towards multi-user

site/src/layouts/Base.astro

@@ -1,11 +1,31 @@
 ---
+import { readFileSync } from 'node:fs';
+import { join, resolve } from 'node:path';
+
 interface Props {
   title?: string;
   description?: string;
+  /** Set true on pages that must remain accessible without auth (login, register). */
+  public?: boolean;
 }
-const { title = 'BincioActivity', description = 'Your personal activity stats' } = Astro.props;
+const { title = 'BincioActivity', description = 'Your personal activity stats', public: isPublicPage = false } = Astro.props;
 const editUrl = import.meta.env.PUBLIC_EDIT_URL ?? '';
 const baseUrl = import.meta.env.BASE_URL ?? '/';
+
+// Detect whether this instance is private (multi-user, requires login to view).
+let instancePrivate = false;
+try {
+  const candidates = [
+    process.env.BINCIO_DATA_DIR,
+    resolve(process.cwd(), 'public', 'data'),
+    resolve(process.cwd(), '..', 'bincio_data'),
+  ].filter(Boolean) as string[];
+  const dataDir = candidates.find(d => { try { readFileSync(join(d, 'index.json')); return true; } catch { return false; } });
+  if (dataDir) {
+    const root = JSON.parse(readFileSync(join(dataDir, 'index.json'), 'utf-8'));
+    instancePrivate = root?.instance?.private === true;
+  }
+} catch { /* non-fatal */ }
 ---
 <!doctype html>
 <html lang="en" data-theme="dark">
@@ -28,6 +48,15 @@ const baseUrl = import.meta.env.BASE_URL ?? '/';
     });
   </script>
 
+  <!-- Auth wall: redirect to /login/ on private instances when not authenticated -->
+  {instancePrivate && !isPublicPage && (
+    <script is:inline>
+      fetch('/api/me', { credentials: 'include' })
+        .then(r => { if (r.status === 401 || r.status === 404) window.location.replace('/login/'); })
+        .catch(() => {});
+    </script>
+  )}
+
   <style is:global>
     /* ── Theme tokens ─────────────────────────────────────────────────────── */
     :root, [data-theme="dark"] {