feat: add D1-backed auth, tiered access, usage metering, and policy engine (Phase B)

Phase B of the auth/metering/pricing plan:

1. D1 auth middleware (src/middleware/auth-d1.ts):
   - resolveAuth(): Bearer header → SHA-256 hash → D1 lookup → AuthContext
   - LRU cache (1024 entries, 60s TTL) reduces D1 queries
   - D1 failure: stale LRU preserves paid tier for known keys
   - Unknown keys degrade to anonymous (not 500)

2. Policy engine (src/middleware/tier-gate.ts):
   - buildPolicy(): AuthContext → PolicyDecision (what resources are allowed)
   - checkPolicy(): validates request params against policy
   - policyHeaders(): X-RateLimit-Limit/Remaining, X-Request-Cost headers

3. Usage metering (src/handlers/usage.ts):
   - In-memory buffer with ctx.waitUntil() batch flush to D1
   - ON CONFLICT UPDATE for atomic upsert of daily aggregates
   - Denormalized monthly_credits_used on accounts table
   - GET /api/usage endpoint for per-key usage data

4. D1 schema (schema.sql): accounts, api_keys, usage_daily, sessions, paddle_events
5. Type system: AuthContext, PolicyDecision, Tier, TIER_QUOTAS
6. Graceful degradation: quota exceeded serves cached content + X-Quota-Exceeded header
7. Dual auth path: D1 (when AUTH_DB configured) or legacy single-token (backward compatible)
8. All 566 tests pass with mock ExecutionContext

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: Digidai

schema.sql

@@ -0,0 +1,52 @@
+-- md-genedai Auth & Metering schema (D1)
+-- Run: wrangler d1 execute AUTH_DB --file=schema.sql
+
+CREATE TABLE IF NOT EXISTS accounts (
+  id TEXT PRIMARY KEY,
+  email TEXT NOT NULL UNIQUE,
+  github_id TEXT,
+  tier TEXT NOT NULL DEFAULT 'free',
+  paddle_customer_id TEXT,
+  paddle_subscription_id TEXT,
+  monthly_credits_used INTEGER NOT NULL DEFAULT 0,
+  monthly_credits_reset_at TEXT NOT NULL,
+  created_at TEXT NOT NULL,
+  updated_at TEXT NOT NULL
+);
+
+CREATE TABLE IF NOT EXISTS api_keys (
+  id TEXT PRIMARY KEY,
+  account_id TEXT NOT NULL REFERENCES accounts(id),
+  prefix TEXT NOT NULL,
+  key_hash TEXT NOT NULL,
+  name TEXT,
+  revoked_at TEXT,
+  created_at TEXT NOT NULL
+);
+CREATE INDEX IF NOT EXISTS idx_api_keys_hash ON api_keys(key_hash);
+CREATE INDEX IF NOT EXISTS idx_api_keys_account ON api_keys(account_id);
+
+CREATE TABLE IF NOT EXISTS usage_daily (
+  key_id TEXT NOT NULL REFERENCES api_keys(id),
+  date TEXT NOT NULL,
+  requests INTEGER NOT NULL DEFAULT 0,
+  credits INTEGER NOT NULL DEFAULT 0,
+  browser_calls INTEGER NOT NULL DEFAULT 0,
+  cache_hits INTEGER NOT NULL DEFAULT 0,
+  PRIMARY KEY (key_id, date)
+);
+
+CREATE TABLE IF NOT EXISTS sessions (
+  id TEXT PRIMARY KEY,
+  account_id TEXT NOT NULL REFERENCES accounts(id),
+  token_hash TEXT NOT NULL,
+  expires_at TEXT NOT NULL,
+  created_at TEXT NOT NULL
+);
+CREATE INDEX IF NOT EXISTS idx_sessions_account ON sessions(account_id);
+CREATE INDEX IF NOT EXISTS idx_sessions_expires ON sessions(expires_at);
+
+CREATE TABLE IF NOT EXISTS paddle_events (
+  event_id TEXT PRIMARY KEY,
+  processed_at TEXT NOT NULL
+);

src/__tests__/cf-integration.test.ts

@@ -1,5 +1,5 @@
 import { afterEach, beforeEach, describe, expect, it, vi } from "vitest";
-import { createMockEnv } from "./test-helpers";
+import { createMockEnv, mockCtx } from "./test-helpers";
 
 const mocked = vi.hoisted(() => {
   // Sentinel object used to verify genericAdapter identity checks
@@ -175,7 +175,7 @@ describe("CF REST API integration in convertUrl", () => {
     const req = new Request("https://md.example.com/https://example.com/page?raw=true&engine=cf", {
       headers: { Accept: "text/markdown", Authorization: "Bearer test-token" },
     });
-    const res = await worker.fetch(req, env);
+    const res = await worker.fetch(req, env, mockCtx());
 
     expect(res.status).toBe(200);
     const text = await res.text();
@@ -189,7 +189,7 @@ describe("CF REST API integration in convertUrl", () => {
     const req = new Request("https://md.example.com/https://example.com/page?raw=true", {
       headers: { Accept: "text/markdown" },
     });
-    const res = await worker.fetch(req, env);
+    const res = await worker.fetch(req, env, mockCtx());
 
     expect(res.status).toBe(200);
     expect(res.headers.get("X-Markdown-Method")).toBe("cf");
@@ -211,7 +211,7 @@ describe("CF REST API integration in convertUrl", () => {
     const req = new Request("https://md.example.com/https://mp.weixin.qq.com/s/abc?raw=true", {
       headers: { Accept: "text/markdown" },
     });
-    const res = await worker.fetch(req, env);
+    const res = await worker.fetch(req, env, mockCtx());
 
     expect(res.status).toBe(200);
     expect(mocked.cfRest.fetchViaCfMarkdown).not.toHaveBeenCalled();
@@ -231,7 +231,7 @@ describe("CF REST API integration in convertUrl", () => {
     const req = new Request("https://md.example.com/https://example.com/paywalled?raw=true", {
       headers: { Accept: "text/markdown" },
     });
-    const res = await worker.fetch(req, env);
+    const res = await worker.fetch(req, env, mockCtx());
 
     expect(res.status).toBe(200);
     expect(mocked.cfRest.fetchViaCfMarkdown).not.toHaveBeenCalled();
@@ -255,7 +255,7 @@ describe("CF REST API integration in convertUrl", () => {
     const req = new Request("https://md.example.com/https://example.com/blocked?raw=true", {
       headers: { Accept: "text/markdown" },
     });
-    const res = await worker.fetch(req, env);
+    const res = await worker.fetch(req, env, mockCtx());
 
     expect(res.status).toBe(200);
     expect(mocked.cfRest.fetchViaCfMarkdown).not.toHaveBeenCalled();
@@ -279,7 +279,7 @@ describe("CF REST API integration in convertUrl", () => {
     const req = new Request("https://md.example.com/https://example.com/cf-empty?raw=true", {
       headers: { Accept: "text/markdown" },
     });
-    const res = await worker.fetch(req, env);
+    const res = await worker.fetch(req, env, mockCtx());
 
     expect(res.status).toBe(200);
     // Should have attempted CF, then fallen back
@@ -304,7 +304,7 @@ describe("CF REST API integration in convertUrl", () => {
     const req = new Request("https://md.example.com/https://example.com/cf-error?raw=true", {
       headers: { Accept: "text/markdown" },
     });
-    const res = await worker.fetch(req, env);
+    const res = await worker.fetch(req, env, mockCtx());
 
     expect(res.status).toBe(200);
     expect(mocked.cfRest.fetchViaCfMarkdown).toHaveBeenCalledTimes(1);
@@ -317,7 +317,7 @@ describe("CF REST API integration in convertUrl", () => {
     const req = new Request("https://md.example.com/https://example.com/cacheable?raw=true&engine=cf", {
       headers: { Accept: "text/markdown", Authorization: "Bearer test-token" },
     });
-    await worker.fetch(req, env);
+    await worker.fetch(req, env, mockCtx());
 
     expect(mocked.cache.setCache).toHaveBeenCalledTimes(1);
     const setCacheArgs = mocked.cache.setCache.mock.calls[0];
@@ -337,7 +337,7 @@ describe("CF REST API integration in convertUrl", () => {
     const req = new Request("https://md.example.com/https://example.com/no-cf?raw=true", {
       headers: { Accept: "text/markdown" },
     });
-    const res = await worker.fetch(req, env);
+    const res = await worker.fetch(req, env, mockCtx());
 
     expect(res.status).toBe(200);
     expect(mocked.cfRest.fetchViaCfMarkdown).not.toHaveBeenCalled();
@@ -358,7 +358,7 @@ describe("CF integration in batch handler", () => {
         urls: ["https://example.com/a", "https://example.com/b"],
       }),
     });
-    const res = await worker.fetch(req, env);
+    const res = await worker.fetch(req, env, mockCtx());
 
     expect(res.status).toBe(200);
     const body = await res.json() as any;
@@ -398,7 +398,7 @@ describe("CF integration in batch handler", () => {
         ],
       }),
     });
-    const res = await worker.fetch(req, env);
+    const res = await worker.fetch(req, env, mockCtx());
 
     expect(res.status).toBe(200);
     const body = await res.json() as any;

src/__tests__/index-batch.test.ts

@@ -5,7 +5,7 @@ vi.mock("cloudflare:sockets", () => ({
 }));
 
 import worker from "../index";
-import { createMockEnv } from "./test-helpers";
+import { createMockEnv, mockCtx } from "./test-helpers";
 
 afterEach(() => {
   vi.restoreAllMocks();
@@ -31,7 +31,7 @@ function batchRequest(
 describe("POST /api/batch", () => {
   it("returns 503 when API_TOKEN is missing", async () => {
     const req = batchRequest({ urls: ["https://example.com"] }, "token");
-    const res = await worker.fetch(req, createMockEnv().env);
+    const res = await worker.fetch(req, createMockEnv().env, mockCtx());
     const payload = await res.json() as { error?: string };
 
     expect(res.status).toBe(503);
@@ -41,7 +41,7 @@ describe("POST /api/batch", () => {
   it("returns 401 for invalid bearer token", async () => {
     const { env } = createMockEnv({ API_TOKEN: "correct-token" });
     const req = batchRequest({ urls: ["https://example.com"] }, "wrong-token");
-    const res = await worker.fetch(req, env);
+    const res = await worker.fetch(req, env, mockCtx());
     const payload = await res.json() as { error?: string };
 
     expect(res.status).toBe(401);
@@ -55,7 +55,7 @@ describe("POST /api/batch", () => {
       "token",
       { "Content-Length": "100001" },
     );
-    const res = await worker.fetch(req, env);
+    const res = await worker.fetch(req, env, mockCtx());
     const payload = await res.json() as { error?: string };
 
     expect(res.status).toBe(413);
@@ -66,7 +66,7 @@ describe("POST /api/batch", () => {
     const { env } = createMockEnv({ API_TOKEN: "token" });
     const oversizedBody = `{"urls":["https://example.com/${"a".repeat(110_000)}"]}`;
     const req = batchRequest(oversizedBody, "token", { "Content-Length": "0" });
-    const res = await worker.fetch(req, env);
+    const res = await worker.fetch(req, env, mockCtx());
     const payload = await res.json() as { error?: string };
 
     expect(res.status).toBe(413);
@@ -77,7 +77,7 @@ describe("POST /api/batch", () => {
     const { env } = createMockEnv({ API_TOKEN: "token" });
     const consoleSpy = vi.spyOn(console, "error").mockImplementation(() => {});
     const req = batchRequest("{invalid-json", "token");
-    const res = await worker.fetch(req, env);
+    const res = await worker.fetch(req, env, mockCtx());
     const payload = await res.json() as { error?: string };
 
     expect(res.status).toBe(400);
@@ -99,7 +99,7 @@ describe("POST /api/batch", () => {
 
     const { env } = createMockEnv({ API_TOKEN: "token" });
     const req = batchRequest({ urls: ["https://example.com/internal-error-case"] }, "token");
-    const res = await worker.fetch(req, env);
+    const res = await worker.fetch(req, env, mockCtx());
     const payload = await res.json() as { error?: string; message?: string };
 
     expect(res.status).toBe(500);
@@ -110,7 +110,7 @@ describe("POST /api/batch", () => {
   it("returns 400 when urls is missing", async () => {
     const { env } = createMockEnv({ API_TOKEN: "token" });
     const req = batchRequest({ foo: "bar" }, "token");
-    const res = await worker.fetch(req, env);
+    const res = await worker.fetch(req, env, mockCtx());
     const payload = await res.json() as { error?: string };
 
     expect(res.status).toBe(400);
@@ -121,7 +121,7 @@ describe("POST /api/batch", () => {
     const { env } = createMockEnv({ API_TOKEN: "token" });
     const urls = Array.from({ length: 11 }, (_, i) => `https://example.com/${i}`);
     const req = batchRequest({ urls }, "token");
-    const res = await worker.fetch(req, env);
+    const res = await worker.fetch(req, env, mockCtx());
     const payload = await res.json() as { error?: string };
 
     expect(res.status).toBe(400);
@@ -136,7 +136,7 @@ describe("POST /api/batch", () => {
     const req = batchRequest({
       urls: ["https://example.com/a", 123, { bad: "item" }],
     }, "token");
-    const res = await worker.fetch(req, env);
+    const res = await worker.fetch(req, env, mockCtx());
     const payload = await res.json() as { error?: string };
 
     expect(res.status).toBe(400);
@@ -152,7 +152,7 @@ describe("POST /api/batch", () => {
     const req = batchRequest({
       urls: ["   ", { url: "   ", format: "markdown" }],
     }, "token");
-    const res = await worker.fetch(req, env);
+    const res = await worker.fetch(req, env, mockCtx());
     const payload = await res.json() as { error?: string };
 
     expect(res.status).toBe(400);
@@ -180,7 +180,7 @@ describe("POST /api/batch", () => {
         },
       ],
     }, "token");
-    const res = await worker.fetch(req, env);
+    const res = await worker.fetch(req, env, mockCtx());
     const payload = await res.json() as {
       results?: Array<{
         url?: string;
@@ -215,7 +215,7 @@ describe("POST /api/batch", () => {
         },
       ],
     }, "token");
-    const res = await worker.fetch(req, env);
+    const res = await worker.fetch(req, env, mockCtx());
     const payload = await res.json() as {
       results?: Array<{ error?: string; content?: string }>;
     };
@@ -233,7 +233,7 @@ describe("POST /api/batch", () => {
     const req = batchRequest({
       urls: ["not-a-url", "http://127.0.0.1/private"],
     }, "token");
-    const res = await worker.fetch(req, env);
+    const res = await worker.fetch(req, env, mockCtx());
     const payload = await res.json() as {
       results?: Array<{ url?: string; error?: string }>;
     };
@@ -254,7 +254,7 @@ describe("POST /api/batch", () => {
 
     const { env } = createMockEnv({ API_TOKEN: "token" });
     const req = batchRequest({ urls: ["https://example.com/a"] }, "token");
-    const res = await worker.fetch(req, env);
+    const res = await worker.fetch(req, env, mockCtx());
     const payload = await res.json() as {
       results?: Array<{
         url?: string;
@@ -304,7 +304,7 @@ describe("POST /api/batch", () => {
       signal: controller.signal,
     });
 
-    const responsePromise = worker.fetch(req, env);
+    const responsePromise = worker.fetch(req, env, mockCtx());
     setTimeout(() => controller.abort(), 20);
 
     const race = await Promise.race([