feat: complete admin phase C and add safe mutation pilot

2026-05-28 12:46:06 +00:00
parent c58945353d
commit ce49497a6a
17 changed files with 1568 additions and 21 deletions
@@ -89,6 +89,36 @@ Notes:
 - Billing return notices now appear on the account page for completed and canceled checkout flows.
 - Internal billing support visibility is available through `/api/admin/billing/workspaces` for allowlisted admin emails.
 ## Admin Operations Runbook
 Bootstrap/security hardening checklist after first-run admin setup:
 - Set `ALLOW_ADMIN_BOOTSTRAP=false` and redeploy API.
 - Rotate `ADMIN_BOOTSTRAP_TOKEN` and store it in your secrets manager.
 - Ensure at least two active app-admin identities are configured.
 - Prefer `ADMIN_EMAILS`; stop relying on deprecated `BILLING_ADMIN_EMAILS` fallback.
 Support diagnostics starting thresholds:
 - Failed webhooks: investigate when there are 5+ failures in 15 minutes or 20+ failures in 24 hours.
 - Stale sync accounts: investigate when 10+ workspaces are stale for more than 24 hours.
 - Repeated payment failures: investigate any workspace with 3+ `invoice_payment_failed` events in 7 days.
 - Pending plan effective in past: investigate when count remains above 0 for more than 2 hours.
 First-response sequence for repeated failures:
 1. Open Admin Console diagnostics and capture affected workspace IDs.
 2. Open each workspace detail and review recent timeline and webhook event history.
 3. Verify Stripe webhook delivery status and replay failed events where safe.
 4. Confirm billing sync recovers and anomaly counts return toward baseline.
 5. Escalate with captured event IDs and workspace IDs if issues persist.
 Safe mutation pilot:
 - Admin Console now includes a constrained billing resync mutation.
 - Required inputs: `workspaceId`, operational reason, and typed confirmation (`RESYNC`).
 - Optional input: `ticketRef` for support/incident traceability.
 ## Docker Deployment
 1. Copy `.env.example` to `.env` and set at least:
@@ -97,11 +97,29 @@
 - [x] Phase B (Admin Access Management): Add admin UI for managing app-admin identities with status visibility (active/disabled).
 - [x] Phase B (Admin Access Management): Prevent accidental lockout with guardrails (e.g., disallow disabling the last active admin).
 - [x] Phase B (Admin Access Management): Add explicit audit entries for admin identity mutations.
- [ ] Phase C (Audit & Support Operations): Add admin audit log page/table with filters (actor, action, workspace, date window).
+- [x] Phase C execution split (implementation sequencing)
- [ ] Phase C (Audit & Support Operations): Expose bootstrap/security posture checks in admin UI (bootstrap enabled state, fallback allowlist usage warnings).
+  - [x] Sub-step 1 (Backend foundations): ship admin audit list API + security posture API + diagnostics aggregate API, plus shared types/client contracts.
- [ ] Phase C (Audit & Support Operations): Add support-oriented diagnostics widgets (recent webhook issues, billing sync errors, timeline anomalies).
+  - [x] Sub-step 2 (Admin Console UI): add audit explorer table/filters, security posture card, and diagnostics widgets with drill-down links.
  - [x] Sub-step 3 (Hardening & operations): normalize audit action taxonomy, tune indexes/query performance, and finalize runbook/alerts for repeated failures.
 - [x] Phase C (Audit & Support Operations): Add admin audit log page/table with filters (actor, action, workspace, date window).
  - [x] Add backend admin audit-list endpoint with filters for actor email, action, workspace ID, date range, and pagination.
  - [x] Review audit-log query performance and indexes to ensure efficient filtering and default sorting by `occurred_at DESC`.
  - [x] Implement admin audit table UI with filter controls plus clear loading, empty, and error states.
  - [x] Normalize admin audit action taxonomy so admin-route events use consistent action names.
 - [x] Phase C (Audit & Support Operations): Expose bootstrap/security posture checks in admin UI (bootstrap enabled state, fallback allowlist usage warnings).
  - [x] Add backend admin security-posture endpoint returning `bootstrapRequired`, `bootstrapEnabled`, and fallback allowlist usage status.
  - [x] Add warning semantics when deprecated `BILLING_ADMIN_EMAILS` fallback is active.
  - [x] Add admin UI security-posture card with explicit remediation guidance for risky states.
  - [x] Document post-bootstrap hardening checklist: disable bootstrap, rotate bootstrap token, and verify at least two active admins.
 - [x] Phase C (Audit & Support Operations): Add support-oriented diagnostics widgets (recent webhook issues, billing sync errors, timeline anomalies).
  - [x] Add backend diagnostics endpoint aggregating recent failed webhook events, stale billing-sync accounts, and recent timeline-anomaly counts.
  - [x] Define timeline-anomaly heuristics (for example: repeated `payment_failed`, pending plan effective date in the past, and stale sync threshold breaches).
  - [x] Add admin diagnostics widgets with counts and drill-down links to existing workspace detail views.
  - [x] Define alerting and runbook follow-up tasks for repeated failures surfaced by diagnostics.
 - [ ] Phase D (Safe Mutations, later): Keep initial admin console read-only for billing data; defer write/mutation actions until policies and runbooks are defined.
  - [x] Pilot: add constrained `billing resync` admin mutation with non-destructive intent and explicit operator guidance.
 - [ ] Phase D (Safe Mutations, later): For future write actions, require explicit confirmations, actor attribution, and rollback guidance.
  - [x] Pilot guardrails in place: required reason, typed confirmation (`RESYNC`), optional `ticketRef`, and admin audit attribution.
 ## 13) [DEFER] Operational Enforcement Follow-Up
 - [ ] Add queue prioritization by plan tier.
@@ -134,9 +152,49 @@
 - [ ] Phase 7: harden post-payments lifecycle handling, wire real billing CTAs, and add pragmatic admin billing visibility before broader commercialization work.
 - [ ] Phase 7a: ship dedicated read-only admin console and migrate existing admin billing tools out of the account page.
 - [ ] Phase 7b: ship app-admin identity management APIs/UI with last-admin lockout protection and audit logging.
- [ ] Phase 7c: ship admin audit explorer and support diagnostics views.
+- [x] Phase 7c: ship admin audit explorer and support diagnostics views (Phase C from section 12).
 - [ ] Phase 7d: evaluate controlled admin write-actions only after policy/runbook readiness.
 - [ ] Phase 7e: MinIO/object-storage foundation + dataset registry schema.
 - [ ] Phase 7f: postal ingestion worker pipeline + admin APIs.
 - [ ] Phase 7g: admin console postal dataset operations and activation workflow.
 - [ ] Phase 8: expand analytics, ops, and revenue instrumentation around the live billing and upgrade flows.
 - [ ] Phase 9: launch collaboration, API, enrichment, and enterprise features as architecture matures.
 - [ ] Phase 10: complete deferred operational enforcement work such as queue prioritization, throttling, and backend export enforcement when runtime scale justifies it.
 - [ ] Phase 11: decide and implement founder/LTD strategy only after the app/site, billing lifecycle, admin/support visibility, analytics, and broader product maturity work are in place.
 ## 16) Multi-Country Postal Dataset Onboarding (MinIO-backed)
 - Architecture decision
  - [ ] Standardize on self-hosted MinIO (S3-compatible) for postal dataset storage and processing.
  - [ ] Retire host-mounted files and manual CLI-only import as primary onboarding paths.
 - Infrastructure/bootstrap
  - [ ] Add MinIO service to Docker deployment with persistent volume and health checks.
  - [ ] Define credential bootstrap/rotation expectations and automated bucket creation for postal datasets.
  - [ ] Document backup/restore expectations (RPO/RTO target, snapshot cadence, and restore verification).
 - Config/env
  - [ ] Add and document `S3_ENDPOINT`, `S3_REGION`, `S3_ACCESS_KEY_ID`, `S3_SECRET_ACCESS_KEY`, `S3_FORCE_PATH_STYLE`, and `S3_BUCKET_POSTAL_DATASETS`.
  - [ ] Wire S3-compatible config into both API and worker runtime boot paths.
 - Data model
  - [ ] Add `postal_datasets` schema for object metadata, versioning, and activation status lifecycle.
  - [ ] Add `postal_dataset_runs` schema for run tracking, timing, actor/source metadata, and run types.
  - [ ] Add `postal_country_support` schema/state fields for per-country readiness, coverage, and active dataset linkage.
  - [ ] Define lifecycle states and transitions (draft, uploaded, validated, processing, ready, active, failed, archived) and enforce transition guards.
 - API/admin flows
  - [ ] Add admin-authenticated dataset register + upload URL flow for object ingest.
  - [ ] Add validate/process/activate endpoints and dataset run history/read APIs.
  - [ ] Require admin authorization and audit logging for all mutating dataset actions.
 - Worker pipeline
  - [ ] Implement queued jobs: `postal.validate`, `postal.import`, `postal.neighbors`, `postal.check`, `postal.activate`.
  - [ ] Enforce idempotency keys and per-country mutex/locking to prevent conflicting runs.
  - [ ] Track progress checkpoints and standard retry/backoff policy with terminal failure states.
 - Country adapters
  - [ ] Implement pluggable country-specific validation/normalization profiles.
  - [ ] Enforce country geometry/topology constraints (bounds, shapes, adjacency expectations) during validation.
 - Safety/operability
  - [ ] Keep activation behind an explicit admin gate after successful checks.
  - [ ] Preserve previous active dataset for rollback and support fast re-activation.
  - [ ] Add alerts and runbook steps for failed, stalled, or long-running jobs.
 - UX/admin console
  - [ ] Add postal dataset list with status, country, version, and activation markers.
  - [ ] Add run logs/error visibility and filtered run history in admin console.
  - [ ] Add activation controls with confirmation guardrails and rollback visibility.
  - [ ] Add per-country readiness visibility so operators can see launch coverage at a glance.
@@ -0,0 +1,8 @@
 create index if not exists admin_access_audit_action_occurred_at_idx
  on public.admin_access_audit (action, occurred_at desc);
 create index if not exists admin_access_audit_workspace_occurred_at_idx
  on public.admin_access_audit (target_workspace_id, occurred_at desc);
 create index if not exists admin_access_audit_actor_email_lower_idx
  on public.admin_access_audit (lower(actor_email));
@@ -11,6 +11,7 @@ import { searchJobRoutes } from './routes/search-jobs.js';
 import { analyticsRoutes } from './routes/analytics.js';
 import { adminBootstrapRoutes } from './routes/admin-bootstrap.js';
 import { adminAccessRoutes } from './routes/admin-access.js';
 import { adminOpsRoutes } from './routes/admin-ops.js';
 function parseAllowedOrigins(rawOrigins: string) {
  return rawOrigins
@@ -60,6 +61,7 @@ export async function buildApp() {
  await app.register(analyticsRoutes, { prefix: '/api' });
  await app.register(adminBootstrapRoutes, { prefix: '/api' });
  await app.register(adminAccessRoutes, { prefix: '/api' });
  await app.register(adminOpsRoutes, { prefix: '/api' });
  return app;
 }
@@ -6,6 +6,24 @@ import { getDbPool } from '../db/pool.js';
 type DbClient = Pool | PoolClient;
 export const ADMIN_AUDIT_ACTIONS = {
  ADMIN_ACCESS_LIST: 'admin_access_list',
  ADMIN_ACCESS_UPSERT: 'admin_access_upsert',
  ADMIN_ACCESS_STATUS_CHANGED: 'admin_access_status_changed',
  ANALYTICS_SUMMARY: 'analytics_summary',
  BILLING_WORKSPACES_LIST: 'billing_workspaces_list',
  BILLING_WORKSPACE_DETAIL: 'billing_workspace_detail',
  BOOTSTRAP_ADMIN_CLAIMED: 'bootstrap_admin_claimed',
  ADMIN_OPS_AUDIT_LIST: 'admin_ops_audit_list',
  ADMIN_OPS_SECURITY_POSTURE: 'admin_ops_security_posture',
  ADMIN_OPS_DIAGNOSTICS: 'admin_ops_diagnostics',
  ADMIN_MUTATION_BILLING_RESYNC_REQUESTED: 'admin_mutation_billing_resync_requested',
 } as const;
 export type AdminAuditAction = (typeof ADMIN_AUDIT_ACTIONS)[keyof typeof ADMIN_AUDIT_ACTIONS];
 export const ADMIN_AUDIT_ACTION_VALUES = Object.values(ADMIN_AUDIT_ACTIONS) as [AdminAuditAction, ...AdminAuditAction[]];
 type ApplicationAdminRow = {
  id: string;
  email: string;
@@ -17,6 +35,40 @@ type ApplicationAdminRow = {
  updated_at: string;
 };
 type AdminAccessAuditRow = {
  id: string;
  actor_user_id: string | null;
  actor_email: string | null;
  route: string;
  action: string;
  target_workspace_id: string | null;
  target_workspace_name: string | null;
  metadata_json: Record<string, unknown>;
  occurred_at: string;
 };
 export type AdminAccessAuditSummary = {
  id: string;
  actorUserId: string | null;
  actorEmail: string | null;
  route: string;
  action: AdminAuditAction;
  targetWorkspaceId: string | null;
  targetWorkspaceName: string | null;
  metadataJson: Record<string, unknown>;
  occurredAt: string;
 };
 export type AdminAccessAuditListFilters = {
  actorEmail?: string;
  action?: AdminAuditAction;
  workspaceId?: string;
  from?: string;
  to?: string;
  limit: number;
  offset: number;
 };
 function toApplicationAdminSummary(row: ApplicationAdminRow): ApplicationAdminSummary {
  return {
    id: row.id,
@@ -33,7 +85,7 @@ type AdminAccessAuditPayload = {
  actorUserId?: string | null;
  actorEmail?: string | null;
  route: string;
-  action: string;
+  action: AdminAuditAction;
  targetWorkspaceId?: string | null;
  metadataJson?: Record<string, unknown>;
  occurredAt?: string;
@@ -222,3 +274,101 @@ export async function recordAdminAccessAudit(db: DbClient, payload: AdminAccessA
    ],
  );
 }
 function buildAdminAccessAuditWhere(filters: Omit<AdminAccessAuditListFilters, 'limit' | 'offset'>) {
  const clauses: string[] = [];
  const params: Array<string> = [];
  if (filters.actorEmail?.trim()) {
    params.push(`%${filters.actorEmail.trim().toLowerCase()}%`);
    clauses.push(`lower(audit.actor_email) like $${params.length}`);
  }
  if (filters.action?.trim()) {
    params.push(filters.action.trim());
    clauses.push(`audit.action = $${params.length}`);
  }
  if (filters.workspaceId?.trim()) {
    params.push(filters.workspaceId.trim());
    clauses.push(`audit.target_workspace_id = $${params.length}::uuid`);
  }
  if (filters.from) {
    params.push(filters.from);
    clauses.push(`audit.occurred_at >= $${params.length}::timestamptz`);
  }
  if (filters.to) {
    params.push(filters.to);
    clauses.push(`audit.occurred_at <= $${params.length}::timestamptz`);
  }
  return {
    whereSql: clauses.length > 0 ? `where ${clauses.join(' and ')}` : '',
    params,
  };
 }
 function mapAdminAccessAuditRow(row: AdminAccessAuditRow): AdminAccessAuditSummary {
  return {
    id: row.id,
    actorUserId: row.actor_user_id,
    actorEmail: row.actor_email,
    route: row.route,
    action: row.action as AdminAuditAction,
    targetWorkspaceId: row.target_workspace_id,
    targetWorkspaceName: row.target_workspace_name,
    metadataJson: row.metadata_json,
    occurredAt: row.occurred_at,
  };
 }
 export async function countAdminAccessAudit(
  db: DbClient,
  filters: Omit<AdminAccessAuditListFilters, 'limit' | 'offset'>,
 ): Promise<number> {
  const built = buildAdminAccessAuditWhere(filters);
  const result = await db.query<{ count: string }>(
    `
      select count(*)::text as count
      from public.admin_access_audit audit
      ${built.whereSql}
    `,
    built.params,
  );
  return Number(result.rows[0]?.count ?? '0');
 }
 export async function listAdminAccessAudit(db: DbClient, filters: AdminAccessAuditListFilters): Promise<AdminAccessAuditSummary[]> {
  const built = buildAdminAccessAuditWhere(filters);
  const params = [...built.params, filters.limit, filters.offset];
  const limitParam = `$${built.params.length + 1}`;
  const offsetParam = `$${built.params.length + 2}`;
  const result = await db.query<AdminAccessAuditRow>(
    `
      select
        audit.id,
        audit.actor_user_id,
        audit.actor_email,
        audit.route,
        audit.action,
        audit.target_workspace_id,
        workspace.name as target_workspace_name,
        audit.metadata_json,
        audit.occurred_at
      from public.admin_access_audit audit
      left join public.workspaces workspace
        on workspace.id = audit.target_workspace_id
      ${built.whereSql}
      order by audit.occurred_at desc
      limit ${limitParam}
      offset ${offsetParam}
    `,
    params,
  );
  return result.rows.map(mapAdminAccessAuditRow);
 }
@@ -133,6 +133,17 @@ type BillingAdminWorkspaceSummaryRow = {
  external_subscription_ref: string | null;
 };
 type BillingStaleSyncWorkspaceRow = {
  workspace_id: string;
  workspace_name: string;
  billing_sync_status: BillingSyncStatus;
  last_stripe_sync_at: string | null;
  status: AccountBillingStatus;
  plan_code: string | null;
  pending_plan_code: string | null;
  pending_plan_effective_at: string | null;
 };
 type UsagePeriodRow = {
  id: string;
  workspace_id: string;
@@ -174,6 +185,23 @@ type AddonPurchaseRow = {
  updated_at: string;
 };
 export type BillingStaleSyncWorkspaceSummary = {
  workspaceId: string;
  workspaceName: string;
  billingSyncStatus: BillingSyncStatus;
  lastStripeSyncAt: string | null;
  status: AccountBillingStatus;
  planCode: PlanCode | null;
  pendingPlanCode: PlanCode | null;
  pendingPlanEffectiveAt: string | null;
 };
 export type BillingTimelineAnomalySummary = {
  repeatedPaymentFailedCount: number;
  pendingPlanPastEffectiveCount: number;
  staleSyncThresholdCount: number;
 };
 export async function getBillingAccountForWorkspace(db: DbClient, workspaceId: string): Promise<BillingAccountRecord | null> {
  const result = await db.query<BillingAccountRow>(
    `
@@ -509,6 +537,118 @@ export async function listRecentBillingTimelineEventsForWorkspace(db: DbClient,
  return result.rows.map(mapBillingTimelineEventRow);
 }
 export async function listStaleBillingSyncWorkspaces(
  db: DbClient,
  input: { staleThresholdHours?: number; limit?: number } = {},
 ): Promise<BillingStaleSyncWorkspaceSummary[]> {
  const staleThresholdHours = input.staleThresholdHours ?? 24;
  const limit = input.limit ?? 10;
  const result = await db.query<BillingStaleSyncWorkspaceRow>(
    `
      select
        w.id as workspace_id,
        w.name as workspace_name,
        billing.billing_sync_status,
        billing.last_stripe_sync_at,
        billing.status,
        billing.plan_code,
        billing.pending_plan_code,
        billing.pending_plan_effective_at
      from public.workspace_billing_accounts billing
      join public.workspaces w on w.id = billing.workspace_id
      where
        billing.billing_sync_status in ('stale', 'error')
        or billing.last_stripe_sync_at is null
        or billing.last_stripe_sync_at < now() - make_interval(hours => $1::int)
      order by
        case when billing.billing_sync_status = 'error' then 0 else 1 end asc,
        billing.last_stripe_sync_at asc nulls first
      limit $2
    `,
    [staleThresholdHours, limit],
  );
  return result.rows.map((row) => ({
    workspaceId: row.workspace_id,
    workspaceName: row.workspace_name,
    billingSyncStatus: row.billing_sync_status,
    lastStripeSyncAt: row.last_stripe_sync_at,
    status: row.status,
    planCode: row.plan_code as PlanCode | null,
    pendingPlanCode: row.pending_plan_code as PlanCode | null,
    pendingPlanEffectiveAt: row.pending_plan_effective_at,
  }));
 }
 export async function countStaleBillingSyncWorkspaces(db: DbClient, staleThresholdHours = 24): Promise<number> {
  const result = await db.query<{ count: string }>(
    `
      select count(*)::text as count
      from public.workspace_billing_accounts billing
      where
        billing.billing_sync_status in ('stale', 'error')
        or billing.last_stripe_sync_at is null
        or billing.last_stripe_sync_at < now() - make_interval(hours => $1::int)
    `,
    [staleThresholdHours],
  );
  return Number(result.rows[0]?.count ?? '0');
 }
 export async function getBillingTimelineAnomalySummary(
  db: DbClient,
  input: { windowDays?: number; paymentFailedThreshold?: number; staleThresholdHours?: number } = {},
 ): Promise<BillingTimelineAnomalySummary> {
  const windowDays = input.windowDays ?? 7;
  const paymentFailedThreshold = input.paymentFailedThreshold ?? 2;
  const staleThresholdHours = input.staleThresholdHours ?? 24;
  const repeatedPaymentFailedResult = await db.query<{ count: string }>(
    `
      select count(*)::text as count
      from (
        select event.workspace_id
        from public.workspace_billing_timeline_events event
        where event.event_type = 'invoice_payment_failed'
          and event.occurred_at >= now() - make_interval(days => $1::int)
        group by event.workspace_id
        having count(*) >= $2
      ) repeated_failure_workspaces
    `,
    [windowDays, paymentFailedThreshold],
  );
  const pendingPlanPastEffectiveResult = await db.query<{ count: string }>(
    `
      select count(*)::text as count
      from public.workspace_billing_accounts billing
      where billing.pending_plan_code is not null
        and billing.pending_plan_effective_at is not null
        and billing.pending_plan_effective_at < now()
    `,
  );
  const staleSyncThresholdResult = await db.query<{ count: string }>(
    `
      select count(*)::text as count
      from public.workspace_billing_accounts billing
      where
        billing.billing_sync_status in ('stale', 'error')
        or billing.last_stripe_sync_at is null
        or billing.last_stripe_sync_at < now() - make_interval(hours => $1::int)
    `,
    [staleThresholdHours],
  );
  return {
    repeatedPaymentFailedCount: Number(repeatedPaymentFailedResult.rows[0]?.count ?? '0'),
    pendingPlanPastEffectiveCount: Number(pendingPlanPastEffectiveResult.rows[0]?.count ?? '0'),
    staleSyncThresholdCount: Number(staleSyncThresholdResult.rows[0]?.count ?? '0'),
  };
 }
 export async function listBillingAdminWorkspaceSummaries(db: DbClient, search: string | null, limit = 50) {
  const result = await db.query<BillingAdminWorkspaceSummaryRow>(
    `
@@ -68,11 +68,24 @@ function parseAdminEmailAllowlist(allowlist: string | undefined): string[] {
    .filter(Boolean);
 }
 function hasEntries(raw: string | undefined) {
  return parseAdminEmailAllowlist(raw).length > 0;
 }
 export function getAdminEmailAllowlist() {
  const env = getEnv();
  return parseAdminEmailAllowlist(env.ADMIN_EMAILS || env.BILLING_ADMIN_EMAILS);
 }
 export function hasAdminEmailAllowlistConfigured() {
  return hasEntries(getEnv().ADMIN_EMAILS);
 }
 export function isUsingDeprecatedBillingAdminFallback() {
  const env = getEnv();
  return !hasEntries(env.ADMIN_EMAILS) && hasEntries(env.BILLING_ADMIN_EMAILS);
 }
 export function isBillingAdminEmail(email: string) {
  const allowlist = getAdminEmailAllowlist();
@@ -38,6 +38,14 @@ type BillingWebhookEventRow = {
  updated_at: string;
 };
 type BillingFailedWebhookEventRow = BillingWebhookEventRow & {
  workspace_name: string | null;
 };
 export type BillingFailedWebhookEventSummary = BillingWebhookEventRecord & {
  workspaceName: string | null;
 };
 export async function recordIncomingWebhookEvent(
  db: DbClient,
  input: {
@@ -146,6 +154,62 @@ export async function listRecentWebhookEventsForWorkspace(db: DbClient, workspac
  return result.rows.map(mapBillingWebhookEventRow);
 }
 export async function listRecentFailedWebhookEvents(
  db: DbClient,
  input: { sinceDays?: number; limit?: number } = {},
 ): Promise<BillingFailedWebhookEventSummary[]> {
  const sinceDays = input.sinceDays ?? 7;
  const limit = input.limit ?? 10;
  const result = await db.query<BillingFailedWebhookEventRow>(
    `
      select
        event.id,
        event.provider,
        event.external_event_id,
        event.event_type,
        event.status,
        event.workspace_id,
        event.external_customer_ref,
        event.external_subscription_ref,
        event.payload_json,
        event.error_message,
        event.received_at,
        event.processed_at,
        event.created_at,
        event.updated_at,
        workspace.name as workspace_name
      from public.billing_webhook_events event
      left join public.workspaces workspace
        on workspace.id = event.workspace_id
      where event.status = 'failed'
        and event.received_at >= now() - make_interval(days => $1::int)
      order by event.received_at desc
      limit $2
    `,
    [sinceDays, limit],
  );
  return result.rows.map((row) => ({
    ...mapBillingWebhookEventRow(row),
    workspaceName: row.workspace_name,
  }));
 }
 export async function countRecentFailedWebhookEvents(db: DbClient, sinceDays = 7): Promise<number> {
  const result = await db.query<{ count: string }>(
    `
      select count(*)::text as count
      from public.billing_webhook_events event
      where event.status = 'failed'
        and event.received_at >= now() - make_interval(days => $1::int)
    `,
    [sinceDays],
  );
  return Number(result.rows[0]?.count ?? '0');
 }
 function mapBillingWebhookEventRow(row: BillingWebhookEventRow): BillingWebhookEventRecord {
  return {
    id: row.id,
@@ -5,7 +5,14 @@ import { getAddonByCode } from '../../../shared/billing/addons.js';
 import type { AddonCode, ActivePlanCode } from '../../../shared/billing/plans.js';
 import { getPlanByCode } from '../../../shared/billing/plans.js';
 import { ensureWorkspaceForUser } from '../account/repository.js';
-import { ensureBillingAccountForWorkspace, listAddonBalancesForWorkspace, recordAddonPurchase, updateBillingAccountState, upsertAddonBalance } from '../billing/repository.js';
+import {
  ensureBillingAccountForWorkspace,
  getBillingAccountForWorkspace,
  listAddonBalancesForWorkspace,
  recordAddonPurchase,
  updateBillingAccountState,
  upsertAddonBalance,
 } from '../billing/repository.js';
 import { getEnv } from '../config/env.js';
 import {
  assertAddonSupportsStripeCheckout,
@@ -336,6 +343,28 @@ export async function retrieveStripeSubscription(subscriptionId: string) {
  return stripe.subscriptions.retrieve(subscriptionId);
 }
 export async function requestWorkspaceBillingResyncByAdmin(db: DbClient, input: { workspaceId: string }) {
  ensureStripeReady('resync');
  const billingAccount = await getBillingAccountForWorkspace(db, input.workspaceId);
  if (!billingAccount) {
    throw new Error('Billing workspace not found.');
  }
  if (!billingAccount.externalSubscriptionRef) {
    throw new Error('Workspace does not have a Stripe subscription reference.');
  }
  const subscription = await retrieveStripeSubscription(billingAccount.externalSubscriptionRef);
  await syncWorkspaceBillingFromStripeSubscription(db, subscription, input.workspaceId);
  return {
    workspaceId: input.workspaceId,
    externalSubscriptionRef: billingAccount.externalSubscriptionRef,
  };
 }
 export function mapStripeSubscriptionStatus(status: Stripe.Subscription.Status): 'active' | 'inactive' | 'past_due' | 'canceled' {
  switch (status) {
    case 'active':
@@ -7,6 +7,7 @@ import type {
  AdminApplicationAdminUpsertRequest,
 } from '../../../shared/types.js';
 import {
  ADMIN_AUDIT_ACTIONS,
  getActiveApplicationAdminCountExcludingId,
  listApplicationAdmins,
  recordAdminAccessAudit,
@@ -37,7 +38,7 @@ export const adminAccessRoutes: FastifyPluginAsync = async (app) => {
        actorUserId: request.authUser?.id,
        actorEmail: request.authUser?.email,
        route: request.routeOptions.url ?? request.url,
-        action: 'admin_access_list',
+        action: ADMIN_AUDIT_ACTIONS.ADMIN_ACCESS_LIST,
      });
      const admins = await listApplicationAdmins(db);
      const response: AdminApplicationAdminsListResponse = { admins };
@@ -60,7 +61,7 @@ export const adminAccessRoutes: FastifyPluginAsync = async (app) => {
        actorUserId: request.authUser?.id,
        actorEmail: request.authUser?.email,
        route: request.routeOptions.url ?? request.url,
-        action: 'admin_access_upsert',
+        action: ADMIN_AUDIT_ACTIONS.ADMIN_ACCESS_UPSERT,
        metadataJson: {
          targetEmail: payload.email.trim(),
        },
@@ -103,7 +104,7 @@ export const adminAccessRoutes: FastifyPluginAsync = async (app) => {
        actorUserId: request.authUser?.id,
        actorEmail: request.authUser?.email,
        route: request.routeOptions.url ?? request.url,
-        action: 'admin_access_status_changed',
+        action: ADMIN_AUDIT_ACTIONS.ADMIN_ACCESS_STATUS_CHANGED,
        metadataJson: {
          targetAdminId: adminId,
          nextStatus: payload.status,
@@ -2,7 +2,13 @@ import type { FastifyPluginAsync, FastifyRequest } from 'fastify';
 import { ZodError, z } from 'zod';
 import type { AdminBootstrapClaimResponse, AdminBootstrapStatusResponse } from '../../../shared/types.js';
 import { createDefaultWorkspaceForUser } from '../account/repository.js';
-import { createApplicationAdmin, isApplicationAdmin, isBootstrapRequired, recordAdminAccessAudit } from '../auth/admin.js';
+import {
  ADMIN_AUDIT_ACTIONS,
  createApplicationAdmin,
  isApplicationAdmin,
  isBootstrapRequired,
  recordAdminAccessAudit,
 } from '../auth/admin.js';
 import { hashPassword } from '../auth/passwords.js';
 import { createSession, setSessionCookie } from '../auth/sessions.js';
 import { createUser, getUserByEmail, toAppUser } from '../auth/users.js';
@@ -91,7 +97,7 @@ export const adminBootstrapRoutes: FastifyPluginAsync = async (app) => {
          actorUserId: user.id,
          actorEmail: user.email,
          route: '/api/admin/bootstrap/claim',
-          action: 'bootstrap_admin_claimed',
+          action: ADMIN_AUDIT_ACTIONS.BOOTSTRAP_ADMIN_CLAIMED,
          metadataJson: {
            bootstrapRequiredAtClaim: true,
          },
@@ -0,0 +1,259 @@
 import type { FastifyPluginAsync } from 'fastify';
 import { ZodError, z } from 'zod';
 import type {
  AdminAuditLogListResponse,
  AdminBillingResyncRequest,
  AdminBillingResyncResponse,
  AdminSecurityPostureResponse,
  AdminSupportDiagnosticsResponse,
 } from '../../../shared/types.js';
 import {
  ADMIN_AUDIT_ACTIONS,
  ADMIN_AUDIT_ACTION_VALUES,
  countAdminAccessAudit,
  getActiveApplicationAdminCount,
  isBootstrapRequired,
  listAdminAccessAudit,
  recordAdminAccessAudit,
  requireAdmin,
 } from '../auth/admin.js';
 import { requireAuth } from '../auth/middleware.js';
 import {
  countStaleBillingSyncWorkspaces,
  getBillingTimelineAnomalySummary,
  listStaleBillingSyncWorkspaces,
 } from '../billing/repository.js';
 import {
  hasAdminEmailAllowlistConfigured,
  isAdminBootstrapEnabled,
  isUsingDeprecatedBillingAdminFallback,
 } from '../config/env.js';
 import { getDbPool } from '../db/pool.js';
 import {
  countRecentFailedWebhookEvents,
  listRecentFailedWebhookEvents,
 } from '../payments/repository.js';
 import { requestWorkspaceBillingResyncByAdmin } from '../payments/service.js';
 const auditListQuerySchema = z.object({
  actorEmail: z.string().trim().min(1).max(255).optional(),
  action: z.enum(ADMIN_AUDIT_ACTION_VALUES).optional(),
  workspaceId: z.string().uuid().optional(),
  from: z.string().datetime().optional(),
  to: z.string().datetime().optional(),
  page: z.coerce.number().int().min(1).max(10_000).optional(),
  pageSize: z.coerce.number().int().min(1).max(100).optional(),
 });
 const diagnosticsQuerySchema = z.object({
  windowDays: z.coerce.number().int().min(1).max(90).optional(),
  staleSyncThresholdHours: z.coerce.number().int().min(1).max(720).optional(),
  sampleLimit: z.coerce.number().int().min(1).max(50).optional(),
 });
 const billingResyncBodySchema = z.object({
  workspaceId: z.string().uuid(),
  reason: z.string().trim().min(10).max(500),
  confirmationText: z.literal('RESYNC'),
  ticketRef: z.string().trim().min(1).max(120).optional(),
 });
 export const adminOpsRoutes: FastifyPluginAsync = async (app) => {
  app.get('/admin/ops/audit', { preHandler: [requireAuth, requireAdmin] }, async (request, reply) => {
    try {
      const query = auditListQuerySchema.parse(request.query ?? {});
      const page = query.page ?? 1;
      const pageSize = query.pageSize ?? 25;
      const offset = (page - 1) * pageSize;
      const db = getDbPool();
      await recordAdminAccessAudit(db, {
        actorUserId: request.authUser?.id,
        actorEmail: request.authUser?.email,
        route: request.routeOptions.url ?? request.url,
        action: ADMIN_AUDIT_ACTIONS.ADMIN_OPS_AUDIT_LIST,
        metadataJson: {
          filters: {
            actorEmail: query.actorEmail ?? null,
            action: query.action ?? null,
            workspaceId: query.workspaceId ?? null,
            from: query.from ?? null,
            to: query.to ?? null,
          },
          page,
          pageSize,
        },
      });
      const [items, total] = await Promise.all([
        listAdminAccessAudit(db, {
          actorEmail: query.actorEmail,
          action: query.action,
          workspaceId: query.workspaceId,
          from: query.from,
          to: query.to,
          limit: pageSize,
          offset,
        }),
        countAdminAccessAudit(db, {
          actorEmail: query.actorEmail,
          action: query.action,
          workspaceId: query.workspaceId,
          from: query.from,
          to: query.to,
        }),
      ]);
      const response: AdminAuditLogListResponse = {
        items,
        page,
        pageSize,
        total,
      };
      return response;
    } catch (error) {
      if (error instanceof ZodError) {
        return reply.code(400).send({ error: error.issues[0]?.message || 'Invalid admin audit query.' });
      }
      request.log.error(error);
      return reply.code(500).send({ error: 'Failed to load admin audit logs.' });
    }
  });
  app.get('/admin/ops/security-posture', { preHandler: [requireAuth, requireAdmin] }, async (request, reply) => {
    try {
      const db = getDbPool();
      await recordAdminAccessAudit(db, {
        actorUserId: request.authUser?.id,
        actorEmail: request.authUser?.email,
        route: request.routeOptions.url ?? request.url,
        action: ADMIN_AUDIT_ACTIONS.ADMIN_OPS_SECURITY_POSTURE,
      });
      const [bootstrapRequired, activeApplicationAdminCount] = await Promise.all([
        isBootstrapRequired(db),
        getActiveApplicationAdminCount(db),
      ]);
      const response: AdminSecurityPostureResponse = {
        bootstrapRequired,
        bootstrapEnabled: isAdminBootstrapEnabled(),
        activeApplicationAdminCount,
        adminAllowlistConfigured: hasAdminEmailAllowlistConfigured(),
        usingDeprecatedBillingAdminFallback: isUsingDeprecatedBillingAdminFallback(),
      };
      return response;
    } catch (error) {
      request.log.error(error);
      return reply.code(500).send({ error: 'Failed to load admin security posture.' });
    }
  });
  app.get('/admin/ops/diagnostics', { preHandler: [requireAuth, requireAdmin] }, async (request, reply) => {
    try {
      const query = diagnosticsQuerySchema.parse(request.query ?? {});
      const windowDays = query.windowDays ?? 7;
      const staleSyncThresholdHours = query.staleSyncThresholdHours ?? 24;
      const sampleLimit = query.sampleLimit ?? 10;
      const db = getDbPool();
      await recordAdminAccessAudit(db, {
        actorUserId: request.authUser?.id,
        actorEmail: request.authUser?.email,
        route: request.routeOptions.url ?? request.url,
        action: ADMIN_AUDIT_ACTIONS.ADMIN_OPS_DIAGNOSTICS,
        metadataJson: {
          windowDays,
          staleSyncThresholdHours,
          sampleLimit,
        },
      });
      const [failedWebhooksCount, staleBillingSyncCount, failedWebhooks, staleBillingSync, timelineAnomalies] = await Promise.all([
        countRecentFailedWebhookEvents(db, windowDays),
        countStaleBillingSyncWorkspaces(db, staleSyncThresholdHours),
        listRecentFailedWebhookEvents(db, { sinceDays: windowDays, limit: sampleLimit }),
        listStaleBillingSyncWorkspaces(db, { staleThresholdHours: staleSyncThresholdHours, limit: sampleLimit }),
        getBillingTimelineAnomalySummary(db, {
          windowDays,
          staleThresholdHours: staleSyncThresholdHours,
          paymentFailedThreshold: 2,
        }),
      ]);
      const response: AdminSupportDiagnosticsResponse = {
        windowDays,
        staleSyncThresholdHours,
        failedWebhooks: {
          count: failedWebhooksCount,
          items: failedWebhooks.map((issue) => ({
            id: issue.id,
            eventType: issue.eventType,
            workspaceId: issue.workspaceId,
            workspaceName: issue.workspaceName,
            errorMessage: issue.errorMessage,
            receivedAt: issue.receivedAt,
            externalEventId: issue.externalEventId,
          })),
        },
        staleBillingSync: {
          count: staleBillingSyncCount,
          items: staleBillingSync,
        },
        timelineAnomalies,
      };
      return response;
    } catch (error) {
      if (error instanceof ZodError) {
        return reply.code(400).send({ error: error.issues[0]?.message || 'Invalid admin diagnostics query.' });
      }
      request.log.error(error);
      return reply.code(500).send({ error: 'Failed to load admin diagnostics.' });
    }
  });
  app.post('/admin/mutations/billing/resync', { preHandler: [requireAuth, requireAdmin] }, async (request, reply) => {
    try {
      const payload = billingResyncBodySchema.parse(request.body ?? {}) as AdminBillingResyncRequest;
      const db = getDbPool();
      const result = await requestWorkspaceBillingResyncByAdmin(db, {
        workspaceId: payload.workspaceId,
      });
      await recordAdminAccessAudit(db, {
        actorUserId: request.authUser?.id,
        actorEmail: request.authUser?.email,
        route: request.routeOptions.url ?? request.url,
        action: ADMIN_AUDIT_ACTIONS.ADMIN_MUTATION_BILLING_RESYNC_REQUESTED,
        targetWorkspaceId: payload.workspaceId,
        metadataJson: {
          reason: payload.reason,
          ticketRef: payload.ticketRef?.trim() || null,
          confirmationText: payload.confirmationText,
        },
      });
      const response: AdminBillingResyncResponse = {
        accepted: true,
        message: 'Billing resync was requested successfully.',
        workspaceId: result.workspaceId,
        externalSubscriptionRef: result.externalSubscriptionRef,
      };
      return reply.code(202).send(response);
    } catch (error) {
      if (error instanceof ZodError) {
        return reply.code(400).send({ error: error.issues[0]?.message || 'Invalid billing resync payload.' });
      }
      request.log.error(error);
      return reply.code(500).send({ error: error instanceof Error ? error.message : 'Failed to request billing resync.' });
    }
  });
 };
@@ -2,7 +2,7 @@ import type { FastifyPluginAsync } from 'fastify';
 import { z, ZodError } from 'zod';
 import { ensureWorkspaceForUser } from '../account/repository.js';
 import { hydrateAuthUser, requireAuth } from '../auth/middleware.js';
-import { recordAdminAccessAudit, requireAdmin } from '../auth/admin.js';
+import { ADMIN_AUDIT_ACTIONS, recordAdminAccessAudit, requireAdmin } from '../auth/admin.js';
 import { getDbPool } from '../db/pool.js';
 import { getAdminAnalyticsSummary, recordAnalyticsEvent } from '../analytics/service.js';
@@ -75,7 +75,7 @@ export const analyticsRoutes: FastifyPluginAsync = async (app) => {
        actorUserId: request.authUser?.id,
        actorEmail: request.authUser?.email,
        route: request.routeOptions.url ?? request.url,
-        action: 'analytics_summary',
+        action: ADMIN_AUDIT_ACTIONS.ANALYTICS_SUMMARY,
        metadataJson: {
          days: query.days ?? 30,
        },
@@ -2,7 +2,7 @@ import type { FastifyPluginAsync } from 'fastify';
 import { z, ZodError } from 'zod';
 import { getDbPool } from '../db/pool.js';
 import { requireAuth } from '../auth/middleware.js';
-import { recordAdminAccessAudit, requireAdmin } from '../auth/admin.js';
+import { ADMIN_AUDIT_ACTIONS, recordAdminAccessAudit, requireAdmin } from '../auth/admin.js';
 import type { AddonCode, ActivePlanCode } from '../../../shared/billing/plans.js';
 import { listRecentWebhookEventsForWorkspace } from '../payments/repository.js';
 import { createAddonCheckoutSession, createBillingPortalSession, createSubscriptionCheckoutSession } from '../payments/service.js';
@@ -121,7 +121,7 @@ export const billingRoutes: FastifyPluginAsync = async (app) => {
        actorUserId: request.authUser?.id,
        actorEmail: request.authUser?.email,
        route: request.routeOptions.url ?? request.url,
-        action: 'billing_workspaces_list',
+        action: ADMIN_AUDIT_ACTIONS.BILLING_WORKSPACES_LIST,
        metadataJson: {
          query: query.query ?? null,
          limit: query.limit ?? 50,
@@ -151,7 +151,7 @@ export const billingRoutes: FastifyPluginAsync = async (app) => {
        actorUserId: request.authUser?.id,
        actorEmail: request.authUser?.email,
        route: request.routeOptions.url ?? request.url,
-        action: 'billing_workspace_detail',
+        action: ADMIN_AUDIT_ACTIONS.BILLING_WORKSPACE_DETAIL,
        targetWorkspaceId: workspaceId,
      });
      const summary = await getBillingAdminWorkspaceSummaryByWorkspaceId(db, workspaceId);
@@ -62,6 +62,111 @@ export interface AdminApplicationAdminResponse {
  admin: ApplicationAdminSummary;
 }
 export type AdminAuditAction =
  | 'admin_access_list'
  | 'admin_access_upsert'
  | 'admin_access_status_changed'
  | 'analytics_summary'
  | 'billing_workspaces_list'
  | 'billing_workspace_detail'
  | 'bootstrap_admin_claimed'
  | 'admin_ops_audit_list'
  | 'admin_ops_security_posture'
  | 'admin_ops_diagnostics'
  | 'admin_mutation_billing_resync_requested';
 export interface AdminAuditLogItem {
  id: string;
  actorUserId: string | null;
  actorEmail: string | null;
  route: string;
  action: AdminAuditAction;
  targetWorkspaceId: string | null;
  targetWorkspaceName: string | null;
  metadataJson: Record<string, unknown>;
  occurredAt: string;
 }
 export interface AdminAuditLogFilters {
  actorEmail?: string;
  action?: AdminAuditAction;
  workspaceId?: string;
  from?: string;
  to?: string;
  page?: number;
  pageSize?: number;
 }
 export interface AdminAuditLogListResponse {
  items: AdminAuditLogItem[];
  page: number;
  pageSize: number;
  total: number;
 }
 export interface AdminSecurityPostureResponse {
  bootstrapRequired: boolean;
  bootstrapEnabled: boolean;
  activeApplicationAdminCount: number;
  adminAllowlistConfigured: boolean;
  usingDeprecatedBillingAdminFallback: boolean;
 }
 export interface AdminFailedWebhookIssue {
  id: string;
  eventType: string;
  workspaceId: string | null;
  workspaceName: string | null;
  errorMessage: string | null;
  receivedAt: string;
  externalEventId: string;
 }
 export interface AdminStaleBillingSyncIssue {
  workspaceId: string;
  workspaceName: string;
  billingSyncStatus: BillingSyncStatus;
  lastStripeSyncAt: string | null;
  status: AccountBillingStatus;
  planCode: PlanCode | null;
  pendingPlanCode: PlanCode | null;
  pendingPlanEffectiveAt: string | null;
 }
 export interface AdminTimelineAnomalySummary {
  repeatedPaymentFailedCount: number;
  pendingPlanPastEffectiveCount: number;
  staleSyncThresholdCount: number;
 }
 export interface AdminSupportDiagnosticsResponse {
  windowDays: number;
  staleSyncThresholdHours: number;
  failedWebhooks: {
    count: number;
    items: AdminFailedWebhookIssue[];
  };
  staleBillingSync: {
    count: number;
    items: AdminStaleBillingSyncIssue[];
  };
  timelineAnomalies: AdminTimelineAnomalySummary;
 }
 export interface AdminBillingResyncRequest {
  workspaceId: string;
  reason: string;
  confirmationText: string;
  ticketRef?: string;
 }
 export interface AdminBillingResyncResponse {
  accepted: boolean;
  message: string;
  workspaceId: string;
  externalSubscriptionRef: string;
 }
 export type WorkspaceType = 'personal' | 'company';
 export type WorkspaceRole = 'owner' | 'member';
@@ -1,23 +1,71 @@
-import { BarChart3, Loader2, Search, ShieldCheck } from 'lucide-react';
+import { BarChart3, Loader2, Search, ShieldCheck, ShieldAlert } from 'lucide-react';
 import { useEffect, useState } from 'react';
-import type { AdminAnalyticsSummary, ApplicationAdminSummary, BillingAdminWorkspaceDetail, BillingAdminWorkspaceSummary } from '../../shared/types';
+import type {
  AdminAnalyticsSummary,
  AdminAuditAction,
  AdminAuditLogItem,
  AdminSecurityPostureResponse,
  AdminSupportDiagnosticsResponse,
  ApplicationAdminSummary,
  BillingAdminWorkspaceDetail,
  BillingAdminWorkspaceSummary,
 } from '../../shared/types';
 import { formatBillingStatusLabel, formatDateLabel } from '../lib/billing-ui';
 import {
  getAdminAnalyticsSummary,
  getAdminBillingWorkspaceDetail,
  getAdminSecurityPosture,
  getAdminSupportDiagnostics,
  listAdminAuditLogs,
  listAdminBillingWorkspaces,
  listApplicationAdmins,
  requestAdminBillingResync,
  updateApplicationAdminStatus,
  upsertApplicationAdmin,
 } from '../lib/admin';
-import { Alert, Badge, Button, Card, FieldLabel, Input, LoadingState, PageContainer, PageShell, SectionHeader } from './ui';
+import { Alert, Badge, Button, Card, FieldLabel, Input, LoadingState, PageContainer, PageShell, SectionHeader, Select } from './ui';
 const MIN_SUMMARY_DAYS = 7;
 const MAX_SUMMARY_DAYS = 90;
 const DEFAULT_SUMMARY_DAYS = 30;
 const DEFAULT_AUDIT_PAGE_SIZE = 25;
 const DEFAULT_DIAGNOSTICS_WINDOW_DAYS = 7;
 const DEFAULT_STALE_THRESHOLD_HOURS = 24;
 const AUDIT_ACTION_OPTIONS: Array<{ value: AdminAuditAction; label: string }> = [
  { value: 'admin_access_list', label: 'Admin access list' },
  { value: 'admin_access_upsert', label: 'Admin access upsert' },
  { value: 'admin_access_status_changed', label: 'Admin access status changed' },
  { value: 'analytics_summary', label: 'Analytics summary' },
  { value: 'billing_workspaces_list', label: 'Billing workspaces list' },
  { value: 'billing_workspace_detail', label: 'Billing workspace detail' },
  { value: 'bootstrap_admin_claimed', label: 'Bootstrap admin claimed' },
  { value: 'admin_ops_audit_list', label: 'Admin ops audit list' },
  { value: 'admin_ops_security_posture', label: 'Admin ops security posture' },
  { value: 'admin_ops_diagnostics', label: 'Admin ops diagnostics' },
  { value: 'admin_mutation_billing_resync_requested', label: 'Admin mutation billing resync requested' },
 ];
 function formatAuditActionLabel(action: AdminAuditAction) {
  const matched = AUDIT_ACTION_OPTIONS.find((option) => option.value === action);
  return matched?.label ?? action;
 }
 const clampSummaryDays = (value: number) => Math.min(MAX_SUMMARY_DAYS, Math.max(MIN_SUMMARY_DAYS, value));
 function toIsoDateTime(value: string) {
  if (!value) {
    return undefined;
  }
  const parsed = new Date(value);
  if (Number.isNaN(parsed.getTime())) {
    return undefined;
  }
  return parsed.toISOString();
 }
 export function AdminPage() {
  const [summaryDays, setSummaryDays] = useState(DEFAULT_SUMMARY_DAYS);
  const [analyticsSummary, setAnalyticsSummary] = useState<AdminAnalyticsSummary | null>(null);
@@ -40,6 +88,99 @@ export function AdminPage() {
  const [adminEmailSubmitting, setAdminEmailSubmitting] = useState(false);
  const [statusMutationAdminId, setStatusMutationAdminId] = useState<string | null>(null);
  const [securityPosture, setSecurityPosture] = useState<AdminSecurityPostureResponse | null>(null);
  const [securityLoading, setSecurityLoading] = useState(true);
  const [securityError, setSecurityError] = useState<string | null>(null);
  const [diagnostics, setDiagnostics] = useState<AdminSupportDiagnosticsResponse | null>(null);
  const [diagnosticsLoading, setDiagnosticsLoading] = useState(true);
  const [diagnosticsError, setDiagnosticsError] = useState<string | null>(null);
  const [auditItems, setAuditItems] = useState<AdminAuditLogItem[]>([]);
  const [auditLoading, setAuditLoading] = useState(true);
  const [auditError, setAuditError] = useState<string | null>(null);
  const [auditPage, setAuditPage] = useState(1);
  const [auditTotal, setAuditTotal] = useState(0);
  const [auditActorEmail, setAuditActorEmail] = useState('');
  const [auditAction, setAuditAction] = useState<AdminAuditAction | ''>('');
  const [auditWorkspaceId, setAuditWorkspaceId] = useState('');
  const [auditFrom, setAuditFrom] = useState('');
  const [auditTo, setAuditTo] = useState('');
  const [mutationWorkspaceId, setMutationWorkspaceId] = useState('');
  const [mutationReason, setMutationReason] = useState('');
  const [mutationTicketRef, setMutationTicketRef] = useState('');
  const [mutationConfirmation, setMutationConfirmation] = useState('');
  const [mutationSubmitting, setMutationSubmitting] = useState(false);
  const [mutationFeedback, setMutationFeedback] = useState<string | null>(null);
  const [mutationError, setMutationError] = useState<string | null>(null);
  const loadAuditLogs = async (
    page: number,
    overrides?: Partial<{ actorEmail: string; action: AdminAuditAction | ''; workspaceId: string; from: string; to: string }>,
  ) => {
    const actorEmail = overrides?.actorEmail ?? auditActorEmail;
    const action = overrides?.action ?? auditAction;
    const workspaceId = overrides?.workspaceId ?? auditWorkspaceId;
    const from = overrides?.from ?? auditFrom;
    const to = overrides?.to ?? auditTo;
    setAuditLoading(true);
    setAuditError(null);
    try {
      const response = await listAdminAuditLogs({
        actorEmail: actorEmail.trim() || undefined,
        action: action || undefined,
        workspaceId: workspaceId.trim() || undefined,
        from: toIsoDateTime(from),
        to: toIsoDateTime(to),
        page,
        pageSize: DEFAULT_AUDIT_PAGE_SIZE,
      });
      setAuditItems(response.items);
      setAuditTotal(response.total);
      setAuditPage(response.page);
    } catch (error) {
      setAuditError(error instanceof Error ? error.message : 'Failed to load admin audit logs.');
    } finally {
      setAuditLoading(false);
    }
  };
  const loadSecurityPosture = async () => {
    setSecurityLoading(true);
    setSecurityError(null);
    try {
      const response = await getAdminSecurityPosture();
      setSecurityPosture(response);
    } catch (error) {
      setSecurityError(error instanceof Error ? error.message : 'Failed to load security posture.');
    } finally {
      setSecurityLoading(false);
    }
  };
  const loadDiagnostics = async () => {
    setDiagnosticsLoading(true);
    setDiagnosticsError(null);
    try {
      const response = await getAdminSupportDiagnostics({
        windowDays: DEFAULT_DIAGNOSTICS_WINDOW_DAYS,
        staleSyncThresholdHours: DEFAULT_STALE_THRESHOLD_HOURS,
        sampleLimit: 10,
      });
      setDiagnostics(response);
    } catch (error) {
      setDiagnosticsError(error instanceof Error ? error.message : 'Failed to load support diagnostics.');
    } finally {
      setDiagnosticsLoading(false);
    }
  };
  useEffect(() => {
    let isMounted = true;
@@ -52,10 +193,17 @@ export function AdminPage() {
      setAdminsError(null);
      try {
-        const [summary, workspaceResponse, adminResponse] = await Promise.all([
+        const [summary, workspaceResponse, adminResponse, securityResponse, diagnosticsResponse, auditResponse] = await Promise.all([
          getAdminAnalyticsSummary(DEFAULT_SUMMARY_DAYS),
          listAdminBillingWorkspaces(),
          listApplicationAdmins(),
          getAdminSecurityPosture(),
          getAdminSupportDiagnostics({
            windowDays: DEFAULT_DIAGNOSTICS_WINDOW_DAYS,
            staleSyncThresholdHours: DEFAULT_STALE_THRESHOLD_HOURS,
            sampleLimit: 10,
          }),
          listAdminAuditLogs({ page: 1, pageSize: DEFAULT_AUDIT_PAGE_SIZE }),
        ]);
        if (!isMounted) {
@@ -65,6 +213,11 @@ export function AdminPage() {
        setAnalyticsSummary(summary);
        setWorkspaces(workspaceResponse.workspaces);
        setAdmins(adminResponse.admins);
        setSecurityPosture(securityResponse);
        setDiagnostics(diagnosticsResponse);
        setAuditItems(auditResponse.items);
        setAuditTotal(auditResponse.total);
        setAuditPage(auditResponse.page);
      } catch (error) {
        if (!isMounted) {
          return;
@@ -74,11 +227,17 @@ export function AdminPage() {
        setSummaryError(message);
        setWorkspacesError(message);
        setAdminsError(message);
        setSecurityError(message);
        setDiagnosticsError(message);
        setAuditError(message);
      } finally {
        if (isMounted) {
          setSummaryLoading(false);
          setWorkspacesLoading(false);
          setAdminsLoading(false);
          setSecurityLoading(false);
          setDiagnosticsLoading(false);
          setAuditLoading(false);
        }
      }
    };
@@ -161,6 +320,7 @@ export function AdminPage() {
      setAdminMutationFeedback(`Admin access is active for ${response.admin.email}.`);
      setAdminEmailInput('');
      await refreshAdmins();
      await loadSecurityPosture();
    } catch (error) {
      setAdminMutationError(error instanceof Error ? error.message : 'Failed to add or reactivate admin.');
    } finally {
@@ -177,6 +337,7 @@ export function AdminPage() {
      const response = await updateApplicationAdminStatus(adminId, status);
      setAdminMutationFeedback(`${response.admin.email} is now ${status}.`);
      await refreshAdmins();
      await loadSecurityPosture();
    } catch (error) {
      setAdminMutationError(error instanceof Error ? error.message : 'Failed to update admin status.');
    } finally {
@@ -184,15 +345,125 @@ export function AdminPage() {
    }
  };
  const handleRequestBillingResync = async () => {
    setMutationError(null);
    setMutationFeedback(null);
    setMutationSubmitting(true);
    try {
      const response = await requestAdminBillingResync({
        workspaceId: mutationWorkspaceId.trim(),
        reason: mutationReason.trim(),
        confirmationText: mutationConfirmation.trim(),
        ticketRef: mutationTicketRef.trim() || undefined,
      });
      setMutationFeedback(response.message);
      if (selectedWorkspace?.summary.workspaceId === mutationWorkspaceId.trim()) {
        await handleLoadWorkspaceDetail(mutationWorkspaceId.trim());
      }
      await loadDiagnostics();
      await loadAuditLogs(1);
    } catch (error) {
      setMutationError(error instanceof Error ? error.message : 'Failed to request billing resync.');
    } finally {
      setMutationSubmitting(false);
    }
  };
  const totalAuditPages = Math.max(1, Math.ceil(auditTotal / DEFAULT_AUDIT_PAGE_SIZE));
  const canSubmitMutation =
    mutationWorkspaceId.trim().length > 0
    && mutationReason.trim().length >= 10
    && mutationConfirmation.trim() === 'RESYNC'
    && !mutationSubmitting;
  return (
    <PageShell>
      <PageContainer>
        <SectionHeader
          eyebrow="Admin"
          title="Admin Console"
-          description="Visibility into pricing analytics, admin access identities, and workspace billing state."
+          description="Visibility into pricing analytics, admin access identities, security posture, support diagnostics, and workspace billing state."
        />
        <Card className="p-6">
          <div className="flex flex-wrap items-center justify-between gap-3">
            <div className="flex items-center gap-3">
              <div className="rounded-xl bg-stone-100 p-3 text-stone-900">
                <ShieldAlert className="h-5 w-5" />
              </div>
              <div>
                <p className="text-sm font-semibold uppercase tracking-[0.18em] text-stone-500">Safe Mutations (Pilot)</p>
                <h2 className="text-lg font-semibold text-stone-950">Request billing resync for a workspace</h2>
              </div>
            </div>
          </div>
          <p className="mt-3 text-sm text-stone-600">
            This triggers a Stripe subscription re-sync for one workspace. It does not directly change plan pricing configuration.
          </p>
          <div className="mt-4 grid grid-cols-1 gap-3 md:grid-cols-2">
            <div>
              <FieldLabel>Workspace ID</FieldLabel>
              <Input
                value={mutationWorkspaceId}
                onChange={(event) => setMutationWorkspaceId(event.target.value)}
                placeholder="Workspace UUID"
              />
            </div>
            <div>
              <FieldLabel>Ticket reference (optional)</FieldLabel>
              <Input
                value={mutationTicketRef}
                onChange={(event) => setMutationTicketRef(event.target.value)}
                placeholder="SUP-1234"
              />
            </div>
          </div>
          <div className="mt-3">
            <FieldLabel>Reason (required)</FieldLabel>
            <Input
              value={mutationReason}
              onChange={(event) => setMutationReason(event.target.value)}
              placeholder="Explain why this resync is needed."
            />
          </div>
          <div className="mt-3">
            <FieldLabel>Type RESYNC to confirm</FieldLabel>
            <Input
              value={mutationConfirmation}
              onChange={(event) => setMutationConfirmation(event.target.value)}
              placeholder="RESYNC"
            />
          </div>
          {mutationError ? <Alert className="mt-4" variant="error">{mutationError}</Alert> : null}
          {mutationFeedback ? <Alert className="mt-4" variant="success">{mutationFeedback}</Alert> : null}
          <div className="mt-4 flex flex-wrap items-center gap-2">
            <Button type="button" onClick={() => void handleRequestBillingResync()} disabled={!canSubmitMutation}>
              {mutationSubmitting ? <Loader2 className="h-4 w-4 animate-spin" /> : null}
              Request billing resync
            </Button>
            {selectedWorkspace ? (
              <Button
                type="button"
                variant="subtle"
                onClick={() => setMutationWorkspaceId(selectedWorkspace.summary.workspaceId)}
                disabled={mutationSubmitting}
              >
                Use selected workspace
              </Button>
            ) : null}
          </div>
        </Card>
        <Card className="p-6">
          <div className="flex flex-wrap items-center justify-between gap-3">
            <div className="flex items-center gap-3">
@@ -263,6 +534,337 @@ export function AdminPage() {
          </div>
        </Card>
        <Card className="p-6">
          <div className="flex flex-wrap items-center justify-between gap-3">
            <div className="flex items-center gap-3">
              <div className="rounded-xl bg-stone-100 p-3 text-stone-900">
                <ShieldAlert className="h-5 w-5" />
              </div>
              <div>
                <p className="text-sm font-semibold uppercase tracking-[0.18em] text-stone-500">Security Posture</p>
                <h2 className="text-lg font-semibold text-stone-950">Bootstrap and admin-allowlist checks</h2>
              </div>
            </div>
            <Button type="button" variant="secondary" onClick={() => void loadSecurityPosture()} disabled={securityLoading}>
              {securityLoading ? <Loader2 className="h-4 w-4 animate-spin" /> : null}
              Refresh
            </Button>
          </div>
          {securityError ? <Alert className="mt-4" variant="error">{securityError}</Alert> : null}
          {securityLoading && !securityPosture ? <LoadingState message="Loading security posture..." /> : null}
          {securityPosture ? (
            <div className="mt-4 space-y-4">
              <div className="grid grid-cols-1 gap-3 md:grid-cols-3">
                <div className="rounded-xl bg-stone-50 p-3">
                  <p className="text-xs uppercase tracking-[0.14em] text-stone-500">Bootstrap Required</p>
                  <p className="mt-1 font-semibold text-stone-900">{securityPosture.bootstrapRequired ? 'Yes' : 'No'}</p>
                </div>
                <div className="rounded-xl bg-stone-50 p-3">
                  <p className="text-xs uppercase tracking-[0.14em] text-stone-500">Bootstrap Enabled</p>
                  <p className="mt-1 font-semibold text-stone-900">{securityPosture.bootstrapEnabled ? 'Yes' : 'No'}</p>
                </div>
                <div className="rounded-xl bg-stone-50 p-3">
                  <p className="text-xs uppercase tracking-[0.14em] text-stone-500">Active App Admins</p>
                  <p className="mt-1 font-semibold text-stone-900">{securityPosture.activeApplicationAdminCount}</p>
                </div>
              </div>
              {securityPosture.usingDeprecatedBillingAdminFallback ? (
                <Alert variant="error" title="Deprecated allowlist fallback active">
                  <p>Set `ADMIN_EMAILS` and stop relying on `BILLING_ADMIN_EMAILS` fallback.</p>
                </Alert>
              ) : null}
              {!securityPosture.adminAllowlistConfigured ? (
                <Alert variant="info" title="Admin allowlist not configured">
                  <p>Configure `ADMIN_EMAILS` for emergency access and recovery playbooks.</p>
                </Alert>
              ) : null}
              {securityPosture.bootstrapEnabled ? (
                <Alert variant="error" title="Bootstrap still enabled">
                  <p>After first-run setup, disable bootstrap and rotate `ADMIN_BOOTSTRAP_TOKEN`.</p>
                </Alert>
              ) : null}
              <div className="rounded-xl border border-stone-200 bg-stone-50 p-3 text-sm text-stone-700">
                <p className="font-semibold text-stone-900">Hardening checklist</p>
                <ul className="mt-2 space-y-1">
                  <li>- Disable bootstrap once initial admin setup is complete.</li>
                  <li>- Rotate the bootstrap token and store it in secrets management.</li>
                  <li>- Keep at least two active application admins to reduce lockout risk.</li>
                </ul>
              </div>
            </div>
          ) : null}
        </Card>
        <Card className="p-6">
          <div className="flex flex-wrap items-center justify-between gap-3">
            <div className="flex items-center gap-3">
              <div className="rounded-xl bg-stone-100 p-3 text-stone-900">
                <ShieldAlert className="h-5 w-5" />
              </div>
              <div>
                <p className="text-sm font-semibold uppercase tracking-[0.18em] text-stone-500">Support Diagnostics</p>
                <h2 className="text-lg font-semibold text-stone-950">Webhook failures, sync health, and timeline anomalies</h2>
              </div>
            </div>
            <Button type="button" variant="secondary" onClick={() => void loadDiagnostics()} disabled={diagnosticsLoading}>
              {diagnosticsLoading ? <Loader2 className="h-4 w-4 animate-spin" /> : null}
              Refresh
            </Button>
          </div>
          {diagnosticsError ? <Alert className="mt-4" variant="error">{diagnosticsError}</Alert> : null}
          {diagnosticsLoading && !diagnostics ? <LoadingState message="Loading support diagnostics..." /> : null}
          {diagnostics ? (
            <div className="mt-4 space-y-4">
              <div className="grid grid-cols-1 gap-3 md:grid-cols-3">
                <DiagnosticsMetricCard title="Failed webhooks" value={diagnostics.failedWebhooks.count} />
                <DiagnosticsMetricCard title="Stale sync accounts" value={diagnostics.staleBillingSync.count} />
                <DiagnosticsMetricCard
                  title="Timeline anomalies"
                  value={
                    diagnostics.timelineAnomalies.repeatedPaymentFailedCount
                    + diagnostics.timelineAnomalies.pendingPlanPastEffectiveCount
                    + diagnostics.timelineAnomalies.staleSyncThresholdCount
                  }
                />
              </div>
              <div className="grid grid-cols-1 gap-4 xl:grid-cols-2">
                <div className="rounded-2xl border border-stone-200 p-4">
                  <div className="flex items-center justify-between gap-3">
                    <p className="text-sm font-semibold uppercase tracking-[0.14em] text-stone-500">Failed webhook samples</p>
                    <Badge>{diagnostics.failedWebhooks.count} total</Badge>
                  </div>
                  <div className="mt-3 space-y-2">
                    {diagnostics.failedWebhooks.items.length === 0 ? <p className="text-sm text-stone-600">No failed webhook events in window.</p> : null}
                    {diagnostics.failedWebhooks.items.map((issue) => (
                      <div key={issue.id} className="rounded-xl border border-stone-200 bg-stone-50 p-3 text-sm">
                        <div className="flex items-start justify-between gap-3">
                          <div>
                            <p className="font-semibold text-stone-900">{issue.eventType}</p>
                            <p className="text-stone-600">{issue.workspaceName || 'Unknown workspace'} - {formatDateLabel(issue.receivedAt)}</p>
                            <p className="mt-1 text-xs text-stone-500">{issue.errorMessage || 'No error message provided.'}</p>
                          </div>
                          {issue.workspaceId ? (
                            <Button
                              type="button"
                              size="sm"
                              variant="secondary"
                              onClick={() => void handleLoadWorkspaceDetail(issue.workspaceId!)}
                            >
                              Open
                            </Button>
                          ) : null}
                        </div>
                      </div>
                    ))}
                  </div>
                </div>
                <div className="rounded-2xl border border-stone-200 p-4">
                  <div className="flex items-center justify-between gap-3">
                    <p className="text-sm font-semibold uppercase tracking-[0.14em] text-stone-500">Stale sync samples</p>
                    <Badge>{diagnostics.staleBillingSync.count} total</Badge>
                  </div>
                  <div className="mt-3 space-y-2">
                    {diagnostics.staleBillingSync.items.length === 0 ? <p className="text-sm text-stone-600">No stale sync accounts in window.</p> : null}
                    {diagnostics.staleBillingSync.items.map((issue) => (
                      <div key={issue.workspaceId} className="rounded-xl border border-stone-200 bg-stone-50 p-3 text-sm">
                        <div className="flex items-start justify-between gap-3">
                          <div>
                            <p className="font-semibold text-stone-900">{issue.workspaceName}</p>
                            <p className="text-stone-600">{issue.planCode || 'No plan'} - {formatBillingStatusLabel(issue.status)}</p>
                            <p className="mt-1 text-xs text-stone-500">Last sync: {formatDateLabel(issue.lastStripeSyncAt)}</p>
                          </div>
                          <Button
                            type="button"
                            size="sm"
                            variant="secondary"
                            onClick={() => void handleLoadWorkspaceDetail(issue.workspaceId)}
                          >
                            Open
                          </Button>
                        </div>
                      </div>
                    ))}
                  </div>
                </div>
              </div>
              <div className="rounded-2xl border border-stone-200 p-4 text-sm">
                <p className="font-semibold text-stone-900">Timeline anomaly counters ({diagnostics.windowDays}-day window)</p>
                <div className="mt-2 grid grid-cols-1 gap-2 md:grid-cols-3">
                  <div className="rounded-xl bg-stone-50 p-3 text-stone-700">
                    Repeated payment failures: <span className="font-semibold text-stone-900">{diagnostics.timelineAnomalies.repeatedPaymentFailedCount}</span>
                  </div>
                  <div className="rounded-xl bg-stone-50 p-3 text-stone-700">
                    Pending plan past effective date: <span className="font-semibold text-stone-900">{diagnostics.timelineAnomalies.pendingPlanPastEffectiveCount}</span>
                  </div>
                  <div className="rounded-xl bg-stone-50 p-3 text-stone-700">
                    Stale sync threshold breaches: <span className="font-semibold text-stone-900">{diagnostics.timelineAnomalies.staleSyncThresholdCount}</span>
                  </div>
                </div>
              </div>
            </div>
          ) : null}
        </Card>
        <Card className="p-6">
          <div className="flex flex-wrap items-center justify-between gap-3">
            <div className="flex items-center gap-3">
              <div className="rounded-xl bg-stone-100 p-3 text-stone-900">
                <ShieldCheck className="h-5 w-5" />
              </div>
              <div>
                <p className="text-sm font-semibold uppercase tracking-[0.18em] text-stone-500">Admin Audit Explorer</p>
                <h2 className="text-lg font-semibold text-stone-950">Route and support action history</h2>
              </div>
            </div>
            <Button type="button" variant="secondary" onClick={() => void loadAuditLogs(auditPage)} disabled={auditLoading}>
              {auditLoading ? <Loader2 className="h-4 w-4 animate-spin" /> : null}
              Refresh
            </Button>
          </div>
          <div className="mt-4 grid grid-cols-1 gap-3 md:grid-cols-2 xl:grid-cols-5">
            <div>
              <FieldLabel>Actor email</FieldLabel>
              <Input value={auditActorEmail} onChange={(event) => setAuditActorEmail(event.target.value)} placeholder="ops@company.com" />
            </div>
            <div>
              <FieldLabel>Action</FieldLabel>
              <Select value={auditAction} onChange={(event) => setAuditAction(event.target.value as AdminAuditAction | '')}>
                <option value="">All actions</option>
                {AUDIT_ACTION_OPTIONS.map((option) => (
                  <option key={option.value} value={option.value}>{option.label}</option>
                ))}
              </Select>
            </div>
            <div>
              <FieldLabel>Workspace ID</FieldLabel>
              <Input value={auditWorkspaceId} onChange={(event) => setAuditWorkspaceId(event.target.value)} placeholder="uuid" />
            </div>
            <div>
              <FieldLabel>From</FieldLabel>
              <Input type="datetime-local" value={auditFrom} onChange={(event) => setAuditFrom(event.target.value)} />
            </div>
            <div>
              <FieldLabel>To</FieldLabel>
              <Input type="datetime-local" value={auditTo} onChange={(event) => setAuditTo(event.target.value)} />
            </div>
          </div>
          <div className="mt-3 flex items-center gap-2">
            <Button
              type="button"
              onClick={() => {
                void loadAuditLogs(1);
              }}
              disabled={auditLoading}
            >
              Apply filters
            </Button>
            <Button
              type="button"
              variant="subtle"
              onClick={() => {
                setAuditActorEmail('');
                setAuditAction('');
                setAuditWorkspaceId('');
                setAuditFrom('');
                setAuditTo('');
                void loadAuditLogs(1, {
                  actorEmail: '',
                  action: '',
                  workspaceId: '',
                  from: '',
                  to: '',
                });
              }}
              disabled={auditLoading}
            >
              Clear
            </Button>
          </div>
          {auditError ? <Alert className="mt-4" variant="error">{auditError}</Alert> : null}
          <div className="mt-4 overflow-x-auto">
            {auditLoading && auditItems.length === 0 ? <LoadingState message="Loading admin audit logs..." /> : null}
            {!auditLoading && auditItems.length === 0 ? (
              <p className="rounded-2xl border border-dashed border-stone-200 bg-stone-50 px-4 py-5 text-sm text-stone-600">
                No audit entries found for the selected filters.
              </p>
            ) : null}
            {auditItems.length > 0 ? (
              <table className="w-full min-w-[920px] text-left text-sm">
                <thead>
                  <tr className="border-b border-stone-200 text-xs uppercase tracking-[0.14em] text-stone-500">
                    <th className="px-3 py-2">Occurred</th>
                    <th className="px-3 py-2">Actor</th>
                    <th className="px-3 py-2">Action</th>
                    <th className="px-3 py-2">Route</th>
                    <th className="px-3 py-2">Workspace</th>
                  </tr>
                </thead>
                <tbody>
                  {auditItems.map((item) => (
                    <tr key={item.id} className="border-b border-stone-100">
                      <td className="px-3 py-2 text-stone-700">{formatDateLabel(item.occurredAt)}</td>
                      <td className="px-3 py-2 text-stone-700">{item.actorEmail || 'Unknown actor'}</td>
                      <td className="px-3 py-2">
                        <span className="rounded-full bg-stone-100 px-2 py-1 text-xs font-semibold text-stone-700" title={item.action}>
                          {formatAuditActionLabel(item.action)}
                        </span>
                      </td>
                      <td className="px-3 py-2 text-stone-700">{item.route}</td>
                      <td className="px-3 py-2 text-stone-700">{item.targetWorkspaceName || item.targetWorkspaceId || 'N/A'}</td>
                    </tr>
                  ))}
                </tbody>
              </table>
            ) : null}
          </div>
          <div className="mt-4 flex flex-wrap items-center justify-between gap-3 text-sm text-stone-600">
            <p>
              Showing page {auditPage} of {totalAuditPages} ({auditTotal} total entries)
            </p>
            <div className="flex items-center gap-2">
              <Button
                type="button"
                variant="secondary"
                size="sm"
                disabled={auditLoading || auditPage <= 1}
                onClick={() => {
                  void loadAuditLogs(auditPage - 1);
                }}
              >
                Previous
              </Button>
              <Button
                type="button"
                variant="secondary"
                size="sm"
                disabled={auditLoading || auditPage >= totalAuditPages}
                onClick={() => {
                  void loadAuditLogs(auditPage + 1);
                }}
              >
                Next
              </Button>
            </div>
          </div>
        </Card>
        <Card className="p-6">
          <div className="flex flex-wrap items-center justify-between gap-3">
            <div className="flex items-center gap-3">
@@ -413,6 +1015,15 @@ export function AdminPage() {
  );
 }
 function DiagnosticsMetricCard({ title, value }: { title: string; value: number }) {
  return (
    <div className="rounded-xl border border-stone-200 bg-stone-50 p-4">
      <p className="text-xs uppercase tracking-[0.14em] text-stone-500">{title}</p>
      <p className="mt-1 text-2xl font-semibold tracking-tight text-stone-900">{value}</p>
    </div>
  );
 }
 function MetricBucketCard({ title, buckets }: { title: string; buckets: Array<{ key: string; count: number }> }) {
  return (
    <div className="rounded-2xl border border-stone-200 p-4">
@@ -1,7 +1,13 @@
 import type {
  AdminAuditLogFilters,
  AdminAuditLogListResponse,
  AdminBillingResyncRequest,
  AdminBillingResyncResponse,
  AdminApplicationAdminResponse,
  AdminApplicationAdminsListResponse,
  AdminAnalyticsSummary,
  AdminSecurityPostureResponse,
  AdminSupportDiagnosticsResponse,
  ApplicationAdminStatus,
  BillingAdminWorkspaceDetailResponse,
  BillingAdminWorkspaceListResponse,
@@ -40,3 +46,68 @@ export async function updateApplicationAdminStatus(adminId: string, status: Appl
    body: JSON.stringify({ status }),
  });
 }
 export async function listAdminAuditLogs(filters: AdminAuditLogFilters = {}) {
  const params = new URLSearchParams();
  if (filters.actorEmail?.trim()) {
    params.set('actorEmail', filters.actorEmail.trim());
  }
  if (filters.action?.trim()) {
    params.set('action', filters.action.trim());
  }
  if (filters.workspaceId?.trim()) {
    params.set('workspaceId', filters.workspaceId.trim());
  }
  if (filters.from) {
    params.set('from', filters.from);
  }
  if (filters.to) {
    params.set('to', filters.to);
  }
  if (typeof filters.page === 'number') {
    params.set('page', String(filters.page));
  }
  if (typeof filters.pageSize === 'number') {
    params.set('pageSize', String(filters.pageSize));
  }
  const queryString = params.toString();
  return apiRequest<AdminAuditLogListResponse>(`/admin/ops/audit${queryString ? `?${queryString}` : ''}`);
 }
 export async function getAdminSecurityPosture() {
  return apiRequest<AdminSecurityPostureResponse>('/admin/ops/security-posture');
 }
 export async function getAdminSupportDiagnostics(query?: { windowDays?: number; staleSyncThresholdHours?: number; sampleLimit?: number }) {
  const params = new URLSearchParams();
  if (typeof query?.windowDays === 'number') {
    params.set('windowDays', String(query.windowDays));
  }
  if (typeof query?.staleSyncThresholdHours === 'number') {
    params.set('staleSyncThresholdHours', String(query.staleSyncThresholdHours));
  }
  if (typeof query?.sampleLimit === 'number') {
    params.set('sampleLimit', String(query.sampleLimit));
  }
  const queryString = params.toString();
  return apiRequest<AdminSupportDiagnosticsResponse>(`/admin/ops/diagnostics${queryString ? `?${queryString}` : ''}`);
 }
 export async function requestAdminBillingResync(payload: AdminBillingResyncRequest) {
  return apiRequest<AdminBillingResyncResponse>('/admin/mutations/billing/resync', {
    method: 'POST',
    body: JSON.stringify(payload),
  });
 }