feat(telemetry): add admin UI, server/client auth telemetry; grant admin to Ishita

app.py

@@ -99,6 +99,21 @@ def require_auth(request: Request) -> Dict[str, Any]:
     """Dependency that requires authentication"""
     user = get_current_user(request)
     if not user:
+        # Server-side auth telemetry for unauthorized access
+        try:
+            _record_server_telemetry(
+                request=request,
+                event_type='auth',
+                status='unauthorized',
+                metadata={
+                    'path': str(request.url),
+                    'method': request.method,
+                    'has_auth_header': bool(request.headers.get('Authorization'))
+                },
+                user=None
+            )
+        except Exception:
+            pass
         raise HTTPException(
             status_code=status.HTTP_401_UNAUTHORIZED,
             detail="Authentication required",
@@ -308,6 +323,22 @@ async def login(login_data: LoginRequest, response: Response):
     """Authenticate user and create session"""
     result = auth_manager.authenticate(login_data.username, login_data.password)
     if not result:
+        # Telemetry: login failure
+        try:
+            # Construct a minimal request-like object for _record_server_telemetry if needed
+            from fastapi import Request as _Req
+        except Exception:
+            pass
+        # We have the real request inside FastAPI dependency; emulate via middleware not needed here
+        # Instead, log via logger for this path
+        # Note: We cannot access Request here directly, so we skip client context
+        # Use file-based fallback
+        _write_telemetry({
+            'event_type': 'auth',
+            'status': 'login_failed',
+            'metadata': {'username': login_data.username},
+            'timestamp': datetime.now().isoformat()
+        })
         raise HTTPException(
             status_code=status.HTTP_401_UNAUTHORIZED,
             detail="Invalid username or password"
@@ -323,6 +354,18 @@ async def login(login_data: LoginRequest, response: Response):
         samesite="lax"    # CSRF protection
     )
     
+    # Telemetry: login success (server-side)
+    try:
+        # We cannot access Request here directly; emit without client metadata
+        _write_telemetry({
+            'event_type': 'auth',
+            'status': 'login_success',
+            'metadata': {'username': login_data.username},
+            'timestamp': datetime.now().isoformat(),
+            'user': {'username': result['user']['username'], 'role': result['user']['role']}
+        })
+    except Exception:
+        pass
     return result
 
 @app.get("/api/auth/validate", tags=["Authentication"])
@@ -345,6 +388,18 @@ async def logout(request: Request, response: Response):
         token = request.cookies.get('auth_token')
     
     if token:
+        # Telemetry: logout server-side
+        try:
+            session = auth_manager.validate_session(token)
+            _record_server_telemetry(
+                request=request,
+                event_type='auth',
+                status='logout',
+                metadata={'path': str(request.url)},
+                user=session or None
+            )
+        except Exception:
+            pass
         auth_manager.logout(token)
     
     # Clear the authentication cookie (must match creation parameters)
@@ -795,6 +850,28 @@ async def get_tree_codes_api():
 
 
 # Telemetry logging
+# Internal helper to record server-side telemetry without requiring client call
+
+def _record_server_telemetry(request: Request, event_type: str, status: str = None, metadata: Dict[str, Any] = None, user: Dict[str, Any] = None):
+    evt = {
+        'event_type': event_type,
+        'status': status,
+        'metadata': metadata or {},
+        'timestamp': datetime.now().isoformat(),
+        'user': None,
+        'client': {
+            'ip': request.client.host if request.client else None,
+            'user_agent': request.headers.get('user-agent')
+        }
+    }
+    if user:
+        evt['user'] = { 'username': user.get('username'), 'role': user.get('role') }
+    if getattr(db, 'connected', False):
+        if not db.log_telemetry(evt):
+            _write_telemetry(evt)
+    else:
+        _write_telemetry(evt)
+
 class TelemetryEvent(BaseModel):
     event_type: str = Field(..., description="Type of event, e.g., 'upload', 'ui', 'error'")
     status: Optional[str] = Field(None, description="Status such as success/error")
@@ -845,6 +922,35 @@ async def telemetry(event: TelemetryEvent, request: Request, user: Dict[str, Any
         raise HTTPException(status_code=500, detail="Failed to record telemetry")
 
 
+# Telemetry query (admin-only)
+@app.get("/api/telemetry", tags=["System"])
+async def get_telemetry(limit: int = 100, user: Dict[str, Any] = Depends(require_permission("admin"))):
+    """Return recent telemetry events. Uses Supabase if connected, else reads telemetry.log."""
+    limit = max(1, min(1000, limit))
+    try:
+        if getattr(db, 'connected', False):
+            events = db.get_recent_telemetry(limit)
+            return {"events": events, "source": "supabase", "count": len(events)}
+        # Fallback to file
+        events: List[Dict[str, Any]] = []
+        try:
+            with open("telemetry.log", "r", encoding="utf-8") as f:
+                lines = f.readlines()
+                for line in lines[-limit:]:
+                    line = line.strip()
+                    if not line:
+                        continue
+                    try:
+                        events.append(json.loads(line))
+                    except Exception:
+                        continue
+        except FileNotFoundError:
+            events = []
+        return {"events": events, "source": "file", "count": len(events)}
+    except Exception as e:
+        logger.error(f"Get telemetry failed: {e}")
+        raise HTTPException(status_code=500, detail="Failed to fetch telemetry")
+
 # Version info
 @app.get("/api/version", tags=["System"])
 async def get_version():

auth.py

@@ -55,9 +55,9 @@ class AuthManager:
             # User accounts
             "ishita": {
                 "password_hash": self._hash_password(ishita_password),
-                "role": "researcher",
+                "role": "admin",
                 "full_name": "Ishita", 
-                "permissions": ["read", "write", "edit_own"]
+                "permissions": ["read", "write", "delete", "admin"]
             },
             
             "jeeb": {

static/index.html

@@ -917,7 +917,7 @@
         // Force refresh if we detect cached version
         (function() {
             const currentVersion = '5.1.1';
-            const timestamp = '1755112765'; // Cache-busting bump
+            const timestamp = '1755113716'; // Cache-busting bump
             const lastVersion = sessionStorage.getItem('treetrack_version');
             const lastTimestamp = sessionStorage.getItem('treetrack_timestamp');
             
@@ -1162,7 +1162,7 @@
         </div>
     </div>
 
-    <script type="module" src="/static/js/tree-track-app.js?v=5.1.1&t=1755112765"></script>
+    <script type="module" src="/static/js/tree-track-app.js?v=5.1.1&t=1755113716"></script>
     
     <script>
         // Initialize Granim background animation on page load

static/js/modules/auth-manager.js

@@ -38,6 +38,22 @@ export class AuthManager {
 
     async logout() {
         try {
+            // Telemetry: logout initiated (best-effort)
+            try {
+                await fetch('/api/telemetry', {
+                    method: 'POST',
+                    headers: {
+                        'Content-Type': 'application/json',
+                        'Authorization': `Bearer ${this.authToken}`
+                    },
+                    body: JSON.stringify({
+                        event_type: 'auth',
+                        status: 'logout_initiated',
+                        metadata: { source: 'client' }
+                    })
+                });
+            } catch (_) { /* ignore */ }
+
             await fetch('/api/auth/logout', {
                 method: 'POST',
                 headers: {

static/js/tree-track-app.js

@@ -38,12 +38,25 @@ export class TreeTrackApp {
             // Setup event listeners
             this.setupEventListeners();
             
+            // Log UI load telemetry
+            this.apiClient.sendTelemetry({
+                event_type: 'ui',
+                status: 'view',
+                metadata: { page: 'index', action: 'load' }
+            }).catch(() => {});
+            
             // Load initial data
             await this.loadInitialData();
             
         } catch (error) {
             console.error('Error initializing TreeTrack app:', error);
             this.uiManager.showMessage('Error initializing application: ' + error.message, 'error');
+            // Telemetry for init error
+            this.apiClient?.sendTelemetry({
+                event_type: 'ui',
+                status: 'error',
+                metadata: { page: 'index', action: 'init', error: error?.message }
+            }).catch(() => {});
         }
     }
 
@@ -155,16 +168,41 @@ export class TreeTrackApp {
             // Save or update tree
             let result;
             if (this.formManager.isInEditMode()) {
-                result = await this.apiClient.updateTree(this.formManager.getCurrentEditId(), treeData);
+                const id = this.formManager.getCurrentEditId();
+                // Telemetry: update start
+                this.apiClient.sendTelemetry({
+                    event_type: 'tree_update',
+                    status: 'start',
+                    metadata: { tree_id: id }
+                }).catch(() => {});
+                result = await this.apiClient.updateTree(id, treeData);
                 this.uiManager.showMessage(`Tree #${result.id} updated successfully!`, 'success');
+                // Telemetry: update success
+                this.apiClient.sendTelemetry({
+                    event_type: 'tree_update',
+                    status: 'success',
+                    metadata: { tree_id: result.id }
+                }).catch(() => {});
                 // Exit edit mode silently after successful update
                 this.handleCancelEdit(false);
             } else {
+                // Telemetry: create start
+                this.apiClient.sendTelemetry({
+                    event_type: 'tree_create',
+                    status: 'start',
+                    metadata: { has_location_name: !!treeData.location_name }
+                }).catch(() => {});
                 result = await this.apiClient.saveTree(treeData);
                 this.uiManager.showMessage(
                     `Tree successfully added! Tree ID: ${result.id}. The form has been cleared for your next entry.`, 
                     'success'
                 );
+                // Telemetry: create success
+                this.apiClient.sendTelemetry({
+                    event_type: 'tree_create',
+                    status: 'success',
+                    metadata: { tree_id: result.id }
+                }).catch(() => {});
                 this.formManager.resetForm(true);
             }
             
@@ -176,6 +214,12 @@ export class TreeTrackApp {
             console.error('Error submitting form:', error);
             this.uiManager.showMessage('Error saving tree: ' + error.message, 'error');
             this.uiManager.focusFirstError();
+            // Telemetry: save/update error
+            this.apiClient.sendTelemetry({
+                event_type: this.formManager.isInEditMode() ? 'tree_update' : 'tree_create',
+                status: 'error',
+                metadata: { error: error?.message }
+            }).catch(() => {});
         }
     }
 
@@ -209,12 +253,30 @@ export class TreeTrackApp {
         }
         
         try {
+            // Telemetry: delete start
+            this.apiClient.sendTelemetry({
+                event_type: 'tree_delete',
+                status: 'start',
+                metadata: { tree_id: treeId }
+            }).catch(() => {});
             await this.apiClient.deleteTree(treeId);
             this.uiManager.showMessage(`Tree #${treeId} deleted successfully.`, 'success');
+            // Telemetry: delete success
+            this.apiClient.sendTelemetry({
+                event_type: 'tree_delete',
+                status: 'success',
+                metadata: { tree_id: treeId }
+            }).catch(() => {});
             await this.loadTrees();
         } catch (error) {
             console.error('Error deleting tree:', error);
             this.uiManager.showMessage('Error deleting tree: ' + error.message, 'error');
+            // Telemetry: delete error
+            this.apiClient.sendTelemetry({
+                event_type: 'tree_delete',
+                status: 'error',
+                metadata: { tree_id: treeId, error: error?.message }
+            }).catch(() => {});
         }
     }
 
@@ -232,9 +294,21 @@ export class TreeTrackApp {
             this.uiManager.showLoadingState('treeList', 'Loading trees...');
             const trees = await this.apiClient.loadTrees();
             this.uiManager.renderTreeList(trees);
+            // Telemetry: list loaded
+            this.apiClient.sendTelemetry({
+                event_type: 'tree_list',
+                status: 'success',
+                metadata: { count: Array.isArray(trees) ? trees.length : null }
+            }).catch(() => {});
         } catch (error) {
             console.error('Error loading trees:', error);
             this.uiManager.showErrorState('treeList', 'Error loading trees');
+            // Telemetry: list error
+            this.apiClient.sendTelemetry({
+                event_type: 'tree_list',
+                status: 'error',
+                metadata: { error: error?.message }
+            }).catch(() => {});
         }
     }
 

static/map.html

@@ -813,7 +813,7 @@
         // Force refresh if we detect cached version
         (function() {
             const currentVersion = '5.1.1';
-const timestamp = '1755112765'; // Current timestamp for cache busting
+const timestamp = '1755113716'; // Current timestamp for cache busting
             const lastVersion = sessionStorage.getItem('treetrack_version');
             const lastTimestamp = sessionStorage.getItem('treetrack_timestamp');
             
@@ -939,7 +939,7 @@ const timestamp = '1755112765'; // Current timestamp for cache busting
 
     <!-- Leaflet JS -->
     <script src="https://unpkg.com/leaflet@1.9.4/dist/leaflet.js"></script>
-<script src="/static/map.js?v=5.1.1&t=1755112765">
+<script src="/static/map.js?v=5.1.1&t=1755113716">
     
                     "default-state": {
                         gradients: [

static/sw.js

@@ -1,5 +1,5 @@
 // TreeTrack Service Worker - PWA and Offline Support
-const VERSION = 1755112765; // Cache busting bump - force clients to fetch new static assets and header image change
+const VERSION = 1755113716; // Cache busting bump - force clients to fetch new static assets and header image change
 const CACHE_NAME = `treetrack-v${VERSION}`;
 const STATIC_CACHE = `static-v${VERSION}`;
 const API_CACHE = `api-v${VERSION}`;

static/telemetry.html

@@ -0,0 +1,179 @@
+<!DOCTYPE html>
+<html lang="en">
+<head>
+  <meta charset="UTF-8" />
+  <meta name="viewport" content="width=device-width, initial-scale=1.0" />
+  <title>Telemetry Viewer - Admin</title>
+  <link rel="stylesheet" href="/static/css/design-system.css" />
+  <meta http-equiv="Cache-Control" content="no-cache, no-store, must-revalidate">
+  <meta http-equiv="Pragma" content="no-cache">
+  <meta http-equiv="Expires" content="0">
+  <style>
+    body { font-family: Inter, system-ui, -apple-system, Segoe UI, sans-serif; background: var(--gray-50); color: var(--gray-800); }
+    .container { max-width: 1200px; margin: 0 auto; padding: 1rem; }
+    .header { display: flex; justify-content: space-between; align-items: center; margin: 1rem 0; }
+    .title { font-size: 1.25rem; font-weight: 700; }
+    .controls { display: flex; gap: .5rem; align-items: center; }
+    .filter-input { padding: .5rem .75rem; border: 1px solid var(--gray-300); border-radius: .5rem; font-size: .9rem; }
+    .btn { padding: .5rem .75rem; border: 1px solid var(--gray-300); background: white; border-radius: .5rem; cursor: pointer; }
+    .btn-primary { background: var(--primary-600); color: white; border-color: var(--primary-600); }
+    .btn:disabled { opacity: .5; cursor: not-allowed; }
+    .meta { color: var(--gray-500); font-size: .85rem; }
+    .table { width: 100%; border-collapse: collapse; background: white; border: 1px solid var(--gray-200); border-radius: .75rem; overflow: hidden; }
+    .table th, .table td { padding: .5rem .75rem; border-bottom: 1px solid var(--gray-100); text-align: left; vertical-align: top; font-size: .9rem; }
+    .table th { background: var(--gray-50); font-weight: 600; }
+    .pill { display: inline-block; padding: .15rem .4rem; border-radius: .5rem; font-size: .75rem; border: 1px solid var(--gray-300); }
+    .pill-success { background: var(--green-50); color: var(--green-700); border-color: var(--green-300); }
+    .pill-error { background: var(--red-50); color: var(--red-700); border-color: var(--red-300); }
+    .pill-start { background: var(--orange-50); color: var(--orange-700); border-color: var(--orange-300); }
+    .code { font-family: ui-monospace, SFMono-Regular, Menlo, Consolas, monospace; font-size: .8rem; background: var(--gray-50); padding: .35rem .5rem; border-radius: .35rem; border: 1px solid var(--gray-200); display: inline-block; max-width: 520px; overflow: auto; }
+    .row { transition: background .2s ease; }
+    .row:hover { background: var(--gray-50); }
+    .footer { display: flex; justify-content: space-between; align-items: center; margin-top: .75rem; }
+  </style>
+</head>
+<body>
+  <div class="container">
+    <div class="header">
+      <div>
+        <div class="title">Telemetry Viewer (Admin)</div>
+        <div class="meta">Inspect recent telemetry events to monitor app health and user actions.</div>
+      </div>
+      <div class="controls">
+        <input id="limit" class="filter-input" type="number" min="1" max="1000" value="200" title="Max events" />
+        <input id="search" class="filter-input" placeholder="Search text (type, status, user, etc.)" />
+        <button id="refresh" class="btn btn-primary">Refresh</button>
+        <a class="btn" href="/">Back</a>
+      </div>
+    </div>
+
+    <div id="meta" class="meta" style="margin-bottom: .5rem;">&nbsp;</div>
+
+    <table class="table">
+      <thead>
+        <tr>
+          <th style="width: 10rem;">Timestamp</th>
+          <th style="width: 8rem;">Type</th>
+          <th style="width: 8rem;">Status</th>
+          <th style="width: 10rem;">User</th>
+          <th>Metadata</th>
+        </tr>
+      </thead>
+      <tbody id="tbody"></tbody>
+    </table>
+
+    <div class="footer">
+      <div id="source" class="meta"></div>
+      <div class="meta">Only accessible to admin users</div>
+    </div>
+  </div>
+
+  <script type="module">
+    async function fetchTelemetry(limit) {
+      const params = new URLSearchParams({ limit: String(limit) });
+      const res = await fetch(`/api/telemetry?${params.toString()}`, { headers: authHeaders() });
+      if (res.status === 401 || res.status === 403) {
+        alert('Unauthorized. You must be an admin to view telemetry.');
+        window.location.href = '/login';
+        return null;
+      }
+      if (!res.ok) {
+        throw new Error('Failed to fetch telemetry');
+      }
+      return res.json();
+    }
+
+    function authHeaders() {
+      const token = localStorage.getItem('auth_token');
+      return token ? { 'Authorization': `Bearer ${token}` } : {};
+    }
+
+    function pill(status) {
+      if (!status) return '';
+      const cls = status === 'success' ? 'pill-success' : status === 'error' ? 'pill-error' : status === 'start' ? 'pill-start' : '';
+      return `<span class="pill ${cls}">${status}</span>`;
+    }
+
+    function escapeHtml(s) { return s.replace(/[&<>]/g, c => ({'&':'&amp;','<':'&lt;','>':'&gt;'}[c])); }
+
+    function renderRows(events) {
+      const tbody = document.getElementById('tbody');
+      const q = (document.getElementById('search').value || '').toLowerCase().trim();
+      tbody.innerHTML = '';
+      for (const evt of events) {
+        const ts = evt.timestamp || '';
+        const type = evt.event_type || '';
+        const status = evt.status || '';
+        const user = (evt.user && evt.user.username) ? `${evt.user.username} (${evt.user.role || ''})` : '';
+        const meta = evt.metadata ? escapeHtml(JSON.stringify(evt.metadata)) : '';
+        const line = `${ts} ${type} ${status} ${user} ${meta}`.toLowerCase();
+        if (q && !line.includes(q)) continue;
+        const tr = document.createElement('tr');
+        tr.className = 'row';
+        tr.innerHTML = `
+          <td>${escapeHtml(ts)}</td>
+          <td><span class="pill">${escapeHtml(type)}</span></td>
+          <td>${pill(status)}</td>
+          <td>${escapeHtml(user)}</td>
+          <td><span class="code">${meta}</span></td>
+        `;
+        tbody.appendChild(tr);
+      }
+    }
+
+    async function refresh() {
+      const limit = Math.max(1, Math.min(1000, parseInt(document.getElementById('limit').value || '200', 10)));
+      document.getElementById('refresh').disabled = true;
+      try {
+        const data = await fetchTelemetry(limit);
+        if (!data) return;
+        document.getElementById('meta').textContent = `Loaded ${data.count} events`;
+        document.getElementById('source').textContent = `Source: ${data.source}`;
+        renderRows(data.events || []);
+      } catch (e) {
+        alert(e.message || 'Failed to load telemetry');
+      } finally {
+        document.getElementById('refresh').disabled = false;
+      }
+    }
+
+    document.getElementById('refresh').addEventListener('click', refresh);
+    document.getElementById('search').addEventListener('input', () => {
+      // quick re-filter without fetching again
+      const meta = document.getElementById('meta').textContent || '';
+      // no-op; filtering reads from table content
+      const rows = Array.from(document.querySelectorAll('#tbody tr'));
+      const q = (document.getElementById('search').value || '').toLowerCase().trim();
+      rows.forEach(row => {
+        const text = row.textContent.toLowerCase();
+        row.style.display = q && !text.includes(q) ? 'none' : '';
+      });
+    });
+
+    // On load: validate auth and fetch
+    (async () => {
+      try {
+        const token = localStorage.getItem('auth_token');
+        if (!token) {
+          window.location.href = '/login';
+          return;
+        }
+        // Validate user and ensure admin
+        const res = await fetch('/api/auth/validate', { headers: authHeaders() });
+        if (!res.ok) { window.location.href = '/login'; return; }
+        const info = await res.json();
+        const perms = (info.user && info.user.permissions) || [];
+        if (!perms.includes('admin')) {
+          alert('Admin access required');
+          window.location.href = '/';
+          return;
+        }
+        await refresh();
+      } catch {
+        window.location.href = '/login';
+      }
+    })();
+  </script>
+</body>
+</html>
+

supabase_database.py

@@ -295,3 +295,16 @@ class SupabaseDatabase:
         except Exception as e:
             logger.error(f"Failed to log telemetry: {e}")
             return False
+
+    def get_recent_telemetry(self, limit: int = 100) -> List[Dict[str, Any]]:
+        """Fetch recent telemetry events from Supabase."""
+        try:
+            result = self.client.table('telemetry_events') \
+                .select('*') \
+                .order('timestamp', desc=True) \
+                .limit(limit) \
+                .execute()
+            return result.data or []
+        except Exception as e:
+            logger.error(f"Failed to fetch telemetry: {e}")
+            return []

version.json

@@ -1,4 +1,4 @@
 {
   "version": "5.1.1",
-  "timestamp": 1755112765
+  "timestamp": 1755113716
 }