@bod.ee/db 0.7.0

package/admin/server.ts

@@ -0,0 +1,523 @@
+import { BodDB } from '../src/server/BodDB.ts';
+import { join } from 'path';
+import { statSync } from 'fs';
+import { cpus, totalmem } from 'os';
+import { rules } from './rules.ts';
+
+const DB_PATH = process.env.DB_PATH ?? join(import.meta.dir, '../.tmp/bod-db-admin.sqlite');
+const PORT = process.env.PORT ? Number(process.env.PORT) : 4400;
+
+import { increment, serverTimestamp, arrayUnion, arrayRemove } from '../src/shared/transforms.ts';
+
+const ADMIN_TOKEN = process.env.ADMIN_TOKEN;
+const db = new BodDB({ path: DB_PATH, rules, sweepInterval: 60000, fts: {}, vectors: { dimensions: 384 } });
+console.log(`DB: ${DB_PATH}`);
+
+// Seed only if empty
+if (!db.get('users/alice')) {
+  db.set('users/alice', { name: 'Alice', age: 30, role: 'admin' });
+  db.set('users/bob', { name: 'Bob', age: 25, role: 'user' });
+  db.set('users/carol', { name: 'Carol', age: 28, role: 'user' });
+  db.set('settings/theme', 'dark');
+  db.set('settings/lang', 'en');
+  // Seed push, FTS, and vector data
+  db.push('logs', { level: 'info', msg: 'Server started', ts: Date.now() });
+  db.set('counters/likes', 0);
+  db.set('counters/views', 0);
+  // FTS seed
+  db.index('users/alice', 'Alice is an admin user who manages the system');
+  db.index('users/bob', 'Bob is a regular user who writes articles');
+  db.index('users/carol', 'Carol is a user interested in design and UX');
+  db.set('_fts/users_alice', { path: 'users/alice', content: 'Alice is an admin user who manages the system', indexedAt: Date.now() });
+  db.set('_fts/users_bob', { path: 'users/bob', content: 'Bob is a regular user who writes articles', indexedAt: Date.now() });
+  db.set('_fts/users_carol', { path: 'users/carol', content: 'Carol is a user interested in design and UX', indexedAt: Date.now() });
+  // Vector seed (384d — simple deterministic embeddings for demo)
+  const makeEmb = (seed: number) => Array.from({length: 384}, (_, i) => Math.sin((i + seed) * 0.1) * 0.5);
+  db.vectors!.store('users/alice', makeEmb(0));
+  db.vectors!.store('users/bob', makeEmb(10));
+  db.vectors!.store('users/carol', makeEmb(20));
+  db.set('_vectors/users_alice', { path: 'users/alice', dimensions: 384, storedAt: Date.now() });
+  db.set('_vectors/users_bob', { path: 'users/bob', dimensions: 384, storedAt: Date.now() });
+  db.set('_vectors/users_carol', { path: 'users/carol', dimensions: 384, storedAt: Date.now() });
+  // Stream seed
+  db.push('events/orders', { orderId: 'o1', amount: 99, status: 'completed' });
+  db.push('events/orders', { orderId: 'o2', amount: 42, status: 'pending' });
+  db.push('events/orders', { orderId: 'o3', amount: 150, status: 'completed' });
+  // MQ seed
+  db.mq.push('queues/jobs', { type: 'email', to: 'alice@example.com', subject: 'Welcome' });
+  db.mq.push('queues/jobs', { type: 'sms', to: '+1234567890', body: 'Your code is 1234' });
+  db.mq.push('queues/jobs', { type: 'webhook', url: 'https://example.com/hook', payload: { event: 'signup' } });
+}
+
+// ── Stats written into BodDB ───────────────────────────────────────────────────
+let lastCpuUsage = process.cpuUsage();
+let lastCpuTime = performance.now();
+let lastOsCpus = cpus();
+
+function systemCpuPercent(): number {
+  const cur = cpus();
+  let idleDelta = 0, totalDelta = 0;
+  for (let i = 0; i < cur.length; i++) {
+    const prev = lastOsCpus[i]?.times ?? cur[i].times;
+    const c = cur[i].times;
+    idleDelta += c.idle - prev.idle;
+    totalDelta += (c.user + c.nice + c.sys + c.irq + c.idle) - (prev.user + prev.nice + prev.sys + prev.irq + prev.idle);
+  }
+  lastOsCpus = cur;
+  return totalDelta > 0 ? +((1 - idleDelta / totalDelta) * 100).toFixed(1) : 0;
+}
+
+function publishStats() {
+  if (!db.subs.subscriberCount('_admin')) return;
+  const now = performance.now();
+  const cpu = process.cpuUsage();
+  const elapsedUs = (now - lastCpuTime) * 1000;
+  const cpuPercent = +((cpu.user - lastCpuUsage.user + cpu.system - lastCpuUsage.system) / elapsedUs * 100).toFixed(1);
+  lastCpuUsage = cpu; lastCpuTime = now;
+
+  const mem = process.memoryUsage();
+  const nodeCount = (db.storage.db.query('SELECT COUNT(*) as n FROM nodes WHERE mq_status IS NULL').get() as any).n;
+  let dbSizeMb = 0;
+  try { dbSizeMb = +(statSync(DB_PATH).size / 1024 / 1024).toFixed(2); } catch {}
+
+  db.set('_admin/stats', {
+    process: {
+      cpuPercent,
+      heapUsedMb: +(mem.heapUsed / 1024 / 1024).toFixed(2),
+      rssMb: +(mem.rss / 1024 / 1024).toFixed(2),
+      uptimeSec: Math.floor(process.uptime()),
+    },
+    db: { nodeCount, sizeMb: dbSizeMb },
+    system: { cpuCores: cpus().length, totalMemMb: +(totalmem() / 1024 / 1024).toFixed(0), cpuPercent: systemCpuPercent() },
+    subs: db.subs.subscriberCount(),
+    clients: wsClients.size,
+    ts: Date.now(),
+  });
+}
+
+setInterval(publishStats, 1000);
+publishStats();
+
+// ── Server (WS + REST /db/* + UI) ─────────────────────────────────────────────
+const UI_PATH = join(import.meta.dir, 'ui.html');
+import type { Server, ServerWebSocket } from 'bun';
+import type { ClientMessage } from '../src/shared/protocol.ts';
+import { Errors } from '../src/shared/errors.ts';
+import { normalizePath, reconstruct } from '../src/shared/pathUtils.ts';
+
+interface WsData {
+  auth: Record<string, unknown> | null;
+  valueSubs: Map<string, () => void>;
+  childSubs: Map<string, () => void>;
+  streamSubs: Map<string, () => void>;
+}
+
+const wsClients = new Set<ServerWebSocket<WsData>>();
+const server = Bun.serve({
+  port: PORT,
+  fetch(req, server) {
+    const url = new URL(req.url);
+
+    // WebSocket upgrade (must be before UI/REST handlers)
+    if (req.headers.get('upgrade') === 'websocket') {
+      if (server.upgrade(req, { data: { auth: null, valueSubs: new Map(), childSubs: new Map(), streamSubs: new Map() } as WsData })) return;
+      return new Response('WS upgrade failed', { status: 400 });
+    }
+
+    // Serve UI
+    if (url.pathname === '/' || url.pathname === '/ui.html') {
+      return new Response(Bun.file(UI_PATH));
+    }
+
+    // REST: GET /rules
+    if (req.method === 'GET' && url.pathname === '/rules') {
+      const summary = Object.entries(rules).map(([pattern, rule]) => ({
+        pattern,
+        read: rule.read === undefined ? null : rule.read === false ? false : rule.read === true ? true : rule.read.toString(),
+        write: rule.write === undefined ? null : rule.write === false ? false : rule.write === true ? true : rule.write.toString(),
+      }));
+      return Response.json({ ok: true, rules: summary });
+    }
+
+    // REST: GET /db/<path>?shallow=true — shallow returns only immediate child keys
+    if (req.method === 'GET' && url.pathname.startsWith('/db/')) {
+      const path = normalizePath(url.pathname.slice(4));
+      const shallow = url.searchParams.get('shallow') === 'true';
+
+      if (shallow) {
+        return Response.json({ ok: true, children: db.getShallow(path || undefined) });
+      }
+
+      if (!path) {
+        const rows = db.storage.db.query("SELECT path, value FROM nodes ORDER BY path").all() as Array<{ path: string; value: string }>;
+        const data = rows.length ? reconstruct('', rows) : {};
+        return Response.json({ ok: true, data });
+      }
+      return Response.json({ ok: true, data: db.get(path) });
+    }
+
+    // REST: PUT /db/<path>
+    if (req.method === 'PUT' && url.pathname.startsWith('/db/')) {
+      const path = normalizePath(url.pathname.slice(4));
+      return (async () => {
+        db.set(path, await req.json());
+        return Response.json({ ok: true });
+      })();
+    }
+
+    // REST: DELETE /db/<path>
+    if (req.method === 'DELETE' && url.pathname.startsWith('/db/')) {
+      const path = normalizePath(url.pathname.slice(4));
+      db.delete(path);
+      return Response.json({ ok: true });
+    }
+
+    // REST: POST /transform — apply a transform sentinel
+    if (req.method === 'POST' && url.pathname === '/transform') {
+      return (async () => {
+        const { path, type, value } = await req.json() as { path: string; type: string; value?: unknown };
+        let sentinel: unknown;
+        switch (type) {
+          case 'increment': sentinel = increment(value as number); break;
+          case 'serverTimestamp': sentinel = serverTimestamp(); break;
+          case 'arrayUnion': sentinel = arrayUnion(...(Array.isArray(value) ? value : [value])); break;
+          case 'arrayRemove': sentinel = arrayRemove(...(Array.isArray(value) ? value : [value])); break;
+          default: return Response.json({ ok: false, error: `Unknown transform: ${type}` }, { status: 400 });
+        }
+        db.set(path, sentinel);
+        return Response.json({ ok: true, data: db.get(path) });
+      })();
+    }
+
+    // REST: POST /set-ttl — set a value with TTL
+    if (req.method === 'POST' && url.pathname === '/set-ttl') {
+      return (async () => {
+        const { path, value, ttl } = await req.json() as { path: string; value: unknown; ttl: number };
+        db.set(path, value, { ttl });
+        return Response.json({ ok: true });
+      })();
+    }
+
+    // REST: POST /sweep — manual TTL sweep
+    if (req.method === 'POST' && url.pathname === '/sweep') {
+      const expired = db.sweep();
+      return Response.json({ ok: true, expired });
+    }
+
+    // REST: POST /fts/index — index text for FTS
+    if (req.method === 'POST' && url.pathname === '/fts/index') {
+      return (async () => {
+        const { path, content } = await req.json() as { path: string; content: string };
+        db.index(path, content);
+        return Response.json({ ok: true });
+      })();
+    }
+
+    // REST: GET /fts/search?text=...&path=...&limit=...
+    if (req.method === 'GET' && url.pathname === '/fts/search') {
+      const text = url.searchParams.get('text') ?? '';
+      const pathFilter = url.searchParams.get('path') ?? undefined;
+      const limit = url.searchParams.get('limit') ? Number(url.searchParams.get('limit')) : undefined;
+      const results = db.search({ text, path: pathFilter, limit });
+      return Response.json({ ok: true, data: results });
+    }
+
+    // REST: POST /vectors/store — store an embedding
+    if (req.method === 'POST' && url.pathname === '/vectors/store') {
+      return (async () => {
+        const { path, embedding } = await req.json() as { path: string; embedding: number[] };
+        db.vectors!.store(path, embedding);
+        return Response.json({ ok: true });
+      })();
+    }
+
+    // REST: POST /vectors/search — vector similarity search
+    if (req.method === 'POST' && url.pathname === '/vectors/search') {
+      return (async () => {
+        const { query, path: pathFilter, limit, threshold } = await req.json() as { query: number[]; path?: string; limit?: number; threshold?: number };
+        const results = db.vectorSearch({ query, path: pathFilter, limit, threshold });
+        return Response.json({ ok: true, data: results });
+      })();
+    }
+
+    return new Response('Not found', { status: 404 });
+  },
+  websocket: {
+    open(ws: ServerWebSocket<WsData>) {
+      wsClients.add(ws);
+      console.log(`[WS] client connected (${wsClients.size} total)`);
+    },
+    close(ws: ServerWebSocket<WsData>) {
+      wsClients.delete(ws);
+      const vn = ws.data.valueSubs.size, cn = ws.data.childSubs.size, sn = ws.data.streamSubs.size;
+      for (const off of ws.data.valueSubs.values()) off();
+      for (const off of ws.data.childSubs.values()) off();
+      for (const off of ws.data.streamSubs.values()) off();
+      console.log(`[WS] client disconnected (${wsClients.size} total) — cleaned up ${vn + cn + sn} subs`);
+    },
+    async message(ws: ServerWebSocket<WsData>, raw: string | Buffer) {
+      let msg: ClientMessage;
+      try { msg = JSON.parse(typeof raw === 'string' ? raw : raw.toString()); }
+      catch { ws.send(JSON.stringify({ id: '?', ok: false, error: 'Invalid JSON', code: Errors.INTERNAL })); return; }
+
+      const { id } = msg;
+      const reply = (data: unknown) => ws.send(JSON.stringify({ id, ok: true, data }));
+      const error = (err: string, code: string) => {
+        console.warn(`[WS] error op=${msg.op} — ${err}`);
+        ws.send(JSON.stringify({ id, ok: false, error: err, code }));
+      };
+
+      const checkRule = (op: 'read' | 'write', path: string, newData?: unknown) => {
+        if (!db.rules.check(op, path, ws.data.auth, db.get(path), newData))
+          throw new Error(`Permission denied: ${op} ${path}`);
+      };
+
+      try {
+        switch (msg.op) {
+          case 'auth': {
+            if (ADMIN_TOKEN && msg.token === ADMIN_TOKEN) {
+              ws.data.auth = { role: 'admin' };
+              console.log(`[AUTH] authenticated as admin`);
+              return reply({ role: 'admin' });
+            }
+            if (typeof msg.token === 'string' && msg.token.startsWith('user:')) {
+              const uid = msg.token.slice(5);
+              ws.data.auth = { role: 'user', uid };
+              console.log(`[AUTH] authenticated as user:${uid}`);
+              return reply({ role: 'user', uid });
+            }
+            ws.data.auth = null;
+            return error('Invalid token', Errors.PERMISSION_DENIED);
+          }
+          case 'get': {
+            if (msg.shallow) return reply(db.getShallow(msg.path || undefined));
+            checkRule('read', msg.path); return reply(db.get(msg.path));
+          }
+          case 'set': checkRule('write', msg.path, msg.value); if (!msg.path.startsWith('_admin') && !msg.path.startsWith('stress/')) console.log(`[DB] set ${msg.path}`); db.set(msg.path, msg.value); return reply(null);
+          case 'update': {
+            for (const [p, v] of Object.entries(msg.updates)) checkRule('write', p, v);
+            console.log(`[DB] update ${Object.keys(msg.updates).join(', ')}`); db.update(msg.updates); return reply(null);
+          }
+          case 'delete': checkRule('write', msg.path); console.log(`[DB] delete ${msg.path}`); db.delete(msg.path); return reply(null);
+          case 'query': {
+            let q = db.query(msg.path);
+            if (msg.filters) for (const f of msg.filters) q = q.where(f.field, f.op, f.value);
+            if (msg.order) q = q.order(msg.order.field, msg.order.dir);
+            if (msg.limit) q = q.limit(msg.limit);
+            if (msg.offset) q = q.offset(msg.offset);
+            const result = q.get();
+            console.log(`[DB] query ${msg.path} → ${Array.isArray(result) ? result.length + ' rows' : typeof result}`);
+            return reply(result);
+          }
+          case 'sub': {
+            const key = `${msg.event}:${msg.path}`;
+            if (msg.event === 'value') {
+              if (ws.data.valueSubs.has(key)) return reply(null);
+              const off = db.on(msg.path, (snap) => ws.send(JSON.stringify({ type: 'value', path: snap.path, data: snap.val() })));
+              ws.data.valueSubs.set(key, off);
+            } else if (msg.event === 'child') {
+              if (ws.data.childSubs.has(key)) return reply(null);
+              const off = db.onChild(msg.path, (ev) => ws.send(JSON.stringify({ type: 'child', path: msg.path, key: ev.key, data: ev.val(), event: ev.type })));
+              ws.data.childSubs.set(key, off);
+            }
+            if (!msg.path.startsWith('_admin')) console.log(`[SUB] +${msg.event} ${msg.path}`);
+            return reply(null);
+          }
+          case 'unsub': {
+            const key = `${msg.event}:${msg.path}`;
+            if (msg.event === 'value') { ws.data.valueSubs.get(key)?.(); ws.data.valueSubs.delete(key); }
+            else { ws.data.childSubs.get(key)?.(); ws.data.childSubs.delete(key); }
+            if (!msg.path.startsWith('_admin')) console.log(`[SUB] -${msg.event} ${msg.path}`);
+            return reply(null);
+          }
+          case 'batch': {
+            const results: unknown[] = [];
+            db.transaction((tx) => {
+              for (const batchOp of msg.operations) {
+                switch (batchOp.op) {
+                  case 'set': checkRule('write', batchOp.path, batchOp.value); tx.set(batchOp.path, batchOp.value); break;
+                  case 'update':
+                    for (const p of Object.keys(batchOp.updates)) checkRule('write', p);
+                    tx.update(batchOp.updates); break;
+                  case 'delete': checkRule('write', batchOp.path); tx.delete(batchOp.path); break;
+                  case 'push': {
+                    checkRule('write', batchOp.path);
+                    const key = db.push(batchOp.path, batchOp.value);
+                    results.push(key);
+                    break;
+                  }
+                }
+              }
+            });
+            console.log(`[DB] batch ${msg.operations.length} ops`);
+            return reply(results.length ? results : null);
+          }
+          case 'push': {
+            checkRule('write', msg.path);
+            const key = db.push(msg.path, msg.value, (msg as any).idempotencyKey ? { idempotencyKey: (msg as any).idempotencyKey } : undefined);
+            console.log(`[DB] push ${msg.path} → ${key}`);
+            return reply(key);
+          }
+          case 'stream-read': {
+            const { path: srPath, groupId, limit: srLimit } = msg as any;
+            const events = db.stream.read(srPath, groupId, srLimit);
+            console.log(`[STREAM] read ${srPath}:${groupId} → ${events.length} events`);
+            return reply(events);
+          }
+          case 'stream-ack': {
+            const { path: saPath, groupId: saGroup, key: saKey } = msg as any;
+            db.stream.ack(saPath, saGroup, saKey);
+            console.log(`[STREAM] ack ${saPath}:${saGroup} → ${saKey}`);
+            return reply(null);
+          }
+          case 'stream-sub': {
+            const { path: ssPath, groupId: ssGroup } = msg as any;
+            const streamKey = `${ssPath}:${ssGroup}`;
+            ws.data.streamSubs.get(streamKey)?.();
+            const unsub = db.stream.subscribe(ssPath, ssGroup, (events) => {
+              ws.send(JSON.stringify({ type: 'stream', path: ssPath, groupId: ssGroup, events }));
+            });
+            ws.data.streamSubs.set(streamKey, unsub);
+            console.log(`[STREAM] +sub ${ssPath}:${ssGroup}`);
+            return reply(null);
+          }
+          case 'stream-unsub': {
+            const { path: suPath, groupId: suGroup } = msg as any;
+            const suKey = `${suPath}:${suGroup}`;
+            ws.data.streamSubs.get(suKey)?.();
+            ws.data.streamSubs.delete(suKey);
+            console.log(`[STREAM] -sub ${suPath}:${suGroup}`);
+            return reply(null);
+          }
+          case 'stream-compact': {
+            const { path: scPath, maxAge, maxCount, keepKey } = msg as any;
+            const opts: Record<string, unknown> = {};
+            if (maxAge != null) opts.maxAge = maxAge;
+            if (maxCount != null) opts.maxCount = maxCount;
+            if (keepKey) opts.keepKey = keepKey;
+            const result = db.stream.compact(scPath, opts as any);
+            console.log(`[STREAM] compact ${scPath} → deleted ${result.deleted}, snapshot ${result.snapshotSize} keys`);
+            return reply(result);
+          }
+          case 'stream-reset': {
+            const { path: srPath } = msg as any;
+            db.stream.reset(srPath);
+            console.log(`[STREAM] reset ${srPath}`);
+            return reply(null);
+          }
+          case 'stream-snapshot': {
+            const { path: snPath } = msg as any;
+            const snap = db.stream.snapshot(snPath);
+            return reply(snap);
+          }
+          case 'stream-materialize': {
+            const { path: smPath, keepKey: smKey } = msg as any;
+            const view = db.stream.materialize(smPath, smKey ? { keepKey: smKey } : undefined);
+            return reply(view);
+          }
+          // Admin-specific ops
+          case 'transform': {
+            const { path: tPath, type, value: tVal } = msg as any;
+            let sentinel: unknown;
+            switch (type) {
+              case 'increment': sentinel = increment(tVal as number); break;
+              case 'serverTimestamp': sentinel = serverTimestamp(); break;
+              case 'arrayUnion': sentinel = arrayUnion(...(Array.isArray(tVal) ? tVal : [tVal])); break;
+              case 'arrayRemove': sentinel = arrayRemove(...(Array.isArray(tVal) ? tVal : [tVal])); break;
+              default: return error(`Unknown transform: ${type}`, Errors.INTERNAL);
+            }
+            db.set(tPath, sentinel);
+            return reply(db.get(tPath));
+          }
+          case 'set-ttl': {
+            const { path: ttlPath, value: ttlVal, ttl } = msg as any;
+            db.set(ttlPath, ttlVal, { ttl });
+            return reply(null);
+          }
+          case 'sweep': {
+            const expired = db.sweep();
+            return reply(expired);
+          }
+          case 'fts-index': {
+            const { path: fPath, content } = msg as any;
+            db.index(fPath, content);
+            db.set(`_fts/${fPath.replace(/\//g, '_')}`, { path: fPath, content, indexedAt: Date.now() });
+            return reply(null);
+          }
+          case 'fts-search': {
+            const { text, path: fPrefix, limit: fLimit } = msg as any;
+            return reply(db.search({ text, path: fPrefix, limit: fLimit }));
+          }
+          case 'vec-store': {
+            const { path: vPath, embedding } = msg as any;
+            db.vectors!.store(vPath, embedding);
+            db.set(`_vectors/${vPath.replace(/\//g, '_')}`, { path: vPath, dimensions: embedding.length, storedAt: Date.now() });
+            return reply(null);
+          }
+          case 'vec-search': {
+            const { query: vQuery, path: vPrefix, limit: vLimit, threshold } = msg as any;
+            return reply(db.vectorSearch({ query: vQuery, path: vPrefix, limit: vLimit, threshold }));
+          }
+          // MQ ops
+          case 'mq-push': {
+            const { path: mqPath, value: mqVal, idempotencyKey: mqIdem } = msg as any;
+            const mqKey = db.mq.push(mqPath, mqVal, mqIdem ? { idempotencyKey: mqIdem } : undefined);
+            console.log(`[MQ] push ${mqPath} → ${mqKey}`);
+            return reply(mqKey);
+          }
+          case 'mq-fetch': {
+            const { path: mqfPath, count: mqfCount } = msg as any;
+            const msgs = db.mq.fetch(mqfPath, mqfCount);
+            console.log(`[MQ] fetch ${mqfPath} → ${msgs.length} msgs`);
+            return reply(msgs);
+          }
+          case 'mq-ack': {
+            const { path: mqaPath, key: mqaKey } = msg as any;
+            db.mq.ack(mqaPath, mqaKey);
+            console.log(`[MQ] ack ${mqaPath}/${mqaKey}`);
+            return reply(null);
+          }
+          case 'mq-nack': {
+            const { path: mqnPath, key: mqnKey } = msg as any;
+            db.mq.nack(mqnPath, mqnKey);
+            console.log(`[MQ] nack ${mqnPath}/${mqnKey}`);
+            return reply(null);
+          }
+          case 'mq-peek': {
+            const { path: mqpPath, count: mqpCount } = msg as any;
+            const peeked = db.mq.peek(mqpPath, mqpCount);
+            console.log(`[MQ] peek ${mqpPath} → ${peeked.length} msgs`);
+            return reply(peeked);
+          }
+          case 'mq-dlq': {
+            const { path: mqdPath } = msg as any;
+            const dlqMsgs = db.mq.dlq(mqdPath);
+            console.log(`[MQ] dlq ${mqdPath} → ${dlqMsgs.length} msgs`);
+            return reply(dlqMsgs);
+          }
+          case 'mq-purge': {
+            const { path: mqpurgePath, all: mqpurgeAll } = msg as any;
+            const purged = db.mq.purge(mqpurgePath, { all: mqpurgeAll });
+            console.log(`[MQ] purge ${mqpurgePath} → ${purged} deleted`);
+            return reply(purged);
+          }
+          case 'get-rules': {
+            const summary = Object.entries(rules).map(([pattern, rule]) => ({
+              pattern,
+              read: rule.read === undefined ? null : rule.read === false ? false : rule.read === true ? true : rule.read.toString(),
+              write: rule.write === undefined ? null : rule.write === false ? false : rule.write === true ? true : rule.write.toString(),
+            }));
+            return reply(summary);
+          }
+          default: return error('Unknown op', Errors.INTERNAL);
+        }
+      } catch (e: unknown) {
+        return error(e instanceof Error ? e.message : 'Internal error', Errors.INTERNAL);
+      }
+    },
+  },
+});
+
+console.log(`BodDB Admin UI → http://localhost:${server.port}`);
+if (ADMIN_TOKEN) console.log(`Auth: ADMIN_TOKEN set — use "user:<uid>" for user tokens`);
+else console.log(`Auth: ADMIN_TOKEN not set — admin auth disabled, user:<uid> tokens still work`);