feat(perm): block API endpoints for globally-disabled features (B-lite)

Adds backend/src/middleware/features.js with requireFeature(name)

that returns 404 when app_settings.feature_<name>_enabled='0'.

Wired on 8 routes:

- /api/pet            (pet)

- /api/collection     (collection)

- /api/red-book       (red_book)

- /api/flashcards     (flashcards)

- /api/knowledge-map  (knowledge_map)

- /api/biochem        (biochem)

- /api/games/hangman/*   (hangman, per-route inside games router)

- /api/games/crossword/* (crossword, per-route)

Scope: GLOBAL only. Per-class disable (classes.features JSON) and the

free_student role overlay remain UI-gated. Add user-aware merge later

if needed (extract logic from /api/features endpoint into shared helper).

Not gated (intentional, core teacher tools): board, classroom, live_quiz.

Smoke: pet disabled → 404; enabled → 401 (auth-required passthrough).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

backend/src/middleware/features.js

@@ -0,0 +1,41 @@
+'use strict';
+
+/**
+ * Feature-flag middleware: blocks the request when the named feature is
+ * globally disabled in app_settings.
+ *
+ * Scope (B-lite): GLOBAL only — checks the app_settings.feature_<name>_enabled
+ * row that admin toggles in the admin panel. Per-class disable
+ * (classes.features JSON) and the free_student role-level overlay
+ * (app_settings.free_student_features) are NOT checked here — those layers
+ * remain UI-gated in /api/features. A student bypassing the UI gate via
+ * direct curl is the documented limitation; can be tightened later by
+ * extracting the merge logic from server.js → /api/features into a shared
+ * helper.
+ *
+ * Default: missing key = enabled (opt-in disable model).
+ *
+ * Response: 404 on disabled feature (intentional — don't leak endpoint shape).
+ *
+ * Usage:
+ *   app.use('/api/pet', requireFeature('pet'), petRoutes);
+ *   router.get('/hangman/word', requireFeature('hangman'), authMiddleware, handler);
+ */
+const db = require('../db/db');
+
+const _stmt = db.prepare(
+  "SELECT value FROM app_settings WHERE key = ?"
+);
+
+function requireFeature(name) {
+  const settingKey = `feature_${name}_enabled`;
+  return (req, res, next) => {
+    const row = _stmt.get(settingKey);
+    if (row && row.value === '0') {
+      return res.status(404).json({ error: 'Feature disabled' });
+    }
+    next();
+  };
+}
+
+module.exports = { requireFeature };

backend/src/routes/games.js

@@ -1,10 +1,14 @@
 const router = require('express').Router();
 const { authMiddleware } = require('../middleware/auth');
+const { requireFeature } = require('../middleware/features');
 const c = require('../controllers/gamesController');
 
-router.get('/hangman/word',         authMiddleware, c.hangmanWord);
-router.post('/hangman/complete',    authMiddleware, c.hangmanComplete);
-router.get('/crossword/generate',   authMiddleware, c.crosswordGenerate);
-router.post('/crossword/complete',  authMiddleware, c.crosswordComplete);
+const hangman   = requireFeature('hangman');
+const crossword = requireFeature('crossword');
+
+router.get('/hangman/word',         hangman,   authMiddleware, c.hangmanWord);
+router.post('/hangman/complete',    hangman,   authMiddleware, c.hangmanComplete);
+router.get('/crossword/generate',   crossword, authMiddleware, c.crosswordGenerate);
+router.post('/crossword/complete',  crossword, authMiddleware, c.crosswordComplete);
 
 module.exports = router;

backend/src/server.js

@@ -130,6 +130,7 @@ app.use(express.json({ limit: '1mb' }));
 
 /* ── Global API rate limit ── */
 const rateLimit = require('./middleware/rateLimit');
+const { requireFeature } = require('./middleware/features');
 // Classroom real-time endpoints (cursor, stroke-preview) fire ~10/s per user — higher limit
 app.use('/api/classroom', rateLimit({ windowMs: 60_000, max: 6000, message: 'Слишком много запросов' }));
 app.use('/api', rateLimit({ windowMs: 60_000, max: 600, message: 'Слишком много запросов, подождите минуту' }));
@@ -154,7 +155,7 @@ app.use('/api/shop',          shopRoutes);
 app.use('/api/templates',     templateRoutes);
 app.use('/api/bookmarks',    bookmarkRoutes);
 app.use('/api/search',       searchRoutes);
-app.use('/api/flashcards',   flashcardRoutes);
+app.use('/api/flashcards',   requireFeature('flashcards'), flashcardRoutes);
 app.use('/api/settings',    settingsRoutes);
 app.use('/api/preferences', require('./routes/preferences'));
 app.use('/api/avatar',     require('./routes/avatar'));
@@ -163,11 +164,11 @@ app.use('/api/live',              liveRoutes);
 app.use('/api/classroom/guest',   guestClassroomRoutes); // public — MUST be before /api/classroom
 app.use('/api/classroom',         classroomRoutes);
 app.use('/api/games',        gamesRoutes);
-app.use('/api/knowledge-map', knowledgeMapRoutes);
-app.use('/api/pet',          petRoutes);
-app.use('/api/collection',   collectionRoutes);
-app.use('/api/red-book',     redBookRoutes);
-app.use('/api/biochem',      require('./routes/biochem'));
+app.use('/api/knowledge-map', requireFeature('knowledge_map'), knowledgeMapRoutes);
+app.use('/api/pet',          requireFeature('pet'),           petRoutes);
+app.use('/api/collection',   requireFeature('collection'),    collectionRoutes);
+app.use('/api/red-book',     requireFeature('red_book'),      redBookRoutes);
+app.use('/api/biochem',      requireFeature('biochem'),       require('./routes/biochem'));
 app.use('/api/parent',       parentRoutes);
 app.use('/api/exam9',        exam9Routes);
 app.use('/api/textbooks',    textbookRoutes);