@chimerai/cli 0.2.73

package/dist/templates/api-routes.js

@@ -0,0 +1,1219 @@
+"use strict";
+/**
+ * API route templates for admin and provider management
+ * Generates CRUD endpoints for users, roles, and model providers
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.generateAdminUsersRoute = generateAdminUsersRoute;
+exports.generateAdminUsersIdRoute = generateAdminUsersIdRoute;
+exports.generateAdminRolesRoute = generateAdminRolesRoute;
+exports.generateAdminRolesIdRoute = generateAdminRolesIdRoute;
+exports.generateProvidersRoute = generateProvidersRoute;
+exports.generatePromptsRoute = generatePromptsRoute;
+exports.generatePromptsIdRoute = generatePromptsIdRoute;
+exports.generatePromptsSetDefaultRoute = generatePromptsSetDefaultRoute;
+exports.generateHealthRoute = generateHealthRoute;
+exports.generateModelsRoute = generateModelsRoute;
+exports.generateV1ModelsRoute = generateV1ModelsRoute;
+exports.generateAuditLogRoute = generateAuditLogRoute;
+exports.generateGdprDataExportRoute = generateGdprDataExportRoute;
+exports.generateGdprAccountDeleteRoute = generateGdprAccountDeleteRoute;
+exports.generateAdminSettingsRoute = generateAdminSettingsRoute;
+exports.generateAppSettingsRoute = generateAppSettingsRoute;
+/**
+ * Generates the admin users API route (GET, POST)
+ * GET: Lists all users with permission check
+ * POST: Creates new user with password hashing
+ * @returns TypeScript content for app/api/admin/users/route.ts
+ */
+function generateAdminUsersRoute() {
+    return `// @chimerai component=AdminUsersRoute version=1.0
+// @ts-nocheck
+import { NextRequest, NextResponse } from 'next/server';
+import { prisma } from '@/lib/prisma';
+import bcrypt from 'bcryptjs';
+import { requirePermission } from '@/lib/auth/require-permission';
+import { logAuditAction } from '@/lib/audit';
+import { getServerSession } from 'next-auth';
+import { authOptions } from '@/lib/auth';
+
+export async function GET(req: NextRequest) {
+  const permissionError = await requirePermission('users:read');
+  if (permissionError) return permissionError;
+
+  try {
+    const users = await prisma.user.findMany({
+      select: {
+        id: true,
+        email: true,
+        name: true,
+        image: true,
+        emailVerified: true,
+        createdAt: true,
+        roles: {
+          select: {
+            role: {
+              select: { id: true, name: true }
+            }
+          }
+        }
+      },
+      orderBy: { email: 'asc' }
+    });
+
+    // Flatten roles for easier frontend consumption
+    const usersWithRoles = users.map(u => ({
+      ...u,
+      roles: u.roles.map((r: any) => r.role),
+    }));
+
+    return NextResponse.json(usersWithRoles);
+  } catch (error) {
+    console.error('GET /api/admin/users error:', error);
+    return NextResponse.json({ error: 'Failed to fetch users' }, { status: 500 });
+  }
+}
+
+export async function POST(req: NextRequest) {
+  const permissionError = await requirePermission('users:write');
+  if (permissionError) return permissionError;
+
+  try {
+    const body = await req.json();
+    const { email, name, password, roleIds } = body;
+
+    if (!email || !password) {
+      return NextResponse.json({ error: 'Email and password required' }, { status: 400 });
+    }
+
+    const hashedPassword = await bcrypt.hash(password, 10);
+
+    const user = await prisma.user.create({
+      data: {
+        email,
+        name: name || null,
+        password: hashedPassword
+      }
+    });
+
+    // Assign roles if provided
+    if (Array.isArray(roleIds) && roleIds.length > 0) {
+      await prisma.userRole.createMany({
+        data: roleIds.map((roleId: string) => ({
+          userId: user.id,
+          roleId,
+        })),
+        skipDuplicates: true,
+      });
+    }
+
+    // Audit log
+    const session = await getServerSession(authOptions);
+    if (session?.user?.id) {
+      await logAuditAction({
+        action: 'user.create',
+        userId: session.user.id,
+        targetType: 'user',
+        targetId: user.id,
+        metadata: { email: user.email, name: user.name },
+      });
+    }
+
+    return NextResponse.json({ id: user.id, email: user.email, name: user.name });
+  } catch (error) {
+    console.error('POST /api/admin/users error:', error);
+    return NextResponse.json({
+      error: 'Failed to create user',
+      details: error instanceof Error ? error.message : String(error)
+    }, { status: 500 });
+  }
+}
+`;
+}
+/**
+ * Generates the admin users/:id API route (PUT, DELETE)
+ * PUT: Updates user email and name
+ * DELETE: Deletes user by ID
+ * @returns TypeScript content for app/api/admin/users/[id]/route.ts
+ */
+function generateAdminUsersIdRoute() {
+    return `// @chimerai component=AdminUsersIdRoute version=1.0
+// @ts-nocheck
+import { NextRequest, NextResponse } from 'next/server';
+import { prisma } from '@/lib/prisma';
+import { requirePermission } from '@/lib/auth/require-permission';
+import { logAuditAction } from '@/lib/audit';
+import { getServerSession } from 'next-auth';
+import { authOptions } from '@/lib/auth';
+
+export async function PATCH(
+  req: NextRequest,
+  { params }: { params: Promise<{ id: string }> }
+) {
+  const { id } = await params;
+  const permissionError = await requirePermission('users:write');
+  if (permissionError) return permissionError;
+
+  try {
+    const body = await req.json();
+    const { email, name, roleIds } = body;
+
+    const user = await prisma.user.update({
+      where: { id: id },
+      data: {
+        email,
+        name: name || null
+      }
+    });
+
+    // Sync roles if provided
+    if (Array.isArray(roleIds)) {
+      await prisma.userRole.deleteMany({ where: { userId: id } });
+      if (roleIds.length > 0) {
+        await prisma.userRole.createMany({
+          data: roleIds.map((roleId: string) => ({
+            userId: id,
+            roleId,
+          })),
+          skipDuplicates: true,
+        });
+      }
+    }
+
+    // Audit log
+    const session = await getServerSession(authOptions);
+    if (session?.user?.id) {
+      await logAuditAction({
+        action: 'user.update',
+        userId: session.user.id,
+        targetType: 'user',
+        targetId: id,
+        metadata: { email, name },
+      });
+    }
+
+    return NextResponse.json({ id: user.id, email: user.email, name: user.name });
+  } catch (error) {
+    console.error('PUT /api/admin/users/[id] error:', error);
+    return NextResponse.json({
+      error: 'Failed to update user',
+      details: error instanceof Error ? error.message : String(error)
+    }, { status: 500 });
+  }
+}
+
+export async function DELETE(
+  req: NextRequest,
+  { params }: { params: Promise<{ id: string }> }
+) {
+  const { id } = await params;
+  const permissionError = await requirePermission('users:delete');
+  if (permissionError) return permissionError;
+
+  try {
+    await prisma.user.delete({
+      where: { id: id }
+    });
+
+    // Audit log
+    const session = await getServerSession(authOptions);
+    if (session?.user?.id) {
+      await logAuditAction({
+        action: 'user.delete',
+        userId: session.user.id,
+        targetType: 'user',
+        targetId: id,
+      });
+    }
+
+    return NextResponse.json({ success: true });
+  } catch (error) {
+    console.error('DELETE /api/admin/users/[id] error:', error);
+    return NextResponse.json({
+      error: 'Failed to delete user',
+      details: error instanceof Error ? error.message : String(error)
+    }, { status: 500 });
+  }
+}
+`;
+}
+/**
+ * Generates the admin roles API route (GET, POST)
+ * GET: Lists all roles with permission check
+ * POST: Creates new role with permissions array
+ * @returns TypeScript content for app/api/admin/roles/route.ts
+ */
+function generateAdminRolesRoute() {
+    return `// @chimerai component=AdminRolesRoute version=1.0
+import { NextRequest, NextResponse } from 'next/server';
+import { prisma } from '@/lib/prisma';
+import { requirePermission } from '@/lib/auth/require-permission';
+import { logAuditAction } from '@/lib/audit';
+import { getServerSession } from 'next-auth';
+import { authOptions } from '@/lib/auth';
+
+export async function GET(req: NextRequest) {
+  const permissionError = await requirePermission('roles:read');
+  if (permissionError) return permissionError;
+
+  try {
+    const roles = await prisma.role.findMany({
+      orderBy: { name: 'asc' }
+    });
+
+    return NextResponse.json(roles);
+  } catch (error) {
+    console.error('GET /api/admin/roles error:', error);
+    return NextResponse.json({ error: 'Failed to fetch roles' }, { status: 500 });
+  }
+}
+
+export async function POST(req: NextRequest) {
+  const permissionError = await requirePermission('roles:write');
+  if (permissionError) return permissionError;
+
+  try {
+    const body = await req.json();
+    const { name, description, permissions } = body;
+
+    if (!name) {
+      return NextResponse.json({ error: 'Name required' }, { status: 400 });
+    }
+
+    const role = await prisma.role.create({
+      data: {
+        name,
+        description: description || null,
+        permissions: permissions || []
+      }
+    });
+
+    // Audit log
+    const session = await getServerSession(authOptions);
+    if (session?.user?.id) {
+      await logAuditAction({
+        action: 'role.create',
+        userId: session.user.id,
+        targetType: 'role',
+        targetId: role.id,
+        metadata: { name: role.name },
+      });
+    }
+
+    return NextResponse.json(role);
+  } catch (error) {
+    console.error('POST /api/admin/roles error:', error);
+    return NextResponse.json({
+      error: 'Failed to create role',
+      details: error instanceof Error ? error.message : String(error)
+    }, { status: 500 });
+  }
+}
+`;
+}
+/**
+ * Generates the admin roles/:id API route (PUT, DELETE)
+ * PUT: Updates role name, description, and permissions
+ * DELETE: Deletes role by ID
+ * @returns TypeScript content for app/api/admin/roles/[id]/route.ts
+ */
+function generateAdminRolesIdRoute() {
+    return `// @chimerai component=AdminRolesIdRoute version=1.0
+import { NextRequest, NextResponse } from 'next/server';
+import { prisma } from '@/lib/prisma';
+import { requirePermission } from '@/lib/auth/require-permission';
+import { logAuditAction } from '@/lib/audit';
+import { getServerSession } from 'next-auth';
+import { authOptions } from '@/lib/auth';
+
+export async function PUT(
+  req: NextRequest,
+  { params }: { params: Promise<{ id: string }> }
+) {
+  const { id } = await params;
+  const permissionError = await requirePermission('roles:write');
+  if (permissionError) return permissionError;
+
+  try {
+    const body = await req.json();
+    const { name, description, permissions } = body;
+
+    const role = await prisma.role.update({
+      where: { id: id },
+      data: {
+        name,
+        description: description || null,
+        permissions: permissions || []
+      }
+    });
+
+    // Audit log
+    const session = await getServerSession(authOptions);
+    if (session?.user?.id) {
+      await logAuditAction({
+        action: 'role.update',
+        userId: session.user.id,
+        targetType: 'role',
+        targetId: role.id,
+        metadata: { name: role.name },
+      });
+    }
+
+    return NextResponse.json(role);
+  } catch (error) {
+    console.error('PUT /api/admin/roles/[id] error:', error);
+    return NextResponse.json({
+      error: 'Failed to update role',
+      details: error instanceof Error ? error.message : String(error)
+    }, { status: 500 });
+  }
+}
+
+export async function DELETE(
+  req: NextRequest,
+  { params }: { params: Promise<{ id: string }> }
+) {
+  const { id } = await params;
+  const permissionError = await requirePermission('roles:delete');
+  if (permissionError) return permissionError;
+
+  try {
+    await prisma.role.delete({
+      where: { id: id }
+    });
+
+    // Audit log
+    const session = await getServerSession(authOptions);
+    if (session?.user?.id) {
+      await logAuditAction({
+        action: 'role.delete',
+        userId: session.user.id,
+        targetType: 'role',
+        targetId: id,
+      });
+    }
+
+    return NextResponse.json({ success: true });
+  } catch (error) {
+    console.error('DELETE /api/admin/roles/[id] error:', error);
+    return NextResponse.json({
+      error: 'Failed to delete role',
+      details: error instanceof Error ? error.message : String(error)
+    }, { status: 500 });
+  }
+}
+`;
+}
+/**
+ * Generates the model providers API route (GET, POST, PUT, DELETE)
+ * Handles CRUD for AI model provider configurations
+ * Includes API key encryption/decryption for security
+ * @returns TypeScript content for app/api/providers/route.ts
+ */
+function generateProvidersRoute() {
+    return `// @chimerai component=ProvidersRoute version=1.0
+// Model Providers API Route
+import { NextRequest, NextResponse } from 'next/server';
+import { getServerSession } from 'next-auth';
+import { authOptions } from '@/lib/auth';
+import { prisma } from '@/lib/prisma';
+import { encrypt, decrypt } from '@/lib/encryption';
+
+export async function GET(req: NextRequest) {
+  const session = await getServerSession(authOptions);
+
+  if (!session?.user?.id) {
+    return NextResponse.json({ error: 'Unauthorized' }, { status: 401 });
+  }
+
+  try {
+    const providers = await prisma.modelProvider.findMany({
+      where: { userId: session.user.id },
+      orderBy: { createdAt: 'desc' },
+    });
+
+    const decryptedProviders = providers.map((p) => ({
+      ...p,
+      apiKey: p.apiKey ? decrypt(p.apiKey) : undefined,
+    }));
+
+    return NextResponse.json(decryptedProviders);
+  } catch (error: any) {
+    console.error('Error fetching providers:', error);
+    return NextResponse.json({ error: 'Failed to fetch providers' }, { status: 500 });
+  }
+}
+
+export async function POST(req: NextRequest) {
+  const session = await getServerSession(authOptions);
+
+  if (!session?.user?.id) {
+    return NextResponse.json({ error: 'Unauthorized' }, { status: 401 });
+  }
+
+  try {
+    const body = await req.json();
+    const encryptedKey = body.apiKey ? encrypt(body.apiKey) : undefined;
+
+    const provider = await prisma.modelProvider.create({
+      data: {
+        ...body,
+        apiKey: encryptedKey,
+        userId: session.user.id,
+      },
+    });
+
+    return NextResponse.json(provider, { status: 201 });
+  } catch (error: any) {
+    console.error('Error creating provider:', error);
+    return NextResponse.json({ error: 'Failed to create provider' }, { status: 500 });
+  }
+}
+
+export async function PUT(req: NextRequest) {
+  const session = await getServerSession(authOptions);
+
+  if (!session?.user?.id) {
+    return NextResponse.json({ error: 'Unauthorized' }, { status: 401 });
+  }
+
+  try {
+    const body = await req.json();
+    const { id, apiKey, ...updateData } = body;
+
+    const encryptedKey = apiKey ? encrypt(apiKey) : undefined;
+
+    const provider = await prisma.modelProvider.update({
+      where: {
+        id,
+        userId: session.user.id,
+      },
+      data: {
+        ...updateData,
+        ...(encryptedKey && { apiKey: encryptedKey }),
+      },
+    });
+
+    return NextResponse.json(provider);
+  } catch (error: any) {
+    console.error('Error updating provider:', error);
+    return NextResponse.json({ error: 'Failed to update provider' }, { status: 500 });
+  }
+}
+
+export async function DELETE(req: NextRequest) {
+  const session = await getServerSession(authOptions);
+
+  if (!session?.user?.id) {
+    return NextResponse.json({ error: 'Unauthorized' }, { status: 401 });
+  }
+
+  try {
+    const body = await req.json();
+    const { id } = body;
+
+    await prisma.modelProvider.delete({
+      where: {
+        id,
+        userId: session.user.id,
+      },
+    });
+
+    return NextResponse.json({ success: true });
+  } catch (error: any) {
+    console.error('Error deleting provider:', error);
+    return NextResponse.json({ error: 'Failed to delete provider' }, { status: 500 });
+  }
+}
+`;
+}
+/**
+ * Generates the prompt templates API route (GET, POST)
+ * v2: JSON serialization fix, user scoping, auto-extract variables
+ * @returns TypeScript content for app/api/prompts/route.ts
+ */
+function generatePromptsRoute() {
+    return `// @chimerai component=PromptsRoute version=2.0
+import { NextRequest, NextResponse } from 'next/server';
+import { getServerSession } from 'next-auth';
+import { authOptions } from '@/lib/auth';
+import { prisma } from '@/lib/prisma';
+
+/** Parse JSON string fields (variables, tags) from SQLite storage back to arrays */
+function parseTemplate(t: any) {
+  return {
+    ...t,
+    variables: (() => { try { return JSON.parse(t.variables || '[]'); } catch { return []; } })(),
+    tags: (() => { try { return JSON.parse(t.tags || '[]'); } catch { return []; } })(),
+  };
+}
+
+/** Auto-extract {{variable}} names from template content */
+function extractVariables(content: string): string[] {
+  const matches = content.match(/{{(\\w+)}}/g) || [];
+  return [...new Set(matches.map((m: string) => m.replace(/{{|}}/g, '')))];
+}
+
+export async function GET(req: NextRequest) {
+  const session = await getServerSession(authOptions);
+  if (!session?.user?.id) {
+    return NextResponse.json({ error: 'Unauthorized' }, { status: 401 });
+  }
+
+  try {
+    const { searchParams } = new URL(req.url);
+    const category = searchParams.get('category');
+    const search = searchParams.get('search');
+
+    // User sees their own templates + system/seed templates (createdBy: null)
+    const andClauses: any[] = [
+      {
+        OR: [
+          { createdBy: session.user.id },
+          { createdBy: null },
+        ],
+      },
+    ];
+    if (category && category !== 'all') {
+      andClauses.push({ category });
+    }
+    if (search) {
+      andClauses.push({
+        OR: [
+          { name: { contains: search } },
+          { description: { contains: search } },
+        ],
+      });
+    }
+
+    const raw = await prisma.promptTemplate.findMany({
+      where: { AND: andClauses },
+      orderBy: [{ isDefault: 'desc' }, { updatedAt: 'desc' }],
+    });
+
+    return NextResponse.json(raw.map(parseTemplate));
+  } catch (error: any) {
+    console.error('Error fetching prompts:', error);
+    return NextResponse.json({ error: 'Failed to fetch prompts' }, { status: 500 });
+  }
+}
+
+export async function POST(req: NextRequest) {
+  const session = await getServerSession(authOptions);
+  if (!session?.user?.id) {
+    return NextResponse.json({ error: 'Unauthorized' }, { status: 401 });
+  }
+
+  try {
+    const body = await req.json();
+
+    const template = await prisma.promptTemplate.create({
+      data: {
+        name: body.name,
+        category: body.category,
+        description: body.description || null,
+        content: body.content,
+        variables: JSON.stringify(extractVariables(body.content || '')),
+        language: body.language || 'en',
+        tags: JSON.stringify(body.tags || []),
+        createdBy: session.user.id,
+      },
+    });
+
+    return NextResponse.json(parseTemplate(template), { status: 201 });
+  } catch (error: any) {
+    console.error('Error creating prompt:', error);
+    if (error.code === 'P2002') {
+      return NextResponse.json({ error: 'A prompt with this name already exists' }, { status: 409 });
+    }
+    return NextResponse.json({ error: 'Failed to create prompt' }, { status: 500 });
+  }
+}
+`;
+}
+/**
+ * Generates the prompt templates ID API route (GET, PUT, DELETE)
+ * v2: JSON serialization fix, ownership checks (user can only edit/delete own templates)
+ * @returns TypeScript content for app/api/prompts/[id]/route.ts
+ */
+function generatePromptsIdRoute() {
+    return `// @chimerai component=PromptsIdRoute version=2.0
+import { NextRequest, NextResponse } from 'next/server';
+import { getServerSession } from 'next-auth';
+import { authOptions } from '@/lib/auth';
+import { prisma } from '@/lib/prisma';
+
+function parseTemplate(t: any) {
+  return {
+    ...t,
+    variables: (() => { try { return JSON.parse(t.variables || '[]'); } catch { return []; } })(),
+    tags: (() => { try { return JSON.parse(t.tags || '[]'); } catch { return []; } })(),
+  };
+}
+
+function extractVariables(content: string): string[] {
+  const matches = content.match(/{{(\\w+)}}/g) || [];
+  return [...new Set(matches.map((m: string) => m.replace(/{{|}}/g, '')))];
+}
+
+export async function GET(
+  req: NextRequest,
+  { params }: { params: Promise<{ id: string }> }
+) {
+  const { id } = await params;
+  const session = await getServerSession(authOptions);
+  if (!session?.user?.id) {
+    return NextResponse.json({ error: 'Unauthorized' }, { status: 401 });
+  }
+
+  try {
+    const template = await prisma.promptTemplate.findFirst({
+      where: {
+        id,
+        OR: [{ createdBy: session.user.id }, { createdBy: null }],
+      },
+    });
+    if (!template) {
+      return NextResponse.json({ error: 'Prompt not found' }, { status: 404 });
+    }
+    return NextResponse.json(parseTemplate(template));
+  } catch (error: any) {
+    console.error('Error fetching prompt:', error);
+    return NextResponse.json({ error: 'Failed to fetch prompt' }, { status: 500 });
+  }
+}
+
+export async function PUT(
+  req: NextRequest,
+  { params }: { params: Promise<{ id: string }> }
+) {
+  const { id } = await params;
+  const session = await getServerSession(authOptions);
+  if (!session?.user?.id) {
+    return NextResponse.json({ error: 'Unauthorized' }, { status: 401 });
+  }
+
+  try {
+    const body = await req.json();
+
+    // Ownership check — only the creator can edit (system templates have createdBy: null)
+    const existing = await prisma.promptTemplate.findFirst({
+      where: { id, createdBy: session.user.id },
+    });
+    if (!existing) {
+      return NextResponse.json({ error: 'Not found or not authorized' }, { status: 404 });
+    }
+
+    const template = await prisma.promptTemplate.update({
+      where: { id },
+      data: {
+        name: body.name,
+        category: body.category,
+        description: body.description ?? null,
+        content: body.content,
+        variables: JSON.stringify(extractVariables(body.content || '')),
+        language: body.language,
+        tags: JSON.stringify(body.tags || []),
+        version: { increment: 1 },
+      },
+    });
+
+    return NextResponse.json(parseTemplate(template));
+  } catch (error: any) {
+    console.error('Error updating prompt:', error);
+    if (error.code === 'P2025') {
+      return NextResponse.json({ error: 'Prompt not found' }, { status: 404 });
+    }
+    return NextResponse.json({ error: 'Failed to update prompt' }, { status: 500 });
+  }
+}
+
+export async function DELETE(
+  req: NextRequest,
+  { params }: { params: Promise<{ id: string }> }
+) {
+  const { id } = await params;
+  const session = await getServerSession(authOptions);
+  if (!session?.user?.id) {
+    return NextResponse.json({ error: 'Unauthorized' }, { status: 401 });
+  }
+
+  try {
+    // Only the creator can delete — system templates (createdBy: null) are protected
+    const existing = await prisma.promptTemplate.findFirst({
+      where: { id, createdBy: session.user.id },
+    });
+    if (!existing) {
+      return NextResponse.json({ error: 'Not found or not authorized' }, { status: 404 });
+    }
+
+    await prisma.promptTemplate.delete({ where: { id } });
+    return NextResponse.json({ success: true });
+  } catch (error: any) {
+    console.error('Error deleting prompt:', error);
+    if (error.code === 'P2025') {
+      return NextResponse.json({ error: 'Prompt not found' }, { status: 404 });
+    }
+    return NextResponse.json({ error: 'Failed to delete prompt' }, { status: 500 });
+  }
+}
+`;
+}
+/**
+ * Generates the set-default route for prompt templates
+ * POST /api/prompts/[id]/set-default — atomically sets one template as default for its category
+ * @returns TypeScript content for app/api/prompts/[id]/set-default/route.ts
+ */
+function generatePromptsSetDefaultRoute() {
+    return `// @chimerai component=PromptsSetDefaultRoute version=1.0
+import { NextRequest, NextResponse } from 'next/server';
+import { getServerSession } from 'next-auth';
+import { authOptions } from '@/lib/auth';
+import { prisma } from '@/lib/prisma';
+
+export async function POST(
+  req: NextRequest,
+  { params }: { params: Promise<{ id: string }> }
+) {
+  const { id } = await params;
+  const session = await getServerSession(authOptions);
+  if (!session?.user?.id) {
+    return NextResponse.json({ error: 'Unauthorized' }, { status: 401 });
+  }
+
+  try {
+    // Find the template (user's own OR system template)
+    const template = await prisma.promptTemplate.findFirst({
+      where: {
+        id,
+        OR: [{ createdBy: session.user.id }, { createdBy: null }],
+      },
+    });
+    if (!template) {
+      return NextResponse.json({ error: 'Prompt not found' }, { status: 404 });
+    }
+
+    // Atomically: unset all defaults in this category, then set this one
+    await prisma.$transaction([
+      prisma.promptTemplate.updateMany({
+        where: { category: template.category, isDefault: true },
+        data: { isDefault: false },
+      }),
+      prisma.promptTemplate.update({
+        where: { id },
+        data: { isDefault: true },
+      }),
+    ]);
+
+    return NextResponse.json({ success: true });
+  } catch (error: any) {
+    console.error('Error setting default prompt:', error);
+    return NextResponse.json({ error: 'Failed to set default prompt' }, { status: 500 });
+  }
+}
+`;
+}
+/**
+ * Generates the /api/health endpoint for Docker healthchecks
+ * Returns a simple JSON status response
+ * @returns TypeScript content for app/api/health/route.ts
+ */
+function generateHealthRoute() {
+    return `// @chimerai component=HealthRoute version=1.0
+import { NextResponse } from 'next/server';
+
+export async function GET() {
+  return NextResponse.json({ status: 'ok', timestamp: new Date().toISOString() });
+}
+`;
+}
+/**
+ * Generates the /api/models endpoint.
+ * Lists all models from active providers for the chat ModelSelector.
+ * @returns TypeScript content for app/api/models/route.ts
+ */
+function generateModelsRoute() {
+    return `// @chimerai component=ModelsRoute version=1.0
+import { NextResponse } from 'next/server';
+import { getServerSession } from 'next-auth';
+import { authOptions } from '@/lib/auth';
+import { prisma } from '@/lib/prisma';
+
+export async function GET() {
+  const session = await getServerSession(authOptions);
+  if (!session?.user) {
+    return NextResponse.json({ error: 'Unauthorized' }, { status: 401 });
+  }
+
+  try {
+    const models = await (prisma as any).model.findMany({
+      where: {
+        provider: {
+          status: 'active',
+        },
+      },
+      include: {
+        provider: {
+          select: {
+            id: true,
+            name: true,
+            type: true,
+          },
+        },
+      },
+      orderBy: [
+        { provider: { priority: 'asc' } },
+        { name: 'asc' },
+      ],
+    });
+
+    // Filter to chat-capable models only (exclude embedding-only models)
+    const chatModels = models.filter((m: any) => {
+      const caps = Array.isArray(m.capabilities)
+        ? m.capabilities
+        : (() => { try { return JSON.parse(m.capabilities || '[]'); } catch { return []; } })();
+      return caps.includes('chat') || caps.includes('vision') || caps.length === 0;
+    });
+
+    const result = chatModels.map((m: any) => ({
+      id: m.id,
+      modelId: m.modelId,
+      name: m.name,
+      providerId: m.providerId,
+      providerType: m.provider.type,
+      contextWindow: m.contextWindow || 0,
+      inputCost: m.inputCost || 0,
+      outputCost: m.outputCost || 0,
+      capabilities: m.capabilities || [],
+      provider: m.provider,
+    }));
+
+    return NextResponse.json(result);
+  } catch (error) {
+    console.error('Failed to fetch models:', error);
+    return NextResponse.json({ error: 'Failed to fetch models' }, { status: 500 });
+  }
+}
+`;
+}
+/**
+ * Generates the /api/v1/models endpoint with dual-auth (Session OR API-Key).
+ * External apps and widgets can query available models via API-Key.
+ * Internal web UI can use it via session auth.
+ * @returns TypeScript content for app/api/v1/models/route.ts
+ */
+function generateV1ModelsRoute() {
+    return `// @chimerai component=V1ModelsRoute version=1.0
+import { NextRequest, NextResponse } from 'next/server';
+import { resolveAuth } from '@/lib/auth/resolve-auth';
+import { prisma } from '@/lib/prisma';
+
+export const dynamic = 'force-dynamic';
+
+export async function GET(request: NextRequest) {
+  try {
+    let auth;
+    try {
+      auth = await resolveAuth(request);
+    } catch (error: any) {
+      return NextResponse.json({ error: 'Unauthorized' }, { status: error.status || 401 });
+    }
+
+    // API-Key scope check: requires 'chat' or '*' scope
+    if (auth.authMethod === 'api-key' && auth.scopes) {
+      const hasChat = auth.scopes.includes('chat') || auth.scopes.includes('*') || auth.scopes.length === 0;
+      if (!hasChat) {
+        return NextResponse.json({ error: 'Insufficient scope. Required: chat' }, { status: 403 });
+      }
+    }
+
+    const models = await (prisma as any).model.findMany({
+      where: {
+        provider: {
+          status: 'active',
+        },
+      },
+      include: {
+        provider: {
+          select: {
+            id: true,
+            name: true,
+            type: true,
+          },
+        },
+      },
+      orderBy: [
+        { provider: { priority: 'asc' } },
+        { name: 'asc' },
+      ],
+    });
+
+    const result = models.map((m: any) => ({
+      id: m.id,
+      modelId: m.modelId,
+      name: m.name,
+      providerId: m.providerId,
+      providerType: m.provider.type,
+      contextWindow: m.contextWindow || 0,
+      inputCost: m.inputCost || 0,
+      outputCost: m.outputCost || 0,
+      capabilities: m.capabilities || [],
+      provider: m.provider,
+    }));
+
+    // Filter to chat-capable models only (exclude embedding-only models)
+    const chatModels = result.filter((m: any) => {
+      const caps = Array.isArray(m.capabilities)
+        ? m.capabilities
+        : (() => { try { return JSON.parse(m.capabilities || '[]'); } catch { return []; } })();
+      return caps.includes('chat') || caps.includes('vision') || caps.length === 0;
+    });
+
+    return NextResponse.json(chatModels);
+  } catch (error) {
+    console.error('Failed to fetch models:', error);
+    return NextResponse.json({ error: 'Failed to fetch models' }, { status: 500 });
+  }
+}
+`;
+}
+/**
+ * Generates the admin audit logs API route.
+ * GET with pagination and action filter.
+ * @returns TypeScript content for app/api/admin/audit-logs/route.ts
+ */
+function generateAuditLogRoute() {
+    return `// @chimerai component=AuditLogRoute version=1.0
+import { NextRequest, NextResponse } from 'next/server';
+import { getServerSession } from 'next-auth';
+import { authOptions } from '@/lib/auth';
+import { prisma } from '@/lib/prisma';
+
+export async function GET(request: NextRequest) {
+  const session = await getServerSession(authOptions);
+  if (!session?.user?.id) {
+    return NextResponse.json({ error: 'Unauthorized' }, { status: 401 });
+  }
+
+  const { searchParams } = new URL(request.url);
+  const page = parseInt(searchParams.get('page') || '1', 10);
+  const pageSize = Math.min(parseInt(searchParams.get('pageSize') || '25', 10), 100);
+  const actionFilter = searchParams.get('action') || undefined;
+
+  const where: any = {};
+  if (actionFilter) {
+    where.action = actionFilter;
+  }
+
+  const [logs, total] = await Promise.all([
+    (prisma as any).auditLog.findMany({
+      where,
+      include: {
+        user: {
+          select: { name: true, email: true },
+        },
+      },
+      orderBy: { createdAt: 'desc' },
+      skip: (page - 1) * pageSize,
+      take: pageSize,
+    }),
+    (prisma as any).auditLog.count({ where }),
+  ]);
+
+  return NextResponse.json({ logs, total, page, pageSize });
+}
+`;
+}
+/**
+ * Generates the GDPR data export route.
+ * GET /api/user/data-export — returns all user data as JSON.
+ * @returns TypeScript content for app/api/user/data-export/route.ts
+ */
+function generateGdprDataExportRoute() {
+    return `// @chimerai component=GdprDataExportRoute version=1.0
+import { NextResponse } from 'next/server';
+import { getServerSession } from 'next-auth';
+import { authOptions } from '@/lib/auth';
+import { exportUserData } from '@/lib/gdpr';
+
+export async function GET() {
+  const session = await getServerSession(authOptions);
+  if (!session?.user?.id) {
+    return NextResponse.json({ error: 'Unauthorized' }, { status: 401 });
+  }
+
+  const userId = session.user.id;
+  const exportData = await exportUserData(userId);
+
+  return new NextResponse(JSON.stringify(exportData, null, 2), {
+    headers: {
+      'Content-Type': 'application/json',
+      'Content-Disposition': \`attachment; filename="data-export-\${userId}.json"\`,
+    },
+  });
+}
+`;
+}
+/**
+ * Generates the GDPR account deletion route.
+ * DELETE /api/user/account — deletes user account with cascade.
+ * @returns TypeScript content for app/api/user/account/route.ts
+ */
+function generateGdprAccountDeleteRoute() {
+    return `// @chimerai component=GdprAccountDeleteRoute version=1.0
+import { NextRequest, NextResponse } from 'next/server';
+import { getServerSession } from 'next-auth';
+import { authOptions } from '@/lib/auth';
+import { deleteUserData } from '@/lib/gdpr';
+
+export async function DELETE(request: NextRequest) {
+  const session = await getServerSession(authOptions);
+  if (!session?.user?.id) {
+    return NextResponse.json({ error: 'Unauthorized' }, { status: 401 });
+  }
+
+  const userId = session.user.id;
+
+  try {
+    const body = await request.json();
+    if (body.confirmation !== session.user.email) {
+      return NextResponse.json(
+        { error: 'Please confirm by typing your email address' },
+        { status: 400 }
+      );
+    }
+  } catch {
+    return NextResponse.json(
+      { error: 'Invalid request body. Send { confirmation: "your-email" }' },
+      { status: 400 }
+    );
+  }
+
+  await deleteUserData(userId);
+
+  return NextResponse.json({ success: true, message: 'Account deleted successfully' });
+}
+`;
+}
+/**
+ * Generates the admin settings API route (GET, PUT)
+ * GET: Lists all system settings
+ * PUT: Updates system settings with upsert
+ * @returns TypeScript content for app/api/admin/settings/route.ts
+ */
+function generateAdminSettingsRoute() {
+    return `// @chimerai component=AdminSettingsAPI version=1.1
+import { NextRequest, NextResponse } from 'next/server';
+import { prisma } from '@/lib/prisma';
+import { requirePermission } from '@/lib/auth/require-permission';
+import { logAuditAction } from '@/lib/audit';
+import { getServerSession } from 'next-auth';
+import { authOptions } from '@/lib/auth';
+
+const ALLOWED_KEYS = ['app.name', 'app.language', 'app.maintenanceMode'];
+
+// GET /api/admin/settings — fetch all settings
+export async function GET(req: NextRequest) {
+  const permissionError = await requirePermission('settings:read');
+  if (permissionError) return permissionError;
+
+  try {
+    const settings = await prisma.systemSetting.findMany();
+
+    const settingsMap: Record<string, string> = {};
+    for (const s of settings) {
+      settingsMap[s.key] = s.value;
+    }
+
+    const result = {
+      'app.name': settingsMap['app.name'] || 'ChimerAI',
+      'app.language': settingsMap['app.language'] || 'en',
+      'app.maintenanceMode': settingsMap['app.maintenanceMode'] || 'false',
+    };
+
+    return NextResponse.json(result);
+  } catch (error) {
+    console.error('Failed to fetch settings:', error);
+    return NextResponse.json({ error: 'Internal server error' }, { status: 500 });
+  }
+}
+
+// PUT /api/admin/settings — update settings
+export async function PUT(req: NextRequest) {
+  const permissionError = await requirePermission('settings:write');
+  if (permissionError) return permissionError;
+
+  try {
+    const session = await getServerSession(authOptions);
+    const body = await req.json();
+
+    const updates: { key: string; value: string }[] = [];
+
+    for (const [key, value] of Object.entries(body)) {
+      if (ALLOWED_KEYS.includes(key) && typeof value === 'string') {
+        updates.push({ key, value });
+      }
+    }
+
+    if (updates.length === 0) {
+      return NextResponse.json({ error: 'No valid settings provided' }, { status: 400 });
+    }
+
+    for (const { key, value } of updates) {
+      await prisma.systemSetting.upsert({
+        where: { key },
+        update: { value },
+        create: { key, value },
+      });
+    }
+
+    await logAuditAction({
+      action: 'settings.update',
+      userId: session?.user?.id || 'unknown',
+      metadata: { keys: updates.map((u) => u.key) },
+    });
+
+    return NextResponse.json({ success: true, updated: updates.map((u) => u.key) });
+  } catch (error) {
+    console.error('Failed to update settings:', error);
+    return NextResponse.json({ error: 'Internal server error' }, { status: 500 });
+  }
+}
+`;
+}
+/**
+ * Generates the public app settings API route (GET)
+ * Public endpoint — no auth needed (reads app name and language)
+ * @returns TypeScript content for app/api/app-settings/route.ts
+ */
+function generateAppSettingsRoute() {
+    return `// @chimerai component=AppSettingsAPI version=1.1
+import { NextResponse } from 'next/server';
+import { prisma } from '@/lib/prisma';
+
+// Force dynamic rendering — Next.js caches static GET routes by default,
+// which would serve stale app-name values after admin changes.
+export const dynamic = 'force-dynamic';
+
+// Public endpoint — no auth needed (just reads app name)
+export async function GET() {
+  try {
+    const settings = await prisma.systemSetting.findMany({
+      where: { key: { in: ['app.name', 'app.language'] } },
+    });
+
+    const map: Record<string, string> = {};
+    for (const s of settings) {
+      map[s.key] = s.value;
+    }
+
+    return NextResponse.json({
+      appName: map['app.name'] || 'ChimerAI',
+      language: map['app.language'] || 'en',
+    });
+  } catch {
+    return NextResponse.json({ appName: 'ChimerAI', language: 'en' });
+  }
+}
+`;
+}