feat: plan limits (#14)

* feat: add string billing support

* fix: failing builds

* fix: lint, type erorrs and database typing

* feat: enable plan limits

Author: krakenhavoc

backend/src/auth/auth.service.spec.ts

@@ -30,6 +30,7 @@ describe('AuthService', () => {
     findOne: jest.Mock;
     find: jest.Mock;
     delete: jest.Mock;
+    count: jest.Mock;
   };
   let mockUserRepo: { findOne: jest.Mock; create: jest.Mock; save: jest.Mock };
 
@@ -40,6 +41,7 @@ describe('AuthService', () => {
       findOne: jest.fn(),
       find: jest.fn(),
       delete: jest.fn(),
+      count: jest.fn().mockResolvedValue(0),
     };
     mockUserRepo = {
       findOne: jest.fn(),

backend/src/auth/auth.service.ts

@@ -1,4 +1,9 @@
-import { Injectable, Logger, NotFoundException } from '@nestjs/common';
+import {
+  Injectable,
+  Logger,
+  NotFoundException,
+  HttpException,
+} from '@nestjs/common';
 import { ConfigService } from '@nestjs/config';
 import { Repository } from 'typeorm';
 import { UserApiKey } from './entities/user-api-key.entity';
@@ -9,10 +14,12 @@ import { Domain } from '../domains/entities/domain.entity';
 import { TlsCrt } from '../certs/tls/entities/tls-crt.entity';
 import { UpdateProfileDto } from './dto/update-profile.dto';
 import { BillingService } from '../billing/billing.service';
+import { PLAN_LIMITS } from '../billing/constants/plan-limits';
 import type {
   ApiKey,
   AuthCallbackResponse,
   CreateApiKeyResponse,
+  SubscriptionPlan,
   UserProfile,
 } from '@krakenkey/shared';
 
@@ -163,6 +170,28 @@ export class AuthService {
    * The raw key is returned only once - it cannot be retrieved later.
    */
   async createApiKey(userId: string, name: string, expiresAt?: string) {
+    // Plan-based API key limit check
+    const plan = (await this.billingService.resolveUserTier(
+      userId,
+    )) as SubscriptionPlan;
+    const limits = PLAN_LIMITS[plan] ?? PLAN_LIMITS.free;
+    if (limits.apiKeys !== Infinity) {
+      const count = await this.userApiKeyRepo.count({
+        where: { userId },
+      });
+      if (count >= limits.apiKeys) {
+        throw new HttpException(
+          {
+            message: 'API key limit reached',
+            limit: limits.apiKeys,
+            current: count,
+            plan,
+          },
+          402,
+        );
+      }
+    }
+
     const rawKey = `kk_${randomBytes(24).toString('hex')}`;
     const hash = createHash('sha256').update(rawKey).digest('hex');
 

backend/src/billing/constants/plan-limits.ts

@@ -0,0 +1,53 @@
+import type { SubscriptionPlan } from '@krakenkey/shared';
+
+export interface PlanLimits {
+  domains: number;
+  apiKeys: number;
+  certsPerMonth: number;
+  totalActiveCerts: number;
+  concurrentPending: number;
+  renewalWindowDays: number;
+}
+
+export const PLAN_LIMITS: Record<SubscriptionPlan, PlanLimits> = {
+  free: {
+    domains: 3,
+    apiKeys: 2,
+    certsPerMonth: 5,
+    totalActiveCerts: 10,
+    concurrentPending: 2,
+    renewalWindowDays: 5,
+  },
+  starter: {
+    domains: 10,
+    apiKeys: 5,
+    certsPerMonth: 50,
+    totalActiveCerts: 75,
+    concurrentPending: 5,
+    renewalWindowDays: 30,
+  },
+  team: {
+    domains: 25,
+    apiKeys: 10,
+    certsPerMonth: 250,
+    totalActiveCerts: 375,
+    concurrentPending: 25,
+    renewalWindowDays: 30,
+  },
+  business: {
+    domains: 75,
+    apiKeys: 25,
+    certsPerMonth: 1000,
+    totalActiveCerts: 1500,
+    concurrentPending: 100,
+    renewalWindowDays: 30,
+  },
+  enterprise: {
+    domains: Infinity,
+    apiKeys: Infinity,
+    certsPerMonth: Infinity,
+    totalActiveCerts: Infinity,
+    concurrentPending: Infinity,
+    renewalWindowDays: 30,
+  },
+} as const;

backend/src/certs/tls/services/cert-monitor.service.spec.ts

@@ -6,6 +6,7 @@ import { TlsCrt } from '../entities/tls-crt.entity';
 import { CertStatus } from '@krakenkey/shared';
 import { MetricsService } from '../../../metrics/metrics.service';
 import { EmailService } from '../../../notifications/email.service';
+import { BillingService } from '../../../billing/billing.service';
 
 describe('CertMonitorService', () => {
   let service: CertMonitorService;
@@ -14,9 +15,10 @@ describe('CertMonitorService', () => {
 
   const expiringCert = {
     id: 1,
+    userId: 'user-123',
     status: 'issued',
     autoRenew: true,
-    expiresAt: new Date(Date.now() + 15 * 24 * 60 * 60 * 1000), // 15 days from now
+    expiresAt: new Date(Date.now() + 3 * 24 * 60 * 60 * 1000), // 3 days from now (within free tier 5-day window)
   } as TlsCrt;
 
   beforeEach(async () => {
@@ -53,6 +55,10 @@ describe('CertMonitorService', () => {
             sendCertExpiryWarning: jest.fn(),
           },
         },
+        {
+          provide: BillingService,
+          useValue: { resolveUserTier: jest.fn().mockResolvedValue('free') },
+        },
       ],
     }).compile();
 

backend/src/certs/tls/services/cert-monitor.service.ts

@@ -5,8 +5,11 @@ import { LessThan, Repository } from 'typeorm';
 import { TlsCrt } from '../entities/tls-crt.entity';
 import { TlsService } from '../tls.service';
 import { CertStatus } from '@krakenkey/shared';
+import type { SubscriptionPlan } from '@krakenkey/shared';
 import { MetricsService } from '../../../metrics/metrics.service';
 import { EmailService } from '../../../notifications/email.service';
+import { BillingService } from '../../../billing/billing.service';
+import { PLAN_LIMITS } from '../../../billing/constants/plan-limits';
 
 @Injectable()
 export class CertMonitorService {
@@ -18,14 +21,17 @@ export class CertMonitorService {
     private readonly tlsService: TlsService,
     private readonly metricsService: MetricsService,
     private readonly emailService: EmailService,
+    private readonly billingService: BillingService,
   ) {}
 
   /**
-   * Runs daily at 6 AM. Finds all issued certificates expiring within 30 days
-   * and queues a renewal job for each via BullMQ.
+   * Runs daily at 6 AM. Finds all issued certificates expiring within their
+   * tier-specific renewal window and queues a renewal job for each via BullMQ.
+   * Free tier: 5-day window, paid tiers: 30-day window.
    */
   @Cron(CronExpression.EVERY_DAY_AT_6AM)
   async checkExpiringCertificates(): Promise<void> {
+    // Use max window (30 days) for the DB query, then filter per-user by tier
     const threshold = new Date();
     threshold.setDate(threshold.getDate() + 30);
 
@@ -60,11 +66,31 @@ export class CertMonitorService {
       `Certificate expiry check: ${expiring.length} certificate(s) expiring within 30 days`,
     );
 
+    // Cache plan lookups to avoid redundant calls for certs owned by the same user
+    const planCache = new Map<string, SubscriptionPlan>();
+
     for (const cert of expiring) {
-      if (cert.user && cert.expiresAt) {
-        const daysUntilExpiry = Math.floor(
-          (cert.expiresAt.getTime() - Date.now()) / 86_400_000,
-        );
+      if (!cert.expiresAt) continue;
+
+      const daysUntilExpiry = Math.floor(
+        (cert.expiresAt.getTime() - Date.now()) / 86_400_000,
+      );
+
+      // Determine tier-specific renewal window (cached per user)
+      let userPlan = planCache.get(cert.userId);
+      if (!userPlan) {
+        userPlan = (await this.billingService.resolveUserTier(
+          cert.userId,
+        )) as SubscriptionPlan;
+        planCache.set(cert.userId, userPlan);
+      }
+      const windowDays =
+        (PLAN_LIMITS[userPlan] ?? PLAN_LIMITS.free).renewalWindowDays;
+
+      // Skip certs outside this user's renewal window
+      if (daysUntilExpiry > windowDays) continue;
+
+      if (cert.user) {
         const commonName =
           (cert.parsedCsr?.subject?.find((a) => a.shortName === 'CN')
             ?.value as string) ??

backend/src/certs/tls/tls.module.ts

@@ -13,6 +13,7 @@ import { Route53DnsStrategy } from './strategies/route53-dns.strategy';
 import { ConfigService } from '@nestjs/config';
 import { DnsProvider } from './interfaces/dns-provider.interface';
 import { DomainsModule } from '../../domains/domains.module';
+import { BillingModule } from '../../billing/billing.module';
 import { CertMonitorService } from './services/cert-monitor.service';
 
 @Module({
@@ -22,6 +23,7 @@ import { CertMonitorService } from './services/cert-monitor.service';
       name: 'tlsCertIssuance',
     }),
     DomainsModule,
+    BillingModule,
   ],
   controllers: [TlsController],
   providers: [

backend/src/certs/tls/tls.service.spec.ts

@@ -14,6 +14,7 @@ import { TlsCrt } from './entities/tls-crt.entity';
 import { getQueueToken } from '@nestjs/bullmq';
 import type { ParsedCsr } from '@krakenkey/shared';
 import { EmailService } from '../../notifications/email.service';
+import { BillingService } from '../../billing/billing.service';
 
 describe('TlsService', () => {
   let service: TlsService;
@@ -35,6 +36,7 @@ describe('TlsService', () => {
       findOneBy: jest.fn().mockResolvedValue(null),
       update: jest.fn().mockResolvedValue({ affected: 1 }),
       delete: jest.fn().mockResolvedValue({ affected: 1 }),
+      count: jest.fn().mockResolvedValue(0),
     };
 
     mockQueue = {
@@ -105,8 +107,13 @@ describe('TlsService', () => {
             sendCertExpiryWarning: jest.fn(),
             sendCertFailed: jest.fn(),
             sendCertRevoked: jest.fn(),
+            sendPlanLimitReached: jest.fn(),
           },
         },
+        {
+          provide: BillingService,
+          useValue: { resolveUserTier: jest.fn().mockResolvedValue('free') },
+        },
       ],
     }).compile();