@airdraft/cloud 0.1.0

package/dist/relay.js

@@ -0,0 +1,101 @@
+import { hashApiKey } from '@airdraft/auth';
+import { signGitHubAppJwt } from './jwt.js';
+// ---------------------------------------------------------------------------
+// Helpers
+// ---------------------------------------------------------------------------
+const GITHUB_API = 'https://api.github.com';
+const CACHE_TTL_S = 55 * 60; // 55 minutes — 5 min buffer before GitHub's 1-hr expiry
+const RATE_LIMIT_KEY = (installationId) => `ratelimit:github:token:${installationId}`;
+const TOKEN_CACHE_KEY = (installationId) => `github:token:${installationId}`;
+function json(body, status = 200) {
+    return new Response(JSON.stringify(body), {
+        status,
+        headers: { 'Content-Type': 'application/json' },
+    });
+}
+// ---------------------------------------------------------------------------
+// handleTokenRelay
+// ---------------------------------------------------------------------------
+/**
+ * Handler for `POST /v1/github/token`.
+ *
+ * Exchanges a project API key (`ntk_*`) for a GitHub installation access token.
+ * Used by mode 2 self-hosted runtimes that rely on Airdraft's shared GitHub App.
+ *
+ * Flow:
+ * 1. Extract and validate `ntk_*` key from `Authorization: Bearer` header
+ * 2. Hash → look up in `projects` collection
+ * 3. Apply per-installation rate limit (1 req/s, Redis counter)
+ * 4. Return cached token from Redis if still fresh
+ * 5. Mint fresh token via GitHub App JWT → cache → return
+ *
+ * ```ts
+ * // In a Next.js route handler:
+ * export async function POST(req: Request) {
+ *   return handleTokenRelay(req, db, {
+ *     githubAppId: process.env.GITHUB_APP_ID!,
+ *     githubAppPrivateKey: process.env.GITHUB_APP_PRIVATE_KEY!,
+ *     cache: redisCache,
+ *   })
+ * }
+ * ```
+ */
+export async function handleTokenRelay(req, db, opts) {
+    // 1. Extract API key from Authorization header
+    const authHeader = req.headers.get('Authorization') ?? '';
+    const apiKey = authHeader.startsWith('Bearer ') ? authHeader.slice(7).trim() : null;
+    if (!apiKey || !apiKey.startsWith('ntk_')) {
+        return json({ error: 'INVALID_KEY' }, 401);
+    }
+    // 2. Hash → project lookup
+    const hash = hashApiKey(apiKey);
+    const project = await db.projects.findOne({ apiKeyHash: hash });
+    if (!project)
+        return json({ error: 'INVALID_KEY' }, 401);
+    if (!project.github)
+        return json({ error: 'GITHUB_NOT_CONNECTED' }, 404);
+    const { installationId } = project.github;
+    // 3. Rate limit: 1 req/installation/sec via Redis counter
+    if (opts.cache) {
+        const rlKey = RATE_LIMIT_KEY(installationId);
+        const count = await opts.cache.get(rlKey);
+        if (count !== null && parseInt(count, 10) >= 1) {
+            return json({ error: 'RATE_LIMITED' }, 429);
+        }
+        await opts.cache.set(rlKey, '1', 1); // TTL: 1 second
+    }
+    // 4. L2 cache check
+    if (opts.cache) {
+        const cached = await opts.cache.get(TOKEN_CACHE_KEY(installationId));
+        if (cached) {
+            return json(JSON.parse(cached));
+        }
+    }
+    // 5. Mint fresh token via GitHub App JWT
+    let githubRes;
+    try {
+        const jwt = await signGitHubAppJwt(opts.githubAppId, opts.githubAppPrivateKey);
+        githubRes = await fetch(`${GITHUB_API}/app/installations/${installationId}/access_tokens`, {
+            method: 'POST',
+            headers: {
+                Authorization: `Bearer ${jwt}`,
+                Accept: 'application/vnd.github+json',
+                'X-GitHub-Api-Version': '2022-11-28',
+            },
+        });
+    }
+    catch {
+        return json({ error: 'GITHUB_UNAVAILABLE' }, 503);
+    }
+    if (!githubRes.ok) {
+        return json({ error: 'GITHUB_UNAVAILABLE' }, 503);
+    }
+    const body = await githubRes.json();
+    const result = { token: body.token, expiresAt: body.expires_at };
+    // Cache for 55 minutes
+    if (opts.cache) {
+        await opts.cache.set(TOKEN_CACHE_KEY(installationId), JSON.stringify(result), CACHE_TTL_S);
+    }
+    return json(result);
+}
+//# sourceMappingURL=relay.js.map

package/dist/relay.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"relay.js","sourceRoot":"","sources":["../src/relay.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,UAAU,EAAE,MAAM,gBAAgB,CAAA;AAC3C,OAAO,EAAE,gBAAgB,EAAE,MAAM,UAAU,CAAA;AAgB3C,8EAA8E;AAC9E,UAAU;AACV,8EAA8E;AAE9E,MAAM,UAAU,GAAG,wBAAwB,CAAA;AAC3C,MAAM,WAAW,GAAG,EAAE,GAAG,EAAE,CAAA,CAAC,wDAAwD;AACpF,MAAM,cAAc,GAAG,CAAC,cAAsB,EAAE,EAAE,CAAC,0BAA0B,cAAc,EAAE,CAAA;AAC7F,MAAM,eAAe,GAAG,CAAC,cAAsB,EAAE,EAAE,CAAC,gBAAgB,cAAc,EAAE,CAAA;AAEpF,SAAS,IAAI,CAAC,IAAa,EAAE,MAAM,GAAG,GAAG;IACvC,OAAO,IAAI,QAAQ,CAAC,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,EAAE;QACxC,MAAM;QACN,OAAO,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE;KAChD,CAAC,CAAA;AACJ,CAAC;AAED,8EAA8E;AAC9E,mBAAmB;AACnB,8EAA8E;AAE9E;;;;;;;;;;;;;;;;;;;;;;;GAuBG;AACH,MAAM,CAAC,KAAK,UAAU,gBAAgB,CACpC,GAAY,EACZ,EAAW,EACX,IAAkB;IAElB,+CAA+C;IAC/C,MAAM,UAAU,GAAG,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,eAAe,CAAC,IAAI,EAAE,CAAA;IACzD,MAAM,MAAM,GAAG,UAAU,CAAC,UAAU,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC,UAAU,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC,CAAC,IAAI,CAAA;IAEnF,IAAI,CAAC,MAAM,IAAI,CAAC,MAAM,CAAC,UAAU,CAAC,MAAM,CAAC,EAAE,CAAC;QAC1C,OAAO,IAAI,CAAC,EAAE,KAAK,EAAE,aAAa,EAAE,EAAE,GAAG,CAAC,CAAA;IAC5C,CAAC;IAED,2BAA2B;IAC3B,MAAM,IAAI,GAAG,UAAU,CAAC,MAAM,CAAC,CAAA;IAC/B,MAAM,OAAO,GAAG,MAAM,EAAE,CAAC,QAAQ,CAAC,OAAO,CAAC,EAAE,UAAU,EAAE,IAAI,EAAE,CAAC,CAAA;IAE/D,IAAI,CAAC,OAAO;QAAE,OAAO,IAAI,CAAC,EAAE,KAAK,EAAE,aAAa,EAAE,EAAE,GAAG,CAAC,CAAA;IACxD,IAAI,CAAC,OAAO,CAAC,MAAM;QAAE,OAAO,IAAI,CAAC,EAAE,KAAK,EAAE,sBAAsB,EAAE,EAAE,GAAG,CAAC,CAAA;IAExE,MAAM,EAAE,cAAc,EAAE,GAAG,OAAO,CAAC,MAAM,CAAA;IAEzC,0DAA0D;IAC1D,IAAI,IAAI,CAAC,KAAK,EAAE,CAAC;QACf,MAAM,KAAK,GAAG,cAAc,CAAC,cAAc,CAAC,CAAA;QAC5C,MAAM,KAAK,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,KAAK,CAAC,CAAA;QACzC,IAAI,KAAK,KAAK,IAAI,IAAI,QAAQ,CAAC,KAAK,EAAE,EAAE,CAAC,IAAI,CAAC,EAAE,CAAC;YAC/C,OAAO,IAAI,CAAC,EAAE,KAAK,EAAE,cAAc,EAAE,EAAE,GAAG,CAAC,CAAA;QAC7C,CAAC;QACD,MAAM,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,KAAK,EAAE,GAAG,EAAE,CAAC,CAAC,CAAA,CAAC,gBAAgB;IACtD,CAAC;IAED,oBAAoB;IACpB,IAAI,IAAI,CAAC,KAAK,EAAE,CAAC;QACf,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,eAAe,CAAC,cAAc,CAAC,CAAC,CAAA;QACpE,IAAI,MAAM,EAAE,CAAC;YACX,OAAO,IAAI,CAAC,IAAI,CAAC,KAAK,CAAC,MAAM,CAAY,CAAC,CAAA;QAC5C,CAAC;IACH,CAAC;IAED,yCAAyC;IACzC,IAAI,SAAmB,CAAA;IACvB,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,MAAM,gBAAgB,CAAC,IAAI,CAAC,WAAW,EAAE,IAAI,CAAC,mBAAmB,CAAC,CAAA;QAC9E,SAAS,GAAG,MAAM,KAAK,CACrB,GAAG,UAAU,sBAAsB,cAAc,gBAAgB,EACjE;YACE,MAAM,EAAE,MAAM;YACd,OAAO,EAAE;gBACP,aAAa,EAAE,UAAU,GAAG,EAAE;gBAC9B,MAAM,EAAE,6BAA6B;gBACrC,sBAAsB,EAAE,YAAY;aACrC;SACF,CACF,CAAA;IACH,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC,EAAE,KAAK,EAAE,oBAAoB,EAAE,EAAE,GAAG,CAAC,CAAA;IACnD,CAAC;IAED,IAAI,CAAC,SAAS,CAAC,EAAE,EAAE,CAAC;QAClB,OAAO,IAAI,CAAC,EAAE,KAAK,EAAE,oBAAoB,EAAE,EAAE,GAAG,CAAC,CAAA;IACnD,CAAC;IAED,MAAM,IAAI,GAAG,MAAM,SAAS,CAAC,IAAI,EAA2C,CAAA;IAC5E,MAAM,MAAM,GAAG,EAAE,KAAK,EAAE,IAAI,CAAC,KAAK,EAAE,SAAS,EAAE,IAAI,CAAC,UAAU,EAAE,CAAA;IAEhE,uBAAuB;IACvB,IAAI,IAAI,CAAC,KAAK,EAAE,CAAC;QACf,MAAM,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,eAAe,CAAC,cAAc,CAAC,EAAE,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC,EAAE,WAAW,CAAC,CAAA;IAC5F,CAAC;IAED,OAAO,IAAI,CAAC,MAAM,CAAC,CAAA;AACrB,CAAC"}

package/dist/runtime.d.ts

@@ -0,0 +1,48 @@
+import type { CloudAuthAdapter } from '@airdraft/cloud-auth';
+import type { CloudDb, TokenCache } from './types.js';
+/**
+ * Evicts the cached CmsEngine for a project. Called by `handleWebhook` on
+ * push events so the next request picks up the updated schema immediately.
+ */
+export declare function bustEngineCache(projectId: string): void;
+export interface CloudCmsOptions {
+    db: CloudDb;
+    /** TokenCache used for GitHub token caching AND schema caching. */
+    schemaCache: TokenCache;
+    githubAppId: string;
+    githubAppPrivateKey: string;
+    /**
+     * Cloud auth adapter. When provided, Bearer JWTs from cloud dashboard
+     * sessions are accepted alongside ntk_* API keys.
+     */
+    authAdapter?: CloudAuthAdapter;
+}
+interface RouteContext {
+    params: Promise<{
+        projectSlug: string;
+        route?: string[];
+    }>;
+}
+type HandlerFn = (req: Request, ctx: RouteContext) => Promise<Response>;
+export interface CloudCmsHandler {
+    GET: HandlerFn;
+    POST: HandlerFn;
+    PUT: HandlerFn;
+    PATCH: HandlerFn;
+    DELETE: HandlerFn;
+}
+/**
+ * Creates Next.js App Router route handlers for the cloud CMS runtime.
+ *
+ * Mount at `app/(cms)/[projectSlug]/api/cms/[...route]/route.ts`:
+ *
+ * ```ts
+ * const { GET, POST, PUT, DELETE } = createCloudCmsHandler({ db, schemaCache, githubAppId, githubAppPrivateKey })
+ * export { GET, POST, PUT, DELETE }
+ * ```
+ *
+ * URL pattern: `cms.airdraft.space/{projectSlug}/api/cms/{collection}/{slug?}`
+ */
+export declare function createCloudCmsHandler(opts: CloudCmsOptions): CloudCmsHandler;
+export {};
+//# sourceMappingURL=runtime.d.ts.map

package/dist/runtime.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"runtime.d.ts","sourceRoot":"","sources":["../src/runtime.ts"],"names":[],"mappings":"AAOA,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,sBAAsB,CAAA;AAC5D,OAAO,KAAK,EAAE,OAAO,EAAE,UAAU,EAAc,MAAM,YAAY,CAAA;AAejE;;;GAGG;AACH,wBAAgB,eAAe,CAAC,SAAS,EAAE,MAAM,GAAG,IAAI,CAEvD;AAMD,MAAM,WAAW,eAAe;IAC9B,EAAE,EAAE,OAAO,CAAA;IACX,mEAAmE;IACnE,WAAW,EAAE,UAAU,CAAA;IACvB,WAAW,EAAE,MAAM,CAAA;IACnB,mBAAmB,EAAE,MAAM,CAAA;IAC3B;;;OAGG;IACH,WAAW,CAAC,EAAE,gBAAgB,CAAA;CAC/B;AAED,UAAU,YAAY;IACpB,MAAM,EAAE,OAAO,CAAC;QAAE,WAAW,EAAE,MAAM,CAAC;QAAC,KAAK,CAAC,EAAE,MAAM,EAAE,CAAA;KAAE,CAAC,CAAA;CAC3D;AAED,KAAK,SAAS,GAAG,CAAC,GAAG,EAAE,OAAO,EAAE,GAAG,EAAE,YAAY,KAAK,OAAO,CAAC,QAAQ,CAAC,CAAA;AAEvE,MAAM,WAAW,eAAe;IAC9B,GAAG,EAAE,SAAS,CAAA;IACd,IAAI,EAAE,SAAS,CAAA;IACf,GAAG,EAAE,SAAS,CAAA;IACd,KAAK,EAAE,SAAS,CAAA;IAChB,MAAM,EAAE,SAAS,CAAA;CAClB;AAwID;;;;;;;;;;;GAWG;AACH,wBAAgB,qBAAqB,CAAC,IAAI,EAAE,eAAe,GAAG,eAAe,CAwD5E"}

package/dist/runtime.js

@@ -0,0 +1,186 @@
+import { GitHubAdapter } from '@airdraft/core';
+import { createCmsHandler } from '@airdraft/next';
+import { withAuth } from '@airdraft/plugin-auth';
+import { withAuditLog } from '@airdraft/plugin-audit-log';
+import { hashApiKey } from '@airdraft/auth';
+const _engineCache = new Map();
+const ENGINE_TTL_MS = 5 * 60 * 1000; // 5 minutes
+/**
+ * Evicts the cached CmsEngine for a project. Called by `handleWebhook` on
+ * push events so the next request picks up the updated schema immediately.
+ */
+export function bustEngineCache(projectId) {
+    _engineCache.delete(projectId);
+}
+const SCHEMA_CACHE_PREFIX = 'schema:';
+function json(body, status = 200) {
+    return new Response(JSON.stringify(body), {
+        status,
+        headers: { 'Content-Type': 'application/json' },
+    });
+}
+// ---------------------------------------------------------------------------
+// buildProjectHandler
+// ---------------------------------------------------------------------------
+async function buildProjectHandler(project, opts) {
+    if (!project || !project.github)
+        throw new Error('Project or GitHub connection missing');
+    const { appId, repo, branch, installationId } = {
+        appId: opts.githubAppId,
+        repo: project.github.repo,
+        branch: project.github.branch,
+        installationId: String(project.github.installationId),
+    };
+    // Build GitHub adapter (direct JWT signing — cloud app owns the GitHub App)
+    const adapter = new GitHubAdapter({
+        appId,
+        privateKey: opts.githubAppPrivateKey,
+        installationId,
+        repo,
+        branch,
+    });
+    // Load schema JSON — check Redis cache first
+    const schemaCacheKey = `${SCHEMA_CACHE_PREFIX}${project._id.toString()}`;
+    let schemaJson = null;
+    if (opts.schemaCache) {
+        schemaJson = await opts.schemaCache.get(schemaCacheKey);
+    }
+    if (!schemaJson) {
+        const file = await adapter.read('airdraft.schema.json');
+        if (!file)
+            throw new Error('airdraft.schema.json not found in repository');
+        schemaJson = file.content;
+        await opts.schemaCache?.set(schemaCacheKey, schemaJson, 5 * 60); // 5-min TTL
+    }
+    const schema = JSON.parse(schemaJson);
+    // Build unified auth provider
+    const projectApiKeyHash = project.apiKeyHash;
+    const projectTeamId = project.teamId;
+    const db = opts.db;
+    const authAdapter = opts.authAdapter;
+    const authProvider = {
+        async verify(req) {
+            const authHeader = req.headers.get('Authorization') ?? '';
+            // 1. ntk_* API key — hash compare against stored hash
+            if (authHeader.startsWith('Bearer ntk_')) {
+                const key = authHeader.slice(7).trim();
+                if (projectApiKeyHash && hashApiKey(key) === projectApiKeyHash) {
+                    return { id: 'api-key', email: 'api@key', name: 'API Key', role: 'admin' };
+                }
+                return null;
+            }
+            // 2. Cloud session — Bearer JWT or httpOnly cookie via CloudAuthAdapter.
+            //    Called regardless of Authorization header presence so that dashboard
+            //    pages using same-origin cookie auth (no Bearer header) also pass.
+            if (authAdapter) {
+                const identity = await authAdapter.verifySession(req);
+                if (!identity)
+                    return null;
+                const membership = await db.memberships.findOne({
+                    teamId: projectTeamId,
+                    userId: identity.userId,
+                });
+                if (!membership)
+                    return null;
+                // Map cloud role to CMS role
+                const roleMap = {
+                    owner: 'admin',
+                    admin: 'admin',
+                    editor: 'publisher',
+                    viewer: 'editor',
+                };
+                const role = roleMap[membership.role] ?? 'editor';
+                return { id: identity.userId, email: identity.email, name: identity.name, role };
+            }
+            return null;
+        },
+    };
+    // Build CmsConfig — include MongoDB audit persister when auditEvents collection available
+    const plugins = [withAuth({ provider: authProvider })];
+    if (opts.db.auditEvents) {
+        const projectId = project._id.toString();
+        plugins.push(withAuditLog({
+            persist: async (event) => {
+                try {
+                    await opts.db.auditEvents.insertOne({
+                        ...event,
+                        projectId,
+                    });
+                }
+                catch {
+                    // audit log failures must never crash the CMS handler
+                }
+            },
+        }));
+    }
+    const config = {
+        adapter,
+        collections: schema.collections,
+        plugins,
+        basePath: '/api/cms',
+    };
+    return createCmsHandler(config);
+}
+// ---------------------------------------------------------------------------
+// createCloudCmsHandler
+// ---------------------------------------------------------------------------
+/**
+ * Creates Next.js App Router route handlers for the cloud CMS runtime.
+ *
+ * Mount at `app/(cms)/[projectSlug]/api/cms/[...route]/route.ts`:
+ *
+ * ```ts
+ * const { GET, POST, PUT, DELETE } = createCloudCmsHandler({ db, schemaCache, githubAppId, githubAppPrivateKey })
+ * export { GET, POST, PUT, DELETE }
+ * ```
+ *
+ * URL pattern: `cms.airdraft.space/{projectSlug}/api/cms/{collection}/{slug?}`
+ */
+export function createCloudCmsHandler(opts) {
+    async function handle(req, ctx) {
+        const params = await ctx.params;
+        const projectSlug = params.projectSlug;
+        const route = params.route ?? [];
+        // Load project by slug
+        const project = await opts.db.projects.findOne({ slug: projectSlug });
+        if (!project) {
+            return json({ error: { code: 'PROJECT_NOT_FOUND', message: 'Project not found' } }, 404);
+        }
+        if (!project.github) {
+            return json({ error: { code: 'GITHUB_NOT_CONNECTED', message: 'GitHub App not connected to this project' } }, 404);
+        }
+        // Get or build cached handler
+        const projectId = project._id.toString();
+        const cached = _engineCache.get(projectId);
+        let handler;
+        if (cached && cached.expiresAt > Date.now()) {
+            handler = cached.handler;
+        }
+        else {
+            try {
+                handler = await buildProjectHandler(project, opts);
+            }
+            catch (err) {
+                console.error('[airdraft/cloud] Failed to build engine for project', projectSlug, err);
+                return json({ error: { code: 'ENGINE_INIT_FAILED', message: 'Failed to initialize CMS engine' } }, 500);
+            }
+            _engineCache.set(projectId, { handler, expiresAt: Date.now() + ENGINE_TTL_MS });
+        }
+        // Delegate to the inner CMS handler, adapting the route context
+        const innerCtx = { params: Promise.resolve({ route }) };
+        const method = req.method.toUpperCase();
+        const routeHandler = handler[method];
+        if (!routeHandler) {
+            return json({ error: { code: 'METHOD_NOT_ALLOWED', message: `${method} not supported` } }, 405);
+        }
+        return routeHandler(req, innerCtx);
+    }
+    return {
+        GET: handle,
+        POST: handle,
+        PUT: handle,
+        PATCH: handle,
+        DELETE: handle,
+    };
+}
+//# sourceMappingURL=runtime.js.map

package/dist/runtime.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"runtime.js","sourceRoot":"","sources":["../src/runtime.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,aAAa,EAAE,MAAM,gBAAgB,CAAA;AAC9C,OAAO,EAAE,gBAAgB,EAAE,MAAM,gBAAgB,CAAA;AACjD,OAAO,EAAE,QAAQ,EAAE,MAAM,uBAAuB,CAAA;AAEhD,OAAO,EAAE,YAAY,EAAE,MAAM,4BAA4B,CAAA;AACzD,OAAO,EAAE,UAAU,EAAE,MAAM,gBAAgB,CAAA;AAc3C,MAAM,YAAY,GAAG,IAAI,GAAG,EAAyB,CAAA;AACrD,MAAM,aAAa,GAAG,CAAC,GAAG,EAAE,GAAG,IAAI,CAAA,CAAC,YAAY;AAEhD;;;GAGG;AACH,MAAM,UAAU,eAAe,CAAC,SAAiB;IAC/C,YAAY,CAAC,MAAM,CAAC,SAAS,CAAC,CAAA;AAChC,CAAC;AAiCD,MAAM,mBAAmB,GAAG,SAAS,CAAA;AAErC,SAAS,IAAI,CAAC,IAAa,EAAE,MAAM,GAAG,GAAG;IACvC,OAAO,IAAI,QAAQ,CAAC,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,EAAE;QACxC,MAAM;QACN,OAAO,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE;KAChD,CAAC,CAAA;AACJ,CAAC;AAED,8EAA8E;AAC9E,sBAAsB;AACtB,8EAA8E;AAE9E,KAAK,UAAU,mBAAmB,CAChC,OAA2B,EAC3B,IAAqB;IAErB,IAAI,CAAC,OAAO,IAAI,CAAC,OAAO,CAAC,MAAM;QAAE,MAAM,IAAI,KAAK,CAAC,sCAAsC,CAAC,CAAA;IAExF,MAAM,EAAE,KAAK,EAAE,IAAI,EAAE,MAAM,EAAE,cAAc,EAAE,GAAG;QAC9C,KAAK,EAAE,IAAI,CAAC,WAAW;QACvB,IAAI,EAAE,OAAO,CAAC,MAAM,CAAC,IAAI;QACzB,MAAM,EAAE,OAAO,CAAC,MAAM,CAAC,MAAM;QAC7B,cAAc,EAAE,MAAM,CAAC,OAAO,CAAC,MAAM,CAAC,cAAc,CAAC;KACtD,CAAA;IAED,4EAA4E;IAC5E,MAAM,OAAO,GAAG,IAAI,aAAa,CAAC;QAChC,KAAK;QACL,UAAU,EAAE,IAAI,CAAC,mBAAmB;QACpC,cAAc;QACd,IAAI;QACJ,MAAM;KACP,CAAC,CAAA;IAEF,6CAA6C;IAC7C,MAAM,cAAc,GAAG,GAAG,mBAAmB,GAAG,OAAO,CAAC,GAAG,CAAC,QAAQ,EAAE,EAAE,CAAA;IACxE,IAAI,UAAU,GAAkB,IAAI,CAAA;IAEpC,IAAI,IAAI,CAAC,WAAW,EAAE,CAAC;QACrB,UAAU,GAAG,MAAM,IAAI,CAAC,WAAW,CAAC,GAAG,CAAC,cAAc,CAAC,CAAA;IACzD,CAAC;IAED,IAAI,CAAC,UAAU,EAAE,CAAC;QAChB,MAAM,IAAI,GAAG,MAAM,OAAO,CAAC,IAAI,CAAC,sBAAsB,CAAC,CAAA;QACvD,IAAI,CAAC,IAAI;YAAE,MAAM,IAAI,KAAK,CAAC,8CAA8C,CAAC,CAAA;QAC1E,UAAU,GAAG,IAAI,CAAC,OAAO,CAAA;QACzB,MAAM,IAAI,CAAC,WAAW,EAAE,GAAG,CAAC,cAAc,EAAE,UAAU,EAAE,CAAC,GAAG,EAAE,CAAC,CAAA,CAAC,YAAY;IAC9E,CAAC;IAED,MAAM,MAAM,GAAc,IAAI,CAAC,KAAK,CAAC,UAAU,CAAC,CAAA;IAEhD,8BAA8B;IAC9B,MAAM,iBAAiB,GAAG,OAAO,CAAC,UAAU,CAAA;IAC5C,MAAM,aAAa,GAAG,OAAO,CAAC,MAAM,CAAA;IACpC,MAAM,EAAE,GAAG,IAAI,CAAC,EAAE,CAAA;IAClB,MAAM,WAAW,GAAG,IAAI,CAAC,WAAW,CAAA;IAEpC,MAAM,YAAY,GAAiB;QACjC,KAAK,CAAC,MAAM,CAAC,GAAY;YACvB,MAAM,UAAU,GAAG,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,eAAe,CAAC,IAAI,EAAE,CAAA;YAEzD,sDAAsD;YACtD,IAAI,UAAU,CAAC,UAAU,CAAC,aAAa,CAAC,EAAE,CAAC;gBACzC,MAAM,GAAG,GAAG,UAAU,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,IAAI,EAAE,CAAA;gBACtC,IAAI,iBAAiB,IAAI,UAAU,CAAC,GAAG,CAAC,KAAK,iBAAiB,EAAE,CAAC;oBAC/D,OAAO,EAAE,EAAE,EAAE,SAAS,EAAE,KAAK,EAAE,SAAS,EAAE,IAAI,EAAE,SAAS,EAAE,IAAI,EAAE,OAAO,EAAE,CAAA;gBAC5E,CAAC;gBACD,OAAO,IAAI,CAAA;YACb,CAAC;YAED,yEAAyE;YACzE,0EAA0E;YAC1E,uEAAuE;YACvE,IAAI,WAAW,EAAE,CAAC;gBAChB,MAAM,QAAQ,GAAG,MAAM,WAAW,CAAC,aAAa,CAAC,GAAG,CAAC,CAAA;gBACrD,IAAI,CAAC,QAAQ;oBAAE,OAAO,IAAI,CAAA;gBAE1B,MAAM,UAAU,GAAG,MAAM,EAAE,CAAC,WAAW,CAAC,OAAO,CAAC;oBAC9C,MAAM,EAAE,aAAa;oBACrB,MAAM,EAAE,QAAQ,CAAC,MAAM;iBACxB,CAAC,CAAA;gBACF,IAAI,CAAC,UAAU;oBAAE,OAAO,IAAI,CAAA;gBAE5B,6BAA6B;gBAC7B,MAAM,OAAO,GAAqC;oBAChD,KAAK,EAAE,OAAO;oBACd,KAAK,EAAE,OAAO;oBACd,MAAM,EAAE,WAAW;oBACnB,MAAM,EAAE,QAAQ;iBACjB,CAAA;gBACD,MAAM,IAAI,GAAG,OAAO,CAAC,UAAU,CAAC,IAAI,CAAC,IAAI,QAAQ,CAAA;gBACjD,OAAO,EAAE,EAAE,EAAE,QAAQ,CAAC,MAAM,EAAE,KAAK,EAAE,QAAQ,CAAC,KAAK,EAAE,IAAI,EAAE,QAAQ,CAAC,IAAI,EAAE,IAAI,EAAE,CAAA;YAClF,CAAC;YAED,OAAO,IAAI,CAAA;QACb,CAAC;KACF,CAAA;IAED,0FAA0F;IAC1F,MAAM,OAAO,GAAG,CAAC,QAAQ,CAAC,EAAE,QAAQ,EAAE,YAAY,EAAE,CAAC,CAAC,CAAA;IAEtD,IAAI,IAAI,CAAC,EAAE,CAAC,WAAW,EAAE,CAAC;QACxB,MAAM,SAAS,GAAG,OAAO,CAAC,GAAG,CAAC,QAAQ,EAAE,CAAA;QACxC,OAAO,CAAC,IAAI,CACV,YAAY,CAAC;YACX,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,EAAE;gBACvB,IAAI,CAAC;oBACH,MAAM,IAAI,CAAC,EAAE,CAAC,WAAW,CAAC,SAAS,CAAC;wBAClC,GAAG,KAAK;wBACR,SAAS;qBACD,CAAC,CAAA;gBACb,CAAC;gBAAC,MAAM,CAAC;oBACP,sDAAsD;gBACxD,CAAC;YACH,CAAC;SACF,CAAC,CACH,CAAA;IACH,CAAC;IAED,MAAM,MAAM,GAAc;QACxB,OAAO;QACP,WAAW,EAAE,MAAM,CAAC,WAAW;QAC/B,OAAO;QACP,QAAQ,EAAE,UAAU;KACrB,CAAA;IAED,OAAO,gBAAgB,CAAC,MAAM,CAAC,CAAA;AACjC,CAAC;AAED,8EAA8E;AAC9E,wBAAwB;AACxB,8EAA8E;AAE9E;;;;;;;;;;;GAWG;AACH,MAAM,UAAU,qBAAqB,CAAC,IAAqB;IACzD,KAAK,UAAU,MAAM,CAAC,GAAY,EAAE,GAAiB;QACnD,MAAM,MAAM,GAAG,MAAM,GAAG,CAAC,MAAM,CAAA;QAC/B,MAAM,WAAW,GAAG,MAAM,CAAC,WAAW,CAAA;QACtC,MAAM,KAAK,GAAG,MAAM,CAAC,KAAK,IAAI,EAAE,CAAA;QAEhC,uBAAuB;QACvB,MAAM,OAAO,GAAG,MAAM,IAAI,CAAC,EAAE,CAAC,QAAQ,CAAC,OAAO,CAAC,EAAE,IAAI,EAAE,WAAW,EAAE,CAAC,CAAA;QACrE,IAAI,CAAC,OAAO,EAAE,CAAC;YACb,OAAO,IAAI,CAAC,EAAE,KAAK,EAAE,EAAE,IAAI,EAAE,mBAAmB,EAAE,OAAO,EAAE,mBAAmB,EAAE,EAAE,EAAE,GAAG,CAAC,CAAA;QAC1F,CAAC;QACD,IAAI,CAAC,OAAO,CAAC,MAAM,EAAE,CAAC;YACpB,OAAO,IAAI,CACT,EAAE,KAAK,EAAE,EAAE,IAAI,EAAE,sBAAsB,EAAE,OAAO,EAAE,0CAA0C,EAAE,EAAE,EAChG,GAAG,CACJ,CAAA;QACH,CAAC;QAED,8BAA8B;QAC9B,MAAM,SAAS,GAAG,OAAO,CAAC,GAAG,CAAC,QAAQ,EAAE,CAAA;QACxC,MAAM,MAAM,GAAG,YAAY,CAAC,GAAG,CAAC,SAAS,CAAC,CAAA;QAC1C,IAAI,OAA4C,CAAA;QAEhD,IAAI,MAAM,IAAI,MAAM,CAAC,SAAS,GAAG,IAAI,CAAC,GAAG,EAAE,EAAE,CAAC;YAC5C,OAAO,GAAG,MAAM,CAAC,OAAO,CAAA;QAC1B,CAAC;aAAM,CAAC;YACN,IAAI,CAAC;gBACH,OAAO,GAAG,MAAM,mBAAmB,CAAC,OAAO,EAAE,IAAI,CAAC,CAAA;YACpD,CAAC;YAAC,OAAO,GAAG,EAAE,CAAC;gBACb,OAAO,CAAC,KAAK,CAAC,qDAAqD,EAAE,WAAW,EAAE,GAAG,CAAC,CAAA;gBACtF,OAAO,IAAI,CACT,EAAE,KAAK,EAAE,EAAE,IAAI,EAAE,oBAAoB,EAAE,OAAO,EAAE,iCAAiC,EAAE,EAAE,EACrF,GAAG,CACJ,CAAA;YACH,CAAC;YACD,YAAY,CAAC,GAAG,CAAC,SAAS,EAAE,EAAE,OAAO,EAAE,SAAS,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,aAAa,EAAE,CAAC,CAAA;QACjF,CAAC;QAED,gEAAgE;QAChE,MAAM,QAAQ,GAAG,EAAE,MAAM,EAAE,OAAO,CAAC,OAAO,CAAC,EAAE,KAAK,EAAE,CAAC,EAAE,CAAA;QACvD,MAAM,MAAM,GAAG,GAAG,CAAC,MAAM,CAAC,WAAW,EAAiD,CAAA;QACtF,MAAM,YAAY,GAAG,OAAO,CAAC,MAAM,CAAC,CAAA;QACpC,IAAI,CAAC,YAAY,EAAE,CAAC;YAClB,OAAO,IAAI,CAAC,EAAE,KAAK,EAAE,EAAE,IAAI,EAAE,oBAAoB,EAAE,OAAO,EAAE,GAAG,MAAM,gBAAgB,EAAE,EAAE,EAAE,GAAG,CAAC,CAAA;QACjG,CAAC;QAED,OAAO,YAAY,CAAC,GAAG,EAAE,QAAQ,CAAC,CAAA;IACpC,CAAC;IAED,OAAO;QACL,GAAG,EAAE,MAAM;QACX,IAAI,EAAE,MAAM;QACZ,GAAG,EAAE,MAAM;QACX,KAAK,EAAE,MAAM;QACb,MAAM,EAAE,MAAM;KACf,CAAA;AACH,CAAC"}

package/dist/state.d.ts

@@ -0,0 +1,40 @@
+/**
+ * Payload embedded in the CSRF state token passed to GitHub during the
+ * App installation flow. Stateless — no DB storage needed.
+ */
+export interface StatePayload {
+    /** Project to associate the installation with. */
+    projectId: string;
+    /** User who initiated the connection — must still be admin at callback time. */
+    userId: string;
+    /** 32-byte hex nonce for replay resistance within the 10-minute window. */
+    nonce: string;
+    mode: 'dashboard' | 'cli';
+    /** CLI-only: local HTTP server port for receiving credentials. */
+    port?: number;
+    /** Unix ms expiry — 10-minute window. */
+    expiresAt: number;
+}
+export type StateVerifyResult = {
+    valid: true;
+    payload: StatePayload;
+} | {
+    valid: false;
+    reason: 'invalid_signature' | 'expired' | 'malformed';
+};
+/**
+ * Signs a CSRF state token using HMAC-SHA256.
+ * Format: `<base64url(payload)>.<base64url(signature)>`
+ *
+ * ```ts
+ * const state = signState({ projectId, userId, mode: 'dashboard' }, callbackSecret)
+ * const url = `https://github.com/apps/airdraft/installations/new?state=${state}`
+ * ```
+ */
+export declare function signState(payload: Omit<StatePayload, 'nonce' | 'expiresAt'>, secret: string): string;
+/**
+ * Verifies a CSRF state token. Returns the decoded payload on success,
+ * or a typed failure reason on any error.
+ */
+export declare function verifyState(token: string, secret: string): StateVerifyResult;
+//# sourceMappingURL=state.d.ts.map

package/dist/state.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"state.d.ts","sourceRoot":"","sources":["../src/state.ts"],"names":[],"mappings":"AAMA;;;GAGG;AACH,MAAM,WAAW,YAAY;IAC3B,kDAAkD;IAClD,SAAS,EAAE,MAAM,CAAA;IACjB,gFAAgF;IAChF,MAAM,EAAE,MAAM,CAAA;IACd,2EAA2E;IAC3E,KAAK,EAAE,MAAM,CAAA;IACb,IAAI,EAAE,WAAW,GAAG,KAAK,CAAA;IACzB,kEAAkE;IAClE,IAAI,CAAC,EAAE,MAAM,CAAA;IACb,yCAAyC;IACzC,SAAS,EAAE,MAAM,CAAA;CAClB;AAED,MAAM,MAAM,iBAAiB,GACzB;IAAE,KAAK,EAAE,IAAI,CAAC;IAAC,OAAO,EAAE,YAAY,CAAA;CAAE,GACtC;IAAE,KAAK,EAAE,KAAK,CAAC;IAAC,MAAM,EAAE,mBAAmB,GAAG,SAAS,GAAG,WAAW,CAAA;CAAE,CAAA;AAQ3E;;;;;;;;GAQG;AACH,wBAAgB,SAAS,CACvB,OAAO,EAAE,IAAI,CAAC,YAAY,EAAE,OAAO,GAAG,WAAW,CAAC,EAClD,MAAM,EAAE,MAAM,GACb,MAAM,CASR;AAMD;;;GAGG;AACH,wBAAgB,WAAW,CAAC,KAAK,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,GAAG,iBAAiB,CA+B5E"}

package/dist/state.js

@@ -0,0 +1,58 @@
+import { createHmac, randomBytes, timingSafeEqual } from 'node:crypto';
+const STATE_TTL_MS = 10 * 60 * 1000; // 10 minutes
+// ---------------------------------------------------------------------------
+// Sign
+// ---------------------------------------------------------------------------
+/**
+ * Signs a CSRF state token using HMAC-SHA256.
+ * Format: `<base64url(payload)>.<base64url(signature)>`
+ *
+ * ```ts
+ * const state = signState({ projectId, userId, mode: 'dashboard' }, callbackSecret)
+ * const url = `https://github.com/apps/airdraft/installations/new?state=${state}`
+ * ```
+ */
+export function signState(payload, secret) {
+    const full = {
+        ...payload,
+        nonce: randomBytes(32).toString('hex'),
+        expiresAt: Date.now() + STATE_TTL_MS,
+    };
+    const encoded = Buffer.from(JSON.stringify(full)).toString('base64url');
+    const sig = createHmac('sha256', secret).update(encoded).digest('base64url');
+    return `${encoded}.${sig}`;
+}
+// ---------------------------------------------------------------------------
+// Verify
+// ---------------------------------------------------------------------------
+/**
+ * Verifies a CSRF state token. Returns the decoded payload on success,
+ * or a typed failure reason on any error.
+ */
+export function verifyState(token, secret) {
+    const dotIdx = token.lastIndexOf('.');
+    if (dotIdx === -1)
+        return { valid: false, reason: 'malformed' };
+    const encoded = token.slice(0, dotIdx);
+    const receivedSig = token.slice(dotIdx + 1);
+    // Constant-time signature comparison
+    const expectedSig = createHmac('sha256', secret).update(encoded).digest('base64url');
+    const expectedBuf = Buffer.from(expectedSig);
+    const receivedBuf = Buffer.from(receivedSig);
+    if (expectedBuf.length !== receivedBuf.length ||
+        !timingSafeEqual(expectedBuf, receivedBuf)) {
+        return { valid: false, reason: 'invalid_signature' };
+    }
+    let payload;
+    try {
+        payload = JSON.parse(Buffer.from(encoded, 'base64url').toString('utf8'));
+    }
+    catch {
+        return { valid: false, reason: 'malformed' };
+    }
+    if (Date.now() > payload.expiresAt) {
+        return { valid: false, reason: 'expired' };
+    }
+    return { valid: true, payload };
+}
+//# sourceMappingURL=state.js.map

package/dist/state.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"state.js","sourceRoot":"","sources":["../src/state.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,UAAU,EAAE,WAAW,EAAE,eAAe,EAAE,MAAM,aAAa,CAAA;AA4BtE,MAAM,YAAY,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI,CAAA,CAAC,aAAa;AAEjD,8EAA8E;AAC9E,OAAO;AACP,8EAA8E;AAE9E;;;;;;;;GAQG;AACH,MAAM,UAAU,SAAS,CACvB,OAAkD,EAClD,MAAc;IAEd,MAAM,IAAI,GAAiB;QACzB,GAAG,OAAO;QACV,KAAK,EAAE,WAAW,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC;QACtC,SAAS,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,YAAY;KACrC,CAAA;IACD,MAAM,OAAO,GAAG,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAA;IACvE,MAAM,GAAG,GAAG,UAAU,CAAC,QAAQ,EAAE,MAAM,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC,MAAM,CAAC,WAAW,CAAC,CAAA;IAC5E,OAAO,GAAG,OAAO,IAAI,GAAG,EAAE,CAAA;AAC5B,CAAC;AAED,8EAA8E;AAC9E,SAAS;AACT,8EAA8E;AAE9E;;;GAGG;AACH,MAAM,UAAU,WAAW,CAAC,KAAa,EAAE,MAAc;IACvD,MAAM,MAAM,GAAG,KAAK,CAAC,WAAW,CAAC,GAAG,CAAC,CAAA;IACrC,IAAI,MAAM,KAAK,CAAC,CAAC;QAAE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,MAAM,EAAE,WAAW,EAAE,CAAA;IAE/D,MAAM,OAAO,GAAG,KAAK,CAAC,KAAK,CAAC,CAAC,EAAE,MAAM,CAAC,CAAA;IACtC,MAAM,WAAW,GAAG,KAAK,CAAC,KAAK,CAAC,MAAM,GAAG,CAAC,CAAC,CAAA;IAE3C,qCAAqC;IACrC,MAAM,WAAW,GAAG,UAAU,CAAC,QAAQ,EAAE,MAAM,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC,MAAM,CAAC,WAAW,CAAC,CAAA;IACpF,MAAM,WAAW,GAAG,MAAM,CAAC,IAAI,CAAC,WAAW,CAAC,CAAA;IAC5C,MAAM,WAAW,GAAG,MAAM,CAAC,IAAI,CAAC,WAAW,CAAC,CAAA;IAE5C,IACE,WAAW,CAAC,MAAM,KAAK,WAAW,CAAC,MAAM;QACzC,CAAC,eAAe,CAAC,WAAW,EAAE,WAAW,CAAC,EAC1C,CAAC;QACD,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,MAAM,EAAE,mBAAmB,EAAE,CAAA;IACtD,CAAC;IAED,IAAI,OAAqB,CAAA;IACzB,IAAI,CAAC;QACH,OAAO,GAAG,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,IAAI,CAAC,OAAO,EAAE,WAAW,CAAC,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAiB,CAAA;IAC1F,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,MAAM,EAAE,WAAW,EAAE,CAAA;IAC9C,CAAC;IAED,IAAI,IAAI,CAAC,GAAG,EAAE,GAAG,OAAO,CAAC,SAAS,EAAE,CAAC;QACnC,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,MAAM,EAAE,SAAS,EAAE,CAAA;IAC5C,CAAC;IAED,OAAO,EAAE,KAAK,EAAE,IAAI,EAAE,OAAO,EAAE,CAAA;AACjC,CAAC"}

package/dist/team.d.ts

@@ -0,0 +1,31 @@
+import type { CloudAuthAdapter } from '@airdraft/cloud-auth';
+import type { CloudDb } from './types.js';
+/**
+ * GET /v1/teams
+ *
+ * Returns all teams the authenticated user is a member of.
+ */
+export declare function handleListTeams(req: Request, db: CloudDb, auth: CloudAuthAdapter): Promise<Response>;
+/**
+ * POST /v1/teams
+ *
+ * Body: `{ name: string }`
+ *
+ * Creates a new team and adds the creator as `owner`.
+ */
+export declare function handleCreateTeam(req: Request, db: CloudDb, auth: CloudAuthAdapter): Promise<Response>;
+/**
+ * GET /v1/teams/:teamSlug
+ *
+ * Returns team by slug. Requires membership.
+ */
+export declare function handleGetTeam(req: Request, db: CloudDb, auth: CloudAuthAdapter, teamSlug: string): Promise<Response>;
+/**
+ * PATCH /v1/teams/:teamSlug
+ *
+ * Body: `{ name?: string }`
+ *
+ * Updates team metadata. Requires `owner` or `admin` role.
+ */
+export declare function handleUpdateTeam(req: Request, db: CloudDb, auth: CloudAuthAdapter, teamSlug: string): Promise<Response>;
+//# sourceMappingURL=team.d.ts.map

package/dist/team.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"team.d.ts","sourceRoot":"","sources":["../src/team.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,sBAAsB,CAAA;AAC5D,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,YAAY,CAAA;AAqBzC;;;;GAIG;AACH,wBAAsB,eAAe,CACnC,GAAG,EAAE,OAAO,EACZ,EAAE,EAAE,OAAO,EACX,IAAI,EAAE,gBAAgB,GACrB,OAAO,CAAC,QAAQ,CAAC,CAanB;AAMD;;;;;;GAMG;AACH,wBAAsB,gBAAgB,CACpC,GAAG,EAAE,OAAO,EACZ,EAAE,EAAE,OAAO,EACX,IAAI,EAAE,gBAAgB,GACrB,OAAO,CAAC,QAAQ,CAAC,CA6CnB;AAMD;;;;GAIG;AACH,wBAAsB,aAAa,CACjC,GAAG,EAAE,OAAO,EACZ,EAAE,EAAE,OAAO,EACX,IAAI,EAAE,gBAAgB,EACtB,QAAQ,EAAE,MAAM,GACf,OAAO,CAAC,QAAQ,CAAC,CAcnB;AAMD;;;;;;GAMG;AACH,wBAAsB,gBAAgB,CACpC,GAAG,EAAE,OAAO,EACZ,EAAE,EAAE,OAAO,EACX,IAAI,EAAE,gBAAgB,EACtB,QAAQ,EAAE,MAAM,GACf,OAAO,CAAC,QAAQ,CAAC,CAkCnB"}

package/dist/team.js

@@ -0,0 +1,150 @@
+// ---------------------------------------------------------------------------
+// Helpers
+// ---------------------------------------------------------------------------
+function json(body, status = 200) {
+    return new Response(JSON.stringify(body), {
+        status,
+        headers: { 'Content-Type': 'application/json' },
+    });
+}
+function err(code, message, status) {
+    return json({ error: { code, message } }, status);
+}
+// ---------------------------------------------------------------------------
+// handleListTeams
+// ---------------------------------------------------------------------------
+/**
+ * GET /v1/teams
+ *
+ * Returns all teams the authenticated user is a member of.
+ */
+export async function handleListTeams(req, db, auth) {
+    const identity = await auth.verifySession(req);
+    if (!identity)
+        return err('UNAUTHORIZED', 'Not authenticated', 401);
+    const memberships = await db.memberships.find({ userId: identity.userId }).toArray();
+    const teamIds = memberships.map((m) => m.teamId);
+    const { ObjectId } = await import('mongodb');
+    const teams = await db.teams
+        .find({ _id: { $in: teamIds.map((id) => new ObjectId(id)) } })
+        .toArray();
+    return json({ data: teams });
+}
+// ---------------------------------------------------------------------------
+// handleCreateTeam
+// ---------------------------------------------------------------------------
+/**
+ * POST /v1/teams
+ *
+ * Body: `{ name: string }`
+ *
+ * Creates a new team and adds the creator as `owner`.
+ */
+export async function handleCreateTeam(req, db, auth) {
+    const identity = await auth.verifySession(req);
+    if (!identity)
+        return err('UNAUTHORIZED', 'Not authenticated', 401);
+    let body;
+    try {
+        body = await req.json();
+    }
+    catch {
+        return err('INVALID_BODY', 'Request body must be JSON', 400);
+    }
+    const name = typeof body.name === 'string' ? body.name.trim() : '';
+    if (!name)
+        return err('INVALID_NAME', 'Team name is required', 400);
+    // Generate URL-safe slug from name
+    const baseSlug = name.toLowerCase().replace(/[^a-z0-9]+/g, '-').replace(/^-|-$/g, '');
+    if (!baseSlug)
+        return err('INVALID_NAME', 'Team name must contain alphanumeric characters', 400);
+    // Ensure slug uniqueness
+    const existing = await db.teams.findOne({ slug: baseSlug });
+    const slug = existing ? `${baseSlug}-${Date.now().toString(36)}` : baseSlug;
+    const now = new Date();
+    const { ObjectId } = await import('mongodb');
+    const teamId = new ObjectId();
+    await db.teams.insertOne({
+        _id: teamId,
+        name,
+        slug,
+        ownerId: identity.userId,
+        planSlug: 'free',
+        createdAt: now,
+    });
+    await db.memberships.insertOne({
+        _id: new ObjectId(),
+        teamId: teamId.toString(),
+        userId: identity.userId,
+        role: 'owner',
+        createdAt: now,
+    });
+    const team = await db.teams.findOne({ _id: teamId });
+    return json({ data: team }, 201);
+}
+// ---------------------------------------------------------------------------
+// handleGetTeam
+// ---------------------------------------------------------------------------
+/**
+ * GET /v1/teams/:teamSlug
+ *
+ * Returns team by slug. Requires membership.
+ */
+export async function handleGetTeam(req, db, auth, teamSlug) {
+    const identity = await auth.verifySession(req);
+    if (!identity)
+        return err('UNAUTHORIZED', 'Not authenticated', 401);
+    const team = await db.teams.findOne({ slug: teamSlug });
+    if (!team)
+        return err('TEAM_NOT_FOUND', 'Team not found', 404);
+    const membership = await db.memberships.findOne({
+        teamId: team._id.toString(),
+        userId: identity.userId,
+    });
+    if (!membership)
+        return err('FORBIDDEN', 'Not a member of this team', 403);
+    return json({ data: team });
+}
+// ---------------------------------------------------------------------------
+// handleUpdateTeam
+// ---------------------------------------------------------------------------
+/**
+ * PATCH /v1/teams/:teamSlug
+ *
+ * Body: `{ name?: string }`
+ *
+ * Updates team metadata. Requires `owner` or `admin` role.
+ */
+export async function handleUpdateTeam(req, db, auth, teamSlug) {
+    const identity = await auth.verifySession(req);
+    if (!identity)
+        return err('UNAUTHORIZED', 'Not authenticated', 401);
+    const team = await db.teams.findOne({ slug: teamSlug });
+    if (!team)
+        return err('TEAM_NOT_FOUND', 'Team not found', 404);
+    const membership = await db.memberships.findOne({
+        teamId: team._id.toString(),
+        userId: identity.userId,
+    });
+    if (!membership || !['owner', 'admin'].includes(membership.role)) {
+        return err('FORBIDDEN', 'Requires owner or admin role', 403);
+    }
+    let body;
+    try {
+        body = await req.json();
+    }
+    catch {
+        return err('INVALID_BODY', 'Request body must be JSON', 400);
+    }
+    const updates = {};
+    if (typeof body.name === 'string' && body.name.trim()) {
+        updates.name = body.name.trim();
+    }
+    if (Object.keys(updates).length === 0) {
+        return err('NO_CHANGES', 'No valid fields to update', 400);
+    }
+    await db.teams.updateOne({ _id: team._id }, { $set: updates });
+    const updated = await db.teams.findOne({ _id: team._id });
+    return json({ data: updated });
+}
+//# sourceMappingURL=team.js.map