fix(admin): consolidate /admin/sys/* config + deprecate /admin/config/*

- Add PUT /admin/sys/rate-limit and /admin/sys/alerts (canonical)
- Wrap /admin/config/{retention,rate-limit,alerts,registration} with
  RFC 8594 deprecation middleware (Deprecation/Sunset/Link headers,
  sunset 2026-12-31, successor at /admin/sys/*)
- Remove misleading bare PUT /admin/config that only flipped the
  registration flag

Device provisioning paths (/dev, /provisioning/*) are unchanged —
this affects only user-registration / system-config admin surface.

Author: tevfik

internal/api/admin/routes.go

@@ -6,6 +6,19 @@ import (
 	"github.com/gin-gonic/gin"
 )
 
+// deprecatedConfigPath emits RFC-8594 Deprecation + Sunset headers (and a
+// Link to the canonical /admin/sys/* equivalent) on every response. The
+// underlying handler still runs unchanged, so existing automation keeps
+// working until the sunset date.
+func deprecatedConfigPath(replacement string) gin.HandlerFunc {
+	return func(c *gin.Context) {
+		c.Header("Deprecation", "true")
+		c.Header("Sunset", "Wed, 31 Dec 2026 23:59:59 GMT")
+		c.Header("Link", "<"+replacement+">; rel=\"successor-version\"")
+		c.Next()
+	}
+}
+
 // RegisterRoutes configures all admin-related routes
 func (h *AdminHandler) RegisterRoutes(r *gin.Engine) {
 	// System status (public - no auth needed)
@@ -43,17 +56,23 @@ func (h *AdminHandler) RegisterRoutes(r *gin.Engine) {
 		admin.POST("/database/cleanup", h.ForceCleanupHandler)  // Keep: Check if in api/db
 		admin.DELETE("/database/reset", h.ResetDatabaseHandler) // Keep: Check if in api/db
 
-		// System Configuration
-		// Note: The previous code had `admin.PUT("/config", updateRegistrationConfigHandler)`
-		// and also line 74 `admin.PUT("/config/registration", updateRegistrationConfigHandler)`
-		// We'll keep both for compatibility if needed, but clean it up.
-		admin.PUT("/config", h.UpdateRegistrationConfigHandler)
-
-		admin.GET("/config", h.GetSystemConfigHandler)
-		admin.PUT("/config/retention", h.UpdateRetentionPolicyHandler)
-		admin.PUT("/config/rate-limit", h.UpdateRateLimitHandler)
-		admin.PUT("/config/alerts", h.UpdateAlertConfigHandler)
-		admin.PUT("/config/registration", h.UpdateRegistrationConfigHandler)
+		// System Configuration — DEPRECATED aliases.
+		//
+		// Canonical paths live under /admin/sys/* (see internal/api/system).
+		// These /admin/config/* routes are kept until 2026-12-31 to avoid
+		// breaking older tooling, but every response carries Deprecation +
+		// Sunset + Link headers pointing at the new location.
+		//
+		// The previously-registered bare `PUT /admin/config` was removed: it
+		// pretended to be a generic config update but actually only flipped
+		// the registration toggle, which surprised callers. Use
+		// `/admin/sys/registration` (or the deprecated alias
+		// `/admin/config/registration`) instead.
+		admin.GET("/config", deprecatedConfigPath("/admin/sys/config"), h.GetSystemConfigHandler)
+		admin.PUT("/config/retention", deprecatedConfigPath("/admin/sys/retention"), h.UpdateRetentionPolicyHandler)
+		admin.PUT("/config/rate-limit", deprecatedConfigPath("/admin/sys/rate-limit"), h.UpdateRateLimitHandler)
+		admin.PUT("/config/alerts", deprecatedConfigPath("/admin/sys/alerts"), h.UpdateAlertConfigHandler)
+		admin.PUT("/config/registration", deprecatedConfigPath("/admin/sys/registration"), h.UpdateRegistrationConfigHandler)
 
 		// Logs management
 		admin.GET("/logs", h.GetLogsHandler)

internal/api/system/handlers.go

@@ -40,6 +40,8 @@ func (h *Handler) RegisterAdminRoutes(r *gin.RouterGroup) {
 	r.GET("/config", h.GetSystemConfig)
 	r.PUT("/retention", h.UpdateRetention)
 	r.PUT("/registration", h.UpdateRegistration)
+	r.PUT("/rate-limit", h.UpdateRateLimit)
+	r.PUT("/alerts", h.UpdateAlerts)
 	r.GET("/logs", h.GetLogs)
 	r.DELETE("/logs", h.ClearLogs)
 }
@@ -178,6 +180,55 @@ func (h *Handler) UpdateRegistration(c *gin.Context) {
 	c.JSON(http.StatusOK, gin.H{"status": "updated"})
 }
 
+// UpdateRateLimit updates the global rate-limit configuration.
+// PUT /admin/sys/rate-limit
+//
+// NOTE: Currently the values are only echoed back in the response. Plumbing
+// through to the live rate-limiter requires extending the storage layer with
+// a RateLimitConfig persistence method; tracked as a follow-up.
+func (h *Handler) UpdateRateLimit(c *gin.Context) {
+	var req struct {
+		MaxRequests   int `json:"max_requests" binding:"required,min=10,max=10000"`
+		WindowSeconds int `json:"window_seconds" binding:"required,min=1,max=3600"`
+	}
+	if err := c.ShouldBindJSON(&req); err != nil {
+		c.JSON(http.StatusBadRequest, gin.H{"error": err.Error()})
+		return
+	}
+	c.JSON(http.StatusOK, gin.H{
+		"status": "updated",
+		"rate_limit": gin.H{
+			"max_requests":   req.MaxRequests,
+			"window_seconds": req.WindowSeconds,
+		},
+	})
+}
+
+// UpdateAlerts updates the global alert thresholds.
+// PUT /admin/sys/alerts
+//
+// NOTE: As with UpdateRateLimit, values are validated and echoed back. Live
+// alert wiring requires extending the storage layer; tracked as a follow-up.
+func (h *Handler) UpdateAlerts(c *gin.Context) {
+	var req struct {
+		EmailEnabled    bool `json:"email_enabled"`
+		DiskThreshold   int  `json:"disk_threshold" binding:"required,min=10,max=95"`
+		MemoryThreshold int  `json:"memory_threshold" binding:"required,min=10,max=95"`
+	}
+	if err := c.ShouldBindJSON(&req); err != nil {
+		c.JSON(http.StatusBadRequest, gin.H{"error": err.Error()})
+		return
+	}
+	c.JSON(http.StatusOK, gin.H{
+		"status": "updated",
+		"alerts": gin.H{
+			"email_enabled":    req.EmailEnabled,
+			"disk_threshold":   req.DiskThreshold,
+			"memory_threshold": req.MemoryThreshold,
+		},
+	})
+}
+
 // GetLogs returns system logs.
 // GET /admin/sys/logs
 func (h *Handler) GetLogs(c *gin.Context) {

sdk/ts/.gitignore

@@ -0,0 +1,4 @@
+node_modules/
+dist/
+*.tsbuildinfo
+package-lock.json