npm - @autumnsgrove/groveengine - Versions diffs - 0.1.0 - Mend

@autumnsgrove/groveengine 0.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (219) hide show

package/README.md +163 -0
package/dist/auth/jwt.d.ts +14 -0
package/dist/auth/jwt.js +109 -0
package/dist/auth/session.d.ts +42 -0
package/dist/auth/session.js +105 -0
package/dist/components/admin/GutterManager.svelte +910 -0
package/dist/components/admin/GutterManager.svelte.d.ts +15 -0
package/dist/components/admin/MarkdownEditor.svelte +3114 -0
package/dist/components/admin/MarkdownEditor.svelte.d.ts +43 -0
package/dist/components/custom/CollapsibleSection.svelte +74 -0
package/dist/components/custom/CollapsibleSection.svelte.d.ts +15 -0
package/dist/components/custom/ContentWithGutter.svelte +646 -0
package/dist/components/custom/ContentWithGutter.svelte.d.ts +19 -0
package/dist/components/custom/GutterItem.svelte +201 -0
package/dist/components/custom/GutterItem.svelte.d.ts +11 -0
package/dist/components/custom/LeftGutter.svelte +271 -0
package/dist/components/custom/LeftGutter.svelte.d.ts +17 -0
package/dist/components/custom/MobileTOC.svelte +273 -0
package/dist/components/custom/MobileTOC.svelte.d.ts +11 -0
package/dist/components/custom/TableOfContents.svelte +163 -0
package/dist/components/custom/TableOfContents.svelte.d.ts +11 -0
package/dist/components/gallery/ImageGallery.svelte +681 -0
package/dist/components/gallery/ImageGallery.svelte.d.ts +11 -0
package/dist/components/gallery/Lightbox.svelte +107 -0
package/dist/components/gallery/Lightbox.svelte.d.ts +19 -0
package/dist/components/gallery/LightboxCaption.svelte +25 -0
package/dist/components/gallery/LightboxCaption.svelte.d.ts +11 -0
package/dist/components/gallery/ZoomableImage.svelte +163 -0
package/dist/components/gallery/ZoomableImage.svelte.d.ts +17 -0
package/dist/components/ui/Accordion.svelte +74 -0
package/dist/components/ui/Accordion.svelte.d.ts +42 -0
package/dist/components/ui/Badge.svelte +48 -0
package/dist/components/ui/Badge.svelte.d.ts +26 -0
package/dist/components/ui/Button.svelte +74 -0
package/dist/components/ui/Button.svelte.d.ts +34 -0
package/dist/components/ui/Card.svelte +102 -0
package/dist/components/ui/Card.svelte.d.ts +46 -0
package/dist/components/ui/Dialog.svelte +91 -0
package/dist/components/ui/Dialog.svelte.d.ts +43 -0
package/dist/components/ui/Input.svelte +81 -0
package/dist/components/ui/Input.svelte.d.ts +35 -0
package/dist/components/ui/Select.svelte +69 -0
package/dist/components/ui/Select.svelte.d.ts +36 -0
package/dist/components/ui/Sheet.svelte +98 -0
package/dist/components/ui/Sheet.svelte.d.ts +45 -0
package/dist/components/ui/Skeleton.svelte +31 -0
package/dist/components/ui/Skeleton.svelte.d.ts +26 -0
package/dist/components/ui/Table.svelte +59 -0
package/dist/components/ui/Table.svelte.d.ts +44 -0
package/dist/components/ui/Tabs.svelte +76 -0
package/dist/components/ui/Tabs.svelte.d.ts +41 -0
package/dist/components/ui/Textarea.svelte +81 -0
package/dist/components/ui/Textarea.svelte.d.ts +35 -0
package/dist/components/ui/Toast.svelte +18 -0
package/dist/components/ui/Toast.svelte.d.ts +7 -0
package/dist/components/ui/accordion/accordion-content.svelte +24 -0
package/dist/components/ui/accordion/accordion-content.svelte.d.ts +4 -0
package/dist/components/ui/accordion/accordion-item.svelte +12 -0
package/dist/components/ui/accordion/accordion-item.svelte.d.ts +4 -0
package/dist/components/ui/accordion/accordion-trigger.svelte +29 -0
package/dist/components/ui/accordion/accordion-trigger.svelte.d.ts +7 -0
package/dist/components/ui/accordion/index.d.ts +6 -0
package/dist/components/ui/accordion/index.js +8 -0
package/dist/components/ui/badge/badge.svelte +50 -0
package/dist/components/ui/badge/badge.svelte.d.ts +60 -0
package/dist/components/ui/badge/index.d.ts +2 -0
package/dist/components/ui/badge/index.js +2 -0
package/dist/components/ui/button/button.svelte +82 -0
package/dist/components/ui/button/button.svelte.d.ts +132 -0
package/dist/components/ui/button/index.d.ts +2 -0
package/dist/components/ui/button/index.js +4 -0
package/dist/components/ui/card/card-content.svelte +16 -0
package/dist/components/ui/card/card-content.svelte.d.ts +5 -0
package/dist/components/ui/card/card-description.svelte +16 -0
package/dist/components/ui/card/card-description.svelte.d.ts +5 -0
package/dist/components/ui/card/card-footer.svelte +16 -0
package/dist/components/ui/card/card-footer.svelte.d.ts +5 -0
package/dist/components/ui/card/card-header.svelte +16 -0
package/dist/components/ui/card/card-header.svelte.d.ts +5 -0
package/dist/components/ui/card/card-title.svelte +25 -0
package/dist/components/ui/card/card-title.svelte.d.ts +8 -0
package/dist/components/ui/card/card.svelte +20 -0
package/dist/components/ui/card/card.svelte.d.ts +5 -0
package/dist/components/ui/card/index.d.ts +7 -0
package/dist/components/ui/card/index.js +9 -0
package/dist/components/ui/dialog/dialog-content.svelte +38 -0
package/dist/components/ui/dialog/dialog-content.svelte.d.ts +9 -0
package/dist/components/ui/dialog/dialog-description.svelte +16 -0
package/dist/components/ui/dialog/dialog-description.svelte.d.ts +4 -0
package/dist/components/ui/dialog/dialog-footer.svelte +20 -0
package/dist/components/ui/dialog/dialog-footer.svelte.d.ts +5 -0
package/dist/components/ui/dialog/dialog-header.svelte +20 -0
package/dist/components/ui/dialog/dialog-header.svelte.d.ts +5 -0
package/dist/components/ui/dialog/dialog-overlay.svelte +19 -0
package/dist/components/ui/dialog/dialog-overlay.svelte.d.ts +4 -0
package/dist/components/ui/dialog/dialog-title.svelte +16 -0
package/dist/components/ui/dialog/dialog-title.svelte.d.ts +4 -0
package/dist/components/ui/dialog/index.d.ts +12 -0
package/dist/components/ui/dialog/index.js +14 -0
package/dist/components/ui/index.d.ts +26 -0
package/dist/components/ui/index.js +29 -0
package/dist/components/ui/input/index.d.ts +2 -0
package/dist/components/ui/input/index.js +4 -0
package/dist/components/ui/input/input.svelte +46 -0
package/dist/components/ui/input/input.svelte.d.ts +13 -0
package/dist/components/ui/select/index.d.ts +11 -0
package/dist/components/ui/select/index.js +13 -0
package/dist/components/ui/select/select-content.svelte +39 -0
package/dist/components/ui/select/select-content.svelte.d.ts +7 -0
package/dist/components/ui/select/select-group-heading.svelte +16 -0
package/dist/components/ui/select/select-group-heading.svelte.d.ts +4 -0
package/dist/components/ui/select/select-item.svelte +37 -0
package/dist/components/ui/select/select-item.svelte.d.ts +4 -0
package/dist/components/ui/select/select-scroll-down-button.svelte +19 -0
package/dist/components/ui/select/select-scroll-down-button.svelte.d.ts +4 -0
package/dist/components/ui/select/select-scroll-up-button.svelte +19 -0
package/dist/components/ui/select/select-scroll-up-button.svelte.d.ts +4 -0
package/dist/components/ui/select/select-separator.svelte +13 -0
package/dist/components/ui/select/select-separator.svelte.d.ts +4 -0
package/dist/components/ui/select/select-trigger.svelte +24 -0
package/dist/components/ui/select/select-trigger.svelte.d.ts +4 -0
package/dist/components/ui/separator/index.d.ts +2 -0
package/dist/components/ui/separator/index.js +4 -0
package/dist/components/ui/separator/separator.svelte +22 -0
package/dist/components/ui/separator/separator.svelte.d.ts +4 -0
package/dist/components/ui/sheet/index.d.ts +12 -0
package/dist/components/ui/sheet/index.js +14 -0
package/dist/components/ui/sheet/sheet-content.svelte +53 -0
package/dist/components/ui/sheet/sheet-content.svelte.d.ts +62 -0
package/dist/components/ui/sheet/sheet-description.svelte +16 -0
package/dist/components/ui/sheet/sheet-description.svelte.d.ts +4 -0
package/dist/components/ui/sheet/sheet-footer.svelte +20 -0
package/dist/components/ui/sheet/sheet-footer.svelte.d.ts +5 -0
package/dist/components/ui/sheet/sheet-header.svelte +20 -0
package/dist/components/ui/sheet/sheet-header.svelte.d.ts +5 -0
package/dist/components/ui/sheet/sheet-overlay.svelte +21 -0
package/dist/components/ui/sheet/sheet-overlay.svelte.d.ts +6 -0
package/dist/components/ui/sheet/sheet-title.svelte +16 -0
package/dist/components/ui/sheet/sheet-title.svelte.d.ts +4 -0
package/dist/components/ui/skeleton/index.d.ts +2 -0
package/dist/components/ui/skeleton/index.js +4 -0
package/dist/components/ui/skeleton/skeleton.svelte +17 -0
package/dist/components/ui/skeleton/skeleton.svelte.d.ts +5 -0
package/dist/components/ui/table/index.d.ts +9 -0
package/dist/components/ui/table/index.js +11 -0
package/dist/components/ui/table/table-body.svelte +16 -0
package/dist/components/ui/table/table-body.svelte.d.ts +5 -0
package/dist/components/ui/table/table-caption.svelte +16 -0
package/dist/components/ui/table/table-caption.svelte.d.ts +5 -0
package/dist/components/ui/table/table-cell.svelte +20 -0
package/dist/components/ui/table/table-cell.svelte.d.ts +5 -0
package/dist/components/ui/table/table-footer.svelte +16 -0
package/dist/components/ui/table/table-footer.svelte.d.ts +5 -0
package/dist/components/ui/table/table-head.svelte +23 -0
package/dist/components/ui/table/table-head.svelte.d.ts +5 -0
package/dist/components/ui/table/table-header.svelte +16 -0
package/dist/components/ui/table/table-header.svelte.d.ts +5 -0
package/dist/components/ui/table/table-row.svelte +23 -0
package/dist/components/ui/table/table-row.svelte.d.ts +5 -0
package/dist/components/ui/table/table.svelte +18 -0
package/dist/components/ui/table/table.svelte.d.ts +5 -0
package/dist/components/ui/tabs/index.d.ts +6 -0
package/dist/components/ui/tabs/index.js +8 -0
package/dist/components/ui/tabs/tabs-content.svelte +19 -0
package/dist/components/ui/tabs/tabs-content.svelte.d.ts +4 -0
package/dist/components/ui/tabs/tabs-list.svelte +19 -0
package/dist/components/ui/tabs/tabs-list.svelte.d.ts +4 -0
package/dist/components/ui/tabs/tabs-trigger.svelte +19 -0
package/dist/components/ui/tabs/tabs-trigger.svelte.d.ts +4 -0
package/dist/components/ui/textarea/index.d.ts +2 -0
package/dist/components/ui/textarea/index.js +4 -0
package/dist/components/ui/textarea/textarea.svelte +24 -0
package/dist/components/ui/textarea/textarea.svelte.d.ts +6 -0
package/dist/components/ui/toast.d.ts +86 -0
package/dist/components/ui/toast.js +99 -0
package/dist/db/schema.sql +238 -0
package/dist/index.d.ts +14 -0
package/dist/index.js +20 -0
package/dist/payments/index.d.ts +33 -0
package/dist/payments/index.js +47 -0
package/dist/payments/shop.d.ts +165 -0
package/dist/payments/shop.js +588 -0
package/dist/payments/stripe/client.d.ts +231 -0
package/dist/payments/stripe/client.js +198 -0
package/dist/payments/stripe/index.d.ts +18 -0
package/dist/payments/stripe/index.js +17 -0
package/dist/payments/stripe/provider.d.ts +50 -0
package/dist/payments/stripe/provider.js +530 -0
package/dist/payments/types.d.ts +355 -0
package/dist/payments/types.js +7 -0
package/dist/server/logger.d.ts +53 -0
package/dist/server/logger.js +252 -0
package/dist/styles/content.css +514 -0
package/dist/styles/tokens.css +175 -0
package/dist/utils/api.d.ts +20 -0
package/dist/utils/api.js +109 -0
package/dist/utils/cn.d.ts +15 -0
package/dist/utils/cn.js +18 -0
package/dist/utils/csrf.d.ts +22 -0
package/dist/utils/csrf.js +72 -0
package/dist/utils/debounce.d.ts +7 -0
package/dist/utils/debounce.js +14 -0
package/dist/utils/gallery.d.ts +66 -0
package/dist/utils/gallery.js +181 -0
package/dist/utils/gutter.d.ts +54 -0
package/dist/utils/gutter.js +169 -0
package/dist/utils/imageProcessor.d.ts +58 -0
package/dist/utils/imageProcessor.js +205 -0
package/dist/utils/json.d.ts +17 -0
package/dist/utils/json.js +26 -0
package/dist/utils/markdown.d.ts +101 -0
package/dist/utils/markdown.js +947 -0
package/dist/utils/sanitize.d.ts +25 -0
package/dist/utils/sanitize.js +127 -0
package/dist/utils/validation.d.ts +46 -0
package/dist/utils/validation.js +169 -0
package/dist/utils.d.ts +5 -0
package/dist/utils.js +5 -0
package/package.json +129 -0

package/README.md ADDED Viewed

@@ -0,0 +1,163 @@
+# @grove/engine
+Multi-tenant blog engine for the Grove Platform. Each Grove site runs as its own Cloudflare Worker, powered by this engine.
+## Features
+- **Gutter Annotations** - Unique sidebar annotation system for blog posts
+- **Markdown Editor** - Full-featured editor with live preview, themes, and drag-drop image upload
+- **Magic Code Auth** - Passwordless authentication via email codes
+- **Admin Panel** - Complete CMS for posts, pages, images, and settings
+- **Multi-Tenant Ready** - Designed for username.grove.place architecture
+- **Cloudflare Native** - D1 database, R2 storage, KV caching, Workers deployment
+## Architecture
+```
+Each Grove Site (Cloudflare Worker)
+├── src/
+│   ├── routes/
+│   │   ├── admin/        # CMS admin panel
+│   │   ├── api/          # REST API endpoints
+│   │   ├── auth/         # Magic code authentication
+│   │   ├── blog/         # Blog listing and posts
+│   │   ├── about/        # Static about page
+│   │   └── contact/      # Static contact page
+│   └── lib/
+│       ├── auth/         # JWT and session management
+│       ├── components/   # Svelte components
+│       │   ├── admin/    # MarkdownEditor, GutterManager
+│       │   ├── custom/   # ContentWithGutter, TableOfContents
+│       │   ├── gallery/  # ImageGallery, Lightbox, ZoomableImage
+│       │   └── ui/       # shadcn-svelte components
+│       ├── utils/        # Markdown parser, CSRF, sanitization
+│       └── styles/       # CSS and tokens
+├── UserContent/          # Site-specific content
+├── migrations/           # D1 database migrations
+└── static/fonts/         # Self-hosted fonts
+```
+## Cloudflare Bindings Required
+```toml
+# wrangler.toml
+[[d1_databases]]
+binding = "DB"
+database_name = "your-site-db"
+database_id = "your-database-id"
+[[r2_buckets]]
+binding = "IMAGES"
+bucket_name = "your-site-images"
+[[kv_namespaces]]
+binding = "CACHE"
+id = "your-kv-id"
+```
+## Environment Variables
+```bash
+# .dev.vars
+JWT_SECRET=your-secret-key
+ALLOWED_ADMIN_EMAILS=admin@example.com
+RESEND_API_KEY=re_xxxxx
+```
+## Quick Start
+1. **Clone and install**
+   ```bash
+   cd packages/engine
+   npm install
+   ```
+2. **Set up Cloudflare resources**
+   ```bash
+   npx wrangler d1 create your-site-db
+   npx wrangler r2 bucket create your-site-images
+   npx wrangler kv:namespace create CACHE
+   ```
+3. **Run migrations**
+   ```bash
+   npx wrangler d1 execute your-site-db --local --file=migrations/001_magic_codes.sql
+   npx wrangler d1 execute your-site-db --local --file=migrations/002_auth_security.sql
+   npx wrangler d1 execute your-site-db --local --file=migrations/003_site_settings.sql
+   npx wrangler d1 execute your-site-db --local --file=migrations/004_pages_table.sql
+   npx wrangler d1 execute your-site-db --local --file=migrations/005_multi_tenant.sql
+   ```
+4. **Configure environment**
+   ```bash
+   cp .dev.vars.example .dev.vars
+   # Edit .dev.vars with your values
+   ```
+5. **Start development**
+   ```bash
+   npm run dev
+   ```
+6. **Deploy**
+   ```bash
+   npx wrangler pages deploy
+   ```
+## Key Components
+### Gutter System
+The unique gutter annotation system allows sidebar notes on blog posts:
+- `ContentWithGutter.svelte` - Main content layout
+- `GutterItem.svelte` - Individual annotations
+- `LeftGutter.svelte` - Gutter container
+- `GutterManager.svelte` - Admin UI for managing gutters
+### Markdown Editor
+Full-featured editor with:
+- Live preview
+- Multiple themes (Grove, Amber, Matrix, Dracula, Nord, Rose)
+- Drag-drop image upload to R2
+- Mermaid diagram support
+- Slash commands
+- Zen mode
+### Authentication
+Passwordless magic code system:
+- Email-based verification codes
+- JWT sessions
+- Rate limiting
+- Constant-time comparison for security
+## Multi-Tenant Schema
+The engine supports multi-tenant deployment where each tenant gets isolated data:
+```sql
+-- Each tenant (subdomain)
+CREATE TABLE tenants (
+  id TEXT PRIMARY KEY,
+  subdomain TEXT UNIQUE NOT NULL,
+  plan TEXT DEFAULT 'starter',
+  -- ...
+);
+-- Posts scoped to tenant
+CREATE TABLE posts (
+  id TEXT PRIMARY KEY,
+  tenant_id TEXT NOT NULL,
+  slug TEXT NOT NULL,
+  -- ...
+  UNIQUE(tenant_id, slug)
+);
+```
+## Related Documentation
+- [Migration Strategy](../../docs/MIGRATION-STRATEGY.md)
+- [Agent Guide for New Sites](../../docs/guides/AGENT-GUIDE-NEW-GROVE-SITES.md)
+- [Customer Setup Guide](../../docs/guides/customer-setup.md)
+## License
+MIT

package/dist/auth/jwt.d.ts ADDED Viewed

@@ -0,0 +1,14 @@
+/**
+ * Sign a JWT payload
+ * @param {Object} payload - The payload to sign
+ * @param {string} secret - The secret key
+ * @returns {Promise<string>} - The signed JWT token
+ */
+export function signJwt(payload: Object, secret: string): Promise<string>;
+/**
+ * Verify and decode a JWT token
+ * @param {string} token - The JWT token to verify
+ * @param {string} secret - The secret key
+ * @returns {Promise<Object|null>} - The decoded payload or null if invalid
+ */
+export function verifyJwt(token: string, secret: string): Promise<Object | null>;

package/dist/auth/jwt.js ADDED Viewed

@@ -0,0 +1,109 @@
+/**
+ * JWT utilities using Web Crypto API (Cloudflare Workers compatible)
+ */
+const encoder = new TextEncoder();
+const decoder = new TextDecoder();
+/**
+ * Base64URL encode
+ */
+function base64UrlEncode(data) {
+  const base64 = btoa(String.fromCharCode(...new Uint8Array(data)));
+  return base64.replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
+}
+/**
+ * Base64URL decode
+ */
+function base64UrlDecode(str) {
+  const base64 = str.replace(/-/g, "+").replace(/_/g, "/");
+  const padding = "=".repeat((4 - (base64.length % 4)) % 4);
+  const binary = atob(base64 + padding);
+  return Uint8Array.from(binary, (c) => c.charCodeAt(0));
+}
+/**
+ * Create HMAC key from secret
+ */
+async function createKey(secret) {
+  return await crypto.subtle.importKey(
+    "raw",
+    encoder.encode(secret),
+    { name: "HMAC", hash: "SHA-256" },
+    false,
+    ["sign", "verify"],
+  );
+}
+/**
+ * Sign a JWT payload
+ * @param {Object} payload - The payload to sign
+ * @param {string} secret - The secret key
+ * @returns {Promise<string>} - The signed JWT token
+ */
+export async function signJwt(payload, secret) {
+  const header = { alg: "HS256", typ: "JWT" };
+  const headerEncoded = base64UrlEncode(encoder.encode(JSON.stringify(header)));
+  const payloadEncoded = base64UrlEncode(
+    encoder.encode(JSON.stringify(payload)),
+  );
+  const message = `${headerEncoded}.${payloadEncoded}`;
+  const key = await createKey(secret);
+  const signature = await crypto.subtle.sign(
+    "HMAC",
+    key,
+    encoder.encode(message),
+  );
+  const signatureEncoded = base64UrlEncode(signature);
+  return `${message}.${signatureEncoded}`;
+}
+/**
+ * Verify and decode a JWT token
+ * @param {string} token - The JWT token to verify
+ * @param {string} secret - The secret key
+ * @returns {Promise<Object|null>} - The decoded payload or null if invalid
+ */
+export async function verifyJwt(token, secret) {
+  try {
+    const parts = token.split(".");
+    if (parts.length !== 3) {
+      return null;
+    }
+    const [headerEncoded, payloadEncoded, signatureEncoded] = parts;
+    const message = `${headerEncoded}.${payloadEncoded}`;
+    const key = await createKey(secret);
+    const signature = base64UrlDecode(signatureEncoded);
+    const isValid = await crypto.subtle.verify(
+      "HMAC",
+      key,
+      signature,
+      encoder.encode(message),
+    );
+    if (!isValid) {
+      return null;
+    }
+    const payload = JSON.parse(decoder.decode(base64UrlDecode(payloadEncoded)));
+    // Check expiration
+    if (payload.exp && payload.exp < Math.floor(Date.now() / 1000)) {
+      return null;
+    }
+    return payload;
+  } catch (error) {
+    console.error("JWT verification error:", error);
+    return null;
+  }
+}

package/dist/auth/session.d.ts ADDED Viewed

@@ -0,0 +1,42 @@
+/**
+ * Create a session token for a user
+ * @param {Object} user - User data
+ * @param {string} user.email - User email address
+ * @param {string} secret - Session secret
+ * @returns {Promise<string>} - Signed JWT token
+ */
+export function createSession(user: {
+    email: string;
+}, secret: string): Promise<string>;
+/**
+ * Verify a session token and return user data
+ * @param {string} token - Session token
+ * @param {string} secret - Session secret
+ * @returns {Promise<Object|null>} - User data or null if invalid
+ */
+export function verifySession(token: string, secret: string): Promise<Object | null>;
+/**
+ * Create Set-Cookie header value for session
+ * @param {string} token - Session token
+ * @param {boolean} isProduction - Whether in production (for secure flag)
+ * @returns {string} - Cookie header value
+ */
+export function createSessionCookie(token: string, isProduction?: boolean): string;
+/**
+ * Create Set-Cookie header value to clear session
+ * @returns {string} - Cookie header value
+ */
+export function clearSessionCookie(): string;
+/**
+ * Parse session token from cookie header
+ * @param {string} cookieHeader - Cookie header value
+ * @returns {string|null} - Session token or null
+ */
+export function parseSessionCookie(cookieHeader: string): string | null;
+/**
+ * Check if an email is in the allowed admin list
+ * @param {string} email - Email address to check
+ * @param {string} allowedList - Comma-separated list of allowed emails
+ * @returns {boolean} - Whether the user is allowed
+ */
+export function isAllowedAdmin(email: string, allowedList: string): boolean;

package/dist/auth/session.js ADDED Viewed

@@ -0,0 +1,105 @@
+/**
+ * Session management utilities
+ */
+import { signJwt, verifyJwt } from "./jwt.js";
+const SESSION_COOKIE_NAME = "session";
+const SESSION_DURATION_SECONDS = 60 * 60 * 24 * 7; // 7 days
+/**
+ * Create a session token for a user
+ * @param {Object} user - User data
+ * @param {string} user.email - User email address
+ * @param {string} secret - Session secret
+ * @returns {Promise<string>} - Signed JWT token
+ */
+export async function createSession(user, secret) {
+  const payload = {
+    sub: user.email,
+    email: user.email,
+    exp: Math.floor(Date.now() / 1000) + SESSION_DURATION_SECONDS,
+  };
+  return await signJwt(payload, secret);
+}
+/**
+ * Verify a session token and return user data
+ * @param {string} token - Session token
+ * @param {string} secret - Session secret
+ * @returns {Promise<Object|null>} - User data or null if invalid
+ */
+export async function verifySession(token, secret) {
+  const payload = await verifyJwt(token, secret);
+  if (!payload) {
+    return null;
+  }
+  return {
+    email: payload.email,
+  };
+}
+/**
+ * Create Set-Cookie header value for session
+ * @param {string} token - Session token
+ * @param {boolean} isProduction - Whether in production (for secure flag)
+ * @returns {string} - Cookie header value
+ */
+export function createSessionCookie(token, isProduction = true) {
+  const parts = [
+    `${SESSION_COOKIE_NAME}=${token}`,
+    "Path=/",
+    `Max-Age=${SESSION_DURATION_SECONDS}`,
+    "HttpOnly",
+    "SameSite=Lax",
+  ];
+  if (isProduction) {
+    parts.push("Secure");
+  }
+  return parts.join("; ");
+}
+/**
+ * Create Set-Cookie header value to clear session
+ * @returns {string} - Cookie header value
+ */
+export function clearSessionCookie() {
+  return `${SESSION_COOKIE_NAME}=; Path=/; Max-Age=0; HttpOnly; SameSite=Lax`;
+}
+/**
+ * Parse session token from cookie header
+ * @param {string} cookieHeader - Cookie header value
+ * @returns {string|null} - Session token or null
+ */
+export function parseSessionCookie(cookieHeader) {
+  if (!cookieHeader) {
+    return null;
+  }
+  const cookies = cookieHeader.split(";").reduce((acc, cookie) => {
+    const [key, value] = cookie.trim().split("=");
+    if (key && value) {
+      acc[key] = value;
+    }
+    return acc;
+  }, {});
+  return cookies[SESSION_COOKIE_NAME] || null;
+}
+/**
+ * Check if an email is in the allowed admin list
+ * @param {string} email - Email address to check
+ * @param {string} allowedList - Comma-separated list of allowed emails
+ * @returns {boolean} - Whether the user is allowed
+ */
+export function isAllowedAdmin(email, allowedList) {
+  const allowed = allowedList.split(",").map((e) => e.trim().toLowerCase());
+  return allowed.includes(email.toLowerCase());
+}