server.js

// ipfs-gate v0.1 — HTTP server (Express).
// Public endpoints: /reserve, /upload, /status/:cid, /ipfs/:cid
// Admin endpoints: /admin/* (Bearer ADMIN_KEY)

require('dotenv').config();

const express = require('express');
const cors = require('cors');
const rateLimit = require('express-rate-limit');
const multer = require('multer');
const crypto = require('crypto');

const quota = require('./quota');
const envelope = require('./envelope');
const hive = require('./hive-verify');
const moderation = require('./moderation');
const sweeper = require('./sweeper');
const kubo = require('./backends/kubo');
const pricing = require('./pricing');
const releaseAuth = require('./release-policy');

// ─── Config ─────────────────────────────────────────────────────────────────

const PORT = parseInt(process.env.PORT || '3001', 10);
// Default 0.0.0.0 — ipfs-gate is meant to live behind nginx in a docker network.
// Override to 127.0.0.1 only when running outside Docker (local dev on a laptop).
const BIND_HOST = process.env.BIND_HOST || '0.0.0.0';
const CORS_ORIGIN = process.env.CORS_ORIGIN || '*';
const ADMIN_KEY = process.env.ADMIN_KEY || '';
const PAYMENT_CURRENCY = process.env.PAYMENT_CURRENCY || 'CNOOBS';
const PAYMENT_AMOUNT = process.env.PAYMENT_AMOUNT || '1';
const IPFS_GATE_HIVE_ACCOUNT = (process.env.IPFS_GATE_HIVE_ACCOUNT || '').toLowerCase();
// parseFloat allows fractional days for testing (e.g. 0.001 ≈ 86s). In the v1
// claim model this is only the DEFAULT duration when a /reserve omits
// hours_requested — the authoritative timer is the claim's expiry_ts.
const DEFAULT_TTL_DAYS = parseFloat(process.env.DEFAULT_TTL_DAYS || '7');
const DEFAULT_HOURS = Math.max(pricing.MIN_HOURS, Math.round(DEFAULT_TTL_DAYS * 24));
const MAX_FILE_SIZE_MB = parseInt(process.env.MAX_FILE_SIZE_MB || '10', 10);
const MAX_FILE_SIZE_BYTES = MAX_FILE_SIZE_MB * 1024 * 1024;
const RATE_LIMIT_RESERVE = parseInt(process.env.RATE_LIMIT_RESERVE_PER_MIN || '30', 10);
const RATE_LIMIT_UPLOAD = parseInt(process.env.RATE_LIMIT_UPLOAD_PER_MIN || '30', 10);
const PUBLIC_GATEWAY_BASE = process.env.PUBLIC_GATEWAY_BASE ||
  `https://ipfs.${process.env.SERVER_DOMAIN || 'localhost'}`;
// v0.1.4 — Cache-Control max-age for /ipfs/:cid responses. Browsers honour
// this; during dev/testing keep it short (e.g. 3600 = 1h) so pin expiry is
// observable without incognito tricks. Production default 86400 (1 day).
const GATEWAY_CACHE_MAX_AGE = parseInt(process.env.GATEWAY_CACHE_MAX_AGE || '86400', 10);
// v0.2 — freshness window for signed user-API requests (replay protection on
// /uploads/by-user + /uploads/delete). The signed message embeds a unix-second
// timestamp; requests outside ±SKEW are rejected.
const SIGNED_REQUEST_MAX_SKEW_SEC = parseInt(process.env.SIGNED_REQUEST_MAX_SKEW_SEC || '300', 10);
// v0.2 — MIME types we will NOT serve inline on PUBLIC CIDs, even when claimed.
// These can host active content that would execute on the gate's own origin
// (stored-XSS). Public uploads of these types are forced to octet-stream +
// attachment disposition. Encrypted CIDs are always octet-stream regardless.
const PUBLIC_INLINE_DENY = new Set(['text/html', 'application/xhtml+xml', 'image/svg+xml']);
const MIME_RE = /^[a-z0-9][a-z0-9.+-]*\/[a-z0-9][a-z0-9.+-]*$/i;

if (!IPFS_GATE_HIVE_ACCOUNT) {
  console.error('FATAL: IPFS_GATE_HIVE_ACCOUNT not set. Refusing to start.');
  process.exit(1);
}
if (!ADMIN_KEY) {
  console.warn('WARN: ADMIN_KEY is empty — admin endpoints are unprotected. Set ADMIN_KEY in .env.');
}

// ─── App ────────────────────────────────────────────────────────────────────

const app = express();
app.disable('x-powered-by');
// Behind nginx (one proxy hop), so the client IP is in X-Forwarded-For. Without
// this, express-rate-limit throws ERR_ERL_UNEXPECTED_X_FORWARDED_FOR and would
// otherwise key every request off the nginx container IP. '1' = trust the first
// proxy only (don't blindly trust a client-spoofed XFF chain).
app.set('trust proxy', 1);
app.use(cors({ origin: CORS_ORIGIN }));
app.use(express.json({ limit: '64kb' }));

// ─── Helpers ────────────────────────────────────────────────────────────────

function respondError(res, code, message, details) {
  const codeToStatus = {
    bad_request: 400,
    unauthorized: 401,
    forbidden: 403,
    not_found: 404,
    conflict: 409,
    gone: 410,
    payload_too_large: 413,
    rate_limited: 429,
    unprocessable_entity: 422,
    legal_takedown: 451,
    insufficient_storage: 507,
    internal_error: 500,
    bad_gateway: 502,
    not_implemented: 501
  };
  const status = codeToStatus[code] || 500;
  res.status(status).json({ error: code, message, details: details || {} });
}

function handleError(res, err, fallbackCode = 'internal_error') {
  if (err && err.code && (
    typeof err.code === 'string' && err.code !== 'SQLITE_CONSTRAINT_UNIQUE'
  )) {
    return respondError(res, err.code, err.message);
  }
  console.error('[server] unhandled error:', err && err.stack || err);
  return respondError(res, fallbackCode, err && err.message || String(err));
}

function requireAdmin(req, res, next) {
  const h = req.headers['authorization'] || '';
  const m = h.match(/^Bearer\s+(.+)$/);
  if (!ADMIN_KEY || !m || m[1] !== ADMIN_KEY) {
    return respondError(res, 'unauthorized', 'admin auth required');
  }
  next();
}

function isoFromMs(ms) {
  return ms ? new Date(ms).toISOString() : null;
}

/**
 * Verify a signed user-API request (no on-chain payment to anchor identity, so
 * this is the sole auth gate). Three checks, all must pass:
 *   1. ts is within ±SIGNED_REQUEST_MAX_SKEW_SEC of now (replay window).
 *   2. sig is a valid Hive signature over `message` by `pubkey`.
 *   3. pubkey is a CURRENT posting key of `account` on Hive (binds key→account).
 * Throws { code:'bad_request'|'unauthorized' } on failure; resolves on success.
 */
async function verifySignedUserRequest({ account, ts, pubkey, sig, message }) {
  if (typeof account !== 'string' || !/^[a-z0-9][a-z0-9.\-]*$/.test(account)) {
    throw Object.assign(new Error('valid hive_account required'), { code: 'bad_request' });
  }
  const tsNum = Number(ts);
  if (!Number.isInteger(tsNum)) {
    throw Object.assign(new Error('ts (unix seconds) required'), { code: 'bad_request' });
  }
  if (typeof pubkey !== 'string' || typeof sig !== 'string' || !pubkey || !sig) {
    throw Object.assign(new Error('pubkey and sig required'), { code: 'bad_request' });
  }
  const skew = Math.abs(Math.floor(Date.now() / 1000) - tsNum);
  if (skew > SIGNED_REQUEST_MAX_SKEW_SEC) {
    throw Object.assign(new Error('request timestamp outside freshness window'), { code: 'unauthorized' });
  }
  if (!envelope.verifyHiveSig(message, sig, pubkey)) {
    throw Object.assign(new Error('signature verification failed'), { code: 'unauthorized' });
  }
  let postingKeys;
  try {
    postingKeys = await hive.getAccountPostingPubkeys(account);
  } catch (e) {
    // Fail closed: if Hive is unreachable we cannot prove key ownership.
    throw Object.assign(new Error(`could not verify account keys: ${e.message}`), { code: 'unprocessable_entity' });
  }
  if (!postingKeys.includes(pubkey)) {
    throw Object.assign(new Error('pubkey is not a current posting key for this account'), { code: 'unauthorized' });
  }
}

/**
 * Settle one already-cancelled (or expired) claim: compute the pro-rata refund,
 * record it in the durable refund ledger, and attempt the on-chain broadcast.
 * NEVER throws — the claim is closed regardless; the refund row carries
 * sent / pending / failed / skipped so the operator can see + retry. Returns a
 * small summary. 'pending' is the key-optional gate path (no IPFS_GATE_ACTIVE_KEY).
 */
/**
 * Record a refund of `amount` to claim.owner in the durable ledger and attempt
 * the on-chain broadcast. NEVER throws. Returns { amount, status, ... } where
 * status ∈ sent | pending | failed | skipped. `pending` is the key-optional path
 * (no IPFS_GATE_ACTIVE_KEY → operator settles manually). Shared by every refund
 * path (user cancel + admin force-action).
 */
async function broadcastRefund(claim, amount, reason) {
  const memo = `ipfs-gate:refund:${claim.claim_id}`;

  if (!amount || amount <= 0) {
    quota.recordRefund({
      claim_id: claim.claim_id, to_account: claim.owner, amount: 0,
      currency: claim.currency, memo, status: 'skipped',
      reason: `${reason}: nothing refundable (consumed/forfeit/dust)`
    });
    return { amount: 0, status: 'skipped' };
  }

  const rec = quota.recordRefund({
    claim_id: claim.claim_id, to_account: claim.owner, amount,
    currency: claim.currency, memo, status: 'pending', reason
  });

  try {
    const sent = await hive.sendRefund({ to: claim.owner, amount, currency: claim.currency, memo });
    quota.markRefundSettled(rec.refund_id, 'sent', sent.tx_id);
    return { amount, status: 'sent', tx_id: sent.tx_id, refund_id: rec.refund_id };
  } catch (e) {
    if (e.code === 'no_refund_key') {
      console.warn(`[refund] ${rec.refund_id} pending (no escrow key): ${amount} ${claim.currency} → @${claim.owner}`);
      return { amount, status: 'pending', refund_id: rec.refund_id };
    }
    quota.markRefundSettled(rec.refund_id, 'failed', null);
    console.error(`[refund] ${rec.refund_id} broadcast failed: ${e.message}`);
    return { amount, status: 'failed', refund_id: rec.refund_id, error: e.message };
  }
}

/**
 * Settle a user-initiated cancel refund. DORMANT backstop → full escrow minus
 * BACKSTOP_CANCEL_FEE_PCT (cohosting §6); ACTIVE claim → pro-rata. (claim is the
 * pre-flip row, so claim.state still reflects what it WAS.)
 */
async function settleClaimRefund(claim, reason = 'cancel') {
  const isDormant = claim.state === 'dormant';
  const amount = isDormant
    ? pricing.calculateDormantRefund(claim).amount
    : pricing.calculateRefund(claim, Date.now()).amount;
  return broadcastRefund(claim, amount, isDormant ? 'dormant_cancel' : reason);
}

/**
 * Settle a refund for an ADMIN force-action (cohosting §7). innocent=true (a
 * CID-ban backstopper) → full escrow no fee; otherwise per refund_policy.
 */
async function settleForcedRefund(claim, { policy = 'prorata', innocent = false } = {}) {
  const amount = pricing.forcedRefundAmount(claim, { policy, innocent });
  const reason = innocent
    ? 'admin_void_innocent_backstop'
    : (policy === 'none' ? 'admin_void_forfeit' : 'admin_void_prorata');
  return broadcastRefund(claim, amount, reason);
}

// ─── Rate limiters ──────────────────────────────────────────────────────────

const reserveLimiter = rateLimit({
  windowMs: 60 * 1000,
  max: RATE_LIMIT_RESERVE,
  standardHeaders: true,
  legacyHeaders: false,
  handler: (req, res) => respondError(res, 'rate_limited', 'too many /reserve requests')
});

const uploadLimiter = rateLimit({
  windowMs: 60 * 1000,
  max: RATE_LIMIT_UPLOAD,
  standardHeaders: true,
  legacyHeaders: false,
  handler: (req, res) => respondError(res, 'rate_limited', 'too many /upload requests')
});

const userApiLimiter = rateLimit({
  windowMs: 60 * 1000,
  max: parseInt(process.env.RATE_LIMIT_USER_API_PER_MIN || '60', 10),
  standardHeaders: true,
  legacyHeaders: false,
  handler: (req, res) => respondError(res, 'rate_limited', 'too many requests')
});

// ─── Multer for ciphertext uploads ──────────────────────────────────────────

const upload = multer({
  storage: multer.memoryStorage(),
  limits: { fileSize: MAX_FILE_SIZE_BYTES + 1024 } // tiny slop for header overhead
});

// ─── Public endpoints ───────────────────────────────────────────────────────

app.get('/', (req, res) => {
  res.json({
    service: 'ipfs-gate',
    version: '1.0.0-dev',
    operator: IPFS_GATE_HIVE_ACCOUNT,
    // v1 claim model: cost is computed per upload (size × time × copies). The
    // flat `amount` is retired — clients must POST /reserve with size_bytes (and
    // optional hours_requested/copies) to get a quote. `currency`, `max_size_mb`
    // and the default duration stay advertised here for the picker UI.
    payment: {
      model: 'claim-mb-hour',
      currency: PAYMENT_CURRENCY,
      max_size_mb: MAX_FILE_SIZE_MB,
      default_hours: DEFAULT_HOURS,
      ttl_days: DEFAULT_TTL_DAYS
    },
    pricing: {
      rate_per_mb_hour: pricing.RATE_PER_MB_HOUR,
      min_hours: pricing.MIN_HOURS,
      mb_divisor: pricing.MB_DIVISOR,
      node_count: pricing.getNodeCount(),
      // copies selector range the gate offers (1..node_count) + the Cluster
      // self-heal leeway. node_count=1 → backstop is the only co-host option.
      copies_max: pricing.getNodeCount(),
      replication_leeway: pricing.REPLICATION_LEEWAY
    },
    features: { public_uploads: true, uploads_tab: true, claim_model: true }
  });
});

/**
 * POST /reserve
 * Body: { uploader, size_bytes, hours_requested?, copies?, mode? }
 * v1 claim model: the gate computes a per-claim quote (size × time × copies) and
 * returns it as payment.amount. hours_requested defaults to DEFAULT_HOURS; copies
 * defaults to 1 (capped at NODE_COUNT). The flat-fee path is retired.
 * Returns: { reservation_id, expires_at, mode, payment:{currency,amount,escrow_account,memo}, quote:{...}, max_size_bytes }
 */
app.post('/reserve', reserveLimiter, (req, res) => {
  try {
    const { uploader, size_bytes } = req.body || {};
    // v0.2 — optional upload mode. 'encrypted' (default) = ciphertext, served
    // as octet-stream (unchanged). 'public' = plaintext, shareable link served
    // with the claimed MIME. Same reserve→pay→upload billing for both.
    const mode = (req.body && req.body.mode) || 'encrypted';
    if (typeof uploader !== 'string' || !Number.isInteger(size_bytes)) {
      return respondError(res, 'bad_request', 'uploader (string) and size_bytes (integer) required');
    }
    if (mode !== 'encrypted' && mode !== 'public') {
      return respondError(res, 'bad_request', "mode must be 'encrypted' or 'public'");
    }

    // Quote inputs. hours_requested / copies are optional; defaults keep a bare
    // {uploader,size_bytes} request working (it just gets the default duration).
    const rawHours = (req.body && req.body.hours_requested);
    const hoursRequested = (rawHours === undefined || rawHours === null) ? DEFAULT_HOURS : Number(rawHours);
    const rawCopies = (req.body && req.body.copies);
    const copiesRequested = (rawCopies === undefined || rawCopies === null) ? 1 : Number(rawCopies);
    if (!Number.isFinite(hoursRequested) || hoursRequested <= 0) {
      return respondError(res, 'bad_request', 'hours_requested must be a positive number');
    }

    let quote;
    try {
      quote = pricing.calculateCost({ sizeBytes: size_bytes, hoursRequested, copies: copiesRequested });
    } catch (e) {
      return handleError(res, e);
    }

    const r = quota.createReservation(uploader.toLowerCase(), size_bytes, mode, {
      hoursRequested: quote.billable_hrs,
      copies: quote.copies,
      quotedAmount: quote.total
    });

    res.json({
      reservation_id: r.id,
      expires_at: isoFromMs(r.expires_at),
      mode,
      payment: {
        currency: PAYMENT_CURRENCY,
        amount: String(quote.total),
        escrow_account: IPFS_GATE_HIVE_ACCOUNT,
        memo: quota.getMemoForReservation(r.id)
      },
      quote: {
        billable_mb: quote.billable_mb,
        billable_hrs: quote.billable_hrs,
        copies: quote.copies,
        // honest surfacing: if the client asked for more copies than the gate has
        // nodes, the granted `copies` is capped — don't let that be silent.
        copies_requested: Math.max(1, Math.floor(copiesRequested) || 1),
        copies_capped: quote.copies < Math.max(1, Math.floor(copiesRequested) || 1),
        node_count: pricing.getNodeCount(),
        replication: pricing.replicationConfig(quote.copies),
        rate_per_mb_hour: quote.rate,
        total: quote.total,
        currency: PAYMENT_CURRENCY
      },
      max_size_bytes: quota.MAX_FILE_SIZE_BYTES
    });
  } catch (e) {
    return handleError(res, e);
  }
});

/**
 * POST /upload
 * multipart/form-data with fields: reservation_id, tx_id, uploader_pubkey,
 *                                   upload_proof_sig, ciphertext (file)
 * Returns: { cid, size_bytes, expires_at, gateway_url, deduped, existing_expires_at }
 */
app.post('/upload', uploadLimiter, upload.single('ciphertext'), async (req, res) => {
  try {
    const { reservation_id, tx_id, uploader_pubkey, upload_proof_sig } = req.body || {};
    // v0.2 — public uploads carry a claimed plaintext MIME (rendering hint only,
    // never a security input — see GET /ipfs/:cid hardening). `kind` is v4call's
    // kind_hint, accepted for audit but not otherwise used by the gate.
    const claimedMime = (req.body && req.body.mime) || null;

    if (!reservation_id || !tx_id || !uploader_pubkey || !upload_proof_sig) {
      return respondError(res, 'bad_request', 'reservation_id, tx_id, uploader_pubkey, upload_proof_sig all required');
    }
    if (!req.file || !req.file.buffer) {
      return respondError(res, 'bad_request', 'ciphertext file field required');
    }

    const ciphertext = req.file.buffer;
    const sizeBytes = ciphertext.length;
    if (sizeBytes > MAX_FILE_SIZE_BYTES) {
      return respondError(res, 'payload_too_large', `ciphertext exceeds ${MAX_FILE_SIZE_MB}MB`);
    }

    // 1. Look up reservation
    const r = quota.getReservation(reservation_id);
    if (!r) return respondError(res, 'not_found', 'reservation not found');
    if (r.status === 'expired') return respondError(res, 'gone', 'reservation expired');
    if (r.status !== 'pending') {
      return respondError(res, 'conflict', `reservation is ${r.status}, expected pending`);
    }
    if (r.expires_at < quota.now()) {
      return respondError(res, 'gone', 'reservation expired');
    }
    if (sizeBytes > r.size_bytes) {
      return respondError(res, 'payload_too_large', `ciphertext (${sizeBytes}) exceeds reserved size (${r.size_bytes})`);
    }

    const uploader = r.uploader;

    // 1b. Resolve upload mode from the (paid) reservation and validate the
    //     claimed MIME for public uploads BEFORE doing any Hive payment work,
    //     so malformed requests are rejected cheaply.
    const mode = r.mode || 'encrypted';
    let mime = null;
    if (mode === 'public') {
      if (typeof claimedMime !== 'string' || !MIME_RE.test(claimedMime) || claimedMime.length > 255) {
        return respondError(res, 'bad_request', 'public upload requires a valid `mime` field');
      }
      mime = claimedMime.toLowerCase();
    }

    // 1c. Optional release-authority policy (Stage 3). Validated up-front so a bad
    //     policy is rejected before any payment work. Defaults to owner_only.
    let releasePolicyObj = null;
    if (req.body && req.body.release_policy) {
      let parsed;
      try { parsed = JSON.parse(req.body.release_policy); }
      catch (e) { return respondError(res, 'bad_request', 'release_policy must be valid JSON'); }
      try { releasePolicyObj = releaseAuth.normalizeReleasePolicy(parsed); }
      catch (e) { return handleError(res, e); }
    }

    // 1d. Optional proof-of-receipt commitment (Stage 6). SHA-256(plaintext) the
    //     sender commits to; stored on the order so a recipient can later prove
    //     decryption (POST /claims/receipt). NOT in the public Reveal link, so a
    //     bystander (ciphertext only) can't reproduce it. NULL for public uploads.
    let receiptHash = null;
    if (req.body && req.body.receipt_hash) {
      const rh = String(req.body.receipt_hash).toLowerCase();
      if (!/^[a-f0-9]{64}$/.test(rh)) {
        return respondError(res, 'bad_request', 'receipt_hash must be a 64-char hex sha256');
      }
      receiptHash = rh;
    }

    // 2. Banned-account check (banlist could've been added between reserve and upload)
    if (quota.isAccountBanned(uploader)) {
      return respondError(res, 'forbidden', 'uploader is banned');
    }

    // 3. Verify upload_proof_sig
    const ciphertextSha256Hex = envelope.sha256Hex(ciphertext);
    const sigOk = envelope.verifyUploadProof({
      ciphertextSha256Hex,
      reservationId: reservation_id,
      uploader,
      uploaderPubkey: uploader_pubkey,
      sigStr: upload_proof_sig
    });
    if (!sigOk) {
      return respondError(res, 'unauthorized', 'upload_proof_sig verification failed');
    }

    // 4. Replay protection (UNIQUE on payments.tx_id is the schema-level guarantee,
    //    but check here so we can return a clean error before doing Hive work)
    if (quota.getPaymentByTxId(tx_id)) {
      return respondError(res, 'conflict', 'tx_id already used');
    }

    // 5. Verify Hive payment (tx_id lookup + amount/memo/currency validation).
    //    v1 claim model: the required amount is the per-claim QUOTE captured at
    //    /reserve (size × time × copies), not a flat fee.
    const expectedMemo = quota.getMemoForReservation(reservation_id);
    let payResult;
    try {
      payResult = await hive.verifyPayment({
        tx_id,
        sender: uploader,
        expectedMemo,
        expectedAmount: r.quoted_amount
      });
    } catch (e) {
      return handleError(res, e, 'unprocessable_entity');
    }

    // Sidechain confirmation — HARD reject. v0.1.2 (and earlier) used a balance
    // comparison which was useless: the escrow's existing balance always exceeded
    // the per-payment amount, so an under-balanced sender whose transfer was
    // rejected by the Hive-Engine sidechain still passed the check, and the file
    // got pinned for free. v0.1.3 polls getTransactionInfo on the Hive-Engine
    // blockchain RPC for an authoritative success/fail signal.
    let paymentStatus = 'confirmed';
    let sidechainResult;
    try {
      sidechainResult = await hive.verifyHiveEngineSidechain(tx_id);
    } catch (e) {
      console.error(`[server] sidechain RPC failed for ${tx_id}: ${e.message}`);
      quota.markReservationCancelled(reservation_id);
      return respondError(res, 'unprocessable_entity', `Hive-Engine sidechain unreachable: ${e.message}`);
    }
    if (sidechainResult.confirmed === false) {
      quota.markReservationCancelled(reservation_id);
      if (sidechainResult.reason === 'rejected') {
        const detail = (sidechainResult.errors || []).join('; ') || 'sidechain rejected the transfer';
        console.warn(`[server] sidechain rejected tx ${tx_id}: ${detail}`);
        return respondError(res, 'unprocessable_entity', `Hive-Engine rejected the transfer: ${detail}`);
      }
      // 'pending' — exhausted retries; safer to reject than to pin a phantom payment
      console.warn(`[server] sidechain still pending for tx ${tx_id} after retries`);
      return respondError(res, 'unprocessable_entity', 'Hive-Engine sidechain did not confirm the transfer within the retry budget. Try uploading again in ~30s.');
    }
    // Belt-and-braces: also record balance for the audit log
    try {
      payResult.balance_after = await hive.getHiveEngineBalance(IPFS_GATE_HIVE_ACCOUNT, PAYMENT_CURRENCY);
    } catch (e) {
      console.warn(`[server] post-confirm balance read failed: ${e.message}`);
    }

    // 6. Record payment + mark reservation paid (atomic)
    let payment;
    try {
      payment = quota.recordPayment({
        tx_id,
        reservation_id,
        uploader,
        currency: payResult.currency,
        amount: payResult.paid,
        memo: expectedMemo,
        block_num: payResult.block_num,
        status: paymentStatus
      });
    } catch (e) {
      return handleError(res, e);
    }
    quota.markReservationPaid(reservation_id, tx_id);

    // 7. Compute CID locally (defence: also verify against Kubo's response after pin)
    // For v0.1 we trust Kubo's returned CID since it's the same machine.

    // 8. Pin to Kubo
    let pinResult;
    try {
      pinResult = await kubo.pin(ciphertext);
    } catch (e) {
      // Pin failed. Mark reservation cancelled. Payment stays as 'confirmed' for now —
      // operator should refund manually + log via /admin/log-refund.
      quota.markReservationCancelled(reservation_id);
      console.error(`[server] kubo.pin failed for reservation ${reservation_id}: ${e.message}`);
      return handleError(res, e, 'bad_gateway');
    }
    const cid = pinResult.cid;

    // 9. Block list check on CID (could have been added between reserve and pin)
    if (quota.isCidBlocked(cid)) {
      // Unpin immediately
      try { await kubo.unpin(cid); } catch (e) { /* best-effort */ }
      quota.markReservationCancelled(reservation_id);
      return respondError(res, 'legal_takedown', 'this CID is blocked on this server');
    }

    // 10. Derive the claim from the (paid) reservation's quote, then create the
    //     pin (mirroring the claim's expiry_ts) + the order/claim atomically.
    //     The claim's expiry_ts is the lifecycle authority; the pin row carries
    //     the same timestamp so disk/serve accounting and the sweeper agree.
    const hoursPaid = (r.hours_requested && r.hours_requested > 0) ? r.hours_requested : DEFAULT_HOURS;
    const copies = pricing.cappedCopies(r.copies || 1);
    const sizeMB = pricing.billableMB(sizeBytes);
    const rateLocked = pricing.RATE_PER_MB_HOUR;
    const startTs = quota.now();
    const expiryTs = startTs + hoursPaid * pricing.HOUR_MS;

    const pin = quota.createPin({
      cid,
      uploader,
      size_bytes: sizeBytes,
      payment_id: payment.id,
      expires_at: expiryTs,
      mode,
      mime
    });
    quota.markReservationUploaded(reservation_id, pin.id);

    const claim = quota.createOrderWithClaim({
      cid,
      owner: uploader,
      pinId: pin.id,
      paymentId: payment.id,
      sizeBytes,
      sizeMB,
      rateLocked,
      paidHours: hoursPaid,
      copies,
      amountPaid: payResult.paid,
      currency: payResult.currency,
      startTs,
      expiryTs,
      releasePolicy: releasePolicyObj,
      receiptHash
    });

    // 11. Dedup info (was there already an active pin for this CID before us?)
    const allActive = quota.getActivePinsForCid(cid);
    const deduped = allActive.length > 1;
    const otherExpiries = allActive.filter(p => p.id !== pin.id).map(p => p.expires_at);
    const existing_expires_at = otherExpiries.length > 0
      ? isoFromMs(Math.max(...otherExpiries))
      : null;

    res.json({
      cid,
      size_bytes: sizeBytes,
      expires_at: isoFromMs(pin.expires_at),
      gateway_url: `${PUBLIC_GATEWAY_BASE}/ipfs/${cid}`,
      deduped,
      existing_expires_at,
      claim_id: claim.claim_id,
      order_id: claim.order_id,
      claim: {
        paid_hours: hoursPaid,
        copies,
        size_mb: sizeMB,
        rate_per_mb_hour: rateLocked,
        amount_paid: payResult.paid,
        currency: payResult.currency
      }
    });
  } catch (e) {
    return handleError(res, e);
  }
});

/**
 * GET /status/:cid
 */
app.get('/status/:cid', (req, res) => {
  try {
    const cid = req.params.cid;
    if (quota.isCidBlocked(cid)) {
      return respondError(res, 'legal_takedown', 'this CID has been removed');
    }
    const active = quota.getActivePinsForCid(cid);
    if (active.length === 0) {
      return respondError(res, 'not_found', 'CID not pinned');
    }
    const maxExpiry = Math.max(...active.map(p => p.expires_at));
    res.json({
      cid,
      pinned: true,
      expires_at: isoFromMs(maxExpiry),
      active_pin_count: active.length
    });
  } catch (e) {
    return handleError(res, e);
  }
});

/**
 * GET /ipfs/:cid — gateway pass-through
 */
app.get('/ipfs/:cid', async (req, res) => {
  try {
    const cid = req.params.cid;
    if (quota.isCidBlocked(cid)) {
      return respondError(res, 'legal_takedown', 'this CID has been removed');
    }
    const serve = quota.getServeInfoForCid(cid);
    if (!serve) {
      return respondError(res, 'not_found', 'CID not pinned here');
    }
    const upstream = await kubo.cat(cid);

    // v0.2 — content-type. Encrypted CIDs are opaque ciphertext → octet-stream.
    // Public CIDs are served with their claimed MIME so links render directly,
    // EXCEPT active-content types (html/svg/...), which are forced to download
    // so a public link can't become stored-XSS on the gate's own origin. The
    // claimed MIME is a rendering hint, never trusted for a security decision.
    res.set('X-Content-Type-Options', 'nosniff');
    if (serve.mode === 'public' && serve.mime && MIME_RE.test(serve.mime) && !PUBLIC_INLINE_DENY.has(serve.mime)) {
      res.set('Content-Type', serve.mime);
    } else {
      res.set('Content-Type', 'application/octet-stream');
      if (serve.mode === 'public') {
        res.set('Content-Disposition', 'attachment');
      }
    }
    // Cache-Control max-age is env-configurable (v0.1.4). Default 86400 (1 day)
    // for production; recommend 3600 or less during dev/testing so pin expiry
    // is visible without browser cache lying. Set GATEWAY_CACHE_MAX_AGE in .env.
    res.set('Cache-Control', `public, max-age=${GATEWAY_CACHE_MAX_AGE}`);
    // Stream the response
    upstream.body.pipeTo(new WritableStream({
      write(chunk) { res.write(Buffer.from(chunk)); },
      close() { res.end(); }
    })).catch(e => {
      console.warn(`[server] gateway stream failed for ${cid}: ${e.message}`);
      try { res.end(); } catch (_) {}
    });
  } catch (e) {
    return handleError(res, e);
  }
});

// ─── Signed user endpoints (Hive posting-key auth, no payment) ───────────────
// These let a user manage their OWN uploads. Unlike /upload there is no
// on-chain payment to anchor identity, so the signed request IS the auth — see
// verifySignedUserRequest (proves the supplied pubkey is the account's posting
// key on Hive, not just that some key signed).

/**
 * GET /uploads/by-user
 * Query: hive_account, ts (unix seconds), pubkey, sig
 * Signed message: ipfs-gate:list-uploads:v1:<hive_account>:<ts>
 * Returns the caller's pinned uploads + (shared-disk) quota snapshot.
 */
app.get('/uploads/by-user', userApiLimiter, async (req, res) => {
  try {
    const account = String(req.query.hive_account || '').toLowerCase();
    const ts = req.query.ts;
    const pubkey = req.query.pubkey;
    const sig = req.query.sig;

    const message = `ipfs-gate:list-uploads:v1:${account}:${ts}`;
    await verifySignedUserRequest({ account, ts, pubkey, sig, message });

    const disk = quota.getDiskUsage();
    const rows = quota.listUploadsForAccount(account, 500, 0);
    const uploads = rows.map(p => ({
      cid: p.cid,
      size_bytes: p.size_bytes,
      mime: p.mime || null,
      mode: p.mode || 'encrypted',
      kind: null,
      uploaded_at: isoFromMs(p.created_at),
      expires_at: isoFromMs(p.expires_at),
      pinned: p.status === 'active',
      status: p.status,
      public_url: (p.mode === 'public') ? `${PUBLIC_GATEWAY_BASE}/ipfs/${p.cid}` : null
    }));

    res.json({
      hive_account: account,
      quota: {
        // NOTE: there is no per-account byte cap in v0.2 — these are the
        // SHARED gate-disk figures. quota_scope makes that explicit so the
        // client renders an honest "X of Y (shared)" label.
        quota_scope: 'shared_disk',
        used_bytes: disk.used_bytes,
        limit_bytes: disk.limit_bytes,
        available_bytes: disk.available_bytes,
        pending_count: quota.getAccountPendingCount(account)
      },
      uploads
    });
  } catch (e) {
    return handleError(res, e);
  }
});

/**
 * POST /uploads/delete
 * Body: { cid, hive_account, ts (unix seconds), pubkey, sig }
 * Signed message: ipfs-gate:delete-pin:v1:<cid>:<hive_account>:<ts>
 * Unpins ONLY the caller's pin row(s) for the CID. Kubo-unpins + GCs only when
 * no active pin remains for the CID (multi-pin-record dedup model).
 */
app.post('/uploads/delete', userApiLimiter, async (req, res) => {
  try {
    const { cid } = req.body || {};
    const account = String((req.body && req.body.hive_account) || '').toLowerCase();
    const ts = req.body && req.body.ts;
    const pubkey = req.body && req.body.pubkey;
    const sig = req.body && req.body.sig;

    if (typeof cid !== 'string' || !cid) {
      return respondError(res, 'bad_request', 'cid required');
    }

    const message = `ipfs-gate:delete-pin:v1:${cid}:${account}:${ts}`;
    await verifySignedUserRequest({ account, ts, pubkey, sig, message });

    // v1 claim model: "delete my upload" = cancel the caller's active claim(s)
    // on this CID → pro-rata refund. Fall back to the legacy pin-delete only for
    // pre-claim rows (no claim row exists for the CID/owner).
    const myActiveClaims = quota.getActiveClaimsForCid(cid).filter(c => c.owner === account);
    let removed = 0;
    let fullyUnpinned = false;
    const refunds = [];

    if (myActiveClaims.length > 0) {
      for (const c of myActiveClaims) {
        const r = quota.cancelClaim(c.claim_id, account);
        removed++;
        if (r.fully_unpinned) fullyUnpinned = true;
        const refund = await settleClaimRefund(r.claim, 'user_deleted');
        refunds.push({ claim_id: c.claim_id, activated_backstop: r.activated || null, ...refund });
      }
    } else {
      const result = quota.removePinForUploader(cid, account);
      removed = result.removed;
      fullyUnpinned = result.fully_unpinned;
    }

    if (removed === 0) {
      return respondError(res, 'not_found', 'no active upload for this account + cid');
    }

    if (fullyUnpinned) {
      try {
        await kubo.unpin(cid);
        await kubo.gc();
      } catch (e) {
        // Row is already freed in the DB; a stale Kubo pin is harmless (the next
        // sweeper GC will reclaim it). Log + report fully_unpinned honestly.
        console.warn(`[uploads/delete] kubo unpin/gc failed for ${cid}: ${e.message}`);
      }
    }

    res.json({ ok: true, cid, removed, fully_unpinned: fullyUnpinned, refunds });
  } catch (e) {
    return handleError(res, e);
  }
});

/**
 * POST /claims/cancel  (signed user request — Hive posting-key auth)
 * Body: { claim_id, hive_account, ts (unix seconds), pubkey, sig }
 * Signed message: ipfs-gate:cancel-claim:v1:<claim_id>:<hive_account>:<ts>
 * Cancels the caller's OWN active claim early → pro-rata refund (PRICING-V1 §3)
 * → unpins the CID iff no other active claim remains (last-funder unpin).
 */
app.post('/claims/cancel', userApiLimiter, async (req, res) => {
  try {
    const { claim_id } = req.body || {};
    const account = String((req.body && req.body.hive_account) || '').toLowerCase();
    const ts = req.body && req.body.ts;
    const pubkey = req.body && req.body.pubkey;
    const sig = req.body && req.body.sig;

    if (typeof claim_id !== 'string' || !claim_id) {
      return respondError(res, 'bad_request', 'claim_id required');
    }

    const message = `ipfs-gate:cancel-claim:v1:${claim_id}:${account}:${ts}`;
    await verifySignedUserRequest({ account, ts, pubkey, sig, message });

    // Atomic, status-locked cancel (quota.cancelClaim) — only one cancel wins, so
    // the refund settled below can't double-pay on a concurrent cancel. Cancelling
    // an ACTIVE claim may promote a queued backstop (FIFO) instead of unpinning;
    // cancelling a DORMANT backstop just voids the pledge (escrow-minus-fee refund).
    const { claim, fully_unpinned, activated, was_dormant } = quota.cancelClaim(claim_id, account);
    const refund = await settleClaimRefund(claim, 'cancel');

    if (fully_unpinned) {
      try {
        await kubo.unpin(claim.cid);
        await kubo.gc();
      } catch (e) {
        console.warn(`[claims/cancel] kubo unpin/gc failed for ${claim.cid}: ${e.message}`);
      }
    }

    res.json({
      ok: true, claim_id, cid: claim.cid,
      was_dormant: !!was_dormant,
      fully_unpinned,
      activated_backstop: activated || null,
      refund
    });
  } catch (e) {
    return handleError(res, e);
  }
});

/**
 * POST /claims/release  (signed user request — Hive posting-key auth)
 * Body: { order_id, hive_account, ts (unix seconds), pubkey, sig }
 * Signed message: ipfs-gate:release:v1:<order_id>:<hive_account>:<ts>
 * A recipient (or the owner) consents to stop hosting. When the order's
 * release_policy threshold is met (owner override / any_of / all_of), the order's
 * active claim is ENDED → pro-rata refund to the owner → the §5 lifecycle runs
 * (release ≠ deletion: a queued backstop still takes the baton).
 */
app.post('/claims/release', userApiLimiter, async (req, res) => {
  try {
    const { order_id } = req.body || {};
    const account = String((req.body && req.body.hive_account) || '').toLowerCase();
    const ts = req.body && req.body.ts;
    const pubkey = req.body && req.body.pubkey;
    const sig = req.body && req.body.sig;

    if (typeof order_id !== 'string' || !order_id) {
      return respondError(res, 'bad_request', 'order_id required');
    }

    const message = `ipfs-gate:release:v1:${order_id}:${account}:${ts}`;
    await verifySignedUserRequest({ account, ts, pubkey, sig, message });

    const order = quota.getOrder(order_id);
    if (!order) return respondError(res, 'not_found', 'order not found');

    let policy;
    try { policy = JSON.parse(order.release_policy); } catch (e) { policy = { type: 'owner_only' }; }

    const consented = quota.getReleaseConsents(order_id);
    let decision;
    try {
      decision = releaseAuth.evaluateRelease({ policy, owner: order.owner, releaser: account, consented });
    } catch (e) {
      return handleError(res, e);
    }

    if (!decision.authorized) {
      return respondError(res, 'forbidden', `@${account} is not authorised to release this order under its ${policy.type} policy`);
    }
    if (decision.records_consent) {
      quota.recordReleaseConsent(order_id, account, sig);
    }

    // all_of still waiting for the rest of the set
    if (!decision.ends) {
      const addresses = (policy.addresses || []).map(a => String(a).toLowerCase());
      const have = quota.getReleaseConsents(order_id);
      return res.json({
        ok: true, order_id, released: false, policy_type: policy.type,
        consents: have, needed: addresses.length,
        got: have.filter(a => addresses.includes(a)).length
      });
    }

    // Threshold met → end the order's active claim (idempotent if already closed).
    const activeClaim = quota.getActiveClaimForOrder(order_id);
    if (!activeClaim) {
      return res.json({ ok: true, order_id, released: true, ended: false, note: 'no active claim to end (already closed)' });
    }

    const { claim, fully_unpinned, activated } = quota.endActiveClaimForRelease(activeClaim.claim_id);
    const refund = await settleClaimRefund(claim, 'released');

    if (fully_unpinned) {
      try {
        await kubo.unpin(claim.cid);
        await kubo.gc();
      } catch (e) {
        console.warn(`[claims/release] kubo unpin/gc failed for ${claim.cid}: ${e.message}`);
      }
    }

    res.json({
      ok: true, order_id, released: true, ended: true,
      claim_id: claim.claim_id, cid: claim.cid, policy_type: policy.type,
      fully_unpinned, activated_backstop: activated || null, refund
    });
  } catch (e) {
    return handleError(res, e);
  }
});

/**
 * POST /claims/receipt  (Stage 6 — proof-of-receipt + release bridge)
 * Body: { order_id, hive_account, ts (unix s), pubkey, sig, proof_hash }
 * Signed message: ipfs-gate:receipt:v1:<order_id>:<hive_account>:<ts>:<proof_hash>
 *
 * proof_hash = SHA-256(decrypted plaintext). Only an account that actually
 * decrypted the file can reproduce it (it is NOT in the public Reveal link), so a
 * matching, posting-key-signed proof_hash proves decryption. We record the receipt
 * (audit) AND fold it into the order's release authority exactly like /claims/release
 * — a verified receipt IS a release consent. owner_only / not-a-listed-recipient
 * receipts are still recorded but don't end hosting (the owner releases those).
 */
app.post('/claims/receipt', userApiLimiter, async (req, res) => {
  try {
    const { order_id } = req.body || {};
    const account = String((req.body && req.body.hive_account) || '').toLowerCase();
    const ts = req.body && req.body.ts;
    const pubkey = req.body && req.body.pubkey;
    const sig = req.body && req.body.sig;
    const proofHash = String((req.body && req.body.proof_hash) || '').toLowerCase();

    if (typeof order_id !== 'string' || !order_id) {
      return respondError(res, 'bad_request', 'order_id required');
    }
    if (!/^[a-f0-9]{64}$/.test(proofHash)) {
      return respondError(res, 'bad_request', 'proof_hash must be a 64-char hex sha256');
    }

    // proof_hash is bound INTO the signed message so it can't be swapped/replayed.
    const message = `ipfs-gate:receipt:v1:${order_id}:${account}:${ts}:${proofHash}`;
    await verifySignedUserRequest({ account, ts, pubkey, sig, message });

    const order = quota.getOrder(order_id);
    if (!order) return respondError(res, 'not_found', 'order not found');
    if (!order.receipt_hash) {
      return respondError(res, 'unprocessable_entity', 'this order has no receipt commitment (uploaded before proof-of-receipt, or a public upload) — receipts unsupported');
    }

    // Proof of decryption: the recipient must reproduce SHA-256(plaintext), which
    // only an account holding the decrypted bytes can compute.
    if (proofHash !== String(order.receipt_hash).toLowerCase()) {
      return respondError(res, 'forbidden', 'proof does not match — you must actually decrypt the file to confirm receipt');
    }

    // Record the receipt (idempotent audit of who decrypted).
    quota.recordReceipt(order_id, account, proofHash, sig);

    // Bridge into release authority — a verified receipt is a release consent.
    let policy;
    try { policy = JSON.parse(order.release_policy); } catch (e) { policy = { type: 'owner_only' }; }
    const consented = quota.getReleaseConsents(order_id);
    let decision;
    try {
      decision = releaseAuth.evaluateRelease({ policy, owner: order.owner, releaser: account, consented });
    } catch (e) {
      return handleError(res, e);
    }
    const receiptList = quota.getReceipts(order_id).map(r => r.recipient);

    // Decrypted, but not a release participant under this policy (owner_only, or
    // not in addresses): receipt stands as audit, hosting is unchanged.
    if (!decision.authorized) {
      return res.json({
        ok: true, order_id, receipt_recorded: true, released: false,
        policy_type: policy.type, receipts: receiptList,
        note: `receipt recorded; @${account} is not a release participant under the ${policy.type} policy`
      });
    }
    if (decision.records_consent) {
      quota.recordReleaseConsent(order_id, account, sig);
    }

    // all_of still waiting for the rest of the set.
    if (!decision.ends) {
      const addresses = (policy.addresses || []).map(a => String(a).toLowerCase());
      const have = quota.getReleaseConsents(order_id);
      return res.json({
        ok: true, order_id, receipt_recorded: true, released: false, policy_type: policy.type,
        consents: have, needed: addresses.length,
        got: have.filter(a => addresses.includes(a)).length, receipts: receiptList
      });
    }

    // Threshold met → end the order's active claim (same as /claims/release).
    const activeClaim = quota.getActiveClaimForOrder(order_id);
    if (!activeClaim) {
      return res.json({ ok: true, order_id, receipt_recorded: true, released: true, ended: false, note: 'no active claim to end (already closed)', receipts: receiptList });
    }
    const { claim, fully_unpinned, activated } = quota.endActiveClaimForRelease(activeClaim.claim_id);
    const refund = await settleClaimRefund(claim, 'released-via-receipt');
    if (fully_unpinned) {
      try { await kubo.unpin(claim.cid); await kubo.gc(); }
      catch (e) { console.warn(`[claims/receipt] kubo unpin/gc failed for ${claim.cid}: ${e.message}`); }
    }
    res.json({
      ok: true, order_id, receipt_recorded: true, released: true, ended: true,
      claim_id: claim.claim_id, cid: claim.cid, policy_type: policy.type,
      fully_unpinned, activated_backstop: activated || null, refund, receipts: receiptList
    });
  } catch (e) {
    return handleError(res, e);
  }
});

// ─── Backstop (co-hosting safety-net) ────────────────────────────────────────
// A backstop is a prepaid, dormant claim on an already-hosted CID that activates
// (FIFO) only if the file would otherwise be deleted (cohosting-backstop.md). It
// adds no bytes (leans on the existing copy), so it needs no disk reservation —
// just pay into escrow and the gate records the dormant claim. Replay-guarded by
// payments.tx_id UNIQUE (no reservation needed). The pledger pays into escrow now;
// the escrow is consumed only across the stretch the backstop is the live host.

/**
 * GET /backstop/quote?cid=<cid>&hours=<h>&copies=<c>
 * Quote the cost to backstop an already-hosted CID. Pay this amount to
 * payment.escrow_account with payment.memo, then POST /backstop/pledge.
 */
app.get('/backstop/quote', userApiLimiter, (req, res) => {
  try {
    const cid = String(req.query.cid || '');
    const hours = (req.query.hours === undefined) ? DEFAULT_HOURS : Number(req.query.hours);
    const copies = (req.query.copies === undefined) ? 1 : Number(req.query.copies);
    if (!cid) return respondError(res, 'bad_request', 'cid required');
    if (quota.isCidBlocked(cid)) return respondError(res, 'legal_takedown', 'this CID is blocked on this server');

    const active = quota.getActivePinsForCid(cid);
    if (active.length === 0) {
      return respondError(res, 'not_found', 'CID is not currently hosted here — you can only backstop a live file');
    }
    const sizeBytes = active[0].size_bytes;
    const quote = pricing.calculateCost({ sizeBytes, hoursRequested: hours, copies });

    res.json({
      cid,
      mode: 'backstop',
      payment: {
        currency: PAYMENT_CURRENCY,
        amount: String(quote.total),
        escrow_account: IPFS_GATE_HIVE_ACCOUNT,
        memo: `ipfs-gate:backstop:${cid}`
      },
      quote: {
        billable_mb: quote.billable_mb,
        billable_hrs: quote.billable_hrs,
        copies: quote.copies,
        copies_requested: Math.max(1, Math.floor(copies) || 1),
        copies_capped: quote.copies < Math.max(1, Math.floor(copies) || 1),
        node_count: pricing.getNodeCount(),
        replication: pricing.replicationConfig(quote.copies),
        rate_per_mb_hour: quote.rate,
        total: quote.total,
        currency: PAYMENT_CURRENCY
      },
      queue_depth: quota.getDormantBackstopsForCid(cid).length
    });
  } catch (e) {
    return handleError(res, e);
  }
});

/**
 * POST /backstop/pledge
 * Body: { pledger, cid, hours_requested?, copies?, tx_id }
 * Verifies the on-chain escrow payment (memo ipfs-gate:backstop:<cid>, sender =
 * pledger, amount ≥ quote) and records a DORMANT backstop claim. It activates
 * automatically (FIFO) when the CID's last active claim ends.
 */
app.post('/backstop/pledge', uploadLimiter, async (req, res) => {
  try {
    const { pledger, cid, tx_id } = req.body || {};
    const hours = (req.body && req.body.hours_requested === undefined) ? DEFAULT_HOURS : Number(req.body.hours_requested);
    const copies = (req.body && req.body.copies === undefined) ? 1 : Number(req.body.copies);
    if (typeof pledger !== 'string' || !pledger || typeof cid !== 'string' || !cid || !tx_id) {
      return respondError(res, 'bad_request', 'pledger, cid, tx_id required');
    }
    const account = pledger.toLowerCase();
    if (quota.isAccountBanned(account)) return respondError(res, 'forbidden', 'pledger is banned');
    if (quota.isCidBlocked(cid)) return respondError(res, 'legal_takedown', 'this CID is blocked on this server');

    const active = quota.getActivePinsForCid(cid);
    if (active.length === 0) {
      return respondError(res, 'not_found', 'CID is not currently hosted here — you can only backstop a live file');
    }
    const sizeBytes = active[0].size_bytes;
    const quote = pricing.calculateCost({ sizeBytes, hoursRequested: hours, copies });

    if (quota.getPaymentByTxId(tx_id)) return respondError(res, 'conflict', 'tx_id already used');

    const expectedMemo = `ipfs-gate:backstop:${cid}`;
    let payResult;
    try {
      payResult = await hive.verifyPayment({ tx_id, sender: account, expectedMemo, expectedAmount: quote.total });
    } catch (e) {
      return handleError(res, e, 'unprocessable_entity');
    }

    let sc;
    try {
      sc = await hive.verifyHiveEngineSidechain(tx_id);
    } catch (e) {
      return respondError(res, 'unprocessable_entity', `Hive-Engine sidechain unreachable: ${e.message}`);
    }
    if (sc.confirmed === false) {
      const detail = sc.reason === 'rejected'
        ? ((sc.errors || []).join('; ') || 'sidechain rejected the transfer')
        : 'sidechain did not confirm within the retry budget — try again in ~30s';
      return respondError(res, 'unprocessable_entity', `Hive-Engine did not confirm: ${detail}`);
    }

    let payment;
    try {
      payment = quota.recordPayment({
        tx_id, reservation_id: null, uploader: account,
        currency: payResult.currency, amount: payResult.paid,
        memo: expectedMemo, block_num: payResult.block_num, status: 'confirmed'
      });
    } catch (e) {
      return handleError(res, e);
    }

    // Dormant claim: no pin, placeholder start/expiry (set on activation).
    const tnow = quota.now();
    const claim = quota.createOrderWithClaim({
      cid, owner: account, pinId: null, paymentId: payment.id,
      sizeBytes, sizeMB: quote.billable_mb, rateLocked: pricing.RATE_PER_MB_HOUR,
      paidHours: quote.billable_hrs, copies: quote.copies,
      amountPaid: payResult.paid, currency: payResult.currency,
      startTs: tnow, expiryTs: tnow,
      kind: 'backstop', state: 'dormant'
    });

    const queue = quota.getDormantBackstopsForCid(cid).map(c => c.claim_id);
    res.json({
      ok: true, claim_id: claim.claim_id, cid, kind: 'backstop', state: 'dormant',
      pledged_hours: quote.billable_hrs, copies: quote.copies,
      amount_escrowed: payResult.paid, currency: payResult.currency,
      queue_position: queue.indexOf(claim.claim_id) + 1, queue_depth: queue.length
    });
  } catch (e) {
    return handleError(res, e);
  }
});

/**
 * GET /backstop/queue?cid=<cid>
 * Public during testing (cohosting §9) — shows the active funder + the FIFO
 * backstop queue (identities + amounts) for debug visibility.
 */
app.get('/backstop/queue', (req, res) => {
  try {
    const cid = String(req.query.cid || '');
    if (!cid) return respondError(res, 'bad_request', 'cid required');
    const active = quota.getActiveClaimsForCid(cid).map(c => ({
      claim_id: c.claim_id, owner: c.owner, kind: c.kind,
      paid_hours: c.paid_hours, expires_at: isoFromMs(c.expiry_ts)
    }));
    const dormant = quota.getDormantBackstopsForCid(cid).map((c, i) => ({
      position: i + 1, claim_id: c.claim_id, owner: c.owner,
      pledged_hours: c.paid_hours, amount_escrowed: c.amount_paid, currency: c.currency
    }));
    res.json({
      cid,
      active,
      backstop_queue: dormant,
      total_pledged_hours: dormant.reduce((s, c) => s + c.pledged_hours, 0)
    });
  } catch (e) {
    return handleError(res, e);
  }
});

// ─── Extend / top-up (cohosting §8) ──────────────────────────────────────────
// A live host pays more to push their OWN expiry_ts out, billed at the claim's
// rate_locked (never the live rate). No new claim — just more hours.

/**
 * GET /claims/extend/quote?claim_id=<id>&hours=<h>
 * Quote extra hours at the claim's locked rate. Pay then POST /claims/extend.
 */
app.get('/claims/extend/quote', userApiLimiter, (req, res) => {
  try {
    const claimId = String(req.query.claim_id || '');
    const hours = (req.query.hours === undefined) ? 0 : Number(req.query.hours);
    if (!claimId) return respondError(res, 'bad_request', 'claim_id required');
    const claim = quota.getClaim(claimId);
    if (!claim) return respondError(res, 'not_found', 'claim not found');
    if (claim.state !== 'active') return respondError(res, 'conflict', `claim is ${claim.state}; only active claims can be extended`);

    let extraHrs;
    try { extraHrs = pricing.billableHours(hours); } catch (e) { return handleError(res, e); }
    const cost = pricing.roundCoins(claim.size_mb * extraHrs * claim.rate_locked * claim.copies_requested);

    res.json({
      claim_id: claimId,
      payment: {
        currency: claim.currency,
        amount: String(cost),
        escrow_account: IPFS_GATE_HIVE_ACCOUNT,
        memo: `ipfs-gate:extend:${claimId}`
      },
      quote: {
        billable_mb: claim.size_mb, extra_hrs: extraHrs, copies: claim.copies_requested,
        rate_per_mb_hour: claim.rate_locked, total: cost, currency: claim.currency
      }
    });
  } catch (e) {
    return handleError(res, e);
  }
});

/**
 * POST /claims/extend
 * Body: { claim_id, extra_hours, tx_id }
 * Verifies the escrow payment (memo ipfs-gate:extend:<claim_id>, sender = the
 * claim owner, amount ≥ quote at rate_locked) and pushes paid_hours + expiry_ts.
 */
app.post('/claims/extend', uploadLimiter, async (req, res) => {
  try {
    const { claim_id, tx_id } = req.body || {};
    if (typeof claim_id !== 'string' || !claim_id || !tx_id) {
      return respondError(res, 'bad_request', 'claim_id, extra_hours, tx_id required');
    }
    let extraHrs;
    try { extraHrs = pricing.billableHours(req.body && req.body.extra_hours); } catch (e) { return handleError(res, e); }

    const claim = quota.getClaim(claim_id);
    if (!claim) return respondError(res, 'not_found', 'claim not found');
    if (claim.state !== 'active') return respondError(res, 'conflict', `claim is ${claim.state}; only active claims can be extended`);
    if (quota.isCidBlocked(claim.cid)) return respondError(res, 'legal_takedown', 'this CID is blocked on this server');

    const cost = pricing.roundCoins(claim.size_mb * extraHrs * claim.rate_locked * claim.copies_requested);
    if (quota.getPaymentByTxId(tx_id)) return respondError(res, 'conflict', 'tx_id already used');

    const expectedMemo = `ipfs-gate:extend:${claim_id}`;
    let payResult;
    try {
      payResult = await hive.verifyPayment({ tx_id, sender: claim.owner, expectedMemo, expectedAmount: cost });
    } catch (e) {
      return handleError(res, e, 'unprocessable_entity');
    }

    let sc;
    try {
      sc = await hive.verifyHiveEngineSidechain(tx_id);
    } catch (e) {
      return respondError(res, 'unprocessable_entity', `Hive-Engine sidechain unreachable: ${e.message}`);
    }
    if (sc.confirmed === false) {
      const detail = sc.reason === 'rejected'
        ? ((sc.errors || []).join('; ') || 'sidechain rejected the transfer')
        : 'sidechain did not confirm within the retry budget — try again in ~30s';
      return respondError(res, 'unprocessable_entity', `Hive-Engine did not confirm: ${detail}`);
    }

    try {
      quota.recordPayment({
        tx_id, reservation_id: null, uploader: claim.owner,
        currency: payResult.currency, amount: payResult.paid,
        memo: expectedMemo, block_num: payResult.block_num, status: 'confirmed'
      });
    } catch (e) {
      return handleError(res, e);
    }

    const updated = quota.extendClaim(claim_id, claim.owner, extraHrs);
    res.json({
      ok: true, claim_id, added_hours: extraHrs,
      paid_hours: updated.paid_hours, expires_at: isoFromMs(updated.expiry_ts),
      amount_paid: payResult.paid, currency: payResult.currency
    });
  } catch (e) {
    return handleError(res, e);
  }
});

// ─── Admin endpoints ────────────────────────────────────────────────────────

app.post('/admin/ban', requireAdmin, async (req, res) => {
  try {
    const { hive_account, reason, refund_policy } = req.body || {};
    const result = moderation.banAccount({ hive_account, reason, refund_policy });

    // Settle refunds for the banned user's voided claims — per refund_policy.
    // The banned user is NOT innocent (cohosting §7), so no full-refund override.
    const refunds = { sent: 0, pending: 0, failed: 0, skipped: 0 };
    for (const claim of result.voided_claims) {
      const r = await settleForcedRefund(claim, { policy: result.refund_policy, innocent: false });
      refunds[r.status] = (refunds[r.status] || 0) + 1;
    }

    // Unpin from Kubo (best-effort) for CIDs with no funder left (no other user's
    // backstop took the baton).
    let unpinned = 0;
    for (const cid of result.cids_to_unpin) {
      try {
        await kubo.unpin(cid);
        unpinned++;
      } catch (e) {
        console.warn(`[admin/ban] failed to unpin ${cid}: ${e.message}`);
      }
    }
    if (unpinned > 0) {
      try { await kubo.gc(); } catch (e) { /* best-effort */ }
    }

    res.json({
      banned: String(hive_account).toLowerCase(),
      pins_affected: result.pins_affected,
      claims_voided: result.voided_claims.length,
      backstops_activated: result.activated.length,
      cids_unpinned: unpinned,
      refunds,
      moderation_log_id: result.moderation_log_id
    });
  } catch (e) {
    return handleError(res, e);
  }
});

app.post('/admin/unban', requireAdmin, (req, res) => {
  try {
    const { hive_account } = req.body || {};
    const result = moderation.unbanAccount({ hive_account });
    res.json({ unbanned: hive_account.toLowerCase(), moderation_log_id: result.moderation_log_id });
  } catch (e) {
    return handleError(res, e);
  }
});

app.post('/admin/takedown', requireAdmin, async (req, res) => {
  try {
    const { cid, reason, refund_policy } = req.body || {};
    const result = moderation.takedownCid({ cid, reason, refund_policy });

    // Settle refunds (cohosting §7): dormant backstoppers are INNOCENT third
    // parties → full escrow, no fee; the active host/offender follows refund_policy.
    const refunds = { sent: 0, pending: 0, failed: 0, skipped: 0 };
    let backstoppers_refunded = 0;
    for (const claim of result.voided_claims) {
      const innocent = claim.state === 'dormant';
      if (innocent) backstoppers_refunded++;
      const r = await settleForcedRefund(claim, { policy: result.refund_policy, innocent });
      refunds[r.status] = (refunds[r.status] || 0) + 1;
    }

    // Content kill — always unpin (the whole queue was voided; no backstop survives).
    let unpinned = false;
    try {
      await kubo.unpin(cid);
      await kubo.gc();
      unpinned = true;
    } catch (e) {
      console.warn(`[admin/takedown] kubo.unpin failed: ${e.message}`);
    }
    res.json({
      cid,
      pins_affected: result.pins_affected,
      claims_voided: result.voided_claims.length,
      backstoppers_refunded,
      refund_policy: result.refund_policy,
      refunds,
      unpinned_from_kubo: unpinned,
      moderation_log_id: result.moderation_log_id
    });
  } catch (e) {
    return handleError(res, e);
  }
});

app.post('/admin/untakedown', requireAdmin, (req, res) => {
  try {
    const { cid } = req.body || {};
    const result = moderation.untakedownCid({ cid });
    res.json({ cid, moderation_log_id: result.moderation_log_id });
  } catch (e) {
    return handleError(res, e);
  }
});

app.get('/admin/uploads', requireAdmin, (req, res) => {
  try {
    const account = (req.query.account || '').toLowerCase();
    if (!account) return respondError(res, 'bad_request', 'account query param required');
    const limit = Math.min(parseInt(req.query.limit || '100', 10), 500);
    const offset = parseInt(req.query.offset || '0', 10);
    const uploads = quota.listUploadsForAccount(account, limit, offset).map(u => ({
      pin_id: u.pin_id,
      cid: u.cid,
      size_bytes: u.size_bytes,
      created_at: isoFromMs(u.created_at),
      expires_at: isoFromMs(u.expires_at),
      status: u.status,
      status_reason: u.status_reason,
      payment: { tx_id: u.tx_id, amount: u.amount, currency: u.currency }
    }));
    res.json({
      account,
      total: quota.countUploadsForAccount(account),
      limit,
      offset,
      uploads
    });
  } catch (e) {
    return handleError(res, e);
  }
});

app.get('/admin/bans', requireAdmin, (req, res) => {
  try {
    const bans = moderation.listBans().map(b => ({
      hive_account: b.hive_account,
      banned_at: isoFromMs(b.banned_at),
      banned_by: b.banned_by,
      reason: b.reason,
      refund_policy: b.refund_policy
    }));
    res.json({ bans });
  } catch (e) {
    return handleError(res, e);
  }
});

app.get('/admin/takedowns', requireAdmin, (req, res) => {
  try {
    const takedowns = moderation.listTakedowns().map(t => ({
      cid: t.cid,
      blocked_at: isoFromMs(t.blocked_at),
      blocked_by: t.blocked_by,
      reason: t.reason
    }));
    res.json({ takedowns });
  } catch (e) {
    return handleError(res, e);
  }
});

app.post('/admin/takedowns/import', requireAdmin, (req, res) => {
  try {
    const list = (req.body && req.body.takedowns) || [];
    const result = moderation.importTakedowns(list);
    res.json(result);
  } catch (e) {
    return handleError(res, e);
  }
});

app.get('/admin/moderation/log', requireAdmin, (req, res) => {
  try {
    const limit = Math.min(parseInt(req.query.limit || '50', 10), 500);
    const offset = parseInt(req.query.offset || '0', 10);
    const { log, total } = moderation.listModerationLog(limit, offset);
    res.json({
      log: log.map(r => ({
        id: r.id,
        action: r.action,
        target_type: r.target_type,
        target: r.target,
        reason: r.reason,
        admin_id: r.admin_id,
        timestamp: isoFromMs(r.timestamp),
        metadata: r.metadata
      })),
      total,
      limit,
      offset
    });
  } catch (e) {
    return handleError(res, e);
  }
});

app.get('/admin/stats', requireAdmin, async (req, res) => {
  try {
    const db = quota.open();
    const diskUsage = quota.getDiskUsage();
    const pinsByStatus = db.prepare(
      "SELECT status, COUNT(*) AS c FROM pins GROUP BY status"
    ).all().reduce((acc, r) => (acc[r.status] = r.c, acc), {});
    const paymentsByStatus = db.prepare(
      "SELECT status, COUNT(*) AS c FROM payments GROUP BY status"
    ).all().reduce((acc, r) => (acc[r.status] = r.c, acc), {});
    const totalRevenue = db.prepare(
      "SELECT currency, COALESCE(SUM(amount),0) AS total FROM payments WHERE status='confirmed' GROUP BY currency"
    ).all().reduce((acc, r) => (acc[r.currency] = r.total, acc), {});
    const activeBans = db.prepare(
      "SELECT COUNT(*) AS c FROM banned_accounts WHERE unbanned_at IS NULL"
    ).get().c;
    const activeTakedowns = db.prepare(
      "SELECT COUNT(*) AS c FROM blocked_cids WHERE unblocked_at IS NULL"
    ).get().c;
    const recentActions24h = db.prepare(
      "SELECT COUNT(*) AS c FROM moderation_log WHERE timestamp > ?"
    ).get(quota.now() - 24 * 60 * 60 * 1000).c;

    const kuboStats = await kubo.stats();

    res.json({
      disk: {
        limit_bytes: diskUsage.limit_bytes,
        used_bytes: diskUsage.used_bytes,
        available_bytes: diskUsage.available_bytes,
        used_percent: diskUsage.limit_bytes > 0
          ? Math.round((diskUsage.used_bytes / diskUsage.limit_bytes) * 10000) / 100
          : 0
      },
      pins: {
        active_count: pinsByStatus.active || 0,
        expired_count: pinsByStatus.expired || 0,
        banned_count: pinsByStatus.banned || 0,
        takedown_count: pinsByStatus.takedown || 0
      },
      payments: {
        confirmed_count: paymentsByStatus.confirmed || 0,
        orphan_count: paymentsByStatus.orphan || 0,
        paid_unconfirmed_count: paymentsByStatus.paid_unconfirmed || 0,
        refunded_count: paymentsByStatus.refunded || 0,
        total_revenue: totalRevenue
      },
      moderation: {
        active_bans: activeBans,
        active_takedowns: activeTakedowns,
        recent_actions_24h: recentActions24h
      },
      kubo: kuboStats
    });
  } catch (e) {
    return handleError(res, e);
  }
});

app.get('/admin/orphan-payments', requireAdmin, (req, res) => {
  try {
    const orphans = moderation.listOrphanPayments().map(p => ({
      payment_id: p.id,
      tx_id: p.tx_id,
      uploader: p.uploader,
      currency: p.currency,
      amount: p.amount,
      memo: p.memo,
      verified_at: isoFromMs(p.verified_at),
      status: p.status,
      reason_unmatched: p.memo && !quota.parseMemoReservationId(p.memo)
        ? 'memo did not match ipfs-gate:upload:<id> pattern'
        : 'matched memo but sidechain unconfirmed'
    }));
    res.json({ orphans });
  } catch (e) {
    return handleError(res, e);
  }
});

app.post('/admin/log-refund', requireAdmin, (req, res) => {
  try {
    const { payment_id, refund_tx_id, reason } = req.body || {};
    const result = moderation.logManualRefund({ payment_id, refund_tx_id, reason });
    res.json(result);
  } catch (e) {
    return handleError(res, e);
  }
});

// ─── 404 ────────────────────────────────────────────────────────────────────

app.use((req, res) => {
  respondError(res, 'not_found', `no route for ${req.method} ${req.path}`);
});

// ─── Boot ───────────────────────────────────────────────────────────────────

async function boot() {
  quota.open();
  quota.runMigrations();

  // Probe Kubo (non-fatal — server can run, just won't be useful)
  try {
    const s = await kubo.stats();
    if (s.status !== 'ok') {
      console.warn(`[server] kubo backend status: ${s.status} (${s.error || 'unknown'})`);
    } else {
      console.log(`[server] kubo backend OK, version ${s.version}, used ${s.used_bytes} bytes`);
    }
  } catch (e) {
    console.warn(`[server] kubo probe failed at boot: ${e.message} — will continue, but uploads will fail until Kubo is reachable.`);
  }

  sweeper.start();

  app.listen(PORT, BIND_HOST, () => {
    console.log(`ipfs-gate v1 (claim model) listening on ${BIND_HOST}:${PORT}`);
    console.log(`  operator account: @${IPFS_GATE_HIVE_ACCOUNT}`);
    console.log(`  pricing: ${pricing.RATE_PER_MB_HOUR} ${PAYMENT_CURRENCY} / MB-hour, min ${pricing.MIN_HOURS}h, ${pricing.NODE_COUNT} node(s), ≤${MAX_FILE_SIZE_MB}MB`);
    console.log(`  refunds: ${process.env.IPFS_GATE_ACTIVE_KEY ? 'auto (escrow key set)' : 'MANUAL — IPFS_GATE_ACTIVE_KEY unset, refunds recorded pending'}`);
    console.log(`  CORS origin: ${CORS_ORIGIN}`);
  });
}

boot().catch(e => {
  console.error('[server] boot failed:', e);
  process.exit(1);
});

// Graceful shutdown
function shutdown(sig) {
  console.log(`[server] received ${sig}, shutting down...`);
  sweeper.stop();
  process.exit(0);
}
process.on('SIGTERM', () => shutdown('SIGTERM'));
process.on('SIGINT', () => shutdown('SIGINT'));