npm - dineway - Versions diffs - 0.1.3 → 0.1.5 - Mend

dineway 0.1.3 → 0.1.5

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (296) hide show

package/README.md +6 -3
package/dist/{apply-CAPvMfoU.mjs → apply-iVSqz2qs.mjs} +132 -39
package/dist/astro/index.d.mts +18 -9
package/dist/astro/index.mjs +238 -16
package/dist/astro/middleware/auth.d.mts +16 -5
package/dist/astro/middleware/auth.mjs +74 -37
package/dist/astro/middleware/redirect.mjs +24 -8
package/dist/astro/middleware/request-context.mjs +18 -5
package/dist/astro/middleware/setup.mjs +1 -1
package/dist/astro/middleware.mjs +411 -169
package/dist/astro/types.d.mts +25 -8
package/dist/{byline-DeWCMU_i.mjs → byline-OhH2dlRu.mjs} +6 -21
package/dist/{bylines-DyqBV9EQ.mjs → bylines-BGpD9_hy.mjs} +16 -6
package/dist/cache-BdSY-gQN.mjs +42 -0
package/dist/chunks--4F8ddV4.mjs +18 -0
package/dist/cli/index.mjs +935 -15
package/dist/client/external-auth-headers.d.mts +1 -1
package/dist/client/index.d.mts +11 -3
package/dist/client/index.mjs +4 -3
package/dist/{connection-C9pxzuag.mjs → connection-BCNICDWN.mjs} +22 -5
package/dist/{content-zSgdNmnt.mjs → content-DWi4d0rT.mjs} +41 -2
package/dist/database/instrumentation.d.mts +34 -0
package/dist/database/instrumentation.mjs +53 -0
package/dist/db/index.d.mts +3 -3
package/dist/db/index.mjs +2 -2
package/dist/db/libsql.d.mts +1 -1
package/dist/db/libsql.mjs +11 -5
package/dist/db/postgres.d.mts +1 -1
package/dist/db/sqlite.d.mts +1 -1
package/dist/db/sqlite.mjs +7 -1
package/dist/db-errors-CEqD7qH9.mjs +23 -0
package/dist/{default-WYlzADZL.mjs → default-VjJyuuG9.mjs} +2 -0
package/dist/{dialect-helpers-B9uSp2GJ.mjs → dialect-helpers-DhTzaUxP.mjs} +3 -0
package/dist/{error-DrxtnGPg.mjs → error-BmL6QipT.mjs} +7 -3
package/dist/{index-C-jx21qs.d.mts → index-yvc6E_17.d.mts} +157 -30
package/dist/index.d.mts +11 -11
package/dist/index.mjs +24 -22
package/dist/{loader-qKmo0wAY.mjs → loader-sMG4TZ-u.mjs} +9 -3
package/dist/media/index.d.mts +1 -1
package/dist/media/index.mjs +1 -1
package/dist/media/local-runtime.d.mts +7 -7
package/dist/page/index.d.mts +10 -2
package/dist/page/index.mjs +22 -1
package/dist/patterns-CrCYkMBb.mjs +92 -0
package/dist/{placeholder-bOx1xCTY.d.mts → placeholder--wOi4TbO.d.mts} +1 -1
package/dist/{placeholder-B3knXwNc.mjs → placeholder-Cp8g5Emj.mjs} +1 -1
package/dist/plugins/adapt-sandbox-entry.d.mts +5 -5
package/dist/plugins/adapt-sandbox-entry.mjs +1 -1
package/dist/{query-BiaPl_g2.mjs → query-kDmwCsHh.mjs} +118 -50
package/dist/{redirect-JPqLAbxa.mjs → redirect-DnEWAkVg.mjs} +43 -99
package/dist/{registry-DSd1GWB8.mjs → registry-C0zjeB9P.mjs} +191 -123
package/dist/request-cache-Dk5qPSOx.mjs +66 -0
package/dist/request-context.d.mts +4 -16
package/dist/{runner-B5l1JfOj.d.mts → runner-CFI6B6J2.d.mts} +1 -1
package/dist/{runner-BGUGywgG.mjs → runner-DWZm2KQm.mjs} +589 -137
package/dist/runtime.d.mts +6 -6
package/dist/runtime.mjs +2 -2
package/dist/{search-BNruJHDL.mjs → search-ByRGV2pq.mjs} +570 -424
package/dist/seed/index.d.mts +2 -2
package/dist/seed/index.mjs +11 -10
package/dist/seo/index.d.mts +1 -1
package/dist/storage/local.d.mts +1 -1
package/dist/storage/local.mjs +1 -1
package/dist/storage/s3.d.mts +11 -3
package/dist/storage/s3.mjs +78 -15
package/dist/taxonomies-1s5PaS_8.mjs +266 -0
package/dist/transaction-Cn2rjY78.mjs +27 -0
package/dist/{types-BgQeVaPj.d.mts → types-BuMDPy5C.d.mts} +52 -3
package/dist/{types-DuNbGKjF.mjs → types-COeOq9nK.mjs} +6 -1
package/dist/{types-ju-_ORz7.d.mts → types-CWbdtiux.d.mts} +13 -5
package/dist/{types-D38djUXv.d.mts → types-Cj0KMIZV.d.mts} +16 -3
package/dist/{types-DkvMXalq.d.mts → types-DOrVigru.d.mts} +159 -0
package/dist/{validate-CXnRKfJK.mjs → validate-BZ5wnLLp.mjs} +2 -1
package/dist/{validate-DVKJJ-M_.d.mts → validate-IPf8n4Fj.d.mts} +4 -51
package/dist/{validate-CqRJb_xU.mjs → validate-VPnKoIzW.mjs} +10 -10
package/dist/version-BKXPsfmJ.mjs +6 -0
package/package.json +53 -39
package/src/astro/routes/PluginRegistry.tsx +21 -0
package/src/astro/routes/admin.astro +99 -0
package/src/astro/routes/api/admin/allowed-domains/[domain].ts +112 -0
package/src/astro/routes/api/admin/allowed-domains/index.ts +108 -0
package/src/astro/routes/api/admin/api-tokens/[id].ts +44 -0
package/src/astro/routes/api/admin/api-tokens/index.ts +90 -0
package/src/astro/routes/api/admin/briefing.ts +76 -0
package/src/astro/routes/api/admin/bylines/[id]/index.ts +90 -0
package/src/astro/routes/api/admin/bylines/index.ts +74 -0
package/src/astro/routes/api/admin/comments/[id]/status.ts +120 -0
package/src/astro/routes/api/admin/comments/[id].ts +64 -0
package/src/astro/routes/api/admin/comments/bulk.ts +42 -0
package/src/astro/routes/api/admin/comments/counts.ts +30 -0
package/src/astro/routes/api/admin/comments/index.ts +46 -0
package/src/astro/routes/api/admin/context/[id]/history.ts +35 -0
package/src/astro/routes/api/admin/context/[id]/index.ts +35 -0
package/src/astro/routes/api/admin/context/[id]/review.ts +57 -0
package/src/astro/routes/api/admin/context/[id]/supersede.ts +58 -0
package/src/astro/routes/api/admin/context/diff.ts +35 -0
package/src/astro/routes/api/admin/context/index.ts +69 -0
package/src/astro/routes/api/admin/context/stale.ts +35 -0
package/src/astro/routes/api/admin/hitl-requests/[id]/index.ts +38 -0
package/src/astro/routes/api/admin/hitl-requests/[id]/resolve.ts +54 -0
package/src/astro/routes/api/admin/hitl-requests/index.ts +38 -0
package/src/astro/routes/api/admin/hooks/exclusive/[hookName].ts +132 -0
package/src/astro/routes/api/admin/hooks/exclusive/index.ts +51 -0
package/src/astro/routes/api/admin/oauth-clients/[id].ts +137 -0
package/src/astro/routes/api/admin/oauth-clients/index.ts +95 -0
package/src/astro/routes/api/admin/plugins/[id]/disable.ts +91 -0
package/src/astro/routes/api/admin/plugins/[id]/enable.ts +91 -0
package/src/astro/routes/api/admin/plugins/[id]/index.ts +38 -0
package/src/astro/routes/api/admin/plugins/[id]/uninstall.ts +98 -0
package/src/astro/routes/api/admin/plugins/[id]/update.ts +154 -0
package/src/astro/routes/api/admin/plugins/index.ts +32 -0
package/src/astro/routes/api/admin/plugins/marketplace/[id]/icon.ts +62 -0
package/src/astro/routes/api/admin/plugins/marketplace/[id]/index.ts +33 -0
package/src/astro/routes/api/admin/plugins/marketplace/[id]/install.ts +135 -0
package/src/astro/routes/api/admin/plugins/marketplace/index.ts +38 -0
package/src/astro/routes/api/admin/plugins/updates.ts +28 -0
package/src/astro/routes/api/admin/review-requests/[id]/index.ts +35 -0
package/src/astro/routes/api/admin/review-requests/[id]/resolve.ts +52 -0
package/src/astro/routes/api/admin/review-requests/index.ts +35 -0
package/src/astro/routes/api/admin/themes/marketplace/[id]/index.ts +33 -0
package/src/astro/routes/api/admin/themes/marketplace/[id]/thumbnail.ts +62 -0
package/src/astro/routes/api/admin/themes/marketplace/index.ts +45 -0
package/src/astro/routes/api/admin/users/[id]/disable.ts +72 -0
package/src/astro/routes/api/admin/users/[id]/enable.ts +48 -0
package/src/astro/routes/api/admin/users/[id]/index.ts +166 -0
package/src/astro/routes/api/admin/users/[id]/send-recovery.ts +72 -0
package/src/astro/routes/api/admin/users/index.ts +66 -0
package/src/astro/routes/api/auth/dev-bypass.ts +139 -0
package/src/astro/routes/api/auth/invite/accept.ts +52 -0
package/src/astro/routes/api/auth/invite/complete.ts +86 -0
package/src/astro/routes/api/auth/invite/index.ts +99 -0
package/src/astro/routes/api/auth/invite/register-options.ts +73 -0
package/src/astro/routes/api/auth/logout.ts +40 -0
package/src/astro/routes/api/auth/magic-link/send.ts +90 -0
package/src/astro/routes/api/auth/magic-link/verify.ts +71 -0
package/src/astro/routes/api/auth/me.ts +60 -0
package/src/astro/routes/api/auth/oauth/[provider]/callback.ts +221 -0
package/src/astro/routes/api/auth/oauth/[provider].ts +120 -0
package/src/astro/routes/api/auth/passkey/[id].ts +124 -0
package/src/astro/routes/api/auth/passkey/index.ts +54 -0
package/src/astro/routes/api/auth/passkey/options.ts +85 -0
package/src/astro/routes/api/auth/passkey/register/options.ts +88 -0
package/src/astro/routes/api/auth/passkey/register/verify.ts +119 -0
package/src/astro/routes/api/auth/passkey/verify.ts +72 -0
package/src/astro/routes/api/auth/signup/complete.ts +87 -0
package/src/astro/routes/api/auth/signup/request.ts +89 -0
package/src/astro/routes/api/auth/signup/verify.ts +53 -0
package/src/astro/routes/api/comments/[collection]/[contentId]/index.ts +310 -0
package/src/astro/routes/api/content/[collection]/[id]/compare.ts +28 -0
package/src/astro/routes/api/content/[collection]/[id]/discard-draft.ts +68 -0
package/src/astro/routes/api/content/[collection]/[id]/duplicate.ts +77 -0
package/src/astro/routes/api/content/[collection]/[id]/permanent.ts +42 -0
package/src/astro/routes/api/content/[collection]/[id]/preview-url.ts +107 -0
package/src/astro/routes/api/content/[collection]/[id]/publish.ts +100 -0
package/src/astro/routes/api/content/[collection]/[id]/restore.ts +64 -0
package/src/astro/routes/api/content/[collection]/[id]/revisions.ts +31 -0
package/src/astro/routes/api/content/[collection]/[id]/schedule.ts +129 -0
package/src/astro/routes/api/content/[collection]/[id]/terms/[taxonomy].ts +143 -0
package/src/astro/routes/api/content/[collection]/[id]/translations.ts +50 -0
package/src/astro/routes/api/content/[collection]/[id]/unpublish.ts +69 -0
package/src/astro/routes/api/content/[collection]/[id].ts +173 -0
package/src/astro/routes/api/content/[collection]/index.ts +103 -0
package/src/astro/routes/api/content/[collection]/trash.ts +33 -0
package/src/astro/routes/api/dashboard.ts +32 -0
package/src/astro/routes/api/dev/emails.ts +36 -0
package/src/astro/routes/api/health.ts +54 -0
package/src/astro/routes/api/import/probe.ts +47 -0
package/src/astro/routes/api/import/wordpress/analyze.ts +523 -0
package/src/astro/routes/api/import/wordpress/execute.ts +330 -0
package/src/astro/routes/api/import/wordpress/media.ts +338 -0
package/src/astro/routes/api/import/wordpress/prepare.ts +212 -0
package/src/astro/routes/api/import/wordpress/rewrite-urls.ts +425 -0
package/src/astro/routes/api/import/wordpress-plugin/analyze.ts +111 -0
package/src/astro/routes/api/import/wordpress-plugin/callback.ts +58 -0
package/src/astro/routes/api/import/wordpress-plugin/execute.ts +399 -0
package/src/astro/routes/api/manifest.ts +75 -0
package/src/astro/routes/api/mcp.ts +125 -0
package/src/astro/routes/api/media/[id]/confirm.ts +93 -0
package/src/astro/routes/api/media/[id].ts +145 -0
package/src/astro/routes/api/media/file/[...key].ts +79 -0
package/src/astro/routes/api/media/providers/[providerId]/[itemId].ts +91 -0
package/src/astro/routes/api/media/providers/[providerId]/index.ts +111 -0
package/src/astro/routes/api/media/providers/index.ts +30 -0
package/src/astro/routes/api/media/upload-url.ts +146 -0
package/src/astro/routes/api/media.ts +204 -0
package/src/astro/routes/api/menus/[name]/items.ts +206 -0
package/src/astro/routes/api/menus/[name]/reorder.ts +79 -0
package/src/astro/routes/api/menus/[name].ts +145 -0
package/src/astro/routes/api/menus/index.ts +91 -0
package/src/astro/routes/api/oauth/authorize.ts +430 -0
package/src/astro/routes/api/oauth/device/authorize.ts +45 -0
package/src/astro/routes/api/oauth/device/code.ts +56 -0
package/src/astro/routes/api/oauth/device/token.ts +70 -0
package/src/astro/routes/api/oauth/register.ts +182 -0
package/src/astro/routes/api/oauth/token/refresh.ts +38 -0
package/src/astro/routes/api/oauth/token/revoke.ts +38 -0
package/src/astro/routes/api/oauth/token.ts +195 -0
package/src/astro/routes/api/openapi.json.ts +33 -0
package/src/astro/routes/api/plugins/[pluginId]/[...path].ts +109 -0
package/src/astro/routes/api/redirects/404s/index.ts +72 -0
package/src/astro/routes/api/redirects/404s/summary.ts +33 -0
package/src/astro/routes/api/redirects/[id].ts +183 -0
package/src/astro/routes/api/redirects/index.ts +100 -0
package/src/astro/routes/api/revisions/[revisionId]/index.ts +29 -0
package/src/astro/routes/api/revisions/[revisionId]/restore.ts +62 -0
package/src/astro/routes/api/schema/collections/[slug]/fields/[fieldSlug].ts +104 -0
package/src/astro/routes/api/schema/collections/[slug]/fields/index.ts +67 -0
package/src/astro/routes/api/schema/collections/[slug]/fields/reorder.ts +45 -0
package/src/astro/routes/api/schema/collections/[slug]/index.ts +107 -0
package/src/astro/routes/api/schema/collections/index.ts +61 -0
package/src/astro/routes/api/schema/index.ts +109 -0
package/src/astro/routes/api/schema/orphans/[slug].ts +36 -0
package/src/astro/routes/api/schema/orphans/index.ts +26 -0
package/src/astro/routes/api/search/enable.ts +64 -0
package/src/astro/routes/api/search/index.ts +52 -0
package/src/astro/routes/api/search/rebuild.ts +72 -0
package/src/astro/routes/api/search/stats.ts +35 -0
package/src/astro/routes/api/search/suggest.ts +50 -0
package/src/astro/routes/api/sections/[slug].ts +203 -0
package/src/astro/routes/api/sections/index.ts +107 -0
package/src/astro/routes/api/settings/email.ts +150 -0
package/src/astro/routes/api/settings.ts +116 -0
package/src/astro/routes/api/setup/admin-verify.ts +122 -0
package/src/astro/routes/api/setup/admin.ts +104 -0
package/src/astro/routes/api/setup/dev-bypass.ts +200 -0
package/src/astro/routes/api/setup/dev-reset.ts +40 -0
package/src/astro/routes/api/setup/index.ts +128 -0
package/src/astro/routes/api/setup/status.ts +122 -0
package/src/astro/routes/api/snapshot.ts +76 -0
package/src/astro/routes/api/taxonomies/[name]/terms/[slug].ts +232 -0
package/src/astro/routes/api/taxonomies/[name]/terms/index.ts +131 -0
package/src/astro/routes/api/taxonomies/index.ts +114 -0
package/src/astro/routes/api/themes/preview.ts +78 -0
package/src/astro/routes/api/typegen.ts +114 -0
package/src/astro/routes/api/well-known/auth.ts +71 -0
package/src/astro/routes/api/well-known/oauth-authorization-server.ts +48 -0
package/src/astro/routes/api/well-known/oauth-protected-resource.ts +39 -0
package/src/astro/routes/api/widget-areas/[name]/reorder.ts +114 -0
package/src/astro/routes/api/widget-areas/[name]/widgets/[id].ts +213 -0
package/src/astro/routes/api/widget-areas/[name]/widgets.ts +126 -0
package/src/astro/routes/api/widget-areas/[name].ts +135 -0
package/src/astro/routes/api/widget-areas/index.ts +149 -0
package/src/astro/routes/api/widget-components.ts +22 -0
package/src/astro/routes/robots.txt.ts +81 -0
package/src/astro/routes/sitemap-[collection].xml.ts +104 -0
package/src/astro/routes/sitemap.xml.ts +92 -0
package/src/components/Break.astro +45 -0
package/src/components/Button.astro +71 -0
package/src/components/Buttons.astro +49 -0
package/src/components/Code.astro +59 -0
package/src/components/Columns.astro +59 -0
package/src/components/CommentForm.astro +315 -0
package/src/components/Comments.astro +232 -0
package/src/components/Cover.astro +128 -0
package/src/components/DinewayBodyEnd.astro +32 -0
package/src/components/DinewayBodyStart.astro +32 -0
package/src/components/DinewayHead.astro +61 -0
package/src/components/DinewayImage.astro +178 -0
package/src/components/DinewayMedia.astro +167 -0
package/src/components/Embed.astro +128 -0
package/src/components/File.astro +122 -0
package/src/components/Gallery.astro +93 -0
package/src/components/HtmlBlock.astro +33 -0
package/src/components/Image.astro +178 -0
package/src/components/InlineEditor.astro +27 -0
package/src/components/InlinePortableTextEditor.tsx +1937 -0
package/src/components/LiveSearch.astro +614 -0
package/src/components/PortableText.astro +51 -0
package/src/components/Pullquote.astro +51 -0
package/src/components/Table.astro +135 -0
package/src/components/WidgetArea.astro +22 -0
package/src/components/WidgetRenderer.astro +72 -0
package/src/components/index.ts +106 -0
package/src/components/marks/Link.astro +31 -0
package/src/components/marks/StrikeThrough.astro +7 -0
package/src/components/marks/Subscript.astro +7 -0
package/src/components/marks/Superscript.astro +7 -0
package/src/components/marks/Underline.astro +7 -0
package/src/components/marks.ts +19 -0
package/src/components/widgets/Archives.astro +65 -0
package/src/components/widgets/Categories.astro +35 -0
package/src/components/widgets/RecentPosts.astro +51 -0
package/src/components/widgets/Search.astro +18 -0
package/src/components/widgets/Tags.astro +38 -0
package/src/ui.ts +75 -0
package/LICENSE +0 -9
/package/dist/{adapters-BlzWJG82.d.mts → adapters-C2ypTrZZ.d.mts} +0 -0
/package/dist/{config-Cq8H0SfX.mjs → config-BXwuX8Bx.mjs} +0 -0
/package/dist/{load-C6FCD1FU.mjs → load-Coc9HpHH.mjs} +0 -0
/package/dist/{manifest-schema-CTSEyIJ3.mjs → manifest-schema-D1MSVnoI.mjs} +0 -0
/package/dist/{mode-BlyYtIFO.mjs → mode-47goXBBK.mjs} +0 -0
/package/dist/{tokens-4vgYuXsZ.mjs → tokens-CJz9ubV6.mjs} +0 -0
/package/dist/{transport-C5FYnid7.mjs → transport-DB5eDN4x.mjs} +0 -0
/package/dist/{transport-gIL-e43D.d.mts → transport-Wge_IzKl.d.mts} +0 -0
/package/dist/{types-CLLdsG3g.d.mts → types-BzcUjoqg.d.mts} +0 -0
/package/dist/{types-DShnjzb6.mjs → types-griIBQOQ.mjs} +0 -0

package/src/astro/routes/api/setup/admin-verify.ts ADDED Viewed

@@ -0,0 +1,122 @@
+/**
+ * POST /_dineway/api/setup/admin/verify
+ *
+ * Complete admin creation by verifying the passkey registration
+ */
+import type { APIRoute } from "astro";
+export const prerender = false;
+import { Role, secureCompare } from "@dineway-ai/auth";
+import { createKyselyAdapter } from "@dineway-ai/auth/adapters/kysely";
+import { verifyRegistrationResponse, registerPasskey } from "@dineway-ai/auth/passkey";
+import { apiError, apiSuccess, handleError } from "#api/error.js";
+import { isParseError, parseBody } from "#api/parse.js";
+import { getPublicOrigin } from "#api/public-url.js";
+import { setupAdminVerifyBody } from "#api/schemas.js";
+import { createChallengeStore } from "#auth/challenge-store.js";
+import { getPasskeyConfig } from "#auth/passkey-config.js";
+import { SETUP_NONCE_COOKIE } from "#auth/setup-nonce.js";
+import { OptionsRepository } from "#db/repositories/options.js";
+export const POST: APIRoute = async ({ cookies, request, locals }) => {
+	const { dineway } = locals;
+	if (!dineway?.db) {
+		return apiError("NOT_CONFIGURED", "Dineway is not initialized", 500);
+	}
+	try {
+		// Check if setup is already complete
+		const options = new OptionsRepository(dineway.db);
+		const setupComplete = await options.get("dineway:setup_complete");
+		if (setupComplete === true || setupComplete === "true") {
+			return apiError("SETUP_COMPLETE", "Setup already complete", 400);
+		}
+		// Check if any users exist
+		const adapter = createKyselyAdapter(dineway.db);
+		const userCount = await adapter.countUsers();
+		if (userCount > 0) {
+			return apiError("ADMIN_EXISTS", "Admin user already exists", 400);
+		}
+		// Get setup state
+		const setupState = await options.get<{
+			step?: string;
+			email?: string;
+			name?: string | null;
+			nonce?: string;
+		}>("dineway:setup_state");
+		if (!setupState || setupState.step !== "admin") {
+			return apiError("INVALID_STATE", "Invalid setup state. Please restart setup.", 400);
+		}
+		const cookieNonce = cookies.get(SETUP_NONCE_COOKIE)?.value;
+		if (!setupState.nonce || !cookieNonce || !secureCompare(cookieNonce, setupState.nonce)) {
+			return apiError(
+				"INVALID_STATE",
+				"Setup session expired or tampered with. Please restart the admin step.",
+				400,
+			);
+		}
+		if (!setupState.email) {
+			return apiError("INVALID_STATE", "Invalid setup state. Please restart setup.", 400);
+		}
+		// Parse request body
+		const body = await parseBody(request, setupAdminVerifyBody);
+		if (isParseError(body)) return body;
+		// Get passkey config
+		const url = new URL(request.url);
+		const siteName = (await options.get<string>("dineway:site_title")) ?? undefined;
+		const siteUrl = getPublicOrigin(url, dineway?.config);
+		const passkeyConfig = getPasskeyConfig(url, siteName, siteUrl);
+		// Verify the registration response
+		const challengeStore = createChallengeStore(dineway.db);
+		const verified = await verifyRegistrationResponse(
+			passkeyConfig,
+			body.credential,
+			challengeStore,
+		);
+		// Create the admin user
+		const user = await adapter.createUser({
+			email: setupState.email,
+			name: setupState.name ?? null,
+			role: Role.ADMIN,
+			emailVerified: false, // No email verification for first user
+		});
+		// Register the passkey
+		await registerPasskey(adapter, user.id, verified, "Setup passkey");
+		// Mark setup as complete
+		await options.set("dineway:setup_complete", true);
+		// Clean up setup state and the session nonce cookie
+		await options.delete("dineway:setup_state");
+		cookies.delete(SETUP_NONCE_COOKIE, { path: "/_dineway/" });
+		return apiSuccess({
+			success: true,
+			user: {
+				id: user.id,
+				email: user.email,
+				name: user.name,
+				role: user.role,
+			},
+		});
+	} catch (error) {
+		return handleError(error, "Failed to verify admin setup", "SETUP_VERIFY_ERROR");
+	}
+};

package/src/astro/routes/api/setup/admin.ts ADDED Viewed

@@ -0,0 +1,104 @@
+/**
+ * POST /_dineway/api/setup/admin
+ *
+ * Step 3 of setup: Start admin creation by returning passkey registration options
+ */
+import type { APIRoute } from "astro";
+export const prerender = false;
+import { generateToken } from "@dineway-ai/auth";
+import { createKyselyAdapter } from "@dineway-ai/auth/adapters/kysely";
+import { generateRegistrationOptions } from "@dineway-ai/auth/passkey";
+import { apiError, apiSuccess, handleError } from "#api/error.js";
+import { isParseError, parseBody } from "#api/parse.js";
+import { getPublicOrigin } from "#api/public-url.js";
+import { setupAdminBody } from "#api/schemas.js";
+import { createChallengeStore } from "#auth/challenge-store.js";
+import { getPasskeyConfig } from "#auth/passkey-config.js";
+import { SETUP_NONCE_COOKIE, SETUP_NONCE_MAX_AGE_SECONDS } from "#auth/setup-nonce.js";
+import { OptionsRepository } from "#db/repositories/options.js";
+export const POST: APIRoute = async ({ cookies, request, locals }) => {
+	const { dineway } = locals;
+	if (!dineway?.db) {
+		return apiError("NOT_CONFIGURED", "Dineway is not initialized", 500);
+	}
+	try {
+		// Check if setup is already complete
+		const options = new OptionsRepository(dineway.db);
+		const setupComplete = await options.get("dineway:setup_complete");
+		if (setupComplete === true || setupComplete === "true") {
+			return apiError("SETUP_COMPLETE", "Setup already complete", 400);
+		}
+		// Check if any users exist
+		const adapter = createKyselyAdapter(dineway.db);
+		const userCount = await adapter.countUsers();
+		if (userCount > 0) {
+			return apiError("ADMIN_EXISTS", "Admin user already exists", 400);
+		}
+		// Parse request body
+		const body = await parseBody(request, setupAdminBody);
+		if (isParseError(body)) return body;
+		const nonce = generateToken();
+		// Get passkey config
+		const url = new URL(request.url);
+		const siteName = (await options.get<string>("dineway:site_title")) ?? undefined;
+		const siteUrl = getPublicOrigin(url, dineway?.config);
+		const passkeyConfig = getPasskeyConfig(url, siteName, siteUrl);
+		// Generate registration options
+		const challengeStore = createChallengeStore(dineway.db);
+		// Create a temporary user object for registration options
+		// (not persisted until passkey is verified)
+		const tempUser = {
+			id: `setup-${Date.now()}`, // Temporary ID
+			email: body.email.toLowerCase(),
+			name: body.name || null,
+		};
+		const registrationOptions = await generateRegistrationOptions(
+			passkeyConfig,
+			tempUser,
+			[], // No existing credentials
+			challengeStore,
+		);
+		// Store the nonce with the setup state. The verify endpoint compares
+		// it to an HttpOnly cookie so the admin step stays bound to this browser.
+		await options.set("dineway:setup_state", {
+			step: "admin",
+			email: body.email.toLowerCase(),
+			name: body.name || null,
+			tempUserId: tempUser.id,
+			nonce,
+		});
+		const publicOrigin = new URL(siteUrl);
+		cookies.set(SETUP_NONCE_COOKIE, nonce, {
+			path: "/_dineway/",
+			httpOnly: true,
+			sameSite: "strict",
+			secure: publicOrigin.protocol === "https:",
+			maxAge: SETUP_NONCE_MAX_AGE_SECONDS,
+		});
+		return apiSuccess({
+			success: true,
+			options: registrationOptions,
+		});
+	} catch (error) {
+		return handleError(error, "Failed to create admin", "SETUP_ADMIN_ERROR");
+	}
+};

package/src/astro/routes/api/setup/dev-bypass.ts ADDED Viewed

@@ -0,0 +1,200 @@
+/**
+ * POST /_dineway/api/setup/dev-bypass
+ * GET  /_dineway/api/setup/dev-bypass
+ *
+ * Development-only endpoint to bypass the setup wizard.
+ * Runs migrations, creates a dev admin user, and marks setup complete.
+ *
+ * ONLY available when import.meta.env.DEV is true.
+ *
+ * Usage:
+ * - GET with redirect: /_dineway/api/setup/dev-bypass?redirect=/_dineway/admin
+ * - POST for API: Returns JSON with setup info
+ *
+ * For agent/browser testing, navigate to:
+ *   /_dineway/api/setup/dev-bypass?redirect=/_dineway/admin
+ */
+import type { APIRoute } from "astro";
+export const prerender = false;
+import { ulid } from "ulidx";
+import { apiError, apiSuccess, handleError } from "#api/error.js";
+import { escapeHtml } from "#api/escape.js";
+import { handleApiTokenCreate } from "#api/handlers/api-tokens.js";
+import { getPublicOrigin } from "#api/public-url.js";
+import { isSafeRedirect } from "#api/redirect.js";
+import { runMigrations } from "#db/migrations/runner.js";
+import { OptionsRepository } from "#db/repositories/options.js";
+import { applySeed } from "#seed/apply.js";
+import { loadSeed } from "#seed/load.js";
+import { validateSeed } from "#seed/validate.js";
+// RBAC role levels (matching @dineway-ai/auth)
+const ROLE_ADMIN = 50;
+const DEV_USER_EMAIL = "dev@dineway.local";
+const DEV_USER_NAME = "Dev Admin";
+const DEV_SITE_TITLE = "Dineway Dev Site";
+async function handleDevBypass(context: Parameters<APIRoute>[0]): Promise<Response> {
+	// CRITICAL: Only allow in development mode
+	if (!import.meta.env.DEV) {
+		return apiError("FORBIDDEN", "Dev bypass is only available in development mode", 403);
+	}
+	const { locals, url, session } = context;
+	const { dineway } = locals;
+	if (!dineway?.db) {
+		return apiError("NOT_CONFIGURED", "Dineway is not initialized", 500);
+	}
+	try {
+		// Run migrations
+		const migrations = await runMigrations(dineway.db);
+		console.log("[setup-dev-bypass] Migrations applied:", migrations.applied);
+		// Apply seed (user seed or built-in default)
+		const seed = await loadSeed();
+		const validation = validateSeed(seed);
+		if (validation.valid) {
+			const seedResult = await applySeed(dineway.db, seed, {
+				includeContent: true,
+				onConflict: "skip",
+				storage: dineway.storage ?? undefined,
+			});
+			console.log(
+				`[setup-dev-bypass] Seed applied: ${seedResult.collections.created} collections, ${seedResult.fields.created} fields`,
+			);
+		}
+		const options = new OptionsRepository(dineway.db);
+		// Find or create dev user (direct DB access to avoid @dineway-ai/auth import issues in dev)
+		const existingUser = await dineway.db
+			.selectFrom("users")
+			.selectAll()
+			.where("email", "=", DEV_USER_EMAIL)
+			.executeTakeFirst();
+		let user: { id: string; email: string; name: string; role: number };
+		let userCreated = false;
+		if (!existingUser) {
+			const now = new Date().toISOString();
+			const newUser = {
+				id: ulid(),
+				email: DEV_USER_EMAIL,
+				name: DEV_USER_NAME,
+				role: ROLE_ADMIN,
+				email_verified: 1,
+				created_at: now,
+				updated_at: now,
+			};
+			await dineway.db.insertInto("users").values(newUser).execute();
+			user = {
+				id: newUser.id,
+				email: newUser.email,
+				name: newUser.name,
+				role: newUser.role,
+			};
+			userCreated = true;
+			console.log("[setup-dev-bypass] Created dev admin user:", user.email);
+		} else {
+			user = {
+				id: existingUser.id,
+				email: existingUser.email,
+				name: existingUser.name || DEV_USER_NAME,
+				role: existingUser.role,
+			};
+		}
+		// Set site title if not already set
+		const existingTitle = await options.get("dineway:site_title");
+		if (!existingTitle) {
+			await options.set("dineway:site_title", DEV_SITE_TITLE);
+		}
+		// Store canonical site URL (used by magic-link/recovery emails)
+		await options.set("dineway:site_url", getPublicOrigin(url, dineway?.config));
+		// Mark setup complete
+		await options.set("dineway:setup_complete", true);
+		// Create session
+		if (session) {
+			session.set("user", { id: user.id });
+		}
+		// Optionally create a PAT token (?token=1) for headless/CLI testing.
+		let token: string | undefined;
+		if (url.searchParams.has("token")) {
+			const result = await handleApiTokenCreate(dineway.db, user.id, {
+				name: "dev-bypass-token",
+				scopes: [
+					"content:read",
+					"content:write",
+					"media:read",
+					"media:write",
+					"schema:read",
+					"schema:write",
+					"admin",
+				],
+			});
+			if (result.success) {
+				token = result.data.token;
+			}
+		}
+		// Check for redirect parameter
+		const redirect = url.searchParams.get("redirect");
+		if (redirect) {
+			// Validate redirect is a safe local path (prevent open redirect via //evil.com or /\evil.com)
+			if (!isSafeRedirect(redirect)) {
+				return apiError("INVALID_REDIRECT", "Redirect must be a local path", 400);
+			}
+			// Return an HTML page with meta-refresh redirect
+			// This ensures the session is fully saved before redirect
+			const safeRedirect = escapeHtml(redirect);
+			const html = `<!DOCTYPE html>
+<html>
+<head>
+	<meta http-equiv="refresh" content="0;url=${safeRedirect}">
+</head>
+<body>Redirecting...</body>
+</html>`;
+			return new Response(html, {
+				status: 200,
+				headers: { "Content-Type": "text/html" },
+			});
+		}
+		// Return JSON response
+		return apiSuccess({
+			success: true,
+			message: "Dev setup complete",
+			migrations: migrations.applied,
+			userCreated,
+			user: {
+				id: user.id,
+				email: user.email,
+				name: user.name,
+				role: user.role,
+			},
+			...(token ? { token } : {}),
+		});
+	} catch (error) {
+		return handleError(error, "Dev bypass failed", "DEV_BYPASS_ERROR");
+	}
+}
+// Support both GET and POST
+export const GET: APIRoute = handleDevBypass;
+export const POST: APIRoute = handleDevBypass;

package/src/astro/routes/api/setup/dev-reset.ts ADDED Viewed

@@ -0,0 +1,40 @@
+/**
+ * POST /_dineway/api/setup/dev-reset
+ *
+ * Development-only endpoint to reset setup state for testing.
+ * Clears the setup_complete flag and deletes all users,
+ * returning the site to the pre-setup state.
+ *
+ * ONLY available when import.meta.env.DEV is true.
+ */
+import type { APIRoute } from "astro";
+export const prerender = false;
+import { apiError, apiSuccess, handleError } from "#api/error.js";
+import { OptionsRepository } from "#db/repositories/options.js";
+export const POST: APIRoute = async ({ locals }) => {
+	if (!import.meta.env.DEV) {
+		return apiError("FORBIDDEN", "Dev reset is only available in development mode", 403);
+	}
+	const { dineway } = locals;
+	if (!dineway?.db) {
+		return apiError("NOT_CONFIGURED", "Dineway is not initialized", 500);
+	}
+	try {
+		const options = new OptionsRepository(dineway.db);
+		await options.delete("dineway:setup_complete");
+		await options.delete("dineway:setup_state");
+		await dineway.db.deleteFrom("users").execute();
+		return apiSuccess({ success: true });
+	} catch (error) {
+		return handleError(error, "Dev reset failed", "DEV_RESET_ERROR");
+	}
+};

package/src/astro/routes/api/setup/index.ts ADDED Viewed

@@ -0,0 +1,128 @@
+/**
+ * POST /_dineway/api/setup
+ *
+ * Executes the setup wizard - applies seed file and marks setup complete
+ */
+import type { APIRoute } from "astro";
+export const prerender = false;
+import { apiError, apiSuccess, handleError } from "#api/error.js";
+import { isParseError, parseBody } from "#api/parse.js";
+import { getPublicOrigin } from "#api/public-url.js";
+import { setupBody } from "#api/schemas.js";
+import { getAuthMode } from "#auth/mode.js";
+import { runMigrations } from "#db/migrations/runner.js";
+import { OptionsRepository } from "#db/repositories/options.js";
+import { applySeed } from "#seed/apply.js";
+import { loadSeed } from "#seed/load.js";
+import { validateSeed } from "#seed/validate.js";
+export const POST: APIRoute = async ({ request, url, locals }) => {
+	const { dineway } = locals;
+	if (!dineway?.db) {
+		return apiError("NOT_CONFIGURED", "Dineway is not initialized", 500);
+	}
+	try {
+		// Guard: reject if setup has already been completed.
+		// The options table may not exist on first-ever setup (pre-migration),
+		// so a query failure means setup hasn't run yet — allow it to proceed.
+		try {
+			const options = new OptionsRepository(dineway.db);
+			const setupComplete = await options.get("dineway:setup_complete");
+			if (setupComplete === true || setupComplete === "true") {
+				return apiError("ALREADY_CONFIGURED", "Setup has already been completed", 409);
+			}
+		} catch {
+			// Options table doesn't exist yet — first-ever setup, allow it
+		}
+		// Parse request body
+		const body = await parseBody(request, setupBody);
+		if (isParseError(body)) return body;
+		// 1. Run core migrations
+		try {
+			await runMigrations(dineway.db);
+		} catch (error) {
+			return handleError(error, "Failed to run database migrations", "MIGRATION_ERROR");
+		}
+		// 2. Load seed file (user seed or built-in default)
+		const seed = await loadSeed();
+		// 3. Override seed settings with form values
+		seed.settings = {
+			...seed.settings,
+			title: body.title,
+			tagline: body.tagline,
+		};
+		// 4. Apply seed
+		const validation = validateSeed(seed);
+		if (!validation.valid) {
+			return apiError("INVALID_SEED", `Invalid seed file: ${validation.errors.join(", ")}`, 400);
+		}
+		let result;
+		try {
+			result = await applySeed(dineway.db, seed, {
+				includeContent: body.includeContent,
+				onConflict: "skip",
+				storage: dineway.storage ?? undefined,
+			});
+		} catch (error) {
+			return handleError(error, "Failed to apply seed", "SEED_ERROR");
+		}
+		// 5. Store setup state
+		// In external auth mode, mark setup complete immediately (first user to login becomes admin)
+		// In passkey mode, setup_complete is set after admin user is created
+		const authMode = getAuthMode(dineway.config);
+		const useExternalAuth = authMode.type === "external";
+		try {
+			const options = new OptionsRepository(dineway.db);
+			// Store the canonical site URL from the setup request.
+			// Keep the first value so later unauthenticated setup calls cannot
+			// rewrite the public origin during the setup window.
+			const siteUrl = getPublicOrigin(url, dineway.config);
+			await options.setIfAbsent("dineway:site_url", siteUrl);
+			if (useExternalAuth) {
+				// External auth mode: mark setup complete now
+				// First user to log in via external provider will become admin
+				await options.set("dineway:setup_complete", true);
+				await options.set("dineway:site_title", body.title);
+				if (body.tagline) {
+					await options.set("dineway:site_tagline", body.tagline);
+				}
+			} else {
+				// Passkey mode: store state for next step (admin creation)
+				await options.set("dineway:setup_state", {
+					step: "site_complete",
+					title: body.title,
+					tagline: body.tagline,
+				});
+			}
+		} catch (error) {
+			console.error("Failed to save setup state:", error);
+			// Non-fatal - continue anyway
+		}
+		// 6. Return success with result
+		return apiSuccess({
+			success: true,
+			// In external auth mode, setup is complete - redirect to admin
+			setupComplete: useExternalAuth,
+			result,
+		});
+	} catch (error) {
+		return handleError(error, "Setup failed", "SETUP_ERROR");
+	}
+};