src/app/api/v1/admin/settings/%5Bkey%5D/reveal/route.ts

import { NextResponse } from 'next/server';

import { withAuth, withPermission } from '@/lib/api/helpers';
import { createAuditLog } from '@/lib/audit';
import { errorResponse, NotFoundError } from '@/lib/errors';
import { registryFor } from '@/lib/settings/registry';
import { getSetting } from '@/lib/settings/resolver';

/**
 * POST /api/v1/admin/settings/:key/reveal
 *
 * Returns the decrypted cleartext for an encrypted / sensitive setting.
 * Used by the eye-toggle on encrypted fields in the registry-driven admin
 * form so the operator can verify what they saved earlier.
 *
 * Gated on `admin.manage_settings` (the same permission required to write
 * the value — so this never widens an existing trust boundary). Every
 * reveal is audit-logged with the request id so a super-admin can trace
 * who looked at what and when.
 *
 * Refuses to reveal values resolved from `env` or `default` — those would
 * leak server-process secrets via the API.
 */
export const POST = withAuth(
  withPermission('admin', 'manage_settings', async (_req, ctx, params) => {
    try {
      const key = params.key!;
      const entry = registryFor(key);
      if (!entry) throw new NotFoundError(`Unknown setting: ${key}`);
      if (!entry.encrypted && !entry.sensitive) {
        // Non-sensitive values are already returned in the resolved-list
        // endpoint, so a dedicated reveal isn't needed (and could be
        // misused to bypass observability).
        return NextResponse.json({ data: { revealed: false, value: null } }, { status: 200 });
      }

      // Resolve through the standard chain so the user sees exactly what
      // the runtime would. The resolver decrypts on the way out.
      const value = await getSetting<string>(key, ctx.portId);

      void createAuditLog({
        userId: ctx.userId,
        portId: ctx.portId,
        action: 'view',
        entityType: 'setting',
        entityId: key,
        metadata: { settingKey: key, op: 'reveal' },
        ipAddress: ctx.ipAddress,
        userAgent: ctx.userAgent,
      });

      return NextResponse.json({ data: { revealed: true, value: value ?? null } });
    } catch (error) {
      return errorResponse(error);
    }
  }),
);
fix(audit): comprehensive 2026-05-15 audit fix wave + Documenso v2 polish Bundles the prior session's 50-task fix sweep (Documenso v2 + EOI/signing- progress redesign + env-to-admin migration + dev-mode banner) with the 2026-05-18 audit fix wave (3 CRITICAL, 14 HIGH, 28 MEDIUM, 6 LOW). CRITICAL (3): - C-01 interest-berths INNER JOIN -> LEFT JOIN so hard-deleted berths no longer silently drop interest links - C-02 /setup added to PUBLIC_PATHS; fresh-deploy bootstrap loop fixed - C-03 generic PATCH /interests/[id] no longer accepts pipelineStage — callers must go through /stage with the override-guard chain HIGH (14/15): - H-01 explicit ON DELETE on previously-implicit NO ACTION FKs across interests/documents/reservations/reminders/invoices (migration 0070) - H-02 login page reads ?redirect= param with same-origin guard - H-03 CRM invite token moves to URL fragment so it never lands in nginx access logs / Referer headers - H-04 Retry-After header on sign-in-by-identifier 429 (RFC 6585 §4) - H-05 toggleAccount writes an audit row - H-06 upsertSetting masks any value whose key ends with _encrypted - H-07 archiveClient cascade fires per-interest audit rows - H-08 createSalesTransporter applies SMTP_TIMEOUTS - H-09 AppShell stable children — viewport flip across breakpoint no longer destroys in-progress form drafts - H-10 portal documents page swaps Unicode glyph status icons for Lucide CheckCircle2/XCircle/Circle + aria-labels - H-12 list components swap alert(...) for toast.warning(...) - H-13 5 icon-only buttons gain aria-label - H-14 parseBody treats empty bodies as {} - H-15 admin layout renders a 403 panel instead of silent bounce - H-11 not applicable — mobile-search-overlay IS a mobile bottom-sheet MEDIUM (28+): - M-MT01-05 defense-in-depth port_id/parent-id filters on UPDATE/DELETE WHEREs across custom-fields, notes (all 6 entity types x update + delete), client-contacts, yacht ownerClient lookup, webhook reads - M-D01 documents-hub realtime event-name typo (file:created -> uploaded) - M-EM01 portal-auth emails thread through portId - M-EM02 sendEmail accepts cc/bcc params - M-EM04 notification_digest catalog key - M-IN01 portal presigned download URLs use 4h TTL - M-IN02 OpenAI client lazy-instantiated - M-IN04 stale pdfme refs updated to pdf-lib AcroForm - M-IN05 umami.testConnection returns tagged union - M-L01 reservations tenure_type unified with berths - M-L02 report-generators canonicalize stage values - M-AU01 audit log placeholder copy fixed - M-AU04 outcome_set / outcome_cleared distinct audit verbs - M-NEW-2 activity feed entity name+type separator - M-R01 portal allowlist narrowed + portal_session backstop in proxy - M-SC02 companies archived partial index - M-SC04 audit_logs.searchText documented as DB-managed - M-S01 storage_s3_access_key_encrypted admin field - M-U01 audit log empty state uses <EmptyState> - M-U09 invoice delete dialog -> <AlertDialog> - M-U10 toast.success on ClientForm + InterestForm create/edit - M-U11 settings-form-card logo preview alt text - M-U14 mobile topbar title on clients/yachts/interests/berths - M-U15 Invoices in mobile More-sheet LOW (6/8): - L-AU01 severity defaults for security-relevant verbs - L-AU02 +13 missing actions in admin audit filter - L-AU03 +7 missing entity types in admin audit filter - L-AU04 dead listAuditLogs stubbed - L-D02 CLAUDE.md Owner-wins chain tightened Bonus — Document detail polish (#67 partial, 3/6 deliverables): - state-aware action button per signer - watcher Add UI with display-name resolution - cleanSignerName cleanup Prior session work bundled in: - Documenso v2 webhook + envelope-ID normalization + sequential signing - SigningProgress UI redesign (avatars, per-signer state, timestamps) - env->admin settings registry + RegistryDrivenForm + encrypted creds - Embedded-signing card + Test connection + setup help - Dev-mode EMAIL_REDIRECT_TO banner - Pipeline rules admin page - Sales email config card - Audit log details Sheet - EOI tab: Finalising badge, absolute timestamps, sequential indicator - Notes pipeline_stage_at_creation (migration 0069) - Documenso numeric ID dual-key webhook (migration 0068) - Dimensions criterion copy (migration 0067) Tests: 1374/1374 vitest pass. tsc clean. lint clean. See docs/AUDIT-FIX-WAVE-2026-05-18.md for the full progress report and the user-input items still pending. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> 2026-05-18 13:28:50 +02:00			`import { NextResponse } from 'next/server';`

			`import { withAuth, withPermission } from '@/lib/api/helpers';`
			`import { createAuditLog } from '@/lib/audit';`
			`import { errorResponse, NotFoundError } from '@/lib/errors';`
			`import { registryFor } from '@/lib/settings/registry';`
			`import { getSetting } from '@/lib/settings/resolver';`

			`/**`
			`* POST /api/v1/admin/settings/:key/reveal`
			`*`
			`* Returns the decrypted cleartext for an encrypted / sensitive setting.`
			`* Used by the eye-toggle on encrypted fields in the registry-driven admin`
			`* form so the operator can verify what they saved earlier.`
			`*`
			* Gated on `admin.manage_settings` (the same permission required to write
			`* the value — so this never widens an existing trust boundary). Every`
			`* reveal is audit-logged with the request id so a super-admin can trace`
			`* who looked at what and when.`
			`*`
			* Refuses to reveal values resolved from `env` or `default` — those would
			`* leak server-process secrets via the API.`
			`*/`
			`export const POST = withAuth(`
			`withPermission('admin', 'manage_settings', async (_req, ctx, params) => {`
			`try {`
			`const key = params.key!;`
			`const entry = registryFor(key);`
			if (!entry) throw new NotFoundError(`Unknown setting: ${key}`);
			`if (!entry.encrypted && !entry.sensitive) {`
			`// Non-sensitive values are already returned in the resolved-list`
			`// endpoint, so a dedicated reveal isn't needed (and could be`
			`// misused to bypass observability).`
			`return NextResponse.json({ data: { revealed: false, value: null } }, { status: 200 });`
			`}`

			`// Resolve through the standard chain so the user sees exactly what`
			`// the runtime would. The resolver decrypts on the way out.`
			`const value = await getSetting<string>(key, ctx.portId);`

			`void createAuditLog({`
			`userId: ctx.userId,`
			`portId: ctx.portId,`
			`action: 'view',`
			`entityType: 'setting',`
			`entityId: key,`
			`metadata: { settingKey: key, op: 'reveal' },`
			`ipAddress: ctx.ipAddress,`
			`userAgent: ctx.userAgent,`
			`});`

			`return NextResponse.json({ data: { revealed: true, value: value ?? null } });`
			`} catch (error) {`
			`return errorResponse(error);`
			`}`
			`}),`
			`);`