@actuate-media/cms-core 0.10.4 → 0.11.1

package/dist/api/handlers.js

@@ -4,7 +4,8 @@ import { createSession, verifySession, revokeSession } from '../auth/session.js'
 import { createPasswordReset, executePasswordReset } from '../auth/reset.js';
 import { checkSetupRequired, createInitialAdmin } from '../setup/index.js';
 import { getDB } from '../db.js';
-import { generateCodeVerifier, generateCodeChallenge, generateState, getAuthorizationUrl, handleOAuthCallback, } from '../auth/oauth.js';
+import { generateCodeVerifier, generateCodeChallenge, generateState, generateOAuthNonce, getAuthorizationUrl, handleOAuthCallback, } from '../auth/oauth.js';
+import { createMfaPendingToken, verifyMfaPendingToken, computeRequestFingerprint, } from '../auth/mfa-pending.js';
 import { optimizeImage, formatBytes } from '../media/optimize.js';
 import { generateToken as generateCsrfToken } from '../security/csrf.js';
 import { logEvent } from '../security/audit.js';
@@ -15,12 +16,20 @@ import { verifyCaptcha, getCaptchaConfig } from '../security/captcha.js';
 import { checkForUpdates } from '../upgrade/version-check.js';
 import { createUpgradePR } from '../upgrade/upgrade-pr.js';
 import { encryptField, decryptField } from '../security/encrypted-fields.js';
+import { encryptSecret, decryptSecret, encryptStringArray, } from '../security/secret-storage.js';
 import { createRateLimiter } from '../security/rate-limit.js';
 import { generateOpenAPISpec } from './openapi.js';
 import { createSSEPresenceAdapter } from '../presence/index.js';
 import { BUILT_IN_TEMPLATES } from '../page-builder/templates.js';
 import { validateTree } from '../page-builder/validate.js';
 import { auditAccessibility, fixAccessibility } from '../page-builder/a11y-fix.js';
+import { getClientIp, isResolvedIp } from '../security/client-ip.js';
+import { safeFetch, SsrfBlockedError } from '../security/safe-fetch.js';
+import { redactSecrets } from '../security/redact.js';
+import { enforceSessionLimits } from '../security/session-limits.js';
+import { verifyReauth } from '../security/reauth.js';
+import { validateMimeType, checkMagicBytes } from '../security/upload.js';
+import { sanitizeHtml } from '../security/sanitize.js';
 // Opaque dynamic import so Turbopack/webpack won't statically analyze the specifier.
 // Returns { put, del, ... } from @vercel/blob when available.
 async function importBlobStorage() {
@@ -62,7 +71,9 @@ function mediaUrl(storageKey) {
     const value = String(storageKey ?? '');
     if (!value)
         return '';
-    return value.startsWith('http://') || value.startsWith('https://') || value.startsWith('/') ? value : '';
+    return value.startsWith('http://') || value.startsWith('https://') || value.startsWith('/')
+        ? value
+        : '';
 }
 function normalizeMediaItem(media) {
     const width = typeof media.width === 'number' ? media.width : null;
@@ -158,9 +169,9 @@ function hasModel(d, name) {
     }
 }
 function modelNotAvailable(name) {
-    return errorResponse(`The "${name}" model is not available in your Prisma schema. `
-        + 'Run `actuate db:init` for new schemas, or carefully update the existing Actuate block, create/apply a Prisma migration, then regenerate Prisma Client. '
-        + 'See https://actuatecms.dev/docs/database-setup for required models.', 501);
+    return errorResponse(`The "${name}" model is not available in your Prisma schema. ` +
+        'Run `actuate db:init` for new schemas, or carefully update the existing Actuate block, create/apply a Prisma migration, then regenerate Prisma Client. ' +
+        'See https://actuatecms.dev/docs/database-setup for required models.', 501);
 }
 async function safeCount(model, where) {
     try {
@@ -223,28 +234,34 @@ function isAllowedStorageUrl(url) {
     }
 }
 const ALLOWED_SORT_FIELDS = new Set([
-    'createdAt', 'updatedAt', 'publishedAt', 'status', 'collection',
+    'createdAt',
+    'updatedAt',
+    'publishedAt',
+    'status',
+    'collection',
 ]);
 let _secretMissing = false;
 let _secretWarningLogged = false;
 function getSessionSecret() {
-    const secret = process.env.CMS_SECRET
-        ?? process.env.CMS_SESSION_SECRET
-        ?? globalThis.__actuateConfig?.secret;
+    const secret = process.env.CMS_SECRET ??
+        process.env.CMS_SESSION_SECRET ??
+        globalThis.__actuateConfig?.secret;
     if (!secret) {
         _secretMissing = true;
         if (!_secretWarningLogged) {
             _secretWarningLogged = true;
-            console.error('[Actuate CMS] Missing CMS secret. Set the CMS_SECRET environment variable (min 32 characters) '
-                + 'or pass `secret` in your actuate.config.ts. '
-                + 'Generate one with: node -e "console.log(require(\'crypto\').randomBytes(32).toString(\'hex\'))" '
-                + '-- All authenticated API routes will return 503 until this is configured.');
+            console.error('[Actuate CMS] Missing CMS secret. Set the CMS_SECRET environment variable (min 32 characters) ' +
+                'or pass `secret` in your actuate.config.ts. ' +
+                "Generate one with: node -e \"console.log(require('crypto').randomBytes(32).toString('hex'))\" " +
+                '-- All authenticated API routes will return 503 until this is configured.');
         }
         throw new Error('CMS secret not configured');
     }
     if (secret.length < 32) {
-        throw new Error('[Actuate CMS] CMS secret must be at least 32 characters (got ' + secret.length + '). '
-            + 'Generate a secure value with: node -e "console.log(require(\'crypto\').randomBytes(32).toString(\'hex\'))"');
+        throw new Error('[Actuate CMS] CMS secret must be at least 32 characters (got ' +
+            secret.length +
+            '). ' +
+            "Generate a secure value with: node -e \"console.log(require('crypto').randomBytes(32).toString('hex'))\"");
     }
     _secretMissing = false;
     return secret;
@@ -302,6 +319,36 @@ export function parseCookieHeader(cookieHeader) {
     }
     return cookies;
 }
+/**
+ * Verify a password (or "current password") posted in the X-Reauth-Password
+ * header against the authenticated user. Returns an error Response when the
+ * header is missing or the password is wrong; returns null on success.
+ *
+ * Use this for high-impact account changes (TOTP enable/disable, role change,
+ * delete user, etc.) so a stolen session alone cannot perform them.
+ */
+async function requirePasswordReauth(request, userId) {
+    const password = request.headers.get('x-reauth-password');
+    if (!password) {
+        return new Response(JSON.stringify({
+            error: 'Re-authentication required for this action.',
+            code: 'REAUTH_REQUIRED',
+            method: 'password',
+        }), { status: 401, headers: { ...SECURITY_HEADERS } });
+    }
+    try {
+        const { getDB } = await import('../db.js');
+        const ok = await verifyReauth(userId, password, 'password', getDB());
+        if (!ok) {
+            return errorResponse('Re-authentication failed.', 401);
+        }
+        return null;
+    }
+    catch (err) {
+        console.error('[actuate][reauth] verify failed:', err instanceof Error ? err.message : err);
+        return errorResponse('Re-authentication failed.', 401);
+    }
+}
 async function requireAuth(request) {
     if (isSecretMissing()) {
         return {
@@ -334,15 +381,59 @@ function requireRole(role, allowedRoles) {
     return null;
 }
 const loginLimiter = createRateLimiter({ maxRequests: 5, windowMs: 15 * 60 * 1000 });
+const totpLimiter = createRateLimiter({ maxRequests: 10, windowMs: 15 * 60 * 1000 });
 const formLimiterGlobal = createRateLimiter({ maxRequests: 10, windowMs: 60_000 });
+const aiGenerateLimiter = createRateLimiter({ maxRequests: 20, windowMs: 60 * 60 * 1000 });
+const linkHealthLimiter = createRateLimiter({ maxRequests: 4, windowMs: 60 * 60 * 1000 });
 async function checkRateLimitAsync(limiter, key) {
+    // Explicit, environment-gated bypass for test harnesses. Production never
+    // sets this — Vercel + the deploy guide both omit it. We deliberately do
+    // NOT key off `NODE_ENV === 'test'` because Next.js builds run with
+    // NODE_ENV=test in some CI configurations and we want rate limiting
+    // exercised by unit tests that explicitly opt in.
+    if (process.env.ACTUATE_DISABLE_RATE_LIMIT === '1') {
+        return true;
+    }
     const result = await limiter.check(key);
     return result.allowed;
 }
+/**
+ * Resolve the client IP from trusted-proxy headers (Vercel first, then x-real-ip,
+ * then x-forwarded-for only when ACTUATE_TRUST_PROXY=1). Returns 'unknown' when
+ * no trustworthy source is available — callers MUST treat that case as a hard
+ * failure for security-sensitive decisions like rate-limit keys and IP allowlists.
+ */
+function clientIp(request) {
+    return getClientIp(request);
+}
+const MAX_CONCURRENT_SESSIONS = 5;
+/**
+ * After a successful primary-credential check, prune the user's active sessions
+ * down to the configured concurrent maximum (default 5; configurable via
+ * `auth.maxConcurrentSessions`). Strategy is "revoke oldest" so a user can
+ * always sign in.
+ */
+async function enforceSessionLimitsForUser(d, userId) {
+    if (!hasModel(d, 'session'))
+        return;
+    const config = globalThis.__actuateConfig?.auth ?? {};
+    const max = typeof config.maxConcurrentSessions === 'number' && config.maxConcurrentSessions > 0
+        ? config.maxConcurrentSessions
+        : MAX_CONCURRENT_SESSIONS;
+    const active = await d.session.findMany({
+        where: { userId, revokedAt: null, expiresAt: { gt: new Date() } },
+        select: { id: true, createdAt: true },
+    });
+    const decision = enforceSessionLimits(active.map((s) => ({ sessionId: s.id, userId, createdAt: s.createdAt })), { maxConcurrentSessions: max, strategy: 'revoke_oldest' });
+    if (decision.sessionsToRevoke.length > 0) {
+        await d.session.updateMany({
+            where: { id: { in: decision.sessionsToRevoke } },
+            data: { revokedAt: new Date() },
+        });
+    }
+}
 function getAdminPath() {
-    return process.env.ACTUATE_ADMIN_PATH
-        ?? globalThis.__actuateConfig?.admin?.path
-        ?? '/admin';
+    return (process.env.ACTUATE_ADMIN_PATH ?? globalThis.__actuateConfig?.admin?.path ?? '/admin');
 }
 class ModelNotAvailableError extends Error {
     model;
@@ -365,7 +456,9 @@ export function registerCMSRoutes(router) {
                     if (typeof prop !== 'string' || prop.startsWith('$') || prop === 'then')
                         return undefined;
                     return new Proxy({}, {
-                        get() { throw new ModelNotAvailableError(String(prop)); },
+                        get() {
+                            throw new ModelNotAvailableError(String(prop));
+                        },
                     });
                 },
             });
@@ -386,7 +479,9 @@ export function registerCMSRoutes(router) {
                 if (val !== undefined && val !== null)
                     return val;
                 return new Proxy({}, {
-                    get() { throw new ModelNotAvailableError(String(prop)); },
+                    get() {
+                        throw new ModelNotAvailableError(String(prop));
+                    },
                 });
             },
         });
@@ -398,12 +493,7 @@ export function registerCMSRoutes(router) {
     router.get('/auth/csrf', async () => {
         const token = await generateCsrfToken();
         const isProduction = process.env.NODE_ENV === 'production';
-        const cookieFlags = [
-            `actuate_csrf=${token}`,
-            'Path=/',
-            'SameSite=Lax',
-            'Max-Age=86400',
-        ];
+        const cookieFlags = [`actuate_csrf=${token}`, 'Path=/', 'SameSite=Lax', 'Max-Age=86400'];
         if (isProduction)
             cookieFlags.push('Secure');
         const response = json({ data: { token } });
@@ -446,18 +536,23 @@ export function registerCMSRoutes(router) {
     // ---------------------------------------------------------------------------
     router.post('/auth/login', async (request) => {
         try {
-            const body = await request.json();
+            const body = (await request.json());
             const { email, password } = body;
             if (!email || !password) {
                 return errorResponse('Email and password are required', 400);
             }
-            const clientIp = request.headers.get('x-forwarded-for')?.split(',')[0]?.trim() ?? 'unknown';
-            if (!(await checkRateLimitAsync(loginLimiter, `login:${clientIp}`))) {
+            const ip = clientIp(request);
+            const userAgent = request.headers.get('user-agent');
+            // Bucket by IP when we have a trustworthy one; otherwise fall back to a
+            // global bucket. We deliberately avoid keying on the email alone — that
+            // would let attackers lock out legitimate users by spamming logins.
+            const rateLimitKey = isResolvedIp(ip) ? `login:${ip}` : 'login:unknown';
+            if (!(await checkRateLimitAsync(loginLimiter, rateLimitKey))) {
                 return errorResponse('Too many login attempts. Please try again later.', 429);
             }
             const captchaConfig = getCaptchaConfig();
             if (captchaConfig.provider !== 'none') {
-                const captchaResult = await verifyCaptcha(body.captchaToken ?? '', captchaConfig, clientIp);
+                const captchaResult = await verifyCaptcha(body.captchaToken ?? '', captchaConfig, ip);
                 if (!captchaResult.success) {
                     return errorResponse('CAPTCHA verification failed. Please try again.', 403);
                 }
@@ -479,8 +574,8 @@ export function registerCMSRoutes(router) {
                 await logEvent({
                     event: 'login_failed',
                     userId: user.id,
-                    ipAddress: request.headers.get('x-forwarded-for')?.split(',')[0]?.trim() ?? undefined,
-                    userAgent: request.headers.get('user-agent') ?? undefined,
+                    ipAddress: isResolvedIp(ip) ? ip : undefined,
+                    userAgent: userAgent ?? undefined,
                 });
                 return errorResponse('Invalid email or password', 401);
             }
@@ -488,8 +583,14 @@ export function registerCMSRoutes(router) {
                 return errorResponse('Account is deactivated', 403);
             }
             if (user.totpEnabled) {
-                return json({ data: { requiresTOTP: true, userId: user.id } });
+                // Hand back an opaque short-lived token instead of the raw userId.
+                // The /auth/totp/login endpoint will verify both this token and a
+                // stable browser fingerprint before checking the TOTP code.
+                const fingerprint = await computeRequestFingerprint(ip, userAgent);
+                const mfaPendingToken = await createMfaPendingToken({ userId: user.id, fingerprint }, getSessionSecret());
+                return json({ data: { requiresTOTP: true, mfaPendingToken } });
             }
+            await enforceSessionLimitsForUser(d, user.id);
             const tempSessionId = crypto.randomUUID();
             const token = await createSession({ userId: user.id, role: user.role, sessionId: tempSessionId }, { secret: getSessionSecret() });
             await db().session.create({
@@ -498,8 +599,8 @@ export function registerCMSRoutes(router) {
                     userId: user.id,
                     token,
                     expiresAt: new Date(Date.now() + 7 * 24 * 60 * 60 * 1000),
-                    ipAddress: request.headers.get('x-forwarded-for')?.split(',')[0]?.trim() ?? null,
-                    userAgent: request.headers.get('user-agent') ?? null,
+                    ipAddress: isResolvedIp(ip) ? ip : null,
+                    userAgent: userAgent ?? null,
                 },
             });
             const response = json({
@@ -519,12 +620,7 @@ export function registerCMSRoutes(router) {
             if (isProduction)
                 sessionCookie.push('Secure');
             const csrfToken = await generateCsrfToken();
-            const csrfCookie = [
-                `actuate_csrf=${csrfToken}`,
-                'Path=/',
-                'SameSite=Lax',
-                'Max-Age=86400',
-            ];
+            const csrfCookie = [`actuate_csrf=${csrfToken}`, 'Path=/', 'SameSite=Lax', 'Max-Age=86400'];
             if (isProduction)
                 csrfCookie.push('Secure');
             response.headers.append('Set-Cookie', sessionCookie.join('; '));
@@ -532,8 +628,8 @@ export function registerCMSRoutes(router) {
             await logEvent({
                 event: 'login_success',
                 userId: user.id,
-                ipAddress: request.headers.get('x-forwarded-for')?.split(',')[0]?.trim() ?? undefined,
-                userAgent: request.headers.get('user-agent') ?? undefined,
+                ipAddress: isResolvedIp(ip) ? ip : undefined,
+                userAgent: userAgent ?? undefined,
             });
             return response;
         }
@@ -547,10 +643,11 @@ export function registerCMSRoutes(router) {
             if (auth.error)
                 return auth.error;
             await revokeSession(auth.session.sessionId, db());
+            const ip = clientIp(request);
             await logEvent({
                 event: 'logout',
                 userId: auth.session.userId,
-                ipAddress: request.headers.get('x-forwarded-for')?.split(',')[0]?.trim() ?? undefined,
+                ipAddress: isResolvedIp(ip) ? ip : undefined,
             });
             const response = json({ data: { success: true } });
             response.headers.set('Set-Cookie', 'actuate_session=; Path=/; HttpOnly; SameSite=Lax; Max-Age=0');
@@ -562,13 +659,14 @@ export function registerCMSRoutes(router) {
     });
     router.post('/auth/forgot-password', async (request) => {
         try {
-            const body = await request.json();
+            const body = (await request.json());
             const { email } = body;
             if (!email) {
                 return errorResponse('Email is required', 400);
             }
-            const clientIp = request.headers.get('x-forwarded-for')?.split(',')[0]?.trim() ?? 'unknown';
-            if (!(await checkRateLimitAsync(loginLimiter, `forgot:${clientIp}`))) {
+            const ip = clientIp(request);
+            const rateLimitKey = isResolvedIp(ip) ? `forgot:${ip}` : 'forgot:unknown';
+            if (!(await checkRateLimitAsync(loginLimiter, rateLimitKey))) {
                 return errorResponse('Too many requests. Please try again later.', 429);
             }
             const d = db();
@@ -582,7 +680,7 @@ export function registerCMSRoutes(router) {
             });
             await logEvent({
                 event: 'password_reset_request',
-                ipAddress: clientIp,
+                ipAddress: isResolvedIp(ip) ? ip : undefined,
                 userAgent: request.headers.get('user-agent') ?? undefined,
                 details: { email: email.toLowerCase().trim() },
             });
@@ -594,7 +692,7 @@ export function registerCMSRoutes(router) {
     });
     router.post('/auth/reset-password', async (request) => {
         try {
-            const body = await request.json();
+            const body = (await request.json());
             const { token, password } = body;
             if (!token || !password) {
                 return errorResponse('Token and new password are required', 400);
@@ -602,8 +700,9 @@ export function registerCMSRoutes(router) {
             if (password.length < 8) {
                 return errorResponse('Password must be at least 8 characters', 400);
             }
-            const clientIp = request.headers.get('x-forwarded-for')?.split(',')[0]?.trim() ?? 'unknown';
-            if (!(await checkRateLimitAsync(loginLimiter, `reset:${clientIp}`))) {
+            const ip = clientIp(request);
+            const rateLimitKey = isResolvedIp(ip) ? `reset:${ip}` : 'reset:unknown';
+            if (!(await checkRateLimitAsync(loginLimiter, rateLimitKey))) {
                 return errorResponse('Too many requests. Please try again later.', 429);
             }
             const d = db();
@@ -615,7 +714,7 @@ export function registerCMSRoutes(router) {
             }
             await logEvent({
                 event: 'password_reset_complete',
-                ipAddress: clientIp,
+                ipAddress: isResolvedIp(ip) ? ip : undefined,
                 userAgent: request.headers.get('user-agent') ?? undefined,
             });
             return json({ data: { success: true } });
@@ -636,7 +735,24 @@ export function registerCMSRoutes(router) {
             if (!user) {
                 return errorResponse('User not found', 404);
             }
-            return json({ data: user });
+            const response = json({ data: user });
+            // Bootstrap (or refresh) the double-submit CSRF cookie. Without this
+            // the admin app's first non-GET after a hard reload races to populate
+            // it; some users hit "Invalid CSRF token" on the very first save.
+            const cookies = parseCookieHeader(request.headers.get('cookie') ?? '');
+            if (!cookies['actuate_csrf']) {
+                const csrfToken = await generateCsrfToken();
+                const isProduction = process.env.NODE_ENV === 'production';
+                const csrfCookie = [
+                    `actuate_csrf=${csrfToken}`,
+                    'Path=/',
+                    'SameSite=Lax',
+                    'Max-Age=86400',
+                    ...(isProduction ? ['Secure'] : []),
+                ].join('; ');
+                response.headers.append('Set-Cookie', csrfCookie);
+            }
+            return response;
         }
         catch (err) {
             return internalError(err, 'auth/me');
@@ -650,8 +766,16 @@ export function registerCMSRoutes(router) {
             const auth = await requireAuth(request);
             if (auth.error)
                 return auth.error;
+            // Sensitive operation — require recent password reauth so a stolen
+            // session can't silently rotate someone's TOTP secret.
+            const reauthErr = await requirePasswordReauth(request, auth.session.userId);
+            if (reauthErr)
+                return reauthErr;
             const { generateTOTPSecret, generateTOTPUri, generateBackupCodes } = await import('../auth/totp.js');
-            const user = await db().user.findUnique({ where: { id: auth.session.userId }, select: { email: true, totpEnabled: true } });
+            const user = await db().user.findUnique({
+                where: { id: auth.session.userId },
+                select: { email: true, totpEnabled: true },
+            });
             if (!user)
                 return errorResponse('User not found', 404);
             if (user.totpEnabled)
@@ -659,7 +783,14 @@ export function registerCMSRoutes(router) {
             const secret = generateTOTPSecret();
             const uri = generateTOTPUri(secret, user.email);
             const backups = generateBackupCodes();
-            await db().user.update({ where: { id: auth.session.userId }, data: { totpSecret: secret, backupCodes: backups } });
+            // Persist encrypted; the plaintext is only returned to the user once
+            // (so they can scan the QR / save backup codes).
+            const encryptedSecret = await encryptSecret(secret);
+            const encryptedBackups = await encryptStringArray(backups);
+            await db().user.update({
+                where: { id: auth.session.userId },
+                data: { totpSecret: encryptedSecret, backupCodes: encryptedBackups },
+            });
             return json({ data: { secret, uri, backupCodes: backups } });
         }
         catch (err) {
@@ -671,17 +802,22 @@ export function registerCMSRoutes(router) {
             const auth = await requireAuth(request);
             if (auth.error)
                 return auth.error;
-            const body = await request.json();
+            const body = (await request.json());
             if (!body.code)
                 return errorResponse('Code is required', 400);
             const { verifyTOTP } = await import('../auth/totp.js');
-            const user = await db().user.findUnique({ where: { id: auth.session.userId }, select: { totpSecret: true } });
+            const user = await db().user.findUnique({
+                where: { id: auth.session.userId },
+                select: { totpSecret: true },
+            });
             if (!user?.totpSecret)
                 return errorResponse('TOTP not set up', 400);
-            const valid = verifyTOTP(body.code, user.totpSecret);
+            const secret = await decryptSecret(user.totpSecret);
+            const valid = verifyTOTP(body.code, secret);
             if (!valid)
                 return errorResponse('Invalid code', 400);
             await db().user.update({ where: { id: auth.session.userId }, data: { totpEnabled: true } });
+            await logEvent({ event: 'totp_enabled', userId: auth.session.userId });
             return json({ data: { enabled: true } });
         }
         catch (err) {
@@ -693,7 +829,28 @@ export function registerCMSRoutes(router) {
             const auth = await requireAuth(request);
             if (auth.error)
                 return auth.error;
-            await db().user.update({ where: { id: auth.session.userId }, data: { totpEnabled: false, totpSecret: null, backupCodes: null } });
+            // Disabling MFA is a high-impact security change. Require recent password
+            // reauth and revoke every other session so a compromised cookie loses
+            // access immediately after MFA goes away.
+            const reauthErr = await requirePasswordReauth(request, auth.session.userId);
+            if (reauthErr)
+                return reauthErr;
+            const d = db();
+            await d.user.update({
+                where: { id: auth.session.userId },
+                data: { totpEnabled: false, totpSecret: null, backupCodes: null },
+            });
+            if (hasModel(d, 'session')) {
+                await d.session.updateMany({
+                    where: {
+                        userId: auth.session.userId,
+                        id: { not: auth.session.sessionId },
+                        revokedAt: null,
+                    },
+                    data: { revokedAt: new Date() },
+                });
+            }
+            await logEvent({ event: 'totp_disabled', userId: auth.session.userId });
             return json({ data: { enabled: false } });
         }
         catch (err) {
@@ -702,22 +859,116 @@ export function registerCMSRoutes(router) {
     });
     router.post('/auth/totp/login', async (request) => {
         try {
-            const body = await request.json();
-            if (!body.userId || !body.code)
-                return errorResponse('userId and code are required', 400);
+            const body = (await request.json());
+            if (!body.mfaPendingToken || !body.code) {
+                return errorResponse('mfaPendingToken and code are required', 400);
+            }
+            const ip = clientIp(request);
+            const userAgent = request.headers.get('user-agent');
+            // Per-IP and per-token rate limits. The per-token limit is the actual
+            // brute-force defence: even with IP rotation, an attacker has to obtain
+            // a fresh mfaPendingToken (which requires the password) for every
+            // window. The per-IP limit guards the IP-aware case and limits log noise.
+            const ipBucket = isResolvedIp(ip) ? `totp-ip:${ip}` : 'totp-ip:unknown';
+            if (!(await checkRateLimitAsync(totpLimiter, ipBucket))) {
+                return errorResponse('Too many TOTP attempts. Please try again later.', 429);
+            }
+            let pending;
+            try {
+                pending = await verifyMfaPendingToken(body.mfaPendingToken, getSessionSecret());
+            }
+            catch {
+                return errorResponse('Session expired. Please sign in again.', 401);
+            }
+            // Validate the request comes from the same browser that completed the
+            // password step. This frustrates attempts to ship a captured pending
+            // token to a different host.
+            const fingerprint = await computeRequestFingerprint(ip, userAgent);
+            if (fingerprint !== pending.fingerprint) {
+                return errorResponse('Session fingerprint mismatch. Please sign in again.', 401);
+            }
+            // Per-userId bucket is what actually caps brute-force. With the default
+            // 10 attempts / 15 min, an attacker would need ~190 years to cover the
+            // 1M code space even with unbounded IPs.
+            const userBucket = `totp-user:${pending.userId}`;
+            if (!(await checkRateLimitAsync(totpLimiter, userBucket))) {
+                return errorResponse('Too many TOTP attempts. Please try again later.', 429);
+            }
             const { verifyTOTP } = await import('../auth/totp.js');
-            const user = await db().user.findUnique({ where: { id: body.userId }, select: { id: true, email: true, role: true, totpSecret: true, totpEnabled: true, isActive: true } });
-            if (!user || !user.isActive || !user.totpEnabled || !user.totpSecret)
+            const user = await db().user.findUnique({
+                where: { id: pending.userId },
+                select: {
+                    id: true,
+                    email: true,
+                    name: true,
+                    role: true,
+                    totpSecret: true,
+                    totpEnabled: true,
+                    isActive: true,
+                },
+            });
+            if (!user || !user.isActive || !user.totpEnabled || !user.totpSecret) {
                 return errorResponse('Invalid request', 400);
-            const valid = verifyTOTP(body.code, user.totpSecret);
-            if (!valid)
+            }
+            const decryptedSecret = await decryptSecret(user.totpSecret);
+            const valid = verifyTOTP(body.code, decryptedSecret);
+            if (!valid) {
+                await logEvent({
+                    event: 'login_failed',
+                    userId: user.id,
+                    ipAddress: isResolvedIp(ip) ? ip : undefined,
+                    userAgent: userAgent ?? undefined,
+                    details: { reason: 'totp_invalid' },
+                });
                 return errorResponse('Invalid code', 401);
+            }
+            const d = db();
+            await enforceSessionLimitsForUser(d, user.id);
             const tempSessionId = crypto.randomUUID();
             const token = await createSession({ userId: user.id, role: user.role, sessionId: tempSessionId }, { secret: getSessionSecret() });
-            await db().session.create({ data: { id: tempSessionId, userId: user.id, token, expiresAt: new Date(Date.now() + 7 * 24 * 60 * 60 * 1000) } });
+            await d.session.create({
+                data: {
+                    id: tempSessionId,
+                    userId: user.id,
+                    token,
+                    expiresAt: new Date(Date.now() + 7 * 24 * 60 * 60 * 1000),
+                    ipAddress: isResolvedIp(ip) ? ip : null,
+                    userAgent: userAgent ?? null,
+                },
+            });
+            await logEvent({
+                event: 'login_success',
+                userId: user.id,
+                ipAddress: isResolvedIp(ip) ? ip : undefined,
+                userAgent: userAgent ?? undefined,
+                details: { mfa: 'totp' },
+            });
             const isProduction = process.env.NODE_ENV === 'production';
-            const sessionCookie = [`actuate_session=${token}`, 'Path=/', 'HttpOnly', 'SameSite=Lax', `Max-Age=${7 * 24 * 3600}`, ...(isProduction ? ['Secure'] : [])].join('; ');
-            return new Response(JSON.stringify({ data: { token, user: { id: user.id, email: user.email, role: user.role } } }), { status: 200, headers: { ...SECURITY_HEADERS, 'Set-Cookie': sessionCookie } });
+            const sessionCookie = [
+                `actuate_session=${token}`,
+                'Path=/',
+                'HttpOnly',
+                'SameSite=Lax',
+                `Max-Age=${7 * 24 * 3600}`,
+                ...(isProduction ? ['Secure'] : []),
+            ].join('; ');
+            const csrfToken = await generateCsrfToken();
+            const csrfCookie = [
+                `actuate_csrf=${csrfToken}`,
+                'Path=/',
+                'SameSite=Lax',
+                'Max-Age=86400',
+                ...(isProduction ? ['Secure'] : []),
+            ].join('; ');
+            const response = new Response(JSON.stringify({
+                data: {
+                    token,
+                    user: { id: user.id, email: user.email, name: user.name, role: user.role },
+                },
+            }), { status: 200, headers: { ...SECURITY_HEADERS } });
+            response.headers.append('Set-Cookie', sessionCookie);
+            response.headers.append('Set-Cookie', csrfCookie);
+            return response;
         }
         catch (err) {
             return internalError(err);
@@ -748,9 +999,25 @@ export function registerCMSRoutes(router) {
             };
             const codeVerifier = generateCodeVerifier();
             const codeChallenge = await generateCodeChallenge(codeVerifier);
-            const state = await generateState(provider, codeVerifier, getAdminPath(), secret);
+            // Generate a one-time nonce, embed it in the signed state, and also set
+            // it on a host-only cookie. The callback will require both to match —
+            // this binds the OAuth flow to the browser that started it and prevents
+            // an attacker from delivering a state token to a victim's browser.
+            const nonce = generateOAuthNonce();
+            const state = await generateState(provider, codeVerifier, getAdminPath(), secret, nonce);
             const url = getAuthorizationUrl(provider, oauthProviders[provider], state, codeChallenge);
-            return json({ data: { url } });
+            const isProduction = process.env.NODE_ENV === 'production';
+            const nonceCookie = [
+                `actuate_oauth_nonce=${nonce}`,
+                'Path=/',
+                'HttpOnly',
+                'SameSite=Lax',
+                'Max-Age=600',
+                ...(isProduction ? ['Secure'] : []),
+            ].join('; ');
+            const response = json({ data: { url } });
+            response.headers.append('Set-Cookie', nonceCookie);
+            return response;
         }
         catch (err) {
             return internalError(err);
@@ -785,31 +1052,39 @@ export function registerCMSRoutes(router) {
                 clientSecret: process.env[`OAUTH_${envPrefix}_CLIENT_SECRET`] ?? '',
                 redirectUri: `${siteUrl}/api/cms/auth/oauth/${provider}/callback`,
             };
-            const result = await handleOAuthCallback(provider, code, stateToken, oauthProviders, secret, db());
-            const cookieFlags = [
+            const cookies = parseCookieHeader(request.headers.get('cookie') ?? '');
+            const expectedNonce = cookies['actuate_oauth_nonce'] ?? null;
+            const cmsConfig = globalThis.__actuateConfig;
+            const allowSelfSignup = cmsConfig?.auth?.oauth?.allowSelfSignup === true;
+            const result = await handleOAuthCallback(provider, code, stateToken, oauthProviders, secret, db(), { expectedNonce, allowSelfSignup });
+            const isProduction = process.env.NODE_ENV === 'production';
+            const sessionCookieFlags = [
                 `actuate_session=${result.token}`,
                 'Path=/',
                 'HttpOnly',
                 'SameSite=Lax',
                 'Max-Age=604800',
             ];
-            if (siteUrl.startsWith('https')) {
-                cookieFlags.push('Secure');
+            if (siteUrl.startsWith('https') || isProduction) {
+                sessionCookieFlags.push('Secure');
             }
-            return new Response(null, {
+            const response = new Response(null, {
                 status: 302,
-                headers: {
-                    Location: getAdminPath(),
-                    'Set-Cookie': cookieFlags.join('; '),
-                },
+                headers: { Location: getAdminPath() },
             });
+            response.headers.append('Set-Cookie', sessionCookieFlags.join('; '));
+            // Clear the one-time nonce cookie regardless of outcome.
+            response.headers.append('Set-Cookie', 'actuate_oauth_nonce=; Path=/; HttpOnly; SameSite=Lax; Max-Age=0');
+            return response;
         }
         catch (err) {
             const message = err instanceof Error ? err.message : 'OAuth callback failed';
-            return new Response(null, {
+            const response = new Response(null, {
                 status: 302,
                 headers: { Location: `${getAdminPath()}?error=${encodeURIComponent(message)}` },
             });
+            response.headers.append('Set-Cookie', 'actuate_oauth_nonce=; Path=/; HttpOnly; SameSite=Lax; Max-Age=0');
+            return response;
         }
     });
     // ---------------------------------------------------------------------------
@@ -862,17 +1137,10 @@ export function registerCMSRoutes(router) {
             if (!doc) {
                 return errorResponse('Document not found', 404);
             }
-            const collectionConfig = globalThis.__actuateConfig?.collections?.[params.slug];
-            const fields = collectionConfig?.fields;
-            if (fields && doc.data && typeof doc.data === 'object') {
-                const user = { id: auth.session.userId, role: auth.session.role };
-                return json({
-                    data: {
-                        ...doc,
-                        data: await applyFieldAccess('read', fields, doc.data, user),
-                    },
-                });
-            }
+            // `getDocument` already lifts `_layout` / `_pageSettings` to the
+            // top-level page builder envelope and strips internal keys from
+            // `data`. Field-level access has been applied as well — we don't
+            // need to re-apply it here.
             return json({ data: doc });
         }
         catch (err) {
@@ -887,7 +1155,7 @@ export function registerCMSRoutes(router) {
             const roleErr = requireRole(auth.session.role, WRITE_ROLES);
             if (roleErr)
                 return roleErr;
-            const body = await request.json();
+            const body = (await request.json());
             const ctx = buildActionContext(auth.session, db());
             const doc = await createDocument(params.slug, body, ctx);
             await logEvent({
@@ -909,7 +1177,7 @@ export function registerCMSRoutes(router) {
             const roleErr = requireRole(auth.session.role, WRITE_ROLES);
             if (roleErr)
                 return roleErr;
-            const body = await request.json();
+            const body = (await request.json());
             const ctx = buildActionContext(auth.session, db());
             const doc = await updateDocument(params.slug, params.id, body, ctx);
             await logEvent({
@@ -984,21 +1252,28 @@ export function registerCMSRoutes(router) {
             return internalError(err);
         }
     });
+    // The /media/presign endpoint returns advisory upload metadata; the actual
+    // upload still goes through /media/upload (which performs validation).
+    // Returning a presigned URL pointing at our own non-presigned endpoint was
+    // misleading, so we deprecated this in favour of just using /media/upload
+    // directly. We keep the route for backward compatibility but it now just
+    // returns a hint to use the upload endpoint.
     router.post('/media/presign', async (request) => {
         try {
             const auth = await requireAuth(request);
             if (auth.error)
                 return auth.error;
-            const body = await request.json();
+            const body = (await request.json());
             if (!body.filename || !body.contentType) {
                 return errorResponse('filename and contentType are required', 400);
             }
-            const storageKey = `actuate/media/${Date.now()}-${body.filename.replace(/[^a-zA-Z0-9._-]/g, '_')}`;
             return json({
                 data: {
-                    storageKey,
-                    uploadUrl: `/api/cms/media/upload`,
-                    fields: { storageKey, contentType: body.contentType },
+                    uploadUrl: '/api/cms/media/upload',
+                    method: 'POST',
+                    field: 'file',
+                    deprecated: true,
+                    message: 'Direct multipart upload to /media/upload is preferred; this endpoint will be removed in a future release.',
                 },
             });
         }
@@ -1007,6 +1282,26 @@ export function registerCMSRoutes(router) {
         }
     });
     const MAX_UPLOAD_BYTES = 50 * 1024 * 1024; // 50 MB
+    /**
+     * Allowlist of accepted upload mime types. Storing a file outside this set
+     * would let an attacker upload e.g. `.html`/`.js` and serve it from the same
+     * origin as the admin (cookie-leaking XSS), or `.svg` with embedded
+     * `<script>` (also XSS). Add to this list deliberately.
+     */
+    const ALLOWED_UPLOAD_MIME_TYPES = [
+        'image/jpeg',
+        'image/png',
+        'image/gif',
+        'image/webp',
+        'image/avif',
+        'image/svg+xml',
+        'application/pdf',
+        'video/mp4',
+        'video/webm',
+        'audio/mpeg',
+        'audio/ogg',
+        'audio/wav',
+    ];
     router.post('/media/upload', async (request) => {
         try {
             const auth = await requireAuth(request);
@@ -1028,7 +1323,21 @@ export function registerCMSRoutes(router) {
             if (originalSize > 50 * 1024 * 1024) {
                 return errorResponse('File exceeds maximum size of 50MB', 413);
             }
+            // 1. Block file types that aren't on our allowlist outright.
+            if (!validateMimeType(contentType, ALLOWED_UPLOAD_MIME_TYPES)) {
+                return errorResponse(`Unsupported file type "${contentType || 'unknown'}". Allowed types: ${ALLOWED_UPLOAD_MIME_TYPES.join(', ')}`, 415);
+            }
             const arrayBuffer = await file.arrayBuffer();
+            // 2. Verify the file's actual bytes match the claimed mime type. Without
+            // this, an attacker can upload a `.exe` with `Content-Type: image/png`
+            // and have it served from our origin.
+            const magicCheck = checkMagicBytes(arrayBuffer, contentType);
+            if (!magicCheck.valid) {
+                return errorResponse(`File contents do not match declared type "${contentType}".`, 415);
+            }
+            // 3. SVGs need an extra pass — even when the mime type is correct, the
+            // XML body can contain `<script>` or event-handler attributes that
+            // execute when an admin previews the file. Sanitize before storing.
             let uploadBuffer;
             let finalFilename = originalFilename;
             let finalMimeType = contentType;
@@ -1037,7 +1346,105 @@ export function registerCMSRoutes(router) {
             let height = null;
             let blurHash = null;
             let savings = 0;
-            if (!skipOptimize && contentType.startsWith('image/')) {
+            if (contentType === 'image/svg+xml') {
+                // Strip <script>, on*, javascript: URLs, foreignObject, etc.
+                const xml = new TextDecoder('utf-8', { fatal: false }).decode(arrayBuffer);
+                const sanitized = sanitizeHtml(xml, {
+                    allowedTags: [
+                        'svg',
+                        'g',
+                        'path',
+                        'circle',
+                        'ellipse',
+                        'line',
+                        'polygon',
+                        'polyline',
+                        'rect',
+                        'text',
+                        'tspan',
+                        'defs',
+                        'use',
+                        'symbol',
+                        'title',
+                        'desc',
+                        'style',
+                        'linearGradient',
+                        'radialGradient',
+                        'stop',
+                        'mask',
+                        'clipPath',
+                        'pattern',
+                        'filter',
+                        'feGaussianBlur',
+                        'feColorMatrix',
+                        'feOffset',
+                        'feBlend',
+                        'feFlood',
+                        'feComposite',
+                        'feMerge',
+                        'feMergeNode',
+                    ],
+                    allowedAttributes: {
+                        '*': [
+                            'id',
+                            'class',
+                            'fill',
+                            'stroke',
+                            'stroke-width',
+                            'stroke-linecap',
+                            'stroke-linejoin',
+                            'opacity',
+                            'transform',
+                            'd',
+                            'cx',
+                            'cy',
+                            'r',
+                            'rx',
+                            'ry',
+                            'x',
+                            'y',
+                            'x1',
+                            'y1',
+                            'x2',
+                            'y2',
+                            'width',
+                            'height',
+                            'viewBox',
+                            'xmlns',
+                            'xmlns:xlink',
+                            'preserveAspectRatio',
+                            'points',
+                            'points',
+                            'offset',
+                            'stop-color',
+                            'stop-opacity',
+                            'gradientUnits',
+                            'gradientTransform',
+                            'href',
+                            'xlink:href',
+                            'fill-rule',
+                            'clip-rule',
+                            'mask',
+                            'clip-path',
+                            'filter',
+                            'patternUnits',
+                            'patternContentUnits',
+                            'in',
+                            'in2',
+                            'result',
+                            'mode',
+                            'values',
+                            'type',
+                            'stdDeviation',
+                            'dx',
+                            'dy',
+                        ],
+                    },
+                });
+                uploadBuffer = Buffer.from(sanitized, 'utf-8');
+                finalSize = uploadBuffer.byteLength;
+            }
+            else if (!skipOptimize && contentType.startsWith('image/')) {
                 const result = await optimizeImage(arrayBuffer, originalFilename, contentType);
                 uploadBuffer = result.buffer;
                 finalFilename = result.filename;
@@ -1054,16 +1461,35 @@ export function registerCMSRoutes(router) {
             const sanitizedName = finalFilename.replace(/[^a-zA-Z0-9._-]/g, '_');
             const storageKey = `actuate/media/${Date.now()}-${sanitizedName}`;
             let publicUrl = '';
-            try {
-                const blob = await importBlobStorage();
-                const result = await blob.put(storageKey, uploadBuffer, {
-                    access: 'public',
-                    contentType: finalMimeType,
-                });
-                publicUrl = result.url;
+            // Prefer the configured platform storage adapter (e.g. platform-vercel,
+            // platform-aws, or a consumer-provided one). Falling through to
+            // @vercel/blob via dynamic import preserves the legacy behavior for
+            // installs that haven't wired up a platform package yet.
+            const { getStorageAdapter } = await import('../storage/index.js');
+            const storage = getStorageAdapter();
+            if (storage) {
+                try {
+                    publicUrl = await storage.upload(storageKey, uploadBuffer, finalMimeType);
+                }
+                catch (err) {
+                    if (process.env.NODE_ENV !== 'test') {
+                        console.error('[Actuate CMS] Storage adapter upload failed:', err);
+                    }
+                    return errorResponse('Storage upload failed', 500);
+                }
             }
-            catch {
-                publicUrl = `/api/cms/media/file/${storageKey}`;
+            else {
+                try {
+                    const blob = await importBlobStorage();
+                    const result = await blob.put(storageKey, uploadBuffer, {
+                        access: 'public',
+                        contentType: finalMimeType,
+                    });
+                    publicUrl = result.url;
+                }
+                catch {
+                    publicUrl = `/api/cms/media/file/${storageKey}`;
+                }
             }
             const media = await db().media.create({
                 data: {
@@ -1151,7 +1577,9 @@ export function registerCMSRoutes(router) {
                 try {
                     await blob.del(media.storageKey);
                 }
-                catch { /* best-effort */ }
+                catch {
+                    /* best-effort */
+                }
             }
             catch {
                 newPublicUrl = `/api/cms/media/file/${newStorageKey}`;
@@ -1195,7 +1623,7 @@ export function registerCMSRoutes(router) {
             const roleErr = requireRole(auth.session.role, WRITE_ROLES);
             if (roleErr)
                 return roleErr;
-            const body = await request.json();
+            const body = (await request.json());
             const updated = await db().media.update({
                 where: { id: params.id },
                 data: {
@@ -1320,7 +1748,7 @@ export function registerCMSRoutes(router) {
             if (!encKey) {
                 return errorResponse('CMS_ENCRYPTION_KEY is required to store encrypted credentials.', 400);
             }
-            const body = await request.json();
+            const body = (await request.json());
             if (body.githubRepo && !/^[a-zA-Z0-9._-]+\/[a-zA-Z0-9._-]+$/.test(body.githubRepo)) {
                 return errorResponse('Invalid repository format. Use owner/repo.', 400);
             }
@@ -1362,7 +1790,7 @@ export function registerCMSRoutes(router) {
             if (!session || session.role !== 'admin') {
                 return errorResponse('Unauthorized — admin only', 403);
             }
-            const body = await request.json();
+            const body = (await request.json());
             if (!body.targetVersion) {
                 return errorResponse('targetVersion is required', 400);
             }
@@ -1427,7 +1855,7 @@ export function registerCMSRoutes(router) {
             if (!(await checkRateLimitAsync(loginLimiter, `setup:${clientIp}`))) {
                 return errorResponse('Too many setup attempts', 429);
             }
-            const body = await request.json();
+            const body = (await request.json());
             if (!body.name || !body.email || !body.password) {
                 return errorResponse('Name, email, and password are required', 400);
             }
@@ -1452,9 +1880,17 @@ export function registerCMSRoutes(router) {
     // Health endpoint -- reports available models and CMS version
     // ---------------------------------------------------------------------------
     const CMS_EXPECTED_MODELS = [
-        'document', 'media', 'user', 'session', 'version',
-        'folder', 'redirect', 'formSubmission', 'auditLog',
-        'webhookEndpoint', 'webhookDeliveryLog',
+        'document',
+        'media',
+        'user',
+        'session',
+        'version',
+        'folder',
+        'redirect',
+        'formSubmission',
+        'auditLog',
+        'webhookEndpoint',
+        'webhookDeliveryLog',
     ];
     router.get('/health', async () => {
         const cmsVersion = globalThis.__actuateCoreVersion ?? '0.0.0';
@@ -1573,8 +2009,12 @@ export function registerCMSRoutes(router) {
                     orderBy: { updatedAt: 'desc' },
                     take: 20,
                     select: {
-                        id: true, title: true, status: true, collection: true,
-                        updatedAt: true, createdById: true,
+                        id: true,
+                        title: true,
+                        status: true,
+                        collection: true,
+                        updatedAt: true,
+                        createdById: true,
                         createdBy: { select: { name: true, email: true } },
                     },
                 }),
@@ -1643,24 +2083,54 @@ export function registerCMSRoutes(router) {
             if (!q)
                 return json({ data: { documents: [], media: [], users: [] } });
             const d = db();
+            // Documents and media are visible to all signed-in users; the user
+            // directory is gated to EDITOR+ so a CLIENT can't enumerate the team
+            // (or harvest emails for spear-phishing).
+            const canSeeUserDirectory = auth.session.role === 'ADMIN' || auth.session.role === 'EDITOR';
             const [documents, media, users] = await Promise.all([
                 safeFindMany(d.document, {
-                    where: { deletedAt: null, OR: [{ title: { contains: q, mode: 'insensitive' } }, { plainText: { contains: q, mode: 'insensitive' } }] },
+                    where: {
+                        deletedAt: null,
+                        OR: [
+                            { title: { contains: q, mode: 'insensitive' } },
+                            { plainText: { contains: q, mode: 'insensitive' } },
+                        ],
+                    },
                     take: 10,
                     orderBy: { updatedAt: 'desc' },
-                    select: { id: true, title: true, slug: true, collection: true, status: true, updatedAt: true },
+                    select: {
+                        id: true,
+                        title: true,
+                        slug: true,
+                        collection: true,
+                        status: true,
+                        updatedAt: true,
+                    },
                 }),
                 safeFindMany(d.media, {
-                    where: { OR: [{ filename: { contains: q, mode: 'insensitive' } }, { altText: { contains: q, mode: 'insensitive' } }] },
+                    where: {
+                        OR: [
+                            { filename: { contains: q, mode: 'insensitive' } },
+                            { altText: { contains: q, mode: 'insensitive' } },
+                        ],
+                    },
                     take: 5,
                     orderBy: { createdAt: 'desc' },
                     select: { id: true, filename: true, altText: true, mimeType: true, storageKey: true },
                 }),
-                safeFindMany(d.user, {
-                    where: { isActive: true, OR: [{ name: { contains: q, mode: 'insensitive' } }, { email: { contains: q, mode: 'insensitive' } }] },
-                    take: 5,
-                    select: { id: true, name: true, email: true, role: true },
-                }),
+                canSeeUserDirectory
+                    ? safeFindMany(d.user, {
+                        where: {
+                            isActive: true,
+                            OR: [
+                                { name: { contains: q, mode: 'insensitive' } },
+                                { email: { contains: q, mode: 'insensitive' } },
+                            ],
+                        },
+                        take: 5,
+                        select: { id: true, name: true, email: true, role: true },
+                    })
+                    : Promise.resolve([]),
             ]);
             return json({ data: { documents, media, users } });
         }
@@ -1729,17 +2199,37 @@ export function registerCMSRoutes(router) {
             const auth = await requireAuth(request);
             if (auth.error)
                 return auth.error;
+            const roleErr = requireRole(auth.session.role, WRITE_ROLES);
+            if (roleErr)
+                return roleErr;
             const d = db();
             const forms = await d.document.findMany({
                 where: { collection: 'forms', deletedAt: null },
                 orderBy: { createdAt: 'desc' },
             });
-            const normalized = await Promise.all(forms.map(async (form) => {
-                const submissions = hasModel(d, 'formSubmission')
-                    ? await d.formSubmission.count({ where: { formId: form.id } })
-                    : 0;
-                return normalizeFormDocument(form, submissions);
-            }));
+            // Single grouped count is far cheaper than N+1 count() per form once
+            // the dashboard grows past a handful of forms. Fall back to per-form
+            // .count() when the consumer's Prisma client doesn't expose groupBy
+            // (older schemas, custom adapters).
+            let submissionCounts = new Map();
+            if (hasModel(d, 'formSubmission') && forms.length > 0) {
+                const ids = forms.map((f) => f.id);
+                if (typeof d.formSubmission.groupBy === 'function') {
+                    const grouped = await d.formSubmission.groupBy({
+                        by: ['formId'],
+                        where: { formId: { in: ids } },
+                        _count: { _all: true },
+                    });
+                    submissionCounts = new Map(grouped.map((g) => [g.formId, g._count._all]));
+                }
+                else {
+                    for (const id of ids) {
+                        const count = await d.formSubmission.count({ where: { formId: id } });
+                        submissionCounts.set(id, count);
+                    }
+                }
+            }
+            const normalized = forms.map((form) => normalizeFormDocument(form, submissionCounts.get(form.id) ?? 0));
             return json({ data: normalized });
         }
         catch (err) {
@@ -1751,6 +2241,9 @@ export function registerCMSRoutes(router) {
             const auth = await requireAuth(request);
             if (auth.error)
                 return auth.error;
+            const roleErr = requireRole(auth.session.role, WRITE_ROLES);
+            if (roleErr)
+                return roleErr;
             const url = new URL(request.url);
             const page = Number(url.searchParams.get('page')) || 1;
             const pageSize = clampPageSize(url.searchParams.get('pageSize'));
@@ -1792,7 +2285,7 @@ export function registerCMSRoutes(router) {
                 return errorResponse('Form not found', 404);
             }
             const formData = (form.data ?? {});
-            const body = await request.json();
+            const body = (await request.json());
             if (!body.fields || typeof body.fields !== 'object') {
                 return errorResponse('Missing or invalid "fields" in request body', 400);
             }
@@ -1812,14 +2305,10 @@ export function registerCMSRoutes(router) {
                     submittedAt: new Date(),
                 },
             });
-            // Fire form hooks asynchronously (email notification, webhooks)
             (async () => {
                 try {
                     const config = globalThis.__actuateConfig;
-                    const hooks = [
-                        ...(config?.plugins?.forms?.hooks ?? []),
-                        ...(config?._pluginHooks ?? []),
-                    ];
+                    const hooks = [...(config?.plugins?.forms?.hooks ?? []), ...(config?._pluginHooks ?? [])];
                     const formHooks = hooks.filter((h) => h.event === 'afterCreate:form-submissions');
                     for (const hook of formHooks) {
                         await hook.handler({ formId, data: body.fields });
@@ -1869,23 +2358,51 @@ export function registerCMSRoutes(router) {
                 return auth.error;
             if (auth.session.role !== 'ADMIN')
                 return errorResponse('Admin access required', 403);
-            const body = await request.json();
+            const body = (await request.json());
             const source = String(body.source ?? body.from ?? '').trim();
             const destination = String(body.destination ?? body.to ?? '').trim();
             const requestedStatus = Number(body.statusCode ?? body.type);
             if (!source || !destination) {
                 return errorResponse('source and destination are required', 400);
             }
-            if (destination.startsWith('http') && !destination.startsWith(process.env.NEXT_PUBLIC_SITE_URL ?? 'https://')) {
+            // Open-redirect defence: relative destinations (`/foo`) are always
+            // allowed; absolute destinations must point at an explicitly trusted
+            // host. We compare on parsed origins (not string `startsWith`) so
+            // `https://attacker.com.example.com` no longer passes a `startsWith`
+            // check on `https://example.com`. Configure the allowlist via
+            // `redirects.allowedExternalHosts` (string[] of hostnames).
+            if (destination.startsWith('http://') || destination.startsWith('https://')) {
+                let destUrl;
                 try {
-                    const destUrl = new URL(destination);
-                    if (!['http:', 'https:'].includes(destUrl.protocol)) {
-                        return errorResponse('Invalid destination URL', 400);
-                    }
+                    destUrl = new URL(destination);
                 }
                 catch {
                     return errorResponse('Invalid destination URL', 400);
                 }
+                if (!['http:', 'https:'].includes(destUrl.protocol)) {
+                    return errorResponse('Invalid destination URL', 400);
+                }
+                const cmsConfig = globalThis.__actuateConfig;
+                const allowed = new Set([
+                    ...(Array.isArray(cmsConfig?.redirects?.allowedExternalHosts)
+                        ? cmsConfig.redirects.allowedExternalHosts.map((h) => h.toLowerCase())
+                        : []),
+                ]);
+                const siteUrl = process.env.NEXT_PUBLIC_SITE_URL;
+                if (siteUrl) {
+                    try {
+                        allowed.add(new URL(siteUrl).hostname.toLowerCase());
+                    }
+                    catch {
+                        /* noop */
+                    }
+                }
+                if (!allowed.has(destUrl.hostname.toLowerCase())) {
+                    return errorResponse('External redirect destinations must be to an allowlisted host. Add the host to `redirects.allowedExternalHosts` in your CMS config.', 400);
+                }
+            }
+            else if (!destination.startsWith('/')) {
+                return errorResponse('Destination must be an absolute URL or a path beginning with /', 400);
             }
             const redirect = await db().redirect.create({
                 data: {
@@ -1946,48 +2463,98 @@ export function registerCMSRoutes(router) {
             const auth = await requireAuth(request);
             if (auth.error)
                 return auth.error;
+            // EDITOR+ only — this endpoint hits arbitrary URLs and can be expensive.
+            const roleErr = requireRole(auth.session.role, WRITE_ROLES);
+            if (roleErr)
+                return roleErr;
+            // Tight rate limit because each call fans out to many outbound requests.
+            const ip = clientIp(request);
+            const rateKey = isResolvedIp(ip)
+                ? `link-health:${ip}`
+                : `link-health-user:${auth.session.userId}`;
+            if (!(await checkRateLimitAsync(linkHealthLimiter, rateKey))) {
+                return errorResponse('Too many link-health scans. Please try again later.', 429);
+            }
+            const MAX_LINKS_PER_PAGE = 50;
+            const MAX_TOTAL_LINKS = 500;
+            const PER_LINK_TIMEOUT_MS = 4000;
+            const CONCURRENCY = 8;
             const docs = await db().document.findMany({
                 where: { deletedAt: null, status: 'PUBLISHED' },
                 select: { id: true, title: true, data: true, collection: true },
             });
-            const linkResults = [];
             const urlRegex = /https?:\/\/[^\s"'<>]+/g;
             const siteUrl = process.env.NEXT_PUBLIC_SITE_URL ?? '';
-            for (const doc of docs) {
+            const queue = [];
+            const seenGlobal = new Set();
+            outer: for (const doc of docs) {
                 const pageTitle = doc.title ?? doc.data?.title ?? doc.id;
                 const content = JSON.stringify(doc.data ?? {});
                 const urls = content.match(urlRegex) ?? [];
-                const seen = new Set();
+                const seenInPage = new Set();
+                let countInPage = 0;
                 for (const url of urls) {
                     const clean = url.replace(/[",;)}\]]+$/, '');
-                    if (seen.has(clean))
+                    if (seenInPage.has(clean))
+                        continue;
+                    seenInPage.add(clean);
+                    if (seenGlobal.has(clean))
                         continue;
-                    seen.add(clean);
-                    const isInternal = siteUrl && clean.startsWith(siteUrl);
+                    seenGlobal.add(clean);
+                    if (countInPage >= MAX_LINKS_PER_PAGE)
+                        break;
+                    if (queue.length >= MAX_TOTAL_LINKS)
+                        break outer;
+                    const isInternal = !!siteUrl && clean.startsWith(siteUrl);
+                    queue.push({ docId: doc.id, pageTitle, clean, isInternal });
+                    countInPage++;
+                }
+            }
+            const linkResults = [];
+            let cursor = 0;
+            const worker = async () => {
+                while (cursor < queue.length) {
+                    const idx = cursor++;
+                    const job = queue[idx];
+                    let status = 0;
                     try {
-                        const resp = await fetch(clean, { method: 'HEAD', redirect: 'manual', signal: AbortSignal.timeout(5000) });
-                        if (resp.status >= 400 || (resp.status >= 300 && resp.status < 400)) {
-                            linkResults.push({
-                                id: `${doc.id}-${linkResults.length}`,
-                                page: pageTitle,
-                                url: clean,
-                                status: resp.status,
-                                type: isInternal ? 'internal' : 'external',
-                            });
+                        // safeFetch rejects private/loopback IPs and disables redirect
+                        // following so 302->internal can't smuggle the scanner past SSRF.
+                        const resp = await safeFetch(job.clean, {
+                            method: 'HEAD',
+                            timeoutMs: PER_LINK_TIMEOUT_MS,
+                        });
+                        status = resp.status;
+                        // Drain the body so the connection can be reused.
+                        try {
+                            await resp.body?.cancel();
+                        }
+                        catch {
+                            /* noop */
                         }
                     }
-                    catch {
+                    catch (err) {
+                        status = err instanceof SsrfBlockedError ? -1 : 0;
+                    }
+                    if (status === -1 || status === 0 || status >= 300) {
                         linkResults.push({
-                            id: `${doc.id}-${linkResults.length}`,
-                            page: pageTitle,
-                            url: clean,
-                            status: 0,
-                            type: isInternal ? 'internal' : 'external',
+                            id: `${job.docId}-${idx}`,
+                            page: job.pageTitle,
+                            url: job.clean,
+                            status: status === -1 ? 0 : status,
+                            type: job.isInternal ? 'internal' : 'external',
                         });
                     }
                 }
-            }
-            return json({ data: linkResults });
+            };
+            await Promise.all(Array.from({ length: Math.min(CONCURRENCY, queue.length) }, worker));
+            return json({
+                data: {
+                    truncated: queue.length >= MAX_TOTAL_LINKS,
+                    checked: queue.length,
+                    issues: linkResults,
+                },
+            });
         }
         catch (err) {
             return internalError(err);
@@ -2003,7 +2570,14 @@ export function registerCMSRoutes(router) {
                 return roleErr;
             const documents = await db().document.findMany({
                 where: { status: 'PUBLISHED', deletedAt: null },
-                select: { id: true, title: true, slug: true, collection: true, data: true, plainText: true },
+                select: {
+                    id: true,
+                    title: true,
+                    slug: true,
+                    collection: true,
+                    data: true,
+                    plainText: true,
+                },
             });
             const issues = [];
             for (const doc of documents) {
@@ -2020,7 +2594,11 @@ export function registerCMSRoutes(router) {
                 const plainText = (doc.plainText ?? '');
                 if (plainText.length > 0 && plainText.length < 300)
                     problems.push('Content is too short (< 300 characters)');
-                const content = typeof data.body === 'string' ? data.body : typeof data.content === 'string' ? data.content : '';
+                const content = typeof data.body === 'string'
+                    ? data.body
+                    : typeof data.content === 'string'
+                        ? data.content
+                        : '';
                 if (content) {
                     const imgMatches = content.match(/<img\b[^>]*>/gi) ?? [];
                     const missingAlt = imgMatches.filter((img) => !img.includes('alt=')).length;
@@ -2030,7 +2608,12 @@ export function registerCMSRoutes(router) {
                         problems.push('No H1 heading found in content');
                 }
                 if (problems.length > 0) {
-                    issues.push({ documentId: doc.id, title: doc.title ?? 'Untitled', slug: doc.slug ?? '', problems });
+                    issues.push({
+                        documentId: doc.id,
+                        title: doc.title ?? 'Untitled',
+                        slug: doc.slug ?? '',
+                        problems,
+                    });
                 }
             }
             const total = documents.length;
@@ -2047,7 +2630,12 @@ export function registerCMSRoutes(router) {
     // ---------------------------------------------------------------------------
     router.get('/seo/analysis/:documentId', async (request, params) => {
         try {
-            const doc = await db().document.findUnique({ where: { id: params.documentId } });
+            const auth = await requireAuth(request);
+            if (auth.error)
+                return auth.error;
+            const doc = await db().document.findFirst({
+                where: { id: params.documentId, deletedAt: null },
+            });
             if (!doc)
                 return errorResponse('Not found', 404);
             const { analyzeContent } = await import('../seo/analysis.js');
@@ -2076,7 +2664,12 @@ export function registerCMSRoutes(router) {
     });
     router.get('/seo/readability/:documentId', async (request, params) => {
         try {
-            const doc = await db().document.findUnique({ where: { id: params.documentId } });
+            const auth = await requireAuth(request);
+            if (auth.error)
+                return auth.error;
+            const doc = await db().document.findFirst({
+                where: { id: params.documentId, deletedAt: null },
+            });
             if (!doc)
                 return errorResponse('Not found', 404);
             const { calculateReadability, stripHtmlTags } = await import('../seo/analysis.js');
@@ -2094,12 +2687,20 @@ export function registerCMSRoutes(router) {
     });
     router.get('/seo/internal-links/:documentId', async (request, params) => {
         try {
-            const doc = await db().document.findUnique({ where: { id: params.documentId } });
+            const auth = await requireAuth(request);
+            if (auth.error)
+                return auth.error;
+            const doc = await db().document.findFirst({
+                where: { id: params.documentId, deletedAt: null },
+            });
             if (!doc)
                 return errorResponse('Not found', 404);
             const data = doc.data || {};
             const title = doc.title || data.title || '';
-            const keywords = title.split(/\s+/).filter((w) => w.length > 3).slice(0, 5);
+            const keywords = title
+                .split(/\s+/)
+                .filter((w) => w.length > 3)
+                .slice(0, 5);
             if (keywords.length === 0) {
                 return new Response(JSON.stringify({ suggestions: [] }), {
                     status: 200,
@@ -2110,6 +2711,7 @@ export function registerCMSRoutes(router) {
                 where: {
                     id: { not: params.documentId },
                     status: 'PUBLISHED',
+                    deletedAt: null,
                     OR: keywords.map((kw) => ({
                         title: { contains: kw, mode: 'insensitive' },
                     })),
@@ -2165,7 +2767,12 @@ export function registerCMSRoutes(router) {
     });
     router.get('/seo/schema/:documentId', async (request, params) => {
         try {
-            const doc = await db().document.findUnique({ where: { id: params.documentId } });
+            const auth = await requireAuth(request);
+            if (auth.error)
+                return auth.error;
+            const doc = await db().document.findFirst({
+                where: { id: params.documentId, deletedAt: null },
+            });
             if (!doc)
                 return errorResponse('Not found', 404);
             const { buildSchemaGraph } = await import('../content/structured-data.js');
@@ -2194,7 +2801,12 @@ export function registerCMSRoutes(router) {
     });
     router.get('/seo/meta/:documentId', async (request, params) => {
         try {
-            const doc = await db().document.findUnique({ where: { id: params.documentId } });
+            const auth = await requireAuth(request);
+            if (auth.error)
+                return auth.error;
+            const doc = await db().document.findFirst({
+                where: { id: params.documentId, deletedAt: null },
+            });
             if (!doc)
                 return errorResponse('Not found', 404);
             const { generateMetaTags } = await import('../seo/meta-tags.js');
@@ -2251,12 +2863,12 @@ export function registerCMSRoutes(router) {
             const auth = await requireAuth(request);
             if (auth.error)
                 return auth.error;
-            const docs = await safeFindMany(db().document, {
+            const docs = (await safeFindMany(db().document, {
                 where: { deletedAt: null, status: 'PUBLISHED' },
                 select: { id: true, title: true, collection: true, data: true, plainText: true },
                 orderBy: { updatedAt: 'desc' },
                 take: 50,
-            });
+            }));
             let missingMetaDescriptions = 0;
             let missingAltText = 0;
             const topContent = [];
@@ -2264,7 +2876,11 @@ export function registerCMSRoutes(router) {
                 const data = doc.data ?? {};
                 if (!data.metaDescription && !data.seoDescription)
                     missingMetaDescriptions++;
-                const content = typeof data.body === 'string' ? data.body : typeof data.content === 'string' ? data.content : '';
+                const content = typeof data.body === 'string'
+                    ? data.body
+                    : typeof data.content === 'string'
+                        ? data.content
+                        : '';
                 if (content) {
                     const imgMatches = content.match(/<img\b[^>]*>/gi) ?? [];
                     const noAlt = imgMatches.filter((img) => !img.includes('alt=')).length;
@@ -2294,7 +2910,11 @@ export function registerCMSRoutes(router) {
                             continue;
                         seen.add(clean);
                         try {
-                            const resp = await fetch(clean, { method: 'HEAD', redirect: 'manual', signal: AbortSignal.timeout(3000) });
+                            const resp = await fetch(clean, {
+                                method: 'HEAD',
+                                redirect: 'manual',
+                                signal: AbortSignal.timeout(3000),
+                            });
                             if (resp.status >= 400)
                                 brokenInternalLinks++;
                         }
@@ -2304,7 +2924,9 @@ export function registerCMSRoutes(router) {
                     }
                 }
             }
-            catch { /* best effort */ }
+            catch {
+                /* best effort */
+            }
             return json({
                 data: {
                     totalPages: docs.length,
@@ -2345,7 +2967,10 @@ export function registerCMSRoutes(router) {
             }
         }
         if (unresolved.size > 0 && layoutConfig.inherit !== false) {
-            const segments = path.replace(/^\/|\/$/g, '').split('/').filter(Boolean);
+            const segments = path
+                .replace(/^\/|\/$/g, '')
+                .split('/')
+                .filter(Boolean);
             const walkDepth = Math.min(segments.length - 1, MAX_RESOLVE_DEPTH);
             for (let i = walkDepth; i > 0 && unresolved.size > 0; i--) {
                 const parentSlug = segments.slice(0, i).join('/');
@@ -2354,10 +2979,7 @@ export function registerCMSRoutes(router) {
                         collection: matchedCollection,
                         deletedAt: null,
                         status: 'PUBLISHED',
-                        OR: [
-                            { data: { path: ['slug'], equals: parentSlug } },
-                            { slug: parentSlug },
-                        ],
+                        OR: [{ data: { path: ['slug'], equals: parentSlug } }, { slug: parentSlug }],
                     },
                     select: { data: true },
                 });
@@ -2414,14 +3036,17 @@ export function registerCMSRoutes(router) {
             if (!pathParam) {
                 return errorResponse('Missing required "path" query parameter', 400);
             }
-            const segments = pathParam.replace(/^\/|\/$/g, '').split('/').filter(Boolean);
+            const segments = pathParam
+                .replace(/^\/|\/$/g, '')
+                .split('/')
+                .filter(Boolean);
             const configCollections = globalThis.__actuateConfig?.collections ?? {};
             const collectionDefs = Object.values(configCollections);
             let matchedCollection = null;
             let docSlug = null;
             if (segments.length === 0) {
                 // Root path — find a page-type collection and look for "home" or "index"
-                const pageCol = collectionDefs.find((c) => c.type === 'page' && !((c.urlPrefix ?? '').replace(/^\/|\/$/g, '')));
+                const pageCol = collectionDefs.find((c) => c.type === 'page' && !(c.urlPrefix ?? '').replace(/^\/|\/$/g, ''));
                 matchedCollection = pageCol?.slug ?? 'pages';
                 docSlug = 'home';
             }
@@ -2467,16 +3092,13 @@ export function registerCMSRoutes(router) {
                             { slug: 'home' },
                             { slug: 'index' },
                         ]
-                        : [
-                            { data: { path: ['slug'], equals: docSlug } },
-                            { slug: docSlug },
-                        ],
+                        : [{ data: { path: ['slug'], equals: docSlug } }, { slug: docSlug }],
                 },
             });
             if (!doc) {
                 return errorResponse('Document not found', 404);
             }
-            const docData = (doc.data && typeof doc.data === 'object') ? doc.data : {};
+            const docData = doc.data && typeof doc.data === 'object' ? doc.data : {};
             const layout = await resolveLayout(pathParam, docData, matchedCollection);
             const { _layout: _omit, ...cleanData } = docData;
             return json({
@@ -2528,9 +3150,20 @@ export function registerCMSRoutes(router) {
             const roleErr = requireRole(auth.session.role, WRITE_ROLES);
             if (roleErr)
                 return roleErr;
-            const body = await request.json();
+            const body = (await request.json());
             if (!body.name || !body.scope)
                 return errorResponse('name and scope are required', 400);
+            // A child folder MUST live in the same scope as its parent — without
+            // this check, a 'documents' folder could be reparented under a 'media'
+            // folder, hiding it from both UIs.
+            if (body.parentId) {
+                const parent = await db().folder.findUnique({ where: { id: body.parentId } });
+                if (!parent)
+                    return errorResponse('Parent folder not found', 404);
+                if (parent.scope !== body.scope) {
+                    return errorResponse('Parent folder is in a different scope', 400);
+                }
+            }
             const folder = await db().folder.create({
                 data: {
                     name: body.name,
@@ -2552,7 +3185,23 @@ export function registerCMSRoutes(router) {
             const roleErr = requireRole(auth.session.role, WRITE_ROLES);
             if (roleErr)
                 return roleErr;
-            const body = await request.json();
+            const body = (await request.json());
+            const existing = await db().folder.findUnique({ where: { id: params.id } });
+            if (!existing)
+                return errorResponse('Folder not found', 404);
+            // Prevent reparenting into a different scope, and prevent making a folder
+            // a descendant of itself (which would create a cycle).
+            if (body.parentId !== undefined && body.parentId !== null) {
+                if (body.parentId === params.id) {
+                    return errorResponse('Folder cannot be its own parent', 400);
+                }
+                const parent = await db().folder.findUnique({ where: { id: body.parentId } });
+                if (!parent)
+                    return errorResponse('Parent folder not found', 404);
+                if (parent.scope !== existing.scope) {
+                    return errorResponse('Parent folder is in a different scope', 400);
+                }
+            }
             const data = {};
             if (body.name !== undefined)
                 data.name = body.name;
@@ -2578,7 +3227,24 @@ export function registerCMSRoutes(router) {
             const roleErr = requireRole(auth.session.role, WRITE_ROLES);
             if (roleErr)
                 return roleErr;
-            await db().folder.delete({ where: { id: params.id } });
+            // We don't cascade-delete the contents — they would silently vanish.
+            // Instead, refuse to delete a folder that still has documents, media,
+            // or sub-folders inside it.
+            const d = db();
+            const folder = await d.folder.findUnique({ where: { id: params.id } });
+            if (!folder)
+                return errorResponse('Folder not found', 404);
+            const [docCount, mediaCount, childCount] = await Promise.all([
+                hasModel(d, 'document')
+                    ? d.document.count({ where: { folderId: params.id, deletedAt: null } })
+                    : 0,
+                hasModel(d, 'media') ? d.media.count({ where: { folderId: params.id } }) : 0,
+                d.folder.count({ where: { parentId: params.id } }),
+            ]);
+            if (docCount + mediaCount + childCount > 0) {
+                return errorResponse(`Folder is not empty (${docCount} documents, ${mediaCount} media, ${childCount} sub-folders). Move or delete its contents first.`, 409);
+            }
+            await d.folder.delete({ where: { id: params.id } });
             return json({ data: { success: true } });
         }
         catch (err) {
@@ -2593,7 +3259,16 @@ export function registerCMSRoutes(router) {
             const roleErr = requireRole(auth.session.role, WRITE_ROLES);
             if (roleErr)
                 return roleErr;
-            const body = await request.json();
+            const body = (await request.json());
+            // Confirm the target folder is in the documents scope before moving in.
+            if (body.folderId) {
+                const target = await db().folder.findUnique({ where: { id: body.folderId } });
+                if (!target)
+                    return errorResponse('Folder not found', 404);
+                if (target.scope !== 'documents' && target.scope !== 'collections') {
+                    return errorResponse('Target folder is not a documents folder', 400);
+                }
+            }
             await db().document.update({
                 where: { id: params.id },
                 data: { folderId: body.folderId ?? null },
@@ -2612,7 +3287,15 @@ export function registerCMSRoutes(router) {
             const roleErr = requireRole(auth.session.role, WRITE_ROLES);
             if (roleErr)
                 return roleErr;
-            const body = await request.json();
+            const body = (await request.json());
+            if (body.folderId) {
+                const target = await db().folder.findUnique({ where: { id: body.folderId } });
+                if (!target)
+                    return errorResponse('Folder not found', 404);
+                if (target.scope !== 'media') {
+                    return errorResponse('Target folder is not a media folder', 400);
+                }
+            }
             await db().media.update({
                 where: { id: params.id },
                 data: { folderId: body.folderId ?? null },
@@ -2631,7 +3314,7 @@ export function registerCMSRoutes(router) {
             const auth = await requireAuth(request);
             if (auth.error)
                 return auth.error;
-            const body = await request.json();
+            const body = (await request.json());
             if (!body.collection || !body.documentId) {
                 return errorResponse('collection and documentId are required', 400);
             }
@@ -2673,7 +3356,7 @@ export function registerCMSRoutes(router) {
             const auth = await requireAuth(request);
             if (auth.error)
                 return auth.error;
-            const body = await request.json();
+            const body = (await request.json());
             if (!body.stage)
                 return errorResponse('Stage is required', 400);
             const { transitionDocument } = await import('../workflow/index.js');
@@ -2700,7 +3383,9 @@ export function registerCMSRoutes(router) {
                 return errorResponse('Document not found', 404);
             const stage = (doc.workflowStage ?? 'DRAFT');
             const transitions = getAvailableTransitions(stage, auth.session.role);
-            return json({ data: { stage, transitions, reviewerId: doc.reviewerId, reviewNote: doc.reviewNote } });
+            return json({
+                data: { stage, transitions, reviewerId: doc.reviewerId, reviewNote: doc.reviewNote },
+            });
         }
         catch (err) {
             return internalError(err);
@@ -2821,17 +3506,17 @@ export function registerCMSRoutes(router) {
             if (!doc) {
                 return errorResponse('Global not found', 404);
             }
+            // Globals routed through `/public/globals/:slug` are by definition
+            // public site data — when no `access.read` is set we default to
+            // allowed. Integrators that want to gate a global must set
+            // `access.read` explicitly (returning `false` for public).
             const readAccess = globalConfig.access?.read;
-            const allowed = readAccess
-                ? await readAccess({ user: null, doc })
-                : false;
+            const allowed = readAccess ? await readAccess({ user: null, doc }) : true;
             if (!allowed) {
                 return errorResponse('Forbidden', 403);
             }
             return json({
-                data: doc.data && typeof doc.data === 'object'
-                    ? doc.data
-                    : {},
+                data: doc.data && typeof doc.data === 'object' ? doc.data : {},
             });
         }
         catch (err) {
@@ -2862,7 +3547,7 @@ export function registerCMSRoutes(router) {
             const roleErr = requireRole(auth.session.role, ADMIN_ROLES);
             if (roleErr)
                 return roleErr;
-            const body = await request.json();
+            const body = (await request.json());
             const ctx = buildActionContext(auth.session, db());
             const global = await updateGlobal(params.slug, body, ctx);
             return json({ data: global });
@@ -2898,7 +3583,7 @@ export function registerCMSRoutes(router) {
             const roleErr = requireRole(auth.session.role, ADMIN_ROLES);
             if (roleErr)
                 return roleErr;
-            const body = await request.json();
+            const body = (await request.json());
             if (!body.url || !body.events?.length) {
                 return errorResponse('url and events are required', 400);
             }
@@ -2930,7 +3615,7 @@ export function registerCMSRoutes(router) {
             const roleErr = requireRole(auth.session.role, ADMIN_ROLES);
             if (roleErr)
                 return roleErr;
-            const body = await request.json();
+            const body = (await request.json());
             const { updateEndpoint } = await import('../webhooks/index.js');
             const updated = await updateEndpoint(params.id, body);
             return json({ data: updated });
@@ -3040,7 +3725,15 @@ export function registerCMSRoutes(router) {
                     bucket.push(tag.code);
                 }
             }
-            return json(grouped);
+            // Public endpoint that fans out to many page renders. Add a short
+            // edge cache so it doesn't become a per-request DB hit.
+            const response = new Response(JSON.stringify(grouped), {
+                status: 200,
+                headers: { ...SECURITY_HEADERS, 'Content-Type': 'application/json' },
+            });
+            response.headers.set('Cache-Control', 'public, max-age=60, s-maxage=60, stale-while-revalidate=300');
+            response.headers.set('Vary', 'path');
+            return response;
         }
         catch (err) {
             return internalError(err, 'script-tags/resolve');
@@ -3077,7 +3770,7 @@ export function registerCMSRoutes(router) {
             const d = db();
             if (!hasModel(d, 'scriptTag'))
                 return modelNotAvailable('ScriptTag');
-            const body = await request.json();
+            const body = (await request.json());
             if (!body.name || !body.code || !body.placement) {
                 return errorResponse('name, code, and placement are required', 400);
             }
@@ -3126,7 +3819,7 @@ export function registerCMSRoutes(router) {
             const existing = await d.scriptTag.findUnique({ where: { id: params.id } });
             if (!existing)
                 return errorResponse('Script tag not found', 404);
-            const body = await request.json();
+            const body = (await request.json());
             const update = {};
             if (body.name !== undefined)
                 update.name = body.name;
@@ -3308,7 +4001,7 @@ export function registerCMSRoutes(router) {
             const d = db();
             if (!hasModel(d, 'pageTemplate'))
                 return modelNotAvailable('PageTemplate');
-            const body = await request.json();
+            const body = (await request.json());
             if (!body.name)
                 return errorResponse('name is required', 400);
             if (!body.tree)
@@ -3359,7 +4052,7 @@ export function registerCMSRoutes(router) {
                 return errorResponse('Template not found', 404);
             if (existing.builtIn)
                 return errorResponse('Cannot update built-in templates', 403);
-            const body = await request.json();
+            const body = (await request.json());
             const update = {};
             if (body.name !== undefined)
                 update.name = body.name;
@@ -3507,7 +4200,7 @@ export function registerCMSRoutes(router) {
             const d = db();
             if (!hasModel(d, 'savedSection'))
                 return modelNotAvailable('SavedSection');
-            const body = await request.json();
+            const body = (await request.json());
             if (!body.name)
                 return errorResponse('name is required', 400);
             if (!body.tree)
@@ -3556,7 +4249,7 @@ export function registerCMSRoutes(router) {
             const existing = await d.savedSection.findUnique({ where: { id: params.id } });
             if (!existing)
                 return errorResponse('Saved section not found', 404);
-            const body = await request.json();
+            const body = (await request.json());
             const update = {};
             if (body.name !== undefined)
                 update.name = body.name;
@@ -3621,6 +4314,11 @@ export function registerCMSRoutes(router) {
         }
     });
     // ─── Page Builder AI Generation ─────────────────────────────────────
+    // Hard caps for AI input to keep token cost bounded and to limit the
+    // surface area for prompt injection. Adjust via the `ai.limits` block in
+    // the CMS config if you want stricter values; never raise past 8k.
+    const AI_PROMPT_MAX_CHARS = 4000;
+    const AI_CONTEXT_MAX_CHARS = 8000;
     router.post('/page-builder/generate', async (request) => {
         try {
             const auth = await requireAuth(request);
@@ -3629,11 +4327,23 @@ export function registerCMSRoutes(router) {
             const roleErr = requireRole(auth.session.role, ADMIN_ROLES);
             if (roleErr)
                 return roleErr;
+            // Per-user rate limit. AI generation is the single most expensive
+            // operation in the CMS — without this, a compromised admin account
+            // can drain a provider key in minutes.
+            if (!(await checkRateLimitAsync(aiGenerateLimiter, `ai-gen:${auth.session.userId}`))) {
+                return errorResponse('AI generation rate limit reached. Try again in an hour.', 429);
+            }
             const body = await request.json();
             const { prompt, template, context, steps, tone } = body;
             if (!prompt || typeof prompt !== 'string') {
                 return errorResponse('prompt is required', 400);
             }
+            if (prompt.length > AI_PROMPT_MAX_CHARS) {
+                return errorResponse(`prompt exceeds ${AI_PROMPT_MAX_CHARS} character limit`, 400);
+            }
+            if (typeof context === 'string' && context.length > AI_CONTEXT_MAX_CHARS) {
+                return errorResponse(`context exceeds ${AI_CONTEXT_MAX_CHARS} character limit`, 400);
+            }
             if (!steps || !Array.isArray(steps) || steps.length === 0) {
                 return errorResponse('steps array is required', 400);
             }
@@ -3646,7 +4356,15 @@ export function registerCMSRoutes(router) {
             await logEvent({
                 event: 'settings_changed',
                 userId: auth.session.userId,
-                details: { action: 'page_generation_started', prompt, steps, template },
+                details: {
+                    action: 'page_generation_started',
+                    // Redact secrets from the prompt before persisting to the audit log.
+                    // Even an admin pasting a key into a prompt by mistake shouldn't
+                    // result in that key being mirrored into permanent storage.
+                    prompt: redactSecrets(prompt).slice(0, 500),
+                    steps,
+                    template,
+                },
             });
             let generatePage = null;
             try {
@@ -3681,11 +4399,21 @@ export function registerCMSRoutes(router) {
             const roleErr = requireRole(auth.session.role, ADMIN_ROLES);
             if (roleErr)
                 return roleErr;
+            if (!(await checkRateLimitAsync(aiGenerateLimiter, `ai-block:${auth.session.userId}`))) {
+                return errorResponse('AI generation rate limit reached. Try again in an hour.', 429);
+            }
             const body = await request.json();
             const { blockType, variant, pageContext, tone } = body;
             if (!blockType || typeof blockType !== 'string') {
                 return errorResponse('blockType is required', 400);
             }
+            // Limit caller-supplied context that flows directly into the prompt.
+            if (pageContext) {
+                const total = JSON.stringify(pageContext).length;
+                if (total > AI_CONTEXT_MAX_CHARS) {
+                    return errorResponse(`pageContext exceeds ${AI_CONTEXT_MAX_CHARS} character limit`, 400);
+                }
+            }
             let generateBlockContent = null;
             try {
                 const aiModule = await importAIPlugin();
@@ -3738,7 +4466,11 @@ export function registerCMSRoutes(router) {
             await logEvent({
                 event: 'settings_changed',
                 userId: auth.session.userId,
-                details: { action: 'a11y_auto_fix', fixedCount: result.report.fixedCount, remainingCount: result.report.remainingCount },
+                details: {
+                    action: 'a11y_auto_fix',
+                    fixedCount: result.report.fixedCount,
+                    remainingCount: result.report.remainingCount,
+                },
             });
             return json({ data: result });
         }