feat(sesh_rep): add limits to session replays

we block new creations of session replays when limit is hit.
Session replays refresh monthly

Author: nams1570

apps/backend/prisma/seed.ts

@@ -133,6 +133,7 @@ export async function seed() {
               [ITEM_IDS.emailsPerMonth]: { quantity: PLAN_LIMITS.free.emailsPerMonth, repeat: [1, "month"] as any, expires: "when-repeated" as const },
               [ITEM_IDS.analyticsTimeoutSeconds]: { quantity: PLAN_LIMITS.free.analyticsTimeoutSeconds, repeat: "never" as const, expires: "when-purchase-expires" as const },
               [ITEM_IDS.analyticsEvents]: { quantity: PLAN_LIMITS.free.analyticsEvents, repeat: "never" as const, expires: "when-purchase-expires" as const },
+              [ITEM_IDS.sessionReplays]: { quantity: PLAN_LIMITS.free.sessionReplays, repeat: [1, "month"] as any, expires: "when-repeated" as const },
             },
           },
           team: {
@@ -154,6 +155,7 @@ export async function seed() {
               [ITEM_IDS.emailsPerMonth]: { quantity: PLAN_LIMITS.team.emailsPerMonth, repeat: [1, "month"] as any, expires: "when-repeated" as const },
               [ITEM_IDS.analyticsTimeoutSeconds]: { quantity: PLAN_LIMITS.team.analyticsTimeoutSeconds, repeat: "never" as const, expires: "when-purchase-expires" as const },
               [ITEM_IDS.analyticsEvents]: { quantity: PLAN_LIMITS.team.analyticsEvents, repeat: "never" as const, expires: "when-purchase-expires" as const },
+              [ITEM_IDS.sessionReplays]: { quantity: PLAN_LIMITS.team.sessionReplays, repeat: [1, "month"] as any, expires: "when-repeated" as const },
             },
           },
           growth: {
@@ -175,6 +177,7 @@ export async function seed() {
               [ITEM_IDS.emailsPerMonth]: { quantity: PLAN_LIMITS.growth.emailsPerMonth, repeat: [1, "month"] as any, expires: "when-repeated" as const },
               [ITEM_IDS.analyticsTimeoutSeconds]: { quantity: PLAN_LIMITS.growth.analyticsTimeoutSeconds, repeat: "never" as const, expires: "when-purchase-expires" as const },
               [ITEM_IDS.analyticsEvents]: { quantity: PLAN_LIMITS.growth.analyticsEvents, repeat: "never" as const, expires: "when-purchase-expires" as const },
+              [ITEM_IDS.sessionReplays]: { quantity: PLAN_LIMITS.growth.sessionReplays, repeat: [1, "month"] as any, expires: "when-repeated" as const },
             },
           },
           "extra-seats": {
@@ -205,6 +208,7 @@ export async function seed() {
           [ITEM_IDS.emailsPerMonth]: { displayName: "Emails per Month", customerType: "team" as const },
           [ITEM_IDS.analyticsTimeoutSeconds]: { displayName: "Analytics Timeout (seconds)", customerType: "team" as const },
           [ITEM_IDS.analyticsEvents]: { displayName: "Analytics Events", customerType: "team" as const },
+          [ITEM_IDS.sessionReplays]: { displayName: "Session Replays", customerType: "team" as const },
         },
       },
       apps: {

apps/backend/src/app/api/latest/session-replays/batch/route.tsx

@@ -2,8 +2,11 @@ import { getPrismaClientForTenancy } from "@/prisma-client";
 import { uploadBytes } from "@/s3";
 import { createSmartRouteHandler } from "@/route-handlers/smart-route-handler";
 import { Prisma } from "@/generated/prisma/client";
+import { getBillingTeamId } from "@/lib/plan-entitlements";
 import { findRecentSessionReplay } from "@/lib/session-replays";
+import { getStackServerApp } from "@/stack";
 import { KnownErrors } from "@stackframe/stack-shared";
+import { ITEM_IDS } from "@stackframe/stack-shared/dist/plans";
 import { adaptSchema, clientOrHigherAuthTypeSchema, yupArray, yupMixed, yupNumber, yupObject, yupString } from "@stackframe/stack-shared/dist/schema-fields";
 import { StatusError } from "@stackframe/stack-shared/dist/utils/errors";
 import { randomUUID } from "node:crypto";
@@ -106,6 +109,17 @@ export const POST = createSmartRouteHandler({
     const prisma = await getPrismaClientForTenancy(auth.tenancy);
     const recentSession = await findRecentSessionReplay(prisma, { tenancyId, refreshTokenId });
 
+    const app = getStackServerApp();
+
+    const isNewSession = recentSession == null;
+    const billingTeamId = getBillingTeamId(auth.tenancy.project);
+    if (isNewSession && billingTeamId != null) {
+      const replaysItem = await app.getItem({ itemId: ITEM_IDS.sessionReplays, teamId: billingTeamId });
+      if (replaysItem.quantity <= 0) {
+        throw new KnownErrors.ItemQuantityInsufficientAmount(ITEM_IDS.sessionReplays, billingTeamId, replaysItem.quantity);
+      }
+    }
+
     const replayId = recentSession?.id ?? randomUUID();
     const s3Key = `session-replays/${projectId}/${branchId}/${replayId}/${batchId}.json.gz`;
 
@@ -197,6 +211,11 @@ export const POST = createSmartRouteHandler({
       throw e;
     }
 
+    if (isNewSession && billingTeamId != null) {
+      const replaysItem = await app.getItem({ itemId: ITEM_IDS.sessionReplays, teamId: billingTeamId });
+      await replaysItem.decreaseQuantity(1);
+    }
+
     return {
       statusCode: 200,
       bodyType: "json",

apps/dashboard/src/app/(main)/(protected)/projects/[projectId]/analytics/replays/page-client.tsx

@@ -26,7 +26,7 @@ import { TeamSearchTable } from "@/components/data-table/team-search-table";
 import { AppEnabledGuard } from "../../app-enabled-guard";
 import { PageLayout } from "../../page-layout";
 import { useAdminApp } from "../../use-admin-app";
-import { AnalyticsEventLimitBanner } from "../shared";
+import { AnalyticsEventLimitBanner, SessionReplayLimitBanner } from "../shared";
 import {
   createInitialState,
   replayReducer,
@@ -1386,6 +1386,7 @@ export default function PageClient() {
     <AppEnabledGuard appId="analytics">
       <PageLayout title="Session Replays" fillWidth>
         <AnalyticsEventLimitBanner />
+        <SessionReplayLimitBanner />
         <PanelGroup direction="horizontal" className="!h-[calc(100vh-180px)] min-h-[520px] rounded-xl border border-border/40 overflow-hidden bg-background">
           <Panel defaultSize={25} minSize={16}>
             <div className="h-full flex flex-col">

apps/dashboard/src/app/(main)/(protected)/projects/[projectId]/analytics/shared.tsx

@@ -349,6 +349,58 @@ export function AnalyticsEventLimitBanner() {
   return <AnalyticsEventLimitBannerInner team={ownerTeam} />;
 }
 
+/**
+ * Shows a warning banner when session replay usage is at 80%+ or 100%.
+ * Since the limit is the same across all plans, no upgrade button is shown.
+ */
+export function SessionReplayLimitBanner() {
+  const adminApp = useAdminApp();
+  const project = adminApp.useProject();
+  const user = useUser({ or: "redirect", projectIdMustMatch: "internal" });
+  const teams = user.useTeams();
+
+  const ownerTeam = useMemo(
+    () => teams.find(t => t.id === project.ownerTeamId),
+    [teams, project.ownerTeamId],
+  );
+
+  if (ownerTeam == null) {
+    return null;
+  }
+
+  return <SessionReplayLimitBannerInner team={ownerTeam} />;
+}
+
+function SessionReplayLimitBannerInner({ team }: { team: { useItem: (itemId: string) => { quantity: number }, useProducts: () => Array<{ id: string | null, type: string }> } }) {
+  const replaysItem = team.useItem("session_replays");
+  const products = team.useProducts();
+  const planId = resolvePlanId(products);
+  const totalAllocation = PLAN_LIMITS[planId].sessionReplays;
+  const used = totalAllocation - replaysItem.quantity;
+  const usagePercent = totalAllocation > 0 ? (used / totalAllocation) * 100 : 0;
+
+  if (usagePercent < 80) {
+    return null;
+  }
+
+  const isExhausted = replaysItem.quantity <= 0;
+
+  return (
+    <Alert
+      variant={isExhausted ? "destructive" : "default"}
+      className={isExhausted ? undefined : "border-amber-500/50 text-amber-700 dark:text-amber-400 bg-amber-500/5 [&>svg]:text-amber-500"}
+    >
+      <WarningCircleIcon className="h-4 w-4" />
+      <AlertDescription>
+        {isExhausted
+          ? "You've reached your session replay limit for this month. New session replays are no longer being recorded."
+          : "You're approaching your session replay limit for this month."
+        }
+      </AlertDescription>
+    </Alert>
+  );
+}
+
 function AnalyticsEventLimitBannerInner({ team }: { team: { useItem: (itemId: string) => { quantity: number }, useProducts: () => Array<{ id: string | null, type: string }>, createCheckoutUrl: (options: { productId: string, returnUrl: string }) => Promise<string> } }) {
   const eventsItem = team.useItem("analytics_events");
   const products = team.useProducts();

apps/e2e/tests/backend/endpoints/api/v1/session-replays.test.ts

@@ -1,7 +1,8 @@
 import { randomUUID } from "node:crypto";
+import { PLAN_LIMITS } from "@stackframe/stack-shared/dist/plans";
 import { wait } from "@stackframe/stack-shared/dist/utils/promises";
 import { it } from "../../../../helpers";
-import { Auth, Project, Team, backendContext, bumpEmailAddress, niceBackendFetch } from "../../../backend-helpers";
+import { Auth, InternalProjectKeys, Project, Team, backendContext, bumpEmailAddress, niceBackendFetch } from "../../../backend-helpers";
 
 async function uploadBatch(options: {
   browserSessionId: string,
@@ -1382,3 +1383,134 @@ it("admin list session replays rejects invalid filter parameters", async ({ expe
     }
   `);
 });
+
+// ============================================================================
+// Session replay limit enforcement tests
+// ============================================================================
+
+async function withInternalProject<T>(fn: () => Promise<T>): Promise<T> {
+  const savedKeys = backendContext.value.projectKeys;
+  const savedUserAuth = backendContext.value.userAuth;
+  backendContext.set({ projectKeys: InternalProjectKeys, userAuth: null });
+  try {
+    return await fn();
+  } finally {
+    backendContext.set({ projectKeys: savedKeys, userAuth: savedUserAuth });
+  }
+}
+
+async function getSessionReplayItemQuantity(ownerTeamId: string) {
+  return await withInternalProject(async () => {
+    const response = await niceBackendFetch(`/api/v1/payments/items/team/${ownerTeamId}/session_replays`, {
+      accessType: "server",
+    });
+    if (response.status !== 200) {
+      throw new Error(`Failed to get session_replays item: ${JSON.stringify(response.body)}`);
+    }
+    return response.body.quantity as number;
+  });
+}
+
+async function setSessionReplayItemQuantity(ownerTeamId: string, quantity: number) {
+  const currentQuantity = await getSessionReplayItemQuantity(ownerTeamId);
+  const delta = quantity - currentQuantity;
+
+  await withInternalProject(async () => {
+    const response = await niceBackendFetch(`/api/v1/payments/items/team/${ownerTeamId}/session_replays/update-quantity?allow_negative=true`, {
+      method: "POST",
+      accessType: "server",
+      body: { delta },
+    });
+    if (response.status !== 200) {
+      throw new Error(`Failed to set session_replays quantity: ${JSON.stringify(response.body)}`);
+    }
+  });
+}
+
+it("free plan starts with correct session replay allocation", async ({ expect }) => {
+  const { createProjectResponse } = await Project.createAndSwitch({ config: { magic_link_enabled: true } });
+  const ownerTeamId = createProjectResponse.body.owner_team_id;
+
+  const quantity = await getSessionReplayItemQuantity(ownerTeamId);
+  expect(quantity).toBe(PLAN_LIMITS.free.sessionReplays);
+});
+
+it("rejects new session replay when quota is exhausted", async ({ expect }) => {
+  const { createProjectResponse } = await Project.createAndSwitch({ config: { magic_link_enabled: true } });
+  await Project.updateConfig({ apps: { installed: { analytics: { enabled: true } } } });
+  const ownerTeamId = createProjectResponse.body.owner_team_id;
+
+  await Auth.Otp.signIn();
+  await setSessionReplayItemQuantity(ownerTeamId, 0);
+
+  const now = Date.now();
+  const res = await uploadBatch({
+    browserSessionId: randomUUID(),
+    batchId: randomUUID(),
+    startedAtMs: now,
+    sentAtMs: now + 500,
+    events: [{ type: 2, timestamp: now + 100 }],
+  });
+
+  expect(res.status).toBe(400);
+  expect(res.body.code).toBe("ITEM_QUANTITY_INSUFFICIENT_AMOUNT");
+});
+
+it("accepts new session replay and debits quota by 1", async ({ expect }) => {
+  const { createProjectResponse } = await Project.createAndSwitch({ config: { magic_link_enabled: true } });
+  await Project.updateConfig({ apps: { installed: { analytics: { enabled: true } } } });
+  const ownerTeamId = createProjectResponse.body.owner_team_id;
+
+  await Auth.Otp.signIn();
+
+  const quantityBefore = await getSessionReplayItemQuantity(ownerTeamId);
+
+  const now = Date.now();
+  const res = await uploadBatch({
+    browserSessionId: randomUUID(),
+    batchId: randomUUID(),
+    startedAtMs: now,
+    sentAtMs: now + 500,
+    events: [{ type: 2, timestamp: now + 100 }],
+  });
+
+  expect(res.status).toBe(200);
+  expect(res.body.deduped).toBe(false);
+
+  const quantityAfter = await getSessionReplayItemQuantity(ownerTeamId);
+  expect(quantityAfter).toBe(quantityBefore - 1);
+});
+
+it("does not debit quota when appending chunks to an existing session replay", async ({ expect }) => {
+  const { createProjectResponse } = await Project.createAndSwitch({ config: { magic_link_enabled: true } });
+  await Project.updateConfig({ apps: { installed: { analytics: { enabled: true } } } });
+  const ownerTeamId = createProjectResponse.body.owner_team_id;
+
+  await Auth.Otp.signIn();
+
+  const now = Date.now();
+  const firstBatch = await uploadBatch({
+    browserSessionId: randomUUID(),
+    batchId: randomUUID(),
+    startedAtMs: now,
+    sentAtMs: now + 500,
+    events: [{ type: 2, timestamp: now + 100 }],
+  });
+  expect(firstBatch.status).toBe(200);
+  expect(firstBatch.body.deduped).toBe(false);
+
+  const quantityAfterFirst = await getSessionReplayItemQuantity(ownerTeamId);
+
+  const secondBatch = await uploadBatch({
+    browserSessionId: randomUUID(),
+    batchId: randomUUID(),
+    startedAtMs: now,
+    sentAtMs: now + 1000,
+    events: [{ type: 3, timestamp: now + 500 }],
+  });
+  expect(secondBatch.status).toBe(200);
+  expect(secondBatch.body.session_replay_id).toBe(firstBatch.body.session_replay_id);
+
+  const quantityAfterSecond = await getSessionReplayItemQuantity(ownerTeamId);
+  expect(quantityAfterSecond).toBe(quantityAfterFirst);
+});

packages/stack-shared/src/plans.ts

@@ -16,6 +16,7 @@ export const ITEM_IDS = {
   emailsPerMonth: "emails_per_month",
   analyticsTimeoutSeconds: "analytics_timeout_seconds",
   analyticsEvents: "analytics_events",
+  sessionReplays: "session_replays",
 } as const;
 
 export type ItemId = typeof ITEM_IDS[keyof typeof ITEM_IDS];
@@ -29,6 +30,7 @@ export type PlanProductOfferings = {
   emailsPerMonth: number,
   analyticsTimeoutSeconds: number,
   analyticsEvents: number,
+  sessionReplays: number,
 };
 
 /**
@@ -45,20 +47,23 @@ export const PLAN_LIMITS: {
     emailsPerMonth: 1_000,
     analyticsTimeoutSeconds: 10,
     analyticsEvents: 100_000,
+    sessionReplays: 2_500,
   },
   team: {
     seats: 4,
     authUsers: 50_000,
     emailsPerMonth: 25_000,
     analyticsTimeoutSeconds: 60,
     analyticsEvents: 500_000,
+    sessionReplays: 2_500,
   },
   growth: {
     seats: 4,
     authUsers: UNLIMITED,
     emailsPerMonth: 25_000,
     analyticsTimeoutSeconds: 300,
     analyticsEvents: 1_000_000,
+    sessionReplays: 2_500,
   },
 };