refactor

app.py

@@ -108,7 +108,7 @@ async def lifespan(app: FastAPI):
         logger.info("✅ Database initialized")
     
     # Start background job worker
-    from services.gemini_job_worker import start_worker, stop_worker
+    from services.gemini_service import start_worker, stop_worker
     await start_worker()
     logger.info("Background job worker started")
     

dependencies.py

@@ -9,7 +9,7 @@ from sqlalchemy.ext.asyncio import AsyncSession
 
 from core.database import get_db
 from core.models import User, RateLimit
-from services.jwt_service import (
+from services.auth_service.jwt_provider import (
     verify_access_token,
     TokenExpiredError,
     InvalidTokenError,

routers/auth.py

@@ -22,17 +22,14 @@ from core.schemas import (
     TokenRefreshRequest,
     TokenRefreshResponse
 )
-from services.google_auth_service import (
+from services.auth_service.google_provider import (
     GoogleAuthService,
-    InvalidTokenError as GoogleInvalidTokenError,
-    ConfigurationError as GoogleConfigError,
-    get_google_auth_service
+    GoogleUserInfo,
+    InvalidTokenError,
 )
-from services.jwt_service import (
+from services.auth_service.jwt_provider import (
     JWTService,
     create_access_token,
-    get_jwt_service,
-    InvalidTokenError as JWTInvalidTokenError
 )
 from dependencies import check_rate_limit, get_current_user
 from services.drive_service import DriveService

services/credit_service.py

@@ -1,257 +0,0 @@
-"""
-Credit Service - Manages credit reservation, confirmation, and refunding.
-
-Implements the Credit Reservation Pattern:
-1. Reserve credits when job is created (deduct from user, track in job)
-2. Confirm credits only on successful completion
-3. Refund credits on refundable errors (server-side issues)
-4. Keep credits on non-refundable errors (user-caused issues)
-"""
-import logging
-from typing import Optional
-from sqlalchemy.ext.asyncio import AsyncSession
-from sqlalchemy import select
-
-logger = logging.getLogger(__name__)
-
-
-# =============================================================================
-# Error Categories for Refund Decisions
-# =============================================================================
-
-# Refundable errors - User gets credits back (server/API issues)
-REFUNDABLE_ERROR_PATTERNS = [
-    "API_KEY_INVALID",
-    "QUOTA_EXCEEDED",
-    "INTERNAL_ERROR", 
-    "CONNECTION_FAILED",
-    "SERVER_SHUTDOWN",
-    "TIMEOUT",
-    "Server Authentication Error",
-    "Network error",
-    "Connection refused",
-    "Connection reset",
-    "Service unavailable",
-    "503",
-    "500",
-    "429",  # Rate limit (our quota, not user's fault)
-]
-
-# Non-refundable error patterns - User's input/content issue
-NON_REFUNDABLE_ERROR_PATTERNS = [
-    "safety",
-    "blocked",
-    "SAFETY_FILTER",
-    "INVALID_INPUT",
-    "Invalid image",
-    "Bad request",
-    "400",
-    "cancelled",
-    "User cancelled",
-]
-
-
-def is_refundable_error(error_message: Optional[str]) -> bool:
-    """
-    Determine if an error should result in a credit refund.
-    
-    Args:
-        error_message: The error message from the failed job
-        
-    Returns:
-        True if the error is refundable (server/API issue)
-        False if non-refundable (user's fault) or no error message
-    """
-    if not error_message:
-        return False
-    
-    error_lower = error_message.lower()
-    
-    # Check for REFUNDABLE patterns FIRST (specific server errors take precedence)
-    # This ensures API_KEY_INVALID is caught before generic "400" matcher
-    for pattern in REFUNDABLE_ERROR_PATTERNS:
-        if pattern.lower() in error_lower:
-            logger.debug(f"Error matched refundable pattern '{pattern}': {error_message[:100]}")
-            return True
-    
-    # Check for non-refundable patterns (user-caused issues)
-    for pattern in NON_REFUNDABLE_ERROR_PATTERNS:
-        if pattern.lower() in error_lower:
-            logger.debug(f"Error matched non-refundable pattern '{pattern}': {error_message[:100]}")
-            return False
-    
-    # Default: Max retries exceeded is refundable (we consumed API resources trying)
-    if "max retries" in error_lower:
-        return True
-    
-    # Default: Unknown errors are NOT refundable to prevent abuse
-    # If it's an unknown error, it's more likely user-caused
-    logger.debug(f"Unknown error (not refundable): {error_message[:100]}")
-    return False
-
-
-async def reserve_credit(session: AsyncSession, user, amount: int = 1) -> bool:
-    """
-    Reserve credits for a job (deduct from user's balance).
-    
-    The credits are deducted but tracked in the job's credits_reserved field.
-    If the job fails with a refundable error, they can be restored.
-    
-    Args:
-        session: Database session
-        user: User model instance
-        amount: Number of credits to reserve (default: 1)
-        
-    Returns:
-        True if credits were successfully reserved
-        False if user has insufficient credits
-    """
-    if user.credits < amount:
-        logger.warning(f"User {user.user_id} has insufficient credits ({user.credits}) to reserve {amount}")
-        return False
-    
-    user.credits -= amount
-    logger.info(f"Reserved {amount} credit(s) for user {user.user_id}. Remaining: {user.credits}")
-    # Note: Don't commit here - let caller handle transaction
-    return True
-
-
-async def confirm_credit(session: AsyncSession, job) -> None:
-    """
-    Confirm that credits were legitimately used for a completed job.
-    
-    This is called when a job completes successfully. The credits stay
-    deducted (they were already deducted during reservation).
-    
-    Args:
-        session: Database session
-        job: GeminiJob model instance
-    """
-    if job.credits_reserved > 0:
-        # Credits were used - clear the reservation tracking
-        credits_used = job.credits_reserved
-        job.credits_reserved = 0
-        logger.info(f"Confirmed {credits_used} credit(s) used for job {job.job_id}")
-    # Note: Don't commit here - let caller handle transaction
-
-
-async def refund_credit(session: AsyncSession, job, reason: str) -> bool:
-    """
-    Refund reserved credits back to the user.
-    
-    Called when a job fails due to a refundable error (server-side issue).
-    
-    Args:
-        session: Database session  
-        job: GeminiJob model instance
-        reason: Reason for the refund (for logging)
-        
-    Returns:
-        True if credits were refunded
-        False if no credits to refund or already refunded
-    """
-    if job.credits_reserved <= 0:
-        logger.debug(f"Job {job.job_id} has no credits to refund")
-        return False
-    
-    if job.credits_refunded:
-        logger.warning(f"Job {job.job_id} was already refunded")
-        return False
-    
-    # Get the user to restore credits
-    from core.models import User
-    
-    result = await session.execute(
-        select(User).where(User.id == job.user_id)
-    )
-    user = result.scalar_one_or_none()
-    
-    if not user:
-        logger.error(f"Cannot refund job {job.job_id}: User {job.user_id} not found")
-        return False
-    
-    # Restore credits
-    credits_to_refund = job.credits_reserved
-    user.credits += credits_to_refund
-    job.credits_reserved = 0
-    job.credits_refunded = True
-    
-    logger.info(
-        f"Refunded {credits_to_refund} credit(s) to user {user.user_id} for job {job.job_id}. "
-        f"Reason: {reason[:100]}. New balance: {user.credits}"
-    )
-    
-    # Note: Don't commit here - let caller handle transaction
-    return True
-
-
-async def handle_job_completion(session: AsyncSession, job) -> None:
-    """
-    Handle credit finalization when a job completes or fails.
-    
-    This is the main entry point called by the job worker.
-    
-    Args:
-        session: Database session
-        job: GeminiJob model instance with final status
-    """
-    if job.status == "completed":
-        # Success - confirm credits were used
-        await confirm_credit(session, job)
-        
-    elif job.status == "failed":
-        # Failure - check if refundable
-        if is_refundable_error(job.error_message):
-            await refund_credit(session, job, job.error_message or "Unknown error")
-        else:
-            # Non-refundable - confirm credits were used (user's fault)
-            await confirm_credit(session, job)
-            logger.info(f"Job {job.job_id} failed with non-refundable error, credits kept")
-            
-    elif job.status == "cancelled":
-        # Cancelled jobs get refunds only if they were never started
-        if job.started_at is None:
-            await refund_credit(session, job, "Job cancelled before processing")
-        else:
-            # Was processing - keep credits (API may have been consumed)
-            await confirm_credit(session, job)
-            logger.info(f"Job {job.job_id} cancelled during processing, credits kept")
-
-
-async def refund_orphaned_jobs(session: AsyncSession) -> int:
-    """
-    Refund credits for jobs that were abandoned due to server shutdown.
-    
-    Called during graceful shutdown to ensure no credits are lost.
-    
-    Args:
-        session: Database session
-        
-    Returns:
-        Number of jobs that were refunded
-    """
-    from core.models import GeminiJob
-    
-    # Find jobs that are still processing with reserved credits
-    result = await session.execute(
-        select(GeminiJob).where(
-            GeminiJob.status == "processing",
-            GeminiJob.credits_reserved > 0,
-            GeminiJob.credits_refunded == False
-        )
-    )
-    orphaned_jobs = result.scalars().all()
-    
-    refund_count = 0
-    for job in orphaned_jobs:
-        if await refund_credit(session, job, "SERVER_SHUTDOWN: Job orphaned during server shutdown"):
-            # Mark job as failed
-            job.status = "failed"
-            job.error_message = "Server shutdown during processing. Credits refunded."
-            refund_count += 1
-    
-    if refund_count > 0:
-        await session.commit()
-        logger.info(f"Refunded {refund_count} orphaned job(s) during shutdown")
-    
-    return refund_count

services/google_auth_service.py

@@ -1,232 +0,0 @@
-"""
-Modular Google OAuth Service
-
-A self-contained, plug-and-play service for verifying Google ID tokens.
-Can be used in any Python application with minimal configuration.
-
-Usage:
-    from services.google_auth_service import GoogleAuthService, GoogleUserInfo
-    
-    # Initialize with client ID
-    auth_service = GoogleAuthService(client_id="your-google-client-id")
-    
-    # Or use environment variable GOOGLE_CLIENT_ID
-    auth_service = GoogleAuthService()
-    
-    # Verify a Google ID token
-    user_info = auth_service.verify_token(id_token)
-    print(user_info.email, user_info.google_id, user_info.name)
-
-Environment Variables:
-    GOOGLE_CLIENT_ID: Your Google OAuth 2.0 Client ID
-
-Dependencies:
-    google-auth>=2.0.0
-    google-auth-oauthlib>=1.0.0
-"""
-
-import os
-import logging
-from dataclasses import dataclass
-from typing import Optional
-from google.oauth2 import id_token as google_id_token
-from google.auth.transport import requests as google_requests
-
-logger = logging.getLogger(__name__)
-
-
-@dataclass
-class GoogleUserInfo:
-    """
-    User information extracted from a verified Google ID token.
-    
-    Attributes:
-        google_id: Unique Google user identifier (sub claim)
-        email: User's email address
-        email_verified: Whether Google has verified the email
-        name: User's display name (may be None)
-        picture: URL to user's profile picture (may be None)
-        given_name: User's first name (may be None)
-        family_name: User's last name (may be None)
-        locale: User's locale preference (may be None)
-    """
-    google_id: str
-    email: str
-    email_verified: bool = True
-    name: Optional[str] = None
-    picture: Optional[str] = None
-    given_name: Optional[str] = None
-    family_name: Optional[str] = None
-    locale: Optional[str] = None
-
-
-class GoogleAuthError(Exception):
-    """Base exception for Google Auth errors."""
-    pass
-
-
-class InvalidTokenError(GoogleAuthError):
-    """Raised when the token is invalid or expired."""
-    pass
-
-
-class ConfigurationError(GoogleAuthError):
-    """Raised when the service is not properly configured."""
-    pass
-
-
-class GoogleAuthService:
-    """
-    Service for verifying Google OAuth ID tokens.
-    
-    This service validates ID tokens issued by Google Sign-In and extracts
-    user information. It's designed to be modular and reusable across
-    different applications.
-    
-    Example:
-        service = GoogleAuthService()
-        try:
-            user_info = service.verify_token(token_from_frontend)
-            print(f"Welcome {user_info.name}!")
-        except InvalidTokenError:
-            print("Invalid or expired token")
-    """
-    
-    def __init__(
-        self,
-        client_id: Optional[str] = None,
-        clock_skew_seconds: int = 0
-    ):
-        """
-        Initialize the Google Auth Service.
-        
-        Args:
-            client_id: Google OAuth 2.0 Client ID. If not provided,
-                      falls back to GOOGLE_CLIENT_ID environment variable.
-            clock_skew_seconds: Allowed clock skew in seconds for token
-                               validation (default: 0).
-        
-        Raises:
-            ConfigurationError: If no client_id is provided or found.
-        """
-        self.client_id = client_id or os.getenv("AUTH_SIGN_IN_GOOGLE_CLIENT_ID")
-        self.clock_skew_seconds = clock_skew_seconds
-        
-        if not self.client_id:
-            raise ConfigurationError(
-                "Google Client ID is required. Either pass client_id parameter "
-                "or set GOOGLE_CLIENT_ID environment variable."
-            )
-        
-        logger.info(f"GoogleAuthService initialized with client_id: {self.client_id[:20]}...")
-    
-    def verify_token(self, id_token: str) -> GoogleUserInfo:
-        """
-        Verify a Google ID token and extract user information.
-        
-        Args:
-            id_token: The ID token received from the frontend after
-                     Google Sign-In.
-        
-        Returns:
-            GoogleUserInfo: Dataclass containing user's Google profile info.
-        
-        Raises:
-            InvalidTokenError: If the token is invalid, expired, or
-                              doesn't match the expected client ID.
-        """
-        if not id_token:
-            raise InvalidTokenError("Token cannot be empty")
-        
-        try:
-            # Verify the token with Google
-            idinfo = google_id_token.verify_oauth2_token(
-                id_token,
-                google_requests.Request(),
-                self.client_id,
-                clock_skew_in_seconds=self.clock_skew_seconds
-            )
-            
-            # Validate issuer
-            if idinfo.get("iss") not in ["accounts.google.com", "https://accounts.google.com"]:
-                raise InvalidTokenError("Invalid token issuer")
-            
-            # Validate audience
-            if idinfo.get("aud") != self.client_id:
-                raise InvalidTokenError("Token was not issued for this application")
-            
-            # Extract user info
-            return GoogleUserInfo(
-                google_id=idinfo["sub"],
-                email=idinfo["email"],
-                email_verified=idinfo.get("email_verified", False),
-                name=idinfo.get("name"),
-                picture=idinfo.get("picture"),
-                given_name=idinfo.get("given_name"),
-                family_name=idinfo.get("family_name"),
-                locale=idinfo.get("locale")
-            )
-            
-        except ValueError as e:
-            logger.warning(f"Token verification failed: {e}")
-            raise InvalidTokenError(f"Token verification failed: {str(e)}")
-        except Exception as e:
-            logger.error(f"Unexpected error during token verification: {e}")
-            raise InvalidTokenError(f"Token verification error: {str(e)}")
-    
-    def verify_token_safe(self, id_token: str) -> Optional[GoogleUserInfo]:
-        """
-        Verify a Google ID token without raising exceptions.
-        
-        Useful for cases where you want to check validity without
-        exception handling.
-        
-        Args:
-            id_token: The ID token to verify.
-        
-        Returns:
-            GoogleUserInfo if valid, None if invalid.
-        """
-        try:
-            return self.verify_token(id_token)
-        except GoogleAuthError:
-            return None
-
-
-# Singleton instance for convenience (initialized on first use)
-_default_service: Optional[GoogleAuthService] = None
-
-
-def get_google_auth_service() -> GoogleAuthService:
-    """
-    Get the default GoogleAuthService instance.
-    
-    Creates a singleton instance using environment variables.
-    
-    Returns:
-        GoogleAuthService: The default service instance.
-    
-    Raises:
-        ConfigurationError: If GOOGLE_CLIENT_ID is not set.
-    """
-    global _default_service
-    if _default_service is None:
-        _default_service = GoogleAuthService()
-    return _default_service
-
-
-def verify_google_token(id_token: str) -> GoogleUserInfo:
-    """
-    Convenience function to verify a token using the default service.
-    
-    Args:
-        id_token: The Google ID token to verify.
-    
-    Returns:
-        GoogleUserInfo: Verified user information.
-    
-    Raises:
-        InvalidTokenError: If verification fails.
-        ConfigurationError: If service is not configured.
-    """
-    return get_google_auth_service().verify_token(id_token)

services/jwt_service.py

@@ -1,386 +0,0 @@
-"""
-Modular JWT Service
-
-A self-contained, plug-and-play service for creating and verifying JWT tokens.
-Can be used in any Python application with minimal configuration.
-
-Usage:
-    from services.jwt_service import JWTService, TokenPayload
-    
-    # Initialize with secret key
-    jwt_service = JWTService(secret_key="your-secret-key")
-    
-    # Or use environment variable JWT_SECRET
-    jwt_service = JWTService()
-    
-    # Create a token
-    token = jwt_service.create_token(user_id="user123", email="user@example.com")
-    
-    # Verify a token
-    payload = jwt_service.verify_token(token)
-    print(payload.user_id, payload.email)
-
-Environment Variables:
-    JWT_SECRET: Your secret key for signing tokens (required)
-    JWT_EXPIRY_HOURS: Token expiry in hours (default: 168 = 7 days)
-    JWT_ALGORITHM: Algorithm to use (default: HS256)
-
-Dependencies:
-    PyJWT>=2.8.0
-
-Generate a secure secret:
-    python -c "import secrets; print(secrets.token_urlsafe(64))"
-"""
-
-import os
-import logging
-from dataclasses import dataclass
-from datetime import datetime, timedelta
-from typing import Optional, Dict, Any
-import jwt
-
-logger = logging.getLogger(__name__)
-
-
-@dataclass
-class TokenPayload:
-    """
-    Payload extracted from a verified JWT token.
-    
-    Attributes:
-        user_id: The user's unique identifier (sub claim)
-        email: The user's email address
-        issued_at: When the token was issued
-        expires_at: When the token expires
-        token_version: Version number for token invalidation
-        extra: Any additional claims in the token
-    """
-    user_id: str
-    email: str
-    issued_at: datetime
-    expires_at: datetime
-    token_version: int = 1
-    extra: Dict[str, Any] = None
-    
-    def __post_init__(self):
-        if self.extra is None:
-            self.extra = {}
-    
-    @property
-    def is_expired(self) -> bool:
-        """Check if the token has expired."""
-        return datetime.utcnow() > self.expires_at
-    
-    @property
-    def time_until_expiry(self) -> timedelta:
-        """Get time remaining until expiry."""
-        return self.expires_at - datetime.utcnow()
-
-
-class JWTError(Exception):
-    """Base exception for JWT errors."""
-    pass
-
-
-class TokenExpiredError(JWTError):
-    """Raised when the token has expired."""
-    pass
-
-
-class InvalidTokenError(JWTError):
-    """Raised when the token is invalid."""
-    pass
-
-
-class ConfigurationError(JWTError):
-    """Raised when the service is not properly configured."""
-    pass
-
-
-class JWTService:
-    """
-    Service for creating and verifying JWT tokens.
-    
-    This service handles JWT token lifecycle for authentication.
-    It's designed to be modular and reusable across different applications.
-    
-    Example:
-        service = JWTService(secret_key="my-secret")
-        
-        # Create token
-        token = service.create_token(user_id="u123", email="a@b.com")
-        
-        # Verify token
-        try:
-            payload = service.verify_token(token)
-            print(f"User: {payload.user_id}")
-        except TokenExpiredError:
-            print("Token expired, please login again")
-        except InvalidTokenError:
-            print("Invalid token")
-    """
-    
-    # Default configuration
-    DEFAULT_ALGORITHM = "HS256"
-    DEFAULT_EXPIRY_HOURS = 168  # 7 days
-    
-    def __init__(
-        self,
-        secret_key: Optional[str] = None,
-        algorithm: Optional[str] = None,
-        expiry_hours: Optional[int] = None
-    ):
-        """
-        Initialize the JWT Service.
-        
-        Args:
-            secret_key: Secret key for signing tokens. If not provided,
-                       falls back to JWT_SECRET environment variable.
-            algorithm: JWT algorithm (default: HS256).
-            expiry_hours: Token expiry in hours (default: 168 = 7 days).
-        
-        Raises:
-            ConfigurationError: If no secret_key is provided or found.
-        """
-        self.secret_key = secret_key or os.getenv("JWT_SECRET")
-        self.algorithm = algorithm or os.getenv("JWT_ALGORITHM", self.DEFAULT_ALGORITHM)
-        self.expiry_hours = expiry_hours or int(
-            os.getenv("JWT_EXPIRY_HOURS", str(self.DEFAULT_EXPIRY_HOURS))
-        )
-        
-        if not self.secret_key:
-            raise ConfigurationError(
-                "JWT secret key is required. Either pass secret_key parameter "
-                "or set JWT_SECRET environment variable. "
-                "Generate one with: python -c \"import secrets; print(secrets.token_urlsafe(64))\""
-            )
-        
-        # Warn if secret is too short
-        if len(self.secret_key) < 32:
-            logger.warning(
-                "JWT secret key is short (< 32 chars). "
-                "Consider using a longer secret for better security."
-            )
-        
-        logger.info(
-            f"JWTService initialized (algorithm={self.algorithm}, "
-            f"expiry={self.expiry_hours}h)"
-        )
-    
-    def create_token(
-        self,
-        user_id: str,
-        email: str,
-        token_version: int = 1,
-        extra_claims: Optional[Dict[str, Any]] = None,
-        expiry_hours: Optional[int] = None
-    ) -> str:
-        """
-        Create a JWT token for a user.
-        
-        Args:
-            user_id: The user's unique identifier.
-            email: The user's email address.
-            token_version: User's current token version for invalidation.
-            extra_claims: Additional claims to include in the token.
-            expiry_hours: Custom expiry for this token (overrides default).
-        
-        Returns:
-            str: The encoded JWT token.
-        """
-        now = datetime.utcnow()
-        expiry = expiry_hours or self.expiry_hours
-        
-        payload = {
-            "sub": user_id,
-            "email": email,
-            "tv": token_version,  # Token version for invalidation
-            "iat": now,
-            "exp": now + timedelta(hours=expiry),
-        }
-        
-        if extra_claims:
-            payload.update(extra_claims)
-        
-        token = jwt.encode(payload, self.secret_key, algorithm=self.algorithm)
-        
-        logger.debug(f"Created token for user_id={user_id} (version={token_version})")
-        return token
-    
-    def verify_token(self, token: str) -> TokenPayload:
-        """
-        Verify a JWT token and extract the payload.
-        
-        Args:
-            token: The JWT token to verify.
-        
-        Returns:
-            TokenPayload: Dataclass containing the verified payload.
-        
-        Raises:
-            TokenExpiredError: If the token has expired.
-            InvalidTokenError: If the token is invalid or malformed.
-        """
-        if not token:
-            raise InvalidTokenError("Token cannot be empty")
-        
-        try:
-            payload = jwt.decode(
-                token,
-                self.secret_key,
-                algorithms=[self.algorithm]
-            )
-            
-            # Extract standard claims
-            user_id = payload.get("sub")
-            email = payload.get("email")
-            token_version = payload.get("tv", 1)  # Default to 1 for backward compatibility
-            iat = payload.get("iat")
-            exp = payload.get("exp")
-            
-            if not user_id or not email:
-                raise InvalidTokenError("Token missing required claims (sub, email)")
-            
-            # Convert timestamps to datetime
-            issued_at = datetime.utcfromtimestamp(iat) if isinstance(iat, (int, float)) else iat
-            expires_at = datetime.utcfromtimestamp(exp) if isinstance(exp, (int, float)) else exp
-            
-            # Extract extra claims
-            standard_claims = {"sub", "email", "tv", "iat", "exp"}
-            extra = {k: v for k, v in payload.items() if k not in standard_claims}
-            
-            return TokenPayload(
-                user_id=user_id,
-                email=email,
-                issued_at=issued_at,
-                expires_at=expires_at,
-                token_version=token_version,
-                extra=extra
-            )
-            
-        except jwt.ExpiredSignatureError:
-            logger.debug("Token verification failed: expired")
-            raise TokenExpiredError("Token has expired")
-        except jwt.InvalidTokenError as e:
-            logger.debug(f"Token verification failed: {e}")
-            raise InvalidTokenError(f"Invalid token: {str(e)}")
-        except Exception as e:
-            logger.error(f"Unexpected error during token verification: {e}")
-            raise InvalidTokenError(f"Token verification error: {str(e)}")
-    
-    def verify_token_safe(self, token: str) -> Optional[TokenPayload]:
-        """
-        Verify a JWT token without raising exceptions.
-        
-        Args:
-            token: The JWT token to verify.
-        
-        Returns:
-            TokenPayload if valid, None if invalid or expired.
-        """
-        try:
-            return self.verify_token(token)
-        except JWTError:
-            return None
-    
-    def refresh_token(
-        self,
-        token: str,
-        expiry_hours: Optional[int] = None
-    ) -> str:
-        """
-        Refresh a token by creating a new one with the same claims.
-        
-        Args:
-            token: The current (possibly expired) token.
-            expiry_hours: Custom expiry for the new token.
-        
-        Returns:
-            str: A new JWT token with updated expiry.
-        
-        Raises:
-            InvalidTokenError: If the token is malformed.
-        """
-        try:
-            # Decode without verifying expiry
-            payload = jwt.decode(
-                token,
-                self.secret_key,
-                algorithms=[self.algorithm],
-                options={"verify_exp": False}
-            )
-            
-            user_id = payload.get("sub")
-            email = payload.get("email")
-            
-            if not user_id or not email:
-                raise InvalidTokenError("Token missing required claims")
-            
-            # Preserve extra claims
-            standard_claims = {"sub", "email", "iat", "exp"}
-            extra = {k: v for k, v in payload.items() if k not in standard_claims}
-            
-            return self.create_token(
-                user_id=user_id,
-                email=email,
-                extra_claims=extra,
-                expiry_hours=expiry_hours
-            )
-            
-        except jwt.InvalidTokenError as e:
-            raise InvalidTokenError(f"Cannot refresh invalid token: {str(e)}")
-
-
-# Singleton instance for convenience
-_default_service: Optional[JWTService] = None
-
-
-def get_jwt_service() -> JWTService:
-    """
-    Get the default JWTService instance.
-    
-    Creates a singleton instance using environment variables.
-    
-    Returns:
-        JWTService: The default service instance.
-    
-    Raises:
-        ConfigurationError: If JWT_SECRET is not set.
-    """
-    global _default_service
-    if _default_service is None:
-        _default_service = JWTService()
-    return _default_service
-
-
-def create_access_token(user_id: str, email: str, token_version: int = 1, **kwargs) -> str:
-    """
-    Convenience function to create a token using the default service.
-    
-    Args:
-        user_id: The user's unique identifier.
-        email: The user's email address.
-        token_version: User's current token version for invalidation.
-        **kwargs: Additional arguments passed to create_token.
-    
-    Returns:
-        str: The encoded JWT token.
-    """
-    return get_jwt_service().create_token(user_id, email, token_version, **kwargs)
-
-
-def verify_access_token(token: str) -> TokenPayload:
-    """
-    Convenience function to verify a token using the default service.
-    
-    Args:
-        token: The JWT token to verify.
-    
-    Returns:
-        TokenPayload: Verified token payload.
-    
-    Raises:
-        TokenExpiredError: If the token has expired.
-        InvalidTokenError: If the token is invalid.
-    """
-    return get_jwt_service().verify_token(token)

services/priority_worker_pool.py

@@ -378,7 +378,7 @@ class PriorityWorker(Generic[JobType]):
             return
         
         try:
-            from services.credit_service import handle_job_completion
+            from services.credit_service.credit_manager import handle_job_completion
             await handle_job_completion(session, job)
         except ImportError:
             # Credit service not available - skip
@@ -519,7 +519,7 @@ class PriorityWorkerPool(Generic[JobType]):
     async def _refund_orphaned_jobs(self):
         """Refund credits for jobs abandoned during shutdown."""
         try:
-            from services.credit_service import refund_orphaned_jobs
+            from services.credit_service.credit_manager import refund_orphaned_jobs
             async with self.session_maker() as session:
                 refund_count = await refund_orphaned_jobs(session)
                 if refund_count > 0: