third-audience-mdx 1.0.0 → 1.0.3

package/dist/dashboard/routes/okf-graph-route.d.mts

@@ -0,0 +1,6 @@
+import { NextRequest, NextResponse } from 'next/server';
+
+/** GET /api/third-audience/okf-graph — returns graph JSON for the OKF dashboard viewer */
+declare function GET(req: NextRequest): Promise<NextResponse>;
+
+export { GET };

package/dist/dashboard/routes/okf-graph-route.d.ts

@@ -0,0 +1,6 @@
+import { NextRequest, NextResponse } from 'next/server';
+
+/** GET /api/third-audience/okf-graph — returns graph JSON for the OKF dashboard viewer */
+declare function GET(req: NextRequest): Promise<NextResponse>;
+
+export { GET };

package/dist/dashboard/routes/okf-graph-route.js

@@ -0,0 +1,266 @@
+"use strict";
+var __create = Object.create;
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __getProtoOf = Object.getPrototypeOf;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toESM = (mod, isNodeMode, target) => (target = mod != null ? __create(__getProtoOf(mod)) : {}, __copyProps(
+  // If the importer is in node compatibility mode or this is not an ESM
+  // file that has been converted to a CommonJS file using a Babel-
+  // compatible transform (i.e. "__esModule" has not been set), then set
+  // "default" to the CommonJS "module.exports" for node compatibility.
+  isNodeMode || !mod || !mod.__esModule ? __defProp(target, "default", { value: mod, enumerable: true }) : target,
+  mod
+));
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+
+// src/dashboard/routes/okf-graph-route.ts
+var okf_graph_route_exports = {};
+__export(okf_graph_route_exports, {
+  GET: () => GET
+});
+module.exports = __toCommonJS(okf_graph_route_exports);
+var import_server2 = require("next/server");
+var import_path3 = __toESM(require("path"));
+
+// src/core/mdx-reader.ts
+var import_fs = __toESM(require("fs"));
+var import_path = __toESM(require("path"));
+var import_gray_matter = __toESM(require("gray-matter"));
+var MdxReader = class {
+  constructor(options) {
+    this.contentDir = options.contentDir;
+  }
+  /** Read a single MDX file by slug. Returns null if not found. */
+  read(slug) {
+    const candidates = [
+      import_path.default.join(this.contentDir, `${slug}.mdx`),
+      import_path.default.join(this.contentDir, `${slug}.md`),
+      import_path.default.join(this.contentDir, slug, "index.mdx"),
+      import_path.default.join(this.contentDir, slug, "index.md")
+    ];
+    for (const filePath of candidates) {
+      if (import_fs.default.existsSync(filePath)) {
+        return this.parseFile(slug, filePath);
+      }
+    }
+    return null;
+  }
+  /** Read all MDX files recursively. */
+  readAll() {
+    if (!import_fs.default.existsSync(this.contentDir)) return [];
+    return this.walkDir(this.contentDir, this.contentDir);
+  }
+  walkDir(dir, root) {
+    const results = [];
+    for (const entry of import_fs.default.readdirSync(dir, { withFileTypes: true })) {
+      const fullPath = import_path.default.join(dir, entry.name);
+      if (entry.isDirectory()) {
+        results.push(...this.walkDir(fullPath, root));
+      } else if (entry.name.endsWith(".mdx") || entry.name.endsWith(".md")) {
+        const relative = import_path.default.relative(root, fullPath);
+        const slug = relative.replace(/\.(mdx|md)$/, "").replace(/\/index$/, "");
+        results.push(this.parseFile(slug, fullPath));
+      }
+    }
+    return results;
+  }
+  parseFile(slug, filePath) {
+    const raw = import_fs.default.readFileSync(filePath, "utf-8");
+    const { data: frontmatter, content: rawContent } = (0, import_gray_matter.default)(raw);
+    return { slug, filePath, frontmatter, rawContent };
+  }
+};
+
+// src/core/markdown-renderer.ts
+var MarkdownRenderer = class {
+  render(file) {
+    const header = this.buildFrontmatterHeader(file.frontmatter);
+    const body = this.stripJsx(file.rawContent);
+    return header ? `${header}
+
+${body}` : body;
+  }
+  buildFrontmatterHeader(fm) {
+    const keys = Object.keys(fm);
+    if (keys.length === 0) return "";
+    const lines = keys.filter((k) => fm[k] !== void 0 && fm[k] !== null).map((k) => `${k}: ${this.yamlValue(fm[k])}`);
+    return `---
+${lines.join("\n")}
+---`;
+  }
+  yamlValue(val) {
+    if (typeof val === "string") {
+      return /[:#\[\]{},&*?|<>=!%@`]/.test(val) ? `"${val.replace(/"/g, '\\"')}"` : val;
+    }
+    if (val instanceof Date) return val.toISOString();
+    if (Array.isArray(val)) return `[${val.map((v) => this.yamlValue(v)).join(", ")}]`;
+    return String(val);
+  }
+  stripJsx(content) {
+    let out = content;
+    out = out.replace(/^import\s+.*?['"].*?['"]\s*\n?/gm, "");
+    out = out.replace(/^export\s+(?:default\s+)?(?:const|let|var|function|class)\s+[\s\S]*?(?=\n(?=[^{]|\n)|\n{2,})/gm, "");
+    out = out.replace(/^export\s*\{[^}]*\}\s*(?:from\s+['"][^'"]*['"])?\s*\n?/gm, "");
+    out = out.replace(/<([A-Z][A-Za-z0-9.]*)[^>]*\/>/g, "");
+    out = out.replace(/<([A-Z][A-Za-z0-9.]*)[^>]*>[\s\S]*?<\/\1>/g, "");
+    out = out.replace(/^\s*\{[^}]+\}\s*\n/gm, "");
+    out = out.replace(/\n{3,}/g, "\n\n");
+    return out.trim();
+  }
+};
+
+// src/okf/okf-bundle.ts
+var renderer = new MarkdownRenderer();
+function buildOkfGraph(files, baseUrl) {
+  const base = baseUrl.replace(/\/$/, "");
+  const slugSet = new Set(files.map((f) => f.slug));
+  const mdMap = /* @__PURE__ */ new Map();
+  for (const file of files) {
+    mdMap.set(file.slug, renderer.render(file));
+  }
+  const degrees = new Map(files.map((f) => [f.slug, 0]));
+  const rawEdges = [];
+  for (const file of files) {
+    const md = mdMap.get(file.slug) ?? "";
+    const linkRe = /\[([^\]]+)\]\((\/[^)]+)\)/g;
+    let m;
+    while ((m = linkRe.exec(md)) !== null) {
+      const candidate = m[2].replace(/^\//, "").replace(/\.md$/, "");
+      if (slugSet.has(candidate) && candidate !== file.slug) {
+        rawEdges.push({ source: file.slug, target: candidate });
+        degrees.set(file.slug, (degrees.get(file.slug) ?? 0) + 1);
+        degrees.set(candidate, (degrees.get(candidate) ?? 0) + 1);
+      }
+    }
+  }
+  const top100 = files.slice().sort((a, b) => (degrees.get(b.slug) ?? 0) - (degrees.get(a.slug) ?? 0)).slice(0, 100);
+  const topSet = new Set(top100.map((f) => f.slug));
+  const nodes = top100.map((f) => ({
+    id: f.slug,
+    title: String(f.frontmatter.title ?? f.slug),
+    type: String(f.frontmatter.type ?? "WebPage"),
+    url: `${base}/${f.slug}`
+  }));
+  const edges = rawEdges.filter((e) => topSet.has(e.source) && topSet.has(e.target));
+  return { nodes, edges };
+}
+
+// src/dashboard/auth.ts
+var import_server = require("next/server");
+
+// src/dashboard/admin-store.ts
+var import_fs2 = __toESM(require("fs"));
+var import_path2 = __toESM(require("path"));
+var import_crypto = __toESM(require("crypto"));
+function adminFilePath() {
+  const dataDir = process.env.TA_DATA_DIR ?? "data";
+  return import_path2.default.join(process.cwd(), dataDir, "ta-admin.json");
+}
+function loadAdmin() {
+  const filePath = adminFilePath();
+  if (!import_fs2.default.existsSync(filePath)) return null;
+  try {
+    return JSON.parse(import_fs2.default.readFileSync(filePath, "utf-8"));
+  } catch {
+    return null;
+  }
+}
+var CIPHER = "aes-256-gcm";
+function getEncryptionKey() {
+  const secret = process.env.THIRD_AUDIENCE_SECRET ?? "ta-fallback-key-change-me";
+  return import_crypto.default.createHash("sha256").update(secret).digest();
+}
+function decryptApiKey(encoded) {
+  try {
+    const iv = Buffer.from(encoded.slice(0, 24), "hex");
+    const tag = Buffer.from(encoded.slice(24, 56), "hex");
+    const encrypted = Buffer.from(encoded.slice(56), "hex");
+    const key = getEncryptionKey();
+    const decipher = import_crypto.default.createDecipheriv(CIPHER, key, iv);
+    decipher.setAuthTag(tag);
+    return decipher.update(encrypted) + decipher.final("utf8");
+  } catch {
+    return null;
+  }
+}
+function getApiKey() {
+  const record = loadAdmin();
+  if (!record?.apiKey) return null;
+  return decryptApiKey(record.apiKey);
+}
+function verifyApiKey(key) {
+  const stored = getApiKey();
+  if (!stored) return false;
+  if (key.length !== stored.length) return false;
+  return import_crypto.default.timingSafeEqual(Buffer.from(key), Buffer.from(stored));
+}
+function verifySession(token) {
+  const lastDot = token.lastIndexOf(".");
+  if (lastDot === -1) return false;
+  const payload = token.slice(0, lastDot);
+  const sig = token.slice(lastDot + 1);
+  const expected = import_crypto.default.createHmac("sha256", process.env.THIRD_AUDIENCE_SECRET ?? "ta-salt").update(payload).digest("hex");
+  if (sig.length !== expected.length) return false;
+  return import_crypto.default.timingSafeEqual(Buffer.from(sig, "hex"), Buffer.from(expected, "hex"));
+}
+
+// src/dashboard/auth.ts
+var SESSION_COOKIE = "ta_session";
+function checkApiAuth(req) {
+  const apiKeyHeader = req.headers.get("x-ta-api-key");
+  if (apiKeyHeader) return verifyApiKey(apiKeyHeader);
+  const auth = req.headers.get("authorization") ?? "";
+  if (auth.startsWith("Bearer ")) {
+    const token = auth.slice(7);
+    return verifyApiKey(token);
+  }
+  const session = req.cookies.get(SESSION_COOKIE)?.value;
+  if (session) return verifySession(session);
+  return false;
+}
+function unauthorizedResponse() {
+  return import_server.NextResponse.json(
+    { error: "Unauthorized. Provide X-TA-Api-Key header or a valid session cookie." },
+    {
+      status: 401,
+      headers: { "WWW-Authenticate": 'Bearer realm="Third Audience API"' }
+    }
+  );
+}
+
+// src/dashboard/routes/okf-graph-route.ts
+var reader = new MdxReader({ contentDir: import_path3.default.join(process.cwd(), process.env.TA_CONTENT_DIR ?? "content") });
+async function GET(req) {
+  if (!checkApiAuth(req)) return unauthorizedResponse();
+  const baseUrl = process.env.NEXT_PUBLIC_SITE_URL ?? `${req.nextUrl.protocol}//${req.nextUrl.host}`;
+  const files = reader.readAll();
+  const graph = buildOkfGraph(files, baseUrl);
+  return import_server2.NextResponse.json({
+    graph,
+    stats: {
+      pages: files.length,
+      nodes: graph.nodes.length,
+      edges: graph.edges.length
+    },
+    indexUrl: `${baseUrl}/okf`
+  });
+}
+// Annotate the CommonJS export names for ESM import in node:
+0 && (module.exports = {
+  GET
+});
+//# sourceMappingURL=okf-graph-route.js.map

package/dist/dashboard/routes/okf-graph-route.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../../../src/dashboard/routes/okf-graph-route.ts","../../../src/core/mdx-reader.ts","../../../src/core/markdown-renderer.ts","../../../src/okf/okf-bundle.ts","../../../src/dashboard/auth.ts","../../../src/dashboard/admin-store.ts"],"sourcesContent":["import { NextResponse, type NextRequest } from 'next/server'\nimport path from 'path'\nimport { MdxReader } from '../../core/mdx-reader.js'\nimport { buildOkfGraph } from '../../okf/okf-bundle.js'\nimport { checkApiAuth, unauthorizedResponse } from '../auth.js'\n\nconst reader = new MdxReader({ contentDir: path.join(process.cwd(), process.env.TA_CONTENT_DIR ?? 'content') })\n\n/** GET /api/third-audience/okf-graph — returns graph JSON for the OKF dashboard viewer */\nexport async function GET(req: NextRequest): Promise<NextResponse> {\n  if (!checkApiAuth(req)) return unauthorizedResponse()\n\n  const baseUrl = process.env.NEXT_PUBLIC_SITE_URL\n    ?? `${req.nextUrl.protocol}//${req.nextUrl.host}`\n\n  const files = reader.readAll()\n  const graph = buildOkfGraph(files, baseUrl)\n\n  return NextResponse.json({\n    graph,\n    stats: {\n      pages: files.length,\n      nodes: graph.nodes.length,\n      edges: graph.edges.length,\n    },\n    indexUrl: `${baseUrl}/okf`,\n  })\n}\n","import fs from 'fs'\nimport path from 'path'\nimport matter from 'gray-matter'\n\nexport interface MdxFile {\n  slug: string       // relative path without extension, e.g. 'blog/my-post'\n  filePath: string   // absolute path to .mdx file\n  frontmatter: Record<string, unknown>\n  rawContent: string // body after frontmatter\n}\n\nexport interface MdxReaderOptions {\n  contentDir: string // absolute path to content directory\n}\n\nexport class MdxReader {\n  private contentDir: string\n\n  constructor(options: MdxReaderOptions) {\n    this.contentDir = options.contentDir\n  }\n\n  /** Read a single MDX file by slug. Returns null if not found. */\n  read(slug: string): MdxFile | null {\n    const candidates = [\n      path.join(this.contentDir, `${slug}.mdx`),\n      path.join(this.contentDir, `${slug}.md`),\n      path.join(this.contentDir, slug, 'index.mdx'),\n      path.join(this.contentDir, slug, 'index.md'),\n    ]\n\n    for (const filePath of candidates) {\n      if (fs.existsSync(filePath)) {\n        return this.parseFile(slug, filePath)\n      }\n    }\n\n    return null\n  }\n\n  /** Read all MDX files recursively. */\n  readAll(): MdxFile[] {\n    if (!fs.existsSync(this.contentDir)) return []\n    return this.walkDir(this.contentDir, this.contentDir)\n  }\n\n  private walkDir(dir: string, root: string): MdxFile[] {\n    const results: MdxFile[] = []\n    for (const entry of fs.readdirSync(dir, { withFileTypes: true })) {\n      const fullPath = path.join(dir, entry.name)\n      if (entry.isDirectory()) {\n        results.push(...this.walkDir(fullPath, root))\n      } else if (entry.name.endsWith('.mdx') || entry.name.endsWith('.md')) {\n        const relative = path.relative(root, fullPath)\n        const slug = relative.replace(/\\.(mdx|md)$/, '').replace(/\\/index$/, '')\n        results.push(this.parseFile(slug, fullPath))\n      }\n    }\n    return results\n  }\n\n  private parseFile(slug: string, filePath: string): MdxFile {\n    const raw = fs.readFileSync(filePath, 'utf-8')\n    const { data: frontmatter, content: rawContent } = matter(raw)\n    return { slug, filePath, frontmatter, rawContent }\n  }\n}\n","import type { MdxFile } from './mdx-reader.js'\n\n/**\n * Strips JSX from MDX content and returns clean Markdown\n * suitable for AI crawlers.\n *\n * Removes:\n * - import/export statements\n * - JSX component tags (<ComponentName ... /> and <ComponentName>...</ComponentName>)\n * - Inline expressions {variable} that aren't standard Markdown\n *\n * Preserves:\n * - All standard Markdown (headings, lists, code blocks, links, images)\n * - Frontmatter (serialized as YAML header)\n */\nexport class MarkdownRenderer {\n  render(file: MdxFile): string {\n    const header = this.buildFrontmatterHeader(file.frontmatter)\n    const body = this.stripJsx(file.rawContent)\n    return header ? `${header}\\n\\n${body}` : body\n  }\n\n  private buildFrontmatterHeader(fm: Record<string, unknown>): string {\n    const keys = Object.keys(fm)\n    if (keys.length === 0) return ''\n    const lines = keys\n      .filter(k => fm[k] !== undefined && fm[k] !== null)\n      .map(k => `${k}: ${this.yamlValue(fm[k])}`)\n    return `---\\n${lines.join('\\n')}\\n---`\n  }\n\n  private yamlValue(val: unknown): string {\n    if (typeof val === 'string') {\n      // Quote strings containing special YAML chars\n      return /[:#\\[\\]{},&*?|<>=!%@`]/.test(val) ? `\"${val.replace(/\"/g, '\\\\\"')}\"` : val\n    }\n    if (val instanceof Date) return val.toISOString()\n    if (Array.isArray(val)) return `[${val.map(v => this.yamlValue(v)).join(', ')}]`\n    return String(val)\n  }\n\n  private stripJsx(content: string): string {\n    let out = content\n\n    // Remove import statements: import Foo from '...'  /  import { Foo } from '...'\n    out = out.replace(/^import\\s+.*?['\"].*?['\"]\\s*\\n?/gm, '')\n\n    // Remove export statements at line start (export const, export default, export { })\n    out = out.replace(/^export\\s+(?:default\\s+)?(?:const|let|var|function|class)\\s+[\\s\\S]*?(?=\\n(?=[^{]|\\n)|\\n{2,})/gm, '')\n    out = out.replace(/^export\\s*\\{[^}]*\\}\\s*(?:from\\s+['\"][^'\"]*['\"])?\\s*\\n?/gm, '')\n\n    // Remove self-closing JSX tags: <Component ... />\n    // Must not match HTML img/br/hr which are valid Markdown\n    out = out.replace(/<([A-Z][A-Za-z0-9.]*)[^>]*\\/>/g, '')\n\n    // Remove JSX block tags: <Component ...>...</Component>\n    // Greedy but bounded by matching closing tag\n    out = out.replace(/<([A-Z][A-Za-z0-9.]*)[^>]*>[\\s\\S]*?<\\/\\1>/g, '')\n\n    // Remove JSX expression blocks { expression } that span a whole line\n    out = out.replace(/^\\s*\\{[^}]+\\}\\s*\\n/gm, '')\n\n    // Collapse multiple blank lines to two\n    out = out.replace(/\\n{3,}/g, '\\n\\n')\n\n    return out.trim()\n  }\n}\n","import type { MdxFile } from '../core/mdx-reader.js'\nimport { MarkdownRenderer } from '../core/markdown-renderer.js'\n\nconst renderer = new MarkdownRenderer()\n\nexport interface OkfGraphNode {\n  id: string\n  title: string\n  type: string\n  url: string\n}\n\nexport interface OkfGraphEdge {\n  source: string\n  target: string\n}\n\nexport interface OkfGraphData {\n  nodes: OkfGraphNode[]\n  edges: OkfGraphEdge[]\n}\n\n/**\n * Builds the knowledge graph data for the OKF viewer.\n * Nodes = content pages; edges = internal links between them.\n * Trims to top 100 most-connected nodes (matching WP plugin behaviour).\n */\nexport function buildOkfGraph(files: MdxFile[], baseUrl: string): OkfGraphData {\n  const base = baseUrl.replace(/\\/$/, '')\n  const slugSet = new Set(files.map(f => f.slug))\n\n  // Build slug → markdown map for link extraction\n  const mdMap = new Map<string, string>()\n  for (const file of files) {\n    mdMap.set(file.slug, renderer.render(file))\n  }\n\n  // Count degrees to pick top 100\n  const degrees = new Map<string, number>(files.map(f => [f.slug, 0]))\n  const rawEdges: OkfGraphEdge[] = []\n\n  for (const file of files) {\n    const md = mdMap.get(file.slug) ?? ''\n    const linkRe = /\\[([^\\]]+)\\]\\((\\/[^)]+)\\)/g\n    let m: RegExpExecArray | null\n    while ((m = linkRe.exec(md)) !== null) {\n      const candidate = m[2].replace(/^\\//, '').replace(/\\.md$/, '')\n      if (slugSet.has(candidate) && candidate !== file.slug) {\n        rawEdges.push({ source: file.slug, target: candidate })\n        degrees.set(file.slug, (degrees.get(file.slug) ?? 0) + 1)\n        degrees.set(candidate, (degrees.get(candidate) ?? 0) + 1)\n      }\n    }\n  }\n\n  // Top 100 nodes by degree\n  const top100 = files\n    .slice()\n    .sort((a, b) => (degrees.get(b.slug) ?? 0) - (degrees.get(a.slug) ?? 0))\n    .slice(0, 100)\n  const topSet = new Set(top100.map(f => f.slug))\n\n  const nodes: OkfGraphNode[] = top100.map(f => ({\n    id: f.slug,\n    title: String(f.frontmatter.title ?? f.slug),\n    type: String(f.frontmatter.type ?? 'WebPage'),\n    url: `${base}/${f.slug}`,\n  }))\n\n  const edges = rawEdges.filter(e => topSet.has(e.source) && topSet.has(e.target))\n\n  return { nodes, edges }\n}\n\n/** Generates the /okf/index.md manifest listing all content. */\nexport function generateOkfIndex(files: MdxFile[], baseUrl: string): string {\n  const base = baseUrl.replace(/\\/$/, '')\n  const lines = [\n    '# Open Knowledge Format (OKF) Bundle',\n    '',\n    'This bundle contains all content as clean Markdown files for AI consumption.',\n    '',\n    '## Contents',\n    '',\n  ]\n\n  for (const file of files) {\n    const fm = file.frontmatter\n    const title = String(fm.title ?? file.slug)\n    const desc = fm.description ? ` — ${String(fm.description)}` : ''\n    lines.push(`- [${title}](${base}/okf/${file.slug}.md)${desc}`)\n  }\n\n  return lines.join('\\n') + '\\n'\n}\n\n/** Renders a single MDX file for OKF, with internal links rewritten to .md siblings. */\nexport function generateOkfPage(file: MdxFile, allFiles: MdxFile[], baseUrl: string): string {\n  const markdown = renderer.render(file)\n  return rewriteInternalLinks(markdown, allFiles, baseUrl)\n}\n\n/**\n * Rewrites internal links to point at sibling .md files in the OKF bundle.\n * e.g. [link](/blog/post) → [link](/okf/blog/post.md)\n */\nfunction rewriteInternalLinks(markdown: string, allFiles: MdxFile[], baseUrl: string): string {\n  const slugSet = new Set(allFiles.map(f => f.slug))\n  const base = baseUrl.replace(/\\/$/, '')\n\n  return markdown.replace(/\\[([^\\]]+)\\]\\((\\/[^)]+)\\)/g, (match, text, href) => {\n    // Strip leading slash and any trailing .md to get candidate slug\n    const candidate = href.replace(/^\\//, '').replace(/\\.md$/, '')\n    if (slugSet.has(candidate)) {\n      return `[${text}](${base}/okf/${candidate}.md)`\n    }\n    return match\n  })\n}\n","import type { NextRequest } from 'next/server'\nimport { NextResponse } from 'next/server'\nimport { verifySession, verifyApiKey } from './admin-store.js'\n\nconst SESSION_COOKIE = 'ta_session'\n\n/**\n * Authenticate an API route request. Accepts (in order):\n * 1. X-TA-Api-Key header — for headless/external callers (mirrors WP's approach)\n * 2. Authorization: Bearer <api-key> — same key, different transport\n * 3. Valid ta_session cookie — browser dashboard session\n */\nexport function checkApiAuth(req: NextRequest): boolean {\n  // 1. X-TA-Api-Key header (WP-style headless key)\n  const apiKeyHeader = req.headers.get('x-ta-api-key')\n  if (apiKeyHeader) return verifyApiKey(apiKeyHeader)\n\n  // 2. Bearer token (treat as api key)\n  const auth = req.headers.get('authorization') ?? ''\n  if (auth.startsWith('Bearer ')) {\n    const token = auth.slice(7)\n    return verifyApiKey(token)\n  }\n\n  // 3. Browser session cookie\n  const session = req.cookies.get(SESSION_COOKIE)?.value\n  if (session) return verifySession(session)\n\n  return false\n}\n\n/**\n * Returns a 401 JSON response with the correct WWW-Authenticate header.\n * Use as: if (!checkApiAuth(req)) return unauthorizedResponse()\n */\nexport function unauthorizedResponse(): NextResponse {\n  return NextResponse.json(\n    { error: 'Unauthorized. Provide X-TA-Api-Key header or a valid session cookie.' },\n    {\n      status: 401,\n      headers: { 'WWW-Authenticate': 'Bearer realm=\"Third Audience API\"' },\n    }\n  )\n}\n","import fs from 'fs'\nimport path from 'path'\nimport crypto from 'crypto'\n\nexport interface AdminRecord {\n  passwordHash: string        // sha256(secret + password)\n  isDefaultPassword: boolean\n  createdAt: string\n  lastLoginAt: string | null\n  apiKey?: string             // AES-256-GCM encrypted, for headless/external API callers\n}\n\nfunction adminFilePath(): string {\n  const dataDir = process.env.TA_DATA_DIR ?? 'data'\n  return path.join(process.cwd(), dataDir, 'ta-admin.json')\n}\n\nexport function generateDefaultPassword(): string {\n  return crypto.randomBytes(6).toString('hex') // 12-char hex, easy to type\n}\n\nexport function hashPassword(password: string): string {\n  const secret = process.env.THIRD_AUDIENCE_SECRET ?? 'ta-salt'\n  return crypto.createHash('sha256').update(secret + password).digest('hex')\n}\n\nexport function loadAdmin(): AdminRecord | null {\n  const filePath = adminFilePath()\n  if (!fs.existsSync(filePath)) return null\n  try {\n    return JSON.parse(fs.readFileSync(filePath, 'utf-8')) as AdminRecord\n  } catch {\n    return null\n  }\n}\n\nexport function saveAdmin(record: AdminRecord): void {\n  const filePath = adminFilePath()\n  const dir = path.dirname(filePath)\n  if (!fs.existsSync(dir)) fs.mkdirSync(dir, { recursive: true })\n  fs.writeFileSync(filePath, JSON.stringify(record, null, 2), 'utf-8')\n}\n\nexport const DEFAULT_PASSWORD = 'Chang3M3Now!'\n\nexport function initAdmin(): { password: string; apiKey: string; isNew: boolean } {\n  const existing = loadAdmin()\n  if (existing) return { password: '', apiKey: '', isNew: false }\n\n  const apiKey = generateApiKey()\n  saveAdmin({\n    passwordHash: hashPassword(DEFAULT_PASSWORD),\n    isDefaultPassword: true,\n    createdAt: new Date().toISOString(),\n    lastLoginAt: null,\n    apiKey: encryptApiKey(apiKey),\n  })\n  return { password: DEFAULT_PASSWORD, apiKey, isNew: true }\n}\n\nexport function verifyPassword(password: string): boolean {\n  const record = loadAdmin()\n  if (!record) return false\n  return record.passwordHash === hashPassword(password)\n}\n\nexport function updatePassword(newPassword: string): void {\n  const record = loadAdmin()\n  if (!record) return\n  saveAdmin({\n    ...record,\n    passwordHash: hashPassword(newPassword),\n    isDefaultPassword: false,\n  })\n}\n\nexport function recordLogin(): void {\n  const record = loadAdmin()\n  if (!record) return\n  saveAdmin({ ...record, lastLoginAt: new Date().toISOString() })\n}\n\n// ---------------------------------------------------------------------------\n// API key — AES-256-GCM encrypted at rest, mirroring WP's SECURE_AUTH_KEY approach\n// ---------------------------------------------------------------------------\n\nconst CIPHER = 'aes-256-gcm'\n\nfunction getEncryptionKey(): Buffer {\n  const secret = process.env.THIRD_AUDIENCE_SECRET ?? 'ta-fallback-key-change-me'\n  // Derive a 32-byte key from the secret using SHA-256\n  return crypto.createHash('sha256').update(secret).digest()\n}\n\nfunction encryptApiKey(plaintext: string): string {\n  const iv = crypto.randomBytes(12)\n  const key = getEncryptionKey()\n  const cipher = crypto.createCipheriv(CIPHER, key, iv) as crypto.CipherGCM\n  const encrypted = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()])\n  const tag = cipher.getAuthTag()\n  // Format: iv(24 hex) + tag(32 hex) + encrypted(hex)\n  return iv.toString('hex') + tag.toString('hex') + encrypted.toString('hex')\n}\n\nfunction decryptApiKey(encoded: string): string | null {\n  try {\n    const iv = Buffer.from(encoded.slice(0, 24), 'hex')\n    const tag = Buffer.from(encoded.slice(24, 56), 'hex')\n    const encrypted = Buffer.from(encoded.slice(56), 'hex')\n    const key = getEncryptionKey()\n    const decipher = crypto.createDecipheriv(CIPHER, key, iv) as crypto.DecipherGCM\n    decipher.setAuthTag(tag)\n    return decipher.update(encrypted) + decipher.final('utf8')\n  } catch {\n    return null\n  }\n}\n\nexport function generateApiKey(): string {\n  return 'ta_' + crypto.randomBytes(24).toString('hex') // 51-char key\n}\n\nexport function getApiKey(): string | null {\n  const record = loadAdmin()\n  if (!record?.apiKey) return null\n  return decryptApiKey(record.apiKey)\n}\n\nexport function rotateApiKey(): string {\n  const record = loadAdmin()\n  if (!record) throw new Error('Admin store not initialised')\n  const newKey = generateApiKey()\n  saveAdmin({ ...record, apiKey: encryptApiKey(newKey) })\n  return newKey\n}\n\nexport function verifyApiKey(key: string): boolean {\n  const stored = getApiKey()\n  if (!stored) return false\n  if (key.length !== stored.length) return false\n  return crypto.timingSafeEqual(Buffer.from(key), Buffer.from(stored))\n}\n\n// ---------------------------------------------------------------------------\n// Session cookie: HMAC-SHA256(secret, userId + timestamp) — stateless, no DB\n// ---------------------------------------------------------------------------\nexport function signSession(payload: string): string {\n  const secret = process.env.THIRD_AUDIENCE_SECRET ?? 'ta-salt'\n  const sig = crypto.createHmac('sha256', secret).update(payload).digest('hex')\n  return `${payload}.${sig}`\n}\n\nexport function verifySession(token: string): boolean {\n  const lastDot = token.lastIndexOf('.')\n  if (lastDot === -1) return false\n  const payload = token.slice(0, lastDot)\n  const sig = token.slice(lastDot + 1)\n  const expected = crypto.createHmac('sha256', process.env.THIRD_AUDIENCE_SECRET ?? 'ta-salt')\n    .update(payload).digest('hex')\n  // Constant-time comparison\n  if (sig.length !== expected.length) return false\n  return crypto.timingSafeEqual(Buffer.from(sig, 'hex'), Buffer.from(expected, 'hex'))\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,IAAAA,iBAA+C;AAC/C,IAAAC,eAAiB;;;ACDjB,gBAAe;AACf,kBAAiB;AACjB,yBAAmB;AAaZ,IAAM,YAAN,MAAgB;AAAA,EAGrB,YAAY,SAA2B;AACrC,SAAK,aAAa,QAAQ;AAAA,EAC5B;AAAA;AAAA,EAGA,KAAK,MAA8B;AACjC,UAAM,aAAa;AAAA,MACjB,YAAAC,QAAK,KAAK,KAAK,YAAY,GAAG,IAAI,MAAM;AAAA,MACxC,YAAAA,QAAK,KAAK,KAAK,YAAY,GAAG,IAAI,KAAK;AAAA,MACvC,YAAAA,QAAK,KAAK,KAAK,YAAY,MAAM,WAAW;AAAA,MAC5C,YAAAA,QAAK,KAAK,KAAK,YAAY,MAAM,UAAU;AAAA,IAC7C;AAEA,eAAW,YAAY,YAAY;AACjC,UAAI,UAAAC,QAAG,WAAW,QAAQ,GAAG;AAC3B,eAAO,KAAK,UAAU,MAAM,QAAQ;AAAA,MACtC;AAAA,IACF;AAEA,WAAO;AAAA,EACT;AAAA;AAAA,EAGA,UAAqB;AACnB,QAAI,CAAC,UAAAA,QAAG,WAAW,KAAK,UAAU,EAAG,QAAO,CAAC;AAC7C,WAAO,KAAK,QAAQ,KAAK,YAAY,KAAK,UAAU;AAAA,EACtD;AAAA,EAEQ,QAAQ,KAAa,MAAyB;AACpD,UAAM,UAAqB,CAAC;AAC5B,eAAW,SAAS,UAAAA,QAAG,YAAY,KAAK,EAAE,eAAe,KAAK,CAAC,GAAG;AAChE,YAAM,WAAW,YAAAD,QAAK,KAAK,KAAK,MAAM,IAAI;AAC1C,UAAI,MAAM,YAAY,GAAG;AACvB,gBAAQ,KAAK,GAAG,KAAK,QAAQ,UAAU,IAAI,CAAC;AAAA,MAC9C,WAAW,MAAM,KAAK,SAAS,MAAM,KAAK,MAAM,KAAK,SAAS,KAAK,GAAG;AACpE,cAAM,WAAW,YAAAA,QAAK,SAAS,MAAM,QAAQ;AAC7C,cAAM,OAAO,SAAS,QAAQ,eAAe,EAAE,EAAE,QAAQ,YAAY,EAAE;AACvE,gBAAQ,KAAK,KAAK,UAAU,MAAM,QAAQ,CAAC;AAAA,MAC7C;AAAA,IACF;AACA,WAAO;AAAA,EACT;AAAA,EAEQ,UAAU,MAAc,UAA2B;AACzD,UAAM,MAAM,UAAAC,QAAG,aAAa,UAAU,OAAO;AAC7C,UAAM,EAAE,MAAM,aAAa,SAAS,WAAW,QAAI,mBAAAC,SAAO,GAAG;AAC7D,WAAO,EAAE,MAAM,UAAU,aAAa,WAAW;AAAA,EACnD;AACF;;;ACnDO,IAAM,mBAAN,MAAuB;AAAA,EAC5B,OAAO,MAAuB;AAC5B,UAAM,SAAS,KAAK,uBAAuB,KAAK,WAAW;AAC3D,UAAM,OAAO,KAAK,SAAS,KAAK,UAAU;AAC1C,WAAO,SAAS,GAAG,MAAM;AAAA;AAAA,EAAO,IAAI,KAAK;AAAA,EAC3C;AAAA,EAEQ,uBAAuB,IAAqC;AAClE,UAAM,OAAO,OAAO,KAAK,EAAE;AAC3B,QAAI,KAAK,WAAW,EAAG,QAAO;AAC9B,UAAM,QAAQ,KACX,OAAO,OAAK,GAAG,CAAC,MAAM,UAAa,GAAG,CAAC,MAAM,IAAI,EACjD,IAAI,OAAK,GAAG,CAAC,KAAK,KAAK,UAAU,GAAG,CAAC,CAAC,CAAC,EAAE;AAC5C,WAAO;AAAA,EAAQ,MAAM,KAAK,IAAI,CAAC;AAAA;AAAA,EACjC;AAAA,EAEQ,UAAU,KAAsB;AACtC,QAAI,OAAO,QAAQ,UAAU;AAE3B,aAAO,yBAAyB,KAAK,GAAG,IAAI,IAAI,IAAI,QAAQ,MAAM,KAAK,CAAC,MAAM;AAAA,IAChF;AACA,QAAI,eAAe,KAAM,QAAO,IAAI,YAAY;AAChD,QAAI,MAAM,QAAQ,GAAG,EAAG,QAAO,IAAI,IAAI,IAAI,OAAK,KAAK,UAAU,CAAC,CAAC,EAAE,KAAK,IAAI,CAAC;AAC7E,WAAO,OAAO,GAAG;AAAA,EACnB;AAAA,EAEQ,SAAS,SAAyB;AACxC,QAAI,MAAM;AAGV,UAAM,IAAI,QAAQ,oCAAoC,EAAE;AAGxD,UAAM,IAAI,QAAQ,kGAAkG,EAAE;AACtH,UAAM,IAAI,QAAQ,4DAA4D,EAAE;AAIhF,UAAM,IAAI,QAAQ,kCAAkC,EAAE;AAItD,UAAM,IAAI,QAAQ,8CAA8C,EAAE;AAGlE,UAAM,IAAI,QAAQ,wBAAwB,EAAE;AAG5C,UAAM,IAAI,QAAQ,WAAW,MAAM;AAEnC,WAAO,IAAI,KAAK;AAAA,EAClB;AACF;;;AChEA,IAAM,WAAW,IAAI,iBAAiB;AAwB/B,SAAS,cAAc,OAAkB,SAA+B;AAC7E,QAAM,OAAO,QAAQ,QAAQ,OAAO,EAAE;AACtC,QAAM,UAAU,IAAI,IAAI,MAAM,IAAI,OAAK,EAAE,IAAI,CAAC;AAG9C,QAAM,QAAQ,oBAAI,IAAoB;AACtC,aAAW,QAAQ,OAAO;AACxB,UAAM,IAAI,KAAK,MAAM,SAAS,OAAO,IAAI,CAAC;AAAA,EAC5C;AAGA,QAAM,UAAU,IAAI,IAAoB,MAAM,IAAI,OAAK,CAAC,EAAE,MAAM,CAAC,CAAC,CAAC;AACnE,QAAM,WAA2B,CAAC;AAElC,aAAW,QAAQ,OAAO;AACxB,UAAM,KAAK,MAAM,IAAI,KAAK,IAAI,KAAK;AACnC,UAAM,SAAS;AACf,QAAI;AACJ,YAAQ,IAAI,OAAO,KAAK,EAAE,OAAO,MAAM;AACrC,YAAM,YAAY,EAAE,CAAC,EAAE,QAAQ,OAAO,EAAE,EAAE,QAAQ,SAAS,EAAE;AAC7D,UAAI,QAAQ,IAAI,SAAS,KAAK,cAAc,KAAK,MAAM;AACrD,iBAAS,KAAK,EAAE,QAAQ,KAAK,MAAM,QAAQ,UAAU,CAAC;AACtD,gBAAQ,IAAI,KAAK,OAAO,QAAQ,IAAI,KAAK,IAAI,KAAK,KAAK,CAAC;AACxD,gBAAQ,IAAI,YAAY,QAAQ,IAAI,SAAS,KAAK,KAAK,CAAC;AAAA,MAC1D;AAAA,IACF;AAAA,EACF;AAGA,QAAM,SAAS,MACZ,MAAM,EACN,KAAK,CAAC,GAAG,OAAO,QAAQ,IAAI,EAAE,IAAI,KAAK,MAAM,QAAQ,IAAI,EAAE,IAAI,KAAK,EAAE,EACtE,MAAM,GAAG,GAAG;AACf,QAAM,SAAS,IAAI,IAAI,OAAO,IAAI,OAAK,EAAE,IAAI,CAAC;AAE9C,QAAM,QAAwB,OAAO,IAAI,QAAM;AAAA,IAC7C,IAAI,EAAE;AAAA,IACN,OAAO,OAAO,EAAE,YAAY,SAAS,EAAE,IAAI;AAAA,IAC3C,MAAM,OAAO,EAAE,YAAY,QAAQ,SAAS;AAAA,IAC5C,KAAK,GAAG,IAAI,IAAI,EAAE,IAAI;AAAA,EACxB,EAAE;AAEF,QAAM,QAAQ,SAAS,OAAO,OAAK,OAAO,IAAI,EAAE,MAAM,KAAK,OAAO,IAAI,EAAE,MAAM,CAAC;AAE/E,SAAO,EAAE,OAAO,MAAM;AACxB;;;ACvEA,oBAA6B;;;ACD7B,IAAAC,aAAe;AACf,IAAAC,eAAiB;AACjB,oBAAmB;AAUnB,SAAS,gBAAwB;AAC/B,QAAM,UAAU,QAAQ,IAAI,eAAe;AAC3C,SAAO,aAAAC,QAAK,KAAK,QAAQ,IAAI,GAAG,SAAS,eAAe;AAC1D;AAWO,SAAS,YAAgC;AAC9C,QAAM,WAAW,cAAc;AAC/B,MAAI,CAAC,WAAAC,QAAG,WAAW,QAAQ,EAAG,QAAO;AACrC,MAAI;AACF,WAAO,KAAK,MAAM,WAAAA,QAAG,aAAa,UAAU,OAAO,CAAC;AAAA,EACtD,QAAQ;AACN,WAAO;AAAA,EACT;AACF;AAoDA,IAAM,SAAS;AAEf,SAAS,mBAA2B;AAClC,QAAM,SAAS,QAAQ,IAAI,yBAAyB;AAEpD,SAAO,cAAAC,QAAO,WAAW,QAAQ,EAAE,OAAO,MAAM,EAAE,OAAO;AAC3D;AAYA,SAAS,cAAc,SAAgC;AACrD,MAAI;AACF,UAAM,KAAK,OAAO,KAAK,QAAQ,MAAM,GAAG,EAAE,GAAG,KAAK;AAClD,UAAM,MAAM,OAAO,KAAK,QAAQ,MAAM,IAAI,EAAE,GAAG,KAAK;AACpD,UAAM,YAAY,OAAO,KAAK,QAAQ,MAAM,EAAE,GAAG,KAAK;AACtD,UAAM,MAAM,iBAAiB;AAC7B,UAAM,WAAW,cAAAC,QAAO,iBAAiB,QAAQ,KAAK,EAAE;AACxD,aAAS,WAAW,GAAG;AACvB,WAAO,SAAS,OAAO,SAAS,IAAI,SAAS,MAAM,MAAM;AAAA,EAC3D,QAAQ;AACN,WAAO;AAAA,EACT;AACF;AAMO,SAAS,YAA2B;AACzC,QAAM,SAAS,UAAU;AACzB,MAAI,CAAC,QAAQ,OAAQ,QAAO;AAC5B,SAAO,cAAc,OAAO,MAAM;AACpC;AAUO,SAAS,aAAa,KAAsB;AACjD,QAAM,SAAS,UAAU;AACzB,MAAI,CAAC,OAAQ,QAAO;AACpB,MAAI,IAAI,WAAW,OAAO,OAAQ,QAAO;AACzC,SAAO,cAAAC,QAAO,gBAAgB,OAAO,KAAK,GAAG,GAAG,OAAO,KAAK,MAAM,CAAC;AACrE;AAWO,SAAS,cAAc,OAAwB;AACpD,QAAM,UAAU,MAAM,YAAY,GAAG;AACrC,MAAI,YAAY,GAAI,QAAO;AAC3B,QAAM,UAAU,MAAM,MAAM,GAAG,OAAO;AACtC,QAAM,MAAM,MAAM,MAAM,UAAU,CAAC;AACnC,QAAM,WAAW,cAAAC,QAAO,WAAW,UAAU,QAAQ,IAAI,yBAAyB,SAAS,EACxF,OAAO,OAAO,EAAE,OAAO,KAAK;AAE/B,MAAI,IAAI,WAAW,SAAS,OAAQ,QAAO;AAC3C,SAAO,cAAAA,QAAO,gBAAgB,OAAO,KAAK,KAAK,KAAK,GAAG,OAAO,KAAK,UAAU,KAAK,CAAC;AACrF;;;AD9JA,IAAM,iBAAiB;AAQhB,SAAS,aAAa,KAA2B;AAEtD,QAAM,eAAe,IAAI,QAAQ,IAAI,cAAc;AACnD,MAAI,aAAc,QAAO,aAAa,YAAY;AAGlD,QAAM,OAAO,IAAI,QAAQ,IAAI,eAAe,KAAK;AACjD,MAAI,KAAK,WAAW,SAAS,GAAG;AAC9B,UAAM,QAAQ,KAAK,MAAM,CAAC;AAC1B,WAAO,aAAa,KAAK;AAAA,EAC3B;AAGA,QAAM,UAAU,IAAI,QAAQ,IAAI,cAAc,GAAG;AACjD,MAAI,QAAS,QAAO,cAAc,OAAO;AAEzC,SAAO;AACT;AAMO,SAAS,uBAAqC;AACnD,SAAO,2BAAa;AAAA,IAClB,EAAE,OAAO,uEAAuE;AAAA,IAChF;AAAA,MACE,QAAQ;AAAA,MACR,SAAS,EAAE,oBAAoB,oCAAoC;AAAA,IACrE;AAAA,EACF;AACF;;;AJrCA,IAAM,SAAS,IAAI,UAAU,EAAE,YAAY,aAAAC,QAAK,KAAK,QAAQ,IAAI,GAAG,QAAQ,IAAI,kBAAkB,SAAS,EAAE,CAAC;AAG9G,eAAsB,IAAI,KAAyC;AACjE,MAAI,CAAC,aAAa,GAAG,EAAG,QAAO,qBAAqB;AAEpD,QAAM,UAAU,QAAQ,IAAI,wBACvB,GAAG,IAAI,QAAQ,QAAQ,KAAK,IAAI,QAAQ,IAAI;AAEjD,QAAM,QAAQ,OAAO,QAAQ;AAC7B,QAAM,QAAQ,cAAc,OAAO,OAAO;AAE1C,SAAO,4BAAa,KAAK;AAAA,IACvB;AAAA,IACA,OAAO;AAAA,MACL,OAAO,MAAM;AAAA,MACb,OAAO,MAAM,MAAM;AAAA,MACnB,OAAO,MAAM,MAAM;AAAA,IACrB;AAAA,IACA,UAAU,GAAG,OAAO;AAAA,EACtB,CAAC;AACH;","names":["import_server","import_path","path","fs","matter","import_fs","import_path","path","fs","crypto","crypto","crypto","crypto","path"]}

package/dist/dashboard/routes/okf-graph-route.mjs

@@ -0,0 +1,231 @@
+// src/dashboard/routes/okf-graph-route.ts
+import { NextResponse as NextResponse2 } from "next/server";
+import path3 from "path";
+
+// src/core/mdx-reader.ts
+import fs from "fs";
+import path from "path";
+import matter from "gray-matter";
+var MdxReader = class {
+  constructor(options) {
+    this.contentDir = options.contentDir;
+  }
+  /** Read a single MDX file by slug. Returns null if not found. */
+  read(slug) {
+    const candidates = [
+      path.join(this.contentDir, `${slug}.mdx`),
+      path.join(this.contentDir, `${slug}.md`),
+      path.join(this.contentDir, slug, "index.mdx"),
+      path.join(this.contentDir, slug, "index.md")
+    ];
+    for (const filePath of candidates) {
+      if (fs.existsSync(filePath)) {
+        return this.parseFile(slug, filePath);
+      }
+    }
+    return null;
+  }
+  /** Read all MDX files recursively. */
+  readAll() {
+    if (!fs.existsSync(this.contentDir)) return [];
+    return this.walkDir(this.contentDir, this.contentDir);
+  }
+  walkDir(dir, root) {
+    const results = [];
+    for (const entry of fs.readdirSync(dir, { withFileTypes: true })) {
+      const fullPath = path.join(dir, entry.name);
+      if (entry.isDirectory()) {
+        results.push(...this.walkDir(fullPath, root));
+      } else if (entry.name.endsWith(".mdx") || entry.name.endsWith(".md")) {
+        const relative = path.relative(root, fullPath);
+        const slug = relative.replace(/\.(mdx|md)$/, "").replace(/\/index$/, "");
+        results.push(this.parseFile(slug, fullPath));
+      }
+    }
+    return results;
+  }
+  parseFile(slug, filePath) {
+    const raw = fs.readFileSync(filePath, "utf-8");
+    const { data: frontmatter, content: rawContent } = matter(raw);
+    return { slug, filePath, frontmatter, rawContent };
+  }
+};
+
+// src/core/markdown-renderer.ts
+var MarkdownRenderer = class {
+  render(file) {
+    const header = this.buildFrontmatterHeader(file.frontmatter);
+    const body = this.stripJsx(file.rawContent);
+    return header ? `${header}
+
+${body}` : body;
+  }
+  buildFrontmatterHeader(fm) {
+    const keys = Object.keys(fm);
+    if (keys.length === 0) return "";
+    const lines = keys.filter((k) => fm[k] !== void 0 && fm[k] !== null).map((k) => `${k}: ${this.yamlValue(fm[k])}`);
+    return `---
+${lines.join("\n")}
+---`;
+  }
+  yamlValue(val) {
+    if (typeof val === "string") {
+      return /[:#\[\]{},&*?|<>=!%@`]/.test(val) ? `"${val.replace(/"/g, '\\"')}"` : val;
+    }
+    if (val instanceof Date) return val.toISOString();
+    if (Array.isArray(val)) return `[${val.map((v) => this.yamlValue(v)).join(", ")}]`;
+    return String(val);
+  }
+  stripJsx(content) {
+    let out = content;
+    out = out.replace(/^import\s+.*?['"].*?['"]\s*\n?/gm, "");
+    out = out.replace(/^export\s+(?:default\s+)?(?:const|let|var|function|class)\s+[\s\S]*?(?=\n(?=[^{]|\n)|\n{2,})/gm, "");
+    out = out.replace(/^export\s*\{[^}]*\}\s*(?:from\s+['"][^'"]*['"])?\s*\n?/gm, "");
+    out = out.replace(/<([A-Z][A-Za-z0-9.]*)[^>]*\/>/g, "");
+    out = out.replace(/<([A-Z][A-Za-z0-9.]*)[^>]*>[\s\S]*?<\/\1>/g, "");
+    out = out.replace(/^\s*\{[^}]+\}\s*\n/gm, "");
+    out = out.replace(/\n{3,}/g, "\n\n");
+    return out.trim();
+  }
+};
+
+// src/okf/okf-bundle.ts
+var renderer = new MarkdownRenderer();
+function buildOkfGraph(files, baseUrl) {
+  const base = baseUrl.replace(/\/$/, "");
+  const slugSet = new Set(files.map((f) => f.slug));
+  const mdMap = /* @__PURE__ */ new Map();
+  for (const file of files) {
+    mdMap.set(file.slug, renderer.render(file));
+  }
+  const degrees = new Map(files.map((f) => [f.slug, 0]));
+  const rawEdges = [];
+  for (const file of files) {
+    const md = mdMap.get(file.slug) ?? "";
+    const linkRe = /\[([^\]]+)\]\((\/[^)]+)\)/g;
+    let m;
+    while ((m = linkRe.exec(md)) !== null) {
+      const candidate = m[2].replace(/^\//, "").replace(/\.md$/, "");
+      if (slugSet.has(candidate) && candidate !== file.slug) {
+        rawEdges.push({ source: file.slug, target: candidate });
+        degrees.set(file.slug, (degrees.get(file.slug) ?? 0) + 1);
+        degrees.set(candidate, (degrees.get(candidate) ?? 0) + 1);
+      }
+    }
+  }
+  const top100 = files.slice().sort((a, b) => (degrees.get(b.slug) ?? 0) - (degrees.get(a.slug) ?? 0)).slice(0, 100);
+  const topSet = new Set(top100.map((f) => f.slug));
+  const nodes = top100.map((f) => ({
+    id: f.slug,
+    title: String(f.frontmatter.title ?? f.slug),
+    type: String(f.frontmatter.type ?? "WebPage"),
+    url: `${base}/${f.slug}`
+  }));
+  const edges = rawEdges.filter((e) => topSet.has(e.source) && topSet.has(e.target));
+  return { nodes, edges };
+}
+
+// src/dashboard/auth.ts
+import { NextResponse } from "next/server";
+
+// src/dashboard/admin-store.ts
+import fs2 from "fs";
+import path2 from "path";
+import crypto from "crypto";
+function adminFilePath() {
+  const dataDir = process.env.TA_DATA_DIR ?? "data";
+  return path2.join(process.cwd(), dataDir, "ta-admin.json");
+}
+function loadAdmin() {
+  const filePath = adminFilePath();
+  if (!fs2.existsSync(filePath)) return null;
+  try {
+    return JSON.parse(fs2.readFileSync(filePath, "utf-8"));
+  } catch {
+    return null;
+  }
+}
+var CIPHER = "aes-256-gcm";
+function getEncryptionKey() {
+  const secret = process.env.THIRD_AUDIENCE_SECRET ?? "ta-fallback-key-change-me";
+  return crypto.createHash("sha256").update(secret).digest();
+}
+function decryptApiKey(encoded) {
+  try {
+    const iv = Buffer.from(encoded.slice(0, 24), "hex");
+    const tag = Buffer.from(encoded.slice(24, 56), "hex");
+    const encrypted = Buffer.from(encoded.slice(56), "hex");
+    const key = getEncryptionKey();
+    const decipher = crypto.createDecipheriv(CIPHER, key, iv);
+    decipher.setAuthTag(tag);
+    return decipher.update(encrypted) + decipher.final("utf8");
+  } catch {
+    return null;
+  }
+}
+function getApiKey() {
+  const record = loadAdmin();
+  if (!record?.apiKey) return null;
+  return decryptApiKey(record.apiKey);
+}
+function verifyApiKey(key) {
+  const stored = getApiKey();
+  if (!stored) return false;
+  if (key.length !== stored.length) return false;
+  return crypto.timingSafeEqual(Buffer.from(key), Buffer.from(stored));
+}
+function verifySession(token) {
+  const lastDot = token.lastIndexOf(".");
+  if (lastDot === -1) return false;
+  const payload = token.slice(0, lastDot);
+  const sig = token.slice(lastDot + 1);
+  const expected = crypto.createHmac("sha256", process.env.THIRD_AUDIENCE_SECRET ?? "ta-salt").update(payload).digest("hex");
+  if (sig.length !== expected.length) return false;
+  return crypto.timingSafeEqual(Buffer.from(sig, "hex"), Buffer.from(expected, "hex"));
+}
+
+// src/dashboard/auth.ts
+var SESSION_COOKIE = "ta_session";
+function checkApiAuth(req) {
+  const apiKeyHeader = req.headers.get("x-ta-api-key");
+  if (apiKeyHeader) return verifyApiKey(apiKeyHeader);
+  const auth = req.headers.get("authorization") ?? "";
+  if (auth.startsWith("Bearer ")) {
+    const token = auth.slice(7);
+    return verifyApiKey(token);
+  }
+  const session = req.cookies.get(SESSION_COOKIE)?.value;
+  if (session) return verifySession(session);
+  return false;
+}
+function unauthorizedResponse() {
+  return NextResponse.json(
+    { error: "Unauthorized. Provide X-TA-Api-Key header or a valid session cookie." },
+    {
+      status: 401,
+      headers: { "WWW-Authenticate": 'Bearer realm="Third Audience API"' }
+    }
+  );
+}
+
+// src/dashboard/routes/okf-graph-route.ts
+var reader = new MdxReader({ contentDir: path3.join(process.cwd(), process.env.TA_CONTENT_DIR ?? "content") });
+async function GET(req) {
+  if (!checkApiAuth(req)) return unauthorizedResponse();
+  const baseUrl = process.env.NEXT_PUBLIC_SITE_URL ?? `${req.nextUrl.protocol}//${req.nextUrl.host}`;
+  const files = reader.readAll();
+  const graph = buildOkfGraph(files, baseUrl);
+  return NextResponse2.json({
+    graph,
+    stats: {
+      pages: files.length,
+      nodes: graph.nodes.length,
+      edges: graph.edges.length
+    },
+    indexUrl: `${baseUrl}/okf`
+  });
+}
+export {
+  GET
+};
+//# sourceMappingURL=okf-graph-route.mjs.map

package/dist/dashboard/routes/okf-graph-route.mjs.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../../../src/dashboard/routes/okf-graph-route.ts","../../../src/core/mdx-reader.ts","../../../src/core/markdown-renderer.ts","../../../src/okf/okf-bundle.ts","../../../src/dashboard/auth.ts","../../../src/dashboard/admin-store.ts"],"sourcesContent":["import { NextResponse, type NextRequest } from 'next/server'\nimport path from 'path'\nimport { MdxReader } from '../../core/mdx-reader.js'\nimport { buildOkfGraph } from '../../okf/okf-bundle.js'\nimport { checkApiAuth, unauthorizedResponse } from '../auth.js'\n\nconst reader = new MdxReader({ contentDir: path.join(process.cwd(), process.env.TA_CONTENT_DIR ?? 'content') })\n\n/** GET /api/third-audience/okf-graph — returns graph JSON for the OKF dashboard viewer */\nexport async function GET(req: NextRequest): Promise<NextResponse> {\n  if (!checkApiAuth(req)) return unauthorizedResponse()\n\n  const baseUrl = process.env.NEXT_PUBLIC_SITE_URL\n    ?? `${req.nextUrl.protocol}//${req.nextUrl.host}`\n\n  const files = reader.readAll()\n  const graph = buildOkfGraph(files, baseUrl)\n\n  return NextResponse.json({\n    graph,\n    stats: {\n      pages: files.length,\n      nodes: graph.nodes.length,\n      edges: graph.edges.length,\n    },\n    indexUrl: `${baseUrl}/okf`,\n  })\n}\n","import fs from 'fs'\nimport path from 'path'\nimport matter from 'gray-matter'\n\nexport interface MdxFile {\n  slug: string       // relative path without extension, e.g. 'blog/my-post'\n  filePath: string   // absolute path to .mdx file\n  frontmatter: Record<string, unknown>\n  rawContent: string // body after frontmatter\n}\n\nexport interface MdxReaderOptions {\n  contentDir: string // absolute path to content directory\n}\n\nexport class MdxReader {\n  private contentDir: string\n\n  constructor(options: MdxReaderOptions) {\n    this.contentDir = options.contentDir\n  }\n\n  /** Read a single MDX file by slug. Returns null if not found. */\n  read(slug: string): MdxFile | null {\n    const candidates = [\n      path.join(this.contentDir, `${slug}.mdx`),\n      path.join(this.contentDir, `${slug}.md`),\n      path.join(this.contentDir, slug, 'index.mdx'),\n      path.join(this.contentDir, slug, 'index.md'),\n    ]\n\n    for (const filePath of candidates) {\n      if (fs.existsSync(filePath)) {\n        return this.parseFile(slug, filePath)\n      }\n    }\n\n    return null\n  }\n\n  /** Read all MDX files recursively. */\n  readAll(): MdxFile[] {\n    if (!fs.existsSync(this.contentDir)) return []\n    return this.walkDir(this.contentDir, this.contentDir)\n  }\n\n  private walkDir(dir: string, root: string): MdxFile[] {\n    const results: MdxFile[] = []\n    for (const entry of fs.readdirSync(dir, { withFileTypes: true })) {\n      const fullPath = path.join(dir, entry.name)\n      if (entry.isDirectory()) {\n        results.push(...this.walkDir(fullPath, root))\n      } else if (entry.name.endsWith('.mdx') || entry.name.endsWith('.md')) {\n        const relative = path.relative(root, fullPath)\n        const slug = relative.replace(/\\.(mdx|md)$/, '').replace(/\\/index$/, '')\n        results.push(this.parseFile(slug, fullPath))\n      }\n    }\n    return results\n  }\n\n  private parseFile(slug: string, filePath: string): MdxFile {\n    const raw = fs.readFileSync(filePath, 'utf-8')\n    const { data: frontmatter, content: rawContent } = matter(raw)\n    return { slug, filePath, frontmatter, rawContent }\n  }\n}\n","import type { MdxFile } from './mdx-reader.js'\n\n/**\n * Strips JSX from MDX content and returns clean Markdown\n * suitable for AI crawlers.\n *\n * Removes:\n * - import/export statements\n * - JSX component tags (<ComponentName ... /> and <ComponentName>...</ComponentName>)\n * - Inline expressions {variable} that aren't standard Markdown\n *\n * Preserves:\n * - All standard Markdown (headings, lists, code blocks, links, images)\n * - Frontmatter (serialized as YAML header)\n */\nexport class MarkdownRenderer {\n  render(file: MdxFile): string {\n    const header = this.buildFrontmatterHeader(file.frontmatter)\n    const body = this.stripJsx(file.rawContent)\n    return header ? `${header}\\n\\n${body}` : body\n  }\n\n  private buildFrontmatterHeader(fm: Record<string, unknown>): string {\n    const keys = Object.keys(fm)\n    if (keys.length === 0) return ''\n    const lines = keys\n      .filter(k => fm[k] !== undefined && fm[k] !== null)\n      .map(k => `${k}: ${this.yamlValue(fm[k])}`)\n    return `---\\n${lines.join('\\n')}\\n---`\n  }\n\n  private yamlValue(val: unknown): string {\n    if (typeof val === 'string') {\n      // Quote strings containing special YAML chars\n      return /[:#\\[\\]{},&*?|<>=!%@`]/.test(val) ? `\"${val.replace(/\"/g, '\\\\\"')}\"` : val\n    }\n    if (val instanceof Date) return val.toISOString()\n    if (Array.isArray(val)) return `[${val.map(v => this.yamlValue(v)).join(', ')}]`\n    return String(val)\n  }\n\n  private stripJsx(content: string): string {\n    let out = content\n\n    // Remove import statements: import Foo from '...'  /  import { Foo } from '...'\n    out = out.replace(/^import\\s+.*?['\"].*?['\"]\\s*\\n?/gm, '')\n\n    // Remove export statements at line start (export const, export default, export { })\n    out = out.replace(/^export\\s+(?:default\\s+)?(?:const|let|var|function|class)\\s+[\\s\\S]*?(?=\\n(?=[^{]|\\n)|\\n{2,})/gm, '')\n    out = out.replace(/^export\\s*\\{[^}]*\\}\\s*(?:from\\s+['\"][^'\"]*['\"])?\\s*\\n?/gm, '')\n\n    // Remove self-closing JSX tags: <Component ... />\n    // Must not match HTML img/br/hr which are valid Markdown\n    out = out.replace(/<([A-Z][A-Za-z0-9.]*)[^>]*\\/>/g, '')\n\n    // Remove JSX block tags: <Component ...>...</Component>\n    // Greedy but bounded by matching closing tag\n    out = out.replace(/<([A-Z][A-Za-z0-9.]*)[^>]*>[\\s\\S]*?<\\/\\1>/g, '')\n\n    // Remove JSX expression blocks { expression } that span a whole line\n    out = out.replace(/^\\s*\\{[^}]+\\}\\s*\\n/gm, '')\n\n    // Collapse multiple blank lines to two\n    out = out.replace(/\\n{3,}/g, '\\n\\n')\n\n    return out.trim()\n  }\n}\n","import type { MdxFile } from '../core/mdx-reader.js'\nimport { MarkdownRenderer } from '../core/markdown-renderer.js'\n\nconst renderer = new MarkdownRenderer()\n\nexport interface OkfGraphNode {\n  id: string\n  title: string\n  type: string\n  url: string\n}\n\nexport interface OkfGraphEdge {\n  source: string\n  target: string\n}\n\nexport interface OkfGraphData {\n  nodes: OkfGraphNode[]\n  edges: OkfGraphEdge[]\n}\n\n/**\n * Builds the knowledge graph data for the OKF viewer.\n * Nodes = content pages; edges = internal links between them.\n * Trims to top 100 most-connected nodes (matching WP plugin behaviour).\n */\nexport function buildOkfGraph(files: MdxFile[], baseUrl: string): OkfGraphData {\n  const base = baseUrl.replace(/\\/$/, '')\n  const slugSet = new Set(files.map(f => f.slug))\n\n  // Build slug → markdown map for link extraction\n  const mdMap = new Map<string, string>()\n  for (const file of files) {\n    mdMap.set(file.slug, renderer.render(file))\n  }\n\n  // Count degrees to pick top 100\n  const degrees = new Map<string, number>(files.map(f => [f.slug, 0]))\n  const rawEdges: OkfGraphEdge[] = []\n\n  for (const file of files) {\n    const md = mdMap.get(file.slug) ?? ''\n    const linkRe = /\\[([^\\]]+)\\]\\((\\/[^)]+)\\)/g\n    let m: RegExpExecArray | null\n    while ((m = linkRe.exec(md)) !== null) {\n      const candidate = m[2].replace(/^\\//, '').replace(/\\.md$/, '')\n      if (slugSet.has(candidate) && candidate !== file.slug) {\n        rawEdges.push({ source: file.slug, target: candidate })\n        degrees.set(file.slug, (degrees.get(file.slug) ?? 0) + 1)\n        degrees.set(candidate, (degrees.get(candidate) ?? 0) + 1)\n      }\n    }\n  }\n\n  // Top 100 nodes by degree\n  const top100 = files\n    .slice()\n    .sort((a, b) => (degrees.get(b.slug) ?? 0) - (degrees.get(a.slug) ?? 0))\n    .slice(0, 100)\n  const topSet = new Set(top100.map(f => f.slug))\n\n  const nodes: OkfGraphNode[] = top100.map(f => ({\n    id: f.slug,\n    title: String(f.frontmatter.title ?? f.slug),\n    type: String(f.frontmatter.type ?? 'WebPage'),\n    url: `${base}/${f.slug}`,\n  }))\n\n  const edges = rawEdges.filter(e => topSet.has(e.source) && topSet.has(e.target))\n\n  return { nodes, edges }\n}\n\n/** Generates the /okf/index.md manifest listing all content. */\nexport function generateOkfIndex(files: MdxFile[], baseUrl: string): string {\n  const base = baseUrl.replace(/\\/$/, '')\n  const lines = [\n    '# Open Knowledge Format (OKF) Bundle',\n    '',\n    'This bundle contains all content as clean Markdown files for AI consumption.',\n    '',\n    '## Contents',\n    '',\n  ]\n\n  for (const file of files) {\n    const fm = file.frontmatter\n    const title = String(fm.title ?? file.slug)\n    const desc = fm.description ? ` — ${String(fm.description)}` : ''\n    lines.push(`- [${title}](${base}/okf/${file.slug}.md)${desc}`)\n  }\n\n  return lines.join('\\n') + '\\n'\n}\n\n/** Renders a single MDX file for OKF, with internal links rewritten to .md siblings. */\nexport function generateOkfPage(file: MdxFile, allFiles: MdxFile[], baseUrl: string): string {\n  const markdown = renderer.render(file)\n  return rewriteInternalLinks(markdown, allFiles, baseUrl)\n}\n\n/**\n * Rewrites internal links to point at sibling .md files in the OKF bundle.\n * e.g. [link](/blog/post) → [link](/okf/blog/post.md)\n */\nfunction rewriteInternalLinks(markdown: string, allFiles: MdxFile[], baseUrl: string): string {\n  const slugSet = new Set(allFiles.map(f => f.slug))\n  const base = baseUrl.replace(/\\/$/, '')\n\n  return markdown.replace(/\\[([^\\]]+)\\]\\((\\/[^)]+)\\)/g, (match, text, href) => {\n    // Strip leading slash and any trailing .md to get candidate slug\n    const candidate = href.replace(/^\\//, '').replace(/\\.md$/, '')\n    if (slugSet.has(candidate)) {\n      return `[${text}](${base}/okf/${candidate}.md)`\n    }\n    return match\n  })\n}\n","import type { NextRequest } from 'next/server'\nimport { NextResponse } from 'next/server'\nimport { verifySession, verifyApiKey } from './admin-store.js'\n\nconst SESSION_COOKIE = 'ta_session'\n\n/**\n * Authenticate an API route request. Accepts (in order):\n * 1. X-TA-Api-Key header — for headless/external callers (mirrors WP's approach)\n * 2. Authorization: Bearer <api-key> — same key, different transport\n * 3. Valid ta_session cookie — browser dashboard session\n */\nexport function checkApiAuth(req: NextRequest): boolean {\n  // 1. X-TA-Api-Key header (WP-style headless key)\n  const apiKeyHeader = req.headers.get('x-ta-api-key')\n  if (apiKeyHeader) return verifyApiKey(apiKeyHeader)\n\n  // 2. Bearer token (treat as api key)\n  const auth = req.headers.get('authorization') ?? ''\n  if (auth.startsWith('Bearer ')) {\n    const token = auth.slice(7)\n    return verifyApiKey(token)\n  }\n\n  // 3. Browser session cookie\n  const session = req.cookies.get(SESSION_COOKIE)?.value\n  if (session) return verifySession(session)\n\n  return false\n}\n\n/**\n * Returns a 401 JSON response with the correct WWW-Authenticate header.\n * Use as: if (!checkApiAuth(req)) return unauthorizedResponse()\n */\nexport function unauthorizedResponse(): NextResponse {\n  return NextResponse.json(\n    { error: 'Unauthorized. Provide X-TA-Api-Key header or a valid session cookie.' },\n    {\n      status: 401,\n      headers: { 'WWW-Authenticate': 'Bearer realm=\"Third Audience API\"' },\n    }\n  )\n}\n","import fs from 'fs'\nimport path from 'path'\nimport crypto from 'crypto'\n\nexport interface AdminRecord {\n  passwordHash: string        // sha256(secret + password)\n  isDefaultPassword: boolean\n  createdAt: string\n  lastLoginAt: string | null\n  apiKey?: string             // AES-256-GCM encrypted, for headless/external API callers\n}\n\nfunction adminFilePath(): string {\n  const dataDir = process.env.TA_DATA_DIR ?? 'data'\n  return path.join(process.cwd(), dataDir, 'ta-admin.json')\n}\n\nexport function generateDefaultPassword(): string {\n  return crypto.randomBytes(6).toString('hex') // 12-char hex, easy to type\n}\n\nexport function hashPassword(password: string): string {\n  const secret = process.env.THIRD_AUDIENCE_SECRET ?? 'ta-salt'\n  return crypto.createHash('sha256').update(secret + password).digest('hex')\n}\n\nexport function loadAdmin(): AdminRecord | null {\n  const filePath = adminFilePath()\n  if (!fs.existsSync(filePath)) return null\n  try {\n    return JSON.parse(fs.readFileSync(filePath, 'utf-8')) as AdminRecord\n  } catch {\n    return null\n  }\n}\n\nexport function saveAdmin(record: AdminRecord): void {\n  const filePath = adminFilePath()\n  const dir = path.dirname(filePath)\n  if (!fs.existsSync(dir)) fs.mkdirSync(dir, { recursive: true })\n  fs.writeFileSync(filePath, JSON.stringify(record, null, 2), 'utf-8')\n}\n\nexport const DEFAULT_PASSWORD = 'Chang3M3Now!'\n\nexport function initAdmin(): { password: string; apiKey: string; isNew: boolean } {\n  const existing = loadAdmin()\n  if (existing) return { password: '', apiKey: '', isNew: false }\n\n  const apiKey = generateApiKey()\n  saveAdmin({\n    passwordHash: hashPassword(DEFAULT_PASSWORD),\n    isDefaultPassword: true,\n    createdAt: new Date().toISOString(),\n    lastLoginAt: null,\n    apiKey: encryptApiKey(apiKey),\n  })\n  return { password: DEFAULT_PASSWORD, apiKey, isNew: true }\n}\n\nexport function verifyPassword(password: string): boolean {\n  const record = loadAdmin()\n  if (!record) return false\n  return record.passwordHash === hashPassword(password)\n}\n\nexport function updatePassword(newPassword: string): void {\n  const record = loadAdmin()\n  if (!record) return\n  saveAdmin({\n    ...record,\n    passwordHash: hashPassword(newPassword),\n    isDefaultPassword: false,\n  })\n}\n\nexport function recordLogin(): void {\n  const record = loadAdmin()\n  if (!record) return\n  saveAdmin({ ...record, lastLoginAt: new Date().toISOString() })\n}\n\n// ---------------------------------------------------------------------------\n// API key — AES-256-GCM encrypted at rest, mirroring WP's SECURE_AUTH_KEY approach\n// ---------------------------------------------------------------------------\n\nconst CIPHER = 'aes-256-gcm'\n\nfunction getEncryptionKey(): Buffer {\n  const secret = process.env.THIRD_AUDIENCE_SECRET ?? 'ta-fallback-key-change-me'\n  // Derive a 32-byte key from the secret using SHA-256\n  return crypto.createHash('sha256').update(secret).digest()\n}\n\nfunction encryptApiKey(plaintext: string): string {\n  const iv = crypto.randomBytes(12)\n  const key = getEncryptionKey()\n  const cipher = crypto.createCipheriv(CIPHER, key, iv) as crypto.CipherGCM\n  const encrypted = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()])\n  const tag = cipher.getAuthTag()\n  // Format: iv(24 hex) + tag(32 hex) + encrypted(hex)\n  return iv.toString('hex') + tag.toString('hex') + encrypted.toString('hex')\n}\n\nfunction decryptApiKey(encoded: string): string | null {\n  try {\n    const iv = Buffer.from(encoded.slice(0, 24), 'hex')\n    const tag = Buffer.from(encoded.slice(24, 56), 'hex')\n    const encrypted = Buffer.from(encoded.slice(56), 'hex')\n    const key = getEncryptionKey()\n    const decipher = crypto.createDecipheriv(CIPHER, key, iv) as crypto.DecipherGCM\n    decipher.setAuthTag(tag)\n    return decipher.update(encrypted) + decipher.final('utf8')\n  } catch {\n    return null\n  }\n}\n\nexport function generateApiKey(): string {\n  return 'ta_' + crypto.randomBytes(24).toString('hex') // 51-char key\n}\n\nexport function getApiKey(): string | null {\n  const record = loadAdmin()\n  if (!record?.apiKey) return null\n  return decryptApiKey(record.apiKey)\n}\n\nexport function rotateApiKey(): string {\n  const record = loadAdmin()\n  if (!record) throw new Error('Admin store not initialised')\n  const newKey = generateApiKey()\n  saveAdmin({ ...record, apiKey: encryptApiKey(newKey) })\n  return newKey\n}\n\nexport function verifyApiKey(key: string): boolean {\n  const stored = getApiKey()\n  if (!stored) return false\n  if (key.length !== stored.length) return false\n  return crypto.timingSafeEqual(Buffer.from(key), Buffer.from(stored))\n}\n\n// ---------------------------------------------------------------------------\n// Session cookie: HMAC-SHA256(secret, userId + timestamp) — stateless, no DB\n// ---------------------------------------------------------------------------\nexport function signSession(payload: string): string {\n  const secret = process.env.THIRD_AUDIENCE_SECRET ?? 'ta-salt'\n  const sig = crypto.createHmac('sha256', secret).update(payload).digest('hex')\n  return `${payload}.${sig}`\n}\n\nexport function verifySession(token: string): boolean {\n  const lastDot = token.lastIndexOf('.')\n  if (lastDot === -1) return false\n  const payload = token.slice(0, lastDot)\n  const sig = token.slice(lastDot + 1)\n  const expected = crypto.createHmac('sha256', process.env.THIRD_AUDIENCE_SECRET ?? 'ta-salt')\n    .update(payload).digest('hex')\n  // Constant-time comparison\n  if (sig.length !== expected.length) return false\n  return crypto.timingSafeEqual(Buffer.from(sig, 'hex'), Buffer.from(expected, 'hex'))\n}\n"],"mappings":";AAAA,SAAS,gBAAAA,qBAAsC;AAC/C,OAAOC,WAAU;;;ACDjB,OAAO,QAAQ;AACf,OAAO,UAAU;AACjB,OAAO,YAAY;AAaZ,IAAM,YAAN,MAAgB;AAAA,EAGrB,YAAY,SAA2B;AACrC,SAAK,aAAa,QAAQ;AAAA,EAC5B;AAAA;AAAA,EAGA,KAAK,MAA8B;AACjC,UAAM,aAAa;AAAA,MACjB,KAAK,KAAK,KAAK,YAAY,GAAG,IAAI,MAAM;AAAA,MACxC,KAAK,KAAK,KAAK,YAAY,GAAG,IAAI,KAAK;AAAA,MACvC,KAAK,KAAK,KAAK,YAAY,MAAM,WAAW;AAAA,MAC5C,KAAK,KAAK,KAAK,YAAY,MAAM,UAAU;AAAA,IAC7C;AAEA,eAAW,YAAY,YAAY;AACjC,UAAI,GAAG,WAAW,QAAQ,GAAG;AAC3B,eAAO,KAAK,UAAU,MAAM,QAAQ;AAAA,MACtC;AAAA,IACF;AAEA,WAAO;AAAA,EACT;AAAA;AAAA,EAGA,UAAqB;AACnB,QAAI,CAAC,GAAG,WAAW,KAAK,UAAU,EAAG,QAAO,CAAC;AAC7C,WAAO,KAAK,QAAQ,KAAK,YAAY,KAAK,UAAU;AAAA,EACtD;AAAA,EAEQ,QAAQ,KAAa,MAAyB;AACpD,UAAM,UAAqB,CAAC;AAC5B,eAAW,SAAS,GAAG,YAAY,KAAK,EAAE,eAAe,KAAK,CAAC,GAAG;AAChE,YAAM,WAAW,KAAK,KAAK,KAAK,MAAM,IAAI;AAC1C,UAAI,MAAM,YAAY,GAAG;AACvB,gBAAQ,KAAK,GAAG,KAAK,QAAQ,UAAU,IAAI,CAAC;AAAA,MAC9C,WAAW,MAAM,KAAK,SAAS,MAAM,KAAK,MAAM,KAAK,SAAS,KAAK,GAAG;AACpE,cAAM,WAAW,KAAK,SAAS,MAAM,QAAQ;AAC7C,cAAM,OAAO,SAAS,QAAQ,eAAe,EAAE,EAAE,QAAQ,YAAY,EAAE;AACvE,gBAAQ,KAAK,KAAK,UAAU,MAAM,QAAQ,CAAC;AAAA,MAC7C;AAAA,IACF;AACA,WAAO;AAAA,EACT;AAAA,EAEQ,UAAU,MAAc,UAA2B;AACzD,UAAM,MAAM,GAAG,aAAa,UAAU,OAAO;AAC7C,UAAM,EAAE,MAAM,aAAa,SAAS,WAAW,IAAI,OAAO,GAAG;AAC7D,WAAO,EAAE,MAAM,UAAU,aAAa,WAAW;AAAA,EACnD;AACF;;;ACnDO,IAAM,mBAAN,MAAuB;AAAA,EAC5B,OAAO,MAAuB;AAC5B,UAAM,SAAS,KAAK,uBAAuB,KAAK,WAAW;AAC3D,UAAM,OAAO,KAAK,SAAS,KAAK,UAAU;AAC1C,WAAO,SAAS,GAAG,MAAM;AAAA;AAAA,EAAO,IAAI,KAAK;AAAA,EAC3C;AAAA,EAEQ,uBAAuB,IAAqC;AAClE,UAAM,OAAO,OAAO,KAAK,EAAE;AAC3B,QAAI,KAAK,WAAW,EAAG,QAAO;AAC9B,UAAM,QAAQ,KACX,OAAO,OAAK,GAAG,CAAC,MAAM,UAAa,GAAG,CAAC,MAAM,IAAI,EACjD,IAAI,OAAK,GAAG,CAAC,KAAK,KAAK,UAAU,GAAG,CAAC,CAAC,CAAC,EAAE;AAC5C,WAAO;AAAA,EAAQ,MAAM,KAAK,IAAI,CAAC;AAAA;AAAA,EACjC;AAAA,EAEQ,UAAU,KAAsB;AACtC,QAAI,OAAO,QAAQ,UAAU;AAE3B,aAAO,yBAAyB,KAAK,GAAG,IAAI,IAAI,IAAI,QAAQ,MAAM,KAAK,CAAC,MAAM;AAAA,IAChF;AACA,QAAI,eAAe,KAAM,QAAO,IAAI,YAAY;AAChD,QAAI,MAAM,QAAQ,GAAG,EAAG,QAAO,IAAI,IAAI,IAAI,OAAK,KAAK,UAAU,CAAC,CAAC,EAAE,KAAK,IAAI,CAAC;AAC7E,WAAO,OAAO,GAAG;AAAA,EACnB;AAAA,EAEQ,SAAS,SAAyB;AACxC,QAAI,MAAM;AAGV,UAAM,IAAI,QAAQ,oCAAoC,EAAE;AAGxD,UAAM,IAAI,QAAQ,kGAAkG,EAAE;AACtH,UAAM,IAAI,QAAQ,4DAA4D,EAAE;AAIhF,UAAM,IAAI,QAAQ,kCAAkC,EAAE;AAItD,UAAM,IAAI,QAAQ,8CAA8C,EAAE;AAGlE,UAAM,IAAI,QAAQ,wBAAwB,EAAE;AAG5C,UAAM,IAAI,QAAQ,WAAW,MAAM;AAEnC,WAAO,IAAI,KAAK;AAAA,EAClB;AACF;;;AChEA,IAAM,WAAW,IAAI,iBAAiB;AAwB/B,SAAS,cAAc,OAAkB,SAA+B;AAC7E,QAAM,OAAO,QAAQ,QAAQ,OAAO,EAAE;AACtC,QAAM,UAAU,IAAI,IAAI,MAAM,IAAI,OAAK,EAAE,IAAI,CAAC;AAG9C,QAAM,QAAQ,oBAAI,IAAoB;AACtC,aAAW,QAAQ,OAAO;AACxB,UAAM,IAAI,KAAK,MAAM,SAAS,OAAO,IAAI,CAAC;AAAA,EAC5C;AAGA,QAAM,UAAU,IAAI,IAAoB,MAAM,IAAI,OAAK,CAAC,EAAE,MAAM,CAAC,CAAC,CAAC;AACnE,QAAM,WAA2B,CAAC;AAElC,aAAW,QAAQ,OAAO;AACxB,UAAM,KAAK,MAAM,IAAI,KAAK,IAAI,KAAK;AACnC,UAAM,SAAS;AACf,QAAI;AACJ,YAAQ,IAAI,OAAO,KAAK,EAAE,OAAO,MAAM;AACrC,YAAM,YAAY,EAAE,CAAC,EAAE,QAAQ,OAAO,EAAE,EAAE,QAAQ,SAAS,EAAE;AAC7D,UAAI,QAAQ,IAAI,SAAS,KAAK,cAAc,KAAK,MAAM;AACrD,iBAAS,KAAK,EAAE,QAAQ,KAAK,MAAM,QAAQ,UAAU,CAAC;AACtD,gBAAQ,IAAI,KAAK,OAAO,QAAQ,IAAI,KAAK,IAAI,KAAK,KAAK,CAAC;AACxD,gBAAQ,IAAI,YAAY,QAAQ,IAAI,SAAS,KAAK,KAAK,CAAC;AAAA,MAC1D;AAAA,IACF;AAAA,EACF;AAGA,QAAM,SAAS,MACZ,MAAM,EACN,KAAK,CAAC,GAAG,OAAO,QAAQ,IAAI,EAAE,IAAI,KAAK,MAAM,QAAQ,IAAI,EAAE,IAAI,KAAK,EAAE,EACtE,MAAM,GAAG,GAAG;AACf,QAAM,SAAS,IAAI,IAAI,OAAO,IAAI,OAAK,EAAE,IAAI,CAAC;AAE9C,QAAM,QAAwB,OAAO,IAAI,QAAM;AAAA,IAC7C,IAAI,EAAE;AAAA,IACN,OAAO,OAAO,EAAE,YAAY,SAAS,EAAE,IAAI;AAAA,IAC3C,MAAM,OAAO,EAAE,YAAY,QAAQ,SAAS;AAAA,IAC5C,KAAK,GAAG,IAAI,IAAI,EAAE,IAAI;AAAA,EACxB,EAAE;AAEF,QAAM,QAAQ,SAAS,OAAO,OAAK,OAAO,IAAI,EAAE,MAAM,KAAK,OAAO,IAAI,EAAE,MAAM,CAAC;AAE/E,SAAO,EAAE,OAAO,MAAM;AACxB;;;ACvEA,SAAS,oBAAoB;;;ACD7B,OAAOC,SAAQ;AACf,OAAOC,WAAU;AACjB,OAAO,YAAY;AAUnB,SAAS,gBAAwB;AAC/B,QAAM,UAAU,QAAQ,IAAI,eAAe;AAC3C,SAAOA,MAAK,KAAK,QAAQ,IAAI,GAAG,SAAS,eAAe;AAC1D;AAWO,SAAS,YAAgC;AAC9C,QAAM,WAAW,cAAc;AAC/B,MAAI,CAACC,IAAG,WAAW,QAAQ,EAAG,QAAO;AACrC,MAAI;AACF,WAAO,KAAK,MAAMA,IAAG,aAAa,UAAU,OAAO,CAAC;AAAA,EACtD,QAAQ;AACN,WAAO;AAAA,EACT;AACF;AAoDA,IAAM,SAAS;AAEf,SAAS,mBAA2B;AAClC,QAAM,SAAS,QAAQ,IAAI,yBAAyB;AAEpD,SAAO,OAAO,WAAW,QAAQ,EAAE,OAAO,MAAM,EAAE,OAAO;AAC3D;AAYA,SAAS,cAAc,SAAgC;AACrD,MAAI;AACF,UAAM,KAAK,OAAO,KAAK,QAAQ,MAAM,GAAG,EAAE,GAAG,KAAK;AAClD,UAAM,MAAM,OAAO,KAAK,QAAQ,MAAM,IAAI,EAAE,GAAG,KAAK;AACpD,UAAM,YAAY,OAAO,KAAK,QAAQ,MAAM,EAAE,GAAG,KAAK;AACtD,UAAM,MAAM,iBAAiB;AAC7B,UAAM,WAAW,OAAO,iBAAiB,QAAQ,KAAK,EAAE;AACxD,aAAS,WAAW,GAAG;AACvB,WAAO,SAAS,OAAO,SAAS,IAAI,SAAS,MAAM,MAAM;AAAA,EAC3D,QAAQ;AACN,WAAO;AAAA,EACT;AACF;AAMO,SAAS,YAA2B;AACzC,QAAM,SAAS,UAAU;AACzB,MAAI,CAAC,QAAQ,OAAQ,QAAO;AAC5B,SAAO,cAAc,OAAO,MAAM;AACpC;AAUO,SAAS,aAAa,KAAsB;AACjD,QAAM,SAAS,UAAU;AACzB,MAAI,CAAC,OAAQ,QAAO;AACpB,MAAI,IAAI,WAAW,OAAO,OAAQ,QAAO;AACzC,SAAO,OAAO,gBAAgB,OAAO,KAAK,GAAG,GAAG,OAAO,KAAK,MAAM,CAAC;AACrE;AAWO,SAAS,cAAc,OAAwB;AACpD,QAAM,UAAU,MAAM,YAAY,GAAG;AACrC,MAAI,YAAY,GAAI,QAAO;AAC3B,QAAM,UAAU,MAAM,MAAM,GAAG,OAAO;AACtC,QAAM,MAAM,MAAM,MAAM,UAAU,CAAC;AACnC,QAAM,WAAW,OAAO,WAAW,UAAU,QAAQ,IAAI,yBAAyB,SAAS,EACxF,OAAO,OAAO,EAAE,OAAO,KAAK;AAE/B,MAAI,IAAI,WAAW,SAAS,OAAQ,QAAO;AAC3C,SAAO,OAAO,gBAAgB,OAAO,KAAK,KAAK,KAAK,GAAG,OAAO,KAAK,UAAU,KAAK,CAAC;AACrF;;;AD9JA,IAAM,iBAAiB;AAQhB,SAAS,aAAa,KAA2B;AAEtD,QAAM,eAAe,IAAI,QAAQ,IAAI,cAAc;AACnD,MAAI,aAAc,QAAO,aAAa,YAAY;AAGlD,QAAM,OAAO,IAAI,QAAQ,IAAI,eAAe,KAAK;AACjD,MAAI,KAAK,WAAW,SAAS,GAAG;AAC9B,UAAM,QAAQ,KAAK,MAAM,CAAC;AAC1B,WAAO,aAAa,KAAK;AAAA,EAC3B;AAGA,QAAM,UAAU,IAAI,QAAQ,IAAI,cAAc,GAAG;AACjD,MAAI,QAAS,QAAO,cAAc,OAAO;AAEzC,SAAO;AACT;AAMO,SAAS,uBAAqC;AACnD,SAAO,aAAa;AAAA,IAClB,EAAE,OAAO,uEAAuE;AAAA,IAChF;AAAA,MACE,QAAQ;AAAA,MACR,SAAS,EAAE,oBAAoB,oCAAoC;AAAA,IACrE;AAAA,EACF;AACF;;;AJrCA,IAAM,SAAS,IAAI,UAAU,EAAE,YAAYC,MAAK,KAAK,QAAQ,IAAI,GAAG,QAAQ,IAAI,kBAAkB,SAAS,EAAE,CAAC;AAG9G,eAAsB,IAAI,KAAyC;AACjE,MAAI,CAAC,aAAa,GAAG,EAAG,QAAO,qBAAqB;AAEpD,QAAM,UAAU,QAAQ,IAAI,wBACvB,GAAG,IAAI,QAAQ,QAAQ,KAAK,IAAI,QAAQ,IAAI;AAEjD,QAAM,QAAQ,OAAO,QAAQ;AAC7B,QAAM,QAAQ,cAAc,OAAO,OAAO;AAE1C,SAAOC,cAAa,KAAK;AAAA,IACvB;AAAA,IACA,OAAO;AAAA,MACL,OAAO,MAAM;AAAA,MACb,OAAO,MAAM,MAAM;AAAA,MACnB,OAAO,MAAM,MAAM;AAAA,IACrB;AAAA,IACA,UAAU,GAAG,OAAO;AAAA,EACtB,CAAC;AACH;","names":["NextResponse","path","fs","path","fs","path","NextResponse"]}

package/dist/dashboard/routes/okf-route.js

@@ -165,7 +165,7 @@ async function GET(req, { params }) {
   const baseUrl = process.env.NEXT_PUBLIC_SITE_URL ?? `${req.nextUrl.protocol}//${req.nextUrl.host}`;
   const allFiles = reader.readAll();
   const segments = params.path ?? [];
-  if (segments.length === 0 || segments.length === 1 && segments[0] === "index.md") {
+  if (segments.length === 0 || segments.length === 1 && (segments[0] === "index.md" || segments[0] === "index")) {
     return new import_server.NextResponse(generateOkfIndex(allFiles, baseUrl), {
       headers: { "Content-Type": "text/markdown; charset=utf-8" }
     });