feat(pitch-deck): admin UI for investor + financial-model management

Adds /pitch-admin dashboard with real admin accounts (bcrypt) and full
audit attribution for every state-changing action.

Backend:
- pitch_admins + pitch_admin_sessions tables (migration 002)
- pitch_audit_logs.admin_id + target_investor_id columns
- lib/admin-auth.ts: bcryptjs hashing, single-session enforcement,
  jose JWT with 'pitch-admin' audience claim, requireAdmin guard
- logAudit extended to accept admin_id and target_investor_id
- middleware.ts: gates /pitch-admin/* and /api/admin/* on the admin
  cookie (with bearer-secret fallback for CLI compatibility)
- 14 API routes under /api/admin-auth and /api/admin (login, logout,
  me, dashboard, investors[id] CRUD + resend, admins CRUD,
  fm scenarios + assumptions PATCH)
- Existing /api/admin/{invite,investors,revoke,audit-logs} migrated
  to requireAdmin and now log with admin_id + target_investor_id
- scripts/create-admin.ts CLI bootstrap (npm run admin:create)

Frontend:
- /pitch-admin/login + /pitch-admin/(authed) route group
- AdminShell with sidebar nav + StatCard + AuditLogTable components
- Dashboard with KPIs, recent logins, recent activity
- Investors list with search/filter + resend/revoke inline actions
- Investor detail with inline edit + per-investor audit timeline
- Audit log viewer with actor/action/date filters + pagination
- Financial model scenario list + per-scenario assumption editor
  (categorized, inline edit, before/after diff in audit)
- Admins management (add, deactivate, reset password)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

pitch-deck/middleware.ts

@@ -1,11 +1,13 @@
 import { NextRequest, NextResponse } from 'next/server'
 import { jwtVerify } from 'jose'
 
+// Paths that bypass auth entirely
 const PUBLIC_PATHS = [
-  '/auth',
-  '/api/auth',
+  '/auth',                    // investor login pages
+  '/api/auth',                // investor auth API
   '/api/health',
-  '/api/admin',
+  '/api/admin-auth',          // admin login API
+  '/pitch-admin/login',       // admin login page
   '/_next',
   '/manifest.json',
   '/sw.js',
@@ -13,54 +15,82 @@ const PUBLIC_PATHS = [
   '/favicon.ico',
 ]
 
+// Paths gated on the admin session cookie
+const ADMIN_GATED_PREFIXES = ['/pitch-admin', '/api/admin']
+
 function isPublicPath(pathname: string): boolean {
   return PUBLIC_PATHS.some(p => pathname === p || pathname.startsWith(p + '/'))
 }
 
+function isAdminGatedPath(pathname: string): boolean {
+  return ADMIN_GATED_PREFIXES.some(p => pathname === p || pathname.startsWith(p + '/'))
+}
+
+const ADMIN_AUDIENCE = 'pitch-admin'
+
 export async function middleware(request: NextRequest) {
   const { pathname } = request.nextUrl
+  const secret = process.env.PITCH_JWT_SECRET
 
   // Allow public paths
   if (isPublicPath(pathname)) {
     return NextResponse.next()
   }
 
-  // Check for session cookie
-  const token = request.cookies.get('pitch_session')?.value
+  // ----- Admin-gated routes -----
+  if (isAdminGatedPath(pathname)) {
+    // Allow legacy bearer-secret CLI access on /api/admin/* (the API routes themselves
+    // also check this and log as actor='cli'). The bearer header is opaque to the JWT
+    // path, so we just let it through here and let the route handler enforce.
+    if (pathname.startsWith('/api/admin') && request.headers.get('authorization')?.startsWith('Bearer ')) {
+      return NextResponse.next()
+    }
 
-  if (!token) {
-    return NextResponse.redirect(new URL('/auth', request.url))
+    const adminToken = request.cookies.get('pitch_admin_session')?.value
+    if (!adminToken || !secret) {
+      if (pathname.startsWith('/api/')) {
+        return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
+      }
+      return NextResponse.redirect(new URL('/pitch-admin/login', request.url))
+    }
+
+    try {
+      await jwtVerify(adminToken, new TextEncoder().encode(secret), { audience: ADMIN_AUDIENCE })
+      return NextResponse.next()
+    } catch {
+      if (pathname.startsWith('/api/')) {
+        return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
+      }
+      const response = NextResponse.redirect(new URL('/pitch-admin/login', request.url))
+      response.cookies.delete('pitch_admin_session')
+      return response
+    }
   }
 
-  // Verify JWT
-  const secret = process.env.PITCH_JWT_SECRET
-  if (!secret) {
+  // ----- Investor-gated routes (everything else) -----
+  const token = request.cookies.get('pitch_session')?.value
+
+  if (!token || !secret) {
     return NextResponse.redirect(new URL('/auth', request.url))
   }
 
   try {
     const { payload } = await jwtVerify(token, new TextEncoder().encode(secret))
 
-    // Add investor info to headers for downstream use
     const response = NextResponse.next()
     response.headers.set('x-investor-id', payload.sub as string)
     response.headers.set('x-investor-email', payload.email as string)
     response.headers.set('x-session-id', payload.sessionId as string)
 
-    // Auto-refresh JWT if within last 15 minutes of expiry
     const exp = payload.exp as number
     const now = Math.floor(Date.now() / 1000)
     const timeLeft = exp - now
-
     if (timeLeft < 900 && timeLeft > 0) {
-      // Import dynamically to avoid Edge runtime issues with pg
-      // The actual refresh happens server-side in the API routes
       response.headers.set('x-token-refresh-needed', 'true')
     }
 
     return response
   } catch {
-    // Invalid or expired JWT
     const response = NextResponse.redirect(new URL('/auth', request.url))
     response.cookies.delete('pitch_session')
     return response
@@ -68,13 +98,5 @@ export async function middleware(request: NextRequest) {
 }
 
 export const config = {
-  matcher: [
-    /*
-     * Match all request paths except:
-     * - _next/static (static files)
-     * - _next/image (image optimization files)
-     * - favicon.ico (favicon file)
-     */
-    '/((?!_next/static|_next/image).*)',
-  ],
+  matcher: ['/((?!_next/static|_next/image).*)'],
 }