Add pre-job credit check, user tracking, admin tools, and enable login

turinglabsorg · claude · turinglabsorg · commit 0ac9e0171e64 · 2026-02-19T17:54:57.000+01:00
- Agent: check credit balance before running jobs, fail with comment if
  user has no credits remaining
- Webhook: attach userId from webhook registration to new jobs so credits
  can be tracked per-user
- API: add POST /admin/grant-credits endpoint for admin credit grants
- CLI: add grant-credits.ts script for command-line credit management
- Frontend: add CSRF token to mutating API requests, enable GitHub login
  button (remove "coming soon" placeholder)
- Shared: add getUserByLogin() to state manager

Co-Authored-By: Claude Opus 4.6 &lt;noreply@anthropic.com&gt;
diff --git a/agent/src/index.ts b/agent/src/index.ts
@@ -11,6 +11,7 @@ import {
   getBuffer,
   subscribe,
   pushLine,
+  postComment,
   getInstallationToken,
   clearTokenCache,
   getAppInfo,
@@ -658,6 +659,22 @@ async function main() {
       running++;
       log.info(`Claimed job ${job.id} (running: ${running}/${config.maxConcurrentJobs})`);
 
+      // Pre-job credit check
+      if (config.billingEnabled && job.userId) {
+        const balance = await state.getCreditBalance(job.userId);
+        if (!balance || balance.credits <= 0) {
+          const now = new Date().toISOString();
+          await state.upsertJob({ ...job, status: "failed", failureReason: "Insufficient credits", updatedAt: now });
+          await postComment(
+            job.owner, job.repo, job.issueNumber,
+            "This job cannot run because you have no credits remaining. Please purchase credits to continue.",
+            config
+          );
+          running--;
+          return;
+        }
+      }
+
       // Build the QueuedJob from the claimed JobState
       const queuedJob = await buildQueuedJob(job, config, state);
       if (!queuedJob) {
diff --git a/agent/src/webhook.ts b/agent/src/webhook.ts
@@ -110,6 +110,8 @@ async function handleIssueComment(
     return;
   }
 
+  const reg = await state.getWebhookByRepoId(`${owner}/${repo}`);
+
   const jobId = `${owner}/${repo}#${issueNumber}`;
   const now = new Date().toISOString();
   const jobState: JobState = {
@@ -121,6 +123,7 @@ async function handleIssueComment(
     branch: `grog/issue-${issueNumber}`,
     issueTitle: payload.issue.title,
     triggerCommentId: payload.comment.id,
+    userId: reg?.userId,
     startedAt: now,
     updatedAt: now,
   };
@@ -198,6 +201,8 @@ async function handleIssuesEvent(
 
   log.info(`Auto-solving new issue ${owner}/${repo}#${payload.issue.number}`);
 
+  const reg = await state.getWebhookByRepoId(`${owner}/${repo}`);
+
   const jobId = `${owner}/${repo}#${payload.issue.number}`;
   const now = new Date().toISOString();
   const jobState: JobState = {
@@ -209,6 +214,7 @@ async function handleIssuesEvent(
     branch: `grog/issue-${payload.issue.number}`,
     issueTitle: payload.issue.title,
     triggerCommentId: 0,
+    userId: reg?.userId,
     startedAt: now,
     updatedAt: now,
   };
diff --git a/api/cli/grant-credits.ts b/api/cli/grant-credits.ts
@@ -0,0 +1,51 @@
+import { loadConfig, StateManager } from "@grog/shared";
+
+async function main() {
+  const [target, amountStr] = process.argv.slice(2);
+
+  if (!target || !amountStr) {
+    console.error("Usage: npx tsx cli/grant-credits.ts <github-login-or-id> <amount>");
+    process.exit(1);
+  }
+
+  const amount = parseInt(amountStr, 10);
+  if (!Number.isFinite(amount) || amount <= 0) {
+    console.error("Error: amount must be a positive integer");
+    process.exit(1);
+  }
+
+  const config = loadConfig();
+  const state = await StateManager.connect(config.mongodbUri);
+
+  // Determine if target is a numeric GitHub ID or a login string
+  const isNumeric = /^\d+$/.test(target);
+  const user = isNumeric
+    ? await state.getUserByGithubId(parseInt(target, 10))
+    : await state.getUserByLogin(target);
+
+  if (!user) {
+    console.error(`Error: user not found: ${target}`);
+    process.exit(1);
+  }
+
+  const balance = await state.addCredits(user.githubId, amount);
+
+  await state.recordCreditTransaction({
+    id: `grant-${Date.now()}-${Math.random().toString(36).slice(2, 8)}`,
+    userId: user.githubId,
+    type: "grant",
+    amount,
+    balanceAfter: balance.credits,
+    description: `CLI grant of ${amount} credits`,
+    createdAt: new Date().toISOString(),
+  });
+
+  console.log(`Granted ${amount} credits to ${user.login} (GitHub ID: ${user.githubId})`);
+  console.log(`New balance: ${balance.credits} credits`);
+  process.exit(0);
+}
+
+main().catch((err) => {
+  console.error(`Failed: ${err}`);
+  process.exit(1);
+});
diff --git a/api/src/index.ts b/api/src/index.ts
@@ -49,6 +49,40 @@ async function main() {
     res.json(await state.getStats());
   });
 
+  // Admin grant credits
+  app.post("/admin/grant-credits", requireAuth(config, state), requireAdmin(config), async (req, res) => {
+    const { login, amount } = req.body as { login?: string; amount?: number };
+
+    if (!login || typeof login !== "string") {
+      res.status(400).json({ error: "login is required" });
+      return;
+    }
+    if (!amount || typeof amount !== "number" || amount <= 0 || !Number.isInteger(amount)) {
+      res.status(400).json({ error: "amount must be a positive integer" });
+      return;
+    }
+
+    const user = await state.getUserByLogin(login);
+    if (!user) {
+      res.status(404).json({ error: `User not found: ${login}` });
+      return;
+    }
+
+    const balance = await state.addCredits(user.githubId, amount);
+    await state.recordCreditTransaction({
+      id: `grant-${Date.now()}-${Math.random().toString(36).slice(2, 8)}`,
+      userId: user.githubId,
+      type: "grant",
+      amount,
+      balanceAfter: balance.credits,
+      description: `Admin grant of ${amount} credits`,
+      createdAt: new Date().toISOString(),
+    });
+
+    log.info(`Admin granted ${amount} credits to ${login} (${user.githubId})`);
+    res.json({ login, githubId: user.githubId, credits: balance.credits });
+  });
+
   // Health check
   app.get("/health", (_req, res) => {
     res.json({ status: "ok" });
diff --git a/app/src/api.ts b/app/src/api.ts
@@ -1,9 +1,25 @@
 const API_BASE = "";
 
+function getCsrfToken(): string | undefined {
+  const match = document.cookie.match(/(?:^|;\s*)grog_csrf=([^;]*)/);
+  return match ? match[1] : undefined;
+}
+
 export async function apiFetch<T>(path: string, init?: RequestInit): Promise<T> {
+  const method = init?.method?.toUpperCase() ?? "GET";
+  const headers = new Headers(init?.headers);
+
+  if (["POST", "PUT", "PATCH", "DELETE"].includes(method)) {
+    const csrf = getCsrfToken();
+    if (csrf) {
+      headers.set("X-CSRF-Token", csrf);
+    }
+  }
+
   const res = await fetch(`${API_BASE}${path}`, {
     credentials: "include",
     ...init,
+    headers,
   });
   if (!res.ok) throw new Error(`API ${res.status}: ${res.statusText}`);
   return res.json() as Promise<T>;
diff --git a/app/src/components/Header.module.css b/app/src/components/Header.module.css
@@ -80,11 +80,16 @@
   font-weight: 600;
   text-decoration: none;
   font-family: var(--font-mono);
-  cursor: default;
+  cursor: pointer;
   position: relative;
   transition: border-color 0.3s;
 }
 
+.loginBtn:hover {
+  border-color: var(--cyan);
+  color: var(--text-primary);
+}
+
 .comingSoon {
   font-size: 9px;
   text-transform: uppercase;
diff --git a/app/src/components/Header.tsx b/app/src/components/Header.tsx
@@ -29,13 +29,12 @@ export function Header({ user }: Props) {
             </button>
           </>
         ) : (
-          <span className={styles.loginBtn}>
+          <a href="/auth/github" className={styles.loginBtn}>
             <svg viewBox="0 0 16 16" width="18" height="18" fill="currentColor">
               <path d="M8 0C3.58 0 0 3.58 0 8c0 3.54 2.29 6.53 5.47 7.59.4.07.55-.17.55-.38 0-.19-.01-.82-.01-1.49-2.01.37-2.53-.49-2.69-.94-.09-.23-.48-.94-.82-1.13-.28-.15-.68-.52-.01-.53.63-.01 1.08.58 1.23.82.72 1.21 1.87.87 2.33.66.07-.52.28-.87.51-1.07-1.78-.2-3.64-.89-3.64-3.95 0-.87.31-1.59.82-2.15-.08-.2-.36-1.02.08-2.12 0 0 .67-.21 2.2.82.64-.18 1.32-.27 2-.27.68 0 1.36.09 2 .27 1.53-1.04 2.2-.82 2.2-.82.44 1.1.16 1.92.08 2.12.51.56.82 1.27.82 2.15 0 3.07-1.87 3.75-3.65 3.95.29.25.54.73.54 1.48 0 1.07-.01 1.93-.01 2.2 0 .21.15.46.55.38A8.013 8.013 0 0016 8c0-4.42-3.58-8-8-8z" />
             </svg>
             Login with GitHub
-            <span className={styles.comingSoon}>coming soon</span>
-          </span>
+          </a>
         )}
       </div>
     </header>
diff --git a/shared/src/state.ts b/shared/src/state.ts
@@ -221,6 +221,14 @@ export class StateManager {
     return doc ?? undefined;
   }
 
+  async getUserByLogin(login: string): Promise<GrogUser | undefined> {
+    const doc = await this.usersCollection.findOne(
+      { login },
+      { projection: { _id: 0 } }
+    );
+    return doc ?? undefined;
+  }
+
   // --- Webhook Registrations ---
 
   async upsertWebhookRegistration(reg: WebhookRegistration): Promise<void> {
