@actuate-media/cms-core 0.1.0 → 0.2.0

package/dist/security/captcha.d.ts

@@ -0,0 +1,32 @@
+/**
+ * Server-side CAPTCHA verification for reCAPTCHA v3 and Cloudflare Turnstile.
+ * Both providers share the same verify interface — only the secret key and
+ * verification URL differ.
+ */
+export type CaptchaProvider = 'recaptcha' | 'turnstile' | 'none';
+export interface CaptchaConfig {
+    provider: CaptchaProvider;
+    /** Public site key (safe to expose to client) */
+    siteKey: string;
+    /** Server-side secret key (from env) */
+    secretKey: string;
+    /** Minimum score threshold for reCAPTCHA v3 (0.0–1.0, default 0.5). Ignored by Turnstile. */
+    scoreThreshold?: number;
+}
+export interface CaptchaVerifyResult {
+    success: boolean;
+    score?: number;
+    action?: string;
+    errorCodes?: string[];
+}
+/**
+ * Verifies a CAPTCHA token server-side.
+ * Works for both reCAPTCHA v3 and Cloudflare Turnstile.
+ */
+export declare function verifyCaptcha(token: string, config: CaptchaConfig, remoteIp?: string): Promise<CaptchaVerifyResult>;
+/**
+ * Resolves CAPTCHA config from environment variables.
+ * Returns { provider: 'none' } if no keys are configured.
+ */
+export declare function getCaptchaConfig(): CaptchaConfig;
+//# sourceMappingURL=captcha.d.ts.map

package/dist/security/captcha.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"captcha.d.ts","sourceRoot":"","sources":["../../src/security/captcha.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,MAAM,MAAM,eAAe,GAAG,WAAW,GAAG,WAAW,GAAG,MAAM,CAAC;AAEjE,MAAM,WAAW,aAAa;IAC5B,QAAQ,EAAE,eAAe,CAAC;IAC1B,iDAAiD;IACjD,OAAO,EAAE,MAAM,CAAC;IAChB,wCAAwC;IACxC,SAAS,EAAE,MAAM,CAAC;IAClB,6FAA6F;IAC7F,cAAc,CAAC,EAAE,MAAM,CAAC;CACzB;AAED,MAAM,WAAW,mBAAmB;IAClC,OAAO,EAAE,OAAO,CAAC;IACjB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,UAAU,CAAC,EAAE,MAAM,EAAE,CAAC;CACvB;AAOD;;;GAGG;AACH,wBAAsB,aAAa,CACjC,KAAK,EAAE,MAAM,EACb,MAAM,EAAE,aAAa,EACrB,QAAQ,CAAC,EAAE,MAAM,GAChB,OAAO,CAAC,mBAAmB,CAAC,CAyE9B;AAED;;;GAGG;AACH,wBAAgB,gBAAgB,IAAI,aAAa,CAyBhD"}

package/dist/security/captcha.js

@@ -0,0 +1,101 @@
+/**
+ * Server-side CAPTCHA verification for reCAPTCHA v3 and Cloudflare Turnstile.
+ * Both providers share the same verify interface — only the secret key and
+ * verification URL differ.
+ */
+const VERIFY_URLS = {
+    recaptcha: 'https://www.google.com/recaptcha/api/siteverify',
+    turnstile: 'https://challenges.cloudflare.com/turnstile/v0/siteverify',
+};
+/**
+ * Verifies a CAPTCHA token server-side.
+ * Works for both reCAPTCHA v3 and Cloudflare Turnstile.
+ */
+export async function verifyCaptcha(token, config, remoteIp) {
+    if (config.provider === 'none') {
+        return { success: true };
+    }
+    if (!token) {
+        return { success: false, errorCodes: ['missing-input-response'] };
+    }
+    const verifyUrl = VERIFY_URLS[config.provider];
+    if (!verifyUrl) {
+        return { success: false, errorCodes: [`unknown-provider:${config.provider}`] };
+    }
+    const params = new URLSearchParams({
+        secret: config.secretKey,
+        response: token,
+    });
+    if (remoteIp) {
+        params.set('remoteip', remoteIp);
+    }
+    try {
+        const res = await fetch(verifyUrl, {
+            method: 'POST',
+            headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
+            body: params.toString(),
+        });
+        if (!res.ok) {
+            return { success: false, errorCodes: [`http-error:${res.status}`] };
+        }
+        const data = (await res.json());
+        if (!data.success) {
+            return {
+                success: false,
+                score: data.score,
+                action: data.action,
+                errorCodes: data['error-codes'] ?? [],
+            };
+        }
+        // reCAPTCHA v3 returns a score; enforce the threshold
+        if (config.provider === 'recaptcha' && typeof data.score === 'number') {
+            const threshold = config.scoreThreshold ?? 0.5;
+            if (data.score < threshold) {
+                return {
+                    success: false,
+                    score: data.score,
+                    action: data.action,
+                    errorCodes: ['score-below-threshold'],
+                };
+            }
+        }
+        return {
+            success: true,
+            score: data.score,
+            action: data.action,
+        };
+    }
+    catch (err) {
+        return {
+            success: false,
+            errorCodes: ['network-error'],
+        };
+    }
+}
+/**
+ * Resolves CAPTCHA config from environment variables.
+ * Returns { provider: 'none' } if no keys are configured.
+ */
+export function getCaptchaConfig() {
+    const recaptchaSiteKey = process.env.RECAPTCHA_SITE_KEY;
+    const recaptchaSecret = process.env.RECAPTCHA_SECRET_KEY;
+    if (recaptchaSiteKey && recaptchaSecret) {
+        return {
+            provider: 'recaptcha',
+            siteKey: recaptchaSiteKey,
+            secretKey: recaptchaSecret,
+            scoreThreshold: parseFloat(process.env.RECAPTCHA_SCORE_THRESHOLD ?? '0.5'),
+        };
+    }
+    const turnstileSiteKey = process.env.TURNSTILE_SITE_KEY;
+    const turnstileSecret = process.env.TURNSTILE_SECRET_KEY;
+    if (turnstileSiteKey && turnstileSecret) {
+        return {
+            provider: 'turnstile',
+            siteKey: turnstileSiteKey,
+            secretKey: turnstileSecret,
+        };
+    }
+    return { provider: 'none', siteKey: '', secretKey: '' };
+}
+//# sourceMappingURL=captcha.js.map

package/dist/security/captcha.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"captcha.js","sourceRoot":"","sources":["../../src/security/captcha.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAqBH,MAAM,WAAW,GAA2B;IAC1C,SAAS,EAAE,iDAAiD;IAC5D,SAAS,EAAE,2DAA2D;CACvE,CAAC;AAEF;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,aAAa,CACjC,KAAa,EACb,MAAqB,EACrB,QAAiB;IAEjB,IAAI,MAAM,CAAC,QAAQ,KAAK,MAAM,EAAE,CAAC;QAC/B,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,CAAC;IAC3B,CAAC;IAED,IAAI,CAAC,KAAK,EAAE,CAAC;QACX,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,UAAU,EAAE,CAAC,wBAAwB,CAAC,EAAE,CAAC;IACpE,CAAC;IAED,MAAM,SAAS,GAAG,WAAW,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC;IAC/C,IAAI,CAAC,SAAS,EAAE,CAAC;QACf,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,UAAU,EAAE,CAAC,oBAAoB,MAAM,CAAC,QAAQ,EAAE,CAAC,EAAE,CAAC;IACjF,CAAC;IAED,MAAM,MAAM,GAAG,IAAI,eAAe,CAAC;QACjC,MAAM,EAAE,MAAM,CAAC,SAAS;QACxB,QAAQ,EAAE,KAAK;KAChB,CAAC,CAAC;IACH,IAAI,QAAQ,EAAE,CAAC;QACb,MAAM,CAAC,GAAG,CAAC,UAAU,EAAE,QAAQ,CAAC,CAAC;IACnC,CAAC;IAED,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,MAAM,KAAK,CAAC,SAAS,EAAE;YACjC,MAAM,EAAE,MAAM;YACd,OAAO,EAAE,EAAE,cAAc,EAAE,mCAAmC,EAAE;YAChE,IAAI,EAAE,MAAM,CAAC,QAAQ,EAAE;SACxB,CAAC,CAAC;QAEH,IAAI,CAAC,GAAG,CAAC,EAAE,EAAE,CAAC;YACZ,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,UAAU,EAAE,CAAC,cAAc,GAAG,CAAC,MAAM,EAAE,CAAC,EAAE,CAAC;QACtE,CAAC;QAED,MAAM,IAAI,GAAG,CAAC,MAAM,GAAG,CAAC,IAAI,EAAE,CAK7B,CAAC;QAEF,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,CAAC;YAClB,OAAO;gBACL,OAAO,EAAE,KAAK;gBACd,KAAK,EAAE,IAAI,CAAC,KAAK;gBACjB,MAAM,EAAE,IAAI,CAAC,MAAM;gBACnB,UAAU,EAAE,IAAI,CAAC,aAAa,CAAC,IAAI,EAAE;aACtC,CAAC;QACJ,CAAC;QAED,sDAAsD;QACtD,IAAI,MAAM,CAAC,QAAQ,KAAK,WAAW,IAAI,OAAO,IAAI,CAAC,KAAK,KAAK,QAAQ,EAAE,CAAC;YACtE,MAAM,SAAS,GAAG,MAAM,CAAC,cAAc,IAAI,GAAG,CAAC;YAC/C,IAAI,IAAI,CAAC,KAAK,GAAG,SAAS,EAAE,CAAC;gBAC3B,OAAO;oBACL,OAAO,EAAE,KAAK;oBACd,KAAK,EAAE,IAAI,CAAC,KAAK;oBACjB,MAAM,EAAE,IAAI,CAAC,MAAM;oBACnB,UAAU,EAAE,CAAC,uBAAuB,CAAC;iBACtC,CAAC;YACJ,CAAC;QACH,CAAC;QAED,OAAO;YACL,OAAO,EAAE,IAAI;YACb,KAAK,EAAE,IAAI,CAAC,KAAK;YACjB,MAAM,EAAE,IAAI,CAAC,MAAM;SACpB,CAAC;IACJ,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,OAAO;YACL,OAAO,EAAE,KAAK;YACd,UAAU,EAAE,CAAC,eAAe,CAAC;SAC9B,CAAC;IACJ,CAAC;AACH,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,gBAAgB;IAC9B,MAAM,gBAAgB,GAAG,OAAO,CAAC,GAAG,CAAC,kBAAkB,CAAC;IACxD,MAAM,eAAe,GAAG,OAAO,CAAC,GAAG,CAAC,oBAAoB,CAAC;IAEzD,IAAI,gBAAgB,IAAI,eAAe,EAAE,CAAC;QACxC,OAAO;YACL,QAAQ,EAAE,WAAW;YACrB,OAAO,EAAE,gBAAgB;YACzB,SAAS,EAAE,eAAe;YAC1B,cAAc,EAAE,UAAU,CAAC,OAAO,CAAC,GAAG,CAAC,yBAAyB,IAAI,KAAK,CAAC;SAC3E,CAAC;IACJ,CAAC;IAED,MAAM,gBAAgB,GAAG,OAAO,CAAC,GAAG,CAAC,kBAAkB,CAAC;IACxD,MAAM,eAAe,GAAG,OAAO,CAAC,GAAG,CAAC,oBAAoB,CAAC;IAEzD,IAAI,gBAAgB,IAAI,eAAe,EAAE,CAAC;QACxC,OAAO;YACL,QAAQ,EAAE,WAAW;YACrB,OAAO,EAAE,gBAAgB;YACzB,SAAS,EAAE,eAAe;SAC3B,CAAC;IACJ,CAAC;IAED,OAAO,EAAE,QAAQ,EAAE,MAAM,EAAE,OAAO,EAAE,EAAE,EAAE,SAAS,EAAE,EAAE,EAAE,CAAC;AAC1D,CAAC"}

package/dist/security/index.d.ts

@@ -1,31 +1,33 @@
-export { checkAccess, getPermissionsForRole, filterFieldsByRole, filterWritableFields, applyFieldAccess } from "./access";
-export type { Role, Permission, FieldAccessUser } from "./access";
-export { generateToken as generateCsrfToken, validateToken as validateCsrfToken } from "./csrf";
-export { createRateLimiter } from "./rate-limit";
-export type { RateLimiter, RateLimitConfig, RateLimitResult } from "./rate-limit";
-export { sanitizeHtml, stripHtml } from "./sanitize";
-export { validateMimeType, checkMagicBytes } from "./upload";
-export { validateWebhookUrl, resolveAndCheck } from "./webhook";
-export { logEvent, getAuditLog } from "./audit";
-export type { AuditEntry, AuditLogQuery, AuditLogResult } from "./audit";
-export { getSecurityHeaders } from "./headers";
-export type { SecurityHeadersConfig } from "./headers";
-export { applySecurityMiddleware } from "./middleware";
-export type { SecurityMiddlewareConfig, SecurityMiddlewareResult } from "./middleware";
-export { checkBreached } from "./breach-check";
-export { detectLoginAnomaly, checkBruteForce } from "./anomaly-detection";
-export type { LoginAttempt, AnomalyResult } from "./anomaly-detection";
-export { requiresReauth, verifyReauth } from "./reauth";
-export type { ReauthConfig, ReauthContext } from "./reauth";
-export { isIpAllowed } from "./ip-allowlist";
-export { enforceSessionLimits } from "./session-limits";
-export type { SessionInfo, SessionLimitConfig } from "./session-limits";
-export { encryptField, decryptField } from "./encrypted-fields";
-export { getCorsHeaders } from "./cors";
-export type { CorsConfig } from "./cors";
-export { generateCspNonce, buildCspHeader } from "./csp-nonces";
-export { generateSecurityTxt } from "./security-txt";
-export type { SecurityTxtConfig } from "./security-txt";
-export { generateApiKey, validateApiKeyScope } from "./api-key-enhanced";
-export type { ApiKeyScope, EnhancedApiKeyConfig } from "./api-key-enhanced";
+export { checkAccess, getPermissionsForRole, filterFieldsByRole, filterWritableFields, applyFieldAccess } from "./access.js";
+export type { Role, Permission, FieldAccessUser } from "./access.js";
+export { generateToken as generateCsrfToken, validateToken as validateCsrfToken } from "./csrf.js";
+export { createRateLimiter } from "./rate-limit.js";
+export type { RateLimiter, RateLimitConfig, RateLimitResult } from "./rate-limit.js";
+export { sanitizeHtml, stripHtml } from "./sanitize.js";
+export { validateMimeType, checkMagicBytes } from "./upload.js";
+export { validateWebhookUrl, resolveAndCheck } from "./webhook.js";
+export { logEvent, getAuditLog } from "./audit.js";
+export type { AuditEntry, AuditLogQuery, AuditLogResult } from "./audit.js";
+export { getSecurityHeaders } from "./headers.js";
+export type { SecurityHeadersConfig } from "./headers.js";
+export { applySecurityMiddleware } from "./middleware.js";
+export type { SecurityMiddlewareConfig, SecurityMiddlewareResult } from "./middleware.js";
+export { checkBreached } from "./breach-check.js";
+export { detectLoginAnomaly, checkBruteForce } from "./anomaly-detection.js";
+export type { LoginAttempt, AnomalyResult } from "./anomaly-detection.js";
+export { requiresReauth, verifyReauth } from "./reauth.js";
+export type { ReauthConfig, ReauthContext } from "./reauth.js";
+export { isIpAllowed } from "./ip-allowlist.js";
+export { enforceSessionLimits } from "./session-limits.js";
+export type { SessionInfo, SessionLimitConfig } from "./session-limits.js";
+export { encryptField, decryptField } from "./encrypted-fields.js";
+export { getCorsHeaders } from "./cors.js";
+export type { CorsConfig } from "./cors.js";
+export { generateCspNonce, buildCspHeader } from "./csp-nonces.js";
+export { generateSecurityTxt } from "./security-txt.js";
+export type { SecurityTxtConfig } from "./security-txt.js";
+export { generateApiKey, validateApiKeyScope } from "./api-key-enhanced.js";
+export type { ApiKeyScope, EnhancedApiKeyConfig } from "./api-key-enhanced.js";
+export { verifyCaptcha, getCaptchaConfig } from "./captcha.js";
+export type { CaptchaConfig, CaptchaProvider, CaptchaVerifyResult } from "./captcha.js";
 //# sourceMappingURL=index.d.ts.map

package/dist/security/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/security/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,WAAW,EAAE,qBAAqB,EAAE,kBAAkB,EAAE,oBAAoB,EAAE,gBAAgB,EAAE,MAAM,UAAU,CAAC;AAC1H,YAAY,EAAE,IAAI,EAAE,UAAU,EAAE,eAAe,EAAE,MAAM,UAAU,CAAC;AAElE,OAAO,EAAE,aAAa,IAAI,iBAAiB,EAAE,aAAa,IAAI,iBAAiB,EAAE,MAAM,QAAQ,CAAC;AAEhG,OAAO,EAAE,iBAAiB,EAAE,MAAM,cAAc,CAAC;AACjD,YAAY,EAAE,WAAW,EAAE,eAAe,EAAE,eAAe,EAAE,MAAM,cAAc,CAAC;AAElF,OAAO,EAAE,YAAY,EAAE,SAAS,EAAE,MAAM,YAAY,CAAC;AAErD,OAAO,EAAE,gBAAgB,EAAE,eAAe,EAAE,MAAM,UAAU,CAAC;AAE7D,OAAO,EAAE,kBAAkB,EAAE,eAAe,EAAE,MAAM,WAAW,CAAC;AAEhE,OAAO,EAAE,QAAQ,EAAE,WAAW,EAAE,MAAM,SAAS,CAAC;AAChD,YAAY,EAAE,UAAU,EAAE,aAAa,EAAE,cAAc,EAAE,MAAM,SAAS,CAAC;AAEzE,OAAO,EAAE,kBAAkB,EAAE,MAAM,WAAW,CAAC;AAC/C,YAAY,EAAE,qBAAqB,EAAE,MAAM,WAAW,CAAC;AAEvD,OAAO,EAAE,uBAAuB,EAAE,MAAM,cAAc,CAAC;AACvD,YAAY,EAAE,wBAAwB,EAAE,wBAAwB,EAAE,MAAM,cAAc,CAAC;AAEvF,OAAO,EAAE,aAAa,EAAE,MAAM,gBAAgB,CAAC;AAE/C,OAAO,EAAE,kBAAkB,EAAE,eAAe,EAAE,MAAM,qBAAqB,CAAC;AAC1E,YAAY,EAAE,YAAY,EAAE,aAAa,EAAE,MAAM,qBAAqB,CAAC;AAEvE,OAAO,EAAE,cAAc,EAAE,YAAY,EAAE,MAAM,UAAU,CAAC;AACxD,YAAY,EAAE,YAAY,EAAE,aAAa,EAAE,MAAM,UAAU,CAAC;AAE5D,OAAO,EAAE,WAAW,EAAE,MAAM,gBAAgB,CAAC;AAE7C,OAAO,EAAE,oBAAoB,EAAE,MAAM,kBAAkB,CAAC;AACxD,YAAY,EAAE,WAAW,EAAE,kBAAkB,EAAE,MAAM,kBAAkB,CAAC;AAExE,OAAO,EAAE,YAAY,EAAE,YAAY,EAAE,MAAM,oBAAoB,CAAC;AAEhE,OAAO,EAAE,cAAc,EAAE,MAAM,QAAQ,CAAC;AACxC,YAAY,EAAE,UAAU,EAAE,MAAM,QAAQ,CAAC;AAEzC,OAAO,EAAE,gBAAgB,EAAE,cAAc,EAAE,MAAM,cAAc,CAAC;AAEhE,OAAO,EAAE,mBAAmB,EAAE,MAAM,gBAAgB,CAAC;AACrD,YAAY,EAAE,iBAAiB,EAAE,MAAM,gBAAgB,CAAC;AAExD,OAAO,EAAE,cAAc,EAAE,mBAAmB,EAAE,MAAM,oBAAoB,CAAC;AACzE,YAAY,EAAE,WAAW,EAAE,oBAAoB,EAAE,MAAM,oBAAoB,CAAC"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/security/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,WAAW,EAAE,qBAAqB,EAAE,kBAAkB,EAAE,oBAAoB,EAAE,gBAAgB,EAAE,MAAM,aAAa,CAAC;AAC7H,YAAY,EAAE,IAAI,EAAE,UAAU,EAAE,eAAe,EAAE,MAAM,aAAa,CAAC;AAErE,OAAO,EAAE,aAAa,IAAI,iBAAiB,EAAE,aAAa,IAAI,iBAAiB,EAAE,MAAM,WAAW,CAAC;AAEnG,OAAO,EAAE,iBAAiB,EAAE,MAAM,iBAAiB,CAAC;AACpD,YAAY,EAAE,WAAW,EAAE,eAAe,EAAE,eAAe,EAAE,MAAM,iBAAiB,CAAC;AAErF,OAAO,EAAE,YAAY,EAAE,SAAS,EAAE,MAAM,eAAe,CAAC;AAExD,OAAO,EAAE,gBAAgB,EAAE,eAAe,EAAE,MAAM,aAAa,CAAC;AAEhE,OAAO,EAAE,kBAAkB,EAAE,eAAe,EAAE,MAAM,cAAc,CAAC;AAEnE,OAAO,EAAE,QAAQ,EAAE,WAAW,EAAE,MAAM,YAAY,CAAC;AACnD,YAAY,EAAE,UAAU,EAAE,aAAa,EAAE,cAAc,EAAE,MAAM,YAAY,CAAC;AAE5E,OAAO,EAAE,kBAAkB,EAAE,MAAM,cAAc,CAAC;AAClD,YAAY,EAAE,qBAAqB,EAAE,MAAM,cAAc,CAAC;AAE1D,OAAO,EAAE,uBAAuB,EAAE,MAAM,iBAAiB,CAAC;AAC1D,YAAY,EAAE,wBAAwB,EAAE,wBAAwB,EAAE,MAAM,iBAAiB,CAAC;AAE1F,OAAO,EAAE,aAAa,EAAE,MAAM,mBAAmB,CAAC;AAElD,OAAO,EAAE,kBAAkB,EAAE,eAAe,EAAE,MAAM,wBAAwB,CAAC;AAC7E,YAAY,EAAE,YAAY,EAAE,aAAa,EAAE,MAAM,wBAAwB,CAAC;AAE1E,OAAO,EAAE,cAAc,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AAC3D,YAAY,EAAE,YAAY,EAAE,aAAa,EAAE,MAAM,aAAa,CAAC;AAE/D,OAAO,EAAE,WAAW,EAAE,MAAM,mBAAmB,CAAC;AAEhD,OAAO,EAAE,oBAAoB,EAAE,MAAM,qBAAqB,CAAC;AAC3D,YAAY,EAAE,WAAW,EAAE,kBAAkB,EAAE,MAAM,qBAAqB,CAAC;AAE3E,OAAO,EAAE,YAAY,EAAE,YAAY,EAAE,MAAM,uBAAuB,CAAC;AAEnE,OAAO,EAAE,cAAc,EAAE,MAAM,WAAW,CAAC;AAC3C,YAAY,EAAE,UAAU,EAAE,MAAM,WAAW,CAAC;AAE5C,OAAO,EAAE,gBAAgB,EAAE,cAAc,EAAE,MAAM,iBAAiB,CAAC;AAEnE,OAAO,EAAE,mBAAmB,EAAE,MAAM,mBAAmB,CAAC;AACxD,YAAY,EAAE,iBAAiB,EAAE,MAAM,mBAAmB,CAAC;AAE3D,OAAO,EAAE,cAAc,EAAE,mBAAmB,EAAE,MAAM,uBAAuB,CAAC;AAC5E,YAAY,EAAE,WAAW,EAAE,oBAAoB,EAAE,MAAM,uBAAuB,CAAC;AAE/E,OAAO,EAAE,aAAa,EAAE,gBAAgB,EAAE,MAAM,cAAc,CAAC;AAC/D,YAAY,EAAE,aAAa,EAAE,eAAe,EAAE,mBAAmB,EAAE,MAAM,cAAc,CAAC"}

package/dist/security/index.js

@@ -1,20 +1,21 @@
-export { checkAccess, getPermissionsForRole, filterFieldsByRole, filterWritableFields, applyFieldAccess } from "./access";
-export { generateToken as generateCsrfToken, validateToken as validateCsrfToken } from "./csrf";
-export { createRateLimiter } from "./rate-limit";
-export { sanitizeHtml, stripHtml } from "./sanitize";
-export { validateMimeType, checkMagicBytes } from "./upload";
-export { validateWebhookUrl, resolveAndCheck } from "./webhook";
-export { logEvent, getAuditLog } from "./audit";
-export { getSecurityHeaders } from "./headers";
-export { applySecurityMiddleware } from "./middleware";
-export { checkBreached } from "./breach-check";
-export { detectLoginAnomaly, checkBruteForce } from "./anomaly-detection";
-export { requiresReauth, verifyReauth } from "./reauth";
-export { isIpAllowed } from "./ip-allowlist";
-export { enforceSessionLimits } from "./session-limits";
-export { encryptField, decryptField } from "./encrypted-fields";
-export { getCorsHeaders } from "./cors";
-export { generateCspNonce, buildCspHeader } from "./csp-nonces";
-export { generateSecurityTxt } from "./security-txt";
-export { generateApiKey, validateApiKeyScope } from "./api-key-enhanced";
+export { checkAccess, getPermissionsForRole, filterFieldsByRole, filterWritableFields, applyFieldAccess } from "./access.js";
+export { generateToken as generateCsrfToken, validateToken as validateCsrfToken } from "./csrf.js";
+export { createRateLimiter } from "./rate-limit.js";
+export { sanitizeHtml, stripHtml } from "./sanitize.js";
+export { validateMimeType, checkMagicBytes } from "./upload.js";
+export { validateWebhookUrl, resolveAndCheck } from "./webhook.js";
+export { logEvent, getAuditLog } from "./audit.js";
+export { getSecurityHeaders } from "./headers.js";
+export { applySecurityMiddleware } from "./middleware.js";
+export { checkBreached } from "./breach-check.js";
+export { detectLoginAnomaly, checkBruteForce } from "./anomaly-detection.js";
+export { requiresReauth, verifyReauth } from "./reauth.js";
+export { isIpAllowed } from "./ip-allowlist.js";
+export { enforceSessionLimits } from "./session-limits.js";
+export { encryptField, decryptField } from "./encrypted-fields.js";
+export { getCorsHeaders } from "./cors.js";
+export { generateCspNonce, buildCspHeader } from "./csp-nonces.js";
+export { generateSecurityTxt } from "./security-txt.js";
+export { generateApiKey, validateApiKeyScope } from "./api-key-enhanced.js";
+export { verifyCaptcha, getCaptchaConfig } from "./captcha.js";
 //# sourceMappingURL=index.js.map

package/dist/security/index.js.map

@@ -1 +1 @@
-{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/security/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,WAAW,EAAE,qBAAqB,EAAE,kBAAkB,EAAE,oBAAoB,EAAE,gBAAgB,EAAE,MAAM,UAAU,CAAC;AAG1H,OAAO,EAAE,aAAa,IAAI,iBAAiB,EAAE,aAAa,IAAI,iBAAiB,EAAE,MAAM,QAAQ,CAAC;AAEhG,OAAO,EAAE,iBAAiB,EAAE,MAAM,cAAc,CAAC;AAGjD,OAAO,EAAE,YAAY,EAAE,SAAS,EAAE,MAAM,YAAY,CAAC;AAErD,OAAO,EAAE,gBAAgB,EAAE,eAAe,EAAE,MAAM,UAAU,CAAC;AAE7D,OAAO,EAAE,kBAAkB,EAAE,eAAe,EAAE,MAAM,WAAW,CAAC;AAEhE,OAAO,EAAE,QAAQ,EAAE,WAAW,EAAE,MAAM,SAAS,CAAC;AAGhD,OAAO,EAAE,kBAAkB,EAAE,MAAM,WAAW,CAAC;AAG/C,OAAO,EAAE,uBAAuB,EAAE,MAAM,cAAc,CAAC;AAGvD,OAAO,EAAE,aAAa,EAAE,MAAM,gBAAgB,CAAC;AAE/C,OAAO,EAAE,kBAAkB,EAAE,eAAe,EAAE,MAAM,qBAAqB,CAAC;AAG1E,OAAO,EAAE,cAAc,EAAE,YAAY,EAAE,MAAM,UAAU,CAAC;AAGxD,OAAO,EAAE,WAAW,EAAE,MAAM,gBAAgB,CAAC;AAE7C,OAAO,EAAE,oBAAoB,EAAE,MAAM,kBAAkB,CAAC;AAGxD,OAAO,EAAE,YAAY,EAAE,YAAY,EAAE,MAAM,oBAAoB,CAAC;AAEhE,OAAO,EAAE,cAAc,EAAE,MAAM,QAAQ,CAAC;AAGxC,OAAO,EAAE,gBAAgB,EAAE,cAAc,EAAE,MAAM,cAAc,CAAC;AAEhE,OAAO,EAAE,mBAAmB,EAAE,MAAM,gBAAgB,CAAC;AAGrD,OAAO,EAAE,cAAc,EAAE,mBAAmB,EAAE,MAAM,oBAAoB,CAAC"}
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/security/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,WAAW,EAAE,qBAAqB,EAAE,kBAAkB,EAAE,oBAAoB,EAAE,gBAAgB,EAAE,MAAM,aAAa,CAAC;AAG7H,OAAO,EAAE,aAAa,IAAI,iBAAiB,EAAE,aAAa,IAAI,iBAAiB,EAAE,MAAM,WAAW,CAAC;AAEnG,OAAO,EAAE,iBAAiB,EAAE,MAAM,iBAAiB,CAAC;AAGpD,OAAO,EAAE,YAAY,EAAE,SAAS,EAAE,MAAM,eAAe,CAAC;AAExD,OAAO,EAAE,gBAAgB,EAAE,eAAe,EAAE,MAAM,aAAa,CAAC;AAEhE,OAAO,EAAE,kBAAkB,EAAE,eAAe,EAAE,MAAM,cAAc,CAAC;AAEnE,OAAO,EAAE,QAAQ,EAAE,WAAW,EAAE,MAAM,YAAY,CAAC;AAGnD,OAAO,EAAE,kBAAkB,EAAE,MAAM,cAAc,CAAC;AAGlD,OAAO,EAAE,uBAAuB,EAAE,MAAM,iBAAiB,CAAC;AAG1D,OAAO,EAAE,aAAa,EAAE,MAAM,mBAAmB,CAAC;AAElD,OAAO,EAAE,kBAAkB,EAAE,eAAe,EAAE,MAAM,wBAAwB,CAAC;AAG7E,OAAO,EAAE,cAAc,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AAG3D,OAAO,EAAE,WAAW,EAAE,MAAM,mBAAmB,CAAC;AAEhD,OAAO,EAAE,oBAAoB,EAAE,MAAM,qBAAqB,CAAC;AAG3D,OAAO,EAAE,YAAY,EAAE,YAAY,EAAE,MAAM,uBAAuB,CAAC;AAEnE,OAAO,EAAE,cAAc,EAAE,MAAM,WAAW,CAAC;AAG3C,OAAO,EAAE,gBAAgB,EAAE,cAAc,EAAE,MAAM,iBAAiB,CAAC;AAEnE,OAAO,EAAE,mBAAmB,EAAE,MAAM,mBAAmB,CAAC;AAGxD,OAAO,EAAE,cAAc,EAAE,mBAAmB,EAAE,MAAM,uBAAuB,CAAC;AAG5E,OAAO,EAAE,aAAa,EAAE,gBAAgB,EAAE,MAAM,cAAc,CAAC"}

package/dist/security/middleware.d.ts

@@ -1,5 +1,5 @@
-import { type SecurityHeadersConfig } from "./headers";
-import type { RateLimiter } from "./rate-limit";
+import { type SecurityHeadersConfig } from "./headers.js";
+import type { RateLimiter } from "./rate-limit.js";
 export interface SecurityMiddlewareConfig {
     headers?: SecurityHeadersConfig;
     csrf?: {

package/dist/security/middleware.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"middleware.d.ts","sourceRoot":"","sources":["../../src/security/middleware.ts"],"names":[],"mappings":"AAAA,OAAO,EAAsB,KAAK,qBAAqB,EAAE,MAAM,WAAW,CAAC;AAE3E,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,cAAc,CAAC;AAEhD,MAAM,WAAW,wBAAwB;IACvC,OAAO,CAAC,EAAE,qBAAqB,CAAC;IAChC,IAAI,CAAC,EAAE;QAAE,OAAO,EAAE,OAAO,CAAC;QAAC,UAAU,CAAC,EAAE,MAAM,CAAA;KAAE,CAAC;IACjD,SAAS,CAAC,EAAE,WAAW,CAAC;IACxB,YAAY,CAAC,EAAE,CAAC,OAAO,EAAE,OAAO,KAAK,MAAM,CAAC;CAC7C;AAED,MAAM,WAAW,wBAAwB;IACvC,OAAO,EAAE,OAAO,CAAC;IACjB,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAChC,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,MAAM,CAAC,EAAE,MAAM,CAAC;CACjB;AAED,4FAA4F;AAC5F,wBAAsB,uBAAuB,CAC3C,OAAO,EAAE,OAAO,EAChB,MAAM,EAAE,wBAAwB,GAC/B,OAAO,CAAC,wBAAwB,CAAC,CAiCnC"}
+{"version":3,"file":"middleware.d.ts","sourceRoot":"","sources":["../../src/security/middleware.ts"],"names":[],"mappings":"AAAA,OAAO,EAAsB,KAAK,qBAAqB,EAAE,MAAM,cAAc,CAAC;AAE9E,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,iBAAiB,CAAC;AAEnD,MAAM,WAAW,wBAAwB;IACvC,OAAO,CAAC,EAAE,qBAAqB,CAAC;IAChC,IAAI,CAAC,EAAE;QAAE,OAAO,EAAE,OAAO,CAAC;QAAC,UAAU,CAAC,EAAE,MAAM,CAAA;KAAE,CAAC;IACjD,SAAS,CAAC,EAAE,WAAW,CAAC;IACxB,YAAY,CAAC,EAAE,CAAC,OAAO,EAAE,OAAO,KAAK,MAAM,CAAC;CAC7C;AAED,MAAM,WAAW,wBAAwB;IACvC,OAAO,EAAE,OAAO,CAAC;IACjB,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAChC,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,MAAM,CAAC,EAAE,MAAM,CAAC;CACjB;AAED,4FAA4F;AAC5F,wBAAsB,uBAAuB,CAC3C,OAAO,EAAE,OAAO,EAChB,MAAM,EAAE,wBAAwB,GAC/B,OAAO,CAAC,wBAAwB,CAAC,CAiCnC"}

package/dist/security/middleware.js

@@ -1,5 +1,5 @@
-import { getSecurityHeaders } from "./headers";
-import { validateToken as validateCsrf } from "./csrf";
+import { getSecurityHeaders } from "./headers.js";
+import { validateToken as validateCsrf } from "./csrf.js";
 /** Compose a security middleware pipeline that applies headers, CSRF, and rate limiting. */
 export async function applySecurityMiddleware(request, config) {
     const responseHeaders = getSecurityHeaders(config.headers);

package/dist/security/middleware.js.map

@@ -1 +1 @@
-{"version":3,"file":"middleware.js","sourceRoot":"","sources":["../../src/security/middleware.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,kBAAkB,EAA8B,MAAM,WAAW,CAAC;AAC3E,OAAO,EAAE,aAAa,IAAI,YAAY,EAAE,MAAM,QAAQ,CAAC;AAiBvD,4FAA4F;AAC5F,MAAM,CAAC,KAAK,UAAU,uBAAuB,CAC3C,OAAgB,EAChB,MAAgC;IAEhC,MAAM,eAAe,GAAG,kBAAkB,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;IAE3D,IAAI,MAAM,CAAC,SAAS,EAAE,CAAC;QACrB,MAAM,GAAG,GAAG,MAAM,CAAC,YAAY,EAAE,CAAC,OAAO,CAAC,IAAI,WAAW,CAAC,OAAO,CAAC,CAAC;QACnE,MAAM,MAAM,GAAG,MAAM,MAAM,CAAC,SAAS,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;QACjD,IAAI,CAAC,MAAM,CAAC,OAAO,EAAE,CAAC;YACpB,OAAO;gBACL,OAAO,EAAE,KAAK;gBACd,OAAO,EAAE,eAAe;gBACxB,KAAK,EAAE,qBAAqB;gBAC5B,MAAM,EAAE,GAAG;aACZ,CAAC;QACJ,CAAC;QACD,eAAe,CAAC,uBAAuB,CAAC,GAAG,MAAM,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC;QACpE,eAAe,CAAC,mBAAmB,CAAC,GAAG,MAAM,CAAC,OAAO,CAAC,WAAW,EAAE,CAAC;IACtE,CAAC;IAED,IAAI,MAAM,CAAC,IAAI,EAAE,OAAO,IAAI,gBAAgB,CAAC,OAAO,CAAC,MAAM,CAAC,EAAE,CAAC;QAC7D,MAAM,SAAS,GAAG,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,cAAc,CAAC,IAAI,EAAE,CAAC;QAC5D,MAAM,UAAU,GAAG,MAAM,CAAC,IAAI,CAAC,UAAU,IAAI,gBAAgB,CAAC;QAC9D,MAAM,WAAW,GAAG,WAAW,CAAC,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,QAAQ,CAAC,IAAI,EAAE,EAAE,UAAU,CAAC,CAAC;QACjF,IAAI,CAAC,WAAW,IAAI,CAAC,YAAY,CAAC,SAAS,EAAE,WAAW,CAAC,EAAE,CAAC;YAC1D,OAAO;gBACL,OAAO,EAAE,KAAK;gBACd,OAAO,EAAE,eAAe;gBACxB,KAAK,EAAE,oBAAoB;gBAC3B,MAAM,EAAE,GAAG;aACZ,CAAC;QACJ,CAAC;IACH,CAAC;IAED,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,OAAO,EAAE,eAAe,EAAE,CAAC;AACrD,CAAC;AAED,SAAS,gBAAgB,CAAC,MAAc;IACtC,OAAO,CAAC,MAAM,EAAE,KAAK,EAAE,OAAO,EAAE,QAAQ,CAAC,CAAC,QAAQ,CAAC,MAAM,CAAC,WAAW,EAAE,CAAC,CAAC;AAC3E,CAAC;AAED,SAAS,WAAW,CAAC,OAAgB;IACnC,OAAO,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,iBAAiB,CAAC,EAAE,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,EAAE,IAAI,EAAE,IAAI,SAAS,CAAC;AACpF,CAAC;AAED,SAAS,WAAW,CAAC,YAAoB,EAAE,IAAY;IACrD,MAAM,KAAK,GAAG,YAAY,CAAC,KAAK,CAAC,IAAI,MAAM,CAAC,cAAc,IAAI,UAAU,CAAC,CAAC,CAAC;IAC3E,OAAO,KAAK,EAAE,CAAC,CAAC,CAAC,CAAC;AACpB,CAAC"}
+{"version":3,"file":"middleware.js","sourceRoot":"","sources":["../../src/security/middleware.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,kBAAkB,EAA8B,MAAM,cAAc,CAAC;AAC9E,OAAO,EAAE,aAAa,IAAI,YAAY,EAAE,MAAM,WAAW,CAAC;AAiB1D,4FAA4F;AAC5F,MAAM,CAAC,KAAK,UAAU,uBAAuB,CAC3C,OAAgB,EAChB,MAAgC;IAEhC,MAAM,eAAe,GAAG,kBAAkB,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;IAE3D,IAAI,MAAM,CAAC,SAAS,EAAE,CAAC;QACrB,MAAM,GAAG,GAAG,MAAM,CAAC,YAAY,EAAE,CAAC,OAAO,CAAC,IAAI,WAAW,CAAC,OAAO,CAAC,CAAC;QACnE,MAAM,MAAM,GAAG,MAAM,MAAM,CAAC,SAAS,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;QACjD,IAAI,CAAC,MAAM,CAAC,OAAO,EAAE,CAAC;YACpB,OAAO;gBACL,OAAO,EAAE,KAAK;gBACd,OAAO,EAAE,eAAe;gBACxB,KAAK,EAAE,qBAAqB;gBAC5B,MAAM,EAAE,GAAG;aACZ,CAAC;QACJ,CAAC;QACD,eAAe,CAAC,uBAAuB,CAAC,GAAG,MAAM,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC;QACpE,eAAe,CAAC,mBAAmB,CAAC,GAAG,MAAM,CAAC,OAAO,CAAC,WAAW,EAAE,CAAC;IACtE,CAAC;IAED,IAAI,MAAM,CAAC,IAAI,EAAE,OAAO,IAAI,gBAAgB,CAAC,OAAO,CAAC,MAAM,CAAC,EAAE,CAAC;QAC7D,MAAM,SAAS,GAAG,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,cAAc,CAAC,IAAI,EAAE,CAAC;QAC5D,MAAM,UAAU,GAAG,MAAM,CAAC,IAAI,CAAC,UAAU,IAAI,gBAAgB,CAAC;QAC9D,MAAM,WAAW,GAAG,WAAW,CAAC,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,QAAQ,CAAC,IAAI,EAAE,EAAE,UAAU,CAAC,CAAC;QACjF,IAAI,CAAC,WAAW,IAAI,CAAC,YAAY,CAAC,SAAS,EAAE,WAAW,CAAC,EAAE,CAAC;YAC1D,OAAO;gBACL,OAAO,EAAE,KAAK;gBACd,OAAO,EAAE,eAAe;gBACxB,KAAK,EAAE,oBAAoB;gBAC3B,MAAM,EAAE,GAAG;aACZ,CAAC;QACJ,CAAC;IACH,CAAC;IAED,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,OAAO,EAAE,eAAe,EAAE,CAAC;AACrD,CAAC;AAED,SAAS,gBAAgB,CAAC,MAAc;IACtC,OAAO,CAAC,MAAM,EAAE,KAAK,EAAE,OAAO,EAAE,QAAQ,CAAC,CAAC,QAAQ,CAAC,MAAM,CAAC,WAAW,EAAE,CAAC,CAAC;AAC3E,CAAC;AAED,SAAS,WAAW,CAAC,OAAgB;IACnC,OAAO,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,iBAAiB,CAAC,EAAE,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,EAAE,IAAI,EAAE,IAAI,SAAS,CAAC;AACpF,CAAC;AAED,SAAS,WAAW,CAAC,YAAoB,EAAE,IAAY;IACrD,MAAM,KAAK,GAAG,YAAY,CAAC,KAAK,CAAC,IAAI,MAAM,CAAC,cAAc,IAAI,UAAU,CAAC,CAAC,CAAC;IAC3E,OAAO,KAAK,EAAE,CAAC,CAAC,CAAC,CAAC;AACpB,CAAC"}

package/dist/security/reauth.js

@@ -1,4 +1,4 @@
-import { verifyPassword } from '../auth/password';
+import { verifyPassword } from '../auth/password.js';
 /** Check whether a sensitive action requires re-authentication. */
 export function requiresReauth(context, config) {
     if (!config.requiredForActions.includes(context.action))
@@ -12,7 +12,7 @@ export async function verifyReauth(userId, credential, method, db) {
         return false;
     }
     if (!db) {
-        const { getDB } = await import('../db');
+        const { getDB } = await import('../db.js');
         db = getDB();
     }
     const user = await db.user.findUnique({

package/dist/security/reauth.js.map

@@ -1 +1 @@
-{"version":3,"file":"reauth.js","sourceRoot":"","sources":["../../src/security/reauth.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,cAAc,EAAE,MAAM,kBAAkB,CAAC;AAYlD,mEAAmE;AACnE,MAAM,UAAU,cAAc,CAC5B,OAAsB,EACtB,MAAoB;IAEpB,IAAI,CAAC,MAAM,CAAC,kBAAkB,CAAC,QAAQ,CAAC,OAAO,CAAC,MAAM,CAAC;QAAE,OAAO,KAAK,CAAC;IACtE,MAAM,OAAO,GAAG,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,OAAO,CAAC,UAAU,CAAC,OAAO,EAAE,CAAC,GAAG,IAAI,CAAC;IACnE,OAAO,OAAO,GAAG,MAAM,CAAC,aAAa,CAAC;AACxC,CAAC;AAED,uDAAuD;AACvD,MAAM,CAAC,KAAK,UAAU,YAAY,CAChC,MAAc,EACd,UAAkB,EAClB,MAA2B,EAC3B,EAAQ;IAER,IAAI,MAAM,KAAK,MAAM,EAAE,CAAC;QACtB,OAAO,KAAK,CAAC;IACf,CAAC;IAED,IAAI,CAAC,EAAE,EAAE,CAAC;QACR,MAAM,EAAE,KAAK,EAAE,GAAG,MAAM,MAAM,CAAC,OAAO,CAAC,CAAC;QACxC,EAAE,GAAG,KAAK,EAAE,CAAC;IACf,CAAC;IAED,MAAM,IAAI,GAAG,MAAM,EAAE,CAAC,IAAI,CAAC,UAAU,CAAC;QACpC,KAAK,EAAE,EAAE,EAAE,EAAE,MAAM,EAAE;QACrB,MAAM,EAAE,EAAE,YAAY,EAAE,IAAI,EAAE,QAAQ,EAAE,IAAI,EAAE;KAC/C,CAAC,CAAC;IAEH,IAAI,CAAC,IAAI,IAAI,CAAC,IAAI,CAAC,QAAQ,IAAI,CAAC,IAAI,CAAC,YAAY,EAAE,CAAC;QAClD,OAAO,KAAK,CAAC;IACf,CAAC;IAED,OAAO,cAAc,CAAC,UAAU,EAAE,IAAI,CAAC,YAAY,CAAC,CAAC;AACvD,CAAC;AAED,qEAAqE;AACrE,MAAM,CAAC,MAAM,qBAAqB,GAAiB;IACjD,aAAa,EAAE,GAAG;IAClB,kBAAkB,EAAE;QAClB,aAAa;QACb,kBAAkB;QAClB,iBAAiB;QACjB,aAAa;QACb,sBAAsB;KACvB;CACF,CAAC"}
+{"version":3,"file":"reauth.js","sourceRoot":"","sources":["../../src/security/reauth.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,cAAc,EAAE,MAAM,qBAAqB,CAAC;AAYrD,mEAAmE;AACnE,MAAM,UAAU,cAAc,CAC5B,OAAsB,EACtB,MAAoB;IAEpB,IAAI,CAAC,MAAM,CAAC,kBAAkB,CAAC,QAAQ,CAAC,OAAO,CAAC,MAAM,CAAC;QAAE,OAAO,KAAK,CAAC;IACtE,MAAM,OAAO,GAAG,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,OAAO,CAAC,UAAU,CAAC,OAAO,EAAE,CAAC,GAAG,IAAI,CAAC;IACnE,OAAO,OAAO,GAAG,MAAM,CAAC,aAAa,CAAC;AACxC,CAAC;AAED,uDAAuD;AACvD,MAAM,CAAC,KAAK,UAAU,YAAY,CAChC,MAAc,EACd,UAAkB,EAClB,MAA2B,EAC3B,EAAQ;IAER,IAAI,MAAM,KAAK,MAAM,EAAE,CAAC;QACtB,OAAO,KAAK,CAAC;IACf,CAAC;IAED,IAAI,CAAC,EAAE,EAAE,CAAC;QACR,MAAM,EAAE,KAAK,EAAE,GAAG,MAAM,MAAM,CAAC,UAAU,CAAC,CAAC;QAC3C,EAAE,GAAG,KAAK,EAAE,CAAC;IACf,CAAC;IAED,MAAM,IAAI,GAAG,MAAM,EAAE,CAAC,IAAI,CAAC,UAAU,CAAC;QACpC,KAAK,EAAE,EAAE,EAAE,EAAE,MAAM,EAAE;QACrB,MAAM,EAAE,EAAE,YAAY,EAAE,IAAI,EAAE,QAAQ,EAAE,IAAI,EAAE;KAC/C,CAAC,CAAC;IAEH,IAAI,CAAC,IAAI,IAAI,CAAC,IAAI,CAAC,QAAQ,IAAI,CAAC,IAAI,CAAC,YAAY,EAAE,CAAC;QAClD,OAAO,KAAK,CAAC;IACf,CAAC;IAED,OAAO,cAAc,CAAC,UAAU,EAAE,IAAI,CAAC,YAAY,CAAC,CAAC;AACvD,CAAC;AAED,qEAAqE;AACrE,MAAM,CAAC,MAAM,qBAAqB,GAAiB;IACjD,aAAa,EAAE,GAAG;IAClB,kBAAkB,EAAE;QAClB,aAAa;QACb,kBAAkB;QAClB,iBAAiB;QACjB,aAAa;QACb,sBAAsB;KACvB;CACF,CAAC"}

package/dist/seo/index.d.ts

@@ -1,9 +1,9 @@
-export { analyzeContent, calculateReadability, stripHtmlTags, countSyllables, detectPassiveVoice, splitSentences, splitParagraphs, } from './analysis';
-export type { SEOAnalysisResult, SEOCheck, AnalysisInput, ReadabilityResult, } from './analysis';
-export { generateMetaTags, renderMetaTagsHtml, generateNextMetadata, } from './meta-tags';
-export type { MetaTagInput, } from './meta-tags';
-export { resolveTitle, getDocumentTitle, } from './title-templates';
-export type { TitleTemplateConfig, TitleVariable, } from './title-templates';
-export { generateLlmsTxt, } from './llms-txt';
-export type { LlmsTxtConfig, LlmsTxtPage, } from './llms-txt';
+export { analyzeContent, calculateReadability, stripHtmlTags, countSyllables, detectPassiveVoice, splitSentences, splitParagraphs, } from './analysis.js';
+export type { SEOAnalysisResult, SEOCheck, AnalysisInput, ReadabilityResult, } from './analysis.js';
+export { generateMetaTags, renderMetaTagsHtml, generateNextMetadata, } from './meta-tags.js';
+export type { MetaTagInput, } from './meta-tags.js';
+export { resolveTitle, getDocumentTitle, } from './title-templates.js';
+export type { TitleTemplateConfig, TitleVariable, } from './title-templates.js';
+export { generateLlmsTxt, } from './llms-txt.js';
+export type { LlmsTxtConfig, LlmsTxtPage, } from './llms-txt.js';
 //# sourceMappingURL=index.d.ts.map

package/dist/seo/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/seo/index.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,cAAc,EACd,oBAAoB,EACpB,aAAa,EACb,cAAc,EACd,kBAAkB,EAClB,cAAc,EACd,eAAe,GAChB,MAAM,YAAY,CAAC;AAEpB,YAAY,EACV,iBAAiB,EACjB,QAAQ,EACR,aAAa,EACb,iBAAiB,GAClB,MAAM,YAAY,CAAC;AAEpB,OAAO,EACL,gBAAgB,EAChB,kBAAkB,EAClB,oBAAoB,GACrB,MAAM,aAAa,CAAC;AAErB,YAAY,EACV,YAAY,GACb,MAAM,aAAa,CAAC;AAErB,OAAO,EACL,YAAY,EACZ,gBAAgB,GACjB,MAAM,mBAAmB,CAAC;AAE3B,YAAY,EACV,mBAAmB,EACnB,aAAa,GACd,MAAM,mBAAmB,CAAC;AAE3B,OAAO,EACL,eAAe,GAChB,MAAM,YAAY,CAAC;AAEpB,YAAY,EACV,aAAa,EACb,WAAW,GACZ,MAAM,YAAY,CAAC"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/seo/index.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,cAAc,EACd,oBAAoB,EACpB,aAAa,EACb,cAAc,EACd,kBAAkB,EAClB,cAAc,EACd,eAAe,GAChB,MAAM,eAAe,CAAC;AAEvB,YAAY,EACV,iBAAiB,EACjB,QAAQ,EACR,aAAa,EACb,iBAAiB,GAClB,MAAM,eAAe,CAAC;AAEvB,OAAO,EACL,gBAAgB,EAChB,kBAAkB,EAClB,oBAAoB,GACrB,MAAM,gBAAgB,CAAC;AAExB,YAAY,EACV,YAAY,GACb,MAAM,gBAAgB,CAAC;AAExB,OAAO,EACL,YAAY,EACZ,gBAAgB,GACjB,MAAM,sBAAsB,CAAC;AAE9B,YAAY,EACV,mBAAmB,EACnB,aAAa,GACd,MAAM,sBAAsB,CAAC;AAE9B,OAAO,EACL,eAAe,GAChB,MAAM,eAAe,CAAC;AAEvB,YAAY,EACV,aAAa,EACb,WAAW,GACZ,MAAM,eAAe,CAAC"}

package/dist/seo/index.js

@@ -1,5 +1,5 @@
-export { analyzeContent, calculateReadability, stripHtmlTags, countSyllables, detectPassiveVoice, splitSentences, splitParagraphs, } from './analysis';
-export { generateMetaTags, renderMetaTagsHtml, generateNextMetadata, } from './meta-tags';
-export { resolveTitle, getDocumentTitle, } from './title-templates';
-export { generateLlmsTxt, } from './llms-txt';
+export { analyzeContent, calculateReadability, stripHtmlTags, countSyllables, detectPassiveVoice, splitSentences, splitParagraphs, } from './analysis.js';
+export { generateMetaTags, renderMetaTagsHtml, generateNextMetadata, } from './meta-tags.js';
+export { resolveTitle, getDocumentTitle, } from './title-templates.js';
+export { generateLlmsTxt, } from './llms-txt.js';
 //# sourceMappingURL=index.js.map

package/dist/seo/index.js.map

@@ -1 +1 @@
-{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/seo/index.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,cAAc,EACd,oBAAoB,EACpB,aAAa,EACb,cAAc,EACd,kBAAkB,EAClB,cAAc,EACd,eAAe,GAChB,MAAM,YAAY,CAAC;AASpB,OAAO,EACL,gBAAgB,EAChB,kBAAkB,EAClB,oBAAoB,GACrB,MAAM,aAAa,CAAC;AAMrB,OAAO,EACL,YAAY,EACZ,gBAAgB,GACjB,MAAM,mBAAmB,CAAC;AAO3B,OAAO,EACL,eAAe,GAChB,MAAM,YAAY,CAAC"}
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/seo/index.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,cAAc,EACd,oBAAoB,EACpB,aAAa,EACb,cAAc,EACd,kBAAkB,EAClB,cAAc,EACd,eAAe,GAChB,MAAM,eAAe,CAAC;AASvB,OAAO,EACL,gBAAgB,EAChB,kBAAkB,EAClB,oBAAoB,GACrB,MAAM,gBAAgB,CAAC;AAMxB,OAAO,EACL,YAAY,EACZ,gBAAgB,GACjB,MAAM,sBAAsB,CAAC;AAO9B,OAAO,EACL,eAAe,GAChB,MAAM,eAAe,CAAC"}

package/dist/setup/index.js

@@ -5,7 +5,7 @@
  * 1. Interactive — setup wizard UI at /admin when no users exist
  * 2. Automated — env-var-based admin creation for CI/headless deploys
  */
-import { hashPassword } from '../auth/password';
+import { hashPassword } from '../auth/password.js';
 /**
  * Check if the CMS needs first-run setup (no admin users exist).
  * Uses a raw count query to avoid loading the full user model.

package/dist/setup/index.js.map

@@ -1 +1 @@
-{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/setup/index.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,EAAE,YAAY,EAAE,MAAM,kBAAkB,CAAC;AAmBhD;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,kBAAkB,CAAC,EAAO;IAC9C,IAAI,CAAC;QACH,MAAM,SAAS,GAAG,MAAM,EAAE,CAAC,IAAI,CAAC,KAAK,EAAE,CAAC;QACxC,OAAO,EAAE,aAAa,EAAE,SAAS,KAAK,CAAC,EAAE,SAAS,EAAE,CAAC;IACvD,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,EAAE,aAAa,EAAE,IAAI,EAAE,SAAS,EAAE,CAAC,EAAE,CAAC;IAC/C,CAAC;AACH,CAAC;AAED;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,kBAAkB,CACtC,EAAO,EACP,KAAuB;IAEvB,IAAI,CAAC,KAAK,CAAC,KAAK,IAAI,CAAC,KAAK,CAAC,QAAQ,IAAI,CAAC,KAAK,CAAC,IAAI,EAAE,CAAC;QACnD,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,wCAAwC,EAAE,CAAC;IAC7E,CAAC;IAED,IAAI,KAAK,CAAC,QAAQ,CAAC,MAAM,GAAG,EAAE,EAAE,CAAC;QAC/B,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,yCAAyC,EAAE,CAAC;IAC9E,CAAC;IAED,MAAM,YAAY,GAAG,MAAM,YAAY,CAAC,KAAK,CAAC,QAAQ,CAAC,CAAC;IAExD,IAAI,CAAC;QACH,MAAM,IAAI,GAAG,MAAM,EAAE,CAAC,YAAY,CAAC,KAAK,EAAE,EAAO,EAAE,EAAE;YACnD,MAAM,aAAa,GAAG,MAAM,EAAE,CAAC,IAAI,CAAC,KAAK,EAAE,CAAC;YAC5C,IAAI,aAAa,GAAG,CAAC,EAAE,CAAC;gBACtB,MAAM,IAAI,KAAK,CAAC,uCAAuC,CAAC,CAAC;YAC3D,CAAC;YAED,OAAO,EAAE,CAAC,IAAI,CAAC,MAAM,CAAC;gBACpB,IAAI,EAAE;oBACJ,KAAK,EAAE,KAAK,CAAC,KAAK,CAAC,WAAW,EAAE,CAAC,IAAI,EAAE;oBACvC,IAAI,EAAE,KAAK,CAAC,IAAI,CAAC,IAAI,EAAE;oBACvB,YAAY;oBACZ,IAAI,EAAE,OAAO;oBACb,QAAQ,EAAE,IAAI;oBACd,UAAU,EAAE,IAAI;oBAChB,aAAa,EAAE,IAAI;iBACpB;aACF,CAAC,CAAC;QACL,CAAC,CAAC,CAAC;QAEH,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,CAAC,EAAE,EAAE,CAAC;IAC5C,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,MAAM,OAAO,GAAG,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,cAAc,CAAC;QACpE,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,OAAO,EAAE,CAAC;IAC5C,CAAC;AACH,CAAC;AAED;;;;GAIG;AACH,MAAM,CAAC,KAAK,UAAU,aAAa,CAAC,EAAO;IACzC,MAAM,KAAK,GAAG,OAAO,CAAC,GAAG,CAAC,eAAe,CAAC;IAC1C,MAAM,QAAQ,GAAG,OAAO,CAAC,GAAG,CAAC,kBAAkB,CAAC;IAEhD,IAAI,CAAC,KAAK,IAAI,CAAC,QAAQ,EAAE,CAAC;QACxB,OAAO,IAAI,CAAC;IACd,CAAC;IAED,MAAM,EAAE,aAAa,EAAE,GAAG,MAAM,kBAAkB,CAAC,EAAE,CAAC,CAAC;IACvD,IAAI,CAAC,aAAa,EAAE,CAAC;QACnB,OAAO,IAAI,CAAC;IACd,CAAC;IAED,MAAM,IAAI,GAAG,OAAO,CAAC,GAAG,CAAC,cAAc,IAAI,OAAO,CAAC;IAEnD,OAAO,kBAAkB,CAAC,EAAE,EAAE,EAAE,KAAK,EAAE,QAAQ,EAAE,IAAI,EAAE,CAAC,CAAC;AAC3D,CAAC"}
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/setup/index.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,EAAE,YAAY,EAAE,MAAM,qBAAqB,CAAC;AAmBnD;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,kBAAkB,CAAC,EAAO;IAC9C,IAAI,CAAC;QACH,MAAM,SAAS,GAAG,MAAM,EAAE,CAAC,IAAI,CAAC,KAAK,EAAE,CAAC;QACxC,OAAO,EAAE,aAAa,EAAE,SAAS,KAAK,CAAC,EAAE,SAAS,EAAE,CAAC;IACvD,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,EAAE,aAAa,EAAE,IAAI,EAAE,SAAS,EAAE,CAAC,EAAE,CAAC;IAC/C,CAAC;AACH,CAAC;AAED;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,kBAAkB,CACtC,EAAO,EACP,KAAuB;IAEvB,IAAI,CAAC,KAAK,CAAC,KAAK,IAAI,CAAC,KAAK,CAAC,QAAQ,IAAI,CAAC,KAAK,CAAC,IAAI,EAAE,CAAC;QACnD,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,wCAAwC,EAAE,CAAC;IAC7E,CAAC;IAED,IAAI,KAAK,CAAC,QAAQ,CAAC,MAAM,GAAG,EAAE,EAAE,CAAC;QAC/B,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,yCAAyC,EAAE,CAAC;IAC9E,CAAC;IAED,MAAM,YAAY,GAAG,MAAM,YAAY,CAAC,KAAK,CAAC,QAAQ,CAAC,CAAC;IAExD,IAAI,CAAC;QACH,MAAM,IAAI,GAAG,MAAM,EAAE,CAAC,YAAY,CAAC,KAAK,EAAE,EAAO,EAAE,EAAE;YACnD,MAAM,aAAa,GAAG,MAAM,EAAE,CAAC,IAAI,CAAC,KAAK,EAAE,CAAC;YAC5C,IAAI,aAAa,GAAG,CAAC,EAAE,CAAC;gBACtB,MAAM,IAAI,KAAK,CAAC,uCAAuC,CAAC,CAAC;YAC3D,CAAC;YAED,OAAO,EAAE,CAAC,IAAI,CAAC,MAAM,CAAC;gBACpB,IAAI,EAAE;oBACJ,KAAK,EAAE,KAAK,CAAC,KAAK,CAAC,WAAW,EAAE,CAAC,IAAI,EAAE;oBACvC,IAAI,EAAE,KAAK,CAAC,IAAI,CAAC,IAAI,EAAE;oBACvB,YAAY;oBACZ,IAAI,EAAE,OAAO;oBACb,QAAQ,EAAE,IAAI;oBACd,UAAU,EAAE,IAAI;oBAChB,aAAa,EAAE,IAAI;iBACpB;aACF,CAAC,CAAC;QACL,CAAC,CAAC,CAAC;QAEH,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,CAAC,EAAE,EAAE,CAAC;IAC5C,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,MAAM,OAAO,GAAG,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,cAAc,CAAC;QACpE,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,OAAO,EAAE,CAAC;IAC5C,CAAC;AACH,CAAC;AAED;;;;GAIG;AACH,MAAM,CAAC,KAAK,UAAU,aAAa,CAAC,EAAO;IACzC,MAAM,KAAK,GAAG,OAAO,CAAC,GAAG,CAAC,eAAe,CAAC;IAC1C,MAAM,QAAQ,GAAG,OAAO,CAAC,GAAG,CAAC,kBAAkB,CAAC;IAEhD,IAAI,CAAC,KAAK,IAAI,CAAC,QAAQ,EAAE,CAAC;QACxB,OAAO,IAAI,CAAC;IACd,CAAC;IAED,MAAM,EAAE,aAAa,EAAE,GAAG,MAAM,kBAAkB,CAAC,EAAE,CAAC,CAAC;IACvD,IAAI,CAAC,aAAa,EAAE,CAAC;QACnB,OAAO,IAAI,CAAC;IACd,CAAC;IAED,MAAM,IAAI,GAAG,OAAO,CAAC,GAAG,CAAC,cAAc,IAAI,OAAO,CAAC;IAEnD,OAAO,kBAAkB,CAAC,EAAE,EAAE,EAAE,KAAK,EAAE,QAAQ,EAAE,IAAI,EAAE,CAAC,CAAC;AAC3D,CAAC"}

package/dist/upgrade/index.d.ts

@@ -1,7 +1,7 @@
-export { checkForUpdates, parseSemver } from "./version-check";
-export type { VersionInfo } from "./version-check";
-export { fetchChangelog, parseChangelog } from "./changelog";
-export type { ChangelogEntry } from "./changelog";
-export { createUpgradePR } from "./upgrade-pr";
-export type { UpgradePROptions, UpgradePRResult } from "./upgrade-pr";
+export { checkForUpdates, parseSemver } from "./version-check.js";
+export type { VersionInfo } from "./version-check.js";
+export { fetchChangelog, parseChangelog } from "./changelog.js";
+export type { ChangelogEntry } from "./changelog.js";
+export { createUpgradePR } from "./upgrade-pr.js";
+export type { UpgradePROptions, UpgradePRResult } from "./upgrade-pr.js";
 //# sourceMappingURL=index.d.ts.map

package/dist/upgrade/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/upgrade/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,eAAe,EAAE,WAAW,EAAE,MAAM,iBAAiB,CAAC;AAC/D,YAAY,EAAE,WAAW,EAAE,MAAM,iBAAiB,CAAC;AAEnD,OAAO,EAAE,cAAc,EAAE,cAAc,EAAE,MAAM,aAAa,CAAC;AAC7D,YAAY,EAAE,cAAc,EAAE,MAAM,aAAa,CAAC;AAElD,OAAO,EAAE,eAAe,EAAE,MAAM,cAAc,CAAC;AAC/C,YAAY,EAAE,gBAAgB,EAAE,eAAe,EAAE,MAAM,cAAc,CAAC"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/upgrade/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,eAAe,EAAE,WAAW,EAAE,MAAM,oBAAoB,CAAC;AAClE,YAAY,EAAE,WAAW,EAAE,MAAM,oBAAoB,CAAC;AAEtD,OAAO,EAAE,cAAc,EAAE,cAAc,EAAE,MAAM,gBAAgB,CAAC;AAChE,YAAY,EAAE,cAAc,EAAE,MAAM,gBAAgB,CAAC;AAErD,OAAO,EAAE,eAAe,EAAE,MAAM,iBAAiB,CAAC;AAClD,YAAY,EAAE,gBAAgB,EAAE,eAAe,EAAE,MAAM,iBAAiB,CAAC"}

package/dist/upgrade/index.js

@@ -1,4 +1,4 @@
-export { checkForUpdates, parseSemver } from "./version-check";
-export { fetchChangelog, parseChangelog } from "./changelog";
-export { createUpgradePR } from "./upgrade-pr";
+export { checkForUpdates, parseSemver } from "./version-check.js";
+export { fetchChangelog, parseChangelog } from "./changelog.js";
+export { createUpgradePR } from "./upgrade-pr.js";
 //# sourceMappingURL=index.js.map

package/dist/upgrade/index.js.map

@@ -1 +1 @@
-{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/upgrade/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,eAAe,EAAE,WAAW,EAAE,MAAM,iBAAiB,CAAC;AAG/D,OAAO,EAAE,cAAc,EAAE,cAAc,EAAE,MAAM,aAAa,CAAC;AAG7D,OAAO,EAAE,eAAe,EAAE,MAAM,cAAc,CAAC"}
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/upgrade/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,eAAe,EAAE,WAAW,EAAE,MAAM,oBAAoB,CAAC;AAGlE,OAAO,EAAE,cAAc,EAAE,cAAc,EAAE,MAAM,gBAAgB,CAAC;AAGhE,OAAO,EAAE,eAAe,EAAE,MAAM,iBAAiB,CAAC"}

package/dist/upgrade/upgrade-pr.d.ts

@@ -11,6 +11,6 @@ export interface UpgradePRResult {
     prUrl: string;
     branchName: string;
 }
-/** Create a GitHub Pull Request for an Actuate CMS version upgrade. */
+/** Create a GitHub Pull Request that bumps Actuate CMS package versions. */
 export declare function createUpgradePR(options: UpgradePROptions): Promise<UpgradePRResult>;
 //# sourceMappingURL=upgrade-pr.d.ts.map

package/dist/upgrade/upgrade-pr.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"upgrade-pr.d.ts","sourceRoot":"","sources":["../../src/upgrade/upgrade-pr.ts"],"names":[],"mappings":"AAAA,MAAM,WAAW,gBAAgB;IAC/B,KAAK,EAAE,MAAM,CAAC;IACd,IAAI,EAAE,MAAM,CAAC;IACb,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,aAAa,EAAE,MAAM,CAAC;IACtB,kBAAkB,EAAE,MAAM,CAAC;IAC3B,WAAW,EAAE,MAAM,CAAC;CACrB;AAED,MAAM,WAAW,eAAe;IAC9B,QAAQ,EAAE,MAAM,CAAC;IACjB,KAAK,EAAE,MAAM,CAAC;IACd,UAAU,EAAE,MAAM,CAAC;CACpB;AAED,uEAAuE;AACvE,wBAAsB,eAAe,CACnC,OAAO,EAAE,gBAAgB,GACxB,OAAO,CAAC,eAAe,CAAC,CA0C1B"}
+{"version":3,"file":"upgrade-pr.d.ts","sourceRoot":"","sources":["../../src/upgrade/upgrade-pr.ts"],"names":[],"mappings":"AAAA,MAAM,WAAW,gBAAgB;IAC/B,KAAK,EAAE,MAAM,CAAC;IACd,IAAI,EAAE,MAAM,CAAC;IACb,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,aAAa,EAAE,MAAM,CAAC;IACtB,kBAAkB,EAAE,MAAM,CAAC;IAC3B,WAAW,EAAE,MAAM,CAAC;CACrB;AAED,MAAM,WAAW,eAAe;IAC9B,QAAQ,EAAE,MAAM,CAAC;IACjB,KAAK,EAAE,MAAM,CAAC;IACd,UAAU,EAAE,MAAM,CAAC;CACpB;AAuBD,4EAA4E;AAC5E,wBAAsB,eAAe,CACnC,OAAO,EAAE,gBAAgB,GACxB,OAAO,CAAC,eAAe,CAAC,CA8I1B"}

package/dist/upgrade/upgrade-pr.js

@@ -1,34 +1,124 @@
-/** Create a GitHub Pull Request for an Actuate CMS version upgrade. */
+const GITHUB_API = "https://api.github.com";
+async function ghFetch(path, token, options = {}) {
+    return fetch(`${GITHUB_API}${path}`, {
+        ...options,
+        headers: {
+            Authorization: `token ${token}`,
+            Accept: "application/vnd.github.v3+json",
+            "Content-Type": "application/json",
+            ...options.headers,
+        },
+    });
+}
+const SAFE_NAME = /^[a-zA-Z0-9._-]+$/;
+const SAFE_VERSION = /^\d+\.\d+\.\d+(-[\w.]+)?$/;
+/** Create a GitHub Pull Request that bumps Actuate CMS package versions. */
 export async function createUpgradePR(options) {
-    const branchName = `actuate/upgrade-${options.targetVersion}`;
-    const title = `chore: upgrade Actuate CMS to ${options.targetVersion}`;
+    const { owner, repo, githubToken, targetVersion, changesDescription } = options;
+    if (!SAFE_NAME.test(owner))
+        throw new Error("Invalid repository owner");
+    if (!SAFE_NAME.test(repo))
+        throw new Error("Invalid repository name");
+    if (!SAFE_VERSION.test(targetVersion))
+        throw new Error("Invalid version format");
+    const baseBranch = options.baseBranch ?? "main";
+    const branchName = `actuate/upgrade-${targetVersion}`;
+    // 1. Get the latest commit SHA on the base branch
+    const refRes = await ghFetch(`/repos/${owner}/${repo}/git/ref/heads/${baseBranch}`, githubToken);
+    if (!refRes.ok) {
+        throw new Error(`Failed to get base branch: ${refRes.status} ${await refRes.text()}`);
+    }
+    const refData = (await refRes.json());
+    const baseSha = refData.object.sha;
+    // 2. Get the current package.json from the base branch
+    const pkgRes = await ghFetch(`/repos/${owner}/${repo}/contents/package.json?ref=${baseBranch}`, githubToken);
+    if (!pkgRes.ok) {
+        throw new Error(`Failed to read package.json: ${pkgRes.status}`);
+    }
+    const pkgData = (await pkgRes.json());
+    const pkgContent = atob(pkgData.content.replace(/\n/g, ""));
+    const pkg = JSON.parse(pkgContent);
+    // 3. Bump @actuate-media/* dependencies to the target version
+    const actuatePackages = [
+        "@actuate-media/cms-core",
+        "@actuate-media/cms-admin",
+        "@actuate-media/plugin-seo",
+        "@actuate-media/plugin-forms",
+        "@actuate-media/plugin-media",
+        "@actuate-media/plugin-email",
+        "@actuate-media/plugin-blocks",
+        "@actuate-media/plugin-redirects",
+        "@actuate-media/plugin-navigation",
+        "@actuate-media/plugin-commerce",
+        "@actuate-media/plugin-ai",
+    ];
+    for (const dep of actuatePackages) {
+        if (pkg.dependencies?.[dep]) {
+            pkg.dependencies[dep] = `^${targetVersion}`;
+        }
+        if (pkg.devDependencies?.[dep]) {
+            pkg.devDependencies[dep] = `^${targetVersion}`;
+        }
+    }
+    const updatedPkg = JSON.stringify(pkg, null, 2) + "\n";
+    const encodedContent = btoa(updatedPkg);
+    // 4. Create a new branch from the base
+    const createBranchRes = await ghFetch(`/repos/${owner}/${repo}/git/refs`, githubToken, {
+        method: "POST",
+        body: JSON.stringify({
+            ref: `refs/heads/${branchName}`,
+            sha: baseSha,
+        }),
+    });
+    if (!createBranchRes.ok) {
+        const errText = await createBranchRes.text();
+        if (!errText.includes("Reference already exists")) {
+            throw new Error(`Failed to create branch: ${createBranchRes.status} ${errText}`);
+        }
+    }
+    // 5. Update package.json on the new branch
+    const updateFileRes = await ghFetch(`/repos/${owner}/${repo}/contents/package.json`, githubToken, {
+        method: "PUT",
+        body: JSON.stringify({
+            message: `chore: bump Actuate CMS to ${targetVersion}`,
+            content: encodedContent,
+            sha: pkgData.sha,
+            branch: branchName,
+        }),
+    });
+    if (!updateFileRes.ok) {
+        throw new Error(`Failed to update package.json: ${updateFileRes.status} ${await updateFileRes.text()}`);
+    }
+    // 6. Create the pull request
+    const title = `chore: upgrade Actuate CMS to ${targetVersion}`;
     const body = [
-        `## Actuate CMS Upgrade to ${options.targetVersion}`,
+        `## Actuate CMS Upgrade to ${targetVersion}`,
         "",
-        options.changesDescription,
+        changesDescription,
+        "",
+        "### After merging",
+        "",
+        "```bash",
+        "npm install",
+        "npx prisma migrate deploy",
+        "```",
         "",
         "---",
-        "*This PR was automatically created by the Actuate CMS upgrade tool.*",
+        "*This PR was automatically created by the Actuate CMS admin panel.*",
     ].join("\n");
-    const response = await fetch(`https://api.github.com/repos/${options.owner}/${options.repo}/pulls`, {
+    const prRes = await ghFetch(`/repos/${owner}/${repo}/pulls`, githubToken, {
         method: "POST",
-        headers: {
-            Authorization: `token ${options.githubToken}`,
-            Accept: "application/vnd.github.v3+json",
-            "Content-Type": "application/json",
-        },
         body: JSON.stringify({
             title,
             body,
             head: branchName,
-            base: options.baseBranch ?? "main",
+            base: baseBranch,
         }),
     });
-    if (!response.ok) {
-        const error = await response.text();
-        throw new Error(`Failed to create PR: ${response.status} ${error}`);
+    if (!prRes.ok) {
+        throw new Error(`Failed to create PR: ${prRes.status} ${await prRes.text()}`);
     }
-    const pr = (await response.json());
+    const pr = (await prRes.json());
     return {
         prNumber: pr.number,
         prUrl: pr.html_url,