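'use strict';

// Minimal express-like router.

/**
 * Build a tiny in-memory router.
 *
 * Routes are stored under the key "<METHOD> <path>" and matched by exact
 * string equality; there is no pattern matching and no middleware chain.
 *
 * @returns {{post: Function, handle: Function}} An app exposing
 *   `post(path, handler)` to register a POST handler and
 *   `handle(method, path, req, res)` to dispatch a request.
 */
function makeApp() {
  // A Map resolves only keys that were explicitly registered. A plain object
  // would also resolve properties inherited from Object.prototype, so the
  // route table could be influenced from outside this module.
  const routes = new Map();

  return {
    /**
     * Register a handler for POST requests to `path`.
     *
     * @param {string} path - Exact request path.
     * @param {Function} handler - Called as `handler(req, res)`.
     */
    post(path, handler) {
      routes.set(`POST ${path}`, handler);
    },

    /**
     * Dispatch a request to the registered handler.
     *
     * @param {string} method - HTTP method, e.g. 'POST'.
     * @param {string} path - Exact request path.
     * @param {object} req - Request object passed through to the handler.
     * @param {object} res - Response object passed through to the handler.
     * @returns {*} The handler's return value, or a 404 result object when
     *   no handler is registered for the method/path pair.
     */
    handle(method, path, req, res) {
      const handler = routes.get(`${method} ${path}`);
      if (handler) {
        return handler(req, res);
      }
      return { status: 404, body: 'not found' };
    },
  };
}

/**
 * Create the app and register its single route, POST /api/admin/exec.
 *
 * @returns {{post: Function, handle: Function}} The configured app.
 */
function createServer() {
  const app = makeApp();

  app.post('/api/admin/exec', (req) => {
    // Only the type of `code` is checked; its content is not restricted.
    if (!req || typeof req.body?.code !== 'string') {
      return { status: 400, body: 'bad request' };
    }

    // Sink: eval on admin endpoint (reachable)
    // SECURITY: request-supplied text is evaluated inside the server process,
    // and nothing in this handler or in makeApp() authenticates or authorises
    // the caller. The path name is the only thing marking this as "admin".
    // The sink is kept as written; if a real endpoint is needed, replace the
    // eval with a fixed allow-list of named operations and put an explicit
    // authorisation check in front of it. Anything thrown by the evaluated
    // code propagates to the caller of handle().
    // eslint-disable-next-line no-eval
    const result = eval(req.body.code);
    return { status: 200, body: String(result) };
  });

  return app;
}

module.exports = { createServer };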