@actuate-media/cms-core 0.14.0 → 0.16.0

package/dist/api/handlers.js

@@ -177,6 +177,79 @@ function modelNotAvailable(name) {
         'Run `actuate db:init` for new schemas, or carefully update the existing Actuate block, create/apply a Prisma migration, then regenerate Prisma Client. ' +
         'See https://actuatecms.dev/docs/database-setup for required models.', 501);
 }
+/**
+ * XML-escape a value for safe inclusion in sitemap content. Sitemaps reject
+ * unescaped ampersands and angle brackets; URLs frequently contain `&` query
+ * separators, so this is non-optional.
+ */
+function escapeXml(value) {
+    return value
+        .replace(/&/g, '&')
+        .replace(/</g, '&lt;')
+        .replace(/>/g, '&gt;')
+        .replace(/"/g, '&quot;')
+        .replace(/'/g, '&apos;');
+}
+/**
+ * Renders a 1200x630 SVG suitable for og:image. We don't pull in Satori/resvg
+ * because most integrators don't need PNG — major crawlers (Facebook, Twitter,
+ * LinkedIn, Slack, Discord) handle image/svg+xml correctly. Sites that
+ * specifically need PNG can override with their own /og endpoint via
+ * @vercel/og and point `seo.defaultOgImage` at it.
+ */
+function renderOgSvg(opts) {
+    const { title, description, siteName, bg, fg, muted } = opts;
+    // Naive line wrapping at ~22 chars (large font). Good enough for an OG card;
+    // anything longer than ~3 lines gets truncated with an ellipsis.
+    const wrap = (text, maxChars, maxLines) => {
+        const words = text.split(/\s+/);
+        const lines = [];
+        let current = '';
+        for (const w of words) {
+            if (lines.length >= maxLines)
+                break;
+            const next = current ? `${current} ${w}` : w;
+            if (next.length > maxChars) {
+                if (current)
+                    lines.push(current);
+                current = w;
+                if (lines.length === maxLines - 1 && words.indexOf(w) < words.length - 1) {
+                    lines.push(current.length > maxChars ? current.slice(0, maxChars - 1) + '…' : current + '…');
+                    current = '';
+                    break;
+                }
+            }
+            else {
+                current = next;
+            }
+        }
+        if (current && lines.length < maxLines)
+            lines.push(current);
+        return lines;
+    };
+    const escapeSvg = (s) => s.replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;').replace(/"/g, '&quot;');
+    const titleLines = wrap(title, 28, 3);
+    const descLines = description ? wrap(description, 60, 2) : [];
+    const titleEls = titleLines
+        .map((line, i) => `<tspan x="60" dy="${i === 0 ? 0 : 78}">${escapeSvg(line)}</tspan>`)
+        .join('');
+    const descEls = descLines
+        .map((line, i) => `<tspan x="60" dy="${i === 0 ? 0 : 36}">${escapeSvg(line)}</tspan>`)
+        .join('');
+    // Layout: site name top-left, title bottom-left, description below title.
+    // Coordinates are roughly aligned to the 1200x630 spec used by every major
+    // social platform.
+    const titleY = descLines.length > 0 ? 360 : 420;
+    const descY = titleY + 80 * titleLines.length;
+    return `<?xml version="1.0" encoding="UTF-8"?>
+<svg xmlns="http://www.w3.org/2000/svg" width="1200" height="630" viewBox="0 0 1200 630">
+  <rect width="1200" height="630" fill="${bg}"/>
+  ${siteName ? `<text x="60" y="100" font-family="system-ui, -apple-system, Segoe UI, Arial, sans-serif" font-size="28" font-weight="500" fill="${muted}">${escapeSvg(siteName)}</text>` : ''}
+  <text x="60" y="${titleY}" font-family="system-ui, -apple-system, Segoe UI, Arial, sans-serif" font-size="68" font-weight="700" fill="${fg}">${titleEls}</text>
+  ${descLines.length > 0 ? `<text x="60" y="${descY}" font-family="system-ui, -apple-system, Segoe UI, Arial, sans-serif" font-size="30" fill="${muted}">${descEls}</text>` : ''}
+  <rect x="60" y="560" width="60" height="6" fill="${fg}" rx="3"/>
+</svg>`;
+}
 async function safeCount(model, where) {
     try {
         if (!model || typeof model !== 'object')
@@ -313,7 +386,7 @@ async function extractSession(request) {
             const ipRestrictions = Array.isArray(apiKey.ipRestrictions)
                 ? apiKey.ipRestrictions
                 : apiKey.ipRestrictions
-                    ? apiKey.ipRestrictions.allow ?? null
+                    ? (apiKey.ipRestrictions.allow ?? null)
                     : null;
             if (ipRestrictions && ipRestrictions.length > 0) {
                 const ip = getClientIp(request);
@@ -3118,6 +3191,237 @@ export function registerCMSRoutes(router) {
             return internalError(err, 'llms.txt');
         }
     });
+    // ---------------------------------------------------------------------------
+    // Public SEO surfaces: sitemap.xml, per-collection sitemaps, robots.txt,
+    // and the dynamic /og.png OG-image endpoint. These are unauthenticated by
+    // design — search engines and social crawlers will fetch them.
+    // ---------------------------------------------------------------------------
+    function siteUrlFromRequest(request) {
+        const cfg = getActuateConfig()?.seo;
+        if (cfg?.siteUrl)
+            return cfg.siteUrl.replace(/\/+$/, '');
+        // Fall back to the request origin so the routes work on preview deploys
+        // before the integrator has configured siteUrl.
+        try {
+            const u = new URL(request.url);
+            return `${u.protocol}//${u.host}`;
+        }
+        catch {
+            return '';
+        }
+    }
+    function sitemapEligibleCollections() {
+        const cfg = getActuateConfig();
+        if (!cfg)
+            return [];
+        const excluded = new Set(cfg.seo?.sitemap?.excludeCollections ?? []);
+        const out = [];
+        for (const [slug, col] of Object.entries(cfg.collections ?? {})) {
+            if (excluded.has(slug))
+                continue;
+            if (col.seo?.excludeFromSitemap)
+                continue;
+            out.push({ slug, urlPrefix: col.urlPrefix, type: col.type, seo: col.seo });
+        }
+        return out;
+    }
+    router.get('/sitemap.xml', async (request) => {
+        try {
+            const cfg = getActuateConfig();
+            if (cfg?.seo?.sitemap?.disabled)
+                return errorResponse('Sitemap disabled', 404);
+            const base = siteUrlFromRequest(request);
+            const cols = sitemapEligibleCollections();
+            // Sitemap index points at /sitemaps/:slug.xml for each collection.
+            const sitemaps = cols
+                .map((c) => [
+                '  <sitemap>',
+                `    <loc>${base}/api/cms/sitemaps/${c.slug}.xml</loc>`,
+                `    <lastmod>${new Date().toISOString()}</lastmod>`,
+                '  </sitemap>',
+            ].join('\n'))
+                .join('\n');
+            const xml = [
+                '<?xml version="1.0" encoding="UTF-8"?>',
+                '<sitemapindex xmlns="http://www.sitemaps.org/schemas/sitemap/0.9">',
+                sitemaps,
+                '</sitemapindex>',
+            ].join('\n');
+            return new Response(xml, {
+                status: 200,
+                headers: {
+                    'Content-Type': 'application/xml; charset=utf-8',
+                    'Cache-Control': 'public, max-age=300, s-maxage=600',
+                },
+            });
+        }
+        catch (err) {
+            return internalError(err, 'sitemap.xml');
+        }
+    });
+    // The router's path-param syntax (`:name`) greedily matches everything up
+    // to the next `/`, so registering as `/sitemaps/:slug.xml` would capture
+    // `slug.xml` into a single param. We register `/sitemaps/:slug` instead and
+    // require the `.xml` suffix in the handler.
+    router.get('/sitemaps/:slug', async (request, params) => {
+        try {
+            const cfg = getActuateConfig();
+            if (cfg?.seo?.sitemap?.disabled)
+                return errorResponse('Sitemap disabled', 404);
+            const slugParam = params.slug ?? '';
+            if (!/\.xml$/i.test(slugParam))
+                return errorResponse('Sitemap not found', 404);
+            const rawSlug = slugParam.replace(/\.xml$/i, '');
+            const collection = cfg?.collections?.[rawSlug];
+            if (!collection)
+                return errorResponse('Collection not found', 404);
+            if (collection.seo?.excludeFromSitemap)
+                return errorResponse('Collection excluded from sitemap', 404);
+            const base = siteUrlFromRequest(request);
+            const docs = await db().document.findMany({
+                where: { collection: rawSlug, deletedAt: null, status: 'PUBLISHED' },
+                select: { slug: true, updatedAt: true, data: true },
+                orderBy: { updatedAt: 'desc' },
+                take: 5000,
+            });
+            const prefix = (collection.urlPrefix ?? '').replace(/^\/|\/$/g, '');
+            const defaultPriority = collection.seo?.sitemapPriority ??
+                cfg?.seo?.sitemap?.defaultPriority ??
+                (collection.type === 'page' ? 0.8 : 0.6);
+            const changefreq = collection.seo?.sitemapChangeFreq ?? cfg?.seo?.sitemap?.defaultChangeFreq ?? 'weekly';
+            const urls = [];
+            // Archive page first (e.g. /blog) for post-type collections.
+            if (collection.seo?.archivePath && collection.type === 'post') {
+                const archive = collection.seo.archivePath.startsWith('http')
+                    ? collection.seo.archivePath
+                    : `${base}${collection.seo.archivePath}`;
+                urls.push([
+                    '  <url>',
+                    `    <loc>${escapeXml(archive)}</loc>`,
+                    `    <lastmod>${new Date().toISOString()}</lastmod>`,
+                    `    <changefreq>${changefreq}</changefreq>`,
+                    '    <priority>0.6</priority>',
+                    '  </url>',
+                ].join('\n'));
+            }
+            for (const d of docs) {
+                const data = d.data || {};
+                const slug = d.slug ?? data.slug;
+                if (!slug)
+                    continue;
+                const loc = prefix ? `${base}/${prefix}/${slug}` : `${base}/${slug}`;
+                urls.push([
+                    '  <url>',
+                    `    <loc>${escapeXml(loc)}</loc>`,
+                    `    <lastmod>${d.updatedAt?.toISOString() ?? new Date().toISOString()}</lastmod>`,
+                    `    <changefreq>${changefreq}</changefreq>`,
+                    `    <priority>${defaultPriority.toFixed(1)}</priority>`,
+                    '  </url>',
+                ].join('\n'));
+            }
+            const xml = [
+                '<?xml version="1.0" encoding="UTF-8"?>',
+                '<urlset xmlns="http://www.sitemaps.org/schemas/sitemap/0.9">',
+                urls.join('\n'),
+                '</urlset>',
+            ].join('\n');
+            return new Response(xml, {
+                status: 200,
+                headers: {
+                    'Content-Type': 'application/xml; charset=utf-8',
+                    'Cache-Control': 'public, max-age=300, s-maxage=600',
+                },
+            });
+        }
+        catch (err) {
+            return internalError(err, 'sitemaps/:slug.xml');
+        }
+    });
+    router.get('/robots.txt', async (request) => {
+        try {
+            const cfg = getActuateConfig();
+            const seo = cfg?.seo;
+            if (seo?.robots?.disabled)
+                return errorResponse('robots.txt disabled', 404);
+            const base = siteUrlFromRequest(request);
+            const sitemapUrl = seo?.sitemap?.disabled ? undefined : `${base}/api/cms/sitemap.xml`;
+            const lines = [
+                'User-agent: *',
+                'Allow: /',
+                'Disallow: /admin',
+                'Disallow: /api/',
+                '',
+            ];
+            for (const rule of seo?.robots?.additionalRules ?? []) {
+                lines.push(`User-agent: ${rule.userAgent}`);
+                for (const allow of rule.allow ?? [])
+                    lines.push(`Allow: ${allow}`);
+                for (const dis of rule.disallow ?? [])
+                    lines.push(`Disallow: ${dis}`);
+                lines.push('');
+            }
+            if (seo?.robots?.blockAIBots) {
+                const bots = [
+                    'GPTBot',
+                    'ChatGPT-User',
+                    'ClaudeBot',
+                    'Claude-Web',
+                    'anthropic-ai',
+                    'Bytespider',
+                    'CCBot',
+                    'Google-Extended',
+                ];
+                for (const bot of bots) {
+                    lines.push(`User-agent: ${bot}`);
+                    lines.push('Disallow: /');
+                    lines.push('');
+                }
+            }
+            if (sitemapUrl)
+                lines.push(`Sitemap: ${sitemapUrl}`, '');
+            return new Response(lines.join('\n'), {
+                status: 200,
+                headers: {
+                    'Content-Type': 'text/plain; charset=utf-8',
+                    'Cache-Control': 'public, max-age=3600, s-maxage=3600',
+                },
+            });
+        }
+        catch (err) {
+            return internalError(err, 'robots.txt');
+        }
+    });
+    router.get('/og.png', async (request) => {
+        try {
+            const cfg = getActuateConfig();
+            if (cfg?.seo?.ogImage?.disabled)
+                return errorResponse('og.png disabled', 404);
+            const url = new URL(request.url);
+            const title = url.searchParams.get('title') ?? cfg?.seo?.siteName ?? 'Untitled';
+            const description = url.searchParams.get('description') ?? undefined;
+            const siteName = url.searchParams.get('siteName') ?? cfg?.seo?.siteName;
+            const theme = url.searchParams.get('theme') ?? cfg?.seo?.ogImage?.theme ?? 'light';
+            const bg = theme === 'dark' ? '#0a0a0a' : '#ffffff';
+            const fg = theme === 'dark' ? '#fafafa' : '#0a0a0a';
+            const muted = theme === 'dark' ? '#a1a1aa' : '#71717a';
+            // SVG OG image. Crawlers (Facebook, Twitter/X, LinkedIn, Slack, Discord)
+            // all accept image/svg+xml when served with the right Content-Type. We
+            // chose SVG over PNG to avoid forcing a Satori/resvg dependency on
+            // every integrator; sites that need PNG can override with `og:image`
+            // pointing at their own /og endpoint built with @vercel/og.
+            const svg = renderOgSvg({ title, description, siteName, theme, bg, fg, muted });
+            return new Response(svg, {
+                status: 200,
+                headers: {
+                    'Content-Type': 'image/svg+xml; charset=utf-8',
+                    'Cache-Control': 'public, max-age=86400, s-maxage=86400',
+                },
+            });
+        }
+        catch (err) {
+            return internalError(err, 'og.png');
+        }
+    });
     router.get('/seo/schema/:documentId', async (request, params) => {
         try {
             const auth = await requireAuth(request);
@@ -3454,6 +3758,28 @@ export function registerCMSRoutes(router) {
             const docData = doc.data && typeof doc.data === 'object' ? doc.data : {};
             const layout = await resolveLayout(pathParam, docData, matchedCollection);
             const { _layout: _omit, ...cleanData } = docData;
+            // Compose page meta + JSON-LD up front so client renderers (Next.js
+            // generateMetadata, plain SSR, MCP agents) don't have to re-derive
+            // schema, OG tags, and canonical URLs from raw doc data. Reads the
+            // collection's SEO config and the site-wide SEO defaults.
+            const cfg = getActuateConfig();
+            const collectionDef = cfg?.collections?.[matchedCollection] ?? null;
+            const { composePageMeta } = await import('../seo/page-meta.js');
+            const composed = composePageMeta({
+                doc: {
+                    id: doc.id,
+                    collection: doc.collection,
+                    slug: doc.slug ?? cleanData.slug ?? null,
+                    data: cleanData,
+                    publishedAt: doc.publishedAt,
+                    updatedAt: doc.updatedAt,
+                    structuredData: doc.structuredData ?? null,
+                    pageSettings: cleanData.pageSettings ?? null,
+                },
+                collection: collectionDef,
+                config: cfg ?? null,
+                siteUrl: siteUrlFromRequest(request),
+            });
             return json({
                 data: {
                     id: doc.id,
@@ -3461,8 +3787,18 @@ export function registerCMSRoutes(router) {
                     data: cleanData,
                     status: doc.status,
                     publishedAt: doc.publishedAt,
-                    structuredData: doc.structuredData,
+                    structuredData: composed.jsonLd ?? doc.structuredData,
+                },
+                meta: {
+                    title: composed.title,
+                    description: composed.description,
+                    canonical: composed.canonical,
+                    url: composed.url,
+                    tags: composed.meta,
+                    html: composed.metaHtml,
                 },
+                jsonLd: composed.jsonLd,
+                jsonLdHtml: composed.jsonLdHtml,
                 ...(Object.keys(layout).length > 0 ? { layout } : {}),
             });
         }
@@ -4374,6 +4710,7 @@ export function registerCMSRoutes(router) {
                 return modelNotAvailable('PageTemplate');
             const url = new URL(request.url, 'http://localhost');
             const category = url.searchParams.get('category');
+            const collection = url.searchParams.get('collection');
             const builtInCount = await safeCount(d.pageTemplate, { builtIn: true });
             if (builtInCount === 0) {
                 await seedBuiltInTemplates(d);
@@ -4385,6 +4722,37 @@ export function registerCMSRoutes(router) {
                 where,
                 orderBy: [{ builtIn: 'desc' }, { updatedAt: 'desc' }],
             });
+            // When a `collection` filter is supplied, reorder the response so the
+            // suggested templates for that collection bubble to the top. The admin
+            // "Create new" picker uses this so blog posts default to `blog-post`,
+            // case studies to `case-study`, etc., without forcing the user to scan
+            // every template alphabetically.
+            if (collection) {
+                const { getTemplatesForCollection } = await import('../collections/presets.js');
+                const { primary, alternates } = getTemplatesForCollection(collection);
+                const suggestionOrder = new Map();
+                if (primary)
+                    suggestionOrder.set(`builtin-${primary}`, 0);
+                alternates.forEach((alt, i) => suggestionOrder.set(`builtin-${alt}`, i + 1));
+                templates.sort((a, b) => {
+                    const ai = suggestionOrder.has(a.id) ? suggestionOrder.get(a.id) : 100;
+                    const bi = suggestionOrder.has(b.id) ? suggestionOrder.get(b.id) : 100;
+                    return ai - bi;
+                });
+                const annotated = templates.map((t) => ({
+                    ...t,
+                    suggested: suggestionOrder.has(t.id),
+                    suggestionRank: suggestionOrder.get(t.id) ?? null,
+                }));
+                return json({
+                    data: annotated,
+                    suggestion: {
+                        collection,
+                        primary: primary ? `builtin-${primary}` : null,
+                        alternates: alternates.map((a) => `builtin-${a}`),
+                    },
+                });
+            }
             return json({ data: templates });
         }
         catch (err) {