diff --git a/README.md b/README.md
index 77503224..c12006f5 100644
--- a/README.md
+++ b/README.md
@@ -4,6 +4,7 @@
 - The IndieKit admin uses root auth/session paths (for example: `/session/login`, `/auth`, `/auth/new-password`).
 - Legacy `/admin` request paths are normalized to root login redirects (for example `/admin/posts` -> `/session/login?redirect=/posts`) to avoid post-login dead-end targets.
+- Legacy auth/session aliases are redirected directly (for example `/admin/auth/new-password` -> `/auth/new-password`, `/admin/session/login` -> `/session/login`).
 - Login page now auto-continues to the password consent screen by default. Add `?noautocontinue=1` to `/session/login` if you want to keep the manual button step.
 - Login uses `PASSWORD_SECRET` (bcrypt hash), not `INDIEKIT_PASSWORD`.
 - If no `PASSWORD_SECRET` exists yet, open `/auth/new-password` once to generate it.
diff --git a/scripts/patch-indieauth-devmode-guard.mjs b/scripts/patch-indieauth-devmode-guard.mjs
index 334b11a7..a7a2572a 100644
--- a/scripts/patch-indieauth-devmode-guard.mjs
+++ b/scripts/patch-indieauth-devmode-guard.mjs
@@ -14,13 +14,15 @@ const newDevModeCode = `if (devMode && process.env.INDIEKIT_ALLOW_DEV_AUTH === "
 request.session.scope = "create update delete media";
 } else if (!process.env.PASSWORD_SECRET) {`;
-const oldLoginRedirectCode = ` if (request.method === "GET") {
- return response.redirect(
- \`/session/login?redirect=\${request.originalUrl}\`,
- );
- }`;
-
 const newLoginRedirectCode = ` if (request.method === "GET") {
+ const directAlias = request.originalUrl.replace(
+ /^\\/admin\\/(auth|session)(?=\\/|$)/,
+ "/$1",
+ );
+ if (directAlias !== request.originalUrl) {
+ return response.redirect(directAlias);
+ }
+ const loginRedirect = request.originalUrl === "/admin" ? "/" 
@@ -30,6 +32,11 @@ const newLoginRedirectCode = ` if (request.method === "GET") {
 );
 }`;
 
+const oldLoginRedirectRegexes = [
+ /if \(request\.method === "GET"\) \{\n\s+return response\.redirect\(\n\s+`\/session\/login\?redirect=\$\{request\.originalUrl\}`,\n\s+\);\n\s+\}/m,
+ /if \(request\.method === "GET"\) \{\n\s+const loginRedirect =[\s\S]*?`\/session\/login\?redirect=\$\{loginRedirect\}`,\n\s+\);\n\s+\}/m,
+];
+
 async function exists(path) {
 try {
 await access(path);
@@ -56,11 +63,13 @@ for (const filePath of candidates) {
 updated = updated.replace(oldDevModeCode, newDevModeCode);
 }
 
- if (
- !updated.includes(newLoginRedirectCode) &&
- updated.includes(oldLoginRedirectCode)
- ) {
- updated = updated.replace(oldLoginRedirectCode, newLoginRedirectCode);
+ if (!updated.includes("const directAlias = request.originalUrl.replace(")) {
+ for (const regex of oldLoginRedirectRegexes) {
+ if (regex.test(updated)) {
+ updated = updated.replace(regex, newLoginRedirectCode);
+ break;
+ }
+ }
 }
 
 if (updated !== source) {
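Review bot: The `m` flag on both entries of `oldLoginRedirectRegexes` has no effect, because neither pattern uses a `^` or `$` anchor; dropping it avoids suggesting line-anchored matching that is not there. The array also needs a comment saying why there are two shapes, since a reader cannot tell from the patterns alone: the first appears to match the unpatched upstream login-redirect block and the second a block already rewritten by an earlier version of this script, which should be confirmed. Something like `// Login-redirect block shapes this script can replace: upstream's original first, then the output of an earlier version of this patch; the caller tries them in order and stops at the first match.` above the array would do.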
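Review bot: `updated.replace(regex, newLoginRedirectCode)` passes the injected code as a replacement string, so `$`-sequences in it are interpreted as group references, and `newLoginRedirectCode` contains `"/$1"` (added in the earlier hunk of this file). With the current regexes, which have no capturing groups, `$1` survives literally, but any capturing group added to `oldLoginRedirectRegexes` later would silently rewrite the `/admin/(auth|session)` alias redirect this script installs in an auth code path, with no error. Passing a replacer function removes the interpretation entirely: `updated = updated.replace(regex, () => newLoginRedirectCode);`. When no regex matches, the new block leaves the file unpatched without saying so; unless the script reports this elsewhere, tracking the match in a boolean and emitting `console.warn(\`login redirect block not found in ${filePath}\`);` after the loop would make a failed patch visible. The enclosing `for (const filePath of candidates)` loop starts and ends outside the hunk.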