MCP + CLI: Eden Treaty migration, admin tools, ACL

apps/admin/lib/api.ts

@@ -94,8 +94,12 @@ export async function getUsers({
   q?: string;
   includeDeleted?: boolean;
 } = {}): Promise<PaginatedResponse<AdminUser>> {
+  // users-list no longer accepts includeDeleted — Better Auth doesn't support
+  // user soft-delete, so the field was dead code. Caller-supplied value is
+  // ignored.
+  void includeDeleted;
   const { data, error } = await adminClient['users-list'].get({
-    query: { limit, offset, q, includeDeleted: includeDeleted ? 'true' : undefined },
+    query: { limit, offset, q },
   });
   if (error) throwOnError(error);
   return unwrap(data, 'users');
@@ -138,7 +142,7 @@ export async function getPacks({
   includeDeleted?: boolean;
 } = {}): Promise<PaginatedResponse<AdminPack>> {
   const { data, error } = await adminClient['packs-list'].get({
-    query: { limit, offset, q, includeDeleted: includeDeleted ? 'true' : undefined },
+    query: { limit, offset, q, includeDeleted },
   });
   if (error) throwOnError(error);
   return unwrap(data, 'packs');
@@ -315,7 +319,7 @@ export async function getTrailConditions({
   includeDeleted?: boolean;
 } = {}): Promise<PaginatedResponse<TrailConditionReport>> {
   const { data, error } = await adminClient.trails.conditions.get({
-    query: { q, limit, offset, includeDeleted: includeDeleted ? 'true' : undefined },
+    query: { q, limit, offset, includeDeleted },
   });
   if (error) throwOnError(error);
   return unwrap(data, 'trailConditions');

apps/expo/features/packs/hooks/usePackGapAnalysis.ts

@@ -4,7 +4,7 @@ import { apiClient } from 'expo-app/lib/api/packrat';
 export interface GapAnalysisRequest {
   destination?: string;
   tripType?: string;
-  duration?: string;
+  duration?: number;
   startDate?: string;
   endDate?: string;
 }

apps/guides/scripts/generate-og-images.ts

@@ -18,11 +18,30 @@
 
 import fs from 'node:fs';
 import path from 'node:path';
+import { isString } from '@packrat/guards';
 import { ImageResponse } from 'next/og';
 import { createElement } from 'react';
 import { getAllPosts } from '../lib/mdx-static';
 import { getGuidesOgImageElement, getPostOgImageElement, OG_IMAGE_SIZE } from '../lib/og-image';
 
+// @vercel/og auto-fetches Google Fonts when it encounters glyphs outside its
+// bundled Latin coverage. CF Pages' build network occasionally returns 4xx for
+// fonts.googleapis.com, killing the build. Intercept and return an empty 404
+// so loadGoogleFont gives up cleanly and ImageResponse falls back to bundled.
+const FONT_HOSTS = new Set(['fonts.googleapis.com', 'fonts.gstatic.com']);
+const originalFetch = globalThis.fetch;
+globalThis.fetch = (async (input: RequestInfo | URL, init?: RequestInit) => {
+  const href = isString(input) ? input : input instanceof URL ? input.href : input.url;
+  try {
+    if (FONT_HOSTS.has(new URL(href).hostname)) {
+      return new Response(null, { status: 404 });
+    }
+  } catch {
+    // Not a parseable absolute URL — fall through to the real fetch.
+  }
+  return originalFetch(input, init);
+}) as typeof fetch;
+
 const PUBLIC_DIR = path.join(import.meta.dir, '..', 'public');
 const OG_DIR = path.join(PUBLIC_DIR, 'og');
 

apps/landing/lib/og-image.tsx

@@ -78,7 +78,7 @@ export function getLandingOgImageElement(): ReactElement {
           gap: '48px',
         }}
       >
-        {['10K+ Users', '4.8★ Rating', '100% Free'].map((stat) => (
+        {['10K+ Users', '4.8/5 Rating', '100% Free'].map((stat) => (
           <div
             key={stat}
             style={{

apps/landing/scripts/generate-og-images.ts

@@ -15,10 +15,29 @@
 
 import fs from 'node:fs';
 import path from 'node:path';
+import { isString } from '@packrat/guards';
 import { ImageResponse } from 'next/og';
 import { createElement } from 'react';
 import { getLandingOgImageElement, OG_IMAGE_SIZE } from '../lib/og-image';
 
+// @vercel/og auto-fetches Google Fonts when it encounters glyphs outside its
+// bundled Latin coverage. CF Pages' build network occasionally returns 4xx for
+// fonts.googleapis.com, killing the build. Intercept and return an empty 404
+// so loadGoogleFont gives up cleanly and ImageResponse falls back to bundled.
+const FONT_HOSTS = new Set(['fonts.googleapis.com', 'fonts.gstatic.com']);
+const originalFetch = globalThis.fetch;
+globalThis.fetch = (async (input: RequestInfo | URL, init?: RequestInit) => {
+  const href = isString(input) ? input : input instanceof URL ? input.href : input.url;
+  try {
+    if (FONT_HOSTS.has(new URL(href).hostname)) {
+      return new Response(null, { status: 404 });
+    }
+  } catch {
+    // Not a parseable absolute URL — fall through to the real fetch.
+  }
+  return originalFetch(input, init);
+}) as typeof fetch;
+
 const PUBLIC_DIR = path.join(import.meta.dir, '..', 'public');
 
 async function generateOgImages(): Promise<void> {

packages/api/src/routes/admin/analytics/catalog.ts

@@ -131,7 +131,7 @@ export const catalogAnalyticsRoutes = new Elysia({ prefix: '/catalog' })
     },
     {
       query: z.object({
-        limit: z.coerce.number().int().min(1).max(100).optional().default(25),
+        limit: z.coerce.number().int().min(1).max(100).optional(),
       }),
       response: { 200: z.array(BrandRowSchema), ...AdminErrorResponses },
       detail: { tags: ['Admin'], summary: 'Top gear brands' },
@@ -227,7 +227,7 @@ export const catalogAnalyticsRoutes = new Elysia({ prefix: '/catalog' })
     },
     {
       query: z.object({
-        limit: z.coerce.number().int().min(1).max(200).optional().default(50),
+        limit: z.coerce.number().int().min(1).max(200).optional(),
       }),
       response: { 200: EtlResponseSchema, ...AdminErrorResponses },
       detail: { tags: ['Admin'], summary: 'ETL pipeline history' },
@@ -309,7 +309,7 @@ export const catalogAnalyticsRoutes = new Elysia({ prefix: '/catalog' })
     },
     {
       query: z.object({
-        limit: z.coerce.number().int().min(1).max(100).optional().default(20),
+        limit: z.coerce.number().int().min(1).max(100).optional(),
       }),
       response: { 200: EtlFailureSummarySchema, ...AdminErrorResponses },
       detail: { tags: ['Admin'], summary: 'Top ETL validation failure patterns' },
@@ -372,7 +372,7 @@ export const catalogAnalyticsRoutes = new Elysia({ prefix: '/catalog' })
     {
       params: z.object({ jobId: z.string().uuid() }),
       query: z.object({
-        limit: z.coerce.number().int().min(1).max(200).optional().default(50),
+        limit: z.coerce.number().int().min(1).max(200).optional(),
       }),
       response: { 200: EtlJobFailuresSchema, ...AdminErrorResponses },
       detail: { tags: ['Admin'], summary: 'Validation failures for a specific ETL job' },

packages/api/src/routes/admin/index.ts

@@ -4,7 +4,7 @@ import { verifyCFAccessRequest } from '@packrat/api/middleware/cfAccess';
 import { timingSafeEqual } from '@packrat/api/utils/auth';
 import { getEnv } from '@packrat/api/utils/env-validation';
 import { catalogItems, packs, users } from '@packrat/db';
-import { assertAllDefined } from '@packrat/guards';
+import { assertAllDefined, queryBoolean } from '@packrat/guards';
 import {
   AdminCatalogListSchema,
   AdminErrorResponses,
@@ -26,6 +26,13 @@ const ADMIN_TOKEN_TTL_SECONDS = 3600; // 1 hour
 const ADMIN_JWT_ISSUER = 'packrat-api';
 const ADMIN_JWT_AUDIENCE = 'packrat-admin';
 
+function checkAdminCredentials(username: string, password: string): boolean {
+  const env = getEnv();
+  const userOk = timingSafeEqual(username, env.ADMIN_USERNAME);
+  const passOk = timingSafeEqual(password, env.ADMIN_PASSWORD);
+  return userOk && passOk;
+}
+
 function basicAuthGuard(request: Request): { authorized: true } | { authorized: false } {
   const header = request.headers.get('authorization') ?? '';
   if (!header.startsWith('Basic ')) return { authorized: false };
@@ -36,10 +43,7 @@ function basicAuthGuard(request: Request): { authorized: true } | { authorized:
     if (sep === -1) return { authorized: false };
     const username = decoded.slice(0, sep);
     const password = decoded.slice(sep + 1);
-    const env = getEnv();
-    const userOk = timingSafeEqual(username, env.ADMIN_USERNAME);
-    const passOk = timingSafeEqual(password, env.ADMIN_PASSWORD);
-    if (userOk && passOk) return { authorized: true };
+    if (checkAdminCredentials(username, password)) return { authorized: true };
   } catch {
     return { authorized: false };
   }
@@ -131,6 +135,50 @@ export const adminRoutes = new Elysia({ prefix: '/admin' })
       allowedHeaders: ['Authorization', 'Content-Type'],
     }),
   )
+  // Login (body-credential variant) — same credential semantics as /token,
+  // but takes `{ username, password }` in the JSON body. Typed clients (MCP,
+  // CLI, Eden Treaty) can hit this without overriding the Authorization
+  // header. The Basic-auth /token route remains for the admin SPA.
+  .post(
+    '/login',
+    async ({ body, request }) => {
+      const env = getEnv();
+      if (env.TOKEN_RATE_LIMITER) {
+        const ip = request.headers.get('cf-connecting-ip') ?? 'unknown';
+        const { success } = await env.TOKEN_RATE_LIMITER.limit({ key: ip });
+        if (!success) return status(429, { error: 'Too many requests' });
+      }
+      const { CF_ACCESS_TEAM_DOMAIN, CF_ACCESS_AUD } = env;
+      if (CF_ACCESS_TEAM_DOMAIN && CF_ACCESS_AUD) {
+        const cfIdentity = await verifyCFAccessRequest(request, {
+          teamDomain: CF_ACCESS_TEAM_DOMAIN,
+          aud: CF_ACCESS_AUD,
+        });
+        if (!cfIdentity) return status(401, { error: 'CF Access authentication required' });
+      }
+      if (!checkAdminCredentials(body.username, body.password)) {
+        return status(401, { error: 'Invalid username or password' });
+      }
+      const token = await issueAdminJwt(body.username);
+      return { token, expiresIn: ADMIN_TOKEN_TTL_SECONDS };
+    },
+    {
+      body: z.object({
+        username: z.string().min(1),
+        password: z.string().min(1),
+      }),
+      response: {
+        200: z.object({ token: z.string(), expiresIn: z.number() }),
+        401: z.object({ error: z.string() }),
+        429: z.object({ error: z.string() }),
+      },
+      detail: {
+        tags: ['Admin'],
+        summary: 'Exchange JSON credentials for a short-lived admin JWT',
+      },
+    },
+  )
+
   // Token exchange — must be registered BEFORE the auth guard so the admin
   // SPA can exchange Basic credentials for a short-lived JWT.
   .post(
@@ -180,7 +228,9 @@ export const adminRoutes = new Elysia({ prefix: '/admin' })
     },
   )
   .onBeforeHandle(async ({ request, path }) => {
-    if (path === '/api/admin/token') return;
+    // Credential-exchange routes own their own auth gating (Basic for /token,
+    // JSON body for /login). Skip the bearer guard for both.
+    if (path === '/api/admin/token' || path === '/api/admin/login') return;
     if (request.method === 'OPTIONS') return;
     const ok = await adminAuthGuard(request);
     if (!ok) return status(401, { error: 'Unauthorized' });
@@ -275,7 +325,6 @@ export const adminRoutes = new Elysia({ prefix: '/admin' })
         limit: z.coerce.number().int().positive().max(100).optional(),
         offset: z.coerce.number().int().min(0).optional(),
         q: z.string().optional(),
-        includeDeleted: z.string().optional(),
       }),
       response: { 200: AdminUsersListSchema, ...AdminErrorResponses },
       detail: { tags: ['Admin'], summary: 'List users' },
@@ -291,6 +340,7 @@ export const adminRoutes = new Elysia({ prefix: '/admin' })
         const limit = Number(query.limit ?? 100);
         const offset = Number(query.offset ?? 0);
         const search = query.q;
+        const includeDeleted = query.includeDeleted ?? false;
         const searchFilter = search
           ? or(
               ilike(packs.name, `%${search}%`),
@@ -299,7 +349,9 @@ export const adminRoutes = new Elysia({ prefix: '/admin' })
               ilike(users.email, `%${search}%`),
             )
           : undefined;
-        const whereClause = and(eq(packs.deleted, false), searchFilter);
+        const whereClause = includeDeleted
+          ? searchFilter
+          : and(eq(packs.deleted, false), searchFilter);
 
         const [packsList, [totalRow]] = await Promise.all([
           db
@@ -349,7 +401,10 @@ export const adminRoutes = new Elysia({ prefix: '/admin' })
         limit: z.coerce.number().int().positive().max(100).optional(),
         offset: z.coerce.number().int().min(0).optional(),
         q: z.string().optional(),
-        includeDeleted: z.string().optional(),
+        // queryBoolean() instead of z.coerce.boolean() — the latter treats
+        // any non-empty string as truthy, so ?includeDeleted=false would
+        // wrongly include soft-deleted rows.
+        includeDeleted: queryBoolean(),
       }),
       response: { 200: AdminPacksListSchema, ...AdminErrorResponses },
       detail: { tags: ['Admin'], summary: 'List packs' },

packages/api/src/routes/admin/trails.ts

@@ -1,5 +1,6 @@
 import { createDb, createOsmDb } from '@packrat/api/db';
 import { trailConditionReports, users } from '@packrat/db';
+import { queryBoolean } from '@packrat/guards';
 import {
   AdminErrorResponses,
   SuccessSchema,
@@ -243,7 +244,7 @@ export const adminTrailsRoutes = new Elysia({ prefix: '/trails' })
       const limit = query.limit ?? 50;
       const offset = query.offset ?? 0;
       const search = query.q;
-      const includeDeleted = query.includeDeleted === 'true';
+      const includeDeleted = query.includeDeleted ?? false;
 
       try {
         const deletedFilter = includeDeleted ? undefined : eq(trailConditionReports.deleted, false);
@@ -300,9 +301,10 @@ export const adminTrailsRoutes = new Elysia({ prefix: '/trails' })
     {
       query: z.object({
         q: z.string().optional(),
-        limit: z.coerce.number().int().min(1).max(100).optional().default(50),
-        offset: z.coerce.number().int().min(0).optional().default(0),
-        includeDeleted: z.string().optional(),
+        // Handler defaults limit to 50, offset to 0; keep schema truly optional.
+        limit: z.coerce.number().int().min(1).max(100).optional(),
+        offset: z.coerce.number().int().min(0).optional(),
+        includeDeleted: queryBoolean(),
       }),
       response: { 200: TrailConditionsListSchema, ...AdminErrorResponses },
       detail: { tags: ['Admin'], summary: 'List all trail condition reports' },