@actuate-media/cms-core 0.10.4 → 0.11.0

package/dist/api/handlers.js

@@ -4,7 +4,8 @@ import { createSession, verifySession, revokeSession } from '../auth/session.js'
 import { createPasswordReset, executePasswordReset } from '../auth/reset.js';
 import { checkSetupRequired, createInitialAdmin } from '../setup/index.js';
 import { getDB } from '../db.js';
-import { generateCodeVerifier, generateCodeChallenge, generateState, getAuthorizationUrl, handleOAuthCallback, } from '../auth/oauth.js';
+import { generateCodeVerifier, generateCodeChallenge, generateState, generateOAuthNonce, getAuthorizationUrl, handleOAuthCallback, } from '../auth/oauth.js';
+import { createMfaPendingToken, verifyMfaPendingToken, computeRequestFingerprint, } from '../auth/mfa-pending.js';
 import { optimizeImage, formatBytes } from '../media/optimize.js';
 import { generateToken as generateCsrfToken } from '../security/csrf.js';
 import { logEvent } from '../security/audit.js';
@@ -15,12 +16,20 @@ import { verifyCaptcha, getCaptchaConfig } from '../security/captcha.js';
 import { checkForUpdates } from '../upgrade/version-check.js';
 import { createUpgradePR } from '../upgrade/upgrade-pr.js';
 import { encryptField, decryptField } from '../security/encrypted-fields.js';
+import { encryptSecret, decryptSecret, encryptStringArray } from '../security/secret-storage.js';
 import { createRateLimiter } from '../security/rate-limit.js';
 import { generateOpenAPISpec } from './openapi.js';
 import { createSSEPresenceAdapter } from '../presence/index.js';
 import { BUILT_IN_TEMPLATES } from '../page-builder/templates.js';
 import { validateTree } from '../page-builder/validate.js';
 import { auditAccessibility, fixAccessibility } from '../page-builder/a11y-fix.js';
+import { getClientIp, isResolvedIp } from '../security/client-ip.js';
+import { safeFetch, SsrfBlockedError } from '../security/safe-fetch.js';
+import { redactSecrets } from '../security/redact.js';
+import { enforceSessionLimits } from '../security/session-limits.js';
+import { verifyReauth } from '../security/reauth.js';
+import { validateMimeType, checkMagicBytes } from '../security/upload.js';
+import { sanitizeHtml } from '../security/sanitize.js';
 // Opaque dynamic import so Turbopack/webpack won't statically analyze the specifier.
 // Returns { put, del, ... } from @vercel/blob when available.
 async function importBlobStorage() {
@@ -302,6 +311,36 @@ export function parseCookieHeader(cookieHeader) {
     }
     return cookies;
 }
+/**
+ * Verify a password (or "current password") posted in the X-Reauth-Password
+ * header against the authenticated user. Returns an error Response when the
+ * header is missing or the password is wrong; returns null on success.
+ *
+ * Use this for high-impact account changes (TOTP enable/disable, role change,
+ * delete user, etc.) so a stolen session alone cannot perform them.
+ */
+async function requirePasswordReauth(request, userId) {
+    const password = request.headers.get('x-reauth-password');
+    if (!password) {
+        return new Response(JSON.stringify({
+            error: 'Re-authentication required for this action.',
+            code: 'REAUTH_REQUIRED',
+            method: 'password',
+        }), { status: 401, headers: { ...SECURITY_HEADERS } });
+    }
+    try {
+        const { getDB } = await import('../db.js');
+        const ok = await verifyReauth(userId, password, 'password', getDB());
+        if (!ok) {
+            return errorResponse('Re-authentication failed.', 401);
+        }
+        return null;
+    }
+    catch (err) {
+        console.error('[actuate][reauth] verify failed:', err instanceof Error ? err.message : err);
+        return errorResponse('Re-authentication failed.', 401);
+    }
+}
 async function requireAuth(request) {
     if (isSecretMissing()) {
         return {
@@ -334,11 +373,49 @@ function requireRole(role, allowedRoles) {
     return null;
 }
 const loginLimiter = createRateLimiter({ maxRequests: 5, windowMs: 15 * 60 * 1000 });
+const totpLimiter = createRateLimiter({ maxRequests: 10, windowMs: 15 * 60 * 1000 });
 const formLimiterGlobal = createRateLimiter({ maxRequests: 10, windowMs: 60_000 });
+const aiGenerateLimiter = createRateLimiter({ maxRequests: 20, windowMs: 60 * 60 * 1000 });
+const linkHealthLimiter = createRateLimiter({ maxRequests: 4, windowMs: 60 * 60 * 1000 });
 async function checkRateLimitAsync(limiter, key) {
     const result = await limiter.check(key);
     return result.allowed;
 }
+/**
+ * Resolve the client IP from trusted-proxy headers (Vercel first, then x-real-ip,
+ * then x-forwarded-for only when ACTUATE_TRUST_PROXY=1). Returns 'unknown' when
+ * no trustworthy source is available — callers MUST treat that case as a hard
+ * failure for security-sensitive decisions like rate-limit keys and IP allowlists.
+ */
+function clientIp(request) {
+    return getClientIp(request);
+}
+const MAX_CONCURRENT_SESSIONS = 5;
+/**
+ * After a successful primary-credential check, prune the user's active sessions
+ * down to the configured concurrent maximum (default 5; configurable via
+ * `auth.maxConcurrentSessions`). Strategy is "revoke oldest" so a user can
+ * always sign in.
+ */
+async function enforceSessionLimitsForUser(d, userId) {
+    if (!hasModel(d, 'session'))
+        return;
+    const config = globalThis.__actuateConfig?.auth ?? {};
+    const max = typeof config.maxConcurrentSessions === 'number' && config.maxConcurrentSessions > 0
+        ? config.maxConcurrentSessions
+        : MAX_CONCURRENT_SESSIONS;
+    const active = await d.session.findMany({
+        where: { userId, revokedAt: null, expiresAt: { gt: new Date() } },
+        select: { id: true, createdAt: true },
+    });
+    const decision = enforceSessionLimits(active.map((s) => ({ sessionId: s.id, userId, createdAt: s.createdAt })), { maxConcurrentSessions: max, strategy: 'revoke_oldest' });
+    if (decision.sessionsToRevoke.length > 0) {
+        await d.session.updateMany({
+            where: { id: { in: decision.sessionsToRevoke } },
+            data: { revokedAt: new Date() },
+        });
+    }
+}
 function getAdminPath() {
     return process.env.ACTUATE_ADMIN_PATH
         ?? globalThis.__actuateConfig?.admin?.path
@@ -451,13 +528,18 @@ export function registerCMSRoutes(router) {
             if (!email || !password) {
                 return errorResponse('Email and password are required', 400);
             }
-            const clientIp = request.headers.get('x-forwarded-for')?.split(',')[0]?.trim() ?? 'unknown';
-            if (!(await checkRateLimitAsync(loginLimiter, `login:${clientIp}`))) {
+            const ip = clientIp(request);
+            const userAgent = request.headers.get('user-agent');
+            // Bucket by IP when we have a trustworthy one; otherwise fall back to a
+            // global bucket. We deliberately avoid keying on the email alone — that
+            // would let attackers lock out legitimate users by spamming logins.
+            const rateLimitKey = isResolvedIp(ip) ? `login:${ip}` : 'login:unknown';
+            if (!(await checkRateLimitAsync(loginLimiter, rateLimitKey))) {
                 return errorResponse('Too many login attempts. Please try again later.', 429);
             }
             const captchaConfig = getCaptchaConfig();
             if (captchaConfig.provider !== 'none') {
-                const captchaResult = await verifyCaptcha(body.captchaToken ?? '', captchaConfig, clientIp);
+                const captchaResult = await verifyCaptcha(body.captchaToken ?? '', captchaConfig, ip);
                 if (!captchaResult.success) {
                     return errorResponse('CAPTCHA verification failed. Please try again.', 403);
                 }
@@ -479,8 +561,8 @@ export function registerCMSRoutes(router) {
                 await logEvent({
                     event: 'login_failed',
                     userId: user.id,
-                    ipAddress: request.headers.get('x-forwarded-for')?.split(',')[0]?.trim() ?? undefined,
-                    userAgent: request.headers.get('user-agent') ?? undefined,
+                    ipAddress: isResolvedIp(ip) ? ip : undefined,
+                    userAgent: userAgent ?? undefined,
                 });
                 return errorResponse('Invalid email or password', 401);
             }
@@ -488,8 +570,14 @@ export function registerCMSRoutes(router) {
                 return errorResponse('Account is deactivated', 403);
             }
             if (user.totpEnabled) {
-                return json({ data: { requiresTOTP: true, userId: user.id } });
+                // Hand back an opaque short-lived token instead of the raw userId.
+                // The /auth/totp/login endpoint will verify both this token and a
+                // stable browser fingerprint before checking the TOTP code.
+                const fingerprint = await computeRequestFingerprint(ip, userAgent);
+                const mfaPendingToken = await createMfaPendingToken({ userId: user.id, fingerprint }, getSessionSecret());
+                return json({ data: { requiresTOTP: true, mfaPendingToken } });
             }
+            await enforceSessionLimitsForUser(d, user.id);
             const tempSessionId = crypto.randomUUID();
             const token = await createSession({ userId: user.id, role: user.role, sessionId: tempSessionId }, { secret: getSessionSecret() });
             await db().session.create({
@@ -498,8 +586,8 @@ export function registerCMSRoutes(router) {
                     userId: user.id,
                     token,
                     expiresAt: new Date(Date.now() + 7 * 24 * 60 * 60 * 1000),
-                    ipAddress: request.headers.get('x-forwarded-for')?.split(',')[0]?.trim() ?? null,
-                    userAgent: request.headers.get('user-agent') ?? null,
+                    ipAddress: isResolvedIp(ip) ? ip : null,
+                    userAgent: userAgent ?? null,
                 },
             });
             const response = json({
@@ -532,8 +620,8 @@ export function registerCMSRoutes(router) {
             await logEvent({
                 event: 'login_success',
                 userId: user.id,
-                ipAddress: request.headers.get('x-forwarded-for')?.split(',')[0]?.trim() ?? undefined,
-                userAgent: request.headers.get('user-agent') ?? undefined,
+                ipAddress: isResolvedIp(ip) ? ip : undefined,
+                userAgent: userAgent ?? undefined,
             });
             return response;
         }
@@ -547,10 +635,11 @@ export function registerCMSRoutes(router) {
             if (auth.error)
                 return auth.error;
             await revokeSession(auth.session.sessionId, db());
+            const ip = clientIp(request);
             await logEvent({
                 event: 'logout',
                 userId: auth.session.userId,
-                ipAddress: request.headers.get('x-forwarded-for')?.split(',')[0]?.trim() ?? undefined,
+                ipAddress: isResolvedIp(ip) ? ip : undefined,
             });
             const response = json({ data: { success: true } });
             response.headers.set('Set-Cookie', 'actuate_session=; Path=/; HttpOnly; SameSite=Lax; Max-Age=0');
@@ -567,8 +656,9 @@ export function registerCMSRoutes(router) {
             if (!email) {
                 return errorResponse('Email is required', 400);
             }
-            const clientIp = request.headers.get('x-forwarded-for')?.split(',')[0]?.trim() ?? 'unknown';
-            if (!(await checkRateLimitAsync(loginLimiter, `forgot:${clientIp}`))) {
+            const ip = clientIp(request);
+            const rateLimitKey = isResolvedIp(ip) ? `forgot:${ip}` : 'forgot:unknown';
+            if (!(await checkRateLimitAsync(loginLimiter, rateLimitKey))) {
                 return errorResponse('Too many requests. Please try again later.', 429);
             }
             const d = db();
@@ -582,7 +672,7 @@ export function registerCMSRoutes(router) {
             });
             await logEvent({
                 event: 'password_reset_request',
-                ipAddress: clientIp,
+                ipAddress: isResolvedIp(ip) ? ip : undefined,
                 userAgent: request.headers.get('user-agent') ?? undefined,
                 details: { email: email.toLowerCase().trim() },
             });
@@ -602,8 +692,9 @@ export function registerCMSRoutes(router) {
             if (password.length < 8) {
                 return errorResponse('Password must be at least 8 characters', 400);
             }
-            const clientIp = request.headers.get('x-forwarded-for')?.split(',')[0]?.trim() ?? 'unknown';
-            if (!(await checkRateLimitAsync(loginLimiter, `reset:${clientIp}`))) {
+            const ip = clientIp(request);
+            const rateLimitKey = isResolvedIp(ip) ? `reset:${ip}` : 'reset:unknown';
+            if (!(await checkRateLimitAsync(loginLimiter, rateLimitKey))) {
                 return errorResponse('Too many requests. Please try again later.', 429);
             }
             const d = db();
@@ -615,7 +706,7 @@ export function registerCMSRoutes(router) {
             }
             await logEvent({
                 event: 'password_reset_complete',
-                ipAddress: clientIp,
+                ipAddress: isResolvedIp(ip) ? ip : undefined,
                 userAgent: request.headers.get('user-agent') ?? undefined,
             });
             return json({ data: { success: true } });
@@ -636,7 +727,24 @@ export function registerCMSRoutes(router) {
             if (!user) {
                 return errorResponse('User not found', 404);
             }
-            return json({ data: user });
+            const response = json({ data: user });
+            // Bootstrap (or refresh) the double-submit CSRF cookie. Without this
+            // the admin app's first non-GET after a hard reload races to populate
+            // it; some users hit "Invalid CSRF token" on the very first save.
+            const cookies = parseCookieHeader(request.headers.get('cookie') ?? '');
+            if (!cookies['actuate_csrf']) {
+                const csrfToken = await generateCsrfToken();
+                const isProduction = process.env.NODE_ENV === 'production';
+                const csrfCookie = [
+                    `actuate_csrf=${csrfToken}`,
+                    'Path=/',
+                    'SameSite=Lax',
+                    'Max-Age=86400',
+                    ...(isProduction ? ['Secure'] : []),
+                ].join('; ');
+                response.headers.append('Set-Cookie', csrfCookie);
+            }
+            return response;
         }
         catch (err) {
             return internalError(err, 'auth/me');
@@ -650,6 +758,11 @@ export function registerCMSRoutes(router) {
             const auth = await requireAuth(request);
             if (auth.error)
                 return auth.error;
+            // Sensitive operation — require recent password reauth so a stolen
+            // session can't silently rotate someone's TOTP secret.
+            const reauthErr = await requirePasswordReauth(request, auth.session.userId);
+            if (reauthErr)
+                return reauthErr;
             const { generateTOTPSecret, generateTOTPUri, generateBackupCodes } = await import('../auth/totp.js');
             const user = await db().user.findUnique({ where: { id: auth.session.userId }, select: { email: true, totpEnabled: true } });
             if (!user)
@@ -659,7 +772,14 @@ export function registerCMSRoutes(router) {
             const secret = generateTOTPSecret();
             const uri = generateTOTPUri(secret, user.email);
             const backups = generateBackupCodes();
-            await db().user.update({ where: { id: auth.session.userId }, data: { totpSecret: secret, backupCodes: backups } });
+            // Persist encrypted; the plaintext is only returned to the user once
+            // (so they can scan the QR / save backup codes).
+            const encryptedSecret = await encryptSecret(secret);
+            const encryptedBackups = await encryptStringArray(backups);
+            await db().user.update({
+                where: { id: auth.session.userId },
+                data: { totpSecret: encryptedSecret, backupCodes: encryptedBackups },
+            });
             return json({ data: { secret, uri, backupCodes: backups } });
         }
         catch (err) {
@@ -678,10 +798,12 @@ export function registerCMSRoutes(router) {
             const user = await db().user.findUnique({ where: { id: auth.session.userId }, select: { totpSecret: true } });
             if (!user?.totpSecret)
                 return errorResponse('TOTP not set up', 400);
-            const valid = verifyTOTP(body.code, user.totpSecret);
+            const secret = await decryptSecret(user.totpSecret);
+            const valid = verifyTOTP(body.code, secret);
             if (!valid)
                 return errorResponse('Invalid code', 400);
             await db().user.update({ where: { id: auth.session.userId }, data: { totpEnabled: true } });
+            await logEvent({ event: 'totp_enabled', userId: auth.session.userId });
             return json({ data: { enabled: true } });
         }
         catch (err) {
@@ -693,7 +815,28 @@ export function registerCMSRoutes(router) {
             const auth = await requireAuth(request);
             if (auth.error)
                 return auth.error;
-            await db().user.update({ where: { id: auth.session.userId }, data: { totpEnabled: false, totpSecret: null, backupCodes: null } });
+            // Disabling MFA is a high-impact security change. Require recent password
+            // reauth and revoke every other session so a compromised cookie loses
+            // access immediately after MFA goes away.
+            const reauthErr = await requirePasswordReauth(request, auth.session.userId);
+            if (reauthErr)
+                return reauthErr;
+            const d = db();
+            await d.user.update({
+                where: { id: auth.session.userId },
+                data: { totpEnabled: false, totpSecret: null, backupCodes: null },
+            });
+            if (hasModel(d, 'session')) {
+                await d.session.updateMany({
+                    where: {
+                        userId: auth.session.userId,
+                        id: { not: auth.session.sessionId },
+                        revokedAt: null,
+                    },
+                    data: { revokedAt: new Date() },
+                });
+            }
+            await logEvent({ event: 'totp_disabled', userId: auth.session.userId });
             return json({ data: { enabled: false } });
         }
         catch (err) {
@@ -703,21 +846,107 @@ export function registerCMSRoutes(router) {
     router.post('/auth/totp/login', async (request) => {
         try {
             const body = await request.json();
-            if (!body.userId || !body.code)
-                return errorResponse('userId and code are required', 400);
+            if (!body.mfaPendingToken || !body.code) {
+                return errorResponse('mfaPendingToken and code are required', 400);
+            }
+            const ip = clientIp(request);
+            const userAgent = request.headers.get('user-agent');
+            // Per-IP and per-token rate limits. The per-token limit is the actual
+            // brute-force defence: even with IP rotation, an attacker has to obtain
+            // a fresh mfaPendingToken (which requires the password) for every
+            // window. The per-IP limit guards the IP-aware case and limits log noise.
+            const ipBucket = isResolvedIp(ip) ? `totp-ip:${ip}` : 'totp-ip:unknown';
+            if (!(await checkRateLimitAsync(totpLimiter, ipBucket))) {
+                return errorResponse('Too many TOTP attempts. Please try again later.', 429);
+            }
+            let pending;
+            try {
+                pending = await verifyMfaPendingToken(body.mfaPendingToken, getSessionSecret());
+            }
+            catch {
+                return errorResponse('Session expired. Please sign in again.', 401);
+            }
+            // Validate the request comes from the same browser that completed the
+            // password step. This frustrates attempts to ship a captured pending
+            // token to a different host.
+            const fingerprint = await computeRequestFingerprint(ip, userAgent);
+            if (fingerprint !== pending.fingerprint) {
+                return errorResponse('Session fingerprint mismatch. Please sign in again.', 401);
+            }
+            // Per-userId bucket is what actually caps brute-force. With the default
+            // 10 attempts / 15 min, an attacker would need ~190 years to cover the
+            // 1M code space even with unbounded IPs.
+            const userBucket = `totp-user:${pending.userId}`;
+            if (!(await checkRateLimitAsync(totpLimiter, userBucket))) {
+                return errorResponse('Too many TOTP attempts. Please try again later.', 429);
+            }
             const { verifyTOTP } = await import('../auth/totp.js');
-            const user = await db().user.findUnique({ where: { id: body.userId }, select: { id: true, email: true, role: true, totpSecret: true, totpEnabled: true, isActive: true } });
-            if (!user || !user.isActive || !user.totpEnabled || !user.totpSecret)
+            const user = await db().user.findUnique({
+                where: { id: pending.userId },
+                select: { id: true, email: true, name: true, role: true, totpSecret: true, totpEnabled: true, isActive: true },
+            });
+            if (!user || !user.isActive || !user.totpEnabled || !user.totpSecret) {
                 return errorResponse('Invalid request', 400);
-            const valid = verifyTOTP(body.code, user.totpSecret);
-            if (!valid)
+            }
+            const decryptedSecret = await decryptSecret(user.totpSecret);
+            const valid = verifyTOTP(body.code, decryptedSecret);
+            if (!valid) {
+                await logEvent({
+                    event: 'login_failed',
+                    userId: user.id,
+                    ipAddress: isResolvedIp(ip) ? ip : undefined,
+                    userAgent: userAgent ?? undefined,
+                    details: { reason: 'totp_invalid' },
+                });
                 return errorResponse('Invalid code', 401);
+            }
+            const d = db();
+            await enforceSessionLimitsForUser(d, user.id);
             const tempSessionId = crypto.randomUUID();
             const token = await createSession({ userId: user.id, role: user.role, sessionId: tempSessionId }, { secret: getSessionSecret() });
-            await db().session.create({ data: { id: tempSessionId, userId: user.id, token, expiresAt: new Date(Date.now() + 7 * 24 * 60 * 60 * 1000) } });
+            await d.session.create({
+                data: {
+                    id: tempSessionId,
+                    userId: user.id,
+                    token,
+                    expiresAt: new Date(Date.now() + 7 * 24 * 60 * 60 * 1000),
+                    ipAddress: isResolvedIp(ip) ? ip : null,
+                    userAgent: userAgent ?? null,
+                },
+            });
+            await logEvent({
+                event: 'login_success',
+                userId: user.id,
+                ipAddress: isResolvedIp(ip) ? ip : undefined,
+                userAgent: userAgent ?? undefined,
+                details: { mfa: 'totp' },
+            });
             const isProduction = process.env.NODE_ENV === 'production';
-            const sessionCookie = [`actuate_session=${token}`, 'Path=/', 'HttpOnly', 'SameSite=Lax', `Max-Age=${7 * 24 * 3600}`, ...(isProduction ? ['Secure'] : [])].join('; ');
-            return new Response(JSON.stringify({ data: { token, user: { id: user.id, email: user.email, role: user.role } } }), { status: 200, headers: { ...SECURITY_HEADERS, 'Set-Cookie': sessionCookie } });
+            const sessionCookie = [
+                `actuate_session=${token}`,
+                'Path=/',
+                'HttpOnly',
+                'SameSite=Lax',
+                `Max-Age=${7 * 24 * 3600}`,
+                ...(isProduction ? ['Secure'] : []),
+            ].join('; ');
+            const csrfToken = await generateCsrfToken();
+            const csrfCookie = [
+                `actuate_csrf=${csrfToken}`,
+                'Path=/',
+                'SameSite=Lax',
+                'Max-Age=86400',
+                ...(isProduction ? ['Secure'] : []),
+            ].join('; ');
+            const response = new Response(JSON.stringify({
+                data: {
+                    token,
+                    user: { id: user.id, email: user.email, name: user.name, role: user.role },
+                },
+            }), { status: 200, headers: { ...SECURITY_HEADERS } });
+            response.headers.append('Set-Cookie', sessionCookie);
+            response.headers.append('Set-Cookie', csrfCookie);
+            return response;
         }
         catch (err) {
             return internalError(err);
@@ -748,9 +977,25 @@ export function registerCMSRoutes(router) {
             };
             const codeVerifier = generateCodeVerifier();
             const codeChallenge = await generateCodeChallenge(codeVerifier);
-            const state = await generateState(provider, codeVerifier, getAdminPath(), secret);
+            // Generate a one-time nonce, embed it in the signed state, and also set
+            // it on a host-only cookie. The callback will require both to match —
+            // this binds the OAuth flow to the browser that started it and prevents
+            // an attacker from delivering a state token to a victim's browser.
+            const nonce = generateOAuthNonce();
+            const state = await generateState(provider, codeVerifier, getAdminPath(), secret, nonce);
             const url = getAuthorizationUrl(provider, oauthProviders[provider], state, codeChallenge);
-            return json({ data: { url } });
+            const isProduction = process.env.NODE_ENV === 'production';
+            const nonceCookie = [
+                `actuate_oauth_nonce=${nonce}`,
+                'Path=/',
+                'HttpOnly',
+                'SameSite=Lax',
+                'Max-Age=600',
+                ...(isProduction ? ['Secure'] : []),
+            ].join('; ');
+            const response = json({ data: { url } });
+            response.headers.append('Set-Cookie', nonceCookie);
+            return response;
         }
         catch (err) {
             return internalError(err);
@@ -785,31 +1030,39 @@ export function registerCMSRoutes(router) {
                 clientSecret: process.env[`OAUTH_${envPrefix}_CLIENT_SECRET`] ?? '',
                 redirectUri: `${siteUrl}/api/cms/auth/oauth/${provider}/callback`,
             };
-            const result = await handleOAuthCallback(provider, code, stateToken, oauthProviders, secret, db());
-            const cookieFlags = [
+            const cookies = parseCookieHeader(request.headers.get('cookie') ?? '');
+            const expectedNonce = cookies['actuate_oauth_nonce'] ?? null;
+            const cmsConfig = globalThis.__actuateConfig;
+            const allowSelfSignup = cmsConfig?.auth?.oauth?.allowSelfSignup === true;
+            const result = await handleOAuthCallback(provider, code, stateToken, oauthProviders, secret, db(), { expectedNonce, allowSelfSignup });
+            const isProduction = process.env.NODE_ENV === 'production';
+            const sessionCookieFlags = [
                 `actuate_session=${result.token}`,
                 'Path=/',
                 'HttpOnly',
                 'SameSite=Lax',
                 'Max-Age=604800',
             ];
-            if (siteUrl.startsWith('https')) {
-                cookieFlags.push('Secure');
+            if (siteUrl.startsWith('https') || isProduction) {
+                sessionCookieFlags.push('Secure');
             }
-            return new Response(null, {
+            const response = new Response(null, {
                 status: 302,
-                headers: {
-                    Location: getAdminPath(),
-                    'Set-Cookie': cookieFlags.join('; '),
-                },
+                headers: { Location: getAdminPath() },
             });
+            response.headers.append('Set-Cookie', sessionCookieFlags.join('; '));
+            // Clear the one-time nonce cookie regardless of outcome.
+            response.headers.append('Set-Cookie', 'actuate_oauth_nonce=; Path=/; HttpOnly; SameSite=Lax; Max-Age=0');
+            return response;
         }
         catch (err) {
             const message = err instanceof Error ? err.message : 'OAuth callback failed';
-            return new Response(null, {
+            const response = new Response(null, {
                 status: 302,
                 headers: { Location: `${getAdminPath()}?error=${encodeURIComponent(message)}` },
             });
+            response.headers.append('Set-Cookie', 'actuate_oauth_nonce=; Path=/; HttpOnly; SameSite=Lax; Max-Age=0');
+            return response;
         }
     });
     // ---------------------------------------------------------------------------
@@ -862,17 +1115,10 @@ export function registerCMSRoutes(router) {
             if (!doc) {
                 return errorResponse('Document not found', 404);
             }
-            const collectionConfig = globalThis.__actuateConfig?.collections?.[params.slug];
-            const fields = collectionConfig?.fields;
-            if (fields && doc.data && typeof doc.data === 'object') {
-                const user = { id: auth.session.userId, role: auth.session.role };
-                return json({
-                    data: {
-                        ...doc,
-                        data: await applyFieldAccess('read', fields, doc.data, user),
-                    },
-                });
-            }
+            // `getDocument` already lifts `_layout` / `_pageSettings` to the
+            // top-level page builder envelope and strips internal keys from
+            // `data`. Field-level access has been applied as well — we don't
+            // need to re-apply it here.
             return json({ data: doc });
         }
         catch (err) {
@@ -984,6 +1230,12 @@ export function registerCMSRoutes(router) {
             return internalError(err);
         }
     });
+    // The /media/presign endpoint returns advisory upload metadata; the actual
+    // upload still goes through /media/upload (which performs validation).
+    // Returning a presigned URL pointing at our own non-presigned endpoint was
+    // misleading, so we deprecated this in favour of just using /media/upload
+    // directly. We keep the route for backward compatibility but it now just
+    // returns a hint to use the upload endpoint.
     router.post('/media/presign', async (request) => {
         try {
             const auth = await requireAuth(request);
@@ -993,12 +1245,13 @@ export function registerCMSRoutes(router) {
             if (!body.filename || !body.contentType) {
                 return errorResponse('filename and contentType are required', 400);
             }
-            const storageKey = `actuate/media/${Date.now()}-${body.filename.replace(/[^a-zA-Z0-9._-]/g, '_')}`;
             return json({
                 data: {
-                    storageKey,
-                    uploadUrl: `/api/cms/media/upload`,
-                    fields: { storageKey, contentType: body.contentType },
+                    uploadUrl: '/api/cms/media/upload',
+                    method: 'POST',
+                    field: 'file',
+                    deprecated: true,
+                    message: 'Direct multipart upload to /media/upload is preferred; this endpoint will be removed in a future release.',
                 },
             });
         }
@@ -1007,6 +1260,26 @@ export function registerCMSRoutes(router) {
         }
     });
     const MAX_UPLOAD_BYTES = 50 * 1024 * 1024; // 50 MB
+    /**
+     * Allowlist of accepted upload mime types. Storing a file outside this set
+     * would let an attacker upload e.g. `.html`/`.js` and serve it from the same
+     * origin as the admin (cookie-leaking XSS), or `.svg` with embedded
+     * `<script>` (also XSS). Add to this list deliberately.
+     */
+    const ALLOWED_UPLOAD_MIME_TYPES = [
+        'image/jpeg',
+        'image/png',
+        'image/gif',
+        'image/webp',
+        'image/avif',
+        'image/svg+xml',
+        'application/pdf',
+        'video/mp4',
+        'video/webm',
+        'audio/mpeg',
+        'audio/ogg',
+        'audio/wav',
+    ];
     router.post('/media/upload', async (request) => {
         try {
             const auth = await requireAuth(request);
@@ -1028,7 +1301,21 @@ export function registerCMSRoutes(router) {
             if (originalSize > 50 * 1024 * 1024) {
                 return errorResponse('File exceeds maximum size of 50MB', 413);
             }
+            // 1. Block file types that aren't on our allowlist outright.
+            if (!validateMimeType(contentType, ALLOWED_UPLOAD_MIME_TYPES)) {
+                return errorResponse(`Unsupported file type "${contentType || 'unknown'}". Allowed types: ${ALLOWED_UPLOAD_MIME_TYPES.join(', ')}`, 415);
+            }
             const arrayBuffer = await file.arrayBuffer();
+            // 2. Verify the file's actual bytes match the claimed mime type. Without
+            // this, an attacker can upload a `.exe` with `Content-Type: image/png`
+            // and have it served from our origin.
+            const magicCheck = checkMagicBytes(arrayBuffer, contentType);
+            if (!magicCheck.valid) {
+                return errorResponse(`File contents do not match declared type "${contentType}".`, 415);
+            }
+            // 3. SVGs need an extra pass — even when the mime type is correct, the
+            // XML body can contain `<script>` or event-handler attributes that
+            // execute when an admin previews the file. Sanitize before storing.
             let uploadBuffer;
             let finalFilename = originalFilename;
             let finalMimeType = contentType;
@@ -1037,7 +1324,17 @@ export function registerCMSRoutes(router) {
             let height = null;
             let blurHash = null;
             let savings = 0;
-            if (!skipOptimize && contentType.startsWith('image/')) {
+            if (contentType === 'image/svg+xml') {
+                // Strip <script>, on*, javascript: URLs, foreignObject, etc.
+                const xml = new TextDecoder('utf-8', { fatal: false }).decode(arrayBuffer);
+                const sanitized = sanitizeHtml(xml, {
+                    allowedTags: ['svg', 'g', 'path', 'circle', 'ellipse', 'line', 'polygon', 'polyline', 'rect', 'text', 'tspan', 'defs', 'use', 'symbol', 'title', 'desc', 'style', 'linearGradient', 'radialGradient', 'stop', 'mask', 'clipPath', 'pattern', 'filter', 'feGaussianBlur', 'feColorMatrix', 'feOffset', 'feBlend', 'feFlood', 'feComposite', 'feMerge', 'feMergeNode'],
+                    allowedAttributes: { '*': ['id', 'class', 'fill', 'stroke', 'stroke-width', 'stroke-linecap', 'stroke-linejoin', 'opacity', 'transform', 'd', 'cx', 'cy', 'r', 'rx', 'ry', 'x', 'y', 'x1', 'y1', 'x2', 'y2', 'width', 'height', 'viewBox', 'xmlns', 'xmlns:xlink', 'preserveAspectRatio', 'points', 'points', 'offset', 'stop-color', 'stop-opacity', 'gradientUnits', 'gradientTransform', 'href', 'xlink:href', 'fill-rule', 'clip-rule', 'mask', 'clip-path', 'filter', 'patternUnits', 'patternContentUnits', 'in', 'in2', 'result', 'mode', 'values', 'type', 'stdDeviation', 'dx', 'dy'] },
+                });
+                uploadBuffer = Buffer.from(sanitized, 'utf-8');
+                finalSize = uploadBuffer.byteLength;
+            }
+            else if (!skipOptimize && contentType.startsWith('image/')) {
                 const result = await optimizeImage(arrayBuffer, originalFilename, contentType);
                 uploadBuffer = result.buffer;
                 finalFilename = result.filename;
@@ -1054,16 +1351,35 @@ export function registerCMSRoutes(router) {
             const sanitizedName = finalFilename.replace(/[^a-zA-Z0-9._-]/g, '_');
             const storageKey = `actuate/media/${Date.now()}-${sanitizedName}`;
             let publicUrl = '';
-            try {
-                const blob = await importBlobStorage();
-                const result = await blob.put(storageKey, uploadBuffer, {
-                    access: 'public',
-                    contentType: finalMimeType,
-                });
-                publicUrl = result.url;
+            // Prefer the configured platform storage adapter (e.g. platform-vercel,
+            // platform-aws, or a consumer-provided one). Falling through to
+            // @vercel/blob via dynamic import preserves the legacy behavior for
+            // installs that haven't wired up a platform package yet.
+            const { getStorageAdapter } = await import('../storage/index.js');
+            const storage = getStorageAdapter();
+            if (storage) {
+                try {
+                    publicUrl = await storage.upload(storageKey, uploadBuffer, finalMimeType);
+                }
+                catch (err) {
+                    if (process.env.NODE_ENV !== 'test') {
+                        console.error('[Actuate CMS] Storage adapter upload failed:', err);
+                    }
+                    return errorResponse('Storage upload failed', 500);
+                }
             }
-            catch {
-                publicUrl = `/api/cms/media/file/${storageKey}`;
+            else {
+                try {
+                    const blob = await importBlobStorage();
+                    const result = await blob.put(storageKey, uploadBuffer, {
+                        access: 'public',
+                        contentType: finalMimeType,
+                    });
+                    publicUrl = result.url;
+                }
+                catch {
+                    publicUrl = `/api/cms/media/file/${storageKey}`;
+                }
             }
             const media = await db().media.create({
                 data: {
@@ -1643,6 +1959,10 @@ export function registerCMSRoutes(router) {
             if (!q)
                 return json({ data: { documents: [], media: [], users: [] } });
             const d = db();
+            // Documents and media are visible to all signed-in users; the user
+            // directory is gated to EDITOR+ so a CLIENT can't enumerate the team
+            // (or harvest emails for spear-phishing).
+            const canSeeUserDirectory = auth.session.role === 'ADMIN' || auth.session.role === 'EDITOR';
             const [documents, media, users] = await Promise.all([
                 safeFindMany(d.document, {
                     where: { deletedAt: null, OR: [{ title: { contains: q, mode: 'insensitive' } }, { plainText: { contains: q, mode: 'insensitive' } }] },
@@ -1656,11 +1976,19 @@ export function registerCMSRoutes(router) {
                     orderBy: { createdAt: 'desc' },
                     select: { id: true, filename: true, altText: true, mimeType: true, storageKey: true },
                 }),
-                safeFindMany(d.user, {
-                    where: { isActive: true, OR: [{ name: { contains: q, mode: 'insensitive' } }, { email: { contains: q, mode: 'insensitive' } }] },
-                    take: 5,
-                    select: { id: true, name: true, email: true, role: true },
-                }),
+                canSeeUserDirectory
+                    ? safeFindMany(d.user, {
+                        where: {
+                            isActive: true,
+                            OR: [
+                                { name: { contains: q, mode: 'insensitive' } },
+                                { email: { contains: q, mode: 'insensitive' } },
+                            ],
+                        },
+                        take: 5,
+                        select: { id: true, name: true, email: true, role: true },
+                    })
+                    : Promise.resolve([]),
             ]);
             return json({ data: { documents, media, users } });
         }
@@ -1729,17 +2057,37 @@ export function registerCMSRoutes(router) {
             const auth = await requireAuth(request);
             if (auth.error)
                 return auth.error;
+            const roleErr = requireRole(auth.session.role, WRITE_ROLES);
+            if (roleErr)
+                return roleErr;
             const d = db();
             const forms = await d.document.findMany({
                 where: { collection: 'forms', deletedAt: null },
                 orderBy: { createdAt: 'desc' },
             });
-            const normalized = await Promise.all(forms.map(async (form) => {
-                const submissions = hasModel(d, 'formSubmission')
-                    ? await d.formSubmission.count({ where: { formId: form.id } })
-                    : 0;
-                return normalizeFormDocument(form, submissions);
-            }));
+            // Single grouped count is far cheaper than N+1 count() per form once
+            // the dashboard grows past a handful of forms. Fall back to per-form
+            // .count() when the consumer's Prisma client doesn't expose groupBy
+            // (older schemas, custom adapters).
+            let submissionCounts = new Map();
+            if (hasModel(d, 'formSubmission') && forms.length > 0) {
+                const ids = forms.map((f) => f.id);
+                if (typeof d.formSubmission.groupBy === 'function') {
+                    const grouped = await d.formSubmission.groupBy({
+                        by: ['formId'],
+                        where: { formId: { in: ids } },
+                        _count: { _all: true },
+                    });
+                    submissionCounts = new Map(grouped.map((g) => [g.formId, g._count._all]));
+                }
+                else {
+                    for (const id of ids) {
+                        const count = await d.formSubmission.count({ where: { formId: id } });
+                        submissionCounts.set(id, count);
+                    }
+                }
+            }
+            const normalized = forms.map((form) => normalizeFormDocument(form, submissionCounts.get(form.id) ?? 0));
             return json({ data: normalized });
         }
         catch (err) {
@@ -1751,6 +2099,9 @@ export function registerCMSRoutes(router) {
             const auth = await requireAuth(request);
             if (auth.error)
                 return auth.error;
+            const roleErr = requireRole(auth.session.role, WRITE_ROLES);
+            if (roleErr)
+                return roleErr;
             const url = new URL(request.url);
             const page = Number(url.searchParams.get('page')) || 1;
             const pageSize = clampPageSize(url.searchParams.get('pageSize'));
@@ -1876,16 +2227,42 @@ export function registerCMSRoutes(router) {
             if (!source || !destination) {
                 return errorResponse('source and destination are required', 400);
             }
-            if (destination.startsWith('http') && !destination.startsWith(process.env.NEXT_PUBLIC_SITE_URL ?? 'https://')) {
+            // Open-redirect defence: relative destinations (`/foo`) are always
+            // allowed; absolute destinations must point at an explicitly trusted
+            // host. We compare on parsed origins (not string `startsWith`) so
+            // `https://attacker.com.example.com` no longer passes a `startsWith`
+            // check on `https://example.com`. Configure the allowlist via
+            // `redirects.allowedExternalHosts` (string[] of hostnames).
+            if (destination.startsWith('http://') || destination.startsWith('https://')) {
+                let destUrl;
                 try {
-                    const destUrl = new URL(destination);
-                    if (!['http:', 'https:'].includes(destUrl.protocol)) {
-                        return errorResponse('Invalid destination URL', 400);
-                    }
+                    destUrl = new URL(destination);
                 }
                 catch {
                     return errorResponse('Invalid destination URL', 400);
                 }
+                if (!['http:', 'https:'].includes(destUrl.protocol)) {
+                    return errorResponse('Invalid destination URL', 400);
+                }
+                const cmsConfig = globalThis.__actuateConfig;
+                const allowed = new Set([
+                    ...(Array.isArray(cmsConfig?.redirects?.allowedExternalHosts)
+                        ? cmsConfig.redirects.allowedExternalHosts.map((h) => h.toLowerCase())
+                        : []),
+                ]);
+                const siteUrl = process.env.NEXT_PUBLIC_SITE_URL;
+                if (siteUrl) {
+                    try {
+                        allowed.add(new URL(siteUrl).hostname.toLowerCase());
+                    }
+                    catch { /* noop */ }
+                }
+                if (!allowed.has(destUrl.hostname.toLowerCase())) {
+                    return errorResponse('External redirect destinations must be to an allowlisted host. Add the host to `redirects.allowedExternalHosts` in your CMS config.', 400);
+                }
+            }
+            else if (!destination.startsWith('/')) {
+                return errorResponse('Destination must be an absolute URL or a path beginning with /', 400);
             }
             const redirect = await db().redirect.create({
                 data: {
@@ -1946,48 +2323,96 @@ export function registerCMSRoutes(router) {
             const auth = await requireAuth(request);
             if (auth.error)
                 return auth.error;
+            // EDITOR+ only — this endpoint hits arbitrary URLs and can be expensive.
+            const roleErr = requireRole(auth.session.role, WRITE_ROLES);
+            if (roleErr)
+                return roleErr;
+            // Tight rate limit because each call fans out to many outbound requests.
+            const ip = clientIp(request);
+            const rateKey = isResolvedIp(ip)
+                ? `link-health:${ip}`
+                : `link-health-user:${auth.session.userId}`;
+            if (!(await checkRateLimitAsync(linkHealthLimiter, rateKey))) {
+                return errorResponse('Too many link-health scans. Please try again later.', 429);
+            }
+            const MAX_LINKS_PER_PAGE = 50;
+            const MAX_TOTAL_LINKS = 500;
+            const PER_LINK_TIMEOUT_MS = 4000;
+            const CONCURRENCY = 8;
             const docs = await db().document.findMany({
                 where: { deletedAt: null, status: 'PUBLISHED' },
                 select: { id: true, title: true, data: true, collection: true },
             });
-            const linkResults = [];
             const urlRegex = /https?:\/\/[^\s"'<>]+/g;
             const siteUrl = process.env.NEXT_PUBLIC_SITE_URL ?? '';
-            for (const doc of docs) {
+            const queue = [];
+            const seenGlobal = new Set();
+            outer: for (const doc of docs) {
                 const pageTitle = doc.title ?? doc.data?.title ?? doc.id;
                 const content = JSON.stringify(doc.data ?? {});
                 const urls = content.match(urlRegex) ?? [];
-                const seen = new Set();
+                const seenInPage = new Set();
+                let countInPage = 0;
                 for (const url of urls) {
                     const clean = url.replace(/[",;)}\]]+$/, '');
-                    if (seen.has(clean))
+                    if (seenInPage.has(clean))
+                        continue;
+                    seenInPage.add(clean);
+                    if (seenGlobal.has(clean))
                         continue;
-                    seen.add(clean);
-                    const isInternal = siteUrl && clean.startsWith(siteUrl);
+                    seenGlobal.add(clean);
+                    if (countInPage >= MAX_LINKS_PER_PAGE)
+                        break;
+                    if (queue.length >= MAX_TOTAL_LINKS)
+                        break outer;
+                    const isInternal = !!siteUrl && clean.startsWith(siteUrl);
+                    queue.push({ docId: doc.id, pageTitle, clean, isInternal });
+                    countInPage++;
+                }
+            }
+            const linkResults = [];
+            let cursor = 0;
+            const worker = async () => {
+                while (cursor < queue.length) {
+                    const idx = cursor++;
+                    const job = queue[idx];
+                    let status = 0;
                     try {
-                        const resp = await fetch(clean, { method: 'HEAD', redirect: 'manual', signal: AbortSignal.timeout(5000) });
-                        if (resp.status >= 400 || (resp.status >= 300 && resp.status < 400)) {
-                            linkResults.push({
-                                id: `${doc.id}-${linkResults.length}`,
-                                page: pageTitle,
-                                url: clean,
-                                status: resp.status,
-                                type: isInternal ? 'internal' : 'external',
-                            });
+                        // safeFetch rejects private/loopback IPs and disables redirect
+                        // following so 302->internal can't smuggle the scanner past SSRF.
+                        const resp = await safeFetch(job.clean, {
+                            method: 'HEAD',
+                            timeoutMs: PER_LINK_TIMEOUT_MS,
+                        });
+                        status = resp.status;
+                        // Drain the body so the connection can be reused.
+                        try {
+                            await resp.body?.cancel();
                         }
+                        catch { /* noop */ }
+                    }
+                    catch (err) {
+                        status = err instanceof SsrfBlockedError ? -1 : 0;
                     }
-                    catch {
+                    if (status === -1 || status === 0 || status >= 300) {
                         linkResults.push({
-                            id: `${doc.id}-${linkResults.length}`,
-                            page: pageTitle,
-                            url: clean,
-                            status: 0,
-                            type: isInternal ? 'internal' : 'external',
+                            id: `${job.docId}-${idx}`,
+                            page: job.pageTitle,
+                            url: job.clean,
+                            status: status === -1 ? 0 : status,
+                            type: job.isInternal ? 'internal' : 'external',
                         });
                     }
                 }
-            }
-            return json({ data: linkResults });
+            };
+            await Promise.all(Array.from({ length: Math.min(CONCURRENCY, queue.length) }, worker));
+            return json({
+                data: {
+                    truncated: queue.length >= MAX_TOTAL_LINKS,
+                    checked: queue.length,
+                    issues: linkResults,
+                },
+            });
         }
         catch (err) {
             return internalError(err);
@@ -2047,7 +2472,12 @@ export function registerCMSRoutes(router) {
     // ---------------------------------------------------------------------------
     router.get('/seo/analysis/:documentId', async (request, params) => {
         try {
-            const doc = await db().document.findUnique({ where: { id: params.documentId } });
+            const auth = await requireAuth(request);
+            if (auth.error)
+                return auth.error;
+            const doc = await db().document.findFirst({
+                where: { id: params.documentId, deletedAt: null },
+            });
             if (!doc)
                 return errorResponse('Not found', 404);
             const { analyzeContent } = await import('../seo/analysis.js');
@@ -2076,7 +2506,12 @@ export function registerCMSRoutes(router) {
     });
     router.get('/seo/readability/:documentId', async (request, params) => {
         try {
-            const doc = await db().document.findUnique({ where: { id: params.documentId } });
+            const auth = await requireAuth(request);
+            if (auth.error)
+                return auth.error;
+            const doc = await db().document.findFirst({
+                where: { id: params.documentId, deletedAt: null },
+            });
             if (!doc)
                 return errorResponse('Not found', 404);
             const { calculateReadability, stripHtmlTags } = await import('../seo/analysis.js');
@@ -2094,7 +2529,12 @@ export function registerCMSRoutes(router) {
     });
     router.get('/seo/internal-links/:documentId', async (request, params) => {
         try {
-            const doc = await db().document.findUnique({ where: { id: params.documentId } });
+            const auth = await requireAuth(request);
+            if (auth.error)
+                return auth.error;
+            const doc = await db().document.findFirst({
+                where: { id: params.documentId, deletedAt: null },
+            });
             if (!doc)
                 return errorResponse('Not found', 404);
             const data = doc.data || {};
@@ -2110,6 +2550,7 @@ export function registerCMSRoutes(router) {
                 where: {
                     id: { not: params.documentId },
                     status: 'PUBLISHED',
+                    deletedAt: null,
                     OR: keywords.map((kw) => ({
                         title: { contains: kw, mode: 'insensitive' },
                     })),
@@ -2165,7 +2606,12 @@ export function registerCMSRoutes(router) {
     });
     router.get('/seo/schema/:documentId', async (request, params) => {
         try {
-            const doc = await db().document.findUnique({ where: { id: params.documentId } });
+            const auth = await requireAuth(request);
+            if (auth.error)
+                return auth.error;
+            const doc = await db().document.findFirst({
+                where: { id: params.documentId, deletedAt: null },
+            });
             if (!doc)
                 return errorResponse('Not found', 404);
             const { buildSchemaGraph } = await import('../content/structured-data.js');
@@ -2194,7 +2640,12 @@ export function registerCMSRoutes(router) {
     });
     router.get('/seo/meta/:documentId', async (request, params) => {
         try {
-            const doc = await db().document.findUnique({ where: { id: params.documentId } });
+            const auth = await requireAuth(request);
+            if (auth.error)
+                return auth.error;
+            const doc = await db().document.findFirst({
+                where: { id: params.documentId, deletedAt: null },
+            });
             if (!doc)
                 return errorResponse('Not found', 404);
             const { generateMetaTags } = await import('../seo/meta-tags.js');
@@ -2531,6 +2982,17 @@ export function registerCMSRoutes(router) {
             const body = await request.json();
             if (!body.name || !body.scope)
                 return errorResponse('name and scope are required', 400);
+            // A child folder MUST live in the same scope as its parent — without
+            // this check, a 'documents' folder could be reparented under a 'media'
+            // folder, hiding it from both UIs.
+            if (body.parentId) {
+                const parent = await db().folder.findUnique({ where: { id: body.parentId } });
+                if (!parent)
+                    return errorResponse('Parent folder not found', 404);
+                if (parent.scope !== body.scope) {
+                    return errorResponse('Parent folder is in a different scope', 400);
+                }
+            }
             const folder = await db().folder.create({
                 data: {
                     name: body.name,
@@ -2553,6 +3015,22 @@ export function registerCMSRoutes(router) {
             if (roleErr)
                 return roleErr;
             const body = await request.json();
+            const existing = await db().folder.findUnique({ where: { id: params.id } });
+            if (!existing)
+                return errorResponse('Folder not found', 404);
+            // Prevent reparenting into a different scope, and prevent making a folder
+            // a descendant of itself (which would create a cycle).
+            if (body.parentId !== undefined && body.parentId !== null) {
+                if (body.parentId === params.id) {
+                    return errorResponse('Folder cannot be its own parent', 400);
+                }
+                const parent = await db().folder.findUnique({ where: { id: body.parentId } });
+                if (!parent)
+                    return errorResponse('Parent folder not found', 404);
+                if (parent.scope !== existing.scope) {
+                    return errorResponse('Parent folder is in a different scope', 400);
+                }
+            }
             const data = {};
             if (body.name !== undefined)
                 data.name = body.name;
@@ -2578,7 +3056,22 @@ export function registerCMSRoutes(router) {
             const roleErr = requireRole(auth.session.role, WRITE_ROLES);
             if (roleErr)
                 return roleErr;
-            await db().folder.delete({ where: { id: params.id } });
+            // We don't cascade-delete the contents — they would silently vanish.
+            // Instead, refuse to delete a folder that still has documents, media,
+            // or sub-folders inside it.
+            const d = db();
+            const folder = await d.folder.findUnique({ where: { id: params.id } });
+            if (!folder)
+                return errorResponse('Folder not found', 404);
+            const [docCount, mediaCount, childCount] = await Promise.all([
+                hasModel(d, 'document') ? d.document.count({ where: { folderId: params.id, deletedAt: null } }) : 0,
+                hasModel(d, 'media') ? d.media.count({ where: { folderId: params.id } }) : 0,
+                d.folder.count({ where: { parentId: params.id } }),
+            ]);
+            if (docCount + mediaCount + childCount > 0) {
+                return errorResponse(`Folder is not empty (${docCount} documents, ${mediaCount} media, ${childCount} sub-folders). Move or delete its contents first.`, 409);
+            }
+            await d.folder.delete({ where: { id: params.id } });
             return json({ data: { success: true } });
         }
         catch (err) {
@@ -2594,6 +3087,15 @@ export function registerCMSRoutes(router) {
             if (roleErr)
                 return roleErr;
             const body = await request.json();
+            // Confirm the target folder is in the documents scope before moving in.
+            if (body.folderId) {
+                const target = await db().folder.findUnique({ where: { id: body.folderId } });
+                if (!target)
+                    return errorResponse('Folder not found', 404);
+                if (target.scope !== 'documents' && target.scope !== 'collections') {
+                    return errorResponse('Target folder is not a documents folder', 400);
+                }
+            }
             await db().document.update({
                 where: { id: params.id },
                 data: { folderId: body.folderId ?? null },
@@ -2613,6 +3115,14 @@ export function registerCMSRoutes(router) {
             if (roleErr)
                 return roleErr;
             const body = await request.json();
+            if (body.folderId) {
+                const target = await db().folder.findUnique({ where: { id: body.folderId } });
+                if (!target)
+                    return errorResponse('Folder not found', 404);
+                if (target.scope !== 'media') {
+                    return errorResponse('Target folder is not a media folder', 400);
+                }
+            }
             await db().media.update({
                 where: { id: params.id },
                 data: { folderId: body.folderId ?? null },
@@ -2821,10 +3331,14 @@ export function registerCMSRoutes(router) {
             if (!doc) {
                 return errorResponse('Global not found', 404);
             }
+            // Globals routed through `/public/globals/:slug` are by definition
+            // public site data — when no `access.read` is set we default to
+            // allowed. Integrators that want to gate a global must set
+            // `access.read` explicitly (returning `false` for public).
             const readAccess = globalConfig.access?.read;
             const allowed = readAccess
                 ? await readAccess({ user: null, doc })
-                : false;
+                : true;
             if (!allowed) {
                 return errorResponse('Forbidden', 403);
             }
@@ -3040,7 +3554,15 @@ export function registerCMSRoutes(router) {
                     bucket.push(tag.code);
                 }
             }
-            return json(grouped);
+            // Public endpoint that fans out to many page renders. Add a short
+            // edge cache so it doesn't become a per-request DB hit.
+            const response = new Response(JSON.stringify(grouped), {
+                status: 200,
+                headers: { ...SECURITY_HEADERS, 'Content-Type': 'application/json' },
+            });
+            response.headers.set('Cache-Control', 'public, max-age=60, s-maxage=60, stale-while-revalidate=300');
+            response.headers.set('Vary', 'path');
+            return response;
         }
         catch (err) {
             return internalError(err, 'script-tags/resolve');
@@ -3621,6 +4143,11 @@ export function registerCMSRoutes(router) {
         }
     });
     // ─── Page Builder AI Generation ─────────────────────────────────────
+    // Hard caps for AI input to keep token cost bounded and to limit the
+    // surface area for prompt injection. Adjust via the `ai.limits` block in
+    // the CMS config if you want stricter values; never raise past 8k.
+    const AI_PROMPT_MAX_CHARS = 4000;
+    const AI_CONTEXT_MAX_CHARS = 8000;
     router.post('/page-builder/generate', async (request) => {
         try {
             const auth = await requireAuth(request);
@@ -3629,11 +4156,23 @@ export function registerCMSRoutes(router) {
             const roleErr = requireRole(auth.session.role, ADMIN_ROLES);
             if (roleErr)
                 return roleErr;
+            // Per-user rate limit. AI generation is the single most expensive
+            // operation in the CMS — without this, a compromised admin account
+            // can drain a provider key in minutes.
+            if (!(await checkRateLimitAsync(aiGenerateLimiter, `ai-gen:${auth.session.userId}`))) {
+                return errorResponse('AI generation rate limit reached. Try again in an hour.', 429);
+            }
             const body = await request.json();
             const { prompt, template, context, steps, tone } = body;
             if (!prompt || typeof prompt !== 'string') {
                 return errorResponse('prompt is required', 400);
             }
+            if (prompt.length > AI_PROMPT_MAX_CHARS) {
+                return errorResponse(`prompt exceeds ${AI_PROMPT_MAX_CHARS} character limit`, 400);
+            }
+            if (typeof context === 'string' && context.length > AI_CONTEXT_MAX_CHARS) {
+                return errorResponse(`context exceeds ${AI_CONTEXT_MAX_CHARS} character limit`, 400);
+            }
             if (!steps || !Array.isArray(steps) || steps.length === 0) {
                 return errorResponse('steps array is required', 400);
             }
@@ -3646,7 +4185,15 @@ export function registerCMSRoutes(router) {
             await logEvent({
                 event: 'settings_changed',
                 userId: auth.session.userId,
-                details: { action: 'page_generation_started', prompt, steps, template },
+                details: {
+                    action: 'page_generation_started',
+                    // Redact secrets from the prompt before persisting to the audit log.
+                    // Even an admin pasting a key into a prompt by mistake shouldn't
+                    // result in that key being mirrored into permanent storage.
+                    prompt: redactSecrets(prompt).slice(0, 500),
+                    steps,
+                    template,
+                },
             });
             let generatePage = null;
             try {
@@ -3681,11 +4228,21 @@ export function registerCMSRoutes(router) {
             const roleErr = requireRole(auth.session.role, ADMIN_ROLES);
             if (roleErr)
                 return roleErr;
+            if (!(await checkRateLimitAsync(aiGenerateLimiter, `ai-block:${auth.session.userId}`))) {
+                return errorResponse('AI generation rate limit reached. Try again in an hour.', 429);
+            }
             const body = await request.json();
             const { blockType, variant, pageContext, tone } = body;
             if (!blockType || typeof blockType !== 'string') {
                 return errorResponse('blockType is required', 400);
             }
+            // Limit caller-supplied context that flows directly into the prompt.
+            if (pageContext) {
+                const total = JSON.stringify(pageContext).length;
+                if (total > AI_CONTEXT_MAX_CHARS) {
+                    return errorResponse(`pageContext exceeds ${AI_CONTEXT_MAX_CHARS} character limit`, 400);
+                }
+            }
             let generateBlockContent = null;
             try {
                 const aiModule = await importAIPlugin();