@morphika/andami 0.2.26 → 0.4.0

package/app/admin/pages/[slug]/page.tsx

@@ -415,10 +415,10 @@ export default function PageEditorPage() {
     [store]
   );
 
-  // Handle add page section (project grid)
+  // Handle add page section (project grid / project carousel)
   // afterRowKey=null → always appends to end of page (bottom "Add Section" button)
   const handleAddSection = useCallback(
-    (blockType: "projectGridBlock") => {
+    (blockType: "projectGridBlock" | "projectCarouselBlock") => {
       store.addSection(blockType, null);
       setShowSectionPicker(false);
     },
@@ -517,9 +517,12 @@ export default function PageEditorPage() {
       {/* ---- Section Editor Bar (replaces toolbar in customSection mode) ---- */}
       {isInSectionEditor && <SectionEditorBar />}
 
-      {/* ---- Toolbar (hidden in section editor mode) ---- */}
-      {!isInSectionEditor && <div className="flex items-center justify-between bg-white border-b border-neutral-200 px-4 h-14 shrink-0">
-        <div className="flex items-center gap-3">
+      {/* ---- Toolbar (hidden in section editor mode) ----
+           3-column grid so the center group ("Home" + publish chips) is
+           truly centered on the viewport regardless of left/right widths. */}
+      {!isInSectionEditor && <div className="grid grid-cols-[1fr_auto_1fr] items-center bg-white border-b border-neutral-200 px-4 h-14 shrink-0">
+        {/* LEFT — back link + history + help + page settings */}
+        <div className="flex items-center gap-3 justify-self-start">
           <Link
             href={store.pageType === "project" ? "/admin/projects" : "/admin/pages"}
             className="text-xs text-neutral-400 hover:text-neutral-700 transition-colors flex items-center gap-1"
@@ -528,25 +531,8 @@ export default function PageEditorPage() {
             {store.pageType === "project" ? "Projects" : "Pages"}
           </Link>
           <span className="text-neutral-200">|</span>
-          <span className="text-sm font-semibold text-neutral-800">{store.pageTitle}</span>
-          <span className="text-xs text-neutral-400 uppercase px-2 py-0.5 border border-neutral-200 rounded-lg bg-neutral-50">
-            {store.pageType}
-          </span>
-          <PublishToggle
-            mode="builder"
-            isDraft={store.draftMode}
-            onPublish={() => store.publishPage()}
-            onUnpublish={() => store.unpublishPage()}
-          />
-          {store.isDirty && (
-            <span className="text-xs text-amber-500 animate-pulse">
-              Unsaved changes
-            </span>
-          )}
 
-        </div>
-        <div className="flex items-center gap-2">
-          {/* Undo/Redo buttons */}
+          {/* Undo / Redo */}
           <button
             onClick={() => store.undo()}
             disabled={!store.canUndo()}
@@ -563,9 +549,8 @@ export default function PageEditorPage() {
           >
             ↷
           </button>
-          <span className="text-neutral-200 mx-1">|</span>
 
-          {/* Help button */}
+          {/* Help */}
           <button
             onClick={() => setShowHelp(true)}
             className="rounded-lg px-2 py-1 text-xs text-neutral-400 hover:text-neutral-700 hover:bg-neutral-100 transition-colors"
@@ -574,7 +559,7 @@ export default function PageEditorPage() {
             ?
           </button>
 
-          {/* Page settings gear button */}
+          {/* Page settings gear */}
           <button
             onClick={() => store.clearSelection()}
             className="rounded-lg px-2 py-1 text-neutral-400 hover:text-neutral-700 hover:bg-neutral-100 transition-colors"
@@ -585,21 +570,29 @@ export default function PageEditorPage() {
               <path d="M19.4 15a1.65 1.65 0 0 0 .33 1.82l.06.06a2 2 0 0 1-2.83 2.83l-.06-.06a1.65 1.65 0 0 0-1.82-.33 1.65 1.65 0 0 0-1 1.51V21a2 2 0 0 1-4 0v-.09A1.65 1.65 0 0 0 9 19.4a1.65 1.65 0 0 0-1.82.33l-.06.06a2 2 0 0 1-2.83-2.83l.06-.06A1.65 1.65 0 0 0 4.68 15a1.65 1.65 0 0 0-1.51-1H3a2 2 0 0 1 0-4h.09A1.65 1.65 0 0 0 4.6 9a1.65 1.65 0 0 0-.33-1.82l-.06-.06a2 2 0 0 1 2.83-2.83l.06.06A1.65 1.65 0 0 0 9 4.68a1.65 1.65 0 0 0 1-1.51V3a2 2 0 0 1 4 0v.09a1.65 1.65 0 0 0 1 1.51 1.65 1.65 0 0 0 1.82-.33l.06-.06a2 2 0 0 1 2.83 2.83l-.06.06A1.65 1.65 0 0 0 19.4 9a1.65 1.65 0 0 0 1.51 1H21a2 2 0 0 1 0 4h-.09a1.65 1.65 0 0 0-1.51 1z" />
             </svg>
           </button>
-          <span className="text-neutral-200 mx-1">|</span>
-
-          {store.saveError && (
-            <span className="text-xs text-red-500">
-              {store.saveError}
-            </span>
-          )}
-          {store.lastSavedAt && !store.isDirty && (
-            <span className="text-xs text-neutral-400">
-              Saved {new Date(store.lastSavedAt).toLocaleTimeString()}
-            </span>
-          )}
-          <span className="text-xs text-neutral-300">
-            Ctrl+S
-          </span>
+          <span className="text-neutral-200">|</span>
+        </div>
+
+        {/* CENTER — page title + publish state */}
+        <div className="flex items-center gap-3 justify-self-center">
+          <span className="text-sm font-semibold text-neutral-800">{store.pageTitle}</span>
+          <PublishToggle
+            mode="builder"
+            isDraft={store.draftMode}
+            onPublish={() => store.publishPage()}
+            onUnpublish={() => store.unpublishPage()}
+          />
+        </div>
+
+        {/* RIGHT — notification area + preview + save */}
+        <div className="flex items-center gap-3 justify-self-end">
+          {/* Notification slot: save error takes precedence over unsaved-changes */}
+          {store.saveError ? (
+            <span className="text-xs text-red-500">{store.saveError}</span>
+          ) : store.isDirty ? (
+            <span className="text-xs text-amber-500 animate-pulse">Unsaved changes</span>
+          ) : null}
+
           {/* Preview in new tab */}
           <button
             onClick={() => openPreview(store)}
@@ -613,6 +606,7 @@ export default function PageEditorPage() {
             </svg>
             Preview
           </button>
+
           <button
             onClick={handleSave}
             disabled={store.isSaving || !store.isDirty}
@@ -813,18 +807,18 @@ export default function PageEditorPage() {
                   {/* Add section button — hidden in section editor mode */}
                   {!isInSectionEditor && (
                   <div className="relative" style={{ height: 0 }}>
-                    <div className="absolute left-0 right-0 top-2" style={{ zIndex: 4 }}>
+                    <div className="absolute left-0 right-0 top-2 flex justify-center" style={{ zIndex: 4 }}>
                       <button
                         onClick={(e) => {
                           e.stopPropagation();
                           setShowSectionPicker(true);
                         }}
-                        className="w-full rounded-xl py-3 text-xs font-medium transition-colors"
+                        className="rounded-full text-[10px] font-medium transition-all hover:scale-105"
                         style={{
-                          background: "linear-gradient(170deg, rgba(38,38,48,0.95) 0%, rgba(28,28,36,0.97) 100%)",
-                          color: "rgba(200,160,220,0.8)",
-                          boxShadow: "0 2px 8px rgba(0,0,0,0.2), inset 0 1px 0 rgba(255,255,255,0.04)",
-                          border: "1px solid rgba(255,255,255,0.06)",
+                          padding: "5px 16px",
+                          background: "#e0daff",
+                          color: "#7500d5",
+                          border: "1px dashed #7500d5",
                         }}
                       >
                         + Add Section

package/app/api/admin/assets/scan/route.ts

@@ -103,11 +103,13 @@ export async function POST(request: NextRequest) {
     // Replace scannedFiles with filtered list (no _thumbs/ entries in registry)
     scannedFiles = realFiles;
 
-    // Get existing assets from registry for merging
-    const existingRegistry = await client.fetch(
-      `*[_type == "assetRegistry"][0]{ assets }`
+    // Get existing assets from registry for merging.
+    // Capture `_rev` so the final patch can use optimistic concurrency (ifRevisionId).
+    const existingRegistry = await client.fetch<{ _rev?: string; assets?: RegisteredAsset[] } | null>(
+      `*[_type == "assetRegistry"][0]{ _rev, assets }`
     );
     const existingAssets: RegisteredAsset[] = existingRegistry?.assets || [];
+    const registryRev: string | undefined = existingRegistry?._rev;
 
     // Build maps for fast lookup
     const existingByPath = new Map<string, RegisteredAsset>();
@@ -228,16 +230,41 @@ export async function POST(request: NextRequest) {
       }
     }
 
-    // Update the registry
-    await writeClient
-      .patch("assetRegistry")
-      .set({
-        assets: mergedAssets,
-        scan_status: "ready",
-        scan_error: "",
-        last_scanned_at: now,
-      })
-      .commit();
+    // Update the registry. Use optimistic concurrency (ifRevisionId) so a
+    // concurrent write to assetRegistry (e.g. an upload register hitting
+    // /api/admin/assets/register while we were merging) makes the commit
+    // fail loudly instead of silently overwriting the other change.
+    try {
+      const patch = writeClient.patch("assetRegistry");
+      if (registryRev) patch.ifRevisionId(registryRev);
+      await patch
+        .set({
+          assets: mergedAssets,
+          scan_status: "ready",
+          scan_error: "",
+          last_scanned_at: now,
+        })
+        .commit();
+    } catch (commitErr) {
+      const msg = commitErr instanceof Error ? commitErr.message : "";
+      // Sanity signals rev conflicts with a revision-mismatch error.
+      if (msg.toLowerCase().includes("revision")) {
+        // Clear the "scanning" marker so the UI isn't stuck
+        await writeClient
+          .patch("assetRegistry")
+          .set({ scan_status: "ready", scan_error: "Registry was modified during scan — please retry" })
+          .commit()
+          .catch(() => {});
+        return NextResponse.json(
+          {
+            error:
+              "Registry was modified by another process during this scan. Please retry.",
+          },
+          { status: 409 }
+        );
+      }
+      throw commitErr;
+    }
 
     return NextResponse.json({
       success: true,

package/app/api/admin/custom-sections/[slug]/route.ts

@@ -4,7 +4,7 @@ import { adminClient as client } from "../../../../../lib/sanity/client";
 import { writeClient } from "../../../../../lib/sanity/writeClient";
 import { customSectionBySlugQuery, pagesUsingCustomSectionQuery } from "../../../../../lib/sanity/queries";
 import { isAdminAuthenticated } from "../../../../../lib/auth";
-import { validateCsrf, csrfErrorResponse } from "../../../../../lib/csrf";
+import { validateCsrf, csrfErrorResponse, hasJsonContentType, contentTypeErrorResponse } from "../../../../../lib/csrf";
 import { isBodyTooLarge, MAX_PAGE_BODY_SIZE } from "../../../../../lib/security";
 import { auditLog } from "../../../../../lib/audit";
 import { logger } from "../../../../../lib/logger";
@@ -46,6 +46,9 @@ export async function PATCH(request: NextRequest, context: RouteContext) {
   if (!validateCsrf(request)) {
     return csrfErrorResponse();
   }
+  if (!hasJsonContentType(request)) {
+    return contentTypeErrorResponse();
+  }
   if (isBodyTooLarge(request, MAX_PAGE_BODY_SIZE)) {
     return NextResponse.json({ error: "Request body too large" }, { status: 413 });
   }

package/app/api/admin/custom-sections/route.ts

@@ -3,7 +3,7 @@ import { adminClient as client } from "../../../../lib/sanity/client";
 import { writeClient } from "../../../../lib/sanity/writeClient";
 import { allCustomSectionsQuery } from "../../../../lib/sanity/queries";
 import { isAdminAuthenticated } from "../../../../lib/auth";
-import { validateCsrf, csrfErrorResponse } from "../../../../lib/csrf";
+import { validateCsrf, csrfErrorResponse, hasJsonContentType, contentTypeErrorResponse } from "../../../../lib/csrf";
 import { isBodyTooLarge, MAX_JSON_BODY_SIZE } from "../../../../lib/security";
 import { auditLog } from "../../../../lib/audit";
 import { logger } from "../../../../lib/logger";
@@ -39,6 +39,9 @@ export async function POST(request: NextRequest) {
   if (!validateCsrf(request)) {
     return csrfErrorResponse();
   }
+  if (!hasJsonContentType(request)) {
+    return contentTypeErrorResponse();
+  }
   if (isBodyTooLarge(request, MAX_JSON_BODY_SIZE)) {
     return NextResponse.json({ error: "Request body too large" }, { status: 413 });
   }

package/app/api/admin/pages/[slug]/route.ts

@@ -5,7 +5,7 @@ import { writeClient } from "../../../../../lib/sanity/writeClient";
 import { pageBySlugQuery } from "../../../../../lib/sanity/queries";
 import { isAdminAuthenticated } from "../../../../../lib/auth";
 import { isSafeUrl, isValidAssetPath, isBodyTooLarge, MAX_PAGE_BODY_SIZE, MAX_JSON_BODY_SIZE } from "../../../../../lib/security";
-import { validateCsrf, csrfErrorResponse } from "../../../../../lib/csrf";
+import { validateCsrf, csrfErrorResponse, hasJsonContentType, contentTypeErrorResponse } from "../../../../../lib/csrf";
 import { auditLog } from "../../../../../lib/audit";
 import { logger } from "../../../../../lib/logger";
 /** Raw nav_items from Sanity before GROQ projection resolves references */
@@ -250,6 +250,9 @@ export async function POST(
   if (!validateCsrf(request)) {
     return csrfErrorResponse();
   }
+  if (!hasJsonContentType(request)) {
+    return contentTypeErrorResponse();
+  }
   if (isBodyTooLarge(request, MAX_PAGE_BODY_SIZE)) {
     return NextResponse.json({ error: "Request body too large" }, { status: 413 });
   }
@@ -371,6 +374,9 @@ export async function PATCH(
   if (!validateCsrf(request)) {
     return csrfErrorResponse();
   }
+  if (!hasJsonContentType(request)) {
+    return contentTypeErrorResponse();
+  }
 
   if (isBodyTooLarge(request, MAX_JSON_BODY_SIZE)) {
     return NextResponse.json({ error: "Request body too large" }, { status: 413 });

package/app/api/admin/pages/route.ts

@@ -3,7 +3,7 @@ import { adminClient as client } from "../../../../lib/sanity/client";
 import { writeClient } from "../../../../lib/sanity/writeClient";
 import { allPagesQuery } from "../../../../lib/sanity/queries";
 import { isAdminAuthenticated } from "../../../../lib/auth";
-import { validateCsrf, csrfErrorResponse } from "../../../../lib/csrf";
+import { validateCsrf, csrfErrorResponse, hasJsonContentType, contentTypeErrorResponse } from "../../../../lib/csrf";
 import { isBodyTooLarge, MAX_JSON_BODY_SIZE } from "../../../../lib/security";
 import { auditLog } from "../../../../lib/audit";
 import { logger } from "../../../../lib/logger";
@@ -39,6 +39,9 @@ export async function POST(request: NextRequest) {
   if (!validateCsrf(request)) {
     return csrfErrorResponse();
   }
+  if (!hasJsonContentType(request)) {
+    return contentTypeErrorResponse();
+  }
   if (isBodyTooLarge(request, MAX_JSON_BODY_SIZE)) {
     return NextResponse.json({ error: "Request body too large" }, { status: 413 });
   }

package/app/api/admin/r2/connect/route.ts

@@ -5,6 +5,7 @@ import { writeClient } from "../../../../../lib/sanity/writeClient";
 import { validateCsrf, csrfErrorResponse } from "../../../../../lib/csrf";
 import { encryptToken, isBodyTooLarge, MAX_JSON_BODY_SIZE, jsonError } from "../../../../../lib/security";
 import { logger } from "../../../../../lib/logger";
+import { invalidateProviderConfigCache } from "../../../../../lib/storage";
 
 /**
  * POST /api/admin/r2/connect — Validate and store R2 credentials.
@@ -99,6 +100,9 @@ export async function POST(request: NextRequest) {
     }
 
     // #17: Test S3 API credentials (not just public URL) using HeadBucket
+    // Surface CORS-configuration outcome so the caller can warn the user.
+    let corsConfiguredResult = false;
+    let corsErrorResult: string | undefined;
     try {
       const testS3 = new S3Client({
         region: "auto",
@@ -115,6 +119,8 @@ export async function POST(request: NextRequest) {
       // from the Vercel deployment origin. We allow all origins with * because
       // the presigned URL itself is the auth gate — only holders of a valid
       // signed URL can upload. This also covers preview deploys and localhost.
+      let corsConfigured = true;
+      let corsErrorMessage: string | undefined;
       try {
         await testS3.send(
           new PutBucketCorsCommand({
@@ -133,11 +139,17 @@ export async function POST(request: NextRequest) {
           })
         );
       } catch (corsErr) {
+        corsConfigured = false;
+        corsErrorMessage = corsErr instanceof Error ? corsErr.message : "Unknown CORS error";
         logger.warn("[Admin:R2]", "Failed to auto-configure CORS on R2 bucket", corsErr);
-        // Non-fatal — user can configure CORS manually in Cloudflare dashboard
+        // Non-fatal — surfaced in the response so the admin UI can prompt the
+        // user to configure CORS manually in the Cloudflare dashboard.
       }
 
       testS3.destroy();
+      // Hoist into outer scope so we can include it in the response below
+      corsConfiguredResult = corsConfigured;
+      corsErrorResult = corsErrorMessage;
     } catch (s3Err) {
       return jsonError(
         `S3 credential validation failed: ${s3Err instanceof Error ? s3Err.message : "Could not authenticate with the provided credentials"}. Check your Access Key ID, Secret Access Key, and bucket name.`,
@@ -166,10 +178,16 @@ export async function POST(request: NextRequest) {
       })
       .commit();
 
+    invalidateProviderConfigCache();
+
     return NextResponse.json({
       success: true,
       bucketName: bucketName.trim(),
       publicUrl: publicUrl.trim().replace(/\/$/, ""),
+      corsConfigured: corsConfiguredResult,
+      corsWarning: corsConfiguredResult
+        ? undefined
+        : `CORS auto-configuration failed${corsErrorResult ? ` (${corsErrorResult})` : ""}. Browser uploads may fail until you add a CORS rule in the Cloudflare dashboard allowing PUT from your domain.`,
     });
   } catch (err) {
     logger.error("[Admin:R2]", "Failed to connect R2", err);

package/app/api/admin/r2/disconnect/route.ts

@@ -3,6 +3,7 @@ import { isAdminAuthenticated } from "../../../../../lib/auth";
 import { writeClient } from "../../../../../lib/sanity/writeClient";
 import { validateCsrf, csrfErrorResponse } from "../../../../../lib/csrf";
 import { logger } from "../../../../../lib/logger";
+import { invalidateProviderConfigCache } from "../../../../../lib/storage";
 
 /**
  * POST /api/admin/r2/disconnect — Clear R2 credentials from the registry.
@@ -31,6 +32,8 @@ export async function POST(request: NextRequest) {
       ])
       .commit();
 
+    invalidateProviderConfigCache();
+
     return NextResponse.json({ success: true });
   } catch (err) {
     logger.error("[Admin:R2]", "Failed to disconnect R2", err);

package/app/api/admin/r2/rename/route.ts

@@ -81,6 +81,7 @@ export async function POST(request: NextRequest) {
     });
 
     const renamedPairs: Array<{ oldPath: string; newPath: string }> = [];
+    const renameFailures: Array<{ key: string; reason: string }> = [];
 
     if (isFolder) {
       // Rename all objects under the old prefix
@@ -102,19 +103,48 @@ export async function POST(request: NextRequest) {
           const objKey = obj.Key!;
           const newObjKey = newPrefix + objKey.slice(oldPrefix.length);
 
-          // Copy to new key
-          await s3.send(
-            new CopyObjectCommand({
-              Bucket: bucket,
-              CopySource: `${bucket}/${objKey}`,
-              Key: newObjKey,
-            })
-          );
+          // Per-object try/catch — one failed object shouldn't abort the whole
+          // rename and leave the folder half-moved. On copy failure we skip.
+          // On delete failure we attempt to roll back the copy so the user
+          // doesn't end up with duplicates.
+          try {
+            await s3.send(
+              new CopyObjectCommand({
+                Bucket: bucket,
+                CopySource: `${bucket}/${objKey}`,
+                Key: newObjKey,
+              })
+            );
+          } catch (copyErr) {
+            const reason = copyErr instanceof Error ? copyErr.message : "copy failed";
+            renameFailures.push({ key: objKey, reason });
+            logger.warn("[Admin:R2]", `rename: copy failed for ${objKey}`, copyErr);
+            continue;
+          }
 
-          // Delete old key
-          await s3.send(
-            new DeleteObjectCommand({ Bucket: bucket, Key: objKey })
-          );
+          try {
+            await s3.send(
+              new DeleteObjectCommand({ Bucket: bucket, Key: objKey })
+            );
+          } catch (deleteErr) {
+            const reason = deleteErr instanceof Error ? deleteErr.message : "delete failed";
+            // Copy succeeded but delete failed — roll back the copy so the
+            // old key remains authoritative and the user doesn't see dupes.
+            try {
+              await s3.send(
+                new DeleteObjectCommand({ Bucket: bucket, Key: newObjKey })
+              );
+            } catch (rollbackErr) {
+              logger.warn(
+                "[Admin:R2]",
+                `rename: rollback delete failed for ${newObjKey} — manual cleanup needed`,
+                rollbackErr
+              );
+            }
+            renameFailures.push({ key: objKey, reason: `delete failed (${reason})` });
+            logger.warn("[Admin:R2]", `rename: delete failed for ${objKey}`, deleteErr);
+            continue;
+          }
 
           renamedPairs.push({ oldPath: objKey, newPath: newObjKey });
         }
@@ -247,11 +277,20 @@ export async function POST(request: NextRequest) {
       }
     }
 
-    auditLog("r2.rename", { oldKey, newKey, isFolder, count: renamedPairs.length });
+    auditLog("r2.rename", {
+      oldKey,
+      newKey,
+      isFolder,
+      count: renamedPairs.length,
+      failed: renameFailures.length,
+    });
 
     return NextResponse.json({
       success: true,
       renamedCount: renamedPairs.length,
+      failedCount: renameFailures.length,
+      failures: renameFailures,
+      partial: renameFailures.length > 0,
     });
   } catch (err) {
     // #5: Gracefully handle corrupted encrypted tokens

package/app/api/admin/r2/upload-url/route.ts

@@ -3,7 +3,7 @@ import { S3Client, PutObjectCommand } from "@aws-sdk/client-s3";
 import { getSignedUrl } from "@aws-sdk/s3-request-presigner";
 import { isAdminAuthenticated } from "../../../../../lib/auth";
 import { validateCsrf, csrfErrorResponse } from "../../../../../lib/csrf";
-import { isBodyTooLarge, MAX_JSON_BODY_SIZE, jsonError, isValidAssetPath, checkRateLimit } from "../../../../../lib/security";
+import { isBodyTooLarge, MAX_JSON_BODY_SIZE, jsonError, isValidAssetPath, isValidUploadKey, checkRateLimit } from "../../../../../lib/security";
 import { adminClient as client } from "../../../../../lib/sanity/client";
 import { decryptToken } from "../../../../../lib/security";
 import { getMimeType, isMediaFile } from "../../../../../lib/storage/types";
@@ -77,6 +77,13 @@ export async function POST(request: NextRequest) {
     // ── Build the R2 object key ──
     const key = cleanFolder ? `${cleanFolder}/${filename}` : filename;
 
+    // Defense-in-depth: presigned keys must pass the upload-key allowlist.
+    // Rejects reserved prefixes (backup/, system/), hidden files, `_`-prefixed
+    // folders other than `_thumbs/`, pathological depth, etc.
+    if (!isValidUploadKey(key)) {
+      return jsonError("Upload path is not allowed", 400);
+    }
+
     // ── Resolve content type ──
     const resolvedContentType =
       contentType && typeof contentType === "string"

package/app/api/admin/settings/route.ts

@@ -4,7 +4,7 @@ import { adminClient as client } from "../../../../lib/sanity/client";
 import { writeClient } from "../../../../lib/sanity/writeClient";
 import { siteSettingsQuery } from "../../../../lib/sanity/queries";
 import { isSafeUrl, isBodyTooLarge, MAX_JSON_BODY_SIZE } from "../../../../lib/security";
-import { validateCsrf, csrfErrorResponse } from "../../../../lib/csrf";
+import { validateCsrf, csrfErrorResponse, hasJsonContentType, contentTypeErrorResponse } from "../../../../lib/csrf";
 import { auditLog } from "../../../../lib/audit";
 import { getSiteConfig } from "../../../../lib/config";
 import { logger } from "../../../../lib/logger";
@@ -71,6 +71,9 @@ export async function POST(request: NextRequest) {
   if (!validateCsrf(request)) {
     return csrfErrorResponse();
   }
+  if (!hasJsonContentType(request)) {
+    return contentTypeErrorResponse();
+  }
   if (isBodyTooLarge(request, MAX_JSON_BODY_SIZE)) {
     return NextResponse.json({ error: "Request body too large" }, { status: 413 });
   }

package/app/api/admin/styles/route.ts

@@ -3,7 +3,7 @@ import { isAdminAuthenticated } from "../../../../lib/auth";
 import { adminClient as client } from "../../../../lib/sanity/client";
 import { writeClient } from "../../../../lib/sanity/writeClient";
 import { siteStylesQuery } from "../../../../lib/sanity/queries";
-import { validateCsrf, csrfErrorResponse } from "../../../../lib/csrf";
+import { validateCsrf, csrfErrorResponse, hasJsonContentType, contentTypeErrorResponse } from "../../../../lib/csrf";
 import { isBodyTooLarge, MAX_JSON_BODY_SIZE } from "../../../../lib/security";
 import { logger } from "../../../../lib/logger";
 import { DEFAULT_GRID_WIDTH } from "../../../../lib/builder/constants";
@@ -158,6 +158,9 @@ export async function POST(request: NextRequest) {
   if (!validateCsrf(request)) {
     return csrfErrorResponse();
   }
+  if (!hasJsonContentType(request)) {
+    return contentTypeErrorResponse();
+  }
   if (isBodyTooLarge(request, MAX_JSON_BODY_SIZE)) {
     return NextResponse.json({ error: "Request body too large" }, { status: 413 });
   }