SecureBananaLabs · dicnunz · May 21, 2026
diff --git a/apps/api/package.json b/apps/api/package.json
@@ -5,7 +5,7 @@
   "scripts": {
     "dev": "node src/server.js",
     "start": "node src/server.js",
-    "test": "node --test src/tests"
+    "test": "node --test src/tests/*.test.js"
   },
   "dependencies": {
     "cors": "^2.8.5",

diff --git a/apps/api/src/controllers/adminController.js b/apps/api/src/controllers/adminController.js
@@ -1,6 +1,70 @@
 import { ok } from "../utils/response.js";
-import { getAdminMetrics } from "../services/adminService.js";
+import {
+  decideModerationListing,
+  getAdminMetrics,
+  getAdminOverview,
+  getPlatformControls,
+  listAdminAuditLog,
+  listAdminDisputes,
+  listAdminUsers,
+  listModerationQueue,
+  resolveDispute,
+  updatePlatformControl,
+  updateUserStatus
+} from "../services/adminService.js";
+
+export async function overview(req, res) {
+  return ok(res, await getAdminOverview());
+}
 
 export async function metrics(req, res) {
   return ok(res, await getAdminMetrics());
 }
+
+export async function users(req, res) {
+  return ok(res, await listAdminUsers(req.query));
+}
+
+export async function userStatusUpdate(req, res) {
+  return ok(
+    res,
+    await updateUserStatus(req.params.userId, req.body, req.user?.sub ?? "admin")
+  );
+}
+
+export async function moderation(req, res) {
+  return ok(res, await listModerationQueue(req.query));
+}
+
+export async function moderationDecision(req, res) {
+  return ok(
+    res,
+    await decideModerationListing(req.params.jobId, req.body, req.user?.sub ?? "admin")
+  );
+}
+
+export async function disputes(req, res) {
+  return ok(res, await listAdminDisputes(req.query));
+}
+
+export async function disputeRuling(req, res) {
+  return ok(
+    res,
+    await resolveDispute(req.params.disputeId, req.body, req.user?.sub ?? "admin")
+  );
+}
+
+export async function controls(req, res) {
+  return ok(res, await getPlatformControls());
+}
+
+export async function controlUpdate(req, res) {
+  return ok(
+    res,
+    await updatePlatformControl(req.params.controlKey, req.body, req.user?.sub ?? "admin")
+  );
+}
+
+export async function auditLog(req, res) {
+  return ok(res, await listAdminAuditLog(req.query));
+}
diff --git a/apps/api/src/middleware/auth.js b/apps/api/src/middleware/auth.js
@@ -14,3 +14,11 @@ export function authMiddleware(req, res, next) {
     return fail(res, "Invalid token", 401);
   }
 }
+
+export function adminOnly(req, res, next) {
+  if (req.user?.role !== "admin") {
+    return fail(res, "Admin access required", 403);
+  }
+
+  return next();
+}
diff --git a/apps/api/src/routes/adminRoutes.js b/apps/api/src/routes/adminRoutes.js
@@ -1,8 +1,31 @@
 import { Router } from "express";
-import { metrics } from "../controllers/adminController.js";
-import { authMiddleware } from "../middleware/auth.js";
+import {
+  auditLog,
+  controlUpdate,
+  controls,
+  disputeRuling,
+  disputes,
+  metrics,
+  moderation,
+  moderationDecision,
+  overview,
+  userStatusUpdate,
+  users
+} from "../controllers/adminController.js";
+import { adminOnly, authMiddleware } from "../middleware/auth.js";
 
 export const adminRoutes = Router();
 
 adminRoutes.use(authMiddleware);
+adminRoutes.use(adminOnly);
+adminRoutes.get("/overview", overview);
 adminRoutes.get("/metrics", metrics);
+adminRoutes.get("/users", users);
+adminRoutes.patch("/users/:userId/status", userStatusUpdate);
+adminRoutes.get("/moderation", moderation);
+adminRoutes.patch("/moderation/:jobId/decision", moderationDecision);
+adminRoutes.get("/disputes", disputes);
+adminRoutes.patch("/disputes/:disputeId/ruling", disputeRuling);
+adminRoutes.get("/controls", controls);
+adminRoutes.patch("/controls/:controlKey", controlUpdate);
+adminRoutes.get("/audit-log", auditLog);