feat(admin): comprehensive admin interface (users, tunnels, metrics, audit, reserved subdomains)

Adds an authenticated admin surface gated by auth.users.app_metadata.role==='admin'.

- lib/auth/admin-guard.ts: requireAdmin() (pages) + requireAdminApi() (routes)
- middleware.ts: defense-in-depth /admin and /api/admin guarding
- API: users (list/detail/role/ban/delete), tunnels (list + active/quota/reset/reassign/regenerate-token/delete), metrics, audit log, reserved subdomains
- Self-lockout prevention (no self demote/ban/delete)
- Best-effort Redis kill-switch via dependency-free net-socket client (REDIS_URL)
- admin_audit_log + reserved_subdomains migration (RLS on, service-role only)
- Admin UI (overview, users, tunnels, reserved, audit) + conditional nav link

app/api/admin/tunnels/[id]/active/route.ts

@@ -0,0 +1,62 @@
+import { NextResponse, type NextRequest } from 'next/server';
+import { requireAdminApi } from '@/lib/auth/admin-guard';
+import { getSupabaseAdmin } from '@/lib/supabase/admin';
+import { logAdminAction } from '@/lib/auth/audit';
+import { isUuid, parseBoolean } from '@/lib/admin/validators';
+import { redisSet } from '@/lib/redis';
+
+export const runtime = 'nodejs';
+export const dynamic = 'force-dynamic';
+
+export async function POST(
+  req: NextRequest,
+  { params }: { params: { id: string } },
+) {
+  const auth = await requireAdminApi();
+  if (!auth.ok) return auth.response;
+
+  const { id } = params;
+  if (!isUuid(id)) {
+    return NextResponse.json({ error: 'invalid tunnel id' }, { status: 400 });
+  }
+
+  let body: { is_active?: unknown };
+  try {
+    body = (await req.json()) as { is_active?: unknown };
+  } catch {
+    return NextResponse.json({ error: 'invalid json' }, { status: 400 });
+  }
+  const isActive = parseBoolean(body.is_active);
+  if (isActive === null) {
+    return NextResponse.json(
+      { error: 'is_active must be a boolean' },
+      { status: 400 },
+    );
+  }
+
+  const admin = getSupabaseAdmin();
+  const { data, error } = await admin
+    .from('tunnels')
+    .update({ is_active: isActive })
+    .eq('id', id)
+    .select('subdomain')
+    .maybeSingle<{ subdomain: string }>();
+  if (error) {
+    return NextResponse.json({ error: error.message }, { status: 500 });
+  }
+  if (!data) {
+    return NextResponse.json({ error: 'tunnel not found' }, { status: 404 });
+  }
+
+  // Best-effort live kill-switch (never throws).
+  await redisSet(`tunnel:active:${data.subdomain}`, isActive ? '1' : '0');
+
+  await logAdminAction(auth.user, {
+    action: isActive ? 'tunnel.activate' : 'tunnel.deactivate',
+    target_type: 'tunnel',
+    target_id: id,
+    details: { subdomain: data.subdomain, is_active: isActive },
+  });
+
+  return NextResponse.json({ ok: true, is_active: isActive });
+}

app/api/admin/tunnels/[id]/quota/route.ts

@@ -0,0 +1,61 @@
+import { NextResponse, type NextRequest } from 'next/server';
+import { requireAdminApi } from '@/lib/auth/admin-guard';
+import { getSupabaseAdmin } from '@/lib/supabase/admin';
+import { logAdminAction } from '@/lib/auth/audit';
+import { isUuid, parsePositiveInt } from '@/lib/admin/validators';
+
+export const runtime = 'nodejs';
+export const dynamic = 'force-dynamic';
+
+// 100 TiB ceiling — generous but guards against absurd values.
+const MAX_QUOTA = 100 * 1024 ** 4;
+
+export async function POST(
+  req: NextRequest,
+  { params }: { params: { id: string } },
+) {
+  const auth = await requireAdminApi();
+  if (!auth.ok) return auth.response;
+
+  const { id } = params;
+  if (!isUuid(id)) {
+    return NextResponse.json({ error: 'invalid tunnel id' }, { status: 400 });
+  }
+
+  let body: { quota_bytes?: unknown };
+  try {
+    body = (await req.json()) as { quota_bytes?: unknown };
+  } catch {
+    return NextResponse.json({ error: 'invalid json' }, { status: 400 });
+  }
+  const parsed = parsePositiveInt(body.quota_bytes, MAX_QUOTA);
+  if (!parsed.ok) {
+    return NextResponse.json(
+      { error: `quota_bytes ${parsed.error}` },
+      { status: 400 },
+    );
+  }
+
+  const admin = getSupabaseAdmin();
+  const { data, error } = await admin
+    .from('tunnels')
+    .update({ quota_bytes: parsed.value })
+    .eq('id', id)
+    .select('subdomain')
+    .maybeSingle<{ subdomain: string }>();
+  if (error) {
+    return NextResponse.json({ error: error.message }, { status: 500 });
+  }
+  if (!data) {
+    return NextResponse.json({ error: 'tunnel not found' }, { status: 404 });
+  }
+
+  await logAdminAction(auth.user, {
+    action: 'tunnel.quota',
+    target_type: 'tunnel',
+    target_id: id,
+    details: { subdomain: data.subdomain, quota_bytes: parsed.value },
+  });
+
+  return NextResponse.json({ ok: true, quota_bytes: parsed.value });
+}

app/api/admin/tunnels/[id]/reassign/route.ts

@@ -0,0 +1,83 @@
+import { NextResponse, type NextRequest } from 'next/server';
+import { requireAdminApi } from '@/lib/auth/admin-guard';
+import { getSupabaseAdmin } from '@/lib/supabase/admin';
+import { logAdminAction } from '@/lib/auth/audit';
+import { isUuid } from '@/lib/admin/validators';
+import { validateSubdomain } from '@/lib/validation';
+import { isSubdomainReserved } from '@/lib/admin/reserved';
+
+export const runtime = 'nodejs';
+export const dynamic = 'force-dynamic';
+
+export async function POST(
+  req: NextRequest,
+  { params }: { params: { id: string } },
+) {
+  const auth = await requireAdminApi();
+  if (!auth.ok) return auth.response;
+
+  const { id } = params;
+  if (!isUuid(id)) {
+    return NextResponse.json({ error: 'invalid tunnel id' }, { status: 400 });
+  }
+
+  let body: { subdomain?: unknown };
+  try {
+    body = (await req.json()) as { subdomain?: unknown };
+  } catch {
+    return NextResponse.json({ error: 'invalid json' }, { status: 400 });
+  }
+
+  // Same validation as the user-facing claim flow (format + hardcoded reserved).
+  const v = validateSubdomain(body.subdomain);
+  if (!v.ok) {
+    return NextResponse.json({ error: v.error }, { status: 400 });
+  }
+  const subdomain = v.value;
+
+  // Also reject anything reserved in the DB table.
+  if (await isSubdomainReserved(subdomain)) {
+    return NextResponse.json(
+      { error: `'${subdomain}' is reserved` },
+      { status: 400 },
+    );
+  }
+
+  const admin = getSupabaseAdmin();
+
+  // Reject if taken by a different tunnel.
+  const { data: existing } = await admin
+    .from('tunnels')
+    .select('id')
+    .eq('subdomain', subdomain)
+    .maybeSingle<{ id: string }>();
+  if (existing && existing.id !== id) {
+    return NextResponse.json({ error: 'subdomain taken' }, { status: 409 });
+  }
+
+  const { data, error } = await admin
+    .from('tunnels')
+    .update({ subdomain })
+    .eq('id', id)
+    .select('subdomain')
+    .maybeSingle<{ subdomain: string }>();
+  if (error) {
+    const code = (error as { code?: string }).code;
+    if (code === '23505') {
+      return NextResponse.json({ error: 'subdomain taken' }, { status: 409 });
+    }
+    return NextResponse.json({ error: error.message }, { status: 500 });
+  }
+  if (!data) {
+    return NextResponse.json({ error: 'tunnel not found' }, { status: 404 });
+  }
+
+  await logAdminAction(auth.user, {
+    action: 'tunnel.reassign',
+    target_type: 'tunnel',
+    target_id: id,
+    details: { subdomain },
+  });
+
+  return NextResponse.json({ ok: true, subdomain });
+}

app/api/admin/tunnels/[id]/regenerate-token/route.ts

@@ -0,0 +1,47 @@
+import { NextResponse, type NextRequest } from 'next/server';
+import { randomBytes } from 'node:crypto';
+import { requireAdminApi } from '@/lib/auth/admin-guard';
+import { getSupabaseAdmin } from '@/lib/supabase/admin';
+import { logAdminAction } from '@/lib/auth/audit';
+import { isUuid } from '@/lib/admin/validators';
+
+export const runtime = 'nodejs';
+export const dynamic = 'force-dynamic';
+
+export async function POST(
+  _req: NextRequest,
+  { params }: { params: { id: string } },
+) {
+  const auth = await requireAdminApi();
+  if (!auth.ok) return auth.response;
+
+  const { id } = params;
+  if (!isUuid(id)) {
+    return NextResponse.json({ error: 'invalid tunnel id' }, { status: 400 });
+  }
+
+  const token = randomBytes(32).toString('hex');
+
+  const admin = getSupabaseAdmin();
+  const { data, error } = await admin
+    .from('tunnels')
+    .update({ token })
+    .eq('id', id)
+    .select('subdomain, token')
+    .maybeSingle<{ subdomain: string; token: string }>();
+  if (error) {
+    return NextResponse.json({ error: error.message }, { status: 500 });
+  }
+  if (!data) {
+    return NextResponse.json({ error: 'tunnel not found' }, { status: 404 });
+  }
+
+  await logAdminAction(auth.user, {
+    action: 'tunnel.regenerate_token',
+    target_type: 'tunnel',
+    target_id: id,
+    details: { subdomain: data.subdomain },
+  });
+
+  return NextResponse.json({ ok: true, token: data.token });
+}

app/api/admin/tunnels/[id]/reset-usage/route.ts

@@ -0,0 +1,44 @@
+import { NextResponse, type NextRequest } from 'next/server';
+import { requireAdminApi } from '@/lib/auth/admin-guard';
+import { getSupabaseAdmin } from '@/lib/supabase/admin';
+import { logAdminAction } from '@/lib/auth/audit';
+import { isUuid } from '@/lib/admin/validators';
+
+export const runtime = 'nodejs';
+export const dynamic = 'force-dynamic';
+
+export async function POST(
+  _req: NextRequest,
+  { params }: { params: { id: string } },
+) {
+  const auth = await requireAdminApi();
+  if (!auth.ok) return auth.response;
+
+  const { id } = params;
+  if (!isUuid(id)) {
+    return NextResponse.json({ error: 'invalid tunnel id' }, { status: 400 });
+  }
+
+  const admin = getSupabaseAdmin();
+  const { data, error } = await admin
+    .from('tunnels')
+    .update({ bytes_used: 0 })
+    .eq('id', id)
+    .select('subdomain')
+    .maybeSingle<{ subdomain: string }>();
+  if (error) {
+    return NextResponse.json({ error: error.message }, { status: 500 });
+  }
+  if (!data) {
+    return NextResponse.json({ error: 'tunnel not found' }, { status: 404 });
+  }
+
+  await logAdminAction(auth.user, {
+    action: 'tunnel.reset_usage',
+    target_type: 'tunnel',
+    target_id: id,
+    details: { subdomain: data.subdomain },
+  });
+
+  return NextResponse.json({ ok: true });
+}

app/api/admin/tunnels/[id]/route.ts

@@ -0,0 +1,48 @@
+import { NextResponse, type NextRequest } from 'next/server';
+import { requireAdminApi } from '@/lib/auth/admin-guard';
+import { getSupabaseAdmin } from '@/lib/supabase/admin';
+import { logAdminAction } from '@/lib/auth/audit';
+import { isUuid } from '@/lib/admin/validators';
+import { redisSet } from '@/lib/redis';
+
+export const runtime = 'nodejs';
+export const dynamic = 'force-dynamic';
+
+export async function DELETE(
+  _req: NextRequest,
+  { params }: { params: { id: string } },
+) {
+  const auth = await requireAdminApi();
+  if (!auth.ok) return auth.response;
+
+  const { id } = params;
+  if (!isUuid(id)) {
+    return NextResponse.json({ error: 'invalid tunnel id' }, { status: 400 });
+  }
+
+  const admin = getSupabaseAdmin();
+  const { data, error } = await admin
+    .from('tunnels')
+    .delete()
+    .eq('id', id)
+    .select('subdomain')
+    .maybeSingle<{ subdomain: string }>();
+  if (error) {
+    return NextResponse.json({ error: error.message }, { status: 500 });
+  }
+  if (!data) {
+    return NextResponse.json({ error: 'tunnel not found' }, { status: 404 });
+  }
+
+  // Best-effort live kill-switch.
+  await redisSet(`tunnel:active:${data.subdomain}`, '0');
+
+  await logAdminAction(auth.user, {
+    action: 'tunnel.delete',
+    target_type: 'tunnel',
+    target_id: id,
+    details: { subdomain: data.subdomain },
+  });
+
+  return NextResponse.json({ ok: true });
+}