fraim 2.0.177 → 2.0.180

package/dist/src/routes/oauth-routes.js

@@ -0,0 +1,325 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.registerOAuthRoutes = registerOAuthRoutes;
+const cookie_service_1 = require("../services/cookie-service");
+const oauth_helpers_1 = require("../services/oauth-helpers");
+const audit_log_1 = require("../services/audit-log");
+const GOOGLE_AUTH_URL = 'https://accounts.google.com/o/oauth2/v2/auth';
+const GOOGLE_TOKEN_URL = 'https://oauth2.googleapis.com/token';
+const GITHUB_AUTH_URL = 'https://github.com/login/oauth/authorize';
+const GITHUB_TOKEN_URL = 'https://github.com/login/oauth/access_token';
+const GITHUB_USER_EMAILS_URL = 'https://api.github.com/user/emails';
+function getGoogleOAuthConfig() {
+    const clientId = process.env.GOOGLE_OAUTH_CLIENT_ID;
+    const clientSecret = process.env.GOOGLE_OAUTH_CLIENT_SECRET;
+    if (!clientId || !clientSecret) {
+        throw new Error('GOOGLE_OAUTH_CLIENT_ID and GOOGLE_OAUTH_CLIENT_SECRET must be set');
+    }
+    return { clientId, clientSecret };
+}
+function getGitHubOAuthConfig() {
+    const clientId = process.env.GITHUB_OAUTH_CLIENT_ID;
+    const clientSecret = process.env.GITHUB_OAUTH_CLIENT_SECRET;
+    if (!clientId || !clientSecret) {
+        throw new Error('GITHUB_OAUTH_CLIENT_ID and GITHUB_OAUTH_CLIENT_SECRET must be set');
+    }
+    return { clientId, clientSecret };
+}
+/**
+ * Build the base URL used for OAuth redirect_uri and token-exchange.
+ *
+ * Preference order:
+ *  1. FRAIM_PUBLIC_BASE_URL env var (explicit canonical override, recommended in prod)
+ *  2. X-Forwarded-Proto + X-Forwarded-Host from the request (set by Azure App Service
+ *     from the actual hostname the user navigated to — safe because Azure validates
+ *     that host headers correspond to configured custom domains or the default
+ *     azurewebsites.net hostname before forwarding the request)
+ *
+ * Using the request-derived host means the OAuth flow stays on whichever domain
+ * the user signed in from, so the fraim_oauth_pending cookie is always in scope
+ * for the callback. No hard-coded domain needed.
+ */
+function buildBaseUrl(req) {
+    const fromEnv = process.env.FRAIM_PUBLIC_BASE_URL;
+    if (fromEnv && /^https?:\/\//i.test(fromEnv)) {
+        return fromEnv.replace(/\/+$/, '');
+    }
+    const proto = req.headers['x-forwarded-proto'] || req.protocol || 'https';
+    const host = req.headers['x-forwarded-host'] || req.get('host') || 'localhost';
+    return `${proto}://${host}`;
+}
+function callbackUrl(req, provider) {
+    return `${buildBaseUrl(req)}/api/auth/oauth/${provider}/callback`;
+}
+function decodeJwtPayload(jwt) {
+    const parts = jwt.split('.');
+    if (parts.length !== 3)
+        throw new Error('malformed JWT');
+    const payload = parts[1].replace(/-/g, '+').replace(/_/g, '/');
+    const padded = payload + '='.repeat((4 - payload.length % 4) % 4);
+    const json = Buffer.from(padded, 'base64').toString('utf8');
+    return JSON.parse(json);
+}
+function registerOAuthRoutes(app, deps) {
+    const { dbService } = deps;
+    const fetchFn = deps.fetch ?? globalThis.fetch;
+    const googleCfg = deps.getGoogleConfig ?? getGoogleOAuthConfig;
+    const githubCfg = deps.getGitHubConfig ?? getGitHubOAuthConfig;
+    // Startup diagnostics — log config presence without exposing secret values.
+    console.log('[FRAIM OAuth] startup config check:', {
+        FRAIM_PUBLIC_BASE_URL: process.env.FRAIM_PUBLIC_BASE_URL || '(not set — will derive from request host)',
+        FRAIM_COOKIE_DOMAIN: process.env.FRAIM_COOKIE_DOMAIN || '(not set — cookie scoped to exact host)',
+        GOOGLE_OAUTH_CLIENT_ID: process.env.GOOGLE_OAUTH_CLIENT_ID ? '(set)' : '(NOT SET)',
+        GOOGLE_OAUTH_CLIENT_SECRET: process.env.GOOGLE_OAUTH_CLIENT_SECRET ? '(set)' : '(NOT SET)',
+        GITHUB_OAUTH_CLIENT_ID: process.env.GITHUB_OAUTH_CLIENT_ID ? '(set)' : '(NOT SET)',
+        NODE_ENV: process.env.NODE_ENV || '(not set)',
+    });
+    // Helper used by both providers to finalise authentication once we have a verified email.
+    async function completeSignIn(req, res, verifiedEmail, provider, surface, redirectTo) {
+        const lower = verifiedEmail.toLowerCase();
+        const apiKeyData = await dbService.getApiKeyByUserId(lower, false);
+        if (!apiKeyData) {
+            // Sign-in is NOT a sign-up. If the verified email doesn't already match a
+            // FRAIM account, route the user to the sign-up flow. Account creation is
+            // owned by /api/request-access, not by login. (Round-2 user feedback.)
+            await (0, audit_log_1.auditLog)('OAUTH_CALLBACK_SUCCESS', {
+                userId: lower,
+                provider,
+                surface,
+                outcome: 'failure',
+                reason: 'no_account',
+            });
+            (0, cookie_service_1.clearOAuthPendingCookie)(res);
+            return res.redirect(`/auth/error.html?reason=no_account`);
+        }
+        const sessionId = (0, oauth_helpers_1.generateSessionId)();
+        await dbService.createAuthSession({
+            sessionId,
+            userId: lower,
+            authMethod: provider === 'google' ? 'oauth:google' : 'oauth:github',
+            userAgent: typeof req.headers['user-agent'] === 'string' ? req.headers['user-agent'] : undefined,
+            ip: (0, oauth_helpers_1.clientIpFromReq)(req),
+        });
+        await (0, audit_log_1.auditLog)('OAUTH_CALLBACK_SUCCESS', { userId: lower, sessionId, provider, surface, outcome: 'success' });
+        await (0, audit_log_1.auditLog)('SESSION_CREATED', { userId: lower, sessionId, surface, provider, outcome: 'success' });
+        (0, cookie_service_1.setSessionCookie)(res, sessionId);
+        (0, cookie_service_1.clearOAuthPendingCookie)(res);
+        res.redirect(redirectTo);
+    }
+    app.get('/api/auth/oauth/:provider/start', async (req, res) => {
+        const providerRaw = req.params.provider;
+        const provider = typeof providerRaw === 'string' ? providerRaw : '';
+        if (!(0, oauth_helpers_1.isSupportedProvider)(provider)) {
+            return res.status(404).json({ error: 'unsupported_provider' });
+        }
+        const surface = (0, oauth_helpers_1.pickSurfaceOrDefault)(req.query.surface);
+        const redirectTo = (0, oauth_helpers_1.safeRedirectPath)(req.query.redirect_to, (0, oauth_helpers_1.defaultRedirectForSurface)(surface));
+        try {
+            const codeVerifier = (0, oauth_helpers_1.generatePkceVerifier)();
+            const stateNonce = (0, oauth_helpers_1.generateStateNonce)();
+            const pendingId = (0, oauth_helpers_1.generatePendingOAuthId)();
+            await dbService.createPendingOAuth({
+                pendingId,
+                provider,
+                surface,
+                codeVerifier,
+                stateNonce,
+                redirectTo,
+            });
+            (0, cookie_service_1.setOAuthPendingCookie)(res, pendingId);
+            await (0, audit_log_1.auditLog)('OAUTH_START', { provider, surface, ip: (0, oauth_helpers_1.clientIpFromReq)(req), outcome: 'success' });
+            if (provider === 'google') {
+                const cfg = googleCfg();
+                const url = new URL(GOOGLE_AUTH_URL);
+                url.searchParams.set('response_type', 'code');
+                url.searchParams.set('client_id', cfg.clientId);
+                url.searchParams.set('redirect_uri', callbackUrl(req, 'google'));
+                url.searchParams.set('scope', 'openid email profile');
+                url.searchParams.set('state', stateNonce);
+                url.searchParams.set('code_challenge', (0, oauth_helpers_1.pkceChallenge)(codeVerifier));
+                url.searchParams.set('code_challenge_method', 'S256');
+                url.searchParams.set('access_type', 'online');
+                url.searchParams.set('prompt', 'select_account');
+                return res.redirect(url.toString());
+            }
+            else {
+                const cfg = githubCfg();
+                const url = new URL(GITHUB_AUTH_URL);
+                url.searchParams.set('client_id', cfg.clientId);
+                url.searchParams.set('redirect_uri', callbackUrl(req, 'github'));
+                url.searchParams.set('scope', 'read:user user:email');
+                url.searchParams.set('state', stateNonce);
+                url.searchParams.set('allow_signup', 'true');
+                return res.redirect(url.toString());
+            }
+        }
+        catch (err) {
+            console.error(`[FRAIM AUTH] /api/auth/oauth/${provider}/start error:`, err instanceof Error ? err.message : String(err));
+            return res.redirect('/auth/error.html?reason=oauth_start_failed');
+        }
+    });
+    app.get('/api/auth/oauth/google/callback', async (req, res) => {
+        const errorParam = req.query.error;
+        const code = req.query.code;
+        const state = req.query.state;
+        const pendingId = (0, cookie_service_1.readOAuthPendingCookie)(req);
+        try {
+            if (errorParam) {
+                await (0, audit_log_1.auditLog)('OAUTH_PROVIDER_ERROR', { provider: 'google', reason: errorParam, outcome: 'failure' });
+                (0, cookie_service_1.clearOAuthPendingCookie)(res);
+                return res.redirect('/?oauth_error=denied');
+            }
+            if (!code || !state || !pendingId) {
+                // Most common prod cause: cookie domain mismatch (sign-in page on domain A, callback on domain B).
+                // Check FRAIM_PUBLIC_BASE_URL — it must match the domain the user signed in from.
+                console.error('[FRAIM OAuth] google callback missing params:', {
+                    hasCode: !!code,
+                    hasState: !!state,
+                    hasPendingCookie: !!pendingId,
+                    host: req.get('host'),
+                    publicBaseUrl: process.env.FRAIM_PUBLIC_BASE_URL || '(not set)',
+                });
+                await (0, audit_log_1.auditLog)('OAUTH_STATE_MISMATCH', { provider: 'google', reason: 'missing_params', outcome: 'failure' });
+                (0, cookie_service_1.clearOAuthPendingCookie)(res);
+                return res.redirect('/auth/error.html?reason=oauth_state');
+            }
+            const pending = await dbService.consumePendingOAuth(pendingId);
+            if (!pending || pending.provider !== 'google' || pending.stateNonce !== state) {
+                const subReason = !pending ? 'pending_not_found' : pending.provider !== 'google' ? 'provider_mismatch' : 'state_mismatch';
+                console.error('[FRAIM OAuth] google callback state mismatch:', {
+                    subReason,
+                    hasPending: !!pending,
+                    host: req.get('host'),
+                    publicBaseUrl: process.env.FRAIM_PUBLIC_BASE_URL || '(not set)',
+                });
+                await (0, audit_log_1.auditLog)('OAUTH_STATE_MISMATCH', {
+                    provider: 'google',
+                    reason: subReason,
+                    outcome: 'failure',
+                });
+                (0, cookie_service_1.clearOAuthPendingCookie)(res);
+                return res.redirect('/auth/error.html?reason=oauth_state');
+            }
+            const cfg = googleCfg();
+            const tokenResp = await fetchFn(GOOGLE_TOKEN_URL, {
+                method: 'POST',
+                headers: { 'Content-Type': 'application/x-www-form-urlencoded', Accept: 'application/json' },
+                body: new URLSearchParams({
+                    grant_type: 'authorization_code',
+                    code,
+                    code_verifier: pending.codeVerifier,
+                    client_id: cfg.clientId,
+                    client_secret: cfg.clientSecret,
+                    redirect_uri: callbackUrl(req, 'google'),
+                }).toString(),
+            });
+            if (!tokenResp.ok) {
+                const text = await tokenResp.text().catch(() => '');
+                await (0, audit_log_1.auditLog)('OAUTH_PROVIDER_ERROR', { provider: 'google', reason: `token_${tokenResp.status}`, outcome: 'failure', extra: text.slice(0, 200) });
+                return res.redirect('/auth/error.html?reason=oauth_provider');
+            }
+            const tokenJson = await tokenResp.json();
+            if (!tokenJson.id_token) {
+                await (0, audit_log_1.auditLog)('OAUTH_PROVIDER_ERROR', { provider: 'google', reason: 'no_id_token', outcome: 'failure' });
+                return res.redirect('/auth/error.html?reason=oauth_provider');
+            }
+            const payload = decodeJwtPayload(tokenJson.id_token);
+            if (!payload.email_verified || !(0, oauth_helpers_1.isLikelyValidEmail)(payload.email)) {
+                await (0, audit_log_1.auditLog)('OAUTH_UNVERIFIED_EMAIL', { provider: 'google', outcome: 'failure' });
+                return res.redirect('/auth/error.html?reason=unverified_email');
+            }
+            await completeSignIn(req, res, payload.email, 'google', pending.surface, pending.redirectTo);
+        }
+        catch (err) {
+            console.error('[FRAIM AUTH] /api/auth/oauth/google/callback error:', err instanceof Error ? err.message : String(err));
+            return res.redirect('/auth/error.html?reason=oauth_provider');
+        }
+    });
+    app.get('/api/auth/oauth/github/callback', async (req, res) => {
+        const errorParam = req.query.error;
+        const code = req.query.code;
+        const state = req.query.state;
+        const pendingId = (0, cookie_service_1.readOAuthPendingCookie)(req);
+        try {
+            if (errorParam) {
+                await (0, audit_log_1.auditLog)('OAUTH_PROVIDER_ERROR', { provider: 'github', reason: errorParam, outcome: 'failure' });
+                (0, cookie_service_1.clearOAuthPendingCookie)(res);
+                return res.redirect('/?oauth_error=denied');
+            }
+            if (!code || !state || !pendingId) {
+                console.error('[FRAIM OAuth] github callback missing params:', {
+                    hasCode: !!code,
+                    hasState: !!state,
+                    hasPendingCookie: !!pendingId,
+                    host: req.get('host'),
+                    publicBaseUrl: process.env.FRAIM_PUBLIC_BASE_URL || '(not set)',
+                });
+                await (0, audit_log_1.auditLog)('OAUTH_STATE_MISMATCH', { provider: 'github', reason: 'missing_params', outcome: 'failure' });
+                (0, cookie_service_1.clearOAuthPendingCookie)(res);
+                return res.redirect('/auth/error.html?reason=oauth_state');
+            }
+            const pending = await dbService.consumePendingOAuth(pendingId);
+            if (!pending || pending.provider !== 'github' || pending.stateNonce !== state) {
+                const subReason = !pending ? 'pending_not_found' : pending.provider !== 'github' ? 'provider_mismatch' : 'state_mismatch';
+                console.error('[FRAIM OAuth] github callback state mismatch:', {
+                    subReason,
+                    hasPending: !!pending,
+                    host: req.get('host'),
+                    publicBaseUrl: process.env.FRAIM_PUBLIC_BASE_URL || '(not set)',
+                });
+                await (0, audit_log_1.auditLog)('OAUTH_STATE_MISMATCH', {
+                    provider: 'github',
+                    reason: subReason,
+                    outcome: 'failure',
+                });
+                (0, cookie_service_1.clearOAuthPendingCookie)(res);
+                return res.redirect('/auth/error.html?reason=oauth_state');
+            }
+            const cfg = githubCfg();
+            const tokenResp = await fetchFn(GITHUB_TOKEN_URL, {
+                method: 'POST',
+                headers: { 'Content-Type': 'application/x-www-form-urlencoded', Accept: 'application/json' },
+                body: new URLSearchParams({
+                    client_id: cfg.clientId,
+                    client_secret: cfg.clientSecret,
+                    code,
+                    redirect_uri: callbackUrl(req, 'github'),
+                }).toString(),
+            });
+            if (!tokenResp.ok) {
+                const text = await tokenResp.text().catch(() => '');
+                await (0, audit_log_1.auditLog)('OAUTH_PROVIDER_ERROR', { provider: 'github', reason: `token_${tokenResp.status}`, outcome: 'failure', extra: text.slice(0, 200) });
+                return res.redirect('/auth/error.html?reason=oauth_provider');
+            }
+            const tokenJson = await tokenResp.json();
+            if (!tokenJson.access_token) {
+                await (0, audit_log_1.auditLog)('OAUTH_PROVIDER_ERROR', { provider: 'github', reason: tokenJson.error ?? 'no_access_token', outcome: 'failure' });
+                return res.redirect('/auth/error.html?reason=oauth_provider');
+            }
+            const emailsResp = await fetchFn(GITHUB_USER_EMAILS_URL, {
+                headers: {
+                    Accept: 'application/vnd.github+json',
+                    Authorization: `Bearer ${tokenJson.access_token}`,
+                    'User-Agent': 'fraim-server',
+                    'X-GitHub-Api-Version': '2022-11-28',
+                },
+            });
+            if (!emailsResp.ok) {
+                await (0, audit_log_1.auditLog)('OAUTH_PROVIDER_ERROR', { provider: 'github', reason: `emails_${emailsResp.status}`, outcome: 'failure' });
+                return res.redirect('/auth/error.html?reason=oauth_provider');
+            }
+            const emails = await emailsResp.json();
+            const primary = emails.find(e => e.primary && e.verified);
+            const verifiedEmail = primary?.email ?? emails.find(e => e.verified)?.email;
+            if (!verifiedEmail || !(0, oauth_helpers_1.isLikelyValidEmail)(verifiedEmail)) {
+                await (0, audit_log_1.auditLog)('OAUTH_UNVERIFIED_EMAIL', { provider: 'github', outcome: 'failure' });
+                return res.redirect('/auth/error.html?reason=unverified_email');
+            }
+            await completeSignIn(req, res, verifiedEmail, 'github', pending.surface, pending.redirectTo);
+        }
+        catch (err) {
+            console.error('[FRAIM AUTH] /api/auth/oauth/github/callback error:', err instanceof Error ? err.message : String(err));
+            return res.redirect('/auth/error.html?reason=oauth_provider');
+        }
+    });
+}

package/dist/src/routes/payment-routes.js

@@ -0,0 +1,186 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.registerPaymentRoutes = registerPaymentRoutes;
+exports.registerAdminPaymentRoutes = registerAdminPaymentRoutes;
+const create_session_1 = require("../api/payment/create-session");
+const session_details_1 = require("../api/payment/session-details");
+const dashboard_link_1 = require("../api/payment/dashboard-link");
+const webhook_1 = require("../api/payment/webhook");
+const contact_1 = require("../api/sales/contact");
+const payments_1 = require("../api/admin/payments");
+const sales_leads_1 = require("../api/admin/sales-leads");
+const get_config_1 = require("../api/pricing/get-config");
+const rate_limit_1 = require("../middleware/rate-limit");
+/**
+ * Register all payment-related routes
+ * These routes must be registered BEFORE auth middleware
+ */
+function registerPaymentRoutes(app, getPaymentRepo, dbService) {
+    // Per-route rate limiters. Webhooks are intentionally NOT rate-limited at
+    // the application layer because Stripe controls delivery and retry semantics.
+    const publicLimiter = (0, rate_limit_1.publicApiRateLimiter)();
+    const sensitiveLimiter = (0, rate_limit_1.sensitiveRateLimiter)();
+    // Pricing config endpoint (public, no auth required)
+    app.get('/api/pricing/config', publicLimiter, async (req, res) => {
+        await (0, get_config_1.getPricingConfig)(req, res);
+    });
+    // Payment API endpoints (public, no auth required)
+    app.post('/api/payment/create-session', sensitiveLimiter, async (req, res) => {
+        const paymentRepo = getPaymentRepo();
+        if (!paymentRepo) {
+            return res.status(500).json({ error: 'Payment system not initialized' });
+        }
+        await (0, create_session_1.createCheckoutSession)(req, res, paymentRepo, dbService);
+    });
+    // Payment success page — fetch Stripe session details by session_id
+    app.get('/api/payment/session-details', publicLimiter, async (req, res) => {
+        await (0, session_details_1.getSessionDetails)(req, res);
+    });
+    // Checkout success page: provide immediate dashboard URL (no email wait)
+    app.get('/api/payment/dashboard-link', publicLimiter, async (req, res) => {
+        await (0, dashboard_link_1.getDashboardLinkFromCheckoutSession)(req, res, dbService);
+    });
+    // Stripe webhook endpoint (raw body required for signature verification)
+    // Intentionally NOT rate-limited; Stripe handles its own delivery semantics.
+    app.post('/api/payment/webhook', async (req, res) => {
+        const paymentRepo = getPaymentRepo();
+        if (!paymentRepo) {
+            return res.status(500).json({ error: 'Payment system not initialized' });
+        }
+        await (0, webhook_1.handleStripeWebhook)(req, res, paymentRepo, dbService);
+    });
+    // Sales inquiry endpoint (public, no auth required)
+    app.post('/api/sales/contact', sensitiveLimiter, async (req, res) => {
+        await (0, contact_1.createSalesLead)(req, res, dbService);
+    });
+    // Payment bypass endpoint for non-production testing only.
+    // Two layers of defence:
+    //   1. Route returns 404 entirely when NODE_ENV === 'production'.
+    //   2. PAYMENT_BYPASS_CODE must be explicitly set in the environment; there is no
+    //      hardcoded fallback. If it is unset, the route returns 503.
+    app.post('/api/payment/bypass', sensitiveLimiter, async (req, res) => {
+        if (process.env.NODE_ENV === 'production') {
+            return res.status(404).json({ error: 'Not found' });
+        }
+        const BYPASS_CODE = process.env.PAYMENT_BYPASS_CODE;
+        if (!BYPASS_CODE) {
+            console.error('[FRAIM] /api/payment/bypass invoked but PAYMENT_BYPASS_CODE is not configured');
+            return res.status(503).json({ error: 'Payment bypass is not configured on this server' });
+        }
+        const { code, apiKey, daysUntilExpiry } = req.body;
+        if (code !== BYPASS_CODE) {
+            return res.status(403).json({ error: 'Invalid bypass code' });
+        }
+        if (!apiKey) {
+            return res.status(400).json({ error: 'apiKey is required' });
+        }
+        const existingKey = await dbService.getApiKeyByKey(apiKey);
+        if (!existingKey) {
+            return res.status(404).json({ error: 'API key not found' });
+        }
+        // Cap at 365 days. Defense in depth: even with the bypass code, do not let a
+        // request grant a multi-year subscription to an account.
+        const MAX_BYPASS_DAYS = 365;
+        const requestedDays = parseInt(daysUntilExpiry) || 30;
+        const days = Math.max(1, Math.min(requestedDays, MAX_BYPASS_DAYS));
+        const newExpiry = new Date(Date.now() + days * 24 * 60 * 60 * 1000);
+        await dbService.updateApiKey(apiKey, {
+            tier: 'paid-subscription',
+            status: 'active',
+            expiresAt: newExpiry,
+            currentPeriodEnd: newExpiry,
+            stripeCustomerId: 'bypass_test_customer',
+            stripeSubscriptionId: 'bypass_test_subscription'
+        });
+        console.log(`[FRAIM] payment_bypass activated`, { userId: existingKey.userId, expiresAt: newExpiry.toISOString() });
+        return res.json({
+            success: true,
+            message: `Key upgraded to paid-subscription, expires in ${days} days`,
+            expiresAt: newExpiry.toISOString(),
+            tier: 'paid-subscription'
+        });
+    });
+}
+/**
+ * Register admin payment routes
+ * These routes require auth middleware to be applied first
+ */
+function registerAdminPaymentRoutes(app, getPaymentRepo, dbService) {
+    // Admin endpoints (require auth)
+    app.get('/admin/payments', async (req, res) => {
+        const paymentRepo = getPaymentRepo();
+        if (!paymentRepo) {
+            return res.status(500).json({ error: 'Payment system not initialized' });
+        }
+        await (0, payments_1.listPayments)(req, res, paymentRepo);
+    });
+    app.get('/admin/sales-leads', async (req, res) => {
+        await (0, sales_leads_1.listSalesLeads)(req, res, dbService);
+    });
+    // ── Partner Discount CRUD ─────────────────────────────────────────────────
+    /** List all partner discount entries */
+    app.get('/admin/partner-discounts', async (req, res) => {
+        try {
+            const entries = await dbService.listPartnerDiscounts();
+            res.json(entries);
+        }
+        catch (error) {
+            res.status(500).json({ error: 'Failed to list partner discounts', details: error.message });
+        }
+    });
+    /** Create a new partner discount entry */
+    app.post('/admin/partner-discounts', async (req, res) => {
+        try {
+            const { type, match, couponId, company } = req.body;
+            if (!type || !['email', 'domain'].includes(type)) {
+                return res.status(400).json({ error: 'type must be "email" or "domain"' });
+            }
+            if (!match || typeof match !== 'string' || !match.trim()) {
+                return res.status(400).json({ error: 'match is required (email address or domain)' });
+            }
+            if (!couponId || typeof couponId !== 'string' || !couponId.trim()) {
+                return res.status(400).json({ error: 'couponId is required (Stripe coupon ID)' });
+            }
+            const entry = await dbService.createPartnerDiscount({
+                type,
+                match: match.trim().toLowerCase(),
+                couponId: couponId.trim(),
+                company: company?.trim() || undefined,
+                active: true,
+                createdAt: new Date(),
+                useCount: 0,
+            });
+            res.status(201).json(entry);
+        }
+        catch (error) {
+            if (error.code === 11000) {
+                return res.status(409).json({ error: 'A discount entry for that type+match already exists' });
+            }
+            res.status(500).json({ error: 'Failed to create partner discount', details: error.message });
+        }
+    });
+    /** Update an existing partner discount entry (active, couponId, company) */
+    app.patch('/admin/partner-discounts/:id', async (req, res) => {
+        try {
+            const id = req.params.id;
+            const { active, couponId, company } = req.body;
+            const update = {};
+            if (typeof active === 'boolean')
+                update.active = active;
+            if (typeof couponId === 'string' && couponId.trim())
+                update.couponId = couponId.trim();
+            if (typeof company === 'string')
+                update.company = company.trim() || undefined;
+            if (Object.keys(update).length === 0) {
+                return res.status(400).json({ error: 'No valid fields to update (active, couponId, company)' });
+            }
+            const updated = await dbService.updatePartnerDiscount(id, update);
+            if (!updated)
+                return res.status(404).json({ error: 'Partner discount not found' });
+            res.json({ success: true });
+        }
+        catch (error) {
+            res.status(500).json({ error: 'Failed to update partner discount', details: error.message });
+        }
+    });
+}

package/dist/src/routes/persona-catalog-routes.js

@@ -0,0 +1,84 @@
+"use strict";
+/**
+ * GET /api/personas/catalog
+ *
+ * Public, read-only endpoint that returns the full persona catalog for
+ * fraim-pro/index.html and fraim-pro/pricing.html to hydrate their grids.
+ *
+ * Auth: none — added to publicPrefixes in src/middleware/auth.ts.
+ *
+ * Response shape: PersonaCatalogResponse (see types below).
+ *
+ * Issue #545: centralizes emoji, gradient, blurb, and price display in
+ * PERSONA_HIRE_CATALOG so the HTML surfaces are derived views, not sources
+ * of truth.
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.formatPrice = formatPrice;
+exports.buildPersonaCatalog = buildPersonaCatalog;
+exports.registerPersonaCatalogRoutes = registerPersonaCatalogRoutes;
+const fs_1 = require("fs");
+const path_1 = require("path");
+const persona_hiring_1 = require("../config/persona-hiring");
+const persona_capability_bundles_1 = require("../config/persona-capability-bundles");
+const portfolio_slug_overrides_1 = require("../config/portfolio-slug-overrides");
+/**
+ * Format a cents integer to a dollar string, dropping trailing .00.
+ *
+ * Examples:
+ *   990  -> "$9.90"
+ *   4990 -> "$49.90"
+ *   24900 -> "$249"
+ *   100  -> "$1"
+ *
+ * Exported so persona-capability-bundles.ts can reuse the same function.
+ */
+function formatPrice(cents) {
+    return `$${(cents / 100).toFixed(2).replace(/\.00$/, '')}`;
+}
+/**
+ * Build the catalog array from PERSONA_HIRE_CATALOG + PERSONA_CAPABILITY_BUNDLES.
+ *
+ * Exported for unit testing without requiring an HTTP context.
+ */
+function buildPersonaCatalog() {
+    const ROOT = process.cwd();
+    return Object.entries(persona_hiring_1.PERSONA_HIRE_CATALOG).map(([key, persona]) => {
+        const hireKey = key;
+        const slug = portfolio_slug_overrides_1.PORTFOLIO_SLUG_OVERRIDES[key] ?? key;
+        const hasPortfolioPage = (0, fs_1.existsSync)((0, path_1.join)(ROOT, 'public', 'portfolio', slug + '.html'));
+        const bundle = persona_capability_bundles_1.PERSONA_CAPABILITY_BUNDLES[hireKey];
+        const sampleJobs = bundle?.catalogMetadata?.sampleJobs ?? [];
+        return {
+            key,
+            displayName: persona.displayName,
+            role: persona.role,
+            emoji: persona.emoji,
+            gradient: persona.gradient,
+            blurb: persona.blurb,
+            avatarUrl: (0, persona_hiring_1.buildPersonaAvatarUrl)(hireKey),
+            avatarBackgroundColor: persona_hiring_1.PERSONA_AVATAR_CATALOG[hireKey].bg,
+            jobPriceCents: persona.jobPriceCents,
+            fulltimePriceCents: persona.fulltimePriceCents,
+            portfolioSlug: slug,
+            hasPortfolioPage,
+            sampleJobs,
+        };
+    });
+}
+/**
+ * Register the persona catalog route.
+ * Must be called BEFORE auth middleware (it is public — no key required).
+ */
+function registerPersonaCatalogRoutes(app) {
+    app.get('/api/personas/catalog', (req, res) => {
+        try {
+            const personas = buildPersonaCatalog();
+            res.json({ personas });
+        }
+        catch (err) {
+            console.error('[persona-catalog] Error building catalog:', err);
+            res.status(500).json({ error: 'Failed to build persona catalog' });
+        }
+    });
+}