availsync 0.1.0

package/src/routes/admin.ts

@@ -0,0 +1,514 @@
+import express from 'express';
+import { z } from 'zod';
+import pool from '../db/client';
+import { migrationSummary } from '../db/migrations';
+import { appVersion, gitCommit } from '../lib/appInfo';
+import { envReadiness, stripeReadiness } from '../lib/env';
+import { requireAdminSession } from '../middleware/auth';
+import { log } from '../lib/logger';
+
+const router = express.Router();
+
+const OrgListQuerySchema = z.object({
+  plan: z.enum(['free', 'individual', 'team']).optional(),
+  q: z.string().max(120).optional(),
+  active: z.enum(['today', '7d', '30d']).optional(),
+  limit: z.coerce.number().int().min(1).max(200).optional().default(50),
+  offset: z.coerce.number().int().min(0).optional().default(0),
+});
+
+const SupportListQuerySchema = z.object({
+  status: z.enum(['open', 'in_review', 'closed']).optional(),
+  plan: z.enum(['individual', 'team']).optional(),
+  q: z.string().max(120).optional(),
+  limit: z.coerce.number().int().min(1).max(100).optional().default(50),
+  offset: z.coerce.number().int().min(0).optional().default(0),
+});
+
+const SupportUpdateSchema = z.object({
+  status: z.enum(['open', 'in_review', 'closed']),
+});
+
+const WaitlistListQuerySchema = z.object({
+  status: z.enum(['new', 'contacted', 'closed']).optional(),
+  plan: z.enum(['individual', 'team']).optional(),
+  q: z.string().max(120).optional(),
+  limit: z.coerce.number().int().min(1).max(100).optional().default(50),
+  offset: z.coerce.number().int().min(0).optional().default(0),
+});
+
+const WaitlistUpdateSchema = z.object({
+  status: z.enum(['new', 'contacted', 'closed']),
+});
+
+router.get('/admin/overview', requireAdminSession, async (_req, res) => {
+  try {
+    const result = await pool.query(
+      `SELECT
+         (SELECT COUNT(*)::int FROM orgs) AS total_workspaces,
+         (SELECT COUNT(DISTINCT org_id)::int FROM agent_activity_events WHERE created_at >= NOW() - INTERVAL '24 hours') AS active_workspaces,
+         (SELECT COUNT(*)::int FROM orgs WHERE plan = 'free') AS free_workspaces,
+         (SELECT COUNT(*)::int FROM orgs WHERE plan = 'individual') AS individual_workspaces,
+         (SELECT COUNT(*)::int FROM orgs WHERE plan = 'team') AS team_workspaces,
+         (SELECT COUNT(*)::int FROM orgs WHERE plan <> 'free') AS paid_workspaces,
+         (SELECT COALESCE(SUM(CASE WHEN plan = 'individual' THEN 10 WHEN plan = 'team' THEN 25 ELSE 0 END), 0)::int FROM orgs WHERE subscription_status IN ('active', 'trialing')) AS estimated_mrr,
+         (SELECT COUNT(*)::int FROM orgs WHERE subscription_status = 'canceled' OR cancel_at_period_end = true) AS canceled_workspaces,
+         (SELECT COUNT(*)::int FROM agents) AS total_agents,
+         (SELECT COUNT(*)::int FROM agents WHERE GREATEST(COALESCE(last_seen_at, 'epoch'::timestamptz), COALESCE(mcp_last_seen_at, 'epoch'::timestamptz)) > NOW() - INTERVAL '15 minutes') AS connected_agents,
+         (SELECT COUNT(*)::int FROM agent_activity_events WHERE created_at >= date_trunc('day', NOW())) AS api_calls_today,
+         (SELECT COUNT(*)::int FROM agent_activity_events WHERE created_at >= date_trunc('month', NOW())) AS api_calls_month,
+         (SELECT COUNT(*)::int FROM agent_activity_events WHERE status = 'error' AND created_at >= date_trunc('day', NOW())) AS errors_today,
+         (SELECT COUNT(DISTINCT org_id)::int FROM agent_activity_events WHERE created_at >= NOW() - INTERVAL '7 days' AND activity_type NOT LIKE 'setup_test%' AND activity_type NOT IN ('verification_run', 'connection_test') AND COALESCE(metadata->>'source', '') NOT IN ('setup_test', 'onboarding_verification')) AS active_workspaces_7d,
+         (SELECT COUNT(*)::int FROM agents WHERE last_seen_at IS NULL AND mcp_last_seen_at IS NULL AND NOT EXISTS (SELECT 1 FROM agent_activity_events WHERE agent_activity_events.agent_id = agents.id AND activity_type NOT LIKE 'setup_test%' AND activity_type NOT IN ('verification_run', 'connection_test') AND COALESCE(metadata->>'source', '') NOT IN ('setup_test', 'onboarding_verification'))) AS never_connected_agents,
+         (SELECT COUNT(*)::int FROM agents WHERE GREATEST(COALESCE(last_seen_at, 'epoch'::timestamptz), COALESCE(mcp_last_seen_at, 'epoch'::timestamptz), COALESCE((SELECT MAX(created_at) FROM agent_activity_events WHERE agent_activity_events.agent_id = agents.id AND activity_type NOT LIKE 'setup_test%' AND activity_type NOT IN ('verification_run', 'connection_test') AND COALESCE(metadata->>'source', '') NOT IN ('setup_test', 'onboarding_verification')), 'epoch'::timestamptz)) < NOW() - INTERVAL '3 days' AND (last_seen_at IS NOT NULL OR mcp_last_seen_at IS NOT NULL OR EXISTS (SELECT 1 FROM agent_activity_events WHERE agent_activity_events.agent_id = agents.id AND activity_type NOT LIKE 'setup_test%' AND activity_type NOT IN ('verification_run', 'connection_test') AND COALESCE(metadata->>'source', '') NOT IN ('setup_test', 'onboarding_verification')))) AS quiet_agents,
+         ((SELECT COUNT(*)::int FROM work_claim_events WHERE event_type = 'blocked' AND created_at >= NOW() - INTERVAL '7 days' AND COALESCE(metadata->>'source', '') NOT IN ('setup_test', 'onboarding_verification')) + (SELECT COUNT(*)::int FROM hold_events WHERE event_type IN ('conflict_won', 'conflict_lost', 'superseded') AND created_at >= NOW() - INTERVAL '7 days')) AS conflicts_prevented_7d,
+         (SELECT COUNT(*)::int FROM work_claims WHERE status = 'active' AND expires_at >= NOW()) AS active_work_claims,
+         (SELECT COUNT(*)::int FROM work_claim_events WHERE event_type = 'blocked') AS blocked_agent_runs,
+         (SELECT COUNT(*)::int FROM paid_plan_waitlist) AS waitlist_leads,
+         (SELECT COUNT(*)::int FROM paid_plan_waitlist WHERE status = 'new') AS waitlist_new,
+         (SELECT MAX(created_at) FROM orgs) AS latest_signup_at`,
+    );
+
+    return res.json(result.rows[0]);
+  } catch (err) {
+    log.error('[admin] overview error', { error: (err as Error).message });
+    return res.status(500).json({ error: 'internal_error', message: 'An unexpected error occurred' });
+  }
+});
+
+router.get('/admin/system', requireAdminSession, async (_req, res) => {
+  try {
+    const [migrations, latest] = await Promise.all([
+      migrationSummary(),
+      pool.query(
+        `SELECT
+           (SELECT MAX(created_at) FROM agent_activity_events) AS latest_activity_at,
+           (SELECT MAX(created_at) FROM hold_events) AS latest_hold_event_at,
+           (SELECT MAX(created_at) FROM work_claim_events) AS latest_work_event_at`,
+      ),
+    ]);
+    await pool.query('SELECT 1');
+
+    const env = envReadiness();
+    const stripe = stripeReadiness();
+    const status = migrations.failed > 0 || !env.ok ? 'degraded' : 'ok';
+
+    return res.json({
+      status,
+      app: {
+        version: appVersion(),
+        git_commit: gitCommit(),
+        node_version: process.version,
+        uptime_seconds: Math.floor(process.uptime()),
+      },
+      database: {
+        connected: true,
+      },
+      migrations,
+      env,
+      stripe,
+      latest_events: latest.rows[0],
+      timestamp: new Date().toISOString(),
+    });
+  } catch (err) {
+    log.error('[admin] system error', { error: (err as Error).message });
+    return res.status(500).json({
+      status: 'error',
+      error: 'system_diagnostics_failed',
+      message: 'Unable to load system diagnostics',
+    });
+  }
+});
+
+router.get('/admin/support/tickets', requireAdminSession, async (req, res) => {
+  const parsed = SupportListQuerySchema.safeParse(req.query);
+  if (!parsed.success) {
+    return res.status(400).json({ error: 'validation_error', details: parsed.error.flatten() });
+  }
+
+  try {
+    const result = await pool.query(
+      `SELECT
+         support_tickets.id,
+         support_tickets.org_id,
+         orgs.name AS org_name,
+         support_tickets.user_id,
+         support_tickets.email,
+         support_tickets.subject,
+         support_tickets.category,
+         support_tickets.message,
+         support_tickets.status,
+         support_tickets.priority,
+         support_tickets.plan,
+         support_tickets.context,
+         support_tickets.created_at,
+         support_tickets.updated_at,
+         COUNT(*) OVER()::int AS total_count
+       FROM support_tickets
+       JOIN orgs ON orgs.id = support_tickets.org_id
+       WHERE ($1::text IS NULL OR support_tickets.status = $1)
+         AND ($2::text IS NULL OR support_tickets.plan = $2)
+         AND (
+           $3::text IS NULL
+           OR support_tickets.email ILIKE '%' || $3 || '%'
+           OR support_tickets.subject ILIKE '%' || $3 || '%'
+           OR orgs.name ILIKE '%' || $3 || '%'
+         )
+       ORDER BY
+         CASE support_tickets.status WHEN 'open' THEN 0 WHEN 'in_review' THEN 1 ELSE 2 END,
+         support_tickets.created_at DESC
+       LIMIT $4 OFFSET $5`,
+      [
+        parsed.data.status ?? null,
+        parsed.data.plan ?? null,
+        parsed.data.q ?? null,
+        parsed.data.limit,
+        parsed.data.offset,
+      ],
+    );
+
+    return res.json({
+      tickets: result.rows.map(({ total_count: _total, ...row }) => row),
+      limit: parsed.data.limit,
+      offset: parsed.data.offset,
+      count: result.rows.length,
+      total: result.rows[0]?.total_count ?? 0,
+    });
+  } catch (err) {
+    log.error('[admin] support list error', { error: (err as Error).message });
+    return res.status(500).json({ error: 'internal_error', message: 'An unexpected error occurred' });
+  }
+});
+
+router.put('/admin/support/tickets/:ticket_id', requireAdminSession, async (req, res) => {
+  const ticketId = z.string().uuid().safeParse(req.params.ticket_id);
+  const parsed = SupportUpdateSchema.safeParse(req.body);
+  if (!ticketId.success || !parsed.success) {
+    return res.status(400).json({ error: 'validation_error', message: 'Invalid ticket update' });
+  }
+
+  try {
+    const result = await pool.query(
+      `UPDATE support_tickets
+       SET status = $2,
+           updated_at = NOW()
+       WHERE id = $1
+       RETURNING id, org_id, user_id, email, subject, category, message, status, priority, plan, context, created_at, updated_at`,
+      [ticketId.data, parsed.data.status],
+    );
+
+    if (result.rows.length === 0) {
+      return res.status(404).json({ error: 'ticket_not_found', message: 'Support ticket not found' });
+    }
+
+    return res.json({ ticket: result.rows[0] });
+  } catch (err) {
+    log.error('[admin] support update error', { error: (err as Error).message, ticket_id: ticketId.data });
+    return res.status(500).json({ error: 'internal_error', message: 'An unexpected error occurred' });
+  }
+});
+
+router.get('/admin/waitlist', requireAdminSession, async (req, res) => {
+  const parsed = WaitlistListQuerySchema.safeParse(req.query);
+  if (!parsed.success) {
+    return res.status(400).json({ error: 'validation_error', details: parsed.error.flatten() });
+  }
+
+  try {
+    const result = await pool.query(
+      `SELECT
+         paid_plan_waitlist.id,
+         paid_plan_waitlist.org_id,
+         orgs.name AS org_name,
+         paid_plan_waitlist.user_id,
+         paid_plan_waitlist.email,
+         paid_plan_waitlist.plan,
+         paid_plan_waitlist.source,
+         paid_plan_waitlist.message,
+         paid_plan_waitlist.status,
+         paid_plan_waitlist.context,
+         paid_plan_waitlist.created_at,
+         paid_plan_waitlist.updated_at,
+         COUNT(*) OVER()::int AS total_count
+       FROM paid_plan_waitlist
+       LEFT JOIN orgs ON orgs.id = paid_plan_waitlist.org_id
+       WHERE ($1::text IS NULL OR paid_plan_waitlist.status = $1)
+         AND ($2::text IS NULL OR paid_plan_waitlist.plan = $2)
+         AND (
+           $3::text IS NULL
+           OR paid_plan_waitlist.email ILIKE '%' || $3 || '%'
+           OR paid_plan_waitlist.message ILIKE '%' || $3 || '%'
+           OR orgs.name ILIKE '%' || $3 || '%'
+         )
+       ORDER BY
+         CASE paid_plan_waitlist.status WHEN 'new' THEN 0 WHEN 'contacted' THEN 1 ELSE 2 END,
+         paid_plan_waitlist.created_at DESC
+       LIMIT $4 OFFSET $5`,
+      [
+        parsed.data.status ?? null,
+        parsed.data.plan ?? null,
+        parsed.data.q ?? null,
+        parsed.data.limit,
+        parsed.data.offset,
+      ],
+    );
+
+    return res.json({
+      leads: result.rows.map(({ total_count: _total, ...row }) => row),
+      limit: parsed.data.limit,
+      offset: parsed.data.offset,
+      count: result.rows.length,
+      total: result.rows[0]?.total_count ?? 0,
+    });
+  } catch (err) {
+    log.error('[admin] waitlist list error', { error: (err as Error).message });
+    return res.status(500).json({ error: 'internal_error', message: 'An unexpected error occurred' });
+  }
+});
+
+router.put('/admin/waitlist/:lead_id', requireAdminSession, async (req, res) => {
+  const leadId = z.string().uuid().safeParse(req.params.lead_id);
+  const parsed = WaitlistUpdateSchema.safeParse(req.body);
+  if (!leadId.success || !parsed.success) {
+    return res.status(400).json({ error: 'validation_error', message: 'Invalid waitlist update' });
+  }
+
+  try {
+    const result = await pool.query(
+      `UPDATE paid_plan_waitlist
+       SET status = $2,
+           updated_at = NOW()
+       WHERE id = $1
+       RETURNING id, org_id, user_id, email, plan, source, message, status, context, created_at, updated_at`,
+      [leadId.data, parsed.data.status],
+    );
+
+    if (result.rows.length === 0) {
+      return res.status(404).json({ error: 'lead_not_found', message: 'Waitlist lead not found' });
+    }
+
+    return res.json({ lead: result.rows[0] });
+  } catch (err) {
+    log.error('[admin] waitlist update error', { error: (err as Error).message, lead_id: leadId.data });
+    return res.status(500).json({ error: 'internal_error', message: 'An unexpected error occurred' });
+  }
+});
+
+router.get('/admin/orgs', requireAdminSession, async (req, res) => {
+  const parsed = OrgListQuerySchema.safeParse(req.query);
+  if (!parsed.success) {
+    return res.status(400).json({ error: 'validation_error', details: parsed.error.flatten() });
+  }
+
+  const activeIntervals: Record<string, string> = {
+    today: '24 hours',
+    '7d': '7 days',
+    '30d': '30 days',
+  };
+  const activeInterval = parsed.data.active ? activeIntervals[parsed.data.active] : null;
+
+  try {
+    const result = await pool.query(
+      `WITH org_stats AS (
+         SELECT
+           orgs.id,
+           orgs.name,
+           orgs.plan,
+           orgs.agent_limit,
+           orgs.subscription_status,
+           orgs.current_period_end,
+           orgs.cancel_at_period_end,
+           orgs.stripe_customer_id IS NOT NULL AS has_stripe_customer,
+           orgs.stripe_subscription_id IS NOT NULL AS has_stripe_subscription,
+           orgs.created_at,
+           owner.email AS owner_email,
+           (SELECT COUNT(*)::int FROM agents WHERE agents.org_id = orgs.id) AS agent_count,
+           (SELECT COUNT(*)::int FROM agents WHERE agents.org_id = orgs.id AND GREATEST(COALESCE(agents.last_seen_at, 'epoch'::timestamptz), COALESCE(agents.mcp_last_seen_at, 'epoch'::timestamptz)) > NOW() - INTERVAL '15 minutes') AS connected_agent_count,
+           (SELECT COUNT(*)::int FROM work_claims WHERE work_claims.org_id = orgs.id AND work_claims.status = 'active' AND work_claims.expires_at >= NOW()) AS active_work_claims,
+           (SELECT COUNT(*)::int FROM work_resources WHERE work_resources.org_id = orgs.id) AS protected_resources,
+           (SELECT COUNT(*)::int FROM agent_activity_events WHERE agent_activity_events.org_id = orgs.id AND agent_activity_events.created_at > NOW() - INTERVAL '24 hours') AS api_calls_24h,
+           (SELECT COUNT(*)::int FROM agent_activity_events WHERE agent_activity_events.org_id = orgs.id AND agent_activity_events.created_at >= date_trunc('month', NOW())) AS api_calls_month,
+           (SELECT COUNT(*)::int FROM agent_activity_events WHERE agent_activity_events.org_id = orgs.id AND agent_activity_events.status = 'error' AND agent_activity_events.created_at > NOW() - INTERVAL '24 hours') AS errors_24h,
+           (SELECT MAX(created_at) FROM agent_activity_events WHERE agent_activity_events.org_id = orgs.id) AS last_activity_at
+         FROM orgs
+         LEFT JOIN LATERAL (
+           SELECT email
+           FROM workspace_users
+           WHERE workspace_users.org_id = orgs.id
+           ORDER BY CASE WHEN role = 'owner' THEN 0 ELSE 1 END, created_at ASC
+           LIMIT 1
+         ) owner ON true
+       )
+       SELECT *, COUNT(*) OVER()::int AS total_count
+       FROM org_stats
+       WHERE ($1::text IS NULL OR plan = $1)
+         AND ($2::text IS NULL OR name ILIKE '%' || $2 || '%' OR owner_email ILIKE '%' || $2 || '%')
+         AND ($3::text IS NULL OR last_activity_at > NOW() - ($3::interval))
+       ORDER BY created_at DESC
+       LIMIT $4 OFFSET $5`,
+      [
+        parsed.data.plan ?? null,
+        parsed.data.q ?? null,
+        activeInterval,
+        parsed.data.limit,
+        parsed.data.offset,
+      ],
+    );
+
+    return res.json({
+      orgs: result.rows.map(({ total_count: _total, ...row }) => row),
+      limit: parsed.data.limit,
+      offset: parsed.data.offset,
+      count: result.rows.length,
+      total: result.rows[0]?.total_count ?? 0,
+    });
+  } catch (err) {
+    log.error('[admin] org list error', { error: (err as Error).message });
+    return res.status(500).json({ error: 'internal_error', message: 'An unexpected error occurred' });
+  }
+});
+
+router.get('/admin/orgs/:org_id', requireAdminSession, async (req, res) => {
+  const orgId = z.string().uuid().safeParse(req.params.org_id);
+  if (!orgId.success) {
+    return res.status(400).json({ error: 'validation_error', message: 'Invalid org id' });
+  }
+
+  try {
+    const org = await pool.query(
+      `SELECT
+         id,
+         name,
+         plan,
+         agent_limit,
+         subscription_status,
+         current_period_end,
+         cancel_at_period_end,
+         stripe_customer_id IS NOT NULL AS has_stripe_customer,
+         stripe_subscription_id IS NOT NULL AS has_stripe_subscription,
+         created_at
+       FROM orgs
+       WHERE id = $1`,
+      [orgId.data],
+    );
+    if (org.rows.length === 0) {
+      return res.status(404).json({ error: 'org_not_found', message: 'Organization not found' });
+    }
+
+    const [users, agents, usage, activity, holdEvents, workEvents] = await Promise.all([
+      pool.query(
+        `SELECT id, email, role, created_at
+         FROM workspace_users
+         WHERE org_id = $1
+         ORDER BY created_at ASC`,
+        [orgId.data],
+      ),
+      pool.query(
+        `SELECT
+           id,
+           name,
+           agent_type,
+           priority,
+           last_seen_at,
+           mcp_last_seen_at,
+           mcp_client_name,
+           created_at,
+           (SELECT MAX(created_at) FROM agent_activity_events WHERE agent_id = agents.id) AS last_activity_at,
+           (SELECT MAX(created_at) FROM agent_activity_events WHERE agent_id = agents.id AND status = 'error') AS last_error_at
+         FROM agents
+         WHERE org_id = $1
+         ORDER BY created_at DESC`,
+        [orgId.data],
+      ),
+      pool.query(
+        `SELECT
+           (SELECT COUNT(*)::int FROM agents WHERE org_id = $1) AS agents,
+           (SELECT COUNT(*)::int FROM agents WHERE org_id = $1 AND GREATEST(COALESCE(last_seen_at, 'epoch'::timestamptz), COALESCE(mcp_last_seen_at, 'epoch'::timestamptz)) > NOW() - INTERVAL '15 minutes') AS connected_agents,
+           (SELECT COUNT(*)::int FROM work_resources WHERE org_id = $1) AS protected_resources,
+           (SELECT COUNT(*)::int FROM agent_activity_events WHERE org_id = $1 AND created_at > NOW() - INTERVAL '24 hours') AS api_calls_24h,
+           (SELECT COUNT(*)::int FROM agent_activity_events WHERE org_id = $1 AND created_at >= date_trunc('month', NOW())) AS api_calls_month,
+           (SELECT COUNT(*)::int FROM agent_activity_events WHERE org_id = $1 AND status = 'error' AND created_at > NOW() - INTERVAL '24 hours') AS errors_24h,
+           (SELECT COALESCE(SUM(total_tokens), 0)::int FROM agent_activity_events WHERE org_id = $1 AND created_at > NOW() - INTERVAL '24 hours') AS tokens_24h,
+           (SELECT COUNT(*)::int FROM agents WHERE org_id = $1 AND last_seen_at IS NULL AND mcp_last_seen_at IS NULL AND NOT EXISTS (SELECT 1 FROM agent_activity_events WHERE agent_activity_events.agent_id = agents.id AND activity_type NOT LIKE 'setup_test%' AND activity_type NOT IN ('verification_run', 'connection_test') AND COALESCE(metadata->>'source', '') NOT IN ('setup_test', 'onboarding_verification'))) AS never_connected_agents,
+           (SELECT COUNT(*)::int FROM agents WHERE org_id = $1 AND GREATEST(COALESCE(last_seen_at, 'epoch'::timestamptz), COALESCE(mcp_last_seen_at, 'epoch'::timestamptz), COALESCE((SELECT MAX(created_at) FROM agent_activity_events WHERE agent_activity_events.agent_id = agents.id AND activity_type NOT LIKE 'setup_test%' AND activity_type NOT IN ('verification_run', 'connection_test') AND COALESCE(metadata->>'source', '') NOT IN ('setup_test', 'onboarding_verification')), 'epoch'::timestamptz)) < NOW() - INTERVAL '3 days' AND (last_seen_at IS NOT NULL OR mcp_last_seen_at IS NOT NULL OR EXISTS (SELECT 1 FROM agent_activity_events WHERE agent_activity_events.agent_id = agents.id AND activity_type NOT LIKE 'setup_test%' AND activity_type NOT IN ('verification_run', 'connection_test') AND COALESCE(metadata->>'source', '') NOT IN ('setup_test', 'onboarding_verification')))) AS quiet_agents,
+           ((SELECT COUNT(*)::int FROM work_claim_events WHERE org_id = $1 AND event_type = 'blocked' AND created_at >= NOW() - INTERVAL '7 days' AND COALESCE(metadata->>'source', '') NOT IN ('setup_test', 'onboarding_verification')) + (SELECT COUNT(*)::int FROM hold_events WHERE org_id = $1 AND event_type IN ('conflict_won', 'conflict_lost', 'superseded') AND created_at >= NOW() - INTERVAL '7 days')) AS conflicts_prevented_7d,
+           (SELECT COUNT(*)::int FROM work_claims WHERE org_id = $1 AND status = 'active' AND expires_at >= NOW()) AS active_work_claims,
+           (SELECT COUNT(*)::int FROM work_claim_events WHERE org_id = $1 AND event_type = 'blocked') AS blocked_agent_runs,
+           (SELECT MAX(created_at) FROM agent_activity_events WHERE org_id = $1) AS last_activity_at`,
+        [orgId.data],
+      ),
+      pool.query(
+        `SELECT
+           agent_activity_events.id,
+           agent_activity_events.agent_id,
+           agents.name AS agent_name,
+           agent_activity_events.activity_type,
+           agent_activity_events.endpoint,
+           agent_activity_events.method,
+           agent_activity_events.status_code,
+           agent_activity_events.status,
+           agent_activity_events.error_code,
+           agent_activity_events.error_message,
+           agent_activity_events.created_at
+         FROM agent_activity_events
+         LEFT JOIN agents ON agents.id = agent_activity_events.agent_id
+         WHERE agent_activity_events.org_id = $1
+         ORDER BY agent_activity_events.created_at DESC
+         LIMIT 20`,
+        [orgId.data],
+      ),
+      pool.query(
+        `SELECT
+           hold_events.id,
+           hold_events.event_type,
+           hold_events.agent_id,
+           agents.name AS agent_name,
+           hold_events.rule_applied,
+           hold_events.actor_type,
+           hold_events.actor_label,
+           hold_events.created_at
+         FROM hold_events
+         LEFT JOIN agents ON agents.id = hold_events.agent_id
+         WHERE hold_events.org_id = $1
+         ORDER BY hold_events.created_at DESC
+         LIMIT 20`,
+        [orgId.data],
+      ),
+      pool.query(
+        `SELECT
+           work_claim_events.id,
+           work_claim_events.event_type,
+           work_claim_events.agent_id,
+           agents.name AS agent_name,
+           work_resources.resource_type,
+           work_resources.resource_key,
+           work_claim_events.rule_applied,
+           work_claim_events.actor_type,
+           work_claim_events.actor_label,
+           work_claim_events.created_at
+         FROM work_claim_events
+         LEFT JOIN agents ON agents.id = work_claim_events.agent_id
+         LEFT JOIN work_resources ON work_resources.id = work_claim_events.resource_id
+         WHERE work_claim_events.org_id = $1
+         ORDER BY work_claim_events.created_at DESC
+         LIMIT 20`,
+        [orgId.data],
+      ),
+    ]);
+
+    return res.json({
+      org: org.rows[0],
+      users: users.rows,
+      agents: agents.rows,
+      usage: usage.rows[0],
+      recent_activity: activity.rows,
+      recent_hold_events: holdEvents.rows,
+      recent_work_events: workEvents.rows,
+    });
+  } catch (err) {
+    log.error('[admin] org detail error', { error: (err as Error).message });
+    return res.status(500).json({ error: 'internal_error', message: 'An unexpected error occurred' });
+  }
+});
+
+export default router;

package/src/routes/audit.ts

@@ -0,0 +1,68 @@
+import express from 'express';
+import { z } from 'zod';
+import pool from '../db/client';
+import { requireWorkspaceSession, type WorkspaceAuthenticatedRequest } from '../middleware/auth';
+import { log } from '../lib/logger';
+
+const router = express.Router();
+
+const AuditQuerySchema = z.object({
+  limit: z.coerce.number().int().min(1).max(200).optional().default(50),
+  offset: z.coerce.number().int().min(0).optional().default(0),
+  agent_id: z.string().uuid().optional(),
+  event_type: z.enum(['created', 'superseded', 'released', 'conflict_won', 'conflict_lost']).optional(),
+});
+
+router.get('/audit', requireWorkspaceSession, async (req, res) => {
+  const parsed = AuditQuerySchema.safeParse(req.query);
+  if (!parsed.success) {
+    return res.status(400).json({ error: 'validation_error', details: parsed.error.flatten() });
+  }
+
+  const authReq = req as WorkspaceAuthenticatedRequest;
+
+  try {
+    const result = await pool.query(
+      `SELECT
+         he.id,
+         he.hold_id,
+         he.event_type,
+         he.agent_id,
+         a.name AS agent_name,
+         he.org_id,
+         he.conflicting_hold_id,
+         he.rule_applied,
+         he.metadata,
+         he.actor_type,
+         he.actor_id,
+         he.actor_label,
+         he.created_at
+       FROM hold_events he
+       LEFT JOIN agents a ON a.id = he.agent_id
+       WHERE he.org_id = $1
+         AND ($4::uuid IS NULL OR he.agent_id = $4)
+         AND ($5::text IS NULL OR he.event_type = $5)
+       ORDER BY he.created_at DESC
+       LIMIT $2 OFFSET $3`,
+      [
+        authReq.org.id,
+        parsed.data.limit,
+        parsed.data.offset,
+        parsed.data.agent_id ?? null,
+        parsed.data.event_type ?? null,
+      ],
+    );
+
+    return res.json({
+      events: result.rows,
+      limit: parsed.data.limit,
+      offset: parsed.data.offset,
+      count: result.rows.length,
+    });
+  } catch (err) {
+    log.error('[audit] unexpected error', { error: (err as Error).message });
+    return res.status(500).json({ error: 'internal_error', message: 'An unexpected error occurred' });
+  }
+});
+
+export default router;