwt.verify(token, getKey, {
+        issuer: issuer,
+        audience: audience,
+    }, async (err, decoded) => {
+        if (err) {
+            console.error("JWT verification failed:", err.message);
+            return res.status(401).json({ error: `Unauthorized: ${err.message}` });
+        }
+        // Identity Resolution for Billing
+        try {
+            const claims = decoded;
+            const clerkUserId = claims.sub;
+            if (clerkUserId) {
+                const userIdentity = await (0, dal_1.findOrCreateUserIdentity)(clerkUserId);
+                const organizationId = userIdentity.securityProfile.organization_id;
+                req.customer = organizationId;
+                // Ensure customer exists at signup/authentication
+                const email = claims.email || claims.preferred_username;
+                const name = claims.name;
+                // Fire and forget (optional, but ensureCustomer is idempotent and fast if exists)
+                billing_1.BillingService.ensureCustomer(organizationId, email, name).catch((err) => logger_1.log.error({ err, organizationId }, "Failed to ensure Stripe customer in middleware"));
+                logger_1.log.info(`✅ Resolved Customer ID from User Identity: ${req.customer}`);
+            }
+        }
+        catch (dbError) {
+            logger_1.log.error("Failed to resolve user identity from DB:", dbError);
+            // We allow the request to proceed for now, but billing might fail later
+        }
+        next();
+    });
+};
+// ... (Rest of middleware) ...
+// --- ADD NEW WORKLOAD IDENTITY MIDDLEWARE ---
+const authenticateWorkloadIdentity = async (req, res, next) => {
+    logger_1.log.info("Attempting Workload Identity authentication...");
+    // Check both standard Authorization header and x-authorization (CloudFront workaround)
+    const authHeader = (req.headers.authorization ||
+        req.headers["x-authorization"]);
+    const host = req.get("host"); // Get the host header
+    if (!authHeader) {
+        logger_1.log.warn("Workload Identity auth failed: Missing Authorization or x-authorization header");
+        return res.status(401).json({ error: "Unauthorized: Missing credentials" });
+    }
+    try {
+        let customerId = null;
+        // Route auth logic based on host header
+        if (host === "aws.iam.zeroauth.ai") {
+            // <-- Check for the new CNAME
+            // --- AWS SigV4 Auth ---
+            if (!authHeader.startsWith("AWS4-HMAC-SHA256")) {
+                logger_1.log.warn("AWS host detected but auth header is not SigV4.");
+                return res.status(401).json({ error: "Invalid AWS credentials" });
+            }
+            logger_1.log.info("Detected AWS SigV4 credentials for host aws.iam.zeroauth.ai.");
+            // TODO: Implement full SigV4 signature validation here
+            // FULL AWS SIGV4 SIGNATURE VALIDATION IMPLEMENTATION
+            logger_1.log.info("Performing full AWS SigV4 signature validation...");
+            // Parse AWS SigV4 Authorization header components
+            const authParts = {
+                algorithm: "",
+                credential: "",
+                signedHeaders: "",
+                signature: "",
+            };
+            // Parse Authorization header components
+            logger_1.log.info(`Parsing authorization header: ${authHeader}`);
+            const authComponents = authHeader.split(",").map((part) => part.trim());
+            logger_1.log.info(`Auth components after split and trim: ${JSON.stringify(authComponents, null, 2)}`);
+            for (const component of authComponents) {
+                logger_1.log.info(`Processing component: "${component}"`);
+                if (component.startsWith("AWS4-HMAC-SHA256")) {
+                    authParts.algorithm = "AWS4-HMAC-SHA256";
+                    logger_1.log.info(`Found algorithm: ${authParts.algorithm}`);
+                    // Extract credential from the first component (AWS4-HMAC-SHA256 Credential=...)
+                    const credentialMatch = component.match(/Credential=(.+)/);
+                    if (credentialMatch) {
+                        authParts.credential = credentialMatch[1];
+                        logger_1.log.info(`Extracted credential from first component: ${authParts.credential}`);
+                    }
+                }
+                else if (component.startsWith("Credential=")) {
+                    authParts.credential = component.substring(10);
+                    logger_1.log.info(`Found credential: ${authParts.credential}`);
+                }
+                else if (component.startsWith("SignedHeaders=")) {
+                    authParts.signedHeaders = component.substring(14);
+                    logger_1.log.info(`Found signed headers: ${authParts.signedHeaders}`);
+                }
+                else if (component.startsWith("Signature=")) {
+                    authParts.signature = component.substring(10);
+                    logger_1.log.info(`Found signature: ${authParts.signature}`);
+                }
+            }
+            logger_1.log.info(`Parsed auth parts: ${JSON.stringify(authParts, null, 2)}`);
+            if (!authParts.algorithm ||
+                !authParts.credential ||
+                !authParts.signature) {
+                logger_1.log.warn("Missing required AWS SigV4 authorization components");
+                return res
+                    .status(401)
+                    .json({ error: "Invalid AWS SigV4 authorization header" });
+            }
+            // Parse credential scope: access_key/date/region/service/aws4_request
+            const credentialParts = authParts.credential.split("/");
+            if (credentialParts.length < 5) {
+                logger_1.log.warn("Invalid AWS SigV4 credential scope");
+                return res.status(401).json({ error: "Invalid AWS credential scope" });
+            }
+            const accessKey = credentialParts[0];
+            const dateStamp = credentialParts[1];
+            const region = credentialParts[2];
+            const service = credentialParts[3];
+            logger_1.log.info(`AWS SigV4 - Access Key: ${accessKey}, Region: ${region}, Service: ${service}, Date: ${dateStamp}`);
+            // Build canonical request for signature validation
+            const httpMethod = req.method;
+            const canonicalUri = req.path;
+            const canonicalQueryString = ""; // No query parameters for API Gateway
+            const canonicalHeaders = buildCanonicalHeaders(req, authParts.signedHeaders);
+            const payloadHash = calculatePayloadHash(req.body);
+            const canonicalRequest = [
+                httpMethod,
+                canonicalUri,
+                canonicalQueryString,
+                canonicalHeaders,
+                authParts.signedHeaders,
+                payloadHash,
+            ].join("\n");
+            logger_1.log.info(`Canonical request:\n${canonicalRequest}`);
+            // Build string to sign
+            const algorithm = "AWS4-HMAC-SHA256";
+            const credentialScope = `${dateStamp}/${region}/${service}/aws4_request`;
+            const hashedCanonicalRequest = await sha256Hex(canonicalRequest);
+            const stringToSign = [
+                algorithm,
+                req.headers["x-amz-date"],
+                credentialScope,
+                hashedCanonicalRequest,
+            ].join("\n");
+            logger_1.log.info(`String to sign:\n${stringToSign}`);
+            // Use AWS SDK to validate credentials and get caller identity
+            try {
+                // Use AWS SDK to validate the credentials by calling STS
+                const AWS = require("aws-sdk");
+                // Configure AWS with the provided credentials
+                AWS.config.update({
+                    accessKeyId: accessKey,
+                    region: region,
+                });
+                // Handle session token for STS temporary credentials
+                const sessionToken = req.headers["x-amz-security-token"];
+                if (sessionToken) {
+                    AWS.config.update({
+                        sessionToken: sessionToken,
+                    });
+                }
+                const sts = new AWS.STS();
+                // Get caller identity to validate the credentials and get actual ARN
+                const callerIdentity = await sts.getCallerIdentity().promise();
+                logger_1.log.info(`✅ AWS STS GetCallerIdentity successful for ARN: ${callerIdentity.Arn}`);
+                // Use the actual ARN from STS for database lookup
+                const actualArn = callerIdentity.Arn;
+                // Database lookup using the actual AWS ARN
+                const workloadIdentity = await (0, dal_1.findWorkloadIdentity)("AWS", actualArn);
+                if (workloadIdentity) {
+                    customerId = workloadIdentity.securityProfile.organization_id;
+                    logger_1.log.info(`✅ Successfully validated AWS SigV4 and found workload identity for ARN: ${actualArn}`);
+                }
+                else {
+                    logger_1.log.warn(`⚠️ AWS SigV4 valid but no workload identity found in database for ARN: ${actualArn}`);
+                }
+            }
+            catch (error) {
+                logger_1.log.error(`AWS STS validation failed: ${error instanceof Error ? error.message : String(error)}`);
+                return res.status(401).json({ error: "Invalid AWS credentials" });
+            }
+            // Helper functions for AWS SigV4 validation
+            function buildCanonicalHeaders(req, signedHeaders) {
+                const headers = req.headers;
+                const canonicalHeaders = [];
+                const signedHeaderList = signedHeaders.split(";");
+                for (const headerName of signedHeaderList) {
+                    const headerValue = headers[headerName.toLowerCase()] || "";
+                    const cleanHeaderName = headerName.toLowerCase().trim();
+                    const cleanHeaderValue = String(headerValue)
+                        .replace(/\s+/g, " ")
+                        .trim();
+                    canonicalHeaders.push(`${cleanHeaderName}:${cleanHeaderValue}`);
+                }
+                return canonicalHeaders.join("\n");
+            }
+            function calculatePayloadHash(body) {
+                const payload = JSON.stringify(body);
+                return require("crypto")
+                    .createHash("sha256")
+                    .update(payload)
+                    .digest("hex");
+            }
+            function sha256Hex(data) {
+                return Promise.resolve(require("crypto").createHash("sha256").update(data).digest("hex"));
+            }
+        }
+        else if (host === "gcp.iam.zeroauth.ai" ||
+            host === "azure.iam.zeroauth.ai") {
+            //
+            // --- GCP/Azure OIDC Auth ---
+            if (!authHeader.startsWith("Bearer ")) {
+                logger_1.log.warn("GCP/Azure host detected but auth header is not Bearer token.");
+                return res.status(401).json({ error: "Invalid OIDC token" });
+            }
+            logger_1.log.info(`Detected Bearer token for OIDC host: ${host}.`);
+            const token = authHeader.split(" ")[1];
+            // STUBBED LOGIC: Decode token to find claims
+            const claims = jwt.decode(token);
+            let identity = null;
+            if (claims &&
+                claims.iss &&
+                claims.iss.includes("accounts.google.com") &&
+                host === "gcp.iam.zeroauth.ai") {
+                identity = claims.sub; // Or relevant claim for Project ID
+                logger_1.log.info(`GCP OIDC validation stub: Using identity: ${identity}`);
+                // Database lookup for GCP workload identity
+                if (identity) {
+                    const workloadIdentity = await (0, dal_1.findWorkloadIdentity)("GCP", identity);
+                    if (workloadIdentity) {
+                        const organizationId = workloadIdentity.securityProfile.organization_id;
+                        customerId = organizationId;
+                        // Ensure customer exists at "signup" (first workload discovery)
+                        billing_1.BillingService.ensureCustomer(organizationId).catch((err) => logger_1.log.error({ err, organizationId }, "Failed to ensure Stripe customer for workload"));
+                        logger_1.log.info(`Found GCP workload identity in database for: ${identity}`);
+                    }
+                }
+            }
+            else if (claims &&
+                claims.iss &&
+                claims.iss.includes("sts.windows.net") &&
+                host === "azure.iam.zeroauth.ai") {
+                identity = claims.tid; // Tenant ID
+                logger_1.log.info(`Azure OIDC validation stub: Using identity: ${identity}`);
+                // Database lookup for Azure workload identity
+                if (identity) {
+                    const workloadIdentity = await (0, dal_1.findWorkloadIdentity)("AZURE", identity);
+                    if (workloadIdentity) {
+                        customerId = workloadIdentity.securityProfile.organization_id;
+                        logger_1.log.info(`Found Azure workload identity in database for: ${identity}`);
+                    }
+                }
+            }
+        }
+        else {
+            // Host does not match any known workload identity CNAME
+            logger_1.log.warn(`Workload Identity auth failed: Host header '${host}' does not match a known identity gateway.`);
+            return res.status(403).json({ error: "Forbidden: Invalid host" });
+        }
+        // --- Authorization Check ---
+        if (customerId) {
+            logger_1.log.info(`Workload Identity validated. Customer: ${customerId}`);
+            req.customer = customerId; // Attach customer to request
+            next(); //
+        }
+        else {
+            logger_1.log.warn("Workload Identity authentication failed: Identity not found in database.");
+            return res.status(403).json({ error: "Forbidden: Unknown identity" });
+        }
+    }
+    catch (error) {
+        logger_1.log.error("Error during Workload Identity authentication:", error.message);
+        return res.status(401).json({ error: `Unauthorized: ${error.message}` });
+    }
+};
+// --- END NEW MIDDLEWARE ---
+// --- UPDATED: Point to LiteLLM Proxy service ---
+const LITELLM_PROXY_URL = process.env.LITELLM_PROXY_URL ||
+    "http://zeroauth-prod-litellm.513e62d22d8a40c69d66ec687a54a0dd.svc.cluster.local";
+// Waitlist endpoint (no authentication required)
+app.post("/waitlist", async (req, res) => {
+    logger_1.log.info("=== Processing POST /waitlist ===");
+    try {
+        const { email } = req.body;
+        if (!email) {
+            return res.status(400).json({ error: "Email is required" });
+        }
+        // Basic email validation
+        const emailRegex = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;
+        if (!emailRegex.test(email)) {
+            return res.status(400).json({ error: "Invalid email format" });
+        }
+        // Import Prisma client
+        const { PrismaClient } = require("@prisma/client");
+        const prisma = new PrismaClient();
+        try {
+            // Try to create the waitlist entry
+            await prisma.waitlistEntry.create({
+                data: {
+                    email: email.toLowerCase().trim(),
+                },
+            });
+            logger_1.log.info(`Added email to waitlist: ${email}`);
+            res
+                .status(200)
+                .json({ success: true, message: "Email added to waitlist" });
+        }
+        catch (dbError) {
+            // Handle unique constraint violation (email already exists)
+            if (dbError.code === "P2002") {
+                logger_1.log.info(`Email already exists in waitlist: ${email}`);
+                return res
+                    .status(200)
+                    .json({ success: true, message: "You're already on our waitlist!" });
+            }
+            // Other database errors
+            logger_1.log.error("Database error:", dbError);
+            throw dbError;
+        }
+        finally {
+            await prisma.$disconnect();
+        }
+    }
+    catch (error) {
+        logger_1.log.error("Error in waitlist endpoint:", error);
+        res.status(500).json({ error: "Internal server error" });
+    }
+});
+// Apply the secret checker to API routes (but not to waitlist)
+app.use(verifyCloudFrontSecret);
+// Routes
+app.get("/v1/models", async (req, res) => {
+    logger_1.log.info("=== Processing GET /v1/models ===");
+    try {
+        logger_1.log.info("Forwarding request to:", `${LITELLM_PROXY_URL}/models`);
+        const response = await axios_1.default.get(`${LITELLM_PROXY_URL}/models`, {
+            headers: {
+                Authorization: "Bearer sk-zeroauth-dev", // Use master key from proxy-config.yaml
+            },
+            timeout: 30000,
+        });
+        logger_1.log.info("Response received from LiteLLM:", response.status, response.statusText);
+        logger_1.log.info("Response data:", JSON.stringify(response.data, null, 2));
+        res.json(response.data);
+    }
+    catch (error) {
+        console.error("Error fetching models:", error.message);
+        res.status(500).json({ error: "Could not fetch model list." });
+    }
+});
+// Middleware: Set default Free Developer Profile (no compliance checks)
+const setDefaultProfile = (req, res, next) => {
+    // Hardcode the Free Developer Profile for all requests (PoC)
+    req.complianceProfile = catalog_1.catalogLoader.getDefaultProfile();
+    logger_1.log.info("📋 Applied default Free Developer Profile (no compliance checks)");
+    next();
+};
+// This handler has all your proxy logic
+const chatCompletionsHandler = async (req, res) => {
+    logger_1.log.info(`=== Processing ${req.path} ===`);
+    logger_1.log.info("Request body:", JSON.stringify(req.body, null, 2));
+    logger_1.log.info("Model:", req.body.model);
+    logger_1.log.info("Stream:", req.body.stream);
+    logger_1.log.info("All body keys:", Object.keys(req.body));
+    logger_1.log.info("LITELLM_PROXY_URL:", LITELLM_PROXY_URL);
+    logger_1.log.info("LITELLM_PROXY_URL:", LITELLM_PROXY_URL);
+    logger_1.log.info("Checking if LITELLM_PROXY_URL is reachable...");
+    // Add health check before making the request
+    try {
+        const healthCheck = await axios_1.default.get(`${LITELLM_PROXY_URL}/health`, {
+            headers: {
+                Authorization: "Bearer sk-zeroauth-dev",
+            },
+            timeout: 5000,
+        });
+        logger_1.log.info("LiteLLM health check response:", healthCheck.status);
+    }
+    catch (healthError) {
+        logger_1.log.error("LiteLLM health check failed:", healthError.message);
+        logger_1.log.error("Health check error details:", healthError.code, healthError.response?.status);
+    }
+    logger_1.log.info("Proceeding with chat completions request...");
+    // Billing Hook: Ensure customer exists (Lazy check)
+    const customerId = req.customer;
+    if (!customerId) {
+        logger_1.log.warn("⚠️ No Customer ID found in request. Billing usage will NOT be recorded.");
+    }
+    try {
+        const requestBody = { ...req.body };
+        const originalModel = requestBody.model;
+        logger_1.log.info("Original request body copied");
+        logger_1.log.info("Original model parameter:", originalModel);
+        // Implement static file-based intent routing
+        let routingType = "direct";
+        let intentAlias = null;
+        let targetModel = originalModel;
+        // Check for intent: prefix
+        if (originalModel &&
+            typeof originalModel === "string" &&
+            originalModel.startsWith("intent:")) {
+            const intent = originalModel.substring(7); // Remove "intent:" prefix
+            logger_1.log.info(`🔍 Detected intent request: ${intent}`);
+            // Look up intent in curated catalog
+            const catalogEntry = catalog_1.catalogLoader.findModelByIntent(`intent:${intent}`);
+            if (catalogEntry) {
+                targetModel = catalogEntry.model_name;
+                intentAlias = `intent:${intent}`;
+                routingType = "intent_to_group";
+                logger_1.log.info(`✅ Intent resolved: ${intentAlias} → ${targetModel}`);
+            }
+            else {
+                // Invalid intent - return helpful error
+                const availableIntents = catalog_1.catalogLoader.getAvailableIntents();
+                logger_1.log.warn(`❌ Invalid intent: ${intent}`);
+                return res.status(400).json({
+                    error: {
+                        message: `Invalid intent: "${intent}". Available intents: ${availableIntents.join(", ")}`,
+                        type: "invalid_request_error",
+                        code: "invalid_intent",
+                        zeroauth_help: {
+                            available_intents: availableIntents,
+                            example: 'Use model: "intent:budget" for cost-effective models',
+                        },
+                    },
+                });
+            }
+        }
+        else {
+            // Direct model name - pass through unchanged
+            logger_1.log.info("📋 Direct model request - no routing needed");
+        }
+        requestBody.model = targetModel;
+        logger_1.log.info("🎯 Routing decision:", {
+            original: originalModel,
+            target: targetModel,
+            routingType,
+            intent: intentAlias,
+        });
+        logger_1.log.info("Final transformed request body:", JSON.stringify(requestBody, null, 2));
+        logger_1.log.info("Making request to:", `${LITELLM_PROXY_URL}/chat/completions`);
+        if (requestBody.stream) {
+            logger_1.log.info("Handling streaming request");
+            const response = await axios_1.default.post(`${LITELLM_PROXY_URL}/chat/completions`, requestBody, {
+                headers: {
+                    "Content-Type": "application/json",
+                    Authorization: "Bearer sk-zeroauth-dev", // Use master key from proxy-config.yaml
+                },
+                responseType: "stream",
+                timeout: 300000, // Increase timeout for potentially long AI responses
+            });
+            logger_1.log.info("Stream response received, status:", response.status);
+            logger_1.log.info("Stream response headers:", JSON.stringify(response.headers, null, 2));
+            res.setHeader("Content-Type", "text/event-stream");
+            res.setHeader("Cache-Control", "no-cache");
+            res.setHeader("Connection", "keep-alive");
+            response.data.pipe(res);
+            response.data.on("error", (err) => {
+                logger_1.log.error("Stream error:", err);
+                if (!res.headersSent) {
+                    res.status(500).json({ error: "Stream error" });
+                }
+            });
+            response.data.on("end", () => {
+                logger_1.log.info("Stream ended");
+                res.end();
+            });
+        }
+        else {
+            logger_1.log.info("Handling non-streaming request");
+            const response = await axios_1.default.post(`${LITELLM_PROXY_URL}/chat/completions`, requestBody, {
+                headers: {
+                    "Content-Type": "application/json",
+                    Authorization: "Bearer sk-zeroauth-dev", // Use master key from proxy-config.yaml
+                },
+                timeout: 300000, // Increase timeout for potentially long AI responses
+            });
+            logger_1.log.info("Non-streaming response received, status:", response.status);
+            logger_1.log.info("Non-streaming response headers:", JSON.stringify(response.headers, null, 2));
+            logger_1.log.info("Response data:", JSON.stringify(response.data, null, 2));
+            // Add ZeroAuth routing metadata to response
+            const responseData = response.data;
+            // BILLING HOOK: Record Usage
+            if (responseData.usage && customerId) {
+                const totalTokens = responseData.usage.total_tokens || 0;
+                logger_1.log.info({ customerId, totalTokens }, "Recording usage for billing");
+                // Fire and forget (don't await to reduce latency)
+                billing_1.BillingService.recordUsage(customerId, totalTokens).catch(err => logger_1.log.error({ err }, "Background usage recording failed"));
+            }
+            if (routingType === "intent_to_group") {
+                responseData.zeroauth = {
+                    routed: true,
+                    original_intent: intentAlias,
+                    target_model_group: targetModel,
+                    routing_type: routingType,
+                };
+            }
+            res.json(responseData);
+        }
+    }
+    catch (error) {
+        logger_1.log.error(`=== Error in ${req.path} ===`);
+        logger_1.log.error("Error message:", error.message);
+        logger_1.log.error("Error code:", error.code);
+        logger_1.log.error("Error response status:", error.response?.status);
+        logger_1.log.error("Error response headers:", JSON.stringify(error.response?.headers, null, 2));
+        logger_1.log.error("Error response data:", JSON.stringify(error.response?.data, null, 2));
+        logger_1.log.error("Request config:", JSON.stringify(error.config, null, 2));
+        logger_1.log.error("Full error:", error);
+        // Parse the actual error message from LiteLLM response
+        let actualErrorMessage = error.message;
+        if (error.response?.data?.error) {
+            const errorData = error.response.data.error;
+            if (typeof errorData === "object" && errorData.message) {
+                if (typeof errorData.message === "string" &&
+                    errorData.message.startsWith("{'error':")) {
+                    try {
+                        const match = errorData.message.match(/'error':\s*'([^']+)'/);
+                        if (match) {
+                            actualErrorMessage = match[1];
+                        }
+                        else {
+                            actualErrorMessage = errorData.message;
+                        }
+                    }
+                    catch {
+                        actualErrorMessage = errorData.message;
+                    }
+                }
+                else {
+                    actualErrorMessage = errorData.message;
+                }
+            }
+            else if (typeof errorData === "string") {
+                actualErrorMessage = errorData;
+            }
+        }
+        logger_1.log.error("Parsed error message:", actualErrorMessage);
+        logger_1.log.error("Full error:", error);
+        // Propagate the actual LiteLLM error details
+        const status = error.response?.status || 500;
+        const errorData = error.response?.data;
+        if (errorData && typeof errorData === "object") {
+            // If LiteLLM returns structured error data, pass it through
+            res.status(status).json(errorData);
+        }
+        else {
+            // Fallback to generic error with details
+            res.status(status).json({
+                error: errorData || "Error forwarding request to LiteLLM proxy",
+                details: error.message,
+            });
+        }
+    }
+};
+// Developer (JWT) Route
+app.post("/v1/chat/completions", authenticate, // This one checks the JWT
+setDefaultProfile, // Set Free Developer Profile
+chatCompletionsHandler);
+// Production (IAM) Route
+app.post("/v1/iam/chat/completions", authenticateWorkloadIdentity, // <-- ADDED: Validate SigV4/OIDC token based on Host header
+setDefaultProfile, // Set Free Developer Profile
+chatCompletionsHandler);
+// Start server
+// In Lambda environment, always start the server for Lambda Web Adapter
+logger_1.log.info("Checking if we should start the server...");
+logger_1.log.info("require.main === module:", require.main === module);
+logger_1.log.info("process.env.AWS_LAMBDA_FUNCTION_NAME:", process.env.AWS_LAMBDA_FUNCTION_NAME);
+if (require.main === module || process.env.AWS_LAMBDA_FUNCTION_NAME) {
+    logger_1.log.info(`Starting server on port ${PORT}...`);
+    app.listen(PORT, () => {
+        logger_1.log.info(`ZeroAuth API server running on port ${PORT}.`);
+    });
+}
+else {
+    logger_1.log.info("Not starting server - not main module and not in Lambda environment");
+    // Check environment variables on startup using current values
+    validateEnvironmentVariables();
+}
+exports.default = app;
+//# sourceMappingURL=index.js.map