npm - palaryn - Versions diffs - 0.1.0 → 0.3.2 - Mend

palaryn 0.1.0 → 0.3.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (344) hide show

package/README.md +243 -588
package/dist/sdk/typescript/src/client.js +2 -2
package/dist/sdk/typescript/src/client.js.map +1 -1
package/dist/src/anomaly/detector.d.ts +7 -4
package/dist/src/anomaly/detector.d.ts.map +1 -1
package/dist/src/anomaly/detector.js +22 -12
package/dist/src/anomaly/detector.js.map +1 -1
package/dist/src/audit/logger.d.ts +10 -0
package/dist/src/audit/logger.d.ts.map +1 -1
package/dist/src/audit/logger.js +52 -38
package/dist/src/audit/logger.js.map +1 -1
package/dist/src/auth/routes.d.ts.map +1 -1
package/dist/src/auth/routes.js +35 -0
package/dist/src/auth/routes.js.map +1 -1
package/dist/src/budget/manager.d.ts +5 -0
package/dist/src/budget/manager.d.ts.map +1 -1
package/dist/src/budget/manager.js +32 -0
package/dist/src/budget/manager.js.map +1 -1
package/dist/src/budget/model-pricing.d.ts +20 -0
package/dist/src/budget/model-pricing.d.ts.map +1 -0
package/dist/src/budget/model-pricing.js +107 -0
package/dist/src/budget/model-pricing.js.map +1 -0
package/dist/src/budget/usage-extractor.d.ts +3 -1
package/dist/src/budget/usage-extractor.d.ts.map +1 -1
package/dist/src/budget/usage-extractor.js +47 -3
package/dist/src/budget/usage-extractor.js.map +1 -1
package/dist/src/config/defaults.d.ts.map +1 -1
package/dist/src/config/defaults.js +65 -13
package/dist/src/config/defaults.js.map +1 -1
package/dist/src/dlp/tool-patterns.d.ts +7 -0
package/dist/src/dlp/tool-patterns.d.ts.map +1 -0
package/dist/src/dlp/tool-patterns.js +34 -0
package/dist/src/dlp/tool-patterns.js.map +1 -0
package/dist/src/executor/filesystem-executor.d.ts +28 -0
package/dist/src/executor/filesystem-executor.d.ts.map +1 -0
package/dist/src/executor/filesystem-executor.js +192 -0
package/dist/src/executor/filesystem-executor.js.map +1 -0
package/dist/src/executor/http-executor.d.ts.map +1 -1
package/dist/src/executor/http-executor.js +22 -2
package/dist/src/executor/http-executor.js.map +1 -1
package/dist/src/executor/index.d.ts +4 -0
package/dist/src/executor/index.d.ts.map +1 -1
package/dist/src/executor/index.js +9 -1
package/dist/src/executor/index.js.map +1 -1
package/dist/src/executor/shell-executor.d.ts +22 -0
package/dist/src/executor/shell-executor.d.ts.map +1 -0
package/dist/src/executor/shell-executor.js +119 -0
package/dist/src/executor/shell-executor.js.map +1 -0
package/dist/src/executor/sql-executor.d.ts +29 -0
package/dist/src/executor/sql-executor.d.ts.map +1 -0
package/dist/src/executor/sql-executor.js +114 -0
package/dist/src/executor/sql-executor.js.map +1 -0
package/dist/src/executor/websocket-executor.d.ts +26 -0
package/dist/src/executor/websocket-executor.d.ts.map +1 -0
package/dist/src/executor/websocket-executor.js +205 -0
package/dist/src/executor/websocket-executor.js.map +1 -0
package/dist/src/interceptor/index.d.ts +2 -0
package/dist/src/interceptor/index.d.ts.map +1 -0
package/dist/src/interceptor/index.js +6 -0
package/dist/src/interceptor/index.js.map +1 -0
package/dist/src/interceptor/provider-interceptor.d.ts +36 -0
package/dist/src/interceptor/provider-interceptor.d.ts.map +1 -0
package/dist/src/interceptor/provider-interceptor.js +302 -0
package/dist/src/interceptor/provider-interceptor.js.map +1 -0
package/dist/src/mcp/auth-verifier.d.ts.map +1 -1
package/dist/src/mcp/auth-verifier.js +3 -2
package/dist/src/mcp/auth-verifier.js.map +1 -1
package/dist/src/mcp/bridge.d.ts +14 -10
package/dist/src/mcp/bridge.d.ts.map +1 -1
package/dist/src/mcp/bridge.js +51 -227
package/dist/src/mcp/bridge.js.map +1 -1
package/dist/src/mcp/http-transport.d.ts +2 -0
package/dist/src/mcp/http-transport.d.ts.map +1 -1
package/dist/src/mcp/http-transport.js +117 -66
package/dist/src/mcp/http-transport.js.map +1 -1
package/dist/src/mcp/internal-auth.d.ts +13 -0
package/dist/src/mcp/internal-auth.d.ts.map +1 -0
package/dist/src/mcp/internal-auth.js +12 -0
package/dist/src/mcp/internal-auth.js.map +1 -0
package/dist/src/mcp/tool-definitions.d.ts +41 -0
package/dist/src/mcp/tool-definitions.d.ts.map +1 -0
package/dist/src/mcp/tool-definitions.js +491 -0
package/dist/src/mcp/tool-definitions.js.map +1 -0
package/dist/src/middleware/auth.js.map +1 -1
package/dist/src/middleware/session.js.map +1 -1
package/dist/src/middleware/validate.d.ts +8 -0
package/dist/src/middleware/validate.d.ts.map +1 -1
package/dist/src/middleware/validate.js +45 -0
package/dist/src/middleware/validate.js.map +1 -1
package/dist/src/policy/engine.d.ts +4 -0
package/dist/src/policy/engine.d.ts.map +1 -1
package/dist/src/policy/engine.js +117 -0
package/dist/src/policy/engine.js.map +1 -1
package/dist/src/saas/routes.d.ts.map +1 -1
package/dist/src/saas/routes.js +355 -22
package/dist/src/saas/routes.js.map +1 -1
package/dist/src/server/app.d.ts.map +1 -1
package/dist/src/server/app.js +24 -3
package/dist/src/server/app.js.map +1 -1
package/dist/src/server/gateway.d.ts.map +1 -1
package/dist/src/server/gateway.js +17 -0
package/dist/src/server/gateway.js.map +1 -1
package/dist/src/server/index.d.ts.map +1 -1
package/dist/src/server/index.js +18 -0
package/dist/src/server/index.js.map +1 -1
package/dist/src/storage/interfaces.d.ts +14 -3
package/dist/src/storage/interfaces.d.ts.map +1 -1
package/dist/src/storage/memory.d.ts +2 -0
package/dist/src/storage/memory.d.ts.map +1 -1
package/dist/src/storage/memory.js +6 -0
package/dist/src/storage/memory.js.map +1 -1
package/dist/src/storage/postgres.d.ts +5 -0
package/dist/src/storage/postgres.d.ts.map +1 -1
package/dist/src/storage/postgres.js +16 -0
package/dist/src/storage/postgres.js.map +1 -1
package/dist/src/storage/redis.d.ts +10 -0
package/dist/src/storage/redis.d.ts.map +1 -1
package/dist/src/storage/redis.js +65 -0
package/dist/src/storage/redis.js.map +1 -1
package/dist/src/types/budget.d.ts +4 -0
package/dist/src/types/budget.d.ts.map +1 -1
package/dist/src/types/config.d.ts +58 -0
package/dist/src/types/config.d.ts.map +1 -1
package/dist/src/types/events.d.ts +1 -0
package/dist/src/types/events.d.ts.map +1 -1
package/dist/src/types/policy.d.ts +11 -1
package/dist/src/types/policy.d.ts.map +1 -1
package/dist/src/types/tool-result.d.ts +11 -0
package/dist/src/types/tool-result.d.ts.map +1 -1
package/dist/tests/unit/app-routes.test.d.ts +2 -0
package/dist/tests/unit/app-routes.test.d.ts.map +1 -0
package/dist/tests/unit/app-routes.test.js +715 -0
package/dist/tests/unit/app-routes.test.js.map +1 -0
package/dist/tests/unit/audit-logger.test.js +105 -0
package/dist/tests/unit/audit-logger.test.js.map +1 -1
package/dist/tests/unit/auth-providers.test.d.ts +2 -0
package/dist/tests/unit/auth-providers.test.d.ts.map +1 -0
package/dist/tests/unit/auth-providers.test.js +279 -0
package/dist/tests/unit/auth-providers.test.js.map +1 -0
package/dist/tests/unit/auth-routes-extended.test.d.ts +2 -0
package/dist/tests/unit/auth-routes-extended.test.d.ts.map +1 -0
package/dist/tests/unit/auth-routes-extended.test.js +993 -0
package/dist/tests/unit/auth-routes-extended.test.js.map +1 -0
package/dist/tests/unit/auth-verifier.test.d.ts +2 -0
package/dist/tests/unit/auth-verifier.test.d.ts.map +1 -0
package/dist/tests/unit/auth-verifier.test.js +505 -0
package/dist/tests/unit/auth-verifier.test.js.map +1 -0
package/dist/tests/unit/billing-routes.test.d.ts +2 -0
package/dist/tests/unit/billing-routes.test.d.ts.map +1 -0
package/dist/tests/unit/billing-routes.test.js +432 -0
package/dist/tests/unit/billing-routes.test.js.map +1 -0
package/dist/tests/unit/config-defaults.test.d.ts +2 -0
package/dist/tests/unit/config-defaults.test.d.ts.map +1 -0
package/dist/tests/unit/config-defaults.test.js +119 -0
package/dist/tests/unit/config-defaults.test.js.map +1 -0
package/dist/tests/unit/defaults.test.js +0 -10
package/dist/tests/unit/defaults.test.js.map +1 -1
package/dist/tests/unit/filesystem-executor.test.d.ts +2 -0
package/dist/tests/unit/filesystem-executor.test.d.ts.map +1 -0
package/dist/tests/unit/filesystem-executor.test.js +280 -0
package/dist/tests/unit/filesystem-executor.test.js.map +1 -0
package/dist/tests/unit/gateway-branches.test.d.ts +2 -0
package/dist/tests/unit/gateway-branches.test.d.ts.map +1 -0
package/dist/tests/unit/gateway-branches.test.js +1039 -0
package/dist/tests/unit/gateway-branches.test.js.map +1 -0
package/dist/tests/unit/http-executor-branches.test.d.ts +2 -0
package/dist/tests/unit/http-executor-branches.test.d.ts.map +1 -0
package/dist/tests/unit/http-executor-branches.test.js +495 -0
package/dist/tests/unit/http-executor-branches.test.js.map +1 -0
package/dist/tests/unit/logger.test.d.ts +2 -0
package/dist/tests/unit/logger.test.d.ts.map +1 -0
package/dist/tests/unit/logger.test.js +97 -0
package/dist/tests/unit/logger.test.js.map +1 -0
package/dist/tests/unit/mcp-internal-auth.test.d.ts +2 -0
package/dist/tests/unit/mcp-internal-auth.test.d.ts.map +1 -0
package/dist/tests/unit/mcp-internal-auth.test.js +445 -0
package/dist/tests/unit/mcp-internal-auth.test.js.map +1 -0
package/dist/tests/unit/metrics.test.js +102 -0
package/dist/tests/unit/metrics.test.js.map +1 -1
package/dist/tests/unit/model-pricing.test.d.ts +2 -0
package/dist/tests/unit/model-pricing.test.d.ts.map +1 -0
package/dist/tests/unit/model-pricing.test.js +87 -0
package/dist/tests/unit/model-pricing.test.js.map +1 -0
package/dist/tests/unit/oauth-stores.test.d.ts +2 -0
package/dist/tests/unit/oauth-stores.test.d.ts.map +1 -0
package/dist/tests/unit/oauth-stores.test.js +260 -0
package/dist/tests/unit/oauth-stores.test.js.map +1 -0
package/dist/tests/unit/policy-engine.test.js +466 -0
package/dist/tests/unit/policy-engine.test.js.map +1 -1
package/dist/tests/unit/provider-interceptor.test.d.ts +2 -0
package/dist/tests/unit/provider-interceptor.test.d.ts.map +1 -0
package/dist/tests/unit/provider-interceptor.test.js +472 -0
package/dist/tests/unit/provider-interceptor.test.js.map +1 -0
package/dist/tests/unit/saas-routes-branches.test.d.ts +2 -0
package/dist/tests/unit/saas-routes-branches.test.d.ts.map +1 -0
package/dist/tests/unit/saas-routes-branches.test.js +2165 -0
package/dist/tests/unit/saas-routes-branches.test.js.map +1 -0
package/dist/tests/unit/saas-routes-crud.test.d.ts +2 -0
package/dist/tests/unit/saas-routes-crud.test.d.ts.map +1 -0
package/dist/tests/unit/saas-routes-crud.test.js +332 -0
package/dist/tests/unit/saas-routes-crud.test.js.map +1 -0
package/dist/tests/unit/saas-routes-data.test.d.ts +2 -0
package/dist/tests/unit/saas-routes-data.test.d.ts.map +1 -0
package/dist/tests/unit/saas-routes-data.test.js +405 -0
package/dist/tests/unit/saas-routes-data.test.js.map +1 -0
package/dist/tests/unit/saas-routes.test.js +3 -3
package/dist/tests/unit/saas-routes.test.js.map +1 -1
package/dist/tests/unit/shell-executor.test.d.ts +2 -0
package/dist/tests/unit/shell-executor.test.d.ts.map +1 -0
package/dist/tests/unit/shell-executor.test.js +145 -0
package/dist/tests/unit/shell-executor.test.js.map +1 -0
package/dist/tests/unit/sql-executor.test.d.ts +2 -0
package/dist/tests/unit/sql-executor.test.d.ts.map +1 -0
package/dist/tests/unit/sql-executor.test.js +177 -0
package/dist/tests/unit/sql-executor.test.js.map +1 -0
package/dist/tests/unit/stream-proxy.test.d.ts +2 -0
package/dist/tests/unit/stream-proxy.test.d.ts.map +1 -0
package/dist/tests/unit/stream-proxy.test.js +147 -0
package/dist/tests/unit/stream-proxy.test.js.map +1 -0
package/dist/tests/unit/tool-definitions.test.d.ts +2 -0
package/dist/tests/unit/tool-definitions.test.d.ts.map +1 -0
package/dist/tests/unit/tool-definitions.test.js +184 -0
package/dist/tests/unit/tool-definitions.test.js.map +1 -0
package/dist/tests/unit/usage-extractor.test.js +140 -0
package/dist/tests/unit/usage-extractor.test.js.map +1 -1
package/dist/tests/unit/webhook-handler.test.d.ts +2 -0
package/dist/tests/unit/webhook-handler.test.d.ts.map +1 -0
package/dist/tests/unit/webhook-handler.test.js +453 -0
package/dist/tests/unit/webhook-handler.test.js.map +1 -0
package/dist/tests/unit/webhook-routes.test.d.ts +2 -0
package/dist/tests/unit/webhook-routes.test.d.ts.map +1 -0
package/dist/tests/unit/webhook-routes.test.js +69 -0
package/dist/tests/unit/webhook-routes.test.js.map +1 -0
package/dist/tests/unit/websocket-executor.test.d.ts +2 -0
package/dist/tests/unit/websocket-executor.test.d.ts.map +1 -0
package/dist/tests/unit/websocket-executor.test.js +121 -0
package/dist/tests/unit/websocket-executor.test.js.map +1 -0
package/package.json +8 -2
package/policy-packs/demo_fail.yaml +41 -0
package/policy-packs/full_tools.yaml +136 -0
package/src/admin/index.ts +1 -0
package/src/admin/routes.ts +509 -0
package/src/admin/templates.ts +572 -0
package/src/anomaly/detector.ts +730 -0
package/src/anomaly/index.ts +1 -0
package/src/approval/manager.ts +569 -0
package/src/approval/webhook.ts +133 -0
package/src/audit/logger.ts +490 -0
package/src/auth/index.ts +5 -0
package/src/auth/password.ts +21 -0
package/src/auth/pkce.ts +22 -0
package/src/auth/providers.ts +208 -0
package/src/auth/routes.ts +561 -0
package/src/auth/session.ts +84 -0
package/src/billing/index.ts +6 -0
package/src/billing/plan-enforcer.ts +135 -0
package/src/billing/routes.ts +229 -0
package/src/billing/stripe-client.ts +58 -0
package/src/billing/webhook-handler.ts +182 -0
package/src/billing/webhook-routes.ts +28 -0
package/src/budget/manager.ts +679 -0
package/src/budget/model-pricing.ts +119 -0
package/src/budget/usage-extractor.ts +214 -0
package/src/cli.ts +91 -0
package/src/config/defaults.ts +261 -0
package/src/config/validate.ts +88 -0
package/src/dlp/composite-scanner.ts +213 -0
package/src/dlp/index.ts +9 -0
package/src/dlp/interfaces.ts +34 -0
package/src/dlp/patterns.ts +30 -0
package/src/dlp/prompt-injection-backend.ts +181 -0
package/src/dlp/prompt-injection-patterns.ts +302 -0
package/src/dlp/regex-backend.ts +181 -0
package/src/dlp/scanner.ts +502 -0
package/src/dlp/text-normalizer.ts +225 -0
package/src/dlp/tool-patterns.ts +35 -0
package/src/dlp/trufflehog-backend.ts +190 -0
package/src/executor/filesystem-executor.ts +196 -0
package/src/executor/http-executor.ts +349 -0
package/src/executor/index.ts +9 -0
package/src/executor/interfaces.ts +11 -0
package/src/executor/noop-executor.ts +23 -0
package/src/executor/registry.ts +64 -0
package/src/executor/shell-executor.ts +148 -0
package/src/executor/slack-executor.ts +176 -0
package/src/executor/sql-executor.ts +146 -0
package/src/executor/websocket-executor.ts +211 -0
package/src/index.ts +24 -0
package/src/interceptor/index.ts +1 -0
package/src/interceptor/provider-interceptor.ts +315 -0
package/src/mcp/auth-verifier.ts +152 -0
package/src/mcp/bridge.ts +703 -0
package/src/mcp/http-transport.ts +698 -0
package/src/mcp/index.ts +9 -0
package/src/mcp/internal-auth.ts +14 -0
package/src/mcp/oauth-pages.ts +139 -0
package/src/mcp/oauth-postgres-stores.ts +278 -0
package/src/mcp/oauth-provider.ts +536 -0
package/src/mcp/oauth-stores.ts +202 -0
package/src/mcp/server.ts +55 -0
package/src/mcp/tool-definitions.ts +562 -0
package/src/metrics/collector.ts +357 -0
package/src/metrics/index.ts +1 -0
package/src/middleware/auth.ts +814 -0
package/src/middleware/session.ts +85 -0
package/src/middleware/validate.ts +130 -0
package/src/policy/engine.ts +815 -0
package/src/policy/index.ts +2 -0
package/src/policy/opa-engine.ts +829 -0
package/src/proxy/forward-proxy.ts +649 -0
package/src/proxy/index.ts +1 -0
package/src/ratelimit/limiter.ts +196 -0
package/src/replay/engine.ts +142 -0
package/src/replay/index.ts +1 -0
package/src/saas/index.ts +1 -0
package/src/saas/routes.ts +2178 -0
package/src/server/app.ts +985 -0
package/src/server/errors.ts +49 -0
package/src/server/gateway.ts +1130 -0
package/src/server/index.ts +307 -0
package/src/server/logger.ts +255 -0
package/src/server/stream-proxy.ts +202 -0
package/src/storage/file-persistence.ts +315 -0
package/src/storage/index.ts +4 -0
package/src/storage/interfaces.ts +287 -0
package/src/storage/memory.ts +686 -0
package/src/storage/postgres.ts +1831 -0
package/src/storage/redis.ts +835 -0
package/src/tracing/index.ts +1 -0
package/src/tracing/provider.ts +100 -0
package/src/trust/calculator.ts +141 -0
package/src/trust/index.ts +7 -0
package/src/types/budget.ts +36 -0
package/src/types/config.ts +278 -0
package/src/types/events.ts +41 -0
package/src/types/express.d.ts +14 -0
package/src/types/index.ts +7 -0
package/src/types/policy.ts +83 -0
package/src/types/stripe-config.ts +11 -0
package/src/types/subscription.ts +59 -0
package/src/types/tool-call.ts +47 -0
package/src/types/tool-result.ts +82 -0
package/src/types/user.ts +125 -0
package/tsconfig.json +24 -0

package/src/admin/routes.ts ADDED Viewed

@@ -0,0 +1,509 @@
+import express from 'express';
+import * as crypto from 'crypto';
+import * as fs from 'fs';
+import * as yaml from 'js-yaml';
+import { randomUUID } from 'crypto';
+import { Gateway } from '../server/gateway';
+import { GatewayConfig } from '../types/config';
+import {
+  DashboardStats,
+  BudgetInfo,
+  CostSummary,
+  ApiKeyInfo,
+  dashboardTemplate,
+  approvalsTemplate,
+  policiesTemplate,
+  budgetsTemplate,
+  traceListTemplate,
+  traceDetailTemplate,
+  apiKeysTemplate,
+  layoutTemplate,
+  escapeHtml,
+} from './templates';
+// CSRF token store: token -> expiry timestamp (ms)
+const csrfTokens = new Map<string, number>();
+const CSRF_TOKEN_TTL_MS = 60 * 60 * 1000; // 1 hour
+const MAX_CSRF_TOKENS = 10000;
+/** Generate a single-use CSRF token with 1-hour expiry */
+function generateCSRFToken(): string {
+  // Prune expired tokens on each generation call
+  const now = Date.now();
+  for (const [token, expiry] of csrfTokens) {
+    if (expiry < now) {
+      csrfTokens.delete(token);
+    }
+  }
+  // Hard cap: if still too many tokens, evict oldest
+  if (csrfTokens.size >= MAX_CSRF_TOKENS) {
+    const firstKey = csrfTokens.keys().next().value;
+    if (firstKey) csrfTokens.delete(firstKey);
+  }
+  const token = crypto.randomBytes(32).toString('hex');
+  csrfTokens.set(token, now + CSRF_TOKEN_TTL_MS);
+  return token;
+}
+/** Validate and consume a single-use CSRF token. Returns true if valid. */
+function validateCSRFToken(token: string): boolean {
+  if (!token) return false;
+  const expiry = csrfTokens.get(token);
+  if (expiry === undefined) return false;
+  // Delete the token (single-use)
+  csrfTokens.delete(token);
+  // Check if expired
+  return Date.now() < expiry;
+}
+export function createAdminRouter(gateway: Gateway, config: GatewayConfig): express.Router {
+  const router = express.Router();
+  // Parse URL-encoded form bodies for POST routes
+  router.use(express.urlencoded({ extended: true }));
+  // ---------- GET /admin -- Dashboard overview ----------
+  router.get('/', (req, res) => {
+    try {
+      const auditLogger = gateway.getAuditLogger();
+      const allEvents = auditLogger.getAllEvents();
+      const pendingApprovals = gateway.getPendingApprovals();
+      const policy = gateway.getCurrentPolicy();
+      // Gather unique workspace IDs from events
+      const workspaceIds = new Set<string>();
+      for (const event of allEvents) {
+        if (event.workspace_id) {
+          workspaceIds.add(event.workspace_id);
+        }
+      }
+      const stats: DashboardStats = {
+        total_requests: allEvents.filter(e => e.event_type === 'TOOL_CALL_RECEIVED').length,
+        pending_approvals: pendingApprovals.length,
+        active_workspaces: workspaceIds.size,
+        policy_rules: policy.rules ? policy.rules.length : 0,
+        recent_events: allEvents.slice(-20).reverse(),
+      };
+      res.send(dashboardTemplate(stats));
+    } catch (err) {
+      const message = err instanceof Error ? err.message : 'Unknown error';
+      res.status(500).send(layoutTemplate('Error', 'dashboard',
+        `<div class="alert alert-error">Failed to load dashboard: ${escapeHtml(message)}</div>`));
+    }
+  });
+  // ---------- GET /admin/approvals -- Pending approvals list ----------
+  router.get('/approvals', (req, res) => {
+    try {
+      const approvals = gateway.getPendingApprovals();
+      const csrfToken = generateCSRFToken();
+      res.send(approvalsTemplate(approvals, csrfToken));
+    } catch (err) {
+      const message = err instanceof Error ? err.message : 'Unknown error';
+      res.status(500).send(layoutTemplate('Error', 'approvals',
+        `<div class="alert alert-error">Failed to load approvals: ${escapeHtml(message)}</div>`));
+    }
+  });
+  // ---------- POST /admin/approvals/:id/approve -- Approve an approval ----------
+  router.post('/approvals/:id/approve', async (req, res) => {
+    if (!validateCSRFToken(req.body._csrf)) {
+      res.status(403).send('Invalid or missing CSRF token');
+      return;
+    }
+    const approvalId = req.params.id;
+    const approvalManager = gateway.getApprovalManager();
+    try {
+      await approvalManager.resolveById(approvalId, 'admin', true);
+    } catch {
+      // Approval may have expired or already been resolved
+    }
+    res.redirect('/admin/approvals');
+  });
+  // ---------- POST /admin/approvals/:id/deny -- Deny an approval ----------
+  router.post('/approvals/:id/deny', async (req, res) => {
+    if (!validateCSRFToken(req.body._csrf)) {
+      res.status(403).send('Invalid or missing CSRF token');
+      return;
+    }
+    const approvalId = req.params.id;
+    const approvalManager = gateway.getApprovalManager();
+    try {
+      await approvalManager.resolveById(approvalId, 'admin', false, 'Denied via admin panel');
+    } catch {
+      // Approval may have expired or already been resolved
+    }
+    res.redirect('/admin/approvals');
+  });
+  // ---------- GET /admin/policies -- Policy viewer + YAML editor ----------
+  router.get('/policies', (req, res) => {
+    try {
+      const policy = gateway.getCurrentPolicy();
+      const csrfToken = generateCSRFToken();
+      // Read raw YAML from disk to pre-fill the editor
+      let policyYaml = '';
+      try {
+        policyYaml = fs.readFileSync(gateway.getPolicyPackPath(), 'utf-8');
+      } catch {
+        // If file can't be read, editor will be empty
+      }
+      // Handle success/error flash from POST redirect
+      const applied = typeof req.query.applied === 'string' ? req.query.applied : undefined;
+      const msg = typeof req.query.msg === 'string' ? req.query.msg : undefined;
+      const reloaded = typeof req.query.reloaded === 'string' ? req.query.reloaded : undefined;
+      const applyResult = applied !== undefined
+        ? { success: applied === '1', message: msg || (applied === '1' ? 'Policy applied successfully' : 'Failed to apply policy') }
+        : reloaded !== undefined
+          ? { success: reloaded === '1', message: msg || (reloaded === '1' ? 'Policy reloaded from disk' : 'Failed to reload policy') }
+          : undefined;
+      res.send(policiesTemplate(policy, undefined, csrfToken, policyYaml, applyResult));
+    } catch (err) {
+      const message = err instanceof Error ? err.message : 'Unknown error';
+      res.status(500).send(layoutTemplate('Error', 'policies',
+        `<div class="alert alert-error">Failed to load policies: ${escapeHtml(message)}</div>`));
+    }
+  });
+  // ---------- POST /admin/policies/apply -- Save YAML to disk & hot-reload ----------
+  router.post('/policies/apply', (req, res) => {
+    if (!validateCSRFToken(req.body._csrf)) {
+      res.status(403).send('Invalid or missing CSRF token');
+      return;
+    }
+    const policyYamlText = req.body.policy_yaml;
+    // Validate: not empty
+    if (!policyYamlText || typeof policyYamlText !== 'string' || policyYamlText.trim().length === 0) {
+      res.redirect('/admin/policies?applied=0&msg=' + encodeURIComponent('Policy YAML cannot be empty'));
+      return;
+    }
+    // Validate: parseable YAML
+    let parsed: any;
+    try {
+      parsed = yaml.load(policyYamlText);
+    } catch (err) {
+      const message = err instanceof Error ? err.message : 'Invalid YAML';
+      res.redirect('/admin/policies?applied=0&msg=' + encodeURIComponent('Invalid YAML: ' + message));
+      return;
+    }
+    // Validate: valid policy structure
+    const validation = gateway.validatePolicy(parsed);
+    if (!validation.valid) {
+      res.redirect('/admin/policies?applied=0&msg=' + encodeURIComponent('Validation errors: ' + validation.errors.join('; ')));
+      return;
+    }
+    // Write to disk
+    try {
+      fs.writeFileSync(gateway.getPolicyPackPath(), policyYamlText, 'utf-8');
+    } catch (err) {
+      const message = err instanceof Error ? err.message : 'Write failed';
+      res.redirect('/admin/policies?applied=0&msg=' + encodeURIComponent('Failed to write file: ' + message));
+      return;
+    }
+    // Hot-reload
+    const result = gateway.reloadPolicy();
+    if (result.success) {
+      res.redirect('/admin/policies?applied=1&msg=' + encodeURIComponent(`Policy reloaded successfully (${result.ruleCount} rules active)`));
+    } else {
+      res.redirect('/admin/policies?applied=0&msg=' + encodeURIComponent('Reload failed: ' + (result.error || 'unknown error')));
+    }
+  });
+  // ---------- POST /admin/policies/reload -- Hot-reload policy from disk ----------
+  router.post('/policies/reload', (req, res) => {
+    if (!validateCSRFToken(req.body._csrf)) {
+      res.status(403).send('Invalid or missing CSRF token');
+      return;
+    }
+    const result = gateway.reloadPolicy();
+    if (result.success) {
+      res.redirect('/admin/policies?reloaded=1&msg=' + encodeURIComponent(`Policy reloaded from disk (${result.ruleCount} rules active)`));
+    } else {
+      res.redirect('/admin/policies?reloaded=0&msg=' + encodeURIComponent('Reload failed: ' + (result.error || 'unknown error')));
+    }
+  });
+  // ---------- POST /admin/policies/validate -- Validate a policy ----------
+  router.post('/policies/validate', (req, res) => {
+    if (!validateCSRFToken(req.body._csrf)) {
+      res.status(403).send('Invalid or missing CSRF token');
+      return;
+    }
+    const policy = gateway.getCurrentPolicy();
+    const csrfToken = generateCSRFToken();
+    let validationResult: { valid: boolean; errors: string[] };
+    try {
+      const policyJson = req.body.policy_json;
+      const parsed = JSON.parse(policyJson);
+      validationResult = gateway.validatePolicy(parsed);
+    } catch (err) {
+      const message = err instanceof Error ? err.message : 'Invalid JSON';
+      validationResult = { valid: false, errors: [message] };
+    }
+    // Read current YAML for the editor
+    let policyYaml = '';
+    try {
+      policyYaml = fs.readFileSync(gateway.getPolicyPackPath(), 'utf-8');
+    } catch {
+      // If file can't be read, editor will be empty
+    }
+    res.send(policiesTemplate(policy, validationResult, csrfToken, policyYaml));
+  });
+  // ---------- GET /admin/budgets -- Budget overview ----------
+  router.get('/budgets', (req, res) => {
+    try {
+      const budgetManager = gateway.getBudgetManager();
+      const budgetConfig = budgetManager.getConfig();
+      const spending = budgetManager.getSpendingSummary();
+      const budgets: BudgetInfo[] = [];
+      // Show configured budget limits with actual spending
+      budgets.push({
+        key: 'task_default',
+        type: 'task',
+        label: 'Task Budget (default)',
+        spent: spending.task_total,
+        limit: budgetConfig.task_budget_usd,
+      });
+      if (budgetConfig.user_daily_budget_usd !== undefined) {
+        budgets.push({
+          key: 'user_daily',
+          type: 'user_daily',
+          label: 'User Daily Budget',
+          spent: spending.user_daily_total,
+          limit: budgetConfig.user_daily_budget_usd,
+        });
+      }
+      if (budgetConfig.user_monthly_budget_usd !== undefined) {
+        budgets.push({
+          key: 'user_monthly',
+          type: 'user_monthly',
+          label: 'User Monthly Budget',
+          spent: spending.user_monthly_total,
+          limit: budgetConfig.user_monthly_budget_usd,
+        });
+      }
+      if (budgetConfig.workspace_daily_budget_usd !== undefined) {
+        budgets.push({
+          key: 'workspace_daily',
+          type: 'workspace_daily',
+          label: 'Workspace Daily Budget',
+          spent: spending.workspace_daily_total,
+          limit: budgetConfig.workspace_daily_budget_usd,
+        });
+      }
+      if (budgetConfig.workspace_monthly_budget_usd !== undefined) {
+        budgets.push({
+          key: 'workspace_monthly',
+          type: 'workspace_monthly',
+          label: 'Workspace Monthly Budget',
+          spent: spending.workspace_monthly_total,
+          limit: budgetConfig.workspace_monthly_budget_usd,
+        });
+      }
+      // Build cost summary from audit events
+      const auditLogger = gateway.getAuditLogger();
+      const allEvents = auditLogger.getAllEvents();
+      let estimatedTotal = 0;
+      let actualTotal = 0;
+      const toolCosts = new Map<string, number>();
+      for (const event of allEvents) {
+        if (event.event_type === 'BUDGET_CHECKED' && event.metadata) {
+          const estimated = typeof event.metadata.estimated_cost_usd === 'number' ? event.metadata.estimated_cost_usd : 0;
+          estimatedTotal += estimated;
+        }
+        if (event.event_type === 'USAGE_REPORTED' && event.metadata) {
+          const actual = typeof event.metadata.actual_cost_usd === 'number' ? event.metadata.actual_cost_usd : 0;
+          actualTotal += actual;
+        }
+        if (event.event_type === 'TOOL_EXECUTED') {
+          const toolName = event.tool_name || 'unknown';
+          toolCosts.set(toolName, (toolCosts.get(toolName) || 0) + 1);
+        }
+      }
+      const topTools = Array.from(toolCosts.entries())
+        .map(([tool_name, count]) => ({ tool_name, cost: count * 0.001 })) // approximate from count
+        .sort((a, b) => b.cost - a.cost)
+        .slice(0, 5);
+      const costSummary: CostSummary = {
+        estimated_total: estimatedTotal || spending.task_total,
+        actual_total: actualTotal,
+        top_tools: topTools,
+      };
+      res.send(budgetsTemplate(budgets, costSummary));
+    } catch (err) {
+      const message = err instanceof Error ? err.message : 'Unknown error';
+      res.status(500).send(layoutTemplate('Error', 'budgets',
+        `<div class="alert alert-error">Failed to load budgets: ${escapeHtml(message)}</div>`));
+    }
+  });
+  // ---------- GET /admin/traces -- Trace explorer ----------
+  router.get('/traces', (req, res) => {
+    try {
+      const taskIdQuery = typeof req.query.task_id === 'string' ? req.query.task_id : undefined;
+      // If a task_id is provided via query, redirect to detail page
+      if (taskIdQuery) {
+        res.redirect(`/admin/traces/${taskIdQuery}`);
+        return;
+      }
+      const page = Math.max(1, parseInt(req.query.page as string) || 1);
+      const limit = Math.min(Math.max(1, parseInt(req.query.limit as string) || 50), 200);
+      // Build a summary of recent task IDs from audit events
+      const auditLogger = gateway.getAuditLogger();
+      const allEvents = auditLogger.getAllEvents();
+      const taskMap = new Map<string, { event_count: number; first_seen: string }>();
+      for (const event of allEvents) {
+        const existing = taskMap.get(event.task_id);
+        if (existing) {
+          existing.event_count++;
+        } else {
+          taskMap.set(event.task_id, { event_count: 1, first_seen: event.timestamp });
+        }
+      }
+      const allTraces = Array.from(taskMap.entries())
+        .map(([task_id, info]) => ({ task_id, ...info }))
+        .reverse();
+      const total = allTraces.length;
+      const totalPages = Math.max(1, Math.ceil(total / limit));
+      const offset = (page - 1) * limit;
+      const traces = allTraces.slice(offset, offset + limit);
+      res.send(traceListTemplate(traces, { page, limit, total, totalPages }));
+    } catch (err) {
+      const message = err instanceof Error ? err.message : 'Unknown error';
+      res.status(500).send(layoutTemplate('Error', 'traces',
+        `<div class="alert alert-error">Failed to load traces: ${escapeHtml(message)}</div>`));
+    }
+  });
+  // ---------- GET /admin/traces/:task_id -- Trace detail ----------
+  router.get('/traces/:task_id', (req, res) => {
+    try {
+      const taskId = req.params.task_id;
+      const events = gateway.getTaskTrace(taskId);
+      res.send(traceDetailTemplate(taskId, events));
+    } catch (err) {
+      const message = err instanceof Error ? err.message : 'Unknown error';
+      res.status(500).send(layoutTemplate('Error', 'traces',
+        `<div class="alert alert-error">Failed to load trace detail: ${escapeHtml(message)}</div>`));
+    }
+  });
+  // ---------- GET /admin/api-keys -- API key management ----------
+  router.get('/api-keys', (req, res) => {
+    try {
+      const keys = getApiKeysFromConfig(config);
+      const csrfToken = generateCSRFToken();
+      const createdKey = typeof req.query.created === 'string' ? req.query.created : undefined;
+      res.send(apiKeysTemplate(keys, csrfToken, createdKey));
+    } catch (err) {
+      const message = err instanceof Error ? err.message : 'Unknown error';
+      res.status(500).send(layoutTemplate('Error', 'api-keys',
+        `<div class="alert alert-error">Failed to load API keys: ${escapeHtml(message)}</div>`));
+    }
+  });
+  // ---------- POST /admin/api-keys -- Create new API key ----------
+  router.post('/api-keys', (req, res) => {
+    if (!validateCSRFToken(req.body._csrf)) {
+      res.status(403).send('Invalid or missing CSRF token');
+      return;
+    }
+    const workspaceId = req.body.workspace_id || 'ws_default';
+    const description = req.body.description || '';
+    const newKey = `key-${randomUUID().replace(/-/g, '').substring(0, 16)}`;
+    config.auth.api_keys[newKey] = {
+      workspace_id: workspaceId,
+      description: description,
+      created_at: new Date().toISOString(),
+    };
+    res.redirect('/admin/api-keys?created=' + encodeURIComponent(newKey));
+  });
+  // ---------- POST /admin/api-keys/:key/revoke -- Revoke an API key ----------
+  router.post('/api-keys/:key/revoke', (req, res) => {
+    if (!validateCSRFToken(req.body._csrf)) {
+      res.status(403).send('Invalid or missing CSRF token');
+      return;
+    }
+    const key = req.params.key;
+    if (config.auth.api_keys[key]) {
+      config.auth.api_keys[key].revoked = true;
+    }
+    res.redirect('/admin/api-keys');
+  });
+  return router;
+}
+/** Extract API key info from the gateway config */
+function getApiKeysFromConfig(config: GatewayConfig): ApiKeyInfo[] {
+  const keys: ApiKeyInfo[] = [];
+  for (const [key, keyConfig] of Object.entries(config.auth.api_keys)) {
+    keys.push({
+      key,
+      workspace_id: keyConfig.workspace_id,
+      description: keyConfig.description,
+      roles: keyConfig.roles,
+      created_at: keyConfig.created_at,
+      last_used_at: keyConfig.last_used_at,
+      revoked: keyConfig.revoked,
+      expires_at: keyConfig.expires_at,
+    });
+  }
+  return keys;
+}