dineway 0.1.4 → 0.1.5

package/src/astro/routes/api/import/wordpress-plugin/execute.ts

@@ -8,22 +8,33 @@
 
 import type { APIRoute } from "astro";
 import { ContentRepository, SchemaRegistry } from "dineway";
+import { z } from "zod";
 
 import { requirePerm } from "#api/authorize.js";
 import { apiError, apiSuccess, handleError } from "#api/error.js";
+import {
+	ensureWorkflowHitlRouteRequest,
+	hitlRequiredRouteError,
+	resolveHitlRouteActor,
+} from "#api/hitl-route-helpers.js";
 import { isParseError, parseBody } from "#api/parse.js";
 import { wpPluginExecuteBody } from "#api/schemas.js";
 import { BylineRepository } from "#db/repositories/byline.js";
 import { getSource } from "#import/index.js";
-import { validateExternalUrl, SsrfError } from "#import/ssrf.js";
+import { resolveAndValidateExternalUrl, SsrfError } from "#import/ssrf.js";
 import type { ImportConfig, ImportResult, NormalizedItem } from "#import/types.js";
 import { resolveImportByline } from "#import/utils.js";
 import type { FieldType } from "#schema/types.js";
+import { RiskPolicyEvaluator, WordPressImportHitlPayloadBuilder } from "#site-context/index.js";
 import type { DinewayHandlers, DinewayManifest } from "#types";
 import { slugify } from "#utils/slugify.js";
 
 export const prerender = false;
 
+const wpPluginExecuteRouteBody = wpPluginExecuteBody.extend({
+	hitlRequestId: z.string().min(1).optional(),
+});
+
 export interface WpPluginImportConfig extends ImportConfig {
 	/** Author mappings (WP author login -> Dineway user ID) */
 	authorMappings?: Record<string, string | null>;
@@ -46,12 +57,12 @@ export const POST: APIRoute = async ({ request, locals }) => {
 	}
 
 	try {
-		const body = await parseBody(request, wpPluginExecuteBody);
+		const body = await parseBody(request, wpPluginExecuteRouteBody);
 		if (isParseError(body)) return body;
 
-		// SSRF: reject internal/private network targets
+		// SSRF: reject internal/private network targets before import work starts.
 		try {
-			validateExternalUrl(body.url);
+			await resolveAndValidateExternalUrl(body.url);
 		} catch (e) {
 			const msg = e instanceof SsrfError ? e.message : "Invalid URL";
 			return apiError("SSRF_BLOCKED", msg, 400);
@@ -78,16 +89,39 @@ export const POST: APIRoute = async ({ request, locals }) => {
 		console.log("[WP Plugin Import] Starting import for:", body.url);
 		console.log("[WP Plugin Import] Post types:", postTypes);
 
+		const sourceInput = { type: "url", url: body.url, token: body.token } as const;
+		const actor = resolveHitlRouteActor(locals);
+		const evaluator = new RiskPolicyEvaluator({
+			db: dineway.db,
+			handlers: dineway,
+		});
+		let items: AsyncIterable<NormalizedItem> | Iterable<NormalizedItem>;
+
+		if (evaluator.requiresWorkflowHitl(actor.identity)) {
+			const fetchedItems = await collectPluginItems(
+				source.fetchContent(sourceInput, { postTypes, includeDrafts: true }),
+			);
+			const action = await new WordPressImportHitlPayloadBuilder().buildPluginExecuteRequest({
+				siteUrl: body.url,
+				config,
+				items: fetchedItems,
+			});
+			const decision = await evaluator.evaluateWorkflowHitl({
+				actor: actor.identity,
+				hitlRequestId: body.hitlRequestId,
+				action,
+			});
+			if (!decision.allowed) {
+				const ensured = await ensureWorkflowHitlRouteRequest(dineway.db, locals, decision.action);
+				return hitlRequiredRouteError(decision, ensured);
+			}
+			items = fetchedItems;
+		} else {
+			items = source.fetchContent(sourceInput, { postTypes, includeDrafts: true });
+		}
+
 		// Import content (including drafts since we have auth)
-		const result = await importContent(
-			source.fetchContent(
-				{ type: "url", url: body.url, token: body.token },
-				{ postTypes, includeDrafts: true },
-			),
-			config,
-			dineway,
-			dinewayManifest,
-		);
+		const result = await importContent(items, config, dineway, dinewayManifest);
 
 		console.log("[WP Plugin Import] Import result:", JSON.stringify(result, null, 2));
 
@@ -134,7 +168,7 @@ const IMPORT_FIELDS: Array<{
 ];
 
 async function importContent(
-	items: AsyncGenerator<NormalizedItem>,
+	items: AsyncIterable<NormalizedItem> | Iterable<NormalizedItem>,
 	config: WpPluginImportConfig,
 	dineway: DinewayHandlers,
 	manifest: DinewayManifest,
@@ -332,7 +366,7 @@ async function importContent(
 			console.error(`Import error for "${item.title || "Untitled"}":`, error);
 			result.errors.push({
 				title: item.title || "Untitled",
-				error: "Failed to import item",
+				error: error instanceof Error && error.message ? error.message : "Failed to import item",
 			});
 		}
 	}
@@ -355,3 +389,11 @@ function mapStatus(wpStatus: string | undefined): string {
 			return "draft";
 	}
 }
+
+async function collectPluginItems(items: AsyncIterable<NormalizedItem>): Promise<NormalizedItem[]> {
+	const collected: NormalizedItem[] = [];
+	for await (const item of items) {
+		collected.push(item);
+	}
+	return collected;
+}

package/src/astro/routes/api/manifest.ts

@@ -11,6 +11,9 @@ import type { APIRoute } from "astro";
 
 import { getAuthMode } from "#auth/mode.js";
 
+import { experimentalSiteContextWorkflowsEnabled } from "../../../site-context/experimental-workflows.js";
+import { COMMIT, VERSION } from "../../../version.js";
+import { getStoredConfig } from "../../integration/runtime.js";
 import type { DinewayManifest } from "../../types.js";
 
 export const prerender = false;
@@ -20,6 +23,7 @@ export const GET: APIRoute = async ({ locals }) => {
 
 	// Determine auth mode from config
 	const authMode = getAuthMode(dineway?.config);
+	const adminBranding = dinewayManifest?.admin ?? dineway?.config.admin ?? getStoredConfig()?.admin;
 
 	// Check if self-signup is enabled (any allowed domain with enabled = 1)
 	// Only relevant for passkey auth — external auth providers handle their own signup
@@ -39,17 +43,25 @@ export const GET: APIRoute = async ({ locals }) => {
 	const manifest: DinewayManifest = dinewayManifest
 		? {
 				...dinewayManifest,
+				features: {
+					...dinewayManifest.features,
+					siteContextWorkflows: experimentalSiteContextWorkflowsEnabled(),
+				},
 				authMode: authMode.type === "external" ? authMode.providerType : "passkey",
 				signupEnabled,
+				admin: adminBranding,
 			}
 		: {
-				version: "0.1.0",
+				version: VERSION,
+				commit: COMMIT,
 				hash: "default",
 				collections: {},
 				plugins: {},
+				features: { siteContextWorkflows: experimentalSiteContextWorkflowsEnabled() },
 				taxonomies: [],
 				authMode: "passkey",
 				signupEnabled,
+				admin: adminBranding,
 			};
 
 	return Response.json(

package/src/astro/routes/api/mcp.ts

@@ -50,6 +50,7 @@ export const POST: APIRoute = async ({ request, locals }) => {
 					userId: user.id,
 					userRole: user.role,
 					tokenScopes: locals.tokenScopes,
+					authToken: locals.authToken,
 				},
 			},
 		});

package/src/astro/routes/api/media/providers/[providerId]/[itemId].ts

@@ -7,6 +7,7 @@
 
 import type { APIRoute } from "astro";
 
+import { requirePerm } from "#api/authorize.js";
 import { apiError, apiSuccess, handleError } from "#api/error.js";
 
 export const prerender = false;
@@ -15,7 +16,9 @@ export const prerender = false;
  * Get a single media item from a provider
  */
 export const GET: APIRoute = async ({ params, locals }) => {
-	const { dineway } = locals;
+	const { dineway, user } = locals;
+	const denied = requirePerm(user, "media:read");
+	if (denied) return denied;
 	const { providerId, itemId } = params;
 
 	if (!providerId || !itemId) {
@@ -56,7 +59,9 @@ export const GET: APIRoute = async ({ params, locals }) => {
  * Delete a media item from a provider
  */
 export const DELETE: APIRoute = async ({ params, locals }) => {
-	const { dineway } = locals;
+	const { dineway, user } = locals;
+	const denied = requirePerm(user, "media:delete_any");
+	if (denied) return denied;
 	const { providerId, itemId } = params;
 
 	if (!providerId || !itemId) {

package/src/astro/routes/api/media/upload-url.ts

@@ -16,7 +16,7 @@ import { ulid } from "ulidx";
 import { requirePerm } from "#api/authorize.js";
 import { apiError, apiSuccess, handleError } from "#api/error.js";
 import { isParseError, parseBody } from "#api/parse.js";
-import { mediaUploadUrlBody } from "#api/schemas.js";
+import { DEFAULT_MAX_UPLOAD_SIZE, mediaUploadUrlBody } from "#api/schemas.js";
 
 export const prerender = false;
 
@@ -59,7 +59,16 @@ export const POST: APIRoute = async ({ request, locals }) => {
 	}
 
 	try {
-		const body = await parseBody(request, mediaUploadUrlBody);
+		const maxUploadSize = dineway.config.maxUploadSize ?? DEFAULT_MAX_UPLOAD_SIZE;
+		if (!Number.isFinite(maxUploadSize) || maxUploadSize <= 0) {
+			return apiError(
+				"CONFIGURATION_ERROR",
+				"Invalid maxUploadSize configuration. Expected a positive finite number.",
+				500,
+			);
+		}
+
+		const body = await parseBody(request, mediaUploadUrlBody(maxUploadSize));
 		if (isParseError(body)) return body;
 
 		// Validate content type

package/src/astro/routes/api/media.ts

@@ -13,7 +13,7 @@ import { ulid } from "ulidx";
 import { requirePerm } from "#api/authorize.js";
 import { apiError, apiSuccess, handleError, unwrapResult } from "#api/error.js";
 import { isParseError, parseQuery } from "#api/parse.js";
-import { mediaListQuery } from "#api/schemas.js";
+import { DEFAULT_MAX_UPLOAD_SIZE, formatFileSize, mediaListQuery } from "#api/schemas.js";
 import { MediaRepository } from "#db/repositories/media.js";
 import { generatePlaceholder } from "#media/placeholder.js";
 import { computeContentHash } from "#utils/hash.js";
@@ -22,9 +22,6 @@ import type { MediaItem } from "../../types.js";
 
 export const prerender = false;
 
-/** Maximum allowed file upload size (50 MB). */
-const MAX_UPLOAD_SIZE = 50 * 1024 * 1024;
-
 /**
  * Add URL to media items
  * Uses relative URLs to ensure portability across deployments
@@ -89,9 +86,14 @@ export const POST: APIRoute = async ({ request, locals }) => {
 	}
 
 	try {
+		const maxUploadSize = dineway.config.maxUploadSize ?? DEFAULT_MAX_UPLOAD_SIZE;
+		if (!Number.isFinite(maxUploadSize) || maxUploadSize <= 0) {
+			return apiError("CONFIGURATION_ERROR", "Invalid maxUploadSize configuration", 500);
+		}
+
 		// Best-effort size check before buffering the full multipart body
 		const contentLength = request.headers.get("Content-Length");
-		if (contentLength && parseInt(contentLength, 10) > MAX_UPLOAD_SIZE) {
+		if (contentLength && parseInt(contentLength, 10) > maxUploadSize) {
 			return apiError("PAYLOAD_TOO_LARGE", "Upload too large", 413);
 		}
 
@@ -110,10 +112,10 @@ export const POST: APIRoute = async ({ request, locals }) => {
 		}
 
 		// Check file size before buffering
-		if (file.size > MAX_UPLOAD_SIZE) {
+		if (file.size > maxUploadSize) {
 			return apiError(
 				"PAYLOAD_TOO_LARGE",
-				`File exceeds maximum size of ${MAX_UPLOAD_SIZE / 1024 / 1024}MB`,
+				`File exceeds maximum size of ${formatFileSize(maxUploadSize)}`,
 				413,
 			);
 		}

package/src/astro/routes/api/menus/[name]/items.ts

@@ -7,6 +7,7 @@
  */
 
 import type { APIRoute } from "astro";
+import { z } from "zod";
 
 import { requirePerm } from "#api/authorize.js";
 import { handleError, unwrapResult } from "#api/error.js";
@@ -15,6 +16,11 @@ import {
 	handleMenuItemDelete,
 	handleMenuItemUpdate,
 } from "#api/handlers/menus.js";
+import {
+	ensureWorkflowHitlRouteRequest,
+	hitlRequiredRouteError,
+	resolveHitlRouteActor,
+} from "#api/hitl-route-helpers.js";
 import { isParseError, parseBody, parseQuery } from "#api/parse.js";
 import {
 	createMenuItemBody,
@@ -22,9 +28,27 @@ import {
 	menuItemUpdateQuery,
 	updateMenuItemBody,
 } from "#api/schemas.js";
+import {
+	logMenuActivity,
+	menuApiRouteSource,
+	MenuHitlPayloadBuilder,
+	RiskPolicyEvaluator,
+} from "#site-context/index.js";
 
 export const prerender = false;
 
+const createMenuItemHitlBody = createMenuItemBody.extend({
+	hitlRequestId: z.string().min(1).optional(),
+});
+
+const updateMenuItemHitlBody = updateMenuItemBody.extend({
+	hitlRequestId: z.string().min(1).optional(),
+});
+
+const deleteMenuItemHitlQuery = menuItemDeleteQuery.extend({
+	hitlRequestId: z.string().min(1).optional(),
+});
+
 export const POST: APIRoute = async ({ params, request, locals }) => {
 	const { dineway, user } = locals;
 	const name = params.name!;
@@ -33,10 +57,42 @@ export const POST: APIRoute = async ({ params, request, locals }) => {
 	if (denied) return denied;
 
 	try {
-		const body = await parseBody(request, createMenuItemBody);
+		const body = await parseBody(request, createMenuItemHitlBody);
 		if (isParseError(body)) return body;
 
-		const result = await handleMenuItemCreate(dineway.db, name, body);
+		const { hitlRequestId, ...menuInput } = body;
+		const actor = resolveHitlRouteActor(locals);
+		const action = await new MenuHitlPayloadBuilder(dineway.db).buildCreateMenuItemRequest({
+			menuName: name,
+			...menuInput,
+		});
+		const decision = await new RiskPolicyEvaluator({
+			db: dineway.db,
+			handlers: dineway,
+		}).evaluateWorkflowHitl({
+			actor: actor.identity,
+			hitlRequestId,
+			action,
+		});
+		if (!decision.allowed) {
+			const ensured = await ensureWorkflowHitlRouteRequest(dineway.db, locals, decision.action);
+			return hitlRequiredRouteError(decision, ensured);
+		}
+
+		const result = await handleMenuItemCreate(dineway.db, name, menuInput);
+		if (!result.success) return unwrapResult(result, 201);
+
+		await logMenuActivity(dineway.db, locals, {
+			action: "item_created",
+			menuName: name,
+			itemId: result.data.id,
+			...menuApiRouteSource("item_created"),
+			summary: `Created menu item ${result.data.id} in ${name}`,
+			detail: {
+				label: result.data.label,
+				hitlRequestId: decision.required ? decision.hitlRequest.id : null,
+			},
+		});
 		return unwrapResult(result, 201);
 	} catch (error) {
 		return handleError(error, "Failed to create menu item", "MENU_ITEM_CREATE_ERROR");
@@ -56,10 +112,43 @@ export const PUT: APIRoute = async ({ params, request, locals }) => {
 	const itemId = query.id;
 
 	try {
-		const body = await parseBody(request, updateMenuItemBody);
+		const body = await parseBody(request, updateMenuItemHitlBody);
 		if (isParseError(body)) return body;
 
-		const result = await handleMenuItemUpdate(dineway.db, name, itemId, body);
+		const { hitlRequestId, ...menuInput } = body;
+		const actor = resolveHitlRouteActor(locals);
+		const action = await new MenuHitlPayloadBuilder(dineway.db).buildUpdateMenuItemRequest({
+			menuName: name,
+			itemId,
+			...menuInput,
+		});
+		const decision = await new RiskPolicyEvaluator({
+			db: dineway.db,
+			handlers: dineway,
+		}).evaluateWorkflowHitl({
+			actor: actor.identity,
+			hitlRequestId,
+			action,
+		});
+		if (!decision.allowed) {
+			const ensured = await ensureWorkflowHitlRouteRequest(dineway.db, locals, decision.action);
+			return hitlRequiredRouteError(decision, ensured);
+		}
+
+		const result = await handleMenuItemUpdate(dineway.db, name, itemId, menuInput);
+		if (!result.success) return unwrapResult(result);
+
+		await logMenuActivity(dineway.db, locals, {
+			action: "item_updated",
+			menuName: name,
+			itemId,
+			...menuApiRouteSource("item_updated"),
+			summary: `Updated menu item ${itemId} in ${name}`,
+			detail: {
+				label: result.data.label,
+				hitlRequestId: decision.required ? decision.hitlRequest.id : null,
+			},
+		});
 		return unwrapResult(result);
 	} catch (error) {
 		return handleError(error, "Failed to update menu item", "MENU_ITEM_UPDATE_ERROR");
@@ -74,12 +163,42 @@ export const DELETE: APIRoute = async ({ params, request, locals }) => {
 	if (denied) return denied;
 
 	const url = new URL(request.url);
-	const query = parseQuery(url, menuItemDeleteQuery);
+	const query = parseQuery(url, deleteMenuItemHitlQuery);
 	if (isParseError(query)) return query;
 	const itemId = query.id;
 
 	try {
+		const actor = resolveHitlRouteActor(locals);
+		const action = await new MenuHitlPayloadBuilder(dineway.db).buildDeleteMenuItemRequest({
+			menuName: name,
+			itemId,
+		});
+		const decision = await new RiskPolicyEvaluator({
+			db: dineway.db,
+			handlers: dineway,
+		}).evaluateWorkflowHitl({
+			actor: actor.identity,
+			hitlRequestId: query.hitlRequestId,
+			action,
+		});
+		if (!decision.allowed) {
+			const ensured = await ensureWorkflowHitlRouteRequest(dineway.db, locals, decision.action);
+			return hitlRequiredRouteError(decision, ensured);
+		}
+
 		const result = await handleMenuItemDelete(dineway.db, name, itemId);
+		if (!result.success) return unwrapResult(result);
+
+		await logMenuActivity(dineway.db, locals, {
+			action: "item_deleted",
+			menuName: name,
+			itemId,
+			...menuApiRouteSource("item_deleted"),
+			summary: `Deleted menu item ${itemId} from ${name}`,
+			detail: {
+				hitlRequestId: decision.required ? decision.hitlRequest.id : null,
+			},
+		});
 		return unwrapResult(result);
 	} catch (error) {
 		return handleError(error, "Failed to delete menu item", "MENU_ITEM_DELETE_ERROR");

package/src/astro/routes/api/menus/[name]/reorder.ts

@@ -5,15 +5,31 @@
  */
 
 import type { APIRoute } from "astro";
+import { z } from "zod";
 
 import { requirePerm } from "#api/authorize.js";
 import { handleError, unwrapResult } from "#api/error.js";
 import { handleMenuItemReorder } from "#api/handlers/menus.js";
+import {
+	ensureWorkflowHitlRouteRequest,
+	hitlRequiredRouteError,
+	resolveHitlRouteActor,
+} from "#api/hitl-route-helpers.js";
 import { isParseError, parseBody } from "#api/parse.js";
 import { reorderMenuItemsBody } from "#api/schemas.js";
+import {
+	logMenuActivity,
+	menuApiRouteSource,
+	MenuHitlPayloadBuilder,
+	RiskPolicyEvaluator,
+} from "#site-context/index.js";
 
 export const prerender = false;
 
+const reorderMenuItemsHitlBody = reorderMenuItemsBody.extend({
+	hitlRequestId: z.string().min(1).optional(),
+});
+
 export const POST: APIRoute = async ({ params, request, locals }) => {
 	const { dineway, user } = locals;
 	const name = params.name!;
@@ -22,10 +38,40 @@ export const POST: APIRoute = async ({ params, request, locals }) => {
 	if (denied) return denied;
 
 	try {
-		const body = await parseBody(request, reorderMenuItemsBody);
+		const body = await parseBody(request, reorderMenuItemsHitlBody);
 		if (isParseError(body)) return body;
 
+		const actor = resolveHitlRouteActor(locals);
+		const action = await new MenuHitlPayloadBuilder(dineway.db).buildReorderMenuItemsRequest({
+			menuName: name,
+			items: body.items,
+		});
+		const decision = await new RiskPolicyEvaluator({
+			db: dineway.db,
+			handlers: dineway,
+		}).evaluateWorkflowHitl({
+			actor: actor.identity,
+			hitlRequestId: body.hitlRequestId,
+			action,
+		});
+		if (!decision.allowed) {
+			const ensured = await ensureWorkflowHitlRouteRequest(dineway.db, locals, decision.action);
+			return hitlRequiredRouteError(decision, ensured);
+		}
+
 		const result = await handleMenuItemReorder(dineway.db, name, body.items);
+		if (!result.success) return unwrapResult(result);
+
+		await logMenuActivity(dineway.db, locals, {
+			action: "reordered",
+			menuName: name,
+			...menuApiRouteSource("reordered"),
+			summary: `Reordered menu ${name}`,
+			detail: {
+				itemCount: body.items.length,
+				hitlRequestId: decision.required ? decision.hitlRequest.id : null,
+			},
+		});
 		return unwrapResult(result);
 	} catch (error) {
 		return handleError(error, "Failed to reorder menu items", "MENU_REORDER_ERROR");

package/src/astro/routes/api/menus/[name].ts

@@ -7,15 +7,35 @@
  */
 
 import type { APIRoute } from "astro";
+import { z } from "zod";
 
 import { requirePerm } from "#api/authorize.js";
 import { handleError, unwrapResult } from "#api/error.js";
 import { handleMenuDelete, handleMenuGet, handleMenuUpdate } from "#api/handlers/menus.js";
-import { isParseError, parseBody } from "#api/parse.js";
+import {
+	ensureWorkflowHitlRouteRequest,
+	hitlRequiredRouteError,
+	resolveHitlRouteActor,
+} from "#api/hitl-route-helpers.js";
+import { isParseError, parseBody, parseQuery } from "#api/parse.js";
 import { updateMenuBody } from "#api/schemas.js";
+import {
+	logMenuActivity,
+	menuApiRouteSource,
+	MenuHitlPayloadBuilder,
+	RiskPolicyEvaluator,
+} from "#site-context/index.js";
 
 export const prerender = false;
 
+const updateMenuHitlBody = updateMenuBody.extend({
+	hitlRequestId: z.string().min(1).optional(),
+});
+
+const deleteMenuQuery = z.object({
+	hitlRequestId: z.string().min(1).optional(),
+});
+
 export const GET: APIRoute = async ({ params, locals }) => {
 	const { dineway, user } = locals;
 	const name = params.name!;
@@ -39,25 +59,85 @@ export const PUT: APIRoute = async ({ params, request, locals }) => {
 	if (denied) return denied;
 
 	try {
-		const body = await parseBody(request, updateMenuBody);
+		const body = await parseBody(request, updateMenuHitlBody);
 		if (isParseError(body)) return body;
 
-		const result = await handleMenuUpdate(dineway.db, name, body);
+		const { hitlRequestId, ...menuInput } = body;
+		const actor = resolveHitlRouteActor(locals);
+		const action = await new MenuHitlPayloadBuilder(dineway.db).buildUpdateMenuRequest({
+			name,
+			...menuInput,
+		});
+		const decision = await new RiskPolicyEvaluator({
+			db: dineway.db,
+			handlers: dineway,
+		}).evaluateWorkflowHitl({
+			actor: actor.identity,
+			hitlRequestId,
+			action,
+		});
+		if (!decision.allowed) {
+			const ensured = await ensureWorkflowHitlRouteRequest(dineway.db, locals, decision.action);
+			return hitlRequiredRouteError(decision, ensured);
+		}
+
+		const result = await handleMenuUpdate(dineway.db, name, menuInput);
+		if (!result.success) return unwrapResult(result);
+
+		await logMenuActivity(dineway.db, locals, {
+			action: "updated",
+			menuName: result.data.name,
+			...menuApiRouteSource("updated"),
+			summary: `Updated menu ${result.data.name}`,
+			detail: {
+				label: result.data.label,
+				hitlRequestId: decision.required ? decision.hitlRequest.id : null,
+			},
+		});
 		return unwrapResult(result);
 	} catch (error) {
 		return handleError(error, "Failed to update menu", "MENU_UPDATE_ERROR");
 	}
 };
 
-export const DELETE: APIRoute = async ({ params, locals }) => {
+export const DELETE: APIRoute = async ({ params, request, locals }) => {
 	const { dineway, user } = locals;
 	const name = params.name!;
 
 	const denied = requirePerm(user, "menus:manage");
 	if (denied) return denied;
 
+	const query = parseQuery(new URL(request.url), deleteMenuQuery);
+	if (isParseError(query)) return query;
+
 	try {
+		const actor = resolveHitlRouteActor(locals);
+		const action = await new MenuHitlPayloadBuilder(dineway.db).buildDeleteMenuRequest({ name });
+		const decision = await new RiskPolicyEvaluator({
+			db: dineway.db,
+			handlers: dineway,
+		}).evaluateWorkflowHitl({
+			actor: actor.identity,
+			hitlRequestId: query.hitlRequestId,
+			action,
+		});
+		if (!decision.allowed) {
+			const ensured = await ensureWorkflowHitlRouteRequest(dineway.db, locals, decision.action);
+			return hitlRequiredRouteError(decision, ensured);
+		}
+
 		const result = await handleMenuDelete(dineway.db, name);
+		if (!result.success) return unwrapResult(result);
+
+		await logMenuActivity(dineway.db, locals, {
+			action: "deleted",
+			menuName: name,
+			...menuApiRouteSource("deleted"),
+			summary: `Deleted menu ${name}`,
+			detail: {
+				hitlRequestId: decision.required ? decision.hitlRequest.id : null,
+			},
+		});
 		return unwrapResult(result);
 	} catch (error) {
 		return handleError(error, "Failed to delete menu", "MENU_DELETE_ERROR");