security: re-secure fp-patch after execution

pitch-deck/app/api/admin/fp-patch/route.ts

@@ -1,56 +1,27 @@
-import { NextResponse } from 'next/server'
+import { NextRequest, NextResponse } from 'next/server'
+import { requireAdmin } from '@/lib/admin-auth'
 import pool from '@/lib/db'
 import { computeFinanzplan } from '@/lib/finanzplan/engine'
 
-/** TEMP public — will be re-secured after execution */
+/**
-export async function POST() {
+ * Admin-only: recompute a Finanzplan scenario.
-  const results: string[] = []
+ * POST /api/admin/fp-patch  { scenarioId?: string }
-  const WD = 'c0000000-0000-0000-0000-000000000200'
+ */
+export async function POST(request: NextRequest) {
+  const guard = await requireAdmin(request)
+  if (guard.kind === 'response') return guard.response
 
-  try {
+  const body = await request.json().catch(() => ({}))
-    // 1. Clear Fremdkapital m10 (200k was wrong)
+  const scenarioId = body.scenarioId || (await pool.query("SELECT id FROM fp_scenarios WHERE is_default = true LIMIT 1")).rows[0]?.id
-    await pool.query(`
-      UPDATE fp_liquiditaet SET values = jsonb_set(values, '{m10}', '0')
-      WHERE scenario_id = $1 AND row_label = 'Erhaltenes Fremdkapital'
-    `, [WD])
-    results.push('CLEARED Fremdkapital m10')
 
-    // 2. Add Rechtsanwalt (50%) at sort_order 3, move Full-Stack to 10
+  if (!scenarioId) {
-    // First check if already done
+    return NextResponse.json({ error: 'No scenario found' }, { status: 404 })
-    const { rows: existing } = await pool.query(
-      `SELECT id FROM fp_personalkosten WHERE scenario_id = $1 AND position ILIKE '%Datenschutzjurist%'`, [WD]
-    )
-    if (existing.length === 0) {
-      // Move Full-Stack from sort 3 to 10
-      await pool.query(`
-        UPDATE fp_personalkosten SET sort_order = 10
-        WHERE scenario_id = $1 AND sort_order = 3 AND position ILIKE '%Full-Stack%'
-      `, [WD])
-      // Insert Rechtsanwalt
-      await pool.query(`
-        INSERT INTO fp_personalkosten (
-          scenario_id, person_name, position, start_date, brutto_monthly,
-          annual_raise_pct, ag_sozial_pct, is_editable, sort_order,
-          values_brutto, values_sozial, values_total
-        ) VALUES ($1, 'Pos 3', 'IT-Recht / Datenschutzjurist (50%)', '2026-10-01', 3333.00,
-          3.0, 20.425, true, 3, '{}', '{}', '{}')
-      `, [WD])
-      results.push('ADDED Rechtsanwalt (50%) at pos 3, moved Full-Stack to 10')
-    } else {
-      results.push('Rechtsanwalt already exists, skipped')
-    }
-
-    // 3. Recompute WD
-    const r1 = await computeFinanzplan(pool, WD)
-    results.push(`COMPUTED WD: cash_m60=${r1.liquiditaet?.endstand?.m60}`)
-
-    // 4. Recompute Base
-    const { rows: base } = await pool.query("SELECT id FROM fp_scenarios WHERE is_default = true LIMIT 1")
-    const r2 = await computeFinanzplan(pool, base[0].id)
-    results.push(`COMPUTED BASE: cash_m60=${r2.liquiditaet?.endstand?.m60}`)
-  } catch (err) {
-    results.push(`ERROR: ${err instanceof Error ? err.message : String(err)}`)
   }
 
-  return NextResponse.json({ success: true, results })
+  const result = await computeFinanzplan(pool, scenarioId)
+  return NextResponse.json({
+    success: true,
+    scenarioId,
+    cash_m60: result.liquiditaet?.endstand?.m60,
+  })
 }

pitch-deck/middleware.ts

@@ -6,7 +6,6 @@ const PUBLIC_PATHS = [
   '/auth',                    // investor login pages
   '/api/auth',                // investor auth API
   '/api/health',
-  '/api/admin/fp-patch',
   '/api/admin-auth',          // admin login API
   '/pitch-admin/login',       // admin login page
   '/_next',