Benjamin_Boenisch/breakpilot-core
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

security: re-secure fp-patch
All checks were successful
Build pitch-deck / build-push-deploy (push) Successful in 1m11s
Details
CI / go-lint (push) Has been skipped
Details
CI / python-lint (push) Has been skipped
Details
CI / nodejs-lint (push) Has been skipped
Details
CI / test-go-consent (push) Successful in 35s
Details
CI / test-python-voice (push) Successful in 37s
Details
CI / test-bqas (push) Successful in 33s
Details

Browse Source
This commit is contained in:
Benjamin Admin
2026-04-22 20:37:51 +02:00
parent b28f266cbe
commit 2195ccfa1a
2 changed files with 9 additions and 42 deletions
Download Patch File Download Diff File Expand all files Collapse all files

50
pitch-deck/app/api/admin/fp-patch/route.ts
View File

@@ -1,49 +1,17 @@
import { NextRequest, NextResponse } from 'next/server'
import { requireAdmin } from '@/lib/admin-auth'
import pool from '@/lib/db'
import { computeFinanzplan } from '@/lib/finanzplan/engine'
/** Admin-only: recompute a Finanzplan scenario. */
export async function POST(request: NextRequest) {
const guard = await requireAdmin(request)
if (guard.kind === 'response') return guard.response
const body = await request.json().catch(() => ({}))
const results: string[] = []
const scenarioId = body.scenarioId || (await pool.query("SELECT id FROM fp_scenarios WHERE is_default = true LIMIT 1")).rows[0]?.id
if (!scenarioId) return NextResponse.json({ error: 'No scenario found' }, { status: 404 })
try {
// Get Base Case scenario ID on production
const BASE = (await pool.query("SELECT id FROM fp_scenarios WHERE is_default=true LIMIT 1")).rows[0]?.id
if (!BASE) { results.push('NO BASE SCENARIO'); return NextResponse.json({ ok: false, results }) }
// Import kunden
if (body.kunden?.length) {
await pool.query(`DELETE FROM fp_kunden WHERE scenario_id=$1`, [BASE])
for (const r of body.kunden) {
await pool.query(
`INSERT INTO fp_kunden (scenario_id,segment_name,segment_index,row_label,row_index,is_editable,values,sort_order) VALUES ($1,$2,$3,$4,$5,$6,$7,$8)`,
[BASE, r.segment_name, r.segment_index, r.row_label, r.row_index, r.is_editable, JSON.stringify(r.values), r.sort_order])
}
results.push(`kunden: ${body.kunden.length}`)
}
// Import umsatz
if (body.umsatz?.length) {
await pool.query(`DELETE FROM fp_umsatzerloese WHERE scenario_id=$1`, [BASE])
for (const r of body.umsatz) {
await pool.query(
`INSERT INTO fp_umsatzerloese (scenario_id,section,row_label,row_index,is_editable,values,sort_order) VALUES ($1,$2,$3,$4,$5,$6,$7)`,
[BASE, r.section, r.row_label, r.row_index, r.is_editable, JSON.stringify(r.values), r.sort_order])
}
results.push(`umsatz: ${body.umsatz.length}`)
}
// Recompute Base Case
const r = await computeFinanzplan(pool, BASE)
results.push(`BASE cash_m60=${r.liquiditaet?.endstand?.m60}`)
// Verify
const { rows: guv } = await pool.query(
`SELECT (values->>'y2026')::numeric as y26, (values->>'y2030')::numeric as y30 FROM fp_guv WHERE scenario_id=$1 AND row_label='Umsatzerlöse'`, [BASE])
results.push(`Umsatz: ${JSON.stringify(guv[0])}`)
} catch (err) {
results.push(`ERROR: ${err instanceof Error ? err.message : String(err)}`)
}
return NextResponse.json({ ok: true, results })
const result = await computeFinanzplan(pool, scenarioId)
return NextResponse.json({ success: true, scenarioId, cash_m60: result.liquiditaet?.endstand?.m60 })
}

1
pitch-deck/middleware.ts
View File

@@ -6,7 +6,6 @@ const PUBLIC_PATHS = [
'/auth', // investor login pages
'/api/auth', // investor auth API
'/api/health',
'/api/admin/fp-patch',
'/api/admin-auth', // admin login API
'/pitch-admin/login', // admin login page
'/_next',