feat(pitch-deck): admin UI for investor + financial-model management (#3)

Adds /pitch-admin dashboard with real bcrypt admin accounts and full
audit attribution for every state-changing action.

- pitch_admins + pitch_admin_sessions tables (migration 002)
- pitch_audit_logs.admin_id + target_investor_id columns
- lib/admin-auth.ts: bcryptjs, single-session, jose JWT with audience claim
- middleware.ts: two-cookie gating with bearer-secret CLI fallback
- 14 new API routes (admin-auth, dashboard, investor detail/edit/resend,
  admins CRUD, fm scenarios + assumptions PATCH)
- 9 admin pages: login, dashboard, investors list/new/[id], audit,
  financial-model list/[id], admins
- Bootstrap CLI: npm run admin:create
- 36 vitest tests covering auth, admin-auth, rate-limit primitives

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

pitch-deck/app/api/admin/audit-logs/route.ts

@@ -1,42 +1,77 @@
 import { NextRequest, NextResponse } from 'next/server'
 import pool from '@/lib/db'
-import { validateAdminSecret } from '@/lib/auth'
+import { requireAdmin } from '@/lib/admin-auth'
 
 export async function GET(request: NextRequest) {
-  if (!validateAdminSecret(request)) {
-    return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
-  }
+  const guard = await requireAdmin(request)
+  if (guard.kind === 'response') return guard.response
 
   const { searchParams } = new URL(request.url)
   const investorId = searchParams.get('investor_id')
+  const targetInvestorId = searchParams.get('target_investor_id')
+  const adminId = searchParams.get('admin_id')
+  const actorType = searchParams.get('actor_type')      // 'admin' | 'investor'
   const action = searchParams.get('action')
+  const since = searchParams.get('since')               // ISO date
+  const until = searchParams.get('until')
   const limit = Math.min(parseInt(searchParams.get('limit') || '100'), 500)
   const offset = parseInt(searchParams.get('offset') || '0')
 
   const conditions: string[] = []
   const params: unknown[] = []
-  let paramIdx = 1
+  let p = 1
 
   if (investorId) {
-    conditions.push(`a.investor_id = $${paramIdx++}`)
+    conditions.push(`a.investor_id = $${p++}`)
     params.push(investorId)
   }
+  if (targetInvestorId) {
+    conditions.push(`a.target_investor_id = $${p++}`)
+    params.push(targetInvestorId)
+  }
+  if (adminId) {
+    conditions.push(`a.admin_id = $${p++}`)
+    params.push(adminId)
+  }
+  if (actorType === 'admin') {
+    conditions.push(`a.admin_id IS NOT NULL`)
+  } else if (actorType === 'investor') {
+    conditions.push(`a.investor_id IS NOT NULL`)
+  }
   if (action) {
-    conditions.push(`a.action = $${paramIdx++}`)
+    conditions.push(`a.action = $${p++}`)
     params.push(action)
   }
+  if (since) {
+    conditions.push(`a.created_at >= $${p++}`)
+    params.push(since)
+  }
+  if (until) {
+    conditions.push(`a.created_at <= $${p++}`)
+    params.push(until)
+  }
 
   const where = conditions.length > 0 ? `WHERE ${conditions.join(' AND ')}` : ''
 
   const { rows } = await pool.query(
-    `SELECT a.*, i.email as investor_email, i.name as investor_name
+    `SELECT a.*,
+            i.email AS investor_email, i.name AS investor_name,
+            ti.email AS target_investor_email, ti.name AS target_investor_name,
+            ad.email AS admin_email, ad.name AS admin_name
      FROM pitch_audit_logs a
      LEFT JOIN pitch_investors i ON i.id = a.investor_id
+     LEFT JOIN pitch_investors ti ON ti.id = a.target_investor_id
+     LEFT JOIN pitch_admins ad ON ad.id = a.admin_id
      ${where}
      ORDER BY a.created_at DESC
-     LIMIT $${paramIdx++} OFFSET $${paramIdx++}`,
-    [...params, limit, offset]
+     LIMIT $${p++} OFFSET $${p++}`,
+    [...params, limit, offset],
   )
 
-  return NextResponse.json({ logs: rows })
+  const totalRes = await pool.query(
+    `SELECT COUNT(*)::int AS total FROM pitch_audit_logs a ${where}`,
+    params,
+  )
+
+  return NextResponse.json({ logs: rows, total: totalRes.rows[0].total })
 }