feat: add Stripe billing, plan gating, pricing page, and billing settings

- Migration 040: Stripe customer/subscription columns on users, subscription_events table
- lib/plans.ts: centralized plan limits (free/pro/enterprise) with getUserPlan, requirePlan, checkCountLimit
- Stripe API routes: checkout session, webhook handler (checkout.session.completed, invoice.paid, subscription.updated/deleted), customer portal redirect
- Plan gating enforced on webhooks, budgets, teams, exports, Slack install, SLA dashboard
- Pricing page with 3-tier comparison, monthly/yearly toggle, Stripe checkout CTAs
- Billing section in dashboard settings: plan badge, period end, manage billing portal link
- User profile API extended to return plan, plan_period_end, plan_cancel_at_period_end

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Author: AgentMulder404

app/api/admin/sla/route.ts

@@ -5,6 +5,7 @@
 import { NextResponse } from "next/server";
 import { createSupabaseCookieClient } from "@/lib/supabase-server";
 import { createSupabaseServerClient } from "@/lib/supabase-client";
+import { requirePlan } from "@/lib/plans";
 
 export const runtime = "edge";
 
@@ -27,6 +28,15 @@ export async function GET() {
     return NextResponse.json({ error: "Forbidden" }, { status: 403 });
   }
 
+  // SLA dashboard requires Enterprise plan
+  const planCheck = await requirePlan(user.id, "sla_dashboard");
+  if (!planCheck.allowed) {
+    return NextResponse.json(
+      { error: planCheck.reason, upgrade_to: planCheck.upgrade_to },
+      { status: 403 }
+    );
+  }
+
   const supabase = createSupabaseServerClient();
   const now = new Date();
   const thirtyDaysAgo = new Date(

app/api/budgets/route.ts

@@ -5,6 +5,7 @@
 import { NextRequest, NextResponse } from "next/server";
 import { createSupabaseCookieClient } from "@/lib/supabase-server";
 import { createSupabaseServerClient } from "@/lib/supabase-client";
+import { checkCountLimit } from "@/lib/plans";
 
 export const runtime = "edge";
 
@@ -76,6 +77,17 @@ export async function POST(req: NextRequest) {
     );
   }
 
+  // Plan limit check
+  const supabaseCount = createSupabaseServerClient();
+  const { count: budgetCount } = await supabaseCount
+    .from("budgets")
+    .select("id", { count: "exact", head: true })
+    .eq("user_id", user.id);
+  const limitCheck = await checkCountLimit(user.id, "max_budgets", budgetCount ?? 0);
+  if (!limitCheck.allowed) {
+    return NextResponse.json({ error: limitCheck.reason, limit: limitCheck.limit }, { status: 403 });
+  }
+
   const supabase = createSupabaseServerClient();
 
   const { data, error } = await supabase

app/api/integrations/slack/install/route.ts

@@ -5,6 +5,7 @@
 import { NextRequest, NextResponse } from "next/server";
 import { createSupabaseCookieClient } from "@/lib/supabase-server";
 import { createSupabaseServerClient } from "@/lib/supabase-client";
+import { requirePlan } from "@/lib/plans";
 
 export const runtime = "edge";
 
@@ -29,6 +30,15 @@ export async function GET(req: NextRequest) {
     return NextResponse.json({ error: "Unauthorized" }, { status: 401 });
   }
 
+  // Plan gate: Slack requires Pro+
+  const planCheck = await requirePlan(user.id, "slack_integration");
+  if (!planCheck.allowed) {
+    return NextResponse.json(
+      { error: planCheck.reason, upgrade_to: planCheck.upgrade_to },
+      { status: 403 }
+    );
+  }
+
   const code = req.nextUrl.searchParams.get("code");
 
   // Step 1: If no code, redirect to Slack OAuth authorization page

app/api/settings/export/route.ts

@@ -4,6 +4,7 @@
 import { NextRequest, NextResponse } from "next/server";
 import { createSupabaseCookieClient } from "@/lib/supabase-server";
 import { createSupabaseServerClient } from "@/lib/supabase-client";
+import { checkCountLimit } from "@/lib/plans";
 
 export const runtime = "edge";
 
@@ -62,6 +63,17 @@ export async function POST(req: NextRequest) {
     gcs_credentials,
   } = body;
 
+  // Plan limit check
+  const supabaseCount = createSupabaseServerClient();
+  const { count: exportCount } = await supabaseCount
+    .from("export_configs")
+    .select("id", { count: "exact", head: true })
+    .eq("user_id", user.id);
+  const limitCheck = await checkCountLimit(user.id, "max_export_configs", exportCount ?? 0);
+  if (!limitCheck.allowed) {
+    return NextResponse.json({ error: limitCheck.reason, limit: limitCheck.limit }, { status: 403 });
+  }
+
   if (!provider || !["s3", "gcs"].includes(provider)) {
     return NextResponse.json(
       { error: "provider must be 's3' or 'gcs'" },

app/api/stripe/checkout/route.ts

@@ -0,0 +1,94 @@
+// POST /api/stripe/checkout — create a Stripe Checkout session for plan upgrade
+export const runtime = "edge";
+
+import { NextRequest, NextResponse } from "next/server";
+import Stripe from "stripe";
+import { createSupabaseCookieClient } from "@/lib/supabase-server";
+import { createSupabaseServerClient } from "@/lib/supabase-client";
+import { STRIPE_PRICES, type PlanTier } from "@/lib/plans";
+
+const stripe = new Stripe(process.env.STRIPE_SECRET_KEY ?? "", {
+  apiVersion: "2024-12-18.acacia",
+});
+
+export async function POST(req: NextRequest) {
+  try {
+    const supabaseCookie = await createSupabaseCookieClient();
+    const {
+      data: { user },
+    } = await supabaseCookie.auth.getUser();
+    if (!user) {
+      return NextResponse.json({ error: "Unauthorized" }, { status: 401 });
+    }
+
+    const body = await req.json();
+    const { plan, interval } = body as {
+      plan: PlanTier;
+      interval: "monthly" | "yearly";
+    };
+
+    if (!plan || !["pro", "enterprise"].includes(plan)) {
+      return NextResponse.json(
+        { error: "Invalid plan. Must be pro or enterprise." },
+        { status: 400 }
+      );
+    }
+    if (!interval || !["monthly", "yearly"].includes(interval)) {
+      return NextResponse.json(
+        { error: "Invalid interval. Must be monthly or yearly." },
+        { status: 400 }
+      );
+    }
+
+    const priceKey = `${plan}_${interval}` as keyof typeof STRIPE_PRICES;
+    const priceId = STRIPE_PRICES[priceKey];
+    if (!priceId) {
+      return NextResponse.json(
+        { error: "Stripe price not configured for this plan/interval" },
+        { status: 500 }
+      );
+    }
+
+    // Get or create Stripe customer
+    const supabase = createSupabaseServerClient();
+    const { data: userData } = await supabase
+      .from("users")
+      .select("stripe_customer_id, email")
+      .eq("id", user.id)
+      .single();
+
+    let customerId = userData?.stripe_customer_id;
+
+    if (!customerId) {
+      const customer = await stripe.customers.create({
+        email: userData?.email ?? user.email,
+        metadata: { user_id: user.id },
+      });
+      customerId = customer.id;
+
+      await supabase
+        .from("users")
+        .update({ stripe_customer_id: customerId })
+        .eq("id", user.id);
+    }
+
+    const origin = req.headers.get("origin") ?? process.env.NEXT_PUBLIC_APP_URL ?? "https://www.aluminatai.com";
+
+    const session = await stripe.checkout.sessions.create({
+      customer: customerId,
+      mode: "subscription",
+      line_items: [{ price: priceId, quantity: 1 }],
+      success_url: `${origin}/dashboard/settings?billing=success`,
+      cancel_url: `${origin}/dashboard/settings?billing=cancel`,
+      metadata: { user_id: user.id, plan },
+      subscription_data: {
+        metadata: { user_id: user.id, plan },
+      },
+    });
+
+    return NextResponse.json({ url: session.url });
+  } catch (err: unknown) {
+    const message = err instanceof Error ? err.message : "Unknown error";
+    return NextResponse.json({ error: message }, { status: 500 });
+  }
+}

app/api/stripe/portal/route.ts

@@ -0,0 +1,49 @@
+// POST /api/stripe/portal — redirect user to Stripe Customer Portal
+export const runtime = "edge";
+
+import { NextRequest, NextResponse } from "next/server";
+import Stripe from "stripe";
+import { createSupabaseCookieClient } from "@/lib/supabase-server";
+import { createSupabaseServerClient } from "@/lib/supabase-client";
+
+const stripe = new Stripe(process.env.STRIPE_SECRET_KEY ?? "", {
+  apiVersion: "2024-12-18.acacia",
+});
+
+export async function POST(req: NextRequest) {
+  try {
+    const supabaseCookie = await createSupabaseCookieClient();
+    const {
+      data: { user },
+    } = await supabaseCookie.auth.getUser();
+    if (!user) {
+      return NextResponse.json({ error: "Unauthorized" }, { status: 401 });
+    }
+
+    const supabase = createSupabaseServerClient();
+    const { data: userData } = await supabase
+      .from("users")
+      .select("stripe_customer_id")
+      .eq("id", user.id)
+      .single();
+
+    if (!userData?.stripe_customer_id) {
+      return NextResponse.json(
+        { error: "No billing account found. Subscribe to a plan first." },
+        { status: 400 }
+      );
+    }
+
+    const origin = req.headers.get("origin") ?? process.env.NEXT_PUBLIC_APP_URL ?? "https://www.aluminatai.com";
+
+    const session = await stripe.billingPortal.sessions.create({
+      customer: userData.stripe_customer_id,
+      return_url: `${origin}/dashboard/settings`,
+    });
+
+    return NextResponse.json({ url: session.url });
+  } catch (err: unknown) {
+    const message = err instanceof Error ? err.message : "Unknown error";
+    return NextResponse.json({ error: message }, { status: 500 });
+  }
+}