Skip to content

API: System

Controllers: admin-admins.controller.ts, admin-roles.controller.ts, admin-approvals.controller.ts, admin-audit.controller.ts, admin-stats.controller.ts.

Mount admin/admins.

MethodPathPerm
GET/admin/admins/me(any authenticated admin)
GET/admin/adminsadmins:read
GET/admin/admins/:idadmins:read
POST/admin/adminsadmins:write
PUT/admin/admins/:idadmins:write
DELETE/admin/admins/:idadmins:write

Returns the current admin’s profile including resolved permissions array. Called by the admin UI on every navigation to populate the permission-aware sidebar.

{
"email": "newuser@twistcue.local",
"name": "New User",
"roleId": "0192...",
"password": "temporary-please-reset"
}

Mount admin/roles.

MethodPathPerm
GET/admin/rolesroles:read
GET/admin/roles/:idroles:read
POST/admin/rolesroles:manage
PUT/admin/roles/:idroles:manage
DELETE/admin/roles/:idroles:manage
{
"name": "compliance",
"description": "PII compliance officer",
"permissions": ["users:read", "users:anonymize", "audit:read"]
}
  • Role name must be unique; cannot collide with the 6 system role names.
  • permissions: array of valid permission strings; refused if any is unknown.
  • Role changes may go through the approvals queue depending on config.

Mount admin/approvals.

MethodPathPerm
GET/admin/approvalsapprovals:read
GET/admin/approvals/:idapprovals:read
POST/admin/approvals/:id/approveapprovals:decide + the underlying resource perm
POST/admin/approvals/:id/rejectapprovals:decide + the underlying resource perm

Query: status (pending|approved|rejected), actionType, requestedBy, cursor, limit.

{
"id": "...",
"actionType": "refund.execute",
"payload": { "purchaseId": "...", "amountCents": 8000, "reason": "..." },
"requestedBy": "adminId-1",
"approvedBy": null,
"status": "pending",
"resolvedAt": null,
"createdAt": "..."
}
{ "note": "Reviewed refund policy; approved." }

Response: the executed underlying action (e.g. the refund row with status='executed').

Error 403: approver_must_differ if requested_by == req.admin.sub.

{ "note": "Insufficient documentation; requestor to resubmit with support ticket URL." }

Mount admin/audit-logs.

MethodPathPerm
GET/admin/audit-logsaudit:read

Query: adminId, action (glob), refType, refId, dateFrom, dateTo, cursor, limit.

{
"id": "...",
"adminId": "...",
"adminEmail": "finance@twistcue.local",
"action": "refund.execute",
"refType": "refund",
"refId": "...",
"before": { /* prior state */ },
"after": { /* new state */ },
"ip": "1.2.3.4",
"userAgent": "Mozilla/5.0...",
"createdAt": "..."
}

Mount admin/stats.

MethodPathPerm
GET/admin/statsanalytics:read

Superseded by /admin/analytics/overview but kept for backward compatibility with the P1 dashboard.