Systemorph · sierragolflima · Apr 27, 2026 · Mar 19, 2026 · Mar 20, 2026 · Mar 30, 2026
diff --git a/.claude/settings.json b/.claude/settings.json
@@ -5,15 +5,26 @@
       "Bash(aspire mcp:*)",
       "Bash(az account:*)",
       "Bash(az containerapp * list:*)",
+      "Bash(az containerapp * logs:*)",
       "Bash(az containerapp * show:*)",
+      "Bash(az containerapp list:*)",
       "Bash(az containerapp logs:*)",
+      "Bash(az containerapp show:*)",
+      "Bash(az group list:*)",
+      "Bash(az group show:*)",
       "Bash(az monitor * list:*)",
       "Bash(az monitor * show:*)",
       "Bash(az monitor activity-log:*)",
+      "Bash(az monitor list:*)",
       "Bash(az monitor log-analytics query:*)",
       "Bash(az monitor metrics:*)",
+      "Bash(az monitor show:*)",
       "Bash(az postgres * list:*)",
       "Bash(az postgres * show:*)",
+      "Bash(az postgres list:*)",
+      "Bash(az postgres show:*)",
+      "Bash(az resource list:*)",
+      "Bash(az resource show:*)",
       "Bash(cat:*)",
       "Bash(claude:*)",
       "Bash(cmp:*)",
@@ -107,6 +118,7 @@
     ],
     "deny": [
       "Bash(az group delete:*)",
+      "Bash(az resource delete:*)",
       "Bash(git push --force:*)",
       "Bash(git push -f:*)",
       "Bash(git reset --hard:*)",

diff --git a/MeshWeaver.slnx b/MeshWeaver.slnx
@@ -145,6 +145,7 @@
     <Project Path="test/MeshWeaver.Persistence.Test/MeshWeaver.Persistence.Test.csproj" />
     <Project Path="test/MeshWeaver.Autocomplete.Test/MeshWeaver.Autocomplete.Test.csproj" />
     <Project Path="test/MeshWeaver.Query.Test/MeshWeaver.Query.Test.csproj" />
+    <Project Path="test/Memex.Portal.Shared.Test/Memex.Portal.Shared.Test.csproj" />
   </Folder>
   <Project Path="test/MeshWeaver.MemexTemplate.Test/MeshWeaver.MemexTemplate.Test.csproj" />
   <Folder Name="/tools/">

diff --git a/dist/templates/samples/Graph/Data/ACME/_Access/Public_Access.json b/dist/templates/samples/Graph/Data/ACME/_Access/Public_Access.json
diff --git a/memex/Memex.Portal.Monolith/Program.cs b/memex/Memex.Portal.Monolith/Program.cs
@@ -1,5 +1,6 @@
 using Memex.Portal.ServiceDefaults;
 using Memex.Portal.Shared;
+using MeshWeaver.AI;
 using MeshWeaver.ContentCollections;
 using MeshWeaver.Graph.Configuration;
 using MeshWeaver.Hosting;

diff --git a/memex/Memex.Portal.Shared/Authentication/OnboardingMiddleware.cs b/memex/Memex.Portal.Shared/Authentication/OnboardingMiddleware.cs
@@ -34,6 +34,7 @@ public class OnboardingMiddleware(RequestDelegate next, ILogger<OnboardingMiddle
         "/static/",
         "/favicon.ico",
         "/mcp",
+        "/signin-",
     };
 
     public async Task InvokeAsync(HttpContext context)

diff --git a/memex/Memex.Portal.Shared/Authentication/VirtualUserMiddleware.cs b/memex/Memex.Portal.Shared/Authentication/VirtualUserMiddleware.cs
@@ -23,10 +23,13 @@ public class VirtualUserMiddleware(RequestDelegate next, ILogger<VirtualUserMidd
 {
     private const string CookieName = "meshweaver_virtual_user";
 
+    private static readonly string[] ExcludedPrefixes =
+        ["/_framework", "/_content", "/_blazor", "/static/", "/favicon.ico", "/mcp"];
+
     public async Task InvokeAsync(HttpContext context)
     {
-        // Skip virtual user assignment for MCP requests — they should get 401, not a virtual identity
-        if (context.Request.Path.StartsWithSegments("/mcp"))
+        var path = context.Request.Path.Value ?? "";
+        if (ExcludedPrefixes.Any(p => path.StartsWith(p, StringComparison.OrdinalIgnoreCase)))
         {
             await next(context);
             return;

diff --git a/memex/Memex.Portal.Shared/MemexConfiguration.cs b/memex/Memex.Portal.Shared/MemexConfiguration.cs
@@ -66,6 +66,9 @@ public static void ConfigureMemexServices(this WebApplicationBuilder builder)
         // Trust forwarded headers from Azure Container Apps reverse proxy
         services.Configure<ForwardedHeadersOptions>(options =>
         {
+            options.ForwardedHeaders = Microsoft.AspNetCore.HttpOverrides.ForwardedHeaders.XForwardedFor
+                                     | Microsoft.AspNetCore.HttpOverrides.ForwardedHeaders.XForwardedProto
+                                     | Microsoft.AspNetCore.HttpOverrides.ForwardedHeaders.XForwardedHost;
             options.KnownIPNetworks.Clear();
             options.KnownProxies.Clear();
         });
@@ -360,10 +363,15 @@ public TBuilder ConfigureMemexMesh(IConfiguration configuration, bool isDevelopm
                 // Each hub gets its own "content" collection pointing to a subdirectory
                 .ConfigureDefaultNodeHub(config =>
                 {
+                    // Declared before the if-block so it's available for both the "content"
+                    // collection mapping below and the "attachments" mapping further down.
+                    var nodePath = config.Address.ToString();
+
                     if (contentStorageConfig != null)
                     {
-                        var nodePath = config.Address.ToString();
-                        var contentSubdir = nodePath;
+                        // Scope static media (SVG, PNG, JPG) to a per-node subdirectory
+                        // so each hub serves only its own content files.
+                        var contentSubdir = $"content/{nodePath}";
                         // Combine with original BasePath for FileSystem; for AzureBlob, subdirectory is the blob prefix
                         var basePath = string.IsNullOrEmpty(contentStorageConfig.BasePath)
                             ? contentSubdir
@@ -381,6 +389,10 @@ public TBuilder ConfigureMemexMesh(IConfiguration configuration, bool isDevelopm
                         config = config.AddContentCollection(_ => nodeContentConfig);
                     }
 
+                    // Map "attachments" to "storage" with per-node subdirectory
+                    // (needed by FutuRe and other samples that store datacube.csv, etc.)
+                    config = config.MapContentCollection("attachments", "storage", $"attachments/{nodePath}");
+
                     return config
                         .WithHeartBeatHandler() // silently ack heartbeats on every per-node hub
                         .AddDefaultLayoutAreas()
@@ -430,11 +442,9 @@ public static void StartMemexApplication<TApp>(this WebApplication app) where TA
 
         // Forward headers from reverse proxy (Azure Container Apps) so OIDC
         // middleware constructs redirect URIs with the correct scheme and host.
-        app.UseForwardedHeaders(new ForwardedHeadersOptions
-        {
-            ForwardedHeaders = Microsoft.AspNetCore.HttpOverrides.ForwardedHeaders.XForwardedFor
-                             | Microsoft.AspNetCore.HttpOverrides.ForwardedHeaders.XForwardedProto
-        });
+        // Always enabled: in production it reads X-Forwarded-* from the ACA proxy;
+        // in local dev it's a no-op since no proxy sets those headers.
+        app.UseForwardedHeaders();
 
         // Static files middleware must run before routing to serve _content/* paths from RCLs
         app.UseStaticFiles();

diff --git a/memex/Memex.Portal.Shared/Pages/Index.razor b/memex/Memex.Portal.Shared/Pages/Index.razor
@@ -13,13 +13,15 @@
 }
 
 @code {
+    private AccessContext? UserContext => AccessService?.Context ?? AccessService?.CircuitContext;
+
     private bool IsRealUser =>
-        AccessService?.Context != null
-        && !string.IsNullOrEmpty(AccessService.Context.ObjectId)
-        && !AccessService.Context.IsVirtual
-        && !string.Equals(AccessService.Context.ObjectId, WellKnownUsers.Anonymous, StringComparison.OrdinalIgnoreCase);
+        UserContext != null
+        && !string.IsNullOrEmpty(UserContext.ObjectId)
+        && !UserContext.IsVirtual
+        && !string.Equals(UserContext.ObjectId, WellKnownUsers.Anonymous, StringComparison.OrdinalIgnoreCase);
 
-    private string UserAddress => $"User/{AccessService?.Context?.ObjectId}";
+    private string UserAddress => $"User/{UserContext?.ObjectId}";
 
     protected override void OnInitialized()
     {

diff --git a/memex/Memex.Portal.Shared/Pages/Login.razor b/memex/Memex.Portal.Shared/Pages/Login.razor
@@ -1,4 +1,5 @@
 @page "/login"
+@using Microsoft.AspNetCore.Components.Authorization
 @using MeshWeaver.Blazor.Portal.Authentication
 @inject IAuthenticationNavigationService AuthNavService
 @inject NavigationManager Navigation
@@ -51,6 +52,9 @@
     [SupplyParameterFromQuery(Name = "error")]
     public string? ErrorMessage { get; set; }
 
+    [CascadingParameter]
+    private Task<AuthenticationState>? AuthStateTask { get; set; }
+
     private IReadOnlyList<ExternalProviderConfig> Providers { get; set; } = [];
     private bool ShowDevLogin { get; set; }
 
@@ -60,8 +64,18 @@
         Navigation.NavigateTo(url, forceLoad: true);
     }
 
-    protected override void OnInitialized()
+    protected override async Task OnInitializedAsync()
     {
+        if (AuthStateTask is not null)
+        {
+            var authState = await AuthStateTask;
+            if (authState.User?.Identity?.IsAuthenticated == true)
+            {
+                Navigation.NavigateTo(ReturnUrl ?? "/", forceLoad: true);
+                return;
+            }
+        }
+
         if (AuthNavService is AuthenticationNavigationService navService)
         {
             Providers = navService.GetAvailableProviders();