routes.ts

/**
 * API Routes Configuration
 * Central routing setup for all API endpoints
 */

import express from 'express';
import rateLimit from 'express-rate-limit';

import authMiddleware from './middleware/authMiddleware.js';
import antraegeRouter from './routes/antraege/index.js';
import { mountAuthStatusContractRouter } from './routes/auth/authStatusContractRouter.js';
import authInitRouter from './routes/auth/initController.js';
import { mountAdminVorlagenContractRouter } from './routes/auth/templates/adminVorlagenContractRouter.js';
import { mountUserProfileContractRouter } from './routes/auth/userProfileContractRouter.js';
import { mountBoardsContractRouter } from './routes/boards/boardsContractRouter.js';
import { mountChatGraphContractRouter } from './routes/chat/chatGraphContractRouter.js';
import { mountThreadsContractRouter } from './routes/chat/threadsContractRouter.js';
import { mountDocsContractRouter } from './routes/docs/docsContractRouter.js';
import { mountDocumentsContractRouter } from './routes/documents/documentsContractRouter.js';
import etherpadRoute from './routes/etherpad/etherpadController.js';
import { mountExportsContractRouter } from './routes/exports/exportsContractRouter.js';
import exportDocumentsRouter from './routes/exports/index.js';
import imagineCreateRoute from './routes/flux/imagineCreate.js';
import imaginePureRoute from './routes/flux/imaginePure.js';
import { mountImagePickerContractRouter } from './routes/image/imagePickerContractRouter.js';
import {
  pickerController as imagePickerRoute,
  generationController as imageGenerationRouter,
} from './routes/image/index.js';
import {
  offboardingRouter,
  databaseTestRouter,
  rateLimitRouter,
  grueneApiTestRouter,
  contentSyncRouter,
} from './routes/internal/index.js';
import { markdownController as markdownRouter } from './routes/markdown/index.js';
import { monitorRouter, monitorInternalRouter } from './routes/monitor/index.js';
import { mountNotebookCollectionsContractRouter } from './routes/notebook/notebookCollectionsContractRouter.js';
import { mountNotebookContractRouter } from './routes/notebook/notebookContractRouter.js';
import notificationsRouter from './routes/notifications/index.js';
import { mountNotificationsContractRouter } from './routes/notifications/notificationsContractRouter.js';
import protokollRouter from './routes/protokoll/index.js';
import { releasesRouter } from './routes/releases/index.js';
import researchRouter from './routes/research/researchController.js';
import scannerRouter from './routes/scanner/index.js';
import {
  searchController as searchRouter,
  webSearchController as webSearchRouter,
} from './routes/search/index.js';
import searchGraphRouter from './routes/search/searchGraphController.js';
import { mountShareContractRouter } from './routes/share/shareContractRouter.js';
import shareRouter from './routes/share/shareController.js';
import editSessionRouter from './routes/sharepic/editSession.js';
import promptRoute from './routes/sharepic/promptRoute.js';
import aiImageModificationRouter from './routes/sharepic/sharepic_canvas/aiImageModification.js';
import campaignCanvasRoute from './routes/sharepic/sharepic_canvas/campaign_canvas.js';
import { mountCampaignCanvasContractRouter } from './routes/sharepic/sharepic_canvas/campaignCanvasContractRouter.js';
import sharepicDreizeilenCanvasRoute from './routes/sharepic/sharepic_canvas/dreizeilen_canvas.js';
import imageUploadRouter from './routes/sharepic/sharepic_canvas/imageUploadRouter.js';
import imagineLabelCanvasRoute from './routes/sharepic/sharepic_canvas/imagine_label_canvas.js';
import infoSharepicCanvasRoute from './routes/sharepic/sharepic_canvas/info_canvas.js';
import processTextRouter from './routes/sharepic/sharepic_canvas/processTextRouter.js';
import profilbildCanvasRoute from './routes/sharepic/sharepic_canvas/profilbild_canvas.js';
import simpleCanvasRoute from './routes/sharepic/sharepic_canvas/simple_canvas.js';
import sliderCanvasRoute from './routes/sharepic/sharepic_canvas/slider_canvas.js';
import veranstaltungCanvasRoute from './routes/sharepic/sharepic_canvas/veranstaltung_canvas.js';
import zitatSharepicCanvasRoute from './routes/sharepic/sharepic_canvas/zitat_canvas.js';
import zitatPureSharepicCanvasRoute from './routes/sharepic/sharepic_canvas/zitat_pure_canvas.js';
import campaignGenerateRoute from './routes/sharepic/sharepic_claude/campaign_generate.js';
import sharepicClaudeRoute, {
  handleClaudeRequest,
  handleSliderSmartRequest,
} from './routes/sharepic/sharepic_claude/index.js';
import { type SharepicRequest } from './routes/sharepic/sharepic_claude/types.js';
import subtitlerRouter from './routes/subtitler/processingController.js';
import subtitlerProjectRouter from './routes/subtitler/projectController.js';
import subtitlerShareRouter from './routes/subtitler/shareController.js';
import subtitlerSocialRouter from './routes/subtitler/socialController.js';
import { mountSubtitlerContractRouter } from './routes/subtitler/subtitlerContractRouter.js';
import {
  universalRouter,
  textAdjustmentRouter as claudeTextAdjustmentRoute,
  textImproverRouter as claudeTextImproverRoute,
  subtitlesRouter as claudeSubtitlesRoute,
  leichteSpracheRouter as leichteSpracheRoute,
} from './routes/texte/index.js';
import { mountTransferContractRouter } from './routes/transfer/transferContractRouter.js';
import { mountUnsplashContractRouter } from './routes/unsplash/unsplashContractRouter.js';
import { recentValuesRouter } from './routes/user/index.js';
import { mountRecentValuesContractRouter } from './routes/user/recentValuesContractRouter.js';
import { mountVideoContractRouter } from './routes/video/videoContractRouter.js';
import ttsRouter from './routes/voice/ttsController.js';
import { mountVoiceContractRouter } from './routes/voice/voiceContractRouter.js';
import voiceRouter from './routes/voice/voiceController.js';
import { mountWordpressContractRouter } from './routes/wordpress/wordpressContractRouter.js';
import recentActivityRouter from './routes/workplace/recentActivityController.js';
import * as sharepicGenerationService from './services/chat/sharepicGenerationService.js';
import * as tusServiceModule from './services/subtitler/tusService.js';
import { createLogger } from './utils/logger.js';
import { RouteStatsTracker } from './utils/routeStats.js';

import type { Application, Request, Response, NextFunction, Router } from 'express';

/**
 * IP-based rate limiters for abuse prevention.
 * These are intentionally softer since most routes also have frontend-side throttling.
 * Complements the existing Redis-based per-user rate limiter (used for business quotas).
 * Disabled entirely when DISABLE_RATE_LIMITS=true (dev convenience).
 */
const isRateLimitDisabled = process.env.DISABLE_RATE_LIMITS === 'true';

const aiGenerationLimiter = isRateLimitDisabled
  ? (_req: Request, _res: Response, next: NextFunction) => next()
  : rateLimit({
      windowMs: 15 * 60 * 1000, // 15 minutes
      max: 200, // ~13 per minute average — protects against abuse, not normal use
      standardHeaders: true,
      legacyHeaders: false,
      message: { error: 'Too many AI generation requests, please try again later.' },
    });

const standardMutationLimiter = isRateLimitDisabled
  ? (_req: Request, _res: Response, next: NextFunction) => next()
  : rateLimit({
      windowMs: 15 * 60 * 1000,
      max: 200,
      standardHeaders: true,
      legacyHeaders: false,
      message: { error: 'Too many requests, please try again later.' },
    });

const authenticatedReadLimiter = isRateLimitDisabled
  ? (_req: Request, _res: Response, next: NextFunction) => next()
  : rateLimit({
      windowMs: 15 * 60 * 1000, // 15 minutes
      max: 1000, // ~66/min — generous for authenticated page loads with many parallel fetches
      standardHeaders: true,
      legacyHeaders: false,
      message: { error: 'Too many requests, please try again later.' },
    });

const publicReadLimiter = isRateLimitDisabled
  ? (_req: Request, _res: Response, next: NextFunction) => next()
  : rateLimit({
      windowMs: 60 * 60 * 1000, // 1 hour
      max: 500, // soft — prevents scraping, allows normal use
      standardHeaders: true,
      legacyHeaders: false,
      message: { error: 'Too many requests, please try again later.' },
    });

const log = createLogger('Routes');

const { requireAuth, optionalAuth } = authMiddleware;
const { generateSharepicForChat } = sharepicGenerationService;
const { tusServer: _tusServer } = tusServiceModule;

// Route usage tracking
const routeTracker = new RouteStatsTracker();

// Snapshotting (Yjs-based) – load conditionally to avoid hard dependency on yjs
let snapshottingRouter: Router | null = null;

async function loadOptionalModules(): Promise<void> {
  try {
    if (process.env.YJS_ENABLED === 'true') {
      // Dynamic import - module may not exist
      // @ts-expect-error - Optional module, may not be present
      const module = (await import('./routes/internal/snapshottingController.js')) as {
        default: typeof snapshottingRouter;
      };
      snapshottingRouter = module.default;
      log.debug('Snapshotting controller loaded');
    }
  } catch (e) {
    const err = e instanceof Error ? e : new Error(String(e));
    log.debug(`Snapshotting unavailable: ${err.message}`);
  }
}

// Initialize optional modules
void loadOptionalModules();

export async function setupRoutes(app: Application): Promise<void> {
  // Debug: Log ALL API requests at the start
  app.use('/api/*splat', (req: Request, res: Response, next: NextFunction) => {
    if (req.originalUrl.includes('releases')) {
      console.log(`[Routes DEBUG] API request: ${req.method} ${req.originalUrl}`);
    }
    next();
  });

  // Route tracking middleware
  app.use('/api/*splat', (req: Request, res: Response, next: NextFunction) => {
    next();
    setImmediate(() => {
      routeTracker.track(req.method, req.path);
    });
  });

  // Dynamic imports for ES modules
  // Auth routes - now TypeScript with subdirectory structure
  const {
    default: authRouter,
    authCoreRouter: _authCoreRouter,
    userProfileRouter: _userProfileRouter,
    userCustomGeneratorsRouter: _userCustomGeneratorsRouter,
    contentRouter: _userContentRouter,
    templatesRouter: _userTemplatesRouter,
    groupsRouter: _userGroupsRouter,
  } = await import('./routes/auth/index.js');
  const { default: documentsRouter } = await import('./routes/documents/index.js');
  const { default: claudeSocialRoute } = await import('./routes/texte/social.js');
  const { default: claudeAlttextRoute } = await import('./routes/texte/alttext.js');
  const { default: claudeGrueneratorAskRoute } = await import('./routes/texte/gruenerator_ask.js');
  const { default: claudeWebsiteRoute } = await import('./routes/texte/website.js');
  const { default: customGeneratorRoute } =
    await import('./routes/custom_generators/custom_generator.js');
  const { default: generatorConfiguratorRoute } =
    await import('./routes/custom_generators/generator_configurator.js');
  const { default: customPromptRoute } = await import('./routes/custom_prompts/custom_prompt.js');
  const {
    collectionsRouter: notebookCollectionsRouter,
    interactionRouter: notebookInteractionRouter,
    recentDocumentsRouter: notebookRecentDocumentsRouter,
    statisticsRouter: notebookStatisticsRouter,
    internalNotebookRouter,
  } = await import('./routes/notebook/index.js');
  const { default: nextcloudApiRouter } = await import('./routes/nextcloud/nextcloudApi.js');
  const { default: connectionsRouter } =
    await import('./routes/connections/connectionsController.js');
  const { default: wordpressApiRouter } = await import('./routes/wordpress/wordpressApi.js');
  const { urlController: crawlUrlRouter } = await import('./routes/crawl/index.js');
  const { default: grueneratorChatRoute } = await import('./routes/chat/grueneratorChat.js');
  const { default: chatServiceRouter } = await import('./routes/chat/index.js');
  const { default: chatGraphRouter } = await import('./routes/chat/chatGraphController.js');
  const { default: threadSharingRouter } = await import('./routes/chat/threadSharingController.js');
  const { default: gruenOMatRouter } = await import('./routes/gruenomat/gruenOMatController.js');
  const { default: mediaRouter } = await import('./routes/media/mediaController.js');
  const { sitesController: sitesRouter, publicController: _publicSiteRouter } =
    await import('./routes/sites/index.js');
  const { default: flyerController } = await import('./routes/sites/flyerController.js');
  const { default: fluxImageEditingRoute } = await import('./routes/flux/imageEditing.js');
  const { default: unsplashRouter } = await import('./routes/unsplash/unsplashRoutes.js');
  const { default: docsRouter } = await import('./routes/docs/index.js');

  const { default: publicDocRouter } = await import('./routes/docs/publicDocController.js');
  const { default: docResolveRouter } = await import('./routes/docs/resolveController.js');
  const { default: ogDocsRouter } = await import('./routes/docs/ogController.js');
  const { default: boardsRouter } = await import('./routes/boards/boardsController.js');
  const { default: boardCommentsRouter } =
    await import('./routes/boards/boardCommentsController.js');
  const { default: publicBoardRouter } = await import('./routes/boards/publicBoardController.js');
  const { default: usersRouter } = await import('./routes/users/userController.js');
  const { default: smartTexteRouter } = await import('./routes/texte/smart.js');
  const { default: playgroundRouter } = await import('./routes/texte/playground.js');
  const { default: contentTitleRouter } = await import('./routes/texte/contentTitleRoute.js');
  const { default: mem0Router } = await import('./routes/mem0/mem0Controller.js');
  const { default: emailRouter } = await import('./routes/email/emailController.js');
  const { default: videoRouter } = await import('./routes/video/index.js');
  const { default: transferRouter } = await import('./routes/transfer/transferController.js');
  const { default: visionRouter } = await import('./routes/vision/visionController.js');

  // Auth routes — authLimiter applied inside authCore.ts to login/callback only
  // ts-rest contract router for /api/profile — mounts before legacy authRouter
  // (ts-rest matches its own routes first; unmatched fall through). `requireAuth`
  // is applied at the prefix because all profile routes require authentication.
  app.use('/api/profile', requireAuth);
  mountUserProfileContractRouter(app);
  // ts-rest contract router for admin Vorlagen — mounts BEFORE the legacy authRouter
  // so contract-modeled routes match first; unmatched paths fall through.
  // `requireAuth` is applied at the prefix here because the contract router
  // does not inherit middleware from the later `app.use('/api/auth', ...)`
  // mount (Express middleware ordering), and every admin-vorlagen route
  // requires both authentication and an is_admin check (the latter is
  // enforced per-handler via `checkIsAdmin` inside the contract).
  app.use('/api/auth/admin/vorlagen', requireAuth);
  mountAdminVorlagenContractRouter(app);
  // ts-rest contract router for /api/auth/status — mounts BEFORE the legacy
  // authRouter so the contract route matches first. NO requireAuth at the
  // prefix: /status must respond to unauthed callers (returns
  // { isAuthenticated: false, user: null }) so the frontend can decide
  // whether to show the login screen.
  mountAuthStatusContractRouter(app);
  app.use('/api/auth', authenticatedReadLimiter, authRouter);
  // ts-rest contract router for notebook collections — mounts BEFORE the
  // legacy router so contract-modeled routes match first. requireAuth is
  // applied at the prefix because all 10 routes require authentication.
  app.use('/api/auth/notebook-collections', requireAuth);
  mountNotebookCollectionsContractRouter(app);
  app.use('/api/auth/notebook-collections', authenticatedReadLimiter, notebookCollectionsRouter);
  // ts-rest contract router for notebook interaction — mounts BEFORE the
  // legacy router so contract-modeled routes match first. Mixed auth: the
  // contract checks req.user per-handler where needed (no requireAuth at
  // the prefix, which would break the public/:token routes).
  mountNotebookContractRouter(app);
  app.use('/api/auth/notebook', authenticatedReadLimiter, notebookInteractionRouter);
  app.use('/api/auth/notebook', authenticatedReadLimiter, notebookRecentDocumentsRouter);
  app.use('/api/auth/notebook', authenticatedReadLimiter, notebookStatisticsRouter);
  // ts-rest contract router for /api/documents — mounts BEFORE the legacy documentsRouter
  // so ts-rest matches its own routes first; unmatched paths fall through.
  // requireAuth is applied at the prefix because all 3 contract routes require auth.
  app.use('/api/documents', requireAuth);
  mountDocumentsContractRouter(app);
  // Public read endpoints — soft limiter prevents scraping
  app.use('/api/documents', publicReadLimiter, documentsRouter);
  app.use('/api/crawl-url', requireAuth, standardMutationLimiter, crawlUrlRouter);
  // ts-rest contract router for /api/recent-values (Phase 4.1 pilot)
  // Mounted BEFORE the legacy router so ts-rest matches its own routes first;
  // unmatched paths fall through to the Express fallback below. `requireAuth`
  // is applied at the prefix because all routes return user-specific data.
  app.use('/api/recent-values', requireAuth);
  mountRecentValuesContractRouter(app);
  app.use('/api/recent-values', publicReadLimiter, recentValuesRouter);
  app.use('/api/antraege', requireAuth, standardMutationLimiter, antraegeRouter);
  app.use('/api/scanner', publicReadLimiter, scannerRouter);
  app.use('/api/protokoll', publicReadLimiter, protokollRouter);

  app.use('/api/claude_social', aiGenerationLimiter, claudeSocialRoute);
  app.use('/api/claude_alttext', aiGenerationLimiter, claudeAlttextRoute);
  app.use('/api/vision', aiGenerationLimiter, requireAuth, visionRouter);
  app.use('/api/claude_website', aiGenerationLimiter, claudeWebsiteRoute);
  app.use('/api/leichte_sprache', aiGenerationLimiter, leichteSpracheRoute);
  app.use('/api/claude_text_improver', aiGenerationLimiter, claudeTextImproverRoute);
  app.use('/api/chat', aiGenerationLimiter, grueneratorChatRoute);
  // ts-rest contract routers — mount before legacy routers.
  // Apply requireAuth on the path prefixes BEFORE the mount calls so
  // unauthenticated requests get a 401 instead of crashing the handlers
  // with `Cannot read properties of undefined (reading 'id')`.
  app.use('/api/chat-service/threads', requireAuth);
  app.use('/api/chat-graph', requireAuth);
  // /api/chat-graph/stream is in CUSTOM_BODY_PARSER_PATHS (bodyParserConfig.ts)
  // so the global 10mb body parser is skipped. The legacy chatGraphController
  // installs its own 50mb parser at controller mount, but ts-rest's contract
  // router (mounted next) runs BEFORE the legacy router and would otherwise
  // see req.body === undefined and 400. Install the same 50mb parser scoped
  // to /api/chat-graph here so both routers receive a parsed body.
  app.use('/api/chat-graph', express.json({ limit: '50mb' }));
  mountThreadsContractRouter(app);
  mountChatGraphContractRouter(app);
  app.use('/api/chat-service', authenticatedReadLimiter, chatServiceRouter);
  app.use('/api/chat-service/threads', authenticatedReadLimiter, threadSharingRouter);
  app.use('/api/chat-graph', aiGenerationLimiter, chatGraphRouter);
  app.use('/api/gruen-o-mat', gruenOMatRouter);
  app.use('/api/dreizeilen_canvas', standardMutationLimiter, sharepicDreizeilenCanvasRoute);
  app.use('/api/zitat_canvas', standardMutationLimiter, zitatSharepicCanvasRoute);
  app.use('/api/zitat_pure_canvas', standardMutationLimiter, zitatPureSharepicCanvasRoute);
  app.use('/api/info_canvas', standardMutationLimiter, infoSharepicCanvasRoute);
  app.use('/api/imagine_label_canvas', standardMutationLimiter, imagineLabelCanvasRoute);
  // ts-rest contract router — mount before legacy campaignCanvasRoute
  mountCampaignCanvasContractRouter(app);
  app.use('/api/campaign_canvas', standardMutationLimiter, campaignCanvasRoute);
  app.use('/api/veranstaltung_canvas', standardMutationLimiter, veranstaltungCanvasRoute);
  app.use('/api/profilbild_canvas', standardMutationLimiter, profilbildCanvasRoute);
  app.use('/api/simple_canvas', standardMutationLimiter, simpleCanvasRoute);
  app.use('/api/slider_canvas', standardMutationLimiter, sliderCanvasRoute);
  app.use('/api/campaign_generate', aiGenerationLimiter, campaignGenerateRoute);
  app.use('/api/dreizeilen_claude', aiGenerationLimiter, sharepicClaudeRoute);
  app.use('/api/sharepic/edit-session', standardMutationLimiter, editSessionRouter);
  app.use('/api/sharepic', aiGenerationLimiter, promptRoute);

  app.post(
    '/api/zitat_claude',
    aiGenerationLimiter,
    async (req: Request, res: Response): Promise<void> => {
      await handleClaudeRequest(req as SharepicRequest, res, 'zitat');
    }
  );
  app.post(
    '/api/headline_claude',
    aiGenerationLimiter,
    async (req: Request, res: Response): Promise<void> => {
      await handleClaudeRequest(req as SharepicRequest, res, 'headline');
    }
  );
  app.post(
    '/api/info_claude',
    aiGenerationLimiter,
    async (req: Request, res: Response): Promise<void> => {
      await handleClaudeRequest(req as SharepicRequest, res, 'info');
    }
  );
  app.post(
    '/api/veranstaltung_claude',
    aiGenerationLimiter,
    async (req: Request, res: Response): Promise<void> => {
      await handleClaudeRequest(req as SharepicRequest, res, 'veranstaltung');
    }
  );
  app.post(
    '/api/zitat_pure_claude',
    aiGenerationLimiter,
    async (req: Request, res: Response): Promise<void> => {
      await handleClaudeRequest(req as SharepicRequest, res, 'zitat_pure');
    }
  );
  app.post(
    '/api/simple_claude',
    aiGenerationLimiter,
    async (req: Request, res: Response): Promise<void> => {
      await handleClaudeRequest(req as SharepicRequest, res, 'simple');
    }
  );
  app.post(
    '/api/slider_claude',
    aiGenerationLimiter,
    async (req: Request, res: Response): Promise<void> => {
      if ((req.body as { smartCount?: unknown })?.smartCount) {
        await handleSliderSmartRequest(req as SharepicRequest, res);
      } else {
        await handleClaudeRequest(req as SharepicRequest, res, 'slider');
      }
    }
  );
  app.post(
    '/api/default_claude',
    aiGenerationLimiter,
    async (req: Request, res: Response): Promise<void> => {
      await handleClaudeRequest(req as SharepicRequest, res, 'default');
    }
  );

  app.post(
    '/api/generate-sharepic',
    aiGenerationLimiter,
    async (req: Request, res: Response): Promise<void> => {
      try {
        const { type, ...requestBody } = req.body as { type?: string; [key: string]: unknown };
        if (!type) {
          res.status(400).json({ success: false, error: 'Sharepic type is required' });
          return;
        }
        const result = await generateSharepicForChat(
          req,
          type as string,
          requestBody as Parameters<typeof generateSharepicForChat>[2]
        );
        res.json({ success: true, ...result.content.sharepic, metadata: result.content.metadata });
      } catch (error) {
        const err = error instanceof Error ? error : new Error(String(error));
        console.error('[UnifiedSharepic] Error:', err);
        res
          .status(500)
          .json({ success: false, error: err.message || 'Failed to generate sharepic' });
      }
    }
  );

  app.use('/api/ai-image-modification', aiGenerationLimiter, aiImageModificationRouter);
  app.use('/api/imageupload', standardMutationLimiter, imageUploadRouter);
  app.use('/api/processText', aiGenerationLimiter, processTextRouter);
  app.use('/api/claude_text_adjustment', aiGenerationLimiter, claudeTextAdjustmentRoute);
  app.use('/api/etherpad', standardMutationLimiter, etherpadRoute);
  app.use('/api/claude_universal', aiGenerationLimiter, universalRouter);
  app.use('/api/texte/smart', aiGenerationLimiter, smartTexteRouter);
  app.use('/api/texte/playground', requireAuth, aiGenerationLimiter, playgroundRouter);
  app.use('/api/generate-content-title', aiGenerationLimiter, contentTitleRouter);
  app.use('/api/claude_gruenerator_ask', aiGenerationLimiter, claudeGrueneratorAskRoute);
  app.use('/api/custom_generator', aiGenerationLimiter, customGeneratorRoute);
  app.use('/api/auth/custom_generator', aiGenerationLimiter, customGeneratorRoute);
  app.use('/api/generate_generator_config', aiGenerationLimiter, generatorConfiguratorRoute);
  app.use('/api/custom_prompt', aiGenerationLimiter, customPromptRoute);
  app.use('/api/auth/custom_prompt', aiGenerationLimiter, customPromptRoute);
  app.use('/api/claude/generate-short-subtitles', aiGenerationLimiter, claudeSubtitlesRoute);
  // requireAuth must run before the contract mount — createExpressEndpoints
  // registers handlers directly on the app, bypassing the legacy prefix
  // middleware. Same pattern as /api/transfer below.
  app.use('/api/subtitler/projects', requireAuth);
  mountSubtitlerContractRouter(app);
  app.use('/api/subtitler', standardMutationLimiter, subtitlerRouter);
  app.use('/api/subtitler', standardMutationLimiter, subtitlerSocialRouter);
  app.use('/api/subtitler/projects', standardMutationLimiter, subtitlerProjectRouter);
  app.use('/api/subtitler/share', publicReadLimiter, subtitlerShareRouter);
  // ts-rest contract router — mount before legacy shareRouter
  mountShareContractRouter(app);
  app.use('/api/share', publicReadLimiter, shareRouter);
  // ts-rest contract router — mount before legacy transferRouter (GET /list and DELETE /:token)
  // POST /upload (multer file upload) falls through to the legacy router.
  app.use('/api/transfer', requireAuth);
  mountTransferContractRouter(app);
  app.use('/api/transfer', standardMutationLimiter, transferRouter);
  app.use('/api/mem0', requireAuth, standardMutationLimiter, mem0Router);
  app.use('/api/email', requireAuth, standardMutationLimiter, emailRouter);
  app.use('/api/auth/init', publicReadLimiter, authInitRouter);
  app.use('/api/recent-activity', publicReadLimiter, recentActivityRouter);
  // ts-rest contract router for notifications — mounts BEFORE the legacy router
  // so contract-modeled routes match first; /stream SSE falls through to legacy.
  // requireAuth applied at prefix; notification-preferences also handled here.
  app.use('/api/notifications', requireAuth);
  mountNotificationsContractRouter(app);
  app.use('/api/notifications', requireAuth, publicReadLimiter, notificationsRouter);
  app.use('/api/media', requireAuth, authenticatedReadLimiter, mediaRouter);
  app.use('/api/og/docs', publicReadLimiter, ogDocsRouter);
  app.use('/api/docs/resolve', optionalAuth, publicReadLimiter, docResolveRouter);
  app.use('/api/docs/public', publicReadLimiter, publicDocRouter);
  // ts-rest contract router for /api/docs — mounts BEFORE the legacy docsRouter
  // so ts-rest matches its own routes first; unmatched paths fall through.
  // `requireAuth` is applied at the prefix so the contract router inherits
  // protection. The /api/og/docs, /api/docs/resolve, and /api/docs/public
  // routers above are registered first, so public docs requests match and
  // terminate before this middleware runs.
  app.use('/api/docs', requireAuth);
  mountDocsContractRouter(app);
  app.use('/api/docs', authenticatedReadLimiter, docsRouter);

  app.use('/api/boards/public', publicReadLimiter, publicBoardRouter);
  // ts-rest contract router — mount before legacy boardsRouter.
  // `requireAuth` is applied at the prefix so the contract router inherits
  // protection. The /api/boards/public router above is registered first, so
  // public board requests match and terminate before this middleware runs.
  app.use('/api/boards', requireAuth);
  mountBoardsContractRouter(app);
  app.use('/api/boards', authenticatedReadLimiter, boardsRouter);
  app.use('/api/board-comments', requireAuth, authenticatedReadLimiter, boardCommentsRouter);
  app.use('/api/users', requireAuth, publicReadLimiter, usersRouter);
  // ts-rest contract router — mount before legacy voiceController router
  mountVoiceContractRouter(app);
  app.use('/api/voice', publicReadLimiter, voiceRouter);
  app.use('/api/voice/tts', requireAuth, standardMutationLimiter, ttsRouter);
  // searchContractRouter exists but is intentionally NOT mounted yet — the
  // pilot contract doesn't model the SSE `?stream=true` mode that the frontend
  // depends on. Activate once streaming is added to the contract.
  app.use('/api/search', publicReadLimiter, searchRouter);
  app.use('/api/analyze', publicReadLimiter, searchRouter);
  app.use('/api/search-graph', requireAuth, standardMutationLimiter, searchGraphRouter);
  // ts-rest contract router — mount before legacy imagePickerRoute
  mountImagePickerContractRouter(app);
  app.use('/api/image-picker', publicReadLimiter, imagePickerRoute);
  // ts-rest contract router — mount before legacy unsplashRouter
  mountUnsplashContractRouter(app);
  app.use('/api/unsplash', publicReadLimiter, unsplashRouter);
  app.use('/api/web-search', publicReadLimiter, webSearchRouter);
  app.use('/api/research', requireAuth, standardMutationLimiter, researchRouter);
  app.use('/api/image-generation', aiGenerationLimiter, imageGenerationRouter);
  app.use('/api/rate-limit', publicReadLimiter, rateLimitRouter);

  // Debug: log all requests to /api/releases/*
  app.use('/api/releases', (req, res, next) => {
    console.log(
      `[Routes] Request to /api/releases: ${req.method} ${req.path} (originalUrl: ${req.originalUrl})`
    );
    next();
  });
  app.use('/api/releases', publicReadLimiter, releasesRouter);
  // ts-rest contract router — mount before legacy exports router
  mountExportsContractRouter(app);
  app.use('/api/exports', requireAuth, authenticatedReadLimiter, exportDocumentsRouter);
  app.use('/api/markdown', publicReadLimiter, markdownRouter);
  app.use('/api/database', publicReadLimiter, databaseTestRouter);

  if (snapshottingRouter) {
    app.use('/api/internal', snapshottingRouter);
  }
  app.use('/api/internal/offboarding', offboardingRouter);
  app.use('/api/internal/gruene-api', grueneApiTestRouter);
  app.use('/api/internal/monitor', monitorInternalRouter);
  app.use('/api/internal/notebook', internalNotebookRouter);
  app.use('/api/internal/content-sync', contentSyncRouter);
  app.use('/api/monitor', requireAuth, publicReadLimiter, monitorRouter);

  app.get(
    '/api/internal/route-stats',
    publicReadLimiter,
    async (req: Request, res: Response): Promise<void> => {
      try {
        const { getPostgresInstance } = await import('./database/services/PostgresService.js');
        const postgresService = getPostgresInstance();
        const limit = parseInt(req.query.limit as string) || 50;
        const stats = await postgresService.getRouteStats(limit);
        res.json({ success: true, stats, currentBuffer: routeTracker.getStatsObject() });
      } catch (error) {
        const err = error instanceof Error ? error : new Error(String(error));
        log.error(`Route stats fetch failed: ${err.message}`);
        res.status(500).json({ success: false, error: err.message });
      }
    }
  );

  // ts-rest contract router — mount before legacy videoRouter
  app.use('/api/video', requireAuth);
  mountVideoContractRouter(app);
  app.use('/api/video', requireAuth, standardMutationLimiter, videoRouter);
  app.use('/api/nextcloud', requireAuth, standardMutationLimiter, nextcloudApiRouter);
  app.use('/api/connections', standardMutationLimiter, requireAuth, connectionsRouter);
  // ts-rest contract router — mount before legacy wordpressApiRouter
  // requireAuth is also inside the legacy router, but we apply it here
  // since the contract router runs first.
  app.use('/api/wordpress', requireAuth);
  mountWordpressContractRouter(app);
  app.use('/api/wordpress', standardMutationLimiter, requireAuth, wordpressApiRouter);
  app.use('/api/sites/generate-from-flyer', aiGenerationLimiter, flyerController);
  app.use('/api/sites', standardMutationLimiter, sitesRouter);
  app.use('/api/flux/green-edit', aiGenerationLimiter, fluxImageEditingRoute);
  app.use('/api/imagine/create', aiGenerationLimiter, imagineCreateRoute);
  app.use('/api/imagine/pure', aiGenerationLimiter, imaginePureRoute);

  // Web redirect to frontend imagine (KI image studio)
  app.get('/web', (req: Request, res: Response) => {
    res.redirect(`${req.protocol}://${req.get('host')}/imagine`);
  });

  // Periodic flush of route stats to database
  setInterval(async () => {
    if (!routeTracker.hasStats()) return;
    const batch = routeTracker.flush();
    try {
      const { getPostgresInstance } = await import('./database/services/PostgresService.js');
      const postgresService = getPostgresInstance();
      await postgresService.batchUpdateRouteStats(batch);
    } catch {
      // Silently ignore flush errors
    }
  }, 60000);

  log.info('Routes initialized');
}

// Export the route tracker for external access if needed
export { routeTracker };

export default { setupRoutes };