@jant/core 0.3.50 → 0.4.1

package/dist/{app-C7CtIQM-.js → app-DQgkp6yV.js}

@@ -1,7 +1,7 @@
 import { a as getSitePathPrefix, c as normalizePath, d as sanitizeUrl, f as slugify, g as toPublicPath, h as toPublicHref, i as getSiteOrigin, m as toAbsoluteSiteUrl, n as extractDisplayDomain, o as isFullUrl, p as stripSitePathPrefix, r as extractDomain, s as isSafeInternalRedirect, t as buildSiteUrl, u as normalizeSiteUrl, v as __exportAll } from "./url-umUptr5z.js";
-import { A as JANT_POSITIVE_LOGO_PNG_FILENAME, B as getJantLogoHref, C as formatYearMonth, D as HOME_BRANDING_LINK_LABEL, E as toISOString, F as getJantBundledAsset, G as base64ToUint8Array, H as JANT_LOGO_PATH_DATA, I as getJantIconFilename, L as getJantIconHref, M as getDefaultJantAppleTouchIconBytes, N as getDefaultJantFaviconIcoBytes, O as HOME_BRANDING_PREFIX, P as getJantBrandPackHref, R as getJantLogoFilename, S as formatTime, U as JANT_LOGO_VIEW_BOX, V as getJantPositiveLogoPngHref, W as arrayBufferToBase64, _ as getMediaUrl, b as formatRelativeAge, d as extractSummaryHtml, f as renderTiptapDocument, g as getImageUrl, h as escapeHtml, i as tiptapJsonToMarkdown, j as JANT_REPO_URL, k as JANT_BRAND_PACK_FILENAME, l as extractBodyText, m as trimTiptapBody, o as render, p as renderTiptapJson, s as toPlainText, t as createExportService, u as extractSummary, v as getPublicUrlForProvider, w as now, x as formatRelativeTime, y as formatDate, z as getJantLogoFills } from "./export-ZBlfKSKm.js";
+import { A as JANT_POSITIVE_LOGO_PNG_FILENAME, B as getJantLogoHref, C as formatYearMonth, D as HOME_BRANDING_LINK_LABEL, E as toISOString, F as getJantBundledAsset, G as base64ToUint8Array, H as JANT_LOGO_PATH_DATA, I as getJantIconFilename, L as getJantIconHref, M as getDefaultJantAppleTouchIconBytes, N as getDefaultJantFaviconIcoBytes, O as HOME_BRANDING_PREFIX, P as getJantBrandPackHref, R as getJantLogoFilename, S as formatTime, U as JANT_LOGO_VIEW_BOX, V as getJantPositiveLogoPngHref, W as arrayBufferToBase64, _ as getMediaUrl, b as formatRelativeAge, d as extractSummaryHtml, f as renderTiptapDocument, g as getImageUrl, h as escapeHtml, i as tiptapJsonToMarkdown, j as JANT_REPO_URL, k as JANT_BRAND_PACK_FILENAME, l as extractBodyText, m as trimTiptapBody, o as render, p as renderTiptapJson, s as toPlainText, t as createExportService, u as extractSummary, v as getPublicUrlForProvider, w as now, x as formatRelativeTime, y as formatDate, z as getJantLogoFills } from "./export-DwH3ga3Y.js";
 import { C as coalesceDisplayText, S as shouldUseSecureCookies, _ as getInternalAdminToken, a as getConfiguredSingleSiteUrl, b as getSiteResolutionMode, c as getDevApiToken, d as getHostedControlPlaneBaseUrl, f as getHostedControlPlaneDomainCheckSecret, g as getHostedControlPlaneSsoSecret, h as getHostedControlPlaneProviderLabel$1, i as getConfiguredSingleSitePathPrefix, l as getEnvString, m as getHostedControlPlaneInternalToken, n as getAuthSecret, o as getConfiguredStorageDriver, p as getHostedControlPlaneInternalBaseUrl, r as getConfiguredSingleSiteOrigin, s as getCorsOrigins, u as getGitHubAppConfig, v as getLocalStoragePath } from "./env-CgaH9Mut.js";
-import { l as markdownToTiptapJson, o as createGitHubSyncService } from "./github-sync-bL1hnx3Q.js";
+import { l as markdownToTiptapJson, o as createGitHubSyncService } from "./github-sync-eHOTYZGO.js";
 import { a as listInstallationReposPage, n as getInstallation, o as searchInstallationRepos, t as buildInstallUrl } from "./github-app-D0GvNnqp.js";
 import { r as parseRepoSlug, t as createGitHubClient } from "./github-api-Bh0PH3zr.js";
 import { I18n } from "@lingui/core";
@@ -3418,10 +3418,10 @@ function normalizeThemeColorForMeta(color) {
 * internal paths (e.g. `/_assets/client-HASH.js`) embedded by the Worker build
 * from the Vite client manifest. Used only in production (IS_VITE_DEV=false).
 */ var IS_VITE_DEV = typeof __JANT_DEV__ !== "undefined" && __JANT_DEV__ === true;
-var CORE_VERSION = "0.3.50-947a76e8ff575c8d";
-var CLIENT_JS_FILE = "/_assets/client-dSfWfMe9.js";
-var CLIENT_AUTH_JS_FILE = "/_assets/client-auth-Ce5WEAVS.js";
-var CLIENT_CSS_FILE = "/_assets/client-BoUn7xBo.css";
+var CORE_VERSION = "0.4.1-ec7ca04d562a5649";
+var CLIENT_JS_FILE = "/_assets/client-DqsPJKiP.js";
+var CLIENT_AUTH_JS_FILE = "/_assets/client-auth-N6fiJcOg.js";
+var CLIENT_CSS_FILE = "/_assets/client-BbJ0FhON.css";
 var CLIENT_CJK_CSS_FILE = "/_assets/client-cjk-B7Z0snDu.css";
 var CLIENT_CJK_TC_CSS_FILE = "/_assets/client-cjk-tc-BesJYrb2.css";
 var CLIENT_CJK_JP_CSS_FILE = "/_assets/client-cjk-jp-DZwrTzQC.css";
@@ -3739,7 +3739,7 @@ var IconSprite = () => {
 	const cjkSerifFont = appConfig?.cjkSerifFont ?? "off";
 	const cjkStylesheetPath = cjkSerifFont === "zh-Hans" ? IS_VITE_DEV ? assetPath("/src/style-cjk.css") : toPublicAssetPath(CLIENT_CJK_CSS_FILE, assetBasePath) : cjkSerifFont === "zh-Hant" ? IS_VITE_DEV ? assetPath("/src/style-cjk-tc.css") : toPublicAssetPath(CLIENT_CJK_TC_CSS_FILE, assetBasePath) : cjkSerifFont === "ja" ? IS_VITE_DEV ? assetPath("/src/style-cjk-jp.css") : toPublicAssetPath(CLIENT_CJK_JP_CSS_FILE, assetBasePath) : cjkSerifFont === "ko" ? IS_VITE_DEV ? assetPath("/src/style-cjk-kr.css") : toPublicAssetPath(CLIENT_CJK_KR_CSS_FILE, assetBasePath) : null;
 	const clientScriptPath = IS_VITE_DEV ? resolvedClientBundle === "full" ? assetPath("/src/client-auth.ts") : assetPath("/src/client.ts") : toPublicAssetPath(resolvedClientBundle === "full" ? CLIENT_AUTH_JS_FILE : CLIENT_JS_FILE, assetBasePath);
-	const faviconAssetVersion = resolvedFaviconVersion || "0.3.50-947a76e8ff575c8d";
+	const faviconAssetVersion = resolvedFaviconVersion || "0.4.1-ec7ca04d562a5649";
 	const resolvedFaviconHref = faviconHref ?? (faviconAssetVersion ? toPublicPath(`/favicon.ico?v=${faviconAssetVersion}`, sitePathPrefix) : toPublicPath("/favicon.ico", sitePathPrefix));
 	const resolvedAppleTouchHref = appleTouchHref ?? (faviconAssetVersion ? toPublicPath(`/apple-touch-icon.png?v=${faviconAssetVersion}`, sitePathPrefix) : toPublicPath("/apple-touch-icon.png", sitePathPrefix));
 	const socialImageHref = resolvedSocialImagePath && (isFullUrl(resolvedSocialImagePath) || resolvedSocialImagePath.startsWith("//") ? resolvedSocialImagePath : toAbsoluteSiteUrl(resolvedSocialImagePath, appConfig?.siteUrl || "", sitePathPrefix));
@@ -6397,83 +6397,44 @@ hostedSsoRoutes.get("/__sso", async (c) => {
 	}
 });
 //#endregion
-//#region src/lib/crypto.ts
-/**
-* Compare two byte arrays using a constant-time loop.
-*
-* This avoids relying on runtime-specific crypto helpers so the same behavior
-* works in Node.js and Workers.
-*
-* @param a - First byte array
-* @param b - Second byte array
-* @returns `true` when the inputs are byte-for-byte identical
-*
-* @example
-* ```ts
-* const isEqual = timingSafeEqualBytes(
-*   new TextEncoder().encode("abc"),
-*   new TextEncoder().encode("abc"),
-* );
-* ```
-*/ function timingSafeEqualBytes(a, b) {
-	if (a.byteLength !== b.byteLength) return false;
-	let mismatch = 0;
-	for (let index = 0; index < a.byteLength; index += 1) mismatch |= (a[index] ?? 0) ^ (b[index] ?? 0);
-	return mismatch === 0;
-}
-/**
-* Compare two strings using a constant-time byte comparison.
-*
-* @param a - First string
-* @param b - Second string
-* @returns `true` when the UTF-8 byte sequences are identical
-*
-* @example
-* ```ts
-* const isEqual = timingSafeEqualText("token-a", "token-b");
-* ```
-*/ function timingSafeEqualText(a, b) {
-	const encoder = new TextEncoder();
-	return timingSafeEqualBytes(encoder.encode(a), encoder.encode(b));
-}
-//#endregion
 //#region src/lib/hosted-domain-check.ts
+var VERIFICATION_HMAC_VERSION = "v1";
 var textEncoder$3 = new TextEncoder();
-new TextDecoder();
-function toBase64Url$1(bytes) {
-	let binary = "";
-	for (const byte of bytes) binary += String.fromCharCode(byte);
-	return btoa(binary).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/g, "");
+function bytesToHex$1(bytes) {
+	let out = "";
+	for (const byte of bytes) out += byte.toString(16).padStart(2, "0");
+	return out;
 }
-async function createHmacSignature$1(secret, payload) {
+/**
+* Compute the plaintext HMAC token returned from
+* `/.well-known/jant-verification`.
+*
+* The control plane sends a nonce in the query string; the site replies with
+* `jant-verification=<hex>` where `<hex>` is `HMAC-SHA256(secret, payload)`
+* over `payload = "v1:" + host + ":" + nonce`. The shared secret is
+* `HOSTED_CONTROL_PLANE_DOMAIN_CHECK_SECRET`.
+*/ async function computeHostedVerificationToken(secret, host, nonce) {
 	const key = await crypto.subtle.importKey("raw", textEncoder$3.encode(secret), {
 		name: "HMAC",
 		hash: "SHA-256"
 	}, false, ["sign"]);
-	return new Uint8Array(await crypto.subtle.sign("HMAC", key, textEncoder$3.encode(payload)));
-}
-async function signHostedDomainCheckToken(secret, claims) {
-	const payload = toBase64Url$1(textEncoder$3.encode(JSON.stringify(claims)));
-	return `${payload}.${toBase64Url$1(await createHmacSignature$1(secret, payload))}`;
+	const payload = `${VERIFICATION_HMAC_VERSION}:${host.trim().toLowerCase()}:${nonce}`;
+	return bytesToHex$1(new Uint8Array(await crypto.subtle.sign("HMAC", key, textEncoder$3.encode(payload))));
 }
 //#endregion
 //#region src/routes/hosted/domain-check.ts
 var hostedDomainCheckRoutes = new Hono();
-hostedDomainCheckRoutes.get("/.well-known/jant-domain-check", async (c) => {
+hostedDomainCheckRoutes.get("/.well-known/jant-verification", async (c) => {
 	const secret = getHostedControlPlaneDomainCheckSecret(c.env);
-	if (!secret) throw new NotFoundError("Hosted domain check endpoint");
-	if (!c.var.currentSiteDomain) throw new NotFoundError("Hosted domain check endpoint");
+	if (!secret) throw new NotFoundError("Hosted domain verification endpoint");
+	if (!c.var.currentSiteDomain) throw new NotFoundError("Hosted domain verification endpoint");
 	const nonce = c.req.query("nonce")?.trim();
-	if (!nonce) return c.json({ error: "Missing nonce." }, 400);
-	const token = await signHostedDomainCheckToken(secret, {
-		aud: "jant-cloud",
-		domainId: c.var.currentSiteDomain.id,
-		host: c.var.currentSiteDomain.host.trim().toLowerCase(),
-		iat: Math.floor(Date.now() / 1e3),
-		iss: "jant-core",
-		nonce
-	});
-	return c.json({ token }, 200, { "Cache-Control": "no-store" });
+	if (!nonce) return c.text("Missing nonce.", 400);
+	const token = await computeHostedVerificationToken(secret, c.var.currentSiteDomain.host.trim().toLowerCase(), nonce);
+	return c.text(`jant-verification=${token}\n`, 200, {
+		"Cache-Control": "no-store",
+		"Content-Type": "text/plain; charset=utf-8"
+	});
 });
 //#endregion
 //#region src/lib/collection-paths.ts
@@ -9935,7 +9896,7 @@ function getThreadPreviewState({ secondReply, penultimateReply, latestReply, tot
 /**
 * Thread Preview
 *
-* Shows latest reply as the hero post with faded ancestor context above.
+* Shows latest reply as the hero post with ancestor context above.
 * Thread line connects all posts via `.thread-group` / `.thread-item`.
 */ var ROOT_CONTEXT_DISPLAY = { footer: { hideReply: true } };
 var CONTEXT_DISPLAY = {
@@ -9945,8 +9906,6 @@ var CONTEXT_DISPLAY = {
 var HERO_DISPLAY = {};
 var ThreadPreview = ({ rootPost, secondReply, penultimateReply, latestReply, totalReplyCount }) => {
 	const { i18n } = useLingui();
-	const showMoreLabel = i18n._({ id: "fMPkxb" });
-	const showLessLabel = i18n._({ id: "6lGV3K" });
 	const { hiddenCount } = getThreadPreviewState({
 		secondReply,
 		penultimateReply,
@@ -9956,56 +9915,41 @@ var ThreadPreview = ({ rootPost, secondReply, penultimateReply, latestReply, tot
 	const hiddenPostsLabel = i18n._({ id: "oO0hKx" }, { count: hiddenCount });
 	const renderedSecondReply = secondReply && secondReply.id !== latestReply.id ? secondReply : void 0;
 	const renderedPenultimateReply = penultimateReply && penultimateReply.id !== latestReply.id && penultimateReply.id !== secondReply?.id ? penultimateReply : void 0;
+	const gapHref = renderedSecondReply?.permalink ?? latestReply.permalink;
 	return /* @__PURE__ */ jsxDEV$1("div", {
 		class: "thread-group thread-group-preview",
 		children: [
 			/* @__PURE__ */ jsxDEV$1("div", {
-				class: "thread-context-shell thread-context-collapsed",
-				"data-thread-context": true,
-				children: [
-					/* @__PURE__ */ jsxDEV$1("div", {
-						class: "thread-item thread-item-context",
-						children: /* @__PURE__ */ jsxDEV$1(TimelineItemFromPost, {
-							post: rootPost,
-							mode: "feed",
-							display: ROOT_CONTEXT_DISPLAY
-						})
-					}),
-					renderedSecondReply && /* @__PURE__ */ jsxDEV$1("div", {
-						class: "thread-item thread-item-context",
-						children: /* @__PURE__ */ jsxDEV$1(TimelineItemFromPost, {
-							post: renderedSecondReply,
-							mode: "feed",
-							display: CONTEXT_DISPLAY
-						})
-					}),
-					hiddenCount > 0 && /* @__PURE__ */ jsxDEV$1("div", {
-						class: "thread-item thread-item-gap",
-						children: /* @__PURE__ */ jsxDEV$1("a", {
-							href: latestReply.permalink,
-							class: "thread-gap-link",
-							children: hiddenPostsLabel
-						})
-					}),
-					renderedPenultimateReply && /* @__PURE__ */ jsxDEV$1("div", {
-						class: "thread-item thread-item-context",
-						children: /* @__PURE__ */ jsxDEV$1(TimelineItemFromPost, {
-							post: renderedPenultimateReply,
-							mode: "feed",
-							display: CONTEXT_DISPLAY
-						})
-					}),
-					/* @__PURE__ */ jsxDEV$1("div", { class: "thread-context-fade" })
-				]
+				class: "thread-item thread-item-context",
+				children: /* @__PURE__ */ jsxDEV$1(TimelineItemFromPost, {
+					post: rootPost,
+					mode: "feed",
+					display: ROOT_CONTEXT_DISPLAY
+				})
 			}),
-			/* @__PURE__ */ jsxDEV$1("button", {
-				type: "button",
-				class: "thread-context-toggle text-muted-foreground hover:text-foreground hidden",
-				"data-thread-context-toggle": true,
-				"data-label-more": showMoreLabel,
-				"data-label-less": showLessLabel,
-				"aria-expanded": "false",
-				children: showMoreLabel
+			renderedSecondReply && /* @__PURE__ */ jsxDEV$1("div", {
+				class: "thread-item thread-item-context",
+				children: /* @__PURE__ */ jsxDEV$1(TimelineItemFromPost, {
+					post: renderedSecondReply,
+					mode: "feed",
+					display: CONTEXT_DISPLAY
+				})
+			}),
+			hiddenCount > 0 && /* @__PURE__ */ jsxDEV$1("div", {
+				class: "thread-item thread-item-gap",
+				children: /* @__PURE__ */ jsxDEV$1("a", {
+					href: gapHref,
+					class: "thread-gap-link",
+					children: hiddenPostsLabel
+				})
+			}),
+			renderedPenultimateReply && /* @__PURE__ */ jsxDEV$1("div", {
+				class: "thread-item thread-item-context",
+				children: /* @__PURE__ */ jsxDEV$1(TimelineItemFromPost, {
+					post: renderedPenultimateReply,
+					mode: "feed",
+					display: CONTEXT_DISPLAY
+				})
 			}),
 			/* @__PURE__ */ jsxDEV$1("div", {
 				class: "thread-item thread-item-hero",
@@ -20233,7 +20177,7 @@ async function syncHostedControlPlaneSiteAvatar(input) {
 		return;
 	}
 	await markSyncPending(settings);
-	const { createGitHubSyncService } = await import("./github-sync-C593r22F.js");
+	const { createGitHubSyncService } = await import("./github-sync-D2FO19Re.js");
 	const { getGitHubAppConfig } = await import("./env-CgaH9Mut.js").then((n) => n.t);
 	const run = runBackgroundSync(settings, createGitHubSyncService(c.var.services, c.var.currentSite.id, await buildSyncSiteConfig(c), {
 		storage: c.var.storage,
@@ -21020,7 +20964,7 @@ settingsRoutes.post("/github-sync/connect", async (c) => {
 	await c.var.services.settings.set("GITHUB_SYNC_AUTH_MODE", "pat");
 	await c.var.services.settings.set("GITHUB_SYNC_APP_INSTALLATION_ID", "");
 	await c.var.services.settings.set("GITHUB_SYNC_ENABLED", "true");
-	const { createGitHubSyncService } = await import("./github-sync-C593r22F.js");
+	const { createGitHubSyncService } = await import("./github-sync-D2FO19Re.js");
 	const syncService = createGitHubSyncService(c.var.services, c.var.currentSite.id, await buildSyncSiteConfig(c), {
 		storage: c.var.storage,
 		githubApp: getGitHubAppConfig(c.env)
@@ -21039,7 +20983,7 @@ settingsRoutes.post("/github-sync/connect", async (c) => {
 	return dsRedirect(publicPath(c, "/settings/github-sync"));
 });
 settingsRoutes.post("/github-sync/push", async (c) => {
-	const { createGitHubSyncService } = await import("./github-sync-C593r22F.js");
+	const { createGitHubSyncService } = await import("./github-sync-D2FO19Re.js");
 	const syncService = createGitHubSyncService(c.var.services, c.var.currentSite.id, await buildSyncSiteConfig(c), {
 		storage: c.var.storage,
 		githubApp: getGitHubAppConfig(c.env)
@@ -21059,7 +21003,7 @@ settingsRoutes.post("/github-sync/push", async (c) => {
 	});
 });
 settingsRoutes.post("/github-sync/disconnect", async (c) => {
-	const { createGitHubSyncService } = await import("./github-sync-C593r22F.js");
+	const { createGitHubSyncService } = await import("./github-sync-D2FO19Re.js");
 	await createGitHubSyncService(c.var.services, c.var.currentSite.id, await buildSyncSiteConfig(c), { githubApp: getGitHubAppConfig(c.env) }).teardownWebhook();
 	return dsRedirect(publicPath(c, "/settings/github-sync"));
 });
@@ -21250,7 +21194,7 @@ function buildRepoPickerLabels(c) {
 	const { parseRepoSlug, createGitHubClient } = await import("./github-api-Bh0PH3zr.js").then((n) => n.n);
 	const parsed = parseRepoSlug(repo);
 	if (!parsed) return wantsJson ? c.json({ error: "Invalid repository format." }, 400) : c.text("Invalid repository format.", 400);
-	const { classifyRepoForSync } = await import("./github-sync-C593r22F.js");
+	const { classifyRepoForSync } = await import("./github-sync-D2FO19Re.js");
 	const ghClient = createGitHubClient(() => getInstallationTokenFromApp(app, installationId));
 	let classification;
 	try {
@@ -21280,7 +21224,7 @@ function buildRepoPickerLabels(c) {
 	await c.var.services.settings.set("GITHUB_SYNC_REPO", repo);
 	await c.var.services.settings.set("GITHUB_SYNC_TOKEN", "");
 	await c.var.services.settings.set("GITHUB_SYNC_ENABLED", "true");
-	const { createGitHubSyncService } = await import("./github-sync-C593r22F.js");
+	const { createGitHubSyncService } = await import("./github-sync-D2FO19Re.js");
 	const syncService = createGitHubSyncService(c.var.services, c.var.currentSite.id, await buildSyncSiteConfig(c), {
 		storage: c.var.storage,
 		githubApp: app
@@ -21396,7 +21340,7 @@ function requireGitHubApp(c) {
 	const { parseRepoSlug, createGitHubClient } = await import("./github-api-Bh0PH3zr.js").then((n) => n.n);
 	const parsed = parseRepoSlug(repo);
 	if (!parsed) return c.json({ error: "Invalid repository format." }, 400);
-	const { classifyRepoForSync } = await import("./github-sync-C593r22F.js");
+	const { classifyRepoForSync } = await import("./github-sync-D2FO19Re.js");
 	const client = createGitHubClient(() => getInstallationTokenFromApp(app, installationId));
 	try {
 		const classification = await classifyRepoForSync(client, parsed.owner, parsed.repo, c.var.currentSite.id);
@@ -24752,8 +24696,10 @@ internalApiTokensRoutes.post("/purge", requireInternalAdminApi(), async (c) => {
 });
 //#endregion
 //#region src/routes/api/internal/sites.ts
+var ManagedSiteKeySchema = z.string().trim().toLowerCase().min(3).max(40).regex(/^[a-z0-9](?:[a-z0-9-]{1,38}[a-z0-9])?$/, "Site key must use lowercase letters, numbers, or hyphens.");
+var SiteKeyAvailabilityQuerySchema = z.object({ key: ManagedSiteKeySchema });
 var CreateManagedSiteSchema = z.object({
-	key: z.string().trim().toLowerCase().min(3).max(40).regex(/^[a-z0-9](?:[a-z0-9-]{1,38}[a-z0-9])?$/, "Site key must use lowercase letters, numbers, or hyphens."),
+	key: ManagedSiteKeySchema,
 	primaryHost: z.string().trim().toLowerCase().min(1).max(255).regex(/^(?=.{1,255}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$/, "Primary host must be a valid hostname."),
 	siteName: z.string().trim().min(1).max(120),
 	siteLanguage: z.string().trim().max(35).optional(),
@@ -24778,6 +24724,12 @@ internalSitesRoutes.post("/", requireInternalAdminApi(), async (c) => {
 		status: result.site.status
 	}, 201);
 });
+internalSitesRoutes.get("/availability", requireInternalAdminApi(), async (c) => {
+	assertHostBasedMode(c.env);
+	const query = parseValidated(SiteKeyAvailabilityQuerySchema, { key: c.req.query("key") ?? "" });
+	const result = await c.var.services.siteAdmin.isManagedSiteKeyAvailable(query.key);
+	return c.json(result);
+});
 internalSitesRoutes.delete("/:siteId", requireInternalAdminApi(), async (c) => {
 	assertHostBasedMode(c.env);
 	await c.var.services.siteAdmin.deleteManagedSite(c.req.param("siteId"), { storage: c.var.storage });
@@ -24847,6 +24799,18 @@ internalSitesRoutes.post("/:siteId/domains/:domainId/primary", requireInternalAd
 		redirectToPrimary: domain.redirectToPrimary
 	})) });
 });
+var ManagedSiteDomainRedirectSchema = z.object({ redirectToPrimary: z.boolean() });
+internalSitesRoutes.post("/:siteId/domains/:domainId/redirect", requireInternalAdminApi(), async (c) => {
+	assertHostBasedMode(c.env);
+	const body = parseValidated(ManagedSiteDomainRedirectSchema, await c.req.json());
+	const domains = await c.var.services.siteAdmin.setManagedSiteDomainRedirect(c.req.param("siteId"), c.req.param("domainId"), body.redirectToPrimary);
+	return c.json({ domains: domains.map((domain) => ({
+		host: domain.host,
+		id: domain.id,
+		kind: domain.kind,
+		redirectToPrimary: domain.redirectToPrimary
+	})) });
+});
 internalSitesRoutes.delete("/:siteId/domains/:domainId", requireInternalAdminApi(), async (c) => {
 	assertHostBasedMode(c.env);
 	const domains = await c.var.services.siteAdmin.deleteManagedSiteDomain(c.req.param("siteId"), c.req.param("domainId"));
@@ -26616,7 +26580,7 @@ var cors = (options) => {
 //#endregion
 //#region src/lib/hosted-domain.ts
 var CANONICAL_REDIRECT_BYPASS_PREFIXES = [
-	"/.well-known/jant-domain-check",
+	"/.well-known/jant-verification",
 	"/__dev",
 	"/__sso",
 	"/api/",
@@ -26963,6 +26927,46 @@ function createD1RateLimiter(db, schema, now = () => Math.floor(Date.now() / 1e3
 	} };
 }
 //#endregion
+//#region src/lib/crypto.ts
+/**
+* Compare two byte arrays using a constant-time loop.
+*
+* This avoids relying on runtime-specific crypto helpers so the same behavior
+* works in Node.js and Workers.
+*
+* @param a - First byte array
+* @param b - Second byte array
+* @returns `true` when the inputs are byte-for-byte identical
+*
+* @example
+* ```ts
+* const isEqual = timingSafeEqualBytes(
+*   new TextEncoder().encode("abc"),
+*   new TextEncoder().encode("abc"),
+* );
+* ```
+*/ function timingSafeEqualBytes(a, b) {
+	if (a.byteLength !== b.byteLength) return false;
+	let mismatch = 0;
+	for (let index = 0; index < a.byteLength; index += 1) mismatch |= (a[index] ?? 0) ^ (b[index] ?? 0);
+	return mismatch === 0;
+}
+/**
+* Compare two strings using a constant-time byte comparison.
+*
+* @param a - First string
+* @param b - Second string
+* @returns `true` when the UTF-8 byte sequences are identical
+*
+* @example
+* ```ts
+* const isEqual = timingSafeEqualText("token-a", "token-b");
+* ```
+*/ function timingSafeEqualText(a, b) {
+	const encoder = new TextEncoder();
+	return timingSafeEqualBytes(encoder.encode(a), encoder.encode(b));
+}
+//#endregion
 //#region src/lib/hosted-sso.ts
 var textEncoder = new TextEncoder();
 var textDecoder = new TextDecoder();
@@ -30755,6 +30759,14 @@ function createSiteAdminService(db, databaseSchema = sqliteSchemaBundle, databas
 			if (supportsDrizzleTransaction(db, databaseDialect)) return db.transaction(async (tx) => createWithDatabase(tx, input));
 			return createWithDatabase(db, input);
 		},
+		async isManagedSiteKeyAvailable(key) {
+			assertManagedSiteOperationsEnabled();
+			const normalizedKey = key.trim();
+			return {
+				available: !(await db.select({ id: sites.id }).from(sites).where(eq(sites.key, normalizedKey)).limit(1))[0],
+				key: normalizedKey
+			};
+		},
 		async getManagedSiteMediaUsage(siteId) {
 			assertManagedSiteOperationsEnabled();
 			return getManagedSiteMediaUsage(siteId);
@@ -30785,7 +30797,7 @@ function createSiteAdminService(db, databaseSchema = sqliteSchemaBundle, databas
 			const themeCss = buildThemeStyle(activeTheme, appConfig.themeMode, fontOverrides);
 			const navItemList = await navItems.list();
 			const appleTouchKey = allSettings[SETTINGS_KEYS.SITE_FAVICON_APPLE_TOUCH];
-			const { createExportService } = await import("./export-ZBlfKSKm.js").then((n) => n.n);
+			const { createExportService } = await import("./export-DwH3ga3Y.js").then((n) => n.n);
 			const exportService = createExportService({
 				collections,
 				media: mediaService,
@@ -30877,7 +30889,7 @@ function createSiteAdminService(db, databaseSchema = sqliteSchemaBundle, databas
 				const timestamp = now();
 				if (input.makePrimary) await targetDb.update(siteDomains).set({
 					kind: "alias",
-					redirectToPrimary: true,
+					redirectToPrimary: false,
 					updatedAt: timestamp
 				}).where(eq(siteDomains.siteId, normalizedSiteId));
 				await targetDb.insert(siteDomains).values({
@@ -30892,6 +30904,19 @@ function createSiteAdminService(db, databaseSchema = sqliteSchemaBundle, databas
 				});
 			});
 		},
+		async setManagedSiteDomainRedirect(siteId, domainId, redirectToPrimary) {
+			assertManagedSiteOperationsEnabled();
+			return mutateSiteDomains(siteId, async (targetDb, normalizedSiteId) => {
+				await requireSite(targetDb, normalizedSiteId);
+				const normalizedDomainId = domainId.trim();
+				if (!(await targetDb.select({ id: siteDomains.id }).from(siteDomains).where(sql`${siteDomains.id} = ${normalizedDomainId} AND ${siteDomains.siteId} = ${normalizedSiteId}`).limit(1))[0]) throw new NotFoundError("Site domain");
+				const timestamp = now();
+				await targetDb.update(siteDomains).set({
+					redirectToPrimary,
+					updatedAt: timestamp
+				}).where(eq(siteDomains.id, normalizedDomainId));
+			});
+		},
 		async setManagedSitePrimaryDomain(siteId, domainId) {
 			assertManagedSiteOperationsEnabled();
 			return mutateSiteDomains(siteId, async (targetDb, normalizedSiteId) => {

package/dist/app-DYJLFZaM.js

@@ -0,0 +1,6 @@
+import "./url-umUptr5z.js";
+import { t as createApp } from "./app-DQgkp6yV.js";
+import "./export-DwH3ga3Y.js";
+import "./env-CgaH9Mut.js";
+import "./github-sync-eHOTYZGO.js";
+export { createApp };

package/dist/client/.vite/manifest.json

@@ -146,7 +146,7 @@
     "name": "url"
   },
   "src/client-auth.ts": {
-    "file": "_assets/client-auth-Ce5WEAVS.js",
+    "file": "_assets/client-auth-N6fiJcOg.js",
     "name": "client-auth",
     "src": "src/client-auth.ts",
     "isEntry": true,
@@ -163,7 +163,7 @@
     ]
   },
   "src/client.ts": {
-    "file": "_assets/client-dSfWfMe9.js",
+    "file": "_assets/client-DqsPJKiP.js",
     "name": "client",
     "src": "src/client.ts",
     "isEntry": true,
@@ -858,7 +858,7 @@
     ]
   },
   "src/style.css": {
-    "file": "_assets/client-BoUn7xBo.css",
+    "file": "_assets/client-BbJ0FhON.css",
     "name": "style",
     "names": [
       "style.css"