feat(api): catch-all router, modular handlers, wallet slug route

- Add api/[...path].ts dispatcher and api/_handlers/* for serverless routes
- Consolidate envelope helpers under api/_lib; add api/wallet/[slug].ts
- Remove legacy flat api/*.ts and api/wallet/* entrypoints
- Update vercel.json, README, backlog, GCP KMS/auth docs
- Add security/wallet design texts; Datadog process export script; ignore local export file

Made-with: Cursor

Author: anriltine

.gitignore

@@ -49,6 +49,9 @@ app-example
 # local scratch / temp
 .tmp/
 
+# Datadog: local process export (scripts/datadog-export-processes.ps1)
+dd-processes-sample.txt
+
 .vercel
 
 # Terraform / GCP (local state and SA keys)

README.md

@@ -97,6 +97,7 @@ Before local deploy / cloud deploy, prepare these env-backed services:
      - `DATABASE_URL`
      - `OPENAI_API_KEY`
      - `BOT_TOKEN` (or `TELEGRAM_BOT_TOKEN`)
+     - Optional — **Google Cloud KMS** (wallet envelope API): **`GCP_SERVICE_ACCOUNT_JSON`** — see [below](#gcp_service_account_json-google-cloud-kms).
    - Pull envs locally when needed with `vercel env pull .env.local`.
 5. **Vercel CLI login (required for `npm run start`)**  
    The default dev command runs **`vercel dev`** (local API). That needs a **valid Vercel CLI session**, not only project env vars in the dashboard.
@@ -105,6 +106,35 @@ Before local deploy / cloud deploy, prepare these env-backed services:
    - From the repo root, run **`vercel link`** if prompted so this directory is tied to your Vercel project (team/project scope).
    - If you see **`The specified token is not valid`**, your stored token expired or was revoked: run **`vercel login`** again to refresh it. Do not set a broken **`VERCEL_TOKEN`** in `.env` unless it is a current deploy token from the Vercel dashboard.
 
+### GCP_SERVICE_ACCOUNT_JSON (Google Cloud KMS)
+
+Serverless routes under [`api/`](./api) that call **Cloud KMS** (wallet envelope KEK) read credentials from the env var **`GCP_SERVICE_ACCOUNT_JSON`**. The value must be the **full JSON object** of a Google Cloud **service account key** whose identity is allowed to use the KMS crypto key (see [`infra/gcp/kms.env.example`](./infra/gcp/kms.env.example)). The app passes this JSON in-process to the Google client — **no** key file is required on Vercel.
+
+**How to get the JSON**
+
+1. Open [Google Cloud Console](https://console.cloud.google.com/), select project **`hyperlinksspacebot`**.
+2. Go to **IAM & Admin → Service Accounts** and open **`wallet-kms-unwrap@hyperlinksspacebot.iam.gserviceaccount.com`** (the account permitted for your key; adjust if you use a different project or SA).
+3. **Keys → Add key → Create new key → JSON**. A `.json` file downloads.
+
+   **CLI alternative** (with [`gcloud`](https://cloud.google.com/sdk/gcloud) installed and authorized):
+
+   ```bash
+   gcloud iam service-accounts keys create ./wallet-kms-unwrap-sa-key.json \
+     --iam-account=wallet-kms-unwrap@hyperlinksspacebot.iam.gserviceaccount.com \
+     --project=hyperlinksspacebot
+   ```
+
+**What to put in `GCP_SERVICE_ACCOUNT_JSON`**
+
+- The **entire file contents** of that key — the single JSON object with `"type": "service_account"`, `"client_email"`, `"private_key"`, etc. Paste into Vercel as one variable (minified or multi-line per the dashboard; the value must remain valid JSON).
+
+**Where to configure**
+
+- **Vercel (production):** Project → **Settings → Environment Variables** → add **`GCP_SERVICE_ACCOUNT_JSON`**, assign to **Production** (and **Preview** if needed), **Redeploy** so serverless functions see the new value.
+- **Local dev:** Prefer a file and `GOOGLE_APPLICATION_CREDENTIALS`, or put the same JSON string in `.env.local` — details in [`infra/gcp/backend-authentication.md`](./infra/gcp/backend-authentication.md).
+
+The downloaded key is a **secret** (like a password): do **not** commit it to git; add `wallet-kms-unwrap-sa-key.json` to `.gitignore` if you keep a local copy.
+
 Copy env template locally:
 
 ```bash

api/[...path].ts

@@ -0,0 +1,94 @@
+/**
+ * Single Vercel serverless entry for all /api/* routes (Hobby plan function limit).
+ * Concrete handlers live in api/_handlers/* (private — not deployed as separate routes).
+ */
+
+import aiHandler from './_handlers/ai.js';
+import blockchainHandler from './_handlers/blockchain.js';
+import botHandler from './_handlers/bot.js';
+import pingHandler from './_handlers/ping.js';
+import releasesHandler from './_handlers/releases.js';
+import telegramHandler from './_handlers/telegram.js';
+import walletEnvelopePingHandler from './_handlers/wallet-envelope-ping.js';
+import walletEnvelopeProbeHandler from './_handlers/wallet-envelope-probe.js';
+import walletEnvelopeRoundtripHandler from './_handlers/wallet-envelope-roundtrip.js';
+
+type NodeRes = {
+  setHeader(name: string, value: string): void;
+  status(code: number): void;
+  end(body?: string): void;
+};
+
+type ApiHandler = (
+  request: Request,
+  res?: NodeRes,
+) => Promise<Response | void>;
+
+const ROUTES: Record<string, ApiHandler> = {
+  ping: pingHandler as ApiHandler,
+  bot: botHandler as ApiHandler,
+  ai: aiHandler as ApiHandler,
+  blockchain: blockchainHandler as ApiHandler,
+  telegram: telegramHandler as ApiHandler,
+  releases: releasesHandler as ApiHandler,
+  'wallet-envelope-ping': walletEnvelopePingHandler as ApiHandler,
+  'wallet-envelope-probe': walletEnvelopeProbeHandler as ApiHandler,
+  'wallet-envelope-roundtrip': walletEnvelopeRoundtripHandler as ApiHandler,
+  /** Public short paths from vercel.json rewrites (request URL may still show these segments). */
+  kmsping: walletEnvelopePingHandler as ApiHandler,
+  kmsprobe: walletEnvelopeProbeHandler as ApiHandler,
+  'kms-roundtrip': walletEnvelopeRoundtripHandler as ApiHandler,
+  'kms/ping': walletEnvelopePingHandler as ApiHandler,
+  'kms-ping': walletEnvelopePingHandler as ApiHandler,
+};
+
+function routeKeyFromUrl(request: Request): string {
+  const raw = request.url;
+  if (!raw) return '';
+  let pathname: string;
+  try {
+    pathname = new URL(raw).pathname;
+  } catch {
+    pathname = raw.split('?')[0] ?? '';
+  }
+  const segments = pathname
+    .replace(/^\/api\/?/i, '')
+    .split('/')
+    .filter(Boolean);
+  return segments.join('/');
+}
+
+async function router(
+  request: Request,
+  res?: NodeRes,
+): Promise<Response | void> {
+  const key = routeKeyFromUrl(request);
+  const handler = ROUTES[key];
+  if (!handler) {
+    const body = JSON.stringify({
+      ok: false,
+      error: 'not_found',
+      path: key || '(empty)',
+      hint: 'All API routes are served from this single function; see api/_handlers/',
+    });
+    if (res) {
+      res.setHeader('Content-Type', 'application/json; charset=utf-8');
+      res.status(404);
+      res.end(body);
+      return;
+    }
+    return new Response(body, {
+      status: 404,
+      headers: { 'Content-Type': 'application/json; charset=utf-8' },
+    });
+  }
+  return handler(request, res);
+}
+
+export default router;
+export const GET = router;
+export const POST = router;
+export const OPTIONS = router;
+export const PUT = router;
+export const PATCH = router;
+export const DELETE = router;

api/ai.ts api/_handlers/ai.tsapi/ai.ts renamed to api/_handlers/ai.ts

@@ -8,7 +8,7 @@
  * - Legacy Node style (req, res)
  */
 
-import { transmit, type AiRequest } from "../ai/transmitter.js";
+import { transmit, type AiRequest } from "../../ai/transmitter.js";
 
 type NodeRes = {
   setHeader(name: string, value: string): void;

api/blockchain.ts api/_handlers/blockchain.tsapi/blockchain.ts renamed to api/_handlers/blockchain.ts

@@ -7,7 +7,7 @@
  * - Legacy Node style (req, res)
  */
 
-import { handleBlockchainRequest } from "../blockchain/router.js";
+import { handleBlockchainRequest } from "../../blockchain/router.js";
 
 type NodeRes = {
   setHeader(name: string, value: string): void;

api/bot.ts api/_handlers/bot.tsapi/bot.ts renamed to api/_handlers/bot.ts

@@ -1,11 +1,11 @@
 /**
- * Vercel API route: named GET/POST so Telegram webhook POST is handled.
- * Forwards to app/bot/webhook so only this file is a route (avoids 12-function limit).
+ * Telegram webhook: GET/POST forwarded to bot/webhook.
+ * Mounted from api/[...path].ts (single Vercel serverless function).
  */
 import webhookHandler, {
   type NodeReq,
   type NodeRes,
-} from '../bot/webhook.js';
+} from '../../bot/webhook.js';
 
 async function handler(
   request: Request | NodeReq,

api/ping.ts api/_handlers/ping.tsapi/ping.ts renamed to api/_handlers/ping.ts

@@ -39,7 +39,7 @@ async function handler(
     return new Response('Method Not Allowed', { status: 405 });
   }
   try {
-    const { handlePost } = await import('../telegram/post.js');
+    const { handlePost } = await import('../../telegram/post.js');
     const response = await handlePost(request);
     if (res) {
       res.status(response.status);

api/releases.ts api/_handlers/releases.tsapi/releases.ts renamed to api/_handlers/releases.ts

@@ -9,11 +9,13 @@
  */
 
 import {
+  getKmsCredentialSource,
   getKmsKeyName,
   getKmsUsesRestTransport,
   hasExplicitKmsJsonCredentials,
+  parseGcpServiceAccountJson,
   resolveServiceAccountKeyPath,
-} from './lib/envelope-env.js';
+} from '../_lib/envelope-env.js';
 
 const JSON_HEADERS = { 'Content-Type': 'application/json' };
 
@@ -82,14 +84,20 @@ async function handler(
 
   if (url.searchParams.get('diag') === '1') {
     const keyPath = resolveServiceAccountKeyPath();
+    const jsonParse = parseGcpServiceAccountJson();
     return sendJson(
       res,
       {
         ok: true,
         diag: true,
         cwd: process.cwd(),
         vercelEnv: process.env.VERCEL_ENV ?? null,
+        credentialSource: getKmsCredentialSource(),
         hasGcpServiceAccountJson: hasExplicitKmsJsonCredentials(),
+        gcpServiceAccountJson:
+          jsonParse.ok ? 'ok' : jsonParse.error === 'missing' ? 'absent' : 'invalid',
+        gcpServiceAccountJsonError:
+          jsonParse.ok || jsonParse.error === 'missing' ? null : jsonParse.message,
         resolvedKeyPath: keyPath ?? null,
         keyFileExists: Boolean(keyPath),
         kmsTransport: getKmsUsesRestTransport() ? 'rest' : 'grpc',
@@ -114,7 +122,7 @@ async function handler(
         ok: false,
         error: 'wrong_route',
         message:
-          'KMS lives in api/wallet-envelope-roundtrip.ts (public /api/kms-roundtrip). Call:',
+          'KMS lives in route wallet-envelope-roundtrip / public /api/kms-roundtrip. Call:',
         url: dest.toString(),
         curl: `curl -s --max-time 120 "${dest.toString()}"`,
       },
@@ -127,9 +135,9 @@ async function handler(
     {
       ok: true,
       usage: true,
-      handler: 'api/wallet-envelope-ping.ts',
+      handler: 'api/[...path].ts (wallet-envelope-ping)',
       message:
-        'KMS crypto is in api/wallet-envelope-roundtrip.ts; lib uses envelope-*.ts paths for vercel dev.',
+        'KMS crypto is in route wallet-envelope-roundtrip (api/[...path].ts); shared code in api/_lib/envelope-*.ts.',
       try: {
         probe: '/api/kmsping?probe=1',
         diag: '/api/kmsping?diag=1',