@wopr-network/platform-ui-core 1.27.8 → 1.27.9

package/src/lib/require-auth.ts

@@ -0,0 +1,57 @@
+"use client";
+
+import { useRouter } from "next/navigation";
+import { useEffect } from "react";
+import { useSession } from "@/lib/auth-client";
+
+/**
+ * Hook for pages that require authentication.
+ * Redirects to /login if no session. Returns session data when authed.
+ *
+ * Usage:
+ *   const { user, session, isPending } = useRequireAuth();
+ *   if (isPending) return <Loading />;
+ */
+export function useRequireAuth(callbackUrl?: string) {
+  const { data, isPending } = useSession();
+  const router = useRouter();
+
+  useEffect(() => {
+    // Diagnostic logging — remove once redirect loop is resolved
+    if (!isPending) {
+    }
+
+    if (!isPending && !data?.session) {
+      const callback = callbackUrl || window.location.pathname;
+      router.replace(`/login?reason=expired&callbackUrl=${encodeURIComponent(callback)}`);
+    }
+  }, [isPending, data, router, callbackUrl]);
+
+  return {
+    user: data?.user ?? null,
+    session: data?.session ?? null,
+    isPending,
+    isAuthed: !!data?.session,
+  };
+}
+
+/**
+ * Hook for pages that require platform_admin role.
+ * Redirects to / if not admin.
+ */
+export function useRequireAdmin() {
+  const auth = useRequireAuth();
+  const router = useRouter();
+
+  useEffect(() => {
+    if (!auth.isPending && auth.user && (auth.user as Record<string, unknown>).role !== "platform_admin") {
+      router.replace("/");
+    }
+  }, [auth.isPending, auth.user, router]);
+
+  return {
+    ...auth,
+    isAdmin: (auth.user as Record<string, unknown> | null)?.role === "platform_admin",
+  };
+}
+// retry

package/src/lib/settings-api.ts

@@ -33,10 +33,7 @@ export async function saveProviderKey(
   });
 }
 
-export async function testProviderKey(
-  provider: string,
-  key?: string,
-): Promise<{ valid: boolean; error?: string }> {
+export async function testProviderKey(provider: string, key?: string): Promise<{ valid: boolean; error?: string }> {
   return trpcVanilla.capabilities.testKey.mutate({
     provider: provider as ProviderName,
     key: key ?? "",

package/src/lib/sidecar-routes.ts

@@ -0,0 +1,43 @@
+// core/platform-ui-core/src/lib/sidecar-routes.ts
+
+export type RouteType = "iframe" | "native";
+
+export const IFRAME_PREFIXES = [
+  "/dashboard",
+  "/inbox",
+  "/issues",
+  "/routines",
+  "/goals",
+  "/projects",
+  "/agents",
+  "/org",
+  "/skills",
+  "/company",
+  "/approvals",
+  "/activity",
+  "/costs",
+  "/execution-workspaces",
+  "/plugins",
+] as const;
+
+export function getRouteType(pathname: string): RouteType {
+  for (const prefix of IFRAME_PREFIXES) {
+    if (pathname === prefix || pathname.startsWith(`${prefix}/`)) return "iframe";
+  }
+  return "native";
+}
+
+export function fromSidecarPath(sidecarPath: string): string {
+  const segments = sidecarPath.split("/").filter(Boolean);
+  if (segments.length === 0) return "/dashboard";
+
+  const firstSegment = `/${segments[0]}`;
+  for (const prefix of IFRAME_PREFIXES) {
+    if (firstSegment === prefix || prefix.startsWith(`${firstSegment}/`)) {
+      return sidecarPath;
+    }
+  }
+
+  // First segment is a company prefix — strip it
+  return `/${segments.slice(1).join("/")}` || "/dashboard";
+}

package/src/lib/trpc-server.ts

@@ -0,0 +1,49 @@
+/**
+ * Server-side tRPC client for calling core from SSR / API routes / server actions.
+ *
+ * This client injects service-to-service auth headers so that core can identify
+ * the calling product, tenant, and user without relying on browser session cookies.
+ *
+ * Environment variables (server-only — NEVER prefix with NEXT_PUBLIC_):
+ *   CORE_SERVICE_TOKEN  — shared secret between this UI server and core
+ *   INTERNAL_API_URL    — internal network URL (e.g. http://core:3001)
+ *                         Falls back to NEXT_PUBLIC_API_URL → localhost:3001
+ *
+ * The browser-side tRPC client (trpc.tsx) still uses session cookies during the
+ * transition period. Eventually all calls will flow through SSR → this client → core.
+ */
+import { createTRPCClient, httpBatchLink } from "@trpc/client";
+import type { AppRouter } from "./trpc-types";
+
+export interface ServerTRPCContext {
+  tenantId: string;
+  userId: string;
+  product: string;
+  roles?: string[];
+}
+
+/**
+ * Create a tRPC client for server-side calls to core.
+ *
+ * Each request context (SSR render, API route handler) should call this once
+ * with the current user/tenant context extracted from the incoming request.
+ */
+export function createServerTRPCClient(ctx: ServerTRPCContext) {
+  const serviceToken = process.env.CORE_SERVICE_TOKEN ?? "";
+  const apiUrl = process.env.INTERNAL_API_URL ?? process.env.NEXT_PUBLIC_API_URL ?? "http://localhost:3001";
+
+  return createTRPCClient<AppRouter>({
+    links: [
+      httpBatchLink({
+        url: `${apiUrl}/trpc`,
+        headers: () => ({
+          ...(serviceToken ? { Authorization: `Bearer ${serviceToken}` } : {}),
+          "X-Tenant-Id": ctx.tenantId,
+          "X-User-Id": ctx.userId,
+          "X-Product": ctx.product,
+          ...(ctx.roles?.length ? { "X-User-Roles": ctx.roles.join(",") } : {}),
+        }),
+      }),
+    ],
+  });
+}

package/src/lib/trpc-types.ts

@@ -13,12 +13,7 @@
  * The real AppRouter type lives at:
  *   wopr-network/wopr-platform/src/trpc/index.ts → `export type AppRouter = typeof appRouter;`
  */
-import type {
-  AnyTRPCMutationProcedure,
-  AnyTRPCQueryProcedure,
-  AnyTRPCRootTypes,
-  TRPCBuiltRouter,
-} from "@trpc/server";
+import type { AnyTRPCMutationProcedure, AnyTRPCQueryProcedure, AnyTRPCRootTypes, TRPCBuiltRouter } from "@trpc/server";
 
 /**
  * Minimal router record for the procedures this UI consumes.
@@ -106,6 +101,7 @@ type AppRouterRecord = {
     billingInfo: AnyTRPCQueryProcedure;
     creditsBalance: AnyTRPCQueryProcedure;
     creditsHistory: AnyTRPCQueryProcedure;
+    creditsDailySummary: AnyTRPCQueryProcedure;
     creditsCheckout: AnyTRPCMutationProcedure;
     creditOptions: AnyTRPCQueryProcedure;
     inferenceMode: AnyTRPCQueryProcedure;
@@ -133,6 +129,7 @@ type AppRouterRecord = {
   fleet: {
     listInstances: AnyTRPCQueryProcedure;
     getInstance: AnyTRPCQueryProcedure;
+    instanceVersionCheck: AnyTRPCQueryProcedure;
     createInstance: AnyTRPCMutationProcedure;
     controlInstance: AnyTRPCMutationProcedure;
     getInstanceHealth: AnyTRPCQueryProcedure;
@@ -159,6 +156,7 @@ type AppRouterRecord = {
     getProfile: AnyTRPCQueryProcedure;
     updateProfile: AnyTRPCMutationProcedure;
     changePassword: AnyTRPCMutationProcedure;
+    deleteAccount: AnyTRPCMutationProcedure;
   };
   org: {
     getOrganization: AnyTRPCQueryProcedure;

package/src/lib/trpc.tsx

@@ -5,6 +5,7 @@ import { createTRPCClient, httpBatchLink } from "@trpc/client";
 import { createTRPCReact } from "@trpc/react-query";
 import { useState } from "react";
 import { PLATFORM_BASE_URL } from "./api-config";
+import { getBrandConfig } from "./brand-config";
 import { handleUnauthorized } from "./fetch-utils";
 import { getActiveTenantId, TenantProvider } from "./tenant-context";
 import type { AppRouter } from "./trpc-types";
@@ -16,8 +17,7 @@ async function trpcFetchWithAuth(url: RequestInfo | URL, options?: RequestInit)
   if (res.status === 401) {
     // On login page, don't throw — let the batch continue so public queries
     // (like enabledSocialProviders) resolve alongside failing auth queries.
-    const onLoginPage =
-      typeof window !== "undefined" && window.location.pathname.startsWith("/login");
+    const onLoginPage = typeof window !== "undefined" && window.location.pathname.startsWith("/login");
     if (!onLoginPage) {
       handleUnauthorized();
     }
@@ -36,7 +36,11 @@ export const trpcVanilla = createTRPCClient<AppRouter>({
       fetch: trpcFetchWithAuth,
       headers() {
         const tenantId = getActiveTenantId();
-        return tenantId ? { "x-tenant-id": tenantId } : {};
+        const product = process.env.NEXT_PUBLIC_PRODUCT_SLUG || getBrandConfig().storagePrefix;
+        return {
+          ...(tenantId ? { "x-tenant-id": tenantId } : {}),
+          ...(product ? { "x-product": product } : {}),
+        };
       },
     }),
   ],
@@ -87,7 +91,11 @@ export function TRPCProvider({
           fetch: trpcFetchWithAuth,
           headers() {
             const tenantId = getActiveTenantId();
-            return tenantId ? { "x-tenant-id": tenantId } : {};
+            const product = process.env.NEXT_PUBLIC_PRODUCT_SLUG || getBrandConfig().storagePrefix;
+            return {
+              ...(tenantId ? { "x-tenant-id": tenantId } : {}),
+              ...(product ? { "x-product": product } : {}),
+            };
           },
         }),
       ],

package/src/lib/validate-redirect-url.ts

@@ -1,8 +1,5 @@
 /** Origins that are always allowed as redirect targets from checkout responses. */
-const STATIC_ALLOWED_ORIGINS: readonly string[] = [
-  "https://checkout.stripe.com",
-  "https://billing.stripe.com",
-];
+const STATIC_ALLOWED_ORIGINS: readonly string[] = ["https://checkout.stripe.com", "https://billing.stripe.com"];
 
 /**
  * Build the full allowed origins set, including any configured BTCPay Server origin.

package/src/lib/webmcp/marketplace-onboarding-tools.ts

@@ -10,17 +10,14 @@ function isOnMarketplace(): boolean {
   return typeof window !== "undefined" && window.location.pathname.startsWith("/marketplace");
 }
 
-export function getMarketplaceOnboardingTools(
-  deps: MarketplaceOnboardingToolDeps,
-): ModelContextTool[] {
+export function getMarketplaceOnboardingTools(deps: MarketplaceOnboardingToolDeps): ModelContextTool[] {
   const { router } = deps;
 
   return [
     // ── Marketplace tools ───────────────────────────────────────────
     {
       name: "marketplace.showSuperpowers",
-      description:
-        "Filter the marketplace grid by a search query. Navigates to the marketplace page first if needed.",
+      description: "Filter the marketplace grid by a search query. Navigates to the marketplace page first if needed.",
       inputSchema: {
         type: "object",
         properties: {
@@ -34,16 +31,13 @@ export function getMarketplaceOnboardingTools(
           router.push(`/marketplace?q=${encodeURIComponent(query)}`);
           return { ok: true, navigated: true };
         }
-        window.dispatchEvent(
-          new CustomEvent(eventName("marketplace"), { detail: { type: "filter", query } }),
-        );
+        window.dispatchEvent(new CustomEvent(eventName("marketplace"), { detail: { type: "filter", query } }));
         return { ok: true, navigated: false };
       },
     },
     {
       name: "marketplace.highlightCard",
-      description:
-        "Pulse/glow a specific plugin card and scroll it into view. Uses data-plugin-card-id attribute.",
+      description: "Pulse/glow a specific plugin card and scroll it into view. Uses data-plugin-card-id attribute.",
       inputSchema: {
         type: "object",
         properties: {
@@ -86,9 +80,7 @@ export function getMarketplaceOnboardingTools(
         properties: {},
       },
       handler: async () => {
-        window.dispatchEvent(
-          new CustomEvent(eventName("marketplace"), { detail: { type: "clearFilter" } }),
-        );
+        window.dispatchEvent(new CustomEvent(eventName("marketplace"), { detail: { type: "clearFilter" } }));
         return { ok: true };
       },
     },
@@ -188,9 +180,7 @@ export function getMarketplaceOnboardingTools(
       },
       handler: async (params) => {
         const elementId = params.elementId as string;
-        const el = document.querySelector(
-          `[data-onboarding-id="${CSS.escape(elementId)}"]`,
-        ) as HTMLElement | null;
+        const el = document.querySelector(`[data-onboarding-id="${CSS.escape(elementId)}"]`) as HTMLElement | null;
         if (!el) {
           return { error: `Element with data-onboarding-id='${elementId}' not found` };
         }

package/src/lib/webmcp/register.ts

@@ -1,8 +1,5 @@
 import { isWebMCPAvailable } from "./feature-detect";
-import {
-  getMarketplaceOnboardingTools,
-  type MarketplaceOnboardingToolDeps,
-} from "./marketplace-onboarding-tools";
+import { getMarketplaceOnboardingTools, type MarketplaceOnboardingToolDeps } from "./marketplace-onboarding-tools";
 import { type ConfirmCallback, getChatWebMCPTools, getWebMCPTools } from "./tools";
 
 /**

package/src/lib/webmcp/tools.ts

@@ -1,10 +1,4 @@
-import {
-  controlInstance,
-  createInstance,
-  getInstanceHealth,
-  getInstanceLogs,
-  listInstances,
-} from "@/lib/api";
+import { controlInstance, createInstance, getInstanceHealth, getInstanceLogs, listInstances } from "@/lib/api";
 import { installPlugin } from "@/lib/bot-settings-data";
 import { brandName, eventName, getBrandConfig, productName } from "@/lib/brand-config";
 import { listMarketplacePlugins } from "@/lib/marketplace-data";
@@ -324,8 +318,7 @@ export function getChatWebMCPTools(): ModelContextTool[] {
     },
     {
       name: "setup.begin",
-      description:
-        "Begin conversational setup for a plugin. Bot receives plugin ID and config schema.",
+      description: "Begin conversational setup for a plugin. Bot receives plugin ID and config schema.",
       inputSchema: {
         type: "object",
         properties: {

package/src/proxy.ts

@@ -1,13 +1,26 @@
 import { type NextRequest, NextResponse } from "next/server";
-import { getBrandConfig } from "@/lib/brand-config";
-import { logger } from "@/lib/logger";
-import { sanitizeRedirectUrl } from "@/lib/utils";
 
-const log = logger("middleware");
+/**
+ * Middleware — CSP headers, CSRF protection, nonce generation, tenant cookie forwarding.
+ *
+ * NO auth checks. Pages that need auth use useRequireAuth() from @/lib/require-auth.
+ */
+
+const MUTATION_METHODS = new Set(["POST", "PUT", "PATCH", "DELETE"]);
+
+const CSRF_EXEMPT_AUTH_PATHS = ["/api/auth/callback"];
+
+// Middleware runs at edge before initBrandConfig(). Read cookie name from
+// env var directly — this is the ONE place process.env is acceptable for
+// brand config, because middleware can't await the core API.
+const TENANT_COOKIE_NAME =
+  process.env.NEXT_PUBLIC_BRAND_TENANT_COOKIE ||
+  `${process.env.NEXT_PUBLIC_BRAND_STORAGE_PREFIX || "platform"}_tenant_id`;
+
+const NONCE_STYLES_ENABLED = true;
 
 /** Derive API origin from request hostname. Convention: api.<domain>. */
 function getApiOrigin(host: string): string {
-  // Explicit override for local dev
   if (process.env.NEXT_PUBLIC_API_URL) {
     try {
       return new URL(process.env.NEXT_PUBLIC_API_URL).origin;
@@ -24,21 +37,6 @@ function getApiOrigin(host: string): string {
   return `https://api.${hostname}`;
 }
 
-/**
- * Only add upgrade-insecure-requests when actually serving over HTTPS.
- * Checking NODE_ENV breaks local dev in Docker (NODE_ENV=production but no TLS).
- * Computed per-request in buildCsp() from the request URL protocol.
- */
-
-/**
- * Nonce-based style-src toggle.
- *
- * Enabled — style-src uses nonce-based policy instead of 'unsafe-inline'.
- * Tailwind v4 compiles styles at build time (no runtime injection).
- * framer-motion nonce support is provided via MotionConfig in the root layout.
- */
-const NONCE_STYLES_ENABLED = true;
-
 /** Build the CSP header value with a per-request nonce. */
 function buildCsp(nonce: string, requestUrl?: string, requestHost?: string): string {
   const isHttps = requestUrl ? requestUrl.startsWith("https://") : false;
@@ -49,10 +47,10 @@ function buildCsp(nonce: string, requestUrl?: string, requestHost?: string): str
     ...(NONCE_STYLES_ENABLED
       ? [`style-src-elem 'self' 'unsafe-inline' 'nonce-${nonce}'`, "style-src-attr 'unsafe-inline'"]
       : ["style-src 'self' 'unsafe-inline'"]),
-    "img-src 'self' data: blob:",
+    "img-src 'self' data: blob: https:",
     "font-src 'self'",
     `connect-src 'self' https://api.stripe.com${api ? ` ${api}` : ""}`,
-    "frame-src https://js.stripe.com",
+    "frame-src 'self' https://js.stripe.com",
     "frame-ancestors 'none'",
     "base-uri 'self'",
     "form-action 'self'",
@@ -61,241 +59,66 @@ function buildCsp(nonce: string, requestUrl?: string, requestHost?: string): str
   ].join("; ");
 }
 
-const publicPaths = [
-  "/login",
-  "/signup",
-  "/forgot-password",
-  "/reset-password",
-  "/auth/callback",
-  "/auth/verify",
-  "/api/auth/",
-];
-
-/** Paths that are public only when matched exactly (not as a prefix). */
-const publicExactPaths = new Set([
-  "/",
-  "/og",
-  "/terms",
-  "/privacy",
-  "/pricing",
-  "/status",
-  // Health endpoint must be publicly accessible for infra probes (uptime monitors,
-  // Kubernetes liveness/readiness, load balancers) that do not carry session cookies.
-  "/api/health",
-  // Better Auth root endpoint — sub-paths matched via publicPaths prefix list (/api/auth/).
-  "/api/auth",
-]);
-
-const MUTATION_METHODS = new Set(["POST", "PUT", "PATCH", "DELETE"]);
-
-/**
- * Mutation paths under /api/auth that are exempt from CSRF origin validation.
- * OAuth identity providers POST to callback URLs cross-origin — these cannot
- * carry a matching Origin header, so we must allow them through.
- * All other /api/auth mutations (sign-in, sign-up, sign-out, etc.) are
- * validated like any other /api route.
- */
-const CSRF_EXEMPT_AUTH_PATHS = [
-  "/api/auth/callback", // e.g. /api/auth/callback/google, /api/auth/callback/github
-];
-
-const PLATFORM_BASE_URL = process.env.NEXT_PUBLIC_API_URL ?? "http://localhost:3001";
-
-const TENANT_COOKIE_NAME = getBrandConfig().tenantCookieName;
-
-/** Post-auth landing page — configurable per brand (default: /marketplace). */
-const HOME_PATH = (() => {
-  const p = (process.env.NEXT_PUBLIC_BRAND_HOME_PATH || "/marketplace").trim();
-  if (!p || /^https?:\/\//i.test(p)) return "/marketplace";
-  return p.startsWith("/") ? p : `/${p}`;
-})();
-
-/**
- * Validate that a state-changing request originates from this application.
- * Checks the Origin header (preferred) with Referer as fallback.
- * Returns true if the request is safe, false if it should be blocked.
- */
 export function validateCsrfOrigin(request: NextRequest): boolean {
   const origin = request.headers.get("origin");
   const referer = request.headers.get("referer");
   const host = request.headers.get("host");
-
   if (!host) return false;
-
-  // Build the allowed origin using the request's actual protocol only,
-  // preventing protocol downgrade attacks (e.g. HTTP origin to HTTPS endpoint)
-  const protocol = request.nextUrl.protocol; // "https:" or "http:"
+  const protocol = request.nextUrl.protocol;
   const allowedOrigin = `${protocol}//${host}`;
-
-  // Check Origin header first (most reliable)
-  if (origin) {
-    return origin === allowedOrigin;
-  }
-
-  // Fall back to Referer header
+  if (origin) return origin === allowedOrigin;
   if (referer) {
     try {
-      const refererOrigin = new URL(referer).origin;
-      return refererOrigin === allowedOrigin;
+      return new URL(referer).origin === allowedOrigin;
     } catch {
-      // Malformed referer URL — treat as non-matching origin
       return false;
     }
   }
-
-  // No Origin or Referer on a mutation request is suspicious — block it.
-  // Legitimate browser form submissions and fetch() calls include Origin.
   return false;
 }
 
-/**
- * Fetch the authenticated user's role from Better Auth's get-session endpoint.
- * Returns the role string (e.g. "platform_admin", "user") or null if the
- * session is invalid or the request fails. Fails closed: any error → null.
- */
-async function getSessionRole(request: NextRequest): Promise<string | null> {
-  const sessionCookie =
-    request.cookies.get("better-auth.session_token") ??
-    request.cookies.get("__Secure-better-auth.session_token");
-
-  if (!sessionCookie?.value.trim()) return null;
-
-  try {
-    const res = await fetch(`${PLATFORM_BASE_URL}/api/auth/get-session`, {
-      headers: {
-        cookie: `${sessionCookie.name}=${sessionCookie.value}`,
-      },
-    });
-    if (!res.ok) return null;
-    const data = await res.json();
-    return data?.user?.role ?? null;
-  } catch (e) {
-    log.warn("Failed to fetch user role for middleware routing", e);
-    return null;
-  }
-}
-
 export default async function middleware(request: NextRequest) {
   const { pathname } = request.nextUrl;
-  const host = request.headers.get("host") || "";
 
-  // Generate a per-request nonce for CSP
+  // Sidecar proxy: rewrite /_sidecar/* to the core API.
+  // The core's tenant-proxy middleware resolves the user's instance
+  // from their session, finds the container URL, and proxies upstream.
+  if (pathname.startsWith("/_sidecar")) {
+    const apiOrigin = process.env.INTERNAL_API_URL || "http://core:3001";
+    const target = new URL(`${apiOrigin}${pathname}${request.nextUrl.search}`);
+    return NextResponse.rewrite(target);
+  }
+
   const nonce = crypto.randomUUID();
   const cspHeaderValue = buildCsp(nonce, request.url, request.headers.get("host") ?? "");
 
-  /** Apply CSP and cache-busting headers to any response before returning it. */
   function withCsp(response: NextResponse): NextResponse {
     response.headers.set("Content-Security-Policy", cspHeaderValue);
-    // Nonce is passed to server components via request headers (not response headers).
-    // See nextWithNonce() below — it uses NextResponse.next({ request: { headers } }).
     response.headers.set("Vary", "*");
     return response;
   }
 
-  /**
-   * Create a NextResponse.next() that forwards the CSP nonce to server components
-   * via request headers, without exposing it in the HTTP response.
-   */
   function nextWithNonce(): NextResponse {
     const requestHeaders = new Headers(request.headers);
     requestHeaders.set("x-nonce", nonce);
-
-    // Strip any client-supplied x-tenant-id before conditionally setting from the
-    // trusted HttpOnly cookie. Without this delete, a client that sends their own
-    // x-tenant-id header could spoof a tenant when no cookie is present.
     requestHeaders.delete("x-tenant-id");
-
-    // Forward HttpOnly tenant cookie as request header for server components
     const tenantCookie = request.cookies.get(TENANT_COOKIE_NAME);
     if (tenantCookie?.value) {
       requestHeaders.set("x-tenant-id", tenantCookie.value);
     }
-
     return NextResponse.next({ request: { headers: requestHeaders } });
   }
 
-  // CSRF protection: validate Origin/Referer on state-changing API requests.
+  // CSRF protection on API mutations
   if (pathname.startsWith("/api") && MUTATION_METHODS.has(request.method)) {
-    // OAuth callback endpoints receive cross-origin POSTs from identity providers (POST only)
     const isCsrfExempt =
-      CSRF_EXEMPT_AUTH_PATHS.some((p) => pathname === p || pathname.startsWith(`${p}/`)) &&
-      request.method === "POST";
+      CSRF_EXEMPT_AUTH_PATHS.some((p) => pathname === p || pathname.startsWith(`${p}/`)) && request.method === "POST";
     if (!isCsrfExempt && !validateCsrfOrigin(request)) {
       return NextResponse.json({ error: "CSRF validation failed" }, { status: 403 });
     }
   }
 
-  // Redirect authenticated users from "/" to the app subdomain if on the marketing domain.
-  // On the app subdomain, redirect to HOME_PATH. On the base domain, redirect to app subdomain.
-  // NOTE: This check requires the Better Auth server to set the session cookie with
-  // domain=".<base-domain>" so it is visible on both the app and marketing subdomains.
-  // See: wopr-platform/src/auth/better-auth.ts advanced.cookies.session_token.attributes.domain
-  if (pathname === "/") {
-    const sessionToken =
-      request.cookies.get("better-auth.session_token") ??
-      request.cookies.get("__Secure-better-auth.session_token");
-    if (sessionToken?.value.trim()) {
-      const appDomain =
-        process.env.NEXT_PUBLIC_BRAND_APP_DOMAIN || process.env.NEXT_PUBLIC_APP_DOMAIN;
-      if (appDomain && !host.startsWith("app.")) {
-        // On marketing domain — redirect to the app subdomain
-        const appUrl = new URL(`https://${appDomain}`);
-        appUrl.pathname = HOME_PATH;
-        return withCsp(NextResponse.redirect(appUrl));
-      }
-      // On app subdomain (or no configured app domain) — redirect to home
-      return withCsp(NextResponse.redirect(new URL(HOME_PATH, request.url)));
-    }
-  }
-
-  // --- Admin route authorization (server-side) ---
-  // Non-admins are redirected before any page JS loads.
-  // Unauthenticated users fall through to the session check below (→ /login).
-  if (pathname.startsWith("/admin")) {
-    const sessionCookie =
-      request.cookies.get("better-auth.session_token") ??
-      request.cookies.get("__Secure-better-auth.session_token");
-    if (sessionCookie?.value.trim()) {
-      const role = await getSessionRole(request);
-      if (role !== "platform_admin") {
-        return withCsp(NextResponse.redirect(new URL(HOME_PATH, request.url)));
-      }
-      // Admin confirmed — serve page with anti-cache headers so revocation
-      // is detected on the very next navigation (browser must revalidate).
-      const response = nextWithNonce();
-      response.headers.set("Cache-Control", "no-store, no-cache, must-revalidate");
-      response.headers.set("Pragma", "no-cache");
-      response.headers.set("Expires", "0");
-      return withCsp(response);
-    }
-    // No session cookie → fall through to the session check below which redirects to /login
-  }
-
-  // Allow public paths
-  if (publicExactPaths.has(pathname) || publicPaths.some((p) => pathname.startsWith(p))) {
-    return withCsp(nextWithNonce());
-  }
-
-  // Allow static files (but not API paths with dots, e.g. /api/config.json)
-  if (pathname.startsWith("/_next") || (pathname.includes(".") && !pathname.startsWith("/api"))) {
-    return withCsp(nextWithNonce());
-  }
-
-  // Check for session cookie (Better Auth uses "better-auth.session_token" by default).
-  // NOTE: Bearer token auth (Authorization: Bearer <token>) is intentionally not supported
-  // here. This is a browser-facing UI application; all API consumers are the Next.js
-  // front-end itself (cookie-based). Automation/SDK/CLI clients should use the platform
-  // API directly (wopr-platform), which issues and validates Bearer tokens independently.
-  const sessionToken =
-    request.cookies.get("better-auth.session_token") ??
-    request.cookies.get("__Secure-better-auth.session_token");
-
-  if (!sessionToken || !sessionToken.value.trim()) {
-    const loginUrl = new URL("/login", request.url);
-    loginUrl.searchParams.set("callbackUrl", sanitizeRedirectUrl(pathname));
-    return withCsp(NextResponse.redirect(loginUrl));
-  }
-
+  // Everything gets CSP + nonce. Auth is handled by pages via useRequireAuth().
   return withCsp(nextWithNonce());
 }