@actuate-media/cms-core 0.11.2 → 0.13.0

package/dist/diagnostics/env.js

@@ -0,0 +1,293 @@
+/**
+ * Environment shape validation for the Actuate CMS runtime.
+ *
+ * The `/health` and admin diagnostics endpoints surface this so operators
+ * notice mis-configured secrets *before* a runtime call hits them. We never
+ * return the values themselves — only the validation verdict and a redacted
+ * preview where it helps debugging (e.g. "first 4 hex chars match").
+ *
+ * Why a dedicated module:
+ *   - Centralises all "is this env var well-formed" rules so consumers don't
+ *     re-invent length / hex / placeholder checks per call site.
+ *   - Fails closed on shape errors (e.g. a 31-char CMS_SECRET, an
+ *     `aes256-local-dev-key-...` placeholder still in production) which the
+ *     prior `presence-only` check missed entirely (audit issue M6).
+ */
+const HEX_RE = /^[0-9a-fA-F]+$/;
+const PLACEHOLDER_PATTERNS = [
+    /change-?(me|in-?prod)/i,
+    /your-?(secret|key|token)/i,
+    /placeholder/i,
+    /example/i,
+    /todo/i,
+    /aes256-local-dev-key/i,
+];
+function isPlaceholder(value) {
+    return PLACEHOLDER_PATTERNS.some((p) => p.test(value));
+}
+const PROCESS_ENV = {
+    get: (name) => process.env[name],
+};
+/**
+ * Validate the shape of every well-known runtime env var. Pass a custom
+ * `source` to test without mutating `process.env`.
+ */
+export function validateEnvShape(source = PROCESS_ENV) {
+    const checks = [];
+    // ─── CMS_SECRET ──────────────────────────────────────────────
+    // The `source.get('CMS_SECRET')` lookup is intentionally pluggable: the
+    // runtime caller (`/api/cms/health`) wraps this so the lookup also covers
+    // the legacy `CMS_SESSION_SECRET` env var and `actuate.config.ts → secret`
+    // — those are equally valid sources at runtime via `getSessionSecret()`.
+    // Without that wrapping, a config-file-only deploy would be falsely
+    // reported as `missing` (Bugbot review on PR #43, Medium).
+    const secret = source.get('CMS_SECRET');
+    if (!secret) {
+        checks.push({
+            name: 'CMS_SECRET',
+            status: 'missing',
+            message: 'Required. Generate with `node -e "console.log(crypto.randomBytes(32).toString(\'hex\'))"` and set `CMS_SECRET`, or pass `secret` in `actuate.config.ts`.',
+            required: true,
+        });
+    }
+    else if (secret.length < 32) {
+        checks.push({
+            name: 'CMS_SECRET',
+            status: 'error',
+            message: `Must be ≥ 32 characters (got ${secret.length}). JWT signing requires this minimum.`,
+            required: true,
+        });
+    }
+    else if (isPlaceholder(secret)) {
+        checks.push({
+            name: 'CMS_SECRET',
+            status: 'error',
+            message: 'Looks like a placeholder string. Replace with a real 32+ char random secret.',
+            required: true,
+        });
+    }
+    else {
+        // Intentionally do not include `secret.length` here — `/health` is
+        // unauthenticated and exact secret lengths narrow brute-force search
+        // space for an attacker. The error/warn branches above can stay verbose
+        // because they only trigger on operator-visible misconfigurations.
+        checks.push({
+            name: 'CMS_SECRET',
+            status: 'ok',
+            message: 'Configured.',
+            required: true,
+        });
+    }
+    // ─── CMS_ENCRYPTION_KEY ──────────────────────────────────────
+    const encKey = source.get('CMS_ENCRYPTION_KEY');
+    if (!encKey) {
+        checks.push({
+            name: 'CMS_ENCRYPTION_KEY',
+            status: 'warn',
+            message: 'Optional but recommended. AES-256-GCM field encryption will throw at runtime when not set. Provide 64 hex chars.',
+            required: false,
+        });
+    }
+    else if (encKey.length !== 64) {
+        checks.push({
+            name: 'CMS_ENCRYPTION_KEY',
+            status: 'error',
+            message: `Must be exactly 64 hex characters (32 bytes). Got ${encKey.length}.`,
+            required: false,
+        });
+    }
+    else if (!HEX_RE.test(encKey)) {
+        // No `isPlaceholder()` branch follows — by this point the value has
+        // already passed length-64 and `HEX_RE`, meaning it's pure hex chars.
+        // Every pattern in `PLACEHOLDER_PATTERNS` requires non-hex letters
+        // (`g`, `h`, `l`, `m`, `o`, `p`, `r`, `s`, `t`, `u`, `v`, `w`, `x`, `y`, `z`,
+        // hyphens) so a passing hex string can never match a placeholder. The
+        // message below already says "Looks like a placeholder" for the common
+        // case where the configured value is a documented dev placeholder
+        // (e.g. `aes256-local-dev-key-change-in-prod`, which fails this branch).
+        checks.push({
+            name: 'CMS_ENCRYPTION_KEY',
+            status: 'error',
+            message: 'Must contain only hex characters (0-9, a-f). Looks like a placeholder.',
+            required: false,
+        });
+    }
+    else {
+        checks.push({
+            name: 'CMS_ENCRYPTION_KEY',
+            status: 'ok',
+            message: 'Configured.',
+            required: false,
+        });
+    }
+    // ─── DATABASE_URL ────────────────────────────────────────────
+    const dbUrl = source.get('DATABASE_URL');
+    if (!dbUrl) {
+        checks.push({
+            name: 'DATABASE_URL',
+            status: 'missing',
+            message: 'Required. Connection string for the Prisma client.',
+            required: true,
+        });
+    }
+    else if (!/^(postgres(ql)?|mysql|file|sqlite):/i.test(dbUrl)) {
+        checks.push({
+            name: 'DATABASE_URL',
+            status: 'error',
+            message: 'Must start with a known DB scheme (postgres://, mysql://, file:, sqlite://).',
+            required: true,
+        });
+    }
+    else {
+        checks.push({
+            name: 'DATABASE_URL',
+            status: 'ok',
+            message: 'Configured.',
+            required: true,
+        });
+    }
+    // ─── BLOB_READ_WRITE_TOKEN ──────────────────────────────────
+    const blob = source.get('BLOB_READ_WRITE_TOKEN');
+    if (!blob) {
+        checks.push({
+            name: 'BLOB_READ_WRITE_TOKEN',
+            status: 'warn',
+            message: 'Required for media uploads on Vercel Blob storage. Without it, /media/upload will fail.',
+            required: false,
+        });
+    }
+    else if (!blob.startsWith('vercel_blob_')) {
+        checks.push({
+            name: 'BLOB_READ_WRITE_TOKEN',
+            status: 'warn',
+            message: 'Does not start with `vercel_blob_` — verify this is a real Vercel Blob token.',
+            required: false,
+        });
+    }
+    else {
+        checks.push({
+            name: 'BLOB_READ_WRITE_TOKEN',
+            status: 'ok',
+            message: 'Configured.',
+            required: false,
+        });
+    }
+    // ─── UPSTASH_REDIS_REST_URL / TOKEN ─────────────────────────
+    const upstashUrl = source.get('UPSTASH_REDIS_REST_URL');
+    const upstashToken = source.get('UPSTASH_REDIS_REST_TOKEN');
+    if (!upstashUrl && !upstashToken) {
+        checks.push({
+            name: 'UPSTASH_REDIS_REST_URL',
+            status: 'warn',
+            message: 'Optional. Without Upstash, rate limiting falls back to in-memory (single-process only — unsafe across serverless invocations).',
+            required: false,
+        });
+    }
+    else if (upstashUrl && !upstashToken) {
+        checks.push({
+            name: 'UPSTASH_REDIS_REST_TOKEN',
+            status: 'error',
+            message: 'URL is set but token is missing — rate limiter will refuse to start.',
+            required: false,
+        });
+    }
+    else if (!upstashUrl && upstashToken) {
+        checks.push({
+            name: 'UPSTASH_REDIS_REST_URL',
+            status: 'error',
+            message: 'Token is set but URL is missing — rate limiter will refuse to start.',
+            required: false,
+        });
+    }
+    else {
+        try {
+            // eslint-disable-next-line no-new
+            new URL(upstashUrl);
+            checks.push({
+                name: 'UPSTASH_REDIS_REST_URL',
+                status: 'ok',
+                message: 'Configured (Upstash backend active).',
+                required: false,
+            });
+        }
+        catch {
+            checks.push({
+                name: 'UPSTASH_REDIS_REST_URL',
+                status: 'error',
+                message: 'Not a valid URL.',
+                required: false,
+            });
+        }
+    }
+    // ─── RESEND_API_KEY ─────────────────────────────────────────
+    const resend = source.get('RESEND_API_KEY');
+    if (!resend) {
+        checks.push({
+            name: 'RESEND_API_KEY',
+            status: 'warn',
+            message: 'Optional. Without it, transactional email (lead notifications, password reset) is silently skipped.',
+            required: false,
+        });
+    }
+    else if (!resend.startsWith('re_')) {
+        checks.push({
+            name: 'RESEND_API_KEY',
+            status: 'warn',
+            message: 'Does not start with `re_` — verify this is a real Resend API key.',
+            required: false,
+        });
+    }
+    else {
+        checks.push({
+            name: 'RESEND_API_KEY',
+            status: 'ok',
+            message: 'Configured.',
+            required: false,
+        });
+    }
+    // ─── CRON_SECRET ────────────────────────────────────────────
+    const cronSecret = source.get('CRON_SECRET');
+    if (!cronSecret) {
+        checks.push({
+            name: 'CRON_SECRET',
+            status: 'warn',
+            message: 'Required to authorise /api/cms/cron/* endpoints. Without it, cron routes return 401 to all callers.',
+            required: false,
+        });
+    }
+    else if (cronSecret.length < 16) {
+        checks.push({
+            name: 'CRON_SECRET',
+            status: 'error',
+            message: `Should be ≥ 16 chars (got ${cronSecret.length}). Cron endpoints are publicly addressable.`,
+            required: false,
+        });
+    }
+    else if (isPlaceholder(cronSecret)) {
+        checks.push({
+            name: 'CRON_SECRET',
+            status: 'error',
+            message: 'Looks like a placeholder string.',
+            required: false,
+        });
+    }
+    else {
+        // Same reasoning as CMS_SECRET above — keep the length out of the
+        // unauthenticated /health surface.
+        checks.push({
+            name: 'CRON_SECRET',
+            status: 'ok',
+            message: 'Configured.',
+            required: false,
+        });
+    }
+    const errorCount = checks.filter((c) => c.status === 'error' || (c.status === 'missing' && c.required)).length;
+    const warnCount = checks.filter((c) => c.status === 'warn').length;
+    return {
+        ok: errorCount === 0,
+        errorCount,
+        warnCount,
+        checks,
+    };
+}
+//# sourceMappingURL=env.js.map

package/dist/diagnostics/env.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"env.js","sourceRoot":"","sources":["../../src/diagnostics/env.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;GAcG;AAwBH,MAAM,MAAM,GAAG,gBAAgB,CAAA;AAC/B,MAAM,oBAAoB,GAAG;IAC3B,wBAAwB;IACxB,2BAA2B;IAC3B,cAAc;IACd,UAAU;IACV,OAAO;IACP,uBAAuB;CACxB,CAAA;AAED,SAAS,aAAa,CAAC,KAAa;IAClC,OAAO,oBAAoB,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAA;AACxD,CAAC;AAMD,MAAM,WAAW,GAAc;IAC7B,GAAG,EAAE,CAAC,IAAI,EAAE,EAAE,CAAC,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC;CACjC,CAAA;AAED;;;GAGG;AACH,MAAM,UAAU,gBAAgB,CAAC,SAAoB,WAAW;IAC9D,MAAM,MAAM,GAAe,EAAE,CAAA;IAE7B,gEAAgE;IAChE,wEAAwE;IACxE,0EAA0E;IAC1E,2EAA2E;IAC3E,yEAAyE;IACzE,oEAAoE;IACpE,2DAA2D;IAC3D,MAAM,MAAM,GAAG,MAAM,CAAC,GAAG,CAAC,YAAY,CAAC,CAAA;IACvC,IAAI,CAAC,MAAM,EAAE,CAAC;QACZ,MAAM,CAAC,IAAI,CAAC;YACV,IAAI,EAAE,YAAY;YAClB,MAAM,EAAE,SAAS;YACjB,OAAO,EACL,0JAA0J;YAC5J,QAAQ,EAAE,IAAI;SACf,CAAC,CAAA;IACJ,CAAC;SAAM,IAAI,MAAM,CAAC,MAAM,GAAG,EAAE,EAAE,CAAC;QAC9B,MAAM,CAAC,IAAI,CAAC;YACV,IAAI,EAAE,YAAY;YAClB,MAAM,EAAE,OAAO;YACf,OAAO,EAAE,gCAAgC,MAAM,CAAC,MAAM,uCAAuC;YAC7F,QAAQ,EAAE,IAAI;SACf,CAAC,CAAA;IACJ,CAAC;SAAM,IAAI,aAAa,CAAC,MAAM,CAAC,EAAE,CAAC;QACjC,MAAM,CAAC,IAAI,CAAC;YACV,IAAI,EAAE,YAAY;YAClB,MAAM,EAAE,OAAO;YACf,OAAO,EAAE,8EAA8E;YACvF,QAAQ,EAAE,IAAI;SACf,CAAC,CAAA;IACJ,CAAC;SAAM,CAAC;QACN,mEAAmE;QACnE,qEAAqE;QACrE,wEAAwE;QACxE,mEAAmE;QACnE,MAAM,CAAC,IAAI,CAAC;YACV,IAAI,EAAE,YAAY;YAClB,MAAM,EAAE,IAAI;YACZ,OAAO,EAAE,aAAa;YACtB,QAAQ,EAAE,IAAI;SACf,CAAC,CAAA;IACJ,CAAC;IAED,gEAAgE;IAChE,MAAM,MAAM,GAAG,MAAM,CAAC,GAAG,CAAC,oBAAoB,CAAC,CAAA;IAC/C,IAAI,CAAC,MAAM,EAAE,CAAC;QACZ,MAAM,CAAC,IAAI,CAAC;YACV,IAAI,EAAE,oBAAoB;YAC1B,MAAM,EAAE,MAAM;YACd,OAAO,EACL,kHAAkH;YACpH,QAAQ,EAAE,KAAK;SAChB,CAAC,CAAA;IACJ,CAAC;SAAM,IAAI,MAAM,CAAC,MAAM,KAAK,EAAE,EAAE,CAAC;QAChC,MAAM,CAAC,IAAI,CAAC;YACV,IAAI,EAAE,oBAAoB;YAC1B,MAAM,EAAE,OAAO;YACf,OAAO,EAAE,qDAAqD,MAAM,CAAC,MAAM,GAAG;YAC9E,QAAQ,EAAE,KAAK;SAChB,CAAC,CAAA;IACJ,CAAC;SAAM,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,EAAE,CAAC;QAChC,oEAAoE;QACpE,sEAAsE;QACtE,mEAAmE;QACnE,8EAA8E;QAC9E,sEAAsE;QACtE,uEAAuE;QACvE,kEAAkE;QAClE,yEAAyE;QACzE,MAAM,CAAC,IAAI,CAAC;YACV,IAAI,EAAE,oBAAoB;YAC1B,MAAM,EAAE,OAAO;YACf,OAAO,EAAE,wEAAwE;YACjF,QAAQ,EAAE,KAAK;SAChB,CAAC,CAAA;IACJ,CAAC;SAAM,CAAC;QACN,MAAM,CAAC,IAAI,CAAC;YACV,IAAI,EAAE,oBAAoB;YAC1B,MAAM,EAAE,IAAI;YACZ,OAAO,EAAE,aAAa;YACtB,QAAQ,EAAE,KAAK;SAChB,CAAC,CAAA;IACJ,CAAC;IAED,gEAAgE;IAChE,MAAM,KAAK,GAAG,MAAM,CAAC,GAAG,CAAC,cAAc,CAAC,CAAA;IACxC,IAAI,CAAC,KAAK,EAAE,CAAC;QACX,MAAM,CAAC,IAAI,CAAC;YACV,IAAI,EAAE,cAAc;YACpB,MAAM,EAAE,SAAS;YACjB,OAAO,EAAE,oDAAoD;YAC7D,QAAQ,EAAE,IAAI;SACf,CAAC,CAAA;IACJ,CAAC;SAAM,IAAI,CAAC,sCAAsC,CAAC,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC;QAC/D,MAAM,CAAC,IAAI,CAAC;YACV,IAAI,EAAE,cAAc;YACpB,MAAM,EAAE,OAAO;YACf,OAAO,EAAE,8EAA8E;YACvF,QAAQ,EAAE,IAAI;SACf,CAAC,CAAA;IACJ,CAAC;SAAM,CAAC;QACN,MAAM,CAAC,IAAI,CAAC;YACV,IAAI,EAAE,cAAc;YACpB,MAAM,EAAE,IAAI;YACZ,OAAO,EAAE,aAAa;YACtB,QAAQ,EAAE,IAAI;SACf,CAAC,CAAA;IACJ,CAAC;IAED,+DAA+D;IAC/D,MAAM,IAAI,GAAG,MAAM,CAAC,GAAG,CAAC,uBAAuB,CAAC,CAAA;IAChD,IAAI,CAAC,IAAI,EAAE,CAAC;QACV,MAAM,CAAC,IAAI,CAAC;YACV,IAAI,EAAE,uBAAuB;YAC7B,MAAM,EAAE,MAAM;YACd,OAAO,EACL,yFAAyF;YAC3F,QAAQ,EAAE,KAAK;SAChB,CAAC,CAAA;IACJ,CAAC;SAAM,IAAI,CAAC,IAAI,CAAC,UAAU,CAAC,cAAc,CAAC,EAAE,CAAC;QAC5C,MAAM,CAAC,IAAI,CAAC;YACV,IAAI,EAAE,uBAAuB;YAC7B,MAAM,EAAE,MAAM;YACd,OAAO,EAAE,+EAA+E;YACxF,QAAQ,EAAE,KAAK;SAChB,CAAC,CAAA;IACJ,CAAC;SAAM,CAAC;QACN,MAAM,CAAC,IAAI,CAAC;YACV,IAAI,EAAE,uBAAuB;YAC7B,MAAM,EAAE,IAAI;YACZ,OAAO,EAAE,aAAa;YACtB,QAAQ,EAAE,KAAK;SAChB,CAAC,CAAA;IACJ,CAAC;IAED,+DAA+D;IAC/D,MAAM,UAAU,GAAG,MAAM,CAAC,GAAG,CAAC,wBAAwB,CAAC,CAAA;IACvD,MAAM,YAAY,GAAG,MAAM,CAAC,GAAG,CAAC,0BAA0B,CAAC,CAAA;IAC3D,IAAI,CAAC,UAAU,IAAI,CAAC,YAAY,EAAE,CAAC;QACjC,MAAM,CAAC,IAAI,CAAC;YACV,IAAI,EAAE,wBAAwB;YAC9B,MAAM,EAAE,MAAM;YACd,OAAO,EACL,gIAAgI;YAClI,QAAQ,EAAE,KAAK;SAChB,CAAC,CAAA;IACJ,CAAC;SAAM,IAAI,UAAU,IAAI,CAAC,YAAY,EAAE,CAAC;QACvC,MAAM,CAAC,IAAI,CAAC;YACV,IAAI,EAAE,0BAA0B;YAChC,MAAM,EAAE,OAAO;YACf,OAAO,EAAE,sEAAsE;YAC/E,QAAQ,EAAE,KAAK;SAChB,CAAC,CAAA;IACJ,CAAC;SAAM,IAAI,CAAC,UAAU,IAAI,YAAY,EAAE,CAAC;QACvC,MAAM,CAAC,IAAI,CAAC;YACV,IAAI,EAAE,wBAAwB;YAC9B,MAAM,EAAE,OAAO;YACf,OAAO,EAAE,sEAAsE;YAC/E,QAAQ,EAAE,KAAK;SAChB,CAAC,CAAA;IACJ,CAAC;SAAM,CAAC;QACN,IAAI,CAAC;YACH,kCAAkC;YAClC,IAAI,GAAG,CAAC,UAAoB,CAAC,CAAA;YAC7B,MAAM,CAAC,IAAI,CAAC;gBACV,IAAI,EAAE,wBAAwB;gBAC9B,MAAM,EAAE,IAAI;gBACZ,OAAO,EAAE,sCAAsC;gBAC/C,QAAQ,EAAE,KAAK;aAChB,CAAC,CAAA;QACJ,CAAC;QAAC,MAAM,CAAC;YACP,MAAM,CAAC,IAAI,CAAC;gBACV,IAAI,EAAE,wBAAwB;gBAC9B,MAAM,EAAE,OAAO;gBACf,OAAO,EAAE,kBAAkB;gBAC3B,QAAQ,EAAE,KAAK;aAChB,CAAC,CAAA;QACJ,CAAC;IACH,CAAC;IAED,+DAA+D;IAC/D,MAAM,MAAM,GAAG,MAAM,CAAC,GAAG,CAAC,gBAAgB,CAAC,CAAA;IAC3C,IAAI,CAAC,MAAM,EAAE,CAAC;QACZ,MAAM,CAAC,IAAI,CAAC;YACV,IAAI,EAAE,gBAAgB;YACtB,MAAM,EAAE,MAAM;YACd,OAAO,EACL,qGAAqG;YACvG,QAAQ,EAAE,KAAK;SAChB,CAAC,CAAA;IACJ,CAAC;SAAM,IAAI,CAAC,MAAM,CAAC,UAAU,CAAC,KAAK,CAAC,EAAE,CAAC;QACrC,MAAM,CAAC,IAAI,CAAC;YACV,IAAI,EAAE,gBAAgB;YACtB,MAAM,EAAE,MAAM;YACd,OAAO,EAAE,mEAAmE;YAC5E,QAAQ,EAAE,KAAK;SAChB,CAAC,CAAA;IACJ,CAAC;SAAM,CAAC;QACN,MAAM,CAAC,IAAI,CAAC;YACV,IAAI,EAAE,gBAAgB;YACtB,MAAM,EAAE,IAAI;YACZ,OAAO,EAAE,aAAa;YACtB,QAAQ,EAAE,KAAK;SAChB,CAAC,CAAA;IACJ,CAAC;IAED,+DAA+D;IAC/D,MAAM,UAAU,GAAG,MAAM,CAAC,GAAG,CAAC,aAAa,CAAC,CAAA;IAC5C,IAAI,CAAC,UAAU,EAAE,CAAC;QAChB,MAAM,CAAC,IAAI,CAAC;YACV,IAAI,EAAE,aAAa;YACnB,MAAM,EAAE,MAAM;YACd,OAAO,EACL,qGAAqG;YACvG,QAAQ,EAAE,KAAK;SAChB,CAAC,CAAA;IACJ,CAAC;SAAM,IAAI,UAAU,CAAC,MAAM,GAAG,EAAE,EAAE,CAAC;QAClC,MAAM,CAAC,IAAI,CAAC;YACV,IAAI,EAAE,aAAa;YACnB,MAAM,EAAE,OAAO;YACf,OAAO,EAAE,6BAA6B,UAAU,CAAC,MAAM,6CAA6C;YACpG,QAAQ,EAAE,KAAK;SAChB,CAAC,CAAA;IACJ,CAAC;SAAM,IAAI,aAAa,CAAC,UAAU,CAAC,EAAE,CAAC;QACrC,MAAM,CAAC,IAAI,CAAC;YACV,IAAI,EAAE,aAAa;YACnB,MAAM,EAAE,OAAO;YACf,OAAO,EAAE,kCAAkC;YAC3C,QAAQ,EAAE,KAAK;SAChB,CAAC,CAAA;IACJ,CAAC;SAAM,CAAC;QACN,kEAAkE;QAClE,mCAAmC;QACnC,MAAM,CAAC,IAAI,CAAC;YACV,IAAI,EAAE,aAAa;YACnB,MAAM,EAAE,IAAI;YACZ,OAAO,EAAE,aAAa;YACtB,QAAQ,EAAE,KAAK;SAChB,CAAC,CAAA;IACJ,CAAC;IAED,MAAM,UAAU,GAAG,MAAM,CAAC,MAAM,CAC9B,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,MAAM,KAAK,OAAO,IAAI,CAAC,CAAC,CAAC,MAAM,KAAK,SAAS,IAAI,CAAC,CAAC,QAAQ,CAAC,CACtE,CAAC,MAAM,CAAA;IACR,MAAM,SAAS,GAAG,MAAM,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,MAAM,KAAK,MAAM,CAAC,CAAC,MAAM,CAAA;IAElE,OAAO;QACL,EAAE,EAAE,UAAU,KAAK,CAAC;QACpB,UAAU;QACV,SAAS;QACT,MAAM;KACP,CAAA;AACH,CAAC"}

package/dist/diagnostics/logger.d.ts

@@ -0,0 +1,38 @@
+/**
+ * Structured logger for Actuate CMS (audit issue L7).
+ *
+ * Why a dedicated module instead of `console.*`:
+ *
+ *   1. **Filterable in production.** Operators can set
+ *      `ACTUATE_LOG_LEVEL=warn` to silence routine info logs without losing
+ *      error visibility — `console.*` calls can't be silenced without
+ *      monkey-patching.
+ *
+ *   2. **Structured output for log aggregators.** Setting
+ *      `ACTUATE_LOG_FORMAT=json` switches to one-line JSON entries with
+ *      consistent fields (`ts`, `level`, `scope`, `msg`, `details`),
+ *      ready for ingestion by Datadog, Sentry, or CloudWatch.
+ *
+ *   3. **Scoped namespaces.** `createLogger('rate-limit')` prefixes every
+ *      message with `[actuate][rate-limit]` so a grep finds related
+ *      entries instantly.
+ *
+ * **Migration path:** existing `console.*` calls keep working. New code and
+ * security-sensitive paths use the logger. Replace `console.*` callsites
+ * incrementally as files are touched.
+ */
+export type LogLevel = 'silent' | 'error' | 'warn' | 'info' | 'debug';
+export interface ScopedLogger {
+    error(msg: string, details?: Record<string, unknown>): void;
+    warn(msg: string, details?: Record<string, unknown>): void;
+    info(msg: string, details?: Record<string, unknown>): void;
+    debug(msg: string, details?: Record<string, unknown>): void;
+}
+/**
+ * Create a logger scoped to a subsystem name (e.g. `rate-limit`, `oauth`).
+ * Output format:
+ *   text: `[actuate][rate-limit] Upstash failed { reason: '...' }`
+ *   json: `{"ts":"...","level":"error","scope":"rate-limit","msg":"...","details":{...}}`
+ */
+export declare function createLogger(scope: string): ScopedLogger;
+//# sourceMappingURL=logger.d.ts.map

package/dist/diagnostics/logger.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"logger.d.ts","sourceRoot":"","sources":["../../src/diagnostics/logger.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;GAsBG;AAEH,MAAM,MAAM,QAAQ,GAAG,QAAQ,GAAG,OAAO,GAAG,MAAM,GAAG,MAAM,GAAG,OAAO,CAAA;AAkErE,MAAM,WAAW,YAAY;IAC3B,KAAK,CAAC,GAAG,EAAE,MAAM,EAAE,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,IAAI,CAAA;IAC3D,IAAI,CAAC,GAAG,EAAE,MAAM,EAAE,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,IAAI,CAAA;IAC1D,IAAI,CAAC,GAAG,EAAE,MAAM,EAAE,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,IAAI,CAAA;IAC1D,KAAK,CAAC,GAAG,EAAE,MAAM,EAAE,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,IAAI,CAAA;CAC5D;AAED;;;;;GAKG;AACH,wBAAgB,YAAY,CAAC,KAAK,EAAE,MAAM,GAAG,YAAY,CAOxD"}

package/dist/diagnostics/logger.js

@@ -0,0 +1,89 @@
+/**
+ * Structured logger for Actuate CMS (audit issue L7).
+ *
+ * Why a dedicated module instead of `console.*`:
+ *
+ *   1. **Filterable in production.** Operators can set
+ *      `ACTUATE_LOG_LEVEL=warn` to silence routine info logs without losing
+ *      error visibility — `console.*` calls can't be silenced without
+ *      monkey-patching.
+ *
+ *   2. **Structured output for log aggregators.** Setting
+ *      `ACTUATE_LOG_FORMAT=json` switches to one-line JSON entries with
+ *      consistent fields (`ts`, `level`, `scope`, `msg`, `details`),
+ *      ready for ingestion by Datadog, Sentry, or CloudWatch.
+ *
+ *   3. **Scoped namespaces.** `createLogger('rate-limit')` prefixes every
+ *      message with `[actuate][rate-limit]` so a grep finds related
+ *      entries instantly.
+ *
+ * **Migration path:** existing `console.*` calls keep working. New code and
+ * security-sensitive paths use the logger. Replace `console.*` callsites
+ * incrementally as files are touched.
+ */
+const LEVEL_RANK = {
+    silent: 0,
+    error: 10,
+    warn: 20,
+    info: 30,
+    debug: 40,
+};
+function resolveLevel() {
+    const raw = (process.env.ACTUATE_LOG_LEVEL ?? '').toLowerCase();
+    if (raw === 'silent' || raw === 'error' || raw === 'warn' || raw === 'info' || raw === 'debug') {
+        return raw;
+    }
+    // Default: warn in production, info elsewhere. Tests run with NODE_ENV=test
+    // and benefit from `info` so failing assertions show context.
+    return process.env.NODE_ENV === 'production' ? 'warn' : 'info';
+}
+function isJsonFormat() {
+    return (process.env.ACTUATE_LOG_FORMAT ?? '').toLowerCase() === 'json';
+}
+function shouldLog(level) {
+    const current = resolveLevel();
+    return LEVEL_RANK[level] <= LEVEL_RANK[current];
+}
+function emit(level, scope, msg, details) {
+    if (!shouldLog(level))
+        return;
+    const sink = level === 'error'
+        ? console.error
+        : level === 'warn'
+            ? console.warn
+            : level === 'info'
+                ? console.info
+                : console.debug;
+    if (isJsonFormat()) {
+        sink(JSON.stringify({
+            ts: new Date().toISOString(),
+            level,
+            scope,
+            msg,
+            ...(details ? { details } : {}),
+        }));
+        return;
+    }
+    const prefix = `[actuate][${scope}]`;
+    if (details) {
+        sink(prefix, msg, details);
+    }
+    else {
+        sink(prefix, msg);
+    }
+}
+/**
+ * Create a logger scoped to a subsystem name (e.g. `rate-limit`, `oauth`).
+ * Output format:
+ *   text: `[actuate][rate-limit] Upstash failed { reason: '...' }`
+ *   json: `{"ts":"...","level":"error","scope":"rate-limit","msg":"...","details":{...}}`
+ */
+export function createLogger(scope) {
+    return {
+        error: (msg, details) => emit('error', scope, msg, details),
+        warn: (msg, details) => emit('warn', scope, msg, details),
+        info: (msg, details) => emit('info', scope, msg, details),
+        debug: (msg, details) => emit('debug', scope, msg, details),
+    };
+}
+//# sourceMappingURL=logger.js.map

package/dist/diagnostics/logger.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"logger.js","sourceRoot":"","sources":["../../src/diagnostics/logger.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;GAsBG;AAIH,MAAM,UAAU,GAA6B;IAC3C,MAAM,EAAE,CAAC;IACT,KAAK,EAAE,EAAE;IACT,IAAI,EAAE,EAAE;IACR,IAAI,EAAE,EAAE;IACR,KAAK,EAAE,EAAE;CACV,CAAA;AAED,SAAS,YAAY;IACnB,MAAM,GAAG,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,iBAAiB,IAAI,EAAE,CAAC,CAAC,WAAW,EAAE,CAAA;IAC/D,IAAI,GAAG,KAAK,QAAQ,IAAI,GAAG,KAAK,OAAO,IAAI,GAAG,KAAK,MAAM,IAAI,GAAG,KAAK,MAAM,IAAI,GAAG,KAAK,OAAO,EAAE,CAAC;QAC/F,OAAO,GAAG,CAAA;IACZ,CAAC;IACD,4EAA4E;IAC5E,8DAA8D;IAC9D,OAAO,OAAO,CAAC,GAAG,CAAC,QAAQ,KAAK,YAAY,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,MAAM,CAAA;AAChE,CAAC;AAED,SAAS,YAAY;IACnB,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,kBAAkB,IAAI,EAAE,CAAC,CAAC,WAAW,EAAE,KAAK,MAAM,CAAA;AACxE,CAAC;AAED,SAAS,SAAS,CAAC,KAAe;IAChC,MAAM,OAAO,GAAG,YAAY,EAAE,CAAA;IAC9B,OAAO,UAAU,CAAC,KAAK,CAAC,IAAI,UAAU,CAAC,OAAO,CAAC,CAAA;AACjD,CAAC;AAED,SAAS,IAAI,CACX,KAAkC,EAClC,KAAa,EACb,GAAW,EACX,OAAiC;IAEjC,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC;QAAE,OAAM;IAC7B,MAAM,IAAI,GACR,KAAK,KAAK,OAAO;QACf,CAAC,CAAC,OAAO,CAAC,KAAK;QACf,CAAC,CAAC,KAAK,KAAK,MAAM;YAChB,CAAC,CAAC,OAAO,CAAC,IAAI;YACd,CAAC,CAAC,KAAK,KAAK,MAAM;gBAChB,CAAC,CAAC,OAAO,CAAC,IAAI;gBACd,CAAC,CAAC,OAAO,CAAC,KAAK,CAAA;IAEvB,IAAI,YAAY,EAAE,EAAE,CAAC;QACnB,IAAI,CACF,IAAI,CAAC,SAAS,CAAC;YACb,EAAE,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;YAC5B,KAAK;YACL,KAAK;YACL,GAAG;YACH,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,EAAE,OAAO,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;SAChC,CAAC,CACH,CAAA;QACD,OAAM;IACR,CAAC;IAED,MAAM,MAAM,GAAG,aAAa,KAAK,GAAG,CAAA;IACpC,IAAI,OAAO,EAAE,CAAC;QACZ,IAAI,CAAC,MAAM,EAAE,GAAG,EAAE,OAAO,CAAC,CAAA;IAC5B,CAAC;SAAM,CAAC;QACN,IAAI,CAAC,MAAM,EAAE,GAAG,CAAC,CAAA;IACnB,CAAC;AACH,CAAC;AASD;;;;;GAKG;AACH,MAAM,UAAU,YAAY,CAAC,KAAa;IACxC,OAAO;QACL,KAAK,EAAE,CAAC,GAAG,EAAE,OAAO,EAAE,EAAE,CAAC,IAAI,CAAC,OAAO,EAAE,KAAK,EAAE,GAAG,EAAE,OAAO,CAAC;QAC3D,IAAI,EAAE,CAAC,GAAG,EAAE,OAAO,EAAE,EAAE,CAAC,IAAI,CAAC,MAAM,EAAE,KAAK,EAAE,GAAG,EAAE,OAAO,CAAC;QACzD,IAAI,EAAE,CAAC,GAAG,EAAE,OAAO,EAAE,EAAE,CAAC,IAAI,CAAC,MAAM,EAAE,KAAK,EAAE,GAAG,EAAE,OAAO,CAAC;QACzD,KAAK,EAAE,CAAC,GAAG,EAAE,OAAO,EAAE,EAAE,CAAC,IAAI,CAAC,OAAO,EAAE,KAAK,EAAE,GAAG,EAAE,OAAO,CAAC;KAC5D,CAAA;AACH,CAAC"}

package/dist/page-builder/blocks.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"blocks.d.ts","sourceRoot":"","sources":["../../src/page-builder/blocks.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,mBAAmB,EAAE,iBAAiB,EAAE,MAAM,YAAY,CAAA;AA0QxE,MAAM,WAAW,mBAAmB;IAClC;;;;;;;;OAQG;IACH,YAAY,CAAC,EAAE,mBAAmB,EAAE,CAAA;IACpC;;;OAGG;IACH,WAAW,CAAC,EAAE,OAAO,CAAA;CACtB;AAYD,qBAAa,YAAY;IACvB,OAAO,CAAC,MAAM,CAAkC;gBAEpC,OAAO,GAAE,mBAAwB;IAmB7C,GAAG,CAAC,IAAI,EAAE,MAAM,GAAG,mBAAmB,GAAG,SAAS;IAIlD,MAAM,IAAI,mBAAmB,EAAE;IAI/B,QAAQ,CAAC,KAAK,EAAE,mBAAmB,GAAG,IAAI;IAI1C,UAAU,CAAC,SAAS,EAAE,MAAM,EAAE,WAAW,EAAE,MAAM,GAAG,iBAAiB,GAAG,SAAS;CAKlF"}
+{"version":3,"file":"blocks.d.ts","sourceRoot":"","sources":["../../src/page-builder/blocks.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,mBAAmB,EAAE,iBAAiB,EAAE,MAAM,YAAY,CAAA;AA0QxE,MAAM,WAAW,mBAAmB;IAClC;;;;;;;;OAQG;IACH,YAAY,CAAC,EAAE,mBAAmB,EAAE,CAAA;IACpC;;;OAGG;IACH,WAAW,CAAC,EAAE,OAAO,CAAA;CACtB;AAiBD,qBAAa,YAAY;IACvB,OAAO,CAAC,MAAM,CAAkC;gBAEpC,OAAO,GAAE,mBAAwB;IAmB7C,GAAG,CAAC,IAAI,EAAE,MAAM,GAAG,mBAAmB,GAAG,SAAS;IAIlD,MAAM,IAAI,mBAAmB,EAAE;IAI/B,QAAQ,CAAC,KAAK,EAAE,mBAAmB,GAAG,IAAI;IAI1C,UAAU,CAAC,SAAS,EAAE,MAAM,EAAE,WAAW,EAAE,MAAM,GAAG,iBAAiB,GAAG,SAAS;CAKlF"}

package/dist/page-builder/blocks.js

@@ -264,7 +264,12 @@ const CORE_BLOCKS = [
 function readCustomBlocksFromGlobalConfig() {
     if (typeof globalThis === 'undefined')
         return [];
-    const config = globalThis.__actuateConfig;
+    // We read directly from `globalThis` (rather than via `getActuateConfig()`)
+    // so this stays synchronous at module-load time and avoids importing the
+    // wider runtime module from inside page-builder. The shape we need is
+    // narrow enough that a local typed cast is safer than `as any`.
+    const config = globalThis
+        .__actuateConfig;
     const blocks = config?.pageBuilder?.blocks;
     if (Array.isArray(blocks)) {
         return blocks.filter((b) => !!b && typeof b.type === 'string');

package/dist/page-builder/blocks.js.map

@@ -1 +1 @@
-{"version":3,"file":"blocks.js","sourceRoot":"","sources":["../../src/page-builder/blocks.ts"],"names":[],"mappings":"AAEA,MAAM,WAAW,GAA0B;IACzC;QACE,IAAI,EAAE,MAAM;QACZ,KAAK,EAAE,MAAM;QACb,IAAI,EAAE,MAAM;QACZ,WAAW,EAAE,+DAA+D;QAC5E,QAAQ,EAAE;YACR;gBACE,IAAI,EAAE,UAAU;gBAChB,KAAK,EAAE,UAAU;gBACjB,WAAW,EAAE,wCAAwC;aACtD;YACD;gBACE,IAAI,EAAE,aAAa;gBACnB,KAAK,EAAE,aAAa;gBACpB,WAAW,EAAE,sCAAsC;aACpD;YACD;gBACE,IAAI,EAAE,UAAU;gBAChB,KAAK,EAAE,kBAAkB;gBACzB,WAAW,EAAE,oCAAoC;aAClD;YACD,EAAE,IAAI,EAAE,SAAS,EAAE,KAAK,EAAE,SAAS,EAAE,WAAW,EAAE,qCAAqC,EAAE;SAC1F;QACD,MAAM,EAAE;YACN,KAAK,EAAE,EAAE,IAAI,EAAE,MAAM,EAAE,KAAK,EAAE,OAAO,EAAE,QAAQ,EAAE,IAAI,EAAE;YACvD,QAAQ,EAAE,EAAE,IAAI,EAAE,MAAM,EAAE,KAAK,EAAE,UAAU,EAAE;YAC7C,KAAK,EAAE,EAAE,IAAI,EAAE,OAAO,EAAE,KAAK,EAAE,OAAO,EAAE;YACxC,QAAQ,EAAE,EAAE,IAAI,EAAE,KAAK,EAAE,KAAK,EAAE,WAAW,EAAE;YAC7C,OAAO,EAAE,EAAE,IAAI,EAAE,MAAM,EAAE,KAAK,EAAE,UAAU,EAAE;YAC5C,OAAO,EAAE,EAAE,IAAI,EAAE,KAAK,EAAE,KAAK,EAAE,UAAU,EAAE;YAC3C,cAAc,EAAE,EAAE,IAAI,EAAE,QAAQ,EAAE,KAAK,EAAE,iBAAiB,EAAE,GAAG,EAAE,CAAC,EAAE,GAAG,EAAE,GAAG,EAAE;SAC/E;KACF;IACD;QACE,IAAI,EAAE,MAAM;QACZ,KAAK,EAAE,MAAM;QACb,IAAI,EAAE,MAAM;QACZ,WAAW,EAAE,+CAA+C;QAC5D,QAAQ,EAAE;YACR,EAAE,IAAI,EAAE,OAAO,EAAE,KAAK,EAAE,OAAO,EAAE,WAAW,EAAE,6BAA6B,EAAE;YAC7E,EAAE,IAAI,EAAE,YAAY,EAAE,KAAK,EAAE,YAAY,EAAE,WAAW,EAAE,+BAA+B,EAAE;YACzF;gBACE,IAAI,EAAE,cAAc;gBACpB,KAAK,EAAE,cAAc;gBACrB,WAAW,EAAE,qCAAqC;aACnD;SACF;QACD,MAAM,EAAE;YACN,IAAI,EAAE,EAAE,IAAI,EAAE,UAAU,EAAE,KAAK,EAAE,MAAM,EAAE,QAAQ,EAAE,IAAI,EAAE;YACzD,OAAO,EAAE,EAAE,IAAI,EAAE,MAAM,EAAE,KAAK,EAAE,SAAS,EAAE;YAC3C,YAAY,EAAE;gBACZ,IAAI,EAAE,QAAQ;gBACd,KAAK,EAAE,eAAe;gBACtB,OAAO,EAAE;oBACP,EAAE,KAAK,EAAE,IAAI,EAAE,KAAK,EAAE,IAAI,EAAE;oBAC5B,EAAE,KAAK,EAAE,IAAI,EAAE,KAAK,EAAE,IAAI,EAAE;oBAC5B,EAAE,KAAK,EAAE,IAAI,EAAE,KAAK,EAAE,IAAI,EAAE;iBAC7B;aACF;SACF;KACF;IACD;QACE,IAAI,EAAE,OAAO;QACb,KAAK,EAAE,OAAO;QACd,IAAI,EAAE,OAAO;QACb,WAAW,EAAE,6CAA6C;QAC1D,QAAQ,EAAE;YACR,EAAE,IAAI,EAAE,YAAY,EAAE,KAAK,EAAE,YAAY,EAAE,WAAW,EAAE,oBAAoB,EAAE;YAC9E,EAAE,IAAI,EAAE,WAAW,EAAE,KAAK,EAAE,WAAW,EAAE,WAAW,EAAE,kCAAkC,EAAE;YAC1F,EAAE,IAAI,EAAE,SAAS,EAAE,KAAK,EAAE,SAAS,EAAE,WAAW,EAAE,4BAA4B,EAAE;YAChF;gBACE,IAAI,EAAE,cAAc;gBACpB,KAAK,EAAE,cAAc;gBACrB,WAAW,EAAE,mCAAmC;aACjD;SACF;QACD,MAAM,EAAE;YACN,GAAG,EAAE,EAAE,IAAI,EAAE,OAAO,EAAE,KAAK,EAAE,QAAQ,EAAE,QAAQ,EAAE,IAAI,EAAE;YACvD,GAAG,EAAE,EAAE,IAAI,EAAE,MAAM,EAAE,KAAK,EAAE,UAAU,EAAE,QAAQ,EAAE,IAAI,EAAE;YACxD,OAAO,EAAE,EAAE,IAAI,EAAE,MAAM,EAAE,KAAK,EAAE,SAAS,EAAE;YAC3C,IAAI,EAAE,EAAE,IAAI,EAAE,KAAK,EAAE,KAAK,EAAE,MAAM,EAAE;YACpC,WAAW,EAAE;gBACX,IAAI,EAAE,QAAQ;gBACd,KAAK,EAAE,cAAc;gBACrB,OAAO,EAAE;oBACP,EAAE,KAAK,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,EAAE;oBAChC,EAAE,KAAK,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,EAAE;oBAChC,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE;oBAC9B,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE;iBAC/B;aACF;SACF;KACF;IACD;QACE,IAAI,EAAE,OAAO;QACb,KAAK,EAAE,OAAO;QACd,IAAI,EAAE,YAAY;QAClB,WAAW,EAAE,0DAA0D;QACvE,QAAQ,EAAE;YACR,EAAE,IAAI,EAAE,QAAQ,EAAE,KAAK,EAAE,eAAe,EAAE,WAAW,EAAE,0BAA0B,EAAE;YACnF,EAAE,IAAI,EAAE,QAAQ,EAAE,KAAK,EAAE,eAAe,EAAE,WAAW,EAAE,0BAA0B,EAAE;YACnF,EAAE,IAAI,EAAE,QAAQ,EAAE,KAAK,EAAE,eAAe,EAAE,WAAW,EAAE,0BAA0B,EAAE;YACnF;gBACE,IAAI,EAAE,YAAY;gBAClB,KAAK,EAAE,YAAY;gBACnB,WAAW,EAAE,qCAAqC;aACnD;SACF;QACD,MAAM,EAAE;YACN,KAAK,EAAE;gBACL,IAAI,EAAE,OAAO;gBACb,KAAK,EAAE,OAAO;gBACd,MAAM,EAAE;oBACN,KAAK,EAAE,EAAE,IAAI,EAAE,MAAM,EAAE,KAAK,EAAE,OAAO,EAAE,QAAQ,EAAE,IAAI,EAAE;oBACvD,WAAW,EAAE,EAAE,IAAI,EAAE,MAAM,EAAE,KAAK,EAAE,aAAa,EAAE;oBACnD,KAAK,EAAE,EAAE,IAAI,EAAE,OAAO,EAAE,KAAK,EAAE,OAAO,EAAE;oBACxC,IAAI,EAAE,EAAE,IAAI,EAAE,KAAK,EAAE,KAAK,EAAE,MAAM,EAAE;oBACpC,IAAI,EAAE,EAAE,IAAI,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,EAAE;iBACtC;aACF;SACF;KACF;IACD;QACE,IAAI,EAAE,KAAK;QACX,KAAK,EAAE,gBAAgB;QACvB,IAAI,EAAE,cAAc;QACpB,WAAW,EAAE,sCAAsC;QACnD,QAAQ,EAAE;YACR,EAAE,IAAI,EAAE,QAAQ,EAAE,KAAK,EAAE,QAAQ,EAAE,WAAW,EAAE,2BAA2B,EAAE;YAC7E,EAAE,IAAI,EAAE,QAAQ,EAAE,KAAK,EAAE,QAAQ,EAAE,WAAW,EAAE,oBAAoB,EAAE;YACtE,EAAE,IAAI,EAAE,UAAU,EAAE,KAAK,EAAE,UAAU,EAAE,WAAW,EAAE,yBAAyB,EAAE;YAC/E,EAAE,IAAI,EAAE,OAAO,EAAE,KAAK,EAAE,OAAO,EAAE,WAAW,EAAE,uCAAuC,EAAE;SACxF;QACD,MAAM,EAAE;YACN,OAAO,EAAE,EAAE,IAAI,EAAE,MAAM,EAAE,KAAK,EAAE,SAAS,EAAE,QAAQ,EAAE,IAAI,EAAE;YAC3D,IAAI,EAAE,EAAE,IAAI,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,EAAE;YACrC,UAAU,EAAE,EAAE,IAAI,EAAE,MAAM,EAAE,KAAK,EAAE,aAAa,EAAE,QAAQ,EAAE,IAAI,EAAE;YAClE,UAAU,EAAE,EAAE,IAAI,EAAE,KAAK,EAAE,KAAK,EAAE,aAAa,EAAE,QAAQ,EAAE,IAAI,EAAE;YACjE,WAAW,EAAE;gBACX,IAAI,EAAE,QAAQ;gBACd,KAAK,EAAE,cAAc;gBACrB,OAAO,EAAE;oBACP,EAAE,KAAK,EAAE,SAAS,EAAE,KAAK,EAAE,SAAS,EAAE;oBACtC,EAAE,KAAK,EAAE,WAAW,EAAE,KAAK,EAAE,WAAW,EAAE;oBAC1C,EAAE,KAAK,EAAE,SAAS,EAAE,KAAK,EAAE,SAAS,EAAE;iBACvC;aACF;SACF;KACF;IACD;QACE,IAAI,EAAE,OAAO;QACb,KAAK,EAAE,OAAO;QACd,IAAI,EAAE,MAAM;QACZ,WAAW,EAAE,uBAAuB;QACpC,QAAQ,EAAE;YACR,EAAE,IAAI,EAAE,QAAQ,EAAE,KAAK,EAAE,QAAQ,EAAE,WAAW,EAAE,qCAAqC,EAAE;YACvF;gBACE,IAAI,EAAE,UAAU;gBAChB,KAAK,EAAE,UAAU;gBACjB,WAAW,EAAE,0CAA0C;aACxD;YACD;gBACE,IAAI,EAAE,YAAY;gBAClB,KAAK,EAAE,YAAY;gBACnB,WAAW,EAAE,qCAAqC;aACnD;SACF;QACD,MAAM,EAAE;YACN,GAAG,EAAE,EAAE,IAAI,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE,QAAQ,EAAE,IAAI,EAAE;YAClD,MAAM,EAAE,EAAE,IAAI,EAAE,OAAO,EAAE,KAAK,EAAE,QAAQ,EAAE;YAC1C,QAAQ,EAAE,EAAE,IAAI,EAAE,SAAS,EAAE,KAAK,EAAE,UAAU,EAAE;YAChD,IAAI,EAAE,EAAE,IAAI,EAAE,SAAS,EAAE,KAAK,EAAE,MAAM,EAAE;SACzC;KACF;IACD;QACE,IAAI,EAAE,SAAS;QACf,KAAK,EAAE,SAAS;QAChB,IAAI,EAAE,MAAM;QACZ,WAAW,EAAE,mDAAmD;QAChE,QAAQ,EAAE;YACR,EAAE,IAAI,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,EAAE,WAAW,EAAE,wBAAwB,EAAE;YACtE,EAAE,IAAI,EAAE,SAAS,EAAE,KAAK,EAAE,SAAS,EAAE,WAAW,EAAE,8BAA8B,EAAE;YAClF,EAAE,IAAI,EAAE,UAAU,EAAE,KAAK,EAAE,UAAU,EAAE,WAAW,EAAE,+BAA+B,EAAE;YACrF,EAAE,IAAI,EAAE,UAAU,EAAE,KAAK,EAAE,UAAU,EAAE,WAAW,EAAE,oCAAoC,EAAE;SAC3F;QACD,MAAM,EAAE;YACN,MAAM,EAAE;gBACN,IAAI,EAAE,OAAO;gBACb,KAAK,EAAE,QAAQ;gBACf,MAAM,EAAE;oBACN,GAAG,EAAE,EAAE,IAAI,EAAE,OAAO,EAAE,KAAK,EAAE,QAAQ,EAAE,QAAQ,EAAE,IAAI,EAAE;oBACvD,GAAG,EAAE,EAAE,IAAI,EAAE,MAAM,EAAE,KAAK,EAAE,UAAU,EAAE,QAAQ,EAAE,IAAI,EAAE;oBACxD,OAAO,EAAE,EAAE,IAAI,EAAE,MAAM,EAAE,KAAK,EAAE,SAAS,EAAE;iBAC5C;aACF;SACF;KACF;IACD;QACE,IAAI,EAAE,KAAK;QACX,KAAK,EAAE,KAAK;QACZ,IAAI,EAAE,YAAY;QAClB,WAAW,EAAE,iCAAiC;QAC9C,QAAQ,EAAE;YACR,EAAE,IAAI,EAAE,WAAW,EAAE,KAAK,EAAE,WAAW,EAAE,WAAW,EAAE,8BAA8B,EAAE;YACtF,EAAE,IAAI,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,EAAE,WAAW,EAAE,sCAAsC,EAAE;YACpF;gBACE,IAAI,EAAE,YAAY;gBAClB,KAAK,EAAE,YAAY;gBACnB,WAAW,EAAE,oCAAoC;aAClD;SACF;QACD,MAAM,EAAE;YACN,KAAK,EAAE;gBACL,IAAI,EAAE,OAAO;gBACb,KAAK,EAAE,OAAO;gBACd,MAAM,EAAE;oBACN,QAAQ,EAAE,EAAE,IAAI,EAAE,MAAM,EAAE,KAAK,EAAE,UAAU,EAAE,QAAQ,EAAE,IAAI,EAAE;oBAC7D,MAAM,EAAE,EAAE,IAAI,EAAE,UAAU,EAAE,KAAK,EAAE,QAAQ,EAAE,QAAQ,EAAE,IAAI,EAAE;iBAC9D;aACF;SACF;KACF;IACD;QACE,IAAI,EAAE,MAAM;QACZ,KAAK,EAAE,MAAM;QACb,IAAI,EAAE,UAAU;QAChB,WAAW,EAAE,yCAAyC;QACtD,QAAQ,EAAE;YACR,EAAE,IAAI,EAAE,SAAS,EAAE,KAAK,EAAE,SAAS,EAAE,WAAW,EAAE,8BAA8B,EAAE;YAClF,EAAE,IAAI,EAAE,YAAY,EAAE,KAAK,EAAE,YAAY,EAAE,WAAW,EAAE,sBAAsB,EAAE;YAChF,EAAE,IAAI,EAAE,QAAQ,EAAE,KAAK,EAAE,QAAQ,EAAE,WAAW,EAAE,0BAA0B,EAAE;SAC7E;QACD,MAAM,EAAE;YACN,MAAM,EAAE,EAAE,IAAI,EAAE,cAAc,EAAE,KAAK,EAAE,MAAM,EAAE,UAAU,EAAE,OAAO,EAAE;YACpE,cAAc,EAAE,EAAE,IAAI,EAAE,MAAM,EAAE,KAAK,EAAE,iBAAiB,EAAE;SAC3D;KACF;IACD;QACE,IAAI,EAAE,MAAM;QACZ,KAAK,EAAE,MAAM;QACb,IAAI,EAAE,MAAM;QACZ,WAAW,EAAE,oCAAoC;QACjD,QAAQ,EAAE;YACR,EAAE,IAAI,EAAE,OAAO,EAAE,KAAK,EAAE,OAAO,EAAE,WAAW,EAAE,oBAAoB,EAAE;YACpE,EAAE,IAAI,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,EAAE,WAAW,EAAE,gBAAgB,EAAE;YAC9D,EAAE,IAAI,EAAE,QAAQ,EAAE,KAAK,EAAE,QAAQ,EAAE,WAAW,EAAE,+BAA+B,EAAE;SAClF;QACD,MAAM,EAAE;YACN,OAAO,EAAE,EAAE,IAAI,EAAE,MAAM,EAAE,KAAK,EAAE,SAAS,EAAE,QAAQ,EAAE,IAAI,EAAE;YAC3D,QAAQ,EAAE;gBACR,IAAI,EAAE,QAAQ;gBACd,KAAK,EAAE,UAAU;gBACjB,OAAO,EAAE;oBACP,EAAE,KAAK,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,EAAE;oBAChC,EAAE,KAAK,EAAE,YAAY,EAAE,KAAK,EAAE,YAAY,EAAE;oBAC5C,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE;iBAC/B;aACF;YACD,SAAS,EAAE,EAAE,IAAI,EAAE,SAAS,EAAE,KAAK,EAAE,WAAW,EAAE;SACnD;KACF;CACF,CAAA;AAoBD,SAAS,gCAAgC;IACvC,IAAI,OAAO,UAAU,KAAK,WAAW;QAAE,OAAO,EAAE,CAAA;IAChD,MAAM,MAAM,GAAI,UAAkC,CAAC,eAAe,CAAA;IAClE,MAAM,MAAM,GAAG,MAAM,EAAE,WAAW,EAAE,MAAM,CAAA;IAC1C,IAAI,KAAK,CAAC,OAAO,CAAC,MAAM,CAAC,EAAE,CAAC;QAC1B,OAAO,MAAM,CAAC,MAAM,CAAC,CAAC,CAAC,EAA4B,EAAE,CAAC,CAAC,CAAC,CAAC,IAAI,OAAO,CAAC,CAAC,IAAI,KAAK,QAAQ,CAAC,CAAA;IAC1F,CAAC;IACD,OAAO,EAAE,CAAA;AACX,CAAC;AAED,MAAM,OAAO,YAAY;IACf,MAAM,CAAkC;IAEhD,YAAY,UAA+B,EAAE;QAC3C,MAAM,WAAW,GAAG,OAAO,CAAC,WAAW,KAAK,KAAK,CAAA;QACjD,IAAI,CAAC,MAAM,GAAG,IAAI,GAAG,EAAE,CAAA;QAEvB,IAAI,WAAW,EAAE,CAAC;YAChB,KAAK,MAAM,KAAK,IAAI,WAAW,EAAE,CAAC;gBAChC,IAAI,CAAC,MAAM,CAAC,GAAG,CAAC,KAAK,CAAC,IAAI,EAAE,KAAK,CAAC,CAAA;YACpC,CAAC;QACH,CAAC;QAED,sEAAsE;QACtE,sEAAsE;QACtE,qDAAqD;QACrD,MAAM,MAAM,GAAG,OAAO,CAAC,YAAY,IAAI,gCAAgC,EAAE,CAAA;QACzE,KAAK,MAAM,KAAK,IAAI,MAAM,EAAE,CAAC;YAC3B,IAAI,CAAC,MAAM,CAAC,GAAG,CAAC,KAAK,CAAC,IAAI,EAAE,KAAK,CAAC,CAAA;QACpC,CAAC;IACH,CAAC;IAED,GAAG,CAAC,IAAY;QACd,OAAO,IAAI,CAAC,MAAM,CAAC,GAAG,CAAC,IAAI,CAAC,CAAA;IAC9B,CAAC;IAED,MAAM;QACJ,OAAO,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,MAAM,EAAE,CAAC,CAAA;IACzC,CAAC;IAED,QAAQ,CAAC,KAA0B;QACjC,IAAI,CAAC,MAAM,CAAC,GAAG,CAAC,KAAK,CAAC,IAAI,EAAE,KAAK,CAAC,CAAA;IACpC,CAAC;IAED,UAAU,CAAC,SAAiB,EAAE,WAAmB;QAC/C,MAAM,KAAK,GAAG,IAAI,CAAC,MAAM,CAAC,GAAG,CAAC,SAAS,CAAC,CAAA;QACxC,IAAI,CAAC,KAAK;YAAE,OAAO,SAAS,CAAA;QAC5B,OAAO,KAAK,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,WAAW,CAAC,CAAA;IAC3D,CAAC;CACF"}
+{"version":3,"file":"blocks.js","sourceRoot":"","sources":["../../src/page-builder/blocks.ts"],"names":[],"mappings":"AAEA,MAAM,WAAW,GAA0B;IACzC;QACE,IAAI,EAAE,MAAM;QACZ,KAAK,EAAE,MAAM;QACb,IAAI,EAAE,MAAM;QACZ,WAAW,EAAE,+DAA+D;QAC5E,QAAQ,EAAE;YACR;gBACE,IAAI,EAAE,UAAU;gBAChB,KAAK,EAAE,UAAU;gBACjB,WAAW,EAAE,wCAAwC;aACtD;YACD;gBACE,IAAI,EAAE,aAAa;gBACnB,KAAK,EAAE,aAAa;gBACpB,WAAW,EAAE,sCAAsC;aACpD;YACD;gBACE,IAAI,EAAE,UAAU;gBAChB,KAAK,EAAE,kBAAkB;gBACzB,WAAW,EAAE,oCAAoC;aAClD;YACD,EAAE,IAAI,EAAE,SAAS,EAAE,KAAK,EAAE,SAAS,EAAE,WAAW,EAAE,qCAAqC,EAAE;SAC1F;QACD,MAAM,EAAE;YACN,KAAK,EAAE,EAAE,IAAI,EAAE,MAAM,EAAE,KAAK,EAAE,OAAO,EAAE,QAAQ,EAAE,IAAI,EAAE;YACvD,QAAQ,EAAE,EAAE,IAAI,EAAE,MAAM,EAAE,KAAK,EAAE,UAAU,EAAE;YAC7C,KAAK,EAAE,EAAE,IAAI,EAAE,OAAO,EAAE,KAAK,EAAE,OAAO,EAAE;YACxC,QAAQ,EAAE,EAAE,IAAI,EAAE,KAAK,EAAE,KAAK,EAAE,WAAW,EAAE;YAC7C,OAAO,EAAE,EAAE,IAAI,EAAE,MAAM,EAAE,KAAK,EAAE,UAAU,EAAE;YAC5C,OAAO,EAAE,EAAE,IAAI,EAAE,KAAK,EAAE,KAAK,EAAE,UAAU,EAAE;YAC3C,cAAc,EAAE,EAAE,IAAI,EAAE,QAAQ,EAAE,KAAK,EAAE,iBAAiB,EAAE,GAAG,EAAE,CAAC,EAAE,GAAG,EAAE,GAAG,EAAE;SAC/E;KACF;IACD;QACE,IAAI,EAAE,MAAM;QACZ,KAAK,EAAE,MAAM;QACb,IAAI,EAAE,MAAM;QACZ,WAAW,EAAE,+CAA+C;QAC5D,QAAQ,EAAE;YACR,EAAE,IAAI,EAAE,OAAO,EAAE,KAAK,EAAE,OAAO,EAAE,WAAW,EAAE,6BAA6B,EAAE;YAC7E,EAAE,IAAI,EAAE,YAAY,EAAE,KAAK,EAAE,YAAY,EAAE,WAAW,EAAE,+BAA+B,EAAE;YACzF;gBACE,IAAI,EAAE,cAAc;gBACpB,KAAK,EAAE,cAAc;gBACrB,WAAW,EAAE,qCAAqC;aACnD;SACF;QACD,MAAM,EAAE;YACN,IAAI,EAAE,EAAE,IAAI,EAAE,UAAU,EAAE,KAAK,EAAE,MAAM,EAAE,QAAQ,EAAE,IAAI,EAAE;YACzD,OAAO,EAAE,EAAE,IAAI,EAAE,MAAM,EAAE,KAAK,EAAE,SAAS,EAAE;YAC3C,YAAY,EAAE;gBACZ,IAAI,EAAE,QAAQ;gBACd,KAAK,EAAE,eAAe;gBACtB,OAAO,EAAE;oBACP,EAAE,KAAK,EAAE,IAAI,EAAE,KAAK,EAAE,IAAI,EAAE;oBAC5B,EAAE,KAAK,EAAE,IAAI,EAAE,KAAK,EAAE,IAAI,EAAE;oBAC5B,EAAE,KAAK,EAAE,IAAI,EAAE,KAAK,EAAE,IAAI,EAAE;iBAC7B;aACF;SACF;KACF;IACD;QACE,IAAI,EAAE,OAAO;QACb,KAAK,EAAE,OAAO;QACd,IAAI,EAAE,OAAO;QACb,WAAW,EAAE,6CAA6C;QAC1D,QAAQ,EAAE;YACR,EAAE,IAAI,EAAE,YAAY,EAAE,KAAK,EAAE,YAAY,EAAE,WAAW,EAAE,oBAAoB,EAAE;YAC9E,EAAE,IAAI,EAAE,WAAW,EAAE,KAAK,EAAE,WAAW,EAAE,WAAW,EAAE,kCAAkC,EAAE;YAC1F,EAAE,IAAI,EAAE,SAAS,EAAE,KAAK,EAAE,SAAS,EAAE,WAAW,EAAE,4BAA4B,EAAE;YAChF;gBACE,IAAI,EAAE,cAAc;gBACpB,KAAK,EAAE,cAAc;gBACrB,WAAW,EAAE,mCAAmC;aACjD;SACF;QACD,MAAM,EAAE;YACN,GAAG,EAAE,EAAE,IAAI,EAAE,OAAO,EAAE,KAAK,EAAE,QAAQ,EAAE,QAAQ,EAAE,IAAI,EAAE;YACvD,GAAG,EAAE,EAAE,IAAI,EAAE,MAAM,EAAE,KAAK,EAAE,UAAU,EAAE,QAAQ,EAAE,IAAI,EAAE;YACxD,OAAO,EAAE,EAAE,IAAI,EAAE,MAAM,EAAE,KAAK,EAAE,SAAS,EAAE;YAC3C,IAAI,EAAE,EAAE,IAAI,EAAE,KAAK,EAAE,KAAK,EAAE,MAAM,EAAE;YACpC,WAAW,EAAE;gBACX,IAAI,EAAE,QAAQ;gBACd,KAAK,EAAE,cAAc;gBACrB,OAAO,EAAE;oBACP,EAAE,KAAK,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,EAAE;oBAChC,EAAE,KAAK,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,EAAE;oBAChC,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE;oBAC9B,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE;iBAC/B;aACF;SACF;KACF;IACD;QACE,IAAI,EAAE,OAAO;QACb,KAAK,EAAE,OAAO;QACd,IAAI,EAAE,YAAY;QAClB,WAAW,EAAE,0DAA0D;QACvE,QAAQ,EAAE;YACR,EAAE,IAAI,EAAE,QAAQ,EAAE,KAAK,EAAE,eAAe,EAAE,WAAW,EAAE,0BAA0B,EAAE;YACnF,EAAE,IAAI,EAAE,QAAQ,EAAE,KAAK,EAAE,eAAe,EAAE,WAAW,EAAE,0BAA0B,EAAE;YACnF,EAAE,IAAI,EAAE,QAAQ,EAAE,KAAK,EAAE,eAAe,EAAE,WAAW,EAAE,0BAA0B,EAAE;YACnF;gBACE,IAAI,EAAE,YAAY;gBAClB,KAAK,EAAE,YAAY;gBACnB,WAAW,EAAE,qCAAqC;aACnD;SACF;QACD,MAAM,EAAE;YACN,KAAK,EAAE;gBACL,IAAI,EAAE,OAAO;gBACb,KAAK,EAAE,OAAO;gBACd,MAAM,EAAE;oBACN,KAAK,EAAE,EAAE,IAAI,EAAE,MAAM,EAAE,KAAK,EAAE,OAAO,EAAE,QAAQ,EAAE,IAAI,EAAE;oBACvD,WAAW,EAAE,EAAE,IAAI,EAAE,MAAM,EAAE,KAAK,EAAE,aAAa,EAAE;oBACnD,KAAK,EAAE,EAAE,IAAI,EAAE,OAAO,EAAE,KAAK,EAAE,OAAO,EAAE;oBACxC,IAAI,EAAE,EAAE,IAAI,EAAE,KAAK,EAAE,KAAK,EAAE,MAAM,EAAE;oBACpC,IAAI,EAAE,EAAE,IAAI,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,EAAE;iBACtC;aACF;SACF;KACF;IACD;QACE,IAAI,EAAE,KAAK;QACX,KAAK,EAAE,gBAAgB;QACvB,IAAI,EAAE,cAAc;QACpB,WAAW,EAAE,sCAAsC;QACnD,QAAQ,EAAE;YACR,EAAE,IAAI,EAAE,QAAQ,EAAE,KAAK,EAAE,QAAQ,EAAE,WAAW,EAAE,2BAA2B,EAAE;YAC7E,EAAE,IAAI,EAAE,QAAQ,EAAE,KAAK,EAAE,QAAQ,EAAE,WAAW,EAAE,oBAAoB,EAAE;YACtE,EAAE,IAAI,EAAE,UAAU,EAAE,KAAK,EAAE,UAAU,EAAE,WAAW,EAAE,yBAAyB,EAAE;YAC/E,EAAE,IAAI,EAAE,OAAO,EAAE,KAAK,EAAE,OAAO,EAAE,WAAW,EAAE,uCAAuC,EAAE;SACxF;QACD,MAAM,EAAE;YACN,OAAO,EAAE,EAAE,IAAI,EAAE,MAAM,EAAE,KAAK,EAAE,SAAS,EAAE,QAAQ,EAAE,IAAI,EAAE;YAC3D,IAAI,EAAE,EAAE,IAAI,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,EAAE;YACrC,UAAU,EAAE,EAAE,IAAI,EAAE,MAAM,EAAE,KAAK,EAAE,aAAa,EAAE,QAAQ,EAAE,IAAI,EAAE;YAClE,UAAU,EAAE,EAAE,IAAI,EAAE,KAAK,EAAE,KAAK,EAAE,aAAa,EAAE,QAAQ,EAAE,IAAI,EAAE;YACjE,WAAW,EAAE;gBACX,IAAI,EAAE,QAAQ;gBACd,KAAK,EAAE,cAAc;gBACrB,OAAO,EAAE;oBACP,EAAE,KAAK,EAAE,SAAS,EAAE,KAAK,EAAE,SAAS,EAAE;oBACtC,EAAE,KAAK,EAAE,WAAW,EAAE,KAAK,EAAE,WAAW,EAAE;oBAC1C,EAAE,KAAK,EAAE,SAAS,EAAE,KAAK,EAAE,SAAS,EAAE;iBACvC;aACF;SACF;KACF;IACD;QACE,IAAI,EAAE,OAAO;QACb,KAAK,EAAE,OAAO;QACd,IAAI,EAAE,MAAM;QACZ,WAAW,EAAE,uBAAuB;QACpC,QAAQ,EAAE;YACR,EAAE,IAAI,EAAE,QAAQ,EAAE,KAAK,EAAE,QAAQ,EAAE,WAAW,EAAE,qCAAqC,EAAE;YACvF;gBACE,IAAI,EAAE,UAAU;gBAChB,KAAK,EAAE,UAAU;gBACjB,WAAW,EAAE,0CAA0C;aACxD;YACD;gBACE,IAAI,EAAE,YAAY;gBAClB,KAAK,EAAE,YAAY;gBACnB,WAAW,EAAE,qCAAqC;aACnD;SACF;QACD,MAAM,EAAE;YACN,GAAG,EAAE,EAAE,IAAI,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE,QAAQ,EAAE,IAAI,EAAE;YAClD,MAAM,EAAE,EAAE,IAAI,EAAE,OAAO,EAAE,KAAK,EAAE,QAAQ,EAAE;YAC1C,QAAQ,EAAE,EAAE,IAAI,EAAE,SAAS,EAAE,KAAK,EAAE,UAAU,EAAE;YAChD,IAAI,EAAE,EAAE,IAAI,EAAE,SAAS,EAAE,KAAK,EAAE,MAAM,EAAE;SACzC;KACF;IACD;QACE,IAAI,EAAE,SAAS;QACf,KAAK,EAAE,SAAS;QAChB,IAAI,EAAE,MAAM;QACZ,WAAW,EAAE,mDAAmD;QAChE,QAAQ,EAAE;YACR,EAAE,IAAI,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,EAAE,WAAW,EAAE,wBAAwB,EAAE;YACtE,EAAE,IAAI,EAAE,SAAS,EAAE,KAAK,EAAE,SAAS,EAAE,WAAW,EAAE,8BAA8B,EAAE;YAClF,EAAE,IAAI,EAAE,UAAU,EAAE,KAAK,EAAE,UAAU,EAAE,WAAW,EAAE,+BAA+B,EAAE;YACrF,EAAE,IAAI,EAAE,UAAU,EAAE,KAAK,EAAE,UAAU,EAAE,WAAW,EAAE,oCAAoC,EAAE;SAC3F;QACD,MAAM,EAAE;YACN,MAAM,EAAE;gBACN,IAAI,EAAE,OAAO;gBACb,KAAK,EAAE,QAAQ;gBACf,MAAM,EAAE;oBACN,GAAG,EAAE,EAAE,IAAI,EAAE,OAAO,EAAE,KAAK,EAAE,QAAQ,EAAE,QAAQ,EAAE,IAAI,EAAE;oBACvD,GAAG,EAAE,EAAE,IAAI,EAAE,MAAM,EAAE,KAAK,EAAE,UAAU,EAAE,QAAQ,EAAE,IAAI,EAAE;oBACxD,OAAO,EAAE,EAAE,IAAI,EAAE,MAAM,EAAE,KAAK,EAAE,SAAS,EAAE;iBAC5C;aACF;SACF;KACF;IACD;QACE,IAAI,EAAE,KAAK;QACX,KAAK,EAAE,KAAK;QACZ,IAAI,EAAE,YAAY;QAClB,WAAW,EAAE,iCAAiC;QAC9C,QAAQ,EAAE;YACR,EAAE,IAAI,EAAE,WAAW,EAAE,KAAK,EAAE,WAAW,EAAE,WAAW,EAAE,8BAA8B,EAAE;YACtF,EAAE,IAAI,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,EAAE,WAAW,EAAE,sCAAsC,EAAE;YACpF;gBACE,IAAI,EAAE,YAAY;gBAClB,KAAK,EAAE,YAAY;gBACnB,WAAW,EAAE,oCAAoC;aAClD;SACF;QACD,MAAM,EAAE;YACN,KAAK,EAAE;gBACL,IAAI,EAAE,OAAO;gBACb,KAAK,EAAE,OAAO;gBACd,MAAM,EAAE;oBACN,QAAQ,EAAE,EAAE,IAAI,EAAE,MAAM,EAAE,KAAK,EAAE,UAAU,EAAE,QAAQ,EAAE,IAAI,EAAE;oBAC7D,MAAM,EAAE,EAAE,IAAI,EAAE,UAAU,EAAE,KAAK,EAAE,QAAQ,EAAE,QAAQ,EAAE,IAAI,EAAE;iBAC9D;aACF;SACF;KACF;IACD;QACE,IAAI,EAAE,MAAM;QACZ,KAAK,EAAE,MAAM;QACb,IAAI,EAAE,UAAU;QAChB,WAAW,EAAE,yCAAyC;QACtD,QAAQ,EAAE;YACR,EAAE,IAAI,EAAE,SAAS,EAAE,KAAK,EAAE,SAAS,EAAE,WAAW,EAAE,8BAA8B,EAAE;YAClF,EAAE,IAAI,EAAE,YAAY,EAAE,KAAK,EAAE,YAAY,EAAE,WAAW,EAAE,sBAAsB,EAAE;YAChF,EAAE,IAAI,EAAE,QAAQ,EAAE,KAAK,EAAE,QAAQ,EAAE,WAAW,EAAE,0BAA0B,EAAE;SAC7E;QACD,MAAM,EAAE;YACN,MAAM,EAAE,EAAE,IAAI,EAAE,cAAc,EAAE,KAAK,EAAE,MAAM,EAAE,UAAU,EAAE,OAAO,EAAE;YACpE,cAAc,EAAE,EAAE,IAAI,EAAE,MAAM,EAAE,KAAK,EAAE,iBAAiB,EAAE;SAC3D;KACF;IACD;QACE,IAAI,EAAE,MAAM;QACZ,KAAK,EAAE,MAAM;QACb,IAAI,EAAE,MAAM;QACZ,WAAW,EAAE,oCAAoC;QACjD,QAAQ,EAAE;YACR,EAAE,IAAI,EAAE,OAAO,EAAE,KAAK,EAAE,OAAO,EAAE,WAAW,EAAE,oBAAoB,EAAE;YACpE,EAAE,IAAI,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,EAAE,WAAW,EAAE,gBAAgB,EAAE;YAC9D,EAAE,IAAI,EAAE,QAAQ,EAAE,KAAK,EAAE,QAAQ,EAAE,WAAW,EAAE,+BAA+B,EAAE;SAClF;QACD,MAAM,EAAE;YACN,OAAO,EAAE,EAAE,IAAI,EAAE,MAAM,EAAE,KAAK,EAAE,SAAS,EAAE,QAAQ,EAAE,IAAI,EAAE;YAC3D,QAAQ,EAAE;gBACR,IAAI,EAAE,QAAQ;gBACd,KAAK,EAAE,UAAU;gBACjB,OAAO,EAAE;oBACP,EAAE,KAAK,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,EAAE;oBAChC,EAAE,KAAK,EAAE,YAAY,EAAE,KAAK,EAAE,YAAY,EAAE;oBAC5C,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE;iBAC/B;aACF;YACD,SAAS,EAAE,EAAE,IAAI,EAAE,SAAS,EAAE,KAAK,EAAE,WAAW,EAAE;SACnD;KACF;CACF,CAAA;AAoBD,SAAS,gCAAgC;IACvC,IAAI,OAAO,UAAU,KAAK,WAAW;QAAE,OAAO,EAAE,CAAA;IAChD,4EAA4E;IAC5E,yEAAyE;IACzE,sEAAsE;IACtE,gEAAgE;IAChE,MAAM,MAAM,GAAI,UAA2E;SACxF,eAAe,CAAA;IAClB,MAAM,MAAM,GAAG,MAAM,EAAE,WAAW,EAAE,MAAM,CAAA;IAC1C,IAAI,KAAK,CAAC,OAAO,CAAC,MAAM,CAAC,EAAE,CAAC;QAC1B,OAAO,MAAM,CAAC,MAAM,CAAC,CAAC,CAAC,EAA4B,EAAE,CAAC,CAAC,CAAC,CAAC,IAAI,OAAO,CAAC,CAAC,IAAI,KAAK,QAAQ,CAAC,CAAA;IAC1F,CAAC;IACD,OAAO,EAAE,CAAA;AACX,CAAC;AAED,MAAM,OAAO,YAAY;IACf,MAAM,CAAkC;IAEhD,YAAY,UAA+B,EAAE;QAC3C,MAAM,WAAW,GAAG,OAAO,CAAC,WAAW,KAAK,KAAK,CAAA;QACjD,IAAI,CAAC,MAAM,GAAG,IAAI,GAAG,EAAE,CAAA;QAEvB,IAAI,WAAW,EAAE,CAAC;YAChB,KAAK,MAAM,KAAK,IAAI,WAAW,EAAE,CAAC;gBAChC,IAAI,CAAC,MAAM,CAAC,GAAG,CAAC,KAAK,CAAC,IAAI,EAAE,KAAK,CAAC,CAAA;YACpC,CAAC;QACH,CAAC;QAED,sEAAsE;QACtE,sEAAsE;QACtE,qDAAqD;QACrD,MAAM,MAAM,GAAG,OAAO,CAAC,YAAY,IAAI,gCAAgC,EAAE,CAAA;QACzE,KAAK,MAAM,KAAK,IAAI,MAAM,EAAE,CAAC;YAC3B,IAAI,CAAC,MAAM,CAAC,GAAG,CAAC,KAAK,CAAC,IAAI,EAAE,KAAK,CAAC,CAAA;QACpC,CAAC;IACH,CAAC;IAED,GAAG,CAAC,IAAY;QACd,OAAO,IAAI,CAAC,MAAM,CAAC,GAAG,CAAC,IAAI,CAAC,CAAA;IAC9B,CAAC;IAED,MAAM;QACJ,OAAO,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,MAAM,EAAE,CAAC,CAAA;IACzC,CAAC;IAED,QAAQ,CAAC,KAA0B;QACjC,IAAI,CAAC,MAAM,CAAC,GAAG,CAAC,KAAK,CAAC,IAAI,EAAE,KAAK,CAAC,CAAA;IACpC,CAAC;IAED,UAAU,CAAC,SAAiB,EAAE,WAAmB;QAC/C,MAAM,KAAK,GAAG,IAAI,CAAC,MAAM,CAAC,GAAG,CAAC,SAAS,CAAC,CAAA;QACxC,IAAI,CAAC,KAAK;YAAE,OAAO,SAAS,CAAA;QAC5B,OAAO,KAAK,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,WAAW,CAAC,CAAA;IAC3D,CAAC;CACF"}

package/dist/security/audit.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"audit.d.ts","sourceRoot":"","sources":["../../src/security/audit.ts"],"names":[],"mappings":"AAEA,MAAM,WAAW,UAAU;IACzB,KAAK,EAAE,MAAM,CAAA;IACb,MAAM,CAAC,EAAE,MAAM,CAAA;IACf,SAAS,CAAC,EAAE,MAAM,CAAA;IAClB,SAAS,CAAC,EAAE,MAAM,CAAA;IAClB,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAA;IACjC,SAAS,CAAC,EAAE,IAAI,CAAA;CACjB;AAED,MAAM,WAAW,aAAa;IAC5B,KAAK,CAAC,EAAE,MAAM,CAAA;IACd,MAAM,CAAC,EAAE,MAAM,CAAA;IACf,IAAI,CAAC,EAAE,IAAI,CAAA;IACX,EAAE,CAAC,EAAE,IAAI,CAAA;IACT,KAAK,CAAC,EAAE,MAAM,CAAA;IACd,MAAM,CAAC,EAAE,MAAM,CAAA;CAChB;AAED,MAAM,WAAW,cAAc;IAC7B,OAAO,EAAE,UAAU,EAAE,CAAA;IACrB,KAAK,EAAE,MAAM,CAAA;CACd;AAED,iCAAiC;AACjC,wBAAsB,QAAQ,CAAC,KAAK,EAAE;IACpC,KAAK,EAAE,MAAM,CAAA;IACb,MAAM,CAAC,EAAE,MAAM,CAAA;IACf,SAAS,CAAC,EAAE,MAAM,CAAA;IAClB,SAAS,CAAC,EAAE,MAAM,CAAA;IAClB,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAA;CAClC,GAAG,OAAO,CAAC,IAAI,CAAC,CAmBhB;AAED,2DAA2D;AAC3D,wBAAsB,WAAW,CAC/B,OAAO,GAAE;IACP,MAAM,CAAC,EAAE,MAAM,CAAA;IACf,KAAK,CAAC,EAAE,MAAM,CAAA;IACd,IAAI,CAAC,EAAE,MAAM,CAAA;IACb,QAAQ,CAAC,EAAE,MAAM,CAAA;CACb,GACL,OAAO,CAAC;IAAE,OAAO,EAAE,GAAG,EAAE,CAAC;IAAC,KAAK,EAAE,MAAM,CAAA;CAAE,CAAC,CAmB5C"}
+{"version":3,"file":"audit.d.ts","sourceRoot":"","sources":["../../src/security/audit.ts"],"names":[],"mappings":"AAKA,MAAM,WAAW,UAAU;IACzB,KAAK,EAAE,MAAM,CAAA;IACb,MAAM,CAAC,EAAE,MAAM,CAAA;IACf,SAAS,CAAC,EAAE,MAAM,CAAA;IAClB,SAAS,CAAC,EAAE,MAAM,CAAA;IAClB,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAA;IACjC,SAAS,CAAC,EAAE,IAAI,CAAA;CACjB;AAED,MAAM,WAAW,aAAa;IAC5B,KAAK,CAAC,EAAE,MAAM,CAAA;IACd,MAAM,CAAC,EAAE,MAAM,CAAA;IACf,IAAI,CAAC,EAAE,IAAI,CAAA;IACX,EAAE,CAAC,EAAE,IAAI,CAAA;IACT,KAAK,CAAC,EAAE,MAAM,CAAA;IACd,MAAM,CAAC,EAAE,MAAM,CAAA;CAChB;AAED,MAAM,WAAW,cAAc;IAC7B,OAAO,EAAE,UAAU,EAAE,CAAA;IACrB,KAAK,EAAE,MAAM,CAAA;CACd;AAED,iCAAiC;AACjC,wBAAsB,QAAQ,CAAC,KAAK,EAAE;IACpC,KAAK,EAAE,MAAM,CAAA;IACb,MAAM,CAAC,EAAE,MAAM,CAAA;IACf,SAAS,CAAC,EAAE,MAAM,CAAA;IAClB,SAAS,CAAC,EAAE,MAAM,CAAA;IAClB,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAA;CAClC,GAAG,OAAO,CAAC,IAAI,CAAC,CAmBhB;AAED,2DAA2D;AAC3D,wBAAsB,WAAW,CAC/B,OAAO,GAAE;IACP,MAAM,CAAC,EAAE,MAAM,CAAA;IACf,KAAK,CAAC,EAAE,MAAM,CAAA;IACd,IAAI,CAAC,EAAE,MAAM,CAAA;IACb,QAAQ,CAAC,EAAE,MAAM,CAAA;CACb,GACL,OAAO,CAAC;IAAE,OAAO,EAAE,GAAG,EAAE,CAAC;IAAC,KAAK,EAAE,MAAM,CAAA;CAAE,CAAC,CAmB5C"}

package/dist/security/audit.js

@@ -1,4 +1,6 @@
 import { getDB } from '../db.js';
+import { createLogger } from '../diagnostics/logger.js';
+const logger = createLogger('audit');
 /** Record an audit log event. */
 export async function logEvent(event) {
     try {
@@ -17,7 +19,7 @@ export async function logEvent(event) {
         // Fail open — audit logging should never block the primary operation,
         // but still surface the failure so the operator can fix it.
         if (process.env.NODE_ENV !== 'test') {
-            console.error('[actuate][audit] logEvent failed:', err instanceof Error ? err.message : err);
+            logger.error('logEvent failed', { reason: err instanceof Error ? err.message : String(err) });
         }
     }
 }

package/dist/security/audit.js.map

@@ -1 +1 @@
-{"version":3,"file":"audit.js","sourceRoot":"","sources":["../../src/security/audit.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,KAAK,EAAE,MAAM,UAAU,CAAA;AAyBhC,iCAAiC;AACjC,MAAM,CAAC,KAAK,UAAU,QAAQ,CAAC,KAM9B;IACC,IAAI,CAAC;QACH,MAAM,EAAE,GAAG,KAAK,EAAO,CAAA;QACvB,MAAM,EAAE,CAAC,QAAQ,CAAC,MAAM,CAAC;YACvB,IAAI,EAAE;gBACJ,KAAK,EAAE,KAAK,CAAC,KAAK;gBAClB,MAAM,EAAE,KAAK,CAAC,MAAM,IAAI,IAAI;gBAC5B,SAAS,EAAE,KAAK,CAAC,SAAS,IAAI,IAAI;gBAClC,SAAS,EAAE,KAAK,CAAC,SAAS,IAAI,IAAI;gBAClC,OAAO,EAAE,KAAK,CAAC,OAAO,IAAI,IAAI;aAC/B;SACF,CAAC,CAAA;IACJ,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,sEAAsE;QACtE,4DAA4D;QAC5D,IAAI,OAAO,CAAC,GAAG,CAAC,QAAQ,KAAK,MAAM,EAAE,CAAC;YACpC,OAAO,CAAC,KAAK,CAAC,mCAAmC,EAAE,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,GAAG,CAAC,CAAA;QAC9F,CAAC;IACH,CAAC;AACH,CAAC;AAED,2DAA2D;AAC3D,MAAM,CAAC,KAAK,UAAU,WAAW,CAC/B,UAKI,EAAE;IAEN,MAAM,EAAE,GAAG,KAAK,EAAO,CAAA;IACvB,MAAM,EAAE,MAAM,EAAE,KAAK,EAAE,IAAI,GAAG,CAAC,EAAE,QAAQ,GAAG,EAAE,EAAE,GAAG,OAAO,CAAA;IAE1D,MAAM,KAAK,GAAQ,EAAE,CAAA;IACrB,IAAI,MAAM;QAAE,KAAK,CAAC,MAAM,GAAG,MAAM,CAAA;IACjC,IAAI,KAAK;QAAE,KAAK,CAAC,KAAK,GAAG,KAAK,CAAA;IAE9B,MAAM,CAAC,OAAO,EAAE,KAAK,CAAC,GAAG,MAAM,OAAO,CAAC,GAAG,CAAC;QACzC,EAAE,CAAC,QAAQ,CAAC,QAAQ,CAAC;YACnB,KAAK;YACL,OAAO,EAAE,EAAE,SAAS,EAAE,MAAM,EAAE;YAC9B,IAAI,EAAE,CAAC,IAAI,GAAG,CAAC,CAAC,GAAG,QAAQ;YAC3B,IAAI,EAAE,QAAQ;SACf,CAAC;QACF,EAAE,CAAC,QAAQ,CAAC,KAAK,CAAC,EAAE,KAAK,EAAE,CAAC;KAC7B,CAAC,CAAA;IAEF,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,CAAA;AAC3B,CAAC"}
+{"version":3,"file":"audit.js","sourceRoot":"","sources":["../../src/security/audit.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,KAAK,EAAE,MAAM,UAAU,CAAA;AAChC,OAAO,EAAE,YAAY,EAAE,MAAM,0BAA0B,CAAA;AAEvD,MAAM,MAAM,GAAG,YAAY,CAAC,OAAO,CAAC,CAAA;AAyBpC,iCAAiC;AACjC,MAAM,CAAC,KAAK,UAAU,QAAQ,CAAC,KAM9B;IACC,IAAI,CAAC;QACH,MAAM,EAAE,GAAG,KAAK,EAAO,CAAA;QACvB,MAAM,EAAE,CAAC,QAAQ,CAAC,MAAM,CAAC;YACvB,IAAI,EAAE;gBACJ,KAAK,EAAE,KAAK,CAAC,KAAK;gBAClB,MAAM,EAAE,KAAK,CAAC,MAAM,IAAI,IAAI;gBAC5B,SAAS,EAAE,KAAK,CAAC,SAAS,IAAI,IAAI;gBAClC,SAAS,EAAE,KAAK,CAAC,SAAS,IAAI,IAAI;gBAClC,OAAO,EAAE,KAAK,CAAC,OAAO,IAAI,IAAI;aAC/B;SACF,CAAC,CAAA;IACJ,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,sEAAsE;QACtE,4DAA4D;QAC5D,IAAI,OAAO,CAAC,GAAG,CAAC,QAAQ,KAAK,MAAM,EAAE,CAAC;YACpC,MAAM,CAAC,KAAK,CAAC,iBAAiB,EAAE,EAAE,MAAM,EAAE,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,EAAE,CAAC,CAAA;QAC/F,CAAC;IACH,CAAC;AACH,CAAC;AAED,2DAA2D;AAC3D,MAAM,CAAC,KAAK,UAAU,WAAW,CAC/B,UAKI,EAAE;IAEN,MAAM,EAAE,GAAG,KAAK,EAAO,CAAA;IACvB,MAAM,EAAE,MAAM,EAAE,KAAK,EAAE,IAAI,GAAG,CAAC,EAAE,QAAQ,GAAG,EAAE,EAAE,GAAG,OAAO,CAAA;IAE1D,MAAM,KAAK,GAAQ,EAAE,CAAA;IACrB,IAAI,MAAM;QAAE,KAAK,CAAC,MAAM,GAAG,MAAM,CAAA;IACjC,IAAI,KAAK;QAAE,KAAK,CAAC,KAAK,GAAG,KAAK,CAAA;IAE9B,MAAM,CAAC,OAAO,EAAE,KAAK,CAAC,GAAG,MAAM,OAAO,CAAC,GAAG,CAAC;QACzC,EAAE,CAAC,QAAQ,CAAC,QAAQ,CAAC;YACnB,KAAK;YACL,OAAO,EAAE,EAAE,SAAS,EAAE,MAAM,EAAE;YAC9B,IAAI,EAAE,CAAC,IAAI,GAAG,CAAC,CAAC,GAAG,QAAQ;YAC3B,IAAI,EAAE,QAAQ;SACf,CAAC;QACF,EAAE,CAAC,QAAQ,CAAC,KAAK,CAAC,EAAE,KAAK,EAAE,CAAC;KAC7B,CAAC,CAAA;IAEF,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,CAAA;AAC3B,CAAC"}

package/dist/security/encrypted-fields.d.ts

@@ -1,3 +1,12 @@
+/**
+ * Thrown for invalid `CMS_ENCRYPTION_KEY` shape. We use a named class so the
+ * caller (typically an API handler) can map it to a clear 500 with operator
+ * guidance rather than the opaque `OperationError` that some Web Crypto
+ * implementations throw on malformed keys.
+ */
+export declare class InvalidEncryptionKeyError extends Error {
+    constructor(reason: string);
+}
 /** Encrypt a field value using AES-256-GCM. */
 export declare function encryptField(value: string, keyHex: string): Promise<string>;
 /** Decrypt a field value encrypted with AES-256-GCM. */

package/dist/security/encrypted-fields.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"encrypted-fields.d.ts","sourceRoot":"","sources":["../../src/security/encrypted-fields.ts"],"names":[],"mappings":"AAIA,+CAA+C;AAC/C,wBAAsB,YAAY,CAAC,KAAK,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,CAgBjF;AAED,wDAAwD;AACxD,wBAAsB,YAAY,CAAC,SAAS,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,CAarF"}
+{"version":3,"file":"encrypted-fields.d.ts","sourceRoot":"","sources":["../../src/security/encrypted-fields.ts"],"names":[],"mappings":"AAQA;;;;;GAKG;AACH,qBAAa,yBAA0B,SAAQ,KAAK;gBACtC,MAAM,EAAE,MAAM;CAQ3B;AAyBD,+CAA+C;AAC/C,wBAAsB,YAAY,CAAC,KAAK,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,CAiBjF;AAED,wDAAwD;AACxD,wBAAsB,YAAY,CAAC,SAAS,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,CAcrF"}

package/dist/security/encrypted-fields.js

@@ -1,8 +1,46 @@
 const ALGORITHM = 'AES-GCM';
 const IV_LENGTH = 12;
 const TAG_LENGTH = 128;
+const KEY_BYTES = 32; // AES-256 requires exactly 32 bytes
+const KEY_HEX_LENGTH = KEY_BYTES * 2;
+const HEX_RE = /^[0-9a-fA-F]+$/;
+/**
+ * Thrown for invalid `CMS_ENCRYPTION_KEY` shape. We use a named class so the
+ * caller (typically an API handler) can map it to a clear 500 with operator
+ * guidance rather than the opaque `OperationError` that some Web Crypto
+ * implementations throw on malformed keys.
+ */
+export class InvalidEncryptionKeyError extends Error {
+    constructor(reason) {
+        super(`[Actuate CMS] CMS_ENCRYPTION_KEY is invalid: ${reason}. ` +
+            `Generate a valid key with: ` +
+            `node -e "console.log(require('crypto').randomBytes(32).toString('hex'))"`);
+        this.name = 'InvalidEncryptionKeyError';
+    }
+}
+/**
+ * Validate that `keyHex` is exactly 64 hex chars (32 bytes for AES-256).
+ *
+ * Without this guard, WebCrypto's `importKey` either throws an opaque
+ * `OperationError` (short keys), or in some non-spec runtimes silently
+ * truncates / pads — both produce ciphertext that the matching `decrypt`
+ * call can't reverse, surfaced to the user as a generic "decryption failed"
+ * weeks after the bad key was first deployed.
+ */
+function validateKey(keyHex) {
+    if (typeof keyHex !== 'string' || keyHex.length === 0) {
+        throw new InvalidEncryptionKeyError('key is empty or not a string');
+    }
+    if (keyHex.length !== KEY_HEX_LENGTH) {
+        throw new InvalidEncryptionKeyError(`key must be ${KEY_HEX_LENGTH} hex characters (${KEY_BYTES} bytes), got ${keyHex.length}`);
+    }
+    if (!HEX_RE.test(keyHex)) {
+        throw new InvalidEncryptionKeyError('key must contain only hex characters [0-9a-fA-F]');
+    }
+}
 /** Encrypt a field value using AES-256-GCM. */
 export async function encryptField(value, keyHex) {
+    validateKey(keyHex);
     const key = await importKey(keyHex);
     const iv = crypto.getRandomValues(new Uint8Array(IV_LENGTH));
     const encoded = new TextEncoder().encode(value);
@@ -14,6 +52,7 @@ export async function encryptField(value, keyHex) {
 }
 /** Decrypt a field value encrypted with AES-256-GCM. */
 export async function decryptField(encrypted, keyHex) {
+    validateKey(keyHex);
     const key = await importKey(keyHex);
     const data = hexToBuffer(encrypted);
     const iv = data.slice(0, IV_LENGTH);
@@ -33,10 +72,22 @@ function bufferToHex(buffer) {
         .map((b) => b.toString(16).padStart(2, '0'))
         .join('');
 }
+/**
+ * Decode a hex string to bytes. Caller is expected to have validated shape
+ * via `validateKey` for keys; this function tolerates already-validated input
+ * and rejects odd-length hex (which previously silently dropped trailing chars).
+ */
 function hexToBuffer(hex) {
+    if (hex.length % 2 !== 0) {
+        throw new Error('hex string must have an even number of characters');
+    }
     const bytes = new Uint8Array(hex.length / 2);
     for (let i = 0; i < hex.length; i += 2) {
-        bytes[i / 2] = parseInt(hex.slice(i, i + 2), 16);
+        const byte = parseInt(hex.slice(i, i + 2), 16);
+        if (Number.isNaN(byte)) {
+            throw new Error(`invalid hex character at offset ${i}`);
+        }
+        bytes[i / 2] = byte;
     }
     return bytes;
 }