third-audience-mdx 1.0.2 → 1.0.4

package/dist/dashboard/routes/bots-config-route.d.mts

@@ -0,0 +1,8 @@
+import { NextRequest, NextResponse } from 'next/server';
+
+/** GET /api/third-audience/bots-config — returns current bots configuration */
+declare function GET(req: NextRequest): Promise<NextResponse>;
+/** POST /api/third-audience/bots-config — saves bots configuration */
+declare function POST(req: NextRequest): Promise<NextResponse>;
+
+export { GET, POST };

package/dist/dashboard/routes/bots-config-route.d.ts

@@ -0,0 +1,8 @@
+import { NextRequest, NextResponse } from 'next/server';
+
+/** GET /api/third-audience/bots-config — returns current bots configuration */
+declare function GET(req: NextRequest): Promise<NextResponse>;
+/** POST /api/third-audience/bots-config — saves bots configuration */
+declare function POST(req: NextRequest): Promise<NextResponse>;
+
+export { GET, POST };

package/dist/dashboard/routes/bots-config-route.js

@@ -0,0 +1,149 @@
+"use strict";
+var __create = Object.create;
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __getProtoOf = Object.getPrototypeOf;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toESM = (mod, isNodeMode, target) => (target = mod != null ? __create(__getProtoOf(mod)) : {}, __copyProps(
+  // If the importer is in node compatibility mode or this is not an ESM
+  // file that has been converted to a CommonJS file using a Babel-
+  // compatible transform (i.e. "__esModule" has not been set), then set
+  // "default" to the CommonJS "module.exports" for node compatibility.
+  isNodeMode || !mod || !mod.__esModule ? __defProp(target, "default", { value: mod, enumerable: true }) : target,
+  mod
+));
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+
+// src/dashboard/routes/bots-config-route.ts
+var bots_config_route_exports = {};
+__export(bots_config_route_exports, {
+  GET: () => GET,
+  POST: () => POST
+});
+module.exports = __toCommonJS(bots_config_route_exports);
+var import_fs2 = __toESM(require("fs"));
+var import_path2 = __toESM(require("path"));
+var import_server2 = require("next/server");
+
+// src/dashboard/auth.ts
+var import_server = require("next/server");
+
+// src/dashboard/admin-store.ts
+var import_fs = __toESM(require("fs"));
+var import_path = __toESM(require("path"));
+var import_crypto = __toESM(require("crypto"));
+function adminFilePath() {
+  const dataDir = process.env.TA_DATA_DIR ?? "data";
+  return import_path.default.join(process.cwd(), dataDir, "ta-admin.json");
+}
+function loadAdmin() {
+  const filePath = adminFilePath();
+  if (!import_fs.default.existsSync(filePath)) return null;
+  try {
+    return JSON.parse(import_fs.default.readFileSync(filePath, "utf-8"));
+  } catch {
+    return null;
+  }
+}
+var CIPHER = "aes-256-gcm";
+function getEncryptionKey() {
+  const secret = process.env.THIRD_AUDIENCE_SECRET ?? "ta-fallback-key-change-me";
+  return import_crypto.default.createHash("sha256").update(secret).digest();
+}
+function decryptApiKey(encoded) {
+  try {
+    const iv = Buffer.from(encoded.slice(0, 24), "hex");
+    const tag = Buffer.from(encoded.slice(24, 56), "hex");
+    const encrypted = Buffer.from(encoded.slice(56), "hex");
+    const key = getEncryptionKey();
+    const decipher = import_crypto.default.createDecipheriv(CIPHER, key, iv);
+    decipher.setAuthTag(tag);
+    return decipher.update(encrypted) + decipher.final("utf8");
+  } catch {
+    return null;
+  }
+}
+function getApiKey() {
+  const record = loadAdmin();
+  if (!record?.apiKey) return null;
+  return decryptApiKey(record.apiKey);
+}
+function verifyApiKey(key) {
+  const stored = getApiKey();
+  if (!stored) return false;
+  if (key.length !== stored.length) return false;
+  return import_crypto.default.timingSafeEqual(Buffer.from(key), Buffer.from(stored));
+}
+function verifySession(token) {
+  const lastDot = token.lastIndexOf(".");
+  if (lastDot === -1) return false;
+  const payload = token.slice(0, lastDot);
+  const sig = token.slice(lastDot + 1);
+  const expected = import_crypto.default.createHmac("sha256", process.env.THIRD_AUDIENCE_SECRET ?? "ta-salt").update(payload).digest("hex");
+  if (sig.length !== expected.length) return false;
+  return import_crypto.default.timingSafeEqual(Buffer.from(sig, "hex"), Buffer.from(expected, "hex"));
+}
+
+// src/dashboard/auth.ts
+var SESSION_COOKIE = "ta_session";
+function checkApiAuth(req) {
+  const apiKeyHeader = req.headers.get("x-ta-api-key");
+  if (apiKeyHeader) return verifyApiKey(apiKeyHeader);
+  const auth = req.headers.get("authorization") ?? "";
+  if (auth.startsWith("Bearer ")) {
+    const token = auth.slice(7);
+    return verifyApiKey(token);
+  }
+  const session = req.cookies.get(SESSION_COOKIE)?.value;
+  if (session) return verifySession(session);
+  return false;
+}
+function unauthorizedResponse() {
+  return import_server.NextResponse.json(
+    { error: "Unauthorized. Provide X-TA-Api-Key header or a valid session cookie." },
+    {
+      status: 401,
+      headers: { "WWW-Authenticate": 'Bearer realm="Third Audience API"' }
+    }
+  );
+}
+
+// src/dashboard/routes/bots-config-route.ts
+function botsConfigPath() {
+  return import_path2.default.join(process.cwd(), process.env.TA_DATA_DIR ?? "data", "ta-bots-config.json");
+}
+async function GET(req) {
+  if (!checkApiAuth(req)) return unauthorizedResponse();
+  const filePath = botsConfigPath();
+  if (!import_fs2.default.existsSync(filePath)) {
+    return import_server2.NextResponse.json({ allowlist: [], blocklist: [], track_unknown: true });
+  }
+  return import_server2.NextResponse.json(JSON.parse(import_fs2.default.readFileSync(filePath, "utf-8")));
+}
+async function POST(req) {
+  if (!checkApiAuth(req)) return unauthorizedResponse();
+  const body = await req.json();
+  const filePath = botsConfigPath();
+  import_fs2.default.mkdirSync(import_path2.default.dirname(filePath), { recursive: true });
+  import_fs2.default.writeFileSync(filePath, JSON.stringify(body, null, 2));
+  return new import_server2.NextResponse(null, { status: 204 });
+}
+// Annotate the CommonJS export names for ESM import in node:
+0 && (module.exports = {
+  GET,
+  POST
+});
+//# sourceMappingURL=bots-config-route.js.map

package/dist/dashboard/routes/bots-config-route.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../../../src/dashboard/routes/bots-config-route.ts","../../../src/dashboard/auth.ts","../../../src/dashboard/admin-store.ts"],"sourcesContent":["import fs from 'fs'\nimport path from 'path'\nimport { NextResponse, type NextRequest } from 'next/server'\nimport { checkApiAuth, unauthorizedResponse } from '../auth.js'\n\nfunction botsConfigPath(): string {\n  return path.join(process.cwd(), process.env.TA_DATA_DIR ?? 'data', 'ta-bots-config.json')\n}\n\n/** GET /api/third-audience/bots-config — returns current bots configuration */\nexport async function GET(req: NextRequest): Promise<NextResponse> {\n  if (!checkApiAuth(req)) return unauthorizedResponse()\n\n  const filePath = botsConfigPath()\n  if (!fs.existsSync(filePath)) {\n    return NextResponse.json({ allowlist: [], blocklist: [], track_unknown: true })\n  }\n\n  return NextResponse.json(JSON.parse(fs.readFileSync(filePath, 'utf-8')))\n}\n\n/** POST /api/third-audience/bots-config — saves bots configuration */\nexport async function POST(req: NextRequest): Promise<NextResponse> {\n  if (!checkApiAuth(req)) return unauthorizedResponse()\n\n  const body = await req.json()\n  const filePath = botsConfigPath()\n  fs.mkdirSync(path.dirname(filePath), { recursive: true })\n  fs.writeFileSync(filePath, JSON.stringify(body, null, 2))\n\n  return new NextResponse(null, { status: 204 })\n}\n","import type { NextRequest } from 'next/server'\nimport { NextResponse } from 'next/server'\nimport { verifySession, verifyApiKey } from './admin-store.js'\n\nconst SESSION_COOKIE = 'ta_session'\n\n/**\n * Authenticate an API route request. Accepts (in order):\n * 1. X-TA-Api-Key header — for headless/external callers (mirrors WP's approach)\n * 2. Authorization: Bearer <api-key> — same key, different transport\n * 3. Valid ta_session cookie — browser dashboard session\n */\nexport function checkApiAuth(req: NextRequest): boolean {\n  // 1. X-TA-Api-Key header (WP-style headless key)\n  const apiKeyHeader = req.headers.get('x-ta-api-key')\n  if (apiKeyHeader) return verifyApiKey(apiKeyHeader)\n\n  // 2. Bearer token (treat as api key)\n  const auth = req.headers.get('authorization') ?? ''\n  if (auth.startsWith('Bearer ')) {\n    const token = auth.slice(7)\n    return verifyApiKey(token)\n  }\n\n  // 3. Browser session cookie\n  const session = req.cookies.get(SESSION_COOKIE)?.value\n  if (session) return verifySession(session)\n\n  return false\n}\n\n/**\n * Returns a 401 JSON response with the correct WWW-Authenticate header.\n * Use as: if (!checkApiAuth(req)) return unauthorizedResponse()\n */\nexport function unauthorizedResponse(): NextResponse {\n  return NextResponse.json(\n    { error: 'Unauthorized. Provide X-TA-Api-Key header or a valid session cookie.' },\n    {\n      status: 401,\n      headers: { 'WWW-Authenticate': 'Bearer realm=\"Third Audience API\"' },\n    }\n  )\n}\n","import fs from 'fs'\nimport path from 'path'\nimport crypto from 'crypto'\n\nexport interface AdminRecord {\n  passwordHash: string        // sha256(secret + password)\n  isDefaultPassword: boolean\n  createdAt: string\n  lastLoginAt: string | null\n  apiKey?: string             // AES-256-GCM encrypted, for headless/external API callers\n}\n\nfunction adminFilePath(): string {\n  const dataDir = process.env.TA_DATA_DIR ?? 'data'\n  return path.join(process.cwd(), dataDir, 'ta-admin.json')\n}\n\nexport function generateDefaultPassword(): string {\n  return crypto.randomBytes(6).toString('hex') // 12-char hex, easy to type\n}\n\nexport function hashPassword(password: string): string {\n  const secret = process.env.THIRD_AUDIENCE_SECRET ?? 'ta-salt'\n  return crypto.createHash('sha256').update(secret + password).digest('hex')\n}\n\nexport function loadAdmin(): AdminRecord | null {\n  const filePath = adminFilePath()\n  if (!fs.existsSync(filePath)) return null\n  try {\n    return JSON.parse(fs.readFileSync(filePath, 'utf-8')) as AdminRecord\n  } catch {\n    return null\n  }\n}\n\nexport function saveAdmin(record: AdminRecord): void {\n  const filePath = adminFilePath()\n  const dir = path.dirname(filePath)\n  if (!fs.existsSync(dir)) fs.mkdirSync(dir, { recursive: true })\n  fs.writeFileSync(filePath, JSON.stringify(record, null, 2), 'utf-8')\n}\n\nexport const DEFAULT_PASSWORD = 'Chang3M3Now!'\n\nexport function initAdmin(): { password: string; apiKey: string; isNew: boolean } {\n  const existing = loadAdmin()\n  if (existing) return { password: '', apiKey: '', isNew: false }\n\n  const apiKey = generateApiKey()\n  saveAdmin({\n    passwordHash: hashPassword(DEFAULT_PASSWORD),\n    isDefaultPassword: true,\n    createdAt: new Date().toISOString(),\n    lastLoginAt: null,\n    apiKey: encryptApiKey(apiKey),\n  })\n  return { password: DEFAULT_PASSWORD, apiKey, isNew: true }\n}\n\nexport function verifyPassword(password: string): boolean {\n  const record = loadAdmin()\n  if (!record) return false\n  return record.passwordHash === hashPassword(password)\n}\n\nexport function updatePassword(newPassword: string): void {\n  const record = loadAdmin()\n  if (!record) return\n  saveAdmin({\n    ...record,\n    passwordHash: hashPassword(newPassword),\n    isDefaultPassword: false,\n  })\n}\n\nexport function recordLogin(): void {\n  const record = loadAdmin()\n  if (!record) return\n  saveAdmin({ ...record, lastLoginAt: new Date().toISOString() })\n}\n\n// ---------------------------------------------------------------------------\n// API key — AES-256-GCM encrypted at rest, mirroring WP's SECURE_AUTH_KEY approach\n// ---------------------------------------------------------------------------\n\nconst CIPHER = 'aes-256-gcm'\n\nfunction getEncryptionKey(): Buffer {\n  const secret = process.env.THIRD_AUDIENCE_SECRET ?? 'ta-fallback-key-change-me'\n  // Derive a 32-byte key from the secret using SHA-256\n  return crypto.createHash('sha256').update(secret).digest()\n}\n\nfunction encryptApiKey(plaintext: string): string {\n  const iv = crypto.randomBytes(12)\n  const key = getEncryptionKey()\n  const cipher = crypto.createCipheriv(CIPHER, key, iv) as crypto.CipherGCM\n  const encrypted = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()])\n  const tag = cipher.getAuthTag()\n  // Format: iv(24 hex) + tag(32 hex) + encrypted(hex)\n  return iv.toString('hex') + tag.toString('hex') + encrypted.toString('hex')\n}\n\nfunction decryptApiKey(encoded: string): string | null {\n  try {\n    const iv = Buffer.from(encoded.slice(0, 24), 'hex')\n    const tag = Buffer.from(encoded.slice(24, 56), 'hex')\n    const encrypted = Buffer.from(encoded.slice(56), 'hex')\n    const key = getEncryptionKey()\n    const decipher = crypto.createDecipheriv(CIPHER, key, iv) as crypto.DecipherGCM\n    decipher.setAuthTag(tag)\n    return decipher.update(encrypted) + decipher.final('utf8')\n  } catch {\n    return null\n  }\n}\n\nexport function generateApiKey(): string {\n  return 'ta_' + crypto.randomBytes(24).toString('hex') // 51-char key\n}\n\nexport function getApiKey(): string | null {\n  const record = loadAdmin()\n  if (!record?.apiKey) return null\n  return decryptApiKey(record.apiKey)\n}\n\nexport function rotateApiKey(): string {\n  const record = loadAdmin()\n  if (!record) throw new Error('Admin store not initialised')\n  const newKey = generateApiKey()\n  saveAdmin({ ...record, apiKey: encryptApiKey(newKey) })\n  return newKey\n}\n\nexport function verifyApiKey(key: string): boolean {\n  const stored = getApiKey()\n  if (!stored) return false\n  if (key.length !== stored.length) return false\n  return crypto.timingSafeEqual(Buffer.from(key), Buffer.from(stored))\n}\n\n// ---------------------------------------------------------------------------\n// Session cookie: HMAC-SHA256(secret, userId + timestamp) — stateless, no DB\n// ---------------------------------------------------------------------------\nexport function signSession(payload: string): string {\n  const secret = process.env.THIRD_AUDIENCE_SECRET ?? 'ta-salt'\n  const sig = crypto.createHmac('sha256', secret).update(payload).digest('hex')\n  return `${payload}.${sig}`\n}\n\nexport function verifySession(token: string): boolean {\n  const lastDot = token.lastIndexOf('.')\n  if (lastDot === -1) return false\n  const payload = token.slice(0, lastDot)\n  const sig = token.slice(lastDot + 1)\n  const expected = crypto.createHmac('sha256', process.env.THIRD_AUDIENCE_SECRET ?? 'ta-salt')\n    .update(payload).digest('hex')\n  // Constant-time comparison\n  if (sig.length !== expected.length) return false\n  return crypto.timingSafeEqual(Buffer.from(sig, 'hex'), Buffer.from(expected, 'hex'))\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,IAAAA,aAAe;AACf,IAAAC,eAAiB;AACjB,IAAAC,iBAA+C;;;ACD/C,oBAA6B;;;ACD7B,gBAAe;AACf,kBAAiB;AACjB,oBAAmB;AAUnB,SAAS,gBAAwB;AAC/B,QAAM,UAAU,QAAQ,IAAI,eAAe;AAC3C,SAAO,YAAAC,QAAK,KAAK,QAAQ,IAAI,GAAG,SAAS,eAAe;AAC1D;AAWO,SAAS,YAAgC;AAC9C,QAAM,WAAW,cAAc;AAC/B,MAAI,CAAC,UAAAC,QAAG,WAAW,QAAQ,EAAG,QAAO;AACrC,MAAI;AACF,WAAO,KAAK,MAAM,UAAAA,QAAG,aAAa,UAAU,OAAO,CAAC;AAAA,EACtD,QAAQ;AACN,WAAO;AAAA,EACT;AACF;AAoDA,IAAM,SAAS;AAEf,SAAS,mBAA2B;AAClC,QAAM,SAAS,QAAQ,IAAI,yBAAyB;AAEpD,SAAO,cAAAC,QAAO,WAAW,QAAQ,EAAE,OAAO,MAAM,EAAE,OAAO;AAC3D;AAYA,SAAS,cAAc,SAAgC;AACrD,MAAI;AACF,UAAM,KAAK,OAAO,KAAK,QAAQ,MAAM,GAAG,EAAE,GAAG,KAAK;AAClD,UAAM,MAAM,OAAO,KAAK,QAAQ,MAAM,IAAI,EAAE,GAAG,KAAK;AACpD,UAAM,YAAY,OAAO,KAAK,QAAQ,MAAM,EAAE,GAAG,KAAK;AACtD,UAAM,MAAM,iBAAiB;AAC7B,UAAM,WAAW,cAAAC,QAAO,iBAAiB,QAAQ,KAAK,EAAE;AACxD,aAAS,WAAW,GAAG;AACvB,WAAO,SAAS,OAAO,SAAS,IAAI,SAAS,MAAM,MAAM;AAAA,EAC3D,QAAQ;AACN,WAAO;AAAA,EACT;AACF;AAMO,SAAS,YAA2B;AACzC,QAAM,SAAS,UAAU;AACzB,MAAI,CAAC,QAAQ,OAAQ,QAAO;AAC5B,SAAO,cAAc,OAAO,MAAM;AACpC;AAUO,SAAS,aAAa,KAAsB;AACjD,QAAM,SAAS,UAAU;AACzB,MAAI,CAAC,OAAQ,QAAO;AACpB,MAAI,IAAI,WAAW,OAAO,OAAQ,QAAO;AACzC,SAAO,cAAAC,QAAO,gBAAgB,OAAO,KAAK,GAAG,GAAG,OAAO,KAAK,MAAM,CAAC;AACrE;AAWO,SAAS,cAAc,OAAwB;AACpD,QAAM,UAAU,MAAM,YAAY,GAAG;AACrC,MAAI,YAAY,GAAI,QAAO;AAC3B,QAAM,UAAU,MAAM,MAAM,GAAG,OAAO;AACtC,QAAM,MAAM,MAAM,MAAM,UAAU,CAAC;AACnC,QAAM,WAAW,cAAAC,QAAO,WAAW,UAAU,QAAQ,IAAI,yBAAyB,SAAS,EACxF,OAAO,OAAO,EAAE,OAAO,KAAK;AAE/B,MAAI,IAAI,WAAW,SAAS,OAAQ,QAAO;AAC3C,SAAO,cAAAA,QAAO,gBAAgB,OAAO,KAAK,KAAK,KAAK,GAAG,OAAO,KAAK,UAAU,KAAK,CAAC;AACrF;;;AD9JA,IAAM,iBAAiB;AAQhB,SAAS,aAAa,KAA2B;AAEtD,QAAM,eAAe,IAAI,QAAQ,IAAI,cAAc;AACnD,MAAI,aAAc,QAAO,aAAa,YAAY;AAGlD,QAAM,OAAO,IAAI,QAAQ,IAAI,eAAe,KAAK;AACjD,MAAI,KAAK,WAAW,SAAS,GAAG;AAC9B,UAAM,QAAQ,KAAK,MAAM,CAAC;AAC1B,WAAO,aAAa,KAAK;AAAA,EAC3B;AAGA,QAAM,UAAU,IAAI,QAAQ,IAAI,cAAc,GAAG;AACjD,MAAI,QAAS,QAAO,cAAc,OAAO;AAEzC,SAAO;AACT;AAMO,SAAS,uBAAqC;AACnD,SAAO,2BAAa;AAAA,IAClB,EAAE,OAAO,uEAAuE;AAAA,IAChF;AAAA,MACE,QAAQ;AAAA,MACR,SAAS,EAAE,oBAAoB,oCAAoC;AAAA,IACrE;AAAA,EACF;AACF;;;ADtCA,SAAS,iBAAyB;AAChC,SAAO,aAAAC,QAAK,KAAK,QAAQ,IAAI,GAAG,QAAQ,IAAI,eAAe,QAAQ,qBAAqB;AAC1F;AAGA,eAAsB,IAAI,KAAyC;AACjE,MAAI,CAAC,aAAa,GAAG,EAAG,QAAO,qBAAqB;AAEpD,QAAM,WAAW,eAAe;AAChC,MAAI,CAAC,WAAAC,QAAG,WAAW,QAAQ,GAAG;AAC5B,WAAO,4BAAa,KAAK,EAAE,WAAW,CAAC,GAAG,WAAW,CAAC,GAAG,eAAe,KAAK,CAAC;AAAA,EAChF;AAEA,SAAO,4BAAa,KAAK,KAAK,MAAM,WAAAA,QAAG,aAAa,UAAU,OAAO,CAAC,CAAC;AACzE;AAGA,eAAsB,KAAK,KAAyC;AAClE,MAAI,CAAC,aAAa,GAAG,EAAG,QAAO,qBAAqB;AAEpD,QAAM,OAAO,MAAM,IAAI,KAAK;AAC5B,QAAM,WAAW,eAAe;AAChC,aAAAA,QAAG,UAAU,aAAAD,QAAK,QAAQ,QAAQ,GAAG,EAAE,WAAW,KAAK,CAAC;AACxD,aAAAC,QAAG,cAAc,UAAU,KAAK,UAAU,MAAM,MAAM,CAAC,CAAC;AAExD,SAAO,IAAI,4BAAa,MAAM,EAAE,QAAQ,IAAI,CAAC;AAC/C;","names":["import_fs","import_path","import_server","path","fs","crypto","crypto","crypto","crypto","path","fs"]}

package/dist/dashboard/routes/bots-config-route.mjs

@@ -0,0 +1,113 @@
+// src/dashboard/routes/bots-config-route.ts
+import fs2 from "fs";
+import path2 from "path";
+import { NextResponse as NextResponse2 } from "next/server";
+
+// src/dashboard/auth.ts
+import { NextResponse } from "next/server";
+
+// src/dashboard/admin-store.ts
+import fs from "fs";
+import path from "path";
+import crypto from "crypto";
+function adminFilePath() {
+  const dataDir = process.env.TA_DATA_DIR ?? "data";
+  return path.join(process.cwd(), dataDir, "ta-admin.json");
+}
+function loadAdmin() {
+  const filePath = adminFilePath();
+  if (!fs.existsSync(filePath)) return null;
+  try {
+    return JSON.parse(fs.readFileSync(filePath, "utf-8"));
+  } catch {
+    return null;
+  }
+}
+var CIPHER = "aes-256-gcm";
+function getEncryptionKey() {
+  const secret = process.env.THIRD_AUDIENCE_SECRET ?? "ta-fallback-key-change-me";
+  return crypto.createHash("sha256").update(secret).digest();
+}
+function decryptApiKey(encoded) {
+  try {
+    const iv = Buffer.from(encoded.slice(0, 24), "hex");
+    const tag = Buffer.from(encoded.slice(24, 56), "hex");
+    const encrypted = Buffer.from(encoded.slice(56), "hex");
+    const key = getEncryptionKey();
+    const decipher = crypto.createDecipheriv(CIPHER, key, iv);
+    decipher.setAuthTag(tag);
+    return decipher.update(encrypted) + decipher.final("utf8");
+  } catch {
+    return null;
+  }
+}
+function getApiKey() {
+  const record = loadAdmin();
+  if (!record?.apiKey) return null;
+  return decryptApiKey(record.apiKey);
+}
+function verifyApiKey(key) {
+  const stored = getApiKey();
+  if (!stored) return false;
+  if (key.length !== stored.length) return false;
+  return crypto.timingSafeEqual(Buffer.from(key), Buffer.from(stored));
+}
+function verifySession(token) {
+  const lastDot = token.lastIndexOf(".");
+  if (lastDot === -1) return false;
+  const payload = token.slice(0, lastDot);
+  const sig = token.slice(lastDot + 1);
+  const expected = crypto.createHmac("sha256", process.env.THIRD_AUDIENCE_SECRET ?? "ta-salt").update(payload).digest("hex");
+  if (sig.length !== expected.length) return false;
+  return crypto.timingSafeEqual(Buffer.from(sig, "hex"), Buffer.from(expected, "hex"));
+}
+
+// src/dashboard/auth.ts
+var SESSION_COOKIE = "ta_session";
+function checkApiAuth(req) {
+  const apiKeyHeader = req.headers.get("x-ta-api-key");
+  if (apiKeyHeader) return verifyApiKey(apiKeyHeader);
+  const auth = req.headers.get("authorization") ?? "";
+  if (auth.startsWith("Bearer ")) {
+    const token = auth.slice(7);
+    return verifyApiKey(token);
+  }
+  const session = req.cookies.get(SESSION_COOKIE)?.value;
+  if (session) return verifySession(session);
+  return false;
+}
+function unauthorizedResponse() {
+  return NextResponse.json(
+    { error: "Unauthorized. Provide X-TA-Api-Key header or a valid session cookie." },
+    {
+      status: 401,
+      headers: { "WWW-Authenticate": 'Bearer realm="Third Audience API"' }
+    }
+  );
+}
+
+// src/dashboard/routes/bots-config-route.ts
+function botsConfigPath() {
+  return path2.join(process.cwd(), process.env.TA_DATA_DIR ?? "data", "ta-bots-config.json");
+}
+async function GET(req) {
+  if (!checkApiAuth(req)) return unauthorizedResponse();
+  const filePath = botsConfigPath();
+  if (!fs2.existsSync(filePath)) {
+    return NextResponse2.json({ allowlist: [], blocklist: [], track_unknown: true });
+  }
+  return NextResponse2.json(JSON.parse(fs2.readFileSync(filePath, "utf-8")));
+}
+async function POST(req) {
+  if (!checkApiAuth(req)) return unauthorizedResponse();
+  const body = await req.json();
+  const filePath = botsConfigPath();
+  fs2.mkdirSync(path2.dirname(filePath), { recursive: true });
+  fs2.writeFileSync(filePath, JSON.stringify(body, null, 2));
+  return new NextResponse2(null, { status: 204 });
+}
+export {
+  GET,
+  POST
+};
+//# sourceMappingURL=bots-config-route.mjs.map

package/dist/dashboard/routes/bots-config-route.mjs.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../../../src/dashboard/routes/bots-config-route.ts","../../../src/dashboard/auth.ts","../../../src/dashboard/admin-store.ts"],"sourcesContent":["import fs from 'fs'\nimport path from 'path'\nimport { NextResponse, type NextRequest } from 'next/server'\nimport { checkApiAuth, unauthorizedResponse } from '../auth.js'\n\nfunction botsConfigPath(): string {\n  return path.join(process.cwd(), process.env.TA_DATA_DIR ?? 'data', 'ta-bots-config.json')\n}\n\n/** GET /api/third-audience/bots-config — returns current bots configuration */\nexport async function GET(req: NextRequest): Promise<NextResponse> {\n  if (!checkApiAuth(req)) return unauthorizedResponse()\n\n  const filePath = botsConfigPath()\n  if (!fs.existsSync(filePath)) {\n    return NextResponse.json({ allowlist: [], blocklist: [], track_unknown: true })\n  }\n\n  return NextResponse.json(JSON.parse(fs.readFileSync(filePath, 'utf-8')))\n}\n\n/** POST /api/third-audience/bots-config — saves bots configuration */\nexport async function POST(req: NextRequest): Promise<NextResponse> {\n  if (!checkApiAuth(req)) return unauthorizedResponse()\n\n  const body = await req.json()\n  const filePath = botsConfigPath()\n  fs.mkdirSync(path.dirname(filePath), { recursive: true })\n  fs.writeFileSync(filePath, JSON.stringify(body, null, 2))\n\n  return new NextResponse(null, { status: 204 })\n}\n","import type { NextRequest } from 'next/server'\nimport { NextResponse } from 'next/server'\nimport { verifySession, verifyApiKey } from './admin-store.js'\n\nconst SESSION_COOKIE = 'ta_session'\n\n/**\n * Authenticate an API route request. Accepts (in order):\n * 1. X-TA-Api-Key header — for headless/external callers (mirrors WP's approach)\n * 2. Authorization: Bearer <api-key> — same key, different transport\n * 3. Valid ta_session cookie — browser dashboard session\n */\nexport function checkApiAuth(req: NextRequest): boolean {\n  // 1. X-TA-Api-Key header (WP-style headless key)\n  const apiKeyHeader = req.headers.get('x-ta-api-key')\n  if (apiKeyHeader) return verifyApiKey(apiKeyHeader)\n\n  // 2. Bearer token (treat as api key)\n  const auth = req.headers.get('authorization') ?? ''\n  if (auth.startsWith('Bearer ')) {\n    const token = auth.slice(7)\n    return verifyApiKey(token)\n  }\n\n  // 3. Browser session cookie\n  const session = req.cookies.get(SESSION_COOKIE)?.value\n  if (session) return verifySession(session)\n\n  return false\n}\n\n/**\n * Returns a 401 JSON response with the correct WWW-Authenticate header.\n * Use as: if (!checkApiAuth(req)) return unauthorizedResponse()\n */\nexport function unauthorizedResponse(): NextResponse {\n  return NextResponse.json(\n    { error: 'Unauthorized. Provide X-TA-Api-Key header or a valid session cookie.' },\n    {\n      status: 401,\n      headers: { 'WWW-Authenticate': 'Bearer realm=\"Third Audience API\"' },\n    }\n  )\n}\n","import fs from 'fs'\nimport path from 'path'\nimport crypto from 'crypto'\n\nexport interface AdminRecord {\n  passwordHash: string        // sha256(secret + password)\n  isDefaultPassword: boolean\n  createdAt: string\n  lastLoginAt: string | null\n  apiKey?: string             // AES-256-GCM encrypted, for headless/external API callers\n}\n\nfunction adminFilePath(): string {\n  const dataDir = process.env.TA_DATA_DIR ?? 'data'\n  return path.join(process.cwd(), dataDir, 'ta-admin.json')\n}\n\nexport function generateDefaultPassword(): string {\n  return crypto.randomBytes(6).toString('hex') // 12-char hex, easy to type\n}\n\nexport function hashPassword(password: string): string {\n  const secret = process.env.THIRD_AUDIENCE_SECRET ?? 'ta-salt'\n  return crypto.createHash('sha256').update(secret + password).digest('hex')\n}\n\nexport function loadAdmin(): AdminRecord | null {\n  const filePath = adminFilePath()\n  if (!fs.existsSync(filePath)) return null\n  try {\n    return JSON.parse(fs.readFileSync(filePath, 'utf-8')) as AdminRecord\n  } catch {\n    return null\n  }\n}\n\nexport function saveAdmin(record: AdminRecord): void {\n  const filePath = adminFilePath()\n  const dir = path.dirname(filePath)\n  if (!fs.existsSync(dir)) fs.mkdirSync(dir, { recursive: true })\n  fs.writeFileSync(filePath, JSON.stringify(record, null, 2), 'utf-8')\n}\n\nexport const DEFAULT_PASSWORD = 'Chang3M3Now!'\n\nexport function initAdmin(): { password: string; apiKey: string; isNew: boolean } {\n  const existing = loadAdmin()\n  if (existing) return { password: '', apiKey: '', isNew: false }\n\n  const apiKey = generateApiKey()\n  saveAdmin({\n    passwordHash: hashPassword(DEFAULT_PASSWORD),\n    isDefaultPassword: true,\n    createdAt: new Date().toISOString(),\n    lastLoginAt: null,\n    apiKey: encryptApiKey(apiKey),\n  })\n  return { password: DEFAULT_PASSWORD, apiKey, isNew: true }\n}\n\nexport function verifyPassword(password: string): boolean {\n  const record = loadAdmin()\n  if (!record) return false\n  return record.passwordHash === hashPassword(password)\n}\n\nexport function updatePassword(newPassword: string): void {\n  const record = loadAdmin()\n  if (!record) return\n  saveAdmin({\n    ...record,\n    passwordHash: hashPassword(newPassword),\n    isDefaultPassword: false,\n  })\n}\n\nexport function recordLogin(): void {\n  const record = loadAdmin()\n  if (!record) return\n  saveAdmin({ ...record, lastLoginAt: new Date().toISOString() })\n}\n\n// ---------------------------------------------------------------------------\n// API key — AES-256-GCM encrypted at rest, mirroring WP's SECURE_AUTH_KEY approach\n// ---------------------------------------------------------------------------\n\nconst CIPHER = 'aes-256-gcm'\n\nfunction getEncryptionKey(): Buffer {\n  const secret = process.env.THIRD_AUDIENCE_SECRET ?? 'ta-fallback-key-change-me'\n  // Derive a 32-byte key from the secret using SHA-256\n  return crypto.createHash('sha256').update(secret).digest()\n}\n\nfunction encryptApiKey(plaintext: string): string {\n  const iv = crypto.randomBytes(12)\n  const key = getEncryptionKey()\n  const cipher = crypto.createCipheriv(CIPHER, key, iv) as crypto.CipherGCM\n  const encrypted = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()])\n  const tag = cipher.getAuthTag()\n  // Format: iv(24 hex) + tag(32 hex) + encrypted(hex)\n  return iv.toString('hex') + tag.toString('hex') + encrypted.toString('hex')\n}\n\nfunction decryptApiKey(encoded: string): string | null {\n  try {\n    const iv = Buffer.from(encoded.slice(0, 24), 'hex')\n    const tag = Buffer.from(encoded.slice(24, 56), 'hex')\n    const encrypted = Buffer.from(encoded.slice(56), 'hex')\n    const key = getEncryptionKey()\n    const decipher = crypto.createDecipheriv(CIPHER, key, iv) as crypto.DecipherGCM\n    decipher.setAuthTag(tag)\n    return decipher.update(encrypted) + decipher.final('utf8')\n  } catch {\n    return null\n  }\n}\n\nexport function generateApiKey(): string {\n  return 'ta_' + crypto.randomBytes(24).toString('hex') // 51-char key\n}\n\nexport function getApiKey(): string | null {\n  const record = loadAdmin()\n  if (!record?.apiKey) return null\n  return decryptApiKey(record.apiKey)\n}\n\nexport function rotateApiKey(): string {\n  const record = loadAdmin()\n  if (!record) throw new Error('Admin store not initialised')\n  const newKey = generateApiKey()\n  saveAdmin({ ...record, apiKey: encryptApiKey(newKey) })\n  return newKey\n}\n\nexport function verifyApiKey(key: string): boolean {\n  const stored = getApiKey()\n  if (!stored) return false\n  if (key.length !== stored.length) return false\n  return crypto.timingSafeEqual(Buffer.from(key), Buffer.from(stored))\n}\n\n// ---------------------------------------------------------------------------\n// Session cookie: HMAC-SHA256(secret, userId + timestamp) — stateless, no DB\n// ---------------------------------------------------------------------------\nexport function signSession(payload: string): string {\n  const secret = process.env.THIRD_AUDIENCE_SECRET ?? 'ta-salt'\n  const sig = crypto.createHmac('sha256', secret).update(payload).digest('hex')\n  return `${payload}.${sig}`\n}\n\nexport function verifySession(token: string): boolean {\n  const lastDot = token.lastIndexOf('.')\n  if (lastDot === -1) return false\n  const payload = token.slice(0, lastDot)\n  const sig = token.slice(lastDot + 1)\n  const expected = crypto.createHmac('sha256', process.env.THIRD_AUDIENCE_SECRET ?? 'ta-salt')\n    .update(payload).digest('hex')\n  // Constant-time comparison\n  if (sig.length !== expected.length) return false\n  return crypto.timingSafeEqual(Buffer.from(sig, 'hex'), Buffer.from(expected, 'hex'))\n}\n"],"mappings":";AAAA,OAAOA,SAAQ;AACf,OAAOC,WAAU;AACjB,SAAS,gBAAAC,qBAAsC;;;ACD/C,SAAS,oBAAoB;;;ACD7B,OAAO,QAAQ;AACf,OAAO,UAAU;AACjB,OAAO,YAAY;AAUnB,SAAS,gBAAwB;AAC/B,QAAM,UAAU,QAAQ,IAAI,eAAe;AAC3C,SAAO,KAAK,KAAK,QAAQ,IAAI,GAAG,SAAS,eAAe;AAC1D;AAWO,SAAS,YAAgC;AAC9C,QAAM,WAAW,cAAc;AAC/B,MAAI,CAAC,GAAG,WAAW,QAAQ,EAAG,QAAO;AACrC,MAAI;AACF,WAAO,KAAK,MAAM,GAAG,aAAa,UAAU,OAAO,CAAC;AAAA,EACtD,QAAQ;AACN,WAAO;AAAA,EACT;AACF;AAoDA,IAAM,SAAS;AAEf,SAAS,mBAA2B;AAClC,QAAM,SAAS,QAAQ,IAAI,yBAAyB;AAEpD,SAAO,OAAO,WAAW,QAAQ,EAAE,OAAO,MAAM,EAAE,OAAO;AAC3D;AAYA,SAAS,cAAc,SAAgC;AACrD,MAAI;AACF,UAAM,KAAK,OAAO,KAAK,QAAQ,MAAM,GAAG,EAAE,GAAG,KAAK;AAClD,UAAM,MAAM,OAAO,KAAK,QAAQ,MAAM,IAAI,EAAE,GAAG,KAAK;AACpD,UAAM,YAAY,OAAO,KAAK,QAAQ,MAAM,EAAE,GAAG,KAAK;AACtD,UAAM,MAAM,iBAAiB;AAC7B,UAAM,WAAW,OAAO,iBAAiB,QAAQ,KAAK,EAAE;AACxD,aAAS,WAAW,GAAG;AACvB,WAAO,SAAS,OAAO,SAAS,IAAI,SAAS,MAAM,MAAM;AAAA,EAC3D,QAAQ;AACN,WAAO;AAAA,EACT;AACF;AAMO,SAAS,YAA2B;AACzC,QAAM,SAAS,UAAU;AACzB,MAAI,CAAC,QAAQ,OAAQ,QAAO;AAC5B,SAAO,cAAc,OAAO,MAAM;AACpC;AAUO,SAAS,aAAa,KAAsB;AACjD,QAAM,SAAS,UAAU;AACzB,MAAI,CAAC,OAAQ,QAAO;AACpB,MAAI,IAAI,WAAW,OAAO,OAAQ,QAAO;AACzC,SAAO,OAAO,gBAAgB,OAAO,KAAK,GAAG,GAAG,OAAO,KAAK,MAAM,CAAC;AACrE;AAWO,SAAS,cAAc,OAAwB;AACpD,QAAM,UAAU,MAAM,YAAY,GAAG;AACrC,MAAI,YAAY,GAAI,QAAO;AAC3B,QAAM,UAAU,MAAM,MAAM,GAAG,OAAO;AACtC,QAAM,MAAM,MAAM,MAAM,UAAU,CAAC;AACnC,QAAM,WAAW,OAAO,WAAW,UAAU,QAAQ,IAAI,yBAAyB,SAAS,EACxF,OAAO,OAAO,EAAE,OAAO,KAAK;AAE/B,MAAI,IAAI,WAAW,SAAS,OAAQ,QAAO;AAC3C,SAAO,OAAO,gBAAgB,OAAO,KAAK,KAAK,KAAK,GAAG,OAAO,KAAK,UAAU,KAAK,CAAC;AACrF;;;AD9JA,IAAM,iBAAiB;AAQhB,SAAS,aAAa,KAA2B;AAEtD,QAAM,eAAe,IAAI,QAAQ,IAAI,cAAc;AACnD,MAAI,aAAc,QAAO,aAAa,YAAY;AAGlD,QAAM,OAAO,IAAI,QAAQ,IAAI,eAAe,KAAK;AACjD,MAAI,KAAK,WAAW,SAAS,GAAG;AAC9B,UAAM,QAAQ,KAAK,MAAM,CAAC;AAC1B,WAAO,aAAa,KAAK;AAAA,EAC3B;AAGA,QAAM,UAAU,IAAI,QAAQ,IAAI,cAAc,GAAG;AACjD,MAAI,QAAS,QAAO,cAAc,OAAO;AAEzC,SAAO;AACT;AAMO,SAAS,uBAAqC;AACnD,SAAO,aAAa;AAAA,IAClB,EAAE,OAAO,uEAAuE;AAAA,IAChF;AAAA,MACE,QAAQ;AAAA,MACR,SAAS,EAAE,oBAAoB,oCAAoC;AAAA,IACrE;AAAA,EACF;AACF;;;ADtCA,SAAS,iBAAyB;AAChC,SAAOC,MAAK,KAAK,QAAQ,IAAI,GAAG,QAAQ,IAAI,eAAe,QAAQ,qBAAqB;AAC1F;AAGA,eAAsB,IAAI,KAAyC;AACjE,MAAI,CAAC,aAAa,GAAG,EAAG,QAAO,qBAAqB;AAEpD,QAAM,WAAW,eAAe;AAChC,MAAI,CAACC,IAAG,WAAW,QAAQ,GAAG;AAC5B,WAAOC,cAAa,KAAK,EAAE,WAAW,CAAC,GAAG,WAAW,CAAC,GAAG,eAAe,KAAK,CAAC;AAAA,EAChF;AAEA,SAAOA,cAAa,KAAK,KAAK,MAAMD,IAAG,aAAa,UAAU,OAAO,CAAC,CAAC;AACzE;AAGA,eAAsB,KAAK,KAAyC;AAClE,MAAI,CAAC,aAAa,GAAG,EAAG,QAAO,qBAAqB;AAEpD,QAAM,OAAO,MAAM,IAAI,KAAK;AAC5B,QAAM,WAAW,eAAe;AAChC,EAAAA,IAAG,UAAUD,MAAK,QAAQ,QAAQ,GAAG,EAAE,WAAW,KAAK,CAAC;AACxD,EAAAC,IAAG,cAAc,UAAU,KAAK,UAAU,MAAM,MAAM,CAAC,CAAC;AAExD,SAAO,IAAIC,cAAa,MAAM,EAAE,QAAQ,IAAI,CAAC;AAC/C;","names":["fs","path","NextResponse","path","fs","NextResponse"]}

package/dist/dashboard/routes/okf-graph-route.d.mts

@@ -0,0 +1,6 @@
+import { NextRequest, NextResponse } from 'next/server';
+
+/** GET /api/third-audience/okf-graph — returns graph JSON for the OKF dashboard viewer */
+declare function GET(req: NextRequest): Promise<NextResponse>;
+
+export { GET };

package/dist/dashboard/routes/okf-graph-route.d.ts

@@ -0,0 +1,6 @@
+import { NextRequest, NextResponse } from 'next/server';
+
+/** GET /api/third-audience/okf-graph — returns graph JSON for the OKF dashboard viewer */
+declare function GET(req: NextRequest): Promise<NextResponse>;
+
+export { GET };

package/dist/dashboard/routes/okf-graph-route.js

@@ -0,0 +1,266 @@
+"use strict";
+var __create = Object.create;
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __getProtoOf = Object.getPrototypeOf;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toESM = (mod, isNodeMode, target) => (target = mod != null ? __create(__getProtoOf(mod)) : {}, __copyProps(
+  // If the importer is in node compatibility mode or this is not an ESM
+  // file that has been converted to a CommonJS file using a Babel-
+  // compatible transform (i.e. "__esModule" has not been set), then set
+  // "default" to the CommonJS "module.exports" for node compatibility.
+  isNodeMode || !mod || !mod.__esModule ? __defProp(target, "default", { value: mod, enumerable: true }) : target,
+  mod
+));
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+
+// src/dashboard/routes/okf-graph-route.ts
+var okf_graph_route_exports = {};
+__export(okf_graph_route_exports, {
+  GET: () => GET
+});
+module.exports = __toCommonJS(okf_graph_route_exports);
+var import_server2 = require("next/server");
+var import_path3 = __toESM(require("path"));
+
+// src/core/mdx-reader.ts
+var import_fs = __toESM(require("fs"));
+var import_path = __toESM(require("path"));
+var import_gray_matter = __toESM(require("gray-matter"));
+var MdxReader = class {
+  constructor(options) {
+    this.contentDir = options.contentDir;
+  }
+  /** Read a single MDX file by slug. Returns null if not found. */
+  read(slug) {
+    const candidates = [
+      import_path.default.join(this.contentDir, `${slug}.mdx`),
+      import_path.default.join(this.contentDir, `${slug}.md`),
+      import_path.default.join(this.contentDir, slug, "index.mdx"),
+      import_path.default.join(this.contentDir, slug, "index.md")
+    ];
+    for (const filePath of candidates) {
+      if (import_fs.default.existsSync(filePath)) {
+        return this.parseFile(slug, filePath);
+      }
+    }
+    return null;
+  }
+  /** Read all MDX files recursively. */
+  readAll() {
+    if (!import_fs.default.existsSync(this.contentDir)) return [];
+    return this.walkDir(this.contentDir, this.contentDir);
+  }
+  walkDir(dir, root) {
+    const results = [];
+    for (const entry of import_fs.default.readdirSync(dir, { withFileTypes: true })) {
+      const fullPath = import_path.default.join(dir, entry.name);
+      if (entry.isDirectory()) {
+        results.push(...this.walkDir(fullPath, root));
+      } else if (entry.name.endsWith(".mdx") || entry.name.endsWith(".md")) {
+        const relative = import_path.default.relative(root, fullPath);
+        const slug = relative.replace(/\.(mdx|md)$/, "").replace(/\/index$/, "");
+        results.push(this.parseFile(slug, fullPath));
+      }
+    }
+    return results;
+  }
+  parseFile(slug, filePath) {
+    const raw = import_fs.default.readFileSync(filePath, "utf-8");
+    const { data: frontmatter, content: rawContent } = (0, import_gray_matter.default)(raw);
+    return { slug, filePath, frontmatter, rawContent };
+  }
+};
+
+// src/core/markdown-renderer.ts
+var MarkdownRenderer = class {
+  render(file) {
+    const header = this.buildFrontmatterHeader(file.frontmatter);
+    const body = this.stripJsx(file.rawContent);
+    return header ? `${header}
+
+${body}` : body;
+  }
+  buildFrontmatterHeader(fm) {
+    const keys = Object.keys(fm);
+    if (keys.length === 0) return "";
+    const lines = keys.filter((k) => fm[k] !== void 0 && fm[k] !== null).map((k) => `${k}: ${this.yamlValue(fm[k])}`);
+    return `---
+${lines.join("\n")}
+---`;
+  }
+  yamlValue(val) {
+    if (typeof val === "string") {
+      return /[:#\[\]{},&*?|<>=!%@`]/.test(val) ? `"${val.replace(/"/g, '\\"')}"` : val;
+    }
+    if (val instanceof Date) return val.toISOString();
+    if (Array.isArray(val)) return `[${val.map((v) => this.yamlValue(v)).join(", ")}]`;
+    return String(val);
+  }
+  stripJsx(content) {
+    let out = content;
+    out = out.replace(/^import\s+.*?['"].*?['"]\s*\n?/gm, "");
+    out = out.replace(/^export\s+(?:default\s+)?(?:const|let|var|function|class)\s+[\s\S]*?(?=\n(?=[^{]|\n)|\n{2,})/gm, "");
+    out = out.replace(/^export\s*\{[^}]*\}\s*(?:from\s+['"][^'"]*['"])?\s*\n?/gm, "");
+    out = out.replace(/<([A-Z][A-Za-z0-9.]*)[^>]*\/>/g, "");
+    out = out.replace(/<([A-Z][A-Za-z0-9.]*)[^>]*>[\s\S]*?<\/\1>/g, "");
+    out = out.replace(/^\s*\{[^}]+\}\s*\n/gm, "");
+    out = out.replace(/\n{3,}/g, "\n\n");
+    return out.trim();
+  }
+};
+
+// src/okf/okf-bundle.ts
+var renderer = new MarkdownRenderer();
+function buildOkfGraph(files, baseUrl) {
+  const base = baseUrl.replace(/\/$/, "");
+  const slugSet = new Set(files.map((f) => f.slug));
+  const mdMap = /* @__PURE__ */ new Map();
+  for (const file of files) {
+    mdMap.set(file.slug, renderer.render(file));
+  }
+  const degrees = new Map(files.map((f) => [f.slug, 0]));
+  const rawEdges = [];
+  for (const file of files) {
+    const md = mdMap.get(file.slug) ?? "";
+    const linkRe = /\[([^\]]+)\]\((\/[^)]+)\)/g;
+    let m;
+    while ((m = linkRe.exec(md)) !== null) {
+      const candidate = m[2].replace(/^\//, "").replace(/\.md$/, "");
+      if (slugSet.has(candidate) && candidate !== file.slug) {
+        rawEdges.push({ source: file.slug, target: candidate });
+        degrees.set(file.slug, (degrees.get(file.slug) ?? 0) + 1);
+        degrees.set(candidate, (degrees.get(candidate) ?? 0) + 1);
+      }
+    }
+  }
+  const top100 = files.slice().sort((a, b) => (degrees.get(b.slug) ?? 0) - (degrees.get(a.slug) ?? 0)).slice(0, 100);
+  const topSet = new Set(top100.map((f) => f.slug));
+  const nodes = top100.map((f) => ({
+    id: f.slug,
+    title: String(f.frontmatter.title ?? f.slug),
+    type: String(f.frontmatter.type ?? "WebPage"),
+    url: `${base}/${f.slug}`
+  }));
+  const edges = rawEdges.filter((e) => topSet.has(e.source) && topSet.has(e.target));
+  return { nodes, edges };
+}
+
+// src/dashboard/auth.ts
+var import_server = require("next/server");
+
+// src/dashboard/admin-store.ts
+var import_fs2 = __toESM(require("fs"));
+var import_path2 = __toESM(require("path"));
+var import_crypto = __toESM(require("crypto"));
+function adminFilePath() {
+  const dataDir = process.env.TA_DATA_DIR ?? "data";
+  return import_path2.default.join(process.cwd(), dataDir, "ta-admin.json");
+}
+function loadAdmin() {
+  const filePath = adminFilePath();
+  if (!import_fs2.default.existsSync(filePath)) return null;
+  try {
+    return JSON.parse(import_fs2.default.readFileSync(filePath, "utf-8"));
+  } catch {
+    return null;
+  }
+}
+var CIPHER = "aes-256-gcm";
+function getEncryptionKey() {
+  const secret = process.env.THIRD_AUDIENCE_SECRET ?? "ta-fallback-key-change-me";
+  return import_crypto.default.createHash("sha256").update(secret).digest();
+}
+function decryptApiKey(encoded) {
+  try {
+    const iv = Buffer.from(encoded.slice(0, 24), "hex");
+    const tag = Buffer.from(encoded.slice(24, 56), "hex");
+    const encrypted = Buffer.from(encoded.slice(56), "hex");
+    const key = getEncryptionKey();
+    const decipher = import_crypto.default.createDecipheriv(CIPHER, key, iv);
+    decipher.setAuthTag(tag);
+    return decipher.update(encrypted) + decipher.final("utf8");
+  } catch {
+    return null;
+  }
+}
+function getApiKey() {
+  const record = loadAdmin();
+  if (!record?.apiKey) return null;
+  return decryptApiKey(record.apiKey);
+}
+function verifyApiKey(key) {
+  const stored = getApiKey();
+  if (!stored) return false;
+  if (key.length !== stored.length) return false;
+  return import_crypto.default.timingSafeEqual(Buffer.from(key), Buffer.from(stored));
+}
+function verifySession(token) {
+  const lastDot = token.lastIndexOf(".");
+  if (lastDot === -1) return false;
+  const payload = token.slice(0, lastDot);
+  const sig = token.slice(lastDot + 1);
+  const expected = import_crypto.default.createHmac("sha256", process.env.THIRD_AUDIENCE_SECRET ?? "ta-salt").update(payload).digest("hex");
+  if (sig.length !== expected.length) return false;
+  return import_crypto.default.timingSafeEqual(Buffer.from(sig, "hex"), Buffer.from(expected, "hex"));
+}
+
+// src/dashboard/auth.ts
+var SESSION_COOKIE = "ta_session";
+function checkApiAuth(req) {
+  const apiKeyHeader = req.headers.get("x-ta-api-key");
+  if (apiKeyHeader) return verifyApiKey(apiKeyHeader);
+  const auth = req.headers.get("authorization") ?? "";
+  if (auth.startsWith("Bearer ")) {
+    const token = auth.slice(7);
+    return verifyApiKey(token);
+  }
+  const session = req.cookies.get(SESSION_COOKIE)?.value;
+  if (session) return verifySession(session);
+  return false;
+}
+function unauthorizedResponse() {
+  return import_server.NextResponse.json(
+    { error: "Unauthorized. Provide X-TA-Api-Key header or a valid session cookie." },
+    {
+      status: 401,
+      headers: { "WWW-Authenticate": 'Bearer realm="Third Audience API"' }
+    }
+  );
+}
+
+// src/dashboard/routes/okf-graph-route.ts
+var reader = new MdxReader({ contentDir: import_path3.default.join(process.cwd(), process.env.TA_CONTENT_DIR ?? "content") });
+async function GET(req) {
+  if (!checkApiAuth(req)) return unauthorizedResponse();
+  const baseUrl = process.env.NEXT_PUBLIC_SITE_URL ?? `${req.nextUrl.protocol}//${req.nextUrl.host}`;
+  const files = reader.readAll();
+  const graph = buildOkfGraph(files, baseUrl);
+  return import_server2.NextResponse.json({
+    graph,
+    stats: {
+      pages: files.length,
+      nodes: graph.nodes.length,
+      edges: graph.edges.length
+    },
+    indexUrl: `${baseUrl}/okf`
+  });
+}
+// Annotate the CommonJS export names for ESM import in node:
+0 && (module.exports = {
+  GET
+});
+//# sourceMappingURL=okf-graph-route.js.map