mcpmake 0.1.0

package/dist/cloud/web/router.js

@@ -0,0 +1,1921 @@
+/**
+ * Web route handler — serves HTML pages and static assets.
+ *
+ * Called before API routes in the main server. Returns `true` if the
+ * request was handled, `false` to fall through to API routes.
+ */
+import os from 'node:os';
+import { randomUUID, randomBytes } from 'node:crypto';
+import { writeFile, mkdir, unlink, rm } from 'node:fs/promises';
+import { join } from 'node:path';
+import { serveStatic } from './static-server.js';
+import { renderPage, renderTemplate } from './template-engine.js';
+import { getAuthenticatedUser, getSessionToken, requireAuth, requireAdmin, hashPassword, verifyPassword, setSessionCookie, clearSessionCookie, getUserByEmail, getUserById, createUser, updateUser, deleteUser, countUsers, listUsers, getSession, createSession, destroySession, setPendingToken, consumePendingToken, generateResetToken, hashResetToken, setPasswordResetToken, getUserByResetToken, clearPasswordResetToken, isEmailVerificationRequired, generateVerificationToken, hashVerificationToken, setEmailVerificationToken, getUserByVerificationToken, markEmailVerified, } from './auth.js';
+import { validateCsrf } from './csrf.js';
+import { getDoc, getSidebar, renderDoc, renderDocsIndexHtml } from './docs.js';
+import { parseMultipart, isAllowedSpecFile, getSafeExtension } from '../multipart.js';
+import { buildFromSpec, detectFormat, detectFormatFromContent } from '../build-pipeline.js';
+import { getContainerBackend } from '../container-backend.js';
+import { buildQueue } from '../build-queue.js';
+// Routing is backend-authoritative: the Caddy wildcard forwards every server
+// subdomain to this backend, so we no longer add per-container Caddy routes.
+import { generateBearerToken, hashToken, hashSpec } from '../security.js';
+import { getClientIp } from '../request-security.js';
+import { safeFetch, assertPublicUrl, SsrfError } from '../ssrf.js';
+import { loginLimiter, uploadLimiter, resetLimiter, usageTracker, getSecretStore, getPgServerStore, getCreditStore, getMetricSampleStore, getTelemetryStore, failureTracker, getDb, } from '../shared-state.js';
+import { gatherResourceReading, evaluatePressure, DEFAULT_THRESHOLDS, INITIAL_PRESSURE_STATE, } from '../resource-monitor.js';
+import { sendMail } from '../mailer.js';
+import { checkQuota, getPlanLimits, checkServerLimit } from '../billing/billing-engine.js';
+import { isStripeConfigured, createCheckoutSession, createPortalSession } from '../stripe.js';
+import { renderSparkline, renderBars, renderDualLine } from './charts.js';
+import { logger } from '../../utils/logger.js';
+const MAX_SPEC_SIZE = 5 * 1024 * 1024; // 5 MB
+const MAX_NAME_LEN = 100;
+const UPLOAD_DIR = '/tmp/mcpmake-uploads';
+const MAX_FORM_BODY = 1024 * 1024; // 1 MB
+/**
+ * Handle web requests (HTML pages and static files).
+ *
+ * @returns `true` if handled, `false` to fall through to API routes.
+ */
+export async function handleWebRequest(req, res, context) {
+    const method = req.method ?? 'GET';
+    const url = new URL(req.url ?? '/', `http://${req.headers.host ?? 'localhost'}`);
+    const pathname = url.pathname;
+    // Static files
+    if (pathname.startsWith('/static/')) {
+        const served = await serveStatic(req, res);
+        if (served)
+            return true;
+        // Static file not found — send 404
+        sendHtml(res, 404, '<h1>404 — Not Found</h1>');
+        return true;
+    }
+    // --- Auth routes (GET + POST) ---
+    if (pathname === '/login' && method === 'GET') {
+        return handleLoginPage(req, res);
+    }
+    if (pathname === '/login' && method === 'POST') {
+        return handleLoginSubmit(req, res);
+    }
+    if (pathname === '/register' && method === 'GET') {
+        return handleRegisterPage(req, res);
+    }
+    if (pathname === '/register' && method === 'POST') {
+        return handleRegisterSubmit(req, res);
+    }
+    if (pathname === '/forgot-password' && method === 'GET') {
+        return handleForgotPasswordPage(req, res);
+    }
+    if (pathname === '/forgot-password' && method === 'POST') {
+        return handleForgotPasswordSubmit(req, res);
+    }
+    if (pathname === '/reset-password' && method === 'GET') {
+        return handleResetPasswordPage(req, res);
+    }
+    if (pathname === '/reset-password' && method === 'POST') {
+        return handleResetPasswordSubmit(req, res);
+    }
+    if (pathname === '/verify-email' && method === 'GET') {
+        return handleVerifyEmail(req, res);
+    }
+    if (pathname === '/dashboard/resend-verification' && method === 'POST') {
+        return handleResendVerification(req, res);
+    }
+    if (pathname === '/logout' && method === 'POST') {
+        return handleLogout(req, res);
+    }
+    // --- Dashboard routes (all require auth) ---
+    if (pathname === '/dashboard' && method === 'GET') {
+        return handleDashboardServers(req, res, context);
+    }
+    if (pathname === '/dashboard/_servers' && method === 'GET') {
+        return handleDashboardServersPartial(req, res, context);
+    }
+    if (pathname === '/dashboard/create' && method === 'GET') {
+        return handleDashboardCreatePage(req, res);
+    }
+    if (pathname === '/dashboard/create' && method === 'POST') {
+        return handleDashboardCreateSubmit(req, res, context);
+    }
+    // Match /dashboard/servers/:slug
+    const dashSlugMatch = pathname.match(/^\/dashboard\/servers\/([a-z0-9][a-z0-9-]*)$/);
+    if (dashSlugMatch && method === 'GET') {
+        return handleDashboardServerDetail(req, res, context, dashSlugMatch[1]);
+    }
+    // Match /dashboard/servers/:slug/_status (htmx partial)
+    const dashStatusMatch = pathname.match(/^\/dashboard\/servers\/([a-z0-9][a-z0-9-]*)\/_status$/);
+    if (dashStatusMatch && method === 'GET') {
+        return handleDashboardServerStatus(req, res, context, dashStatusMatch[1]);
+    }
+    // Match /dashboard/servers/:slug/logs
+    const dashLogsMatch = pathname.match(/^\/dashboard\/servers\/([a-z0-9][a-z0-9-]*)\/logs$/);
+    if (dashLogsMatch && method === 'GET') {
+        return handleDashboardServerLogs(req, res, context, dashLogsMatch[1]);
+    }
+    // Match /dashboard/servers/:slug/metrics
+    const dashMetricsMatch = pathname.match(/^\/dashboard\/servers\/([a-z0-9][a-z0-9-]*)\/metrics$/);
+    if (dashMetricsMatch && method === 'GET') {
+        return handleDashboardServerMetrics(req, res, context, dashMetricsMatch[1]);
+    }
+    // Match /dashboard/servers/:slug/secrets (POST — set a secret)
+    const dashSecretsMatch = pathname.match(/^\/dashboard\/servers\/([a-z0-9][a-z0-9-]*)\/secrets$/);
+    if (dashSecretsMatch && method === 'POST') {
+        return handleDashboardServerSecrets(req, res, context, dashSecretsMatch[1]);
+    }
+    // Match /dashboard/servers/:slug/delete
+    const dashDeleteMatch = pathname.match(/^\/dashboard\/servers\/([a-z0-9][a-z0-9-]*)\/delete$/);
+    if (dashDeleteMatch && method === 'POST') {
+        return handleDashboardServerDelete(req, res, context, dashDeleteMatch[1]);
+    }
+    // --- Billing routes ---
+    if (pathname === '/dashboard/billing' && method === 'GET') {
+        return handleBillingPage(req, res);
+    }
+    if (pathname === '/dashboard/billing/checkout' && method === 'POST') {
+        return handleBillingCheckout(req, res);
+    }
+    if (pathname === '/dashboard/billing/portal' && method === 'POST') {
+        return handleBillingPortal(req, res);
+    }
+    if (pathname === '/dashboard/billing/success' && method === 'GET') {
+        return handleBillingSuccess(req, res);
+    }
+    // --- Admin routes ---
+    if (pathname === '/admin' && method === 'GET') {
+        return handleAdminOverview(req, res, context);
+    }
+    if (pathname === '/admin/_stats' && method === 'GET') {
+        return handleAdminStatsPartial(req, res, context);
+    }
+    if (pathname === '/admin/servers' && method === 'GET') {
+        return handleAdminServers(req, res, context);
+    }
+    const adminServerDeleteMatch = pathname.match(/^\/admin\/servers\/([a-z0-9][a-z0-9-]*)\/delete$/);
+    if (adminServerDeleteMatch && method === 'POST') {
+        return handleAdminServerDelete(req, res, context, adminServerDeleteMatch[1]);
+    }
+    if (pathname === '/admin/users' && method === 'GET') {
+        return handleAdminUsers(req, res, context);
+    }
+    const adminUserPlanMatch = pathname.match(/^\/admin\/users\/([a-f0-9-]+)\/plan$/);
+    if (adminUserPlanMatch && method === 'POST') {
+        return handleAdminUserPlan(req, res, adminUserPlanMatch[1]);
+    }
+    const adminUserAdminMatch = pathname.match(/^\/admin\/users\/([a-f0-9-]+)\/admin$/);
+    if (adminUserAdminMatch && method === 'POST') {
+        return handleAdminUserAdmin(req, res, adminUserAdminMatch[1]);
+    }
+    const adminUserDeleteMatch = pathname.match(/^\/admin\/users\/([a-f0-9-]+)\/delete$/);
+    if (adminUserDeleteMatch && method === 'POST') {
+        return handleAdminUserDelete(req, res, adminUserDeleteMatch[1]);
+    }
+    const adminUserCreditsMatch = pathname.match(/^\/admin\/users\/([a-f0-9-]+)\/credits$/);
+    if (adminUserCreditsMatch && method === 'POST') {
+        return handleAdminUserCredits(req, res, context, adminUserCreditsMatch[1]);
+    }
+    // Only handle GET for remaining page routes
+    if (method !== 'GET') {
+        return false;
+    }
+    if (pathname === '/admin/telemetry') {
+        return handleAdminTelemetry(req, res);
+    }
+    // Bare user-id edit page. Registered AFTER /admin/users (exact) and the
+    // /plan, /admin, /delete, /credits POST matches above so it never shadows
+    // them. The `method !== 'GET'` guard above means only GET reaches here.
+    const adminUserEditMatch = pathname.match(/^\/admin\/users\/([a-f0-9-]+)$/);
+    if (adminUserEditMatch) {
+        return handleAdminUserEdit(req, res, context, adminUserEditMatch[1]);
+    }
+    // --- Page routes ---
+    if (pathname === '/') {
+        const html = renderPage('pages/landing/index', 'layouts/landing', {
+            metaTitle: 'mcpmake Cloud — Your API, as an MCP server in 30 seconds',
+            metaDescription: 'Upload an OpenAPI spec or HAR file. We generate and host the MCP server. Connect it to Claude, Cursor, or any MCP client.',
+            domain: context.domain,
+            year: new Date().getFullYear(),
+        });
+        sendHtml(res, 200, html);
+        return true;
+    }
+    // Legal pages (footer links).
+    if (pathname === '/terms') {
+        const html = renderPage('pages/legal/terms', 'layouts/landing', {
+            metaTitle: 'Terms of Service — mcpmake Cloud',
+            domain: context.domain,
+            year: new Date().getFullYear(),
+        });
+        sendHtml(res, 200, html);
+        return true;
+    }
+    if (pathname === '/privacy') {
+        const html = renderPage('pages/legal/privacy', 'layouts/landing', {
+            metaTitle: 'Privacy Policy — mcpmake Cloud',
+            domain: context.domain,
+            year: new Date().getFullYear(),
+        });
+        sendHtml(res, 200, html);
+        return true;
+    }
+    // Documentation (public — rendered from the project's Markdown docs).
+    if (pathname === '/docs') {
+        return handleDocsIndex(res, context);
+    }
+    const docMatch = pathname.match(/^\/docs\/([a-z0-9][a-z0-9-]*)$/);
+    if (docMatch) {
+        return handleDocPage(res, context, docMatch[1]);
+    }
+    // For non-API GET requests that didn't match any route, render a 404 page
+    if (!pathname.startsWith('/api/')) {
+        const html = renderPage('pages/errors/404', 'layouts/landing', {
+            metaTitle: '404 — Page not found — mcpmake Cloud',
+        });
+        sendHtml(res, 404, html);
+        return true;
+    }
+    // API routes — fall through to API handler
+    return false;
+}
+// ---------------------------------------------------------------------------
+// Documentation route handlers
+// ---------------------------------------------------------------------------
+function handleDocsIndex(res, context) {
+    const html = renderPage('pages/docs/show', 'layouts/landing', {
+        metaTitle: 'Documentation — mcpmake',
+        metaDescription: 'mcpmake documentation: cloud quickstart, CLI reference, website MCP servers, and migration guides.',
+        domain: context.domain,
+        year: new Date().getFullYear(),
+        isIndex: true,
+        docTitle: 'Documentation',
+        docGroups: getSidebar(),
+        docHtml: renderDocsIndexHtml(),
+    });
+    sendHtml(res, 200, html);
+    return true;
+}
+function handleDocPage(res, context, slug) {
+    const meta = getDoc(slug);
+    const docHtml = meta ? renderDoc(slug) : null;
+    if (!meta || docHtml === null) {
+        const notFound = renderPage('pages/errors/404', 'layouts/landing', {
+            metaTitle: '404 — Page not found — mcpmake Cloud',
+            domain: context.domain,
+            year: new Date().getFullYear(),
+        });
+        sendHtml(res, 404, notFound);
+        return true;
+    }
+    const html = renderPage('pages/docs/show', 'layouts/landing', {
+        metaTitle: `${meta.title} — mcpmake docs`,
+        metaDescription: meta.description,
+        domain: context.domain,
+        year: new Date().getFullYear(),
+        isIndex: false,
+        docTitle: meta.title,
+        docGroups: getSidebar(slug),
+        docHtml,
+    });
+    sendHtml(res, 200, html);
+    return true;
+}
+// ---------------------------------------------------------------------------
+// Auth route handlers
+// ---------------------------------------------------------------------------
+async function handleLoginPage(req, res) {
+    // If already logged in, redirect to dashboard
+    const auth = await getAuthenticatedUser(req);
+    if (auth) {
+        redirect(res, '/dashboard');
+        return true;
+    }
+    // Create a temporary session for the CSRF token (anon — always in-memory)
+    const tempSession = await createSession('__anon__');
+    setSessionCookie(res, req, tempSession.token);
+    const html = renderPage('pages/auth/login', 'layouts/auth', {
+        metaTitle: 'Sign in — mcpmake Cloud',
+        csrfToken: tempSession.csrfToken,
+        email: '',
+    });
+    sendHtml(res, 200, html);
+    return true;
+}
+async function handleLoginSubmit(req, res) {
+    const body = await parseFormBody(req);
+    // Validate CSRF — need to get the session from the cookie
+    const auth = await getAuthenticatedUser(req);
+    if (auth) {
+        redirect(res, '/dashboard');
+        return true;
+    }
+    // Get the anon session for CSRF validation
+    const sessionToken = getSessionToken(req);
+    const session = sessionToken ? await getSession(sessionToken) : undefined;
+    if (!session || !validateCsrf(req, body, session)) {
+        return renderLoginError(req, res, 'Invalid form submission. Please try again.', body.email ?? '');
+    }
+    // Destroy the anon session
+    await destroySession(session.token);
+    const email = (body.email ?? '').trim().toLowerCase();
+    const password = body.password ?? '';
+    if (!email || !password) {
+        return renderLoginError(req, res, 'Email and password are required.', email);
+    }
+    // Rate limit login attempts by IP and by email
+    const clientIp = getClientIp(req);
+    const ipCheck = loginLimiter.check(`login-ip:${clientIp}`);
+    const emailCheck = loginLimiter.check(`login-email:${email}`);
+    if (!ipCheck.allowed || !emailCheck.allowed) {
+        return renderLoginError(req, res, 'Too many login attempts. Please try again later.', email);
+    }
+    const user = await getUserByEmail(email);
+    if (!user) {
+        return renderLoginError(req, res, 'Invalid email or password.', email);
+    }
+    const valid = await verifyPassword(password, user.passwordHash);
+    if (!valid) {
+        return renderLoginError(req, res, 'Invalid email or password.', email);
+    }
+    // Update last login
+    await updateUser(user.id, { lastLoginAt: new Date().toISOString() });
+    // Create session
+    const newSession = await createSession(user.id);
+    setSessionCookie(res, req, newSession.token);
+    redirect(res, '/dashboard');
+    return true;
+}
+async function renderLoginError(req, res, error, email) {
+    const tempSession = await createSession('__anon__');
+    setSessionCookie(res, req, tempSession.token);
+    const html = renderPage('pages/auth/login', 'layouts/auth', {
+        metaTitle: 'Sign in — mcpmake Cloud',
+        csrfToken: tempSession.csrfToken,
+        error,
+        email,
+    });
+    sendHtml(res, 200, html);
+    return true;
+}
+async function handleRegisterPage(req, res) {
+    // If already logged in, redirect to dashboard
+    const auth = await getAuthenticatedUser(req);
+    if (auth) {
+        redirect(res, '/dashboard');
+        return true;
+    }
+    const tempSession = await createSession('__anon__');
+    setSessionCookie(res, req, tempSession.token);
+    const html = renderPage('pages/auth/register', 'layouts/auth', {
+        metaTitle: 'Register — mcpmake Cloud',
+        csrfToken: tempSession.csrfToken,
+        email: '',
+    });
+    sendHtml(res, 200, html);
+    return true;
+}
+async function handleRegisterSubmit(req, res) {
+    const body = await parseFormBody(req);
+    // If already logged in, redirect
+    const auth = await getAuthenticatedUser(req);
+    if (auth) {
+        redirect(res, '/dashboard');
+        return true;
+    }
+    // CSRF check
+    const sessionToken = getSessionToken(req);
+    const session = sessionToken ? await getSession(sessionToken) : undefined;
+    if (!session || !validateCsrf(req, body, session)) {
+        return renderRegisterError(req, res, 'Invalid form submission. Please try again.', body.email ?? '');
+    }
+    // Destroy the anon session
+    await destroySession(session.token);
+    const email = (body.email ?? '').trim().toLowerCase();
+    const password = body.password ?? '';
+    const confirmPassword = body.confirmPassword ?? '';
+    // Validate email
+    if (!email) {
+        return renderRegisterError(req, res, 'Email is required.', email);
+    }
+    if (!isValidEmail(email)) {
+        return renderRegisterError(req, res, 'Please enter a valid email address.', email);
+    }
+    // Email allowlist — restrict registration to approved domains/addresses
+    const allowedEmails = (process.env.ALLOWED_EMAILS ?? '')
+        .split(',')
+        .map((s) => s.trim())
+        .filter(Boolean);
+    if (allowedEmails.length > 0) {
+        const isAllowed = allowedEmails.some((pattern) => {
+            if (pattern.startsWith('*@')) {
+                const allowedDomain = pattern.slice(2).toLowerCase();
+                const atIdx = email.lastIndexOf('@');
+                return atIdx >= 0 && email.slice(atIdx + 1) === allowedDomain;
+            }
+            return email === pattern;
+        });
+        if (!isAllowed) {
+            return renderRegisterError(req, res, 'Registration is currently limited to invited users.', email);
+        }
+    }
+    // Validate password
+    if (password.length < 8) {
+        return renderRegisterError(req, res, 'Password must be at least 8 characters.', email);
+    }
+    if (password !== confirmPassword) {
+        return renderRegisterError(req, res, 'Passwords do not match.', email);
+    }
+    // Check for existing user
+    if (await getUserByEmail(email)) {
+        return renderRegisterError(req, res, 'An account with this email already exists.', email);
+    }
+    // Hash password (async — yields the event loop)
+    const passwordHashValue = await hashPassword(password);
+    // Re-check after await to prevent race conditions (e.g. two concurrent
+    // registrations both seeing count === 0 and both becoming admin)
+    if (await getUserByEmail(email)) {
+        return renderRegisterError(req, res, 'An account with this email already exists.', email);
+    }
+    const now = new Date().toISOString();
+    const isFirstUser = (await countUsers()) === 0;
+    const adminEmail = process.env.ADMIN_EMAIL?.toLowerCase().trim();
+    const isAdmin = isFirstUser || (!!adminEmail && email === adminEmail);
+    const user = {
+        id: randomUUID(),
+        email,
+        passwordHash: passwordHashValue,
+        plan: 'free',
+        isAdmin,
+        // Admins (and the first user / operator) are auto-verified so they are
+        // never locked out of their own instance.
+        emailVerified: isAdmin,
+        createdAt: now,
+        lastLoginAt: now,
+    };
+    await createUser(user);
+    // Send an email verification link to non-admin users.
+    if (!user.emailVerified) {
+        await sendVerificationEmail(req, user).catch((err) => logger.error(`[mailer] Failed to send verification email: ${err}`));
+    }
+    // Create session and log in
+    const newSession = await createSession(user.id);
+    setSessionCookie(res, req, newSession.token);
+    redirect(res, '/dashboard');
+    return true;
+}
+/**
+ * Generate a fresh email verification token, persist its hash, and email the
+ * verification link to the user. Shared by registration and resend.
+ */
+async function sendVerificationEmail(req, user) {
+    const { token, hash } = generateVerificationToken();
+    await setEmailVerificationToken(user.id, hash);
+    const host = req.headers.host ?? 'localhost';
+    const proto = process.env.TRUST_PROXY === 'true' && req.headers['x-forwarded-proto'] === 'https'
+        ? 'https'
+        : 'http';
+    const verifyUrl = `${proto}://${host}/verify-email?token=${token}`;
+    await sendMail({
+        to: user.email,
+        subject: 'Verify your mcpmake email',
+        text: [
+            `Welcome to mcpmake Cloud!`,
+            ``,
+            `Confirm your email address to start deploying servers:`,
+            `${verifyUrl}`,
+            ``,
+            `If you did not create this account, you can ignore this email.`,
+        ].join('\n'),
+        html: [
+            `<p>Welcome to mcpmake Cloud!</p>`,
+            `<p>Confirm your email address to start deploying servers:</p>`,
+            `<p><a href="${verifyUrl}">${verifyUrl}</a></p>`,
+            `<p>If you did not create this account, you can ignore this email.</p>`,
+        ].join('\n'),
+    });
+}
+async function renderRegisterError(req, res, error, email) {
+    const tempSession = await createSession('__anon__');
+    setSessionCookie(res, req, tempSession.token);
+    const html = renderPage('pages/auth/register', 'layouts/auth', {
+        metaTitle: 'Register — mcpmake Cloud',
+        csrfToken: tempSession.csrfToken,
+        error,
+        email,
+    });
+    sendHtml(res, 200, html);
+    return true;
+}
+async function handleLogout(req, res) {
+    const token = getSessionToken(req);
+    const session = token ? await getSession(token) : undefined;
+    if (session) {
+        const body = await parseFormBody(req);
+        if (!validateCsrf(req, body, session)) {
+            redirect(res, '/dashboard');
+            return true;
+        }
+        await destroySession(session.token);
+    }
+    clearSessionCookie(res, req);
+    redirect(res, '/');
+    return true;
+}
+// ---------------------------------------------------------------------------
+// Password reset route handlers
+// ---------------------------------------------------------------------------
+async function handleForgotPasswordPage(req, res) {
+    const auth = await getAuthenticatedUser(req);
+    if (auth) {
+        redirect(res, '/dashboard');
+        return true;
+    }
+    const tempSession = await createSession('__anon__');
+    setSessionCookie(res, req, tempSession.token);
+    const html = renderPage('pages/auth/forgot-password', 'layouts/auth', {
+        metaTitle: 'Reset password — mcpmake Cloud',
+        csrfToken: tempSession.csrfToken,
+        email: '',
+    });
+    sendHtml(res, 200, html);
+    return true;
+}
+async function handleForgotPasswordSubmit(req, res) {
+    const body = await parseFormBody(req);
+    const auth = await getAuthenticatedUser(req);
+    if (auth) {
+        redirect(res, '/dashboard');
+        return true;
+    }
+    // CSRF check
+    const sessionToken = getSessionToken(req);
+    const session = sessionToken ? await getSession(sessionToken) : undefined;
+    if (!session || !validateCsrf(req, body, session)) {
+        return renderForgotPasswordError(req, res, 'Invalid form submission. Please try again.', '');
+    }
+    await destroySession(session.token);
+    const email = (body.email ?? '').trim().toLowerCase();
+    if (!email) {
+        return renderForgotPasswordError(req, res, 'Email is required.', email);
+    }
+    // Rate limit by IP
+    const clientIp = getClientIp(req);
+    const ipCheck = resetLimiter.check(`reset-ip:${clientIp}`);
+    if (!ipCheck.allowed) {
+        return renderForgotPasswordError(req, res, 'Too many reset requests. Please try again later.', email);
+    }
+    // Always show success message to prevent email enumeration
+    const successMessage = 'If an account with that email exists, a password reset link has been sent.';
+    const user = await getUserByEmail(email);
+    if (user) {
+        const { token, hash } = generateResetToken();
+        await setPasswordResetToken(user.id, hash);
+        const host = req.headers.host ?? 'localhost';
+        const proto = process.env.TRUST_PROXY === 'true' && req.headers['x-forwarded-proto'] === 'https'
+            ? 'https'
+            : 'http';
+        const resetUrl = `${proto}://${host}/reset-password?token=${token}`;
+        try {
+            await sendMail({
+                to: user.email,
+                subject: 'Reset your mcpmake password',
+                text: [
+                    `You requested a password reset for your mcpmake Cloud account.`,
+                    ``,
+                    `Click the link below to set a new password (expires in 1 hour):`,
+                    `${resetUrl}`,
+                    ``,
+                    `If you did not request this, you can safely ignore this email.`,
+                ].join('\n'),
+                html: [
+                    `<p>You requested a password reset for your mcpmake Cloud account.</p>`,
+                    `<p>Click the link below to set a new password (expires in 1 hour):</p>`,
+                    `<p><a href="${resetUrl}">${resetUrl}</a></p>`,
+                    `<p>If you did not request this, you can safely ignore this email.</p>`,
+                ].join('\n'),
+            });
+        }
+        catch (err) {
+            logger.error(`[mailer] Failed to send reset email: ${err instanceof Error ? err.message : err}`);
+        }
+    }
+    // Always show success — never reveal whether the email exists
+    const tempSession = await createSession('__anon__');
+    setSessionCookie(res, req, tempSession.token);
+    const html = renderPage('pages/auth/forgot-password', 'layouts/auth', {
+        metaTitle: 'Reset password — mcpmake Cloud',
+        csrfToken: tempSession.csrfToken,
+        success: successMessage,
+    });
+    sendHtml(res, 200, html);
+    return true;
+}
+async function renderForgotPasswordError(req, res, error, email) {
+    const tempSession = await createSession('__anon__');
+    setSessionCookie(res, req, tempSession.token);
+    const html = renderPage('pages/auth/forgot-password', 'layouts/auth', {
+        metaTitle: 'Reset password — mcpmake Cloud',
+        csrfToken: tempSession.csrfToken,
+        error,
+        email,
+    });
+    sendHtml(res, 200, html);
+    return true;
+}
+async function handleResetPasswordPage(req, res) {
+    const url = new URL(req.url ?? '/', `http://${req.headers.host ?? 'localhost'}`);
+    const token = url.searchParams.get('token') ?? '';
+    const tempSession = await createSession('__anon__');
+    setSessionCookie(res, req, tempSession.token);
+    if (!token || !/^[a-f0-9]{64}$/.test(token)) {
+        const html = renderPage('pages/auth/reset-password', 'layouts/auth', {
+            metaTitle: 'Reset password — mcpmake Cloud',
+            csrfToken: tempSession.csrfToken,
+            expired: true,
+        });
+        sendHtml(res, 200, html);
+        return true;
+    }
+    const tokenHash = hashResetToken(token);
+    const user = await getUserByResetToken(tokenHash);
+    if (!user) {
+        const html = renderPage('pages/auth/reset-password', 'layouts/auth', {
+            metaTitle: 'Reset password — mcpmake Cloud',
+            csrfToken: tempSession.csrfToken,
+            expired: true,
+        });
+        sendHtml(res, 200, html);
+        return true;
+    }
+    const html = renderPage('pages/auth/reset-password', 'layouts/auth', {
+        metaTitle: 'Reset password — mcpmake Cloud',
+        csrfToken: tempSession.csrfToken,
+        token,
+    });
+    sendHtml(res, 200, html);
+    return true;
+}
+async function handleResetPasswordSubmit(req, res) {
+    const body = await parseFormBody(req);
+    // CSRF check
+    const sessionToken = getSessionToken(req);
+    const session = sessionToken ? await getSession(sessionToken) : undefined;
+    if (!session || !validateCsrf(req, body, session)) {
+        return renderResetPasswordError(req, res, 'Invalid form submission. Please try again.', '');
+    }
+    await destroySession(session.token);
+    const token = body.token ?? '';
+    const password = body.password ?? '';
+    const confirmPassword = body.confirmPassword ?? '';
+    if (!token || !/^[a-f0-9]{64}$/.test(token)) {
+        return renderResetPasswordError(req, res, '', '', true);
+    }
+    const tokenHash = hashResetToken(token);
+    const user = await getUserByResetToken(tokenHash);
+    if (!user) {
+        return renderResetPasswordError(req, res, '', '', true);
+    }
+    if (password.length < 8) {
+        return renderResetPasswordError(req, res, 'Password must be at least 8 characters.', token);
+    }
+    if (password !== confirmPassword) {
+        return renderResetPasswordError(req, res, 'Passwords do not match.', token);
+    }
+    const newHash = await hashPassword(password);
+    await updateUser(user.id, { passwordHash: newHash });
+    await clearPasswordResetToken(user.id);
+    // Redirect to login with success message
+    const tempSession = await createSession('__anon__');
+    setSessionCookie(res, req, tempSession.token);
+    const html = renderPage('pages/auth/login', 'layouts/auth', {
+        metaTitle: 'Sign in — mcpmake Cloud',
+        csrfToken: tempSession.csrfToken,
+        email: user.email,
+        success: 'Your password has been reset. Please sign in with your new password.',
+    });
+    sendHtml(res, 200, html);
+    return true;
+}
+async function renderResetPasswordError(req, res, error, token, expired = false) {
+    const tempSession = await createSession('__anon__');
+    setSessionCookie(res, req, tempSession.token);
+    const html = renderPage('pages/auth/reset-password', 'layouts/auth', {
+        metaTitle: 'Reset password — mcpmake Cloud',
+        csrfToken: tempSession.csrfToken,
+        error: error || undefined,
+        token: token || undefined,
+        expired,
+    });
+    sendHtml(res, 200, html);
+    return true;
+}
+// ---------------------------------------------------------------------------
+// Email verification route handlers
+// ---------------------------------------------------------------------------
+async function handleVerifyEmail(req, res) {
+    const url = new URL(req.url ?? '/', `http://${req.headers.host ?? 'localhost'}`);
+    const token = url.searchParams.get('token') ?? '';
+    if (!token || !/^[a-f0-9]{64}$/.test(token)) {
+        redirect(res, '/dashboard?error=' + encodeURIComponent('Invalid or expired verification link.'));
+        return true;
+    }
+    const user = await getUserByVerificationToken(hashVerificationToken(token));
+    if (!user) {
+        redirect(res, '/dashboard?error=' + encodeURIComponent('Invalid or expired verification link.'));
+        return true;
+    }
+    await markEmailVerified(user.id);
+    redirect(res, '/dashboard?success=' + encodeURIComponent('Email verified — you can now deploy servers.'));
+    return true;
+}
+async function handleResendVerification(req, res) {
+    const auth = await requireAuth(req, res);
+    if (!auth)
+        return true;
+    const body = await parseFormBody(req);
+    if (!validateCsrf(req, body, auth.session)) {
+        redirect(res, '/dashboard?error=' + encodeURIComponent('Invalid form submission.'));
+        return true;
+    }
+    if (auth.user.emailVerified) {
+        redirect(res, '/dashboard?success=' + encodeURIComponent('Your email is already verified.'));
+        return true;
+    }
+    // Rate limit resends by user to prevent mail flooding.
+    const check = resetLimiter.check(`verify-resend:${auth.user.id}`);
+    if (!check.allowed) {
+        redirect(res, '/dashboard?error=' + encodeURIComponent('Too many requests. Please try again later.'));
+        return true;
+    }
+    await sendVerificationEmail(req, auth.user).catch((err) => logger.error(`[mailer] Failed to resend verification email: ${err}`));
+    redirect(res, '/dashboard?success=' + encodeURIComponent('Verification email sent. Check your inbox.'));
+    return true;
+}
+// ---------------------------------------------------------------------------
+// Dashboard route handlers
+// ---------------------------------------------------------------------------
+async function handleDashboardServers(req, res, context) {
+    const auth = await requireAuth(req, res);
+    if (!auth)
+        return true;
+    const url = new URL(req.url ?? '/', `http://${req.headers.host ?? 'localhost'}`);
+    const flashSuccess = url.searchParams.get('success') ?? undefined;
+    const flashError = url.searchParams.get('error') ?? undefined;
+    const allServers = context.store.list();
+    const userServers = allServers
+        .filter((s) => s.userId === auth.user.id)
+        .map((s) => ({
+        ...s,
+        csrfToken: auth.session.csrfToken,
+        endpoint: `https://${s.slug}.${context.domain}`,
+    }));
+    const html = renderPage('pages/dashboard/servers', 'layouts/dashboard', {
+        metaTitle: 'Dashboard — mcpmake Cloud',
+        activePage: 'servers',
+        user: auth.user,
+        csrfToken: auth.session.csrfToken,
+        servers: userServers,
+        showVerifyBanner: isEmailVerificationRequired() && !auth.user.emailVerified,
+        flashSuccess,
+        flashError,
+    });
+    sendHtml(res, 200, html);
+    return true;
+}
+async function handleDashboardServersPartial(req, res, context) {
+    const auth = await requireAuth(req, res);
+    if (!auth)
+        return true;
+    const allServers = context.store.list();
+    const userServers = allServers
+        .filter((s) => s.userId === auth.user.id)
+        .map((s) => ({
+        ...s,
+        csrfToken: auth.session.csrfToken,
+        endpoint: `https://${s.slug}.${context.domain}`,
+    }));
+    const html = renderTemplate('pages/dashboard/servers-partial', {
+        servers: userServers,
+        csrfToken: auth.session.csrfToken,
+    });
+    sendHtml(res, 200, html);
+    return true;
+}
+async function handleDashboardCreatePage(req, res) {
+    const auth = await requireAuth(req, res);
+    if (!auth)
+        return true;
+    const html = renderPage('pages/dashboard/create', 'layouts/dashboard', {
+        metaTitle: 'New Server — mcpmake Cloud',
+        activePage: 'create',
+        user: auth.user,
+        csrfToken: auth.session.csrfToken,
+    });
+    sendHtml(res, 200, html);
+    return true;
+}
+async function handleDashboardCreateSubmit(req, res, context) {
+    const auth = await requireAuth(req, res);
+    if (!auth)
+        return true;
+    const contentType = req.headers['content-type'] ?? '';
+    if (!contentType.includes('multipart/form-data')) {
+        return renderCreateError(res, auth, 'Invalid form submission.');
+    }
+    const parsed = await parseMultipart(req, contentType);
+    if (!parsed) {
+        return renderCreateError(res, auth, 'Failed to parse form data.');
+    }
+    // Validate CSRF token from form field
+    const csrfBody = { _csrf: parsed.fields.get('_csrf') ?? '' };
+    if (!validateCsrf(req, csrfBody, auth.session)) {
+        return renderCreateError(res, auth, 'Invalid form submission. Please try again.');
+    }
+    // Require a verified email before allowing any server creation.
+    if (isEmailVerificationRequired() && !auth.user.emailVerified) {
+        return renderCreateError(res, auth, 'Please verify your email address before deploying a server. Check your inbox, or resend the link from your dashboard.');
+    }
+    // Rate limit server creation (same limiter as the API path)
+    const clientIp = getClientIp(req);
+    const rateCheck = uploadLimiter.check(clientIp);
+    if (!rateCheck.allowed) {
+        return renderCreateError(res, auth, 'Rate limit exceeded. Try again later.');
+    }
+    // Check billing quota for Playwright servers
+    const userPlan = (auth.user.plan ?? 'free');
+    const usage = usageTracker.getUsageSummary(auth.user.id);
+    const quota = checkQuota(auth.user.id, userPlan, usage.totalSessionsMs);
+    if (!quota.allowed) {
+        return renderCreateError(res, auth, `Browser usage quota exceeded (${Math.round(quota.limit)} min). Upgrade your plan for more.`);
+    }
+    // Enforce the plan's hosted-server limit before allocating a port / building.
+    // Count from Postgres when available so the limit survives process restarts.
+    const pgServerStore = getPgServerStore();
+    const ownedServers = pgServerStore
+        ? (await pgServerStore.list()).filter((s) => s.userId === auth.user.id)
+        : context.store.list().filter((s) => s.userId === auth.user.id);
+    const serverLimit = checkServerLimit(userPlan, ownedServers.length);
+    if (!serverLimit.allowed) {
+        return renderCreateError(res, auth, `You've reached your plan's limit of ${serverLimit.limit} hosted server${serverLimit.limit === 1 ? '' : 's'}. Upgrade your plan or delete an existing server.`);
+    }
+    // Determine source: file upload or URL
+    const sourceUrl = parsed.fields.get('source_url')?.trim();
+    let specFile = parsed.files.get('spec');
+    let fileName;
+    if (sourceUrl && sourceUrl.startsWith('http')) {
+        // Fetch spec from URL
+        try {
+            const urlObj = new URL(sourceUrl);
+            if (!['http:', 'https:'].includes(urlObj.protocol)) {
+                return renderCreateError(res, auth, 'Only http/https URLs are supported.');
+            }
+            // SSRF guard: refuse private / link-local / metadata targets and
+            // re-validate every redirect hop.
+            let fetchRes;
+            try {
+                fetchRes = await safeFetch(sourceUrl, {
+                    headers: { Accept: 'application/json, application/yaml, text/yaml, */*' },
+                    timeoutMs: 15_000,
+                });
+            }
+            catch (err) {
+                if (err instanceof SsrfError) {
+                    return renderCreateError(res, auth, 'That URL is not allowed (must be a public address).');
+                }
+                throw err;
+            }
+            if (!fetchRes.ok) {
+                return renderCreateError(res, auth, `Failed to fetch URL: ${fetchRes.status} ${fetchRes.statusText}`);
+            }
+            const contentType = fetchRes.headers.get('content-type') ?? '';
+            const body = Buffer.from(await fetchRes.arrayBuffer());
+            if (body.length > MAX_SPEC_SIZE) {
+                return renderCreateError(res, auth, 'Fetched content too large. Maximum is 5MB.');
+            }
+            // Determine extension from content type or URL
+            let ext = '.yaml';
+            if (contentType.includes('json') || sourceUrl.endsWith('.json'))
+                ext = '.json';
+            else if (sourceUrl.endsWith('.har'))
+                ext = '.har';
+            else if (sourceUrl.endsWith('.yml'))
+                ext = '.yml';
+            // If it looks like HTML (a website), run Playwright analysis
+            if (contentType.includes('text/html') && !sourceUrl.match(/\.(yaml|yml|json|har)(\?|$)/i)) {
+                // Website-to-MCP: analyze with Playwright headless
+                const depthStr = parsed.fields.get('depth') ?? '2';
+                const crawlDepth = Math.min(Math.max(parseInt(depthStr, 10) || 2, 1), 3);
+                const maxPages = crawlDepth === 1 ? 5 : crawlDepth === 2 ? 15 : 30;
+                try {
+                    const { crawlSite } = await import('../../analyzer/site-crawler.js');
+                    const { generateSiteTools } = await import('../../site-transformer/tool-generator.js');
+                    const { emitSiteProject } = await import('../../emitter/index.js');
+                    const { mkdtemp } = await import('node:fs/promises');
+                    const { tmpdir } = await import('node:os');
+                    // SSRF guard before driving a headless browser to the target. The
+                    // seed URL is validated here; deep-crawled links rely on the
+                    // network-level egress allowlist (deploy/harden-egress.sh).
+                    try {
+                        await assertPublicUrl(sourceUrl);
+                    }
+                    catch (err) {
+                        if (err instanceof SsrfError) {
+                            return renderCreateError(res, auth, 'That URL is not allowed (must be a public address).');
+                        }
+                        throw err;
+                    }
+                    logger.info(`[dashboard] Crawling website: ${sourceUrl} (depth: ${crawlDepth}, max: ${maxPages})`);
+                    const { siteDescriptor } = await crawlSite({
+                        url: sourceUrl,
+                        depth: crawlDepth,
+                        maxPages,
+                        headless: true,
+                        captureScreenshots: false,
+                        timeout: 60_000,
+                    });
+                    if (siteDescriptor.pages.length === 0) {
+                        return renderCreateError(res, auth, 'No pages could be analyzed from that URL.');
+                    }
+                    const tools = generateSiteTools(siteDescriptor);
+                    if (tools.length === 0) {
+                        return renderCreateError(res, auth, 'No interactive elements found on the site.');
+                    }
+                    const rawName = (parsed.fields.get('name') ?? '').trim();
+                    const serverName = rawName
+                        ? rawName
+                            .toLowerCase()
+                            .replace(/[^a-z0-9]+/g, '-')
+                            .replace(/^-|-$/g, '')
+                        : new URL(sourceUrl).hostname.replace(/[^a-z0-9]+/g, '-');
+                    const buildDir = await mkdtemp(join(tmpdir(), 'mcpmake-site-'));
+                    await emitSiteProject({
+                        serverName,
+                        serverVersion: '1.0.0',
+                        baseUrl: siteDescriptor.baseUrl,
+                        transport: 'http',
+                        siteDescriptor,
+                        tools,
+                        envVars: [
+                            {
+                                name: 'BASE_URL',
+                                description: 'Target website URL',
+                                required: true,
+                                example: siteDescriptor.baseUrl,
+                            },
+                        ],
+                        browserConfig: {
+                            headless: true,
+                            idleTimeoutMs: 5 * 60 * 1000,
+                            viewport: { width: 1280, height: 720 },
+                            maxSessions: 3,
+                        },
+                    }, { outputDir: buildDir, force: true, dryRun: false });
+                    // Build and deploy the Playwright server
+                    const slug = serverName.slice(0, 40) + '-' + randomBytes(4).toString('hex');
+                    const imageName = `mcpmake-${slug}`;
+                    const imageTag = 'latest';
+                    // Install deps and build in the emitted project
+                    const { execFile: execFileCb } = await import('node:child_process');
+                    const { promisify } = await import('node:util');
+                    const execFileAsync = promisify(execFileCb);
+                    // Gate the heavy install/build/image steps through the build queue
+                    // so concurrent crawls can't exhaust the host.
+                    await buildQueue.run(async () => {
+                        await execFileAsync('npm', ['install', '--omit=dev'], {
+                            cwd: buildDir,
+                            timeout: 60_000,
+                        });
+                        await execFileAsync('npm', ['run', 'build'], { cwd: buildDir, timeout: 30_000 });
+                        await getContainerBackend().buildImage(buildDir, imageName, imageTag);
+                    });
+                    try {
+                        await rm(buildDir, { recursive: true, force: true });
+                    }
+                    catch {
+                        logger.warn(`Failed to clean up build directory: ${buildDir}`);
+                    }
+                    const port = context.ports.allocate();
+                    const bearerToken = generateBearerToken();
+                    const tokenHash = hashToken(bearerToken);
+                    const specHash = hashSpec(Buffer.from(sourceUrl));
+                    const secrets = await getSecretStore().getSecretsAsEnv(slug);
+                    const containerId = await getContainerBackend().startContainer({
+                        slug,
+                        imageName,
+                        imageTag,
+                        envVars: { BASE_URL: sourceUrl, MCP_AUTH_TOKEN: bearerToken },
+                        port,
+                        serverType: 'playwright',
+                        secrets,
+                    });
+                    // Routing is backend-authoritative (Caddy wildcard → this backend),
+                    // so no per-container Caddy route is created.
+                    const now = new Date().toISOString();
+                    context.store.create({
+                        slug,
+                        userId: auth.user.id,
+                        specHash,
+                        containerId,
+                        port,
+                        bearerToken: tokenHash,
+                        status: 'running',
+                        toolCount: tools.length,
+                        serverType: 'playwright',
+                        createdAt: now,
+                        lastActiveAt: now,
+                    });
+                    const pgStore = getPgServerStore();
+                    if (pgStore) {
+                        await pgStore.create({
+                            slug,
+                            userId: auth.user.id,
+                            specHash,
+                            containerId,
+                            port,
+                            bearerToken: tokenHash,
+                            status: 'running',
+                            toolCount: tools.length,
+                            serverType: 'playwright',
+                            createdAt: now,
+                            lastActiveAt: now,
+                        });
+                    }
+                    context.metrics.init(slug);
+                    await setPendingToken(auth.session.token, slug, bearerToken);
+                    redirect(res, `/dashboard/servers/${encodeURIComponent(slug)}`);
+                    return true;
+                }
+                catch (err) {
+                    const msg = err instanceof Error ? err.message : String(err);
+                    logger.error(`[dashboard] Website analysis failed: ${msg}`);
+                    return renderCreateError(res, auth, `Website analysis failed: ${msg.slice(0, 200)}`);
+                }
+            }
+            fileName = `url-spec${ext}`;
+            specFile = { data: body, filename: fileName };
+        }
+        catch (err) {
+            const msg = err instanceof Error ? err.message : String(err);
+            return renderCreateError(res, auth, `Failed to fetch URL: ${msg}`);
+        }
+    }
+    else if (!specFile) {
+        return renderCreateError(res, auth, 'Please upload a spec file or enter a URL.');
+    }
+    else {
+        fileName = specFile.filename ?? 'spec';
+    }
+    if (specFile.data.length > MAX_SPEC_SIZE) {
+        return renderCreateError(res, auth, `File too large (${Math.round(specFile.data.length / 1024)}KB). Maximum is 5MB.`);
+    }
+    if (!isAllowedSpecFile(fileName)) {
+        return renderCreateError(res, auth, 'Invalid file type. Accepted: .yaml, .yml, .json, .har');
+    }
+    let name = parsed.fields.get('name') ?? undefined;
+    if (name && name.length > MAX_NAME_LEN) {
+        name = name.slice(0, MAX_NAME_LEN);
+    }
+    if (name) {
+        name = name.replace(/[^\x20-\x7E]/g, '');
+    }
+    // Save uploaded file
+    await mkdir(UPLOAD_DIR, { recursive: true });
+    const tempId = randomBytes(8).toString('hex');
+    const safeExtension = getSafeExtension(fileName);
+    const specPath = join(UPLOAD_DIR, `${tempId}${safeExtension}`);
+    await writeFile(specPath, specFile.data);
+    try {
+        let format = detectFormat(specPath);
+        if (safeExtension === '.json') {
+            format = await detectFormatFromContent(specPath);
+        }
+        logger.info(`[dashboard] Building from ${format} spec: ${fileName}`);
+        const buildResult = await buildFromSpec(specPath, { name, format });
+        const port = context.ports.allocate();
+        const bearerToken = generateBearerToken();
+        const tokenHash = hashToken(bearerToken);
+        const specHash = hashSpec(specFile.data);
+        await buildQueue.run(() => getContainerBackend().buildImage(buildResult.buildDir, buildResult.imageName, buildResult.imageTag));
+        try {
+            await rm(buildResult.buildDir, { recursive: true, force: true });
+        }
+        catch {
+            logger.warn(`Failed to clean up build directory: ${buildResult.buildDir}`);
+        }
+        // Retrieve any stored secrets for the slug to inject as env vars
+        const secrets = await getSecretStore().getSecretsAsEnv(buildResult.slug);
+        // Inject the raw bearer token so the container authenticates /mcp traffic.
+        const containerId = await getContainerBackend().startContainer({
+            slug: buildResult.slug,
+            imageName: buildResult.imageName,
+            imageTag: buildResult.imageTag,
+            envVars: { MCP_AUTH_TOKEN: bearerToken },
+            port,
+            serverType: buildResult.serverType,
+            secrets,
+        });
+        // Routing is backend-authoritative (Caddy wildcard → this backend), so no
+        // per-container Caddy route is created.
+        const now = new Date().toISOString();
+        context.store.create({
+            slug: buildResult.slug,
+            userId: auth.user.id,
+            specHash,
+            containerId,
+            port,
+            bearerToken: tokenHash,
+            status: 'running',
+            toolCount: buildResult.toolCount,
+            serverType: buildResult.serverType,
+            createdAt: now,
+            lastActiveAt: now,
+        });
+        context.metrics.init(buildResult.slug);
+        await setPendingToken(auth.session.token, buildResult.slug, bearerToken);
+        redirect(res, `/dashboard/servers/${encodeURIComponent(buildResult.slug)}`);
+        return true;
+    }
+    catch (err) {
+        const message = err instanceof Error ? err.message : String(err);
+        logger.error(`[dashboard] Build failed: ${message}`);
+        return renderCreateError(res, auth, 'Build failed. Please check your spec file and try again.');
+    }
+    finally {
+        try {
+            await unlink(specPath);
+        }
+        catch {
+            // Ignore cleanup errors
+        }
+    }
+}
+function renderCreateError(res, auth, error) {
+    const html = renderPage('pages/dashboard/create', 'layouts/dashboard', {
+        metaTitle: 'New Server — mcpmake Cloud',
+        activePage: 'create',
+        user: auth.user,
+        csrfToken: auth.session.csrfToken,
+        flashError: error,
+    });
+    sendHtml(res, 200, html);
+    return true;
+}
+async function handleDashboardServerDetail(req, res, context, slug) {
+    const auth = await requireAuth(req, res);
+    if (!auth)
+        return true;
+    const server = context.store.get(slug);
+    if (!server || server.userId !== auth.user.id) {
+        redirect(res, '/dashboard?error=' + encodeURIComponent('Server not found.'));
+        return true;
+    }
+    const url = new URL(req.url ?? '/', `http://${req.headers.host ?? 'localhost'}`);
+    const flashSuccess = url.searchParams.get('success') ?? undefined;
+    const flashError = url.searchParams.get('error') ?? undefined;
+    const token = await consumePendingToken(auth.session.token, slug);
+    // Retrieve secret names (never values) for display
+    const secretNames = await getSecretStore().listSecrets(slug);
+    // Build Playwright-specific data if this is a site server
+    const isPlaywright = server.serverType === 'playwright';
+    let sessions = [];
+    let usage = {};
+    let screenshots = [];
+    let changes = [];
+    if (isPlaywright) {
+        const summary = usageTracker.getUsageSummary(auth.user.id);
+        const plan = (auth.user.plan ?? 'free');
+        const quota = checkQuota(auth.user.id, plan, summary.totalSessionsMs);
+        usage = {
+            minutesUsed: Math.round(summary.totalSessionsMs / 60_000),
+            minutesRemaining: Math.round(quota.remaining),
+            toolCalls: summary.totalToolCalls,
+            screenshots: summary.totalScreenshots,
+            plan,
+            limit: quota.limit === Infinity ? 'unlimited' : quota.limit,
+        };
+        // Sessions, screenshots, and changes will be populated from DB when available
+    }
+    const html = renderPage('pages/dashboard/server-detail', 'layouts/dashboard', {
+        metaTitle: `${slug} — mcpmake Cloud`,
+        activePage: 'servers',
+        user: auth.user,
+        csrfToken: auth.session.csrfToken,
+        server,
+        endpoint: `https://${slug}.${context.domain}`,
+        token,
+        isPlaywright,
+        sessions,
+        usage,
+        screenshots,
+        changes,
+        secretNames,
+        flashSuccess,
+        flashError,
+    });
+    sendHtml(res, 200, html, token ? { 'Cache-Control': 'no-store' } : undefined);
+    return true;
+}
+async function handleDashboardServerStatus(req, res, context, slug) {
+    const auth = await requireAuth(req, res);
+    if (!auth)
+        return true;
+    const server = context.store.get(slug);
+    if (!server || server.userId !== auth.user.id) {
+        sendHtml(res, 404, '<span class="status-badge status-stopped">unknown</span>');
+        return true;
+    }
+    const html = renderTemplate('partials/status-badge', { status: server.status });
+    sendHtml(res, 200, html);
+    return true;
+}
+async function handleDashboardServerLogs(req, res, context, slug) {
+    const auth = await requireAuth(req, res);
+    if (!auth)
+        return true;
+    const server = context.store.get(slug);
+    if (!server || server.userId !== auth.user.id) {
+        redirect(res, '/dashboard?error=' + encodeURIComponent('Server not found.'));
+        return true;
+    }
+    const html = renderPage('pages/dashboard/server-logs', 'layouts/dashboard', {
+        metaTitle: `Logs — ${slug} — mcpmake Cloud`,
+        activePage: 'servers',
+        user: auth.user,
+        csrfToken: auth.session.csrfToken,
+        server,
+    });
+    sendHtml(res, 200, html);
+    return true;
+}
+async function handleDashboardServerMetrics(req, res, context, slug) {
+    const auth = await requireAuth(req, res);
+    if (!auth)
+        return true;
+    const server = context.store.get(slug);
+    if (!server || server.userId !== auth.user.id) {
+        redirect(res, '/dashboard?error=' + encodeURIComponent('Server not found.'));
+        return true;
+    }
+    const serverMetrics = context.metrics.get(slug);
+    const topTools = context.metrics.getTopTools(slug);
+    const maxCalls = topTools.length > 0 ? topTools[0].calls : 1;
+    const topToolsWithPercentage = topTools.map((t) => ({
+        ...t,
+        percentage: Math.max(5, Math.round((t.calls / maxCalls) * 100)),
+    }));
+    const html = renderPage('pages/dashboard/server-metrics', 'layouts/dashboard', {
+        metaTitle: `Metrics — ${slug} — mcpmake Cloud`,
+        activePage: 'servers',
+        user: auth.user,
+        csrfToken: auth.session.csrfToken,
+        server,
+        totalRequests: serverMetrics?.totalRequests ?? 0,
+        topTools: topToolsWithPercentage,
+        lastActiveAt: serverMetrics?.lastActiveAt ?? server.lastActiveAt,
+    });
+    sendHtml(res, 200, html);
+    return true;
+}
+async function handleDashboardServerDelete(req, res, context, slug) {
+    const auth = await requireAuth(req, res);
+    if (!auth)
+        return true;
+    const body = await parseFormBody(req);
+    if (!validateCsrf(req, body, auth.session)) {
+        redirect(res, '/dashboard?error=' + encodeURIComponent('Invalid form submission.'));
+        return true;
+    }
+    const server = context.store.get(slug);
+    if (!server || server.userId !== auth.user.id) {
+        redirect(res, '/dashboard?error=' + encodeURIComponent('Server not found.'));
+        return true;
+    }
+    if (server.containerId) {
+        try {
+            await getContainerBackend().stopContainer(server.containerId);
+        }
+        catch (err) {
+            logger.warn(`Failed to stop container for ${slug}: ${err}`);
+        }
+    }
+    // No Caddy route to remove — routing is backend-authoritative (wildcard).
+    context.ports.release(server.port);
+    context.store.delete(slug);
+    const pgStoreForDelete = getPgServerStore();
+    if (pgStoreForDelete)
+        await pgStoreForDelete.delete(slug);
+    context.metrics.delete(slug);
+    redirect(res, '/dashboard?success=' + encodeURIComponent(`Server "${slug}" has been deleted.`));
+    return true;
+}
+async function handleDashboardServerSecrets(req, res, context, slug) {
+    const auth = await requireAuth(req, res);
+    if (!auth)
+        return true;
+    const body = await parseFormBody(req);
+    if (!validateCsrf(req, body, auth.session)) {
+        redirect(res, `/dashboard/servers/${encodeURIComponent(slug)}?error=` +
+            encodeURIComponent('Invalid form submission.'));
+        return true;
+    }
+    const pgStore = getPgServerStore();
+    const server = pgStore ? await pgStore.get(slug) : context.store.get(slug);
+    if (!server || server.userId !== auth.user.id) {
+        redirect(res, '/dashboard?error=' + encodeURIComponent('Server not found.'));
+        return true;
+    }
+    const secretName = (body.secret_name ?? '').trim();
+    const secretValue = body.secret_value ?? '';
+    if (!secretName || !secretValue) {
+        redirect(res, `/dashboard/servers/${encodeURIComponent(slug)}?error=` +
+            encodeURIComponent('Secret name and value are required.'));
+        return true;
+    }
+    // Validate secret name: must look like an env var (letters, digits, underscores)
+    if (!/^[A-Za-z_][A-Za-z0-9_]*$/.test(secretName)) {
+        redirect(res, `/dashboard/servers/${encodeURIComponent(slug)}?error=` +
+            encodeURIComponent('Secret name must be a valid environment variable name (letters, digits, underscores).'));
+        return true;
+    }
+    await getSecretStore().storeSecret(slug, secretName, secretValue);
+    redirect(res, `/dashboard/servers/${encodeURIComponent(slug)}?success=` +
+        encodeURIComponent(`Secret "${secretName}" saved.`));
+    return true;
+}
+// ---------------------------------------------------------------------------
+// Billing route handlers
+// ---------------------------------------------------------------------------
+async function handleBillingPage(req, res) {
+    const auth = await requireAuth(req, res);
+    if (!auth)
+        return true;
+    const url = new URL(req.url ?? '/', `http://${req.headers.host ?? 'localhost'}`);
+    const flashSuccess = url.searchParams.get('success') ?? undefined;
+    const flashError = url.searchParams.get('error') ?? undefined;
+    const plan = (auth.user.plan ?? 'free');
+    const limits = getPlanLimits(plan);
+    const usage = usageTracker.getUsageSummary(auth.user.id);
+    const quota = checkQuota(auth.user.id, plan, usage.totalSessionsMs);
+    const html = renderPage('pages/dashboard/billing', 'layouts/dashboard', {
+        metaTitle: 'Billing — mcpmake Cloud',
+        activePage: 'billing',
+        user: auth.user,
+        csrfToken: auth.session.csrfToken,
+        stripeConfigured: isStripeConfigured(),
+        currentPlan: plan,
+        minutesUsed: Math.round(usage.totalSessionsMs / 60_000),
+        minutesLimit: limits.maxMinutes === Infinity ? 'unlimited' : limits.maxMinutes,
+        minutesRemaining: quota.remaining === Infinity ? 'unlimited' : Math.round(quota.remaining),
+        hasSubscription: !!auth.user.stripeCustomerId,
+        flashSuccess,
+        flashError,
+    });
+    sendHtml(res, 200, html);
+    return true;
+}
+async function handleBillingCheckout(req, res) {
+    const auth = await requireAuth(req, res);
+    if (!auth)
+        return true;
+    const body = await parseFormBody(req);
+    if (!validateCsrf(req, body, auth.session)) {
+        redirect(res, '/dashboard/billing?error=' + encodeURIComponent('Invalid form submission.'));
+        return true;
+    }
+    const plan = body.plan;
+    const validPlans = new Set(['hobbyist', 'pro', 'team']);
+    if (!plan || !validPlans.has(plan)) {
+        redirect(res, '/dashboard/billing?error=' + encodeURIComponent('Invalid plan selected.'));
+        return true;
+    }
+    if (!isStripeConfigured()) {
+        redirect(res, '/dashboard/billing?error=' + encodeURIComponent('Payments are not configured.'));
+        return true;
+    }
+    try {
+        const host = req.headers.host ?? 'localhost';
+        const proto = process.env.TRUST_PROXY === 'true' && req.headers['x-forwarded-proto'] === 'https'
+            ? 'https'
+            : 'http';
+        const baseUrl = `${proto}://${host}`;
+        const checkoutUrl = await createCheckoutSession({
+            userId: auth.user.id,
+            email: auth.user.email,
+            plan,
+            successUrl: `${baseUrl}/dashboard/billing/success?plan=${encodeURIComponent(plan)}`,
+            cancelUrl: `${baseUrl}/dashboard/billing`,
+        });
+        redirect(res, checkoutUrl);
+    }
+    catch (err) {
+        const message = err instanceof Error ? err.message : String(err);
+        logger.error(`[billing] Checkout failed: ${message}`);
+        redirect(res, '/dashboard/billing?error=' +
+            encodeURIComponent('Failed to start checkout. Please try again.'));
+    }
+    return true;
+}
+async function handleBillingPortal(req, res) {
+    const auth = await requireAuth(req, res);
+    if (!auth)
+        return true;
+    const body = await parseFormBody(req);
+    if (!validateCsrf(req, body, auth.session)) {
+        redirect(res, '/dashboard/billing?error=' + encodeURIComponent('Invalid form submission.'));
+        return true;
+    }
+    if (!auth.user.stripeCustomerId) {
+        redirect(res, '/dashboard/billing?error=' + encodeURIComponent('No active subscription found.'));
+        return true;
+    }
+    try {
+        const host = req.headers.host ?? 'localhost';
+        const proto = process.env.TRUST_PROXY === 'true' && req.headers['x-forwarded-proto'] === 'https'
+            ? 'https'
+            : 'http';
+        const returnUrl = `${proto}://${host}/dashboard/billing`;
+        const portalUrl = await createPortalSession(auth.user.stripeCustomerId, returnUrl);
+        redirect(res, portalUrl);
+    }
+    catch (err) {
+        const message = err instanceof Error ? err.message : String(err);
+        logger.error(`[billing] Portal session failed: ${message}`);
+        redirect(res, '/dashboard/billing?error=' +
+            encodeURIComponent('Failed to open billing portal. Please try again.'));
+    }
+    return true;
+}
+async function handleBillingSuccess(req, res) {
+    const auth = await requireAuth(req, res);
+    if (!auth)
+        return true;
+    const url = new URL(req.url ?? '/', `http://${req.headers.host ?? 'localhost'}`);
+    const plan = url.searchParams.get('plan') ?? '';
+    redirect(res, '/dashboard/billing?success=' +
+        encodeURIComponent(plan
+            ? `Welcome to the ${plan.charAt(0).toUpperCase() + plan.slice(1)} plan! Your subscription is now active.`
+            : 'Your subscription is now active!'));
+    return true;
+}
+// ---------------------------------------------------------------------------
+// Admin route handlers
+// ---------------------------------------------------------------------------
+async function gatherAdminStats(context) {
+    // Prefer the Postgres store when configured — `context.store` is the in-memory
+    // store, which is empty after a restart in Pg mode (the Pg-blindness bug).
+    const pg = getPgServerStore();
+    const allServers = pg ? await pg.list() : context.store.list();
+    const runningCount = allServers.filter((s) => s.status === 'running').length;
+    const mem = process.memoryUsage();
+    const uptimeSec = process.uptime();
+    const hours = Math.floor(uptimeSec / 3600);
+    const mins = Math.floor((uptimeSec % 3600) / 60);
+    const secs = Math.floor(uptimeSec % 60);
+    const uptimeStr = hours > 0 ? `${hours}h ${mins}m ${secs}s` : mins > 0 ? `${mins}m ${secs}s` : `${secs}s`;
+    // --- Charts: 24h history from durable metric samples ---
+    let samples = [];
+    try {
+        samples = await getMetricSampleStore().recent(24 * 3600 * 1000);
+    }
+    catch {
+        samples = [];
+    }
+    const dbAvailable = getDb() != null;
+    // History needs a database; with no DB and no samples, the in-memory ring is
+    // empty (or lost on restart) so render an explicit empty-state instead of a
+    // blank chart.
+    const hasHistory = samples.length > 0;
+    const historyEmpty = !dbAvailable && !hasHistory;
+    let charts = {};
+    if (hasHistory) {
+        charts = {
+            requestsErrors: renderDualLine(samples.map((s) => s.requests), samples.map((s) => s.errors5xx), { labelA: 'Requests / interval', labelB: '5xx errors', unit: '' }),
+            memDisk: renderDualLine(samples.map((s) => s.memUsedPct), samples.map((s) => s.diskUsedPct), { labelA: 'Memory used', labelB: 'Disk used', unit: '%' }),
+            users: renderSparkline(samples.map((s) => s.totalUsers), { label: 'Total users', color: 'var(--color-success, #10b981)' }),
+            servers: renderBars(samples.map((s) => s.totalServers), { label: 'Total servers' }),
+        };
+    }
+    // --- Live "last hour" sparkline from the in-memory failure tracker ---
+    const lastHourSeries = failureTracker.series(60);
+    const lastHourChart = renderSparkline(lastHourSeries.map((p) => p.total), { label: 'Requests / min (last hour)' });
+    // --- Failure rate (last hour) ---
+    const failWindow = failureTracker.window(60);
+    // --- Health panel ---
+    let reading;
+    try {
+        reading = await gatherResourceReading(runningCount, process.env.DATA_DIR ?? '/');
+    }
+    catch {
+        reading = { memUsedPct: 0, diskUsedPct: 0, activeContainers: runningCount };
+    }
+    const pressure = evaluatePressure(reading, DEFAULT_THRESHOLDS, INITIAL_PRESSURE_STATE);
+    const ramOk = reading.memUsedPct < DEFAULT_THRESHOLDS.memPct;
+    const diskOk = reading.diskUsedPct < DEFAULT_THRESHOLDS.diskPct;
+    const health = {
+        db: dbAvailable,
+        stripe: isStripeConfigured(),
+        backend: getContainerBackend().name,
+        ramOk,
+        diskOk,
+        memUsedPct: reading.memUsedPct.toFixed(0),
+        diskUsedPct: reading.diskUsedPct.toFixed(0),
+        alerts: pressure.alerts,
+    };
+    return {
+        stats: {
+            totalServers: allServers.length,
+            runningServers: runningCount,
+            totalUsers: await countUsers(),
+            portsAllocated: context.ports.allocatedCount,
+        },
+        failure: {
+            requests: failWindow.total,
+            serverErrorRatePct: failWindow.serverErrorRatePct.toFixed(1),
+            clientErrorRatePct: failWindow.clientErrorRatePct.toFixed(1),
+        },
+        health,
+        historyEmpty,
+        hasHistory,
+        charts,
+        lastHourChart,
+        systemInfo: {
+            memoryRss: (mem.rss / 1024 / 1024).toFixed(1),
+            memoryHeapUsed: (mem.heapUsed / 1024 / 1024).toFixed(1),
+            uptime: uptimeStr,
+            nodeVersion: process.version,
+            platform: `${os.platform()} ${os.arch()}`,
+            totalMem: (os.totalmem() / 1024 / 1024).toFixed(0),
+            freeMem: (os.freemem() / 1024 / 1024).toFixed(0),
+        },
+    };
+}
+async function handleAdminOverview(req, res, context) {
+    const auth = await requireAdmin(req, res);
+    if (!auth)
+        return true;
+    const data = await gatherAdminStats(context);
+    const html = renderPage('pages/admin/overview', 'layouts/admin', {
+        metaTitle: 'Admin Overview — mcpmake Cloud',
+        activePage: 'overview',
+        user: auth.user,
+        csrfToken: auth.session.csrfToken,
+        ...data,
+    });
+    sendHtml(res, 200, html);
+    return true;
+}
+async function handleAdminStatsPartial(req, res, context) {
+    const auth = await requireAdmin(req, res);
+    if (!auth)
+        return true;
+    const data = await gatherAdminStats(context);
+    const html = renderTemplate('partials/admin-stats', data);
+    sendHtml(res, 200, html);
+    return true;
+}
+async function handleAdminServers(req, res, context) {
+    const auth = await requireAdmin(req, res);
+    if (!auth)
+        return true;
+    const pg = getPgServerStore();
+    const allServers = pg ? await pg.list() : context.store.list();
+    const allUsers = await listUsers();
+    const userMap = new Map(allUsers.map((u) => [u.id, u.email]));
+    // Enrich server records with user email for display
+    const servers = allServers.map((s) => ({
+        ...s,
+        userEmail: s.userId ? (userMap.get(s.userId) ?? null) : null,
+    }));
+    const html = renderPage('pages/admin/servers', 'layouts/admin', {
+        metaTitle: 'Servers — Admin — mcpmake Cloud',
+        activePage: 'servers',
+        user: auth.user,
+        csrfToken: auth.session.csrfToken,
+        servers,
+    });
+    sendHtml(res, 200, html);
+    return true;
+}
+async function handleAdminServerDelete(req, res, context, slug) {
+    const auth = await requireAdmin(req, res);
+    if (!auth)
+        return true;
+    const body = await parseFormBody(req);
+    if (!validateCsrf(req, body, auth.session)) {
+        sendHtml(res, 403, '<h1>403 — Invalid CSRF token</h1>');
+        return true;
+    }
+    // Prefer the Pg store: the in-memory `store` is empty after a restart in Pg
+    // mode, so reading/deleting only in-memory would leave a ghost row that
+    // reappears on the next list (and leaks its port forever).
+    const pg = getPgServerStore();
+    const record = pg ? await pg.get(slug) : context.store.get(slug);
+    if (!record) {
+        redirect(res, '/admin/servers');
+        return true;
+    }
+    // Stop the container
+    try {
+        if (record.containerId) {
+            await getContainerBackend().stopContainer(record.containerId);
+        }
+    }
+    catch {
+        // Container may already be stopped or Docker unavailable
+    }
+    // No Caddy route to remove — routing is backend-authoritative (wildcard).
+    // Release port and delete record from both stores
+    context.ports.release(record.port);
+    if (pg)
+        await pg.delete(slug);
+    context.store.delete(slug);
+    redirect(res, '/admin/servers');
+    return true;
+}
+async function handleAdminUsers(req, res, context) {
+    const auth = await requireAdmin(req, res);
+    if (!auth)
+        return true;
+    const allUsers = await listUsers();
+    const pg = getPgServerStore();
+    const allServers = pg ? await pg.list() : context.store.list();
+    // Count servers per user
+    const serverCounts = new Map();
+    for (const s of allServers) {
+        if (s.userId) {
+            serverCounts.set(s.userId, (serverCounts.get(s.userId) ?? 0) + 1);
+        }
+    }
+    const users = allUsers.map(({ passwordHash: _, ...u }) => ({
+        ...u,
+        serverCount: serverCounts.get(u.id) ?? 0,
+    }));
+    const html = renderPage('pages/admin/users', 'layouts/admin', {
+        metaTitle: 'Users — Admin — mcpmake Cloud',
+        activePage: 'users',
+        user: auth.user,
+        csrfToken: auth.session.csrfToken,
+        users,
+    });
+    sendHtml(res, 200, html);
+    return true;
+}
+async function handleAdminUserPlan(req, res, userId) {
+    const auth = await requireAdmin(req, res);
+    if (!auth)
+        return true;
+    const body = await parseFormBody(req);
+    if (!validateCsrf(req, body, auth.session)) {
+        sendHtml(res, 403, '<h1>403 — Invalid CSRF token</h1>');
+        return true;
+    }
+    const validPlans = new Set(['free', 'hobbyist', 'pro', 'team', 'enterprise']);
+    const plan = body.plan;
+    if (!plan || !validPlans.has(plan)) {
+        sendHtml(res, 400, '<h1>400 — Invalid plan</h1>');
+        return true;
+    }
+    const target = await getUserById(userId);
+    if (!target) {
+        redirect(res, '/admin/users');
+        return true;
+    }
+    await updateUser(userId, { plan: plan });
+    // If htmx request, return 204 (no content, hx-swap="none")
+    if (req.headers['hx-request']) {
+        res.writeHead(204);
+        res.end();
+        return true;
+    }
+    redirect(res, '/admin/users');
+    return true;
+}
+async function handleAdminUserAdmin(req, res, userId) {
+    const auth = await requireAdmin(req, res);
+    if (!auth)
+        return true;
+    const body = await parseFormBody(req);
+    if (!validateCsrf(req, body, auth.session)) {
+        sendHtml(res, 403, '<h1>403 — Invalid CSRF token</h1>');
+        return true;
+    }
+    const target = await getUserById(userId);
+    if (!target) {
+        redirect(res, '/admin/users');
+        return true;
+    }
+    // Prevent admin from removing their own admin status
+    if (target.id === auth.user.id) {
+        sendHtml(res, 400, '<h1>400 — Cannot modify your own admin status</h1>');
+        return true;
+    }
+    await updateUser(userId, { isAdmin: !target.isAdmin });
+    if (req.headers['hx-request']) {
+        res.writeHead(204);
+        res.end();
+        return true;
+    }
+    redirect(res, '/admin/users');
+    return true;
+}
+async function handleAdminUserDelete(req, res, userId) {
+    const auth = await requireAdmin(req, res);
+    if (!auth)
+        return true;
+    const body = await parseFormBody(req);
+    if (!validateCsrf(req, body, auth.session)) {
+        sendHtml(res, 403, '<h1>403 — Invalid CSRF token</h1>');
+        return true;
+    }
+    // Prevent admin from deleting themselves
+    if (userId === auth.user.id) {
+        sendHtml(res, 400, '<h1>400 — Cannot delete your own account</h1>');
+        return true;
+    }
+    const target = await getUserById(userId);
+    if (!target) {
+        redirect(res, '/admin/users');
+        return true;
+    }
+    await deleteUser(userId);
+    redirect(res, '/admin/users');
+    return true;
+}
+/** Cap on a single grant/revoke amount — guards against typos / overflow. */
+const MAX_CREDIT_AMOUNT = 100_000_000;
+async function handleAdminUserEdit(req, res, context, userId) {
+    const auth = await requireAdmin(req, res);
+    if (!auth)
+        return true;
+    const target = await getUserById(userId);
+    if (!target) {
+        redirect(res, '/admin/users');
+        return true;
+    }
+    const credits = getCreditStore();
+    const balance = await credits.balance(userId);
+    const ledgerRaw = await credits.recentLedger(userId, 20);
+    const ledger = ledgerRaw.map((e) => ({
+        delta: e.delta,
+        deltaLabel: e.delta >= 0 ? `+${e.delta}` : String(e.delta),
+        isCredit: e.delta >= 0,
+        reason: e.reason,
+        balanceAfter: e.balanceAfter == null ? '—' : String(e.balanceAfter),
+        createdAt: e.createdAt,
+    }));
+    const pg = getPgServerStore();
+    const allServers = pg ? await pg.list() : context.store.list();
+    const serverCount = allServers.filter((s) => s.userId === userId).length;
+    const { passwordHash: _omit, ...safeUser } = target;
+    const html = renderPage('pages/admin/user-edit', 'layouts/admin', {
+        metaTitle: `${target.email} — Admin — mcpmake Cloud`,
+        activePage: 'users',
+        user: auth.user,
+        csrfToken: auth.session.csrfToken,
+        targetUser: safeUser,
+        balance,
+        ledger,
+        serverCount,
+    });
+    sendHtml(res, 200, html);
+    return true;
+}
+async function handleAdminUserCredits(req, res, _context, userId) {
+    const auth = await requireAdmin(req, res);
+    if (!auth)
+        return true;
+    const body = await parseFormBody(req);
+    if (!validateCsrf(req, body, auth.session)) {
+        sendHtml(res, 403, '<h1>403 — Invalid CSRF token</h1>');
+        return true;
+    }
+    const target = await getUserById(userId);
+    if (!target) {
+        redirect(res, '/admin/users');
+        return true;
+    }
+    const action = body.action;
+    if (action !== 'grant' && action !== 'revoke') {
+        sendHtml(res, 400, '<h1>400 — Invalid action</h1>');
+        return true;
+    }
+    // Validate amount: must be a positive integer within a sane bound.
+    const raw = (body.amount ?? '').trim();
+    if (!/^\d+$/.test(raw)) {
+        sendHtml(res, 400, '<h1>400 — Invalid amount</h1>');
+        return true;
+    }
+    const amount = Number(raw);
+    if (!Number.isInteger(amount) || amount <= 0 || amount > MAX_CREDIT_AMOUNT) {
+        sendHtml(res, 400, '<h1>400 — Invalid amount</h1>');
+        return true;
+    }
+    const credits = getCreditStore();
+    if (action === 'grant') {
+        await credits.grant(userId, amount, auth.user.id);
+    }
+    else {
+        await credits.revoke(userId, amount, auth.user.id);
+    }
+    redirect(res, `/admin/users/${encodeURIComponent(userId)}`);
+    return true;
+}
+async function handleAdminTelemetry(req, res) {
+    const auth = await requireAdmin(req, res);
+    if (!auth)
+        return true;
+    let groups = [];
+    try {
+        groups = await getTelemetryStore().recentGrouped(100);
+    }
+    catch {
+        groups = [];
+    }
+    const html = renderPage('pages/admin/telemetry', 'layouts/admin', {
+        metaTitle: 'Telemetry — Admin — mcpmake Cloud',
+        activePage: 'telemetry',
+        user: auth.user,
+        csrfToken: auth.session.csrfToken,
+        groups,
+    });
+    sendHtml(res, 200, html);
+    return true;
+}
+// ---------------------------------------------------------------------------
+// Helpers
+// ---------------------------------------------------------------------------
+function sendHtml(res, status, html, extraHeaders) {
+    const body = Buffer.from(html, 'utf-8');
+    res.writeHead(status, {
+        'Content-Type': 'text/html; charset=utf-8',
+        'Content-Length': body.length,
+        'Cache-Control': 'no-cache',
+        'Content-Security-Policy': "default-src 'self'; script-src 'self' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; connect-src 'self'; frame-ancestors 'none'",
+        'Referrer-Policy': 'same-origin',
+        'X-Content-Type-Options': 'nosniff',
+        'X-Frame-Options': 'DENY',
+        ...extraHeaders,
+    });
+    res.end(body);
+}
+/**
+ * Render a 500 error page. Exported for use in the main server error handler.
+ */
+export function render500Page(res) {
+    try {
+        const html = renderPage('pages/errors/500', 'layouts/landing', {
+            metaTitle: '500 — Something went wrong — mcpmake Cloud',
+        });
+        sendHtml(res, 500, html);
+    }
+    catch {
+        // Fallback if template rendering itself fails
+        sendHtml(res, 500, '<h1>500 — Internal Server Error</h1>');
+    }
+}
+function redirect(res, location) {
+    res.writeHead(302, { Location: location });
+    res.end();
+}
+/**
+ * Validate email: must contain @ with at least one char before it,
+ * and a dot after the @.
+ */
+function isValidEmail(email) {
+    const atIndex = email.indexOf('@');
+    if (atIndex < 1)
+        return false;
+    const domain = email.slice(atIndex + 1);
+    return domain.includes('.') && !domain.startsWith('.') && !domain.endsWith('.');
+}
+/**
+ * Parse URL-encoded form body from a POST request.
+ * Returns a plain object of field name -> value.
+ * Max body size: 1MB.
+ */
+async function parseFormBody(req) {
+    return new Promise((resolve) => {
+        const chunks = [];
+        let totalSize = 0;
+        req.on('data', (chunk) => {
+            totalSize += chunk.length;
+            if (totalSize > MAX_FORM_BODY) {
+                req.destroy();
+                resolve({});
+                return;
+            }
+            chunks.push(chunk);
+        });
+        req.on('end', () => {
+            const raw = Buffer.concat(chunks).toString('utf-8');
+            const params = new URLSearchParams(raw);
+            const result = {};
+            for (const [key, value] of params) {
+                result[key] = value;
+            }
+            resolve(result);
+        });
+        req.on('error', () => {
+            resolve({});
+        });
+    });
+}