@actuate-media/cms-core 0.35.1 → 0.37.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (72) hide show
  1. package/dist/__tests__/api/appearance-routes.test.d.ts +2 -0
  2. package/dist/__tests__/api/appearance-routes.test.d.ts.map +1 -0
  3. package/dist/__tests__/api/appearance-routes.test.js +134 -0
  4. package/dist/__tests__/api/appearance-routes.test.js.map +1 -0
  5. package/dist/__tests__/api/security-routes.test.d.ts +2 -0
  6. package/dist/__tests__/api/security-routes.test.d.ts.map +1 -0
  7. package/dist/__tests__/api/security-routes.test.js +212 -0
  8. package/dist/__tests__/api/security-routes.test.js.map +1 -0
  9. package/dist/__tests__/appearance/appearance.test.d.ts +2 -0
  10. package/dist/__tests__/appearance/appearance.test.d.ts.map +1 -0
  11. package/dist/__tests__/appearance/appearance.test.js +273 -0
  12. package/dist/__tests__/appearance/appearance.test.js.map +1 -0
  13. package/dist/__tests__/security/center.test.d.ts +2 -0
  14. package/dist/__tests__/security/center.test.d.ts.map +1 -0
  15. package/dist/__tests__/security/center.test.js +226 -0
  16. package/dist/__tests__/security/center.test.js.map +1 -0
  17. package/dist/api/handlers.d.ts.map +1 -1
  18. package/dist/api/handlers.js +261 -3
  19. package/dist/api/handlers.js.map +1 -1
  20. package/dist/appearance/color.d.ts +24 -0
  21. package/dist/appearance/color.d.ts.map +1 -0
  22. package/dist/appearance/color.js +90 -0
  23. package/dist/appearance/color.js.map +1 -0
  24. package/dist/appearance/index.d.ts +13 -0
  25. package/dist/appearance/index.d.ts.map +1 -0
  26. package/dist/appearance/index.js +5 -0
  27. package/dist/appearance/index.js.map +1 -0
  28. package/dist/appearance/logo-shape.d.ts +26 -0
  29. package/dist/appearance/logo-shape.d.ts.map +1 -0
  30. package/dist/appearance/logo-shape.js +62 -0
  31. package/dist/appearance/logo-shape.js.map +1 -0
  32. package/dist/appearance/resolve.d.ts +46 -0
  33. package/dist/appearance/resolve.d.ts.map +1 -0
  34. package/dist/appearance/resolve.js +208 -0
  35. package/dist/appearance/resolve.js.map +1 -0
  36. package/dist/appearance/theme-tokens.d.ts +50 -0
  37. package/dist/appearance/theme-tokens.d.ts.map +1 -0
  38. package/dist/appearance/theme-tokens.js +198 -0
  39. package/dist/appearance/theme-tokens.js.map +1 -0
  40. package/dist/appearance/types.d.ts +110 -0
  41. package/dist/appearance/types.d.ts.map +1 -0
  42. package/dist/appearance/types.js +16 -0
  43. package/dist/appearance/types.js.map +1 -0
  44. package/dist/index.d.ts +2 -0
  45. package/dist/index.d.ts.map +1 -1
  46. package/dist/index.js +2 -0
  47. package/dist/index.js.map +1 -1
  48. package/dist/security/center/gather.d.ts +12 -0
  49. package/dist/security/center/gather.d.ts.map +1 -0
  50. package/dist/security/center/gather.js +185 -0
  51. package/dist/security/center/gather.js.map +1 -0
  52. package/dist/security/center/index.d.ts +13 -0
  53. package/dist/security/center/index.d.ts.map +1 -0
  54. package/dist/security/center/index.js +4 -0
  55. package/dist/security/center/index.js.map +1 -0
  56. package/dist/security/center/settings.d.ts +38 -0
  57. package/dist/security/center/settings.d.ts.map +1 -0
  58. package/dist/security/center/settings.js +121 -0
  59. package/dist/security/center/settings.js.map +1 -0
  60. package/dist/security/center/status.d.ts +10 -0
  61. package/dist/security/center/status.d.ts.map +1 -0
  62. package/dist/security/center/status.js +249 -0
  63. package/dist/security/center/status.js.map +1 -0
  64. package/dist/security/center/summaries.d.ts +21 -0
  65. package/dist/security/center/summaries.d.ts.map +1 -0
  66. package/dist/security/center/summaries.js +65 -0
  67. package/dist/security/center/summaries.js.map +1 -0
  68. package/dist/security/center/types.d.ts +127 -0
  69. package/dist/security/center/types.d.ts.map +1 -0
  70. package/dist/security/center/types.js +12 -0
  71. package/dist/security/center/types.js.map +1 -0
  72. package/package.json +11 -1
@@ -0,0 +1,127 @@
1
+ /**
2
+ * Security Center types.
3
+ *
4
+ * The Security Center answers one question for an operator: "is this CMS safe
5
+ * to run in production?" It is mostly a *computed posture* surface — it reads
6
+ * real auth/session/secret/audit state — plus a small set of genuinely
7
+ * enforced, persisted policy settings (MFA requirement, concurrent-session
8
+ * cap). Anything that is not actually enforced is reported as honest status
9
+ * with a source badge, never as a decorative toggle.
10
+ */
11
+ export type SecurityStatusLevel = 'secure' | 'needs_attention' | 'at_risk' | 'unknown';
12
+ export type CheckStatus = 'pass' | 'warning' | 'fail' | 'unknown';
13
+ export interface SecurityCheck {
14
+ key: string;
15
+ label: string;
16
+ status: CheckStatus;
17
+ /** Short human value, e.g. "3 of 4 admins" or "Enabled". */
18
+ value?: string;
19
+ /** In-admin deep link the operator can follow to act on this check. */
20
+ actionHref?: string;
21
+ }
22
+ export type SecurityWarningCategory = 'auth' | 'sessions' | 'api_keys' | 'uploads' | 'rate_limit' | 'audit' | 'secrets' | 'access';
23
+ export interface SecurityWarning {
24
+ id: string;
25
+ severity: 'critical' | 'warning' | 'info';
26
+ category: SecurityWarningCategory;
27
+ title: string;
28
+ description: string;
29
+ actionLabel?: string;
30
+ actionHref?: string;
31
+ }
32
+ export interface SecurityStatus {
33
+ status: SecurityStatusLevel;
34
+ /** 0–100 posture score (advisory; the level is the source of truth). */
35
+ score: number;
36
+ label: string;
37
+ description: string;
38
+ checks: SecurityCheck[];
39
+ warnings: SecurityWarning[];
40
+ lastCheckedAt: string;
41
+ }
42
+ /** Persisted, enforced MFA policy. */
43
+ export interface MfaSettings {
44
+ required: boolean;
45
+ gracePeriodDays: number;
46
+ /** ISO timestamp when `required` was last switched on (drives the grace window). */
47
+ requiredAt?: string;
48
+ }
49
+ /** Persisted, enforced session policy. `maxConcurrentSessions = 0` ⇒ unlimited. */
50
+ export interface SessionSettings {
51
+ maxConcurrentSessions: number;
52
+ }
53
+ export interface SecuritySettings {
54
+ mfa: MfaSettings;
55
+ session: SessionSettings;
56
+ updatedAt?: string;
57
+ updatedBy?: string;
58
+ }
59
+ export interface UsersSecuritySummary {
60
+ totalUsers: number;
61
+ totalAdmins: number;
62
+ withMfa: number;
63
+ withoutMfa: number;
64
+ adminsWithoutMfa: number;
65
+ inactive: number;
66
+ }
67
+ export interface ApiKeysSecuritySummary {
68
+ active: number;
69
+ withoutExpiration: number;
70
+ broadScope: number;
71
+ staleUnused90d: number;
72
+ }
73
+ /** Status of secrets/encryption — never the values themselves. */
74
+ export interface SecretsStatus {
75
+ cmsSecret: CheckStatus;
76
+ encryptionKey: CheckStatus;
77
+ rateLimitBackend: 'distributed' | 'in_memory';
78
+ apiKeysHashed: boolean;
79
+ webhookSecretsEncrypted: boolean;
80
+ }
81
+ export interface IpAllowlistStatus {
82
+ enabled: boolean;
83
+ source: 'config' | 'none';
84
+ ranges: string[];
85
+ currentIp: string | null;
86
+ currentIpAllowed: boolean | null;
87
+ }
88
+ export interface SecuritySourceMetadata {
89
+ source: 'config' | 'environment' | 'database' | 'plugin' | 'computed';
90
+ editable: boolean;
91
+ reason?: string;
92
+ }
93
+ /** Everything the admin Security tab needs in one round-trip. */
94
+ export interface SecurityCenterData {
95
+ settings: SecuritySettings;
96
+ status: SecurityStatus;
97
+ users: UsersSecuritySummary;
98
+ apiKeys: ApiKeysSecuritySummary;
99
+ secrets: SecretsStatus;
100
+ ipAllowlist: IpAllowlistStatus;
101
+ failedLogins24h: number;
102
+ activeSessions: number;
103
+ csrfEnabled: boolean;
104
+ uploadValidation: boolean;
105
+ auditEnabled: boolean;
106
+ /** Effective max session age in hours (config/default; read-only today). */
107
+ sessionMaxAgeHours: number;
108
+ /** Whether the current admin (the viewer) has TOTP enabled — drives lockout-safe MFA enable. */
109
+ viewerHasMfa: boolean;
110
+ environment: string;
111
+ sources: Record<string, SecuritySourceMetadata>;
112
+ }
113
+ /** Signals consumed by the pure {@link computeSecurityStatus}. */
114
+ export interface SecurityStatusInput {
115
+ isProduction: boolean;
116
+ settings: SecuritySettings;
117
+ users: UsersSecuritySummary;
118
+ apiKeys: ApiKeysSecuritySummary;
119
+ secrets: SecretsStatus;
120
+ ipAllowlist: IpAllowlistStatus;
121
+ failedLogins24h: number;
122
+ activeSessions: number;
123
+ csrfEnabled: boolean;
124
+ uploadValidation: boolean;
125
+ auditEnabled: boolean;
126
+ }
127
+ //# sourceMappingURL=types.d.ts.map
@@ -0,0 +1 @@
1
+ {"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../../../src/security/center/types.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAEH,MAAM,MAAM,mBAAmB,GAAG,QAAQ,GAAG,iBAAiB,GAAG,SAAS,GAAG,SAAS,CAAA;AACtF,MAAM,MAAM,WAAW,GAAG,MAAM,GAAG,SAAS,GAAG,MAAM,GAAG,SAAS,CAAA;AAEjE,MAAM,WAAW,aAAa;IAC5B,GAAG,EAAE,MAAM,CAAA;IACX,KAAK,EAAE,MAAM,CAAA;IACb,MAAM,EAAE,WAAW,CAAA;IACnB,4DAA4D;IAC5D,KAAK,CAAC,EAAE,MAAM,CAAA;IACd,uEAAuE;IACvE,UAAU,CAAC,EAAE,MAAM,CAAA;CACpB;AAED,MAAM,MAAM,uBAAuB,GAC/B,MAAM,GACN,UAAU,GACV,UAAU,GACV,SAAS,GACT,YAAY,GACZ,OAAO,GACP,SAAS,GACT,QAAQ,CAAA;AAEZ,MAAM,WAAW,eAAe;IAC9B,EAAE,EAAE,MAAM,CAAA;IACV,QAAQ,EAAE,UAAU,GAAG,SAAS,GAAG,MAAM,CAAA;IACzC,QAAQ,EAAE,uBAAuB,CAAA;IACjC,KAAK,EAAE,MAAM,CAAA;IACb,WAAW,EAAE,MAAM,CAAA;IACnB,WAAW,CAAC,EAAE,MAAM,CAAA;IACpB,UAAU,CAAC,EAAE,MAAM,CAAA;CACpB;AAED,MAAM,WAAW,cAAc;IAC7B,MAAM,EAAE,mBAAmB,CAAA;IAC3B,wEAAwE;IACxE,KAAK,EAAE,MAAM,CAAA;IACb,KAAK,EAAE,MAAM,CAAA;IACb,WAAW,EAAE,MAAM,CAAA;IACnB,MAAM,EAAE,aAAa,EAAE,CAAA;IACvB,QAAQ,EAAE,eAAe,EAAE,CAAA;IAC3B,aAAa,EAAE,MAAM,CAAA;CACtB;AAED,sCAAsC;AACtC,MAAM,WAAW,WAAW;IAC1B,QAAQ,EAAE,OAAO,CAAA;IACjB,eAAe,EAAE,MAAM,CAAA;IACvB,oFAAoF;IACpF,UAAU,CAAC,EAAE,MAAM,CAAA;CACpB;AAED,mFAAmF;AACnF,MAAM,WAAW,eAAe;IAC9B,qBAAqB,EAAE,MAAM,CAAA;CAC9B;AAED,MAAM,WAAW,gBAAgB;IAC/B,GAAG,EAAE,WAAW,CAAA;IAChB,OAAO,EAAE,eAAe,CAAA;IACxB,SAAS,CAAC,EAAE,MAAM,CAAA;IAClB,SAAS,CAAC,EAAE,MAAM,CAAA;CACnB;AAED,MAAM,WAAW,oBAAoB;IACnC,UAAU,EAAE,MAAM,CAAA;IAClB,WAAW,EAAE,MAAM,CAAA;IACnB,OAAO,EAAE,MAAM,CAAA;IACf,UAAU,EAAE,MAAM,CAAA;IAClB,gBAAgB,EAAE,MAAM,CAAA;IACxB,QAAQ,EAAE,MAAM,CAAA;CACjB;AAED,MAAM,WAAW,sBAAsB;IACrC,MAAM,EAAE,MAAM,CAAA;IACd,iBAAiB,EAAE,MAAM,CAAA;IACzB,UAAU,EAAE,MAAM,CAAA;IAClB,cAAc,EAAE,MAAM,CAAA;CACvB;AAED,kEAAkE;AAClE,MAAM,WAAW,aAAa;IAC5B,SAAS,EAAE,WAAW,CAAA;IACtB,aAAa,EAAE,WAAW,CAAA;IAC1B,gBAAgB,EAAE,aAAa,GAAG,WAAW,CAAA;IAC7C,aAAa,EAAE,OAAO,CAAA;IACtB,uBAAuB,EAAE,OAAO,CAAA;CACjC;AAED,MAAM,WAAW,iBAAiB;IAChC,OAAO,EAAE,OAAO,CAAA;IAChB,MAAM,EAAE,QAAQ,GAAG,MAAM,CAAA;IACzB,MAAM,EAAE,MAAM,EAAE,CAAA;IAChB,SAAS,EAAE,MAAM,GAAG,IAAI,CAAA;IACxB,gBAAgB,EAAE,OAAO,GAAG,IAAI,CAAA;CACjC;AAED,MAAM,WAAW,sBAAsB;IACrC,MAAM,EAAE,QAAQ,GAAG,aAAa,GAAG,UAAU,GAAG,QAAQ,GAAG,UAAU,CAAA;IACrE,QAAQ,EAAE,OAAO,CAAA;IACjB,MAAM,CAAC,EAAE,MAAM,CAAA;CAChB;AAED,iEAAiE;AACjE,MAAM,WAAW,kBAAkB;IACjC,QAAQ,EAAE,gBAAgB,CAAA;IAC1B,MAAM,EAAE,cAAc,CAAA;IACtB,KAAK,EAAE,oBAAoB,CAAA;IAC3B,OAAO,EAAE,sBAAsB,CAAA;IAC/B,OAAO,EAAE,aAAa,CAAA;IACtB,WAAW,EAAE,iBAAiB,CAAA;IAC9B,eAAe,EAAE,MAAM,CAAA;IACvB,cAAc,EAAE,MAAM,CAAA;IACtB,WAAW,EAAE,OAAO,CAAA;IACpB,gBAAgB,EAAE,OAAO,CAAA;IACzB,YAAY,EAAE,OAAO,CAAA;IACrB,4EAA4E;IAC5E,kBAAkB,EAAE,MAAM,CAAA;IAC1B,gGAAgG;IAChG,YAAY,EAAE,OAAO,CAAA;IACrB,WAAW,EAAE,MAAM,CAAA;IACnB,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,sBAAsB,CAAC,CAAA;CAChD;AAED,kEAAkE;AAClE,MAAM,WAAW,mBAAmB;IAClC,YAAY,EAAE,OAAO,CAAA;IACrB,QAAQ,EAAE,gBAAgB,CAAA;IAC1B,KAAK,EAAE,oBAAoB,CAAA;IAC3B,OAAO,EAAE,sBAAsB,CAAA;IAC/B,OAAO,EAAE,aAAa,CAAA;IACtB,WAAW,EAAE,iBAAiB,CAAA;IAC9B,eAAe,EAAE,MAAM,CAAA;IACvB,cAAc,EAAE,MAAM,CAAA;IACtB,WAAW,EAAE,OAAO,CAAA;IACpB,gBAAgB,EAAE,OAAO,CAAA;IACzB,YAAY,EAAE,OAAO,CAAA;CACtB"}
@@ -0,0 +1,12 @@
1
+ /**
2
+ * Security Center types.
3
+ *
4
+ * The Security Center answers one question for an operator: "is this CMS safe
5
+ * to run in production?" It is mostly a *computed posture* surface — it reads
6
+ * real auth/session/secret/audit state — plus a small set of genuinely
7
+ * enforced, persisted policy settings (MFA requirement, concurrent-session
8
+ * cap). Anything that is not actually enforced is reported as honest status
9
+ * with a source badge, never as a decorative toggle.
10
+ */
11
+ export {};
12
+ //# sourceMappingURL=types.js.map
@@ -0,0 +1 @@
1
+ {"version":3,"file":"types.js","sourceRoot":"","sources":["../../../src/security/center/types.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG"}
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "@actuate-media/cms-core",
3
- "version": "0.35.1",
3
+ "version": "0.37.0",
4
4
  "repository": {
5
5
  "type": "git",
6
6
  "url": "https://github.com/actuate-media/actuatecms.git",
@@ -54,6 +54,16 @@
54
54
  "import": "./dist/api/index.js",
55
55
  "default": "./dist/api/index.js"
56
56
  },
57
+ "./appearance": {
58
+ "types": "./dist/appearance/index.d.ts",
59
+ "import": "./dist/appearance/index.js",
60
+ "default": "./dist/appearance/index.js"
61
+ },
62
+ "./security-center": {
63
+ "types": "./dist/security/center/index.d.ts",
64
+ "import": "./dist/security/center/index.js",
65
+ "default": "./dist/security/center/index.js"
66
+ },
57
67
  "./page-builder": {
58
68
  "types": "./dist/page-builder/index.d.ts",
59
69
  "import": "./dist/page-builder/index.js",