@wopr-network/platform-core 1.13.0 → 1.13.2

package/dist/api/routes/secrets.js

@@ -0,0 +1,135 @@
+import { Hono } from "hono";
+import { validateTenantOwnership } from "../../auth/index.js";
+import { decrypt as defaultDecrypt, deriveInstanceKey as defaultDeriveInstanceKey } from "../../security/encryption.js";
+import { forwardSecretsToInstance as defaultForwardSecrets, writeEncryptedSeed as defaultWriteSeed, } from "../../security/key-injection.js";
+import { validateProviderKey as defaultValidateKey } from "../../security/key-validation.js";
+import { validateKeyRequestSchema, writeSecretsRequestSchema } from "../../security/types.js";
+/** Allowlist: only alphanumeric, hyphens, and underscores. */
+const INSTANCE_ID_RE = /^[a-zA-Z0-9_-]+$/;
+function isValidInstanceId(id) {
+    return INSTANCE_ID_RE.test(id);
+}
+/**
+ * Create secrets management routes.
+ *
+ * @param deps - Dependencies for secret operations
+ */
+export function createSecretsRoutes(deps) {
+    const routes = new Hono();
+    const instanceDataDir = deps.instanceDataDir ?? "/data/instances";
+    // Resolve security functions with defaults
+    const decryptFn = deps.security?.decrypt ?? defaultDecrypt;
+    const deriveInstanceKeyFn = deps.security?.deriveInstanceKey ?? defaultDeriveInstanceKey;
+    const writeEncryptedSeedFn = deps.security?.writeEncryptedSeed ?? defaultWriteSeed;
+    const forwardSecretsFn = deps.security?.forwardSecretsToInstance ?? defaultForwardSecrets;
+    const validateKeyFn = deps.security?.validateProviderKey ?? defaultValidateKey;
+    /**
+     * PUT /instances/:id/config/secrets
+     *
+     * Writes secrets to a running instance by forwarding the body opaquely,
+     * or writes an encrypted seed file if the instance is not running.
+     */
+    routes.put("/instances/:id/config/secrets", async (c) => {
+        const instanceId = c.req.param("id");
+        if (!isValidInstanceId(instanceId)) {
+            return c.json({ error: "Invalid instance ID" }, 400);
+        }
+        // Validate tenant ownership of the instance
+        const tenantId = await deps.profileLookup.getInstanceTenantId(instanceId);
+        const ownershipError = validateTenantOwnership(c, instanceId, tenantId);
+        if (ownershipError) {
+            return ownershipError;
+        }
+        const mode = c.req.query("mode") || "proxy";
+        if (mode === "seed") {
+            // Pre-boot: parse body to encrypt, then discard plaintext
+            let body;
+            try {
+                body = await c.req.json();
+            }
+            catch {
+                return c.json({ error: "Invalid JSON body" }, 400);
+            }
+            const parsed = writeSecretsRequestSchema.safeParse(body);
+            if (!parsed.success) {
+                return c.json({ error: "Validation failed", details: parsed.error.flatten() }, 400);
+            }
+            if (!deps.platformSecret) {
+                return c.json({ error: "Platform secret not configured" }, 500);
+            }
+            try {
+                const instanceKey = deriveInstanceKeyFn(instanceId, deps.platformSecret);
+                const woprHome = `${instanceDataDir}/${instanceId}`;
+                await writeEncryptedSeedFn(woprHome, parsed.data, instanceKey);
+                return c.json({ ok: true, mode: "seed" });
+            }
+            catch (err) {
+                const message = err instanceof Error ? err.message : "Failed to write seed";
+                deps.logger?.error("Failed to write encrypted seed", { instanceId, error: message });
+                return c.json({ error: "Failed to write encrypted seed" }, 500);
+            }
+        }
+        // Default: proxy mode — forward body opaquely to the instance container
+        const rawBody = await c.req.text();
+        const instanceUrl = `http://wopr-${instanceId}:3000`;
+        const authHeader = c.req.header("Authorization") || "";
+        const sessionToken = authHeader.replace(/^Bearer\s+/i, "");
+        const result = await forwardSecretsFn(instanceUrl, sessionToken, rawBody);
+        if (result.ok) {
+            return c.json({ ok: true, mode: "proxy" });
+        }
+        const status = result.status === 502 ? 502 : result.status === 503 ? 503 : result.status === 404 ? 404 : 500;
+        return c.json({ error: result.error || "Proxy failed" }, status);
+    });
+    /**
+     * POST /validate-key
+     *
+     * Validates a provider API key without logging or persisting it.
+     */
+    routes.post("/validate-key", async (c) => {
+        let body;
+        try {
+            body = await c.req.json();
+        }
+        catch {
+            return c.json({ error: "Invalid JSON body" }, 400);
+        }
+        const parsed = validateKeyRequestSchema.safeParse(body);
+        if (!parsed.success) {
+            return c.json({ error: "Validation failed", details: parsed.error.flatten() }, 400);
+        }
+        const { provider, encryptedKey } = parsed.data;
+        // Decrypt the key in memory
+        let plaintextKey;
+        try {
+            const encryptedPayload = JSON.parse(encryptedKey);
+            const instanceId = c.req.query("instanceId");
+            if (!instanceId) {
+                return c.json({ error: "instanceId query parameter required" }, 400);
+            }
+            if (!isValidInstanceId(instanceId)) {
+                return c.json({ error: "Invalid instance ID" }, 400);
+            }
+            // Validate tenant ownership of the instance
+            const tenantId = await deps.profileLookup.getInstanceTenantId(instanceId);
+            const ownershipError = validateTenantOwnership(c, instanceId, tenantId);
+            if (ownershipError) {
+                return ownershipError;
+            }
+            if (!deps.platformSecret) {
+                return c.json({ error: "Platform secret not configured" }, 500);
+            }
+            const instanceKey = deriveInstanceKeyFn(instanceId, deps.platformSecret);
+            plaintextKey = decryptFn(encryptedPayload, instanceKey);
+        }
+        catch {
+            return c.json({ error: "Failed to decrypt key payload" }, 400);
+        }
+        // Validate against the provider API
+        const result = await validateKeyFn(provider, plaintextKey);
+        // Explicitly discard the key reference
+        plaintextKey = "";
+        return c.json({ valid: result.valid, error: result.error });
+    });
+    return routes;
+}

package/dist/api/routes/tenant-keys.d.ts

@@ -0,0 +1,16 @@
+import { Hono } from "hono";
+import type { ITenantKeyRepository } from "../../security/tenant-keys/tenant-key-repository.js";
+export interface TenantKeyDeps {
+    repo: () => ITenantKeyRepository;
+    /** Platform secret for key derivation. If not provided, encrypt operations will fail with 500. */
+    platformSecret?: string;
+    logger?: {
+        warn(msg: string): void;
+    };
+}
+/**
+ * Create tenant key management routes.
+ *
+ * @param deps - Dependencies for tenant key operations
+ */
+export declare function createTenantKeyRoutes(deps: TenantKeyDeps): Hono;

package/dist/api/routes/tenant-keys.js

@@ -0,0 +1,142 @@
+import { createHmac } from "node:crypto";
+import { Hono } from "hono";
+import { z } from "zod";
+import { encrypt } from "../../security/encryption.js";
+import { providerSchema } from "../../security/types.js";
+// ---------------------------------------------------------------------------
+// Request schemas
+// ---------------------------------------------------------------------------
+const storeKeySchema = z.object({
+    provider: providerSchema,
+    apiKey: z.string().min(1, "API key is required"),
+    label: z.string().max(100).optional(),
+});
+/** Derive a per-tenant encryption key from tenant ID and platform secret. */
+function deriveTenantKey(tenantId, platformSecret) {
+    return createHmac("sha256", platformSecret).update(`tenant:${tenantId}`).digest();
+}
+/**
+ * Create tenant key management routes.
+ *
+ * @param deps - Dependencies for tenant key operations
+ */
+export function createTenantKeyRoutes(deps) {
+    const routes = new Hono();
+    /**
+     * GET /
+     *
+     * List all API keys for the authenticated tenant.
+     * Returns metadata only (never the encrypted key material).
+     */
+    routes.get("/", async (c) => {
+        const tenantId = getTenantId(c);
+        if (!tenantId) {
+            return c.json({ error: "Tenant context required" }, 400);
+        }
+        const keys = await deps.repo().listForTenant(tenantId);
+        return c.json({ keys });
+    });
+    /**
+     * GET /:provider
+     *
+     * Check whether the tenant has a stored key for a specific provider.
+     * Returns metadata only.
+     */
+    routes.get("/:provider", async (c) => {
+        const tenantId = getTenantId(c);
+        if (!tenantId) {
+            return c.json({ error: "Tenant context required" }, 400);
+        }
+        const provider = c.req.param("provider");
+        const parsed = providerSchema.safeParse(provider);
+        if (!parsed.success) {
+            return c.json({ error: "Invalid provider" }, 400);
+        }
+        const record = await deps.repo().get(tenantId, parsed.data);
+        if (!record) {
+            return c.json({ error: "No key stored for this provider" }, 404);
+        }
+        // Return metadata only, never the encrypted key
+        return c.json({
+            id: record.id,
+            tenant_id: record.tenant_id,
+            provider: record.provider,
+            label: record.label,
+            created_at: record.created_at,
+            updated_at: record.updated_at,
+        });
+    });
+    /**
+     * PUT /:provider
+     *
+     * Store or replace a tenant's API key for a provider.
+     * The key is encrypted at rest using AES-256-GCM with a tenant-derived key.
+     */
+    routes.put("/:provider", async (c) => {
+        const tenantId = getTenantId(c);
+        if (!tenantId) {
+            return c.json({ error: "Tenant context required" }, 400);
+        }
+        const provider = c.req.param("provider");
+        const providerParsed = providerSchema.safeParse(provider);
+        if (!providerParsed.success) {
+            return c.json({ error: "Invalid provider" }, 400);
+        }
+        let body;
+        try {
+            body = await c.req.json();
+        }
+        catch {
+            return c.json({ error: "Invalid JSON body" }, 400);
+        }
+        const parsed = storeKeySchema.safeParse(body);
+        if (!parsed.success) {
+            return c.json({ error: "Validation failed", details: parsed.error.flatten() }, 400);
+        }
+        if (parsed.data.provider !== providerParsed.data) {
+            return c.json({ error: "Provider in body must match URL parameter" }, 400);
+        }
+        if (!deps.platformSecret) {
+            return c.json({ error: "Platform secret not configured" }, 500);
+        }
+        // Encrypt the key in memory, then discard the plaintext
+        const tenantKey = deriveTenantKey(tenantId, deps.platformSecret);
+        const encryptedPayload = encrypt(parsed.data.apiKey, tenantKey);
+        const id = await deps.repo().upsert(tenantId, providerParsed.data, encryptedPayload, parsed.data.label ?? "");
+        return c.json({ ok: true, id, provider: providerParsed.data });
+    });
+    /**
+     * DELETE /:provider
+     *
+     * Delete a tenant's stored API key for a provider.
+     */
+    routes.delete("/:provider", async (c) => {
+        const tenantId = getTenantId(c);
+        if (!tenantId) {
+            return c.json({ error: "Tenant context required" }, 400);
+        }
+        const provider = c.req.param("provider");
+        const parsed = providerSchema.safeParse(provider);
+        if (!parsed.success) {
+            return c.json({ error: "Invalid provider" }, 400);
+        }
+        const deleted = await deps.repo().delete(tenantId, parsed.data);
+        if (!deleted) {
+            return c.json({ error: "No key stored for this provider" }, 404);
+        }
+        return c.json({ ok: true, provider: parsed.data });
+    });
+    return routes;
+}
+// ---------------------------------------------------------------------------
+// Helpers
+// ---------------------------------------------------------------------------
+/** Extract the tenant ID from the auth context. */
+function getTenantId(c) {
+    try {
+        return c.get("tokenTenantId");
+    }
+    catch {
+        return undefined;
+    }
+}

package/dist/api/routes/verify-email.d.ts

@@ -0,0 +1,19 @@
+import { Hono } from "hono";
+import type { Pool } from "pg";
+import type { ICreditLedger } from "../../credits/index.js";
+export interface VerifyEmailRouteDeps {
+    pool: Pool;
+    creditLedger: ICreditLedger;
+}
+export interface VerifyEmailRouteConfig {
+    /** UI origin for redirect URLs (default: http://localhost:3001) */
+    uiOrigin?: string;
+}
+/**
+ * Create verify-email routes with explicit dependencies (for testing).
+ */
+export declare function createVerifyEmailRoutes(deps: VerifyEmailRouteDeps, config?: VerifyEmailRouteConfig): Hono;
+/**
+ * Create verify-email routes with factory functions (for lazy init).
+ */
+export declare function createVerifyEmailRoutesLazy(poolFactory: () => Pool, creditLedgerFactory: () => ICreditLedger, config?: VerifyEmailRouteConfig): Hono;

package/dist/api/routes/verify-email.js

@@ -0,0 +1,70 @@
+import { Hono } from "hono";
+import { logger } from "../../config/logger.js";
+import { grantSignupCredits } from "../../credits/index.js";
+import { getEmailClient } from "../../email/client.js";
+import { verifyToken, welcomeTemplate } from "../../email/index.js";
+/**
+ * Create verify-email routes with explicit dependencies (for testing).
+ */
+export function createVerifyEmailRoutes(deps, config) {
+    return buildRoutes(() => deps.pool, () => deps.creditLedger, config);
+}
+/**
+ * Create verify-email routes with factory functions (for lazy init).
+ */
+export function createVerifyEmailRoutesLazy(poolFactory, creditLedgerFactory, config) {
+    return buildRoutes(poolFactory, creditLedgerFactory, config);
+}
+function buildRoutes(poolFactory, creditLedgerFactory, config) {
+    const uiOrigin = config?.uiOrigin ?? process.env.UI_ORIGIN ?? "http://localhost:3001";
+    const routes = new Hono();
+    routes.get("/verify", async (c) => {
+        const token = c.req.query("token");
+        if (!token) {
+            return c.redirect(`${uiOrigin}/auth/verify?status=error&reason=missing_token`);
+        }
+        const pool = poolFactory();
+        const result = await verifyToken(pool, token);
+        if (!result) {
+            return c.redirect(`${uiOrigin}/auth/verify?status=error&reason=invalid_or_expired`);
+        }
+        // Grant $5 signup credit (idempotent — safe on link re-click)
+        try {
+            const ledger = creditLedgerFactory();
+            const granted = await grantSignupCredits(ledger, result.userId);
+            if (granted) {
+                logger.info("Signup credit granted", { userId: result.userId });
+            }
+            else {
+                logger.info("Signup credit already granted, skipping", { userId: result.userId });
+            }
+        }
+        catch (err) {
+            logger.error("Failed to grant signup credit", {
+                userId: result.userId,
+                error: err instanceof Error ? err.message : String(err),
+            });
+            // Don't block verification if credit grant fails
+        }
+        // Send welcome email
+        try {
+            const emailClient = getEmailClient();
+            const template = welcomeTemplate(result.email);
+            await emailClient.send({
+                to: result.email,
+                ...template,
+                userId: result.userId,
+                templateName: "welcome",
+            });
+        }
+        catch (err) {
+            logger.error("Failed to send welcome email", {
+                userId: result.userId,
+                error: err instanceof Error ? err.message : String(err),
+            });
+            // Don't block verification if welcome email fails
+        }
+        return c.redirect(`${uiOrigin}/auth/verify?status=success`);
+    });
+    return routes;
+}

package/dist/api/routes/ws-auth.d.ts

@@ -0,0 +1,21 @@
+export interface WsAuthRequest {
+    nodeId: string;
+    authHeader: string | undefined;
+}
+export interface WsAuthResult {
+    authenticated: boolean;
+    nodeId?: string;
+    reason?: string;
+}
+export interface NodeSecretVerifier {
+    verifyNodeSecret(nodeId: string, secret: string): Promise<boolean | null>;
+}
+/**
+ * Authenticate a WebSocket upgrade request for a node agent connection.
+ *
+ * The bearer token resolves to a specific node via per-node persistent secret;
+ * the resolved nodeId must match the URL nodeId.
+ *
+ * @param verifier - object with verifyNodeSecret method (typically a node repository)
+ */
+export declare function authenticateWebSocketUpgrade(req: WsAuthRequest, verifier: NodeSecretVerifier): Promise<WsAuthResult>;

package/dist/api/routes/ws-auth.js

@@ -0,0 +1,24 @@
+/**
+ * Authenticate a WebSocket upgrade request for a node agent connection.
+ *
+ * The bearer token resolves to a specific node via per-node persistent secret;
+ * the resolved nodeId must match the URL nodeId.
+ *
+ * @param verifier - object with verifyNodeSecret method (typically a node repository)
+ */
+export async function authenticateWebSocketUpgrade(req, verifier) {
+    const { nodeId, authHeader } = req;
+    const bearer = authHeader?.replace(/^Bearer\s+/i, "");
+    // Per-node persistent secret — timing-safe comparison via verifyNodeSecret
+    if (bearer) {
+        const verified = await verifier.verifyNodeSecret(nodeId, bearer);
+        if (verified === true) {
+            return { authenticated: true, nodeId };
+        }
+    }
+    // No valid auth
+    if (!bearer) {
+        return { authenticated: false, reason: "unauthorized" };
+    }
+    return { authenticated: false, reason: "unauthorized" };
+}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@wopr-network/platform-core",
-  "version": "1.13.0",
+  "version": "1.13.2",
   "type": "module",
   "main": "dist/index.js",
   "types": "dist/index.d.ts",
@@ -21,6 +21,7 @@
     "./discovery": "./dist/discovery/index.js",
     "./email": "./dist/email/index.js",
     "./fleet": "./dist/fleet/index.js",
+    "./fleet/profile-store": "./dist/fleet/profile-store.js",
     "./gateway": "./dist/gateway/index.js",
     "./inference": "./dist/inference/index.js",
     "./marketplace": "./dist/marketplace/index.js",
@@ -36,6 +37,39 @@
     "./security": "./dist/security/index.js",
     "./setup": "./dist/setup/index.js",
     "./tenancy": "./dist/tenancy/index.js",
+    "./api/routes/audit": "./dist/api/routes/audit.js",
+    "./api/routes/auth": "./dist/api/routes/auth.js",
+    "./api/routes/health": "./dist/api/routes/health.js",
+    "./api/routes/login-history": "./dist/api/routes/login-history.js",
+    "./api/routes/admin-audit": "./dist/api/routes/admin-audit.js",
+    "./api/routes/admin-audit-helper": "./dist/api/routes/admin-audit-helper.js",
+    "./api/routes/admin-backups": "./dist/api/routes/admin-backups.js",
+    "./api/routes/admin-compliance": "./dist/api/routes/admin-compliance.js",
+    "./api/routes/admin-credits": "./dist/api/routes/admin-credits.js",
+    "./api/routes/admin-inference": "./dist/api/routes/admin-inference.js",
+    "./api/routes/admin-migration": "./dist/api/routes/admin-migration.js",
+    "./api/routes/admin-gpu": "./dist/api/routes/admin-gpu.js",
+    "./api/routes/admin-marketplace": "./dist/api/routes/admin-marketplace.js",
+    "./api/routes/admin-notes": "./dist/api/routes/admin-notes.js",
+    "./api/routes/admin-onboarding": "./dist/api/routes/admin-onboarding.js",
+    "./api/routes/admin-rates": "./dist/api/routes/admin-rates.js",
+    "./api/routes/admin-recovery": "./dist/api/routes/admin-recovery.js",
+    "./api/routes/admin-roles": "./dist/api/routes/admin-roles.js",
+    "./api/routes/activity": "./dist/api/routes/activity.js",
+    "./api/routes/channel-validate": "./dist/api/routes/channel-validate.js",
+    "./api/routes/friends-proxy": "./dist/api/routes/friends-proxy.js",
+    "./api/routes/friends-types": "./dist/api/routes/friends-types.js",
+    "./api/routes/incident-response": "./dist/api/routes/incident-response.js",
+    "./api/routes/internal-nodes": "./dist/api/routes/internal-nodes.js",
+    "./api/routes/quota": "./dist/api/routes/quota.js",
+    "./api/routes/secrets": "./dist/api/routes/secrets.js",
+    "./api/routes/tenant-keys": "./dist/api/routes/tenant-keys.js",
+    "./api/routes/fleet-events": "./dist/api/routes/fleet-events.js",
+    "./api/routes/internal-gpu": "./dist/api/routes/internal-gpu.js",
+    "./api/routes/public-pricing": "./dist/api/routes/public-pricing.js",
+    "./api/routes/secret-audit": "./dist/api/routes/secret-audit.js",
+    "./api/routes/verify-email": "./dist/api/routes/verify-email.js",
+    "./api/routes/ws-auth": "./dist/api/routes/ws-auth.js",
     "./trpc": "./dist/trpc/index.js",
     "./*": "./dist/*.js"
   },

package/src/api/routes/activity.ts

@@ -0,0 +1,77 @@
+import { Hono } from "hono";
+import { DrizzleAuditLogRepository } from "../../audit/audit-log-repository.js";
+import { queryAuditLog } from "../../audit/query.js";
+import type { AuditEnv } from "../../audit/types.js";
+import type { DrizzleDb } from "../../db/index.js";
+
+/**
+ * Create activity feed routes.
+ *
+ * @param dbFactory - Factory returning the audit DB instance
+ */
+export function createActivityRoutes(dbFactory: () => DrizzleDb): Hono<AuditEnv> {
+  const routes = new Hono<AuditEnv>();
+
+  /**
+   * GET /
+   *
+   * Returns recent activity events for the authenticated user.
+   * Query params:
+   *   - limit: max results (default 20, max 100)
+   */
+  routes.get("/", async (c) => {
+    const user = c.get("user");
+    if (!user) return c.json({ error: "Unauthorized" }, 401);
+
+    const limitRaw = c.req.query("limit");
+    const limit = Math.min(Math.max(1, limitRaw ? Number.parseInt(limitRaw, 10) : 20), 100);
+
+    const db = dbFactory();
+    const rows = await queryAuditLog(new DrizzleAuditLogRepository(db), { userId: user.id, limit });
+
+    const events = rows.map((row) => ({
+      id: row.id,
+      timestamp: new Date(row.timestamp).toISOString(),
+      actor: row.user_id,
+      action: formatAction(row.action),
+      target: row.resource_id ?? row.resource_type,
+      targetHref: buildTargetHref(row.resource_type, row.resource_id ?? null),
+    }));
+
+    return c.json(events);
+  });
+
+  return routes;
+}
+
+function formatAction(action: string): string {
+  const parts = action.split(".");
+  if (parts.length === 2) {
+    const [resource, verb] = parts;
+    const pastTense: Record<string, string> = {
+      start: "Started",
+      stop: "Stopped",
+      create: "Created",
+      delete: "Deleted",
+      update: "Updated",
+      restart: "Restarted",
+    };
+    return `${pastTense[verb] ?? verb} ${resource}`;
+  }
+  return action;
+}
+
+function buildTargetHref(resourceType: string, resourceId: string | null): string {
+  if (!resourceId) return "/dashboard";
+  switch (resourceType) {
+    case "instance":
+    case "bot":
+      return `/instances/${resourceId}`;
+    case "snapshot":
+      return `/instances/${resourceId}`;
+    case "key":
+      return "/settings";
+    default:
+      return "/dashboard";
+  }
+}

package/src/api/routes/admin-audit-helper.ts

@@ -0,0 +1,18 @@
+import type { AuditEntry } from "../../admin/audit-log.js";
+
+/** Minimal interface for admin audit logging in route factories. */
+export interface AdminAuditLogger {
+  log(entry: AuditEntry): void | Promise<unknown>;
+}
+
+/** Safely log an admin audit entry — never throws. */
+export function safeAuditLog(logger: (() => AdminAuditLogger) | undefined, entry: AuditEntry): void {
+  if (!logger) return;
+  try {
+    void Promise.resolve(logger().log(entry)).catch(() => {
+      /* audit must not break request */
+    });
+  } catch {
+    /* audit must not break request */
+  }
+}

package/src/api/routes/admin-audit.ts

@@ -0,0 +1,67 @@
+import { Hono } from "hono";
+import type { AdminAuditLog } from "../../admin/index.js";
+import type { AuthEnv } from "../../auth/index.js";
+
+function parseIntParam(value: string | undefined): number | undefined {
+  if (value == null || value === "") return undefined;
+  const n = Number.parseInt(value, 10);
+  return Number.isFinite(n) ? n : undefined;
+}
+
+/**
+ * Create admin audit API routes with an injectable audit log service.
+ *
+ * Routes:
+ *   GET / — query admin audit log entries with filters
+ *   GET /export — export filtered entries as CSV
+ *
+ * @param auditLogFactory - factory returning an AdminAuditLog instance
+ */
+export function createAdminAuditApiRoutes(auditLogFactory: () => AdminAuditLog): Hono<AuthEnv> {
+  const routes = new Hono<AuthEnv>();
+
+  routes.get("/", async (c) => {
+    const filters = {
+      admin: c.req.query("admin") ?? undefined,
+      action: c.req.query("action") ?? undefined,
+      category: c.req.query("category") ?? undefined,
+      tenant: c.req.query("tenant") ?? undefined,
+      from: parseIntParam(c.req.query("from")),
+      to: parseIntParam(c.req.query("to")),
+      limit: parseIntParam(c.req.query("limit")),
+      offset: parseIntParam(c.req.query("offset")),
+    };
+
+    try {
+      const result = await auditLogFactory().query(filters);
+      return c.json(result);
+    } catch {
+      return c.json({ error: "Internal server error" }, 500);
+    }
+  });
+
+  routes.get("/export", async (c) => {
+    const filters = {
+      admin: c.req.query("admin") ?? undefined,
+      action: c.req.query("action") ?? undefined,
+      category: c.req.query("category") ?? undefined,
+      tenant: c.req.query("tenant") ?? undefined,
+      from: parseIntParam(c.req.query("from")),
+      to: parseIntParam(c.req.query("to")),
+    };
+
+    try {
+      const csv = await auditLogFactory().exportCsv(filters);
+      return new Response(csv, {
+        headers: {
+          "Content-Type": "text/csv",
+          "Content-Disposition": 'attachment; filename="audit-log.csv"',
+        },
+      });
+    } catch {
+      return c.json({ error: "Internal server error" }, 500);
+    }
+  });
+
+  return routes;
+}