feat(coding-plans): implement managed MiniMax lifecycle

Author: jeanduplessis

apps/web/src/app/api/cron/coding-plans-billing/route.ts

@@ -0,0 +1,36 @@
+import { NextResponse } from 'next/server';
+
+import { db } from '@/lib/drizzle';
+import { CRON_SECRET } from '@/lib/config.server';
+import { sentryLogger } from '@/lib/utils.server';
+import { runCodingPlanBillingLifecycleCron } from '@/lib/coding-plans/billing-lifecycle-cron';
+
+if (!CRON_SECRET) {
+  throw new Error('CRON_SECRET is not configured in environment variables');
+}
+
+export async function GET(request: Request) {
+  const authHeader = request.headers.get('authorization');
+  const expectedAuth = `Bearer ${CRON_SECRET}`;
+  if (authHeader !== expectedAuth) {
+    sentryLogger(
+      'cron',
+      'warning'
+    )(
+      'SECURITY: Invalid coding-plans-billing CRON authorization attempt: ' +
+        (authHeader ? 'Invalid authorization header' : 'Missing authorization header')
+    );
+    return NextResponse.json({ error: 'Unauthorized' }, { status: 401 });
+  }
+
+  const summary = await runCodingPlanBillingLifecycleCron(db);
+
+  return NextResponse.json(
+    {
+      success: true,
+      summary,
+      timestamp: new Date().toISOString(),
+    },
+    { status: 200 }
+  );
+}

apps/web/src/lib/ai-gateway/byok/coding-plan-entitlement.test.ts

@@ -0,0 +1,59 @@
+/* eslint-disable drizzle/enforce-delete-with-where */
+import { encryptApiKey } from '@/lib/ai-gateway/byok/encryption';
+import { getBYOKforUser } from '@/lib/ai-gateway/byok';
+import { BYOK_ENCRYPTION_KEY } from '@/lib/config.server';
+import { db } from '@/lib/drizzle';
+import { insertTestUser } from '@/tests/helpers/user.helper';
+import { byok_api_keys, kilocode_users } from '@kilocode/db/schema';
+import { eq } from 'drizzle-orm';
+
+async function seedMiniMaxKey(managementSource: 'user' | 'coding_plan', isEnabled = true) {
+  const user = await insertTestUser();
+  await db.insert(byok_api_keys).values({
+    kilo_user_id: user.id,
+    provider_id: 'minimax',
+    encrypted_api_key: encryptApiKey(`minimax-${crypto.randomUUID()}`, BYOK_ENCRYPTION_KEY),
+    management_source: managementSource,
+    is_enabled: isEnabled,
+    created_by: user.id,
+  });
+  return user;
+}
+
+afterEach(async () => {
+  await db.delete(byok_api_keys);
+  await db.delete(kilocode_users);
+});
+
+describe('Coding Plan MiniMax BYOK routing', () => {
+  it('loads a Token Plan Plus-installed key through ordinary MiniMax routing', async () => {
+    const user = await seedMiniMaxKey('coding_plan');
+
+    const byok = await getBYOKforUser(db, user.id, ['minimax']);
+
+    expect(byok).toHaveLength(1);
+    expect(byok?.[0].providerId).toBe('minimax');
+  });
+
+  it('uses a subscriber replacement as ordinary MiniMax BYOK', async () => {
+    const user = await seedMiniMaxKey('user');
+
+    const byok = await getBYOKforUser(db, user.id, ['minimax']);
+
+    expect(byok).toHaveLength(1);
+    expect(byok?.[0].providerId).toBe('minimax');
+  });
+
+  it('does not route a disabled MiniMax BYOK key', async () => {
+    const user = await seedMiniMaxKey('coding_plan', false);
+
+    expect(await getBYOKforUser(db, user.id, ['minimax'])).toBeNull();
+  });
+
+  it('does not route after the configured MiniMax key is deleted', async () => {
+    const user = await seedMiniMaxKey('coding_plan');
+    await db.delete(byok_api_keys).where(eq(byok_api_keys.kilo_user_id, user.id));
+
+    expect(await getBYOKforUser(db, user.id, ['minimax'])).toBeNull();
+  });
+});

apps/web/src/lib/ai-gateway/byok/index.ts

@@ -1,6 +1,6 @@
 import { type db } from '@/lib/drizzle';
 import { byok_api_keys } from '@kilocode/db/schema';
-import { eq, and, inArray } from 'drizzle-orm';
+import { and, eq, inArray } from 'drizzle-orm';
 import type { EncryptedData } from '@/lib/ai-gateway/byok/encryption';
 import { decryptApiKey } from '@/lib/ai-gateway/byok/encryption';
 import { BYOK_ENCRYPTION_KEY } from '@/lib/config.server';
@@ -19,7 +19,7 @@ export async function getModelUserByokProviders(modelId: string): Promise<UserBy
     return ['codestral'];
   }
   const vercelModelMetadata = await getVercelModelsMetadata();
-  if (Object.keys(vercelModelMetadata).length == 0) {
+  if (Object.keys(vercelModelMetadata).length === 0) {
     console.error('[getModelUserByokProviders] no Vercel model metadata in the database');
     return [];
   }
@@ -53,6 +53,9 @@ export async function getBYOKforUser(
   userId: string,
   providerIds: UserByokProviderId[]
 ): Promise<BYOKResult[] | null> {
+  if (providerIds.length === 0) {
+    return null;
+  }
   const rows = await fromDb
     .select({
       encrypted_api_key: byok_api_keys.encrypted_api_key,
@@ -68,18 +71,17 @@ export async function getBYOKforUser(
     )
     .orderBy(byok_api_keys.created_at);
 
-  if (rows.length === 0) {
-    return null;
-  }
-
-  return rows.map(row => decryptByokRow(row));
+  return rows.length === 0 ? null : rows.map(row => decryptByokRow(row));
 }
 
 export async function getBYOKforOrganization(
   fromDb: typeof db,
   organizationId: string,
   providerIds: UserByokProviderId[]
 ): Promise<BYOKResult[] | null> {
+  if (providerIds.length === 0) {
+    return null;
+  }
   const rows = await fromDb
     .select({
       encrypted_api_key: byok_api_keys.encrypted_api_key,
@@ -95,9 +97,5 @@ export async function getBYOKforOrganization(
     )
     .orderBy(byok_api_keys.created_at);
 
-  if (rows.length === 0) {
-    return null;
-  }
-
-  return rows.map(row => decryptByokRow(row));
+  return rows.length === 0 ? null : rows.map(row => decryptByokRow(row));
 }

apps/web/src/lib/ai-gateway/byok/types.ts

@@ -1,10 +1,12 @@
+import { UserByokProviderIdSchema } from '@/lib/ai-gateway/providers/openrouter/inference-provider-id';
 import * as z from 'zod';
 
 // API response type (never includes decrypted key)
 export type BYOKApiKeyResponse = {
   id: string;
   provider_id: string;
   provider_name: string;
+  management_source: 'user' | 'coding_plan';
   is_enabled: boolean;
   created_at: string;
   updated_at: string;
@@ -20,7 +22,7 @@ const OptionalOrganizationIdSchema = z.object({
 // Note: organizationId is optional - if provided, enforces org owner/billing access
 // If not provided, uses the authenticated user's kilo_user_id
 export const CreateBYOKKeyInputSchema = OptionalOrganizationIdSchema.extend({
-  provider_id: z.string().min(1),
+  provider_id: UserByokProviderIdSchema,
   api_key: z.string().min(1),
 });
 
@@ -49,6 +51,7 @@ export const BYOKApiKeyResponseSchema = z.object({
   id: z.string().uuid(),
   provider_id: z.string(),
   provider_name: z.string(),
+  management_source: z.enum(['user', 'coding_plan']),
   is_enabled: z.boolean(),
   created_at: z.string(),
   updated_at: z.string(),