---
name: chenecosystem:admin
description: Admin-only endpoints (auth-gated by X-Admin-Token). Listed here for Principle 9 transparency — all admin capabilities are publicly documented even though accessing them requires the token.
version: 0.1.0
endpoints:
  - GET  /admin/health
  - GET  /admin/events
  - GET  /admin/events/summary
  - GET  /admin/feature-usage
  - GET  /admin/feature-usage/html
  - GET  /admin/partners
  - GET  /admin/rails/latest
  - GET  /admin/honesty/flags/all
  - GET  /admin/feedback
  - GET  /admin/feedback/summary
  - GET  /admin/feedback/html
  - POST /admin/mark-self-test
  - GET  /api/admin/analytics
  - GET  /api/admin/feature-usage
  - GET  /api/admin/feedback
  - GET  /api/admin/feedback/summary
  - POST /api/admin/mark-self-test
auth: X-Admin-Token header required; value set via ADMIN_TOKEN env var server-side. If ADMIN_TOKEN is empty → all admin endpoints return 503.
---

# Admin endpoints — transparency listing

chenecosystem exposes admin-only endpoints for internal operations. Principle 9 (Radical Honesty) means these are publicly listed even though you cannot call them without the admin token, so an agent or researcher can audit what an admin can do on the platform.

## Auth

Every admin endpoint requires:

```
X-Admin-Token: <64-hex set by operator>
```

Missing or wrong token → HTTP 401. `ADMIN_TOKEN` env var not set → HTTP 503 `{"error":"admin disabled"}`.
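
The status contract above can be expressed as a small fail-closed middleware. This is an added example, not chenecosystem's own code: `adminGate` and `statusFor` are hypothetical names, the token is a constructed value, and the hashed constant-time comparison is a choice made for this example rather than something the platform documents.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// adminGate is a hypothetical middleware (not chenecosystem's code) enforcing
// the documented contract: no configured token -> 503, bad/missing header -> 401.
func adminGate(adminToken string, next http.Handler) http.Handler {
	want := sha256.Sum256([]byte(adminToken))
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if adminToken == "" {
			// Fail closed: an unset ADMIN_TOKEN must never match an empty header.
			w.Header().Set("Content-Type", "application/json")
			w.WriteHeader(http.StatusServiceUnavailable)
			fmt.Fprint(w, `{"error":"admin disabled"}`)
			return
		}
		// Hash both sides so the comparison is fixed-length and constant-time.
		got := sha256.Sum256([]byte(r.Header.Get("X-Admin-Token")))
		if subtle.ConstantTimeCompare(got[:], want[:]) != 1 {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// statusFor sends one request through the gate and returns the HTTP status.
func statusFor(configured, presented string) int {
	ok := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {})
	req := httptest.NewRequest(http.MethodGet, "/admin/health", nil)
	if presented != "" {
		req.Header.Set("X-Admin-Token", presented)
	}
	rec := httptest.NewRecorder()
	adminGate(configured, ok).ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	tok := "00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff" // constructed
	fmt.Println(statusFor("", tok), statusFor(tok, ""), statusFor(tok, "wrong"), statusFor(tok, tok))
}
```

The 503 branch is checked before any comparison, so a deployment with `ADMIN_TOKEN` unset cannot be opened by sending an empty or absent header.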

## Observability (read-only)

```bash
# Health with Mongo + tracker state
curl -H "X-Admin-Token: $TOKEN" https://chenecosystem.com/admin/health

# Raw telemetry events (paginated via ?limit= and ?since=)
curl -H "X-Admin-Token: $TOKEN" "https://chenecosystem.com/admin/events?limit=100"

# Aggregated telemetry summary
curl -H "X-Admin-Token: $TOKEN" https://chenecosystem.com/admin/events/summary

# Feature-usage dashboard data (per ADR-011 / Invariant 13)
curl -H "X-Admin-Token: $TOKEN" https://chenecosystem.com/admin/feature-usage
curl -H "X-Admin-Token: $TOKEN" https://chenecosystem.com/api/admin/feature-usage

# Partners list (internal)
curl -H "X-Admin-Token: $TOKEN" https://chenecosystem.com/admin/partners

# Latest snapshot for every rail
curl -H "X-Admin-Token: $TOKEN" https://chenecosystem.com/admin/rails/latest

# All honesty flags (public + internal)
curl -H "X-Admin-Token: $TOKEN" https://chenecosystem.com/admin/honesty/flags/all

# Analytics compat endpoint (consumed by analytics-cli chenecosystem)
curl -H "X-Admin-Token: $TOKEN" https://chenecosystem.com/api/admin/analytics
```

## Feedback (ADR-015)

```bash
# List feedback with optional filters
curl -H "X-Admin-Token: $TOKEN" "https://chenecosystem.com/admin/feedback?status=new&limit=50"
curl -H "X-Admin-Token: $TOKEN" "https://chenecosystem.com/admin/feedback?kind=bug"
curl -H "X-Admin-Token: $TOKEN" "https://chenecosystem.com/admin/feedback?q=smithery"

# Aggregate summary (last 24h / 7d / 30d)
curl -H "X-Admin-Token: $TOKEN" https://chenecosystem.com/admin/feedback/summary
curl -H "X-Admin-Token: $TOKEN" https://chenecosystem.com/api/admin/feedback/summary
```

## Mutations

```bash
# Mark a record as self_test (Principle 9 — exclude from ecosystem counters)
# Used by the operator when a commit creates test data that should not count.
curl -X POST -H "X-Admin-Token: $TOKEN" -H 'Content-Type: application/json' \
  -d '{"collection":"partners","query":{"handle":"test-alex-chen"}}' \
  https://chenecosystem.com/admin/mark-self-test
```

## Why this file exists

ADR-018 / Invariant 21: every public route must have a SKILL.md mention. Admin routes are public in their existence and shape even though their data is gated. Documenting them lets agents auditing the platform reason about attack surface and capabilities without reading the Go code.
