dineway 0.1.4 → 0.1.6

package/dist/{types-D38djUXv.d.mts → types-Cj0KMIZV.d.mts}

@@ -1,4 +1,4 @@
-import { u as FieldType } from "./types-BgQeVaPj.mjs";
+import { m as FieldType } from "./types-BuMDPy5C.mjs";
 import { z } from "astro/zod";
 import { JSX } from "astro/jsx-runtime";
 
@@ -239,6 +239,8 @@ interface ContentItemSeoInput {
 interface ContentItem {
   id: string;
   type: string;
+  slug: string | null;
+  status: string;
   data: Record<string, unknown>;
   /**
    * SEO metadata, populated when the collection has SEO enabled
@@ -247,11 +249,21 @@ interface ContentItem {
   seo?: ContentItemSeo;
   createdAt: string;
   updatedAt: string;
+  publishedAt: string | null;
+  locale: string | null;
+}
+/**
+ * Content filters supported by the plugin content API.
+ */
+interface ContentListWhere {
+  status?: string;
+  locale?: string;
 }
 /**
  * Content list options
  */
 interface ContentListOptions {
+  where?: ContentListWhere;
   limit?: number;
   cursor?: string;
   orderBy?: Record<string, "asc" | "desc">;
@@ -666,6 +678,7 @@ interface ContentHookEvent {
 interface ContentDeleteEvent {
   id: string;
   collection: string;
+  permanent: boolean;
 }
 /**
  * Content publish state change hook event (fired after publish or unpublish)
@@ -790,7 +803,7 @@ interface PageMetadataEvent {
  * link tags with these rel values. Adding "stylesheet", "prefetch", "prerender"
  * etc. would allow sandboxed plugins to inject external resources.
  */
-type PageMetadataLinkRel = "canonical" | "alternate" | "author" | "license" | "site.standard.document";
+type PageMetadataLinkRel = "canonical" | "alternate" | "author" | "license" | "nlweb" | "site.standard.document";
 type PageMetadataContribution = {
   kind: "meta";
   name: string;
@@ -1193,4 +1206,4 @@ interface PluginManifest {
   admin: PluginAdminConfig;
 }
 //#endregion
-export { StandardPluginDefinition as $, PageMetadataHandler as A, PluginManifest as B, MediaUploadEvent as C, PageFragmentHandler as D, PageFragmentEvent as E, PluginAdminPage as F, PublicPageContext as G, PluginStorageConfig as H, PluginCapability as I, ResolvedPlugin as J, RequestMeta as K, PluginContext as L, PagePlacement as M, PluginAdminConfig as N, PageMetadataContribution as O, PluginAdminExports as P, StandardHookHandler as Q, PluginDefinition as R, MediaItem as S, PageFragmentContribution as T, PortableTextBlockConfig as U, PluginRoute as V, PortableTextBlockField as W, RouteContext as X, ResolvedPluginHooks as Y, StandardHookEntry as Z, HookName as _, CommentAfterModerateEvent as a, Element as at, LogAccess as b, CommentBeforeCreateHandler as c, ContentAccess as d, StandardRouteEntry as et, ContentHookEvent as f, HookConfig as g, FieldWidgetConfig as h, CommentAfterCreateHandler as i, isStandardPluginDefinition as it, PageMetadataLinkRel as j, PageMetadataEvent as k, CommentModerateEvent as l, EmailMessage as m, CollectionCommentSettings as n, StorageCollection as nt, CommentAfterModerateHandler as o, CronEvent as p, ResolvedHook as q, CommentAfterCreateEvent as r, StoredComment as rt, CommentBeforeCreateEvent as s, BreadcrumbItem as t, StandardRouteHandler as tt, CommentModerateHandler as u, HttpAccess as v, ModerationDecision as w, MediaAccess as x, KVAccess as y, PluginHooks as z };
+export { StandardHookEntry as $, PageMetadataContribution as A, PluginDefinition as B, MediaAccess as C, PageFragmentContribution as D, ModerationDecision as E, PluginAdminConfig as F, PortableTextBlockConfig as G, PluginManifest as H, PluginAdminExports as I, RequestMeta as J, PortableTextBlockField as K, PluginAdminPage as L, PageMetadataHandler as M, PageMetadataLinkRel as N, PageFragmentEvent as O, PagePlacement as P, RouteContext as Q, PluginCapability as R, LogAccess as S, MediaUploadEvent as T, PluginRoute as U, PluginHooks as V, PluginStorageConfig as W, ResolvedPlugin as X, ResolvedHook as Y, ResolvedPluginHooks as Z, FieldWidgetConfig as _, CommentAfterModerateEvent as a, StoredComment as at, HttpAccess as b, CommentBeforeCreateHandler as c, ContentAccess as d, StandardHookHandler as et, ContentDeleteEvent as f, EmailMessage as g, CronEvent as h, CommentAfterCreateHandler as i, StorageCollection as it, PageMetadataEvent as j, PageFragmentHandler as k, CommentModerateEvent as l, ContentPublishStateChangeEvent as m, CollectionCommentSettings as n, StandardRouteEntry as nt, CommentAfterModerateHandler as o, isStandardPluginDefinition as ot, ContentHookEvent as p, PublicPageContext as q, CommentAfterCreateEvent as r, StandardRouteHandler as rt, CommentBeforeCreateEvent as s, Element as st, BreadcrumbItem as t, StandardPluginDefinition as tt, CommentModerateHandler as u, HookConfig as v, MediaItem as w, KVAccess as x, HookName as y, PluginContext as z };

package/dist/{types-DkvMXalq.d.mts → types-DOrVigru.d.mts}

@@ -170,6 +170,155 @@ interface AuditLogTable {
   details: string | null;
   status: string | null;
 }
+interface SiteActivityLogTable {
+  id: string;
+  actor_type: "user" | "api_token" | "system";
+  actor_id: string;
+  auth_metadata: string | null;
+  action_type: string;
+  subject_type: string;
+  subject_id: string | null;
+  related_subject_type: string | null;
+  related_subject_id: string | null;
+  source_type: "api_route" | "mcp_tool" | "system" | "plugin" | "unknown" | null;
+  source_name: string | null;
+  result_status: Generated<"succeeded" | "pending" | "failed" | "blocked">;
+  scope: string;
+  summary: string;
+  detail: string | null;
+  created_at: Generated<string>;
+}
+interface ContextEntryTable {
+  id: string;
+  scope: string;
+  context_type: string;
+  title: string;
+  body: string;
+  policy_key: string | null;
+  source_activity_id: string | null;
+  created_by_actor_type: "user" | "api_token" | "system";
+  created_by_actor_id: string;
+  created_auth_metadata: string | null;
+  supersedes_id: string | null;
+  version: number;
+  is_current: Generated<number>;
+  valid_until: string | null;
+  reviewed_at: string | null;
+  reviewed_by_actor_type: "user" | "api_token" | "system" | null;
+  reviewed_by_actor_id: string | null;
+  review_note: string | null;
+  created_at: Generated<string>;
+  updated_at: Generated<string>;
+}
+interface ContextTagTable {
+  context_entry_id: string;
+  tag: string;
+}
+interface ReviewRequestTable {
+  id: string;
+  status: Generated<"pending" | "approved" | "rejected">;
+  collection: string;
+  entry_id: string;
+  scope: string;
+  live_revision_id: string | null;
+  draft_revision_id: string | null;
+  reviewed_rev: string;
+  action_type: string;
+  action_hash: string;
+  risk_reason: string | null;
+  review_payload: string;
+  requested_by_actor_type: "user" | "api_token" | "system";
+  requested_by_actor_id: string;
+  requested_auth_metadata: string | null;
+  resolved_by_actor_type: "user" | "api_token" | "system" | null;
+  resolved_by_actor_id: string | null;
+  resolved_auth_metadata: string | null;
+  review_note: string | null;
+  created_at: Generated<string>;
+  updated_at: Generated<string>;
+  resolved_at: string | null;
+}
+interface EntityAliasTable {
+  id: string;
+  entity_type: string;
+  collection_slug: string | null;
+  entity_id: string;
+  alias: string;
+  normalized_alias: string;
+  created_at: Generated<string>;
+}
+interface HandoffSnapshotTable {
+  id: string;
+  scope: string;
+  actor_type: "user" | "api_token" | "system";
+  actor_id: string;
+  auth_metadata: string | null;
+  objective: string;
+  reasoning: string;
+  key_findings: string;
+  touched_objects: string;
+  pending_actions: string;
+  tool_evidence: string;
+  confidence: number | null;
+  handoff_kind: "pause" | "review_request" | "assignment";
+  reference_type: "review_request" | "assignment" | null;
+  reference_id: string | null;
+  created_at: Generated<string>;
+  resumed_at: string | null;
+}
+interface AssignmentTable {
+  id: string;
+  scope: string;
+  assignment_type: string;
+  status: Generated<"pending" | "accepted" | "in_progress" | "blocked" | "completed" | "declined" | "cancelled">;
+  priority: Generated<"low" | "normal" | "high" | "urgent">;
+  title: string;
+  summary: string | null;
+  details: string | null;
+  assigned_by_actor_type: "user" | "api_token" | "system";
+  assigned_by_actor_id: string;
+  assigned_to_actor_type: "user" | "api_token" | "system" | null;
+  assigned_to_actor_id: string | null;
+  metadata: string;
+  related_handoff_snapshot_id: string | null;
+  related_hitl_request_id: string | null;
+  due_at: string | null;
+  created_at: Generated<string>;
+  updated_at: Generated<string>;
+  accepted_at: string | null;
+  started_at: string | null;
+  blocked_at: string | null;
+  completed_at: string | null;
+  declined_at: string | null;
+  cancelled_at: string | null;
+}
+interface HitlRequestTable {
+  id: string;
+  scope: string;
+  action_type: string;
+  status: Generated<"pending" | "approved" | "rejected">;
+  priority: Generated<"low" | "normal" | "high" | "urgent">;
+  title: string;
+  summary: string | null;
+  risk_reason: string;
+  review_payload: string;
+  target_ref_type: string;
+  target_ref_id: string;
+  requested_by_actor_type: "user" | "api_token" | "system";
+  requested_by_actor_id: string;
+  requested_auth_metadata: string | null;
+  resolved_by_actor_type: "user" | "api_token" | "system" | null;
+  resolved_by_actor_id: string | null;
+  resolved_auth_metadata: string | null;
+  review_note: string | null;
+  metadata: string;
+  related_assignment_id: string | null;
+  related_handoff_snapshot_id: string | null;
+  sla_due_at: string | null;
+  created_at: Generated<string>;
+  updated_at: Generated<string>;
+  resolved_at: string | null;
+}
 interface MigrationTable {
   name: string;
   timestamp: string;
@@ -348,6 +497,14 @@ interface Database {
   auth_challenges: AuthChallengeTable;
   options: OptionTable;
   audit_logs: AuditLogTable;
+  _dineway_activity_log: SiteActivityLogTable;
+  _dineway_context_entries: ContextEntryTable;
+  _dineway_context_tags: ContextTagTable;
+  _dineway_review_requests: ReviewRequestTable;
+  _dineway_entity_aliases: EntityAliasTable;
+  _dineway_handoff_snapshots: HandoffSnapshotTable;
+  _dineway_assignments: AssignmentTable;
+  _dineway_hitl_requests: HitlRequestTable;
   _dineway_migrations: MigrationTable;
   _dineway_collections: CollectionTable;
   _dineway_fields: FieldTable;
@@ -393,6 +550,8 @@ interface NotFoundLogTable {
   referrer: string | null;
   user_agent: string | null;
   ip: string | null;
+  hits: number;
+  last_seen_at: string | null;
   created_at: string;
 }
 interface BylineTable {

package/dist/{validate-CXnRKfJK.mjs → validate-BZ5wnLLp.mjs}

@@ -1,5 +1,5 @@
 import { t as __exportAll } from "./chunk-ClPoSABd.mjs";
-import { t as FIELD_TYPES } from "./types-DuNbGKjF.mjs";
+import { t as FIELD_TYPES } from "./types-COeOq9nK.mjs";
 
 //#region src/seed/validate.ts
 /**
@@ -59,6 +59,7 @@ function validateSeed(data) {
 				collectionSlugs.add(collection.slug);
 			}
 			if (!collection.label) errors.push(`${prefix}: label is required`);
+			if (collection.urlPattern && !collection.urlPattern.includes("{slug}")) errors.push(`${prefix}.urlPattern: must include a {slug} placeholder`);
 			if (!Array.isArray(collection.fields)) errors.push(`${prefix}.fields: must be an array`);
 			else {
 				const fieldSlugs = /* @__PURE__ */ new Set();

package/dist/{validate-DVKJJ-M_.d.mts → validate-IPf8n4Fj.d.mts}

@@ -1,55 +1,8 @@
-import { t as Database } from "./types-DkvMXalq.mjs";
-import { u as FieldType } from "./types-BgQeVaPj.mjs";
-import { d as Storage } from "./types-ju-_ORz7.mjs";
+import { t as Database } from "./types-DOrVigru.mjs";
+import { i as SiteSettings, m as FieldType } from "./types-BuMDPy5C.mjs";
+import { d as Storage } from "./types-CWbdtiux.mjs";
 import { Kysely } from "kysely";
 
-//#region src/settings/types.d.ts
-/**
- * Site Settings Types
- *
- * Global configuration for the site (title, logo, social links, etc.)
- */
-/** Media reference for logo/favicon */
-interface MediaReference {
-  mediaId: string;
-  alt?: string;
-}
-/** Site-level SEO settings */
-interface SeoSettings {
-  /** Separator between page title and site title (e.g., " | ", " — ") */
-  titleSeparator?: string;
-  /** Default OG image when content has no seo_image */
-  defaultOgImage?: MediaReference;
-  /** Custom robots.txt content. If unset, a default is generated. */
-  robotsTxt?: string;
-  /** Google Search Console verification meta tag content */
-  googleVerification?: string;
-  /** Bing Webmaster Tools verification meta tag content */
-  bingVerification?: string;
-}
-/** Site settings schema */
-interface SiteSettings {
-  title: string;
-  tagline?: string;
-  logo?: MediaReference;
-  favicon?: MediaReference;
-  url?: string;
-  postsPerPage: number;
-  dateFormat: string;
-  timezone: string;
-  social?: {
-    twitter?: string;
-    github?: string;
-    facebook?: string;
-    instagram?: string;
-    linkedin?: string;
-    youtube?: string;
-  };
-  seo?: SeoSettings;
-}
-/** Keys that are valid site settings */
-type SiteSettingKey = keyof SiteSettings;
-//#endregion
 //#region src/seed/types.d.ts
 /**
  * Root seed file structure
@@ -374,4 +327,4 @@ declare function loadUserSeed(): Promise<SeedFile | null>;
  */
 declare function validateSeed(data: unknown): ValidationResult;
 //#endregion
-export { SiteSettingKey as C, SeoSettings as S, SeedTaxonomyTerm as _, applySeed as a, ValidationResult as b, SeedCollection as c, SeedFile as d, SeedMenu as f, SeedTaxonomy as g, SeedSection as h, defaultSeed as i, SeedContentEntry as l, SeedRedirect as m, loadSeed as n, SeedApplyOptions as o, SeedMenuItem as p, loadUserSeed as r, SeedApplyResult as s, validateSeed as t, SeedField as u, SeedWidget as v, SiteSettings as w, MediaReference as x, SeedWidgetArea as y };
+export { SeedTaxonomyTerm as _, applySeed as a, ValidationResult as b, SeedCollection as c, SeedFile as d, SeedMenu as f, SeedTaxonomy as g, SeedSection as h, defaultSeed as i, SeedContentEntry as l, SeedRedirect as m, loadSeed as n, SeedApplyOptions as o, SeedMenuItem as p, loadUserSeed as r, SeedApplyResult as s, validateSeed as t, SeedField as u, SeedWidget as v, SeedWidgetArea as y };

package/dist/{validate-CqRJb_xU.mjs → validate-VPnKoIzW.mjs}

@@ -61,16 +61,6 @@ function validateIdentifier(value, label = "identifier") {
 	if (!IDENTIFIER_PATTERN.test(value)) throw new IdentifierError(`${label} must match /^[a-z][a-z0-9_]*$/ (got "${value}")`, value);
 }
 /**
-* Validate that a string is a safe SQL identifier, allowing hyphens.
-*
-* Like `validateIdentifier` but also permits hyphens, which appear in
-* plugin IDs (e.g., "my-plugin"). Matches `/^[a-z][a-z0-9_-]*$/`.
-*
-* @param value - The string to validate
-* @param label - Human-readable label for error messages
-* @throws {IdentifierError} If the value is not valid
-*/
-/**
 * Validate that a string is a safe JSON field name for use in json_extract paths.
 *
 * More permissive than `validateIdentifier` — allows camelCase (mixed case)
@@ -86,6 +76,16 @@ function validateJsonFieldName(value, label = "JSON field name") {
 	if (value.length > MAX_IDENTIFIER_LENGTH) throw new IdentifierError(`${label} must be ${MAX_IDENTIFIER_LENGTH} characters or less, got ${value.length}`, value);
 	if (!GENERIC_IDENTIFIER_PATTERN.test(value)) throw new IdentifierError(`${label} must match /^[a-zA-Z][a-zA-Z0-9_]*$/ (got "${value}")`, value);
 }
+/**
+* Validate that a string is a safe SQL identifier, allowing hyphens.
+*
+* Like `validateIdentifier` but also permits hyphens, which appear in
+* plugin IDs (e.g., "my-plugin"). Matches `/^[a-z][a-z0-9_-]*$/`.
+*
+* @param value - The string to validate
+* @param label - Human-readable label for error messages
+* @throws {IdentifierError} If the value is not valid
+*/
 function validatePluginIdentifier(value, label = "plugin identifier") {
 	if (!value || typeof value !== "string") throw new IdentifierError(`${label} must be a non-empty string`, String(value));
 	if (value.length > MAX_IDENTIFIER_LENGTH) throw new IdentifierError(`${label} must be ${MAX_IDENTIFIER_LENGTH} characters or less, got ${value.length}`, value);

package/dist/version-hmtC3Cmv.mjs

@@ -0,0 +1,6 @@
+//#region src/version.ts
+const VERSION = "0.1.6";
+const COMMIT = "e16302a0";
+
+//#endregion
+export { VERSION as n, COMMIT as t };

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "dineway",
-  "version": "0.1.4",
-  "description": "Agentic Web builder with WordPress migration support",
+  "version": "0.1.6",
+  "description": "Agentic Website builder for restaurants — structured content meets AI via the Model Context Protocol",
   "type": "module",
   "main": "dist/index.mjs",
   "types": "dist/index.d.mts",
@@ -87,6 +87,10 @@
       "types": "./dist/request-context.d.mts",
       "default": "./dist/request-context.mjs"
     },
+    "./database/instrumentation": {
+      "types": "./dist/database/instrumentation.d.mts",
+      "default": "./dist/database/instrumentation.mjs"
+    },
     "./seed": {
       "types": "./dist/seed/index.d.mts",
       "default": "./dist/seed/index.mjs"
@@ -128,8 +132,11 @@
     "#api/*": "./src/api/*",
     "#db/*": "./src/database/*",
     "#auth/*": "./src/auth/*",
+    "#bylines/*": "./src/bylines/*",
+    "#taxonomies/*": "./src/taxonomies/*",
     "#schema/*": "./src/schema/*",
     "#search/*": "./src/search/*",
+    "#redirects/*": "./src/redirects/*",
     "#sections/*": "./src/sections/*",
     "#menus/*": "./src/menus/*",
     "#widgets/*": "./src/widgets/*",
@@ -143,6 +150,7 @@
     "#media/*": "./src/media/*",
     "#mcp/*": "./src/mcp/*",
     "#comments/*": "./src/comments/*",
+    "#site-context/*": "./src/site-context/*",
     "#types": "./src/astro/types.js"
   },
   "typesVersions": {
@@ -227,25 +235,38 @@
       ]
     }
   },
+  "scripts": {
+    "build": "tsdown",
+    "dev": "tsdown --watch",
+    "prepublishOnly": "node --run build",
+    "typecheck": "tsgo --noEmit",
+    "check": "publint && attw --pack --ignore-rules=cjs-resolves-to-esm --ignore-rules=no-resolution --ignore-rules=internal-resolution-error",
+    "test": "vitest",
+    "test:smoke": "vitest run --config vitest.smoke.config.ts",
+    "test:integration": "vitest run --config vitest.integration.config.ts"
+  },
   "dependencies": {
+    "@dineway-ai/admin": "workspace:*",
+    "@dineway-ai/auth": "workspace:*",
+    "@dineway-ai/gutenberg-to-portable-text": "workspace:*",
     "@floating-ui/react": "^0.27.16",
     "@modelcontextprotocol/sdk": "^1.26.0",
     "@portabletext/toolkit": "^5.0.1",
-    "@tiptap/core": "^3.20.0",
-    "@tiptap/extension-focus": "^3.20.0",
-    "@tiptap/extension-image": "^3.20.0",
-    "@tiptap/extension-link": "^3.20.0",
-    "@tiptap/extension-placeholder": "^3.20.0",
-    "@tiptap/extension-text-align": "^3.20.0",
-    "@tiptap/extension-typography": "^3.20.0",
-    "@tiptap/extension-underline": "^3.20.0",
-    "@tiptap/react": "^3.20.0",
-    "@tiptap/starter-kit": "^3.20.0",
-    "@tiptap/suggestion": "^3.20.0",
+    "@tiptap/core": "catalog:",
+    "@tiptap/extension-focus": "catalog:",
+    "@tiptap/extension-image": "catalog:",
+    "@tiptap/extension-link": "catalog:",
+    "@tiptap/extension-placeholder": "catalog:",
+    "@tiptap/extension-text-align": "catalog:",
+    "@tiptap/extension-typography": "catalog:",
+    "@tiptap/extension-underline": "catalog:",
+    "@tiptap/react": "catalog:",
+    "@tiptap/starter-kit": "catalog:",
+    "@tiptap/suggestion": "catalog:",
     "@unpic/placeholder": "^0.1.2",
     "arctic": "^3.7.0",
     "astro-portabletext": "^0.11.0",
-    "better-sqlite3": "^12.8.0",
+    "better-sqlite3": "catalog:",
     "blurhash": "^2.0.5",
     "citty": "^0.1.6",
     "consola": "^3.4.2",
@@ -261,10 +282,7 @@
     "sax": "^1.4.1",
     "ulidx": "^2.4.1",
     "upng-js": "^2.1.0",
-    "zod": "^4.3.5",
-    "@dineway-ai/auth": "0.1.3",
-    "@dineway-ai/admin": "0.1.3",
-    "@dineway-ai/gutenberg-to-portable-text": "0.1.3"
+    "zod": "^4.3.5"
   },
   "optionalDependencies": {
     "@libsql/kysely-libsql": "^0.4.0",
@@ -280,7 +298,8 @@
   },
   "devDependencies": {
     "@apidevtools/swagger-parser": "^12.1.0",
-    "@arethetypeswrong/cli": "^0.18.2",
+    "@arethetypeswrong/cli": "catalog:",
+    "@dineway-ai/blocks": "workspace:*",
     "@rivet-dev/agent-os-common": "^0.0.260331072558",
     "@rivet-dev/agent-os-core": "^0.1.1",
     "@types/better-sqlite3": "^7.6.12",
@@ -288,29 +307,21 @@
     "@types/sanitize-html": "^2.16.0",
     "@types/sax": "^1.2.7",
     "@vitest/ui": "^4.0.17",
-    "publint": "0.3.17",
-    "tsdown": "0.20.3",
-    "typescript": "^5.9.3",
+    "publint": "catalog:",
+    "tsdown": "catalog:",
+    "typescript": "catalog:",
     "vite": "^6.0.0",
-    "vitest": "^4.0.18",
-    "zod-openapi": "^5.4.6",
-    "@dineway-ai/blocks": "0.1.3"
+    "vitest": "catalog:",
+    "zod-openapi": "^5.4.6"
   },
   "keywords": [
     "astro",
-    "cms",
+    "restaurant",
+    "agentic",
+    "mcp",
     "content",
-    "wordpress"
+    "cms"
   ],
   "author": "Matt Kane",
-  "license": "MIT",
-  "scripts": {
-    "build": "tsdown",
-    "dev": "tsdown --watch",
-    "typecheck": "tsgo --noEmit",
-    "check": "publint && attw --pack --ignore-rules=cjs-resolves-to-esm --ignore-rules=no-resolution --ignore-rules=internal-resolution-error",
-    "test": "vitest",
-    "test:smoke": "vitest run --config vitest.smoke.config.ts",
-    "test:integration": "vitest run --config vitest.integration.config.ts"
-  }
-}
+  "license": "MIT"
+}

package/src/astro/routes/admin.astro

@@ -9,24 +9,38 @@ import "@dineway-ai/admin/styles.css";
 // Use package-qualified import so Astro generates a proper module URL
 // (relative imports resolve to absolute paths which break client hydration)
 import AdminWrapper from "dineway/routes/PluginRegistry";
+import { Font } from "astro:assets";
 
 export const prerender = false;
 
-import { resolveLocale } from "@dineway-ai/admin/locales";
+import { getLocaleDir, loadMessages, resolveLocale } from "@dineway-ai/admin/locales";
 
 const resolvedLocale = resolveLocale(Astro.request);
-const { messages } = await import(`@dineway-ai/admin/locales/${resolvedLocale}/messages.mjs`);
+const resolvedDir = getLocaleDir(resolvedLocale);
+const messages = await loadMessages(resolvedLocale);
+const adminConfig = Astro.locals.dineway?.config.admin;
+const pageTitle = adminConfig?.siteName ? `${adminConfig.siteName} Admin` : "Dineway Admin";
+const loadingLabel = adminConfig?.siteName
+	? `Loading ${adminConfig.siteName}...`
+	: "Loading Dineway...";
 ---
 
 <!doctype html>
-<html lang={resolvedLocale}>
+<html lang={resolvedLocale} dir={resolvedDir}>
 	<head>
 		<meta charset="UTF-8" />
 		<meta name="viewport" content="width=device-width, initial-scale=1.0" />
-		<link rel="icon" href="/favicon.svg" />
-		<title>Dineway Admin</title>
+		<Font cssVariable="--font-dineway" />
+		{
+			adminConfig?.favicon ? (
+				<link rel="icon" href={adminConfig.favicon} />
+			) : (
+				<link rel="icon" href="/favicon.svg" />
+			)
+		}
+		<title>{pageTitle}</title>
 	</head>
-	<body>
+	<body class="isolate">
 		<div id="admin-root" class="min-h-screen">
 			<div id="dineway-boot-loader">
 				<style>
@@ -59,10 +73,12 @@ const { messages } = await import(`@dineway-ai/admin/locales/${resolvedLocale}/m
 					}
 					#dineway-boot-loader p {
 						margin-top: 1rem;
-						font-family:
+						font-family: var(
+							--font-dineway,
 							system-ui,
 							-apple-system,
-							sans-serif;
+							sans-serif
+						);
 						font-size: 0.875rem;
 						color: light-dark(hsl(215.4 16.3% 46.9%), hsl(215 20.2% 65.1%));
 					}
@@ -74,7 +90,7 @@ const { messages } = await import(`@dineway-ai/admin/locales/${resolvedLocale}/m
 				</style>
 				<div class="loader-inner">
 					<div class="spinner"></div>
-					<p>Loading Dineway...</p>
+					<p>{loadingLabel}</p>
 				</div>
 			</div>
 			<AdminWrapper client:only="react" locale={resolvedLocale} messages={messages} />

package/src/astro/routes/api/admin/api-tokens/[id].ts

@@ -7,6 +7,7 @@
 import { Role } from "@dineway-ai/auth";
 import type { APIRoute } from "astro";
 
+import { rejectApiTokenAuthControlWrite } from "#api/auth-control-guard.js";
 import { apiError, handleError, unwrapResult } from "#api/error.js";
 import { handleApiTokenRevoke } from "#api/handlers/api-tokens.js";
 
@@ -26,6 +27,9 @@ export const DELETE: APIRoute = async ({ params, locals }) => {
 		return apiError("FORBIDDEN", "Admin privileges required", 403);
 	}
 
+	const credentialGuard = rejectApiTokenAuthControlWrite(locals, "api_tokens");
+	if (credentialGuard) return credentialGuard;
+
 	const tokenId = params.id;
 	if (!tokenId) {
 		return apiError("VALIDATION_ERROR", "Token ID is required", 400);

package/src/astro/routes/api/admin/api-tokens/index.ts

@@ -9,16 +9,22 @@ import { Role } from "@dineway-ai/auth";
 import type { APIRoute } from "astro";
 import { z } from "zod";
 
+import { rejectApiTokenAuthControlWrite } from "#api/auth-control-guard.js";
 import { apiError, handleError, unwrapResult } from "#api/error.js";
 import { handleApiTokenCreate, handleApiTokenList } from "#api/handlers/api-tokens.js";
 import { isParseError, parseBody } from "#api/parse.js";
-import { VALID_SCOPES } from "#auth/api-tokens.js";
+import { ALL_VALID_SCOPES } from "#auth/api-tokens.js";
+import {
+	experimentalSiteContextWorkflowsEnabled,
+	getExperimentalSiteContextWorkflowsDisabledMessage,
+	requestedExperimentalSiteContextWorkflowScopes,
+} from "#site-context/experimental-workflows.js";
 
 export const prerender = false;
 
 const createTokenSchema = z.object({
 	name: z.string().min(1).max(100),
-	scopes: z.array(z.enum(VALID_SCOPES)).min(1),
+	scopes: z.array(z.enum(ALL_VALID_SCOPES)).min(1),
 	expiresAt: z.string().datetime().optional(),
 });
 
@@ -56,9 +62,25 @@ export const POST: APIRoute = async ({ request, locals }) => {
 		return apiError("FORBIDDEN", "Admin privileges required", 403);
 	}
 
+	const credentialGuard = rejectApiTokenAuthControlWrite(locals, "api_tokens");
+	if (credentialGuard) return credentialGuard;
+
 	try {
 		const body = await parseBody(request, createTokenSchema);
 		if (isParseError(body)) return body;
+		const requestedWorkflowScopes = requestedExperimentalSiteContextWorkflowScopes(body.scopes);
+		if (requestedWorkflowScopes.length > 0 && !experimentalSiteContextWorkflowsEnabled()) {
+			return apiError(
+				"NOT_IMPLEMENTED",
+				getExperimentalSiteContextWorkflowsDisabledMessage(),
+				501,
+				{
+					status: "workflow_token_scopes_disabled",
+					reason: "workflow_token_scopes_disabled",
+					scopes: requestedWorkflowScopes,
+				},
+			);
+		}
 
 		const result = await handleApiTokenCreate(dineway.db, user.id, body);
 		return unwrapResult(result, 201);