security: re-secure fp-patch after 1M data import

pitch-deck/app/api/admin/fp-patch/route.ts

@@ -1,44 +1,17 @@
 import { NextRequest, NextResponse } from 'next/server'
+import { requireAdmin } from '@/lib/admin-auth'
 import pool from '@/lib/db'
 import { computeFinanzplan } from '@/lib/finanzplan/engine'
 
+/** Admin-only: recompute a Finanzplan scenario. */
 export async function POST(request: NextRequest) {
+  const guard = await requireAdmin(request)
+  if (guard.kind === 'response') return guard.response
+
   const body = await request.json().catch(() => ({}))
-  const results: string[] = []
+  const scenarioId = body.scenarioId || (await pool.query("SELECT id FROM fp_scenarios WHERE is_default = true LIMIT 1")).rows[0]?.id
+  if (!scenarioId) return NextResponse.json({ error: 'No scenario found' }, { status: 404 })
 
-  try {
+  const result = await computeFinanzplan(pool, scenarioId)
-    const BASE = (await pool.query("SELECT id FROM fp_scenarios WHERE is_default=true LIMIT 1")).rows[0]?.id
+  return NextResponse.json({ success: true, scenarioId, cash_m60: result.liquiditaet?.endstand?.m60 })
-    if (!BASE) return NextResponse.json({ ok: false, error: 'No base scenario' })
-
-    // Import betriebliche
-    if (body.betriebliche?.length) {
-      await pool.query(`DELETE FROM fp_betriebliche_aufwendungen WHERE scenario_id=$1`, [BASE])
-      for (const r of body.betriebliche) {
-        await pool.query(
-          `INSERT INTO fp_betriebliche_aufwendungen (scenario_id,category,row_label,row_index,is_editable,is_sum_row,formula_desc,values,sort_order) VALUES ($1,$2,$3,$4,$5,$6,$7,$8,$9)`,
-          [BASE, r.category, r.row_label, r.row_index, r.is_editable, r.is_sum_row, r.formula_desc, JSON.stringify(r.values), r.sort_order])
-      }
-      results.push(`betriebliche: ${body.betriebliche.length}`)
-    }
-
-    // Fix founders start_date if needed (should be Oct 2026)
-    const { rowCount: f1 } = await pool.query(
-      `UPDATE fp_personalkosten SET start_date='2026-10-01' WHERE scenario_id=$1 AND person_name ILIKE '%Benjamin%' AND (start_date IS NULL OR start_date > '2026-10-01')`, [BASE])
-    const { rowCount: f2 } = await pool.query(
-      `UPDATE fp_personalkosten SET start_date='2026-10-01' WHERE scenario_id=$1 AND person_name ILIKE '%Sharang%' AND (start_date IS NULL OR start_date > '2026-10-01')`, [BASE])
-    if (f1 || f2) results.push(`Founders start fixed: B=${f1} S=${f2}`)
-
-    // Recompute
-    const r = await computeFinanzplan(pool, BASE)
-    results.push(`BASE cash_m60=${r.liquiditaet?.endstand?.m60}`)
-
-    // Verify founders
-    const { rows: check } = await pool.query(
-      `SELECT person_name, start_date, brutto_monthly, (values_total->>'m10')::numeric as okt26 FROM fp_personalkosten WHERE scenario_id=$1 AND sort_order <= 2 ORDER BY sort_order`, [BASE])
-    results.push(`Founders: ${JSON.stringify(check)}`)
-  } catch (err) {
-    results.push(`ERROR: ${err instanceof Error ? err.message : String(err)}`)
-  }
-
-  return NextResponse.json({ ok: true, results })
 }

pitch-deck/middleware.ts

@@ -6,7 +6,6 @@ const PUBLIC_PATHS = [
   '/auth',                    // investor login pages
   '/api/auth',                // investor auth API
   '/api/health',
-  '/api/admin/fp-patch',
   '/api/admin-auth',          // admin login API
   '/pitch-admin/login',       // admin login page
   '/_next',