fix(db): bump temporary-notes migration timestamp past share-aliases (#201)

develop merged 20260626T130000-share-aliases; rename this PR's migration to
20260626T140000 so the two no longer share a timestamp prefix.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

.gitignore

@@ -42,6 +42,7 @@ lerna-debug.log*
 .nx/installation
 .nx/cache
 .claude/worktrees/
+.claude/tmp/
 
 # TypeScript incremental build artifacts
 *.tsbuildinfo

AGENTS.md

@@ -283,37 +283,46 @@ Vite SPA. Code is organized by feature under `apps/client/src/features/*` (mirro
 
 ### Cutting a release
 
-The git tag is the source of truth for the displayed version (UI reads `git describe --tags`); the `package.json` bump is metadata only. Steps:
+The git tag is the source of truth for the displayed version (the client UI reads `git describe --tags` via `vite.config.ts`); the `package.json` bump is metadata that backs the server `/version` endpoint (`version.service.ts`).
 
-1. Make sure `main` is clean and pushed (`git status`, `git push`).
+**Golden rule — tag on `develop` first, merge to `main` afterwards.** Cut the version-bump commit on `develop`, put the tag on *that* commit, and push it. Merge `develop` into `main` later (it does not block the tag or the release). Because the tag is in `develop`'s ancestry from the moment it is created, `git describe` on `develop` — and the `ghcr.io/vvzvlad/gitmost:develop` image — reports the new version immediately, with **no back-merge dance**. Do **not** tag `main`'s merge commit; that is the mistake described in the pitfall below (we hit it twice).
+
+Steps:
+
+1. Make sure `develop` is up to date, clean, and pushed to **both** remotes (`git status`; `git push gitea develop && git push github develop`).
 2. Pick `vX.Y.Z` (SemVer): **minor** bump for a batch of features, **patch** for fixes only. Review what landed with `git log <last-tag>..HEAD --no-merges`.
-3. Bump `"version"` to `X.Y.Z` in the **root** `package.json`, `apps/client/package.json`, and `apps/server/package.json` (keep all three in sync). Leave `packages/mcp` alone — it is versioned independently. Commit with the bare version as the subject, e.g. `0.91.0` (matches past bump commits).
+3. Bump `"version"` to `X.Y.Z` in the **root** `package.json`, `apps/client/package.json`, and `apps/server/package.json` (keep all three in sync). Leave `packages/mcp` alone — it is versioned independently. Commit **on `develop`** with the bare version as the subject, e.g. `0.94.1` (matches past bump commits).
-4. Update `CHANGELOG.md` (Keep a Changelog format): add a `## [X.Y.Z] - YYYY-MM-DD` section summarising `git log vPREV..HEAD --no-merges` grouped by type (Breaking / Added / Changed / Fixed / Removed), and add the `compare/vPREV...vX.Y.Z` link at the bottom. Fold the bump + changelog into the release commit.
+4. For a real release (skip for a bare hotfix tag), update `CHANGELOG.md` (Keep a Changelog format): add a `## [X.Y.Z] - YYYY-MM-DD` section summarising `git log vPREV..HEAD --no-merges` grouped by type (Breaking / Added / Changed / Fixed / Removed), and the `compare/vPREV...vX.Y.Z` link at the bottom. Fold it into the bump commit.
-5. Tag the release commit with a **lightweight** tag (existing release tags are lightweight): `git tag vX.Y.Z`.
+5. Tag that develop commit with a **lightweight** tag (existing release tags are lightweight): `git tag vX.Y.Z`.
-6. Push commit and tag: `git push origin main && git push origin vX.Y.Z`. Pushing the `v*` tag triggers `release.yml` (multi-arch GHCR images + a draft GitHub Release).
+6. Push the branch **and** the tag to **both** writable remotes — `git push <branch>` does **not** push tags, and tags are per-remote:
-7. **Back-merge the release into `develop`** so develop builds report the new version: `git checkout develop && git merge --no-ff main && git push origin develop` (push to Gitea as well if that is the canonical remote).
+   ```bash
+   git push gitea develop && git push gitea vX.Y.Z
+   git push github develop && git push github vX.Y.Z
+   ```
+   Pushing the `v*` tag to `github` triggers `release.yml` (multi-arch GHCR images + a draft GitHub Release). The tag *must* exist on `github`, because the `:develop` and release images are built there by GitHub Actions and `git describe` on the runner only sees the tags present on `github` (not your local clone or `gitea`).
+7. Merge `develop` into `main` when ready (commonly later — this does not gate the release):
+   ```bash
+   git checkout main
+   git merge --ff-only develop   # or a merge commit if fast-forward is not possible
+   git push gitea main && git push github main
+   ```
+   The tag is already reachable from `main` (it lives in the `develop` history that `main` now contains), so `main` reports `vX.Y.Z` too — no extra tagging needed.
 
-#### Why develop keeps showing the *previous* version (and why step 7 matters)
+#### Pitfall: tagging `main` instead of `develop` (the mistake to avoid)
 
-The UI version is `git describe --tags --always` (see `vite.config.ts`), which walks **backwards from the current commit** and picks the **nearest tag reachable in that commit's ancestry**, then appends `-<commits-since-tag>-g<short-hash>`.
+`git describe --tags --always` (see `vite.config.ts`) walks **backwards from the current commit** and picks the **nearest tag reachable in that commit's ancestry**, then appends `-<commits-since-tag>-g<short-hash>`.
 
-The release tag (`vX.Y.Z`) is created on **`main`'s release merge commit**, and that commit is **not** in `develop`'s history. So until the release is back-merged, `git describe` on `develop` cannot see the new tag and falls back to the *previous* reachable tag. Result: every develop build — and the `ghcr.io/vvzvlad/gitmost:develop` image — keeps reporting e.g. `v0.91.0-NNN-g<hash>` even though `main` is already tagged `v0.93.0`. This is the classic git-flow pitfall: the version on `develop` does **not** advance just because a release was tagged on `main`.
+The wrong flow we fell into twice: merge `develop` into `main` *first*, then tag `main`'s **release merge commit**. That merge commit is **not** in `develop`'s history, so `git describe` on `develop` cannot see the new tag and falls back to the *previous* reachable one. Result: every develop build — and the `ghcr.io/vvzvlad/gitmost:develop` image — keeps reporting e.g. `v0.93.0-NNN-g<hash>` even though a release was "cut". Tagging on `develop` (the golden rule above) avoids this entirely: the tag is in `develop`'s ancestry from the start, and `main` still gets it once `develop` is merged in.
 
-Back-merging `main → develop` (step 7) pulls the tagged release commit into `develop`'s ancestry, after which develop builds correctly show `vX.Y.Z-NNN-g<hash>`. If `develop` already drifted (release tagged but never back-merged), just run step 7 now — no new tag is needed.
+Second gotcha — the tag must exist on the remote CI builds from. `git describe` names a tag **ref**, not just a commit. The `:develop` and release images are built by GitHub Actions (`develop.yml` / `release.yml`, `actions/checkout` with `fetch-depth: 0`), so the version they print depends on which tags exist **on the `github` remote** — not on your local clone or on `gitea`. `git push <branch>` does **not** push tags; push them explicitly to **each** remote (`gitea` and `github`). A tag that only lives on `gitea` is invisible to the GitHub build.
 
-##### The tag must also exist on the remote that CI builds from (multi-remote gotcha)
+If you already tagged `main` (or `develop` still shows the old version), recover without re-tagging:
 
-`git describe` names a tag **ref**, not just a commit — so the back-merge is *necessary but not sufficient*. The develop image is built by GitHub Actions (`develop.yml`, `actions/checkout` with `fetch-depth: 0`, then `git describe --tags --always`), so the version it prints depends on which tags exist **on the `github` remote**, not on your local clone or on `gitea`.
+1. Make the tagged commit reachable from `develop` — either back-merge `main → develop` (`git checkout develop && git merge --no-ff main`), or confirm the tagged commit is already an ancestor of `develop`.
+2. Make sure the tag exists on `github`: compare `git ls-remote --tags github` with `gitea`, and push the missing one (`git push github vX.Y.Z` / `git push gitea vX.Y.Z`). Pushing a `v*` tag to `github` also fires `release.yml` — expected, just be aware.
+3. Re-run the develop build (`gh workflow run Develop`, or push any commit to `develop`) so `git describe` re-resolves with the tag now in scope.
 
-This repo has two writable remotes — `gitea` (canonical, where commits land) and `github` (where the `:develop` and release images are built) — plus `upstream` (docmost, never push). **`git push <branch>` does NOT push tags**; tags must be pushed explicitly and *to each remote separately*. A release tag that only lives on `gitea` is invisible to the GitHub Actions build: even with the tagged commit fully in `develop`'s history (step 7 done), `git describe` on the GitHub runner falls back to the previous tag it *does* have, so the develop image keeps showing e.g. `v0.91.0-NNN` while `git describe` locally already says `v0.93.0-NN`.
+(There is no `origin` remote here — push to `gitea` **and** `github` explicitly, and always push release tags to both.)
-
-Fix / checklist when develop still shows the old version after a back-merge:
-
-1. Confirm the tag is missing on github: `git ls-remote --tags github` (compare with `gitea`).
-2. Push it there: `git push github vX.Y.Z` (and `git push gitea vX.Y.Z` if it is missing on gitea too). Note: pushing a `v*` tag to `github` also triggers `release.yml` (multi-arch GHCR images + draft Release) — expected, but be aware.
-3. Re-run the develop build (`gh workflow run Develop`, or push any commit to `develop`) so `git describe` re-resolves with the tag now present.
-
-(The `git push origin ...` in steps 6–7 above is shorthand — there is no `origin` remote here; substitute `gitea` **and** `github` as appropriate, and always push release tags to both.)
 
 ## Planning docs
 

CHANGELOG.md

@@ -22,6 +22,26 @@ per-workspace rolling-day token budget.
 
 ### Added
 
+- **Custom pretty-links for shared pages (`/l/:alias`).** A page editor can give
+  any publicly shared page a short, memorable, workspace-scoped vanity address
+  backed by a new `share_aliases` table. Hitting `/l/<alias>` issues a `302`
+  (never `301`, since the target is retargetable) to the canonical
+  `/share/<key>/p/<slug>` page; an unknown, dangling, or no-longer-readable alias
+  serves the plain SPA index so that the existence of a name never leaks. An
+  alias can be moved to another page (with a confirm-reassign guard) and the
+  foreign key is `ON DELETE SET NULL`, so deleting the target leaves a dangling
+  alias any workspace member can reclaim. (#205)
+
+- **Temporary notes — auto-move to Trash after a workspace lifetime.** A note can
+  be marked temporary so it auto-moves to Trash once a configurable workspace
+  lifetime elapses (default `DEFAULT_TEMPORARY_NOTE_HOURS` = 24h) unless made
+  permanent first. The deadline is frozen at creation time, so later changes to
+  the workspace setting never reschedule existing notes; an hourly background
+  sweep trashes notes past their deadline (children ride along). An open
+  temporary note shows a banner with a "Make permanent" rescue action; restoring
+  a note from Trash disarms the timer so it is not immediately re-trashed.
+  Operators configure the lifetime per workspace. (#201)
+
 - **Persistent AI-chat history as the source of truth + server-side export.**
   An assistant turn is now persisted to the database step by step: the row is
   inserted upfront as `streaming` and updated as each agent step finishes, then

apps/client/public/locales/en-US/translation.json

@@ -598,6 +598,17 @@
   "Are you sure you want to permanently delete '{{title}}'? This action cannot be undone.": "Are you sure you want to permanently delete '{{title}}'? This action cannot be undone.",
   "Restore '{{title}}' and its sub-pages?": "Restore '{{title}}' and its sub-pages?",
   "Move to trash": "Move to trash",
+  "Make temporary": "Make temporary",
+  "Make permanent": "Make permanent",
+  "New temporary note": "New temporary note",
+  "Temporary note": "Temporary note",
+  "Temporary notes": "Temporary notes",
+  "Temporary note — moves to trash unless made permanent": "Temporary note — moves to trash unless made permanent",
+  "Note will move to trash unless made permanent": "Note will move to trash unless made permanent",
+  "Note is now permanent": "Note is now permanent",
+  "Temporary note lifetime (hours)": "Temporary note lifetime (hours)",
+  "A temporary note is automatically moved to trash after this many hours unless it is made permanent. The deadline is fixed when the note is created.": "A temporary note is automatically moved to trash after this many hours unless it is made permanent. The deadline is fixed when the note is created.",
+  "This temporary note moves to trash {{time}} (with its sub-pages) unless made permanent.": "This temporary note moves to trash {{time}} (with its sub-pages) unless made permanent.",
   "Move this page to trash?": "Move this page to trash?",
   "Restore page": "Restore page",
   "Permanently delete": "Permanently delete",
@@ -1318,5 +1329,15 @@
   "Protocol": "Protocol",
   "How chat requests are sent and how reasoning is surfaced": "How chat requests are sent and how reasoning is surfaced",
   "OpenAI-compatible (surfaces reasoning)": "OpenAI-compatible (surfaces reasoning)",
-  "OpenAI (official)": "OpenAI (official)"
+  "OpenAI (official)": "OpenAI (official)",
+  "Custom address": "Custom address",
+  "A short, memorable link you can point at any shared page.": "A short, memorable link you can point at any shared page.",
+  "Use 2-60 lowercase letters, digits and hyphens": "Use 2-60 lowercase letters, digits and hyphens",
+  "This address is already in use": "This address is already in use",
+  "Move custom address?": "Move custom address?",
+  "Move here": "Move here",
+  "The address \"{{alias}}\" currently points to \"{{title}}\". Move it to this page?": "The address \"{{alias}}\" currently points to \"{{title}}\". Move it to this page?",
+  "The address \"{{alias}}\" is already in use. Move it to this page?": "The address \"{{alias}}\" is already in use. Move it to this page?",
+  "Failed to set custom address": "Failed to set custom address",
+  "Failed to remove custom address": "Failed to remove custom address"
 }

apps/client/public/locales/ru-RU/translation.json

@@ -607,6 +607,17 @@
   "Are you sure you want to permanently delete '{{title}}'? This action cannot be undone.": "Вы уверены, что хотите окончательно удалить '{{title}}'? Это действие невозможно отменить.",
   "Restore '{{title}}' and its sub-pages?": "Восстановить '{{title}}' и её подстраницы?",
   "Move to trash": "Переместить в корзину",
+  "Make temporary": "Сделать временной",
+  "Make permanent": "Сделать постоянной",
+  "New temporary note": "Новая временная заметка",
+  "Temporary note": "Временная заметка",
+  "Temporary notes": "Временные заметки",
+  "Temporary note — moves to trash unless made permanent": "Временная заметка — уедет в корзину, если не сделать постоянной",
+  "Note will move to trash unless made permanent": "Заметка уедет в корзину, если не сделать её постоянной",
+  "Note is now permanent": "Заметка теперь постоянная",
+  "Temporary note lifetime (hours)": "Время жизни временной заметки (часы)",
+  "A temporary note is automatically moved to trash after this many hours unless it is made permanent. The deadline is fixed when the note is created.": "Временная заметка автоматически уезжает в корзину через указанное число часов, если не сделать её постоянной. Дедлайн фиксируется при создании заметки.",
+  "This temporary note moves to trash {{time}} (with its sub-pages) unless made permanent.": "Эта временная заметка уедет в корзину {{time}} (вместе с подстраницами), если не сделать её постоянной.",
   "Move this page to trash?": "Переместить эту страницу в корзину?",
   "Restore page": "Восстановить страницу",
   "Permanently delete": "Удалить навсегда",
@@ -1175,5 +1186,15 @@
   "Protocol": "Протокол",
   "How chat requests are sent and how reasoning is surfaced": "Как отправляются запросы чата и как показывается reasoning",
   "OpenAI-compatible (surfaces reasoning)": "OpenAI-совместимый (показывает reasoning)",
-  "OpenAI (official)": "OpenAI (официальный)"
+  "OpenAI (official)": "OpenAI (официальный)",
+  "Custom address": "Пользовательский адрес",
+  "A short, memorable link you can point at any shared page.": "Короткая запоминающаяся ссылка, которую можно направить на любую опубликованную страницу.",
+  "Use 2-60 lowercase letters, digits and hyphens": "Используйте 2–60 строчных букв, цифр и дефисов",
+  "This address is already in use": "Этот адрес уже занят",
+  "Move custom address?": "Переместить пользовательский адрес?",
+  "Move here": "Переместить сюда",
+  "The address \"{{alias}}\" currently points to \"{{title}}\". Move it to this page?": "Адрес «{{alias}}» сейчас указывает на «{{title}}». Переместить его на эту страницу?",
+  "The address \"{{alias}}\" is already in use. Move it to this page?": "Адрес «{{alias}}» уже используется. Переместить его на эту страницу?",
+  "Failed to set custom address": "Не удалось задать пользовательский адрес",
+  "Failed to remove custom address": "Не удалось удалить пользовательский адрес"
 }

apps/client/src/features/editor/full-editor.tsx

@@ -26,6 +26,7 @@ import { FixedToolbar } from "@/features/editor/components/fixed-toolbar/fixed-t
 import { PageEditMode } from "@/features/user/types/user.types.ts";
 import { useAsideTriggerProps } from "@/hooks/use-toggle-aside.tsx";
 import { DeletedPageBanner } from "@/features/page/trash/components/deleted-page-banner.tsx";
+import { TemporaryNoteBanner } from "@/features/page/components/temporary-note-banner.tsx";
 import clsx from "clsx";
 import {
   currentPageEditModeAtom,
@@ -37,6 +38,7 @@ const MemoizedTitleEditor = React.memo(TitleEditor);
 const MemoizedPageEditor = React.memo(PageEditor);
 const MemoizedFixedToolbar = React.memo(FixedToolbar);
 const MemoizedDeletedPageBanner = React.memo(DeletedPageBanner);
+const MemoizedTemporaryNoteBanner = React.memo(TemporaryNoteBanner);
 
 type PageUser = {
   id: string;
@@ -103,6 +105,7 @@ export function FullEditor({
         <MemoizedFixedToolbar />
       )}
       <MemoizedDeletedPageBanner slugId={slugId} />
+      <MemoizedTemporaryNoteBanner slugId={slugId} />
       <MemoizedTitleEditor
         pageId={pageId}
         slugId={slugId}

apps/client/src/features/page-embed/queries/page-embed-query.ts

@@ -1,7 +1,40 @@
 import { useMutation } from "@tanstack/react-query";
 import { notifications } from "@mantine/notifications";
-import { toggleTemplate } from "@/features/page-embed/services/page-embed-api";
+import {
-import type { ToggleTemplateResponse } from "@/features/page-embed/types/page-embed.types";
+  toggleTemplate,
+  toggleTemporary,
+} from "@/features/page-embed/services/page-embed-api";
+import type {
+  ToggleTemplateResponse,
+  ToggleTemporaryResponse,
+} from "@/features/page-embed/types/page-embed.types";
+import { queryClient } from "@/main.tsx";
+
+/**
+ * After toggling a note's temporary state, mirror the new deadline into the
+ * shared page cache (keyed by both slugId and id) and refresh the sidebar so the
+ * menu label, the in-page banner, and the tree icon all reflect the change.
+ * Centralised here so the header menu and the banner can't drift apart on the
+ * cache-key plumbing.
+ */
+export function syncTemporaryExpiresInCache(
+  page: { id: string; slugId: string },
+  temporaryExpiresAt: string | null,
+) {
+  for (const key of [page.slugId, page.id]) {
+    const cached = queryClient.getQueryData<any>(["pages", key]);
+    if (cached) {
+      queryClient.setQueryData(["pages", key], {
+        ...cached,
+        temporaryExpiresAt,
+      });
+    }
+  }
+  queryClient.invalidateQueries({
+    predicate: (item) =>
+      ["sidebar-pages"].includes(item.queryKey[0] as string),
+  });
+}
 
 export function useToggleTemplateMutation() {
   return useMutation<
@@ -18,3 +51,20 @@ export function useToggleTemplateMutation() {
     },
   });
 }
+
+export function useToggleTemporaryMutation() {
+  return useMutation<
+    ToggleTemporaryResponse,
+    Error,
+    { pageId: string; temporary?: boolean }
+  >({
+    mutationFn: (data) => toggleTemporary(data),
+    onError: (err: any) => {
+      notifications.show({
+        message:
+          err?.response?.data?.message || "Failed to update temporary note",
+        color: "red",
+      });
+    },
+  });
+}

apps/client/src/features/page-embed/services/page-embed-api.ts

@@ -2,6 +2,7 @@ import api from "@/lib/api-client";
 import type {
   PageTemplateLookup,
   ToggleTemplateResponse,
+  ToggleTemporaryResponse,
 } from "../types/page-embed.types";
 
 export async function lookupTemplate(params: {
@@ -18,3 +19,11 @@ export async function toggleTemplate(params: {
   const r = await api.post("/pages/toggle-template", params);
   return r.data;
 }
+
+export async function toggleTemporary(params: {
+  pageId: string;
+  temporary?: boolean;
+}): Promise<ToggleTemporaryResponse> {
+  const r = await api.post("/pages/toggle-temporary", params);
+  return r.data;
+}

apps/client/src/features/page-embed/types/page-embed.types.ts

@@ -14,3 +14,9 @@ export type ToggleTemplateResponse = {
   pageId: string;
   isTemplate: boolean;
 };
+
+export type ToggleTemporaryResponse = {
+  pageId: string;
+  // null => the note was made permanent; ISO string => armed deadline.
+  temporaryExpiresAt: string | null;
+};

apps/client/src/features/page/components/header/page-header-menu.tsx

@@ -2,6 +2,7 @@ import { ActionIcon, Button, Group, Menu, Text, ThemeIcon, Tooltip } from "@mant
 import {
   IconArrowRight,
   IconArrowsHorizontal,
+  IconClockHour4,
   IconDots,
   IconEye,
   IconEyeOff,
@@ -24,6 +25,10 @@ import { useDisclosure, useHotkeys } from "@mantine/hooks";
 import { useClipboard } from "@/hooks/use-clipboard";
 import { useParams } from "react-router-dom";
 import { usePageQuery } from "@/features/page/queries/page-query.ts";
+import {
+  useToggleTemporaryMutation,
+  syncTemporaryExpiresInCache,
+} from "@/features/page-embed/queries/page-embed-query.ts";
 import { buildPageUrl } from "@/features/page/page.utils.ts";
 import { notifications } from "@mantine/notifications";
 import { getAppUrl } from "@/lib/config.ts";
@@ -160,6 +165,29 @@ function PageActionMenu({ readOnly }: PageActionMenuProps) {
   const { data: watchStatus } = useWatchStatusQuery(page?.id);
   const watchPage = useWatchPageMutation();
   const unwatchPage = useUnwatchPageMutation();
+  const toggleTemporary = useToggleTemporaryMutation();
+  const isTemporary = !!page?.temporaryExpiresAt;
+
+  const handleToggleTemporary = async () => {
+    if (!page?.id) return;
+    const next = !isTemporary;
+    try {
+      const res = await toggleTemporary.mutateAsync({
+        pageId: page.id,
+        temporary: next,
+      });
+      // Reflect the new deadline in the page cache so the menu label flips and
+      // any banner updates. The sidebar icon refreshes via its own query.
+      syncTemporaryExpiresInCache(page, res.temporaryExpiresAt);
+      notifications.show({
+        message: next
+          ? t("Note will move to trash unless made permanent")
+          : t("Note is now permanent"),
+      });
+    } catch {
+      // mutation surfaces the error via notifications
+    }
+  };
 
   const handleCopyLink = () => {
     const pageUrl =
@@ -309,6 +337,12 @@ function PageActionMenu({ readOnly }: PageActionMenuProps) {
           {!readOnly && (
             <>
               <Menu.Divider />
+              <Menu.Item
+                leftSection={<IconClockHour4 size={16} />}
+                onClick={handleToggleTemporary}
+              >
+                {isTemporary ? t("Make permanent") : t("Make temporary")}
+              </Menu.Item>
               <Menu.Item
                 color={"red"}
                 leftSection={<IconTrash size={16} />}

apps/client/src/features/page/components/temporary-note-banner.tsx

@@ -0,0 +1,87 @@
+import { Button, Group, Paper, Text } from "@mantine/core";
+import { IconClockHour4 } from "@tabler/icons-react";
+import { Trans, useTranslation } from "react-i18next";
+import { useTimeAgo } from "@/hooks/use-time-ago.tsx";
+import { usePageQuery } from "@/features/page/queries/page-query.ts";
+import {
+  useToggleTemporaryMutation,
+  syncTemporaryExpiresInCache,
+} from "@/features/page-embed/queries/page-embed-query.ts";
+import { useGetSpaceBySlugQuery } from "@/features/space/queries/space-query.ts";
+import { useSpaceAbility } from "@/features/space/permissions/use-space-ability.ts";
+import {
+  SpaceCaslAction,
+  SpaceCaslSubject,
+} from "@/features/space/permissions/permissions.type.ts";
+
+type TemporaryNoteBannerProps = {
+  slugId: string;
+};
+
+/**
+ * Banner shown on an open temporary note ("structure or die"). Mirrors
+ * DeletedPageBanner: it reads the page from the shared query cache and offers
+ * the explicit rescue action — "Make permanent". Children ride along to trash
+ * with the note, which is noted in the copy.
+ */
+export function TemporaryNoteBanner({ slugId }: TemporaryNoteBannerProps) {
+  const { t } = useTranslation();
+  const { data: page } = usePageQuery({ pageId: slugId });
+  const { data: space } = useGetSpaceBySlugQuery(page?.space?.slug);
+  const spaceAbility = useSpaceAbility(space?.membership?.permissions);
+  const expiresTimeAgo = useTimeAgo(page?.temporaryExpiresAt);
+  const toggleTemporary = useToggleTemporaryMutation();
+
+  // Don't show on a note that is already in trash; the deleted-page banner
+  // owns that state.
+  if (!page?.temporaryExpiresAt || page?.deletedAt) return null;
+
+  const canEdit = spaceAbility.can(SpaceCaslAction.Edit, SpaceCaslSubject.Page);
+
+  const handleMakePermanent = async () => {
+    try {
+      const res = await toggleTemporary.mutateAsync({
+        pageId: page.id,
+        temporary: false,
+      });
+      syncTemporaryExpiresInCache(page, res.temporaryExpiresAt);
+    } catch {
+      // mutation surfaces the error via notifications
+    }
+  };
+
+  return (
+    <Paper radius="sm" mb="md" px="md" py="xs" bg="orange.0">
+      <Group justify="space-between" wrap="wrap" gap="sm">
+        <Group gap="xs" wrap="nowrap" style={{ flex: 1, minWidth: 0 }}>
+          <IconClockHour4
+            size={18}
+            stroke={1.5}
+            style={{
+              flexShrink: 0,
+              color: "var(--mantine-color-orange-7)",
+            }}
+          />
+          <Text size="sm">
+            <Trans
+              i18nKey="This temporary note moves to trash {{time}} (with its sub-pages) unless made permanent."
+              values={{ time: expiresTimeAgo }}
+            />
+          </Text>
+        </Group>
+        {canEdit && (
+          <Button
+            size="xs"
+            variant="light"
+            color="orange"
+            leftSection={<IconClockHour4 size={16} />}
+            onClick={handleMakePermanent}
+            loading={toggleTemporary.isPending}
+          >
+            {t("Make permanent")}
+          </Button>
+        )}
+      </Group>
+    </Paper>
+  );
+}

apps/client/src/features/page/tree/components/space-tree-node-menu.tsx

@@ -6,6 +6,7 @@ import { useDisclosure } from "@mantine/hooks";
 import { notifications } from "@mantine/notifications";
 import {
   IconArrowRight,
+  IconClockHour4,
   IconCopy,
   IconDotsVertical,
   IconFileExport,
@@ -30,7 +31,10 @@ import {
   useRemoveFavoriteMutation,
 } from "@/features/favorite/queries/favorite-query";
 
-import { useToggleTemplateMutation } from "@/features/page-embed/queries/page-embed-query";
+import {
+  useToggleTemplateMutation,
+  useToggleTemporaryMutation,
+} from "@/features/page-embed/queries/page-embed-query";
 import { treeDataAtom } from "@/features/page/tree/atoms/tree-data-atom.ts";
 import { treeModel } from "@/features/page/tree/model/tree-model";
 import { useTreeMutation } from "@/features/page/tree/hooks/use-tree-mutation.ts";
@@ -65,6 +69,8 @@ export function NodeMenu({ node, canEdit }: NodeMenuProps) {
   const isFavorited = favoriteIds.has(node.id);
   const toggleTemplate = useToggleTemplateMutation();
   const isTemplate = !!node.isTemplate;
+  const toggleTemporary = useToggleTemporaryMutation();
+  const isTemporary = !!node.temporaryExpiresAt;
 
   const handleToggleTemplate = async () => {
     const next = !isTemplate;
@@ -84,6 +90,29 @@ export function NodeMenu({ node, canEdit }: NodeMenuProps) {
     }
   };
 
+  const handleToggleTemporary = async () => {
+    const next = !isTemporary;
+    try {
+      const res = await toggleTemporary.mutateAsync({
+        pageId: node.id,
+        temporary: next,
+      });
+      // Reflect the new deadline locally so the icon/menu update immediately.
+      setData((prev) =>
+        treeModel.update(prev, node.id, {
+          temporaryExpiresAt: res.temporaryExpiresAt,
+        } as any),
+      );
+      notifications.show({
+        message: next
+          ? t("Note will move to trash unless made permanent")
+          : t("Note is now permanent"),
+      });
+    } catch {
+      // mutation surfaces the error via notifications
+    }
+  };
+
   const handleCopyLink = () => {
     const pageUrl =
       getAppUrl() + buildPageUrl(spaceSlug, node.slugId, node.name);
@@ -248,6 +277,17 @@ export function NodeMenu({ node, canEdit }: NodeMenuProps) {
                 {isTemplate ? t("Unset as template") : t("Make template")}
               </Menu.Item>
 
+              <Menu.Item
+                leftSection={<IconClockHour4 size={16} />}
+                onClick={(e) => {
+                  e.preventDefault();
+                  e.stopPropagation();
+                  handleToggleTemporary();
+                }}
+              >
+                {isTemporary ? t("Make permanent") : t("Make temporary")}
+              </Menu.Item>
+
               <Menu.Divider />
               <Menu.Item
                 c="red"

apps/client/src/features/page/tree/components/space-tree-row.tsx

@@ -6,6 +6,7 @@ import { ActionIcon, rem, Tooltip } from "@mantine/core";
 import {
   IconChevronDown,
   IconChevronRight,
+  IconClockHour4,
   IconFileDescription,
   IconPlus,
   IconPointFilled,
@@ -191,6 +192,28 @@ export function SpaceTreeRow({
         </Tooltip>
       )}
 
+      {node.temporaryExpiresAt && (
+        <Tooltip
+          // Children ride along to trash with the note (recursive removePage).
+          label={t("Temporary note — moves to trash unless made permanent")}
+          withArrow
+        >
+          <IconClockHour4
+            size={14}
+            stroke={1.5}
+            // Same visual-only indicator pattern as the template icon, but
+            // orange to flag the impending death timer.
+            style={{
+              flexShrink: 0,
+              marginLeft: rem(4),
+              color: "var(--mantine-color-orange-6)",
+            }}
+            aria-label={t("Temporary note")}
+            role="img"
+          />
+        </Tooltip>
+      )}
+
       <div className={classes.actions}>
         <NodeMenu node={node} canEdit={canEdit} />
 

apps/client/src/features/page/tree/hooks/use-tree-mutation.ts

@@ -22,7 +22,10 @@ import { getSpaceUrl } from "@/lib/config.ts";
 
 export type UseTreeMutation = {
   handleMove: (sourceId: string, op: DropOp) => Promise<void>;
-  handleCreate: (parentId: string | null) => Promise<void>;
+  handleCreate: (
+    parentId: string | null,
+    opts?: { temporary?: boolean },
+  ) => Promise<void>;
   handleRename: (id: string, name: string) => Promise<void>;
   handleDelete: (id: string) => Promise<void>;
 };
@@ -119,9 +122,15 @@ export function useTreeMutation(spaceId: string): UseTreeMutation {
   );
 
   const handleCreate = useCallback(
-    async (parentId: string | null) => {
+    async (parentId: string | null, opts?: { temporary?: boolean }) => {
-      const payload: { spaceId: string; parentPageId?: string } = { spaceId };
+      const payload: {
+        spaceId: string;
+        parentPageId?: string;
+        temporary?: boolean;
+      } = { spaceId };
       if (parentId) payload.parentPageId = parentId;
+      // Ask the server to arm the death timer for a "temporary note".
+      if (opts?.temporary) payload.temporary = true;
 
       let createdPage: IPage;
       try {
@@ -138,6 +147,8 @@ export function useTreeMutation(spaceId: string): UseTreeMutation {
         spaceId: createdPage.spaceId,
         parentPageId: createdPage.parentPageId,
         hasChildren: false,
+        // Show the temporary-note icon immediately on optimistic insert.
+        temporaryExpiresAt: createdPage.temporaryExpiresAt,
         children: [],
       };
 

apps/client/src/features/page/tree/types.ts

@@ -9,5 +9,7 @@ export type SpaceTreeNode = {
   hasChildren: boolean;
   canEdit?: boolean;
   isTemplate?: boolean;
+  // Death-timer deadline. null/absent => permanent; ISO string => temporary note.
+  temporaryExpiresAt?: string | null;
   children: SpaceTreeNode[];
 };

apps/client/src/features/page/tree/utils/utils.ts

@@ -26,6 +26,7 @@ export function buildTree(pages: IPage[]): SpaceTreeNode[] {
       parentPageId: page.parentPageId,
       canEdit: page.canEdit ?? page.permissions?.canEdit,
       isTemplate: page.isTemplate,
+      temporaryExpiresAt: page.temporaryExpiresAt,
       children: [],
     };
   });

apps/client/src/features/page/types/page.types.ts

@@ -13,6 +13,10 @@ export interface IPage {
   workspaceId: string;
   isLocked: boolean;
   isTemplate?: boolean;
+  // Death-timer deadline. null/absent => permanent; ISO string => temporary note.
+  temporaryExpiresAt?: string | null;
+  // Create-only input flag: ask the server to arm the timer on a new page.
+  temporary?: boolean;
   lastUpdatedById: string;
   createdAt: Date;
   updatedAt: Date;

apps/client/src/features/share/components/share-alias-section.tsx

@@ -0,0 +1,237 @@
+import {
+  ActionIcon,
+  Button,
+  Group,
+  Modal,
+  Text,
+  TextInput,
+} from "@mantine/core";
+import { IconExternalLink } from "@tabler/icons-react";
+import { useEffect, useMemo, useRef, useState } from "react";
+import { useTranslation } from "react-i18next";
+import CopyTextButton from "@/components/common/copy.tsx";
+import { getAppUrl } from "@/lib/config.ts";
+import {
+  useRemoveShareAliasMutation,
+  useSetShareAliasMutation,
+  useShareAliasForPageQuery,
+} from "@/features/share/queries/share-query.ts";
+import { checkShareAliasAvailability } from "@/features/share/services/share-service.ts";
+import {
+  isValidShareAlias,
+  normalizeShareAlias,
+} from "@/features/share/share-alias.util.ts";
+
+interface ShareAliasSectionProps {
+  pageId: string;
+  readOnly: boolean;
+}
+
+// The prefix label shown next to the slug input, e.g. "docs.example.com/l/".
+function aliasPrefixLabel(): string {
+  const url = getAppUrl();
+  const host = url.replace(/^https?:\/\//, "").replace(/\/+$/, "");
+  return `${host}/l/`;
+}
+
+export default function ShareAliasSection({
+  pageId,
+  readOnly,
+}: ShareAliasSectionProps) {
+  const { t } = useTranslation();
+  const { data: currentAlias } = useShareAliasForPageQuery(pageId);
+  const setAliasMutation = useSetShareAliasMutation();
+  const removeAliasMutation = useRemoveShareAliasMutation();
+
+  const [value, setValue] = useState("");
+  const [availability, setAvailability] = useState<{
+    valid: boolean;
+    available: boolean;
+    currentPageId: string | null;
+  } | null>(null);
+  const [reassign, setReassign] = useState<{
+    alias: string;
+    currentPageTitle: string | null;
+  } | null>(null);
+
+  // Seed the input from the page's current alias (if any).
+  useEffect(() => {
+    setValue(currentAlias?.alias ?? "");
+  }, [currentAlias?.alias, pageId]);
+
+  const normalized = useMemo(() => normalizeShareAlias(value), [value]);
+  const isValid = isValidShareAlias(normalized);
+  const unchanged = currentAlias?.alias === normalized;
+
+  // Debounced availability probe (skips when invalid or unchanged).
+  const debounceRef = useRef<ReturnType<typeof setTimeout>>();
+  useEffect(() => {
+    setAvailability(null);
+    if (!isValid || unchanged) return;
+    debounceRef.current && clearTimeout(debounceRef.current);
+    debounceRef.current = setTimeout(async () => {
+      try {
+        const res = await checkShareAliasAvailability(normalized);
+        setAvailability({
+          valid: res.valid,
+          available: res.available,
+          currentPageId: res.currentPageId,
+        });
+      } catch {
+        setAvailability(null);
+      }
+    }, 400);
+    return () => {
+      debounceRef.current && clearTimeout(debounceRef.current);
+    };
+  }, [normalized, isValid, unchanged]);
+
+  const prettyLink = currentAlias?.alias
+    ? `${getAppUrl()}/l/${currentAlias.alias}`
+    : null;
+
+  const handleSave = async (confirmReassign = false) => {
+    try {
+      await setAliasMutation.mutateAsync({
+        pageId,
+        alias: normalized,
+        confirmReassign,
+      });
+      setReassign(null);
+    } catch (error: any) {
+      // The address already points at another page: prompt to move it here.
+      if (error?.status === 409 || error?.response?.status === 409) {
+        const data = error?.response?.data;
+        if (data?.code === "ALIAS_REASSIGN_REQUIRED") {
+          setReassign({
+            alias: normalized,
+            currentPageTitle: data?.currentPageTitle ?? null,
+          });
+        }
+      }
+    }
+  };
+
+  const handleRemove = async () => {
+    if (!currentAlias?.id) return;
+    await removeAliasMutation.mutateAsync(currentAlias.id);
+    setValue("");
+  };
+
+  const showInvalid = normalized.length > 0 && !isValid;
+  const showTaken =
+    isValid && !unchanged && availability && !availability.available;
+
+  return (
+    <>
+      <Text size="sm" fw={500} mt="md">
+        {t("Custom address")}
+      </Text>
+      <Text size="xs" c="dimmed" mb={4}>
+        {t("A short, memorable link you can point at any shared page.")}
+      </Text>
+
+      {prettyLink && (
+        <Group my="xs" gap={4} wrap="nowrap">
+          <TextInput
+            variant="filled"
+            value={prettyLink}
+            readOnly
+            rightSection={<CopyTextButton text={prettyLink} />}
+            style={{ width: "100%" }}
+          />
+          <ActionIcon
+            component="a"
+            variant="default"
+            target="_blank"
+            href={prettyLink}
+            size="sm"
+          >
+            <IconExternalLink size={16} />
+          </ActionIcon>
+        </Group>
+      )}
+
+      <TextInput
+        value={value}
+        onChange={(e) => setValue(e.currentTarget.value)}
+        // Show the canonical form once the user pauses so what they type maps
+        // visibly to what gets stored.
+        onBlur={() => setValue(normalized)}
+        leftSection={
+          <Text size="xs" c="dimmed" pl={4} style={{ whiteSpace: "nowrap" }}>
+            {aliasPrefixLabel()}
+          </Text>
+        }
+        leftSectionWidth={Math.min(aliasPrefixLabel().length * 7 + 12, 180)}
+        placeholder={t("my-page")}
+        disabled={readOnly}
+        error={
+          showInvalid
+            ? t("Use 2-60 lowercase letters, digits and hyphens")
+            : showTaken
+              ? t("This address is already in use")
+              : undefined
+        }
+      />
+
+      <Group mt="xs" gap="xs">
+        <Button
+          size="compact-sm"
+          onClick={() => handleSave(false)}
+          loading={setAliasMutation.isPending}
+          disabled={readOnly || !isValid || unchanged}
+        >
+          {t("Save")}
+        </Button>
+        {currentAlias?.id && (
+          <Button
+            size="compact-sm"
+            variant="default"
+            color="red"
+            onClick={handleRemove}
+            loading={removeAliasMutation.isPending}
+            disabled={readOnly}
+          >
+            {t("Remove")}
+          </Button>
+        )}
+      </Group>
+
+      <Modal
+        opened={!!reassign}
+        onClose={() => setReassign(null)}
+        title={t("Move custom address?")}
+        centered
+        size="sm"
+      >
+        <Text size="sm">
+          {reassign?.currentPageTitle
+            ? t(
+                'The address "{{alias}}" currently points to "{{title}}". Move it to this page?',
+                {
+                  alias: reassign?.alias,
+                  title: reassign?.currentPageTitle,
+                },
+              )
+            : t(
+                'The address "{{alias}}" is already in use. Move it to this page?',
+                { alias: reassign?.alias },
+              )}
+        </Text>
+        <Group justify="flex-end" mt="md">
+          <Button variant="default" onClick={() => setReassign(null)}>
+            {t("Cancel")}
+          </Button>
+          <Button
+            color="red"
+            onClick={() => handleSave(true)}
+            loading={setAliasMutation.isPending}
+          >
+            {t("Move here")}
+          </Button>
+        </Group>
+      </Modal>
+    </>
+  );
+}

apps/client/src/features/share/components/share-modal.tsx

@@ -25,6 +25,7 @@ import CopyTextButton from "@/components/common/copy.tsx";
 import { getAppUrl } from "@/lib/config.ts";
 import { buildPageUrl } from "@/features/page/page.utils.ts";
 import classes from "@/features/share/components/share.module.css";
+import ShareAliasSection from "@/features/share/components/share-alias-section.tsx";
 import { useAtom } from "jotai";
 import { workspaceAtom } from "@/features/user/atoms/current-user-atom.ts";
 import { useSpaceQuery } from "@/features/space/queries/space-query.ts";
@@ -253,6 +254,9 @@ export default function ShareModal({ readOnly }: ShareModalProps) {
                     disabled={readOnly}
                   />
                 </Group>
+                {pageId && (
+                  <ShareAliasSection pageId={pageId} readOnly={readOnly} />
+                )}
               </>
             )}
           </>

apps/client/src/features/share/queries/share-query.ts

@@ -10,6 +10,8 @@ import { useTranslation } from "react-i18next";
 import {
   ICreateShare,
   IShare,
+  IShareAlias,
+  ISetShareAlias,
   ISharedItem,
   ISharedPage,
   ISharedPageTree,
@@ -20,11 +22,14 @@ import {
 import {
   createShare,
   deleteShare,
+  getShareAliasForPage,
   getSharedPageTree,
   getShareForPage,
   getShareInfo,
   getSharePageInfo,
   getShares,
+  removeShareAlias,
+  setShareAlias,
   updateShare,
 } from "@/features/share/services/share-service.ts";
 import { IPagination, QueryParams } from "@/lib/types.ts";
@@ -170,6 +175,72 @@ export function useDeleteShareMutation() {
   });
 }
 
+export function useShareAliasForPageQuery(
+  pageId: string,
+): UseQueryResult<IShareAlias | null, Error> {
+  return useQuery({
+    // The endpoint resolves to null when the page has no alias; normalize the
+    // absence so React Query never sees `undefined`.
+    queryKey: ["share-alias-for-page", pageId],
+    queryFn: async () => (await getShareAliasForPage(pageId)) ?? null,
+    enabled: !!pageId,
+    staleTime: 60 * 1000,
+    retry: false,
+  });
+}
+
+export function useSetShareAliasMutation() {
+  const { t } = useTranslation();
+  const queryClient = useQueryClient();
+
+  return useMutation<IShareAlias, Error, ISetShareAlias>({
+    mutationFn: (data) => setShareAlias(data),
+    onSuccess: () => {
+      queryClient.invalidateQueries({
+        predicate: (item) =>
+          ["share-alias-for-page", "share-list"].includes(
+            item.queryKey[0] as string,
+          ),
+      });
+    },
+    onError: (error) => {
+      // A 409 reassign-required is handled inline by the modal (it shows the
+      // "move address here?" confirmation), so don't surface a generic toast.
+      if (error?.["status"] === 409) return;
+      notifications.show({
+        message:
+          error?.["response"]?.data?.message || t("Failed to set custom address"),
+        color: "red",
+      });
+    },
+  });
+}
+
+export function useRemoveShareAliasMutation() {
+  const { t } = useTranslation();
+  const queryClient = useQueryClient();
+
+  return useMutation<void, Error, string>({
+    mutationFn: (aliasId) => removeShareAlias(aliasId),
+    onSuccess: () => {
+      queryClient.invalidateQueries({
+        predicate: (item) =>
+          ["share-alias-for-page", "share-list"].includes(
+            item.queryKey[0] as string,
+          ),
+      });
+    },
+    onError: (error) => {
+      notifications.show({
+        message:
+          error?.["response"]?.data?.message ||
+          t("Failed to remove custom address"),
+        color: "red",
+      });
+    },
+  });
+}
+
 export function useGetSharedPageTreeQuery(
   shareId: string,
 ): UseQueryResult<ISharedPageTree, Error> {

apps/client/src/features/share/services/share-service.ts

@@ -4,6 +4,9 @@ import { IPage } from "@/features/page/types/page.types";
 import {
   ICreateShare,
   IShare,
+  IShareAlias,
+  IShareAliasAvailability,
+  ISetShareAlias,
   ISharedItem,
   ISharedPage,
   ISharedPageTree,
@@ -57,3 +60,33 @@ export async function getSharedPageTree(
   const req = await api.post<ISharedPageTree>("/shares/tree", { shareId });
   return req.data;
 }
+
+export async function getShareAliasForPage(
+  pageId: string,
+): Promise<IShareAlias | null> {
+  const req = await api.post<IShareAlias | null>("/share-aliases/for-page", {
+    pageId,
+  });
+  return req.data;
+}
+
+export async function setShareAlias(
+  data: ISetShareAlias,
+): Promise<IShareAlias> {
+  const req = await api.post<IShareAlias>("/share-aliases/set", data);
+  return req.data;
+}
+
+export async function removeShareAlias(aliasId: string): Promise<void> {
+  await api.post("/share-aliases/remove", { aliasId });
+}
+
+export async function checkShareAliasAvailability(
+  alias: string,
+): Promise<IShareAliasAvailability> {
+  const req = await api.post<IShareAliasAvailability>(
+    "/share-aliases/availability",
+    { alias },
+  );
+  return req.data;
+}

apps/client/src/features/share/share-alias.util.test.ts

@@ -0,0 +1,32 @@
+import { describe, it, expect } from "vitest";
+import {
+  isValidShareAlias,
+  normalizeShareAlias,
+} from "@/features/share/share-alias.util.ts";
+
+// Mirrors the server-side util so the modal's live feedback matches what the
+// server will accept/store.
+describe("normalizeShareAlias", () => {
+  it("lowercases, trims and maps separators to single hyphens", () => {
+    expect(normalizeShareAlias("  My  Cool_Page ")).toBe("my-cool-page");
+  });
+
+  it("collapses repeated hyphens and trims edges", () => {
+    expect(normalizeShareAlias("--a---b--")).toBe("a-b");
+  });
+});
+
+describe("isValidShareAlias", () => {
+  it("accepts ascii hyphen-separated slugs of length 2..60", () => {
+    expect(isValidShareAlias("hello-world")).toBe(true);
+    expect(isValidShareAlias("a".repeat(60))).toBe(true);
+  });
+
+  it("rejects too short, edge/double hyphens, uppercase and non-ascii", () => {
+    expect(isValidShareAlias("a")).toBe(false);
+    expect(isValidShareAlias("-a")).toBe(false);
+    expect(isValidShareAlias("a--b")).toBe(false);
+    expect(isValidShareAlias("Hello")).toBe(false);
+    expect(isValidShareAlias("привет")).toBe(false);
+  });
+});

apps/client/src/features/share/share-alias.util.ts

@@ -0,0 +1,26 @@
+/**
+ * Client copy of the vanity share-alias helpers. Kept in sync with the server
+ * (`apps/server/src/core/share/share-alias.util.ts`) so live input feedback
+ * matches what the server will store/accept. ASCII-only, lowercase, hyphen
+ * separated, length 2..60.
+ */
+
+// Normalize a user-provided vanity alias into canonical ASCII storage form.
+export function normalizeShareAlias(raw: string): string {
+  return (raw ?? "")
+    .trim()
+    .toLowerCase()
+    .replace(/[\s_]+/g, "-")
+    .replace(/-{2,}/g, "-")
+    .replace(/^-+|-+$/g, "");
+}
+
+const ALIAS_RE = /^[a-z0-9]+(?:-[a-z0-9]+)*$/;
+export function isValidShareAlias(alias: string): boolean {
+  return (
+    typeof alias === "string" &&
+    alias.length >= 2 &&
+    alias.length <= 60 &&
+    ALIAS_RE.test(alias)
+  );
+}

apps/client/src/features/share/types/share.types.ts

@@ -75,6 +75,30 @@ export interface IShareInfoInput {
   pageId: string;
 }
 
+// Vanity /l/:alias pointer.
+export interface IShareAlias {
+  id: string;
+  workspaceId: string;
+  alias: string;
+  pageId: string | null;
+  creatorId: string | null;
+  createdAt: string;
+  updatedAt: string;
+}
+
+export interface ISetShareAlias {
+  pageId: string;
+  alias: string;
+  confirmReassign?: boolean;
+}
+
+export interface IShareAliasAvailability {
+  alias: string;
+  valid: boolean;
+  available: boolean;
+  currentPageId: string | null;
+}
+
 export interface ISharedPageTree {
   share: IShare;
   pageTree: Partial<IPage[]>;

apps/client/src/features/space/components/sidebar/space-sidebar.tsx

@@ -13,6 +13,7 @@ import {
   IconEye,
   IconEyeOff,
   IconFileExport,
+  IconHourglass,
   IconPlus,
   IconSettings,
   IconStar,
@@ -71,6 +72,10 @@ export function SpaceSidebar() {
     handleCreate(null);
   }
 
+  function handleCreateTemporaryPage() {
+    handleCreate(null, { temporary: true });
+  }
+
   return (
     <>
       <div className={classes.navbar}>
@@ -111,16 +116,39 @@ export function SpaceSidebar() {
                 SpaceCaslAction.Manage,
                 SpaceCaslSubject.Page,
               ) && (
-                <Tooltip label={t("Create page")} withArrow position="right">
+                <>
-                  <ActionIcon
+                  <Tooltip
-                    variant="default"
+                    label={t("Create page")}
-                    size={18}
+                    withArrow
-                    onClick={handleCreatePage}
+                    position="right"
-                    aria-label={t("Create page")}
                   >
-                    <IconPlus />
+                    <ActionIcon
-                  </ActionIcon>
+                      variant="default"
-                </Tooltip>
+                      size={18}
+                      onClick={handleCreatePage}
+                      aria-label={t("Create page")}
+                    >
+                      <IconPlus />
+                    </ActionIcon>
+                  </Tooltip>
+
+                  {/* Standalone second button: a "temporary note" auto-moves to
+                      trash after the workspace lifetime unless made permanent. */}
+                  <Tooltip
+                    label={t("New temporary note")}
+                    withArrow
+                    position="right"
+                  >
+                    <ActionIcon
+                      variant="default"
+                      size={18}
+                      onClick={handleCreateTemporaryPage}
+                      aria-label={t("New temporary note")}
+                    >
+                      <IconHourglass />
+                    </ActionIcon>
+                  </Tooltip>
+                </>
               )}
             </Group>
           </Group>

apps/client/src/features/workspace/components/settings/components/temporary-note-settings.tsx

@@ -0,0 +1,86 @@
+import { useState } from "react";
+import { useAtom } from "jotai";
+import {
+  Button,
+  Group,
+  NumberInput,
+  Paper,
+  Stack,
+  Text,
+} from "@mantine/core";
+import { notifications } from "@mantine/notifications";
+import { useTranslation } from "react-i18next";
+import useUserRole from "@/hooks/use-user-role.tsx";
+import { workspaceAtom } from "@/features/user/atoms/current-user-atom.ts";
+import { updateWorkspace } from "@/features/workspace/services/workspace-service.ts";
+import { IWorkspace } from "@/features/workspace/types/workspace.types.ts";
+
+// Mirrors DEFAULT_TEMPORARY_NOTE_HOURS on the server. Shown when the workspace
+// has no explicit value configured yet.
+const DEFAULT_TEMPORARY_NOTE_HOURS = 24;
+
+/**
+ * Workspace-level editor for the temporary-note lifetime, in HOURS. The deadline
+ * is frozen per-note at creation, so changing this only affects notes created
+ * afterwards. `temporaryNoteHours` is a top-level workspace column (like
+ * trashRetentionDays), not a nested setting.
+ */
+export default function TemporaryNoteSettings() {
+  const { t } = useTranslation();
+  const [workspace, setWorkspace] = useAtom(workspaceAtom);
+  const { isAdmin } = useUserRole();
+  const [isLoading, setIsLoading] = useState(false);
+  const [value, setValue] = useState<number>(
+    workspace?.temporaryNoteHours ?? DEFAULT_TEMPORARY_NOTE_HOURS,
+  );
+
+  async function handleSave() {
+    if (!value || value < 1) return;
+    setIsLoading(true);
+    try {
+      const updated = await updateWorkspace({
+        temporaryNoteHours: value,
+      } as Partial<IWorkspace>);
+      setWorkspace({ ...updated, temporaryNoteHours: value });
+      notifications.show({ message: t("Updated successfully") });
+    } catch (err) {
+      notifications.show({
+        message:
+          (err as any)?.response?.data?.message ?? t("Failed to update data"),
+        color: "red",
+      });
+    } finally {
+      setIsLoading(false);
+    }
+  }
+
+  return (
+    <Stack mt="sm">
+      <Text fw={700} size="lg">
+        {t("Temporary notes")}
+      </Text>
+
+      <Paper withBorder radius="md" p="lg">
+        <Text size="xs" c="dimmed" mb="xs">
+          {t(
+            "A temporary note is automatically moved to trash after this many hours unless it is made permanent. The deadline is fixed when the note is created.",
+          )}
+        </Text>
+        <NumberInput
+          label={t("Temporary note lifetime (hours)")}
+          min={1}
+          allowDecimal={false}
+          value={value}
+          onChange={(v) => setValue(typeof v === "number" ? v : Number(v))}
+          disabled={!isAdmin || isLoading}
+          w={220}
+        />
+        <Group justify="flex-end" mt="md">
+          <Button onClick={handleSave} loading={isLoading} disabled={!isAdmin}>
+            {t("Save")}
+          </Button>
+        </Group>
+      </Paper>
+    </Stack>
+  );
+}

apps/client/src/features/workspace/types/workspace.types.ts

@@ -28,6 +28,8 @@ export interface IWorkspace {
   aiDictationStreaming?: boolean;
   aiPublicShareAssistant?: boolean;
   trashRetentionDays?: number;
+  // Default lifetime (HOURS) for new temporary notes; frozen per-note at creation.
+  temporaryNoteHours?: number;
   restrictApiToAdmins?: boolean;
   allowMemberTemplates?: boolean;
   isScimEnabled?: boolean;

apps/client/src/pages/settings/workspace/workspace-settings.tsx

@@ -3,6 +3,7 @@ import WorkspaceNameForm from "@/features/workspace/components/settings/componen
 import WorkspaceIcon from "@/features/workspace/components/settings/components/workspace-icon.tsx";
 import HtmlEmbedSettings from "@/features/workspace/components/settings/components/html-embed-settings.tsx";
 import TrackerSettings from "@/features/workspace/components/settings/components/tracker-settings.tsx";
+import TemporaryNoteSettings from "@/features/workspace/components/settings/components/temporary-note-settings.tsx";
 import { useTranslation } from "react-i18next";
 import { getAppName } from "@/lib/config.ts";
 import { Helmet } from "react-helmet-async";
@@ -19,6 +20,7 @@ export default function WorkspaceSettings() {
       <WorkspaceNameForm />
       <HtmlEmbedSettings />
       <TrackerSettings />
+      <TemporaryNoteSettings />
     </>
   );
 }

apps/server/src/core/page/constants/temporary-note.constants.ts

@@ -0,0 +1,5 @@
+// Default lifetime for a temporary note, in HOURS, used when the workspace has
+// no `temporaryNoteHours` configured (NULL). Mirrors the trash-cleanup
+// DEFAULT_RETENTION_DAYS fallback. After this many hours a temporary note is
+// auto-moved to trash unless it was made permanent first.
+export const DEFAULT_TEMPORARY_NOTE_HOURS = 24;

apps/server/src/core/page/dto/create-page.dto.ts

@@ -1,4 +1,5 @@
 import {
+  IsBoolean,
   IsIn,
   IsOptional,
   IsString,
@@ -32,4 +33,10 @@ export class CreatePageDto {
   @Transform(({ value }) => value?.toLowerCase() ?? 'json')
   @IsIn(['json', 'markdown', 'html'])
   format?: ContentFormat;
+
+  // When true, create the page as a temporary note: arm its death timer
+  // (now + workspace temporaryNoteHours) at creation.
+  @IsOptional()
+  @IsBoolean()
+  temporary?: boolean;
 }

apps/server/src/core/page/page.module.ts

@@ -3,6 +3,7 @@ import { PageService } from './services/page.service';
 import { PageController } from './page.controller';
 import { PageHistoryService } from './services/page-history.service';
 import { TrashCleanupService } from './services/trash-cleanup.service';
+import { TemporaryNoteCleanupService } from './services/temporary-note-cleanup.service';
 import { BacklinkService } from './services/backlink.service';
 import { StorageModule } from '../../integrations/storage/storage.module';
 import { CollaborationModule } from '../../collaboration/collaboration.module';
@@ -16,6 +17,7 @@ import { LabelModule } from '../label/label.module';
     PageService,
     PageHistoryService,
     TrashCleanupService,
+    TemporaryNoteCleanupService,
     BacklinkService,
   ],
   exports: [PageService, PageHistoryService],

apps/server/src/core/page/services/page.service.spec.ts

@@ -2,6 +2,7 @@ import { BadRequestException } from '@nestjs/common';
 import { PageService } from './page.service';
 import { MovePageDto } from '../dto/move-page.dto';
 import { Page } from '@docmost/db/types/entity.types';
+import { DEFAULT_TEMPORARY_NOTE_HOURS } from '../constants/temporary-note.constants';
 
 // Direct instantiation with stub deps. The Test.createTestingModule form failed
 // to resolve the @InjectKysely()/@InjectQueue() tokens at compile(), and this
@@ -420,4 +421,79 @@ describe('PageService', () => {
       });
     });
   });
+
+  describe('create() temporary deadline (#201)', () => {
+    // db stub for the workspaces.temporaryNoteHours lookup:
+    // selectFrom('workspaces').select(['temporaryNoteHours']).where(...).executeTakeFirst()
+    const makeDb = (workspaceRow: any) => {
+      const builder: any = {
+        selectFrom: jest.fn(() => builder),
+        select: jest.fn(() => builder),
+        where: jest.fn(() => builder),
+        executeTakeFirst: jest.fn().mockResolvedValue(workspaceRow),
+      };
+      return builder;
+    };
+
+    const makeGeneralQueue = () =>
+      ({ add: jest.fn().mockReturnValue({ catch: jest.fn() }) }) as any;
+
+    const run = async (dto: any, workspaceRow: any) => {
+      const pageRepo = {
+        insertPage: jest.fn().mockResolvedValue({ id: 'p1' }),
+      };
+      const db = makeDb(workspaceRow);
+      const svc = new PageService(
+        pageRepo as any, // pageRepo
+        {} as any, // pagePermissionRepo
+        {} as any, // attachmentRepo
+        db as any, // db
+        {} as any, // storageService
+        {} as any, // attachmentQueue
+        {} as any, // aiQueue
+        makeGeneralQueue(), // generalQueue
+        {} as any, // eventEmitter
+        {} as any, // collaborationGateway
+        {} as any, // watcherService
+        {} as any, // transclusionService
+      );
+      // nextPagePosition runs a real db query; stub it out.
+      jest.spyOn(svc, 'nextPagePosition').mockResolvedValue('a0' as any);
+      await svc.create('u1', 'w1', dto, undefined);
+      return { payload: pageRepo.insertPage.mock.calls[0][0], db };
+    };
+
+    afterEach(() => jest.useRealTimers());
+
+    it('freezes temporaryExpiresAt at now + workspace hours when temporary', async () => {
+      jest.useFakeTimers().setSystemTime(new Date('2026-06-26T00:00:00.000Z'));
+      const { payload } = await run(
+        { title: 't', spaceId: 's1', temporary: true },
+        { temporaryNoteHours: 5 },
+      );
+      expect(payload.temporaryExpiresAt).toEqual(
+        new Date(Date.now() + 5 * 60 * 60 * 1000),
+      );
+    });
+
+    it('falls back to DEFAULT_TEMPORARY_NOTE_HOURS when the workspace hours are null', async () => {
+      jest.useFakeTimers().setSystemTime(new Date('2026-06-26T00:00:00.000Z'));
+      const { payload } = await run(
+        { title: 't', spaceId: 's1', temporary: true },
+        { temporaryNoteHours: null },
+      );
+      expect(payload.temporaryExpiresAt).toEqual(
+        new Date(Date.now() + DEFAULT_TEMPORARY_NOTE_HOURS * 60 * 60 * 1000),
+      );
+    });
+
+    it('leaves temporaryExpiresAt undefined and skips the workspace lookup for a non-temporary page', async () => {
+      const { payload, db } = await run(
+        { title: 't', spaceId: 's1' },
+        { temporaryNoteHours: 5 },
+      );
+      expect(payload.temporaryExpiresAt).toBeUndefined();
+      expect(db.selectFrom).not.toHaveBeenCalled();
+    });
+  });
 });

apps/server/src/core/page/services/page.service.ts

@@ -61,6 +61,7 @@ import {
   AuthProvenanceData,
   agentSourceFields,
 } from '../../../common/decorators/auth-provenance.decorator';
+import { DEFAULT_TEMPORARY_NOTE_HOURS } from '../constants/temporary-note.constants';
 
 // Hard upper bound on how deep the recursive page-tree CTEs (ancestor /
 // descendant traversals) may walk. Real page trees are only a handful of levels
@@ -140,6 +141,20 @@ export class PageService {
       parentPageId = parentPage.id;
     }
 
+    // Freeze the death timer here so later changes to the workspace setting
+    // never reschedule existing temporary notes. NULL => permanent page.
+    let temporaryExpiresAt: Date | undefined;
+    if (createPageDto.temporary) {
+      const workspace = await this.db
+        .selectFrom('workspaces')
+        .select(['temporaryNoteHours'])
+        .where('id', '=', workspaceId)
+        .executeTakeFirst();
+      const hours =
+        workspace?.temporaryNoteHours ?? DEFAULT_TEMPORARY_NOTE_HOURS;
+      temporaryExpiresAt = new Date(Date.now() + hours * 60 * 60 * 1000);
+    }
+
     let content = undefined;
     let textContent = undefined;
     let ydoc = undefined;
@@ -172,6 +187,7 @@ export class PageService {
       // (creatorId/lastUpdatedById); these only annotate the source. A normal
       // user request leaves the column default ('user').
       ...agentSourceFields(provenance, 'lastUpdatedSource', 'lastUpdatedAiChatId'),
+      temporaryExpiresAt,
       content,
       textContent,
       ydoc,
@@ -356,6 +372,7 @@ export class PageService {
         'spaceId',
         'creatorId',
         'isTemplate',
+        'temporaryExpiresAt',
         'deletedAt',
       ])
       .select((eb) => this.pageRepo.withHasChildren(eb))

apps/server/src/core/page/services/spec/temporary-note-cleanup.service.spec.ts

@@ -0,0 +1,154 @@
+import { TemporaryNoteCleanupService } from '../temporary-note-cleanup.service';
+
+/**
+ * Chainable Kysely stub that records every `.where(...)` call so the test can
+ * assert the sweep only selects armed, expired, not-yet-trashed notes. The
+ * terminal `.execute()` resolves the configured expired rows (the batch SELECT);
+ * `.executeTakeFirst()` resolves the per-row deadline re-read done just before
+ * each `removePage`. By default the re-read reports the note as still armed and
+ * still expired (epoch deadline < now), so the sweep proceeds to delete it;
+ * tests override `reReadFirst` to simulate a concurrent "Make permanent".
+ */
+function makeDbStub(expiredRows: any[]) {
+  const whereCalls: any[][] = [];
+  const reReadFirst = jest
+    .fn()
+    .mockResolvedValue({ temporaryExpiresAt: new Date(0), deletedAt: null });
+  const builder: any = {
+    selectFrom: jest.fn(() => builder),
+    select: jest.fn(() => builder),
+    where: jest.fn((...args: any[]) => {
+      whereCalls.push(args);
+      return builder;
+    }),
+    limit: jest.fn(() => builder),
+    execute: jest.fn().mockResolvedValue(expiredRows),
+    executeTakeFirst: reReadFirst,
+  };
+  return { builder, whereCalls, reReadFirst };
+}
+
+describe('TemporaryNoteCleanupService.sweepExpiredTemporaryNotes', () => {
+  it('selects only armed, expired, not-yet-trashed notes', async () => {
+    const { builder, whereCalls } = makeDbStub([]);
+    const pageRepo = { removePage: jest.fn() } as any;
+    const service = new TemporaryNoteCleanupService(builder, pageRepo);
+
+    await service.sweepExpiredTemporaryNotes();
+
+    // temporaryExpiresAt IS NOT NULL, temporaryExpiresAt < now, deletedAt IS NULL
+    const cols = whereCalls.map((c) => c[0]);
+    const ops = whereCalls.map((c) => c[1]);
+    expect(cols).toEqual([
+      'temporaryExpiresAt',
+      'temporaryExpiresAt',
+      'deletedAt',
+    ]);
+    expect(ops).toEqual(['is not', '<', 'is']);
+    // last operand is the trash filter -> null
+    expect(whereCalls[2][2]).toBeNull();
+    // The batch SELECT is capped so a large backlog is not pulled at once.
+    expect(builder.limit).toHaveBeenCalledTimes(1);
+    expect(builder.limit.mock.calls[0][0]).toBeGreaterThan(0);
+  });
+
+  it('soft-deletes each expired note via removePage, attributed to its creator', async () => {
+    const expired = [
+      { id: 'p1', creatorId: 'u1', workspaceId: 'w1' },
+      { id: 'p2', creatorId: 'u2', workspaceId: 'w1' },
+    ];
+    const { builder } = makeDbStub(expired);
+    const pageRepo = { removePage: jest.fn().mockResolvedValue(undefined) } as any;
+    const service = new TemporaryNoteCleanupService(builder, pageRepo);
+
+    await service.sweepExpiredTemporaryNotes();
+
+    expect(pageRepo.removePage).toHaveBeenCalledTimes(2);
+    expect(pageRepo.removePage).toHaveBeenNthCalledWith(1, 'p1', 'u1', 'w1');
+    expect(pageRepo.removePage).toHaveBeenNthCalledWith(2, 'p2', 'u2', 'w1');
+  });
+
+  it('continues past a failing note (one bad removePage does not abort the sweep)', async () => {
+    const expired = [
+      { id: 'bad', creatorId: 'u1', workspaceId: 'w1' },
+      { id: 'good', creatorId: 'u2', workspaceId: 'w1' },
+    ];
+    const { builder } = makeDbStub(expired);
+    const pageRepo = {
+      removePage: jest
+        .fn()
+        .mockRejectedValueOnce(new Error('boom'))
+        .mockResolvedValueOnce(undefined),
+    } as any;
+    const service = new TemporaryNoteCleanupService(builder, pageRepo);
+
+    await expect(
+      service.sweepExpiredTemporaryNotes(),
+    ).resolves.toBeUndefined();
+    expect(pageRepo.removePage).toHaveBeenCalledTimes(2);
+    expect(pageRepo.removePage).toHaveBeenNthCalledWith(2, 'good', 'u2', 'w1');
+  });
+
+  it('does NOT trash a note made permanent in the race window', async () => {
+    // The batch SELECT saw the note as expired, but before its turn in the loop
+    // the user clicked "Make permanent" (temporary_expires_at -> null). The
+    // deadline re-read must catch this and skip the delete so the keep wins.
+    const expired = [{ id: 'p1', creatorId: 'u1', workspaceId: 'w1' }];
+    const { builder, reReadFirst } = makeDbStub(expired);
+    reReadFirst.mockResolvedValueOnce({
+      temporaryExpiresAt: null,
+      deletedAt: null,
+    });
+    const pageRepo = { removePage: jest.fn() } as any;
+    const service = new TemporaryNoteCleanupService(builder, pageRepo);
+
+    await service.sweepExpiredTemporaryNotes();
+
+    expect(reReadFirst).toHaveBeenCalledTimes(1);
+    expect(pageRepo.removePage).not.toHaveBeenCalled();
+  });
+
+  it('skips a note already trashed since the batch SELECT', async () => {
+    const expired = [{ id: 'p1', creatorId: 'u1', workspaceId: 'w1' }];
+    const { builder, reReadFirst } = makeDbStub(expired);
+    reReadFirst.mockResolvedValueOnce({
+      temporaryExpiresAt: new Date(0),
+      deletedAt: new Date(),
+    });
+    const pageRepo = { removePage: jest.fn() } as any;
+    const service = new TemporaryNoteCleanupService(builder, pageRepo);
+
+    await service.sweepExpiredTemporaryNotes();
+
+    expect(pageRepo.removePage).not.toHaveBeenCalled();
+  });
+
+  it('does NOT trash a note re-armed to a future deadline in the race window', async () => {
+    // The batch SELECT saw the note as expired, but before its turn in the loop
+    // the user disarmed it and re-armed it to a fresh, still-future deadline
+    // (temporary_expires_at -> now + 1h). The deadline re-read must catch that
+    // the note is no longer expired and skip the delete so the keep wins.
+    const expired = [{ id: 'p1', creatorId: 'u1', workspaceId: 'w1' }];
+    const { builder, reReadFirst } = makeDbStub(expired);
+    reReadFirst.mockResolvedValueOnce({
+      temporaryExpiresAt: new Date(Date.now() + 60 * 60 * 1000),
+      deletedAt: null,
+    });
+    const pageRepo = { removePage: jest.fn() } as any;
+    const service = new TemporaryNoteCleanupService(builder, pageRepo);
+
+    await service.sweepExpiredTemporaryNotes();
+
+    expect(reReadFirst).toHaveBeenCalledTimes(1);
+    expect(pageRepo.removePage).not.toHaveBeenCalled();
+  });
+
+  it('does nothing when no notes are expired', async () => {
+    const { builder } = makeDbStub([]);
+    const pageRepo = { removePage: jest.fn() } as any;
+    const service = new TemporaryNoteCleanupService(builder, pageRepo);
+
+    await service.sweepExpiredTemporaryNotes();
+    expect(pageRepo.removePage).not.toHaveBeenCalled();
+  });
+});

apps/server/src/core/page/services/temporary-note-cleanup.service.ts

@@ -0,0 +1,105 @@
+import { Injectable, Logger } from '@nestjs/common';
+import { Interval } from '@nestjs/schedule';
+import { InjectKysely } from 'nestjs-kysely';
+import { KyselyDB } from '@docmost/db/types/kysely.types';
+import { PageRepo } from '@docmost/db/repos/page/page.repo';
+
+/**
+ * Background sweeper for temporary notes ("structure or die"). A note whose
+ * frozen deadline (`pages.temporary_expires_at`) has passed is auto-moved to
+ * trash via the exact same soft-delete path as a manual delete. Modelled on
+ * TrashCleanupService; `@nestjs/schedule` is already enabled globally.
+ */
+@Injectable()
+export class TemporaryNoteCleanupService {
+  private readonly logger = new Logger(TemporaryNoteCleanupService.name);
+
+  // Cap a single sweep so a large backlog (e.g. many notes created during
+  // downtime under a short lifetime) is not loaded into memory at once. The
+  // remainder is drained on the next hourly run; sub-hour overshoot is fine.
+  private static readonly SWEEP_BATCH_LIMIT = 500;
+
+  constructor(
+    @InjectKysely() private readonly db: KyselyDB,
+    private readonly pageRepo: PageRepo,
+  ) {}
+
+  // Hourly granularity: lifetimes are configured in hours, so a sub-hour
+  // overshoot past the deadline is acceptable.
+  @Interval('temporary-note-cleanup', 60 * 60 * 1000)
+  async sweepExpiredTemporaryNotes() {
+    try {
+      const now = new Date();
+
+      const expired = await this.db
+        .selectFrom('pages')
+        .select(['id', 'creatorId', 'workspaceId'])
+        .where('temporaryExpiresAt', 'is not', null)
+        .where('temporaryExpiresAt', '<', now)
+        .where('deletedAt', 'is', null) // not already in trash
+        .limit(TemporaryNoteCleanupService.SWEEP_BATCH_LIMIT)
+        .execute();
+
+      let trashed = 0;
+      for (const page of expired) {
+        try {
+          // Re-check the deadline at deletion time. The SELECT above is not
+          // transactional, so a user may click "Make permanent"
+          // (toggleTemporary sets temporary_expires_at = null) in the window
+          // between the SELECT and this per-row removePage. removePage deletes
+          // by id with only a `deletedAt IS NULL` filter and never re-reads the
+          // deadline, so without this guard a concurrently-kept note would
+          // still be trashed. Re-read the row and skip it unless it is still
+          // armed AND still expired, so a concurrent make-permanent wins.
+          const current = await this.db
+            .selectFrom('pages')
+            .select(['temporaryExpiresAt', 'deletedAt'])
+            .where('id', '=', page.id)
+            .executeTakeFirst();
+
+          if (
+            !current ||
+            current.deletedAt !== null ||
+            current.temporaryExpiresAt === null ||
+            new Date(current.temporaryExpiresAt) >= now
+          ) {
+            // Made permanent, already trashed, or no longer expired since the
+            // SELECT — leave it alone.
+            continue;
+          }
+
+          // Reuse the exact soft-delete path: recursive over children, removes
+          // shares in a transaction, and emits PAGE_SOFT_DELETED (tree
+          // invalidation + watcher notifications). Attribute the automatic
+          // deletion to the note's creator (no schema change). Both the SELECT
+          // above and removePage filter `deletedAt IS NULL`, so a double sweep
+          // is idempotent.
+          await this.pageRepo.removePage(
+            page.id,
+            // creatorId is set on every created page; a temporary note always
+            // has one. Cast to satisfy the non-null deletedById parameter.
+            page.creatorId as string,
+            page.workspaceId,
+          );
+          trashed++;
+        } catch (error) {
+          this.logger.error(
+            `Failed to trash expired temporary note ${page.id}`,
+            error instanceof Error ? error.stack : undefined,
+          );
+        }
+      }
+
+      if (trashed > 0) {
+        this.logger.debug(
+          `Temporary-note cleanup completed: ${trashed} notes trashed`,
+        );
+      }
+    } catch (error) {
+      this.logger.error(
+        'Temporary-note cleanup job failed',
+        error instanceof Error ? error.stack : undefined,
+      );
+    }
+  }
+}

apps/server/src/core/page/transclusion/dto/toggle-temporary.dto.ts

@@ -0,0 +1,15 @@
+import { IsBoolean, IsOptional, IsUUID } from 'class-validator';
+
+export class ToggleTemporaryDto {
+  @IsUUID()
+  pageId!: string;
+
+  /**
+   * When omitted, the temporary state is toggled relative to its current value.
+   * true  -> arm the timer (now + workspace temporaryNoteHours);
+   * false -> clear it (make permanent — "structure and survive").
+   */
+  @IsOptional()
+  @IsBoolean()
+  temporary?: boolean;
+}

apps/server/src/core/page/transclusion/page-template.controller.ts

@@ -16,8 +16,12 @@ import { TemplateLookupDto } from './dto/template-lookup.dto';
 import { PageRepo } from '@docmost/db/repos/page/page.repo';
 import { PageAccessService } from '../page-access/page-access.service';
 import { ToggleTemplateDto } from './dto/toggle-template.dto';
+import { ToggleTemporaryDto } from './dto/toggle-temporary.dto';
 import { UserThrottlerGuard } from '../../../integrations/throttle/user-throttler.guard';
 import { PAGE_TEMPLATE_THROTTLER } from '../../../integrations/throttle/throttler-names';
+import { InjectKysely } from 'nestjs-kysely';
+import { KyselyDB } from '@docmost/db/types/kysely.types';
+import { DEFAULT_TEMPORARY_NOTE_HOURS } from '../constants/temporary-note.constants';
 
 @UseGuards(JwtAuthGuard)
 @Controller('pages')
@@ -26,6 +30,7 @@ export class PageTemplateController {
     private readonly transclusionService: TransclusionService,
     private readonly pageRepo: PageRepo,
     private readonly pageAccessService: PageAccessService,
+    @InjectKysely() private readonly db: KyselyDB,
   ) {}
 
   /**
@@ -82,4 +87,54 @@ export class PageTemplateController {
 
     return { pageId: page.id, isTemplate };
   }
+
+  /**
+   * Arm or disarm the "death timer" on a page (`pages.temporary_expires_at`).
+   * Mirror of toggle-template: requires Edit on the page/space (CASL enforced in
+   * `validateCanEdit`). Arming freezes the deadline at now + the workspace's
+   * temporaryNoteHours; disarming ("Make permanent") clears it. Same workspace
+   * defense-in-depth as toggle-template (NotFound, never Forbidden, on mismatch).
+   */
+  @UseGuards(JwtAuthGuard, UserThrottlerGuard)
+  @Throttle({ [PAGE_TEMPLATE_THROTTLER]: { limit: 30, ttl: 60000 } })
+  @HttpCode(HttpStatus.OK)
+  @Post('toggle-temporary')
+  async toggleTemporary(
+    @Body() dto: ToggleTemporaryDto,
+    @AuthUser() user: User,
+  ) {
+    const page = await this.pageRepo.findById(dto.pageId);
+    if (!page || page.deletedAt) {
+      throw new NotFoundException('Page not found');
+    }
+
+    if (page.workspaceId !== user.workspaceId) {
+      // Defense-in-depth: never act on a page outside the caller's workspace.
+      // Use NotFound (not Forbidden) to avoid leaking cross-workspace existence.
+      throw new NotFoundException('Page not found');
+    }
+
+    await this.pageAccessService.validateCanEdit(page, user);
+
+    const makeTemporary =
+      typeof dto.temporary === 'boolean'
+        ? dto.temporary
+        : page.temporaryExpiresAt == null;
+
+    let temporaryExpiresAt: Date | null = null;
+    if (makeTemporary) {
+      const workspace = await this.db
+        .selectFrom('workspaces')
+        .select(['temporaryNoteHours'])
+        .where('id', '=', user.workspaceId)
+        .executeTakeFirst();
+      const hours =
+        workspace?.temporaryNoteHours ?? DEFAULT_TEMPORARY_NOTE_HOURS;
+      temporaryExpiresAt = new Date(Date.now() + hours * 60 * 60 * 1000);
+    }
+
+    await this.pageRepo.updatePage({ temporaryExpiresAt }, page.id);
+
+    return { pageId: page.id, temporaryExpiresAt };
+  }
 }

apps/server/src/core/page/transclusion/spec/page-template.controller.spec.ts

@@ -9,6 +9,7 @@ import { PageRepo } from '@docmost/db/repos/page/page.repo';
 import { PageAccessService } from '../../page-access/page-access.service';
 import { JwtAuthGuard } from '../../../../common/guards/jwt-auth.guard';
 import { UserThrottlerGuard } from '../../../../integrations/throttle/user-throttler.guard';
+import { KYSELY_MODULE_CONNECTION_TOKEN } from 'nestjs-kysely';
 
 describe('PageTemplateController.toggleTemplate', () => {
   let controller: PageTemplateController;
@@ -40,6 +41,8 @@ describe('PageTemplateController.toggleTemplate', () => {
         { provide: TransclusionService, useValue: transclusionService },
         { provide: PageRepo, useValue: pageRepo },
         { provide: PageAccessService, useValue: pageAccessService },
+        // toggleTemporary reads the workspace lifetime; toggleTemplate ignores it.
+        { provide: KYSELY_MODULE_CONNECTION_TOKEN(), useValue: {} },
       ],
     })
       .overrideGuard(JwtAuthGuard)

apps/server/src/core/page/transclusion/spec/page-temporary.controller.spec.ts

@@ -0,0 +1,220 @@
+import { Test } from '@nestjs/testing';
+import { ForbiddenException, NotFoundException } from '@nestjs/common';
+import { plainToInstance } from 'class-transformer';
+import { validate } from 'class-validator';
+import { KYSELY_MODULE_CONNECTION_TOKEN } from 'nestjs-kysely';
+import { PageTemplateController } from '../page-template.controller';
+import { TransclusionService } from '../transclusion.service';
+import { ToggleTemporaryDto } from '../dto/toggle-temporary.dto';
+import { PageRepo } from '@docmost/db/repos/page/page.repo';
+import { PageAccessService } from '../../page-access/page-access.service';
+import { JwtAuthGuard } from '../../../../common/guards/jwt-auth.guard';
+import { UserThrottlerGuard } from '../../../../integrations/throttle/user-throttler.guard';
+import { DEFAULT_TEMPORARY_NOTE_HOURS } from '../../constants/temporary-note.constants';
+
+/**
+ * Minimal chainable Kysely stub: every builder method returns `this`, and the
+ * terminal `executeTakeFirst` resolves the configured workspace row.
+ */
+function makeDbStub(workspaceRow: { temporaryNoteHours: number | null } | undefined) {
+  const builder: any = {
+    selectFrom: () => builder,
+    select: () => builder,
+    where: () => builder,
+    executeTakeFirst: jest.fn().mockResolvedValue(workspaceRow),
+  };
+  return builder;
+}
+
+describe('PageTemplateController.toggleTemporary', () => {
+  let controller: PageTemplateController;
+  let pageRepo: { findById: jest.Mock; updatePage: jest.Mock };
+  let pageAccessService: { validateCanEdit: jest.Mock };
+
+  const user = { id: 'u1', workspaceId: 'w1' } as any;
+
+  async function buildController(
+    page: any,
+    workspaceRow: { temporaryNoteHours: number | null } | undefined = {
+      temporaryNoteHours: null,
+    },
+  ) {
+    pageRepo = {
+      findById: jest.fn().mockResolvedValue(page),
+      updatePage: jest.fn().mockResolvedValue(undefined),
+    };
+    pageAccessService = {
+      validateCanEdit: jest.fn().mockResolvedValue(undefined),
+    };
+
+    const module = await Test.createTestingModule({
+      controllers: [PageTemplateController],
+      providers: [
+        { provide: TransclusionService, useValue: { lookupTemplate: jest.fn() } },
+        { provide: PageRepo, useValue: pageRepo },
+        { provide: PageAccessService, useValue: pageAccessService },
+        {
+          provide: KYSELY_MODULE_CONNECTION_TOKEN(),
+          useValue: makeDbStub(workspaceRow),
+        },
+      ],
+    })
+      .overrideGuard(JwtAuthGuard)
+      .useValue({ canActivate: () => true })
+      .overrideGuard(UserThrottlerGuard)
+      .useValue({ canActivate: () => true })
+      .compile();
+
+    controller = module.get(PageTemplateController);
+  }
+
+  beforeEach(() => {
+    jest.useFakeTimers().setSystemTime(new Date('2026-06-26T00:00:00.000Z'));
+  });
+
+  afterEach(() => {
+    jest.useRealTimers();
+  });
+
+  it('throws NotFound and does not touch the page when missing', async () => {
+    await buildController(null);
+    await expect(
+      controller.toggleTemporary({ pageId: 'p1' } as any, user),
+    ).rejects.toBeInstanceOf(NotFoundException);
+    expect(pageAccessService.validateCanEdit).not.toHaveBeenCalled();
+    expect(pageRepo.updatePage).not.toHaveBeenCalled();
+  });
+
+  it('throws NotFound (not Forbidden) for a cross-workspace page', async () => {
+    await buildController({
+      id: 'p1',
+      workspaceId: 'OTHER',
+      deletedAt: null,
+      temporaryExpiresAt: null,
+    });
+    await expect(
+      controller.toggleTemporary({ pageId: 'p1' } as any, user),
+    ).rejects.toBeInstanceOf(NotFoundException);
+    expect(pageRepo.updatePage).not.toHaveBeenCalled();
+  });
+
+  it('enforces CASL edit: when validateCanEdit throws, the timer is NOT changed', async () => {
+    await buildController({
+      id: 'p1',
+      workspaceId: 'w1',
+      deletedAt: null,
+      temporaryExpiresAt: null,
+    });
+    pageAccessService.validateCanEdit.mockRejectedValue(new ForbiddenException());
+    await expect(
+      controller.toggleTemporary({ pageId: 'p1' } as any, user),
+    ).rejects.toBeInstanceOf(ForbiddenException);
+    expect(pageRepo.updatePage).not.toHaveBeenCalled();
+  });
+
+  it('arms the timer (toggle) using the default hours when the page is permanent', async () => {
+    await buildController({
+      id: 'p1',
+      workspaceId: 'w1',
+      deletedAt: null,
+      temporaryExpiresAt: null,
+    });
+    const out = await controller.toggleTemporary({ pageId: 'p1' } as any, user);
+
+    const expected = new Date(
+      Date.now() + DEFAULT_TEMPORARY_NOTE_HOURS * 60 * 60 * 1000,
+    );
+    expect(pageAccessService.validateCanEdit).toHaveBeenCalled();
+    expect(pageRepo.updatePage).toHaveBeenCalledWith(
+      { temporaryExpiresAt: expected },
+      'p1',
+    );
+    expect(out).toEqual({ pageId: 'p1', temporaryExpiresAt: expected });
+  });
+
+  it('uses the workspace temporaryNoteHours override when set', async () => {
+    await buildController(
+      {
+        id: 'p1',
+        workspaceId: 'w1',
+        deletedAt: null,
+        temporaryExpiresAt: null,
+      },
+      { temporaryNoteHours: 3 },
+    );
+    const out = await controller.toggleTemporary({ pageId: 'p1' } as any, user);
+    const expected = new Date(Date.now() + 3 * 60 * 60 * 1000);
+    expect(pageRepo.updatePage).toHaveBeenCalledWith(
+      { temporaryExpiresAt: expected },
+      'p1',
+    );
+    expect(out.temporaryExpiresAt).toEqual(expected);
+  });
+
+  it('clears the timer (make permanent) when toggling an armed note', async () => {
+    await buildController({
+      id: 'p1',
+      workspaceId: 'w1',
+      deletedAt: null,
+      temporaryExpiresAt: new Date('2026-06-27T00:00:00.000Z'),
+    });
+    const out = await controller.toggleTemporary({ pageId: 'p1' } as any, user);
+    expect(pageRepo.updatePage).toHaveBeenCalledWith(
+      { temporaryExpiresAt: null },
+      'p1',
+    );
+    expect(out).toEqual({ pageId: 'p1', temporaryExpiresAt: null });
+  });
+
+  it('respects an explicit temporary:false instead of toggling', async () => {
+    await buildController({
+      id: 'p1',
+      workspaceId: 'w1',
+      deletedAt: null,
+      temporaryExpiresAt: null, // already permanent, but explicit false
+    });
+    const out = await controller.toggleTemporary(
+      { pageId: 'p1', temporary: false } as any,
+      user,
+    );
+    expect(pageRepo.updatePage).toHaveBeenCalledWith(
+      { temporaryExpiresAt: null },
+      'p1',
+    );
+    expect(out.temporaryExpiresAt).toBeNull();
+  });
+});
+
+describe('ToggleTemporaryDto validation (class-validator)', () => {
+  const uuid = '00000000-0000-4000-8000-000000000001';
+
+  it('accepts a valid UUID with no flag (toggle)', async () => {
+    const dto = plainToInstance(ToggleTemporaryDto, { pageId: uuid });
+    expect(await validate(dto)).toHaveLength(0);
+  });
+
+  it('accepts an explicit boolean temporary', async () => {
+    const dto = plainToInstance(ToggleTemporaryDto, {
+      pageId: uuid,
+      temporary: true,
+    });
+    expect(await validate(dto)).toHaveLength(0);
+  });
+
+  it('rejects a non-UUID pageId', async () => {
+    const dto = plainToInstance(ToggleTemporaryDto, { pageId: 'nope' });
+    const errors = await validate(dto);
+    expect(errors).toHaveLength(1);
+    expect(errors[0].constraints).toHaveProperty('isUuid');
+  });
+
+  it('rejects a non-boolean temporary', async () => {
+    const dto = plainToInstance(ToggleTemporaryDto, {
+      pageId: uuid,
+      temporary: 'yes',
+    });
+    const errors = await validate(dto);
+    expect(errors).toHaveLength(1);
+    expect(errors[0].constraints).toHaveProperty('isBoolean');
+  });
+});

apps/server/src/core/share/dto/share-alias.dto.ts

@@ -0,0 +1,44 @@
+import {
+  IsBoolean,
+  IsNotEmpty,
+  IsOptional,
+  IsString,
+} from 'class-validator';
+
+/**
+ * Create/retarget a vanity alias for a page. `confirmReassign` is the
+ * two-step guard for the "address already points at another page" case: the
+ * first call without it gets a 409 carrying the current target, the client
+ * confirms, and retries with `confirmReassign: true`.
+ */
+export class SetShareAliasDto {
+  @IsString()
+  @IsNotEmpty()
+  pageId: string;
+
+  @IsString()
+  @IsNotEmpty()
+  alias: string;
+
+  @IsBoolean()
+  @IsOptional()
+  confirmReassign?: boolean;
+}
+
+export class RemoveShareAliasDto {
+  @IsString()
+  @IsNotEmpty()
+  aliasId: string;
+}
+
+export class ShareAliasAvailabilityDto {
+  @IsString()
+  @IsNotEmpty()
+  alias: string;
+}
+
+export class ShareAliasForPageDto {
+  @IsString()
+  @IsNotEmpty()
+  pageId: string;
+}

apps/server/src/core/share/share-alias-redirect.controller.spec.ts

@@ -0,0 +1,252 @@
+import * as fs from 'node:fs';
+
+// `@sindresorhus/slugify` is ESM-only and not in jest's transformIgnorePatterns,
+// so the real module fails to parse under ts-jest. Stub it with a minimal,
+// deterministic slugifier — this spec asserts the controller's slug *assembly*
+// (`<title-slug>-<slugId>`, 70-char clamp, `untitled` fallback), not the upstream
+// slug algorithm. The factory keeps the real ESM module from ever being loaded.
+jest.mock('@sindresorhus/slugify', () => ({
+  __esModule: true,
+  default: (input: string) =>
+    String(input)
+      .toLowerCase()
+      .trim()
+      .replace(/[^a-z0-9]+/g, '-')
+      .replace(/^-+|-+$/g, ''),
+}));
+
+import { ShareAliasRedirectController } from './share-alias-redirect.controller';
+
+/**
+ * Routing/leak guard for the PUBLIC `GET /l/:alias` resolver.
+ *
+ * This is the most security-sensitive surface of the alias feature: an
+ * unauthenticated route that MUST serve the plain SPA index (exactly like any
+ * unknown path) for an unknown / dangling / no-longer-readable alias so that the
+ * existence of a name never leaks. Only a resolvable, still-readable alias may
+ * 302 to the canonical `/share/<key>/p/<title-slug>-<slugId>` page (302 — never
+ * 301 — because the target is retargetable). These tests pin that routing and
+ * the defensive percent-decoding, mirroring `share-seo.controller.routing.spec`.
+ */
+
+const STREAM_SENTINEL = { __isStream: true } as unknown as fs.ReadStream;
+
+// Stub fs at CALL time (jest.spyOn), NOT module load (jest.mock): the controller
+// transitively pulls bcrypt, whose native module is located by node-gyp-build
+// reading the filesystem at import time — a module-level fs mock breaks that.
+beforeEach(() => {
+  jest.spyOn(fs, 'existsSync').mockReturnValue(true);
+  jest.spyOn(fs, 'createReadStream').mockReturnValue(STREAM_SENTINEL);
+});
+afterEach(() => jest.restoreAllMocks());
+
+function makeRes() {
+  const res: any = {
+    sent: undefined as unknown,
+    statusCode: undefined as number | undefined,
+    redirectUrl: undefined as string | undefined,
+    type: jest.fn(() => res),
+    status: jest.fn((code: number) => {
+      res.statusCode = code;
+      return res;
+    }),
+    send: jest.fn((v: unknown) => {
+      res.sent = v;
+      return res;
+    }),
+    redirect: jest.fn((url: string, code: number) => {
+      res.redirectUrl = url;
+      res.statusCode = code;
+      return res;
+    }),
+  };
+  return res;
+}
+
+function makeController(opts: {
+  resolved?: { share: any; page: any } | null;
+  selfHosted?: boolean;
+}) {
+  const shareAliasService = {
+    resolveReadableTarget: jest.fn(async () => opts.resolved ?? null),
+  };
+  const workspaceRepo = {
+    findFirst: jest.fn(async () => ({ id: 'ws-self' })),
+    findByHostname: jest.fn(async (sub: string) =>
+      sub === 'acme' ? { id: 'ws-acme' } : null,
+    ),
+  };
+  const environmentService = {
+    isSelfHosted: jest.fn(() => opts.selfHosted ?? true),
+  };
+  const controller = new ShareAliasRedirectController(
+    shareAliasService as any,
+    workspaceRepo as any,
+    environmentService as any,
+  );
+  return { controller, shareAliasService, workspaceRepo, environmentService };
+}
+
+const selfReq: any = { raw: { headers: { host: 'self' } } };
+
+describe('ShareAliasRedirectController.resolve', () => {
+  it('302-redirects a resolvable alias to the canonical share page', async () => {
+    const { controller, shareAliasService } = makeController({
+      resolved: {
+        share: { key: 'SHAREKEY' },
+        page: { slugId: 'abc123', title: 'Quarterly Report' },
+      },
+    });
+    const res = makeRes();
+
+    await controller.resolve('promo', selfReq, res);
+
+    expect(shareAliasService.resolveReadableTarget).toHaveBeenCalledWith(
+      'promo',
+      'ws-self',
+    );
+    expect(res.redirect).toHaveBeenCalledWith(
+      '/share/SHAREKEY/p/quarterly-report-abc123',
+      302,
+    );
+    // No index stream was served on a hit.
+    expect(res.sent).toBeUndefined();
+  });
+
+  it('falls back to "untitled" in the slug when the target has no title', async () => {
+    const { controller } = makeController({
+      resolved: { share: { key: 'K' }, page: { slugId: 'sid', title: '' } },
+    });
+    const res = makeRes();
+
+    await controller.resolve('promo', selfReq, res);
+
+    expect(res.redirect).toHaveBeenCalledWith('/share/K/p/untitled-sid', 302);
+  });
+
+  it('clamps the title-slug to the first 70 characters of the page title', async () => {
+    // 119-char title; only the first 70 chars must reach the slug. The 70-char
+    // boundary deliberately falls mid-word ("Entire" -> "entir") so the clamp is
+    // unambiguous: anything past char 70 ("...e Fiscal Year...") must be dropped.
+    const longTitle =
+      'The Comprehensive Quarterly Financial Performance Report For The Entire Fiscal Year Two Thousand Twenty Five And Beyond';
+    const { controller } = makeController({
+      resolved: {
+        share: { key: 'K' },
+        page: { slugId: 'sid', title: longTitle },
+      },
+    });
+    const res = makeRes();
+
+    await controller.resolve('promo', selfReq, res);
+
+    expect(res.redirect).toHaveBeenCalledWith(
+      '/share/K/p/the-comprehensive-quarterly-financial-performance-report-for-the-entir-sid',
+      302,
+    );
+  });
+
+  it('streams the SPA index WITHOUT a 302 for an unknown/dangling/unreadable alias (no leak)', async () => {
+    const { controller, shareAliasService } = makeController({ resolved: null });
+    const res = makeRes();
+
+    await controller.resolve('does-not-exist', selfReq, res);
+
+    expect(shareAliasService.resolveReadableTarget).toHaveBeenCalled();
+    // The plain index stream was served and no redirect leaked alias existence.
+    expect(res.redirect).not.toHaveBeenCalled();
+    expect(res.sent).toBe(STREAM_SENTINEL);
+    expect(res.type).toHaveBeenCalledWith('text/html');
+  });
+
+  it('streams the SPA index without even resolving when the workspace is null', async () => {
+    // Subdomain host that maps to no workspace => workspace === null.
+    const { controller, shareAliasService, workspaceRepo } = makeController({
+      selfHosted: false,
+    });
+    const res = makeRes();
+    const req: any = { raw: { headers: { host: 'unknown.example.com' } } };
+
+    await controller.resolve('promo', req, res);
+
+    expect(workspaceRepo.findByHostname).toHaveBeenCalledWith('unknown');
+    // Never even attempts to resolve (alias existence cannot leak per-host).
+    expect(shareAliasService.resolveReadableTarget).not.toHaveBeenCalled();
+    expect(res.redirect).not.toHaveBeenCalled();
+    expect(res.sent).toBe(STREAM_SENTINEL);
+  });
+
+  it('defensively decodes broken percent-encoding and treats it as unknown', async () => {
+    const { controller, shareAliasService } = makeController({ resolved: null });
+    const res = makeRes();
+
+    // '%E0%A4%A' is invalid -> decodeURIComponent throws -> raw value is used,
+    // and the alias resolves to nothing (no crash, served as index).
+    await controller.resolve('%E0%A4%A', selfReq, res);
+
+    expect(shareAliasService.resolveReadableTarget).toHaveBeenCalledWith(
+      '%E0%A4%A',
+      'ws-self',
+    );
+    expect(res.redirect).not.toHaveBeenCalled();
+    expect(res.sent).toBe(STREAM_SENTINEL);
+  });
+
+  it('decodes a valid percent-encoded alias before resolving', async () => {
+    const { controller, shareAliasService } = makeController({ resolved: null });
+    const res = makeRes();
+
+    await controller.resolve('my%2Dlink', selfReq, res);
+
+    expect(shareAliasService.resolveReadableTarget).toHaveBeenCalledWith(
+      'my-link',
+      'ws-self',
+    );
+  });
+
+  it('resolves the workspace via findFirst on the self-hosted path', async () => {
+    const { controller, workspaceRepo, shareAliasService } = makeController({
+      selfHosted: true,
+      resolved: null,
+    });
+    const res = makeRes();
+
+    await controller.resolve('promo', selfReq, res);
+
+    expect(workspaceRepo.findFirst).toHaveBeenCalled();
+    expect(workspaceRepo.findByHostname).not.toHaveBeenCalled();
+    expect(shareAliasService.resolveReadableTarget).toHaveBeenCalledWith(
+      'promo',
+      'ws-self',
+    );
+  });
+
+  it('resolves the workspace via findByHostname (subdomain) on the cloud path', async () => {
+    const { controller, workspaceRepo, shareAliasService } = makeController({
+      selfHosted: false,
+      resolved: null,
+    });
+    const res = makeRes();
+    const req: any = { raw: { headers: { host: 'acme.example.com' } } };
+
+    await controller.resolve('promo', req, res);
+
+    expect(workspaceRepo.findByHostname).toHaveBeenCalledWith('acme');
+    expect(workspaceRepo.findFirst).not.toHaveBeenCalled();
+    expect(shareAliasService.resolveReadableTarget).toHaveBeenCalledWith(
+      'promo',
+      'ws-acme',
+    );
+  });
+
+  it('serves a 404 when no built client index exists', async () => {
+    jest.spyOn(fs, 'existsSync').mockReturnValue(false);
+    const { controller } = makeController({ resolved: null });
+    const res = makeRes();
+
+    await controller.resolve('promo', selfReq, res);
+
+    expect(res.status).toHaveBeenCalledWith(404);
+    expect(res.redirect).not.toHaveBeenCalled();
+  });
+});

apps/server/src/core/share/share-alias-redirect.controller.ts

@@ -0,0 +1,95 @@
+import { Controller, Get, Param, Req, Res } from '@nestjs/common';
+import { FastifyReply, FastifyRequest } from 'fastify';
+import { join } from 'path';
+import * as fs from 'node:fs';
+import slugify from '@sindresorhus/slugify';
+import { WorkspaceRepo } from '@docmost/db/repos/workspace/workspace.repo';
+import { EnvironmentService } from '../../integrations/environment/environment.service';
+import { Workspace } from '@docmost/db/types/entity.types';
+import { ShareAliasService } from './share-alias.service';
+
+/**
+ * Public resolver for vanity links `GET /l/:alias`. Excluded from the global
+ * `/api` prefix (see main.ts) and parallel to ShareSeoController.
+ *
+ * On a hit it issues a 302 (NEVER 301) to the canonical
+ * `/share/:key/p/:slug` page, so:
+ *   - the existing share render + SSR meta is reused verbatim (crawlers follow
+ *     the 302 and get the correct preview);
+ *   - because the alias target is mutable, a temporary redirect is always
+ *     re-resolved — a cached 301 would pin clients to the pre-swap page.
+ *
+ * Any unknown / dangling / no-longer-readable alias serves the plain SPA index
+ * (same as any unknown path) so the existence of a name never leaks.
+ */
+@Controller('l')
+export class ShareAliasRedirectController {
+  constructor(
+    private readonly shareAliasService: ShareAliasService,
+    private readonly workspaceRepo: WorkspaceRepo,
+    private readonly environmentService: EnvironmentService,
+  ) {}
+
+  @Get(':alias')
+  async resolve(
+    @Param('alias') rawAlias: string,
+    @Req() req: FastifyRequest,
+    @Res({ passthrough: false }) res: FastifyReply,
+  ) {
+    // NestJS does not apply middlewares to paths excluded from the global /api
+    // prefix, so the DomainMiddleware workspace resolution is duplicated here
+    // (same workaround as ShareSeoController).
+    let workspace: Workspace = null;
+    if (this.environmentService.isSelfHosted()) {
+      workspace = await this.workspaceRepo.findFirst();
+    } else {
+      const header = req.raw.headers.host;
+      const subdomain = header?.split('.')[0];
+      workspace = subdomain
+        ? await this.workspaceRepo.findByHostname(subdomain)
+        : null;
+    }
+
+    const clientDistPath = join(__dirname, '..', '..', '..', '..', 'client/dist');
+    const indexFilePath = join(clientDistPath, 'index.html');
+
+    let decoded = rawAlias;
+    try {
+      decoded = decodeURIComponent(rawAlias);
+    } catch {
+      // Malformed percent-encoding -> treat as unknown alias.
+    }
+
+    const resolved = workspace
+      ? await this.shareAliasService.resolveReadableTarget(
+          decoded,
+          workspace.id,
+        )
+      : null;
+
+    if (!resolved) {
+      return this.sendIndex(indexFilePath, res);
+    }
+
+    const slug = buildPageSlug(resolved.page.slugId, resolved.page.title);
+    // 302, NOT 301: the alias is retargetable, so the redirect must always be
+    // re-resolved by clients/crawlers.
+    return res.redirect(`/share/${resolved.share.key}/p/${slug}`, 302);
+  }
+
+  private sendIndex(indexFilePath: string, res: FastifyReply) {
+    if (!fs.existsSync(indexFilePath)) {
+      // No built client (e.g. API-only dev): nothing to serve.
+      res.status(404).send('Not found');
+      return;
+    }
+    const stream = fs.createReadStream(indexFilePath);
+    res.type('text/html').send(stream);
+  }
+}
+
+/** Canonical share page slug: `<title-slug>-<slugId>` (mirrors the client). */
+function buildPageSlug(slugId: string, title?: string): string {
+  const titleSlug = slugify(title?.substring(0, 70) || 'untitled');
+  return `${titleSlug}-${slugId}`;
+}

apps/server/src/core/share/share-alias.controller.spec.ts

@@ -0,0 +1,260 @@
+import {
+  BadRequestException,
+  ForbiddenException,
+  NotFoundException,
+} from '@nestjs/common';
+import { ShareAliasController } from './share-alias.controller';
+
+/**
+ * Authz-gate tests for the authenticated alias management controller. The access
+ * decisions for creating/retargeting/removing an alias live in THIS controller
+ * (the service spec delegates authorization to the caller), so each gate is
+ * pinned here against mocked PageRepo / ShareService / ShareAliasService /
+ * PageAccessService. A regression that drops any gate must fail here.
+ */
+describe('ShareAliasController authz gates', () => {
+  function makeController() {
+    const shareAliasService = {
+      setAlias: jest.fn(async () => ({ id: 'alias-1' })),
+      removeAlias: jest.fn(async () => undefined),
+      getAliasById: jest.fn(),
+      getAliasForPage: jest.fn(),
+      checkAvailability: jest.fn(),
+    };
+    const shareService = {
+      resolveReadableSharePage: jest.fn(),
+      isSharingAllowed: jest.fn(),
+    };
+    const pageRepo = { findById: jest.fn() };
+    const pageAccessService = {
+      validateCanEdit: jest.fn(async () => undefined),
+      validateCanView: jest.fn(async () => undefined),
+    };
+    const controller = new ShareAliasController(
+      shareAliasService as any,
+      shareService as any,
+      pageRepo as any,
+      pageAccessService as any,
+    );
+    return {
+      controller,
+      shareAliasService,
+      shareService,
+      pageRepo,
+      pageAccessService,
+    };
+  }
+
+  const user: any = { id: 'u-1' };
+  const workspace: any = { id: 'ws-1' };
+
+  describe('set', () => {
+    it('throws NotFoundException for a nonexistent page', async () => {
+      const { controller, pageRepo, pageAccessService } = makeController();
+      pageRepo.findById.mockResolvedValue(null);
+
+      await expect(
+        controller.set({ pageId: 'p-x', alias: 'promo' } as any, user, workspace),
+      ).rejects.toBeInstanceOf(NotFoundException);
+      expect(pageAccessService.validateCanEdit).not.toHaveBeenCalled();
+    });
+
+    it('throws NotFoundException for a page in another workspace', async () => {
+      const { controller, pageRepo } = makeController();
+      pageRepo.findById.mockResolvedValue({
+        id: 'p-1',
+        workspaceId: 'ws-OTHER',
+      });
+
+      await expect(
+        controller.set({ pageId: 'p-1', alias: 'promo' } as any, user, workspace),
+      ).rejects.toBeInstanceOf(NotFoundException);
+    });
+
+    it('enforces validateCanEdit before setting the alias', async () => {
+      const { controller, pageRepo, pageAccessService, shareService } =
+        makeController();
+      pageRepo.findById.mockResolvedValue({ id: 'p-1', workspaceId: 'ws-1' });
+      pageAccessService.validateCanEdit.mockRejectedValue(
+        new ForbiddenException('no edit'),
+      );
+
+      await expect(
+        controller.set({ pageId: 'p-1', alias: 'promo' } as any, user, workspace),
+      ).rejects.toBeInstanceOf(ForbiddenException);
+      // Gate short-circuits before any share resolution.
+      expect(shareService.resolveReadableSharePage).not.toHaveBeenCalled();
+    });
+
+    it('throws BadRequestException when the page is not publicly shared', async () => {
+      const { controller, pageRepo, shareService } = makeController();
+      pageRepo.findById.mockResolvedValue({ id: 'p-1', workspaceId: 'ws-1' });
+      shareService.resolveReadableSharePage.mockResolvedValue(null);
+
+      await expect(
+        controller.set({ pageId: 'p-1', alias: 'promo' } as any, user, workspace),
+      ).rejects.toThrow('Page is not publicly shared');
+      await expect(
+        controller.set({ pageId: 'p-1', alias: 'promo' } as any, user, workspace),
+      ).rejects.toBeInstanceOf(BadRequestException);
+    });
+
+    it('throws ForbiddenException when public sharing is disabled', async () => {
+      const { controller, pageRepo, shareService } = makeController();
+      pageRepo.findById.mockResolvedValue({ id: 'p-1', workspaceId: 'ws-1' });
+      shareService.resolveReadableSharePage.mockResolvedValue({
+        share: { spaceId: 'sp-1' },
+      });
+      shareService.isSharingAllowed.mockResolvedValue(false);
+
+      await expect(
+        controller.set({ pageId: 'p-1', alias: 'promo' } as any, user, workspace),
+      ).rejects.toBeInstanceOf(ForbiddenException);
+    });
+
+    it('delegates to setAlias on the happy path with all gates passed', async () => {
+      const { controller, pageRepo, shareService, shareAliasService } =
+        makeController();
+      pageRepo.findById.mockResolvedValue({ id: 'p-1', workspaceId: 'ws-1' });
+      shareService.resolveReadableSharePage.mockResolvedValue({
+        share: { spaceId: 'sp-1' },
+      });
+      shareService.isSharingAllowed.mockResolvedValue(true);
+
+      const result = await controller.set(
+        { pageId: 'p-1', alias: 'promo', confirmReassign: true } as any,
+        user,
+        workspace,
+      );
+
+      expect(shareAliasService.setAlias).toHaveBeenCalledWith({
+        workspaceId: 'ws-1',
+        pageId: 'p-1',
+        creatorId: 'u-1',
+        alias: 'promo',
+        confirmReassign: true,
+      });
+      expect(result).toEqual({ id: 'alias-1' });
+    });
+  });
+
+  describe('remove', () => {
+    it('throws NotFoundException for an unknown alias', async () => {
+      const { controller, shareAliasService } = makeController();
+      shareAliasService.getAliasById.mockResolvedValue(null);
+
+      await expect(
+        controller.remove({ aliasId: 'a-x' } as any, user, workspace),
+      ).rejects.toBeInstanceOf(NotFoundException);
+      expect(shareAliasService.removeAlias).not.toHaveBeenCalled();
+    });
+
+    it('requires validateCanEdit on the current target before removing', async () => {
+      const { controller, shareAliasService, pageRepo, pageAccessService } =
+        makeController();
+      shareAliasService.getAliasById.mockResolvedValue({
+        id: 'a-1',
+        pageId: 'p-1',
+      });
+      pageRepo.findById.mockResolvedValue({ id: 'p-1', workspaceId: 'ws-1' });
+      pageAccessService.validateCanEdit.mockRejectedValue(
+        new ForbiddenException('no edit'),
+      );
+
+      await expect(
+        controller.remove({ aliasId: 'a-1' } as any, user, workspace),
+      ).rejects.toBeInstanceOf(ForbiddenException);
+      expect(shareAliasService.removeAlias).not.toHaveBeenCalled();
+    });
+
+    it('removes a dangling alias (pageId null) WITHOUT an edit check', async () => {
+      const { controller, shareAliasService, pageRepo, pageAccessService } =
+        makeController();
+      shareAliasService.getAliasById.mockResolvedValue({
+        id: 'a-1',
+        pageId: null,
+      });
+
+      await controller.remove({ aliasId: 'a-1' } as any, user, workspace);
+
+      expect(pageRepo.findById).not.toHaveBeenCalled();
+      expect(pageAccessService.validateCanEdit).not.toHaveBeenCalled();
+      expect(shareAliasService.removeAlias).toHaveBeenCalledWith('a-1', 'ws-1');
+    });
+
+    it('removes when the editor can edit the current target', async () => {
+      const { controller, shareAliasService, pageRepo, pageAccessService } =
+        makeController();
+      shareAliasService.getAliasById.mockResolvedValue({
+        id: 'a-1',
+        pageId: 'p-1',
+      });
+      pageRepo.findById.mockResolvedValue({ id: 'p-1', workspaceId: 'ws-1' });
+
+      await controller.remove({ aliasId: 'a-1' } as any, user, workspace);
+
+      expect(pageAccessService.validateCanEdit).toHaveBeenCalled();
+      expect(shareAliasService.removeAlias).toHaveBeenCalledWith('a-1', 'ws-1');
+    });
+
+    it('removes even if the recorded target page no longer exists', async () => {
+      const { controller, shareAliasService, pageRepo, pageAccessService } =
+        makeController();
+      shareAliasService.getAliasById.mockResolvedValue({
+        id: 'a-1',
+        pageId: 'p-gone',
+      });
+      pageRepo.findById.mockResolvedValue(null);
+
+      await controller.remove({ aliasId: 'a-1' } as any, user, workspace);
+
+      expect(pageAccessService.validateCanEdit).not.toHaveBeenCalled();
+      expect(shareAliasService.removeAlias).toHaveBeenCalledWith('a-1', 'ws-1');
+    });
+  });
+
+  describe('forPage', () => {
+    it('throws NotFoundException for a cross-workspace/nonexistent page', async () => {
+      const { controller, pageRepo, pageAccessService } = makeController();
+      pageRepo.findById.mockResolvedValue({
+        id: 'p-1',
+        workspaceId: 'ws-OTHER',
+      });
+
+      await expect(
+        controller.forPage({ pageId: 'p-1' } as any, user, workspace),
+      ).rejects.toBeInstanceOf(NotFoundException);
+      expect(pageAccessService.validateCanView).not.toHaveBeenCalled();
+    });
+
+    it('requires validateCanView and returns the alias (or null)', async () => {
+      const { controller, pageRepo, pageAccessService, shareAliasService } =
+        makeController();
+      pageRepo.findById.mockResolvedValue({ id: 'p-1', workspaceId: 'ws-1' });
+      shareAliasService.getAliasForPage.mockResolvedValue({ id: 'a-1' });
+
+      const result = await controller.forPage(
+        { pageId: 'p-1' } as any,
+        user,
+        workspace,
+      );
+
+      expect(pageAccessService.validateCanView).toHaveBeenCalled();
+      expect(result).toEqual({ id: 'a-1' });
+    });
+
+    it('returns null when the page has no alias', async () => {
+      const { controller, pageRepo, shareAliasService } = makeController();
+      pageRepo.findById.mockResolvedValue({ id: 'p-1', workspaceId: 'ws-1' });
+      shareAliasService.getAliasForPage.mockResolvedValue(undefined);
+
+      const result = await controller.forPage(
+        { pageId: 'p-1' } as any,
+        user,
+        workspace,
+      );
+
+      expect(result).toBeNull();
+    });
+  });
+});

apps/server/src/core/share/share-alias.controller.ts

@@ -0,0 +1,139 @@
+import {
+  BadRequestException,
+  Body,
+  Controller,
+  ForbiddenException,
+  HttpCode,
+  HttpStatus,
+  NotFoundException,
+  Post,
+  UseGuards,
+} from '@nestjs/common';
+import { JwtAuthGuard } from '../../common/guards/jwt-auth.guard';
+import { AuthUser } from '../../common/decorators/auth-user.decorator';
+import { AuthWorkspace } from '../../common/decorators/auth-workspace.decorator';
+import { User, Workspace } from '@docmost/db/types/entity.types';
+import { PageRepo } from '@docmost/db/repos/page/page.repo';
+import { PageAccessService } from '../page/page-access/page-access.service';
+import { ShareService } from './share.service';
+import { ShareAliasService } from './share-alias.service';
+import {
+  RemoveShareAliasDto,
+  SetShareAliasDto,
+  ShareAliasAvailabilityDto,
+  ShareAliasForPageDto,
+} from './dto/share-alias.dto';
+
+/**
+ * Authenticated management of vanity `/l/:alias` links. The PUBLIC resolve path
+ * lives in `ShareAliasRedirectController` (`/l/:alias`); this controller only
+ * creates/retargets/removes/looks-up aliases for editors.
+ */
+@UseGuards(JwtAuthGuard)
+@Controller('share-aliases')
+export class ShareAliasController {
+  constructor(
+    private readonly shareAliasService: ShareAliasService,
+    private readonly shareService: ShareService,
+    private readonly pageRepo: PageRepo,
+    private readonly pageAccessService: PageAccessService,
+  ) {}
+
+  @HttpCode(HttpStatus.OK)
+  @Post('set')
+  async set(
+    @Body() dto: SetShareAliasDto,
+    @AuthUser() user: User,
+    @AuthWorkspace() workspace: Workspace,
+  ) {
+    const page = await this.pageRepo.findById(dto.pageId);
+    if (!page || page.workspaceId !== workspace.id) {
+      throw new NotFoundException('Page not found');
+    }
+
+    // Editing the page is required to point an address at it.
+    await this.pageAccessService.validateCanEdit(page, user);
+
+    // The page must currently be publicly readable through the share graph; an
+    // alias to a non-shared page would only ever 404.
+    const resolved = await this.shareService.resolveReadableSharePage(
+      undefined,
+      page.id,
+      workspace.id,
+    );
+    if (!resolved) {
+      throw new BadRequestException('Page is not publicly shared');
+    }
+
+    const sharingAllowed = await this.shareService.isSharingAllowed(
+      workspace.id,
+      resolved.share.spaceId,
+    );
+    if (!sharingAllowed) {
+      throw new ForbiddenException('Public sharing is disabled');
+    }
+
+    return this.shareAliasService.setAlias({
+      workspaceId: workspace.id,
+      pageId: page.id,
+      creatorId: user.id,
+      alias: dto.alias,
+      confirmReassign: dto.confirmReassign,
+    });
+  }
+
+  @HttpCode(HttpStatus.OK)
+  @Post('remove')
+  async remove(
+    @Body() dto: RemoveShareAliasDto,
+    @AuthUser() user: User,
+    @AuthWorkspace() workspace: Workspace,
+  ) {
+    const alias = await this.shareAliasService.getAliasById(
+      dto.aliasId,
+      workspace.id,
+    );
+    if (!alias) {
+      throw new NotFoundException('Alias not found');
+    }
+
+    // Only someone who can edit the (current) target page may free the address.
+    // A dangling alias (page deleted) can be removed by any workspace member.
+    if (alias.pageId) {
+      const page = await this.pageRepo.findById(alias.pageId);
+      if (page) {
+        await this.pageAccessService.validateCanEdit(page, user);
+      }
+    }
+
+    await this.shareAliasService.removeAlias(alias.id, workspace.id);
+  }
+
+  @HttpCode(HttpStatus.OK)
+  @Post('availability')
+  async availability(
+    @Body() dto: ShareAliasAvailabilityDto,
+    @AuthWorkspace() workspace: Workspace,
+  ) {
+    return this.shareAliasService.checkAvailability(dto.alias, workspace.id);
+  }
+
+  @HttpCode(HttpStatus.OK)
+  @Post('for-page')
+  async forPage(
+    @Body() dto: ShareAliasForPageDto,
+    @AuthUser() user: User,
+    @AuthWorkspace() workspace: Workspace,
+  ) {
+    const page = await this.pageRepo.findById(dto.pageId);
+    if (!page || page.workspaceId !== workspace.id) {
+      throw new NotFoundException('Page not found');
+    }
+    await this.pageAccessService.validateCanView(page, user);
+
+    return (
+      (await this.shareAliasService.getAliasForPage(page.id, workspace.id)) ??
+      null
+    );
+  }
+}

apps/server/src/core/share/share-alias.service.spec.ts

@@ -0,0 +1,252 @@
+import { BadRequestException, ConflictException } from '@nestjs/common';
+import { ShareAliasService } from './share-alias.service';
+
+/**
+ * Behaviour tests for the alias write/resolve semantics: create vs no-op vs the
+ * 409 reassign guard, uniqueness-race handling, availability probe, and the
+ * request-time readable-target resolution (which re-runs the share boundary).
+ */
+describe('ShareAliasService', () => {
+  function makeService() {
+    const shareAliasRepo = {
+      findByAliasAndWorkspace: jest.fn(),
+      findByPageId: jest.fn(),
+      findById: jest.fn(),
+      insert: jest.fn(),
+      updatePageId: jest.fn(),
+      delete: jest.fn(),
+    };
+    const pageRepo = { findById: jest.fn() };
+    const shareService = {
+      resolveReadableSharePage: jest.fn(),
+      isSharingAllowed: jest.fn(),
+    };
+    const service = new ShareAliasService(
+      shareAliasRepo as any,
+      pageRepo as any,
+      shareService as any,
+    );
+    return { service, shareAliasRepo, pageRepo, shareService };
+  }
+
+  describe('setAlias', () => {
+    it('rejects an invalid alias before touching the db', async () => {
+      const { service, shareAliasRepo } = makeService();
+      await expect(
+        service.setAlias({
+          workspaceId: 'ws-1',
+          pageId: 'p-1',
+          creatorId: 'u-1',
+          alias: 'A', // too short + uppercase
+        }),
+      ).rejects.toBeInstanceOf(BadRequestException);
+      expect(shareAliasRepo.findByAliasAndWorkspace).not.toHaveBeenCalled();
+    });
+
+    it('normalizes then inserts a brand-new alias', async () => {
+      const { service, shareAliasRepo } = makeService();
+      shareAliasRepo.findByAliasAndWorkspace.mockResolvedValue(undefined);
+      shareAliasRepo.insert.mockResolvedValue({ id: 'a-1', alias: 'my-page' });
+
+      const res = await service.setAlias({
+        workspaceId: 'ws-1',
+        pageId: 'p-1',
+        creatorId: 'u-1',
+        alias: '  My Page ',
+      });
+
+      expect(shareAliasRepo.findByAliasAndWorkspace).toHaveBeenCalledWith(
+        'my-page',
+        'ws-1',
+      );
+      expect(shareAliasRepo.insert).toHaveBeenCalledWith({
+        workspaceId: 'ws-1',
+        alias: 'my-page',
+        pageId: 'p-1',
+        creatorId: 'u-1',
+      });
+      expect(res).toMatchObject({ id: 'a-1' });
+    });
+
+    it('is a no-op when the alias already points at the same page', async () => {
+      const { service, shareAliasRepo } = makeService();
+      const existing = { id: 'a-1', alias: 'foo', pageId: 'p-1' };
+      shareAliasRepo.findByAliasAndWorkspace.mockResolvedValue(existing);
+
+      const res = await service.setAlias({
+        workspaceId: 'ws-1',
+        pageId: 'p-1',
+        creatorId: 'u-1',
+        alias: 'foo',
+      });
+
+      expect(res).toBe(existing);
+      expect(shareAliasRepo.insert).not.toHaveBeenCalled();
+      expect(shareAliasRepo.updatePageId).not.toHaveBeenCalled();
+    });
+
+    it('throws 409 with current target when name is taken and not confirmed', async () => {
+      const { service, shareAliasRepo, pageRepo } = makeService();
+      shareAliasRepo.findByAliasAndWorkspace.mockResolvedValue({
+        id: 'a-1',
+        alias: 'foo',
+        pageId: 'p-other',
+      });
+      pageRepo.findById.mockResolvedValue({ id: 'p-other', title: 'Other' });
+
+      try {
+        await service.setAlias({
+          workspaceId: 'ws-1',
+          pageId: 'p-1',
+          creatorId: 'u-1',
+          alias: 'foo',
+        });
+        fail('expected ConflictException');
+      } catch (err) {
+        expect(err).toBeInstanceOf(ConflictException);
+        expect((err as ConflictException).getResponse()).toMatchObject({
+          code: 'ALIAS_REASSIGN_REQUIRED',
+          currentPageId: 'p-other',
+          currentPageTitle: 'Other',
+        });
+      }
+      expect(shareAliasRepo.updatePageId).not.toHaveBeenCalled();
+    });
+
+    it('retargets (UPDATE page_id) when confirmReassign is set', async () => {
+      const { service, shareAliasRepo } = makeService();
+      shareAliasRepo.findByAliasAndWorkspace.mockResolvedValue({
+        id: 'a-1',
+        alias: 'foo',
+        pageId: 'p-other',
+      });
+      shareAliasRepo.updatePageId.mockResolvedValue({ id: 'a-1', pageId: 'p-1' });
+
+      const res = await service.setAlias({
+        workspaceId: 'ws-1',
+        pageId: 'p-1',
+        creatorId: 'u-1',
+        alias: 'foo',
+        confirmReassign: true,
+      });
+
+      expect(shareAliasRepo.updatePageId).toHaveBeenCalledWith(
+        'a-1',
+        'p-1',
+        'ws-1',
+      );
+      expect(res).toMatchObject({ pageId: 'p-1' });
+    });
+
+    it('maps a unique-violation race to 409', async () => {
+      const { service, shareAliasRepo } = makeService();
+      shareAliasRepo.findByAliasAndWorkspace.mockResolvedValue(undefined);
+      shareAliasRepo.insert.mockRejectedValue({ code: '23505' });
+
+      await expect(
+        service.setAlias({
+          workspaceId: 'ws-1',
+          pageId: 'p-1',
+          creatorId: 'u-1',
+          alias: 'foo',
+        }),
+      ).rejects.toBeInstanceOf(ConflictException);
+    });
+  });
+
+  describe('checkAvailability', () => {
+    it('reports invalid for a bad slug without a db hit', async () => {
+      const { service, shareAliasRepo } = makeService();
+      const res = await service.checkAvailability('Bad Slug!', 'ws-1');
+      expect(res).toMatchObject({ valid: false, available: false });
+      expect(shareAliasRepo.findByAliasAndWorkspace).not.toHaveBeenCalled();
+    });
+
+    it('reports available when no row exists', async () => {
+      const { service, shareAliasRepo } = makeService();
+      shareAliasRepo.findByAliasAndWorkspace.mockResolvedValue(undefined);
+      const res = await service.checkAvailability('free-name', 'ws-1');
+      expect(res).toMatchObject({
+        alias: 'free-name',
+        valid: true,
+        available: true,
+        currentPageId: null,
+      });
+    });
+
+    it('reports taken with the current target page', async () => {
+      const { service, shareAliasRepo } = makeService();
+      shareAliasRepo.findByAliasAndWorkspace.mockResolvedValue({
+        id: 'a-1',
+        pageId: 'p-9',
+      });
+      const res = await service.checkAvailability('taken', 'ws-1');
+      expect(res).toMatchObject({ available: false, currentPageId: 'p-9' });
+    });
+  });
+
+  describe('resolveReadableTarget', () => {
+    it('returns null for an invalid alias', async () => {
+      const { service } = makeService();
+      expect(await service.resolveReadableTarget('!!', 'ws-1')).toBeNull();
+    });
+
+    it('returns null for an unknown or dangling alias', async () => {
+      const { service, shareAliasRepo } = makeService();
+      shareAliasRepo.findByAliasAndWorkspace.mockResolvedValueOnce(undefined);
+      expect(await service.resolveReadableTarget('foo', 'ws-1')).toBeNull();
+
+      shareAliasRepo.findByAliasAndWorkspace.mockResolvedValueOnce({
+        id: 'a-1',
+        pageId: null,
+      });
+      expect(await service.resolveReadableTarget('foo', 'ws-1')).toBeNull();
+    });
+
+    it('returns null when the page is no longer publicly readable', async () => {
+      const { service, shareAliasRepo, shareService } = makeService();
+      shareAliasRepo.findByAliasAndWorkspace.mockResolvedValue({
+        id: 'a-1',
+        pageId: 'p-1',
+      });
+      shareService.resolveReadableSharePage.mockResolvedValue(null);
+      expect(await service.resolveReadableTarget('foo', 'ws-1')).toBeNull();
+    });
+
+    it('returns null when sharing is disabled for the space', async () => {
+      const { service, shareAliasRepo, shareService } = makeService();
+      shareAliasRepo.findByAliasAndWorkspace.mockResolvedValue({
+        id: 'a-1',
+        pageId: 'p-1',
+      });
+      shareService.resolveReadableSharePage.mockResolvedValue({
+        share: { key: 'k', spaceId: 's-1' },
+        page: { slugId: 'sid', title: 'T' },
+      });
+      shareService.isSharingAllowed.mockResolvedValue(false);
+      expect(await service.resolveReadableTarget('foo', 'ws-1')).toBeNull();
+    });
+
+    it('returns the resolved share+page on success', async () => {
+      const { service, shareAliasRepo, shareService } = makeService();
+      shareAliasRepo.findByAliasAndWorkspace.mockResolvedValue({
+        id: 'a-1',
+        pageId: 'p-1',
+      });
+      const resolved = {
+        share: { key: 'k', spaceId: 's-1' },
+        page: { slugId: 'sid', title: 'T' },
+      };
+      shareService.resolveReadableSharePage.mockResolvedValue(resolved);
+      shareService.isSharingAllowed.mockResolvedValue(true);
+
+      const res = await service.resolveReadableTarget('FOO', 'ws-1');
+      expect(res).toBe(resolved);
+      // alias was normalized to lowercase before lookup
+      expect(shareAliasRepo.findByAliasAndWorkspace).toHaveBeenCalledWith(
+        'foo',
+        'ws-1',
+      );
+    });
+  });
+});

apps/server/src/core/share/share-alias.service.ts

@@ -0,0 +1,187 @@
+import {
+  BadRequestException,
+  ConflictException,
+  Injectable,
+  Logger,
+} from '@nestjs/common';
+import { ShareAliasRepo } from '@docmost/db/repos/share-alias/share-alias.repo';
+import { PageRepo } from '@docmost/db/repos/page/page.repo';
+import { ShareService } from './share.service';
+import { Page, ShareAlias } from '@docmost/db/types/entity.types';
+import { isValidShareAlias, normalizeShareAlias } from './share-alias.util';
+
+/** Postgres unique_violation; the (workspace_id, alias) constraint races here. */
+const PG_UNIQUE_VIOLATION = '23505';
+
+export interface ResolvedAliasTarget {
+  share: NonNullable<
+    Awaited<ReturnType<ShareService['resolveReadableSharePage']>>
+  >['share'];
+  page: Page;
+}
+
+@Injectable()
+export class ShareAliasService {
+  private readonly logger = new Logger(ShareAliasService.name);
+
+  constructor(
+    private readonly shareAliasRepo: ShareAliasRepo,
+    private readonly pageRepo: PageRepo,
+    private readonly shareService: ShareService,
+  ) {}
+
+  /**
+   * Create or retarget a vanity alias. The alias is workspace-scoped:
+   *   - no row for this name        -> INSERT a new pointer
+   *   - row already points at pageId -> no-op (idempotent)
+   *   - row points elsewhere         -> the "swap". Without confirmReassign we
+   *     throw 409 carrying the current target so the client can confirm; with
+   *     it we UPDATE the single row's page_id (every /l/<alias> link follows the
+   *     302 to the new page instantly — no stale 301 cache).
+   *
+   * Caller is responsible for authorizing the page (edit rights + public
+   * readability); this method owns only the alias-name semantics.
+   */
+  async setAlias(opts: {
+    workspaceId: string;
+    pageId: string;
+    creatorId: string;
+    alias: string;
+    confirmReassign?: boolean;
+  }): Promise<ShareAlias> {
+    const { workspaceId, pageId, creatorId, confirmReassign } = opts;
+    const alias = normalizeShareAlias(opts.alias);
+    if (!isValidShareAlias(alias)) {
+      throw new BadRequestException(
+        'Invalid alias. Use 2-60 lowercase letters, digits and hyphens.',
+      );
+    }
+
+    const existing = await this.shareAliasRepo.findByAliasAndWorkspace(
+      alias,
+      workspaceId,
+    );
+
+    if (!existing) {
+      try {
+        return await this.shareAliasRepo.insert({
+          workspaceId,
+          alias,
+          pageId,
+          creatorId,
+        });
+      } catch (err: any) {
+        // Lost a uniqueness race: another request claimed the name first.
+        if (err?.code === PG_UNIQUE_VIOLATION) {
+          throw new ConflictException({ message: 'Alias already taken' });
+        }
+        this.logger.error(err);
+        throw new BadRequestException('Failed to set alias');
+      }
+    }
+
+    // Already points at this page -> nothing to do.
+    if (existing.pageId === pageId) {
+      return existing;
+    }
+
+    // Name occupied by a different (or dangling) target: require confirmation.
+    if (!confirmReassign) {
+      const currentPage = existing.pageId
+        ? await this.pageRepo.findById(existing.pageId)
+        : null;
+      throw new ConflictException({
+        message: 'Alias already in use',
+        code: 'ALIAS_REASSIGN_REQUIRED',
+        currentPageId: existing.pageId,
+        currentPageTitle: currentPage?.title ?? null,
+      });
+    }
+
+    return this.shareAliasRepo.updatePageId(existing.id, pageId, workspaceId);
+  }
+
+  /** Free a vanity name (no history kept). */
+  async removeAlias(aliasId: string, workspaceId: string): Promise<void> {
+    await this.shareAliasRepo.delete(aliasId, workspaceId);
+  }
+
+  /** Debounced availability probe for the modal. */
+  async checkAvailability(
+    rawAlias: string,
+    workspaceId: string,
+  ): Promise<{
+    alias: string;
+    valid: boolean;
+    available: boolean;
+    currentPageId: string | null;
+  }> {
+    const alias = normalizeShareAlias(rawAlias);
+    if (!isValidShareAlias(alias)) {
+      return { alias, valid: false, available: false, currentPageId: null };
+    }
+    const existing = await this.shareAliasRepo.findByAliasAndWorkspace(
+      alias,
+      workspaceId,
+    );
+    return {
+      alias,
+      valid: true,
+      available: !existing,
+      currentPageId: existing?.pageId ?? null,
+    };
+  }
+
+  /** A single alias row scoped to the workspace, or undefined. */
+  getAliasById(
+    aliasId: string,
+    workspaceId: string,
+  ): Promise<ShareAlias | undefined> {
+    return this.shareAliasRepo.findById(aliasId, workspaceId);
+  }
+
+  /** The alias currently targeting a page (modal display), or undefined. */
+  getAliasForPage(
+    pageId: string,
+    workspaceId: string,
+  ): Promise<ShareAlias | undefined> {
+    return this.shareAliasRepo.findByPageId(pageId, workspaceId);
+  }
+
+  /**
+   * Resolve a vanity alias to the canonical, publicly-READABLE share page, or
+   * null. This re-runs the authoritative share boundary at request time (so a
+   * later-unshared / restricted / sharing-disabled target collapses to null and
+   * the caller serves the generic SPA 404 — no existence leak). The alias row
+   * itself is just a pointer; this is where access is actually decided.
+   */
+  async resolveReadableTarget(
+    rawAlias: string,
+    workspaceId: string,
+  ): Promise<ResolvedAliasTarget | null> {
+    const alias = normalizeShareAlias(rawAlias);
+    if (!isValidShareAlias(alias)) return null;
+
+    const aliasRow = await this.shareAliasRepo.findByAliasAndWorkspace(
+      alias,
+      workspaceId,
+    );
+    // Unknown name or a dangling alias (target page deleted) -> not resolvable.
+    if (!aliasRow?.pageId) return null;
+
+    const resolved = await this.shareService.resolveReadableSharePage(
+      undefined,
+      aliasRow.pageId,
+      workspaceId,
+    );
+    if (!resolved) return null;
+
+    const sharingAllowed = await this.shareService.isSharingAllowed(
+      workspaceId,
+      resolved.share.spaceId,
+    );
+    if (!sharingAllowed) return null;
+
+    return resolved;
+  }
+}

apps/server/src/core/share/share-alias.util.spec.ts

@@ -0,0 +1,60 @@
+import { isValidShareAlias, normalizeShareAlias } from './share-alias.util';
+
+describe('normalizeShareAlias', () => {
+  it('lowercases and trims', () => {
+    expect(normalizeShareAlias('  HelloWorld  ')).toBe('helloworld');
+  });
+
+  it('converts spaces and underscores to single hyphens', () => {
+    expect(normalizeShareAlias('my cool   page')).toBe('my-cool-page');
+    expect(normalizeShareAlias('my_cool_page')).toBe('my-cool-page');
+  });
+
+  it('collapses repeated hyphens and trims edge hyphens', () => {
+    expect(normalizeShareAlias('--a---b--')).toBe('a-b');
+  });
+
+  it('handles null/undefined defensively', () => {
+    expect(normalizeShareAlias(undefined as unknown as string)).toBe('');
+  });
+});
+
+describe('isValidShareAlias', () => {
+  it('accepts ascii lowercase hyphen-separated slugs', () => {
+    expect(isValidShareAlias('hello')).toBe(true);
+    expect(isValidShareAlias('hello-world-2')).toBe(true);
+    expect(isValidShareAlias('a1')).toBe(true);
+  });
+
+  it('rejects too short / too long', () => {
+    expect(isValidShareAlias('a')).toBe(false);
+    expect(isValidShareAlias('a'.repeat(61))).toBe(false);
+    expect(isValidShareAlias('a'.repeat(60))).toBe(true);
+  });
+
+  it('rejects leading/trailing/double hyphens', () => {
+    expect(isValidShareAlias('-abc')).toBe(false);
+    expect(isValidShareAlias('abc-')).toBe(false);
+    expect(isValidShareAlias('a--b')).toBe(false);
+  });
+
+  it('rejects uppercase, cyrillic and other non-ascii', () => {
+    expect(isValidShareAlias('Hello')).toBe(false);
+    expect(isValidShareAlias('привет')).toBe(false);
+    expect(isValidShareAlias('a b')).toBe(false);
+    expect(isValidShareAlias('a_b')).toBe(false);
+    expect(isValidShareAlias('a.b')).toBe(false);
+  });
+
+  it('normalize + validate round-trips a messy input to a valid slug', () => {
+    const alias = normalizeShareAlias('  My  Cool_Page!! ');
+    // "!!" is not stripped by normalize (only case/separators), so the result
+    // still fails validation — the charset gate is intentionally separate.
+    expect(alias).toBe('my-cool-page!!');
+    expect(isValidShareAlias(alias)).toBe(false);
+
+    const ok = normalizeShareAlias('  My  Cool Page ');
+    expect(ok).toBe('my-cool-page');
+    expect(isValidShareAlias(ok)).toBe(true);
+  });
+});

apps/server/src/core/share/share-alias.util.ts

@@ -0,0 +1,30 @@
+/**
+ * Vanity share-alias helpers shared by the write path (set/availability) and the
+ * `/l/:alias` resolve path. Aliases are ASCII-only, lowercase, hyphen-separated
+ * slugs — deliberately no Cyrillic / transliteration: the user types the exact
+ * canonical form. Keep this in sync with the client copy in
+ * `apps/client/src/features/share/share-alias.util.ts`.
+ */
+
+// Normalize a user-provided vanity alias into canonical ASCII storage form.
+// This only canonicalizes shape (case, separators); it does NOT enforce the
+// charset — call isValidShareAlias afterwards to reject anything illegal.
+export function normalizeShareAlias(raw: string): string {
+  return (raw ?? '')
+    .trim()
+    .toLowerCase()
+    .replace(/[\s_]+/g, '-') // spaces/underscores -> single hyphen
+    .replace(/-{2,}/g, '-') // collapse repeated hyphens
+    .replace(/^-+|-+$/g, ''); // trim leading/trailing hyphens
+}
+
+// ASCII only: lowercase letters/digits in hyphen-separated groups, length 2..60.
+const ALIAS_RE = /^[a-z0-9]+(?:-[a-z0-9]+)*$/;
+export function isValidShareAlias(alias: string): boolean {
+  return (
+    typeof alias === 'string' &&
+    alias.length >= 2 &&
+    alias.length <= 60 &&
+    ALIAS_RE.test(alias)
+  );
+}

apps/server/src/core/share/share.module.ts

@@ -5,13 +5,22 @@ import { TokenModule } from '../auth/token.module';
 import { ShareSeoController } from './share-seo.controller';
 import { TransclusionModule } from '../page/transclusion/transclusion.module';
 import { AiModule } from '../../integrations/ai/ai.module';
+import { ShareAliasService } from './share-alias.service';
+import { ShareAliasController } from './share-alias.controller';
+import { ShareAliasRedirectController } from './share-alias-redirect.controller';
 
 @Module({
   // AiModule (AiSettingsService) is used by the page-info route to surface
   // whether the anonymous public-share assistant is enabled for the workspace.
   imports: [TokenModule, TransclusionModule, AiModule],
-  controllers: [ShareController, ShareSeoController],
+  controllers: [
-  providers: [ShareService],
+    ShareController,
-  exports: [ShareService],
+    ShareSeoController,
+    // Vanity /l/:alias: authenticated management + public 302 resolver.
+    ShareAliasController,
+    ShareAliasRedirectController,
+  ],
+  providers: [ShareService, ShareAliasService],
+  exports: [ShareService, ShareAliasService],
 })
 export class ShareModule {}

apps/server/src/core/workspace/dto/update-workspace.dto.ts

@@ -84,6 +84,13 @@ export class UpdateWorkspaceDto extends PartialType(CreateWorkspaceDto) {
   @Min(1)
   trashRetentionDays: number;
 
+  // Default lifetime for new temporary notes, in HOURS. Frozen per-note at
+  // creation, so changing this never reschedules existing notes.
+  @IsOptional()
+  @IsInt()
+  @Min(1)
+  temporaryNoteHours: number;
+
   @IsOptional()
   @IsBoolean()
   allowMemberTemplates: boolean;

apps/server/src/core/workspace/services/workspace.service.ts

@@ -330,6 +330,7 @@ export class WorkspaceService {
     if (
       typeof updateWorkspaceDto.disablePublicSharing !== 'undefined' ||
       typeof updateWorkspaceDto.trashRetentionDays !== 'undefined' ||
+      typeof updateWorkspaceDto.temporaryNoteHours !== 'undefined' ||
       typeof updateWorkspaceDto.mcpEnabled !== 'undefined' ||
       typeof updateWorkspaceDto.restrictApiToAdmins !== 'undefined' ||
       typeof updateWorkspaceDto.allowMemberTemplates !== 'undefined' ||
@@ -337,7 +338,13 @@ export class WorkspaceService {
     ) {
       const ws = await this.db
         .selectFrom('workspaces')
-        .select(['id', 'licenseKey', 'plan', 'trashRetentionDays'])
+        .select([
+          'id',
+          'licenseKey',
+          'plan',
+          'trashRetentionDays',
+          'temporaryNoteHours',
+        ])
         .where('id', '=', workspaceId)
         .executeTakeFirst();
 
@@ -378,6 +385,14 @@ export class WorkspaceService {
         before.trashRetentionDays = ws.trashRetentionDays;
         after.trashRetentionDays = updateWorkspaceDto.trashRetentionDays;
       }
+
+      if (
+        typeof updateWorkspaceDto.temporaryNoteHours !== 'undefined' &&
+        updateWorkspaceDto.temporaryNoteHours !== ws.temporaryNoteHours
+      ) {
+        before.temporaryNoteHours = ws.temporaryNoteHours;
+        after.temporaryNoteHours = updateWorkspaceDto.temporaryNoteHours;
+      }
     }
 
     if (updateWorkspaceDto.aiSearch) {

apps/server/src/database/database.module.ts

@@ -23,6 +23,7 @@ import { UserTokenRepo } from './repos/user-token/user-token.repo';
 import { UserSessionRepo } from '@docmost/db/repos/session/user-session.repo';
 import { BacklinkRepo } from '@docmost/db/repos/backlink/backlink.repo';
 import { ShareRepo } from '@docmost/db/repos/share/share.repo';
+import { ShareAliasRepo } from '@docmost/db/repos/share-alias/share-alias.repo';
 import { NotificationRepo } from '@docmost/db/repos/notification/notification.repo';
 import { WatcherRepo } from '@docmost/db/repos/watcher/watcher.repo';
 import { LabelRepo } from '@docmost/db/repos/label/label.repo';
@@ -96,6 +97,7 @@ import { normalizePostgresUrl } from '../common/helpers';
     UserSessionRepo,
     BacklinkRepo,
     ShareRepo,
+    ShareAliasRepo,
     NotificationRepo,
     WatcherRepo,
     LabelRepo,
@@ -128,6 +130,7 @@ import { normalizePostgresUrl } from '../common/helpers';
     UserSessionRepo,
     BacklinkRepo,
     ShareRepo,
+    ShareAliasRepo,
     NotificationRepo,
     WatcherRepo,
     LabelRepo,

apps/server/src/database/migrations/20260626T130000-share-aliases.ts

@@ -0,0 +1,54 @@
+import { type Kysely, sql } from 'kysely';
+
+/**
+ * Vanity share aliases: a retargetable, human-readable pointer (`/l/<alias>`)
+ * that lives independently of any single `shares` row. The alias belongs to the
+ * WORKSPACE (stable address), and `page_id` is nullable with ON DELETE SET NULL
+ * so the address survives deletion of its current target (it 404s until
+ * retargeted) rather than disappearing with the page.
+ */
+export async function up(db: Kysely<any>): Promise<void> {
+  await db.schema
+    .createTable('share_aliases')
+    .addColumn('id', 'uuid', (col) =>
+      col.primaryKey().defaultTo(sql`gen_uuid_v7()`),
+    )
+    .addColumn('workspace_id', 'uuid', (col) =>
+      col.references('workspaces.id').onDelete('cascade').notNull(),
+    )
+    // Normalized ASCII, lowercase. Uniqueness is enforced per-workspace below.
+    .addColumn('alias', 'varchar', (col) => col.notNull())
+    // Nullable + SET NULL: the address outlives its target page.
+    .addColumn('page_id', 'uuid', (col) =>
+      col.references('pages.id').onDelete('set null'),
+    )
+    .addColumn('creator_id', 'uuid', (col) =>
+      col.references('users.id').onDelete('set null'),
+    )
+    .addColumn('created_at', 'timestamptz', (col) =>
+      col.notNull().defaultTo(sql`now()`),
+    )
+    .addColumn('updated_at', 'timestamptz', (col) =>
+      col.notNull().defaultTo(sql`now()`),
+    )
+    .execute();
+
+  // The vanity name is unique within a workspace (mirrors shares.key scoping).
+  await db.schema
+    .createIndex('share_aliases_workspace_id_alias_unique')
+    .on('share_aliases')
+    .columns(['workspace_id', 'alias'])
+    .unique()
+    .execute();
+
+  // "Which alias targets this page?" lookup for the share modal.
+  await db.schema
+    .createIndex('share_aliases_page_id_idx')
+    .on('share_aliases')
+    .column('page_id')
+    .execute();
+}
+
+export async function down(db: Kysely<any>): Promise<void> {
+  await db.schema.dropTable('share_aliases').execute();
+}

apps/server/src/database/migrations/20260626T140000-page-temporary-notes.ts

@@ -0,0 +1,40 @@
+import { type Kysely, sql } from 'kysely';
+
+export async function up(db: Kysely<any>): Promise<void> {
+  // "Death timer" column. NULL = permanent page; non-NULL = temporary note,
+  // value is the exact moment the note auto-moves to trash. The deadline is
+  // frozen at creation, so changing the workspace setting never reschedules
+  // existing notes.
+  await db.schema
+    .alterTable('pages')
+    .addColumn('temporary_expires_at', 'timestamptz', (col) => col)
+    .execute();
+
+  // Partial index backing the cleanup sweep: only armed, not-yet-trashed notes.
+  await sql`
+    CREATE INDEX pages_temporary_expires_at_idx
+    ON pages (temporary_expires_at)
+    WHERE temporary_expires_at IS NOT NULL AND deleted_at IS NULL
+  `.execute(db);
+
+  // Default lifetime for new temporary notes, in HOURS. Frozen per-note at
+  // creation. NULL falls back to the in-code DEFAULT_TEMPORARY_NOTE_HOURS.
+  await db.schema
+    .alterTable('workspaces')
+    .addColumn('temporary_note_hours', 'int8', (col) => col)
+    .execute();
+}
+
+export async function down(db: Kysely<any>): Promise<void> {
+  await db.schema
+    .alterTable('workspaces')
+    .dropColumn('temporary_note_hours')
+    .execute();
+
+  await db.schema.dropIndex('pages_temporary_expires_at_idx').execute();
+
+  await db.schema
+    .alterTable('pages')
+    .dropColumn('temporary_expires_at')
+    .execute();
+}

apps/server/src/database/repos/page/page.repo.restore.spec.ts

@@ -0,0 +1,64 @@
+import { PageRepo } from './page.repo';
+
+/**
+ * Regression guard for #201: restorePage must disarm the temporary-note death
+ * timer by setting `temporaryExpiresAt = null` alongside the un-delete fields.
+ * Otherwise a restored note whose frozen deadline already passed would be
+ * re-trashed by the very next cleanup sweep. There is no real DB here — a
+ * chainable Kysely proxy records every `.set(...)` payload so we can assert the
+ * single restore UPDATE clears the deadline.
+ */
+function makeRestoreDbStub(opts: {
+  pageToRestore: any;
+  descendants: any[];
+}) {
+  const setCalls: any[] = [];
+  const proxy: any = new Proxy(function () {}, {
+    get(_t, prop) {
+      if (prop === 'then') return undefined;
+      if (prop === 'set')
+        return (payload: any) => {
+          setCalls.push(payload);
+          return proxy;
+        };
+      if (prop === 'executeTakeFirst')
+        return () => Promise.resolve(opts.pageToRestore);
+      if (prop === 'execute') return () => Promise.resolve(opts.descendants);
+      if (prop === 'withRecursive')
+        return (_name: string, cb: any) => {
+          // Exercise the recursive CTE builder against the proxy without a DB.
+          try {
+            cb(proxy);
+          } catch {
+            // builder shape only; ignore
+          }
+          return proxy;
+        };
+      return () => proxy;
+    },
+  });
+  return { proxy, setCalls };
+}
+
+describe('PageRepo.restorePage temporary-timer disarm (#201)', () => {
+  it('clears temporaryExpiresAt together with the un-delete fields', async () => {
+    const { proxy, setCalls } = makeRestoreDbStub({
+      // No parent => the deleted-parent lookup and detach branch are skipped, so
+      // the only UPDATE is the bulk restore we assert on.
+      pageToRestore: { id: 'p1', parentPageId: null, spaceId: 's1' },
+      descendants: [{ id: 'p1' }],
+    });
+    const eventEmitter = { emit: jest.fn() } as any;
+
+    const repo = new PageRepo(proxy, {} as any, eventEmitter);
+
+    await repo.restorePage('p1', 'w1');
+
+    expect(setCalls).toHaveLength(1);
+    expect(setCalls[0]).toEqual({
+      deletedById: null,
+      deletedAt: null,
+      temporaryExpiresAt: null,
+    });
+  });
+});

apps/server/src/database/repos/page/page.repo.ts

@@ -51,6 +51,7 @@ export class PageRepo {
     'workspaceId',
     'isLocked',
     'isTemplate',
+    'temporaryExpiresAt',
     'createdAt',
     'updatedAt',
     'deletedAt',
@@ -425,7 +426,10 @@ export class PageRepo {
     // Restore all pages, but only detach the root page if its parent is deleted
     await this.db
       .updateTable('pages')
-      .set({ deletedById: null, deletedAt: null })
+      // On restore, disarm the death timer: pulling a note out of trash means
+      // "keep it". Otherwise a deadline now in the past would re-trash it on the
+      // next cleanup sweep.
+      .set({ deletedById: null, deletedAt: null, temporaryExpiresAt: null })
       .where('id', 'in', pageIds)
       .execute();
 

apps/server/src/database/repos/share-alias/share-alias.repo.spec.ts

@@ -0,0 +1,120 @@
+import { ShareAliasRepo } from './share-alias.repo';
+import type { KyselyDB } from '../../types/kysely.types';
+
+/**
+ * SQL-shape unit tests for ShareAliasRepo. A live Postgres is out of scope;
+ * instead we spy on the Kysely builder to assert each method pins the
+ * workspace scope (so a name in one workspace can never resolve another's
+ * page) and threads the right columns.
+ */
+describe('ShareAliasRepo', () => {
+  function makeSelectRepo(result: unknown) {
+    const where = jest.fn();
+    const builder: any = {
+      select: jest.fn(() => builder),
+      where: jest.fn((...args: unknown[]) => {
+        where(...args);
+        return builder;
+      }),
+      executeTakeFirst: jest.fn().mockResolvedValue(result),
+    };
+    const db = { selectFrom: jest.fn(() => builder) } as unknown as KyselyDB;
+    return { repo: new ShareAliasRepo(db), db, where, builder };
+  }
+
+  it('findByAliasAndWorkspace scopes by alias AND workspace', async () => {
+    const row = { id: 'a-1', alias: 'foo', workspaceId: 'ws-1' };
+    const { repo, db, where } = makeSelectRepo(row);
+
+    const res = await repo.findByAliasAndWorkspace('foo', 'ws-1');
+
+    expect(res).toBe(row);
+    expect(db.selectFrom).toHaveBeenCalledWith('shareAliases');
+    expect(where).toHaveBeenCalledWith('alias', '=', 'foo');
+    expect(where).toHaveBeenCalledWith('workspaceId', '=', 'ws-1');
+  });
+
+  it('findByPageId scopes by page AND workspace', async () => {
+    const { repo, where } = makeSelectRepo(undefined);
+    await repo.findByPageId('p-1', 'ws-1');
+    expect(where).toHaveBeenCalledWith('pageId', '=', 'p-1');
+    expect(where).toHaveBeenCalledWith('workspaceId', '=', 'ws-1');
+  });
+
+  it('insert writes the provided columns and returns the row', async () => {
+    const values = jest.fn();
+    const inserted = { id: 'a-1' };
+    const builder: any = {
+      values: jest.fn((v: unknown) => {
+        values(v);
+        return builder;
+      }),
+      returning: jest.fn(() => builder),
+      executeTakeFirst: jest.fn().mockResolvedValue(inserted),
+    };
+    const db = { insertInto: jest.fn(() => builder) } as unknown as KyselyDB;
+    const repo = new ShareAliasRepo(db);
+
+    const res = await repo.insert({
+      workspaceId: 'ws-1',
+      alias: 'foo',
+      pageId: 'p-1',
+      creatorId: 'u-1',
+    });
+
+    expect(db.insertInto).toHaveBeenCalledWith('shareAliases');
+    expect(values).toHaveBeenCalledWith({
+      workspaceId: 'ws-1',
+      alias: 'foo',
+      pageId: 'p-1',
+      creatorId: 'u-1',
+    });
+    expect(res).toBe(inserted);
+  });
+
+  it('updatePageId retargets a single row scoped by id + workspace', async () => {
+    const set = jest.fn();
+    const where = jest.fn();
+    const builder: any = {
+      set: jest.fn((s: unknown) => {
+        set(s);
+        return builder;
+      }),
+      where: jest.fn((...args: unknown[]) => {
+        where(...args);
+        return builder;
+      }),
+      returning: jest.fn(() => builder),
+      executeTakeFirst: jest.fn().mockResolvedValue({ id: 'a-1' }),
+    };
+    const db = { updateTable: jest.fn(() => builder) } as unknown as KyselyDB;
+    const repo = new ShareAliasRepo(db);
+
+    await repo.updatePageId('a-1', 'p-2', 'ws-1');
+
+    expect(db.updateTable).toHaveBeenCalledWith('shareAliases');
+    expect(set.mock.calls[0][0].pageId).toBe('p-2');
+    expect(set.mock.calls[0][0].updatedAt).toBeInstanceOf(Date);
+    expect(where).toHaveBeenCalledWith('id', '=', 'a-1');
+    expect(where).toHaveBeenCalledWith('workspaceId', '=', 'ws-1');
+  });
+
+  it('delete scopes by id + workspace', async () => {
+    const where = jest.fn();
+    const builder: any = {
+      where: jest.fn((...args: unknown[]) => {
+        where(...args);
+        return builder;
+      }),
+      execute: jest.fn().mockResolvedValue(undefined),
+    };
+    const db = { deleteFrom: jest.fn(() => builder) } as unknown as KyselyDB;
+    const repo = new ShareAliasRepo(db);
+
+    await repo.delete('a-1', 'ws-1');
+
+    expect(db.deleteFrom).toHaveBeenCalledWith('shareAliases');
+    expect(where).toHaveBeenCalledWith('id', '=', 'a-1');
+    expect(where).toHaveBeenCalledWith('workspaceId', '=', 'ws-1');
+  });
+});

apps/server/src/database/repos/share-alias/share-alias.repo.ts

@@ -0,0 +1,109 @@
+import { Injectable } from '@nestjs/common';
+import { InjectKysely } from 'nestjs-kysely';
+import { KyselyDB, KyselyTransaction } from '../../types/kysely.types';
+import { dbOrTx } from '../../utils';
+import {
+  InsertableShareAlias,
+  ShareAlias,
+} from '@docmost/db/types/entity.types';
+
+/**
+ * Repository for vanity share aliases (`/l/:alias`). An alias is a long-lived,
+ * workspace-scoped pointer to a page; retargeting is a single UPDATE of
+ * `page_id`. All lookups are workspace-scoped so a name in one workspace can
+ * never resolve a page in another.
+ */
+@Injectable()
+export class ShareAliasRepo {
+  constructor(@InjectKysely() private readonly db: KyselyDB) {}
+
+  private baseFields: Array<keyof ShareAlias> = [
+    'id',
+    'workspaceId',
+    'alias',
+    'pageId',
+    'creatorId',
+    'createdAt',
+    'updatedAt',
+  ];
+
+  /** Resolve a (normalized) alias within a workspace, or undefined. */
+  async findByAliasAndWorkspace(
+    alias: string,
+    workspaceId: string,
+    trx?: KyselyTransaction,
+  ): Promise<ShareAlias | undefined> {
+    return dbOrTx(this.db, trx)
+      .selectFrom('shareAliases')
+      .select(this.baseFields)
+      .where('alias', '=', alias)
+      .where('workspaceId', '=', workspaceId)
+      .executeTakeFirst();
+  }
+
+  /** The alias currently pointing at a page (for the share modal). */
+  async findByPageId(
+    pageId: string,
+    workspaceId: string,
+    trx?: KyselyTransaction,
+  ): Promise<ShareAlias | undefined> {
+    return dbOrTx(this.db, trx)
+      .selectFrom('shareAliases')
+      .select(this.baseFields)
+      .where('pageId', '=', pageId)
+      .where('workspaceId', '=', workspaceId)
+      .executeTakeFirst();
+  }
+
+  async findById(
+    id: string,
+    workspaceId: string,
+    trx?: KyselyTransaction,
+  ): Promise<ShareAlias | undefined> {
+    return dbOrTx(this.db, trx)
+      .selectFrom('shareAliases')
+      .select(this.baseFields)
+      .where('id', '=', id)
+      .where('workspaceId', '=', workspaceId)
+      .executeTakeFirst();
+  }
+
+  async insert(
+    insertable: InsertableShareAlias,
+    trx?: KyselyTransaction,
+  ): Promise<ShareAlias> {
+    return dbOrTx(this.db, trx)
+      .insertInto('shareAliases')
+      .values(insertable)
+      .returning(this.baseFields)
+      .executeTakeFirst();
+  }
+
+  /** Retarget an existing alias to a new page (the "swap" operation). */
+  async updatePageId(
+    id: string,
+    pageId: string,
+    workspaceId: string,
+    trx?: KyselyTransaction,
+  ): Promise<ShareAlias> {
+    return dbOrTx(this.db, trx)
+      .updateTable('shareAliases')
+      .set({ pageId, updatedAt: new Date() })
+      .where('id', '=', id)
+      .where('workspaceId', '=', workspaceId)
+      .returning(this.baseFields)
+      .executeTakeFirst();
+  }
+
+  async delete(
+    id: string,
+    workspaceId: string,
+    trx?: KyselyTransaction,
+  ): Promise<void> {
+    await dbOrTx(this.db, trx)
+      .deleteFrom('shareAliases')
+      .where('id', '=', id)
+      .where('workspaceId', '=', workspaceId)
+      .execute();
+  }
+}

apps/server/src/database/repos/workspace/workspace.repo.ts

@@ -58,6 +58,7 @@ export class WorkspaceRepo {
     'plan',
     'enforceMfa',
     'trashRetentionDays',
+    'temporaryNoteHours',
     'isScimEnabled',
   ];
   constructor(@InjectKysely() private readonly db: KyselyDB) {}

apps/server/src/database/share-aliases.migration.spec.ts

@@ -0,0 +1,94 @@
+import * as migration from './migrations/20260626T130000-share-aliases';
+import type {
+  InsertableShareAlias,
+  ShareAlias,
+  UpdatableShareAlias,
+} from './types/entity.types';
+
+/**
+ * Sanity checks for the share_aliases migration + entity types. We don't run a
+ * live Postgres here (that's the integration suite); instead we assert the
+ * migration exposes the expected up/down contract and creates the table with
+ * the unique (workspace_id, alias) constraint and the page_id index, and that
+ * the generated entity types line up with the column set.
+ */
+describe('share-aliases migration', () => {
+  it('up creates the table, the unique index and the page_id index', async () => {
+    const calls: string[] = [];
+
+    const tableBuilder: any = new Proxy(
+      {},
+      {
+        get(_t, prop: string) {
+          if (prop === 'execute') return async () => undefined;
+          // addColumn/addConstraint/etc. are chainable no-ops.
+          return () => tableBuilder;
+        },
+      },
+    );
+
+    const indexBuilder: any = new Proxy(
+      {},
+      {
+        get(_t, prop: string) {
+          if (prop === 'execute') return async () => undefined;
+          return () => indexBuilder;
+        },
+      },
+    );
+
+    const schema = {
+      createTable: (name: string) => {
+        calls.push(`createTable:${name}`);
+        return tableBuilder;
+      },
+      createIndex: (name: string) => {
+        calls.push(`createIndex:${name}`);
+        return indexBuilder;
+      },
+    };
+
+    await migration.up({ schema } as any);
+
+    expect(calls).toContain('createTable:share_aliases');
+    expect(calls).toContain(
+      'createIndex:share_aliases_workspace_id_alias_unique',
+    );
+    expect(calls).toContain('createIndex:share_aliases_page_id_idx');
+  });
+
+  it('down drops the table', async () => {
+    const calls: string[] = [];
+    const dropBuilder: any = { execute: async () => undefined };
+    const schema = {
+      dropTable: (name: string) => {
+        calls.push(`dropTable:${name}`);
+        return dropBuilder;
+      },
+    };
+    await migration.down({ schema } as any);
+    expect(calls).toContain('dropTable:share_aliases');
+  });
+
+  it('entity types expose the alias columns', () => {
+    // Compile-time only: these typed declarations fail `tsc` if the entity types
+    // drift (missing/renamed columns, wrong nullability). The runtime assertions
+    // would be tautological, so the value is purely in the type-check.
+    const row: ShareAlias = {
+      id: 'a-1',
+      workspaceId: 'ws-1',
+      alias: 'foo',
+      pageId: 'p-1',
+      creatorId: 'u-1',
+      createdAt: new Date(),
+      updatedAt: new Date(),
+    };
+    const insert: InsertableShareAlias = {
+      workspaceId: 'ws-1',
+      alias: 'foo',
+    };
+    const update: UpdatableShareAlias = { pageId: null };
+
+    expect([row, insert, update]).toHaveLength(3);
+  });
+});

apps/server/src/database/types/db.d.ts

@@ -297,6 +297,7 @@ export interface Pages {
   position: string | null;
   slugId: string;
   spaceId: string;
+  temporaryExpiresAt: Timestamp | null;
   textContent: string | null;
   title: string | null;
   tsv: string | null;
@@ -305,6 +306,16 @@ export interface Pages {
   ydoc: Buffer | null;
 }
 
+export interface ShareAliases {
+  alias: string;
+  createdAt: Generated<Timestamp>;
+  creatorId: string | null;
+  id: Generated<string>;
+  pageId: string | null;
+  updatedAt: Generated<Timestamp>;
+  workspaceId: string;
+}
+
 export interface Shares {
   createdAt: Generated<Timestamp>;
   creatorId: string | null;
@@ -409,6 +420,7 @@ export interface WorkspaceInvitations {
 export interface Workspaces {
   auditRetentionDays: Generated<number>;
   trashRetentionDays: Generated<number>;
+  temporaryNoteHours: Generated<number>;
   billingEmail: string | null;
   createdAt: Generated<Timestamp>;
   customDomain: string | null;
@@ -674,6 +686,7 @@ export interface DB {
   pageVerifiers: PageVerifiers;
   pages: Pages;
   scimTokens: ScimTokens;
+  shareAliases: ShareAliases;
   shares: Shares;
   spaceMembers: SpaceMembers;
   spaces: Spaces;

apps/server/src/database/types/entity.types.ts

@@ -30,6 +30,7 @@ import {
   AuthProviders,
   AuthAccounts,
   Shares,
+  ShareAliases,
   Favorites,
   FileTasks,
   UserMfa as _UserMFA,
@@ -172,6 +173,11 @@ export type Share = Selectable<Shares>;
 export type InsertableShare = Insertable<Shares>;
 export type UpdatableShare = Updateable<Omit<Shares, 'id'>>;
 
+// Share alias (vanity /l/:alias pointer)
+export type ShareAlias = Selectable<ShareAliases>;
+export type InsertableShareAlias = Insertable<ShareAliases>;
+export type UpdatableShareAlias = Updateable<Omit<ShareAliases, 'id'>>;
+
 // Favorite
 export type Favorite = Selectable<Favorites>;
 export type InsertableFavorite = Insertable<Favorites>;

apps/server/src/main.ts

@@ -40,7 +40,14 @@ async function bootstrap() {
   app.useLogger(app.get(PinoLogger));
 
   app.setGlobalPrefix('api', {
-    exclude: ['robots.txt', 'share/:shareId/p/:pageSlug', 'mcp'],
+    exclude: [
+      'robots.txt',
+      'share/:shareId/p/:pageSlug',
+      // Vanity link resolver lives outside /api so /l/<alias> is a clean
+      // public URL that 302s to the canonical share page.
+      'l/:alias',
+      'mcp',
+    ],
   });
 
   const reflector = app.get(Reflector);

apps/server/test/jest-e2e.json

@@ -4,7 +4,7 @@
   "testEnvironment": "node",
   "testRegex": ".e2e-spec.ts$",
   "transform": {
-    "^.+\\.(t|j)sx?$": "ts-jest"
+    "^.+\\.(t|j)sx?$": ["ts-jest", { "tsconfig": { "allowJs": true } }]
   },
   "transformIgnorePatterns": [
     "/node_modules/(?!(\\.pnpm/)?(nanoid|uuid|image-dimensions|marked|happy-dom|lib0|@sindresorhus[+/][a-z0-9-]+|escape-string-regexp|p-limit|yocto-queue)(@|/))"