feat: REST API layer for web dashboard

.env.example

@@ -44,15 +44,20 @@ NEXTAUTH_SECRET=your_nextauth_secret
 # Docker Compose overrides this to http://localhost:3000 automatically.
 NEXTAUTH_URL=http://localhost:3000
 
+# Bot REST API port (optional — default: 3001)
+BOT_API_PORT=3001
+
 # Bot API URL for web dashboard → bot communication (required for web dashboard)
-# Not yet implemented — the bot does not expose an HTTP API yet (see Issue #29).
 # Docker Compose overrides this when the bot API is available.
-# BOT_API_URL=http://localhost:3001
+BOT_API_URL=http://localhost:3001
 
 # Shared secret for bot ↔ web dashboard API authentication
 # Required when running the web dashboard.
 BOT_API_SECRET=your_bot_api_secret
 
+# Dashboard URL for CORS origin (required for web dashboard)
+DASHBOARD_URL=http://localhost:3000
+
 # Discord client ID exposed to browser (required for web dashboard)
 NEXT_PUBLIC_DISCORD_CLIENT_ID=your_discord_client_id
 

AGENTS.md

@@ -32,6 +32,11 @@
 | `src/modules/moderation.js` | Moderation — case creation, DM notifications, mod log embeds, escalation, tempban scheduler |
 | `src/modules/config.js` | Config loading/saving (DB + file), runtime updates |
 | `src/modules/events.js` | Event handler registration (wires modules to Discord events) |
+| `src/api/server.js` | Express API server setup (createApp, startServer, stopServer) |
+| `src/api/index.js` | API route mounting |
+| `src/api/routes/guilds.js` | Guild REST API endpoints (info, config, stats, members, moderation, actions) |
+| `src/api/middleware/auth.js` | API authentication middleware |
+| `src/api/middleware/rateLimit.js` | Rate limiting middleware |
 | `src/utils/errors.js` | Error classes and handling utilities |
 | `src/utils/health.js` | Health monitoring singleton |
 | `src/utils/permissions.js` | Permission checking for commands |

README.md

@@ -371,13 +371,13 @@ Set these in the Railway dashboard for the Web Dashboard service:
 
 ### Private Networking
 
-Railway services within the same project can communicate over a private internal network. When the bot exposes an HTTP API (planned), the Web Dashboard will reach it at:
+Railway services within the same project can communicate over a private internal network. The bot exposes a REST API server, and the Web Dashboard reaches it at:
 
 ```text
 http://bot.railway.internal:<PORT>
 ```
 
-> **Note:** The bot does not currently expose an HTTP API server — it connects to Discord via WebSocket only. `BOT_API_URL` is used by the web dashboard to query bot state; this feature requires the bot API to be implemented first.
+> **Note:** The bot exposes a REST API server on `BOT_API_PORT` (default `3001`) alongside its Discord WebSocket connection. `BOT_API_URL` is used by the web dashboard to query bot state.
 
 ### Slash Command Registration
 
@@ -444,7 +444,7 @@ docker compose up --build
 
 | Service | URL | Description |
 |---------|-----|-------------|
-| **bot** | — (internal) | Discord bot, no HTTP server |
+| **bot** | `localhost:3001` | Discord bot with REST API server (`BOT_API_PORT`) |
 | **db** | `localhost:5432` | PostgreSQL 17, user: `postgres`, password: `postgres`, database: `billsbot` |
 | **web** | `localhost:3000` | Next.js web dashboard (requires `--profile full`) |
 

package.json

@@ -19,6 +19,7 @@
   "dependencies": {
     "discord.js": "^14.25.1",
     "dotenv": "^17.3.1",
+    "express": "^5.2.1",
     "mem0ai": "^2.2.2",
     "pg": "^8.18.0",
     "winston": "^3.19.0",
@@ -36,6 +37,7 @@
   "devDependencies": {
     "@biomejs/biome": "^2.4.0",
     "@vitest/coverage-v8": "^4.0.18",
+    "supertest": "^7.2.2",
     "vitest": "^4.0.18"
   }
 }