third-audience-mdx 1.0.0

package/dist/cli/index.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../../src/cli/commands/init.ts","../../src/cli/commands/health.ts","../../src/cli/commands/export.ts","../../src/cli/index.ts"],"sourcesContent":["import fs from 'fs'\nimport path from 'path'\nimport readline from 'readline'\n\nexport async function init(): Promise<void> {\n  const cwd = process.cwd()\n  console.log('\\n🎯 third-audience-mdx setup\\n')\n\n  // Detect Next.js\n  const pkgPath = path.join(cwd, 'package.json')\n  if (!fs.existsSync(pkgPath)) {\n    console.error('No package.json found. Run this from your Next.js project root.')\n    process.exit(1)\n  }\n  const pkg = JSON.parse(fs.readFileSync(pkgPath, 'utf-8'))\n  if (!pkg.dependencies?.next && !pkg.devDependencies?.next) {\n    console.warn('⚠  next not found in package.json — make sure this is a Next.js project.')\n  }\n\n  const rl = readline.createInterface({ input: process.stdin, output: process.stdout })\n  const ask = (q: string, def: string) => new Promise<string>(r =>\n    rl.question(`${q} (${def}): `, ans => r(ans.trim() || def))\n  )\n\n  const contentDir = await ask('Content directory (where your .mdx files live)', 'content')\n  const dataDir = await ask('Data directory (for analytics logs)', 'data')\n  const secret = await ask('Dashboard secret (leave blank to disable auth in dev)', '')\n  rl.close()\n\n  // Write middleware.ts if not exists\n  const middlewarePath = path.join(cwd, 'middleware.ts')\n  if (!fs.existsSync(middlewarePath)) {\n    fs.writeFileSync(middlewarePath, `export { thirdAudienceMiddleware as middleware } from 'third-audience-mdx'\\nexport const config = { matcher: ['/((?!_next|api).*)'] }\\n`)\n    console.log('✅ Created middleware.ts')\n  } else {\n    console.log('⚠  middleware.ts already exists — add thirdAudienceMiddleware manually.')\n  }\n\n  // Write .env.local additions\n  const envPath = path.join(cwd, '.env.local')\n  const envLines = [`THIRD_AUDIENCE_SECRET=${secret}`, `NEXT_PUBLIC_SITE_URL=http://localhost:3000`]\n  const envContent = envLines.join('\\n') + '\\n'\n  if (!fs.existsSync(envPath)) {\n    fs.writeFileSync(envPath, envContent)\n    console.log('✅ Created .env.local')\n  } else {\n    fs.appendFileSync(envPath, '\\n# Third Audience\\n' + envContent)\n    console.log('✅ Appended to .env.local')\n  }\n\n  // Create data dir and .gitignore entry\n  fs.mkdirSync(path.join(cwd, dataDir, 'ta-cache'), { recursive: true })\n  const gitignorePath = path.join(cwd, '.gitignore')\n  const gitignoreAdditions = `\\n# Third Audience analytics (local only)\\n${dataDir}/ta-visits.jsonl\\n${dataDir}/ta-citations.jsonl\\n${dataDir}/ta-cache/\\n`\n  if (fs.existsSync(gitignorePath)) {\n    fs.appendFileSync(gitignorePath, gitignoreAdditions)\n  } else {\n    fs.writeFileSync(gitignorePath, gitignoreAdditions.trimStart())\n  }\n  console.log(`✅ Created ${dataDir}/ and updated .gitignore`)\n\n  console.log(`\n✅ Setup complete!\n\nNext steps:\n  1. Add to next.config.ts:\n       import { withThirdAudience } from 'third-audience-mdx'\n       export default withThirdAudience({ contentDir: '${contentDir}', dataDir: '${dataDir}' })\n\n  2. Add API routes in app/api/third-audience/ (see docs)\n\n  3. Visit /third-audience/ for your dashboard\n`)\n}\n","import fs from 'fs'\nimport path from 'path'\n\nexport async function health(): Promise<void> {\n  const cwd = process.cwd()\n  const checks: Array<{ label: string; ok: boolean; note?: string }> = []\n\n  // Node version\n  const nodeVersion = process.versions.node\n  const [nodeMajor] = nodeVersion.split('.').map(Number)\n  checks.push({ label: `Node.js ${nodeVersion}`, ok: nodeMajor >= 18, note: nodeMajor < 18 ? 'requires Node 18+' : undefined })\n\n  // package.json\n  const pkgPath = path.join(cwd, 'package.json')\n  checks.push({ label: 'package.json', ok: fs.existsSync(pkgPath) })\n\n  // next installed\n  const nextPath = path.join(cwd, 'node_modules', 'next')\n  checks.push({ label: 'next installed', ok: fs.existsSync(nextPath) })\n\n  // middleware.ts\n  const middlewarePath = path.join(cwd, 'middleware.ts')\n  checks.push({ label: 'middleware.ts', ok: fs.existsSync(middlewarePath) })\n\n  // content dir\n  const contentDir = process.env.TA_CONTENT_DIR ?? 'content'\n  const contentPath = path.join(cwd, contentDir)\n  const contentExists = fs.existsSync(contentPath)\n  const mdxCount = contentExists\n    ? countFiles(contentPath, ['.mdx', '.md'])\n    : 0\n  checks.push({ label: `contentDir (${contentDir})`, ok: contentExists, note: contentExists ? `${mdxCount} MDX files` : 'directory not found' })\n\n  // data dir\n  const dataDir = process.env.TA_DATA_DIR ?? 'data'\n  const dataPath = path.join(cwd, dataDir)\n  checks.push({ label: `dataDir (${dataDir})`, ok: fs.existsSync(dataPath) })\n\n  // JSONL files\n  const visitsPath = path.join(cwd, dataDir, 'ta-visits.jsonl')\n  const citationsPath = path.join(cwd, dataDir, 'ta-citations.jsonl')\n  const visitLines = fs.existsSync(visitsPath) ? countLines(visitsPath) : 0\n  const citationLines = fs.existsSync(citationsPath) ? countLines(citationsPath) : 0\n  checks.push({ label: 'ta-visits.jsonl', ok: true, note: `${visitLines} records` })\n  checks.push({ label: 'ta-citations.jsonl', ok: true, note: `${citationLines} records` })\n\n  // dashboard secret\n  checks.push({ label: 'THIRD_AUDIENCE_SECRET', ok: !!process.env.THIRD_AUDIENCE_SECRET, note: !process.env.THIRD_AUDIENCE_SECRET ? 'not set (dashboard is open)' : 'set' })\n\n  console.log('\\n🏥 third-audience health check\\n')\n  for (const c of checks) {\n    const icon = c.ok ? '✅' : '❌'\n    const note = c.note ? `  (${c.note})` : ''\n    console.log(`  ${icon}  ${c.label}${note}`)\n  }\n  console.log()\n}\n\nfunction countFiles(dir: string, exts: string[]): number {\n  let count = 0\n  for (const entry of fs.readdirSync(dir, { withFileTypes: true })) {\n    if (entry.isDirectory()) count += countFiles(path.join(dir, entry.name), exts)\n    else if (exts.some(e => entry.name.endsWith(e))) count++\n  }\n  return count\n}\n\nfunction countLines(filePath: string): number {\n  return fs.readFileSync(filePath, 'utf-8').split('\\n').filter(Boolean).length\n}\n","import fs from 'fs'\nimport path from 'path'\n\nexport async function exportData(args: string[]): Promise<void> {\n  const dataDir = process.env.TA_DATA_DIR ?? 'data'\n  const type = args[0] ?? 'visits'\n  const outPath = args[1] ?? `ta-${type}-export.csv`\n\n  const file = type === 'citations' ? 'ta-citations.jsonl' : 'ta-visits.jsonl'\n  const jsonlPath = path.join(process.cwd(), dataDir, file)\n\n  if (!fs.existsSync(jsonlPath)) {\n    console.error(`No data found at ${jsonlPath}`)\n    process.exit(1)\n  }\n\n  const records = fs.readFileSync(jsonlPath, 'utf-8')\n    .split('\\n')\n    .filter(Boolean)\n    .map(l => { try { return JSON.parse(l) } catch { return null } })\n    .filter(Boolean)\n\n  if (records.length === 0) {\n    console.log('No records to export.')\n    return\n  }\n\n  const headers = Object.keys(records[0])\n  const csv = [\n    headers.join(','),\n    ...records.map(r => headers.map(h => csvCell(r[h])).join(',')),\n  ].join('\\n') + '\\n'\n\n  fs.writeFileSync(outPath, csv)\n  console.log(`✅ Exported ${records.length} records to ${outPath}`)\n}\n\nfunction csvCell(val: unknown): string {\n  if (val === null || val === undefined) return ''\n  const s = String(val)\n  if (/[\",\\n]/.test(s)) return `\"${s.replace(/\"/g, '\"\"')}\"`\n  return s\n}\n","#!/usr/bin/env node\nimport { init } from './commands/init.js'\nimport { health } from './commands/health.js'\nimport { exportData } from './commands/export.js'\n\nconst [,, command, ...args] = process.argv\n\nswitch (command) {\n  case 'init':\n    init().catch(console.error)\n    break\n  case 'health':\n    health().catch(console.error)\n    break\n  case 'export':\n    exportData(args).catch(console.error)\n    break\n  default:\n    console.log(`third-audience CLI\n\nCommands:\n  init      Set up third-audience-mdx in your Next.js project\n  health    Show system health status\n  export    Export analytics data as CSV\n\nUsage: npx third-audience <command>`)\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;AAAA,gBAAe;AACf,kBAAiB;AACjB,sBAAqB;AAErB,eAAsB,OAAsB;AAC1C,QAAM,MAAM,QAAQ,IAAI;AACxB,UAAQ,IAAI,wCAAiC;AAG7C,QAAM,UAAU,YAAAA,QAAK,KAAK,KAAK,cAAc;AAC7C,MAAI,CAAC,UAAAC,QAAG,WAAW,OAAO,GAAG;AAC3B,YAAQ,MAAM,iEAAiE;AAC/E,YAAQ,KAAK,CAAC;AAAA,EAChB;AACA,QAAM,MAAM,KAAK,MAAM,UAAAA,QAAG,aAAa,SAAS,OAAO,CAAC;AACxD,MAAI,CAAC,IAAI,cAAc,QAAQ,CAAC,IAAI,iBAAiB,MAAM;AACzD,YAAQ,KAAK,oFAA0E;AAAA,EACzF;AAEA,QAAM,KAAK,gBAAAC,QAAS,gBAAgB,EAAE,OAAO,QAAQ,OAAO,QAAQ,QAAQ,OAAO,CAAC;AACpF,QAAM,MAAM,CAAC,GAAW,QAAgB,IAAI;AAAA,IAAgB,OAC1D,GAAG,SAAS,GAAG,CAAC,KAAK,GAAG,OAAO,SAAO,EAAE,IAAI,KAAK,KAAK,GAAG,CAAC;AAAA,EAC5D;AAEA,QAAM,aAAa,MAAM,IAAI,kDAAkD,SAAS;AACxF,QAAM,UAAU,MAAM,IAAI,uCAAuC,MAAM;AACvE,QAAM,SAAS,MAAM,IAAI,yDAAyD,EAAE;AACpF,KAAG,MAAM;AAGT,QAAM,iBAAiB,YAAAF,QAAK,KAAK,KAAK,eAAe;AACrD,MAAI,CAAC,UAAAC,QAAG,WAAW,cAAc,GAAG;AAClC,cAAAA,QAAG,cAAc,gBAAgB;AAAA;AAAA,CAAyI;AAC1K,YAAQ,IAAI,8BAAyB;AAAA,EACvC,OAAO;AACL,YAAQ,IAAI,mFAAyE;AAAA,EACvF;AAGA,QAAM,UAAU,YAAAD,QAAK,KAAK,KAAK,YAAY;AAC3C,QAAM,WAAW,CAAC,yBAAyB,MAAM,IAAI,4CAA4C;AACjG,QAAM,aAAa,SAAS,KAAK,IAAI,IAAI;AACzC,MAAI,CAAC,UAAAC,QAAG,WAAW,OAAO,GAAG;AAC3B,cAAAA,QAAG,cAAc,SAAS,UAAU;AACpC,YAAQ,IAAI,2BAAsB;AAAA,EACpC,OAAO;AACL,cAAAA,QAAG,eAAe,SAAS,yBAAyB,UAAU;AAC9D,YAAQ,IAAI,+BAA0B;AAAA,EACxC;AAGA,YAAAA,QAAG,UAAU,YAAAD,QAAK,KAAK,KAAK,SAAS,UAAU,GAAG,EAAE,WAAW,KAAK,CAAC;AACrE,QAAM,gBAAgB,YAAAA,QAAK,KAAK,KAAK,YAAY;AACjD,QAAM,qBAAqB;AAAA;AAAA,EAA8C,OAAO;AAAA,EAAqB,OAAO;AAAA,EAAwB,OAAO;AAAA;AAC3I,MAAI,UAAAC,QAAG,WAAW,aAAa,GAAG;AAChC,cAAAA,QAAG,eAAe,eAAe,kBAAkB;AAAA,EACrD,OAAO;AACL,cAAAA,QAAG,cAAc,eAAe,mBAAmB,UAAU,CAAC;AAAA,EAChE;AACA,UAAQ,IAAI,kBAAa,OAAO,0BAA0B;AAE1D,UAAQ,IAAI;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,yDAM2C,UAAU,gBAAgB,OAAO;AAAA;AAAA;AAAA;AAAA;AAAA,CAKzF;AACD;;;ACzEA,IAAAE,aAAe;AACf,IAAAC,eAAiB;AAEjB,eAAsB,SAAwB;AAC5C,QAAM,MAAM,QAAQ,IAAI;AACxB,QAAM,SAA+D,CAAC;AAGtE,QAAM,cAAc,QAAQ,SAAS;AACrC,QAAM,CAAC,SAAS,IAAI,YAAY,MAAM,GAAG,EAAE,IAAI,MAAM;AACrD,SAAO,KAAK,EAAE,OAAO,WAAW,WAAW,IAAI,IAAI,aAAa,IAAI,MAAM,YAAY,KAAK,sBAAsB,OAAU,CAAC;AAG5H,QAAM,UAAU,aAAAC,QAAK,KAAK,KAAK,cAAc;AAC7C,SAAO,KAAK,EAAE,OAAO,gBAAgB,IAAI,WAAAC,QAAG,WAAW,OAAO,EAAE,CAAC;AAGjE,QAAM,WAAW,aAAAD,QAAK,KAAK,KAAK,gBAAgB,MAAM;AACtD,SAAO,KAAK,EAAE,OAAO,kBAAkB,IAAI,WAAAC,QAAG,WAAW,QAAQ,EAAE,CAAC;AAGpE,QAAM,iBAAiB,aAAAD,QAAK,KAAK,KAAK,eAAe;AACrD,SAAO,KAAK,EAAE,OAAO,iBAAiB,IAAI,WAAAC,QAAG,WAAW,cAAc,EAAE,CAAC;AAGzE,QAAM,aAAa,QAAQ,IAAI,kBAAkB;AACjD,QAAM,cAAc,aAAAD,QAAK,KAAK,KAAK,UAAU;AAC7C,QAAM,gBAAgB,WAAAC,QAAG,WAAW,WAAW;AAC/C,QAAM,WAAW,gBACb,WAAW,aAAa,CAAC,QAAQ,KAAK,CAAC,IACvC;AACJ,SAAO,KAAK,EAAE,OAAO,eAAe,UAAU,KAAK,IAAI,eAAe,MAAM,gBAAgB,GAAG,QAAQ,eAAe,sBAAsB,CAAC;AAG7I,QAAM,UAAU,QAAQ,IAAI,eAAe;AAC3C,QAAM,WAAW,aAAAD,QAAK,KAAK,KAAK,OAAO;AACvC,SAAO,KAAK,EAAE,OAAO,YAAY,OAAO,KAAK,IAAI,WAAAC,QAAG,WAAW,QAAQ,EAAE,CAAC;AAG1E,QAAM,aAAa,aAAAD,QAAK,KAAK,KAAK,SAAS,iBAAiB;AAC5D,QAAM,gBAAgB,aAAAA,QAAK,KAAK,KAAK,SAAS,oBAAoB;AAClE,QAAM,aAAa,WAAAC,QAAG,WAAW,UAAU,IAAI,WAAW,UAAU,IAAI;AACxE,QAAM,gBAAgB,WAAAA,QAAG,WAAW,aAAa,IAAI,WAAW,aAAa,IAAI;AACjF,SAAO,KAAK,EAAE,OAAO,mBAAmB,IAAI,MAAM,MAAM,GAAG,UAAU,WAAW,CAAC;AACjF,SAAO,KAAK,EAAE,OAAO,sBAAsB,IAAI,MAAM,MAAM,GAAG,aAAa,WAAW,CAAC;AAGvF,SAAO,KAAK,EAAE,OAAO,yBAAyB,IAAI,CAAC,CAAC,QAAQ,IAAI,uBAAuB,MAAM,CAAC,QAAQ,IAAI,wBAAwB,gCAAgC,MAAM,CAAC;AAEzK,UAAQ,IAAI,2CAAoC;AAChD,aAAW,KAAK,QAAQ;AACtB,UAAM,OAAO,EAAE,KAAK,WAAM;AAC1B,UAAM,OAAO,EAAE,OAAO,MAAM,EAAE,IAAI,MAAM;AACxC,YAAQ,IAAI,KAAK,IAAI,KAAK,EAAE,KAAK,GAAG,IAAI,EAAE;AAAA,EAC5C;AACA,UAAQ,IAAI;AACd;AAEA,SAAS,WAAW,KAAa,MAAwB;AACvD,MAAI,QAAQ;AACZ,aAAW,SAAS,WAAAA,QAAG,YAAY,KAAK,EAAE,eAAe,KAAK,CAAC,GAAG;AAChE,QAAI,MAAM,YAAY,EAAG,UAAS,WAAW,aAAAD,QAAK,KAAK,KAAK,MAAM,IAAI,GAAG,IAAI;AAAA,aACpE,KAAK,KAAK,OAAK,MAAM,KAAK,SAAS,CAAC,CAAC,EAAG;AAAA,EACnD;AACA,SAAO;AACT;AAEA,SAAS,WAAW,UAA0B;AAC5C,SAAO,WAAAC,QAAG,aAAa,UAAU,OAAO,EAAE,MAAM,IAAI,EAAE,OAAO,OAAO,EAAE;AACxE;;;ACrEA,IAAAC,aAAe;AACf,IAAAC,eAAiB;AAEjB,eAAsB,WAAWC,OAA+B;AAC9D,QAAM,UAAU,QAAQ,IAAI,eAAe;AAC3C,QAAM,OAAOA,MAAK,CAAC,KAAK;AACxB,QAAM,UAAUA,MAAK,CAAC,KAAK,MAAM,IAAI;AAErC,QAAM,OAAO,SAAS,cAAc,uBAAuB;AAC3D,QAAM,YAAY,aAAAC,QAAK,KAAK,QAAQ,IAAI,GAAG,SAAS,IAAI;AAExD,MAAI,CAAC,WAAAC,QAAG,WAAW,SAAS,GAAG;AAC7B,YAAQ,MAAM,oBAAoB,SAAS,EAAE;AAC7C,YAAQ,KAAK,CAAC;AAAA,EAChB;AAEA,QAAM,UAAU,WAAAA,QAAG,aAAa,WAAW,OAAO,EAC/C,MAAM,IAAI,EACV,OAAO,OAAO,EACd,IAAI,OAAK;AAAE,QAAI;AAAE,aAAO,KAAK,MAAM,CAAC;AAAA,IAAE,QAAQ;AAAE,aAAO;AAAA,IAAK;AAAA,EAAE,CAAC,EAC/D,OAAO,OAAO;AAEjB,MAAI,QAAQ,WAAW,GAAG;AACxB,YAAQ,IAAI,uBAAuB;AACnC;AAAA,EACF;AAEA,QAAM,UAAU,OAAO,KAAK,QAAQ,CAAC,CAAC;AACtC,QAAM,MAAM;AAAA,IACV,QAAQ,KAAK,GAAG;AAAA,IAChB,GAAG,QAAQ,IAAI,OAAK,QAAQ,IAAI,OAAK,QAAQ,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,GAAG,CAAC;AAAA,EAC/D,EAAE,KAAK,IAAI,IAAI;AAEf,aAAAA,QAAG,cAAc,SAAS,GAAG;AAC7B,UAAQ,IAAI,mBAAc,QAAQ,MAAM,eAAe,OAAO,EAAE;AAClE;AAEA,SAAS,QAAQ,KAAsB;AACrC,MAAI,QAAQ,QAAQ,QAAQ,OAAW,QAAO;AAC9C,QAAM,IAAI,OAAO,GAAG;AACpB,MAAI,SAAS,KAAK,CAAC,EAAG,QAAO,IAAI,EAAE,QAAQ,MAAM,IAAI,CAAC;AACtD,SAAO;AACT;;;ACrCA,IAAM,CAAC,EAAC,EAAE,SAAS,GAAG,IAAI,IAAI,QAAQ;AAEtC,QAAQ,SAAS;AAAA,EACf,KAAK;AACH,SAAK,EAAE,MAAM,QAAQ,KAAK;AAC1B;AAAA,EACF,KAAK;AACH,WAAO,EAAE,MAAM,QAAQ,KAAK;AAC5B;AAAA,EACF,KAAK;AACH,eAAW,IAAI,EAAE,MAAM,QAAQ,KAAK;AACpC;AAAA,EACF;AACE,YAAQ,IAAI;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,oCAOoB;AACpC;","names":["path","fs","readline","import_fs","import_path","path","fs","import_fs","import_path","args","path","fs"]}

package/dist/cli/index.mjs

@@ -0,0 +1,185 @@
+#!/usr/bin/env node
+
+// src/cli/commands/init.ts
+import fs from "fs";
+import path from "path";
+import readline from "readline";
+async function init() {
+  const cwd = process.cwd();
+  console.log("\n\u{1F3AF} third-audience-mdx setup\n");
+  const pkgPath = path.join(cwd, "package.json");
+  if (!fs.existsSync(pkgPath)) {
+    console.error("No package.json found. Run this from your Next.js project root.");
+    process.exit(1);
+  }
+  const pkg = JSON.parse(fs.readFileSync(pkgPath, "utf-8"));
+  if (!pkg.dependencies?.next && !pkg.devDependencies?.next) {
+    console.warn("\u26A0  next not found in package.json \u2014 make sure this is a Next.js project.");
+  }
+  const rl = readline.createInterface({ input: process.stdin, output: process.stdout });
+  const ask = (q, def) => new Promise(
+    (r) => rl.question(`${q} (${def}): `, (ans) => r(ans.trim() || def))
+  );
+  const contentDir = await ask("Content directory (where your .mdx files live)", "content");
+  const dataDir = await ask("Data directory (for analytics logs)", "data");
+  const secret = await ask("Dashboard secret (leave blank to disable auth in dev)", "");
+  rl.close();
+  const middlewarePath = path.join(cwd, "middleware.ts");
+  if (!fs.existsSync(middlewarePath)) {
+    fs.writeFileSync(middlewarePath, `export { thirdAudienceMiddleware as middleware } from 'third-audience-mdx'
+export const config = { matcher: ['/((?!_next|api).*)'] }
+`);
+    console.log("\u2705 Created middleware.ts");
+  } else {
+    console.log("\u26A0  middleware.ts already exists \u2014 add thirdAudienceMiddleware manually.");
+  }
+  const envPath = path.join(cwd, ".env.local");
+  const envLines = [`THIRD_AUDIENCE_SECRET=${secret}`, `NEXT_PUBLIC_SITE_URL=http://localhost:3000`];
+  const envContent = envLines.join("\n") + "\n";
+  if (!fs.existsSync(envPath)) {
+    fs.writeFileSync(envPath, envContent);
+    console.log("\u2705 Created .env.local");
+  } else {
+    fs.appendFileSync(envPath, "\n# Third Audience\n" + envContent);
+    console.log("\u2705 Appended to .env.local");
+  }
+  fs.mkdirSync(path.join(cwd, dataDir, "ta-cache"), { recursive: true });
+  const gitignorePath = path.join(cwd, ".gitignore");
+  const gitignoreAdditions = `
+# Third Audience analytics (local only)
+${dataDir}/ta-visits.jsonl
+${dataDir}/ta-citations.jsonl
+${dataDir}/ta-cache/
+`;
+  if (fs.existsSync(gitignorePath)) {
+    fs.appendFileSync(gitignorePath, gitignoreAdditions);
+  } else {
+    fs.writeFileSync(gitignorePath, gitignoreAdditions.trimStart());
+  }
+  console.log(`\u2705 Created ${dataDir}/ and updated .gitignore`);
+  console.log(`
+\u2705 Setup complete!
+
+Next steps:
+  1. Add to next.config.ts:
+       import { withThirdAudience } from 'third-audience-mdx'
+       export default withThirdAudience({ contentDir: '${contentDir}', dataDir: '${dataDir}' })
+
+  2. Add API routes in app/api/third-audience/ (see docs)
+
+  3. Visit /third-audience/ for your dashboard
+`);
+}
+
+// src/cli/commands/health.ts
+import fs2 from "fs";
+import path2 from "path";
+async function health() {
+  const cwd = process.cwd();
+  const checks = [];
+  const nodeVersion = process.versions.node;
+  const [nodeMajor] = nodeVersion.split(".").map(Number);
+  checks.push({ label: `Node.js ${nodeVersion}`, ok: nodeMajor >= 18, note: nodeMajor < 18 ? "requires Node 18+" : void 0 });
+  const pkgPath = path2.join(cwd, "package.json");
+  checks.push({ label: "package.json", ok: fs2.existsSync(pkgPath) });
+  const nextPath = path2.join(cwd, "node_modules", "next");
+  checks.push({ label: "next installed", ok: fs2.existsSync(nextPath) });
+  const middlewarePath = path2.join(cwd, "middleware.ts");
+  checks.push({ label: "middleware.ts", ok: fs2.existsSync(middlewarePath) });
+  const contentDir = process.env.TA_CONTENT_DIR ?? "content";
+  const contentPath = path2.join(cwd, contentDir);
+  const contentExists = fs2.existsSync(contentPath);
+  const mdxCount = contentExists ? countFiles(contentPath, [".mdx", ".md"]) : 0;
+  checks.push({ label: `contentDir (${contentDir})`, ok: contentExists, note: contentExists ? `${mdxCount} MDX files` : "directory not found" });
+  const dataDir = process.env.TA_DATA_DIR ?? "data";
+  const dataPath = path2.join(cwd, dataDir);
+  checks.push({ label: `dataDir (${dataDir})`, ok: fs2.existsSync(dataPath) });
+  const visitsPath = path2.join(cwd, dataDir, "ta-visits.jsonl");
+  const citationsPath = path2.join(cwd, dataDir, "ta-citations.jsonl");
+  const visitLines = fs2.existsSync(visitsPath) ? countLines(visitsPath) : 0;
+  const citationLines = fs2.existsSync(citationsPath) ? countLines(citationsPath) : 0;
+  checks.push({ label: "ta-visits.jsonl", ok: true, note: `${visitLines} records` });
+  checks.push({ label: "ta-citations.jsonl", ok: true, note: `${citationLines} records` });
+  checks.push({ label: "THIRD_AUDIENCE_SECRET", ok: !!process.env.THIRD_AUDIENCE_SECRET, note: !process.env.THIRD_AUDIENCE_SECRET ? "not set (dashboard is open)" : "set" });
+  console.log("\n\u{1F3E5} third-audience health check\n");
+  for (const c of checks) {
+    const icon = c.ok ? "\u2705" : "\u274C";
+    const note = c.note ? `  (${c.note})` : "";
+    console.log(`  ${icon}  ${c.label}${note}`);
+  }
+  console.log();
+}
+function countFiles(dir, exts) {
+  let count = 0;
+  for (const entry of fs2.readdirSync(dir, { withFileTypes: true })) {
+    if (entry.isDirectory()) count += countFiles(path2.join(dir, entry.name), exts);
+    else if (exts.some((e) => entry.name.endsWith(e))) count++;
+  }
+  return count;
+}
+function countLines(filePath) {
+  return fs2.readFileSync(filePath, "utf-8").split("\n").filter(Boolean).length;
+}
+
+// src/cli/commands/export.ts
+import fs3 from "fs";
+import path3 from "path";
+async function exportData(args2) {
+  const dataDir = process.env.TA_DATA_DIR ?? "data";
+  const type = args2[0] ?? "visits";
+  const outPath = args2[1] ?? `ta-${type}-export.csv`;
+  const file = type === "citations" ? "ta-citations.jsonl" : "ta-visits.jsonl";
+  const jsonlPath = path3.join(process.cwd(), dataDir, file);
+  if (!fs3.existsSync(jsonlPath)) {
+    console.error(`No data found at ${jsonlPath}`);
+    process.exit(1);
+  }
+  const records = fs3.readFileSync(jsonlPath, "utf-8").split("\n").filter(Boolean).map((l) => {
+    try {
+      return JSON.parse(l);
+    } catch {
+      return null;
+    }
+  }).filter(Boolean);
+  if (records.length === 0) {
+    console.log("No records to export.");
+    return;
+  }
+  const headers = Object.keys(records[0]);
+  const csv = [
+    headers.join(","),
+    ...records.map((r) => headers.map((h) => csvCell(r[h])).join(","))
+  ].join("\n") + "\n";
+  fs3.writeFileSync(outPath, csv);
+  console.log(`\u2705 Exported ${records.length} records to ${outPath}`);
+}
+function csvCell(val) {
+  if (val === null || val === void 0) return "";
+  const s = String(val);
+  if (/[",\n]/.test(s)) return `"${s.replace(/"/g, '""')}"`;
+  return s;
+}
+
+// src/cli/index.ts
+var [, , command, ...args] = process.argv;
+switch (command) {
+  case "init":
+    init().catch(console.error);
+    break;
+  case "health":
+    health().catch(console.error);
+    break;
+  case "export":
+    exportData(args).catch(console.error);
+    break;
+  default:
+    console.log(`third-audience CLI
+
+Commands:
+  init      Set up third-audience-mdx in your Next.js project
+  health    Show system health status
+  export    Export analytics data as CSV
+
+Usage: npx third-audience <command>`);
+}
+//# sourceMappingURL=index.mjs.map

package/dist/cli/index.mjs.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../../src/cli/commands/init.ts","../../src/cli/commands/health.ts","../../src/cli/commands/export.ts","../../src/cli/index.ts"],"sourcesContent":["import fs from 'fs'\nimport path from 'path'\nimport readline from 'readline'\n\nexport async function init(): Promise<void> {\n  const cwd = process.cwd()\n  console.log('\\n🎯 third-audience-mdx setup\\n')\n\n  // Detect Next.js\n  const pkgPath = path.join(cwd, 'package.json')\n  if (!fs.existsSync(pkgPath)) {\n    console.error('No package.json found. Run this from your Next.js project root.')\n    process.exit(1)\n  }\n  const pkg = JSON.parse(fs.readFileSync(pkgPath, 'utf-8'))\n  if (!pkg.dependencies?.next && !pkg.devDependencies?.next) {\n    console.warn('⚠  next not found in package.json — make sure this is a Next.js project.')\n  }\n\n  const rl = readline.createInterface({ input: process.stdin, output: process.stdout })\n  const ask = (q: string, def: string) => new Promise<string>(r =>\n    rl.question(`${q} (${def}): `, ans => r(ans.trim() || def))\n  )\n\n  const contentDir = await ask('Content directory (where your .mdx files live)', 'content')\n  const dataDir = await ask('Data directory (for analytics logs)', 'data')\n  const secret = await ask('Dashboard secret (leave blank to disable auth in dev)', '')\n  rl.close()\n\n  // Write middleware.ts if not exists\n  const middlewarePath = path.join(cwd, 'middleware.ts')\n  if (!fs.existsSync(middlewarePath)) {\n    fs.writeFileSync(middlewarePath, `export { thirdAudienceMiddleware as middleware } from 'third-audience-mdx'\\nexport const config = { matcher: ['/((?!_next|api).*)'] }\\n`)\n    console.log('✅ Created middleware.ts')\n  } else {\n    console.log('⚠  middleware.ts already exists — add thirdAudienceMiddleware manually.')\n  }\n\n  // Write .env.local additions\n  const envPath = path.join(cwd, '.env.local')\n  const envLines = [`THIRD_AUDIENCE_SECRET=${secret}`, `NEXT_PUBLIC_SITE_URL=http://localhost:3000`]\n  const envContent = envLines.join('\\n') + '\\n'\n  if (!fs.existsSync(envPath)) {\n    fs.writeFileSync(envPath, envContent)\n    console.log('✅ Created .env.local')\n  } else {\n    fs.appendFileSync(envPath, '\\n# Third Audience\\n' + envContent)\n    console.log('✅ Appended to .env.local')\n  }\n\n  // Create data dir and .gitignore entry\n  fs.mkdirSync(path.join(cwd, dataDir, 'ta-cache'), { recursive: true })\n  const gitignorePath = path.join(cwd, '.gitignore')\n  const gitignoreAdditions = `\\n# Third Audience analytics (local only)\\n${dataDir}/ta-visits.jsonl\\n${dataDir}/ta-citations.jsonl\\n${dataDir}/ta-cache/\\n`\n  if (fs.existsSync(gitignorePath)) {\n    fs.appendFileSync(gitignorePath, gitignoreAdditions)\n  } else {\n    fs.writeFileSync(gitignorePath, gitignoreAdditions.trimStart())\n  }\n  console.log(`✅ Created ${dataDir}/ and updated .gitignore`)\n\n  console.log(`\n✅ Setup complete!\n\nNext steps:\n  1. Add to next.config.ts:\n       import { withThirdAudience } from 'third-audience-mdx'\n       export default withThirdAudience({ contentDir: '${contentDir}', dataDir: '${dataDir}' })\n\n  2. Add API routes in app/api/third-audience/ (see docs)\n\n  3. Visit /third-audience/ for your dashboard\n`)\n}\n","import fs from 'fs'\nimport path from 'path'\n\nexport async function health(): Promise<void> {\n  const cwd = process.cwd()\n  const checks: Array<{ label: string; ok: boolean; note?: string }> = []\n\n  // Node version\n  const nodeVersion = process.versions.node\n  const [nodeMajor] = nodeVersion.split('.').map(Number)\n  checks.push({ label: `Node.js ${nodeVersion}`, ok: nodeMajor >= 18, note: nodeMajor < 18 ? 'requires Node 18+' : undefined })\n\n  // package.json\n  const pkgPath = path.join(cwd, 'package.json')\n  checks.push({ label: 'package.json', ok: fs.existsSync(pkgPath) })\n\n  // next installed\n  const nextPath = path.join(cwd, 'node_modules', 'next')\n  checks.push({ label: 'next installed', ok: fs.existsSync(nextPath) })\n\n  // middleware.ts\n  const middlewarePath = path.join(cwd, 'middleware.ts')\n  checks.push({ label: 'middleware.ts', ok: fs.existsSync(middlewarePath) })\n\n  // content dir\n  const contentDir = process.env.TA_CONTENT_DIR ?? 'content'\n  const contentPath = path.join(cwd, contentDir)\n  const contentExists = fs.existsSync(contentPath)\n  const mdxCount = contentExists\n    ? countFiles(contentPath, ['.mdx', '.md'])\n    : 0\n  checks.push({ label: `contentDir (${contentDir})`, ok: contentExists, note: contentExists ? `${mdxCount} MDX files` : 'directory not found' })\n\n  // data dir\n  const dataDir = process.env.TA_DATA_DIR ?? 'data'\n  const dataPath = path.join(cwd, dataDir)\n  checks.push({ label: `dataDir (${dataDir})`, ok: fs.existsSync(dataPath) })\n\n  // JSONL files\n  const visitsPath = path.join(cwd, dataDir, 'ta-visits.jsonl')\n  const citationsPath = path.join(cwd, dataDir, 'ta-citations.jsonl')\n  const visitLines = fs.existsSync(visitsPath) ? countLines(visitsPath) : 0\n  const citationLines = fs.existsSync(citationsPath) ? countLines(citationsPath) : 0\n  checks.push({ label: 'ta-visits.jsonl', ok: true, note: `${visitLines} records` })\n  checks.push({ label: 'ta-citations.jsonl', ok: true, note: `${citationLines} records` })\n\n  // dashboard secret\n  checks.push({ label: 'THIRD_AUDIENCE_SECRET', ok: !!process.env.THIRD_AUDIENCE_SECRET, note: !process.env.THIRD_AUDIENCE_SECRET ? 'not set (dashboard is open)' : 'set' })\n\n  console.log('\\n🏥 third-audience health check\\n')\n  for (const c of checks) {\n    const icon = c.ok ? '✅' : '❌'\n    const note = c.note ? `  (${c.note})` : ''\n    console.log(`  ${icon}  ${c.label}${note}`)\n  }\n  console.log()\n}\n\nfunction countFiles(dir: string, exts: string[]): number {\n  let count = 0\n  for (const entry of fs.readdirSync(dir, { withFileTypes: true })) {\n    if (entry.isDirectory()) count += countFiles(path.join(dir, entry.name), exts)\n    else if (exts.some(e => entry.name.endsWith(e))) count++\n  }\n  return count\n}\n\nfunction countLines(filePath: string): number {\n  return fs.readFileSync(filePath, 'utf-8').split('\\n').filter(Boolean).length\n}\n","import fs from 'fs'\nimport path from 'path'\n\nexport async function exportData(args: string[]): Promise<void> {\n  const dataDir = process.env.TA_DATA_DIR ?? 'data'\n  const type = args[0] ?? 'visits'\n  const outPath = args[1] ?? `ta-${type}-export.csv`\n\n  const file = type === 'citations' ? 'ta-citations.jsonl' : 'ta-visits.jsonl'\n  const jsonlPath = path.join(process.cwd(), dataDir, file)\n\n  if (!fs.existsSync(jsonlPath)) {\n    console.error(`No data found at ${jsonlPath}`)\n    process.exit(1)\n  }\n\n  const records = fs.readFileSync(jsonlPath, 'utf-8')\n    .split('\\n')\n    .filter(Boolean)\n    .map(l => { try { return JSON.parse(l) } catch { return null } })\n    .filter(Boolean)\n\n  if (records.length === 0) {\n    console.log('No records to export.')\n    return\n  }\n\n  const headers = Object.keys(records[0])\n  const csv = [\n    headers.join(','),\n    ...records.map(r => headers.map(h => csvCell(r[h])).join(',')),\n  ].join('\\n') + '\\n'\n\n  fs.writeFileSync(outPath, csv)\n  console.log(`✅ Exported ${records.length} records to ${outPath}`)\n}\n\nfunction csvCell(val: unknown): string {\n  if (val === null || val === undefined) return ''\n  const s = String(val)\n  if (/[\",\\n]/.test(s)) return `\"${s.replace(/\"/g, '\"\"')}\"`\n  return s\n}\n","#!/usr/bin/env node\nimport { init } from './commands/init.js'\nimport { health } from './commands/health.js'\nimport { exportData } from './commands/export.js'\n\nconst [,, command, ...args] = process.argv\n\nswitch (command) {\n  case 'init':\n    init().catch(console.error)\n    break\n  case 'health':\n    health().catch(console.error)\n    break\n  case 'export':\n    exportData(args).catch(console.error)\n    break\n  default:\n    console.log(`third-audience CLI\n\nCommands:\n  init      Set up third-audience-mdx in your Next.js project\n  health    Show system health status\n  export    Export analytics data as CSV\n\nUsage: npx third-audience <command>`)\n}\n"],"mappings":";;;AAAA,OAAO,QAAQ;AACf,OAAO,UAAU;AACjB,OAAO,cAAc;AAErB,eAAsB,OAAsB;AAC1C,QAAM,MAAM,QAAQ,IAAI;AACxB,UAAQ,IAAI,wCAAiC;AAG7C,QAAM,UAAU,KAAK,KAAK,KAAK,cAAc;AAC7C,MAAI,CAAC,GAAG,WAAW,OAAO,GAAG;AAC3B,YAAQ,MAAM,iEAAiE;AAC/E,YAAQ,KAAK,CAAC;AAAA,EAChB;AACA,QAAM,MAAM,KAAK,MAAM,GAAG,aAAa,SAAS,OAAO,CAAC;AACxD,MAAI,CAAC,IAAI,cAAc,QAAQ,CAAC,IAAI,iBAAiB,MAAM;AACzD,YAAQ,KAAK,oFAA0E;AAAA,EACzF;AAEA,QAAM,KAAK,SAAS,gBAAgB,EAAE,OAAO,QAAQ,OAAO,QAAQ,QAAQ,OAAO,CAAC;AACpF,QAAM,MAAM,CAAC,GAAW,QAAgB,IAAI;AAAA,IAAgB,OAC1D,GAAG,SAAS,GAAG,CAAC,KAAK,GAAG,OAAO,SAAO,EAAE,IAAI,KAAK,KAAK,GAAG,CAAC;AAAA,EAC5D;AAEA,QAAM,aAAa,MAAM,IAAI,kDAAkD,SAAS;AACxF,QAAM,UAAU,MAAM,IAAI,uCAAuC,MAAM;AACvE,QAAM,SAAS,MAAM,IAAI,yDAAyD,EAAE;AACpF,KAAG,MAAM;AAGT,QAAM,iBAAiB,KAAK,KAAK,KAAK,eAAe;AACrD,MAAI,CAAC,GAAG,WAAW,cAAc,GAAG;AAClC,OAAG,cAAc,gBAAgB;AAAA;AAAA,CAAyI;AAC1K,YAAQ,IAAI,8BAAyB;AAAA,EACvC,OAAO;AACL,YAAQ,IAAI,mFAAyE;AAAA,EACvF;AAGA,QAAM,UAAU,KAAK,KAAK,KAAK,YAAY;AAC3C,QAAM,WAAW,CAAC,yBAAyB,MAAM,IAAI,4CAA4C;AACjG,QAAM,aAAa,SAAS,KAAK,IAAI,IAAI;AACzC,MAAI,CAAC,GAAG,WAAW,OAAO,GAAG;AAC3B,OAAG,cAAc,SAAS,UAAU;AACpC,YAAQ,IAAI,2BAAsB;AAAA,EACpC,OAAO;AACL,OAAG,eAAe,SAAS,yBAAyB,UAAU;AAC9D,YAAQ,IAAI,+BAA0B;AAAA,EACxC;AAGA,KAAG,UAAU,KAAK,KAAK,KAAK,SAAS,UAAU,GAAG,EAAE,WAAW,KAAK,CAAC;AACrE,QAAM,gBAAgB,KAAK,KAAK,KAAK,YAAY;AACjD,QAAM,qBAAqB;AAAA;AAAA,EAA8C,OAAO;AAAA,EAAqB,OAAO;AAAA,EAAwB,OAAO;AAAA;AAC3I,MAAI,GAAG,WAAW,aAAa,GAAG;AAChC,OAAG,eAAe,eAAe,kBAAkB;AAAA,EACrD,OAAO;AACL,OAAG,cAAc,eAAe,mBAAmB,UAAU,CAAC;AAAA,EAChE;AACA,UAAQ,IAAI,kBAAa,OAAO,0BAA0B;AAE1D,UAAQ,IAAI;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,yDAM2C,UAAU,gBAAgB,OAAO;AAAA;AAAA;AAAA;AAAA;AAAA,CAKzF;AACD;;;ACzEA,OAAOA,SAAQ;AACf,OAAOC,WAAU;AAEjB,eAAsB,SAAwB;AAC5C,QAAM,MAAM,QAAQ,IAAI;AACxB,QAAM,SAA+D,CAAC;AAGtE,QAAM,cAAc,QAAQ,SAAS;AACrC,QAAM,CAAC,SAAS,IAAI,YAAY,MAAM,GAAG,EAAE,IAAI,MAAM;AACrD,SAAO,KAAK,EAAE,OAAO,WAAW,WAAW,IAAI,IAAI,aAAa,IAAI,MAAM,YAAY,KAAK,sBAAsB,OAAU,CAAC;AAG5H,QAAM,UAAUA,MAAK,KAAK,KAAK,cAAc;AAC7C,SAAO,KAAK,EAAE,OAAO,gBAAgB,IAAID,IAAG,WAAW,OAAO,EAAE,CAAC;AAGjE,QAAM,WAAWC,MAAK,KAAK,KAAK,gBAAgB,MAAM;AACtD,SAAO,KAAK,EAAE,OAAO,kBAAkB,IAAID,IAAG,WAAW,QAAQ,EAAE,CAAC;AAGpE,QAAM,iBAAiBC,MAAK,KAAK,KAAK,eAAe;AACrD,SAAO,KAAK,EAAE,OAAO,iBAAiB,IAAID,IAAG,WAAW,cAAc,EAAE,CAAC;AAGzE,QAAM,aAAa,QAAQ,IAAI,kBAAkB;AACjD,QAAM,cAAcC,MAAK,KAAK,KAAK,UAAU;AAC7C,QAAM,gBAAgBD,IAAG,WAAW,WAAW;AAC/C,QAAM,WAAW,gBACb,WAAW,aAAa,CAAC,QAAQ,KAAK,CAAC,IACvC;AACJ,SAAO,KAAK,EAAE,OAAO,eAAe,UAAU,KAAK,IAAI,eAAe,MAAM,gBAAgB,GAAG,QAAQ,eAAe,sBAAsB,CAAC;AAG7I,QAAM,UAAU,QAAQ,IAAI,eAAe;AAC3C,QAAM,WAAWC,MAAK,KAAK,KAAK,OAAO;AACvC,SAAO,KAAK,EAAE,OAAO,YAAY,OAAO,KAAK,IAAID,IAAG,WAAW,QAAQ,EAAE,CAAC;AAG1E,QAAM,aAAaC,MAAK,KAAK,KAAK,SAAS,iBAAiB;AAC5D,QAAM,gBAAgBA,MAAK,KAAK,KAAK,SAAS,oBAAoB;AAClE,QAAM,aAAaD,IAAG,WAAW,UAAU,IAAI,WAAW,UAAU,IAAI;AACxE,QAAM,gBAAgBA,IAAG,WAAW,aAAa,IAAI,WAAW,aAAa,IAAI;AACjF,SAAO,KAAK,EAAE,OAAO,mBAAmB,IAAI,MAAM,MAAM,GAAG,UAAU,WAAW,CAAC;AACjF,SAAO,KAAK,EAAE,OAAO,sBAAsB,IAAI,MAAM,MAAM,GAAG,aAAa,WAAW,CAAC;AAGvF,SAAO,KAAK,EAAE,OAAO,yBAAyB,IAAI,CAAC,CAAC,QAAQ,IAAI,uBAAuB,MAAM,CAAC,QAAQ,IAAI,wBAAwB,gCAAgC,MAAM,CAAC;AAEzK,UAAQ,IAAI,2CAAoC;AAChD,aAAW,KAAK,QAAQ;AACtB,UAAM,OAAO,EAAE,KAAK,WAAM;AAC1B,UAAM,OAAO,EAAE,OAAO,MAAM,EAAE,IAAI,MAAM;AACxC,YAAQ,IAAI,KAAK,IAAI,KAAK,EAAE,KAAK,GAAG,IAAI,EAAE;AAAA,EAC5C;AACA,UAAQ,IAAI;AACd;AAEA,SAAS,WAAW,KAAa,MAAwB;AACvD,MAAI,QAAQ;AACZ,aAAW,SAASA,IAAG,YAAY,KAAK,EAAE,eAAe,KAAK,CAAC,GAAG;AAChE,QAAI,MAAM,YAAY,EAAG,UAAS,WAAWC,MAAK,KAAK,KAAK,MAAM,IAAI,GAAG,IAAI;AAAA,aACpE,KAAK,KAAK,OAAK,MAAM,KAAK,SAAS,CAAC,CAAC,EAAG;AAAA,EACnD;AACA,SAAO;AACT;AAEA,SAAS,WAAW,UAA0B;AAC5C,SAAOD,IAAG,aAAa,UAAU,OAAO,EAAE,MAAM,IAAI,EAAE,OAAO,OAAO,EAAE;AACxE;;;ACrEA,OAAOE,SAAQ;AACf,OAAOC,WAAU;AAEjB,eAAsB,WAAWC,OAA+B;AAC9D,QAAM,UAAU,QAAQ,IAAI,eAAe;AAC3C,QAAM,OAAOA,MAAK,CAAC,KAAK;AACxB,QAAM,UAAUA,MAAK,CAAC,KAAK,MAAM,IAAI;AAErC,QAAM,OAAO,SAAS,cAAc,uBAAuB;AAC3D,QAAM,YAAYD,MAAK,KAAK,QAAQ,IAAI,GAAG,SAAS,IAAI;AAExD,MAAI,CAACD,IAAG,WAAW,SAAS,GAAG;AAC7B,YAAQ,MAAM,oBAAoB,SAAS,EAAE;AAC7C,YAAQ,KAAK,CAAC;AAAA,EAChB;AAEA,QAAM,UAAUA,IAAG,aAAa,WAAW,OAAO,EAC/C,MAAM,IAAI,EACV,OAAO,OAAO,EACd,IAAI,OAAK;AAAE,QAAI;AAAE,aAAO,KAAK,MAAM,CAAC;AAAA,IAAE,QAAQ;AAAE,aAAO;AAAA,IAAK;AAAA,EAAE,CAAC,EAC/D,OAAO,OAAO;AAEjB,MAAI,QAAQ,WAAW,GAAG;AACxB,YAAQ,IAAI,uBAAuB;AACnC;AAAA,EACF;AAEA,QAAM,UAAU,OAAO,KAAK,QAAQ,CAAC,CAAC;AACtC,QAAM,MAAM;AAAA,IACV,QAAQ,KAAK,GAAG;AAAA,IAChB,GAAG,QAAQ,IAAI,OAAK,QAAQ,IAAI,OAAK,QAAQ,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,GAAG,CAAC;AAAA,EAC/D,EAAE,KAAK,IAAI,IAAI;AAEf,EAAAA,IAAG,cAAc,SAAS,GAAG;AAC7B,UAAQ,IAAI,mBAAc,QAAQ,MAAM,eAAe,OAAO,EAAE;AAClE;AAEA,SAAS,QAAQ,KAAsB;AACrC,MAAI,QAAQ,QAAQ,QAAQ,OAAW,QAAO;AAC9C,QAAM,IAAI,OAAO,GAAG;AACpB,MAAI,SAAS,KAAK,CAAC,EAAG,QAAO,IAAI,EAAE,QAAQ,MAAM,IAAI,CAAC;AACtD,SAAO;AACT;;;ACrCA,IAAM,CAAC,EAAC,EAAE,SAAS,GAAG,IAAI,IAAI,QAAQ;AAEtC,QAAQ,SAAS;AAAA,EACf,KAAK;AACH,SAAK,EAAE,MAAM,QAAQ,KAAK;AAC1B;AAAA,EACF,KAAK;AACH,WAAO,EAAE,MAAM,QAAQ,KAAK;AAC5B;AAAA,EACF,KAAK;AACH,eAAW,IAAI,EAAE,MAAM,QAAQ,KAAK;AACpC;AAAA,EACF;AACE,YAAQ,IAAI;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,oCAOoB;AACpC;","names":["fs","path","fs","path","args"]}

package/dist/dashboard/auth.d.mts

@@ -0,0 +1,16 @@
+import { NextRequest, NextResponse } from 'next/server';
+
+/**
+ * Authenticate an API route request. Accepts (in order):
+ * 1. X-TA-Api-Key header — for headless/external callers (mirrors WP's approach)
+ * 2. Authorization: Bearer <api-key> — same key, different transport
+ * 3. Valid ta_session cookie — browser dashboard session
+ */
+declare function checkApiAuth(req: NextRequest): boolean;
+/**
+ * Returns a 401 JSON response with the correct WWW-Authenticate header.
+ * Use as: if (!checkApiAuth(req)) return unauthorizedResponse()
+ */
+declare function unauthorizedResponse(): NextResponse;
+
+export { checkApiAuth, unauthorizedResponse };

package/dist/dashboard/auth.d.ts

@@ -0,0 +1,16 @@
+import { NextRequest, NextResponse } from 'next/server';
+
+/**
+ * Authenticate an API route request. Accepts (in order):
+ * 1. X-TA-Api-Key header — for headless/external callers (mirrors WP's approach)
+ * 2. Authorization: Bearer <api-key> — same key, different transport
+ * 3. Valid ta_session cookie — browser dashboard session
+ */
+declare function checkApiAuth(req: NextRequest): boolean;
+/**
+ * Returns a 401 JSON response with the correct WWW-Authenticate header.
+ * Use as: if (!checkApiAuth(req)) return unauthorizedResponse()
+ */
+declare function unauthorizedResponse(): NextResponse;
+
+export { checkApiAuth, unauthorizedResponse };

package/dist/dashboard/auth.js

@@ -0,0 +1,123 @@
+"use strict";
+var __create = Object.create;
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __getProtoOf = Object.getPrototypeOf;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toESM = (mod, isNodeMode, target) => (target = mod != null ? __create(__getProtoOf(mod)) : {}, __copyProps(
+  // If the importer is in node compatibility mode or this is not an ESM
+  // file that has been converted to a CommonJS file using a Babel-
+  // compatible transform (i.e. "__esModule" has not been set), then set
+  // "default" to the CommonJS "module.exports" for node compatibility.
+  isNodeMode || !mod || !mod.__esModule ? __defProp(target, "default", { value: mod, enumerable: true }) : target,
+  mod
+));
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+
+// src/dashboard/auth.ts
+var auth_exports = {};
+__export(auth_exports, {
+  checkApiAuth: () => checkApiAuth,
+  unauthorizedResponse: () => unauthorizedResponse
+});
+module.exports = __toCommonJS(auth_exports);
+var import_server = require("next/server");
+
+// src/dashboard/admin-store.ts
+var import_fs = __toESM(require("fs"));
+var import_path = __toESM(require("path"));
+var import_crypto = __toESM(require("crypto"));
+function adminFilePath() {
+  const dataDir = process.env.TA_DATA_DIR ?? "data";
+  return import_path.default.join(process.cwd(), dataDir, "ta-admin.json");
+}
+function loadAdmin() {
+  const filePath = adminFilePath();
+  if (!import_fs.default.existsSync(filePath)) return null;
+  try {
+    return JSON.parse(import_fs.default.readFileSync(filePath, "utf-8"));
+  } catch {
+    return null;
+  }
+}
+var CIPHER = "aes-256-gcm";
+function getEncryptionKey() {
+  const secret = process.env.THIRD_AUDIENCE_SECRET ?? "ta-fallback-key-change-me";
+  return import_crypto.default.createHash("sha256").update(secret).digest();
+}
+function decryptApiKey(encoded) {
+  try {
+    const iv = Buffer.from(encoded.slice(0, 24), "hex");
+    const tag = Buffer.from(encoded.slice(24, 56), "hex");
+    const encrypted = Buffer.from(encoded.slice(56), "hex");
+    const key = getEncryptionKey();
+    const decipher = import_crypto.default.createDecipheriv(CIPHER, key, iv);
+    decipher.setAuthTag(tag);
+    return decipher.update(encrypted) + decipher.final("utf8");
+  } catch {
+    return null;
+  }
+}
+function getApiKey() {
+  const record = loadAdmin();
+  if (!record?.apiKey) return null;
+  return decryptApiKey(record.apiKey);
+}
+function verifyApiKey(key) {
+  const stored = getApiKey();
+  if (!stored) return false;
+  if (key.length !== stored.length) return false;
+  return import_crypto.default.timingSafeEqual(Buffer.from(key), Buffer.from(stored));
+}
+function verifySession(token) {
+  const lastDot = token.lastIndexOf(".");
+  if (lastDot === -1) return false;
+  const payload = token.slice(0, lastDot);
+  const sig = token.slice(lastDot + 1);
+  const expected = import_crypto.default.createHmac("sha256", process.env.THIRD_AUDIENCE_SECRET ?? "ta-salt").update(payload).digest("hex");
+  if (sig.length !== expected.length) return false;
+  return import_crypto.default.timingSafeEqual(Buffer.from(sig, "hex"), Buffer.from(expected, "hex"));
+}
+
+// src/dashboard/auth.ts
+var SESSION_COOKIE = "ta_session";
+function checkApiAuth(req) {
+  const apiKeyHeader = req.headers.get("x-ta-api-key");
+  if (apiKeyHeader) return verifyApiKey(apiKeyHeader);
+  const auth = req.headers.get("authorization") ?? "";
+  if (auth.startsWith("Bearer ")) {
+    const token = auth.slice(7);
+    return verifyApiKey(token);
+  }
+  const session = req.cookies.get(SESSION_COOKIE)?.value;
+  if (session) return verifySession(session);
+  return false;
+}
+function unauthorizedResponse() {
+  return import_server.NextResponse.json(
+    { error: "Unauthorized. Provide X-TA-Api-Key header or a valid session cookie." },
+    {
+      status: 401,
+      headers: { "WWW-Authenticate": 'Bearer realm="Third Audience API"' }
+    }
+  );
+}
+// Annotate the CommonJS export names for ESM import in node:
+0 && (module.exports = {
+  checkApiAuth,
+  unauthorizedResponse
+});
+//# sourceMappingURL=auth.js.map

package/dist/dashboard/auth.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../../src/dashboard/auth.ts","../../src/dashboard/admin-store.ts"],"sourcesContent":["import type { NextRequest } from 'next/server'\nimport { NextResponse } from 'next/server'\nimport { verifySession, verifyApiKey } from './admin-store.js'\n\nconst SESSION_COOKIE = 'ta_session'\n\n/**\n * Authenticate an API route request. Accepts (in order):\n * 1. X-TA-Api-Key header — for headless/external callers (mirrors WP's approach)\n * 2. Authorization: Bearer <api-key> — same key, different transport\n * 3. Valid ta_session cookie — browser dashboard session\n */\nexport function checkApiAuth(req: NextRequest): boolean {\n  // 1. X-TA-Api-Key header (WP-style headless key)\n  const apiKeyHeader = req.headers.get('x-ta-api-key')\n  if (apiKeyHeader) return verifyApiKey(apiKeyHeader)\n\n  // 2. Bearer token (treat as api key)\n  const auth = req.headers.get('authorization') ?? ''\n  if (auth.startsWith('Bearer ')) {\n    const token = auth.slice(7)\n    return verifyApiKey(token)\n  }\n\n  // 3. Browser session cookie\n  const session = req.cookies.get(SESSION_COOKIE)?.value\n  if (session) return verifySession(session)\n\n  return false\n}\n\n/**\n * Returns a 401 JSON response with the correct WWW-Authenticate header.\n * Use as: if (!checkApiAuth(req)) return unauthorizedResponse()\n */\nexport function unauthorizedResponse(): NextResponse {\n  return NextResponse.json(\n    { error: 'Unauthorized. Provide X-TA-Api-Key header or a valid session cookie.' },\n    {\n      status: 401,\n      headers: { 'WWW-Authenticate': 'Bearer realm=\"Third Audience API\"' },\n    }\n  )\n}\n","import fs from 'fs'\nimport path from 'path'\nimport crypto from 'crypto'\n\nexport interface AdminRecord {\n  passwordHash: string        // sha256(secret + password)\n  isDefaultPassword: boolean\n  createdAt: string\n  lastLoginAt: string | null\n  apiKey?: string             // AES-256-GCM encrypted, for headless/external API callers\n}\n\nfunction adminFilePath(): string {\n  const dataDir = process.env.TA_DATA_DIR ?? 'data'\n  return path.join(process.cwd(), dataDir, 'ta-admin.json')\n}\n\nexport function generateDefaultPassword(): string {\n  return crypto.randomBytes(6).toString('hex') // 12-char hex, easy to type\n}\n\nexport function hashPassword(password: string): string {\n  const secret = process.env.THIRD_AUDIENCE_SECRET ?? 'ta-salt'\n  return crypto.createHash('sha256').update(secret + password).digest('hex')\n}\n\nexport function loadAdmin(): AdminRecord | null {\n  const filePath = adminFilePath()\n  if (!fs.existsSync(filePath)) return null\n  try {\n    return JSON.parse(fs.readFileSync(filePath, 'utf-8')) as AdminRecord\n  } catch {\n    return null\n  }\n}\n\nexport function saveAdmin(record: AdminRecord): void {\n  const filePath = adminFilePath()\n  const dir = path.dirname(filePath)\n  if (!fs.existsSync(dir)) fs.mkdirSync(dir, { recursive: true })\n  fs.writeFileSync(filePath, JSON.stringify(record, null, 2), 'utf-8')\n}\n\nexport const DEFAULT_PASSWORD = 'Chang3M3Now!'\n\nexport function initAdmin(): { password: string; apiKey: string; isNew: boolean } {\n  const existing = loadAdmin()\n  if (existing) return { password: '', apiKey: '', isNew: false }\n\n  const apiKey = generateApiKey()\n  saveAdmin({\n    passwordHash: hashPassword(DEFAULT_PASSWORD),\n    isDefaultPassword: true,\n    createdAt: new Date().toISOString(),\n    lastLoginAt: null,\n    apiKey: encryptApiKey(apiKey),\n  })\n  return { password: DEFAULT_PASSWORD, apiKey, isNew: true }\n}\n\nexport function verifyPassword(password: string): boolean {\n  const record = loadAdmin()\n  if (!record) return false\n  return record.passwordHash === hashPassword(password)\n}\n\nexport function updatePassword(newPassword: string): void {\n  const record = loadAdmin()\n  if (!record) return\n  saveAdmin({\n    ...record,\n    passwordHash: hashPassword(newPassword),\n    isDefaultPassword: false,\n  })\n}\n\nexport function recordLogin(): void {\n  const record = loadAdmin()\n  if (!record) return\n  saveAdmin({ ...record, lastLoginAt: new Date().toISOString() })\n}\n\n// ---------------------------------------------------------------------------\n// API key — AES-256-GCM encrypted at rest, mirroring WP's SECURE_AUTH_KEY approach\n// ---------------------------------------------------------------------------\n\nconst CIPHER = 'aes-256-gcm'\n\nfunction getEncryptionKey(): Buffer {\n  const secret = process.env.THIRD_AUDIENCE_SECRET ?? 'ta-fallback-key-change-me'\n  // Derive a 32-byte key from the secret using SHA-256\n  return crypto.createHash('sha256').update(secret).digest()\n}\n\nfunction encryptApiKey(plaintext: string): string {\n  const iv = crypto.randomBytes(12)\n  const key = getEncryptionKey()\n  const cipher = crypto.createCipheriv(CIPHER, key, iv) as crypto.CipherGCM\n  const encrypted = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()])\n  const tag = cipher.getAuthTag()\n  // Format: iv(24 hex) + tag(32 hex) + encrypted(hex)\n  return iv.toString('hex') + tag.toString('hex') + encrypted.toString('hex')\n}\n\nfunction decryptApiKey(encoded: string): string | null {\n  try {\n    const iv = Buffer.from(encoded.slice(0, 24), 'hex')\n    const tag = Buffer.from(encoded.slice(24, 56), 'hex')\n    const encrypted = Buffer.from(encoded.slice(56), 'hex')\n    const key = getEncryptionKey()\n    const decipher = crypto.createDecipheriv(CIPHER, key, iv) as crypto.DecipherGCM\n    decipher.setAuthTag(tag)\n    return decipher.update(encrypted) + decipher.final('utf8')\n  } catch {\n    return null\n  }\n}\n\nexport function generateApiKey(): string {\n  return 'ta_' + crypto.randomBytes(24).toString('hex') // 51-char key\n}\n\nexport function getApiKey(): string | null {\n  const record = loadAdmin()\n  if (!record?.apiKey) return null\n  return decryptApiKey(record.apiKey)\n}\n\nexport function rotateApiKey(): string {\n  const record = loadAdmin()\n  if (!record) throw new Error('Admin store not initialised')\n  const newKey = generateApiKey()\n  saveAdmin({ ...record, apiKey: encryptApiKey(newKey) })\n  return newKey\n}\n\nexport function verifyApiKey(key: string): boolean {\n  const stored = getApiKey()\n  if (!stored) return false\n  if (key.length !== stored.length) return false\n  return crypto.timingSafeEqual(Buffer.from(key), Buffer.from(stored))\n}\n\n// ---------------------------------------------------------------------------\n// Session cookie: HMAC-SHA256(secret, userId + timestamp) — stateless, no DB\n// ---------------------------------------------------------------------------\nexport function signSession(payload: string): string {\n  const secret = process.env.THIRD_AUDIENCE_SECRET ?? 'ta-salt'\n  const sig = crypto.createHmac('sha256', secret).update(payload).digest('hex')\n  return `${payload}.${sig}`\n}\n\nexport function verifySession(token: string): boolean {\n  const lastDot = token.lastIndexOf('.')\n  if (lastDot === -1) return false\n  const payload = token.slice(0, lastDot)\n  const sig = token.slice(lastDot + 1)\n  const expected = crypto.createHmac('sha256', process.env.THIRD_AUDIENCE_SECRET ?? 'ta-salt')\n    .update(payload).digest('hex')\n  // Constant-time comparison\n  if (sig.length !== expected.length) return false\n  return crypto.timingSafeEqual(Buffer.from(sig, 'hex'), Buffer.from(expected, 'hex'))\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AACA,oBAA6B;;;ACD7B,gBAAe;AACf,kBAAiB;AACjB,oBAAmB;AAUnB,SAAS,gBAAwB;AAC/B,QAAM,UAAU,QAAQ,IAAI,eAAe;AAC3C,SAAO,YAAAA,QAAK,KAAK,QAAQ,IAAI,GAAG,SAAS,eAAe;AAC1D;AAWO,SAAS,YAAgC;AAC9C,QAAM,WAAW,cAAc;AAC/B,MAAI,CAAC,UAAAC,QAAG,WAAW,QAAQ,EAAG,QAAO;AACrC,MAAI;AACF,WAAO,KAAK,MAAM,UAAAA,QAAG,aAAa,UAAU,OAAO,CAAC;AAAA,EACtD,QAAQ;AACN,WAAO;AAAA,EACT;AACF;AAoDA,IAAM,SAAS;AAEf,SAAS,mBAA2B;AAClC,QAAM,SAAS,QAAQ,IAAI,yBAAyB;AAEpD,SAAO,cAAAC,QAAO,WAAW,QAAQ,EAAE,OAAO,MAAM,EAAE,OAAO;AAC3D;AAYA,SAAS,cAAc,SAAgC;AACrD,MAAI;AACF,UAAM,KAAK,OAAO,KAAK,QAAQ,MAAM,GAAG,EAAE,GAAG,KAAK;AAClD,UAAM,MAAM,OAAO,KAAK,QAAQ,MAAM,IAAI,EAAE,GAAG,KAAK;AACpD,UAAM,YAAY,OAAO,KAAK,QAAQ,MAAM,EAAE,GAAG,KAAK;AACtD,UAAM,MAAM,iBAAiB;AAC7B,UAAM,WAAW,cAAAC,QAAO,iBAAiB,QAAQ,KAAK,EAAE;AACxD,aAAS,WAAW,GAAG;AACvB,WAAO,SAAS,OAAO,SAAS,IAAI,SAAS,MAAM,MAAM;AAAA,EAC3D,QAAQ;AACN,WAAO;AAAA,EACT;AACF;AAMO,SAAS,YAA2B;AACzC,QAAM,SAAS,UAAU;AACzB,MAAI,CAAC,QAAQ,OAAQ,QAAO;AAC5B,SAAO,cAAc,OAAO,MAAM;AACpC;AAUO,SAAS,aAAa,KAAsB;AACjD,QAAM,SAAS,UAAU;AACzB,MAAI,CAAC,OAAQ,QAAO;AACpB,MAAI,IAAI,WAAW,OAAO,OAAQ,QAAO;AACzC,SAAO,cAAAC,QAAO,gBAAgB,OAAO,KAAK,GAAG,GAAG,OAAO,KAAK,MAAM,CAAC;AACrE;AAWO,SAAS,cAAc,OAAwB;AACpD,QAAM,UAAU,MAAM,YAAY,GAAG;AACrC,MAAI,YAAY,GAAI,QAAO;AAC3B,QAAM,UAAU,MAAM,MAAM,GAAG,OAAO;AACtC,QAAM,MAAM,MAAM,MAAM,UAAU,CAAC;AACnC,QAAM,WAAW,cAAAC,QAAO,WAAW,UAAU,QAAQ,IAAI,yBAAyB,SAAS,EACxF,OAAO,OAAO,EAAE,OAAO,KAAK;AAE/B,MAAI,IAAI,WAAW,SAAS,OAAQ,QAAO;AAC3C,SAAO,cAAAA,QAAO,gBAAgB,OAAO,KAAK,KAAK,KAAK,GAAG,OAAO,KAAK,UAAU,KAAK,CAAC;AACrF;;;AD9JA,IAAM,iBAAiB;AAQhB,SAAS,aAAa,KAA2B;AAEtD,QAAM,eAAe,IAAI,QAAQ,IAAI,cAAc;AACnD,MAAI,aAAc,QAAO,aAAa,YAAY;AAGlD,QAAM,OAAO,IAAI,QAAQ,IAAI,eAAe,KAAK;AACjD,MAAI,KAAK,WAAW,SAAS,GAAG;AAC9B,UAAM,QAAQ,KAAK,MAAM,CAAC;AAC1B,WAAO,aAAa,KAAK;AAAA,EAC3B;AAGA,QAAM,UAAU,IAAI,QAAQ,IAAI,cAAc,GAAG;AACjD,MAAI,QAAS,QAAO,cAAc,OAAO;AAEzC,SAAO;AACT;AAMO,SAAS,uBAAqC;AACnD,SAAO,2BAAa;AAAA,IAClB,EAAE,OAAO,uEAAuE;AAAA,IAChF;AAAA,MACE,QAAQ;AAAA,MACR,SAAS,EAAE,oBAAoB,oCAAoC;AAAA,IACrE;AAAA,EACF;AACF;","names":["path","fs","crypto","crypto","crypto","crypto"]}

package/dist/dashboard/auth.mjs

@@ -0,0 +1,87 @@
+// src/dashboard/auth.ts
+import { NextResponse } from "next/server";
+
+// src/dashboard/admin-store.ts
+import fs from "fs";
+import path from "path";
+import crypto from "crypto";
+function adminFilePath() {
+  const dataDir = process.env.TA_DATA_DIR ?? "data";
+  return path.join(process.cwd(), dataDir, "ta-admin.json");
+}
+function loadAdmin() {
+  const filePath = adminFilePath();
+  if (!fs.existsSync(filePath)) return null;
+  try {
+    return JSON.parse(fs.readFileSync(filePath, "utf-8"));
+  } catch {
+    return null;
+  }
+}
+var CIPHER = "aes-256-gcm";
+function getEncryptionKey() {
+  const secret = process.env.THIRD_AUDIENCE_SECRET ?? "ta-fallback-key-change-me";
+  return crypto.createHash("sha256").update(secret).digest();
+}
+function decryptApiKey(encoded) {
+  try {
+    const iv = Buffer.from(encoded.slice(0, 24), "hex");
+    const tag = Buffer.from(encoded.slice(24, 56), "hex");
+    const encrypted = Buffer.from(encoded.slice(56), "hex");
+    const key = getEncryptionKey();
+    const decipher = crypto.createDecipheriv(CIPHER, key, iv);
+    decipher.setAuthTag(tag);
+    return decipher.update(encrypted) + decipher.final("utf8");
+  } catch {
+    return null;
+  }
+}
+function getApiKey() {
+  const record = loadAdmin();
+  if (!record?.apiKey) return null;
+  return decryptApiKey(record.apiKey);
+}
+function verifyApiKey(key) {
+  const stored = getApiKey();
+  if (!stored) return false;
+  if (key.length !== stored.length) return false;
+  return crypto.timingSafeEqual(Buffer.from(key), Buffer.from(stored));
+}
+function verifySession(token) {
+  const lastDot = token.lastIndexOf(".");
+  if (lastDot === -1) return false;
+  const payload = token.slice(0, lastDot);
+  const sig = token.slice(lastDot + 1);
+  const expected = crypto.createHmac("sha256", process.env.THIRD_AUDIENCE_SECRET ?? "ta-salt").update(payload).digest("hex");
+  if (sig.length !== expected.length) return false;
+  return crypto.timingSafeEqual(Buffer.from(sig, "hex"), Buffer.from(expected, "hex"));
+}
+
+// src/dashboard/auth.ts
+var SESSION_COOKIE = "ta_session";
+function checkApiAuth(req) {
+  const apiKeyHeader = req.headers.get("x-ta-api-key");
+  if (apiKeyHeader) return verifyApiKey(apiKeyHeader);
+  const auth = req.headers.get("authorization") ?? "";
+  if (auth.startsWith("Bearer ")) {
+    const token = auth.slice(7);
+    return verifyApiKey(token);
+  }
+  const session = req.cookies.get(SESSION_COOKIE)?.value;
+  if (session) return verifySession(session);
+  return false;
+}
+function unauthorizedResponse() {
+  return NextResponse.json(
+    { error: "Unauthorized. Provide X-TA-Api-Key header or a valid session cookie." },
+    {
+      status: 401,
+      headers: { "WWW-Authenticate": 'Bearer realm="Third Audience API"' }
+    }
+  );
+}
+export {
+  checkApiAuth,
+  unauthorizedResponse
+};
+//# sourceMappingURL=auth.mjs.map

package/dist/dashboard/auth.mjs.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../../src/dashboard/auth.ts","../../src/dashboard/admin-store.ts"],"sourcesContent":["import type { NextRequest } from 'next/server'\nimport { NextResponse } from 'next/server'\nimport { verifySession, verifyApiKey } from './admin-store.js'\n\nconst SESSION_COOKIE = 'ta_session'\n\n/**\n * Authenticate an API route request. Accepts (in order):\n * 1. X-TA-Api-Key header — for headless/external callers (mirrors WP's approach)\n * 2. Authorization: Bearer <api-key> — same key, different transport\n * 3. Valid ta_session cookie — browser dashboard session\n */\nexport function checkApiAuth(req: NextRequest): boolean {\n  // 1. X-TA-Api-Key header (WP-style headless key)\n  const apiKeyHeader = req.headers.get('x-ta-api-key')\n  if (apiKeyHeader) return verifyApiKey(apiKeyHeader)\n\n  // 2. Bearer token (treat as api key)\n  const auth = req.headers.get('authorization') ?? ''\n  if (auth.startsWith('Bearer ')) {\n    const token = auth.slice(7)\n    return verifyApiKey(token)\n  }\n\n  // 3. Browser session cookie\n  const session = req.cookies.get(SESSION_COOKIE)?.value\n  if (session) return verifySession(session)\n\n  return false\n}\n\n/**\n * Returns a 401 JSON response with the correct WWW-Authenticate header.\n * Use as: if (!checkApiAuth(req)) return unauthorizedResponse()\n */\nexport function unauthorizedResponse(): NextResponse {\n  return NextResponse.json(\n    { error: 'Unauthorized. Provide X-TA-Api-Key header or a valid session cookie.' },\n    {\n      status: 401,\n      headers: { 'WWW-Authenticate': 'Bearer realm=\"Third Audience API\"' },\n    }\n  )\n}\n","import fs from 'fs'\nimport path from 'path'\nimport crypto from 'crypto'\n\nexport interface AdminRecord {\n  passwordHash: string        // sha256(secret + password)\n  isDefaultPassword: boolean\n  createdAt: string\n  lastLoginAt: string | null\n  apiKey?: string             // AES-256-GCM encrypted, for headless/external API callers\n}\n\nfunction adminFilePath(): string {\n  const dataDir = process.env.TA_DATA_DIR ?? 'data'\n  return path.join(process.cwd(), dataDir, 'ta-admin.json')\n}\n\nexport function generateDefaultPassword(): string {\n  return crypto.randomBytes(6).toString('hex') // 12-char hex, easy to type\n}\n\nexport function hashPassword(password: string): string {\n  const secret = process.env.THIRD_AUDIENCE_SECRET ?? 'ta-salt'\n  return crypto.createHash('sha256').update(secret + password).digest('hex')\n}\n\nexport function loadAdmin(): AdminRecord | null {\n  const filePath = adminFilePath()\n  if (!fs.existsSync(filePath)) return null\n  try {\n    return JSON.parse(fs.readFileSync(filePath, 'utf-8')) as AdminRecord\n  } catch {\n    return null\n  }\n}\n\nexport function saveAdmin(record: AdminRecord): void {\n  const filePath = adminFilePath()\n  const dir = path.dirname(filePath)\n  if (!fs.existsSync(dir)) fs.mkdirSync(dir, { recursive: true })\n  fs.writeFileSync(filePath, JSON.stringify(record, null, 2), 'utf-8')\n}\n\nexport const DEFAULT_PASSWORD = 'Chang3M3Now!'\n\nexport function initAdmin(): { password: string; apiKey: string; isNew: boolean } {\n  const existing = loadAdmin()\n  if (existing) return { password: '', apiKey: '', isNew: false }\n\n  const apiKey = generateApiKey()\n  saveAdmin({\n    passwordHash: hashPassword(DEFAULT_PASSWORD),\n    isDefaultPassword: true,\n    createdAt: new Date().toISOString(),\n    lastLoginAt: null,\n    apiKey: encryptApiKey(apiKey),\n  })\n  return { password: DEFAULT_PASSWORD, apiKey, isNew: true }\n}\n\nexport function verifyPassword(password: string): boolean {\n  const record = loadAdmin()\n  if (!record) return false\n  return record.passwordHash === hashPassword(password)\n}\n\nexport function updatePassword(newPassword: string): void {\n  const record = loadAdmin()\n  if (!record) return\n  saveAdmin({\n    ...record,\n    passwordHash: hashPassword(newPassword),\n    isDefaultPassword: false,\n  })\n}\n\nexport function recordLogin(): void {\n  const record = loadAdmin()\n  if (!record) return\n  saveAdmin({ ...record, lastLoginAt: new Date().toISOString() })\n}\n\n// ---------------------------------------------------------------------------\n// API key — AES-256-GCM encrypted at rest, mirroring WP's SECURE_AUTH_KEY approach\n// ---------------------------------------------------------------------------\n\nconst CIPHER = 'aes-256-gcm'\n\nfunction getEncryptionKey(): Buffer {\n  const secret = process.env.THIRD_AUDIENCE_SECRET ?? 'ta-fallback-key-change-me'\n  // Derive a 32-byte key from the secret using SHA-256\n  return crypto.createHash('sha256').update(secret).digest()\n}\n\nfunction encryptApiKey(plaintext: string): string {\n  const iv = crypto.randomBytes(12)\n  const key = getEncryptionKey()\n  const cipher = crypto.createCipheriv(CIPHER, key, iv) as crypto.CipherGCM\n  const encrypted = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()])\n  const tag = cipher.getAuthTag()\n  // Format: iv(24 hex) + tag(32 hex) + encrypted(hex)\n  return iv.toString('hex') + tag.toString('hex') + encrypted.toString('hex')\n}\n\nfunction decryptApiKey(encoded: string): string | null {\n  try {\n    const iv = Buffer.from(encoded.slice(0, 24), 'hex')\n    const tag = Buffer.from(encoded.slice(24, 56), 'hex')\n    const encrypted = Buffer.from(encoded.slice(56), 'hex')\n    const key = getEncryptionKey()\n    const decipher = crypto.createDecipheriv(CIPHER, key, iv) as crypto.DecipherGCM\n    decipher.setAuthTag(tag)\n    return decipher.update(encrypted) + decipher.final('utf8')\n  } catch {\n    return null\n  }\n}\n\nexport function generateApiKey(): string {\n  return 'ta_' + crypto.randomBytes(24).toString('hex') // 51-char key\n}\n\nexport function getApiKey(): string | null {\n  const record = loadAdmin()\n  if (!record?.apiKey) return null\n  return decryptApiKey(record.apiKey)\n}\n\nexport function rotateApiKey(): string {\n  const record = loadAdmin()\n  if (!record) throw new Error('Admin store not initialised')\n  const newKey = generateApiKey()\n  saveAdmin({ ...record, apiKey: encryptApiKey(newKey) })\n  return newKey\n}\n\nexport function verifyApiKey(key: string): boolean {\n  const stored = getApiKey()\n  if (!stored) return false\n  if (key.length !== stored.length) return false\n  return crypto.timingSafeEqual(Buffer.from(key), Buffer.from(stored))\n}\n\n// ---------------------------------------------------------------------------\n// Session cookie: HMAC-SHA256(secret, userId + timestamp) — stateless, no DB\n// ---------------------------------------------------------------------------\nexport function signSession(payload: string): string {\n  const secret = process.env.THIRD_AUDIENCE_SECRET ?? 'ta-salt'\n  const sig = crypto.createHmac('sha256', secret).update(payload).digest('hex')\n  return `${payload}.${sig}`\n}\n\nexport function verifySession(token: string): boolean {\n  const lastDot = token.lastIndexOf('.')\n  if (lastDot === -1) return false\n  const payload = token.slice(0, lastDot)\n  const sig = token.slice(lastDot + 1)\n  const expected = crypto.createHmac('sha256', process.env.THIRD_AUDIENCE_SECRET ?? 'ta-salt')\n    .update(payload).digest('hex')\n  // Constant-time comparison\n  if (sig.length !== expected.length) return false\n  return crypto.timingSafeEqual(Buffer.from(sig, 'hex'), Buffer.from(expected, 'hex'))\n}\n"],"mappings":";AACA,SAAS,oBAAoB;;;ACD7B,OAAO,QAAQ;AACf,OAAO,UAAU;AACjB,OAAO,YAAY;AAUnB,SAAS,gBAAwB;AAC/B,QAAM,UAAU,QAAQ,IAAI,eAAe;AAC3C,SAAO,KAAK,KAAK,QAAQ,IAAI,GAAG,SAAS,eAAe;AAC1D;AAWO,SAAS,YAAgC;AAC9C,QAAM,WAAW,cAAc;AAC/B,MAAI,CAAC,GAAG,WAAW,QAAQ,EAAG,QAAO;AACrC,MAAI;AACF,WAAO,KAAK,MAAM,GAAG,aAAa,UAAU,OAAO,CAAC;AAAA,EACtD,QAAQ;AACN,WAAO;AAAA,EACT;AACF;AAoDA,IAAM,SAAS;AAEf,SAAS,mBAA2B;AAClC,QAAM,SAAS,QAAQ,IAAI,yBAAyB;AAEpD,SAAO,OAAO,WAAW,QAAQ,EAAE,OAAO,MAAM,EAAE,OAAO;AAC3D;AAYA,SAAS,cAAc,SAAgC;AACrD,MAAI;AACF,UAAM,KAAK,OAAO,KAAK,QAAQ,MAAM,GAAG,EAAE,GAAG,KAAK;AAClD,UAAM,MAAM,OAAO,KAAK,QAAQ,MAAM,IAAI,EAAE,GAAG,KAAK;AACpD,UAAM,YAAY,OAAO,KAAK,QAAQ,MAAM,EAAE,GAAG,KAAK;AACtD,UAAM,MAAM,iBAAiB;AAC7B,UAAM,WAAW,OAAO,iBAAiB,QAAQ,KAAK,EAAE;AACxD,aAAS,WAAW,GAAG;AACvB,WAAO,SAAS,OAAO,SAAS,IAAI,SAAS,MAAM,MAAM;AAAA,EAC3D,QAAQ;AACN,WAAO;AAAA,EACT;AACF;AAMO,SAAS,YAA2B;AACzC,QAAM,SAAS,UAAU;AACzB,MAAI,CAAC,QAAQ,OAAQ,QAAO;AAC5B,SAAO,cAAc,OAAO,MAAM;AACpC;AAUO,SAAS,aAAa,KAAsB;AACjD,QAAM,SAAS,UAAU;AACzB,MAAI,CAAC,OAAQ,QAAO;AACpB,MAAI,IAAI,WAAW,OAAO,OAAQ,QAAO;AACzC,SAAO,OAAO,gBAAgB,OAAO,KAAK,GAAG,GAAG,OAAO,KAAK,MAAM,CAAC;AACrE;AAWO,SAAS,cAAc,OAAwB;AACpD,QAAM,UAAU,MAAM,YAAY,GAAG;AACrC,MAAI,YAAY,GAAI,QAAO;AAC3B,QAAM,UAAU,MAAM,MAAM,GAAG,OAAO;AACtC,QAAM,MAAM,MAAM,MAAM,UAAU,CAAC;AACnC,QAAM,WAAW,OAAO,WAAW,UAAU,QAAQ,IAAI,yBAAyB,SAAS,EACxF,OAAO,OAAO,EAAE,OAAO,KAAK;AAE/B,MAAI,IAAI,WAAW,SAAS,OAAQ,QAAO;AAC3C,SAAO,OAAO,gBAAgB,OAAO,KAAK,KAAK,KAAK,GAAG,OAAO,KAAK,UAAU,KAAK,CAAC;AACrF;;;AD9JA,IAAM,iBAAiB;AAQhB,SAAS,aAAa,KAA2B;AAEtD,QAAM,eAAe,IAAI,QAAQ,IAAI,cAAc;AACnD,MAAI,aAAc,QAAO,aAAa,YAAY;AAGlD,QAAM,OAAO,IAAI,QAAQ,IAAI,eAAe,KAAK;AACjD,MAAI,KAAK,WAAW,SAAS,GAAG;AAC9B,UAAM,QAAQ,KAAK,MAAM,CAAC;AAC1B,WAAO,aAAa,KAAK;AAAA,EAC3B;AAGA,QAAM,UAAU,IAAI,QAAQ,IAAI,cAAc,GAAG;AACjD,MAAI,QAAS,QAAO,cAAc,OAAO;AAEzC,SAAO;AACT;AAMO,SAAS,uBAAqC;AACnD,SAAO,aAAa;AAAA,IAClB,EAAE,OAAO,uEAAuE;AAAA,IAChF;AAAA,MACE,QAAQ;AAAA,MACR,SAAS,EAAE,oBAAoB,oCAAoC;AAAA,IACrE;AAAA,EACF;AACF;","names":[]}

package/dist/dashboard/routes/analytics-api-route.d.mts

@@ -0,0 +1,6 @@
+import { NextRequest, NextResponse } from 'next/server';
+
+/** GET /api/third-audience/analytics?days=30 */
+declare function GET(req: NextRequest): Promise<NextResponse<unknown>>;
+
+export { GET };

package/dist/dashboard/routes/analytics-api-route.d.ts

@@ -0,0 +1,6 @@
+import { NextRequest, NextResponse } from 'next/server';
+
+/** GET /api/third-audience/analytics?days=30 */
+declare function GET(req: NextRequest): Promise<NextResponse<unknown>>;
+
+export { GET };