whale-code 6.4.0

package/dist/server/handlers/nodes.js

@@ -0,0 +1,699 @@
+// handlers/nodes.ts — Node & Channel management endpoints
+// Auth: User JWT for management, Node API key for node operations
+import { createHash, randomBytes, randomUUID } from "node:crypto";
+import { checkPlanLimits, incrementUsage } from "./billing.js";
+let agentInvoker = null;
+/** Set the agent invoker — called once from index.ts to break circular dependency */
+export function setNodeAgentInvoker(invoker) {
+    agentInvoker = invoker;
+}
+// ============================================================================
+// HELPERS
+// ============================================================================
+function hashApiKey(key) {
+    return createHash("sha256").update(key).digest("hex");
+}
+function generateNodeApiKey() {
+    return randomBytes(32).toString("hex");
+}
+/** Authenticate a node by API key, returns node row or null */
+async function authenticateNode(supabase, apiKey) {
+    const hash = hashApiKey(apiKey);
+    const { data } = await supabase
+        .from("nodes")
+        .select("id, store_id, name")
+        .eq("api_key_hash", hash)
+        .single();
+    return data;
+}
+/** Log a node event to both node_events and audit_logs (unified telemetry) */
+async function logNodeEvent(supabase, storeId, nodeId, eventType, details = {}) {
+    // node_events — existing table for node lifecycle
+    await supabase.from("node_events").insert({
+        store_id: storeId,
+        node_id: nodeId,
+        event_type: eventType,
+        details,
+    });
+    // audit_logs — unified telemetry (same schema as tool/chat spans)
+    try {
+        const now = new Date();
+        const auditRow = {
+            action: `node.${eventType}`,
+            severity: "info",
+            store_id: storeId,
+            resource_type: "whale_node",
+            resource_id: nodeId,
+            source: "whale-node",
+            user_id: (details.registered_by || details.deleted_by || null),
+            trace_id: randomUUID(),
+            span_kind: "INTERNAL",
+            service_name: "whale-node",
+            status_code: "OK",
+            start_time: now.toISOString(),
+            end_time: now.toISOString(),
+            details: { ...details, node_id: nodeId, event_type: eventType },
+        };
+        const { error } = await supabase.from("audit_logs").insert(auditRow);
+        // Retry without store_id on FK constraint
+        if (error?.message?.includes("store_id")) {
+            auditRow.store_id = null;
+            await supabase.from("audit_logs").insert(auditRow);
+        }
+    }
+    catch {
+        // Audit must never break node operations
+    }
+}
+/** Resolve or create a conversation for a sender on a channel.
+ *  Reuses conversation if last message from same sender was < 30 min ago.
+ *  Creates an ai_conversations row for new sessions so telemetry/history works.
+ *  Resolves customer identity from the dynamic bridge table. */
+async function resolveConversation(supabase, channelId, senderId, storeId, channelType, senderName) {
+    // ── Resolve customer identity (best-effort, any channel type) ──
+    let customerId = null;
+    let customerName = null;
+    if (channelType) {
+        try {
+            const { data } = await supabase.rpc("resolve_sender_to_customer", {
+                p_store_id: storeId,
+                p_channel_type: channelType,
+                p_sender_id: senderId,
+                p_sender_name: senderName || null,
+            });
+            if (data?.length) {
+                customerId = data[0].customer_id;
+                customerName = data[0].customer_name;
+            }
+        }
+        catch { /* customer resolution non-critical */ }
+    }
+    // ── 30-min window — reuse existing conversation ──
+    const thirtyMinAgo = new Date(Date.now() - 30 * 60 * 1000).toISOString();
+    const { data: recent } = await supabase
+        .from("channel_messages")
+        .select("conversation_id")
+        .eq("channel_id", channelId)
+        .eq("sender_id", senderId)
+        .gt("created_at", thirtyMinAgo)
+        .not("conversation_id", "is", null)
+        .order("created_at", { ascending: false })
+        .limit(1);
+    if (recent?.length && recent[0].conversation_id) {
+        // Backfill customer_id on existing conversation if newly resolved
+        if (customerId) {
+            Promise.resolve(supabase.from("ai_conversations")
+                .update({ customer_id: customerId })
+                .eq("id", recent[0].conversation_id)
+                .is("customer_id", null)).catch(() => { });
+        }
+        return { conversationId: recent[0].conversation_id, customerId, customerName, isNewSession: false };
+    }
+    // ── New session — create ai_conversations row ──
+    const newId = randomUUID();
+    const title = senderName
+        ? `${senderName} via ${channelType || "channel"}`
+        : `${senderId} via ${channelType || "channel"}`;
+    try {
+        await supabase.from("ai_conversations").insert({
+            id: newId,
+            store_id: storeId,
+            agent_id: null, // set later by invokeAgentForChannel
+            channel_id: channelId,
+            sender_id: senderId,
+            channel_type: channelType || null,
+            customer_id: customerId,
+            title,
+            metadata: { source: "channel", channel_type: channelType || "unknown" },
+        });
+    }
+    catch { /* ai_conversations insert non-critical — agent still works without it */ }
+    return { conversationId: newId, customerId, customerName, isNewSession: true };
+}
+// ============================================================================
+// ROUTE HANDLER
+// ============================================================================
+export async function handleNodeRoutes(pathname, method, body, supabase, auth, queryParams) {
+    // ── POST /nodes/register ──────────────────────────────────────
+    // User auth required. Creates a node and returns API key (shown once).
+    if (pathname === "/nodes/register" && method === "POST") {
+        if (!auth.userId && !auth.isServiceRole) {
+            return { status: 401, body: { error: "User authentication required" } };
+        }
+        if (!body)
+            return { status: 400, body: { error: "Request body required" } };
+        const reg = body;
+        if (!reg.name || !reg.store_id) {
+            return { status: 400, body: { error: "name and store_id required" } };
+        }
+        // Verify user has access to this store
+        if (auth.userId) {
+            const { data: stores } = await supabase
+                .from("user_stores")
+                .select("store_id")
+                .eq("user_id", auth.userId)
+                .eq("store_id", reg.store_id);
+            if (!stores?.length) {
+                return { status: 403, body: { error: "No access to this store" } };
+            }
+        }
+        // Check node limit against store plan
+        const { data: planRow } = await supabase
+            .from("store_plans")
+            .select("plan, limits")
+            .eq("store_id", reg.store_id)
+            .single();
+        const planLimits = planRow?.limits;
+        const nodesMax = planLimits?.nodes_max ?? 1; // free plan default
+        const { count } = await supabase
+            .from("nodes")
+            .select("id", { count: "exact", head: true })
+            .eq("store_id", reg.store_id);
+        if ((count || 0) >= nodesMax) {
+            return { status: 429, body: { error: `Node limit reached (${count}/${nodesMax} on ${planRow?.plan || "free"} plan)` } };
+        }
+        const apiKey = generateNodeApiKey();
+        const apiKeyHash = hashApiKey(apiKey);
+        const { data: node, error } = await supabase
+            .from("nodes")
+            .insert({
+            store_id: reg.store_id,
+            name: reg.name,
+            api_key_hash: apiKeyHash,
+            capabilities: reg.capabilities || [],
+            hardware: reg.hardware || {},
+            version: reg.version || "1.0.0",
+            status: "offline",
+        })
+            .select("id, name, store_id, status, created_at")
+            .single();
+        if (error) {
+            return { status: 500, body: { error: error.message } };
+        }
+        await logNodeEvent(supabase, reg.store_id, node.id, "registered", {
+            name: reg.name,
+            registered_by: auth.userId,
+        });
+        return {
+            status: 201,
+            body: {
+                success: true,
+                node,
+                api_key: apiKey, // Shown ONCE — user must save this
+                message: "Save your API key — it cannot be retrieved later.",
+            },
+        };
+    }
+    // ── POST /nodes/heartbeat ─────────────────────────────────────
+    // Node API key auth. Updates status + hardware info.
+    if (pathname === "/nodes/heartbeat" && method === "POST") {
+        const node = await authenticateNode(supabase, auth.rawToken);
+        if (!node) {
+            return { status: 401, body: { error: "Invalid node API key" } };
+        }
+        const hb = body;
+        const updates = {
+            status: "online",
+            last_heartbeat: new Date().toISOString(),
+            updated_at: new Date().toISOString(),
+        };
+        if (hb.hardware)
+            updates.hardware = hb.hardware;
+        if (hb.capabilities)
+            updates.capabilities = hb.capabilities;
+        if (hb.version)
+            updates.version = hb.version;
+        await supabase.from("nodes").update(updates).eq("id", node.id);
+        // Sync channel statuses if reported
+        if (hb.channels?.length) {
+            for (const ch of hb.channels) {
+                await supabase
+                    .from("channels")
+                    .update({ status: ch.status, updated_at: new Date().toISOString() })
+                    .eq("node_id", node.id)
+                    .eq("type", ch.type);
+            }
+        }
+        return {
+            status: 200,
+            body: { success: true, node_id: node.id },
+        };
+    }
+    // ── GET|POST /nodes ────────────────────────────────────────────
+    // User auth. Lists nodes for a store.
+    if (pathname === "/nodes" && (method === "GET" || method === "POST")) {
+        // store_id from body or query params
+        const storeId = body?.store_id || queryParams?.get("store_id");
+        if (!storeId) {
+            return { status: 400, body: { error: "store_id required" } };
+        }
+        const { data: nodes, error } = await supabase
+            .from("nodes")
+            .select("id, name, status, hardware, capabilities, version, ip_address, last_heartbeat, created_at")
+            .eq("store_id", storeId)
+            .order("created_at", { ascending: false });
+        if (error) {
+            return { status: 500, body: { error: error.message } };
+        }
+        // Also fetch channels per node
+        const nodeIds = (nodes || []).map((n) => n.id);
+        const { data: channels } = nodeIds.length
+            ? await supabase
+                .from("channels")
+                .select("id, node_id, type, name, status, stats")
+                .in("node_id", nodeIds)
+            : { data: [] };
+        // Attach channels to nodes
+        const result = (nodes || []).map((n) => ({
+            ...n,
+            channels: (channels || []).filter((c) => c.node_id === n.id),
+        }));
+        return { status: 200, body: { success: true, nodes: result } };
+    }
+    // ── DELETE /nodes/:id ─────────────────────────────────────────
+    // User auth. Deletes a node and all its channels.
+    const deleteMatch = pathname.match(/^\/nodes\/([a-f0-9-]+)$/);
+    if (deleteMatch && method === "DELETE") {
+        const nodeId = deleteMatch[1];
+        // Verify ownership
+        const { data: node } = await supabase
+            .from("nodes")
+            .select("id, store_id, name")
+            .eq("id", nodeId)
+            .single();
+        if (!node) {
+            return { status: 404, body: { error: "Node not found" } };
+        }
+        if (auth.userId) {
+            const { data: stores } = await supabase
+                .from("user_stores")
+                .select("store_id")
+                .eq("user_id", auth.userId)
+                .eq("store_id", node.store_id);
+            if (!stores?.length) {
+                return { status: 403, body: { error: "No access to this node" } };
+            }
+        }
+        await logNodeEvent(supabase, node.store_id, nodeId, "deleted", {
+            name: node.name,
+            deleted_by: auth.userId,
+        });
+        const { error } = await supabase.from("nodes").delete().eq("id", nodeId);
+        if (error) {
+            return { status: 500, body: { error: error.message } };
+        }
+        return { status: 200, body: { success: true, deleted: nodeId } };
+    }
+    // ── POST /channels ───────────────────────────────────────────
+    // User auth OR node API key. Registers a channel on a node.
+    if (pathname === "/channels" && method === "POST") {
+        if (!body)
+            return { status: 400, body: { error: "Request body required" } };
+        const reg = body;
+        if (!reg.store_id || !reg.node_id || !reg.type || !reg.name) {
+            return { status: 400, body: { error: "store_id, node_id, type, and name required" } };
+        }
+        // Verify node exists and belongs to store
+        const { data: node } = await supabase
+            .from("nodes")
+            .select("id, store_id")
+            .eq("id", reg.node_id)
+            .eq("store_id", reg.store_id)
+            .single();
+        if (!node) {
+            return { status: 404, body: { error: "Node not found in this store" } };
+        }
+        // Check channel-per-node limit against store plan
+        const { data: chanPlanRow } = await supabase
+            .from("store_plans")
+            .select("plan, limits")
+            .eq("store_id", reg.store_id)
+            .single();
+        const chanPlanLimits = chanPlanRow?.limits;
+        const channelsPerNode = chanPlanLimits?.channels_per_node ?? 2; // free plan default
+        const { count: existingChannels } = await supabase
+            .from("channels")
+            .select("id", { count: "exact", head: true })
+            .eq("node_id", reg.node_id);
+        if ((existingChannels || 0) >= channelsPerNode) {
+            return { status: 429, body: { error: `Channel limit reached (${existingChannels}/${channelsPerNode} per node on ${chanPlanRow?.plan || "free"} plan)` } };
+        }
+        const { data: channel, error } = await supabase
+            .from("channels")
+            .insert({
+            store_id: reg.store_id,
+            node_id: reg.node_id,
+            type: reg.type,
+            name: reg.name,
+            config: reg.config || {},
+            agent_id: reg.agent_id || null,
+            status: "inactive",
+        })
+            .select("id, type, name, status, created_at")
+            .single();
+        if (error) {
+            return { status: 500, body: { error: error.message } };
+        }
+        await logNodeEvent(supabase, reg.store_id, reg.node_id, "channel_added", {
+            channel_id: channel.id,
+            type: reg.type,
+            name: reg.name,
+        });
+        return { status: 201, body: { success: true, channel } };
+    }
+    // ── GET|POST /channels/list ──────────────────────────────────
+    // User auth. Lists channels for a store.
+    if (pathname === "/channels/list" && (method === "GET" || method === "POST")) {
+        const storeId = body?.store_id || queryParams?.get("store_id");
+        if (!storeId) {
+            return { status: 400, body: { error: "store_id required" } };
+        }
+        const { data: channels, error } = await supabase
+            .from("channels")
+            .select(`
+        id, node_id, type, name, status, config, agent_id, stats,
+        error_message, created_at, updated_at,
+        nodes!inner(id, name, status)
+      `)
+            .eq("store_id", storeId)
+            .order("created_at", { ascending: false });
+        if (error) {
+            return { status: 500, body: { error: error.message } };
+        }
+        return { status: 200, body: { success: true, channels: channels || [] } };
+    }
+    // ── PATCH /channels/:id ────────────────────────────────────────
+    // User auth. Update channel config/agent assignment.
+    const channelPatchMatch = pathname.match(/^\/channels\/([a-f0-9-]+)$/);
+    if (channelPatchMatch && (method === "PUT" || method === "POST") && body?._method === "PATCH") {
+        const channelId = channelPatchMatch[1];
+        const updates = {};
+        if (body.agent_id !== undefined)
+            updates.agent_id = body.agent_id;
+        if (body.config !== undefined)
+            updates.config = body.config;
+        if (body.name !== undefined)
+            updates.name = body.name;
+        if (body.status !== undefined)
+            updates.status = body.status;
+        updates.updated_at = new Date().toISOString();
+        const { data: channel, error } = await supabase
+            .from("channels")
+            .update(updates)
+            .eq("id", channelId)
+            .select("id, type, name, status, agent_id, config, updated_at")
+            .single();
+        if (error) {
+            return { status: 500, body: { error: error.message } };
+        }
+        return { status: 200, body: { success: true, channel } };
+    }
+    // ── POST /channels/:id/messages ──────────────────────────────
+    // Node API key auth. Ingests a message from a channel.
+    // If direction=inbound and channel has agent_id, auto-invokes agent.
+    const messageMatch = pathname.match(/^\/channels\/([a-f0-9-]+)\/messages$/);
+    if (messageMatch && method === "POST") {
+        const channelId = messageMatch[1];
+        if (!body)
+            return { status: 400, body: { error: "Request body required" } };
+        // Authenticate node (or service role for admin access)
+        const node = await authenticateNode(supabase, auth.rawToken);
+        if (!node && !auth.isServiceRole) {
+            return { status: 401, body: { error: "Invalid node API key" } };
+        }
+        // Verify channel exists (and belongs to this node if node auth)
+        let channelQuery = supabase
+            .from("channels")
+            .select("id, store_id, node_id, agent_id, config, type, name")
+            .eq("id", channelId);
+        if (node)
+            channelQuery = channelQuery.eq("node_id", node.id);
+        const { data: channel } = await channelQuery.single();
+        if (!channel) {
+            return { status: 404, body: { error: "Channel not found" } };
+        }
+        const msg = body;
+        const direction = msg.direction || "inbound";
+        const senderId = msg.sender_id || "unknown";
+        // Check plan message limits before accepting
+        const limitCheck = await checkPlanLimits(supabase, channel.store_id, "message");
+        if (!limitCheck.allowed) {
+            return { status: 429, body: { error: limitCheck.reason || "Message limit exceeded" } };
+        }
+        // Resolve conversation ID (reuse if < 30 min gap from same sender)
+        // Channel type is dynamic — read from channel.config.type or channel row's type column
+        const channelType = channel.config?.type || channel.type || "unknown";
+        const channelName = channel.name || "";
+        let conversationId = msg.conversation_id;
+        let senderContext;
+        if (!conversationId && direction === "inbound") {
+            const ctx = await resolveConversation(supabase, channelId, senderId, channel.store_id, channelType, msg.sender_name);
+            conversationId = ctx.conversationId;
+            senderContext = {
+                senderId,
+                senderName: msg.sender_name || undefined,
+                customerId: ctx.customerId,
+                customerName: ctx.customerName,
+                channelType,
+                channelId,
+                channelName,
+            };
+        }
+        // Insert inbound message
+        const { data: message, error } = await supabase
+            .from("channel_messages")
+            .insert({
+            store_id: channel.store_id,
+            channel_id: channelId,
+            direction,
+            sender_id: senderId,
+            sender_name: msg.sender_name,
+            content: msg.content,
+            content_type: msg.content_type || "text",
+            metadata: msg.metadata || {},
+            agent_id: channel.agent_id,
+            conversation_id: conversationId,
+        })
+            .select("id, direction, content, conversation_id, created_at")
+            .single();
+        if (error) {
+            return { status: 500, body: { error: error.message } };
+        }
+        // Update channel stats (best-effort)
+        try {
+            await supabase.rpc("increment_channel_stats", {
+                p_channel_id: channelId,
+            });
+        }
+        catch {
+            // Stats function may not exist yet — that's fine
+        }
+        // Audit log for inbound message (unified telemetry)
+        if (direction === "inbound") {
+            try {
+                const auditRow = {
+                    action: `node.message.inbound`,
+                    severity: "info",
+                    store_id: channel.store_id,
+                    resource_type: "whale_node",
+                    resource_id: channelId,
+                    source: "whale-node",
+                    conversation_id: conversationId || message.conversation_id || null,
+                    trace_id: randomUUID(),
+                    span_kind: "INTERNAL",
+                    service_name: "whale-node",
+                    status_code: "OK",
+                    start_time: new Date().toISOString(),
+                    end_time: new Date().toISOString(),
+                    details: {
+                        channel_id: channelId,
+                        channel_type: channelType,
+                        sender_id: senderId,
+                        sender_name: msg.sender_name || null,
+                        node_id: node?.id || null,
+                        has_agent: !!channel.agent_id,
+                    },
+                };
+                const { error: auditErr } = await supabase.from("audit_logs").insert(auditRow);
+                if (auditErr?.message?.includes("store_id")) {
+                    auditRow.store_id = null;
+                    await supabase.from("audit_logs").insert(auditRow);
+                }
+            }
+            catch {
+                // Audit must never break message flow
+            }
+        }
+        // Track message usage (best-effort, non-blocking)
+        incrementUsage(supabase, channel.store_id, direction === "inbound" ? { messages_in: 1 } : { messages_out: 1 }).catch((err) => console.error("[billing] usage increment failed:", err.message));
+        // ── Agent auto-invocation ───────────────────────────────────
+        // If inbound message and channel has an agent assigned, invoke it
+        let agentResponse = null;
+        if (direction === "inbound" && channel.agent_id && agentInvoker) {
+            // Check agent invocation limits before calling
+            const agentLimitCheck = await checkPlanLimits(supabase, channel.store_id, "agent_invocation");
+            if (!agentLimitCheck.allowed) {
+                console.warn(`[channel-agent] Agent invocation blocked: ${agentLimitCheck.reason}`);
+            }
+            else {
+                try {
+                    console.log(`[channel-agent] Invoking agent ${channel.agent_id} for channel ${channelId}`);
+                    const result = await agentInvoker(supabase, channel.agent_id, msg.content, channel.store_id, conversationId || message.conversation_id, senderContext);
+                    // Track agent invocation usage
+                    incrementUsage(supabase, channel.store_id, { agent_invocations: 1 })
+                        .catch((err) => console.error("[billing] agent usage increment failed:", err.message));
+                    if (result.success && result.response) {
+                        // Insert agent response as outbound message
+                        const { data: outMsg, error: outErr } = await supabase
+                            .from("channel_messages")
+                            .insert({
+                            store_id: channel.store_id,
+                            channel_id: channelId,
+                            direction: "outbound",
+                            sender_id: "agent",
+                            sender_name: "AI Agent",
+                            content: result.response,
+                            content_type: "text",
+                            metadata: { agent_id: channel.agent_id, auto_response: true },
+                            agent_id: channel.agent_id,
+                            conversation_id: conversationId || message.conversation_id,
+                        })
+                            .select("id, direction, content, conversation_id, created_at")
+                            .single();
+                        if (!outErr && outMsg) {
+                            agentResponse = outMsg;
+                            // Track outbound message usage
+                            incrementUsage(supabase, channel.store_id, { messages_out: 1 })
+                                .catch((err) => console.error("[billing] outbound usage increment failed:", err.message));
+                            console.log(`[channel-agent] Response stored: ${outMsg.id}`);
+                        }
+                    }
+                    else if (result.error) {
+                        console.error(`[channel-agent] Agent error: ${result.error}`);
+                    }
+                }
+                catch (err) {
+                    console.error(`[channel-agent] Invocation failed:`, err.message);
+                }
+            }
+        }
+        return {
+            status: 201,
+            body: {
+                success: true,
+                message,
+                agent_response: agentResponse,
+                conversation_id: conversationId || message.conversation_id,
+            },
+        };
+    }
+    // ── GET /channels/:id/messages ─────────────────────────────────
+    // Node API key auth. Retrieves messages for a channel.
+    // Query params (via body): direction, undelivered, limit, after
+    const getMessagesMatch = pathname.match(/^\/channels\/([a-f0-9-]+)\/messages$/);
+    if (getMessagesMatch && method === "GET") {
+        const channelId = getMessagesMatch[1];
+        // Authenticate node (or service role for admin access)
+        const node = await authenticateNode(supabase, auth.rawToken);
+        if (!node && !auth.isServiceRole) {
+            return { status: 401, body: { error: "Invalid node API key" } };
+        }
+        // Verify channel exists (and belongs to this node if node auth)
+        let chQuery = supabase.from("channels").select("id, node_id").eq("id", channelId);
+        if (node)
+            chQuery = chQuery.eq("node_id", node.id);
+        const { data: channel } = await chQuery.single();
+        if (!channel) {
+            return { status: 404, body: { error: "Channel not found" } };
+        }
+        let query = supabase
+            .from("channel_messages")
+            .select("id, direction, sender_id, sender_name, content, content_type, metadata, conversation_id, delivered_at, created_at")
+            .eq("channel_id", channelId);
+        // Filter by direction (body or query param)
+        const direction = body?.direction || queryParams?.get("direction");
+        if (direction) {
+            query = query.eq("direction", direction);
+        }
+        // Filter undelivered outbound messages (for node polling)
+        const undelivered = body?.undelivered || queryParams?.get("undelivered");
+        if (undelivered === true || undelivered === "true") {
+            query = query.eq("direction", "outbound").is("delivered_at", null);
+        }
+        // After a specific timestamp
+        const after = body?.after || queryParams?.get("after");
+        if (after) {
+            query = query.gt("created_at", after);
+        }
+        const rawLimit = body?.limit || queryParams?.get("limit") || 50;
+        const limit = Math.min(Number(rawLimit), 200);
+        query = query.order("created_at", { ascending: true }).limit(limit);
+        const { data: messages, error: msgErr } = await query;
+        if (msgErr) {
+            return { status: 500, body: { error: msgErr.message } };
+        }
+        return { status: 200, body: { success: true, messages: messages || [] } };
+    }
+    // ── PATCH /channels/:id/messages/:msgId ──────────────────────
+    // Node API key auth. Mark message as delivered.
+    const deliverMatch = pathname.match(/^\/channels\/([a-f0-9-]+)\/messages\/([a-f0-9-]+)$/);
+    if (deliverMatch && (method === "PUT" || method === "POST") && body?._method === "PATCH") {
+        const channelId = deliverMatch[1];
+        const msgId = deliverMatch[2];
+        const node = await authenticateNode(supabase, auth.rawToken);
+        if (!node) {
+            return { status: 401, body: { error: "Invalid node API key" } };
+        }
+        const { error } = await supabase
+            .from("channel_messages")
+            .update({
+            delivered_at: body?.delivered_at || new Date().toISOString(),
+            metadata: { ...(body?.metadata || {}), delivered_by_node: node.id },
+        })
+            .eq("id", msgId)
+            .eq("channel_id", channelId);
+        if (error) {
+            return { status: 500, body: { error: error.message } };
+        }
+        return { status: 200, body: { success: true, delivered: msgId } };
+    }
+    // ── POST /channels/:id/messages/:msgId/delivered ─────────────
+    // Simpler delivery marking endpoint (no _method hack needed)
+    const deliverSimpleMatch = pathname.match(/^\/channels\/([a-f0-9-]+)\/messages\/([a-f0-9-]+)\/delivered$/);
+    if (deliverSimpleMatch && method === "POST") {
+        const channelId = deliverSimpleMatch[1];
+        const msgId = deliverSimpleMatch[2];
+        const node = await authenticateNode(supabase, auth.rawToken);
+        if (!node) {
+            return { status: 401, body: { error: "Invalid node API key" } };
+        }
+        const { error } = await supabase
+            .from("channel_messages")
+            .update({ delivered_at: new Date().toISOString() })
+            .eq("id", msgId)
+            .eq("channel_id", channelId);
+        if (error) {
+            return { status: 500, body: { error: error.message } };
+        }
+        return { status: 200, body: { success: true, delivered: msgId } };
+    }
+    // ── GET /nodes/:id/events ────────────────────────────────────
+    // User auth. Lists recent events for a node.
+    const eventsMatch = pathname.match(/^\/nodes\/([a-f0-9-]+)\/events$/);
+    if (eventsMatch && method === "GET") {
+        const nodeId = eventsMatch[1];
+        const limit = body?.limit || 50;
+        const { data: events, error } = await supabase
+            .from("node_events")
+            .select("id, event_type, details, created_at")
+            .eq("node_id", nodeId)
+            .order("created_at", { ascending: false })
+            .limit(limit);
+        if (error) {
+            return { status: 500, body: { error: error.message } };
+        }
+        return { status: 200, body: { success: true, events: events || [] } };
+    }
+    // No route matched
+    return null;
+}