@omnizap-system/omnizap 2.6.0 → 2.6.2

package/server/controllers/system/stickerCatalogSystemContext.js

@@ -1,4 +1,6 @@
+import { now as __timeNow, nowIso as __timeNowIso, toUnixMs as __timeNowMs } from '#time';
 import { withTimeout } from '../../http/httpRequestUtils.js';
+import { resolveBotPhoneFromEnv } from '../../../utils/whatsapp/contactEnv.js';
 
 export const createStickerCatalogSystemContext = ({ executeQuery, tables, logger, getSystemMetrics, getActiveSocket, resolveSocketReadyState, resolveActiveSocketBotJid, resolveCatalogBotPhone, fetchPrometheusSummary, metricsEndpoint, systemSummaryCache, systemSummaryCacheSeconds, readmeSummaryCache, readmeSummaryCacheSeconds, readmeMessageTypeSampleLimit, readmeCommandPrefix, buildMenuCaption, buildStickerMenu, buildMediaMenu, buildQuoteMenu, buildAnimeMenu, buildAiMenu, buildStatsMenu, buildAdminMenu, profilePictureUrlFromActiveSocket, normalizeJid, getJidUser, globalRankCache, globalRankRefreshSeconds, marketplaceGlobalStatsCache, marketplaceGlobalStatsCacheSeconds }) => {
   let globalRankRefreshTimer = null;
@@ -125,7 +127,7 @@ export const createStickerCatalogSystemContext = ({ executeQuery, tables, logger
           http_latency_p95_ms: prometheus?.http_latency_p95_ms ?? null,
           queue_peak: prometheus?.queue_peak ?? null,
         },
-        updated_at: new Date().toISOString(),
+        updated_at: __timeNowIso(),
       },
       meta: {
         metrics_endpoint: metricsEndpoint,
@@ -138,7 +140,7 @@ export const createStickerCatalogSystemContext = ({ executeQuery, tables, logger
   };
 
   const getSystemSummaryCached = async () => {
-    const now = Date.now();
+    const now = __timeNowMs();
     const hasValue = Boolean(systemSummaryCache.value);
 
     if (hasValue && now < systemSummaryCache.expiresAt) {
@@ -149,9 +151,15 @@ export const createStickerCatalogSystemContext = ({ executeQuery, tables, logger
       systemSummaryCache.pending = withTimeout(buildSystemSummarySnapshot(), 5000)
         .then((payload) => {
           systemSummaryCache.value = payload;
-          systemSummaryCache.expiresAt = Date.now() + systemSummaryCacheSeconds * 1000;
+          systemSummaryCache.expiresAt = __timeNowMs() + systemSummaryCacheSeconds * 1000;
           return payload;
         })
+        .catch((error) => {
+          if (hasValue && systemSummaryCache.value) {
+            return systemSummaryCache.value;
+          }
+          throw error;
+        })
         .finally(() => {
           systemSummaryCache.pending = null;
         });
@@ -278,7 +286,7 @@ export const createStickerCatalogSystemContext = ({ executeQuery, tables, logger
       .slice(0, 8);
 
     const commands = collectAvailableMenuCommands(readmeCommandPrefix);
-    const generatedAt = new Date().toISOString();
+    const generatedAt = __timeNowIso();
 
     const totals = {
       total_users: Number(lidMapTotals?.total_users || 0),
@@ -314,7 +322,7 @@ export const createStickerCatalogSystemContext = ({ executeQuery, tables, logger
   };
 
   const getReadmeSummaryCached = async () => {
-    const now = Date.now();
+    const now = __timeNowMs();
     const hasValue = Boolean(readmeSummaryCache.value);
 
     if (hasValue && now < readmeSummaryCache.expiresAt) {
@@ -325,9 +333,15 @@ export const createStickerCatalogSystemContext = ({ executeQuery, tables, logger
       readmeSummaryCache.pending = withTimeout(buildReadmeSummarySnapshot(), 7000)
         .then((payload) => {
           readmeSummaryCache.value = payload;
-          readmeSummaryCache.expiresAt = Date.now() + readmeSummaryCacheSeconds * 1000;
+          readmeSummaryCache.expiresAt = __timeNowMs() + readmeSummaryCacheSeconds * 1000;
           return payload;
         })
+        .catch((error) => {
+          if (hasValue && readmeSummaryCache.value) {
+            return readmeSummaryCache.value;
+          }
+          throw error;
+        })
         .finally(() => {
           readmeSummaryCache.pending = null;
         });
@@ -345,12 +359,8 @@ export const createStickerCatalogSystemContext = ({ executeQuery, tables, logger
     const botPhoneFromCatalog = String(resolveCatalogBotPhone() || '').replace(/\D+/g, '');
     if (botPhoneFromCatalog) candidates.add(botPhoneFromCatalog);
 
-    const envCandidates = [process.env.WHATSAPP_BOT_NUMBER, process.env.BOT_NUMBER, process.env.PHONE_NUMBER, process.env.BOT_PHONE_NUMBER];
-
-    for (const candidate of envCandidates) {
-      const digits = String(candidate || '').replace(/\D+/g, '');
-      if (digits) candidates.add(digits);
-    }
+    const configuredBotPhone = String(resolveBotPhoneFromEnv({ fallback: '' }) || '').replace(/\D+/g, '');
+    if (configuredBotPhone) candidates.add(configuredBotPhone);
 
     return Array.from(candidates).filter((value) => value.length >= 8);
   };
@@ -522,12 +532,12 @@ export const createStickerCatalogSystemContext = ({ executeQuery, tables, logger
       top_type: topType,
       top_type_count: topTypeCount,
       rows: rowsEnriched,
-      updated_at: new Date().toISOString(),
+      updated_at: __timeNowIso(),
     };
   };
 
   const getGlobalRankingSummaryCached = async () => {
-    const now = Date.now();
+    const now = __timeNowMs();
     const hasValue = Boolean(globalRankCache.value);
 
     if (hasValue && now < globalRankCache.expiresAt) {
@@ -538,9 +548,15 @@ export const createStickerCatalogSystemContext = ({ executeQuery, tables, logger
       globalRankCache.pending = withTimeout(buildGlobalRankingSummary(), 5000)
         .then((data) => {
           globalRankCache.value = data;
-          globalRankCache.expiresAt = Date.now() + globalRankRefreshSeconds * 1000;
+          globalRankCache.expiresAt = __timeNowMs() + globalRankRefreshSeconds * 1000;
           return data;
         })
+        .catch((error) => {
+          if (hasValue && globalRankCache.value) {
+            return globalRankCache.value;
+          }
+          throw error;
+        })
         .finally(() => {
           globalRankCache.pending = null;
         });
@@ -579,7 +595,7 @@ export const createStickerCatalogSystemContext = ({ executeQuery, tables, logger
   };
 
   const buildLastSevenUtcDateKeys = () => {
-    const now = new Date();
+    const now = __timeNow();
     const todayUtc = Date.UTC(now.getUTCFullYear(), now.getUTCMonth(), now.getUTCDate());
     return Array.from({ length: 7 }).map((_, index) => {
       const date = new Date(todayUtc - (6 - index) * 24 * 60 * 60 * 1000);
@@ -718,12 +734,12 @@ export const createStickerCatalogSystemContext = ({ executeQuery, tables, logger
       clicks_last_7_days: Number(clicksLast7Days || 0),
       likes_last_7_days: Number(likesLast7Days || 0),
       series_last_7_days: seriesLast7Days,
-      updated_at: new Date().toISOString(),
+      updated_at: __timeNowIso(),
     };
   };
 
   const getMarketplaceGlobalStatsCached = async () => {
-    const now = Date.now();
+    const now = __timeNowMs();
     const hasValue = Boolean(marketplaceGlobalStatsCache.value);
     if (hasValue && now < marketplaceGlobalStatsCache.expiresAt) {
       return marketplaceGlobalStatsCache.value;
@@ -733,9 +749,15 @@ export const createStickerCatalogSystemContext = ({ executeQuery, tables, logger
       marketplaceGlobalStatsCache.pending = withTimeout(buildMarketplaceGlobalStatsSnapshot(), 5000)
         .then((data) => {
           marketplaceGlobalStatsCache.value = data;
-          marketplaceGlobalStatsCache.expiresAt = Date.now() + marketplaceGlobalStatsCacheSeconds * 1000;
+          marketplaceGlobalStatsCache.expiresAt = __timeNowMs() + marketplaceGlobalStatsCacheSeconds * 1000;
           return data;
         })
+        .catch((error) => {
+          if (hasValue && marketplaceGlobalStatsCache.value) {
+            return marketplaceGlobalStatsCache.value;
+          }
+          throw error;
+        })
         .finally(() => {
           marketplaceGlobalStatsCache.pending = null;
         });

package/server/controllers/system/systemController.js

@@ -1,6 +1,6 @@
 import logger from '#logger';
 import { executeQuery, TABLES } from '../../../database/index.js';
-import { getActiveSocket, getJidUser, normalizeJid, profilePictureUrlFromActiveSocket } from '../../../app/config/index.js';
+import { getActiveSocket, getActiveSocketsBySession, getJidUser, getMultiSessionRuntimeConfig, isSocketOpen, normalizeJid, profilePictureUrlFromActiveSocket } from '../../../app/config/index.js';
 import { getSystemMetrics } from '../../../app/utils/systemMetrics/systemMetricsModule.js';
 import { createStickerCatalogSystemContext } from './stickerCatalogSystemContext.js';
 import { createStickerCatalogNonCatalogHandlers } from '../sticker/nonCatalogHandlers.js';
@@ -10,6 +10,9 @@ import { fetchPrometheusSummary } from './systemMetricsController.js';
 import { buildBotContactInfo, buildSupportInfo, resolveCatalogBotPhone } from './contactController.js';
 import { buildAdminMenu, buildAiMenu, buildAnimeMenu, buildMediaMenu, buildMenuCaption, buildQuoteMenu, buildStatsMenu, buildStickerMenu } from '../../../app/modules/menuModule/common.js';
 import { trackWebVisitMetric } from './visitController.js';
+import groupOwnershipService from '../../../app/services/multiSession/groupOwnershipService.js';
+import sessionRegistryService from '../../../app/services/multiSession/sessionRegistryService.js';
+import { runGroupAssignmentBalancerCycle } from '../../../app/services/multiSession/assignmentBalancerService.js';
 
 const SYSTEM_SUMMARY_CACHE_SECONDS = Number(process.env.SYSTEM_SUMMARY_CACHE_SECONDS || 20);
 const README_SUMMARY_CACHE_SECONDS = Number(process.env.README_SUMMARY_CACHE_SECONDS || 1800);
@@ -132,4 +135,254 @@ export const systemHandlers = createStickerCatalogNonCatalogHandlers({
   isAuthenticatedGoogleSession: (sess) => Boolean(sess?.sub && (sess?.ownerJid || sess?.ownerPhone || sess?.email)),
 });
 
+const clampLimit = (value, fallback = 200, min = 1, max = 5_000) => {
+  const parsed = Number.parseInt(String(value ?? ''), 10);
+  if (!Number.isFinite(parsed)) return fallback;
+  return Math.max(min, Math.min(max, parsed));
+};
+
+const normalizeOptional = (value, maxLength = 255) => {
+  const normalized = String(value || '')
+    .trim()
+    .slice(0, maxLength);
+  return normalized || null;
+};
+
+const normalizeBoolean = (value, fallback = false) => {
+  if (value === undefined || value === null || value === '') return fallback;
+  const normalized = String(value).trim().toLowerCase();
+  if (['1', 'true', 'yes', 'y', 'on'].includes(normalized)) return true;
+  if (['0', 'false', 'no', 'n', 'off'].includes(normalized)) return false;
+  return fallback;
+};
+
+const toIso = (value) => {
+  if (!value) return null;
+  const parsed = new Date(value);
+  if (Number.isNaN(parsed.getTime())) return null;
+  return parsed.toISOString();
+};
+
+const resolveSocketRuntimeState = (socket) => {
+  const open = isSocketOpen(socket);
+  const readyState = resolveSocketReadyState(socket);
+  const botJid = resolveActiveSocketBotJid(socket);
+  return {
+    socket_open: open,
+    socket_ready_state: readyState,
+    socket_bot_jid: botJid || null,
+  };
+};
+
+export const listSystemAdminSessions = async ({ status = null, limit = 200 } = {}) => {
+  const runtimeConfig = getMultiSessionRuntimeConfig();
+  const safeStatus = normalizeOptional(status, 24);
+  const safeLimit = clampLimit(limit, 200, 1, 5_000);
+  const registryRows = await sessionRegistryService.listSessions({
+    status: safeStatus,
+    limit: safeLimit,
+  });
+
+  const socketsBySession = getActiveSocketsBySession();
+  const knownSessionIds = new Set();
+  for (const sessionId of runtimeConfig.sessionIds || []) knownSessionIds.add(sessionId);
+  for (const row of registryRows || []) {
+    if (row?.sessionId) knownSessionIds.add(row.sessionId);
+  }
+
+  const selectedSessionIds = Array.from(knownSessionIds)
+    .filter(Boolean)
+    .slice(0, safeLimit);
+  const registryBySession = new Map((registryRows || []).map((row) => [row.sessionId, row]));
+
+  const sessions = selectedSessionIds.map((sessionId) => {
+    const row = registryBySession.get(sessionId) || null;
+    const socket = socketsBySession.get(sessionId) || null;
+    const socketRuntime = resolveSocketRuntimeState(socket);
+
+    return {
+      session_id: sessionId,
+      is_primary: sessionId === runtimeConfig.primarySessionId,
+      configured: (runtimeConfig.sessionIds || []).includes(sessionId),
+      configured_weight: Number(runtimeConfig.sessionWeights?.[sessionId] || 1),
+      status: row?.status || (socketRuntime.socket_open ? 'online' : 'offline'),
+      bot_jid: row?.botJid || socketRuntime.socket_bot_jid || null,
+      capacity_weight: Number(row?.capacityWeight || runtimeConfig.sessionWeights?.[sessionId] || 1),
+      current_score: Number(row?.currentScore || 0),
+      last_heartbeat_at: toIso(row?.lastHeartbeatAt),
+      last_connected_at: toIso(row?.lastConnectedAt),
+      last_disconnected_at: toIso(row?.lastDisconnectedAt),
+      updated_at: toIso(row?.updatedAt),
+      metadata: row?.metadata || null,
+      ...socketRuntime,
+    };
+  });
+
+  return {
+    generated_at: new Date().toISOString(),
+    primary_session_id: runtimeConfig.primarySessionId,
+    configured_session_ids: runtimeConfig.sessionIds || [],
+    sessions,
+  };
+};
+
+export const listSystemAdminAssignments = async (
+  {
+    groupJid = null,
+    ownerSessionId = null,
+    includeExpired = false,
+    limit = 200,
+  } = {},
+) => {
+  const safeGroupJid = normalizeOptional(groupJid, 255);
+  const safeOwnerSessionId = normalizeOptional(ownerSessionId, 64);
+  const safeIncludeExpired = normalizeBoolean(includeExpired, false);
+  const safeLimit = clampLimit(limit, 200, 1, 5_000);
+
+  const assignments = await groupOwnershipService.listAssignments({
+    groupJid: safeGroupJid,
+    ownerSessionId: safeOwnerSessionId,
+    includeExpired: safeIncludeExpired,
+    limit: safeLimit,
+  });
+
+  return {
+    generated_at: new Date().toISOString(),
+    filters: {
+      group_jid: safeGroupJid,
+      owner_session_id: safeOwnerSessionId,
+      include_expired: safeIncludeExpired,
+      limit: safeLimit,
+    },
+    assignments: (assignments || []).map((assignment) => ({
+      group_jid: assignment?.groupJid || null,
+      owner_session_id: assignment?.ownerSessionId || null,
+      lease_expires_at: toIso(assignment?.leaseExpiresAt),
+      cooldown_until: toIso(assignment?.cooldownUntil),
+      assignment_version: Number(assignment?.assignmentVersion || 1),
+      pinned: assignment?.pinned === true,
+      active: assignment?.active !== false,
+      last_reason: assignment?.lastReason || null,
+      created_at: toIso(assignment?.createdAt),
+      updated_at: toIso(assignment?.updatedAt),
+    })),
+  };
+};
+
+export const setSystemAdminGroupPin = async (
+  {
+    groupJid,
+    pinned,
+    sessionId = null,
+    reason = null,
+    changedBy = 'admin_api',
+    metadata = null,
+  } = {},
+) => {
+  const outcome = await groupOwnershipService.setPinned({
+    groupJid,
+    pinned,
+    sessionId,
+    reason: reason || (pinned ? 'admin_pin_group' : 'admin_unpin_group'),
+    changedBy,
+    metadata,
+  });
+
+  return {
+    updated: Boolean(outcome?.updated),
+    reason: outcome?.reason || null,
+    assignment_version: Number(outcome?.assignmentVersion || 0) || null,
+    previous_owner_session_id: outcome?.previousOwnerSessionId || null,
+    owner: outcome?.owner
+      ? {
+          group_jid: outcome.owner.groupJid,
+          owner_session_id: outcome.owner.ownerSessionId,
+          lease_expires_at: toIso(outcome.owner.leaseExpiresAt),
+          cooldown_until: toIso(outcome.owner.cooldownUntil),
+          assignment_version: Number(outcome.owner.assignmentVersion || 1),
+          pinned: outcome.owner.pinned === true,
+          last_reason: outcome.owner.lastReason || null,
+        }
+      : null,
+  };
+};
+
+export const forceSystemAdminGroupFailover = async (
+  {
+    groupJid,
+    targetSessionId,
+    reason = 'admin_force_failover',
+    changedBy = 'admin_api',
+    metadata = null,
+  } = {},
+) => {
+  const outcome = await groupOwnershipService.forceAssign({
+    groupJid,
+    sessionId: targetSessionId,
+    reason,
+    changedBy,
+    metadata,
+  });
+
+  return {
+    reassigned: Boolean(outcome?.reassigned),
+    reason: outcome?.reason || null,
+    assignment_version: Number(outcome?.assignmentVersion || 0) || null,
+    previous_owner_session_id: outcome?.previousOwnerSessionId || null,
+    owner: outcome?.owner
+      ? {
+          group_jid: outcome.owner.groupJid,
+          owner_session_id: outcome.owner.ownerSessionId,
+          lease_expires_at: toIso(outcome.owner.leaseExpiresAt),
+          assignment_version: Number(outcome.owner.assignmentVersion || 1),
+          pinned: outcome.owner.pinned === true,
+          last_reason: outcome.owner.lastReason || null,
+        }
+      : null,
+  };
+};
+
+export const triggerSystemAdminManualRebalance = async () => {
+  const cycle = await runGroupAssignmentBalancerCycle();
+  return {
+    generated_at: new Date().toISOString(),
+    cycle,
+  };
+};
+
+export const listSystemAdminAssignmentHistory = async ({ groupJid = null, limit = 100 } = {}) => {
+  const safeLimit = clampLimit(limit, 100, 1, 5_000);
+  const safeGroupJid = normalizeOptional(groupJid, 255);
+  const params = [];
+  const where = [];
+  if (safeGroupJid) {
+    where.push('group_jid = ?');
+    params.push(safeGroupJid);
+  }
+
+  const rows = await executeQuery(
+    `SELECT id, group_jid, previous_session_id, new_session_id, change_reason, changed_by, assignment_version, metadata, created_at
+       FROM ${TABLES.GROUP_ASSIGNMENT_HISTORY}
+       ${where.length > 0 ? `WHERE ${where.join(' AND ')}` : ''}
+      ORDER BY id DESC
+      LIMIT ${safeLimit}`,
+    params,
+  );
+
+  return {
+    generated_at: new Date().toISOString(),
+    history: (Array.isArray(rows) ? rows : []).map((row) => ({
+      id: Number(row?.id || 0),
+      group_jid: row?.group_jid || null,
+      previous_session_id: row?.previous_session_id || null,
+      new_session_id: row?.new_session_id || null,
+      change_reason: row?.change_reason || null,
+      changed_by: row?.changed_by || null,
+      assignment_version: Number(row?.assignment_version || 0) || null,
+      metadata: row?.metadata || null,
+      created_at: toIso(row?.created_at),
+    })),
+  };
+};
+
 export { scheduleGlobalRankingPreload };

package/server/controllers/system/systemMetricsController.js

@@ -1,3 +1,4 @@
+import { now as __timeNow, nowIso as __timeNowIso, toUnixMs as __timeNowMs } from '#time';
 import { formatDuration } from '../../http/httpRequestUtils.js';
 
 const METRICS_ENDPOINT = process.env.METRICS_ENDPOINT || `http://127.0.0.1:${process.env.METRICS_PORT || 9102}${process.env.METRICS_PATH || '/metrics'}`;
@@ -124,7 +125,7 @@ export const fetchPrometheusSummary = async () => {
     const series = parsePrometheusText(text);
 
     const processStart = pickMetricValue(series, 'omnizap_process_start_time_seconds');
-    const nowSeconds = Date.now() / 1000;
+    const nowSeconds = __timeNowMs() / 1000;
     const processUptimeSeconds = Number.isFinite(processStart) ? Math.max(0, nowSeconds - processStart) : null;
 
     const lagP99 = pickMetricValue(series, 'omnizap_nodejs_eventloop_lag_p99_seconds');

package/server/controllers/userController.js

@@ -3,6 +3,7 @@ import path from 'node:path';
 
 import logger from '#logger';
 import { DEFAULT_LEGACY_STICKER_API_BASE_PATH, DEFAULT_USER_API_BASE_PATH, isUserApiPath, normalizeBasePath, resolveLegacyUserApiPath } from '../routes/user/userApiPaths.js';
+import { buildWhatsappUrl, resolvePublicWhatsappNumber } from '../utils/publicContact.js';
 
 const LEGACY_STICKER_API_BASE_PATH = normalizeBasePath(process.env.STICKER_API_BASE_PATH, DEFAULT_LEGACY_STICKER_API_BASE_PATH);
 const USER_API_BASE_PATH = normalizeBasePath(process.env.USER_API_BASE_PATH || process.env.AUTH_API_BASE_PATH, DEFAULT_USER_API_BASE_PATH);
@@ -11,6 +12,8 @@ const USER_PROFILE_WEB_PATH = normalizeBasePath(process.env.USER_PROFILE_WEB_PAT
 const USER_PASSWORD_RESET_WEB_PATH = normalizeBasePath(process.env.USER_PASSWORD_RESET_WEB_PATH, '/user/password-reset');
 const USER_DASHBOARD_TEMPLATE_PATH = path.join(process.cwd(), 'public', 'pages', 'user.html');
 const USER_PASSWORD_RESET_TEMPLATE_PATH = path.join(process.cwd(), 'public', 'pages', 'user-password-reset.html');
+const PUBLIC_WHATSAPP_NUMBER = resolvePublicWhatsappNumber();
+const PUBLIC_WHATSAPP_URL = buildWhatsappUrl(PUBLIC_WHATSAPP_NUMBER);
 
 const hasPathPrefix = (pathname, prefix) => pathname === prefix || pathname.startsWith(`${prefix}/`);
 const escapeHtmlAttribute = (value) =>
@@ -52,7 +55,10 @@ const renderUserDashboardHtml = async ({ passwordReset = false } = {}) => {
   const dataAttributes = {
     'data-api-base-path': USER_API_BASE_PATH,
     'data-login-path': STICKER_LOGIN_WEB_PATH,
+    'data-panel-path': USER_PROFILE_WEB_PATH,
     'data-password-reset-web-path': USER_PASSWORD_RESET_WEB_PATH,
+    'data-support-whatsapp-number': PUBLIC_WHATSAPP_NUMBER,
+    'data-support-whatsapp-url': PUBLIC_WHATSAPP_URL,
   };
 
   let html = template;

package/server/email/emailTemplateService.js

@@ -1,3 +1,5 @@
+import { now as __timeNow, nowIso as __timeNowIso, toUnixMs as __timeNowMs } from '#time';
+import { resolveAdminPhoneFromEnv, resolveBotPhoneFromEnv, resolveSupportPhoneFromEnv } from '../../utils/whatsapp/contactEnv.js';
 const DEFAULT_SITE_ORIGIN = 'https://omnizap.shop';
 const DEFAULT_BRAND_NAME = 'OmniZap';
 
@@ -76,7 +78,7 @@ const resolveBrandConfig = (payload = {}) => {
   const supportFallback = `${siteOrigin}/termos-de-uso/`;
   const replyToAddress = normalizeEmailAddress(payload?.replyTo || process.env.SMTP_REPLY_TO || process.env.EMAIL_REPLY_TO || process.env.MAIL_REPLY_TO || '');
   const fromAddress = normalizeEmailAddress(process.env.SMTP_FROM || process.env.EMAIL_FROM || process.env.MAIL_FROM || process.env.SMTP_USER || process.env.EMAIL_USER || process.env.MAIL_USER || '');
-  const supportPhoneCandidate = normalizePhoneDigits(payload?.supportPhone || process.env.EMAIL_BRAND_SUPPORT_PHONE || process.env.WHATSAPP_SUPPORT_NUMBER || process.env.OWNER_NUMBER || '', 20);
+  const supportPhoneCandidate = normalizePhoneDigits(payload?.supportPhone || resolveSupportPhoneFromEnv({ fallback: resolveAdminPhoneFromEnv({ fallback: '' }) }) || '', 20);
   const supportPhoneDigits = isLikelyPhoneDigits(supportPhoneCandidate) ? supportPhoneCandidate : '';
   const supportPhonePn = formatPhonePn(supportPhoneDigits);
   const supportWhatsappUrl = supportPhoneDigits ? `https://wa.me/${supportPhoneDigits}` : '';
@@ -125,7 +127,7 @@ const renderEmailLayout = ({ payload = {}, preheader = '', heading = '', greetin
   const safeSecondaryCtaUrl = normalizeHttpUrl(secondaryCtaUrl, '');
   const safeSecurityNote = normalizeText(securityNote, 220);
   const safeFooterMessage = normalizeText(footerMessage, 220);
-  const year = new Date().getUTCFullYear();
+  const year = __timeNow().getUTCFullYear();
 
   const logoBlock = brand.brandLogoUrl ? `<img src="${escapeHtml(brand.brandLogoUrl)}" alt="${escapeHtml(brand.brandName)}" width="132" style="display:block;border:0;outline:none;text-decoration:none;height:auto;margin:0 auto;" />` : `<div style="display:inline-block;font-size:26px;font-weight:800;color:#0f172a;letter-spacing:0.2px;">${escapeHtml(brand.brandName)}</div>`;
 
@@ -215,7 +217,7 @@ const resolveNavigationLinks = (payload = {}) => {
 };
 
 const resolveWelcomeBotWhatsApp = (payload = {}) => {
-  const botPhoneCandidate = normalizePhoneDigits(payload?.botPhone || payload?.botNumber || process.env.EMAIL_WELCOME_BOT_PHONE || process.env.WHATSAPP_BOT_NUMBER || process.env.BOT_NUMBER || process.env.BOT_PHONE_NUMBER || process.env.PHONE_NUMBER || process.env.EMAIL_BRAND_SUPPORT_PHONE || '', 20);
+  const botPhoneCandidate = normalizePhoneDigits(payload?.botPhone || payload?.botNumber || process.env.EMAIL_WELCOME_BOT_PHONE || resolveBotPhoneFromEnv({ fallback: resolveSupportPhoneFromEnv({ fallback: '' }) }) || '', 20);
   const botPhoneDigits = isLikelyPhoneDigits(botPhoneCandidate) ? botPhoneCandidate : '';
   const botPhonePn = formatPhonePn(botPhoneDigits);
   const botWhatsAppUrl = botPhoneDigits ? `https://wa.me/${botPhoneDigits}` : '';

package/server/http/httpServer.js

@@ -1,3 +1,4 @@
+import { now as __timeNow, nowIso as __timeNowIso, toUnixMs as __timeNowMs } from '#time';
 import http from 'node:http';
 
 import logger from '#logger';
@@ -5,6 +6,7 @@ import { getMetricsServerConfig, isMetricsEnabled, recordHttpRequest, resolveRou
 import { applyCachePolicy } from '../middleware/cachePolicy.js';
 import { applySensitiveRouteRateLimit } from '../middleware/endpointRateLimit.js';
 import { applySecurityHeaders } from '../middleware/securityHeaders.js';
+import { shouldHandleGrafanaProxyPath } from '../routes/observability/grafanaProxyRouter.js';
 import { getIndexRouteConfigs, routeRequest } from '../routes/indexRouter.js';
 import { parseRequestUrl, normalizeRequestId } from './requestContext.js';
 
@@ -41,7 +43,7 @@ export const startHttpServer = () => {
   const { host, port, path: metricsPath } = getMetricsServerConfig();
 
   server = http.createServer(async (req, res) => {
-    const requestStartedAt = Date.now();
+    const requestStartedAt = __timeNowMs();
     const requestId = normalizeRequestId(req.headers['x-request-id']);
     res.setHeader('X-Request-Id', requestId);
 
@@ -64,10 +66,11 @@ export const startHttpServer = () => {
       userConfig: routeConfigs?.userConfig || null,
       systemAdminConfig: routeConfigs?.systemAdminConfig || null,
     });
+    const isGrafanaProxyRequest = shouldHandleGrafanaProxyPath(pathname, routeConfigs?.grafanaProxyConfig || null);
 
     res.once('finish', () => {
       recordHttpRequest({
-        durationMs: Date.now() - requestStartedAt,
+        durationMs: __timeNowMs() - requestStartedAt,
         method: req.method,
         statusCode: res.statusCode,
         routeGroup,
@@ -75,10 +78,12 @@ export const startHttpServer = () => {
     });
 
     try {
-      applySecurityHeaders(req, res);
-      applyCachePolicy(req, res, { pathname });
-      const allowedByRateLimit = await applySensitiveRouteRateLimit(req, res, { pathname });
-      if (!allowedByRateLimit) return;
+      if (!isGrafanaProxyRequest) {
+        applySecurityHeaders(req, res);
+        applyCachePolicy(req, res, { pathname });
+        const allowedByRateLimit = await applySensitiveRouteRateLimit(req, res, { pathname });
+        if (!allowedByRateLimit) return;
+      }
 
       await routeRequest(req, res, {
         pathname,

package/server/middleware/rateLimit.js

@@ -1,3 +1,4 @@
+import { now as __timeNow, nowIso as __timeNowIso, toUnixMs as __timeNowMs } from '#time';
 import { resolveClientIp } from '../http/clientIp.js';
 
 const rateLimitBuckets = new Map();
@@ -38,7 +39,7 @@ export const createRateLimit = ({ windowMs = 60_000, max = 60, keyPrefix = 'glob
   const safeKeyPrefix = String(keyPrefix || 'global').trim() || 'global';
 
   return (req, res) => {
-    const nowMs = Date.now();
+    const nowMs = __timeNowMs();
     pruneBuckets(safeWindowMs, nowMs);
 
     const ip = resolveClientIp(req);

package/server/middleware/securityHeaders.js

@@ -10,10 +10,29 @@ const parseEnvBool = (value, fallback = false) => {
   return fallback;
 };
 
+const parseEnvList = (value) =>
+  String(value || '')
+    .split(',')
+    .map((item) => String(item || '').trim())
+    .filter(Boolean);
+
+const toHttpOrigin = (value) => {
+  const raw = String(value || '').trim();
+  if (!raw) return '';
+  try {
+    const parsed = new URL(raw);
+    if (!['http:', 'https:'].includes(parsed.protocol)) return '';
+    return parsed.origin;
+  } catch {
+    return '';
+  }
+};
+
 const HELMET_CSP_ENFORCE = parseEnvBool(process.env.HELMET_CONTENT_SECURITY_POLICY_ENABLED, true);
 const BACKEND_BUILD_ID = String(process.env.OMNIZAP_BUILD_ID || '')
   .trim()
   .slice(0, 80);
+const FRAME_SRC_EXTRA = Array.from(new Set([...parseEnvList(process.env.HELMET_CSP_FRAME_SRC_EXTRA), process.env.SYSTEM_ADMIN_GRAFANA_URL, process.env.GRAFANA_PUBLIC_URL].map((item) => toHttpOrigin(item)).filter(Boolean)));
 
 const HELMET_CSP_DIRECTIVES = {
   defaultSrc: ["'self'"],
@@ -26,7 +45,7 @@ const HELMET_CSP_DIRECTIVES = {
   imgSrc: ["'self'", 'data:', 'blob:', 'https:'],
   fontSrc: ["'self'", 'data:', 'https://fonts.gstatic.com', 'https://cdnjs.cloudflare.com'],
   connectSrc: ["'self'", 'https://accounts.google.com', 'https://oauth2.googleapis.com', 'https://api.github.com'],
-  frameSrc: ["'self'", 'https://accounts.google.com'],
+  frameSrc: ["'self'", 'https://accounts.google.com', ...FRAME_SRC_EXTRA],
   workerSrc: ["'self'", 'blob:'],
   manifestSrc: ["'self'"],
 };

package/server/routes/admin/systemAdminRouter.js

@@ -24,8 +24,10 @@ const DEFAULT_USER_SYSTEM_ADMIN_WEB_PATH = '/user/systemadm';
 const DEFAULT_LEGACY_STICKER_ADMIN_WEB_PATH = '/stickers/admin';
 const DEFAULT_SYSTEM_ADMIN_API_BASE_PATH = '/api/admin';
 const DEFAULT_SYSTEM_ADMIN_API_SESSION_PATH = '/api/admin/session';
+const DEFAULT_SYSTEM_ADMIN_API_MULTI_SESSION_PATH = '/api/admin/multi-session';
 const DEFAULT_LEGACY_STICKER_ADMIN_API_BASE_PATH = '/api/sticker-packs/admin';
 const DEFAULT_LEGACY_STICKER_ADMIN_API_SESSION_PATH = '/api/sticker-packs/admin/session';
+const DEFAULT_LEGACY_STICKER_ADMIN_API_MULTI_SESSION_PATH = '/api/sticker-packs/admin/multi-session';
 
 export const getSystemAdminRouterConfig = async () => {
   const controller = await loadSystemAdminController();
@@ -35,8 +37,10 @@ export const getSystemAdminRouterConfig = async () => {
     legacyWebPath: normalizeBasePath(legacyConfig.legacyWebPath, DEFAULT_LEGACY_STICKER_ADMIN_WEB_PATH),
     apiAdminBasePath: normalizeBasePath(legacyConfig.apiAdminBasePath, DEFAULT_SYSTEM_ADMIN_API_BASE_PATH),
     apiAdminSessionPath: normalizeBasePath(legacyConfig.apiAdminSessionPath, DEFAULT_SYSTEM_ADMIN_API_SESSION_PATH),
+    apiAdminMultiSessionPath: normalizeBasePath(legacyConfig.apiAdminMultiSessionPath, DEFAULT_SYSTEM_ADMIN_API_MULTI_SESSION_PATH),
     legacyApiAdminBasePath: normalizeBasePath(legacyConfig.legacyApiAdminBasePath, DEFAULT_LEGACY_STICKER_ADMIN_API_BASE_PATH),
     legacyApiAdminSessionPath: normalizeBasePath(legacyConfig.legacyApiAdminSessionPath, DEFAULT_LEGACY_STICKER_ADMIN_API_SESSION_PATH),
+    legacyApiAdminMultiSessionPath: normalizeBasePath(legacyConfig.legacyApiAdminMultiSessionPath, DEFAULT_LEGACY_STICKER_ADMIN_API_MULTI_SESSION_PATH),
   };
 };
 
@@ -46,8 +50,10 @@ export const shouldHandleSystemAdminPath = (pathname, systemAdminConfig = null)
     legacyWebPath: DEFAULT_LEGACY_STICKER_ADMIN_WEB_PATH,
     apiAdminBasePath: DEFAULT_SYSTEM_ADMIN_API_BASE_PATH,
     apiAdminSessionPath: DEFAULT_SYSTEM_ADMIN_API_SESSION_PATH,
+    apiAdminMultiSessionPath: DEFAULT_SYSTEM_ADMIN_API_MULTI_SESSION_PATH,
     legacyApiAdminBasePath: DEFAULT_LEGACY_STICKER_ADMIN_API_BASE_PATH,
     legacyApiAdminSessionPath: DEFAULT_LEGACY_STICKER_ADMIN_API_SESSION_PATH,
+    legacyApiAdminMultiSessionPath: DEFAULT_LEGACY_STICKER_ADMIN_API_MULTI_SESSION_PATH,
   };
 
   if (startsWithPath(pathname, resolvedConfig.webPath)) return true;