@actuate-media/cms-core 0.13.0 → 0.15.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (73) hide show
  1. package/LICENSE +21 -21
  2. package/dist/__tests__/api/api-key-auth.test.d.ts +2 -0
  3. package/dist/__tests__/api/api-key-auth.test.d.ts.map +1 -0
  4. package/dist/__tests__/api/api-key-auth.test.js +254 -0
  5. package/dist/__tests__/api/api-key-auth.test.js.map +1 -0
  6. package/dist/__tests__/api/public-seo.test.d.ts +2 -0
  7. package/dist/__tests__/api/public-seo.test.d.ts.map +1 -0
  8. package/dist/__tests__/api/public-seo.test.js +341 -0
  9. package/dist/__tests__/api/public-seo.test.js.map +1 -0
  10. package/dist/__tests__/security/api-key-enhanced.test.d.ts +2 -0
  11. package/dist/__tests__/security/api-key-enhanced.test.d.ts.map +1 -0
  12. package/dist/__tests__/security/api-key-enhanced.test.js +110 -0
  13. package/dist/__tests__/security/api-key-enhanced.test.js.map +1 -0
  14. package/dist/__tests__/seo/page-meta.test.d.ts +2 -0
  15. package/dist/__tests__/seo/page-meta.test.d.ts.map +1 -0
  16. package/dist/__tests__/seo/page-meta.test.js +204 -0
  17. package/dist/__tests__/seo/page-meta.test.js.map +1 -0
  18. package/dist/api/handler-factory.d.ts.map +1 -1
  19. package/dist/api/handler-factory.js +20 -2
  20. package/dist/api/handler-factory.js.map +1 -1
  21. package/dist/api/handlers.d.ts.map +1 -1
  22. package/dist/api/handlers.js +764 -31
  23. package/dist/api/handlers.js.map +1 -1
  24. package/dist/config/types.d.ts +75 -0
  25. package/dist/config/types.d.ts.map +1 -1
  26. package/dist/security/api-key-enhanced.d.ts +48 -5
  27. package/dist/security/api-key-enhanced.d.ts.map +1 -1
  28. package/dist/security/api-key-enhanced.js +60 -9
  29. package/dist/security/api-key-enhanced.js.map +1 -1
  30. package/dist/seo/index.d.ts +2 -0
  31. package/dist/seo/index.d.ts.map +1 -1
  32. package/dist/seo/index.js +1 -0
  33. package/dist/seo/index.js.map +1 -1
  34. package/dist/seo/page-meta.d.ts +79 -0
  35. package/dist/seo/page-meta.d.ts.map +1 -0
  36. package/dist/seo/page-meta.js +209 -0
  37. package/dist/seo/page-meta.js.map +1 -0
  38. package/generated/browser.ts +109 -0
  39. package/generated/client.ts +133 -0
  40. package/generated/commonInputTypes.ts +709 -0
  41. package/generated/enums.ts +125 -0
  42. package/generated/internal/class.ts +376 -0
  43. package/generated/internal/prismaNamespace.ts +2617 -0
  44. package/generated/internal/prismaNamespaceBrowser.ts +611 -0
  45. package/generated/models/ApiKey.ts +1550 -0
  46. package/generated/models/AuditLog.ts +1206 -0
  47. package/generated/models/BackupRecord.ts +1250 -0
  48. package/generated/models/ContentLock.ts +1472 -0
  49. package/generated/models/ContentTemplate.ts +1416 -0
  50. package/generated/models/Document.ts +3005 -0
  51. package/generated/models/Folder.ts +1904 -0
  52. package/generated/models/FormSubmission.ts +1200 -0
  53. package/generated/models/InAppNotification.ts +1457 -0
  54. package/generated/models/Media.ts +2340 -0
  55. package/generated/models/MediaUsage.ts +1472 -0
  56. package/generated/models/OAuthAccount.ts +1463 -0
  57. package/generated/models/Redirect.ts +1284 -0
  58. package/generated/models/Session.ts +1492 -0
  59. package/generated/models/Site.ts +1206 -0
  60. package/generated/models/User.ts +3513 -0
  61. package/generated/models/Version.ts +1511 -0
  62. package/generated/models/WorkflowState.ts +1514 -0
  63. package/generated/models.ts +29 -0
  64. package/package.json +1 -1
  65. package/prisma/cms-schema.prisma +306 -306
  66. package/prisma/migrations/0001_init/migration.sql +384 -384
  67. package/prisma/migrations/0002_folders/migration.sql +39 -39
  68. package/prisma/migrations/0003_search_and_webhooks/migration.sql +50 -50
  69. package/prisma/migrations/0004_script_tags/migration.sql +21 -21
  70. package/prisma/migrations/0005_password_reset_tokens/migration.sql +20 -20
  71. package/prisma/migrations/0006_page_builder/migration.sql +38 -38
  72. package/prisma/migrations/migration_lock.toml +3 -3
  73. package/prisma/schema.prisma +549 -549
package/LICENSE CHANGED
@@ -1,21 +1,21 @@
1
- MIT License
2
-
3
- Copyright (c) 2026 Actuate Media
4
-
5
- Permission is hereby granted, free of charge, to any person obtaining a copy
6
- of this software and associated documentation files (the "Software"), to deal
7
- in the Software without restriction, including without limitation the rights
8
- to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
9
- copies of the Software, and to permit persons to whom the Software is
10
- furnished to do so, subject to the following conditions:
11
-
12
- The above copyright notice and this permission notice shall be included in all
13
- copies or substantial portions of the Software.
14
-
15
- THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
16
- IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
17
- FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
18
- AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
19
- LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
20
- OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
21
- SOFTWARE.
1
+ MIT License
2
+
3
+ Copyright (c) 2026 Actuate Media
4
+
5
+ Permission is hereby granted, free of charge, to any person obtaining a copy
6
+ of this software and associated documentation files (the "Software"), to deal
7
+ in the Software without restriction, including without limitation the rights
8
+ to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
9
+ copies of the Software, and to permit persons to whom the Software is
10
+ furnished to do so, subject to the following conditions:
11
+
12
+ The above copyright notice and this permission notice shall be included in all
13
+ copies or substantial portions of the Software.
14
+
15
+ THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
16
+ IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
17
+ FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
18
+ AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
19
+ LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
20
+ OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
21
+ SOFTWARE.
package/dist/__tests__/api/api-key-auth.test.d.ts ADDED
@@ -0,0 +1,2 @@
1
+ export {};
2
+ //# sourceMappingURL=api-key-auth.test.d.ts.map
package/dist/__tests__/api/api-key-auth.test.d.ts.map ADDED
@@ -0,0 +1 @@
1
+ {"version":3,"file":"api-key-auth.test.d.ts","sourceRoot":"","sources":["../../../src/__tests__/api/api-key-auth.test.ts"],"names":[],"mappings":""}
package/dist/__tests__/api/api-key-auth.test.js ADDED
@@ -0,0 +1,254 @@
1
+ import { beforeEach, describe, expect, it } from 'vitest';
2
+ import { handleActuateAPI } from '../../api/index.js';
3
+ import { initDB } from '../../db.js';
4
+ import { generateApiKey } from '../../security/api-key-enhanced.js';
5
+ // Make sure the API surface that authenticates via API keys actually:
6
+ // 1. accepts an `Authorization: Bearer act_sk_*` token without CSRF,
7
+ // 2. enforces the key's scopes (collection + action),
8
+ // 3. rejects revoked/expired keys.
9
+ //
10
+ // We don't spin up the real database for these — a mock Prisma client that
11
+ // answers `apiKey.findUnique` and a minimal `document` interface is enough
12
+ // to exercise the auth + CSRF skip + scope check paths.
13
+ const VALID_SECRET = 'a'.repeat(48);
14
+ function createMockDB(opts) {
15
+ const apiKey = opts.apiKey;
16
+ return {
17
+ apiKey: {
18
+ // `hasModel` probes for `findMany` to decide whether the model exists
19
+ // on the Prisma client. Including a stub here is enough to clear the
20
+ // check even though our tests only exercise findUnique/update.
21
+ findMany: async () => (apiKey ? [apiKey] : []),
22
+ findUnique: async ({ where }) => {
23
+ if (!apiKey)
24
+ return null;
25
+ if (apiKey.keyHash !== where.keyHash)
26
+ return null;
27
+ return apiKey;
28
+ },
29
+ update: async () => apiKey,
30
+ },
31
+ document: {
32
+ findMany: async () => [],
33
+ count: async () => 0,
34
+ create: async ({ data }) => ({
35
+ ...data,
36
+ id: 'doc-1',
37
+ createdAt: new Date(),
38
+ updatedAt: new Date(),
39
+ }),
40
+ },
41
+ user: {},
42
+ session: {},
43
+ media: {},
44
+ };
45
+ }
46
+ async function makeKey(scopes) {
47
+ const { key, keyHash, keyPrefix } = await generateApiKey({ prefix: 'act_sk', scopes });
48
+ return {
49
+ key,
50
+ record: {
51
+ id: 'apikey-1',
52
+ keyHash,
53
+ keyPrefix,
54
+ userId: 'user-1',
55
+ scopes,
56
+ ipRestrictions: null,
57
+ expiresAt: null,
58
+ lastUsedAt: null,
59
+ revokedAt: null,
60
+ },
61
+ };
62
+ }
63
+ describe('API key authentication', () => {
64
+ beforeEach(() => {
65
+ delete globalThis.__actuateConfig;
66
+ process.env.CMS_SECRET = VALID_SECRET;
67
+ });
68
+ it('allows a request authenticated by a valid API key (no CSRF token)', async () => {
69
+ const { key, record } = await makeKey({ collections: ['posts'], actions: ['read'] });
70
+ const db = createMockDB({ apiKey: record });
71
+ initDB(db);
72
+ const handler = handleActuateAPI({
73
+ prismaClient: db,
74
+ config: {
75
+ collections: {
76
+ posts: { slug: 'posts', labels: { singular: 'Post', plural: 'Posts' }, fields: {} },
77
+ },
78
+ },
79
+ });
80
+ const response = await handler(new Request('https://example.com/api/cms/collections/posts', {
81
+ headers: { Authorization: `Bearer ${key}` },
82
+ }));
83
+ expect(response.status).toBe(200);
84
+ });
85
+ it('rejects with 401 when bearer token does not match any API key in the DB', async () => {
86
+ const { record } = await makeKey({ admin: true });
87
+ const db = createMockDB({ apiKey: record });
88
+ initDB(db);
89
+ const handler = handleActuateAPI({
90
+ prismaClient: db,
91
+ config: {
92
+ collections: {
93
+ posts: { slug: 'posts', labels: { singular: 'Post', plural: 'Posts' }, fields: {} },
94
+ },
95
+ },
96
+ });
97
+ const fakeKey = 'act_sk_' + 'f'.repeat(64);
98
+ const response = await handler(new Request('https://example.com/api/cms/collections/posts', {
99
+ headers: { Authorization: `Bearer ${fakeKey}` },
100
+ }));
101
+ expect(response.status).toBe(401);
102
+ });
103
+ it('rejects revoked API keys', async () => {
104
+ const { key, record } = await makeKey({ admin: true });
105
+ record.revokedAt = new Date();
106
+ const db = createMockDB({ apiKey: record });
107
+ initDB(db);
108
+ const handler = handleActuateAPI({
109
+ prismaClient: db,
110
+ config: {
111
+ collections: {
112
+ posts: { slug: 'posts', labels: { singular: 'Post', plural: 'Posts' }, fields: {} },
113
+ },
114
+ },
115
+ });
116
+ const response = await handler(new Request('https://example.com/api/cms/collections/posts', {
117
+ headers: { Authorization: `Bearer ${key}` },
118
+ }));
119
+ expect(response.status).toBe(401);
120
+ });
121
+ it('rejects expired API keys', async () => {
122
+ const { key, record } = await makeKey({ admin: true });
123
+ record.expiresAt = new Date(Date.now() - 60_000);
124
+ const db = createMockDB({ apiKey: record });
125
+ initDB(db);
126
+ const handler = handleActuateAPI({
127
+ prismaClient: db,
128
+ config: {
129
+ collections: {
130
+ posts: { slug: 'posts', labels: { singular: 'Post', plural: 'Posts' }, fields: {} },
131
+ },
132
+ },
133
+ });
134
+ const response = await handler(new Request('https://example.com/api/cms/collections/posts', {
135
+ headers: { Authorization: `Bearer ${key}` },
136
+ }));
137
+ expect(response.status).toBe(401);
138
+ });
139
+ it('rejects with 403 when scope does not include the requested collection', async () => {
140
+ const { key, record } = await makeKey({ collections: ['posts'], actions: ['read'] });
141
+ const db = createMockDB({ apiKey: record });
142
+ initDB(db);
143
+ const handler = handleActuateAPI({
144
+ prismaClient: db,
145
+ config: {
146
+ collections: {
147
+ posts: { slug: 'posts', labels: { singular: 'Post', plural: 'Posts' }, fields: {} },
148
+ pages: { slug: 'pages', labels: { singular: 'Page', plural: 'Pages' }, fields: {} },
149
+ },
150
+ },
151
+ });
152
+ const response = await handler(new Request('https://example.com/api/cms/collections/pages', {
153
+ headers: { Authorization: `Bearer ${key}` },
154
+ }));
155
+ expect(response.status).toBe(403);
156
+ });
157
+ it('rejects with 403 when scope does not include the requested action', async () => {
158
+ const { key, record } = await makeKey({ collections: ['posts'], actions: ['read'] });
159
+ const db = createMockDB({ apiKey: record });
160
+ initDB(db);
161
+ const handler = handleActuateAPI({
162
+ prismaClient: db,
163
+ config: {
164
+ collections: {
165
+ posts: { slug: 'posts', labels: { singular: 'Post', plural: 'Posts' }, fields: {} },
166
+ },
167
+ },
168
+ });
169
+ // POST should be blocked without `create` in actions — and crucially the
170
+ // request has no CSRF token, so we're confirming that the API-key path
171
+ // bypassed CSRF and got as far as scope enforcement before failing.
172
+ const response = await handler(new Request('https://example.com/api/cms/collections/posts', {
173
+ method: 'POST',
174
+ headers: { Authorization: `Bearer ${key}`, 'Content-Type': 'application/json' },
175
+ body: JSON.stringify({ title: 'Hello' }),
176
+ }));
177
+ expect(response.status).toBe(403);
178
+ });
179
+ it('CSRF middleware does not block API-key POST requests', async () => {
180
+ // Same shape as the previous test but with create scope — the request
181
+ // should make it past CSRF, past scope, and at least into the action
182
+ // handler. A 500/400 from the action layer here would still mean the
183
+ // CSRF check passed (which is what we're asserting).
184
+ const { key, record } = await makeKey({
185
+ collections: ['posts'],
186
+ actions: ['create'],
187
+ admin: false,
188
+ });
189
+ const db = createMockDB({ apiKey: record });
190
+ initDB(db);
191
+ const handler = handleActuateAPI({
192
+ prismaClient: db,
193
+ config: {
194
+ collections: {
195
+ posts: { slug: 'posts', labels: { singular: 'Post', plural: 'Posts' }, fields: {} },
196
+ },
197
+ },
198
+ });
199
+ const response = await handler(new Request('https://example.com/api/cms/collections/posts', {
200
+ method: 'POST',
201
+ headers: { Authorization: `Bearer ${key}`, 'Content-Type': 'application/json' },
202
+ body: JSON.stringify({ title: 'Hello' }),
203
+ }));
204
+ // Should not be a 403 CSRF rejection.
205
+ expect(response.status).not.toBe(403);
206
+ if (response.status === 403) {
207
+ const body = await response.json().catch(() => ({}));
208
+ expect(body.error).not.toBe('Invalid CSRF token');
209
+ }
210
+ });
211
+ it('non-API-key requests still require CSRF for POST', async () => {
212
+ const db = createMockDB({});
213
+ initDB(db);
214
+ const handler = handleActuateAPI({
215
+ prismaClient: db,
216
+ config: {
217
+ collections: {
218
+ posts: { slug: 'posts', labels: { singular: 'Post', plural: 'Posts' }, fields: {} },
219
+ },
220
+ },
221
+ });
222
+ const response = await handler(new Request('https://example.com/api/cms/collections/posts', {
223
+ method: 'POST',
224
+ headers: { 'Content-Type': 'application/json' },
225
+ body: JSON.stringify({ title: 'Hello' }),
226
+ }));
227
+ expect(response.status).toBe(403);
228
+ const body = await response.json().catch(() => ({}));
229
+ expect(body.error).toBe('Invalid CSRF token');
230
+ });
231
+ it('admin scope grants access to any collection', async () => {
232
+ const { key, record } = await makeKey({ admin: true });
233
+ const db = createMockDB({ apiKey: record });
234
+ initDB(db);
235
+ const handler = handleActuateAPI({
236
+ prismaClient: db,
237
+ config: {
238
+ collections: {
239
+ posts: { slug: 'posts', labels: { singular: 'Post', plural: 'Posts' }, fields: {} },
240
+ pages: { slug: 'pages', labels: { singular: 'Page', plural: 'Pages' }, fields: {} },
241
+ },
242
+ },
243
+ });
244
+ const a = await handler(new Request('https://example.com/api/cms/collections/posts', {
245
+ headers: { Authorization: `Bearer ${key}` },
246
+ }));
247
+ const b = await handler(new Request('https://example.com/api/cms/collections/pages', {
248
+ headers: { Authorization: `Bearer ${key}` },
249
+ }));
250
+ expect(a.status).toBe(200);
251
+ expect(b.status).toBe(200);
252
+ });
253
+ });
254
+ //# sourceMappingURL=api-key-auth.test.js.map
package/dist/__tests__/api/api-key-auth.test.js.map ADDED
@@ -0,0 +1 @@
1
+ {"version":3,"file":"api-key-auth.test.js","sourceRoot":"","sources":["../../../src/__tests__/api/api-key-auth.test.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,UAAU,EAAE,QAAQ,EAAE,MAAM,EAAE,EAAE,EAAE,MAAM,QAAQ,CAAA;AAEzD,OAAO,EAAE,gBAAgB,EAAE,MAAM,oBAAoB,CAAA;AACrD,OAAO,EAAE,MAAM,EAAE,MAAM,aAAa,CAAA;AACpC,OAAO,EAAE,cAAc,EAAE,MAAM,oCAAoC,CAAA;AAGnE,sEAAsE;AACtE,uEAAuE;AACvE,wDAAwD;AACxD,qCAAqC;AACrC,EAAE;AACF,2EAA2E;AAC3E,2EAA2E;AAC3E,wDAAwD;AAExD,MAAM,YAAY,GAAG,GAAG,CAAC,MAAM,CAAC,EAAE,CAAC,CAAA;AAcnC,SAAS,YAAY,CAAC,IAAiE;IACrF,MAAM,MAAM,GAAG,IAAI,CAAC,MAAM,CAAA;IAC1B,OAAO;QACL,MAAM,EAAE;YACN,sEAAsE;YACtE,qEAAqE;YACrE,+DAA+D;YAC/D,QAAQ,EAAE,KAAK,IAAI,EAAE,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;YAC9C,UAAU,EAAE,KAAK,EAAE,EAAE,KAAK,EAAkC,EAAE,EAAE;gBAC9D,IAAI,CAAC,MAAM;oBAAE,OAAO,IAAI,CAAA;gBACxB,IAAI,MAAM,CAAC,OAAO,KAAK,KAAK,CAAC,OAAO;oBAAE,OAAO,IAAI,CAAA;gBACjD,OAAO,MAAM,CAAA;YACf,CAAC;YACD,MAAM,EAAE,KAAK,IAAI,EAAE,CAAC,MAAM;SAC3B;QACD,QAAQ,EAAE;YACR,QAAQ,EAAE,KAAK,IAAI,EAAE,CAAC,EAAE;YACxB,KAAK,EAAE,KAAK,IAAI,EAAE,CAAC,CAAC;YACpB,MAAM,EAAE,KAAK,EAAE,EAAE,IAAI,EAAO,EAAE,EAAE,CAAC,CAAC;gBAChC,GAAG,IAAI;gBACP,EAAE,EAAE,OAAO;gBACX,SAAS,EAAE,IAAI,IAAI,EAAE;gBACrB,SAAS,EAAE,IAAI,IAAI,EAAE;aACtB,CAAC;SACH;QACD,IAAI,EAAE,EAAE;QACR,OAAO,EAAE,EAAE;QACX,KAAK,EAAE,EAAE;KACH,CAAA;AACV,CAAC;AAED,KAAK,UAAU,OAAO,CAAC,MAAmB;IACxC,MAAM,EAAE,GAAG,EAAE,OAAO,EAAE,SAAS,EAAE,GAAG,MAAM,cAAc,CAAC,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,EAAE,CAAC,CAAA;IACtF,OAAO;QACL,GAAG;QACH,MAAM,EAAE;YACN,EAAE,EAAE,UAAU;YACd,OAAO;YACP,SAAS;YACT,MAAM,EAAE,QAAQ;YAChB,MAAM;YACN,cAAc,EAAE,IAAI;YACpB,SAAS,EAAE,IAAI;YACf,UAAU,EAAE,IAAI;YAChB,SAAS,EAAE,IAAI;SAChB;KACF,CAAA;AACH,CAAC;AAED,QAAQ,CAAC,wBAAwB,EAAE,GAAG,EAAE;IACtC,UAAU,CAAC,GAAG,EAAE;QACd,OAAQ,UAAkB,CAAC,eAAe,CAAA;QAC1C,OAAO,CAAC,GAAG,CAAC,UAAU,GAAG,YAAY,CAAA;IACvC,CAAC,CAAC,CAAA;IAEF,EAAE,CAAC,mEAAmE,EAAE,KAAK,IAAI,EAAE;QACjF,MAAM,EAAE,GAAG,EAAE,MAAM,EAAE,GAAG,MAAM,OAAO,CAAC,EAAE,WAAW,EAAE,CAAC,OAAO,CAAC,EAAE,OAAO,EAAE,CAAC,MAAM,CAAC,EAAE,CAAC,CAAA;QACpF,MAAM,EAAE,GAAG,YAAY,CAAC,EAAE,MAAM,EAAE,MAAM,EAAE,CAAC,CAAA;QAC3C,MAAM,CAAC,EAAE,CAAC,CAAA;QACV,MAAM,OAAO,GAAG,gBAAgB,CAAC;YAC/B,YAAY,EAAE,EAAE;YAChB,MAAM,EAAE;gBACN,WAAW,EAAE;oBACX,KAAK,EAAE,EAAE,IAAI,EAAE,OAAO,EAAE,MAAM,EAAE,EAAE,QAAQ,EAAE,MAAM,EAAE,MAAM,EAAE,OAAO,EAAE,EAAE,MAAM,EAAE,EAAE,EAAE;iBACpF;aACF;SACF,CAAC,CAAA;QAEF,MAAM,QAAQ,GAAG,MAAM,OAAO,CAC5B,IAAI,OAAO,CAAC,+CAA+C,EAAE;YAC3D,OAAO,EAAE,EAAE,aAAa,EAAE,UAAU,GAAG,EAAE,EAAE;SAC5C,CAAC,CACH,CAAA;QAED,MAAM,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAA;IACnC,CAAC,CAAC,CAAA;IAEF,EAAE,CAAC,yEAAyE,EAAE,KAAK,IAAI,EAAE;QACvF,MAAM,EAAE,MAAM,EAAE,GAAG,MAAM,OAAO,CAAC,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC,CAAA;QACjD,MAAM,EAAE,GAAG,YAAY,CAAC,EAAE,MAAM,EAAE,MAAM,EAAE,CAAC,CAAA;QAC3C,MAAM,CAAC,EAAE,CAAC,CAAA;QACV,MAAM,OAAO,GAAG,gBAAgB,CAAC;YAC/B,YAAY,EAAE,EAAE;YAChB,MAAM,EAAE;gBACN,WAAW,EAAE;oBACX,KAAK,EAAE,EAAE,IAAI,EAAE,OAAO,EAAE,MAAM,EAAE,EAAE,QAAQ,EAAE,MAAM,EAAE,MAAM,EAAE,OAAO,EAAE,EAAE,MAAM,EAAE,EAAE,EAAE;iBACpF;aACF;SACF,CAAC,CAAA;QAEF,MAAM,OAAO,GAAG,SAAS,GAAG,GAAG,CAAC,MAAM,CAAC,EAAE,CAAC,CAAA;QAC1C,MAAM,QAAQ,GAAG,MAAM,OAAO,CAC5B,IAAI,OAAO,CAAC,+CAA+C,EAAE;YAC3D,OAAO,EAAE,EAAE,aAAa,EAAE,UAAU,OAAO,EAAE,EAAE;SAChD,CAAC,CACH,CAAA;QAED,MAAM,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAA;IACnC,CAAC,CAAC,CAAA;IAEF,EAAE,CAAC,0BAA0B,EAAE,KAAK,IAAI,EAAE;QACxC,MAAM,EAAE,GAAG,EAAE,MAAM,EAAE,GAAG,MAAM,OAAO,CAAC,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC,CAAA;QACtD,MAAM,CAAC,SAAS,GAAG,IAAI,IAAI,EAAE,CAAA;QAC7B,MAAM,EAAE,GAAG,YAAY,CAAC,EAAE,MAAM,EAAE,MAAM,EAAE,CAAC,CAAA;QAC3C,MAAM,CAAC,EAAE,CAAC,CAAA;QACV,MAAM,OAAO,GAAG,gBAAgB,CAAC;YAC/B,YAAY,EAAE,EAAE;YAChB,MAAM,EAAE;gBACN,WAAW,EAAE;oBACX,KAAK,EAAE,EAAE,IAAI,EAAE,OAAO,EAAE,MAAM,EAAE,EAAE,QAAQ,EAAE,MAAM,EAAE,MAAM,EAAE,OAAO,EAAE,EAAE,MAAM,EAAE,EAAE,EAAE;iBACpF;aACF;SACF,CAAC,CAAA;QAEF,MAAM,QAAQ,GAAG,MAAM,OAAO,CAC5B,IAAI,OAAO,CAAC,+CAA+C,EAAE;YAC3D,OAAO,EAAE,EAAE,aAAa,EAAE,UAAU,GAAG,EAAE,EAAE;SAC5C,CAAC,CACH,CAAA;QAED,MAAM,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAA;IACnC,CAAC,CAAC,CAAA;IAEF,EAAE,CAAC,0BAA0B,EAAE,KAAK,IAAI,EAAE;QACxC,MAAM,EAAE,GAAG,EAAE,MAAM,EAAE,GAAG,MAAM,OAAO,CAAC,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC,CAAA;QACtD,MAAM,CAAC,SAAS,GAAG,IAAI,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,MAAM,CAAC,CAAA;QAChD,MAAM,EAAE,GAAG,YAAY,CAAC,EAAE,MAAM,EAAE,MAAM,EAAE,CAAC,CAAA;QAC3C,MAAM,CAAC,EAAE,CAAC,CAAA;QACV,MAAM,OAAO,GAAG,gBAAgB,CAAC;YAC/B,YAAY,EAAE,EAAE;YAChB,MAAM,EAAE;gBACN,WAAW,EAAE;oBACX,KAAK,EAAE,EAAE,IAAI,EAAE,OAAO,EAAE,MAAM,EAAE,EAAE,QAAQ,EAAE,MAAM,EAAE,MAAM,EAAE,OAAO,EAAE,EAAE,MAAM,EAAE,EAAE,EAAE;iBACpF;aACF;SACF,CAAC,CAAA;QAEF,MAAM,QAAQ,GAAG,MAAM,OAAO,CAC5B,IAAI,OAAO,CAAC,+CAA+C,EAAE;YAC3D,OAAO,EAAE,EAAE,aAAa,EAAE,UAAU,GAAG,EAAE,EAAE;SAC5C,CAAC,CACH,CAAA;QAED,MAAM,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAA;IACnC,CAAC,CAAC,CAAA;IAEF,EAAE,CAAC,uEAAuE,EAAE,KAAK,IAAI,EAAE;QACrF,MAAM,EAAE,GAAG,EAAE,MAAM,EAAE,GAAG,MAAM,OAAO,CAAC,EAAE,WAAW,EAAE,CAAC,OAAO,CAAC,EAAE,OAAO,EAAE,CAAC,MAAM,CAAC,EAAE,CAAC,CAAA;QACpF,MAAM,EAAE,GAAG,YAAY,CAAC,EAAE,MAAM,EAAE,MAAM,EAAE,CAAC,CAAA;QAC3C,MAAM,CAAC,EAAE,CAAC,CAAA;QACV,MAAM,OAAO,GAAG,gBAAgB,CAAC;YAC/B,YAAY,EAAE,EAAE;YAChB,MAAM,EAAE;gBACN,WAAW,EAAE;oBACX,KAAK,EAAE,EAAE,IAAI,EAAE,OAAO,EAAE,MAAM,EAAE,EAAE,QAAQ,EAAE,MAAM,EAAE,MAAM,EAAE,OAAO,EAAE,EAAE,MAAM,EAAE,EAAE,EAAE;oBACnF,KAAK,EAAE,EAAE,IAAI,EAAE,OAAO,EAAE,MAAM,EAAE,EAAE,QAAQ,EAAE,MAAM,EAAE,MAAM,EAAE,OAAO,EAAE,EAAE,MAAM,EAAE,EAAE,EAAE;iBACpF;aACF;SACF,CAAC,CAAA;QAEF,MAAM,QAAQ,GAAG,MAAM,OAAO,CAC5B,IAAI,OAAO,CAAC,+CAA+C,EAAE;YAC3D,OAAO,EAAE,EAAE,aAAa,EAAE,UAAU,GAAG,EAAE,EAAE;SAC5C,CAAC,CACH,CAAA;QAED,MAAM,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAA;IACnC,CAAC,CAAC,CAAA;IAEF,EAAE,CAAC,mEAAmE,EAAE,KAAK,IAAI,EAAE;QACjF,MAAM,EAAE,GAAG,EAAE,MAAM,EAAE,GAAG,MAAM,OAAO,CAAC,EAAE,WAAW,EAAE,CAAC,OAAO,CAAC,EAAE,OAAO,EAAE,CAAC,MAAM,CAAC,EAAE,CAAC,CAAA;QACpF,MAAM,EAAE,GAAG,YAAY,CAAC,EAAE,MAAM,EAAE,MAAM,EAAE,CAAC,CAAA;QAC3C,MAAM,CAAC,EAAE,CAAC,CAAA;QACV,MAAM,OAAO,GAAG,gBAAgB,CAAC;YAC/B,YAAY,EAAE,EAAE;YAChB,MAAM,EAAE;gBACN,WAAW,EAAE;oBACX,KAAK,EAAE,EAAE,IAAI,EAAE,OAAO,EAAE,MAAM,EAAE,EAAE,QAAQ,EAAE,MAAM,EAAE,MAAM,EAAE,OAAO,EAAE,EAAE,MAAM,EAAE,EAAE,EAAE;iBACpF;aACF;SACF,CAAC,CAAA;QAEF,yEAAyE;QACzE,uEAAuE;QACvE,oEAAoE;QACpE,MAAM,QAAQ,GAAG,MAAM,OAAO,CAC5B,IAAI,OAAO,CAAC,+CAA+C,EAAE;YAC3D,MAAM,EAAE,MAAM;YACd,OAAO,EAAE,EAAE,aAAa,EAAE,UAAU,GAAG,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE;YAC/E,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,EAAE,KAAK,EAAE,OAAO,EAAE,CAAC;SACzC,CAAC,CACH,CAAA;QAED,MAAM,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAA;IACnC,CAAC,CAAC,CAAA;IAEF,EAAE,CAAC,sDAAsD,EAAE,KAAK,IAAI,EAAE;QACpE,sEAAsE;QACtE,qEAAqE;QACrE,qEAAqE;QACrE,qDAAqD;QACrD,MAAM,EAAE,GAAG,EAAE,MAAM,EAAE,GAAG,MAAM,OAAO,CAAC;YACpC,WAAW,EAAE,CAAC,OAAO,CAAC;YACtB,OAAO,EAAE,CAAC,QAAQ,CAAC;YACnB,KAAK,EAAE,KAAK;SACb,CAAC,CAAA;QACF,MAAM,EAAE,GAAG,YAAY,CAAC,EAAE,MAAM,EAAE,MAAM,EAAE,CAAC,CAAA;QAC3C,MAAM,CAAC,EAAE,CAAC,CAAA;QACV,MAAM,OAAO,GAAG,gBAAgB,CAAC;YAC/B,YAAY,EAAE,EAAE;YAChB,MAAM,EAAE;gBACN,WAAW,EAAE;oBACX,KAAK,EAAE,EAAE,IAAI,EAAE,OAAO,EAAE,MAAM,EAAE,EAAE,QAAQ,EAAE,MAAM,EAAE,MAAM,EAAE,OAAO,EAAE,EAAE,MAAM,EAAE,EAAE,EAAE;iBACpF;aACF;SACF,CAAC,CAAA;QAEF,MAAM,QAAQ,GAAG,MAAM,OAAO,CAC5B,IAAI,OAAO,CAAC,+CAA+C,EAAE;YAC3D,MAAM,EAAE,MAAM;YACd,OAAO,EAAE,EAAE,aAAa,EAAE,UAAU,GAAG,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE;YAC/E,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,EAAE,KAAK,EAAE,OAAO,EAAE,CAAC;SACzC,CAAC,CACH,CAAA;QAED,sCAAsC;QACtC,MAAM,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,GAAG,CAAC,IAAI,CAAC,GAAG,CAAC,CAAA;QACrC,IAAI,QAAQ,CAAC,MAAM,KAAK,GAAG,EAAE,CAAC;YAC5B,MAAM,IAAI,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,CAAC,EAAE,CAAC,CAAC,CAAA;YACpD,MAAM,CAAE,IAAY,CAAC,KAAK,CAAC,CAAC,GAAG,CAAC,IAAI,CAAC,oBAAoB,CAAC,CAAA;QAC5D,CAAC;IACH,CAAC,CAAC,CAAA;IAEF,EAAE,CAAC,kDAAkD,EAAE,KAAK,IAAI,EAAE;QAChE,MAAM,EAAE,GAAG,YAAY,CAAC,EAAE,CAAC,CAAA;QAC3B,MAAM,CAAC,EAAE,CAAC,CAAA;QACV,MAAM,OAAO,GAAG,gBAAgB,CAAC;YAC/B,YAAY,EAAE,EAAE;YAChB,MAAM,EAAE;gBACN,WAAW,EAAE;oBACX,KAAK,EAAE,EAAE,IAAI,EAAE,OAAO,EAAE,MAAM,EAAE,EAAE,QAAQ,EAAE,MAAM,EAAE,MAAM,EAAE,OAAO,EAAE,EAAE,MAAM,EAAE,EAAE,EAAE;iBACpF;aACF;SACF,CAAC,CAAA;QAEF,MAAM,QAAQ,GAAG,MAAM,OAAO,CAC5B,IAAI,OAAO,CAAC,+CAA+C,EAAE;YAC3D,MAAM,EAAE,MAAM;YACd,OAAO,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE;YAC/C,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,EAAE,KAAK,EAAE,OAAO,EAAE,CAAC;SACzC,CAAC,CACH,CAAA;QAED,MAAM,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAA;QACjC,MAAM,IAAI,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,CAAC,EAAE,CAAC,CAAC,CAAA;QACpD,MAAM,CAAE,IAAY,CAAC,KAAK,CAAC,CAAC,IAAI,CAAC,oBAAoB,CAAC,CAAA;IACxD,CAAC,CAAC,CAAA;IAEF,EAAE,CAAC,6CAA6C,EAAE,KAAK,IAAI,EAAE;QAC3D,MAAM,EAAE,GAAG,EAAE,MAAM,EAAE,GAAG,MAAM,OAAO,CAAC,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC,CAAA;QACtD,MAAM,EAAE,GAAG,YAAY,CAAC,EAAE,MAAM,EAAE,MAAM,EAAE,CAAC,CAAA;QAC3C,MAAM,CAAC,EAAE,CAAC,CAAA;QACV,MAAM,OAAO,GAAG,gBAAgB,CAAC;YAC/B,YAAY,EAAE,EAAE;YAChB,MAAM,EAAE;gBACN,WAAW,EAAE;oBACX,KAAK,EAAE,EAAE,IAAI,EAAE,OAAO,EAAE,MAAM,EAAE,EAAE,QAAQ,EAAE,MAAM,EAAE,MAAM,EAAE,OAAO,EAAE,EAAE,MAAM,EAAE,EAAE,EAAE;oBACnF,KAAK,EAAE,EAAE,IAAI,EAAE,OAAO,EAAE,MAAM,EAAE,EAAE,QAAQ,EAAE,MAAM,EAAE,MAAM,EAAE,OAAO,EAAE,EAAE,MAAM,EAAE,EAAE,EAAE;iBACpF;aACF;SACF,CAAC,CAAA;QAEF,MAAM,CAAC,GAAG,MAAM,OAAO,CACrB,IAAI,OAAO,CAAC,+CAA+C,EAAE;YAC3D,OAAO,EAAE,EAAE,aAAa,EAAE,UAAU,GAAG,EAAE,EAAE;SAC5C,CAAC,CACH,CAAA;QACD,MAAM,CAAC,GAAG,MAAM,OAAO,CACrB,IAAI,OAAO,CAAC,+CAA+C,EAAE;YAC3D,OAAO,EAAE,EAAE,aAAa,EAAE,UAAU,GAAG,EAAE,EAAE;SAC5C,CAAC,CACH,CAAA;QAED,MAAM,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAA;QAC1B,MAAM,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAA;IAC5B,CAAC,CAAC,CAAA;AACJ,CAAC,CAAC,CAAA"}
package/dist/__tests__/api/public-seo.test.d.ts ADDED
@@ -0,0 +1,2 @@
1
+ export {};
2
+ //# sourceMappingURL=public-seo.test.d.ts.map
package/dist/__tests__/api/public-seo.test.d.ts.map ADDED
@@ -0,0 +1 @@
1
+ {"version":3,"file":"public-seo.test.d.ts","sourceRoot":"","sources":["../../../src/__tests__/api/public-seo.test.ts"],"names":[],"mappings":""}
package/dist/__tests__/api/public-seo.test.js ADDED
@@ -0,0 +1,341 @@
1
+ import { beforeEach, describe, expect, it } from 'vitest';
2
+ import { handleActuateAPI } from '../../api/index.js';
3
+ import { initDB } from '../../db.js';
4
+ function createMockDB(docs) {
5
+ const findFirst = async (args) => {
6
+ const where = args?.where ?? {};
7
+ const matches = docs.filter((d) => {
8
+ if (where.collection && d.collection !== where.collection)
9
+ return false;
10
+ if (where.status && d.status !== where.status)
11
+ return false;
12
+ if (where.deletedAt === null) {
13
+ // mock docs never carry deletedAt
14
+ }
15
+ if (where.OR && Array.isArray(where.OR)) {
16
+ return where.OR.some((clause) => {
17
+ if (clause.slug !== undefined)
18
+ return d.slug === clause.slug;
19
+ if (clause.data?.path && clause.data?.equals) {
20
+ const path = clause.data.path[0];
21
+ return d.data?.[path] === clause.data.equals;
22
+ }
23
+ return false;
24
+ });
25
+ }
26
+ return true;
27
+ });
28
+ const doc = matches[0];
29
+ if (!doc)
30
+ return null;
31
+ return {
32
+ ...doc,
33
+ publishedAt: doc.publishedAt ?? null,
34
+ updatedAt: doc.updatedAt ?? new Date('2026-03-15T12:00:00Z'),
35
+ createdAt: doc.createdAt ?? new Date('2026-01-01T00:00:00Z'),
36
+ structuredData: doc.structuredData ?? null,
37
+ };
38
+ };
39
+ const findMany = async (args) => {
40
+ const where = args?.where ?? {};
41
+ return docs.filter((d) => {
42
+ if (where.collection && d.collection !== where.collection)
43
+ return false;
44
+ if (where.status && d.status !== where.status)
45
+ return false;
46
+ return true;
47
+ });
48
+ };
49
+ return {
50
+ document: { findFirst, findMany },
51
+ user: {},
52
+ session: {},
53
+ media: {},
54
+ };
55
+ }
56
+ describe('public SEO routes', () => {
57
+ beforeEach(() => {
58
+ delete globalThis.__actuateConfig;
59
+ });
60
+ it('exposes /sitemap.xml as a sitemap index over configured collections', async () => {
61
+ const handler = handleActuateAPI({
62
+ prismaClient: createMockDB([]),
63
+ config: {
64
+ seo: { siteUrl: 'https://example.com', siteName: 'Example' },
65
+ collections: {
66
+ pages: {
67
+ slug: 'pages',
68
+ labels: { singular: 'Page', plural: 'Pages' },
69
+ urlPrefix: '',
70
+ type: 'page',
71
+ fields: {},
72
+ },
73
+ posts: {
74
+ slug: 'posts',
75
+ labels: { singular: 'Post', plural: 'Posts' },
76
+ urlPrefix: 'blog',
77
+ type: 'post',
78
+ fields: {},
79
+ },
80
+ },
81
+ },
82
+ });
83
+ const response = await handler(new Request('https://example.com/api/cms/sitemap.xml'));
84
+ expect(response.status).toBe(200);
85
+ expect(response.headers.get('Content-Type')).toContain('application/xml');
86
+ const text = await response.text();
87
+ expect(text).toContain('<sitemapindex');
88
+ expect(text).toContain('/api/cms/sitemaps/pages.xml');
89
+ expect(text).toContain('/api/cms/sitemaps/posts.xml');
90
+ });
91
+ it('respects seo.sitemap.excludeCollections', async () => {
92
+ const handler = handleActuateAPI({
93
+ prismaClient: createMockDB([]),
94
+ config: {
95
+ seo: {
96
+ siteUrl: 'https://example.com',
97
+ sitemap: { excludeCollections: ['drafts'] },
98
+ },
99
+ collections: {
100
+ pages: {
101
+ slug: 'pages',
102
+ labels: { singular: 'P', plural: 'Pp' },
103
+ urlPrefix: '',
104
+ fields: {},
105
+ },
106
+ drafts: {
107
+ slug: 'drafts',
108
+ labels: { singular: 'D', plural: 'Dd' },
109
+ urlPrefix: 'd',
110
+ fields: {},
111
+ },
112
+ },
113
+ },
114
+ });
115
+ const response = await handler(new Request('https://example.com/api/cms/sitemap.xml'));
116
+ const text = await response.text();
117
+ expect(text).toContain('/sitemaps/pages.xml');
118
+ expect(text).not.toContain('/sitemaps/drafts.xml');
119
+ });
120
+ it('returns 404 when seo.sitemap.disabled is true', async () => {
121
+ const handler = handleActuateAPI({
122
+ prismaClient: createMockDB([]),
123
+ config: {
124
+ seo: { siteUrl: 'https://example.com', sitemap: { disabled: true } },
125
+ collections: {
126
+ pages: { slug: 'pages', labels: { singular: 'P', plural: 'P' }, fields: {} },
127
+ },
128
+ },
129
+ });
130
+ const response = await handler(new Request('https://example.com/api/cms/sitemap.xml'));
131
+ expect(response.status).toBe(404);
132
+ });
133
+ it('renders per-collection sitemap with absolute URLs and lastmod', async () => {
134
+ const docs = [
135
+ {
136
+ id: '1',
137
+ slug: 'about',
138
+ collection: 'pages',
139
+ status: 'PUBLISHED',
140
+ data: { title: 'About', slug: 'about' },
141
+ updatedAt: new Date('2026-03-10T09:00:00Z'),
142
+ },
143
+ {
144
+ id: '2',
145
+ slug: 'contact',
146
+ collection: 'pages',
147
+ status: 'PUBLISHED',
148
+ data: { title: 'Contact', slug: 'contact' },
149
+ updatedAt: new Date('2026-03-11T09:00:00Z'),
150
+ },
151
+ ];
152
+ initDB(createMockDB(docs));
153
+ const handler = handleActuateAPI({
154
+ prismaClient: createMockDB(docs),
155
+ config: {
156
+ seo: { siteUrl: 'https://example.com' },
157
+ collections: {
158
+ pages: {
159
+ slug: 'pages',
160
+ labels: { singular: 'P', plural: 'Pp' },
161
+ urlPrefix: '',
162
+ type: 'page',
163
+ fields: {},
164
+ },
165
+ },
166
+ },
167
+ });
168
+ const response = await handler(new Request('https://example.com/api/cms/sitemaps/pages.xml'));
169
+ expect(response.status).toBe(200);
170
+ const text = await response.text();
171
+ expect(text).toContain('<urlset');
172
+ expect(text).toContain('<loc>https://example.com/about</loc>');
173
+ expect(text).toContain('<loc>https://example.com/contact</loc>');
174
+ expect(text).toContain('<priority>0.8</priority>');
175
+ expect(text).toContain('2026-03-10T09:00:00.000Z');
176
+ });
177
+ it('returns 404 for sitemap of an unknown collection', async () => {
178
+ const handler = handleActuateAPI({
179
+ prismaClient: createMockDB([]),
180
+ config: {
181
+ seo: { siteUrl: 'https://example.com' },
182
+ collections: {
183
+ pages: { slug: 'pages', labels: { singular: 'P', plural: 'P' }, fields: {} },
184
+ },
185
+ },
186
+ });
187
+ const response = await handler(new Request('https://example.com/api/cms/sitemaps/unknown.xml'));
188
+ expect(response.status).toBe(404);
189
+ });
190
+ it('includes archivePath in a post-type sitemap', async () => {
191
+ const docs = [
192
+ {
193
+ id: '1',
194
+ slug: 'first',
195
+ collection: 'posts',
196
+ status: 'PUBLISHED',
197
+ data: { title: 'First', slug: 'first' },
198
+ },
199
+ ];
200
+ initDB(createMockDB(docs));
201
+ const handler = handleActuateAPI({
202
+ prismaClient: createMockDB(docs),
203
+ config: {
204
+ seo: { siteUrl: 'https://example.com' },
205
+ collections: {
206
+ posts: {
207
+ slug: 'posts',
208
+ labels: { singular: 'Post', plural: 'Posts' },
209
+ urlPrefix: 'blog',
210
+ type: 'post',
211
+ seo: { archivePath: '/blog' },
212
+ fields: {},
213
+ },
214
+ },
215
+ },
216
+ });
217
+ const response = await handler(new Request('https://example.com/api/cms/sitemaps/posts.xml'));
218
+ const text = await response.text();
219
+ expect(text).toContain('<loc>https://example.com/blog</loc>');
220
+ expect(text).toContain('<loc>https://example.com/blog/first</loc>');
221
+ });
222
+ it('serves /robots.txt with a Sitemap reference', async () => {
223
+ const handler = handleActuateAPI({
224
+ prismaClient: createMockDB([]),
225
+ config: {
226
+ seo: { siteUrl: 'https://example.com' },
227
+ collections: {},
228
+ },
229
+ });
230
+ const response = await handler(new Request('https://example.com/api/cms/robots.txt'));
231
+ expect(response.status).toBe(200);
232
+ expect(response.headers.get('Content-Type')).toContain('text/plain');
233
+ const text = await response.text();
234
+ expect(text).toMatch(/^User-agent: \*/m);
235
+ expect(text).toContain('Disallow: /admin');
236
+ expect(text).toContain('Sitemap: https://example.com/api/cms/sitemap.xml');
237
+ });
238
+ it('appends AI bot blocks when seo.robots.blockAIBots is true', async () => {
239
+ const handler = handleActuateAPI({
240
+ prismaClient: createMockDB([]),
241
+ config: {
242
+ seo: { siteUrl: 'https://example.com', robots: { blockAIBots: true } },
243
+ collections: {},
244
+ },
245
+ });
246
+ const response = await handler(new Request('https://example.com/api/cms/robots.txt'));
247
+ const text = await response.text();
248
+ expect(text).toContain('User-agent: GPTBot');
249
+ expect(text).toContain('User-agent: ClaudeBot');
250
+ expect(text).toContain('Disallow: /');
251
+ });
252
+ it('returns 404 for /robots.txt when seo.robots.disabled is true', async () => {
253
+ const handler = handleActuateAPI({
254
+ prismaClient: createMockDB([]),
255
+ config: {
256
+ seo: { siteUrl: 'https://example.com', robots: { disabled: true } },
257
+ collections: {},
258
+ },
259
+ });
260
+ const response = await handler(new Request('https://example.com/api/cms/robots.txt'));
261
+ expect(response.status).toBe(404);
262
+ });
263
+ it('renders /og.png as an SVG OG card', async () => {
264
+ const handler = handleActuateAPI({
265
+ prismaClient: createMockDB([]),
266
+ config: {
267
+ seo: { siteUrl: 'https://example.com', siteName: 'Example' },
268
+ collections: {},
269
+ },
270
+ });
271
+ const response = await handler(new Request('https://example.com/api/cms/og.png?title=Hello%20World&description=Welcome'));
272
+ expect(response.status).toBe(200);
273
+ expect(response.headers.get('Content-Type')).toContain('image/svg+xml');
274
+ const text = await response.text();
275
+ expect(text).toContain('<svg');
276
+ expect(text).toContain('Hello');
277
+ expect(text).toContain('Example');
278
+ });
279
+ it('returns 404 for /og.png when seo.ogImage.disabled is true', async () => {
280
+ const handler = handleActuateAPI({
281
+ prismaClient: createMockDB([]),
282
+ config: {
283
+ seo: { siteUrl: 'https://example.com', ogImage: { disabled: true } },
284
+ collections: {},
285
+ },
286
+ });
287
+ const response = await handler(new Request('https://example.com/api/cms/og.png?title=X'));
288
+ expect(response.status).toBe(404);
289
+ });
290
+ it('enriches /resolve with composed jsonLd and meta', async () => {
291
+ const docs = [
292
+ {
293
+ id: 'post-1',
294
+ slug: 'hello',
295
+ collection: 'posts',
296
+ status: 'PUBLISHED',
297
+ data: {
298
+ title: 'Hello World',
299
+ slug: 'hello',
300
+ metaDescription: 'A first post',
301
+ authorName: 'Jane',
302
+ },
303
+ publishedAt: new Date('2026-02-01T00:00:00Z'),
304
+ updatedAt: new Date('2026-02-10T00:00:00Z'),
305
+ },
306
+ ];
307
+ initDB(createMockDB(docs));
308
+ const handler = handleActuateAPI({
309
+ prismaClient: createMockDB(docs),
310
+ config: {
311
+ seo: {
312
+ siteUrl: 'https://example.com',
313
+ siteName: 'Example',
314
+ organization: { name: 'Example Inc' },
315
+ },
316
+ collections: {
317
+ posts: {
318
+ slug: 'posts',
319
+ labels: { singular: 'Post', plural: 'Posts' },
320
+ urlPrefix: 'blog',
321
+ type: 'post',
322
+ fields: {},
323
+ },
324
+ },
325
+ },
326
+ });
327
+ const response = await handler(new Request('https://example.com/api/cms/resolve?path=/blog/hello'));
328
+ expect(response.status).toBe(200);
329
+ const body = (await response.json());
330
+ expect(body.meta).toBeDefined();
331
+ expect(body.meta.title).toBe('Hello World');
332
+ expect(body.meta.canonical).toBe('https://example.com/blog/hello');
333
+ expect(body.meta.tags['og:title']).toBe('Hello World');
334
+ expect(body.jsonLd['@type']).toBe('BlogPosting');
335
+ expect(body.jsonLd.author).toMatchObject({ '@type': 'Person', name: 'Jane' });
336
+ expect(body.jsonLd.publisher).toMatchObject({ '@type': 'Organization', name: 'Example Inc' });
337
+ expect(typeof body.jsonLdHtml).toBe('string');
338
+ expect(body.jsonLdHtml).toContain('<script type="application/ld+json">');
339
+ });
340
+ });
341
+ //# sourceMappingURL=public-seo.test.js.map