# Agent 1 — Batch 2 Implementation Report

## Task
Implement `POST /api/content/:cxid/report` in `crates/cgcx-server/src/main.rs`.

## Changes Made

### 1. `crates/cgcx-server/Cargo.toml`
- Added dependency:
  ```toml
  reqwest = { version = "0.12", default-features = false, features = ["json", "rustls-tls"] }
  ```

### 2. `crates/cgcx-server/src/main.rs`
- **Imports**: Added `ReportRepo` to the `cgcx_db` import list.
- **AppState**: Added `http_client: reqwest::Client` field.
- **Main initialization**: Created `reqwest::Client::new()` and included it in `AppState`.
- **Route**: Added `.route("/api/content/:cxid/report", post(report_content))` to the main router.
  - The route is automatically covered by the existing `tower_governor::GovernorLayer` applied to the whole app.
- **Structs**:
  - Added `ReportRequest { reason: String }` for JSON deserialization.
- **Handler `report_content`**:
  1. Parses `cxid` from path parameter.
  2. Looks up content via `ContentRepo::get`; returns `404 Not Found` if missing.
  3. Validates content is active (not `Deleted` or `Blacklisted`); returns `404` otherwise.
  4. Counts associated files via `ContentFileRepo::list_by_content`.
  5. Inserts a report row via `ReportRepo::insert` with `reporter_user_id = 0`.
  6. Constructs an HTML notification message matching the bot’s report format:
     ```
     <b>[ NEW REPORT ]</b> #{report_id}

     CXID: <code>{cxid}</code>
     Reporter: <i>web</i>
     Owner: <code>{content.user_id}</code>
     Uploaded: <i>{content.created_at}</i>
     Files: <b>{file_count}</b>
     ```
  7. Sends the message to **all** configured `review_group_ids` via direct HTTPS `POST` to the Telegram Bot API (`{api_base}/bot{token}/sendMessage`).
  8. Includes an inline keyboard with the same admin actions as bot reports:
     - `[ Rmv + Ban ]` → `v1:admin:delblk:{report_id}`
     - `[ Delete Only ]` → `v1:admin:del:{report_id}`
     - `[ Blacklist Only ]` → `v1:admin:blk:{report_id}`
     - `[ Ignore ]` → `v1:admin:ign:{report_id}`
  9. If any HTTPS call fails, logs a `tracing::warn` but **does not** fail the HTTP request.
  10. Returns `204 No Content` on success.

## Validation

- `cargo check -p cgcx-server` — **PASSED** (clean compile, no warnings).
- The router merge order places the new route inside the same `Router` that gets the general governor layer, so rate limiting applies automatically.

## Open Risks / Notes

1. **Foreign Key for `reporter_user_id = 0`**: The `reports` table has `FOREIGN KEY (reporter_user_id) REFERENCES users(id)`. If SQLite `PRAGMA foreign_keys = ON` is active and no user with `id = 0` exists, the insert will fail with a database error (returned as `500 Internal Server Error`). This matches the explicit instruction to use `0` for web submissions, but the project may need a dummy user row or a schema adjustment if this becomes an issue in production.
2. **Telegram API failures are non-blocking**: As required, a failed notification is only logged; the caller still receives `204`. This means review groups could miss reports if the network or Telegram API is down.
3. **No dedicated rate limit for reports**: The endpoint shares the general API rate-limit bucket. If high report volume is expected, a separate governor config (like the password route) could be considered later.

## Recommended Next Step

- Verify the frontend report submission flow end-to-end against the new endpoint.
- Optionally seed a user with `id = 0` (or relax the FK) if web reports trigger foreign-key violations.

---
**Date**: 2026-05-24