@omnizap-system/omnizap 2.6.1 → 2.6.2

package/server/controllers/admin/adminPanelHandlers.js

@@ -1,7 +1,8 @@
 import { now as __timeNow, nowIso as __timeNowIso, toUnixMs as __timeNowMs } from '#time';
 import { randomUUID, randomBytes, scryptSync, timingSafeEqual } from 'node:crypto';
-import { URLSearchParams } from 'node:url';
+import { URL, URLSearchParams } from 'node:url';
 
+import { setAdminOverviewSnapshot } from '../../../app/observability/metrics.js';
 import { parseAdminModeratorUpsertPayload, parseAdminSessionPasswordPayload } from '../../auth/validation/authSchemas.js';
 
 export const createStickerCatalogAdminHandlers = ({ executeQuery, tables, logger, sendJson, readJsonBody, parseCookies, getCookieValuesFromRequest, appendSetCookie, buildCookieString, sanitizeText, normalizeGoogleSubject, normalizeEmail, normalizeJid, toIsoOrNull, toWhatsAppPhoneDigits, mapGoogleSessionResponseData, resolveGoogleWebSessionFromRequest, revokeGoogleWebSessionsByIdentity, getMarketplaceGlobalStatsCached, getSystemSummaryCached, getFeatureFlagsSnapshot, refreshFeatureFlags, listAdminBans, createAdminBanRecord, revokeAdminBanRecord, normalizeVisitPath, stickerWebPath, findStickerPackByPackKey, stickerPackService, buildManagedPackResponseData, sendManagedMutationStatus, sendManagedPackMutationStatus, deleteManagedPackWithCleanup, mapStickerPackWebManageError, cleanupOrphanStickerAssets, invalidateStickerCatalogDerivedCaches }) => {
@@ -16,6 +17,229 @@ export const createStickerCatalogAdminHandlers = ({ executeQuery, tables, logger
   const ADMIN_PANEL_SESSION_TTL_MS = Math.max(10 * 60 * 1000, Number(process.env.ADM_PANEL_SESSION_TTL_MS) || 12 * 60 * 60 * 1000);
   const ADMIN_MODERATOR_PASSWORD_MIN_LENGTH = Math.max(6, Number(process.env.ADM_MODERATOR_PASSWORD_MIN_LENGTH) || 8);
   const ADMIN_PANEL_SESSION_COOKIE_NAME = 'omnizap_admin_panel_session';
+  const SYSTEM_ADMIN_GRAFANA_TIME_FROM = sanitizeText(process.env.SYSTEM_ADMIN_GRAFANA_TIME_FROM || 'now-6h', 40, { allowEmpty: true }) || 'now-6h';
+  const SYSTEM_ADMIN_GRAFANA_TIME_TO = sanitizeText(process.env.SYSTEM_ADMIN_GRAFANA_TIME_TO || 'now', 40, { allowEmpty: true }) || 'now';
+  const SYSTEM_ADMIN_GRAFANA_REFRESH = sanitizeText(process.env.SYSTEM_ADMIN_GRAFANA_REFRESH || '10s', 20, { allowEmpty: true }) || '10s';
+  const SYSTEM_ADMIN_GRAFANA_STATUS_TIMEOUT_MS = Math.max(800, Number(process.env.SYSTEM_ADMIN_GRAFANA_STATUS_TIMEOUT_MS) || 2500);
+  const SYSTEM_ADMIN_GRAFANA_STATUS_CACHE_TTL_MS = Math.max(5000, Number(process.env.SYSTEM_ADMIN_GRAFANA_STATUS_CACHE_TTL_MS) || 15000);
+
+  const normalizeGrafanaBaseUrl = (value) => {
+    const raw = String(value || '').trim();
+    if (!raw) return '';
+    try {
+      const parsed = new URL(raw);
+      if (!['http:', 'https:'].includes(parsed.protocol)) return '';
+      const normalizedPathname = String(parsed.pathname || '/').replace(/\/+$/, '');
+      parsed.search = '';
+      parsed.hash = '';
+      return `${parsed.origin}${normalizedPathname === '/' ? '' : normalizedPathname}`;
+    } catch {
+      return '';
+    }
+  };
+
+  const normalizeGrafanaUid = (value) =>
+    String(value || '')
+      .trim()
+      .replace(/[^a-zA-Z0-9_-]/g, '')
+      .slice(0, 120);
+
+  const slugifyGrafanaDashboard = (value) => {
+    const raw = String(value || '')
+      .trim()
+      .toLowerCase();
+    const slug = raw
+      .replace(/[^a-z0-9]+/g, '-')
+      .replace(/^-+|-+$/g, '')
+      .slice(0, 90);
+    return slug || 'dashboard';
+  };
+
+  const parseGrafanaDashboardDefinitions = () => {
+    const raw = String(process.env.SYSTEM_ADMIN_GRAFANA_DASHBOARDS || '')
+      .split(',')
+      .map((item) => String(item || '').trim())
+      .filter(Boolean);
+
+    const parsed = raw
+      .map((entry) => {
+        const [uidPart, ...titleParts] = entry.split('|');
+        const uid = normalizeGrafanaUid(uidPart);
+        const title = sanitizeText(titleParts.join('|') || '', 90, { allowEmpty: true }) || '';
+        return uid ? { uid, title } : null;
+      })
+      .filter(Boolean);
+
+    if (parsed.length) return parsed;
+
+    return [
+      { uid: 'omnizap-system-admin', title: 'System Admin' },
+      { uid: 'omnizap-overview', title: 'Overview' },
+      { uid: 'omnizap-mysql', title: 'MySQL' },
+    ];
+  };
+
+  const buildAdminGrafanaObservabilityLinks = () => {
+    const baseUrl = normalizeGrafanaBaseUrl(process.env.SYSTEM_ADMIN_GRAFANA_URL || process.env.GRAFANA_PUBLIC_URL || '');
+    if (!baseUrl) {
+      return {
+        enabled: false,
+        base_url: null,
+        dashboards: [],
+      };
+    }
+
+    const base = new URL(`${baseUrl}/`);
+    const definitions = parseGrafanaDashboardDefinitions();
+
+    const dashboards = definitions
+      .map((entry, index) => {
+        const uid = normalizeGrafanaUid(entry?.uid || '');
+        if (!uid) return null;
+        const title = sanitizeText(entry?.title || '', 90, { allowEmpty: true }) || `Dashboard ${index + 1}`;
+        const slug = slugifyGrafanaDashboard(title || uid);
+        const viewUrl = new URL(`d/${encodeURIComponent(uid)}/${encodeURIComponent(slug)}`, base);
+        viewUrl.searchParams.set('orgId', '1');
+        viewUrl.searchParams.set('from', SYSTEM_ADMIN_GRAFANA_TIME_FROM);
+        viewUrl.searchParams.set('to', SYSTEM_ADMIN_GRAFANA_TIME_TO);
+        viewUrl.searchParams.set('refresh', SYSTEM_ADMIN_GRAFANA_REFRESH);
+
+        const embedUrl = new URL(String(viewUrl));
+        embedUrl.searchParams.set('kiosk', 'tv');
+
+        return {
+          uid,
+          title,
+          view_url: viewUrl.toString(),
+          embed_url: embedUrl.toString(),
+        };
+      })
+      .filter(Boolean);
+
+    return {
+      enabled: dashboards.length > 0,
+      base_url: baseUrl,
+      dashboards,
+    };
+  };
+  const grafanaObservabilityLinks = buildAdminGrafanaObservabilityLinks();
+  let grafanaRuntimeSnapshotCache = {
+    expires_at_ms: 0,
+    payload: null,
+  };
+
+  const resolveGrafanaHealthEndpointUrl = () => {
+    const candidates = [process.env.GRAFANA_PROXY_TARGET_URL, process.env.GRAFANA_INTERNAL_URL, process.env.SYSTEM_ADMIN_GRAFANA_URL, process.env.GRAFANA_PUBLIC_URL];
+    for (const candidate of candidates) {
+      const baseUrl = normalizeGrafanaBaseUrl(candidate);
+      if (!baseUrl) continue;
+      try {
+        return new URL('api/health', `${baseUrl}/`).toString();
+      } catch {
+        // noop
+      }
+    }
+    return '';
+  };
+
+  const getGrafanaRuntimeSnapshot = async () => {
+    const nowMs = __timeNowMs();
+    if (grafanaRuntimeSnapshotCache.payload && nowMs < grafanaRuntimeSnapshotCache.expires_at_ms) {
+      return grafanaRuntimeSnapshotCache.payload;
+    }
+
+    const dashboardsTotal = Array.isArray(grafanaObservabilityLinks?.dashboards) ? grafanaObservabilityLinks.dashboards.length : 0;
+    const baseSnapshot = {
+      enabled: Boolean(grafanaObservabilityLinks?.enabled),
+      available: false,
+      status: 'unavailable',
+      response_ms: null,
+      checked_at: __timeNowIso(),
+      http_status: null,
+      version: null,
+      database: null,
+      commit: null,
+      dashboards_total: dashboardsTotal,
+      error: null,
+    };
+
+    const healthEndpointUrl = resolveGrafanaHealthEndpointUrl();
+    if (!healthEndpointUrl) {
+      grafanaRuntimeSnapshotCache = {
+        expires_at_ms: nowMs + SYSTEM_ADMIN_GRAFANA_STATUS_CACHE_TTL_MS,
+        payload: baseSnapshot,
+      };
+      return baseSnapshot;
+    }
+
+    const controller = typeof AbortController === 'function' ? new AbortController() : null;
+    const timeoutId =
+      controller && Number.isFinite(SYSTEM_ADMIN_GRAFANA_STATUS_TIMEOUT_MS)
+        ? setTimeout(() => {
+            controller.abort();
+          }, SYSTEM_ADMIN_GRAFANA_STATUS_TIMEOUT_MS)
+        : null;
+    const startedAtMs = __timeNowMs();
+
+    try {
+      const response = await globalThis.fetch(healthEndpointUrl, {
+        method: 'GET',
+        headers: {
+          Accept: 'application/json',
+        },
+        signal: controller?.signal,
+      });
+      const responseMs = Math.max(0, __timeNowMs() - startedAtMs);
+      let payload = null;
+      try {
+        payload = await response.json();
+      } catch {
+        payload = null;
+      }
+
+      const version = sanitizeText(payload?.version || '', 40, { allowEmpty: true }) || null;
+      const commit = sanitizeText(payload?.commit || '', 80, { allowEmpty: true }) || null;
+      const database = sanitizeText(payload?.database || '', 30, { allowEmpty: true }) || null;
+      const normalizedDatabase = String(database || '')
+        .trim()
+        .toLowerCase();
+      const status = !response.ok ? 'offline' : normalizedDatabase === 'ok' ? 'online' : normalizedDatabase ? 'degraded' : 'online';
+
+      const snapshot = {
+        ...baseSnapshot,
+        available: response.ok,
+        status,
+        response_ms: responseMs,
+        checked_at: __timeNowIso(),
+        http_status: Number(response.status || 0) || null,
+        version,
+        database,
+        commit,
+      };
+      grafanaRuntimeSnapshotCache = {
+        expires_at_ms: __timeNowMs() + SYSTEM_ADMIN_GRAFANA_STATUS_CACHE_TTL_MS,
+        payload: snapshot,
+      };
+      return snapshot;
+    } catch (error) {
+      const responseMs = Math.max(0, __timeNowMs() - startedAtMs);
+      const isAbort = error?.name === 'AbortError';
+      const snapshot = {
+        ...baseSnapshot,
+        status: 'offline',
+        response_ms: responseMs,
+        checked_at: __timeNowIso(),
+        error: sanitizeText(isAbort ? 'timeout' : error?.message || 'fetch_failed', 80, { allowEmpty: true }) || 'fetch_failed',
+      };
+      grafanaRuntimeSnapshotCache = {
+        expires_at_ms: __timeNowMs() + SYSTEM_ADMIN_GRAFANA_STATUS_CACHE_TTL_MS,
+        payload: snapshot,
+      };
+      return snapshot;
+    } finally {
+      if (timeoutId) clearTimeout(timeoutId);
+    }
+  };
 
   const adminPanelSessionMap = new Map();
   let adminPanelSessionPruneAt = 0;
@@ -957,7 +1181,7 @@ export const createStickerCatalogAdminHandlers = ({ executeQuery, tables, logger
   };
 
   const buildAdminOverviewPayload = async ({ adminSession = null } = {}) => {
-    const [marketplaceStats, activeSessions, knownUsers, bans, packsCountRows, stickersCountRows, recentPacks, visitSummary, systemSummaryPayload, messageFlowDaily, moderationQueue, auditLog, featureFlags] = await Promise.all([
+    const [marketplaceStats, activeSessions, knownUsers, bans, packsCountRows, stickersCountRows, recentPacks, visitSummary, systemSummaryPayload, messageFlowDaily, moderationQueue, auditLog, featureFlags, grafanaRuntimeSnapshot] = await Promise.all([
       getMarketplaceGlobalStatsCached().catch(() => null),
       listAdminActiveGoogleWebSessions({ limit: 80 }),
       listAdminKnownGoogleUsers({ limit: 120 }),
@@ -976,6 +1200,19 @@ export const createStickerCatalogAdminHandlers = ({ executeQuery, tables, logger
       buildModerationQueueSnapshot({ limit: 80 }).catch(() => []),
       listAdminAuditLog({ limit: 120 }).catch(() => []),
       listAdminFeatureFlagsDetailed({ limit: 300 }).catch(() => []),
+      getGrafanaRuntimeSnapshot().catch(() => ({
+        enabled: Boolean(grafanaObservabilityLinks?.enabled),
+        available: false,
+        status: 'offline',
+        response_ms: null,
+        checked_at: __timeNowIso(),
+        http_status: null,
+        version: null,
+        database: null,
+        commit: null,
+        dashboards_total: Array.isArray(grafanaObservabilityLinks?.dashboards) ? grafanaObservabilityLinks.dashboards.length : 0,
+        error: 'runtime_snapshot_failed',
+      })),
     ]);
 
     const systemSummary = systemSummaryPayload?.data || null;
@@ -997,7 +1234,7 @@ export const createStickerCatalogAdminHandlers = ({ executeQuery, tables, logger
       systemMeta,
     });
 
-    return {
+    const overviewPayload = {
       admin_session: mapAdminPanelSessionResponseData(adminSession),
       marketplace_stats: marketplaceStats,
       counters: {
@@ -1045,9 +1282,22 @@ export const createStickerCatalogAdminHandlers = ({ executeQuery, tables, logger
       visit_metrics: visitSummary,
       system_summary: systemSummary,
       system_meta: systemMeta,
+      observability_links: {
+        grafana: grafanaObservabilityLinks,
+      },
+      observability_runtime: {
+        grafana: grafanaRuntimeSnapshot,
+      },
       message_flow_daily: messageFlowDaily,
       updated_at: __timeNowIso(),
     };
+
+    setAdminOverviewSnapshot({
+      overview: overviewPayload,
+      source: 'admin_overview_payload',
+    });
+
+    return overviewPayload;
   };
 
   const findAdminPackContextByKey = async (rawPackKey) => {

package/server/controllers/admin/systemAdminController.js

@@ -1,8 +1,17 @@
 import fs from 'node:fs/promises';
 import path from 'node:path';
+import { timingSafeEqual } from 'node:crypto';
 import { URL } from 'node:url';
 
 import logger from '#logger';
+import {
+  forceSystemAdminGroupFailover,
+  listSystemAdminAssignmentHistory,
+  listSystemAdminAssignments,
+  listSystemAdminSessions,
+  setSystemAdminGroupPin,
+  triggerSystemAdminManualRebalance,
+} from '../system/systemController.js';
 
 const parseEnvBool = (value, fallback) => {
   if (value === undefined || value === null || value === '') return fallback;
@@ -25,6 +34,8 @@ const SYSTEM_ADMIN_API_BASE_PATH = normalizeBasePath(process.env.SYSTEM_ADMIN_AP
 const SYSTEM_ADMIN_API_SESSION_PATH = `${SYSTEM_ADMIN_API_BASE_PATH}/session`;
 const LEGACY_SYSTEM_ADMIN_API_BASE_PATH = `${LEGACY_STICKER_API_BASE_PATH}/admin`;
 const LEGACY_SYSTEM_ADMIN_API_SESSION_PATH = `${LEGACY_SYSTEM_ADMIN_API_BASE_PATH}/session`;
+const SYSTEM_ADMIN_MULTI_SESSION_API_PATH = `${SYSTEM_ADMIN_API_BASE_PATH}/multi-session`;
+const LEGACY_SYSTEM_ADMIN_MULTI_SESSION_API_PATH = `${LEGACY_SYSTEM_ADMIN_API_BASE_PATH}/multi-session`;
 const STICKER_LOGIN_WEB_PATH = normalizeBasePath(process.env.STICKER_LOGIN_WEB_PATH, '/login');
 const STICKER_WEB_PATH = normalizeBasePath(process.env.STICKER_WEB_PATH, '/stickers');
 const STICKER_ADMIN_WEB_PATH = `${STICKER_WEB_PATH}/admin`;
@@ -37,6 +48,9 @@ const SITE_ORIGIN = String(process.env.SITE_ORIGIN || 'https://omnizap.shop')
 
 const USER_SYSTEMADM_TEMPLATE_PATH = path.join(process.cwd(), 'public', 'pages', 'user-systemadm.html');
 const LEGACY_STICKER_ADMIN_TEMPLATE_PATH = path.join(process.cwd(), 'public', 'pages', 'stickers-admin.html');
+const SYSTEM_ADMIN_OPS_TOKEN = String(
+  process.env.SYSTEM_ADMIN_OPS_TOKEN || process.env.USER_INTERNAL_API_TOKEN || process.env.ADMIN_TOKEN || process.env.ADMIN_API_TOKEN || '',
+).trim();
 
 let stickerCatalogControllerPromise = null;
 const loadStickerCatalogController = async () => {
@@ -108,6 +122,106 @@ const mapAdminApiPathToLegacy = (pathname) => {
   return null;
 };
 
+const mapMultiSessionApiPath = (pathname) => {
+  if (hasPathPrefix(pathname, SYSTEM_ADMIN_MULTI_SESSION_API_PATH)) {
+    const suffix = pathname.slice(SYSTEM_ADMIN_MULTI_SESSION_API_PATH.length);
+    return suffix || '/';
+  }
+  if (hasPathPrefix(pathname, LEGACY_SYSTEM_ADMIN_MULTI_SESSION_API_PATH)) {
+    const suffix = pathname.slice(LEGACY_SYSTEM_ADMIN_MULTI_SESSION_API_PATH.length);
+    return suffix || '/';
+  }
+  return null;
+};
+
+const constantTimeStringEqual = (left, right) => {
+  const leftBuffer = Buffer.from(String(left || ''), 'utf8');
+  const rightBuffer = Buffer.from(String(right || ''), 'utf8');
+  if (!leftBuffer.length || leftBuffer.length !== rightBuffer.length) return false;
+  try {
+    return timingSafeEqual(leftBuffer, rightBuffer);
+  } catch {
+    return false;
+  }
+};
+
+const extractBearerToken = (req) => {
+  const authHeader = String(req?.headers?.authorization || '').trim();
+  if (!authHeader.toLowerCase().startsWith('bearer ')) return '';
+  return authHeader.slice(7).trim();
+};
+
+const resolveOpsTokenFromRequest = (req) =>
+  String(req?.headers?.['x-system-admin-token'] || req?.headers?.['x-internal-api-token'] || req?.headers?.['x-admin-token'] || '').trim() ||
+  extractBearerToken(req);
+
+const hasValidOpsToken = (req) => {
+  if (!SYSTEM_ADMIN_OPS_TOKEN) return true;
+  const requestToken = resolveOpsTokenFromRequest(req);
+  if (!requestToken) return false;
+  return constantTimeStringEqual(requestToken, SYSTEM_ADMIN_OPS_TOKEN);
+};
+
+const readJsonBody = async (req, { maxBytes = 64 * 1024 } = {}) =>
+  new Promise((resolve, reject) => {
+    const chunks = [];
+    let total = 0;
+
+    req.on('data', (chunk) => {
+      total += chunk.length;
+      if (total > maxBytes) {
+        const error = new Error('Payload excedeu limite permitido.');
+        error.statusCode = 413;
+        reject(error);
+        req.destroy();
+        return;
+      }
+      chunks.push(chunk);
+    });
+
+    req.on('end', () => {
+      const raw = Buffer.concat(chunks).toString('utf8').trim();
+      if (!raw) {
+        resolve({});
+        return;
+      }
+
+      try {
+        resolve(JSON.parse(raw));
+      } catch {
+        const error = new Error('JSON invalido.');
+        error.statusCode = 400;
+        reject(error);
+      }
+    });
+
+    req.on('error', (error) => reject(error));
+  });
+
+const parseBool = (value, fallback = false) => {
+  if (value === undefined || value === null || value === '') return fallback;
+  const normalized = String(value).trim().toLowerCase();
+  if (['1', 'true', 'yes', 'y', 'on'].includes(normalized)) return true;
+  if (['0', 'false', 'no', 'n', 'off'].includes(normalized)) return false;
+  return fallback;
+};
+
+const parsePositiveInt = (value, fallback = 200, min = 1, max = 5000) => {
+  const parsed = Number.parseInt(String(value ?? ''), 10);
+  if (!Number.isFinite(parsed)) return fallback;
+  return Math.max(min, Math.min(max, parsed));
+};
+
+const decodePathSegment = (value) => {
+  const raw = String(value || '').trim();
+  if (!raw) return '';
+  try {
+    return decodeURIComponent(raw);
+  } catch {
+    return raw;
+  }
+};
+
 const renderUserSystemAdminHtml = async () => {
   const template = await fs.readFile(USER_SYSTEMADM_TEMPLATE_PATH, 'utf8');
   const dataAttributes = {
@@ -124,13 +238,147 @@ const renderUserSystemAdminHtml = async () => {
   return html;
 };
 
+const requireSystemAdminOpsAccess = (req, res) => {
+  if (hasValidOpsToken(req)) return true;
+  sendJson(req, res, 401, { error: 'Nao autorizado para operacoes de system admin.' });
+  return false;
+};
+
+const normalizeMultiSessionSubPath = (value) => {
+  const raw = String(value || '/').trim();
+  if (!raw || raw === '/') return '/';
+  return `/${raw
+    .replace(/^\/+/g, '')
+    .replace(/\/+$/g, '')}`;
+};
+
+const handleMultiSessionOpsRequest = async (req, res, { pathname, url }) => {
+  if (!requireSystemAdminOpsAccess(req, res)) return true;
+
+  const subPath = normalizeMultiSessionSubPath(pathname);
+  const requestUrl = (() => {
+    try {
+      return new URL(String(url?.href || req.url || '/'), SITE_ORIGIN);
+    } catch {
+      return new URL(SITE_ORIGIN);
+    }
+  })();
+
+  if (subPath === '/sessions') {
+    if (!['GET', 'HEAD'].includes(req.method || '')) {
+      sendJson(req, res, 405, { error: 'Metodo nao permitido.' });
+      return true;
+    }
+    const payload = await listSystemAdminSessions({
+      status: requestUrl.searchParams.get('status'),
+      limit: parsePositiveInt(requestUrl.searchParams.get('limit'), 200, 1, 5000),
+    });
+    sendJson(req, res, 200, payload);
+    return true;
+  }
+
+  if (subPath === '/assignments') {
+    if (!['GET', 'HEAD'].includes(req.method || '')) {
+      sendJson(req, res, 405, { error: 'Metodo nao permitido.' });
+      return true;
+    }
+    const payload = await listSystemAdminAssignments({
+      groupJid: requestUrl.searchParams.get('group_jid'),
+      ownerSessionId: requestUrl.searchParams.get('owner_session_id'),
+      includeExpired: parseBool(requestUrl.searchParams.get('include_expired'), false),
+      limit: parsePositiveInt(requestUrl.searchParams.get('limit'), 200, 1, 5000),
+    });
+    sendJson(req, res, 200, payload);
+    return true;
+  }
+
+  if (subPath === '/history') {
+    if (!['GET', 'HEAD'].includes(req.method || '')) {
+      sendJson(req, res, 405, { error: 'Metodo nao permitido.' });
+      return true;
+    }
+    const payload = await listSystemAdminAssignmentHistory({
+      groupJid: requestUrl.searchParams.get('group_jid'),
+      limit: parsePositiveInt(requestUrl.searchParams.get('limit'), 100, 1, 5000),
+    });
+    sendJson(req, res, 200, payload);
+    return true;
+  }
+
+  if (subPath === '/rebalance') {
+    if (!['POST'].includes(req.method || '')) {
+      sendJson(req, res, 405, { error: 'Metodo nao permitido.' });
+      return true;
+    }
+    const payload = await triggerSystemAdminManualRebalance();
+    sendJson(req, res, 200, payload);
+    return true;
+  }
+
+  const groupActionMatch = subPath.match(/^\/groups\/([^/]+)\/(pin|unpin|failover)$/i);
+  if (groupActionMatch) {
+    if (!['POST'].includes(req.method || '')) {
+      sendJson(req, res, 405, { error: 'Metodo nao permitido.' });
+      return true;
+    }
+
+    const groupJid = decodePathSegment(groupActionMatch[1]);
+    const action = String(groupActionMatch[2] || '').toLowerCase();
+    const body = await readJsonBody(req).catch((error) => {
+      const statusCode = Number(error?.statusCode || 400);
+      sendJson(req, res, statusCode, { error: error?.message || 'Falha ao interpretar payload JSON.' });
+      return null;
+    });
+    if (body === null) return true;
+
+    if (action === 'pin' || action === 'unpin') {
+      const pinned = action === 'pin';
+      const payload = await setSystemAdminGroupPin({
+        groupJid,
+        pinned,
+        sessionId: body?.session_id || body?.sessionId || null,
+        reason: body?.reason || null,
+        changedBy: 'system_admin_api',
+        metadata: body?.metadata || null,
+      });
+      sendJson(req, res, 200, payload);
+      return true;
+    }
+
+    if (action === 'failover') {
+      const targetSessionId = String(body?.target_session_id || body?.targetSessionId || requestUrl.searchParams.get('target_session_id') || '')
+        .trim()
+        .slice(0, 64);
+      if (!targetSessionId) {
+        sendJson(req, res, 400, { error: 'target_session_id e obrigatorio.' });
+        return true;
+      }
+
+      const payload = await forceSystemAdminGroupFailover({
+        groupJid,
+        targetSessionId,
+        reason: body?.reason || 'admin_force_failover',
+        changedBy: 'system_admin_api',
+        metadata: body?.metadata || null,
+      });
+      sendJson(req, res, 200, payload);
+      return true;
+    }
+  }
+
+  sendJson(req, res, 404, { error: 'Endpoint de operacao multi-session nao encontrado.' });
+  return true;
+};
+
 export const getSystemAdminRouteConfig = () => ({
   webPath: USER_SYSTEMADM_WEB_PATH,
   legacyWebPath: STICKER_ADMIN_WEB_PATH,
   apiAdminBasePath: SYSTEM_ADMIN_API_BASE_PATH,
   apiAdminSessionPath: SYSTEM_ADMIN_API_SESSION_PATH,
+  apiAdminMultiSessionPath: SYSTEM_ADMIN_MULTI_SESSION_API_PATH,
   legacyApiAdminBasePath: LEGACY_SYSTEM_ADMIN_API_BASE_PATH,
   legacyApiAdminSessionPath: LEGACY_SYSTEM_ADMIN_API_SESSION_PATH,
+  legacyApiAdminMultiSessionPath: LEGACY_SYSTEM_ADMIN_MULTI_SESSION_API_PATH,
 });
 
 export const maybeHandleSystemAdminRequest = async (req, res, { pathname, url }) => {
@@ -186,6 +434,25 @@ export const maybeHandleSystemAdminRequest = async (req, res, { pathname, url })
   }
 
   if (hasPathPrefix(pathname, SYSTEM_ADMIN_API_BASE_PATH) || hasPathPrefix(pathname, LEGACY_SYSTEM_ADMIN_API_BASE_PATH)) {
+    const multiSessionPath = mapMultiSessionApiPath(pathname);
+    if (multiSessionPath !== null) {
+      try {
+        return await handleMultiSessionOpsRequest(req, res, {
+          pathname: multiSessionPath,
+          url,
+        });
+      } catch (error) {
+        logger.error('Falha ao processar endpoint operacional multi-sessao.', {
+          action: 'system_admin_multi_session_endpoint_failed',
+          method: req.method,
+          path: pathname,
+          error: error?.message,
+        });
+        sendJson(req, res, 500, { error: 'Falha interna ao processar operacao multi-sessao.' });
+        return true;
+      }
+    }
+
     const legacyPathname = mapAdminApiPathToLegacy(pathname);
     if (!legacyPathname) return false;
 

package/server/controllers/sticker/stickerCatalogController.js

@@ -67,6 +67,7 @@ export const stripWebpExtension = (value) =>
     .replace(/\.webp$/i, '');
 
 const clampInt = (value, fallback, min, max) => {
+  if (value === undefined || value === null || value === '') return fallback;
   const parsed = Number(value);
   if (!Number.isFinite(parsed)) return fallback;
   return Math.max(min, Math.min(max, Math.floor(parsed)));
@@ -964,8 +965,6 @@ const convertUploadMediaToWebp = async ({ ownerJid, buffer, mimetype }) => {
 const PACK_TAG_MARKER_REGEX = /\[pack-tags:([^\]]+)\]/i;
 const AUTO_PACK_MARKER_REGEX = /\[(?:auto-theme|auto-tag):[^\]]+\]/gi;
 const AUTO_PACK_MARKER_TEST_REGEX = /\[(?:auto-theme|auto-tag):[^\]]+\]/i;
-const AUTO_PACK_COLLECTOR_MARKER = '[auto-pack:collector]';
-const AUTO_PACK_COLLECTOR_LEGACY_TEXT = 'coleção automática de figurinhas criadas pelo usuário.';
 const AUTO_PACK_DESCRIPTION_PREFIX_REGEX = /^curadoria automática por tema\.\s*tema:\s*[^.]+\.?\s*(?:score\s*=\s*-?\d+(?:\.\d+)?\.?\s*)?/i;
 const AUTO_PACK_SCORE_FRAGMENT_REGEX = /\bscore\s*=\s*-?\d+(?:\.\d+)?\.?/gi;
 const normalizePackTag = (value) =>
@@ -1024,29 +1023,10 @@ const parsePackDescriptionMetadata = (description) => {
   };
 };
 
-const isCollectorAutoPack = (pack) => {
-  if (!pack || typeof pack !== 'object') return false;
-  const description = String(pack.description || '').toLowerCase();
-  return description.includes(AUTO_PACK_COLLECTOR_MARKER) || description.includes(AUTO_PACK_COLLECTOR_LEGACY_TEXT);
-};
-
-const isThemeCurationAutoPack = (pack) => {
-  if (!pack || typeof pack !== 'object') return false;
-  const name = String(pack.name || '').trim();
-  if (/^\[auto\]/i.test(name)) return true;
-
-  const description = String(pack.description || '').toLowerCase();
-  if (description.includes('[auto-theme:') || description.includes('[auto-tag:')) return true;
-
-  return Boolean(String(pack.pack_theme_key || '').trim());
-};
-
 const shouldHidePackFromMyProfileDefault = (pack, { includeAutoPacks = false } = {}) => {
   if (!pack || typeof pack !== 'object') return false;
   if (includeAutoPacks) return false;
-  if (isCollectorAutoPack(pack)) return false;
-  if (isThemeCurationAutoPack(pack)) return true;
-  return pack.is_auto_pack === true || Number(pack.is_auto_pack || 0) === 1;
+  return false;
 };
 
 const buildPackDescriptionWithTags = (description, tags = []) => {
@@ -1734,6 +1714,12 @@ const getMarketplaceStatsCached = async (visibility) => {
         bucket.expiresAt = __timeNowMs() + HOME_MARKETPLACE_STATS_CACHE_SECONDS * 1000;
         return data;
       })
+      .catch((error) => {
+        if (hasValue && bucket.value) {
+          return bucket.value;
+        }
+        throw error;
+      })
       .finally(() => {
         bucket.pending = null;
       });
@@ -3219,7 +3205,7 @@ const handleCreatePackRequest = async (req, res) => {
   });
   const manualTags = mergeUniqueTags(Array.isArray(payload?.tags) ? payload.tags : []).slice(0, 8);
   const persistedDescription = buildPackDescriptionWithTags(description, manualTags);
-  const visibility = String(payload?.visibility || 'public')
+  const visibility = String(payload?.visibility || 'private')
     .trim()
     .toLowerCase();
   const googleSession = await resolveGoogleWebSessionFromRequest(req);