build: Update library assets with UI visibility fix

- Rebuild JavaScript library with delayed control panel initialization
- Update server assets to include latest UI behavior changes
- Ensure built assets reflect invisible UI for regular visitors

The control panel now only appears after gate activation, maintaining
the invisible CMS principle for end users.

cmd/serve.go

@@ -19,6 +19,7 @@ import (
 	"github.com/insertr/insertr/internal/auth"
 	"github.com/insertr/insertr/internal/content"
 	"github.com/insertr/insertr/internal/db"
+	"github.com/insertr/insertr/internal/engine"
 )
 
 var serveCmd = &cobra.Command{
@@ -59,10 +60,14 @@ func runServe(cmd *cobra.Command, args []string) {
 	// Initialize authentication service
 	authConfig := &auth.AuthConfig{
 		DevMode:   viper.GetBool("dev_mode"),
-		JWTSecret: viper.GetString("jwt_secret"),
+		Provider:  viper.GetString("auth.provider"),
+		JWTSecret: viper.GetString("auth.jwt_secret"),
 	}
 
-	// Set default JWT secret if not configured
+	// Set default values
+	if authConfig.Provider == "" {
+		authConfig.Provider = "mock"
+	}
 	if authConfig.JWTSecret == "" {
 		authConfig.JWTSecret = "dev-secret-change-in-production"
 		if authConfig.DevMode {
@@ -70,13 +75,46 @@ func runServe(cmd *cobra.Command, args []string) {
 		}
 	}
 
-	authService := auth.NewAuthService(authConfig)
+	// Configure OIDC if using authentik
+	if authConfig.Provider == "authentik" {
+		oidcConfig := &auth.OIDCConfig{
+			Endpoint:     viper.GetString("auth.oidc.endpoint"),
+			ClientID:     viper.GetString("auth.oidc.client_id"),
+			ClientSecret: viper.GetString("auth.oidc.client_secret"),
+			RedirectURL:  fmt.Sprintf("http://localhost:%d/auth/callback", port),
+		}
+
+		// Support environment variables for sensitive values
+		if clientSecret := os.Getenv("AUTHENTIK_CLIENT_SECRET"); clientSecret != "" {
+			oidcConfig.ClientSecret = clientSecret
+		}
+		if endpoint := os.Getenv("AUTHENTIK_ENDPOINT"); endpoint != "" {
+			oidcConfig.Endpoint = endpoint
+		}
+
+		authConfig.OIDC = oidcConfig
+
+		// Validate required OIDC config
+		if oidcConfig.Endpoint == "" || oidcConfig.ClientID == "" || oidcConfig.ClientSecret == "" {
+			log.Fatalf("❌ Authentik OIDC configuration incomplete. Required: endpoint, client_id, client_secret")
+		}
+
+		log.Printf("🔐 Using Authentik OIDC provider: %s", oidcConfig.Endpoint)
+	} else {
+		log.Printf("🔑 Using auth provider: %s", authConfig.Provider)
+	}
+
+	authService, err := auth.NewAuthService(authConfig)
+	if err != nil {
+		log.Fatalf("Failed to initialize authentication service: %v", err)
+	}
 
 	// Initialize content client for site manager
 	contentClient := content.NewDatabaseClient(database)
 
-	// Initialize site manager
-	siteManager := content.NewSiteManager(contentClient, devMode)
+	// Initialize site manager with auth provider
+	authProvider := &engine.AuthProvider{Type: authConfig.Provider}
+	siteManager := content.NewSiteManagerWithAuth(contentClient, devMode, authProvider)
 
 	// Load sites from configuration
 	if siteConfigs := viper.Get("server.sites"); siteConfigs != nil {
@@ -146,6 +184,12 @@ func runServe(cmd *cobra.Command, args []string) {
 	router.Get("/insertr.js", contentHandler.ServeInsertrJS)
 	router.Get("/insertr.css", contentHandler.ServeInsertrCSS)
 
+	// Auth routes
+	router.Route("/auth", func(authRouter chi.Router) {
+		authRouter.Get("/login", authService.HandleOAuthLogin)
+		authRouter.Get("/callback", authService.HandleOAuthCallback)
+	})
+
 	// API routes
 	router.Route("/api", func(apiRouter chi.Router) {
 		// Site enhancement endpoint