auramaxx 1.0.0-alpha.4

package/src/app/api/page.tsx

@@ -0,0 +1,212 @@
+import Link from 'next/link';
+import DocsThemeToggle from '@/components/docs/DocsThemeToggle';
+
+import { readDocFile, parseApiEndpoints, renderMarkdown, slugify, type ApiEndpoint } from '@/lib/docs';
+
+/** Group endpoints by section, then sub-group by base resource path. */
+const buildIndex = (endpoints: ApiEndpoint[]) => {
+  const sections = new Map<string, ApiEndpoint[]>();
+  for (const ep of endpoints) {
+    const group = sections.get(ep.section) ?? [];
+    group.push(ep);
+    sections.set(ep.section, group);
+  }
+
+  const result: { section: string; sectionSlug: string; resources: { base: string; endpoints: ApiEndpoint[] }[] }[] = [];
+
+  for (const [section, eps] of sections) {
+    // Derive the slug from the most specific heading (H3 if present)
+    const parts = section.split(' / ');
+    const sectionSlug = slugify(parts[parts.length - 1]);
+
+    // Sub-group by base resource: first two path segments (e.g. /wallet/create → /wallet, /actions/:id/resolve → /actions)
+    const byBase = new Map<string, ApiEndpoint[]>();
+    for (const ep of eps) {
+      const segments = ep.path.split('/').filter(Boolean);
+      const base = '/' + (segments[0] ?? '');
+      const group = byBase.get(base) ?? [];
+      group.push(ep);
+      byBase.set(base, group);
+    }
+
+    result.push({
+      section,
+      sectionSlug,
+      resources: [...byBase.entries()].map(([base, resEps]) => ({ base, endpoints: resEps })),
+    });
+  }
+
+  return result;
+};
+
+const METHOD_COLOR: Record<string, string> = {
+  GET: 'bg-emerald-600',
+  POST: 'bg-blue-600',
+  PUT: 'bg-amber-600',
+  PATCH: 'bg-orange-600',
+  DELETE: 'bg-red-600',
+  OPTIONS: 'bg-gray-500',
+  HEAD: 'bg-gray-500',
+};
+
+export default async function ApiReferencePage() {
+  const content = await readDocFile('API.md');
+  const endpoints = parseApiEndpoints(content);
+  const html = renderMarkdown(content);
+  const index = buildIndex(endpoints);
+
+  return (
+    <div className="min-h-screen bg-[var(--color-background,#f4f4f5)] relative p-4 py-8">
+      {/* Background matching Sterile Field */}
+      <div className="fixed inset-0 pointer-events-none z-0 overflow-hidden">
+        {/* Sterile Grid */}
+        <div className="absolute inset-0 bg-grid-adaptive bg-[size:4rem_4rem] opacity-30" />
+
+        {/* Tyvek Texture Overlay */}
+        <div className="absolute inset-0 tyvek-texture opacity-40 mix-blend-multiply" />
+
+        {/* Giant Background Typography */}
+        <div className="absolute top-[5%] left-[5%] opacity-5 select-none">
+          <h1 className="text-[15vw] font-bold leading-none text-[var(--color-text,#0a0a0a)] font-mono tracking-tighter">
+            AURA
+          </h1>
+        </div>
+        <div className="absolute bottom-[5%] right-[5%] opacity-5 select-none">
+          <h1 className="text-[15vw] font-bold leading-none text-[var(--color-text,#0a0a0a)] font-mono tracking-tighter text-right">
+            MAXXING
+          </h1>
+        </div>
+
+        {/* Lab Markings - Corner Finder Patterns */}
+        <div className="absolute top-10 left-10 w-32 h-32 border-l-4 border-t-4 border-[var(--color-text,#0a0a0a)] opacity-10">
+          <div className="absolute top-2 left-2 w-4 h-4 bg-[var(--color-text,#0a0a0a)]" />
+        </div>
+        <div className="absolute bottom-10 right-10 w-32 h-32 border-r-4 border-b-4 border-[var(--color-text,#0a0a0a)] opacity-10 flex items-end justify-end">
+          <div className="absolute bottom-2 right-2 w-4 h-4 bg-[var(--color-text,#0a0a0a)]" />
+        </div>
+      </div>
+
+      {/* Logo header */}
+      <Link
+        href="/"
+        className="fixed top-6 left-6 z-50 flex items-center gap-3 hover:opacity-80 transition-opacity"
+      >
+        <div className="w-10 h-10">
+          <img src="/logo.webp" alt="AuraWallet" className="w-full h-full object-contain" />
+        </div>
+        <div className="font-black text-xl tracking-tighter text-[var(--color-text,#0a0a0a)]">AURAWALLET</div>
+      </Link>
+
+      {/* Nav */}
+      <div className="fixed top-7 right-6 z-50 flex items-center gap-3 font-mono text-[10px] tracking-widest">
+        <Link href="/docs" className="text-[var(--color-text-muted,#6b7280)] hover:text-[var(--color-text,#0a0a0a)] transition-colors">DOCS</Link>
+        <Link href="/app" className="text-[var(--color-text-muted,#6b7280)] hover:text-[var(--color-text,#0a0a0a)] transition-colors">APP</Link>
+        <DocsThemeToggle />
+      </div>
+
+      <div className="relative z-[5] max-w-[1400px] mx-auto pt-16">
+        <div className="grid gap-4 md:grid-cols-[240px_minmax(0,1fr)]">
+          {/* Left rail — endpoint index (sticky) */}
+          <aside className="font-mono hidden md:block">
+            <div className="sticky top-20 max-h-[calc(100vh-6rem)] overflow-y-auto">
+              <div className="bg-[var(--color-surface,#f4f4f2)] border border-[var(--color-border,#d4d4d8)] shadow-lg overflow-hidden font-mono">
+                <div className="px-4 py-3 border-b border-[var(--color-border,#d4d4d8)] bg-[var(--color-surface-alt,#fafafa)] flex items-center justify-between">
+                  <span className="font-sans font-bold text-sm text-[var(--color-text,#0a0a0a)] uppercase tracking-tight">Endpoints</span>
+                  <span className="text-[9px] text-[var(--color-text-faint,#9ca3af)] font-bold">QTY: {endpoints.length.toString().padStart(3, '0')}</span>
+                </div>
+                <div className="p-3 space-y-2.5">
+                  {index.map(({ section, sectionSlug, resources }) => (
+                    <div key={section}>
+                      <a
+                        href={`#${sectionSlug}`}
+                        className="block text-[8px] text-[var(--color-text-faint,#9ca3af)] tracking-widest uppercase mb-1 hover:text-[var(--color-text,#0a0a0a)] transition-colors"
+                      >
+                        {section}
+                      </a>
+                      {resources.map(({ base, endpoints: resEps }) => (
+                        <div key={base} className="mb-1 border-l border-[var(--color-border,#d4d4d8)] ml-1">
+                          <div className="pl-2 py-0.5 text-[9px] text-[var(--color-text-faint,#9ca3af)] tracking-wide font-bold">{base}</div>
+                          <div>
+                            {resEps.map((ep) => (
+                              <a
+                                key={`${ep.method} ${ep.path}`}
+                                href={`#${sectionSlug}`}
+                                className="flex items-center gap-1.5 pl-2 pr-1 py-0.5 text-[10px] hover:bg-[var(--color-surface-alt,#fafafa)] transition-colors"
+                              >
+                                <span
+                                  className={`inline-block w-[34px] text-center py-px text-[7px] font-bold text-white tracking-wide shrink-0 ${METHOD_COLOR[ep.method] ?? 'bg-gray-500'}`}
+                                >
+                                  {ep.method}
+                                </span>
+                                <span className="text-[var(--color-text-muted,#6b7280)] truncate">{ep.path}</span>
+                              </a>
+                            ))}
+                          </div>
+                        </div>
+                      ))}
+                    </div>
+                  ))}
+
+                  {/* Docs link */}
+                  <div className="pt-2 border-t border-[var(--color-border,#d4d4d8)]">
+                    <Link
+                      href="/docs"
+                      className="flex items-center gap-2 px-2 py-1.5 text-[11px] border border-transparent hover:border-[var(--color-border-muted,#e5e5e5)] hover:bg-[var(--color-surface-alt,#fafafa)] text-[var(--color-text-muted,#6b7280)] transition-colors"
+                    >
+                      <svg width="12" height="12" viewBox="0 0 24 24" fill="none" stroke="currentColor" strokeWidth="2" strokeLinecap="round" strokeLinejoin="round"><path d="M14 2H6a2 2 0 0 0-2 2v16a2 2 0 0 0 2 2h12a2 2 0 0 0 2-2V8z" /><polyline points="14 2 14 8 20 8" /><line x1="16" y1="13" x2="8" y2="13" /><line x1="16" y1="17" x2="8" y2="17" /><polyline points="10 9 9 9 8 9" /></svg>
+                      DOCS
+                    </Link>
+                  </div>
+                </div>
+                {/* Barcode + Stripe */}
+                <div className="flex items-center gap-3 px-4 py-2 border-t border-[var(--color-border,#d4d4d8)]">
+                  <div className="h-4 flex-1 bg-[repeating-linear-gradient(90deg,var(--color-text,#000),var(--color-text,#000)_1px,transparent_1px,transparent_3px)] opacity-30" />
+                </div>
+                <div className="h-2 w-full" style={{
+                  backgroundImage: 'repeating-linear-gradient(45deg, var(--color-text, #000), var(--color-text, #000) 5px, transparent 5px, transparent 10px)',
+                  opacity: 0.1,
+                }} />
+              </div>
+            </div>
+          </aside>
+
+          {/* Content — rendered API markdown */}
+          <div className="bg-[var(--color-surface,#f4f4f2)] border border-[var(--color-border,#d4d4d8)] shadow-lg overflow-hidden font-mono">
+            <div className="px-4 py-3 border-b border-[var(--color-border,#d4d4d8)] bg-[var(--color-surface-alt,#fafafa)] flex items-center justify-between">
+              <span className="font-sans font-bold text-sm text-[var(--color-text,#0a0a0a)] uppercase tracking-tight">API Reference</span>
+              <a
+                href="http://localhost:4242"
+                target="_blank"
+                rel="noopener noreferrer"
+                className="text-[10px] text-[var(--color-text-muted,#6b7280)] hover:text-[var(--color-text,#0a0a0a)] transition-colors tracking-widest"
+              >
+                OPEN API →
+              </a>
+            </div>
+
+            <div
+              className="p-5 prose-mono"
+              dangerouslySetInnerHTML={{ __html: html }}
+            />
+
+            {/* Footer */}
+            <div className="px-4 py-2 border-t border-[var(--color-border,#d4d4d8)] bg-[var(--color-surface-alt,#fafafa)]">
+              <div className="text-[8px] text-[var(--color-text-faint,#9ca3af)] uppercase tracking-wider mb-1">DOCUMENT REFERENCE</div>
+              <div className="text-[9px] text-[var(--color-text,#0a0a0a)] font-bold">API.md</div>
+            </div>
+
+            {/* Barcode + Stripe */}
+            <div className="flex items-center gap-3 px-4 py-2 border-t border-[var(--color-border,#d4d4d8)]">
+              <div className="h-4 flex-1 bg-[repeating-linear-gradient(90deg,var(--color-text,#000),var(--color-text,#000)_1px,transparent_1px,transparent_3px)] opacity-30" />
+              <span className="text-[8px] text-[var(--color-text-faint,#9ca3af)] tracking-wider">AURAWALLET</span>
+            </div>
+            <div className="h-2 w-full" style={{
+              backgroundImage: 'repeating-linear-gradient(45deg, var(--color-text, #000), var(--color-text, #000) 5px, transparent 5px, transparent 10px)',
+              opacity: 0.1,
+            }} />
+          </div>
+        </div>
+      </div>
+    </div>
+  );
+}

package/src/app/api/workspace/[id]/apps/[wid]/route.ts

@@ -0,0 +1,119 @@
+import { NextRequest, NextResponse } from 'next/server';
+import { PrismaClient } from '@prisma/client';
+import { requireWorkspaceAdmin } from '../../../auth';
+
+const prisma = new PrismaClient();
+
+// PATCH /api/workspace/[id]/apps/[wid] - Update app
+export async function PATCH(
+  request: NextRequest,
+  { params }: { params: Promise<{ id: string; wid: string }> }
+) {
+  try {
+    const unauthorized = await requireWorkspaceAdmin(request);
+    if (unauthorized) return unauthorized;
+
+    const { id: workspaceId, wid: appId } = await params;
+    const body = await request.json();
+    const { x, y, width, height, zIndex, isVisible, isLocked, config } = body;
+
+    // Verify app exists and belongs to workspace
+    const existing = await prisma.workspaceApp.findUnique({
+      where: { id: appId },
+    });
+
+    if (!existing) {
+      return NextResponse.json(
+        { success: false, error: 'App not found' },
+        { status: 404 }
+      );
+    }
+
+    if (existing.workspaceId !== workspaceId) {
+      return NextResponse.json(
+        { success: false, error: 'App does not belong to this workspace' },
+        { status: 400 }
+      );
+    }
+
+    const updateData: Record<string, unknown> = {};
+    if (x !== undefined) updateData.x = x;
+    if (y !== undefined) updateData.y = y;
+    if (width !== undefined) updateData.width = width;
+    if (height !== undefined) updateData.height = height;
+    if (zIndex !== undefined) updateData.zIndex = zIndex;
+    if (isVisible !== undefined) updateData.isVisible = isVisible;
+    if (isLocked !== undefined) updateData.isLocked = isLocked;
+    if (config !== undefined) updateData.config = JSON.stringify(config);
+
+    const app = await prisma.workspaceApp.update({
+      where: { id: appId },
+      data: updateData,
+    });
+
+    return NextResponse.json({
+      success: true,
+      app: {
+        id: app.id,
+        workspaceId: app.workspaceId,
+        appType: app.appType,
+        x: app.x,
+        y: app.y,
+        width: app.width,
+        height: app.height,
+        zIndex: app.zIndex,
+        isVisible: app.isVisible,
+        isLocked: app.isLocked,
+        config: app.config ? JSON.parse(app.config) : null,
+      },
+    });
+  } catch (error) {
+    console.error('Failed to update app:', error);
+    return NextResponse.json(
+      { success: false, error: 'Failed to update app' },
+      { status: 500 }
+    );
+  }
+}
+
+// DELETE /api/workspace/[id]/apps/[wid] - Remove app
+export async function DELETE(
+  request: NextRequest,
+  { params }: { params: Promise<{ id: string; wid: string }> }
+) {
+  try {
+    const unauthorized = await requireWorkspaceAdmin(request);
+    if (unauthorized) return unauthorized;
+
+    const { id: workspaceId, wid: appId } = await params;
+
+    // Verify app exists and belongs to workspace
+    const existing = await prisma.workspaceApp.findUnique({
+      where: { id: appId },
+    });
+
+    if (!existing) {
+      return NextResponse.json(
+        { success: false, error: 'App not found' },
+        { status: 404 }
+      );
+    }
+
+    if (existing.workspaceId !== workspaceId) {
+      return NextResponse.json(
+        { success: false, error: 'App does not belong to this workspace' },
+        { status: 400 }
+      );
+    }
+
+    await prisma.workspaceApp.delete({ where: { id: appId } });
+
+    return NextResponse.json({ success: true });
+  } catch (error) {
+    console.error('Failed to delete app:', error);
+    return NextResponse.json(
+      { success: false, error: 'Failed to delete app' },
+      { status: 500 }
+    );
+  }
+}

package/src/app/api/workspace/[id]/apps/route.ts

@@ -0,0 +1,81 @@
+import { NextRequest, NextResponse } from 'next/server';
+import { PrismaClient } from '@prisma/client';
+import { requireWorkspaceAdmin } from '../../auth';
+
+const prisma = new PrismaClient();
+
+// POST /api/workspace/[id]/apps - Add app to workspace
+export async function POST(
+  request: NextRequest,
+  { params }: { params: Promise<{ id: string }> }
+) {
+  try {
+    const unauthorized = await requireWorkspaceAdmin(request);
+    if (unauthorized) return unauthorized;
+
+    const { id: workspaceId } = await params;
+    const body = await request.json();
+    const { appType, x, y, width, height, zIndex, isVisible, isLocked, config } = body;
+
+    if (!appType) {
+      return NextResponse.json(
+        { success: false, error: 'appType is required' },
+        { status: 400 }
+      );
+    }
+
+    // Verify workspace exists
+    const workspace = await prisma.workspace.findUnique({ where: { id: workspaceId } });
+    if (!workspace) {
+      return NextResponse.json(
+        { success: false, error: 'Workspace not found' },
+        { status: 404 }
+      );
+    }
+
+    // Get max zIndex for this workspace
+    const maxZ = await prisma.workspaceApp.aggregate({
+      where: { workspaceId },
+      _max: { zIndex: true },
+    });
+    const newZIndex = zIndex ?? (maxZ._max.zIndex ?? 9) + 1;
+
+    const app = await prisma.workspaceApp.create({
+      data: {
+        workspaceId,
+        appType,
+        x: x ?? 20,
+        y: y ?? 20,
+        width: width ?? 320,
+        height: height ?? 280,
+        zIndex: newZIndex,
+        isVisible: isVisible ?? true,
+        isLocked: isLocked ?? false,
+        config: config ? JSON.stringify(config) : null,
+      },
+    });
+
+    return NextResponse.json({
+      success: true,
+      app: {
+        id: app.id,
+        workspaceId: app.workspaceId,
+        appType: app.appType,
+        x: app.x,
+        y: app.y,
+        width: app.width,
+        height: app.height,
+        zIndex: app.zIndex,
+        isVisible: app.isVisible,
+        isLocked: app.isLocked,
+        config: app.config ? JSON.parse(app.config) : null,
+      },
+    });
+  } catch (error) {
+    console.error('Failed to add app:', error);
+    return NextResponse.json(
+      { success: false, error: 'Failed to add app' },
+      { status: 500 }
+    );
+  }
+}

package/src/app/api/workspace/[id]/export/route.ts

@@ -0,0 +1,67 @@
+import { NextRequest, NextResponse } from 'next/server';
+import { PrismaClient } from '@prisma/client';
+import { requireWorkspaceAdmin } from '../../auth';
+
+const prisma = new PrismaClient();
+
+// GET /api/workspace/[id]/export - Export workspace as JSON
+export async function GET(
+  request: NextRequest,
+  { params }: { params: Promise<{ id: string }> }
+) {
+  try {
+    const unauthorized = await requireWorkspaceAdmin(request);
+    if (unauthorized) return unauthorized;
+
+    const { id } = await params;
+
+    const workspace = await prisma.workspace.findUnique({
+      where: { id },
+      include: {
+        apps: true,
+      },
+    });
+
+    if (!workspace) {
+      return NextResponse.json(
+        { success: false, error: 'Workspace not found' },
+        { status: 404 }
+      );
+    }
+
+    const exportData = {
+      version: 1,
+      exportedAt: new Date().toISOString(),
+      workspace: {
+        name: workspace.name,
+        slug: workspace.slug,
+        icon: workspace.icon,
+        order: workspace.order,
+        isDefault: workspace.isDefault,
+        isCloseable: workspace.isCloseable,
+      },
+      apps: workspace.apps.map((w: any) => ({
+        appType: w.appType,
+        x: w.x,
+        y: w.y,
+        width: w.width,
+        height: w.height,
+        zIndex: w.zIndex,
+        isVisible: w.isVisible,
+        isLocked: w.isLocked,
+        config: w.config ? JSON.parse(w.config) : null,
+      })),
+    };
+
+    return NextResponse.json({
+      success: true,
+      data: exportData,
+    });
+  } catch (error) {
+    console.error('Failed to export workspace:', error);
+    return NextResponse.json(
+      { success: false, error: 'Failed to export workspace' },
+      { status: 500 }
+    );
+  }
+}

package/src/app/api/workspace/[id]/route.ts

@@ -0,0 +1,168 @@
+import { NextRequest, NextResponse } from 'next/server';
+import { PrismaClient } from '@prisma/client';
+import { requireWorkspaceAdmin } from '../auth';
+
+const prisma = new PrismaClient();
+
+// GET /api/workspace/[id] - Get workspace with apps
+export async function GET(
+  request: NextRequest,
+  { params }: { params: Promise<{ id: string }> }
+) {
+  try {
+    const unauthorized = await requireWorkspaceAdmin(request);
+    if (unauthorized) return unauthorized;
+
+    const { id } = await params;
+
+    const workspace = await prisma.workspace.findUnique({
+      where: { id },
+      include: {
+        apps: {
+          orderBy: { zIndex: 'asc' },
+        },
+      },
+    });
+
+    if (!workspace) {
+      return NextResponse.json(
+        { success: false, error: 'Workspace not found' },
+        { status: 404 }
+      );
+    }
+
+    return NextResponse.json({
+      success: true,
+      workspace: {
+        id: workspace.id,
+        name: workspace.name,
+        slug: workspace.slug,
+        icon: workspace.icon,
+        order: workspace.order,
+        isDefault: workspace.isDefault,
+        isCloseable: workspace.isCloseable,
+      },
+      apps: workspace.apps.map((w: any) => ({
+        id: w.id,
+        workspaceId: w.workspaceId,
+        appType: w.appType,
+        x: w.x,
+        y: w.y,
+        width: w.width,
+        height: w.height,
+        zIndex: w.zIndex,
+        isVisible: w.isVisible,
+        isLocked: w.isLocked,
+        config: w.config ? JSON.parse(w.config) : null,
+      })),
+    });
+  } catch (error) {
+    console.error('Failed to get workspace:', error);
+    return NextResponse.json(
+      { success: false, error: 'Failed to get workspace' },
+      { status: 500 }
+    );
+  }
+}
+
+// PATCH /api/workspace/[id] - Update workspace
+export async function PATCH(
+  request: NextRequest,
+  { params }: { params: Promise<{ id: string }> }
+) {
+  try {
+    const unauthorized = await requireWorkspaceAdmin(request);
+    if (unauthorized) return unauthorized;
+
+    const { id } = await params;
+    const body = await request.json();
+    const { name, icon, order, isDefault, isCloseable } = body;
+
+    // Check if workspace exists
+    const existing = await prisma.workspace.findUnique({ where: { id } });
+    if (!existing) {
+      return NextResponse.json(
+        { success: false, error: 'Workspace not found' },
+        { status: 404 }
+      );
+    }
+
+    // If setting as default, unset existing default
+    if (isDefault) {
+      await prisma.workspace.updateMany({
+        where: { isDefault: true, id: { not: id } },
+        data: { isDefault: false },
+      });
+    }
+
+    const workspace = await prisma.workspace.update({
+      where: { id },
+      data: {
+        name: name ?? existing.name,
+        icon: icon ?? existing.icon,
+        order: order ?? existing.order,
+        isDefault: isDefault ?? existing.isDefault,
+        isCloseable: isCloseable ?? existing.isCloseable,
+      },
+    });
+
+    return NextResponse.json({
+      success: true,
+      workspace: {
+        id: workspace.id,
+        name: workspace.name,
+        slug: workspace.slug,
+        icon: workspace.icon,
+        order: workspace.order,
+        isDefault: workspace.isDefault,
+        isCloseable: workspace.isCloseable,
+      },
+    });
+  } catch (error) {
+    console.error('Failed to update workspace:', error);
+    return NextResponse.json(
+      { success: false, error: 'Failed to update workspace' },
+      { status: 500 }
+    );
+  }
+}
+
+// DELETE /api/workspace/[id] - Delete workspace
+export async function DELETE(
+  request: NextRequest,
+  { params }: { params: Promise<{ id: string }> }
+) {
+  try {
+    const unauthorized = await requireWorkspaceAdmin(request);
+    if (unauthorized) return unauthorized;
+
+    const { id } = await params;
+
+    // Check if workspace exists and is closeable
+    const workspace = await prisma.workspace.findUnique({ where: { id } });
+    if (!workspace) {
+      return NextResponse.json(
+        { success: false, error: 'Workspace not found' },
+        { status: 404 }
+      );
+    }
+
+    if (!workspace.isCloseable) {
+      return NextResponse.json(
+        { success: false, error: 'Cannot delete non-closeable workspace' },
+        { status: 400 }
+      );
+    }
+
+    // Cascade delete will remove apps
+    await prisma.workspace.delete({ where: { id } });
+
+    return NextResponse.json({ success: true });
+  } catch (error) {
+    console.error('Failed to delete workspace:', error);
+    return NextResponse.json(
+      { success: false, error: 'Failed to delete workspace' },
+      { status: 500 }
+    );
+  }
+}

package/src/app/api/workspace/auth.ts

@@ -0,0 +1,34 @@
+import { NextRequest, NextResponse } from 'next/server';
+
+const WALLET_API = process.env.WALLET_SERVER_URL || 'http://localhost:4242';
+
+/**
+ * Validate admin access by forwarding the Authorization header to Express.
+ */
+async function validateAdmin(authHeader: string | null): Promise<boolean> {
+  if (!authHeader) return false;
+
+  try {
+    // Use an authenticated admin-only endpoint as a lightweight verifier.
+    const resp = await fetch(`${WALLET_API}/setup`, {
+      headers: { Authorization: authHeader },
+      cache: 'no-store',
+    });
+    return resp.ok;
+  } catch {
+    return false;
+  }
+}
+
+export async function requireWorkspaceAdmin(
+  request: NextRequest
+): Promise<NextResponse | null> {
+  const authHeader = request.headers.get('authorization');
+  const isAdmin = await validateAdmin(authHeader);
+  if (isAdmin) return null;
+
+  return NextResponse.json(
+    { success: false, error: 'Admin access required' },
+    { status: 403 }
+  );
+}