@logboard/cli 1.0.0

package/routes/role-config.js

@@ -0,0 +1,97 @@
+'use strict';
+const { Router } = require('express');
+const {
+	RoleConfigService,
+	ALL_PAGES,
+	ALL_CARDS,
+} = require('../services/RoleConfigService');
+const { authenticate } = require('../middleware/auth');
+const requireRole = require('../middleware/roles');
+
+const router = Router();
+const svc = new RoleConfigService();
+const admin = [authenticate, requireRole('admin')];
+
+// ── List roles + catalogue ─────────────────────────────────────────────────
+router.get('/', authenticate, async (req, res) => {
+	try {
+		res.json({
+			roles: await svc.getRoles(),
+			catalogue: { pages: ALL_PAGES, cards: ALL_CARDS },
+		});
+	} catch (e) {
+		res.status(500).json({ error: e.message });
+	}
+});
+
+// ── Upsert role (save pages, cards, label, color, allowedApps) ────────────
+router.put('/:name', ...admin, async (req, res) => {
+	try {
+		const role = await svc.upsertRole(req.params.name, req.body);
+		const audit = require('../services/AuditService');
+		await new audit()
+			.log(
+				req.user?.username,
+				'role_update',
+				req.params.name,
+				{
+					pages: req.body.pages?.length,
+					cards: req.body.cards?.length,
+					allowedApps: req.body.allowedApps,
+				},
+				req.ip || '',
+			)
+			.catch(() => {});
+		res.json(role);
+	} catch (e) {
+		res.status(e.status || 500).json({ error: e.message });
+	}
+});
+
+// ── Delete role ────────────────────────────────────────────────────────────
+router.delete('/:name', ...admin, async (req, res) => {
+	try {
+		await svc.deleteRole(req.params.name);
+		const audit = require('../services/AuditService');
+		await audit
+			.log(req.user?.username, 'role_delete', req.params.name, {}, req.ip || '')
+			.catch(() => {});
+		res.json({ success: true });
+	} catch (e) {
+		res.status(e.status || 500).json({ error: e.message });
+	}
+});
+
+// ── Per-service log access (allowedApps) ──────────────────────────────────
+router.get('/:roleName/allowed-apps', ...admin, async (req, res) => {
+	try {
+		const apps = await svc.getAllowedApps(req.params.roleName);
+		res.json({ roleName: req.params.roleName, allowedApps: apps });
+	} catch (e) {
+		res.status(e.status || 500).json({ error: e.message });
+	}
+});
+
+router.put('/:roleName/allowed-apps', ...admin, async (req, res) => {
+	try {
+		const role = await svc.setAllowedApps(
+			req.params.roleName,
+			req.body.allowedApps || [],
+		);
+		const audit = require('../services/AuditService');
+		await audit
+			.log(
+				req.user?.username,
+				'role_apps_update',
+				req.params.roleName,
+				{ apps: req.body.allowedApps },
+				req.ip || '',
+			)
+			.catch(() => {});
+		res.json(role);
+	} catch (e) {
+		res.status(e.status || 500).json({ error: e.message });
+	}
+});
+
+module.exports = router;

package/routes/saved-searches.js

@@ -0,0 +1,12 @@
+'use strict';
+const { Router } = require('express');
+const svc = require('../services/SavedSearchService');
+const { authenticate } = require('../middleware/auth');
+
+const router = Router();
+
+router.get('/', authenticate, async (req, res) => { try { res.json(await svc.getAll(req.user.username)); } catch (e) { res.status(500).json({ error: e.message }); } });
+router.post('/', authenticate, async (req, res) => { try { res.status(201).json(await svc.create(req.user.username, req.body)); } catch (e) { res.status(e.status||500).json({ error: e.message }); } });
+router.delete('/:id', authenticate, async (req, res) => { try { await svc.delete(req.user.username, req.params.id); res.json({ success: true }); } catch (e) { res.status(500).json({ error: e.message }); } });
+
+module.exports = router;

package/routes/server.js

@@ -0,0 +1,151 @@
+'use strict';
+const express      = require('express');
+const helmet       = require('helmet');
+const cookieParser = require('cookie-parser');
+const path         = require('path');
+const config       = require('./config');
+const { scheduleCleanup } = require('./lib/cleanup');
+const { closeAllStreams }  = require('./lib/streams');
+const BatchWriter          = require('./lib/batchWriter');
+const logger               = require('./lib/logger');
+const ejsEngine            = require('./lib/ejs');
+const { ipWhitelist }      = require('./middleware/ipWhitelist');
+const { orgMiddleware, orgMiddlewareUI } = require('./middleware/org');
+
+const app = express();
+app.set('trust proxy', true);
+
+// ── View engine ────────────────────────────────────────────────────────────
+app.engine('ejs', ejsEngine.renderFile);
+app.set('view engine', 'ejs');
+app.set('views', path.join(__dirname, 'views'));
+
+// ── Static assets (logo, future public dir) ────────────────────────────────
+app.use('/public', express.static(path.join(__dirname, 'views')));
+
+// ── Security headers ───────────────────────────────────────────────────────
+app.use(helmet({
+  contentSecurityPolicy: { directives: {
+    defaultSrc: ["'self'"],
+    connectSrc: ["'self'", `http://localhost:${config.PORT}`, `ws://localhost:${config.PORT}`, 'https://cdn.jsdelivr.net'],
+    scriptSrc:  ["'self'", "'unsafe-inline'", 'https://cdn.jsdelivr.net', 'https://unpkg.com'],
+    scriptSrcAttr: ["'unsafe-inline'"],
+    styleSrc:   ["'self'", "'unsafe-inline'", 'https://fonts.googleapis.com'],
+    fontSrc:    ["'self'", 'https://fonts.gstatic.com', 'data:'],
+    imgSrc:     ["'self'", 'data:', 'https:', 'http:'],  // allow external logo URLs
+  }},
+}));
+
+// ── CORS ───────────────────────────────────────────────────────────────────
+app.use((req, res, next) => {
+  const { origin } = req.headers;
+  if (!origin || config.CORS_ORIGINS.includes('*') || config.CORS_ORIGINS.includes(origin)) {
+    if (origin) res.setHeader('Access-Control-Allow-Origin', origin);
+    res.setHeader('Access-Control-Allow-Methods', 'GET,POST,PUT,PATCH,DELETE,OPTIONS');
+    res.setHeader('Access-Control-Allow-Headers', 'Content-Type, X-Api-Key, Authorization');
+    res.setHeader('Access-Control-Allow-Credentials', 'true');
+  }
+  if (req.method === 'OPTIONS') return res.sendStatus(204);
+  next();
+});
+
+// ── Body / cookies ─────────────────────────────────────────────────────────
+app.use(express.json({ limit: config.MAX_BODY_SIZE }));
+app.use(cookieParser());
+app.use((req, _res, next) => { logger.debug(req.method+' '+req.path); next(); });
+// req.org is attached by orgMiddleware — called inside each route after authenticate
+
+// ── Routes ─────────────────────────────────────────────────────────────────
+const healthRoute      = require('./routes/health');
+const authRoute        = require('./routes/auth');
+const streamRoute      = require('./routes/stream');
+const analyticsRoute   = require('./routes/analytics');
+const logsRoute        = require('./routes/logs');
+const uiRoute          = require('./routes/ui');
+const settingsRoute    = require('./routes/settings');
+const apiAnalyticsRoute= require('./routes/api-analytics');
+const roleConfigRoute  = require('./routes/role-config');
+const usersRoute       = require('./routes/users');
+const apiKeysRoute     = require('./routes/api-keys');
+const alertsRoute      = require('./routes/alerts');
+const auditRoute       = require('./routes/audit');
+const statusRoute      = require('./routes/status');
+const archiveRoute     = require('./routes/archive');
+const notificationsRoute = require('./routes/notifications')
+const savedSearchesRoute = require('./routes/saved-searches')
+const bookmarksRoute     = require('./routes/bookmarks')
+const metricsRoute       = require('./routes/metrics')
+const orgsRoute          = require('./routes/orgs')
+
+const batchWriter = new BatchWriter();
+logsRoute.setWriter(batchWriter);
+uiRoute.setWriter(batchWriter);
+archiveRoute.setWriter(batchWriter);
+
+// ── Mount API routes ───────────────────────────────────────────────────────
+app.use('/api/health',        healthRoute);
+app.use('/api/auth',          authRoute);
+app.use('/api/logs/stream',   streamRoute);
+// IP whitelist only on ingest endpoint
+app.use('/api/logs',          ipWhitelist(), logsRoute.router);
+app.use('/api/analytics',     analyticsRoute);
+app.use('/api/settings',      settingsRoute);
+app.use('/api/api-analytics', apiAnalyticsRoute);
+app.use('/api/role-config',   roleConfigRoute);
+app.use('/api/users',         usersRoute);
+app.use('/api/api-keys',      apiKeysRoute);
+app.use('/api/alerts',        alertsRoute);
+app.use('/api/audit',         auditRoute);
+app.use('/api/archive',       archiveRoute.router);
+app.use('/status',            statusRoute);
+app.use('/api/orgs',          orgsRoute);
+app.use('/api/notifications', notificationsRoute);
+app.use('/api/saved-searches',savedSearchesRoute);
+app.use('/api/bookmarks',     bookmarksRoute);
+app.use('/api/metrics',       metricsRoute);
+
+// ── UI routes ──────────────────────────────────────────────────────────────
+app.use('/', uiRoute.router);
+
+// ── 404 / error ────────────────────────────────────────────────────────────
+app.use((req, res) => {
+  if (req.path.startsWith('/api/')) return res.status(404).json({ error: 'Not found' });
+  res.status(404).render('404', { title: '404', user: req.user||null });
+});
+app.use((err, _req, res, _next) => {
+  logger.error('Unhandled: '+err.stack);
+  if (res.headersSent) return;
+  res.status(500).json({ error: 'Internal server error' });
+});
+
+scheduleCleanup();
+// Health monitor — alerts for RAM/CPU/disk
+const healthMonitor = require('./lib/healthMonitor');
+const SettingsService = require('./services/SettingsService');
+healthMonitor.start(() => new SettingsService().get());
+// Scheduled reports
+const ReportService = require('./services/ReportService');
+ReportService.startScheduler(() => new SettingsService().get());
+
+const server = app.listen(config.PORT, () => {
+  logger.info('LogBoard  →  http://localhost:'+config.PORT);
+  logger.info('Env: '+config.NODE_ENV+'  |  Log dir: '+config.LOG_BASE_DIR);
+  logger.info('Data dir: '+config.DATA_DIR);
+});
+
+let shuttingDown = false;
+async function shutdown(sig) {
+  if (shuttingDown) return; shuttingDown=true;
+  logger.info(sig+' received. Shutting down…');
+  server.close(async () => {
+    try { await batchWriter.flushAll(); } catch(e) { logger.error('Flush: '+e.message); }
+    closeAllStreams();
+    logger.info('Shutdown complete.');
+    process.exit(0);
+  });
+  setTimeout(() => { logger.error('Forced exit.'); process.exit(1); }, 10000).unref();
+}
+process.on('SIGTERM', ()=>shutdown('SIGTERM'));
+process.on('SIGINT',  ()=>shutdown('SIGINT'));
+process.on('uncaughtException',  e=>{ logger.error('Uncaught: '+e.stack); shutdown('uncaughtException'); });
+process.on('unhandledRejection', r=>{ logger.error('UnhandledRejection: '+r); });

package/routes/settings.js

@@ -0,0 +1,28 @@
+'use strict';
+const { Router }         = require('express');
+const SettingsService    = require('../services/SettingsService');
+const SettingsController = require('../controllers/SettingsController');
+const { authenticate }   = require('../middleware/auth');
+const requireRole        = require('../middleware/roles');
+const { bustCache }      = require('../middleware/ipWhitelist');
+
+const router = Router();
+
+// ── Org-aware per-request SettingsController ──────────────────────────────
+function getCtrl(req) {
+  return new SettingsController(new SettingsService(req.org));
+}
+
+// Any authenticated user can read settings
+router.get('/', authenticate, (req, res) => getCtrl(req).getSettings(req, res));
+
+// Admin-only mutations
+router.post('/', authenticate, requireRole('admin'), async (req, res) => {
+  const ctrl = getCtrl(req);
+  await ctrl.saveSettings(req, res);
+  bustCache(); // Clear IP whitelist cache after settings update
+});
+router.post('/cleanup', authenticate, requireRole('admin'), (req, res) => getCtrl(req).runCleanup(req, res));
+router.post('/reset',   authenticate, requireRole('admin'), (req, res) => getCtrl(req).resetSettings(req, res));
+
+module.exports = router;

package/routes/status.js

@@ -0,0 +1,21 @@
+'use strict';
+const { Router } = require('express');
+const router = Router();
+const AnalyticsService = require('../services/AnalyticsService');
+const svc = new AnalyticsService();
+
+// Public — no auth needed
+router.get('/', async (req, res) => {
+	try {
+		const data = await svc.getStatusPage();
+		const accept = req.headers.accept || '';
+		if (accept.includes('application/json')) {
+			return res.json(data);
+		}
+		res.render('status', { title: 'Status', data, appName: 'LogBoard', appLogoUrl: '/public/logo.png', user: null, allowedPages: null, allowedCards: [] });
+	} catch (e) {
+		res.status(500).json({ error: e.message });
+	}
+});
+
+module.exports = router;

package/routes/stream.js

@@ -0,0 +1,11 @@
+'use strict';
+const { Router } = require('express');
+const StreamController = require('../controllers/StreamController');
+const { authenticate } = require('../middleware/auth');
+
+const router = Router();
+const ctrl = new StreamController();
+
+router.get('/', authenticate, (req, res) => ctrl.stream(req, res));
+
+module.exports = router;

package/routes/super.js

@@ -0,0 +1,129 @@
+'use strict';
+const { Router }       = require('express');
+const { authenticate } = require('../middleware/auth');
+const { requireSuperAdmin } = require('../middleware/org');
+const OrgService       = require('../services/OrgService');
+const GlobalSettings   = require('../services/GlobalSettingsService');
+const config           = require('../config');
+const fsP              = require('fs').promises;
+const path             = require('path');
+
+const router = Router();
+const sa     = [authenticate, requireSuperAdmin];
+
+// ── Platform stats ─────────────────────────────────────────────────────────
+router.get('/platform-stats', ...sa, async (req, res) => {
+  try {
+    const orgs = await OrgService.getOrgs();
+    let totalUsers = 0, totalServices = 0, totalStorage = 0;
+    const orgDetails = [];
+    for (const org of Object.values(orgs)) {
+      const p = OrgService.orgPaths(org.slug);
+      let userCount = 0, serviceCount = 0, storage = 0;
+      try { userCount = Object.keys(JSON.parse(await fsP.readFile(p.usersFile,'utf8'))).length; } catch {}
+      try {
+        const dirs = await fsP.readdir(p.logsDir);
+        serviceCount = dirs.filter(d => !['_archive','app','unknown'].includes(d)).length;
+        for (const d of dirs) {
+          try {
+            const st = await fsP.stat(path.join(p.logsDir, d));
+            if (st.isDirectory()) {
+              const files = await fsP.readdir(path.join(p.logsDir, d));
+              for (const f of files) {
+                try { const s = await fsP.stat(path.join(p.logsDir, d, f)); storage += s.size; } catch {}
+              }
+            }
+          } catch {}
+        }
+      } catch {}
+      totalUsers   += userCount;
+      totalServices += serviceCount;
+      totalStorage  += storage;
+      orgDetails.push({ ...org, userCount, serviceCount, storage, storageHuman: formatBytes(storage) });
+    }
+    res.json({ totalOrgs: Object.keys(orgs).length, totalUsers, totalServices, totalStorage, totalStorageHuman: formatBytes(totalStorage), orgs: orgDetails });
+  } catch(e) { res.status(500).json({ error: e.message }); }
+});
+
+// ── System health ──────────────────────────────────────────────────────────
+router.get('/system-health', ...sa, async (req, res) => {
+  const os = require('os');
+  const total = os.totalmem(), free = os.freemem();
+  res.json({
+    node:     process.version,
+    pid:      process.pid,
+    uptime:   Math.round(process.uptime()),
+    platform: process.platform,
+    arch:     process.arch,
+    ramUsed:  Math.round((total-free)/1024/1024),
+    ramTotal: Math.round(total/1024/1024),
+    ramPct:   Math.round((total-free)/total*100),
+    cpus:     os.cpus().length,
+    hostname: os.hostname(),
+    env:      process.env.NODE_ENV || 'development',
+  });
+});
+
+// ── Global settings ────────────────────────────────────────────────────────
+router.get('/settings',      ...sa, async (req, res) => { try { res.json(await GlobalSettings.get()); } catch(e) { res.status(500).json({error:e.message}); } });
+router.post('/settings',     ...sa, async (req, res) => { try { res.json(await GlobalSettings.save(req.body)); } catch(e) { res.status(500).json({error:e.message}); } });
+
+// ── Super-admin accounts ───────────────────────────────────────────────────
+router.get('/admins', ...sa, async (req, res) => {
+  try {
+    const SFILE = path.join(config.DATA_DIR, 'super-admins.json');
+    let sas = {};
+    try { sas = JSON.parse(await fsP.readFile(SFILE,'utf8')); } catch {}
+    res.json(Object.values(sas).map(s => ({ username: s.username, createdAt: s.createdAt })));
+  } catch(e) { res.status(500).json({error:e.message}); }
+});
+
+router.delete('/admins/:username', ...sa, async (req, res) => {
+  try {
+    if (req.params.username === req.user.username) return res.status(400).json({ error: 'Cannot remove yourself' });
+    const SFILE = path.join(config.DATA_DIR, 'super-admins.json');
+    let sas = {};
+    try { sas = JSON.parse(await fsP.readFile(SFILE,'utf8')); } catch {}
+    delete sas[req.params.username];
+    await fsP.writeFile(SFILE, JSON.stringify(sas, null, 2), 'utf8');
+    res.json({ success: true });
+  } catch(e) { res.status(500).json({error:e.message}); }
+});
+
+// ── Platform audit ─────────────────────────────────────────────────────────
+router.get('/audit', ...sa, async (req, res) => {
+  try {
+    const SAUDIT = path.join(config.DATA_DIR, 'super-audit.ndjson');
+    let lines = [];
+    try { lines = (await fsP.readFile(SAUDIT,'utf8')).split('\n').filter(Boolean).reverse().slice(0,200).map(l=>{try{return JSON.parse(l);}catch{return{raw:l};}}); } catch {}
+    res.json({ entries: lines, total: lines.length });
+  } catch(e) { res.status(500).json({error:e.message}); }
+});
+
+function formatBytes(b) {
+  if (b < 1024) return b+'B';
+  if (b < 1024*1024) return (b/1024).toFixed(1)+'KB';
+  if (b < 1024*1024*1024) return (b/1024/1024).toFixed(1)+'MB';
+  return (b/1024/1024/1024).toFixed(2)+'GB';
+}
+
+module.exports = router;
+
+// ── Super-admin change password ───────────────────────────────────────────
+router.post('/change-password', ...sa, async (req, res) => {
+  try {
+    const { currentPassword, newPassword } = req.body;
+    if (!newPassword || newPassword.length < 8) return res.status(400).json({ error: 'New password must be at least 8 characters' });
+    const SFILE  = path.join(config.DATA_DIR, 'super-admins.json');
+    const bcrypt = require('bcryptjs');
+    let sas = {};
+    try { sas = JSON.parse(await fsP.readFile(SFILE,'utf8')); } catch {}
+    const sa = sas[req.user.username];
+    if (!sa) return res.status(404).json({ error: 'Account not found' });
+    const valid = await bcrypt.compare(currentPassword, sa.password);
+    if (!valid) return res.status(401).json({ error: 'Current password is incorrect' });
+    sas[req.user.username].password = await bcrypt.hash(newPassword, 10);
+    await fsP.writeFile(SFILE, JSON.stringify(sas, null, 2), 'utf8');
+    res.json({ success: true });
+  } catch(e) { res.status(500).json({ error: e.message }); }
+});

package/routes/ui.js

@@ -0,0 +1,120 @@
+'use strict';
+const { Router }       = require('express');
+const { authenticateUI } = require('../middleware/auth');
+const { requirePage }  = require('../middleware/pageAccess');
+const { requireSuperAdmin } = require('../middleware/org');
+const OrgController    = require('../controllers/OrgController');
+
+const router   = Router();
+const orgCtrl  = new OrgController();
+let ctrl; // set by setWriter() after batchWriter is ready
+
+// ── Inject LogService + AnalyticsService ─────────────────────────────────
+const LogService       = require('../services/LogService');
+const AnalyticsService = require('../services/AnalyticsService');
+
+module.exports.setWriter = function (bw) {
+  const UiController = require('../controllers/UiController');
+  ctrl = new UiController(new LogService(bw), new AnalyticsService());
+};
+
+// ── Public ────────────────────────────────────────────────────────────────
+router.get('/login',        (req, res) => ctrl ? ctrl.loginPage(req, res) : res.redirect('/login'));
+router.get('/invite/:token', (req, res) => orgCtrl.invitePage(req, res));
+
+// ── Main ──────────────────────────────────────────────────────────────────
+router.get('/',          authenticateUI, requirePage('dashboard'), (req, res) => ctrl.dashboard(req, res));
+router.get('/dashboard', authenticateUI, requirePage('dashboard'), (req, res) => ctrl.dashboard(req, res));
+router.get('/logs',      authenticateUI, requirePage('logs'),      (req, res) => ctrl.logsPage(req, res));
+router.get('/live',      authenticateUI, requirePage('live'),      (req, res) => ctrl.livePage(req, res));
+router.get('/insights',  authenticateUI, requirePage('insights'),  (req, res) => ctrl.insightsPage(req, res));
+
+// ── Monitor ───────────────────────────────────────────────────────────────
+router.get('/health',  authenticateUI, requirePage('health'),  (req, res) => ctrl.healthPage(req, res));
+router.get('/alerts',  authenticateUI, requirePage('alerts'),  (req, res) => ctrl.alertsPage(req, res));
+router.get('/archive', authenticateUI, requirePage('archive'), (req, res) => ctrl.archivePage(req, res));
+
+// ── Admin ─────────────────────────────────────────────────────────────────
+router.get('/users',     authenticateUI, requirePage('users'),     (req, res) => ctrl.usersPage(req, res));
+router.get('/api-keys',  authenticateUI, requirePage('api-keys'),  (req, res) => ctrl.apiKeysPage(req, res));
+router.get('/roles',     authenticateUI, requirePage('roles'),     (req, res) => ctrl.rolesPage(req, res));
+router.get('/settings',  authenticateUI, requirePage('settings'),  (req, res) => ctrl.settingsPage(req, res));
+router.get('/audit',     authenticateUI, requirePage('audit'),     (req, res) => ctrl.auditPage(req, res));
+
+// ── Extra ─────────────────────────────────────────────────────────────────
+router.get('/bookmarks',       authenticateUI, (req, res) => ctrl.bookmarksPage(req, res));
+router.get('/saved-searches',  authenticateUI, (req, res) => ctrl.savedSearchesPage(req, res));
+router.get('/notifications',   authenticateUI, (req, res) => ctrl.notificationsPage(req, res));
+router.get('/custom-dashboard',authenticateUI, (req, res) => ctrl.customDashboardPage(req, res));
+router.get('/heatmap',      authenticateUI, requirePage('insights'), (req, res) => ctrl.heatmapPage(req, res));
+router.get('/diff',         authenticateUI, requirePage('insights'), (req, res) => ctrl.diffPage(req, res));
+router.get('/service-map',  authenticateUI, requirePage('insights'), (req, res) => ctrl.serviceMapPage(req, res));
+
+// ── Super-admin ───────────────────────────────────────────────────────────
+router.get('/super-admin/orgs', authenticateUI, requireSuperAdmin, (req, res) => orgCtrl.orgsPage(req, res));
+
+// ── Legacy redirects ──────────────────────────────────────────────────────
+router.get('/analytics',     authenticateUI, (req, res) => res.redirect(`/insights?tab=log${req.query.service ? `&service=${req.query.service}` : ''}${req.query.date ? `&date=${req.query.date}` : ''}`));
+router.get('/api-analytics', authenticateUI, (req, res) => res.redirect('/insights?tab=api'));
+
+module.exports.router = router;
+// ── Super-admin UI pages ─────────────────────────────────────────────────
+router.get('/super-admin/analytics', authenticateUI, requireSuperAdmin, async (req, res) => {
+  const gs = require('../services/GlobalSettingsService');
+  const { buildThemeSnippet } = require('../lib/theme');
+  let settings = {};
+  try { settings = await new (require('../services/SettingsService'))(null).get(); } catch {}
+  res.render('super-admin-analytics', {
+    title:'Platform Analytics', user:req.user, allowedPages:[], allowedCards:[],
+    settings, appName:settings.appName||'LogBoard', appLogoUrl:settings.appLogoUrl||'/public/logo.png',
+    themeSnippet: buildThemeSnippet(settings),
+  });
+});
+
+router.get('/super-admin/system', authenticateUI, requireSuperAdmin, async (req, res) => {
+  const { buildThemeSnippet } = require('../lib/theme');
+  let settings = {};
+  try { settings = await new (require('../services/SettingsService'))(null).get(); } catch {}
+  res.render('super-admin-system', {
+    title:'System Health', user:req.user, allowedPages:[], allowedCards:[],
+    settings, appName:settings.appName||'LogBoard', appLogoUrl:settings.appLogoUrl||'/public/logo.png',
+    themeSnippet: buildThemeSnippet(settings),
+  });
+});
+
+router.get('/super-admin/settings', authenticateUI, requireSuperAdmin, async (req, res) => {
+  const GlobalSettings = require('../services/GlobalSettingsService');
+  const { buildThemeSnippet } = require('../lib/theme');
+  let settings = {}, globalSettings = {};
+  try { settings = await new (require('../services/SettingsService'))(null).get(); } catch {}
+  try { globalSettings = await GlobalSettings.get(); } catch {}
+  res.render('super-admin-settings', {
+    title:'Global Settings', user:req.user, allowedPages:[], allowedCards:[],
+    settings, globalSettings, appName:settings.appName||'LogBoard',
+    appLogoUrl:settings.appLogoUrl||'/public/logo.png',
+    themeSnippet:buildThemeSnippet(settings),
+    baseUrl: globalSettings.appBaseUrl||'http://localhost:9900',
+  });
+});
+
+router.get('/super-admin/admins', authenticateUI, requireSuperAdmin, async (req, res) => {
+  const { buildThemeSnippet } = require('../lib/theme');
+  let settings = {};
+  try { settings = await new (require('../services/SettingsService'))(null).get(); } catch {}
+  res.render('super-admin-admins', {
+    title:'Super Admins', user:req.user, allowedPages:[], allowedCards:[],
+    settings, appName:settings.appName||'LogBoard', appLogoUrl:settings.appLogoUrl||'/public/logo.png',
+    themeSnippet:buildThemeSnippet(settings),
+  });
+});
+
+router.get('/super-admin/profile', authenticateUI, requireSuperAdmin, async (req, res) => {
+  const { buildThemeSnippet } = require('../lib/theme');
+  let settings = {};
+  try { settings = await new (require('../services/SettingsService'))(null).get(); } catch {}
+  res.render('super-admin-profile', {
+    title:'My Profile', user:req.user, allowedPages:[], allowedCards:[],
+    settings, appName:settings.appName||'LogBoard', appLogoUrl:settings.appLogoUrl||'/public/logo.png',
+    themeSnippet:buildThemeSnippet(settings),
+  });
+});

package/routes/users.js

@@ -0,0 +1,13 @@
+'use strict';
+const { Router }=require('express');
+const UserController=require('../controllers/UserController');
+const { authenticate }=require('../middleware/auth');
+const requireRole=require('../middleware/roles');
+const router=Router(), ctrl=new UserController(), admin=[authenticate, requireRole('admin')];
+router.get('/', ...admin, (req, res) => ctrl.list(req, res));
+router.post('/', ...admin, (req, res) => ctrl.create(req, res));
+router.put('/:username/role', ...admin, (req, res) => ctrl.updateRole(req, res));
+router.put('/:username/reset-password', ...admin, (req, res) => ctrl.resetPassword(req, res));
+router.delete('/:username', ...admin, (req, res) => ctrl.remove(req, res));
+router.delete('/:username/2fa', ...admin, (req, res) => ctrl.revoke2fa(req, res));
+module.exports=router;