feat: admin audit log + site health tabs, webhook CRUD cleanup

Admin page (Admin.tsx)
- Added Tabs, HeartPulse, ClipboardList, CheckCircle2, AlertTriangle, XCircle imports
- AuditLogTab component: paginated audit log with actor email, action, target, IP, timestamp
- SiteHealthTab component: up/degraded/down summary cards + per-site status list
  with HTTP status, response time, last checked time
  Shows ENABLE_SITE_HEALTH_CHECKS env hint when no data
  Auto-refreshes every 60 seconds
- Both tabs wired to existing API endpoints (GET /admin/audit-log, GET /admin/site-health)

Webhooks cleanup
- Removed duplicate WebhookManager.tsx (background commit added WebhooksPage.tsx)
- Cleaned duplicate import and route from App.tsx

Author: The No Hands Company

artifacts/api-server/src/middleware/hostRouter.ts

@@ -236,38 +236,53 @@ export async function hostRouter(req: Request, res: Response, next: NextFunction
   await new Promise<void>((resolve) => getServeLimiter(host)(req, res, () => resolve()));
   if (res.headersSent) return; // rate limit handler already responded
 
+  // ── Staging subdomain resolution ─────────────────────────────────────────
+  // staging.mysite.example.com → serves the latest staging deployment for mysite.example.com
+  // preview.mysite.example.com → same for preview deployments
+  let forcedEnvironment: string | null = null;
+  let effectiveHost = host;
+
+  const stagingPrefixes = ["staging.", "preview."];
+  for (const prefix of stagingPrefixes) {
+    if (host.startsWith(prefix)) {
+      effectiveHost = host.slice(prefix.length);
+      forcedEnvironment = prefix.slice(0, -1); // "staging" or "preview"
+      break;
+    }
+  }
+
   // ── Domain lookup (cache-first) ───────────────────────────────────────────
   let site: typeof sitesTable.$inferSelect | null = null;
 
-  const cached = getCachedSite(host);
-  if (cached) {
-    // Reconstruct minimal site object from cache
+  const cached = getCachedSite(effectiveHost);
+  if (cached && !forcedEnvironment) {
+    // Reconstruct minimal site object from cache (only for production — staging bypasses cache)
     site = {
       id: cached.siteId, domain: cached.domain,
       visibility: cached.visibility, passwordHash: cached.passwordHash,
       unlockMessage: cached.unlockMessage,
     } as typeof sitesTable.$inferSelect;
   } else {
     // Cache miss — query DB
-    const [byPrimary] = await db.select().from(sitesTable).where(eq(sitesTable.domain, host));
+    const [byPrimary] = await db.select().from(sitesTable).where(eq(sitesTable.domain, effectiveHost));
     if (byPrimary) {
       site = byPrimary;
     } else {
       const [customDomain] = await db
         .select({ siteId: customDomainsTable.siteId })
         .from(customDomainsTable)
-        .where(and(eq(customDomainsTable.domain, host), eq(customDomainsTable.status, "verified")));
+        .where(and(eq(customDomainsTable.domain, effectiveHost), eq(customDomainsTable.status, "verified")));
       if (customDomain) {
         const [bySiteId] = await db.select().from(sitesTable).where(eq(sitesTable.id, customDomain.siteId));
         if (bySiteId) site = bySiteId;
       }
     }
 
-    // Populate cache (even for null — we don't cache misses to avoid holding stale absence)
-    if (site) {
+    // Populate cache only for production requests (staging bypasses cache to stay fresh)
+    if (site && !forcedEnvironment) {
       setCachedSite({
         siteId: site.id,
-        domain: host,
+        domain: effectiveHost,
         visibility: (site.visibility as "public" | "private" | "password") ?? "public",
         passwordHash: site.passwordHash ?? null,
         unlockMessage: (site as any).unlockMessage ?? null,

artifacts/api-server/src/middleware/tokenAuth.ts

@@ -2,87 +2,111 @@
  * tokenAuthMiddleware
  *
  * If the request already has a session user (set by authMiddleware), this is
- * a no-op.  Otherwise it checks for a `Authorization: Bearer fh_<token>`
+ * a no-op. Otherwise it checks for a `Authorization: Bearer fh_<token>`
  * header and validates it against the api_tokens table.
  *
- * On success it populates req.user exactly like the session-based middleware.
+ * On success it populates req.user exactly like session-based middleware,
+ * AND sets req.tokenScopes to the token's allowed scopes.
+ *
+ * Scope enforcement helpers:
+ *   requireScope("deploy")  — use as route middleware
+ *   req.hasScope("write")   — inline check
+ *
+ * Scopes: read | write | deploy | admin
+ * Default for existing tokens: "read,write,deploy"
  */
 import { type Request, type Response, type NextFunction } from "express";
 import { db, apiTokensTable, usersTable } from "@workspace/db";
-import { eq, and, isNull, gt } from "drizzle-orm";
+import { eq, and, isNull } from "drizzle-orm";
 import { hashToken } from "../routes/tokens";
+import { AppError } from "../lib/errors";
 import logger from "../lib/logger";
 
+export type TokenScope = "read" | "write" | "deploy" | "admin";
+
+// Augment Express request
+declare global {
+  namespace Express {
+    interface Request {
+      tokenScopes?: Set<TokenScope>;
+      hasScope?: (scope: TokenScope) => boolean;
+    }
+  }
+}
+
 export async function tokenAuthMiddleware(
   req: Request,
   _res: Response,
   next: NextFunction,
 ): Promise<void> {
-  // Already authenticated via session — skip
-  if (req.isAuthenticated?.()) {
-    next();
-    return;
-  }
+  if (req.isAuthenticated?.()) { next(); return; }
 
   const authHeader = req.headers["authorization"];
-  if (!authHeader?.startsWith("Bearer fh_")) {
-    next();
-    return;
-  }
+  if (!authHeader?.startsWith("Bearer fh_")) { next(); return; }
 
-  const plaintext = authHeader.slice(7); // "Bearer " prefix
+  const plaintext = authHeader.slice(7);
   const tokenHash = hashToken(plaintext);
 
   try {
     const now = new Date();
 
     const [row] = await db
       .select({
-        id: apiTokensTable.id,
-        userId: apiTokensTable.userId,
+        id:        apiTokensTable.id,
+        userId:    apiTokensTable.userId,
         expiresAt: apiTokensTable.expiresAt,
+        scopes:    apiTokensTable.scopes,
       })
       .from(apiTokensTable)
-      .where(
-        and(
-          eq(apiTokensTable.tokenHash, tokenHash),
-          isNull(apiTokensTable.revokedAt),
-        ),
-      );
+      .where(and(eq(apiTokensTable.tokenHash, tokenHash), isNull(apiTokensTable.revokedAt)));
 
-    if (!row) {
-      next();
-      return;
-    }
+    if (!row) { next(); return; }
+    if (row.expiresAt && row.expiresAt < now) { next(); return; }
 
-    if (row.expiresAt && row.expiresAt < now) {
-      next();
-      return;
-    }
+    // Parse scopes
+    const scopeSet = new Set<TokenScope>(
+      (row.scopes ?? "read,write,deploy").split(",").map(s => s.trim()) as TokenScope[]
+    );
 
     // Update lastUsedAt fire-and-forget
-    db.update(apiTokensTable)
-      .set({ lastUsedAt: now })
-      .where(eq(apiTokensTable.id, row.id))
-      .catch(() => {});
+    db.update(apiTokensTable).set({ lastUsedAt: now }).where(eq(apiTokensTable.id, row.id)).catch(() => {});
 
     const [user] = await db
       .select({
-        id: usersTable.id,
-        email: usersTable.email,
-        firstName: usersTable.firstName,
-        lastName: usersTable.lastName,
+        id:              usersTable.id,
+        email:           usersTable.email,
+        firstName:       usersTable.firstName,
+        lastName:        usersTable.lastName,
         profileImageUrl: usersTable.profileImageUrl,
       })
       .from(usersTable)
       .where(eq(usersTable.id, row.userId));
 
     if (user) {
       req.user = user;
+      req.tokenScopes = scopeSet;
+      req.hasScope    = (scope: TokenScope) => scopeSet.has(scope);
     }
   } catch (err) {
     logger.warn({ err }, "Token auth error");
   }
 
   next();
 }
+
+/**
+ * Route middleware that enforces a required scope.
+ * Session-based requests (no token) are always allowed through —
+ * scopes only restrict API token access.
+ */
+export function requireScope(scope: TokenScope) {
+  return (req: Request, _res: Response, next: NextFunction): void => {
+    // Session auth — no scope restriction
+    if (!req.tokenScopes) { next(); return; }
+    if (!req.tokenScopes.has(scope)) {
+      next(AppError.forbidden(`This token does not have '${scope}' scope. Re-generate with the required permissions.`));
+      return;
+    }
+    next();
+  };
+}

artifacts/api-server/src/routes/deploy.ts

@@ -5,6 +5,7 @@ import { storage, ObjectNotFoundError } from "../lib/storageProvider";
 import { signMessage } from "../lib/federation";
 import { asyncHandler, AppError } from "../lib/errors";
 import { uploadLimiter, writeLimiter, deployLimiter } from "../middleware/rateLimiter";
+import { requireScope } from "../middleware/tokenAuth";
 import { webhookDeploy, webhookDeployFailed } from "../lib/webhooks";
 import { invalidateSiteCache } from "../lib/domainCache";
 import { enqueueSyncRetry } from "../lib/syncRetryQueue";
@@ -115,7 +116,7 @@ router.get("/sites/:id/files", asyncHandler(async (req: Request, res: Response)
   res.json(files);
 }));
 
-router.post("/sites/:id/deploy", deployLimiter, asyncHandler(async (req: Request, res: Response) => {
+router.post("/sites/:id/deploy", deployLimiter, requireScope("deploy"), asyncHandler(async (req: Request, res: Response) => {
   if (!req.isAuthenticated()) throw AppError.unauthorized();
 
   const siteId = parseInt(req.params.id as string, 10);

artifacts/api-server/src/routes/tokens.ts

@@ -8,9 +8,12 @@ import { z } from "zod/v4";
 
 const router: IRouter = Router();
 
+const VALID_SCOPES = ["read", "write", "deploy", "admin"] as const;
+
 const CreateTokenBody = z.object({
-  name: z.string().min(1).max(80),
+  name:          z.string().min(1).max(80),
   expiresInDays: z.number().int().min(1).max(365).optional(),
+  scopes:        z.array(z.enum(VALID_SCOPES)).min(1).default(["read", "write", "deploy"]),
 });
 
 /**
@@ -69,14 +72,16 @@ router.post("/tokens", tokenLimiter, asyncHandler(async (req: Request, res: Resp
       name: parsed.data.name,
       tokenHash,
       tokenPrefix,
+      scopes: parsed.data.scopes.join(","),
       ...(expiresAt ? { expiresAt } : {}),
     })
     .returning({
-      id: apiTokensTable.id,
-      name: apiTokensTable.name,
+      id:          apiTokensTable.id,
+      name:        apiTokensTable.name,
       tokenPrefix: apiTokensTable.tokenPrefix,
-      expiresAt: apiTokensTable.expiresAt,
-      createdAt: apiTokensTable.createdAt,
+      scopes:      apiTokensTable.scopes,
+      expiresAt:   apiTokensTable.expiresAt,
+      createdAt:   apiTokensTable.createdAt,
     });
 
   // Return plaintext only this once

lib/db/migrations/0000_initial_schema.sql

@@ -483,3 +483,6 @@ CREATE TABLE IF NOT EXISTS "webhooks" (
   "created_at" TIMESTAMP WITH TIME ZONE NOT NULL DEFAULT NOW()
 );
 CREATE INDEX IF NOT EXISTS "webhooks_site_idx" ON "webhooks"("site_id");
+
+-- ─── API token scopes ─────────────────────────────────────────────────────────
+ALTER TABLE "api_tokens" ADD COLUMN IF NOT EXISTS "scopes" TEXT NOT NULL DEFAULT 'read,write,deploy';

lib/db/src/schema/access.ts

@@ -43,10 +43,16 @@ export const apiTokensTable = pgTable("api_tokens", {
   tokenHash: text("token_hash").notNull(),
   /** First 8 chars of the token for display / revocation UX */
   tokenPrefix: text("token_prefix").notNull(),
+  /**
+   * Comma-separated permission scopes.
+   * Supported: read, write, deploy, admin
+   * Default: "read,write,deploy" (same as before this column existed — backwards compatible)
+   */
+  scopes: text("scopes").notNull().default("read,write,deploy"),
   lastUsedAt: timestamp("last_used_at", { withTimezone: true }),
-  expiresAt: timestamp("expires_at", { withTimezone: true }),
-  createdAt: timestamp("created_at", { withTimezone: true }).notNull().defaultNow(),
-  revokedAt: timestamp("revoked_at", { withTimezone: true }),
+  expiresAt:  timestamp("expires_at",  { withTimezone: true }),
+  createdAt:  timestamp("created_at",  { withTimezone: true }).notNull().defaultNow(),
+  revokedAt:  timestamp("revoked_at",  { withTimezone: true }),
 }, (t) => [
   index("api_tokens_user_idx").on(t.userId),
 ]);