@actuate-media/cms-core 0.1.0 → 0.2.0

package/dist/api/handlers.js

@@ -1,18 +1,28 @@
-import { listDocuments, getDocument, createDocument, updateDocument, deleteDocument, getGlobal, updateGlobal, } from '../actions';
-import { verifyPassword } from '../auth/password';
-import { createSession, verifySession, revokeSession } from '../auth/session';
-import { checkSetupRequired, createInitialAdmin } from '../setup/index';
-import { getDB } from '../db';
-import { generateCodeVerifier, generateCodeChallenge, generateState, getAuthorizationUrl, handleOAuthCallback, } from '../auth/oauth';
-import { optimizeImage, formatBytes } from '../media/optimize';
-import { generateToken as generateCsrfToken } from '../security/csrf';
-import { logEvent } from '../security/audit';
-import { applyFieldAccess } from '../security/access';
-import { createPreviewAdapter } from '../preview/index';
-import { schedulingCronHandler } from '../scheduling/index';
-import { createRateLimiter } from '../security/rate-limit';
-import { generateOpenAPISpec } from './openapi';
-import { createSSEPresenceAdapter } from '../presence/index';
+import { listDocuments, getDocument, createDocument, updateDocument, deleteDocument, getGlobal, updateGlobal, } from '../actions.js';
+import { verifyPassword } from '../auth/password.js';
+import { createSession, verifySession, revokeSession } from '../auth/session.js';
+import { checkSetupRequired, createInitialAdmin } from '../setup/index.js';
+import { getDB } from '../db.js';
+import { generateCodeVerifier, generateCodeChallenge, generateState, getAuthorizationUrl, handleOAuthCallback, } from '../auth/oauth.js';
+import { optimizeImage, formatBytes } from '../media/optimize.js';
+import { generateToken as generateCsrfToken } from '../security/csrf.js';
+import { logEvent } from '../security/audit.js';
+import { applyFieldAccess } from '../security/access.js';
+import { createPreviewAdapter } from '../preview/index.js';
+import { schedulingCronHandler } from '../scheduling/index.js';
+import { verifyCaptcha, getCaptchaConfig } from '../security/captcha.js';
+import { checkForUpdates } from '../upgrade/version-check.js';
+import { createUpgradePR } from '../upgrade/upgrade-pr.js';
+import { encryptField, decryptField } from '../security/encrypted-fields.js';
+import { createRateLimiter } from '../security/rate-limit.js';
+import { generateOpenAPISpec } from './openapi.js';
+import { createSSEPresenceAdapter } from '../presence/index.js';
+// Opaque dynamic import so Turbopack/webpack won't statically analyze the specifier.
+// Returns { put, del, ... } from @vercel/blob when available.
+async function importBlobStorage() {
+    const mod = '@vercel/' + 'blob';
+    return import(/* webpackIgnore: true */ mod);
+}
 const SECURITY_HEADERS = {
     'Content-Type': 'application/json',
     'X-Content-Type-Options': 'nosniff',
@@ -29,6 +39,9 @@ function errorResponse(message, status) {
     return json({ error: message }, status);
 }
 function internalError(err, context) {
+    if (err instanceof ModelNotAvailableError) {
+        return modelNotAvailable(err.model);
+    }
     const msg = err instanceof Error ? err.message : String(err);
     console.error(`[actuate][api]${context ? ` ${context}:` : ''} ${msg}`);
     return errorResponse('Internal server error', 500);
@@ -37,6 +50,38 @@ function clampPageSize(raw, max = 100, fallback = 20) {
     const n = Number(raw) || fallback;
     return Math.min(Math.max(1, n), max);
 }
+function hasModel(d, name) {
+    try {
+        return d[name] && typeof d[name].findMany === 'function';
+    }
+    catch {
+        return false;
+    }
+}
+function modelNotAvailable(name) {
+    return errorResponse(`The "${name}" model is not available in your Prisma schema. `
+        + 'See https://actuatecms.dev/docs/database-setup for required models.', 501);
+}
+async function safeCount(model, where) {
+    try {
+        if (!model?.count)
+            return 0;
+        return await model.count(where ? { where } : undefined);
+    }
+    catch {
+        return 0;
+    }
+}
+async function safeFindMany(model, args) {
+    try {
+        if (!model?.findMany)
+            return [];
+        return await model.findMany(args);
+    }
+    catch {
+        return [];
+    }
+}
 function isAllowedStorageUrl(url) {
     try {
         const parsed = new URL(url);
@@ -63,11 +108,18 @@ const ALLOWED_SORT_FIELDS = new Set([
     'createdAt', 'updatedAt', 'publishedAt', 'status', 'collection',
 ]);
 function getSessionSecret() {
-    const secret = process.env.CMS_SECRET;
-    if (!secret)
-        throw new Error('CMS_SECRET environment variable is not set');
-    if (secret.length < 32)
-        throw new Error('CMS_SECRET must be at least 32 characters');
+    const secret = process.env.CMS_SECRET
+        ?? process.env.CMS_SESSION_SECRET
+        ?? globalThis.__actuateConfig?.secret;
+    if (!secret) {
+        throw new Error('[Actuate CMS] Missing CMS secret. Set the CMS_SECRET environment variable (min 32 characters) '
+            + 'or pass `secret` in your actuate.config.ts. '
+            + 'Generate one with: node -e "console.log(require(\'crypto\').randomBytes(32).toString(\'hex\'))"');
+    }
+    if (secret.length < 32) {
+        throw new Error('[Actuate CMS] CMS secret must be at least 32 characters (got ' + secret.length + '). '
+            + 'Generate a secure value with: node -e "console.log(require(\'crypto\').randomBytes(32).toString(\'hex\'))"');
+    }
     return secret;
 }
 async function extractSession(request) {
@@ -85,13 +137,15 @@ async function extractSession(request) {
         return null;
     try {
         const payload = await verifySession(token, { secret: getSessionSecret() });
-        // Verify session is not revoked in DB
-        const dbSession = await getDB().session.findUnique({
-            where: { id: payload.sessionId },
-            select: { revokedAt: true },
-        });
-        if (!dbSession || dbSession.revokedAt)
-            return null;
+        const d = getDB();
+        if (hasModel(d, 'session')) {
+            const dbSession = await d.session.findUnique({
+                where: { id: payload.sessionId },
+                select: { revokedAt: true },
+            });
+            if (!dbSession || dbSession.revokedAt)
+                return null;
+        }
         return payload;
     }
     catch {
@@ -137,8 +191,35 @@ async function checkRateLimitAsync(limiter, key) {
     const result = await limiter.check(key);
     return result.allowed;
 }
+function getAdminPath() {
+    return process.env.ACTUATE_ADMIN_PATH
+        ?? globalThis.__actuateConfig?.admin?.path
+        ?? '/admin';
+}
+class ModelNotAvailableError extends Error {
+    model;
+    constructor(model) {
+        super(`Model "${model}" is not available in the Prisma schema.`);
+        this.model = model;
+    }
+}
 export function registerCMSRoutes(router) {
-    const db = () => getDB();
+    const rawDb = () => getDB();
+    const db = () => {
+        const d = rawDb();
+        return new Proxy(d, {
+            get(target, prop) {
+                const val = target[prop];
+                if (val !== undefined)
+                    return val;
+                return new Proxy({}, {
+                    get() {
+                        throw new ModelNotAvailableError(String(prop));
+                    },
+                });
+            },
+        });
+    };
     const presenceAdapter = createSSEPresenceAdapter();
     // ---------------------------------------------------------------------------
     // CSRF token endpoint
@@ -203,7 +284,17 @@ export function registerCMSRoutes(router) {
             if (!(await checkRateLimitAsync(loginLimiter, `login:${clientIp}`))) {
                 return errorResponse('Too many login attempts. Please try again later.', 429);
             }
-            const user = await db().user.findFirst({
+            const captchaConfig = getCaptchaConfig();
+            if (captchaConfig.provider !== 'none') {
+                const captchaResult = await verifyCaptcha(body.captchaToken ?? '', captchaConfig, clientIp);
+                if (!captchaResult.success) {
+                    return errorResponse('CAPTCHA verification failed. Please try again.', 403);
+                }
+            }
+            const d = db();
+            if (!hasModel(d, 'user'))
+                return modelNotAvailable('user');
+            const user = await d.user.findFirst({
                 where: { email: email.toLowerCase().trim() },
             });
             if (!user) {
@@ -276,7 +367,7 @@ export function registerCMSRoutes(router) {
             return response;
         }
         catch (err) {
-            return errorResponse('Login failed', 500);
+            return internalError(err, 'login');
         }
     });
     router.post('/auth/logout', async (request) => {
@@ -295,7 +386,7 @@ export function registerCMSRoutes(router) {
             return response;
         }
         catch (err) {
-            return errorResponse('Logout failed', 500);
+            return internalError(err, 'logout');
         }
     });
     router.get('/auth/me', async (request) => {
@@ -313,7 +404,7 @@ export function registerCMSRoutes(router) {
             return json({ data: user });
         }
         catch (err) {
-            return errorResponse('Failed to fetch user', 500);
+            return internalError(err, 'auth/me');
         }
     });
     // ---------------------------------------------------------------------------
@@ -324,7 +415,7 @@ export function registerCMSRoutes(router) {
             const auth = await requireAuth(request);
             if (auth.error)
                 return auth.error;
-            const { generateTOTPSecret, generateTOTPUri, generateBackupCodes } = await import('../auth/totp');
+            const { generateTOTPSecret, generateTOTPUri, generateBackupCodes } = await import('../auth/totp.js');
             const user = await db().user.findUnique({ where: { id: auth.session.userId }, select: { email: true, totpEnabled: true } });
             if (!user)
                 return errorResponse('User not found', 404);
@@ -348,7 +439,7 @@ export function registerCMSRoutes(router) {
             const body = await request.json();
             if (!body.code)
                 return errorResponse('Code is required', 400);
-            const { verifyTOTP } = await import('../auth/totp');
+            const { verifyTOTP } = await import('../auth/totp.js');
             const user = await db().user.findUnique({ where: { id: auth.session.userId }, select: { totpSecret: true } });
             if (!user?.totpSecret)
                 return errorResponse('TOTP not set up', 400);
@@ -379,7 +470,7 @@ export function registerCMSRoutes(router) {
             const body = await request.json();
             if (!body.userId || !body.code)
                 return errorResponse('userId and code are required', 400);
-            const { verifyTOTP } = await import('../auth/totp');
+            const { verifyTOTP } = await import('../auth/totp.js');
             const user = await db().user.findUnique({ where: { id: body.userId }, select: { id: true, email: true, role: true, totpSecret: true, totpEnabled: true, isActive: true } });
             if (!user || !user.isActive || !user.totpEnabled || !user.totpSecret)
                 return errorResponse('Invalid request', 400);
@@ -422,7 +513,7 @@ export function registerCMSRoutes(router) {
             };
             const codeVerifier = generateCodeVerifier();
             const codeChallenge = await generateCodeChallenge(codeVerifier);
-            const state = await generateState(provider, codeVerifier, '/admin', secret);
+            const state = await generateState(provider, codeVerifier, getAdminPath(), secret);
             const url = getAuthorizationUrl(provider, oauthProviders[provider], state, codeChallenge);
             return json({ data: { url } });
         }
@@ -444,7 +535,7 @@ export function registerCMSRoutes(router) {
                 const desc = url.searchParams.get('error_description') ?? errorParam;
                 return new Response(null, {
                     status: 302,
-                    headers: { Location: `/admin/login?error=${encodeURIComponent(desc)}` },
+                    headers: { Location: `${getAdminPath()}?error=${encodeURIComponent(desc)}` },
                 });
             }
             if (!code || !stateToken) {
@@ -473,7 +564,7 @@ export function registerCMSRoutes(router) {
             return new Response(null, {
                 status: 302,
                 headers: {
-                    Location: '/admin',
+                    Location: getAdminPath(),
                     'Set-Cookie': cookieFlags.join('; '),
                 },
             });
@@ -482,7 +573,7 @@ export function registerCMSRoutes(router) {
             const message = err instanceof Error ? err.message : 'OAuth callback failed';
             return new Response(null, {
                 status: 302,
-                headers: { Location: `/admin/login?error=${encodeURIComponent(message)}` },
+                headers: { Location: `${getAdminPath()}?error=${encodeURIComponent(message)}` },
             });
         }
     });
@@ -572,7 +663,7 @@ export function registerCMSRoutes(router) {
             return json({ data: doc }, 201);
         }
         catch (err) {
-            return errorResponse('Failed to create document', 500);
+            return internalError(err, 'create document');
         }
     });
     router.put('/collections/:slug/:id', async (request, params) => {
@@ -594,7 +685,7 @@ export function registerCMSRoutes(router) {
             return json({ data: doc });
         }
         catch (err) {
-            return errorResponse('Failed to update document', 500);
+            return internalError(err, 'update document');
         }
     });
     router.delete('/collections/:slug/:id', async (request, params) => {
@@ -615,7 +706,7 @@ export function registerCMSRoutes(router) {
             return json({ data: { success: true } });
         }
         catch (err) {
-            return errorResponse('Failed to delete document', 500);
+            return internalError(err, 'delete document');
         }
     });
     // ---------------------------------------------------------------------------
@@ -721,8 +812,7 @@ export function registerCMSRoutes(router) {
             const storageKey = `actuate/media/${Date.now()}-${sanitizedName}`;
             let publicUrl = '';
             try {
-                // @ts-ignore -- @vercel/blob is an optional peer dependency
-                const blob = await import('@vercel/blob');
+                const blob = await importBlobStorage();
                 const result = await blob.put(storageKey, uploadBuffer, {
                     access: 'public',
                     contentType: finalMimeType,
@@ -808,8 +898,7 @@ export function registerCMSRoutes(router) {
             const newStorageKey = `actuate/media/${Date.now()}-${sanitizedName}`;
             let newPublicUrl = '';
             try {
-                // @ts-ignore -- @vercel/blob is an optional peer dependency
-                const blob = await import('@vercel/blob');
+                const blob = await importBlobStorage();
                 const uploadResult = await blob.put(newStorageKey, result.buffer, {
                     access: 'public',
                     contentType: result.mimeType,
@@ -893,8 +982,7 @@ export function registerCMSRoutes(router) {
                 return errorResponse('Media not found', 404);
             }
             try {
-                // @ts-ignore -- @vercel/blob is an optional peer dependency
-                const blob = await import('@vercel/blob');
+                const blob = await importBlobStorage();
                 await blob.del(media.storageKey);
             }
             catch {
@@ -915,6 +1003,172 @@ export function registerCMSRoutes(router) {
     // ---------------------------------------------------------------------------
     // Setup routes
     // ---------------------------------------------------------------------------
+    // ---------------------------------------------------------------------------
+    // Update routes
+    // ---------------------------------------------------------------------------
+    const UPDATE_CONFIG_KEY = '_cms_update_config';
+    async function getUpdateConfig() {
+        const encKey = process.env.CMS_ENCRYPTION_KEY;
+        if (!encKey)
+            return {};
+        try {
+            const doc = await db().document.findFirst({
+                where: { collection: UPDATE_CONFIG_KEY, deletedAt: null },
+            });
+            if (!doc?.data)
+                return {};
+            const raw = doc.data;
+            const result = {};
+            if (raw.githubToken)
+                result.githubToken = await decryptField(raw.githubToken, encKey);
+            if (raw.githubRepo)
+                result.githubRepo = await decryptField(raw.githubRepo, encKey);
+            return result;
+        }
+        catch {
+            return {};
+        }
+    }
+    router.get('/updates/check', async (request) => {
+        try {
+            const session = await extractSession(request);
+            if (!session)
+                return errorResponse('Unauthorized', 401);
+            const coreVersion = globalThis.__actuateCoreVersion ?? '0.1.0';
+            const info = await checkForUpdates(coreVersion);
+            const saved = await getUpdateConfig();
+            return json({
+                data: {
+                    ...info,
+                    hasGithubToken: !!(saved.githubToken || process.env.ACTUATE_GITHUB_TOKEN),
+                    githubRepo: saved.githubRepo || process.env.ACTUATE_GITHUB_REPO || '',
+                },
+            });
+        }
+        catch (err) {
+            return internalError(err);
+        }
+    });
+    router.get('/updates/config', async (request) => {
+        try {
+            const session = await extractSession(request);
+            if (!session || session.role !== 'admin') {
+                return errorResponse('Unauthorized — admin only', 403);
+            }
+            const saved = await getUpdateConfig();
+            return json({
+                data: {
+                    hasGithubToken: !!(saved.githubToken || process.env.ACTUATE_GITHUB_TOKEN),
+                    githubRepo: saved.githubRepo || process.env.ACTUATE_GITHUB_REPO || '',
+                },
+            });
+        }
+        catch (err) {
+            return internalError(err);
+        }
+    });
+    router.put('/updates/config', async (request) => {
+        try {
+            const session = await extractSession(request);
+            if (!session || session.role !== 'admin') {
+                return errorResponse('Unauthorized — admin only', 403);
+            }
+            const encKey = process.env.CMS_ENCRYPTION_KEY;
+            if (!encKey) {
+                return errorResponse('CMS_ENCRYPTION_KEY is required to store encrypted credentials.', 400);
+            }
+            const body = await request.json();
+            if (body.githubRepo && !/^[a-zA-Z0-9._-]+\/[a-zA-Z0-9._-]+$/.test(body.githubRepo)) {
+                return errorResponse('Invalid repository format. Use owner/repo.', 400);
+            }
+            const encrypted = {};
+            if (body.githubToken)
+                encrypted.githubToken = await encryptField(body.githubToken, encKey);
+            if (body.githubRepo)
+                encrypted.githubRepo = await encryptField(body.githubRepo, encKey);
+            await db().document.upsert({
+                where: { collection_slug: { collection: UPDATE_CONFIG_KEY, slug: UPDATE_CONFIG_KEY } },
+                create: {
+                    collection: UPDATE_CONFIG_KEY,
+                    slug: UPDATE_CONFIG_KEY,
+                    title: 'Update Configuration',
+                    data: encrypted,
+                    status: 'PUBLISHED',
+                    createdById: session.userId,
+                    updatedById: session.userId,
+                },
+                update: {
+                    data: encrypted,
+                    updatedById: session.userId,
+                },
+            });
+            await logEvent({
+                event: 'settings_changed',
+                userId: session.userId,
+                details: { setting: 'update_config' },
+            });
+            return json({ data: { success: true } });
+        }
+        catch (err) {
+            return internalError(err);
+        }
+    });
+    router.post('/updates/apply', async (request) => {
+        try {
+            const session = await extractSession(request);
+            if (!session || session.role !== 'admin') {
+                return errorResponse('Unauthorized — admin only', 403);
+            }
+            const body = await request.json();
+            if (!body.targetVersion) {
+                return errorResponse('targetVersion is required', 400);
+            }
+            if (!/^\d+\.\d+\.\d+(-[\w.]+)?$/.test(body.targetVersion)) {
+                return errorResponse('Invalid version format', 400);
+            }
+            const saved = await getUpdateConfig();
+            const githubToken = saved.githubToken || process.env.ACTUATE_GITHUB_TOKEN;
+            const githubRepo = saved.githubRepo || process.env.ACTUATE_GITHUB_REPO;
+            const owner = githubRepo?.split('/')[0];
+            const repo = githubRepo?.split('/')[1];
+            if (!githubToken) {
+                return errorResponse('GitHub token not configured. Go to Settings > Updates to add one.', 400);
+            }
+            if (!owner || !repo) {
+                return errorResponse('GitHub repository not configured. Go to Settings > Updates to add one.', 400);
+            }
+            const coreVersion = globalThis.__actuateCoreVersion ?? '0.1.0';
+            const result = await createUpgradePR({
+                owner,
+                repo,
+                targetVersion: body.targetVersion,
+                changesDescription: `Upgrade Actuate CMS from ${coreVersion} to ${body.targetVersion}.\n\nRun \`npx prisma migrate deploy\` after merging.`,
+                githubToken,
+            });
+            await logEvent({
+                event: 'cms_update_initiated',
+                userId: session.userId,
+                details: {
+                    fromVersion: coreVersion,
+                    toVersion: body.targetVersion,
+                    prUrl: result.prUrl,
+                },
+            });
+            return json({ data: result });
+        }
+        catch (err) {
+            return internalError(err);
+        }
+    });
+    router.get('/captcha/config', async () => {
+        const captchaConfig = getCaptchaConfig();
+        return json({
+            data: {
+                provider: captchaConfig.provider,
+                siteKey: captchaConfig.provider !== 'none' ? captchaConfig.siteKey : null,
+            },
+        });
+    });
     router.get('/setup/status', async () => {
         try {
             const status = await checkSetupRequired(db());
@@ -956,11 +1210,12 @@ export function registerCMSRoutes(router) {
             const auth = await requireAuth(request);
             if (auth.error)
                 return auth.error;
+            const d = db();
             const [totalDocuments, totalMedia, totalUsers, recentDocuments] = await Promise.all([
-                db().document.count({ where: { deletedAt: null } }),
-                db().media.count(),
-                db().user.count(),
-                db().document.findMany({
+                safeCount(d.document, { deletedAt: null }),
+                safeCount(d.media),
+                safeCount(d.user),
+                safeFindMany(d.document, {
                     where: { deletedAt: null },
                     orderBy: { updatedAt: 'desc' },
                     take: 10,
@@ -984,20 +1239,21 @@ export function registerCMSRoutes(router) {
             const q = (url.searchParams.get('q') ?? '').trim();
             if (!q)
                 return json({ data: { documents: [], media: [], users: [] } });
+            const d = db();
             const [documents, media, users] = await Promise.all([
-                db().document.findMany({
+                safeFindMany(d.document, {
                     where: { deletedAt: null, OR: [{ title: { contains: q, mode: 'insensitive' } }, { plainText: { contains: q, mode: 'insensitive' } }] },
                     take: 10,
                     orderBy: { updatedAt: 'desc' },
                     select: { id: true, title: true, slug: true, collection: true, status: true, updatedAt: true },
                 }),
-                db().media.findMany({
+                safeFindMany(d.media, {
                     where: { OR: [{ filename: { contains: q, mode: 'insensitive' } }, { altText: { contains: q, mode: 'insensitive' } }] },
                     take: 5,
                     orderBy: { createdAt: 'desc' },
                     select: { id: true, filename: true, altText: true, mimeType: true, storageKey: true },
                 }),
-                db().user.findMany({
+                safeFindMany(d.user, {
                     where: { isActive: true, OR: [{ name: { contains: q, mode: 'insensitive' } }, { email: { contains: q, mode: 'insensitive' } }] },
                     take: 5,
                     select: { id: true, name: true, email: true, role: true },
@@ -1124,6 +1380,14 @@ export function registerCMSRoutes(router) {
             if (!body.fields || typeof body.fields !== 'object') {
                 return errorResponse('Missing or invalid "fields" in request body', 400);
             }
+            const captchaConfig = getCaptchaConfig();
+            if (captchaConfig.provider !== 'none') {
+                const ip = request.headers.get('x-forwarded-for')?.split(',')[0]?.trim();
+                const captchaResult = await verifyCaptcha(body.captchaToken ?? '', captchaConfig, ip);
+                if (!captchaResult.success) {
+                    return errorResponse('CAPTCHA verification failed. Please try again.', 403);
+                }
+            }
             const submission = await db().formSubmission.create({
                 data: {
                     formId,
@@ -1218,7 +1482,7 @@ export function registerCMSRoutes(router) {
             return json({ data: redirect }, 201);
         }
         catch (err) {
-            return errorResponse('Failed to create redirect', 500);
+            return internalError(err, 'create redirect');
         }
     });
     router.delete('/redirects/:id', async (request, params) => {
@@ -1232,7 +1496,7 @@ export function registerCMSRoutes(router) {
             return json({ data: { success: true } });
         }
         catch (err) {
-            return errorResponse('Failed to delete redirect', 500);
+            return internalError(err, 'delete redirect');
         }
     });
     // ---------------------------------------------------------------------------
@@ -1369,7 +1633,7 @@ export function registerCMSRoutes(router) {
             const doc = await db().document.findUnique({ where: { id: params.documentId } });
             if (!doc)
                 return errorResponse('Not found', 404);
-            const { analyzeContent } = await import('../seo/analysis');
+            const { analyzeContent } = await import('../seo/analysis.js');
             const data = doc.data || {};
             const result = analyzeContent({
                 title: doc.title || data.title || '',
@@ -1398,7 +1662,7 @@ export function registerCMSRoutes(router) {
             const doc = await db().document.findUnique({ where: { id: params.documentId } });
             if (!doc)
                 return errorResponse('Not found', 404);
-            const { calculateReadability, stripHtmlTags } = await import('../seo/analysis');
+            const { calculateReadability, stripHtmlTags } = await import('../seo/analysis.js');
             const data = doc.data || {};
             const text = stripHtmlTags(data.content || data.body || '');
             const result = calculateReadability(text);
@@ -1454,7 +1718,7 @@ export function registerCMSRoutes(router) {
                 orderBy: { updatedAt: 'desc' },
                 take: 50,
             });
-            const { generateLlmsTxt } = await import('../seo/llms-txt');
+            const { generateLlmsTxt } = await import('../seo/llms-txt.js');
             const pages = docs.map((d) => {
                 const data = d.data || {};
                 return {
@@ -1487,7 +1751,7 @@ export function registerCMSRoutes(router) {
             const doc = await db().document.findUnique({ where: { id: params.documentId } });
             if (!doc)
                 return errorResponse('Not found', 404);
-            const { buildSchemaGraph } = await import('../content/structured-data');
+            const { buildSchemaGraph } = await import('../content/structured-data.js');
             const data = doc.data || {};
             const graph = buildSchemaGraph({
                 siteName: 'Actuate CMS',
@@ -1516,7 +1780,7 @@ export function registerCMSRoutes(router) {
             const doc = await db().document.findUnique({ where: { id: params.documentId } });
             if (!doc)
                 return errorResponse('Not found', 404);
-            const { generateMetaTags } = await import('../seo/meta-tags');
+            const { generateMetaTags } = await import('../seo/meta-tags.js');
             const data = doc.data || {};
             const tags = generateMetaTags({
                 title: data.metaTitle || doc.title || data.title || '',
@@ -1764,7 +2028,7 @@ export function registerCMSRoutes(router) {
             return json({ data: { token: session.token, expiresAt: session.expiresAt } });
         }
         catch (err) {
-            return errorResponse('Failed to create preview token', 500);
+            return internalError(err, 'create preview token');
         }
     });
     router.get('/preview/:collection/:id', async (request, params) => {
@@ -1786,7 +2050,7 @@ export function registerCMSRoutes(router) {
             return json({ data });
         }
         catch (err) {
-            return errorResponse('Failed to fetch preview data', 500);
+            return internalError(err, 'fetch preview data');
         }
     });
     // ---------------------------------------------------------------------------
@@ -1800,7 +2064,7 @@ export function registerCMSRoutes(router) {
             const body = await request.json();
             if (!body.stage)
                 return errorResponse('Stage is required', 400);
-            const { transitionDocument } = await import('../workflow/index');
+            const { transitionDocument } = await import('../workflow/index.js');
             const result = await transitionDocument(params.id, body.stage, auth.session.userId, auth.session.role, body.note);
             if (!result.success)
                 return errorResponse(result.error ?? 'Transition failed', 400);
@@ -1815,7 +2079,7 @@ export function registerCMSRoutes(router) {
             const auth = await requireAuth(request);
             if (auth.error)
                 return auth.error;
-            const { getAvailableTransitions } = await import('../workflow/index');
+            const { getAvailableTransitions } = await import('../workflow/index.js');
             const doc = await db().document.findFirst({
                 where: { id: params.id, deletedAt: null },
                 select: { workflowStage: true, reviewerId: true, reviewNote: true },
@@ -1890,7 +2154,7 @@ export function registerCMSRoutes(router) {
             return json({ data: doc });
         }
         catch (err) {
-            return errorResponse('Failed to restore version', 500);
+            return internalError(err, 'restore version');
         }
     });
     // ---------------------------------------------------------------------------
@@ -1908,7 +2172,7 @@ export function registerCMSRoutes(router) {
             return json({ data: result });
         }
         catch (err) {
-            return errorResponse('Scheduling run failed', 500);
+            return internalError(err, 'scheduling run');
         }
     });
     router.get('/scheduling/calendar', async (request) => {
@@ -1921,7 +2185,7 @@ export function registerCMSRoutes(router) {
             const toStr = url.searchParams.get('to');
             const from = fromStr ? new Date(fromStr) : new Date(Date.now() - 30 * 24 * 60 * 60 * 1000);
             const to = toStr ? new Date(toStr) : new Date(Date.now() + 90 * 24 * 60 * 60 * 1000);
-            const { getScheduleCalendar } = await import('../scheduling/index');
+            const { getScheduleCalendar } = await import('../scheduling/index.js');
             const entries = await getScheduleCalendar(from, to, db());
             return json({ data: entries });
         }
@@ -1976,7 +2240,7 @@ export function registerCMSRoutes(router) {
             const roleErr = requireRole(auth.session.role, ADMIN_ROLES);
             if (roleErr)
                 return roleErr;
-            const { listEndpoints } = await import('../webhooks/index');
+            const { listEndpoints } = await import('../webhooks/index.js');
             const endpoints = await listEndpoints();
             return json({ data: endpoints });
         }
@@ -1996,7 +2260,7 @@ export function registerCMSRoutes(router) {
             if (!body.url || !body.events?.length) {
                 return errorResponse('url and events are required', 400);
             }
-            const { createEndpoint } = await import('../webhooks/index');
+            const { createEndpoint } = await import('../webhooks/index.js');
             const secret = body.secret || crypto.randomUUID();
             const endpoint = await createEndpoint({
                 url: body.url,
@@ -2025,7 +2289,7 @@ export function registerCMSRoutes(router) {
             if (roleErr)
                 return roleErr;
             const body = await request.json();
-            const { updateEndpoint } = await import('../webhooks/index');
+            const { updateEndpoint } = await import('../webhooks/index.js');
             const updated = await updateEndpoint(params.id, body);
             return json({ data: updated });
         }
@@ -2041,7 +2305,7 @@ export function registerCMSRoutes(router) {
             const roleErr = requireRole(auth.session.role, ADMIN_ROLES);
             if (roleErr)
                 return roleErr;
-            const { deleteEndpoint } = await import('../webhooks/index');
+            const { deleteEndpoint } = await import('../webhooks/index.js');
             await deleteEndpoint(params.id);
             await logEvent({
                 event: 'settings_changed',
@@ -2062,7 +2326,7 @@ export function registerCMSRoutes(router) {
             const roleErr = requireRole(auth.session.role, ADMIN_ROLES);
             if (roleErr)
                 return roleErr;
-            const { getDeliveries } = await import('../webhooks/index');
+            const { getDeliveries } = await import('../webhooks/index.js');
             const deliveries = await getDeliveries(params.id);
             return json({ data: deliveries });
         }
@@ -2078,7 +2342,7 @@ export function registerCMSRoutes(router) {
             const roleErr = requireRole(auth.session.role, ADMIN_ROLES);
             if (roleErr)
                 return roleErr;
-            const { processRetries } = await import('../webhooks/index');
+            const { processRetries } = await import('../webhooks/index.js');
             const result = await processRetries();
             return json({ data: result });
         }