disclosure-bureau/web/middleware.ts

/**
 * Next.js middleware — refreshes the Supabase auth session on every request,
 * so Server Components see the latest user state.
 *
 * Skipped on static assets and the static-file API to keep them fast.
 */
import { NextResponse, type NextRequest } from "next/server";
import { createServerClient, type CookieOptions } from "@supabase/ssr";

export async function middleware(request: NextRequest) {
  const url = process.env.NEXT_PUBLIC_SUPABASE_URL;
  const key = process.env.NEXT_PUBLIC_SUPABASE_ANON_KEY;

  let response = NextResponse.next({ request });

  if (!url || !key) {
    // Supabase not configured — skip auth refresh entirely
    return response;
  }

  const supabase = createServerClient(url, key, {
    cookies: {
      getAll() {
        return request.cookies.getAll();
      },
      setAll(toSet: Array<{ name: string; value: string; options?: CookieOptions }>) {
        toSet.forEach(({ name, value }) => request.cookies.set(name, value));
        response = NextResponse.next({ request });
        toSet.forEach(({ name, value, options }) => response.cookies.set(name, value, options));
      },
    },
  });

  // Trigger refresh (silently if token still valid)
  const { data: { user } } = await supabase.auth.getUser();

  // Gate /admin/* by role. Non-admin (including anonymous) gets the public
  // 404, not a redirect — we don't want to leak the existence of the route.
  const pathname = request.nextUrl.pathname;
  if (pathname.startsWith("/admin")) {
    if (!user) {
      return new NextResponse("Not Found", { status: 404 });
    }
    const { data: profile } = await supabase
      .from("profiles")
      .select("role")
      .eq("id", user.id)
      .maybeSingle();
    if (profile?.role !== "admin") {
      return new NextResponse("Not Found", { status: 404 });
    }
  }

  return response;
}

export const config = {
  matcher: [
    // Match everything EXCEPT static files + the static-file API
    "/((?!_next/static|_next/image|favicon.ico|api/static).*)",
  ],
};
baseline: Disclosure Bureau pipeline + Next.js UI + Supabase stack 2026-05-18 01:44:36 +00:00			`/**`
			`* Next.js middleware — refreshes the Supabase auth session on every request,`
			`* so Server Components see the latest user state.`
			`*`
			`* Skipped on static assets and the static-file API to keep them fast.`
			`*/`
			`import { NextResponse, type NextRequest } from "next/server";`
			`import { createServerClient, type CookieOptions } from "@supabase/ssr";`

			`export async function middleware(request: NextRequest) {`
			`const url = process.env.NEXT_PUBLIC_SUPABASE_URL;`
			`const key = process.env.NEXT_PUBLIC_SUPABASE_ANON_KEY;`

			`let response = NextResponse.next({ request });`

			`if (!url \|\| !key) {`
			`// Supabase not configured — skip auth refresh entirely`
			`return response;`
			`}`

			`const supabase = createServerClient(url, key, {`
			`cookies: {`
			`getAll() {`
			`return request.cookies.getAll();`
			`},`
			`setAll(toSet: Array<{ name: string; value: string; options?: CookieOptions }>) {`
			`toSet.forEach(({ name, value }) => request.cookies.set(name, value));`
			`response = NextResponse.next({ request });`
			`toSet.forEach(({ name, value, options }) => response.cookies.set(name, value, options));`
			`},`
			`},`
			`});`

			`// Trigger refresh (silently if token still valid)`
guard /admin/* by role + filter chat artifacts to cited chunks middleware.ts now checks profiles.role on every /admin/* request and returns a plain 404 (not a redirect) for anonymous users and any authenticated user without role='admin'. The 404 wording matches a non-existent route, so we don't leak the existence of an admin area. gutomec@gmail.com promoted to admin in the live DB. openrouter.ts chat now collects artifacts silently during the tool-call loop instead of streaming them to the SSE. After the model writes its final prose (and after the forced-synthesis pass if needed), we scan the assembled text for [[doc-id/p007#cNNNN]] citations and emit ONLY the artifacts referenced. Duplicates are deduped by chunk_id. The persisted citations column on messages now stores the filtered set too, so old sessions reload with the same focused card grid. Before: every hybrid_search hit (up to 6 per call × 5 calls = 30+ citation cards plus crop images) flooded the chat regardless of what the model ended up using. After: only the chunks actually woven into the answer. 2026-05-18 20:41:35 +00:00			`const { data: { user } } = await supabase.auth.getUser();`

			`// Gate /admin/* by role. Non-admin (including anonymous) gets the public`
			`// 404, not a redirect — we don't want to leak the existence of the route.`
			`const pathname = request.nextUrl.pathname;`
			`if (pathname.startsWith("/admin")) {`
			`if (!user) {`
			`return new NextResponse("Not Found", { status: 404 });`
			`}`
			`const { data: profile } = await supabase`
			`.from("profiles")`
			`.select("role")`
			`.eq("id", user.id)`
			`.maybeSingle();`
			`if (profile?.role !== "admin") {`
			`return new NextResponse("Not Found", { status: 404 });`
			`}`
			`}`
baseline: Disclosure Bureau pipeline + Next.js UI + Supabase stack 2026-05-18 01:44:36 +00:00
			`return response;`
			`}`

			`export const config = {`
			`matcher: [`
			`// Match everything EXCEPT static files + the static-file API`
			`"/((?!_next/static\|_next/image\|favicon.ico\|api/static).*)",`
			`],`
			`};`