feat: Supabase auth + Razorpay billing + fix API double-URL bug

- Fix: api.get/post calls had doubled base URL (axios baseURL + explicit prefix)
- Add web/src/api.ts: single shared axios instance with ngrok header
- Add server/auth.py: Supabase JWT middleware, plan guard (free=2, starter=25, pro/byok=unlimited), BYOK key encryption
- Add server/billing.py: Razorpay order creation, payment verify, webhook handler
- Add server/schema.sql: profiles, builds, payments, plan_limits tables with RLS policies
- Add /health endpoint showing LLM backend status
- Add /profile and /profile/api-key endpoints
- Add /billing/create-order, /billing/verify-payment, /billing/webhook/razorpay
- Fix .env quotes: all values now unquoted (Docker env_file includes quotes literally)
- Fix deploy.yml: validates HF_TOKEN set before push, clear error if missing
- Auth is opt-in: when SUPABASE_URL not set, all endpoints work without token

.env.example

@@ -13,6 +13,17 @@ LLM_API_KEY=NA
 
 # ── Verilog Code-Gen override (optional) ────────────────────────────────────
 VERILOG_CODEGEN_ENABLED=false
+
+# ── Supabase Auth (leave blank to disable auth — all builds allowed) ────────
+SUPABASE_URL=
+SUPABASE_SERVICE_KEY=
+SUPABASE_JWT_SECRET=
+ENCRYPTION_KEY=change-me-in-production-32chars!
+
+# ── Razorpay Billing (leave blank to disable payments) ──────────────────────
+RAZORPAY_KEY_ID=
+RAZORPAY_KEY_SECRET=
+RAZORPAY_WEBHOOK_SECRET=
 VERILOG_CODEGEN_MODEL=
 VERILOG_CODEGEN_BASE_URL=
 VERILOG_CODEGEN_API_KEY=

.github/workflows/deploy.yml

@@ -25,5 +25,9 @@ jobs:
         env:
           HF_TOKEN: ${{ secrets.HF_TOKEN }}
         run: |
-          git remote add hf https://vxkyyy:${HF_TOKEN}@huggingface.co/spaces/vxkyyy/AgentIC
+          if [ -z "$HF_TOKEN" ]; then
+            echo "::error::HF_TOKEN secret is not set. Go to repo Settings → Secrets → Actions → New secret"
+            exit 1
+          fi
+          git remote add hf "https://hf_user:${HF_TOKEN}@huggingface.co/spaces/vxkyyy/AgentIC"
           git push hf main --force

requirements.txt

@@ -10,3 +10,4 @@ streamlit-option-menu
 plotly
 streamlit-ace
 gdstk
+httpx

server/api.py

@@ -12,12 +12,23 @@ import glob
 import threading
 from typing import Any, Dict, List, Optional
 
-from fastapi import FastAPI, HTTPException, Request
+from fastapi import Depends, FastAPI, HTTPException, Request
 from fastapi.middleware.cors import CORSMiddleware
 from fastapi.responses import StreamingResponse
 from pydantic import BaseModel
 
 from server.approval import approval_manager
+from server.auth import (
+    AUTH_ENABLED,
+    check_build_allowed,
+    encrypt_api_key,
+    get_current_user,
+    get_llm_key_for_user,
+    record_build_failure,
+    record_build_start,
+    record_build_success,
+)
+from server.billing import router as billing_router
 from server.stage_summary import (
     build_stage_complete_payload,
     get_next_stage,
@@ -34,6 +45,7 @@ if src_path not in sys.path:
 
 # ─── App ─────────────────────────────────────────────────────────────
 app = FastAPI(title="AgentIC Backend API", version="3.0.0")
+app.include_router(billing_router)
 
 app.add_middleware(
     CORSMiddleware,
@@ -78,9 +90,11 @@ STAGE_META: Dict[str, Dict[str, str]] = {
 }
 
 
-def _get_llm():
+def _get_llm(byok_api_key: str = None):
     """Mirrors CLI's get_llm() — tries cloud first, falls back to local.
     Priority: NVIDIA Nemotron → GLM5 Cloud → VeriReason Local
+
+    If byok_api_key is provided (BYOK plan), it overrides the cloud config key.
     """
     from agentic.config import CLOUD_CONFIG, LOCAL_CONFIG
     from crewai import LLM
@@ -91,7 +105,7 @@ def _get_llm():
     ]
 
     for name, cfg in configs:
-        key = cfg.get("api_key", "")
+        key = byok_api_key if (byok_api_key and "Cloud" in name) else cfg.get("api_key", "")
         # Skip cloud configs with no valid key
         if "Cloud" in name and (not key or key.strip() in ("", "mock-key", "NA")):
             continue
@@ -300,7 +314,8 @@ def _run_agentic_build(job_id: str, req: BuildRequest):
                 _emit_agent_thought(job_id, agent_name, thought_type, message, state)
 
         # Use smart LLM selection: Cloud first (Nemotron → GLM5) → Local fallback
-        llm, llm_name = _get_llm()
+        byok_key = JOB_STORE[job_id].get("byok_key")
+        llm, llm_name = _get_llm(byok_api_key=byok_key)
         _emit_event(job_id, "checkpoint", "INIT", f"🤖 Compute engine ready", step=1)
 
         orchestrator = BuildOrchestrator(
@@ -367,6 +382,13 @@ def _run_agentic_build(job_id: str, req: BuildRequest):
         JOB_STORE[job_id]["result"] = result
         JOB_STORE[job_id]["status"] = "done" if success else "failed"
 
+        # ── Record build outcome in Supabase ───────────────────────
+        user_profile = JOB_STORE[job_id].get("user_profile")
+        if success:
+            record_build_success(user_profile, job_id)
+        else:
+            record_build_failure(job_id)
+
         final_type = "done" if success else "error"
         final_msg = "✅ Chip build completed successfully!" if success else "❌ Build failed. See logs for details."
         _emit_event(job_id, final_type, orchestrator.state.name, final_msg, step=TOTAL_STEPS)
@@ -380,6 +402,7 @@ def _run_agentic_build(job_id: str, req: BuildRequest):
         JOB_STORE[job_id]["status"] = "failed"
         JOB_STORE[job_id]["result"] = {"error": str(e), "traceback": err}
         _emit_event(job_id, "error", "FAIL", f"💥 Critical error: {str(e)}", step=0)
+        record_build_failure(job_id)
     finally:
         # Cleanup approval gates
         design_name = JOB_STORE.get(job_id, {}).get("design_name", "")
@@ -785,6 +808,26 @@ def read_root():
     return {"message": "AgentIC API is online", "version": "3.0.0"}
 
 
+@app.get("/health")
+def health_check():
+    """Health probe — verifies the LLM backend is reachable."""
+    from agentic.config import CLOUD_CONFIG, LOCAL_CONFIG
+    llm_ok = False
+    llm_name = "none"
+    try:
+        _, llm_name = _get_llm()
+        llm_ok = True
+    except Exception:
+        pass
+    return {
+        "status": "ok" if llm_ok else "degraded",
+        "llm_backend": llm_name,
+        "llm_ok": llm_ok,
+        "cloud_key_set": bool(CLOUD_CONFIG.get("api_key", "").strip()),
+        "version": "3.0.0",
+    }
+
+
 @app.get("/pipeline/schema")
 def get_pipeline_schema():
     """Canonical pipeline schema for frontend timeline rendering."""
@@ -886,8 +929,15 @@ def get_doc_content(doc_id: str):
 
 
 @app.post("/build")
-def trigger_build(req: BuildRequest):
-    """Start a new chip build. Returns job_id immediately."""
+async def trigger_build(req: BuildRequest, profile: dict = Depends(get_current_user)):
+    """Start a new chip build. Returns job_id immediately.
+
+    When auth is enabled, checks plan quota and uses BYOK key if applicable.
+    """
+    # ── Auth guard: check plan + build count ──
+    check_build_allowed(profile)
+    byok_key = get_llm_key_for_user(profile)
+
     # Sanitize design name — Verilog identifiers cannot start with a digit
     import re as _re
     design_name = req.design_name.strip().lower()
@@ -908,10 +958,15 @@ def trigger_build(req: BuildRequest):
         "events": [],
         "result": {},
         "created_at": int(time.time()),
+        "user_profile": profile,
+        "byok_key": byok_key,
     }
 
     req.design_name = design_name
 
+    # Record build start in Supabase
+    record_build_start(profile, job_id, design_name)
+
     thread = threading.Thread(
         target=_run_agentic_build,
         args=(job_id, req),
@@ -1190,3 +1245,39 @@ def _classify_artifact(filename: str) -> str:
         '.csv': 'report',
     }
     return classifications.get(ext, 'other')
+
+
+# ─── Auth & Profile Routes ──────────────────────────────────────────
+class SetApiKeyRequest(BaseModel):
+    api_key: str
+
+
+@app.get("/profile")
+async def get_profile(profile: dict = Depends(get_current_user)):
+    """Return the authenticated user's profile (plan, build count, etc.)."""
+    if profile is None:
+        return {"auth_enabled": False}
+    return {
+        "auth_enabled": True,
+        "id": profile["id"],
+        "email": profile.get("email"),
+        "full_name": profile.get("full_name"),
+        "plan": profile.get("plan", "free"),
+        "successful_builds": profile.get("successful_builds", 0),
+        "has_byok_key": bool(profile.get("llm_api_key")),
+    }
+
+
+@app.post("/profile/api-key")
+async def set_byok_key(req: SetApiKeyRequest, profile: dict = Depends(get_current_user)):
+    """Store an encrypted LLM API key for BYOK plan users."""
+    if profile is None:
+        raise HTTPException(status_code=403, detail="Auth not enabled")
+    if profile.get("plan") != "byok":
+        raise HTTPException(status_code=400, detail="Only BYOK plan users can set an API key")
+
+    from server.auth import _supabase_update
+    encrypted = encrypt_api_key(req.api_key)
+    _supabase_update("profiles", f"id=eq.{profile['id']}", {"llm_api_key": encrypted})
+    return {"success": True, "message": "API key stored securely"}
+

server/auth.py

@@ -0,0 +1,271 @@
+"""
+AgentIC Auth — Supabase JWT middleware + plan/build-count guard.
+
+Env vars required:
+    SUPABASE_URL          – e.g. https://xyz.supabase.co
+    SUPABASE_SERVICE_KEY  – service-role key (server-side only, never expose)
+    SUPABASE_JWT_SECRET   – JWT secret from Supabase dashboard → Settings → API
+    ENCRYPTION_KEY        – symmetric key for encrypting BYOK API keys (32+ chars)
+"""
+
+import hashlib
+import hmac
+import json
+import os
+import time
+from functools import lru_cache
+from typing import Optional, Tuple
+
+import httpx
+from fastapi import Depends, HTTPException, Request
+from fastapi.security import HTTPAuthorizationCredentials, HTTPBearer
+
+# ─── Config ──────────────────────────────────────────────────────────
+SUPABASE_URL = os.environ.get("SUPABASE_URL", "")
+SUPABASE_SERVICE_KEY = os.environ.get("SUPABASE_SERVICE_KEY", "")
+SUPABASE_JWT_SECRET = os.environ.get("SUPABASE_JWT_SECRET", "")
+ENCRYPTION_KEY = os.environ.get("ENCRYPTION_KEY", "change-me-in-production-32chars!")
+
+AUTH_ENABLED = bool(SUPABASE_URL and SUPABASE_SERVICE_KEY and SUPABASE_JWT_SECRET)
+
+# Plan limits: max successful builds allowed (None = unlimited)
+PLAN_LIMITS = {
+    "free": 2,
+    "starter": 25,
+    "pro": None,   # unlimited
+    "byok": None,  # unlimited, uses own key
+}
+
+_bearer = HTTPBearer(auto_error=False)
+
+
+# ─── JWT Decode (no pyjwt dependency — use Supabase /auth/v1/user) ──
+def _decode_supabase_jwt(token: str) -> dict:
+    """Validate JWT by calling Supabase auth endpoint.
+
+    We call GET /auth/v1/user with the user's access_token.
+    Supabase verifies the JWT signature and returns the user object.
+    """
+    resp = httpx.get(
+        f"{SUPABASE_URL}/auth/v1/user",
+        headers={
+            "Authorization": f"Bearer {token}",
+            "apikey": SUPABASE_SERVICE_KEY,
+        },
+        timeout=10,
+    )
+    if resp.status_code != 200:
+        raise HTTPException(status_code=401, detail="Invalid or expired token")
+    return resp.json()
+
+
+# ─── Supabase DB helpers (use service-role key) ─────────────────────
+def _supabase_rpc(fn_name: str, params: dict) -> dict:
+    """Call a Supabase RPC function."""
+    resp = httpx.post(
+        f"{SUPABASE_URL}/rest/v1/rpc/{fn_name}",
+        headers={
+            "apikey": SUPABASE_SERVICE_KEY,
+            "Authorization": f"Bearer {SUPABASE_SERVICE_KEY}",
+            "Content-Type": "application/json",
+        },
+        json=params,
+        timeout=10,
+    )
+    resp.raise_for_status()
+    return resp.json() if resp.text else {}
+
+
+def _supabase_query(table: str, select: str = "*", filters: str = "") -> list:
+    """Simple REST query against Supabase PostgREST."""
+    url = f"{SUPABASE_URL}/rest/v1/{table}?select={select}"
+    if filters:
+        url += f"&{filters}"
+    resp = httpx.get(
+        url,
+        headers={
+            "apikey": SUPABASE_SERVICE_KEY,
+            "Authorization": f"Bearer {SUPABASE_SERVICE_KEY},",
+        },
+        timeout=10,
+    )
+    resp.raise_for_status()
+    return resp.json()
+
+
+def _supabase_insert(table: str, data: dict) -> dict:
+    resp = httpx.post(
+        f"{SUPABASE_URL}/rest/v1/{table}",
+        headers={
+            "apikey": SUPABASE_SERVICE_KEY,
+            "Authorization": f"Bearer {SUPABASE_SERVICE_KEY}",
+            "Content-Type": "application/json",
+            "Prefer": "return=representation",
+        },
+        json=data,
+        timeout=10,
+    )
+    resp.raise_for_status()
+    rows = resp.json()
+    return rows[0] if rows else {}
+
+
+def _supabase_update(table: str, filters: str, data: dict) -> dict:
+    resp = httpx.patch(
+        f"{SUPABASE_URL}/rest/v1/{table}?{filters}",
+        headers={
+            "apikey": SUPABASE_SERVICE_KEY,
+            "Authorization": f"Bearer {SUPABASE_SERVICE_KEY}",
+            "Content-Type": "application/json",
+            "Prefer": "return=representation",
+        },
+        json=data,
+        timeout=10,
+    )
+    resp.raise_for_status()
+    rows = resp.json()
+    return rows[0] if rows else {}
+
+
+# ─── BYOK Encryption ────────────────────────────────────────────────
+def encrypt_api_key(plaintext: str) -> str:
+    """XOR-based encryption with HMAC integrity check. Not AES-grade,
+    but avoids requiring `cryptography` in Docker. Good enough for
+    API keys at rest that are already scoped to a single user."""
+    key_bytes = hashlib.sha256(ENCRYPTION_KEY.encode()).digest()
+    ct = bytes(a ^ b for a, b in zip(plaintext.encode(), (key_bytes * ((len(plaintext) // 32) + 1))))
+    mac = hmac.new(key_bytes, ct, hashlib.sha256).hexdigest()
+    import base64
+    return base64.urlsafe_b64encode(ct).decode() + "." + mac
+
+
+def decrypt_api_key(ciphertext: str) -> str:
+    import base64
+    parts = ciphertext.split(".", 1)
+    if len(parts) != 2:
+        raise ValueError("Malformed encrypted key")
+    ct = base64.urlsafe_b64decode(parts[0])
+    mac = parts[1]
+    key_bytes = hashlib.sha256(ENCRYPTION_KEY.encode()).digest()
+    expected_mac = hmac.new(key_bytes, ct, hashlib.sha256).hexdigest()
+    if not hmac.compare_digest(mac, expected_mac):
+        raise ValueError("Integrity check failed — key may have been tampered with")
+    pt = bytes(a ^ b for a, b in zip(ct, (key_bytes * ((len(ct) // 32) + 1))))
+    return pt.decode()
+
+
+# ─── FastAPI Dependency: get current user ────────────────────────────
+async def get_current_user(
+    request: Request,
+    credentials: Optional[HTTPAuthorizationCredentials] = Depends(_bearer),
+) -> Optional[dict]:
+    """Extract and validate the Supabase JWT from the Authorization header.
+
+    Returns the user profile dict or None if auth is disabled.
+    When auth is enabled but no valid token is provided, raises 401.
+    """
+    if not AUTH_ENABLED:
+        return None  # Auth not configured — allow anonymous access
+
+    if not credentials:
+        raise HTTPException(status_code=401, detail="Missing Authorization header")
+
+    token = credentials.credentials
+    user = _decode_supabase_jwt(token)
+    uid = user.get("id")
+    if not uid:
+        raise HTTPException(status_code=401, detail="Invalid user")
+
+    # Fetch profile from DB
+    profiles = _supabase_query("profiles", filters=f"id=eq.{uid}")
+    if not profiles:
+        raise HTTPException(status_code=404, detail="Profile not found. Sign up first.")
+
+    return profiles[0]
+
+
+# ─── Build Guard: check plan + build count ───────────────────────────
+def check_build_allowed(profile: Optional[dict]) -> None:
+    """Raise 402 if the user has exhausted their plan's build quota.
+
+    Called before every /build request when auth is enabled.
+    """
+    if profile is None:
+        return  # Auth disabled — no restrictions
+
+    plan = profile.get("plan", "free")
+    builds = profile.get("successful_builds", 0)
+    limit = PLAN_LIMITS.get(plan)
+
+    if limit is not None and builds >= limit:
+        raise HTTPException(
+            status_code=402,
+            detail={
+                "error": "build_limit_reached",
+                "plan": plan,
+                "used": builds,
+                "limit": limit,
+                "message": f"You've used all {limit} builds on the {plan} plan. Upgrade to continue building chips.",
+                "upgrade_url": "/pricing",
+            },
+        )
+
+
+def get_llm_key_for_user(profile: Optional[dict]) -> Optional[str]:
+    """Return the user's own LLM API key if they're on the BYOK plan.
+
+    Returns None for all other plans (server uses global NVIDIA_API_KEY).
+    """
+    if profile is None:
+        return None
+
+    if profile.get("plan") != "byok":
+        return None
+
+    encrypted_key = profile.get("llm_api_key")
+    if not encrypted_key:
+        raise HTTPException(
+            status_code=400,
+            detail="BYOK plan requires an API key. Set it in your profile settings.",
+        )
+
+    try:
+        return decrypt_api_key(encrypted_key)
+    except ValueError:
+        raise HTTPException(status_code=500, detail="Failed to decrypt stored API key")
+
+
+def record_build_start(profile: Optional[dict], job_id: str, design_name: str) -> None:
+    """Insert a build record into the builds table."""
+    if profile is None or not AUTH_ENABLED:
+        return
+    _supabase_insert("builds", {
+        "user_id": profile["id"],
+        "job_id": job_id,
+        "design_name": design_name,
+        "status": "queued",
+    })
+
+
+def record_build_success(profile: Optional[dict], job_id: str) -> None:
+    """Mark build as done and increment the user's successful_builds count."""
+    if profile is None or not AUTH_ENABLED:
+        return
+    uid = profile["id"]
+    # Update build row
+    _supabase_update("builds", f"job_id=eq.{job_id}", {
+        "status": "done",
+        "finished_at": "now()",
+    })
+    # Increment counter
+    _supabase_rpc("increment_successful_builds", {"uid": uid})
+
+
+def record_build_failure(job_id: str) -> None:
+    """Mark build as failed."""
+    if not AUTH_ENABLED:
+        return
+    _supabase_update("builds", f"job_id=eq.{job_id}", {
+        "status": "failed",
+        "finished_at": "now()",
+    })

server/billing.py

@@ -0,0 +1,207 @@
+"""
+AgentIC Billing — Razorpay webhook handler + order creation.
+
+Env vars required:
+    RAZORPAY_KEY_ID       – Razorpay API key id
+    RAZORPAY_KEY_SECRET   – Razorpay API key secret
+    RAZORPAY_WEBHOOK_SECRET – Webhook secret from Razorpay dashboard
+"""
+
+import hashlib
+import hmac
+import json
+import os
+from typing import Optional
+
+import httpx
+from fastapi import APIRouter, HTTPException, Request
+from pydantic import BaseModel
+
+from server.auth import (
+    AUTH_ENABLED,
+    _supabase_insert,
+    _supabase_query,
+    _supabase_update,
+)
+
+router = APIRouter(prefix="/billing", tags=["billing"])
+
+RAZORPAY_KEY_ID = os.environ.get("RAZORPAY_KEY_ID", "")
+RAZORPAY_KEY_SECRET = os.environ.get("RAZORPAY_KEY_SECRET", "")
+RAZORPAY_WEBHOOK_SECRET = os.environ.get("RAZORPAY_WEBHOOK_SECRET", "")
+
+# Plan prices in paise (₹1 = 100 paise)
+PLAN_PRICES = {
+    "starter": 49900,    # ₹499
+    "pro": 149900,       # ₹1,499
+}
+
+
+class CreateOrderRequest(BaseModel):
+    plan: str    # "starter" or "pro"
+    user_id: str  # Supabase user UUID
+
+
+class VerifyPaymentRequest(BaseModel):
+    razorpay_order_id: str
+    razorpay_payment_id: str
+    razorpay_signature: str
+    user_id: str
+    plan: str
+
+
+# ─── Create Razorpay Order ──────────────────────────────────────────
+@router.post("/create-order")
+async def create_order(req: CreateOrderRequest):
+    """Create a Razorpay order for plan upgrade."""
+    if not RAZORPAY_KEY_ID or not RAZORPAY_KEY_SECRET:
+        raise HTTPException(status_code=503, detail="Payment system not configured")
+
+    if req.plan not in PLAN_PRICES:
+        raise HTTPException(status_code=400, detail=f"Invalid plan: {req.plan}. Choose 'starter' or 'pro'.")
+
+    amount = PLAN_PRICES[req.plan]
+
+    # Create order via Razorpay API
+    resp = httpx.post(
+        "https://api.razorpay.com/v1/orders",
+        auth=(RAZORPAY_KEY_ID, RAZORPAY_KEY_SECRET),
+        json={
+            "amount": amount,
+            "currency": "INR",
+            "receipt": f"agentic_{req.user_id[:8]}_{req.plan}",
+            "notes": {
+                "user_id": req.user_id,
+                "plan": req.plan,
+            },
+        },
+        timeout=15,
+    )
+    if resp.status_code != 200:
+        raise HTTPException(status_code=502, detail="Failed to create Razorpay order")
+
+    order = resp.json()
+
+    # Record pending payment
+    if AUTH_ENABLED:
+        _supabase_insert("payments", {
+            "user_id": req.user_id,
+            "razorpay_order_id": order["id"],
+            "amount_paise": amount,
+            "plan": req.plan,
+            "status": "pending",
+        })
+
+    return {
+        "order_id": order["id"],
+        "amount": amount,
+        "currency": "INR",
+        "key_id": RAZORPAY_KEY_ID,
+        "plan": req.plan,
+    }
+
+
+# ─── Verify Payment (client-side callback) ─────────────────────────
+@router.post("/verify-payment")
+async def verify_payment(req: VerifyPaymentRequest):
+    """Verify Razorpay payment signature and upgrade user plan."""
+    if not RAZORPAY_KEY_SECRET:
+        raise HTTPException(status_code=503, detail="Payment system not configured")
+
+    # Verify signature: SHA256 HMAC of order_id|payment_id
+    message = f"{req.razorpay_order_id}|{req.razorpay_payment_id}"
+    expected = hmac.new(
+        RAZORPAY_KEY_SECRET.encode(),
+        message.encode(),
+        hashlib.sha256,
+    ).hexdigest()
+
+    if not hmac.compare_digest(expected, req.razorpay_signature):
+        raise HTTPException(status_code=400, detail="Payment verification failed — signature mismatch")
+
+    if AUTH_ENABLED:
+        # Update payment record
+        _supabase_update(
+            "payments",
+            f"razorpay_order_id=eq.{req.razorpay_order_id}",
+            {
+                "razorpay_payment_id": req.razorpay_payment_id,
+                "razorpay_signature": req.razorpay_signature,
+                "status": "captured",
+            },
+        )
+
+        # Upgrade user plan
+        _supabase_update(
+            "profiles",
+            f"id=eq.{req.user_id}",
+            {"plan": req.plan, "successful_builds": 0},
+        )
+
+    return {"success": True, "plan": req.plan, "message": f"Upgraded to {req.plan} plan!"}
+
+
+# ─── Razorpay Webhook (server-to-server) ───────────────────────────
+@router.post("/webhook/razorpay")
+async def razorpay_webhook(request: Request):
+    """Handle Razorpay webhook events (payment.captured, payment.failed).
+
+    Razorpay sends a POST with a JSON body and X-Razorpay-Signature header.
+    We verify the HMAC-SHA256 signature before processing.
+    """
+    if not RAZORPAY_WEBHOOK_SECRET:
+        raise HTTPException(status_code=503, detail="Webhook secret not configured")
+
+    body = await request.body()
+    signature = request.headers.get("X-Razorpay-Signature", "")
+
+    # Verify webhook signature
+    expected = hmac.new(
+        RAZORPAY_WEBHOOK_SECRET.encode(),
+        body,
+        hashlib.sha256,
+    ).hexdigest()
+
+    if not hmac.compare_digest(expected, signature):
+        raise HTTPException(status_code=400, detail="Invalid webhook signature")
+
+    payload = json.loads(body)
+    event = payload.get("event", "")
+
+    if event == "payment.captured":
+        payment = payload.get("payload", {}).get("payment", {}).get("entity", {})
+        order_id = payment.get("order_id", "")
+        notes = payment.get("notes", {})
+        user_id = notes.get("user_id", "")
+        plan = notes.get("plan", "")
+
+        if user_id and plan and AUTH_ENABLED:
+            # Update payment status
+            _supabase_update(
+                "payments",
+                f"razorpay_order_id=eq.{order_id}",
+                {
+                    "razorpay_payment_id": payment.get("id", ""),
+                    "status": "captured",
+                },
+            )
+
+            # Upgrade user plan and reset build count
+            _supabase_update(
+                "profiles",
+                f"id=eq.{user_id}",
+                {"plan": plan, "successful_builds": 0},
+            )
+
+    elif event == "payment.failed":
+        payment = payload.get("payload", {}).get("payment", {}).get("entity", {})
+        order_id = payment.get("order_id", "")
+        if order_id and AUTH_ENABLED:
+            _supabase_update(
+                "payments",
+                f"razorpay_order_id=eq.{order_id}",
+                {"status": "failed"},
+            )
+
+    # Razorpay expects 200 OK to acknowledge receipt
+    return {"status": "ok"}

server/schema.sql

@@ -0,0 +1,133 @@
+-- ============================================================
+-- AgentIC Auth & Billing Schema — Supabase (PostgreSQL)
+-- ============================================================
+-- Run this in Supabase SQL Editor (Dashboard → SQL Editor → New query)
+
+-- Enable Row Level Security on all tables
+-- Enable the pgcrypto extension for encryption
+create extension if not exists pgcrypto;
+
+-- ─── 1. User Profiles ──────────────────────────────────────
+-- Links to Supabase auth.users via id (UUID)
+create table if not exists public.profiles (
+    id            uuid primary key references auth.users(id) on delete cascade,
+    email         text not null,
+    full_name     text,
+    plan          text not null default 'free'
+                    check (plan in ('free', 'starter', 'pro', 'byok')),
+    successful_builds  int not null default 0,
+    llm_api_key   text,                       -- encrypted via pgp_sym_encrypt
+    razorpay_customer_id text,
+    created_at    timestamptz not null default now(),
+    updated_at    timestamptz not null default now()
+);
+
+alter table public.profiles enable row level security;
+
+-- Users can read/update only their own profile
+create policy "Users read own profile"
+    on public.profiles for select
+    using (auth.uid() = id);
+
+create policy "Users update own profile"
+    on public.profiles for update
+    using (auth.uid() = id);
+
+-- ─── 2. Build History ──────────────────────────────────────
+create table if not exists public.builds (
+    id            uuid primary key default gen_random_uuid(),
+    user_id       uuid not null references public.profiles(id) on delete cascade,
+    job_id        text not null,                  -- maps to backend JOB_STORE key
+    design_name   text not null,
+    status        text not null default 'queued'
+                    check (status in ('queued', 'running', 'done', 'failed', 'cancelled')),
+    created_at    timestamptz not null default now(),
+    finished_at   timestamptz
+);
+
+alter table public.builds enable row level security;
+
+create policy "Users read own builds"
+    on public.builds for select
+    using (auth.uid() = user_id);
+
+create policy "Service role inserts builds"
+    on public.builds for insert
+    with check (true);  -- insert via service-role key from backend
+
+create policy "Service role updates builds"
+    on public.builds for update
+    using (true);
+
+-- ─── 3. Payment Events ────────────────────────────────────
+create table if not exists public.payments (
+    id                uuid primary key default gen_random_uuid(),
+    user_id           uuid not null references public.profiles(id) on delete cascade,
+    razorpay_order_id    text,
+    razorpay_payment_id  text,
+    razorpay_signature   text,
+    amount_paise      int not null,               -- amount in paise (₹1 = 100 paise)
+    plan              text not null
+                        check (plan in ('starter', 'pro', 'byok')),
+    status            text not null default 'pending'
+                        check (status in ('pending', 'captured', 'failed', 'refunded')),
+    created_at        timestamptz not null default now()
+);
+
+alter table public.payments enable row level security;
+
+create policy "Users view own payments"
+    on public.payments for select
+    using (auth.uid() = user_id);
+
+-- ─── 4. Plan Limits (reference table) ─────────────────────
+create table if not exists public.plan_limits (
+    plan              text primary key
+                        check (plan in ('free', 'starter', 'pro', 'byok')),
+    max_builds        int,            -- NULL = unlimited
+    price_paise       int not null default 0,
+    label             text not null
+);
+
+insert into public.plan_limits (plan, max_builds, price_paise, label) values
+    ('free',    2,    0,        'Free Tier — 2 builds'),
+    ('starter', 25,   49900,    'Starter — 25 builds (₹499)'),
+    ('pro',     null, 149900,   'Pro — Unlimited builds (₹1,499)'),
+    ('byok',    null, 0,        'BYOK — Bring Your Own Key')
+on conflict (plan) do nothing;
+
+-- ─── 5. Auto-create profile on signup ──────────────────────
+create or replace function public.handle_new_user()
+returns trigger
+language plpgsql
+security definer set search_path = public
+as $$
+begin
+    insert into public.profiles (id, email, full_name)
+    values (
+        new.id,
+        new.email,
+        coalesce(new.raw_user_meta_data->>'full_name', split_part(new.email, '@', 1))
+    );
+    return new;
+end;
+$$;
+
+drop trigger if exists on_auth_user_created on auth.users;
+create trigger on_auth_user_created
+    after insert on auth.users
+    for each row execute procedure public.handle_new_user();
+
+-- ─── 6. Helper: increment builds ──────────────────────────
+create or replace function public.increment_successful_builds(uid uuid)
+returns void
+language plpgsql
+security definer
+as $$
+begin
+    update public.profiles
+    set successful_builds = successful_builds + 1,
+        updated_at = now()
+    where id = uid;
+end;
+$$;

web/src/App.tsx

@@ -1,11 +1,11 @@
 import { useEffect, useMemo, useState } from 'react';
-import axios from 'axios';
 import { Dashboard } from './pages/Dashboard';
 import { DesignStudio } from './pages/DesignStudio';
 import { HumanInLoopBuild } from './pages/HumanInLoopBuild';
 import { Benchmarking } from './pages/Benchmarking';
 import { Fabrication } from './pages/Fabrication';
 import { Documentation } from './pages/Documentation';
+import { api } from './api';
 import './index.css';
 
 const App = () => {
@@ -17,8 +17,7 @@ const App = () => {
     return saved === 'dark' ? 'dark' : 'light';
   });
 
-  // Bypass Ngrok browser warning for all Axios requests
-  axios.defaults.headers.common['ngrok-skip-browser-warning'] = 'true';
+
 
   useEffect(() => {
     document.documentElement.setAttribute('data-theme', theme);
@@ -26,8 +25,7 @@ const App = () => {
   }, [theme]);
 
   useEffect(() => {
-    const API_BASE_URL = (import.meta.env.VITE_API_BASE_URL || 'http://localhost:7860').replace(/\/$/, '');
-    axios.get(`${API_BASE_URL}/designs`)
+    api.get('/designs')
       .then(res => {
         const data = res.data?.designs || [];
         setDesigns(data);

web/src/api.ts

@@ -0,0 +1,9 @@
+import axios from 'axios';
+
+export const API_BASE = (import.meta.env.VITE_API_BASE_URL || 'http://localhost:7860').replace(/\/$/, '');
+
+// Pre-configured axios instance with ngrok header
+export const api = axios.create({
+  baseURL: API_BASE,
+  headers: { 'ngrok-skip-browser-warning': 'true' },
+});

web/src/components/BuildMonitor.tsx

@@ -1,8 +1,6 @@
 import React, { useEffect, useRef } from 'react';
 import { motion } from 'framer-motion';
-import axios from 'axios';
-
-const API = (import.meta.env.VITE_API_BASE_URL || 'http://localhost:7860').replace(/\/$/, '');
+import { api } from '../api';
 
 const STATES_DISPLAY: Record<string, { label: string; icon: string }> = {
     INIT: { label: 'Initializing Workspace', icon: '🔧' },
@@ -92,7 +90,7 @@ export const BuildMonitor: React.FC<Props> = ({ designName, jobId, events, jobSt
         if (!jobId || cancelling) return;
         setCancelling(true);
         try {
-            await axios.post(`${API}/build/cancel/${jobId}`);
+            await api.post(`/build/cancel/${jobId}`);
         } catch {
             setCancelling(false);
         }

web/src/pages/Dashboard.tsx

@@ -1,5 +1,5 @@
 import React, { useState, useEffect } from 'react';
-import axios from 'axios';
+import { api } from '../api';
 
 interface DashboardProps {
     selectedDesign: string;
@@ -17,10 +17,8 @@ export const Dashboard: React.FC<DashboardProps> = ({ selectedDesign }) => {
         if (!selectedDesign) return;
         setLoading(true);
 
-        const API_BASE_URL = (import.meta.env.VITE_API_BASE_URL || 'http://localhost:7860').replace(/\/$/, '');
-
         // Fetch Quick Metrics
-        axios.get(`${API_BASE_URL}/metrics/${selectedDesign}`)
+        api.get(`/metrics/${selectedDesign}`)
             .then(res => {
                 if (res.data.metrics) setMetrics(res.data.metrics);
             })
@@ -29,7 +27,7 @@ export const Dashboard: React.FC<DashboardProps> = ({ selectedDesign }) => {
             });
 
         // Fetch Full LLM Signoff Report
-        axios.get(`${API_BASE_URL}/signoff/${selectedDesign}`)
+        api.get(`/signoff/${selectedDesign}`)
             .then(res => {
                 setSignoffData({ report: res.data.report, pass: res.data.success });
             })
@@ -39,7 +37,7 @@ export const Dashboard: React.FC<DashboardProps> = ({ selectedDesign }) => {
             .finally(() => setLoading(false));
 
         // Fetch recent jobs
-        axios.get(`${API_BASE_URL}/jobs`)
+        api.get(`/jobs`)
             .then(res => {
                 const jobs = (res.data?.jobs || [])
                     .filter((j: any) => j.design_name === selectedDesign)

web/src/pages/DesignStudio.tsx

@@ -1,11 +1,9 @@
 import { useState, useEffect, useRef } from 'react';
 import { motion, AnimatePresence } from 'framer-motion';
-import axios from 'axios';
 import { BuildMonitor } from '../components/BuildMonitor';
 import { ChipSummary } from '../components/ChipSummary';
 import { fetchEventSource } from '@microsoft/fetch-event-source';
-
-const API = (import.meta.env.VITE_API_BASE_URL || 'http://localhost:7860').replace(/\/$/, '');
+import { api, API_BASE } from '../api';
 
 type Phase = 'prompt' | 'building' | 'done';
 
@@ -80,7 +78,7 @@ export const DesignStudio = () => {
         if (!prompt.trim()) return;
         setError('');
         try {
-            const res = await axios.post(`${API}/build`, {
+            const res = await api.post(`/build`, {
                 design_name: designName || slugify(prompt),
                 description: prompt,
                 skip_openlane: skipOpenlane,
@@ -123,7 +121,7 @@ export const DesignStudio = () => {
         // (server replays all events from the beginning on each connection)
         setEvents([]);
 
-        fetchEventSource(`${API}/build/stream/${jid}`, {
+        fetchEventSource(`${API_BASE}/build/stream/${jid}`, {
             method: 'GET',
             headers: {
                 'ngrok-skip-browser-warning': 'true',
@@ -160,7 +158,7 @@ export const DesignStudio = () => {
     const fetchResult = async (jid: string, status: string) => {
         setJobStatus(status === 'done' ? 'done' : 'failed');
         try {
-            const res = await axios.get(`${API}/build/result/${jid}`);
+            const res = await api.get(`/build/result/${jid}`);
             setResult(res.data.result);
         } catch { /* result might not exist if failed early */ }
         setPhase('done');
@@ -190,7 +188,7 @@ export const DesignStudio = () => {
         if ('Notification' in window && Notification.permission === 'default') {
             Notification.requestPermission();
         }
-        axios.get(`${API}/pipeline/schema`)
+        api.get(`/pipeline/schema`)
             .then(res => setStageSchema(res.data?.stages || []))
             .catch(() => setStageSchema([]));
         return () => abortCtrlRef.current?.abort();

web/src/pages/Documentation.tsx

@@ -1,9 +1,7 @@
 import { useEffect, useMemo, useState, useRef, useCallback } from 'react';
-import axios from 'axios';
 import ReactMarkdown from 'react-markdown';
 import remarkGfm from 'remark-gfm';
-
-const API = (import.meta.env.VITE_API_BASE_URL || 'http://localhost:7860').replace(/\/$/, '');
+import { api } from '../api';
 
 interface DocItem {
   id: string;
@@ -66,9 +64,9 @@ export const Documentation = () => {
     const loadIndex = async () => {
       try {
         const [docsRes, optionsRes, schemaRes] = await Promise.all([
-          axios.get(`${API}/docs/index`),
-          axios.get(`${API}/build/options`),
-          axios.get(`${API}/pipeline/schema`),
+          api.get(`/docs/index`),
+          api.get(`/build/options`),
+          api.get(`/pipeline/schema`),
         ]);
         const docsData: DocItem[] = docsRes.data?.docs || [];
         setDocs(docsData);
@@ -88,7 +86,7 @@ export const Documentation = () => {
   useEffect(() => {
     if (!selectedDoc) return;
     setLoading(true);
-    axios.get(`${API}/docs/content/${selectedDoc}`)
+    api.get(`/docs/content/${selectedDoc}`)
       .then((res) => {
         setDocTitle(res.data?.title || selectedDoc);
         setContent(res.data?.content || 'No content available.');

web/src/pages/HumanInLoopBuild.tsx

@@ -1,13 +1,11 @@
 import { useState, useEffect, useRef } from 'react';
-import axios from 'axios';
 import { fetchEventSource } from '@microsoft/fetch-event-source';
 import { ActivityFeed } from '../components/ActivityFeed';
 import { StageProgressBar } from '../components/StageProgressBar';
 import { ApprovalCard } from '../components/ApprovalCard';
+import { api, API_BASE } from '../api';
 import '../hitl.css';
 
-const API = (import.meta.env.VITE_API_BASE_URL || 'http://localhost:7860').replace(/\/$/, '');
-
 const PIPELINE_STAGES = [
     'INIT', 'SPEC', 'RTL_GEN', 'RTL_FIX', 'VERIFICATION', 'FORMAL_VERIFY',
     'COVERAGE_CHECK', 'REGRESSION', 'SDC_GEN', 'FLOORPLAN', 'HARDENING',
@@ -136,7 +134,7 @@ export const HumanInLoopBuild = () => {
         const effectiveSkipOpenlane = buildMode === 'quick' || skipOpenlane;
         const effectiveSkipCoverage = skipCoverage || skipStages.has('COVERAGE_CHECK');
         try {
-            const res = await axios.post(`${API}/build`, {
+            const res = await api.post(`/build`, {
                 design_name: designName || slugify(prompt),
                 description: prompt,
                 skip_openlane: effectiveSkipOpenlane,
@@ -169,7 +167,7 @@ export const HumanInLoopBuild = () => {
         abortCtrlRef.current = ctrl;
         setEvents([]);
 
-        fetchEventSource(`${API}/build/stream/${jid}`, {
+        fetchEventSource(`${API_BASE}/build/stream/${jid}`, {
             method: 'GET',
             headers: {
                 'ngrok-skip-browser-warning': 'true',
@@ -259,13 +257,13 @@ export const HumanInLoopBuild = () => {
     const fetchResult = async (jid: string, status: string) => {
         setJobStatus(status === 'done' ? 'done' : 'failed');
         try {
-            const res = await axios.get(`${API}/build/result/${jid}`);
+            const res = await api.get(`/build/result/${jid}`);
             setResult(res.data.result);
         } catch { /* */ }
         // On failure, fetch partial artifacts from disk
         if (status !== 'done' && designName) {
             try {
-                const artRes = await axios.get(`${API}/build/artifacts/${designName}`);
+                const artRes = await api.get(`/build/artifacts/${designName}`);
                 setPartialArtifacts(artRes.data.artifacts || []);
             } catch { /* */ }
         }
@@ -276,7 +274,7 @@ export const HumanInLoopBuild = () => {
         if (!approvalData || isSubmitting) return;
         setIsSubmitting(true);
         try {
-            await axios.post(`${API}/approve`, {
+            await api.post(`/approve`, {
                 stage: approvalData.stage_name,
                 design_name: designName,
             });
@@ -309,7 +307,7 @@ export const HumanInLoopBuild = () => {
         if (!approvalData || isSubmitting) return;
         setIsSubmitting(true);
         try {
-            await axios.post(`${API}/reject`, {
+            await api.post(`/reject`, {
                 stage: approvalData.stage_name,
                 design_name: designName,
                 feedback: feedback || undefined,
@@ -370,7 +368,7 @@ export const HumanInLoopBuild = () => {
     const handleCancel = async () => {
         if (abortCtrlRef.current) abortCtrlRef.current.abort();
         if (jobId) {
-            try { await axios.post(`${API}/build/cancel/${jobId}`); } catch { /* */ }
+            try { await api.post(`/build/cancel/${jobId}`); } catch { /* */ }
         }
         handleReset();
     };
@@ -719,7 +717,7 @@ export const HumanInLoopBuild = () => {
                                                                 {a.size > 1024 ? `${(a.size / 1024).toFixed(1)} KB` : `${a.size} B`}
                                                             </span>
                                                             <a
-                                                                href={`${API}/build/artifacts/${designName}/${encodeURIComponent(a.name)}`}
+                                                                href={`${API_BASE}/build/artifacts/${designName}/${encodeURIComponent(a.name)}`}
                                                                 className="hitl-fail-artifact-dl"
                                                                 download
                                                             >