cloudcost-cli 0.1.0__py3-none-any.whl

backend/app/main.py

@@ -0,0 +1,833 @@
+import json
+import logging
+import re
+import hashlib
+import hmac
+import html
+import os
+from contextlib import asynccontextmanager
+from pathlib import Path
+from typing import Any
+from urllib.parse import quote
+
+import httpx
+from fastapi import Depends, FastAPI, Header, HTTPException, Request, Response, status
+from fastapi.responses import FileResponse, HTMLResponse, JSONResponse, RedirectResponse
+from fastapi.staticfiles import StaticFiles
+
+from backend.app.auth import (
+    LoginRequest,
+    ResendSignupOtpRequest,
+    SignupRequest,
+    VerifySignupRequest,
+    generate_otp_code,
+    hash_password,
+    new_session_token,
+    normalize_email,
+    public_user,
+    session_expires_at,
+    verify_password,
+)
+from backend.app.comments import format_error_comment, format_infracost_comment, format_no_plan_comment
+from backend.app.config import Settings, get_settings
+from backend.app.database import (
+    append_usage_event,
+    append_waitlist_record,
+    create_email_otp,
+    create_or_update_signup_user,
+    create_session,
+    delete_session,
+    get_user_by_email,
+    get_user_for_session,
+    init_app_database,
+    read_usage_event_records,
+    verify_email_otp,
+)
+from backend.app.emailer import send_signup_otp, send_waitlist_confirmation, waitlist_confirmation_available
+from backend.app.github_client import (
+    GitHubAppClient,
+    GitHubInstallationClient,
+    PullRequestContext,
+    find_terraform_plan_file,
+)
+from backend.app.infracost import InfracostClient
+from backend.app.litellm_admin import LiteLLMAdminClient, VirtualKeyRequest
+from backend.app.model_pricing import get_model_rates
+from backend.app.security import verify_github_signature
+from backend.app.usage import UsageEvent, sanitize_usage_payload, summarize_usage
+
+
+SUPPORTED_PULL_REQUEST_ACTIONS = {"opened", "reopened", "synchronize", "ready_for_review"}
+EMAIL_PATTERN = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
+WAITLIST_ALLOWED_FIELDS = {"email"}
+logger = logging.getLogger(__name__)
+
+
+@asynccontextmanager
+async def lifespan(app: FastAPI):
+    init_app_database(get_settings())
+    yield
+
+
+app = FastAPI(title="CloudCost AI", version="0.1.0", lifespan=lifespan)
+app.mount("/assets", StaticFiles(directory="assets"), name="assets")
+app.mount("/docs", StaticFiles(directory="docs"), name="docs")
+
+
+def configured_services(settings: Settings) -> dict[str, bool]:
+    return {
+        "github_app": settings.github_app_configured,
+        "infracost": settings.infracost_configured,
+        "litellm": bool(settings.litellm_master_key),
+        "database": bool(settings.backend_database_url),
+    }
+
+
+def github_manifest_state(settings: Settings) -> str:
+    secret = settings.require_manifest_state_secret().encode("utf-8")
+    message = f"cloudcost-github-manifest:{settings.public_base_url}".encode("utf-8")
+    return hmac.new(secret, message, hashlib.sha256).hexdigest()
+
+
+def github_app_manifest(settings: Settings) -> dict[str, Any]:
+    base_url = settings.public_base_url.rstrip("/")
+    host = base_url.replace("https://", "").replace("http://", "").split("/", 1)[0]
+    return {
+        "name": f"CloudCost AI {host}",
+        "url": base_url,
+        "hook_attributes": {
+            "url": f"{base_url}/api/github/webhook",
+            "active": True,
+        },
+        "redirect_url": f"{base_url}/api/github/manifest/callback",
+        "callback_urls": [f"{base_url}/dashboard"],
+        "setup_url": f"{base_url}/dashboard",
+        "public": False,
+        "default_permissions": {
+            "contents": "read",
+            "metadata": "read",
+            "issues": "write",
+            "pull_requests": "write",
+        },
+        "default_events": ["pull_request"],
+    }
+
+
+def store_github_manifest_config(settings: Settings, payload: dict[str, Any]) -> dict[str, Any]:
+    config_path = Path(settings.github_manifest_config_path)
+    config_path.parent.mkdir(parents=True, exist_ok=True)
+    key_path = config_path.parent / "github-app-private-key.pem"
+    pem = str(payload.get("pem") or "")
+    if not pem:
+        raise RuntimeError("GitHub did not return a private key.")
+
+    key_path.write_text(pem, encoding="utf-8")
+    try:
+        os.chmod(key_path, 0o600)
+    except OSError:
+        pass
+
+    config = {
+        "id": payload.get("id"),
+        "client_id": payload.get("client_id"),
+        "slug": payload.get("slug"),
+        "name": payload.get("name"),
+        "html_url": payload.get("html_url"),
+        "webhook_secret": payload.get("webhook_secret"),
+        "private_key_path": str(key_path),
+    }
+    config_path.write_text(json.dumps(config, indent=2), encoding="utf-8")
+    try:
+        os.chmod(config_path, 0o600)
+    except OSError:
+        pass
+    get_settings.cache_clear()
+    return config
+
+
+async def pricing_api_probe(settings: Settings) -> dict[str, Any]:
+    mode = settings.infracost_mode.strip().lower()
+    pricing_mode = settings.infracost_pricing_mode.strip().lower()
+    endpoint = settings.infracost_pricing_api_endpoint
+    if mode != "cli":
+        return {
+            "ready": bool(settings.infracost_api_key),
+            "detail": "Hosted Plan JSON API mode",
+            "endpoint": settings.infracost_api_url,
+        }
+    if pricing_mode == "cloudcost":
+        return {
+            "ready": bool(endpoint and settings.infracost_api_key),
+            "detail": "Using CloudCost hosted pricing service.",
+            "endpoint": endpoint,
+        }
+    if not endpoint:
+        return {
+            "ready": False,
+            "detail": "Set INFRACOST_PRICING_API_ENDPOINT for self-hosted CLI mode.",
+            "endpoint": None,
+        }
+
+    health_url = endpoint.rstrip("/") + "/health"
+    try:
+        async with httpx.AsyncClient(timeout=2.0) as client:
+            response = await client.get(health_url)
+        ready = response.status_code == 200
+        detail = f"Health check returned HTTP {response.status_code}."
+        try:
+            payload = response.json()
+            if payload.get("status"):
+                detail = f"Health check returned {payload['status']}."
+        except ValueError:
+            pass
+        return {"ready": ready, "detail": detail, "endpoint": endpoint}
+    except httpx.HTTPError as exc:
+        detail = str(exc) or exc.__class__.__name__
+        return {"ready": False, "detail": detail, "endpoint": endpoint}
+
+
+@app.get("/")
+async def landing_page(
+    request: Request,
+    settings: Settings = Depends(get_settings),
+):
+    if get_user_for_session(settings, request.cookies.get(settings.auth_session_cookie)):
+        return RedirectResponse(url="/dashboard", status_code=status.HTTP_302_FOUND)
+    return FileResponse("index.html")
+
+
+@app.get("/login")
+async def login_page() -> FileResponse:
+    return FileResponse("future_auth/auth.html")
+
+
+@app.get("/signup")
+async def signup_page() -> FileResponse:
+    return FileResponse("future_auth/auth.html")
+
+
+@app.get("/dashboard")
+async def dashboard_page() -> FileResponse:
+    return FileResponse("future_auth/dashboard.html")
+
+
+@app.get("/get-started")
+async def get_started_page() -> FileResponse:
+    return FileResponse("get-started.html")
+
+
+@app.get("/tester-dashboard")
+async def tester_dashboard_page() -> FileResponse:
+    return FileResponse("dashboard.html")
+
+
+@app.get("/install/github")
+async def github_manifest_install_page(settings: Settings = Depends(get_settings)) -> HTMLResponse:
+    state = github_manifest_state(settings)
+    manifest = json.dumps(github_app_manifest(settings), separators=(",", ":"))
+    manifest_attr = html.escape(manifest, quote=True)
+    state_attr = quote(state)
+    base_url = settings.public_base_url.rstrip("/")
+    personal_action = f"https://github.com/settings/apps/new?state={state_attr}"
+    org_action_base = f"https://github.com/organizations/__ORG__/settings/apps/new?state={state_attr}"
+    body = f"""<!doctype html>
+<html lang="en">
+<head>
+  <meta charset="utf-8">
+  <meta name="viewport" content="width=device-width, initial-scale=1">
+  <title>Install CloudCost AI on GitHub</title>
+  <style>
+    :root {{ --paper:#ffffff; --soft:#f6f7f3; --surface-soft:#f0f3ed; --ink:#172019; --muted:#68736b; --line:#dfe5dc; --green:#1f6f4a; --blue:#365f78; --gold:#b8842f; --shadow:0 22px 58px rgba(23,32,25,.10); --glow:rgba(31,111,74,.07); --radius:8px; }}
+    body.theme-dark {{ color-scheme:dark; --paper:#111315; --soft:#090a0c; --surface-soft:#181b1e; --ink:#f3f4f2; --muted:#9ca3a0; --line:#2a2f33; --green:#8bd7a0; --blue:#8fb8d0; --gold:#d6a853; --shadow:0 18px 46px rgba(0,0,0,.34); --glow:rgba(255,255,255,.035); }}
+    * {{ box-sizing:border-box; }}
+    body {{ margin:0; min-height:100vh; background:linear-gradient(135deg,#fbfcf8 0%,#f1f5ef 56%,#e8eef2 100%); color:var(--ink); font-family:Inter,system-ui,sans-serif; transition:background-color .18s ease,color .18s ease; }}
+    body.theme-dark {{ background:radial-gradient(circle at top left, var(--glow), transparent 320px),var(--soft); }}
+    .topbar {{ min-height:78px; display:flex; align-items:center; justify-content:space-between; padding:0 28px; border-bottom:1px solid var(--line); background:color-mix(in srgb, var(--paper) 82%, transparent); }}
+    body.theme-dark .topbar {{ background:color-mix(in srgb, var(--paper) 84%, transparent); }}
+    .brand {{ display:inline-flex; align-items:center; gap:10px; text-decoration:none; color:var(--ink); font-size:13px; font-weight:950; letter-spacing:.12em; text-transform:uppercase; }}
+    .brand-mark {{ width:32px; height:32px; display:grid; place-items:center; border:1px solid var(--line); border-radius:var(--radius); background:var(--ink); color:var(--paper); box-shadow:none; }}
+    body.theme-dark .brand-mark {{ color:#090a0c; background:var(--green); border-color:var(--green); }}
+    .top-actions {{ display:flex; align-items:center; gap:14px; font-size:12px; font-weight:900; text-transform:uppercase; letter-spacing:.08em; }}
+    .top-actions a {{ color:var(--muted); text-decoration:none; }}
+    .theme-toggle {{ position:relative; width:64px; height:34px; display:inline-flex; align-items:center; justify-content:space-between; padding:0 9px; border:1px solid var(--line); border-radius:999px; background:var(--paper); color:var(--muted); cursor:pointer; box-shadow:inset 0 0 0 1px rgba(255,255,255,.08); }}
+    .theme-toggle .theme-icon {{ position:relative; z-index:1; width:14px; height:14px; display:block; opacity:.7; }}
+    .theme-toggle .theme-sun {{ border:2px solid currentColor; border-radius:999px; box-shadow:0 -6px 0 -5px currentColor,0 6px 0 -5px currentColor,6px 0 0 -5px currentColor,-6px 0 0 -5px currentColor; }}
+    .theme-toggle .theme-moon {{ border-radius:999px; box-shadow:inset 5px -2px 0 0 currentColor; }}
+    .theme-toggle .theme-knob {{ position:absolute; top:4px; left:4px; width:24px; height:24px; border-radius:999px; background:var(--green); box-shadow:0 4px 12px rgba(0,0,0,.18); transition:transform .18s ease,background .18s ease; }}
+    body.theme-dark .theme-toggle {{ background:var(--surface-soft); border-color:var(--line); color:var(--ink); box-shadow:0 0 0 3px rgba(139,215,160,.08); }}
+    body.theme-dark .theme-toggle .theme-knob {{ transform:translateX(30px); background:var(--green); }}
+    body.theme-dark .theme-toggle .theme-moon {{ opacity:1; }}
+    body:not(.theme-dark) .theme-toggle .theme-sun {{ opacity:1; }}
+    .shell {{ width:min(1060px, calc(100% - 40px)); margin:clamp(42px,7vh,76px) auto 80px; }}
+    .hero {{ display:grid; grid-template-columns:minmax(0,1fr) 290px; gap:0; overflow:hidden; border:1px solid var(--line); border-radius:var(--radius); background:var(--paper); box-shadow:var(--shadow); }}
+    .hero-main {{ padding:38px; background:linear-gradient(180deg,#ffffff 0%,#f2f6ef 100%); }}
+    body.theme-dark .hero-main {{ background:linear-gradient(180deg,#101214 0%,#0c0e10 100%); }}
+    .eyebrow {{ margin:0 0 12px; color:var(--muted); font-size:12px; font-weight:900; text-transform:uppercase; letter-spacing:.16em; }}
+    h1 {{ margin:0; font-size:clamp(40px,5vw,64px); line-height:1; font-weight:780; letter-spacing:0; }}
+    p {{ color:var(--muted); line-height:1.6; }}
+    .summary {{ padding:26px; border-left:1px solid var(--line); background:var(--surface-soft); }}
+    body.theme-dark .summary {{ background:var(--surface-soft); }}
+    .summary strong {{ display:block; margin-bottom:8px; }}
+    .panel {{ margin-top:18px; padding:24px; border:1px solid var(--line); border-radius:var(--radius); background:var(--paper); box-shadow:var(--shadow); }}
+    .grid {{ display:grid; grid-template-columns:repeat(3,minmax(0,1fr)); gap:12px; margin:18px 0; }}
+    .step {{ padding:14px; border:1px solid var(--line); border-radius:var(--radius); background:var(--surface-soft); }}
+    .step span {{ display:block; color:var(--green); font-size:11px; font-weight:900; text-transform:uppercase; letter-spacing:.12em; }}
+    .step strong {{ display:block; margin-top:4px; }}
+    label {{ display:block; margin:22px 0 8px; font-weight:900; font-size:12px; text-transform:uppercase; color:var(--blue); letter-spacing:.12em; }}
+    input[type=text] {{ width:100%; min-height:48px; padding:0 12px; border:1px solid #cfd9d0; border-radius:var(--radius); background:#ffffff; color:var(--ink); font:inherit; }}
+    body.theme-dark input[type=text] {{ border-color:var(--line); background:#111315; }}
+    button {{ min-height:48px; padding:0 18px; border:1px solid var(--ink); border-radius:var(--radius); background:var(--ink); color:var(--paper); font-weight:900; text-transform:uppercase; letter-spacing:.08em; cursor:pointer; }}
+    body.theme-dark button {{ border-color:var(--green); background:var(--green); color:#090a0c; }}
+    code {{ font-family:Consolas,monospace; background:color-mix(in srgb, var(--soft) 76%, transparent); padding:2px 5px; }}
+    @media (max-width:760px) {{ .hero{{grid-template-columns:1fr}} .hero-main{{padding:26px}} .summary{{border-left:0;border-top:1px solid var(--line)}} .grid{{grid-template-columns:1fr}} }}
+  </style>
+</head>
+<body>
+  <header class="topbar"><a class="brand" href="/dashboard"><span class="brand-mark">$</span><span>CloudCost AI</span></a><nav class="top-actions" aria-label="Top navigation"><button class="theme-toggle" id="theme-toggle" type="button" aria-label="Switch to dark mode" aria-pressed="false"><span class="theme-icon theme-sun" aria-hidden="true"></span><span class="theme-icon theme-moon" aria-hidden="true"></span><span class="theme-knob" aria-hidden="true"></span></button><a href="/get-started">Get started</a></nav></header>
+  <main class="shell">
+    <section class="hero">
+      <div class="hero-main">
+        <p class="eyebrow">GitHub App install</p>
+        <h1>Create the app without manual settings.</h1>
+        <p>This creates a customer-owned GitHub App with the exact webhook, events, and permissions CloudCost needs. GitHub returns the App ID, webhook secret, and private key to this server automatically.</p>
+      </div>
+      <aside class="summary">
+        <strong>What GitHub will approve</strong>
+        <p>Pull request events, read access for repository contents, and write access for PR timeline comments.</p>
+      </aside>
+    </section>
+    <section class="panel">
+      <div class="grid">
+        <div class="step"><span>01</span><strong>Approve manifest</strong></div>
+        <div class="step"><span>02</span><strong>Choose repositories</strong></div>
+        <div class="step"><span>03</span><strong>Receive PR comments</strong></div>
+      </div>
+      <form id="manifest-form" action="{personal_action}" method="post">
+        <input type="hidden" name="manifest" value="{manifest_attr}">
+        <label for="org">Organization owner, optional</label>
+        <input id="org" type="text" placeholder="Leave blank for personal account">
+        <p><button type="submit">Install on GitHub</button></p>
+      </form>
+      <p>Webhook URL: <code>{html.escape(base_url)}/api/github/webhook</code></p>
+    </section>
+  </main>
+  <script>
+    const form = document.getElementById("manifest-form");
+    const org = document.getElementById("org");
+    const personalAction = {json.dumps(personal_action)};
+    const orgActionBase = {json.dumps(org_action_base)};
+    form.addEventListener("submit", () => {{
+      const value = org.value.trim();
+      form.action = value ? orgActionBase.replace("__ORG__", encodeURIComponent(value)) : personalAction;
+    }});
+  </script>
+  <script src="/assets/theme.js"></script>
+</body>
+</html>"""
+    return HTMLResponse(body)
+
+
+@app.get("/api/github/manifest/callback")
+async def github_manifest_callback(
+    code: str,
+    state: str | None = None,
+    settings: Settings = Depends(get_settings),
+) -> HTMLResponse:
+    expected_state = github_manifest_state(settings)
+    if not state or not hmac.compare_digest(state, expected_state):
+        raise HTTPException(status_code=status.HTTP_400_BAD_REQUEST, detail="Invalid manifest state.")
+
+    url = f"{settings.github_api_url}/app-manifests/{code}/conversions"
+    async with httpx.AsyncClient(timeout=30.0) as client:
+        response = await client.post(
+            url,
+            headers={
+                "Accept": "application/vnd.github+json",
+                "X-GitHub-Api-Version": settings.github_api_version,
+            },
+        )
+    response.raise_for_status()
+    config = store_github_manifest_config(settings, response.json())
+    slug = str(config.get("slug") or "")
+    install_url = f"https://github.com/apps/{quote(slug)}/installations/new" if slug else "/dashboard"
+    return HTMLResponse(
+        f"""<!doctype html>
+<html lang="en">
+<head><meta charset="utf-8"><meta name="viewport" content="width=device-width, initial-scale=1"><title>GitHub App Created</title>
+<style>
+:root {{ --paper:#ffffff; --soft:#f6f7f3; --surface-soft:#f0f3ed; --ink:#172019; --muted:#68736b; --line:#dfe5dc; --green:#1f6f4a; --blue:#365f78; --gold:#b8842f; --shadow:0 22px 58px rgba(23,32,25,.10); --glow:rgba(31,111,74,.07); --radius:8px; }}
+body.theme-dark {{ color-scheme:dark; --paper:#111315; --soft:#090a0c; --surface-soft:#181b1e; --ink:#f3f4f2; --muted:#9ca3a0; --line:#2a2f33; --green:#8bd7a0; --blue:#8fb8d0; --gold:#d6a853; --shadow:0 18px 46px rgba(0,0,0,.34); --glow:rgba(255,255,255,.035); }}
+body {{ margin:0; min-height:100vh; display:grid; place-items:center; background:linear-gradient(135deg,#fbfcf8 0%,#f1f5ef 56%,#e8eef2 100%); color:var(--ink); font-family:Inter,system-ui,sans-serif; transition:background-color .18s ease,color .18s ease; }}
+body.theme-dark {{ background:radial-gradient(circle at top left, var(--glow), transparent 320px),var(--soft); }}
+main {{ width:min(760px,calc(100% - 32px)); overflow:hidden; background:var(--paper); border:1px solid var(--line); border-radius:var(--radius); padding:0; box-shadow:var(--shadow); }}
+.content {{ padding:34px; background:linear-gradient(180deg,#ffffff 0%,#f2f6ef 100%); }}
+body.theme-dark .content {{ background:linear-gradient(180deg,#101214 0%,#0c0e10 100%); }}
+.theme-toggle {{ position:fixed; top:18px; right:18px; width:64px; height:34px; display:inline-flex; align-items:center; justify-content:space-between; padding:0 9px; border:1px solid var(--line); border-radius:999px; background:var(--paper); color:var(--muted); cursor:pointer; box-shadow:inset 0 0 0 1px rgba(255,255,255,.08); }}
+.theme-toggle .theme-icon {{ position:relative; z-index:1; width:14px; height:14px; display:block; opacity:.7; }}
+.theme-toggle .theme-sun {{ border:2px solid currentColor; border-radius:999px; box-shadow:0 -6px 0 -5px currentColor,0 6px 0 -5px currentColor,6px 0 0 -5px currentColor,-6px 0 0 -5px currentColor; }}
+.theme-toggle .theme-moon {{ border-radius:999px; box-shadow:inset 5px -2px 0 0 currentColor; }}
+.theme-toggle .theme-knob {{ position:absolute; top:4px; left:4px; width:24px; height:24px; border-radius:999px; background:var(--green); box-shadow:0 4px 12px rgba(0,0,0,.18); transition:transform .18s ease,background .18s ease; }}
+body.theme-dark .theme-toggle {{ background:var(--surface-soft); border-color:var(--line); color:var(--ink); box-shadow:0 0 0 3px rgba(139,215,160,.08); }}
+body.theme-dark .theme-toggle .theme-knob {{ transform:translateX(30px); background:var(--green); }}
+body.theme-dark .theme-toggle .theme-moon {{ opacity:1; }}
+body:not(.theme-dark) .theme-toggle .theme-sun {{ opacity:1; }}
+.eyebrow {{ margin:0 0 12px; color:var(--muted); font-size:12px; font-weight:900; text-transform:uppercase; letter-spacing:.16em; }}
+h1 {{ margin:0 0 12px; font-size:clamp(40px,5vw,64px); line-height:1; font-weight:780; }}
+p {{ color:var(--muted); line-height:1.6; }}
+.actions {{ display:flex; gap:12px; flex-wrap:wrap; margin-top:20px; }}
+a.button {{ display:inline-flex; align-items:center; min-height:46px; padding:0 18px; border:1px solid var(--ink); border-radius:var(--radius); background:var(--ink); color:var(--paper); text-decoration:none; font-weight:900; text-transform:uppercase; letter-spacing:.08em; }}
+body.theme-dark a.button {{ border-color:var(--green); background:var(--green); color:#090a0c; }}
+a.secondary {{ background:transparent; color:var(--ink); }}
+</style></head>
+<body>
+<button class="theme-toggle" id="theme-toggle" type="button" aria-label="Switch to dark mode" aria-pressed="false"><span class="theme-icon theme-sun" aria-hidden="true"></span><span class="theme-icon theme-moon" aria-hidden="true"></span><span class="theme-knob" aria-hidden="true"></span></button>
+<main>
+<div class="content">
+<p class="eyebrow">GitHub App ready</p>
+<h1>Now choose repositories.</h1>
+<p>CloudCost saved the App ID, webhook secret, and private key on this server. The final step is choosing which repositories the app can access.</p>
+<div class="actions"><a class="button" href="{html.escape(install_url, quote=True)}">Choose repositories</a><a class="button secondary" href="/dashboard">Return to dashboard</a></div>
+</div>
+</main>
+<script src="/assets/theme.js"></script>
+</body>
+</html>"""
+    )
+
+
+@app.get("/og-image.png")
+async def og_image() -> FileResponse:
+    return FileResponse("assets/cloudcost-hero.png")
+
+
+@app.get("/healthz")
+async def healthz(settings: Settings = Depends(get_settings)) -> dict[str, Any]:
+    return {
+        "ok": True,
+        "service": settings.app_name,
+        "environment": settings.environment,
+        "configured": configured_services(settings),
+    }
+
+
+def set_session_cookie(response: Response, settings: Settings, token: str) -> None:
+    response.set_cookie(
+        key=settings.auth_session_cookie,
+        value=token,
+        max_age=settings.auth_session_days * 24 * 60 * 60,
+        path="/",
+        httponly=True,
+        secure=settings.auth_cookie_secure,
+        samesite="lax",
+    )
+
+
+def clear_session_cookie(response: Response, settings: Settings) -> None:
+    response.delete_cookie(
+        key=settings.auth_session_cookie,
+        path="/",
+        secure=settings.auth_cookie_secure,
+        httponly=True,
+        samesite="lax",
+    )
+
+
+def require_current_user(
+    request: Request,
+    settings: Settings = Depends(get_settings),
+) -> dict[str, Any]:
+    token = request.cookies.get(settings.auth_session_cookie)
+    user = get_user_for_session(settings, token)
+    if not user:
+        raise HTTPException(status_code=status.HTTP_401_UNAUTHORIZED, detail="Sign in required.")
+    return user
+
+
+async def create_verified_session(
+    response: Response,
+    settings: Settings,
+    user: dict[str, Any],
+) -> dict[str, Any]:
+    token = new_session_token()
+    create_session(settings, user_id=user["id"], token=token, expires_at=session_expires_at(settings))
+    set_session_cookie(response, settings, token)
+    return {"ok": True, "user": public_user(user), "redirect": "/dashboard"}
+
+
+@app.post("/api/auth/signup")
+async def signup(
+    payload: SignupRequest,
+    settings: Settings = Depends(get_settings),
+) -> dict[str, Any]:
+    try:
+        email = normalize_email(payload.email)
+        user = create_or_update_signup_user(
+            settings,
+            email=email,
+            password_hash=hash_password(payload.password),
+            full_name=(payload.full_name or "").strip() or None,
+            company=(payload.company or "").strip() or None,
+        )
+        code = generate_otp_code()
+        create_email_otp(settings, user_id=user["id"], email=email, code=code)
+        delivery = await send_signup_otp(settings, email, code)
+    except ValueError as exc:
+        raise HTTPException(status_code=status.HTTP_409_CONFLICT, detail=str(exc)) from exc
+    except RuntimeError as exc:
+        raise HTTPException(status_code=status.HTTP_500_INTERNAL_SERVER_ERROR, detail=str(exc)) from exc
+
+    return {"ok": True, "email": email, "delivery_mode": delivery["mode"]}
+
+
+@app.post("/api/auth/verify-signup")
+async def verify_signup(
+    payload: VerifySignupRequest,
+    response: Response,
+    settings: Settings = Depends(get_settings),
+) -> dict[str, Any]:
+    try:
+        email = normalize_email(payload.email)
+    except ValueError as exc:
+        raise HTTPException(status_code=status.HTTP_422_UNPROCESSABLE_ENTITY, detail=str(exc)) from exc
+
+    user = verify_email_otp(settings, email=email, code=payload.code.strip())
+    if not user:
+        raise HTTPException(status_code=status.HTTP_400_BAD_REQUEST, detail="Invalid or expired code.")
+    return await create_verified_session(response, settings, user)
+
+
+@app.post("/api/auth/resend-signup-otp")
+async def resend_signup_otp(
+    payload: ResendSignupOtpRequest,
+    settings: Settings = Depends(get_settings),
+) -> dict[str, Any]:
+    try:
+        email = normalize_email(payload.email)
+    except ValueError as exc:
+        raise HTTPException(status_code=status.HTTP_422_UNPROCESSABLE_ENTITY, detail=str(exc)) from exc
+
+    user = get_user_by_email(settings, email)
+    if not user or user.get("email_verified_at"):
+        return {"ok": True, "email": email, "delivery_mode": "skipped"}
+
+    code = generate_otp_code()
+    create_email_otp(settings, user_id=user["id"], email=email, code=code)
+    delivery = await send_signup_otp(settings, email, code)
+    return {"ok": True, "email": email, "delivery_mode": delivery["mode"]}
+
+
+@app.post("/api/auth/login")
+async def login(
+    payload: LoginRequest,
+    response: Response,
+    settings: Settings = Depends(get_settings),
+) -> dict[str, Any]:
+    try:
+        email = normalize_email(payload.email)
+    except ValueError as exc:
+        raise HTTPException(status_code=status.HTTP_422_UNPROCESSABLE_ENTITY, detail=str(exc)) from exc
+
+    user = get_user_by_email(settings, email)
+    if not user or not verify_password(payload.password, user.get("password_hash")):
+        raise HTTPException(status_code=status.HTTP_401_UNAUTHORIZED, detail="Invalid email or password.")
+    if not user.get("email_verified_at"):
+        raise HTTPException(status_code=status.HTTP_403_FORBIDDEN, detail="Verify your email before signing in.")
+
+    return await create_verified_session(response, settings, user)
+
+
+@app.post("/api/auth/logout")
+async def logout(
+    request: Request,
+    response: Response,
+    settings: Settings = Depends(get_settings),
+) -> dict[str, Any]:
+    delete_session(settings, request.cookies.get(settings.auth_session_cookie))
+    clear_session_cookie(response, settings)
+    return {"ok": True}
+
+
+@app.get("/api/auth/me")
+async def auth_me(user: dict[str, Any] = Depends(require_current_user)) -> dict[str, Any]:
+    return {"ok": True, "user": public_user(user)}
+
+
+@app.get("/api/dashboard/summary")
+async def dashboard_summary(
+    user: dict[str, Any] = Depends(require_current_user),
+    settings: Settings = Depends(get_settings),
+) -> dict[str, Any]:
+    configured = configured_services(settings)
+    usage_summary = summarize_usage(read_usage_event_records(settings, limit=1000))
+    return {
+        "ok": True,
+        "user": public_user(user),
+        "llm_usage": usage_summary,
+        "configured": configured,
+        "integrations": {
+            "github_webhook": f"{settings.public_base_url.rstrip('/')}/api/github/webhook",
+            "infracost_mode": settings.infracost_mode,
+            "litellm_base_url": settings.litellm_base_url,
+        },
+    }
+
+
+@app.get("/api/dashboard/tutorial-status")
+async def dashboard_tutorial_status(settings: Settings = Depends(get_settings)) -> dict[str, Any]:
+    configured = configured_services(settings)
+    pricing = await pricing_api_probe(settings)
+    webhook_url = f"{settings.public_base_url.rstrip('/')}/api/github/webhook"
+    systems = [
+        {
+            "id": "backend",
+            "label": "FastAPI backend",
+            "ready": True,
+            "detail": "Serving the dashboard and webhook.",
+            "next_step": "Keep the backend process running on port 8000.",
+        },
+        {
+            "id": "github",
+            "label": "GitHub App",
+            "ready": configured["github_app"],
+            "detail": f"Webhook URL: {webhook_url}",
+            "next_step": "Install the app, subscribe to pull_request, and allow Issues/Pull requests write access.",
+        },
+        {
+            "id": "infracost",
+            "label": "Infracost CLI",
+            "ready": configured["infracost"],
+            "detail": f"Mode: {settings.infracost_mode}; CLI: {settings.infracost_cli_path}",
+            "next_step": "Install the CLI or set INFRACOST_CLI_PATH to a working binary.",
+        },
+        {
+            "id": "pricing",
+            "label": "Pricing API",
+            "ready": pricing["ready"],
+            "detail": pricing["detail"],
+            "endpoint": pricing["endpoint"],
+            "next_step": "Use CloudCost hosted pricing or start the self-hosted pricing API.",
+        },
+        {
+            "id": "database",
+            "label": "Database",
+            "ready": configured["database"],
+            "detail": "Neon/Postgres configured." if configured["database"] else "JSONL fallback or DATABASE_URL missing.",
+            "next_step": "Set DATABASE_URL or APP_DATABASE_URL for persistent shared state.",
+        },
+        {
+            "id": "litellm",
+            "label": "LiteLLM",
+            "ready": configured["litellm"],
+            "detail": f"Base URL: {settings.litellm_base_url}",
+            "next_step": "Start LiteLLM and set LITELLM_MASTER_KEY.",
+        },
+    ]
+    ready_count = sum(1 for item in systems if item["ready"])
+    return {
+        "ok": True,
+        "ready_count": ready_count,
+        "total_count": len(systems),
+        "systems": systems,
+        "trial_goal": "Open or update a GitHub pull request containing Terraform plan JSON and confirm CloudCost posts one PR comment.",
+        "install": {
+            "github_manifest_url": "/install/github",
+            "webhook_url": webhook_url,
+        },
+        "docs": {
+            "tester_guide": "/docs/new-user-tutorial.md",
+            "self_hosted_infracost": "/docs/pricing-api.html",
+            "vps_one_click": "/docs/vps-install.html",
+        },
+    }
+
+
+@app.get("/api/mechanism")
+async def mechanism(settings: Settings = Depends(get_settings)) -> dict[str, Any]:
+    return {
+        "ai_spend_proxy": {
+            "proxy": "LiteLLM",
+            "base_url": settings.litellm_base_url,
+            "virtual_key_endpoint": "/api/llm/keys",
+            "usage_ingest_endpoint": "/api/llm/usage",
+            "privacy": "Only metadata, token counts, tags, and cost are accepted by the backend usage store.",
+        },
+        "github_app": {
+            "webhook_endpoint": "/api/github/webhook",
+            "events": ["pull_request"],
+            "actions": sorted(SUPPORTED_PULL_REQUEST_ACTIONS),
+            "costing": "Find Terraform plan JSON in PR files, call Infracost, and upsert a PR timeline comment.",
+        },
+        "database": {
+            "backend_store": "postgres" if settings.backend_database_url else "jsonl",
+            "litellm_key_store": "postgres via DATABASE_URL",
+            "tables": ["cloudcost_waitlist", "cloudcost_usage_events"],
+        },
+    }
+
+
+@app.get("/api/pricing/models")
+async def pricing_models() -> dict[str, Any]:
+    rates, source = get_model_rates()
+    return {
+        "unit": "USD per 1M tokens",
+        "source": source,
+        "note": "Calculator rates are read from the local LiteLLM pricing map when available.",
+        "models": rates,
+    }
+
+
+@app.post("/api/waitlist")
+async def join_waitlist(
+    request: Request,
+    settings: Settings = Depends(get_settings),
+):
+    content_type = request.headers.get("content-type", "")
+    if "application/json" in content_type:
+        payload = await request.json()
+    else:
+        form = await request.form()
+        payload = dict(form)
+
+    if not isinstance(payload, dict):
+        raise HTTPException(status_code=422, detail="Submit only an email address.")
+
+    extra_fields = set(payload) - WAITLIST_ALLOWED_FIELDS
+    if extra_fields:
+        raise HTTPException(status_code=422, detail="Submit only an email address.")
+
+    email = str(payload.get("email", "")).strip().lower()
+    if len(email) > 254 or not EMAIL_PATTERN.fullmatch(email):
+        raise HTTPException(status_code=422, detail="Enter a valid work email.")
+
+    inserted = append_waitlist_record(
+        settings,
+        {
+            "email": email,
+            "source": "landing_page",
+            "plan": "early_access",
+        },
+    )
+
+    if inserted:
+        try:
+            await send_waitlist_confirmation(settings, email)
+        except Exception as exc:
+            logger.warning("Waitlist confirmation email failed: %s", exc.__class__.__name__)
+
+    wants_json = "application/json" in request.headers.get("accept", "")
+    if wants_json:
+        message = (
+            "Your early access request is in. If this address is new, a confirmation email is on the way."
+            if waitlist_confirmation_available(settings)
+            else "Your early access request is in."
+        )
+        return JSONResponse({"ok": True, "email": email, "message": message})
+
+    return RedirectResponse(url="/?waitlist=joined#waitlist", status_code=status.HTTP_303_SEE_OTHER)
+
+
+@app.post("/api/github/webhook")
+async def github_webhook(
+    request: Request,
+    x_github_event: str | None = Header(default=None),
+    x_hub_signature_256: str | None = Header(default=None),
+    settings: Settings = Depends(get_settings),
+) -> dict[str, Any]:
+    raw_body = await request.body()
+    if not verify_github_signature(
+        raw_body,
+        settings.require_github_webhook_secret(),
+        x_hub_signature_256,
+    ):
+        raise HTTPException(status_code=status.HTTP_401_UNAUTHORIZED, detail="Invalid GitHub signature.")
+
+    payload = json.loads(raw_body.decode("utf-8"))
+    if x_github_event == "ping":
+        return {"ok": True, "event": "ping"}
+    if x_github_event != "pull_request":
+        return {"ok": True, "ignored": True, "reason": f"Unsupported event: {x_github_event}"}
+
+    action = payload.get("action")
+    if action not in SUPPORTED_PULL_REQUEST_ACTIONS:
+        return {"ok": True, "ignored": True, "reason": f"Unsupported pull_request action: {action}"}
+
+    pr = PullRequestContext.from_payload(payload)
+    if pr.is_draft:
+        return {"ok": True, "ignored": True, "reason": "Draft pull request."}
+
+    async with httpx.AsyncClient(timeout=60.0) as client:
+        app_client = GitHubAppClient(settings, client=client)
+        token = await app_client.create_installation_token(pr.installation_id)
+        gh = GitHubInstallationClient(settings, token=token, client=client)
+        files = await gh.list_pull_files(pr.owner, pr.repo, pr.number)
+        plan_file = find_terraform_plan_file(files, settings)
+        plan_source = "pull_request_files"
+        if plan_file is None:
+            repository_files = await gh.list_repository_tree_files(pr.owner, pr.repo, pr.head_sha)
+            plan_file = find_terraform_plan_file(repository_files, settings)
+            plan_source = "repository_tree"
+
+        if plan_file is None:
+            if settings.comment_when_no_plan:
+                await gh.upsert_pr_comment(pr.owner, pr.repo, pr.number, format_no_plan_comment(pr.title))
+            return {"ok": True, "estimated": False, "reason": "No Terraform plan JSON found."}
+
+        try:
+            plan_json = await gh.fetch_blob(pr.owner, pr.repo, plan_file.sha)
+            estimate = await InfracostClient(settings, client=client).estimate_plan_json(
+                plan_json,
+                filename=plan_file.path.rsplit("/", 1)[-1],
+            )
+            body = format_infracost_comment(
+                plan_path=plan_file.path,
+                diff_total_monthly_cost=estimate.diff_total_monthly_cost,
+                total_monthly_cost=estimate.total_monthly_cost,
+                past_total_monthly_cost=estimate.past_total_monthly_cost,
+                pr_title=pr.title,
+            )
+            await gh.upsert_pr_comment(pr.owner, pr.repo, pr.number, body)
+            return {
+                "ok": True,
+                "estimated": True,
+                "repo": pr.full_name,
+                "pull_request": pr.number,
+                "plan_path": plan_file.path,
+                "plan_source": plan_source,
+                "diff_total_monthly_cost": estimate.diff_total_monthly_cost,
+            }
+        except Exception as exc:
+            await gh.upsert_pr_comment(pr.owner, pr.repo, pr.number, format_error_comment(pr.title, str(exc)))
+            raise
+
+
+@app.post("/api/llm/keys")
+async def create_llm_virtual_key(
+    payload: VirtualKeyRequest,
+    settings: Settings = Depends(get_settings),
+) -> dict[str, Any]:
+    return await LiteLLMAdminClient(settings).create_virtual_key(payload)
+
+
+@app.post("/api/llm/usage")
+async def ingest_llm_usage(
+    request: Request,
+    x_cloudcost_token: str | None = Header(default=None),
+    settings: Settings = Depends(get_settings),
+) -> dict[str, Any]:
+    if settings.usage_ingest_token and x_cloudcost_token != settings.usage_ingest_token:
+        raise HTTPException(status_code=status.HTTP_401_UNAUTHORIZED, detail="Invalid usage ingest token.")
+
+    raw_payload = await request.json()
+    clean_payload = sanitize_usage_payload(raw_payload)
+    event = UsageEvent.model_validate(clean_payload)
+    append_usage_event(settings, event.model_dump(mode="json"))
+    return {"ok": True}
+
+
+@app.get("/api/llm/usage/summary")
+async def llm_usage_summary(
+    limit: int = 1000,
+    settings: Settings = Depends(get_settings),
+) -> dict[str, Any]:
+    events = read_usage_event_records(settings, limit=limit)
+    return summarize_usage(events)