dineway 0.1.4 → 0.1.6

package/dist/astro/index.mjs

@@ -1,7 +1,9 @@
-import { t as defaultSeed } from "../default-WYlzADZL.mjs";
+import { n as VERSION, t as COMMIT } from "../version-hmtC3Cmv.mjs";
+import { t as defaultSeed } from "../default-VjJyuuG9.mjs";
 import { createRequire } from "node:module";
 import { existsSync, readFileSync } from "node:fs";
 import { dirname, resolve } from "node:path";
+import { fontProviders } from "astro/config";
 import { fileURLToPath } from "node:url";
 
 //#region src/astro/storage/adapters.ts
@@ -9,19 +11,28 @@ import { fileURLToPath } from "node:url";
 * S3-compatible storage adapter
 *
 * Works with AWS S3, MinIO, and other S3-compatible object stores.
+* Any omitted field is resolved from the matching `S3_*` environment
+* variable when the Node process starts. Explicit values take precedence.
 *
 * @example
 * ```ts
+* // All fields from runtime env
+* storage: s3()
+*
+* // Mix explicit CDN config with endpoint/bucket/credentials from env
+* storage: s3({ publicUrl: "https://cdn.example.com" })
+*
+* // All explicit values
 * storage: s3({
 *   endpoint: process.env.S3_ENDPOINT!,
 *   bucket: "media",
-*   accessKeyId: process.env.S3_ACCESS_KEY_ID!,
-*   secretAccessKey: process.env.S3_SECRET_ACCESS_KEY!,
+*   accessKeyId: process.env.S3_ACCESS_KEY_ID,
+*   secretAccessKey: process.env.S3_SECRET_ACCESS_KEY,
 *   publicUrl: "https://cdn.example.com", // optional CDN
 * })
 * ```
 */
-function s3(config) {
+function s3(config = {}) {
 	return {
 		entrypoint: "dineway/storage/s3",
 		config
@@ -48,6 +59,118 @@ function local(config) {
 	};
 }
 
+//#endregion
+//#region src/astro/integration/font-provider.ts
+/**
+* Dineway Noto Sans font provider.
+*
+* Wraps Google Fonts so the base Noto Sans family and optional
+* script-specific Noto Sans families share one logical font entry.
+* The browser then chooses the right file per character via unicode-range.
+*/
+/**
+* All subset names used by Google Fonts CSS responses.
+* Passed when resolving extra script families so the unifont provider does
+* not filter out faces for those families.
+*/
+const ALL_GOOGLE_SUBSETS = [
+	"arabic",
+	"armenian",
+	"bengali",
+	"chinese-simplified",
+	"chinese-traditional",
+	"chinese-hongkong",
+	"cyrillic",
+	"cyrillic-ext",
+	"devanagari",
+	"ethiopic",
+	"farsi",
+	"georgian",
+	"greek",
+	"greek-ext",
+	"gujarati",
+	"gurmukhi",
+	"hebrew",
+	"japanese",
+	"kannada",
+	"khmer",
+	"korean",
+	"lao",
+	"latin",
+	"latin-ext",
+	"malayalam",
+	"math",
+	"myanmar",
+	"oriya",
+	"sinhala",
+	"symbols",
+	"tamil",
+	"telugu",
+	"thai",
+	"tibetan",
+	"vietnamese"
+];
+/**
+* Known Noto Sans and compatible script families on Google Fonts.
+*/
+const NOTO_SCRIPT_FAMILIES = {
+	arabic: "Noto Sans Arabic",
+	armenian: "Noto Sans Armenian",
+	bengali: "Noto Sans Bengali",
+	"chinese-simplified": "Noto Sans SC",
+	"chinese-traditional": "Noto Sans TC",
+	"chinese-hongkong": "Noto Sans HK",
+	devanagari: "Noto Sans Devanagari",
+	ethiopic: "Noto Sans Ethiopic",
+	farsi: "Vazirmatn",
+	georgian: "Noto Sans Georgian",
+	gujarati: "Noto Sans Gujarati",
+	gurmukhi: "Noto Sans Gurmukhi",
+	hebrew: "Noto Sans Hebrew",
+	japanese: "Noto Sans JP",
+	kannada: "Noto Sans Kannada",
+	khmer: "Noto Sans Khmer",
+	korean: "Noto Sans KR",
+	lao: "Noto Sans Lao",
+	malayalam: "Noto Sans Malayalam",
+	myanmar: "Noto Sans Myanmar",
+	oriya: "Noto Sans Oriya",
+	sinhala: "Noto Sans Sinhala",
+	tamil: "Noto Sans Tamil",
+	telugu: "Noto Sans Telugu",
+	thai: "Noto Sans Thai",
+	tibetan: "Noto Sans Tibetan"
+};
+function notoSans(options) {
+	const googleProvider = fontProviders.google();
+	return {
+		name: "dineway-noto",
+		async init(context) {
+			await googleProvider.init?.(context);
+		},
+		async resolveFont(resolveFontOptions) {
+			const base = await googleProvider.resolveFont(resolveFontOptions);
+			const baseFonts = base?.fonts ?? [];
+			if (!options?.scripts?.length) return base;
+			const baseSubsets = new Set(baseFonts.map((font) => font.meta?.subset).filter(Boolean));
+			const extraFaces = (await Promise.all(options.scripts.map(async (script) => {
+				const family = NOTO_SCRIPT_FAMILIES[script];
+				if (!family) {
+					if (ALL_GOOGLE_SUBSETS.includes(script)) return;
+					console.warn(`[dineway] Unknown Noto Sans script "${script}". Available: ${Object.keys(NOTO_SCRIPT_FAMILIES).join(", ")}`);
+					return;
+				}
+				return googleProvider.resolveFont({
+					...resolveFontOptions,
+					familyName: family,
+					subsets: ALL_GOOGLE_SUBSETS
+				});
+			}))).flatMap((result) => (result?.fonts ?? []).filter((font) => !font.meta?.subset || !baseSubsets.has(font.meta.subset)));
+			return { fonts: [...baseFonts, ...extraFaces] };
+		}
+	};
+}
+
 //#endregion
 //#region src/astro/integration/routes.ts
 /**
@@ -84,6 +207,10 @@ function injectCoreRoutes(injectRoute) {
 		pattern: "/_dineway/api/dashboard",
 		entrypoint: resolveRoute("api/dashboard.ts")
 	});
+	injectRoute({
+		pattern: "/_dineway/api/health",
+		entrypoint: resolveRoute("api/health.ts")
+	});
 	injectRoute({
 		pattern: "/_dineway/api/content/[collection]",
 		entrypoint: resolveRoute("api/content/[collection]/index.ts")
@@ -360,6 +487,62 @@ function injectCoreRoutes(injectRoute) {
 		pattern: "/_dineway/api/admin/bylines/[id]",
 		entrypoint: resolveRoute("api/admin/bylines/[id]/index.ts")
 	});
+	injectRoute({
+		pattern: "/_dineway/api/admin/briefing",
+		entrypoint: resolveRoute("api/admin/briefing.ts")
+	});
+	injectRoute({
+		pattern: "/_dineway/api/admin/review-requests",
+		entrypoint: resolveRoute("api/admin/review-requests/index.ts")
+	});
+	injectRoute({
+		pattern: "/_dineway/api/admin/review-requests/[id]",
+		entrypoint: resolveRoute("api/admin/review-requests/[id]/index.ts")
+	});
+	injectRoute({
+		pattern: "/_dineway/api/admin/review-requests/[id]/resolve",
+		entrypoint: resolveRoute("api/admin/review-requests/[id]/resolve.ts")
+	});
+	injectRoute({
+		pattern: "/_dineway/api/admin/hitl-requests",
+		entrypoint: resolveRoute("api/admin/hitl-requests/index.ts")
+	});
+	injectRoute({
+		pattern: "/_dineway/api/admin/hitl-requests/[id]",
+		entrypoint: resolveRoute("api/admin/hitl-requests/[id]/index.ts")
+	});
+	injectRoute({
+		pattern: "/_dineway/api/admin/hitl-requests/[id]/resolve",
+		entrypoint: resolveRoute("api/admin/hitl-requests/[id]/resolve.ts")
+	});
+	injectRoute({
+		pattern: "/_dineway/api/admin/context",
+		entrypoint: resolveRoute("api/admin/context/index.ts")
+	});
+	injectRoute({
+		pattern: "/_dineway/api/admin/context/stale",
+		entrypoint: resolveRoute("api/admin/context/stale.ts")
+	});
+	injectRoute({
+		pattern: "/_dineway/api/admin/context/diff",
+		entrypoint: resolveRoute("api/admin/context/diff.ts")
+	});
+	injectRoute({
+		pattern: "/_dineway/api/admin/context/[id]",
+		entrypoint: resolveRoute("api/admin/context/[id]/index.ts")
+	});
+	injectRoute({
+		pattern: "/_dineway/api/admin/context/[id]/history",
+		entrypoint: resolveRoute("api/admin/context/[id]/history.ts")
+	});
+	injectRoute({
+		pattern: "/_dineway/api/admin/context/[id]/supersede",
+		entrypoint: resolveRoute("api/admin/context/[id]/supersede.ts")
+	});
+	injectRoute({
+		pattern: "/_dineway/api/admin/context/[id]/review",
+		entrypoint: resolveRoute("api/admin/context/[id]/review.ts")
+	});
 	injectRoute({
 		pattern: "/_dineway/api/admin/users/[id]",
 		entrypoint: resolveRoute("api/admin/users/[id]/index.ts")
@@ -420,6 +603,10 @@ function injectCoreRoutes(injectRoute) {
 		pattern: "/_dineway/api/oauth/token",
 		entrypoint: resolveRoute("api/oauth/token.ts")
 	});
+	injectRoute({
+		pattern: "/_dineway/api/oauth/register",
+		entrypoint: resolveRoute("api/oauth/register.ts")
+	});
 	injectRoute({
 		pattern: "/_dineway/oauth/authorize",
 		entrypoint: resolveRoute("api/oauth/authorize.ts")
@@ -429,7 +616,7 @@ function injectCoreRoutes(injectRoute) {
 		entrypoint: resolveRoute("api/well-known/oauth-protected-resource.ts")
 	});
 	injectRoute({
-		pattern: "/_dineway/.well-known/oauth-authorization-server",
+		pattern: "/.well-known/oauth-authorization-server/_dineway",
 		entrypoint: resolveRoute("api/well-known/oauth-authorization-server.ts")
 	});
 	injectRoute({
@@ -591,7 +778,7 @@ function injectCoreRoutes(injectRoute) {
 }
 /**
 * Injects the MCP (Model Context Protocol) server route.
-* Only injected when `mcp: true` is set in the Dineway config.
+* Injected by default unless `mcp: false` is set in the Dineway config.
 */
 function injectMcpRoute(injectRoute) {
 	injectRoute({
@@ -640,6 +827,10 @@ function injectBuiltinAuthRoutes(injectRoute) {
 		pattern: "/_dineway/api/auth/invite/accept",
 		entrypoint: resolveRoute("api/auth/invite/accept.ts")
 	});
+	injectRoute({
+		pattern: "/_dineway/api/auth/invite/register-options",
+		entrypoint: resolveRoute("api/auth/invite/register-options.ts")
+	});
 	injectRoute({
 		pattern: "/_dineway/api/auth/invite/complete",
 		entrypoint: resolveRoute("api/auth/invite/complete.ts")
@@ -1106,10 +1297,16 @@ const NODE_NATIVE_EXTERNALS = [
 */
 function createViteConfig(options, command) {
 	const adminDistPath = resolveAdminDist();
-	const adminSourcePath = command === "dev" ? resolveAdminSource() : void 0;
+	const isDev = command === "dev";
+	const adminSourcePath = isDev ? resolveAdminSource() : void 0;
 	const useSource = adminSourcePath !== void 0;
 	const devPlugins = adminSourcePath ? [linguiMacroPlugin(adminSourcePath, adminDistPath)] : [];
 	return {
+		define: {
+			__DINEWAY_VERSION__: JSON.stringify(VERSION),
+			__DINEWAY_COMMIT__: JSON.stringify(COMMIT),
+			__DINEWAY_PSEUDO_LOCALE__: JSON.stringify(isDev && process.env["DINEWAY_PSEUDO_LOCALE"] === "1")
+		},
 		resolve: {
 			dedupe: [
 				"@dineway-ai/admin",
@@ -1219,7 +1416,10 @@ function dineway(config = {}) {
 		storage: resolvedConfig.storage,
 		auth: resolvedConfig.auth,
 		marketplace: resolvedConfig.marketplace,
-		siteUrl: resolvedConfig.siteUrl
+		maxUploadSize: resolvedConfig.maxUploadSize,
+		admin: resolvedConfig.admin,
+		siteUrl: resolvedConfig.siteUrl,
+		trustedProxyHeaders: resolvedConfig.trustedProxyHeaders
 	};
 	const useExternalAuth = !!(resolvedConfig.auth && "entrypoint" in resolvedConfig.auth);
 	return {
@@ -1236,11 +1436,36 @@ function dineway(config = {}) {
 						prefixDefaultLocale: typeof routing === "object" ? routing.prefixDefaultLocale ?? false : false
 					};
 				}
+				const securityConfig = {
+					checkOrigin: false,
+					...resolvedConfig.siteUrl ? { allowedDomains: [{ hostname: new URL(resolvedConfig.siteUrl).hostname }] } : {}
+				};
+				const fontsConfig = resolvedConfig.fonts;
+				const fontScripts = fontsConfig && typeof fontsConfig === "object" ? fontsConfig.scripts : void 0;
 				updateConfig({
-					security: {
-						checkOrigin: false,
-						...resolvedConfig.siteUrl ? { allowedDomains: [{ hostname: new URL(resolvedConfig.siteUrl).hostname }] } : {}
-					},
+					security: securityConfig,
+					fonts: fontsConfig === false ? [] : [{
+						provider: notoSans({ scripts: fontScripts }),
+						name: "Noto Sans",
+						cssVariable: "--font-dineway",
+						weights: ["100 900"],
+						styles: ["normal", "italic"],
+						subsets: [
+							"latin",
+							"latin-ext",
+							"cyrillic",
+							"cyrillic-ext",
+							"devanagari",
+							"greek",
+							"greek-ext",
+							"vietnamese"
+						],
+						fallbacks: [
+							"ui-sans-serif",
+							"system-ui",
+							"sans-serif"
+						]
+					}],
 					vite: createViteConfig({
 						serializableConfig,
 						resolvedConfig,
@@ -1250,10 +1475,7 @@ function dineway(config = {}) {
 				});
 				injectCoreRoutes(injectRoute);
 				if (!useExternalAuth) injectBuiltinAuthRoutes(injectRoute);
-				if (resolvedConfig.mcp) {
-					injectMcpRoute(injectRoute);
-					logger.info("MCP server enabled at /_dineway/api/mcp");
-				}
+				if (resolvedConfig.mcp !== false) injectMcpRoute(injectRoute);
 				if (resolvedConfig.playground) addMiddleware({
 					entrypoint: resolvedConfig.playground.middlewareEntrypoint,
 					order: "pre"

package/dist/astro/middleware/auth.d.mts

@@ -1,12 +1,21 @@
-import "../../types-DkvMXalq.mjs";
-import "../../index-C-jx21qs.mjs";
-import "../../runner-B5l1JfOj.mjs";
-import "../../types-D38djUXv.mjs";
-import "../../validate-DVKJJ-M_.mjs";
+import "../../types-DOrVigru.mjs";
+import "../../index-yvc6E_17.mjs";
+import "../../runner-CFI6B6J2.mjs";
+import "../../types-Cj0KMIZV.mjs";
+import "../../validate-IPf8n4Fj.mjs";
 import { DinewayHandlers, DinewayManifest } from "../types.mjs";
+import { Kysely } from "kysely";
 import { User } from "@dineway-ai/auth";
 import * as astro from "astro";
 
+//#region src/site-context/actor.d.ts
+type SiteAuthTokenType = "api_token" | "oauth_token";
+interface SiteAuthTokenContext {
+  type: SiteAuthTokenType;
+  /** Non-secret persistent token id. Present for API tokens; absent for OAuth access tokens today. */
+  id?: string | null;
+}
+//#endregion
 //#region src/astro/middleware/auth.d.ts
 declare global {
   namespace App {
@@ -14,6 +23,8 @@ declare global {
       user?: User;
       /** Token scopes when authenticated via API token or OAuth token. Undefined for session auth. */
       tokenScopes?: string[];
+      /** Non-secret bearer token metadata for activity attribution. Undefined for session auth. */
+      authToken?: SiteAuthTokenContext;
       dineway?: DinewayHandlers;
       dinewayManifest?: DinewayManifest;
     }

package/dist/astro/middleware/auth.mjs

@@ -1,5 +1,5 @@
-import { t as apiError } from "../../error-DrxtnGPg.mjs";
-import { t as getAuthMode } from "../../mode-BlyYtIFO.mjs";
+import { t as apiError } from "../../error-BmL6QipT.mjs";
+import { t as getAuthMode } from "../../mode-47goXBBK.mjs";
 import { ulid } from "ulidx";
 import { defineMiddleware } from "astro:middleware";
 import { createKyselyAdapter } from "@dineway-ai/auth/adapters/kysely";
@@ -58,7 +58,7 @@ function checkPublicCsrf(request, url, publicOrigin) {
 * the build. Container deployments set env vars at runtime, so we must read
 * process.env which Vite leaves untouched.
 *
-* On non-Node runtimes process.env may be unavailable, so the fallback chain
+* On runtimes without `process.env`, the fallback chain
 * continues to url.origin.
 *
 * Caches after first call.
@@ -117,7 +117,8 @@ async function resolveApiToken(db, rawToken) {
 	db.updateTable("_dineway_api_tokens").set({ last_used_at: (/* @__PURE__ */ new Date()).toISOString() }).where("id", "=", row.id).execute().catch(() => {});
 	return {
 		userId: row.user_id,
-		scopes: JSON.parse(row.scopes)
+		scopes: JSON.parse(row.scopes),
+		tokenId: row.id
 	};
 }
 /**
@@ -174,6 +175,35 @@ function buildDinewayCsp() {
 /** Cache headers for middleware error responses (matches API_CACHE_HEADERS in api/error.ts) */
 const MW_CACHE_HEADERS = { "Cache-Control": "private, no-store" };
 const ROLE_ADMIN = 50;
+const MCP_ENDPOINT_PATH = "/_dineway/api/mcp";
+function isUnsafeMethod(method) {
+	return method !== "GET" && method !== "HEAD" && method !== "OPTIONS";
+}
+function csrfRejectedResponse() {
+	return new Response(JSON.stringify({ error: {
+		code: "CSRF_REJECTED",
+		message: "Missing required header"
+	} }), {
+		status: 403,
+		headers: {
+			"Content-Type": "application/json",
+			...MW_CACHE_HEADERS
+		}
+	});
+}
+function mcpUnauthorizedResponse(url, config) {
+	const origin = getPublicOrigin(url, config);
+	return Response.json({ error: {
+		code: "NOT_AUTHENTICATED",
+		message: "Not authenticated"
+	} }, {
+		status: 401,
+		headers: {
+			"WWW-Authenticate": `Bearer resource_metadata="${origin}/.well-known/oauth-protected-resource"`,
+			...MW_CACHE_HEADERS
+		}
+	});
+}
 /**
 * API routes that skip auth — each handles its own access control.
 *
@@ -187,29 +217,39 @@ const PUBLIC_API_PREFIXES = [
 	"/_dineway/api/auth/dev-bypass",
 	"/_dineway/api/auth/signup/",
 	"/_dineway/api/auth/magic-link/",
-	"/_dineway/api/auth/invite/accept",
-	"/_dineway/api/auth/invite/complete",
+	"/_dineway/api/auth/invite/",
 	"/_dineway/api/auth/oauth/",
 	"/_dineway/api/oauth/device/token",
 	"/_dineway/api/oauth/device/code",
 	"/_dineway/api/oauth/token",
+	"/_dineway/api/oauth/register",
 	"/_dineway/api/comments/",
 	"/_dineway/api/media/file/",
 	"/_dineway/.well-known/"
 ];
 const PUBLIC_API_EXACT = new Set([
+	"/_dineway/api/health",
 	"/_dineway/api/auth/passkey/options",
 	"/_dineway/api/auth/passkey/verify",
 	"/_dineway/api/oauth/token",
 	"/_dineway/api/snapshot",
 	"/_dineway/api/search"
 ]);
+const CSRF_EXEMPT_PUBLIC_ROUTES = new Set([
+	"/_dineway/api/oauth/token",
+	"/_dineway/api/oauth/register",
+	"/_dineway/api/oauth/device/code",
+	"/_dineway/api/oauth/device/token"
+]);
 function isPublicDinewayRoute(pathname) {
 	if (PUBLIC_API_EXACT.has(pathname)) return true;
 	if (PUBLIC_API_PREFIXES.some((p) => pathname.startsWith(p))) return true;
 	if (import.meta.env.DEV && pathname === "/_dineway/api/typegen") return true;
 	return false;
 }
+function isCsrfExemptPublicRoute(pathname) {
+	return CSRF_EXEMPT_PUBLIC_ROUTES.has(pathname);
+}
 const onRequest = defineMiddleware(async (context, next) => {
 	const { url } = context;
 	const isAdminRoute = url.pathname.startsWith("/_dineway/admin");
@@ -218,8 +258,7 @@ const onRequest = defineMiddleware(async (context, next) => {
 	const isPublicApiRoute = isPublicDinewayRoute(url.pathname);
 	const isPublicRoute = !isAdminRoute && !isApiRoute;
 	if (isPublicApiRoute) {
-		const method = context.request.method.toUpperCase();
-		if (method !== "GET" && method !== "HEAD" && method !== "OPTIONS") {
+		if (isUnsafeMethod(context.request.method.toUpperCase()) && !isCsrfExemptPublicRoute(url.pathname)) {
 			const publicOrigin = getPublicOrigin(url, context.locals.dineway?.config);
 			const csrfError = checkPublicCsrf(context.request, url, publicOrigin);
 			if (csrfError) return csrfError;
@@ -258,7 +297,7 @@ const onRequest = defineMiddleware(async (context, next) => {
 			"Content-Type": "application/json",
 			...MW_CACHE_HEADERS
 		};
-		if (url.pathname === "/_dineway/api/mcp") headers["WWW-Authenticate"] = `Bearer resource_metadata="${getPublicOrigin(url, context.locals.dineway?.config)}/.well-known/oauth-protected-resource"`;
+		if (url.pathname === MCP_ENDPOINT_PATH) headers["WWW-Authenticate"] = `Bearer resource_metadata="${getPublicOrigin(url, context.locals.dineway?.config)}/.well-known/oauth-protected-resource"`;
 		return new Response(JSON.stringify({ error: {
 			code: "INVALID_TOKEN",
 			message: "Invalid or expired token"
@@ -269,18 +308,10 @@ const onRequest = defineMiddleware(async (context, next) => {
 	}
 	const isTokenAuth = bearerResult === "authenticated";
 	const method = context.request.method.toUpperCase();
+	if (url.pathname === MCP_ENDPOINT_PATH && !isTokenAuth) return mcpUnauthorizedResponse(url, context.locals.dineway?.config);
 	const isOAuthConsent = url.pathname.startsWith("/_dineway/oauth/authorize");
-	if (isApiRoute && !isTokenAuth && !isOAuthConsent && method !== "GET" && method !== "HEAD" && method !== "OPTIONS" && !isPublicApiRoute) {
-		if (context.request.headers.get("X-Dineway-Request") !== "1") return new Response(JSON.stringify({ error: {
-			code: "CSRF_REJECTED",
-			message: "Missing required header"
-		} }), {
-			status: 403,
-			headers: {
-				"Content-Type": "application/json",
-				...MW_CACHE_HEADERS
-			}
-		});
+	if (isApiRoute && !isTokenAuth && !isOAuthConsent && isUnsafeMethod(method) && !isPublicApiRoute) {
+		if (context.request.headers.get("X-Dineway-Request") !== "1") return csrfRejectedResponse();
 	}
 	if (isTokenAuth) {
 		const scopeError = enforceTokenScope(url.pathname, method, context.locals.tokenScopes);
@@ -300,18 +331,18 @@ const onRequest = defineMiddleware(async (context, next) => {
 async function handleDinewayAuth(context, next) {
 	const { url, locals } = context;
 	const { dineway } = locals;
-	const isLoginRoute = url.pathname.startsWith("/_dineway/admin/login");
+	const isPublicAdminRoute = url.pathname.startsWith("/_dineway/admin/login") || url.pathname.startsWith("/_dineway/admin/invite/accept");
 	const isApiRoute = url.pathname.startsWith("/_dineway/api");
 	if (!dineway?.db) return next();
 	const authMode = getAuthMode(dineway.config);
 	if (authMode.type === "external") {
 		if (import.meta.env.DEV) {
-			if (isLoginRoute) return next();
+			if (isPublicAdminRoute) return next();
 			return handlePasskeyAuth(context, next, isApiRoute);
 		}
 		return handleExternalAuth(context, next, authMode, isApiRoute);
 	}
-	if (isLoginRoute) return next();
+	if (isPublicAdminRoute) return next();
 	return handlePasskeyAuth(context, next, isApiRoute);
 }
 /**
@@ -471,14 +502,24 @@ async function handleBearerAuth(context) {
 	const { dineway } = locals;
 	if (!dineway?.db) return "none";
 	let resolved = null;
-	if (token.startsWith("ec_pat_")) resolved = await resolveApiToken(dineway.db, token);
-	else if (token.startsWith("ec_oat_")) resolved = await resolveOAuthToken(dineway.db, token);
-	else return "invalid";
+	let authToken;
+	if (token.startsWith("ec_pat_")) {
+		const apiToken = await resolveApiToken(dineway.db, token);
+		resolved = apiToken;
+		if (apiToken) authToken = {
+			type: "api_token",
+			id: apiToken.tokenId
+		};
+	} else if (token.startsWith("ec_oat_")) {
+		resolved = await resolveOAuthToken(dineway.db, token);
+		if (resolved) authToken = { type: "oauth_token" };
+	} else return "invalid";
 	if (!resolved) return "invalid";
 	const user = await createKyselyAdapter(dineway.db).getUserById(resolved.userId);
 	if (!user || user.disabled) return "invalid";
 	locals.user = user;
 	locals.tokenScopes = resolved.scopes;
+	locals.authToken = authToken;
 	return "authenticated";
 }
 /**
@@ -490,17 +531,13 @@ async function handlePasskeyAuth(context, next, isApiRoute) {
 	try {
 		const sessionUser = await session?.get("user");
 		if (!sessionUser?.id) {
-			if (isApiRoute) {
-				const headers = { ...MW_CACHE_HEADERS };
-				if (url.pathname === "/_dineway/api/mcp") headers["WWW-Authenticate"] = `Bearer resource_metadata="${getPublicOrigin(url, dineway?.config)}/.well-known/oauth-protected-resource"`;
-				return Response.json({ error: {
-					code: "NOT_AUTHENTICATED",
-					message: "Not authenticated"
-				} }, {
-					status: 401,
-					headers
-				});
-			}
+			if (isApiRoute) return Response.json({ error: {
+				code: "NOT_AUTHENTICATED",
+				message: "Not authenticated"
+			} }, {
+				status: 401,
+				headers: MW_CACHE_HEADERS
+			});
 			const loginUrl = new URL("/_dineway/admin/login", getPublicOrigin(url, dineway?.config));
 			loginUrl.searchParams.set("redirect", url.pathname);
 			return context.redirect(loginUrl.toString());

package/dist/astro/middleware/redirect.mjs

@@ -1,7 +1,9 @@
-import "../../dialect-helpers-B9uSp2GJ.mjs";
+import { getRequestContext } from "../../request-context.mjs";
+import "../../dialect-helpers-DhTzaUxP.mjs";
 import "../../base64-F8-DUraK.mjs";
 import "../../types-BawVha09.mjs";
-import { t as RedirectRepository } from "../../redirect-JPqLAbxa.mjs";
+import { t as RedirectRepository } from "../../redirect-DnEWAkVg.mjs";
+import { a as matchCachedPatterns, n as compileRedirectRules, o as setCachedPatternRules, r as getCachedPatternRules } from "../../cache-BdSY-gQN.mjs";
 import { defineMiddleware } from "astro:middleware";
 
 //#region src/astro/middleware/redirect.ts
@@ -35,12 +37,26 @@ const onRequest = defineMiddleware(async (context, next) => {
 	if (!dineway?.db) return next();
 	try {
 		const repo = new RedirectRepository(dineway.db);
-		const match = await repo.matchPath(pathname);
-		if (match) {
-			if (match.resolvedDestination.startsWith("//") || match.resolvedDestination.startsWith("/\\")) return next();
-			repo.recordHit(match.redirect.id).catch(() => {});
-			const code = isRedirectCode(match.redirect.type) ? match.redirect.type : 301;
-			return context.redirect(match.resolvedDestination, code);
+		const exact = await repo.findExactMatch(pathname);
+		if (exact) {
+			if (exact.destination.startsWith("//") || exact.destination.startsWith("/\\")) return next();
+			repo.recordHit(exact.id).catch(() => {});
+			const code = isRedirectCode(exact.type) ? exact.type : 301;
+			return context.redirect(exact.destination, code);
+		}
+		const hasDbOverride = !!getRequestContext()?.db;
+		let rules = !hasDbOverride ? getCachedPatternRules() : null;
+		if (!rules) {
+			const patternRedirects = await repo.findEnabledPatternRules();
+			rules = hasDbOverride ? compileRedirectRules(patternRedirects) : setCachedPatternRules(patternRedirects);
+		}
+		const patternMatch = matchCachedPatterns(rules, pathname);
+		if (patternMatch) {
+			const { redirect, destination } = patternMatch;
+			if (destination.startsWith("//") || destination.startsWith("/\\")) return next();
+			repo.recordHit(redirect.id).catch(() => {});
+			const code = isRedirectCode(redirect.type) ? redirect.type : 301;
+			return context.redirect(destination, code);
 		}
 		const response = await next();
 		if (response.status === 404) {