@omnizap-system/omnizap 2.6.1 → 2.6.2

package/server/controllers/system/contactController.js

@@ -1,13 +1,12 @@
 import logger from '#logger';
 import { getActiveSocket, getAdminPhone, getAdminRawValue, getJidUser, resolveAdminJid, resolveBotJid, extractUserIdInfo, resolveUserId } from '../../../app/config/index.js';
+import { isLikelyWhatsAppPhone, normalizePhoneDigits, resolveAdminPhoneFromEnv, resolveBotPhoneFromEnv, resolveSupportPhoneFromEnv } from '../../../utils/whatsapp/contactEnv.js';
 
 const PACK_COMMAND_PREFIX = String(process.env.COMMAND_PREFIX || '/').trim() || '/';
 
-const normalizePhoneDigits = (value) => String(value || '').replace(/\D+/g, '');
-
 const isPlausibleWhatsAppPhone = (value) => {
   const digits = normalizePhoneDigits(value);
-  return digits.length >= 10 && digits.length <= 15 ? digits : '';
+  return isLikelyWhatsAppPhone(digits) ? digits : '';
 };
 
 const resolveActiveSocketBotJid = (activeSocket) => {
@@ -26,18 +25,12 @@ export const resolveCatalogBotPhone = () => {
   const jidUser = botJid ? getJidUser(botJid) : null;
   const fromSocket = normalizePhoneDigits(jidUser || '');
 
-  if (fromSocket && fromSocket.length >= 10) {
+  if (isLikelyWhatsAppPhone(fromSocket)) {
     return fromSocket;
   }
 
-  const envCandidates = [process.env.WHATSAPP_BOT_NUMBER, process.env.BOT_NUMBER, process.env.PHONE_NUMBER, process.env.BOT_PHONE_NUMBER, process.env.USER_ADMIN];
-
-  for (const candidate of envCandidates) {
-    const digits = normalizePhoneDigits(candidate || '');
-    if (digits && digits.length >= 10 && digits.length <= 15) {
-      return digits;
-    }
-  }
+  const fromEnv = resolveBotPhoneFromEnv({ fallback: '' });
+  if (fromEnv) return fromEnv;
 
   logger.warn('Nao foi possivel resolver o numero do bot para contato.', {
     action: 'resolve_bot_phone_failed',
@@ -75,12 +68,11 @@ const resolveSupportAdminPhone = async () => {
   const adminPhone = isPlausibleWhatsAppPhone(getAdminPhone() || '');
   if (adminPhone) return adminPhone;
 
-  const candidates = [process.env.WHATSAPP_SUPPORT_NUMBER, process.env.OWNER_NUMBER, process.env.USER_ADMIN];
+  const configuredAdminPhone = resolveAdminPhoneFromEnv({ fallback: '' });
+  if (configuredAdminPhone) return configuredAdminPhone;
 
-  for (const candidate of candidates) {
-    const digits = isPlausibleWhatsAppPhone(getJidUser(candidate || '') || candidate);
-    if (digits) return digits;
-  }
+  const configuredSupportPhone = resolveSupportPhoneFromEnv({ fallback: '' });
+  if (configuredSupportPhone) return configuredSupportPhone;
 
   return '';
 };

package/server/controllers/system/stickerCatalogSystemContext.js

@@ -1,5 +1,6 @@
 import { now as __timeNow, nowIso as __timeNowIso, toUnixMs as __timeNowMs } from '#time';
 import { withTimeout } from '../../http/httpRequestUtils.js';
+import { resolveBotPhoneFromEnv } from '../../../utils/whatsapp/contactEnv.js';
 
 export const createStickerCatalogSystemContext = ({ executeQuery, tables, logger, getSystemMetrics, getActiveSocket, resolveSocketReadyState, resolveActiveSocketBotJid, resolveCatalogBotPhone, fetchPrometheusSummary, metricsEndpoint, systemSummaryCache, systemSummaryCacheSeconds, readmeSummaryCache, readmeSummaryCacheSeconds, readmeMessageTypeSampleLimit, readmeCommandPrefix, buildMenuCaption, buildStickerMenu, buildMediaMenu, buildQuoteMenu, buildAnimeMenu, buildAiMenu, buildStatsMenu, buildAdminMenu, profilePictureUrlFromActiveSocket, normalizeJid, getJidUser, globalRankCache, globalRankRefreshSeconds, marketplaceGlobalStatsCache, marketplaceGlobalStatsCacheSeconds }) => {
   let globalRankRefreshTimer = null;
@@ -153,6 +154,12 @@ export const createStickerCatalogSystemContext = ({ executeQuery, tables, logger
           systemSummaryCache.expiresAt = __timeNowMs() + systemSummaryCacheSeconds * 1000;
           return payload;
         })
+        .catch((error) => {
+          if (hasValue && systemSummaryCache.value) {
+            return systemSummaryCache.value;
+          }
+          throw error;
+        })
         .finally(() => {
           systemSummaryCache.pending = null;
         });
@@ -329,6 +336,12 @@ export const createStickerCatalogSystemContext = ({ executeQuery, tables, logger
           readmeSummaryCache.expiresAt = __timeNowMs() + readmeSummaryCacheSeconds * 1000;
           return payload;
         })
+        .catch((error) => {
+          if (hasValue && readmeSummaryCache.value) {
+            return readmeSummaryCache.value;
+          }
+          throw error;
+        })
         .finally(() => {
           readmeSummaryCache.pending = null;
         });
@@ -346,12 +359,8 @@ export const createStickerCatalogSystemContext = ({ executeQuery, tables, logger
     const botPhoneFromCatalog = String(resolveCatalogBotPhone() || '').replace(/\D+/g, '');
     if (botPhoneFromCatalog) candidates.add(botPhoneFromCatalog);
 
-    const envCandidates = [process.env.WHATSAPP_BOT_NUMBER, process.env.BOT_NUMBER, process.env.PHONE_NUMBER, process.env.BOT_PHONE_NUMBER];
-
-    for (const candidate of envCandidates) {
-      const digits = String(candidate || '').replace(/\D+/g, '');
-      if (digits) candidates.add(digits);
-    }
+    const configuredBotPhone = String(resolveBotPhoneFromEnv({ fallback: '' }) || '').replace(/\D+/g, '');
+    if (configuredBotPhone) candidates.add(configuredBotPhone);
 
     return Array.from(candidates).filter((value) => value.length >= 8);
   };
@@ -542,6 +551,12 @@ export const createStickerCatalogSystemContext = ({ executeQuery, tables, logger
           globalRankCache.expiresAt = __timeNowMs() + globalRankRefreshSeconds * 1000;
           return data;
         })
+        .catch((error) => {
+          if (hasValue && globalRankCache.value) {
+            return globalRankCache.value;
+          }
+          throw error;
+        })
         .finally(() => {
           globalRankCache.pending = null;
         });
@@ -737,6 +752,12 @@ export const createStickerCatalogSystemContext = ({ executeQuery, tables, logger
           marketplaceGlobalStatsCache.expiresAt = __timeNowMs() + marketplaceGlobalStatsCacheSeconds * 1000;
           return data;
         })
+        .catch((error) => {
+          if (hasValue && marketplaceGlobalStatsCache.value) {
+            return marketplaceGlobalStatsCache.value;
+          }
+          throw error;
+        })
         .finally(() => {
           marketplaceGlobalStatsCache.pending = null;
         });

package/server/controllers/system/systemController.js

@@ -1,6 +1,6 @@
 import logger from '#logger';
 import { executeQuery, TABLES } from '../../../database/index.js';
-import { getActiveSocket, getJidUser, normalizeJid, profilePictureUrlFromActiveSocket } from '../../../app/config/index.js';
+import { getActiveSocket, getActiveSocketsBySession, getJidUser, getMultiSessionRuntimeConfig, isSocketOpen, normalizeJid, profilePictureUrlFromActiveSocket } from '../../../app/config/index.js';
 import { getSystemMetrics } from '../../../app/utils/systemMetrics/systemMetricsModule.js';
 import { createStickerCatalogSystemContext } from './stickerCatalogSystemContext.js';
 import { createStickerCatalogNonCatalogHandlers } from '../sticker/nonCatalogHandlers.js';
@@ -10,6 +10,9 @@ import { fetchPrometheusSummary } from './systemMetricsController.js';
 import { buildBotContactInfo, buildSupportInfo, resolveCatalogBotPhone } from './contactController.js';
 import { buildAdminMenu, buildAiMenu, buildAnimeMenu, buildMediaMenu, buildMenuCaption, buildQuoteMenu, buildStatsMenu, buildStickerMenu } from '../../../app/modules/menuModule/common.js';
 import { trackWebVisitMetric } from './visitController.js';
+import groupOwnershipService from '../../../app/services/multiSession/groupOwnershipService.js';
+import sessionRegistryService from '../../../app/services/multiSession/sessionRegistryService.js';
+import { runGroupAssignmentBalancerCycle } from '../../../app/services/multiSession/assignmentBalancerService.js';
 
 const SYSTEM_SUMMARY_CACHE_SECONDS = Number(process.env.SYSTEM_SUMMARY_CACHE_SECONDS || 20);
 const README_SUMMARY_CACHE_SECONDS = Number(process.env.README_SUMMARY_CACHE_SECONDS || 1800);
@@ -132,4 +135,254 @@ export const systemHandlers = createStickerCatalogNonCatalogHandlers({
   isAuthenticatedGoogleSession: (sess) => Boolean(sess?.sub && (sess?.ownerJid || sess?.ownerPhone || sess?.email)),
 });
 
+const clampLimit = (value, fallback = 200, min = 1, max = 5_000) => {
+  const parsed = Number.parseInt(String(value ?? ''), 10);
+  if (!Number.isFinite(parsed)) return fallback;
+  return Math.max(min, Math.min(max, parsed));
+};
+
+const normalizeOptional = (value, maxLength = 255) => {
+  const normalized = String(value || '')
+    .trim()
+    .slice(0, maxLength);
+  return normalized || null;
+};
+
+const normalizeBoolean = (value, fallback = false) => {
+  if (value === undefined || value === null || value === '') return fallback;
+  const normalized = String(value).trim().toLowerCase();
+  if (['1', 'true', 'yes', 'y', 'on'].includes(normalized)) return true;
+  if (['0', 'false', 'no', 'n', 'off'].includes(normalized)) return false;
+  return fallback;
+};
+
+const toIso = (value) => {
+  if (!value) return null;
+  const parsed = new Date(value);
+  if (Number.isNaN(parsed.getTime())) return null;
+  return parsed.toISOString();
+};
+
+const resolveSocketRuntimeState = (socket) => {
+  const open = isSocketOpen(socket);
+  const readyState = resolveSocketReadyState(socket);
+  const botJid = resolveActiveSocketBotJid(socket);
+  return {
+    socket_open: open,
+    socket_ready_state: readyState,
+    socket_bot_jid: botJid || null,
+  };
+};
+
+export const listSystemAdminSessions = async ({ status = null, limit = 200 } = {}) => {
+  const runtimeConfig = getMultiSessionRuntimeConfig();
+  const safeStatus = normalizeOptional(status, 24);
+  const safeLimit = clampLimit(limit, 200, 1, 5_000);
+  const registryRows = await sessionRegistryService.listSessions({
+    status: safeStatus,
+    limit: safeLimit,
+  });
+
+  const socketsBySession = getActiveSocketsBySession();
+  const knownSessionIds = new Set();
+  for (const sessionId of runtimeConfig.sessionIds || []) knownSessionIds.add(sessionId);
+  for (const row of registryRows || []) {
+    if (row?.sessionId) knownSessionIds.add(row.sessionId);
+  }
+
+  const selectedSessionIds = Array.from(knownSessionIds)
+    .filter(Boolean)
+    .slice(0, safeLimit);
+  const registryBySession = new Map((registryRows || []).map((row) => [row.sessionId, row]));
+
+  const sessions = selectedSessionIds.map((sessionId) => {
+    const row = registryBySession.get(sessionId) || null;
+    const socket = socketsBySession.get(sessionId) || null;
+    const socketRuntime = resolveSocketRuntimeState(socket);
+
+    return {
+      session_id: sessionId,
+      is_primary: sessionId === runtimeConfig.primarySessionId,
+      configured: (runtimeConfig.sessionIds || []).includes(sessionId),
+      configured_weight: Number(runtimeConfig.sessionWeights?.[sessionId] || 1),
+      status: row?.status || (socketRuntime.socket_open ? 'online' : 'offline'),
+      bot_jid: row?.botJid || socketRuntime.socket_bot_jid || null,
+      capacity_weight: Number(row?.capacityWeight || runtimeConfig.sessionWeights?.[sessionId] || 1),
+      current_score: Number(row?.currentScore || 0),
+      last_heartbeat_at: toIso(row?.lastHeartbeatAt),
+      last_connected_at: toIso(row?.lastConnectedAt),
+      last_disconnected_at: toIso(row?.lastDisconnectedAt),
+      updated_at: toIso(row?.updatedAt),
+      metadata: row?.metadata || null,
+      ...socketRuntime,
+    };
+  });
+
+  return {
+    generated_at: new Date().toISOString(),
+    primary_session_id: runtimeConfig.primarySessionId,
+    configured_session_ids: runtimeConfig.sessionIds || [],
+    sessions,
+  };
+};
+
+export const listSystemAdminAssignments = async (
+  {
+    groupJid = null,
+    ownerSessionId = null,
+    includeExpired = false,
+    limit = 200,
+  } = {},
+) => {
+  const safeGroupJid = normalizeOptional(groupJid, 255);
+  const safeOwnerSessionId = normalizeOptional(ownerSessionId, 64);
+  const safeIncludeExpired = normalizeBoolean(includeExpired, false);
+  const safeLimit = clampLimit(limit, 200, 1, 5_000);
+
+  const assignments = await groupOwnershipService.listAssignments({
+    groupJid: safeGroupJid,
+    ownerSessionId: safeOwnerSessionId,
+    includeExpired: safeIncludeExpired,
+    limit: safeLimit,
+  });
+
+  return {
+    generated_at: new Date().toISOString(),
+    filters: {
+      group_jid: safeGroupJid,
+      owner_session_id: safeOwnerSessionId,
+      include_expired: safeIncludeExpired,
+      limit: safeLimit,
+    },
+    assignments: (assignments || []).map((assignment) => ({
+      group_jid: assignment?.groupJid || null,
+      owner_session_id: assignment?.ownerSessionId || null,
+      lease_expires_at: toIso(assignment?.leaseExpiresAt),
+      cooldown_until: toIso(assignment?.cooldownUntil),
+      assignment_version: Number(assignment?.assignmentVersion || 1),
+      pinned: assignment?.pinned === true,
+      active: assignment?.active !== false,
+      last_reason: assignment?.lastReason || null,
+      created_at: toIso(assignment?.createdAt),
+      updated_at: toIso(assignment?.updatedAt),
+    })),
+  };
+};
+
+export const setSystemAdminGroupPin = async (
+  {
+    groupJid,
+    pinned,
+    sessionId = null,
+    reason = null,
+    changedBy = 'admin_api',
+    metadata = null,
+  } = {},
+) => {
+  const outcome = await groupOwnershipService.setPinned({
+    groupJid,
+    pinned,
+    sessionId,
+    reason: reason || (pinned ? 'admin_pin_group' : 'admin_unpin_group'),
+    changedBy,
+    metadata,
+  });
+
+  return {
+    updated: Boolean(outcome?.updated),
+    reason: outcome?.reason || null,
+    assignment_version: Number(outcome?.assignmentVersion || 0) || null,
+    previous_owner_session_id: outcome?.previousOwnerSessionId || null,
+    owner: outcome?.owner
+      ? {
+          group_jid: outcome.owner.groupJid,
+          owner_session_id: outcome.owner.ownerSessionId,
+          lease_expires_at: toIso(outcome.owner.leaseExpiresAt),
+          cooldown_until: toIso(outcome.owner.cooldownUntil),
+          assignment_version: Number(outcome.owner.assignmentVersion || 1),
+          pinned: outcome.owner.pinned === true,
+          last_reason: outcome.owner.lastReason || null,
+        }
+      : null,
+  };
+};
+
+export const forceSystemAdminGroupFailover = async (
+  {
+    groupJid,
+    targetSessionId,
+    reason = 'admin_force_failover',
+    changedBy = 'admin_api',
+    metadata = null,
+  } = {},
+) => {
+  const outcome = await groupOwnershipService.forceAssign({
+    groupJid,
+    sessionId: targetSessionId,
+    reason,
+    changedBy,
+    metadata,
+  });
+
+  return {
+    reassigned: Boolean(outcome?.reassigned),
+    reason: outcome?.reason || null,
+    assignment_version: Number(outcome?.assignmentVersion || 0) || null,
+    previous_owner_session_id: outcome?.previousOwnerSessionId || null,
+    owner: outcome?.owner
+      ? {
+          group_jid: outcome.owner.groupJid,
+          owner_session_id: outcome.owner.ownerSessionId,
+          lease_expires_at: toIso(outcome.owner.leaseExpiresAt),
+          assignment_version: Number(outcome.owner.assignmentVersion || 1),
+          pinned: outcome.owner.pinned === true,
+          last_reason: outcome.owner.lastReason || null,
+        }
+      : null,
+  };
+};
+
+export const triggerSystemAdminManualRebalance = async () => {
+  const cycle = await runGroupAssignmentBalancerCycle();
+  return {
+    generated_at: new Date().toISOString(),
+    cycle,
+  };
+};
+
+export const listSystemAdminAssignmentHistory = async ({ groupJid = null, limit = 100 } = {}) => {
+  const safeLimit = clampLimit(limit, 100, 1, 5_000);
+  const safeGroupJid = normalizeOptional(groupJid, 255);
+  const params = [];
+  const where = [];
+  if (safeGroupJid) {
+    where.push('group_jid = ?');
+    params.push(safeGroupJid);
+  }
+
+  const rows = await executeQuery(
+    `SELECT id, group_jid, previous_session_id, new_session_id, change_reason, changed_by, assignment_version, metadata, created_at
+       FROM ${TABLES.GROUP_ASSIGNMENT_HISTORY}
+       ${where.length > 0 ? `WHERE ${where.join(' AND ')}` : ''}
+      ORDER BY id DESC
+      LIMIT ${safeLimit}`,
+    params,
+  );
+
+  return {
+    generated_at: new Date().toISOString(),
+    history: (Array.isArray(rows) ? rows : []).map((row) => ({
+      id: Number(row?.id || 0),
+      group_jid: row?.group_jid || null,
+      previous_session_id: row?.previous_session_id || null,
+      new_session_id: row?.new_session_id || null,
+      change_reason: row?.change_reason || null,
+      changed_by: row?.changed_by || null,
+      assignment_version: Number(row?.assignment_version || 0) || null,
+      metadata: row?.metadata || null,
+      created_at: toIso(row?.created_at),
+    })),
+  };
+};
+
 export { scheduleGlobalRankingPreload };

package/server/controllers/userController.js

@@ -3,6 +3,7 @@ import path from 'node:path';
 
 import logger from '#logger';
 import { DEFAULT_LEGACY_STICKER_API_BASE_PATH, DEFAULT_USER_API_BASE_PATH, isUserApiPath, normalizeBasePath, resolveLegacyUserApiPath } from '../routes/user/userApiPaths.js';
+import { buildWhatsappUrl, resolvePublicWhatsappNumber } from '../utils/publicContact.js';
 
 const LEGACY_STICKER_API_BASE_PATH = normalizeBasePath(process.env.STICKER_API_BASE_PATH, DEFAULT_LEGACY_STICKER_API_BASE_PATH);
 const USER_API_BASE_PATH = normalizeBasePath(process.env.USER_API_BASE_PATH || process.env.AUTH_API_BASE_PATH, DEFAULT_USER_API_BASE_PATH);
@@ -11,6 +12,8 @@ const USER_PROFILE_WEB_PATH = normalizeBasePath(process.env.USER_PROFILE_WEB_PAT
 const USER_PASSWORD_RESET_WEB_PATH = normalizeBasePath(process.env.USER_PASSWORD_RESET_WEB_PATH, '/user/password-reset');
 const USER_DASHBOARD_TEMPLATE_PATH = path.join(process.cwd(), 'public', 'pages', 'user.html');
 const USER_PASSWORD_RESET_TEMPLATE_PATH = path.join(process.cwd(), 'public', 'pages', 'user-password-reset.html');
+const PUBLIC_WHATSAPP_NUMBER = resolvePublicWhatsappNumber();
+const PUBLIC_WHATSAPP_URL = buildWhatsappUrl(PUBLIC_WHATSAPP_NUMBER);
 
 const hasPathPrefix = (pathname, prefix) => pathname === prefix || pathname.startsWith(`${prefix}/`);
 const escapeHtmlAttribute = (value) =>
@@ -52,7 +55,10 @@ const renderUserDashboardHtml = async ({ passwordReset = false } = {}) => {
   const dataAttributes = {
     'data-api-base-path': USER_API_BASE_PATH,
     'data-login-path': STICKER_LOGIN_WEB_PATH,
+    'data-panel-path': USER_PROFILE_WEB_PATH,
     'data-password-reset-web-path': USER_PASSWORD_RESET_WEB_PATH,
+    'data-support-whatsapp-number': PUBLIC_WHATSAPP_NUMBER,
+    'data-support-whatsapp-url': PUBLIC_WHATSAPP_URL,
   };
 
   let html = template;

package/server/email/emailTemplateService.js

@@ -1,4 +1,5 @@
 import { now as __timeNow, nowIso as __timeNowIso, toUnixMs as __timeNowMs } from '#time';
+import { resolveAdminPhoneFromEnv, resolveBotPhoneFromEnv, resolveSupportPhoneFromEnv } from '../../utils/whatsapp/contactEnv.js';
 const DEFAULT_SITE_ORIGIN = 'https://omnizap.shop';
 const DEFAULT_BRAND_NAME = 'OmniZap';
 
@@ -77,7 +78,7 @@ const resolveBrandConfig = (payload = {}) => {
   const supportFallback = `${siteOrigin}/termos-de-uso/`;
   const replyToAddress = normalizeEmailAddress(payload?.replyTo || process.env.SMTP_REPLY_TO || process.env.EMAIL_REPLY_TO || process.env.MAIL_REPLY_TO || '');
   const fromAddress = normalizeEmailAddress(process.env.SMTP_FROM || process.env.EMAIL_FROM || process.env.MAIL_FROM || process.env.SMTP_USER || process.env.EMAIL_USER || process.env.MAIL_USER || '');
-  const supportPhoneCandidate = normalizePhoneDigits(payload?.supportPhone || process.env.EMAIL_BRAND_SUPPORT_PHONE || process.env.WHATSAPP_SUPPORT_NUMBER || process.env.OWNER_NUMBER || '', 20);
+  const supportPhoneCandidate = normalizePhoneDigits(payload?.supportPhone || resolveSupportPhoneFromEnv({ fallback: resolveAdminPhoneFromEnv({ fallback: '' }) }) || '', 20);
   const supportPhoneDigits = isLikelyPhoneDigits(supportPhoneCandidate) ? supportPhoneCandidate : '';
   const supportPhonePn = formatPhonePn(supportPhoneDigits);
   const supportWhatsappUrl = supportPhoneDigits ? `https://wa.me/${supportPhoneDigits}` : '';
@@ -216,7 +217,7 @@ const resolveNavigationLinks = (payload = {}) => {
 };
 
 const resolveWelcomeBotWhatsApp = (payload = {}) => {
-  const botPhoneCandidate = normalizePhoneDigits(payload?.botPhone || payload?.botNumber || process.env.EMAIL_WELCOME_BOT_PHONE || process.env.WHATSAPP_BOT_NUMBER || process.env.BOT_NUMBER || process.env.BOT_PHONE_NUMBER || process.env.PHONE_NUMBER || process.env.EMAIL_BRAND_SUPPORT_PHONE || '', 20);
+  const botPhoneCandidate = normalizePhoneDigits(payload?.botPhone || payload?.botNumber || process.env.EMAIL_WELCOME_BOT_PHONE || resolveBotPhoneFromEnv({ fallback: resolveSupportPhoneFromEnv({ fallback: '' }) }) || '', 20);
   const botPhoneDigits = isLikelyPhoneDigits(botPhoneCandidate) ? botPhoneCandidate : '';
   const botPhonePn = formatPhonePn(botPhoneDigits);
   const botWhatsAppUrl = botPhoneDigits ? `https://wa.me/${botPhoneDigits}` : '';

package/server/http/httpServer.js

@@ -6,6 +6,7 @@ import { getMetricsServerConfig, isMetricsEnabled, recordHttpRequest, resolveRou
 import { applyCachePolicy } from '../middleware/cachePolicy.js';
 import { applySensitiveRouteRateLimit } from '../middleware/endpointRateLimit.js';
 import { applySecurityHeaders } from '../middleware/securityHeaders.js';
+import { shouldHandleGrafanaProxyPath } from '../routes/observability/grafanaProxyRouter.js';
 import { getIndexRouteConfigs, routeRequest } from '../routes/indexRouter.js';
 import { parseRequestUrl, normalizeRequestId } from './requestContext.js';
 
@@ -65,6 +66,7 @@ export const startHttpServer = () => {
       userConfig: routeConfigs?.userConfig || null,
       systemAdminConfig: routeConfigs?.systemAdminConfig || null,
     });
+    const isGrafanaProxyRequest = shouldHandleGrafanaProxyPath(pathname, routeConfigs?.grafanaProxyConfig || null);
 
     res.once('finish', () => {
       recordHttpRequest({
@@ -76,10 +78,12 @@ export const startHttpServer = () => {
     });
 
     try {
-      applySecurityHeaders(req, res);
-      applyCachePolicy(req, res, { pathname });
-      const allowedByRateLimit = await applySensitiveRouteRateLimit(req, res, { pathname });
-      if (!allowedByRateLimit) return;
+      if (!isGrafanaProxyRequest) {
+        applySecurityHeaders(req, res);
+        applyCachePolicy(req, res, { pathname });
+        const allowedByRateLimit = await applySensitiveRouteRateLimit(req, res, { pathname });
+        if (!allowedByRateLimit) return;
+      }
 
       await routeRequest(req, res, {
         pathname,

package/server/middleware/securityHeaders.js

@@ -10,10 +10,29 @@ const parseEnvBool = (value, fallback = false) => {
   return fallback;
 };
 
+const parseEnvList = (value) =>
+  String(value || '')
+    .split(',')
+    .map((item) => String(item || '').trim())
+    .filter(Boolean);
+
+const toHttpOrigin = (value) => {
+  const raw = String(value || '').trim();
+  if (!raw) return '';
+  try {
+    const parsed = new URL(raw);
+    if (!['http:', 'https:'].includes(parsed.protocol)) return '';
+    return parsed.origin;
+  } catch {
+    return '';
+  }
+};
+
 const HELMET_CSP_ENFORCE = parseEnvBool(process.env.HELMET_CONTENT_SECURITY_POLICY_ENABLED, true);
 const BACKEND_BUILD_ID = String(process.env.OMNIZAP_BUILD_ID || '')
   .trim()
   .slice(0, 80);
+const FRAME_SRC_EXTRA = Array.from(new Set([...parseEnvList(process.env.HELMET_CSP_FRAME_SRC_EXTRA), process.env.SYSTEM_ADMIN_GRAFANA_URL, process.env.GRAFANA_PUBLIC_URL].map((item) => toHttpOrigin(item)).filter(Boolean)));
 
 const HELMET_CSP_DIRECTIVES = {
   defaultSrc: ["'self'"],
@@ -26,7 +45,7 @@ const HELMET_CSP_DIRECTIVES = {
   imgSrc: ["'self'", 'data:', 'blob:', 'https:'],
   fontSrc: ["'self'", 'data:', 'https://fonts.gstatic.com', 'https://cdnjs.cloudflare.com'],
   connectSrc: ["'self'", 'https://accounts.google.com', 'https://oauth2.googleapis.com', 'https://api.github.com'],
-  frameSrc: ["'self'", 'https://accounts.google.com'],
+  frameSrc: ["'self'", 'https://accounts.google.com', ...FRAME_SRC_EXTRA],
   workerSrc: ["'self'", 'blob:'],
   manifestSrc: ["'self'"],
 };

package/server/routes/admin/systemAdminRouter.js

@@ -24,8 +24,10 @@ const DEFAULT_USER_SYSTEM_ADMIN_WEB_PATH = '/user/systemadm';
 const DEFAULT_LEGACY_STICKER_ADMIN_WEB_PATH = '/stickers/admin';
 const DEFAULT_SYSTEM_ADMIN_API_BASE_PATH = '/api/admin';
 const DEFAULT_SYSTEM_ADMIN_API_SESSION_PATH = '/api/admin/session';
+const DEFAULT_SYSTEM_ADMIN_API_MULTI_SESSION_PATH = '/api/admin/multi-session';
 const DEFAULT_LEGACY_STICKER_ADMIN_API_BASE_PATH = '/api/sticker-packs/admin';
 const DEFAULT_LEGACY_STICKER_ADMIN_API_SESSION_PATH = '/api/sticker-packs/admin/session';
+const DEFAULT_LEGACY_STICKER_ADMIN_API_MULTI_SESSION_PATH = '/api/sticker-packs/admin/multi-session';
 
 export const getSystemAdminRouterConfig = async () => {
   const controller = await loadSystemAdminController();
@@ -35,8 +37,10 @@ export const getSystemAdminRouterConfig = async () => {
     legacyWebPath: normalizeBasePath(legacyConfig.legacyWebPath, DEFAULT_LEGACY_STICKER_ADMIN_WEB_PATH),
     apiAdminBasePath: normalizeBasePath(legacyConfig.apiAdminBasePath, DEFAULT_SYSTEM_ADMIN_API_BASE_PATH),
     apiAdminSessionPath: normalizeBasePath(legacyConfig.apiAdminSessionPath, DEFAULT_SYSTEM_ADMIN_API_SESSION_PATH),
+    apiAdminMultiSessionPath: normalizeBasePath(legacyConfig.apiAdminMultiSessionPath, DEFAULT_SYSTEM_ADMIN_API_MULTI_SESSION_PATH),
     legacyApiAdminBasePath: normalizeBasePath(legacyConfig.legacyApiAdminBasePath, DEFAULT_LEGACY_STICKER_ADMIN_API_BASE_PATH),
     legacyApiAdminSessionPath: normalizeBasePath(legacyConfig.legacyApiAdminSessionPath, DEFAULT_LEGACY_STICKER_ADMIN_API_SESSION_PATH),
+    legacyApiAdminMultiSessionPath: normalizeBasePath(legacyConfig.legacyApiAdminMultiSessionPath, DEFAULT_LEGACY_STICKER_ADMIN_API_MULTI_SESSION_PATH),
   };
 };
 
@@ -46,8 +50,10 @@ export const shouldHandleSystemAdminPath = (pathname, systemAdminConfig = null)
     legacyWebPath: DEFAULT_LEGACY_STICKER_ADMIN_WEB_PATH,
     apiAdminBasePath: DEFAULT_SYSTEM_ADMIN_API_BASE_PATH,
     apiAdminSessionPath: DEFAULT_SYSTEM_ADMIN_API_SESSION_PATH,
+    apiAdminMultiSessionPath: DEFAULT_SYSTEM_ADMIN_API_MULTI_SESSION_PATH,
     legacyApiAdminBasePath: DEFAULT_LEGACY_STICKER_ADMIN_API_BASE_PATH,
     legacyApiAdminSessionPath: DEFAULT_LEGACY_STICKER_ADMIN_API_SESSION_PATH,
+    legacyApiAdminMultiSessionPath: DEFAULT_LEGACY_STICKER_ADMIN_API_MULTI_SESSION_PATH,
   };
 
   if (startsWithPath(pathname, resolvedConfig.webPath)) return true;

package/server/routes/indexRouter.js

@@ -9,6 +9,7 @@ import { getStickerSiteRouterConfig, maybeHandleStickerSiteRequest, shouldHandle
 import { getStickerDataRouterConfig, maybeHandleStickerDataRequest, shouldHandleStickerDataPath } from './sticker/stickerDataRouter.js';
 import { getStickerApiRouterConfig, maybeHandleStickerApiRequest, shouldHandleStickerApiPath } from './sticker/stickerApiRouter.js';
 import { maybeHandleStaticPageRequest, shouldHandleStaticPagePath } from './static/staticPageRouter.js';
+import { getGrafanaProxyRouterConfig, maybeHandleGrafanaProxyRequest, shouldHandleGrafanaProxyPath } from './observability/grafanaProxyRouter.js';
 
 const startsWithPath = (pathname, prefix) => {
   if (!pathname || !prefix) return false;
@@ -112,12 +113,27 @@ const loadStickerApiConfigSafe = async () => {
   }
 };
 
+const loadGrafanaProxyConfigSafe = async () => {
+  try {
+    return getGrafanaProxyRouterConfig();
+  } catch {
+    return {
+      enabled: false,
+      basePath: '/api/grafana',
+      legacyBasePath: '/grafana',
+      timeoutMs: 15000,
+      target: null,
+    };
+  }
+};
+
 export const getIndexRouteConfigs = async () => {
   if (!indexRouteConfigsPromise) {
-    indexRouteConfigsPromise = Promise.all([loadUserConfigSafe(), loadSystemAdminConfigSafe(), loadEmailAutomationConfigSafe(), loadStickerSiteConfigSafe(), loadStickerDataConfigSafe(), loadStickerApiConfigSafe()]).then(([userConfig, systemAdminConfig, emailAutomationConfig, stickerSiteConfig, stickerDataConfig, stickerApiConfig]) => ({
+    indexRouteConfigsPromise = Promise.all([loadUserConfigSafe(), loadSystemAdminConfigSafe(), loadEmailAutomationConfigSafe(), loadStickerSiteConfigSafe(), loadStickerDataConfigSafe(), loadStickerApiConfigSafe(), loadGrafanaProxyConfigSafe()]).then(([userConfig, systemAdminConfig, emailAutomationConfig, stickerSiteConfig, stickerDataConfig, stickerApiConfig, grafanaProxyConfig]) => ({
       userConfig,
       systemAdminConfig,
       emailAutomationConfig,
+      grafanaProxyConfig,
       stickerConfig: {
         ...stickerSiteConfig,
         ...stickerDataConfig,
@@ -140,6 +156,7 @@ export const routeRequest = async (req, res, { pathname, url, metricsPath = '/me
   const userConfig = resolvedConfigs?.userConfig || null;
   const systemAdminConfig = resolvedConfigs?.systemAdminConfig || null;
   const emailAutomationConfig = resolvedConfigs?.emailAutomationConfig || null;
+  const grafanaProxyConfig = resolvedConfigs?.grafanaProxyConfig || null;
   const stickerConfig = resolvedConfigs?.stickerConfig || null;
 
   // 1) Metrics
@@ -163,7 +180,14 @@ export const routeRequest = async (req, res, { pathname, url, metricsPath = '/me
     return sendNotFound(req, res);
   }
 
-  // 4) User
+  // 4) Grafana proxy (/api/grafana e alias /grafana)
+  if (shouldHandleGrafanaProxyPath(pathname, grafanaProxyConfig)) {
+    const handled = await maybeHandleGrafanaProxyRequest(req, res, { pathname, url, config: grafanaProxyConfig });
+    if (handled) return true;
+    return sendNotFound(req, res);
+  }
+
+  // 5) User
   const systemAdminCandidate = shouldHandleSystemAdminStep(pathname, systemAdminConfig);
   if (shouldHandleUserStep(pathname, userConfig)) {
     const handled = await maybeHandleUserRequest(req, res, { pathname, url });
@@ -173,14 +197,14 @@ export const routeRequest = async (req, res, { pathname, url, metricsPath = '/me
     if (!systemAdminCandidate) return sendNotFound(req, res);
   }
 
-  // 5) System admin + legacy /stickers/admin
+  // 6) System admin + legacy /stickers/admin
   if (systemAdminCandidate) {
     const handled = await maybeHandleSystemAdminRequest(req, res, { pathname, url });
     if (handled) return true;
     return sendNotFound(req, res);
   }
 
-  // 6) Sticker catalog apenas nos prefixes permitidos
+  // 7) Sticker catalog apenas nos prefixes permitidos
   if (shouldHandleStickerSitePath(pathname, stickerConfig)) {
     const handled = await maybeHandleStickerSiteRequest(req, res, { pathname, url });
     if (handled) return true;
@@ -212,14 +236,14 @@ export const routeRequest = async (req, res, { pathname, url, metricsPath = '/me
     return sendNotFound(req, res);
   }
 
-  // 7) Paginas estaticas (templates em public/pages)
+  // 8) Paginas estaticas (templates em public/pages)
   if (shouldHandleStaticPagePath(pathname)) {
     const handled = await maybeHandleStaticPageRequest(req, res, { pathname });
     if (handled) return true;
     return sendNotFound(req, res);
   }
 
-  // 8) 404 global
+  // 9) 404 global
   return sendNotFound(req, res);
 };