@access-dlsu/leapify 0.260531.1 → 0.260601.1

package/dist/lib/middleware/cors.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"cors.d.ts","sourceRoot":"","sources":["../../../src/lib/middleware/cors.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,MAAM,CAAA;AAE7C,wBAAgB,oBAAoB,CAAC,cAAc,EAAE,MAAM,EAAE,GAAG,iBAAiB,CAiDhF"}
+{"version":3,"file":"cors.d.ts","sourceRoot":"","sources":["../../../src/lib/middleware/cors.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,MAAM,CAAA;AAoB7C,wBAAgB,oBAAoB,CAClC,cAAc,EAAE,MAAM,EAAE,GACvB,iBAAiB,CAgEnB"}

package/dist/lib/middleware/referer-guard.d.ts

@@ -7,7 +7,7 @@ import type { LeapifyBindings } from '../../types';
  * always allowed through without a Referer check.
  *
  * This is a friction layer — it stops naive raw-HTTP clients that don't set Referer.
- * Sophisticated clients can spoof it, so this must NOT be relied on as the sole control
+ * Sophisticated clients can spook it, so this must NOT be relied on as the sole control
  * for authenticated mutation endpoints (Firebase JWT is the primary control there).
  *
  * Skipped entirely for /health and /internal routes.

package/dist/lib/middleware/referer-guard.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"referer-guard.d.ts","sourceRoot":"","sources":["../../../src/lib/middleware/referer-guard.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,aAAa,CAAA;AAGlD;;;;;;;;;;;;GAYG;AACH,wBAAgB,kBAAkB,CAAC,cAAc,EAAE,MAAM,EAAE;cAIrB,eAAe;yBAsBpD"}
+{"version":3,"file":"referer-guard.d.ts","sourceRoot":"","sources":["../../../src/lib/middleware/referer-guard.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,aAAa,CAAA;AAqBlD;;;;;;;;;;;;GAYG;AACH,wBAAgB,kBAAkB,CAAC,cAAc,EAAE,MAAM,EAAE;cAIrB,eAAe;yBA2CpD"}

package/dist/routes/site-config.d.ts

@@ -1,4 +1,4 @@
-import { Hono } from "hono";
-import type { LeapifyEnv } from "../types";
+import { Hono } from 'hono';
+import type { LeapifyEnv } from '../types';
 export declare const siteConfigRoute: Hono<LeapifyEnv, import("hono/types").BlankSchema, "/">;
 //# sourceMappingURL=site-config.d.ts.map

package/dist/routes/site-config.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"site-config.d.ts","sourceRoot":"","sources":["../../src/routes/site-config.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,IAAI,EAAE,MAAM,MAAM,CAAC;AAC5B,OAAO,KAAK,EAAE,UAAU,EAAgC,MAAM,UAAU,CAAC;AAMzE,eAAO,MAAM,eAAe,yDAAyB,CAAC"}
+{"version":3,"file":"site-config.d.ts","sourceRoot":"","sources":["../../src/routes/site-config.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,IAAI,EAAE,MAAM,MAAM,CAAA;AAC3B,OAAO,KAAK,EAAE,UAAU,EAAgC,MAAM,UAAU,CAAA;AAMxE,eAAO,MAAM,eAAe,yDAAyB,CAAA"}

package/dist/worker.js

@@ -1,12 +1,12 @@
 import { Hono } from 'hono';
 import { cors } from 'hono/cors';
+import { drizzle } from 'drizzle-orm/d1';
+import { sqliteTable, integer, text, index, uniqueIndex } from 'drizzle-orm/sqlite-core';
+import { sql, relations, eq, and, count, lte } from 'drizzle-orm';
 import { createMiddleware } from 'hono/factory';
 import { betterAuth } from 'better-auth';
 import { drizzleAdapter } from 'better-auth/adapters/drizzle';
 import { bearer } from 'better-auth/plugins';
-import { sql, relations, eq, and, count, lte } from 'drizzle-orm';
-import { drizzle } from 'drizzle-orm/d1';
-import { sqliteTable, integer, text, index, uniqueIndex } from 'drizzle-orm/sqlite-core';
 import { zValidator } from '@hono/zod-validator';
 import { z } from 'zod';
 
@@ -24,6 +24,8 @@ var LeapifyError = class extends Error {
     this.code = code;
     this.name = "LeapifyError";
   }
+  statusCode;
+  code;
 };
 var unauthorized = (message = "Unauthorized") => new LeapifyError(401, "UNAUTHORIZED", message);
 var domainRestricted = () => new LeapifyError(
@@ -52,212 +54,6 @@ var errorHandler = (err, c) => {
     500
   );
 };
-function createCorsMiddleware(allowedOrigins) {
-  return async (c, next) => {
-    const origin = c.req.header("origin");
-    const dynamicOriginsJson = await c.env.KV.get("config:allowed_origins", "json");
-    const currentAllowedOrigins = dynamicOriginsJson ?? allowedOrigins;
-    if (c.req.path.startsWith("/api/uploads/images")) {
-      c.header("Access-Control-Allow-Origin", "*");
-      c.header("Access-Control-Allow-Methods", "GET, OPTIONS");
-      if (c.req.method === "OPTIONS") {
-        return c.body(null, 204);
-      }
-      return next();
-    }
-    if (!c.req.path.startsWith("/health") && !c.req.path.startsWith("/api/auth") && !c.req.path.startsWith("/internal") && origin && !currentAllowedOrigins.includes("*") && !currentAllowedOrigins.includes(origin)) {
-      return c.json(
-        {
-          error: {
-            code: "DOMAIN_RESTRICTED",
-            message: `Origin ${origin} is not allowed`
-          }
-        },
-        403
-      );
-    }
-    const honoCors = cors({
-      origin: currentAllowedOrigins,
-      allowMethods: ["GET", "POST", "PATCH", "DELETE", "OPTIONS"],
-      allowHeaders: ["Content-Type", "Authorization"],
-      exposeHeaders: ["ETag", "Last-Modified", "Cache-Control"],
-      maxAge: 86400,
-      credentials: true
-    });
-    return honoCors(c, next);
-  };
-}
-function createRefererGuard(allowedOrigins) {
-  const MUTATION_METHODS = /* @__PURE__ */ new Set(["POST", "PATCH", "PUT", "DELETE"]);
-  const SKIP_PREFIXES = ["/health", "/internal", "/api/auth", "/.well-known"];
-  return createMiddleware(async (c, next) => {
-    if (!MUTATION_METHODS.has(c.req.method)) return next();
-    if (SKIP_PREFIXES.some((p) => c.req.path.startsWith(p))) return next();
-    const dynamicOriginsJson = await c.env.KV.get("config:allowed_origins", "json");
-    const currentAllowedOrigins = dynamicOriginsJson ?? allowedOrigins;
-    if (currentAllowedOrigins.includes("*")) return next();
-    const referer = c.req.header("referer") ?? "";
-    const isAllowed = currentAllowedOrigins.some((origin) => referer.startsWith(origin));
-    if (!isAllowed) {
-      throw forbidden("Request origin not permitted");
-    }
-    return next();
-  });
-}
-var TURNSTILE_PATH = "/.well-known/leapify/turnstile";
-var TURNSTILE_VERIFY_PATH = `${TURNSTILE_PATH}/verify`;
-var TURNSTILE_COOKIE_NAME = "leapify-turnstile";
-var VERIFY_URL = "https://challenges.cloudflare.com/turnstile/v0/siteverify";
-var COOKIE_MAX_AGE_SEC = 86400;
-var EXEMPT_PATHS = [
-  "/health",
-  "/internal",
-  "/api/auth",
-  "/api/uploads/images",
-  "/api/classes",
-  "/api/faqs",
-  "/api/config",
-  TURNSTILE_VERIFY_PATH
-];
-function base64urlEncode(bytes) {
-  let binary = "";
-  for (const byte of bytes) {
-    binary += String.fromCharCode(byte);
-  }
-  return btoa(binary).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
-}
-function base64urlDecode(str) {
-  const padded = str.replace(/-/g, "+").replace(/_/g, "/");
-  const binary = atob(padded);
-  const bytes = new Uint8Array(new ArrayBuffer(binary.length));
-  for (let i = 0; i < binary.length; i++) {
-    bytes[i] = binary.charCodeAt(i);
-  }
-  return bytes;
-}
-async function importHmacKey(secret) {
-  return crypto.subtle.importKey(
-    "raw",
-    new TextEncoder().encode(secret),
-    { name: "HMAC", hash: "SHA-256" },
-    false,
-    ["sign", "verify"]
-  );
-}
-async function signCookie(secret, ip) {
-  const ts = Date.now();
-  const nonce = base64urlEncode(crypto.getRandomValues(new Uint8Array(8)));
-  const payload = `${ip}:${ts}:${nonce}`;
-  const key = await importHmacKey(secret);
-  const sig = await crypto.subtle.sign(
-    "HMAC",
-    key,
-    new TextEncoder().encode(payload)
-  );
-  const sigB64 = base64urlEncode(new Uint8Array(sig));
-  return `${base64urlEncode(new TextEncoder().encode(payload))}.${sigB64}`;
-}
-async function validateCookie(secret, cookie, ip) {
-  try {
-    const [payloadB64, sigB64] = cookie.split(".");
-    if (!payloadB64 || !sigB64) return false;
-    const payloadBytes = base64urlDecode(payloadB64);
-    const sigBytes = base64urlDecode(sigB64);
-    const key = await importHmacKey(secret);
-    const valid = await crypto.subtle.verify(
-      "HMAC",
-      key,
-      sigBytes,
-      payloadBytes
-    );
-    if (!valid) return false;
-    const payload = new TextDecoder().decode(payloadBytes);
-    const [cookieIp, tsStr] = payload.split(":");
-    if (cookieIp !== ip) return false;
-    const ts = parseInt(tsStr, 10);
-    if (isNaN(ts) || Date.now() - ts > COOKIE_MAX_AGE_SEC * 1e3) return false;
-    return true;
-  } catch {
-    return false;
-  }
-}
-function getClientIp(c) {
-  return c.req.header("CF-Connecting-IP") ?? c.req.header("X-Real-IP") ?? c.req.header("X-Forwarded-For")?.split(",")[0]?.trim() ?? "unknown";
-}
-function isExempt(path) {
-  const normalized = path.toLowerCase().replace(/\/$/, "");
-  return EXEMPT_PATHS.some((p) => {
-    const ep = p.toLowerCase().replace(/\/$/, "");
-    return normalized === ep || normalized.startsWith(ep + "/");
-  });
-}
-function setCookieHeader(c, token) {
-  const isSecure = c.req.raw.url.startsWith("https") || c.req.header("x-forwarded-proto") === "https";
-  c.header(
-    "Set-Cookie",
-    `${TURNSTILE_COOKIE_NAME}=${token}; Path=/; Max-Age=${COOKIE_MAX_AGE_SEC}; ${isSecure ? "Secure; " : ""}HttpOnly; SameSite=Lax`
-  );
-}
-async function handleTurnstileVerify(c) {
-  const body = await c.req.json();
-  const { token } = body;
-  if (!token) {
-    return c.json(
-      { error: { code: "VALIDATION_ERROR", message: "Missing Turnstile token" } },
-      422
-    );
-  }
-  const secret = c.env.TURNSTILE_SECRET_KEY;
-  if (!secret) {
-    return c.json(
-      { error: { code: "CONFIG_ERROR", message: "Turnstile not configured" } },
-      500
-    );
-  }
-  const ip = getClientIp(c);
-  const formData = new URLSearchParams();
-  formData.append("secret", secret);
-  formData.append("response", token);
-  if (ip !== "unknown") {
-    formData.append("remoteip", ip);
-  }
-  const res = await fetch(VERIFY_URL, {
-    method: "POST",
-    body: formData
-  });
-  const outcome = await res.json();
-  if (!outcome.success) {
-    return c.json(
-      { error: { code: "TURNSTILE_FAILED", message: "Turnstile verification failed", details: outcome["error-codes"] } },
-      403
-    );
-  }
-  const cookieToken = await signCookie(secret, ip);
-  setCookieHeader(c, cookieToken);
-  return c.json({ success: true });
-}
-function createTurnstileMiddleware() {
-  return createMiddleware(async (c, next) => {
-    if (isExempt(c.req.path)) return next();
-    if (c.req.method === "OPTIONS") return next();
-    if (c.req.header("Authorization")) return next();
-    const secret = c.env.TURNSTILE_SECRET_KEY;
-    if (!secret) return next();
-    const cookieHeader = c.req.header("Cookie") ?? "";
-    const cookieMatch = cookieHeader.match(
-      new RegExp(`${TURNSTILE_COOKIE_NAME}=([^;]+)`)
-    );
-    if (cookieMatch) {
-      const ip = getClientIp(c);
-      const valid = await validateCookie(secret, cookieMatch[1], ip);
-      if (valid) return next();
-    }
-    return c.json(
-      { error: { code: "TURNSTILE_REQUIRED", message: "Turnstile verification required" } },
-      401
-    );
-  });
-}
 
 // src/db/schema/index.ts
 var schema_exports = {};
@@ -490,8 +286,266 @@ var authVerification = sqliteTable(
 function createDb(d1) {
   return drizzle(d1, { schema: schema_exports });
 }
-
-// src/auth/auth.ts
+async function getOriginsFromDb(env) {
+  try {
+    const db = createDb(env.DB);
+    const row = await db.query.siteConfig.findFirst({
+      where: eq(siteConfig.key, "allowed_origins")
+    });
+    if (row) return JSON.parse(row.value);
+  } catch {
+  }
+  return null;
+}
+function createCorsMiddleware(allowedOrigins) {
+  return async (c, next) => {
+    const origin = c.req.header("origin");
+    const dynamicOriginsJson = await c.env.KV.get(
+      "config:allowed_origins",
+      "json"
+    );
+    let currentAllowedOrigins = dynamicOriginsJson ?? allowedOrigins;
+    if (!dynamicOriginsJson) {
+      const dbOrigins = await getOriginsFromDb(c.env);
+      if (dbOrigins) {
+        currentAllowedOrigins = dbOrigins;
+        await c.env.KV.put(
+          "config:allowed_origins",
+          JSON.stringify(dbOrigins),
+          { expirationTtl: 86400 }
+        );
+      }
+    }
+    if (c.req.path.startsWith("/api/uploads/images")) {
+      c.header("Access-Control-Allow-Origin", "*");
+      c.header("Access-Control-Allow-Methods", "GET, OPTIONS");
+      if (c.req.method === "OPTIONS") {
+        return c.body(null, 204);
+      }
+      return next();
+    }
+    if (!c.req.path.startsWith("/health") && !c.req.path.startsWith("/api/auth") && !c.req.path.startsWith("/internal") && origin && !currentAllowedOrigins.includes("*") && !currentAllowedOrigins.includes(origin) && origin !== new URL(c.req.url).origin) {
+      return c.json(
+        {
+          error: {
+            code: "DOMAIN_RESTRICTED",
+            message: `Origin ${origin} is not allowed`
+          }
+        },
+        403
+      );
+    }
+    const honoCors = cors({
+      origin: currentAllowedOrigins,
+      allowMethods: ["GET", "POST", "PATCH", "DELETE", "OPTIONS"],
+      allowHeaders: ["Content-Type", "Authorization"],
+      exposeHeaders: ["ETag", "Last-Modified", "Cache-Control"],
+      maxAge: 86400,
+      credentials: true
+    });
+    return honoCors(c, next);
+  };
+}
+async function getOriginsFromDb2(env) {
+  try {
+    const db = createDb(env.DB);
+    const row = await db.query.siteConfig.findFirst({
+      where: eq(siteConfig.key, "allowed_origins")
+    });
+    if (row) return JSON.parse(row.value);
+  } catch {
+  }
+  return null;
+}
+function createRefererGuard(allowedOrigins) {
+  const MUTATION_METHODS = /* @__PURE__ */ new Set(["POST", "PATCH", "PUT", "DELETE"]);
+  const SKIP_PREFIXES = ["/health", "/internal", "/api/auth", "/.well-known"];
+  return createMiddleware(async (c, next) => {
+    if (!MUTATION_METHODS.has(c.req.method)) return next();
+    if (SKIP_PREFIXES.some((p) => c.req.path.startsWith(p))) return next();
+    const dynamicOriginsJson = await c.env.KV.get(
+      "config:allowed_origins",
+      "json"
+    );
+    let currentAllowedOrigins = dynamicOriginsJson ?? allowedOrigins;
+    if (!dynamicOriginsJson) {
+      const dbOrigins = await getOriginsFromDb2(c.env);
+      if (dbOrigins) {
+        currentAllowedOrigins = dbOrigins;
+        await c.env.KV.put(
+          "config:allowed_origins",
+          JSON.stringify(dbOrigins),
+          { expirationTtl: 86400 }
+        );
+      }
+    }
+    if (currentAllowedOrigins.includes("*")) return next();
+    const referer = c.req.header("referer") ?? "";
+    const requestOrigin = new URL(c.req.url).origin;
+    if (referer.startsWith(requestOrigin)) return next();
+    const isAllowed = currentAllowedOrigins.some(
+      (origin) => referer.startsWith(origin)
+    );
+    if (!isAllowed) {
+      throw forbidden("Request origin not permitted");
+    }
+    return next();
+  });
+}
+var TURNSTILE_PATH = "/.well-known/leapify/turnstile";
+var TURNSTILE_VERIFY_PATH = `${TURNSTILE_PATH}/verify`;
+var TURNSTILE_COOKIE_NAME = "leapify-turnstile";
+var VERIFY_URL = "https://challenges.cloudflare.com/turnstile/v0/siteverify";
+var COOKIE_MAX_AGE_SEC = 86400;
+var EXEMPT_PATHS = [
+  "/health",
+  "/internal",
+  "/api/auth",
+  "/api/uploads/images",
+  "/api/classes",
+  "/api/faqs",
+  "/api/config",
+  TURNSTILE_VERIFY_PATH
+];
+function base64urlEncode(bytes) {
+  let binary = "";
+  for (const byte of bytes) {
+    binary += String.fromCharCode(byte);
+  }
+  return btoa(binary).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
+}
+function base64urlDecode(str) {
+  const padded = str.replace(/-/g, "+").replace(/_/g, "/");
+  const binary = atob(padded);
+  const bytes = new Uint8Array(new ArrayBuffer(binary.length));
+  for (let i = 0; i < binary.length; i++) {
+    bytes[i] = binary.charCodeAt(i);
+  }
+  return bytes;
+}
+async function importHmacKey(secret) {
+  return crypto.subtle.importKey(
+    "raw",
+    new TextEncoder().encode(secret),
+    { name: "HMAC", hash: "SHA-256" },
+    false,
+    ["sign", "verify"]
+  );
+}
+async function signCookie(secret, ip) {
+  const ts = Date.now();
+  const nonce = base64urlEncode(crypto.getRandomValues(new Uint8Array(8)));
+  const payload = `${ip}:${ts}:${nonce}`;
+  const key = await importHmacKey(secret);
+  const sig = await crypto.subtle.sign(
+    "HMAC",
+    key,
+    new TextEncoder().encode(payload)
+  );
+  const sigB64 = base64urlEncode(new Uint8Array(sig));
+  return `${base64urlEncode(new TextEncoder().encode(payload))}.${sigB64}`;
+}
+async function validateCookie(secret, cookie, ip) {
+  try {
+    const [payloadB64, sigB64] = cookie.split(".");
+    if (!payloadB64 || !sigB64) return false;
+    const payloadBytes = base64urlDecode(payloadB64);
+    const sigBytes = base64urlDecode(sigB64);
+    const key = await importHmacKey(secret);
+    const valid = await crypto.subtle.verify(
+      "HMAC",
+      key,
+      sigBytes,
+      payloadBytes
+    );
+    if (!valid) return false;
+    const payload = new TextDecoder().decode(payloadBytes);
+    const [cookieIp, tsStr] = payload.split(":");
+    if (cookieIp !== ip) return false;
+    const ts = parseInt(tsStr, 10);
+    if (isNaN(ts) || Date.now() - ts > COOKIE_MAX_AGE_SEC * 1e3) return false;
+    return true;
+  } catch {
+    return false;
+  }
+}
+function getClientIp(c) {
+  return c.req.header("CF-Connecting-IP") ?? c.req.header("X-Real-IP") ?? c.req.header("X-Forwarded-For")?.split(",")[0]?.trim() ?? "unknown";
+}
+function isExempt(path) {
+  const normalized = path.toLowerCase().replace(/\/$/, "");
+  return EXEMPT_PATHS.some((p) => {
+    const ep = p.toLowerCase().replace(/\/$/, "");
+    return normalized === ep || normalized.startsWith(ep + "/");
+  });
+}
+function setCookieHeader(c, token) {
+  const isSecure = c.req.raw.url.startsWith("https") || c.req.header("x-forwarded-proto") === "https";
+  c.header(
+    "Set-Cookie",
+    `${TURNSTILE_COOKIE_NAME}=${token}; Path=/; Max-Age=${COOKIE_MAX_AGE_SEC}; ${isSecure ? "Secure; " : ""}HttpOnly; SameSite=Lax`
+  );
+}
+async function handleTurnstileVerify(c) {
+  const body = await c.req.json();
+  const { token } = body;
+  if (!token) {
+    return c.json(
+      { error: { code: "VALIDATION_ERROR", message: "Missing Turnstile token" } },
+      422
+    );
+  }
+  const secret = c.env.TURNSTILE_SECRET_KEY;
+  if (!secret) {
+    return c.json(
+      { error: { code: "CONFIG_ERROR", message: "Turnstile not configured" } },
+      500
+    );
+  }
+  const ip = getClientIp(c);
+  const formData = new URLSearchParams();
+  formData.append("secret", secret);
+  formData.append("response", token);
+  if (ip !== "unknown") {
+    formData.append("remoteip", ip);
+  }
+  const res = await fetch(VERIFY_URL, {
+    method: "POST",
+    body: formData
+  });
+  const outcome = await res.json();
+  if (!outcome.success) {
+    return c.json(
+      { error: { code: "TURNSTILE_FAILED", message: "Turnstile verification failed", details: outcome["error-codes"] } },
+      403
+    );
+  }
+  const cookieToken = await signCookie(secret, ip);
+  setCookieHeader(c, cookieToken);
+  return c.json({ success: true });
+}
+function createTurnstileMiddleware() {
+  return createMiddleware(async (c, next) => {
+    if (isExempt(c.req.path)) return next();
+    if (c.req.method === "OPTIONS") return next();
+    if (c.req.header("Authorization")) return next();
+    const secret = c.env.TURNSTILE_SECRET_KEY;
+    if (!secret) return next();
+    const cookieHeader = c.req.header("Cookie") ?? "";
+    const cookieMatch = cookieHeader.match(
+      new RegExp(`${TURNSTILE_COOKIE_NAME}=([^;]+)`)
+    );
+    if (cookieMatch) {
+      const ip = getClientIp(c);
+      const valid = await validateCookie(secret, cookieMatch[1], ip);
+      if (valid) return next();
+    }
+    return c.json(
+      { error: { code: "TURNSTILE_REQUIRED", message: "Turnstile verification required" } },
+      401
+    );
+  });
+}
 var DLSU_DOMAIN = "@dlsu.edu.ph";
 function createAuth(env) {
   const db = createDb(env.DB);
@@ -787,7 +841,14 @@ healthRoute.get("/", async (c) => {
   const env = c.env;
   const hasSes = Boolean(env.SES_REGION) && Boolean(env.SES_ACCESS_KEY_ID) && Boolean(env.SES_SECRET_ACCESS_KEY);
   const hasResend = Boolean(env.RESEND_API_KEY);
-  const hasGForms = Boolean(env.GFORMS_SERVICE_ACCOUNT_JSON);
+  let hasGForms = false;
+  if (env.GFORMS_SERVICE_ACCOUNT_JSON) {
+    try {
+      const parsed = JSON.parse(env.GFORMS_SERVICE_ACCOUNT_JSON);
+      hasGForms = Boolean(parsed.client_email && parsed.private_key);
+    } catch {
+    }
+  }
   const probes = [];
   if (hasSes) {
     probes.push(
@@ -845,6 +906,7 @@ var CacheService = class {
   constructor(kv) {
     this.kv = kv;
   }
+  kv;
   async get(key) {
     return this.kv.get(key, "json");
   }
@@ -890,6 +952,8 @@ var SlotsService = class {
     this.db = db;
     this.cache = cache;
   }
+  db;
+  cache;
   kvKey(slug) {
     return `${SLOT_KV_PREFIX}${slug}`;
   }
@@ -1504,7 +1568,7 @@ siteConfigRoute.patch("/:key", authMiddleware, adminMiddleware, async (c) => {
     set: { value: JSON.stringify(value), updatedAt: now }
   });
   await c.env.KV.put(`config:${key}`, JSON.stringify(value), {
-    expirationTtl: 600
+    expirationTtl: 86400
   });
   return c.json({ data: { key, value } });
 });
@@ -1996,6 +2060,7 @@ var SesError = class extends Error {
     this.status = status;
     this.name = "SesError";
   }
+  status;
   /**
    * True for errors that are permanent (not worth retrying via SES again).
    * 400 BadRequest, 403 Forbidden, 404 NotFound → non-retryable.