npm - @aphexcms/cms-core - Versions diffs - 0.1.7 → 0.1.9 - Mend

@aphexcms/cms-core 0.1.7 → 0.1.9

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (351) hide show

package/package.json +6 -4
package/src/lib/api/assets.ts +75 -0
package/src/lib/api/client.ts +150 -0
package/src/lib/api/documents.ts +102 -0
package/src/lib/api/index.ts +7 -0
package/src/lib/api/organizations.ts +154 -0
package/src/lib/api/types.ts +34 -0
package/src/lib/auth/auth-errors.ts +23 -0
package/src/lib/auth/auth-hooks.ts +132 -0
package/src/lib/auth/provider.ts +25 -0
package/{dist/client/index.js → src/lib/client/index.ts} +19 -8
package/{dist → src/lib}/components/AdminApp.svelte +4 -5
package/{dist → src/lib}/components/admin/DocumentEditor.svelte +7 -7
package/{dist → src/lib}/components/admin/SchemaField.svelte +1 -1
package/{dist → src/lib}/components/admin/fields/ArrayField.svelte +3 -3
package/{dist → src/lib}/components/admin/fields/BooleanField.svelte +1 -1
package/{dist → src/lib}/components/admin/fields/ImageField.svelte +40 -13
package/{dist → src/lib}/components/admin/fields/NumberField.svelte +1 -1
package/{dist → src/lib}/components/admin/fields/ReferenceField.svelte +2 -2
package/{dist → src/lib}/components/admin/fields/SlugField.svelte +2 -2
package/{dist → src/lib}/components/admin/fields/StringField.svelte +1 -1
package/{dist → src/lib}/components/admin/fields/TextareaField.svelte +1 -1
package/{dist/components/index.js → src/lib/components/index.ts} +5 -1
package/{dist → src/lib}/components/layout/OrganizationSwitcher.svelte +2 -2
package/{dist → src/lib}/components/layout/Sidebar.svelte +1 -1
package/{dist → src/lib}/components/layout/sidebar/AppSidebar.svelte +1 -1
package/{dist → src/lib}/components/layout/sidebar/NavUser.svelte +1 -1
package/src/lib/config.ts +18 -0
package/{dist/db/adapters/index.js → src/lib/db/adapters/index.ts} +0 -1
package/{dist/db/index.js → src/lib/db/index.ts} +2 -1
package/src/lib/db/interfaces/asset.ts +61 -0
package/src/lib/db/interfaces/document.ts +53 -0
package/src/lib/db/interfaces/index.ts +98 -0
package/src/lib/db/interfaces/organization.ts +51 -0
package/src/lib/db/interfaces/schema.ts +13 -0
package/src/lib/db/interfaces/user.ts +16 -0
package/src/lib/db/utils/reference-resolver.ts +119 -0
package/src/lib/define.ts +7 -0
package/{dist/email/index.js → src/lib/email/index.ts} +2 -1
package/src/lib/email/interfaces/email.ts +45 -0
package/src/lib/engine.ts +85 -0
package/src/lib/field-validation/rule.ts +287 -0
package/src/lib/field-validation/utils.ts +91 -0
package/src/lib/hooks.ts +142 -0
package/{dist/index.js → src/lib/index.ts} +2 -1
package/{dist/is-mobile.svelte.js → src/lib/is-mobile.svelte.ts} +5 -3
package/src/lib/routes/assets-by-id.ts +161 -0
package/src/lib/routes/assets-cdn.ts +185 -0
package/src/lib/routes/assets.ts +116 -0
package/src/lib/routes/documents-by-id.ts +188 -0
package/src/lib/routes/documents-publish.ts +211 -0
package/src/lib/routes/documents.ts +172 -0
package/src/lib/routes/index.ts +13 -0
package/src/lib/routes/organizations-by-id.ts +258 -0
package/src/lib/routes/organizations-invitations.ts +183 -0
package/src/lib/routes/organizations-members.ts +301 -0
package/src/lib/routes/organizations-switch.ts +74 -0
package/src/lib/routes/organizations.ts +147 -0
package/src/lib/routes/schemas-by-type.ts +35 -0
package/src/lib/routes/schemas.ts +19 -0
package/src/lib/routes-exports.ts +42 -0
package/src/lib/schema-context.svelte.ts +24 -0
package/src/lib/schema-utils/cleanup.ts +116 -0
package/src/lib/schema-utils/index.ts +4 -0
package/src/lib/schema-utils/utils.ts +47 -0
package/src/lib/schema-utils/validator.ts +58 -0
package/src/lib/server/index.ts +40 -0
package/src/lib/services/asset-service.ts +256 -0
package/src/lib/services/index.ts +6 -0
package/src/lib/storage/adapters/index.ts +2 -0
package/src/lib/storage/adapters/local-storage-adapter.ts +215 -0
package/{dist/storage/index.js → src/lib/storage/index.ts} +4 -2
package/src/lib/storage/interfaces/index.ts +2 -0
package/src/lib/storage/interfaces/storage.ts +114 -0
package/src/lib/storage/providers/storage.ts +83 -0
package/src/lib/types/asset.ts +81 -0
package/src/lib/types/auth.ts +80 -0
package/src/lib/types/config.ts +45 -0
package/src/lib/types/document.ts +38 -0
package/src/lib/types/index.ts +8 -0
package/src/lib/types/organization.ts +119 -0
package/src/lib/types/schemas.ts +151 -0
package/src/lib/types/sidebar.ts +37 -0
package/src/lib/types/user.ts +17 -0
package/src/lib/utils/content-hash.ts +75 -0
package/src/lib/utils/image-url.ts +204 -0
package/src/lib/utils/index.ts +12 -0
package/src/lib/utils/slug.ts +33 -0
package/src/lib/utils.ts +13 -0
package/dist/api/assets.d.ts +0 -48
package/dist/api/assets.d.ts.map +0 -1
package/dist/api/assets.js +0 -52
package/dist/api/client.d.ts +0 -37
package/dist/api/client.d.ts.map +0 -1
package/dist/api/client.js +0 -125
package/dist/api/documents.d.ts +0 -56
package/dist/api/documents.d.ts.map +0 -1
package/dist/api/documents.js +0 -77
package/dist/api/index.d.ts +0 -7
package/dist/api/index.d.ts.map +0 -1
package/dist/api/index.js +0 -5
package/dist/api/organizations.d.ts +0 -101
package/dist/api/organizations.d.ts.map +0 -1
package/dist/api/organizations.js +0 -92
package/dist/api/types.d.ts +0 -23
package/dist/api/types.d.ts.map +0 -1
package/dist/api/types.js +0 -1
package/dist/auth/auth-errors.d.ts +0 -7
package/dist/auth/auth-errors.d.ts.map +0 -1
package/dist/auth/auth-errors.js +0 -13
package/dist/auth/auth-hooks.d.ts +0 -6
package/dist/auth/auth-hooks.d.ts.map +0 -1
package/dist/auth/auth-hooks.js +0 -108
package/dist/auth/provider.d.ts +0 -17
package/dist/auth/provider.d.ts.map +0 -1
package/dist/auth/provider.js +0 -1
package/dist/client/index.d.ts +0 -24
package/dist/client/index.d.ts.map +0 -1
package/dist/components/AdminApp.svelte.d.ts +0 -24
package/dist/components/AdminApp.svelte.d.ts.map +0 -1
package/dist/components/admin/AdminLayout.svelte.d.ts +0 -15
package/dist/components/admin/AdminLayout.svelte.d.ts.map +0 -1
package/dist/components/admin/DocumentEditor.svelte.d.ts +0 -18
package/dist/components/admin/DocumentEditor.svelte.d.ts.map +0 -1
package/dist/components/admin/DocumentTypesList.svelte.d.ts +0 -14
package/dist/components/admin/DocumentTypesList.svelte.d.ts.map +0 -1
package/dist/components/admin/ObjectModal.svelte.d.ts +0 -15
package/dist/components/admin/ObjectModal.svelte.d.ts.map +0 -1
package/dist/components/admin/SchemaField.svelte.d.ts +0 -19
package/dist/components/admin/SchemaField.svelte.d.ts.map +0 -1
package/dist/components/admin/fields/ArrayField.svelte.d.ts +0 -12
package/dist/components/admin/fields/ArrayField.svelte.d.ts.map +0 -1
package/dist/components/admin/fields/BooleanField.svelte.d.ts +0 -13
package/dist/components/admin/fields/BooleanField.svelte.d.ts.map +0 -1
package/dist/components/admin/fields/ImageField.svelte.d.ts +0 -15
package/dist/components/admin/fields/ImageField.svelte.d.ts.map +0 -1
package/dist/components/admin/fields/NumberField.svelte.d.ts +0 -14
package/dist/components/admin/fields/NumberField.svelte.d.ts.map +0 -1
package/dist/components/admin/fields/ReferenceField.svelte.d.ts +0 -12
package/dist/components/admin/fields/ReferenceField.svelte.d.ts.map +0 -1
package/dist/components/admin/fields/SlugField.svelte.d.ts +0 -15
package/dist/components/admin/fields/SlugField.svelte.d.ts.map +0 -1
package/dist/components/admin/fields/StringField.svelte.d.ts +0 -14
package/dist/components/admin/fields/StringField.svelte.d.ts.map +0 -1
package/dist/components/admin/fields/TextareaField.svelte.d.ts +0 -14
package/dist/components/admin/fields/TextareaField.svelte.d.ts.map +0 -1
package/dist/components/fields/index.d.ts +0 -9
package/dist/components/fields/index.d.ts.map +0 -1
package/dist/components/index.d.ts +0 -7
package/dist/components/index.d.ts.map +0 -1
package/dist/components/layout/OrganizationSwitcher.svelte.d.ts +0 -11
package/dist/components/layout/OrganizationSwitcher.svelte.d.ts.map +0 -1
package/dist/components/layout/Sidebar.svelte.d.ts +0 -14
package/dist/components/layout/Sidebar.svelte.d.ts.map +0 -1
package/dist/components/layout/sidebar/AppSidebar.svelte.d.ts +0 -11
package/dist/components/layout/sidebar/AppSidebar.svelte.d.ts.map +0 -1
package/dist/components/layout/sidebar/NavMain.svelte.d.ts +0 -19
package/dist/components/layout/sidebar/NavMain.svelte.d.ts.map +0 -1
package/dist/components/layout/sidebar/NavSecondary.svelte.d.ts +0 -9
package/dist/components/layout/sidebar/NavSecondary.svelte.d.ts.map +0 -1
package/dist/components/layout/sidebar/NavUser.svelte.d.ts +0 -9
package/dist/components/layout/sidebar/NavUser.svelte.d.ts.map +0 -1
package/dist/config.d.ts +0 -3
package/dist/config.d.ts.map +0 -1
package/dist/config.js +0 -15
package/dist/db/adapters/index.d.ts +0 -1
package/dist/db/adapters/index.d.ts.map +0 -1
package/dist/db/index.d.ts +0 -2
package/dist/db/index.d.ts.map +0 -1
package/dist/db/interfaces/asset.d.ts +0 -51
package/dist/db/interfaces/asset.d.ts.map +0 -1
package/dist/db/interfaces/asset.js +0 -1
package/dist/db/interfaces/document.d.ts +0 -36
package/dist/db/interfaces/document.d.ts.map +0 -1
package/dist/db/interfaces/document.js +0 -1
package/dist/db/interfaces/index.d.ts +0 -73
package/dist/db/interfaces/index.d.ts.map +0 -1
package/dist/db/interfaces/index.js +0 -1
package/dist/db/interfaces/organization.d.ts +0 -27
package/dist/db/interfaces/organization.d.ts.map +0 -1
package/dist/db/interfaces/organization.js +0 -1
package/dist/db/interfaces/schema.d.ts +0 -21
package/dist/db/interfaces/schema.d.ts.map +0 -1
package/dist/db/interfaces/schema.js +0 -1
package/dist/db/interfaces/user.d.ts +0 -15
package/dist/db/interfaces/user.d.ts.map +0 -1
package/dist/db/interfaces/user.js +0 -1
package/dist/db/utils/reference-resolver.d.ts +0 -18
package/dist/db/utils/reference-resolver.d.ts.map +0 -1
package/dist/db/utils/reference-resolver.js +0 -80
package/dist/define.d.ts +0 -3
package/dist/define.d.ts.map +0 -1
package/dist/define.js +0 -4
package/dist/email/index.d.ts +0 -2
package/dist/email/index.d.ts.map +0 -1
package/dist/email/interfaces/email.d.ts +0 -42
package/dist/email/interfaces/email.d.ts.map +0 -1
package/dist/email/interfaces/email.js +0 -1
package/dist/engine.d.ts +0 -26
package/dist/engine.d.ts.map +0 -1
package/dist/engine.js +0 -66
package/dist/field-validation/rule.d.ts +0 -51
package/dist/field-validation/rule.d.ts.map +0 -1
package/dist/field-validation/rule.js +0 -221
package/dist/field-validation/utils.d.ts +0 -21
package/dist/field-validation/utils.d.ts.map +0 -1
package/dist/field-validation/utils.js +0 -66
package/dist/hooks.d.ts +0 -23
package/dist/hooks.d.ts.map +0 -1
package/dist/hooks.js +0 -96
package/dist/index.d.ts +0 -2
package/dist/index.d.ts.map +0 -1
package/dist/is-mobile.svelte.d.ts +0 -5
package/dist/is-mobile.svelte.d.ts.map +0 -1
package/dist/routes/assets-by-id.d.ts +0 -5
package/dist/routes/assets-by-id.d.ts.map +0 -1
package/dist/routes/assets-by-id.js +0 -138
package/dist/routes/assets-cdn.d.ts +0 -3
package/dist/routes/assets-cdn.d.ts.map +0 -1
package/dist/routes/assets-cdn.js +0 -155
package/dist/routes/assets.d.ts +0 -4
package/dist/routes/assets.d.ts.map +0 -1
package/dist/routes/assets.js +0 -94
package/dist/routes/documents-by-id.d.ts +0 -5
package/dist/routes/documents-by-id.d.ts.map +0 -1
package/dist/routes/documents-by-id.js +0 -142
package/dist/routes/documents-publish.d.ts +0 -4
package/dist/routes/documents-publish.d.ts.map +0 -1
package/dist/routes/documents-publish.js +0 -151
package/dist/routes/documents.d.ts +0 -4
package/dist/routes/documents.d.ts.map +0 -1
package/dist/routes/documents.js +0 -131
package/dist/routes/index.d.ts +0 -6
package/dist/routes/index.d.ts.map +0 -1
package/dist/routes/index.js +0 -10
package/dist/routes/organizations-by-id.d.ts +0 -5
package/dist/routes/organizations-by-id.d.ts.map +0 -1
package/dist/routes/organizations-by-id.js +0 -187
package/dist/routes/organizations-invitations.d.ts +0 -4
package/dist/routes/organizations-invitations.d.ts.map +0 -1
package/dist/routes/organizations-invitations.js +0 -125
package/dist/routes/organizations-members.d.ts +0 -5
package/dist/routes/organizations-members.d.ts.map +0 -1
package/dist/routes/organizations-members.js +0 -206
package/dist/routes/organizations-switch.d.ts +0 -3
package/dist/routes/organizations-switch.d.ts.map +0 -1
package/dist/routes/organizations-switch.js +0 -53
package/dist/routes/organizations.d.ts +0 -4
package/dist/routes/organizations.d.ts.map +0 -1
package/dist/routes/organizations.js +0 -108
package/dist/routes/schemas-by-type.d.ts +0 -3
package/dist/routes/schemas-by-type.d.ts.map +0 -1
package/dist/routes/schemas-by-type.js +0 -25
package/dist/routes/schemas.d.ts +0 -3
package/dist/routes/schemas.d.ts.map +0 -1
package/dist/routes/schemas.js +0 -11
package/dist/routes-exports.d.ts +0 -14
package/dist/routes-exports.d.ts.map +0 -1
package/dist/routes-exports.js +0 -19
package/dist/schema-context.svelte.d.ts +0 -10
package/dist/schema-context.svelte.d.ts.map +0 -1
package/dist/schema-context.svelte.js +0 -18
package/dist/schema-utils/cleanup.d.ts +0 -21
package/dist/schema-utils/cleanup.d.ts.map +0 -1
package/dist/schema-utils/cleanup.js +0 -80
package/dist/schema-utils/index.d.ts +0 -4
package/dist/schema-utils/index.d.ts.map +0 -1
package/dist/schema-utils/index.js +0 -4
package/dist/schema-utils/utils.d.ts +0 -30
package/dist/schema-utils/utils.d.ts.map +0 -1
package/dist/schema-utils/utils.js +0 -37
package/dist/schema-utils/validator.d.ts +0 -6
package/dist/schema-utils/validator.d.ts.map +0 -1
package/dist/schema-utils/validator.js +0 -45
package/dist/server/index.d.ts +0 -16
package/dist/server/index.d.ts.map +0 -1
package/dist/server/index.js +0 -28
package/dist/services/asset-service.d.ts +0 -86
package/dist/services/asset-service.d.ts.map +0 -1
package/dist/services/asset-service.js +0 -187
package/dist/services/index.d.ts +0 -3
package/dist/services/index.d.ts.map +0 -1
package/dist/services/index.js +0 -4
package/dist/storage/adapters/index.d.ts +0 -2
package/dist/storage/adapters/index.d.ts.map +0 -1
package/dist/storage/adapters/index.js +0 -2
package/dist/storage/adapters/local-storage-adapter.d.ts +0 -54
package/dist/storage/adapters/local-storage-adapter.d.ts.map +0 -1
package/dist/storage/adapters/local-storage-adapter.js +0 -187
package/dist/storage/index.d.ts +0 -3
package/dist/storage/index.d.ts.map +0 -1
package/dist/storage/interfaces/index.d.ts +0 -2
package/dist/storage/interfaces/index.d.ts.map +0 -1
package/dist/storage/interfaces/index.js +0 -2
package/dist/storage/interfaces/storage.d.ts +0 -91
package/dist/storage/interfaces/storage.d.ts.map +0 -1
package/dist/storage/interfaces/storage.js +0 -1
package/dist/storage/providers/storage.d.ts +0 -43
package/dist/storage/providers/storage.d.ts.map +0 -1
package/dist/storage/providers/storage.js +0 -64
package/dist/types/asset.d.ts +0 -73
package/dist/types/asset.d.ts.map +0 -1
package/dist/types/asset.js +0 -2
package/dist/types/auth.d.ts +0 -50
package/dist/types/auth.d.ts.map +0 -1
package/dist/types/auth.js +0 -41
package/dist/types/config.d.ts +0 -47
package/dist/types/config.d.ts.map +0 -1
package/dist/types/config.js +0 -1
package/dist/types/document.d.ts +0 -34
package/dist/types/document.d.ts.map +0 -1
package/dist/types/document.js +0 -1
package/dist/types/index.d.ts +0 -9
package/dist/types/index.d.ts.map +0 -1
package/dist/types/index.js +0 -8
package/dist/types/organization.d.ts +0 -105
package/dist/types/organization.d.ts.map +0 -1
package/dist/types/organization.js +0 -3
package/dist/types/schemas.d.ts +0 -114
package/dist/types/schemas.d.ts.map +0 -1
package/dist/types/schemas.js +0 -1
package/dist/types/sidebar.d.ts +0 -33
package/dist/types/sidebar.d.ts.map +0 -1
package/dist/types/sidebar.js +0 -1
package/dist/types/user.d.ts +0 -14
package/dist/types/user.d.ts.map +0 -1
package/dist/types/user.js +0 -1
package/dist/utils/content-hash.d.ts +0 -22
package/dist/utils/content-hash.d.ts.map +0 -1
package/dist/utils/content-hash.js +0 -67
package/dist/utils/image-url.d.ts +0 -88
package/dist/utils/image-url.d.ts.map +0 -1
package/dist/utils/image-url.js +0 -165
package/dist/utils/index.d.ts +0 -6
package/dist/utils/index.d.ts.map +0 -1
package/dist/utils/index.js +0 -9
package/dist/utils/slug.d.ts +0 -13
package/dist/utils/slug.d.ts.map +0 -1
package/dist/utils/slug.js +0 -30
package/dist/utils.d.ts +0 -13
package/dist/utils.d.ts.map +0 -1
package/dist/utils.js +0 -5
/package/{dist → src/lib}/app.d.ts +0 -0
/package/{dist → src/lib}/auth/MULTI_TENANCY_PLAN.md +0 -0
/package/{dist → src/lib}/components/admin/AdminLayout.svelte +0 -0
/package/{dist → src/lib}/components/admin/DocumentTypesList.svelte +0 -0
/package/{dist → src/lib}/components/admin/ObjectModal.svelte +0 -0
/package/{dist/components/fields/index.js → src/lib/components/fields/index.ts} +0 -0
/package/{dist → src/lib}/components/layout/sidebar/NavMain.svelte +0 -0
/package/{dist → src/lib}/components/layout/sidebar/NavSecondary.svelte +0 -0
/package/{dist → src/lib}/plugins/README.md +0 -0

package/src/lib/routes/assets-cdn.ts ADDED Viewed

@@ -0,0 +1,185 @@
+import type { RequestHandler } from '@sveltejs/kit';
+export const GET: RequestHandler = async ({ params, locals, setHeaders, request }) => {
+	console.log('[Asset CDN] ========== ROUTE HIT ==========');
+	console.log('[Asset CDN] Params:', params);
+	try {
+		const { assetService, databaseAdapter, storageAdapter, cmsEngine, config } = locals.aphexCMS;
+		let auth = locals.auth;
+		const { id, filename } = params;
+		console.log('[Asset CDN] Request for asset:', id, filename);
+		console.log('[Asset CDN] Has auth?', !!auth);
+		// If no session auth, check for API key in headers
+		if (!auth) {
+			const apiKey = request.headers.get('x-api-key');
+			console.log('[Asset CDN] API key present?', !!apiKey);
+			if (apiKey && config.auth?.provider) {
+				try {
+					const apiKeyAuth = await config.auth.provider.validateApiKey(request, databaseAdapter);
+					if (apiKeyAuth) {
+						auth = apiKeyAuth;
+						console.log('[Asset CDN] Authenticated via API key, org:', apiKeyAuth.organizationId);
+					}
+				} catch (err) {
+					console.warn('[Asset CDN] API key validation failed:', err);
+				}
+			}
+		}
+		console.log('[Asset CDN] Auth type:', auth?.type);
+		if (!id) {
+			return new Response('Asset ID is required', { status: 400 });
+		}
+		// Try to fetch asset globally first (bypasses RLS for public assets)
+		const asset = await assetService.findAssetByIdGlobal(id);
+		console.log('[Asset CDN] Asset found globally?', !!asset);
+		if (!asset) {
+			console.warn('[Asset CDN] Asset not found:', id);
+			return new Response('Asset not found', { status: 404 });
+		}
+		const organizationId = auth?.organizationId;
+		console.log('[Asset CDN] Auth object:', JSON.stringify(auth, null, 2));
+		console.log('[Asset CDN] Auth organizationId:', organizationId);
+		console.log('[Asset CDN] Asset organizationId:', asset.organizationId);
+		// Check if this asset is used in a private field
+		// The field metadata (schemaType and fieldPath) is stored when the asset is uploaded
+		let isPrivate = false;
+		const schemaType = asset.metadata?.schemaType;
+		const fieldPath = asset.metadata?.fieldPath;
+		if (schemaType && fieldPath) {
+			// Get the schema definition from IN-MEMORY config (always up-to-date with code changes)
+			const schema = cmsEngine.getSchemaTypeByName(schemaType);
+			console.log(`[Asset CDN] Schema lookup for ${schemaType}:`, {
+				found: !!schema,
+				fieldCount: schema?.fields?.length
+			});
+			if (schema && schema.fields) {
+				// Navigate the field path to find the field definition
+				const findField = (fields: any[], path: string): any => {
+					const parts = path.split('.');
+					let current: any = null;
+					for (let i = 0; i < parts.length; i++) {
+						const part = parts[i];
+						current = fields.find((f) => f.name === part);
+						if (!current) return null;
+						// If not the last part, navigate into nested fields
+						if (i < parts.length - 1) {
+							if (current.type === 'object' && current.fields) {
+								fields = current.fields;
+							} else {
+								return null;
+							}
+						}
+					}
+					return current;
+				};
+				const field = findField(schema.fields, fieldPath);
+				console.log(`[Asset CDN] Field lookup for ${fieldPath}:`, {
+					found: !!field,
+					type: field?.type,
+					private: field?.private
+				});
+				if (field && field.type === 'image') {
+					isPrivate = field.private === true;
+					console.log(
+						`[Asset CDN] Field check: ${schemaType}.${fieldPath} - private: ${isPrivate}`
+					);
+				} else {
+					console.warn(`[Asset CDN] Could not find field: ${schemaType}.${fieldPath}`);
+				}
+			}
+		} else {
+			console.log('[Asset CDN] No field metadata - treating as public');
+		}
+		console.log('[Asset CDN] Asset privacy result:', { isPrivate, schemaType, fieldPath });
+		// If asset is private, require auth
+		if (isPrivate && !organizationId) {
+			console.warn('[Asset CDN] Private asset accessed without auth - DENIED');
+			return new Response('Unauthorized - This asset is private', { status: 401 });
+		}
+		// If asset is private, verify org matches
+		if (isPrivate && organizationId && organizationId !== asset.organizationId) {
+			console.warn('[Asset CDN] Org mismatch for private asset - FORBIDDEN');
+			return new Response('Forbidden', { status: 403 });
+		}
+		// Log the decision
+		if (isPrivate && organizationId) {
+			console.log('[Asset CDN] Private asset access ALLOWED - user has auth and org matches');
+		} else if (!isPrivate) {
+			console.log('[Asset CDN] Public asset access ALLOWED');
+		}
+		console.log('[Asset CDN] Asset found:', {
+			id: asset.id,
+			path: asset.path,
+			mimeType: asset.mimeType,
+			storageAdapter: asset.storageAdapter
+		});
+		// If asset has a direct URL (S3/R2), redirect to it
+		if (asset.url && asset.url.startsWith('http')) {
+			console.log('[Asset CDN] Redirecting to external URL:', asset.url);
+			return new Response(null, {
+				status: 302,
+				headers: { Location: asset.url }
+			});
+		}
+		// Otherwise, serve from local storage
+		if (!storageAdapter?.getObject) {
+			console.error('[Asset CDN] Storage adapter does not support getObject');
+			return new Response('Storage adapter does not support file serving', { status: 500 });
+		}
+		console.log('[Asset CDN] Reading file from storage:', asset.path);
+		const fileBuffer = await storageAdapter.getObject(asset.path);
+		console.log('[Asset CDN] Serving file:', {
+			size: fileBuffer.length,
+			mimeType: asset.mimeType
+		});
+		// Set appropriate headers for the asset
+		setHeaders({
+			'Content-Type': asset.mimeType || 'application/octet-stream',
+			'Content-Length': fileBuffer.length.toString(),
+			'Cache-Control': 'public, max-age=31536000, immutable', // Cache for 1 year
+			'Content-Disposition': `inline; filename="${encodeURIComponent(asset.originalFilename || asset.filename)}"`,
+			...(asset.mimeType?.startsWith('image/') && {
+				'Accept-Ranges': 'bytes'
+			})
+		});
+		// Convert Buffer to ArrayBuffer for Response
+		const arrayBuffer = fileBuffer.buffer.slice(
+			fileBuffer.byteOffset,
+			fileBuffer.byteOffset + fileBuffer.byteLength
+		) as ArrayBuffer;
+		return new Response(arrayBuffer);
+	} catch (error) {
+		console.error('[Asset CDN] Error serving asset:', error);
+		return new Response('Failed to serve asset', { status: 500 });
+	}
+};

package/src/lib/routes/assets.ts ADDED Viewed

@@ -0,0 +1,116 @@
+// Aphex CMS Asset API Handlers
+import { json } from '@sveltejs/kit';
+import type { RequestHandler } from '@sveltejs/kit';
+export const POST: RequestHandler = async ({ request, locals }) => {
+	try {
+		const { assetService } = locals.aphexCMS;
+		const auth = locals.auth;
+		if (!auth) {
+			return json({ success: false, error: 'Unauthorized' }, { status: 401 });
+		}
+		const formData = await request.formData();
+		const file = formData.get('file') as File;
+		if (!file) {
+			return json({ success: false, error: 'No file provided' }, { status: 400 });
+		}
+		// Convert file to buffer
+		const arrayBuffer = await file.arrayBuffer();
+		const buffer = Buffer.from(arrayBuffer);
+		// Get optional metadata from form data
+		const title = (formData.get('title') as string) || undefined;
+		const description = (formData.get('description') as string) || undefined;
+		const alt = (formData.get('alt') as string) || undefined;
+		const creditLine = (formData.get('creditLine') as string) || undefined;
+		// Get field metadata for privacy checking
+		const schemaType = (formData.get('schemaType') as string) || undefined;
+		const fieldPath = (formData.get('fieldPath') as string) || undefined;
+		// Create asset upload data
+		const uploadData = {
+			buffer,
+			originalFilename: file.name,
+			mimeType: file.type,
+			size: file.size,
+			title,
+			description,
+			alt,
+			creditLine,
+			createdBy: auth.type === 'session' ? auth.user.id : undefined,
+			metadata: {
+				schemaType,
+				fieldPath
+			}
+		};
+		// Upload asset using the service
+		const asset = await assetService.uploadAsset(auth.organizationId, uploadData);
+		return json({
+			success: true,
+			data: asset
+		});
+	} catch (error) {
+		console.error('Asset upload failed:', error);
+		return json(
+			{
+				success: false,
+				error: 'Asset upload failed',
+				message: error instanceof Error ? error.message : 'Unknown error'
+			},
+			{ status: 500 }
+		);
+	}
+};
+export const GET: RequestHandler = async ({ url, locals }) => {
+	try {
+		const { assetService } = locals.aphexCMS;
+		const auth = locals.auth;
+		if (!auth) {
+			return json({ success: false, error: 'Unauthorized' }, { status: 401 });
+		}
+		// Parse query parameters
+		const assetType = url.searchParams.get('assetType') as 'image' | 'file' | undefined;
+		const mimeType = url.searchParams.get('mimeType') || undefined;
+		const search = url.searchParams.get('search') || undefined;
+		const limitParam = url.searchParams.get('limit');
+		const offsetParam = url.searchParams.get('offset');
+		const limit = limitParam ? parseInt(limitParam) : 20;
+		const offset = offsetParam ? parseInt(offsetParam) : 0;
+		const filters = {
+			assetType,
+			mimeType,
+			search,
+			limit: isNaN(limit) ? 20 : limit,
+			offset: isNaN(offset) ? 0 : offset
+		};
+		const assets = await assetService.findAssets(auth.organizationId, filters);
+		return json({
+			success: true,
+			data: assets
+		});
+	} catch (error) {
+		console.error('Failed to fetch assets:', error);
+		return json(
+			{
+				success: false,
+				error: 'Failed to fetch assets',
+				message: error instanceof Error ? error.message : 'Unknown error'
+			},
+			{ status: 500 }
+		);
+	}
+};

package/src/lib/routes/documents-by-id.ts ADDED Viewed

@@ -0,0 +1,188 @@
+// Aphex CMS Document by ID API Handlers
+import { json } from '@sveltejs/kit';
+import type { RequestHandler } from '@sveltejs/kit';
+import type { Document } from '../types/document';
+import { canWrite } from '../types/auth';
+// GET /api/documents/[id] - Get document by ID
+export const GET: RequestHandler = async ({ params, url, locals }) => {
+	try {
+		const { databaseAdapter, auth: authProvider } = locals.aphexCMS;
+		const auth = locals.auth;
+		const { id } = params;
+		if (!auth) {
+			return json({ success: false, error: 'Unauthorized' }, { status: 401 });
+		}
+		if (!id) {
+			return json({ success: false, error: 'Document ID is required' }, { status: 400 });
+		}
+		// Parse depth parameter
+		const depthParam = url.searchParams.get('depth');
+		const depth = depthParam ? parseInt(depthParam) : 0;
+		const clampedDepth = isNaN(depth) ? 0 : Math.max(0, Math.min(depth, 5)); // Clamp between 0-5
+		const document = await databaseAdapter.findByDocId(auth.organizationId, id, clampedDepth);
+		if (!document) {
+			return json({ success: false, error: 'Document not found' }, { status: 404 });
+		}
+		// Populate createdBy user info if available
+		if (document.createdBy && authProvider) {
+			try {
+				if (typeof document.createdBy === 'string') {
+					const user = await authProvider.getUserById(document.createdBy);
+					if (user) {
+						document.createdBy = {
+							id: user.id,
+							name: user.name,
+							email: user.email
+						};
+					}
+				}
+			} catch (err) {
+				// If user fetch fails, keep the user ID
+				console.warn('[documents-by-id] Failed to populate createdBy user:', err);
+			}
+		}
+		return json({
+			success: true,
+			data: document
+		});
+	} catch (error) {
+		console.error('Failed to fetch document:', error);
+		return json(
+			{
+				success: false,
+				error: 'Failed to fetch document',
+				message: error instanceof Error ? error.message : 'Unknown error'
+			},
+			{ status: 500 }
+		);
+	}
+};
+// PUT /api/documents/[id] - Update document
+export const PUT: RequestHandler = async ({ params, request, locals }) => {
+	try {
+		const { databaseAdapter } = locals.aphexCMS;
+		const auth = locals.auth;
+		const { id } = params;
+		const body = await request.json();
+		if (!auth) {
+			return json({ success: false, error: 'Unauthorized' }, { status: 401 });
+		}
+		// Check write permissions (viewers are read-only)
+		if (!canWrite(auth)) {
+			return json(
+				{
+					success: false,
+					error: 'Forbidden',
+					message: 'You do not have permission to update documents. Viewers have read-only access.'
+				},
+				{ status: 403 }
+			);
+		}
+		const documentData = body.draftData;
+		if (!id) {
+			return json({ success: false, error: 'Document ID is required' }, { status: 400 });
+		}
+		let updatedDocument: Document | null;
+		// NO VALIDATION FOR DRAFTS - Sanity-style: drafts can have any state
+		// Validation only happens on publish
+		if (auth.type == 'session') {
+			updatedDocument = await databaseAdapter.updateDocDraft(
+				auth.organizationId,
+				id,
+				documentData,
+				auth.user.id
+			);
+		} else {
+			updatedDocument = await databaseAdapter.updateDocDraft(
+				auth.organizationId,
+				id,
+				documentData,
+				auth.keyId
+			);
+		}
+		if (!updatedDocument) {
+			return json({ success: false, error: 'Document not found' }, { status: 404 });
+		}
+		return json({
+			success: true,
+			data: updatedDocument
+		});
+	} catch (error) {
+		console.error('Failed to update document:', error);
+		return json(
+			{
+				success: false,
+				error: 'Failed to update document',
+				message: error instanceof Error ? error.message : 'Unknown error'
+			},
+			{ status: 500 }
+		);
+	}
+};
+// DELETE /api/documents/[id] - Delete document
+export const DELETE: RequestHandler = async ({ params, locals }) => {
+	try {
+		const { databaseAdapter } = locals.aphexCMS;
+		const auth = locals.auth;
+		const { id } = params;
+		if (!auth) {
+			return json({ success: false, error: 'Unauthorized' }, { status: 401 });
+		}
+		// Check write permissions (viewers are read-only)
+		if (!canWrite(auth)) {
+			return json(
+				{
+					success: false,
+					error: 'Forbidden',
+					message: 'You do not have permission to delete documents. Viewers have read-only access.'
+				},
+				{ status: 403 }
+			);
+		}
+		if (!id) {
+			return json({ success: false, error: 'Document ID is required' }, { status: 400 });
+		}
+		const success = await databaseAdapter.deleteDocById(auth.organizationId, id);
+		if (!success) {
+			return json({ success: false, error: 'Document not found' }, { status: 404 });
+		}
+		return json({
+			success: true,
+			message: 'Document deleted successfully'
+		});
+	} catch (error) {
+		console.error('Failed to delete document:', error);
+		return json(
+			{
+				success: false,
+				error: 'Failed to delete document',
+				message: error instanceof Error ? error.message : 'Unknown error'
+			},
+			{ status: 500 }
+		);
+	}
+};

package/src/lib/routes/documents-publish.ts ADDED Viewed

@@ -0,0 +1,211 @@
+// Aphex CMS Document Publish API Handlers
+import { json } from '@sveltejs/kit';
+import type { RequestHandler } from '@sveltejs/kit';
+import { validateField } from '../field-validation/utils';
+import { canWrite } from '../types/auth';
+// POST /api/documents/[id]/publish - Publish document
+export const POST: RequestHandler = async ({ params, locals }) => {
+	try {
+		const { databaseAdapter, cmsEngine } = locals.aphexCMS;
+		const auth = locals.auth;
+		const { id } = params;
+		if (!auth) {
+			return json(
+				{
+					success: false,
+					error: 'Unauthorized',
+					message: 'Authentication required'
+				},
+				{ status: 401 }
+			);
+		}
+		// Check write permissions (viewers are read-only)
+		if (!canWrite(auth)) {
+			return json(
+				{
+					success: false,
+					error: 'Forbidden',
+					message: 'You do not have permission to publish documents. Viewers have read-only access.'
+				},
+				{ status: 403 }
+			);
+		}
+		if (!id) {
+			return json(
+				{
+					success: false,
+					error: 'Missing document ID',
+					message: 'Document ID is required'
+				},
+				{ status: 400 }
+			);
+		}
+		// Get document to validate
+		const document = await databaseAdapter.findByDocId(auth.organizationId, id);
+		if (!document || !document.draftData) {
+			return json(
+				{
+					success: false,
+					error: 'Document not found or cannot be published',
+					message: 'Document may not exist or may not have draft content'
+				},
+				{ status: 404 }
+			);
+		}
+		// Get schema for validation (from config to preserve validation functions)
+		const schema = cmsEngine.getSchemaTypeByName(document.type);
+		if (!schema) {
+			return json(
+				{
+					success: false,
+					error: 'Invalid document type',
+					message: `Schema type '${document.type}' not found`
+				},
+				{ status: 400 }
+			);
+		}
+		// VALIDATE before publishing - block if errors exist
+		const validationErrors: Array<{ field: string; errors: string[] }> = [];
+		for (const field of schema.fields) {
+			const value = document.draftData[field.name];
+			const result = await validateField(field, value, document.draftData);
+			if (!result.isValid) {
+				const errorMessages = result.errors
+					.filter((e) => e.level === 'error')
+					.map((e) => e.message);
+				if (errorMessages.length > 0) {
+					validationErrors.push({
+						field: field.name,
+						errors: errorMessages
+					});
+				}
+			}
+		}
+		// Block publishing if validation errors exist
+		if (validationErrors.length > 0) {
+			return json(
+				{
+					success: false,
+					error: 'Cannot publish: validation errors',
+					message: 'Please fix all validation errors before publishing',
+					validationErrors
+				},
+				{ status: 400 }
+			);
+		}
+		// All validation passed - proceed with publish
+		const publishedDocument = await databaseAdapter.publishDoc(auth.organizationId, id);
+		if (!publishedDocument) {
+			return json(
+				{
+					success: false,
+					error: 'Document not found or cannot be published',
+					message: 'Document may not exist or may not have draft content'
+				},
+				{ status: 404 }
+			);
+		}
+		return json({
+			success: true,
+			data: publishedDocument,
+			message: 'Document published successfully'
+		});
+	} catch (error) {
+		console.error('Failed to publish document:', error);
+		return json(
+			{
+				success: false,
+				error: 'Failed to publish document',
+				message: error instanceof Error ? error.message : 'Unknown error'
+			},
+			{ status: 500 }
+		);
+	}
+};
+// DELETE /api/documents/[id]/publish - Unpublish document
+export const DELETE: RequestHandler = async ({ params, locals }) => {
+	try {
+		const { databaseAdapter } = locals.aphexCMS;
+		const auth = locals.auth;
+		const { id } = params;
+		if (!auth) {
+			return json(
+				{
+					success: false,
+					error: 'Unauthorized',
+					message: 'Authentication required'
+				},
+				{ status: 401 }
+			);
+		}
+		// Check write permissions (viewers are read-only)
+		if (!canWrite(auth)) {
+			return json(
+				{
+					success: false,
+					error: 'Forbidden',
+					message:
+						'You do not have permission to unpublish documents. Viewers have read-only access.'
+				},
+				{ status: 403 }
+			);
+		}
+		if (!id) {
+			return json(
+				{
+					success: false,
+					error: 'Missing document ID',
+					message: 'Document ID is required'
+				},
+				{ status: 400 }
+			);
+		}
+		const unpublishedDocument = await databaseAdapter.unpublishDoc(auth.organizationId, id);
+		if (!unpublishedDocument) {
+			return json(
+				{
+					success: false,
+					error: 'Document not found',
+					message: `No document found with ID: ${id}`
+				},
+				{ status: 404 }
+			);
+		}
+		return json({
+			success: true,
+			data: unpublishedDocument,
+			message: 'Document unpublished successfully'
+		});
+	} catch (error) {
+		console.error('Failed to unpublish document:', error);
+		return json(
+			{
+				success: false,
+				error: 'Failed to unpublish document',
+				message: error instanceof Error ? error.message : 'Unknown error'
+			},
+			{ status: 500 }
+		);
+	}
+};