Auto-PR: feature(saas): per-customer OpenRouter key provisioning + single-tenant instance lifecycle doc#88
Merged
Merged
Conversation
…nt instance lifecycle doc Automates the previously-manual per-customer LLM key step and documents the single-tenant customer-instance lifecycle (provision -> deploy -> operate -> deprovision) on top of the existing anythingllm-docker stack. - scripts/provision-openrouter-key.sh: mint a per-customer, monthly-budget-capped OpenRouter key via the Management API and store it in the customer's Infisical project as OPENROUTER_API_KEY. Value never touches terminal/disk/history; provisioning key sourced in-process; refuses to orphan a live key without --force. - docs/CUSTOMER_INSTANCE_PROVISIONING.md: technical lifecycle only (commercial/GTM flow deliberately kept out of this public repo). - CHANGELOG: [Unreleased] Added entry. Verified: bash -n + shellcheck clean.
…olds admin Corrects the customer-account role: on a managed single-tenant instance WeOwn keeps the AnythingLLM 'admin' account (LLM/embedder/vector/infra) and the customer gets 'manager' (docs/workspaces/team). Notes that multi-user mode has no email password reset (recovery codes + operator support instead).
Contributor
There was a problem hiding this comment.
Pull request overview
This PR adds an operator workflow for provisioning per-customer OpenRouter API keys (with a monthly spend cap) and documents the single-tenant customer-instance lifecycle for AnythingLLM deployments, tying together existing deployment pieces into a clear provision → deploy → operate → deprovision flow.
Changes:
- Added
scripts/provision-openrouter-key.shto mint an OpenRouter key via the Management API and store it in the customer’s Infisical project asOPENROUTER_API_KEY. - Added
docs/CUSTOMER_INSTANCE_PROVISIONING.mdto document the end-to-end lifecycle for dedicated customer instances and the managed-service role split (WeOwnadmin, customermanager). - Updated
CHANGELOG.mdwith an[Unreleased]entry describing the new automation + documentation.
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated 7 comments.
| File | Description |
|---|---|
| scripts/provision-openrouter-key.sh | New provisioning script to create a capped OpenRouter key and write it into the customer’s Infisical project. |
| docs/CUSTOMER_INSTANCE_PROVISIONING.md | New lifecycle doc sequencing infra provisioning, key minting, deployment, validation, and teardown steps for single-tenant instances. |
| CHANGELOG.md | Adds an [Unreleased] entry documenting the new script + lifecycle documentation. |
| # never on disk, in shell history, or on the network. That is acceptable on a | ||
| # single-operator laptop. On a shared host, run with --dry-run to mint nothing and | ||
| # set the value in the Infisical UI instead, or wrap this in the Infisical API. | ||
| set -uo pipefail |
Comment on lines
+26
to
+32
| # Usage: | ||
| # bash scripts/provision-openrouter-key.sh \ | ||
| # --customer <slug> \ | ||
| # --project-id <site Infisical project id> \ | ||
| # [--limit-usd 50] [--env prod] [--operator-project operator-tools] [--force] | ||
| # | ||
| # Prereqs: infisical CLI (logged in), curl, jq. |
Comment on lines
+139
to
+142
| HTTP_RESP="$(curl -sS -o - -w $'\n%{http_code}' -X POST "$OPENROUTER_KEYS_API" \ | ||
| -H "Authorization: Bearer ${PROV_KEY}" \ | ||
| -H "Content-Type: application/json" \ | ||
| -d "$REQ_BODY" 2>/dev/null || true)" |
Comment on lines
+164
to
+166
| if infisical secrets set "OPENROUTER_API_KEY=${CUSTOMER_KEY}" \ | ||
| --projectId="$PROJECT_ID" --env="$ENV_SLUG" --path=/ >/dev/null 2>&1; then | ||
| echo " ✓ set OPENROUTER_API_KEY in project $PROJECT_ID" |
Comment on lines
+1
to
+2
| # Provisioning a Single-Tenant Customer Instance | ||
|
|
Comment on lines
+124
to
+125
| 1. **Final backup** — `./scripts/backup.sh root@<ip>` (lands in | ||
| `s3://weown-prod-backups/<project>/`; retained per GFS). |
Comment on lines
+128
to
+129
| 3. **Deprovision** (final) — `cd sites/<domain>/terraform && ./itofu.sh` destroy | ||
| the droplet + reserved IP + firewall, **revoke the customer's OpenRouter key** |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
🤖 Automated Pull Request — authored by
weown-bot(ecosystem service account)Opened by: @ncimino
Last pushed by: @ncimino
Branch:
feature/nik-concierge-saas-kit→mainContributors on this branch:
📋 Human Review Checklist — NIST CSF 2.0 Functions
Review per the 6 NIST CSF Functions. Frameworks referenced: NIST CSF 2.0, CIS Controls v8 IG1, CSA CCM v4, ISO/IEC 27001:2022, SOC 2, ISO/IEC 42001:2023. See
docs/COMPLIANCE_ROADMAP.md.🏛️ Govern (GV)
.github/CODEOWNERS)🔍 Identify (ID)
.github/SECURITY_ASSESSMENT.md)🛡️ Protect (PR)
--from-literal, never/tmp, always$(mktemp)— ISO A.8.24)restricted(NIST PR.IP, CIS 4)🕵️ Detect (DE)
livenessProbe+readinessProbe) configured🚨 Respond (RS)
.github/INCIDENT_RESPONSE.md)♻️ Recover (RC)
📚 Documentation & Versioning
CHANGELOG.mdupdated (per-directory or repo-level/CHANGELOG.md)#WeOwnVerversion bumped perdocs/VERSIONING_WEOWNVER.md📝 Recent Commits (full bodies for Copilot context)
8a75949 docs(saas): managed-service role model — customer is manager, WeOwn holds admin
Author: Nik
Date: Wed Jul 15 10:09:46 2026 -0600
Corrects the customer-account role: on a managed single-tenant instance WeOwn
keeps the AnythingLLM 'admin' account (LLM/embedder/vector/infra) and the customer
gets 'manager' (docs/workspaces/team). Notes that multi-user mode has no email
password reset (recovery codes + operator support instead).
1e58b7b feature(saas): per-customer OpenRouter key provisioning + single-tenant instance lifecycle doc
Author: Nik
Date: Wed Jul 15 00:24:16 2026 -0600
Automates the previously-manual per-customer LLM key step and documents the
single-tenant customer-instance lifecycle (provision -> deploy -> operate ->
deprovision) on top of the existing anythingllm-docker stack.
OpenRouter key via the Management API and store it in the customer's Infisical
project as OPENROUTER_API_KEY. Value never touches terminal/disk/history;
provisioning key sourced in-process; refuses to orphan a live key without --force.
flow deliberately kept out of this public repo).
Verified: bash -n + shellcheck clean.
🔍 Copilot AI Review: Copilot is configured to auto-request review for bot-authored PRs. If an auto-created PR opens without an initial Copilot review, push a follow-up commit to the same open PR (
review_on_push: true) to trigger review automatically.👥 Required Reviewers: human approval enforced by branch protection + CODEOWNERS.
@nciminorequested automatically.📚 Review Guidelines:
.github/copilot-instructions.md(phase-aware compliance directives)🛠️ Workflow Operations:
.github/workflows/README.mdAuto-generated by
.github/workflows/auto-pr-to-main.yml