@anton.andrusenko/shopify-mcp-admin 2.3.0 → 2.4.0

package/dist/index.js

@@ -1,5 +1,6 @@
 #!/usr/bin/env node
 import {
+  captureError,
   clearFallbackContext,
   correlationMiddleware,
   createLogger,
@@ -18,6 +19,7 @@ import {
   getStorePolicies,
   getStoreShipping,
   getStoreTaxes,
+  getToolExecutionLogger,
   initSentry,
   isMultiTenantContext,
   registerAllTools,
@@ -28,21 +30,22 @@ import {
   setCurrentContextKey,
   setFallbackContext,
   validateShopifyToken
-} from "./chunk-RBXQOPVF.js";
+} from "./chunk-UMNIRP6T.js";
 import {
   disconnectPrisma,
   getPrismaClient,
   prisma,
-  sessionStore
-} from "./chunk-JU5IFCVJ.js";
+  sessionStore,
+  warmupDatabase
+} from "./chunk-CJXPHNYT.js";
 import {
   createJsonRpcError
-} from "./chunk-EQUN4XCH.js";
+} from "./chunk-H36XQ6QK.js";
 import {
   getConfig,
   log,
   sanitizeLogMessage
-} from "./chunk-5QMYOO4B.js";
+} from "./chunk-CZJ7LSEO.js";
 import {
   getShutdownDrainMs,
   isLazyLoadingEnabled,
@@ -1191,6 +1194,7 @@ var ApiKeyService = class {
 };
 
 // src/api/tenants.ts
+var logger2 = createLogger("api/tenants");
 var BCRYPT_COST_FACTOR = 12;
 var INITIAL_API_KEY_NAME = "Initial API Key";
 var registerSchema = z.object({
@@ -1307,7 +1311,7 @@ function createTenantsRouter(options) {
       };
       return res.status(201).json(response);
     } catch (error) {
-      console.error("[TENANT API] Registration error:", error);
+      logger2.error("Tenant registration failed", error instanceof Error ? error : void 0);
       return res.status(500).json({
         error: "Internal Server Error",
         message: "An unexpected error occurred during registration"
@@ -1347,7 +1351,9 @@ function createTenantsRouter(options) {
         createdAt: tenant.createdAt.toISOString()
       });
     } catch (error) {
-      console.error("[TENANT API] Get tenant error:", error);
+      logger2.error("Get tenant failed", error instanceof Error ? error : void 0, {
+        tenantId: req.tenantContext?.tenantId
+      });
       return res.status(500).json({
         error: "Internal Server Error",
         message: "An unexpected error occurred"
@@ -1411,7 +1417,9 @@ function createTenantsRouter(options) {
         updatedAt: updatedTenant.updatedAt.toISOString()
       });
     } catch (error) {
-      console.error("[TENANT API] Update tenant error:", error);
+      logger2.error("Update tenant failed", error instanceof Error ? error : void 0, {
+        tenantId: req.tenantContext?.tenantId
+      });
       return res.status(500).json({
         error: "Internal Server Error",
         message: "An unexpected error occurred"
@@ -1460,7 +1468,7 @@ function createTenantsRouter(options) {
         where: { id: tenantId },
         data: { passwordHash: newPasswordHash }
       });
-      const { sessionStore: sessionStore2 } = await import("./store-JK2ZU6DR.js");
+      const { sessionStore: sessionStore2 } = await import("./store-5NJBYK45.js");
       await sessionStore2.deleteByTenantId(tenantId);
       await auditLogger2.log(tenantId, {
         action: "tenant.password_change",
@@ -1469,7 +1477,9 @@ function createTenantsRouter(options) {
       });
       return res.status(204).send();
     } catch (error) {
-      console.error("[TENANT API] Password change error:", error);
+      logger2.error("Password change failed", error instanceof Error ? error : void 0, {
+        tenantId: req.tenantContext?.tenantId
+      });
       return res.status(500).json({
         error: "Internal Server Error",
         message: "An unexpected error occurred"
@@ -1641,9 +1651,67 @@ var CredentialEncryptionService = class _CredentialEncryptionService {
     }
     return rotatedCount;
   }
+  /**
+   * Validate encryption key on startup by testing decryption of existing tokens
+   *
+   * This should be called during server initialization to catch ENCRYPTION_KEY
+   * mismatches early, before users encounter "Request context not available" errors.
+   *
+   * @param prisma - Prisma client instance
+   * @returns Validation result with counts of successful/failed decryptions
+   *
+   * @example
+   * ```typescript
+   * const result = await cryptoService.validateEncryptionKeyOnStartup(prisma);
+   * if (result.failedCount > 0) {
+   *   log.error(`CRITICAL: ${result.failedCount} tokens cannot be decrypted!`);
+   *   // Alert Sentry, mark affected shops, etc.
+   * }
+   * ```
+   */
+  async validateEncryptionKeyOnStartup(prisma2) {
+    const result = {
+      totalCount: 0,
+      successCount: 0,
+      failedCount: 0,
+      failedShopIds: []
+    };
+    const tenantShops = await prisma2.tenantShop.findMany({
+      where: { uninstalledAt: null },
+      select: { id: true, shopDomain: true, encryptedAccessToken: true }
+    });
+    result.totalCount = tenantShops.length;
+    for (const shop of tenantShops) {
+      try {
+        this.decrypt(shop.encryptedAccessToken);
+        result.successCount++;
+      } catch {
+        result.failedCount++;
+        result.failedShopIds.push(shop.id);
+      }
+    }
+    return result;
+  }
+  /**
+   * Mark shops with decryption failures as needing re-authentication
+   *
+   * Called when validateEncryptionKeyOnStartup finds shops that can't be decrypted.
+   * Updates their tokenStatus to 'needs_reauth' so users get clear feedback.
+   *
+   * @param prisma - Prisma client instance
+   * @param shopIds - Array of shop IDs to mark
+   */
+  async markShopsAsNeedingReauth(prisma2, shopIds) {
+    if (shopIds.length === 0) return;
+    await prisma2.tenantShop.updateMany({
+      where: { id: { in: shopIds } },
+      data: { tokenStatus: "needs_reauth" }
+    });
+  }
 };
 
 // src/api/shops.ts
+var logger3 = createLogger("api/shops");
 var SHOP_DOMAIN_PATTERN = /^[a-zA-Z0-9][a-zA-Z0-9-]*\.myshopify\.com$/;
 var ACCESS_TOKEN_PATTERN = /^shp(at|ua)_[a-f0-9]+$/i;
 var manualConnectSchema = z2.object({
@@ -1759,7 +1827,9 @@ function createShopsRouter(options) {
       };
       return res.status(201).json(response);
     } catch (error) {
-      console.error("[SHOPS API] Connection error:", error);
+      logger3.error("Shop connection failed", error instanceof Error ? error : void 0, {
+        tenantId: req.tenantContext?.tenantId
+      });
       return res.status(500).json({
         error: "Internal Server Error",
         message: "An unexpected error occurred during shop connection"
@@ -1818,7 +1888,9 @@ function createShopsRouter(options) {
       });
       return res.json({ shops: shopList });
     } catch (error) {
-      console.error("[SHOPS API] List error:", error);
+      logger3.error("Shop listing failed", error instanceof Error ? error : void 0, {
+        tenantId: req.tenantContext?.tenantId
+      });
       return res.status(500).json({
         error: "Internal Server Error",
         message: "An unexpected error occurred while listing shops"
@@ -1871,7 +1943,10 @@ function createShopsRouter(options) {
       });
       return res.status(204).send();
     } catch (error) {
-      console.error("[SHOPS API] Disconnect error:", error);
+      logger3.error("Shop disconnect failed", error instanceof Error ? error : void 0, {
+        tenantId: req.tenantContext?.tenantId,
+        shopId: req.params.shopId
+      });
       return res.status(500).json({
         error: "Internal Server Error",
         message: "An unexpected error occurred while disconnecting shop"
@@ -1884,7 +1959,7 @@ function createShopsRouter(options) {
 // src/api/keys.ts
 import { Router as Router3 } from "express";
 import { z as z3 } from "zod";
-var logger2 = createLogger("api/keys");
+var logger4 = createLogger("api/keys");
 var DEFAULT_SCOPES = ["*"];
 var createKeySchema = z3.object({
   name: z3.string().min(1, "Name is required").max(100, "Name must be 100 characters or less"),
@@ -1938,7 +2013,9 @@ function createKeysRouter(options) {
       };
       return res.status(201).json(response);
     } catch (error) {
-      console.error("[KEYS API] Creation error:", error);
+      logger4.error("API key creation failed", error instanceof Error ? error : void 0, {
+        tenantId: req.tenantContext?.tenantId
+      });
       return res.status(500).json({
         error: "Internal Server Error",
         message: "An unexpected error occurred during key creation"
@@ -1976,13 +2053,120 @@ function createKeysRouter(options) {
       }));
       return res.json({ keys: keyList });
     } catch (error) {
-      console.error("[KEYS API] List error:", error);
+      logger4.error("API key listing failed", error instanceof Error ? error : void 0, {
+        tenantId: req.tenantContext?.tenantId
+      });
       return res.status(500).json({
         error: "Internal Server Error",
         message: "An unexpected error occurred while listing keys"
       });
     }
   });
+  router.get("/metrics/batch", async (req, res) => {
+    try {
+      const tenantId = req.tenantContext?.tenantId;
+      if (!tenantId) {
+        return res.status(401).json({
+          error: "Unauthorized",
+          message: "Tenant context not found"
+        });
+      }
+      const keys = await prisma2.apiKey.findMany({
+        where: {
+          tenantId,
+          revokedAt: null
+        },
+        select: { id: true }
+      });
+      if (keys.length === 0) {
+        return res.json({ metrics: {} });
+      }
+      let tableExists = true;
+      try {
+        await prisma2.$queryRaw`SELECT 1 FROM tool_execution_logs LIMIT 1`;
+      } catch (error) {
+        if (error instanceof Error && (error.message.includes("does not exist") || error.message.includes("relation") || error.message.includes("table"))) {
+          tableExists = false;
+        } else {
+          throw error;
+        }
+      }
+      if (!tableExists) {
+        const emptyMetrics = {};
+        for (const key of keys) {
+          emptyMetrics[key.id] = {
+            calls7d: 0,
+            calls30d: 0,
+            successRate: 0,
+            avgDurationMs: 0,
+            lastUsedAt: null
+          };
+        }
+        return res.json({ metrics: emptyMetrics });
+      }
+      const now = /* @__PURE__ */ new Date();
+      const sevenDaysAgo = new Date(now);
+      sevenDaysAgo.setDate(sevenDaysAgo.getDate() - 7);
+      const thirtyDaysAgo = new Date(now);
+      thirtyDaysAgo.setDate(thirtyDaysAgo.getDate() - 30);
+      const keyIds = keys.map((k) => k.id);
+      const queryStartTime = Date.now();
+      const metricsRaw = await prisma2.$queryRaw`
+        SELECT
+          api_key_id,
+          COUNT(*) FILTER (WHERE created_at >= ${sevenDaysAgo})::bigint AS calls_7d,
+          COUNT(*)::bigint AS calls_30d,
+          COUNT(*) FILTER (WHERE created_at >= ${sevenDaysAgo} AND status = 'SUCCESS')::bigint AS success_count_7d,
+          COUNT(*) FILTER (WHERE created_at >= ${sevenDaysAgo})::bigint AS total_count_7d,
+          AVG(duration_ms) FILTER (WHERE created_at >= ${sevenDaysAgo})::numeric AS avg_duration_ms,
+          MAX(created_at) AS last_used_at
+        FROM tool_execution_logs
+        WHERE tenant_id = ${tenantId}
+          AND api_key_id = ANY(${keyIds})
+          AND created_at >= ${thirtyDaysAgo}
+        GROUP BY api_key_id
+      `;
+      const metricsMap = {};
+      for (const key of keys) {
+        metricsMap[key.id] = {
+          calls7d: 0,
+          calls30d: 0,
+          successRate: 0,
+          avgDurationMs: 0,
+          lastUsedAt: null
+        };
+      }
+      for (const row of metricsRaw) {
+        const totalCount = Number(row.total_count_7d);
+        const successCount = Number(row.success_count_7d);
+        const successRate = totalCount > 0 ? successCount / totalCount * 100 : 0;
+        metricsMap[row.api_key_id] = {
+          calls7d: Number(row.calls_7d),
+          calls30d: Number(row.calls_30d),
+          successRate: Math.round(successRate * 10) / 10,
+          avgDurationMs: Math.round(row.avg_duration_ms ?? 0),
+          lastUsedAt: row.last_used_at?.toISOString() ?? null
+        };
+      }
+      const queryDuration = Date.now() - queryStartTime;
+      if (queryDuration > 500) {
+        logger4.warn("Batch API key metrics query exceeded 500ms", {
+          tenantId,
+          keyCount: keys.length,
+          durationMs: queryDuration
+        });
+      }
+      return res.json({ metrics: metricsMap });
+    } catch (error) {
+      logger4.error("batch metrics endpoint error", error, {
+        correlationId: req.headers["x-correlation-id"]
+      });
+      return res.status(500).json({
+        error: "Internal Server Error",
+        message: "Failed to compute API key metrics"
+      });
+    }
+  });
   router.get("/:keyId/metrics", async (req, res) => {
     try {
       const tenantId = req.tenantContext?.tenantId;
@@ -2007,6 +2191,25 @@ function createKeysRouter(options) {
           message: "API key not found"
         });
       }
+      let tableExists = true;
+      try {
+        await prisma2.$queryRaw`SELECT 1 FROM tool_execution_logs LIMIT 1`;
+      } catch (error) {
+        if (error instanceof Error && (error.message.includes("does not exist") || error.message.includes("relation") || error.message.includes("table"))) {
+          tableExists = false;
+        } else {
+          throw error;
+        }
+      }
+      if (!tableExists) {
+        return res.json({
+          calls7d: 0,
+          calls30d: 0,
+          successRate: 0,
+          avgDurationMs: 0,
+          lastUsedAt: null
+        });
+      }
       const now = /* @__PURE__ */ new Date();
       const sevenDaysAgo = new Date(now);
       sevenDaysAgo.setDate(sevenDaysAgo.getDate() - 7);
@@ -2066,7 +2269,7 @@ function createKeysRouter(options) {
       const successRate = totalCalls > 0 ? successCount / totalCalls * 100 : 0;
       const queryDuration = Date.now() - queryStartTime;
       if (queryDuration > 200) {
-        logger2.warn("API key metrics query exceeded 200ms", {
+        logger4.warn("API key metrics query exceeded 200ms", {
           keyId,
           tenantId,
           durationMs: queryDuration
@@ -2082,7 +2285,7 @@ function createKeysRouter(options) {
       };
       return res.json(response);
     } catch (error) {
-      logger2.error("metrics endpoint error", error, {
+      logger4.error("metrics endpoint error", error, {
         correlationId: req.headers["x-correlation-id"]
       });
       return res.status(500).json({
@@ -2125,7 +2328,10 @@ function createKeysRouter(options) {
       });
       return res.status(204).send();
     } catch (error) {
-      console.error("[KEYS API] Revocation error:", error);
+      logger4.error("API key revocation failed", error instanceof Error ? error : void 0, {
+        tenantId: req.tenantContext?.tenantId,
+        keyId: req.params.keyId
+      });
       return res.status(500).json({
         error: "Internal Server Error",
         message: "An unexpected error occurred during key revocation"
@@ -2143,6 +2349,7 @@ import bcrypt3 from "bcrypt";
 import { Router as Router4 } from "express";
 import rateLimit2 from "express-rate-limit";
 import { z as z4 } from "zod";
+var logger5 = createLogger("api/auth");
 var loginSchema = z4.object({
   email: z4.string().email("Invalid email format"),
   password: z4.string().min(1, "Password is required")
@@ -2261,7 +2468,7 @@ function createAuthRouter(_config) {
         }
       });
     } catch (error) {
-      console.error("[POST /auth/login] Unexpected error:", error);
+      logger5.error("Login failed", error instanceof Error ? error : void 0);
       res.status(500).json({
         error: "Internal Server Error",
         message: "An unexpected error occurred"
@@ -2325,7 +2532,7 @@ function createAuthRouter(_config) {
       }
       res.status(204).send();
     } catch (error) {
-      console.error("[POST /auth/logout] Unexpected error:", error);
+      logger5.error("Logout failed", error instanceof Error ? error : void 0);
       res.status(500).json({
         error: "Internal Server Error",
         message: "An unexpected error occurred"
@@ -2338,7 +2545,7 @@ function createAuthRouter(_config) {
 // src/api/activity.ts
 import { Router as Router5 } from "express";
 import { z as z5 } from "zod";
-var logger3 = createLogger("api/activity");
+var logger6 = createLogger("api/activity");
 var usageSummaryQuerySchema = z5.object({
   months: z5.coerce.number().int().min(1).max(24).default(6)
 });
@@ -2430,7 +2637,7 @@ function createActivityRouter() {
       };
       return res.json(response);
     } catch (error) {
-      logger3.error("usage-summary error", error);
+      logger6.error("usage-summary error", error);
       return res.status(500).json({
         error: "Internal Server Error",
         message: "Failed to compute usage summary"
@@ -2466,6 +2673,28 @@ function createActivityRouter() {
         startDate,
         endDate
       } = parsed.data;
+      let tableExists = true;
+      try {
+        await prisma2.$queryRaw`SELECT 1 FROM tool_execution_logs LIMIT 1`;
+      } catch (error) {
+        if (error instanceof Error && (error.message.includes("does not exist") || error.message.includes("relation") || error.message.includes("table"))) {
+          tableExists = false;
+        } else {
+          throw error;
+        }
+      }
+      if (!tableExists) {
+        const response2 = {
+          logs: [],
+          pagination: {
+            page,
+            limit,
+            total: 0,
+            hasMore: false
+          }
+        };
+        return res.json(response2);
+      }
       const where = {
         tenantId,
         ...toolName && { toolName },
@@ -2505,10 +2734,10 @@ function createActivityRouter() {
         prisma2.toolExecutionLog.count({ where })
       ]);
       const clientIds = /* @__PURE__ */ new Set();
-      logs.forEach((log3) => {
+      for (const log3 of logs) {
         if (log3.oauthClientId) clientIds.add(log3.oauthClientId);
         if (log3.apiKeyId) clientIds.add(log3.apiKeyId);
-      });
+      }
       const [oauthClients, apiKeys] = await Promise.all([
         clientIds.size > 0 && logs.some((log3) => log3.oauthClientId) ? prisma2.oAuthClient.findMany({
           where: {
@@ -2525,13 +2754,13 @@ function createActivityRouter() {
         }) : Promise.resolve([])
       ]);
       const clientNameMap = /* @__PURE__ */ new Map();
-      oauthClients.forEach((client) => {
+      for (const client of oauthClients) {
         clientNameMap.set(client.id, client.clientName);
-      });
-      apiKeys.forEach((key) => {
+      }
+      for (const key of apiKeys) {
         clientNameMap.set(key.id, key.name);
-      });
-      const responseLogs = logs.filter((log3) => log3.createdAt && !isNaN(new Date(log3.createdAt).getTime())).map((log3) => ({
+      }
+      const responseLogs = logs.filter((log3) => log3.createdAt && !Number.isNaN(new Date(log3.createdAt).getTime())).map((log3) => ({
         id: log3.id,
         toolName: log3.toolName,
         toolModule: log3.toolModule ?? void 0,
@@ -2553,7 +2782,7 @@ function createActivityRouter() {
       };
       return res.json(response);
     } catch (error) {
-      logger3.error("logs endpoint error", error, {
+      logger6.error("logs endpoint error", error, {
         correlationId: req.headers["x-correlation-id"]
       });
       return res.status(500).json({
@@ -2562,6 +2791,107 @@ function createActivityRouter() {
       });
     }
   });
+  router.get("/logs/:id", async (req, res) => {
+    try {
+      const tenantId = req.tenantContext?.tenantId;
+      if (!tenantId) {
+        return res.status(401).json({
+          error: "Unauthorized",
+          message: "Tenant context not found"
+        });
+      }
+      const logId = req.params.id;
+      const uuidRegex = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;
+      if (!uuidRegex.test(logId)) {
+        return res.status(400).json({
+          error: "Validation Error",
+          message: "Invalid log ID format"
+        });
+      }
+      let tableExists = true;
+      try {
+        await prisma2.$queryRaw`SELECT 1 FROM tool_execution_logs LIMIT 1`;
+      } catch {
+        tableExists = false;
+      }
+      if (!tableExists) {
+        return res.status(404).json({
+          error: "Not Found",
+          message: "Log entry not found"
+        });
+      }
+      const log3 = await prisma2.toolExecutionLog.findFirst({
+        where: {
+          id: logId,
+          tenantId
+          // Ensure tenant isolation
+        },
+        select: {
+          id: true,
+          toolName: true,
+          toolModule: true,
+          status: true,
+          clientType: true,
+          oauthClientId: true,
+          apiKeyId: true,
+          shopDomain: true,
+          durationMs: true,
+          createdAt: true,
+          inputParams: true,
+          outputSummary: true,
+          correlationId: true,
+          errorCode: true,
+          errorMessage: true
+        }
+      });
+      if (!log3) {
+        return res.status(404).json({
+          error: "Not Found",
+          message: "Log entry not found"
+        });
+      }
+      let clientName;
+      if (log3.oauthClientId) {
+        const oauthClient = await prisma2.oAuthClient.findUnique({
+          where: { id: log3.oauthClientId },
+          select: { clientName: true }
+        });
+        clientName = oauthClient?.clientName;
+      } else if (log3.apiKeyId) {
+        const apiKey = await prisma2.apiKey.findUnique({
+          where: { id: log3.apiKeyId, tenantId },
+          select: { name: true }
+        });
+        clientName = apiKey?.name;
+      }
+      const response = {
+        id: log3.id,
+        toolName: log3.toolName,
+        toolModule: log3.toolModule ?? void 0,
+        status: log3.status,
+        clientType: log3.clientType,
+        clientName,
+        shopDomain: log3.shopDomain ?? void 0,
+        durationMs: log3.durationMs ?? void 0,
+        createdAt: new Date(log3.createdAt).toISOString(),
+        inputParams: log3.inputParams ?? void 0,
+        outputSummary: log3.outputSummary ?? void 0,
+        correlationId: log3.correlationId ?? void 0,
+        errorCode: log3.errorCode ?? void 0,
+        errorMessage: log3.errorMessage ?? void 0
+      };
+      return res.json(response);
+    } catch (error) {
+      logger6.error("log details endpoint error", error, {
+        correlationId: req.headers["x-correlation-id"],
+        logId: req.params.id
+      });
+      return res.status(500).json({
+        error: "Internal Server Error",
+        message: "Failed to fetch log details"
+      });
+    }
+  });
   router.get("/stats", async (req, res) => {
     try {
       const tenantId = req.tenantContext?.tenantId;
@@ -2588,7 +2918,30 @@ function createActivityRouter() {
         tenantId,
         createdAt: { gte: startDate }
       };
-      const [totalCalls, successCount, avgDuration, topTools, byClientGroup, byShopGroup] = await Promise.all([
+      let tableExists = true;
+      try {
+        await prisma2.$queryRaw`SELECT 1 FROM tool_execution_logs LIMIT 1`;
+      } catch (error) {
+        if (error instanceof Error && (error.message.includes("does not exist") || error.message.includes("relation") || error.message.includes("table"))) {
+          tableExists = false;
+        } else {
+          throw error;
+        }
+      }
+      if (!tableExists) {
+        const response2 = {
+          period,
+          totalCalls: 0,
+          successRate: 0,
+          avgDurationMs: 0,
+          topTools: [],
+          byClient: [],
+          byShop: [],
+          byDay: []
+        };
+        return res.json(response2);
+      }
+      const [totalCalls, successCount, avgDuration, topTools, byClientGroup, byShopRaw] = await Promise.all([
         // Total calls
         prisma2.toolExecutionLog.count({ where: baseWhere }),
         // Success count
@@ -2617,32 +2970,37 @@ function createActivityRouter() {
           where: baseWhere,
           _count: { id: true }
         }),
-        // By shop
-        prisma2.toolExecutionLog.groupBy({
-          by: ["shopDomain"],
-          where: {
-            ...baseWhere,
-            shopDomain: { not: null }
-          },
-          _count: { id: true }
-        })
+        // By shop - using raw SQL for better aggregation
+        tableExists ? prisma2.$queryRaw`
+                SELECT 
+                  shop_domain AS "shopDomain",
+                  COUNT(*)::bigint AS calls,
+                  COUNT(*) FILTER (WHERE status = 'SUCCESS')::bigint AS "successCount",
+                  AVG(duration_ms)::numeric AS "avgDuration"
+                FROM tool_execution_logs
+                WHERE tenant_id = ${tenantId}
+                  AND created_at >= ${startDate}
+                  AND shop_domain IS NOT NULL
+                GROUP BY shop_domain
+                ORDER BY calls DESC
+              ` : Promise.resolve([])
       ]);
-      const byDayRaw = await prisma2.$queryRaw`
-        SELECT 
-          date_trunc('day', created_at)::date AS date,
-          COUNT(*)::bigint AS calls,
-          COUNT(*) FILTER (WHERE status != 'SUCCESS')::bigint AS errors
-        FROM tool_execution_logs
-        WHERE tenant_id = ${tenantId}
-          AND created_at >= ${startDate}
-        GROUP BY 1
-        ORDER BY 1 ASC
-      `;
+      const byDayRaw = tableExists ? await prisma2.$queryRaw`
+            SELECT 
+              date_trunc('day', created_at)::date AS date,
+              COUNT(*)::bigint AS calls,
+              COUNT(*) FILTER (WHERE status != 'SUCCESS')::bigint AS errors
+            FROM tool_execution_logs
+            WHERE tenant_id = ${tenantId}
+              AND created_at >= ${startDate}
+            GROUP BY 1
+            ORDER BY 1 ASC
+          ` : [];
       const clientIds = /* @__PURE__ */ new Set();
-      byClientGroup.forEach((group) => {
+      for (const group of byClientGroup) {
         if (group.oauthClientId) clientIds.add(group.oauthClientId);
         if (group.apiKeyId) clientIds.add(group.apiKeyId);
-      });
+      }
       const [oauthClients, apiKeys] = await Promise.all([
         clientIds.size > 0 && byClientGroup.some((g) => g.oauthClientId) ? prisma2.oAuthClient.findMany({
           where: {
@@ -2659,12 +3017,12 @@ function createActivityRouter() {
         }) : Promise.resolve([])
       ]);
       const clientNameMap = /* @__PURE__ */ new Map();
-      oauthClients.forEach((client) => {
+      for (const client of oauthClients) {
         clientNameMap.set(client.id, client.clientName);
-      });
-      apiKeys.forEach((key) => {
+      }
+      for (const key of apiKeys) {
         clientNameMap.set(key.id, key.name);
-      });
+      }
       const successRate = totalCalls > 0 ? successCount / totalCalls * 100 : 0;
       const avgDurationMs = avgDuration._avg.durationMs ?? 0;
       const topToolsFormatted = topTools.map((tool) => ({
@@ -2679,11 +3037,20 @@ function createActivityRouter() {
         type: group.clientType === "oauth_client" ? "oauth" : "api_key",
         calls: group._count.id
       }));
-      const byShopFormatted = byShopGroup.filter((group) => group.shopDomain).map((group) => ({
-        shopDomain: group.shopDomain,
-        calls: group._count.id
-      }));
-      const byDayFormatted = byDayRaw.filter((row) => row.date && !isNaN(new Date(row.date).getTime())).map((row) => ({
+      const byShopFormatted = byShopRaw.filter((row) => row.shopDomain).map((row) => {
+        const calls = Number(row.calls);
+        const successCount2 = Number(row.successCount ?? 0);
+        const successRate2 = calls > 0 ? successCount2 / calls * 100 : 0;
+        const avgDurationMs2 = row.avgDuration ? Number(row.avgDuration) : null;
+        return {
+          shopDomain: row.shopDomain,
+          calls,
+          successRate: Math.round(successRate2 * 100) / 100,
+          // Round to 2 decimal places
+          avgDurationMs: avgDurationMs2 ? Math.round(avgDurationMs2) : void 0
+        };
+      });
+      const byDayFormatted = byDayRaw.filter((row) => row.date && !Number.isNaN(new Date(row.date).getTime())).map((row) => ({
         date: new Date(row.date).toISOString().split("T")[0],
         // YYYY-MM-DD
         calls: Number(row.calls),
@@ -2702,7 +3069,7 @@ function createActivityRouter() {
       };
       return res.json(response);
     } catch (error) {
-      logger3.error("stats endpoint error", error, {
+      logger6.error("stats endpoint error", error, {
         correlationId: req.headers["x-correlation-id"]
       });
       return res.status(500).json({
@@ -2716,7 +3083,7 @@ function createActivityRouter() {
 
 // src/api/oauth-clients.ts
 import { Router as Router6 } from "express";
-var logger4 = createLogger("api/oauth-clients");
+var logger7 = createLogger("api/oauth-clients");
 var OAUTH_CLIENT_REVOKE_ACTION = "oauth_client:revoke";
 function createOAuthClientsRouter(options) {
   const { auditLogger: auditLogger2 } = options;
@@ -2734,13 +3101,163 @@ function createOAuthClientsRouter(options) {
       const clients = await getAuthorizedClients(prisma2, tenantId);
       return res.json({ clients });
     } catch (error) {
-      console.error("[OAUTH-CLIENTS API] List error:", error);
+      logger7.error("OAuth clients listing failed", error instanceof Error ? error : void 0, {
+        tenantId: req.tenantContext?.tenantId
+      });
       return res.status(500).json({
         error: "Internal Server Error",
         message: "An unexpected error occurred while listing OAuth clients"
       });
     }
   });
+  router.get("/metrics/batch", async (req, res) => {
+    try {
+      const tenantId = req.tenantContext?.tenantId;
+      if (!tenantId) {
+        return res.status(401).json({
+          error: "Unauthorized",
+          message: "Tenant context not found"
+        });
+      }
+      const activeTokens = await prisma2.oAuthRefreshToken.findMany({
+        where: {
+          tenantId,
+          revokedAt: null
+        },
+        select: {
+          clientId: true,
+          // This is the external clientId string
+          client: {
+            select: { id: true }
+            // This is the database CUID
+          }
+        },
+        distinct: ["clientId"]
+      });
+      if (activeTokens.length === 0) {
+        return res.json({ metrics: {} });
+      }
+      let tableExists = true;
+      try {
+        await prisma2.$queryRaw`SELECT 1 FROM tool_execution_logs LIMIT 1`;
+      } catch (error) {
+        if (error instanceof Error && (error.message.includes("does not exist") || error.message.includes("relation") || error.message.includes("table"))) {
+          tableExists = false;
+        } else {
+          throw error;
+        }
+      }
+      if (!tableExists) {
+        const emptyMetrics = {};
+        for (const token of activeTokens) {
+          emptyMetrics[token.clientId] = {
+            calls7d: 0,
+            calls30d: 0,
+            successRate: 0,
+            avgDurationMs: 0,
+            topTools: [],
+            lastUsedAt: null
+          };
+        }
+        return res.json({ metrics: emptyMetrics });
+      }
+      const now = /* @__PURE__ */ new Date();
+      const sevenDaysAgo = new Date(now);
+      sevenDaysAgo.setDate(sevenDaysAgo.getDate() - 7);
+      const thirtyDaysAgo = new Date(now);
+      thirtyDaysAgo.setDate(thirtyDaysAgo.getDate() - 30);
+      const clientIdToDbId = /* @__PURE__ */ new Map();
+      const dbIdToClientId = /* @__PURE__ */ new Map();
+      const dbIds = [];
+      for (const token of activeTokens) {
+        clientIdToDbId.set(token.clientId, token.client.id);
+        dbIdToClientId.set(token.client.id, token.clientId);
+        dbIds.push(token.client.id);
+      }
+      const queryStartTime = Date.now();
+      const metricsRaw = await prisma2.$queryRaw`
+        SELECT
+          oauth_client_id,
+          COUNT(*) FILTER (WHERE created_at >= ${sevenDaysAgo})::bigint AS calls_7d,
+          COUNT(*)::bigint AS calls_30d,
+          COUNT(*) FILTER (WHERE created_at >= ${sevenDaysAgo} AND status = 'SUCCESS')::bigint AS success_count_7d,
+          COUNT(*) FILTER (WHERE created_at >= ${sevenDaysAgo})::bigint AS total_count_7d,
+          AVG(duration_ms) FILTER (WHERE created_at >= ${sevenDaysAgo})::numeric AS avg_duration_ms,
+          MAX(created_at) AS last_used_at
+        FROM tool_execution_logs
+        WHERE tenant_id = ${tenantId}
+          AND oauth_client_id = ANY(${dbIds})
+          AND created_at >= ${thirtyDaysAgo}
+        GROUP BY oauth_client_id
+      `;
+      const topToolsRaw = await prisma2.$queryRaw`
+        WITH ranked_tools AS (
+          SELECT
+            oauth_client_id,
+            tool_name,
+            COUNT(*)::bigint AS call_count,
+            ROW_NUMBER() OVER (PARTITION BY oauth_client_id ORDER BY COUNT(*) DESC) AS rn
+          FROM tool_execution_logs
+          WHERE tenant_id = ${tenantId}
+            AND oauth_client_id = ANY(${dbIds})
+            AND created_at >= ${sevenDaysAgo}
+          GROUP BY oauth_client_id, tool_name
+        )
+        SELECT oauth_client_id, tool_name, call_count
+        FROM ranked_tools
+        WHERE rn <= 3
+      `;
+      const topToolsByDbId = /* @__PURE__ */ new Map();
+      for (const row of topToolsRaw) {
+        const existing = topToolsByDbId.get(row.oauth_client_id) ?? [];
+        existing.push({ name: row.tool_name, calls: Number(row.call_count) });
+        topToolsByDbId.set(row.oauth_client_id, existing);
+      }
+      const metricsMap = {};
+      for (const token of activeTokens) {
+        metricsMap[token.clientId] = {
+          calls7d: 0,
+          calls30d: 0,
+          successRate: 0,
+          avgDurationMs: 0,
+          topTools: [],
+          lastUsedAt: null
+        };
+      }
+      for (const row of metricsRaw) {
+        const externalClientId = dbIdToClientId.get(row.oauth_client_id);
+        if (!externalClientId) continue;
+        const totalCount = Number(row.total_count_7d);
+        const successCount = Number(row.success_count_7d);
+        const successRate = totalCount > 0 ? successCount / totalCount * 100 : 0;
+        metricsMap[externalClientId] = {
+          calls7d: Number(row.calls_7d),
+          calls30d: Number(row.calls_30d),
+          successRate: Math.round(successRate * 10) / 10,
+          avgDurationMs: Math.round(row.avg_duration_ms ?? 0),
+          topTools: topToolsByDbId.get(row.oauth_client_id) ?? [],
+          lastUsedAt: row.last_used_at?.toISOString() ?? null
+        };
+      }
+      const queryDuration = Date.now() - queryStartTime;
+      if (queryDuration > 500) {
+        logger7.warn("Batch OAuth client metrics query exceeded 500ms", {
+          tenantId,
+          clientCount: activeTokens.length,
+          durationMs: queryDuration
+        });
+      }
+      return res.json({ metrics: metricsMap });
+    } catch (error) {
+      logger7.error("batch metrics endpoint error", error, {
+        correlationId: req.headers["x-correlation-id"]
+      });
+      return res.status(500).json({
+        error: "Internal Server Error",
+        message: "Failed to compute OAuth client metrics"
+      });
+    }
+  });
   router.get("/:clientId/metrics", async (req, res) => {
     try {
       const tenantId = req.tenantContext?.tenantId;
@@ -2751,19 +3268,45 @@ function createOAuthClientsRouter(options) {
         });
       }
       const { clientId } = req.params;
-      const clientExists = await prisma2.oAuthRefreshToken.findFirst({
+      const clientRecord = await prisma2.oAuthRefreshToken.findFirst({
         where: {
           clientId,
           tenantId,
           revokedAt: null
+        },
+        include: {
+          client: {
+            select: { id: true }
+          }
         }
       });
-      if (!clientExists) {
+      if (!clientRecord) {
         return res.status(404).json({
           error: "Not Found",
           message: "OAuth client not found or no active tokens"
         });
       }
+      const oauthClientDbId = clientRecord.client.id;
+      let tableExists = true;
+      try {
+        await prisma2.$queryRaw`SELECT 1 FROM tool_execution_logs LIMIT 1`;
+      } catch (error) {
+        if (error instanceof Error && (error.message.includes("does not exist") || error.message.includes("relation") || error.message.includes("table"))) {
+          tableExists = false;
+        } else {
+          throw error;
+        }
+      }
+      if (!tableExists) {
+        return res.json({
+          calls7d: 0,
+          calls30d: 0,
+          successRate: 0,
+          avgDurationMs: 0,
+          topTools: [],
+          lastUsedAt: null
+        });
+      }
       const now = /* @__PURE__ */ new Date();
       const sevenDaysAgo = new Date(now);
       sevenDaysAgo.setDate(sevenDaysAgo.getDate() - 7);
@@ -2771,7 +3314,7 @@ function createOAuthClientsRouter(options) {
       thirtyDaysAgo.setDate(thirtyDaysAgo.getDate() - 30);
       const baseWhere = {
         tenantId,
-        oauthClientId: clientId
+        oauthClientId: oauthClientDbId
       };
       const queryStartTime = Date.now();
       const [calls7d, calls30d, totalCalls, successCount, avgDuration, topTools, lastUsed] = await Promise.all([
@@ -2838,7 +3381,7 @@ function createOAuthClientsRouter(options) {
       }));
       const queryDuration = Date.now() - queryStartTime;
       if (queryDuration > 200) {
-        logger4.warn("OAuth client metrics query exceeded 200ms", {
+        logger7.warn("OAuth client metrics query exceeded 200ms", {
           clientId,
           tenantId,
           durationMs: queryDuration
@@ -2855,7 +3398,7 @@ function createOAuthClientsRouter(options) {
       };
       return res.json(response);
     } catch (error) {
-      logger4.error("metrics endpoint error", error, {
+      logger7.error("metrics endpoint error", error, {
         correlationId: req.headers["x-correlation-id"]
       });
       return res.status(500).json({
@@ -2921,7 +3464,10 @@ function createOAuthClientsRouter(options) {
       });
       return res.status(204).send();
     } catch (error) {
-      console.error("[OAUTH-CLIENTS API] Revocation error:", error);
+      logger7.error("OAuth client revocation failed", error instanceof Error ? error : void 0, {
+        tenantId: req.tenantContext?.tenantId,
+        clientId: req.params.clientId
+      });
       return res.status(500).json({
         error: "Internal Server Error",
         message: "An unexpected error occurred during revocation"
@@ -3014,7 +3560,7 @@ var oauthClientsRouter = createOAuthClientsRouter({
 });
 
 // src/lifecycle/shutdown.ts
-var logger5 = createLogger("lifecycle/shutdown");
+var logger8 = createLogger("lifecycle/shutdown");
 var ShutdownManager = class {
   /** Current shutdown state */
   _state = "running";
@@ -3144,20 +3690,20 @@ var ShutdownManager = class {
    */
   registerSignalHandlers() {
     process.on("SIGTERM", () => {
-      logger5.info("Received SIGTERM signal");
+      logger8.info("Received SIGTERM signal");
       this.initiateShutdown().catch((error) => {
-        logger5.error("Shutdown failed", error instanceof Error ? error : void 0);
+        logger8.error("Shutdown failed", error instanceof Error ? error : void 0);
         process.exit(1);
       });
     });
     process.on("SIGINT", () => {
-      logger5.info("Received SIGINT signal");
+      logger8.info("Received SIGINT signal");
       this.initiateShutdown().catch((error) => {
-        logger5.error("Shutdown failed", error instanceof Error ? error : void 0);
+        logger8.error("Shutdown failed", error instanceof Error ? error : void 0);
         process.exit(1);
       });
     });
-    logger5.debug("Signal handlers registered (SIGTERM, SIGINT)");
+    logger8.debug("Signal handlers registered (SIGTERM, SIGINT)");
   }
   /**
    * Initiate graceful shutdown
@@ -3175,13 +3721,13 @@ var ShutdownManager = class {
    */
   async initiateShutdown() {
     if (this.shutdownInProgress) {
-      logger5.debug("Shutdown already in progress, ignoring duplicate call");
+      logger8.debug("Shutdown already in progress, ignoring duplicate call");
       return;
     }
     this.shutdownInProgress = true;
     this._state = "draining";
     this.drainingStartedAt = /* @__PURE__ */ new Date();
-    logger5.info("Shutdown initiated", {
+    logger8.info("Shutdown initiated", {
       drainTimeoutMs: this.drainTimeoutMs,
       activeConnections: this.getRemainingConnections()
     });
@@ -3197,11 +3743,11 @@ var ShutdownManager = class {
     }
     if (this.mcpSessionsCleanup) {
       try {
-        logger5.debug("Closing MCP sessions");
+        logger8.debug("Closing MCP sessions");
         await this.withTimeout(this.mcpSessionsCleanup(), 5e3, "MCP sessions cleanup");
-        logger5.debug("MCP sessions closed");
+        logger8.debug("MCP sessions closed");
       } catch (error) {
-        logger5.error("Failed to close MCP sessions", error instanceof Error ? error : void 0);
+        logger8.error("Failed to close MCP sessions", error instanceof Error ? error : void 0);
       }
     }
     const summary = await this.runCleanupCallbacks();
@@ -3219,14 +3765,14 @@ var ShutdownManager = class {
         resolve();
         return;
       }
-      logger5.debug("Stopping HTTP server from accepting new connections");
+      logger8.debug("Stopping HTTP server from accepting new connections");
       this.httpServer.close((error) => {
         if (error) {
           if (error.code !== "ERR_SERVER_NOT_RUNNING") {
-            logger5.warn("HTTP server close error", { error: error.message });
+            logger8.warn("HTTP server close error", { error: error.message });
           }
         }
-        logger5.debug("HTTP server stopped accepting connections");
+        logger8.debug("HTTP server stopped accepting connections");
         resolve();
       });
     });
@@ -3239,7 +3785,7 @@ var ShutdownManager = class {
     while (this.getRemainingConnections() > 0) {
       await new Promise((resolve) => setTimeout(resolve, pollInterval));
     }
-    logger5.debug("All connections drained");
+    logger8.debug("All connections drained");
   }
   /**
    * Create drain timeout promise
@@ -3247,7 +3793,7 @@ var ShutdownManager = class {
   createDrainTimeout() {
     return new Promise((resolve) => {
       this.drainTimeoutTimer = setTimeout(() => {
-        logger5.warn("Drain timeout reached, proceeding with shutdown", {
+        logger8.warn("Drain timeout reached, proceeding with shutdown", {
           remainingConnections: this.getRemainingConnections(),
           drainTimeoutMs: this.drainTimeoutMs
         });
@@ -3262,7 +3808,7 @@ var ShutdownManager = class {
   async runCleanupCallbacks() {
     const drainTimeMs = this.drainingStartedAt ? Date.now() - this.drainingStartedAt.getTime() : 0;
     let cleanupErrors = 0;
-    logger5.debug("Running cleanup callbacks", {
+    logger8.debug("Running cleanup callbacks", {
       count: this.cleanupCallbacks.length
     });
     for (let i = 0; i < this.cleanupCallbacks.length; i++) {
@@ -3275,7 +3821,7 @@ var ShutdownManager = class {
         );
       } catch (error) {
         cleanupErrors++;
-        logger5.error(
+        logger8.error(
           `Cleanup callback ${i + 1} failed`,
           error instanceof Error ? error : void 0
         );
@@ -3309,7 +3855,7 @@ var ShutdownManager = class {
    * Log final shutdown summary
    */
   logShutdownSummary(summary) {
-    logger5.info("Shutdown complete", {
+    logger8.info("Shutdown complete", {
       drainTimeMs: summary.drainTimeMs,
       cleanupCallbacksRun: summary.cleanupCallbacksRun,
       cleanupErrors: summary.cleanupErrors,
@@ -5457,6 +6003,18 @@ var TokenRefreshService = class {
     } catch (error) {
       const errorMessage = error instanceof Error ? error.message : "Unknown error during refresh";
       log.error(`Token refresh error: ${errorMessage}`);
+      const isDecryptionFailure = errorMessage.includes("Decryption failed") || errorMessage.includes("invalid key") || errorMessage.includes("corrupted data");
+      if (isDecryptionFailure) {
+        log.error(
+          `CRITICAL: Cannot decrypt tokens for shop ${shop.shopDomain.substring(0, 20)}. This likely means ENCRYPTION_KEY was changed. Shop must reconnect.`
+        );
+        await this.updateTokenStatus(shop.id, "needs_reauth" /* NEEDS_REAUTH */);
+        return {
+          success: false,
+          error: `Token expired and refresh failed for shop ${shop.shopDomain.substring(0, 20)}.... Please reconnect the shop.`,
+          status: "needs_reauth" /* NEEDS_REAUTH */
+        };
+      }
       return {
         success: false,
         error: errorMessage,
@@ -6290,6 +6848,104 @@ function createGDPRWebhooksRouter(options) {
   return router;
 }
 
+// src/transports/http/health-endpoints.ts
+var FAVICON_PNG_BASE64 = "iVBORw0KGgoAAAANSUhEUgAAACAAAAAgCAIAAAD8GO2jAAAAKklEQVR42u3NQQkAAAgEsItnQutYzRQ+hMH+S0+dikAgEAgEAoFAIPgSLM8edFuULS3fAAAAAElFTkSuQmCC";
+var FAVICON_SVG = `<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 32 32" width="32" height="32">
+  <rect width="32" height="32" rx="6" fill="#96BF48"/>
+  <path d="M10 8h12l2 6v12a2 2 0 0 1-2 2H10a2 2 0 0 1-2-2V14l2-6z" fill="white" stroke="white" stroke-width="1"/>
+  <path d="M12 8v-2a4 4 0 0 1 8 0v2" fill="none" stroke="#96BF48" stroke-width="2" stroke-linecap="round"/>
+</svg>`;
+function registerHealthEndpoints(app, config) {
+  let oauthStatus = null;
+  if (isRemoteMode(config)) {
+    const shopifyClientId = config.SHOPIFY_CLIENT_ID;
+    const shopifyClientSecret = config.SHOPIFY_CLIENT_SECRET;
+    const appUrl = config.APP_URL || `http://localhost:${config.PORT}`;
+    oauthStatus = {
+      enabled: !!(shopifyClientId && shopifyClientSecret),
+      hasClientId: !!shopifyClientId,
+      hasClientSecret: !!shopifyClientSecret,
+      hasAppUrl: !!config.APP_URL,
+      redirectUri: shopifyClientId && shopifyClientSecret ? `${appUrl}/oauth/callback` : void 0
+    };
+  }
+  app.get("/metrics", async (_req, res) => {
+    if (!isMetricsEnabled(config)) {
+      res.status(404).json({
+        error: "Not Found",
+        message: "Metrics endpoint is disabled"
+      });
+      return;
+    }
+    try {
+      const metrics = await getMetricsOutput();
+      res.setHeader("Content-Type", getMetricsContentType());
+      res.send(metrics);
+    } catch (error) {
+      const message = error instanceof Error ? error.message : "Failed to collect metrics";
+      log.error("Metrics collection failed", error instanceof Error ? error : void 0);
+      res.status(500).json({
+        error: "Internal Server Error",
+        message
+      });
+    }
+  });
+  app.get("/health", async (_req, res) => {
+    try {
+      let drainingInfo;
+      if (shutdownManager.isDraining()) {
+        const info = shutdownManager.getDrainingInfo();
+        if (info) {
+          drainingInfo = {
+            startedAt: info.startedAt,
+            remainingConnections: shutdownManager.getRemainingConnections(),
+            shutdownDeadline: info.shutdownDeadline
+          };
+        }
+      }
+      const health = await checkHealth({ drainingInfo });
+      const statusCode = health.status === "draining" ? 503 : 200;
+      log.debug(`Health check: ${health.status}`);
+      const healthResponse = {
+        ...health,
+        ...isRemoteMode(config) && oauthStatus ? { oauth: oauthStatus } : {}
+      };
+      res.status(statusCode).json(healthResponse);
+    } catch (error) {
+      const message = error instanceof Error ? error.message : "Health check failed unexpectedly";
+      log.warn(`Health check failed unexpectedly: ${message}`);
+      res.status(503).json({
+        status: "unhealthy",
+        version: getVersion(),
+        shopify: {
+          connected: false,
+          error: "Health check failed unexpectedly"
+        },
+        timestamp: (/* @__PURE__ */ new Date()).toISOString()
+      });
+    }
+  });
+  app.get("/favicon.ico", (_req, res) => {
+    const faviconBuffer = Buffer.from(FAVICON_PNG_BASE64, "base64");
+    res.setHeader("Content-Type", "image/png");
+    res.setHeader("Content-Length", faviconBuffer.length.toString());
+    res.setHeader("Cache-Control", "public, max-age=86400");
+    res.send(faviconBuffer);
+  });
+  app.get("/favicon.png", (_req, res) => {
+    const faviconBuffer = Buffer.from(FAVICON_PNG_BASE64, "base64");
+    res.setHeader("Content-Type", "image/png");
+    res.setHeader("Content-Length", faviconBuffer.length.toString());
+    res.setHeader("Cache-Control", "public, max-age=86400");
+    res.send(faviconBuffer);
+  });
+  app.get("/favicon.svg", (_req, res) => {
+    res.setHeader("Content-Type", "image/svg+xml");
+    res.setHeader("Cache-Control", "public, max-age=86400");
+    res.send(FAVICON_SVG);
+  });
+}
+
 // src/transports/http.ts
 async function createHttpTransport(server) {
   const app = express();
@@ -6305,7 +6961,7 @@ async function createHttpTransport(server) {
   }
   app.use(sentryRequestMiddleware);
   if (isRemoteMode(config)) {
-    const { createCorsMiddleware } = await import("./security-44M6F2QU.js");
+    const { createCorsMiddleware } = await import("./security-6CNKRY2G.js");
     const { getAllowedOrigins } = await import("./schema-SOWYIQIV.js");
     const allowedOrigins = getAllowedOrigins(config);
     app.use(
@@ -6316,8 +6972,19 @@ async function createHttpTransport(server) {
     );
     log.info(`CORS middleware enabled with ${allowedOrigins.length} allowed origin(s)`);
     app.use((req, res, next) => {
-      const isOAuthRelatedPage = req.path.startsWith("/oauth/authorize") || req.path.startsWith("/app/oauth/") || req.path.startsWith("/app/login") || req.path === "/app" || req.path === "/app/";
-      const frameAncestors = isOAuthRelatedPage ? "frame-ancestors 'self' https://claude.ai https://*.anthropic.com https://*.claude.ai" : "frame-ancestors 'none'";
+      const isShopifyEmbeddedPage = req.path.startsWith("/app");
+      const isOAuthRelatedPage = req.path.startsWith("/oauth/authorize") || req.path.startsWith("/app/oauth/") || req.path.startsWith("/app/login");
+      let frameAncestors;
+      if (isShopifyEmbeddedPage) {
+        frameAncestors = "frame-ancestors 'self' https://admin.shopify.com https://*.myshopify.com https://claude.ai https://*.anthropic.com https://*.claude.ai";
+      } else if (isOAuthRelatedPage) {
+        frameAncestors = "frame-ancestors 'self' https://claude.ai https://*.anthropic.com https://*.claude.ai";
+      } else {
+        frameAncestors = "frame-ancestors 'none'";
+      }
+      if (isShopifyEmbeddedPage || isOAuthRelatedPage) {
+        res.locals.allowIframeEmbedding = true;
+      }
       res.setHeader(
         "Content-Security-Policy",
         [
@@ -6341,15 +7008,53 @@ async function createHttpTransport(server) {
   let clientPool = null;
   let auditLogger2 = null;
   let cryptoService = null;
+  let keepAliveInterval = null;
   if (isRemoteMode(config)) {
     log.info("Remote mode: enabling tenant onboarding API routes");
+    try {
+      await warmupDatabase();
+    } catch (error) {
+      log.error("Database warmup failed, server may experience cold-start delays");
+    }
     const prisma2 = getPrismaClient();
     const encryptionKey = requireEncryptionKey(config);
     cryptoService = new CredentialEncryptionService(encryptionKey);
     auditLogger2 = new AuditLogger(prisma2);
+    getToolExecutionLogger(prisma2);
+    log.info("ToolExecutionLogger initialized for activity logging");
     apiKeyService = new ApiKeyService(prisma2);
     clientPool = new TenantClientPool(cryptoService, prisma2);
     log.info("TenantClientPool initialized for multi-tenant MCP");
+    try {
+      const validationResult = await cryptoService.validateEncryptionKeyOnStartup(prisma2);
+      if (validationResult.totalCount > 0) {
+        if (validationResult.failedCount > 0) {
+          log.error(
+            `CRITICAL: ENCRYPTION_KEY MISMATCH DETECTED! ${validationResult.failedCount}/${validationResult.totalCount} shop tokens cannot be decrypted. Affected shops will need to reconnect.`
+          );
+          captureError(
+            new Error(
+              `Encryption key mismatch: ${validationResult.failedCount} tokens cannot be decrypted`
+            ),
+            {
+              totalCount: validationResult.totalCount,
+              failedCount: validationResult.failedCount,
+              failedShopIds: validationResult.failedShopIds
+            }
+          );
+          await cryptoService.markShopsAsNeedingReauth(prisma2, validationResult.failedShopIds);
+          log.warn(`Marked ${validationResult.failedCount} shops as needing re-authentication`);
+        } else {
+          log.info(
+            `Encryption key validation passed: ${validationResult.successCount} shop tokens verified`
+          );
+        }
+      }
+    } catch (validationError) {
+      log.error(
+        `Failed to validate encryption key on startup: ${validationError instanceof Error ? validationError.message : "Unknown"}`
+      );
+    }
     if (config.SHOPIFY_CLIENT_ID && config.SHOPIFY_CLIENT_SECRET) {
       const tokenRefreshService = initializeTokenRefreshService(prisma2, cryptoService, {
         clientId: config.SHOPIFY_CLIENT_ID,
@@ -6473,7 +7178,7 @@ async function createHttpTransport(server) {
     }
     if (apiKeyService) {
       try {
-        const { validateMcpBearerToken } = await import("./mcp-auth-CWOWKID3.js");
+        const { validateMcpBearerToken } = await import("./mcp-auth-54BVOYFJ.js");
         const authResult = await validateMcpBearerToken(
           `Bearer ${bearerToken}`,
           apiKeyService,
@@ -6543,7 +7248,7 @@ async function createHttpTransport(server) {
           }
           if (sessionContext && methodRequiresShop && isRemote && apiKeyService && clientPool && prisma2 && (!sessionContext.requestContext?.client || !sessionContext.requestContext?.shopDomain)) {
             log.debug(`[mcp] Lazy loading context for existing session: ${sessionPrefix}...`);
-            const { validateMcpBearerToken } = await import("./mcp-auth-CWOWKID3.js");
+            const { validateMcpBearerToken } = await import("./mcp-auth-54BVOYFJ.js");
             const authResult = await validateMcpBearerToken(
               req.headers.authorization,
               apiKeyService,
@@ -6562,7 +7267,12 @@ async function createHttpTransport(server) {
                     authResult.tenant.defaultShop.domain,
                     authResult.tenant.tenantId,
                     authResult.tenant.apiKeyId || "",
-                    authResult.tenant.allowedShops
+                    authResult.tenant.allowedShops,
+                    {
+                      oauthClientId: authResult.tenant.oauthClientId,
+                      oauthClientName: authResult.tenant.oauthClientName,
+                      correlationId
+                    }
                   ),
                   correlationId
                 };
@@ -6647,7 +7357,7 @@ async function createHttpTransport(server) {
       let shopifyClient;
       let multiTenantContext;
       if (isRemote && apiKeyService && clientPool && prisma2) {
-        const { validateMcpBearerToken } = await import("./mcp-auth-CWOWKID3.js");
+        const { validateMcpBearerToken } = await import("./mcp-auth-54BVOYFJ.js");
         const authResult = await validateMcpBearerToken(
           req.headers.authorization,
           apiKeyService,
@@ -6728,7 +7438,12 @@ async function createHttpTransport(server) {
               mcpTenantContext.defaultShop.domain,
               mcpTenantContext.tenantId,
               mcpTenantContext.apiKeyId || "",
-              mcpTenantContext.allowedShops
+              mcpTenantContext.allowedShops,
+              {
+                oauthClientId: mcpTenantContext.oauthClientId,
+                oauthClientName: mcpTenantContext.oauthClientName,
+                correlationId
+              }
             ),
             correlationId
           };
@@ -6930,7 +7645,7 @@ async function createHttpTransport(server) {
     let shopifyClient;
     let multiTenantContext;
     if (isRemote && apiKeyService && clientPool && prisma2) {
-      const { validateMcpBearerToken } = await import("./mcp-auth-CWOWKID3.js");
+      const { validateMcpBearerToken } = await import("./mcp-auth-54BVOYFJ.js");
       const authResult = await validateMcpBearerToken(
         req.headers.authorization,
         apiKeyService,
@@ -7095,7 +7810,7 @@ data: ${JSON.stringify({
     const isRemote = isRemoteMode(config);
     const prisma2 = isRemote ? getPrismaClient() : null;
     if (isRemote && apiKeyService && prisma2) {
-      const { validateMcpBearerToken } = await import("./mcp-auth-CWOWKID3.js");
+      const { validateMcpBearerToken } = await import("./mcp-auth-54BVOYFJ.js");
       const authResult = await validateMcpBearerToken(
         req.headers.authorization,
         apiKeyService,
@@ -7146,7 +7861,7 @@ data: ${JSON.stringify({
         return;
       }
       if (body.method === "tools/list") {
-        const { getRegisteredTools } = await import("./tools-BCI3Z2AW.js");
+        const { getRegisteredTools } = await import("./tools-SVKPHJYW.js");
         const tools = getRegisteredTools();
         const response = {
           jsonrpc: "2.0",
@@ -7184,7 +7899,7 @@ data: ${JSON.stringify({
         return;
       }
       if (body.method === "tools/call" && isRemote && apiKeyService && clientPool && prisma2) {
-        const { validateMcpBearerToken } = await import("./mcp-auth-CWOWKID3.js");
+        const { validateMcpBearerToken } = await import("./mcp-auth-54BVOYFJ.js");
         const authResult = await validateMcpBearerToken(
           req.headers.authorization,
           apiKeyService,
@@ -7241,7 +7956,7 @@ data: ${JSON.stringify({
             ),
             correlationId
           };
-          const { getToolByName } = await import("./tools-BCI3Z2AW.js");
+          const { getToolByName } = await import("./tools-SVKPHJYW.js");
           const params = body.params;
           const rawToolName = params?.name;
           const toolArgs = params?.arguments || {};
@@ -7365,27 +8080,7 @@ data: ${JSON.stringify({
     const queryString = Object.keys(req.query).length ? `?${new URLSearchParams(req.query).toString()}` : "";
     res.redirect(307, `/sse${queryString}`);
   });
-  app.get("/metrics", async (_req, res) => {
-    if (!isMetricsEnabled(config)) {
-      res.status(404).json({
-        error: "Not Found",
-        message: "Metrics endpoint is disabled"
-      });
-      return;
-    }
-    try {
-      const metrics = await getMetricsOutput();
-      res.setHeader("Content-Type", getMetricsContentType());
-      res.send(metrics);
-    } catch (error) {
-      const message = error instanceof Error ? error.message : "Failed to collect metrics";
-      log.error("Metrics collection failed", error instanceof Error ? error : void 0);
-      res.status(500).json({
-        error: "Internal Server Error",
-        message
-      });
-    }
-  });
+  registerHealthEndpoints(app, config);
   let oauthStatus = null;
   if (isRemoteMode(config)) {
     const shopifyClientId = config.SHOPIFY_CLIENT_ID;
@@ -7399,66 +8094,6 @@ data: ${JSON.stringify({
       redirectUri: shopifyClientId && shopifyClientSecret ? `${appUrl}/oauth/callback` : void 0
     };
   }
-  app.get("/health", async (_req, res) => {
-    try {
-      let drainingInfo;
-      if (shutdownManager.isDraining()) {
-        const info = shutdownManager.getDrainingInfo();
-        if (info) {
-          drainingInfo = {
-            startedAt: info.startedAt,
-            remainingConnections: shutdownManager.getRemainingConnections(),
-            shutdownDeadline: info.shutdownDeadline
-          };
-        }
-      }
-      const health = await checkHealth({ drainingInfo });
-      const statusCode = health.status === "draining" ? 503 : 200;
-      log.debug(`Health check: ${health.status}`);
-      const healthResponse = {
-        ...health,
-        ...isRemoteMode(config) && oauthStatus ? { oauth: oauthStatus } : {}
-      };
-      res.status(statusCode).json(healthResponse);
-    } catch (error) {
-      const message = error instanceof Error ? error.message : "Health check failed unexpectedly";
-      log.warn(`Health check failed unexpectedly: ${message}`);
-      res.status(503).json({
-        status: "unhealthy",
-        version: getVersion(),
-        shopify: {
-          connected: false,
-          error: "Health check failed unexpectedly"
-        },
-        timestamp: (/* @__PURE__ */ new Date()).toISOString()
-      });
-    }
-  });
-  const faviconPngBase64 = "iVBORw0KGgoAAAANSUhEUgAAACAAAAAgCAIAAAD8GO2jAAAAKklEQVR42u3NQQkAAAgEsItnQutYzRQ+hMH+S0+dikAgEAgEAoFAIPgSLM8edFuULS3fAAAAAElFTkSuQmCC";
-  app.get("/favicon.ico", (_req, res) => {
-    const faviconBuffer = Buffer.from(faviconPngBase64, "base64");
-    res.setHeader("Content-Type", "image/png");
-    res.setHeader("Content-Length", faviconBuffer.length.toString());
-    res.setHeader("Cache-Control", "public, max-age=86400");
-    res.send(faviconBuffer);
-  });
-  app.get("/favicon.png", (_req, res) => {
-    const faviconBuffer = Buffer.from(faviconPngBase64, "base64");
-    res.setHeader("Content-Type", "image/png");
-    res.setHeader("Content-Length", faviconBuffer.length.toString());
-    res.setHeader("Cache-Control", "public, max-age=86400");
-    res.send(faviconBuffer);
-  });
-  app.get("/favicon.svg", (_req, res) => {
-    const svgFavicon = `<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 32 32" width="32" height="32">
-      <rect width="32" height="32" rx="6" fill="#96BF48"/>
-      <path d="M10 8h12l2 6v12a2 2 0 0 1-2 2H10a2 2 0 0 1-2-2V14l2-6z" fill="white" stroke="white" stroke-width="1"/>
-      <path d="M12 8v-2a4 4 0 0 1 8 0v2" fill="none" stroke="#96BF48" stroke-width="2" stroke-linecap="round"/>
-    </svg>`;
-    res.setHeader("Content-Type", "image/svg+xml");
-    res.setHeader("Cache-Control", "public, max-age=86400");
-    res.send(svgFavicon);
-  });
   const oauthDiscoveryService = createOAuthDiscoveryService(discoveryBaseUrl);
   app.get("/.well-known/oauth-authorization-server", (_req, res) => {
     const metadata = oauthDiscoveryService.getAuthorizationServerMetadata();
@@ -8089,6 +8724,13 @@ data: ${JSON.stringify({
       log.debug("Disconnecting Prisma");
       await disconnectPrisma();
     });
+    shutdownManager.onShutdown(() => {
+      if (keepAliveInterval) {
+        log.debug("Stopping database keep-alive");
+        clearInterval(keepAliveInterval);
+        keepAliveInterval = null;
+      }
+    });
   }
   return {
     app,
@@ -8097,6 +8739,21 @@ data: ${JSON.stringify({
       shutdownManager.setHttpServer(httpServer);
       shutdownManager.registerSignalHandlers();
       log.info("Graceful shutdown handlers registered");
+      if (isRemoteMode(config)) {
+        const KEEP_ALIVE_INTERVAL_MS = 4 * 60 * 1e3;
+        keepAliveInterval = setInterval(async () => {
+          try {
+            const prisma2 = getPrismaClient();
+            await prisma2.$queryRaw`SELECT 1`;
+            log.debug("Database keep-alive ping successful");
+          } catch (error) {
+            const message = error instanceof Error ? error.message : "Unknown error";
+            log.warn(`Database keep-alive ping failed: ${message}`);
+          }
+        }, KEEP_ALIVE_INTERVAL_MS);
+        keepAliveInterval.unref();
+        log.info("Database keep-alive started (interval: 4 minutes)");
+      }
       return httpServer;
     }
   };