aigetwey 1.0.1

package/dashboard/src/lib/client.ts

@@ -0,0 +1,190 @@
+"use client";
+
+/**
+ * Browser-side admin client. Talks to the gateway THROUGH the same-origin proxy
+ * (`/api/gw/admin/...`), which injects the admin Bearer server-side — so the
+ * password never reaches the browser. Server components read initial data via
+ * lib/gateway.ts directly; client components mutate through here.
+ */
+import type {
+  ConfigReply,
+  EndpointPayload,
+  HeadroomStatusReply,
+  InjectLevel,
+  PingResult,
+  PricingPayload,
+  ProviderSnapshot,
+  QuotaSnapshot,
+  WireFormat,
+} from "./gateway";
+
+export interface ApiResult<T> {
+  ok: boolean;
+  status: number;
+  data: T | null;
+  error?: string;
+}
+
+async function api<T>(method: string, path: string, body?: unknown): Promise<ApiResult<T>> {
+  let res: Response;
+  try {
+    res = await fetch(`/api/gw${path}`, {
+      method,
+      headers: body !== undefined ? { "content-type": "application/json" } : {},
+      body: body !== undefined ? JSON.stringify(body) : undefined,
+    });
+  } catch (e) {
+    return { ok: false, status: 0, data: null, error: (e as Error).message };
+  }
+  const text = await res.text();
+  let data: T | null = null;
+  try {
+    data = text ? (JSON.parse(text) as T) : null;
+  } catch {
+    data = null;
+  }
+  if (!res.ok) {
+    const err = (data as { error?: string } | null)?.error ?? `request failed (${res.status})`;
+    return { ok: false, status: res.status, data, error: err };
+  }
+  return { ok: true, status: res.status, data };
+}
+
+export const adminApi = {
+  providers: () => api<{ providers: ProviderSnapshot[] }>("GET", "/admin/providers"),
+  quota: () => api<{ quota: QuotaSnapshot[] }>("GET", "/admin/quota"),
+
+  addProvider: (p: {
+    id: string;
+    format: WireFormat;
+    base_url: string;
+    api_key?: string;
+    free?: boolean;
+    auto_models?: boolean;
+    service_account?: string;
+  }) => api<ConfigReply>("POST", "/admin/providers", p),
+  editProvider: (id: string, patch: { base_url?: string; format?: WireFormat; name?: string }) =>
+    api<ConfigReply>("PUT", `/admin/providers/${encodeURIComponent(id)}`, patch),
+  renameProvider: (id: string, newId: string) =>
+    api<ConfigReply>("PUT", `/admin/providers/${encodeURIComponent(id)}/rename`, { id: newId }),
+  removeProvider: (id: string) => api<ConfigReply>("DELETE", `/admin/providers/${encodeURIComponent(id)}`),
+  addKey: (id: string, key: string, name?: string) =>
+    api<ConfigReply>("POST", `/admin/providers/${encodeURIComponent(id)}/keys`, { key, name }),
+  editKey: (id: string, index: number, patch: { key?: string; name?: string }) =>
+    api<ConfigReply>("PUT", `/admin/providers/${encodeURIComponent(id)}/keys/${index}`, patch),
+  removeKey: (id: string, index: number) =>
+    api<ConfigReply>("DELETE", `/admin/providers/${encodeURIComponent(id)}/keys/${index}`),
+  revealKey: (id: string, index: number) =>
+    api<{ key: string }>("GET", `/admin/providers/${encodeURIComponent(id)}/keys/${index}/reveal`),
+  addModel: (id: string, model: string, price?: { price_in?: number; price_out?: number }) =>
+    api<ConfigReply>("POST", `/admin/providers/${encodeURIComponent(id)}/models`, { model, ...price }),
+  addModels: (id: string, models: string[]) =>
+    api<ConfigReply>("POST", `/admin/providers/${encodeURIComponent(id)}/models`, { models }),
+  // model id can hold a slash (provider/model); send it as a query param so the
+  // proxy's path split doesn't mangle it.
+  removeModel: (id: string, model: string) =>
+    api<ConfigReply>("DELETE", `/admin/providers/${encodeURIComponent(id)}/models?model=${encodeURIComponent(model)}`),
+  clearModels: (id: string) => api<ConfigReply>("DELETE", `/admin/providers/${encodeURIComponent(id)}/models`),
+  pricing: () => api<PricingPayload>("GET", "/admin/pricing"),
+  setModelPrice: (id: string, model: string, price: { price_in?: number | null; price_out?: number | null }) =>
+    api<ConfigReply>("PUT", `/admin/providers/${encodeURIComponent(id)}/models/price`, { model, ...price }),
+  testProvider: (id: string) => api<PingResult>("POST", `/admin/providers/${encodeURIComponent(id)}/test`),
+  testKey: (id: string, index: number) =>
+    api<PingResult>("POST", `/admin/providers/${encodeURIComponent(id)}/keys/${index}/test`),
+  testModel: (id: string, model: string) =>
+    api<{ ok: boolean; status?: number; error?: string }>(
+      "POST",
+      `/admin/providers/${encodeURIComponent(id)}/models/test?model=${encodeURIComponent(model)}`,
+    ),
+  validateProvider: (b: { format: WireFormat; base_url: string; api_key?: string }) =>
+    api<PingResult>("POST", "/admin/providers/validate", b),
+  // discover: returns the upstream catalog flagged with which ids are in config.
+  discoverModels: (id: string) =>
+    api<{ ok: boolean; models: Array<{ id: string; added: boolean }> }>(
+      "POST",
+      `/admin/providers/${encodeURIComponent(id)}/connect`,
+    ),
+
+  reorderKey: (id: string, from: number, to: number) =>
+    api<ConfigReply>("PUT", `/admin/providers/${encodeURIComponent(id)}/keys/reorder`, { from, to }),
+  toggleKey: (id: string, index: number, enabled: boolean) =>
+    api<ConfigReply>("PUT", `/admin/providers/${encodeURIComponent(id)}/keys/${index}/toggle`, { enabled }),
+  setProviderStrategy: (id: string, strategy: "fallback" | "round-robin" | null, sticky?: number) =>
+    api<ConfigReply>("PUT", `/admin/providers/${encodeURIComponent(id)}/strategy`, { strategy, sticky }),
+  setProviderDisabled: (id: string, disabled: boolean) =>
+    api<ConfigReply>("PUT", `/admin/providers/${encodeURIComponent(id)}/disabled`, { disabled }),
+
+  setRoute: (
+    alias: string,
+    body: { target: string[]; model?: string | string[]; strategy?: "fallback" | "round-robin"; price_in?: number; price_out?: number },
+  ) => api<ConfigReply>("PUT", `/admin/routes/${encodeURIComponent(alias)}`, body),
+  removeRoute: (alias: string) => api<ConfigReply>("DELETE", `/admin/routes/${encodeURIComponent(alias)}`),
+
+  endpoint: () => api<EndpointPayload>("GET", "/admin/endpoint"),
+  setRtk: (enabled: boolean) => api<ConfigReply>("PUT", "/admin/endpoint/rtk", { enabled }),
+  setCaveman: (level: InjectLevel) => api<ConfigReply>("PUT", "/admin/endpoint/caveman", { level }),
+  setPonytail: (level: InjectLevel) => api<ConfigReply>("PUT", "/admin/endpoint/ponytail", { level }),
+  addServerKey: (key: string, name?: string) => api<ConfigReply>("POST", "/admin/endpoint/keys", { key, name }),
+  editServerKey: (index: number, name: string) => api<ConfigReply>("PUT", `/admin/endpoint/keys/${index}`, { name }),
+  removeServerKey: (index: number) => api<ConfigReply>("DELETE", `/admin/endpoint/keys/${index}`),
+  revealServerKey: (index: number) => api<{ key: string }>("GET", `/admin/endpoint/keys/${index}/reveal`),
+
+  setHeadroom: (patch: { enabled?: boolean; url?: string; compress_user_messages?: boolean }) =>
+    api<ConfigReply>("PUT", "/admin/endpoint/headroom", patch),
+  headroomStatus: () => api<HeadroomStatusReply>("GET", "/admin/headroom/status"),
+  headroomStart: () => api<{ success?: boolean; pid?: number; alreadyRunning?: boolean }>("POST", "/admin/headroom/start"),
+  headroomStop: () => api<{ stopped: boolean; reason?: string; pid?: number }>("POST", "/admin/headroom/stop"),
+
+  putConfig: (text: string) => api<{ ok: boolean }>("PUT", "/admin/config", { text }),
+
+  version: () => api<{ current: string; latest: string | null; updateAvailable: boolean }>("GET", "/admin/version"),
+  shutdown: () => api<{ ok: boolean; message: string }>("POST", "/admin/shutdown"),
+};
+
+// Local CLI-tool detection/auto-config. These hit the dashboard's OWN server
+// routes (/api/cli-detect/*), not the gateway proxy — they read/write the tool's
+// config file on this machine. Session-gated by middleware like everything else.
+export interface CliStatus {
+  auto: boolean;
+  installed: boolean;
+  configured?: boolean;
+  path?: string;
+  baseUrl?: string | null;
+  models?: string[];
+  activeModel?: string | null;
+  // claude returns its three slot defaults instead of a flat list
+  modelSlots?: { opus?: string | null; sonnet?: string | null; haiku?: string | null };
+}
+
+async function appApi<T>(method: string, url: string, body?: unknown): Promise<ApiResult<T>> {
+  let res: Response;
+  try {
+    res = await fetch(url, {
+      method,
+      headers: body !== undefined ? { "content-type": "application/json" } : {},
+      body: body !== undefined ? JSON.stringify(body) : undefined,
+    });
+  } catch (e) {
+    return { ok: false, status: 0, data: null, error: (e as Error).message };
+  }
+  const text = await res.text();
+  const data = text ? (JSON.parse(text) as T) : null;
+  if (!res.ok) {
+    const err = (data as { error?: string } | null)?.error ?? `request failed (${res.status})`;
+    return { ok: false, status: res.status, data, error: err };
+  }
+  return { ok: true, status: res.status, data };
+}
+
+/** Admin account actions that hit the dashboard's OWN routes (not the gw proxy). */
+export const account = {
+  changePassword: (current: string, next: string) =>
+    appApi<{ ok: boolean }>("POST", "/api/password", { current, next }),
+};
+
+export const cliConfig = {
+  status: (tool: string) => appApi<CliStatus>("GET", `/api/cli-detect/${encodeURIComponent(tool)}`),
+  apply: (tool: string, body: { base: string; key?: string; models?: string[] | Record<string, string>; active?: string }) =>
+    appApi<{ success?: boolean; path?: string }>("POST", `/api/cli-detect/${encodeURIComponent(tool)}`, body),
+  reset: (tool: string) => appApi<{ success?: boolean }>("DELETE", `/api/cli-detect/${encodeURIComponent(tool)}`),
+};

package/dashboard/src/lib/gateway.ts

@@ -0,0 +1,269 @@
+import "server-only";
+import { currentPassword } from "./session";
+
+/**
+ * Server-side proxy to the gateway admin API. Runs only in Next.js server
+ * context (route handlers / server components) — injects the admin password as
+ * a Bearer token so it never reaches the browser.
+ *
+ * Scoped to the admin surface the gateway exposes today (usage, logs, providers,
+ * quota, whole-config CRUD). Granular provider/combo mutation helpers are added
+ * alongside the pages that drive them in phase 11.
+ */
+function gatewayUrl(): string {
+  return (process.env.GATEWAY_URL ?? "http://127.0.0.1:18080").replace(/\/$/, "");
+}
+
+export interface GatewayResult<T> {
+  ok: boolean;
+  status: number;
+  data: T | null;
+  error?: string;
+}
+
+async function call<T>(method: string, path: string, body?: unknown): Promise<GatewayResult<T>> {
+  let res: Response;
+  try {
+    res = await fetch(gatewayUrl() + path, {
+      method,
+      headers: {
+        authorization: `Bearer ${await currentPassword()}`,
+        ...(body !== undefined ? { "content-type": "application/json" } : {}),
+      },
+      body: body !== undefined ? JSON.stringify(body) : undefined,
+      cache: "no-store",
+    });
+  } catch (e) {
+    return { ok: false, status: 0, data: null, error: `gateway unreachable: ${(e as Error).message}` };
+  }
+
+  const text = await res.text();
+  let data: T | null = null;
+  try {
+    data = text ? (JSON.parse(text) as T) : null;
+  } catch {
+    data = null;
+  }
+  if (!res.ok) {
+    const err = (data as { error?: string } | null)?.error ?? `gateway returned ${res.status}`;
+    return { ok: false, status: res.status, data, error: err };
+  }
+  return { ok: true, status: res.status, data };
+}
+
+/** Verify a specific admin password against the gateway (used at login, before a
+ * session cookie exists). */
+export async function checkGatewayAuth(password: string): Promise<boolean> {
+  try {
+    const res = await fetch(gatewayUrl() + "/admin/providers", {
+      headers: { authorization: `Bearer ${password}` },
+      cache: "no-store",
+    });
+    return res.ok;
+  } catch {
+    return false;
+  }
+}
+
+export const gateway = {
+  providers: () => call<{ providers: ProviderSnapshot[] }>("GET", "/admin/providers"),
+  quota: () => call<{ quota: QuotaSnapshot[] }>("GET", "/admin/quota"),
+  models: () => call<ModelsPayload>("GET", "/admin/models"),
+  logs: (limit = 100) => call<{ logs: UsageLog[] }>("GET", `/admin/logs?limit=${limit}`),
+  usage: (since = 0) => call<UsageSummary>("GET", `/admin/usage?since=${since}`),
+  usageSeries: (since: number, bucket: number) =>
+    call<{ series: UsageSeriesPoint[] }>("GET", `/admin/usage/series?since=${since}&bucket=${bucket}`),
+  config: () => call<MaskedConfig>("GET", "/admin/config"),
+  putConfig: (text: string) => call<{ ok: boolean; config: MaskedConfig }>("PUT", "/admin/config", { text }),
+  changePassword: (current: string, next: string) =>
+    call<{ ok: boolean }>("PUT", "/admin/password", { current, next }),
+
+  // ---- provider mutations (reply carries the fresh masked config) ----
+  addProvider: (p: {
+    id: string;
+    format: WireFormat;
+    base_url: string;
+    api_key?: string;
+    free?: boolean;
+    auto_models?: boolean;
+    service_account?: string;
+  }) => call<ConfigReply>("POST", "/admin/providers", p),
+  editProvider: (id: string, patch: { base_url?: string; format?: WireFormat }) =>
+    call<ConfigReply>("PUT", `/admin/providers/${encodeURIComponent(id)}`, patch),
+  removeProvider: (id: string) => call<ConfigReply>("DELETE", `/admin/providers/${encodeURIComponent(id)}`),
+  addKey: (id: string, key: string) =>
+    call<ConfigReply>("POST", `/admin/providers/${encodeURIComponent(id)}/keys`, { key }),
+  removeKey: (id: string, index: number) =>
+    call<ConfigReply>("DELETE", `/admin/providers/${encodeURIComponent(id)}/keys/${index}`),
+  addProviderModel: (id: string, model: string, price?: { price_in?: number; price_out?: number }) =>
+    call<ConfigReply>("POST", `/admin/providers/${encodeURIComponent(id)}/models`, { model, ...price }),
+  addProviderModels: (id: string, models: string[]) =>
+    call<ConfigReply>("POST", `/admin/providers/${encodeURIComponent(id)}/models`, { models }),
+  removeProviderModel: (id: string, model: string) =>
+    call<ConfigReply>("DELETE", `/admin/providers/${encodeURIComponent(id)}/models/${encodeURIComponent(model)}`),
+  clearProviderModels: (id: string) =>
+    call<ConfigReply>("DELETE", `/admin/providers/${encodeURIComponent(id)}/models`),
+  testProvider: (id: string) => call<PingResult>("POST", `/admin/providers/${encodeURIComponent(id)}/test`),
+  discoverModels: (id: string) =>
+    call<{ ok: boolean; models: Array<{ id: string; added: boolean }> }>(
+      "POST",
+      `/admin/providers/${encodeURIComponent(id)}/connect`,
+    ),
+
+  // ---- combos: alias + ordered provider chain + strategy ----
+  setRoute: (
+    alias: string,
+    body: { target: string[]; model?: string | string[]; strategy?: "fallback" | "round-robin"; price_in?: number; price_out?: number },
+  ) => call<ConfigReply>("PUT", `/admin/routes/${encodeURIComponent(alias)}`, body),
+  removeRoute: (alias: string) => call<ConfigReply>("DELETE", `/admin/routes/${encodeURIComponent(alias)}`),
+
+  // ---- endpoint: toggles + gateway keys ----
+  endpoint: () => call<EndpointPayload>("GET", "/admin/endpoint"),
+  setRtk: (enabled: boolean) => call<ConfigReply>("PUT", "/admin/endpoint/rtk", { enabled }),
+  setCaveman: (level: InjectLevel) => call<ConfigReply>("PUT", "/admin/endpoint/caveman", { level }),
+  setPonytail: (level: InjectLevel) => call<ConfigReply>("PUT", "/admin/endpoint/ponytail", { level }),
+  addServerKey: (key: string) => call<ConfigReply>("POST", "/admin/endpoint/keys", { key }),
+  removeServerKey: (index: number) => call<ConfigReply>("DELETE", `/admin/endpoint/keys/${index}`),
+};
+
+// ---- shapes mirrored from the gateway admin API ----
+
+export type WireFormat = "openai" | "anthropic" | "gemini";
+export type InjectLevel = "off" | "lite" | "full" | "ultra";
+
+export interface ConfigReply {
+  ok: boolean;
+  config: MaskedConfig;
+}
+
+export interface MaskedRoute {
+  alias: string;
+  target: string[];
+  model?: string | string[];
+  strategy: "fallback" | "round-robin";
+  price_in?: number;
+  price_out?: number;
+}
+export interface MaskedProvider {
+  id: string;
+  name?: string;
+  format: WireFormat;
+  base_url: string;
+  api_key?: string;
+  api_keys?: string[];
+  /** optional friendly label per key, keyed by the MASKED key string. */
+  key_names?: Record<string, string>;
+  free: boolean;
+  auto_models: boolean;
+  service_account?: string;
+  models: Array<{ id: string; price_in?: number; price_out?: number }>;
+  quota?: { window: "5h" | "daily" | "weekly" | "monthly"; reset_at?: string; timezone: string; limit_tokens?: number };
+  cooldown_base_ms: number;
+  max_retries: number;
+  disabled_keys?: number[];
+  disabled?: boolean;
+  strategy?: "fallback" | "round-robin";
+  sticky?: number;
+}
+export interface MaskedConfig {
+  server: { host: string; port: number; api_keys: string[] };
+  endpoint: { rtk: boolean; caveman: InjectLevel; ponytail: InjectLevel };
+  providers: MaskedProvider[];
+  models: MaskedRoute[];
+}
+
+export interface EndpointPayload {
+  port: number;
+  rtk: boolean;
+  caveman: InjectLevel;
+  ponytail: InjectLevel;
+  headroom: { enabled: boolean; url: string; compress_user_messages: boolean };
+  keys: Array<{ key: string; name?: string }>;
+}
+
+export interface HeadroomStatusReply {
+  installed: boolean;
+  path: string | null;
+  running: boolean;
+  python: string | null;
+  localUrl: boolean;
+  canStart: boolean;
+  url: string;
+  managedPid: number | null;
+  enabled: boolean;
+  compress_user_messages: boolean;
+}
+
+export interface PingResult {
+  reachable: boolean;
+  status?: number;
+  ok: boolean;
+  error?: string;
+}
+
+export interface PricingModel {
+  id: string;
+  price_in: number | null;
+  price_out: number | null;
+  default_in: number | null;
+  default_out: number | null;
+}
+export interface PricingPayload {
+  providers: Array<{ id: string; models: PricingModel[] }>;
+}
+
+export interface ModelsPayload {
+  providers: Array<{
+    id: string;
+    format: WireFormat;
+    models: Array<{ id: string; ref: string; price_in?: number; price_out?: number }>;
+  }>;
+  routes: MaskedRoute[];
+}
+
+export interface KeySnapshot {
+  key: string;
+  healthy: boolean;
+  cooldown_ms: number;
+  fail_count: number;
+  last_error: { message: string; status?: number; at: number } | null;
+}
+export interface ProviderSnapshot {
+  id: string;
+  format: WireFormat;
+  keys: KeySnapshot[];
+}
+export interface QuotaSnapshot {
+  provider: string;
+  window: "5h" | "daily" | "weekly" | "monthly";
+  consumed: number;
+  limit_tokens?: number;
+  reset_in_ms: number;
+  pct?: number;
+  exhausted: boolean;
+}
+export interface UsageLog {
+  ts: number;
+  alias: string;
+  provider: string;
+  model: string;
+  tokens_in: number;
+  tokens_out: number;
+  cached_tokens: number;
+  cost: number;
+  status: number;
+  latency_ms: number;
+  stream: number;
+}
+export interface UsageSummary {
+  total: { requests: number; tokens_in: number; tokens_out: number; cost: number };
+  by_provider: Array<{ provider: string; requests: number; tokens_in: number; tokens_out: number; cost: number }>;
+  by_model: Array<{ alias: string; model: string; requests: number; tokens_in: number; tokens_out: number; cost: number }>;
+}
+export interface UsageSeriesPoint {
+  ts: number;
+  requests: number;
+  tokens_in: number;
+  tokens_out: number;
+  cost: number;
+}

package/dashboard/src/lib/session.ts

@@ -0,0 +1,71 @@
+import { createHmac, timingSafeEqual, createCipheriv, createDecipheriv, scryptSync, randomBytes } from "node:crypto";
+import { cookies } from "next/headers";
+
+/**
+ * Dashboard session. The browser never holds the admin password in readable
+ * form: on login we verify it against the gateway, encrypt it (AES-256-GCM) and
+ * sign the ciphertext (HMAC), then store that in an httpOnly cookie. The proxy
+ * and server-side fetches decrypt it to use as the gateway Bearer; the password
+ * itself never reaches client JS.
+ *
+ * Cookie token = `<b64(iv|tag|ciphertext)>.<hmac(payload)>`. Middleware only
+ * needs the HMAC check (cheap, edge-safe); decryption happens in node handlers.
+ */
+const COOKIE = "aigetwey_session";
+
+function secret(): string {
+  return process.env.SESSION_SECRET ?? "";
+}
+
+function aesKey(): Buffer {
+  return scryptSync(secret(), "aigetwey-session-aes", 32);
+}
+
+export function sign(value: string): string {
+  return createHmac("sha256", secret()).update(value).digest("hex");
+}
+
+/** Encrypt + sign the password into a cookie token. */
+export function sealSession(password: string): string {
+  const iv = randomBytes(12);
+  const cipher = createCipheriv("aes-256-gcm", aesKey(), iv);
+  const ct = Buffer.concat([cipher.update(password, "utf8"), cipher.final()]);
+  const tag = cipher.getAuthTag();
+  const payload = Buffer.concat([iv, tag, ct]).toString("base64url");
+  return `${payload}.${sign(payload)}`;
+}
+
+/** Verify the token's signature only — no decryption (edge/middleware-safe). */
+export function verifyToken(token: string | undefined): boolean {
+  if (!token || !secret()) return false;
+  const [payload, sig] = token.split(".");
+  if (!payload || !sig) return false;
+  const expected = sign(payload);
+  const a = Buffer.from(sig);
+  const b = Buffer.from(expected);
+  return a.length === b.length && timingSafeEqual(a, b);
+}
+
+/** Verify + decrypt the token back to the password, or null if tampered. */
+export function openSession(token: string | undefined): string | null {
+  if (!verifyToken(token) || !token) return null;
+  try {
+    const payload = Buffer.from(token.split(".")[0], "base64url");
+    const iv = payload.subarray(0, 12);
+    const tag = payload.subarray(12, 28);
+    const ct = payload.subarray(28);
+    const decipher = createDecipheriv("aes-256-gcm", aesKey(), iv);
+    decipher.setAuthTag(tag);
+    return Buffer.concat([decipher.update(ct), decipher.final()]).toString("utf8");
+  } catch {
+    return null;
+  }
+}
+
+/** The logged-in admin password, read from the session cookie (server-side). */
+export async function currentPassword(): Promise<string> {
+  const token = (await cookies()).get(COOKIE)?.value;
+  return openSession(token) ?? "";
+}
+
+export const SESSION_COOKIE = COOKIE;

package/dashboard/src/middleware.ts

@@ -0,0 +1,37 @@
+import { NextResponse } from "next/server";
+import type { NextRequest } from "next/server";
+import { openSession, SESSION_COOKIE } from "@/lib/session";
+
+/**
+ * Gate every page and admin-proxy route behind a valid session. The login page
+ * and the auth endpoints stay open; everything else redirects to /login (pages)
+ * or 401s (api).
+ */
+const OPEN = ["/login", "/api/login", "/api/logout"];
+
+export function middleware(req: NextRequest): NextResponse {
+  const { pathname } = req.nextUrl;
+  if (OPEN.some((p) => pathname === p || pathname.startsWith(p + "/"))) {
+    return NextResponse.next();
+  }
+
+  // a session is valid only if its cookie decrypts to a password — this also
+  // rejects stale cookies from an older format (which would yield an empty
+  // Bearer and a confusing "missing admin password" from the gateway).
+  const token = req.cookies.get(SESSION_COOKIE)?.value;
+  if (openSession(token)) return NextResponse.next();
+
+  if (pathname.startsWith("/api/")) {
+    return NextResponse.json({ error: "unauthorized" }, { status: 401 });
+  }
+  const url = req.nextUrl.clone();
+  url.pathname = "/login";
+  return NextResponse.redirect(url);
+}
+
+export const config = {
+  // run on everything except next internals and static assets
+  matcher: ["/((?!_next/static|_next/image|favicon.ico).*)"],
+  // session verification uses node:crypto, unsupported on the Edge runtime
+  runtime: "nodejs",
+};

package/dashboard/tsconfig.json

@@ -0,0 +1,21 @@
+{
+  "compilerOptions": {
+    "target": "ES2022",
+    "lib": ["dom", "dom.iterable", "ES2022"],
+    "allowJs": true,
+    "skipLibCheck": true,
+    "strict": true,
+    "noEmit": true,
+    "esModuleInterop": true,
+    "module": "esnext",
+    "moduleResolution": "bundler",
+    "resolveJsonModule": true,
+    "isolatedModules": true,
+    "jsx": "react-jsx",
+    "incremental": true,
+    "plugins": [{ "name": "next" }],
+    "paths": { "@/*": ["./src/*"] }
+  },
+  "include": ["next-env.d.ts", "**/*.ts", "**/*.tsx", ".next/types/**/*.ts", ".next/dev/types/**/*.ts"],
+  "exclude": ["node_modules"]
+}