@edge-base/server 0.1.5 → 0.2.1

package/src/durable-objects/database-live-do.ts

@@ -573,11 +573,13 @@ export class DatabaseLiveDO extends DurableObject<DOEnv> {
           if (!canRead) continue;
 
           let shouldSend = true;
-          if (change.data && (meta.channelFilters.size > 0 || meta.channelOrFilters.size > 0)) {
+          if (meta.channelFilters.size > 0 || meta.channelOrFilters.size > 0) {
             const filters = meta.channelFilters.get(batch.channel) || [];
             const orFilters = meta.channelOrFilters.get(batch.channel) || [];
             if (filters.length > 0 || orFilters.length > 0) {
-              shouldSend = evaluateDatabaseLiveFilters(change.data as Record<string, unknown>, filters, orFilters);
+              shouldSend = change.data
+                ? evaluateDatabaseLiveFilters(change.data as Record<string, unknown>, filters, orFilters)
+                : true; // DELETE events (null data) pass filters
             }
           }
 
@@ -608,11 +610,13 @@ export class DatabaseLiveDO extends DurableObject<DOEnv> {
         if (!canRead) continue;
 
         let shouldSend = true;
-        if (change.data && (meta.channelFilters.size > 0 || meta.channelOrFilters.size > 0)) {
+        if (meta.channelFilters.size > 0 || meta.channelOrFilters.size > 0) {
           const filters = meta.channelFilters.get(batch.channel) || [];
           const orFilters = meta.channelOrFilters.get(batch.channel) || [];
           if (filters.length > 0 || orFilters.length > 0) {
-            shouldSend = evaluateDatabaseLiveFilters(change.data as Record<string, unknown>, filters, orFilters);
+            shouldSend = change.data
+              ? evaluateDatabaseLiveFilters(change.data as Record<string, unknown>, filters, orFilters)
+              : true; // DELETE events (null data) pass filters
           }
         }
 
@@ -727,11 +731,13 @@ export class DatabaseLiveDO extends DurableObject<DOEnv> {
       if (!canRead) continue;
 
       let shouldSend = true;
-      if (eventData && (meta.channelFilters.size > 0 || meta.channelOrFilters.size > 0) && msgChannel) {
+      if ((meta.channelFilters.size > 0 || meta.channelOrFilters.size > 0) && msgChannel) {
         const filters = meta.channelFilters.get(msgChannel) || [];
         const orFilters = meta.channelOrFilters.get(msgChannel) || [];
         if (filters.length > 0 || orFilters.length > 0) {
-          shouldSend = evaluateDatabaseLiveFilters(eventData, filters, orFilters);
+          shouldSend = eventData
+            ? evaluateDatabaseLiveFilters(eventData, filters, orFilters)
+            : true; // DELETE events (null data) pass filters
         }
       }
 
@@ -820,11 +826,14 @@ export class DatabaseLiveDO extends DurableObject<DOEnv> {
       const result = await Promise.race([
         Promise.resolve(rule(authCtx as Record<string, unknown> | null, row)),
         new Promise<never>((_, reject) =>
-          setTimeout(() => reject(new Error('Database live row access timeout')), 50),
+          setTimeout(() => reject(new Error('Database live row access timeout')), 500),
         ),
       ]);
       return Boolean(result);
-    } catch {
+    } catch (e) {
+      if (e instanceof Error && e.message.includes('timeout')) {
+        console.warn('DatabaseLive: row access rule timed out after 500ms');
+      }
       return false;
     }
   }
@@ -848,11 +857,14 @@ export class DatabaseLiveDO extends DurableObject<DOEnv> {
       const result = await Promise.race([
         Promise.resolve(tableRules(authCtx as Record<string, unknown> | null, {})),
         new Promise<never>((_, reject) =>
-          setTimeout(() => reject(new Error('Database live channel access timeout')), 50),
+          setTimeout(() => reject(new Error('Database live channel access timeout')), 500),
         ),
       ]);
       return Boolean(result);
-    } catch {
+    } catch (e) {
+      if (e instanceof Error && e.message.includes('timeout')) {
+        console.warn('DatabaseLive: channel access rule timed out after 500ms');
+      }
       return false;
     }
   }

package/src/durable-objects/logs-do.ts

@@ -484,10 +484,10 @@ export class LogsDO extends DurableObject<LogsDOEnv> {
         whereParts.push('status >= ?');
         params.push(SERVER_ERROR_STATUS);
       } else if (level === 'warn') {
-        whereParts.push('status >= ? AND status < ?');
+        whereParts.push('(status >= ? AND status < ? AND status != 304)');
         params.push(300, SERVER_ERROR_STATUS);
       } else if (level === 'info') {
-        whereParts.push('status >= ? AND status < ?');
+        whereParts.push('(status >= ? AND status < ? OR status = 304)');
         params.push(200, 300);
       }
 

package/src/durable-objects/rooms-do.ts

@@ -115,6 +115,7 @@ const DEFAULT_MEMBER_RECONNECT_TIMEOUT_MS = 30000;
 const SIGNAL_DENIED = Symbol('rooms.signal.denied');
 const MEDIA_DENIED = Symbol('rooms.media.denied');
 const WEBSOCKET_OPEN = 1;
+const CLOUDFLARE_REALTIME_KIT_MEETING_STORAGE_KEY = 'cloudflareRealtimeKitMeetingId';
 
 function computeStateDelta(
   previous: Record<string, unknown>,
@@ -146,10 +147,16 @@ export class RoomsDO extends RoomRuntimeBaseDO {
   private readonly memberRoles = new Map<string, string>();
   private readonly memberMediaStates = new Map<string, RoomMemberMediaState>();
   private readonly memberRealtimeSessions = new Map<string, RoomMemberRealtimeSession>();
+  private cloudflareRealtimeKitMeetingId: string | null = null;
+  private cloudflareRealtimeKitMeetingIdPromise: Promise<string> | null = null;
 
   override async fetch(request: Request): Promise<Response> {
     const url = new URL(request.url);
 
+    if (url.pathname === '/media/cloudflare_realtimekit/session' && request.method === 'POST') {
+      return this.handleCloudflareRealtimeKitSessionCreate(request, url);
+    }
+
     if (url.pathname === '/media/realtime/session') {
       if (request.method === 'POST') return this.handleRealtimeSessionCreate(request, url);
       if (request.method === 'GET') return this.handleRealtimeSessionGet(request, url);
@@ -175,6 +182,53 @@ export class RoomsDO extends RoomRuntimeBaseDO {
     return super.fetch(request);
   }
 
+  private async handleCloudflareRealtimeKitSessionCreate(request: Request, url: URL): Promise<Response> {
+    try {
+      const body = await this.readJsonBody<{
+        connectionId?: string;
+        customParticipantId?: string;
+        name?: string;
+        picture?: string;
+      }>(request);
+      const { memberId, connectionId, meta } = await this.authenticateRealtimeRequest(
+        request,
+        url,
+        typeof body.connectionId === 'string' ? body.connectionId : undefined,
+      );
+      if (this.hasPublishedTracks(memberId)) {
+        return this.jsonResponse(409, {
+          code: 409,
+          message: 'Unpublish existing room media before creating a new Cloudflare RealtimeKit session',
+        });
+      }
+
+      const config = this.getCloudflareRealtimeKitConfig();
+      const meetingId = await this.ensureCloudflareRealtimeKitMeetingId(config);
+      const participant = await this.createCloudflareRealtimeKitParticipant(config, meetingId, {
+        customParticipantId: this.buildCloudflareRealtimeKitParticipantId(memberId, body.customParticipantId),
+        name: typeof body.name === 'string' && body.name.trim()
+          ? body.name.trim()
+          : meta.auth?.email ?? meta.userId ?? memberId,
+        picture: typeof body.picture === 'string' && body.picture.trim() ? body.picture.trim() : undefined,
+      });
+
+      return this.jsonResponse(200, {
+        sessionId: participant.id,
+        meetingId,
+        participantId: participant.id,
+        authToken: participant.token,
+        presetName: participant.presetName ?? config.presetName,
+        connectionId,
+        reused: false,
+      });
+    } catch (err) {
+      return this.jsonResponse(400, {
+        code: 400,
+        message: err instanceof Error ? err.message : 'Failed to create Cloudflare RealtimeKit session',
+      });
+    }
+  }
+
   private async handleRealtimeSessionCreate(request: Request, url: URL): Promise<Response> {
     try {
       const body = await this.readJsonBody<{
@@ -422,6 +476,154 @@ export class RoomsDO extends RoomRuntimeBaseDO {
     return createCloudflareRealtimeClient(this.env as unknown as Env);
   }
 
+  private getCloudflareRealtimeKitConfig(): {
+    accountId: string;
+    apiToken: string;
+    appId: string;
+    presetName: string;
+  } {
+    const env = this.env as unknown as Env;
+    const accountId = env.CF_ACCOUNT_ID?.trim();
+    const apiToken = env.CF_API_TOKEN?.trim();
+    const appId = env.CF_REALTIME_APP_ID?.trim();
+    const presetName = env.CF_REALTIME_PRESET_NAME?.trim() || 'group_call_participant';
+
+    if (!accountId || !apiToken || !appId) {
+      throw new Error(
+        'Cloudflare Realtime is not configured. Set CF_ACCOUNT_ID, CF_API_TOKEN, and CF_REALTIME_APP_ID.',
+      );
+    }
+
+    return { accountId, apiToken, appId, presetName };
+  }
+
+  private buildCloudflareRealtimeKitParticipantId(memberId: string, provided?: string): string {
+    const trimmed = typeof provided === 'string' ? provided.trim() : '';
+    if (trimmed) {
+      return trimmed;
+    }
+
+    return [
+      this.namespace ?? 'room',
+      this.roomId ?? 'unknown',
+      memberId,
+      Date.now().toString(36),
+    ].join(':');
+  }
+
+  private async ensureCloudflareRealtimeKitMeetingId(config: {
+    accountId: string;
+    apiToken: string;
+    appId: string;
+  }): Promise<string> {
+    if (this.cloudflareRealtimeKitMeetingId) {
+      return this.cloudflareRealtimeKitMeetingId;
+    }
+
+    if (this.cloudflareRealtimeKitMeetingIdPromise) {
+      return this.cloudflareRealtimeKitMeetingIdPromise;
+    }
+
+    this.cloudflareRealtimeKitMeetingIdPromise = (async () => {
+      const storedMeetingId = await this.ctx.storage.get<string>(CLOUDFLARE_REALTIME_KIT_MEETING_STORAGE_KEY);
+      if (storedMeetingId) {
+        this.cloudflareRealtimeKitMeetingId = storedMeetingId;
+        return storedMeetingId;
+      }
+
+      const response = await fetch(
+        `https://api.cloudflare.com/client/v4/accounts/${encodeURIComponent(config.accountId)}`
+          + `/realtime/kit/${encodeURIComponent(config.appId)}/meetings`,
+        {
+          method: 'POST',
+          headers: {
+            Authorization: `Bearer ${config.apiToken}`,
+            'Content-Type': 'application/json',
+          },
+          body: JSON.stringify({
+            title: `${this.namespace ?? 'room'}::${this.roomId ?? 'unknown'}`,
+          }),
+        },
+      );
+      const data = await this.parseCloudflareApiEnvelope<{ id: string }>(response);
+      this.cloudflareRealtimeKitMeetingId = data.id;
+      await this.ctx.storage.put(CLOUDFLARE_REALTIME_KIT_MEETING_STORAGE_KEY, data.id);
+      return data.id;
+    })();
+
+    try {
+      return await this.cloudflareRealtimeKitMeetingIdPromise;
+    } finally {
+      this.cloudflareRealtimeKitMeetingIdPromise = null;
+    }
+  }
+
+  private async createCloudflareRealtimeKitParticipant(
+    config: {
+      accountId: string;
+      apiToken: string;
+      appId: string;
+      presetName: string;
+    },
+    meetingId: string,
+    payload: {
+      customParticipantId: string;
+      name?: string;
+      picture?: string;
+    },
+  ): Promise<{ id: string; token: string; presetName?: string }> {
+    const response = await fetch(
+      `https://api.cloudflare.com/client/v4/accounts/${encodeURIComponent(config.accountId)}`
+        + `/realtime/kit/${encodeURIComponent(config.appId)}`
+        + `/meetings/${encodeURIComponent(meetingId)}/participants`,
+      {
+        method: 'POST',
+        headers: {
+          Authorization: `Bearer ${config.apiToken}`,
+          'Content-Type': 'application/json',
+        },
+        body: JSON.stringify({
+          custom_participant_id: payload.customParticipantId,
+          preset_name: config.presetName,
+          name: payload.name,
+          picture: payload.picture,
+        }),
+      },
+    );
+
+    const data = await this.parseCloudflareApiEnvelope<{
+      id: string;
+      token: string;
+      preset_name?: string;
+    }>(response);
+
+    return {
+      id: data.id,
+      token: data.token,
+      presetName: data.preset_name,
+    };
+  }
+
+  private async parseCloudflareApiEnvelope<T>(response: Response): Promise<T> {
+    const payload = (await response.json().catch(() => ({}))) as {
+      success?: boolean;
+      errors?: Array<{ message?: string }>;
+      messages?: Array<{ message?: string }>;
+      result?: T;
+      data?: T;
+    };
+
+    if (!response.ok || payload.success === false) {
+      const message =
+        payload.errors?.find((entry) => typeof entry.message === 'string')?.message
+        ?? payload.messages?.find((entry) => typeof entry.message === 'string')?.message
+        ?? `Cloudflare API request failed (${response.status})`;
+      throw new Error(message);
+    }
+
+    return (payload.data ?? payload.result ?? {}) as T;
+  }
+
   private async authenticateRealtimeRequest(
     request: Request,
     url: URL,

package/src/lib/auth-d1-service.ts

@@ -194,7 +194,7 @@ export async function updateUser(
     'email', 'passwordHash', 'displayName', 'avatarUrl', 'emailVisibility',
     'role', 'status', 'verified', 'isAnonymous', 'locale', 'metadata', 'appMetadata',
     'customClaims', 'phone', 'phoneVerified', 'disabled', 'bannedUntil',
-    'lastSignInAt', 'updatedAt',
+    'lastSignInAt', 'lastSignedInAt', 'updatedAt',
   ]);
 
   const sets: string[] = [];

package/src/lib/auth-d1.ts

@@ -125,6 +125,7 @@ CREATE TABLE IF NOT EXISTS _users (
   disabled INTEGER DEFAULT 0,
   status TEXT DEFAULT 'active',
   locale TEXT DEFAULT 'en',
+  lastSignedInAt TEXT,
   createdAt TEXT NOT NULL,
   updatedAt TEXT NOT NULL
 );
@@ -309,6 +310,7 @@ CREATE TABLE IF NOT EXISTS _users (
   disabled INTEGER DEFAULT 0,
   status TEXT DEFAULT 'active',
   locale TEXT DEFAULT 'en',
+  lastSignedInAt TEXT,
   createdAt TEXT NOT NULL,
   updatedAt TEXT NOT NULL
 );
@@ -403,6 +405,14 @@ export async function ensureAuthSchema(db: AuthDb): Promise<void> {
     .filter((s) => s.length > 0);
 
   await db.batch(statements.map((sql) => ({ sql })));
+
+  // Migrate existing _users tables: add lastSignedInAt if missing
+  try {
+    await db.run('ALTER TABLE _users ADD COLUMN lastSignedInAt TEXT', []);
+  } catch {
+    // Column already exists — safe to ignore
+  }
+
   schemaInitialized = true;
 }
 

package/src/lib/d1-handler.ts

@@ -399,8 +399,27 @@ async function handleList(
   }
 
   const queryOpts = parseQueryParams(Object.fromEntries(new URL(c.req.url).searchParams));
-  const { sql, params, countSql, countParams } = buildListQuery(tableName, queryOpts, 'sqlite');
-  const result = await executeD1Query(resolved.db, sql, params);
+  let query = buildListQuery(tableName, queryOpts, 'sqlite');
+  let result;
+  try {
+    result = await executeD1Query(resolved.db, query.sql, query.params);
+  } catch {
+    // FTS table may not exist — fall back to substring search
+    if (queryOpts.search) {
+      const searchFields = tableConfig.schema ? Object.keys(tableConfig.schema).filter(k => tableConfig.schema![k] !== false) : ['id'];
+      query = buildSubstringSearchQuery(tableName, queryOpts.search, {
+        pagination: queryOpts.pagination,
+        filters: queryOpts.filters,
+        orFilters: queryOpts.orFilters,
+        sort: queryOpts.sort,
+        fields: searchFields,
+      }, 'sqlite');
+      result = await executeD1Query(resolved.db, query.sql, query.params);
+    } else {
+      throw new Error('Query failed');
+    }
+  }
+  const { countSql, countParams } = query;
 
   // Apply read rules per row + normalize booleans/JSON
   let items = result.rows.map(r => normalizeRow(stripInternalFields(r), tableConfig));
@@ -435,7 +454,7 @@ async function handleList(
     total = Number(countResult.rows[0]?.total ?? 0);
   }
 
-  const perPage = queryOpts.pagination?.limit ?? queryOpts.pagination?.perPage ?? 20;
+  const perPage = queryOpts.pagination?.limit ?? queryOpts.pagination?.perPage ?? 100;
   const page = queryOpts.pagination?.page ?? 1;
   // Always include cursor/hasMore like DO does — clients can start cursor pagination from any page
   const hasMore = items.length === perPage;
@@ -497,7 +516,7 @@ async function handleSearch(
 
   let items: Record<string, unknown>[];
   let total = 0;
-  const limit = queryOpts.pagination?.limit ?? queryOpts.pagination?.perPage ?? 20;
+  const limit = queryOpts.pagination?.limit ?? queryOpts.pagination?.perPage ?? 100;
   const offset = queryOpts.pagination?.offset ?? ((queryOpts.pagination?.page ?? 1) - 1) * limit;
   const searchQuery = buildSearchQuery(tableName, searchTerm, {
     pagination: queryOpts.pagination,

package/src/lib/internal-request.ts

@@ -2,17 +2,14 @@ import type { Context } from 'hono';
 import type { HonoEnv } from './hono.js';
 import type { Env } from '../types.js';
 
-export function isTrustedInternalRequestUrl(url: string): boolean {
-  try {
-    const host = new URL(url).host;
-    return host === 'internal' || host === 'do';
-  } catch {
-    return false;
-  }
+export function isTrustedInternalRequestUrl(_url: string): boolean {
+  // Requests are only trusted when the runtime marks them internal via context.
+  // URL hosts (including 'do' / 'internal') can be spoofed in self-hosted or proxy setups.
+  return false;
 }
 
 export function isTrustedInternalContext(c: Pick<Context<HonoEnv>, 'get' | 'req'>): boolean {
-  return c.get('isInternalRequest' as never) === true || isTrustedInternalRequestUrl(c.req.url);
+  return c.get('isInternalRequest' as never) === true;
 }
 
 export function buildInternalHandlerContext(options: {

package/src/lib/openapi.ts

@@ -49,6 +49,7 @@ const USER_BEARER_PATHS = new Set([
 
 const USER_BEARER_PREFIXES = [
   '/api/room/media/realtime/',
+  '/api/room/media/cloudflare_realtimekit/',
 ];
 
 const SERVICE_KEY_ONLY_PATHS = new Set([

package/src/lib/pagination.ts

@@ -1,7 +1,7 @@
 /**
  * Pagination parameter validation.
  *
- * Clamps limit to 1..100 (default 20) and offset to ≥0 (default 0).
+ * Clamps limit to 1..1000 (default 100) and offset to ≥0 (default 0).
  * Handles NaN, negative, and absurdly large values safely.
  */
 
@@ -9,8 +9,8 @@ export function parsePagination(
   limitParam: string | undefined,
   offsetParam: string | undefined,
 ): { limit: number; offset: number } {
-  const rawLimit = parseInt(limitParam || '20', 10);
-  const limit = Number.isFinite(rawLimit) && rawLimit > 0 ? Math.min(rawLimit, 100) : 20;
+  const rawLimit = parseInt(limitParam || '100', 10);
+  const limit = Number.isFinite(rawLimit) && rawLimit > 0 ? Math.min(rawLimit, 1000) : 100;
 
   const rawOffset = parseInt(offsetParam || '0', 10);
   const offset = Number.isFinite(rawOffset) && rawOffset >= 0 ? rawOffset : 0;

package/src/lib/postgres-handler.ts

@@ -365,7 +365,7 @@ async function handleList(
     total = Number(countResult.rows[0]?.total ?? 0);
   }
 
-  const perPage = queryOpts.pagination?.limit ?? queryOpts.pagination?.perPage ?? 20;
+  const perPage = queryOpts.pagination?.limit ?? queryOpts.pagination?.perPage ?? 100;
   const page = queryOpts.pagination?.page ?? 1;
   const hasMore = queryOpts.pagination?.after || queryOpts.pagination?.before
     ? items.length >= perPage
@@ -428,7 +428,7 @@ async function handleSearch(
   const ftsFields = tableConfig.fts?.length
     ? tableConfig.fts
     : getTextFields(tableConfig);
-  const limit = queryOpts.pagination?.limit ?? queryOpts.pagination?.perPage ?? 20;
+  const limit = queryOpts.pagination?.limit ?? queryOpts.pagination?.perPage ?? 100;
   const offset = queryOpts.pagination?.offset ?? ((queryOpts.pagination?.page ?? 1) - 1) * limit;
   const searchQuery = buildSearchQuery(tableName, searchTerm, {
     pagination: queryOpts.pagination,

package/src/lib/query-engine.ts

@@ -657,10 +657,10 @@ function buildLimitClause(
   const _bt = bt ?? new BindTracker('sqlite');
 
   if (!pagination) {
-    return { limitClause: `LIMIT ${_bt.next()}`, limitParams: [20] }; // Default limit
+    return { limitClause: `LIMIT ${_bt.next()}`, limitParams: [100] }; // Default limit
   }
 
-  const limit = pagination.limit ?? pagination.perPage ?? 20;
+  const limit = Math.min(pagination.limit ?? pagination.perPage ?? 100, 1000);
 
   // Cursor-based: no offset
   if (pagination.after || pagination.before) {

package/src/middleware/rate-limit.ts

@@ -50,17 +50,17 @@ export const RATE_LIMIT_DEFAULTS: Record<string, { requests: number; windowSec:
   events:      { requests: 100,        windowSec: 60 },
 };
 
-// Dev mode defaults: 10x higher to accommodate React strict mode double-rendering,
-// hot-reload page refreshes, and onSnapshot polling during development.
+// Dev mode defaults: significantly higher to accommodate React strict mode double-rendering,
+// hot-reload page refreshes, onSnapshot polling, and multi-client testing during development.
 export const RATE_LIMIT_DEV_DEFAULTS: Record<string, { requests: number; windowSec: number }> = {
   global:      { requests: 10_000_000, windowSec: 60 },
-  db:          { requests: 1000,       windowSec: 60 },
-  storage:     { requests: 500,        windowSec: 60 },
-  functions:   { requests: 500,        windowSec: 60 },
-  auth:        { requests: 300,        windowSec: 60 },
+  db:          { requests: 5000,       windowSec: 60 },
+  storage:     { requests: 1000,       windowSec: 60 },
+  functions:   { requests: 1000,       windowSec: 60 },
+  auth:        { requests: 500,        windowSec: 60 },
   authSignin:  { requests: 100,        windowSec: 60 },
   authSignup:  { requests: 100,        windowSec: 60 },
-  events:      { requests: 1000,       windowSec: 60 },
+  events:      { requests: 5000,       windowSec: 60 },
 };
 
 // ─── Window parser ───
@@ -256,7 +256,7 @@ export const rateLimitMiddleware: MiddlewareHandler<HonoEnv> = async (c, next) =
   if (!counter.check(counterKey, requests, windowSec)) {
     c.header('Retry-After', String(counter.getRetryAfter(counterKey)));
     return c.json(
-      { code: 429, message: 'Too many requests. Please try again later.' },
+      { code: 429, message: 'Too many requests. Please try again later.', group },
       429,
     );
   }
@@ -268,7 +268,7 @@ export const rateLimitMiddleware: MiddlewareHandler<HonoEnv> = async (c, next) =
     if (!success) {
       c.header('Retry-After', '60');
       return c.json(
-        { code: 429, message: 'Too many requests. Please try again later.' },
+        { code: 429, message: 'Too many requests. Please try again later.', group },
         429,
       );
     }
@@ -282,7 +282,7 @@ export const rateLimitMiddleware: MiddlewareHandler<HonoEnv> = async (c, next) =
     if (!counter.check(globalKey, globalLimit.requests, globalLimit.windowSec)) {
       c.header('Retry-After', String(counter.getRetryAfter(globalKey)));
       return c.json(
-        { code: 429, message: 'Too many requests. Please try again later.' },
+        { code: 429, message: 'Too many requests. Please try again later.', group: 'global' },
         429,
       );
     }
@@ -294,7 +294,7 @@ export const rateLimitMiddleware: MiddlewareHandler<HonoEnv> = async (c, next) =
       if (!success) {
         c.header('Retry-After', '60');
         return c.json(
-          { code: 429, message: 'Too many requests. Please try again later.' },
+          { code: 429, message: 'Too many requests. Please try again later.', group: 'global' },
           429,
         );
       }

package/src/routes/admin.ts

@@ -119,6 +119,15 @@ function quoteSqlIdentifier(identifier: string): string {
   return `"${identifier}"`;
 }
 
+function isPublicAdminSetupAllowed(env: Env): boolean {
+  try {
+    const config = parseConfig(env);
+    return config.release !== true;
+  } catch {
+    return false;
+  }
+}
+
 interface MonitoringStats {
   subsystem?: string;
   activeConnections: number;
@@ -231,8 +240,8 @@ function getLogStatusCode(log: Record<string, unknown>): number {
 function matchesLogLevel(status: number, level: string): boolean {
   const normalized = level.toLowerCase();
   if (normalized === 'error') return status >= 500;
-  if (normalized === 'warn') return status >= 300 && status < 500;
-  if (normalized === 'info') return status >= 200 && status < 300;
+  if (normalized === 'warn') return (status >= 300 && status < 500 && status !== 304);
+  if (normalized === 'info') return (status >= 200 && status < 300) || status === 304;
   return true;
 }
 
@@ -361,7 +370,16 @@ const adminSetupStatus = createRoute({
 adminRoute.openapi(adminSetupStatus, async (c) => {
   await ensureAuthSchema(getAuthDb(c));
   const exists = await adminExists(getAuthDb(c));
-  return c.json({ needsSetup: !exists });
+  const needsSetup = !exists;
+  const publicSetupAllowed = needsSetup ? isPublicAdminSetupAllowed(c.env) : false;
+  return c.json({
+    needsSetup,
+    publicSetupAllowed,
+    setupMethod: needsSetup ? (publicSetupAllowed ? 'browser' : 'cli') : 'login',
+    message: needsSetup && !publicSetupAllowed
+      ? 'Public admin setup is disabled for this deployment. Run `npx edgebase admin bootstrap` with a Service Key, or use the deploy/docker bootstrap flow instead.'
+      : undefined,
+  });
 });
 
 // POST /admin/api/setup — create the first admin account
@@ -387,6 +405,7 @@ const adminSetup = createRoute({
   responses: {
     201: { description: 'Admin created', content: { 'application/json': { schema: jsonResponseSchema } } },
     400: { description: 'Bad request', content: { 'application/json': { schema: errorResponseSchema } } },
+    403: { description: 'Forbidden', content: { 'application/json': { schema: errorResponseSchema } } },
   },
 });
 
@@ -394,6 +413,14 @@ adminRoute.openapi(adminSetup, async (c) => {
   await ensureAuthSchema(getAuthDb(c));
   const exists = await adminExists(getAuthDb(c));
   if (exists) throw new EdgeBaseError(400, 'Admin account already exists. Use login instead.', undefined, 'already-exists');
+  if (!isPublicAdminSetupAllowed(c.env)) {
+    throw new EdgeBaseError(
+      403,
+      'Public admin setup is disabled for this deployment. Run `npx edgebase admin bootstrap` with a Service Key, or use the deploy/docker bootstrap flow instead.',
+      undefined,
+      'forbidden',
+    );
+  }
 
   const body = await c.req.json<{ email: string; password: string }>();
   if (!body.email || !body.password) throw new EdgeBaseError(400, 'Email and password are required.', undefined, 'validation-failed');