@pilotiq/pilotiq 0.21.0 → 0.22.0

package/src/routes/guard.test.ts

@@ -0,0 +1,325 @@
+/**
+ * `Pilotiq.guard()` panel-wide 401 layer.
+ *
+ * Documented since Plan #10 as the unauthenticated-request gate; until
+ * 2026-05-21 only `_uploads` consulted it. Every other route relied on
+ * `cfg.user` returning null + `R.canX(user, …)` defaulting to true, so
+ * an app that wired `guard(req => Auth.check())` but shipped any
+ * Resource without `canAccess` overrides ended up with an
+ * unauthenticated, fully-readable admin panel.
+ *
+ * Fix: wrap every core panel route in one `router.group(...)` with the
+ * guard as group middleware. This file is the regression test —
+ * intentionally exhaustive so any future route that escapes the group
+ * (e.g. registered outside the wrap callback by accident) fails loudly.
+ */
+import { describe, it } from 'node:test'
+import assert from 'node:assert/strict'
+import { Router } from '@rudderjs/router'
+import type { RouteDefinition, MiddlewareHandler } from '@rudderjs/contracts'
+
+import { Pilotiq } from '../Pilotiq.js'
+import { Resource } from '../Resource.js'
+import { Global } from '../Global.js'
+import { Page } from '../Page.js'
+import { Cluster } from '../Cluster.js'
+import { RelationManager } from '../RelationManager.js'
+import { registerPilotiqRoutes } from '../routes.js'
+import { themeEditor } from '../plugins/themeEditor.js'
+
+// ─── Test fixtures ────────────────────────────────────────────
+
+class Comment extends RelationManager {
+  static override relationship = 'comments'
+}
+
+class Article extends Resource {
+  static override label         = 'Articles'
+  static override labelSingular = 'Article'
+  static override slug          = 'articles'
+  static override relations() { return [Comment] }
+}
+
+class Settings extends Global {
+  static override label = 'Settings'
+  static override slug  = 'settings'
+}
+
+class Analytics extends Page {
+  static override slug  = 'analytics'
+  static override label = 'Analytics'
+}
+
+class ReportsCluster extends Cluster {
+  static override slug = 'reports'
+  static override label = 'Reports'
+}
+
+class ClusteredPage extends Page {
+  static override slug    = 'overview'
+  static override label   = 'Overview'
+  static override cluster = ReportsCluster
+}
+
+// ─── Fake req/res ─────────────────────────────────────────────
+
+interface FakeRes {
+  statusCode: number
+  sentBody?:  unknown
+  status(code: number): FakeRes
+  send(body: unknown): FakeRes
+  json(body: unknown): FakeRes
+  redirect(url: string, code?: number): FakeRes
+  header(name: string, value: string): FakeRes
+}
+function fakeRes(): FakeRes {
+  const r: FakeRes = {
+    statusCode: 200,
+    status(code) { this.statusCode = code; return this },
+    send(body)   { this.sentBody = body;   return this },
+    json(body)   { this.sentBody = body;   return this },
+    redirect()   { return this },
+    header()     { return this },
+  }
+  return r
+}
+function fakeReq(overrides: Record<string, unknown> = {}): Record<string, unknown> {
+  return {
+    params: {},
+    body:   null,
+    query:  {},
+    raw:    {},
+    headers: {},
+    ...overrides,
+  }
+}
+
+/**
+ * Run a route's middleware chain *without* its handler. Returns whether
+ * the chain reached the handler slot (`reached: true`) or short-circuited
+ * (`reached: false`), plus the response captured during the chain. This
+ * is the tightest unit shape for "did the guard fire" — invoking the
+ * handler would require fully-mocked record loaders / form pipelines for
+ * the 30+ documented routes, which isn't what this test is for.
+ */
+async function runMiddleware(
+  route: RouteDefinition,
+  req:   Record<string, unknown>,
+): Promise<{ reached: boolean; res: FakeRes }> {
+  const res = fakeRes()
+  let reached = true
+  for (const mw of route.middleware as MiddlewareHandler[]) {
+    let didCallNext = false
+    const next = async () => { didCallNext = true }
+    // eslint-disable-next-line @typescript-eslint/no-explicit-any
+    await mw(req as any, res as any, next)
+    if (!didCallNext) {
+      reached = false
+      break
+    }
+  }
+  return { reached, res }
+}
+
+// Build a panel that touches every register* branch — resources (with
+// relations + soft-deletes), globals, custom pages, clusters, theme
+// editor, database notifications. The test then iterates router.list()
+// so coverage stays exhaustive even if new routes ship.
+function buildFullPanel(guard?: (req: unknown) => boolean | Promise<boolean>): Pilotiq {
+  let p = Pilotiq.make('admin')
+    .path('/admin')
+    .resources([Article])
+    .globals([Settings])
+    .pages([Analytics, ClusteredPage])
+    .clusters([ReportsCluster])
+    .databaseNotifications()
+    .use(themeEditor())
+  if (guard) p = p.guard(guard)
+  return p
+}
+
+// ─── Tests ────────────────────────────────────────────────────
+
+describe('Pilotiq.guard() — router.group() middleware', () => {
+  it('attaches the guard middleware to every core panel route', () => {
+    const router = new Router()
+    registerPilotiqRoutes(router, buildFullPanel(() => false))
+    const routes = router.list()
+    // Sanity: the panel above is rich enough to register many routes.
+    // Hard-fail under 20 routes to catch a future split that skips one
+    // of the register* branches by accident.
+    assert.ok(routes.length > 20, `expected >20 routes, got ${routes.length}`)
+    for (const r of routes) {
+      assert.ok(
+        r.middleware.length >= 1,
+        `route ${r.method} ${r.path} has no middleware — guard is missing`,
+      )
+    }
+  })
+
+  it('every core route 401s when guard returns false', async () => {
+    const router = new Router()
+    registerPilotiqRoutes(router, buildFullPanel(() => false))
+    const routes = router.list()
+    for (const r of routes) {
+      const { reached, res } = await runMiddleware(r, fakeReq())
+      assert.equal(
+        reached, false,
+        `route ${r.method} ${r.path} reached its handler despite guard=false`,
+      )
+      assert.equal(
+        res.statusCode, 401,
+        `route ${r.method} ${r.path} returned ${res.statusCode}, expected 401`,
+      )
+    }
+  })
+
+  it('every core route reaches its handler when guard returns true', async () => {
+    const router = new Router()
+    registerPilotiqRoutes(router, buildFullPanel(() => true))
+    const routes = router.list()
+    for (const r of routes) {
+      const { reached, res } = await runMiddleware(r, fakeReq())
+      assert.equal(
+        reached, true,
+        `route ${r.method} ${r.path} did not reach its handler when guard=true ` +
+        `(short-circuited with status ${res.statusCode})`,
+      )
+    }
+  })
+
+  it('skips the guard check entirely when no Pilotiq.guard() is configured', async () => {
+    const router = new Router()
+    registerPilotiqRoutes(router, buildFullPanel(undefined))
+    const routes = router.list()
+    // The middleware is still attached (the group runs unconditionally),
+    // but the guard branch inside it short-circuits when cfg.guard is
+    // undefined — every chain still calls next().
+    for (const r of routes) {
+      const { reached } = await runMiddleware(r, fakeReq())
+      assert.equal(
+        reached, true,
+        `route ${r.method} ${r.path} short-circuited even though no guard was configured`,
+      )
+    }
+  })
+
+  it('returns JSON 401 envelope when client sends Accept: application/json', async () => {
+    const router = new Router()
+    registerPilotiqRoutes(router, buildFullPanel(() => false))
+    const route = router.list().find(r => r.path === '/admin')
+    assert.ok(route, 'dashboard route missing')
+    const { res } = await runMiddleware(route, fakeReq({ headers: { accept: 'application/json' } }))
+    assert.equal(res.statusCode, 401)
+    assert.deepEqual(res.sentBody, { ok: false, error: 'Unauthorized' })
+  })
+
+  it('returns plain 401 body when no JSON Accept header', async () => {
+    const router = new Router()
+    registerPilotiqRoutes(router, buildFullPanel(() => false))
+    const route = router.list().find(r => r.path === '/admin')
+    assert.ok(route, 'dashboard route missing')
+    const { res } = await runMiddleware(route, fakeReq())
+    assert.equal(res.statusCode, 401)
+    assert.equal(res.sentBody, 'Unauthorized')
+  })
+
+  it('awaits async guard predicates', async () => {
+    const router = new Router()
+    registerPilotiqRoutes(router, buildFullPanel(async (_req) => {
+      await new Promise(r => setTimeout(r, 1))
+      return false
+    }))
+    const route = router.list().find(r => r.path === '/admin/articles')
+    assert.ok(route, 'articles list route missing')
+    const { reached, res } = await runMiddleware(route, fakeReq())
+    assert.equal(reached, false)
+    assert.equal(res.statusCode, 401)
+  })
+
+  it('forwards the request object to the guard predicate', async () => {
+    let seen: unknown = undefined
+    const router = new Router()
+    registerPilotiqRoutes(router, buildFullPanel((req) => { seen = req; return true }))
+    const route = router.list().find(r => r.path === '/admin/articles')
+    assert.ok(route, 'articles list route missing')
+    const req = fakeReq({ tag: 'abc' })
+    await runMiddleware(route, req)
+    assert.equal((seen as { tag?: string }).tag, 'abc')
+  })
+
+  it('covers _uploads — the original inline-guard site', async () => {
+    const router = new Router()
+    registerPilotiqRoutes(router, buildFullPanel(() => false))
+    const route = router.list().find(r => r.path === '/admin/_uploads')
+    assert.ok(route, '_uploads route missing')
+    const { reached, res } = await runMiddleware(route, fakeReq())
+    // The inline `if (cfg.guard && !await cfg.guard(req))` block inside
+    // handleUploadRequest was removed once the group middleware took
+    // over — this guarantees the route is now actually 401'd by the
+    // group middleware, not the inline check.
+    assert.equal(reached, false)
+    assert.equal(res.statusCode, 401)
+  })
+
+  it('covers relation manager + nested relation routes', async () => {
+    const router = new Router()
+    registerPilotiqRoutes(router, buildFullPanel(() => false))
+    const routes = router.list()
+    // Relation list: GET /admin/articles/:id/comments
+    const relList = routes.find(r => r.path === '/admin/articles/:id/comments' && r.method === 'GET')
+    assert.ok(relList, 'relation list route missing')
+    const { reached, res } = await runMiddleware(relList, fakeReq())
+    assert.equal(reached, false)
+    assert.equal(res.statusCode, 401)
+  })
+
+  it('covers cluster-prefixed routes', async () => {
+    const router = new Router()
+    registerPilotiqRoutes(router, buildFullPanel(() => false))
+    const routes = router.list()
+    const clustered = routes.find(r => r.path === '/admin/reports/overview' && r.method === 'GET')
+    assert.ok(clustered, 'clustered custom page route missing')
+    const { reached, res } = await runMiddleware(clustered, fakeReq())
+    assert.equal(reached, false)
+    assert.equal(res.statusCode, 401)
+  })
+
+  it('covers theme editor routes', async () => {
+    const router = new Router()
+    registerPilotiqRoutes(router, buildFullPanel(() => false))
+    const routes = router.list()
+    const themePages = [
+      ['GET',    '/admin/theme'],
+      ['GET',    '/admin/api/_theme'],
+      ['PUT',    '/admin/api/_theme'],
+      ['DELETE', '/admin/api/_theme'],
+    ] as const
+    for (const [method, path] of themePages) {
+      const r = routes.find(x => x.method === method && x.path === path)
+      assert.ok(r, `theme route ${method} ${path} missing`)
+      const { reached, res } = await runMiddleware(r, fakeReq())
+      assert.equal(reached, false, `${method} ${path}`)
+      assert.equal(res.statusCode, 401, `${method} ${path}`)
+    }
+  })
+
+  it('covers _notifications endpoints', async () => {
+    const router = new Router()
+    registerPilotiqRoutes(router, buildFullPanel(() => false))
+    const routes = router.list()
+    const notif = [
+      ['GET',  '/admin/_notifications'],
+      ['POST', '/admin/_notifications/:id/read'],
+      ['POST', '/admin/_notifications/:id/unread'],
+      ['POST', '/admin/_notifications/read-all'],
+    ] as const
+    for (const [method, path] of notif) {
+      const r = routes.find(x => x.method === method && x.path === path)
+      assert.ok(r, `notifications route ${method} ${path} missing`)
+      const { reached, res } = await runMiddleware(r, fakeReq())
+      assert.equal(reached, false, `${method} ${path}`)
+      assert.equal(res.statusCode, 401, `${method} ${path}`)
+    }
+  })
+})

package/src/routes/helpers.ts

@@ -256,6 +256,30 @@ export async function policyAccess(
   return ownerOk && clusterOk
 }
 
+/**
+ * Two-predicate policy gate. Runs `policyAccess(owner, user)` in
+ * parallel with `checkPolicy(predicate)` and returns true only when
+ * both resolve truthy. Use this when the predicate does NOT depend on a
+ * record loaded between the two checks — record-dependent gates (e.g.
+ * `canEdit(user, record)` where `record` is loaded mid-handler) must
+ * stay sequential.
+ *
+ * Both checks fail-closed (throw → false). The pair runs whenever the
+ * route handler enters; replacing the serial pair halves the wait when
+ * either predicate makes a network round-trip.
+ */
+export async function policyGate(
+  owner: Parameters<typeof policyAccess>[0],
+  user: unknown,
+  predicate: () => boolean | Promise<boolean>,
+): Promise<boolean> {
+  const [accessOk, predOk] = await Promise.all([
+    policyAccess(owner, user),
+    checkPolicy(predicate),
+  ])
+  return accessOk && predOk
+}
+
 /** Run `policyAccess(R, user)` and `findRecord(R, recordId, { user })`
  *  in parallel. Both depend only on `user`, so the two round-trips
  *  overlap instead of waiting on each other. When `R.model` isn't set
@@ -588,14 +612,12 @@ export async function handleUploadRequest(
     return res.json({ ok: false, error: 'No upload adapter configured' })
   }
 
-  // Auth: panel-wide `guard` and per-request `user`. We don't enforce
-  // per-resource canEdit here because the field doesn't know which
-  // resource it belongs to — apps that need it should hook into
-  // their adapter's `put()` and consult their own auth there.
-  if (cfg.guard && !await cfg.guard(req)) {
-    res.status(401)
-    return res.json({ ok: false, error: 'Unauthorized' })
-  }
+  // Auth: `Pilotiq.guard()` runs as a `router.group(...)` middleware in
+  // `routes.ts`, so by the time we land here the panel-wide gate has
+  // already passed. We don't enforce per-resource canEdit because the
+  // field doesn't know which resource it belongs to — apps that need
+  // it should hook into their adapter's `put()` and consult their own
+  // auth there.
 
   // Parse multipart body. Hono's parseBody returns `Record<string, File | string>`.
   const raw = req.raw as { req?: { parseBody?: (opts?: { all?: boolean }) => Promise<Record<string, unknown>> } } | undefined

package/src/routes/resources.ts

@@ -35,6 +35,7 @@ import {
   cellHookErrorMessage,
   checkPolicy,
   policyAccess,
+  policyGate,
   resolveDispatchTarget,
   handleFormState,
   handleFormWizard,
@@ -87,8 +88,7 @@ export function registerResourceRoutes(
       const indexUrl  = resourceBase
       router.get(indexUrl, async (req, res) => {
         const user = await pilotiq.resolveUser(req)
-        if (!await policyAccess(R, user))  return forbidden(res, wantsJson(req))
-        if (!await checkPolicy(() => R.canViewAny(user))) return forbidden(res, wantsJson(req))
+        if (!await policyGate(R, user, () => R.canViewAny(user))) return forbidden(res, wantsJson(req))
 
         if (R.persistFiltersInSession) {
           const query = (req.query as Record<string, unknown> | undefined) ?? {}
@@ -113,16 +113,14 @@ export function registerResourceRoutes(
 
       router.post(`${indexUrl}/_widget/:id`, async (req, res) => {
         const user = await pilotiq.resolveUser(req)
-        if (!await policyAccess(R, user))  return forbidden(res, true)
-        if (!await checkPolicy(() => R.canViewAny(user))) return forbidden(res, true)
+        if (!await policyGate(R, user, () => R.canViewAny(user))) return forbidden(res, true)
         return handleWidgetData(req, res, pilotiq, { kind: 'resource', slug }, req.params['id']!)
       })
 
       if (R.deferLoading) {
         router.get(`${indexUrl}/_table`, async (req, res) => {
           const user = await pilotiq.resolveUser(req)
-          if (!await policyAccess(R, user))  return forbidden(res, true)
-          if (!await checkPolicy(() => R.canViewAny(user))) return forbidden(res, true)
+          if (!await policyGate(R, user, () => R.canViewAny(user))) return forbidden(res, true)
           const data = await resourceTableData(pilotiq, slug, req.query as Record<string, string>, req)
           if (!data) { res.status(404); return res.json({ ok: false, error: 'Resource not found' }) }
           return res.json({ ok: true, ...data })
@@ -169,12 +167,11 @@ export function registerResourceRoutes(
       if (options.reorderable) {
         router.post(`${indexUrl}/_reorder`, async (req, res) => {
           const user = await pilotiq.resolveUser(req)
-          if (!await policyAccess(R, user)) return forbidden(res, true)
           // List-level edit gate. The drop affects many rows at once;
           // there's no single record to authorize against, so we pass
           // `undefined` and let user-supplied `canEdit` overrides branch
           // on `record === undefined` if they want row-level granularity.
-          if (!await checkPolicy(() => R.canEdit(user, undefined))) return forbidden(res, true)
+          if (!await policyGate(R, user, () => R.canEdit(user, undefined))) return forbidden(res, true)
 
           const body = await readFormBody(req)
           const raw  = (body as { ids?: unknown }).ids
@@ -302,8 +299,7 @@ export function registerResourceRoutes(
     if (pages.create) {
       router.post(`${resourceBase}/_form/:formId/state`, async (req, res) => {
         const user = await pilotiq.resolveUser(req)
-        if (!await policyAccess(R, user)) return forbidden(res, true)
-        if (!await checkPolicy(() => R.canCreate(user))) return forbidden(res, true)
+        if (!await policyGate(R, user, () => R.canCreate(user))) return forbidden(res, true)
         const formId = req.params['formId']!
         return handleFormState(req, res, pilotiq, { kind: 'resource-create', slug }, formId)
       })
@@ -311,8 +307,7 @@ export function registerResourceRoutes(
       // Plan #8 — wizard step-validate endpoint for create-mode forms.
       router.post(`${resourceBase}/_form/:formId/wizard`, async (req, res) => {
         const user = await pilotiq.resolveUser(req)
-        if (!await policyAccess(R, user)) return forbidden(res, true)
-        if (!await checkPolicy(() => R.canCreate(user))) return forbidden(res, true)
+        if (!await policyGate(R, user, () => R.canCreate(user))) return forbidden(res, true)
         const formId = req.params['formId']!
         return handleFormWizard(req, res, pilotiq, { kind: 'resource-create', slug }, formId)
       })
@@ -320,8 +315,7 @@ export function registerResourceRoutes(
       // Async-mention endpoint for create-mode forms.
       router.post(`${resourceBase}/_form/:formId/mentions`, async (req, res) => {
         const user = await pilotiq.resolveUser(req)
-        if (!await policyAccess(R, user)) return forbidden(res, true)
-        if (!await checkPolicy(() => R.canCreate(user))) return forbidden(res, true)
+        if (!await policyGate(R, user, () => R.canCreate(user))) return forbidden(res, true)
         const formId = req.params['formId']!
         return handleFormMentions(req, res, pilotiq, { kind: 'resource-create', slug }, formId)
       })
@@ -329,8 +323,7 @@ export function registerResourceRoutes(
       // SelectField inline-create modal endpoint for create-mode forms.
       router.post(`${resourceBase}/_form/:formId/create-option/:fieldName`, async (req, res) => {
         const user = await pilotiq.resolveUser(req)
-        if (!await policyAccess(R, user)) return forbidden(res, true)
-        if (!await checkPolicy(() => R.canCreate(user))) return forbidden(res, true)
+        if (!await policyGate(R, user, () => R.canCreate(user))) return forbidden(res, true)
         const formId    = req.params['formId']!
         const fieldName = req.params['fieldName']!
         return handleFormCreateOption(req, res, pilotiq, { kind: 'resource-create', slug }, formId, fieldName)
@@ -392,8 +385,7 @@ export function registerResourceRoutes(
 
       router.get(createUrl, async (req, res) => {
         const user = await pilotiq.resolveUser(req)
-        if (!await policyAccess(R, user)) return forbidden(res, wantsJson(req))
-        if (!await checkPolicy(() => R.canCreate(user))) return forbidden(res, wantsJson(req))
+        if (!await policyGate(R, user, () => R.canCreate(user))) return forbidden(res, wantsJson(req))
         const data = await resourceCreateData(pilotiq, slug, undefined, req)
         return view('pilotiq.resource-create', data ?? {})
       })
@@ -401,8 +393,7 @@ export function registerResourceRoutes(
       // Create — POST ${resourceBase}/create
       router.post(createUrl, async (req, res) => {
         const user = await pilotiq.resolveUser(req)
-        if (!await policyAccess(R, user)) return forbidden(res, wantsJson(req))
-        if (!await checkPolicy(() => R.canCreate(user))) return forbidden(res, wantsJson(req))
+        if (!await policyGate(R, user, () => R.canCreate(user))) return forbidden(res, wantsJson(req))
 
         const body = await readFormBody(req)
         const { values, formId, continueCreate } = splitMeta(body)
@@ -464,8 +455,7 @@ export function registerResourceRoutes(
       // coerced values.
       router.post(`${createUrl}/_action/:actionName`, async (req, res) => {
         const user = await pilotiq.resolveUser(req)
-        if (!await policyAccess(R, user)) return forbidden(res, wantsJson(req))
-        if (!await checkPolicy(() => R.canCreate(user))) return forbidden(res, wantsJson(req))
+        if (!await policyGate(R, user, () => R.canCreate(user))) return forbidden(res, wantsJson(req))
 
         const actionName = req.params['actionName']!
         const json = wantsJson(req)

package/src/routes/theme.ts

@@ -9,29 +9,15 @@ import { migrateThemeOverrides } from '../theme/migrate.js'
 import { radiusMap } from '../theme/radius.js'
 import { panelInfo } from '../pageData.js'
 
-/** Minimal Prisma surface used by the theme editor — narrow enough to
- *  keep the DI lookup type-safe without dragging in `PrismaClient`,
- *  which would couple the package to a concrete schema. */
-type PanelGlobalRow = { data: string | object | null }
-type PanelGlobalDelegate = {
-  panelGlobal: {
-    findUnique(args: { where: { slug: string } }): Promise<PanelGlobalRow | null>
-    upsert(args: {
-      where:  { slug: string }
-      update: { data: string }
-      create: { slug: string; data: string }
-    }): Promise<unknown>
-    delete(args: { where: { slug: string } }): Promise<unknown>
-  }
-}
-
 /**
  * Register the theme editor routes — the `${base}/theme` editor page
  * plus the `${base}/api/_theme` GET / PUT / DELETE persistence endpoints.
  * Only mounted when `cfg.themeEditor` is set (caller checks first).
  *
- * Pulled out of `registerPilotiqRoutes` in 2026-05-12 (Phase 3 of the
- * routes.ts split).
+ * Storage persists through `panel.getThemeStorage()` — the adapter
+ * resolved by the service provider's boot pass (explicit when
+ * `themeEditor({ storage })` was set, otherwise the implicit Prisma
+ * fallback while that back-compat branch is still active).
  */
 export function registerThemeRoutes(
   router:  Router,
@@ -51,16 +37,15 @@ export function registerThemeRoutes(
 
   router.get(`${base}/api/_theme`, async (_req, res) => {
     let overrides: Partial<ThemeConfig> | null = null
-    try {
-      const { app } = await import(/* @vite-ignore */ '@rudderjs/core') as { app(): { make(key: string): unknown } }
-      const prisma = app().make('prisma') as PanelGlobalDelegate
-      const slug = `${cfg.name}__theme`
-      const row = await prisma.panelGlobal.findUnique({ where: { slug } })
-      if (row?.data) {
-        const raw = typeof row.data === 'string' ? JSON.parse(row.data as string) : row.data
-        overrides = migrateThemeOverrides(raw)
+    const storage = pilotiq.getThemeStorage()
+    if (storage) {
+      try {
+        const raw = await storage.load()
+        if (raw) overrides = migrateThemeOverrides(raw)
+      } catch (e) {
+        console.warn('[pilotiq] failed to load theme overrides:', e)
       }
-    } catch { /* no DB or no table — that's fine */ }
+    }
 
     return res.json({
       config:    cfg.theme ?? {},
@@ -77,18 +62,13 @@ export function registerThemeRoutes(
   })
 
   router.put(`${base}/api/_theme`, async (req, res) => {
+    const storage = pilotiq.getThemeStorage()
+    if (!storage) {
+      return res.status(500).json({ message: 'No theme storage adapter configured.' })
+    }
     try {
       const overrides = req.body as Partial<ThemeConfig>
-      const { app } = await import(/* @vite-ignore */ '@rudderjs/core') as { app(): { make(key: string): unknown } }
-      const prisma = app().make('prisma') as PanelGlobalDelegate
-      const slug = `${cfg.name}__theme`
-
-      await prisma.panelGlobal.upsert({
-        where:  { slug },
-        update: { data: JSON.stringify(overrides) },
-        create: { slug, data: JSON.stringify(overrides) },
-      })
-
+      await storage.save(overrides)
       pilotiq.setThemeOverrides(overrides)
       return res.json({ ok: true })
     } catch (e) {
@@ -97,13 +77,15 @@ export function registerThemeRoutes(
   })
 
   router.delete(`${base}/api/_theme`, async (_req, res) => {
-    try {
-      const { app } = await import(/* @vite-ignore */ '@rudderjs/core') as { app(): { make(key: string): unknown } }
-      const prisma = app().make('prisma') as PanelGlobalDelegate
-      const slug = `${cfg.name}__theme`
-      await prisma.panelGlobal.delete({ where: { slug } }).catch(() => {})
-      pilotiq.setThemeOverrides(undefined)
-    } catch { /* ignore */ }
+    const storage = pilotiq.getThemeStorage()
+    if (storage) {
+      try {
+        await storage.clear()
+      } catch (e) {
+        console.warn('[pilotiq] failed to clear theme overrides:', e)
+      }
+    }
+    pilotiq.setThemeOverrides(undefined)
     return res.json({ ok: true })
   })
 }