Enforce plan limits across entire app and fix cold starts

Backend:
- Gate audit endpoints behind "admin" feature (Pro/Business only)
- Gate danger zone (wipe-logs, full-reset) behind "admin" feature
- Enforce camera cap during node registration (skip new cameras over limit)
- Persist org plan in DB via webhooks for API-key-auth lookups
- Add get_plan_limits_for_org() helper for non-JWT endpoints

Frontend:
- Add reusable UpgradeModal with plan comparison table
- Admin page shows upgrade prompt for free tier users
- Settings: Add Node button shows UpgradeModal when at node limit
- Settings: Danger zone locked with upgrade prompt for free tier
- Dashboard: Camera limit banners trigger UpgradeModal
- Dashboard: Warning banner at 80% camera capacity

Infrastructure:
- Disable auto_stop_machines (was "stop", now "off") to eliminate
  cold start delays for this always-on security camera app

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Author: Sbussiso

backend/app/api/audit.py

@@ -1,6 +1,6 @@
 from datetime import datetime, timedelta
 from typing import Optional
-from fastapi import APIRouter, Depends, Query
+from fastapi import APIRouter, Depends, HTTPException, Query
 from sqlalchemy.orm import Session
 
 from app.core.database import get_db
@@ -10,6 +10,15 @@
 router = APIRouter(prefix="/api", tags=["audit"])
 
 
+def _require_admin_feature(user: AuthUser):
+    """Raise 403 if the org's plan doesn't include the admin feature."""
+    if "admin" not in user.features:
+        raise HTTPException(
+            status_code=403,
+            detail="Audit dashboard requires a Pro or Business plan. Upgrade at /pricing.",
+        )
+
+
 @router.get("/audit/stream-logs")
 async def get_stream_logs(
     camera_id: Optional[str] = None,
@@ -24,6 +33,7 @@ async def get_stream_logs(
     Only org admins can access this endpoint.
     Logs are automatically cleaned up after the retention period.
     """
+    _require_admin_feature(admin)
     query = db.query(StreamAccessLog).filter(StreamAccessLog.org_id == admin.org_id)
 
     if camera_id:
@@ -62,6 +72,7 @@ async def get_stream_stats(
     Get stream access statistics for the admin's organization.
     Returns counts by camera, user, and day.
     """
+    _require_admin_feature(admin)
     from sqlalchemy import func
 
     since = datetime.utcnow() - timedelta(days=days)

backend/app/api/cameras.py

@@ -432,6 +432,11 @@ async def wipe_stream_logs(
     db: Session = Depends(get_db),
 ):
     """Permanently delete all stream access logs for this organization."""
+    if "admin" not in user.features:
+        raise HTTPException(
+            status_code=403,
+            detail="Danger zone requires a Pro or Business plan.",
+        )
     from app.models import StreamAccessLog
 
     count = db.query(StreamAccessLog).filter_by(org_id=user.org_id).delete()
@@ -449,6 +454,11 @@ async def full_reset(
     Full organization reset: wipe all nodes (with CloudNode notification),
     delete Tigris storage, clear stream logs, clear settings.
     """
+    if "admin" not in user.features:
+        raise HTTPException(
+            status_code=403,
+            detail="Danger zone requires a Pro or Business plan.",
+        )
     from app.models import StreamAccessLog, CameraNode
     from app.services.storage import get_storage
 

backend/app/api/nodes.py

@@ -8,7 +8,7 @@
 from app.core.database import get_db
 from app.core.auth import AuthUser, require_admin, get_current_user
 from app.core.limiter import limiter
-from app.core.plans import get_plan_limits, get_plan_display_name
+from app.core.plans import get_plan_limits, get_plan_limits_for_org, get_plan_display_name
 from app.models.models import CameraNode, Camera
 from app.schemas.schemas import NodeRegister, NodeHeartbeat, CameraReport, NodeCreate
 from app.services.storage import get_storage
@@ -92,8 +92,14 @@ async def register_node(
             existing_node.audio_codec = data.audio_codec
             existing_node.codec_detected_at = datetime.utcnow()
 
+        # Enforce camera cap: count existing org cameras vs plan limit
+        org_id = existing_node.org_id
+        limits = get_plan_limits_for_org(db, org_id)
+        current_cameras = db.query(Camera).filter_by(org_id=org_id).count()
+
         # Map device_path to camera_id for response
         camera_mapping = {}
+        new_camera_count = 0
 
         for cam_data in data.cameras or []:
             # Generate camera_id from node_id and device_path
@@ -122,6 +128,15 @@ async def register_node(
                     existing_cam.video_codec = data.video_codec
                     existing_cam.audio_codec = data.audio_codec
             else:
+                # Check camera cap before creating
+                if current_cameras + new_camera_count >= limits["max_cameras"]:
+                    plan_name = get_plan_display_name(limits.get("_plan", "free_org"))
+                    logger.warning(
+                        "Camera limit reached for org %s (%d/%d on %s plan), skipping camera %s",
+                        org_id, current_cameras + new_camera_count, limits["max_cameras"], plan_name, camera_id,
+                    )
+                    continue
+
                 logger.debug("Creating new camera %s", camera_id)
                 new_cam = Camera(
                     camera_id=camera_id,
@@ -139,6 +154,7 @@ async def register_node(
                     codec_detected_at=datetime.utcnow() if data.video_codec else None,
                 )
                 db.add(new_cam)
+                new_camera_count += 1
 
         # Remove stale camera records that are no longer reported by this node.
         # This handles cases where old camera_ids (e.g. with spaces) linger after

backend/app/api/webhooks.py

@@ -1,8 +1,11 @@
 import logging
-from fastapi import APIRouter, Request, HTTPException, status
+from fastapi import APIRouter, Request, HTTPException, status, Depends
+from sqlalchemy.orm import Session
 from svix.webhooks import Webhook, WebhookVerificationError
 from app.core.config import settings
 from app.core.clerk import clerk
+from app.core.database import get_db
+from app.models.models import Setting
 
 logger = logging.getLogger(__name__)
 
@@ -35,7 +38,7 @@ def get_active_plan_slug(items: list) -> str:
 
 
 @router.post("/clerk")
-async def clerk_webhook(request: Request):
+async def clerk_webhook(request: Request, db: Session = Depends(get_db)):
     payload = await request.body()
     headers = dict(request.headers)
 
@@ -61,6 +64,8 @@ async def clerk_webhook(request: Request):
             plan_slug = get_active_plan_slug(data.get("items", []))
             limit = PLAN_MEMBER_LIMITS.get(plan_slug, PLAN_MEMBER_LIMITS["free_org"])
             set_org_member_limit(org_id, limit)
+            # Persist plan in DB so API-key-authenticated endpoints can look it up
+            Setting.set(db, org_id, "org_plan", plan_slug)
             logger.info("Org %s subscription active on plan '%s'", org_id, plan_slug)
 
     # ── Payment failure ─────────────────────────────────────────────
@@ -78,6 +83,7 @@ async def clerk_webhook(request: Request):
             # Clerk auto-assigns the free default plan on cancellation,
             # so the JWT pla claim will revert. Just reset member limit.
             set_org_member_limit(org_id, PLAN_MEMBER_LIMITS["free_org"])
+            Setting.set(db, org_id, "org_plan", "free_org")
             logger.info("Org %s subscription canceled — reverted to free limits", org_id)
 
     # ── Free trial ending soon ──────────────────────────────────────

backend/app/core/plans.py

@@ -28,6 +28,21 @@ def get_plan_limits(plan: str) -> dict:
     return PLAN_LIMITS.get(plan, PLAN_LIMITS["free_org"])
 
 
+def get_plan_limits_for_org(db, org_id: str) -> dict:
+    """Look up an org's plan from the database and return its limits.
+
+    Used by endpoints that authenticate via API key (e.g. node registration)
+    where JWT claims are not available.  The plan is stored as a Setting
+    by the Clerk webhook handler whenever a subscription changes.
+    """
+    from app.models.models import Setting
+
+    plan = Setting.get(db, org_id, "org_plan", "free_org")
+    limits = get_plan_limits(plan)
+    # Attach the plan slug so callers can show a display name
+    return {**limits, "_plan": plan}
+
+
 def get_plan_display_name(plan: str) -> str:
     """Human-readable plan name."""
     names = {

fly.toml

@@ -21,7 +21,7 @@ primary_region = "sjc"
 [http_service]
   internal_port = 8000
   force_https = true
-  auto_stop_machines = "stop"
+  auto_stop_machines = "off"
   auto_start_machines = true
   min_machines_running = 1
   processes = ["app"]

frontend/src/components/UpgradeModal.jsx

@@ -0,0 +1,106 @@
+import { Link } from "react-router-dom"
+
+const UPGRADE_MESSAGES = {
+  nodes: {
+    title: "Node Limit Reached",
+    icon: "🖥️",
+    description: "You've hit the maximum number of camera nodes on your current plan.",
+    benefit: "Upgrade to connect more nodes and expand your security coverage.",
+  },
+  cameras: {
+    title: "Camera Limit Reached",
+    icon: "📹",
+    description: "You've reached the maximum number of cameras for your plan.",
+    benefit: "Upgrade to monitor more cameras across all your locations.",
+  },
+  admin: {
+    title: "Pro Feature",
+    icon: "📊",
+    description: "The Admin Dashboard with stream access logs and analytics is a Pro feature.",
+    benefit: "Upgrade to get full visibility into who's accessing your streams.",
+  },
+  "danger-zone": {
+    title: "Pro Feature",
+    icon: "⚙️",
+    description: "Advanced management tools like log wiping and full resets are Pro features.",
+    benefit: "Upgrade for complete control over your organization data.",
+  },
+}
+
+const PLAN_COMPARISON = [
+  { label: "Cameras", free: "2", pro: "10", business: "50" },
+  { label: "Nodes", free: "1", pro: "5", business: "Unlimited" },
+  { label: "Admin Dashboard", free: false, pro: true, business: true },
+  { label: "Stream Analytics", free: false, pro: true, business: true },
+  { label: "Danger Zone Tools", free: false, pro: true, business: true },
+  { label: "Priority Support", free: false, pro: false, business: true },
+]
+
+function UpgradeModal({ isOpen, onClose, feature, currentPlan }) {
+  if (!isOpen) return null
+
+  const msg = UPGRADE_MESSAGES[feature] || UPGRADE_MESSAGES.nodes
+  const planName = currentPlan === "free_org" ? "Free" : currentPlan === "pro" ? "Pro" : "Business"
+
+  return (
+    <div className="modal-overlay" onClick={onClose}>
+      <div className="modal-content upgrade-modal" onClick={(e) => e.stopPropagation()}>
+        <div className="modal-header">
+          <h2>{msg.title}</h2>
+          <button className="modal-close" onClick={onClose}>&times;</button>
+        </div>
+
+        <div className="modal-body">
+          <div className="upgrade-modal-hero">
+            <div className="upgrade-modal-icon">{msg.icon}</div>
+            <p className="upgrade-modal-desc">{msg.description}</p>
+            <p className="upgrade-modal-benefit">{msg.benefit}</p>
+            <div className="upgrade-modal-current">
+              Currently on the <strong>{planName}</strong> plan
+            </div>
+          </div>
+
+          <div className="upgrade-comparison">
+            <table className="comparison-table">
+              <thead>
+                <tr>
+                  <th></th>
+                  <th className={currentPlan === "free_org" ? "current-col" : ""}>Free</th>
+                  <th className={currentPlan === "pro" ? "current-col" : "highlight-col"}>Pro</th>
+                  <th className={currentPlan === "business" ? "current-col" : ""}>Business</th>
+                </tr>
+              </thead>
+              <tbody>
+                {PLAN_COMPARISON.map((row) => (
+                  <tr key={row.label}>
+                    <td className="comparison-label">{row.label}</td>
+                    <td className={currentPlan === "free_org" ? "current-col" : ""}>
+                      {typeof row.free === "boolean" ? (row.free ? "✓" : "—") : row.free}
+                    </td>
+                    <td className={currentPlan === "pro" ? "current-col" : "highlight-col"}>
+                      {typeof row.pro === "boolean" ? (row.pro ? "✓" : "—") : row.pro}
+                    </td>
+                    <td className={currentPlan === "business" ? "current-col" : ""}>
+                      {typeof row.business === "boolean" ? (row.business ? "✓" : "—") : row.business}
+                    </td>
+                  </tr>
+                ))}
+              </tbody>
+            </table>
+          </div>
+
+          <div className="modal-actions">
+            <button className="btn btn-secondary" onClick={onClose}>
+              Maybe Later
+            </button>
+            <Link to="/pricing" className="btn btn-primary" onClick={onClose}>
+              View Plans
+            </Link>
+          </div>
+        </div>
+      </div>
+    </div>
+  )
+}
+
+export default UpgradeModal