@aphexcms/cms-core 0.1.12 → 0.1.14

package/dist/local-api/permissions.d.ts

@@ -0,0 +1,45 @@
+import type { LocalAPIContext } from './types.js';
+import type { SchemaType } from '../types/schemas.js';
+import type { CMSConfig } from '../types/config.js';
+/**
+ * Permission error thrown when access is denied
+ */
+export declare class PermissionError extends Error {
+    readonly operation: string;
+    readonly resource: string;
+    constructor(message: string, operation: string, resource: string);
+}
+/**
+ * Checks permissions for Local API operations
+ */
+export declare class PermissionChecker {
+    private _config;
+    private schemas;
+    constructor(_config: CMSConfig, schemas: Map<string, SchemaType>);
+    /**
+     * Get the CMS config
+     * Available for future per-collection permission logic
+     */
+    get config(): CMSConfig;
+    /**
+     * Check if the current context has read permissions for a collection
+     */
+    canRead(context: LocalAPIContext, collectionName: string): Promise<void>;
+    /**
+     * Check if the current context has write permissions (create/update)
+     */
+    canWrite(context: LocalAPIContext, collectionName: string): Promise<void>;
+    /**
+     * Check if the current context has delete permissions
+     */
+    canDelete(context: LocalAPIContext, collectionName: string): Promise<void>;
+    /**
+     * Check if the current context has publish permissions
+     */
+    canPublish(context: LocalAPIContext, collectionName: string): Promise<void>;
+    /**
+     * Validate that a collection exists in the schema
+     */
+    validateCollection(collectionName: string): void;
+}
+//# sourceMappingURL=permissions.d.ts.map

package/dist/local-api/permissions.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"permissions.d.ts","sourceRoot":"","sources":["../../src/lib/local-api/permissions.ts"],"names":[],"mappings":"AAIA,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,SAAS,CAAC;AAC/C,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,kBAAkB,CAAC;AACnD,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,iBAAiB,CAAC;AAEjD;;GAEG;AACH,qBAAa,eAAgB,SAAQ,KAAK;aAGxB,SAAS,EAAE,MAAM;aACjB,QAAQ,EAAE,MAAM;gBAFhC,OAAO,EAAE,MAAM,EACC,SAAS,EAAE,MAAM,EACjB,QAAQ,EAAE,MAAM;CAKjC;AAED;;GAEG;AACH,qBAAa,iBAAiB;IAE5B,OAAO,CAAC,OAAO;IACf,OAAO,CAAC,OAAO;gBADP,OAAO,EAAE,SAAS,EAClB,OAAO,EAAE,GAAG,CAAC,MAAM,EAAE,UAAU,CAAC;IAGzC;;;OAGG;IACH,IAAI,MAAM,IAAI,SAAS,CAEtB;IAED;;OAEG;IACG,OAAO,CAAC,OAAO,EAAE,eAAe,EAAE,cAAc,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAoB9E;;OAEG;IACG,QAAQ,CAAC,OAAO,EAAE,eAAe,EAAE,cAAc,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IA6B/E;;OAEG;IACG,SAAS,CAAC,OAAO,EAAE,eAAe,EAAE,cAAc,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IA6BhF;;OAEG;IACG,UAAU,CAAC,OAAO,EAAE,eAAe,EAAE,cAAc,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IA4BjF;;OAEG;IACH,kBAAkB,CAAC,cAAc,EAAE,MAAM,GAAG,IAAI;CAShD"}

package/dist/local-api/permissions.js

@@ -0,0 +1,117 @@
+// local-api/permissions.ts
+//
+// Permission checking for the Local API layer
+/**
+ * Permission error thrown when access is denied
+ */
+export class PermissionError extends Error {
+    operation;
+    resource;
+    constructor(message, operation, resource) {
+        super(message);
+        this.operation = operation;
+        this.resource = resource;
+        this.name = 'PermissionError';
+    }
+}
+/**
+ * Checks permissions for Local API operations
+ */
+export class PermissionChecker {
+    _config;
+    schemas;
+    constructor(_config, schemas) {
+        this._config = _config;
+        this.schemas = schemas;
+    }
+    /**
+     * Get the CMS config
+     * Available for future per-collection permission logic
+     */
+    get config() {
+        return this._config;
+    }
+    /**
+     * Check if the current context has read permissions for a collection
+     */
+    async canRead(context, collectionName) {
+        // Always allow if overrideAccess is true (system operations)
+        if (context.overrideAccess) {
+            return;
+        }
+        // Require authentication for read operations
+        if (!context.user) {
+            throw new PermissionError('Authentication required for read operations', 'read', collectionName);
+        }
+        // All authenticated users can read (role-based restrictions handled by RLS)
+        // Additional per-collection permission logic can be added here in the future
+        return;
+    }
+    /**
+     * Check if the current context has write permissions (create/update)
+     */
+    async canWrite(context, collectionName) {
+        // Always allow if overrideAccess is true (system operations)
+        if (context.overrideAccess) {
+            return;
+        }
+        // Require authentication for write operations
+        if (!context.user) {
+            throw new PermissionError('Authentication required for write operations', 'write', collectionName);
+        }
+        // Check if user has write role (not a viewer)
+        // Viewers have read-only access
+        if (context.user.role === 'viewer') {
+            throw new PermissionError('Write permission denied. Viewers have read-only access.', 'write', collectionName);
+        }
+        // Additional per-collection permission logic can be added here in the future
+        return;
+    }
+    /**
+     * Check if the current context has delete permissions
+     */
+    async canDelete(context, collectionName) {
+        // Always allow if overrideAccess is true (system operations)
+        if (context.overrideAccess) {
+            return;
+        }
+        // Require authentication for delete operations
+        if (!context.user) {
+            throw new PermissionError('Authentication required for delete operations', 'delete', collectionName);
+        }
+        // Check if user has sufficient role (admin or super_admin)
+        // Editors can create/update but not delete
+        if (context.user.role === 'viewer' || context.user.role === 'editor') {
+            throw new PermissionError('Delete permission denied. Only admins can delete resources.', 'delete', collectionName);
+        }
+        // Additional per-collection permission logic can be added here in the future
+        return;
+    }
+    /**
+     * Check if the current context has publish permissions
+     */
+    async canPublish(context, collectionName) {
+        // Always allow if overrideAccess is true (system operations)
+        if (context.overrideAccess) {
+            return;
+        }
+        // Require authentication for publish operations
+        if (!context.user) {
+            throw new PermissionError('Authentication required for publish operations', 'publish', collectionName);
+        }
+        // Check if user has write role (not a viewer)
+        if (context.user.role === 'viewer') {
+            throw new PermissionError('Publish permission denied. Viewers have read-only access.', 'publish', collectionName);
+        }
+        // Additional per-collection permission logic can be added here in the future
+        return;
+    }
+    /**
+     * Validate that a collection exists in the schema
+     */
+    validateCollection(collectionName) {
+        if (!this.schemas.has(collectionName)) {
+            throw new Error(`Collection "${collectionName}" not found in schema. Available collections: ${Array.from(this.schemas.keys()).join(', ')}`);
+        }
+    }
+}

package/dist/local-api/types.d.ts

@@ -0,0 +1,65 @@
+import type { CMSUser } from '../types/user.js';
+import type { Auth } from '../types/auth.js';
+/**
+ * Context for Local API operations
+ * This provides the necessary information for access control and multi-tenancy
+ */
+export interface LocalAPIContext {
+    /**
+     * Organization ID for multi-tenancy
+     * Required for all operations to ensure proper data isolation
+     */
+    organizationId: string;
+    /**
+     * Current user (if available)
+     * Used for permission checks and audit trails
+     */
+    user?: CMSUser;
+    /**
+     * Override access control and RLS
+     * Set to true for system operations (seed scripts, cron jobs, admin tasks)
+     * When true, uses the system database adapter that bypasses RLS
+     * @default false
+     */
+    overrideAccess?: boolean;
+    /**
+     * Full auth object from locals.auth
+     * Preserved to allow custom permission logic to access any custom fields
+     * added via module augmentation (e.g., custom roles, permissions, metadata)
+     */
+    auth?: Auth;
+    /**
+     * Request context for transactions
+     * Can be used to pass SvelteKit RequestEvent or similar context
+     */
+    req?: unknown;
+}
+/**
+ * Options for create operations
+ */
+export interface CreateOptions {
+    /**
+     * Draft data for the document/asset
+     */
+    data: Record<string, unknown>;
+    /**
+     * Whether to immediately publish after creation
+     * @default false
+     */
+    publish?: boolean;
+}
+/**
+ * Options for update operations
+ */
+export interface UpdateOptions {
+    /**
+     * Data to update
+     */
+    data: Record<string, unknown>;
+    /**
+     * Whether to publish after update
+     * @default false
+     */
+    publish?: boolean;
+}
+//# sourceMappingURL=types.d.ts.map

package/dist/local-api/types.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../../src/lib/local-api/types.ts"],"names":[],"mappings":"AAIA,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,eAAe,CAAC;AAC7C,OAAO,KAAK,EAAE,IAAI,EAAE,MAAM,eAAe,CAAC;AAE1C;;;GAGG;AACH,MAAM,WAAW,eAAe;IAC/B;;;OAGG;IACH,cAAc,EAAE,MAAM,CAAC;IAEvB;;;OAGG;IACH,IAAI,CAAC,EAAE,OAAO,CAAC;IAEf;;;;;OAKG;IACH,cAAc,CAAC,EAAE,OAAO,CAAC;IAEzB;;;;OAIG;IACH,IAAI,CAAC,EAAE,IAAI,CAAC;IAEZ;;;OAGG;IACH,GAAG,CAAC,EAAE,OAAO,CAAC;CACd;AAED;;GAEG;AACH,MAAM,WAAW,aAAa;IAC7B;;OAEG;IACH,IAAI,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IAE9B;;;OAGG;IACH,OAAO,CAAC,EAAE,OAAO,CAAC;CAClB;AAED;;GAEG;AACH,MAAM,WAAW,aAAa;IAC7B;;OAEG;IACH,IAAI,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IAE9B;;;OAGG;IACH,OAAO,CAAC,EAAE,OAAO,CAAC;CAClB"}

package/dist/local-api/types.js

@@ -0,0 +1,4 @@
+// local-api/types.ts
+//
+// Core types for the Local API layer
+export {};

package/dist/routes/documents-by-id.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"documents-by-id.d.ts","sourceRoot":"","sources":["../../src/lib/routes/documents-by-id.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,eAAe,CAAC;AAKpD,eAAO,MAAM,GAAG,EAAE,cA2DjB,CAAC;AAGF,eAAO,MAAM,GAAG,EAAE,cAoEjB,CAAC;AAGF,eAAO,MAAM,MAAM,EAAE,cA+CpB,CAAC"}
+{"version":3,"file":"documents-by-id.d.ts","sourceRoot":"","sources":["../../src/lib/routes/documents-by-id.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,eAAe,CAAC;AAKpD,eAAO,MAAM,GAAG,EAAE,cAuEjB,CAAC;AAGF,eAAO,MAAM,GAAG,EAAE,cAqEjB,CAAC;AAGF,eAAO,MAAM,MAAM,EAAE,cA+DpB,CAAC"}

package/dist/routes/documents-by-id.js

@@ -1,44 +1,41 @@
 // Aphex CMS Document by ID API Handlers
 import { json } from '@sveltejs/kit';
-import { canWrite } from '../types/auth.js';
+import { authToContext } from '../local-api/auth-helpers.js';
+import { PermissionError } from '../local-api/permissions.js';
 // GET /api/documents/[id] - Get document by ID
 export const GET = async ({ params, url, locals }) => {
     try {
-        const { databaseAdapter, auth: authProvider } = locals.aphexCMS;
-        const auth = locals.auth;
+        const { localAPI, databaseAdapter } = locals.aphexCMS;
+        const context = authToContext(locals.auth);
         const { id } = params;
-        if (!auth) {
-            return json({ success: false, error: 'Unauthorized' }, { status: 401 });
-        }
         if (!id) {
             return json({ success: false, error: 'Document ID is required' }, { status: 400 });
         }
-        // Parse depth parameter
+        // Parse query params
         const depthParam = url.searchParams.get('depth');
-        const depth = depthParam ? parseInt(depthParam) : 0;
-        const clampedDepth = isNaN(depth) ? 0 : Math.max(0, Math.min(depth, 5)); // Clamp between 0-5
-        const document = await databaseAdapter.findByDocId(auth.organizationId, id, clampedDepth);
-        if (!document) {
+        const depth = depthParam ? Math.max(0, Math.min(parseInt(depthParam), 5)) : 0;
+        const perspective = url.searchParams.get('perspective') || 'draft';
+        // First, fetch document to get its type (need this for collection-specific API)
+        const rawDoc = await databaseAdapter.findByDocId(context.organizationId, id, 0);
+        if (!rawDoc) {
             return json({ success: false, error: 'Document not found' }, { status: 404 });
         }
-        // Populate createdBy user info if available
-        if (document.createdBy && authProvider) {
-            try {
-                if (typeof document.createdBy === 'string') {
-                    const user = await authProvider.getUserById(document.createdBy);
-                    if (user) {
-                        document.createdBy = {
-                            id: user.id,
-                            name: user.name,
-                            email: user.email
-                        };
-                    }
-                }
-            }
-            catch (err) {
-                // If user fetch fails, keep the user ID
-                console.warn('[documents-by-id] Failed to populate createdBy user:', err);
-            }
+        // Get collection API (TypeScript-safe)
+        const collection = localAPI.collections[rawDoc.type];
+        if (!collection) {
+            return json({
+                success: false,
+                error: 'Invalid document type',
+                message: `Collection '${rawDoc.type}' not found`
+            }, { status: 400 });
+        }
+        // Now use LocalAPI for permission-checked retrieval
+        const document = await collection.findByID(context, id, {
+            depth,
+            perspective
+        });
+        if (!document) {
+            return json({ success: false, error: 'Document not found' }, { status: 404 });
         }
         return json({
             success: true,
@@ -47,6 +44,13 @@ export const GET = async ({ params, url, locals }) => {
     }
     catch (error) {
         console.error('Failed to fetch document:', error);
+        if (error instanceof PermissionError) {
+            return json({
+                success: false,
+                error: 'Forbidden',
+                message: error.message
+            }, { status: 403 });
+        }
         return json({
             success: false,
             error: 'Failed to fetch document',
@@ -57,34 +61,33 @@ export const GET = async ({ params, url, locals }) => {
 // PUT /api/documents/[id] - Update document
 export const PUT = async ({ params, request, locals }) => {
     try {
-        const { databaseAdapter } = locals.aphexCMS;
-        const auth = locals.auth;
+        const { localAPI, databaseAdapter } = locals.aphexCMS;
+        const context = authToContext(locals.auth);
         const { id } = params;
         const body = await request.json();
-        if (!auth) {
-            return json({ success: false, error: 'Unauthorized' }, { status: 401 });
-        }
-        // Check write permissions (viewers are read-only)
-        if (!canWrite(auth)) {
-            return json({
-                success: false,
-                error: 'Forbidden',
-                message: 'You do not have permission to update documents. Viewers have read-only access.'
-            }, { status: 403 });
-        }
-        const documentData = body.draftData;
         if (!id) {
             return json({ success: false, error: 'Document ID is required' }, { status: 400 });
         }
-        let updatedDocument;
-        // NO VALIDATION FOR DRAFTS - Sanity-style: drafts can have any state
-        // Validation only happens on publish
-        if (auth.type == 'session') {
-            updatedDocument = await databaseAdapter.updateDocDraft(auth.organizationId, id, documentData, auth.user.id);
+        const documentData = body.draftData || body.data;
+        const shouldPublish = body.publish || false;
+        // Fetch document to get its type
+        const rawDoc = await databaseAdapter.findByDocId(context.organizationId, id, 0);
+        if (!rawDoc) {
+            return json({ success: false, error: 'Document not found' }, { status: 404 });
         }
-        else {
-            updatedDocument = await databaseAdapter.updateDocDraft(auth.organizationId, id, documentData, auth.keyId);
+        // Get collection API (TypeScript-safe)
+        const collection = localAPI.collections[rawDoc.type];
+        if (!collection) {
+            return json({
+                success: false,
+                error: 'Invalid document type',
+                message: `Collection '${rawDoc.type}' not found`
+            }, { status: 400 });
         }
+        // Update via LocalAPI (permission checks happen inside)
+        const updatedDocument = await collection.update(context, id, documentData, {
+            publish: shouldPublish
+        });
         if (!updatedDocument) {
             return json({ success: false, error: 'Document not found' }, { status: 404 });
         }
@@ -95,6 +98,13 @@ export const PUT = async ({ params, request, locals }) => {
     }
     catch (error) {
         console.error('Failed to update document:', error);
+        if (error instanceof PermissionError) {
+            return json({
+                success: false,
+                error: 'Forbidden',
+                message: error.message
+            }, { status: 403 });
+        }
         return json({
             success: false,
             error: 'Failed to update document',
@@ -105,24 +115,28 @@ export const PUT = async ({ params, request, locals }) => {
 // DELETE /api/documents/[id] - Delete document
 export const DELETE = async ({ params, locals }) => {
     try {
-        const { databaseAdapter } = locals.aphexCMS;
-        const auth = locals.auth;
+        const { localAPI, databaseAdapter } = locals.aphexCMS;
+        const context = authToContext(locals.auth);
         const { id } = params;
-        if (!auth) {
-            return json({ success: false, error: 'Unauthorized' }, { status: 401 });
+        if (!id) {
+            return json({ success: false, error: 'Document ID is required' }, { status: 400 });
+        }
+        // Fetch document to get its type
+        const rawDoc = await databaseAdapter.findByDocId(context.organizationId, id, 0);
+        if (!rawDoc) {
+            return json({ success: false, error: 'Document not found' }, { status: 404 });
         }
-        // Check write permissions (viewers are read-only)
-        if (!canWrite(auth)) {
+        // Get collection API (TypeScript-safe)
+        const collection = localAPI.collections[rawDoc.type];
+        if (!collection) {
             return json({
                 success: false,
-                error: 'Forbidden',
-                message: 'You do not have permission to delete documents. Viewers have read-only access.'
-            }, { status: 403 });
-        }
-        if (!id) {
-            return json({ success: false, error: 'Document ID is required' }, { status: 400 });
+                error: 'Invalid document type',
+                message: `Collection '${rawDoc.type}' not found`
+            }, { status: 400 });
         }
-        const success = await databaseAdapter.deleteDocById(auth.organizationId, id);
+        // Delete via LocalAPI (permission checks happen inside)
+        const success = await collection.delete(context, id);
         if (!success) {
             return json({ success: false, error: 'Document not found' }, { status: 404 });
         }
@@ -133,6 +147,13 @@ export const DELETE = async ({ params, locals }) => {
     }
     catch (error) {
         console.error('Failed to delete document:', error);
+        if (error instanceof PermissionError) {
+            return json({
+                success: false,
+                error: 'Forbidden',
+                message: error.message
+            }, { status: 403 });
+        }
         return json({
             success: false,
             error: 'Failed to delete document',

package/dist/routes/documents-publish.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"documents-publish.d.ts","sourceRoot":"","sources":["../../src/lib/routes/documents-publish.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,eAAe,CAAC;AAKpD,eAAO,MAAM,IAAI,EAAE,cAkIlB,CAAC;AAGF,eAAO,MAAM,MAAM,EAAE,cAsEpB,CAAC"}
+{"version":3,"file":"documents-publish.d.ts","sourceRoot":"","sources":["../../src/lib/routes/documents-publish.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,eAAe,CAAC;AAKpD,eAAO,MAAM,IAAI,EAAE,cAiGlB,CAAC;AAGF,eAAO,MAAM,MAAM,EAAE,cAqFpB,CAAC"}

package/dist/routes/documents-publish.js

@@ -1,28 +1,13 @@
 // Aphex CMS Document Publish API Handlers
 import { json } from '@sveltejs/kit';
-import { validateField } from '../field-validation/utils.js';
-import { canWrite } from '../types/auth.js';
+import { authToContext } from '../local-api/auth-helpers.js';
+import { PermissionError } from '../local-api/permissions.js';
 // POST /api/documents/[id]/publish - Publish document
 export const POST = async ({ params, locals }) => {
     try {
-        const { databaseAdapter, cmsEngine } = locals.aphexCMS;
-        const auth = locals.auth;
+        const { localAPI, databaseAdapter } = locals.aphexCMS;
+        const context = authToContext(locals.auth);
         const { id } = params;
-        if (!auth) {
-            return json({
-                success: false,
-                error: 'Unauthorized',
-                message: 'Authentication required'
-            }, { status: 401 });
-        }
-        // Check write permissions (viewers are read-only)
-        if (!canWrite(auth)) {
-            return json({
-                success: false,
-                error: 'Forbidden',
-                message: 'You do not have permission to publish documents. Viewers have read-only access.'
-            }, { status: 403 });
-        }
         if (!id) {
             return json({
                 success: false,
@@ -30,57 +15,31 @@ export const POST = async ({ params, locals }) => {
                 message: 'Document ID is required'
             }, { status: 400 });
         }
-        // Get document to validate
-        const document = await databaseAdapter.findByDocId(auth.organizationId, id);
-        if (!document || !document.draftData) {
+        // Fetch document to get its type
+        const rawDoc = await databaseAdapter.findByDocId(context.organizationId, id, 0);
+        if (!rawDoc) {
             return json({
                 success: false,
-                error: 'Document not found or cannot be published',
-                message: 'Document may not exist or may not have draft content'
+                error: 'Document not found',
+                message: 'Document may not exist'
             }, { status: 404 });
         }
-        // Get schema for validation (from config to preserve validation functions)
-        const schema = cmsEngine.getSchemaTypeByName(document.type);
-        if (!schema) {
+        // Get collection API (TypeScript-safe)
+        const collection = localAPI.collections[rawDoc.type];
+        if (!collection) {
             return json({
                 success: false,
                 error: 'Invalid document type',
-                message: `Schema type '${document.type}' not found`
-            }, { status: 400 });
-        }
-        // VALIDATE before publishing - block if errors exist
-        const validationErrors = [];
-        for (const field of schema.fields) {
-            const value = document.draftData[field.name];
-            const result = await validateField(field, value, document.draftData);
-            if (!result.isValid) {
-                const errorMessages = result.errors
-                    .filter((e) => e.level === 'error')
-                    .map((e) => e.message);
-                if (errorMessages.length > 0) {
-                    validationErrors.push({
-                        field: field.name,
-                        errors: errorMessages
-                    });
-                }
-            }
-        }
-        // Block publishing if validation errors exist
-        if (validationErrors.length > 0) {
-            return json({
-                success: false,
-                error: 'Cannot publish: validation errors',
-                message: 'Please fix all validation errors before publishing',
-                validationErrors
+                message: `Collection '${rawDoc.type}' not found`
             }, { status: 400 });
         }
-        // All validation passed - proceed with publish
-        const publishedDocument = await databaseAdapter.publishDoc(auth.organizationId, id);
+        // Publish via LocalAPI (permission checks and validation happen inside)
+        const publishedDocument = await collection.publish(context, id);
         if (!publishedDocument) {
             return json({
                 success: false,
                 error: 'Document not found or cannot be published',
-                message: 'Document may not exist or may not have draft content'
+                message: 'Document may not have draft content to publish'
             }, { status: 404 });
         }
         return json({
@@ -91,6 +50,21 @@ export const POST = async ({ params, locals }) => {
     }
     catch (error) {
         console.error('Failed to publish document:', error);
+        if (error instanceof PermissionError) {
+            return json({
+                success: false,
+                error: 'Forbidden',
+                message: error.message
+            }, { status: 403 });
+        }
+        // Validation errors from LocalAPI are regular errors with specific messages
+        if (error instanceof Error && error.message.includes('validation errors')) {
+            return json({
+                success: false,
+                error: 'Cannot publish: validation errors',
+                message: error.message
+            }, { status: 400 });
+        }
         return json({
             success: false,
             error: 'Failed to publish document',
@@ -101,32 +75,36 @@ export const POST = async ({ params, locals }) => {
 // DELETE /api/documents/[id]/publish - Unpublish document
 export const DELETE = async ({ params, locals }) => {
     try {
-        const { databaseAdapter } = locals.aphexCMS;
-        const auth = locals.auth;
+        const { localAPI, databaseAdapter } = locals.aphexCMS;
+        const context = authToContext(locals.auth);
         const { id } = params;
-        if (!auth) {
+        if (!id) {
             return json({
                 success: false,
-                error: 'Unauthorized',
-                message: 'Authentication required'
-            }, { status: 401 });
+                error: 'Missing document ID',
+                message: 'Document ID is required'
+            }, { status: 400 });
         }
-        // Check write permissions (viewers are read-only)
-        if (!canWrite(auth)) {
+        // Fetch document to get its type
+        const rawDoc = await databaseAdapter.findByDocId(context.organizationId, id, 0);
+        if (!rawDoc) {
             return json({
                 success: false,
-                error: 'Forbidden',
-                message: 'You do not have permission to unpublish documents. Viewers have read-only access.'
-            }, { status: 403 });
+                error: 'Document not found',
+                message: `No document found with ID: ${id}`
+            }, { status: 404 });
         }
-        if (!id) {
+        // Get collection API (TypeScript-safe)
+        const collection = localAPI.collections[rawDoc.type];
+        if (!collection) {
             return json({
                 success: false,
-                error: 'Missing document ID',
-                message: 'Document ID is required'
+                error: 'Invalid document type',
+                message: `Collection '${rawDoc.type}' not found`
             }, { status: 400 });
         }
-        const unpublishedDocument = await databaseAdapter.unpublishDoc(auth.organizationId, id);
+        // Unpublish via LocalAPI (permission checks happen inside)
+        const unpublishedDocument = await collection.unpublish(context, id);
         if (!unpublishedDocument) {
             return json({
                 success: false,
@@ -142,6 +120,13 @@ export const DELETE = async ({ params, locals }) => {
     }
     catch (error) {
         console.error('Failed to unpublish document:', error);
+        if (error instanceof PermissionError) {
+            return json({
+                success: false,
+                error: 'Forbidden',
+                message: error.message
+            }, { status: 403 });
+        }
         return json({
             success: false,
             error: 'Failed to unpublish document',