@logboard/cli 1.0.0

package/lib/utils.js

@@ -0,0 +1,44 @@
+'use strict';
+const fs = require('fs');
+const path = require('path');
+
+const SAFE_APP = /^[a-zA-Z0-9._-]{1,64}$/;
+const SAFE_DATE = /^\d{4}-\d{2}-\d{2}$/;
+
+function ensureDir (dir) { if (!fs.existsSync(dir)) { fs.mkdirSync(dir, { recursive: true }); } }
+
+function getToday () { return new Date().toISOString().slice(0, 10); }
+
+function sanitizeAppName (v) {
+	if (typeof v !== 'string' || !v.trim()) { throw new RangeError(`Invalid appName: "${v}"`); }
+	// Normalise: replace spaces with hyphens, strip unsafe chars, collapse repeats
+	v = v.trim().replace(/\s+/g, '-').replace(/[^a-zA-Z0-9._-]/g, '-').replace(/-{2,}/g, '-').slice(0, 64);
+	if (!SAFE_APP.test(v)) { throw new RangeError(`Invalid appName after normalisation: "${v}"`); }
+	const RESERVED = ['app', 'unknown', '_archive', '_tmp', 'logboard', 'system'];
+	if (RESERVED.includes(v.toLowerCase())) { throw new RangeError(`Reserved appName: "${v}" — use a specific service name`); }
+	return v;
+}
+
+function sanitizeDate (v) {
+	if (typeof v !== 'string' || !SAFE_DATE.test(v)) { throw new RangeError(`Invalid date: "${v}"`); }
+	return v;
+}
+
+function safeLogPath (baseDir, appName, date) {
+	const app = sanitizeAppName(appName);
+	const d = sanitizeDate(date);
+	const resolved = path.resolve(baseDir, app, `${d}.log`);
+	if (!resolved.startsWith(path.resolve(baseDir) + path.sep)) { throw new RangeError('Path traversal detected'); }
+	return resolved;
+}
+
+/** Format bytes to human-readable string */
+function formatBytes (bytes) {
+	if (bytes === 0) { return '0 B'; }
+	const k = 1024;
+	const sizes = ['B', 'KB', 'MB', 'GB'];
+	const i = Math.floor(Math.log(bytes) / Math.log(k));
+	return `${(bytes / Math.pow(k, i)).toFixed(1)} ${sizes[i]}`;
+}
+
+module.exports = { ensureDir, getToday, sanitizeAppName, sanitizeDate, safeLogPath, formatBytes };

package/middleware/apiKey.js

@@ -0,0 +1,82 @@
+'use strict';
+const ApiKeyService = require('../services/ApiKeyService');
+const config = require('../config');
+const svc = new ApiKeyService();
+
+/**
+ * validateApiKey(requiredScope?)
+ * Supports: blq_... multi-keys (from api-keys.json, SHA-256 hashed)
+ * Falls back to single legacy API_KEY env var for backward compat.
+ * Attaches req.apiKey = { id, name, scopes[] } on success.
+ */
+function validateApiKey (requiredScope) {
+	return async function (req, res, next) {
+		const raw = req.headers['x-api-key'];
+		if (!raw) { return res.status(403).json({ error: 'X-Api-Key header required' }); }
+
+		// Legacy fallback — also attach default org so logs go to correct path
+		if (!raw.startsWith('blq_')) {
+			if (raw !== config.API_KEY) { return res.status(403).json({ error: 'Invalid API key' }); }
+			req.apiKey = { id: 'legacy', name: 'legacy', scopes: ['logs:write', 'logs:read'], orgSlug: 'default' };
+			// Attach default org
+			try {
+				const OrgService = require('../services/OrgService');
+				const defOrg = await OrgService.getOrg('default');
+				if (defOrg) req.org = defOrg;
+				else {
+					// Pre-migration fallback: build org paths from flat config
+					const path = require('path');
+					// logsDir must point to logs/default/ (org-scoped), not logs/
+				const _orgDataDir = require('path').join(config.DATA_DIR, 'orgs', 'default');
+				req.org = {
+					slug: 'default', name: 'Default',
+					dataDir: _orgDataDir,
+					logsDir: require('path').join(config.LOG_BASE_DIR, 'default'),
+					usersFile:         require('path').join(_orgDataDir, 'users.json'),
+					settingsFile:      require('path').join(_orgDataDir, 'settings.json'),
+					rolesFile:         require('path').join(_orgDataDir, 'role-config.json'),
+					apiKeysFile:       require('path').join(_orgDataDir, 'api-keys.json'),
+					auditFile:         require('path').join(_orgDataDir, 'audit.ndjson'),
+					alertsFile:        require('path').join(_orgDataDir, 'alerts.json'),
+					bookmarksFile:     require('path').join(_orgDataDir, 'bookmarks.json'),
+					savedSearchesFile: require('path').join(_orgDataDir, 'saved-searches.json'),
+					notificationsFile: require('path').join(_orgDataDir, 'notifications.json'),
+					invitesFile:       require('path').join(_orgDataDir, 'invites.json'),
+				};
+				}
+			} catch {}
+			return next();
+		}
+
+		try {
+			// Search all orgs for this API key
+			const OrgService = require('../services/OrgService');
+			const ApiKeyService = require('../services/ApiKeyService');
+			let key = null, orgSlug = 'default';
+			const orgs = await OrgService.getOrgs().catch(()=>({}));
+			for (const slug of Object.keys(orgs)) {
+				const orgPaths = OrgService.orgPaths(slug);
+				const keySvc   = new ApiKeyService(orgPaths);
+				const found    = await keySvc.validate(raw).catch(()=>null);
+				if (found) { key = found; orgSlug = slug; break; }
+			}
+			if (!key) {
+				// Fallback: try flat file
+				key = await svc.validate(raw);
+			}
+			if (!key) { return res.status(403).json({ error: 'Invalid or expired API key' }); }
+			if (requiredScope && !key.scopes.includes(requiredScope)) { return res.status(403).json({ error: `Key missing scope: ${requiredScope}` }); }
+			req.apiKey = { ...key, orgSlug };
+			// Attach org to request
+			if (!req.org) {
+				try {
+					const org = await OrgService.getOrg(orgSlug);
+					if (org) req.org = org;
+				} catch {}
+			}
+			next();
+		} catch (err) { res.status(500).json({ error: 'Key validation error: ' + err.message }); }
+	};
+}
+
+module.exports = validateApiKey;

package/middleware/auth.js

@@ -0,0 +1,55 @@
+'use strict';
+const jwt = require('jsonwebtoken');
+const config = require('../config');
+
+async function _attachOrg (req) {
+	if (!req.user) { return; }
+	// Super-admins have no org — they cross all orgs
+	if (req.user.role === 'super-admin') { req.org = null; return; }
+	const slug = req.user.orgSlug || 'default';
+	try {
+		const OrgService = require('../services/OrgService');
+		let org = await OrgService.getOrg(slug);
+		if (!org && slug === 'default') {
+			const path = require('path');
+			org = {
+				slug: 'default', name: 'Default',
+				dataDir: config.DATA_DIR, logsDir: config.LOG_BASE_DIR,
+				usersFile: config.USERS_FILE, settingsFile: config.SETTINGS_FILE,
+				rolesFile: config.ROLES_FILE, apiKeysFile: config.API_KEYS_FILE,
+				auditFile: config.AUDIT_FILE, alertsFile: config.ALERTS_FILE,
+				bookmarksFile: config.BOOKMARKS_FILE,
+				savedSearchesFile: config.SAVED_SEARCHES_FILE,
+				notificationsFile: config.NOTIFICATIONS_FILE,
+				invitesFile: path.join(config.DATA_DIR, 'invites.json'),
+			};
+		}
+		req.org = org;
+	} catch { req.org = null; }
+}
+
+function authenticate (req, res, next) {
+	const token = req.cookies[config.SESSION_NAME] || (req.headers.authorization || '').replace('Bearer ', '');
+	if (!token) { return res.status(401).json({ error: 'Unauthorized — no session' }); }
+	try {
+		req.user = jwt.verify(token, config.JWT_SECRET);
+		if (!req.user.orgSlug) { req.user.orgSlug = 'default'; }
+		_attachOrg(req).then(() => next()).catch(() => next());
+	} catch {
+		res.status(401).json({ error: 'Unauthorized — invalid or expired token' });
+	}
+}
+
+function authenticateUI (req, res, next) {
+	const token = req.cookies[config.SESSION_NAME];
+	if (!token) { return res.redirect('/login'); }
+	try {
+		req.user = jwt.verify(token, config.JWT_SECRET);
+		if (!req.user.orgSlug) { req.user.orgSlug = 'default'; }
+		_attachOrg(req).then(() => next()).catch(() => next());
+	} catch {
+		res.redirect('/login');
+	}
+}
+
+module.exports = { authenticate, authenticateUI };

package/middleware/ipWhitelist.js

@@ -0,0 +1,59 @@
+'use strict';
+const fsP = require('fs').promises;
+const config = require('../config');
+const logger = require('../lib/logger');
+
+let _cache = null,
+	_cacheTime = 0;
+const TTL = 30000;
+
+async function getList (settingsFile) {
+	const file = settingsFile || config.SETTINGS_FILE;
+	// Use a cache key per file path
+	const cacheKey = file;
+	if (_cache && _cache._key === cacheKey && Date.now() - _cacheTime < TTL) {
+		return _cache._list;
+	}
+	try {
+		const s = JSON.parse(await fsP.readFile(file, 'utf8'));
+		const list = Array.isArray(s.ipWhitelist)
+			? s.ipWhitelist.map((x) => x.trim()).filter(Boolean)
+			: [];
+		_cache = { _key: cacheKey, _list: list };
+		_cacheTime = Date.now();
+		return list;
+	} catch {
+		return [];
+	}
+}
+
+function bustCache () {
+	_cache = null;
+}
+
+function ipWhitelist () {
+	return async function ipWhitelistMiddleware (req, res, next) {
+		// Use org-aware settings file if available
+		const settingsFile = req.org ? req.org.settingsFile : config.SETTINGS_FILE;
+		const list = await getList(settingsFile);
+		if (!list.length) {
+			return next();
+		}
+		const raw = (req.headers['x-forwarded-for'] || req.ip || '')
+			.split(',')[0]
+			.trim()
+			.replace('::ffff:', '');
+		const ok = list.some((e) =>
+			e.endsWith('/24')
+				? raw.startsWith(`${e.slice(0, e.lastIndexOf('.'))}`)
+				: raw === e,
+		);
+		if (!ok) {
+			logger.warn(`[IPWhitelist] Blocked ${raw} ${req.method} ${req.path}`);
+			return res.status(403).json({ error: 'IP not whitelisted' });
+		}
+		next();
+	};
+}
+
+module.exports = { ipWhitelist, bustCache };

package/middleware/org.js

@@ -0,0 +1,85 @@
+'use strict';
+const OrgService = require('../services/OrgService');
+const config = require('../config');
+
+/**
+ * Attach req.org to every authenticated request.
+ * If the org doesn't exist yet (pre-migration), auto-bootstraps 'default' org
+ * using flat config paths so existing installs keep working without migration.
+ */
+async function orgMiddleware (req, res, next) {
+	if (!req.user) { return next(); }
+	const slug = req.user.orgSlug || 'default';
+	try {
+		let org = await OrgService.getOrg(slug);
+
+		// ── Auto-bootstrap for pre-migration installs ──────────────────────────
+		if (!org) {
+			if (slug === 'default') {
+				// Use flat config paths — no migration needed, works out of the box
+				org = {
+					slug: 'default',
+					name: 'Default',
+					dataDir: config.DATA_DIR,
+					logsDir: config.LOG_BASE_DIR,
+					usersFile: config.USERS_FILE,
+					settingsFile: config.SETTINGS_FILE,
+					rolesFile: config.ROLES_FILE,
+					apiKeysFile: config.API_KEYS_FILE,
+					auditFile: config.AUDIT_FILE,
+					alertsFile: config.ALERTS_FILE,
+					bookmarksFile: config.BOOKMARKS_FILE,
+					savedSearchesFile: config.SAVED_SEARCHES_FILE,
+					notificationsFile: config.NOTIFICATIONS_FILE,
+					invitesFile: require('path').join(config.DATA_DIR, 'invites.json'),
+				};
+			} else {
+				// Unknown org — clear session
+				res.clearCookie(config.SESSION_NAME);
+				return res.status(401).json({ error: 'Org not found — please log in again' });
+			}
+		}
+		req.org = org;
+		next();
+	} catch (e) {
+		// Don't block the request on org middleware failure — degrade gracefully
+		req.org = null;
+		next();
+	}
+}
+
+async function orgMiddlewareUI (req, res, next) {
+	if (!req.user) { return next(); }
+	const slug = req.user.orgSlug || 'default';
+	try {
+		let org = await OrgService.getOrg(slug);
+		if (!org && slug === 'default') {
+			org = {
+				slug: 'default', name: 'Default',
+				dataDir: config.DATA_DIR, logsDir: config.LOG_BASE_DIR,
+				usersFile: config.USERS_FILE, settingsFile: config.SETTINGS_FILE,
+				rolesFile: config.ROLES_FILE, apiKeysFile: config.API_KEYS_FILE,
+				auditFile: config.AUDIT_FILE, alertsFile: config.ALERTS_FILE,
+				bookmarksFile: config.BOOKMARKS_FILE,
+				savedSearchesFile: config.SAVED_SEARCHES_FILE,
+				notificationsFile: config.NOTIFICATIONS_FILE,
+				invitesFile: require('path').join(config.DATA_DIR, 'invites.json'),
+			};
+		} else if (!org) {
+			res.clearCookie(config.SESSION_NAME);
+			return res.redirect('/login?error=org_not_found');
+		}
+		req.org = org;
+		next();
+	} catch (e) {
+		req.org = null;
+		next();
+	}
+}
+
+function requireSuperAdmin (req, res, next) {
+	if (!req.user || req.user.role !== 'super-admin') { return res.status(403).json({ error: 'Super-admin access required' }); }
+	next();
+}
+
+module.exports = { orgMiddleware, orgMiddlewareUI, requireSuperAdmin };

package/middleware/pageAccess.js

@@ -0,0 +1,20 @@
+'use strict';
+const { RoleConfigService } = require('../services/RoleConfigService');
+const svc = new RoleConfigService();
+
+function requirePage (pageId) {
+	return async function pageAccessMiddleware (req, res, next) {
+		if (!req.user) { return res.redirect('/login'); }
+		try {
+			const ok = await svc.canAccessPage(req.user.role, pageId);
+			if (!ok) {
+				// Don't redirect to /dashboard if that's the page being denied (loop!)
+				if (pageId === 'dashboard') { return res.redirect('/login'); }
+				return res.redirect('/dashboard?denied=1');
+			}
+			next();
+		} catch { next(); }
+	};
+}
+
+module.exports = { requirePage };

package/middleware/rateLimit.js

@@ -0,0 +1,29 @@
+'use strict';
+
+function rateLimit ({ windowMs = 60_000, max = 60, message = 'Too many requests' } = {}) {
+	const store = new Map();
+	setInterval(() => {
+		const now = Date.now();
+		for (const [ip, times] of store) {
+			const fresh = times.filter((t) => now - t < windowMs);
+			if (!fresh.length) { store.delete(ip); } else { store.set(ip, fresh); }
+		}
+	}, windowMs).unref();
+
+	return function rateLimitMiddleware (req, res, next) {
+		const ip = req.ip || 'unknown';
+		const now = Date.now();
+		const hits = (store.get(ip) || []).filter((t) => now - t < windowMs);
+		hits.push(now);
+		store.set(ip, hits);
+		res.setHeader('X-RateLimit-Limit', max);
+		res.setHeader('X-RateLimit-Remaining', Math.max(0, max - hits.length));
+		if (hits.length > max) {
+			res.setHeader('Retry-After', Math.ceil(windowMs / 1000));
+			return res.status(429).json({ error: message });
+		}
+		next();
+	};
+}
+
+module.exports = rateLimit;

package/middleware/roles.js

@@ -0,0 +1,11 @@
+'use strict';
+
+function requireRole (...roles) {
+	return function roleMiddleware (req, res, next) {
+		if (!req.user) { return res.status(401).json({ error: 'Unauthorized' }); }
+		if (!roles.includes(req.user.role)) { return res.status(403).json({ error: `Forbidden — requires role: ${ roles.join(' or ')}` }); }
+		next();
+	};
+}
+
+module.exports = requireRole;

package/package.json

@@ -0,0 +1,77 @@
+{
+  "name": "@logboard/cli",
+  "version": "1.0.0",
+  "description": "LogBoard - Production-grade open-source log aggregator. One-command install on macOS, Linux & Windows.",
+  "main": "server.js",
+  "bin": {
+    "logboard": "./bin/logboard"
+  },
+  "scripts": {
+    "start": "node server.js",
+    "dev": "nodemon server.js",
+    "setup": "node setup.js",
+    "postinstall": "node setup.js",
+    "lint:fix": "eslint --fix ."
+  },
+  "files": [
+    "bin/",
+    "client/",
+    "config/",
+    "controllers/",
+    "lib/",
+    "middleware/",
+    "routes/",
+    "services/",
+    "views/",
+    "server.js",
+    "config.js",
+    "setup.js",
+    ".env.example",
+    "README.md"
+  ],
+  "keywords": [
+    "logboard",
+    "logging",
+    "log-aggregator",
+    "rbac",
+    "observability",
+    "monitoring",
+    "saas",
+    "open-source",
+    "log-management",
+    "devops",
+    "dashboard",
+    "real-time",
+    "alerting"
+  ],
+  "license": "MIT",
+  "engines": {
+    "node": ">=18.0.0"
+  },
+  "preferGlobal": true,
+  "publishConfig": {
+    "access": "public"
+  },
+  "dependencies": {
+    "archiver": "^7.0.1",
+    "axios": "^1.14.0",
+    "bcryptjs": "^2.4.3",
+    "cookie-parser": "^1.4.6",
+    "dotenv": "^16.3.1",
+    "express": "^4.18.2",
+    "helmet": "^7.0.0",
+    "jsonwebtoken": "^9.0.2",
+    "node-cron": "^4.2.1",
+    "qrcode": "^1.5.3",
+    "speakeasy": "^2.0.0",
+    "nodemailer": "^6.9.13",
+    "passport": "^0.7.0",
+    "passport-github2": "^0.1.12",
+    "passport-google-oauth20": "^2.0.0"
+  },
+  "devDependencies": {
+    "nodemon": "^3.0.1",
+    "@eslint/js": "^9.7.0",
+    "eslint": "^9.7.0"
+  }
+}

package/routes/alerts.js

@@ -0,0 +1,18 @@
+'use strict';
+const { Router } = require('express');
+const svc = require('../services/AlertRulesService');
+const audit = require('../services/AuditService');
+const { authenticate } = require('../middleware/auth');
+const requireRole = require('../middleware/roles');
+
+const router = Router();
+const adminOnly = [authenticate, requireRole('admin')];
+const authAny = [authenticate];
+
+router.get('/rules', ...authAny, async (req, res) => { try { res.json(await svc.listRules()); } catch (e) { res.status(500).json({ error: e.message }); } });
+router.post('/rules', ...adminOnly, async (req, res) => { try { const r=await svc.upsertRule(req.body); await new audit().log(req.user.username, 'alert_rule_create', r.name, {}, req.ip); res.status(201).json(r); } catch (e) { res.status(e.status||500).json({ error: e.message }); } });
+router.put('/rules/:id', ...adminOnly, async (req, res) => { try { const r=await svc.upsertRule({ ...req.body, id: req.params.id }); await new audit().log(req.user.username, 'alert_rule_update', r.name, {}, req.ip); res.json(r); } catch (e) { res.status(e.status||500).json({ error: e.message }); } });
+router.delete('/rules/:id', ...adminOnly, async (req, res) => { try { await svc.deleteRule(req.params.id); await new audit().log(req.user.username, 'alert_rule_delete', req.params.id, {}, req.ip); res.json({ success: true }); } catch (e) { res.status(e.status||500).json({ error: e.message }); } });
+router.get('/history', ...authAny, async (req, res) => { try { res.json(await svc.getHistory(100)); } catch (e) { res.status(500).json({ error: e.message }); } });
+
+module.exports = router;

package/routes/analytics.js

@@ -0,0 +1,26 @@
+
+// RBAC: get allowed apps for requesting user
+async function getAllowedApps (req) {
+	try {
+		const { RoleConfigService } = require('../services/RoleConfigService');
+		return await new RoleConfigService().getAllowedApps(req.user?.role || 'viewer');
+	} catch { return []; }
+}
+
+'use strict';
+const { Router } = require('express');
+const AnalyticsService = require('../services/AnalyticsService');
+const AnalyticsController = require('../controllers/AnalyticsController');
+const { authenticate } = require('../middleware/auth');
+
+const router = Router();
+const ctrl = new AnalyticsController(new AnalyticsService());
+
+router.get('/overview', authenticate, (req, res) => ctrl.overview(req, res));
+router.get('/hourly', authenticate, (req, res) => ctrl.hourly(req, res));
+router.get('/levels', authenticate, (req, res) => ctrl.levels(req, res));
+router.get('/top-services', authenticate, (req, res) => ctrl.topServices(req, res));
+router.get('/recent-errors', authenticate, (req, res) => ctrl.recentErrors(req, res));
+router.get('/trend', authenticate, (req, res) => ctrl.trend(req, res));
+
+module.exports = router;

package/routes/api-analytics.js

@@ -0,0 +1,30 @@
+'use strict';
+const { Router }                = require('express');
+const ApiAnalyticsService       = require('../services/ApiAnalyticsService');
+const ApiAnalyticsController    = require('../controllers/ApiAnalyticsController');
+const { authenticate }          = require('../middleware/auth');
+
+const router = Router();
+
+// Per-request org-scoped controller
+function ctrl(req) {
+  return new ApiAnalyticsController(new ApiAnalyticsService(req.org));
+}
+
+router.get('/services',        authenticate, (req, res) => ctrl(req).services(req, res));
+router.get('/overview',        authenticate, (req, res) => ctrl(req).overview(req, res));
+router.get('/hourly',          authenticate, (req, res) => ctrl(req).hourly(req, res));
+router.get('/endpoints',       authenticate, (req, res) => ctrl(req).endpoints(req, res));
+router.get('/slowest',         authenticate, (req, res) => ctrl(req).slowest(req, res));
+router.get('/errors',          authenticate, (req, res) => ctrl(req).topErrors(req, res));
+router.get('/status',          authenticate, (req, res) => ctrl(req).statusDist(req, res));
+router.get('/apdex',           authenticate, (req, res) => ctrl(req).apdex(req, res));
+router.get('/trend',           authenticate, (req, res) => ctrl(req).trend(req, res));
+router.get('/heaviest',        authenticate, (req, res) => ctrl(req).heaviest(req, res));
+router.get('/individual-slowest', authenticate, (req, res) => ctrl(req).individualSlowest(req, res));
+router.get('/peak-rpm',        authenticate, (req, res) => ctrl(req).peakRpm(req, res));
+router.get('/slow-trend',      authenticate, (req, res) => ctrl(req).slowTrend(req, res));
+router.get('/error-trend',     authenticate, (req, res) => ctrl(req).errorTrend(req, res));
+router.get('/hourly-pattern',  authenticate, (req, res) => ctrl(req).hourlyPattern(req, res));
+
+module.exports = router;

package/routes/api-keys.js

@@ -0,0 +1,12 @@
+'use strict';
+const { Router }=require('express');
+const ApiKeyController=require('../controllers/ApiKeyController');
+const { authenticate }=require('../middleware/auth');
+const requireRole=require('../middleware/roles');
+const router=Router(), ctrl=new ApiKeyController(), admin=[authenticate, requireRole('admin')];
+router.get('/', ...admin, (req, res) => ctrl.list(req, res));
+router.post('/', ...admin, (req, res) => ctrl.create(req, res));
+router.patch('/:id', ...admin, (req, res) => ctrl.update(req, res));
+router.post('/:id/revoke', ...admin, (req, res) => ctrl.revoke(req, res));
+router.delete('/:id', ...admin, (req, res) => ctrl.remove(req, res));
+module.exports=router;

package/routes/archive.js

@@ -0,0 +1,91 @@
+'use strict';
+const { Router } = require('express');
+const router = Router();
+const { authenticate } = require('../middleware/auth');
+const requireRole = require('../middleware/roles');
+const LogService = require('../services/LogService');
+const path = require('path');
+const fs = require('fs');
+const config = require('../config');
+
+const admin = [authenticate, requireRole('admin')];
+const auth = [authenticate];
+
+let _svc;
+module.exports.setWriter = (bw) => { _svc = new LogService(bw); };
+
+router.get('/list', ...auth, async (req, res) => {
+	try {
+		const dir = config.ARCHIVE_DIR;
+		if (!fs.existsSync(dir)) { return res.json({ archives: [] }); }
+		const files = fs.readdirSync(dir).filter((f) => f.endsWith('.tar.gz') || f.endsWith('.zip'));
+		const list = files.map((f) => {
+			const fp = path.join(dir, f);
+			const st = fs.statSync(fp);
+			return { name: f, size: st.size, created: st.birthtime };
+		}).sort((a, b) => new Date(b.created) - new Date(a.created));
+		res.json({ archives: list });
+	} catch (e) { res.status(500).json({ error: e.message }); }
+});
+
+router.get('/download/:filename', ...auth, async (req, res) => {
+	const name = path.basename(req.params.filename);
+	const fp = path.join(config.ARCHIVE_DIR, name);
+	if (!fs.existsSync(fp)) { return res.status(404).json({ error: 'Not found' }); }
+	res.download(fp);
+});
+
+router.post('/create', ...admin, async (req, res) => {
+	try {
+		const { startDate, endDate, services } = req.body;
+		if (!startDate || !endDate) { return res.status(400).json({ error: 'startDate and endDate required' }); }
+		const archiver = require('archiver');
+		const fsP = require('fs').promises;
+		const { sanitizeDate, sanitizeAppName } = require('../lib/utils');
+
+		sanitizeDate(startDate); sanitizeDate(endDate);
+
+		const dir = config.ARCHIVE_DIR;
+		if (!fs.existsSync(dir)) { fs.mkdirSync(dir, { recursive: true }); }
+
+		const filename = `logboard-${ startDate }-to-${ endDate }-${ Date.now() }.tar.gz`;
+		const outPath = path.join(dir, filename);
+		const output = fs.createWriteStream(outPath);
+		const archive = archiver('tar', { gzip: true });
+
+		archive.pipe(output);
+
+		// Collect files in date range
+		const allDirs = fs.existsSync(config.LOG_BASE_DIR) ? fs.readdirSync(config.LOG_BASE_DIR) : [];
+		const svcs = services?.length ? services : allDirs;
+
+		for (const svc of svcs) {
+			try { sanitizeAppName(svc); } catch { continue; }
+			const svcDir = path.join(config.LOG_BASE_DIR, svc);
+			if (!fs.existsSync(svcDir)) { continue; }
+			const files = fs.readdirSync(svcDir).filter((f) => /^\d{4}-\d{2}-\d{2}\.log$/.test(f));
+			for (const f of files) {
+				const date = f.slice(0, 10);
+				if (date >= startDate && date <= endDate) {
+					archive.file(path.join(svcDir, f), { name: `${svc }/${ f}` });
+				}
+			}
+		}
+
+		await new Promise((resolve, reject) => {
+			output.on('close', resolve);
+			archive.on('error', reject);
+			archive.finalize();
+		});
+
+		res.json({ filename, size: fs.statSync(outPath).size });
+	} catch (e) { res.status(500).json({ error: e.message }); }
+});
+
+router.delete('/:filename', ...admin, async (req, res) => {
+	const name = path.basename(req.params.filename);
+	const fp = path.join(config.ARCHIVE_DIR, name);
+	try { fs.unlinkSync(fp); res.json({ success: true }); } catch (e) { res.status(404).json({ error: 'Not found' }); }
+});
+
+module.exports.router = router;