feat(api): add unified v2 gateway and mobile read slice

backend/unified-api/Dockerfile

@@ -0,0 +1,13 @@
+FROM node:20-alpine
+
+WORKDIR /app
+
+COPY package*.json ./
+RUN npm ci --omit=dev
+
+COPY src ./src
+
+ENV PORT=8080
+EXPOSE 8080
+
+CMD ["node", "src/server.js"]

backend/unified-api/package.json

@@ -0,0 +1,24 @@
+{
+  "name": "@krow/unified-api",
+  "version": "0.1.0",
+  "private": true,
+  "type": "module",
+  "engines": {
+    "node": ">=20"
+  },
+  "scripts": {
+    "start": "node src/server.js",
+    "test": "node --test"
+  },
+  "dependencies": {
+    "express": "^4.21.2",
+    "firebase-admin": "^13.0.2",
+    "pg": "^8.20.0",
+    "pino": "^9.6.0",
+    "pino-http": "^10.3.0",
+    "zod": "^3.24.2"
+  },
+  "devDependencies": {
+    "supertest": "^7.0.0"
+  }
+}

backend/unified-api/src/app.js

@@ -0,0 +1,31 @@
+import express from 'express';
+import pino from 'pino';
+import pinoHttp from 'pino-http';
+import { requestContext } from './middleware/request-context.js';
+import { errorHandler, notFoundHandler } from './middleware/error-handler.js';
+import { healthRouter } from './routes/health.js';
+import { createAuthRouter } from './routes/auth.js';
+import { createProxyRouter } from './routes/proxy.js';
+
+const logger = pino({ level: process.env.LOG_LEVEL || 'info' });
+
+export function createApp(options = {}) {
+  const app = express();
+
+  app.use(requestContext);
+  app.use(
+    pinoHttp({
+      logger,
+      customProps: (req) => ({ requestId: req.requestId }),
+    })
+  );
+
+  app.use(healthRouter);
+  app.use('/auth', createAuthRouter({ fetchImpl: options.fetchImpl, authService: options.authService }));
+  app.use(createProxyRouter(options));
+
+  app.use(notFoundHandler);
+  app.use(errorHandler);
+
+  return app;
+}

backend/unified-api/src/lib/errors.js

@@ -0,0 +1,26 @@
+export class AppError extends Error {
+  constructor(code, message, status = 400, details = {}) {
+    super(message);
+    this.name = 'AppError';
+    this.code = code;
+    this.status = status;
+    this.details = details;
+  }
+}
+
+export function toErrorEnvelope(error, requestId) {
+  const status = error?.status && Number.isInteger(error.status) ? error.status : 500;
+  const code = error?.code || 'INTERNAL_ERROR';
+  const message = error?.message || 'Unexpected error';
+  const details = error?.details || {};
+
+  return {
+    status,
+    body: {
+      code,
+      message,
+      details,
+      requestId,
+    },
+  };
+}

backend/unified-api/src/middleware/error-handler.js

@@ -0,0 +1,25 @@
+import { toErrorEnvelope } from '../lib/errors.js';
+
+export function notFoundHandler(req, res) {
+  res.status(404).json({
+    code: 'NOT_FOUND',
+    message: `Route not found: ${req.method} ${req.path}`,
+    details: {},
+    requestId: req.requestId,
+  });
+}
+
+export function errorHandler(error, req, res, _next) {
+  const envelope = toErrorEnvelope(error, req.requestId);
+  if (req.log) {
+    req.log.error(
+      {
+        errCode: envelope.body.code,
+        status: envelope.status,
+        details: envelope.body.details,
+      },
+      envelope.body.message
+    );
+  }
+  res.status(envelope.status).json(envelope.body);
+}

backend/unified-api/src/middleware/request-context.js

@@ -0,0 +1,9 @@
+import { randomUUID } from 'node:crypto';
+
+export function requestContext(req, res, next) {
+  const incoming = req.get('X-Request-Id');
+  req.requestId = incoming || randomUUID();
+  res.setHeader('X-Request-Id', req.requestId);
+  res.locals.startedAt = Date.now();
+  next();
+}

backend/unified-api/src/routes/auth.js

@@ -0,0 +1,129 @@
+import express from 'express';
+import { AppError } from '../lib/errors.js';
+import { parseClientSignIn, parseClientSignUp, signInClient, signOutActor, signUpClient, getSessionForActor } from '../services/auth-service.js';
+import { verifyFirebaseToken } from '../services/firebase-auth.js';
+
+const defaultAuthService = {
+  parseClientSignIn,
+  parseClientSignUp,
+  signInClient,
+  signOutActor,
+  signUpClient,
+  getSessionForActor,
+};
+
+function getBearerToken(header) {
+  if (!header) return null;
+  const [scheme, token] = header.split(' ');
+  if (!scheme || scheme.toLowerCase() !== 'bearer' || !token) return null;
+  return token;
+}
+
+async function requireAuth(req, _res, next) {
+  try {
+    const token = getBearerToken(req.get('Authorization'));
+    if (!token) {
+      throw new AppError('UNAUTHENTICATED', 'Missing bearer token', 401);
+    }
+
+    if (process.env.AUTH_BYPASS === 'true') {
+      req.actor = { uid: 'test-user', email: 'test@krow.local', role: 'TEST' };
+      return next();
+    }
+
+    const decoded = await verifyFirebaseToken(token, { checkRevoked: true });
+    req.actor = {
+      uid: decoded.uid,
+      email: decoded.email || null,
+      role: decoded.role || null,
+    };
+    return next();
+  } catch (error) {
+    if (error instanceof AppError) return next(error);
+    return next(new AppError('UNAUTHENTICATED', 'Token verification failed', 401));
+  }
+}
+
+export function createAuthRouter(options = {}) {
+  const router = express.Router();
+  const fetchImpl = options.fetchImpl || fetch;
+  const authService = options.authService || defaultAuthService;
+
+  router.use(express.json({ limit: '1mb' }));
+
+  router.post('/client/sign-in', async (req, res, next) => {
+    try {
+      const payload = authService.parseClientSignIn(req.body);
+      const session = await authService.signInClient(payload, { fetchImpl });
+      return res.status(200).json({
+        ...session,
+        requestId: req.requestId,
+      });
+    } catch (error) {
+      return next(error);
+    }
+  });
+
+  router.post('/client/sign-up', async (req, res, next) => {
+    try {
+      const payload = authService.parseClientSignUp(req.body);
+      const session = await authService.signUpClient(payload, { fetchImpl });
+      return res.status(201).json({
+        ...session,
+        requestId: req.requestId,
+      });
+    } catch (error) {
+      return next(error);
+    }
+  });
+
+  router.get('/session', requireAuth, async (req, res, next) => {
+    try {
+      const session = await authService.getSessionForActor(req.actor);
+      return res.status(200).json({
+        ...session,
+        requestId: req.requestId,
+      });
+    } catch (error) {
+      return next(error);
+    }
+  });
+
+  router.post('/sign-out', requireAuth, async (req, res, next) => {
+    try {
+      const result = await authService.signOutActor(req.actor);
+      return res.status(200).json({
+        ...result,
+        requestId: req.requestId,
+      });
+    } catch (error) {
+      return next(error);
+    }
+  });
+
+  router.post('/client/sign-out', requireAuth, async (req, res, next) => {
+    try {
+      const result = await authService.signOutActor(req.actor);
+      return res.status(200).json({
+        ...result,
+        requestId: req.requestId,
+      });
+    } catch (error) {
+      return next(error);
+    }
+  });
+
+  router.post('/staff/sign-out', requireAuth, async (req, res, next) => {
+    try {
+      const result = await authService.signOutActor(req.actor);
+      return res.status(200).json({
+        ...result,
+        requestId: req.requestId,
+      });
+    } catch (error) {
+      return next(error);
+    }
+  });
+
+  return router;
+}

backend/unified-api/src/routes/health.js

@@ -0,0 +1,45 @@
+import { Router } from 'express';
+import { checkDatabaseHealth, isDatabaseConfigured } from '../services/db.js';
+
+export const healthRouter = Router();
+
+function healthHandler(req, res) {
+  res.status(200).json({
+    ok: true,
+    service: 'krow-api-v2',
+    version: process.env.SERVICE_VERSION || 'dev',
+    requestId: req.requestId,
+  });
+}
+
+healthRouter.get('/health', healthHandler);
+healthRouter.get('/healthz', healthHandler);
+
+healthRouter.get('/readyz', async (req, res) => {
+  if (!isDatabaseConfigured()) {
+    return res.status(503).json({
+      ok: false,
+      service: 'krow-api-v2',
+      status: 'DATABASE_NOT_CONFIGURED',
+      requestId: req.requestId,
+    });
+  }
+
+  try {
+    const ok = await checkDatabaseHealth();
+    return res.status(ok ? 200 : 503).json({
+      ok,
+      service: 'krow-api-v2',
+      status: ok ? 'READY' : 'DATABASE_UNAVAILABLE',
+      requestId: req.requestId,
+    });
+  } catch (error) {
+    return res.status(503).json({
+      ok: false,
+      service: 'krow-api-v2',
+      status: 'DATABASE_UNAVAILABLE',
+      details: { message: error.message },
+      requestId: req.requestId,
+    });
+  }
+});

backend/unified-api/src/routes/proxy.js

@@ -0,0 +1,75 @@
+import { Router } from 'express';
+import { AppError } from '../lib/errors.js';
+
+const HOP_BY_HOP_HEADERS = new Set([
+  'connection',
+  'content-length',
+  'host',
+  'keep-alive',
+  'proxy-authenticate',
+  'proxy-authorization',
+  'te',
+  'trailer',
+  'transfer-encoding',
+  'upgrade',
+]);
+
+function resolveTargetBase(pathname) {
+  if (pathname.startsWith('/core')) return process.env.CORE_API_BASE_URL;
+  if (pathname.startsWith('/commands')) return process.env.COMMAND_API_BASE_URL;
+  if (pathname.startsWith('/query')) return process.env.QUERY_API_BASE_URL;
+  return null;
+}
+
+function copyHeaders(source, target) {
+  for (const [key, value] of source.entries()) {
+    if (HOP_BY_HOP_HEADERS.has(key.toLowerCase())) continue;
+    target.setHeader(key, value);
+  }
+}
+
+async function forwardRequest(req, res, next, fetchImpl) {
+  try {
+    const requestPath = new URL(req.originalUrl, 'http://localhost').pathname;
+    const baseUrl = resolveTargetBase(requestPath);
+    if (!baseUrl) {
+      throw new AppError('NOT_FOUND', `No upstream configured for ${requestPath}`, 404);
+    }
+
+    const url = new URL(req.originalUrl, baseUrl);
+    const headers = new Headers();
+    for (const [key, value] of Object.entries(req.headers)) {
+      if (value == null || HOP_BY_HOP_HEADERS.has(key.toLowerCase())) continue;
+      if (Array.isArray(value)) {
+        for (const item of value) headers.append(key, item);
+      } else {
+        headers.set(key, value);
+      }
+    }
+    headers.set('x-request-id', req.requestId);
+
+    const upstream = await fetchImpl(url, {
+      method: req.method,
+      headers,
+      body: req.method === 'GET' || req.method === 'HEAD' ? undefined : req,
+      duplex: req.method === 'GET' || req.method === 'HEAD' ? undefined : 'half',
+    });
+
+    copyHeaders(upstream.headers, res);
+    res.status(upstream.status);
+
+    const buffer = Buffer.from(await upstream.arrayBuffer());
+    return res.send(buffer);
+  } catch (error) {
+    return next(error);
+  }
+}
+
+export function createProxyRouter(options = {}) {
+  const router = Router();
+  const fetchImpl = options.fetchImpl || fetch;
+
+  router.use(['/core', '/commands', '/query'], (req, res, next) => forwardRequest(req, res, next, fetchImpl));
+
+  return router;
+}

backend/unified-api/src/server.js

@@ -0,0 +1,9 @@
+import { createApp } from './app.js';
+
+const port = Number(process.env.PORT || 8080);
+const app = createApp();
+
+app.listen(port, () => {
+  // eslint-disable-next-line no-console
+  console.log(`krow-api-v2 listening on port ${port}`);
+});

backend/unified-api/src/services/auth-service.js

@@ -0,0 +1,157 @@
+import { z } from 'zod';
+import { AppError } from '../lib/errors.js';
+import { withTransaction } from './db.js';
+import { verifyFirebaseToken, revokeUserSessions } from './firebase-auth.js';
+import { deleteAccount, signInWithPassword, signUpWithPassword } from './identity-toolkit.js';
+import { loadActorContext } from './user-context.js';
+
+const clientSignInSchema = z.object({
+  email: z.string().email(),
+  password: z.string().min(8),
+});
+
+const clientSignUpSchema = z.object({
+  companyName: z.string().min(2).max(120),
+  email: z.string().email(),
+  password: z.string().min(8),
+  displayName: z.string().min(2).max(120).optional(),
+});
+
+function slugify(input) {
+  return input
+    .toLowerCase()
+    .replace(/[^a-z0-9]+/g, '-')
+    .replace(/^-+|-+$/g, '')
+    .slice(0, 50);
+}
+
+function buildAuthEnvelope(authPayload, context) {
+  return {
+    sessionToken: authPayload.idToken,
+    refreshToken: authPayload.refreshToken,
+    expiresInSeconds: Number.parseInt(`${authPayload.expiresIn || 3600}`, 10),
+    user: {
+      id: context.user?.userId || authPayload.localId,
+      email: context.user?.email || null,
+      displayName: context.user?.displayName || null,
+      phone: context.user?.phone || null,
+    },
+    tenant: context.tenant,
+    business: context.business,
+    vendor: context.vendor,
+    staff: context.staff,
+  };
+}
+
+export function parseClientSignIn(body) {
+  const parsed = clientSignInSchema.safeParse(body || {});
+  if (!parsed.success) {
+    throw new AppError('VALIDATION_ERROR', 'Invalid client sign-in payload', 400, {
+      issues: parsed.error.issues,
+    });
+  }
+  return parsed.data;
+}
+
+export function parseClientSignUp(body) {
+  const parsed = clientSignUpSchema.safeParse(body || {});
+  if (!parsed.success) {
+    throw new AppError('VALIDATION_ERROR', 'Invalid client sign-up payload', 400, {
+      issues: parsed.error.issues,
+    });
+  }
+  return parsed.data;
+}
+
+export async function getSessionForActor(actor) {
+  return loadActorContext(actor.uid);
+}
+
+export async function signInClient(payload, { fetchImpl = fetch } = {}) {
+  const authPayload = await signInWithPassword(payload, fetchImpl);
+  const decoded = await verifyFirebaseToken(authPayload.idToken);
+  const context = await loadActorContext(decoded.uid);
+
+  if (!context.user || !context.business) {
+    throw new AppError('FORBIDDEN', 'Authenticated user does not have a client business membership', 403, {
+      uid: decoded.uid,
+      email: decoded.email || null,
+    });
+  }
+
+  return buildAuthEnvelope(authPayload, context);
+}
+
+export async function signUpClient(payload, { fetchImpl = fetch } = {}) {
+  const authPayload = await signUpWithPassword(payload, fetchImpl);
+
+  try {
+    const decoded = await verifyFirebaseToken(authPayload.idToken);
+    const defaultDisplayName = payload.displayName || payload.companyName;
+    const tenantSlug = slugify(payload.companyName);
+    const businessSlug = tenantSlug;
+
+    await withTransaction(async (client) => {
+      await client.query(
+        `
+        INSERT INTO users (id, email, display_name, status, metadata)
+        VALUES ($1, $2, $3, 'ACTIVE', '{}'::jsonb)
+        ON CONFLICT (id) DO UPDATE
+          SET email = EXCLUDED.email,
+              display_name = EXCLUDED.display_name,
+              updated_at = NOW()
+        `,
+        [decoded.uid, payload.email, defaultDisplayName]
+      );
+
+      const tenantResult = await client.query(
+        `
+        INSERT INTO tenants (slug, name, status, metadata)
+        VALUES ($1, $2, 'ACTIVE', '{"source":"unified-api-sign-up"}'::jsonb)
+        RETURNING id, slug, name
+        `,
+        [tenantSlug, payload.companyName]
+      );
+      const tenant = tenantResult.rows[0];
+
+      const businessResult = await client.query(
+        `
+        INSERT INTO businesses (
+          tenant_id, slug, business_name, status, contact_name, contact_email, metadata
+        )
+        VALUES ($1, $2, $3, 'ACTIVE', $4, $5, '{"source":"unified-api-sign-up"}'::jsonb)
+        RETURNING id, slug, business_name
+        `,
+        [tenant.id, businessSlug, payload.companyName, defaultDisplayName, payload.email]
+      );
+      const business = businessResult.rows[0];
+
+      await client.query(
+        `
+        INSERT INTO tenant_memberships (tenant_id, user_id, membership_status, base_role, metadata)
+        VALUES ($1, $2, 'ACTIVE', 'admin', '{"source":"sign-up"}'::jsonb)
+        `,
+        [tenant.id, decoded.uid]
+      );
+
+      await client.query(
+        `
+        INSERT INTO business_memberships (tenant_id, business_id, user_id, membership_status, business_role, metadata)
+        VALUES ($1, $2, $3, 'ACTIVE', 'owner', '{"source":"sign-up"}'::jsonb)
+        `,
+        [tenant.id, business.id, decoded.uid]
+      );
+    });
+
+    const context = await loadActorContext(decoded.uid);
+    return buildAuthEnvelope(authPayload, context);
+  } catch (error) {
+    await deleteAccount({ idToken: authPayload.idToken }, fetchImpl).catch(() => null);
+    throw error;
+  }
+}
+
+export async function signOutActor(actor) {
+  await revokeUserSessions(actor.uid);
+  return { signedOut: true };
+}

backend/unified-api/src/services/db.js

@@ -0,0 +1,87 @@
+import { Pool } from 'pg';
+
+let pool;
+
+function parseIntOrDefault(value, fallback) {
+  const parsed = Number.parseInt(`${value || fallback}`, 10);
+  return Number.isFinite(parsed) ? parsed : fallback;
+}
+
+function resolveDatabasePoolConfig() {
+  if (process.env.DATABASE_URL) {
+    return {
+      connectionString: process.env.DATABASE_URL,
+      max: parseIntOrDefault(process.env.DB_POOL_MAX, 10),
+      idleTimeoutMillis: parseIntOrDefault(process.env.DB_IDLE_TIMEOUT_MS, 30000),
+    };
+  }
+
+  const user = process.env.DB_USER;
+  const password = process.env.DB_PASSWORD;
+  const database = process.env.DB_NAME;
+  const host = process.env.DB_HOST || (
+    process.env.INSTANCE_CONNECTION_NAME
+      ? `/cloudsql/${process.env.INSTANCE_CONNECTION_NAME}`
+      : ''
+  );
+
+  if (!user || password == null || !database || !host) {
+    return null;
+  }
+
+  return {
+    host,
+    port: parseIntOrDefault(process.env.DB_PORT, 5432),
+    user,
+    password,
+    database,
+    max: parseIntOrDefault(process.env.DB_POOL_MAX, 10),
+    idleTimeoutMillis: parseIntOrDefault(process.env.DB_IDLE_TIMEOUT_MS, 30000),
+  };
+}
+
+export function isDatabaseConfigured() {
+  return Boolean(resolveDatabasePoolConfig());
+}
+
+function getPool() {
+  if (!pool) {
+    const resolved = resolveDatabasePoolConfig();
+    if (!resolved) {
+      throw new Error('Database connection settings are required');
+    }
+    pool = new Pool(resolved);
+  }
+  return pool;
+}
+
+export async function query(text, params = []) {
+  return getPool().query(text, params);
+}
+
+export async function withTransaction(work) {
+  const client = await getPool().connect();
+  try {
+    await client.query('BEGIN');
+    const result = await work(client);
+    await client.query('COMMIT');
+    return result;
+  } catch (error) {
+    await client.query('ROLLBACK');
+    throw error;
+  } finally {
+    client.release();
+  }
+}
+
+export async function checkDatabaseHealth() {
+  const result = await query('SELECT 1 AS ok');
+  return result.rows[0]?.ok === 1;
+}
+
+export async function closePool() {
+  if (pool) {
+    await pool.end();
+    pool = null;
+  }
+}

backend/unified-api/src/services/firebase-auth.js

@@ -0,0 +1,18 @@
+import { applicationDefault, getApps, initializeApp } from 'firebase-admin/app';
+import { getAuth } from 'firebase-admin/auth';
+
+function ensureAdminApp() {
+  if (getApps().length === 0) {
+    initializeApp({ credential: applicationDefault() });
+  }
+}
+
+export async function verifyFirebaseToken(token, { checkRevoked = false } = {}) {
+  ensureAdminApp();
+  return getAuth().verifyIdToken(token, checkRevoked);
+}
+
+export async function revokeUserSessions(uid) {
+  ensureAdminApp();
+  await getAuth().revokeRefreshTokens(uid);
+}

backend/unified-api/src/services/identity-toolkit.js

@@ -0,0 +1,65 @@
+import { AppError } from '../lib/errors.js';
+
+const IDENTITY_TOOLKIT_BASE_URL = 'https://identitytoolkit.googleapis.com/v1';
+
+function getApiKey() {
+  const apiKey = process.env.FIREBASE_WEB_API_KEY;
+  if (!apiKey) {
+    throw new AppError('CONFIGURATION_ERROR', 'FIREBASE_WEB_API_KEY is required', 500);
+  }
+  return apiKey;
+}
+
+async function callIdentityToolkit(path, payload, fetchImpl = fetch) {
+  const response = await fetchImpl(`${IDENTITY_TOOLKIT_BASE_URL}/${path}?key=${getApiKey()}`, {
+    method: 'POST',
+    headers: {
+      'content-type': 'application/json',
+    },
+    body: JSON.stringify(payload),
+  });
+
+  const json = await response.json().catch(() => ({}));
+  if (!response.ok) {
+    throw new AppError(
+      'AUTH_PROVIDER_ERROR',
+      json?.error?.message || `Identity Toolkit request failed: ${path}`,
+      response.status,
+      { provider: 'firebase-identity-toolkit', path }
+    );
+  }
+
+  return json;
+}
+
+export async function signInWithPassword({ email, password }, fetchImpl = fetch) {
+  return callIdentityToolkit(
+    'accounts:signInWithPassword',
+    {
+      email,
+      password,
+      returnSecureToken: true,
+    },
+    fetchImpl
+  );
+}
+
+export async function signUpWithPassword({ email, password }, fetchImpl = fetch) {
+  return callIdentityToolkit(
+    'accounts:signUp',
+    {
+      email,
+      password,
+      returnSecureToken: true,
+    },
+    fetchImpl
+  );
+}
+
+export async function deleteAccount({ idToken }, fetchImpl = fetch) {
+  return callIdentityToolkit(
+    'accounts:delete',
+    { idToken },
+    fetchImpl
+  );
+}

backend/unified-api/src/services/user-context.js

@@ -0,0 +1,91 @@
+import { query } from './db.js';
+
+export async function loadActorContext(uid) {
+  const [userResult, tenantResult, businessResult, vendorResult, staffResult] = await Promise.all([
+    query(
+      `
+      SELECT id AS "userId", email, display_name AS "displayName", phone, status
+      FROM users
+      WHERE id = $1
+      `,
+      [uid]
+    ),
+    query(
+      `
+      SELECT tm.id AS "membershipId",
+             tm.tenant_id AS "tenantId",
+             tm.base_role AS role,
+             t.name AS "tenantName",
+             t.slug AS "tenantSlug"
+      FROM tenant_memberships tm
+      JOIN tenants t ON t.id = tm.tenant_id
+      WHERE tm.user_id = $1
+        AND tm.membership_status = 'ACTIVE'
+      ORDER BY tm.created_at ASC
+      LIMIT 1
+      `,
+      [uid]
+    ),
+    query(
+      `
+      SELECT bm.id AS "membershipId",
+             bm.business_id AS "businessId",
+             bm.business_role AS role,
+             b.business_name AS "businessName",
+             b.slug AS "businessSlug",
+             bm.tenant_id AS "tenantId"
+      FROM business_memberships bm
+      JOIN businesses b ON b.id = bm.business_id
+      WHERE bm.user_id = $1
+        AND bm.membership_status = 'ACTIVE'
+      ORDER BY bm.created_at ASC
+      LIMIT 1
+      `,
+      [uid]
+    ),
+    query(
+      `
+      SELECT vm.id AS "membershipId",
+             vm.vendor_id AS "vendorId",
+             vm.vendor_role AS role,
+             v.company_name AS "vendorName",
+             v.slug AS "vendorSlug",
+             vm.tenant_id AS "tenantId"
+      FROM vendor_memberships vm
+      JOIN vendors v ON v.id = vm.vendor_id
+      WHERE vm.user_id = $1
+        AND vm.membership_status = 'ACTIVE'
+      ORDER BY vm.created_at ASC
+      LIMIT 1
+      `,
+      [uid]
+    ),
+    query(
+      `
+      SELECT s.id AS "staffId",
+             s.tenant_id AS "tenantId",
+             s.full_name AS "fullName",
+             s.primary_role AS "primaryRole",
+             s.onboarding_status AS "onboardingStatus",
+             s.status,
+             w.id AS "workforceId",
+             w.vendor_id AS "vendorId",
+             w.workforce_number AS "workforceNumber"
+      FROM staffs s
+      LEFT JOIN workforce w ON w.staff_id = s.id
+      WHERE s.user_id = $1
+      ORDER BY s.created_at ASC
+      LIMIT 1
+      `,
+      [uid]
+    ),
+  ]);
+
+  return {
+    user: userResult.rows[0] || null,
+    tenant: tenantResult.rows[0] || null,
+    business: businessResult.rows[0] || null,
+    vendor: vendorResult.rows[0] || null,
+    staff: staffResult.rows[0] || null,
+  };
+}

backend/unified-api/test/app.test.js

@@ -0,0 +1,112 @@
+import test from 'node:test';
+import assert from 'node:assert/strict';
+import request from 'supertest';
+import { createApp } from '../src/app.js';
+
+process.env.AUTH_BYPASS = 'true';
+
+test('GET /healthz returns healthy response', async () => {
+  const app = createApp();
+  const res = await request(app).get('/healthz');
+
+  assert.equal(res.status, 200);
+  assert.equal(res.body.ok, true);
+  assert.equal(res.body.service, 'krow-api-v2');
+});
+
+test('GET /readyz reports database not configured when env is absent', async () => {
+  delete process.env.DATABASE_URL;
+  delete process.env.DB_HOST;
+  delete process.env.DB_NAME;
+  delete process.env.DB_USER;
+  delete process.env.DB_PASSWORD;
+  delete process.env.INSTANCE_CONNECTION_NAME;
+
+  const app = createApp();
+  const res = await request(app).get('/readyz');
+
+  assert.equal(res.status, 503);
+  assert.equal(res.body.status, 'DATABASE_NOT_CONFIGURED');
+});
+
+test('POST /auth/client/sign-in validates payload', async () => {
+  const app = createApp();
+  const res = await request(app).post('/auth/client/sign-in').send({
+    email: 'bad-email',
+    password: 'short',
+  });
+
+  assert.equal(res.status, 400);
+  assert.equal(res.body.code, 'VALIDATION_ERROR');
+});
+
+test('POST /auth/client/sign-in returns injected auth envelope', async () => {
+  const app = createApp({
+    authService: {
+      parseClientSignIn: (body) => body,
+      parseClientSignUp: (body) => body,
+      signInClient: async () => ({
+        sessionToken: 'token',
+        refreshToken: 'refresh',
+        expiresInSeconds: 3600,
+        user: { id: 'u1', email: 'legendary@krowd.com' },
+        tenant: { tenantId: 't1' },
+        business: { businessId: 'b1' },
+      }),
+      signUpClient: async () => assert.fail('signUpClient should not be called'),
+      signOutActor: async () => ({ signedOut: true }),
+      getSessionForActor: async () => ({ user: { userId: 'u1' } }),
+    },
+  });
+
+  const res = await request(app).post('/auth/client/sign-in').send({
+    email: 'legendary@krowd.com',
+    password: 'super-secret',
+  });
+
+  assert.equal(res.status, 200);
+  assert.equal(res.body.sessionToken, 'token');
+  assert.equal(res.body.business.businessId, 'b1');
+});
+
+test('GET /auth/session returns injected session for authenticated actor', async () => {
+  const app = createApp({
+    authService: {
+      parseClientSignIn: (body) => body,
+      parseClientSignUp: (body) => body,
+      signInClient: async () => assert.fail('signInClient should not be called'),
+      signUpClient: async () => assert.fail('signUpClient should not be called'),
+      signOutActor: async () => ({ signedOut: true }),
+      getSessionForActor: async (actor) => ({ actorUid: actor.uid }),
+    },
+  });
+
+  const res = await request(app)
+    .get('/auth/session')
+    .set('Authorization', 'Bearer test-token');
+
+  assert.equal(res.status, 200);
+  assert.equal(res.body.actorUid, 'test-user');
+});
+
+test('proxy forwards query routes to query base url', async () => {
+  process.env.QUERY_API_BASE_URL = 'https://query.example';
+  process.env.CORE_API_BASE_URL = 'https://core.example';
+  process.env.COMMAND_API_BASE_URL = 'https://command.example';
+
+  let seenUrl = null;
+  const app = createApp({
+    fetchImpl: async (url) => {
+      seenUrl = `${url}`;
+      return new Response(JSON.stringify({ ok: true }), {
+        status: 200,
+        headers: { 'content-type': 'application/json' },
+      });
+    },
+  });
+
+  const res = await request(app).get('/query/test-route?foo=bar');
+
+  assert.equal(res.status, 200);
+  assert.equal(seenUrl, 'https://query.example/query/test-route?foo=bar');
+});