@olmocms/front 0.1.2 → 0.1.6

package/README.md

@@ -9,8 +9,7 @@ Shared utilities, React components, SEO helpers, middleware, and CLI scaffold to
 - [Package entries](#package-entries)
 - [Installation](#installation)
 - [Local development (watch mode)](#local-development-watch-mode)
-- [Publishing to npm](#publishing-to-npm)
-- [Versioning](#versioning)
+- [Releasing a new version](#releasing-a-new-version)
 - [CLI — olmo-front](#cli--olmo-front)
 - [Entry point reference](#entry-point-reference)
 
@@ -91,71 +90,58 @@ Then run `npm install`.
 
 ---
 
-## Publishing to npm
+## Releasing a new version
 
-### Prerequisites
+Releases are automated by GitLab CI: pushing a `vX.Y.Z` git tag triggers `npm publish` to the public npm registry. You do **not** run `npm publish` manually for normal releases.
 
-- npm account with access to the `@olmocms` org
-- npm auth token (Publish scope) stored in `.npmrc`
+### Day-to-day release flow
 
-### Step 1 — Set up `.npmrc`
+From a clean working tree on `main`:
 
 ```bash
-cp .npmrc.example .npmrc
+npm version patch   # or minor / major — bumps package.json AND creates a vX.Y.Z git tag
+git push origin main --follow-tags
 ```
 
-Replace `YOUR_NPM_TOKEN` with a token from **https://www.npmjs.com/settings/\<username\>/tokens**.
+That's the whole release. GitLab CI then:
 
-### Step 2 — Build
+1. Runs `typecheck` and `build` on every push (see `.gitlab-ci.yml`).
+2. On a tag matching `^v\d+\.\d+\.\d+$`, runs the `publish` job, which writes `NPM_TOKEN` into `~/.npmrc` and runs `npm publish`. `publishConfig.access: "public"` in `package.json` makes it a public scoped publish.
 
-```bash
-npm run build
-```
-
-Produces:
-- `dist/*.js` — ESM bundles
-- `dist/*.cjs` — CommonJS bundles
-- `dist/*.d.ts` — TypeScript declarations
-- `dist/cli/index.js` — CLI binary
-
-### Step 3 — Publish
-
-```bash
-npm publish
-```
+Watch the pipeline at **GitLab → CI/CD → Pipelines**. When green, verify on **https://www.npmjs.com/package/@olmocms/front**.
 
-The `publishConfig.access: "public"` in `package.json` ensures it publishes as a public scoped package.
-
-### Step 4 — Verify
-
-Check **https://www.npmjs.com/package/@olmocms/front** for the new version.
-
----
-
-## Versioning
+### Version bump rules
 
 Follow semantic versioning (`MAJOR.MINOR.PATCH`):
 
-| Change type | Version bump | Example |
+| Change | Bump | Example |
 |---|---|---|
 | Breaking API change | MAJOR | `0.x.x` → `1.0.0` |
 | New entry point or new export | MINOR | `0.1.0` → `0.2.0` |
 | Bug fix, internal refactor | PATCH | `0.1.0` → `0.1.1` |
 
-```bash
-npm version patch   # 0.1.0 → 0.1.1
-npm version minor   # 0.1.0 → 0.2.0
-npm version major   # 0.1.0 → 1.0.0
-```
+npm rejects re-publishing an existing version, so always bump first.
+
+### One-time setup (reference — already done)
+
+Kept here so the wiring is recoverable if the project is ever cloned fresh or the token rotates:
 
-Then:
+- **npm.js org** — the `@olmocms` organization owns the scope on npmjs.com.
+- **npm automation token** — generated under *Account → Access Tokens → Generate New Token → Granular Access Token* (or a classic *Automation* token), scoped to publish `@olmocms/*`. Automation tokens bypass 2FA, which CI requires.
+- **GitLab CI/CD variable** — token stored as `NPM_TOKEN` under *Settings → CI/CD → Variables*, marked **Masked** and **Protected**.
+- **GitLab protected tag** — `v*` added under *Settings → Repository → Protected tags*, so only protected refs can read `NPM_TOKEN`.
+- **`.gitlab-ci.yml`** — defines `typecheck`, `build`, and the tag-gated `publish` job.
+
+### Manual publish (fallback only)
+
+Only needed for the very first publish of a new scope or if CI is broken:
 
 ```bash
-npm run build && npm publish
+npm login
+npm run build
+npm publish
 ```
 
-npm does not allow overwriting an existing version — always increment before publishing.
-
 ---
 
 ## CLI — olmo-front

package/dist/auth/action.cjs

@@ -0,0 +1,106 @@
+"use server";
+"use strict";
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+
+// src/auth/action.ts
+var action_exports = {};
+__export(action_exports, {
+  stageLoginAction: () => stageLoginAction
+});
+module.exports = __toCommonJS(action_exports);
+var import_headers = require("next/headers");
+
+// src/auth/stage.ts
+var COOKIE_NAME = "olmo_stage_auth";
+var DEFAULT_SESSION_DAYS = 7;
+function readStageEnv() {
+  const username = process.env.OLMO_STAGE_USERNAME;
+  const password = process.env.OLMO_STAGE_PASSWORD;
+  const secret = process.env.OLMO_STAGE_SECRET;
+  if (!username || !password || !secret) return null;
+  const days = Number(process.env.OLMO_STAGE_SESSION_DAYS);
+  return {
+    username,
+    password,
+    secret,
+    sessionDays: Number.isFinite(days) && days > 0 ? days : DEFAULT_SESSION_DAYS
+  };
+}
+function getStageCookieName() {
+  return COOKIE_NAME;
+}
+function toBase64Url(bytes) {
+  const arr = bytes instanceof Uint8Array ? bytes : new Uint8Array(bytes);
+  let str = "";
+  for (let i = 0; i < arr.length; i++) str += String.fromCharCode(arr[i]);
+  return btoa(str).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
+}
+async function importKey(secret) {
+  return crypto.subtle.importKey(
+    "raw",
+    new TextEncoder().encode(secret),
+    { name: "HMAC", hash: "SHA-256" },
+    false,
+    ["sign", "verify"]
+  );
+}
+async function signSession(payload, secret) {
+  const body = toBase64Url(new TextEncoder().encode(JSON.stringify(payload)));
+  const key = await importKey(secret);
+  const sig = await crypto.subtle.sign("HMAC", key, new TextEncoder().encode(body));
+  return `${body}.${toBase64Url(sig)}`;
+}
+function verifyCredentials(env, username, password) {
+  if (typeof username !== "string" || typeof password !== "string") return false;
+  return username === env.username && password === env.password;
+}
+
+// src/auth/action.ts
+function safeRedirectTarget(raw) {
+  if (typeof raw !== "string" || raw.length === 0) return "/";
+  if (!raw.startsWith("/") || raw.startsWith("//")) return "/";
+  return raw;
+}
+async function stageLoginAction(_prev, formData) {
+  const env = readStageEnv();
+  if (!env) return { error: "missing_config" };
+  const username = formData.get("username");
+  const password = formData.get("password");
+  if (!verifyCredentials(env, username, password)) {
+    return { error: "invalid_credentials" };
+  }
+  const exp = Date.now() + env.sessionDays * 24 * 60 * 60 * 1e3;
+  const token = await signSession({ u: env.username, exp }, env.secret);
+  const store = await (0, import_headers.cookies)();
+  store.set(getStageCookieName(), token, {
+    httpOnly: true,
+    // secure must be false on HTTP dev (next dev on localhost) so the browser stores
+    // the cookie. In production builds (next start / Vercel) this becomes true.
+    secure: process.env.NODE_ENV === "production",
+    sameSite: "lax",
+    path: "/",
+    expires: new Date(exp)
+  });
+  return { redirectTo: safeRedirectTarget(formData.get("from")) };
+}
+// Annotate the CommonJS export names for ESM import in node:
+0 && (module.exports = {
+  stageLoginAction
+});
+//# sourceMappingURL=action.cjs.map

package/dist/auth/action.cjs.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../../src/auth/action.ts","../../src/auth/stage.ts"],"sourcesContent":["// 'use server' is injected by the tsup banner — keep this file directive-free\n// so the bundled output has exactly one directive at the top.\nimport { cookies } from 'next/headers';\nimport { getStageCookieName, readStageEnv, signSession, verifyCredentials } from './stage.js';\n\nexport type StageLoginState = {\n  error?: 'missing_config' | 'invalid_credentials' | null;\n  redirectTo?: string | null;\n};\n\nfunction safeRedirectTarget(raw: unknown): string {\n  if (typeof raw !== 'string' || raw.length === 0) return '/';\n  if (!raw.startsWith('/') || raw.startsWith('//')) return '/';\n  return raw;\n}\n\nexport async function stageLoginAction(_prev: StageLoginState, formData: FormData): Promise<StageLoginState> {\n  const env = readStageEnv();\n  if (!env) return { error: 'missing_config' };\n\n  const username = formData.get('username');\n  const password = formData.get('password');\n  if (!verifyCredentials(env, username, password)) {\n    return { error: 'invalid_credentials' };\n  }\n\n  const exp = Date.now() + env.sessionDays * 24 * 60 * 60 * 1000;\n  const token = await signSession({ u: env.username, exp }, env.secret);\n\n  const store = await cookies();\n  store.set(getStageCookieName(), token, {\n    httpOnly: true,\n    // secure must be false on HTTP dev (next dev on localhost) so the browser stores\n    // the cookie. In production builds (next start / Vercel) this becomes true.\n    secure: process.env.NODE_ENV === 'production',\n    sameSite: 'lax',\n    path: '/',\n    expires: new Date(exp),\n  });\n\n  // Return the target instead of calling redirect() here. The client-side\n  // <StageLogin> reads this in a useEffect and calls router.replace, which\n  // guarantees the Set-Cookie has been committed to the browser jar before\n  // the next GET fires. This eliminates the cookie-commit vs redirect race\n  // that surfaces on Vercel's edge runtime + CDN.\n  return { redirectTo: safeRedirectTarget(formData.get('from')) };\n}\n","// Internal helpers for the stage-environment auth gate.\n// Edge-runtime safe (uses Web Crypto, no Node APIs).\n\nconst COOKIE_NAME = 'olmo_stage_auth';\nconst DEFAULT_SESSION_DAYS = 7;\n\nexport type StagePayload = { u: string; exp: number };\n\nexport type StageEnv = {\n  username: string;\n  password: string;\n  secret: string;\n  sessionDays: number;\n};\n\nexport function readStageEnv(): StageEnv | null {\n  const username = process.env.OLMO_STAGE_USERNAME;\n  const password = process.env.OLMO_STAGE_PASSWORD;\n  const secret = process.env.OLMO_STAGE_SECRET;\n  if (!username || !password || !secret) return null;\n  const days = Number(process.env.OLMO_STAGE_SESSION_DAYS);\n  return {\n    username,\n    password,\n    secret,\n    sessionDays: Number.isFinite(days) && days > 0 ? days : DEFAULT_SESSION_DAYS,\n  };\n}\n\nexport function getStageCookieName(): string {\n  return COOKIE_NAME;\n}\n\nfunction toBase64Url(bytes: ArrayBuffer | Uint8Array): string {\n  const arr = bytes instanceof Uint8Array ? bytes : new Uint8Array(bytes);\n  let str = '';\n  for (let i = 0; i < arr.length; i++) str += String.fromCharCode(arr[i]);\n  return btoa(str).replace(/\\+/g, '-').replace(/\\//g, '_').replace(/=+$/, '');\n}\n\nfunction fromBase64Url(input: string): Uint8Array {\n  const pad = input.length % 4 === 0 ? '' : '='.repeat(4 - (input.length % 4));\n  const b64 = input.replace(/-/g, '+').replace(/_/g, '/') + pad;\n  const bin = atob(b64);\n  const out = new Uint8Array(bin.length);\n  for (let i = 0; i < bin.length; i++) out[i] = bin.charCodeAt(i);\n  return out;\n}\n\nasync function importKey(secret: string): Promise<CryptoKey> {\n  return crypto.subtle.importKey(\n    'raw',\n    new TextEncoder().encode(secret),\n    { name: 'HMAC', hash: 'SHA-256' },\n    false,\n    ['sign', 'verify'],\n  );\n}\n\nexport async function signSession(payload: StagePayload, secret: string): Promise<string> {\n  const body = toBase64Url(new TextEncoder().encode(JSON.stringify(payload)));\n  const key = await importKey(secret);\n  const sig = await crypto.subtle.sign('HMAC', key, new TextEncoder().encode(body));\n  return `${body}.${toBase64Url(sig)}`;\n}\n\nexport async function verifySession(token: string | undefined, secret: string): Promise<StagePayload | null> {\n  if (!token || typeof token !== 'string' || token.indexOf('.') === -1) return null;\n  const [body, sig] = token.split('.');\n  if (!body || !sig) return null;\n  let key: CryptoKey;\n  try {\n    key = await importKey(secret);\n  } catch {\n    return null;\n  }\n  let valid = false;\n  try {\n    valid = await crypto.subtle.verify('HMAC', key, fromBase64Url(sig) as BufferSource, new TextEncoder().encode(body));\n  } catch {\n    return null;\n  }\n  if (!valid) return null;\n  let payload: StagePayload;\n  try {\n    payload = JSON.parse(new TextDecoder().decode(fromBase64Url(body)));\n  } catch {\n    return null;\n  }\n  if (!payload || typeof payload.exp !== 'number' || payload.exp < Date.now()) return null;\n  return payload;\n}\n\nexport function verifyCredentials(env: StageEnv, username: unknown, password: unknown): boolean {\n  if (typeof username !== 'string' || typeof password !== 'string') return false;\n  return username === env.username && password === env.password;\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;AAAA;AAAA;AAAA;AAAA;AAAA;AAEA,qBAAwB;;;ACCxB,IAAM,cAAc;AACpB,IAAM,uBAAuB;AAWtB,SAAS,eAAgC;AAC9C,QAAM,WAAW,QAAQ,IAAI;AAC7B,QAAM,WAAW,QAAQ,IAAI;AAC7B,QAAM,SAAS,QAAQ,IAAI;AAC3B,MAAI,CAAC,YAAY,CAAC,YAAY,CAAC,OAAQ,QAAO;AAC9C,QAAM,OAAO,OAAO,QAAQ,IAAI,uBAAuB;AACvD,SAAO;AAAA,IACL;AAAA,IACA;AAAA,IACA;AAAA,IACA,aAAa,OAAO,SAAS,IAAI,KAAK,OAAO,IAAI,OAAO;AAAA,EAC1D;AACF;AAEO,SAAS,qBAA6B;AAC3C,SAAO;AACT;AAEA,SAAS,YAAY,OAAyC;AAC5D,QAAM,MAAM,iBAAiB,aAAa,QAAQ,IAAI,WAAW,KAAK;AACtE,MAAI,MAAM;AACV,WAAS,IAAI,GAAG,IAAI,IAAI,QAAQ,IAAK,QAAO,OAAO,aAAa,IAAI,CAAC,CAAC;AACtE,SAAO,KAAK,GAAG,EAAE,QAAQ,OAAO,GAAG,EAAE,QAAQ,OAAO,GAAG,EAAE,QAAQ,OAAO,EAAE;AAC5E;AAWA,eAAe,UAAU,QAAoC;AAC3D,SAAO,OAAO,OAAO;AAAA,IACnB;AAAA,IACA,IAAI,YAAY,EAAE,OAAO,MAAM;AAAA,IAC/B,EAAE,MAAM,QAAQ,MAAM,UAAU;AAAA,IAChC;AAAA,IACA,CAAC,QAAQ,QAAQ;AAAA,EACnB;AACF;AAEA,eAAsB,YAAY,SAAuB,QAAiC;AACxF,QAAM,OAAO,YAAY,IAAI,YAAY,EAAE,OAAO,KAAK,UAAU,OAAO,CAAC,CAAC;AAC1E,QAAM,MAAM,MAAM,UAAU,MAAM;AAClC,QAAM,MAAM,MAAM,OAAO,OAAO,KAAK,QAAQ,KAAK,IAAI,YAAY,EAAE,OAAO,IAAI,CAAC;AAChF,SAAO,GAAG,IAAI,IAAI,YAAY,GAAG,CAAC;AACpC;AA6BO,SAAS,kBAAkB,KAAe,UAAmB,UAA4B;AAC9F,MAAI,OAAO,aAAa,YAAY,OAAO,aAAa,SAAU,QAAO;AACzE,SAAO,aAAa,IAAI,YAAY,aAAa,IAAI;AACvD;;;ADtFA,SAAS,mBAAmB,KAAsB;AAChD,MAAI,OAAO,QAAQ,YAAY,IAAI,WAAW,EAAG,QAAO;AACxD,MAAI,CAAC,IAAI,WAAW,GAAG,KAAK,IAAI,WAAW,IAAI,EAAG,QAAO;AACzD,SAAO;AACT;AAEA,eAAsB,iBAAiB,OAAwB,UAA8C;AAC3G,QAAM,MAAM,aAAa;AACzB,MAAI,CAAC,IAAK,QAAO,EAAE,OAAO,iBAAiB;AAE3C,QAAM,WAAW,SAAS,IAAI,UAAU;AACxC,QAAM,WAAW,SAAS,IAAI,UAAU;AACxC,MAAI,CAAC,kBAAkB,KAAK,UAAU,QAAQ,GAAG;AAC/C,WAAO,EAAE,OAAO,sBAAsB;AAAA,EACxC;AAEA,QAAM,MAAM,KAAK,IAAI,IAAI,IAAI,cAAc,KAAK,KAAK,KAAK;AAC1D,QAAM,QAAQ,MAAM,YAAY,EAAE,GAAG,IAAI,UAAU,IAAI,GAAG,IAAI,MAAM;AAEpE,QAAM,QAAQ,UAAM,wBAAQ;AAC5B,QAAM,IAAI,mBAAmB,GAAG,OAAO;AAAA,IACrC,UAAU;AAAA;AAAA;AAAA,IAGV,QAAQ,QAAQ,IAAI,aAAa;AAAA,IACjC,UAAU;AAAA,IACV,MAAM;AAAA,IACN,SAAS,IAAI,KAAK,GAAG;AAAA,EACvB,CAAC;AAOD,SAAO,EAAE,YAAY,mBAAmB,SAAS,IAAI,MAAM,CAAC,EAAE;AAChE;","names":[]}

package/dist/auth/action.d.cts

@@ -0,0 +1,7 @@
+type StageLoginState = {
+    error?: 'missing_config' | 'invalid_credentials' | null;
+    redirectTo?: string | null;
+};
+declare function stageLoginAction(_prev: StageLoginState, formData: FormData): Promise<StageLoginState>;
+
+export { type StageLoginState, stageLoginAction };

package/dist/auth/action.d.ts

@@ -0,0 +1,7 @@
+type StageLoginState = {
+    error?: 'missing_config' | 'invalid_credentials' | null;
+    redirectTo?: string | null;
+};
+declare function stageLoginAction(_prev: StageLoginState, formData: FormData): Promise<StageLoginState>;
+
+export { type StageLoginState, stageLoginAction };

package/dist/auth/action.js

@@ -0,0 +1,82 @@
+"use server";
+
+// src/auth/action.ts
+import { cookies } from "next/headers";
+
+// src/auth/stage.ts
+var COOKIE_NAME = "olmo_stage_auth";
+var DEFAULT_SESSION_DAYS = 7;
+function readStageEnv() {
+  const username = process.env.OLMO_STAGE_USERNAME;
+  const password = process.env.OLMO_STAGE_PASSWORD;
+  const secret = process.env.OLMO_STAGE_SECRET;
+  if (!username || !password || !secret) return null;
+  const days = Number(process.env.OLMO_STAGE_SESSION_DAYS);
+  return {
+    username,
+    password,
+    secret,
+    sessionDays: Number.isFinite(days) && days > 0 ? days : DEFAULT_SESSION_DAYS
+  };
+}
+function getStageCookieName() {
+  return COOKIE_NAME;
+}
+function toBase64Url(bytes) {
+  const arr = bytes instanceof Uint8Array ? bytes : new Uint8Array(bytes);
+  let str = "";
+  for (let i = 0; i < arr.length; i++) str += String.fromCharCode(arr[i]);
+  return btoa(str).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
+}
+async function importKey(secret) {
+  return crypto.subtle.importKey(
+    "raw",
+    new TextEncoder().encode(secret),
+    { name: "HMAC", hash: "SHA-256" },
+    false,
+    ["sign", "verify"]
+  );
+}
+async function signSession(payload, secret) {
+  const body = toBase64Url(new TextEncoder().encode(JSON.stringify(payload)));
+  const key = await importKey(secret);
+  const sig = await crypto.subtle.sign("HMAC", key, new TextEncoder().encode(body));
+  return `${body}.${toBase64Url(sig)}`;
+}
+function verifyCredentials(env, username, password) {
+  if (typeof username !== "string" || typeof password !== "string") return false;
+  return username === env.username && password === env.password;
+}
+
+// src/auth/action.ts
+function safeRedirectTarget(raw) {
+  if (typeof raw !== "string" || raw.length === 0) return "/";
+  if (!raw.startsWith("/") || raw.startsWith("//")) return "/";
+  return raw;
+}
+async function stageLoginAction(_prev, formData) {
+  const env = readStageEnv();
+  if (!env) return { error: "missing_config" };
+  const username = formData.get("username");
+  const password = formData.get("password");
+  if (!verifyCredentials(env, username, password)) {
+    return { error: "invalid_credentials" };
+  }
+  const exp = Date.now() + env.sessionDays * 24 * 60 * 60 * 1e3;
+  const token = await signSession({ u: env.username, exp }, env.secret);
+  const store = await cookies();
+  store.set(getStageCookieName(), token, {
+    httpOnly: true,
+    // secure must be false on HTTP dev (next dev on localhost) so the browser stores
+    // the cookie. In production builds (next start / Vercel) this becomes true.
+    secure: process.env.NODE_ENV === "production",
+    sameSite: "lax",
+    path: "/",
+    expires: new Date(exp)
+  });
+  return { redirectTo: safeRedirectTarget(formData.get("from")) };
+}
+export {
+  stageLoginAction
+};
+//# sourceMappingURL=action.js.map

package/dist/auth/action.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../../src/auth/action.ts","../../src/auth/stage.ts"],"sourcesContent":["// 'use server' is injected by the tsup banner — keep this file directive-free\n// so the bundled output has exactly one directive at the top.\nimport { cookies } from 'next/headers';\nimport { getStageCookieName, readStageEnv, signSession, verifyCredentials } from './stage.js';\n\nexport type StageLoginState = {\n  error?: 'missing_config' | 'invalid_credentials' | null;\n  redirectTo?: string | null;\n};\n\nfunction safeRedirectTarget(raw: unknown): string {\n  if (typeof raw !== 'string' || raw.length === 0) return '/';\n  if (!raw.startsWith('/') || raw.startsWith('//')) return '/';\n  return raw;\n}\n\nexport async function stageLoginAction(_prev: StageLoginState, formData: FormData): Promise<StageLoginState> {\n  const env = readStageEnv();\n  if (!env) return { error: 'missing_config' };\n\n  const username = formData.get('username');\n  const password = formData.get('password');\n  if (!verifyCredentials(env, username, password)) {\n    return { error: 'invalid_credentials' };\n  }\n\n  const exp = Date.now() + env.sessionDays * 24 * 60 * 60 * 1000;\n  const token = await signSession({ u: env.username, exp }, env.secret);\n\n  const store = await cookies();\n  store.set(getStageCookieName(), token, {\n    httpOnly: true,\n    // secure must be false on HTTP dev (next dev on localhost) so the browser stores\n    // the cookie. In production builds (next start / Vercel) this becomes true.\n    secure: process.env.NODE_ENV === 'production',\n    sameSite: 'lax',\n    path: '/',\n    expires: new Date(exp),\n  });\n\n  // Return the target instead of calling redirect() here. The client-side\n  // <StageLogin> reads this in a useEffect and calls router.replace, which\n  // guarantees the Set-Cookie has been committed to the browser jar before\n  // the next GET fires. This eliminates the cookie-commit vs redirect race\n  // that surfaces on Vercel's edge runtime + CDN.\n  return { redirectTo: safeRedirectTarget(formData.get('from')) };\n}\n","// Internal helpers for the stage-environment auth gate.\n// Edge-runtime safe (uses Web Crypto, no Node APIs).\n\nconst COOKIE_NAME = 'olmo_stage_auth';\nconst DEFAULT_SESSION_DAYS = 7;\n\nexport type StagePayload = { u: string; exp: number };\n\nexport type StageEnv = {\n  username: string;\n  password: string;\n  secret: string;\n  sessionDays: number;\n};\n\nexport function readStageEnv(): StageEnv | null {\n  const username = process.env.OLMO_STAGE_USERNAME;\n  const password = process.env.OLMO_STAGE_PASSWORD;\n  const secret = process.env.OLMO_STAGE_SECRET;\n  if (!username || !password || !secret) return null;\n  const days = Number(process.env.OLMO_STAGE_SESSION_DAYS);\n  return {\n    username,\n    password,\n    secret,\n    sessionDays: Number.isFinite(days) && days > 0 ? days : DEFAULT_SESSION_DAYS,\n  };\n}\n\nexport function getStageCookieName(): string {\n  return COOKIE_NAME;\n}\n\nfunction toBase64Url(bytes: ArrayBuffer | Uint8Array): string {\n  const arr = bytes instanceof Uint8Array ? bytes : new Uint8Array(bytes);\n  let str = '';\n  for (let i = 0; i < arr.length; i++) str += String.fromCharCode(arr[i]);\n  return btoa(str).replace(/\\+/g, '-').replace(/\\//g, '_').replace(/=+$/, '');\n}\n\nfunction fromBase64Url(input: string): Uint8Array {\n  const pad = input.length % 4 === 0 ? '' : '='.repeat(4 - (input.length % 4));\n  const b64 = input.replace(/-/g, '+').replace(/_/g, '/') + pad;\n  const bin = atob(b64);\n  const out = new Uint8Array(bin.length);\n  for (let i = 0; i < bin.length; i++) out[i] = bin.charCodeAt(i);\n  return out;\n}\n\nasync function importKey(secret: string): Promise<CryptoKey> {\n  return crypto.subtle.importKey(\n    'raw',\n    new TextEncoder().encode(secret),\n    { name: 'HMAC', hash: 'SHA-256' },\n    false,\n    ['sign', 'verify'],\n  );\n}\n\nexport async function signSession(payload: StagePayload, secret: string): Promise<string> {\n  const body = toBase64Url(new TextEncoder().encode(JSON.stringify(payload)));\n  const key = await importKey(secret);\n  const sig = await crypto.subtle.sign('HMAC', key, new TextEncoder().encode(body));\n  return `${body}.${toBase64Url(sig)}`;\n}\n\nexport async function verifySession(token: string | undefined, secret: string): Promise<StagePayload | null> {\n  if (!token || typeof token !== 'string' || token.indexOf('.') === -1) return null;\n  const [body, sig] = token.split('.');\n  if (!body || !sig) return null;\n  let key: CryptoKey;\n  try {\n    key = await importKey(secret);\n  } catch {\n    return null;\n  }\n  let valid = false;\n  try {\n    valid = await crypto.subtle.verify('HMAC', key, fromBase64Url(sig) as BufferSource, new TextEncoder().encode(body));\n  } catch {\n    return null;\n  }\n  if (!valid) return null;\n  let payload: StagePayload;\n  try {\n    payload = JSON.parse(new TextDecoder().decode(fromBase64Url(body)));\n  } catch {\n    return null;\n  }\n  if (!payload || typeof payload.exp !== 'number' || payload.exp < Date.now()) return null;\n  return payload;\n}\n\nexport function verifyCredentials(env: StageEnv, username: unknown, password: unknown): boolean {\n  if (typeof username !== 'string' || typeof password !== 'string') return false;\n  return username === env.username && password === env.password;\n}\n"],"mappings":";;;AAEA,SAAS,eAAe;;;ACCxB,IAAM,cAAc;AACpB,IAAM,uBAAuB;AAWtB,SAAS,eAAgC;AAC9C,QAAM,WAAW,QAAQ,IAAI;AAC7B,QAAM,WAAW,QAAQ,IAAI;AAC7B,QAAM,SAAS,QAAQ,IAAI;AAC3B,MAAI,CAAC,YAAY,CAAC,YAAY,CAAC,OAAQ,QAAO;AAC9C,QAAM,OAAO,OAAO,QAAQ,IAAI,uBAAuB;AACvD,SAAO;AAAA,IACL;AAAA,IACA;AAAA,IACA;AAAA,IACA,aAAa,OAAO,SAAS,IAAI,KAAK,OAAO,IAAI,OAAO;AAAA,EAC1D;AACF;AAEO,SAAS,qBAA6B;AAC3C,SAAO;AACT;AAEA,SAAS,YAAY,OAAyC;AAC5D,QAAM,MAAM,iBAAiB,aAAa,QAAQ,IAAI,WAAW,KAAK;AACtE,MAAI,MAAM;AACV,WAAS,IAAI,GAAG,IAAI,IAAI,QAAQ,IAAK,QAAO,OAAO,aAAa,IAAI,CAAC,CAAC;AACtE,SAAO,KAAK,GAAG,EAAE,QAAQ,OAAO,GAAG,EAAE,QAAQ,OAAO,GAAG,EAAE,QAAQ,OAAO,EAAE;AAC5E;AAWA,eAAe,UAAU,QAAoC;AAC3D,SAAO,OAAO,OAAO;AAAA,IACnB;AAAA,IACA,IAAI,YAAY,EAAE,OAAO,MAAM;AAAA,IAC/B,EAAE,MAAM,QAAQ,MAAM,UAAU;AAAA,IAChC;AAAA,IACA,CAAC,QAAQ,QAAQ;AAAA,EACnB;AACF;AAEA,eAAsB,YAAY,SAAuB,QAAiC;AACxF,QAAM,OAAO,YAAY,IAAI,YAAY,EAAE,OAAO,KAAK,UAAU,OAAO,CAAC,CAAC;AAC1E,QAAM,MAAM,MAAM,UAAU,MAAM;AAClC,QAAM,MAAM,MAAM,OAAO,OAAO,KAAK,QAAQ,KAAK,IAAI,YAAY,EAAE,OAAO,IAAI,CAAC;AAChF,SAAO,GAAG,IAAI,IAAI,YAAY,GAAG,CAAC;AACpC;AA6BO,SAAS,kBAAkB,KAAe,UAAmB,UAA4B;AAC9F,MAAI,OAAO,aAAa,YAAY,OAAO,aAAa,SAAU,QAAO;AACzE,SAAO,aAAa,IAAI,YAAY,aAAa,IAAI;AACvD;;;ADtFA,SAAS,mBAAmB,KAAsB;AAChD,MAAI,OAAO,QAAQ,YAAY,IAAI,WAAW,EAAG,QAAO;AACxD,MAAI,CAAC,IAAI,WAAW,GAAG,KAAK,IAAI,WAAW,IAAI,EAAG,QAAO;AACzD,SAAO;AACT;AAEA,eAAsB,iBAAiB,OAAwB,UAA8C;AAC3G,QAAM,MAAM,aAAa;AACzB,MAAI,CAAC,IAAK,QAAO,EAAE,OAAO,iBAAiB;AAE3C,QAAM,WAAW,SAAS,IAAI,UAAU;AACxC,QAAM,WAAW,SAAS,IAAI,UAAU;AACxC,MAAI,CAAC,kBAAkB,KAAK,UAAU,QAAQ,GAAG;AAC/C,WAAO,EAAE,OAAO,sBAAsB;AAAA,EACxC;AAEA,QAAM,MAAM,KAAK,IAAI,IAAI,IAAI,cAAc,KAAK,KAAK,KAAK;AAC1D,QAAM,QAAQ,MAAM,YAAY,EAAE,GAAG,IAAI,UAAU,IAAI,GAAG,IAAI,MAAM;AAEpE,QAAM,QAAQ,MAAM,QAAQ;AAC5B,QAAM,IAAI,mBAAmB,GAAG,OAAO;AAAA,IACrC,UAAU;AAAA;AAAA;AAAA,IAGV,QAAQ,QAAQ,IAAI,aAAa;AAAA,IACjC,UAAU;AAAA,IACV,MAAM;AAAA,IACN,SAAS,IAAI,KAAK,GAAG;AAAA,EACvB,CAAC;AAOD,SAAO,EAAE,YAAY,mBAAmB,SAAS,IAAI,MAAM,CAAC,EAAE;AAChE;","names":[]}

package/dist/chunk-UCR7WW3X.js

@@ -0,0 +1,169 @@
+// src/middleware/chain.ts
+import { NextResponse } from "next/server";
+function chain(functions = [], index = 0) {
+  const current = functions[index];
+  if (current) {
+    const next = chain(functions, index + 1);
+    return current(next);
+  }
+  return () => NextResponse.next();
+}
+
+// src/middleware/headermiddleware.ts
+import { NextRequest } from "next/server";
+var headermiddleware = (next) => {
+  return async (request, _next) => {
+    const url = new URL(request.url);
+    const params = new URLSearchParams(url.search);
+    const headers = new Headers(request.headers);
+    headers.set("x-current-path", request.nextUrl.pathname);
+    headers.set("x-server", "true");
+    headers.set("olmo-preview", params.has("olmopreview").toString());
+    return next(new NextRequest(request.url, { headers }), _next);
+  };
+};
+
+// src/middleware/redirectmiddleware.ts
+import { NextResponse as NextResponse2 } from "next/server";
+var redirectmiddleware = (next) => {
+  return async (request, _next) => {
+    if (request.headers.has("rsc")) {
+      return next(request, _next);
+    }
+    if (!process.env.NEXT_PUBLIC_OLMO_TOKEN || !process.env.NEXT_PUBLIC_API_URL || !process.env.NEXT_PUBLIC_BASE_URL) {
+      return next(request, _next);
+    }
+    const pathNameWithTrailingSlash = request.nextUrl.pathname;
+    const response = await fetch(`${process.env.NEXT_PUBLIC_API_URL}/all/redirect`, {
+      method: "GET",
+      cache: "force-cache",
+      next: { tags: ["olmo", "redirect"] },
+      headers: { "front-token": process.env.NEXT_PUBLIC_OLMO_TOKEN }
+    });
+    const data = await response.json();
+    const redirects = data.map((e) => ({
+      source: e.source,
+      destination: e.destination,
+      permanent: e.permanent === "true"
+    }));
+    if (redirects.length > 0) {
+      const redirect = redirects.find((item) => item.source === pathNameWithTrailingSlash);
+      if (!redirect) {
+        return next(request, _next);
+      }
+      const newUrl = new URL(redirect.destination, process.env.NEXT_PUBLIC_BASE_URL).toString();
+      return NextResponse2.redirect(newUrl, { status: redirect.permanent ? 308 : 307 });
+    }
+    return next(request, _next);
+  };
+};
+
+// src/middleware/stagegatemiddleware.ts
+import { NextResponse as NextResponse3 } from "next/server";
+
+// src/auth/stage.ts
+var COOKIE_NAME = "olmo_stage_auth";
+var DEFAULT_SESSION_DAYS = 7;
+function readStageEnv() {
+  const username = process.env.OLMO_STAGE_USERNAME;
+  const password = process.env.OLMO_STAGE_PASSWORD;
+  const secret = process.env.OLMO_STAGE_SECRET;
+  if (!username || !password || !secret) return null;
+  const days = Number(process.env.OLMO_STAGE_SESSION_DAYS);
+  return {
+    username,
+    password,
+    secret,
+    sessionDays: Number.isFinite(days) && days > 0 ? days : DEFAULT_SESSION_DAYS
+  };
+}
+function getStageCookieName() {
+  return COOKIE_NAME;
+}
+function fromBase64Url(input) {
+  const pad = input.length % 4 === 0 ? "" : "=".repeat(4 - input.length % 4);
+  const b64 = input.replace(/-/g, "+").replace(/_/g, "/") + pad;
+  const bin = atob(b64);
+  const out = new Uint8Array(bin.length);
+  for (let i = 0; i < bin.length; i++) out[i] = bin.charCodeAt(i);
+  return out;
+}
+async function importKey(secret) {
+  return crypto.subtle.importKey(
+    "raw",
+    new TextEncoder().encode(secret),
+    { name: "HMAC", hash: "SHA-256" },
+    false,
+    ["sign", "verify"]
+  );
+}
+async function verifySession(token, secret) {
+  if (!token || typeof token !== "string" || token.indexOf(".") === -1) return null;
+  const [body, sig] = token.split(".");
+  if (!body || !sig) return null;
+  let key;
+  try {
+    key = await importKey(secret);
+  } catch {
+    return null;
+  }
+  let valid = false;
+  try {
+    valid = await crypto.subtle.verify("HMAC", key, fromBase64Url(sig), new TextEncoder().encode(body));
+  } catch {
+    return null;
+  }
+  if (!valid) return null;
+  let payload;
+  try {
+    payload = JSON.parse(new TextDecoder().decode(fromBase64Url(body)));
+  } catch {
+    return null;
+  }
+  if (!payload || typeof payload.exp !== "number" || payload.exp < Date.now()) return null;
+  return payload;
+}
+
+// src/middleware/stagegatemiddleware.ts
+var LOGIN_PATH = "/olmo-stage-login/";
+var NOINDEX = "noindex, nofollow, noarchive";
+function withNoindex(res) {
+  res.headers.set("X-Robots-Tag", NOINDEX);
+  return res;
+}
+var stagegatemiddleware = (next) => {
+  return async (request, _next) => {
+    if (process.env.NEXT_PUBLIC_ENV !== "stage") {
+      return next(request, _next);
+    }
+    const { pathname, search } = request.nextUrl;
+    if (pathname === LOGIN_PATH) {
+      return withNoindex(NextResponse3.next());
+    }
+    const env = readStageEnv();
+    if (!env) {
+      const url2 = request.nextUrl.clone();
+      url2.pathname = LOGIN_PATH;
+      url2.search = "";
+      return withNoindex(NextResponse3.redirect(url2, { status: 307 }));
+    }
+    const token = request.cookies.get(getStageCookieName())?.value;
+    const session = await verifySession(token, env.secret);
+    if (session) {
+      const res = await next(request, _next);
+      return withNoindex(res instanceof NextResponse3 ? res : NextResponse3.next());
+    }
+    const url = request.nextUrl.clone();
+    url.pathname = LOGIN_PATH;
+    url.search = `?from=${encodeURIComponent(pathname + search)}`;
+    return withNoindex(NextResponse3.redirect(url, { status: 307 }));
+  };
+};
+
+export {
+  chain,
+  headermiddleware,
+  redirectmiddleware,
+  stagegatemiddleware
+};
+//# sourceMappingURL=chunk-UCR7WW3X.js.map

package/dist/chunk-UCR7WW3X.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../src/middleware/chain.ts","../src/middleware/headermiddleware.ts","../src/middleware/redirectmiddleware.ts","../src/middleware/stagegatemiddleware.ts","../src/auth/stage.ts"],"sourcesContent":["import { NextResponse } from 'next/server';\nimport type { NextMiddleware } from 'next/server';\n\nexport type MiddlewareFactory = (middleware: NextMiddleware) => NextMiddleware;\n\nexport function chain(functions: MiddlewareFactory[] = [], index = 0): NextMiddleware {\n  const current = functions[index];\n  if (current) {\n    const next = chain(functions, index + 1);\n    return current(next);\n  }\n  return () => NextResponse.next();\n}\n","import { NextRequest } from 'next/server';\nimport type { NextFetchEvent } from 'next/server';\nimport type { MiddlewareFactory } from './chain.js';\n\nexport const headermiddleware: MiddlewareFactory = (next) => {\n  return async (request: NextRequest, _next: NextFetchEvent) => {\n    const url = new URL(request.url);\n    const params = new URLSearchParams(url.search);\n\n    const headers = new Headers(request.headers);\n    headers.set('x-current-path', request.nextUrl.pathname);\n    headers.set('x-server', 'true');\n    headers.set('olmo-preview', params.has('olmopreview').toString());\n\n    return next(new NextRequest(request.url, { headers }), _next);\n  };\n};\n","import { NextResponse } from 'next/server';\nimport type { NextFetchEvent, NextRequest } from 'next/server';\nimport type { MiddlewareFactory } from './chain.js';\n\ntype NextFetchRequestInit = RequestInit & { next?: { tags?: string[]; revalidate?: number | false } };\n\nexport const redirectmiddleware: MiddlewareFactory = (next) => {\n  return async (request: NextRequest, _next: NextFetchEvent) => {\n    if (request.headers.has('rsc')) {\n      return next(request, _next);\n    }\n\n    if (!process.env.NEXT_PUBLIC_OLMO_TOKEN || !process.env.NEXT_PUBLIC_API_URL || !process.env.NEXT_PUBLIC_BASE_URL) {\n      return next(request, _next);\n    }\n\n    const pathNameWithTrailingSlash = request.nextUrl.pathname;\n\n    const response = await fetch(`${process.env.NEXT_PUBLIC_API_URL}/all/redirect`, {\n      method: 'GET',\n      cache: 'force-cache',\n      next: { tags: ['olmo', 'redirect'] },\n      headers: { 'front-token': process.env.NEXT_PUBLIC_OLMO_TOKEN },\n    } as NextFetchRequestInit);\n\n    const data = await response.json();\n\n    const redirects = data.map((e: any) => ({\n      source: e.source,\n      destination: e.destination,\n      permanent: e.permanent === 'true',\n    }));\n\n    if (redirects.length > 0) {\n      const redirect = redirects.find((item: any) => item.source === pathNameWithTrailingSlash);\n\n      if (!redirect) {\n        return next(request, _next);\n      }\n\n      const newUrl = new URL(redirect.destination, process.env.NEXT_PUBLIC_BASE_URL).toString();\n      return NextResponse.redirect(newUrl, { status: redirect.permanent ? 308 : 307 });\n    }\n\n    return next(request, _next);\n  };\n};\n","import { NextResponse } from 'next/server';\nimport type { NextFetchEvent, NextRequest } from 'next/server';\nimport { getStageCookieName, readStageEnv, verifySession } from '../auth/stage.js';\nimport type { MiddlewareFactory } from './chain.js';\n\nconst LOGIN_PATH = '/olmo-stage-login/';\nconst NOINDEX = 'noindex, nofollow, noarchive';\n\nfunction withNoindex(res: NextResponse): NextResponse {\n  res.headers.set('X-Robots-Tag', NOINDEX);\n  return res;\n}\n\nexport const stagegatemiddleware: MiddlewareFactory = (next) => {\n  return async (request: NextRequest, _next: NextFetchEvent) => {\n    if (process.env.NEXT_PUBLIC_ENV !== 'stage') {\n      return next(request, _next);\n    }\n\n    const { pathname, search } = request.nextUrl;\n\n    if (pathname === LOGIN_PATH) {\n      return withNoindex(NextResponse.next());\n    }\n\n    const env = readStageEnv();\n    if (!env) {\n      // Misconfigured stage — deny everything except the login page itself.\n      const url = request.nextUrl.clone();\n      url.pathname = LOGIN_PATH;\n      url.search = '';\n      return withNoindex(NextResponse.redirect(url, { status: 307 }));\n    }\n\n    const token = request.cookies.get(getStageCookieName())?.value;\n    const session = await verifySession(token, env.secret);\n    if (session) {\n      const res = await next(request, _next);\n      return withNoindex(res instanceof NextResponse ? res : NextResponse.next());\n    }\n\n    const url = request.nextUrl.clone();\n    url.pathname = LOGIN_PATH;\n    url.search = `?from=${encodeURIComponent(pathname + search)}`;\n    return withNoindex(NextResponse.redirect(url, { status: 307 }));\n  };\n};\n","// Internal helpers for the stage-environment auth gate.\n// Edge-runtime safe (uses Web Crypto, no Node APIs).\n\nconst COOKIE_NAME = 'olmo_stage_auth';\nconst DEFAULT_SESSION_DAYS = 7;\n\nexport type StagePayload = { u: string; exp: number };\n\nexport type StageEnv = {\n  username: string;\n  password: string;\n  secret: string;\n  sessionDays: number;\n};\n\nexport function readStageEnv(): StageEnv | null {\n  const username = process.env.OLMO_STAGE_USERNAME;\n  const password = process.env.OLMO_STAGE_PASSWORD;\n  const secret = process.env.OLMO_STAGE_SECRET;\n  if (!username || !password || !secret) return null;\n  const days = Number(process.env.OLMO_STAGE_SESSION_DAYS);\n  return {\n    username,\n    password,\n    secret,\n    sessionDays: Number.isFinite(days) && days > 0 ? days : DEFAULT_SESSION_DAYS,\n  };\n}\n\nexport function getStageCookieName(): string {\n  return COOKIE_NAME;\n}\n\nfunction toBase64Url(bytes: ArrayBuffer | Uint8Array): string {\n  const arr = bytes instanceof Uint8Array ? bytes : new Uint8Array(bytes);\n  let str = '';\n  for (let i = 0; i < arr.length; i++) str += String.fromCharCode(arr[i]);\n  return btoa(str).replace(/\\+/g, '-').replace(/\\//g, '_').replace(/=+$/, '');\n}\n\nfunction fromBase64Url(input: string): Uint8Array {\n  const pad = input.length % 4 === 0 ? '' : '='.repeat(4 - (input.length % 4));\n  const b64 = input.replace(/-/g, '+').replace(/_/g, '/') + pad;\n  const bin = atob(b64);\n  const out = new Uint8Array(bin.length);\n  for (let i = 0; i < bin.length; i++) out[i] = bin.charCodeAt(i);\n  return out;\n}\n\nasync function importKey(secret: string): Promise<CryptoKey> {\n  return crypto.subtle.importKey(\n    'raw',\n    new TextEncoder().encode(secret),\n    { name: 'HMAC', hash: 'SHA-256' },\n    false,\n    ['sign', 'verify'],\n  );\n}\n\nexport async function signSession(payload: StagePayload, secret: string): Promise<string> {\n  const body = toBase64Url(new TextEncoder().encode(JSON.stringify(payload)));\n  const key = await importKey(secret);\n  const sig = await crypto.subtle.sign('HMAC', key, new TextEncoder().encode(body));\n  return `${body}.${toBase64Url(sig)}`;\n}\n\nexport async function verifySession(token: string | undefined, secret: string): Promise<StagePayload | null> {\n  if (!token || typeof token !== 'string' || token.indexOf('.') === -1) return null;\n  const [body, sig] = token.split('.');\n  if (!body || !sig) return null;\n  let key: CryptoKey;\n  try {\n    key = await importKey(secret);\n  } catch {\n    return null;\n  }\n  let valid = false;\n  try {\n    valid = await crypto.subtle.verify('HMAC', key, fromBase64Url(sig) as BufferSource, new TextEncoder().encode(body));\n  } catch {\n    return null;\n  }\n  if (!valid) return null;\n  let payload: StagePayload;\n  try {\n    payload = JSON.parse(new TextDecoder().decode(fromBase64Url(body)));\n  } catch {\n    return null;\n  }\n  if (!payload || typeof payload.exp !== 'number' || payload.exp < Date.now()) return null;\n  return payload;\n}\n\nexport function verifyCredentials(env: StageEnv, username: unknown, password: unknown): boolean {\n  if (typeof username !== 'string' || typeof password !== 'string') return false;\n  return username === env.username && password === env.password;\n}\n"],"mappings":";AAAA,SAAS,oBAAoB;AAKtB,SAAS,MAAM,YAAiC,CAAC,GAAG,QAAQ,GAAmB;AACpF,QAAM,UAAU,UAAU,KAAK;AAC/B,MAAI,SAAS;AACX,UAAM,OAAO,MAAM,WAAW,QAAQ,CAAC;AACvC,WAAO,QAAQ,IAAI;AAAA,EACrB;AACA,SAAO,MAAM,aAAa,KAAK;AACjC;;;ACZA,SAAS,mBAAmB;AAIrB,IAAM,mBAAsC,CAAC,SAAS;AAC3D,SAAO,OAAO,SAAsB,UAA0B;AAC5D,UAAM,MAAM,IAAI,IAAI,QAAQ,GAAG;AAC/B,UAAM,SAAS,IAAI,gBAAgB,IAAI,MAAM;AAE7C,UAAM,UAAU,IAAI,QAAQ,QAAQ,OAAO;AAC3C,YAAQ,IAAI,kBAAkB,QAAQ,QAAQ,QAAQ;AACtD,YAAQ,IAAI,YAAY,MAAM;AAC9B,YAAQ,IAAI,gBAAgB,OAAO,IAAI,aAAa,EAAE,SAAS,CAAC;AAEhE,WAAO,KAAK,IAAI,YAAY,QAAQ,KAAK,EAAE,QAAQ,CAAC,GAAG,KAAK;AAAA,EAC9D;AACF;;;AChBA,SAAS,gBAAAA,qBAAoB;AAMtB,IAAM,qBAAwC,CAAC,SAAS;AAC7D,SAAO,OAAO,SAAsB,UAA0B;AAC5D,QAAI,QAAQ,QAAQ,IAAI,KAAK,GAAG;AAC9B,aAAO,KAAK,SAAS,KAAK;AAAA,IAC5B;AAEA,QAAI,CAAC,QAAQ,IAAI,0BAA0B,CAAC,QAAQ,IAAI,uBAAuB,CAAC,QAAQ,IAAI,sBAAsB;AAChH,aAAO,KAAK,SAAS,KAAK;AAAA,IAC5B;AAEA,UAAM,4BAA4B,QAAQ,QAAQ;AAElD,UAAM,WAAW,MAAM,MAAM,GAAG,QAAQ,IAAI,mBAAmB,iBAAiB;AAAA,MAC9E,QAAQ;AAAA,MACR,OAAO;AAAA,MACP,MAAM,EAAE,MAAM,CAAC,QAAQ,UAAU,EAAE;AAAA,MACnC,SAAS,EAAE,eAAe,QAAQ,IAAI,uBAAuB;AAAA,IAC/D,CAAyB;AAEzB,UAAM,OAAO,MAAM,SAAS,KAAK;AAEjC,UAAM,YAAY,KAAK,IAAI,CAAC,OAAY;AAAA,MACtC,QAAQ,EAAE;AAAA,MACV,aAAa,EAAE;AAAA,MACf,WAAW,EAAE,cAAc;AAAA,IAC7B,EAAE;AAEF,QAAI,UAAU,SAAS,GAAG;AACxB,YAAM,WAAW,UAAU,KAAK,CAAC,SAAc,KAAK,WAAW,yBAAyB;AAExF,UAAI,CAAC,UAAU;AACb,eAAO,KAAK,SAAS,KAAK;AAAA,MAC5B;AAEA,YAAM,SAAS,IAAI,IAAI,SAAS,aAAa,QAAQ,IAAI,oBAAoB,EAAE,SAAS;AACxF,aAAOA,cAAa,SAAS,QAAQ,EAAE,QAAQ,SAAS,YAAY,MAAM,IAAI,CAAC;AAAA,IACjF;AAEA,WAAO,KAAK,SAAS,KAAK;AAAA,EAC5B;AACF;;;AC9CA,SAAS,gBAAAC,qBAAoB;;;ACG7B,IAAM,cAAc;AACpB,IAAM,uBAAuB;AAWtB,SAAS,eAAgC;AAC9C,QAAM,WAAW,QAAQ,IAAI;AAC7B,QAAM,WAAW,QAAQ,IAAI;AAC7B,QAAM,SAAS,QAAQ,IAAI;AAC3B,MAAI,CAAC,YAAY,CAAC,YAAY,CAAC,OAAQ,QAAO;AAC9C,QAAM,OAAO,OAAO,QAAQ,IAAI,uBAAuB;AACvD,SAAO;AAAA,IACL;AAAA,IACA;AAAA,IACA;AAAA,IACA,aAAa,OAAO,SAAS,IAAI,KAAK,OAAO,IAAI,OAAO;AAAA,EAC1D;AACF;AAEO,SAAS,qBAA6B;AAC3C,SAAO;AACT;AASA,SAAS,cAAc,OAA2B;AAChD,QAAM,MAAM,MAAM,SAAS,MAAM,IAAI,KAAK,IAAI,OAAO,IAAK,MAAM,SAAS,CAAE;AAC3E,QAAM,MAAM,MAAM,QAAQ,MAAM,GAAG,EAAE,QAAQ,MAAM,GAAG,IAAI;AAC1D,QAAM,MAAM,KAAK,GAAG;AACpB,QAAM,MAAM,IAAI,WAAW,IAAI,MAAM;AACrC,WAAS,IAAI,GAAG,IAAI,IAAI,QAAQ,IAAK,KAAI,CAAC,IAAI,IAAI,WAAW,CAAC;AAC9D,SAAO;AACT;AAEA,eAAe,UAAU,QAAoC;AAC3D,SAAO,OAAO,OAAO;AAAA,IACnB;AAAA,IACA,IAAI,YAAY,EAAE,OAAO,MAAM;AAAA,IAC/B,EAAE,MAAM,QAAQ,MAAM,UAAU;AAAA,IAChC;AAAA,IACA,CAAC,QAAQ,QAAQ;AAAA,EACnB;AACF;AASA,eAAsB,cAAc,OAA2B,QAA8C;AAC3G,MAAI,CAAC,SAAS,OAAO,UAAU,YAAY,MAAM,QAAQ,GAAG,MAAM,GAAI,QAAO;AAC7E,QAAM,CAAC,MAAM,GAAG,IAAI,MAAM,MAAM,GAAG;AACnC,MAAI,CAAC,QAAQ,CAAC,IAAK,QAAO;AAC1B,MAAI;AACJ,MAAI;AACF,UAAM,MAAM,UAAU,MAAM;AAAA,EAC9B,QAAQ;AACN,WAAO;AAAA,EACT;AACA,MAAI,QAAQ;AACZ,MAAI;AACF,YAAQ,MAAM,OAAO,OAAO,OAAO,QAAQ,KAAK,cAAc,GAAG,GAAmB,IAAI,YAAY,EAAE,OAAO,IAAI,CAAC;AAAA,EACpH,QAAQ;AACN,WAAO;AAAA,EACT;AACA,MAAI,CAAC,MAAO,QAAO;AACnB,MAAI;AACJ,MAAI;AACF,cAAU,KAAK,MAAM,IAAI,YAAY,EAAE,OAAO,cAAc,IAAI,CAAC,CAAC;AAAA,EACpE,QAAQ;AACN,WAAO;AAAA,EACT;AACA,MAAI,CAAC,WAAW,OAAO,QAAQ,QAAQ,YAAY,QAAQ,MAAM,KAAK,IAAI,EAAG,QAAO;AACpF,SAAO;AACT;;;ADtFA,IAAM,aAAa;AACnB,IAAM,UAAU;AAEhB,SAAS,YAAY,KAAiC;AACpD,MAAI,QAAQ,IAAI,gBAAgB,OAAO;AACvC,SAAO;AACT;AAEO,IAAM,sBAAyC,CAAC,SAAS;AAC9D,SAAO,OAAO,SAAsB,UAA0B;AAC5D,QAAI,QAAQ,IAAI,oBAAoB,SAAS;AAC3C,aAAO,KAAK,SAAS,KAAK;AAAA,IAC5B;AAEA,UAAM,EAAE,UAAU,OAAO,IAAI,QAAQ;AAErC,QAAI,aAAa,YAAY;AAC3B,aAAO,YAAYC,cAAa,KAAK,CAAC;AAAA,IACxC;AAEA,UAAM,MAAM,aAAa;AACzB,QAAI,CAAC,KAAK;AAER,YAAMC,OAAM,QAAQ,QAAQ,MAAM;AAClC,MAAAA,KAAI,WAAW;AACf,MAAAA,KAAI,SAAS;AACb,aAAO,YAAYD,cAAa,SAASC,MAAK,EAAE,QAAQ,IAAI,CAAC,CAAC;AAAA,IAChE;AAEA,UAAM,QAAQ,QAAQ,QAAQ,IAAI,mBAAmB,CAAC,GAAG;AACzD,UAAM,UAAU,MAAM,cAAc,OAAO,IAAI,MAAM;AACrD,QAAI,SAAS;AACX,YAAM,MAAM,MAAM,KAAK,SAAS,KAAK;AACrC,aAAO,YAAY,eAAeD,gBAAe,MAAMA,cAAa,KAAK,CAAC;AAAA,IAC5E;AAEA,UAAM,MAAM,QAAQ,QAAQ,MAAM;AAClC,QAAI,WAAW;AACf,QAAI,SAAS,SAAS,mBAAmB,WAAW,MAAM,CAAC;AAC3D,WAAO,YAAYA,cAAa,SAAS,KAAK,EAAE,QAAQ,IAAI,CAAC,CAAC;AAAA,EAChE;AACF;","names":["NextResponse","NextResponse","NextResponse","url"]}

package/dist/cli/index.js

@@ -250,7 +250,7 @@ var addRouteCommand = new Command("route").description("Scaffold a new Olmo page
         { title: "List page (fetches a collection)", value: "list" },
         { title: "Single/detail page (slug route)", value: "single" }
       ],
-      initial: defaultType === "list" ? 1 : defaultType === "single" ? 2 : 0
+      initial: defaultType === "single" ? 2 : 0
     });
     if (!res.value) process.exit(0);
     routeType = res.value;