feat(api): admin endpoint /_all lista todos diag logs (BOAT_TOKEN only)

server/src/index.js

@@ -143,6 +143,20 @@ app.post('/api/bms/diag-log', requireAuth, (req, res) => {
   }
 });
 
+// ADMIN: lista TODOS os logs (BOAT_TOKEN apenas)
+app.get('/api/bms/diag-log/_all', requireAuth, (req, res) => {
+  if (!req.user.viaBoatToken) return res.status(403).json({ error: 'admin only' });
+  const dir = path.join(db.dataDir, 'diag-logs');
+  try {
+    if (!fs.existsSync(dir)) return res.json({ files: [] });
+    const files = fs.readdirSync(dir).map(f => {
+      const stat = fs.statSync(path.join(dir, f));
+      return { name: f, size: stat.size, mtime: stat.mtime };
+    }).sort((a, b) => b.mtime - a.mtime);
+    res.json({ files });
+  } catch (e) { res.status(500).json({ error: e.message }) }
+});
+
 // Lista logs disponíveis (debug)
 app.get('/api/bms/diag-log', requireAuth, (req, res) => {
   const dir = path.join(db.dataDir, 'diag-logs');
@@ -164,7 +178,10 @@ app.get('/api/bms/diag-log', requireAuth, (req, res) => {
 // Lê conteúdo de um log específico
 app.get('/api/bms/diag-log/:file', requireAuth, (req, res) => {
   const file = req.params.file.replace(/[^a-zA-Z0-9._-]/g, '');
-  if (!file.startsWith(`${req.user.id}-`)) return res.status(403).json({ error: 'forbidden' });
+  // Admin (BOAT_TOKEN) lê qualquer; user normal só os próprios
+  if (!req.user.viaBoatToken && !file.startsWith(`${req.user.id}-`)) {
+    return res.status(403).json({ error: 'forbidden' });
+  }
   const fullPath = path.join(db.dataDir, 'diag-logs', file);
   try {
     if (!fs.existsSync(fullPath)) return res.status(404).json({ error: 'not found' });