@actuate-media/cms-core 0.57.0 → 0.57.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/__tests__/api/stats-seo-cache.test.js +1 -1
- package/dist/__tests__/api/stats-seo-cache.test.js.map +1 -1
- package/dist/api/guarded-db.d.ts +13 -0
- package/dist/api/guarded-db.d.ts.map +1 -0
- package/dist/api/guarded-db.js +58 -0
- package/dist/api/guarded-db.js.map +1 -0
- package/dist/api/handler-factory.d.ts.map +1 -1
- package/dist/api/handler-factory.js +2 -1
- package/dist/api/handler-factory.js.map +1 -1
- package/dist/api/handlers.d.ts +5 -3
- package/dist/api/handlers.d.ts.map +1 -1
- package/dist/api/handlers.js +54 -13068
- package/dist/api/handlers.js.map +1 -1
- package/dist/api/route-helpers.d.ts +320 -0
- package/dist/api/route-helpers.d.ts.map +1 -0
- package/dist/api/route-helpers.js +1307 -0
- package/dist/api/route-helpers.js.map +1 -0
- package/dist/api/routes/ai-seo.d.ts +3 -0
- package/dist/api/routes/ai-seo.d.ts.map +1 -0
- package/dist/api/routes/ai-seo.js +377 -0
- package/dist/api/routes/ai-seo.js.map +1 -0
- package/dist/api/routes/ai-settings.d.ts +3 -0
- package/dist/api/routes/ai-settings.d.ts.map +1 -0
- package/dist/api/routes/ai-settings.js +764 -0
- package/dist/api/routes/ai-settings.js.map +1 -0
- package/dist/api/routes/auth.d.ts +3 -0
- package/dist/api/routes/auth.d.ts.map +1 -0
- package/dist/api/routes/auth.js +787 -0
- package/dist/api/routes/auth.js.map +1 -0
- package/dist/api/routes/collab.d.ts +3 -0
- package/dist/api/routes/collab.d.ts.map +1 -0
- package/dist/api/routes/collab.js +426 -0
- package/dist/api/routes/collab.js.map +1 -0
- package/dist/api/routes/dashboard.d.ts +7 -0
- package/dist/api/routes/dashboard.d.ts.map +1 -0
- package/dist/api/routes/dashboard.js +540 -0
- package/dist/api/routes/dashboard.js.map +1 -0
- package/dist/api/routes/documents.d.ts +3 -0
- package/dist/api/routes/documents.d.ts.map +1 -0
- package/dist/api/routes/documents.js +180 -0
- package/dist/api/routes/documents.js.map +1 -0
- package/dist/api/routes/folders.d.ts +3 -0
- package/dist/api/routes/folders.d.ts.map +1 -0
- package/dist/api/routes/folders.js +195 -0
- package/dist/api/routes/folders.js.map +1 -0
- package/dist/api/routes/forms.d.ts +3 -0
- package/dist/api/routes/forms.d.ts.map +1 -0
- package/dist/api/routes/forms.js +661 -0
- package/dist/api/routes/forms.js.map +1 -0
- package/dist/api/routes/globals.d.ts +3 -0
- package/dist/api/routes/globals.d.ts.map +1 -0
- package/dist/api/routes/globals.js +131 -0
- package/dist/api/routes/globals.js.map +1 -0
- package/dist/api/routes/media.d.ts +3 -0
- package/dist/api/routes/media.d.ts.map +1 -0
- package/dist/api/routes/media.js +521 -0
- package/dist/api/routes/media.js.map +1 -0
- package/dist/api/routes/meta.d.ts +3 -0
- package/dist/api/routes/meta.d.ts.map +1 -0
- package/dist/api/routes/meta.js +96 -0
- package/dist/api/routes/meta.js.map +1 -0
- package/dist/api/routes/page-templates.d.ts +3 -0
- package/dist/api/routes/page-templates.d.ts.map +1 -0
- package/dist/api/routes/page-templates.js +265 -0
- package/dist/api/routes/page-templates.js.map +1 -0
- package/dist/api/routes/presence.d.ts +3 -0
- package/dist/api/routes/presence.d.ts.map +1 -0
- package/dist/api/routes/presence.js +35 -0
- package/dist/api/routes/presence.js.map +1 -0
- package/dist/api/routes/preview.d.ts +3 -0
- package/dist/api/routes/preview.d.ts.map +1 -0
- package/dist/api/routes/preview.js +111 -0
- package/dist/api/routes/preview.js.map +1 -0
- package/dist/api/routes/redirects.d.ts +3 -0
- package/dist/api/routes/redirects.d.ts.map +1 -0
- package/dist/api/routes/redirects.js +790 -0
- package/dist/api/routes/redirects.js.map +1 -0
- package/dist/api/routes/saved-sections.d.ts +3 -0
- package/dist/api/routes/saved-sections.d.ts.map +1 -0
- package/dist/api/routes/saved-sections.js +1036 -0
- package/dist/api/routes/saved-sections.js.map +1 -0
- package/dist/api/routes/scheduling.d.ts +3 -0
- package/dist/api/routes/scheduling.d.ts.map +1 -0
- package/dist/api/routes/scheduling.js +373 -0
- package/dist/api/routes/scheduling.js.map +1 -0
- package/dist/api/routes/sections.d.ts +3 -0
- package/dist/api/routes/sections.d.ts.map +1 -0
- package/dist/api/routes/sections.js +500 -0
- package/dist/api/routes/sections.js.map +1 -0
- package/dist/api/routes/security-center.d.ts +3 -0
- package/dist/api/routes/security-center.d.ts.map +1 -0
- package/dist/api/routes/security-center.js +71 -0
- package/dist/api/routes/security-center.js.map +1 -0
- package/dist/api/routes/seo-public.d.ts +14 -0
- package/dist/api/routes/seo-public.d.ts.map +1 -0
- package/dist/api/routes/seo-public.js +930 -0
- package/dist/api/routes/seo-public.js.map +1 -0
- package/dist/api/routes/seo.d.ts +8 -0
- package/dist/api/routes/seo.d.ts.map +1 -0
- package/dist/api/routes/seo.js +848 -0
- package/dist/api/routes/seo.js.map +1 -0
- package/dist/api/routes/system.d.ts +3 -0
- package/dist/api/routes/system.d.ts.map +1 -0
- package/dist/api/routes/system.js +340 -0
- package/dist/api/routes/system.js.map +1 -0
- package/dist/api/routes/url-resolution.d.ts +3 -0
- package/dist/api/routes/url-resolution.d.ts.map +1 -0
- package/dist/api/routes/url-resolution.js +457 -0
- package/dist/api/routes/url-resolution.js.map +1 -0
- package/dist/api/routes/users.d.ts +3 -0
- package/dist/api/routes/users.d.ts.map +1 -0
- package/dist/api/routes/users.js +1162 -0
- package/dist/api/routes/users.js.map +1 -0
- package/dist/api/routes/webhooks.d.ts +3 -0
- package/dist/api/routes/webhooks.d.ts.map +1 -0
- package/dist/api/routes/webhooks.js +338 -0
- package/dist/api/routes/webhooks.js.map +1 -0
- package/package.json +1 -1
|
@@ -0,0 +1,320 @@
|
|
|
1
|
+
import type { ActionContext } from '../actions.js';
|
|
2
|
+
import { type TeamOptions } from '../auth/team.js';
|
|
3
|
+
import type { CollectionDefinition } from '../config/types.js';
|
|
4
|
+
import type { FetchFormEntriesParams, FetchFormsParams, FormDefinition } from '../forms/types.js';
|
|
5
|
+
import { type IncomingFile } from '../forms/files.js';
|
|
6
|
+
import { type ApiKeyScope } from '../security/api-key-enhanced.js';
|
|
7
|
+
export declare function importBlobStorage(): Promise<any>;
|
|
8
|
+
export declare function importAIPlugin(): Promise<any>;
|
|
9
|
+
/**
|
|
10
|
+
* Build the system/user prompt for an inline co-author action. Kept
|
|
11
|
+
* deterministic and small so the governed runtime can route it to any
|
|
12
|
+
* configured provider/model.
|
|
13
|
+
*/
|
|
14
|
+
export declare function buildCoauthorPrompt(action: 'rewrite' | 'expand' | 'compress' | 'proofread', body: {
|
|
15
|
+
text?: string;
|
|
16
|
+
style?: string;
|
|
17
|
+
tone?: string;
|
|
18
|
+
instructions?: string;
|
|
19
|
+
targetLength?: number;
|
|
20
|
+
}): {
|
|
21
|
+
system: string;
|
|
22
|
+
user: string;
|
|
23
|
+
maxTokens: number;
|
|
24
|
+
};
|
|
25
|
+
/**
|
|
26
|
+
* Common helper for the read endpoints. Reads the `?populate=` query param,
|
|
27
|
+
* fetches the target collection's field schema, and expands every relation
|
|
28
|
+
* reference into a {@link RelationSummary}. When the caller didn't ask for
|
|
29
|
+
* population (or the doc has no `data` field) we short-circuit and return
|
|
30
|
+
* the doc untouched.
|
|
31
|
+
*
|
|
32
|
+
* Lives here (not in `actions.ts`) because the rest of the actions API
|
|
33
|
+
* stays purely DB-shaped — population is an HTTP concern.
|
|
34
|
+
*/
|
|
35
|
+
export declare function maybePopulate(request: Request, collection: string, doc: Record<string, unknown> | null, dbInstance: unknown): Promise<Record<string, unknown> | null>;
|
|
36
|
+
export declare const SECURITY_HEADERS: Record<string, string>;
|
|
37
|
+
export declare function json(data: unknown, status?: number): Response;
|
|
38
|
+
/**
|
|
39
|
+
* Variant of `json()` that emits the Phase-5.5 public-read
|
|
40
|
+
* `Cache-Control` header when the active CMS config opts in.
|
|
41
|
+
*
|
|
42
|
+
* - Session-cookie requests always get `private, no-store`.
|
|
43
|
+
* - API-key / unauthenticated requests get
|
|
44
|
+
* `public, s-maxage=N, stale-while-revalidate=M` when
|
|
45
|
+
* `cache.publicReads.enabled` is true.
|
|
46
|
+
* - Otherwise no `Cache-Control` header is set (i.e. the response is
|
|
47
|
+
* uncacheable downstream, matching the pre-5.5 behaviour).
|
|
48
|
+
*
|
|
49
|
+
* Use this for the public read endpoints (`/collections/:slug`,
|
|
50
|
+
* `/collections/:slug/:id`, `/globals/:slug`, `/resolve`). Mutating
|
|
51
|
+
* endpoints stay on the plain `json()` so the CDN never caches a write
|
|
52
|
+
* response by accident.
|
|
53
|
+
*/
|
|
54
|
+
export declare function jsonWithCache(data: unknown, request: Request, status?: number): Response;
|
|
55
|
+
export declare function errorResponse(message: string, status: number): Response;
|
|
56
|
+
export declare function internalError(err: unknown, context?: string): Response;
|
|
57
|
+
export declare function clampPageSize(raw: number | string | null, max?: number, fallback?: number): number;
|
|
58
|
+
export declare function mediaUrl(storageKey: unknown): string;
|
|
59
|
+
export declare function normalizeMediaItem(media: any): any;
|
|
60
|
+
/**
|
|
61
|
+
* Build the admin editor route for a document that references a media asset.
|
|
62
|
+
* Pages own the `/pages/*` namespace; post-type collections use
|
|
63
|
+
* `/posts/:type/:id/edit`; everything else falls back to the generic
|
|
64
|
+
* collection editor. Kept in sync with the route table in `AdminRoot.tsx`.
|
|
65
|
+
*/
|
|
66
|
+
export declare function mediaUsageEditPath(collection: string, id: string): string;
|
|
67
|
+
/**
|
|
68
|
+
* Map the `MediaUsage` join rows (with their related document) into the
|
|
69
|
+
* `{ page, path }[]` shape the admin drawer renders. Soft-deleted documents
|
|
70
|
+
* are excluded so trashed pages don't keep an asset looking "in use".
|
|
71
|
+
*/
|
|
72
|
+
export declare function buildMediaUsedOn(mediaUsages: unknown): {
|
|
73
|
+
page: string;
|
|
74
|
+
path: string;
|
|
75
|
+
}[];
|
|
76
|
+
export declare const MEDIA_TITLE_STOPWORDS: Set<string>;
|
|
77
|
+
/**
|
|
78
|
+
* Derive a concise, Title-Cased title from AI-generated alt text. The alt
|
|
79
|
+
* text is already a model output describing the image, so the title stays
|
|
80
|
+
* grounded in real content rather than the filename.
|
|
81
|
+
*/
|
|
82
|
+
export declare function deriveMediaTitleFromAlt(alt: string): string;
|
|
83
|
+
export declare function asRecord(value: unknown): Record<string, unknown>;
|
|
84
|
+
export declare function normalizeSubmission(submission: any): any;
|
|
85
|
+
/**
|
|
86
|
+
* Map a forms-service domain error to an HTTP response. Returns `null` for
|
|
87
|
+
* unrecognised errors so the caller can fall through to `internalError`.
|
|
88
|
+
*/
|
|
89
|
+
export declare function mapFormError(err: unknown): Response | null;
|
|
90
|
+
export declare function parseFormsQuery(url: URL): FetchFormsParams;
|
|
91
|
+
export declare function parseEntriesQuery(url: URL): FetchFormEntriesParams;
|
|
92
|
+
/**
|
|
93
|
+
* Build CORS headers for the public form endpoints. When the form has no
|
|
94
|
+
* embed allowlist we reflect the requesting origin (open embedding). When an
|
|
95
|
+
* allowlist is set we only echo the origin if it matches, so a disallowed site
|
|
96
|
+
* cannot read the response. Browser-level CORS is complemented by a hard
|
|
97
|
+
* server-side origin check in the submit handler.
|
|
98
|
+
*/
|
|
99
|
+
export declare function formCorsHeaders(request: Request, allowedDomains?: string[]): Record<string, string>;
|
|
100
|
+
export declare function normalizeAllowedHost(domain: string): string;
|
|
101
|
+
export declare function isOriginAllowed(origin: string, allowedDomains: string[]): boolean;
|
|
102
|
+
export declare function jsonWithHeaders(data: unknown, status: number, extra: Record<string, string>): Response;
|
|
103
|
+
/**
|
|
104
|
+
* Parse a public submission request into field values, files, and metadata.
|
|
105
|
+
* Supports both `application/json` (no files) and `multipart/form-data`
|
|
106
|
+
* (files + fields). Unknown/oversized bodies are rejected by the caller's
|
|
107
|
+
* Content-Length gate before this runs.
|
|
108
|
+
*/
|
|
109
|
+
export declare function parseSubmissionRequest(request: Request): Promise<{
|
|
110
|
+
values: Record<string, unknown>;
|
|
111
|
+
files: IncomingFile[];
|
|
112
|
+
meta: {
|
|
113
|
+
attribution: Record<string, unknown> | null;
|
|
114
|
+
elapsedMs: number | null;
|
|
115
|
+
pageUrl: string | null;
|
|
116
|
+
captchaToken: string;
|
|
117
|
+
};
|
|
118
|
+
} | null>;
|
|
119
|
+
export declare function safeJsonObject(value: unknown): Record<string, unknown> | null;
|
|
120
|
+
/**
|
|
121
|
+
* Shared public-submission handler used by both the slug-based public route and
|
|
122
|
+
* the legacy by-id route. Enforces per-IP+form rate limiting, embed-origin
|
|
123
|
+
* allowlisting, optional CAPTCHA, file validation, then runs the core
|
|
124
|
+
* submission pipeline. Always responds with CORS headers so embedded forms can
|
|
125
|
+
* read the result.
|
|
126
|
+
*/
|
|
127
|
+
export declare function submitToForm(request: Request, form: FormDefinition): Promise<Response>;
|
|
128
|
+
export declare function normalizeRedirect(redirect: any): any;
|
|
129
|
+
export declare function normalizeSeoPage(page: any): any;
|
|
130
|
+
export declare function hasModel(d: any, name: string): boolean;
|
|
131
|
+
/** Format a number compactly, e.g. 8400 -> "8.4K", 1_200_000 -> "1.2M". */
|
|
132
|
+
export declare function formatCompactNumber(n: number): string;
|
|
133
|
+
/** Minimal CSV line parser supporting double-quoted fields with escaped quotes. */
|
|
134
|
+
export declare function parseCsvLine(line: string): string[];
|
|
135
|
+
export declare function modelNotAvailable(name: string): Response;
|
|
136
|
+
/**
|
|
137
|
+
* XML-escape a value for safe inclusion in sitemap content. Sitemaps reject
|
|
138
|
+
* unescaped ampersands and angle brackets; URLs frequently contain `&` query
|
|
139
|
+
* separators, so this is non-optional.
|
|
140
|
+
*/
|
|
141
|
+
export declare function escapeXml(value: string): string;
|
|
142
|
+
/**
|
|
143
|
+
* URLs per sitemap file. The sitemaps protocol caps a single file at 50,000
|
|
144
|
+
* URLs; we use a margin below that so the optional archive URL on page 0 can
|
|
145
|
+
* never push a file over the limit. Collections larger than this are split
|
|
146
|
+
* across multiple `?page=N` files referenced from the sitemap index.
|
|
147
|
+
*/
|
|
148
|
+
export declare const SITEMAP_PAGE_SIZE = 45000;
|
|
149
|
+
/**
|
|
150
|
+
* Renders a 1200x630 SVG suitable for og:image. We don't pull in Satori/resvg
|
|
151
|
+
* because most integrators don't need PNG — major crawlers (Facebook, Twitter,
|
|
152
|
+
* LinkedIn, Slack, Discord) handle image/svg+xml correctly. Sites that
|
|
153
|
+
* specifically need PNG can override with their own /og endpoint via
|
|
154
|
+
* @vercel/og and point `seo.defaultOgImage` at it.
|
|
155
|
+
*/
|
|
156
|
+
export declare function renderOgSvg(opts: {
|
|
157
|
+
title: string;
|
|
158
|
+
description?: string;
|
|
159
|
+
siteName?: string | null;
|
|
160
|
+
theme: 'light' | 'dark';
|
|
161
|
+
bg: string;
|
|
162
|
+
fg: string;
|
|
163
|
+
muted: string;
|
|
164
|
+
}): string;
|
|
165
|
+
/**
|
|
166
|
+
* Log unexpected query failures from the `safe*` wrappers.
|
|
167
|
+
*
|
|
168
|
+
* The wrappers exist so an optional Prisma model (e.g. a delegate
|
|
169
|
+
* that older schemas don't define) doesn't blow up the route — they
|
|
170
|
+
* return the empty value (`0` / `[]`) when the model isn't available.
|
|
171
|
+
* That defensive contract historically swallowed *every* error,
|
|
172
|
+
* including Prisma's "Unknown argument" rejections that flag a real
|
|
173
|
+
* application bug (see the `relationLoadStrategy` regression
|
|
174
|
+
* discovered while landing Phase 5.5 #5). Logging the underlying
|
|
175
|
+
* error preserves the defensive return semantics while making the
|
|
176
|
+
* actual class of bug visible in Vercel + Sentry logs.
|
|
177
|
+
*
|
|
178
|
+
* Kept private to this module — it's a logging contract, not a
|
|
179
|
+
* public API.
|
|
180
|
+
*/
|
|
181
|
+
export declare function logSafeQueryFailure(scope: string, err: unknown): void;
|
|
182
|
+
export declare function safeCount(model: any, where?: Record<string, unknown>): Promise<number>;
|
|
183
|
+
export declare function safeFindMany<T>(model: any, args: Record<string, unknown>): Promise<T[]>;
|
|
184
|
+
export declare function isAllowedStorageUrl(url: string): boolean;
|
|
185
|
+
/** Max image size (bytes) we'll pull into memory for vision analysis. */
|
|
186
|
+
export declare const MAX_VISION_IMAGE_BYTES: number;
|
|
187
|
+
/**
|
|
188
|
+
* Fetch image bytes for multimodal (vision) analysis through {@link safeFetch}
|
|
189
|
+
* (SSRF-safe: re-validates the host, DNS-resolves to defeat rebinding, no
|
|
190
|
+
* redirects). Returns `null` on any failure (non-image, oversize, blocked,
|
|
191
|
+
* network) so the caller transparently falls back to a context-only heuristic.
|
|
192
|
+
*/
|
|
193
|
+
export declare function fetchImageForVision(url: string, knownMimeType?: string): Promise<{
|
|
194
|
+
base64: string;
|
|
195
|
+
mimeType: string;
|
|
196
|
+
} | null>;
|
|
197
|
+
export declare const ALLOWED_SORT_FIELDS: Set<string>;
|
|
198
|
+
export declare function getSessionSecret(): string;
|
|
199
|
+
export declare function isSecretMissing(): boolean;
|
|
200
|
+
/**
|
|
201
|
+
* Authenticated request context. `apiKey` is set when the request was
|
|
202
|
+
* authenticated via an `act_sk_*` API key (rather than a user session) — in
|
|
203
|
+
* that case `sessionId` is the API key id and `role` reflects either the
|
|
204
|
+
* granted `admin` scope or `'API_KEY'` for scoped keys.
|
|
205
|
+
*/
|
|
206
|
+
export type AuthSession = {
|
|
207
|
+
userId: string;
|
|
208
|
+
role: string;
|
|
209
|
+
sessionId: string;
|
|
210
|
+
apiKey?: {
|
|
211
|
+
id: string;
|
|
212
|
+
scopes: ApiKeyScope;
|
|
213
|
+
};
|
|
214
|
+
};
|
|
215
|
+
export declare function extractSession(request: Request): Promise<AuthSession | null>;
|
|
216
|
+
export declare function parseCookieHeader(cookieHeader: string): Record<string, string>;
|
|
217
|
+
/**
|
|
218
|
+
* Verify a password (or "current password") posted in the X-Reauth-Password
|
|
219
|
+
* header against the authenticated user. Returns an error Response when the
|
|
220
|
+
* header is missing or the password is wrong; returns null on success.
|
|
221
|
+
*
|
|
222
|
+
* Use this for high-impact account changes (TOTP enable/disable, role change,
|
|
223
|
+
* delete user, etc.) so a stolen session alone cannot perform them.
|
|
224
|
+
*/
|
|
225
|
+
export declare function requirePasswordReauth(request: Request, userId: string): Promise<Response | null>;
|
|
226
|
+
export declare function requireAuth(request: Request): Promise<{
|
|
227
|
+
session: AuthSession;
|
|
228
|
+
error?: never;
|
|
229
|
+
} | {
|
|
230
|
+
session?: never;
|
|
231
|
+
error: Response;
|
|
232
|
+
}>;
|
|
233
|
+
/**
|
|
234
|
+
* Check that the request's auth context permits `action` on `collection`.
|
|
235
|
+
* - Session-authenticated requests fall through to `requireRole` semantics:
|
|
236
|
+
* write actions require WRITE_ROLES.
|
|
237
|
+
* - API-key-authenticated requests must have an explicit scope match.
|
|
238
|
+
*/
|
|
239
|
+
export declare function requireCollectionScope(session: AuthSession, collection: string, action: 'read' | 'create' | 'update' | 'delete'): Response | null;
|
|
240
|
+
export declare function requireGlobalScope(session: AuthSession, slug: string): Response | null;
|
|
241
|
+
export declare function requireMediaScope(session: AuthSession): Response | null;
|
|
242
|
+
export declare function requirePageBuilderScope(session: AuthSession): Response | null;
|
|
243
|
+
export declare function requireAdminScope(session: AuthSession): Response | null;
|
|
244
|
+
export declare function buildActionContext(session: {
|
|
245
|
+
userId: string;
|
|
246
|
+
role: string;
|
|
247
|
+
}, db: any, locale?: string): ActionContext;
|
|
248
|
+
export declare const WRITE_ROLES: Set<string>;
|
|
249
|
+
export declare const ADMIN_ROLES: Set<string>;
|
|
250
|
+
export declare function requireRole(role: string, allowedRoles: Set<string>): Response | null;
|
|
251
|
+
/**
|
|
252
|
+
* Build the shared {@link TeamOptions} for the Users endpoints from config +
|
|
253
|
+
* session: the workspace domain (for external-domain detection) and the seat
|
|
254
|
+
* cap (config-provided; null = unlimited until billing exists).
|
|
255
|
+
*/
|
|
256
|
+
export declare function teamOptionsFor(session: AuthSession): TeamOptions;
|
|
257
|
+
/** Whether the configured email provider can actually send mail. */
|
|
258
|
+
export declare function isEmailConfigured(): boolean;
|
|
259
|
+
export declare const loginLimiter: import("../security/rate-limit.js").RateLimiter;
|
|
260
|
+
export declare const inviteLimiter: import("../security/rate-limit.js").RateLimiter;
|
|
261
|
+
export declare const totpLimiter: import("../security/rate-limit.js").RateLimiter;
|
|
262
|
+
export declare const formLimiterGlobal: import("../security/rate-limit.js").RateLimiter;
|
|
263
|
+
export declare const aiGenerateLimiter: import("../security/rate-limit.js").RateLimiter;
|
|
264
|
+
export declare const uploadLimiter: import("../security/rate-limit.js").RateLimiter;
|
|
265
|
+
export declare const aiAnalysisLimiter: import("../security/rate-limit.js").RateLimiter;
|
|
266
|
+
export declare const AI_ANALYSIS_MAX_CHARS = 50000;
|
|
267
|
+
export declare const linkHealthLimiter: import("../security/rate-limit.js").RateLimiter;
|
|
268
|
+
export declare const seoAuditLimiter: import("../security/rate-limit.js").RateLimiter;
|
|
269
|
+
export declare function checkRateLimitAsync(limiter: {
|
|
270
|
+
check: (key: string) => Promise<{
|
|
271
|
+
allowed: boolean;
|
|
272
|
+
}>;
|
|
273
|
+
}, key: string): Promise<boolean>;
|
|
274
|
+
/**
|
|
275
|
+
* Resolve the client IP from trusted-proxy headers (Vercel first, then x-real-ip,
|
|
276
|
+
* then x-forwarded-for only when ACTUATE_TRUST_PROXY=1). Returns 'unknown' when
|
|
277
|
+
* no trustworthy source is available — callers MUST treat that case as a hard
|
|
278
|
+
* failure for security-sensitive decisions like rate-limit keys and IP allowlists.
|
|
279
|
+
*/
|
|
280
|
+
export declare function clientIp(request: Request): string;
|
|
281
|
+
/**
|
|
282
|
+
* Compute a before/after diff of top-level scalar (string/number/boolean) keys
|
|
283
|
+
* between a stored record and an incoming patch. Used to audit settings changes
|
|
284
|
+
* without ever logging nested objects (which may hold secret blobs).
|
|
285
|
+
*/
|
|
286
|
+
export declare function diffScalarKeys(previous: Record<string, unknown>, next: Record<string, unknown>): Array<{
|
|
287
|
+
key: string;
|
|
288
|
+
from: unknown;
|
|
289
|
+
to: unknown;
|
|
290
|
+
}>;
|
|
291
|
+
export declare const MAX_CONCURRENT_SESSIONS = 5;
|
|
292
|
+
/**
|
|
293
|
+
* After a successful primary-credential check, prune the user's active sessions
|
|
294
|
+
* down to the configured concurrent maximum (default 5; configurable via
|
|
295
|
+
* `auth.maxConcurrentSessions`). Strategy is "revoke oldest" so a user can
|
|
296
|
+
* always sign in.
|
|
297
|
+
*/
|
|
298
|
+
export declare function enforceSessionLimitsForUser(d: any, userId: string): Promise<void>;
|
|
299
|
+
export declare function getAdminPath(): string;
|
|
300
|
+
/**
|
|
301
|
+
* Resolve a collection definition from the runtime config, tolerating both
|
|
302
|
+
* the array and the record (keyed-by-slug) shapes consumers use.
|
|
303
|
+
*/
|
|
304
|
+
export declare function findCollectionDef(slug: string): CollectionDefinition | undefined;
|
|
305
|
+
/**
|
|
306
|
+
* True when `collection` declares a `sections` JSON field — the storage
|
|
307
|
+
* contract the flat Page Editor + section endpoints rely on. Guards against
|
|
308
|
+
* silently dropping section writes on a collection that never declared the
|
|
309
|
+
* field (the field-access layer strips undeclared keys).
|
|
310
|
+
*/
|
|
311
|
+
export declare function collectionSupportsSections(slug: string): boolean;
|
|
312
|
+
/**
|
|
313
|
+
* Gate a per-document read for endpoints (e.g. SEO analysis) that fetch a
|
|
314
|
+
* document directly rather than through the collection CRUD routes. Enforces
|
|
315
|
+
* both the API-key collection scope and the collection's `access.read` rule
|
|
316
|
+
* so an AUTHOR scoped to one collection cannot read another's content.
|
|
317
|
+
* Returns a `Response` to short-circuit with, or `null` when allowed.
|
|
318
|
+
*/
|
|
319
|
+
export declare function enforceDocumentReadAccess(session: AuthSession, collection: string): Promise<Response | null>;
|
|
320
|
+
//# sourceMappingURL=route-helpers.d.ts.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"route-helpers.d.ts","sourceRoot":"","sources":["../../src/api/route-helpers.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,eAAe,CAAA;AAKlD,OAAO,EAA0B,KAAK,WAAW,EAAE,MAAM,iBAAiB,CAAA;AAG1E,OAAO,KAAK,EAAE,oBAAoB,EAAE,MAAM,oBAAoB,CAAA;AAS9D,OAAO,KAAK,EACV,sBAAsB,EACtB,gBAAgB,EAChB,cAAc,EAEf,MAAM,mBAAmB,CAAA;AAM1B,OAAO,EAIL,KAAK,YAAY,EAClB,MAAM,mBAAmB,CAAA;AAS1B,OAAO,EAQL,KAAK,WAAW,EACjB,MAAM,iCAAiC,CAAA;AAKxC,wBAAsB,iBAAiB,IAAI,OAAO,CAAC,GAAG,CAAC,CAGtD;AAED,wBAAsB,cAAc,IAAI,OAAO,CAAC,GAAG,CAAC,CAGnD;AAED;;;;GAIG;AACH,wBAAgB,mBAAmB,CACjC,MAAM,EAAE,SAAS,GAAG,QAAQ,GAAG,UAAU,GAAG,WAAW,EACvD,IAAI,EAAE;IACJ,IAAI,CAAC,EAAE,MAAM,CAAA;IACb,KAAK,CAAC,EAAE,MAAM,CAAA;IACd,IAAI,CAAC,EAAE,MAAM,CAAA;IACb,YAAY,CAAC,EAAE,MAAM,CAAA;IACrB,YAAY,CAAC,EAAE,MAAM,CAAA;CACtB,GACA;IAAE,MAAM,EAAE,MAAM,CAAC;IAAC,IAAI,EAAE,MAAM,CAAC;IAAC,SAAS,EAAE,MAAM,CAAA;CAAE,CAuDrD;AAED;;;;;;;;;GASG;AACH,wBAAsB,aAAa,CACjC,OAAO,EAAE,OAAO,EAChB,UAAU,EAAE,MAAM,EAClB,GAAG,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,IAAI,EACnC,UAAU,EAAE,OAAO,GAClB,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,IAAI,CAAC,CAoBzC;AAED,eAAO,MAAM,gBAAgB,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAKnD,CAAA;AAED,wBAAgB,IAAI,CAAC,IAAI,EAAE,OAAO,EAAE,MAAM,SAAM,GAAG,QAAQ,CAK1D;AAED;;;;;;;;;;;;;;;GAeG;AACH,wBAAgB,aAAa,CAAC,IAAI,EAAE,OAAO,EAAE,OAAO,EAAE,OAAO,EAAE,MAAM,SAAM,GAAG,QAAQ,CAKrF;AAED,wBAAgB,aAAa,CAAC,OAAO,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,GAAG,QAAQ,CAEvE;AAED,wBAAgB,aAAa,CAAC,GAAG,EAAE,OAAO,EAAE,OAAO,CAAC,EAAE,MAAM,GAAG,QAAQ,CAOtE;AAED,wBAAgB,aAAa,CAAC,GAAG,EAAE,MAAM,GAAG,MAAM,GAAG,IAAI,EAAE,GAAG,SAAM,EAAE,QAAQ,SAAK,GAAG,MAAM,CAG3F;AAED,wBAAgB,QAAQ,CAAC,UAAU,EAAE,OAAO,GAAG,MAAM,CAMpD;AAED,wBAAgB,kBAAkB,CAAC,KAAK,EAAE,GAAG,OAgB5C;AAED;;;;;GAKG;AACH,wBAAgB,kBAAkB,CAAC,UAAU,EAAE,MAAM,EAAE,EAAE,EAAE,MAAM,GAAG,MAAM,CAKzE;AAED;;;;GAIG;AACH,wBAAgB,gBAAgB,CAAC,WAAW,EAAE,OAAO,GAAG;IAAE,IAAI,EAAE,MAAM,CAAC;IAAC,IAAI,EAAE,MAAM,CAAA;CAAE,EAAE,CAcvF;AAED,eAAO,MAAM,qBAAqB,aAkBhC,CAAA;AAEF;;;;GAIG;AACH,wBAAgB,uBAAuB,CAAC,GAAG,EAAE,MAAM,GAAG,MAAM,CAa3D;AAED,wBAAgB,QAAQ,CAAC,KAAK,EAAE,OAAO,GAAG,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAIhE;AAED,wBAAgB,mBAAmB,CAAC,UAAU,EAAE,GAAG,OAuBlD;AAED;;;GAGG;AACH,wBAAgB,YAAY,CAAC,GAAG,EAAE,OAAO,GAAG,QAAQ,GAAG,IAAI,CAc1D;AAED,wBAAgB,eAAe,CAAC,GAAG,EAAE,GAAG,GAAG,gBAAgB,CAkB1D;AAED,wBAAgB,iBAAiB,CAAC,GAAG,EAAE,GAAG,GAAG,sBAAsB,CAyBlE;AAID;;;;;;GAMG;AACH,wBAAgB,eAAe,CAC7B,OAAO,EAAE,OAAO,EAChB,cAAc,CAAC,EAAE,MAAM,EAAE,GACxB,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAcxB;AAED,wBAAgB,oBAAoB,CAAC,MAAM,EAAE,MAAM,GAAG,MAAM,CAO3D;AAED,wBAAgB,eAAe,CAAC,MAAM,EAAE,MAAM,EAAE,cAAc,EAAE,MAAM,EAAE,GAAG,OAAO,CAUjF;AAED,wBAAgB,eAAe,CAC7B,IAAI,EAAE,OAAO,EACb,MAAM,EAAE,MAAM,EACd,KAAK,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,GAC5B,QAAQ,CAKV;AAED;;;;;GAKG;AACH,wBAAsB,sBAAsB,CAAC,OAAO,EAAE,OAAO,GAAG,OAAO,CAAC;IACtE,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAA;IAC/B,KAAK,EAAE,YAAY,EAAE,CAAA;IACrB,IAAI,EAAE;QACJ,WAAW,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,IAAI,CAAA;QAC3C,SAAS,EAAE,MAAM,GAAG,IAAI,CAAA;QACxB,OAAO,EAAE,MAAM,GAAG,IAAI,CAAA;QACtB,YAAY,EAAE,MAAM,CAAA;KACrB,CAAA;CACF,GAAG,IAAI,CAAC,CAoER;AAED,wBAAgB,cAAc,CAAC,KAAK,EAAE,OAAO,GAAG,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,IAAI,CAe7E;AAED;;;;;;GAMG;AACH,wBAAsB,YAAY,CAAC,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,cAAc,GAAG,OAAO,CAAC,QAAQ,CAAC,CA+F5F;AAED,wBAAgB,iBAAiB,CAAC,QAAQ,EAAE,GAAG,OAS9C;AAED,wBAAgB,gBAAgB,CAAC,IAAI,EAAE,GAAG,OAiBzC;AAED,wBAAgB,QAAQ,CAAC,CAAC,EAAE,GAAG,EAAE,IAAI,EAAE,MAAM,GAAG,OAAO,CAMtD;AAED,2EAA2E;AAC3E,wBAAgB,mBAAmB,CAAC,CAAC,EAAE,MAAM,GAAG,MAAM,CAKrD;AAED,mFAAmF;AACnF,wBAAgB,YAAY,CAAC,IAAI,EAAE,MAAM,GAAG,MAAM,EAAE,CA4BnD;AAED,wBAAgB,iBAAiB,CAAC,IAAI,EAAE,MAAM,GAAG,QAAQ,CAOxD;AAED;;;;GAIG;AACH,wBAAgB,SAAS,CAAC,KAAK,EAAE,MAAM,GAAG,MAAM,CAO/C;AAED;;;;;GAKG;AACH,eAAO,MAAM,iBAAiB,QAAQ,CAAA;AAEtC;;;;;;GAMG;AACH,wBAAgB,WAAW,CAAC,IAAI,EAAE;IAChC,KAAK,EAAE,MAAM,CAAA;IACb,WAAW,CAAC,EAAE,MAAM,CAAA;IACpB,QAAQ,CAAC,EAAE,MAAM,GAAG,IAAI,CAAA;IACxB,KAAK,EAAE,OAAO,GAAG,MAAM,CAAA;IACvB,EAAE,EAAE,MAAM,CAAA;IACV,EAAE,EAAE,MAAM,CAAA;IACV,KAAK,EAAE,MAAM,CAAA;CACd,GAAG,MAAM,CAyDT;AAED;;;;;;;;;;;;;;;GAeG;AACH,wBAAgB,mBAAmB,CAAC,KAAK,EAAE,MAAM,EAAE,GAAG,EAAE,OAAO,GAAG,IAAI,CAUrE;AAED,wBAAsB,SAAS,CAAC,KAAK,EAAE,GAAG,EAAE,KAAK,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,OAAO,CAAC,MAAM,CAAC,CAe5F;AAED,wBAAsB,YAAY,CAAC,CAAC,EAAE,KAAK,EAAE,GAAG,EAAE,IAAI,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,OAAO,CAAC,CAAC,EAAE,CAAC,CAe7F;AAED,wBAAgB,mBAAmB,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAcxD;AAED,yEAAyE;AACzE,eAAO,MAAM,sBAAsB,QAAkB,CAAA;AAErD;;;;;GAKG;AACH,wBAAsB,mBAAmB,CACvC,GAAG,EAAE,MAAM,EACX,aAAa,CAAC,EAAE,MAAM,GACrB,OAAO,CAAC;IAAE,MAAM,EAAE,MAAM,CAAC;IAAC,QAAQ,EAAE,MAAM,CAAA;CAAE,GAAG,IAAI,CAAC,CAgBtD;AAED,eAAO,MAAM,mBAAmB,aAM9B,CAAA;AAKF,wBAAgB,gBAAgB,IAAI,MAAM,CA0BzC;AAED,wBAAgB,eAAe,IAAI,OAAO,CAQzC;AAED;;;;;GAKG;AACH,MAAM,MAAM,WAAW,GAAG;IACxB,MAAM,EAAE,MAAM,CAAA;IACd,IAAI,EAAE,MAAM,CAAA;IACZ,SAAS,EAAE,MAAM,CAAA;IACjB,MAAM,CAAC,EAAE;QACP,EAAE,EAAE,MAAM,CAAA;QACV,MAAM,EAAE,WAAW,CAAA;KACpB,CAAA;CACF,CAAA;AAED,wBAAsB,cAAc,CAAC,OAAO,EAAE,OAAO,GAAG,OAAO,CAAC,WAAW,GAAG,IAAI,CAAC,CAyElF;AAED,wBAAgB,iBAAiB,CAAC,YAAY,EAAE,MAAM,GAAG,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAS9E;AAED;;;;;;;GAOG;AACH,wBAAsB,qBAAqB,CACzC,OAAO,EAAE,OAAO,EAChB,MAAM,EAAE,MAAM,GACb,OAAO,CAAC,QAAQ,GAAG,IAAI,CAAC,CAwB1B;AAED,wBAAsB,WAAW,CAC/B,OAAO,EAAE,OAAO,GACf,OAAO,CAAC;IAAE,OAAO,EAAE,WAAW,CAAC;IAAC,KAAK,CAAC,EAAE,KAAK,CAAA;CAAE,GAAG;IAAE,OAAO,CAAC,EAAE,KAAK,CAAC;IAAC,KAAK,EAAE,QAAQ,CAAA;CAAE,CAAC,CAkBzF;AAED;;;;;GAKG;AACH,wBAAgB,sBAAsB,CACpC,OAAO,EAAE,WAAW,EACpB,UAAU,EAAE,MAAM,EAClB,MAAM,EAAE,MAAM,GAAG,QAAQ,GAAG,QAAQ,GAAG,QAAQ,GAC9C,QAAQ,GAAG,IAAI,CAYjB;AAED,wBAAgB,kBAAkB,CAAC,OAAO,EAAE,WAAW,EAAE,IAAI,EAAE,MAAM,GAAG,QAAQ,GAAG,IAAI,CAOtF;AAED,wBAAgB,iBAAiB,CAAC,OAAO,EAAE,WAAW,GAAG,QAAQ,GAAG,IAAI,CAOvE;AAED,wBAAgB,uBAAuB,CAAC,OAAO,EAAE,WAAW,GAAG,QAAQ,GAAG,IAAI,CAQ7E;AAED,wBAAgB,iBAAiB,CAAC,OAAO,EAAE,WAAW,GAAG,QAAQ,GAAG,IAAI,CAQvE;AAED,wBAAgB,kBAAkB,CAChC,OAAO,EAAE;IAAE,MAAM,EAAE,MAAM,CAAC;IAAC,IAAI,EAAE,MAAM,CAAA;CAAE,EACzC,EAAE,EAAE,GAAG,EACP,MAAM,CAAC,EAAE,MAAM,GACd,aAAa,CAOf;AAED,eAAO,MAAM,WAAW,aAAkD,CAAA;AAC1E,eAAO,MAAM,WAAW,aAA8B,CAAA;AAEtD,wBAAgB,WAAW,CAAC,IAAI,EAAE,MAAM,EAAE,YAAY,EAAE,GAAG,CAAC,MAAM,CAAC,GAAG,QAAQ,GAAG,IAAI,CAKpF;AAED;;;;GAIG;AACH,wBAAgB,cAAc,CAAC,OAAO,EAAE,WAAW,GAAG,WAAW,CAehE;AAED,oEAAoE;AACpE,wBAAgB,iBAAiB,IAAI,OAAO,CAI3C;AAED,eAAO,MAAM,YAAY,iDAAkE,CAAA;AAG3F,eAAO,MAAM,aAAa,iDAAmE,CAAA;AAC7F,eAAO,MAAM,WAAW,iDAAmE,CAAA;AAC3F,eAAO,MAAM,iBAAiB,iDAA2D,CAAA;AACzF,eAAO,MAAM,iBAAiB,iDAAmE,CAAA;AAGjG,eAAO,MAAM,aAAa,iDAAmE,CAAA;AAG7F,eAAO,MAAM,iBAAiB,iDAAmE,CAAA;AAGjG,eAAO,MAAM,qBAAqB,QAAS,CAAA;AAC3C,eAAO,MAAM,iBAAiB,iDAAkE,CAAA;AAChG,eAAO,MAAM,eAAe,iDAAmE,CAAA;AAE/F,wBAAsB,mBAAmB,CACvC,OAAO,EAAE;IAAE,KAAK,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,OAAO,CAAC;QAAE,OAAO,EAAE,OAAO,CAAA;KAAE,CAAC,CAAA;CAAE,EAClE,GAAG,EAAE,MAAM,GACV,OAAO,CAAC,OAAO,CAAC,CAWlB;AAED;;;;;GAKG;AACH,wBAAgB,QAAQ,CAAC,OAAO,EAAE,OAAO,GAAG,MAAM,CAEjD;AAED;;;;GAIG;AACH,wBAAgB,cAAc,CAC5B,QAAQ,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EACjC,IAAI,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAC5B,KAAK,CAAC;IAAE,GAAG,EAAE,MAAM,CAAC;IAAC,IAAI,EAAE,OAAO,CAAC;IAAC,EAAE,EAAE,OAAO,CAAA;CAAE,CAAC,CAapD;AAED,eAAO,MAAM,uBAAuB,IAAI,CAAA;AAExC;;;;;GAKG;AACH,wBAAsB,2BAA2B,CAAC,CAAC,EAAE,GAAG,EAAE,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CA8CvF;AAED,wBAAgB,YAAY,IAAI,MAAM,CAErC;AAED;;;GAGG;AACH,wBAAgB,iBAAiB,CAAC,IAAI,EAAE,MAAM,GAAG,oBAAoB,GAAG,SAAS,CAUhF;AAED;;;;;GAKG;AACH,wBAAgB,0BAA0B,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAchE;AAED;;;;;;GAMG;AACH,wBAAsB,yBAAyB,CAC7C,OAAO,EAAE,WAAW,EACpB,UAAU,EAAE,MAAM,GACjB,OAAO,CAAC,QAAQ,GAAG,IAAI,CAAC,CAY1B"}
|