dineway 0.1.4 → 0.1.6

package/src/astro/routes/api/schema/collections/[slug]/fields/[fieldSlug].ts

@@ -18,6 +18,11 @@ import {
 import { parseBody, isParseError } from "#api/parse.js";
 import { updateFieldBody } from "#api/schemas.js";
 import type { UpdateFieldInput } from "#schema/types.js";
+import {
+	activityChangedKeys,
+	logSchemaActivity,
+	schemaApiRouteSource,
+} from "#site-context/activity-events.js";
 
 export const prerender = false;
 
@@ -57,6 +62,19 @@ export const PUT: APIRoute = async ({ params, request, locals }) => {
 		fieldSlug,
 		body as UpdateFieldInput,
 	);
+	if (result.success) dineway.invalidateManifest();
+	if (result.success) {
+		await logSchemaActivity(dineway.db, locals, {
+			action: "field_updated",
+			collection: collectionSlug,
+			field: fieldSlug,
+			...schemaApiRouteSource("field_updated"),
+			summary: `Updated field ${fieldSlug} in ${collectionSlug}`,
+			detail: {
+				changedFields: activityChangedKeys(body),
+			},
+		});
+	}
 	return unwrapResult(result);
 };
 
@@ -72,5 +90,15 @@ export const DELETE: APIRoute = async ({ params, locals }) => {
 	if (denied) return denied;
 
 	const result = await handleSchemaFieldDelete(dineway.db, collectionSlug, fieldSlug);
+	if (result.success) dineway.invalidateManifest();
+	if (result.success) {
+		await logSchemaActivity(dineway.db, locals, {
+			action: "field_deleted",
+			collection: collectionSlug,
+			field: fieldSlug,
+			...schemaApiRouteSource("field_deleted"),
+			summary: `Deleted field ${fieldSlug} from ${collectionSlug}`,
+		});
+	}
 	return unwrapResult(result);
 };

package/src/astro/routes/api/schema/collections/[slug]/fields/index.ts

@@ -13,6 +13,7 @@ import { handleSchemaFieldList, handleSchemaFieldCreate } from "#api/index.js";
 import { parseBody, isParseError } from "#api/parse.js";
 import { createFieldBody } from "#api/schemas.js";
 import type { CreateFieldInput } from "#schema/types.js";
+import { logSchemaActivity, schemaApiRouteSource } from "#site-context/activity-events.js";
 
 export const prerender = false;
 
@@ -48,5 +49,19 @@ export const POST: APIRoute = async ({ params, request, locals }) => {
 		collectionSlug,
 		body as CreateFieldInput,
 	);
+	if (result.success) dineway.invalidateManifest();
+	if (result.success) {
+		await logSchemaActivity(dineway.db, locals, {
+			action: "field_created",
+			collection: collectionSlug,
+			field: body.slug,
+			...schemaApiRouteSource("field_created"),
+			summary: `Created field ${body.slug} in ${collectionSlug}`,
+			detail: {
+				fieldType: body.type,
+				label: body.label,
+			},
+		});
+	}
 	return unwrapResult(result, 201);
 };

package/src/astro/routes/api/schema/collections/[slug]/fields/reorder.ts

@@ -11,6 +11,7 @@ import { requireDb, unwrapResult } from "#api/error.js";
 import { handleSchemaFieldReorder } from "#api/index.js";
 import { parseBody, isParseError } from "#api/parse.js";
 import { fieldReorderBody } from "#api/schemas.js";
+import { logSchemaActivity, schemaApiRouteSource } from "#site-context/activity-events.js";
 
 export const prerender = false;
 
@@ -28,5 +29,17 @@ export const POST: APIRoute = async ({ params, request, locals }) => {
 	if (isParseError(body)) return body;
 
 	const result = await handleSchemaFieldReorder(dineway.db, collectionSlug, body.fieldSlugs);
+	if (result.success) dineway.invalidateManifest();
+	if (result.success) {
+		await logSchemaActivity(dineway.db, locals, {
+			action: "fields_reordered",
+			collection: collectionSlug,
+			...schemaApiRouteSource("fields_reordered"),
+			summary: `Reordered fields in ${collectionSlug}`,
+			detail: {
+				fieldCount: body.fieldSlugs.length,
+			},
+		});
+	}
 	return unwrapResult(result);
 };

package/src/astro/routes/api/schema/collections/[slug]/index.ts

@@ -18,6 +18,11 @@ import {
 import { parseBody, parseQuery, isParseError } from "#api/parse.js";
 import { collectionGetQuery, updateCollectionBody } from "#api/schemas.js";
 import type { UpdateCollectionInput } from "#schema/types.js";
+import {
+	activityChangedKeys,
+	logSchemaActivity,
+	schemaApiRouteSource,
+} from "#site-context/activity-events.js";
 
 export const prerender = false;
 
@@ -59,6 +64,18 @@ export const PUT: APIRoute = async ({ params, request, locals }) => {
 		// eslint-disable-next-line typescript-eslint(no-unsafe-type-assertion) -- parseBody validates via Zod
 		body as UpdateCollectionInput,
 	);
+	if (result.success) dineway.invalidateManifest();
+	if (result.success) {
+		await logSchemaActivity(dineway.db, locals, {
+			action: "collection_updated",
+			collection: slug,
+			...schemaApiRouteSource("collection_updated"),
+			summary: `Updated collection ${slug}`,
+			detail: {
+				changedFields: activityChangedKeys(body),
+			},
+		});
+	}
 	return unwrapResult(result);
 };
 
@@ -76,5 +93,15 @@ export const DELETE: APIRoute = async ({ params, url, locals }) => {
 	const result = await handleSchemaCollectionDelete(dineway.db, slug, {
 		force,
 	});
+	if (result.success) dineway.invalidateManifest();
+	if (result.success) {
+		await logSchemaActivity(dineway.db, locals, {
+			action: "collection_deleted",
+			collection: slug,
+			...schemaApiRouteSource("collection_deleted"),
+			summary: `Deleted collection ${slug}`,
+			detail: { force },
+		});
+	}
 	return unwrapResult(result);
 };

package/src/astro/routes/api/schema/collections/index.ts

@@ -13,6 +13,7 @@ import { handleSchemaCollectionList, handleSchemaCollectionCreate } from "#api/i
 import { parseBody, isParseError } from "#api/parse.js";
 import { createCollectionBody } from "#api/schemas.js";
 import type { CreateCollectionInput } from "#schema/types.js";
+import { logSchemaActivity, schemaApiRouteSource } from "#site-context/activity-events.js";
 
 export const prerender = false;
 
@@ -43,5 +44,18 @@ export const POST: APIRoute = async ({ request, locals }) => {
 
 	// eslint-disable-next-line typescript-eslint(no-unsafe-type-assertion) -- Zod schema output narrowed to CreateCollectionInput
 	const result = await handleSchemaCollectionCreate(dineway.db, body as CreateCollectionInput);
+	if (result.success) dineway.invalidateManifest();
+	if (result.success) {
+		await logSchemaActivity(dineway.db, locals, {
+			action: "collection_created",
+			collection: body.slug,
+			...schemaApiRouteSource("collection_created"),
+			summary: `Created collection ${body.slug}`,
+			detail: {
+				label: body.label,
+				labelSingular: body.labelSingular ?? null,
+			},
+		});
+	}
 	return unwrapResult(result, 201);
 };

package/src/astro/routes/api/search/index.ts

@@ -37,6 +37,7 @@ export const GET: APIRoute = async ({ url, locals }) => {
 		: undefined;
 
 	try {
+		await dineway.ensureSearchHealthy?.();
 		const result = await searchWithDb(dineway.db, query.q, {
 			collections,
 			status: query.status,

package/src/astro/routes/api/search/suggest.ts

@@ -36,6 +36,7 @@ export const GET: APIRoute = async ({ url, locals }) => {
 		: undefined;
 
 	try {
+		await dineway.ensureSearchHealthy?.();
 		const suggestions = await getSuggestions(dineway.db, query.q, {
 			collections,
 			locale: query.locale,

package/src/astro/routes/api/sections/[slug].ts

@@ -7,6 +7,7 @@
  */
 
 import type { APIRoute } from "astro";
+import { z } from "zod";
 
 import { requirePerm } from "#api/authorize.js";
 import { apiError, handleError, unwrapResult } from "#api/error.js";
@@ -15,11 +16,31 @@ import {
 	handleSectionGet,
 	handleSectionUpdate,
 } from "#api/handlers/sections.js";
-import { isParseError, parseBody } from "#api/parse.js";
+import {
+	ensureWorkflowHitlRouteRequest,
+	hitlRequiredRouteError,
+	resolveHitlRouteActor,
+} from "#api/hitl-route-helpers.js";
+import { isParseError, parseBody, parseQuery } from "#api/parse.js";
 import { updateSectionBody } from "#api/schemas.js";
+import {
+	activityChangedKeys,
+	logSectionActivity,
+	RiskPolicyEvaluator,
+	sectionApiRouteSource,
+	SectionHitlPayloadBuilder,
+} from "#site-context/index.js";
 
 export const prerender = false;
 
+const updateSectionHitlBody = updateSectionBody.extend({
+	hitlRequestId: z.string().min(1).optional(),
+});
+
+const deleteSectionQuery = z.object({
+	hitlRequestId: z.string().min(1).optional(),
+});
+
 export const GET: APIRoute = async ({ params, locals }) => {
 	const { dineway, user } = locals;
 	const db = dineway.db;
@@ -53,17 +74,65 @@ export const PUT: APIRoute = async ({ params, request, locals }) => {
 	}
 
 	try {
-		const body = await parseBody(request, updateSectionBody);
+		const body = await parseBody(request, updateSectionHitlBody);
 		if (isParseError(body)) return body;
 
-		const result = await handleSectionUpdate(db, slug, body);
+		const current = await new SectionHitlPayloadBuilder(db).loadSectionSnapshot(slug);
+		if (!current) {
+			return apiError("NOT_FOUND", `Section "${slug}" not found`, 404);
+		}
+
+		const { hitlRequestId, ...sectionInput } = body;
+		const actor = resolveHitlRouteActor(locals);
+		const evaluator = new RiskPolicyEvaluator({
+			db,
+			handlers: dineway,
+		});
+		let approvedHitlRequestId: string | null = null;
+
+		if (evaluator.requiresWorkflowHitl(actor.identity)) {
+			const action = await new SectionHitlPayloadBuilder(db).buildUpdateSectionRequest({
+				section: current,
+				...sectionInput,
+			});
+			const decision = await evaluator.evaluateWorkflowHitl({
+				actor: actor.identity,
+				hitlRequestId,
+				action,
+			});
+			if (!decision.allowed) {
+				const ensured = await ensureWorkflowHitlRouteRequest(db, locals, decision.action);
+				return hitlRequiredRouteError(decision, ensured);
+			}
+			approvedHitlRequestId = decision.hitlRequest.id;
+		}
+
+		const result = await handleSectionUpdate(db, slug, sectionInput);
+		if (result.success) {
+			await logSectionActivity(db, locals, {
+				action: "updated",
+				sectionId: result.data.id,
+				sectionSlug: result.data.slug,
+				...sectionApiRouteSource("updated"),
+				detail: {
+					changedKeys: activityChangedKeys(sectionInput),
+					source: current.source,
+					themeId: current.themeId,
+					previewMediaId:
+						sectionInput.previewMediaId !== undefined
+							? sectionInput.previewMediaId
+							: current.previewMediaId,
+					hitlRequestId: approvedHitlRequestId,
+				},
+			});
+		}
 		return unwrapResult(result);
 	} catch (error) {
 		return handleError(error, "Failed to update section", "SECTION_UPDATE_ERROR");
 	}
 };
 
-export const DELETE: APIRoute = async ({ params, locals }) => {
+export const DELETE: APIRoute = async ({ params, request, locals }) => {
 	const { dineway, user } = locals;
 	const db = dineway.db;
 	const { slug } = params;
@@ -75,8 +144,58 @@ export const DELETE: APIRoute = async ({ params, locals }) => {
 		return apiError("VALIDATION_ERROR", "slug is required", 400);
 	}
 
+	const query = parseQuery(new URL(request.url), deleteSectionQuery);
+	if (isParseError(query)) return query;
+
 	try {
+		const current = await new SectionHitlPayloadBuilder(db).loadSectionSnapshot(slug);
+		if (!current) {
+			return apiError("NOT_FOUND", `Section "${slug}" not found`, 404);
+		}
+
+		if (current.source === "theme") {
+			const result = await handleSectionDelete(db, slug);
+			return unwrapResult(result);
+		}
+
+		const actor = resolveHitlRouteActor(locals);
+		const evaluator = new RiskPolicyEvaluator({
+			db,
+			handlers: dineway,
+		});
+		let approvedHitlRequestId: string | null = null;
+
+		if (evaluator.requiresWorkflowHitl(actor.identity)) {
+			const action = await new SectionHitlPayloadBuilder(db).buildDeleteSectionRequest({
+				section: current,
+			});
+			const decision = await evaluator.evaluateWorkflowHitl({
+				actor: actor.identity,
+				hitlRequestId: query.hitlRequestId,
+				action,
+			});
+			if (!decision.allowed) {
+				const ensured = await ensureWorkflowHitlRouteRequest(db, locals, decision.action);
+				return hitlRequiredRouteError(decision, ensured);
+			}
+			approvedHitlRequestId = decision.hitlRequest.id;
+		}
+
 		const result = await handleSectionDelete(db, slug);
+		if (result.success) {
+			await logSectionActivity(db, locals, {
+				action: "deleted",
+				sectionId: current.id,
+				sectionSlug: current.slug,
+				...sectionApiRouteSource("deleted"),
+				detail: {
+					source: current.source,
+					themeId: current.themeId,
+					previewMediaId: current.previewMediaId,
+					hitlRequestId: approvedHitlRequestId,
+				},
+			});
+		}
 		return unwrapResult(result);
 	} catch (error) {
 		return handleError(error, "Failed to delete section", "SECTION_DELETE_ERROR");

package/src/astro/routes/api/sections/index.ts

@@ -6,15 +6,31 @@
  */
 
 import type { APIRoute } from "astro";
+import { z } from "zod";
 
 import { requirePerm } from "#api/authorize.js";
 import { handleError, unwrapResult } from "#api/error.js";
 import { handleSectionCreate, handleSectionList } from "#api/handlers/sections.js";
+import {
+	ensureWorkflowHitlRouteRequest,
+	hitlRequiredRouteError,
+	resolveHitlRouteActor,
+} from "#api/hitl-route-helpers.js";
 import { isParseError, parseBody, parseQuery } from "#api/parse.js";
 import { createSectionBody, sectionsListQuery } from "#api/schemas.js";
+import {
+	logSectionActivity,
+	RiskPolicyEvaluator,
+	sectionApiRouteSource,
+	SectionHitlPayloadBuilder,
+} from "#site-context/index.js";
 
 export const prerender = false;
 
+const createSectionHitlBody = createSectionBody.extend({
+	hitlRequestId: z.string().min(1).optional(),
+});
+
 export const GET: APIRoute = async ({ url, locals }) => {
 	const { dineway, user } = locals;
 	const db = dineway.db;
@@ -41,10 +57,49 @@ export const POST: APIRoute = async ({ request, locals }) => {
 	if (denied) return denied;
 
 	try {
-		const body = await parseBody(request, createSectionBody);
+		const body = await parseBody(request, createSectionHitlBody);
 		if (isParseError(body)) return body;
 
-		const result = await handleSectionCreate(db, body);
+		const { hitlRequestId, ...sectionInput } = body;
+		const actor = resolveHitlRouteActor(locals);
+		const evaluator = new RiskPolicyEvaluator({
+			db,
+			handlers: dineway,
+		});
+		let approvedHitlRequestId: string | null = null;
+
+		if (evaluator.requiresWorkflowHitl(actor.identity)) {
+			const action = await new SectionHitlPayloadBuilder(db).buildCreateSectionRequest(
+				sectionInput,
+			);
+			const decision = await evaluator.evaluateWorkflowHitl({
+				actor: actor.identity,
+				hitlRequestId,
+				action,
+			});
+			if (!decision.allowed) {
+				const ensured = await ensureWorkflowHitlRouteRequest(db, locals, decision.action);
+				return hitlRequiredRouteError(decision, ensured);
+			}
+			approvedHitlRequestId = decision.hitlRequest.id;
+		}
+
+		const result = await handleSectionCreate(db, sectionInput);
+		if (result.success) {
+			await logSectionActivity(db, locals, {
+				action: "created",
+				sectionId: result.data.id,
+				sectionSlug: result.data.slug,
+				...sectionApiRouteSource("created"),
+				detail: {
+					title: result.data.title,
+					source: result.data.source,
+					themeId: result.data.themeId ?? null,
+					previewMediaId: sectionInput.previewMediaId ?? null,
+					hitlRequestId: approvedHitlRequestId,
+				},
+			});
+		}
 		return unwrapResult(result, 201);
 	} catch (error) {
 		return handleError(error, "Failed to create section", "SECTION_CREATE_ERROR");

package/src/astro/routes/api/settings.ts

@@ -6,15 +6,31 @@
  */
 
 import type { APIRoute } from "astro";
+import { z } from "zod";
 
 import { requirePerm } from "#api/authorize.js";
 import { apiError, handleError, unwrapResult } from "#api/error.js";
 import { handleSettingsGet, handleSettingsUpdate } from "#api/handlers/settings.js";
+import {
+	ensureWorkflowHitlRouteRequest,
+	hitlRequiredRouteError,
+	resolveHitlRouteActor,
+} from "#api/hitl-route-helpers.js";
 import { isParseError, parseBody } from "#api/parse.js";
 import { settingsUpdateBody } from "#api/schemas.js";
+import {
+	logSiteActivitySafely,
+	RiskPolicyEvaluator,
+	settingsApiRouteSource,
+	SettingsHitlPayloadBuilder,
+} from "#site-context/index.js";
 
 export const prerender = false;
 
+const settingsHitlBody = settingsUpdateBody.extend({
+	hitlRequestId: z.string().min(1).optional(),
+});
+
 /**
  * GET /_dineway/api/settings
  *
@@ -56,10 +72,43 @@ export const POST: APIRoute = async ({ request, locals }) => {
 	if (denied) return denied;
 
 	try {
-		const body = await parseBody(request, settingsUpdateBody);
+		const body = await parseBody(request, settingsHitlBody);
 		if (isParseError(body)) return body;
 
-		const result = await handleSettingsUpdate(dineway.db, dineway.storage, body);
+		const { hitlRequestId, ...settingsInput } = body;
+		const actor = resolveHitlRouteActor(locals);
+		const action = await new SettingsHitlPayloadBuilder(dineway.db).buildUpdateSettingsRequest(
+			settingsInput,
+		);
+		const decision = await new RiskPolicyEvaluator({
+			db: dineway.db,
+			handlers: dineway,
+		}).evaluateWorkflowHitl({
+			actor: actor.identity,
+			hitlRequestId,
+			action,
+		});
+		if (!decision.allowed) {
+			const ensured = await ensureWorkflowHitlRouteRequest(dineway.db, locals, decision.action);
+			return hitlRequiredRouteError(decision, ensured);
+		}
+
+		const result = await handleSettingsUpdate(dineway.db, dineway.storage, settingsInput);
+		if (!result.success) return unwrapResult(result);
+
+		await logSiteActivitySafely(dineway.db, locals, {
+			actionType: "settings.updated",
+			subjectType: "site_settings",
+			subjectId: "site",
+			scope: "site",
+			...settingsApiRouteSource("updated"),
+			summary: action.summary ?? "Updated site settings",
+			detail: {
+				changedKeys: Object.keys(settingsInput).toSorted(),
+				touchesSeo: Object.hasOwn(settingsInput, "seo"),
+				hitlRequestId: decision.required ? decision.hitlRequest.id : null,
+			},
+		});
 		return unwrapResult(result);
 	} catch (error) {
 		return handleError(error, "Failed to update settings", "SETTINGS_UPDATE_ERROR");

package/src/astro/routes/api/setup/admin-verify.ts

@@ -8,7 +8,7 @@ import type { APIRoute } from "astro";
 
 export const prerender = false;
 
-import { Role } from "@dineway-ai/auth";
+import { Role, secureCompare } from "@dineway-ai/auth";
 import { createKyselyAdapter } from "@dineway-ai/auth/adapters/kysely";
 import { verifyRegistrationResponse, registerPasskey } from "@dineway-ai/auth/passkey";
 
@@ -18,9 +18,10 @@ import { getPublicOrigin } from "#api/public-url.js";
 import { setupAdminVerifyBody } from "#api/schemas.js";
 import { createChallengeStore } from "#auth/challenge-store.js";
 import { getPasskeyConfig } from "#auth/passkey-config.js";
+import { SETUP_NONCE_COOKIE } from "#auth/setup-nonce.js";
 import { OptionsRepository } from "#db/repositories/options.js";
 
-export const POST: APIRoute = async ({ request, locals }) => {
+export const POST: APIRoute = async ({ cookies, request, locals }) => {
 	const { dineway } = locals;
 
 	if (!dineway?.db) {
@@ -45,12 +46,30 @@ export const POST: APIRoute = async ({ request, locals }) => {
 		}
 
 		// Get setup state
-		const setupState = await options.get("dineway:setup_state");
+		const setupState = await options.get<{
+			step?: string;
+			email?: string;
+			name?: string | null;
+			nonce?: string;
+		}>("dineway:setup_state");
 
 		if (!setupState || setupState.step !== "admin") {
 			return apiError("INVALID_STATE", "Invalid setup state. Please restart setup.", 400);
 		}
 
+		const cookieNonce = cookies.get(SETUP_NONCE_COOKIE)?.value;
+		if (!setupState.nonce || !cookieNonce || !secureCompare(cookieNonce, setupState.nonce)) {
+			return apiError(
+				"INVALID_STATE",
+				"Setup session expired or tampered with. Please restart the admin step.",
+				400,
+			);
+		}
+
+		if (!setupState.email) {
+			return apiError("INVALID_STATE", "Invalid setup state. Please restart setup.", 400);
+		}
+
 		// Parse request body
 		const body = await parseBody(request, setupAdminVerifyBody);
 		if (isParseError(body)) return body;
@@ -73,7 +92,7 @@ export const POST: APIRoute = async ({ request, locals }) => {
 		// Create the admin user
 		const user = await adapter.createUser({
 			email: setupState.email,
-			name: setupState.name,
+			name: setupState.name ?? null,
 			role: Role.ADMIN,
 			emailVerified: false, // No email verification for first user
 		});
@@ -84,8 +103,9 @@ export const POST: APIRoute = async ({ request, locals }) => {
 		// Mark setup as complete
 		await options.set("dineway:setup_complete", true);
 
-		// Clean up setup state
+		// Clean up setup state and the session nonce cookie
 		await options.delete("dineway:setup_state");
+		cookies.delete(SETUP_NONCE_COOKIE, { path: "/_dineway/" });
 
 		return apiSuccess({
 			success: true,

package/src/astro/routes/api/setup/admin.ts

@@ -8,6 +8,7 @@ import type { APIRoute } from "astro";
 
 export const prerender = false;
 
+import { generateToken } from "@dineway-ai/auth";
 import { createKyselyAdapter } from "@dineway-ai/auth/adapters/kysely";
 import { generateRegistrationOptions } from "@dineway-ai/auth/passkey";
 
@@ -17,9 +18,10 @@ import { getPublicOrigin } from "#api/public-url.js";
 import { setupAdminBody } from "#api/schemas.js";
 import { createChallengeStore } from "#auth/challenge-store.js";
 import { getPasskeyConfig } from "#auth/passkey-config.js";
+import { SETUP_NONCE_COOKIE, SETUP_NONCE_MAX_AGE_SECONDS } from "#auth/setup-nonce.js";
 import { OptionsRepository } from "#db/repositories/options.js";
 
-export const POST: APIRoute = async ({ request, locals }) => {
+export const POST: APIRoute = async ({ cookies, request, locals }) => {
 	const { dineway } = locals;
 
 	if (!dineway?.db) {
@@ -47,12 +49,7 @@ export const POST: APIRoute = async ({ request, locals }) => {
 		const body = await parseBody(request, setupAdminBody);
 		if (isParseError(body)) return body;
 
-		// Store admin info in setup state for later
-		await options.set("dineway:setup_state", {
-			step: "admin",
-			email: body.email.toLowerCase(),
-			name: body.name || null,
-		});
+		const nonce = generateToken();
 
 		// Get passkey config
 		const url = new URL(request.url);
@@ -78,12 +75,23 @@ export const POST: APIRoute = async ({ request, locals }) => {
 			challengeStore,
 		);
 
-		// Store the temp user ID with the setup state
+		// Store the nonce with the setup state. The verify endpoint compares
+		// it to an HttpOnly cookie so the admin step stays bound to this browser.
 		await options.set("dineway:setup_state", {
 			step: "admin",
 			email: body.email.toLowerCase(),
 			name: body.name || null,
 			tempUserId: tempUser.id,
+			nonce,
+		});
+
+		const publicOrigin = new URL(siteUrl);
+		cookies.set(SETUP_NONCE_COOKIE, nonce, {
+			path: "/_dineway/",
+			httpOnly: true,
+			sameSite: "strict",
+			secure: publicOrigin.protocol === "https:",
+			maxAge: SETUP_NONCE_MAX_AGE_SECONDS,
 		});
 
 		return apiSuccess({

package/src/astro/routes/api/setup/index.ts

@@ -89,9 +89,10 @@ export const POST: APIRoute = async ({ request, url, locals }) => {
 			const options = new OptionsRepository(dineway.db);
 
 			// Store the canonical site URL from the setup request.
-			// This is trusted because setup runs on the real domain.
+			// Keep the first value so later unauthenticated setup calls cannot
+			// rewrite the public origin during the setup window.
 			const siteUrl = getPublicOrigin(url, dineway.config);
-			await options.set("dineway:site_url", siteUrl);
+			await options.setIfAbsent("dineway:site_url", siteUrl);
 
 			if (useExternalAuth) {
 				// External auth mode: mark setup complete now