@actuate-media/cms-core 0.12.0 → 0.14.0

package/dist/diagnostics/env.js

@@ -0,0 +1,293 @@
+/**
+ * Environment shape validation for the Actuate CMS runtime.
+ *
+ * The `/health` and admin diagnostics endpoints surface this so operators
+ * notice mis-configured secrets *before* a runtime call hits them. We never
+ * return the values themselves — only the validation verdict and a redacted
+ * preview where it helps debugging (e.g. "first 4 hex chars match").
+ *
+ * Why a dedicated module:
+ *   - Centralises all "is this env var well-formed" rules so consumers don't
+ *     re-invent length / hex / placeholder checks per call site.
+ *   - Fails closed on shape errors (e.g. a 31-char CMS_SECRET, an
+ *     `aes256-local-dev-key-...` placeholder still in production) which the
+ *     prior `presence-only` check missed entirely (audit issue M6).
+ */
+const HEX_RE = /^[0-9a-fA-F]+$/;
+const PLACEHOLDER_PATTERNS = [
+    /change-?(me|in-?prod)/i,
+    /your-?(secret|key|token)/i,
+    /placeholder/i,
+    /example/i,
+    /todo/i,
+    /aes256-local-dev-key/i,
+];
+function isPlaceholder(value) {
+    return PLACEHOLDER_PATTERNS.some((p) => p.test(value));
+}
+const PROCESS_ENV = {
+    get: (name) => process.env[name],
+};
+/**
+ * Validate the shape of every well-known runtime env var. Pass a custom
+ * `source` to test without mutating `process.env`.
+ */
+export function validateEnvShape(source = PROCESS_ENV) {
+    const checks = [];
+    // ─── CMS_SECRET ──────────────────────────────────────────────
+    // The `source.get('CMS_SECRET')` lookup is intentionally pluggable: the
+    // runtime caller (`/api/cms/health`) wraps this so the lookup also covers
+    // the legacy `CMS_SESSION_SECRET` env var and `actuate.config.ts → secret`
+    // — those are equally valid sources at runtime via `getSessionSecret()`.
+    // Without that wrapping, a config-file-only deploy would be falsely
+    // reported as `missing` (Bugbot review on PR #43, Medium).
+    const secret = source.get('CMS_SECRET');
+    if (!secret) {
+        checks.push({
+            name: 'CMS_SECRET',
+            status: 'missing',
+            message: 'Required. Generate with `node -e "console.log(crypto.randomBytes(32).toString(\'hex\'))"` and set `CMS_SECRET`, or pass `secret` in `actuate.config.ts`.',
+            required: true,
+        });
+    }
+    else if (secret.length < 32) {
+        checks.push({
+            name: 'CMS_SECRET',
+            status: 'error',
+            message: `Must be ≥ 32 characters (got ${secret.length}). JWT signing requires this minimum.`,
+            required: true,
+        });
+    }
+    else if (isPlaceholder(secret)) {
+        checks.push({
+            name: 'CMS_SECRET',
+            status: 'error',
+            message: 'Looks like a placeholder string. Replace with a real 32+ char random secret.',
+            required: true,
+        });
+    }
+    else {
+        // Intentionally do not include `secret.length` here — `/health` is
+        // unauthenticated and exact secret lengths narrow brute-force search
+        // space for an attacker. The error/warn branches above can stay verbose
+        // because they only trigger on operator-visible misconfigurations.
+        checks.push({
+            name: 'CMS_SECRET',
+            status: 'ok',
+            message: 'Configured.',
+            required: true,
+        });
+    }
+    // ─── CMS_ENCRYPTION_KEY ──────────────────────────────────────
+    const encKey = source.get('CMS_ENCRYPTION_KEY');
+    if (!encKey) {
+        checks.push({
+            name: 'CMS_ENCRYPTION_KEY',
+            status: 'warn',
+            message: 'Optional but recommended. AES-256-GCM field encryption will throw at runtime when not set. Provide 64 hex chars.',
+            required: false,
+        });
+    }
+    else if (encKey.length !== 64) {
+        checks.push({
+            name: 'CMS_ENCRYPTION_KEY',
+            status: 'error',
+            message: `Must be exactly 64 hex characters (32 bytes). Got ${encKey.length}.`,
+            required: false,
+        });
+    }
+    else if (!HEX_RE.test(encKey)) {
+        // No `isPlaceholder()` branch follows — by this point the value has
+        // already passed length-64 and `HEX_RE`, meaning it's pure hex chars.
+        // Every pattern in `PLACEHOLDER_PATTERNS` requires non-hex letters
+        // (`g`, `h`, `l`, `m`, `o`, `p`, `r`, `s`, `t`, `u`, `v`, `w`, `x`, `y`, `z`,
+        // hyphens) so a passing hex string can never match a placeholder. The
+        // message below already says "Looks like a placeholder" for the common
+        // case where the configured value is a documented dev placeholder
+        // (e.g. `aes256-local-dev-key-change-in-prod`, which fails this branch).
+        checks.push({
+            name: 'CMS_ENCRYPTION_KEY',
+            status: 'error',
+            message: 'Must contain only hex characters (0-9, a-f). Looks like a placeholder.',
+            required: false,
+        });
+    }
+    else {
+        checks.push({
+            name: 'CMS_ENCRYPTION_KEY',
+            status: 'ok',
+            message: 'Configured.',
+            required: false,
+        });
+    }
+    // ─── DATABASE_URL ────────────────────────────────────────────
+    const dbUrl = source.get('DATABASE_URL');
+    if (!dbUrl) {
+        checks.push({
+            name: 'DATABASE_URL',
+            status: 'missing',
+            message: 'Required. Connection string for the Prisma client.',
+            required: true,
+        });
+    }
+    else if (!/^(postgres(ql)?|mysql|file|sqlite):/i.test(dbUrl)) {
+        checks.push({
+            name: 'DATABASE_URL',
+            status: 'error',
+            message: 'Must start with a known DB scheme (postgres://, mysql://, file:, sqlite://).',
+            required: true,
+        });
+    }
+    else {
+        checks.push({
+            name: 'DATABASE_URL',
+            status: 'ok',
+            message: 'Configured.',
+            required: true,
+        });
+    }
+    // ─── BLOB_READ_WRITE_TOKEN ──────────────────────────────────
+    const blob = source.get('BLOB_READ_WRITE_TOKEN');
+    if (!blob) {
+        checks.push({
+            name: 'BLOB_READ_WRITE_TOKEN',
+            status: 'warn',
+            message: 'Required for media uploads on Vercel Blob storage. Without it, /media/upload will fail.',
+            required: false,
+        });
+    }
+    else if (!blob.startsWith('vercel_blob_')) {
+        checks.push({
+            name: 'BLOB_READ_WRITE_TOKEN',
+            status: 'warn',
+            message: 'Does not start with `vercel_blob_` — verify this is a real Vercel Blob token.',
+            required: false,
+        });
+    }
+    else {
+        checks.push({
+            name: 'BLOB_READ_WRITE_TOKEN',
+            status: 'ok',
+            message: 'Configured.',
+            required: false,
+        });
+    }
+    // ─── UPSTASH_REDIS_REST_URL / TOKEN ─────────────────────────
+    const upstashUrl = source.get('UPSTASH_REDIS_REST_URL');
+    const upstashToken = source.get('UPSTASH_REDIS_REST_TOKEN');
+    if (!upstashUrl && !upstashToken) {
+        checks.push({
+            name: 'UPSTASH_REDIS_REST_URL',
+            status: 'warn',
+            message: 'Optional. Without Upstash, rate limiting falls back to in-memory (single-process only — unsafe across serverless invocations).',
+            required: false,
+        });
+    }
+    else if (upstashUrl && !upstashToken) {
+        checks.push({
+            name: 'UPSTASH_REDIS_REST_TOKEN',
+            status: 'error',
+            message: 'URL is set but token is missing — rate limiter will refuse to start.',
+            required: false,
+        });
+    }
+    else if (!upstashUrl && upstashToken) {
+        checks.push({
+            name: 'UPSTASH_REDIS_REST_URL',
+            status: 'error',
+            message: 'Token is set but URL is missing — rate limiter will refuse to start.',
+            required: false,
+        });
+    }
+    else {
+        try {
+            // eslint-disable-next-line no-new
+            new URL(upstashUrl);
+            checks.push({
+                name: 'UPSTASH_REDIS_REST_URL',
+                status: 'ok',
+                message: 'Configured (Upstash backend active).',
+                required: false,
+            });
+        }
+        catch {
+            checks.push({
+                name: 'UPSTASH_REDIS_REST_URL',
+                status: 'error',
+                message: 'Not a valid URL.',
+                required: false,
+            });
+        }
+    }
+    // ─── RESEND_API_KEY ─────────────────────────────────────────
+    const resend = source.get('RESEND_API_KEY');
+    if (!resend) {
+        checks.push({
+            name: 'RESEND_API_KEY',
+            status: 'warn',
+            message: 'Optional. Without it, transactional email (lead notifications, password reset) is silently skipped.',
+            required: false,
+        });
+    }
+    else if (!resend.startsWith('re_')) {
+        checks.push({
+            name: 'RESEND_API_KEY',
+            status: 'warn',
+            message: 'Does not start with `re_` — verify this is a real Resend API key.',
+            required: false,
+        });
+    }
+    else {
+        checks.push({
+            name: 'RESEND_API_KEY',
+            status: 'ok',
+            message: 'Configured.',
+            required: false,
+        });
+    }
+    // ─── CRON_SECRET ────────────────────────────────────────────
+    const cronSecret = source.get('CRON_SECRET');
+    if (!cronSecret) {
+        checks.push({
+            name: 'CRON_SECRET',
+            status: 'warn',
+            message: 'Required to authorise /api/cms/cron/* endpoints. Without it, cron routes return 401 to all callers.',
+            required: false,
+        });
+    }
+    else if (cronSecret.length < 16) {
+        checks.push({
+            name: 'CRON_SECRET',
+            status: 'error',
+            message: `Should be ≥ 16 chars (got ${cronSecret.length}). Cron endpoints are publicly addressable.`,
+            required: false,
+        });
+    }
+    else if (isPlaceholder(cronSecret)) {
+        checks.push({
+            name: 'CRON_SECRET',
+            status: 'error',
+            message: 'Looks like a placeholder string.',
+            required: false,
+        });
+    }
+    else {
+        // Same reasoning as CMS_SECRET above — keep the length out of the
+        // unauthenticated /health surface.
+        checks.push({
+            name: 'CRON_SECRET',
+            status: 'ok',
+            message: 'Configured.',
+            required: false,
+        });
+    }
+    const errorCount = checks.filter((c) => c.status === 'error' || (c.status === 'missing' && c.required)).length;
+    const warnCount = checks.filter((c) => c.status === 'warn').length;
+    return {
+        ok: errorCount === 0,
+        errorCount,
+        warnCount,
+        checks,
+    };
+}
+//# sourceMappingURL=env.js.map

package/dist/diagnostics/env.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"env.js","sourceRoot":"","sources":["../../src/diagnostics/env.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;GAcG;AAwBH,MAAM,MAAM,GAAG,gBAAgB,CAAA;AAC/B,MAAM,oBAAoB,GAAG;IAC3B,wBAAwB;IACxB,2BAA2B;IAC3B,cAAc;IACd,UAAU;IACV,OAAO;IACP,uBAAuB;CACxB,CAAA;AAED,SAAS,aAAa,CAAC,KAAa;IAClC,OAAO,oBAAoB,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAA;AACxD,CAAC;AAMD,MAAM,WAAW,GAAc;IAC7B,GAAG,EAAE,CAAC,IAAI,EAAE,EAAE,CAAC,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC;CACjC,CAAA;AAED;;;GAGG;AACH,MAAM,UAAU,gBAAgB,CAAC,SAAoB,WAAW;IAC9D,MAAM,MAAM,GAAe,EAAE,CAAA;IAE7B,gEAAgE;IAChE,wEAAwE;IACxE,0EAA0E;IAC1E,2EAA2E;IAC3E,yEAAyE;IACzE,oEAAoE;IACpE,2DAA2D;IAC3D,MAAM,MAAM,GAAG,MAAM,CAAC,GAAG,CAAC,YAAY,CAAC,CAAA;IACvC,IAAI,CAAC,MAAM,EAAE,CAAC;QACZ,MAAM,CAAC,IAAI,CAAC;YACV,IAAI,EAAE,YAAY;YAClB,MAAM,EAAE,SAAS;YACjB,OAAO,EACL,0JAA0J;YAC5J,QAAQ,EAAE,IAAI;SACf,CAAC,CAAA;IACJ,CAAC;SAAM,IAAI,MAAM,CAAC,MAAM,GAAG,EAAE,EAAE,CAAC;QAC9B,MAAM,CAAC,IAAI,CAAC;YACV,IAAI,EAAE,YAAY;YAClB,MAAM,EAAE,OAAO;YACf,OAAO,EAAE,gCAAgC,MAAM,CAAC,MAAM,uCAAuC;YAC7F,QAAQ,EAAE,IAAI;SACf,CAAC,CAAA;IACJ,CAAC;SAAM,IAAI,aAAa,CAAC,MAAM,CAAC,EAAE,CAAC;QACjC,MAAM,CAAC,IAAI,CAAC;YACV,IAAI,EAAE,YAAY;YAClB,MAAM,EAAE,OAAO;YACf,OAAO,EAAE,8EAA8E;YACvF,QAAQ,EAAE,IAAI;SACf,CAAC,CAAA;IACJ,CAAC;SAAM,CAAC;QACN,mEAAmE;QACnE,qEAAqE;QACrE,wEAAwE;QACxE,mEAAmE;QACnE,MAAM,CAAC,IAAI,CAAC;YACV,IAAI,EAAE,YAAY;YAClB,MAAM,EAAE,IAAI;YACZ,OAAO,EAAE,aAAa;YACtB,QAAQ,EAAE,IAAI;SACf,CAAC,CAAA;IACJ,CAAC;IAED,gEAAgE;IAChE,MAAM,MAAM,GAAG,MAAM,CAAC,GAAG,CAAC,oBAAoB,CAAC,CAAA;IAC/C,IAAI,CAAC,MAAM,EAAE,CAAC;QACZ,MAAM,CAAC,IAAI,CAAC;YACV,IAAI,EAAE,oBAAoB;YAC1B,MAAM,EAAE,MAAM;YACd,OAAO,EACL,kHAAkH;YACpH,QAAQ,EAAE,KAAK;SAChB,CAAC,CAAA;IACJ,CAAC;SAAM,IAAI,MAAM,CAAC,MAAM,KAAK,EAAE,EAAE,CAAC;QAChC,MAAM,CAAC,IAAI,CAAC;YACV,IAAI,EAAE,oBAAoB;YAC1B,MAAM,EAAE,OAAO;YACf,OAAO,EAAE,qDAAqD,MAAM,CAAC,MAAM,GAAG;YAC9E,QAAQ,EAAE,KAAK;SAChB,CAAC,CAAA;IACJ,CAAC;SAAM,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,EAAE,CAAC;QAChC,oEAAoE;QACpE,sEAAsE;QACtE,mEAAmE;QACnE,8EAA8E;QAC9E,sEAAsE;QACtE,uEAAuE;QACvE,kEAAkE;QAClE,yEAAyE;QACzE,MAAM,CAAC,IAAI,CAAC;YACV,IAAI,EAAE,oBAAoB;YAC1B,MAAM,EAAE,OAAO;YACf,OAAO,EAAE,wEAAwE;YACjF,QAAQ,EAAE,KAAK;SAChB,CAAC,CAAA;IACJ,CAAC;SAAM,CAAC;QACN,MAAM,CAAC,IAAI,CAAC;YACV,IAAI,EAAE,oBAAoB;YAC1B,MAAM,EAAE,IAAI;YACZ,OAAO,EAAE,aAAa;YACtB,QAAQ,EAAE,KAAK;SAChB,CAAC,CAAA;IACJ,CAAC;IAED,gEAAgE;IAChE,MAAM,KAAK,GAAG,MAAM,CAAC,GAAG,CAAC,cAAc,CAAC,CAAA;IACxC,IAAI,CAAC,KAAK,EAAE,CAAC;QACX,MAAM,CAAC,IAAI,CAAC;YACV,IAAI,EAAE,cAAc;YACpB,MAAM,EAAE,SAAS;YACjB,OAAO,EAAE,oDAAoD;YAC7D,QAAQ,EAAE,IAAI;SACf,CAAC,CAAA;IACJ,CAAC;SAAM,IAAI,CAAC,sCAAsC,CAAC,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC;QAC/D,MAAM,CAAC,IAAI,CAAC;YACV,IAAI,EAAE,cAAc;YACpB,MAAM,EAAE,OAAO;YACf,OAAO,EAAE,8EAA8E;YACvF,QAAQ,EAAE,IAAI;SACf,CAAC,CAAA;IACJ,CAAC;SAAM,CAAC;QACN,MAAM,CAAC,IAAI,CAAC;YACV,IAAI,EAAE,cAAc;YACpB,MAAM,EAAE,IAAI;YACZ,OAAO,EAAE,aAAa;YACtB,QAAQ,EAAE,IAAI;SACf,CAAC,CAAA;IACJ,CAAC;IAED,+DAA+D;IAC/D,MAAM,IAAI,GAAG,MAAM,CAAC,GAAG,CAAC,uBAAuB,CAAC,CAAA;IAChD,IAAI,CAAC,IAAI,EAAE,CAAC;QACV,MAAM,CAAC,IAAI,CAAC;YACV,IAAI,EAAE,uBAAuB;YAC7B,MAAM,EAAE,MAAM;YACd,OAAO,EACL,yFAAyF;YAC3F,QAAQ,EAAE,KAAK;SAChB,CAAC,CAAA;IACJ,CAAC;SAAM,IAAI,CAAC,IAAI,CAAC,UAAU,CAAC,cAAc,CAAC,EAAE,CAAC;QAC5C,MAAM,CAAC,IAAI,CAAC;YACV,IAAI,EAAE,uBAAuB;YAC7B,MAAM,EAAE,MAAM;YACd,OAAO,EAAE,+EAA+E;YACxF,QAAQ,EAAE,KAAK;SAChB,CAAC,CAAA;IACJ,CAAC;SAAM,CAAC;QACN,MAAM,CAAC,IAAI,CAAC;YACV,IAAI,EAAE,uBAAuB;YAC7B,MAAM,EAAE,IAAI;YACZ,OAAO,EAAE,aAAa;YACtB,QAAQ,EAAE,KAAK;SAChB,CAAC,CAAA;IACJ,CAAC;IAED,+DAA+D;IAC/D,MAAM,UAAU,GAAG,MAAM,CAAC,GAAG,CAAC,wBAAwB,CAAC,CAAA;IACvD,MAAM,YAAY,GAAG,MAAM,CAAC,GAAG,CAAC,0BAA0B,CAAC,CAAA;IAC3D,IAAI,CAAC,UAAU,IAAI,CAAC,YAAY,EAAE,CAAC;QACjC,MAAM,CAAC,IAAI,CAAC;YACV,IAAI,EAAE,wBAAwB;YAC9B,MAAM,EAAE,MAAM;YACd,OAAO,EACL,gIAAgI;YAClI,QAAQ,EAAE,KAAK;SAChB,CAAC,CAAA;IACJ,CAAC;SAAM,IAAI,UAAU,IAAI,CAAC,YAAY,EAAE,CAAC;QACvC,MAAM,CAAC,IAAI,CAAC;YACV,IAAI,EAAE,0BAA0B;YAChC,MAAM,EAAE,OAAO;YACf,OAAO,EAAE,sEAAsE;YAC/E,QAAQ,EAAE,KAAK;SAChB,CAAC,CAAA;IACJ,CAAC;SAAM,IAAI,CAAC,UAAU,IAAI,YAAY,EAAE,CAAC;QACvC,MAAM,CAAC,IAAI,CAAC;YACV,IAAI,EAAE,wBAAwB;YAC9B,MAAM,EAAE,OAAO;YACf,OAAO,EAAE,sEAAsE;YAC/E,QAAQ,EAAE,KAAK;SAChB,CAAC,CAAA;IACJ,CAAC;SAAM,CAAC;QACN,IAAI,CAAC;YACH,kCAAkC;YAClC,IAAI,GAAG,CAAC,UAAoB,CAAC,CAAA;YAC7B,MAAM,CAAC,IAAI,CAAC;gBACV,IAAI,EAAE,wBAAwB;gBAC9B,MAAM,EAAE,IAAI;gBACZ,OAAO,EAAE,sCAAsC;gBAC/C,QAAQ,EAAE,KAAK;aAChB,CAAC,CAAA;QACJ,CAAC;QAAC,MAAM,CAAC;YACP,MAAM,CAAC,IAAI,CAAC;gBACV,IAAI,EAAE,wBAAwB;gBAC9B,MAAM,EAAE,OAAO;gBACf,OAAO,EAAE,kBAAkB;gBAC3B,QAAQ,EAAE,KAAK;aAChB,CAAC,CAAA;QACJ,CAAC;IACH,CAAC;IAED,+DAA+D;IAC/D,MAAM,MAAM,GAAG,MAAM,CAAC,GAAG,CAAC,gBAAgB,CAAC,CAAA;IAC3C,IAAI,CAAC,MAAM,EAAE,CAAC;QACZ,MAAM,CAAC,IAAI,CAAC;YACV,IAAI,EAAE,gBAAgB;YACtB,MAAM,EAAE,MAAM;YACd,OAAO,EACL,qGAAqG;YACvG,QAAQ,EAAE,KAAK;SAChB,CAAC,CAAA;IACJ,CAAC;SAAM,IAAI,CAAC,MAAM,CAAC,UAAU,CAAC,KAAK,CAAC,EAAE,CAAC;QACrC,MAAM,CAAC,IAAI,CAAC;YACV,IAAI,EAAE,gBAAgB;YACtB,MAAM,EAAE,MAAM;YACd,OAAO,EAAE,mEAAmE;YAC5E,QAAQ,EAAE,KAAK;SAChB,CAAC,CAAA;IACJ,CAAC;SAAM,CAAC;QACN,MAAM,CAAC,IAAI,CAAC;YACV,IAAI,EAAE,gBAAgB;YACtB,MAAM,EAAE,IAAI;YACZ,OAAO,EAAE,aAAa;YACtB,QAAQ,EAAE,KAAK;SAChB,CAAC,CAAA;IACJ,CAAC;IAED,+DAA+D;IAC/D,MAAM,UAAU,GAAG,MAAM,CAAC,GAAG,CAAC,aAAa,CAAC,CAAA;IAC5C,IAAI,CAAC,UAAU,EAAE,CAAC;QAChB,MAAM,CAAC,IAAI,CAAC;YACV,IAAI,EAAE,aAAa;YACnB,MAAM,EAAE,MAAM;YACd,OAAO,EACL,qGAAqG;YACvG,QAAQ,EAAE,KAAK;SAChB,CAAC,CAAA;IACJ,CAAC;SAAM,IAAI,UAAU,CAAC,MAAM,GAAG,EAAE,EAAE,CAAC;QAClC,MAAM,CAAC,IAAI,CAAC;YACV,IAAI,EAAE,aAAa;YACnB,MAAM,EAAE,OAAO;YACf,OAAO,EAAE,6BAA6B,UAAU,CAAC,MAAM,6CAA6C;YACpG,QAAQ,EAAE,KAAK;SAChB,CAAC,CAAA;IACJ,CAAC;SAAM,IAAI,aAAa,CAAC,UAAU,CAAC,EAAE,CAAC;QACrC,MAAM,CAAC,IAAI,CAAC;YACV,IAAI,EAAE,aAAa;YACnB,MAAM,EAAE,OAAO;YACf,OAAO,EAAE,kCAAkC;YAC3C,QAAQ,EAAE,KAAK;SAChB,CAAC,CAAA;IACJ,CAAC;SAAM,CAAC;QACN,kEAAkE;QAClE,mCAAmC;QACnC,MAAM,CAAC,IAAI,CAAC;YACV,IAAI,EAAE,aAAa;YACnB,MAAM,EAAE,IAAI;YACZ,OAAO,EAAE,aAAa;YACtB,QAAQ,EAAE,KAAK;SAChB,CAAC,CAAA;IACJ,CAAC;IAED,MAAM,UAAU,GAAG,MAAM,CAAC,MAAM,CAC9B,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,MAAM,KAAK,OAAO,IAAI,CAAC,CAAC,CAAC,MAAM,KAAK,SAAS,IAAI,CAAC,CAAC,QAAQ,CAAC,CACtE,CAAC,MAAM,CAAA;IACR,MAAM,SAAS,GAAG,MAAM,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,MAAM,KAAK,MAAM,CAAC,CAAC,MAAM,CAAA;IAElE,OAAO;QACL,EAAE,EAAE,UAAU,KAAK,CAAC;QACpB,UAAU;QACV,SAAS;QACT,MAAM;KACP,CAAA;AACH,CAAC"}

package/dist/diagnostics/logger.d.ts

@@ -0,0 +1,38 @@
+/**
+ * Structured logger for Actuate CMS (audit issue L7).
+ *
+ * Why a dedicated module instead of `console.*`:
+ *
+ *   1. **Filterable in production.** Operators can set
+ *      `ACTUATE_LOG_LEVEL=warn` to silence routine info logs without losing
+ *      error visibility — `console.*` calls can't be silenced without
+ *      monkey-patching.
+ *
+ *   2. **Structured output for log aggregators.** Setting
+ *      `ACTUATE_LOG_FORMAT=json` switches to one-line JSON entries with
+ *      consistent fields (`ts`, `level`, `scope`, `msg`, `details`),
+ *      ready for ingestion by Datadog, Sentry, or CloudWatch.
+ *
+ *   3. **Scoped namespaces.** `createLogger('rate-limit')` prefixes every
+ *      message with `[actuate][rate-limit]` so a grep finds related
+ *      entries instantly.
+ *
+ * **Migration path:** existing `console.*` calls keep working. New code and
+ * security-sensitive paths use the logger. Replace `console.*` callsites
+ * incrementally as files are touched.
+ */
+export type LogLevel = 'silent' | 'error' | 'warn' | 'info' | 'debug';
+export interface ScopedLogger {
+    error(msg: string, details?: Record<string, unknown>): void;
+    warn(msg: string, details?: Record<string, unknown>): void;
+    info(msg: string, details?: Record<string, unknown>): void;
+    debug(msg: string, details?: Record<string, unknown>): void;
+}
+/**
+ * Create a logger scoped to a subsystem name (e.g. `rate-limit`, `oauth`).
+ * Output format:
+ *   text: `[actuate][rate-limit] Upstash failed { reason: '...' }`
+ *   json: `{"ts":"...","level":"error","scope":"rate-limit","msg":"...","details":{...}}`
+ */
+export declare function createLogger(scope: string): ScopedLogger;
+//# sourceMappingURL=logger.d.ts.map

package/dist/diagnostics/logger.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"logger.d.ts","sourceRoot":"","sources":["../../src/diagnostics/logger.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;GAsBG;AAEH,MAAM,MAAM,QAAQ,GAAG,QAAQ,GAAG,OAAO,GAAG,MAAM,GAAG,MAAM,GAAG,OAAO,CAAA;AAkErE,MAAM,WAAW,YAAY;IAC3B,KAAK,CAAC,GAAG,EAAE,MAAM,EAAE,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,IAAI,CAAA;IAC3D,IAAI,CAAC,GAAG,EAAE,MAAM,EAAE,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,IAAI,CAAA;IAC1D,IAAI,CAAC,GAAG,EAAE,MAAM,EAAE,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,IAAI,CAAA;IAC1D,KAAK,CAAC,GAAG,EAAE,MAAM,EAAE,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,IAAI,CAAA;CAC5D;AAED;;;;;GAKG;AACH,wBAAgB,YAAY,CAAC,KAAK,EAAE,MAAM,GAAG,YAAY,CAOxD"}

package/dist/diagnostics/logger.js

@@ -0,0 +1,89 @@
+/**
+ * Structured logger for Actuate CMS (audit issue L7).
+ *
+ * Why a dedicated module instead of `console.*`:
+ *
+ *   1. **Filterable in production.** Operators can set
+ *      `ACTUATE_LOG_LEVEL=warn` to silence routine info logs without losing
+ *      error visibility — `console.*` calls can't be silenced without
+ *      monkey-patching.
+ *
+ *   2. **Structured output for log aggregators.** Setting
+ *      `ACTUATE_LOG_FORMAT=json` switches to one-line JSON entries with
+ *      consistent fields (`ts`, `level`, `scope`, `msg`, `details`),
+ *      ready for ingestion by Datadog, Sentry, or CloudWatch.
+ *
+ *   3. **Scoped namespaces.** `createLogger('rate-limit')` prefixes every
+ *      message with `[actuate][rate-limit]` so a grep finds related
+ *      entries instantly.
+ *
+ * **Migration path:** existing `console.*` calls keep working. New code and
+ * security-sensitive paths use the logger. Replace `console.*` callsites
+ * incrementally as files are touched.
+ */
+const LEVEL_RANK = {
+    silent: 0,
+    error: 10,
+    warn: 20,
+    info: 30,
+    debug: 40,
+};
+function resolveLevel() {
+    const raw = (process.env.ACTUATE_LOG_LEVEL ?? '').toLowerCase();
+    if (raw === 'silent' || raw === 'error' || raw === 'warn' || raw === 'info' || raw === 'debug') {
+        return raw;
+    }
+    // Default: warn in production, info elsewhere. Tests run with NODE_ENV=test
+    // and benefit from `info` so failing assertions show context.
+    return process.env.NODE_ENV === 'production' ? 'warn' : 'info';
+}
+function isJsonFormat() {
+    return (process.env.ACTUATE_LOG_FORMAT ?? '').toLowerCase() === 'json';
+}
+function shouldLog(level) {
+    const current = resolveLevel();
+    return LEVEL_RANK[level] <= LEVEL_RANK[current];
+}
+function emit(level, scope, msg, details) {
+    if (!shouldLog(level))
+        return;
+    const sink = level === 'error'
+        ? console.error
+        : level === 'warn'
+            ? console.warn
+            : level === 'info'
+                ? console.info
+                : console.debug;
+    if (isJsonFormat()) {
+        sink(JSON.stringify({
+            ts: new Date().toISOString(),
+            level,
+            scope,
+            msg,
+            ...(details ? { details } : {}),
+        }));
+        return;
+    }
+    const prefix = `[actuate][${scope}]`;
+    if (details) {
+        sink(prefix, msg, details);
+    }
+    else {
+        sink(prefix, msg);
+    }
+}
+/**
+ * Create a logger scoped to a subsystem name (e.g. `rate-limit`, `oauth`).
+ * Output format:
+ *   text: `[actuate][rate-limit] Upstash failed { reason: '...' }`
+ *   json: `{"ts":"...","level":"error","scope":"rate-limit","msg":"...","details":{...}}`
+ */
+export function createLogger(scope) {
+    return {
+        error: (msg, details) => emit('error', scope, msg, details),
+        warn: (msg, details) => emit('warn', scope, msg, details),
+        info: (msg, details) => emit('info', scope, msg, details),
+        debug: (msg, details) => emit('debug', scope, msg, details),
+    };
+}
+//# sourceMappingURL=logger.js.map

package/dist/diagnostics/logger.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"logger.js","sourceRoot":"","sources":["../../src/diagnostics/logger.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;GAsBG;AAIH,MAAM,UAAU,GAA6B;IAC3C,MAAM,EAAE,CAAC;IACT,KAAK,EAAE,EAAE;IACT,IAAI,EAAE,EAAE;IACR,IAAI,EAAE,EAAE;IACR,KAAK,EAAE,EAAE;CACV,CAAA;AAED,SAAS,YAAY;IACnB,MAAM,GAAG,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,iBAAiB,IAAI,EAAE,CAAC,CAAC,WAAW,EAAE,CAAA;IAC/D,IAAI,GAAG,KAAK,QAAQ,IAAI,GAAG,KAAK,OAAO,IAAI,GAAG,KAAK,MAAM,IAAI,GAAG,KAAK,MAAM,IAAI,GAAG,KAAK,OAAO,EAAE,CAAC;QAC/F,OAAO,GAAG,CAAA;IACZ,CAAC;IACD,4EAA4E;IAC5E,8DAA8D;IAC9D,OAAO,OAAO,CAAC,GAAG,CAAC,QAAQ,KAAK,YAAY,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,MAAM,CAAA;AAChE,CAAC;AAED,SAAS,YAAY;IACnB,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,kBAAkB,IAAI,EAAE,CAAC,CAAC,WAAW,EAAE,KAAK,MAAM,CAAA;AACxE,CAAC;AAED,SAAS,SAAS,CAAC,KAAe;IAChC,MAAM,OAAO,GAAG,YAAY,EAAE,CAAA;IAC9B,OAAO,UAAU,CAAC,KAAK,CAAC,IAAI,UAAU,CAAC,OAAO,CAAC,CAAA;AACjD,CAAC;AAED,SAAS,IAAI,CACX,KAAkC,EAClC,KAAa,EACb,GAAW,EACX,OAAiC;IAEjC,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC;QAAE,OAAM;IAC7B,MAAM,IAAI,GACR,KAAK,KAAK,OAAO;QACf,CAAC,CAAC,OAAO,CAAC,KAAK;QACf,CAAC,CAAC,KAAK,KAAK,MAAM;YAChB,CAAC,CAAC,OAAO,CAAC,IAAI;YACd,CAAC,CAAC,KAAK,KAAK,MAAM;gBAChB,CAAC,CAAC,OAAO,CAAC,IAAI;gBACd,CAAC,CAAC,OAAO,CAAC,KAAK,CAAA;IAEvB,IAAI,YAAY,EAAE,EAAE,CAAC;QACnB,IAAI,CACF,IAAI,CAAC,SAAS,CAAC;YACb,EAAE,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;YAC5B,KAAK;YACL,KAAK;YACL,GAAG;YACH,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,EAAE,OAAO,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;SAChC,CAAC,CACH,CAAA;QACD,OAAM;IACR,CAAC;IAED,MAAM,MAAM,GAAG,aAAa,KAAK,GAAG,CAAA;IACpC,IAAI,OAAO,EAAE,CAAC;QACZ,IAAI,CAAC,MAAM,EAAE,GAAG,EAAE,OAAO,CAAC,CAAA;IAC5B,CAAC;SAAM,CAAC;QACN,IAAI,CAAC,MAAM,EAAE,GAAG,CAAC,CAAA;IACnB,CAAC;AACH,CAAC;AASD;;;;;GAKG;AACH,MAAM,UAAU,YAAY,CAAC,KAAa;IACxC,OAAO;QACL,KAAK,EAAE,CAAC,GAAG,EAAE,OAAO,EAAE,EAAE,CAAC,IAAI,CAAC,OAAO,EAAE,KAAK,EAAE,GAAG,EAAE,OAAO,CAAC;QAC3D,IAAI,EAAE,CAAC,GAAG,EAAE,OAAO,EAAE,EAAE,CAAC,IAAI,CAAC,MAAM,EAAE,KAAK,EAAE,GAAG,EAAE,OAAO,CAAC;QACzD,IAAI,EAAE,CAAC,GAAG,EAAE,OAAO,EAAE,EAAE,CAAC,IAAI,CAAC,MAAM,EAAE,KAAK,EAAE,GAAG,EAAE,OAAO,CAAC;QACzD,KAAK,EAAE,CAAC,GAAG,EAAE,OAAO,EAAE,EAAE,CAAC,IAAI,CAAC,OAAO,EAAE,KAAK,EAAE,GAAG,EAAE,OAAO,CAAC;KAC5D,CAAA;AACH,CAAC"}

package/dist/page-builder/blocks.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"blocks.d.ts","sourceRoot":"","sources":["../../src/page-builder/blocks.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,mBAAmB,EAAE,iBAAiB,EAAE,MAAM,YAAY,CAAA;AA0QxE,MAAM,WAAW,mBAAmB;IAClC;;;;;;;;OAQG;IACH,YAAY,CAAC,EAAE,mBAAmB,EAAE,CAAA;IACpC;;;OAGG;IACH,WAAW,CAAC,EAAE,OAAO,CAAA;CACtB;AAYD,qBAAa,YAAY;IACvB,OAAO,CAAC,MAAM,CAAkC;gBAEpC,OAAO,GAAE,mBAAwB;IAmB7C,GAAG,CAAC,IAAI,EAAE,MAAM,GAAG,mBAAmB,GAAG,SAAS;IAIlD,MAAM,IAAI,mBAAmB,EAAE;IAI/B,QAAQ,CAAC,KAAK,EAAE,mBAAmB,GAAG,IAAI;IAI1C,UAAU,CAAC,SAAS,EAAE,MAAM,EAAE,WAAW,EAAE,MAAM,GAAG,iBAAiB,GAAG,SAAS;CAKlF"}
+{"version":3,"file":"blocks.d.ts","sourceRoot":"","sources":["../../src/page-builder/blocks.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,mBAAmB,EAAE,iBAAiB,EAAE,MAAM,YAAY,CAAA;AA0QxE,MAAM,WAAW,mBAAmB;IAClC;;;;;;;;OAQG;IACH,YAAY,CAAC,EAAE,mBAAmB,EAAE,CAAA;IACpC;;;OAGG;IACH,WAAW,CAAC,EAAE,OAAO,CAAA;CACtB;AAiBD,qBAAa,YAAY;IACvB,OAAO,CAAC,MAAM,CAAkC;gBAEpC,OAAO,GAAE,mBAAwB;IAmB7C,GAAG,CAAC,IAAI,EAAE,MAAM,GAAG,mBAAmB,GAAG,SAAS;IAIlD,MAAM,IAAI,mBAAmB,EAAE;IAI/B,QAAQ,CAAC,KAAK,EAAE,mBAAmB,GAAG,IAAI;IAI1C,UAAU,CAAC,SAAS,EAAE,MAAM,EAAE,WAAW,EAAE,MAAM,GAAG,iBAAiB,GAAG,SAAS;CAKlF"}

package/dist/page-builder/blocks.js

@@ -264,7 +264,12 @@ const CORE_BLOCKS = [
 function readCustomBlocksFromGlobalConfig() {
     if (typeof globalThis === 'undefined')
         return [];
-    const config = globalThis.__actuateConfig;
+    // We read directly from `globalThis` (rather than via `getActuateConfig()`)
+    // so this stays synchronous at module-load time and avoids importing the
+    // wider runtime module from inside page-builder. The shape we need is
+    // narrow enough that a local typed cast is safer than `as any`.
+    const config = globalThis
+        .__actuateConfig;
     const blocks = config?.pageBuilder?.blocks;
     if (Array.isArray(blocks)) {
         return blocks.filter((b) => !!b && typeof b.type === 'string');

package/dist/page-builder/blocks.js.map

@@ -1 +1 @@
-{"version":3,"file":"blocks.js","sourceRoot":"","sources":["../../src/page-builder/blocks.ts"],"names":[],"mappings":"AAEA,MAAM,WAAW,GAA0B;IACzC;QACE,IAAI,EAAE,MAAM;QACZ,KAAK,EAAE,MAAM;QACb,IAAI,EAAE,MAAM;QACZ,WAAW,EAAE,+DAA+D;QAC5E,QAAQ,EAAE;YACR;gBACE,IAAI,EAAE,UAAU;gBAChB,KAAK,EAAE,UAAU;gBACjB,WAAW,EAAE,wCAAwC;aACtD;YACD;gBACE,IAAI,EAAE,aAAa;gBACnB,KAAK,EAAE,aAAa;gBACpB,WAAW,EAAE,sCAAsC;aACpD;YACD;gBACE,IAAI,EAAE,UAAU;gBAChB,KAAK,EAAE,kBAAkB;gBACzB,WAAW,EAAE,oCAAoC;aAClD;YACD,EAAE,IAAI,EAAE,SAAS,EAAE,KAAK,EAAE,SAAS,EAAE,WAAW,EAAE,qCAAqC,EAAE;SAC1F;QACD,MAAM,EAAE;YACN,KAAK,EAAE,EAAE,IAAI,EAAE,MAAM,EAAE,KAAK,EAAE,OAAO,EAAE,QAAQ,EAAE,IAAI,EAAE;YACvD,QAAQ,EAAE,EAAE,IAAI,EAAE,MAAM,EAAE,KAAK,EAAE,UAAU,EAAE;YAC7C,KAAK,EAAE,EAAE,IAAI,EAAE,OAAO,EAAE,KAAK,EAAE,OAAO,EAAE;YACxC,QAAQ,EAAE,EAAE,IAAI,EAAE,KAAK,EAAE,KAAK,EAAE,WAAW,EAAE;YAC7C,OAAO,EAAE,EAAE,IAAI,EAAE,MAAM,EAAE,KAAK,EAAE,UAAU,EAAE;YAC5C,OAAO,EAAE,EAAE,IAAI,EAAE,KAAK,EAAE,KAAK,EAAE,UAAU,EAAE;YAC3C,cAAc,EAAE,EAAE,IAAI,EAAE,QAAQ,EAAE,KAAK,EAAE,iBAAiB,EAAE,GAAG,EAAE,CAAC,EAAE,GAAG,EAAE,GAAG,EAAE;SAC/E;KACF;IACD;QACE,IAAI,EAAE,MAAM;QACZ,KAAK,EAAE,MAAM;QACb,IAAI,EAAE,MAAM;QACZ,WAAW,EAAE,+CAA+C;QAC5D,QAAQ,EAAE;YACR,EAAE,IAAI,EAAE,OAAO,EAAE,KAAK,EAAE,OAAO,EAAE,WAAW,EAAE,6BAA6B,EAAE;YAC7E,EAAE,IAAI,EAAE,YAAY,EAAE,KAAK,EAAE,YAAY,EAAE,WAAW,EAAE,+BAA+B,EAAE;YACzF;gBACE,IAAI,EAAE,cAAc;gBACpB,KAAK,EAAE,cAAc;gBACrB,WAAW,EAAE,qCAAqC;aACnD;SACF;QACD,MAAM,EAAE;YACN,IAAI,EAAE,EAAE,IAAI,EAAE,UAAU,EAAE,KAAK,EAAE,MAAM,EAAE,QAAQ,EAAE,IAAI,EAAE;YACzD,OAAO,EAAE,EAAE,IAAI,EAAE,MAAM,EAAE,KAAK,EAAE,SAAS,EAAE;YAC3C,YAAY,EAAE;gBACZ,IAAI,EAAE,QAAQ;gBACd,KAAK,EAAE,eAAe;gBACtB,OAAO,EAAE;oBACP,EAAE,KAAK,EAAE,IAAI,EAAE,KAAK,EAAE,IAAI,EAAE;oBAC5B,EAAE,KAAK,EAAE,IAAI,EAAE,KAAK,EAAE,IAAI,EAAE;oBAC5B,EAAE,KAAK,EAAE,IAAI,EAAE,KAAK,EAAE,IAAI,EAAE;iBAC7B;aACF;SACF;KACF;IACD;QACE,IAAI,EAAE,OAAO;QACb,KAAK,EAAE,OAAO;QACd,IAAI,EAAE,OAAO;QACb,WAAW,EAAE,6CAA6C;QAC1D,QAAQ,EAAE;YACR,EAAE,IAAI,EAAE,YAAY,EAAE,KAAK,EAAE,YAAY,EAAE,WAAW,EAAE,oBAAoB,EAAE;YAC9E,EAAE,IAAI,EAAE,WAAW,EAAE,KAAK,EAAE,WAAW,EAAE,WAAW,EAAE,kCAAkC,EAAE;YAC1F,EAAE,IAAI,EAAE,SAAS,EAAE,KAAK,EAAE,SAAS,EAAE,WAAW,EAAE,4BAA4B,EAAE;YAChF;gBACE,IAAI,EAAE,cAAc;gBACpB,KAAK,EAAE,cAAc;gBACrB,WAAW,EAAE,mCAAmC;aACjD;SACF;QACD,MAAM,EAAE;YACN,GAAG,EAAE,EAAE,IAAI,EAAE,OAAO,EAAE,KAAK,EAAE,QAAQ,EAAE,QAAQ,EAAE,IAAI,EAAE;YACvD,GAAG,EAAE,EAAE,IAAI,EAAE,MAAM,EAAE,KAAK,EAAE,UAAU,EAAE,QAAQ,EAAE,IAAI,EAAE;YACxD,OAAO,EAAE,EAAE,IAAI,EAAE,MAAM,EAAE,KAAK,EAAE,SAAS,EAAE;YAC3C,IAAI,EAAE,EAAE,IAAI,EAAE,KAAK,EAAE,KAAK,EAAE,MAAM,EAAE;YACpC,WAAW,EAAE;gBACX,IAAI,EAAE,QAAQ;gBACd,KAAK,EAAE,cAAc;gBACrB,OAAO,EAAE;oBACP,EAAE,KAAK,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,EAAE;oBAChC,EAAE,KAAK,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,EAAE;oBAChC,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE;oBAC9B,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE;iBAC/B;aACF;SACF;KACF;IACD;QACE,IAAI,EAAE,OAAO;QACb,KAAK,EAAE,OAAO;QACd,IAAI,EAAE,YAAY;QAClB,WAAW,EAAE,0DAA0D;QACvE,QAAQ,EAAE;YACR,EAAE,IAAI,EAAE,QAAQ,EAAE,KAAK,EAAE,eAAe,EAAE,WAAW,EAAE,0BAA0B,EAAE;YACnF,EAAE,IAAI,EAAE,QAAQ,EAAE,KAAK,EAAE,eAAe,EAAE,WAAW,EAAE,0BAA0B,EAAE;YACnF,EAAE,IAAI,EAAE,QAAQ,EAAE,KAAK,EAAE,eAAe,EAAE,WAAW,EAAE,0BAA0B,EAAE;YACnF;gBACE,IAAI,EAAE,YAAY;gBAClB,KAAK,EAAE,YAAY;gBACnB,WAAW,EAAE,qCAAqC;aACnD;SACF;QACD,MAAM,EAAE;YACN,KAAK,EAAE;gBACL,IAAI,EAAE,OAAO;gBACb,KAAK,EAAE,OAAO;gBACd,MAAM,EAAE;oBACN,KAAK,EAAE,EAAE,IAAI,EAAE,MAAM,EAAE,KAAK,EAAE,OAAO,EAAE,QAAQ,EAAE,IAAI,EAAE;oBACvD,WAAW,EAAE,EAAE,IAAI,EAAE,MAAM,EAAE,KAAK,EAAE,aAAa,EAAE;oBACnD,KAAK,EAAE,EAAE,IAAI,EAAE,OAAO,EAAE,KAAK,EAAE,OAAO,EAAE;oBACxC,IAAI,EAAE,EAAE,IAAI,EAAE,KAAK,EAAE,KAAK,EAAE,MAAM,EAAE;oBACpC,IAAI,EAAE,EAAE,IAAI,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,EAAE;iBACtC;aACF;SACF;KACF;IACD;QACE,IAAI,EAAE,KAAK;QACX,KAAK,EAAE,gBAAgB;QACvB,IAAI,EAAE,cAAc;QACpB,WAAW,EAAE,sCAAsC;QACnD,QAAQ,EAAE;YACR,EAAE,IAAI,EAAE,QAAQ,EAAE,KAAK,EAAE,QAAQ,EAAE,WAAW,EAAE,2BAA2B,EAAE;YAC7E,EAAE,IAAI,EAAE,QAAQ,EAAE,KAAK,EAAE,QAAQ,EAAE,WAAW,EAAE,oBAAoB,EAAE;YACtE,EAAE,IAAI,EAAE,UAAU,EAAE,KAAK,EAAE,UAAU,EAAE,WAAW,EAAE,yBAAyB,EAAE;YAC/E,EAAE,IAAI,EAAE,OAAO,EAAE,KAAK,EAAE,OAAO,EAAE,WAAW,EAAE,uCAAuC,EAAE;SACxF;QACD,MAAM,EAAE;YACN,OAAO,EAAE,EAAE,IAAI,EAAE,MAAM,EAAE,KAAK,EAAE,SAAS,EAAE,QAAQ,EAAE,IAAI,EAAE;YAC3D,IAAI,EAAE,EAAE,IAAI,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,EAAE;YACrC,UAAU,EAAE,EAAE,IAAI,EAAE,MAAM,EAAE,KAAK,EAAE,aAAa,EAAE,QAAQ,EAAE,IAAI,EAAE;YAClE,UAAU,EAAE,EAAE,IAAI,EAAE,KAAK,EAAE,KAAK,EAAE,aAAa,EAAE,QAAQ,EAAE,IAAI,EAAE;YACjE,WAAW,EAAE;gBACX,IAAI,EAAE,QAAQ;gBACd,KAAK,EAAE,cAAc;gBACrB,OAAO,EAAE;oBACP,EAAE,KAAK,EAAE,SAAS,EAAE,KAAK,EAAE,SAAS,EAAE;oBACtC,EAAE,KAAK,EAAE,WAAW,EAAE,KAAK,EAAE,WAAW,EAAE;oBAC1C,EAAE,KAAK,EAAE,SAAS,EAAE,KAAK,EAAE,SAAS,EAAE;iBACvC;aACF;SACF;KACF;IACD;QACE,IAAI,EAAE,OAAO;QACb,KAAK,EAAE,OAAO;QACd,IAAI,EAAE,MAAM;QACZ,WAAW,EAAE,uBAAuB;QACpC,QAAQ,EAAE;YACR,EAAE,IAAI,EAAE,QAAQ,EAAE,KAAK,EAAE,QAAQ,EAAE,WAAW,EAAE,qCAAqC,EAAE;YACvF;gBACE,IAAI,EAAE,UAAU;gBAChB,KAAK,EAAE,UAAU;gBACjB,WAAW,EAAE,0CAA0C;aACxD;YACD;gBACE,IAAI,EAAE,YAAY;gBAClB,KAAK,EAAE,YAAY;gBACnB,WAAW,EAAE,qCAAqC;aACnD;SACF;QACD,MAAM,EAAE;YACN,GAAG,EAAE,EAAE,IAAI,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE,QAAQ,EAAE,IAAI,EAAE;YAClD,MAAM,EAAE,EAAE,IAAI,EAAE,OAAO,EAAE,KAAK,EAAE,QAAQ,EAAE;YAC1C,QAAQ,EAAE,EAAE,IAAI,EAAE,SAAS,EAAE,KAAK,EAAE,UAAU,EAAE;YAChD,IAAI,EAAE,EAAE,IAAI,EAAE,SAAS,EAAE,KAAK,EAAE,MAAM,EAAE;SACzC;KACF;IACD;QACE,IAAI,EAAE,SAAS;QACf,KAAK,EAAE,SAAS;QAChB,IAAI,EAAE,MAAM;QACZ,WAAW,EAAE,mDAAmD;QAChE,QAAQ,EAAE;YACR,EAAE,IAAI,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,EAAE,WAAW,EAAE,wBAAwB,EAAE;YACtE,EAAE,IAAI,EAAE,SAAS,EAAE,KAAK,EAAE,SAAS,EAAE,WAAW,EAAE,8BAA8B,EAAE;YAClF,EAAE,IAAI,EAAE,UAAU,EAAE,KAAK,EAAE,UAAU,EAAE,WAAW,EAAE,+BAA+B,EAAE;YACrF,EAAE,IAAI,EAAE,UAAU,EAAE,KAAK,EAAE,UAAU,EAAE,WAAW,EAAE,oCAAoC,EAAE;SAC3F;QACD,MAAM,EAAE;YACN,MAAM,EAAE;gBACN,IAAI,EAAE,OAAO;gBACb,KAAK,EAAE,QAAQ;gBACf,MAAM,EAAE;oBACN,GAAG,EAAE,EAAE,IAAI,EAAE,OAAO,EAAE,KAAK,EAAE,QAAQ,EAAE,QAAQ,EAAE,IAAI,EAAE;oBACvD,GAAG,EAAE,EAAE,IAAI,EAAE,MAAM,EAAE,KAAK,EAAE,UAAU,EAAE,QAAQ,EAAE,IAAI,EAAE;oBACxD,OAAO,EAAE,EAAE,IAAI,EAAE,MAAM,EAAE,KAAK,EAAE,SAAS,EAAE;iBAC5C;aACF;SACF;KACF;IACD;QACE,IAAI,EAAE,KAAK;QACX,KAAK,EAAE,KAAK;QACZ,IAAI,EAAE,YAAY;QAClB,WAAW,EAAE,iCAAiC;QAC9C,QAAQ,EAAE;YACR,EAAE,IAAI,EAAE,WAAW,EAAE,KAAK,EAAE,WAAW,EAAE,WAAW,EAAE,8BAA8B,EAAE;YACtF,EAAE,IAAI,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,EAAE,WAAW,EAAE,sCAAsC,EAAE;YACpF;gBACE,IAAI,EAAE,YAAY;gBAClB,KAAK,EAAE,YAAY;gBACnB,WAAW,EAAE,oCAAoC;aAClD;SACF;QACD,MAAM,EAAE;YACN,KAAK,EAAE;gBACL,IAAI,EAAE,OAAO;gBACb,KAAK,EAAE,OAAO;gBACd,MAAM,EAAE;oBACN,QAAQ,EAAE,EAAE,IAAI,EAAE,MAAM,EAAE,KAAK,EAAE,UAAU,EAAE,QAAQ,EAAE,IAAI,EAAE;oBAC7D,MAAM,EAAE,EAAE,IAAI,EAAE,UAAU,EAAE,KAAK,EAAE,QAAQ,EAAE,QAAQ,EAAE,IAAI,EAAE;iBAC9D;aACF;SACF;KACF;IACD;QACE,IAAI,EAAE,MAAM;QACZ,KAAK,EAAE,MAAM;QACb,IAAI,EAAE,UAAU;QAChB,WAAW,EAAE,yCAAyC;QACtD,QAAQ,EAAE;YACR,EAAE,IAAI,EAAE,SAAS,EAAE,KAAK,EAAE,SAAS,EAAE,WAAW,EAAE,8BAA8B,EAAE;YAClF,EAAE,IAAI,EAAE,YAAY,EAAE,KAAK,EAAE,YAAY,EAAE,WAAW,EAAE,sBAAsB,EAAE;YAChF,EAAE,IAAI,EAAE,QAAQ,EAAE,KAAK,EAAE,QAAQ,EAAE,WAAW,EAAE,0BAA0B,EAAE;SAC7E;QACD,MAAM,EAAE;YACN,MAAM,EAAE,EAAE,IAAI,EAAE,cAAc,EAAE,KAAK,EAAE,MAAM,EAAE,UAAU,EAAE,OAAO,EAAE;YACpE,cAAc,EAAE,EAAE,IAAI,EAAE,MAAM,EAAE,KAAK,EAAE,iBAAiB,EAAE;SAC3D;KACF;IACD;QACE,IAAI,EAAE,MAAM;QACZ,KAAK,EAAE,MAAM;QACb,IAAI,EAAE,MAAM;QACZ,WAAW,EAAE,oCAAoC;QACjD,QAAQ,EAAE;YACR,EAAE,IAAI,EAAE,OAAO,EAAE,KAAK,EAAE,OAAO,EAAE,WAAW,EAAE,oBAAoB,EAAE;YACpE,EAAE,IAAI,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,EAAE,WAAW,EAAE,gBAAgB,EAAE;YAC9D,EAAE,IAAI,EAAE,QAAQ,EAAE,KAAK,EAAE,QAAQ,EAAE,WAAW,EAAE,+BAA+B,EAAE;SAClF;QACD,MAAM,EAAE;YACN,OAAO,EAAE,EAAE,IAAI,EAAE,MAAM,EAAE,KAAK,EAAE,SAAS,EAAE,QAAQ,EAAE,IAAI,EAAE;YAC3D,QAAQ,EAAE;gBACR,IAAI,EAAE,QAAQ;gBACd,KAAK,EAAE,UAAU;gBACjB,OAAO,EAAE;oBACP,EAAE,KAAK,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,EAAE;oBAChC,EAAE,KAAK,EAAE,YAAY,EAAE,KAAK,EAAE,YAAY,EAAE;oBAC5C,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE;iBAC/B;aACF;YACD,SAAS,EAAE,EAAE,IAAI,EAAE,SAAS,EAAE,KAAK,EAAE,WAAW,EAAE;SACnD;KACF;CACF,CAAA;AAoBD,SAAS,gCAAgC;IACvC,IAAI,OAAO,UAAU,KAAK,WAAW;QAAE,OAAO,EAAE,CAAA;IAChD,MAAM,MAAM,GAAI,UAAkC,CAAC,eAAe,CAAA;IAClE,MAAM,MAAM,GAAG,MAAM,EAAE,WAAW,EAAE,MAAM,CAAA;IAC1C,IAAI,KAAK,CAAC,OAAO,CAAC,MAAM,CAAC,EAAE,CAAC;QAC1B,OAAO,MAAM,CAAC,MAAM,CAAC,CAAC,CAAC,EAA4B,EAAE,CAAC,CAAC,CAAC,CAAC,IAAI,OAAO,CAAC,CAAC,IAAI,KAAK,QAAQ,CAAC,CAAA;IAC1F,CAAC;IACD,OAAO,EAAE,CAAA;AACX,CAAC;AAED,MAAM,OAAO,YAAY;IACf,MAAM,CAAkC;IAEhD,YAAY,UAA+B,EAAE;QAC3C,MAAM,WAAW,GAAG,OAAO,CAAC,WAAW,KAAK,KAAK,CAAA;QACjD,IAAI,CAAC,MAAM,GAAG,IAAI,GAAG,EAAE,CAAA;QAEvB,IAAI,WAAW,EAAE,CAAC;YAChB,KAAK,MAAM,KAAK,IAAI,WAAW,EAAE,CAAC;gBAChC,IAAI,CAAC,MAAM,CAAC,GAAG,CAAC,KAAK,CAAC,IAAI,EAAE,KAAK,CAAC,CAAA;YACpC,CAAC;QACH,CAAC;QAED,sEAAsE;QACtE,sEAAsE;QACtE,qDAAqD;QACrD,MAAM,MAAM,GAAG,OAAO,CAAC,YAAY,IAAI,gCAAgC,EAAE,CAAA;QACzE,KAAK,MAAM,KAAK,IAAI,MAAM,EAAE,CAAC;YAC3B,IAAI,CAAC,MAAM,CAAC,GAAG,CAAC,KAAK,CAAC,IAAI,EAAE,KAAK,CAAC,CAAA;QACpC,CAAC;IACH,CAAC;IAED,GAAG,CAAC,IAAY;QACd,OAAO,IAAI,CAAC,MAAM,CAAC,GAAG,CAAC,IAAI,CAAC,CAAA;IAC9B,CAAC;IAED,MAAM;QACJ,OAAO,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,MAAM,EAAE,CAAC,CAAA;IACzC,CAAC;IAED,QAAQ,CAAC,KAA0B;QACjC,IAAI,CAAC,MAAM,CAAC,GAAG,CAAC,KAAK,CAAC,IAAI,EAAE,KAAK,CAAC,CAAA;IACpC,CAAC;IAED,UAAU,CAAC,SAAiB,EAAE,WAAmB;QAC/C,MAAM,KAAK,GAAG,IAAI,CAAC,MAAM,CAAC,GAAG,CAAC,SAAS,CAAC,CAAA;QACxC,IAAI,CAAC,KAAK;YAAE,OAAO,SAAS,CAAA;QAC5B,OAAO,KAAK,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,WAAW,CAAC,CAAA;IAC3D,CAAC;CACF"}
+{"version":3,"file":"blocks.js","sourceRoot":"","sources":["../../src/page-builder/blocks.ts"],"names":[],"mappings":"AAEA,MAAM,WAAW,GAA0B;IACzC;QACE,IAAI,EAAE,MAAM;QACZ,KAAK,EAAE,MAAM;QACb,IAAI,EAAE,MAAM;QACZ,WAAW,EAAE,+DAA+D;QAC5E,QAAQ,EAAE;YACR;gBACE,IAAI,EAAE,UAAU;gBAChB,KAAK,EAAE,UAAU;gBACjB,WAAW,EAAE,wCAAwC;aACtD;YACD;gBACE,IAAI,EAAE,aAAa;gBACnB,KAAK,EAAE,aAAa;gBACpB,WAAW,EAAE,sCAAsC;aACpD;YACD;gBACE,IAAI,EAAE,UAAU;gBAChB,KAAK,EAAE,kBAAkB;gBACzB,WAAW,EAAE,oCAAoC;aAClD;YACD,EAAE,IAAI,EAAE,SAAS,EAAE,KAAK,EAAE,SAAS,EAAE,WAAW,EAAE,qCAAqC,EAAE;SAC1F;QACD,MAAM,EAAE;YACN,KAAK,EAAE,EAAE,IAAI,EAAE,MAAM,EAAE,KAAK,EAAE,OAAO,EAAE,QAAQ,EAAE,IAAI,EAAE;YACvD,QAAQ,EAAE,EAAE,IAAI,EAAE,MAAM,EAAE,KAAK,EAAE,UAAU,EAAE;YAC7C,KAAK,EAAE,EAAE,IAAI,EAAE,OAAO,EAAE,KAAK,EAAE,OAAO,EAAE;YACxC,QAAQ,EAAE,EAAE,IAAI,EAAE,KAAK,EAAE,KAAK,EAAE,WAAW,EAAE;YAC7C,OAAO,EAAE,EAAE,IAAI,EAAE,MAAM,EAAE,KAAK,EAAE,UAAU,EAAE;YAC5C,OAAO,EAAE,EAAE,IAAI,EAAE,KAAK,EAAE,KAAK,EAAE,UAAU,EAAE;YAC3C,cAAc,EAAE,EAAE,IAAI,EAAE,QAAQ,EAAE,KAAK,EAAE,iBAAiB,EAAE,GAAG,EAAE,CAAC,EAAE,GAAG,EAAE,GAAG,EAAE;SAC/E;KACF;IACD;QACE,IAAI,EAAE,MAAM;QACZ,KAAK,EAAE,MAAM;QACb,IAAI,EAAE,MAAM;QACZ,WAAW,EAAE,+CAA+C;QAC5D,QAAQ,EAAE;YACR,EAAE,IAAI,EAAE,OAAO,EAAE,KAAK,EAAE,OAAO,EAAE,WAAW,EAAE,6BAA6B,EAAE;YAC7E,EAAE,IAAI,EAAE,YAAY,EAAE,KAAK,EAAE,YAAY,EAAE,WAAW,EAAE,+BAA+B,EAAE;YACzF;gBACE,IAAI,EAAE,cAAc;gBACpB,KAAK,EAAE,cAAc;gBACrB,WAAW,EAAE,qCAAqC;aACnD;SACF;QACD,MAAM,EAAE;YACN,IAAI,EAAE,EAAE,IAAI,EAAE,UAAU,EAAE,KAAK,EAAE,MAAM,EAAE,QAAQ,EAAE,IAAI,EAAE;YACzD,OAAO,EAAE,EAAE,IAAI,EAAE,MAAM,EAAE,KAAK,EAAE,SAAS,EAAE;YAC3C,YAAY,EAAE;gBACZ,IAAI,EAAE,QAAQ;gBACd,KAAK,EAAE,eAAe;gBACtB,OAAO,EAAE;oBACP,EAAE,KAAK,EAAE,IAAI,EAAE,KAAK,EAAE,IAAI,EAAE;oBAC5B,EAAE,KAAK,EAAE,IAAI,EAAE,KAAK,EAAE,IAAI,EAAE;oBAC5B,EAAE,KAAK,EAAE,IAAI,EAAE,KAAK,EAAE,IAAI,EAAE;iBAC7B;aACF;SACF;KACF;IACD;QACE,IAAI,EAAE,OAAO;QACb,KAAK,EAAE,OAAO;QACd,IAAI,EAAE,OAAO;QACb,WAAW,EAAE,6CAA6C;QAC1D,QAAQ,EAAE;YACR,EAAE,IAAI,EAAE,YAAY,EAAE,KAAK,EAAE,YAAY,EAAE,WAAW,EAAE,oBAAoB,EAAE;YAC9E,EAAE,IAAI,EAAE,WAAW,EAAE,KAAK,EAAE,WAAW,EAAE,WAAW,EAAE,kCAAkC,EAAE;YAC1F,EAAE,IAAI,EAAE,SAAS,EAAE,KAAK,EAAE,SAAS,EAAE,WAAW,EAAE,4BAA4B,EAAE;YAChF;gBACE,IAAI,EAAE,cAAc;gBACpB,KAAK,EAAE,cAAc;gBACrB,WAAW,EAAE,mCAAmC;aACjD;SACF;QACD,MAAM,EAAE;YACN,GAAG,EAAE,EAAE,IAAI,EAAE,OAAO,EAAE,KAAK,EAAE,QAAQ,EAAE,QAAQ,EAAE,IAAI,EAAE;YACvD,GAAG,EAAE,EAAE,IAAI,EAAE,MAAM,EAAE,KAAK,EAAE,UAAU,EAAE,QAAQ,EAAE,IAAI,EAAE;YACxD,OAAO,EAAE,EAAE,IAAI,EAAE,MAAM,EAAE,KAAK,EAAE,SAAS,EAAE;YAC3C,IAAI,EAAE,EAAE,IAAI,EAAE,KAAK,EAAE,KAAK,EAAE,MAAM,EAAE;YACpC,WAAW,EAAE;gBACX,IAAI,EAAE,QAAQ;gBACd,KAAK,EAAE,cAAc;gBACrB,OAAO,EAAE;oBACP,EAAE,KAAK,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,EAAE;oBAChC,EAAE,KAAK,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,EAAE;oBAChC,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE;oBAC9B,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE;iBAC/B;aACF;SACF;KACF;IACD;QACE,IAAI,EAAE,OAAO;QACb,KAAK,EAAE,OAAO;QACd,IAAI,EAAE,YAAY;QAClB,WAAW,EAAE,0DAA0D;QACvE,QAAQ,EAAE;YACR,EAAE,IAAI,EAAE,QAAQ,EAAE,KAAK,EAAE,eAAe,EAAE,WAAW,EAAE,0BAA0B,EAAE;YACnF,EAAE,IAAI,EAAE,QAAQ,EAAE,KAAK,EAAE,eAAe,EAAE,WAAW,EAAE,0BAA0B,EAAE;YACnF,EAAE,IAAI,EAAE,QAAQ,EAAE,KAAK,EAAE,eAAe,EAAE,WAAW,EAAE,0BAA0B,EAAE;YACnF;gBACE,IAAI,EAAE,YAAY;gBAClB,KAAK,EAAE,YAAY;gBACnB,WAAW,EAAE,qCAAqC;aACnD;SACF;QACD,MAAM,EAAE;YACN,KAAK,EAAE;gBACL,IAAI,EAAE,OAAO;gBACb,KAAK,EAAE,OAAO;gBACd,MAAM,EAAE;oBACN,KAAK,EAAE,EAAE,IAAI,EAAE,MAAM,EAAE,KAAK,EAAE,OAAO,EAAE,QAAQ,EAAE,IAAI,EAAE;oBACvD,WAAW,EAAE,EAAE,IAAI,EAAE,MAAM,EAAE,KAAK,EAAE,aAAa,EAAE;oBACnD,KAAK,EAAE,EAAE,IAAI,EAAE,OAAO,EAAE,KAAK,EAAE,OAAO,EAAE;oBACxC,IAAI,EAAE,EAAE,IAAI,EAAE,KAAK,EAAE,KAAK,EAAE,MAAM,EAAE;oBACpC,IAAI,EAAE,EAAE,IAAI,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,EAAE;iBACtC;aACF;SACF;KACF;IACD;QACE,IAAI,EAAE,KAAK;QACX,KAAK,EAAE,gBAAgB;QACvB,IAAI,EAAE,cAAc;QACpB,WAAW,EAAE,sCAAsC;QACnD,QAAQ,EAAE;YACR,EAAE,IAAI,EAAE,QAAQ,EAAE,KAAK,EAAE,QAAQ,EAAE,WAAW,EAAE,2BAA2B,EAAE;YAC7E,EAAE,IAAI,EAAE,QAAQ,EAAE,KAAK,EAAE,QAAQ,EAAE,WAAW,EAAE,oBAAoB,EAAE;YACtE,EAAE,IAAI,EAAE,UAAU,EAAE,KAAK,EAAE,UAAU,EAAE,WAAW,EAAE,yBAAyB,EAAE;YAC/E,EAAE,IAAI,EAAE,OAAO,EAAE,KAAK,EAAE,OAAO,EAAE,WAAW,EAAE,uCAAuC,EAAE;SACxF;QACD,MAAM,EAAE;YACN,OAAO,EAAE,EAAE,IAAI,EAAE,MAAM,EAAE,KAAK,EAAE,SAAS,EAAE,QAAQ,EAAE,IAAI,EAAE;YAC3D,IAAI,EAAE,EAAE,IAAI,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,EAAE;YACrC,UAAU,EAAE,EAAE,IAAI,EAAE,MAAM,EAAE,KAAK,EAAE,aAAa,EAAE,QAAQ,EAAE,IAAI,EAAE;YAClE,UAAU,EAAE,EAAE,IAAI,EAAE,KAAK,EAAE,KAAK,EAAE,aAAa,EAAE,QAAQ,EAAE,IAAI,EAAE;YACjE,WAAW,EAAE;gBACX,IAAI,EAAE,QAAQ;gBACd,KAAK,EAAE,cAAc;gBACrB,OAAO,EAAE;oBACP,EAAE,KAAK,EAAE,SAAS,EAAE,KAAK,EAAE,SAAS,EAAE;oBACtC,EAAE,KAAK,EAAE,WAAW,EAAE,KAAK,EAAE,WAAW,EAAE;oBAC1C,EAAE,KAAK,EAAE,SAAS,EAAE,KAAK,EAAE,SAAS,EAAE;iBACvC;aACF;SACF;KACF;IACD;QACE,IAAI,EAAE,OAAO;QACb,KAAK,EAAE,OAAO;QACd,IAAI,EAAE,MAAM;QACZ,WAAW,EAAE,uBAAuB;QACpC,QAAQ,EAAE;YACR,EAAE,IAAI,EAAE,QAAQ,EAAE,KAAK,EAAE,QAAQ,EAAE,WAAW,EAAE,qCAAqC,EAAE;YACvF;gBACE,IAAI,EAAE,UAAU;gBAChB,KAAK,EAAE,UAAU;gBACjB,WAAW,EAAE,0CAA0C;aACxD;YACD;gBACE,IAAI,EAAE,YAAY;gBAClB,KAAK,EAAE,YAAY;gBACnB,WAAW,EAAE,qCAAqC;aACnD;SACF;QACD,MAAM,EAAE;YACN,GAAG,EAAE,EAAE,IAAI,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE,QAAQ,EAAE,IAAI,EAAE;YAClD,MAAM,EAAE,EAAE,IAAI,EAAE,OAAO,EAAE,KAAK,EAAE,QAAQ,EAAE;YAC1C,QAAQ,EAAE,EAAE,IAAI,EAAE,SAAS,EAAE,KAAK,EAAE,UAAU,EAAE;YAChD,IAAI,EAAE,EAAE,IAAI,EAAE,SAAS,EAAE,KAAK,EAAE,MAAM,EAAE;SACzC;KACF;IACD;QACE,IAAI,EAAE,SAAS;QACf,KAAK,EAAE,SAAS;QAChB,IAAI,EAAE,MAAM;QACZ,WAAW,EAAE,mDAAmD;QAChE,QAAQ,EAAE;YACR,EAAE,IAAI,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,EAAE,WAAW,EAAE,wBAAwB,EAAE;YACtE,EAAE,IAAI,EAAE,SAAS,EAAE,KAAK,EAAE,SAAS,EAAE,WAAW,EAAE,8BAA8B,EAAE;YAClF,EAAE,IAAI,EAAE,UAAU,EAAE,KAAK,EAAE,UAAU,EAAE,WAAW,EAAE,+BAA+B,EAAE;YACrF,EAAE,IAAI,EAAE,UAAU,EAAE,KAAK,EAAE,UAAU,EAAE,WAAW,EAAE,oCAAoC,EAAE;SAC3F;QACD,MAAM,EAAE;YACN,MAAM,EAAE;gBACN,IAAI,EAAE,OAAO;gBACb,KAAK,EAAE,QAAQ;gBACf,MAAM,EAAE;oBACN,GAAG,EAAE,EAAE,IAAI,EAAE,OAAO,EAAE,KAAK,EAAE,QAAQ,EAAE,QAAQ,EAAE,IAAI,EAAE;oBACvD,GAAG,EAAE,EAAE,IAAI,EAAE,MAAM,EAAE,KAAK,EAAE,UAAU,EAAE,QAAQ,EAAE,IAAI,EAAE;oBACxD,OAAO,EAAE,EAAE,IAAI,EAAE,MAAM,EAAE,KAAK,EAAE,SAAS,EAAE;iBAC5C;aACF;SACF;KACF;IACD;QACE,IAAI,EAAE,KAAK;QACX,KAAK,EAAE,KAAK;QACZ,IAAI,EAAE,YAAY;QAClB,WAAW,EAAE,iCAAiC;QAC9C,QAAQ,EAAE;YACR,EAAE,IAAI,EAAE,WAAW,EAAE,KAAK,EAAE,WAAW,EAAE,WAAW,EAAE,8BAA8B,EAAE;YACtF,EAAE,IAAI,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,EAAE,WAAW,EAAE,sCAAsC,EAAE;YACpF;gBACE,IAAI,EAAE,YAAY;gBAClB,KAAK,EAAE,YAAY;gBACnB,WAAW,EAAE,oCAAoC;aAClD;SACF;QACD,MAAM,EAAE;YACN,KAAK,EAAE;gBACL,IAAI,EAAE,OAAO;gBACb,KAAK,EAAE,OAAO;gBACd,MAAM,EAAE;oBACN,QAAQ,EAAE,EAAE,IAAI,EAAE,MAAM,EAAE,KAAK,EAAE,UAAU,EAAE,QAAQ,EAAE,IAAI,EAAE;oBAC7D,MAAM,EAAE,EAAE,IAAI,EAAE,UAAU,EAAE,KAAK,EAAE,QAAQ,EAAE,QAAQ,EAAE,IAAI,EAAE;iBAC9D;aACF;SACF;KACF;IACD;QACE,IAAI,EAAE,MAAM;QACZ,KAAK,EAAE,MAAM;QACb,IAAI,EAAE,UAAU;QAChB,WAAW,EAAE,yCAAyC;QACtD,QAAQ,EAAE;YACR,EAAE,IAAI,EAAE,SAAS,EAAE,KAAK,EAAE,SAAS,EAAE,WAAW,EAAE,8BAA8B,EAAE;YAClF,EAAE,IAAI,EAAE,YAAY,EAAE,KAAK,EAAE,YAAY,EAAE,WAAW,EAAE,sBAAsB,EAAE;YAChF,EAAE,IAAI,EAAE,QAAQ,EAAE,KAAK,EAAE,QAAQ,EAAE,WAAW,EAAE,0BAA0B,EAAE;SAC7E;QACD,MAAM,EAAE;YACN,MAAM,EAAE,EAAE,IAAI,EAAE,cAAc,EAAE,KAAK,EAAE,MAAM,EAAE,UAAU,EAAE,OAAO,EAAE;YACpE,cAAc,EAAE,EAAE,IAAI,EAAE,MAAM,EAAE,KAAK,EAAE,iBAAiB,EAAE;SAC3D;KACF;IACD;QACE,IAAI,EAAE,MAAM;QACZ,KAAK,EAAE,MAAM;QACb,IAAI,EAAE,MAAM;QACZ,WAAW,EAAE,oCAAoC;QACjD,QAAQ,EAAE;YACR,EAAE,IAAI,EAAE,OAAO,EAAE,KAAK,EAAE,OAAO,EAAE,WAAW,EAAE,oBAAoB,EAAE;YACpE,EAAE,IAAI,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,EAAE,WAAW,EAAE,gBAAgB,EAAE;YAC9D,EAAE,IAAI,EAAE,QAAQ,EAAE,KAAK,EAAE,QAAQ,EAAE,WAAW,EAAE,+BAA+B,EAAE;SAClF;QACD,MAAM,EAAE;YACN,OAAO,EAAE,EAAE,IAAI,EAAE,MAAM,EAAE,KAAK,EAAE,SAAS,EAAE,QAAQ,EAAE,IAAI,EAAE;YAC3D,QAAQ,EAAE;gBACR,IAAI,EAAE,QAAQ;gBACd,KAAK,EAAE,UAAU;gBACjB,OAAO,EAAE;oBACP,EAAE,KAAK,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,EAAE;oBAChC,EAAE,KAAK,EAAE,YAAY,EAAE,KAAK,EAAE,YAAY,EAAE;oBAC5C,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE;iBAC/B;aACF;YACD,SAAS,EAAE,EAAE,IAAI,EAAE,SAAS,EAAE,KAAK,EAAE,WAAW,EAAE;SACnD;KACF;CACF,CAAA;AAoBD,SAAS,gCAAgC;IACvC,IAAI,OAAO,UAAU,KAAK,WAAW;QAAE,OAAO,EAAE,CAAA;IAChD,4EAA4E;IAC5E,yEAAyE;IACzE,sEAAsE;IACtE,gEAAgE;IAChE,MAAM,MAAM,GAAI,UAA2E;SACxF,eAAe,CAAA;IAClB,MAAM,MAAM,GAAG,MAAM,EAAE,WAAW,EAAE,MAAM,CAAA;IAC1C,IAAI,KAAK,CAAC,OAAO,CAAC,MAAM,CAAC,EAAE,CAAC;QAC1B,OAAO,MAAM,CAAC,MAAM,CAAC,CAAC,CAAC,EAA4B,EAAE,CAAC,CAAC,CAAC,CAAC,IAAI,OAAO,CAAC,CAAC,IAAI,KAAK,QAAQ,CAAC,CAAA;IAC1F,CAAC;IACD,OAAO,EAAE,CAAA;AACX,CAAC;AAED,MAAM,OAAO,YAAY;IACf,MAAM,CAAkC;IAEhD,YAAY,UAA+B,EAAE;QAC3C,MAAM,WAAW,GAAG,OAAO,CAAC,WAAW,KAAK,KAAK,CAAA;QACjD,IAAI,CAAC,MAAM,GAAG,IAAI,GAAG,EAAE,CAAA;QAEvB,IAAI,WAAW,EAAE,CAAC;YAChB,KAAK,MAAM,KAAK,IAAI,WAAW,EAAE,CAAC;gBAChC,IAAI,CAAC,MAAM,CAAC,GAAG,CAAC,KAAK,CAAC,IAAI,EAAE,KAAK,CAAC,CAAA;YACpC,CAAC;QACH,CAAC;QAED,sEAAsE;QACtE,sEAAsE;QACtE,qDAAqD;QACrD,MAAM,MAAM,GAAG,OAAO,CAAC,YAAY,IAAI,gCAAgC,EAAE,CAAA;QACzE,KAAK,MAAM,KAAK,IAAI,MAAM,EAAE,CAAC;YAC3B,IAAI,CAAC,MAAM,CAAC,GAAG,CAAC,KAAK,CAAC,IAAI,EAAE,KAAK,CAAC,CAAA;QACpC,CAAC;IACH,CAAC;IAED,GAAG,CAAC,IAAY;QACd,OAAO,IAAI,CAAC,MAAM,CAAC,GAAG,CAAC,IAAI,CAAC,CAAA;IAC9B,CAAC;IAED,MAAM;QACJ,OAAO,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,MAAM,EAAE,CAAC,CAAA;IACzC,CAAC;IAED,QAAQ,CAAC,KAA0B;QACjC,IAAI,CAAC,MAAM,CAAC,GAAG,CAAC,KAAK,CAAC,IAAI,EAAE,KAAK,CAAC,CAAA;IACpC,CAAC;IAED,UAAU,CAAC,SAAiB,EAAE,WAAmB;QAC/C,MAAM,KAAK,GAAG,IAAI,CAAC,MAAM,CAAC,GAAG,CAAC,SAAS,CAAC,CAAA;QACxC,IAAI,CAAC,KAAK;YAAE,OAAO,SAAS,CAAA;QAC5B,OAAO,KAAK,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,WAAW,CAAC,CAAA;IAC3D,CAAC;CACF"}

package/dist/security/api-key-enhanced.d.ts

@@ -1,18 +1,45 @@
+/**
+ * API key generation and scope validation.
+ *
+ * Keys are formatted `act_sk_<64 hex chars>`. We store only a SHA-256 hash of
+ * the key in the database; the raw key is shown to the user exactly once at
+ * creation time. The first 15 chars (`act_sk_` + 8 hex) are stored as
+ * `keyPrefix` so the admin UI can display a human-recognizable token without
+ * leaking the secret half.
+ */
 export interface ApiKeyScope {
+    /**
+     * Collection slugs the key is allowed to act on. Use `'*'` for all
+     * collections. Omit/empty to deny collection access entirely.
+     */
     collections?: string[];
+    /**
+     * Actions allowed on the listed collections. Omit/empty to deny.
+     */
     actions?: ('read' | 'create' | 'update' | 'delete')[];
+    /**
+     * Global slugs the key is allowed to read or update. `'*'` for all.
+     */
     globals?: string[];
+    /** When true, the key can upload/manage media. */
     media?: boolean;
+    /**
+     * When true, the key can call AI page-builder endpoints (`/page-builder/*`).
+     * AI generation is expensive — issue this scope sparingly.
+     */
+    pageBuilder?: boolean;
+    /**
+     * When true, the key has full admin access (can manage users, settings,
+     * other API keys). Equivalent to a logged-in ADMIN session.
+     */
+    admin?: boolean;
 }
 export interface EnhancedApiKeyConfig {
+    /** Token prefix (always `act_sk` for live keys). */
     prefix: string;
     scopes: ApiKeyScope;
     ipRestrictions?: string[];
     expiresAt?: Date;
-    rateLimit?: {
-        maxRequests: number;
-        windowMs: number;
-    };
 }
 /** Generate a new API key with scoped permissions. */
 export declare function generateApiKey(config: EnhancedApiKeyConfig): Promise<{
@@ -20,6 +47,22 @@ export declare function generateApiKey(config: EnhancedApiKeyConfig): Promise<{
     keyHash: string;
     keyPrefix: string;
 }>;
-/** Validate an API key's scopes against a requested action. */
+/** SHA-256 hash a raw API key for lookup. */
+export declare function hashApiKey(rawKey: string): Promise<string>;
+/** True when the request's bearer token looks like an API key (vs a session JWT). */
+export declare function looksLikeApiKey(token: string): boolean;
+/**
+ * Validate an API key's scopes against a collection action. Returns true when
+ * the key is permitted to perform `action` on `collection`. Admin keys always
+ * pass.
+ */
 export declare function validateApiKeyScope(scopes: ApiKeyScope, collection: string, action: 'read' | 'create' | 'update' | 'delete'): boolean;
+/** Validate scope for a global action. */
+export declare function validateApiKeyGlobalScope(scopes: ApiKeyScope, slug: string): boolean;
+/** Validate scope for media uploads/management. */
+export declare function validateApiKeyMediaScope(scopes: ApiKeyScope): boolean;
+/** Validate scope for page-builder/AI endpoints. */
+export declare function validateApiKeyPageBuilderScope(scopes: ApiKeyScope): boolean;
+/** Validate IP restrictions against the request's client IP. */
+export declare function validateApiKeyIp(restrictions: string[] | null | undefined, ip: string): boolean;
 //# sourceMappingURL=api-key-enhanced.d.ts.map

package/dist/security/api-key-enhanced.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"api-key-enhanced.d.ts","sourceRoot":"","sources":["../../src/security/api-key-enhanced.ts"],"names":[],"mappings":"AAAA,MAAM,WAAW,WAAW;IAC1B,WAAW,CAAC,EAAE,MAAM,EAAE,CAAA;IACtB,OAAO,CAAC,EAAE,CAAC,MAAM,GAAG,QAAQ,GAAG,QAAQ,GAAG,QAAQ,CAAC,EAAE,CAAA;IACrD,OAAO,CAAC,EAAE,MAAM,EAAE,CAAA;IAClB,KAAK,CAAC,EAAE,OAAO,CAAA;CAChB;AAED,MAAM,WAAW,oBAAoB;IACnC,MAAM,EAAE,MAAM,CAAA;IACd,MAAM,EAAE,WAAW,CAAA;IACnB,cAAc,CAAC,EAAE,MAAM,EAAE,CAAA;IACzB,SAAS,CAAC,EAAE,IAAI,CAAA;IAChB,SAAS,CAAC,EAAE;QAAE,WAAW,EAAE,MAAM,CAAC;QAAC,QAAQ,EAAE,MAAM,CAAA;KAAE,CAAA;CACtD;AAED,sDAAsD;AACtD,wBAAsB,cAAc,CAClC,MAAM,EAAE,oBAAoB,GAC3B,OAAO,CAAC;IAAE,GAAG,EAAE,MAAM,CAAC;IAAC,OAAO,EAAE,MAAM,CAAC;IAAC,SAAS,EAAE,MAAM,CAAA;CAAE,CAAC,CAc9D;AAED,+DAA+D;AAC/D,wBAAgB,mBAAmB,CACjC,MAAM,EAAE,WAAW,EACnB,UAAU,EAAE,MAAM,EAClB,MAAM,EAAE,MAAM,GAAG,QAAQ,GAAG,QAAQ,GAAG,QAAQ,GAC9C,OAAO,CAQT"}
+{"version":3,"file":"api-key-enhanced.d.ts","sourceRoot":"","sources":["../../src/security/api-key-enhanced.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAEH,MAAM,WAAW,WAAW;IAC1B;;;OAGG;IACH,WAAW,CAAC,EAAE,MAAM,EAAE,CAAA;IACtB;;OAEG;IACH,OAAO,CAAC,EAAE,CAAC,MAAM,GAAG,QAAQ,GAAG,QAAQ,GAAG,QAAQ,CAAC,EAAE,CAAA;IACrD;;OAEG;IACH,OAAO,CAAC,EAAE,MAAM,EAAE,CAAA;IAClB,kDAAkD;IAClD,KAAK,CAAC,EAAE,OAAO,CAAA;IACf;;;OAGG;IACH,WAAW,CAAC,EAAE,OAAO,CAAA;IACrB;;;OAGG;IACH,KAAK,CAAC,EAAE,OAAO,CAAA;CAChB;AAED,MAAM,WAAW,oBAAoB;IACnC,oDAAoD;IACpD,MAAM,EAAE,MAAM,CAAA;IACd,MAAM,EAAE,WAAW,CAAA;IACnB,cAAc,CAAC,EAAE,MAAM,EAAE,CAAA;IACzB,SAAS,CAAC,EAAE,IAAI,CAAA;CACjB;AAED,sDAAsD;AACtD,wBAAsB,cAAc,CAClC,MAAM,EAAE,oBAAoB,GAC3B,OAAO,CAAC;IAAE,GAAG,EAAE,MAAM,CAAC;IAAC,OAAO,EAAE,MAAM,CAAC;IAAC,SAAS,EAAE,MAAM,CAAA;CAAE,CAAC,CAY9D;AAED,6CAA6C;AAC7C,wBAAsB,UAAU,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,CAKhE;AAED,qFAAqF;AACrF,wBAAgB,eAAe,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAEtD;AAED;;;;GAIG;AACH,wBAAgB,mBAAmB,CACjC,MAAM,EAAE,WAAW,EACnB,UAAU,EAAE,MAAM,EAClB,MAAM,EAAE,MAAM,GAAG,QAAQ,GAAG,QAAQ,GAAG,QAAQ,GAC9C,OAAO,CAMT;AAED,0CAA0C;AAC1C,wBAAgB,yBAAyB,CAAC,MAAM,EAAE,WAAW,EAAE,IAAI,EAAE,MAAM,GAAG,OAAO,CAKpF;AAED,mDAAmD;AACnD,wBAAgB,wBAAwB,CAAC,MAAM,EAAE,WAAW,GAAG,OAAO,CAErE;AAED,oDAAoD;AACpD,wBAAgB,8BAA8B,CAAC,MAAM,EAAE,WAAW,GAAG,OAAO,CAE3E;AAED,gEAAgE;AAChE,wBAAgB,gBAAgB,CAAC,YAAY,EAAE,MAAM,EAAE,GAAG,IAAI,GAAG,SAAS,EAAE,EAAE,EAAE,MAAM,GAAG,OAAO,CAI/F"}