Cap retention days

.github/workflows/cicd.yml

@@ -1,4 +1,4 @@
-name: Public Pipeline
+name: Public CICD Pipeline
 
 # CI/CD workflow for building, publishing, mirroring, signing container images and building release binaries.
 # Actions are pinned to specific SHAs to reduce supply-chain risk. This workflow triggers on tag push events.

.github/workflows/test.yml

@@ -37,7 +37,7 @@ jobs:
         run: npm run db:generate
 
       - name: Apply database migrations
-        run: npm run db:sqlite:push
+        run: npm run db:push
 
       - name: Test with tsc
         run: npx tsc --noEmit

.gitignore

@@ -51,4 +51,5 @@ dynamic/
 scratch/
 tsconfig.json
 hydrateSaas.ts
-CLAUDE.md
+CLAUDE.md
+drizzle.config.ts

Dockerfile

@@ -16,7 +16,7 @@ COPY . .
 RUN if [ "$BUILD" = "oss" ]; then rm -rf server/private; fi && \
     npm run set:$DATABASE && \
     npm run set:$BUILD && \
-    npm run db:$DATABASE:generate && \
+    npm run db:generate && \
     npm run build && \
     npm run build:cli
 

drizzle.config.ts

@@ -1,14 +0,0 @@
-import { defineConfig } from "drizzle-kit";
-import path from "path";
-
-const schema = [path.join("server", "db", "pg", "schema")];
-
-export default defineConfig({
-    dialect: "postgresql",
-    schema: schema,
-    out: path.join("server", "migrations"),
-    verbose: true,
-    dbCredentials: {
-        url: process.env.DATABASE_URL as string
-    }
-});

package.json

@@ -13,13 +13,10 @@
     "scripts": {
         "dev": "NODE_ENV=development ENVIRONMENT=dev tsx watch server/index.ts",
         "dev:check": "npx tsc --noEmit && npm run format:check",
-        "dev:setup": "cp config/config.example.yml config/config.yml && npm run set:oss && npm run set:sqlite && npm run db:generate && npm run db:sqlite:push",
-        "db:pg:generate": "drizzle-kit generate --config=./drizzle.pg.config.ts",
-        "db:sqlite:generate": "drizzle-kit generate --config=./drizzle.sqlite.config.ts",
-        "db:pg:push": "npx tsx server/db/pg/migrate.ts",
-        "db:sqlite:push": "npx tsx server/db/sqlite/migrate.ts",
-        "db:pg:studio": "drizzle-kit studio --config=./drizzle.pg.config.ts",
-        "db:sqlite:studio": "drizzle-kit studio --config=./drizzle.sqlite.config.ts",
+        "dev:setup": "cp config/config.example.yml config/config.yml && npm run set:oss && npm run set:sqlite && npm run db:sqlite:generate && npm run db:sqlite:push",
+        "db:generate": "drizzle-kit generate --config=./drizzle.config.ts",
+        "db:push": "npx tsx server/db/pg/migrate.ts",
+        "db:studio": "drizzle-kit studio --config=./drizzle.config.ts",
         "db:clear-migrations": "rm -rf server/migrations",
         "set:oss": "echo 'export const build = \"oss\" as \"saas\" | \"enterprise\" | \"oss\";' > server/build.ts && cp tsconfig.oss.json tsconfig.json",
         "set:saas": "echo 'export const build = \"saas\" as \"saas\" | \"enterprise\" | \"oss\";' > server/build.ts && cp tsconfig.saas.json tsconfig.json",

server/db/README.md

@@ -56,15 +56,15 @@ Ensure drizzle-kit is installed.
 You must have a connection string in your config file, as shown above.
 
 ```bash
-npm run db:pg:generate
-npm run db:pg:push
+npm run db:generate
+npm run db:push
 ```
 
 ### SQLite
 
 ```bash
-npm run db:sqlite:generate
-npm run db:sqlite:push
+npm run db:generate
+npm run db:push
 ```
 
 ## Build Time

server/db/migrate.ts

@@ -0,0 +1,3 @@
+import { runMigrations } from "./";
+
+await runMigrations();

server/db/pg/index.ts

@@ -1,3 +1,4 @@
 export * from "./driver";
 export * from "./schema/schema";
 export * from "./schema/privateSchema";
+export * from "./migrate";

server/db/pg/migrate.ts

@@ -4,7 +4,7 @@ import path from "path";
 
 const migrationsFolder = path.join("server/migrations");
 
-const runMigrations = async () => {
+export const runMigrations = async () => {
     console.log("Running migrations...");
     try {
         await migrate(db as any, {
@@ -17,5 +17,3 @@ const runMigrations = async () => {
         process.exit(1);
     }
 };
-
-runMigrations();

server/db/sqlite/index.ts

@@ -1,3 +1,4 @@
 export * from "./driver";
 export * from "./schema/schema";
 export * from "./schema/privateSchema";
+export * from "./migrate";

server/db/sqlite/migrate.ts

@@ -4,7 +4,7 @@ import path from "path";
 
 const migrationsFolder = path.join("server/migrations");
 
-const runMigrations = async () => {
+export const runMigrations = async () => {
     console.log("Running migrations...");
     try {
         migrate(db as any, {
@@ -16,5 +16,3 @@ const runMigrations = async () => {
         process.exit(1);
     }
 };
-
-runMigrations();

server/private/routers/billing/featureLifecycle.ts

@@ -18,6 +18,113 @@ import logger from "@server/logger";
 import { db, idp, idpOrg, loginPage, loginPageBranding, loginPageBrandingOrg, loginPageOrg, orgs, resources, roles } from "@server/db";
 import { eq } from "drizzle-orm";
 
+/**
+ * Get the maximum allowed retention days for a given tier
+ * Returns null for enterprise tier (unlimited)
+ */
+function getMaxRetentionDaysForTier(tier: Tier | null): number | null {
+    if (!tier) {
+        return 3; // Free tier
+    }
+
+    switch (tier) {
+        case "tier1":
+            return 7;
+        case "tier2":
+            return 30;
+        case "tier3":
+            return 90;
+        case "enterprise":
+            return null; // No limit
+        default:
+            return 3; // Default to free tier limit
+    }
+}
+
+/**
+ * Cap retention days to the maximum allowed for the given tier
+ */
+async function capRetentionDays(
+    orgId: string,
+    tier: Tier | null
+): Promise<void> {
+    const maxRetentionDays = getMaxRetentionDaysForTier(tier);
+
+    // If there's no limit (enterprise tier), no capping needed
+    if (maxRetentionDays === null) {
+        logger.debug(
+            `No retention day limit for org ${orgId} on tier ${tier || "free"}`
+        );
+        return;
+    }
+
+    // Get current org settings
+    const [org] = await db
+        .select()
+        .from(orgs)
+        .where(eq(orgs.orgId, orgId));
+
+    if (!org) {
+        logger.warn(`Org ${orgId} not found when capping retention days`);
+        return;
+    }
+
+    const updates: Partial<typeof orgs.$inferInsert> = {};
+    let needsUpdate = false;
+
+    // Cap request log retention if it exceeds the limit
+    if (
+        org.settingsLogRetentionDaysRequest !== null &&
+        org.settingsLogRetentionDaysRequest > maxRetentionDays
+    ) {
+        updates.settingsLogRetentionDaysRequest = maxRetentionDays;
+        needsUpdate = true;
+        logger.info(
+            `Capping request log retention from ${org.settingsLogRetentionDaysRequest} to ${maxRetentionDays} days for org ${orgId}`
+        );
+    }
+
+    // Cap access log retention if it exceeds the limit
+    if (
+        org.settingsLogRetentionDaysAccess !== null &&
+        org.settingsLogRetentionDaysAccess > maxRetentionDays
+    ) {
+        updates.settingsLogRetentionDaysAccess = maxRetentionDays;
+        needsUpdate = true;
+        logger.info(
+            `Capping access log retention from ${org.settingsLogRetentionDaysAccess} to ${maxRetentionDays} days for org ${orgId}`
+        );
+    }
+
+    // Cap action log retention if it exceeds the limit
+    if (
+        org.settingsLogRetentionDaysAction !== null &&
+        org.settingsLogRetentionDaysAction > maxRetentionDays
+    ) {
+        updates.settingsLogRetentionDaysAction = maxRetentionDays;
+        needsUpdate = true;
+        logger.info(
+            `Capping action log retention from ${org.settingsLogRetentionDaysAction} to ${maxRetentionDays} days for org ${orgId}`
+        );
+    }
+
+    // Apply updates if needed
+    if (needsUpdate) {
+        await db
+            .update(orgs)
+            .set(updates)
+            .where(eq(orgs.orgId, orgId));
+
+        logger.info(
+            `Successfully capped retention days for org ${orgId} to max ${maxRetentionDays} days`
+        );
+    } else {
+        logger.debug(
+            `No retention day capping needed for org ${orgId}`
+        );
+    }
+}
+
 export async function handleTierChange(
     orgId: string,
     newTier: SubscriptionType | null,
@@ -40,6 +147,9 @@ export async function handleTierChange(
         logger.info(
             `Org ${orgId} is reverting to free tier, disabling all paid features`
         );
+        // Cap retention days to free tier limits
+        await capRetentionDays(orgId, null);
+
         // Disable all features in the tier matrix
         for (const [featureKey] of Object.entries(tierMatrix)) {
             const feature = featureKey as TierFeature;
@@ -57,6 +167,9 @@ export async function handleTierChange(
     // Get the tier (cast as Tier since we've ruled out "license" and null)
     const tier = newTier as Tier;
 
+    // Cap retention days to the new tier's limits
+    await capRetentionDays(orgId, tier);
+
     // Check each feature in the tier matrix
     for (const [featureKey, allowedTiers] of Object.entries(tierMatrix)) {
         const feature = featureKey as TierFeature;

server/private/routers/generatedLicense/generateNewEnterpriseLicense.ts

@@ -113,7 +113,7 @@ export async function generateNewEnterpriseLicense(
         }
 
         const tier = licenseData.tier === "big_license" ? LicenseId.BIG_LICENSE : LicenseId.SMALL_LICENSE;
-        const tierPrice = getLicensePriceSet()[tier]
+        const tierPrice = getLicensePriceSet()[tier];
 
         const session = await stripe!.checkout.sessions.create({
             client_reference_id: keyId.toString(),

server/setup/.gitignore

@@ -0,0 +1 @@
+migrations.ts

server/setup/migrations.ts

@@ -1,162 +0,0 @@
-#! /usr/bin/env node
-import { migrate } from "drizzle-orm/node-postgres/migrator";
-import { db } from "../db/pg";
-import semver from "semver";
-import { versionMigrations } from "../db/pg";
-import { __DIRNAME, APP_VERSION } from "@server/lib/consts";
-import path from "path";
-import m1 from "./scriptsPg/1.6.0";
-import m2 from "./scriptsPg/1.7.0";
-import m3 from "./scriptsPg/1.8.0";
-import m4 from "./scriptsPg/1.9.0";
-import m5 from "./scriptsPg/1.10.0";
-import m6 from "./scriptsPg/1.10.2";
-import m7 from "./scriptsPg/1.11.0";
-import m8 from "./scriptsPg/1.11.1";
-import m9 from "./scriptsPg/1.12.0";
-import m10 from "./scriptsPg/1.13.0";
-import m11 from "./scriptsPg/1.14.0";
-import m12 from "./scriptsPg/1.15.0";
-
-// THIS CANNOT IMPORT ANYTHING FROM THE SERVER
-// EXCEPT FOR THE DATABASE AND THE SCHEMA
-
-// Define the migration list with versions and their corresponding functions
-const migrations = [
-    { version: "1.6.0", run: m1 },
-    { version: "1.7.0", run: m2 },
-    { version: "1.8.0", run: m3 },
-    { version: "1.9.0", run: m4 },
-    { version: "1.10.0", run: m5 },
-    { version: "1.10.2", run: m6 },
-    { version: "1.11.0", run: m7 },
-    { version: "1.11.1", run: m8 },
-    { version: "1.12.0", run: m9 },
-    { version: "1.13.0", run: m10 },
-    { version: "1.14.0", run: m11 },
-    { version: "1.15.0", run: m12 }
-    // Add new migrations here as they are created
-] as {
-    version: string;
-    run: () => Promise<void>;
-}[];
-
-await run();
-
-async function run() {
-    // run the migrations
-    await runMigrations();
-}
-
-export async function runMigrations() {
-    if (process.env.DISABLE_MIGRATIONS) {
-        console.log("Migrations are disabled. Skipping...");
-        return;
-    }
-    try {
-        const appVersion = APP_VERSION;
-
-        // determine if the migrations table exists
-        const exists = await db
-            .select()
-            .from(versionMigrations)
-            .limit(1)
-            .execute()
-            .then((res) => res.length > 0)
-            .catch(() => false);
-
-        if (exists) {
-            console.log("Migrations table exists, running scripts...");
-            await executeScripts();
-        } else {
-            console.log("Migrations table does not exist, creating it...");
-            console.log("Running migrations...");
-            try {
-                await migrate(db, {
-                    migrationsFolder: path.join(__DIRNAME, "init") // put here during the docker build
-                });
-                console.log("Migrations completed successfully.");
-            } catch (error) {
-                console.error("Error running migrations:", error);
-            }
-
-            await db
-                .insert(versionMigrations)
-                .values({
-                    version: appVersion,
-                    executedAt: Date.now()
-                })
-                .execute();
-        }
-    } catch (e) {
-        console.error("Error running migrations:", e);
-        await new Promise((resolve) =>
-            setTimeout(resolve, 1000 * 60 * 60 * 24 * 1)
-        );
-    }
-}
-
-async function executeScripts() {
-    try {
-        // Get the last executed version from the database
-        const lastExecuted = await db.select().from(versionMigrations);
-
-        // Filter and sort migrations
-        const pendingMigrations = lastExecuted
-            .map((m) => m)
-            .sort((a, b) => semver.compare(b.version, a.version));
-        const startVersion = pendingMigrations[0]?.version ?? "0.0.0";
-        console.log(`Starting migrations from version ${startVersion}`);
-
-        const migrationsToRun = migrations.filter((migration) =>
-            semver.gt(migration.version, startVersion)
-        );
-
-        console.log(
-            "Migrations to run:",
-            migrationsToRun.map((m) => m.version).join(", ")
-        );
-
-        // Run migrations in order
-        for (const migration of migrationsToRun) {
-            console.log(`Running migration ${migration.version}`);
-
-            try {
-                await migration.run();
-
-                // Update version in database
-                await db
-                    .insert(versionMigrations)
-                    .values({
-                        version: migration.version,
-                        executedAt: Date.now()
-                    })
-                    .execute();
-
-                console.log(
-                    `Successfully completed migration ${migration.version}`
-                );
-            } catch (e) {
-                if (
-                    e instanceof Error &&
-                    typeof (e as any).code === "string" &&
-                    (e as any).code === "23505"
-                ) {
-                    console.error("Migration has already run! Skipping...");
-                    continue; // or return, depending on context
-                }
-
-                console.error(
-                    `Failed to run migration ${migration.version}:`,
-                    e
-                );
-                throw e;
-            }
-        }
-
-        console.log("All migrations completed successfully");
-    } catch (error) {
-        console.error("Migration process failed:", error);
-        throw error;
-    }
-}

src/components/CreateInternalResourceDialog.tsx

@@ -303,7 +303,7 @@ export default function CreateInternalResourceDialog({
     const [udpCustomPorts, setUdpCustomPorts] = useState<string>("");
 
     const availableSites = sites.filter(
-        (site) => site.type === "newt" && site.subnet
+        (site) => site.type === "newt"
     );
 
     const form = useForm<FormData>({

src/components/EditInternalResourceDialog.tsx

@@ -397,7 +397,7 @@ export default function EditInternalResourceDialog({
     );
 
     const availableSites = sites.filter(
-        (site) => site.type === "newt" && site.subnet
+        (site) => site.type === "newt"
     );
 
     const form = useForm<FormData>({