@waiaas/daemon 2.9.1-rc → 2.10.0-rc

package/dist/api/middleware/master-auth.d.ts

@@ -8,6 +8,7 @@
  *
  * @see docs/52-auth-redesign.md
  */
+import type { Database as SQLiteDatabase } from 'better-sqlite3';
 /** Mutable ref for in-memory master password + hash, enabling hot-swap on password change. */
 export interface MasterPasswordRef {
     password: string;
@@ -17,6 +18,8 @@ export interface MasterAuthDeps {
     masterPasswordHash?: string;
     /** Mutable ref for live password/hash updates. Takes precedence over masterPasswordHash. */
     passwordRef?: MasterPasswordRef;
+    /** Raw SQLite for audit logging (MASTER_AUTH_FAILED). */
+    sqlite?: SQLiteDatabase;
 }
 export declare function createMasterAuth(deps: MasterAuthDeps): import("hono").MiddlewareHandler<any, string, {}, Response>;
 //# sourceMappingURL=master-auth.d.ts.map

package/dist/api/middleware/master-auth.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"master-auth.d.ts","sourceRoot":"","sources":["../../../src/api/middleware/master-auth.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAUH,8FAA8F;AAC9F,MAAM,WAAW,iBAAiB;IAChC,QAAQ,EAAE,MAAM,CAAC;IACjB,IAAI,EAAE,MAAM,CAAC;CACd;AAED,MAAM,WAAW,cAAc;IAC7B,kBAAkB,CAAC,EAAE,MAAM,CAAC;IAC5B,4FAA4F;IAC5F,WAAW,CAAC,EAAE,iBAAiB,CAAC;CACjC;AAMD,wBAAgB,gBAAgB,CAAC,IAAI,EAAE,cAAc,+DA6BpD"}
+{"version":3,"file":"master-auth.d.ts","sourceRoot":"","sources":["../../../src/api/middleware/master-auth.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAKH,OAAO,KAAK,EAAE,QAAQ,IAAI,cAAc,EAAE,MAAM,gBAAgB,CAAC;AAOjE,8FAA8F;AAC9F,MAAM,WAAW,iBAAiB;IAChC,QAAQ,EAAE,MAAM,CAAC;IACjB,IAAI,EAAE,MAAM,CAAC;CACd;AAED,MAAM,WAAW,cAAc;IAC7B,kBAAkB,CAAC,EAAE,MAAM,CAAC;IAC5B,4FAA4F;IAC5F,WAAW,CAAC,EAAE,iBAAiB,CAAC;IAChC,yDAAyD;IACzD,MAAM,CAAC,EAAE,cAAc,CAAC;CACzB;AAMD,wBAAgB,gBAAgB,CAAC,IAAI,EAAE,cAAc,+DA2CpD"}

package/dist/api/middleware/master-auth.js

@@ -11,6 +11,7 @@
 import { createMiddleware } from 'hono/factory';
 import argon2 from 'argon2';
 import { WAIaaSError } from '@waiaas/core';
+import { insertAuditLog } from '../../infrastructure/database/audit-helper.js';
 // ---------------------------------------------------------------------------
 // Middleware factory
 // ---------------------------------------------------------------------------
@@ -32,6 +33,19 @@ export function createMasterAuth(deps) {
         // Verify password against stored Argon2id hash
         const isValid = await argon2.verify(hash, password);
         if (!isValid) {
+            // Audit log: MASTER_AUTH_FAILED (best-effort)
+            if (deps.sqlite) {
+                insertAuditLog(deps.sqlite, {
+                    eventType: 'MASTER_AUTH_FAILED',
+                    actor: 'unknown',
+                    details: {
+                        reason: 'Invalid master password',
+                        ip: c.req.header('x-forwarded-for') ?? 'localhost',
+                    },
+                    severity: 'critical',
+                    ipAddress: c.req.header('x-forwarded-for') ?? undefined,
+                });
+            }
             throw new WAIaaSError('INVALID_MASTER_PASSWORD', {
                 message: 'Invalid master password',
             });

package/dist/api/middleware/master-auth.js.map

@@ -1 +1 @@
-{"version":3,"file":"master-auth.js","sourceRoot":"","sources":["../../../src/api/middleware/master-auth.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAEH,OAAO,EAAE,gBAAgB,EAAE,MAAM,cAAc,CAAC;AAChD,OAAO,MAAM,MAAM,QAAQ,CAAC;AAC5B,OAAO,EAAE,WAAW,EAAE,MAAM,cAAc,CAAC;AAkB3C,8EAA8E;AAC9E,qBAAqB;AACrB,8EAA8E;AAE9E,MAAM,UAAU,gBAAgB,CAAC,IAAoB;IACnD,OAAO,gBAAgB,CAAC,KAAK,EAAE,CAAC,EAAE,IAAI,EAAE,EAAE;QACxC,MAAM,QAAQ,GAAG,CAAC,CAAC,GAAG,CAAC,MAAM,CAAC,mBAAmB,CAAC,CAAC;QAEnD,IAAI,CAAC,QAAQ,EAAE,CAAC;YACd,MAAM,IAAI,WAAW,CAAC,yBAAyB,EAAE;gBAC/C,OAAO,EAAE,sCAAsC;aAChD,CAAC,CAAC;QACL,CAAC;QAED,kEAAkE;QAClE,MAAM,IAAI,GAAG,IAAI,CAAC,WAAW,EAAE,IAAI,IAAI,IAAI,CAAC,kBAAkB,CAAC;QAC/D,IAAI,CAAC,IAAI,EAAE,CAAC;YACV,MAAM,IAAI,WAAW,CAAC,yBAAyB,EAAE;gBAC/C,OAAO,EAAE,gCAAgC;aAC1C,CAAC,CAAC;QACL,CAAC;QAED,+CAA+C;QAC/C,MAAM,OAAO,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,IAAI,EAAE,QAAQ,CAAC,CAAC;QAEpD,IAAI,CAAC,OAAO,EAAE,CAAC;YACb,MAAM,IAAI,WAAW,CAAC,yBAAyB,EAAE;gBAC/C,OAAO,EAAE,yBAAyB;aACnC,CAAC,CAAC;QACL,CAAC;QAED,MAAM,IAAI,EAAE,CAAC;IACf,CAAC,CAAC,CAAC;AACL,CAAC"}
+{"version":3,"file":"master-auth.js","sourceRoot":"","sources":["../../../src/api/middleware/master-auth.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAEH,OAAO,EAAE,gBAAgB,EAAE,MAAM,cAAc,CAAC;AAChD,OAAO,MAAM,MAAM,QAAQ,CAAC;AAC5B,OAAO,EAAE,WAAW,EAAE,MAAM,cAAc,CAAC;AAE3C,OAAO,EAAE,cAAc,EAAE,MAAM,+CAA+C,CAAC;AAoB/E,8EAA8E;AAC9E,qBAAqB;AACrB,8EAA8E;AAE9E,MAAM,UAAU,gBAAgB,CAAC,IAAoB;IACnD,OAAO,gBAAgB,CAAC,KAAK,EAAE,CAAC,EAAE,IAAI,EAAE,EAAE;QACxC,MAAM,QAAQ,GAAG,CAAC,CAAC,GAAG,CAAC,MAAM,CAAC,mBAAmB,CAAC,CAAC;QAEnD,IAAI,CAAC,QAAQ,EAAE,CAAC;YACd,MAAM,IAAI,WAAW,CAAC,yBAAyB,EAAE;gBAC/C,OAAO,EAAE,sCAAsC;aAChD,CAAC,CAAC;QACL,CAAC;QAED,kEAAkE;QAClE,MAAM,IAAI,GAAG,IAAI,CAAC,WAAW,EAAE,IAAI,IAAI,IAAI,CAAC,kBAAkB,CAAC;QAC/D,IAAI,CAAC,IAAI,EAAE,CAAC;YACV,MAAM,IAAI,WAAW,CAAC,yBAAyB,EAAE;gBAC/C,OAAO,EAAE,gCAAgC;aAC1C,CAAC,CAAC;QACL,CAAC;QAED,+CAA+C;QAC/C,MAAM,OAAO,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,IAAI,EAAE,QAAQ,CAAC,CAAC;QAEpD,IAAI,CAAC,OAAO,EAAE,CAAC;YACb,8CAA8C;YAC9C,IAAI,IAAI,CAAC,MAAM,EAAE,CAAC;gBAChB,cAAc,CAAC,IAAI,CAAC,MAAM,EAAE;oBAC1B,SAAS,EAAE,oBAAoB;oBAC/B,KAAK,EAAE,SAAS;oBAChB,OAAO,EAAE;wBACP,MAAM,EAAE,yBAAyB;wBACjC,EAAE,EAAE,CAAC,CAAC,GAAG,CAAC,MAAM,CAAC,iBAAiB,CAAC,IAAI,WAAW;qBACnD;oBACD,QAAQ,EAAE,UAAU;oBACpB,SAAS,EAAE,CAAC,CAAC,GAAG,CAAC,MAAM,CAAC,iBAAiB,CAAC,IAAI,SAAS;iBACxD,CAAC,CAAC;YACL,CAAC;YAED,MAAM,IAAI,WAAW,CAAC,yBAAyB,EAAE;gBAC/C,OAAO,EAAE,yBAAyB;aACnC,CAAC,CAAC;QACL,CAAC;QAED,MAAM,IAAI,EAAE,CAAC;IACf,CAAC,CAAC,CAAC;AACL,CAAC"}

package/dist/api/routes/admin.d.ts

@@ -47,6 +47,7 @@ import type { VersionCheckService } from '../../infrastructure/version/version-c
 import type { DelayQueue } from '../../workflow/delay-queue.js';
 import type { ApprovalWorkflow } from '../../workflow/approval-workflow.js';
 import type { MasterPasswordRef } from '../middleware/master-auth.js';
+import type { EncryptedBackupService } from '../../infrastructure/backup/encrypted-backup-service.js';
 export interface KillSwitchState {
     state: string;
     activatedAt: number | null;
@@ -83,6 +84,9 @@ export interface AdminRouteDeps {
     delayQueue?: DelayQueue;
     approvalWorkflow?: ApprovalWorkflow;
     rpcPool?: RpcPool;
+    encryptedBackupService?: EncryptedBackupService;
+    adminStatsService?: import('../../services/admin-stats-service.js').AdminStatsService;
+    autoStopService?: import('../../services/autostop/autostop-service.js').AutoStopService;
 }
 export declare function adminRoutes(deps: AdminRouteDeps): OpenAPIHono;
 //# sourceMappingURL=admin.d.ts.map

package/dist/api/routes/admin.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"admin.d.ts","sourceRoot":"","sources":["../../../src/api/routes/admin.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA+BG;AAEH,OAAO,EAAE,WAAW,EAAkB,MAAM,mBAAmB,CAAC;AAEhE,OAAO,KAAK,EAAE,qBAAqB,EAAE,MAAM,4BAA4B,CAAC;AACxE,OAAO,KAAK,EAAE,QAAQ,IAAI,cAAc,EAAE,MAAM,gBAAgB,CAAC;AAGjE,OAAO,KAAK,EAAyE,YAAY,EAAE,iBAAiB,EAAgB,MAAM,cAAc,CAAC;AACzJ,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,cAAc,CAAC;AAE5C,OAAO,KAAK,EAAE,gBAAgB,EAAc,MAAM,gDAAgD,CAAC;AAKnG,OAAO,KAAK,KAAK,MAAM,MAAM,yCAAyC,CAAC;AACvE,OAAO,KAAK,EAAE,mBAAmB,EAAE,MAAM,6CAA6C,CAAC;AACvF,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,uCAAuC,CAAC;AAC1E,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,wCAAwC,CAAC;AAE9E,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,sCAAsC,CAAC;AAGxE,OAAO,KAAK,EAAE,sBAAsB,EAAE,MAAM,yDAAyD,CAAC;AACtG,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,uCAAuC,CAAC;AAC/E,OAAO,KAAK,EAAE,mBAAmB,EAAE,MAAM,uDAAuD,CAAC;AACjG,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,+BAA+B,CAAC;AAChE,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,qCAAqC,CAAC;AAC5E,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,8BAA8B,CAAC;AAmCtE,MAAM,WAAW,eAAe;IAC9B,KAAK,EAAE,MAAM,CAAC;IACd,WAAW,EAAE,MAAM,GAAG,IAAI,CAAC;IAC3B,WAAW,EAAE,MAAM,GAAG,IAAI,CAAC;CAC5B;AAED,MAAM,WAAW,cAAc;IAC7B,EAAE,EAAE,qBAAqB,CAAC,OAAO,MAAM,CAAC,CAAC;IACzC,gBAAgB,CAAC,EAAE,gBAAgB,CAAC;IACpC,wEAAwE;IACxE,WAAW,CAAC,EAAE,iBAAiB,CAAC;IAChC,kBAAkB,EAAE,MAAM,eAAe,CAAC;IAC1C,kBAAkB,EAAE,CAAC,KAAK,EAAE,MAAM,EAAE,WAAW,CAAC,EAAE,MAAM,KAAK,IAAI,CAAC;IAClE,iBAAiB,CAAC,EAAE,iBAAiB,CAAC;IACtC,eAAe,CAAC,EAAE,MAAM,IAAI,CAAC;IAC7B,SAAS,EAAE,MAAM,CAAC;IAClB,OAAO,EAAE,MAAM,CAAC;IAChB,YAAY,EAAE,MAAM,CAAC;IACrB,mBAAmB,CAAC,EAAE,mBAAmB,CAAC;IAC1C,kBAAkB,CAAC,EAAE,YAAY,CAAC,eAAe,CAAC,CAAC;IACnD,eAAe,CAAC,EAAE,eAAe,CAAC;IAClC,iBAAiB,CAAC,EAAE,CAAC,WAAW,EAAE,MAAM,EAAE,KAAK,IAAI,CAAC;IACpD,WAAW,CAAC,EAAE,WAAW,GAAG,IAAI,CAAC;IACjC,YAAY,CAAC,EAAE,YAAY,CAAC;IAC5B,WAAW,CAAC,EAAE,YAAY,CAAC;IAC3B,YAAY,CAAC,EAAE;QAAE,yBAAyB,EAAE,OAAO,CAAC;QAAC,wBAAwB,EAAE,MAAM,CAAA;KAAE,CAAC;IACxF,sBAAsB,CAAC,EAAE,sBAAsB,CAAC;IAChD,gBAAgB,CAAC,EAAE,iBAAiB,CAAC;IACrC,MAAM,CAAC,EAAE,cAAc,CAAC;IACxB,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,mBAAmB,CAAC,EAAE,mBAAmB,GAAG,IAAI,CAAC;IACjD,UAAU,CAAC,EAAE,UAAU,CAAC;IACxB,gBAAgB,CAAC,EAAE,gBAAgB,CAAC;IACpC,OAAO,CAAC,EAAE,OAAO,CAAC;CACnB;AAqzBD,wBAAgB,WAAW,CAAC,IAAI,EAAE,cAAc,GAAG,WAAW,CAm3D7D"}
+{"version":3,"file":"admin.d.ts","sourceRoot":"","sources":["../../../src/api/routes/admin.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA+BG;AAEH,OAAO,EAAE,WAAW,EAAkB,MAAM,mBAAmB,CAAC;AAEhE,OAAO,KAAK,EAAE,qBAAqB,EAAE,MAAM,4BAA4B,CAAC;AACxE,OAAO,KAAK,EAAE,QAAQ,IAAI,cAAc,EAAE,MAAM,gBAAgB,CAAC;AAGjE,OAAO,KAAK,EAAyE,YAAY,EAAE,iBAAiB,EAAgB,MAAM,cAAc,CAAC;AACzJ,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,cAAc,CAAC;AAE5C,OAAO,KAAK,EAAE,gBAAgB,EAAc,MAAM,gDAAgD,CAAC;AAKnG,OAAO,KAAK,KAAK,MAAM,MAAM,yCAAyC,CAAC;AACvE,OAAO,KAAK,EAAE,mBAAmB,EAAE,MAAM,6CAA6C,CAAC;AACvF,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,uCAAuC,CAAC;AAC1E,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,wCAAwC,CAAC;AAE9E,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,sCAAsC,CAAC;AAGxE,OAAO,KAAK,EAAE,sBAAsB,EAAE,MAAM,yDAAyD,CAAC;AACtG,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,uCAAuC,CAAC;AAC/E,OAAO,KAAK,EAAE,mBAAmB,EAAE,MAAM,uDAAuD,CAAC;AACjG,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,+BAA+B,CAAC;AAChE,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,qCAAqC,CAAC;AAC5E,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,8BAA8B,CAAC;AAiCtE,OAAO,KAAK,EAAE,sBAAsB,EAAE,MAAM,yDAAyD,CAAC;AAMtG,MAAM,WAAW,eAAe;IAC9B,KAAK,EAAE,MAAM,CAAC;IACd,WAAW,EAAE,MAAM,GAAG,IAAI,CAAC;IAC3B,WAAW,EAAE,MAAM,GAAG,IAAI,CAAC;CAC5B;AAED,MAAM,WAAW,cAAc;IAC7B,EAAE,EAAE,qBAAqB,CAAC,OAAO,MAAM,CAAC,CAAC;IACzC,gBAAgB,CAAC,EAAE,gBAAgB,CAAC;IACpC,wEAAwE;IACxE,WAAW,CAAC,EAAE,iBAAiB,CAAC;IAChC,kBAAkB,EAAE,MAAM,eAAe,CAAC;IAC1C,kBAAkB,EAAE,CAAC,KAAK,EAAE,MAAM,EAAE,WAAW,CAAC,EAAE,MAAM,KAAK,IAAI,CAAC;IAClE,iBAAiB,CAAC,EAAE,iBAAiB,CAAC;IACtC,eAAe,CAAC,EAAE,MAAM,IAAI,CAAC;IAC7B,SAAS,EAAE,MAAM,CAAC;IAClB,OAAO,EAAE,MAAM,CAAC;IAChB,YAAY,EAAE,MAAM,CAAC;IACrB,mBAAmB,CAAC,EAAE,mBAAmB,CAAC;IAC1C,kBAAkB,CAAC,EAAE,YAAY,CAAC,eAAe,CAAC,CAAC;IACnD,eAAe,CAAC,EAAE,eAAe,CAAC;IAClC,iBAAiB,CAAC,EAAE,CAAC,WAAW,EAAE,MAAM,EAAE,KAAK,IAAI,CAAC;IACpD,WAAW,CAAC,EAAE,WAAW,GAAG,IAAI,CAAC;IACjC,YAAY,CAAC,EAAE,YAAY,CAAC;IAC5B,WAAW,CAAC,EAAE,YAAY,CAAC;IAC3B,YAAY,CAAC,EAAE;QAAE,yBAAyB,EAAE,OAAO,CAAC;QAAC,wBAAwB,EAAE,MAAM,CAAA;KAAE,CAAC;IACxF,sBAAsB,CAAC,EAAE,sBAAsB,CAAC;IAChD,gBAAgB,CAAC,EAAE,iBAAiB,CAAC;IACrC,MAAM,CAAC,EAAE,cAAc,CAAC;IACxB,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,mBAAmB,CAAC,EAAE,mBAAmB,GAAG,IAAI,CAAC;IACjD,UAAU,CAAC,EAAE,UAAU,CAAC;IACxB,gBAAgB,CAAC,EAAE,gBAAgB,CAAC;IACpC,OAAO,CAAC,EAAE,OAAO,CAAC;IAClB,sBAAsB,CAAC,EAAE,sBAAsB,CAAC;IAChD,iBAAiB,CAAC,EAAE,OAAO,uCAAuC,EAAE,iBAAiB,CAAC;IACtF,eAAe,CAAC,EAAE,OAAO,6CAA6C,EAAE,eAAe,CAAC;CACzF;AAqzBD,wBAAgB,WAAW,CAAC,IAAI,EAAE,cAAc,GAAG,WAAW,CAskE7D"}

package/dist/api/routes/admin.js

@@ -40,7 +40,7 @@ import { generateId } from '../../infrastructure/database/id.js';
 import { buildConnectInfoPrompt } from './connect-info.js';
 import { getSettingDefinition } from '../../infrastructure/settings/index.js';
 import { resolveRpcUrl } from '../../infrastructure/adapter-pool.js';
-import { AdminStatusResponseSchema, KillSwitchResponseSchema, KillSwitchActivateResponseSchema, KillSwitchEscalateResponseSchema, MasterPasswordChangeRequestSchema, MasterPasswordChangeResponseSchema, RecoverResponseSchema, KillSwitchRecoverRequestSchema, ShutdownResponseSchema, RotateSecretResponseSchema, NotificationStatusResponseSchema, NotificationTestRequestSchema, NotificationTestResponseSchema, NotificationLogResponseSchema, SettingsResponseSchema, SettingsUpdateRequestSchema, SettingsUpdateResponseSchema, TestRpcRequestSchema, TestRpcResponseSchema, OracleStatusResponseSchema, AgentPromptRequestSchema, AgentPromptResponseSchema, SessionReissueResponseSchema, StakingPositionsResponseSchema, RpcStatusResponseSchema, buildErrorResponses, openApiValidationHook, } from './openapi-schemas.js';
+import { AdminStatusResponseSchema, KillSwitchResponseSchema, KillSwitchActivateResponseSchema, KillSwitchEscalateResponseSchema, MasterPasswordChangeRequestSchema, MasterPasswordChangeResponseSchema, RecoverResponseSchema, KillSwitchRecoverRequestSchema, ShutdownResponseSchema, RotateSecretResponseSchema, NotificationStatusResponseSchema, NotificationTestRequestSchema, NotificationTestResponseSchema, NotificationLogResponseSchema, SettingsResponseSchema, SettingsUpdateRequestSchema, SettingsUpdateResponseSchema, TestRpcRequestSchema, TestRpcResponseSchema, OracleStatusResponseSchema, AgentPromptRequestSchema, AgentPromptResponseSchema, SessionReissueResponseSchema, StakingPositionsResponseSchema, RpcStatusResponseSchema, BackupInfoResponseSchema, BackupListResponseSchema, ErrorResponseSchema, buildErrorResponses, openApiValidationHook, } from './openapi-schemas.js';
 // ---------------------------------------------------------------------------
 // Route definitions
 // ---------------------------------------------------------------------------
@@ -2328,6 +2328,191 @@ export function adminRoutes(deps) {
             activeCount: positions.length,
         }, 200);
     });
+    // ---------------------------------------------------------------------------
+    // POST /admin/backup (create encrypted backup)
+    // ---------------------------------------------------------------------------
+    const createBackupRoute = createRoute({
+        method: 'post',
+        path: '/admin/backup',
+        tags: ['Admin'],
+        summary: 'Create an encrypted backup',
+        responses: {
+            200: {
+                description: 'Backup created successfully',
+                content: { 'application/json': { schema: BackupInfoResponseSchema } },
+            },
+            401: {
+                description: 'Master password not available',
+                content: { 'application/json': { schema: ErrorResponseSchema } },
+            },
+            501: {
+                description: 'Backup service not configured',
+                content: { 'application/json': { schema: ErrorResponseSchema } },
+            },
+            ...buildErrorResponses(['INVALID_MASTER_PASSWORD']),
+        },
+    });
+    router.openapi(createBackupRoute, async (c) => {
+        if (!deps.encryptedBackupService) {
+            return c.json({ code: 'NOT_CONFIGURED', message: 'Backup service not configured', retryable: false }, 501);
+        }
+        if (!deps.passwordRef?.password) {
+            return c.json({ code: 'INVALID_MASTER_PASSWORD', message: 'Master password not available', retryable: false }, 401);
+        }
+        const info = await deps.encryptedBackupService.createBackup(deps.passwordRef.password);
+        return c.json(info, 200);
+    });
+    // ---------------------------------------------------------------------------
+    // GET /admin/backups (list backups)
+    // ---------------------------------------------------------------------------
+    const listBackupsRoute = createRoute({
+        method: 'get',
+        path: '/admin/backups',
+        tags: ['Admin'],
+        summary: 'List available backups',
+        responses: {
+            200: {
+                description: 'Backup list',
+                content: { 'application/json': { schema: BackupListResponseSchema } },
+            },
+            501: {
+                description: 'Backup service not configured',
+                content: { 'application/json': { schema: ErrorResponseSchema } },
+            },
+        },
+    });
+    router.openapi(listBackupsRoute, async (c) => {
+        if (!deps.encryptedBackupService) {
+            return c.json({ code: 'NOT_CONFIGURED', message: 'Backup service not configured', retryable: false }, 501);
+        }
+        const backups = deps.encryptedBackupService.listBackups();
+        const retentionCount = deps.daemonConfig?.backup?.retention_count ?? 7;
+        return c.json({ backups, total: backups.length, retention_count: retentionCount }, 200);
+    });
+    // ---------------------------------------------------------------------------
+    // GET /admin/stats -- 7-category operational statistics (STAT-01)
+    // ---------------------------------------------------------------------------
+    const adminStatsRoute = createRoute({
+        method: 'get',
+        path: '/admin/stats',
+        tags: ['Admin'],
+        summary: 'Get operational statistics',
+        responses: {
+            200: {
+                description: 'Operational statistics (7 categories)',
+                content: { 'application/json': { schema: z.any() } },
+            },
+        },
+    });
+    router.openapi(adminStatsRoute, async (c) => {
+        if (!deps.adminStatsService) {
+            return c.json({ code: 'NOT_CONFIGURED', message: 'Stats service not configured', retryable: false }, 503);
+        }
+        const stats = deps.adminStatsService.getStats();
+        return c.json(stats, 200);
+    });
+    // ---------------------------------------------------------------------------
+    // GET /admin/autostop/rules -- List AutoStop rules with status (PLUG-03)
+    // ---------------------------------------------------------------------------
+    const autostopRulesRoute = createRoute({
+        method: 'get',
+        path: '/admin/autostop/rules',
+        tags: ['Admin'],
+        summary: 'List AutoStop rules with status',
+        responses: {
+            200: {
+                description: 'AutoStop rules list',
+                content: { 'application/json': { schema: z.any() } },
+            },
+        },
+    });
+    router.openapi(autostopRulesRoute, async (c) => {
+        if (!deps.autoStopService) {
+            return c.json({ globalEnabled: false, rules: [] }, 200);
+        }
+        const status = deps.autoStopService.getStatus();
+        const registry = deps.autoStopService.registry;
+        const rules = registry.getRules().map((r) => {
+            const ruleStatus = r.getStatus();
+            return {
+                id: r.id,
+                displayName: r.displayName,
+                description: r.description,
+                enabled: r.enabled,
+                subscribedEvents: r.subscribedEvents,
+                config: ruleStatus.config,
+                state: ruleStatus.state,
+            };
+        });
+        return c.json({ globalEnabled: status.enabled, rules }, 200);
+    });
+    // ---------------------------------------------------------------------------
+    // PUT /admin/autostop/rules/:id -- Update AutoStop rule (PLUG-03)
+    // ---------------------------------------------------------------------------
+    const autostopRuleUpdateRoute = createRoute({
+        method: 'put',
+        path: '/admin/autostop/rules/{id}',
+        tags: ['Admin'],
+        summary: 'Update AutoStop rule enabled/config',
+        request: {
+            params: z.object({ id: z.string() }),
+            body: {
+                content: {
+                    'application/json': {
+                        schema: z.object({
+                            enabled: z.boolean().optional(),
+                            config: z.record(z.unknown()).optional(),
+                        }),
+                    },
+                },
+            },
+        },
+        responses: {
+            200: {
+                description: 'Rule updated',
+                content: { 'application/json': { schema: z.any() } },
+            },
+            404: {
+                description: 'Rule not found',
+                content: { 'application/json': { schema: z.any() } },
+            },
+        },
+    });
+    router.openapi(autostopRuleUpdateRoute, async (c) => {
+        if (!deps.autoStopService) {
+            throw new WAIaaSError('RULE_NOT_FOUND');
+        }
+        const { id } = c.req.valid('param');
+        const body = c.req.valid('json');
+        const registry = deps.autoStopService.registry;
+        const rule = registry.getRule(id);
+        if (!rule) {
+            throw new WAIaaSError('RULE_NOT_FOUND');
+        }
+        // Update enabled state
+        if (body.enabled !== undefined) {
+            registry.setEnabled(id, body.enabled);
+            // Persist to Admin Settings
+            if (deps.settingsService) {
+                deps.settingsService.set(`autostop.rule.${id}.enabled`, String(body.enabled));
+            }
+        }
+        // Update config
+        if (body.config) {
+            rule.updateConfig(body.config);
+        }
+        // Return updated rule info
+        const ruleStatus = rule.getStatus();
+        return c.json({
+            id: rule.id,
+            displayName: rule.displayName,
+            description: rule.description,
+            enabled: rule.enabled,
+            subscribedEvents: rule.subscribedEvents,
+            config: ruleStatus.config,
+            state: ruleStatus.state,
+        }, 200);
+    });
     return router;
 }
 //# sourceMappingURL=admin.js.map