web-agent-bridge 1.0.0 → 1.1.0

package/server/models/db.js

@@ -1,8 +1,10 @@
 const Database = require('better-sqlite3');
 const path = require('path');
 const fs = require('fs');
+const crypto = require('crypto');
 const bcrypt = require('bcryptjs');
 const { v4: uuidv4 } = require('uuid');
+const { encryptOptional, decryptOptional } = require('../utils/secureFields');
 
 const isTest = process.env.NODE_ENV === 'test';
 const DATA_DIR = isTest
@@ -71,6 +73,101 @@ db.exec(`
   CREATE INDEX IF NOT EXISTS idx_sites_license ON sites(license_key);
   CREATE INDEX IF NOT EXISTS idx_analytics_site ON analytics(site_id);
   CREATE INDEX IF NOT EXISTS idx_analytics_created ON analytics(created_at);
+
+  CREATE TABLE IF NOT EXISTS admins (
+    id TEXT PRIMARY KEY,
+    email TEXT UNIQUE NOT NULL,
+    password TEXT NOT NULL,
+    name TEXT NOT NULL,
+    role TEXT DEFAULT 'admin' CHECK(role IN ('admin','superadmin')),
+    created_at TEXT DEFAULT (datetime('now'))
+  );
+
+  CREATE TABLE IF NOT EXISTS free_grants (
+    id TEXT PRIMARY KEY,
+    user_id TEXT NOT NULL,
+    site_id TEXT,
+    granted_tier TEXT NOT NULL CHECK(granted_tier IN ('starter','pro','enterprise')),
+    reason TEXT,
+    granted_by TEXT NOT NULL,
+    granted_at TEXT DEFAULT (datetime('now')),
+    expires_at TEXT,
+    active INTEGER DEFAULT 1,
+    FOREIGN KEY (user_id) REFERENCES users(id) ON DELETE CASCADE,
+    FOREIGN KEY (granted_by) REFERENCES admins(id)
+  );
+
+  CREATE TABLE IF NOT EXISTS stripe_customers (
+    id TEXT PRIMARY KEY,
+    user_id TEXT UNIQUE NOT NULL,
+    stripe_customer_id TEXT UNIQUE,
+    created_at TEXT DEFAULT (datetime('now')),
+    FOREIGN KEY (user_id) REFERENCES users(id) ON DELETE CASCADE
+  );
+
+  CREATE TABLE IF NOT EXISTS stripe_subscriptions (
+    id TEXT PRIMARY KEY,
+    user_id TEXT NOT NULL,
+    site_id TEXT NOT NULL,
+    stripe_subscription_id TEXT UNIQUE,
+    stripe_price_id TEXT,
+    tier TEXT NOT NULL CHECK(tier IN ('starter','pro','enterprise')),
+    status TEXT DEFAULT 'active' CHECK(status IN ('active','cancelled','past_due','trialing','incomplete')),
+    current_period_start TEXT,
+    current_period_end TEXT,
+    created_at TEXT DEFAULT (datetime('now')),
+    FOREIGN KEY (user_id) REFERENCES users(id) ON DELETE CASCADE,
+    FOREIGN KEY (site_id) REFERENCES sites(id) ON DELETE CASCADE
+  );
+
+  CREATE TABLE IF NOT EXISTS payments (
+    id TEXT PRIMARY KEY,
+    user_id TEXT NOT NULL,
+    stripe_payment_id TEXT UNIQUE,
+    amount INTEGER NOT NULL,
+    currency TEXT DEFAULT 'usd',
+    status TEXT DEFAULT 'succeeded',
+    description TEXT,
+    created_at TEXT DEFAULT (datetime('now')),
+    FOREIGN KEY (user_id) REFERENCES users(id) ON DELETE CASCADE
+  );
+
+  CREATE TABLE IF NOT EXISTS notifications_log (
+    id INTEGER PRIMARY KEY AUTOINCREMENT,
+    user_id TEXT,
+    email_to TEXT NOT NULL,
+    template TEXT NOT NULL,
+    subject TEXT NOT NULL,
+    status TEXT DEFAULT 'sent' CHECK(status IN ('sent','failed','queued')),
+    error_message TEXT,
+    created_at TEXT DEFAULT (datetime('now'))
+  );
+
+  CREATE TABLE IF NOT EXISTS smtp_settings (
+    id INTEGER PRIMARY KEY CHECK(id = 1),
+    host TEXT,
+    port INTEGER DEFAULT 587,
+    secure INTEGER DEFAULT 0,
+    username TEXT,
+    password TEXT,
+    from_name TEXT DEFAULT 'Web Agent Bridge',
+    from_email TEXT,
+    enabled INTEGER DEFAULT 0,
+    updated_at TEXT DEFAULT (datetime('now'))
+  );
+
+  INSERT OR IGNORE INTO smtp_settings (id) VALUES (1);
+
+  CREATE TABLE IF NOT EXISTS platform_settings (
+    key TEXT PRIMARY KEY,
+    value TEXT,
+    updated_at TEXT DEFAULT (datetime('now'))
+  );
+
+  CREATE INDEX IF NOT EXISTS idx_free_grants_user ON free_grants(user_id);
+  CREATE INDEX IF NOT EXISTS idx_stripe_subs_user ON stripe_subscriptions(user_id);
+  CREATE INDEX IF NOT EXISTS idx_payments_user ON payments(user_id);
+  CREATE INDEX IF NOT EXISTS idx_notifications_user ON notifications_log(user_id);
 `);
 
 function generateLicenseKey() {
@@ -78,7 +175,8 @@ function generateLicenseKey() {
   const segments = [];
   for (let s = 0; s < 4; s++) {
     let seg = '';
-    for (let i = 0; i < 5; i++) seg += chars[Math.floor(Math.random() * chars.length)];
+    const bytes = crypto.randomBytes(5);
+    for (let i = 0; i < 5; i++) seg += chars[bytes[i] % chars.length];
     segments.push(seg);
   }
   return `WAB-${segments.join('-')}`;
@@ -169,6 +267,10 @@ function verifyLicense(domain, licenseKey) {
     return { valid: false, error: 'Invalid license key', tier: 'free' };
   }
 
+  // Check for free grant override
+  const grant = db.prepare(`SELECT * FROM free_grants WHERE user_id = ? AND (site_id = ? OR site_id IS NULL) AND active = 1 AND (expires_at IS NULL OR expires_at > datetime('now')) ORDER BY granted_at DESC LIMIT 1`).get(site.user_id, site.id);
+  const effectiveTier = grant ? grant.granted_tier : site.tier;
+
   const tierPermissions = {
     free: { apiAccess: false, automatedLogin: false, extractData: false, advancedAnalytics: false },
     starter: { apiAccess: false, automatedLogin: true, extractData: false, advancedAnalytics: true },
@@ -178,17 +280,238 @@ function verifyLicense(domain, licenseKey) {
 
   return {
     valid: true,
-    tier: site.tier,
+    tier: effectiveTier,
     domain: site.domain,
-    allowedPermissions: tierPermissions[site.tier] || tierPermissions.free
+    allowedPermissions: tierPermissions[effectiveTier] || tierPermissions.free
   };
 }
 
+// ─── Admin Operations ─────────────────────────────────────────────────
+function createAdmin({ email, password, name, role }) {
+  const id = uuidv4();
+  const hashed = bcrypt.hashSync(password, 12);
+  db.prepare(`INSERT INTO admins (id, email, password, name, role) VALUES (?, ?, ?, ?, ?)`).run(id, email, hashed, name, role || 'admin');
+  return { id, email, name, role: role || 'admin' };
+}
+
+function loginAdmin({ email, password }) {
+  const admin = db.prepare(`SELECT * FROM admins WHERE email = ?`).get(email);
+  if (!admin) return null;
+  if (!bcrypt.compareSync(password, admin.password)) return null;
+  return { id: admin.id, email: admin.email, name: admin.name, role: admin.role };
+}
+
+function findAdminById(id) {
+  return db.prepare(`SELECT id, email, name, role, created_at FROM admins WHERE id = ?`).get(id);
+}
+
+/**
+ * First-run admin creation from env only (no hardcoded password).
+ * Alternatively use: node scripts/create-admin.js <email> <password>
+ */
+function maybeBootstrapAdmin() {
+  if (isTest) return;
+  const count = db.prepare(`SELECT COUNT(*) as c FROM admins`).get().c;
+  if (count > 0) return;
+  const email = process.env.BOOTSTRAP_ADMIN_EMAIL;
+  const password = process.env.BOOTSTRAP_ADMIN_PASSWORD;
+  if (!email || !password) {
+    console.warn('[WAB] No admin accounts. Set BOOTSTRAP_ADMIN_EMAIL and BOOTSTRAP_ADMIN_PASSWORD for first boot, or run: node scripts/create-admin.js <email> <password>');
+    return;
+  }
+  createAdmin({ email, password, name: 'Bootstrap Admin', role: 'superadmin' });
+  console.log('[WAB] Bootstrap admin created from BOOTSTRAP_ADMIN_* environment variables.');
+}
+
+// ─── Admin Queries ────────────────────────────────────────────────────
+function getAllUsers() {
+  return db.prepare(`SELECT id, email, name, company, created_at FROM users ORDER BY created_at DESC`).all();
+}
+
+function getAllSites() {
+  return db.prepare(`SELECT s.*, u.email as user_email, u.name as user_name FROM sites s LEFT JOIN users u ON s.user_id = u.id ORDER BY s.created_at DESC`).all();
+}
+
+function getAdminStats() {
+  const totalUsers = db.prepare(`SELECT COUNT(*) as c FROM users`).get().c;
+  const totalSites = db.prepare(`SELECT COUNT(*) as c FROM sites WHERE active = 1`).get().c;
+  const totalAnalytics = db.prepare(`SELECT COUNT(*) as c FROM analytics`).get().c;
+  const todayAnalytics = db.prepare(`SELECT COUNT(*) as c FROM analytics WHERE created_at >= date('now')`).get().c;
+  const tierBreakdown = db.prepare(`SELECT tier, COUNT(*) as count FROM sites WHERE active = 1 GROUP BY tier`).all();
+  const recentUsers = db.prepare(`SELECT id, email, name, company, created_at FROM users ORDER BY created_at DESC LIMIT 10`).all();
+  const totalRevenue = db.prepare(`SELECT COALESCE(SUM(amount), 0) as total FROM payments WHERE status = 'succeeded'`).get().total;
+  const activeGrants = db.prepare(`SELECT COUNT(*) as c FROM free_grants WHERE active = 1 AND (expires_at IS NULL OR expires_at > datetime('now'))`).get().c;
+  const monthlySignups = db.prepare(`SELECT COUNT(*) as c FROM users WHERE created_at >= date('now', '-30 days')`).get().c;
+  return { totalUsers, totalSites, totalAnalytics, todayAnalytics, tierBreakdown, recentUsers, totalRevenue, activeGrants, monthlySignups };
+}
+
+function getPlatformAnalytics(days) {
+  const since = new Date(Date.now() - days * 86400000).toISOString();
+  const timeline = db.prepare(`SELECT date(created_at) as day, COUNT(*) as count FROM analytics WHERE created_at >= ? GROUP BY day ORDER BY day`).all(since);
+  const topActions = db.prepare(`SELECT action_name, COUNT(*) as count FROM analytics WHERE created_at >= ? GROUP BY action_name ORDER BY count DESC LIMIT 20`).all(since);
+  const signups = db.prepare(`SELECT date(created_at) as day, COUNT(*) as count FROM users WHERE created_at >= ? GROUP BY day ORDER BY day`).all(since);
+  return { timeline, topActions, signups };
+}
+
+// ─── Free Grant Operations ────────────────────────────────────────────
+function grantFreeTier({ userId, siteId, tier, reason, grantedBy, expiresAt }) {
+  const id = uuidv4();
+  db.prepare(`INSERT INTO free_grants (id, user_id, site_id, granted_tier, reason, granted_by, expires_at) VALUES (?, ?, ?, ?, ?, ?, ?)`).run(id, userId, siteId || null, tier, reason || null, grantedBy, expiresAt || null);
+  if (siteId) {
+    db.prepare(`UPDATE sites SET tier = ?, updated_at = datetime('now') WHERE id = ?`).run(tier, siteId);
+  } else {
+    db.prepare(`UPDATE sites SET tier = ?, updated_at = datetime('now') WHERE user_id = ? AND active = 1`).run(tier, userId);
+  }
+  return { id, userId, siteId, tier, reason };
+}
+
+function revokeGrant(grantId) {
+  const grant = db.prepare(`SELECT * FROM free_grants WHERE id = ?`).get(grantId);
+  if (!grant) return false;
+  db.prepare(`UPDATE free_grants SET active = 0 WHERE id = ?`).run(grantId);
+  if (grant.site_id) {
+    db.prepare(`UPDATE sites SET tier = 'free', updated_at = datetime('now') WHERE id = ?`).run(grant.site_id);
+  } else {
+    db.prepare(`UPDATE sites SET tier = 'free', updated_at = datetime('now') WHERE user_id = ? AND active = 1`).run(grant.user_id);
+  }
+  return true;
+}
+
+function getActiveGrants() {
+  return db.prepare(`SELECT g.*, u.email as user_email, u.name as user_name, a.name as admin_name FROM free_grants g LEFT JOIN users u ON g.user_id = u.id LEFT JOIN admins a ON g.granted_by = a.id WHERE g.active = 1 ORDER BY g.granted_at DESC`).all();
+}
+
+// ─── Stripe DB Operations ─────────────────────────────────────────────
+function saveStripeCustomer(userId, stripeCustomerId) {
+  const id = uuidv4();
+  db.prepare(`INSERT OR REPLACE INTO stripe_customers (id, user_id, stripe_customer_id) VALUES (?, ?, ?)`).run(id, userId, stripeCustomerId);
+}
+
+function getStripeCustomer(userId) {
+  return db.prepare(`SELECT * FROM stripe_customers WHERE user_id = ?`).get(userId);
+}
+
+function saveStripeSubscription({ userId, siteId, stripeSubId, stripePriceId, tier, status, periodStart, periodEnd }) {
+  const id = uuidv4();
+  db.prepare(`INSERT INTO stripe_subscriptions (id, user_id, site_id, stripe_subscription_id, stripe_price_id, tier, status, current_period_start, current_period_end) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?)`).run(id, userId, siteId, stripeSubId, stripePriceId, tier, status || 'active', periodStart, periodEnd);
+}
+
+function updateStripeSubscription(stripeSubId, { status, periodStart, periodEnd, tier }) {
+  const updates = [];
+  const params = [];
+  if (status) { updates.push('status = ?'); params.push(status); }
+  if (periodStart) { updates.push('current_period_start = ?'); params.push(periodStart); }
+  if (periodEnd) { updates.push('current_period_end = ?'); params.push(periodEnd); }
+  if (tier) { updates.push('tier = ?'); params.push(tier); }
+  if (updates.length === 0) return;
+  params.push(stripeSubId);
+  db.prepare(`UPDATE stripe_subscriptions SET ${updates.join(', ')} WHERE stripe_subscription_id = ?`).run(...params);
+}
+
+function getStripeSubscriptionBySubId(stripeSubId) {
+  return db.prepare(`SELECT * FROM stripe_subscriptions WHERE stripe_subscription_id = ?`).get(stripeSubId);
+}
+
+function savePayment({ userId, stripePaymentId, amount, currency, status, description }) {
+  const id = uuidv4();
+  db.prepare(`INSERT INTO payments (id, user_id, stripe_payment_id, amount, currency, status, description) VALUES (?, ?, ?, ?, ?, ?, ?)`).run(id, userId, stripePaymentId, amount, currency || 'usd', status || 'succeeded', description || null);
+}
+
+function getPayments(limit) {
+  return db.prepare(`SELECT p.*, u.email as user_email, u.name as user_name FROM payments p LEFT JOIN users u ON p.user_id = u.id ORDER BY p.created_at DESC LIMIT ?`).all(limit || 50);
+}
+
+// ─── SMTP Settings ────────────────────────────────────────────────────
+function getSmtpSettings() {
+  const row = db.prepare(`SELECT * FROM smtp_settings WHERE id = 1`).get();
+  if (!row) return null;
+  if (row.password) {
+    const dec = decryptOptional(row.password);
+    return { ...row, password: dec != null ? dec : row.password };
+  }
+  return row;
+}
+
+function updateSmtpSettings({ host, port, secure, username, password, fromName, fromEmail, enabled }) {
+  const current = db.prepare(`SELECT password FROM smtp_settings WHERE id = 1`).get();
+  let nextPassword = current && current.password;
+  if (password !== undefined) {
+    nextPassword = encryptOptional(password);
+  }
+  db.prepare(`UPDATE smtp_settings SET host = ?, port = ?, secure = ?, username = ?, password = ?, from_name = ?, from_email = ?, enabled = ?, updated_at = datetime('now') WHERE id = 1`).run(host, port || 587, secure ? 1 : 0, username, nextPassword, fromName || 'Web Agent Bridge', fromEmail, enabled ? 1 : 0);
+}
+
+function logNotification({ userId, emailTo, template, subject, status, errorMessage }) {
+  db.prepare(`INSERT INTO notifications_log (user_id, email_to, template, subject, status, error_message) VALUES (?, ?, ?, ?, ?, ?)`).run(userId || null, emailTo, template, subject, status || 'sent', errorMessage || null);
+}
+
+function getNotificationLogs(limit) {
+  return db.prepare(`SELECT * FROM notifications_log ORDER BY created_at DESC LIMIT ?`).all(limit || 100);
+}
+
+// ─── Admin User Management ───────────────────────────────────────────
+function adminUpdateUserTier(userId, siteId, tier) {
+  if (siteId) {
+    db.prepare(`UPDATE sites SET tier = ?, updated_at = datetime('now') WHERE id = ? AND user_id = ?`).run(tier, siteId, userId);
+  } else {
+    db.prepare(`UPDATE sites SET tier = ?, updated_at = datetime('now') WHERE user_id = ? AND active = 1`).run(tier, userId);
+  }
+}
+
+/**
+ * Admin: update any site by id (tier and/or active).
+ *
+ * @param {string} siteId Site UUID.
+ * @param {{ tier?: string, active?: boolean }} updates Partial updates.
+ * @returns {boolean}
+ */
+function adminUpdateSite(siteId, updates) {
+  const site = findSiteById.get(siteId);
+  if (!site) return false;
+  let tier = site.tier;
+  let active = site.active;
+  if (updates.tier !== undefined) {
+    if (!['free', 'starter', 'pro', 'enterprise'].includes(updates.tier)) return false;
+    tier = updates.tier;
+  }
+  if (updates.active !== undefined) {
+    active = updates.active ? 1 : 0;
+  }
+  db.prepare(`UPDATE sites SET tier = ?, active = ?, updated_at = datetime('now') WHERE id = ?`).run(tier, active, siteId);
+  return true;
+}
+
+function adminDeleteUser(userId) {
+  db.prepare(`UPDATE sites SET active = 0 WHERE user_id = ?`).run(userId);
+  db.prepare(`DELETE FROM users WHERE id = ?`).run(userId);
+}
+
+function getUserFullDetails(userId) {
+  const user = db.prepare(`SELECT id, email, name, company, created_at FROM users WHERE id = ?`).get(userId);
+  if (!user) return null;
+  const sites = db.prepare(`SELECT * FROM sites WHERE user_id = ? ORDER BY created_at DESC`).all(userId);
+  const grants = db.prepare(`SELECT * FROM free_grants WHERE user_id = ? AND active = 1`).all(userId);
+  const payments = db.prepare(`SELECT * FROM payments WHERE user_id = ? ORDER BY created_at DESC`).all(userId);
+  const stripeCustomer = db.prepare(`SELECT * FROM stripe_customers WHERE user_id = ?`).get(userId);
+  return { ...user, sites, grants, payments, stripeCustomer };
+}
+
+// ─── Platform Settings ───────────────────────────────────────────────
+function getPlatformSetting(key) {
+  const row = db.prepare(`SELECT value FROM platform_settings WHERE key = ?`).get(key);
+  return row ? row.value : null;
+}
+
+function setPlatformSetting(key, value) {
+  db.prepare(`INSERT OR REPLACE INTO platform_settings (key, value, updated_at) VALUES (?, ?, datetime('now'))`).run(key, value);
+}
+
 module.exports = {
   db,
   registerUser,
   loginUser,
   findUserById,
+  findUserByEmail,
   addSite,
   findSitesByUser,
   findSiteById,
@@ -201,5 +524,38 @@ module.exports = {
   getAnalyticsTimeline,
   verifyLicense,
   generateLicenseKey,
-  generateApiKey
+  generateApiKey,
+  // Admin
+  createAdmin,
+  loginAdmin,
+  findAdminById,
+  maybeBootstrapAdmin,
+  getAllUsers,
+  getAllSites,
+  getAdminStats,
+  getPlatformAnalytics,
+  adminUpdateUserTier,
+  adminUpdateSite,
+  adminDeleteUser,
+  getUserFullDetails,
+  // Free Grants
+  grantFreeTier,
+  revokeGrant,
+  getActiveGrants,
+  // Stripe
+  saveStripeCustomer,
+  getStripeCustomer,
+  saveStripeSubscription,
+  updateStripeSubscription,
+  getStripeSubscriptionBySubId,
+  savePayment,
+  getPayments,
+  // SMTP
+  getSmtpSettings,
+  updateSmtpSettings,
+  logNotification,
+  getNotificationLogs,
+  // Platform
+  getPlatformSetting,
+  setPlatformSetting
 };

package/server/routes/admin.js

@@ -0,0 +1,247 @@
+/**
+ * Admin API Routes
+ * Full admin panel backend: users, sites, analytics, Stripe, SMTP, grants
+ */
+
+const express = require('express');
+const router = express.Router();
+const { authenticateAdmin, generateAdminToken } = require('../middleware/adminAuth');
+const {
+  loginAdmin, findAdminById, createAdmin,
+  getAllUsers, getAllSites, getAdminStats, getPlatformAnalytics,
+  getUserFullDetails, adminUpdateUserTier, adminUpdateSite, adminDeleteUser,
+  grantFreeTier, revokeGrant, getActiveGrants,
+  getSmtpSettings, updateSmtpSettings, getNotificationLogs,
+  getPayments, getPlatformSetting, setPlatformSetting,
+  findUserByEmail,
+  findSiteById,
+  getAnalyticsBySite,
+  getAnalyticsTimeline
+} = require('../models/db');
+const { sendEmail } = require('../services/email');
+const { createCheckoutSession, createPortalSession, isStripeConfigured, getStripePrices } = require('../services/stripe');
+
+// ─── Auth ──────────────────────────────────────────────────────────────
+
+router.post('/login', (req, res) => {
+  const { email, password } = req.body;
+  if (!email || !password) return res.status(400).json({ error: 'Email and password required' });
+
+  const admin = loginAdmin({ email, password });
+  if (!admin) return res.status(401).json({ error: 'Invalid credentials' });
+
+  const token = generateAdminToken(admin);
+  res.json({ admin, token });
+});
+
+router.get('/me', authenticateAdmin, (req, res) => {
+  const admin = findAdminById(req.admin.id);
+  if (!admin) return res.status(404).json({ error: 'Admin not found' });
+  res.json({ admin });
+});
+
+// ─── Dashboard Stats ──────────────────────────────────────────────────
+
+router.get('/stats', authenticateAdmin, (req, res) => {
+  const stats = getAdminStats();
+  stats.stripeConfigured = isStripeConfigured();
+  res.json(stats);
+});
+
+router.get('/analytics', authenticateAdmin, (req, res) => {
+  const days = parseInt(req.query.days) || 30;
+  const data = getPlatformAnalytics(days);
+  res.json(data);
+});
+
+// ─── Users Management ─────────────────────────────────────────────────
+
+router.get('/users', authenticateAdmin, (req, res) => {
+  const users = getAllUsers();
+  res.json({ users });
+});
+
+router.get('/users/:id', authenticateAdmin, (req, res) => {
+  const user = getUserFullDetails(req.params.id);
+  if (!user) return res.status(404).json({ error: 'User not found' });
+  res.json({ user });
+});
+
+router.put('/users/:id/tier', authenticateAdmin, (req, res) => {
+  const { tier, siteId } = req.body;
+  if (!['free', 'starter', 'pro', 'enterprise'].includes(tier)) {
+    return res.status(400).json({ error: 'Invalid tier' });
+  }
+  adminUpdateUserTier(req.params.id, siteId, tier);
+  res.json({ success: true });
+});
+
+router.delete('/users/:id', authenticateAdmin, (req, res) => {
+  adminDeleteUser(req.params.id);
+  res.json({ success: true });
+});
+
+// ─── Sites Management ─────────────────────────────────────────────────
+
+router.get('/sites', authenticateAdmin, (req, res) => {
+  const sites = getAllSites();
+  res.json({ sites });
+});
+
+router.put('/sites/:id', authenticateAdmin, (req, res) => {
+  const { tier, active } = req.body;
+  const ok = adminUpdateSite(req.params.id, { tier, active });
+  if (!ok) return res.status(404).json({ error: 'Site not found or invalid tier' });
+  res.json({ success: true });
+});
+
+router.get('/sites/:id/analytics', authenticateAdmin, (req, res) => {
+  const site = findSiteById.get(req.params.id);
+  if (!site) return res.status(404).json({ error: 'Site not found' });
+  const days = parseInt(req.query.days, 10) || 30;
+  const since = new Date(Date.now() - days * 86400000).toISOString();
+  const summary = getAnalyticsBySite.all(site.id, since);
+  const timeline = getAnalyticsTimeline.all(site.id, since);
+  res.json({
+    site: {
+      id: site.id,
+      name: site.name,
+      domain: site.domain,
+      tier: site.tier,
+      license_key: site.license_key
+    },
+    summary,
+    timeline,
+    period: `${days} days`
+  });
+});
+
+// ─── Free Grants ──────────────────────────────────────────────────────
+
+router.get('/grants', authenticateAdmin, (req, res) => {
+  const grants = getActiveGrants();
+  res.json({ grants });
+});
+
+router.post('/grants', authenticateAdmin, (req, res) => {
+  const { userId, siteId, tier, reason, expiresAt } = req.body;
+  if (!userId || !tier) return res.status(400).json({ error: 'userId and tier required' });
+  if (!['starter', 'pro', 'enterprise'].includes(tier)) return res.status(400).json({ error: 'Invalid tier' });
+
+  const grant = grantFreeTier({ userId, siteId, tier, reason, grantedBy: req.admin.id, expiresAt });
+
+  // Send notification email
+  const user = getUserFullDetails(userId);
+  if (user) {
+    sendEmail({
+      to: user.email,
+      template: 'tier_upgrade',
+      data: { name: user.name, tier, reason: reason || 'Complimentary upgrade' },
+      userId
+    }).catch(() => {});
+  }
+
+  res.status(201).json({ grant });
+});
+
+router.delete('/grants/:id', authenticateAdmin, (req, res) => {
+  const ok = revokeGrant(req.params.id);
+  if (!ok) return res.status(404).json({ error: 'Grant not found' });
+  res.json({ success: true });
+});
+
+// ─── Stripe Settings ─────────────────────────────────────────────────
+
+router.get('/stripe/config', authenticateAdmin, (req, res) => {
+  const secretKey = getPlatformSetting('stripe_secret_key');
+  const publishableKey = getPlatformSetting('stripe_publishable_key');
+  const webhookSecret = getPlatformSetting('stripe_webhook_secret');
+  const prices = getStripePrices();
+
+  res.json({
+    configured: isStripeConfigured(),
+    hasSecretKey: !!secretKey,
+    publishableKey: publishableKey || '',
+    webhookSecret: webhookSecret ? '••••' + webhookSecret.slice(-4) : '',
+    prices
+  });
+});
+
+router.put('/stripe/config', authenticateAdmin, (req, res) => {
+  const { secretKey, publishableKey, webhookSecret, priceStarter, pricePro, priceEnterprise } = req.body;
+
+  if (secretKey) setPlatformSetting('stripe_secret_key', secretKey);
+  if (publishableKey) setPlatformSetting('stripe_publishable_key', publishableKey);
+  if (webhookSecret) setPlatformSetting('stripe_webhook_secret', webhookSecret);
+  if (priceStarter) setPlatformSetting('stripe_price_starter', priceStarter);
+  if (pricePro) setPlatformSetting('stripe_price_pro', pricePro);
+  if (priceEnterprise) setPlatformSetting('stripe_price_enterprise', priceEnterprise);
+
+  res.json({ success: true });
+});
+
+// ─── Payments ──────────────────────────────────────────────────────────
+
+router.get('/payments', authenticateAdmin, (req, res) => {
+  const limit = parseInt(req.query.limit) || 50;
+  const payments = getPayments(limit);
+  res.json({ payments });
+});
+
+// ─── SMTP Settings ────────────────────────────────────────────────────
+
+router.get('/smtp', authenticateAdmin, (req, res) => {
+  const settings = getSmtpSettings();
+  // Mask password
+  if (settings && settings.password) {
+    settings.password = '••••••••';
+  }
+  res.json({ settings });
+});
+
+router.put('/smtp', authenticateAdmin, (req, res) => {
+  const { host, port, secure, username, password, fromName, fromEmail, enabled } = req.body;
+  if (!host || !username || !fromEmail) {
+    return res.status(400).json({ error: 'Host, username, and fromEmail are required' });
+  }
+  updateSmtpSettings({ host, port, secure, username, password, fromName, fromEmail, enabled });
+  res.json({ success: true });
+});
+
+router.post('/smtp/test', authenticateAdmin, (req, res) => {
+  const { testEmail } = req.body;
+  if (!testEmail) return res.status(400).json({ error: 'testEmail required' });
+
+  sendEmail({
+    to: testEmail,
+    template: 'welcome',
+    data: { name: 'Test User', dashboardUrl: 'https://webagentbridge.com/dashboard' }
+  }).then(result => {
+    res.json(result);
+  }).catch(err => {
+    res.status(500).json({ success: false, error: err.message });
+  });
+});
+
+// ─── Notification Logs ────────────────────────────────────────────────
+
+router.get('/notifications', authenticateAdmin, (req, res) => {
+  const limit = parseInt(req.query.limit) || 100;
+  const logs = getNotificationLogs(limit);
+  res.json({ logs });
+});
+
+// ─── Send Custom Notification ─────────────────────────────────────────
+
+router.post('/notifications/send', authenticateAdmin, (req, res) => {
+  const { userId, email, template, data } = req.body;
+  if (!email || !template) return res.status(400).json({ error: 'email and template required' });
+
+  sendEmail({ to: email, template, data: data || {}, userId }).then(result => {
+    res.json(result);
+  }).catch(err => {
+    res.status(500).json({ success: false, error: err.message });
+  });
+});
+
+module.exports = router;