Add functionality to hide setup page; implement disable setup endpoint and storage management

src/router.ts

@@ -35,7 +35,7 @@ import {
 import { handleSync } from './handlers/sync';
 
 // Setup handlers
-import { handleSetupPage, handleSetupStatus } from './handlers/setup';
+import { handleSetupPage, handleSetupStatus, handleDisableSetup } from './handlers/setup';
 
 // Import handler
 import { handleCiphersImport } from './handlers/import';
@@ -99,6 +99,11 @@ export async function handleRequest(request: Request, env: Env): Promise<Respons
       return handleSetupStatus(request, env);
     }
 
+    // Disable setup page (one-way)
+    if (path === '/setup/disable' && method === 'POST') {
+      return handleDisableSetup(request, env);
+    }
+
     // Favicon - return empty
     if (path === '/favicon.ico') {
       return new Response(null, { status: 204 });
@@ -209,6 +214,22 @@ export async function handleRequest(request: Request, env: Env): Promise<Respons
     // Increment rate limit counter
     await rateLimit.incrementApiCount(userId + ':' + clientId);
 
+    // Block account operations that could change password or delete user
+    if (method === 'POST' || method === 'PUT' || method === 'DELETE') {
+      const blockedAccountPaths = new Set([
+        '/api/accounts/password',
+        '/api/accounts/change-password',
+        '/api/accounts/set-password',
+        '/api/accounts/master-password',
+        '/api/accounts/delete',
+        '/api/accounts/delete-account',
+        '/api/accounts/delete-vault',
+      ]);
+      if (blockedAccountPaths.has(path)) {
+        return errorResponse('This operation is disabled', 403);
+      }
+    }
+
     // Account endpoints
     if (path === '/api/accounts/profile') {
       if (method === 'GET') return handleGetProfile(request, env, userId);