@technomoron/mail-magic 1.0.13 → 1.0.15

package/CHANGES

@@ -1,3 +1,17 @@
+Version 1.0.15 (2026-02-01)
+
+- Made the optional admin UI/API opt-in via `ADMIN_ENABLED`, delegating admin
+  registration to the `@technomoron/mail-magic-admin` package with an
+  override path via `ADMIN_APP_PATH`.
+- Serve public assets directly from `ASSET_ROUTE` (outside the API base path)
+  and allow asset URLs to use `ASSET_PUBLIC_BASE` when rendering templates.
+- Added coverage for asset base URL overrides in the test suite.
+
+Version 1.0.14 (2026-02-01)
+
+- Consolidated the API domain/user assertion into a shared helper to keep
+  validation logic consistent across modules.
+
 Version 1.0.13 (2026-01-31)
 
 - Fixed the per-package release script name and tag format used to trigger

package/README.md

@@ -24,7 +24,7 @@ During development you can run `npm run dev` for a watch mode that recompiles on
 
 ## Configuration
 
-- **Environment variables** are defined in `src/store/envloader.ts`. Important settings include SMTP credentials, API host/port, the config directory path, and database options.
+- **Environment variables** are defined in `src/store/envloader.ts`. Important settings include SMTP credentials, API host/port, the config directory path, database options, and `ADMIN_ENABLED`/`ADMIN_APP_PATH` to control the admin UI/API.
 - **Config directory** (`CONFIG_PATH`) contains JSON seed data (`init-data.json`), optional API key files, and template assets. Each domain now lives directly under the config root (for example `data/example.com/form-template/…`). Use an absolute path or a relative one like `../data` when you want the config outside the repo. Review `config-example/` for the recommended layout, in particular the `form-template/` and `tx-template/` folders used for compiled Nunjucks templates.
 - **Database** defaults to SQLite (`maildata.db`). You can switch dialects by updating the environment options if your deployment requires another database.
 - **Uploads** default to `<CONFIG_PATH>/<domain>/uploads` via `UPLOAD_PATH=./{domain}/uploads`. Set a fixed path if you prefer a shared upload directory.
@@ -33,11 +33,11 @@ When `DB_AUTO_RELOAD` is enabled the service watches `init-data.json` and refres
 
 ### Admin UI
 
-The server mounts the admin UI at `/` when the `@technomoron/mail-magic-admin` package is installed. This is a placeholder Vue app today, but it is already wired so future admin features can live there without changing the server routing.
+The server mounts the admin UI at `/` only when `ADMIN_ENABLED` is true and the `@technomoron/mail-magic-admin` package is installed. You can point `ADMIN_APP_PATH` at a dist folder (or its parent) to override the package-provided build. The admin API module is loaded from the admin package as well. This is a placeholder Vue app today, but it is already wired so future admin features can live there without changing the server routing.
 
 ### Template assets and inline resources
 
-- Keep any non-inline files (images, attachments, etc.) under `<CONFIG_PATH>/<domain>/assets`. Mail Magic rewrites `asset('logo.png')` to the public route `/asset/<domain>/logo.png` (or whatever you set via `ASSET_ROUTE`).
+- Keep any non-inline files (images, attachments, etc.) under `<CONFIG_PATH>/<domain>/assets`. Mail Magic rewrites `asset('logo.png')` using `ASSET_ROUTE` (default `/asset`) and a base URL from `ASSET_PUBLIC_BASE` (or `API_URL` if unset). The default output looks like `http://localhost:3776/asset/<domain>/logo.png`.
 - Pass `true` as the second argument when you want to embed a file as an inline CID attachment: `asset('logo.png', true)` stores the file in Nodemailer and rewrites the HTML to reference `cid:logo.png`.
 - Avoid mixing template-type folders for assets; everything that should be linked externally belongs in the shared `<domain>/assets` tree so it can be served for both form and transactional templates.
 
@@ -50,6 +50,8 @@ The server mounts the admin UI at `/` when the `@technomoron/mail-magic-admin` p
 | POST   | `/v1/form/template` | Store or update a form submission template    |
 | POST   | `/v1/form/message`  | Submit a form payload and deliver the email   |
 
+All routes are mounted under `API_BASE_PATH` (default `/api`), so the full path is typically `/api/v1/...`.
+
 All authenticated routes expect an API token associated with a configured user. Attachments can be uploaded alongside the `/v1/tx/message` request and are forwarded by Nodemailer.
 
 ## Available Scripts

package/TUTORIAL.MD

@@ -58,7 +58,7 @@ myorg-config/
 
 > **Tip:** If you want to share partials between templates, keep file names aligned (e.g. identical `header.njk` content under both `form-template/partials/` and `tx-template/partials/`).
 
-> **Assets vs inline:** Any file you want to serve as an external URL must live under `myorg.com/assets/`. The template helper `asset('logo.png')` will become `/asset/myorg.com/logo.png`. Use `asset('logo.png', true)` when you need the file embedded as a CID attachment instead.
+> **Assets vs inline:** Any file you want to serve as an external URL must live under `myorg.com/assets/`. The template helper `asset('logo.png')` will become `http://localhost:3776/asset/myorg.com/logo.png` by default. You can change the base via `ASSET_PUBLIC_BASE` (or `API_URL`) and the path via `ASSET_ROUTE`. Use `asset('logo.png', true)` when you need the file embedded as a CID attachment instead.
 
 ---
 

package/dist/api/assets.js

@@ -1,11 +1,10 @@
 import fs from 'fs';
 import path from 'path';
 import { ApiError, ApiModule } from '@technomoron/api-server-base';
-import { api_domain } from '../models/domain.js';
 import { api_form } from '../models/form.js';
 import { api_txmail } from '../models/txmail.js';
-import { api_user } from '../models/user.js';
 import { decodeComponent, sendFileAsync } from '../util.js';
+import { assert_domain_and_user } from './auth.js';
 const DOMAIN_PATTERN = /^[a-z0-9][a-z0-9._-]*$/i;
 const SEGMENT_PATTERN = /^[a-zA-Z0-9._-]+$/;
 export class AssetAPI extends ApiModule {
@@ -21,25 +20,6 @@ export class AssetAPI extends ApiModule {
         }
         return '';
     }
-    async assertDomainAndUser(apireq) {
-        const domainName = this.getBodyValue(apireq.req.body ?? {}, 'domain');
-        if (!domainName) {
-            throw new ApiError({ code: 401, message: 'Missing domain' });
-        }
-        const user = await api_user.findOne({ where: { token: apireq.token } });
-        if (!user) {
-            throw new ApiError({ code: 401, message: `Invalid/Unknown API Key/Token '${apireq.token}'` });
-        }
-        const dbdomain = await api_domain.findOne({ where: { name: domainName } });
-        if (!dbdomain) {
-            throw new ApiError({ code: 401, message: `Unable to look up the domain ${domainName}` });
-        }
-        if (dbdomain.user_id !== user.user_id) {
-            throw new ApiError({ code: 403, message: `Domain ${domainName} is not owned by this user` });
-        }
-        apireq.domain = dbdomain;
-        apireq.user = user;
-    }
     normalizeSubdir(value) {
         if (!value) {
             return '';
@@ -129,7 +109,7 @@ export class AssetAPI extends ApiModule {
         throw new ApiError({ code: 400, message: 'templateType must be "tx" or "form"' });
     }
     async postAssets(apireq) {
-        await this.assertDomainAndUser(apireq);
+        await assert_domain_and_user(apireq);
         const rawFiles = Array.isArray(apireq.req.files) ? apireq.req.files : [];
         if (!rawFiles.length) {
             throw new ApiError({ code: 400, message: 'No files uploaded' });
@@ -152,22 +132,37 @@ export class AssetAPI extends ApiModule {
         await this.moveUploadedFiles(rawFiles, candidate);
         return [200, { Status: 'OK' }];
     }
-    async getAsset(apiReq) {
-        const domain = decodeComponent(apiReq.req.params.domain);
+    defineRoutes() {
+        return [
+            {
+                method: 'post',
+                path: '/v1/assets',
+                handler: (apiReq) => this.postAssets(apiReq),
+                auth: { type: 'yes', req: 'any' }
+            }
+        ];
+    }
+}
+export function createAssetHandler(server) {
+    return async (req, res) => {
+        const domain = decodeComponent(req?.params?.domain);
         if (!domain || !DOMAIN_PATTERN.test(domain)) {
-            throw new ApiError({ code: 404, message: 'Asset not found' });
+            res.status(404).end();
+            return;
         }
-        const rawPath = apiReq.req.params[0] ?? '';
+        const rawPath = typeof req?.params?.[0] === 'string' ? req.params[0] : '';
         const segments = rawPath
             .split('/')
             .filter(Boolean)
             .map((segment) => decodeComponent(segment));
         if (!segments.length || segments.some((segment) => !SEGMENT_PATTERN.test(segment))) {
-            throw new ApiError({ code: 404, message: 'Asset not found' });
+            res.status(404).end();
+            return;
         }
-        const assetsRoot = path.join(this.server.storage.configpath, domain, 'assets');
+        const assetsRoot = path.join(server.storage.configpath, domain, 'assets');
         if (!fs.existsSync(assetsRoot)) {
-            throw new ApiError({ code: 404, message: 'Asset not found' });
+            res.status(404).end();
+            return;
         }
         const resolvedRoot = fs.realpathSync(assetsRoot);
         const normalizedRoot = resolvedRoot.endsWith(path.sep) ? resolvedRoot : resolvedRoot + path.sep;
@@ -175,56 +170,36 @@ export class AssetAPI extends ApiModule {
         try {
             const stats = await fs.promises.stat(candidate);
             if (!stats.isFile()) {
-                throw new ApiError({ code: 404, message: 'Asset not found' });
+                res.status(404).end();
+                return;
             }
         }
         catch {
-            throw new ApiError({ code: 404, message: 'Asset not found' });
+            res.status(404).end();
+            return;
         }
         let realCandidate;
         try {
             realCandidate = await fs.promises.realpath(candidate);
         }
         catch {
-            throw new ApiError({ code: 404, message: 'Asset not found' });
+            res.status(404).end();
+            return;
         }
         if (!realCandidate.startsWith(normalizedRoot)) {
-            throw new ApiError({ code: 404, message: 'Asset not found' });
+            res.status(404).end();
+            return;
         }
-        const { res } = apiReq;
-        const originalStatus = res.status.bind(res);
-        const originalJson = res.json.bind(res);
-        res.status = ((code) => (res.headersSent ? res : originalStatus(code)));
-        res.json = ((body) => (res.headersSent ? res : originalJson(body)));
         res.type(path.extname(realCandidate));
         res.set('Cache-Control', 'public, max-age=300');
         try {
             await sendFileAsync(res, realCandidate);
         }
         catch (err) {
-            this.server.storage.print_debug(`Failed to serve asset ${domain}/${segments.join('/')}: ${err instanceof Error ? err.message : String(err)}`);
+            server.storage.print_debug(`Failed to serve asset ${domain}/${segments.join('/')}: ${err instanceof Error ? err.message : String(err)}`);
             if (!res.headersSent) {
-                throw new ApiError({ code: 500, message: 'Failed to stream asset' });
+                res.status(500).end();
             }
         }
-        return [200, null];
-    }
-    defineRoutes() {
-        const route = this.server.storage.env.ASSET_ROUTE;
-        const normalizedRoute = route.startsWith('/') ? route : `/${route}`;
-        return [
-            {
-                method: 'post',
-                path: '/v1/assets',
-                handler: (apiReq) => this.postAssets(apiReq),
-                auth: { type: 'yes', req: 'any' }
-            },
-            {
-                method: 'get',
-                path: `${normalizedRoute}/:domain/*`,
-                handler: (apiReq) => this.getAsset(apiReq),
-                auth: { type: 'none', req: 'any' }
-            }
-        ];
-    }
+    };
 }

package/dist/api/auth.js

@@ -0,0 +1,37 @@
+import { ApiError } from '@technomoron/api-server-base';
+import { api_domain } from '../models/domain.js';
+import { api_user } from '../models/user.js';
+function getBodyValue(body, ...keys) {
+    for (const key of keys) {
+        const value = body[key];
+        if (Array.isArray(value) && value.length > 0) {
+            return String(value[0]);
+        }
+        if (value !== undefined && value !== null) {
+            return String(value);
+        }
+    }
+    return '';
+}
+export async function assert_domain_and_user(apireq) {
+    const body = apireq.req.body ?? {};
+    const domain = getBodyValue(body, 'domain');
+    const locale = getBodyValue(body, 'locale');
+    if (!domain) {
+        throw new ApiError({ code: 401, message: 'Missing domain' });
+    }
+    const user = await api_user.findOne({ where: { token: apireq.token } });
+    if (!user) {
+        throw new ApiError({ code: 401, message: `Invalid/Unknown API Key/Token '${apireq.token}'` });
+    }
+    const dbdomain = await api_domain.findOne({ where: { name: domain } });
+    if (!dbdomain) {
+        throw new ApiError({ code: 401, message: `Unable to look up the domain ${domain}` });
+    }
+    if (dbdomain.user_id !== user.user_id) {
+        throw new ApiError({ code: 403, message: `Domain ${domain} is not owned by this user` });
+    }
+    apireq.domain = dbdomain;
+    apireq.user = user;
+    apireq.locale = locale || 'en';
+}

package/dist/api/forms.js

@@ -4,8 +4,8 @@ import emailAddresses from 'email-addresses';
 import nunjucks from 'nunjucks';
 import { api_domain } from '../models/domain.js';
 import { api_form } from '../models/form.js';
-import { api_user } from '../models/user.js';
 import { buildRequestMeta, normalizeSlug } from '../util.js';
+import { assert_domain_and_user } from './auth.js';
 export class FormAPI extends ApiModule {
     validateEmail(email) {
         const parsed = emailAddresses.parseOneAddress(email);
@@ -14,28 +14,8 @@ export class FormAPI extends ApiModule {
         }
         return undefined;
     }
-    async assertDomainAndUser(apireq) {
-        const { domain, locale } = apireq.req.body;
-        if (!domain) {
-            throw new ApiError({ code: 401, message: 'Missing domain' });
-        }
-        const user = await api_user.findOne({ where: { token: apireq.token } });
-        if (!user) {
-            throw new ApiError({ code: 401, message: `Invalid/Unknown API Key/Token '${apireq.token}'` });
-        }
-        const dbdomain = await api_domain.findOne({ where: { name: domain } });
-        if (!dbdomain) {
-            throw new ApiError({ code: 401, message: `Unable to look up the domain ${domain}` });
-        }
-        if (dbdomain.user_id !== user.user_id) {
-            throw new ApiError({ code: 403, message: `Domain ${domain} is not owned by this user` });
-        }
-        apireq.domain = dbdomain;
-        apireq.locale = locale || 'en';
-        apireq.user = user;
-    }
     async postFormTemplate(apireq) {
-        await this.assertDomainAndUser(apireq);
+        await assert_domain_and_user(apireq);
         const { template, sender = '', recipient = '', idname, subject = '', locale = '', secret = '' } = apireq.req.body;
         if (!template) {
             throw new ApiError({ code: 400, message: 'Missing template data' });

package/dist/api/mailer.js

@@ -2,10 +2,9 @@ import { ApiModule, ApiError } from '@technomoron/api-server-base';
 import emailAddresses from 'email-addresses';
 import { convert } from 'html-to-text';
 import nunjucks from 'nunjucks';
-import { api_domain } from '../models/domain.js';
 import { api_txmail } from '../models/txmail.js';
-import { api_user } from '../models/user.js';
 import { buildRequestMeta } from '../util.js';
+import { assert_domain_and_user } from './auth.js';
 export class MailerAPI extends ApiModule {
     //
     // Validate and return the parsed email address
@@ -38,29 +37,9 @@ export class MailerAPI extends ApiModule {
         });
         return { valid, invalid };
     }
-    async assert_domain_and_user(apireq) {
-        const { domain, locale } = apireq.req.body;
-        if (!domain) {
-            throw new ApiError({ code: 401, message: 'Missing domain' });
-        }
-        const user = await api_user.findOne({ where: { token: apireq.token } });
-        if (!user) {
-            throw new ApiError({ code: 401, message: `Invalid/Unknown API Key/Token '${apireq.token}'` });
-        }
-        const dbdomain = await api_domain.findOne({ where: { name: domain } });
-        if (!dbdomain) {
-            throw new ApiError({ code: 401, message: `Unable to look up the domain ${domain}` });
-        }
-        if (dbdomain.user_id !== user.user_id) {
-            throw new ApiError({ code: 403, message: `Domain ${domain} is not owned by this user` });
-        }
-        apireq.domain = dbdomain;
-        apireq.locale = locale || 'en';
-        apireq.user = user;
-    }
     // Store a template in the database
     async post_template(apireq) {
-        await this.assert_domain_and_user(apireq);
+        await assert_domain_and_user(apireq);
         const { template, sender = '', name, subject = '', locale = '' } = apireq.req.body;
         if (!template) {
             throw new ApiError({ code: 400, message: 'Missing template data' });
@@ -100,8 +79,8 @@ export class MailerAPI extends ApiModule {
     }
     // Send a template using posted arguments.
     async post_send(apireq) {
-        await this.assert_domain_and_user(apireq);
         const { name, rcpt, domain = '', locale = '', vars = {}, replyTo, reply_to, headers } = apireq.req.body;
+        await assert_domain_and_user(apireq);
         if (!name || !rcpt || !domain) {
             throw new ApiError({ code: 400, message: 'name/rcpt/domain required' });
         }

package/dist/index.js

@@ -1,12 +1,23 @@
-import fs from 'node:fs';
-import { createRequire } from 'node:module';
-import path from 'node:path';
-import { fileURLToPath, pathToFileURL } from 'node:url';
-import { AssetAPI } from './api/assets.js';
+import { pathToFileURL } from 'node:url';
+import { AssetAPI, createAssetHandler } from './api/assets.js';
 import { FormAPI } from './api/forms.js';
 import { MailerAPI } from './api/mailer.js';
 import { mailApiServer } from './server.js';
 import { mailStore } from './store/store.js';
+function normalizeRoute(value, fallback = '') {
+    if (!value) {
+        return fallback;
+    }
+    const trimmed = value.trim();
+    if (!trimmed) {
+        return fallback;
+    }
+    const withLeading = trimmed.startsWith('/') ? trimmed : `/${trimmed}`;
+    if (withLeading === '/') {
+        return withLeading;
+    }
+    return withLeading.replace(/\/+$/, '');
+}
 function buildServerConfig(store, overrides) {
     const env = store.env;
     return {
@@ -14,7 +25,7 @@ function buildServerConfig(store, overrides) {
         apiPort: env.API_PORT,
         uploadPath: store.getUploadStagingPath(),
         debug: env.DEBUG,
-        apiBasePath: '',
+        apiBasePath: normalizeRoute(env.API_BASE_PATH, '/api'),
         swaggerEnabled: env.SWAGGER_ENABLED,
         swaggerPath: env.SWAGGER_PATH,
         ...overrides
@@ -22,9 +33,18 @@ function buildServerConfig(store, overrides) {
 }
 export async function createMailMagicServer(overrides = {}) {
     const store = await new mailStore().init();
+    if (typeof overrides.apiBasePath === 'string') {
+        store.env.API_BASE_PATH = overrides.apiBasePath;
+    }
     const config = buildServerConfig(store, overrides);
     const server = new mailApiServer(config, store).api(new MailerAPI()).api(new FormAPI()).api(new AssetAPI());
-    mountAdminUi(server, store);
+    mountAssetRoute(server, store);
+    if (store.env.ADMIN_ENABLED) {
+        await enableAdminFeatures(server, store);
+    }
+    else {
+        store.print_debug('Admin UI/API disabled via ADMIN_ENABLED');
+    }
     return { server, store, env: store.env };
 }
 export async function startMailMagicServer(overrides = {}) {
@@ -56,58 +76,44 @@ const isDirectExecution = (() => {
 if (isDirectExecution) {
     void bootMailMagic();
 }
-function resolveAdminDist() {
-    const require = createRequire(import.meta.url);
+async function enableAdminFeatures(server, store) {
     try {
-        const pkgPath = require.resolve('@technomoron/mail-magic-admin/package.json');
-        const pkgDir = path.dirname(pkgPath);
-        const distPath = path.join(pkgDir, 'dist');
-        if (fs.existsSync(distPath)) {
-            return distPath;
+        const mod = (await import('@technomoron/mail-magic-admin'));
+        if (typeof mod?.registerAdmin === 'function') {
+            await mod.registerAdmin(server, {
+                apiBasePath: normalizeRoute(store.env.API_BASE_PATH, '/api'),
+                assetRoute: normalizeRoute(store.env.ASSET_ROUTE, '/asset'),
+                appPath: store.env.ADMIN_APP_PATH,
+                logger: (message) => store.print_debug(message)
+            });
+        }
+        else if (mod?.AdminAPI) {
+            server.api(new mod.AdminAPI());
+        }
+        else {
+            store.print_debug('Admin features not exported from @technomoron/mail-magic-admin');
         }
     }
-    catch {
-        // ignore
-    }
-    const fallbackBase = path.dirname(fileURLToPath(import.meta.url));
-    const fallback = path.resolve(fallbackBase, '..', '..', 'mail-magic-admin', 'dist');
-    if (fs.existsSync(fallback)) {
-        return fallback;
+    catch (err) {
+        store.print_debug(`Unable to load admin module: ${err instanceof Error ? err.message : String(err)}`);
     }
-    return null;
 }
-function mountAdminUi(server, store) {
-    const distPath = resolveAdminDist();
-    if (!distPath) {
-        store.print_debug('Admin UI not found, skipping static mount');
+function mountAssetRoute(server, store) {
+    const normalizedRoute = normalizeRoute(store.env.ASSET_ROUTE, '/asset');
+    server.app.get(`${normalizedRoute}/:domain/*`, createAssetHandler(server));
+    ensureApiNotFoundLast(server);
+}
+function ensureApiNotFoundLast(server) {
+    const anyServer = server;
+    const handler = anyServer.apiNotFoundHandler;
+    const stack = anyServer.app?._router?.stack;
+    if (!handler || !Array.isArray(stack)) {
         return;
     }
-    const assetRoute = store.env.ASSET_ROUTE.startsWith('/') ? store.env.ASSET_ROUTE : `/${store.env.ASSET_ROUTE}`;
-    const indexPath = path.join(distPath, 'index.html');
-    const hasIndex = fs.existsSync(indexPath);
-    server.app.get('*', (req, res, next) => {
-        if (req.method !== 'GET') {
-            next();
-            return;
-        }
-        if (req.path.startsWith('/api') || req.path.startsWith(assetRoute)) {
-            next();
-            return;
-        }
-        const requestPath = req.path === '/' ? 'index.html' : req.path.replace(/^\//, '');
-        const resolvedPath = path.resolve(distPath, requestPath);
-        if (!resolvedPath.startsWith(`${distPath}${path.sep}`) && resolvedPath !== distPath) {
-            next();
-            return;
-        }
-        if (fs.existsSync(resolvedPath) && fs.statSync(resolvedPath).isFile()) {
-            res.sendFile(resolvedPath);
-            return;
-        }
-        if (!hasIndex) {
-            next();
-            return;
-        }
-        res.sendFile(indexPath);
-    });
+    const index = stack.findIndex((layer) => layer?.handle === handler);
+    if (index === -1 || index === stack.length - 1) {
+        return;
+    }
+    const [layer] = stack.splice(index, 1);
+    stack.push(layer);
 }

package/dist/models/init.js

@@ -35,7 +35,7 @@ function resolveAsset(basePath, domainName, assetName) {
 }
 function buildAssetUrl(baseUrl, route, domainName, assetPath) {
     const trimmedBase = baseUrl.endsWith('/') ? baseUrl.slice(0, -1) : baseUrl;
-    const normalizedRoute = route.startsWith('/') ? route : `/${route}`;
+    const normalizedRoute = route ? (route.startsWith('/') ? route : `/${route}`) : '';
     const encodedDomain = encodeURIComponent(domainName);
     const encodedPath = assetPath
         .split('/')
@@ -69,7 +69,8 @@ function extractAndReplaceAssets(html, opts) {
             throw new Error(`Asset path escapes domain assets directory: ${fullPath}`);
         }
         const normalizedAssetPath = relativeToAssets.split(path.sep).join('/');
-        const assetUrl = buildAssetUrl(opts.apiUrl, opts.assetRoute, opts.domainName, normalizedAssetPath);
+        const baseUrl = opts.assetBaseUrl?.trim() ? opts.assetBaseUrl : opts.apiUrl;
+        const assetUrl = buildAssetUrl(baseUrl, opts.assetRoute, opts.domainName, normalizedAssetPath);
         return `src="${assetUrl}"`;
     });
     return { html: replacedHtml, assets };
@@ -106,6 +107,7 @@ async function _load_template(store, filename, pathname, user, domain, locale, t
             basePath: baseConfigPath,
             domainName: domain.name,
             apiUrl: store.env.API_URL,
+            assetBaseUrl: store.env.ASSET_PUBLIC_BASE,
             assetRoute: store.env.ASSET_ROUTE
         });
         return { html, assets };

package/dist/store/envloader.js

@@ -28,6 +28,14 @@ export const envOptions = defineEnvOptions({
         description: 'Sets the public URL for the API (i.e. https://ml.example.com:3790)',
         default: 'http://localhost:3776'
     },
+    API_BASE_PATH: {
+        description: 'Base path prefix for API routes',
+        default: '/api'
+    },
+    ASSET_PUBLIC_BASE: {
+        description: 'Public base URL for asset hosting (origin or origin + path)',
+        default: ''
+    },
     SWAGGER_ENABLED: {
         description: 'Enable the Swagger/OpenAPI endpoint',
         type: 'boolean',
@@ -37,6 +45,15 @@ export const envOptions = defineEnvOptions({
         description: 'Path to expose the Swagger/OpenAPI spec (default: /api/swagger when enabled)',
         default: ''
     },
+    ADMIN_ENABLED: {
+        description: 'Enable the optional admin UI and admin API module when available',
+        default: false,
+        type: 'boolean'
+    },
+    ADMIN_APP_PATH: {
+        description: 'Optional path to the admin UI dist directory (or its parent)',
+        default: ''
+    },
     ASSET_ROUTE: {
         description: 'Route prefix exposed for config assets',
         default: '/asset'

package/package.json

@@ -1,6 +1,6 @@
 {
 	"name": "@technomoron/mail-magic",
-	"version": "1.0.13",
+	"version": "1.0.15",
 	"main": "dist/index.js",
 	"type": "module",
 	"bin": {