npm - @access-dlsu/leapify - Versions diffs - 0.260531.1 → 0.260601.2 - Mend

@access-dlsu/leapify 0.260531.1 → 0.260601.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (31) hide show

package/dist/app.d.ts.map +1 -1
package/dist/auth/auth.d.ts +2 -2
package/dist/client/auth.d.ts +41 -41
package/dist/client/index.cjs +9 -0
package/dist/client/index.cjs.map +1 -1
package/dist/client/index.d.ts +7 -0
package/dist/client/index.d.ts.map +1 -1
package/dist/client/index.js +9 -0
package/dist/client/index.js.map +1 -1
package/dist/cron/reconcile-slots.d.ts.map +1 -1
package/dist/index.cjs +343 -222
package/dist/index.cjs.map +1 -1
package/dist/index.js +346 -225
package/dist/index.js.map +1 -1
package/dist/lib/middleware/cors.d.ts.map +1 -1
package/dist/lib/middleware/referer-guard.d.ts +1 -1
package/dist/lib/middleware/referer-guard.d.ts.map +1 -1
package/dist/routes/internal/batch-release.d.ts +4 -0
package/dist/routes/internal/batch-release.d.ts.map +1 -0
package/dist/routes/internal/reconcile-slots.d.ts +4 -0
package/dist/routes/internal/reconcile-slots.d.ts.map +1 -0
package/dist/routes/internal/reminder-emails.d.ts +4 -0
package/dist/routes/internal/reminder-emails.d.ts.map +1 -0
package/dist/routes/internal/renew-watches.d.ts +4 -0
package/dist/routes/internal/renew-watches.d.ts.map +1 -0
package/dist/routes/site-config.d.ts +2 -2
package/dist/routes/site-config.d.ts.map +1 -1
package/dist/services/gforms.d.ts.map +1 -1
package/dist/worker.js +539 -418
package/dist/worker.js.map +1 -1
package/package.json +155 -155

package/dist/worker.js CHANGED Viewed

@@ -1,12 +1,12 @@
 import { Hono } from 'hono';
 import { cors } from 'hono/cors';
+import { drizzle } from 'drizzle-orm/d1';
+import { sqliteTable, integer, text, index, uniqueIndex } from 'drizzle-orm/sqlite-core';
+import { sql, relations, eq, and, count, isNotNull, lte } from 'drizzle-orm';
 import { createMiddleware } from 'hono/factory';
 import { betterAuth } from 'better-auth';
 import { drizzleAdapter } from 'better-auth/adapters/drizzle';
 import { bearer } from 'better-auth/plugins';
-import { sql, relations, eq, and, count, lte } from 'drizzle-orm';
-import { drizzle } from 'drizzle-orm/d1';
-import { sqliteTable, integer, text, index, uniqueIndex } from 'drizzle-orm/sqlite-core';
 import { zValidator } from '@hono/zod-validator';
 import { z } from 'zod';
@@ -24,6 +24,8 @@ var LeapifyError = class extends Error {
     this.code = code;
     this.name = "LeapifyError";
   }
+  statusCode;
+  code;
 };
 var unauthorized = (message = "Unauthorized") => new LeapifyError(401, "UNAUTHORIZED", message);
 var domainRestricted = () => new LeapifyError(
@@ -52,212 +54,6 @@ var errorHandler = (err, c) => {
     500
   );
 };
-function createCorsMiddleware(allowedOrigins) {
-  return async (c, next) => {
-    const origin = c.req.header("origin");
-    const dynamicOriginsJson = await c.env.KV.get("config:allowed_origins", "json");
-    const currentAllowedOrigins = dynamicOriginsJson ?? allowedOrigins;
-    if (c.req.path.startsWith("/api/uploads/images")) {
-      c.header("Access-Control-Allow-Origin", "*");
-      c.header("Access-Control-Allow-Methods", "GET, OPTIONS");
-      if (c.req.method === "OPTIONS") {
-        return c.body(null, 204);
-      }
-      return next();
-    }
-    if (!c.req.path.startsWith("/health") && !c.req.path.startsWith("/api/auth") && !c.req.path.startsWith("/internal") && origin && !currentAllowedOrigins.includes("*") && !currentAllowedOrigins.includes(origin)) {
-      return c.json(
-        {
-          error: {
-            code: "DOMAIN_RESTRICTED",
-            message: `Origin ${origin} is not allowed`
-          }
-        },
-        403
-      );
-    }
-    const honoCors = cors({
-      origin: currentAllowedOrigins,
-      allowMethods: ["GET", "POST", "PATCH", "DELETE", "OPTIONS"],
-      allowHeaders: ["Content-Type", "Authorization"],
-      exposeHeaders: ["ETag", "Last-Modified", "Cache-Control"],
-      maxAge: 86400,
-      credentials: true
-    });
-    return honoCors(c, next);
-  };
-}
-function createRefererGuard(allowedOrigins) {
-  const MUTATION_METHODS = /* @__PURE__ */ new Set(["POST", "PATCH", "PUT", "DELETE"]);
-  const SKIP_PREFIXES = ["/health", "/internal", "/api/auth", "/.well-known"];
-  return createMiddleware(async (c, next) => {
-    if (!MUTATION_METHODS.has(c.req.method)) return next();
-    if (SKIP_PREFIXES.some((p) => c.req.path.startsWith(p))) return next();
-    const dynamicOriginsJson = await c.env.KV.get("config:allowed_origins", "json");
-    const currentAllowedOrigins = dynamicOriginsJson ?? allowedOrigins;
-    if (currentAllowedOrigins.includes("*")) return next();
-    const referer = c.req.header("referer") ?? "";
-    const isAllowed = currentAllowedOrigins.some((origin) => referer.startsWith(origin));
-    if (!isAllowed) {
-      throw forbidden("Request origin not permitted");
-    }
-    return next();
-  });
-}
-var TURNSTILE_PATH = "/.well-known/leapify/turnstile";
-var TURNSTILE_VERIFY_PATH = `${TURNSTILE_PATH}/verify`;
-var TURNSTILE_COOKIE_NAME = "leapify-turnstile";
-var VERIFY_URL = "https://challenges.cloudflare.com/turnstile/v0/siteverify";
-var COOKIE_MAX_AGE_SEC = 86400;
-var EXEMPT_PATHS = [
-  "/health",
-  "/internal",
-  "/api/auth",
-  "/api/uploads/images",
-  "/api/classes",
-  "/api/faqs",
-  "/api/config",
-  TURNSTILE_VERIFY_PATH
-];
-function base64urlEncode(bytes) {
-  let binary = "";
-  for (const byte of bytes) {
-    binary += String.fromCharCode(byte);
-  }
-  return btoa(binary).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
-}
-function base64urlDecode(str) {
-  const padded = str.replace(/-/g, "+").replace(/_/g, "/");
-  const binary = atob(padded);
-  const bytes = new Uint8Array(new ArrayBuffer(binary.length));
-  for (let i = 0; i < binary.length; i++) {
-    bytes[i] = binary.charCodeAt(i);
-  }
-  return bytes;
-}
-async function importHmacKey(secret) {
-  return crypto.subtle.importKey(
-    "raw",
-    new TextEncoder().encode(secret),
-    { name: "HMAC", hash: "SHA-256" },
-    false,
-    ["sign", "verify"]
-  );
-}
-async function signCookie(secret, ip) {
-  const ts = Date.now();
-  const nonce = base64urlEncode(crypto.getRandomValues(new Uint8Array(8)));
-  const payload = `${ip}:${ts}:${nonce}`;
-  const key = await importHmacKey(secret);
-  const sig = await crypto.subtle.sign(
-    "HMAC",
-    key,
-    new TextEncoder().encode(payload)
-  );
-  const sigB64 = base64urlEncode(new Uint8Array(sig));
-  return `${base64urlEncode(new TextEncoder().encode(payload))}.${sigB64}`;
-}
-async function validateCookie(secret, cookie, ip) {
-  try {
-    const [payloadB64, sigB64] = cookie.split(".");
-    if (!payloadB64 || !sigB64) return false;
-    const payloadBytes = base64urlDecode(payloadB64);
-    const sigBytes = base64urlDecode(sigB64);
-    const key = await importHmacKey(secret);
-    const valid = await crypto.subtle.verify(
-      "HMAC",
-      key,
-      sigBytes,
-      payloadBytes
-    );
-    if (!valid) return false;
-    const payload = new TextDecoder().decode(payloadBytes);
-    const [cookieIp, tsStr] = payload.split(":");
-    if (cookieIp !== ip) return false;
-    const ts = parseInt(tsStr, 10);
-    if (isNaN(ts) || Date.now() - ts > COOKIE_MAX_AGE_SEC * 1e3) return false;
-    return true;
-  } catch {
-    return false;
-  }
-}
-function getClientIp(c) {
-  return c.req.header("CF-Connecting-IP") ?? c.req.header("X-Real-IP") ?? c.req.header("X-Forwarded-For")?.split(",")[0]?.trim() ?? "unknown";
-}
-function isExempt(path) {
-  const normalized = path.toLowerCase().replace(/\/$/, "");
-  return EXEMPT_PATHS.some((p) => {
-    const ep = p.toLowerCase().replace(/\/$/, "");
-    return normalized === ep || normalized.startsWith(ep + "/");
-  });
-}
-function setCookieHeader(c, token) {
-  const isSecure = c.req.raw.url.startsWith("https") || c.req.header("x-forwarded-proto") === "https";
-  c.header(
-    "Set-Cookie",
-    `${TURNSTILE_COOKIE_NAME}=${token}; Path=/; Max-Age=${COOKIE_MAX_AGE_SEC}; ${isSecure ? "Secure; " : ""}HttpOnly; SameSite=Lax`
-  );
-}
-async function handleTurnstileVerify(c) {
-  const body = await c.req.json();
-  const { token } = body;
-  if (!token) {
-    return c.json(
-      { error: { code: "VALIDATION_ERROR", message: "Missing Turnstile token" } },
-      422
-    );
-  }
-  const secret = c.env.TURNSTILE_SECRET_KEY;
-  if (!secret) {
-    return c.json(
-      { error: { code: "CONFIG_ERROR", message: "Turnstile not configured" } },
-      500
-    );
-  }
-  const ip = getClientIp(c);
-  const formData = new URLSearchParams();
-  formData.append("secret", secret);
-  formData.append("response", token);
-  if (ip !== "unknown") {
-    formData.append("remoteip", ip);
-  }
-  const res = await fetch(VERIFY_URL, {
-    method: "POST",
-    body: formData
-  });
-  const outcome = await res.json();
-  if (!outcome.success) {
-    return c.json(
-      { error: { code: "TURNSTILE_FAILED", message: "Turnstile verification failed", details: outcome["error-codes"] } },
-      403
-    );
-  }
-  const cookieToken = await signCookie(secret, ip);
-  setCookieHeader(c, cookieToken);
-  return c.json({ success: true });
-}
-function createTurnstileMiddleware() {
-  return createMiddleware(async (c, next) => {
-    if (isExempt(c.req.path)) return next();
-    if (c.req.method === "OPTIONS") return next();
-    if (c.req.header("Authorization")) return next();
-    const secret = c.env.TURNSTILE_SECRET_KEY;
-    if (!secret) return next();
-    const cookieHeader = c.req.header("Cookie") ?? "";
-    const cookieMatch = cookieHeader.match(
-      new RegExp(`${TURNSTILE_COOKIE_NAME}=([^;]+)`)
-    );
-    if (cookieMatch) {
-      const ip = getClientIp(c);
-      const valid = await validateCookie(secret, cookieMatch[1], ip);
-      if (valid) return next();
-    }
-    return c.json(
-      { error: { code: "TURNSTILE_REQUIRED", message: "Turnstile verification required" } },
-      401
-    );
-  });
-}
 // src/db/schema/index.ts
 var schema_exports = {};
@@ -490,8 +286,266 @@ var authVerification = sqliteTable(
 function createDb(d1) {
   return drizzle(d1, { schema: schema_exports });
 }
-// src/auth/auth.ts
+async function getOriginsFromDb(env) {
+  try {
+    const db = createDb(env.DB);
+    const row = await db.query.siteConfig.findFirst({
+      where: eq(siteConfig.key, "allowed_origins")
+    });
+    if (row) return JSON.parse(row.value);
+  } catch {
+  }
+  return null;
+}
+function createCorsMiddleware(allowedOrigins) {
+  return async (c, next) => {
+    const origin = c.req.header("origin");
+    const dynamicOriginsJson = await c.env.KV.get(
+      "config:allowed_origins",
+      "json"
+    );
+    let currentAllowedOrigins = dynamicOriginsJson ?? allowedOrigins;
+    if (!dynamicOriginsJson) {
+      const dbOrigins = await getOriginsFromDb(c.env);
+      if (dbOrigins) {
+        currentAllowedOrigins = dbOrigins;
+        await c.env.KV.put(
+          "config:allowed_origins",
+          JSON.stringify(dbOrigins),
+          { expirationTtl: 86400 }
+        );
+      }
+    }
+    if (c.req.path.startsWith("/api/uploads/images")) {
+      c.header("Access-Control-Allow-Origin", "*");
+      c.header("Access-Control-Allow-Methods", "GET, OPTIONS");
+      if (c.req.method === "OPTIONS") {
+        return c.body(null, 204);
+      }
+      return next();
+    }
+    if (!c.req.path.startsWith("/health") && !c.req.path.startsWith("/api/auth") && !c.req.path.startsWith("/internal") && origin && !currentAllowedOrigins.includes("*") && !currentAllowedOrigins.includes(origin) && origin !== new URL(c.req.url).origin) {
+      return c.json(
+        {
+          error: {
+            code: "DOMAIN_RESTRICTED",
+            message: `Origin ${origin} is not allowed`
+          }
+        },
+        403
+      );
+    }
+    const honoCors = cors({
+      origin: currentAllowedOrigins,
+      allowMethods: ["GET", "POST", "PATCH", "DELETE", "OPTIONS"],
+      allowHeaders: ["Content-Type", "Authorization"],
+      exposeHeaders: ["ETag", "Last-Modified", "Cache-Control"],
+      maxAge: 86400,
+      credentials: true
+    });
+    return honoCors(c, next);
+  };
+}
+async function getOriginsFromDb2(env) {
+  try {
+    const db = createDb(env.DB);
+    const row = await db.query.siteConfig.findFirst({
+      where: eq(siteConfig.key, "allowed_origins")
+    });
+    if (row) return JSON.parse(row.value);
+  } catch {
+  }
+  return null;
+}
+function createRefererGuard(allowedOrigins) {
+  const MUTATION_METHODS = /* @__PURE__ */ new Set(["POST", "PATCH", "PUT", "DELETE"]);
+  const SKIP_PREFIXES = ["/health", "/internal", "/api/auth", "/.well-known"];
+  return createMiddleware(async (c, next) => {
+    if (!MUTATION_METHODS.has(c.req.method)) return next();
+    if (SKIP_PREFIXES.some((p) => c.req.path.startsWith(p))) return next();
+    const dynamicOriginsJson = await c.env.KV.get(
+      "config:allowed_origins",
+      "json"
+    );
+    let currentAllowedOrigins = dynamicOriginsJson ?? allowedOrigins;
+    if (!dynamicOriginsJson) {
+      const dbOrigins = await getOriginsFromDb2(c.env);
+      if (dbOrigins) {
+        currentAllowedOrigins = dbOrigins;
+        await c.env.KV.put(
+          "config:allowed_origins",
+          JSON.stringify(dbOrigins),
+          { expirationTtl: 86400 }
+        );
+      }
+    }
+    if (currentAllowedOrigins.includes("*")) return next();
+    const referer = c.req.header("referer") ?? "";
+    const requestOrigin = new URL(c.req.url).origin;
+    if (referer.startsWith(requestOrigin)) return next();
+    const isAllowed = currentAllowedOrigins.some(
+      (origin) => referer.startsWith(origin)
+    );
+    if (!isAllowed) {
+      throw forbidden("Request origin not permitted");
+    }
+    return next();
+  });
+}
+var TURNSTILE_PATH = "/.well-known/leapify/turnstile";
+var TURNSTILE_VERIFY_PATH = `${TURNSTILE_PATH}/verify`;
+var TURNSTILE_COOKIE_NAME = "leapify-turnstile";
+var VERIFY_URL = "https://challenges.cloudflare.com/turnstile/v0/siteverify";
+var COOKIE_MAX_AGE_SEC = 86400;
+var EXEMPT_PATHS = [
+  "/health",
+  "/internal",
+  "/api/auth",
+  "/api/uploads/images",
+  "/api/classes",
+  "/api/faqs",
+  "/api/config",
+  TURNSTILE_VERIFY_PATH
+];
+function base64urlEncode(bytes) {
+  let binary = "";
+  for (const byte of bytes) {
+    binary += String.fromCharCode(byte);
+  }
+  return btoa(binary).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
+}
+function base64urlDecode(str) {
+  const padded = str.replace(/-/g, "+").replace(/_/g, "/");
+  const binary = atob(padded);
+  const bytes = new Uint8Array(new ArrayBuffer(binary.length));
+  for (let i = 0; i < binary.length; i++) {
+    bytes[i] = binary.charCodeAt(i);
+  }
+  return bytes;
+}
+async function importHmacKey(secret) {
+  return crypto.subtle.importKey(
+    "raw",
+    new TextEncoder().encode(secret),
+    { name: "HMAC", hash: "SHA-256" },
+    false,
+    ["sign", "verify"]
+  );
+}
+async function signCookie(secret, ip) {
+  const ts = Date.now();
+  const nonce = base64urlEncode(crypto.getRandomValues(new Uint8Array(8)));
+  const payload = `${ip}:${ts}:${nonce}`;
+  const key = await importHmacKey(secret);
+  const sig = await crypto.subtle.sign(
+    "HMAC",
+    key,
+    new TextEncoder().encode(payload)
+  );
+  const sigB64 = base64urlEncode(new Uint8Array(sig));
+  return `${base64urlEncode(new TextEncoder().encode(payload))}.${sigB64}`;
+}
+async function validateCookie(secret, cookie, ip) {
+  try {
+    const [payloadB64, sigB64] = cookie.split(".");
+    if (!payloadB64 || !sigB64) return false;
+    const payloadBytes = base64urlDecode(payloadB64);
+    const sigBytes = base64urlDecode(sigB64);
+    const key = await importHmacKey(secret);
+    const valid = await crypto.subtle.verify(
+      "HMAC",
+      key,
+      sigBytes,
+      payloadBytes
+    );
+    if (!valid) return false;
+    const payload = new TextDecoder().decode(payloadBytes);
+    const [cookieIp, tsStr] = payload.split(":");
+    if (cookieIp !== ip) return false;
+    const ts = parseInt(tsStr, 10);
+    if (isNaN(ts) || Date.now() - ts > COOKIE_MAX_AGE_SEC * 1e3) return false;
+    return true;
+  } catch {
+    return false;
+  }
+}
+function getClientIp(c) {
+  return c.req.header("CF-Connecting-IP") ?? c.req.header("X-Real-IP") ?? c.req.header("X-Forwarded-For")?.split(",")[0]?.trim() ?? "unknown";
+}
+function isExempt(path) {
+  const normalized = path.toLowerCase().replace(/\/$/, "");
+  return EXEMPT_PATHS.some((p) => {
+    const ep = p.toLowerCase().replace(/\/$/, "");
+    return normalized === ep || normalized.startsWith(ep + "/");
+  });
+}
+function setCookieHeader(c, token) {
+  const isSecure = c.req.raw.url.startsWith("https") || c.req.header("x-forwarded-proto") === "https";
+  c.header(
+    "Set-Cookie",
+    `${TURNSTILE_COOKIE_NAME}=${token}; Path=/; Max-Age=${COOKIE_MAX_AGE_SEC}; ${isSecure ? "Secure; " : ""}HttpOnly; SameSite=Lax`
+  );
+}
+async function handleTurnstileVerify(c) {
+  const body = await c.req.json();
+  const { token } = body;
+  if (!token) {
+    return c.json(
+      { error: { code: "VALIDATION_ERROR", message: "Missing Turnstile token" } },
+      422
+    );
+  }
+  const secret = c.env.TURNSTILE_SECRET_KEY;
+  if (!secret) {
+    return c.json(
+      { error: { code: "CONFIG_ERROR", message: "Turnstile not configured" } },
+      500
+    );
+  }
+  const ip = getClientIp(c);
+  const formData = new URLSearchParams();
+  formData.append("secret", secret);
+  formData.append("response", token);
+  if (ip !== "unknown") {
+    formData.append("remoteip", ip);
+  }
+  const res = await fetch(VERIFY_URL, {
+    method: "POST",
+    body: formData
+  });
+  const outcome = await res.json();
+  if (!outcome.success) {
+    return c.json(
+      { error: { code: "TURNSTILE_FAILED", message: "Turnstile verification failed", details: outcome["error-codes"] } },
+      403
+    );
+  }
+  const cookieToken = await signCookie(secret, ip);
+  setCookieHeader(c, cookieToken);
+  return c.json({ success: true });
+}
+function createTurnstileMiddleware() {
+  return createMiddleware(async (c, next) => {
+    if (isExempt(c.req.path)) return next();
+    if (c.req.method === "OPTIONS") return next();
+    if (c.req.header("Authorization")) return next();
+    const secret = c.env.TURNSTILE_SECRET_KEY;
+    if (!secret) return next();
+    const cookieHeader = c.req.header("Cookie") ?? "";
+    const cookieMatch = cookieHeader.match(
+      new RegExp(`${TURNSTILE_COOKIE_NAME}=([^;]+)`)
+    );
+    if (cookieMatch) {
+      const ip = getClientIp(c);
+      const valid = await validateCookie(secret, cookieMatch[1], ip);
+      if (valid) return next();
+    }
+    return c.json(
+      { error: { code: "TURNSTILE_REQUIRED", message: "Turnstile verification required" } },
+      401
+    );
+  });
+}
 var DLSU_DOMAIN = "@dlsu.edu.ph";
 function createAuth(env) {
   const db = createDb(env.DB);
@@ -787,7 +841,14 @@ healthRoute.get("/", async (c) => {
   const env = c.env;
   const hasSes = Boolean(env.SES_REGION) && Boolean(env.SES_ACCESS_KEY_ID) && Boolean(env.SES_SECRET_ACCESS_KEY);
   const hasResend = Boolean(env.RESEND_API_KEY);
-  const hasGForms = Boolean(env.GFORMS_SERVICE_ACCOUNT_JSON);
+  let hasGForms = false;
+  if (env.GFORMS_SERVICE_ACCOUNT_JSON) {
+    try {
+      const parsed = JSON.parse(env.GFORMS_SERVICE_ACCOUNT_JSON);
+      hasGForms = Boolean(parsed.client_email && parsed.private_key);
+    } catch {
+    }
+  }
   const probes = [];
   if (hasSes) {
     probes.push(
@@ -845,6 +906,7 @@ var CacheService = class {
   constructor(kv) {
     this.kv = kv;
   }
+  kv;
   async get(key) {
     return this.kv.get(key, "json");
   }
@@ -890,6 +952,8 @@ var SlotsService = class {
     this.db = db;
     this.cache = cache;
   }
+  db;
+  cache;
   kvKey(slug) {
     return `${SLOT_KV_PREFIX}${slug}`;
   }
@@ -1044,7 +1108,10 @@ var GFormsService = class {
       const response = await fetch(url.toString(), {
         headers: { Authorization: `Bearer ${token}` }
       });
-      if (!response.ok) throw new Error(`Forms API error: ${response.status}`);
+      if (!response.ok) {
+        const err = await response.text();
+        throw new Error(`Forms API error: ${response.status} ${err}`);
+      }
       const data = await response.json();
       allResponses.push(...data.responses ?? []);
       pageToken = data.nextPageToken;
@@ -1318,6 +1385,27 @@ classesRoute.get("/:slug/slots", eventsSlotsRateLimit, async (c) => {
   c.header("Cache-Control", "public, max-age=5, stale-while-revalidate=5");
   return c.json({ data: info });
 });
+classesRoute.post("/:slug/reconcile", authMiddleware, adminMiddleware, async (c) => {
+  const { slug } = c.req.param();
+  const db = createDb(c.env.DB);
+  const cache = new CacheService(c.env.KV);
+  const gforms = new GFormsService(c.env.GFORMS_SERVICE_ACCOUNT_JSON);
+  const slots = new SlotsService(db, cache);
+  const event = await db.query.events.findFirst({
+    where: eq(events.slug, slug),
+    columns: { gformsId: true }
+  });
+  if (!event) throw notFound("Event");
+  if (!event.gformsId) return c.json({ error: "No gformsId set for this event" }, 400);
+  try {
+    const googleCount = await gforms.getExactResponseCount(event.gformsId);
+    await slots.correctCount(slug, googleCount);
+    return c.json({ data: { registeredSlots: googleCount } });
+  } catch (err) {
+    const message = err?.message ?? "Failed to fetch from Google Forms API";
+    return c.json({ error: { code: "GFORMS_API_ERROR", message } }, 502);
+  }
+});
 classesRoute.post(
   "/",
   authMiddleware,
@@ -1504,7 +1592,7 @@ siteConfigRoute.patch("/:key", authMiddleware, adminMiddleware, async (c) => {
     set: { value: JSON.stringify(value), updatedAt: now }
   });
   await c.env.KV.put(`config:${key}`, JSON.stringify(value), {
-    expirationTtl: 600
+    expirationTtl: 86400
   });
   return c.json({ data: { key, value } });
 });
@@ -1577,54 +1665,244 @@ gformsWebhookRoute.post("/", internalMiddleware, async (c) => {
       return c.json({ error: "Invalid signature" }, 403);
     }
   }
-  let payload;
-  try {
-    payload = JSON.parse(rawBody);
-  } catch {
-    return c.json({ error: "Invalid payload" }, 400);
-  }
-  const { formId } = payload;
-  if (!formId) return c.json({ error: "Missing formId" }, 400);
-  const db = createDb(c.env.DB);
-  const cache = new CacheService(c.env.KV);
-  const event = await db.query.events.findFirst({
-    where: eq(events.gformsId, formId),
-    columns: { slug: true, maxSlots: true, registeredSlots: true }
+  let payload;
+  try {
+    payload = JSON.parse(rawBody);
+  } catch {
+    return c.json({ error: "Invalid payload" }, 400);
+  }
+  const { formId } = payload;
+  if (!formId) return c.json({ error: "Missing formId" }, 400);
+  const db = createDb(c.env.DB);
+  const cache = new CacheService(c.env.KV);
+  const event = await db.query.events.findFirst({
+    where: eq(events.gformsId, formId),
+    columns: { slug: true, maxSlots: true, registeredSlots: true }
+  });
+  if (!event) {
+    console.warn(`[gforms-webhook] Unknown formId: ${formId}`);
+    return c.json({ ok: true });
+  }
+  const slotsService = new SlotsService(db, cache);
+  const updated = await slotsService.increment(event.slug);
+  console.log(
+    `[gforms-webhook] Incremented "${event.slug}": ${updated?.registered}/${updated?.total}`
+  );
+  return c.json({ ok: true });
+});
+async function verifyGoogSignature(body, signature, secret) {
+  try {
+    const key = await crypto.subtle.importKey(
+      "raw",
+      new TextEncoder().encode(secret),
+      { name: "HMAC", hash: "SHA-256" },
+      false,
+      ["verify"]
+    );
+    const sigHex = signature.replace(/^hmac-sha256=/, "");
+    const sigBytes = Uint8Array.from(
+      sigHex.match(/.{1,2}/g)?.map((b) => parseInt(b, 16)) ?? []
+    );
+    return crypto.subtle.verify(
+      "HMAC",
+      key,
+      sigBytes,
+      new TextEncoder().encode(body)
+    );
+  } catch {
+    return false;
+  }
+}
+var LOCK_KEY = "cron:reconcile-slots:lock";
+var LOCK_TTL = 300;
+async function reconcileSlots(env) {
+  const db = createDb(env.DB);
+  const cache = new CacheService(env.KV);
+  const gforms = new GFormsService(env.GFORMS_SERVICE_ACCOUNT_JSON);
+  const slots = new SlotsService(db, cache);
+  const lock = await cache.get(LOCK_KEY);
+  if (lock) {
+    console.log("[reconcile-slots] Lock held, skipping.");
+    return;
+  }
+  await cache.set(LOCK_KEY, "1", LOCK_TTL);
+  try {
+    const publishedEvents = await db.query.events.findMany({
+      where: isNotNull(events.gformsId),
+      columns: { id: true, slug: true, gformsId: true, registeredSlots: true }
+    });
+    const eventsWithForms = publishedEvents.filter((e) => e.gformsId);
+    let corrected = 0;
+    for (const event of eventsWithForms) {
+      try {
+        const googleCount = await gforms.getExactResponseCount(event.gformsId);
+        const localCount = event.registeredSlots;
+        if (googleCount !== localCount) {
+          console.warn(
+            `[reconcile-slots] Drift on "${event.slug}": local=${localCount}, google=${googleCount}`
+          );
+          await slots.correctCount(event.slug, googleCount);
+          corrected++;
+        }
+      } catch (err) {
+        console.error(`[reconcile-slots] Error checking "${event.slug}":`, err);
+      }
+    }
+    console.log(
+      `[reconcile-slots] Checked ${eventsWithForms.length} events, corrected ${corrected}.`
+    );
+  } finally {
+    await cache.del(LOCK_KEY);
+  }
+}
+// src/routes/internal/reconcile-slots.ts
+var reconcileSlotsRoute = new Hono();
+reconcileSlotsRoute.post("/", internalMiddleware, async (c) => {
+  await reconcileSlots(c.env);
+  return c.json({ ok: true });
+});
+async function batchRelease(env) {
+  const db = createDb(env.DB);
+  const cache = new CacheService(env.KV);
+  const now = Math.floor(Date.now() / 1e3);
+  const toPublish = await db.query.events.findMany({
+    where: and(eq(events.status, "queued"), lte(events.releaseAt, now)),
+    columns: { id: true, slug: true }
+  });
+  if (toPublish.length === 0) return;
+  const ids = toPublish.map((e) => e.id);
+  await db.update(events).set({ status: "published", publishedAt: sql`(unixepoch())` }).where(
+    // Drizzle doesn't have inArray for D1; use raw SQL for batch
+    sql`${events.id} IN (${sql.join(
+      ids.map((id) => sql`${id}`),
+      sql`, `
+    )})`
+  );
+  await cache.del("events:list");
+  await cache.del("events:etag");
+  console.log(
+    `[batch-release] Published ${toPublish.length} events:`,
+    toPublish.map((e) => e.slug).join(", ")
+  );
+}
+// src/routes/internal/batch-release.ts
+var batchReleaseRoute = new Hono();
+batchReleaseRoute.post("/", internalMiddleware, async (c) => {
+  await batchRelease(c.env);
+  return c.json({ ok: true });
+});
+function parseStartTimestamp(dateTime, startTime) {
+  if (!dateTime) return null;
+  const combined = startTime ? `${dateTime} ${startTime}` : dateTime;
+  const ms = Date.parse(combined);
+  return Number.isNaN(ms) ? null : Math.floor(ms / 1e3);
+}
+async function reminderEmails(env) {
+  if (!env.EMAIL_QUEUE) {
+    console.warn(
+      "[reminder-emails] EMAIL_QUEUE binding not configured, skipping."
+    );
+    return;
+  }
+  const hasSes = !!(env.SES_REGION && env.SES_ACCESS_KEY_ID && env.SES_SECRET_ACCESS_KEY);
+  const hasResend = !!env.RESEND_API_KEY;
+  if (!hasSes && !hasResend) {
+    console.warn(
+      "[reminder-emails] No email providers configured. Skipping reminders."
+    );
+    return;
+  }
+  const db = createDb(env.DB);
+  const now = Math.floor(Date.now() / 1e3);
+  const candidates24h = await db.query.events.findMany({
+    where: and(
+      eq(events.status, "published"),
+      eq(events.reminder24hSent, false)
+    ),
+    columns: {
+      id: true,
+      dateTime: true,
+      startTime: true
+    }
+  });
+  for (const event of candidates24h) {
+    const startsAt = parseStartTimestamp(event.dateTime, event.startTime);
+    if (!startsAt) continue;
+    const hoursUntil = (startsAt - now) / 3600;
+    if (hoursUntil <= 25 && hoursUntil >= 23) {
+      await env.EMAIL_QUEUE.send({
+        type: "send_reminder_email",
+        payload: { eventId: event.id, hoursBeforeEvent: 24 }
+      });
+    }
+  }
+  const candidates1h = await db.query.events.findMany({
+    where: and(
+      eq(events.status, "published"),
+      eq(events.reminder1hSent, false)
+    ),
+    columns: {
+      id: true,
+      dateTime: true,
+      startTime: true
+    }
   });
-  if (!event) {
-    console.warn(`[gforms-webhook] Unknown formId: ${formId}`);
-    return c.json({ ok: true });
+  for (const event of candidates1h) {
+    const startsAt = parseStartTimestamp(event.dateTime, event.startTime);
+    if (!startsAt) continue;
+    const hoursUntil = (startsAt - now) / 3600;
+    if (hoursUntil <= 1.5 && hoursUntil >= 0) {
+      await env.EMAIL_QUEUE.send({
+        type: "send_reminder_email",
+        payload: { eventId: event.id, hoursBeforeEvent: 1 }
+      });
+    }
   }
-  const slotsService = new SlotsService(db, cache);
-  const updated = await slotsService.increment(event.slug);
-  console.log(
-    `[gforms-webhook] Incremented "${event.slug}": ${updated?.registered}/${updated?.total}`
-  );
+}
+// src/routes/internal/reminder-emails.ts
+var reminderEmailsRoute = new Hono();
+reminderEmailsRoute.post("/", internalMiddleware, async (c) => {
+  await reminderEmails(c.env);
   return c.json({ ok: true });
 });
-async function verifyGoogSignature(body, signature, secret) {
-  try {
-    const key = await crypto.subtle.importKey(
-      "raw",
-      new TextEncoder().encode(secret),
-      { name: "HMAC", hash: "SHA-256" },
-      false,
-      ["verify"]
-    );
-    const sigHex = signature.replace(/^hmac-sha256=/, "");
-    const sigBytes = Uint8Array.from(
-      sigHex.match(/.{1,2}/g)?.map((b) => parseInt(b, 16)) ?? []
-    );
-    return crypto.subtle.verify(
-      "HMAC",
-      key,
-      sigBytes,
-      new TextEncoder().encode(body)
-    );
-  } catch {
-    return false;
+var RENEWAL_WINDOW = 86400;
+async function renewWatches(env) {
+  const db = createDb(env.DB);
+  const gforms = new GFormsService(env.GFORMS_SERVICE_ACCOUNT_JSON);
+  const now = Math.floor(Date.now() / 1e3);
+  const threshold = now + RENEWAL_WINDOW;
+  const expiring = await db.query.events.findMany({
+    where: and(
+      eq(events.status, "published"),
+      lte(events.watchExpiresAt, threshold)
+    ),
+    columns: { id: true, slug: true, gformsId: true, watchId: true, watchExpiresAt: true }
+  });
+  const watchEvents = expiring.filter((e) => e.gformsId && e.watchId);
+  let renewed = 0;
+  for (const event of watchEvents) {
+    try {
+      const result = await gforms.renewWatch(event.gformsId, event.watchId);
+      const newExpiry = Math.floor(new Date(result.expireTime).getTime() / 1e3);
+      await db.update(events).set({ watchExpiresAt: newExpiry }).where(eq(events.id, event.id));
+      renewed++;
+      console.log(`[renew-watches] Renewed Watch for "${event.slug}", expires ${result.expireTime}`);
+    } catch (err) {
+      console.error(`[renew-watches] Failed to renew Watch for "${event.slug}":`, err);
+    }
   }
+  console.log(`[renew-watches] Renewed ${renewed}/${watchEvents.length} watches.`);
 }
+// src/routes/internal/renew-watches.ts
+var renewWatchesRoute = new Hono();
+renewWatchesRoute.post("/", internalMiddleware, async (c) => {
+  await renewWatches(c.env);
+  return c.json({ ok: true });
+});
 var ALLOWED_MIME_TYPES = /* @__PURE__ */ new Set([
   "image/jpeg",
   "image/png",
@@ -1891,6 +2169,10 @@ function createApp(options = {}) {
   app2.route("/api/faqs", faqsRoute);
   app2.route("/api/uploads", uploadsRoute);
   app2.route("/internal/gforms-webhook", gformsWebhookRoute);
+  app2.route("/internal/reconcile-slots", reconcileSlotsRoute);
+  app2.route("/internal/batch-release", batchReleaseRoute);
+  app2.route("/internal/reminder-emails", reminderEmailsRoute);
+  app2.route("/internal/renew-watches", renewWatchesRoute);
   app2.onError(errorHandler);
   app2.notFound(
     (c) => c.json({ error: { code: "NOT_FOUND", message: "Route not found" } }, 404)
@@ -1996,6 +2278,7 @@ var SesError = class extends Error {
     this.status = status;
     this.name = "SesError";
   }
+  status;
   /**
    * True for errors that are permanent (not worth retrying via SES again).
    * 400 BadRequest, 403 Forbidden, 404 NotFound → non-retryable.
@@ -2320,168 +2603,6 @@ async function processJob(job, services) {
     }
   }
 }
-async function batchRelease(env) {
-  const db = createDb(env.DB);
-  const cache = new CacheService(env.KV);
-  const now = Math.floor(Date.now() / 1e3);
-  const toPublish = await db.query.events.findMany({
-    where: and(eq(events.status, "queued"), lte(events.releaseAt, now)),
-    columns: { id: true, slug: true }
-  });
-  if (toPublish.length === 0) return;
-  const ids = toPublish.map((e) => e.id);
-  await db.update(events).set({ status: "published", publishedAt: sql`(unixepoch())` }).where(
-    // Drizzle doesn't have inArray for D1; use raw SQL for batch
-    sql`${events.id} IN (${sql.join(
-      ids.map((id) => sql`${id}`),
-      sql`, `
-    )})`
-  );
-  await cache.del("events:list");
-  await cache.del("events:etag");
-  console.log(
-    `[batch-release] Published ${toPublish.length} events:`,
-    toPublish.map((e) => e.slug).join(", ")
-  );
-}
-var LOCK_KEY = "cron:reconcile-slots:lock";
-var LOCK_TTL = 300;
-async function reconcileSlots(env) {
-  const db = createDb(env.DB);
-  const cache = new CacheService(env.KV);
-  const gforms = new GFormsService(env.GFORMS_SERVICE_ACCOUNT_JSON);
-  const slots = new SlotsService(db, cache);
-  const lock = await cache.get(LOCK_KEY);
-  if (lock) {
-    console.log("[reconcile-slots] Lock held, skipping.");
-    return;
-  }
-  await cache.set(LOCK_KEY, "1", LOCK_TTL);
-  try {
-    const publishedEvents = await db.query.events.findMany({
-      where: eq(events.status, "published"),
-      columns: { id: true, slug: true, gformsId: true, registeredSlots: true }
-    });
-    const eventsWithForms = publishedEvents.filter((e) => e.gformsId);
-    let corrected = 0;
-    for (const event of eventsWithForms) {
-      try {
-        const googleCount = await gforms.getExactResponseCount(event.gformsId);
-        const localCount = event.registeredSlots;
-        if (googleCount !== localCount) {
-          console.warn(
-            `[reconcile-slots] Drift on "${event.slug}": local=${localCount}, google=${googleCount}`
-          );
-          await slots.correctCount(event.slug, googleCount);
-          corrected++;
-        }
-      } catch (err) {
-        console.error(`[reconcile-slots] Error checking "${event.slug}":`, err);
-      }
-    }
-    console.log(
-      `[reconcile-slots] Checked ${eventsWithForms.length} events, corrected ${corrected}.`
-    );
-  } finally {
-    await cache.del(LOCK_KEY);
-  }
-}
-function parseStartTimestamp(dateTime, startTime) {
-  if (!dateTime) return null;
-  const combined = startTime ? `${dateTime} ${startTime}` : dateTime;
-  const ms = Date.parse(combined);
-  return Number.isNaN(ms) ? null : Math.floor(ms / 1e3);
-}
-async function reminderEmails(env) {
-  if (!env.EMAIL_QUEUE) {
-    console.warn(
-      "[reminder-emails] EMAIL_QUEUE binding not configured, skipping."
-    );
-    return;
-  }
-  const hasSes = !!(env.SES_REGION && env.SES_ACCESS_KEY_ID && env.SES_SECRET_ACCESS_KEY);
-  const hasResend = !!env.RESEND_API_KEY;
-  if (!hasSes && !hasResend) {
-    console.warn(
-      "[reminder-emails] No email providers configured. Skipping reminders."
-    );
-    return;
-  }
-  const db = createDb(env.DB);
-  const now = Math.floor(Date.now() / 1e3);
-  const candidates24h = await db.query.events.findMany({
-    where: and(
-      eq(events.status, "published"),
-      eq(events.reminder24hSent, false)
-    ),
-    columns: {
-      id: true,
-      dateTime: true,
-      startTime: true
-    }
-  });
-  for (const event of candidates24h) {
-    const startsAt = parseStartTimestamp(event.dateTime, event.startTime);
-    if (!startsAt) continue;
-    const hoursUntil = (startsAt - now) / 3600;
-    if (hoursUntil <= 25 && hoursUntil >= 23) {
-      await env.EMAIL_QUEUE.send({
-        type: "send_reminder_email",
-        payload: { eventId: event.id, hoursBeforeEvent: 24 }
-      });
-    }
-  }
-  const candidates1h = await db.query.events.findMany({
-    where: and(
-      eq(events.status, "published"),
-      eq(events.reminder1hSent, false)
-    ),
-    columns: {
-      id: true,
-      dateTime: true,
-      startTime: true
-    }
-  });
-  for (const event of candidates1h) {
-    const startsAt = parseStartTimestamp(event.dateTime, event.startTime);
-    if (!startsAt) continue;
-    const hoursUntil = (startsAt - now) / 3600;
-    if (hoursUntil <= 1.5 && hoursUntil >= 0) {
-      await env.EMAIL_QUEUE.send({
-        type: "send_reminder_email",
-        payload: { eventId: event.id, hoursBeforeEvent: 1 }
-      });
-    }
-  }
-}
-var RENEWAL_WINDOW = 86400;
-async function renewWatches(env) {
-  const db = createDb(env.DB);
-  const gforms = new GFormsService(env.GFORMS_SERVICE_ACCOUNT_JSON);
-  const now = Math.floor(Date.now() / 1e3);
-  const threshold = now + RENEWAL_WINDOW;
-  const expiring = await db.query.events.findMany({
-    where: and(
-      eq(events.status, "published"),
-      lte(events.watchExpiresAt, threshold)
-    ),
-    columns: { id: true, slug: true, gformsId: true, watchId: true, watchExpiresAt: true }
-  });
-  const watchEvents = expiring.filter((e) => e.gformsId && e.watchId);
-  let renewed = 0;
-  for (const event of watchEvents) {
-    try {
-      const result = await gforms.renewWatch(event.gformsId, event.watchId);
-      const newExpiry = Math.floor(new Date(result.expireTime).getTime() / 1e3);
-      await db.update(events).set({ watchExpiresAt: newExpiry }).where(eq(events.id, event.id));
-      renewed++;
-      console.log(`[renew-watches] Renewed Watch for "${event.slug}", expires ${result.expireTime}`);
-    } catch (err) {
-      console.error(`[renew-watches] Failed to renew Watch for "${event.slug}":`, err);
-    }
-  }
-  console.log(`[renew-watches] Renewed ${renewed}/${watchEvents.length} watches.`);
-}
 // src/db/migrate.ts
 var PATCH_STATEMENTS = [