feat: implement complete admin dashboard (Phase 8)

Add full admin backend and frontend for system management:

Backend: AdminOnlyMiddleware, 20 admin API handlers for user management,
agent management (verify/unverify/delete), report moderation, category
CRUD, global analytics, and invocation logs. Extended UserAuth, Review,
Invocation, and Reputation store/service layers with admin-specific
queries (ListUsers, ListReports, GlobalStats, TopAgents, etc).

Frontend: AdminGuard, admin API client, data hooks, 7-link sidebar,
and 8 admin pages (Overview, Users, Agents, AgentDetail, Reports,
Categories, Analytics, Invocations) with search, filtering, pagination,
and inline CRUD operations.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Author: gcmsg

internal/invocation/postgres.go

@@ -196,6 +196,139 @@ func (s *PostgresStore) ProviderDashboardStats(ctx context.Context, ownerUserID
 	return &stats, nil
 }
 
+func (s *PostgresStore) ListAll(ctx context.Context, agentID, userID string, limit, offset int) ([]InvocationRecord, int, error) {
+	if limit <= 0 {
+		limit = 50
+	}
+
+	where := "1=1"
+	var args []interface{}
+	argN := 1
+	if agentID != "" {
+		where += fmt.Sprintf(" AND agent_id = $%d", argN)
+		args = append(args, agentID)
+		argN++
+	}
+	if userID != "" {
+		where += fmt.Sprintf(" AND user_id = $%d", argN)
+		args = append(args, userID)
+		argN++
+	}
+
+	var total int
+	countArgs := make([]interface{}, len(args))
+	copy(countArgs, args)
+	if err := s.db.QueryRowContext(ctx, "SELECT COUNT(*) FROM invocations WHERE "+where, countArgs...).Scan(&total); err != nil {
+		return nil, 0, err
+	}
+
+	args = append(args, limit, offset)
+	rows, err := s.db.QueryContext(ctx,
+		fmt.Sprintf("SELECT id, agent_id, user_id, protocol, status_code, duration_ms, error, ip_address, created_at FROM invocations WHERE %s ORDER BY created_at DESC LIMIT $%d OFFSET $%d", where, argN, argN+1),
+		args...,
+	)
+	if err != nil {
+		return nil, 0, err
+	}
+	defer func() { _ = rows.Close() }()
+
+	var records []InvocationRecord
+	for rows.Next() {
+		var r InvocationRecord
+		if err := rows.Scan(&r.ID, &r.AgentID, &r.UserID, &r.Protocol, &r.StatusCode, &r.DurationMs, &r.Error, &r.IPAddress, &r.CreatedAt); err != nil {
+			return nil, 0, err
+		}
+		records = append(records, r)
+	}
+	return records, total, rows.Err()
+}
+
+func (s *PostgresStore) GlobalStats(ctx context.Context, since time.Time) (*AgentInvocationStats, error) {
+	var stats AgentInvocationStats
+	err := s.db.QueryRowContext(ctx,
+		`SELECT COUNT(*),
+		        SUM(CASE WHEN status_code >= 200 AND status_code < 400 THEN 1 ELSE 0 END),
+		        SUM(CASE WHEN status_code >= 400 OR error != '' THEN 1 ELSE 0 END),
+		        COALESCE(AVG(duration_ms), 0)
+		 FROM invocations WHERE created_at >= $1`,
+		since.UTC(),
+	).Scan(&stats.TotalCalls, &stats.SuccessCalls, &stats.ErrorCalls, &stats.AvgDurationMs)
+	if err != nil {
+		return nil, err
+	}
+	return &stats, nil
+}
+
+func (s *PostgresStore) GlobalTimeSeries(ctx context.Context, since time.Time, bucketMinutes int) ([]TimeSeriesPoint, error) {
+	if bucketMinutes <= 0 {
+		bucketMinutes = 60
+	}
+	rows, err := s.db.QueryContext(ctx,
+		fmt.Sprintf(`SELECT
+			date_trunc('hour', created_at) + (EXTRACT(minute FROM created_at)::int / %d * %d) * interval '1 minute' as bucket,
+			COUNT(*),
+			SUM(CASE WHEN status_code >= 200 AND status_code < 400 THEN 1 ELSE 0 END),
+			SUM(CASE WHEN status_code >= 400 OR error != '' THEN 1 ELSE 0 END),
+			COALESCE(AVG(duration_ms), 0)
+		 FROM invocations WHERE created_at >= $1
+		 GROUP BY bucket ORDER BY bucket`, bucketMinutes, bucketMinutes),
+		since.UTC(),
+	)
+	if err != nil {
+		return nil, err
+	}
+	defer func() { _ = rows.Close() }()
+
+	var points []TimeSeriesPoint
+	for rows.Next() {
+		var p TimeSeriesPoint
+		if err := rows.Scan(&p.Timestamp, &p.TotalCalls, &p.SuccessCalls, &p.ErrorCalls, &p.AvgDurationMs); err != nil {
+			return nil, err
+		}
+		points = append(points, p)
+	}
+	return points, rows.Err()
+}
+
+func (s *PostgresStore) TopAgents(ctx context.Context, since time.Time, limit int) ([]AgentCallStats, error) {
+	if limit <= 0 {
+		limit = 10
+	}
+	rows, err := s.db.QueryContext(ctx,
+		`SELECT i.agent_id, COALESCE(a.name, i.agent_id),
+		        COUNT(*),
+		        SUM(CASE WHEN i.status_code >= 200 AND i.status_code < 400 THEN 1 ELSE 0 END),
+		        SUM(CASE WHEN i.status_code >= 400 OR i.error != '' THEN 1 ELSE 0 END),
+		        COALESCE(AVG(i.duration_ms), 0)
+		 FROM invocations i
+		 LEFT JOIN agents a ON a.id = i.agent_id
+		 WHERE i.created_at >= $1
+		 GROUP BY i.agent_id, a.name
+		 ORDER BY COUNT(*) DESC LIMIT $2`,
+		since.UTC(), limit,
+	)
+	if err != nil {
+		return nil, err
+	}
+	defer func() { _ = rows.Close() }()
+
+	var stats []AgentCallStats
+	for rows.Next() {
+		var s AgentCallStats
+		if err := rows.Scan(&s.AgentID, &s.AgentName, &s.TotalCalls, &s.SuccessCalls, &s.ErrorCalls, &s.AvgDurationMs); err != nil {
+			return nil, err
+		}
+		stats = append(stats, s)
+	}
+	return stats, rows.Err()
+}
+
+func (s *PostgresStore) CountInvocations(ctx context.Context) (int, error) {
+	var count int
+	err := s.db.QueryRowContext(ctx, "SELECT COUNT(*) FROM invocations").Scan(&count)
+	return count, err
+}
+
 func (s *PostgresStore) Close() error {
 	return nil
 }

internal/invocation/service.go

@@ -54,3 +54,28 @@ func (s *Service) AgentTimeSeries(ctx context.Context, agentID string, since tim
 func (s *Service) ProviderDashboardStats(ctx context.Context, ownerUserID string) (*AgentInvocationStats, error) {
 	return s.store.ProviderDashboardStats(ctx, ownerUserID)
 }
+
+// ListAll returns all invocations with optional agent/user filters.
+func (s *Service) ListAll(ctx context.Context, agentID, userID string, limit, offset int) ([]InvocationRecord, int, error) {
+	return s.store.ListAll(ctx, agentID, userID, limit, offset)
+}
+
+// GlobalStats returns aggregated stats across all agents.
+func (s *Service) GlobalStats(ctx context.Context, since time.Time) (*AgentInvocationStats, error) {
+	return s.store.GlobalStats(ctx, since)
+}
+
+// GlobalTimeSeries returns time-bucketed invocation data across all agents.
+func (s *Service) GlobalTimeSeries(ctx context.Context, since time.Time, bucketMinutes int) ([]TimeSeriesPoint, error) {
+	return s.store.GlobalTimeSeries(ctx, since, bucketMinutes)
+}
+
+// TopAgents returns the top agents by call count.
+func (s *Service) TopAgents(ctx context.Context, since time.Time, limit int) ([]AgentCallStats, error) {
+	return s.store.TopAgents(ctx, since, limit)
+}
+
+// CountInvocations returns the total number of invocations.
+func (s *Service) CountInvocations(ctx context.Context) (int, error) {
+	return s.store.CountInvocations(ctx)
+}

internal/invocation/sqlite.go

@@ -204,6 +204,140 @@ func (s *SQLiteStore) ProviderDashboardStats(ctx context.Context, ownerUserID st
 	return &stats, nil
 }
 
+func (s *SQLiteStore) ListAll(ctx context.Context, agentID, userID string, limit, offset int) ([]InvocationRecord, int, error) {
+	if limit <= 0 {
+		limit = 50
+	}
+
+	where := "1=1"
+	var args []interface{}
+	if agentID != "" {
+		where += " AND agent_id = ?"
+		args = append(args, agentID)
+	}
+	if userID != "" {
+		where += " AND user_id = ?"
+		args = append(args, userID)
+	}
+
+	var total int
+	countArgs := make([]interface{}, len(args))
+	copy(countArgs, args)
+	if err := s.db.QueryRowContext(ctx, "SELECT COUNT(*) FROM invocations WHERE "+where, countArgs...).Scan(&total); err != nil {
+		return nil, 0, err
+	}
+
+	args = append(args, limit, offset)
+	rows, err := s.db.QueryContext(ctx,
+		"SELECT id, agent_id, user_id, protocol, status_code, duration_ms, error, ip_address, created_at FROM invocations WHERE "+where+" ORDER BY created_at DESC LIMIT ? OFFSET ?",
+		args...,
+	)
+	if err != nil {
+		return nil, 0, err
+	}
+	defer func() { _ = rows.Close() }()
+
+	var records []InvocationRecord
+	for rows.Next() {
+		var r InvocationRecord
+		var createdAt string
+		if err := rows.Scan(&r.ID, &r.AgentID, &r.UserID, &r.Protocol, &r.StatusCode, &r.DurationMs, &r.Error, &r.IPAddress, &createdAt); err != nil {
+			return nil, 0, err
+		}
+		r.CreatedAt, _ = time.Parse(time.RFC3339, createdAt)
+		records = append(records, r)
+	}
+	return records, total, rows.Err()
+}
+
+func (s *SQLiteStore) GlobalStats(ctx context.Context, since time.Time) (*AgentInvocationStats, error) {
+	var stats AgentInvocationStats
+	err := s.db.QueryRowContext(ctx,
+		`SELECT COUNT(*),
+		        SUM(CASE WHEN status_code >= 200 AND status_code < 400 THEN 1 ELSE 0 END),
+		        SUM(CASE WHEN status_code >= 400 OR error != '' THEN 1 ELSE 0 END),
+		        COALESCE(AVG(duration_ms), 0)
+		 FROM invocations WHERE created_at >= ?`,
+		since.UTC().Format(time.RFC3339),
+	).Scan(&stats.TotalCalls, &stats.SuccessCalls, &stats.ErrorCalls, &stats.AvgDurationMs)
+	if err != nil {
+		return nil, err
+	}
+	return &stats, nil
+}
+
+func (s *SQLiteStore) GlobalTimeSeries(ctx context.Context, since time.Time, bucketMinutes int) ([]TimeSeriesPoint, error) {
+	if bucketMinutes <= 0 {
+		bucketMinutes = 60
+	}
+	rows, err := s.db.QueryContext(ctx,
+		fmt.Sprintf(`SELECT
+			strftime('%%Y-%%m-%%dT%%H:%%M:00Z', created_at, 'utc', '-' || (strftime('%%M', created_at) %% %d) || ' minutes') as bucket,
+			COUNT(*),
+			SUM(CASE WHEN status_code >= 200 AND status_code < 400 THEN 1 ELSE 0 END),
+			SUM(CASE WHEN status_code >= 400 OR error != '' THEN 1 ELSE 0 END),
+			COALESCE(AVG(duration_ms), 0)
+		 FROM invocations WHERE created_at >= ?
+		 GROUP BY bucket ORDER BY bucket`, bucketMinutes),
+		since.UTC().Format(time.RFC3339),
+	)
+	if err != nil {
+		return nil, err
+	}
+	defer func() { _ = rows.Close() }()
+
+	var points []TimeSeriesPoint
+	for rows.Next() {
+		var p TimeSeriesPoint
+		var ts string
+		if err := rows.Scan(&ts, &p.TotalCalls, &p.SuccessCalls, &p.ErrorCalls, &p.AvgDurationMs); err != nil {
+			return nil, err
+		}
+		p.Timestamp, _ = time.Parse(time.RFC3339, ts)
+		points = append(points, p)
+	}
+	return points, rows.Err()
+}
+
+func (s *SQLiteStore) TopAgents(ctx context.Context, since time.Time, limit int) ([]AgentCallStats, error) {
+	if limit <= 0 {
+		limit = 10
+	}
+	rows, err := s.db.QueryContext(ctx,
+		`SELECT i.agent_id, COALESCE(a.name, i.agent_id),
+		        COUNT(*),
+		        SUM(CASE WHEN i.status_code >= 200 AND i.status_code < 400 THEN 1 ELSE 0 END),
+		        SUM(CASE WHEN i.status_code >= 400 OR i.error != '' THEN 1 ELSE 0 END),
+		        COALESCE(AVG(i.duration_ms), 0)
+		 FROM invocations i
+		 LEFT JOIN agents a ON a.id = i.agent_id
+		 WHERE i.created_at >= ?
+		 GROUP BY i.agent_id
+		 ORDER BY COUNT(*) DESC LIMIT ?`,
+		since.UTC().Format(time.RFC3339), limit,
+	)
+	if err != nil {
+		return nil, err
+	}
+	defer func() { _ = rows.Close() }()
+
+	var stats []AgentCallStats
+	for rows.Next() {
+		var s AgentCallStats
+		if err := rows.Scan(&s.AgentID, &s.AgentName, &s.TotalCalls, &s.SuccessCalls, &s.ErrorCalls, &s.AvgDurationMs); err != nil {
+			return nil, err
+		}
+		stats = append(stats, s)
+	}
+	return stats, rows.Err()
+}
+
+func (s *SQLiteStore) CountInvocations(ctx context.Context) (int, error) {
+	var count int
+	err := s.db.QueryRowContext(ctx, "SELECT COUNT(*) FROM invocations").Scan(&count)
+	return count, err
+}
+
 func (s *SQLiteStore) Close() error {
 	return nil
 }

internal/invocation/store.go

@@ -38,6 +38,16 @@ type TimeSeriesPoint struct {
 	AvgDurationMs float64  `json:"avg_duration_ms"`
 }
 
+// AgentCallStats holds per-agent call statistics for admin top-agents report.
+type AgentCallStats struct {
+	AgentID       string  `json:"agent_id"`
+	AgentName     string  `json:"agent_name"`
+	TotalCalls    int64   `json:"total_calls"`
+	SuccessCalls  int64   `json:"success_calls"`
+	ErrorCalls    int64   `json:"error_calls"`
+	AvgDurationMs float64 `json:"avg_duration_ms"`
+}
+
 // Store defines the persistence interface for invocation records.
 type Store interface {
 	// Insert records a new invocation.
@@ -61,6 +71,21 @@ type Store interface {
 	// ProviderDashboardStats returns aggregated stats for all agents owned by a user.
 	ProviderDashboardStats(ctx context.Context, ownerUserID string) (*AgentInvocationStats, error)
 
+	// ListAll returns all invocations with optional agent/user filters.
+	ListAll(ctx context.Context, agentID, userID string, limit, offset int) ([]InvocationRecord, int, error)
+
+	// GlobalStats returns aggregated stats across all agents since the given time.
+	GlobalStats(ctx context.Context, since time.Time) (*AgentInvocationStats, error)
+
+	// GlobalTimeSeries returns time-bucketed invocation data across all agents.
+	GlobalTimeSeries(ctx context.Context, since time.Time, bucketMinutes int) ([]TimeSeriesPoint, error)
+
+	// TopAgents returns the top agents by call count since the given time.
+	TopAgents(ctx context.Context, since time.Time, limit int) ([]AgentCallStats, error)
+
+	// CountInvocations returns the total number of invocations.
+	CountInvocations(ctx context.Context) (int, error)
+
 	// Migrate creates the required tables.
 	Migrate(ctx context.Context) error
 

internal/reputation/engine.go

@@ -125,3 +125,8 @@ func (e *Engine) SetVerified(ctx context.Context, agentID string) error {
 	}
 	return e.RecordEvent(ctx, agentID, EventVerificationPass, "")
 }
+
+// UnsetVerified removes the verified status from an agent.
+func (e *Engine) UnsetVerified(ctx context.Context, agentID string) error {
+	return e.store.UnsetAgentVerified(ctx, agentID)
+}

internal/reputation/postgres.go

@@ -149,6 +149,15 @@ func (s *PostgresStore) SetAgentVerified(ctx context.Context, agentID string) er
 	return err
 }
 
+// UnsetAgentVerified removes the verified status from an agent.
+func (s *PostgresStore) UnsetAgentVerified(ctx context.Context, agentID string) error {
+	_, err := s.db.ExecContext(ctx,
+		`UPDATE agents SET verified = FALSE, verified_at = NULL WHERE id = $1`,
+		agentID,
+	)
+	return err
+}
+
 // ListStaleOnlineAgents returns IDs of agents whose status is online but
 // whose last heartbeat is older than the given timeout.
 func (s *PostgresStore) ListStaleOnlineAgents(ctx context.Context, timeout time.Duration) ([]string, error) {

internal/reputation/sqlite.go

@@ -163,6 +163,15 @@ func (s *SQLiteStore) SetAgentVerified(ctx context.Context, agentID string) erro
 	return err
 }
 
+// UnsetAgentVerified removes the verified status from an agent.
+func (s *SQLiteStore) UnsetAgentVerified(ctx context.Context, agentID string) error {
+	_, err := s.db.ExecContext(ctx,
+		`UPDATE agents SET verified = 0, verified_at = NULL WHERE id = ?`,
+		agentID,
+	)
+	return err
+}
+
 // ListStaleOnlineAgents returns IDs of agents whose status is online but
 // whose last heartbeat is older than the given timeout.
 func (s *SQLiteStore) ListStaleOnlineAgents(ctx context.Context, timeout time.Duration) ([]string, error) {

internal/reputation/store.go

@@ -50,6 +50,9 @@ type Store interface {
 	// SetAgentVerified marks an agent as verified.
 	SetAgentVerified(ctx context.Context, agentID string) error
 
+	// UnsetAgentVerified removes the verified status from an agent.
+	UnsetAgentVerified(ctx context.Context, agentID string) error
+
 	// ListStaleOnlineAgents returns IDs of agents whose status is online but
 	// whose last heartbeat is older than the given timeout.
 	ListStaleOnlineAgents(ctx context.Context, timeout time.Duration) ([]string, error)