bedrock-flows 0.7.1

package/template/apps/dashboard/src/auth-client.ts

@@ -0,0 +1,17 @@
+/**
+ * Browser-side Better Auth client for the React dashboard.
+ *
+ * Same-origin → no baseURL needed; cookies flow with credentials: 'include'.
+ * Worker mounts the auth handler at /api/auth/*, so vite dev needs to be
+ * accessed through wrangler dev (or a proxy) for sign-in/up to round-trip.
+ * The dashboard itself loads fine on vite alone but session calls fail.
+ */
+import { createAuthClient } from 'better-auth/react'
+import { adminClient, emailOTPClient } from 'better-auth/client/plugins'
+
+// adminClient → authClient.admin.* (Users page). emailOTPClient → authClient.emailOtp.*
+// (verifyEmail / sendVerificationOtp) for the signup email-verification step.
+export const authClient = createAuthClient({
+  plugins: [adminClient(), emailOTPClient()],
+})
+export const { useSession, signIn, signOut, signUp } = authClient

package/template/apps/dashboard/src/changelog.tsx

@@ -0,0 +1,92 @@
+// In-app changelog page + the running version number. CHANGELOG.md at the
+// repo root is the single source of truth: Vite bundles it in at build time
+// (?raw), the topmost released heading becomes APP_VERSION, so the badge in
+// the sidebar can never drift from what the changelog says shipped.
+import type { ReactNode } from 'react'
+import styles from './App.module.css'
+import raw from '../../../CHANGELOG.md?raw'
+
+// First released heading — "## [0.3.0] — date". A "## [Unreleased]" section
+// above it doesn't count: the badge reflects the last cut release.
+export const APP_VERSION = raw.match(/^## \[(\d+\.\d+\.\d+)\]/m)?.[1] ?? 'dev'
+
+// The changelog uses a small markdown subset (h2 versions, h3 groups,
+// paragraphs, bullets, **bold**, `code`, [links]) — rendered with a tiny
+// parser instead of pulling in a markdown dependency for one page.
+const INLINE = /(\*\*[^*]+\*\*|`[^`]+`|\[[^\]]+\]\([^)\s]+\))/g
+
+function renderInline(text: string): ReactNode[] {
+  return text.split(INLINE).map((part, i) => {
+    if (/^\*\*[^*]+\*\*$/.test(part)) return <strong key={i}>{part.slice(2, -2)}</strong>
+    if (/^`[^`]+`$/.test(part)) return <code key={i}>{part.slice(1, -1)}</code>
+    const link = part.match(/^\[([^\]]+)\]\(([^)\s]+)\)$/)
+    if (link) return <a key={i} href={link[2]} target="_blank" rel="noreferrer">{link[1]}</a>
+    return part
+  })
+}
+
+type Block = { kind: 'h2' | 'h3' | 'p'; text: string } | { kind: 'ul'; items: string[] }
+
+function parseBlocks(md: string): Block[] {
+  const blocks: Block[] = []
+  let para: string[] = []
+  const flush = () => {
+    if (para.length) { blocks.push({ kind: 'p', text: para.join(' ') }); para = [] }
+  }
+  for (const line of md.split('\n')) {
+    if (line.startsWith('# ')) { flush(); continue } // page chrome already has the title
+    if (line.startsWith('## ')) { flush(); blocks.push({ kind: 'h2', text: line.slice(3) }); continue }
+    if (line.startsWith('### ')) { flush(); blocks.push({ kind: 'h3', text: line.slice(4) }); continue }
+    if (line.startsWith('- ')) {
+      flush()
+      const last = blocks[blocks.length - 1]
+      const ul = last && last.kind === 'ul' ? last : (blocks.push({ kind: 'ul', items: [] }), blocks[blocks.length - 1] as { kind: 'ul'; items: string[] })
+      ul.items.push(line.slice(2))
+      continue
+    }
+    if (/^\s+\S/.test(line)) {
+      // Hard-wrapped continuation of the previous bullet or paragraph line.
+      const last = blocks[blocks.length - 1]
+      if (!para.length && last && last.kind === 'ul') { last.items[last.items.length - 1] += ' ' + line.trim(); continue }
+      para.push(line.trim())
+      continue
+    }
+    if (!line.trim()) { flush(); continue }
+    para.push(line.trim())
+  }
+  flush()
+  return blocks
+}
+
+export function ChangelogView() {
+  const blocks = parseBlocks(raw)
+  return (
+    <section className={styles.changelog}>
+      {blocks.map((b, i) => {
+        if (b.kind === 'h2') {
+          // "[0.3.0] — 2026-06-12" → version + date; non-semver headings
+          // ("[Unreleased]") render as-is without the v prefix.
+          const m = b.text.match(/^\[([^\]]+)\](?:\s*—\s*(.*))?$/)
+          const ver = m?.[1] ?? b.text
+          const semver = /^\d/.test(ver)
+          return (
+            <h2 key={i} className={styles.changelogVersion}>
+              {semver ? `v${ver}` : ver}
+              {semver && ver === APP_VERSION && <span className={styles.changelogCurrent}>running</span>}
+              {m?.[2] && <span className={styles.changelogDate}>{m[2]}</span>}
+            </h2>
+          )
+        }
+        if (b.kind === 'h3') return <h3 key={i} className={styles.changelogGroup}>{b.text}</h3>
+        if (b.kind === 'ul') {
+          return (
+            <ul key={i} className={styles.changelogList}>
+              {b.items.map((it, j) => <li key={j}>{renderInline(it)}</li>)}
+            </ul>
+          )
+        }
+        return <p key={i} className={styles.changelogNote}>{renderInline(b.text)}</p>
+      })}
+    </section>
+  )
+}

package/template/apps/dashboard/src/index.css

@@ -0,0 +1,86 @@
+*,
+*::before,
+*::after {
+  box-sizing: border-box;
+}
+
+html,
+body,
+#root {
+  margin: 0;
+  padding: 0;
+  min-height: 100%;
+}
+
+/* Dashboard chrome tokens. The overview page is 100% chrome (no embedded
+   prototype iframes), so this whole UI follows the user's system theme. */
+:root {
+  --dash-bg: #f8fafc;
+  --dash-surface: #ffffff;
+  --dash-surface-alt: #f8fafc;
+  --dash-text: #111827;
+  --dash-text-muted: #6b7280;
+  --dash-border: #e5e7eb;
+  --dash-border-strong: #cbd5e1;
+  --dash-link: #1d4ed8;
+  --dash-link-hover: #0f172a;
+  --dash-code-bg: #eef2f7;
+  --dash-table-head-bg: #111827;
+  --dash-table-head-text: #ffffff;
+  --dash-table-row-hover: #f8fafc;
+  --dash-table-divider: #f1f5f9;
+}
+/* Dark tokens apply when (a) the OS prefers dark and the user hasn't
+   forced light, or (b) the user explicitly chose dark in the user menu.
+   The theme choice is set as data-theme on <html> by the theme
+   controller (see src/theme.ts). */
+@media (prefers-color-scheme: dark) {
+  :root:not([data-theme='light']) {
+    --dash-bg: #0b1220;
+    --dash-surface: #111827;
+    --dash-surface-alt: #1e293b;
+    --dash-text: #f1f5f9;
+    --dash-text-muted: #94a3b8;
+    --dash-border: #1e293b;
+    --dash-border-strong: #334155;
+    --dash-link: #60a5fa;
+    --dash-link-hover: #f1f5f9;
+    --dash-code-bg: #1e293b;
+    --dash-table-head-bg: #1e293b;
+    --dash-table-head-text: #f1f5f9;
+    --dash-table-row-hover: #1e293b;
+    --dash-table-divider: #1e293b;
+  }
+}
+:root[data-theme='dark'] {
+  --dash-bg: #0b1220;
+  --dash-surface: #111827;
+  --dash-surface-alt: #1e293b;
+  --dash-text: #f1f5f9;
+  --dash-text-muted: #94a3b8;
+  --dash-border: #1e293b;
+  --dash-border-strong: #334155;
+  --dash-link: #60a5fa;
+  --dash-link-hover: #f1f5f9;
+  --dash-code-bg: #1e293b;
+  --dash-table-head-bg: #1e293b;
+  --dash-table-head-text: #f1f5f9;
+  --dash-table-row-hover: #1e293b;
+  --dash-table-divider: #1e293b;
+}
+
+body {
+  font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, sans-serif;
+  color: var(--dash-text);
+  background: var(--dash-bg);
+  -webkit-font-smoothing: antialiased;
+  -moz-osx-font-smoothing: grayscale;
+}
+
+code {
+  font-family: ui-monospace, SFMono-Regular, Menlo, Consolas, monospace;
+  font-size: 0.92em;
+  background: var(--dash-code-bg);
+  padding: 1px 5px;
+  border-radius: 4px;
+}

package/template/apps/dashboard/src/main.tsx

@@ -0,0 +1,15 @@
+import { StrictMode } from 'react'
+import { createRoot } from 'react-dom/client'
+import './index.css'
+import App from './App.tsx'
+import { applyTheme, getTheme } from './theme'
+
+// Apply the saved theme before first paint so there's no flash of the
+// system theme when the user has overridden it.
+applyTheme(getTheme())
+
+createRoot(document.getElementById('root')!).render(
+  <StrictMode>
+    <App />
+  </StrictMode>,
+)

package/template/apps/dashboard/src/theme.ts

@@ -0,0 +1,31 @@
+/**
+ * Manual theme override, shared by the dashboard and the prototype
+ * chrome. Without an override the UI follows the OS (prefers-color-scheme
+ * media query). When the user picks Light or Dark in the user menu we set
+ * `data-theme` on <html>; CSS uses `:root[data-theme='dark']` /
+ * `:root:not([data-theme='light'])` to honor the choice.
+ *
+ * Stored under one localStorage key so the wireflow + screen pages
+ * (which read it via a tiny inline script) stay consistent with the
+ * dashboard without their own UI.
+ */
+export type Theme = 'system' | 'light' | 'dark'
+
+export const THEME_KEY = 'bedrockTheme'
+
+export function getTheme(): Theme {
+  const v = (typeof localStorage !== 'undefined' && localStorage.getItem(THEME_KEY)) || 'system'
+  return v === 'light' || v === 'dark' ? v : 'system'
+}
+
+export function applyTheme(theme: Theme): void {
+  const el = document.documentElement
+  if (theme === 'system') el.removeAttribute('data-theme')
+  else el.setAttribute('data-theme', theme)
+}
+
+export function setTheme(theme: Theme): void {
+  if (theme === 'system') localStorage.removeItem(THEME_KEY)
+  else localStorage.setItem(THEME_KEY, theme)
+  applyTheme(theme)
+}

package/template/apps/dashboard/src/vite-env.d.ts

@@ -0,0 +1,4 @@
+/// <reference types="vite/client" />
+
+// Build-time constants injected by vite.config.ts `define` from bedrock.config.ts.
+declare const __BEDROCK_COMMENTS_PROD_ORIGIN__: string

package/template/apps/dashboard/vite.config.ts

@@ -0,0 +1,48 @@
+import { defineConfig } from 'vite'
+import react from '@vitejs/plugin-react'
+import path from 'node:path'
+import { fileURLToPath } from 'node:url'
+import { prototypePlugin } from '@obra-studio/bedrock-flows/vite-plugin'
+import bedrockConfig from '../../bedrock.config'
+
+// prototypes/ + design-system/ live at the repo root, not in the app dir.
+const repoRoot = path.resolve(path.dirname(fileURLToPath(import.meta.url)), '../..')
+
+// Dynamic routes the Cloudflare Worker owns (Better Auth + KV-backed comments,
+// people directory, spec store, debug log). In dev they're proxied to the
+// worker (`wrangler dev` on :8787) so the dashboard can actually sign in —
+// the React shell is auth-gated and the Vite plugin doesn't run Better Auth.
+// Everything else (/p, /ds) stays on Vite for live reload.
+const WORKER_ORIGIN = 'http://localhost:8787'
+const workerRoute = { target: WORKER_ORIGIN, changeOrigin: true }
+
+export default defineConfig({
+  plugins: [react(), prototypePlugin(bedrockConfig, repoRoot)],
+  // Per-project values reach App.tsx from bedrock.config.ts — never hardcode
+  // a deployment's worker URL in platform code (children sync these files).
+  define: {
+    __BEDROCK_COMMENTS_PROD_ORIGIN__: JSON.stringify(
+      bedrockConfig.modules.commenting?.prodOrigin ?? '',
+    ),
+  },
+  server: {
+    // Pin the dev port so bookmarks (and the worker's localhost trust) stay
+    // stable instead of drifting to 5174 when 5173 is busy.
+    port: 5173,
+    proxy: {
+      '/api': workerRoute,
+      '/__wf-comments': workerRoute,
+      '/__wf-people': workerRoute,
+      '/__wf-log': workerRoute,
+      '/__spec': workerRoute,
+    },
+  },
+  // Repo-root public/ holds the shared chrome (proto-chrome.css, screen-comments.css,
+  // favicon, icons) + the bundled wireflow-client.js — served at / in dev, copied to dist.
+  publicDir: path.resolve(repoRoot, 'public'),
+  build: {
+    // Unified output at the repo root so the worker serves dashboard + /p + /ds together.
+    outDir: path.resolve(repoRoot, 'dist'),
+    emptyOutDir: true,
+  },
+})

package/template/apps/worker/.dev.vars.example

@@ -0,0 +1,50 @@
+# Template for apps/worker/.dev.vars (which is gitignored). Copy to .dev.vars
+# and fill in. These feed `wrangler dev`; for production set the same keys with
+# `wrangler secret put <KEY>`. See docs/INFRASTRUCTURE.md.
+
+# ── Better Auth (required) ───────────────────────────────────────────────────
+# Signing secret for sessions. Generate: openssl rand -base64 32
+BETTER_AUTH_SECRET=replace-me
+# The origin the app is served from. Local: http://localhost:8787
+# Prod: https://<worker-name>.<account>.workers.dev
+BETTER_AUTH_URL=http://localhost:8787
+# Optional: API key for the @better-auth/infra `dash` admin dashboard
+# (/api/auth/dash/*). Unset = dashboard endpoints unusable; auth still boots.
+# BETTER_AUTH_API_KEY=ba_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
+# Google OAuth — set BOTH to enable "Continue with Google". Create an OAuth
+# client in Google Cloud Console with authorized redirect URI:
+#   <BETTER_AUTH_URL>/api/auth/callback/google
+#   (local: http://localhost:8787/api/auth/callback/google)
+# GOOGLE_CLIENT_ID=
+# GOOGLE_CLIENT_SECRET=
+# Optional signup allow-list — set either / both. Exact emails (AUTH_ALLOWLIST)
+# and/or whole domains (AUTH_ALLOWED_DOMAINS). Blank/unset = anyone can sign up.
+# Emailed invites authorize their address past this list.
+# AUTH_ALLOWLIST=you@example.com,teammate@example.com
+# AUTH_ALLOWED_DOMAINS=example.com
+# Owner email auto-promoted to admin on signup → manages users in-app (Users tab).
+# AUTH_OWNER_EMAIL=you@example.com
+# LOCALHOST-ONLY: role of the synthetic dev session (default: designer).
+# Set to `manager` to test the manager comment flow (pending-review gating).
+# One of: user | manager | designer | admin. Ignored in production.
+# DEV_ROLE=manager
+
+# ── Comment resolve endpoint (optional) ──────────────────────────────────────
+# Enables POST /__wf-comments/<id>/resolve (used by scripts/comment-resolve.mjs
+# and resolve-all-open.mjs). Must match BF_RESOLVE_TOKEN when running those CLIs.
+# WF_RESOLVE_TOKEN=choose-a-long-random-string
+
+# ── Postmark notification emails (optional; no-op unless POSTMARK_TOKEN set) ──
+# Postmark server token. Until a sending domain is verified you can use
+# POSTMARK_API_TEST (sandbox — nothing is delivered).
+# POSTMARK_TOKEN=your-postmark-server-token
+# Verified sender address (defaults to johan@obra.studio in code if unset).
+# POSTMARK_FROM=you@your-verified-domain.com
+# Postmark message stream (defaults to "outbound").
+# POSTMARK_STREAM=outbound
+# Comma-separated emails notified on EVERY new comment (not only @mentions).
+# COMMENTS_NOTIFY_LIST=you@example.com
+
+# Extra trusted auth origins (comma-separated, * wildcards OK) — e.g. your
+# account workers.dev wildcard so preview workers can authenticate.
+AUTH_TRUSTED_ORIGINS=https://*.your-subdomain.workers.dev

package/template/apps/worker/package.json

@@ -0,0 +1,19 @@
+{
+  "name": "@bedrock-flows/worker",
+  "version": "0.0.0",
+  "private": true,
+  "type": "module",
+  "description": "Cloudflare Worker — static assets + enabled modules’ workerRoutes (comments, spec KV)",
+  "scripts": {
+    "deploy": "wrangler deploy",
+    "dev": "wrangler dev",
+    "typecheck": "tsc -p tsconfig.json --noEmit"
+  },
+  "dependencies": {
+    "@obra-studio/bedrock-flows": "__BEDROCK_FLOWS_VERSION__"
+  },
+  "devDependencies": {
+    "@cloudflare/workers-types": "^4.20260507.1",
+    "wrangler": "^4.88.0"
+  }
+}

package/template/apps/worker/src/index.ts

@@ -0,0 +1,295 @@
+/**
+ * Cloudflare Worker — thin shell.
+ *
+ * Serves built static assets via the `assets` binding and dispatches to each
+ * enabled module's `worker` handler (first non-null Response wins). Comment KV
+ * logic now lives in @obra-studio/bedrock-flows/commenting — no inline commentCode here.
+ *
+ * Still in the shell (asset proxying; may move to module serverRoutes later):
+ *   - /__wf-log debug endpoint
+ *   - /p/<id>/(mermaid|figma) alternate wireflow views
+ *   - static assets with cache headers
+ * Ported from bedrock-flows worker/index.ts.
+ */
+import bedrockConfig from '../../../bedrock.config.js'
+import { loadEnabledModules } from '@obra-studio/bedrock-flows/core'
+import commenting, { sanitizeManagerCommentsPut, type CommentsEnv } from '@obra-studio/bedrock-flows/commenting'
+import spec from '@obra-studio/bedrock-flows/spec'
+import { handleAuthRequest, getSessionUser, type AuthWorkerEnv } from '@obra-studio/bedrock-flows/auth'
+
+interface Env {
+  WF_ATTACHMENTS?: R2Bucket
+  ASSETS: { fetch: (request: Request) => Promise<Response> }
+  WF_COMMENTS: KVNamespace
+  SPEC_KV: KVNamespace
+  WF_RESOLVE_TOKEN?: string
+  // Best-effort comment-notification email (commenting module; all optional).
+  POSTMARK_TOKEN?: string
+  POSTMARK_FROM?: string
+  POSTMARK_STREAM?: string
+  COMMENTS_NOTIFY_LIST?: string
+  // Better Auth (D1 + secret). D1 also backs @mention email resolution.
+  AUTH_DB: D1Database
+  BETTER_AUTH_SECRET: string
+  BETTER_AUTH_URL?: string
+  BETTER_AUTH_API_KEY?: string
+  GOOGLE_CLIENT_ID?: string
+  GOOGLE_CLIENT_SECRET?: string
+  AUTH_ALLOWLIST?: string
+}
+
+const LOG_PATH = '/__wf-log'
+// PUT a comment thread — identifies the manager-sanitize case inside the
+// comment-endpoint gate (which covers every /__wf-comments/* method).
+const COMMENT_PUT = /^\/__wf-comments\/[A-Za-z0-9_-]+\.json$/
+
+// Assemble worker handlers from the enabled, worker-capable modules.
+const moduleRegistry = { [commenting.id]: commenting }
+const workerHandlers = loadEnabledModules(bedrockConfig, moduleRegistry)
+  .map((m) => m.worker)
+  .filter((h): h is NonNullable<typeof h> => Boolean(h))
+
+// spec drives flows, so mount its KV /__spec handler whenever flows is enabled.
+if (bedrockConfig.modules.flows?.enabled && spec.worker) {
+  workerHandlers.push(spec.worker)
+}
+
+const EMAIL_RE = /^[^\s@]+@[^\s@]+\.[^\s@]+$/
+
+function inviteJson(body: unknown, status = 200): Response {
+  return new Response(JSON.stringify(body), {
+    status,
+    headers: { 'Content-Type': 'application/json', 'Cache-Control': 'no-store' },
+  })
+}
+
+// Email an invite via Postmark (best-effort). Falls back to the Postmark sandbox
+// token when POSTMARK_TOKEN is unset → nothing is delivered, call still succeeds.
+async function sendInviteEmail(env: Env, to: string, link: string): Promise<void> {
+  const token = env.POSTMARK_TOKEN || 'POSTMARK_API_TEST'
+  const from = env.POSTMARK_FROM || 'johan@obra.studio'
+  const stream = env.POSTMARK_STREAM || 'outbound'
+  const text = `You've been invited to review prototypes in Bedrock Flows.\n\nCreate your account: ${link}\n`
+  const html =
+    `<p style="font-family:-apple-system,Segoe UI,Roboto,sans-serif;font-size:14px">You've been invited to review prototypes in <strong>Bedrock Flows</strong>.</p>` +
+    `<p style="font-family:-apple-system,Segoe UI,Roboto,sans-serif;font-size:14px"><a href="${link}">Create your account →</a></p>`
+  try {
+    await fetch('https://api.postmarkapp.com/email', {
+      method: 'POST',
+      headers: { 'Content-Type': 'application/json', Accept: 'application/json', 'X-Postmark-Server-Token': token },
+      body: JSON.stringify({ From: from, To: to, Subject: "You're invited to Bedrock Flows", TextBody: text, HtmlBody: html, MessageStream: stream }),
+    })
+  } catch (err) {
+    console.error('[invite] email send failed', err)
+  }
+}
+
+// POST { email } (admin only) → store an invite + email a signup link.
+// GET ?token=<token> (public) → resolve the token to its email for prefill.
+async function handleInvite(request: Request, env: Env): Promise<Response> {
+  const url = new URL(request.url)
+
+  if (request.method === 'GET') {
+    const token = url.searchParams.get('token') || ''
+    if (!token) return inviteJson({ error: 'missing token' }, 400)
+    try {
+      const row = await env.AUTH_DB
+        .prepare('SELECT email FROM invitation WHERE token = ? LIMIT 1')
+        .bind(token)
+        .first<{ email: string }>()
+      if (!row) return inviteJson({ error: 'invalid token' }, 404)
+      return inviteJson({ email: row.email })
+    } catch {
+      return inviteJson({ error: 'invalid token' }, 404)
+    }
+  }
+
+  if (request.method === 'POST') {
+    const user = await getSessionUser(request, env as AuthWorkerEnv)
+    if (!user || user.role !== 'admin') return inviteJson({ error: 'admin only' }, 403)
+    let body: { email?: string }
+    try {
+      body = (await request.json()) as { email?: string }
+    } catch {
+      return inviteJson({ error: 'invalid JSON' }, 400)
+    }
+    const email = (body.email || '').trim().toLowerCase()
+    if (!EMAIL_RE.test(email)) return inviteJson({ error: 'invalid email' }, 400)
+
+    const token = crypto.randomUUID()
+    try {
+      // Self-migrating: create the table on first use so no separate migration
+      // step is needed when standing up a new project.
+      await env.AUTH_DB
+        .prepare('CREATE TABLE IF NOT EXISTS invitation (email TEXT PRIMARY KEY, token TEXT NOT NULL, createdAt TEXT, used INTEGER DEFAULT 0)')
+        .run()
+      await env.AUTH_DB
+        .prepare('INSERT OR REPLACE INTO invitation (email, token, createdAt, used) VALUES (?, ?, ?, 0)')
+        .bind(email, token, new Date().toISOString())
+        .run()
+    } catch (err) {
+      console.error('[invite] db write failed', err)
+      return inviteJson({ error: 'could not store invite (is the invitation table migrated?)' }, 500)
+    }
+
+    const base = (env.BETTER_AUTH_URL || url.origin).replace(/\/$/, '')
+    await sendInviteEmail(env, email, `${base}/?invite=${token}`)
+    return inviteJson({ ok: true })
+  }
+
+  return inviteJson({ error: 'method not allowed' }, 405)
+}
+
+export default {
+  async fetch(request: Request, env: Env, ctx: ExecutionContext): Promise<Response> {
+    const url = new URL(request.url)
+
+    if (url.pathname === LOG_PATH) {
+      if (request.method !== 'POST') {
+        return new Response('method not allowed', { status: 405 })
+      }
+      let body: unknown
+      try { body = await request.json() } catch { body = { raw: 'unparseable' } }
+      const ua = request.headers.get('user-agent') || ''
+      const ip = request.headers.get('cf-connecting-ip') || ''
+      console.log('[wf-log]', JSON.stringify({ ts: Date.now(), ip, ua, body }))
+      return new Response('', { status: 204 })
+    }
+
+    // Public client config — which auth providers are actually configured, so the
+    // sign-in UI only shows what works (e.g. hide Google when not provisioned).
+    if (url.pathname === '/__auth-config') {
+      return new Response(
+        JSON.stringify({ google: Boolean(env.GOOGLE_CLIENT_ID && env.GOOGLE_CLIENT_SECRET) }),
+        { headers: { 'Content-Type': 'application/json', 'Cache-Control': 'no-store' } },
+      )
+    }
+
+    // Invite flow: admin POSTs an email → invitee gets a link → self-signup.
+    // Public GET ?token resolves the invite to its email for the signup prefill.
+    if (url.pathname === '/api/invite') {
+      return handleInvite(request, env)
+    }
+
+    // Auth: /api/auth/* (Better Auth) + the /__wf-people @mention directory.
+    const authRes = await handleAuthRequest(request, env as AuthWorkerEnv)
+    if (authRes) return authRes
+
+    // The agent token (WF_RESOLVE_TOKEN) is the machine identity for the
+    // headless agent CLIs (scripts/comment*.mjs, resolve-all-open.mjs): it
+    // grants READ access to gated content/comments. Writes keep their own
+    // rules (resolve endpoint re-checks this token; spec PUT needs a
+    // designer/admin session).
+    const hasAgentToken = (() => {
+      const bearer = (request.headers.get('Authorization') || '').replace(/^Bearer\s+/i, '')
+      return Boolean(env.WF_RESOLVE_TOKEN && bearer === env.WF_RESOLVE_TOKEN)
+    })()
+
+    // Comment endpoints — reads AND writes need a caller identity: a
+    // signed-in session or the agent token. (Reads used to be public for the
+    // localhost read-only mirror; closed deliberately — client feedback is
+    // as sensitive as the designs it's about. A localhost mirror pointed at
+    // a prod origin now renders without comments.) OPTIONS preflights pass
+    // through to the commenting handler's CORS response.
+    const isCommentPath =
+      url.pathname.startsWith('/__wf-comments/') ||
+      url.pathname === '/__wf-comment-counts' ||
+      url.pathname === '/__wf-comment-counts.json'
+    if (isCommentPath && request.method !== 'OPTIONS') {
+      const user = hasAgentToken ? null : await getSessionUser(request, env as AuthWorkerEnv)
+      if (!hasAgentToken && !user) {
+        return new Response(JSON.stringify({ error: 'auth required' }), {
+          status: 401,
+          headers: { 'Content-Type': 'application/json', 'Cache-Control': 'no-store' },
+        })
+      }
+      // Managers only give comments — rewrite their thread PUTs so new
+      // comments land in 'pending-review' (designer approval required) and
+      // other people's entries / workflow fields can't be altered.
+      if (user?.role === 'manager' && request.method === 'PUT' && COMMENT_PUT.test(url.pathname)) {
+        request = await sanitizeManagerCommentsPut(request, env as unknown as CommentsEnv, {
+          id: user.id,
+          role: user.role,
+        })
+      }
+    }
+
+    // ── Server-side content gate ─────────────────────────────────────────
+    // Design content requires a signed-in session (or the agent token). The
+    // in-page auth gates are cosmetic overlays on top of fully-served HTML —
+    // without this, an anonymous browser reads every prototype, design
+    // system, and spec behind them. HTML navigations bounce to the dashboard
+    // sign-in (?next= returns them to the page after); data/subresource
+    // requests get a bare 401. Localhost dev passes via the synthetic
+    // session.
+    const isProtectedContent =
+      /^\/(p|ds)(\/|$)/.test(url.pathname) ||
+      url.pathname === '/__prototypes.json' ||
+      url.pathname === '/__ds.json' ||
+      url.pathname.startsWith('/__spec/')
+    if (isProtectedContent) {
+      const user = hasAgentToken ? null : await getSessionUser(request, env as AuthWorkerEnv)
+      if (!hasAgentToken && !user) {
+        const wantsHtml =
+          request.method === 'GET' && (request.headers.get('Accept') || '').includes('text/html')
+        if (wantsHtml) {
+          return Response.redirect(
+            `${url.origin}/?next=${encodeURIComponent(url.pathname + url.search)}`,
+            302,
+          )
+        }
+        return new Response(JSON.stringify({ error: 'auth required' }), {
+          status: 401,
+          headers: { 'Content-Type': 'application/json', 'Cache-Control': 'no-store' },
+        })
+      }
+      // Spec edits change what gets designed — designer/admin SESSION only.
+      // (The spec PUT was previously unauthenticated; managers, reviewers,
+      // and the read-level agent token don't rewrite the spec.)
+      if (
+        url.pathname.startsWith('/__spec/') &&
+        request.method === 'PUT' &&
+        !(user && (user.role === 'designer' || user.role === 'admin'))
+      ) {
+        return new Response(JSON.stringify({ error: 'designer role required' }), {
+          status: 403,
+          headers: { 'Content-Type': 'application/json', 'Cache-Control': 'no-store' },
+        })
+      }
+    }
+
+    // Enabled modules get first crack (commenting KV, later spec KV). Pass ctx
+    // so the commenting handler can fire best-effort emails via waitUntil.
+    for (const handle of workerHandlers) {
+      const res = await handle(request, env, ctx)
+      if (res) return res
+    }
+
+    // /p/<id>/mermaid and /p/<id>/figma — alternate wireflow views.
+    const viewMatch = /^\/p\/([A-Za-z0-9_-]+)\/(mermaid|figma)\/?$/.exec(url.pathname)
+    if (viewMatch) {
+      const dirUrl = new URL(request.url)
+      dirUrl.pathname = `/p/${viewMatch[1]}/`
+      const res = await env.ASSETS.fetch(new Request(dirUrl.toString(), { headers: request.headers }))
+      return new Response(res.body, {
+        status: res.status === 307 || res.status === 308 ? 200 : res.status,
+        headers: res.headers,
+      })
+    }
+
+    // Static assets with cache headers.
+    const res = await env.ASSETS.fetch(request)
+    const p = url.pathname
+    const fingerprinted = /[-.][0-9a-f]{8,}\.(?:js|css|woff2?|png|jpe?g|svg|webp|gif)$/i.test(p)
+    const cacheableAsset = /\.(?:css|woff2?|png|jpe?g|svg|webp|gif|ico)$/i.test(p)
+    if (fingerprinted || cacheableAsset) {
+      const headers = new Headers(res.headers)
+      headers.set(
+        'Cache-Control',
+        fingerprinted ? 'public, max-age=31536000, immutable' : 'public, max-age=3600',
+      )
+      return new Response(res.body, { status: res.status, headers })
+    }
+    return res
+  },
+}