@actuate-media/cms-core 0.1.0

package/dist/preview/index.js

@@ -0,0 +1,45 @@
+import * as jose from 'jose';
+export function createPreviewAdapter(secret, db) {
+    const secretKey = new TextEncoder().encode(secret);
+    return {
+        async createPreviewSession(collection, documentId) {
+            const expiresAt = new Date(Date.now() + 5 * 60 * 1000);
+            const token = await new jose.SignJWT({ collection, documentId })
+                .setProtectedHeader({ alg: 'HS256' })
+                .setIssuedAt()
+                .setExpirationTime(expiresAt)
+                .setIssuer('actuate-cms-preview')
+                .sign(secretKey);
+            return { token, collection, documentId, expiresAt };
+        },
+        async validatePreviewToken(token) {
+            try {
+                const { payload } = await jose.jwtVerify(token, secretKey, {
+                    issuer: 'actuate-cms-preview',
+                });
+                return {
+                    token,
+                    collection: payload.collection,
+                    documentId: payload.documentId,
+                    expiresAt: new Date((payload.exp ?? 0) * 1000),
+                };
+            }
+            catch {
+                return null;
+            }
+        },
+        async exitPreview(_token) {
+            // JWT-based tokens are stateless; no server-side invalidation needed
+        },
+        async getPreviewData(session) {
+            const prisma = db;
+            const doc = await prisma.document.findFirst({
+                where: { id: session.documentId, collection: session.collection },
+            });
+            if (!doc)
+                return null;
+            return { ...doc, data: doc.data };
+        },
+    };
+}
+//# sourceMappingURL=index.js.map

package/dist/preview/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/preview/index.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,IAAI,MAAM,MAAM,CAAC;AAgB7B,MAAM,UAAU,oBAAoB,CAAC,MAAc,EAAE,EAAW;IAC9D,MAAM,SAAS,GAAG,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC;IAEnD,OAAO;QACL,KAAK,CAAC,oBAAoB,CAAC,UAAU,EAAE,UAAU;YAC/C,MAAM,SAAS,GAAG,IAAI,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;YACvD,MAAM,KAAK,GAAG,MAAM,IAAI,IAAI,CAAC,OAAO,CAAC,EAAE,UAAU,EAAE,UAAU,EAAE,CAAC;iBAC7D,kBAAkB,CAAC,EAAE,GAAG,EAAE,OAAO,EAAE,CAAC;iBACpC,WAAW,EAAE;iBACb,iBAAiB,CAAC,SAAS,CAAC;iBAC5B,SAAS,CAAC,qBAAqB,CAAC;iBAChC,IAAI,CAAC,SAAS,CAAC,CAAC;YACnB,OAAO,EAAE,KAAK,EAAE,UAAU,EAAE,UAAU,EAAE,SAAS,EAAE,CAAC;QACtD,CAAC;QAED,KAAK,CAAC,oBAAoB,CAAC,KAAK;YAC9B,IAAI,CAAC;gBACH,MAAM,EAAE,OAAO,EAAE,GAAG,MAAM,IAAI,CAAC,SAAS,CAAC,KAAK,EAAE,SAAS,EAAE;oBACzD,MAAM,EAAE,qBAAqB;iBAC9B,CAAC,CAAC;gBACH,OAAO;oBACL,KAAK;oBACL,UAAU,EAAE,OAAO,CAAC,UAAoB;oBACxC,UAAU,EAAE,OAAO,CAAC,UAAoB;oBACxC,SAAS,EAAE,IAAI,IAAI,CAAC,CAAC,OAAO,CAAC,GAAG,IAAI,CAAC,CAAC,GAAG,IAAI,CAAC;iBAC/C,CAAC;YACJ,CAAC;YAAC,MAAM,CAAC;gBACP,OAAO,IAAI,CAAC;YACd,CAAC;QACH,CAAC;QAED,KAAK,CAAC,WAAW,CAAC,MAAM;YACtB,qEAAqE;QACvE,CAAC;QAED,KAAK,CAAC,cAAc,CAAC,OAAO;YAC1B,MAAM,MAAM,GAAG,EAAS,CAAC;YACzB,MAAM,GAAG,GAAG,MAAM,MAAM,CAAC,QAAQ,CAAC,SAAS,CAAC;gBAC1C,KAAK,EAAE,EAAE,EAAE,EAAE,OAAO,CAAC,UAAU,EAAE,UAAU,EAAE,OAAO,CAAC,UAAU,EAAE;aAClE,CAAC,CAAC;YACH,IAAI,CAAC,GAAG;gBAAE,OAAO,IAAI,CAAC;YACtB,OAAO,EAAE,GAAG,GAAG,EAAE,IAAI,EAAE,GAAG,CAAC,IAAI,EAAE,CAAC;QACpC,CAAC;KACF,CAAC;AACJ,CAAC"}

package/dist/privacy/index.d.ts

@@ -0,0 +1,33 @@
+export interface UserDataExport {
+    user: Record<string, unknown>;
+    documents: Record<string, unknown>[];
+    media: Record<string, unknown>[];
+    auditLogs: Record<string, unknown>[];
+    sessions: Record<string, unknown>[];
+    exportedAt: string;
+}
+export interface RetentionPolicy {
+    collection: string;
+    maxAgeDays: number;
+    action: "delete" | "anonymize" | "archive";
+}
+export interface ErasureResult {
+    deletedDocuments: number;
+    anonymizedRecords: number;
+    deletedMedia: number;
+    deletedSessions: number;
+}
+/** Export all data associated with a user (GDPR Article 20 - Right to Data Portability). */
+export declare function exportUserData(_userId: string, _db: unknown): Promise<UserDataExport>;
+/** Erase all personal data for a user (GDPR Article 17 - Right to Erasure). */
+export declare function eraseUserData(_userId: string, _db: unknown): Promise<ErasureResult>;
+/** Apply retention policies to documents past their retention period. */
+export declare function applyRetentionPolicies(_policies: RetentionPolicy[], _db: unknown): Promise<{
+    processed: number;
+    actions: Array<{
+        collection: string;
+        count: number;
+        action: string;
+    }>;
+}>;
+//# sourceMappingURL=index.d.ts.map

package/dist/privacy/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/privacy/index.ts"],"names":[],"mappings":"AAAA,MAAM,WAAW,cAAc;IAC7B,IAAI,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IAC9B,SAAS,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAAE,CAAC;IACrC,KAAK,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAAE,CAAC;IACjC,SAAS,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAAE,CAAC;IACrC,QAAQ,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAAE,CAAC;IACpC,UAAU,EAAE,MAAM,CAAC;CACpB;AAED,MAAM,WAAW,eAAe;IAC9B,UAAU,EAAE,MAAM,CAAC;IACnB,UAAU,EAAE,MAAM,CAAC;IACnB,MAAM,EAAE,QAAQ,GAAG,WAAW,GAAG,SAAS,CAAC;CAC5C;AAED,MAAM,WAAW,aAAa;IAC5B,gBAAgB,EAAE,MAAM,CAAC;IACzB,iBAAiB,EAAE,MAAM,CAAC;IAC1B,YAAY,EAAE,MAAM,CAAC;IACrB,eAAe,EAAE,MAAM,CAAC;CACzB;AAED,4FAA4F;AAC5F,wBAAsB,cAAc,CAClC,OAAO,EAAE,MAAM,EACf,GAAG,EAAE,OAAO,GACX,OAAO,CAAC,cAAc,CAAC,CAGzB;AAED,+EAA+E;AAC/E,wBAAsB,aAAa,CACjC,OAAO,EAAE,MAAM,EACf,GAAG,EAAE,OAAO,GACX,OAAO,CAAC,aAAa,CAAC,CAGxB;AAED,yEAAyE;AACzE,wBAAsB,sBAAsB,CAC1C,SAAS,EAAE,eAAe,EAAE,EAC5B,GAAG,EAAE,OAAO,GACX,OAAO,CAAC;IAAE,SAAS,EAAE,MAAM,CAAC;IAAC,OAAO,EAAE,KAAK,CAAC;QAAE,UAAU,EAAE,MAAM,CAAC;QAAC,KAAK,EAAE,MAAM,CAAC;QAAC,MAAM,EAAE,MAAM,CAAA;KAAE,CAAC,CAAA;CAAE,CAAC,CAEvG"}

package/dist/privacy/index.js

@@ -0,0 +1,15 @@
+/** Export all data associated with a user (GDPR Article 20 - Right to Data Portability). */
+export async function exportUserData(_userId, _db) {
+    // TODO: gather all user-related data from all tables
+    throw new Error("Not implemented");
+}
+/** Erase all personal data for a user (GDPR Article 17 - Right to Erasure). */
+export async function eraseUserData(_userId, _db) {
+    // TODO: delete or anonymize all user data, revoke sessions, remove PII
+    throw new Error("Not implemented");
+}
+/** Apply retention policies to documents past their retention period. */
+export async function applyRetentionPolicies(_policies, _db) {
+    throw new Error("Not implemented");
+}
+//# sourceMappingURL=index.js.map

package/dist/privacy/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/privacy/index.ts"],"names":[],"mappings":"AAsBA,4FAA4F;AAC5F,MAAM,CAAC,KAAK,UAAU,cAAc,CAClC,OAAe,EACf,GAAY;IAEZ,qDAAqD;IACrD,MAAM,IAAI,KAAK,CAAC,iBAAiB,CAAC,CAAC;AACrC,CAAC;AAED,+EAA+E;AAC/E,MAAM,CAAC,KAAK,UAAU,aAAa,CACjC,OAAe,EACf,GAAY;IAEZ,uEAAuE;IACvE,MAAM,IAAI,KAAK,CAAC,iBAAiB,CAAC,CAAC;AACrC,CAAC;AAED,yEAAyE;AACzE,MAAM,CAAC,KAAK,UAAU,sBAAsB,CAC1C,SAA4B,EAC5B,GAAY;IAEZ,MAAM,IAAI,KAAK,CAAC,iBAAiB,CAAC,CAAC;AACrC,CAAC"}

package/dist/relationships/index.d.ts

@@ -0,0 +1,13 @@
+export interface ReverseRelationship {
+    sourceDocumentId: string;
+    sourceCollection: string;
+    fieldName: string;
+}
+/** Find all documents that reference a target document via relationship fields. */
+export declare function getReverseRelationships(targetDocumentId: string, _db: unknown): Promise<ReverseRelationship[]>;
+/** Check if deleting a document would orphan any references. */
+export declare function checkOrphanedReferences(documentId: string, _db: unknown): Promise<{
+    hasReferences: boolean;
+    references: ReverseRelationship[];
+}>;
+//# sourceMappingURL=index.d.ts.map

package/dist/relationships/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/relationships/index.ts"],"names":[],"mappings":"AAAA,MAAM,WAAW,mBAAmB;IAClC,gBAAgB,EAAE,MAAM,CAAC;IACzB,gBAAgB,EAAE,MAAM,CAAC;IACzB,SAAS,EAAE,MAAM,CAAC;CACnB;AAED,mFAAmF;AACnF,wBAAsB,uBAAuB,CAC3C,gBAAgB,EAAE,MAAM,EACxB,GAAG,EAAE,OAAO,GACX,OAAO,CAAC,mBAAmB,EAAE,CAAC,CAIhC;AAED,gEAAgE;AAChE,wBAAsB,uBAAuB,CAC3C,UAAU,EAAE,MAAM,EAClB,GAAG,EAAE,OAAO,GACX,OAAO,CAAC;IAAE,aAAa,EAAE,OAAO,CAAC;IAAC,UAAU,EAAE,mBAAmB,EAAE,CAAA;CAAE,CAAC,CAGxE"}

package/dist/relationships/index.js

@@ -0,0 +1,12 @@
+/** Find all documents that reference a target document via relationship fields. */
+export async function getReverseRelationships(targetDocumentId, _db) {
+    // TODO: query content_graph edges where `to` matches targetDocumentId
+    void targetDocumentId;
+    throw new Error("Not implemented");
+}
+/** Check if deleting a document would orphan any references. */
+export async function checkOrphanedReferences(documentId, _db) {
+    const references = await getReverseRelationships(documentId, _db);
+    return { hasReferences: references.length > 0, references };
+}
+//# sourceMappingURL=index.js.map

package/dist/relationships/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/relationships/index.ts"],"names":[],"mappings":"AAMA,mFAAmF;AACnF,MAAM,CAAC,KAAK,UAAU,uBAAuB,CAC3C,gBAAwB,EACxB,GAAY;IAEZ,sEAAsE;IACtE,KAAK,gBAAgB,CAAC;IACtB,MAAM,IAAI,KAAK,CAAC,iBAAiB,CAAC,CAAC;AACrC,CAAC;AAED,gEAAgE;AAChE,MAAM,CAAC,KAAK,UAAU,uBAAuB,CAC3C,UAAkB,EAClB,GAAY;IAEZ,MAAM,UAAU,GAAG,MAAM,uBAAuB,CAAC,UAAU,EAAE,GAAG,CAAC,CAAC;IAClE,OAAO,EAAE,aAAa,EAAE,UAAU,CAAC,MAAM,GAAG,CAAC,EAAE,UAAU,EAAE,CAAC;AAC9D,CAAC"}

package/dist/scheduling/index.d.ts

@@ -0,0 +1,44 @@
+export interface ScheduledAction {
+    documentId: string;
+    collection: string;
+    action: "publish" | "unpublish" | "archive";
+    scheduledAt: Date;
+}
+export interface ScheduleCalendarEntry {
+    id: string;
+    documentId: string;
+    collection: string;
+    title: string;
+    action: "publish" | "unpublish";
+    scheduledAt: Date;
+}
+type PrismaDB = any;
+/** Get all scheduled actions within a date range for a calendar view. */
+export declare function getScheduleCalendar(from: Date, to: Date, db: PrismaDB): Promise<ScheduleCalendarEntry[]>;
+/** Process documents due for scheduled publishing. */
+export declare function processScheduledPublish(db: PrismaDB): Promise<{
+    published: number;
+    errors: Array<{
+        documentId: string;
+        error: string;
+    }>;
+}>;
+/** Process documents due for scheduled unpublishing. */
+export declare function processScheduledUnpublish(db: PrismaDB): Promise<{
+    unpublished: number;
+    errors: Array<{
+        documentId: string;
+        error: string;
+    }>;
+}>;
+/** Cron handler that runs both publish and unpublish processing. */
+export declare function schedulingCronHandler(db: PrismaDB): Promise<{
+    published: number;
+    unpublished: number;
+    errors: Array<{
+        documentId: string;
+        error: string;
+    }>;
+}>;
+export {};
+//# sourceMappingURL=index.d.ts.map

package/dist/scheduling/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/scheduling/index.ts"],"names":[],"mappings":"AAAA,MAAM,WAAW,eAAe;IAC9B,UAAU,EAAE,MAAM,CAAC;IACnB,UAAU,EAAE,MAAM,CAAC;IACnB,MAAM,EAAE,SAAS,GAAG,WAAW,GAAG,SAAS,CAAC;IAC5C,WAAW,EAAE,IAAI,CAAC;CACnB;AAED,MAAM,WAAW,qBAAqB;IACpC,EAAE,EAAE,MAAM,CAAC;IACX,UAAU,EAAE,MAAM,CAAC;IACnB,UAAU,EAAE,MAAM,CAAC;IACnB,KAAK,EAAE,MAAM,CAAC;IACd,MAAM,EAAE,SAAS,GAAG,WAAW,CAAC;IAChC,WAAW,EAAE,IAAI,CAAC;CACnB;AAED,KAAK,QAAQ,GAAG,GAAG,CAAC;AAEpB,yEAAyE;AACzE,wBAAsB,mBAAmB,CACvC,IAAI,EAAE,IAAI,EACV,EAAE,EAAE,IAAI,EACR,EAAE,EAAE,QAAQ,GACX,OAAO,CAAC,qBAAqB,EAAE,CAAC,CA4ClC;AAED,sDAAsD;AACtD,wBAAsB,uBAAuB,CAC3C,EAAE,EAAE,QAAQ,GACX,OAAO,CAAC;IAAE,SAAS,EAAE,MAAM,CAAC;IAAC,MAAM,EAAE,KAAK,CAAC;QAAE,UAAU,EAAE,MAAM,CAAC;QAAC,KAAK,EAAE,MAAM,CAAA;KAAE,CAAC,CAAA;CAAE,CAAC,CAiCtF;AAED,wDAAwD;AACxD,wBAAsB,yBAAyB,CAC7C,EAAE,EAAE,QAAQ,GACX,OAAO,CAAC;IAAE,WAAW,EAAE,MAAM,CAAC;IAAC,MAAM,EAAE,KAAK,CAAC;QAAE,UAAU,EAAE,MAAM,CAAC;QAAC,KAAK,EAAE,MAAM,CAAA;KAAE,CAAC,CAAA;CAAE,CAAC,CAgCxF;AAED,oEAAoE;AACpE,wBAAsB,qBAAqB,CAAC,EAAE,EAAE,QAAQ,GAAG,OAAO,CAAC;IACjE,SAAS,EAAE,MAAM,CAAC;IAClB,WAAW,EAAE,MAAM,CAAC;IACpB,MAAM,EAAE,KAAK,CAAC;QAAE,UAAU,EAAE,MAAM,CAAC;QAAC,KAAK,EAAE,MAAM,CAAA;KAAE,CAAC,CAAC;CACtD,CAAC,CASD"}

package/dist/scheduling/index.js

@@ -0,0 +1,119 @@
+/** Get all scheduled actions within a date range for a calendar view. */
+export async function getScheduleCalendar(from, to, db) {
+    const docs = await db.document.findMany({
+        where: {
+            deletedAt: null,
+            OR: [
+                { scheduledAt: { gte: from, lte: to } },
+                { scheduledUnpublishAt: { gte: from, lte: to } },
+            ],
+        },
+        select: {
+            id: true,
+            collection: true,
+            title: true,
+            scheduledAt: true,
+            scheduledUnpublishAt: true,
+        },
+    });
+    const entries = [];
+    for (const doc of docs) {
+        if (doc.scheduledAt && doc.scheduledAt >= from && doc.scheduledAt <= to) {
+            entries.push({
+                id: `${doc.id}-publish`,
+                documentId: doc.id,
+                collection: doc.collection,
+                title: doc.title ?? 'Untitled',
+                action: 'publish',
+                scheduledAt: doc.scheduledAt,
+            });
+        }
+        if (doc.scheduledUnpublishAt && doc.scheduledUnpublishAt >= from && doc.scheduledUnpublishAt <= to) {
+            entries.push({
+                id: `${doc.id}-unpublish`,
+                documentId: doc.id,
+                collection: doc.collection,
+                title: doc.title ?? 'Untitled',
+                action: 'unpublish',
+                scheduledAt: doc.scheduledUnpublishAt,
+            });
+        }
+    }
+    return entries.sort((a, b) => a.scheduledAt.getTime() - b.scheduledAt.getTime());
+}
+/** Process documents due for scheduled publishing. */
+export async function processScheduledPublish(db) {
+    const now = new Date();
+    const docs = await db.document.findMany({
+        where: {
+            status: 'SCHEDULED',
+            scheduledAt: { lte: now },
+            deletedAt: null,
+        },
+    });
+    let published = 0;
+    const errors = [];
+    for (const doc of docs) {
+        try {
+            await db.document.update({
+                where: { id: doc.id },
+                data: {
+                    status: 'PUBLISHED',
+                    publishedAt: now,
+                    scheduledAt: null,
+                },
+            });
+            published++;
+        }
+        catch (err) {
+            errors.push({
+                documentId: doc.id,
+                error: err instanceof Error ? err.message : 'Unknown error',
+            });
+        }
+    }
+    return { published, errors };
+}
+/** Process documents due for scheduled unpublishing. */
+export async function processScheduledUnpublish(db) {
+    const now = new Date();
+    const docs = await db.document.findMany({
+        where: {
+            status: 'PUBLISHED',
+            scheduledUnpublishAt: { lte: now },
+            deletedAt: null,
+        },
+    });
+    let unpublished = 0;
+    const errors = [];
+    for (const doc of docs) {
+        try {
+            await db.document.update({
+                where: { id: doc.id },
+                data: {
+                    status: 'DRAFT',
+                    scheduledUnpublishAt: null,
+                },
+            });
+            unpublished++;
+        }
+        catch (err) {
+            errors.push({
+                documentId: doc.id,
+                error: err instanceof Error ? err.message : 'Unknown error',
+            });
+        }
+    }
+    return { unpublished, errors };
+}
+/** Cron handler that runs both publish and unpublish processing. */
+export async function schedulingCronHandler(db) {
+    const publishResult = await processScheduledPublish(db);
+    const unpublishResult = await processScheduledUnpublish(db);
+    return {
+        published: publishResult.published,
+        unpublished: unpublishResult.unpublished,
+        errors: [...publishResult.errors, ...unpublishResult.errors],
+    };
+}
+//# sourceMappingURL=index.js.map

package/dist/scheduling/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/scheduling/index.ts"],"names":[],"mappings":"AAkBA,yEAAyE;AACzE,MAAM,CAAC,KAAK,UAAU,mBAAmB,CACvC,IAAU,EACV,EAAQ,EACR,EAAY;IAEZ,MAAM,IAAI,GAAG,MAAM,EAAE,CAAC,QAAQ,CAAC,QAAQ,CAAC;QACtC,KAAK,EAAE;YACL,SAAS,EAAE,IAAI;YACf,EAAE,EAAE;gBACF,EAAE,WAAW,EAAE,EAAE,GAAG,EAAE,IAAI,EAAE,GAAG,EAAE,EAAE,EAAE,EAAE;gBACvC,EAAE,oBAAoB,EAAE,EAAE,GAAG,EAAE,IAAI,EAAE,GAAG,EAAE,EAAE,EAAE,EAAE;aACjD;SACF;QACD,MAAM,EAAE;YACN,EAAE,EAAE,IAAI;YACR,UAAU,EAAE,IAAI;YAChB,KAAK,EAAE,IAAI;YACX,WAAW,EAAE,IAAI;YACjB,oBAAoB,EAAE,IAAI;SAC3B;KACF,CAAC,CAAC;IAEH,MAAM,OAAO,GAA4B,EAAE,CAAC;IAE5C,KAAK,MAAM,GAAG,IAAI,IAAI,EAAE,CAAC;QACvB,IAAI,GAAG,CAAC,WAAW,IAAI,GAAG,CAAC,WAAW,IAAI,IAAI,IAAI,GAAG,CAAC,WAAW,IAAI,EAAE,EAAE,CAAC;YACxE,OAAO,CAAC,IAAI,CAAC;gBACX,EAAE,EAAE,GAAG,GAAG,CAAC,EAAE,UAAU;gBACvB,UAAU,EAAE,GAAG,CAAC,EAAE;gBAClB,UAAU,EAAE,GAAG,CAAC,UAAU;gBAC1B,KAAK,EAAE,GAAG,CAAC,KAAK,IAAI,UAAU;gBAC9B,MAAM,EAAE,SAAS;gBACjB,WAAW,EAAE,GAAG,CAAC,WAAW;aAC7B,CAAC,CAAC;QACL,CAAC;QACD,IAAI,GAAG,CAAC,oBAAoB,IAAI,GAAG,CAAC,oBAAoB,IAAI,IAAI,IAAI,GAAG,CAAC,oBAAoB,IAAI,EAAE,EAAE,CAAC;YACnG,OAAO,CAAC,IAAI,CAAC;gBACX,EAAE,EAAE,GAAG,GAAG,CAAC,EAAE,YAAY;gBACzB,UAAU,EAAE,GAAG,CAAC,EAAE;gBAClB,UAAU,EAAE,GAAG,CAAC,UAAU;gBAC1B,KAAK,EAAE,GAAG,CAAC,KAAK,IAAI,UAAU;gBAC9B,MAAM,EAAE,WAAW;gBACnB,WAAW,EAAE,GAAG,CAAC,oBAAoB;aACtC,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAED,OAAO,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,WAAW,CAAC,OAAO,EAAE,GAAG,CAAC,CAAC,WAAW,CAAC,OAAO,EAAE,CAAC,CAAC;AACnF,CAAC;AAED,sDAAsD;AACtD,MAAM,CAAC,KAAK,UAAU,uBAAuB,CAC3C,EAAY;IAEZ,MAAM,GAAG,GAAG,IAAI,IAAI,EAAE,CAAC;IACvB,MAAM,IAAI,GAAG,MAAM,EAAE,CAAC,QAAQ,CAAC,QAAQ,CAAC;QACtC,KAAK,EAAE;YACL,MAAM,EAAE,WAAW;YACnB,WAAW,EAAE,EAAE,GAAG,EAAE,GAAG,EAAE;YACzB,SAAS,EAAE,IAAI;SAChB;KACF,CAAC,CAAC;IAEH,IAAI,SAAS,GAAG,CAAC,CAAC;IAClB,MAAM,MAAM,GAAiD,EAAE,CAAC;IAEhE,KAAK,MAAM,GAAG,IAAI,IAAI,EAAE,CAAC;QACvB,IAAI,CAAC;YACH,MAAM,EAAE,CAAC,QAAQ,CAAC,MAAM,CAAC;gBACvB,KAAK,EAAE,EAAE,EAAE,EAAE,GAAG,CAAC,EAAE,EAAE;gBACrB,IAAI,EAAE;oBACJ,MAAM,EAAE,WAAW;oBACnB,WAAW,EAAE,GAAG;oBAChB,WAAW,EAAE,IAAI;iBAClB;aACF,CAAC,CAAC;YACH,SAAS,EAAE,CAAC;QACd,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,MAAM,CAAC,IAAI,CAAC;gBACV,UAAU,EAAE,GAAG,CAAC,EAAE;gBAClB,KAAK,EAAE,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,eAAe;aAC5D,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAED,OAAO,EAAE,SAAS,EAAE,MAAM,EAAE,CAAC;AAC/B,CAAC;AAED,wDAAwD;AACxD,MAAM,CAAC,KAAK,UAAU,yBAAyB,CAC7C,EAAY;IAEZ,MAAM,GAAG,GAAG,IAAI,IAAI,EAAE,CAAC;IACvB,MAAM,IAAI,GAAG,MAAM,EAAE,CAAC,QAAQ,CAAC,QAAQ,CAAC;QACtC,KAAK,EAAE;YACL,MAAM,EAAE,WAAW;YACnB,oBAAoB,EAAE,EAAE,GAAG,EAAE,GAAG,EAAE;YAClC,SAAS,EAAE,IAAI;SAChB;KACF,CAAC,CAAC;IAEH,IAAI,WAAW,GAAG,CAAC,CAAC;IACpB,MAAM,MAAM,GAAiD,EAAE,CAAC;IAEhE,KAAK,MAAM,GAAG,IAAI,IAAI,EAAE,CAAC;QACvB,IAAI,CAAC;YACH,MAAM,EAAE,CAAC,QAAQ,CAAC,MAAM,CAAC;gBACvB,KAAK,EAAE,EAAE,EAAE,EAAE,GAAG,CAAC,EAAE,EAAE;gBACrB,IAAI,EAAE;oBACJ,MAAM,EAAE,OAAO;oBACf,oBAAoB,EAAE,IAAI;iBAC3B;aACF,CAAC,CAAC;YACH,WAAW,EAAE,CAAC;QAChB,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,MAAM,CAAC,IAAI,CAAC;gBACV,UAAU,EAAE,GAAG,CAAC,EAAE;gBAClB,KAAK,EAAE,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,eAAe;aAC5D,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAED,OAAO,EAAE,WAAW,EAAE,MAAM,EAAE,CAAC;AACjC,CAAC;AAED,oEAAoE;AACpE,MAAM,CAAC,KAAK,UAAU,qBAAqB,CAAC,EAAY;IAKtD,MAAM,aAAa,GAAG,MAAM,uBAAuB,CAAC,EAAE,CAAC,CAAC;IACxD,MAAM,eAAe,GAAG,MAAM,yBAAyB,CAAC,EAAE,CAAC,CAAC;IAE5D,OAAO;QACL,SAAS,EAAE,aAAa,CAAC,SAAS;QAClC,WAAW,EAAE,eAAe,CAAC,WAAW;QACxC,MAAM,EAAE,CAAC,GAAG,aAAa,CAAC,MAAM,EAAE,GAAG,eAAe,CAAC,MAAM,CAAC;KAC7D,CAAC;AACJ,CAAC"}

package/dist/search/index.d.ts

@@ -0,0 +1,25 @@
+export interface SearchOptions {
+    collection?: string;
+    locale?: string;
+    status?: string;
+    page?: number;
+    pageSize?: number;
+}
+export interface SearchResult {
+    id: string;
+    title: string;
+    slug: string;
+    collection: string;
+    excerpt: string;
+    score: number;
+    highlights: string[];
+}
+export interface SearchResponse {
+    results: SearchResult[];
+    total: number;
+    page: number;
+    pageSize: number;
+}
+/** Search documents using Postgres full-text search with relevance ranking. */
+export declare function searchDocuments(query: string, options?: SearchOptions): Promise<SearchResponse>;
+//# sourceMappingURL=index.d.ts.map

package/dist/search/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/search/index.ts"],"names":[],"mappings":"AAEA,MAAM,WAAW,aAAa;IAC5B,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB;AAED,MAAM,WAAW,YAAY;IAC3B,EAAE,EAAE,MAAM,CAAC;IACX,KAAK,EAAE,MAAM,CAAC;IACd,IAAI,EAAE,MAAM,CAAC;IACb,UAAU,EAAE,MAAM,CAAC;IACnB,OAAO,EAAE,MAAM,CAAC;IAChB,KAAK,EAAE,MAAM,CAAC;IACd,UAAU,EAAE,MAAM,EAAE,CAAC;CACtB;AAED,MAAM,WAAW,cAAc;IAC7B,OAAO,EAAE,YAAY,EAAE,CAAC;IACxB,KAAK,EAAE,MAAM,CAAC;IACd,IAAI,EAAE,MAAM,CAAC;IACb,QAAQ,EAAE,MAAM,CAAC;CAClB;AAgBD,+EAA+E;AAC/E,wBAAsB,eAAe,CACnC,KAAK,EAAE,MAAM,EACb,OAAO,GAAE,aAAkB,GAC1B,OAAO,CAAC,cAAc,CAAC,CAiHzB"}

package/dist/search/index.js

@@ -0,0 +1,168 @@
+import { getDB } from '../db';
+/**
+ * Convert a user query into a Postgres tsquery-compatible string.
+ * Splits on whitespace, strips non-word chars, joins with & for AND matching.
+ */
+function toTsQuery(query) {
+    const terms = query
+        .replace(/[^\w\s]/g, ' ')
+        .trim()
+        .split(/\s+/)
+        .filter(Boolean)
+        .map((t) => `${t}:*`);
+    return terms.join(' & ');
+}
+/** Search documents using Postgres full-text search with relevance ranking. */
+export async function searchDocuments(query, options = {}) {
+    const db = getDB();
+    const { collection, locale, status, page = 1, pageSize = 20 } = options;
+    const offset = (page - 1) * pageSize;
+    const sanitized = query.replace(/[^\w\s]/g, ' ').trim();
+    if (!sanitized) {
+        return { results: [], total: 0, page, pageSize };
+    }
+    const tsQueryStr = toTsQuery(sanitized);
+    if (!tsQueryStr) {
+        return { results: [], total: 0, page, pageSize };
+    }
+    const conditions = [`d."deletedAt" IS NULL`];
+    const params = [];
+    let paramIdx = 1;
+    // tsquery as a parameter instead of inline interpolation
+    params.push(tsQueryStr);
+    const tsQueryParam = `$${paramIdx++}`;
+    if (collection) {
+        conditions.push(`d."collection" = $${paramIdx++}`);
+        params.push(collection);
+    }
+    if (locale) {
+        conditions.push(`d."locale" = $${paramIdx++}`);
+        params.push(locale);
+    }
+    if (status) {
+        conditions.push(`d."status"::text = $${paramIdx++}`);
+        params.push(status);
+    }
+    const whereClause = conditions.join(' AND ');
+    const ftsVector = `to_tsvector('english', COALESCE(d."title", '') || ' ' || COALESCE(d."plainText", ''))`;
+    const ftsCondition = `(${ftsVector} @@ to_tsquery('english', ${tsQueryParam}))`;
+    const ilikePlaceholder = `$${paramIdx}`;
+    params.push(`%${sanitized}%`);
+    paramIdx++;
+    const fallbackCondition = `(d."title" ILIKE ${ilikePlaceholder} OR d."plainText" ILIKE ${ilikePlaceholder})`;
+    const rankExpr = `ts_rank_cd(${ftsVector}, to_tsquery('english', ${tsQueryParam}))`;
+    const headline = `ts_headline('english', COALESCE(d."plainText", ''), to_tsquery('english', ${tsQueryParam}), 'StartSel=<mark>, StopSel=</mark>, MaxWords=35, MinWords=15, MaxFragments=2')`;
+    const limitParam = `$${paramIdx++}`;
+    params.push(pageSize);
+    const offsetParam = `$${paramIdx++}`;
+    params.push(offset);
+    const sql = `
+    SELECT
+      d."id",
+      d."title",
+      d."slug",
+      d."collection",
+      d."status",
+      d."updatedAt",
+      ${rankExpr} AS score,
+      ${headline} AS headline,
+      LEFT(COALESCE(d."plainText", ''), 200) AS excerpt
+    FROM "actuate_documents" d
+    WHERE ${whereClause}
+      AND (${ftsCondition} OR ${fallbackCondition})
+    ORDER BY score DESC, d."updatedAt" DESC
+    LIMIT ${limitParam}
+    OFFSET ${offsetParam}
+  `;
+    const countSql = `
+    SELECT COUNT(*)::int AS total
+    FROM "actuate_documents" d
+    WHERE ${whereClause}
+      AND (${ftsCondition} OR ${fallbackCondition})
+  `;
+    const countParams = params.slice(0, -2);
+    try {
+        const [rows, countRows] = await Promise.all([
+            db.$queryRawUnsafe(sql, ...params),
+            db.$queryRawUnsafe(countSql, ...countParams),
+        ]);
+        const total = countRows[0]?.total ?? 0;
+        const results = rows.map((row) => {
+            const headlineText = row.headline ?? '';
+            const highlights = headlineText
+                .match(/<mark>(.*?)<\/mark>/g)
+                ?.map((m) => m.replace(/<\/?mark>/g, '')) ?? [];
+            return {
+                id: row.id,
+                title: row.title ?? '',
+                slug: row.slug ?? '',
+                collection: row.collection,
+                excerpt: headlineText || row.excerpt || '',
+                score: parseFloat(row.score) || 0,
+                highlights,
+            };
+        });
+        return { results, total, page, pageSize };
+    }
+    catch {
+        return fallbackSearch(sanitized, options);
+    }
+}
+/** Fallback search using Prisma contains (for non-Postgres or when FTS fails). */
+async function fallbackSearch(query, options) {
+    const db = getDB();
+    const { collection, locale, status, page = 1, pageSize = 20 } = options;
+    const offset = (page - 1) * pageSize;
+    const where = {
+        deletedAt: null,
+        OR: [
+            { plainText: { contains: query, mode: 'insensitive' } },
+            { title: { contains: query, mode: 'insensitive' } },
+        ],
+    };
+    if (collection)
+        where.collection = collection;
+    if (locale)
+        where.locale = locale;
+    if (status)
+        where.status = status;
+    const [results, total] = await Promise.all([
+        db.document.findMany({
+            where,
+            orderBy: { updatedAt: 'desc' },
+            skip: offset,
+            take: pageSize,
+            select: {
+                id: true,
+                title: true,
+                slug: true,
+                collection: true,
+                plainText: true,
+            },
+        }),
+        db.document.count({ where }),
+    ]);
+    return {
+        results: results.map((doc) => {
+            const text = doc.plainText ?? '';
+            const idx = text.toLowerCase().indexOf(query.toLowerCase());
+            const start = Math.max(0, idx - 40);
+            const excerpt = idx >= 0
+                ? '...' + text.substring(start, start + 200) + '...'
+                : text.substring(0, 200);
+            return {
+                id: doc.id,
+                title: doc.title ?? '',
+                slug: doc.slug ?? '',
+                collection: doc.collection,
+                excerpt,
+                score: doc.title?.toLowerCase().includes(query.toLowerCase()) ? 2 : 1,
+                highlights: [query],
+            };
+        }),
+        total,
+        page,
+        pageSize,
+    };
+}
+//# sourceMappingURL=index.js.map

package/dist/search/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/search/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,KAAK,EAAE,MAAM,OAAO,CAAC;AA2B9B;;;GAGG;AACH,SAAS,SAAS,CAAC,KAAa;IAC9B,MAAM,KAAK,GAAG,KAAK;SAChB,OAAO,CAAC,UAAU,EAAE,GAAG,CAAC;SACxB,IAAI,EAAE;SACN,KAAK,CAAC,KAAK,CAAC;SACZ,MAAM,CAAC,OAAO,CAAC;SACf,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;IACxB,OAAO,KAAK,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;AAC3B,CAAC;AAED,+EAA+E;AAC/E,MAAM,CAAC,KAAK,UAAU,eAAe,CACnC,KAAa,EACb,UAAyB,EAAE;IAE3B,MAAM,EAAE,GAAG,KAAK,EAAO,CAAC;IACxB,MAAM,EAAE,UAAU,EAAE,MAAM,EAAE,MAAM,EAAE,IAAI,GAAG,CAAC,EAAE,QAAQ,GAAG,EAAE,EAAE,GAAG,OAAO,CAAC;IACxE,MAAM,MAAM,GAAG,CAAC,IAAI,GAAG,CAAC,CAAC,GAAG,QAAQ,CAAC;IAErC,MAAM,SAAS,GAAG,KAAK,CAAC,OAAO,CAAC,UAAU,EAAE,GAAG,CAAC,CAAC,IAAI,EAAE,CAAC;IACxD,IAAI,CAAC,SAAS,EAAE,CAAC;QACf,OAAO,EAAE,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,CAAC,EAAE,IAAI,EAAE,QAAQ,EAAE,CAAC;IACnD,CAAC;IAED,MAAM,UAAU,GAAG,SAAS,CAAC,SAAS,CAAC,CAAC;IACxC,IAAI,CAAC,UAAU,EAAE,CAAC;QAChB,OAAO,EAAE,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,CAAC,EAAE,IAAI,EAAE,QAAQ,EAAE,CAAC;IACnD,CAAC;IAED,MAAM,UAAU,GAAa,CAAC,uBAAuB,CAAC,CAAC;IACvD,MAAM,MAAM,GAAU,EAAE,CAAC;IACzB,IAAI,QAAQ,GAAG,CAAC,CAAC;IAEjB,yDAAyD;IACzD,MAAM,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;IACxB,MAAM,YAAY,GAAG,IAAI,QAAQ,EAAE,EAAE,CAAC;IAEtC,IAAI,UAAU,EAAE,CAAC;QACf,UAAU,CAAC,IAAI,CAAC,qBAAqB,QAAQ,EAAE,EAAE,CAAC,CAAC;QACnD,MAAM,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;IAC1B,CAAC;IACD,IAAI,MAAM,EAAE,CAAC;QACX,UAAU,CAAC,IAAI,CAAC,iBAAiB,QAAQ,EAAE,EAAE,CAAC,CAAC;QAC/C,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;IACtB,CAAC;IACD,IAAI,MAAM,EAAE,CAAC;QACX,UAAU,CAAC,IAAI,CAAC,uBAAuB,QAAQ,EAAE,EAAE,CAAC,CAAC;QACrD,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;IACtB,CAAC;IAED,MAAM,WAAW,GAAG,UAAU,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;IAE7C,MAAM,SAAS,GAAG,uFAAuF,CAAC;IAE1G,MAAM,YAAY,GAAG,IAAI,SAAS,6BAA6B,YAAY,IAAI,CAAC;IAEhF,MAAM,gBAAgB,GAAG,IAAI,QAAQ,EAAE,CAAC;IACxC,MAAM,CAAC,IAAI,CAAC,IAAI,SAAS,GAAG,CAAC,CAAC;IAC9B,QAAQ,EAAE,CAAC;IAEX,MAAM,iBAAiB,GAAG,oBAAoB,gBAAgB,2BAA2B,gBAAgB,GAAG,CAAC;IAE7G,MAAM,QAAQ,GAAG,cAAc,SAAS,2BAA2B,YAAY,IAAI,CAAC;IACpF,MAAM,QAAQ,GAAG,6EAA6E,YAAY,kFAAkF,CAAC;IAE7L,MAAM,UAAU,GAAG,IAAI,QAAQ,EAAE,EAAE,CAAC;IACpC,MAAM,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;IACtB,MAAM,WAAW,GAAG,IAAI,QAAQ,EAAE,EAAE,CAAC;IACrC,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;IAEpB,MAAM,GAAG,GAAG;;;;;;;;QAQN,QAAQ;QACR,QAAQ;;;YAGJ,WAAW;aACV,YAAY,OAAO,iBAAiB;;YAErC,UAAU;aACT,WAAW;GACrB,CAAC;IAEF,MAAM,QAAQ,GAAG;;;YAGP,WAAW;aACV,YAAY,OAAO,iBAAiB;GAC9C,CAAC;IAEF,MAAM,WAAW,GAAG,MAAM,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC;IAExC,IAAI,CAAC;QACH,MAAM,CAAC,IAAI,EAAE,SAAS,CAAC,GAAmB,MAAM,OAAO,CAAC,GAAG,CAAC;YAC1D,EAAE,CAAC,eAAe,CAAC,GAAG,EAAE,GAAG,MAAM,CAAC;YAClC,EAAE,CAAC,eAAe,CAAC,QAAQ,EAAE,GAAG,WAAW,CAAC;SAC7C,CAAC,CAAC;QAEH,MAAM,KAAK,GAAG,SAAS,CAAC,CAAC,CAAC,EAAE,KAAK,IAAI,CAAC,CAAC;QAEvC,MAAM,OAAO,GAAmB,IAAI,CAAC,GAAG,CAAC,CAAC,GAAQ,EAAE,EAAE;YACpD,MAAM,YAAY,GAAW,GAAG,CAAC,QAAQ,IAAI,EAAE,CAAC;YAChD,MAAM,UAAU,GAAG,YAAY;iBAC5B,KAAK,CAAC,sBAAsB,CAAC;gBAC9B,EAAE,GAAG,CAAC,CAAC,CAAS,EAAE,EAAE,CAAC,CAAC,CAAC,OAAO,CAAC,YAAY,EAAE,EAAE,CAAC,CAAC,IAAI,EAAE,CAAC;YAE1D,OAAO;gBACL,EAAE,EAAE,GAAG,CAAC,EAAE;gBACV,KAAK,EAAE,GAAG,CAAC,KAAK,IAAI,EAAE;gBACtB,IAAI,EAAE,GAAG,CAAC,IAAI,IAAI,EAAE;gBACpB,UAAU,EAAE,GAAG,CAAC,UAAU;gBAC1B,OAAO,EAAE,YAAY,IAAI,GAAG,CAAC,OAAO,IAAI,EAAE;gBAC1C,KAAK,EAAE,UAAU,CAAC,GAAG,CAAC,KAAK,CAAC,IAAI,CAAC;gBACjC,UAAU;aACX,CAAC;QACJ,CAAC,CAAC,CAAC;QAEH,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,IAAI,EAAE,QAAQ,EAAE,CAAC;IAC5C,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,cAAc,CAAC,SAAS,EAAE,OAAO,CAAC,CAAC;IAC5C,CAAC;AACH,CAAC;AAED,kFAAkF;AAClF,KAAK,UAAU,cAAc,CAC3B,KAAa,EACb,OAAsB;IAEtB,MAAM,EAAE,GAAG,KAAK,EAAO,CAAC;IACxB,MAAM,EAAE,UAAU,EAAE,MAAM,EAAE,MAAM,EAAE,IAAI,GAAG,CAAC,EAAE,QAAQ,GAAG,EAAE,EAAE,GAAG,OAAO,CAAC;IACxE,MAAM,MAAM,GAAG,CAAC,IAAI,GAAG,CAAC,CAAC,GAAG,QAAQ,CAAC;IAErC,MAAM,KAAK,GAAQ;QACjB,SAAS,EAAE,IAAI;QACf,EAAE,EAAE;YACF,EAAE,SAAS,EAAE,EAAE,QAAQ,EAAE,KAAK,EAAE,IAAI,EAAE,aAAa,EAAE,EAAE;YACvD,EAAE,KAAK,EAAE,EAAE,QAAQ,EAAE,KAAK,EAAE,IAAI,EAAE,aAAa,EAAE,EAAE;SACpD;KACF,CAAC;IAEF,IAAI,UAAU;QAAE,KAAK,CAAC,UAAU,GAAG,UAAU,CAAC;IAC9C,IAAI,MAAM;QAAE,KAAK,CAAC,MAAM,GAAG,MAAM,CAAC;IAClC,IAAI,MAAM;QAAE,KAAK,CAAC,MAAM,GAAG,MAAM,CAAC;IAElC,MAAM,CAAC,OAAO,EAAE,KAAK,CAAC,GAAG,MAAM,OAAO,CAAC,GAAG,CAAC;QACzC,EAAE,CAAC,QAAQ,CAAC,QAAQ,CAAC;YACnB,KAAK;YACL,OAAO,EAAE,EAAE,SAAS,EAAE,MAAM,EAAE;YAC9B,IAAI,EAAE,MAAM;YACZ,IAAI,EAAE,QAAQ;YACd,MAAM,EAAE;gBACN,EAAE,EAAE,IAAI;gBACR,KAAK,EAAE,IAAI;gBACX,IAAI,EAAE,IAAI;gBACV,UAAU,EAAE,IAAI;gBAChB,SAAS,EAAE,IAAI;aAChB;SACF,CAAC;QACF,EAAE,CAAC,QAAQ,CAAC,KAAK,CAAC,EAAE,KAAK,EAAE,CAAC;KAC7B,CAAC,CAAC;IAEH,OAAO;QACL,OAAO,EAAE,OAAO,CAAC,GAAG,CAAC,CAAC,GAAQ,EAAE,EAAE;YAChC,MAAM,IAAI,GAAW,GAAG,CAAC,SAAS,IAAI,EAAE,CAAC;YACzC,MAAM,GAAG,GAAG,IAAI,CAAC,WAAW,EAAE,CAAC,OAAO,CAAC,KAAK,CAAC,WAAW,EAAE,CAAC,CAAC;YAC5D,MAAM,KAAK,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,GAAG,GAAG,EAAE,CAAC,CAAC;YACpC,MAAM,OAAO,GAAG,GAAG,IAAI,CAAC;gBACtB,CAAC,CAAC,KAAK,GAAG,IAAI,CAAC,SAAS,CAAC,KAAK,EAAE,KAAK,GAAG,GAAG,CAAC,GAAG,KAAK;gBACpD,CAAC,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC;YAE3B,OAAO;gBACL,EAAE,EAAE,GAAG,CAAC,EAAE;gBACV,KAAK,EAAE,GAAG,CAAC,KAAK,IAAI,EAAE;gBACtB,IAAI,EAAE,GAAG,CAAC,IAAI,IAAI,EAAE;gBACpB,UAAU,EAAE,GAAG,CAAC,UAAU;gBAC1B,OAAO;gBACP,KAAK,EAAE,GAAG,CAAC,KAAK,EAAE,WAAW,EAAE,CAAC,QAAQ,CAAC,KAAK,CAAC,WAAW,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;gBACrE,UAAU,EAAE,CAAC,KAAK,CAAC;aACpB,CAAC;QACJ,CAAC,CAAC;QACF,KAAK;QACL,IAAI;QACJ,QAAQ;KACT,CAAC;AACJ,CAAC"}

package/dist/security/access.d.ts

@@ -0,0 +1,26 @@
+import type { FieldDefinition } from "../config/types";
+export type Role = "ADMIN" | "EDITOR" | "AUTHOR" | "CLIENT";
+export type FieldAccessUser = {
+    id: string;
+    role: string;
+} | null;
+export interface Permission {
+    action: "create" | "read" | "update" | "delete" | "publish";
+    resource: string;
+    fields?: string[];
+}
+/** Check whether a user with the given role can perform an action on a resource. */
+export declare function checkAccess(userRole: Role, requiredRole: Role): boolean;
+/** Return the list of permissions granted to a role. */
+export declare function getPermissionsForRole(role: Role): Permission[];
+/** Filter field definitions to only include those the user is allowed to read. */
+export declare function filterFieldsByRole(fields: Record<string, FieldDefinition>, user: FieldAccessUser): Promise<Record<string, FieldDefinition>>;
+/** Filter incoming data to only include keys the user is allowed to update. */
+export declare function filterWritableFields(fields: Record<string, FieldDefinition>, data: Record<string, unknown>, user: FieldAccessUser): Promise<Record<string, unknown>>;
+/**
+ * Apply field-level access control to a data object.
+ * For 'read': strips keys the user cannot read.
+ * For 'write': strips keys the user cannot update.
+ */
+export declare function applyFieldAccess(operation: "read" | "write", fields: Record<string, FieldDefinition>, data: Record<string, unknown>, user: FieldAccessUser): Promise<Record<string, unknown>>;
+//# sourceMappingURL=access.d.ts.map

package/dist/security/access.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"access.d.ts","sourceRoot":"","sources":["../../src/security/access.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,iBAAiB,CAAC;AAEvD,MAAM,MAAM,IAAI,GAAG,OAAO,GAAG,QAAQ,GAAG,QAAQ,GAAG,QAAQ,CAAC;AAE5D,MAAM,MAAM,eAAe,GAAG;IAAE,EAAE,EAAE,MAAM,CAAC;IAAC,IAAI,EAAE,MAAM,CAAA;CAAE,GAAG,IAAI,CAAC;AAElE,MAAM,WAAW,UAAU;IACzB,MAAM,EAAE,QAAQ,GAAG,MAAM,GAAG,QAAQ,GAAG,QAAQ,GAAG,SAAS,CAAC;IAC5D,QAAQ,EAAE,MAAM,CAAC;IACjB,MAAM,CAAC,EAAE,MAAM,EAAE,CAAC;CACnB;AASD,oFAAoF;AACpF,wBAAgB,WAAW,CACzB,QAAQ,EAAE,IAAI,EACd,YAAY,EAAE,IAAI,GACjB,OAAO,CAET;AAED,wDAAwD;AACxD,wBAAgB,qBAAqB,CAAC,IAAI,EAAE,IAAI,GAAG,UAAU,EAAE,CAkB9D;AAED,kFAAkF;AAClF,wBAAsB,kBAAkB,CACtC,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,eAAe,CAAC,EACvC,IAAI,EAAE,eAAe,GACpB,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE,eAAe,CAAC,CAAC,CAe1C;AAED,+EAA+E;AAC/E,wBAAsB,oBAAoB,CACxC,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,eAAe,CAAC,EACvC,IAAI,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAC7B,IAAI,EAAE,eAAe,GACpB,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC,CAgBlC;AAED;;;;GAIG;AACH,wBAAsB,gBAAgB,CACpC,SAAS,EAAE,MAAM,GAAG,OAAO,EAC3B,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,eAAe,CAAC,EACvC,IAAI,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAC7B,IAAI,EAAE,eAAe,GACpB,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC,CA6BlC"}

package/dist/security/access.js

@@ -0,0 +1,92 @@
+const ROLE_HIERARCHY = {
+    ADMIN: 100,
+    EDITOR: 75,
+    AUTHOR: 50,
+    CLIENT: 25,
+};
+/** Check whether a user with the given role can perform an action on a resource. */
+export function checkAccess(userRole, requiredRole) {
+    return ROLE_HIERARCHY[userRole] >= ROLE_HIERARCHY[requiredRole];
+}
+/** Return the list of permissions granted to a role. */
+export function getPermissionsForRole(role) {
+    const permissions = [
+        { action: "read", resource: "*" },
+    ];
+    if (checkAccess(role, "AUTHOR")) {
+        permissions.push({ action: "create", resource: "*" });
+        permissions.push({ action: "update", resource: "own" });
+    }
+    if (checkAccess(role, "EDITOR")) {
+        permissions.push({ action: "update", resource: "*" });
+        permissions.push({ action: "publish", resource: "*" });
+    }
+    if (checkAccess(role, "ADMIN")) {
+        permissions.push({ action: "delete", resource: "*" });
+    }
+    return permissions;
+}
+/** Filter field definitions to only include those the user is allowed to read. */
+export async function filterFieldsByRole(fields, user) {
+    const result = {};
+    for (const [name, field] of Object.entries(fields)) {
+        if (!field.access?.read) {
+            result[name] = field;
+            continue;
+        }
+        const allowed = await field.access.read({ user });
+        if (allowed) {
+            result[name] = field;
+        }
+    }
+    return result;
+}
+/** Filter incoming data to only include keys the user is allowed to update. */
+export async function filterWritableFields(fields, data, user) {
+    const result = {};
+    for (const [key, value] of Object.entries(data)) {
+        const field = fields[key];
+        if (!field || !field.access?.update) {
+            result[key] = value;
+            continue;
+        }
+        const allowed = await field.access.update({ user });
+        if (allowed) {
+            result[key] = value;
+        }
+    }
+    return result;
+}
+/**
+ * Apply field-level access control to a data object.
+ * For 'read': strips keys the user cannot read.
+ * For 'write': strips keys the user cannot update.
+ */
+export async function applyFieldAccess(operation, fields, data, user) {
+    const accessKey = operation === "read" ? "read" : "update";
+    const result = {};
+    const SYSTEM_KEYS = new Set([
+        'title', 'slug', 'status', '_aiScore', '_embedding',
+    ]);
+    for (const [key, value] of Object.entries(data)) {
+        const field = fields[key];
+        if (!field) {
+            if (operation === 'write' && !SYSTEM_KEYS.has(key)) {
+                continue;
+            }
+            result[key] = value;
+            continue;
+        }
+        const check = field.access?.[accessKey];
+        if (!check) {
+            result[key] = value;
+            continue;
+        }
+        const allowed = await check({ user });
+        if (allowed) {
+            result[key] = value;
+        }
+    }
+    return result;
+}
+//# sourceMappingURL=access.js.map