Refactor: Split 4 large files into sub-800-line modules

- `mcp/executor.rs` (1718 lines) → directory module with 9 files by tool category
- `commands/file_system.rs` (1196 lines) → directory module with 6 files by operation type
- `api-server/src/index.ts` (1099 lines) → 7 files by route domain
- `write_operations/integration_test.rs` (1564 lines) → 5 files by operation type

Pure mechanical splits, no logic changes. All 1282 Rust tests and 88 API server tests pass.

Author: vdavid

apps/api-server/CLAUDE.md

@@ -9,7 +9,13 @@ app versions).
 
 | File                                        | Purpose                                                               |
 | ------------------------------------------- | --------------------------------------------------------------------- |
-| `src/index.ts`                              | Hono app: all routes, webhook processing, admin endpoint              |
+| `src/index.ts`                              | Hono app assembly: mounts route modules, wires scheduled handler      |
+| `src/types.ts`                              | Shared types (`Bindings`), constants, and helpers (auth, validation)  |
+| `src/licensing.ts`                          | Routes: `/activate`, `/validate`, `/webhook/paddle`, `/admin/generate`|
+| `src/admin.ts`                              | Routes: `/admin/stats`, `/admin/downloads`, `/admin/active-users`, `/admin/crashes` |
+| `src/telemetry.ts`                          | Routes: `/crash-report`, `/update-check/:version`, `/download/:version/:arch` |
+| `src/likes.ts`                              | Routes: `/likes/:slug` (GET, POST, DELETE, OPTIONS)                   |
+| `src/scheduled.ts`                          | Cron handler functions (crash notifications, aggregation, DB size)    |
 | `src/license.ts`                            | Short code + license key generation, `LicenseType` enum               |
 | `src/paddle.ts`                             | HMAC-SHA256 webhook verification, `constantTimeEqual`                 |
 | `src/paddle-api.ts`                         | Paddle REST client: transaction/subscription/customer fetch           |
@@ -272,10 +278,6 @@ hard to explain as one person. The threshold is not published in the ToS to avoi
 
 ## Gotchas
 
-**Gotcha**: `index.ts` is a monolith (all routes, cron handlers, helpers in one file). **Why**: Hono's pattern
-encourages co-located routes, and the file was already monolithic before the telemetry migration. If it keeps growing,
-consider extracting admin endpoints and cron handlers into separate modules.
-
 **Gotcha**: `verifyAdminAuth` uses a manual type annotation for `c` instead of Hono's `Context` type. **Why**: Using
 `Context<{ Bindings: Bindings }>` would require importing Hono's internal generic types and threading them through. The
 manual shape `{ env: Bindings; req: { header: ... } }` is simpler and avoids coupling to Hono internals.

apps/api-server/src/admin.ts

@@ -0,0 +1,113 @@
+import { Hono } from 'hono'
+import { constantTimeEqual } from './paddle'
+import { type Bindings, activationCountKey, verifyAdminAuth } from './types'
+
+const admin = new Hono<{ Bindings: Bindings }>()
+
+const validDownloadRanges = new Set(['24h', '7d', '30d', 'all'])
+const validActiveUserRanges = new Set(['7d', '30d', '90d', 'all'])
+const validCrashRanges = new Set(['7d', '30d', '90d', 'all'])
+
+// Values are hardcoded, never from user input — safe to interpolate into SQL.
+const rangeToSqliteInterval: Record<string, string> = {
+  '24h': '-1 day',
+  '7d': '-7 days',
+  '30d': '-30 days',
+  '90d': '-90 days',
+}
+
+// Admin stats — returns activation count and device count
+// Auth: dedicated ADMIN_API_TOKEN, separate from the Paddle secrets used by /admin/generate
+admin.get('/admin/stats', async (c) => {
+  const token = c.env.ADMIN_API_TOKEN
+  if (!token) {
+    return c.json({ error: 'Admin API not configured' }, 500)
+  }
+
+  const authHeader = c.req.header('Authorization')
+  if (!authHeader || !constantTimeEqual(authHeader, `Bearer ${token}`)) {
+    return c.json({ error: 'Unauthorized' }, 401)
+  }
+
+  const raw = await c.env.LICENSE_CODES.get(activationCountKey)
+  const totalActivations = parseInt(raw ?? '0', 10)
+
+  // TODO: `activeDevices` requires querying the CF Analytics Engine SQL API
+  // (`POST /v4/accounts/{id}/analytics_engine/sql`), which is an external HTTP call,
+  // not available via the `DEVICE_COUNTS` binding (bindings only support `writeDataPoint`).
+  // For v1, return null. The analytics dashboard queries CF Analytics Engine directly.
+  const activeDevices: number | null = null
+
+  return c.json({ totalActivations, activeDevices })
+})
+
+// Admin downloads — aggregated download data from D1
+admin.get('/admin/downloads', async (c) => {
+  const authError = verifyAdminAuth(c)
+  if (authError) return authError
+
+  const range = c.req.query('range') ?? '7d'
+  if (!validDownloadRanges.has(range)) {
+    return c.json({ error: 'Invalid range. Use 24h, 7d, 30d, or all' }, 400)
+  }
+
+  const interval = rangeToSqliteInterval[range]
+  const whereClause = interval ? `WHERE created_at >= datetime('now', '${interval}')` : ''
+
+  const { results } = await c.env.TELEMETRY_DB.prepare(
+    `SELECT date(created_at) AS date, app_version AS version, arch, country, COUNT(*) AS count
+         FROM downloads ${whereClause}
+         GROUP BY date, version, arch, country
+         ORDER BY date ASC`,
+  ).all<{ date: string; version: string; arch: string; country: string; count: number }>()
+
+  return c.json(results)
+})
+
+// Admin active users — aggregated daily active user data from D1
+admin.get('/admin/active-users', async (c) => {
+  const authError = verifyAdminAuth(c)
+  if (authError) return authError
+
+  const range = c.req.query('range') ?? '7d'
+  if (!validActiveUserRanges.has(range)) {
+    return c.json({ error: 'Invalid range. Use 7d, 30d, 90d, or all' }, 400)
+  }
+
+  const interval = rangeToSqliteInterval[range]
+  const whereClause = interval ? `WHERE date >= date('now', '${interval}')` : ''
+
+  const { results } = await c.env.TELEMETRY_DB.prepare(
+    `SELECT date, app_version AS version, arch, unique_users AS uniqueUsers
+         FROM daily_active_users ${whereClause}
+         ORDER BY date ASC`,
+  ).all<{ date: string; version: string; arch: string; uniqueUsers: number }>()
+
+  return c.json(results)
+})
+
+// Admin crashes — aggregated crash data from D1
+admin.get('/admin/crashes', async (c) => {
+  const authError = verifyAdminAuth(c)
+  if (authError) return authError
+
+  const range = c.req.query('range') ?? '7d'
+  if (!validCrashRanges.has(range)) {
+    return c.json({ error: 'Invalid range. Use 7d, 30d, 90d, or all' }, 400)
+  }
+
+  const interval = rangeToSqliteInterval[range]
+  const whereClause = interval ? `WHERE created_at >= datetime('now', '${interval}')` : ''
+
+  const { results } = await c.env.TELEMETRY_DB.prepare(
+    `SELECT date(created_at) AS date, top_function AS topFunction, signal,
+                COUNT(*) AS count, GROUP_CONCAT(DISTINCT app_version) AS versions
+         FROM crash_reports ${whereClause}
+         GROUP BY date, topFunction, signal
+         ORDER BY date ASC`,
+  ).all<{ date: string; topFunction: string; signal: string; count: number; versions: string }>()
+
+  return c.json(results)
+})
+
+export { admin }