feat(docforge): slice 6b — template authoring HTTP endpoints (t-paliad-349)

Admin-gated authoring API over docforge.TemplateStore + the docx authoring
engine (handlers/templates.go, routes under adminGate):
  GET  /api/admin/templates            — catalog list
  POST /api/admin/templates            — multipart upload → ImportForAuthoring
                                          (validate + detect slots) → Create v1
  GET  /api/admin/templates/{id}       — authoring view (run-addressable
                                          preview + slots)
  POST /api/admin/templates/{id}/slots — InjectSlot at the selection →
                                          AddVersion (re-detect slots from the
                                          new carrier so template_slots mirror
                                          the carrier's actual {{tokens}})

docforge.ErrTemplateNotFound → 404; injection failures (bad selection/key)
→ 400 with the engine's message for the UI to surface. Upload capped at
10 MB. Slot placement creates a version per placement (immutable snapshot);
batching a session into one version on explicit save is a documented
refinement.

Verification: go build/vet clean, handlers test green, gofmt-clean. The docx
surgery + store are unit/live-tested; the integrated HTTP flow is verified
post-merge (needs DATABASE_URL + Supabase auth).

m/paliad#157

internal/handlers/handlers.go

@@ -755,6 +755,14 @@ func Register(mux *http.ServeMux, client *auth.Client, giteaAPIToken string, svc
 		protected.HandleFunc("GET /api/admin/backups/{id}", adminGate(users, handleAdminGetBackup))
 		protected.HandleFunc("GET /api/admin/backups/{id}/file", adminGate(users, handleAdminDownloadBackup))
 
+		// t-paliad-349 docforge slice 6 — template authoring surface
+		// (upload base .docx → place variable slots → save). Admin-only,
+		// firm-shared catalog like submission_bases.
+		protected.HandleFunc("GET /api/admin/templates", adminGate(users, handleListTemplates))
+		protected.HandleFunc("POST /api/admin/templates", adminGate(users, handleUploadTemplate))
+		protected.HandleFunc("GET /api/admin/templates/{id}", adminGate(users, handleGetTemplateAuthoring))
+		protected.HandleFunc("POST /api/admin/templates/{id}/slots", adminGate(users, handlePlaceTemplateSlot))
+
 		protected.HandleFunc("GET /api/admin/users", adminGate(users, handleAdminListUsers))
 		protected.HandleFunc("POST /api/admin/users", adminGate(users, handleAdminCreateUser))
 		protected.HandleFunc("POST /api/admin/users/full", adminGate(users, handleAdminCreateFullUser))

internal/handlers/templates.go

@@ -0,0 +1,273 @@
+package handlers
+
+// docforge template authoring handlers (t-paliad-349 slice 6).
+//
+// The admin-only authoring surface: upload a base .docx, see it rendered as
+// run-addressable text, place {{variable}} slots into it, and save the
+// result as a reusable template. Backed by docforge.TemplateStore
+// (Postgres bytea carrier) + the docx authoring engine
+// (ImportForAuthoring / InjectSlot).
+//
+// Endpoints (all under adminGate — templates are firm-shared, admin-
+// authored, like submission_bases):
+//   GET  /api/admin/templates              — catalog list
+//   POST /api/admin/templates              — multipart upload → create v1
+//   GET  /api/admin/templates/{id}         — authoring view (preview+slots)
+//   POST /api/admin/templates/{id}/slots   — place a slot → new version
+//
+// Slot placement creates a new template version (immutable snapshot) per
+// placement. That keeps the snapshot guarantee simple; batching a whole
+// authoring session into one version on an explicit "save" is a documented
+// future refinement (it trades the version-per-slot churn for a client- or
+// session-held draft carrier).
+//
+// VERIFICATION CEILING: the live upload→render→select→inject→save flow
+// needs the app running with DATABASE_URL + Supabase auth + Playwright; it
+// is verified post-merge. The docx surgery (ImportForAuthoring/InjectSlot)
+// and the store are unit/live-tested independently.
+
+import (
+	"encoding/json"
+	"errors"
+	"fmt"
+	"io"
+	"net/http"
+
+	"mgit.msbls.de/m/paliad/pkg/docforge"
+	"mgit.msbls.de/m/paliad/pkg/docforge/docx"
+)
+
+// maxTemplateUpload bounds an uploaded .docx. Templates are firm letterhead
+// + chrome — tens of KB in practice; 10 MB is a generous ceiling.
+const maxTemplateUpload = 10 << 20
+
+type templateMetaJSON struct {
+	ID           string `json:"id"`
+	Slug         string `json:"slug,omitempty"`
+	NameDE       string `json:"name_de"`
+	NameEN       string `json:"name_en"`
+	Kind         string `json:"kind"`
+	SourceFormat string `json:"source_format"`
+	Firm         string `json:"firm,omitempty"`
+	IsActive     bool   `json:"is_active"`
+	Version      int    `json:"version"`
+}
+
+type templateSlotJSON struct {
+	Key        string `json:"key"`
+	Anchor     string `json:"anchor"`
+	Label      string `json:"label,omitempty"`
+	OrderIndex int    `json:"order_index"`
+}
+
+type authoringViewJSON struct {
+	Template    templateMetaJSON   `json:"template"`
+	PreviewHTML string             `json:"preview_html"`
+	Slots       []templateSlotJSON `json:"slots"`
+}
+
+func metaJSON(m docforge.TemplateMeta) templateMetaJSON {
+	return templateMetaJSON{
+		ID: m.ID, Slug: m.Slug, NameDE: m.NameDE, NameEN: m.NameEN,
+		Kind: m.Kind, SourceFormat: m.SourceFormat, Firm: m.Firm,
+		IsActive: m.IsActive, Version: m.Version,
+	}
+}
+
+func slotsJSON(slots []docforge.TemplateSlot) []templateSlotJSON {
+	out := make([]templateSlotJSON, 0, len(slots))
+	for _, s := range slots {
+		out = append(out, templateSlotJSON{Key: s.Key, Anchor: s.Anchor, Label: s.Label, OrderIndex: s.OrderIndex})
+	}
+	return out
+}
+
+// writeTemplateError maps docforge's not-found sentinel to 404 and falls
+// back to the shared service-error mapper.
+func writeTemplateError(w http.ResponseWriter, err error) {
+	if errors.Is(err, docforge.ErrTemplateNotFound) {
+		writeJSON(w, http.StatusNotFound, map[string]string{"error": "template not found"})
+		return
+	}
+	writeServiceError(w, err)
+}
+
+func requireTemplateStore(w http.ResponseWriter) bool {
+	if !requireDB(w) {
+		return false
+	}
+	if dbSvc.templateStore == nil {
+		writeJSON(w, http.StatusServiceUnavailable, map[string]string{"error": "template store not configured"})
+		return false
+	}
+	return true
+}
+
+// handleListTemplates backs GET /api/admin/templates.
+func handleListTemplates(w http.ResponseWriter, r *http.Request) {
+	if !requireTemplateStore(w) {
+		return
+	}
+	if _, ok := requireUser(w, r); !ok {
+		return
+	}
+	metas, err := dbSvc.templateStore.List(r.Context(), docforge.TemplateFilter{ActiveOnly: true})
+	if err != nil {
+		writeTemplateError(w, err)
+		return
+	}
+	out := make([]templateMetaJSON, 0, len(metas))
+	for _, m := range metas {
+		out = append(out, metaJSON(m))
+	}
+	writeJSON(w, http.StatusOK, map[string]any{"templates": out})
+}
+
+// handleUploadTemplate backs POST /api/admin/templates (multipart). Reads
+// the uploaded .docx, validates it parses, detects any slots already in it,
+// and creates the template at version 1.
+func handleUploadTemplate(w http.ResponseWriter, r *http.Request) {
+	if !requireTemplateStore(w) {
+		return
+	}
+	uid, ok := requireUser(w, r)
+	if !ok {
+		return
+	}
+	if err := r.ParseMultipartForm(maxTemplateUpload); err != nil {
+		writeJSON(w, http.StatusBadRequest, map[string]string{"error": "invalid multipart form"})
+		return
+	}
+	file, _, err := r.FormFile("file")
+	if err != nil {
+		writeJSON(w, http.StatusBadRequest, map[string]string{"error": "file field required"})
+		return
+	}
+	defer file.Close()
+	carrier, err := io.ReadAll(io.LimitReader(file, maxTemplateUpload))
+	if err != nil {
+		writeJSON(w, http.StatusBadRequest, map[string]string{"error": "could not read uploaded file"})
+		return
+	}
+	nameDE := r.FormValue("name_de")
+	nameEN := r.FormValue("name_en")
+	if nameDE == "" || nameEN == "" {
+		writeJSON(w, http.StatusBadRequest, map[string]string{"error": "name_de and name_en required"})
+		return
+	}
+
+	// Validate + detect existing slots before persisting.
+	view, err := docx.ImportForAuthoring(carrier)
+	if err != nil {
+		writeJSON(w, http.StatusBadRequest, map[string]string{"error": "not a parseable .docx: " + err.Error()})
+		return
+	}
+
+	tmpl, err := dbSvc.templateStore.Create(r.Context(),
+		docforge.TemplateMetaInput{
+			Slug:      r.FormValue("slug"),
+			NameDE:    nameDE,
+			NameEN:    nameEN,
+			Firm:      r.FormValue("firm"),
+			CreatedBy: uid.String(),
+		},
+		docforge.TemplateVersionInput{
+			CarrierBytes: carrier,
+			Slots:        view.Slots,
+			CreatedBy:    uid.String(),
+		})
+	if err != nil {
+		writeTemplateError(w, err)
+		return
+	}
+	writeJSON(w, http.StatusCreated, authoringViewJSON{
+		Template:    metaJSON(tmpl.TemplateMeta),
+		PreviewHTML: view.PreviewHTML,
+		Slots:       slotsJSON(tmpl.Slots),
+	})
+}
+
+// handleGetTemplateAuthoring backs GET /api/admin/templates/{id} — the
+// authoring view: current carrier rendered run-addressable + its slots.
+func handleGetTemplateAuthoring(w http.ResponseWriter, r *http.Request) {
+	if !requireTemplateStore(w) {
+		return
+	}
+	if _, ok := requireUser(w, r); !ok {
+		return
+	}
+	tmpl, err := dbSvc.templateStore.Get(r.Context(), r.PathValue("id"))
+	if err != nil {
+		writeTemplateError(w, err)
+		return
+	}
+	view, err := docx.ImportForAuthoring(tmpl.CarrierBytes)
+	if err != nil {
+		writeJSON(w, http.StatusInternalServerError, map[string]string{"error": "stored carrier failed to parse: " + err.Error()})
+		return
+	}
+	writeJSON(w, http.StatusOK, authoringViewJSON{
+		Template:    metaJSON(tmpl.TemplateMeta),
+		PreviewHTML: view.PreviewHTML,
+		Slots:       slotsJSON(view.Slots),
+	})
+}
+
+type placeSlotInput struct {
+	RunIndex     int    `json:"run_index"`
+	SelectedText string `json:"selected_text"`
+	SlotKey      string `json:"slot_key"`
+}
+
+// handlePlaceTemplateSlot backs POST /api/admin/templates/{id}/slots —
+// inject a slot at the selection and persist as a new version.
+func handlePlaceTemplateSlot(w http.ResponseWriter, r *http.Request) {
+	if !requireTemplateStore(w) {
+		return
+	}
+	uid, ok := requireUser(w, r)
+	if !ok {
+		return
+	}
+	var in placeSlotInput
+	if err := json.NewDecoder(r.Body).Decode(&in); err != nil {
+		writeJSON(w, http.StatusBadRequest, map[string]string{"error": "invalid JSON body"})
+		return
+	}
+	id := r.PathValue("id")
+	tmpl, err := dbSvc.templateStore.Get(r.Context(), id)
+	if err != nil {
+		writeTemplateError(w, err)
+		return
+	}
+
+	newCarrier, err := docx.InjectSlot(tmpl.CarrierBytes, in.RunIndex, in.SelectedText, in.SlotKey)
+	if err != nil {
+		// Injection failures are client-fixable (bad selection / key).
+		writeJSON(w, http.StatusBadRequest, map[string]string{"error": err.Error()})
+		return
+	}
+	// Re-detect slots from the new carrier so template_slots mirrors the
+	// carrier's actual {{tokens}} (single source of truth).
+	newView, err := docx.ImportForAuthoring(newCarrier)
+	if err != nil {
+		writeJSON(w, http.StatusInternalServerError, map[string]string{"error": fmt.Sprintf("post-inject parse: %v", err)})
+		return
+	}
+	updated, err := dbSvc.templateStore.AddVersion(r.Context(), id,
+		docforge.TemplateVersionInput{
+			CarrierBytes: newCarrier,
+			Stylemap:     tmpl.Stylemap,
+			Slots:        newView.Slots,
+			CreatedBy:    uid.String(),
+		})
+	if err != nil {
+		writeTemplateError(w, err)
+		return
+	}
+	writeJSON(w, http.StatusOK, authoringViewJSON{
+		Template:    metaJSON(updated.TemplateMeta),
+		PreviewHTML: newView.PreviewHTML,
+		Slots:       slotsJSON(updated.Slots),
+	})
+}