whale-code 6.5.4 → 6.5.6

package/dist/server/handlers/nodes.js

@@ -1,990 +1,1398 @@
 // handlers/nodes.ts — Node & Channel management endpoints
 // Auth: User JWT for management, Node API key for node operations
+
 import { createHash, randomBytes, randomUUID } from "node:crypto";
 import { checkPlanLimits, incrementUsage } from "./billing.js";
 import { queueSpan, auditRowToSpan } from "../lib/clickhouse-buffer.js";
+
+// ============================================================================
+// TYPES
+// ============================================================================
+
+/** Context returned by resolveConversation — carries customer identity + session state */
+
+/** Sender context passed through to the agent invoker for customer-aware prompts */
+
+// Callback type for agent invocation (injected from index.ts to avoid circular deps)
+
 let agentInvoker = null;
+
 /** Set the agent invoker — called once from index.ts to break circular dependency */
 export function setNodeAgentInvoker(invoker) {
-    agentInvoker = invoker;
+  agentInvoker = invoker;
 }
+
 // ============================================================================
 // HELPERS
 // ============================================================================
+
 function hashApiKey(key) {
-    return createHash("sha256").update(key).digest("hex");
+  return createHash("sha256").update(key).digest("hex");
 }
 function generateNodeApiKey() {
-    return randomBytes(32).toString("hex");
+  return randomBytes(32).toString("hex");
 }
+
 // 5-minute in-memory cache for node auth (survives transient Supabase 525s)
 const NODE_AUTH_CACHE_TTL = 5 * 60 * 1000;
 const nodeAuthCache = new Map();
+
 /** Clear the node auth cache (for tests). */
 export function clearNodeAuthCache() {
-    nodeAuthCache.clear();
+  nodeAuthCache.clear();
 }
+
 /** Authenticate a node by API key, returns node row or null.
  *  Retries once on transient error, falls back to cache if both fail. */
 async function authenticateNode(supabase, apiKey) {
-    const hash = hashApiKey(apiKey);
-    // Attempt DB query with one retry on transient errors
-    for (let attempt = 0; attempt < 2; attempt++) {
-        try {
-            const { data, error } = await supabase
-                .from("nodes")
-                .select("id, store_id, name")
-                .eq("api_key_hash", hash)
-                .single();
-            if (data) {
-                // Success — update cache and return
-                nodeAuthCache.set(hash, { node: data, cachedAt: Date.now() });
-                return data;
-            }
-            // Non-transient error (e.g. row not found) — no retry
-            if (error && !isTransientError(error)) {
-                return null;
-            }
-            // Transient error on first attempt — retry
-            if (attempt === 0 && error) {
-                console.warn(`[node-auth] Transient error (attempt 1): ${error.message}. Retrying...`);
-                continue;
-            }
-            return null;
-        }
-        catch (err) {
-            // Network-level error (fetch failure, timeout)
-            if (attempt === 0) {
-                console.warn(`[node-auth] Network error (attempt 1): ${err.message}. Retrying...`);
-                continue;
-            }
-        }
-    }
-    // Both attempts failed — fall back to cache
-    const cached = nodeAuthCache.get(hash);
-    if (cached && Date.now() - cached.cachedAt < NODE_AUTH_CACHE_TTL) {
-        console.warn(`[node-auth] Using cached auth for node ${cached.node.id} (DB unavailable)`);
-        return cached.node;
+  const hash = hashApiKey(apiKey);
+
+  // Attempt DB query with one retry on transient errors
+  for (let attempt = 0; attempt < 2; attempt++) {
+    try {
+      const {
+        data,
+        error
+      } = await supabase.from("nodes").select("id, store_id, name").eq("api_key_hash", hash).single();
+      if (data) {
+        // Success — update cache and return
+        nodeAuthCache.set(hash, {
+          node: data,
+          cachedAt: Date.now()
+        });
+        return data;
+      }
+
+      // Non-transient error (e.g. row not found) — no retry
+      if (error && !isTransientError(error)) {
+        return null;
+      }
+
+      // Transient error on first attempt — retry
+      if (attempt === 0 && error) {
+        console.warn(`[node-auth] Transient error (attempt 1): ${error.message}. Retrying...`);
+        continue;
+      }
+      return null;
+    } catch (err) {
+      // Network-level error (fetch failure, timeout)
+      if (attempt === 0) {
+        console.warn(`[node-auth] Network error (attempt 1): ${err.message}. Retrying...`);
+        continue;
+      }
     }
-    return null;
+  }
+
+  // Both attempts failed — fall back to cache
+  const cached = nodeAuthCache.get(hash);
+  if (cached && Date.now() - cached.cachedAt < NODE_AUTH_CACHE_TTL) {
+    console.warn(`[node-auth] Using cached auth for node ${cached.node.id} (DB unavailable)`);
+    return cached.node;
+  }
+  return null;
 }
+
 /** Check if a user (by auth UUID) has access to a store.
  *  Mirrors the logic in get_user_store_ids():
  *    1) store_members.auth_user_id = authUserId
  *    2) stores.owner_user_id = platform_users.id WHERE auth_id = authUserId */
 async function userHasStoreAccess(supabase, authUserId, storeId) {
-    // Check store_members first (direct membership)
-    const { data: membership } = await supabase
-        .from("store_members")
-        .select("id")
-        .eq("auth_user_id", authUserId)
-        .eq("store_id", storeId)
-        .limit(1);
-    if (membership?.length)
-        return true;
-    // Check via platform_users → stores.owner_user_id
-    const { data: platformUser } = await supabase
-        .from("platform_users")
-        .select("id")
-        .eq("auth_id", authUserId)
-        .limit(1)
-        .single();
-    if (platformUser) {
-        const { data: ownedStore } = await supabase
-            .from("stores")
-            .select("id")
-            .eq("owner_user_id", platformUser.id)
-            .eq("id", storeId)
-            .limit(1);
-        if (ownedStore?.length)
-            return true;
-    }
-    return false;
+  // Check store_members first (direct membership)
+  const {
+    data: membership
+  } = await supabase.from("store_members").select("id").eq("auth_user_id", authUserId).eq("store_id", storeId).limit(1);
+  if (membership?.length) return true;
+
+  // Check via platform_users → stores.owner_user_id
+  const {
+    data: platformUser
+  } = await supabase.from("platform_users").select("id").eq("auth_id", authUserId).limit(1).single();
+  if (platformUser) {
+    const {
+      data: ownedStore
+    } = await supabase.from("stores").select("id").eq("owner_user_id", platformUser.id).eq("id", storeId).limit(1);
+    if (ownedStore?.length) return true;
+  }
+  return false;
 }
+
 /** Check if a Supabase error is transient (network, 5xx, Cloudflare) */
 function isTransientError(error) {
-    const msg = error.message || "";
-    return msg.includes("525") || msg.includes("502") || msg.includes("503")
-        || msg.includes("504") || msg.includes("520") || msg.includes("522")
-        || msg.includes("524") || msg.includes("timeout") || msg.includes("ECONNRESET")
-        || msg.includes("fetch failed");
+  const msg = error.message || "";
+  return msg.includes("525") || msg.includes("502") || msg.includes("503") || msg.includes("504") || msg.includes("520") || msg.includes("522") || msg.includes("524") || msg.includes("timeout") || msg.includes("ECONNRESET") || msg.includes("fetch failed");
 }
+
 /** Log a node event to node_events */
 async function logNodeEvent(supabase, storeId, nodeId, eventType, details = {}) {
-    // node_events — existing table for node lifecycle
-    await supabase.from("node_events").insert({
-        store_id: storeId,
+  // node_events — existing table for node lifecycle
+  await supabase.from("node_events").insert({
+    store_id: storeId,
+    node_id: nodeId,
+    event_type: eventType,
+    details
+  });
+
+  // Telemetry → ClickHouse
+  try {
+    const now = new Date();
+    queueSpan(auditRowToSpan({
+      action: `node.${eventType}`,
+      severity: "info",
+      store_id: storeId,
+      resource_type: "whale_node",
+      resource_id: nodeId,
+      source: "whale-node",
+      user_id: details.registered_by || details.deleted_by || null,
+      trace_id: randomUUID(),
+      span_kind: "INTERNAL",
+      service_name: "whale-node",
+      status_code: "OK",
+      start_time: now.toISOString(),
+      end_time: now.toISOString(),
+      details: {
+        ...details,
         node_id: nodeId,
-        event_type: eventType,
-        details,
-    });
-    // Telemetry → ClickHouse
-    try {
-        const now = new Date();
-        queueSpan(auditRowToSpan({
-            action: `node.${eventType}`,
-            severity: "info",
-            store_id: storeId,
-            resource_type: "whale_node",
-            resource_id: nodeId,
-            source: "whale-node",
-            user_id: (details.registered_by || details.deleted_by || null),
-            trace_id: randomUUID(),
-            span_kind: "INTERNAL",
-            service_name: "whale-node",
-            status_code: "OK",
-            start_time: now.toISOString(),
-            end_time: now.toISOString(),
-            details: { ...details, node_id: nodeId, event_type: eventType },
-        }));
-    }
-    catch {
-        // Telemetry must never break node operations
-    }
+        event_type: eventType
+      }
+    }));
+  } catch {
+    // Telemetry must never break node operations
+  }
 }
+
 /** Resolve or create a conversation for a sender on a channel.
  *  Reuses conversation if last message from same sender was < 30 min ago.
  *  Creates an ai_conversations row for new sessions so telemetry/history works.
  *  Resolves customer identity from the dynamic bridge table. */
 async function resolveConversation(supabase, channelId, senderId, storeId, channelType, senderName) {
-    // ── Resolve customer identity (best-effort, any channel type) ──
-    let customerId = null;
-    let customerName = null;
-    if (channelType) {
-        try {
-            const { data } = await supabase.rpc("resolve_sender_to_customer", {
-                p_store_id: storeId,
-                p_channel_type: channelType,
-                p_sender_id: senderId,
-                p_sender_name: senderName || null,
-            });
-            if (data?.length) {
-                customerId = data[0].customer_id;
-                customerName = data[0].customer_name;
-            }
-        }
-        catch { /* customer resolution non-critical */ }
-    }
-    // ── 30-min window — reuse existing conversation ──
-    const thirtyMinAgo = new Date(Date.now() - 30 * 60 * 1000).toISOString();
-    const { data: recent } = await supabase
-        .from("channel_messages")
-        .select("conversation_id")
-        .eq("channel_id", channelId)
-        .eq("sender_id", senderId)
-        .gt("created_at", thirtyMinAgo)
-        .not("conversation_id", "is", null)
-        .order("created_at", { ascending: false })
-        .limit(1);
-    if (recent?.length && recent[0].conversation_id) {
-        // Backfill customer_id on existing conversation if newly resolved
-        if (customerId) {
-            Promise.resolve(supabase.from("ai_conversations")
-                .update({ customer_id: customerId })
-                .eq("id", recent[0].conversation_id)
-                .is("customer_id", null)).catch(() => { });
-        }
-        return { conversationId: recent[0].conversation_id, customerId, customerName, isNewSession: false };
-    }
-    // ── New session — create ai_conversations row ──
-    const newId = randomUUID();
-    const title = senderName
-        ? `${senderName} via ${channelType || "channel"}`
-        : `${senderId} via ${channelType || "channel"}`;
+  // ── Resolve customer identity (best-effort, any channel type) ──
+  let customerId = null;
+  let customerName = null;
+  if (channelType) {
     try {
-        await supabase.from("ai_conversations").insert({
-            id: newId,
-            store_id: storeId,
-            agent_id: null, // set later by invokeAgentForChannel
-            channel_id: channelId,
-            sender_id: senderId,
-            channel_type: channelType || null,
-            customer_id: customerId,
-            title,
-            metadata: { source: "channel", channel_type: channelType || "unknown" },
-        });
+      const {
+        data
+      } = await supabase.rpc("resolve_sender_to_customer", {
+        p_store_id: storeId,
+        p_channel_type: channelType,
+        p_sender_id: senderId,
+        p_sender_name: senderName || null
+      });
+      if (data?.length) {
+        customerId = data[0].customer_id;
+        customerName = data[0].customer_name;
+      }
+    } catch {/* customer resolution non-critical */}
+  }
+
+  // ── 30-min window — reuse existing conversation ──
+  const thirtyMinAgo = new Date(Date.now() - 30 * 60 * 1000).toISOString();
+  const {
+    data: recent
+  } = await supabase.from("channel_messages").select("conversation_id").eq("channel_id", channelId).eq("sender_id", senderId).gt("created_at", thirtyMinAgo).not("conversation_id", "is", null).order("created_at", {
+    ascending: false
+  }).limit(1);
+  if (recent?.length && recent[0].conversation_id) {
+    // Backfill customer_id on existing conversation if newly resolved
+    if (customerId) {
+      Promise.resolve(supabase.from("ai_conversations").update({
+        customer_id: customerId
+      }).eq("id", recent[0].conversation_id).is("customer_id", null)).catch(() => {});
     }
-    catch { /* ai_conversations insert non-critical — agent still works without it */ }
-    return { conversationId: newId, customerId, customerName, isNewSession: true };
+    return {
+      conversationId: recent[0].conversation_id,
+      customerId,
+      customerName,
+      isNewSession: false
+    };
+  }
+
+  // ── New session — create ai_conversations row ──
+  const newId = randomUUID();
+  const title = senderName ? `${senderName} via ${channelType || "channel"}` : `${senderId} via ${channelType || "channel"}`;
+  try {
+    await supabase.from("ai_conversations").insert({
+      id: newId,
+      store_id: storeId,
+      agent_id: null,
+      // set later by invokeAgentForChannel
+      channel_id: channelId,
+      sender_id: senderId,
+      channel_type: channelType || null,
+      customer_id: customerId,
+      title,
+      metadata: {
+        source: "channel",
+        channel_type: channelType || "unknown"
+      }
+    });
+  } catch {/* ai_conversations insert non-critical — agent still works without it */}
+  return {
+    conversationId: newId,
+    customerId,
+    customerName,
+    isNewSession: true
+  };
 }
+
 // ============================================================================
 // ROUTE HANDLER
 // ============================================================================
+
 export async function handleNodeRoutes(pathname, method, body, supabase, auth, queryParams) {
-    // ── POST /nodes/register ──────────────────────────────────────
-    // User auth required. Creates a node and returns API key (shown once).
-    if (pathname === "/nodes/register" && method === "POST") {
-        if (!auth.userId && !auth.isServiceRole) {
-            return { status: 401, body: { error: "User authentication required" } };
-        }
-        if (!body)
-            return { status: 400, body: { error: "Request body required" } };
-        const reg = body;
-        if (!reg.name || !reg.store_id) {
-            return { status: 400, body: { error: "name and store_id required" } };
-        }
-        // Verify user has access to this store
-        if (auth.userId) {
-            const hasAccess = await userHasStoreAccess(supabase, auth.userId, reg.store_id);
-            if (!hasAccess) {
-                return { status: 403, body: { error: "No access to this store" } };
-            }
-        }
-        // Check node limit against store plan
-        const { data: planRow } = await supabase
-            .from("store_plans")
-            .select("plan, limits")
-            .eq("store_id", reg.store_id)
-            .single();
-        const planLimits = planRow?.limits;
-        const nodesMax = planLimits?.nodes_max ?? 1; // free plan default
-        const { count } = await supabase
-            .from("nodes")
-            .select("id", { count: "exact", head: true })
-            .eq("store_id", reg.store_id);
-        if ((count || 0) >= nodesMax) {
-            return { status: 429, body: { error: `Node limit reached (${count}/${nodesMax} on ${planRow?.plan || "free"} plan)` } };
-        }
-        const apiKey = generateNodeApiKey();
-        const apiKeyHash = hashApiKey(apiKey);
-        const { data: node, error } = await supabase
-            .from("nodes")
-            .insert({
-            store_id: reg.store_id,
-            name: reg.name,
-            api_key_hash: apiKeyHash,
-            capabilities: reg.capabilities || [],
-            hardware: reg.hardware || {},
-            version: reg.version || "1.0.0",
-            config: reg.config || {},
-            status: "offline",
-        })
-            .select("id, name, store_id, status, created_at")
-            .single();
-        if (error) {
-            return { status: 500, body: { error: error.message } };
-        }
-        await logNodeEvent(supabase, reg.store_id, node.id, "registered", {
-            name: reg.name,
-            registered_by: auth.userId,
-        });
+  // ── POST /nodes/register ──────────────────────────────────────
+  // User auth required. Creates a node and returns API key (shown once).
+  if (pathname === "/nodes/register" && method === "POST") {
+    if (!auth.userId && !auth.isServiceRole) {
+      return {
+        status: 401,
+        body: {
+          error: "User authentication required"
+        }
+      };
+    }
+    if (!body) return {
+      status: 400,
+      body: {
+        error: "Request body required"
+      }
+    };
+    const reg = body;
+    if (!reg.name || !reg.store_id) {
+      return {
+        status: 400,
+        body: {
+          error: "name and store_id required"
+        }
+      };
+    }
+
+    // Verify user has access to this store
+    if (auth.userId) {
+      const hasAccess = await userHasStoreAccess(supabase, auth.userId, reg.store_id);
+      if (!hasAccess) {
         return {
-            status: 201,
-            body: {
-                success: true,
-                node,
-                api_key: apiKey, // Shown ONCE — user must save this
-                message: "Save your API key — it cannot be retrieved later.",
-            },
+          status: 403,
+          body: {
+            error: "No access to this store"
+          }
         };
+      }
+    }
+
+    // Check node limit against store plan
+    const {
+      data: planRow
+    } = await supabase.from("store_plans").select("plan, limits").eq("store_id", reg.store_id).single();
+    const planLimits = planRow?.limits;
+    const nodesMax = planLimits?.nodes_max ?? 1; // free plan default
+
+    const {
+      count
+    } = await supabase.from("nodes").select("id", {
+      count: "exact",
+      head: true
+    }).eq("store_id", reg.store_id);
+    if ((count || 0) >= nodesMax) {
+      return {
+        status: 429,
+        body: {
+          error: `Node limit reached (${count}/${nodesMax} on ${planRow?.plan || "free"} plan)`
+        }
+      };
+    }
+    const apiKey = generateNodeApiKey();
+    const apiKeyHash = hashApiKey(apiKey);
+    const {
+      data: node,
+      error
+    } = await supabase.from("nodes").insert({
+      store_id: reg.store_id,
+      name: reg.name,
+      api_key_hash: apiKeyHash,
+      capabilities: reg.capabilities || [],
+      hardware: reg.hardware || {},
+      version: reg.version || "1.0.0",
+      config: reg.config || {},
+      status: "offline"
+    }).select("id, name, store_id, status, created_at").single();
+    if (error) {
+      return {
+        status: 500,
+        body: {
+          error: error.message
+        }
+      };
+    }
+    await logNodeEvent(supabase, reg.store_id, node.id, "registered", {
+      name: reg.name,
+      registered_by: auth.userId
+    });
+    return {
+      status: 201,
+      body: {
+        success: true,
+        node,
+        api_key: apiKey,
+        // Shown ONCE — user must save this
+        message: "Save your API key — it cannot be retrieved later."
+      }
+    };
+  }
+
+  // ── POST /nodes/heartbeat ─────────────────────────────────────
+  // Node API key auth. Updates status + hardware info.
+  if (pathname === "/nodes/heartbeat" && method === "POST") {
+    const node = await authenticateNode(supabase, auth.rawToken);
+    if (!node) {
+      return {
+        status: 401,
+        body: {
+          error: "Invalid node API key"
+        }
+      };
+    }
+    const hb = body;
+    const updates = {
+      status: "online",
+      last_heartbeat: new Date().toISOString(),
+      updated_at: new Date().toISOString()
+    };
+    if (hb.hardware) updates.hardware = hb.hardware;
+    if (hb.capabilities) updates.capabilities = hb.capabilities;
+    if (hb.version) updates.version = hb.version;
+    await supabase.from("nodes").update(updates).eq("id", node.id);
+
+    // Sync channel statuses if reported
+    if (hb.channels?.length) {
+      for (const ch of hb.channels) {
+        await supabase.from("channels").update({
+          status: ch.status,
+          updated_at: new Date().toISOString()
+        }).eq("node_id", node.id).eq("type", ch.type);
+      }
     }
-    // ── POST /nodes/heartbeat ─────────────────────────────────────
-    // Node API key auth. Updates status + hardware info.
-    if (pathname === "/nodes/heartbeat" && method === "POST") {
-        const node = await authenticateNode(supabase, auth.rawToken);
-        if (!node) {
-            return { status: 401, body: { error: "Invalid node API key" } };
-        }
-        const hb = body;
-        const updates = {
-            status: "online",
-            last_heartbeat: new Date().toISOString(),
-            updated_at: new Date().toISOString(),
+
+    // Fetch pending commands for this node
+    let pendingCommands = [];
+    try {
+      const {
+        data: cmds
+      } = await supabase.from("node_commands").select("id, command, payload").eq("node_id", node.id).eq("status", "pending").order("created_at", {
+        ascending: true
+      }).limit(10);
+      if (cmds?.length) {
+        pendingCommands = cmds;
+        // Mark them as acknowledged
+        const cmdIds = cmds.map(c => c.id);
+        await supabase.from("node_commands").update({
+          status: "acknowledged",
+          acknowledged_at: new Date().toISOString()
+        }).in("id", cmdIds);
+      }
+    } catch {
+      // Command delivery is best-effort
+    }
+    return {
+      status: 200,
+      body: {
+        success: true,
+        node_id: node.id,
+        commands: pendingCommands
+      }
+    };
+  }
+
+  // ── GET|POST /nodes ────────────────────────────────────────────
+  // User auth. Lists nodes for a store.
+  if (pathname === "/nodes" && (method === "GET" || method === "POST")) {
+    // store_id from body or query params
+    const storeId = body?.store_id || queryParams?.get("store_id");
+    if (!storeId) {
+      return {
+        status: 400,
+        body: {
+          error: "store_id required"
+        }
+      };
+    }
+
+    // Verify user has access to the requested store
+    if (auth.userId) {
+      const hasAccess = await userHasStoreAccess(supabase, auth.userId, storeId);
+      if (!hasAccess) {
+        return {
+          status: 403,
+          body: {
+            error: "Not authorized to access this store's nodes"
+          }
         };
-        if (hb.hardware)
-            updates.hardware = hb.hardware;
-        if (hb.capabilities)
-            updates.capabilities = hb.capabilities;
-        if (hb.version)
-            updates.version = hb.version;
-        await supabase.from("nodes").update(updates).eq("id", node.id);
-        // Sync channel statuses if reported
-        if (hb.channels?.length) {
-            for (const ch of hb.channels) {
-                await supabase
-                    .from("channels")
-                    .update({ status: ch.status, updated_at: new Date().toISOString() })
-                    .eq("node_id", node.id)
-                    .eq("type", ch.type);
-            }
-        }
-        // Fetch pending commands for this node
-        let pendingCommands = [];
-        try {
-            const { data: cmds } = await supabase
-                .from("node_commands")
-                .select("id, command, payload")
-                .eq("node_id", node.id)
-                .eq("status", "pending")
-                .order("created_at", { ascending: true })
-                .limit(10);
-            if (cmds?.length) {
-                pendingCommands = cmds;
-                // Mark them as acknowledged
-                const cmdIds = cmds.map((c) => c.id);
-                await supabase
-                    .from("node_commands")
-                    .update({ status: "acknowledged", acknowledged_at: new Date().toISOString() })
-                    .in("id", cmdIds);
-            }
-        }
-        catch {
-            // Command delivery is best-effort
+      }
+    } else if (!auth.isServiceRole) {
+      return {
+        status: 401,
+        body: {
+          error: "Authentication required"
+        }
+      };
+    }
+    const {
+      data: nodes,
+      error
+    } = await supabase.from("nodes").select("id, name, status, hardware, capabilities, version, ip_address, last_heartbeat, created_at").eq("store_id", storeId).order("created_at", {
+      ascending: false
+    });
+    if (error) {
+      return {
+        status: 500,
+        body: {
+          error: error.message
         }
+      };
+    }
+
+    // Also fetch channels per node
+    const nodeIds = (nodes || []).map(n => n.id);
+    const {
+      data: channels
+    } = nodeIds.length ? await supabase.from("channels").select("id, node_id, type, name, status, stats").in("node_id", nodeIds) : {
+      data: []
+    };
+
+    // Attach channels to nodes
+    const result = (nodes || []).map(n => ({
+      ...n,
+      channels: (channels || []).filter(c => c.node_id === n.id)
+    }));
+    return {
+      status: 200,
+      body: {
+        success: true,
+        nodes: result
+      }
+    };
+  }
+
+  // ── PATCH /nodes/:id ──────────────────────────────────────────
+  // User auth. Update node name, capabilities, config.
+  const patchNodeMatch = pathname.match(/^\/nodes\/([a-f0-9-]+)$/);
+  if (patchNodeMatch && (method === "PUT" || method === "POST") && body?._method === "PATCH") {
+    const nodeId = patchNodeMatch[1];
+    if (!auth.userId && !auth.isServiceRole) {
+      return {
+        status: 401,
+        body: {
+          error: "User authentication required"
+        }
+      };
+    }
+
+    // Verify ownership
+    const {
+      data: nodeRow
+    } = await supabase.from("nodes").select("id, store_id, name").eq("id", nodeId).single();
+    if (!nodeRow) {
+      return {
+        status: 404,
+        body: {
+          error: "Node not found"
+        }
+      };
+    }
+    if (auth.userId) {
+      const hasAccess = await userHasStoreAccess(supabase, auth.userId, nodeRow.store_id);
+      if (!hasAccess) {
         return {
-            status: 200,
-            body: { success: true, node_id: node.id, commands: pendingCommands },
+          status: 403,
+          body: {
+            error: "No access to this node"
+          }
         };
+      }
     }
-    // ── GET|POST /nodes ────────────────────────────────────────────
-    // User auth. Lists nodes for a store.
-    if (pathname === "/nodes" && (method === "GET" || method === "POST")) {
-        // store_id from body or query params
-        const storeId = body?.store_id || queryParams?.get("store_id");
-        if (!storeId) {
-            return { status: 400, body: { error: "store_id required" } };
-        }
-        // Verify user has access to the requested store
-        if (auth.userId) {
-            const hasAccess = await userHasStoreAccess(supabase, auth.userId, storeId);
-            if (!hasAccess) {
-                return { status: 403, body: { error: "Not authorized to access this store's nodes" } };
-            }
-        }
-        else if (!auth.isServiceRole) {
-            return { status: 401, body: { error: "Authentication required" } };
-        }
-        const { data: nodes, error } = await supabase
-            .from("nodes")
-            .select("id, name, status, hardware, capabilities, version, ip_address, last_heartbeat, created_at")
-            .eq("store_id", storeId)
-            .order("created_at", { ascending: false });
-        if (error) {
-            return { status: 500, body: { error: error.message } };
-        }
-        // Also fetch channels per node
-        const nodeIds = (nodes || []).map((n) => n.id);
-        const { data: channels } = nodeIds.length
-            ? await supabase
-                .from("channels")
-                .select("id, node_id, type, name, status, stats")
-                .in("node_id", nodeIds)
-            : { data: [] };
-        // Attach channels to nodes
-        const result = (nodes || []).map((n) => ({
-            ...n,
-            channels: (channels || []).filter((c) => c.node_id === n.id),
-        }));
-        return { status: 200, body: { success: true, nodes: result } };
-    }
-    // ── PATCH /nodes/:id ──────────────────────────────────────────
-    // User auth. Update node name, capabilities, config.
-    const patchNodeMatch = pathname.match(/^\/nodes\/([a-f0-9-]+)$/);
-    if (patchNodeMatch && (method === "PUT" || method === "POST") && body?._method === "PATCH") {
-        const nodeId = patchNodeMatch[1];
-        if (!auth.userId && !auth.isServiceRole) {
-            return { status: 401, body: { error: "User authentication required" } };
-        }
-        // Verify ownership
-        const { data: nodeRow } = await supabase
-            .from("nodes")
-            .select("id, store_id, name")
-            .eq("id", nodeId)
-            .single();
-        if (!nodeRow) {
-            return { status: 404, body: { error: "Node not found" } };
-        }
-        if (auth.userId) {
-            const hasAccess = await userHasStoreAccess(supabase, auth.userId, nodeRow.store_id);
-            if (!hasAccess) {
-                return { status: 403, body: { error: "No access to this node" } };
-            }
-        }
-        const nodeUpdates = { updated_at: new Date().toISOString() };
-        if (body.name !== undefined)
-            nodeUpdates.name = body.name;
-        if (body.capabilities !== undefined)
-            nodeUpdates.capabilities = body.capabilities;
-        if (body.config !== undefined)
-            nodeUpdates.config = body.config;
-        const { data: updated, error: updateErr } = await supabase
-            .from("nodes")
-            .update(nodeUpdates)
-            .eq("id", nodeId)
-            .select("id, name, status, capabilities, config, version, hardware, last_heartbeat, updated_at")
-            .single();
-        if (updateErr) {
-            return { status: 500, body: { error: updateErr.message } };
-        }
-        return { status: 200, body: { success: true, node: updated } };
-    }
-    // ── POST /nodes/:id/commands ────────────────────────────────
-    // User auth. Queue a command for a node.
-    const commandMatch = pathname.match(/^\/nodes\/([a-f0-9-]+)\/commands$/);
-    if (commandMatch && method === "POST") {
-        const nodeId = commandMatch[1];
-        if (!auth.userId && !auth.isServiceRole) {
-            return { status: 401, body: { error: "User authentication required" } };
-        }
-        if (!body)
-            return { status: 400, body: { error: "Request body required" } };
-        const command = body.command;
-        const payload = body.payload || {};
-        if (!command) {
-            return { status: 400, body: { error: "command is required" } };
-        }
-        const validCommands = ["restart", "shutdown", "rotate_key", "pause_all_channels", "resume_all_channels", "update"];
-        if (!validCommands.includes(command)) {
-            return { status: 400, body: { error: `Invalid command. Valid: ${validCommands.join(", ")}` } };
-        }
-        // Verify node exists and get store_id
-        const { data: targetNode } = await supabase
-            .from("nodes")
-            .select("id, store_id")
-            .eq("id", nodeId)
-            .single();
-        if (!targetNode) {
-            return { status: 404, body: { error: "Node not found" } };
-        }
-        if (auth.userId) {
-            const hasAccess = await userHasStoreAccess(supabase, auth.userId, targetNode.store_id);
-            if (!hasAccess) {
-                return { status: 403, body: { error: "No access to this node" } };
-            }
-        }
-        const { data: cmd, error: cmdErr } = await supabase
-            .from("node_commands")
-            .insert({
-            node_id: nodeId,
-            store_id: targetNode.store_id,
-            command,
-            payload,
-            status: "pending",
-        })
-            .select("id, command, status, created_at")
-            .single();
-        if (cmdErr) {
-            return { status: 500, body: { error: cmdErr.message } };
-        }
-        await logNodeEvent(supabase, targetNode.store_id, nodeId, "command_queued", {
-            command,
-            command_id: cmd.id,
-            queued_by: auth.userId,
-        });
-        return { status: 201, body: { success: true, command: cmd } };
-    }
-    // ── POST /nodes/:id/rotate-key ─────────────────────────────
-    // User auth. Generate a new API key for a node.
-    const rotateMatch = pathname.match(/^\/nodes\/([a-f0-9-]+)\/rotate-key$/);
-    if (rotateMatch && method === "POST") {
-        const nodeId = rotateMatch[1];
-        if (!auth.userId && !auth.isServiceRole) {
-            return { status: 401, body: { error: "User authentication required" } };
-        }
-        // Verify ownership
-        const { data: rotateNode } = await supabase
-            .from("nodes")
-            .select("id, store_id, name")
-            .eq("id", nodeId)
-            .single();
-        if (!rotateNode) {
-            return { status: 404, body: { error: "Node not found" } };
-        }
-        if (auth.userId) {
-            const hasAccess = await userHasStoreAccess(supabase, auth.userId, rotateNode.store_id);
-            if (!hasAccess) {
-                return { status: 403, body: { error: "No access to this node" } };
-            }
-        }
-        const newApiKey = generateNodeApiKey();
-        const newHash = hashApiKey(newApiKey);
-        const { error: rotateErr } = await supabase
-            .from("nodes")
-            .update({ api_key_hash: newHash, updated_at: new Date().toISOString() })
-            .eq("id", nodeId);
-        if (rotateErr) {
-            return { status: 500, body: { error: rotateErr.message } };
-        }
-        // Invalidate auth cache for old hash
-        for (const [hash, cached] of nodeAuthCache) {
-            if (cached.node.id === nodeId) {
-                nodeAuthCache.delete(hash);
-            }
-        }
-        await logNodeEvent(supabase, rotateNode.store_id, nodeId, "key_rotated", {
-            rotated_by: auth.userId,
-        });
+    const nodeUpdates = {
+      updated_at: new Date().toISOString()
+    };
+    if (body.name !== undefined) nodeUpdates.name = body.name;
+    if (body.capabilities !== undefined) nodeUpdates.capabilities = body.capabilities;
+    if (body.config !== undefined) nodeUpdates.config = body.config;
+    const {
+      data: updated,
+      error: updateErr
+    } = await supabase.from("nodes").update(nodeUpdates).eq("id", nodeId).select("id, name, status, capabilities, config, version, hardware, last_heartbeat, updated_at").single();
+    if (updateErr) {
+      return {
+        status: 500,
+        body: {
+          error: updateErr.message
+        }
+      };
+    }
+    return {
+      status: 200,
+      body: {
+        success: true,
+        node: updated
+      }
+    };
+  }
+
+  // ── POST /nodes/:id/commands ────────────────────────────────
+  // User auth. Queue a command for a node.
+  const commandMatch = pathname.match(/^\/nodes\/([a-f0-9-]+)\/commands$/);
+  if (commandMatch && method === "POST") {
+    const nodeId = commandMatch[1];
+    if (!auth.userId && !auth.isServiceRole) {
+      return {
+        status: 401,
+        body: {
+          error: "User authentication required"
+        }
+      };
+    }
+    if (!body) return {
+      status: 400,
+      body: {
+        error: "Request body required"
+      }
+    };
+    const command = body.command;
+    const payload = body.payload || {};
+    if (!command) {
+      return {
+        status: 400,
+        body: {
+          error: "command is required"
+        }
+      };
+    }
+    const validCommands = ["restart", "shutdown", "rotate_key", "pause_all_channels", "resume_all_channels", "update"];
+    if (!validCommands.includes(command)) {
+      return {
+        status: 400,
+        body: {
+          error: `Invalid command. Valid: ${validCommands.join(", ")}`
+        }
+      };
+    }
+
+    // Verify node exists and get store_id
+    const {
+      data: targetNode
+    } = await supabase.from("nodes").select("id, store_id").eq("id", nodeId).single();
+    if (!targetNode) {
+      return {
+        status: 404,
+        body: {
+          error: "Node not found"
+        }
+      };
+    }
+    if (auth.userId) {
+      const hasAccess = await userHasStoreAccess(supabase, auth.userId, targetNode.store_id);
+      if (!hasAccess) {
         return {
-            status: 200,
-            body: {
-                success: true,
-                api_key: newApiKey,
-                message: "Save your new API key — it cannot be retrieved later. The old key is now invalid.",
-            },
+          status: 403,
+          body: {
+            error: "No access to this node"
+          }
         };
+      }
     }
-    // ── DELETE /nodes/:id ─────────────────────────────────────────
-    // User auth. Deletes a node and all its channels.
-    const deleteMatch = pathname.match(/^\/nodes\/([a-f0-9-]+)$/);
-    if (deleteMatch && method === "DELETE") {
-        const nodeId = deleteMatch[1];
-        // Verify ownership
-        const { data: node } = await supabase
-            .from("nodes")
-            .select("id, store_id, name")
-            .eq("id", nodeId)
-            .single();
-        if (!node) {
-            return { status: 404, body: { error: "Node not found" } };
-        }
-        if (auth.userId) {
-            const hasAccess = await userHasStoreAccess(supabase, auth.userId, node.store_id);
-            if (!hasAccess) {
-                return { status: 403, body: { error: "No access to this node" } };
-            }
-        }
-        await logNodeEvent(supabase, node.store_id, nodeId, "deleted", {
-            name: node.name,
-            deleted_by: auth.userId,
-        });
-        const { error } = await supabase.from("nodes").delete().eq("id", nodeId);
-        if (error) {
-            return { status: 500, body: { error: error.message } };
-        }
-        return { status: 200, body: { success: true, deleted: nodeId } };
-    }
-    // ── POST /channels ───────────────────────────────────────────
-    // User auth OR node API key. Registers a channel on a node.
-    if (pathname === "/channels" && method === "POST") {
-        if (!body)
-            return { status: 400, body: { error: "Request body required" } };
-        const reg = body;
-        if (!reg.store_id || !reg.node_id || !reg.type || !reg.name) {
-            return { status: 400, body: { error: "store_id, node_id, type, and name required" } };
-        }
-        // Verify node exists and belongs to store
-        const { data: node } = await supabase
-            .from("nodes")
-            .select("id, store_id")
-            .eq("id", reg.node_id)
-            .eq("store_id", reg.store_id)
-            .single();
-        if (!node) {
-            return { status: 404, body: { error: "Node not found in this store" } };
-        }
-        // Check channel-per-node limit against store plan
-        const { data: chanPlanRow } = await supabase
-            .from("store_plans")
-            .select("plan, limits")
-            .eq("store_id", reg.store_id)
-            .single();
-        const chanPlanLimits = chanPlanRow?.limits;
-        const channelsPerNode = chanPlanLimits?.channels_per_node ?? 2; // free plan default
-        const { count: existingChannels } = await supabase
-            .from("channels")
-            .select("id", { count: "exact", head: true })
-            .eq("node_id", reg.node_id);
-        if ((existingChannels || 0) >= channelsPerNode) {
-            return { status: 429, body: { error: `Channel limit reached (${existingChannels}/${channelsPerNode} per node on ${chanPlanRow?.plan || "free"} plan)` } };
-        }
-        const { data: channel, error } = await supabase
-            .from("channels")
-            .insert({
-            store_id: reg.store_id,
-            node_id: reg.node_id,
-            type: reg.type,
-            name: reg.name,
-            config: reg.config || {},
-            agent_id: reg.agent_id || null,
-            status: "inactive",
-        })
-            .select("id, type, name, status, created_at")
-            .single();
-        if (error) {
-            return { status: 500, body: { error: error.message } };
-        }
-        await logNodeEvent(supabase, reg.store_id, reg.node_id, "channel_added", {
-            channel_id: channel.id,
-            type: reg.type,
-            name: reg.name,
-        });
-        return { status: 201, body: { success: true, channel } };
-    }
-    // ── GET|POST /channels/list ──────────────────────────────────
-    // User auth. Lists channels for a store.
-    if (pathname === "/channels/list" && (method === "GET" || method === "POST")) {
-        const storeId = body?.store_id || queryParams?.get("store_id");
-        if (!storeId) {
-            return { status: 400, body: { error: "store_id required" } };
-        }
-        // Verify user has access to the requested store
-        if (auth.userId) {
-            const hasAccess = await userHasStoreAccess(supabase, auth.userId, storeId);
-            if (!hasAccess) {
-                return { status: 403, body: { error: "Not authorized to access this store's channels" } };
-            }
-        }
-        else if (!auth.isServiceRole) {
-            return { status: 401, body: { error: "Authentication required" } };
-        }
-        const { data: channels, error } = await supabase
-            .from("channels")
-            .select(`
+    const {
+      data: cmd,
+      error: cmdErr
+    } = await supabase.from("node_commands").insert({
+      node_id: nodeId,
+      store_id: targetNode.store_id,
+      command,
+      payload,
+      status: "pending"
+    }).select("id, command, status, created_at").single();
+    if (cmdErr) {
+      return {
+        status: 500,
+        body: {
+          error: cmdErr.message
+        }
+      };
+    }
+    await logNodeEvent(supabase, targetNode.store_id, nodeId, "command_queued", {
+      command,
+      command_id: cmd.id,
+      queued_by: auth.userId
+    });
+    return {
+      status: 201,
+      body: {
+        success: true,
+        command: cmd
+      }
+    };
+  }
+
+  // ── POST /nodes/:id/rotate-key ─────────────────────────────
+  // User auth. Generate a new API key for a node.
+  const rotateMatch = pathname.match(/^\/nodes\/([a-f0-9-]+)\/rotate-key$/);
+  if (rotateMatch && method === "POST") {
+    const nodeId = rotateMatch[1];
+    if (!auth.userId && !auth.isServiceRole) {
+      return {
+        status: 401,
+        body: {
+          error: "User authentication required"
+        }
+      };
+    }
+
+    // Verify ownership
+    const {
+      data: rotateNode
+    } = await supabase.from("nodes").select("id, store_id, name").eq("id", nodeId).single();
+    if (!rotateNode) {
+      return {
+        status: 404,
+        body: {
+          error: "Node not found"
+        }
+      };
+    }
+    if (auth.userId) {
+      const hasAccess = await userHasStoreAccess(supabase, auth.userId, rotateNode.store_id);
+      if (!hasAccess) {
+        return {
+          status: 403,
+          body: {
+            error: "No access to this node"
+          }
+        };
+      }
+    }
+    const newApiKey = generateNodeApiKey();
+    const newHash = hashApiKey(newApiKey);
+    const {
+      error: rotateErr
+    } = await supabase.from("nodes").update({
+      api_key_hash: newHash,
+      updated_at: new Date().toISOString()
+    }).eq("id", nodeId);
+    if (rotateErr) {
+      return {
+        status: 500,
+        body: {
+          error: rotateErr.message
+        }
+      };
+    }
+
+    // Invalidate auth cache for old hash
+    for (const [hash, cached] of nodeAuthCache) {
+      if (cached.node.id === nodeId) {
+        nodeAuthCache.delete(hash);
+      }
+    }
+    await logNodeEvent(supabase, rotateNode.store_id, nodeId, "key_rotated", {
+      rotated_by: auth.userId
+    });
+    return {
+      status: 200,
+      body: {
+        success: true,
+        api_key: newApiKey,
+        message: "Save your new API key — it cannot be retrieved later. The old key is now invalid."
+      }
+    };
+  }
+
+  // ── DELETE /nodes/:id ─────────────────────────────────────────
+  // User auth. Deletes a node and all its channels.
+  const deleteMatch = pathname.match(/^\/nodes\/([a-f0-9-]+)$/);
+  if (deleteMatch && method === "DELETE") {
+    const nodeId = deleteMatch[1];
+
+    // Verify ownership
+    const {
+      data: node
+    } = await supabase.from("nodes").select("id, store_id, name").eq("id", nodeId).single();
+    if (!node) {
+      return {
+        status: 404,
+        body: {
+          error: "Node not found"
+        }
+      };
+    }
+    if (auth.userId) {
+      const hasAccess = await userHasStoreAccess(supabase, auth.userId, node.store_id);
+      if (!hasAccess) {
+        return {
+          status: 403,
+          body: {
+            error: "No access to this node"
+          }
+        };
+      }
+    }
+    await logNodeEvent(supabase, node.store_id, nodeId, "deleted", {
+      name: node.name,
+      deleted_by: auth.userId
+    });
+    const {
+      error
+    } = await supabase.from("nodes").delete().eq("id", nodeId);
+    if (error) {
+      return {
+        status: 500,
+        body: {
+          error: error.message
+        }
+      };
+    }
+    return {
+      status: 200,
+      body: {
+        success: true,
+        deleted: nodeId
+      }
+    };
+  }
+
+  // ── POST /channels ───────────────────────────────────────────
+  // User auth OR node API key. Registers a channel on a node.
+  if (pathname === "/channels" && method === "POST") {
+    if (!body) return {
+      status: 400,
+      body: {
+        error: "Request body required"
+      }
+    };
+    const reg = body;
+    if (!reg.store_id || !reg.node_id || !reg.type || !reg.name) {
+      return {
+        status: 400,
+        body: {
+          error: "store_id, node_id, type, and name required"
+        }
+      };
+    }
+
+    // Verify node exists and belongs to store
+    const {
+      data: node
+    } = await supabase.from("nodes").select("id, store_id").eq("id", reg.node_id).eq("store_id", reg.store_id).single();
+    if (!node) {
+      return {
+        status: 404,
+        body: {
+          error: "Node not found in this store"
+        }
+      };
+    }
+
+    // Check channel-per-node limit against store plan
+    const {
+      data: chanPlanRow
+    } = await supabase.from("store_plans").select("plan, limits").eq("store_id", reg.store_id).single();
+    const chanPlanLimits = chanPlanRow?.limits;
+    const channelsPerNode = chanPlanLimits?.channels_per_node ?? 2; // free plan default
+
+    const {
+      count: existingChannels
+    } = await supabase.from("channels").select("id", {
+      count: "exact",
+      head: true
+    }).eq("node_id", reg.node_id);
+    if ((existingChannels || 0) >= channelsPerNode) {
+      return {
+        status: 429,
+        body: {
+          error: `Channel limit reached (${existingChannels}/${channelsPerNode} per node on ${chanPlanRow?.plan || "free"} plan)`
+        }
+      };
+    }
+    const {
+      data: channel,
+      error
+    } = await supabase.from("channels").insert({
+      store_id: reg.store_id,
+      node_id: reg.node_id,
+      type: reg.type,
+      name: reg.name,
+      config: reg.config || {},
+      agent_id: reg.agent_id || null,
+      status: "inactive"
+    }).select("id, type, name, status, created_at").single();
+    if (error) {
+      return {
+        status: 500,
+        body: {
+          error: error.message
+        }
+      };
+    }
+    await logNodeEvent(supabase, reg.store_id, reg.node_id, "channel_added", {
+      channel_id: channel.id,
+      type: reg.type,
+      name: reg.name
+    });
+    return {
+      status: 201,
+      body: {
+        success: true,
+        channel
+      }
+    };
+  }
+
+  // ── GET|POST /channels/list ──────────────────────────────────
+  // User auth. Lists channels for a store.
+  if (pathname === "/channels/list" && (method === "GET" || method === "POST")) {
+    const storeId = body?.store_id || queryParams?.get("store_id");
+    if (!storeId) {
+      return {
+        status: 400,
+        body: {
+          error: "store_id required"
+        }
+      };
+    }
+
+    // Verify user has access to the requested store
+    if (auth.userId) {
+      const hasAccess = await userHasStoreAccess(supabase, auth.userId, storeId);
+      if (!hasAccess) {
+        return {
+          status: 403,
+          body: {
+            error: "Not authorized to access this store's channels"
+          }
+        };
+      }
+    } else if (!auth.isServiceRole) {
+      return {
+        status: 401,
+        body: {
+          error: "Authentication required"
+        }
+      };
+    }
+    const {
+      data: channels,
+      error
+    } = await supabase.from("channels").select(`
         id, node_id, type, name, status, config, agent_id, stats,
         error_message, created_at, updated_at,
         nodes!inner(id, name, status)
-      `)
-            .eq("store_id", storeId)
-            .order("created_at", { ascending: false });
-        if (error) {
-            return { status: 500, body: { error: error.message } };
-        }
-        return { status: 200, body: { success: true, channels: channels || [] } };
-    }
-    // ── PATCH /channels/:id ────────────────────────────────────────
-    // User auth. Update channel config/agent assignment.
-    const channelPatchMatch = pathname.match(/^\/channels\/([a-f0-9-]+)$/);
-    if (channelPatchMatch && (method === "PUT" || method === "POST") && body?._method === "PATCH") {
-        const channelId = channelPatchMatch[1];
-        // Fetch the channel first to verify ownership
-        const { data: existingChannel } = await supabase
-            .from("channels")
-            .select("id, store_id")
-            .eq("id", channelId)
-            .single();
-        if (!existingChannel) {
-            return { status: 404, body: { error: "Channel not found" } };
-        }
-        // Verify the user has access to this channel's store
-        if (auth.userId) {
-            const hasAccess = await userHasStoreAccess(supabase, auth.userId, existingChannel.store_id);
-            if (!hasAccess) {
-                return { status: 403, body: { error: "Not authorized to modify this channel" } };
-            }
+      `).eq("store_id", storeId).order("created_at", {
+      ascending: false
+    });
+    if (error) {
+      return {
+        status: 500,
+        body: {
+          error: error.message
         }
-        else if (!auth.isServiceRole) {
-            return { status: 401, body: { error: "Authentication required" } };
-        }
-        const updates = {};
-        if (body.agent_id !== undefined)
-            updates.agent_id = body.agent_id;
-        if (body.config !== undefined)
-            updates.config = body.config;
-        if (body.name !== undefined)
-            updates.name = body.name;
-        if (body.status !== undefined)
-            updates.status = body.status;
-        updates.updated_at = new Date().toISOString();
-        const { data: channel, error } = await supabase
-            .from("channels")
-            .update(updates)
-            .eq("id", channelId)
-            .select("id, type, name, status, agent_id, config, updated_at")
-            .single();
-        if (error) {
-            return { status: 500, body: { error: error.message } };
-        }
-        return { status: 200, body: { success: true, channel } };
-    }
-    // ── POST /channels/:id/messages ──────────────────────────────
-    // Node API key auth. Ingests a message from a channel.
-    // If direction=inbound and channel has agent_id, auto-invokes agent.
-    const messageMatch = pathname.match(/^\/channels\/([a-f0-9-]+)\/messages$/);
-    if (messageMatch && method === "POST") {
-        const channelId = messageMatch[1];
-        if (!body)
-            return { status: 400, body: { error: "Request body required" } };
-        // Authenticate node (or service role for admin access)
-        const node = await authenticateNode(supabase, auth.rawToken);
-        if (!node && !auth.isServiceRole) {
-            return { status: 401, body: { error: "Invalid node API key" } };
-        }
-        // Verify channel exists (and belongs to this node if node auth)
-        let channelQuery = supabase
-            .from("channels")
-            .select("id, store_id, node_id, agent_id, config, type, name")
-            .eq("id", channelId);
-        if (node)
-            channelQuery = channelQuery.eq("node_id", node.id);
-        const { data: channel } = await channelQuery.single();
-        if (!channel) {
-            return { status: 404, body: { error: "Channel not found" } };
-        }
-        const msg = body;
-        const direction = msg.direction || "inbound";
-        const senderId = msg.sender_id || "unknown";
-        // Check plan message limits before accepting
-        const limitCheck = await checkPlanLimits(supabase, channel.store_id, "message");
-        if (!limitCheck.allowed) {
-            return { status: 429, body: { error: limitCheck.reason || "Message limit exceeded" } };
-        }
-        // Resolve conversation ID (reuse if < 30 min gap from same sender)
-        // Channel type is dynamic — read from channel.config.type or channel row's type column
-        const channelType = channel.config?.type || channel.type || "unknown";
-        const channelName = channel.name || "";
-        let conversationId = msg.conversation_id;
-        let senderContext;
-        if (!conversationId && direction === "inbound") {
-            const ctx = await resolveConversation(supabase, channelId, senderId, channel.store_id, channelType, msg.sender_name);
-            conversationId = ctx.conversationId;
-            senderContext = {
-                senderId,
-                senderName: msg.sender_name || undefined,
-                customerId: ctx.customerId,
-                customerName: ctx.customerName,
-                channelType,
-                channelId,
-                channelName,
-            };
-        }
-        // Insert inbound message
-        const { data: message, error } = await supabase
-            .from("channel_messages")
-            .insert({
-            store_id: channel.store_id,
+      };
+    }
+    return {
+      status: 200,
+      body: {
+        success: true,
+        channels: channels || []
+      }
+    };
+  }
+
+  // ── PATCH /channels/:id ────────────────────────────────────────
+  // User auth. Update channel config/agent assignment.
+  const channelPatchMatch = pathname.match(/^\/channels\/([a-f0-9-]+)$/);
+  if (channelPatchMatch && (method === "PUT" || method === "POST") && body?._method === "PATCH") {
+    const channelId = channelPatchMatch[1];
+
+    // Fetch the channel first to verify ownership
+    const {
+      data: existingChannel
+    } = await supabase.from("channels").select("id, store_id").eq("id", channelId).single();
+    if (!existingChannel) {
+      return {
+        status: 404,
+        body: {
+          error: "Channel not found"
+        }
+      };
+    }
+
+    // Verify the user has access to this channel's store
+    if (auth.userId) {
+      const hasAccess = await userHasStoreAccess(supabase, auth.userId, existingChannel.store_id);
+      if (!hasAccess) {
+        return {
+          status: 403,
+          body: {
+            error: "Not authorized to modify this channel"
+          }
+        };
+      }
+    } else if (!auth.isServiceRole) {
+      return {
+        status: 401,
+        body: {
+          error: "Authentication required"
+        }
+      };
+    }
+    const updates = {};
+    if (body.agent_id !== undefined) updates.agent_id = body.agent_id;
+    if (body.config !== undefined) updates.config = body.config;
+    if (body.name !== undefined) updates.name = body.name;
+    if (body.status !== undefined) updates.status = body.status;
+    updates.updated_at = new Date().toISOString();
+    const {
+      data: channel,
+      error
+    } = await supabase.from("channels").update(updates).eq("id", channelId).select("id, type, name, status, agent_id, config, updated_at").single();
+    if (error) {
+      return {
+        status: 500,
+        body: {
+          error: error.message
+        }
+      };
+    }
+    return {
+      status: 200,
+      body: {
+        success: true,
+        channel
+      }
+    };
+  }
+
+  // ── POST /channels/:id/messages ──────────────────────────────
+  // Node API key auth. Ingests a message from a channel.
+  // If direction=inbound and channel has agent_id, auto-invokes agent.
+  const messageMatch = pathname.match(/^\/channels\/([a-f0-9-]+)\/messages$/);
+  if (messageMatch && method === "POST") {
+    const channelId = messageMatch[1];
+    if (!body) return {
+      status: 400,
+      body: {
+        error: "Request body required"
+      }
+    };
+
+    // Authenticate node (or service role for admin access)
+    const node = await authenticateNode(supabase, auth.rawToken);
+    if (!node && !auth.isServiceRole) {
+      return {
+        status: 401,
+        body: {
+          error: "Invalid node API key"
+        }
+      };
+    }
+
+    // Verify channel exists (and belongs to this node if node auth)
+    let channelQuery = supabase.from("channels").select("id, store_id, node_id, agent_id, config, type, name").eq("id", channelId);
+    if (node) channelQuery = channelQuery.eq("node_id", node.id);
+    const {
+      data: channel
+    } = await channelQuery.single();
+    if (!channel) {
+      return {
+        status: 404,
+        body: {
+          error: "Channel not found"
+        }
+      };
+    }
+    const msg = body;
+    const direction = msg.direction || "inbound";
+    const senderId = msg.sender_id || "unknown";
+
+    // Check plan message limits before accepting
+    const limitCheck = await checkPlanLimits(supabase, channel.store_id, "message");
+    if (!limitCheck.allowed) {
+      return {
+        status: 429,
+        body: {
+          error: limitCheck.reason || "Message limit exceeded"
+        }
+      };
+    }
+
+    // Resolve conversation ID (reuse if < 30 min gap from same sender)
+    // Channel type is dynamic — read from channel.config.type or channel row's type column
+    const channelType = channel.config?.type || channel.type || "unknown";
+    const channelName = channel.name || "";
+    let conversationId = msg.conversation_id;
+    let senderContext;
+    if (!conversationId && direction === "inbound") {
+      const ctx = await resolveConversation(supabase, channelId, senderId, channel.store_id, channelType, msg.sender_name);
+      conversationId = ctx.conversationId;
+      senderContext = {
+        senderId,
+        senderName: msg.sender_name || undefined,
+        customerId: ctx.customerId,
+        customerName: ctx.customerName,
+        channelType,
+        channelId,
+        channelName
+      };
+    }
+
+    // Insert inbound message
+    const {
+      data: message,
+      error
+    } = await supabase.from("channel_messages").insert({
+      store_id: channel.store_id,
+      channel_id: channelId,
+      direction,
+      sender_id: senderId,
+      sender_name: msg.sender_name,
+      content: msg.content,
+      content_type: msg.content_type || "text",
+      metadata: msg.metadata || {},
+      agent_id: channel.agent_id,
+      conversation_id: conversationId
+    }).select("id, direction, content, conversation_id, created_at").single();
+    if (error) {
+      return {
+        status: 500,
+        body: {
+          error: error.message
+        }
+      };
+    }
+
+    // Update channel stats (best-effort)
+    try {
+      await supabase.rpc("increment_channel_stats", {
+        p_channel_id: channelId
+      });
+    } catch {
+      // Stats function may not exist yet — that's fine
+    }
+
+    // Telemetry → ClickHouse for inbound message
+    if (direction === "inbound") {
+      try {
+        queueSpan(auditRowToSpan({
+          action: "node.message.inbound",
+          severity: "info",
+          store_id: channel.store_id,
+          resource_type: "whale_node",
+          resource_id: channelId,
+          source: "whale-node",
+          conversation_id: conversationId || message.conversation_id || null,
+          trace_id: randomUUID(),
+          span_kind: "INTERNAL",
+          service_name: "whale-node",
+          status_code: "OK",
+          start_time: new Date().toISOString(),
+          end_time: new Date().toISOString(),
+          details: {
             channel_id: channelId,
-            direction,
+            channel_type: channelType,
             sender_id: senderId,
-            sender_name: msg.sender_name,
-            content: msg.content,
-            content_type: msg.content_type || "text",
-            metadata: msg.metadata || {},
-            agent_id: channel.agent_id,
-            conversation_id: conversationId,
-        })
-            .select("id, direction, content, conversation_id, created_at")
-            .single();
-        if (error) {
-            return { status: 500, body: { error: error.message } };
-        }
-        // Update channel stats (best-effort)
+            sender_name: msg.sender_name || null,
+            node_id: node?.id || null,
+            has_agent: !!channel.agent_id
+          }
+        }));
+      } catch {
+        // Telemetry must never break message flow
+      }
+    }
+
+    // Track message usage (best-effort, non-blocking)
+    incrementUsage(supabase, channel.store_id, direction === "inbound" ? {
+      messages_in: 1
+    } : {
+      messages_out: 1
+    }).catch(err => console.error("[billing] usage increment failed:", err.message));
+
+    // ── Agent auto-invocation ───────────────────────────────────
+    // If inbound message and channel has an agent assigned, invoke it
+    let agentResponse = null;
+    if (direction === "inbound" && channel.agent_id && agentInvoker) {
+      // Check agent invocation limits before calling
+      const agentLimitCheck = await checkPlanLimits(supabase, channel.store_id, "agent_invocation");
+      if (!agentLimitCheck.allowed) {
+        console.warn(`[channel-agent] Agent invocation blocked: ${agentLimitCheck.reason}`);
+      } else {
         try {
-            await supabase.rpc("increment_channel_stats", {
-                p_channel_id: channelId,
-            });
-        }
-        catch {
-            // Stats function may not exist yet — that's fine
-        }
-        // Telemetry → ClickHouse for inbound message
-        if (direction === "inbound") {
-            try {
-                queueSpan(auditRowToSpan({
-                    action: "node.message.inbound",
-                    severity: "info",
-                    store_id: channel.store_id,
-                    resource_type: "whale_node",
-                    resource_id: channelId,
-                    source: "whale-node",
-                    conversation_id: conversationId || message.conversation_id || null,
-                    trace_id: randomUUID(),
-                    span_kind: "INTERNAL",
-                    service_name: "whale-node",
-                    status_code: "OK",
-                    start_time: new Date().toISOString(),
-                    end_time: new Date().toISOString(),
-                    details: {
-                        channel_id: channelId,
-                        channel_type: channelType,
-                        sender_id: senderId,
-                        sender_name: msg.sender_name || null,
-                        node_id: node?.id || null,
-                        has_agent: !!channel.agent_id,
-                    },
-                }));
-            }
-            catch {
-                // Telemetry must never break message flow
-            }
-        }
-        // Track message usage (best-effort, non-blocking)
-        incrementUsage(supabase, channel.store_id, direction === "inbound" ? { messages_in: 1 } : { messages_out: 1 }).catch((err) => console.error("[billing] usage increment failed:", err.message));
-        // ── Agent auto-invocation ───────────────────────────────────
-        // If inbound message and channel has an agent assigned, invoke it
-        let agentResponse = null;
-        if (direction === "inbound" && channel.agent_id && agentInvoker) {
-            // Check agent invocation limits before calling
-            const agentLimitCheck = await checkPlanLimits(supabase, channel.store_id, "agent_invocation");
-            if (!agentLimitCheck.allowed) {
-                console.warn(`[channel-agent] Agent invocation blocked: ${agentLimitCheck.reason}`);
-            }
-            else {
-                try {
-                    console.log(`[channel-agent] Invoking agent ${channel.agent_id} for channel ${channelId}`);
-                    const result = await agentInvoker(supabase, channel.agent_id, msg.content, channel.store_id, conversationId || message.conversation_id, senderContext);
-                    // Track agent invocation usage
-                    incrementUsage(supabase, channel.store_id, { agent_invocations: 1 })
-                        .catch((err) => console.error("[billing] agent usage increment failed:", err.message));
-                    if (result.success && result.response) {
-                        // Insert agent response as outbound message
-                        const { data: outMsg, error: outErr } = await supabase
-                            .from("channel_messages")
-                            .insert({
-                            store_id: channel.store_id,
-                            channel_id: channelId,
-                            direction: "outbound",
-                            sender_id: "agent",
-                            sender_name: "AI Agent",
-                            content: result.response,
-                            content_type: "text",
-                            metadata: { agent_id: channel.agent_id, auto_response: true },
-                            agent_id: channel.agent_id,
-                            conversation_id: conversationId || message.conversation_id,
-                        })
-                            .select("id, direction, content, conversation_id, created_at")
-                            .single();
-                        if (!outErr && outMsg) {
-                            agentResponse = outMsg;
-                            // Track outbound message usage
-                            incrementUsage(supabase, channel.store_id, { messages_out: 1 })
-                                .catch((err) => console.error("[billing] outbound usage increment failed:", err.message));
-                            console.log(`[channel-agent] Response stored: ${outMsg.id}`);
-                        }
-                    }
-                    else if (result.error) {
-                        console.error(`[channel-agent] Agent error: ${result.error}`);
-                    }
-                }
-                catch (err) {
-                    console.error(`[channel-agent] Invocation failed:`, err.message);
-                }
+          console.log(`[channel-agent] Invoking agent ${channel.agent_id} for channel ${channelId}`);
+          const result = await agentInvoker(supabase, channel.agent_id, msg.content, channel.store_id, conversationId || message.conversation_id, senderContext);
+
+          // Track agent invocation usage
+          incrementUsage(supabase, channel.store_id, {
+            agent_invocations: 1
+          }).catch(err => console.error("[billing] agent usage increment failed:", err.message));
+          if (result.success && result.response) {
+            // Insert agent response as outbound message
+            const {
+              data: outMsg,
+              error: outErr
+            } = await supabase.from("channel_messages").insert({
+              store_id: channel.store_id,
+              channel_id: channelId,
+              direction: "outbound",
+              sender_id: "agent",
+              sender_name: "AI Agent",
+              content: result.response,
+              content_type: "text",
+              metadata: {
+                agent_id: channel.agent_id,
+                auto_response: true
+              },
+              agent_id: channel.agent_id,
+              conversation_id: conversationId || message.conversation_id
+            }).select("id, direction, content, conversation_id, created_at").single();
+            if (!outErr && outMsg) {
+              agentResponse = outMsg;
+              // Track outbound message usage
+              incrementUsage(supabase, channel.store_id, {
+                messages_out: 1
+              }).catch(err => console.error("[billing] outbound usage increment failed:", err.message));
+              console.log(`[channel-agent] Response stored: ${outMsg.id}`);
             }
+          } else if (result.error) {
+            console.error(`[channel-agent] Agent error: ${result.error}`);
+          }
+        } catch (err) {
+          console.error(`[channel-agent] Invocation failed:`, err.message);
         }
+      }
+    }
+    return {
+      status: 201,
+      body: {
+        success: true,
+        message,
+        agent_response: agentResponse,
+        conversation_id: conversationId || message.conversation_id
+      }
+    };
+  }
+
+  // ── GET /channels/:id/messages ─────────────────────────────────
+  // Node API key auth. Retrieves messages for a channel.
+  // Query params (via body): direction, undelivered, limit, after
+  const getMessagesMatch = pathname.match(/^\/channels\/([a-f0-9-]+)\/messages$/);
+  if (getMessagesMatch && method === "GET") {
+    const channelId = getMessagesMatch[1];
+
+    // Authenticate node (or service role for admin access)
+    const node = await authenticateNode(supabase, auth.rawToken);
+    if (!node && !auth.isServiceRole) {
+      return {
+        status: 401,
+        body: {
+          error: "Invalid node API key"
+        }
+      };
+    }
+
+    // Verify channel exists (and belongs to this node if node auth)
+    let chQuery = supabase.from("channels").select("id, node_id").eq("id", channelId);
+    if (node) chQuery = chQuery.eq("node_id", node.id);
+    const {
+      data: channel
+    } = await chQuery.single();
+    if (!channel) {
+      return {
+        status: 404,
+        body: {
+          error: "Channel not found"
+        }
+      };
+    }
+    let query = supabase.from("channel_messages").select("id, direction, sender_id, sender_name, content, content_type, metadata, conversation_id, delivered_at, created_at").eq("channel_id", channelId);
+
+    // Filter by direction (body or query param)
+    const direction = body?.direction || queryParams?.get("direction");
+    if (direction) {
+      query = query.eq("direction", direction);
+    }
+
+    // Filter undelivered outbound messages (for node polling)
+    const undelivered = body?.undelivered || queryParams?.get("undelivered");
+    if (undelivered === true || undelivered === "true") {
+      query = query.eq("direction", "outbound").is("delivered_at", null);
+    }
+
+    // After a specific timestamp
+    const after = body?.after || queryParams?.get("after");
+    if (after) {
+      query = query.gt("created_at", after);
+    }
+    const rawLimit = body?.limit || queryParams?.get("limit") || 50;
+    const limit = Math.min(Number(rawLimit), 200);
+    query = query.order("created_at", {
+      ascending: true
+    }).limit(limit);
+    const {
+      data: messages,
+      error: msgErr
+    } = await query;
+    if (msgErr) {
+      return {
+        status: 500,
+        body: {
+          error: msgErr.message
+        }
+      };
+    }
+    return {
+      status: 200,
+      body: {
+        success: true,
+        messages: messages || []
+      }
+    };
+  }
+
+  // ── PATCH /channels/:id/messages/:msgId ──────────────────────
+  // Node API key auth. Mark message as delivered.
+  const deliverMatch = pathname.match(/^\/channels\/([a-f0-9-]+)\/messages\/([a-f0-9-]+)$/);
+  if (deliverMatch && (method === "PUT" || method === "POST") && body?._method === "PATCH") {
+    const channelId = deliverMatch[1];
+    const msgId = deliverMatch[2];
+    const node = await authenticateNode(supabase, auth.rawToken);
+    if (!node) {
+      return {
+        status: 401,
+        body: {
+          error: "Invalid node API key"
+        }
+      };
+    }
+    const {
+      error
+    } = await supabase.from("channel_messages").update({
+      delivered_at: body?.delivered_at || new Date().toISOString(),
+      metadata: {
+        ...(body?.metadata || {}),
+        delivered_by_node: node.id
+      }
+    }).eq("id", msgId).eq("channel_id", channelId);
+    if (error) {
+      return {
+        status: 500,
+        body: {
+          error: error.message
+        }
+      };
+    }
+    return {
+      status: 200,
+      body: {
+        success: true,
+        delivered: msgId
+      }
+    };
+  }
+
+  // ── POST /channels/:id/messages/:msgId/delivered ─────────────
+  // Simpler delivery marking endpoint (no _method hack needed)
+  const deliverSimpleMatch = pathname.match(/^\/channels\/([a-f0-9-]+)\/messages\/([a-f0-9-]+)\/delivered$/);
+  if (deliverSimpleMatch && method === "POST") {
+    const channelId = deliverSimpleMatch[1];
+    const msgId = deliverSimpleMatch[2];
+    const node = await authenticateNode(supabase, auth.rawToken);
+    if (!node) {
+      return {
+        status: 401,
+        body: {
+          error: "Invalid node API key"
+        }
+      };
+    }
+    const {
+      error
+    } = await supabase.from("channel_messages").update({
+      delivered_at: new Date().toISOString()
+    }).eq("id", msgId).eq("channel_id", channelId);
+    if (error) {
+      return {
+        status: 500,
+        body: {
+          error: error.message
+        }
+      };
+    }
+    return {
+      status: 200,
+      body: {
+        success: true,
+        delivered: msgId
+      }
+    };
+  }
+
+  // ── GET /nodes/:id/events ────────────────────────────────────
+  // User auth. Lists recent events for a node.
+  const eventsMatch = pathname.match(/^\/nodes\/([a-f0-9-]+)\/events$/);
+  if (eventsMatch && method === "GET") {
+    const nodeId = eventsMatch[1];
+    const limit = body?.limit || 50;
+
+    // Verify user has access to this node's store
+    const {
+      data: node
+    } = await supabase.from("nodes").select("store_id").eq("id", nodeId).single();
+    if (!node) {
+      return {
+        status: 404,
+        body: {
+          error: "Node not found"
+        }
+      };
+    }
+    if (auth.userId) {
+      const hasAccess = await userHasStoreAccess(supabase, auth.userId, node.store_id);
+      if (!hasAccess) {
         return {
-            status: 201,
-            body: {
-                success: true,
-                message,
-                agent_response: agentResponse,
-                conversation_id: conversationId || message.conversation_id,
-            },
+          status: 403,
+          body: {
+            error: "Not authorized to view this node's events"
+          }
         };
+      }
+    } else if (!auth.isServiceRole) {
+      return {
+        status: 401,
+        body: {
+          error: "Authentication required"
+        }
+      };
     }
-    // ── GET /channels/:id/messages ─────────────────────────────────
-    // Node API key auth. Retrieves messages for a channel.
-    // Query params (via body): direction, undelivered, limit, after
-    const getMessagesMatch = pathname.match(/^\/channels\/([a-f0-9-]+)\/messages$/);
-    if (getMessagesMatch && method === "GET") {
-        const channelId = getMessagesMatch[1];
-        // Authenticate node (or service role for admin access)
-        const node = await authenticateNode(supabase, auth.rawToken);
-        if (!node && !auth.isServiceRole) {
-            return { status: 401, body: { error: "Invalid node API key" } };
-        }
-        // Verify channel exists (and belongs to this node if node auth)
-        let chQuery = supabase.from("channels").select("id, node_id").eq("id", channelId);
-        if (node)
-            chQuery = chQuery.eq("node_id", node.id);
-        const { data: channel } = await chQuery.single();
-        if (!channel) {
-            return { status: 404, body: { error: "Channel not found" } };
-        }
-        let query = supabase
-            .from("channel_messages")
-            .select("id, direction, sender_id, sender_name, content, content_type, metadata, conversation_id, delivered_at, created_at")
-            .eq("channel_id", channelId);
-        // Filter by direction (body or query param)
-        const direction = body?.direction || queryParams?.get("direction");
-        if (direction) {
-            query = query.eq("direction", direction);
-        }
-        // Filter undelivered outbound messages (for node polling)
-        const undelivered = body?.undelivered || queryParams?.get("undelivered");
-        if (undelivered === true || undelivered === "true") {
-            query = query.eq("direction", "outbound").is("delivered_at", null);
-        }
-        // After a specific timestamp
-        const after = body?.after || queryParams?.get("after");
-        if (after) {
-            query = query.gt("created_at", after);
-        }
-        const rawLimit = body?.limit || queryParams?.get("limit") || 50;
-        const limit = Math.min(Number(rawLimit), 200);
-        query = query.order("created_at", { ascending: true }).limit(limit);
-        const { data: messages, error: msgErr } = await query;
-        if (msgErr) {
-            return { status: 500, body: { error: msgErr.message } };
-        }
-        return { status: 200, body: { success: true, messages: messages || [] } };
-    }
-    // ── PATCH /channels/:id/messages/:msgId ──────────────────────
-    // Node API key auth. Mark message as delivered.
-    const deliverMatch = pathname.match(/^\/channels\/([a-f0-9-]+)\/messages\/([a-f0-9-]+)$/);
-    if (deliverMatch && (method === "PUT" || method === "POST") && body?._method === "PATCH") {
-        const channelId = deliverMatch[1];
-        const msgId = deliverMatch[2];
-        const node = await authenticateNode(supabase, auth.rawToken);
-        if (!node) {
-            return { status: 401, body: { error: "Invalid node API key" } };
-        }
-        const { error } = await supabase
-            .from("channel_messages")
-            .update({
-            delivered_at: body?.delivered_at || new Date().toISOString(),
-            metadata: { ...(body?.metadata || {}), delivered_by_node: node.id },
-        })
-            .eq("id", msgId)
-            .eq("channel_id", channelId);
-        if (error) {
-            return { status: 500, body: { error: error.message } };
-        }
-        return { status: 200, body: { success: true, delivered: msgId } };
-    }
-    // ── POST /channels/:id/messages/:msgId/delivered ─────────────
-    // Simpler delivery marking endpoint (no _method hack needed)
-    const deliverSimpleMatch = pathname.match(/^\/channels\/([a-f0-9-]+)\/messages\/([a-f0-9-]+)\/delivered$/);
-    if (deliverSimpleMatch && method === "POST") {
-        const channelId = deliverSimpleMatch[1];
-        const msgId = deliverSimpleMatch[2];
-        const node = await authenticateNode(supabase, auth.rawToken);
-        if (!node) {
-            return { status: 401, body: { error: "Invalid node API key" } };
-        }
-        const { error } = await supabase
-            .from("channel_messages")
-            .update({ delivered_at: new Date().toISOString() })
-            .eq("id", msgId)
-            .eq("channel_id", channelId);
-        if (error) {
-            return { status: 500, body: { error: error.message } };
-        }
-        return { status: 200, body: { success: true, delivered: msgId } };
-    }
-    // ── GET /nodes/:id/events ────────────────────────────────────
-    // User auth. Lists recent events for a node.
-    const eventsMatch = pathname.match(/^\/nodes\/([a-f0-9-]+)\/events$/);
-    if (eventsMatch && method === "GET") {
-        const nodeId = eventsMatch[1];
-        const limit = body?.limit || 50;
-        // Verify user has access to this node's store
-        const { data: node } = await supabase
-            .from("nodes")
-            .select("store_id")
-            .eq("id", nodeId)
-            .single();
-        if (!node) {
-            return { status: 404, body: { error: "Node not found" } };
-        }
-        if (auth.userId) {
-            const hasAccess = await userHasStoreAccess(supabase, auth.userId, node.store_id);
-            if (!hasAccess) {
-                return { status: 403, body: { error: "Not authorized to view this node's events" } };
-            }
-        }
-        else if (!auth.isServiceRole) {
-            return { status: 401, body: { error: "Authentication required" } };
-        }
-        const { data: events, error } = await supabase
-            .from("node_events")
-            .select("id, event_type, details, created_at")
-            .eq("node_id", nodeId)
-            .order("created_at", { ascending: false })
-            .limit(limit);
-        if (error) {
-            return { status: 500, body: { error: error.message } };
-        }
-        return { status: 200, body: { success: true, events: events || [] } };
+    const {
+      data: events,
+      error
+    } = await supabase.from("node_events").select("id, event_type, details, created_at").eq("node_id", nodeId).order("created_at", {
+      ascending: false
+    }).limit(limit);
+    if (error) {
+      return {
+        status: 500,
+        body: {
+          error: error.message
+        }
+      };
     }
-    // No route matched
-    return null;
+    return {
+      status: 200,
+      body: {
+        success: true,
+        events: events || []
+      }
+    };
+  }
+
+  // No route matched
+  return null;
 }
+//# sourceMappingURL=nodes.js.map