@omniradiology/omnirad 0.1.3

package/app/api/copilot/history/route.ts

@@ -0,0 +1,95 @@
+import { NextRequest, NextResponse } from "next/server";
+import { sqlite } from "@/db";
+
+// GET /api/copilot/history — get chat history
+export async function GET(req: NextRequest) {
+    const { searchParams } = new URL(req.url);
+    const sessionId = searchParams.get("sessionId");
+
+    try {
+        if (sessionId) {
+            // Return all messages for a specific session
+            const stmt = sqlite.prepare(
+                "SELECT * FROM chat_messages WHERE session_id = ? ORDER BY created_at ASC"
+            );
+            const messages = stmt.all(sessionId);
+
+            return NextResponse.json(
+                messages.map((m: any) => ({
+                    id: m.id,
+                    role: m.role,
+                    content: m.content,
+                    viewerActions: m.viewer_actions ? JSON.parse(m.viewer_actions) : [],
+                    references: m.references_data ? JSON.parse(m.references_data) : [],
+                    timestamp: m.created_at,
+                }))
+            );
+        }
+
+        // Return list of all sessions (grouped)
+        const stmt = sqlite.prepare(`
+            SELECT 
+                session_id,
+                MAX(patient_id) as patient_id,
+                MIN(created_at) as first_message,
+                MAX(created_at) as last_message,
+                COUNT(*) as message_count
+            FROM chat_messages 
+            GROUP BY session_id
+            ORDER BY MAX(created_at) DESC
+            LIMIT 50
+        `);
+        const sessions = stmt.all();
+
+        // Get the latest message content for each session
+        const result = (sessions as any[]).map((s: any) => {
+            const lastMsg = sqlite.prepare(
+                "SELECT content FROM chat_messages WHERE session_id = ? ORDER BY created_at DESC LIMIT 1"
+            ).get(s.session_id) as any;
+
+            // Get patient name if patient_id exists
+            let patientName = null;
+            if (s.patient_id) {
+                const patient = sqlite.prepare(
+                    "SELECT patient_name FROM patients WHERE id = ?"
+                ).get(s.patient_id) as any;
+                if (patient) patientName = patient.patient_name;
+            }
+
+            return {
+                sessionId: s.session_id,
+                patientId: s.patient_id,
+                patientName,
+                lastMessage: lastMsg?.content || "",
+                messageCount: s.message_count,
+                createdAt: s.first_message,
+                updatedAt: s.last_message,
+            };
+        });
+
+        return NextResponse.json(result);
+    } catch (error: any) {
+        console.error("[Copilot] History error:", error);
+        return NextResponse.json({ error: error.message }, { status: 500 });
+    }
+}
+
+// DELETE /api/copilot/history — clear session history
+export async function DELETE(req: NextRequest) {
+    const { searchParams } = new URL(req.url);
+    const sessionId = searchParams.get("sessionId");
+
+    try {
+        if (sessionId) {
+            sqlite.prepare("DELETE FROM chat_messages WHERE session_id = ?").run(sessionId);
+            return NextResponse.json({ success: true, message: `Session ${sessionId} cleared.` });
+        }
+
+        // Clear all chat history
+        sqlite.exec("DELETE FROM chat_messages");
+        return NextResponse.json({ success: true, message: "All chat history cleared." });
+    } catch (error: any) {
+        console.error("[Copilot] Delete error:", error);
+        return NextResponse.json({ error: error.message }, { status: 500 });
+    }
+}

package/app/api/copilot/reports/route.ts

@@ -0,0 +1,81 @@
+import { NextRequest, NextResponse } from "next/server";
+import { sqlite } from "@/db";
+
+// GET /api/copilot/reports — get report data for the viewer panel
+export async function GET(req: NextRequest) {
+    const { searchParams } = new URL(req.url);
+    const id = searchParams.get("id");
+    const patientId = searchParams.get("patientId");
+
+    try {
+        if (id) {
+            // Get specific report by DB id
+            let row = sqlite.prepare("SELECT * FROM reports WHERE id = ?").get(id) as any;
+
+            // If not found by DB id, search by report_header.report_id in JSON
+            if (!row) {
+                const allReports = sqlite.prepare("SELECT * FROM reports").all() as any[];
+                for (const r of allReports) {
+                    try {
+                        const rd = JSON.parse(r.report_data);
+                        if (rd?.report_header?.report_id === id) {
+                            row = r;
+                            break;
+                        }
+                    } catch { /* skip */ }
+                }
+            }
+
+            if (!row) {
+                return NextResponse.json({ error: "Report not found" }, { status: 404 });
+            }
+
+            const reportData = typeof row.report_data === 'string' ? JSON.parse(row.report_data) : row.report_data;
+
+            return NextResponse.json({
+                id: row.id,
+                patientId: row.patient_id,
+                patientName: row.patient_name,
+                modality: row.modality,
+                urgency: row.urgency,
+                reportStatus: row.report_status,
+                reportData,
+                imageData: row.image_data || null,
+                pacsStudyUid: row.pacs_study_uid,
+                createdAt: row.created_at,
+            });
+        }
+
+        if (patientId) {
+            // Get all reports for a patient
+            const rows = sqlite.prepare(
+                "SELECT id, patient_name, modality, urgency, report_status, report_data, image_data, created_at FROM reports WHERE patient_id = ? ORDER BY created_at DESC"
+            ).all(patientId) as any[];
+
+            const reports = rows.map((row: any) => {
+                let reportData: any = {};
+                try {
+                    reportData = JSON.parse(row.report_data);
+                } catch { /* skip */ }
+
+                return {
+                    id: row.id,
+                    reportId: reportData?.report_header?.report_id || row.id,
+                    patientName: row.patient_name,
+                    modality: reportData?.study?.modality || row.modality,
+                    date: reportData?.report_header?.report_date || row.created_at,
+                    status: row.report_status,
+                    urgency: reportData?.urgency || row.urgency,
+                    hasImages: !!(row.image_data || reportData?.image_data),
+                };
+            });
+
+            return NextResponse.json(reports);
+        }
+
+        return NextResponse.json({ error: "Either 'id' or 'patientId' parameter is required" }, { status: 400 });
+    } catch (error: any) {
+        console.error("[Copilot] Reports error:", error);
+        return NextResponse.json({ error: error.message }, { status: 500 });
+    }
+}

package/app/api/fhir/Bundle/report/[id]/route.ts

@@ -0,0 +1,85 @@
+/// <reference types="fhir" />
+import { NextRequest } from "next/server";
+import { db } from "@/db";
+import { reports, patients } from "@/db/schema";
+import { eq } from "drizzle-orm";
+import { 
+    toFhirPatient, 
+    toFhirDiagnosticReport, 
+    toFhirImagingStudy, 
+    fhirResponse, 
+    fhirErrorResponse, 
+    requireFhirAccess 
+} from "@/lib/fhir";
+
+
+export async function GET(
+    request: NextRequest,
+    { params }: { params: Promise<{ id: string }> }
+) {
+    // 1. Auth check
+    const authError = await requireFhirAccess(request, "read");
+    if (authError) return authError;
+
+    // 2. Fetch data
+    const { id } = await params;
+    const reportRow = db.select().from(reports).where(eq(reports.id, id)).get();
+
+    if (!reportRow) {
+        return fhirErrorResponse("not-found", `DiagnosticReport with id '${id}' not found`, 404);
+    }
+
+    let reportData;
+    try {
+        reportData = JSON.parse(reportRow.reportData);
+    } catch (e) {
+        return fhirErrorResponse("exception", "Failed to parse internal report data", 500);
+    }
+
+    const patientRow = reportRow.patientId 
+        ? db.select().from(patients).where(eq(patients.id, reportRow.patientId)).get() 
+        : undefined;
+
+    // 3. Serialize resources
+    const entries: fhir4.BundleEntry[] = [];
+
+    // Add Patient
+    if (patientRow) {
+        entries.push({
+            fullUrl: `urn:uuid:${patientRow.id}`,
+            resource: toFhirPatient(patientRow as any)
+        });
+    }
+
+    // Add DiagnosticReport
+    const fhirReport = toFhirDiagnosticReport({
+        report: reportRow,
+        reportData,
+        patient: patientRow as any
+    });
+    entries.push({
+        fullUrl: `urn:uuid:${fhirReport.id}`,
+        resource: fhirReport
+    });
+
+    // Add ImagingStudy if it exists
+    if (reportRow.pacsStudyUid) {
+        const fhirStudy = toFhirImagingStudy({
+            report: reportRow,
+            reportData,
+            patient: patientRow as any
+        });
+        entries.push({
+            fullUrl: `urn:uuid:${fhirStudy.id}`,
+            resource: fhirStudy
+        });
+    }
+
+    const bundle: fhir4.Bundle = {
+        resourceType: "Bundle",
+        type: "collection",
+        entry: entries
+    };
+
+    return fhirResponse(bundle);
+}

package/app/api/fhir/DiagnosticReport/[id]/route.ts

@@ -0,0 +1,45 @@
+import { NextRequest } from "next/server";
+import { db } from "@/db";
+import { reports, patients } from "@/db/schema";
+import { eq } from "drizzle-orm";
+import { toFhirDiagnosticReport, fhirResponse, fhirErrorResponse, requireFhirAccess } from "@/lib/fhir";
+
+export async function GET(
+    request: NextRequest,
+    { params }: { params: Promise<{ id: string }> }
+) {
+    // 1. Auth check
+    const authError = await requireFhirAccess(request, "read");
+    if (authError) return authError;
+
+    // 2. Fetch data
+    const { id } = await params;
+    const reportRow = db.select().from(reports).where(eq(reports.id, id)).get();
+
+    if (!reportRow) {
+        return fhirErrorResponse("not-found", `DiagnosticReport with id '${id}' not found`, 404);
+    }
+
+    let reportData;
+    try {
+        reportData = JSON.parse(reportRow.reportData);
+    } catch (e) {
+        return fhirErrorResponse("exception", "Failed to parse internal report data", 500);
+    }
+
+    const patientRow = reportRow.patientId 
+        ? db.select().from(patients).where(eq(patients.id, reportRow.patientId)).get() 
+        : undefined;
+
+    // Optional PDF generation handling could go here
+    // const includePdf = request.nextUrl.searchParams.get("includePdf") === "true";
+
+    // 3. Serialize and return
+    const resource = toFhirDiagnosticReport({
+        report: reportRow,
+        reportData,
+        patient: patientRow as any
+    });
+
+    return fhirResponse(resource);
+}

package/app/api/fhir/ImagingStudy/[id]/route.ts

@@ -0,0 +1,57 @@
+import { NextRequest } from "next/server";
+import { db } from "@/db";
+import { reports, patients } from "@/db/schema";
+import { eq, or } from "drizzle-orm";
+import { toFhirImagingStudy, fhirResponse, fhirErrorResponse, requireFhirAccess, sanitizeId } from "@/lib/fhir";
+
+export async function GET(
+    request: NextRequest,
+    { params }: { params: Promise<{ id: string }> }
+) {
+    // 1. Auth check
+    const authError = await requireFhirAccess(request, "read");
+    if (authError) return authError;
+
+    // 2. Fetch data
+    const { id } = await params;
+    
+    // We try to find the report by its sanitized PACS UID OR its internal ID
+    // Since we don't have a direct index on sanitized UID, we might just load by ID
+    // or by exact pacsStudyUid if they provided the raw one
+    const reportRow = db.select().from(reports)
+        .where(or(
+            eq(reports.id, id),
+            eq(reports.pacsStudyUid, id) // Fallback in case they used the raw DICOM UID
+        )).get();
+
+    if (!reportRow) {
+        // As a fallback, we could query all reports and sanitize their UIDs, but for performance,
+        // we'll stick to ID or raw UID for now. If they want to use sanitized UID, they should
+        // look it up via DiagnosticReport.imagingStudy.reference first.
+        return fhirErrorResponse("not-found", `ImagingStudy with id '${id}' not found`, 404);
+    }
+
+    if (!reportRow.pacsStudyUid) {
+        return fhirErrorResponse("not-supported", `Report '${reportRow.id}' does not have associated PACS metadata`, 404);
+    }
+
+    let reportData;
+    try {
+        reportData = JSON.parse(reportRow.reportData);
+    } catch (e) {
+        return fhirErrorResponse("exception", "Failed to parse internal report data", 500);
+    }
+
+    const patientRow = reportRow.patientId 
+        ? db.select().from(patients).where(eq(patients.id, reportRow.patientId)).get() 
+        : undefined;
+
+    // 3. Serialize and return
+    const resource = toFhirImagingStudy({
+        report: reportRow,
+        reportData,
+        patient: patientRow as any
+    });
+
+    return fhirResponse(resource);
+}

package/app/api/fhir/Patient/[id]/route.ts

@@ -0,0 +1,26 @@
+import { NextRequest } from "next/server";
+import { db } from "@/db";
+import { patients } from "@/db/schema";
+import { eq } from "drizzle-orm";
+import { toFhirPatient, fhirResponse, fhirErrorResponse, requireFhirAccess } from "@/lib/fhir";
+
+export async function GET(
+    request: NextRequest,
+    { params }: { params: Promise<{ id: string }> }
+) {
+    // 1. Auth check
+    const authError = await requireFhirAccess(request, "read");
+    if (authError) return authError;
+
+    // 2. Fetch data
+    const { id } = await params;
+    const patientRow = db.select().from(patients).where(eq(patients.id, id)).get();
+
+    if (!patientRow) {
+        return fhirErrorResponse("not-found", `Patient with id '${id}' not found`, 404);
+    }
+
+    // 3. Serialize and return
+    const resource = toFhirPatient(patientRow as any);
+    return fhirResponse(resource);
+}

package/app/api/fhir/ServiceRequest/route.ts

@@ -0,0 +1,85 @@
+/// <reference types="fhir" />
+import { NextRequest } from "next/server";
+import { db } from "@/db";
+import { patients, worklistOrders } from "@/db/schema";
+import { eq } from "drizzle-orm";
+import { 
+    parseInboundServiceRequest, 
+    toFhirServiceRequest,
+    fhirResponse, 
+    fhirErrorResponse, 
+    requireFhirAccess 
+} from "@/lib/fhir";
+
+
+export async function POST(request: NextRequest) {
+    // 1. Auth check
+    const authError = await requireFhirAccess(request, "write");
+    if (authError) return authError;
+
+    // 2. Validate content type
+    const contentType = request.headers.get("content-type");
+    if (!contentType?.includes("application/fhir+json")) {
+        return fhirErrorResponse("invalid", "Content-Type must be application/fhir+json", 415);
+    }
+
+    try {
+        const body = await request.json() as fhir4.ServiceRequest;
+
+        if (body.resourceType !== "ServiceRequest") {
+            return fhirErrorResponse("invalid", `Expected ServiceRequest, got ${body.resourceType}`, 400);
+        }
+
+        // 3. Parse and map to OmniRad model
+        const orderInput = parseInboundServiceRequest(body);
+        
+        // Ensure patient exists
+        let patientId = orderInput.patientId;
+        
+        if (orderInput.patientIdentifier && !patientId) {
+            // Try to find patient by identifier
+            const existing = db.select().from(patients).where(eq(patients.patientIdNumber, orderInput.patientIdentifier)).get();
+            if (existing) {
+                patientId = existing.id;
+            } else {
+                // We could auto-create a patient stub here if we had all the details, 
+                // but usually the EMR sends Patient first or we match by demographics.
+                // For MVP, we'll store the order without a linked patient ID, but keeping the name/identifier.
+            }
+        }
+
+        const newId = `order_${Date.now()}_${Math.random().toString(36).substring(2, 9)}`;
+
+        // 4. Store in database
+        const newOrder = {
+            id: newId,
+            sourceSystem: "FHIR",
+            fhirServiceRequestId: body.id || null,
+            patientId: patientId || null,
+            patientName: orderInput.patientName,
+            patientIdentifier: orderInput.patientIdentifier,
+            status: orderInput.status,
+            intent: orderInput.intent,
+            priority: orderInput.priority,
+            urgency: orderInput.urgency,
+            modality: orderInput.modality || null,
+            requestedProcedure: orderInput.requestedProcedure,
+            reason: orderInput.reason || null,
+            authoredOn: orderInput.authoredOn || new Date().toISOString(),
+            requesterDisplay: orderInput.requesterDisplay || null,
+            rawFhir: JSON.stringify(body),
+            createdAt: new Date().toISOString(),
+            updatedAt: new Date().toISOString()
+        };
+
+        db.insert(worklistOrders).values(newOrder).run();
+
+        // 5. Return success with the stored resource representation
+        const storedResource = toFhirServiceRequest(newOrder as any);
+        return fhirResponse(storedResource, 201);
+
+    } catch (e: any) {
+        console.error("[FHIR ServiceRequest] Error processing inbound order:", e);
+        return fhirErrorResponse("exception", `Failed to process ServiceRequest: ${e.message}`, 400);
+    }
+}

package/app/api/fhir/config/route.ts

@@ -0,0 +1,102 @@
+import { NextRequest, NextResponse } from "next/server";
+import { db } from "@/db";
+import { fhirIntegrationConfig } from "@/db/schema";
+import { eq } from "drizzle-orm";
+import { requireUser, requirePermission, handleAuthError } from "@/lib/security/authz";
+import { maskSecret } from "@/lib/security/secrets";
+import { safeError } from "@/lib/security/phi-redaction";
+import { auditSuccess, auditEventFromContext } from "@/lib/security/audit";
+
+export async function GET(request: NextRequest) {
+    try {
+        const ctx = await requireUser(request);
+        requirePermission(ctx, "settings.read");
+
+        const row = db.select().from(fhirIntegrationConfig).where(eq(fhirIntegrationConfig.id, 1)).get();
+        if (!row) {
+            return NextResponse.json({
+                enabled: false,
+                publicBaseUrl: "",
+                authMode: "bearer_token",
+                inboundServiceRequestEnabled: false,
+                outboundReadEnabled: true,
+                externalFhirBaseUrl: "",
+                externalFhirAuthType: "none",
+                externalFhirClientId: "",
+                externalFhirClientSecret: "",
+                hasClientSecret: false,
+                externalFhirBearerToken: "",
+                hasBearerToken: false,
+            });
+        }
+        return NextResponse.json({
+            enabled: row.enabled ?? false,
+            publicBaseUrl: row.publicBaseUrl || "",
+            authMode: row.authMode || "bearer_token",
+            inboundServiceRequestEnabled: row.inboundServiceRequestEnabled ?? false,
+            outboundReadEnabled: row.outboundReadEnabled ?? true,
+            externalFhirBaseUrl: row.externalFhirBaseUrl || "",
+            externalFhirAuthType: row.externalFhirAuthType || "none",
+            externalFhirClientId: row.externalFhirClientId || "",
+            externalFhirClientSecret: maskSecret(row.externalFhirClientSecret),
+            hasClientSecret: !!(row.externalFhirClientSecret && row.externalFhirClientSecret.length > 0),
+            externalFhirBearerToken: maskSecret(row.externalFhirBearerToken),
+            hasBearerToken: !!(row.externalFhirBearerToken && row.externalFhirBearerToken.length > 0),
+        });
+    } catch (error) {
+        if ((error as any)?.statusCode) return handleAuthError(error);
+        safeError("Error reading FHIR configuration:", error);
+        return NextResponse.json({ error: "Failed to read FHIR configuration" }, { status: 500 });
+    }
+}
+
+export async function POST(request: NextRequest) {
+    try {
+        const ctx = await requireUser(request);
+        requirePermission(ctx, "settings.write");
+
+        const data = await request.json();
+        const exists = db.select().from(fhirIntegrationConfig).where(eq(fhirIntegrationConfig.id, 1)).get();
+        const now = new Date().toISOString();
+
+        const updateData: Record<string, any> = {
+            enabled: data.enabled ?? false,
+            publicBaseUrl: data.publicBaseUrl || "",
+            authMode: data.authMode || "bearer_token",
+            inboundServiceRequestEnabled: data.inboundServiceRequestEnabled ?? false,
+            outboundReadEnabled: data.outboundReadEnabled ?? true,
+            externalFhirBaseUrl: data.externalFhirBaseUrl || "",
+            externalFhirAuthType: data.externalFhirAuthType || "none",
+            externalFhirClientId: data.externalFhirClientId || "",
+            updatedAt: now,
+        };
+
+        // Only update secrets if new non-masked values provided
+        if (data.externalFhirClientSecret && !data.externalFhirClientSecret.startsWith("********")) {
+            updateData.externalFhirClientSecret = data.externalFhirClientSecret;
+        }
+        if (data.externalFhirBearerToken && !data.externalFhirBearerToken.startsWith("********")) {
+            updateData.externalFhirBearerToken = data.externalFhirBearerToken;
+        }
+
+        if (exists) {
+            db.update(fhirIntegrationConfig).set(updateData).where(eq(fhirIntegrationConfig.id, 1)).run();
+        } else {
+            db.insert(fhirIntegrationConfig).values({
+                id: 1,
+                ...updateData,
+                createdAt: now,
+            }).run();
+        }
+
+        await auditSuccess(auditEventFromContext(ctx, "settings.update", "fhir", {
+            metadata: { method: "POST", route: "/api/fhir/config" },
+        }));
+
+        return NextResponse.json({ success: true });
+    } catch (error) {
+        if ((error as any)?.statusCode) return handleAuthError(error);
+        safeError("Error saving FHIR configuration:", error);
+        return NextResponse.json({ error: "Failed to save FHIR configuration" }, { status: 500 });
+    }
+}

package/app/api/fhir/config/test-connection/route.ts

@@ -0,0 +1,49 @@
+import { NextRequest, NextResponse } from "next/server";
+import { createFhirClient } from "@/lib/fhir/client";
+import { requireUser, requirePermission, handleAuthError } from "@/lib/security/authz";
+import { safeError } from "@/lib/security/phi-redaction";
+
+export async function POST(request: NextRequest) {
+    try {
+        const ctx = await requireUser(request);
+        requirePermission(ctx, "settings.write");
+
+        const body = await request.json();
+        const {
+            externalFhirBaseUrl,
+            externalFhirAuthType,
+            externalFhirBearerToken,
+            externalFhirClientId,
+            externalFhirClientSecret
+        } = body;
+
+        if (!externalFhirBaseUrl) {
+            return NextResponse.json({ success: false, error: "FHIR Base URL is required." });
+        }
+
+        const client = createFhirClient(
+            externalFhirBaseUrl,
+            externalFhirAuthType,
+            externalFhirBearerToken,
+            externalFhirClientId,
+            externalFhirClientSecret
+        );
+
+        // Attempt to fetch capability statement (metadata)
+        const capabilityStatement = await client.capabilityStatement();
+
+        return NextResponse.json({
+            success: true,
+            fhirVersion: (capabilityStatement as any)?.fhirVersion || "Unknown",
+            softwareName: (capabilityStatement as any)?.software?.name || (capabilityStatement as any)?.publisher || "Unknown FHIR Server"
+        });
+
+    } catch (error: any) {
+        if (error?.statusCode) return handleAuthError(error);
+        safeError("FHIR Test Connection Error:", error);
+        return NextResponse.json({ 
+            success: false, 
+            error: error.message || "Failed to connect to the FHIR server. Please check your credentials and URL." 
+        });
+    }
+}

package/app/api/fhir/metadata/route.ts

@@ -0,0 +1,51 @@
+/// <reference types="fhir" />
+import { NextRequest } from "next/server";
+import { fhirResponse } from "@/lib/fhir";
+
+
+export async function GET(request: NextRequest) {
+    const origin = request.nextUrl.origin;
+    
+    const capabilityStatement: fhir4.CapabilityStatement = {
+        resourceType: "CapabilityStatement",
+        status: "active",
+        date: new Date().toISOString(),
+        publisher: "OmniRad",
+        kind: "instance",
+        software: {
+            name: "OmniRad FHIR Integration",
+            version: "1.0.0"
+        },
+        implementation: {
+            description: "OmniRad Radiology Information System",
+            url: `${origin}/api/fhir`
+        },
+        fhirVersion: "4.0.1",
+        format: ["application/fhir+json"],
+        rest: [
+            {
+                mode: "server",
+                resource: [
+                    {
+                        type: "Patient",
+                        interaction: [{ code: "read" }]
+                    },
+                    {
+                        type: "DiagnosticReport",
+                        interaction: [{ code: "read" }]
+                    },
+                    {
+                        type: "ImagingStudy",
+                        interaction: [{ code: "read" }]
+                    },
+                    {
+                        type: "ServiceRequest",
+                        interaction: [{ code: "create" }]
+                    }
+                ]
+            }
+        ]
+    };
+
+    return fhirResponse(capabilityStatement);
+}