Skip to content

Auto-PR: feature(saas): per-customer OpenRouter key provisioning + single-tenant instance lifecycle doc#88

Merged
ncimino merged 2 commits into
mainfrom
feature/nik-concierge-saas-kit
Jul 15, 2026
Merged

Auto-PR: feature(saas): per-customer OpenRouter key provisioning + single-tenant instance lifecycle doc#88
ncimino merged 2 commits into
mainfrom
feature/nik-concierge-saas-kit

Conversation

@weown-bot

@weown-bot weown-bot commented Jul 15, 2026

Copy link
Copy Markdown
Contributor

🤖 Automated Pull Request — authored by weown-bot (ecosystem service account)

Opened by: @ncimino
Last pushed by: @ncimino
Branch: feature/nik-concierge-saas-kitmain

Contributors on this branch:


📋 Human Review Checklist — NIST CSF 2.0 Functions

Review per the 6 NIST CSF Functions. Frameworks referenced: NIST CSF 2.0, CIS Controls v8 IG1, CSA CCM v4, ISO/IEC 27001:2022, SOC 2, ISO/IEC 42001:2023. See docs/COMPLIANCE_ROADMAP.md.

🏛️ Govern (GV)

  • CODEOWNERS correct for affected paths (.github/CODEOWNERS)
  • ADR required/updated if an architectural decision is introduced
  • Policy impact considered and documented
  • All Copilot AI review comments addressed or explicitly deferred with rationale

🔍 Identify (ID)

  • New assets inventoried (Helm values, container images, dependencies)
  • SBOM regenerated if dependencies changed
  • Risk register / threat model touched if threat surface changed (.github/SECURITY_ASSESSMENT.md)

🛡️ Protect (PR)

  • Least privilege: RBAC, ServiceAccounts, scoped PATs (NIST PR.AC, CIS 5/6, ISO A.5.15-A.5.18)
  • Secrets managed via Infisical (never --from-literal, never /tmp, always $(mktemp) — ISO A.8.24)
  • NetworkPolicy present for new deployments (NIST PR.AC-5, CIS 12, CSA IVS)
  • TLS 1.3 with strong cipher suites where applicable (NIST PR.DS-1, CIS 3)
  • Container security: non-root UID 1000+, Pod Security restricted (NIST PR.IP, CIS 4)

🕵️ Detect (DE)

  • Logs / metrics added for new components (NIST DE.CM, CIS 8/13)
  • Alert rules updated if thresholds change
  • Health checks (livenessProbe + readinessProbe) configured

🚨 Respond (RS)

  • Runbook updated if operational behavior changes (.github/INCIDENT_RESPONSE.md)
  • Incident response impact considered (escalation paths, on-call)

♻️ Recover (RC)

  • Backup strategy covers new persistent data (NIST RC.RP, CIS 11, ISO A.8.13)
  • Rollback procedure tested or documented
  • DR impact assessed for new critical components

📚 Documentation & Versioning

  • Relevant CHANGELOG.md updated (per-directory or repo-level /CHANGELOG.md)
  • #WeOwnVer version bumped per docs/VERSIONING_WEOWNVER.md
  • READMEs / ADRs / inline comments updated

📝 Recent Commits (full bodies for Copilot context)

8a75949 docs(saas): managed-service role model — customer is manager, WeOwn holds admin

Author: Nik
Date: Wed Jul 15 10:09:46 2026 -0600

Corrects the customer-account role: on a managed single-tenant instance WeOwn
keeps the AnythingLLM 'admin' account (LLM/embedder/vector/infra) and the customer
gets 'manager' (docs/workspaces/team). Notes that multi-user mode has no email
password reset (recovery codes + operator support instead).


1e58b7b feature(saas): per-customer OpenRouter key provisioning + single-tenant instance lifecycle doc

Author: Nik
Date: Wed Jul 15 00:24:16 2026 -0600

Automates the previously-manual per-customer LLM key step and documents the
single-tenant customer-instance lifecycle (provision -> deploy -> operate ->
deprovision) on top of the existing anythingllm-docker stack.

  • scripts/provision-openrouter-key.sh: mint a per-customer, monthly-budget-capped
    OpenRouter key via the Management API and store it in the customer's Infisical
    project as OPENROUTER_API_KEY. Value never touches terminal/disk/history;
    provisioning key sourced in-process; refuses to orphan a live key without --force.
  • docs/CUSTOMER_INSTANCE_PROVISIONING.md: technical lifecycle only (commercial/GTM
    flow deliberately kept out of this public repo).
  • CHANGELOG: [Unreleased] Added entry.

Verified: bash -n + shellcheck clean.



🔍 Copilot AI Review: Copilot is configured to auto-request review for bot-authored PRs. If an auto-created PR opens without an initial Copilot review, push a follow-up commit to the same open PR (review_on_push: true) to trigger review automatically.

👥 Required Reviewers: human approval enforced by branch protection + CODEOWNERS. @ncimino requested automatically.

📚 Review Guidelines: .github/copilot-instructions.md (phase-aware compliance directives)

🛠️ Workflow Operations: .github/workflows/README.md

Auto-generated by .github/workflows/auto-pr-to-main.yml

…nt instance lifecycle doc

Automates the previously-manual per-customer LLM key step and documents the
single-tenant customer-instance lifecycle (provision -> deploy -> operate ->
deprovision) on top of the existing anythingllm-docker stack.

- scripts/provision-openrouter-key.sh: mint a per-customer, monthly-budget-capped
  OpenRouter key via the Management API and store it in the customer's Infisical
  project as OPENROUTER_API_KEY. Value never touches terminal/disk/history;
  provisioning key sourced in-process; refuses to orphan a live key without --force.
- docs/CUSTOMER_INSTANCE_PROVISIONING.md: technical lifecycle only (commercial/GTM
  flow deliberately kept out of this public repo).
- CHANGELOG: [Unreleased] Added entry.

Verified: bash -n + shellcheck clean.
@weown-bot weown-bot requested a review from ncimino as a code owner July 15, 2026 06:28
@weown-bot weown-bot requested review from Copilot and removed request for Copilot July 15, 2026 06:28
…olds admin

Corrects the customer-account role: on a managed single-tenant instance WeOwn
keeps the AnythingLLM 'admin' account (LLM/embedder/vector/infra) and the customer
gets 'manager' (docs/workspaces/team). Notes that multi-user mode has no email
password reset (recovery codes + operator support instead).
Copilot AI review requested due to automatic review settings July 15, 2026 16:09

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR adds an operator workflow for provisioning per-customer OpenRouter API keys (with a monthly spend cap) and documents the single-tenant customer-instance lifecycle for AnythingLLM deployments, tying together existing deployment pieces into a clear provision → deploy → operate → deprovision flow.

Changes:

  • Added scripts/provision-openrouter-key.sh to mint an OpenRouter key via the Management API and store it in the customer’s Infisical project as OPENROUTER_API_KEY.
  • Added docs/CUSTOMER_INSTANCE_PROVISIONING.md to document the end-to-end lifecycle for dedicated customer instances and the managed-service role split (WeOwn admin, customer manager).
  • Updated CHANGELOG.md with an [Unreleased] entry describing the new automation + documentation.

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 7 comments.

File Description
scripts/provision-openrouter-key.sh New provisioning script to create a capped OpenRouter key and write it into the customer’s Infisical project.
docs/CUSTOMER_INSTANCE_PROVISIONING.md New lifecycle doc sequencing infra provisioning, key minting, deployment, validation, and teardown steps for single-tenant instances.
CHANGELOG.md Adds an [Unreleased] entry documenting the new script + lifecycle documentation.

# never on disk, in shell history, or on the network. That is acceptable on a
# single-operator laptop. On a shared host, run with --dry-run to mint nothing and
# set the value in the Infisical UI instead, or wrap this in the Infisical API.
set -uo pipefail
Comment on lines +26 to +32
# Usage:
# bash scripts/provision-openrouter-key.sh \
# --customer <slug> \
# --project-id <site Infisical project id> \
# [--limit-usd 50] [--env prod] [--operator-project operator-tools] [--force]
#
# Prereqs: infisical CLI (logged in), curl, jq.
Comment on lines +139 to +142
HTTP_RESP="$(curl -sS -o - -w $'\n%{http_code}' -X POST "$OPENROUTER_KEYS_API" \
-H "Authorization: Bearer ${PROV_KEY}" \
-H "Content-Type: application/json" \
-d "$REQ_BODY" 2>/dev/null || true)"
Comment on lines +164 to +166
if infisical secrets set "OPENROUTER_API_KEY=${CUSTOMER_KEY}" \
--projectId="$PROJECT_ID" --env="$ENV_SLUG" --path=/ >/dev/null 2>&1; then
echo " ✓ set OPENROUTER_API_KEY in project $PROJECT_ID"
Comment on lines +1 to +2
# Provisioning a Single-Tenant Customer Instance

Comment on lines +124 to +125
1. **Final backup** — `./scripts/backup.sh root@<ip>` (lands in
`s3://weown-prod-backups/<project>/`; retained per GFS).
Comment on lines +128 to +129
3. **Deprovision** (final) — `cd sites/<domain>/terraform && ./itofu.sh` destroy
the droplet + reserved IP + firewall, **revoke the customer's OpenRouter key**
@ncimino ncimino merged commit c6ac48a into main Jul 15, 2026
19 checks passed
@ncimino ncimino deleted the feature/nik-concierge-saas-kit branch July 15, 2026 16:43
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants