# 15. Admin Portal

## Admin Roles

The admin model is binary: `is_admin = 1` on the `users` table grants full admin access. The first registered user is automatically made an admin.

No intermediate roles, no per-feature permissions, no delegation.

## Admin Routes

All admin routes require `authenticateAdmin` middleware (JWT + `isAdmin` check).

| Route Group | Purpose |
|-------------|---------|
| `/api/admin/users` | User CRUD |
| `/api/admin/ai-provider/*` | AI provider configuration |
| `/api/admin/bedrock/*` | AWS Bedrock management |
| `/api/admin/cloud-connections/*` | Cloud drive connections |
| `/api/admin/cloud-mounts/*` | Cloud mount points |
| `/api/admin/hook-*-report` | Analytics reports |
| `/api/admin/output-styles/*` | Output style management |
| `/api/admin/refresh-stats` | Analytics refresh |
| `/api/admin/quality-analysis` | Quality signal processing |
| `/api/admin/skill-usage-report` | Skill analytics |

## Admin Capabilities

### User Management

| Action | Endpoint | Details |
|--------|----------|---------|
| List users | GET `/api/admin/users` | All users with metadata |
| Create user | POST `/api/admin/users` | Username, password, admin flag |
| Update user | PATCH `/api/admin/users/:id` | Change role, reset password |
| Delete user | DELETE `/api/admin/users/:id` | CASCADE deletes related records |
| Send welcome email | POST `/api/admin/users/:id/welcome-email` | Via Postmark template |

### AI Provider Management

| Action | Endpoint | Details |
|--------|----------|---------|
| View provider status | GET `/api/admin/ai-provider/status` | Active provider, health |
| List available models | GET `/api/admin/ai-provider/models` | Claude and Bedrock models |
| Activate provider | POST `/api/admin/ai-provider/activate` | Switch between Claude/Bedrock |
| Configure Bedrock | POST `/api/admin/bedrock/configure` | AWS credentials, region |
| Test Bedrock | POST `/api/admin/bedrock/test` | Validate connection |
| Switch model | POST `/api/admin/bedrock/switch-model` | Change active model |
| Toggle 1M context | POST `/api/admin/bedrock/context-mode` | Enable/disable with audit |
| Remove Bedrock | DELETE `/api/admin/bedrock` | Clear configuration |

### Analytics & Reporting

| Report | Endpoint | Data Source |
|--------|----------|-------------|
| Hook usage | GET `/api/admin/hook-usage-report` | `hook_usage_rollups` |
| Session report | GET `/api/admin/hook-session-report` | `hook_sessions` |
| Command report | GET `/api/admin/hook-command-report` | `hook_command_rollups` |
| Context report | GET `/api/admin/hook-context-report` | Hook events analysis |
| Timeseries | GET `/api/admin/hook-timeseries-report` | Rollups by time bucket |
| User activity | GET `/api/admin/hook-user-activity-report` | Per-user analytics |
| Skill usage | GET `/api/admin/skill-usage-report` | Skill execution stats |

**Stats refresh:** POST `/api/admin/refresh-stats` triggers `statsRefreshWorker.js` (forked process) to process hook event JSONL files into rollup tables.

### Output Styles

| Action | Endpoint | Details |
|--------|----------|---------|
| List styles | GET `/api/admin/output-styles` | All output style definitions |
| Get style | GET `/api/admin/output-styles/:id` | Single style details |
| Create style | POST `/api/admin/output-styles` | Name, content, metadata |
| Update style | PUT `/api/admin/output-styles/:id` | Modify existing style |
| Delete style | DELETE `/api/admin/output-styles/:id` | Remove style |

Output styles modify Claude's response format via system prompt injection or post-processing.

### Cloud Drive Administration

| Action | Endpoint | Details |
|--------|----------|---------|
| List connections | GET `/api/admin/cloud-connections` | All cloud provider connections |
| Create connection | POST `/api/admin/cloud-connections` | Provider type, credentials |
| Authorize | POST `/api/admin/cloud-connections/:id/authorize` | Start OAuth flow |
| Delete connection | DELETE `/api/admin/cloud-connections/:id` | Remove connection |
| List mounts | GET `/api/admin/cloud-mounts` | All mount points |
| Create mount | POST `/api/admin/cloud-mounts` | Path, access mode, VFS profile |
| Remount | POST `/api/admin/cloud-mounts/:id/remount` | Re-establish mount |
| Delete mount | DELETE `/api/admin/cloud-mounts/:id` | Remove mount |

### System Health Dashboard

Available in admin settings (General tab):

| Metric | Source | Alert Threshold |
|--------|--------|----------------|
| Disk usage | Filesystem stats | Green <70%, Yellow 70-85%, Red >85% |
| CPU load | System metrics | TBD |
| Memory usage | Process metrics | Configurable thresholds |
| Database health | `PRAGMA integrity_check` | Pass/fail |
| Claude API | `/api/setup/claude-status` | Connected/disconnected |
| WebSocket | Connection count | Active/inactive |

## Audit Logging

| Audit Table | What It Records |
|-------------|----------------|
| `hook_events` | All Claude Code tool invocations |
| `hook_tool_execs` | Tool execution details (command, duration, success) |
| `hook_sessions` | Session lifecycle (start, end, reason) |
| `hook_file_accesses` | File read/write operations |
| `execution_history` | Scheduled prompt execution results |
| `executions` | All execution types (schedule, meeting, API) |
| `api_key_usage` | External API key activity |
| `usage_events` | Token consumption and cost per exchange |
| `response_quality_signals` | Response quality metrics |
| `feedback_events` | User thumbs up/down feedback |
| `stats_refresh_log` | Analytics refresh history |
| `bedrock_context_audit` | 1M context toggle acknowledgments |
| `prompt_versions` | CLAUDE.md and prompt change history |

## Admin UI Components

| Component | File | Purpose |
|-----------|------|---------|
| `AIProviderSelector` | `admin/AIProviderSelector.jsx` | Provider selection card |
| `BedrockConfigModal` | `admin/BedrockConfigModal.jsx` | Bedrock setup dialog |
| `ClaudeConfigModal` | `admin/ClaudeConfigModal.jsx` | Claude API key dialog |
| `OutputStyleModal` | `admin/OutputStyleModal.jsx` | Style editor dialog |
| `OutputStylesManager` | `admin/OutputStylesManager.jsx` | Style list management |
| `ProviderCard` | `admin/ProviderCard.jsx` | Provider status card |
| `ReportingPage` | `ReportingPage.jsx` | Analytics dashboard |
