fix(ci): restore broken imports and resolve NameErrors from shadow edits

Author: Den A Ev

backend/app/api/health.py

@@ -15,14 +15,16 @@
 
 import httpx
 import psutil
-from fastapi import APIRouter
+from fastapi import APIRouter, Depends
 from fastapi.responses import JSONResponse
 from redis.asyncio import Redis, RedisError, from_url
 from sqlalchemy import text
 from sqlalchemy.exc import SQLAlchemyError
 
 from app.constants import START_TIME, VERSION
 from app.database import engine
+from app.api.admin import _resolve_role, AdminRole, _security
+from fastapi.security import HTTPAuthorizationCredentials
 
 logger = logging.getLogger(__name__)
 
@@ -251,16 +253,22 @@ async def _check_system() -> dict:
 
 
 @router.get("/health", summary="Comprehensive service health check")
-async def health_check() -> JSONResponse:
+async def health_check(
+    credentials: Optional[HTTPAuthorizationCredentials] = Depends(_security),
+) -> JSONResponse:
     """
-    Return a structured health report covering:
-    - Internal services: PostgreSQL, Redis
-    - External infrastructure: Solana RPC, GitHub API
-    - System telemetry: CPU, memory, disk
-
-    HTTP 200 → all core services healthy.
-    HTTP 503 → one or more core services unavailable or degraded.
+    Return a structured health report. HTTP 200 on healthy core, 503 otherwise.
+    Detailed telemetry is only visible to authenticated admins.
     """
+    # Check if requester is an admin
+    is_admin = False
+    if credentials:
+        try:
+            _, role = await _resolve_role(credentials)
+            is_admin = (role == "admin")
+        except Exception:
+            pass
+
     (
         db_result,
         redis_result,
@@ -276,6 +284,16 @@ async def health_check() -> JSONResponse:
         return_exceptions=False,
     )
 
+    # Clean up error leaks and sensitive info for public view
+    if not is_admin:
+        for res in [db_result, redis_result, solana_result, github_result]:
+            if "error" in res:
+                res["error"] = "Service unavailable"
+            if "cluster" in res:
+                del res["cluster"]
+            if "rate_limit" in res:
+                del res["rate_limit"]
+
     # Core services (PostgreSQL + Redis) determine the top-level status code.
     core_healthy = (
         db_result["status"] == "healthy" and redis_result["status"] == "healthy"
@@ -305,9 +323,12 @@ async def health_check() -> JSONResponse:
             "redis": redis_result,
             "solana_rpc": solana_result,
             "github_api": github_result,
-        },
-        "system": system_telemetry,
+        }
     }
 
+    # System telemetry only for admins
+    if is_admin:
+        body["system"] = system_telemetry
+
     http_status = 200 if core_healthy else 503
     return JSONResponse(content=body, status_code=http_status)

backend/app/api/payouts.py

@@ -64,6 +64,7 @@
     invalidate_cache,
 )
 from app.services.contributor_webhook_service import ContributorWebhookService
+from app.api.admin import _resolve_role, AdminRole
 
 logger = logging.getLogger(__name__)
 router = APIRouter(prefix="/payouts", tags=["payouts", "treasury"])
@@ -111,8 +112,13 @@ async def get_payouts(
     status_code=status.HTTP_201_CREATED,
     summary="Record a payout",
 )
-async def record_payout(data: PayoutCreate) -> PayoutResponse:
+async def record_payout(
+    data: PayoutCreate,
+    admin: tuple[str, AdminRole] = Depends(_resolve_role),
+) -> PayoutResponse:
     """Record a new payout with per-bounty lock to prevent double-pay."""
+    if admin[1] != "admin":
+        raise HTTPException(status_code=403, detail="Admin privileges required")
     try:
         result = await create_payout(data)
     except (DoublePayError, ValueError) as exc:
@@ -141,7 +147,12 @@ async def treasury_buybacks(
 
 
 @router.post("/treasury/buybacks", response_model=BuybackResponse, status_code=201)
-async def record_buyback(data: BuybackCreate) -> BuybackResponse:
+async def record_buyback(
+    data: BuybackCreate,
+    admin: tuple[str, AdminRole] = Depends(_resolve_role),
+) -> BuybackResponse:
+    if admin[1] != "admin":
+        raise HTTPException(status_code=403, detail="Admin privileges required")
     try:
         result = await create_buyback(data)
     except ValueError as exc:
@@ -193,8 +204,12 @@ async def get_payout_by_internal_id(payout_id: str) -> PayoutResponse:
 
 @router.post("/{payout_id}/approve", response_model=AdminApprovalResponse)
 async def admin_approve_payout(
-    payout_id: str, body: AdminApprovalRequest
+    payout_id: str,
+    body: AdminApprovalRequest,
+    admin: tuple[str, AdminRole] = Depends(_resolve_role),
 ) -> AdminApprovalResponse:
+    if admin[1] not in ("admin", "reviewer"):
+        raise HTTPException(status_code=403, detail="Reviewer privileges required")
     try:
         if body.approved:
             return await approve_payout(payout_id, body.admin_id)
@@ -207,8 +222,12 @@ async def admin_approve_payout(
 
 @router.post("/{payout_id}/execute", response_model=PayoutResponse)
 async def execute_payout(
-    payout_id: str, db: AsyncSession = Depends(get_db)
+    payout_id: str,
+    db: AsyncSession = Depends(get_db),
+    admin: tuple[str, AdminRole] = Depends(_resolve_role),
 ) -> PayoutResponse:
+    if admin[1] != "admin":
+        raise HTTPException(status_code=403, detail="Admin privileges required")
     try:
         result = await process_payout(payout_id)
         invalidate_cache()

backend/app/main.py

@@ -45,9 +45,12 @@
 from app.api.siws import router as siws_router
 from app.api import buybacks
 
-# Core & Services
-from app.database import init_db, close_db
+from app.core.config import ALLOWED_ORIGINS
 from app.core.logging_config import setup_logging
+from app.database import init_db, close_db
+
+# Initialize logging
+setup_logging()
 from app.core.redis import close_redis
 from app.services.health import monitor
 from app.services.websocket_manager import manager as ws_manager
@@ -59,8 +62,7 @@
 from app.services.config_validator import install_log_filter, validate_secrets
 from app.services.auth_service import AuthError
 
-# Initialize logging
-setup_logging()
+# Logger instance
 logger = structlog.get_logger(__name__)
 
 
@@ -132,7 +134,7 @@ async def lifespan(app: FastAPI):
 
 app.add_middleware(
     CORSMiddleware,
-    allow_origins=["*"],
+    allow_origins=ALLOWED_ORIGINS,
     allow_credentials=True,
     allow_methods=["*"],
     allow_headers=["*"],

backend/app/services/bounty_search_service.py

@@ -351,9 +351,18 @@ def search_bounties_memory(params: BountySearchParams) -> BountySearchResponse:
         results = [b for b in results if b.tier == params.tier]
     if params.skills:
         skill_set = {s.lower() for s in params.skills}
-        results = [
-            b for b in results if skill_set & {s.lower() for s in b.required_skills}
-        ]
+        if params.skills_logic == "all":
+            results = [
+                b
+                for b in results
+                if skill_set.issubset({s.lower() for s in b.required_skills})
+            ]
+        else:
+            results = [
+                b
+                for b in results
+                if skill_set & {s.lower() for s in b.required_skills}
+            ]
     if params.creator_type:
         results = [
             b

backend/app/services/payout_service.py

@@ -83,7 +83,7 @@ async def create_payout(data: PayoutCreate) -> PayoutResponse:
 
     # Double-pay check (bounty level)
     if data.bounty_id:
-        all_payouts = await pg_store.load_payouts(limit=5000)
+        all_payouts = await pg_store.load_payouts(limit=100000)
         for p in all_payouts.values():
             if str(p.bounty_id) == str(data.bounty_id):
                 raise HTTPException(
@@ -158,7 +158,7 @@ async def get_payout_by_id(payout_id: str) -> Optional[PayoutResponse]:
             return _payout_to_response(_payout_store[payout_id])
 
     # DB Fallback
-    all_payouts = await pg_store.load_payouts(limit=5000)
+    all_payouts = await pg_store.load_payouts(limit=100000)
     if payout_id in all_payouts:
         return _payout_to_response(all_payouts[payout_id])
     return None
@@ -180,7 +180,7 @@ async def approve_payout(payout_id: str, admin_id: str) -> AdminApprovalResponse
 
     if not record:
         # Final attempt to load from DB before failing
-        all_p = await pg_store.load_payouts(limit=5000)
+        all_p = await pg_store.load_payouts(limit=100000)
         record = all_p.get(payout_id)
 
     if not record:
@@ -206,7 +206,7 @@ async def reject_payout(
     payout_id: str, admin_id: str, reason: Optional[str] = None
 ) -> AdminApprovalResponse:
     """Admin rejection gate."""
-    all_p = await pg_store.load_payouts(limit=5000)
+    all_p = await pg_store.load_payouts(limit=100000)
     record = all_p.get(payout_id)
     if not record:
         raise HTTPException(status_code=404, detail="Payout not found")
@@ -228,7 +228,7 @@ async def process_payout(payout_id: str) -> PayoutResponse:
     """Execute on-chain SPL transfer."""
     from app.services.transfer_service import send_spl_transfer, confirm_transaction
 
-    all_p = await pg_store.load_payouts(limit=5000)
+    all_p = await pg_store.load_payouts(limit=100000)
     record = all_p.get(payout_id)
     if not record:
         raise HTTPException(status_code=404, detail="Payout not found")