@omnizap-system/omnizap 2.5.12

package/server/http/siteRoutingUtils.js

@@ -0,0 +1,87 @@
+const parseEnvBool = (value, fallback) => {
+  if (value === undefined || value === null || value === '') return fallback;
+  const normalized = String(value).trim().toLowerCase();
+  if (['1', 'true', 'yes', 'y', 'on'].includes(normalized)) return true;
+  if (['0', 'false', 'no', 'n', 'off'].includes(normalized)) return false;
+  return fallback;
+};
+
+export const toRequestHost = (req) =>
+  String(req?.headers?.host || '')
+    .split(',')[0]
+    .trim()
+    .toLowerCase()
+    .replace(/\.$/, '')
+    .split(':')[0];
+
+export const isIpLiteralHost = (value) => {
+  const host = String(value || '')
+    .trim()
+    .toLowerCase();
+  if (!host) return false;
+  if (/^\d{1,3}(?:\.\d{1,3}){3}$/.test(host)) return true;
+  return host.includes(':');
+};
+
+const SITE_CANONICAL_HOST =
+  String(process.env.SITE_CANONICAL_HOST || 'omnizap.shop')
+    .trim()
+    .toLowerCase() || 'omnizap.shop';
+const SITE_CANONICAL_SCHEME =
+  String(process.env.SITE_CANONICAL_SCHEME || 'https')
+    .trim()
+    .toLowerCase() === 'http'
+    ? 'http'
+    : 'https';
+const SITE_CANONICAL_REDIRECT_ENABLED = parseEnvBool(process.env.SITE_CANONICAL_REDIRECT_ENABLED, true);
+const SITE_ORIGIN = String(process.env.SITE_ORIGIN || `${SITE_CANONICAL_SCHEME}://${SITE_CANONICAL_HOST}`)
+  .trim()
+  .replace(/\/+$/, '');
+const SITE_COOKIE_DOMAIN = String(process.env.SITE_COOKIE_DOMAIN || SITE_CANONICAL_HOST)
+  .trim()
+  .toLowerCase()
+  .replace(/^https?:\/\//, '')
+  .split('/')[0]
+  .split(':')[0]
+  .replace(/^\.+/, '')
+  .replace(/\.+$/, '');
+
+export const getSiteRoutingConfig = () => ({
+  canonicalHost: SITE_CANONICAL_HOST,
+  canonicalScheme: SITE_CANONICAL_SCHEME,
+  canonicalRedirectEnabled: SITE_CANONICAL_REDIRECT_ENABLED,
+  origin: SITE_ORIGIN,
+  cookieDomain: SITE_COOKIE_DOMAIN,
+});
+
+export const toSiteAbsoluteUrl = (value) => {
+  const raw = String(value || '').trim();
+  if (!raw) return SITE_ORIGIN;
+  if (/^https?:\/\//i.test(raw)) return raw;
+  return `${SITE_ORIGIN}${raw.startsWith('/') ? raw : `/${raw}`}`;
+};
+
+export const resolveCookieDomainForRequest = (req) => {
+  if (!SITE_COOKIE_DOMAIN || isIpLiteralHost(SITE_COOKIE_DOMAIN)) return '';
+  const requestHost = toRequestHost(req);
+  if (!requestHost || isIpLiteralHost(requestHost) || requestHost === 'localhost') return '';
+  if (requestHost === SITE_COOKIE_DOMAIN) return SITE_COOKIE_DOMAIN;
+  if (requestHost.endsWith(`.${SITE_COOKIE_DOMAIN}`)) return SITE_COOKIE_DOMAIN;
+  return '';
+};
+
+export const maybeRedirectToCanonicalHost = (req, res, url) => {
+  if (!SITE_CANONICAL_REDIRECT_ENABLED) return false;
+  if (!['GET', 'HEAD'].includes(req.method || '')) return false;
+  if (!SITE_CANONICAL_HOST) return false;
+
+  const requestHost = toRequestHost(req);
+  if (requestHost !== `www.${SITE_CANONICAL_HOST}`) return false;
+
+  const location = `${SITE_CANONICAL_SCHEME}://${SITE_CANONICAL_HOST}${url.pathname}${url.search || ''}`;
+  res.statusCode = 301;
+  res.setHeader('Location', location);
+  res.setHeader('Cache-Control', 'public, max-age=3600');
+  res.end();
+  return true;
+};

package/server/index.js

@@ -0,0 +1 @@
+export { startHttpServer, stopHttpServer } from './http/httpServer.js';

package/server/middleware/cachePolicy.js

@@ -0,0 +1,26 @@
+import { URL } from 'node:url';
+
+import { isAssetPath } from './cachePolicyHelpers.js';
+
+export const applyCachePolicy = (req, res, { pathname } = {}) => {
+  const resolvedPathname = pathname || new URL(req.url || '/', 'http://localhost').pathname;
+
+  if (isAssetPath(resolvedPathname)) {
+    res.setHeader('Cache-Control', 'public, max-age=31536000, immutable');
+    return;
+  }
+
+  if (resolvedPathname === '/sitemap.xml' || resolvedPathname.startsWith('/stickers')) {
+    res.setHeader('Cache-Control', 'public, max-age=60');
+    return;
+  }
+
+  if (resolvedPathname.startsWith('/api/') || resolvedPathname.startsWith('/user') || resolvedPathname === '/login') {
+    res.setHeader('Cache-Control', 'no-store, no-cache, must-revalidate, proxy-revalidate');
+    res.setHeader('Pragma', 'no-cache');
+    res.setHeader('Expires', '0');
+    return;
+  }
+
+  res.setHeader('Cache-Control', 'no-store');
+};

package/server/middleware/cachePolicyHelpers.js

@@ -0,0 +1 @@
+export const isAssetPath = (pathname = '') => pathname === '/stickers/assets/styles.css' || pathname === '/stickers/assets/catalog.js' || pathname.startsWith('/stickers/assets/');

package/server/middleware/endpointRateLimit.js

@@ -0,0 +1,181 @@
+import { rateLimit } from 'express-rate-limit';
+import { resolveClientIp } from '../http/clientIp.js';
+
+const parseNumber = (value, fallback, min, max) => {
+  const parsed = Number(value);
+  if (!Number.isFinite(parsed)) return fallback;
+  return Math.max(min, Math.min(max, Math.floor(parsed)));
+};
+
+const buildLimiter = ({ keyPrefix, windowMs, max }) => {
+  const safeWindowMs = parseNumber(windowMs, 60_000, 1_000, 60 * 60 * 1000);
+  const safeMax = parseNumber(max, 10, 1, 100_000);
+  const safeKeyPrefix = String(keyPrefix || 'auth').trim() || 'auth';
+
+  return rateLimit({
+    windowMs: safeWindowMs,
+    limit: safeMax,
+    standardHeaders: false,
+    legacyHeaders: false,
+    validate: false,
+    keyGenerator: (req) => `${safeKeyPrefix}:${resolveClientIp(req)}`,
+    handler: (req, res, _next, options) => {
+      if (res.writableEnded) return;
+      req.__endpointRateLimitBlocked = true;
+      const retryAfterSeconds = Math.max(1, Math.ceil(Number(options?.windowMs || safeWindowMs) / 1000));
+      res.statusCode = Number(options?.statusCode || 429);
+      res.setHeader('Content-Type', 'application/json; charset=utf-8');
+      res.setHeader('Retry-After', String(retryAfterSeconds));
+      if (req.method === 'HEAD') {
+        res.end();
+        return;
+      }
+      res.end(
+        JSON.stringify({
+          error: 'Too Many Requests',
+          code: 'RATE_LIMITED',
+        }),
+      );
+    },
+  });
+};
+
+const authLoginLimiter = buildLimiter({
+  keyPrefix: 'auth_login',
+  windowMs: parseNumber(process.env.AUTH_LOGIN_RATE_LIMIT_WINDOW_MS, 60_000, 1_000, 60 * 60 * 1000),
+  max: parseNumber(process.env.AUTH_LOGIN_RATE_LIMIT_MAX, 10, 1, 100_000),
+});
+
+const authPasswordLimiter = buildLimiter({
+  keyPrefix: 'auth_password',
+  windowMs: parseNumber(process.env.AUTH_PASSWORD_RATE_LIMIT_WINDOW_MS, 60_000, 1_000, 60 * 60 * 1000),
+  max: parseNumber(process.env.AUTH_PASSWORD_RATE_LIMIT_MAX, 8, 1, 100_000),
+});
+
+const authPasswordRecoveryRequestLimiter = buildLimiter({
+  keyPrefix: 'auth_password_recovery_request',
+  windowMs: parseNumber(process.env.AUTH_PASSWORD_RECOVERY_RATE_LIMIT_WINDOW_MS, 60_000, 1_000, 60 * 60 * 1000),
+  max: parseNumber(process.env.AUTH_PASSWORD_RECOVERY_RATE_LIMIT_MAX, 4, 1, 100_000),
+});
+
+const adminSessionLimiter = buildLimiter({
+  keyPrefix: 'admin_session',
+  windowMs: parseNumber(process.env.AUTH_ADMIN_SESSION_RATE_LIMIT_WINDOW_MS, 60_000, 1_000, 60 * 60 * 1000),
+  max: parseNumber(process.env.AUTH_ADMIN_SESSION_RATE_LIMIT_MAX, 6, 1, 100_000),
+});
+
+const runLimiter = async (limiter, req, res) => {
+  req.__endpointRateLimitBlocked = false;
+
+  const runPromise = new Promise((resolve) => {
+    let nextCalled = false;
+    const next = () => {
+      nextCalled = true;
+      resolve(true);
+    };
+
+    try {
+      const maybePromise = limiter(req, res, next);
+      if (maybePromise && typeof maybePromise.then === 'function') {
+        maybePromise
+          .then(() => {
+            if (nextCalled) return;
+            if (req.__endpointRateLimitBlocked || res.writableEnded) {
+              resolve(false);
+              return;
+            }
+            resolve(true);
+          })
+          .catch(() => resolve(false));
+        return;
+      }
+
+      if (nextCalled) {
+        resolve(true);
+        return;
+      }
+
+      if (req.__endpointRateLimitBlocked || res.writableEnded) {
+        resolve(false);
+        return;
+      }
+
+      resolve(true);
+    } catch {
+      resolve(false);
+    }
+  });
+
+  return runPromise;
+};
+
+const isSensitivePostPath = (pathname) => {
+  const safePath = String(pathname || '')
+    .trim()
+    .toLowerCase();
+  if (!safePath) return null;
+
+  if (safePath.endsWith('/auth/google/session') || safePath.endsWith('/auth/login')) {
+    return 'auth_login';
+  }
+
+  if (safePath.endsWith('/auth/terms/acceptance')) {
+    return 'auth_login';
+  }
+
+  if (safePath.endsWith('/auth/password')) {
+    return 'auth_password';
+  }
+
+  if (safePath.endsWith('/auth/password/recovery/request')) {
+    return 'auth_password_recovery_request';
+  }
+
+  if (safePath.endsWith('/auth/password/recovery/verify')) {
+    return 'auth_password';
+  }
+
+  if (safePath.endsWith('/auth/password/recovery/session')) {
+    return 'auth_password';
+  }
+
+  if (safePath.endsWith('/auth/password/recovery/session/request')) {
+    return 'auth_password_recovery_request';
+  }
+
+  if (safePath.endsWith('/auth/password/recovery/session/verify')) {
+    return 'auth_password';
+  }
+
+  if (safePath.endsWith('/admin/session')) {
+    return 'admin_session';
+  }
+
+  return null;
+};
+
+export const applySensitiveRouteRateLimit = async (req, res, { pathname }) => {
+  const method = String(req?.method || '').toUpperCase();
+  if (method !== 'POST') return true;
+
+  const routeType = isSensitivePostPath(pathname);
+  if (!routeType) return true;
+
+  if (routeType === 'auth_login') {
+    return runLimiter(authLoginLimiter, req, res);
+  }
+
+  if (routeType === 'auth_password') {
+    return runLimiter(authPasswordLimiter, req, res);
+  }
+
+  if (routeType === 'auth_password_recovery_request') {
+    return runLimiter(authPasswordRecoveryRequestLimiter, req, res);
+  }
+
+  if (routeType === 'admin_session') {
+    return runLimiter(adminSessionLimiter, req, res);
+  }
+
+  return true;
+};

package/server/middleware/rateLimit.js

@@ -0,0 +1,70 @@
+import { resolveClientIp } from '../http/clientIp.js';
+
+const rateLimitBuckets = new Map();
+let pruneAt = 0;
+
+const parseNumber = (value, fallback, min, max) => {
+  const parsed = Number(value);
+  if (!Number.isFinite(parsed)) return fallback;
+  return Math.max(min, Math.min(max, Math.floor(parsed)));
+};
+
+const pruneBuckets = (windowMs, nowMs) => {
+  if (nowMs - pruneAt < windowMs) return;
+  pruneAt = nowMs;
+
+  for (const [key, bucket] of rateLimitBuckets.entries()) {
+    if (nowMs - bucket.start > windowMs) {
+      rateLimitBuckets.delete(key);
+    }
+  }
+};
+
+const sendTooManyRequests = (req, res, retryAfterSeconds) => {
+  if (res.writableEnded) return;
+  res.statusCode = 429;
+  res.setHeader('Content-Type', 'application/json; charset=utf-8');
+  res.setHeader('Retry-After', String(Math.max(1, retryAfterSeconds)));
+  if (req.method === 'HEAD') {
+    res.end();
+    return;
+  }
+  res.end(JSON.stringify({ error: 'Too Many Requests' }));
+};
+
+export const createRateLimit = ({ windowMs = 60_000, max = 60, keyPrefix = 'global' } = {}) => {
+  const safeWindowMs = parseNumber(windowMs, 60_000, 1_000, 60 * 60 * 1000);
+  const safeMax = parseNumber(max, 60, 1, 100_000);
+  const safeKeyPrefix = String(keyPrefix || 'global').trim() || 'global';
+
+  return (req, res) => {
+    const nowMs = Date.now();
+    pruneBuckets(safeWindowMs, nowMs);
+
+    const ip = resolveClientIp(req);
+    const key = `${safeKeyPrefix}:${ip}`;
+    const existing = rateLimitBuckets.get(key);
+
+    if (!existing || nowMs - existing.start > safeWindowMs) {
+      rateLimitBuckets.set(key, { start: nowMs, count: 1 });
+      return true;
+    }
+
+    existing.count += 1;
+    if (existing.count <= safeMax) return true;
+
+    const retryAfterSeconds = Math.ceil((safeWindowMs - (nowMs - existing.start)) / 1000);
+    sendTooManyRequests(req, res, retryAfterSeconds);
+    return false;
+  };
+};
+
+export const createAdminApiRateLimit = () => {
+  const windowMs = parseNumber(process.env.ADMIN_RATE_LIMIT_WINDOW_MS, 60_000, 1_000, 60 * 60 * 1000);
+  const max = parseNumber(process.env.ADMIN_RATE_LIMIT_MAX, 30, 1, 100_000);
+  return createRateLimit({
+    windowMs,
+    max,
+    keyPrefix: 'admin_api',
+  });
+};

package/server/middleware/requireAdminAuth.js

@@ -0,0 +1,48 @@
+import logger from '#logger';
+import { resolveClientIp } from '../http/clientIp.js';
+
+const ADMIN_TOKEN = String(process.env.ADMIN_TOKEN || process.env.ADMIN_API_TOKEN || '').trim();
+
+const extractAdminTokenFromRequest = (req) => {
+  const headerToken = String(req.headers['x-admin-token'] || '').trim();
+  if (headerToken) return headerToken;
+
+  const authorizationHeader = String(req.headers.authorization || '').trim();
+  if (!authorizationHeader) return '';
+
+  const firstSpaceIndex = authorizationHeader.indexOf(' ');
+  if (firstSpaceIndex <= 0) return '';
+
+  const authScheme = authorizationHeader.slice(0, firstSpaceIndex).trim().toLowerCase();
+  if (authScheme !== 'bearer') return '';
+
+  return authorizationHeader.slice(firstSpaceIndex + 1).trim();
+};
+
+const sendUnauthorized = (res) => {
+  if (res.writableEnded) return;
+  res.statusCode = 401;
+  res.setHeader('Content-Type', 'application/json; charset=utf-8');
+  res.setHeader('Cache-Control', 'no-store');
+  res.end(JSON.stringify({ error: 'Unauthorized' }));
+};
+
+/**
+ * Camada opcional de auth de admin.
+ * Quando `ADMIN_TOKEN` nao estiver configurado, delega para a auth interna do controller.
+ */
+export const requireAdminAuth = (req, res) => {
+  if (!ADMIN_TOKEN) return true;
+
+  const requestToken = extractAdminTokenFromRequest(req);
+  if (requestToken && requestToken === ADMIN_TOKEN) return true;
+
+  logger.warn('Tentativa de acesso admin sem token valido.', {
+    action: 'admin_auth_token_invalid',
+    method: req.method || 'UNKNOWN',
+    path: req.url || '',
+    remote_address: resolveClientIp(req, { fallback: null }),
+  });
+  sendUnauthorized(res);
+  return false;
+};

package/server/middleware/securityHeaders.js

@@ -0,0 +1,97 @@
+import helmet from 'helmet';
+
+import logger from '#logger';
+
+const parseEnvBool = (value, fallback = false) => {
+  if (value === undefined || value === null || value === '') return fallback;
+  const normalized = String(value).trim().toLowerCase();
+  if (['1', 'true', 'yes', 'y', 'on'].includes(normalized)) return true;
+  if (['0', 'false', 'no', 'n', 'off'].includes(normalized)) return false;
+  return fallback;
+};
+
+const HELMET_CSP_ENFORCE = parseEnvBool(process.env.HELMET_CONTENT_SECURITY_POLICY_ENABLED, true);
+const BACKEND_BUILD_ID = String(process.env.OMNIZAP_BUILD_ID || '')
+  .trim()
+  .slice(0, 80);
+
+const HELMET_CSP_DIRECTIVES = {
+  defaultSrc: ["'self'"],
+  baseUri: ["'self'"],
+  objectSrc: ["'none'"],
+  frameAncestors: ["'self'"],
+  formAction: ["'self'"],
+  scriptSrc: ["'self'", "'unsafe-inline'", 'https://accounts.google.com', 'https://cdn.tailwindcss.com'],
+  styleSrc: ["'self'", "'unsafe-inline'", 'https://fonts.googleapis.com', 'https://cdnjs.cloudflare.com'],
+  imgSrc: ["'self'", 'data:', 'blob:', 'https:'],
+  fontSrc: ["'self'", 'data:', 'https://fonts.gstatic.com', 'https://cdnjs.cloudflare.com'],
+  connectSrc: ["'self'", 'https://accounts.google.com', 'https://oauth2.googleapis.com', 'https://api.github.com'],
+  frameSrc: ["'self'", 'https://accounts.google.com'],
+  workerSrc: ["'self'", 'blob:'],
+  manifestSrc: ["'self'"],
+};
+
+const serializeCspDirectives = (directives = {}) =>
+  Object.entries(directives)
+    .map(([directive, values]) => {
+      const kebabDirective = String(directive || '')
+        .trim()
+        .replace(/[A-Z]/g, (char) => `-${char.toLowerCase()}`);
+      if (!kebabDirective) return '';
+      const normalizedValues = Array.isArray(values) ? values.map((value) => String(value || '').trim()).filter(Boolean) : [];
+      return normalizedValues.length ? `${kebabDirective} ${normalizedValues.join(' ')}` : kebabDirective;
+    })
+    .filter(Boolean)
+    .join('; ');
+
+const FALLBACK_CSP_HEADER = serializeCspDirectives(HELMET_CSP_DIRECTIVES);
+
+const helmetMiddleware = helmet({
+  contentSecurityPolicy: {
+    useDefaults: false,
+    directives: HELMET_CSP_DIRECTIVES,
+    reportOnly: !HELMET_CSP_ENFORCE,
+  },
+  crossOriginEmbedderPolicy: false,
+  // Mantemos permissões explícitas para browser APIs sensíveis.
+  permissionsPolicy: {
+    features: {
+      geolocation: [],
+      microphone: [],
+      camera: [],
+    },
+  },
+});
+
+const applyFallbackHeaders = (res) => {
+  if (!res.getHeader('X-Content-Type-Options')) res.setHeader('X-Content-Type-Options', 'nosniff');
+  if (!res.getHeader('X-Frame-Options')) res.setHeader('X-Frame-Options', 'DENY');
+  if (!res.getHeader('Referrer-Policy')) res.setHeader('Referrer-Policy', 'strict-origin-when-cross-origin');
+  if (!res.getHeader('Permissions-Policy')) res.setHeader('Permissions-Policy', 'geolocation=(), microphone=(), camera=()');
+  if (FALLBACK_CSP_HEADER && !res.getHeader('Content-Security-Policy') && !res.getHeader('Content-Security-Policy-Report-Only')) {
+    const cspHeaderName = HELMET_CSP_ENFORCE ? 'Content-Security-Policy' : 'Content-Security-Policy-Report-Only';
+    res.setHeader(cspHeaderName, FALLBACK_CSP_HEADER);
+  }
+  if (BACKEND_BUILD_ID && !res.getHeader('X-Omnizap-Build')) res.setHeader('X-Omnizap-Build', BACKEND_BUILD_ID);
+};
+
+export const applySecurityHeaders = (req, res) => {
+  try {
+    const maybePromise = helmetMiddleware(req, res, () => {});
+    if (maybePromise && typeof maybePromise.catch === 'function') {
+      maybePromise.catch((error) => {
+        logger.warn('Falha ao aplicar helmet middleware.', {
+          action: 'helmet_apply_failed',
+          error: error?.message,
+        });
+      });
+    }
+  } catch (error) {
+    logger.warn('Falha ao aplicar headers do helmet. Aplicando fallback.', {
+      action: 'helmet_apply_failed',
+      error: error?.message,
+    });
+  }
+
+  applyFallbackHeaders(res);
+};

package/server/routes/admin/systemAdminRouter.js

@@ -0,0 +1,64 @@
+let systemAdminControllerPromise = null;
+
+const loadSystemAdminController = async () => {
+  if (!systemAdminControllerPromise) {
+    systemAdminControllerPromise = import('../../controllers/admin/systemAdminController.js');
+  }
+  return systemAdminControllerPromise;
+};
+
+const normalizeBasePath = (value, fallback) => {
+  const raw = String(value || '').trim() || fallback;
+  const withLeadingSlash = raw.startsWith('/') ? raw : `/${raw}`;
+  const withoutTrailingSlash = withLeadingSlash.length > 1 && withLeadingSlash.endsWith('/') ? withLeadingSlash.slice(0, -1) : withLeadingSlash;
+  return withoutTrailingSlash || fallback;
+};
+
+const startsWithPath = (pathname, prefix) => {
+  if (!pathname || !prefix) return false;
+  if (pathname === prefix) return true;
+  return pathname.startsWith(`${prefix}/`);
+};
+
+const DEFAULT_USER_SYSTEM_ADMIN_WEB_PATH = '/user/systemadm';
+const DEFAULT_LEGACY_STICKER_ADMIN_WEB_PATH = '/stickers/admin';
+const DEFAULT_SYSTEM_ADMIN_API_BASE_PATH = '/api/admin';
+const DEFAULT_SYSTEM_ADMIN_API_SESSION_PATH = '/api/admin/session';
+const DEFAULT_LEGACY_STICKER_ADMIN_API_BASE_PATH = '/api/sticker-packs/admin';
+const DEFAULT_LEGACY_STICKER_ADMIN_API_SESSION_PATH = '/api/sticker-packs/admin/session';
+
+export const getSystemAdminRouterConfig = async () => {
+  const controller = await loadSystemAdminController();
+  const legacyConfig = (typeof controller?.getSystemAdminRouteConfig === 'function' ? controller.getSystemAdminRouteConfig() : null) || {};
+  return {
+    webPath: normalizeBasePath(legacyConfig.webPath, DEFAULT_USER_SYSTEM_ADMIN_WEB_PATH),
+    legacyWebPath: normalizeBasePath(legacyConfig.legacyWebPath, DEFAULT_LEGACY_STICKER_ADMIN_WEB_PATH),
+    apiAdminBasePath: normalizeBasePath(legacyConfig.apiAdminBasePath, DEFAULT_SYSTEM_ADMIN_API_BASE_PATH),
+    apiAdminSessionPath: normalizeBasePath(legacyConfig.apiAdminSessionPath, DEFAULT_SYSTEM_ADMIN_API_SESSION_PATH),
+    legacyApiAdminBasePath: normalizeBasePath(legacyConfig.legacyApiAdminBasePath, DEFAULT_LEGACY_STICKER_ADMIN_API_BASE_PATH),
+    legacyApiAdminSessionPath: normalizeBasePath(legacyConfig.legacyApiAdminSessionPath, DEFAULT_LEGACY_STICKER_ADMIN_API_SESSION_PATH),
+  };
+};
+
+export const shouldHandleSystemAdminPath = (pathname, systemAdminConfig = null) => {
+  const resolvedConfig = systemAdminConfig || {
+    webPath: DEFAULT_USER_SYSTEM_ADMIN_WEB_PATH,
+    legacyWebPath: DEFAULT_LEGACY_STICKER_ADMIN_WEB_PATH,
+    apiAdminBasePath: DEFAULT_SYSTEM_ADMIN_API_BASE_PATH,
+    apiAdminSessionPath: DEFAULT_SYSTEM_ADMIN_API_SESSION_PATH,
+    legacyApiAdminBasePath: DEFAULT_LEGACY_STICKER_ADMIN_API_BASE_PATH,
+    legacyApiAdminSessionPath: DEFAULT_LEGACY_STICKER_ADMIN_API_SESSION_PATH,
+  };
+
+  if (startsWithPath(pathname, resolvedConfig.webPath)) return true;
+  if (startsWithPath(pathname, resolvedConfig.legacyWebPath)) return true;
+  if (startsWithPath(pathname, resolvedConfig.apiAdminBasePath)) return true;
+  if (startsWithPath(pathname, resolvedConfig.legacyApiAdminBasePath)) return true;
+  return false;
+};
+
+export const maybeHandleSystemAdminRequest = async (req, res, { pathname, url }) => {
+  const controller = await loadSystemAdminController();
+  if (typeof controller?.maybeHandleSystemAdminRequest !== 'function') return false;
+  return controller.maybeHandleSystemAdminRequest(req, res, { pathname, url });
+};

package/server/routes/email/emailAutomationRouter.js

@@ -0,0 +1,46 @@
+let emailAutomationControllerPromise = null;
+
+const loadEmailAutomationController = async () => {
+  if (!emailAutomationControllerPromise) {
+    emailAutomationControllerPromise = import('../../controllers/email/emailAutomationController.js');
+  }
+  return emailAutomationControllerPromise;
+};
+
+const normalizeBasePath = (value, fallback) => {
+  const raw = String(value || '').trim() || fallback;
+  const withLeadingSlash = raw.startsWith('/') ? raw : `/${raw}`;
+  const withoutTrailingSlash = withLeadingSlash.length > 1 && withLeadingSlash.endsWith('/') ? withLeadingSlash.slice(0, -1) : withLeadingSlash;
+  return withoutTrailingSlash || fallback;
+};
+
+const startsWithPath = (pathname, prefix) => {
+  if (!pathname || !prefix) return false;
+  if (pathname === prefix) return true;
+  return pathname.startsWith(`${prefix}/`);
+};
+
+const DEFAULT_EMAIL_AUTOMATION_API_BASE_PATH = '/api/email';
+
+export const getEmailAutomationRouterConfig = async () => {
+  const controller = await loadEmailAutomationController();
+  const routeConfig = (typeof controller?.getEmailAutomationRouteConfig === 'function' ? controller.getEmailAutomationRouteConfig() : null) || {};
+
+  return {
+    apiBasePath: normalizeBasePath(routeConfig.apiBasePath, DEFAULT_EMAIL_AUTOMATION_API_BASE_PATH),
+  };
+};
+
+export const shouldHandleEmailAutomationPath = (pathname, config = null) => {
+  const resolvedConfig = config || {
+    apiBasePath: DEFAULT_EMAIL_AUTOMATION_API_BASE_PATH,
+  };
+
+  return startsWithPath(pathname, resolvedConfig.apiBasePath);
+};
+
+export const maybeHandleEmailAutomationRequest = async (req, res, { pathname, url }) => {
+  const controller = await loadEmailAutomationController();
+  if (typeof controller?.maybeHandleEmailAutomationRequest !== 'function') return false;
+  return controller.maybeHandleEmailAutomationRequest(req, res, { pathname, url });
+};

package/server/routes/health/healthRouter.js

@@ -0,0 +1,41 @@
+const sendJson = (req, res, statusCode, payload) => {
+  if (res.writableEnded) return true;
+  res.statusCode = statusCode;
+  res.setHeader('Content-Type', 'application/json; charset=utf-8');
+  if (req.method === 'HEAD') {
+    res.end();
+    return true;
+  }
+  res.end(JSON.stringify(payload));
+  return true;
+};
+
+const isAllowedMethod = (method) => method === 'GET' || method === 'HEAD';
+
+export const shouldHandleHealthPath = (pathname) => pathname === '/healthz' || pathname === '/readyz';
+
+export const maybeHandleHealthRequest = async (req, res, { pathname }) => {
+  if (!shouldHandleHealthPath(pathname)) return false;
+
+  if (!isAllowedMethod(req.method || '')) {
+    return sendJson(req, res, 405, { error: 'Method Not Allowed' });
+  }
+
+  if (pathname === '/healthz') {
+    return sendJson(req, res, 200, {
+      ok: true,
+      service: 'omnizap',
+      type: 'health',
+    });
+  }
+
+  if (pathname === '/readyz') {
+    return sendJson(req, res, 200, {
+      ok: true,
+      service: 'omnizap',
+      type: 'ready',
+    });
+  }
+
+  return false;
+};