Add initial Portal version

src/app/api/auth/[...nextauth]/route.ts

@@ -0,0 +1,2 @@
+import { handlers } from "@/lib/auth";
+export const { GET, POST } = handlers;

src/app/api/packages/route.ts

@@ -0,0 +1,12 @@
+import { NextResponse } from "next/server";
+import { auth } from "@/lib/auth";
+import { PACKAGE_CATALOG } from "@/lib/packages";
+
+export async function GET() {
+  const session = await auth();
+  if (!session?.user) {
+    return NextResponse.json({ error: "Unauthorized" }, { status: 401 });
+  }
+
+  return NextResponse.json(PACKAGE_CATALOG);
+}

src/app/api/tenants/[name]/route.ts

@@ -0,0 +1,95 @@
+import { NextRequest, NextResponse } from "next/server";
+import { auth } from "@/lib/auth";
+import { getTenant, patchTenantSpec } from "@/lib/k8s";
+
+function isPlatformRole(roles: string[]): boolean {
+  return roles.some((r) =>
+    ["platform_admin", "platform_operator"].includes(r)
+  );
+}
+
+export async function GET(
+  _req: NextRequest,
+  { params }: { params: Promise<{ name: string }> }
+) {
+  const session = await auth();
+  if (!session?.user) {
+    return NextResponse.json({ error: "Unauthorized" }, { status: 401 });
+  }
+
+  const { name } = await params;
+  const { orgId, roles } = session.user as any;
+
+  try {
+    const tenant = await getTenant(name);
+    if (!tenant) {
+      return NextResponse.json({ error: "Not found" }, { status: 404 });
+    }
+
+    // Scope check: non-platform users can only see their own org's tenants
+    if (
+      !isPlatformRole(roles || []) &&
+      tenant.metadata?.labels?.["zitadel-org-id"] !== orgId
+    ) {
+      return NextResponse.json({ error: "Forbidden" }, { status: 403 });
+    }
+
+    return NextResponse.json(tenant);
+  } catch (e: any) {
+    return NextResponse.json(
+      { error: "K8s API error", detail: e.message },
+      { status: e.statusCode || 500 }
+    );
+  }
+}
+
+export async function PATCH(
+  req: NextRequest,
+  { params }: { params: Promise<{ name: string }> }
+) {
+  const session = await auth();
+  if (!session?.user) {
+    return NextResponse.json({ error: "Unauthorized" }, { status: 401 });
+  }
+
+  const { name } = await params;
+  const { orgId, roles } = session.user as any;
+  const body = await req.json();
+  const userRoles = roles || [];
+
+  // Only owner or platform roles can patch
+  if (!isPlatformRole(userRoles) && !userRoles.includes("owner")) {
+    return NextResponse.json({ error: "Forbidden" }, { status: 403 });
+  }
+
+  try {
+    // Ownership check
+    const existing = await getTenant(name);
+    if (!existing) {
+      return NextResponse.json({ error: "Not found" }, { status: 404 });
+    }
+    if (
+      !isPlatformRole(userRoles) &&
+      existing.metadata?.labels?.["zitadel-org-id"] !== orgId
+    ) {
+      return NextResponse.json({ error: "Forbidden" }, { status: 403 });
+    }
+
+    // Build partial spec — only allow specific fields
+    const specPatch: Record<string, any> = {};
+    if (body.packages !== undefined) specPatch.packages = body.packages;
+    if (body.workspaceFiles !== undefined)
+      specPatch.workspaceFiles = body.workspaceFiles;
+    if (body.displayName !== undefined)
+      specPatch.displayName = body.displayName;
+    if (body.agentName !== undefined) specPatch.agentName = body.agentName;
+
+    const updated = await patchTenantSpec(name, specPatch);
+    return NextResponse.json(updated);
+  } catch (e: any) {
+    return NextResponse.json(
+      { error: "Patch failed", detail: e.message },
+      { status: e.statusCode || 500 }
+    );
+  }
+}

src/app/api/tenants/[name]/secrets/route.ts

@@ -0,0 +1,100 @@
+import { NextRequest, NextResponse } from "next/server";
+import { auth } from "@/lib/auth";
+import { getTenant } from "@/lib/k8s";
+import { writePackageSecrets } from "@/lib/openbao";
+import { getPackageDef } from "@/lib/packages";
+
+export async function POST(
+  req: NextRequest,
+  { params }: { params: Promise<{ name: string }> }
+) {
+  const session = await auth();
+  if (!session?.user) {
+    return NextResponse.json({ error: "Unauthorized" }, { status: 401 });
+  }
+
+  const { name } = await params;
+  const { orgId, roles } = session.user as any;
+  const userRoles = roles || [];
+
+  const isPlatform = userRoles.some((r: string) =>
+    ["platform_admin", "platform_operator"].includes(r)
+  );
+
+  if (!isPlatform && !userRoles.includes("owner")) {
+    return NextResponse.json({ error: "Forbidden" }, { status: 403 });
+  }
+
+  const body = await req.json();
+  const { packageId, secrets } = body as {
+    packageId: string;
+    secrets: Record<string, string>;
+  };
+
+  if (!packageId || !secrets || typeof secrets !== "object") {
+    return NextResponse.json(
+      { error: "Missing packageId or secrets" },
+      { status: 400 }
+    );
+  }
+
+  // Validate package exists and requires secrets
+  const pkgDef = getPackageDef(packageId);
+  if (!pkgDef) {
+    return NextResponse.json(
+      { error: "Unknown package" },
+      { status: 400 }
+    );
+  }
+  if (!pkgDef.requiresSecrets) {
+    return NextResponse.json(
+      { error: "Package does not require secrets" },
+      { status: 400 }
+    );
+  }
+
+  // Verify all required secret keys are present
+  const requiredKeys = (pkgDef.secrets || []).map((s) => s.key);
+  const missingKeys = requiredKeys.filter((k) => !secrets[k]?.trim());
+  if (missingKeys.length > 0) {
+    return NextResponse.json(
+      { error: `Missing required secrets: ${missingKeys.join(", ")}` },
+      { status: 400 }
+    );
+  }
+
+  // Verify tenant ownership
+  try {
+    const tenant = await getTenant(name);
+    if (!tenant) {
+      return NextResponse.json(
+        { error: "Tenant not found" },
+        { status: 404 }
+      );
+    }
+    if (
+      !isPlatform &&
+      tenant.metadata?.labels?.["zitadel-org-id"] !== orgId
+    ) {
+      return NextResponse.json({ error: "Forbidden" }, { status: 403 });
+    }
+  } catch (e: any) {
+    return NextResponse.json(
+      { error: "Tenant lookup failed" },
+      { status: e.statusCode || 500 }
+    );
+  }
+
+  // Write to OpenBao
+  try {
+    await writePackageSecrets(name, packageId, secrets);
+  } catch (err: any) {
+    console.error("OpenBao write error:", err.message);
+    return NextResponse.json(
+      { error: "Failed to store secrets" },
+      { status: 500 }
+    );
+  }
+
+  return NextResponse.json({ ok: true });
+}

src/app/api/tenants/route.ts

@@ -0,0 +1,56 @@
+import { NextResponse } from "next/server";
+import { getSessionUser } from "@/lib/session";
+import { listTenants, getTenant, createTenant } from "@/lib/k8s";
+import type { PiecedTenantSpec } from "@/types";
+
+export async function GET() {
+  const user = await getSessionUser();
+  if (!user)
+    return NextResponse.json({ error: "Unauthorized" }, { status: 401 });
+
+  const tenants = await listTenants();
+
+  if (user.isPlatform) {
+    return NextResponse.json(tenants);
+  }
+
+  // Customers see only their own tenant
+  const own = tenants.filter(
+    (t) => t.metadata.labels?.["pieced.ch/zitadel-org-id"] === user.orgId
+  );
+  return NextResponse.json(own);
+}
+
+export async function POST(request: Request) {
+  const user = await getSessionUser();
+  if (!user)
+    return NextResponse.json({ error: "Unauthorized" }, { status: 401 });
+  if (!user.isPlatform && !user.roles.includes("owner")) {
+    return NextResponse.json({ error: "Forbidden" }, { status: 403 });
+  }
+
+  const body = (await request.json()) as {
+    name: string;
+    spec: PiecedTenantSpec;
+  };
+
+  if (!/^[a-z0-9][a-z0-9-]*[a-z0-9]$/.test(body.name) || body.name.length > 63) {
+    return NextResponse.json(
+      { error: "Invalid tenant name: lowercase alphanumeric and hyphens, 2-63 chars" },
+      { status: 400 }
+    );
+  }
+
+  const existing = await getTenant(body.name);
+  if (existing) {
+    return NextResponse.json(
+      { error: "Tenant already exists" },
+      { status: 409 }
+    );
+  }
+
+  const tenant = await createTenant(body.name, body.spec, {
+    "pieced.ch/zitadel-org-id": user.orgId,
+  });
+  return NextResponse.json(tenant, { status: 201 });
+}

src/app/api/usage/route.ts

@@ -0,0 +1,107 @@
+import { NextRequest, NextResponse } from "next/server";
+import { auth } from "@/lib/auth";
+import { getTeamInfo, getTeamSpendLogs } from "@/lib/litellm";
+
+// Pricing constants (CHF)
+const INPUT_RATE = 3; // CHF per MTok
+const OUTPUT_RATE = 15; // CHF per MTok
+
+export async function GET(req: NextRequest) {
+  const session = await auth();
+  if (!session?.user) {
+    return NextResponse.json({ error: "Unauthorized" }, { status: 401 });
+  }
+
+  const { orgId } = session.user as any;
+  if (!orgId) {
+    return NextResponse.json(
+      { error: "No org context" },
+      { status: 400 }
+    );
+  }
+
+  // The LiteLLM team_id maps to the tenant name, which is derived from orgId
+  // Convention: team_id = "pieced-{orgId}" or looked up from the tenant CR
+  const searchParams = req.nextUrl.searchParams;
+  const teamId = searchParams.get("teamId");
+
+  if (!teamId) {
+    return NextResponse.json(
+      { error: "teamId query param required" },
+      { status: 400 }
+    );
+  }
+
+  try {
+    // Current period info
+    const teamInfo = await getTeamInfo(teamId);
+
+    // Historical spend logs (last 30 days)
+    const endDate = new Date();
+    const startDate = new Date();
+    startDate.setDate(startDate.getDate() - 30);
+
+    const spendLogs = await getTeamSpendLogs(
+      teamId,
+      startDate.toISOString().split("T")[0],
+      endDate.toISOString().split("T")[0]
+    );
+
+    // Calculate CHF costs from token counts
+    const dailyUsage = (spendLogs || []).map((day: any) => ({
+      date: day.date || day.day,
+      inputTokens: day.prompt_tokens || 0,
+      outputTokens: day.completion_tokens || 0,
+      inputCostCHF:
+        ((day.prompt_tokens || 0) / 1_000_000) * INPUT_RATE,
+      outputCostCHF:
+        ((day.completion_tokens || 0) / 1_000_000) * OUTPUT_RATE,
+      totalCostCHF:
+        ((day.prompt_tokens || 0) / 1_000_000) * INPUT_RATE +
+        ((day.completion_tokens || 0) / 1_000_000) * OUTPUT_RATE,
+    }));
+
+    // Totals for current period
+    const totalInputTokens = dailyUsage.reduce(
+      (s: number, d: any) => s + d.inputTokens,
+      0
+    );
+    const totalOutputTokens = dailyUsage.reduce(
+      (s: number, d: any) => s + d.outputTokens,
+      0
+    );
+    const totalCostCHF = dailyUsage.reduce(
+      (s: number, d: any) => s + d.totalCostCHF,
+      0
+    );
+
+    return NextResponse.json({
+      teamId,
+      currentPeriod: {
+        inputTokens: totalInputTokens,
+        outputTokens: totalOutputTokens,
+        inputCostCHF: (totalInputTokens / 1_000_000) * INPUT_RATE,
+        outputCostCHF: (totalOutputTokens / 1_000_000) * OUTPUT_RATE,
+        totalCostCHF,
+      },
+      budget: {
+        maxBudget: teamInfo?.max_budget ?? null,
+        spend: teamInfo?.spend ?? 0,
+        remaining: teamInfo?.max_budget
+          ? teamInfo.max_budget - (teamInfo.spend ?? 0)
+          : null,
+      },
+      rateLimits: {
+        rpm: teamInfo?.rpm_limit ?? null,
+        tpm: teamInfo?.tpm_limit ?? null,
+      },
+      dailyUsage,
+    });
+  } catch (err: any) {
+    console.error("Usage fetch error:", err.message);
+    return NextResponse.json(
+      { error: "Failed to fetch usage data" },
+      { status: 500 }
+    );
+  }
+}