nrdocs 0.2.1 → 0.2.2

package/dist/deploy-worker/index.js

@@ -0,0 +1,2458 @@
+// ../worker/src/router.ts
+function buildRoute(method, path, handler) {
+  const paramNames = [];
+  const regexStr = path.replace(/:([a-zA-Z_][a-zA-Z0-9_]*)/g, (_match, name) => {
+    paramNames.push(name);
+    return "([^/]+)";
+  });
+  const pattern = new RegExp(`^${regexStr}$`);
+  return { method, pattern, paramNames, handler };
+}
+function matchRoute(routes, method, pathname) {
+  for (const route of routes) {
+    if (route.method !== method) continue;
+    const match = route.pattern.exec(pathname);
+    if (match) {
+      const params = {};
+      for (let i = 0; i < route.paramNames.length; i++) {
+        const name = route.paramNames[i];
+        params[name] = decodeURIComponent(match[i + 1]);
+      }
+      return { handler: route.handler, params };
+    }
+  }
+  return null;
+}
+var Router = class {
+  routes = [];
+  get(path, handler) {
+    this.routes.push(buildRoute("GET", path, handler));
+  }
+  post(path, handler) {
+    this.routes.push(buildRoute("POST", path, handler));
+  }
+  put(path, handler) {
+    this.routes.push(buildRoute("PUT", path, handler));
+  }
+  delete(path, handler) {
+    this.routes.push(buildRoute("DELETE", path, handler));
+  }
+  async handle(request, env) {
+    const url = new URL(request.url);
+    const result = matchRoute(this.routes, request.method, url.pathname);
+    if (!result) return null;
+    return result.handler(request, env, result.params);
+  }
+};
+
+// ../worker/src/responses.ts
+function jsonSuccess(data, status = 200) {
+  return Response.json({ ok: true, data }, { status });
+}
+function jsonError(code, message, status, details) {
+  const body = {
+    ok: false,
+    error: { code, message }
+  };
+  if (details) {
+    body.error.details = details;
+  }
+  return Response.json(body, { status });
+}
+
+// ../shared/dist/constants.js
+var NRDOCS_VERSION = "0.1.0";
+var ACCESS_MODES = ["none", "public", "password"];
+var DEFAULT_MAX_ARCHIVE_SIZE_MB = 50;
+var DEFAULT_MAX_FILE_COUNT = 5e3;
+var DEFAULT_MAX_EXTRACTED_SIZE_MB = 200;
+var DEFAULT_MAX_SINGLE_FILE_SIZE_MB = 25;
+var DEFAULT_MIN_PASSWORD_LENGTH = 8;
+var DEFAULT_MAX_PASSWORD_LENGTH = 128;
+var DEFAULT_PBKDF2_ITERATIONS = 1e5;
+var ALLOWED_STATIC_KEYS = ["homepage", "favicon", "robots"];
+var ALLOWED_ASSET_EXTENSIONS = /* @__PURE__ */ new Set([
+  ".html",
+  ".css",
+  ".json",
+  ".svg",
+  ".png",
+  ".jpg",
+  ".jpeg",
+  ".gif",
+  ".webp",
+  ".ico",
+  ".txt",
+  ".pdf"
+]);
+var REJECTED_EXTENSIONS = /* @__PURE__ */ new Set([".js", ".mjs", ".cjs"]);
+
+// ../worker/src/auth.ts
+function requireOperator(request, env) {
+  const authHeader = request.headers.get("Authorization");
+  if (!authHeader) {
+    return {
+      authenticated: false,
+      response: jsonError("UNAUTHORIZED", "Missing Authorization header", 401)
+    };
+  }
+  const parts = authHeader.split(" ");
+  if (parts.length !== 2 || parts[0] !== "Bearer") {
+    return {
+      authenticated: false,
+      response: jsonError("UNAUTHORIZED", "Invalid Authorization header format", 401)
+    };
+  }
+  const token = parts[1];
+  if (!timingSafeEqual(token, env.OPERATOR_TOKEN)) {
+    return {
+      authenticated: false,
+      response: jsonError("UNAUTHORIZED", "Invalid operator token", 401)
+    };
+  }
+  return { authenticated: true };
+}
+function timingSafeEqual(a, b) {
+  if (a.length !== b.length) {
+    const dummy = a;
+    let result2 = 1;
+    for (let i = 0; i < dummy.length; i++) {
+      result2 |= dummy.charCodeAt(i) ^ dummy.charCodeAt(i);
+    }
+    void result2;
+    return false;
+  }
+  let result = 0;
+  for (let i = 0; i < a.length; i++) {
+    result |= a.charCodeAt(i) ^ b.charCodeAt(i);
+  }
+  return result === 0;
+}
+
+// ../worker/src/handlers/status.ts
+async function handleStatus(request, env, _params) {
+  const basicInfo = {
+    service: "nrdocs",
+    version: NRDOCS_VERSION,
+    base_url: env.BASE_URL
+  };
+  const auth = requireOperator(request, env);
+  if (auth.authenticated) {
+    return jsonSuccess({
+      ...basicInfo,
+      authenticated: true
+    });
+  }
+  return jsonSuccess(basicInfo);
+}
+
+// ../worker/src/handlers/operator-me.ts
+async function handleOperatorMe(request, env, _params) {
+  const auth = requireOperator(request, env);
+  if (!auth.authenticated) return auth.response;
+  return jsonSuccess({
+    operator: {
+      type: "operator_token"
+    },
+    deployment: {
+      base_url: env.BASE_URL,
+      version: NRDOCS_VERSION
+    }
+  });
+}
+
+// ../worker/src/crypto.ts
+async function hashPassword(password, iterations) {
+  const iterationCount = iterations ?? DEFAULT_PBKDF2_ITERATIONS;
+  const saltBytes = new Uint8Array(16);
+  crypto.getRandomValues(saltBytes);
+  const encoder = new TextEncoder();
+  const passwordBytes = encoder.encode(password);
+  const keyMaterial = await crypto.subtle.importKey(
+    "raw",
+    passwordBytes,
+    "PBKDF2",
+    false,
+    ["deriveBits"]
+  );
+  const derivedBits = await crypto.subtle.deriveBits(
+    {
+      name: "PBKDF2",
+      salt: saltBytes,
+      iterations: iterationCount,
+      hash: "SHA-256"
+    },
+    keyMaterial,
+    256
+  );
+  return {
+    hash: bytesToHex(new Uint8Array(derivedBits)),
+    salt: bytesToHex(saltBytes),
+    iteration_count: iterationCount
+  };
+}
+async function verifyPassword(password, hash, salt, iterationCount) {
+  const encoder = new TextEncoder();
+  const passwordBytes = encoder.encode(password);
+  const saltBytes = hexToBytes(salt);
+  const keyMaterial = await crypto.subtle.importKey(
+    "raw",
+    passwordBytes,
+    "PBKDF2",
+    false,
+    ["deriveBits"]
+  );
+  const derivedBits = await crypto.subtle.deriveBits(
+    {
+      name: "PBKDF2",
+      salt: saltBytes,
+      iterations: iterationCount,
+      hash: "SHA-256"
+    },
+    keyMaterial,
+    256
+  );
+  const derivedHex = bytesToHex(new Uint8Array(derivedBits));
+  return constantTimeEqual(derivedHex, hash);
+}
+function bytesToHex(bytes) {
+  let hex = "";
+  for (let i = 0; i < bytes.length; i++) {
+    hex += bytes[i].toString(16).padStart(2, "0");
+  }
+  return hex;
+}
+function hexToBytes(hex) {
+  const bytes = new Uint8Array(hex.length / 2);
+  for (let i = 0; i < bytes.length; i++) {
+    bytes[i] = parseInt(hex.slice(i * 2, i * 2 + 2), 16);
+  }
+  return bytes;
+}
+function constantTimeEqual(a, b) {
+  if (a.length !== b.length) return false;
+  let result = 0;
+  for (let i = 0; i < a.length; i++) {
+    result |= a.charCodeAt(i) ^ b.charCodeAt(i);
+  }
+  return result === 0;
+}
+
+// ../worker/src/db/id.ts
+function generateId(prefix) {
+  return `${prefix}${crypto.randomUUID().replace(/-/g, "")}`;
+}
+
+// ../worker/src/db/repos.ts
+function normalizeRepo(row) {
+  return {
+    ...row,
+    allow_repo_owner_password: row["allow_repo_owner_password"] === 1
+  };
+}
+async function findRepoByFullName(db, fullName) {
+  const row = await db.prepare("SELECT * FROM repos WHERE full_name = ?").bind(fullName.toLowerCase()).first();
+  return row ? normalizeRepo(row) : null;
+}
+async function findRepoByGithubId(db, githubRepoId) {
+  const row = await db.prepare("SELECT * FROM repos WHERE github_repository_id = ?").bind(githubRepoId).first();
+  return row ? normalizeRepo(row) : null;
+}
+async function upsertRepo(db, input) {
+  const now = (/* @__PURE__ */ new Date()).toISOString();
+  const owner = input.owner.toLowerCase();
+  const name = input.name.toLowerCase();
+  const fullName = input.full_name.toLowerCase();
+  const existing = await findRepoByGithubId(db, input.github_repository_id);
+  if (existing) {
+    await db.prepare(
+      `UPDATE repos SET owner = ?, name = ?, full_name = ?, site_title = COALESCE(?, site_title), requested_access = COALESCE(?, requested_access), updated_at = ? WHERE id = ?`
+    ).bind(
+      owner,
+      name,
+      fullName,
+      input.site_title ?? null,
+      input.requested_access ?? null,
+      now,
+      existing.id
+    ).run();
+    const updated = await findRepoByGithubId(db, input.github_repository_id);
+    return updated;
+  }
+  const id = generateId("repo_");
+  await db.prepare(
+    `INSERT INTO repos (id, github_repository_id, owner, name, full_name, approval_state, access_mode, allow_repo_owner_password, site_title, requested_access, created_at, updated_at)
+       VALUES (?, ?, ?, ?, ?, 'pending', 'none', ?, ?, ?, ?, ?)`
+  ).bind(
+    id,
+    input.github_repository_id,
+    owner,
+    name,
+    fullName,
+    input.allow_repo_owner_password === true ? 1 : 0,
+    input.site_title ?? null,
+    input.requested_access ?? null,
+    now,
+    now
+  ).run();
+  const created = await findRepoByGithubId(db, input.github_repository_id);
+  return created;
+}
+async function approveRepo(db, repoId, accessMode, approvedBy) {
+  const now = (/* @__PURE__ */ new Date()).toISOString();
+  await db.prepare(
+    `UPDATE repos SET approval_state = 'approved', access_mode = ?, approved_at = ?, approved_by = ?, disabled_at = NULL, disabled_by = NULL, updated_at = ? WHERE id = ?`
+  ).bind(accessMode, now, approvedBy, now, repoId).run();
+  const row = await db.prepare("SELECT * FROM repos WHERE id = ?").bind(repoId).first();
+  return normalizeRepo(row);
+}
+async function disableRepo(db, repoId, disabledBy, reason) {
+  const now = (/* @__PURE__ */ new Date()).toISOString();
+  await db.prepare(
+    `UPDATE repos SET approval_state = 'disabled', access_mode = 'none', disabled_at = ?, disabled_by = ?, updated_at = ? WHERE id = ?`
+  ).bind(now, disabledBy, now, repoId).run();
+  void reason;
+  const row = await db.prepare("SELECT * FROM repos WHERE id = ?").bind(repoId).first();
+  return normalizeRepo(row);
+}
+async function setAccessMode(db, repoId, accessMode) {
+  const now = (/* @__PURE__ */ new Date()).toISOString();
+  await db.prepare(`UPDATE repos SET access_mode = ?, updated_at = ? WHERE id = ?`).bind(accessMode, now, repoId).run();
+  const row = await db.prepare("SELECT * FROM repos WHERE id = ?").bind(repoId).first();
+  return normalizeRepo(row);
+}
+async function setSelfPasswordAllowFlag(db, repoId, allow) {
+  const now = (/* @__PURE__ */ new Date()).toISOString();
+  await db.prepare(
+    `UPDATE repos SET allow_repo_owner_password = ?, updated_at = ? WHERE id = ?`
+  ).bind(allow ? 1 : 0, now, repoId).run();
+}
+async function updateLatestBuild(db, repoId, buildId) {
+  const now = (/* @__PURE__ */ new Date()).toISOString();
+  await db.prepare(
+    `UPDATE repos SET latest_successful_build_id = ?, updated_at = ? WHERE id = ?`
+  ).bind(buildId, now, repoId).run();
+}
+async function listRepos(db, filters) {
+  const conditions = [];
+  const bindings = [];
+  if (filters?.state) {
+    conditions.push("approval_state = ?");
+    bindings.push(filters.state);
+  }
+  if (filters?.access) {
+    conditions.push("access_mode = ?");
+    bindings.push(filters.access);
+  }
+  if (filters?.owner) {
+    conditions.push("owner = ?");
+    bindings.push(filters.owner.toLowerCase());
+  }
+  if (filters?.cursor) {
+    conditions.push("id > ?");
+    bindings.push(filters.cursor);
+  }
+  const limit = filters?.limit ?? 50;
+  const where = conditions.length > 0 ? `WHERE ${conditions.join(" AND ")}` : "";
+  const query = `SELECT * FROM repos ${where} ORDER BY id ASC LIMIT ?`;
+  bindings.push(limit + 1);
+  const stmt = db.prepare(query);
+  const result = await stmt.bind(...bindings).all();
+  const rows = (result.results ?? []).map(normalizeRepo);
+  let nextCursor = null;
+  if (rows.length > limit) {
+    rows.pop();
+    nextCursor = rows[rows.length - 1]?.id ?? null;
+  }
+  return { repos: rows, next_cursor: nextCursor };
+}
+
+// ../worker/src/db/builds.ts
+async function createBuild(db, input) {
+  const id = generateId("build_");
+  const now = (/* @__PURE__ */ new Date()).toISOString();
+  await db.prepare(
+    `INSERT INTO builds (id, repo_id, github_repository_id, git_sha, git_ref, workflow_ref, run_id, status, created_at)
+       VALUES (?, ?, ?, ?, ?, ?, ?, 'uploading', ?)`
+  ).bind(
+    id,
+    input.repo_id,
+    input.github_repository_id,
+    input.git_sha,
+    input.git_ref ?? null,
+    input.workflow_ref ?? null,
+    input.run_id ?? null,
+    now
+  ).run();
+  const build = await db.prepare("SELECT * FROM builds WHERE id = ?").bind(id).first();
+  return build;
+}
+async function markBuildSuccess(db, buildId, artifactPrefix, sizeBytes, fileCount, contentHash) {
+  const now = (/* @__PURE__ */ new Date()).toISOString();
+  await db.prepare(
+    `UPDATE builds SET status = 'success', artifact_prefix = ?, artifact_size_bytes = ?, file_count = ?, content_hash = ?, completed_at = ? WHERE id = ?`
+  ).bind(artifactPrefix, sizeBytes, fileCount, contentHash, now, buildId).run();
+  const build = await db.prepare("SELECT * FROM builds WHERE id = ?").bind(buildId).first();
+  return build;
+}
+async function markBuildFailed(db, buildId, errorCode, errorMessage) {
+  const now = (/* @__PURE__ */ new Date()).toISOString();
+  await db.prepare(
+    `UPDATE builds SET status = 'failed', error_code = ?, error_message = ?, completed_at = ? WHERE id = ?`
+  ).bind(errorCode, errorMessage, now, buildId).run();
+  const build = await db.prepare("SELECT * FROM builds WHERE id = ?").bind(buildId).first();
+  return build;
+}
+async function findBuildById(db, buildId) {
+  const result = await db.prepare("SELECT * FROM builds WHERE id = ?").bind(buildId).first();
+  return result ?? null;
+}
+
+// ../worker/src/db/rules.ts
+function normalizeRule(row) {
+  return {
+    ...row,
+    enabled: row["enabled"] === 1 || row["enabled"] === true,
+    default_allow_repo_owner_password: row["default_allow_repo_owner_password"] === 1 || row["default_allow_repo_owner_password"] === true
+  };
+}
+async function createRule(db, pattern, accessMode, createdBy, priority, defaultAllowSelfPassword = true) {
+  const id = generateId("rule_");
+  const now = (/* @__PURE__ */ new Date()).toISOString();
+  await db.prepare(
+    `INSERT INTO auto_approval_rules (id, pattern, access_mode, enabled, priority, default_allow_repo_owner_password, created_at, created_by, updated_at, updated_by)
+       VALUES (?, ?, ?, 1, ?, ?, ?, ?, ?, ?)`
+  ).bind(
+    id,
+    pattern.toLowerCase(),
+    accessMode,
+    priority ?? 0,
+    defaultAllowSelfPassword ? 1 : 0,
+    now,
+    createdBy,
+    now,
+    createdBy
+  ).run();
+  const row = await db.prepare("SELECT * FROM auto_approval_rules WHERE id = ?").bind(id).first();
+  return normalizeRule(row);
+}
+async function deleteRule(db, ruleId) {
+  const result = await db.prepare("DELETE FROM auto_approval_rules WHERE id = ?").bind(ruleId).run();
+  return (result.meta?.changes ?? 0) > 0;
+}
+async function listRules(db) {
+  const result = await db.prepare("SELECT * FROM auto_approval_rules WHERE enabled = 1 ORDER BY priority DESC, created_at ASC").all();
+  return (result.results ?? []).map(normalizeRule);
+}
+function findMatchingRule(rules, fullName) {
+  const normalized = fullName.toLowerCase();
+  const owner = normalized.split("/")[0];
+  const exactMatches = [];
+  const namespaceMatches = [];
+  for (const rule of rules) {
+    if (!rule.enabled) continue;
+    const pattern = rule.pattern.toLowerCase();
+    if (pattern === normalized) {
+      exactMatches.push(rule);
+    } else if (pattern === `${owner}/*`) {
+      namespaceMatches.push(rule);
+    }
+  }
+  const candidates = exactMatches.length > 0 ? exactMatches : namespaceMatches;
+  if (candidates.length === 0) return null;
+  candidates.sort((a, b) => {
+    if (b.priority !== a.priority) return b.priority - a.priority;
+    return a.created_at.localeCompare(b.created_at);
+  });
+  return candidates[0];
+}
+async function matchRules(db, fullName) {
+  const rules = await listRules(db);
+  return findMatchingRule(rules, fullName);
+}
+
+// ../worker/src/db/passwords.ts
+async function setPassword(db, repoId, hash, salt, iterationCount, updatedBy) {
+  const now = (/* @__PURE__ */ new Date()).toISOString();
+  await db.prepare(
+    `UPDATE password_credentials SET active = 0, updated_at = ?, updated_by = ? WHERE repo_id = ? AND active = 1`
+  ).bind(now, updatedBy, repoId).run();
+  const latest = await db.prepare(
+    `SELECT MAX(password_version) as max_version FROM password_credentials WHERE repo_id = ?`
+  ).bind(repoId).first();
+  const nextVersion = (latest?.max_version ?? 0) + 1;
+  const id = generateId("cred_");
+  await db.prepare(
+    `INSERT INTO password_credentials (id, repo_id, password_hash, hash_algorithm, salt, iteration_count, password_version, active, created_at, updated_at, updated_by)
+       VALUES (?, ?, ?, 'pbkdf2-sha256', ?, ?, ?, 1, ?, ?, ?)`
+  ).bind(id, repoId, hash, salt, iterationCount, nextVersion, now, now, updatedBy).run();
+  const cred = await db.prepare("SELECT * FROM password_credentials WHERE id = ?").bind(id).first();
+  return cred;
+}
+async function getActivePassword(db, repoId) {
+  const result = await db.prepare(
+    "SELECT * FROM password_credentials WHERE repo_id = ? AND active = 1 ORDER BY password_version DESC LIMIT 1"
+  ).bind(repoId).first();
+  return result ?? null;
+}
+async function hasPassword(db, repoId) {
+  const result = await db.prepare(
+    "SELECT COUNT(*) as cnt FROM password_credentials WHERE repo_id = ? AND active = 1"
+  ).bind(repoId).first();
+  return (result?.cnt ?? 0) > 0;
+}
+async function nextPasswordVersion(db, repoId) {
+  const latest = await db.prepare(
+    `SELECT MAX(password_version) as max_version FROM password_credentials WHERE repo_id = ?`
+  ).bind(repoId).first();
+  return (latest?.max_version ?? 0) + 1;
+}
+async function storeSelfServicePassword(db, args) {
+  const { hash, salt, iteration_count } = await hashPassword(args.plaintext);
+  const credId = generateId("cred_");
+  const auditCredId = generateId("evt_");
+  const now = (/* @__PURE__ */ new Date()).toISOString();
+  const version = await nextPasswordVersion(db, args.repo.id);
+  const flipToPassword = args.repo.approval_state === "approved" && args.repo.access_mode === "none";
+  const stmts = [];
+  stmts.push(
+    db.prepare(
+      `UPDATE password_credentials SET active = 0, updated_at = ?, updated_by = ? WHERE repo_id = ? AND active = 1`
+    ).bind(now, "repo_owner", args.repo.id)
+  );
+  stmts.push(
+    db.prepare(
+      `INSERT INTO password_credentials (id, repo_id, password_hash, hash_algorithm, salt, iteration_count, password_version, active, created_at, updated_at, updated_by)
+         VALUES (?, ?, ?, 'pbkdf2-sha256', ?, ?, ?, 1, ?, ?, ?)`
+    ).bind(
+      credId,
+      args.repo.id,
+      hash,
+      salt,
+      iteration_count,
+      version,
+      now,
+      now,
+      "repo_owner"
+    )
+  );
+  stmts.push(
+    db.prepare(
+      `INSERT INTO audit_log (id, event_type, actor_type, actor_id, repo_id, build_id, rule_id, metadata_json, created_at)
+         VALUES (?, 'repo.self_password_set', 'github_action', ?, ?, ?, NULL, NULL, ?)`
+    ).bind(auditCredId, args.fullName, args.repo.id, args.buildId, now)
+  );
+  if (flipToPassword) {
+    const auditModeId = generateId("evt_");
+    stmts.push(
+      db.prepare(
+        `UPDATE repos SET access_mode = 'password', updated_at = ? WHERE id = ?`
+      ).bind(now, args.repo.id)
+    );
+    stmts.push(
+      db.prepare(
+        `INSERT INTO audit_log (id, event_type, actor_type, actor_id, repo_id, build_id, rule_id, metadata_json, created_at)
+           VALUES (?, 'repo.access_changed', 'github_action', ?, ?, ?, NULL, ?, ?)`
+      ).bind(
+        auditModeId,
+        args.fullName,
+        args.repo.id,
+        args.buildId,
+        JSON.stringify({ old_mode: args.repo.access_mode, new_mode: "password" }),
+        now
+      )
+    );
+  }
+  try {
+    const results = await db.batch(stmts);
+    for (const r of results) {
+      if (r.error) {
+        return { ok: false };
+      }
+    }
+    return { ok: true };
+  } catch {
+    return { ok: false };
+  }
+}
+
+// ../worker/src/db/audit.ts
+async function writeAuditEvent(db, event) {
+  const id = generateId("evt_");
+  const now = (/* @__PURE__ */ new Date()).toISOString();
+  const metadataJson = event.metadata ? JSON.stringify(event.metadata) : null;
+  await db.prepare(
+    `INSERT INTO audit_log (id, event_type, actor_type, actor_id, repo_id, build_id, rule_id, metadata_json, created_at)
+       VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?)`
+  ).bind(
+    id,
+    event.event_type,
+    event.actor_type,
+    event.actor_id ?? null,
+    event.repo_id ?? null,
+    event.build_id ?? null,
+    event.rule_id ?? null,
+    metadataJson,
+    now
+  ).run();
+}
+
+// ../worker/src/db/transitions.ts
+function validateApproval(repo) {
+  if (!repo.latest_successful_build_id) {
+    return {
+      valid: false,
+      error: "Cannot approve repo without a successful build"
+    };
+  }
+  return { valid: true };
+}
+function validateAccessChange(repo, _newMode) {
+  if (repo.approval_state !== "approved") {
+    return {
+      valid: false,
+      error: `Cannot change access mode on a repo in '${repo.approval_state}' state; must be approved`
+    };
+  }
+  return { valid: true };
+}
+
+// ../worker/src/handlers/repos.ts
+async function handleListRepos(request, env, _params) {
+  const auth = requireOperator(request, env);
+  if (!auth.authenticated) return auth.response;
+  const url = new URL(request.url);
+  const state = url.searchParams.get("state");
+  const access = url.searchParams.get("access");
+  const owner = url.searchParams.get("owner");
+  const limitStr = url.searchParams.get("limit");
+  const cursor = url.searchParams.get("cursor");
+  const limit = limitStr ? Math.min(Math.max(parseInt(limitStr, 10) || 50, 1), 100) : 50;
+  const result = await listRepos(env.DB, {
+    state: state ?? void 0,
+    access: access ?? void 0,
+    owner: owner ?? void 0,
+    limit,
+    cursor: cursor ?? void 0
+  });
+  return jsonSuccess({
+    repos: result.repos,
+    next_cursor: result.next_cursor
+  });
+}
+async function handleGetRepo(request, env, params) {
+  const auth = requireOperator(request, env);
+  if (!auth.authenticated) return auth.response;
+  const fullName = `${params["owner"]}/${params["repo"]}`.toLowerCase();
+  const repo = await findRepoByFullName(env.DB, fullName);
+  if (!repo) {
+    return jsonError("NOT_FOUND", `Repository '${fullName}' not found`, 404);
+  }
+  return jsonSuccess({ repo });
+}
+async function handleApproveRepo(request, env, params) {
+  const auth = requireOperator(request, env);
+  if (!auth.authenticated) return auth.response;
+  const fullName = `${params["owner"]}/${params["repo"]}`.toLowerCase();
+  const repo = await findRepoByFullName(env.DB, fullName);
+  if (!repo) {
+    return jsonError("NOT_FOUND", `Repository '${fullName}' not found`, 404);
+  }
+  let body;
+  try {
+    body = await request.json();
+  } catch {
+    return jsonError("INVALID_BODY", "Request body must be valid JSON", 400);
+  }
+  if (!body.access_mode || !["public", "password"].includes(body.access_mode)) {
+    return jsonError(
+      "VALIDATION_ERROR",
+      'access_mode must be "public" or "password"',
+      400,
+      { field: "access_mode" }
+    );
+  }
+  const validation = validateApproval(repo);
+  if (!validation.valid) {
+    return jsonError("INVALID_STATE", validation.error, 409);
+  }
+  const accessMode = body.access_mode;
+  const updated = await approveRepo(env.DB, repo.id, accessMode, "operator");
+  await writeAuditEvent(env.DB, {
+    event_type: "repo.approved",
+    actor_type: "operator",
+    repo_id: repo.id,
+    metadata: { access_mode: accessMode }
+  });
+  return jsonSuccess({ repo: updated });
+}
+async function handleDisableRepo(request, env, params) {
+  const auth = requireOperator(request, env);
+  if (!auth.authenticated) return auth.response;
+  const fullName = `${params["owner"]}/${params["repo"]}`.toLowerCase();
+  const repo = await findRepoByFullName(env.DB, fullName);
+  if (!repo) {
+    return jsonError("NOT_FOUND", `Repository '${fullName}' not found`, 404);
+  }
+  let reason;
+  try {
+    const body = await request.json();
+    reason = body.reason;
+  } catch {
+  }
+  const updated = await disableRepo(env.DB, repo.id, "operator", reason);
+  await writeAuditEvent(env.DB, {
+    event_type: "repo.disabled",
+    actor_type: "operator",
+    repo_id: repo.id,
+    metadata: reason ? { reason } : void 0
+  });
+  return jsonSuccess({ repo: updated });
+}
+async function handleSetAccess(request, env, params) {
+  const auth = requireOperator(request, env);
+  if (!auth.authenticated) return auth.response;
+  const fullName = `${params["owner"]}/${params["repo"]}`.toLowerCase();
+  const repo = await findRepoByFullName(env.DB, fullName);
+  if (!repo) {
+    return jsonError("NOT_FOUND", `Repository '${fullName}' not found`, 404);
+  }
+  let body;
+  try {
+    body = await request.json();
+  } catch {
+    return jsonError("INVALID_BODY", "Request body must be valid JSON", 400);
+  }
+  if (!body.access_mode || !ACCESS_MODES.includes(body.access_mode)) {
+    return jsonError(
+      "VALIDATION_ERROR",
+      `access_mode must be one of: ${ACCESS_MODES.join(", ")}`,
+      400,
+      { field: "access_mode" }
+    );
+  }
+  const newMode = body.access_mode;
+  const validation = validateAccessChange(repo, newMode);
+  if (!validation.valid) {
+    return jsonError("INVALID_STATE", validation.error, 409);
+  }
+  const updated = await setAccessMode(env.DB, repo.id, newMode);
+  await writeAuditEvent(env.DB, {
+    event_type: "repo.access_changed",
+    actor_type: "operator",
+    repo_id: repo.id,
+    metadata: { old_mode: repo.access_mode, new_mode: newMode }
+  });
+  return jsonSuccess({ repo: updated });
+}
+async function handleSetPassword(request, env, params) {
+  const auth = requireOperator(request, env);
+  if (!auth.authenticated) return auth.response;
+  const fullName = `${params["owner"]}/${params["repo"]}`.toLowerCase();
+  const repo = await findRepoByFullName(env.DB, fullName);
+  if (!repo) {
+    return jsonError("NOT_FOUND", `Repository '${fullName}' not found`, 404);
+  }
+  let body;
+  try {
+    body = await request.json();
+  } catch {
+    return jsonError("INVALID_BODY", "Request body must be valid JSON", 400);
+  }
+  if (!body.password || typeof body.password !== "string") {
+    return jsonError("VALIDATION_ERROR", "password is required", 400, { field: "password" });
+  }
+  if (body.password.length < DEFAULT_MIN_PASSWORD_LENGTH) {
+    return jsonError(
+      "VALIDATION_ERROR",
+      `Password must be at least ${DEFAULT_MIN_PASSWORD_LENGTH} characters`,
+      400,
+      { field: "password", min_length: DEFAULT_MIN_PASSWORD_LENGTH }
+    );
+  }
+  if (body.password.length > DEFAULT_MAX_PASSWORD_LENGTH) {
+    return jsonError(
+      "VALIDATION_ERROR",
+      `Password must be at most ${DEFAULT_MAX_PASSWORD_LENGTH} characters`,
+      400,
+      { field: "password", max_length: DEFAULT_MAX_PASSWORD_LENGTH }
+    );
+  }
+  const { hash, salt, iteration_count } = await hashPassword(body.password);
+  await setPassword(env.DB, repo.id, hash, salt, iteration_count, "operator");
+  await writeAuditEvent(env.DB, {
+    event_type: "repo.password_set",
+    actor_type: "operator",
+    repo_id: repo.id
+  });
+  return jsonSuccess({ message: "Password updated successfully" });
+}
+async function handleAllowSelfPassword(request, env, params) {
+  const auth = requireOperator(request, env);
+  if (!auth.authenticated) return auth.response;
+  const fullName = `${params["owner"]}/${params["repo"]}`.toLowerCase();
+  const repo = await findRepoByFullName(env.DB, fullName);
+  if (!repo) {
+    return jsonError("NOT_FOUND", `Repository '${fullName}' not found`, 404);
+  }
+  await setSelfPasswordAllowFlag(env.DB, repo.id, true);
+  await writeAuditEvent(env.DB, {
+    event_type: "repo.self_password_allowed",
+    actor_type: "operator",
+    repo_id: repo.id
+  });
+  const updated = await findRepoByFullName(env.DB, fullName);
+  return jsonSuccess({ repo: updated });
+}
+async function handleDisallowSelfPassword(request, env, params) {
+  const auth = requireOperator(request, env);
+  if (!auth.authenticated) return auth.response;
+  const fullName = `${params["owner"]}/${params["repo"]}`.toLowerCase();
+  const repo = await findRepoByFullName(env.DB, fullName);
+  if (!repo) {
+    return jsonError("NOT_FOUND", `Repository '${fullName}' not found`, 404);
+  }
+  await setSelfPasswordAllowFlag(env.DB, repo.id, false);
+  await writeAuditEvent(env.DB, {
+    event_type: "repo.self_password_disallowed",
+    actor_type: "operator",
+    repo_id: repo.id
+  });
+  const updated = await findRepoByFullName(env.DB, fullName);
+  return jsonSuccess({ repo: updated });
+}
+
+// ../worker/src/handlers/rules.ts
+async function handleListRules(request, env, _params) {
+  const auth = requireOperator(request, env);
+  if (!auth.authenticated) return auth.response;
+  const rules = await listRules(env.DB);
+  return jsonSuccess({ rules });
+}
+async function handleCreateRule(request, env, _params) {
+  const auth = requireOperator(request, env);
+  if (!auth.authenticated) return auth.response;
+  let body;
+  try {
+    body = await request.json();
+  } catch {
+    return jsonError("INVALID_BODY", "Request body must be valid JSON", 400);
+  }
+  if (!body.pattern || typeof body.pattern !== "string") {
+    return jsonError("VALIDATION_ERROR", "pattern is required", 400, { field: "pattern" });
+  }
+  const patternRegex = /^[a-zA-Z0-9_.-]+\/(\*|[a-zA-Z0-9_.-]+)$/;
+  if (!patternRegex.test(body.pattern)) {
+    return jsonError(
+      "VALIDATION_ERROR",
+      'pattern must be in format "owner/repo" or "owner/*"',
+      400,
+      { field: "pattern" }
+    );
+  }
+  if (!body.access_mode || !["public", "password"].includes(body.access_mode)) {
+    return jsonError(
+      "VALIDATION_ERROR",
+      'access_mode must be "public" or "password"',
+      400,
+      { field: "access_mode" }
+    );
+  }
+  const accessMode = body.access_mode;
+  const priority = typeof body.priority === "number" ? body.priority : 0;
+  let defaultAllowSelfPassword = true;
+  if (body.default_allow_repo_owner_password !== void 0) {
+    if (typeof body.default_allow_repo_owner_password !== "boolean") {
+      return jsonError(
+        "VALIDATION_ERROR",
+        "default_allow_repo_owner_password must be a boolean",
+        400,
+        { field: "default_allow_repo_owner_password" }
+      );
+    }
+    defaultAllowSelfPassword = body.default_allow_repo_owner_password;
+  }
+  const rule = await createRule(env.DB, body.pattern, accessMode, "operator", priority, defaultAllowSelfPassword);
+  await writeAuditEvent(env.DB, {
+    event_type: "rule.created",
+    actor_type: "operator",
+    rule_id: rule.id,
+    metadata: { pattern: body.pattern, access_mode: accessMode, priority }
+  });
+  return jsonSuccess({ rule }, 201);
+}
+async function handleDeleteRule(request, env, params) {
+  const auth = requireOperator(request, env);
+  if (!auth.authenticated) return auth.response;
+  const ruleId = params["id"];
+  const deleted = await deleteRule(env.DB, ruleId);
+  if (!deleted) {
+    return jsonError("NOT_FOUND", `Rule '${ruleId}' not found`, 404);
+  }
+  await writeAuditEvent(env.DB, {
+    event_type: "rule.deleted",
+    actor_type: "operator",
+    rule_id: ruleId
+  });
+  return jsonSuccess({ deleted: true });
+}
+
+// ../worker/src/handlers/static-files.ts
+async function handleListStatic(request, env, _params) {
+  const auth = requireOperator(request, env);
+  if (!auth.authenticated) return auth.response;
+  const files = ALLOWED_STATIC_KEYS.map((key) => ({
+    key,
+    source: "bundled_default",
+    custom: false
+  }));
+  return jsonSuccess({ files });
+}
+async function handleSetStatic(request, env, _params) {
+  const auth = requireOperator(request, env);
+  if (!auth.authenticated) return auth.response;
+  return jsonError("NOT_IMPLEMENTED", "Static file upload not yet implemented", 501);
+}
+async function handleDeleteStatic(request, env, _params) {
+  const auth = requireOperator(request, env);
+  if (!auth.authenticated) return auth.response;
+  return jsonError("NOT_IMPLEMENTED", "Static file deletion not yet implemented", 501);
+}
+
+// ../worker/src/oidc.ts
+var GITHUB_OIDC_ISSUER = "https://token.actions.githubusercontent.com";
+var GITHUB_JWKS_URL = "https://token.actions.githubusercontent.com/.well-known/jwks";
+var cachedKeys = null;
+var cacheTimestamp = 0;
+var CACHE_TTL_MS = 60 * 60 * 1e3;
+async function verifyGithubOidc(token, expectedAudience) {
+  const parts = token.split(".");
+  if (parts.length !== 3) {
+    return { ok: false, error: "Invalid JWT format: expected 3 parts" };
+  }
+  const [headerB64, payloadB64, signatureB64] = parts;
+  let header;
+  try {
+    header = JSON.parse(base64urlDecode(headerB64));
+  } catch (_e) {
+    return { ok: false, error: "Invalid JWT header" };
+  }
+  if (header.alg !== "RS256") {
+    return { ok: false, error: `Unsupported algorithm: ${header.alg}` };
+  }
+  if (!header.kid) {
+    return { ok: false, error: "JWT header missing kid" };
+  }
+  let payload;
+  try {
+    payload = JSON.parse(base64urlDecode(payloadB64));
+  } catch (_e) {
+    return { ok: false, error: "Invalid JWT payload" };
+  }
+  const claimError = validateStandardClaims(payload, expectedAudience);
+  if (claimError) {
+    return { ok: false, error: claimError };
+  }
+  const keys = await fetchJwks();
+  const key = keys.get(header.kid);
+  if (!key) {
+    cachedKeys = null;
+    const refreshedKeys = await fetchJwks();
+    const refreshedKey = refreshedKeys.get(header.kid);
+    if (!refreshedKey) {
+      return { ok: false, error: `Unknown key ID: ${header.kid}` };
+    }
+    const valid = await verifySignature(refreshedKey, headerB64, payloadB64, signatureB64);
+    if (!valid) {
+      return { ok: false, error: "Invalid JWT signature" };
+    }
+  } else {
+    const valid = await verifySignature(key, headerB64, payloadB64, signatureB64);
+    if (!valid) {
+      return { ok: false, error: "Invalid JWT signature" };
+    }
+  }
+  const claims = {
+    repository: payload.repository ?? "",
+    repository_id: payload.repository_id ?? "",
+    repository_owner: payload.repository_owner ?? "",
+    repository_owner_id: payload.repository_owner_id ?? "",
+    ref: payload.ref ?? "",
+    sha: payload.sha ?? "",
+    workflow_ref: payload.workflow_ref,
+    run_id: payload.run_id,
+    aud: typeof payload.aud === "string" ? payload.aud : payload.aud?.[0],
+    iss: payload.iss
+  };
+  if (!claims.repository) {
+    return { ok: false, error: "Token missing repository claim" };
+  }
+  return { ok: true, claims };
+}
+function validateStandardClaims(payload, expectedAudience) {
+  if (payload.iss !== GITHUB_OIDC_ISSUER) {
+    return `Invalid issuer: ${payload.iss}`;
+  }
+  const aud = typeof payload.aud === "string" ? [payload.aud] : payload.aud;
+  if (!aud || !aud.includes(expectedAudience)) {
+    return `Invalid audience: expected ${expectedAudience}`;
+  }
+  const now = Math.floor(Date.now() / 1e3);
+  if (payload.exp !== void 0 && payload.exp < now - 60) {
+    return "Token has expired";
+  }
+  if (payload.nbf !== void 0 && payload.nbf > now + 60) {
+    return "Token not yet valid";
+  }
+  return null;
+}
+function base64urlDecode(input) {
+  const bytes = base64urlDecodeBytes(input);
+  return new TextDecoder().decode(bytes);
+}
+function base64urlDecodeBytes(input) {
+  let base64 = input.replace(/-/g, "+").replace(/_/g, "/");
+  const pad = base64.length % 4;
+  if (pad === 2) base64 += "==";
+  else if (pad === 3) base64 += "=";
+  const binary = atob(base64);
+  const bytes = new Uint8Array(binary.length);
+  for (let i = 0; i < binary.length; i++) {
+    bytes[i] = binary.charCodeAt(i);
+  }
+  return bytes;
+}
+async function verifySignature(key, headerB64, payloadB64, signatureB64) {
+  const encoder = new TextEncoder();
+  const data = encoder.encode(`${headerB64}.${payloadB64}`);
+  const signature = base64urlDecodeBytes(signatureB64);
+  return crypto.subtle.verify(
+    { name: "RSASSA-PKCS1-v1_5" },
+    key,
+    signature,
+    data
+  );
+}
+async function fetchJwks() {
+  const now = Date.now();
+  if (cachedKeys && now - cacheTimestamp < CACHE_TTL_MS) {
+    return cachedKeys;
+  }
+  const response = await fetch(GITHUB_JWKS_URL);
+  if (!response.ok) {
+    throw new Error(`Failed to fetch JWKS: ${response.status}`);
+  }
+  const jwks = await response.json();
+  const keys = /* @__PURE__ */ new Map();
+  for (const jwk of jwks.keys) {
+    if (jwk.kty !== "RSA" || jwk.alg !== "RS256" || !jwk.kid) continue;
+    const cryptoKey = await crypto.subtle.importKey(
+      "jwk",
+      {
+        kty: jwk.kty,
+        n: jwk.n,
+        e: jwk.e,
+        alg: "RS256"
+      },
+      { name: "RSASSA-PKCS1-v1_5", hash: "SHA-256" },
+      false,
+      ["verify"]
+    );
+    keys.set(jwk.kid, cryptoKey);
+  }
+  cachedKeys = keys;
+  cacheTimestamp = now;
+  return keys;
+}
+
+// ../worker/src/archive.ts
+var MANIFEST_FILENAME = "nrdocs-manifest.json";
+function validatePath(filePath) {
+  if (!filePath || filePath.length === 0) {
+    return { code: "INVALID_PATH", message: "Empty file path" };
+  }
+  if (filePath.includes("\0")) {
+    return { code: "INVALID_PATH", message: `Path contains null bytes: ${filePath}` };
+  }
+  if (filePath.startsWith("/")) {
+    return { code: "PATH_TRAVERSAL", message: `Absolute path not allowed: ${filePath}` };
+  }
+  if (filePath.includes("\\")) {
+    return { code: "PATH_TRAVERSAL", message: `Backslash not allowed in path: ${filePath}` };
+  }
+  if (filePath.includes("..")) {
+    return { code: "PATH_TRAVERSAL", message: `Path traversal not allowed: ${filePath}` };
+  }
+  return null;
+}
+function validateExtension(filePath) {
+  const basename = filePath.split("/").pop() ?? filePath;
+  if (basename === MANIFEST_FILENAME) {
+    return null;
+  }
+  const lastDot = basename.lastIndexOf(".");
+  if (lastDot === -1) {
+    return { code: "INVALID_EXTENSION", message: `No extension found: ${filePath}` };
+  }
+  const ext = basename.slice(lastDot).toLowerCase();
+  if (REJECTED_EXTENSIONS.has(ext)) {
+    const normalized = filePath.replace(/\\/g, "/");
+    if (normalized.startsWith("_nrdocs/")) {
+      return null;
+    }
+    return { code: "REJECTED_EXTENSION", message: `Rejected extension ${ext}: ${filePath}` };
+  }
+  if (!ALLOWED_ASSET_EXTENSIONS.has(ext)) {
+    return { code: "INVALID_EXTENSION", message: `Extension not allowed ${ext}: ${filePath}` };
+  }
+  return null;
+}
+async function extractArtifact(archive, limits) {
+  const maxFileCount = limits?.maxFileCount ?? DEFAULT_MAX_FILE_COUNT;
+  const maxTotalSize = limits?.maxTotalSize ?? DEFAULT_MAX_EXTRACTED_SIZE_MB * 1024 * 1024;
+  const maxSingleFileSize = limits?.maxSingleFileSize ?? DEFAULT_MAX_SINGLE_FILE_SIZE_MB * 1024 * 1024;
+  let tarData;
+  try {
+    tarData = await decompressGzip(archive);
+  } catch (_e) {
+    return { ok: false, error: { code: "DECOMPRESSION_FAILED", message: "Failed to decompress gzip archive" } };
+  }
+  const files = [];
+  let totalSize = 0;
+  let hasManifest = false;
+  let manifest = {};
+  let offset = 0;
+  while (offset < tarData.length) {
+    if (offset + 512 > tarData.length) break;
+    if (isZeroBlock(tarData, offset)) break;
+    const header = parseTarHeader(tarData, offset);
+    if (!header) break;
+    offset += 512;
+    if (header.type !== "0" && header.type !== "" && header.type !== null) {
+      if (header.type === "1" || header.type === "2") {
+        return {
+          ok: false,
+          error: { code: "INVALID_ENTRY_TYPE", message: `Symlinks/hardlinks not allowed: ${header.name}` }
+        };
+      }
+      if (header.type === "3" || header.type === "4" || header.type === "6") {
+        return {
+          ok: false,
+          error: { code: "INVALID_ENTRY_TYPE", message: `Special file type not allowed: ${header.name}` }
+        };
+      }
+      const blocks2 = Math.ceil(header.size / 512);
+      offset += blocks2 * 512;
+      continue;
+    }
+    if (header.size === 0) continue;
+    const pathError = validatePath(header.name);
+    if (pathError) return { ok: false, error: pathError };
+    const extError = validateExtension(header.name);
+    if (extError) return { ok: false, error: extError };
+    if (header.size > maxSingleFileSize) {
+      return {
+        ok: false,
+        error: {
+          code: "FILE_TOO_LARGE",
+          message: `File exceeds size limit (${header.size} bytes): ${header.name}`
+        }
+      };
+    }
+    totalSize += header.size;
+    if (totalSize > maxTotalSize) {
+      return {
+        ok: false,
+        error: { code: "TOTAL_SIZE_EXCEEDED", message: `Total extracted size exceeds limit` }
+      };
+    }
+    if (files.length >= maxFileCount) {
+      return {
+        ok: false,
+        error: { code: "FILE_COUNT_EXCEEDED", message: `File count exceeds limit of ${maxFileCount}` }
+      };
+    }
+    const content = tarData.slice(offset, offset + header.size);
+    files.push({ path: header.name, content, size: header.size });
+    const basename = header.name.split("/").pop() ?? header.name;
+    if (basename === MANIFEST_FILENAME) {
+      hasManifest = true;
+      try {
+        const decoder = new TextDecoder();
+        manifest = JSON.parse(decoder.decode(content));
+      } catch (_e) {
+        return { ok: false, error: { code: "INVALID_MANIFEST", message: "nrdocs-manifest.json is not valid JSON" } };
+      }
+    }
+    const blocks = Math.ceil(header.size / 512);
+    offset += blocks * 512;
+  }
+  if (!hasManifest) {
+    return {
+      ok: false,
+      error: { code: "MISSING_MANIFEST", message: "Archive must contain nrdocs-manifest.json" }
+    };
+  }
+  return {
+    ok: true,
+    result: {
+      files,
+      manifest,
+      totalSize,
+      fileCount: files.length
+    }
+  };
+}
+function parseTarHeader(data, offset) {
+  const name = readString(data, offset, 100);
+  if (!name) return null;
+  const sizeStr = readString(data, offset + 124, 12);
+  const size = parseOctal(sizeStr);
+  const typeByte = data[offset + 156];
+  const type = typeByte === 0 ? null : String.fromCharCode(typeByte);
+  const prefix = readString(data, offset + 345, 155);
+  const fullName = prefix ? `${prefix}/${name}` : name;
+  const normalizedName = fullName.replace(/^\.\//, "");
+  return { name: normalizedName, size, type };
+}
+function readString(data, offset, length) {
+  let end = offset;
+  const max = offset + length;
+  while (end < max && data[end] !== 0) {
+    end++;
+  }
+  const decoder = new TextDecoder();
+  return decoder.decode(data.slice(offset, end)).trim();
+}
+function parseOctal(str) {
+  const trimmed = str.trim();
+  if (!trimmed) return 0;
+  return parseInt(trimmed, 8) || 0;
+}
+function isZeroBlock(data, offset) {
+  for (let i = 0; i < 512 && offset + i < data.length; i++) {
+    if (data[offset + i] !== 0) return false;
+  }
+  return true;
+}
+async function decompressGzip(data) {
+  const ds = new DecompressionStream("gzip");
+  const writer = ds.writable.getWriter();
+  const reader = ds.readable.getReader();
+  writer.write(new Uint8Array(data));
+  writer.close();
+  const chunks = [];
+  let totalLength = 0;
+  while (true) {
+    const { done, value } = await reader.read();
+    if (done) break;
+    chunks.push(value);
+    totalLength += value.length;
+  }
+  const result = new Uint8Array(totalLength);
+  let pos = 0;
+  for (const chunk of chunks) {
+    result.set(chunk, pos);
+    pos += chunk.length;
+  }
+  return result;
+}
+
+// ../worker/src/artifacts.ts
+function buildArtifactPrefix(repoId, buildId) {
+  return `artifacts/${repoId}/${buildId}/`;
+}
+function buildArtifactKey(repoId, buildId, filePath) {
+  return `${buildArtifactPrefix(repoId, buildId)}${filePath}`;
+}
+async function storeArtifactFile(r2, repoId, buildId, filePath, content, contentType) {
+  const key = buildArtifactKey(repoId, buildId, filePath);
+  const options = {};
+  if (contentType) {
+    options.httpMetadata = { contentType };
+  }
+  await r2.put(key, content, options);
+}
+async function getArtifactFile(r2, repoId, buildId, filePath) {
+  const key = buildArtifactKey(repoId, buildId, filePath);
+  return r2.get(key);
+}
+
+// ../worker/src/mime.ts
+var MIME_MAP = {
+  ".html": "text/html; charset=utf-8",
+  ".js": "text/javascript; charset=utf-8",
+  ".css": "text/css; charset=utf-8",
+  ".json": "application/json; charset=utf-8",
+  ".svg": "image/svg+xml",
+  ".png": "image/png",
+  ".jpg": "image/jpeg",
+  ".jpeg": "image/jpeg",
+  ".gif": "image/gif",
+  ".webp": "image/webp",
+  ".ico": "image/x-icon",
+  ".txt": "text/plain; charset=utf-8",
+  ".pdf": "application/pdf"
+};
+function getMimeType(filePath) {
+  const ext = getExtension(filePath);
+  if (!ext) return null;
+  return MIME_MAP[ext] ?? null;
+}
+function getSecurityHeaders(filePath) {
+  const headers = {
+    "X-Content-Type-Options": "nosniff"
+  };
+  const ext = getExtension(filePath);
+  if (ext === ".svg") {
+    headers["Content-Security-Policy"] = "script-src 'none'; object-src 'none'; base-uri 'none'";
+  }
+  return headers;
+}
+function getExtension(filePath) {
+  const lastDot = filePath.lastIndexOf(".");
+  if (lastDot === -1) return null;
+  const lastSlash = filePath.lastIndexOf("/");
+  if (lastDot < lastSlash) return null;
+  return filePath.slice(lastDot).toLowerCase();
+}
+
+// ../worker/src/handlers/publish.ts
+async function handlePublish(request, env, _params) {
+  const authHeader = request.headers.get("Authorization");
+  if (!authHeader) {
+    return jsonError("UNAUTHORIZED", "Missing Authorization header", 401);
+  }
+  const parts = authHeader.split(" ");
+  if (parts.length !== 2 || parts[0] !== "Bearer") {
+    return jsonError("UNAUTHORIZED", "Invalid Authorization header format", 401);
+  }
+  const token = parts[1];
+  const oidcResult = await verifyGithubOidc(token, "nrdocs");
+  if (!oidcResult.ok) {
+    return jsonError("OIDC_VERIFICATION_FAILED", oidcResult.error, 401);
+  }
+  const claims = oidcResult.claims;
+  const fullName = claims.repository.toLowerCase();
+  const ownerName = claims.repository_owner.toLowerCase();
+  const repoName = fullName.split("/")[1] ?? "";
+  const existingRepo = await findRepoByGithubId(env.DB, claims.repository_id);
+  if (existingRepo && existingRepo.approval_state === "disabled") {
+    return jsonError("REPO_DISABLED", "This repository has been disabled by the operator", 409);
+  }
+  let matchedRuleForNewRepo = null;
+  if (!existingRepo) {
+    matchedRuleForNewRepo = await matchRules(env.DB, fullName);
+    if (!matchedRuleForNewRepo) {
+      return jsonError(
+        "REPO_NOT_ALLOWED",
+        `Repository '${fullName}' is not allowed to publish to this instance. The operator must add an auto-approval rule first. Run: nrdocs rules add '${ownerName}/*' --access password`,
+        403
+      );
+    }
+  }
+  let formData;
+  try {
+    formData = await request.formData();
+  } catch (_e) {
+    return jsonError("INVALID_REQUEST", "Expected multipart/form-data body", 400);
+  }
+  const metadataField = formData.get("metadata");
+  const artifactField = formData.get("artifact");
+  if (!artifactField || typeof artifactField === "string") {
+    return jsonError("INVALID_REQUEST", "Missing artifact file in form data", 400);
+  }
+  const artifactFile = artifactField;
+  let metadata = {};
+  if (metadataField) {
+    try {
+      metadata = JSON.parse(metadataField);
+    } catch (_e) {
+      return jsonError("INVALID_METADATA", "metadata field must be valid JSON", 400);
+    }
+    if (metadata.site_title !== void 0 && typeof metadata.site_title !== "string") {
+      return jsonError("INVALID_METADATA", "site_title must be a string", 400);
+    }
+    if (metadata.requested_access !== void 0) {
+      if (!["public", "password"].includes(metadata.requested_access)) {
+        return jsonError("INVALID_METADATA", 'requested_access must be "public" or "password"', 400);
+      }
+    }
+  }
+  const maxArchiveSize = DEFAULT_MAX_ARCHIVE_SIZE_MB * 1024 * 1024;
+  const archiveBuffer = await artifactFile.arrayBuffer();
+  if (archiveBuffer.byteLength > maxArchiveSize) {
+    return jsonError(
+      "ARCHIVE_TOO_LARGE",
+      `Archive exceeds ${DEFAULT_MAX_ARCHIVE_SIZE_MB}MB limit`,
+      400
+    );
+  }
+  const extractResult = await extractArtifact(archiveBuffer);
+  if (!extractResult.ok) {
+    return jsonError(
+      "EXTRACTION_FAILED",
+      extractResult.error.message,
+      400,
+      { code: extractResult.error.code }
+    );
+  }
+  const { files, totalSize, fileCount } = extractResult.result;
+  const repo = await upsertRepo(env.DB, {
+    github_repository_id: claims.repository_id,
+    owner: ownerName,
+    name: repoName,
+    full_name: fullName,
+    site_title: metadata.site_title,
+    requested_access: metadata.requested_access,
+    allow_repo_owner_password: matchedRuleForNewRepo?.default_allow_repo_owner_password
+  });
+  const build = await createBuild(env.DB, {
+    repo_id: repo.id,
+    github_repository_id: claims.repository_id,
+    git_sha: claims.sha,
+    git_ref: claims.ref,
+    workflow_ref: claims.workflow_ref,
+    run_id: claims.run_id
+  });
+  try {
+    for (const file of files) {
+      const artifactPath = file.path.toLowerCase();
+      const contentType = getMimeType(artifactPath) ?? "application/octet-stream";
+      await storeArtifactFile(
+        env.ARTIFACTS,
+        repo.id,
+        build.id,
+        artifactPath,
+        file.content.buffer,
+        contentType
+      );
+    }
+  } catch (_e) {
+    await markBuildFailed(env.DB, build.id, "STORAGE_FAILED", "Failed to store artifact files in R2");
+    return jsonError("STORAGE_FAILED", "Failed to store artifact files", 500);
+  }
+  const contentHash = await computeContentHash(files);
+  const prefix = buildArtifactPrefix(repo.id, build.id);
+  const successBuild = await markBuildSuccess(env.DB, build.id, prefix, totalSize, fileCount, contentHash);
+  await updateLatestBuild(env.DB, repo.id, build.id);
+  await writeAuditEvent(env.DB, {
+    event_type: "build.published",
+    actor_type: "github_action",
+    actor_id: fullName,
+    repo_id: repo.id,
+    build_id: build.id,
+    metadata: {
+      git_sha: claims.sha,
+      git_ref: claims.ref,
+      file_count: fileCount,
+      total_size: totalSize
+    }
+  });
+  const passwordRaw = formData.get("password");
+  if (typeof passwordRaw === "string") {
+    const currentRepo = await findRepoByGithubId(env.DB, claims.repository_id);
+    if (currentRepo && currentRepo.allow_repo_owner_password === true) {
+      if (passwordRaw.length < DEFAULT_MIN_PASSWORD_LENGTH || passwordRaw.length > DEFAULT_MAX_PASSWORD_LENGTH) {
+        return jsonError(
+          "INVALID_PASSWORD",
+          `Password must be between ${DEFAULT_MIN_PASSWORD_LENGTH} and ${DEFAULT_MAX_PASSWORD_LENGTH} characters`,
+          400
+        );
+      }
+      const result = await storeSelfServicePassword(env.DB, {
+        repo: currentRepo,
+        plaintext: passwordRaw,
+        fullName,
+        buildId: build.id
+      });
+      if (!result.ok) {
+        return jsonError(
+          "AUDIT_WRITE_FAILED",
+          "Failed to record self-service password change",
+          500
+        );
+      }
+    } else if (currentRepo && currentRepo.allow_repo_owner_password === false) {
+      try {
+        await writeAuditEvent(env.DB, {
+          event_type: "repo.self_password_ignored",
+          actor_type: "github_action",
+          actor_id: fullName,
+          repo_id: currentRepo.id,
+          build_id: build.id
+        });
+      } catch (_e) {
+        return jsonError(
+          "AUDIT_WRITE_FAILED",
+          "Failed to record self-service password decision",
+          500
+        );
+      }
+    }
+  }
+  let approvalState = repo.approval_state;
+  let approvalSource = null;
+  let accessMode = repo.access_mode;
+  const updatedRepo = await findRepoByGithubId(env.DB, claims.repository_id);
+  if (updatedRepo) {
+    approvalState = updatedRepo.approval_state;
+    accessMode = updatedRepo.access_mode;
+  }
+  if (approvalState === "pending") {
+    const matchedRule = await matchRules(env.DB, fullName);
+    if (matchedRule) {
+      const approved = await approveRepo(env.DB, repo.id, matchedRule.access_mode, `auto_rule:${matchedRule.id}`);
+      approvalState = approved.approval_state;
+      accessMode = approved.access_mode;
+      approvalSource = `auto_rule:${matchedRule.id}`;
+      await writeAuditEvent(env.DB, {
+        event_type: "repo.auto_approved",
+        actor_type: "system",
+        actor_id: "auto_approval",
+        repo_id: repo.id,
+        rule_id: matchedRule.id,
+        metadata: {
+          pattern: matchedRule.pattern,
+          access_mode: matchedRule.access_mode
+        }
+      });
+    }
+  }
+  const servingUrl = `${env.BASE_URL}/${fullName}/`;
+  let visible = false;
+  let reason;
+  let requiresPassword = false;
+  if (approvalState !== "approved") {
+    reason = "awaiting_operator_approval";
+  } else if (accessMode === "none") {
+    reason = "access_mode_not_set";
+  } else if (accessMode === "password") {
+    const hasPw = await hasPassword(env.DB, repo.id);
+    if (!hasPw) {
+      reason = "needs_password";
+      requiresPassword = true;
+    } else {
+      visible = true;
+      reason = "serving";
+      requiresPassword = true;
+    }
+  } else {
+    visible = true;
+    reason = "serving";
+  }
+  const responseData = {
+    repo: {
+      full_name: fullName,
+      github_repository_id: claims.repository_id
+    },
+    build: {
+      id: successBuild.id,
+      status: successBuild.status,
+      git_sha: claims.sha
+    },
+    approval: {
+      state: approvalState,
+      source: approvalSource
+    },
+    access: {
+      mode: accessMode
+    },
+    serving: {
+      visible,
+      reason,
+      url: servingUrl,
+      ...requiresPassword ? { requires_password: true } : {}
+    }
+  };
+  return jsonSuccess(responseData);
+}
+async function computeContentHash(files) {
+  const sorted = [...files].sort((a, b) => a.path.localeCompare(b.path));
+  const encoder = new TextEncoder();
+  const parts = [];
+  for (const file of sorted) {
+    parts.push(encoder.encode(file.path + "\n"));
+    parts.push(file.content);
+  }
+  let totalLen = 0;
+  for (const p of parts) totalLen += p.length;
+  const combined = new Uint8Array(totalLen);
+  let offset = 0;
+  for (const p of parts) {
+    combined.set(p, offset);
+    offset += p.length;
+  }
+  const hashBuffer = await crypto.subtle.digest("SHA-256", combined);
+  const hashArray = new Uint8Array(hashBuffer);
+  let hex = "";
+  for (let i = 0; i < hashArray.length; i++) {
+    hex += hashArray[i].toString(16).padStart(2, "0");
+  }
+  return hex;
+}
+
+// ../worker/src/handlers/audit.ts
+async function handleAuditLog(request, env, _params) {
+  const auth = requireOperator(request, env);
+  if (!auth.authenticated) {
+    return auth.response;
+  }
+  const url = new URL(request.url);
+  const repoFilter = url.searchParams.get("repo") ?? void 0;
+  const eventFilter = url.searchParams.get("event") ?? void 0;
+  const cursor = url.searchParams.get("cursor") ?? void 0;
+  const limitParam = url.searchParams.get("limit");
+  let limit = 50;
+  if (limitParam) {
+    const parsed = parseInt(limitParam, 10);
+    if (!isNaN(parsed) && parsed > 0) {
+      limit = Math.min(parsed, 100);
+    }
+  }
+  const conditions = [];
+  const bindings = [];
+  if (repoFilter) {
+    conditions.push(
+      `repo_id IN (SELECT id FROM repos WHERE full_name = ?)`
+    );
+    bindings.push(repoFilter.toLowerCase());
+  }
+  if (eventFilter) {
+    conditions.push("event_type = ?");
+    bindings.push(eventFilter);
+  }
+  if (cursor) {
+    conditions.push("created_at < ?");
+    bindings.push(cursor);
+  }
+  const whereClause = conditions.length > 0 ? `WHERE ${conditions.join(" AND ")}` : "";
+  const query = `SELECT id, event_type, actor_type, actor_id, repo_id, build_id, rule_id, metadata_json, created_at
+    FROM audit_log ${whereClause}
+    ORDER BY created_at DESC
+    LIMIT ?`;
+  bindings.push(limit + 1);
+  const stmt = env.DB.prepare(query);
+  const result = await stmt.bind(...bindings).all();
+  const rows = result.results ?? [];
+  const hasMore = rows.length > limit;
+  const events = hasMore ? rows.slice(0, limit) : rows;
+  const items = events.map((row) => ({
+    id: row.id,
+    event_type: row.event_type,
+    actor_type: row.actor_type,
+    actor_id: row.actor_id,
+    repo_id: row.repo_id,
+    build_id: row.build_id,
+    rule_id: row.rule_id,
+    metadata: row.metadata_json ? JSON.parse(row.metadata_json) : null,
+    created_at: row.created_at
+  }));
+  const nextCursor = hasMore && events.length > 0 ? events[events.length - 1].created_at : null;
+  return jsonSuccess({
+    items,
+    cursor: nextCursor,
+    has_more: hasMore
+  });
+}
+
+// ../worker/src/path-resolver.ts
+function resolveServingPath(requestPath, owner, repo) {
+  const prefix = `/${owner}/${repo}`;
+  if (requestPath === prefix) {
+    return { type: "redirect", location: `${prefix}/` };
+  }
+  if (!requestPath.startsWith(`${prefix}/`)) {
+    return { type: "not_found" };
+  }
+  const relativePath = requestPath.slice(prefix.length + 1);
+  if (relativePath === "") {
+    return { type: "serve", filePath: "index.html" };
+  }
+  const normalizedRelative = relativePath.replace(/\/+$/, "");
+  const ext = getExtension2(normalizedRelative);
+  if (isPlatformRuntimePath(normalizedRelative, ext)) {
+    return { type: "serve", filePath: normalizedRelative };
+  }
+  if (ext && ext !== ".html" && ALLOWED_ASSET_EXTENSIONS.has(ext)) {
+    return { type: "serve", filePath: relativePath };
+  }
+  if (ext === ".html") {
+    const withoutExt = relativePath.slice(0, -5);
+    if (withoutExt.endsWith("/index") || withoutExt === "index") {
+      const dir = withoutExt === "index" ? "" : withoutExt.slice(0, -6);
+      return { type: "redirect", location: `${prefix}/${dir}${dir ? "/" : ""}` };
+    }
+    return { type: "redirect", location: `${prefix}/${withoutExt}/` };
+  }
+  if (relativePath.endsWith("/")) {
+    return { type: "serve", filePath: `${relativePath}index.html` };
+  }
+  return { type: "redirect", location: `${prefix}/${relativePath}/` };
+}
+function isReservedPath(pathname) {
+  if (pathname === "/favicon.ico" || pathname === "/robots.txt") {
+    return true;
+  }
+  if (pathname.startsWith("/api/") || pathname.startsWith("/api") && pathname.length === 4 || pathname.startsWith("/_nrdocs/") || pathname.startsWith("/_nrdocs") && pathname.length === 8 || pathname.startsWith("/.well-known/")) {
+    return true;
+  }
+  return false;
+}
+function isPlatformRuntimePath(normalizedRelative, ext) {
+  if (!normalizedRelative.startsWith("_nrdocs/")) return false;
+  return ext === ".js" || ext === ".mjs" || ext === ".cjs";
+}
+function getExtension2(filePath) {
+  const lastDot = filePath.lastIndexOf(".");
+  if (lastDot === -1) return null;
+  const lastSlash = filePath.lastIndexOf("/");
+  if (lastDot < lastSlash) return null;
+  return filePath.slice(lastDot).toLowerCase();
+}
+
+// ../worker/src/session.ts
+function normalizeRepoPath(repoPath) {
+  const trimmed = repoPath.replace(/^\//, "").replace(/\/$/, "");
+  if (!trimmed) return "/";
+  const segments = trimmed.split("/").filter(Boolean).map((s) => s.toLowerCase());
+  if (segments.length < 2) return `/${segments.join("/")}`;
+  return `/${segments[0]}/${segments[1]}`;
+}
+function normalizeRepoFullName(fullName) {
+  const parts = fullName.split("/").filter(Boolean);
+  if (parts.length < 2) return fullName.toLowerCase();
+  return `${parts[0].toLowerCase()}/${parts[1].toLowerCase()}`;
+}
+async function createSessionCookie(data, secret) {
+  const payload = JSON.stringify(data);
+  const payloadB64 = base64urlEncode(payload);
+  const signature = await hmacSign(payload, secret);
+  const signatureB64 = base64urlEncode(signature);
+  return `${payloadB64}.${signatureB64}`;
+}
+async function validateSessionCookie(cookie, secret) {
+  const dotIndex = cookie.indexOf(".");
+  if (dotIndex === -1) return null;
+  const payloadB64 = cookie.slice(0, dotIndex);
+  const signatureB64 = cookie.slice(dotIndex + 1);
+  if (!payloadB64 || !signatureB64) return null;
+  let payload;
+  try {
+    payload = base64urlDecode2(payloadB64);
+  } catch {
+    return null;
+  }
+  const expectedSignature = await hmacSign(payload, secret);
+  const expectedB64 = base64urlEncode(expectedSignature);
+  if (!constantTimeEqual2(signatureB64, expectedB64)) {
+    return null;
+  }
+  let data;
+  try {
+    data = JSON.parse(payload);
+  } catch {
+    return null;
+  }
+  if (!data.repo_id || typeof data.password_version !== "number" || typeof data.expires_at !== "number") {
+    return null;
+  }
+  if (Date.now() > data.expires_at) {
+    return null;
+  }
+  return data;
+}
+async function findSessionForRepo(request, repoPath, repoId, secret) {
+  const cookieHeader = request.headers.get("Cookie");
+  if (!cookieHeader) return null;
+  const cookies = parseCookies(cookieHeader);
+  const seen = /* @__PURE__ */ new Set();
+  const preferred = cookies[getSessionCookieName(repoPath)];
+  if (preferred) seen.add(preferred);
+  for (const [name, value] of Object.entries(cookies)) {
+    if (name.startsWith("__nrdocs_session_")) {
+      seen.add(value);
+    }
+  }
+  for (const value of seen) {
+    const session = await validateSessionCookie(value, secret);
+    if (session?.repo_id === repoId) return session;
+  }
+  return null;
+}
+function buildSetCookieHeader(cookieValue, repoPath, maxAgeSeconds) {
+  const canonical = normalizeRepoPath(repoPath);
+  const cookieName = getSessionCookieName(canonical);
+  return `${cookieName}=${cookieValue}; HttpOnly; Secure; SameSite=Lax; Path=${canonical}/; Max-Age=${maxAgeSeconds}`;
+}
+function getSessionCookieName(repoPath) {
+  const normalized = normalizeRepoPath(repoPath).replace(/^\//, "").replace(/\/$/, "").replace(/\//g, "_");
+  return `__nrdocs_session_${normalized}`;
+}
+function parseCookies(header) {
+  const cookies = {};
+  const pairs = header.split(";");
+  for (const pair of pairs) {
+    const eqIndex = pair.indexOf("=");
+    if (eqIndex === -1) continue;
+    const key = pair.slice(0, eqIndex).trim();
+    const value = pair.slice(eqIndex + 1).trim();
+    if (key) {
+      cookies[key] = value;
+    }
+  }
+  return cookies;
+}
+async function hmacSign(data, secret) {
+  const encoder = new TextEncoder();
+  const key = await crypto.subtle.importKey(
+    "raw",
+    encoder.encode(secret),
+    { name: "HMAC", hash: "SHA-256" },
+    false,
+    ["sign"]
+  );
+  const signature = await crypto.subtle.sign("HMAC", key, encoder.encode(data));
+  const bytes = new Uint8Array(signature);
+  let hex = "";
+  for (let i = 0; i < bytes.length; i++) {
+    hex += bytes[i].toString(16).padStart(2, "0");
+  }
+  return hex;
+}
+function base64urlEncode(input) {
+  const encoder = new TextEncoder();
+  const bytes = encoder.encode(input);
+  let binary = "";
+  for (let i = 0; i < bytes.length; i++) {
+    binary += String.fromCharCode(bytes[i]);
+  }
+  const base64 = btoa(binary);
+  return base64.replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
+}
+function base64urlDecode2(input) {
+  let base64 = input.replace(/-/g, "+").replace(/_/g, "/");
+  while (base64.length % 4 !== 0) {
+    base64 += "=";
+  }
+  const binary = atob(base64);
+  const bytes = new Uint8Array(binary.length);
+  for (let i = 0; i < binary.length; i++) {
+    bytes[i] = binary.charCodeAt(i);
+  }
+  const decoder = new TextDecoder();
+  return decoder.decode(bytes);
+}
+function constantTimeEqual2(a, b) {
+  if (a.length !== b.length) return false;
+  let result = 0;
+  for (let i = 0; i < a.length; i++) {
+    result |= a.charCodeAt(i) ^ b.charCodeAt(i);
+  }
+  return result === 0;
+}
+
+// ../worker/src/handlers/password-page.ts
+function renderPasswordPage(repoFullName, error) {
+  const errorHtml = error ? `<p class="error" role="alert">${escapeHtml(error)}</p>` : "";
+  const html = `<!DOCTYPE html>
+<html lang="en">
+<head>
+  <meta charset="utf-8">
+  <meta name="viewport" content="width=device-width, initial-scale=1">
+  <title>Password Required</title>
+  <style>
+    * { box-sizing: border-box; margin: 0; padding: 0; }
+    body {
+      font-family: -apple-system, BlinkMacSystemFont, "Segoe UI", Roboto, sans-serif;
+      display: flex;
+      align-items: center;
+      justify-content: center;
+      min-height: 100vh;
+      background: #f5f5f5;
+      color: #333;
+    }
+    .container {
+      background: #fff;
+      border-radius: 8px;
+      padding: 2rem;
+      box-shadow: 0 2px 8px rgba(0,0,0,0.1);
+      width: 100%;
+      max-width: 400px;
+    }
+    h1 { font-size: 1.25rem; margin-bottom: 1rem; }
+    label { display: block; font-size: 0.875rem; margin-bottom: 0.5rem; font-weight: 500; }
+    input[type="password"] {
+      width: 100%;
+      padding: 0.5rem 0.75rem;
+      border: 1px solid #ccc;
+      border-radius: 4px;
+      font-size: 1rem;
+      margin-bottom: 1rem;
+    }
+    input[type="password"]:focus {
+      outline: 2px solid #0066cc;
+      outline-offset: 1px;
+      border-color: #0066cc;
+    }
+    button {
+      width: 100%;
+      padding: 0.625rem;
+      background: #0066cc;
+      color: #fff;
+      border: none;
+      border-radius: 4px;
+      font-size: 1rem;
+      cursor: pointer;
+    }
+    button:hover { background: #0052a3; }
+    button:focus { outline: 2px solid #0066cc; outline-offset: 2px; }
+    .error { color: #cc0000; font-size: 0.875rem; margin-bottom: 1rem; }
+  </style>
+</head>
+<body>
+  <main class="container">
+    <h1>Password Required</h1>
+    ${errorHtml}
+    <form method="POST" action="/_nrdocs/login">
+      <input type="hidden" name="repo" value="${escapeHtml(repoFullName)}">
+      <label for="password">Enter password to view documentation</label>
+      <input type="password" id="password" name="password" required autocomplete="current-password">
+      <button type="submit">Submit</button>
+    </form>
+  </main>
+</body>
+</html>`;
+  return new Response(html, {
+    status: 200,
+    headers: {
+      "Content-Type": "text/html; charset=utf-8",
+      "Cache-Control": "no-store",
+      "X-Content-Type-Options": "nosniff"
+    }
+  });
+}
+function escapeHtml(str) {
+  return str.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;").replace(/"/g, "&quot;").replace(/'/g, "&#x27;");
+}
+
+// ../worker/src/handlers/serve.ts
+async function handleServe(request, env, url) {
+  const segments = url.pathname.split("/").filter(Boolean);
+  if (segments.length < 2) {
+    return notFound();
+  }
+  const rawOwner = segments[0];
+  const rawRepo = segments[1];
+  const owner = rawOwner.toLowerCase();
+  const repo = rawRepo.toLowerCase();
+  if (rawOwner !== owner || rawRepo !== repo) {
+    const normalized = url.pathname.replace(`/${rawOwner}/${rawRepo}`, `/${owner}/${repo}`) + url.search;
+    return new Response(null, {
+      status: 301,
+      headers: { Location: normalized }
+    });
+  }
+  const fullName = `${owner}/${repo}`;
+  const repoRecord = await findRepoByFullName(env.DB, fullName);
+  if (!repoRecord) return notFound();
+  if (repoRecord.approval_state !== "approved") return notFound();
+  if (!repoRecord.latest_successful_build_id) return notFound();
+  if (repoRecord.access_mode === "none") return notFound();
+  if (repoRecord.access_mode === "password") {
+    const repoPath = normalizeRepoPath(`/${owner}/${repo}`);
+    let authenticated = false;
+    const session = await findSessionForRepo(
+      request,
+      repoPath,
+      repoRecord.id,
+      env.SESSION_SECRET
+    );
+    if (session) {
+      const credential = await getActivePassword(env.DB, repoRecord.id);
+      if (credential && session.password_version === credential.password_version) {
+        authenticated = true;
+      }
+    }
+    if (!authenticated) {
+      return renderPasswordPage(fullName);
+    }
+  }
+  const resolution = resolveServingPath(url.pathname, owner, repo);
+  switch (resolution.type) {
+    case "redirect":
+      return new Response(null, {
+        status: 301,
+        headers: { Location: resolution.location }
+      });
+    case "not_found":
+      return notFound();
+    case "serve": {
+      const build = await findBuildById(env.DB, repoRecord.latest_successful_build_id);
+      if (!build || !build.artifact_prefix) {
+        return notFound();
+      }
+      let filePath = resolution.filePath;
+      let file = await getArtifactFile(
+        env.ARTIFACTS,
+        repoRecord.id,
+        build.id,
+        filePath
+      );
+      if (!file && filePath !== filePath.toLowerCase()) {
+        filePath = filePath.toLowerCase();
+        file = await getArtifactFile(
+          env.ARTIFACTS,
+          repoRecord.id,
+          build.id,
+          filePath
+        );
+      }
+      if (!file && filePath === "index.html") {
+        const fallback = await resolveRootPageFromManifest(
+          env,
+          repoRecord.id,
+          build.id
+        );
+        if (fallback) {
+          return new Response(null, {
+            status: 302,
+            headers: { Location: `/${owner}/${repo}/${fallback}` }
+          });
+        }
+      }
+      if (!file) {
+        return notFound();
+      }
+      const mimeType = getMimeType(filePath) ?? "application/octet-stream";
+      const securityHeaders = getSecurityHeaders(filePath);
+      return new Response(file.body, {
+        status: 200,
+        headers: {
+          "Content-Type": mimeType,
+          "Cache-Control": "public, max-age=300",
+          ...securityHeaders
+        }
+      });
+    }
+  }
+}
+async function resolveRootPageFromManifest(env, repoId, buildId) {
+  const manifestFile = await getArtifactFile(env.ARTIFACTS, repoId, buildId, "nrdocs-manifest.json");
+  if (!manifestFile) return null;
+  let manifest;
+  try {
+    manifest = JSON.parse(await manifestFile.text());
+  } catch {
+    return null;
+  }
+  const pages = manifest.pages ?? [];
+  if (pages.length === 0) return null;
+  const indexPage = pages.find((p) => p.path === "index.html");
+  const pagePath = indexPage?.path ?? pages[0]?.path;
+  if (!pagePath || pagePath === "index.html") return null;
+  const dir = pagePath.replace(/\/index\.html$/, "");
+  return dir ? `${dir}/` : null;
+}
+function notFound() {
+  return new Response("Not Found", {
+    status: 404,
+    headers: {
+      "Content-Type": "text/plain; charset=utf-8",
+      "X-Content-Type-Options": "nosniff"
+    }
+  });
+}
+
+// ../worker/src/handlers/password-auth.ts
+var SESSION_MAX_AGE_SECONDS = 86400;
+async function handlePasswordLogin(request, env) {
+  const contentType = request.headers.get("Content-Type") ?? "";
+  if (!contentType.includes("application/x-www-form-urlencoded")) {
+    return jsonError("BAD_REQUEST", "Invalid content type", 400);
+  }
+  let formData;
+  try {
+    const body = await request.text();
+    formData = new URLSearchParams(body);
+  } catch {
+    return jsonError("BAD_REQUEST", "Invalid form data", 400);
+  }
+  const password = formData.get("password") ?? "";
+  const repoFullName = normalizeRepoFullName(formData.get("repo") ?? "");
+  if (!password || !repoFullName) {
+    return jsonError("BAD_REQUEST", "Missing required fields", 400);
+  }
+  const repo = await findRepoByFullName(env.DB, repoFullName);
+  if (!repo || repo.approval_state !== "approved" || repo.access_mode !== "password") {
+    return jsonError("NOT_FOUND", "Not found", 404);
+  }
+  const credential = await getActivePassword(env.DB, repo.id);
+  if (!credential) {
+    return jsonError("NOT_FOUND", "Not found", 404);
+  }
+  const valid = await verifyPassword(
+    password,
+    credential.password_hash,
+    credential.salt,
+    credential.iteration_count
+  );
+  if (!valid) {
+    return renderPasswordPage(repoFullName, "Incorrect password. Please try again.");
+  }
+  const sessionData = {
+    repo_id: repo.id,
+    password_version: credential.password_version,
+    expires_at: Date.now() + SESSION_MAX_AGE_SECONDS * 1e3
+  };
+  const cookieValue = await createSessionCookie(sessionData, env.SESSION_SECRET);
+  const repoPath = normalizeRepoPath(`/${repo.full_name}`);
+  const setCookie = buildSetCookieHeader(cookieValue, repoPath, SESSION_MAX_AGE_SECONDS);
+  return new Response(null, {
+    status: 303,
+    headers: {
+      Location: `${repoPath}/`,
+      "Set-Cookie": setCookie
+    }
+  });
+}
+
+// ../worker/src/handlers/homepage.ts
+function handleHomepage(_request, env) {
+  const html = `<!doctype html>
+<html lang="en">
+<head>
+  <meta charset="utf-8">
+  <meta name="viewport" content="width=device-width, initial-scale=1">
+  <meta name="description" content="nrdocs publishes documentation from GitHub repos without exposing the repository. Public or password-protected docs from any repo.">
+  <meta name="generator" content="nrdocs ${NRDOCS_VERSION}">
+  <title>nrdocs \u2014 Publish docs without exposing the repo</title>
+  <style>
+    :root{--bg:#f7f7f4;--surface:#fff;--surface-alt:#efefe9;--text:#171717;--muted:#686860;--line:#deded6;--accent:#1f6feb;--accent-dark:#174ea6;--code-bg:#202124;--code-text:#f5f5f0;--max:1120px;--radius:18px;--shadow:0 18px 50px rgba(20,20,20,0.08)}
+    *{box-sizing:border-box}
+    html{scroll-behavior:smooth}
+    body{margin:0;font-family:Inter,ui-sans-serif,system-ui,-apple-system,BlinkMacSystemFont,"Segoe UI",sans-serif;background:var(--bg);color:var(--text);line-height:1.6;-webkit-font-smoothing:antialiased}
+    a{color:inherit;text-decoration:none}
+    .site-header{position:sticky;top:0;z-index:20;border-bottom:1px solid rgba(222,222,214,0.8);background:rgba(247,247,244,0.88);backdrop-filter:blur(16px)}
+    .nav{max-width:var(--max);margin:0 auto;padding:18px 24px;display:flex;align-items:center;justify-content:space-between;gap:24px}
+    .brand{display:inline-flex;align-items:center;gap:10px;font-weight:720;letter-spacing:-0.03em;font-size:20px}
+    .brand-mark{width:34px;height:34px;border-radius:10px;display:grid;place-items:center;background:var(--text);color:var(--surface);font-size:14px;font-weight:800;letter-spacing:-0.05em}
+    .nav-links{display:flex;align-items:center;gap:22px;color:var(--muted);font-size:14px;font-weight:560}
+    .nav-links a:hover{color:var(--text)}
+    .container{max-width:var(--max);margin:0 auto;padding:0 24px}
+    .hero{padding:86px 0 64px;display:grid;grid-template-columns:minmax(0,1.05fr) minmax(320px,0.95fr);gap:54px;align-items:center}
+    .eyebrow{display:inline-flex;align-items:center;gap:8px;padding:7px 11px;border:1px solid var(--line);border-radius:999px;background:var(--surface);color:var(--muted);font-size:13px;font-weight:620;margin-bottom:22px}
+    .eyebrow span{width:7px;height:7px;border-radius:999px;background:#2da44e}
+    h1,h2,h3,p{margin-top:0}
+    h1{font-size:clamp(46px,7vw,72px);line-height:0.96;letter-spacing:-0.06em;margin-bottom:26px}
+    .hero-copy{font-size:clamp(18px,2vw,21px);color:var(--muted);max-width:660px;margin-bottom:34px}
+    .hero-copy strong{color:var(--text);font-weight:720}
+    .actions{display:flex;flex-wrap:wrap;gap:12px;align-items:center}
+    .button{display:inline-flex;align-items:center;justify-content:center;min-height:46px;padding:0 18px;border-radius:12px;font-weight:700;border:1px solid transparent;transition:transform 160ms ease,background 160ms ease}
+    .button:hover{transform:translateY(-1px)}
+    .button.primary{background:var(--text);color:var(--surface)}
+    .button.primary:hover{background:#2c2c2c}
+    .button.secondary{background:var(--surface);color:var(--text);border-color:var(--line)}
+    .button.secondary:hover{border-color:#c7c7bd}
+    .hero-card{background:var(--surface);border:1px solid var(--line);border-radius:26px;box-shadow:var(--shadow);overflow:hidden}
+    .terminal-top{display:flex;align-items:center;gap:7px;padding:16px 18px;background:var(--surface-alt);border-bottom:1px solid var(--line)}
+    .dot{width:10px;height:10px;border-radius:999px;background:#c9c9c1}
+    .terminal{margin:0;background:var(--code-bg);color:var(--code-text);padding:24px;font-family:ui-monospace,SFMono-Regular,Menlo,Monaco,Consolas,monospace;font-size:14px;line-height:1.75;min-height:220px;overflow-x:auto;white-space:pre}
+    .terminal .muted{color:#a8a8a0}
+    .terminal .ok{color:#9be9a8}
+    .terminal .path{color:#79c0ff}
+    section{padding:68px 0}
+    .section-head{max-width:760px;margin-bottom:34px}
+    .section-kicker{color:var(--accent-dark);font-size:13px;font-weight:800;letter-spacing:0.08em;text-transform:uppercase;margin-bottom:12px}
+    h2{font-size:clamp(32px,5vw,48px);line-height:1.05;letter-spacing:-0.05em;margin-bottom:16px}
+    .section-copy{color:var(--muted);font-size:18px;max-width:720px}
+    .grid{display:grid;gap:18px}
+    .grid.two{grid-template-columns:repeat(2,minmax(0,1fr))}
+    .grid.three{grid-template-columns:repeat(3,minmax(0,1fr))}
+    .grid.four{grid-template-columns:repeat(4,minmax(0,1fr))}
+    .card{background:var(--surface);border:1px solid var(--line);border-radius:var(--radius);padding:24px}
+    .card h3{font-size:20px;letter-spacing:-0.03em;margin-bottom:10px}
+    .card p{color:var(--muted);margin-bottom:0}
+    .problem-list{margin:1.2rem 0 0;padding-left:1.2rem;color:var(--muted);line-height:1.7}
+    .problem-list li{margin-bottom:0.3rem}
+    .compare{display:grid;grid-template-columns:1fr 1fr;gap:18px;margin-top:28px}
+    .compare-card{background:var(--surface);border:1px solid var(--line);border-radius:var(--radius);padding:24px}
+    .compare-card h3{font-size:16px;margin-bottom:12px;color:var(--muted);font-weight:700;text-transform:uppercase;letter-spacing:0.04em}
+    .compare-card pre{background:var(--surface-alt);border-radius:10px;padding:16px;font-size:13px;line-height:1.7;margin:0;white-space:pre;font-family:ui-monospace,SFMono-Regular,Menlo,Monaco,Consolas,monospace;color:var(--text)}
+    .workflow{display:grid;grid-template-columns:repeat(5,minmax(0,1fr));gap:12px;margin-top:28px}
+    .step{background:var(--surface);border:1px solid var(--line);border-radius:16px;padding:18px;min-height:130px}
+    .step-number{display:inline-grid;place-items:center;width:28px;height:28px;border-radius:9px;background:var(--surface-alt);color:var(--muted);font-size:13px;font-weight:800;margin-bottom:14px}
+    .step strong{display:block;line-height:1.25;letter-spacing:-0.02em;margin-bottom:6px}
+    .step span{color:var(--muted);font-size:14px;line-height:1.45;display:block}
+    .callout{background:var(--text);color:var(--surface);border-radius:28px;padding:44px;display:grid;grid-template-columns:minmax(0,1fr) auto;gap:28px;align-items:center;margin-top:48px}
+    .callout h2{color:var(--surface);margin-bottom:12px}
+    .callout p{color:#d6d6cf;max-width:680px;margin-bottom:0;font-size:18px}
+    .callout .button{background:var(--surface);color:var(--text);white-space:nowrap}
+    .status-badge{display:inline-block;padding:5px 10px;border-radius:8px;background:var(--surface-alt);border:1px solid var(--line);font-size:13px;font-weight:600;color:var(--muted);margin-top:12px}
+    .footnote{color:var(--muted);font-size:14px;text-align:center;padding:34px 24px 48px}
+    @media(max-width:900px){.nav-links{display:none}.hero,.compare,.callout{grid-template-columns:1fr}.grid.two,.grid.three,.grid.four,.workflow{grid-template-columns:1fr}.hero{padding-top:60px}.callout{padding:32px}}
+    @media(max-width:520px){.container,.nav{padding-left:18px;padding-right:18px}h1{font-size:42px}.terminal{font-size:12px;padding:18px}.callout{padding:24px}}
+  </style>
+</head>
+<body>
+  <header class="site-header">
+    <nav class="nav">
+      <a class="brand" href="/"><span class="brand-mark">nr</span><span>nrdocs</span></a>
+      <div class="nav-links">
+        <a href="#problem">Problem</a>
+        <a href="#workflow">Workflow</a>
+        <a href="#use-cases">Use cases</a>
+        <a href="#features">Features</a>
+        <a href="https://github.com/noam-r/nrdocs">GitHub</a>
+      </div>
+    </nav>
+  </header>
+
+  <main>
+    <div class="container">
+      <section class="hero">
+        <div>
+          <div class="eyebrow"><span></span> Open-source docs publishing</div>
+          <h1>Publish docs without exposing the repo.</h1>
+          <p class="hero-copy">
+            <strong>nrdocs</strong> lets teams keep documentation next to the code, then publish only the generated docs site. Use it for public docs from private repos, password-protected docs, or many small docs sites under one shared domain.
+          </p>
+          <p class="hero-copy" style="font-size:0.95em;margin-bottom:28px">Works with public and private GitHub repositories. Especially useful when the docs need a different visibility policy than the code.</p>
+          <div class="actions">
+            <a class="button primary" href="https://github.com/noam-r/nrdocs">View on GitHub</a>
+            <a class="button secondary" href="https://github.com/noam-r/nrdocs#quick-start">Setup guide</a>
+          </div>
+        </div>
+        <aside class="hero-card">
+          <div class="terminal-top"><span class="dot"></span><span class="dot"></span><span class="dot"></span></div>
+          <pre class="terminal"><span class="muted"># deploy once</span>
+nrdocs deploy
+
+<span class="muted"># repo owner</span>
+nrdocs init
+git push
+
+<span class="muted"># operator approves</span>
+nrdocs approve owner/repo --access public
+<span class="ok">\u2713 docs live</span>
+<span class="path">${env.BASE_URL}/owner/repo/</span></pre>
+        </aside>
+      </section>
+    </div>
+
+    <section id="problem">
+      <div class="container">
+        <div class="section-head">
+          <div class="section-kicker">The problem</div>
+          <h2>GitHub Pages couples docs to repo visibility.</h2>
+          <p class="section-copy">You have a repo where the code must stay private, but the docs should be easy to publish. The usual options are awkward:</p>
+          <ul class="problem-list">
+            <li>Make the repo public</li>
+            <li>Create and maintain a second public docs repo</li>
+            <li>Use enterprise-only private Pages access</li>
+            <li>Give readers access to the source repo</li>
+          </ul>
+          <p class="section-copy" style="margin-top:1.2rem"><strong>nrdocs gives you a cleaner option:</strong> keep docs in the repo, publish only the docs output.</p>
+        </div>
+
+        <div class="compare">
+          <div class="compare-card">
+            <h3>Without nrdocs</h3>
+            <pre>private repo
+  \u2193 copy docs manually
+public docs repo
+  \u2193 GitHub Pages
+public docs site</pre>
+          </div>
+          <div class="compare-card">
+            <h3>With nrdocs</h3>
+            <pre>any repo (public or private)
+  \u2193 git push
+nrdocs (GitHub Actions + OIDC)
+  \u2193
+public or protected docs site</pre>
+          </div>
+        </div>
+      </div>
+    </section>
+
+    <section id="workflow">
+      <div class="container">
+        <div class="section-head">
+          <div class="section-kicker">How it works</div>
+          <h2>A normal Git workflow for documentation.</h2>
+          <p class="section-copy">An operator deploys nrdocs once. Repo owners initialize docs publishing. GitHub Actions publishes via OIDC. The operator approves. Readers get a clean docs URL. Future pushes update automatically.</p>
+        </div>
+        <div class="workflow">
+          <div class="step"><div class="step-number">1</div><strong>Deploy once</strong><span>Operator runs nrdocs deploy on Cloudflare.</span></div>
+          <div class="step"><div class="step-number">2</div><strong>Init</strong><span>Repo owner runs nrdocs init. Adds Markdown docs.</span></div>
+          <div class="step"><div class="step-number">3</div><strong>Push</strong><span>GitHub Action registers and publishes docs via OIDC.</span></div>
+          <div class="step"><div class="step-number">4</div><strong>Approve</strong><span>Operator decides: public or password-protected.</span></div>
+          <div class="step"><div class="step-number">5</div><strong>Live</strong><span>Docs served. Updates publish without re-approval.</span></div>
+        </div>
+      </div>
+    </section>
+
+    <section id="use-cases">
+      <div class="container">
+        <div class="section-head">
+          <div class="section-kicker">Use cases</div>
+          <h2>Use nrdocs when docs and code need different visibility.</h2>
+        </div>
+        <div class="grid four">
+          <article class="card"><h3>Public docs from a private repo</h3><p>Keep the source private while publishing documentation for users, customers, or the community.</p></article>
+          <article class="card"><h3>Password-protected internal docs</h3><p>Share docs with a small audience without giving readers access to the GitHub repository.</p></article>
+          <article class="card"><h3>Same-repo documentation</h3><p>Keep docs close to the code they describe instead of copying them into a separate publishing repo.</p></article>
+          <article class="card"><h3>Many sites, one platform</h3><p>Run one shared nrdocs instance and approve multiple repositories under a common docs domain.</p></article>
+        </div>
+      </div>
+    </section>
+
+    <section id="audience">
+      <div class="container">
+        <div class="section-head">
+          <div class="section-kicker">Two roles</div>
+          <h2>Built for repo owners and platform operators.</h2>
+        </div>
+        <div class="grid two">
+          <article class="card">
+            <h3>For repo owners</h3>
+            <p>Write Markdown in your repo. Run nrdocs init. Push normally. Get a docs URL after approval. No hosting infrastructure to manage.</p>
+          </article>
+          <article class="card">
+            <h3>For platform operators</h3>
+            <p>Deploy one shared nrdocs instance. Approve which repos may publish. Choose public or password-protected access. Keep platform secrets out of project repos.</p>
+          </article>
+        </div>
+      </div>
+    </section>
+
+    <section id="features">
+      <div class="container">
+        <div class="section-head">
+          <div class="section-kicker">Features</div>
+          <h2>Publish, protect, serve.</h2>
+        </div>
+        <div class="grid three">
+          <article class="card"><h3>No accidental public repos</h3><p>Publish documentation without making the source repository public.</p></article>
+          <article class="card"><h3>Public or password-protected</h3><p>Choose whether each docs site is open to everyone or protected by a shared password.</p></article>
+          <article class="card"><h3>No publishing secrets in repos</h3><p>GitHub OIDC lets repositories publish without handing long-lived platform credentials to repo owners.</p></article>
+          <article class="card"><h3>Operator approval flow</h3><p>Operators control which repositories can publish and under which access policy.</p></article>
+          <article class="card"><h3>Serverless hosting</h3><p>Runs on Cloudflare Workers, D1, and R2. No VM, no container, no maintenance.</p></article>
+          <article class="card"><h3>Markdown-first</h3><p>Start with simple Markdown documentation that lives next to the code.</p></article>
+        </div>
+      </div>
+    </section>
+
+    <section id="not">
+      <div class="container">
+        <div class="grid two">
+          <article class="card">
+            <div class="section-kicker">What nrdocs is not</div>
+            <h3>Not another docs generator</h3>
+            <p>MkDocs, Docusaurus, and similar tools build documentation sites. nrdocs focuses on publishing, routing, protecting, and serving docs that live in GitHub repos. Use the built-in Markdown flow for simple docs today.</p>
+          </article>
+          <article class="card">
+            <div class="section-kicker">Project status</div>
+            <h3>Early open-source release</h3>
+            <p>nrdocs is an early open-source project. The current focus is making same-repo docs publishing smooth for public and private GitHub repositories.</p>
+            <div class="status-badge">v${NRDOCS_VERSION} &middot; early release</div>
+          </article>
+        </div>
+      </div>
+    </section>
+
+    <div class="container">
+      <div class="callout">
+        <div>
+          <h2>Try nrdocs</h2>
+          <p>Deploy once, initialize a repo, approve the site, and publish docs without exposing the source repository.</p>
+        </div>
+        <div class="actions">
+          <a class="button" href="https://github.com/noam-r/nrdocs">View on GitHub</a>
+        </div>
+      </div>
+    </div>
+  </main>
+
+  <footer class="footnote">
+    <p>nrdocs v${NRDOCS_VERSION} &middot; docs should move with the work, not chase it around.</p>
+  </footer>
+</body>
+</html>`;
+  return new Response(html, {
+    status: 200,
+    headers: {
+      "Content-Type": "text/html; charset=utf-8",
+      "X-Content-Type-Options": "nosniff",
+      "Cache-Control": "public, max-age=3600"
+    }
+  });
+}
+
+// ../worker/src/index.ts
+var router = new Router();
+router.get("/api/status", handleStatus);
+router.get("/api/operator/me", handleOperatorMe);
+router.get("/api/repos", handleListRepos);
+router.get("/api/repos/:owner/:repo", handleGetRepo);
+router.post("/api/repos/:owner/:repo/approve", handleApproveRepo);
+router.post("/api/repos/:owner/:repo/disable", handleDisableRepo);
+router.post("/api/repos/:owner/:repo/access", handleSetAccess);
+router.post("/api/repos/:owner/:repo/password", handleSetPassword);
+router.post("/api/repos/:owner/:repo/allow-self-password", handleAllowSelfPassword);
+router.post("/api/repos/:owner/:repo/disallow-self-password", handleDisallowSelfPassword);
+router.get("/api/auto-approval-rules", handleListRules);
+router.post("/api/auto-approval-rules", handleCreateRule);
+router.delete("/api/auto-approval-rules/:id", handleDeleteRule);
+router.get("/api/static", handleListStatic);
+router.put("/api/static/:key", handleSetStatic);
+router.delete("/api/static/:key", handleDeleteStatic);
+router.post("/api/publish", handlePublish);
+router.get("/api/audit-log", handleAuditLog);
+var index_default = {
+  async fetch(request, env) {
+    const requestId = crypto.randomUUID();
+    try {
+      const response = await router.handle(request, env);
+      if (response) return response;
+      const url = new URL(request.url);
+      if (request.method === "POST" && url.pathname === "/_nrdocs/login") {
+        return handlePasswordLogin(request, env);
+      }
+      if (url.pathname === "/" && request.method === "GET") {
+        return handleHomepage(request, env);
+      }
+      if (isReservedPath(url.pathname)) {
+        return jsonError("NOT_FOUND", "Not found", 404);
+      }
+      if (request.method === "GET") {
+        const segments = url.pathname.split("/").filter(Boolean);
+        if (segments.length >= 2) {
+          return handleServe(request, env, url);
+        }
+      }
+      return jsonError("NOT_FOUND", "Endpoint not found", 404);
+    } catch (err) {
+      const message = err instanceof Error ? err.message : "Unknown error";
+      console.error(`[${requestId}] Unhandled error:`, message);
+      return new Response(
+        JSON.stringify({
+          ok: false,
+          error: {
+            code: "INTERNAL_ERROR",
+            message: "An internal error occurred"
+          },
+          request_id: requestId
+        }),
+        {
+          status: 500,
+          headers: { "Content-Type": "application/json" }
+        }
+      );
+    }
+  }
+};
+export {
+  index_default as default
+};