@actuate-media/cms-core 0.11.2 → 0.13.0

package/dist/api/handler-factory.js

@@ -7,6 +7,7 @@ import { createRateLimiter } from '../security/rate-limit.js';
 import { getClientIp } from '../security/client-ip.js';
 import { autoSeedAdmin } from '../setup/index.js';
 import { setStorageAdapter } from '../storage/index.js';
+import { getActuateConfig, setActuateConfig, setActuateCoreVersion } from '../config/runtime.js';
 /**
  * Routes that may legitimately receive a state-mutating request without a
  * CSRF token. Matched by exact prefix on the rewritten (CMS-relative) path,
@@ -22,6 +23,8 @@ import { setStorageAdapter } from '../storage/index.js';
  *   /auth/oauth/...       — OAuth init + callback redirects
  *   /setup/create-admin   — only reachable on a fresh install
  *   /forms/:id/submit     — public form submissions (regex below)
+ *   /cron/...             — Vercel Cron / external schedulers; auth is via
+ *                           Authorization: Bearer ${CRON_SECRET} instead
  */
 const CSRF_EXEMPT_PATHS = [
     '/auth/login',
@@ -31,6 +34,7 @@ const CSRF_EXEMPT_PATHS = [
     '/auth/reset-password',
     '/auth/oauth/',
     '/setup/create-admin',
+    '/cron/',
 ];
 function isCsrfExemptPath(pathname) {
     if (CSRF_EXEMPT_PATHS.some((p) => pathname === p ||
@@ -45,11 +49,13 @@ const _require = createRequire(import.meta.url);
 const { version: CMS_CORE_VERSION } = _require('../../package.json');
 let cachedGraphQL = null;
 export function handleActuateAPI(options = {}) {
-    ;
-    globalThis.__actuateCoreVersion = CMS_CORE_VERSION;
+    setActuateCoreVersion(CMS_CORE_VERSION);
     if (options.config) {
-        ;
-        globalThis.__actuateConfig = options.config;
+        // Cast through `unknown` only to satisfy the typed setter; the public
+        // signature accepts `unknown` deliberately because consumers may have
+        // their own typings. Plugins and downstream code use `getActuateConfig()`
+        // which gives them the ActuateCMSConfig shape.
+        setActuateConfig(options.config);
         const config = options.config;
         const hooks = [];
         if (Array.isArray(config.plugins)) {
@@ -175,7 +181,7 @@ export function handleActuateAPI(options = {}) {
                         });
                     }
                 }
-                const config = globalThis.__actuateConfig;
+                const config = getActuateConfig();
                 if (config) {
                     if (!cachedGraphQL) {
                         const { createGraphQLHandler } = await import('../graphql/index.js');
@@ -193,7 +199,10 @@ export function handleActuateAPI(options = {}) {
                     method: request.method,
                     headers: request.headers,
                     body: request.body,
-                    // @ts-ignore -- duplex is needed for streaming bodies
+                    // @ts-expect-error -- `duplex` is required for streaming bodies but
+                    // not yet in the lib.dom RequestInit type. Using @ts-expect-error
+                    // (vs @ts-ignore) ensures this directive itself fails when a future
+                    // TS lib update adds the property, prompting us to remove the cast.
                     duplex: 'half',
                 });
                 return router.handle(rewrittenRequest);

package/dist/api/handler-factory.js.map

@@ -1 +1 @@
-{"version":3,"file":"handler-factory.js","sourceRoot":"","sources":["../../src/api/handler-factory.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,aAAa,EAAE,MAAM,aAAa,CAAA;AAC3C,OAAO,EAAE,eAAe,EAAE,MAAM,aAAa,CAAA;AAC7C,OAAO,EAAE,iBAAiB,EAAE,iBAAiB,EAAE,MAAM,eAAe,CAAA;AACpE,OAAO,EAAE,MAAM,EAAE,eAAe,EAAE,MAAM,UAAU,CAAA;AAClD,OAAO,EAAE,iBAAiB,EAAE,MAAM,sBAAsB,CAAA;AACxD,OAAO,EAAE,iBAAiB,EAAE,MAAM,2BAA2B,CAAA;AAC7D,OAAO,EAAE,WAAW,EAAE,MAAM,0BAA0B,CAAA;AACtD,OAAO,EAAE,aAAa,EAAE,MAAM,mBAAmB,CAAA;AACjD,OAAO,EAAE,iBAAiB,EAAE,MAAM,qBAAqB,CAAA;AAEvD;;;;;;;;;;;;;;;GAeG;AACH,MAAM,iBAAiB,GAA0B;IAC/C,aAAa;IACb,cAAc;IACd,kBAAkB;IAClB,uBAAuB;IACvB,sBAAsB;IACtB,cAAc;IACd,qBAAqB;CACtB,CAAA;AAED,SAAS,gBAAgB,CAAC,QAAgB;IACxC,IACE,iBAAiB,CAAC,IAAI,CACpB,CAAC,CAAC,EAAE,EAAE,CACJ,QAAQ,KAAK,CAAC;QACd,QAAQ,CAAC,UAAU,CAAC,GAAG,CAAC,GAAG,CAAC;QAC5B,CAAC,CAAC,CAAC,QAAQ,CAAC,GAAG,CAAC,IAAI,QAAQ,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC,CAC9C,EACD,CAAC;QACD,OAAO,IAAI,CAAA;IACb,CAAC;IACD,mCAAmC;IACnC,OAAO,0BAA0B,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAA;AAClD,CAAC;AAED,MAAM,QAAQ,GAAG,aAAa,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAA;AAC/C,MAAM,EAAE,OAAO,EAAE,gBAAgB,EAAE,GAAG,QAAQ,CAAC,oBAAoB,CAAwB,CAAA;AAQ3F,IAAI,aAAa,GAEN,IAAI,CAAA;AAEf,MAAM,UAAU,gBAAgB,CAAC,UAAmC,EAAE;IACpE,CAAC;IAAC,UAAkB,CAAC,oBAAoB,GAAG,gBAAgB,CAAA;IAE5D,IAAI,OAAO,CAAC,MAAM,EAAE,CAAC;QACnB,CAAC;QAAC,UAAkB,CAAC,eAAe,GAAG,OAAO,CAAC,MAAM,CAAA;QAErD,MAAM,MAAM,GAAG,OAAO,CAAC,MAAa,CAAA;QACpC,MAAM,KAAK,GAAU,EAAE,CAAA;QACvB,IAAI,KAAK,CAAC,OAAO,CAAC,MAAM,CAAC,OAAO,CAAC,EAAE,CAAC;YAClC,KAAK,MAAM,MAAM,IAAI,MAAM,CAAC,OAAO,EAAE,CAAC;gBACpC,IAAI,KAAK,CAAC,OAAO,CAAC,MAAM,EAAE,KAAK,CAAC,EAAE,CAAC;oBACjC,KAAK,CAAC,IAAI,CAAC,GAAG,MAAM,CAAC,KAAK,CAAC,CAAA;gBAC7B,CAAC;YACH,CAAC;QACH,CAAC;QACD,CAAC;QAAC,MAAc,CAAC,YAAY,GAAG,KAAK,CAAA;QAErC,uEAAuE;QACvE,qEAAqE;QACrE,qEAAqE;QACrE,qEAAqE;QACrE,MAAM,eAAe,GAAG,MAAM,CAAC,QAAQ,EAAE,OAAO,CAAA;QAChD,IACE,eAAe;YACf,OAAO,eAAe,KAAK,QAAQ;YACnC,OAAQ,eAAuB,CAAC,MAAM,KAAK,UAAU,EACrD,CAAC;YACD,IAAI,CAAC;gBACH,iBAAiB,CAAC,eAAe,CAAC,CAAA;YACpC,CAAC;YAAC,OAAO,GAAG,EAAE,CAAC;gBACb,IAAI,OAAO,CAAC,GAAG,CAAC,QAAQ,KAAK,MAAM,EAAE,CAAC;oBACpC,OAAO,CAAC,IAAI,CAAC,4DAA4D,EAAE,GAAG,CAAC,CAAA;gBACjF,CAAC;YACH,CAAC;QACH,CAAC;IACH,CAAC;IAED,MAAM,MAAM,GAAG,eAAe,EAAE,CAAA;IAEhC,MAAM,WAAW,GAAG,iBAAiB,CAAC,EAAE,QAAQ,EAAE,KAAK,EAAE,WAAW,EAAE,GAAG,EAAE,CAAC,CAAA;IAE5E,MAAM,CAAC,GAAG,CAAC,KAAK,EAAE,OAAO,EAAE,IAAI,EAAE,EAAE;QACjC,yEAAyE;QACzE,yEAAyE;QACzE,uEAAuE;QACvE,oEAAoE;QACpE,MAAM,EAAE,GAAG,WAAW,CAAC,OAAO,CAAC,CAAA;QAC/B,MAAM,MAAM,GAAG,EAAE,KAAK,SAAS,CAAC,CAAC,CAAC,aAAa,CAAC,CAAC,CAAC,MAAM,EAAE,EAAE,CAAA;QAC5D,MAAM,eAAe,GAAG,MAAM,WAAW,CAAC,KAAK,CAAC,MAAM,CAAC,CAAA;QACvD,IAAI,CAAC,eAAe,CAAC,OAAO,EAAE,CAAC;YAC7B,OAAO,IAAI,QAAQ,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,KAAK,EAAE,mBAAmB,EAAE,CAAC,EAAE;gBAClE,MAAM,EAAE,GAAG;gBACX,OAAO,EAAE;oBACP,cAAc,EAAE,kBAAkB;oBAClC,aAAa,EAAE,eAAe,CAAC,UAAU,EAAE,QAAQ,EAAE,IAAI,IAAI;iBAC9D;aACF,CAAC,CAAA;QACJ,CAAC;QAED,IAAI,CAAC,MAAM,EAAE,KAAK,EAAE,OAAO,EAAE,QAAQ,CAAC,CAAC,QAAQ,CAAC,OAAO,CAAC,MAAM,CAAC,EAAE,CAAC;YAChE,mEAAmE;YACnE,mEAAmE;YACnE,mEAAmE;YACnE,IAAI,CAAC,gBAAgB,CAAC,IAAI,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,QAAQ,CAAC,EAAE,CAAC;gBACrD,MAAM,SAAS,GAAG,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,cAAc,CAAC,CAAA;gBACrD,MAAM,UAAU,GAAG,iBAAiB,CAAC,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,QAAQ,CAAC,IAAI,EAAE,CAAC,CAAC,cAAc,CAAC,CAAA;gBACzF,IAAI,CAAC,SAAS,IAAI,CAAC,UAAU,IAAI,CAAC,iBAAiB,CAAC,SAAS,EAAE,UAAU,CAAC,EAAE,CAAC;oBAC3E,OAAO,IAAI,QAAQ,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,KAAK,EAAE,oBAAoB,EAAE,CAAC,EAAE;wBACnE,MAAM,EAAE,GAAG;wBACX,OAAO,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE;qBAChD,CAAC,CAAA;gBACJ,CAAC;YACH,CAAC;QACH,CAAC;QAED,OAAO,IAAI,EAAE,CAAA;IACf,CAAC,CAAC,CAAA;IAEF,iBAAiB,CAAC,MAAM,CAAC,CAAA;IAEzB,IAAI,SAAS,GAAG,KAAK,CAAA;IAErB,OAAO,KAAK,UAAU,OAAO,CAAC,OAAgB;QAC5C,IAAI,CAAC;YACH,IAAI,CAAC,eAAe,EAAE,EAAE,CAAC;gBACvB,MAAM,MAAM,GACV,OAAO,CAAC,YAAY;oBACpB,CAAC,OAAO,CAAC,kBAAkB,CAAC,CAAC,CAAC,MAAM,OAAO,CAAC,kBAAkB,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,CAAA;gBAC1E,IAAI,MAAM,EAAE,CAAC;oBACX,MAAM,CAAC,MAAM,CAAC,CAAA;oBACd,aAAa,CAAC,MAAM,CAAC,CAAC,KAAK,CAAC,GAAG,EAAE,GAAE,CAAC,CAAC,CAAA;gBACvC,CAAC;YACH,CAAC;YAED,IAAI,CAAC,SAAS,EAAE,CAAC;gBACf,SAAS,GAAG,IAAI,CAAA;gBAChB,IAAI,CAAC;oBACH,MAAM,MAAM,GAAG,OAAO,CAAC,YAAmD,CAAA;oBAC1E,IAAI,MAAM,EAAE,CAAC;wBACX,MAAM,QAAQ,GAAG,CAAC,UAAU,EAAE,MAAM,EAAE,SAAS,EAAE,OAAO,CAAC,CAAA;wBACzD,MAAM,OAAO,GAAG,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,CAAC,IAAI,MAAM,CAAC,CAAC,CAAA;wBACtD,IAAI,OAAO,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;4BACvB,OAAO,CAAC,IAAI,CACV,kDAAkD,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI;gCACtE,sEAAsE;gCACtE,+EAA+E,CAClF,CAAA;wBACH,CAAC;oBACH,CAAC;gBACH,CAAC;gBAAC,MAAM,CAAC,CAAA,CAAC;YACZ,CAAC;YAED,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,CAAA;YAChC,MAAM,YAAY,GAAG,GAAG,CAAC,QAAQ,CAAA;YAEjC,IAAI,YAAY,KAAK,kBAAkB,IAAI,YAAY,CAAC,UAAU,CAAC,kBAAkB,CAAC,EAAE,CAAC;gBACvF,MAAM,MAAM,GAAG,OAAO,CAAC,GAAG,CAAC,UAAU,CAAA;gBACrC,IAAI,CAAC,MAAM,IAAI,MAAM,CAAC,MAAM,GAAG,EAAE,EAAE,CAAC;oBAClC,OAAO,IAAI,QAAQ,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,KAAK,EAAE,yBAAyB,EAAE,CAAC,EAAE;wBACxE,MAAM,EAAE,GAAG;wBACX,OAAO,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE;qBAChD,CAAC,CAAA;gBACJ,CAAC;gBAED,MAAM,EAAE,GAAG,WAAW,CAAC,OAAO,CAAC,CAAA;gBAC/B,MAAM,MAAM,GAAG,EAAE,KAAK,SAAS,CAAC,CAAC,CAAC,aAAa,CAAC,CAAC,CAAC,MAAM,EAAE,EAAE,CAAA;gBAC5D,MAAM,eAAe,GAAG,MAAM,WAAW,CAAC,KAAK,CAAC,MAAM,CAAC,CAAA;gBACvD,IAAI,CAAC,eAAe,CAAC,OAAO,EAAE,CAAC;oBAC7B,OAAO,IAAI,QAAQ,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,KAAK,EAAE,mBAAmB,EAAE,CAAC,EAAE;wBAClE,MAAM,EAAE,GAAG;wBACX,OAAO,EAAE;4BACP,cAAc,EAAE,kBAAkB;4BAClC,aAAa,EAAE,eAAe,CAAC,UAAU,EAAE,QAAQ,EAAE,IAAI,IAAI;yBAC9D;qBACF,CAAC,CAAA;gBACJ,CAAC;gBAED,IAAI,CAAC,MAAM,EAAE,KAAK,EAAE,OAAO,EAAE,QAAQ,CAAC,CAAC,QAAQ,CAAC,OAAO,CAAC,MAAM,CAAC,EAAE,CAAC;oBAChE,MAAM,SAAS,GAAG,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,cAAc,CAAC,CAAA;oBACrD,MAAM,UAAU,GAAG,iBAAiB,CAAC,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,QAAQ,CAAC,IAAI,EAAE,CAAC,CAAC,cAAc,CAAC,CAAA;oBACzF,IAAI,CAAC,SAAS,IAAI,CAAC,UAAU,IAAI,CAAC,iBAAiB,CAAC,SAAS,EAAE,UAAU,CAAC,EAAE,CAAC;wBAC3E,OAAO,IAAI,QAAQ,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,KAAK,EAAE,oBAAoB,EAAE,CAAC,EAAE;4BACnE,MAAM,EAAE,GAAG;4BACX,OAAO,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE;yBAChD,CAAC,CAAA;oBACJ,CAAC;gBACH,CAAC;gBAED,MAAM,MAAM,GAAI,UAAkB,CAAC,eAAe,CAAA;gBAClD,IAAI,MAAM,EAAE,CAAC;oBACX,IAAI,CAAC,aAAa,EAAE,CAAC;wBACnB,MAAM,EAAE,oBAAoB,EAAE,GAAG,MAAM,MAAM,CAAC,qBAAqB,CAAC,CAAA;wBACpE,aAAa,GAAG,oBAAoB,CAAC,EAAE,MAAM,EAAE,MAAM,EAAE,CAAC,CAAA;oBAC1D,CAAC;oBACD,OAAO,aAAa,CAAC,MAAM,CAAC,OAAO,CAAC,CAAA;gBACtC,CAAC;YACH,CAAC;YAED,MAAM,SAAS,GAAG,UAAU,CAAA;YAC5B,IAAI,YAAY,CAAC,UAAU,CAAC,SAAS,CAAC,EAAE,CAAC;gBACvC,MAAM,YAAY,GAAG,YAAY,CAAC,KAAK,CAAC,SAAS,CAAC,MAAM,CAAC,IAAI,GAAG,CAAA;gBAChE,MAAM,YAAY,GAAG,IAAI,GAAG,CAAC,YAAY,EAAE,GAAG,CAAC,MAAM,CAAC,CAAA;gBACtD,YAAY,CAAC,MAAM,GAAG,GAAG,CAAC,MAAM,CAAA;gBAEhC,MAAM,gBAAgB,GAAG,IAAI,OAAO,CAAC,YAAY,CAAC,QAAQ,EAAE,EAAE;oBAC5D,MAAM,EAAE,OAAO,CAAC,MAAM;oBACtB,OAAO,EAAE,OAAO,CAAC,OAAO;oBACxB,IAAI,EAAE,OAAO,CAAC,IAAI;oBAClB,sDAAsD;oBACtD,MAAM,EAAE,MAAM;iBACf,CAAC,CAAA;gBAEF,OAAO,MAAM,CAAC,MAAM,CAAC,gBAAgB,CAAC,CAAA;YACxC,CAAC;YAED,OAAO,MAAM,CAAC,MAAM,CAAC,OAAO,CAAC,CAAA;QAC/B,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,MAAM,OAAO,GAAG,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAA;YAChE,MAAM,KAAK,GAAG,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC,CAAC,SAAS,CAAA;YAC1D,OAAO,CAAC,KAAK,CAAC,iDAAiD,OAAO,EAAE,EAAE,KAAK,CAAC,CAAA;YAEhF,MAAM,KAAK,GAAG,OAAO,CAAC,GAAG,CAAC,QAAQ,KAAK,YAAY,CAAA;YACnD,OAAO,IAAI,QAAQ,CACjB,IAAI,CAAC,SAAS,CAAC;gBACb,KAAK,EAAE,oBAAoB;gBAC3B,GAAG,CAAC,KAAK,IAAI,EAAE,MAAM,EAAE,OAAO,EAAE,KAAK,EAAE,CAAC;aACzC,CAAC,EACF;gBACE,MAAM,EAAE,GAAG;gBACX,OAAO,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE;aAChD,CACF,CAAA;QACH,CAAC;IACH,CAAC,CAAA;AACH,CAAC"}
+{"version":3,"file":"handler-factory.js","sourceRoot":"","sources":["../../src/api/handler-factory.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,aAAa,EAAE,MAAM,aAAa,CAAA;AAC3C,OAAO,EAAE,eAAe,EAAE,MAAM,aAAa,CAAA;AAC7C,OAAO,EAAE,iBAAiB,EAAE,iBAAiB,EAAE,MAAM,eAAe,CAAA;AACpE,OAAO,EAAE,MAAM,EAAE,eAAe,EAAE,MAAM,UAAU,CAAA;AAClD,OAAO,EAAE,iBAAiB,EAAE,MAAM,sBAAsB,CAAA;AACxD,OAAO,EAAE,iBAAiB,EAAE,MAAM,2BAA2B,CAAA;AAC7D,OAAO,EAAE,WAAW,EAAE,MAAM,0BAA0B,CAAA;AACtD,OAAO,EAAE,aAAa,EAAE,MAAM,mBAAmB,CAAA;AACjD,OAAO,EAAE,iBAAiB,EAAE,MAAM,qBAAqB,CAAA;AACvD,OAAO,EAAE,gBAAgB,EAAE,gBAAgB,EAAE,qBAAqB,EAAE,MAAM,sBAAsB,CAAA;AAEhG;;;;;;;;;;;;;;;;;GAiBG;AACH,MAAM,iBAAiB,GAA0B;IAC/C,aAAa;IACb,cAAc;IACd,kBAAkB;IAClB,uBAAuB;IACvB,sBAAsB;IACtB,cAAc;IACd,qBAAqB;IACrB,QAAQ;CACT,CAAA;AAED,SAAS,gBAAgB,CAAC,QAAgB;IACxC,IACE,iBAAiB,CAAC,IAAI,CACpB,CAAC,CAAC,EAAE,EAAE,CACJ,QAAQ,KAAK,CAAC;QACd,QAAQ,CAAC,UAAU,CAAC,GAAG,CAAC,GAAG,CAAC;QAC5B,CAAC,CAAC,CAAC,QAAQ,CAAC,GAAG,CAAC,IAAI,QAAQ,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC,CAC9C,EACD,CAAC;QACD,OAAO,IAAI,CAAA;IACb,CAAC;IACD,mCAAmC;IACnC,OAAO,0BAA0B,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAA;AAClD,CAAC;AAED,MAAM,QAAQ,GAAG,aAAa,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAA;AAC/C,MAAM,EAAE,OAAO,EAAE,gBAAgB,EAAE,GAAG,QAAQ,CAAC,oBAAoB,CAAwB,CAAA;AAQ3F,IAAI,aAAa,GAEN,IAAI,CAAA;AAEf,MAAM,UAAU,gBAAgB,CAAC,UAAmC,EAAE;IACpE,qBAAqB,CAAC,gBAAgB,CAAC,CAAA;IAEvC,IAAI,OAAO,CAAC,MAAM,EAAE,CAAC;QACnB,sEAAsE;QACtE,sEAAsE;QACtE,0EAA0E;QAC1E,+CAA+C;QAC/C,gBAAgB,CAAC,OAAO,CAAC,MAAe,CAAC,CAAA;QAEzC,MAAM,MAAM,GAAG,OAAO,CAAC,MAAa,CAAA;QACpC,MAAM,KAAK,GAAU,EAAE,CAAA;QACvB,IAAI,KAAK,CAAC,OAAO,CAAC,MAAM,CAAC,OAAO,CAAC,EAAE,CAAC;YAClC,KAAK,MAAM,MAAM,IAAI,MAAM,CAAC,OAAO,EAAE,CAAC;gBACpC,IAAI,KAAK,CAAC,OAAO,CAAC,MAAM,EAAE,KAAK,CAAC,EAAE,CAAC;oBACjC,KAAK,CAAC,IAAI,CAAC,GAAG,MAAM,CAAC,KAAK,CAAC,CAAA;gBAC7B,CAAC;YACH,CAAC;QACH,CAAC;QACD,CAAC;QAAC,MAAc,CAAC,YAAY,GAAG,KAAK,CAAA;QAErC,uEAAuE;QACvE,qEAAqE;QACrE,qEAAqE;QACrE,qEAAqE;QACrE,MAAM,eAAe,GAAG,MAAM,CAAC,QAAQ,EAAE,OAAO,CAAA;QAChD,IACE,eAAe;YACf,OAAO,eAAe,KAAK,QAAQ;YACnC,OAAQ,eAAuB,CAAC,MAAM,KAAK,UAAU,EACrD,CAAC;YACD,IAAI,CAAC;gBACH,iBAAiB,CAAC,eAAe,CAAC,CAAA;YACpC,CAAC;YAAC,OAAO,GAAG,EAAE,CAAC;gBACb,IAAI,OAAO,CAAC,GAAG,CAAC,QAAQ,KAAK,MAAM,EAAE,CAAC;oBACpC,OAAO,CAAC,IAAI,CAAC,4DAA4D,EAAE,GAAG,CAAC,CAAA;gBACjF,CAAC;YACH,CAAC;QACH,CAAC;IACH,CAAC;IAED,MAAM,MAAM,GAAG,eAAe,EAAE,CAAA;IAEhC,MAAM,WAAW,GAAG,iBAAiB,CAAC,EAAE,QAAQ,EAAE,KAAK,EAAE,WAAW,EAAE,GAAG,EAAE,CAAC,CAAA;IAE5E,MAAM,CAAC,GAAG,CAAC,KAAK,EAAE,OAAO,EAAE,IAAI,EAAE,EAAE;QACjC,yEAAyE;QACzE,yEAAyE;QACzE,uEAAuE;QACvE,oEAAoE;QACpE,MAAM,EAAE,GAAG,WAAW,CAAC,OAAO,CAAC,CAAA;QAC/B,MAAM,MAAM,GAAG,EAAE,KAAK,SAAS,CAAC,CAAC,CAAC,aAAa,CAAC,CAAC,CAAC,MAAM,EAAE,EAAE,CAAA;QAC5D,MAAM,eAAe,GAAG,MAAM,WAAW,CAAC,KAAK,CAAC,MAAM,CAAC,CAAA;QACvD,IAAI,CAAC,eAAe,CAAC,OAAO,EAAE,CAAC;YAC7B,OAAO,IAAI,QAAQ,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,KAAK,EAAE,mBAAmB,EAAE,CAAC,EAAE;gBAClE,MAAM,EAAE,GAAG;gBACX,OAAO,EAAE;oBACP,cAAc,EAAE,kBAAkB;oBAClC,aAAa,EAAE,eAAe,CAAC,UAAU,EAAE,QAAQ,EAAE,IAAI,IAAI;iBAC9D;aACF,CAAC,CAAA;QACJ,CAAC;QAED,IAAI,CAAC,MAAM,EAAE,KAAK,EAAE,OAAO,EAAE,QAAQ,CAAC,CAAC,QAAQ,CAAC,OAAO,CAAC,MAAM,CAAC,EAAE,CAAC;YAChE,mEAAmE;YACnE,mEAAmE;YACnE,mEAAmE;YACnE,IAAI,CAAC,gBAAgB,CAAC,IAAI,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,QAAQ,CAAC,EAAE,CAAC;gBACrD,MAAM,SAAS,GAAG,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,cAAc,CAAC,CAAA;gBACrD,MAAM,UAAU,GAAG,iBAAiB,CAAC,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,QAAQ,CAAC,IAAI,EAAE,CAAC,CAAC,cAAc,CAAC,CAAA;gBACzF,IAAI,CAAC,SAAS,IAAI,CAAC,UAAU,IAAI,CAAC,iBAAiB,CAAC,SAAS,EAAE,UAAU,CAAC,EAAE,CAAC;oBAC3E,OAAO,IAAI,QAAQ,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,KAAK,EAAE,oBAAoB,EAAE,CAAC,EAAE;wBACnE,MAAM,EAAE,GAAG;wBACX,OAAO,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE;qBAChD,CAAC,CAAA;gBACJ,CAAC;YACH,CAAC;QACH,CAAC;QAED,OAAO,IAAI,EAAE,CAAA;IACf,CAAC,CAAC,CAAA;IAEF,iBAAiB,CAAC,MAAM,CAAC,CAAA;IAEzB,IAAI,SAAS,GAAG,KAAK,CAAA;IAErB,OAAO,KAAK,UAAU,OAAO,CAAC,OAAgB;QAC5C,IAAI,CAAC;YACH,IAAI,CAAC,eAAe,EAAE,EAAE,CAAC;gBACvB,MAAM,MAAM,GACV,OAAO,CAAC,YAAY;oBACpB,CAAC,OAAO,CAAC,kBAAkB,CAAC,CAAC,CAAC,MAAM,OAAO,CAAC,kBAAkB,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,CAAA;gBAC1E,IAAI,MAAM,EAAE,CAAC;oBACX,MAAM,CAAC,MAAM,CAAC,CAAA;oBACd,aAAa,CAAC,MAAM,CAAC,CAAC,KAAK,CAAC,GAAG,EAAE,GAAE,CAAC,CAAC,CAAA;gBACvC,CAAC;YACH,CAAC;YAED,IAAI,CAAC,SAAS,EAAE,CAAC;gBACf,SAAS,GAAG,IAAI,CAAA;gBAChB,IAAI,CAAC;oBACH,MAAM,MAAM,GAAG,OAAO,CAAC,YAAmD,CAAA;oBAC1E,IAAI,MAAM,EAAE,CAAC;wBACX,MAAM,QAAQ,GAAG,CAAC,UAAU,EAAE,MAAM,EAAE,SAAS,EAAE,OAAO,CAAC,CAAA;wBACzD,MAAM,OAAO,GAAG,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,CAAC,IAAI,MAAM,CAAC,CAAC,CAAA;wBACtD,IAAI,OAAO,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;4BACvB,OAAO,CAAC,IAAI,CACV,kDAAkD,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI;gCACtE,sEAAsE;gCACtE,+EAA+E,CAClF,CAAA;wBACH,CAAC;oBACH,CAAC;gBACH,CAAC;gBAAC,MAAM,CAAC,CAAA,CAAC;YACZ,CAAC;YAED,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,CAAA;YAChC,MAAM,YAAY,GAAG,GAAG,CAAC,QAAQ,CAAA;YAEjC,IAAI,YAAY,KAAK,kBAAkB,IAAI,YAAY,CAAC,UAAU,CAAC,kBAAkB,CAAC,EAAE,CAAC;gBACvF,MAAM,MAAM,GAAG,OAAO,CAAC,GAAG,CAAC,UAAU,CAAA;gBACrC,IAAI,CAAC,MAAM,IAAI,MAAM,CAAC,MAAM,GAAG,EAAE,EAAE,CAAC;oBAClC,OAAO,IAAI,QAAQ,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,KAAK,EAAE,yBAAyB,EAAE,CAAC,EAAE;wBACxE,MAAM,EAAE,GAAG;wBACX,OAAO,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE;qBAChD,CAAC,CAAA;gBACJ,CAAC;gBAED,MAAM,EAAE,GAAG,WAAW,CAAC,OAAO,CAAC,CAAA;gBAC/B,MAAM,MAAM,GAAG,EAAE,KAAK,SAAS,CAAC,CAAC,CAAC,aAAa,CAAC,CAAC,CAAC,MAAM,EAAE,EAAE,CAAA;gBAC5D,MAAM,eAAe,GAAG,MAAM,WAAW,CAAC,KAAK,CAAC,MAAM,CAAC,CAAA;gBACvD,IAAI,CAAC,eAAe,CAAC,OAAO,EAAE,CAAC;oBAC7B,OAAO,IAAI,QAAQ,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,KAAK,EAAE,mBAAmB,EAAE,CAAC,EAAE;wBAClE,MAAM,EAAE,GAAG;wBACX,OAAO,EAAE;4BACP,cAAc,EAAE,kBAAkB;4BAClC,aAAa,EAAE,eAAe,CAAC,UAAU,EAAE,QAAQ,EAAE,IAAI,IAAI;yBAC9D;qBACF,CAAC,CAAA;gBACJ,CAAC;gBAED,IAAI,CAAC,MAAM,EAAE,KAAK,EAAE,OAAO,EAAE,QAAQ,CAAC,CAAC,QAAQ,CAAC,OAAO,CAAC,MAAM,CAAC,EAAE,CAAC;oBAChE,MAAM,SAAS,GAAG,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,cAAc,CAAC,CAAA;oBACrD,MAAM,UAAU,GAAG,iBAAiB,CAAC,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,QAAQ,CAAC,IAAI,EAAE,CAAC,CAAC,cAAc,CAAC,CAAA;oBACzF,IAAI,CAAC,SAAS,IAAI,CAAC,UAAU,IAAI,CAAC,iBAAiB,CAAC,SAAS,EAAE,UAAU,CAAC,EAAE,CAAC;wBAC3E,OAAO,IAAI,QAAQ,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,KAAK,EAAE,oBAAoB,EAAE,CAAC,EAAE;4BACnE,MAAM,EAAE,GAAG;4BACX,OAAO,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE;yBAChD,CAAC,CAAA;oBACJ,CAAC;gBACH,CAAC;gBAED,MAAM,MAAM,GAAG,gBAAgB,EAAE,CAAA;gBACjC,IAAI,MAAM,EAAE,CAAC;oBACX,IAAI,CAAC,aAAa,EAAE,CAAC;wBACnB,MAAM,EAAE,oBAAoB,EAAE,GAAG,MAAM,MAAM,CAAC,qBAAqB,CAAC,CAAA;wBACpE,aAAa,GAAG,oBAAoB,CAAC,EAAE,MAAM,EAAE,MAAM,EAAE,CAAC,CAAA;oBAC1D,CAAC;oBACD,OAAO,aAAa,CAAC,MAAM,CAAC,OAAO,CAAC,CAAA;gBACtC,CAAC;YACH,CAAC;YAED,MAAM,SAAS,GAAG,UAAU,CAAA;YAC5B,IAAI,YAAY,CAAC,UAAU,CAAC,SAAS,CAAC,EAAE,CAAC;gBACvC,MAAM,YAAY,GAAG,YAAY,CAAC,KAAK,CAAC,SAAS,CAAC,MAAM,CAAC,IAAI,GAAG,CAAA;gBAChE,MAAM,YAAY,GAAG,IAAI,GAAG,CAAC,YAAY,EAAE,GAAG,CAAC,MAAM,CAAC,CAAA;gBACtD,YAAY,CAAC,MAAM,GAAG,GAAG,CAAC,MAAM,CAAA;gBAEhC,MAAM,gBAAgB,GAAG,IAAI,OAAO,CAAC,YAAY,CAAC,QAAQ,EAAE,EAAE;oBAC5D,MAAM,EAAE,OAAO,CAAC,MAAM;oBACtB,OAAO,EAAE,OAAO,CAAC,OAAO;oBACxB,IAAI,EAAE,OAAO,CAAC,IAAI;oBAClB,oEAAoE;oBACpE,kEAAkE;oBAClE,oEAAoE;oBACpE,oEAAoE;oBACpE,MAAM,EAAE,MAAM;iBACf,CAAC,CAAA;gBAEF,OAAO,MAAM,CAAC,MAAM,CAAC,gBAAgB,CAAC,CAAA;YACxC,CAAC;YAED,OAAO,MAAM,CAAC,MAAM,CAAC,OAAO,CAAC,CAAA;QAC/B,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,MAAM,OAAO,GAAG,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAA;YAChE,MAAM,KAAK,GAAG,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC,CAAC,SAAS,CAAA;YAC1D,OAAO,CAAC,KAAK,CAAC,iDAAiD,OAAO,EAAE,EAAE,KAAK,CAAC,CAAA;YAEhF,MAAM,KAAK,GAAG,OAAO,CAAC,GAAG,CAAC,QAAQ,KAAK,YAAY,CAAA;YACnD,OAAO,IAAI,QAAQ,CACjB,IAAI,CAAC,SAAS,CAAC;gBACb,KAAK,EAAE,oBAAoB;gBAC3B,GAAG,CAAC,KAAK,IAAI,EAAE,MAAM,EAAE,OAAO,EAAE,KAAK,EAAE,CAAC;aACzC,CAAC,EACF;gBACE,MAAM,EAAE,GAAG;gBACX,OAAO,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE;aAChD,CACF,CAAA;QACH,CAAC;IACH,CAAC,CAAA;AACH,CAAC"}

package/dist/api/handlers.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"handlers.d.ts","sourceRoot":"","sources":["../../src/api/handlers.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,aAAa,CAAA;AAwW5C,wBAAgB,iBAAiB,CAAC,YAAY,EAAE,MAAM,GAAG,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAS9E;AAkKD,wBAAgB,iBAAiB,CAAC,MAAM,EAAE,SAAS,GAAG,IAAI,CAi1IzD"}
+{"version":3,"file":"handlers.d.ts","sourceRoot":"","sources":["../../src/api/handlers.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,aAAa,CAAA;AAyW5C,wBAAgB,iBAAiB,CAAC,YAAY,EAAE,MAAM,GAAG,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAS9E;AAgKD,wBAAgB,iBAAiB,CAAC,MAAM,EAAE,SAAS,GAAG,IAAI,CAy+IzD"}

package/dist/api/handlers.js

@@ -1,5 +1,5 @@
 import { listDocuments, getDocument, createDocument, updateDocument, deleteDocument, getGlobal, updateGlobal, } from '../actions.js';
-import { verifyPassword } from '../auth/password.js';
+import { verifyPassword, hashPassword, needsRehash, compareToDummyHash } from '../auth/password.js';
 import { createSession, verifySession, revokeSession } from '../auth/session.js';
 import { createPasswordReset, executePasswordReset } from '../auth/reset.js';
 import { checkSetupRequired, createInitialAdmin } from '../setup/index.js';
@@ -12,6 +12,7 @@ import { logEvent } from '../security/audit.js';
 import { applyFieldAccess } from '../security/access.js';
 import { createPreviewAdapter } from '../preview/index.js';
 import { schedulingCronHandler } from '../scheduling/index.js';
+import { isAuthorizedCronRequest, processCleanup, processSeoScan } from '../cron/index.js';
 import { verifyCaptcha, getCaptchaConfig } from '../security/captcha.js';
 import { checkForUpdates } from '../upgrade/version-check.js';
 import { createUpgradePR } from '../upgrade/upgrade-pr.js';
@@ -30,6 +31,8 @@ import { enforceSessionLimits } from '../security/session-limits.js';
 import { verifyReauth } from '../security/reauth.js';
 import { validateMimeType, checkMagicBytes } from '../security/upload.js';
 import { sanitizeHtml } from '../security/sanitize.js';
+import { getActuateConfig, getActuateCoreVersion } from '../config/runtime.js';
+import { validateEnvShape } from '../diagnostics/env.js';
 // Opaque dynamic import so Turbopack/webpack won't statically analyze the specifier.
 // Returns { put, del, ... } from @vercel/blob when available.
 async function importBlobStorage() {
@@ -243,9 +246,7 @@ const ALLOWED_SORT_FIELDS = new Set([
 let _secretMissing = false;
 let _secretWarningLogged = false;
 function getSessionSecret() {
-    const secret = process.env.CMS_SECRET ??
-        process.env.CMS_SESSION_SECRET ??
-        globalThis.__actuateConfig?.secret;
+    const secret = process.env.CMS_SECRET ?? process.env.CMS_SESSION_SECRET ?? getActuateConfig()?.secret;
     if (!secret) {
         _secretMissing = true;
         if (!_secretWarningLogged) {
@@ -416,9 +417,9 @@ const MAX_CONCURRENT_SESSIONS = 5;
 async function enforceSessionLimitsForUser(d, userId) {
     if (!hasModel(d, 'session'))
         return;
-    const config = globalThis.__actuateConfig?.auth ?? {};
-    const max = typeof config.maxConcurrentSessions === 'number' && config.maxConcurrentSessions > 0
-        ? config.maxConcurrentSessions
+    const auth = getActuateConfig()?.auth;
+    const max = typeof auth?.maxConcurrentSessions === 'number' && auth.maxConcurrentSessions > 0
+        ? auth.maxConcurrentSessions
         : MAX_CONCURRENT_SESSIONS;
     const active = await d.session.findMany({
         where: { userId, revokedAt: null, expiresAt: { gt: new Date() } },
@@ -433,7 +434,7 @@ async function enforceSessionLimitsForUser(d, userId) {
     }
 }
 function getAdminPath() {
-    return (process.env.ACTUATE_ADMIN_PATH ?? globalThis.__actuateConfig?.admin?.path ?? '/admin');
+    return process.env.ACTUATE_ADMIN_PATH ?? getActuateConfig()?.admin?.path ?? '/admin';
 }
 class ModelNotAvailableError extends Error {
     model;
@@ -504,7 +505,7 @@ export function registerCMSRoutes(router) {
     // OpenAPI spec
     // ---------------------------------------------------------------------------
     router.get('/openapi.json', async () => {
-        const config = globalThis.__actuateConfig;
+        const config = getActuateConfig();
         if (!config)
             return errorResponse('CMS not configured', 500);
         const spec = generateOpenAPISpec(config);
@@ -563,10 +564,18 @@ export function registerCMSRoutes(router) {
             const user = await d.user.findFirst({
                 where: { email: email.toLowerCase().trim() },
             });
+            // User-enumeration timing defense (H5): when the email doesn't exist,
+            // OR when the account is OAuth-only (no passwordHash), still spend
+            // the same ~100-200ms running PBKDF2 against a dummy hash before
+            // returning the error. Without this, attackers can distinguish
+            // "no such user" / "OAuth-only" / "wrong password" by the response
+            // delta, enabling targeted phishing & credential stuffing.
             if (!user) {
+                await compareToDummyHash(password);
                 return errorResponse('Invalid email or password', 401);
             }
             if (!user.passwordHash) {
+                await compareToDummyHash(password);
                 return errorResponse('This account uses social login. Please sign in with your OAuth provider.', 400);
             }
             const passwordValid = await verifyPassword(password, user.passwordHash);
@@ -582,6 +591,20 @@ export function registerCMSRoutes(router) {
             if (!user.isActive) {
                 return errorResponse('Account is deactivated', 403);
             }
+            // H6: opportunistically upgrade stored hashes that use weaker
+            // PBKDF2 parameters than the current policy. We have the plaintext
+            // here (and we know it's correct) — re-hash and persist. Wrapped in
+            // try/catch so a transient DB failure never fails an otherwise-valid
+            // login; the user gets in, the upgrade just runs again next time.
+            if (needsRehash(user.passwordHash)) {
+                try {
+                    const upgraded = await hashPassword(password);
+                    await d.user.update({ where: { id: user.id }, data: { passwordHash: upgraded } });
+                }
+                catch (err) {
+                    console.warn('[actuate][login] password rehash skipped:', err instanceof Error ? err.message : err);
+                }
+            }
             if (user.totpEnabled) {
                 // Hand back an opaque short-lived token instead of the raw userId.
                 // The /auth/totp/login endpoint will verify both this token and a
@@ -673,7 +696,7 @@ export function registerCMSRoutes(router) {
             if (!hasModel(d, 'user'))
                 return modelNotAvailable('user');
             const siteUrl = process.env.NEXT_PUBLIC_SITE_URL ?? new URL(request.url).origin;
-            const cmsConfig = globalThis.__actuateConfig;
+            const cmsConfig = getActuateConfig();
             await createPasswordReset(d, email.toLowerCase().trim(), {
                 siteUrl,
                 platform: cmsConfig?.platform,
@@ -1054,7 +1077,7 @@ export function registerCMSRoutes(router) {
             };
             const cookies = parseCookieHeader(request.headers.get('cookie') ?? '');
             const expectedNonce = cookies['actuate_oauth_nonce'] ?? null;
-            const cmsConfig = globalThis.__actuateConfig;
+            const cmsConfig = getActuateConfig();
             const allowSelfSignup = cmsConfig?.auth?.oauth?.allowSelfSignup === true;
             const result = await handleOAuthCallback(provider, code, stateToken, oauthProviders, secret, db(), { expectedNonce, allowSelfSignup });
             const isProduction = process.env.NODE_ENV === 'production';
@@ -1107,7 +1130,7 @@ export function registerCMSRoutes(router) {
                 locale: url.searchParams.get('locale') ?? undefined,
                 folderId: url.searchParams.get('folderId') ?? undefined,
             }, ctx);
-            const collectionConfig = globalThis.__actuateConfig?.collections?.[params.slug];
+            const collectionConfig = getActuateConfig()?.collections?.[params.slug];
             const fields = collectionConfig?.fields;
             if (fields && result.docs.length > 0) {
                 const user = { id: auth.session.userId, role: auth.session.role };
@@ -1307,7 +1330,21 @@ export function registerCMSRoutes(router) {
             const auth = await requireAuth(request);
             if (auth.error)
                 return auth.error;
-            const contentLength = parseInt(request.headers.get('content-length') ?? '0', 10);
+            // Reject *before* buffering the body. We require a valid content-length
+            // header so that chunked / no-length requests (which would otherwise
+            // bypass this gate and allow `request.formData()` to buffer unbounded
+            // memory) are rejected up front. The multipart envelope is always
+            // larger than the underlying file, so checking against MAX_UPLOAD_BYTES
+            // here is a safe upper bound — a 50 MB file cannot fit inside a 50 MB
+            // request body.
+            const contentLengthHeader = request.headers.get('content-length');
+            if (!contentLengthHeader) {
+                return errorResponse('Content-Length header is required for uploads (chunked encoding is not supported)', 411);
+            }
+            const contentLength = parseInt(contentLengthHeader, 10);
+            if (!Number.isFinite(contentLength) || contentLength <= 0) {
+                return errorResponse('Invalid Content-Length header', 400);
+            }
             if (contentLength > MAX_UPLOAD_BYTES) {
                 return errorResponse('File exceeds maximum size of 50MB', 413);
             }
@@ -1320,7 +1357,11 @@ export function registerCMSRoutes(router) {
             const originalFilename = file.name;
             const contentType = file.type;
             const originalSize = file.size;
-            if (originalSize > 50 * 1024 * 1024) {
+            // Belt-and-braces: even with the header check above, re-validate the
+            // *actual* file size after parsing in case the multipart envelope
+            // disagreed with the header. This must come BEFORE any further
+            // processing (magic byte read, SVG sanitization, blob upload).
+            if (originalSize > MAX_UPLOAD_BYTES) {
                 return errorResponse('File exceeds maximum size of 50MB', 413);
             }
             // 1. Block file types that aren't on our allowlist outright.
@@ -1705,7 +1746,7 @@ export function registerCMSRoutes(router) {
             const session = await extractSession(request);
             if (!session)
                 return errorResponse('Unauthorized', 401);
-            const coreVersion = globalThis.__actuateCoreVersion ?? '0.1.0';
+            const coreVersion = getActuateCoreVersion() ?? '0.1.0';
             const info = await checkForUpdates(coreVersion);
             const saved = await getUpdateConfig();
             return json({
@@ -1808,7 +1849,7 @@ export function registerCMSRoutes(router) {
             if (!owner || !repo) {
                 return errorResponse('GitHub repository not configured. Go to Settings > Updates to add one.', 400);
             }
-            const coreVersion = globalThis.__actuateCoreVersion ?? '0.1.0';
+            const coreVersion = getActuateCoreVersion() ?? '0.1.0';
             const result = await createUpgradePR({
                 owner,
                 repo,
@@ -1893,8 +1934,43 @@ export function registerCMSRoutes(router) {
         'webhookDeliveryLog',
     ];
     router.get('/health', async () => {
-        const cmsVersion = globalThis.__actuateCoreVersion ?? '0.0.0';
+        const cmsVersion = getActuateCoreVersion() ?? '0.0.0';
         const models = {};
+        // M6: validate the *shape* of every well-known env var, not just presence.
+        // A 31-char CMS_SECRET or a placeholder CMS_ENCRYPTION_KEY now reports as
+        // a hard error here instead of crashing at the first runtime use.
+        //
+        // Bugbot review (PR #43): CMS_SECRET has *three* legitimate sources —
+        // `process.env.CMS_SECRET`, the legacy `process.env.CMS_SESSION_SECRET`,
+        // and `getActuateConfig()?.secret` (config-file path documented in the
+        // missing-secret warning message itself). `getSessionSecret()` checks all
+        // three; `isSecretMissing()` consequently returns false when any of them
+        // is set. If `validateEnvShape()` only inspected `process.env.CMS_SECRET`,
+        // a config-file deploy would get `secretConfigured: true` AND
+        // `status: "unhealthy"` simultaneously — a contradiction that would trip
+        // monitoring / load-balancer health probes for no real fault. We pass a
+        // wrapped `EnvSource` so the validator sees what the runtime would
+        // actually resolve.
+        const env = validateEnvShape({
+            get(name) {
+                if (name === 'CMS_SECRET') {
+                    return (process.env.CMS_SECRET ?? process.env.CMS_SESSION_SECRET ?? getActuateConfig()?.secret);
+                }
+                return process.env[name];
+            },
+        });
+        // Derive overall status from env validation + model availability + DB
+        // connection. `env.errorCount > 0` outranks every model/DB issue because
+        // it represents a *deployment* misconfig the operator must fix before any
+        // request will succeed — pretending the deploy is "degraded" when secrets
+        // are malformed defeats the M6 goal of catching that at /health time.
+        function deriveStatus(dbConnected, allModelsAvailable) {
+            if (env.errorCount > 0)
+                return 'unhealthy';
+            if (allModelsAvailable && dbConnected)
+                return 'healthy';
+            return 'degraded';
+        }
         let d;
         try {
             d = db();
@@ -1904,9 +1980,10 @@ export function registerCMSRoutes(router) {
                 models[m] = false;
             return json({
                 data: {
-                    status: 'degraded',
+                    status: deriveStatus(false, false),
                     version: cmsVersion,
                     secretConfigured: !isSecretMissing(),
+                    env,
                     models,
                     databaseConnected: false,
                 },
@@ -1932,11 +2009,13 @@ export function registerCMSRoutes(router) {
             }
         }
         const allAvailable = Object.values(models).every(Boolean);
+        const status = deriveStatus(dbConnected, allAvailable);
         return json({
             data: {
-                status: allAvailable ? 'healthy' : 'degraded',
+                status,
                 version: cmsVersion,
                 secretConfigured: !isSecretMissing(),
+                env,
                 models,
                 databaseConnected: dbConnected,
             },
@@ -2307,9 +2386,9 @@ export function registerCMSRoutes(router) {
             });
             (async () => {
                 try {
-                    const config = globalThis.__actuateConfig;
-                    const hooks = [...(config?.plugins?.forms?.hooks ?? []), ...(config?._pluginHooks ?? [])];
-                    const formHooks = hooks.filter((h) => h.event === 'afterCreate:form-submissions');
+                    const config = getActuateConfig();
+                    const hooks = (config?._pluginHooks ?? []);
+                    const formHooks = hooks.filter((h) => h?.event === 'afterCreate:form-submissions');
                     for (const hook of formHooks) {
                         await hook.handler({ formId, data: body.fields });
                     }
@@ -2382,7 +2461,7 @@ export function registerCMSRoutes(router) {
                 if (!['http:', 'https:'].includes(destUrl.protocol)) {
                     return errorResponse('Invalid destination URL', 400);
                 }
-                const cmsConfig = globalThis.__actuateConfig;
+                const cmsConfig = getActuateConfig();
                 const allowed = new Set([
                     ...(Array.isArray(cmsConfig?.redirects?.allowedExternalHosts)
                         ? cmsConfig.redirects.allowedExternalHosts.map((h) => h.toLowerCase())
@@ -2944,7 +3023,7 @@ export function registerCMSRoutes(router) {
     // ---------------------------------------------------------------------------
     const MAX_RESOLVE_DEPTH = 10;
     async function resolveLayout(path, docData, matchedCollection) {
-        const config = globalThis.__actuateConfig;
+        const config = getActuateConfig();
         const layoutConfig = config?.layout;
         if (!layoutConfig?.regions)
             return {};
@@ -3040,7 +3119,7 @@ export function registerCMSRoutes(router) {
                 .replace(/^\/|\/$/g, '')
                 .split('/')
                 .filter(Boolean);
-            const configCollections = globalThis.__actuateConfig?.collections ?? {};
+            const configCollections = getActuateConfig()?.collections ?? {};
             const collectionDefs = Object.values(configCollections);
             let matchedCollection = null;
             let docSlug = null;
@@ -3472,6 +3551,66 @@ export function registerCMSRoutes(router) {
             return internalError(err, 'scheduling run');
         }
     });
+    // ---------------------------------------------------------------------------
+    // Cron endpoints — auth via `Authorization: Bearer ${CRON_SECRET}`.
+    //
+    // **HTTP method:** registered as GET because Vercel Cron sends GET requests
+    // (https://vercel.com/docs/cron-jobs). We also register POST aliases so
+    // self-hosted schedulers that POST (k8s CronJob, GH Actions step running
+    // `curl -X POST`, EventBridge HTTP target) keep working without changes.
+    //
+    // Vercel Cron sets the `Authorization: Bearer <CRON_SECRET>` header
+    // automatically when `CRON_SECRET` is defined in the project environment.
+    // When CRON_SECRET is unset, requests are rejected — fail-closed so a
+    // misconfigured deploy never exposes these to the public.
+    //
+    // CSRF is NOT required: these endpoints have no session and the body carries
+    // no admin intent — auth is exclusively via the Bearer token. They are also
+    // listed in `CSRF_EXEMPT_PATHS` in handler-factory.ts so the global CSRF
+    // gate doesn't block them.
+    // ---------------------------------------------------------------------------
+    const cronPublish = async (request) => {
+        try {
+            if (!isAuthorizedCronRequest(request.headers.get('authorization'))) {
+                return errorResponse('Unauthorized', 401);
+            }
+            const result = await schedulingCronHandler(db());
+            return json({ data: result });
+        }
+        catch (err) {
+            return internalError(err, 'cron publish');
+        }
+    };
+    router.get('/cron/publish', cronPublish);
+    router.post('/cron/publish', cronPublish);
+    const cronCleanup = async (request) => {
+        try {
+            if (!isAuthorizedCronRequest(request.headers.get('authorization'))) {
+                return errorResponse('Unauthorized', 401);
+            }
+            const result = await processCleanup(db());
+            return json({ data: result });
+        }
+        catch (err) {
+            return internalError(err, 'cron cleanup');
+        }
+    };
+    router.get('/cron/cleanup', cronCleanup);
+    router.post('/cron/cleanup', cronCleanup);
+    const cronSeoScan = async (request) => {
+        try {
+            if (!isAuthorizedCronRequest(request.headers.get('authorization'))) {
+                return errorResponse('Unauthorized', 401);
+            }
+            const result = await processSeoScan(db());
+            return json({ data: result });
+        }
+        catch (err) {
+            return internalError(err, 'cron seo-scan');
+        }
+    };
+    router.get('/cron/seo-scan', cronSeoScan);
+    router.post('/cron/seo-scan', cronSeoScan);
     router.get('/scheduling/calendar', async (request) => {
         try {
             const auth = await requireAuth(request);
@@ -3496,7 +3635,7 @@ export function registerCMSRoutes(router) {
     router.get('/public/globals/:slug', async (_request, params) => {
         try {
             const slug = params.slug;
-            const globalConfig = globalThis.__actuateConfig?.globals?.[slug];
+            const globalConfig = getActuateConfig()?.globals?.[slug];
             if (!globalConfig) {
                 return errorResponse('Global not found', 404);
             }