@jant/core 0.3.45 → 0.3.47

package/src/lib/__tests__/feed.test.ts

@@ -1,6 +1,21 @@
 import { describe, expect, it } from "vitest";
 import { defaultFeedRenderer } from "../feed.js";
-import type { FeedData, FeedPostView, PostView } from "../../types.js";
+import type {
+  FeedData,
+  FeedPostView,
+  MediaView,
+  PostView,
+} from "../../types.js";
+
+function makeMediaView(overrides: Partial<MediaView> = {}): MediaView {
+  return {
+    id: "med_1",
+    url: "https://example.com/media/file.bin",
+    thumbnailUrl: "https://example.com/media/file.bin",
+    mimeType: "application/octet-stream",
+    ...overrides,
+  };
+}
 
 function makePostView(overrides: Partial<FeedPostView> = {}): FeedPostView {
   return {
@@ -206,4 +221,230 @@ describe("feed renderers", () => {
     expect(xml).toContain('<time datetime="2026-03-19T12:00:00.000Z">');
     expect(xml).toContain("<p>This is a reply</p>");
   });
+
+  it("embeds image attachments as figures with alt text caption", () => {
+    const post = makePostView({
+      bodyHtml: "<p>Look at this.</p>",
+      media: [
+        makeMediaView({
+          id: "med_img",
+          url: "https://example.com/media/photo.jpg",
+          thumbnailUrl: "https://example.com/media/photo-thumb.jpg",
+          mimeType: "image/jpeg",
+          altText: "A red bicycle",
+          width: 1200,
+          height: 800,
+          size: 245_000,
+        }),
+      ],
+    });
+    const xml = defaultFeedRenderer(makeFeedData(post));
+
+    expect(xml).toContain('<a href="https://example.com/media/photo.jpg">');
+    expect(xml).toContain(
+      '<img src="https://example.com/media/photo.jpg" alt="A red bicycle" width="1200" height="800"/>',
+    );
+    expect(xml).toContain("<figcaption>A red bicycle</figcaption>");
+    expect(xml).toContain(
+      '<link rel="enclosure" type="image/jpeg" href="https://example.com/media/photo.jpg" length="245000"',
+    );
+  });
+
+  it("renders video attachments as poster + caption (never inline <video>)", () => {
+    const post = makePostView({
+      media: [
+        makeMediaView({
+          id: "med_vid",
+          url: "https://example.com/media/clip.mp4",
+          thumbnailUrl: "https://example.com/media/clip-thumb.jpg",
+          posterUrl: "https://example.com/media/clip-poster.jpg",
+          mimeType: "video/mp4",
+          durationSeconds: 42,
+          size: 1_200_000,
+          width: 1920,
+          height: 1080,
+        }),
+      ],
+    });
+    const xml = defaultFeedRenderer(makeFeedData(post));
+
+    expect(xml).not.toContain("<video");
+    expect(xml).toContain(
+      '<img src="https://example.com/media/clip-poster.jpg"',
+    );
+    expect(xml).toContain("Watch video · 0:42 · 1.1 MB");
+    expect(xml).toContain(
+      '<link rel="enclosure" type="video/mp4" href="https://example.com/media/clip.mp4" length="1200000"',
+    );
+  });
+
+  it("renders audio attachments as a labeled link with duration and size", () => {
+    const post = makePostView({
+      media: [
+        makeMediaView({
+          id: "med_audio",
+          url: "https://example.com/media/song.mp3",
+          thumbnailUrl: "https://example.com/media/song.mp3",
+          mimeType: "audio/mpeg",
+          originalName: "song.mp3",
+          durationSeconds: 215,
+          size: 5_242_880,
+        }),
+      ],
+    });
+    const xml = defaultFeedRenderer(makeFeedData(post));
+
+    expect(xml).toContain(
+      '<a href="https://example.com/media/song.mp3">📎 [audio/mpeg] song.mp3</a> (3:35 · 5.0 MB)',
+    );
+    expect(xml).toContain(
+      '<link rel="enclosure" type="audio/mpeg" href="https://example.com/media/song.mp3" length="5242880" title="song.mp3"',
+    );
+  });
+
+  it("renders text attachments as a single-line link to the rendered preview with char count", () => {
+    const post = makePostView({
+      permalink: "/post-1",
+      media: [
+        makeMediaView({
+          id: "med_txt",
+          url: "https://example.com/media/notes.md",
+          thumbnailUrl: "https://example.com/media/notes.md",
+          mimeType: "text/markdown",
+          originalName: "notes.md",
+          summary: "Outline of the talk: intro, three acts, takeaways.",
+          chars: 4200,
+        }),
+      ],
+    });
+    const xml = defaultFeedRenderer(makeFeedData(post));
+
+    expect(xml).toContain(
+      '<a href="https://example.com/post-1/text/med_txt">📎 [text/markdown] notes.md</a> (4200 chars): Outline of the talk: intro, three acts, takeaways.',
+    );
+    // No multi-line aside / "Read full text" CTA — single line only.
+    expect(xml).not.toContain("Read full text");
+    expect(xml).not.toContain("<aside>");
+  });
+
+  it("omits the summary suffix when a text attachment has none", () => {
+    const post = makePostView({
+      permalink: "/post-1",
+      media: [
+        makeMediaView({
+          id: "med_txt_no_summary",
+          url: "https://example.com/media/silent.md",
+          thumbnailUrl: "https://example.com/media/silent.md",
+          mimeType: "text/markdown",
+          originalName: "silent.md",
+          chars: 50,
+        }),
+      ],
+    });
+    const xml = defaultFeedRenderer(makeFeedData(post));
+
+    expect(xml).toContain(
+      '<a href="https://example.com/post-1/text/med_txt_no_summary">📎 [text/markdown] silent.md</a> (50 chars)</p>',
+    );
+    expect(xml).not.toContain("(50 chars):");
+  });
+
+  it("falls back to file size when a text attachment has no char count", () => {
+    const post = makePostView({
+      permalink: "/post-1",
+      media: [
+        makeMediaView({
+          id: "med_txt2",
+          url: "https://example.com/media/raw.txt",
+          thumbnailUrl: "https://example.com/media/raw.txt",
+          mimeType: "text/plain",
+          originalName: "raw.txt",
+          size: 2048,
+        }),
+      ],
+    });
+    const xml = defaultFeedRenderer(makeFeedData(post));
+
+    expect(xml).toContain(
+      '<a href="https://example.com/post-1/text/med_txt2">📎 [text/plain] raw.txt</a> (2 KB)',
+    );
+  });
+
+  it("renders document attachments as a link with size suffix", () => {
+    const post = makePostView({
+      media: [
+        makeMediaView({
+          id: "med_pdf",
+          url: "https://example.com/media/spec.pdf",
+          thumbnailUrl: "https://example.com/media/spec.pdf",
+          mimeType: "application/pdf",
+          originalName: "spec.pdf",
+          size: 524_288,
+        }),
+      ],
+    });
+    const xml = defaultFeedRenderer(makeFeedData(post));
+
+    expect(xml).toContain(
+      '<a href="https://example.com/media/spec.pdf">📎 [application/pdf] spec.pdf</a> (512 KB)',
+    );
+    expect(xml).toContain(
+      '<link rel="enclosure" type="application/pdf" href="https://example.com/media/spec.pdf" length="524288" title="spec.pdf"',
+    );
+  });
+
+  it("strips MIME-type parameters from the attachment label", () => {
+    const post = makePostView({
+      permalink: "/post-1",
+      media: [
+        makeMediaView({
+          id: "med_html",
+          url: "https://example.com/media/note.html",
+          thumbnailUrl: "https://example.com/media/note.html",
+          mimeType: "text/html; charset=utf-8",
+          originalName: "note.html",
+          chars: 120,
+        }),
+      ],
+    });
+    const xml = defaultFeedRenderer(makeFeedData(post));
+
+    // The visible link tag should be cleaned to the bare type
+    expect(xml).toContain("[text/html] note.html");
+    // The enclosure link still preserves the full canonical MIME type
+    expect(xml).toContain('type="text/html; charset=utf-8"');
+  });
+
+  it("escapes XML special characters in media URLs and names", () => {
+    const post = makePostView({
+      media: [
+        makeMediaView({
+          id: "med_x",
+          url: "https://example.com/media/file.pdf?a=1&b=2",
+          thumbnailUrl: "https://example.com/media/file.pdf?a=1&b=2",
+          mimeType: "application/pdf",
+          originalName: "Q&A <draft>.pdf",
+          size: 1024,
+        }),
+      ],
+    });
+    const xml = defaultFeedRenderer(makeFeedData(post));
+
+    expect(xml).not.toContain("?a=1&b=2");
+    expect(xml).toContain("?a=1&amp;b=2");
+    expect(xml).toContain("Q&amp;A &lt;draft&gt;.pdf");
+  });
+
+  it("emits no enclosure links and no media block when post has no media", () => {
+    const xml = defaultFeedRenderer(
+      makeFeedData(
+        makePostView({
+          bodyHtml: "<p>Plain text only.</p>",
+        }),
+      ),
+    );
+
+    expect(xml).not.toContain('rel="enclosure"');
+    expect(xml).not.toContain("<figure>");
+  });
 });

package/src/lib/__tests__/post-meta.test.ts

@@ -23,7 +23,6 @@ const basePost: Post = {
   previewProvider: null,
   replyToId: null,
   threadId: "post-1",
-  deletedAt: null,
   publishedAt: 1,
   lastActivityAt: 1,
   createdAt: 1,

package/src/lib/__tests__/view.test.ts

@@ -57,7 +57,6 @@ function makePost(overrides: Partial<Post> = {}): Post {
     previewProvider: null,
     replyToId: null,
     threadId: UUID_1,
-    deletedAt: null,
     publishedAt: 1706745600, // 2024-02-01T00:00:00Z
     createdAt: 1706745600,
     updatedAt: 1706745600,

package/src/lib/csp-builder.ts

@@ -7,17 +7,18 @@
  *
  * Design rationale (Jant-specific):
  *
- *   - **Public pages** allow `frame-src 'https:'` and `script-src 'https:'`.
- *     The site author is the only content source — there is no UGC, no
- *     untrusted writer, no public composer. Locking down third-party scripts
- *     would block legitimate embeds (YouTube, Letterbird, analytics) and
- *     deliver no security benefit Jant doesn't already get from being
- *     single-author. This matches Ghost/WordPress/Bear precedent.
+ *   - **Public pages** allow `frame-src`, `script-src`, `style-src`,
+ *     `font-src`, and `connect-src` to load from any `https:` source. The site
+ *     author is the only content source — there is no UGC, no untrusted
+ *     writer, no public composer. Locking these down would block legitimate
+ *     embeds (YouTube, Letterbird, analytics), giscus's stylesheet, and
+ *     Google Fonts, and deliver no security benefit Jant doesn't already get
+ *     from being single-author. This matches Ghost/WordPress/Bear precedent.
  *
  *   - **Authoring/auth/API routes** (FRAME_PROTECTED_PATH_PREFIXES) keep the
  *     tight policy: only same-origin scripts, no third-party iframes, and
  *     `frame-ancestors 'none'`. Compromise of an embed page must not lead
- *     into the dashboard.
+ *     into the settings pages.
  */
 
 export interface CspBuildInput {
@@ -29,6 +30,13 @@ export interface CspBuildInput {
   uploadConnectSources: string[];
   /** True in `vite dev` so we add `ws:` to connect-src. */
   isDev: boolean;
+  /**
+   * Add `'unsafe-inline'` to script-src so author-pasted inline `<script>`
+   * blocks in customHeadHtml / customBodyEndHtml can execute. Should only be
+   * set on public (non-frame-protected) pages, and only when the author has
+   * actually configured code injection — see `secureHeadersMiddleware`.
+   */
+  allowInlineScript?: boolean;
 }
 
 export interface ContentSecurityPolicyDirectives {
@@ -54,11 +62,18 @@ function appendUnique(sources: string[], value: string | null): void {
 export function buildCspDirectives(
   input: CspBuildInput,
 ): ContentSecurityPolicyDirectives {
-  const { isFrameProtected, assetOrigin, uploadConnectSources, isDev } = input;
+  const {
+    isFrameProtected,
+    assetOrigin,
+    uploadConnectSources,
+    isDev,
+    allowInlineScript,
+  } = input;
 
   // Base script-src: same-origin, Datastar's `unsafe-eval` for data-on-* /
   // data-signals expressions, blob: for media workers (heic-to, mediabunny).
   const scriptSrc = ["'self'", "'unsafe-eval'", "blob:"];
+  if (allowInlineScript) scriptSrc.push("'unsafe-inline'");
   appendUnique(scriptSrc, assetOrigin);
 
   const styleSrc = ["'self'", "'unsafe-inline'"];
@@ -70,12 +85,15 @@ export function buildCspDirectives(
   const connectSrc = isDev ? ["'self'", "ws:"] : ["'self'"];
   for (const src of uploadConnectSources) appendUnique(connectSrc, src);
 
-  // On public (non-admin) pages, allow third-party iframes and scripts so
-  // embeds and code-injection HTML work. Admin pages stay tight.
+  // On public (non-admin) pages, allow third-party iframes, scripts,
+  // stylesheets, fonts, and fetch endpoints so embeds and code-injection
+  // HTML work. Admin pages stay tight.
   let frameSrc: string[] | undefined;
   if (!isFrameProtected) {
     frameSrc = ["'self'", "https:"];
     appendUnique(scriptSrc, "https:");
+    appendUnique(styleSrc, "https:");
+    appendUnique(fontSrc, "https:");
     appendUnique(connectSrc, "https:");
   }
 

package/src/lib/feed.ts

@@ -10,8 +10,9 @@
  * ```
  */
 
-import type { FeedData, FeedPostView, PostView } from "../types.js";
+import type { FeedData, FeedPostView, MediaView, PostView } from "../types.js";
 import { extractDisplayDomain } from "./url.js";
+import { getMediaCategory } from "./upload.js";
 
 /**
  * Escape special XML characters.
@@ -100,6 +101,136 @@ function renderRatingHtml(rating: number): string {
   return `<p>${filled}${empty} ${rating}/5</p>`;
 }
 
+function formatFeedBytes(bytes: number): string {
+  if (bytes < 1024) return `${bytes} B`;
+  if (bytes < 1024 * 1024) return `${Math.round(bytes / 1024)} KB`;
+  return `${(bytes / (1024 * 1024)).toFixed(1)} MB`;
+}
+
+function formatFeedDuration(seconds: number): string {
+  const total = Math.max(0, Math.round(seconds));
+  const m = Math.floor(total / 60);
+  const s = total % 60;
+  return `${m}:${String(s).padStart(2, "0")}`;
+}
+
+function getMediaMeta(item: MediaView): string {
+  const parts: string[] = [];
+  if (item.durationSeconds != null && item.durationSeconds > 0) {
+    parts.push(formatFeedDuration(item.durationSeconds));
+  }
+  if (item.size != null && item.size > 0) {
+    parts.push(formatFeedBytes(item.size));
+  }
+  return parts.join(" · ");
+}
+
+/**
+ * Strip MIME type parameters like `; charset=utf-8` so the visible label
+ * stays compact (e.g. `text/html` instead of `text/html; charset=utf-8`).
+ */
+function cleanMimeType(mimeType: string): string {
+  const semi = mimeType.indexOf(";");
+  return (semi >= 0 ? mimeType.slice(0, semi) : mimeType).trim();
+}
+
+/**
+ * Build the visible link text for non-visual attachments — paperclip +
+ * MIME-type tag + filename. Marks the line clearly as an attachment so it
+ * doesn't get mistaken for body text.
+ */
+function buildAttachmentLinkText(
+  item: MediaView,
+  fallbackName: string,
+): string {
+  const name = item.originalName?.trim() || fallbackName;
+  const mime = cleanMimeType(item.mimeType);
+  return `📎 [${escapeXml(mime)}] ${escapeXml(name)}`;
+}
+
+/**
+ * Render a single media attachment as HTML for embedding in feed content.
+ *
+ * - Images embed as `<figure><a><img/></a><figcaption/></figure>` with alt
+ *   used as caption when present.
+ * - Videos render as a poster thumbnail linked to the file with a caption
+ *   describing the action — feed reader support for `<video>` is uneven, so
+ *   we never inline the player.
+ * - Audio, text, and document attachments render as plain links with size
+ *   and duration metadata when known. Text attachments link to the rendered
+ *   preview page when a post permalink is available.
+ */
+function renderMediaItem(item: MediaView, postPermalinkUrl?: string): string {
+  const category = getMediaCategory(item.mimeType);
+  const url = escapeXml(item.url);
+  const name = item.originalName ?? "";
+  const altText = item.altText ?? "";
+  const caption = item.altText?.trim() || "";
+  const meta = getMediaMeta(item);
+
+  if (category === "image") {
+    const dims =
+      item.width && item.height
+        ? ` width="${item.width}" height="${item.height}"`
+        : "";
+    const figcaption = caption
+      ? `<figcaption>${escapeXml(caption)}</figcaption>`
+      : "";
+    return `<figure><a href="${url}"><img src="${url}" alt="${escapeXml(altText)}"${dims}/></a>${figcaption}</figure>`;
+  }
+
+  if (category === "video") {
+    const poster = item.posterUrl || item.thumbnailUrl;
+    const dims =
+      item.width && item.height
+        ? ` width="${item.width}" height="${item.height}"`
+        : "";
+    const label = `Watch video${meta ? ` · ${meta}` : ""}`;
+    return `<figure><a href="${url}"><img src="${escapeXml(poster)}" alt="${escapeXml(altText || name)}"${dims}/></a><figcaption>${escapeXml(label)}</figcaption></figure>`;
+  }
+
+  if (category === "audio") {
+    const linkText = buildAttachmentLinkText(item, "Audio");
+    const suffix = meta ? ` (${escapeXml(meta)})` : "";
+    return `<p><a href="${url}">${linkText}</a>${suffix}</p>`;
+  }
+
+  if (category === "text") {
+    const previewHref = postPermalinkUrl
+      ? escapeXml(`${postPermalinkUrl}/text/${item.id}`)
+      : url;
+    const linkText = buildAttachmentLinkText(item, "Attached text");
+    // Prefer character count over byte size — more meaningful for text.
+    const textMeta =
+      typeof item.chars === "number" && item.chars > 0
+        ? `${item.chars} chars`
+        : meta;
+    const metaSuffix = textMeta ? ` (${escapeXml(textMeta)})` : "";
+    const summary = item.summary?.trim() ?? "";
+    const summarySuffix = summary ? `: ${escapeXml(summary)}` : "";
+    return `<p><a href="${previewHref}">${linkText}</a>${metaSuffix}${summarySuffix}</p>`;
+  }
+
+  // document, archive, office, font, 3d, code → plain link
+  const linkText = buildAttachmentLinkText(item, "Attachment");
+  const suffix = meta ? ` (${escapeXml(meta)})` : "";
+  return `<p><a href="${url}">${linkText}</a>${suffix}</p>`;
+}
+
+/**
+ * Render all media attachments for a post as HTML for embedding in feed
+ * content. Returns an empty string when the post has no media.
+ */
+function renderMediaForFeed(
+  media: MediaView[],
+  postPermalinkUrl?: string,
+): string {
+  if (media.length === 0) return "";
+  return media
+    .map((item) => renderMediaItem(item, postPermalinkUrl))
+    .join("\n");
+}
+
 /**
  * Build the HTML content for a single post (root or reply).
  *
@@ -129,6 +260,11 @@ function buildSinglePostContent(post: PostView, permalinkUrl?: string): string {
     parts.push(stripUnsafeFeedHtml(post.bodyHtml));
   }
 
+  const mediaHtml = renderMediaForFeed(post.media, permalinkUrl);
+  if (mediaHtml) {
+    parts.push(mediaHtml);
+  }
+
   if (post.rating && post.rating > 0) {
     parts.push(renderRatingHtml(post.rating));
   }
@@ -209,15 +345,29 @@ export function defaultFeedRenderer(data: FeedData): string {
         ? `\n    <link href="${escapedPermalink}" rel="related"/>`
         : "";
 
+      // One <link rel="enclosure"> per attachment so podcast/offline readers
+      // can fetch them. Atom omits length when size is unknown; mimeType is
+      // always known from the upload pipeline.
+      const enclosureLinks = post.media
+        .map((m) => {
+          const lengthAttr =
+            m.size != null && m.size > 0 ? ` length="${m.size}"` : "";
+          const titleAttr = m.originalName
+            ? ` title="${escapeXml(m.originalName)}"`
+            : "";
+          return `\n    <link rel="enclosure" type="${escapeXml(m.mimeType)}" href="${escapeXml(m.url)}"${lengthAttr}${titleAttr}/>`;
+        })
+        .join("");
+
       return `
   <entry>
     <title>${escapeXml(title)}</title>
-    <link href="${alternateLink}" rel="alternate"/>${relatedLink}
+    <link href="${alternateLink}" rel="alternate"/>${relatedLink}${enclosureLinks}
     <id>${escapedPermalink}</id>
     <published>${publishedAt}</published>
     <updated>${updatedAt}</updated>
     <summary type="text">${escapeXml(summary)}</summary>
-    <content type="html"><![CDATA[${escapeCdata(buildFeedContent(post, siteUrl, alternateUrl ? permalinkUrl : undefined))}]]></content>
+    <content type="html"><![CDATA[${escapeCdata(buildFeedContent(post, siteUrl, permalinkUrl))}]]></content>
   </entry>`;
     })
     .join("");

package/src/middleware/__tests__/secure-headers.test.ts

@@ -135,4 +135,93 @@ describe("secureHeadersMiddleware", () => {
     expect(response.headers.get("x-frame-options")).toBe("DENY");
     expect(csp).toContain("frame-ancestors 'none'");
   });
+
+  it("does not relax script-src when no code injection is configured", async () => {
+    const app = new Hono<Env>();
+    const settings = {
+      get: vi.fn(async () => null as string | null),
+    };
+
+    app.use("*", async (c, next) => {
+      c.set("services", { settings } as AppVariables["services"]);
+      await next();
+    });
+    app.use("*", secureHeadersMiddleware());
+    app.get("/", (c) => c.text("ok"));
+
+    const response = await app.request("/");
+    const csp = response.headers.get("content-security-policy") ?? "";
+
+    expect(csp).not.toMatch(/script-src[^;]*'unsafe-inline'/);
+    expect(csp).toContain("script-src 'self' 'unsafe-eval' blob: https:");
+  });
+
+  it("relaxes script-src with 'unsafe-inline' when code injection is set", async () => {
+    const app = new Hono<Env>();
+    const settings = {
+      get: vi.fn(async (key: string) => {
+        if (key === "CUSTOM_HEAD_HTML")
+          return "<script>console.log('hi')</script>";
+        return null;
+      }),
+    };
+
+    app.use("*", async (c, next) => {
+      c.set("services", { settings } as AppVariables["services"]);
+      await next();
+    });
+    app.use("*", secureHeadersMiddleware());
+    app.get("/", (c) => c.text("ok"));
+
+    const response = await app.request("/");
+    const csp = response.headers.get("content-security-policy");
+
+    expect(csp).toContain(
+      "script-src 'self' 'unsafe-eval' blob: 'unsafe-inline' https:",
+    );
+  });
+
+  it("keeps script-src tight on frame-protected paths regardless of injection", async () => {
+    const app = new Hono<Env>();
+    const settings = {
+      get: vi.fn(async (key: string) => {
+        if (key === "CUSTOM_HEAD_HTML") return "<script>x()</script>";
+        return null;
+      }),
+    };
+
+    app.use("*", async (c, next) => {
+      c.set("services", { settings } as AppVariables["services"]);
+      await next();
+    });
+    app.use("*", secureHeadersMiddleware());
+    app.get("/settings", (c) => c.text("ok"));
+
+    const response = await app.request("/settings");
+    const csp = response.headers.get("content-security-policy") ?? "";
+
+    expect(csp).not.toMatch(/script-src[^;]*'unsafe-inline'/);
+    // Settings lookup should be skipped entirely on frame-protected paths.
+    expect(settings.get).not.toHaveBeenCalled();
+  });
+
+  it("skips the settings lookup on static asset paths", async () => {
+    const app = new Hono<Env>();
+    const settings = {
+      get: vi.fn(async () => null as string | null),
+    };
+
+    app.use("*", async (c, next) => {
+      c.set("services", { settings } as AppVariables["services"]);
+      await next();
+    });
+    app.use("*", secureHeadersMiddleware());
+    app.get("/media/foo.jpg", (c) => c.text("ok"));
+    app.get("/favicon.ico", (c) => c.text("ok"));
+
+    await app.request("/media/foo.jpg");
+    await app.request("/favicon.ico");
+
+    expect(settings.get).not.toHaveBeenCalled();
+  });
 });

package/src/middleware/auth.ts

@@ -113,7 +113,7 @@ function getPostSigninRedirect(requestUrl: string): string | null {
 /**
  * Middleware that requires authentication.
  * Redirects to signin page if not authenticated.
- * Session-only — Bearer tokens are not accepted for dashboard pages.
+ * Session-only — Bearer tokens are not accepted for settings pages.
  */
 export function requireAuth(redirectTo = "/signin"): MiddlewareHandler<Env> {
   return async (c, next) => {