@wopr-network/platform-core 1.12.2 → 1.13.1

package/src/api/routes/admin-notes.ts

@@ -0,0 +1,145 @@
+import { Hono } from "hono";
+import type { AuthEnv } from "../../auth/index.js";
+import type { AdminAuditLogger } from "./admin-audit-helper.js";
+import { safeAuditLog } from "./admin-audit-helper.js";
+
+/** Minimal interface for admin notes storage — implemented by concrete stores. */
+export interface IAdminNotesRepository {
+  create(input: { tenantId: string; authorId: string; content: string; isPinned: boolean }): Promise<{ id: string }>;
+  list(filters: { tenantId: string; limit?: number; offset?: number }): Promise<{ entries: unknown[]; total: number }>;
+  update(
+    noteId: string,
+    tenantId: string,
+    updates: { content?: string; isPinned?: boolean },
+  ): Promise<{ id: string } | null>;
+  delete(noteId: string, tenantId: string): Promise<boolean>;
+}
+
+function parseIntParam(value: string | undefined): number | undefined {
+  if (value == null) return undefined;
+  const n = Number(value);
+  return Number.isFinite(n) ? n : undefined;
+}
+
+/**
+ * Create admin notes API routes.
+ * Pass a store factory and optional audit logger for DI.
+ */
+export function createAdminNotesApiRoutes(
+  storeFactory: () => IAdminNotesRepository,
+  auditLogger?: () => AdminAuditLogger,
+): Hono<AuthEnv> {
+  const routes = new Hono<AuthEnv>();
+
+  // GET /:tenantId -- list notes
+  routes.get("/:tenantId", async (c) => {
+    const store = storeFactory();
+    const tenantId = c.req.param("tenantId");
+    const filters = {
+      tenantId,
+      limit: parseIntParam(c.req.query("limit")),
+      offset: parseIntParam(c.req.query("offset")),
+    };
+    try {
+      const result = await store.list(filters);
+      return c.json(result);
+    } catch {
+      return c.json({ error: "Internal server error" }, 500);
+    }
+  });
+
+  // POST /:tenantId -- create note
+  routes.post("/:tenantId", async (c) => {
+    const store = storeFactory();
+    const tenantId = c.req.param("tenantId");
+    let body: Record<string, unknown>;
+    try {
+      body = (await c.req.json()) as Record<string, unknown>;
+    } catch {
+      return c.json({ error: "Invalid JSON body" }, 400);
+    }
+    const content = body.content;
+    if (typeof content !== "string" || !content.trim()) {
+      return c.json({ error: "content is required and must be non-empty" }, 400);
+    }
+    try {
+      const user = c.get("user");
+      const note = await store.create({
+        tenantId,
+        authorId: user?.id ?? "unknown",
+        content,
+        isPinned: body.isPinned === true,
+      });
+      safeAuditLog(auditLogger, {
+        adminUser: user?.id ?? "unknown",
+        action: "note.create",
+        category: "support",
+        targetTenant: tenantId,
+        details: { noteId: note.id },
+        outcome: "success",
+      });
+      return c.json(note, 201);
+    } catch (err) {
+      return c.json({ error: err instanceof Error ? err.message : "Internal server error" }, 500);
+    }
+  });
+
+  // PATCH /:tenantId/:noteId -- update note
+  routes.patch("/:tenantId/:noteId", async (c) => {
+    const store = storeFactory();
+    const tenantId = c.req.param("tenantId");
+    const noteId = c.req.param("noteId");
+    let body: Record<string, unknown>;
+    try {
+      body = (await c.req.json()) as Record<string, unknown>;
+    } catch {
+      return c.json({ error: "Invalid JSON body" }, 400);
+    }
+    const updates: { content?: string; isPinned?: boolean } = {};
+    if (typeof body.content === "string") updates.content = body.content;
+    if (typeof body.isPinned === "boolean") updates.isPinned = body.isPinned;
+    try {
+      const note = await store.update(noteId, tenantId, updates);
+      if (note === null) {
+        return c.json({ error: "Forbidden" }, 403);
+      }
+      const user = c.get("user");
+      safeAuditLog(auditLogger, {
+        adminUser: user?.id ?? "unknown",
+        action: "note.update",
+        category: "support",
+        targetTenant: tenantId,
+        details: { noteId, hasContentChange: !!updates.content, hasPinChange: updates.isPinned !== undefined },
+        outcome: "success",
+      });
+      return c.json(note);
+    } catch (err) {
+      return c.json({ error: err instanceof Error ? err.message : "Internal server error" }, 500);
+    }
+  });
+
+  // DELETE /:tenantId/:noteId -- delete note
+  routes.delete("/:tenantId/:noteId", async (c) => {
+    const store = storeFactory();
+    const tenantId = c.req.param("tenantId");
+    const noteId = c.req.param("noteId");
+    try {
+      const deleted = await store.delete(noteId, tenantId);
+      if (!deleted) return c.json({ error: "Forbidden" }, 403);
+      const user = c.get("user");
+      safeAuditLog(auditLogger, {
+        adminUser: user?.id ?? "unknown",
+        action: "note.delete",
+        category: "support",
+        targetTenant: tenantId,
+        details: { noteId },
+        outcome: "success",
+      });
+      return c.json({ ok: true });
+    } catch {
+      return c.json({ error: "Internal server error" }, 500);
+    }
+  });
+
+  return routes;
+}

package/src/api/routes/admin-onboarding.ts

@@ -0,0 +1,62 @@
+import { Hono } from "hono";
+import type { AuthEnv } from "../../auth/index.js";
+import type { IOnboardingScriptRepository } from "../../onboarding/drizzle-onboarding-script-repository.js";
+import type { AdminAuditLogger } from "./admin-audit-helper.js";
+import { safeAuditLog } from "./admin-audit-helper.js";
+
+type RepoFactory = () => IOnboardingScriptRepository;
+
+export function createAdminOnboardingRoutes(getRepo: RepoFactory, auditLogger?: () => AdminAuditLogger): Hono<AuthEnv> {
+  const routes = new Hono<AuthEnv>();
+
+  routes.get("/current", async (c) => {
+    const repo = getRepo();
+    const script = await repo.findCurrent();
+    if (!script) {
+      return c.json({ error: "No onboarding script found" }, 404);
+    }
+    return c.json(script);
+  });
+
+  routes.get("/history", async (c) => {
+    const repo = getRepo();
+    const limitParam = c.req.query("limit");
+    const limit = limitParam ? Math.min(50, Math.max(1, Number(limitParam) || 10)) : 10;
+    const history = await repo.findHistory(limit);
+    return c.json(history);
+  });
+
+  routes.post("/", async (c) => {
+    const repo = getRepo();
+    let body: Record<string, unknown>;
+    try {
+      body = (await c.req.json()) as Record<string, unknown>;
+    } catch {
+      return c.json({ error: "Invalid JSON body" }, 400);
+    }
+
+    const content = body.content;
+    if (typeof content !== "string" || !content.trim()) {
+      return c.json({ error: "content is required and must be non-empty" }, 400);
+    }
+
+    const user = c.get("user");
+    const adminUser = (user as { id?: string } | undefined)?.id ?? "unknown";
+    const script = await repo.insert({
+      content,
+      updatedBy: adminUser !== "unknown" ? adminUser : null,
+    });
+
+    safeAuditLog(auditLogger, {
+      adminUser,
+      action: "onboarding.script_updated",
+      category: "config",
+      details: { version: script.version },
+      outcome: "success",
+    });
+
+    return c.json(script, 201);
+  });
+
+  return routes;
+}

package/src/api/routes/admin-rates.ts

@@ -0,0 +1,462 @@
+import { Hono } from "hono";
+import type { ProviderCostInput, RateStore, SellRateInput } from "../../admin/rates/rate-store.js";
+import type { AuthEnv } from "../../auth/index.js";
+import type { AdminAuditLogger } from "./admin-audit-helper.js";
+import { safeAuditLog } from "./admin-audit-helper.js";
+
+function parseBooleanParam(value: string | undefined): boolean | undefined {
+  if (value === "true") return true;
+  if (value === "false") return false;
+  return undefined;
+}
+
+/**
+ * Create admin rate API routes.
+ * Pass a store factory and optional audit logger for DI.
+ */
+export function createAdminRateApiRoutes(
+  storeFactory: () => RateStore,
+  auditLogger?: () => AdminAuditLogger,
+): Hono<AuthEnv> {
+  const routes = new Hono<AuthEnv>();
+
+  // ── Combined List ──
+
+  routes.get("/", async (c) => {
+    const store = storeFactory();
+    const capability = c.req.query("capability");
+    const active = parseBooleanParam(c.req.query("active"));
+
+    try {
+      const [sellRates, providerCosts] = await Promise.all([
+        store.listSellRates({ capability, isActive: active }),
+        store.listProviderCosts({ capability, isActive: active }),
+      ]);
+
+      return c.json({
+        sell_rates: sellRates.entries,
+        provider_costs: providerCosts.entries,
+        total_sell_rates: sellRates.total,
+        total_provider_costs: providerCosts.total,
+      });
+    } catch {
+      return c.json({ error: "Internal server error" }, 500);
+    }
+  });
+
+  // ── Sell Rates ──
+
+  routes.post("/sell", async (c) => {
+    const store = storeFactory();
+
+    let body: Record<string, unknown>;
+    try {
+      body = (await c.req.json()) as Record<string, unknown>;
+    } catch {
+      return c.json({ error: "Invalid JSON body" }, 400);
+    }
+
+    const { capability, displayName, unit, priceUsd, model, isActive, sortOrder } = body;
+
+    if (typeof capability !== "string" || !capability.trim()) {
+      return c.json({ error: "capability is required and must be non-empty" }, 400);
+    }
+
+    if (typeof displayName !== "string" || !displayName.trim()) {
+      return c.json({ error: "displayName is required and must be non-empty" }, 400);
+    }
+
+    if (typeof unit !== "string" || !unit.trim()) {
+      return c.json({ error: "unit is required and must be non-empty" }, 400);
+    }
+
+    if (typeof priceUsd !== "number" || priceUsd <= 0) {
+      return c.json({ error: "priceUsd must be a positive number" }, 400);
+    }
+
+    if (model !== undefined && typeof model !== "string") {
+      return c.json({ error: "model must be a string if provided" }, 400);
+    }
+
+    if (isActive !== undefined && typeof isActive !== "boolean") {
+      return c.json({ error: "isActive must be a boolean if provided" }, 400);
+    }
+
+    if (sortOrder !== undefined && (typeof sortOrder !== "number" || !Number.isInteger(sortOrder))) {
+      return c.json({ error: "sortOrder must be an integer if provided" }, 400);
+    }
+
+    try {
+      const adminUser = (c.get("user") as { id?: string } | undefined)?.id ?? "unknown";
+      const input: SellRateInput = {
+        capability,
+        displayName,
+        unit,
+        priceUsd,
+        model: model as string | undefined,
+        isActive: isActive as boolean | undefined,
+        sortOrder: sortOrder as number | undefined,
+      };
+      let result: Awaited<ReturnType<typeof store.createSellRate>>;
+      try {
+        result = await store.createSellRate(input);
+      } catch (err) {
+        safeAuditLog(auditLogger, {
+          adminUser,
+          action: "rates.createSellRate",
+          category: "config",
+          details: { ...input, error: String(err) },
+          outcome: "failure",
+        });
+        throw err;
+      }
+      safeAuditLog(auditLogger, {
+        adminUser,
+        action: "rates.createSellRate",
+        category: "config",
+        details: { ...input },
+        outcome: "success",
+      });
+      return c.json(result, 201);
+    } catch (err) {
+      return c.json({ error: err instanceof Error ? err.message : "Internal server error" }, 500);
+    }
+  });
+
+  routes.put("/sell/:id", async (c) => {
+    const store = storeFactory();
+    const id = c.req.param("id");
+
+    let body: Record<string, unknown>;
+    try {
+      body = (await c.req.json()) as Record<string, unknown>;
+    } catch {
+      return c.json({ error: "Invalid JSON body" }, 400);
+    }
+
+    const { capability, displayName, unit, priceUsd, model, isActive, sortOrder } = body;
+
+    if (capability !== undefined && (typeof capability !== "string" || !capability.trim())) {
+      return c.json({ error: "capability must be non-empty if provided" }, 400);
+    }
+
+    if (displayName !== undefined && (typeof displayName !== "string" || !displayName.trim())) {
+      return c.json({ error: "displayName must be non-empty if provided" }, 400);
+    }
+
+    if (unit !== undefined && (typeof unit !== "string" || !unit.trim())) {
+      return c.json({ error: "unit must be non-empty if provided" }, 400);
+    }
+
+    if (priceUsd !== undefined && (typeof priceUsd !== "number" || priceUsd <= 0)) {
+      return c.json({ error: "priceUsd must be a positive number if provided" }, 400);
+    }
+
+    if (model !== undefined && model !== null && typeof model !== "string") {
+      return c.json({ error: "model must be a string or null if provided" }, 400);
+    }
+
+    if (isActive !== undefined && typeof isActive !== "boolean") {
+      return c.json({ error: "isActive must be a boolean if provided" }, 400);
+    }
+
+    if (sortOrder !== undefined && (typeof sortOrder !== "number" || !Number.isInteger(sortOrder))) {
+      return c.json({ error: "sortOrder must be an integer if provided" }, 400);
+    }
+
+    try {
+      const adminUser = (c.get("user") as { id?: string } | undefined)?.id ?? "unknown";
+      const input: Partial<SellRateInput> = {};
+      if (capability !== undefined) input.capability = capability as string;
+      if (displayName !== undefined) input.displayName = displayName as string;
+      if (unit !== undefined) input.unit = unit as string;
+      if (priceUsd !== undefined) input.priceUsd = priceUsd as number;
+      if ("model" in body) input.model = model as string | undefined;
+      if (isActive !== undefined) input.isActive = isActive as boolean;
+      if (sortOrder !== undefined) input.sortOrder = sortOrder as number;
+
+      let result: Awaited<ReturnType<typeof store.updateSellRate>>;
+      try {
+        result = await store.updateSellRate(id, input);
+      } catch (err) {
+        safeAuditLog(auditLogger, {
+          adminUser,
+          action: "rates.updateSellRate",
+          category: "config",
+          details: { id, ...input, error: String(err) },
+          outcome: "failure",
+        });
+        throw err;
+      }
+      safeAuditLog(auditLogger, {
+        adminUser,
+        action: "rates.updateSellRate",
+        category: "config",
+        details: { id, ...input },
+        outcome: "success",
+      });
+      return c.json(result, 200);
+    } catch (err) {
+      if (err instanceof Error && err.message.includes("not found")) {
+        return c.json({ error: err.message }, 404);
+      }
+      return c.json({ error: err instanceof Error ? err.message : "Internal server error" }, 500);
+    }
+  });
+
+  routes.delete("/sell/:id", async (c) => {
+    const store = storeFactory();
+    const id = c.req.param("id");
+
+    try {
+      const adminUser = (c.get("user") as { id?: string } | undefined)?.id ?? "unknown";
+      let deleted: boolean;
+      try {
+        deleted = await store.deleteSellRate(id);
+      } catch (err) {
+        safeAuditLog(auditLogger, {
+          adminUser,
+          action: "rates.deleteSellRate",
+          category: "config",
+          details: { id, error: String(err) },
+          outcome: "failure",
+        });
+        throw err;
+      }
+      if (deleted) {
+        safeAuditLog(auditLogger, {
+          adminUser,
+          action: "rates.deleteSellRate",
+          category: "config",
+          details: { id },
+          outcome: "success",
+        });
+        return c.json({ success: true }, 200);
+      }
+      return c.json({ error: "Sell rate not found" }, 404);
+    } catch {
+      return c.json({ error: "Internal server error" }, 500);
+    }
+  });
+
+  // ── Provider Costs ──
+
+  routes.post("/provider", async (c) => {
+    const store = storeFactory();
+
+    let body: Record<string, unknown>;
+    try {
+      body = (await c.req.json()) as Record<string, unknown>;
+    } catch {
+      return c.json({ error: "Invalid JSON body" }, 400);
+    }
+
+    const { capability, adapter, model, unit, costUsd, priority, latencyClass, isActive } = body;
+
+    if (typeof capability !== "string" || !capability.trim()) {
+      return c.json({ error: "capability is required and must be non-empty" }, 400);
+    }
+
+    if (typeof adapter !== "string" || !adapter.trim()) {
+      return c.json({ error: "adapter is required and must be non-empty" }, 400);
+    }
+
+    if (typeof unit !== "string" || !unit.trim()) {
+      return c.json({ error: "unit is required and must be non-empty" }, 400);
+    }
+
+    if (typeof costUsd !== "number" || costUsd <= 0) {
+      return c.json({ error: "costUsd must be a positive number" }, 400);
+    }
+
+    if (model !== undefined && typeof model !== "string") {
+      return c.json({ error: "model must be a string if provided" }, 400);
+    }
+
+    if (priority !== undefined && (typeof priority !== "number" || !Number.isInteger(priority))) {
+      return c.json({ error: "priority must be an integer if provided" }, 400);
+    }
+
+    if (latencyClass !== undefined && typeof latencyClass !== "string") {
+      return c.json({ error: "latencyClass must be a string if provided" }, 400);
+    }
+
+    if (isActive !== undefined && typeof isActive !== "boolean") {
+      return c.json({ error: "isActive must be a boolean if provided" }, 400);
+    }
+
+    try {
+      const adminUser = (c.get("user") as { id?: string } | undefined)?.id ?? "unknown";
+      const input: ProviderCostInput = {
+        capability,
+        adapter,
+        unit,
+        costUsd,
+        model: model as string | undefined,
+        priority: priority as number | undefined,
+        latencyClass: latencyClass as string | undefined,
+        isActive: isActive as boolean | undefined,
+      };
+      let result: Awaited<ReturnType<typeof store.createProviderCost>>;
+      try {
+        result = await store.createProviderCost(input);
+      } catch (err) {
+        safeAuditLog(auditLogger, {
+          adminUser,
+          action: "rates.createProviderCost",
+          category: "config",
+          details: { ...input, error: String(err) },
+          outcome: "failure",
+        });
+        throw err;
+      }
+      safeAuditLog(auditLogger, {
+        adminUser,
+        action: "rates.createProviderCost",
+        category: "config",
+        details: { ...input },
+        outcome: "success",
+      });
+      return c.json(result, 201);
+    } catch (err) {
+      return c.json({ error: err instanceof Error ? err.message : "Internal server error" }, 500);
+    }
+  });
+
+  routes.put("/provider/:id", async (c) => {
+    const store = storeFactory();
+    const id = c.req.param("id");
+
+    let body: Record<string, unknown>;
+    try {
+      body = (await c.req.json()) as Record<string, unknown>;
+    } catch {
+      return c.json({ error: "Invalid JSON body" }, 400);
+    }
+
+    const { capability, adapter, model, unit, costUsd, priority, latencyClass, isActive } = body;
+
+    if (capability !== undefined && (typeof capability !== "string" || !capability.trim())) {
+      return c.json({ error: "capability must be non-empty if provided" }, 400);
+    }
+
+    if (adapter !== undefined && (typeof adapter !== "string" || !adapter.trim())) {
+      return c.json({ error: "adapter must be non-empty if provided" }, 400);
+    }
+
+    if (unit !== undefined && (typeof unit !== "string" || !unit.trim())) {
+      return c.json({ error: "unit must be non-empty if provided" }, 400);
+    }
+
+    if (costUsd !== undefined && (typeof costUsd !== "number" || costUsd <= 0)) {
+      return c.json({ error: "costUsd must be a positive number if provided" }, 400);
+    }
+
+    if (model !== undefined && model !== null && typeof model !== "string") {
+      return c.json({ error: "model must be a string or null if provided" }, 400);
+    }
+
+    if (priority !== undefined && (typeof priority !== "number" || !Number.isInteger(priority))) {
+      return c.json({ error: "priority must be an integer if provided" }, 400);
+    }
+
+    if (latencyClass !== undefined && typeof latencyClass !== "string") {
+      return c.json({ error: "latencyClass must be a string if provided" }, 400);
+    }
+
+    if (isActive !== undefined && typeof isActive !== "boolean") {
+      return c.json({ error: "isActive must be a boolean if provided" }, 400);
+    }
+
+    try {
+      const adminUser = (c.get("user") as { id?: string } | undefined)?.id ?? "unknown";
+      const input: Partial<ProviderCostInput> = {};
+      if (capability !== undefined) input.capability = capability as string;
+      if (adapter !== undefined) input.adapter = adapter as string;
+      if (unit !== undefined) input.unit = unit as string;
+      if (costUsd !== undefined) input.costUsd = costUsd as number;
+      if ("model" in body) input.model = model as string | undefined;
+      if (priority !== undefined) input.priority = priority as number;
+      if (latencyClass !== undefined) input.latencyClass = latencyClass as string;
+      if (isActive !== undefined) input.isActive = isActive as boolean;
+
+      let result: Awaited<ReturnType<typeof store.updateProviderCost>>;
+      try {
+        result = await store.updateProviderCost(id, input);
+      } catch (err) {
+        safeAuditLog(auditLogger, {
+          adminUser,
+          action: "rates.updateProviderCost",
+          category: "config",
+          details: { id, ...input, error: String(err) },
+          outcome: "failure",
+        });
+        throw err;
+      }
+      safeAuditLog(auditLogger, {
+        adminUser,
+        action: "rates.updateProviderCost",
+        category: "config",
+        details: { id, ...input },
+        outcome: "success",
+      });
+      return c.json(result, 200);
+    } catch (err) {
+      if (err instanceof Error && err.message.includes("not found")) {
+        return c.json({ error: err.message }, 404);
+      }
+      return c.json({ error: err instanceof Error ? err.message : "Internal server error" }, 500);
+    }
+  });
+
+  routes.delete("/provider/:id", async (c) => {
+    const store = storeFactory();
+    const id = c.req.param("id");
+
+    try {
+      const adminUser = (c.get("user") as { id?: string } | undefined)?.id ?? "unknown";
+      let deleted: boolean;
+      try {
+        deleted = await store.deleteProviderCost(id);
+      } catch (err) {
+        safeAuditLog(auditLogger, {
+          adminUser,
+          action: "rates.deleteProviderCost",
+          category: "config",
+          details: { id, error: String(err) },
+          outcome: "failure",
+        });
+        throw err;
+      }
+      if (deleted) {
+        safeAuditLog(auditLogger, {
+          adminUser,
+          action: "rates.deleteProviderCost",
+          category: "config",
+          details: { id },
+          outcome: "success",
+        });
+        return c.json({ success: true }, 200);
+      }
+      return c.json({ error: "Provider cost not found" }, 404);
+    } catch {
+      return c.json({ error: "Internal server error" }, 500);
+    }
+  });
+
+  // ── Margin Report ──
+
+  routes.get("/margins", async (c) => {
+    const store = storeFactory();
+    const capability = c.req.query("capability");
+
+    try {
+      const report = await store.getMarginReport(capability);
+      return c.json({ margins: report });
+    } catch {
+      return c.json({ error: "Internal server error" }, 500);
+    }
+  });
+
+  return routes;
+}