dineway 0.1.4 → 0.1.6

package/src/astro/routes/api/menus/index.ts

@@ -6,15 +6,31 @@
  */
 
 import type { APIRoute } from "astro";
+import { z } from "zod";
 
 import { requirePerm } from "#api/authorize.js";
 import { handleError, unwrapResult } from "#api/error.js";
 import { handleMenuCreate, handleMenuList } from "#api/handlers/menus.js";
+import {
+	ensureWorkflowHitlRouteRequest,
+	hitlRequiredRouteError,
+	resolveHitlRouteActor,
+} from "#api/hitl-route-helpers.js";
 import { isParseError, parseBody } from "#api/parse.js";
 import { createMenuBody } from "#api/schemas.js";
+import {
+	logMenuActivity,
+	menuApiRouteSource,
+	MenuHitlPayloadBuilder,
+	RiskPolicyEvaluator,
+} from "#site-context/index.js";
 
 export const prerender = false;
 
+const createMenuHitlBody = createMenuBody.extend({
+	hitlRequestId: z.string().min(1).optional(),
+});
+
 export const GET: APIRoute = async ({ locals }) => {
 	const { dineway, user } = locals;
 
@@ -36,10 +52,38 @@ export const POST: APIRoute = async ({ request, locals }) => {
 	if (denied) return denied;
 
 	try {
-		const body = await parseBody(request, createMenuBody);
+		const body = await parseBody(request, createMenuHitlBody);
 		if (isParseError(body)) return body;
 
-		const result = await handleMenuCreate(dineway.db, body);
+		const { hitlRequestId, ...menuInput } = body;
+		const actor = resolveHitlRouteActor(locals);
+		const action = await new MenuHitlPayloadBuilder(dineway.db).buildCreateMenuRequest(menuInput);
+		const decision = await new RiskPolicyEvaluator({
+			db: dineway.db,
+			handlers: dineway,
+		}).evaluateWorkflowHitl({
+			actor: actor.identity,
+			hitlRequestId,
+			action,
+		});
+		if (!decision.allowed) {
+			const ensured = await ensureWorkflowHitlRouteRequest(dineway.db, locals, decision.action);
+			return hitlRequiredRouteError(decision, ensured);
+		}
+
+		const result = await handleMenuCreate(dineway.db, menuInput);
+		if (!result.success) return unwrapResult(result, 201);
+
+		await logMenuActivity(dineway.db, locals, {
+			action: "created",
+			menuName: result.data.name,
+			...menuApiRouteSource("created"),
+			summary: `Created menu ${result.data.name}`,
+			detail: {
+				label: result.data.label,
+				hitlRequestId: decision.required ? decision.hitlRequest.id : null,
+			},
+		});
 		return unwrapResult(result, 201);
 	} catch (error) {
 		return handleError(error, "Failed to create menu", "MENU_CREATE_ERROR");

package/src/astro/routes/api/oauth/authorize.ts

@@ -19,11 +19,16 @@ import { escapeHtml } from "#api/escape.js";
 import {
 	buildDeniedRedirect,
 	handleAuthorizationApproval,
-	validateRedirectUri,
 } from "#api/handlers/oauth-authorization.js";
 import { lookupOAuthClient, validateClientRedirectUri } from "#api/handlers/oauth-clients.js";
+import { validateRedirectUri } from "#api/oauth/redirect-uri.js";
 import { getPublicOrigin } from "#api/public-url.js";
-import { VALID_SCOPES } from "#auth/api-tokens.js";
+import { ALL_VALID_SCOPES } from "#auth/api-tokens.js";
+import {
+	disabledExperimentalSiteContextWorkflowScopes,
+	filterExperimentalSiteContextWorkflowScopes,
+	getExperimentalSiteContextWorkflowScopesDisabledMessage,
+} from "#site-context/experimental-workflows.js";
 
 export const prerender = false;
 
@@ -52,7 +57,7 @@ function csrfCookieHeader(token: string, request: Request, siteUrl?: string): st
 		? siteUrl.startsWith("https:")
 		: new URL(request.url).protocol === "https:";
 	const secure = isSecure ? "; Secure" : "";
-	return `${CSRF_COOKIE_NAME}=${token}; Path=/_dineway/api/oauth/authorize; HttpOnly; SameSite=Strict${secure}`;
+	return `${CSRF_COOKIE_NAME}=${token}; Path=/_dineway/oauth/authorize; HttpOnly; SameSite=Strict${secure}`;
 }
 
 /** Extract the CSRF token from the request's cookies. */
@@ -141,11 +146,19 @@ export const GET: APIRoute = async ({ url, request, locals }) => {
 	}
 
 	// Parse and validate scopes
-	const validSet = new Set<string>(VALID_SCOPES);
-	const requestedScopes = (scope ?? "")
-		.split(" ")
-		.filter(Boolean)
-		.filter((s) => validSet.has(s));
+	const rawRequestedScopes = (scope ?? "").split(" ").filter(Boolean);
+	const disabledWorkflowScopes = disabledExperimentalSiteContextWorkflowScopes(rawRequestedScopes);
+	if (disabledWorkflowScopes.length > 0) {
+		return new Response(
+			renderErrorPage(getExperimentalSiteContextWorkflowScopesDisabledMessage()),
+			{
+				status: 400,
+				headers: { "Content-Type": "text/html; charset=utf-8" },
+			},
+		);
+	}
+	const validSet = new Set<string>(filterExperimentalSiteContextWorkflowScopes(ALL_VALID_SCOPES));
+	const requestedScopes = rawRequestedScopes.filter((s) => validSet.has(s));
 
 	if (requestedScopes.length === 0) {
 		return new Response(renderErrorPage("No valid scopes requested."), {

package/src/astro/routes/api/oauth/device/code.ts

@@ -15,6 +15,7 @@ import { handleDeviceCodeRequest } from "#api/handlers/device-flow.js";
 import { isParseError, parseBody } from "#api/parse.js";
 import { getPublicOrigin } from "#api/public-url.js";
 import { checkRateLimit, getClientIp, rateLimitResponse } from "#auth/rate-limit.js";
+import { getTrustedProxyHeaders } from "#auth/trusted-proxy.js";
 
 export const prerender = false;
 
@@ -35,7 +36,7 @@ export const POST: APIRoute = async ({ request, locals, url }) => {
 		if (isParseError(body)) return body;
 
 		// Rate limit: 10 requests per 60 seconds per IP
-		const ip = getClientIp(request);
+		const ip = getClientIp(request, getTrustedProxyHeaders(dineway.config));
 		const rateLimit = await checkRateLimit(dineway.db, ip, "device/code", 10, 60);
 		if (!rateLimit.allowed) {
 			return rateLimitResponse(60);

package/src/astro/routes/api/oauth/device/token.ts

@@ -17,6 +17,7 @@ import { apiError, handleError, unwrapResult } from "#api/error.js";
 import { handleDeviceTokenExchange } from "#api/handlers/device-flow.js";
 import { isParseError, parseBody } from "#api/parse.js";
 import { checkRateLimit, getClientIp, rateLimitResponse } from "#auth/rate-limit.js";
+import { getTrustedProxyHeaders } from "#auth/trusted-proxy.js";
 
 export const prerender = false;
 
@@ -37,7 +38,7 @@ export const POST: APIRoute = async ({ request, locals }) => {
 		if (isParseError(body)) return body;
 
 		// Rate limit: 12 requests per 60 seconds per IP
-		const ip = getClientIp(request);
+		const ip = getClientIp(request, getTrustedProxyHeaders(dineway.config));
 		const rateLimit = await checkRateLimit(dineway.db, ip, "device/token", 12, 60);
 		if (!rateLimit.allowed) {
 			return rateLimitResponse(60);

package/src/astro/routes/api/oauth/register.ts

@@ -0,0 +1,182 @@
+/**
+ * POST /_dineway/api/oauth/register
+ *
+ * RFC 7591 Dynamic Client Registration. Public, unauthenticated.
+ * MCP clients call this to register before starting the OAuth flow.
+ */
+
+import type { APIRoute } from "astro";
+
+import { apiError, handleError } from "#api/error.js";
+import { handleOAuthClientCreate } from "#api/handlers/oauth-clients.js";
+import {
+	disabledExperimentalSiteContextWorkflowScopes,
+	getExperimentalSiteContextWorkflowScopesDisabledMessage,
+} from "#site-context/experimental-workflows.js";
+
+export const prerender = false;
+
+const OAUTH_REGISTRATION_HEADERS: HeadersInit = {
+	"Cache-Control": "no-store",
+	Pragma: "no-cache",
+	"Access-Control-Allow-Origin": "*",
+};
+
+const OAUTH_PREFLIGHT_HEADERS: HeadersInit = {
+	"Access-Control-Allow-Origin": "*",
+	"Access-Control-Allow-Methods": "POST, OPTIONS",
+	"Access-Control-Allow-Headers": "Content-Type",
+	"Access-Control-Max-Age": "86400",
+};
+
+const SUPPORTED_GRANT_TYPES = new Set([
+	"authorization_code",
+	"refresh_token",
+	"urn:ietf:params:oauth:grant-type:device_code",
+]);
+const SUPPORTED_RESPONSE_TYPES = new Set(["code"]);
+
+function registrationError(description: string, status = 400): Response {
+	return Response.json(
+		{
+			error: "invalid_client_metadata",
+			error_description: description,
+		},
+		{ status, headers: OAUTH_REGISTRATION_HEADERS },
+	);
+}
+
+function isRecord(value: unknown): value is Record<string, unknown> {
+	return typeof value === "object" && value !== null && !Array.isArray(value);
+}
+
+function isStringArray(value: unknown): value is string[] {
+	return Array.isArray(value) && value.every((item) => typeof item === "string");
+}
+
+function parseScope(value: unknown): string[] | Response | undefined {
+	if (value === undefined) return undefined;
+	if (typeof value === "string") {
+		const scopes = value.split(" ").filter(Boolean);
+		return scopes.length > 0 ? scopes : undefined;
+	}
+	if (isStringArray(value)) {
+		const scopes = value.filter(Boolean);
+		return scopes.length > 0 ? scopes : undefined;
+	}
+	return registrationError("scope must be a string or array of strings");
+}
+
+function parseSupportedStringArray(
+	value: unknown,
+	field: string,
+	supported: ReadonlySet<string>,
+): string[] | Response | undefined {
+	if (value === undefined) return undefined;
+	if (!isStringArray(value)) {
+		return registrationError(`${field} must be an array of strings`);
+	}
+	const invalidValue = value.find((item) => !supported.has(item));
+	if (invalidValue) {
+		return registrationError(`${field} contains unsupported value: ${invalidValue}`);
+	}
+	return value;
+}
+
+export const OPTIONS: APIRoute = () => {
+	return new Response(null, { status: 204, headers: OAUTH_PREFLIGHT_HEADERS });
+};
+
+export const POST: APIRoute = async ({ request, locals }) => {
+	const { dineway } = locals;
+
+	if (!dineway?.db) {
+		return apiError("NOT_CONFIGURED", "Dineway is not initialized", 500);
+	}
+
+	try {
+		let body: unknown;
+		try {
+			body = await request.json();
+		} catch {
+			return registrationError("Request body must be valid JSON");
+		}
+
+		if (!isRecord(body)) {
+			return registrationError("Request body must be a JSON object");
+		}
+
+		if (!isStringArray(body.redirect_uris) || body.redirect_uris.length === 0) {
+			return registrationError("redirect_uris must be a non-empty array of strings");
+		}
+
+		if (
+			body.token_endpoint_auth_method !== undefined &&
+			body.token_endpoint_auth_method !== "none"
+		) {
+			return registrationError("Only token_endpoint_auth_method=none is supported");
+		}
+
+		const grantTypes = parseSupportedStringArray(
+			body.grant_types,
+			"grant_types",
+			SUPPORTED_GRANT_TYPES,
+		);
+		if (grantTypes instanceof Response) {
+			return grantTypes;
+		}
+
+		const responseTypes = parseSupportedStringArray(
+			body.response_types,
+			"response_types",
+			SUPPORTED_RESPONSE_TYPES,
+		);
+		if (responseTypes instanceof Response) {
+			return responseTypes;
+		}
+
+		const scopes = parseScope(body.scope);
+		if (scopes instanceof Response) {
+			return scopes;
+		}
+		if (scopes) {
+			const disabledWorkflowScopes = disabledExperimentalSiteContextWorkflowScopes(scopes);
+			if (disabledWorkflowScopes.length > 0) {
+				return registrationError(getExperimentalSiteContextWorkflowScopesDisabledMessage());
+			}
+		}
+
+		const clientId = crypto.randomUUID();
+		const clientName =
+			typeof body.client_name === "string" && body.client_name
+				? body.client_name
+				: `dynamic-${clientId.slice(0, 8)}`;
+
+		const result = await handleOAuthClientCreate(dineway.db, {
+			id: clientId,
+			name: clientName,
+			redirectUris: body.redirect_uris,
+			scopes,
+		});
+
+		if (!result.success) {
+			return registrationError(result.error.message);
+		}
+
+		return Response.json(
+			{
+				client_id: result.data.id,
+				client_id_issued_at: Math.floor(new Date(result.data.createdAt).getTime() / 1000),
+				redirect_uris: result.data.redirectUris,
+				client_name: result.data.name,
+				grant_types: grantTypes ?? ["authorization_code", "refresh_token"],
+				response_types: responseTypes ?? ["code"],
+				token_endpoint_auth_method: "none",
+				scope: result.data.scopes ? result.data.scopes.join(" ") : undefined,
+			},
+			{ status: 201, headers: OAUTH_REGISTRATION_HEADERS },
+		);
+	} catch (error) {
+		return handleError(error, "Failed to register OAuth client", "CLIENT_REGISTER_ERROR");
+	}
+};

package/src/astro/routes/api/oauth/token.ts

@@ -22,6 +22,20 @@ import { handleAuthorizationCodeExchange } from "#api/handlers/oauth-authorizati
 
 export const prerender = false;
 
+const OAUTH_TOKEN_HEADERS: HeadersInit = {
+	"Content-Type": "application/json",
+	"Cache-Control": "no-store",
+	Pragma: "no-cache",
+	"Access-Control-Allow-Origin": "*",
+};
+
+const OAUTH_PREFLIGHT_HEADERS: HeadersInit = {
+	"Access-Control-Allow-Origin": "*",
+	"Access-Control-Allow-Methods": "POST, OPTIONS",
+	"Access-Control-Allow-Headers": "Content-Type",
+	"Access-Control-Max-Age": "86400",
+};
+
 // ---------------------------------------------------------------------------
 // Parse helpers
 // ---------------------------------------------------------------------------
@@ -87,6 +101,10 @@ const refreshSchema = z.object({
 // Handler
 // ---------------------------------------------------------------------------
 
+export const OPTIONS: APIRoute = () => {
+	return new Response(null, { status: 204, headers: OAUTH_PREFLIGHT_HEADERS });
+};
+
 export const POST: APIRoute = async ({ request, locals }) => {
 	const { dineway } = locals;
 
@@ -161,13 +179,6 @@ export const POST: APIRoute = async ({ request, locals }) => {
 // OAuth response helpers (RFC 6749 §5.1 / §5.2)
 // ---------------------------------------------------------------------------
 
-/** RFC 6749 §5.1 requires Cache-Control: no-store and Pragma: no-cache on token responses */
-const OAUTH_TOKEN_HEADERS: HeadersInit = {
-	"Content-Type": "application/json",
-	"Cache-Control": "no-store",
-	Pragma: "no-cache",
-};
-
 function oauthSuccess(data: unknown): Response {
 	return Response.json(data, { headers: OAUTH_TOKEN_HEADERS });
 }

package/src/astro/routes/api/openapi.json.ts

@@ -15,9 +15,10 @@ export const prerender = false;
 
 let cachedSpec: string | null = null;
 
-export const GET: APIRoute = async () => {
+export const GET: APIRoute = async ({ locals }) => {
 	if (!cachedSpec) {
-		const doc = generateOpenApiDocument();
+		const maxUploadSize = locals.dineway?.config.maxUploadSize;
+		const doc = generateOpenApiDocument({ maxUploadSize });
 		cachedSpec = JSON.stringify(doc);
 	}
 

package/src/astro/routes/api/plugins/[pluginId]/[...path].ts

@@ -39,10 +39,10 @@ const handleRequest: APIRoute = async ({ params, request, locals }) => {
 
 	// Public routes skip auth, CSRF, and scope checks entirely
 	if (!routeMeta.public) {
+		const isStateChangingMethod = !["GET", "HEAD", "OPTIONS"].includes(method);
+
 		// Private routes require authentication and permission checks
-		const permission = ["GET", "HEAD", "OPTIONS"].includes(method)
-			? "plugins:read"
-			: "plugins:manage";
+		const permission = isStateChangingMethod ? "plugins:manage" : "plugins:read";
 		const denied = requirePerm(user, permission);
 		if (denied) return denied;
 
@@ -51,13 +51,30 @@ const handleRequest: APIRoute = async ({ params, request, locals }) => {
 		const scopeError = requireScope(locals, "admin");
 		if (scopeError) return scopeError;
 
+		// Generic private plugin routes can carry arbitrary plugin-defined payloads,
+		// including secret-bearing config. Until route metadata can describe a
+		// redacted review payload plus immutable reviewed target, API-token writes
+		// stay blocked instead of being routed through generic HITL.
+		if (isStateChangingMethod && locals.authToken?.type === "api_token") {
+			return apiError(
+				"HITL_UNSUPPORTED",
+				"Private plugin routes do not yet support API-token writes without a reviewed redaction contract",
+				409,
+				{
+					reason: "review_contract_missing",
+					pluginId,
+					path: `/${path}`,
+				},
+			);
+		}
+
 		// CSRF protection for state-changing requests on private routes.
 		// Plugin routes use soft auth in the middleware (user resolved but not required),
 		// so the middleware's CSRF check doesn't run. We enforce it here for private routes.
 		// Token-authed requests (which set tokenScopes) are exempt — tokens aren't
 		// ambient credentials like cookies.
 		if (
-			!["GET", "HEAD", "OPTIONS"].includes(method) &&
+			isStateChangingMethod &&
 			!locals.tokenScopes &&
 			request.headers.get("X-Dineway-Request") !== "1"
 		) {

package/src/astro/routes/api/redirects/[id].ts

@@ -7,6 +7,7 @@
  */
 
 import type { APIRoute } from "astro";
+import { z } from "zod";
 
 import { requirePerm } from "#api/authorize.js";
 import { apiError, handleError, unwrapResult } from "#api/error.js";
@@ -15,11 +16,31 @@ import {
 	handleRedirectGet,
 	handleRedirectUpdate,
 } from "#api/handlers/redirects.js";
-import { isParseError, parseBody } from "#api/parse.js";
+import {
+	ensureWorkflowHitlRouteRequest,
+	hitlRequiredRouteError,
+	resolveHitlRouteActor,
+} from "#api/hitl-route-helpers.js";
+import { isParseError, parseBody, parseQuery } from "#api/parse.js";
 import { updateRedirectBody } from "#api/schemas.js";
+import {
+	activityChangedKeys,
+	logRedirectActivity,
+	redirectApiRouteSource,
+	RedirectHitlPayloadBuilder,
+	RiskPolicyEvaluator,
+} from "#site-context/index.js";
 
 export const prerender = false;
 
+const updateRedirectHitlBody = updateRedirectBody.extend({
+	hitlRequestId: z.string().min(1).optional(),
+});
+
+const deleteRedirectQuery = z.object({
+	hitlRequestId: z.string().min(1).optional(),
+});
+
 export const GET: APIRoute = async ({ params, locals }) => {
 	const { dineway, user } = locals;
 	const db = dineway.db;
@@ -53,17 +74,56 @@ export const PUT: APIRoute = async ({ params, request, locals }) => {
 	}
 
 	try {
-		const body = await parseBody(request, updateRedirectBody);
+		const body = await parseBody(request, updateRedirectHitlBody);
 		if (isParseError(body)) return body;
 
-		const result = await handleRedirectUpdate(db, id, body);
+		const current = await handleRedirectGet(db, id);
+		if (!current.success) return unwrapResult(current);
+
+		const { hitlRequestId, ...redirectInput } = body;
+		const actor = resolveHitlRouteActor(locals);
+		const action = await new RedirectHitlPayloadBuilder().buildUpdateRedirectRequest({
+			redirect: current.data,
+			...redirectInput,
+		});
+		const decision = await new RiskPolicyEvaluator({
+			db,
+			handlers: dineway,
+		}).evaluateWorkflowHitl({
+			actor: actor.identity,
+			hitlRequestId,
+			action,
+		});
+		if (!decision.allowed) {
+			const ensured = await ensureWorkflowHitlRouteRequest(db, locals, decision.action);
+			return hitlRequiredRouteError(decision, ensured);
+		}
+
+		const result = await handleRedirectUpdate(db, id, redirectInput);
+		if (!result.success) return unwrapResult(result);
+
+		await logRedirectActivity(db, locals, {
+			action: "updated",
+			redirectId: result.data.id,
+			source: result.data.source,
+			destination: result.data.destination,
+			...redirectApiRouteSource("updated"),
+			summary: `Updated redirect ${result.data.source} -> ${result.data.destination}`,
+			detail: {
+				changedKeys: activityChangedKeys(redirectInput),
+				type: result.data.type,
+				enabled: result.data.enabled,
+				groupName: result.data.groupName,
+				hitlRequestId: decision.required ? decision.hitlRequest.id : null,
+			},
+		});
 		return unwrapResult(result);
 	} catch (error) {
 		return handleError(error, "Failed to update redirect", "REDIRECT_UPDATE_ERROR");
 	}
 };
 
-export const DELETE: APIRoute = async ({ params, locals }) => {
+export const DELETE: APIRoute = async ({ params, request, locals }) => {
 	const { dineway, user } = locals;
 	const db = dineway.db;
 	const { id } = params;
@@ -75,8 +135,47 @@ export const DELETE: APIRoute = async ({ params, locals }) => {
 		return apiError("VALIDATION_ERROR", "id is required", 400);
 	}
 
+	const query = parseQuery(new URL(request.url), deleteRedirectQuery);
+	if (isParseError(query)) return query;
+
 	try {
+		const current = await handleRedirectGet(db, id);
+		if (!current.success) return unwrapResult(current);
+
+		const actor = resolveHitlRouteActor(locals);
+		const action = await new RedirectHitlPayloadBuilder().buildDeleteRedirectRequest({
+			redirect: current.data,
+		});
+		const decision = await new RiskPolicyEvaluator({
+			db,
+			handlers: dineway,
+		}).evaluateWorkflowHitl({
+			actor: actor.identity,
+			hitlRequestId: query.hitlRequestId,
+			action,
+		});
+		if (!decision.allowed) {
+			const ensured = await ensureWorkflowHitlRouteRequest(db, locals, decision.action);
+			return hitlRequiredRouteError(decision, ensured);
+		}
+
 		const result = await handleRedirectDelete(db, id);
+		if (!result.success) return unwrapResult(result);
+
+		await logRedirectActivity(db, locals, {
+			action: "deleted",
+			redirectId: current.data.id,
+			source: current.data.source,
+			destination: current.data.destination,
+			...redirectApiRouteSource("deleted"),
+			summary: `Deleted redirect ${current.data.source} -> ${current.data.destination}`,
+			detail: {
+				type: current.data.type,
+				enabled: current.data.enabled,
+				groupName: current.data.groupName,
+				hitlRequestId: decision.required ? decision.hitlRequest.id : null,
+			},
+		});
 		return unwrapResult(result);
 	} catch (error) {
 		return handleError(error, "Failed to delete redirect", "REDIRECT_DELETE_ERROR");

package/src/astro/routes/api/redirects/index.ts

@@ -6,15 +6,31 @@
  */
 
 import type { APIRoute } from "astro";
+import { z } from "zod";
 
 import { requirePerm } from "#api/authorize.js";
 import { handleError, unwrapResult } from "#api/error.js";
 import { handleRedirectCreate, handleRedirectList } from "#api/handlers/redirects.js";
+import {
+	ensureWorkflowHitlRouteRequest,
+	hitlRequiredRouteError,
+	resolveHitlRouteActor,
+} from "#api/hitl-route-helpers.js";
 import { isParseError, parseBody, parseQuery } from "#api/parse.js";
 import { createRedirectBody, redirectsListQuery } from "#api/schemas.js";
+import {
+	logRedirectActivity,
+	redirectApiRouteSource,
+	RedirectHitlPayloadBuilder,
+	RiskPolicyEvaluator,
+} from "#site-context/index.js";
 
 export const prerender = false;
 
+const createRedirectHitlBody = createRedirectBody.extend({
+	hitlRequestId: z.string().min(1).optional(),
+});
+
 export const GET: APIRoute = async ({ url, locals }) => {
 	const { dineway, user } = locals;
 	const db = dineway.db;
@@ -41,10 +57,42 @@ export const POST: APIRoute = async ({ request, locals }) => {
 	if (denied) return denied;
 
 	try {
-		const body = await parseBody(request, createRedirectBody);
+		const body = await parseBody(request, createRedirectHitlBody);
 		if (isParseError(body)) return body;
 
-		const result = await handleRedirectCreate(db, body);
+		const { hitlRequestId, ...redirectInput } = body;
+		const actor = resolveHitlRouteActor(locals);
+		const action = await new RedirectHitlPayloadBuilder().buildCreateRedirectRequest(redirectInput);
+		const decision = await new RiskPolicyEvaluator({
+			db,
+			handlers: dineway,
+		}).evaluateWorkflowHitl({
+			actor: actor.identity,
+			hitlRequestId,
+			action,
+		});
+		if (!decision.allowed) {
+			const ensured = await ensureWorkflowHitlRouteRequest(db, locals, decision.action);
+			return hitlRequiredRouteError(decision, ensured);
+		}
+
+		const result = await handleRedirectCreate(db, redirectInput);
+		if (!result.success) return unwrapResult(result, 201);
+
+		await logRedirectActivity(db, locals, {
+			action: "created",
+			redirectId: result.data.id,
+			source: result.data.source,
+			destination: result.data.destination,
+			...redirectApiRouteSource("created"),
+			summary: `Created redirect ${result.data.source} -> ${result.data.destination}`,
+			detail: {
+				type: result.data.type,
+				enabled: result.data.enabled,
+				groupName: result.data.groupName,
+				hitlRequestId: decision.required ? decision.hitlRequest.id : null,
+			},
+		});
 		return unwrapResult(result, 201);
 	} catch (error) {
 		return handleError(error, "Failed to create redirect", "REDIRECT_CREATE_ERROR");