@betttercms/astro 0.1.0

package/README.md

@@ -0,0 +1,77 @@
+# @betttercms/astro
+
+The BetterCMS adapter for Astro — a `bettercms()` integration, a
+`bettercms:client` virtual module, typed content loaders, draft preview, and
+native `.astro` rendering components. The Astro equivalent of `@sanity/astro`.
+
+## Install
+
+```bash
+npm install @betttercms/astro
+```
+
+## Setup
+
+```js
+// astro.config.mjs
+import { defineConfig } from "astro/config";
+import bettercms from "@betttercms/astro";
+
+export default defineConfig({
+  integrations: [
+    bettercms({
+      apiUrl: "https://api.bettercms.ai", // or PUBLIC_BCMS_API_URL
+      workspace: "my-workspace",          // or PUBLIC_BCMS_WORKSPACE
+      // projectId, studioUrl, mediaUrl optional
+    }),
+  ],
+  output: "server", // required for draft mode + live reads
+});
+```
+
+Server env (never bundled to the client):
+
+```bash
+BCMS_API_KEY=bcms_pk_...        # content:read (or content:read:draft for previews)
+BCMS_DRAFT_SECRET=<32+ chars>   # signs the draft cookie
+```
+
+Add the virtual-module + `Astro.locals` types to `src/env.d.ts`:
+
+```ts
+/// <reference types="@betttercms/astro/env" />
+```
+
+## Reading content
+
+```astro
+---
+import { loadPage, loadForms } from "bettercms:client";
+import BcmsBlocks from "@betttercms/astro/components/BcmsBlocks.astro";
+
+const page = await loadPage(Astro, "home");
+const { items: forms, turnstileSiteKey } = await loadForms(Astro);
+---
+{page && <BcmsBlocks blocks={page.blocks} forms={forms} turnstileSiteKey={turnstileSiteKey} />}
+```
+
+Loaders take `Astro` so they automatically read drafts when draft mode is on:
+`loadPage`, `loadEntry`, `loadEntries`, `loadForms`. The raw `client` and
+`getClient(Astro)` are exported too.
+
+## Components
+
+| Component | Purpose |
+| --- | --- |
+| `@betttercms/astro/components/BcmsBlocks.astro` | Render a page's `blockJson` (all 8 block types). |
+| `@betttercms/astro/components/BcmsForm.astro` | Render + submit a form (conditional fields, honeypot, Turnstile). |
+| `@betttercms/astro/components/BcmsImage.astro` | Optimized image with a 1x/2x srcset via the media transform endpoint. |
+
+Markup is class-driven and unstyled — you own the CSS.
+
+## Draft mode
+
+The integration injects `/api/bcms/draft/enable?token=<jwt>&redirect=/path` and
+`/api/bcms/draft/disable`. Generate the preview-token link from the dashboard;
+visiting `enable` validates the token against the backend, sets a signed cookie,
+and subsequent loads return draft content. Disable with the `disable` route.

package/components/BcmsBlocks.astro

@@ -0,0 +1,81 @@
+---
+/**
+ * <BcmsBlocks> — renders a page's blockJson tree natively in Astro. Covers all
+ * 8 block types (heading, text, image, button, spacer, video, columns, form),
+ * with `columns` recursing via Astro.self and `form` resolving from the `forms`
+ * prop. Class names mirror the server-side renderer.
+ */
+import type { ContentBlock } from "@betttercms/types";
+import type { DeliveryForm } from "@betttercms/sdk";
+import BcmsImage from "./BcmsImage.astro";
+import BcmsForm from "./BcmsForm.astro";
+
+interface Props {
+  blocks: ContentBlock[];
+  forms?: DeliveryForm[];
+  turnstileSiteKey?: string | null;
+  class?: string;
+}
+
+const { blocks = [], forms = [], turnstileSiteKey, class: className } = Astro.props;
+const formMap = new Map(forms.map((f) => [f.id, f]));
+
+const clamp = (n: number, min: number, max: number) => Math.min(max, Math.max(min, n));
+const anyProps = (b: ContentBlock) => (b as { props?: Record<string, any> }).props ?? {};
+---
+
+<div class={className}>
+  {blocks.map((block) => {
+    const p = anyProps(block);
+    switch (block.type) {
+      case "heading": {
+        const Tag = `h${clamp(Number(p.level) || 2, 1, 6)}` as keyof HTMLElementTagNameMap;
+        return <Tag>{p.text}</Tag>;
+      }
+      case "text":
+        return <div class="bcms-text" set:html={p.html ?? ""} />;
+      case "image":
+        return p.caption ? (
+          <figure>
+            <BcmsImage src={p.src} alt={p.alt ?? ""} width={p.width} height={p.height} />
+            <figcaption>{p.caption}</figcaption>
+          </figure>
+        ) : (
+          <BcmsImage src={p.src} alt={p.alt ?? ""} width={p.width} height={p.height} />
+        );
+      case "button":
+        return (
+          <a class={`bcms-btn bcms-btn-${p.variant === "secondary" ? "secondary" : "primary"}`} href={p.href ?? "#"}>
+            {p.text}
+          </a>
+        );
+      case "spacer":
+        return <div class="bcms-spacer" style={`height:${Number(p.height) || 0}px`} />;
+      case "video":
+        return (
+          <video src={p.url} poster={p.poster} controls autoplay={!!p.autoplay} muted={!!p.autoplay} loop={!!p.loop} playsinline />
+        );
+      case "columns": {
+        const cols: ContentBlock[][] = Array.isArray(p.columns) ? p.columns : [];
+        return (
+          <div
+            class="bcms-cols"
+            style={`display:grid;grid-template-columns:repeat(${cols.length || 1},1fr);gap:${Number(p.gap) || 0}px`}
+          >
+            {cols.map((col) => (
+              <div class="bcms-col">
+                <Astro.self blocks={col} forms={forms} turnstileSiteKey={turnstileSiteKey} />
+              </div>
+            ))}
+          </div>
+        );
+      }
+      case "form": {
+        const form = formMap.get(p.formId);
+        return form ? <BcmsForm form={form} turnstileSiteKey={turnstileSiteKey} /> : null;
+      }
+      default:
+        return null;
+    }
+  })}
+</div>

package/components/BcmsForm.astro

@@ -0,0 +1,125 @@
+---
+/**
+ * <BcmsForm> — renders a BetterCMS form with conditional fields, honeypot and
+ * optional Turnstile. Submits JSON to the public forms endpoint with
+ * progressive enhancement (falls back to a normal POST without JS).
+ *
+ * Markup is class-driven and unstyled — the host owns CSS (matches the
+ * server-side renderer's class names: bcms-form, bcms-field, bcms-check, …).
+ */
+import config from "bettercms:config";
+import type { DeliveryForm, DeliveryFormField } from "@betttercms/sdk";
+
+interface Props {
+  form: DeliveryForm;
+  turnstileSiteKey?: string | null;
+  class?: string;
+}
+
+const { form, turnstileSiteKey, class: className } = Astro.props;
+const action = `${config.apiUrl}/api/v1/forms/public/${encodeURIComponent(form.id)}/submissions`;
+
+const INPUT_TYPE: Partial<Record<DeliveryFormField["type"], string>> = {
+  email: "email",
+  number: "number",
+  phone: "tel",
+  date: "date",
+  url: "url",
+};
+
+const showTurnstile = Boolean(form.turnstileEnabled && turnstileSiteKey);
+---
+
+<form class={`bcms-form${className ? ` ${className}` : ""}`} method="post" action={action} data-bcms-form>
+  {form.fields?.map((f) => {
+    const wrapAttrs = f.showIf ? { "data-bcms-showif": JSON.stringify(f.showIf) } : {};
+    if (f.type === "hidden") return <input type="hidden" name={f.key} value={f.defaultValue ?? ""} />;
+    if (f.type === "checkbox" || f.type === "consent")
+      return (
+        <label class="bcms-check" {...wrapAttrs}>
+          <input type="checkbox" name={f.key} required={f.required} />
+          <span>{f.label}</span>
+        </label>
+      );
+    return (
+      <div class="bcms-field" {...wrapAttrs}>
+        <label for={`bcms-f-${f.key}`}>{f.label}{f.required ? " *" : ""}</label>
+        {f.type === "textarea" ? (
+          <textarea id={`bcms-f-${f.key}`} name={f.key} placeholder={f.placeholder} required={f.required}>
+            {f.defaultValue ?? ""}
+          </textarea>
+        ) : f.type === "select" ? (
+          <select id={`bcms-f-${f.key}`} name={f.key} required={f.required}>
+            {(f.options ?? []).map((o) => <option value={o}>{o}</option>)}
+          </select>
+        ) : (
+          <input
+            type={INPUT_TYPE[f.type] ?? "text"}
+            id={`bcms-f-${f.key}`}
+            name={f.key}
+            placeholder={f.placeholder}
+            value={f.defaultValue}
+            required={f.required}
+          />
+        )}
+      </div>
+    );
+  })}
+
+  {form.honeypotField && (
+    <input type="text" name={form.honeypotField} tabindex="-1" autocomplete="off" style="position:absolute;left:-9999px" aria-hidden="true" />
+  )}
+
+  {showTurnstile && <div class="cf-turnstile" data-sitekey={turnstileSiteKey}></div>}
+
+  <button type="submit">{form.submitLabel || "Submit"}</button>
+  <p class="bcms-form-msg" hidden></p>
+</form>
+
+{showTurnstile && <script is:inline src="https://challenges.cloudflare.com/turnstile/v0/api.js" async defer></script>}
+
+<script is:inline data-bcms-form-success={form.successMessage ?? "Thanks!"} data-bcms-form-redirect={form.redirectUrl ?? ""}>
+  document.querySelectorAll("form[data-bcms-form]").forEach((form) => {
+    const msg = form.querySelector(".bcms-form-msg");
+    const cfg = document.currentScript;
+    const successMsg = cfg?.getAttribute("data-bcms-form-success") || "Thanks!";
+    const redirect = cfg?.getAttribute("data-bcms-form-redirect") || "";
+
+    // Conditional fields: show/hide based on another field's value.
+    const conds = form.querySelectorAll("[data-bcms-showif]");
+    const applyConds = () => {
+      conds.forEach((el) => {
+        try {
+          const { field, equals } = JSON.parse(el.getAttribute("data-bcms-showif"));
+          const input = form.elements[field];
+          const val = input && input.type === "checkbox" ? (input.checked ? "true" : "false") : input?.value;
+          el.style.display = val === equals ? "" : "none";
+        } catch {}
+      });
+    };
+    form.addEventListener("input", applyConds);
+    applyConds();
+
+    form.addEventListener("submit", async (e) => {
+      e.preventDefault();
+      const data = {};
+      new FormData(form).forEach((v, k) => { data[k] = v; });
+      const tsEl = form.querySelector('[name="cf-turnstile-response"]');
+      const body = { data };
+      if (tsEl?.value) body["cf-turnstile-response"] = tsEl.value;
+      try {
+        const res = await fetch(form.action, {
+          method: "POST",
+          headers: { "Content-Type": "application/json" },
+          body: JSON.stringify(body),
+        });
+        if (!res.ok) throw new Error(String(res.status));
+        if (redirect) { window.location.href = redirect; return; }
+        form.reset();
+        if (msg) { msg.textContent = successMsg; msg.hidden = false; }
+      } catch {
+        if (msg) { msg.textContent = "Something went wrong. Please try again."; msg.hidden = false; }
+      }
+    });
+  });
+</script>

package/components/BcmsImage.astro

@@ -0,0 +1,63 @@
+---
+/**
+ * <BcmsImage> — renders an optimized image via the BetterCMS media transform
+ * endpoint, with a 1x/2x srcset. Accepts an asset id, a MediaAsset, or a URL.
+ */
+import config from "bettercms:config";
+import imageUrlBuilder, {
+  type ImageSource,
+  type ImageFormat,
+  type ImageFit,
+} from "@betttercms/image-url";
+
+interface Props {
+  src: ImageSource;
+  alt?: string;
+  width?: number;
+  height?: number;
+  format?: ImageFormat;
+  quality?: number;
+  fit?: ImageFit;
+  sizes?: string;
+  loading?: "lazy" | "eager";
+  class?: string;
+}
+
+const {
+  src,
+  alt = "",
+  width,
+  height,
+  format = "webp",
+  quality,
+  fit,
+  sizes,
+  loading = "lazy",
+  class: className,
+} = Astro.props;
+
+const builder = imageUrlBuilder({ baseUrl: config.mediaUrl });
+const make = () => {
+  let b = builder(src);
+  if (width) b = b.width(width);
+  if (height) b = b.height(height);
+  if (format) b = b.format(format);
+  if (quality) b = b.quality(quality);
+  if (fit) b = b.fit(fit);
+  return b;
+};
+
+const src1x = make().url();
+const src2x = make().dpr(2).url();
+---
+
+<img
+  src={src1x}
+  srcset={`${src1x} 1x, ${src2x} 2x`}
+  alt={alt}
+  width={width}
+  height={height}
+  sizes={sizes}
+  loading={loading}
+  class={className}
+/>

package/components/BcmsLive.astro

@@ -0,0 +1,21 @@
+---
+/**
+ * <BcmsLive> — opens the BetterCMS delivery live SSE stream in the browser and
+ * reloads the page on every content change (dev + draft preview). Drop it once,
+ * e.g. in your layout. Build `src` with `liveSrc({ apiUrl, workspace, apiKey })`
+ * from `@betttercms/astro` (use a content:read key — it is browser-exposed).
+ */
+interface Props {
+  src: string;
+}
+const { src } = Astro.props;
+---
+
+<script is:inline define:vars={{ src }}>
+  try {
+    const es = new EventSource(src);
+    es.addEventListener("change", () => window.location.reload());
+  } catch (e) {
+    /* EventSource unsupported — no live refresh */
+  }
+</script>

package/components/BcmsVisualEditing.astro

@@ -0,0 +1,57 @@
+---
+/**
+ * <BcmsVisualEditing> — click-to-edit overlay for draft preview. Decodes the
+ * invisible stega provenance embedded in draft string values and, on Alt+Click,
+ * opens the matching dashboard editor. Render it only in draft mode.
+ *
+ *   import config from "bettercms:config";
+ *   {Astro.locals.bcms?.draft && <BcmsVisualEditing studioUrl={config.studioUrl} />}
+ *
+ * The decoder is inlined (is:inline) so it needs no client bundle; it mirrors the
+ * zero-width scheme in @betttercms/sdk's stega module.
+ */
+interface Props {
+  studioUrl?: string;
+}
+const { studioUrl = "https://dashboard.bettercms.ai" } = Astro.props;
+---
+
+<script is:inline define:vars={{ studioUrl }}>
+  (function () {
+    var ZERO = "​", ONE = "‌", START = "⁠", END = "⁡";
+    var FRAME = new RegExp(START + "([" + ZERO + ONE + "]*)" + END);
+
+    function fromBits(bits) {
+      var bytes = [];
+      for (var i = 0; i + 8 <= bits.length; i += 8) {
+        var b = 0;
+        for (var j = 0; j < 8; j++) b = (b << 1) | (bits[i + j] === ONE ? 1 : 0);
+        bytes.push(b);
+      }
+      return new TextDecoder().decode(new Uint8Array(bytes));
+    }
+
+    function decode(text) {
+      var m = text.match(FRAME);
+      if (!m) return null;
+      try { return JSON.parse(fromBits(m[1])); } catch (e) { return null; }
+    }
+
+    function href(p) {
+      var base = String(studioUrl).replace(/\/+$/, "");
+      var section = p.type === "page" ? "pages" : "content";
+      return base + "/" + section + "/" + encodeURIComponent(p.id) + "?field=" + encodeURIComponent(p.field);
+    }
+
+    document.addEventListener("click", function (e) {
+      if (!e.altKey) return;
+      var t = e.target && e.target.textContent;
+      if (!t) return;
+      var p = decode(t);
+      if (!p) return;
+      e.preventDefault();
+      window.open(href(p), "_blank", "noopener");
+    }, true);
+    document.documentElement.dataset.bcmsVisualEditing = "on";
+  })();
+</script>

package/dist/index.d.ts

@@ -0,0 +1,53 @@
+import { AstroIntegration } from 'astro';
+export { BcmsLocals, BetterCMSRuntime, RuntimeConfig, liveSrc } from './runtime.js';
+export { ImageFit, ImageFormat, ImageSource, ImageUrlBuilder, imageUrl, default as imageUrlBuilder } from '@betttercms/image-url';
+export { ContentBlock, DeliveryEntry, DeliveryList, DeliveryPage, Perspective } from '@betttercms/types';
+export { DeliveryForm, DeliveryFormField } from '@betttercms/sdk';
+
+/**
+ * Resolved configuration shared by the integration, runtime, middleware and
+ * draft routes. Public values are safe to ship to the browser; the API key and
+ * draft secret are read from server env at runtime and never live here.
+ */
+declare const DRAFT_COOKIE = "bcms-draft";
+interface BetterCMSAstroOptions {
+    /** Backend base, e.g. `https://api.bettercms.ai`. Falls back to `PUBLIC_BCMS_API_URL`. */
+    apiUrl?: string;
+    /** Workspace slug. Falls back to `PUBLIC_BCMS_WORKSPACE`. */
+    workspace?: string;
+    /** Optional project scope for forms. Falls back to `PUBLIC_BCMS_PROJECT_ID`. */
+    projectId?: string;
+    /** Media host for the image-url builder. Defaults to the prod media host. */
+    mediaUrl?: string;
+    /** Dashboard base for visual-editing deep links. */
+    studioUrl?: string;
+    /** Enable the draft-mode middleware + injected draft routes. Default true. */
+    draft?: boolean;
+}
+/** Browser-safe config — exposed via the `bettercms:config` virtual module. */
+interface PublicConfig {
+    apiUrl: string;
+    workspace: string;
+    projectId?: string;
+    mediaUrl: string;
+    studioUrl?: string;
+    draftCookie: string;
+}
+interface ResolvedConfig extends PublicConfig {
+    draft: boolean;
+}
+/** Merge integration options with `PUBLIC_BCMS_*` env, validating the essentials. */
+declare function resolveConfig(options: BetterCMSAstroOptions, env?: Record<string, string | undefined>): ResolvedConfig;
+
+/**
+ * `bettercms()` — the Astro integration.
+ *
+ * - Registers two virtual modules:
+ *     `bettercms:client`  → server runtime (client + typed loaders) — has the key.
+ *     `bettercms:config`  → browser-safe public config — no secrets.
+ * - Adds the draft-mode middleware and injects the draft enable/disable routes.
+ */
+
+declare function bettercms(options?: BetterCMSAstroOptions): AstroIntegration;
+
+export { type BetterCMSAstroOptions, DRAFT_COOKIE, type PublicConfig, type ResolvedConfig, bettercms, bettercms as default, resolveConfig };

package/dist/index.js

@@ -0,0 +1,111 @@
+// src/config.ts
+var DEFAULT_MEDIA_URL = "https://media.bettercms.ai";
+var DRAFT_COOKIE = "bcms-draft";
+function resolveConfig(options, env = process.env) {
+  const apiUrl = (options.apiUrl ?? env.PUBLIC_BCMS_API_URL ?? "").replace(/\/+$/, "");
+  const workspace = options.workspace ?? env.PUBLIC_BCMS_WORKSPACE ?? "";
+  if (!apiUrl) throw new Error("[@betttercms/astro] `apiUrl` (or PUBLIC_BCMS_API_URL) is required");
+  if (!workspace) throw new Error("[@betttercms/astro] `workspace` (or PUBLIC_BCMS_WORKSPACE) is required");
+  return {
+    apiUrl,
+    workspace,
+    projectId: options.projectId ?? env.PUBLIC_BCMS_PROJECT_ID,
+    mediaUrl: (options.mediaUrl ?? env.PUBLIC_BCMS_MEDIA_URL ?? DEFAULT_MEDIA_URL).replace(/\/+$/, ""),
+    studioUrl: options.studioUrl ?? env.PUBLIC_BCMS_STUDIO_URL,
+    draftCookie: DRAFT_COOKIE,
+    draft: options.draft ?? true
+  };
+}
+function toPublicConfig(c) {
+  const { draft: _draft, ...pub } = c;
+  return pub;
+}
+
+// src/integration.ts
+var CLIENT_ID = "bettercms:client";
+var CONFIG_ID = "bettercms:config";
+var RESOLVED = (id) => `\0${id}`;
+function configModule(cfg) {
+  return `export const config = ${JSON.stringify(toPublicConfig(cfg))};
+export default config;
+`;
+}
+function clientModule(cfg) {
+  return [
+    `import { createRuntime } from "@betttercms/astro/runtime";`,
+    `const runtime = createRuntime({`,
+    `  apiUrl: ${JSON.stringify(cfg.apiUrl)},`,
+    `  workspace: ${JSON.stringify(cfg.workspace)},`,
+    `  projectId: ${JSON.stringify(cfg.projectId)},`,
+    `  apiKey: import.meta.env.BCMS_API_KEY,`,
+    `});`,
+    `export const client = runtime.client;`,
+    `export const getClient = runtime.getClient;`,
+    `export const loadEntry = runtime.loadEntry;`,
+    `export const loadEntries = runtime.loadEntries;`,
+    `export const loadPage = runtime.loadPage;`,
+    `export const loadForms = runtime.loadForms;`,
+    `export default runtime;`
+  ].join("\n");
+}
+function virtualPlugin(cfg) {
+  return {
+    name: "@betttercms/astro:virtual",
+    resolveId(id) {
+      if (id === CLIENT_ID || id === CONFIG_ID) return RESOLVED(id);
+      return null;
+    },
+    load(id) {
+      if (id === RESOLVED(CONFIG_ID)) return configModule(cfg);
+      if (id === RESOLVED(CLIENT_ID)) return clientModule(cfg);
+      return null;
+    }
+  };
+}
+function bettercms(options = {}) {
+  return {
+    name: "@betttercms/astro",
+    hooks: {
+      "astro:config:setup": ({ updateConfig, addMiddleware, injectRoute, logger }) => {
+        const cfg = resolveConfig(options);
+        updateConfig({ vite: { plugins: [virtualPlugin(cfg)] } });
+        if (cfg.draft) {
+          addMiddleware({ entrypoint: "@betttercms/astro/middleware", order: "pre" });
+          injectRoute({
+            pattern: "/api/bcms/draft/enable",
+            entrypoint: "@betttercms/astro/draft-enable",
+            prerender: false
+          });
+          injectRoute({
+            pattern: "/api/bcms/draft/disable",
+            entrypoint: "@betttercms/astro/draft-disable",
+            prerender: false
+          });
+          logger.info("draft mode enabled \u2014 /api/bcms/draft/{enable,disable} injected");
+        }
+      }
+    }
+  };
+}
+var integration_default = bettercms;
+
+// src/runtime.ts
+import { createClient } from "@betttercms/sdk";
+function liveSrc(opts) {
+  const base = opts.apiUrl.replace(/\/+$/, "");
+  return `${base}/api/v1/delivery/${opts.workspace}/live?key=${encodeURIComponent(opts.apiKey)}`;
+}
+var enc = new TextEncoder();
+
+// src/index.ts
+import { default as default2, imageUrl } from "@betttercms/image-url";
+export {
+  DRAFT_COOKIE,
+  bettercms,
+  integration_default as default,
+  imageUrl,
+  default2 as imageUrlBuilder,
+  liveSrc,
+  resolveConfig
+};
+//# sourceMappingURL=index.js.map

package/dist/index.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../src/config.ts","../src/integration.ts","../src/runtime.ts","../src/index.ts"],"sourcesContent":["/**\n * Resolved configuration shared by the integration, runtime, middleware and\n * draft routes. Public values are safe to ship to the browser; the API key and\n * draft secret are read from server env at runtime and never live here.\n */\n\nconst DEFAULT_MEDIA_URL = \"https://media.bettercms.ai\";\nexport const DRAFT_COOKIE = \"bcms-draft\";\n\nexport interface BetterCMSAstroOptions {\n  /** Backend base, e.g. `https://api.bettercms.ai`. Falls back to `PUBLIC_BCMS_API_URL`. */\n  apiUrl?: string;\n  /** Workspace slug. Falls back to `PUBLIC_BCMS_WORKSPACE`. */\n  workspace?: string;\n  /** Optional project scope for forms. Falls back to `PUBLIC_BCMS_PROJECT_ID`. */\n  projectId?: string;\n  /** Media host for the image-url builder. Defaults to the prod media host. */\n  mediaUrl?: string;\n  /** Dashboard base for visual-editing deep links. */\n  studioUrl?: string;\n  /** Enable the draft-mode middleware + injected draft routes. Default true. */\n  draft?: boolean;\n}\n\n/** Browser-safe config — exposed via the `bettercms:config` virtual module. */\nexport interface PublicConfig {\n  apiUrl: string;\n  workspace: string;\n  projectId?: string;\n  mediaUrl: string;\n  studioUrl?: string;\n  draftCookie: string;\n}\n\nexport interface ResolvedConfig extends PublicConfig {\n  draft: boolean;\n}\n\n/** Merge integration options with `PUBLIC_BCMS_*` env, validating the essentials. */\nexport function resolveConfig(\n  options: BetterCMSAstroOptions,\n  env: Record<string, string | undefined> = process.env,\n): ResolvedConfig {\n  const apiUrl = (options.apiUrl ?? env.PUBLIC_BCMS_API_URL ?? \"\").replace(/\\/+$/, \"\");\n  const workspace = options.workspace ?? env.PUBLIC_BCMS_WORKSPACE ?? \"\";\n  if (!apiUrl) throw new Error(\"[@betttercms/astro] `apiUrl` (or PUBLIC_BCMS_API_URL) is required\");\n  if (!workspace) throw new Error(\"[@betttercms/astro] `workspace` (or PUBLIC_BCMS_WORKSPACE) is required\");\n\n  return {\n    apiUrl,\n    workspace,\n    projectId: options.projectId ?? env.PUBLIC_BCMS_PROJECT_ID,\n    mediaUrl: (options.mediaUrl ?? env.PUBLIC_BCMS_MEDIA_URL ?? DEFAULT_MEDIA_URL).replace(/\\/+$/, \"\"),\n    studioUrl: options.studioUrl ?? env.PUBLIC_BCMS_STUDIO_URL,\n    draftCookie: DRAFT_COOKIE,\n    draft: options.draft ?? true,\n  };\n}\n\nexport function toPublicConfig(c: ResolvedConfig): PublicConfig {\n  const { draft: _draft, ...pub } = c;\n  return pub;\n}\n","/**\n * `bettercms()` — the Astro integration.\n *\n * - Registers two virtual modules:\n *     `bettercms:client`  → server runtime (client + typed loaders) — has the key.\n *     `bettercms:config`  → browser-safe public config — no secrets.\n * - Adds the draft-mode middleware and injects the draft enable/disable routes.\n */\nimport type { AstroIntegration } from \"astro\";\nimport {\n  resolveConfig,\n  toPublicConfig,\n  type BetterCMSAstroOptions,\n  type ResolvedConfig,\n} from \"./config.js\";\n\nconst CLIENT_ID = \"bettercms:client\";\nconst CONFIG_ID = \"bettercms:config\";\nconst RESOLVED = (id: string) => `\\0${id}`;\n\nfunction configModule(cfg: ResolvedConfig): string {\n  return `export const config = ${JSON.stringify(toPublicConfig(cfg))};\\nexport default config;\\n`;\n}\n\nfunction clientModule(cfg: ResolvedConfig): string {\n  // The key is read from server env at runtime so it never lands in a client\n  // bundle. Public values are inlined.\n  return [\n    `import { createRuntime } from \"@betttercms/astro/runtime\";`,\n    `const runtime = createRuntime({`,\n    `  apiUrl: ${JSON.stringify(cfg.apiUrl)},`,\n    `  workspace: ${JSON.stringify(cfg.workspace)},`,\n    `  projectId: ${JSON.stringify(cfg.projectId)},`,\n    `  apiKey: import.meta.env.BCMS_API_KEY,`,\n    `});`,\n    `export const client = runtime.client;`,\n    `export const getClient = runtime.getClient;`,\n    `export const loadEntry = runtime.loadEntry;`,\n    `export const loadEntries = runtime.loadEntries;`,\n    `export const loadPage = runtime.loadPage;`,\n    `export const loadForms = runtime.loadForms;`,\n    `export default runtime;`,\n  ].join(\"\\n\");\n}\n\nfunction virtualPlugin(cfg: ResolvedConfig) {\n  return {\n    name: \"@betttercms/astro:virtual\",\n    resolveId(id: string) {\n      if (id === CLIENT_ID || id === CONFIG_ID) return RESOLVED(id);\n      return null;\n    },\n    load(id: string) {\n      if (id === RESOLVED(CONFIG_ID)) return configModule(cfg);\n      if (id === RESOLVED(CLIENT_ID)) return clientModule(cfg);\n      return null;\n    },\n  };\n}\n\nexport function bettercms(options: BetterCMSAstroOptions = {}): AstroIntegration {\n  return {\n    name: \"@betttercms/astro\",\n    hooks: {\n      \"astro:config:setup\": ({ updateConfig, addMiddleware, injectRoute, logger }) => {\n        const cfg = resolveConfig(options);\n\n        updateConfig({ vite: { plugins: [virtualPlugin(cfg)] } });\n\n        if (cfg.draft) {\n          addMiddleware({ entrypoint: \"@betttercms/astro/middleware\", order: \"pre\" });\n          injectRoute({\n            pattern: \"/api/bcms/draft/enable\",\n            entrypoint: \"@betttercms/astro/draft-enable\",\n            prerender: false,\n          });\n          injectRoute({\n            pattern: \"/api/bcms/draft/disable\",\n            entrypoint: \"@betttercms/astro/draft-disable\",\n            prerender: false,\n          });\n          logger.info(\"draft mode enabled — /api/bcms/draft/{enable,disable} injected\");\n        }\n      },\n    },\n  };\n}\n\nexport default bettercms;\n","/**\n * Runtime for @betttercms/astro — the code the `bettercms:client` virtual\n * module binds to. Provides a published client, per-request draft client\n * selection, typed loaders, and signed-cookie helpers for draft mode.\n *\n * Read-only; no I/O at import time. Safe in Node and edge runtimes (uses Web\n * Crypto + global fetch only).\n */\nimport { createClient, type BetterCMSReadClient } from \"@betttercms/sdk\";\nimport type { DeliveryEntry, DeliveryList, DeliveryPage } from \"@betttercms/types\";\n\nexport interface RuntimeConfig {\n  apiUrl: string;\n  workspace: string;\n  projectId?: string;\n  /** Server-only delivery key (a `content:read:draft` key for drafts). */\n  apiKey?: string;\n}\n\n/** Per-request draft state, set on `Astro.locals.bcms` by the middleware. */\nexport interface BcmsLocals {\n  draft: boolean;\n  token?: string;\n}\n\ninterface HasLocals {\n  locals: { bcms?: BcmsLocals };\n}\n\nexport interface BetterCMSRuntime {\n  /** Published-perspective client (use for SSG / non-draft reads). */\n  client: BetterCMSReadClient;\n  /** Pick the right client for a request (draft client when draft mode is on). */\n  getClient(astro?: HasLocals): BetterCMSReadClient;\n  loadEntry<T = Record<string, unknown>>(\n    astro: HasLocals,\n    slug: string,\n    opts?: Parameters<BetterCMSReadClient[\"getEntry\"]>[1],\n  ): Promise<DeliveryEntry<T>>;\n  loadEntries<T = Record<string, unknown>>(\n    astro: HasLocals,\n    opts?: Parameters<BetterCMSReadClient[\"listEntries\"]>[0],\n  ): Promise<DeliveryList<DeliveryEntry<T>>>;\n  loadPage(astro: HasLocals, slug: string): Promise<DeliveryPage | null>;\n  loadForms(\n    astro: HasLocals,\n    opts?: Parameters<BetterCMSReadClient[\"listForms\"]>[0],\n  ): Promise<Awaited<ReturnType<BetterCMSReadClient[\"listForms\"]>>>;\n}\n\nexport function createRuntime(config: RuntimeConfig): BetterCMSRuntime {\n  const published = createClient({ ...config, perspective: \"published\" });\n\n  const getClient = (astro?: HasLocals): BetterCMSReadClient => {\n    const bcms = astro?.locals?.bcms;\n    if (bcms?.draft) {\n      return createClient({ ...config, perspective: \"drafts\", previewToken: bcms.token });\n    }\n    return published;\n  };\n\n  return {\n    client: published,\n    getClient,\n    loadEntry: (astro, slug, opts) => getClient(astro).getEntry(slug, opts),\n    loadEntries: (astro, opts) => getClient(astro).listEntries(opts),\n    loadPage: (astro, slug) => getClient(astro).getPage(slug),\n    loadForms: (astro, opts) => getClient(astro).listForms(opts),\n  };\n}\n\n/**\n * Build the live SSE URL for `<BcmsLive>`. The key is a query param because\n * browser EventSource cannot send headers — use a content:read key.\n */\nexport function liveSrc(opts: { apiUrl: string; workspace: string; apiKey: string }): string {\n  const base = opts.apiUrl.replace(/\\/+$/, \"\");\n  return `${base}/api/v1/delivery/${opts.workspace}/live?key=${encodeURIComponent(opts.apiKey)}`;\n}\n\n// ── Signed-cookie helpers (HMAC-SHA256, base64url) ──────────────────────────\n\nconst enc = new TextEncoder();\n\nfunction base64url(bytes: ArrayBuffer): string {\n  const b = btoa(String.fromCharCode(...new Uint8Array(bytes)));\n  return b.replace(/\\+/g, \"-\").replace(/\\//g, \"_\").replace(/=+$/, \"\");\n}\n\nasync function hmac(value: string, secret: string): Promise<string> {\n  const key = await crypto.subtle.importKey(\n    \"raw\",\n    enc.encode(secret),\n    { name: \"HMAC\", hash: \"SHA-256\" },\n    false,\n    [\"sign\"],\n  );\n  return base64url(await crypto.subtle.sign(\"HMAC\", key, enc.encode(value)));\n}\n\n/** Sign a value as `value.sig` for tamper-evident cookie storage. */\nexport async function signValue(value: string, secret: string): Promise<string> {\n  return `${value}.${await hmac(value, secret)}`;\n}\n\n/** Verify a signed value, returning the original value or null if tampered. */\nexport async function verifyValue(signed: string, secret: string): Promise<string | null> {\n  const idx = signed.lastIndexOf(\".\");\n  if (idx < 0) return null;\n  const value = signed.slice(0, idx);\n  const sig = signed.slice(idx + 1);\n  const expected = await hmac(value, secret);\n  // Constant-time-ish compare via length + char accumulation.\n  if (sig.length !== expected.length) return null;\n  let diff = 0;\n  for (let i = 0; i < sig.length; i++) diff |= sig.charCodeAt(i) ^ expected.charCodeAt(i);\n  return diff === 0 ? value : null;\n}\n\n/** Decode a preview-token JWT payload (UNVERIFIED) to read its `entrySlug`. */\nexport function decodeTokenSlug(token: string): string | null {\n  try {\n    const part = token.split(\".\")[1];\n    if (!part) return null;\n    const json = JSON.parse(\n      atob(part.replace(/-/g, \"+\").replace(/_/g, \"/\")),\n    ) as { entrySlug?: string };\n    return json.entrySlug ?? null;\n  } catch {\n    return null;\n  }\n}\n","/**\n * @betttercms/astro — the BetterCMS adapter for Astro.\n *\n *   import { defineConfig } from \"astro/config\";\n *   import bettercms from \"@betttercms/astro\";\n *\n *   export default defineConfig({\n *     integrations: [bettercms({ apiUrl, workspace })],\n *     output: \"server\",\n *   });\n *\n * Then in any page: `import { loadPage } from \"bettercms:client\"`.\n */\nexport { bettercms, default } from \"./integration.js\";\nexport {\n  resolveConfig,\n  DRAFT_COOKIE,\n  type BetterCMSAstroOptions,\n  type PublicConfig,\n  type ResolvedConfig,\n} from \"./config.js\";\nexport { liveSrc } from \"./runtime.js\";\nexport type { BcmsLocals, BetterCMSRuntime, RuntimeConfig } from \"./runtime.js\";\n\n// Image URL builder, re-exported for `<BcmsImage>` and host code.\nexport { default as imageUrlBuilder, imageUrl } from \"@betttercms/image-url\";\nexport type {\n  ImageUrlBuilder,\n  ImageSource,\n  ImageFormat,\n  ImageFit,\n} from \"@betttercms/image-url\";\n\n// Delivery read types, re-exported for typing page/entry data.\nexport type {\n  Perspective,\n  DeliveryEntry,\n  DeliveryPage,\n  DeliveryList,\n  ContentBlock,\n} from \"@betttercms/types\";\nexport type { DeliveryForm, DeliveryFormField } from \"@betttercms/sdk\";\n"],"mappings":";AAMA,IAAM,oBAAoB;AACnB,IAAM,eAAe;AAgCrB,SAAS,cACd,SACA,MAA0C,QAAQ,KAClC;AAChB,QAAM,UAAU,QAAQ,UAAU,IAAI,uBAAuB,IAAI,QAAQ,QAAQ,EAAE;AACnF,QAAM,YAAY,QAAQ,aAAa,IAAI,yBAAyB;AACpE,MAAI,CAAC,OAAQ,OAAM,IAAI,MAAM,mEAAmE;AAChG,MAAI,CAAC,UAAW,OAAM,IAAI,MAAM,wEAAwE;AAExG,SAAO;AAAA,IACL;AAAA,IACA;AAAA,IACA,WAAW,QAAQ,aAAa,IAAI;AAAA,IACpC,WAAW,QAAQ,YAAY,IAAI,yBAAyB,mBAAmB,QAAQ,QAAQ,EAAE;AAAA,IACjG,WAAW,QAAQ,aAAa,IAAI;AAAA,IACpC,aAAa;AAAA,IACb,OAAO,QAAQ,SAAS;AAAA,EAC1B;AACF;AAEO,SAAS,eAAe,GAAiC;AAC9D,QAAM,EAAE,OAAO,QAAQ,GAAG,IAAI,IAAI;AAClC,SAAO;AACT;;;AC9CA,IAAM,YAAY;AAClB,IAAM,YAAY;AAClB,IAAM,WAAW,CAAC,OAAe,KAAK,EAAE;AAExC,SAAS,aAAa,KAA6B;AACjD,SAAO,yBAAyB,KAAK,UAAU,eAAe,GAAG,CAAC,CAAC;AAAA;AAAA;AACrE;AAEA,SAAS,aAAa,KAA6B;AAGjD,SAAO;AAAA,IACL;AAAA,IACA;AAAA,IACA,aAAa,KAAK,UAAU,IAAI,MAAM,CAAC;AAAA,IACvC,gBAAgB,KAAK,UAAU,IAAI,SAAS,CAAC;AAAA,IAC7C,gBAAgB,KAAK,UAAU,IAAI,SAAS,CAAC;AAAA,IAC7C;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,EACF,EAAE,KAAK,IAAI;AACb;AAEA,SAAS,cAAc,KAAqB;AAC1C,SAAO;AAAA,IACL,MAAM;AAAA,IACN,UAAU,IAAY;AACpB,UAAI,OAAO,aAAa,OAAO,UAAW,QAAO,SAAS,EAAE;AAC5D,aAAO;AAAA,IACT;AAAA,IACA,KAAK,IAAY;AACf,UAAI,OAAO,SAAS,SAAS,EAAG,QAAO,aAAa,GAAG;AACvD,UAAI,OAAO,SAAS,SAAS,EAAG,QAAO,aAAa,GAAG;AACvD,aAAO;AAAA,IACT;AAAA,EACF;AACF;AAEO,SAAS,UAAU,UAAiC,CAAC,GAAqB;AAC/E,SAAO;AAAA,IACL,MAAM;AAAA,IACN,OAAO;AAAA,MACL,sBAAsB,CAAC,EAAE,cAAc,eAAe,aAAa,OAAO,MAAM;AAC9E,cAAM,MAAM,cAAc,OAAO;AAEjC,qBAAa,EAAE,MAAM,EAAE,SAAS,CAAC,cAAc,GAAG,CAAC,EAAE,EAAE,CAAC;AAExD,YAAI,IAAI,OAAO;AACb,wBAAc,EAAE,YAAY,gCAAgC,OAAO,MAAM,CAAC;AAC1E,sBAAY;AAAA,YACV,SAAS;AAAA,YACT,YAAY;AAAA,YACZ,WAAW;AAAA,UACb,CAAC;AACD,sBAAY;AAAA,YACV,SAAS;AAAA,YACT,YAAY;AAAA,YACZ,WAAW;AAAA,UACb,CAAC;AACD,iBAAO,KAAK,qEAAgE;AAAA,QAC9E;AAAA,MACF;AAAA,IACF;AAAA,EACF;AACF;AAEA,IAAO,sBAAQ;;;AChFf,SAAS,oBAA8C;AAmEhD,SAAS,QAAQ,MAAqE;AAC3F,QAAM,OAAO,KAAK,OAAO,QAAQ,QAAQ,EAAE;AAC3C,SAAO,GAAG,IAAI,oBAAoB,KAAK,SAAS,aAAa,mBAAmB,KAAK,MAAM,CAAC;AAC9F;AAIA,IAAM,MAAM,IAAI,YAAY;;;ACzD5B,SAAoB,WAAXA,UAA4B,gBAAgB;","names":["default"]}

package/dist/middleware-entry.d.ts

@@ -0,0 +1,12 @@
+import { MiddlewareHandler } from 'astro';
+
+/**
+ * Draft-mode middleware (registered via `addMiddleware`).
+ *
+ * Reads the signed draft cookie, verifies it with `BCMS_DRAFT_SECRET`, and
+ * publishes the result on `Astro.locals.bcms` so loaders pick the draft client.
+ */
+
+declare const onRequest: MiddlewareHandler;
+
+export { onRequest };

package/dist/middleware-entry.js

@@ -0,0 +1,48 @@
+// src/middleware-entry.ts
+import config from "bettercms:config";
+
+// src/runtime.ts
+import { createClient } from "@betttercms/sdk";
+var enc = new TextEncoder();
+function base64url(bytes) {
+  const b = btoa(String.fromCharCode(...new Uint8Array(bytes)));
+  return b.replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
+}
+async function hmac(value, secret) {
+  const key = await crypto.subtle.importKey(
+    "raw",
+    enc.encode(secret),
+    { name: "HMAC", hash: "SHA-256" },
+    false,
+    ["sign"]
+  );
+  return base64url(await crypto.subtle.sign("HMAC", key, enc.encode(value)));
+}
+async function verifyValue(signed, secret) {
+  const idx = signed.lastIndexOf(".");
+  if (idx < 0) return null;
+  const value = signed.slice(0, idx);
+  const sig = signed.slice(idx + 1);
+  const expected = await hmac(value, secret);
+  if (sig.length !== expected.length) return null;
+  let diff = 0;
+  for (let i = 0; i < sig.length; i++) diff |= sig.charCodeAt(i) ^ expected.charCodeAt(i);
+  return diff === 0 ? value : null;
+}
+
+// src/middleware-entry.ts
+var onRequest = async (context, next) => {
+  const cookie = context.cookies.get(config.draftCookie)?.value;
+  const secret = import.meta.env.BCMS_DRAFT_SECRET;
+  let locals = { draft: false };
+  if (cookie && secret) {
+    const token = await verifyValue(cookie, secret);
+    if (token) locals = { draft: true, token };
+  }
+  context.locals.bcms = locals;
+  return next();
+};
+export {
+  onRequest
+};
+//# sourceMappingURL=middleware-entry.js.map

package/dist/middleware-entry.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../src/middleware-entry.ts","../src/runtime.ts"],"sourcesContent":["/**\n * Draft-mode middleware (registered via `addMiddleware`).\n *\n * Reads the signed draft cookie, verifies it with `BCMS_DRAFT_SECRET`, and\n * publishes the result on `Astro.locals.bcms` so loaders pick the draft client.\n */\nimport type { MiddlewareHandler } from \"astro\";\nimport config from \"bettercms:config\";\nimport { verifyValue, type BcmsLocals } from \"./runtime.js\";\n\nexport const onRequest: MiddlewareHandler = async (context, next) => {\n  const cookie = context.cookies.get(config.draftCookie)?.value;\n  const secret = import.meta.env.BCMS_DRAFT_SECRET as string | undefined;\n\n  let locals: BcmsLocals = { draft: false };\n  if (cookie && secret) {\n    const token = await verifyValue(cookie, secret);\n    if (token) locals = { draft: true, token };\n  }\n  context.locals.bcms = locals;\n\n  return next();\n};\n","/**\n * Runtime for @betttercms/astro — the code the `bettercms:client` virtual\n * module binds to. Provides a published client, per-request draft client\n * selection, typed loaders, and signed-cookie helpers for draft mode.\n *\n * Read-only; no I/O at import time. Safe in Node and edge runtimes (uses Web\n * Crypto + global fetch only).\n */\nimport { createClient, type BetterCMSReadClient } from \"@betttercms/sdk\";\nimport type { DeliveryEntry, DeliveryList, DeliveryPage } from \"@betttercms/types\";\n\nexport interface RuntimeConfig {\n  apiUrl: string;\n  workspace: string;\n  projectId?: string;\n  /** Server-only delivery key (a `content:read:draft` key for drafts). */\n  apiKey?: string;\n}\n\n/** Per-request draft state, set on `Astro.locals.bcms` by the middleware. */\nexport interface BcmsLocals {\n  draft: boolean;\n  token?: string;\n}\n\ninterface HasLocals {\n  locals: { bcms?: BcmsLocals };\n}\n\nexport interface BetterCMSRuntime {\n  /** Published-perspective client (use for SSG / non-draft reads). */\n  client: BetterCMSReadClient;\n  /** Pick the right client for a request (draft client when draft mode is on). */\n  getClient(astro?: HasLocals): BetterCMSReadClient;\n  loadEntry<T = Record<string, unknown>>(\n    astro: HasLocals,\n    slug: string,\n    opts?: Parameters<BetterCMSReadClient[\"getEntry\"]>[1],\n  ): Promise<DeliveryEntry<T>>;\n  loadEntries<T = Record<string, unknown>>(\n    astro: HasLocals,\n    opts?: Parameters<BetterCMSReadClient[\"listEntries\"]>[0],\n  ): Promise<DeliveryList<DeliveryEntry<T>>>;\n  loadPage(astro: HasLocals, slug: string): Promise<DeliveryPage | null>;\n  loadForms(\n    astro: HasLocals,\n    opts?: Parameters<BetterCMSReadClient[\"listForms\"]>[0],\n  ): Promise<Awaited<ReturnType<BetterCMSReadClient[\"listForms\"]>>>;\n}\n\nexport function createRuntime(config: RuntimeConfig): BetterCMSRuntime {\n  const published = createClient({ ...config, perspective: \"published\" });\n\n  const getClient = (astro?: HasLocals): BetterCMSReadClient => {\n    const bcms = astro?.locals?.bcms;\n    if (bcms?.draft) {\n      return createClient({ ...config, perspective: \"drafts\", previewToken: bcms.token });\n    }\n    return published;\n  };\n\n  return {\n    client: published,\n    getClient,\n    loadEntry: (astro, slug, opts) => getClient(astro).getEntry(slug, opts),\n    loadEntries: (astro, opts) => getClient(astro).listEntries(opts),\n    loadPage: (astro, slug) => getClient(astro).getPage(slug),\n    loadForms: (astro, opts) => getClient(astro).listForms(opts),\n  };\n}\n\n/**\n * Build the live SSE URL for `<BcmsLive>`. The key is a query param because\n * browser EventSource cannot send headers — use a content:read key.\n */\nexport function liveSrc(opts: { apiUrl: string; workspace: string; apiKey: string }): string {\n  const base = opts.apiUrl.replace(/\\/+$/, \"\");\n  return `${base}/api/v1/delivery/${opts.workspace}/live?key=${encodeURIComponent(opts.apiKey)}`;\n}\n\n// ── Signed-cookie helpers (HMAC-SHA256, base64url) ──────────────────────────\n\nconst enc = new TextEncoder();\n\nfunction base64url(bytes: ArrayBuffer): string {\n  const b = btoa(String.fromCharCode(...new Uint8Array(bytes)));\n  return b.replace(/\\+/g, \"-\").replace(/\\//g, \"_\").replace(/=+$/, \"\");\n}\n\nasync function hmac(value: string, secret: string): Promise<string> {\n  const key = await crypto.subtle.importKey(\n    \"raw\",\n    enc.encode(secret),\n    { name: \"HMAC\", hash: \"SHA-256\" },\n    false,\n    [\"sign\"],\n  );\n  return base64url(await crypto.subtle.sign(\"HMAC\", key, enc.encode(value)));\n}\n\n/** Sign a value as `value.sig` for tamper-evident cookie storage. */\nexport async function signValue(value: string, secret: string): Promise<string> {\n  return `${value}.${await hmac(value, secret)}`;\n}\n\n/** Verify a signed value, returning the original value or null if tampered. */\nexport async function verifyValue(signed: string, secret: string): Promise<string | null> {\n  const idx = signed.lastIndexOf(\".\");\n  if (idx < 0) return null;\n  const value = signed.slice(0, idx);\n  const sig = signed.slice(idx + 1);\n  const expected = await hmac(value, secret);\n  // Constant-time-ish compare via length + char accumulation.\n  if (sig.length !== expected.length) return null;\n  let diff = 0;\n  for (let i = 0; i < sig.length; i++) diff |= sig.charCodeAt(i) ^ expected.charCodeAt(i);\n  return diff === 0 ? value : null;\n}\n\n/** Decode a preview-token JWT payload (UNVERIFIED) to read its `entrySlug`. */\nexport function decodeTokenSlug(token: string): string | null {\n  try {\n    const part = token.split(\".\")[1];\n    if (!part) return null;\n    const json = JSON.parse(\n      atob(part.replace(/-/g, \"+\").replace(/_/g, \"/\")),\n    ) as { entrySlug?: string };\n    return json.entrySlug ?? null;\n  } catch {\n    return null;\n  }\n}\n"],"mappings":";AAOA,OAAO,YAAY;;;ACCnB,SAAS,oBAA8C;AA0EvD,IAAM,MAAM,IAAI,YAAY;AAE5B,SAAS,UAAU,OAA4B;AAC7C,QAAM,IAAI,KAAK,OAAO,aAAa,GAAG,IAAI,WAAW,KAAK,CAAC,CAAC;AAC5D,SAAO,EAAE,QAAQ,OAAO,GAAG,EAAE,QAAQ,OAAO,GAAG,EAAE,QAAQ,OAAO,EAAE;AACpE;AAEA,eAAe,KAAK,OAAe,QAAiC;AAClE,QAAM,MAAM,MAAM,OAAO,OAAO;AAAA,IAC9B;AAAA,IACA,IAAI,OAAO,MAAM;AAAA,IACjB,EAAE,MAAM,QAAQ,MAAM,UAAU;AAAA,IAChC;AAAA,IACA,CAAC,MAAM;AAAA,EACT;AACA,SAAO,UAAU,MAAM,OAAO,OAAO,KAAK,QAAQ,KAAK,IAAI,OAAO,KAAK,CAAC,CAAC;AAC3E;AAQA,eAAsB,YAAY,QAAgB,QAAwC;AACxF,QAAM,MAAM,OAAO,YAAY,GAAG;AAClC,MAAI,MAAM,EAAG,QAAO;AACpB,QAAM,QAAQ,OAAO,MAAM,GAAG,GAAG;AACjC,QAAM,MAAM,OAAO,MAAM,MAAM,CAAC;AAChC,QAAM,WAAW,MAAM,KAAK,OAAO,MAAM;AAEzC,MAAI,IAAI,WAAW,SAAS,OAAQ,QAAO;AAC3C,MAAI,OAAO;AACX,WAAS,IAAI,GAAG,IAAI,IAAI,QAAQ,IAAK,SAAQ,IAAI,WAAW,CAAC,IAAI,SAAS,WAAW,CAAC;AACtF,SAAO,SAAS,IAAI,QAAQ;AAC9B;;;AD3GO,IAAM,YAA+B,OAAO,SAAS,SAAS;AACnE,QAAM,SAAS,QAAQ,QAAQ,IAAI,OAAO,WAAW,GAAG;AACxD,QAAM,SAAS,YAAY,IAAI;AAE/B,MAAI,SAAqB,EAAE,OAAO,MAAM;AACxC,MAAI,UAAU,QAAQ;AACpB,UAAM,QAAQ,MAAM,YAAY,QAAQ,MAAM;AAC9C,QAAI,MAAO,UAAS,EAAE,OAAO,MAAM,MAAM;AAAA,EAC3C;AACA,UAAQ,OAAO,OAAO;AAEtB,SAAO,KAAK;AACd;","names":[]}

package/dist/routes/draft-disable.d.ts

@@ -0,0 +1,9 @@
+import { APIRoute } from 'astro';
+
+/**
+ * GET /api/bcms/draft/disable?redirect=/path — clear the draft cookie.
+ */
+
+declare const GET: APIRoute;
+
+export { GET };

package/dist/routes/draft-disable.js

@@ -0,0 +1,11 @@
+// src/routes/draft-disable.ts
+import config from "bettercms:config";
+var GET = async (context) => {
+  const redirectTo = new URL(context.request.url).searchParams.get("redirect") ?? "/";
+  context.cookies.delete(config.draftCookie, { path: "/" });
+  return context.redirect(redirectTo, 302);
+};
+export {
+  GET
+};
+//# sourceMappingURL=draft-disable.js.map

package/dist/routes/draft-disable.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../../src/routes/draft-disable.ts"],"sourcesContent":["/**\n * GET /api/bcms/draft/disable?redirect=/path — clear the draft cookie.\n */\nimport type { APIRoute } from \"astro\";\nimport config from \"bettercms:config\";\n\nexport const GET: APIRoute = async (context) => {\n  const redirectTo = new URL(context.request.url).searchParams.get(\"redirect\") ?? \"/\";\n  context.cookies.delete(config.draftCookie, { path: \"/\" });\n  return context.redirect(redirectTo, 302);\n};\n"],"mappings":";AAIA,OAAO,YAAY;AAEZ,IAAM,MAAgB,OAAO,YAAY;AAC9C,QAAM,aAAa,IAAI,IAAI,QAAQ,QAAQ,GAAG,EAAE,aAAa,IAAI,UAAU,KAAK;AAChF,UAAQ,QAAQ,OAAO,OAAO,aAAa,EAAE,MAAM,IAAI,CAAC;AACxD,SAAO,QAAQ,SAAS,YAAY,GAAG;AACzC;","names":[]}

package/dist/routes/draft-enable.d.ts

@@ -0,0 +1,13 @@
+import { APIRoute } from 'astro';
+
+/**
+ * GET /api/bcms/draft/enable?token=<jwt>&redirect=/path
+ *
+ * Validates the preview token against the backend `/preview/:slug` endpoint
+ * (the backend is the signature authority), then sets a signed draft cookie and
+ * redirects. Requires `BCMS_DRAFT_SECRET` in the server env.
+ */
+
+declare const GET: APIRoute;
+
+export { GET };

package/dist/routes/draft-enable.js

@@ -0,0 +1,64 @@
+// src/routes/draft-enable.ts
+import config from "bettercms:config";
+
+// src/runtime.ts
+import { createClient } from "@betttercms/sdk";
+var enc = new TextEncoder();
+function base64url(bytes) {
+  const b = btoa(String.fromCharCode(...new Uint8Array(bytes)));
+  return b.replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
+}
+async function hmac(value, secret) {
+  const key = await crypto.subtle.importKey(
+    "raw",
+    enc.encode(secret),
+    { name: "HMAC", hash: "SHA-256" },
+    false,
+    ["sign"]
+  );
+  return base64url(await crypto.subtle.sign("HMAC", key, enc.encode(value)));
+}
+async function signValue(value, secret) {
+  return `${value}.${await hmac(value, secret)}`;
+}
+function decodeTokenSlug(token) {
+  try {
+    const part = token.split(".")[1];
+    if (!part) return null;
+    const json = JSON.parse(
+      atob(part.replace(/-/g, "+").replace(/_/g, "/"))
+    );
+    return json.entrySlug ?? null;
+  } catch {
+    return null;
+  }
+}
+
+// src/routes/draft-enable.ts
+var GET = async (context) => {
+  const url = new URL(context.request.url);
+  const token = url.searchParams.get("token");
+  const redirectTo = url.searchParams.get("redirect") ?? "/";
+  const secret = import.meta.env.BCMS_DRAFT_SECRET;
+  if (!secret) return new Response("BCMS_DRAFT_SECRET is not configured", { status: 500 });
+  if (!token) return new Response("Missing token", { status: 400 });
+  const slug = decodeTokenSlug(token);
+  if (!slug) return new Response("Malformed token", { status: 400 });
+  const res = await fetch(
+    `${config.apiUrl}/api/v1/preview/${encodeURIComponent(slug)}?token=${encodeURIComponent(token)}`
+  );
+  if (!res.ok) return new Response("Invalid or expired token", { status: 401 });
+  context.cookies.set(config.draftCookie, await signValue(token, secret), {
+    httpOnly: true,
+    sameSite: "lax",
+    secure: url.protocol === "https:",
+    path: "/",
+    maxAge: 60 * 60 * 24
+    // 24h, matching the preview-token lifetime
+  });
+  return context.redirect(redirectTo, 302);
+};
+export {
+  GET
+};
+//# sourceMappingURL=draft-enable.js.map

package/dist/routes/draft-enable.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../../src/routes/draft-enable.ts","../../src/runtime.ts"],"sourcesContent":["/**\n * GET /api/bcms/draft/enable?token=<jwt>&redirect=/path\n *\n * Validates the preview token against the backend `/preview/:slug` endpoint\n * (the backend is the signature authority), then sets a signed draft cookie and\n * redirects. Requires `BCMS_DRAFT_SECRET` in the server env.\n */\nimport type { APIRoute } from \"astro\";\nimport config from \"bettercms:config\";\nimport { decodeTokenSlug, signValue } from \"../runtime.js\";\n\nexport const GET: APIRoute = async (context) => {\n  const url = new URL(context.request.url);\n  const token = url.searchParams.get(\"token\");\n  const redirectTo = url.searchParams.get(\"redirect\") ?? \"/\";\n  const secret = import.meta.env.BCMS_DRAFT_SECRET as string | undefined;\n\n  if (!secret) return new Response(\"BCMS_DRAFT_SECRET is not configured\", { status: 500 });\n  if (!token) return new Response(\"Missing token\", { status: 400 });\n\n  const slug = decodeTokenSlug(token);\n  if (!slug) return new Response(\"Malformed token\", { status: 400 });\n\n  const res = await fetch(\n    `${config.apiUrl}/api/v1/preview/${encodeURIComponent(slug)}?token=${encodeURIComponent(token)}`,\n  );\n  if (!res.ok) return new Response(\"Invalid or expired token\", { status: 401 });\n\n  context.cookies.set(config.draftCookie, await signValue(token, secret), {\n    httpOnly: true,\n    sameSite: \"lax\",\n    secure: url.protocol === \"https:\",\n    path: \"/\",\n    maxAge: 60 * 60 * 24, // 24h, matching the preview-token lifetime\n  });\n\n  return context.redirect(redirectTo, 302);\n};\n","/**\n * Runtime for @betttercms/astro — the code the `bettercms:client` virtual\n * module binds to. Provides a published client, per-request draft client\n * selection, typed loaders, and signed-cookie helpers for draft mode.\n *\n * Read-only; no I/O at import time. Safe in Node and edge runtimes (uses Web\n * Crypto + global fetch only).\n */\nimport { createClient, type BetterCMSReadClient } from \"@betttercms/sdk\";\nimport type { DeliveryEntry, DeliveryList, DeliveryPage } from \"@betttercms/types\";\n\nexport interface RuntimeConfig {\n  apiUrl: string;\n  workspace: string;\n  projectId?: string;\n  /** Server-only delivery key (a `content:read:draft` key for drafts). */\n  apiKey?: string;\n}\n\n/** Per-request draft state, set on `Astro.locals.bcms` by the middleware. */\nexport interface BcmsLocals {\n  draft: boolean;\n  token?: string;\n}\n\ninterface HasLocals {\n  locals: { bcms?: BcmsLocals };\n}\n\nexport interface BetterCMSRuntime {\n  /** Published-perspective client (use for SSG / non-draft reads). */\n  client: BetterCMSReadClient;\n  /** Pick the right client for a request (draft client when draft mode is on). */\n  getClient(astro?: HasLocals): BetterCMSReadClient;\n  loadEntry<T = Record<string, unknown>>(\n    astro: HasLocals,\n    slug: string,\n    opts?: Parameters<BetterCMSReadClient[\"getEntry\"]>[1],\n  ): Promise<DeliveryEntry<T>>;\n  loadEntries<T = Record<string, unknown>>(\n    astro: HasLocals,\n    opts?: Parameters<BetterCMSReadClient[\"listEntries\"]>[0],\n  ): Promise<DeliveryList<DeliveryEntry<T>>>;\n  loadPage(astro: HasLocals, slug: string): Promise<DeliveryPage | null>;\n  loadForms(\n    astro: HasLocals,\n    opts?: Parameters<BetterCMSReadClient[\"listForms\"]>[0],\n  ): Promise<Awaited<ReturnType<BetterCMSReadClient[\"listForms\"]>>>;\n}\n\nexport function createRuntime(config: RuntimeConfig): BetterCMSRuntime {\n  const published = createClient({ ...config, perspective: \"published\" });\n\n  const getClient = (astro?: HasLocals): BetterCMSReadClient => {\n    const bcms = astro?.locals?.bcms;\n    if (bcms?.draft) {\n      return createClient({ ...config, perspective: \"drafts\", previewToken: bcms.token });\n    }\n    return published;\n  };\n\n  return {\n    client: published,\n    getClient,\n    loadEntry: (astro, slug, opts) => getClient(astro).getEntry(slug, opts),\n    loadEntries: (astro, opts) => getClient(astro).listEntries(opts),\n    loadPage: (astro, slug) => getClient(astro).getPage(slug),\n    loadForms: (astro, opts) => getClient(astro).listForms(opts),\n  };\n}\n\n/**\n * Build the live SSE URL for `<BcmsLive>`. The key is a query param because\n * browser EventSource cannot send headers — use a content:read key.\n */\nexport function liveSrc(opts: { apiUrl: string; workspace: string; apiKey: string }): string {\n  const base = opts.apiUrl.replace(/\\/+$/, \"\");\n  return `${base}/api/v1/delivery/${opts.workspace}/live?key=${encodeURIComponent(opts.apiKey)}`;\n}\n\n// ── Signed-cookie helpers (HMAC-SHA256, base64url) ──────────────────────────\n\nconst enc = new TextEncoder();\n\nfunction base64url(bytes: ArrayBuffer): string {\n  const b = btoa(String.fromCharCode(...new Uint8Array(bytes)));\n  return b.replace(/\\+/g, \"-\").replace(/\\//g, \"_\").replace(/=+$/, \"\");\n}\n\nasync function hmac(value: string, secret: string): Promise<string> {\n  const key = await crypto.subtle.importKey(\n    \"raw\",\n    enc.encode(secret),\n    { name: \"HMAC\", hash: \"SHA-256\" },\n    false,\n    [\"sign\"],\n  );\n  return base64url(await crypto.subtle.sign(\"HMAC\", key, enc.encode(value)));\n}\n\n/** Sign a value as `value.sig` for tamper-evident cookie storage. */\nexport async function signValue(value: string, secret: string): Promise<string> {\n  return `${value}.${await hmac(value, secret)}`;\n}\n\n/** Verify a signed value, returning the original value or null if tampered. */\nexport async function verifyValue(signed: string, secret: string): Promise<string | null> {\n  const idx = signed.lastIndexOf(\".\");\n  if (idx < 0) return null;\n  const value = signed.slice(0, idx);\n  const sig = signed.slice(idx + 1);\n  const expected = await hmac(value, secret);\n  // Constant-time-ish compare via length + char accumulation.\n  if (sig.length !== expected.length) return null;\n  let diff = 0;\n  for (let i = 0; i < sig.length; i++) diff |= sig.charCodeAt(i) ^ expected.charCodeAt(i);\n  return diff === 0 ? value : null;\n}\n\n/** Decode a preview-token JWT payload (UNVERIFIED) to read its `entrySlug`. */\nexport function decodeTokenSlug(token: string): string | null {\n  try {\n    const part = token.split(\".\")[1];\n    if (!part) return null;\n    const json = JSON.parse(\n      atob(part.replace(/-/g, \"+\").replace(/_/g, \"/\")),\n    ) as { entrySlug?: string };\n    return json.entrySlug ?? null;\n  } catch {\n    return null;\n  }\n}\n"],"mappings":";AAQA,OAAO,YAAY;;;ACAnB,SAAS,oBAA8C;AA0EvD,IAAM,MAAM,IAAI,YAAY;AAE5B,SAAS,UAAU,OAA4B;AAC7C,QAAM,IAAI,KAAK,OAAO,aAAa,GAAG,IAAI,WAAW,KAAK,CAAC,CAAC;AAC5D,SAAO,EAAE,QAAQ,OAAO,GAAG,EAAE,QAAQ,OAAO,GAAG,EAAE,QAAQ,OAAO,EAAE;AACpE;AAEA,eAAe,KAAK,OAAe,QAAiC;AAClE,QAAM,MAAM,MAAM,OAAO,OAAO;AAAA,IAC9B;AAAA,IACA,IAAI,OAAO,MAAM;AAAA,IACjB,EAAE,MAAM,QAAQ,MAAM,UAAU;AAAA,IAChC;AAAA,IACA,CAAC,MAAM;AAAA,EACT;AACA,SAAO,UAAU,MAAM,OAAO,OAAO,KAAK,QAAQ,KAAK,IAAI,OAAO,KAAK,CAAC,CAAC;AAC3E;AAGA,eAAsB,UAAU,OAAe,QAAiC;AAC9E,SAAO,GAAG,KAAK,IAAI,MAAM,KAAK,OAAO,MAAM,CAAC;AAC9C;AAiBO,SAAS,gBAAgB,OAA8B;AAC5D,MAAI;AACF,UAAM,OAAO,MAAM,MAAM,GAAG,EAAE,CAAC;AAC/B,QAAI,CAAC,KAAM,QAAO;AAClB,UAAM,OAAO,KAAK;AAAA,MAChB,KAAK,KAAK,QAAQ,MAAM,GAAG,EAAE,QAAQ,MAAM,GAAG,CAAC;AAAA,IACjD;AACA,WAAO,KAAK,aAAa;AAAA,EAC3B,QAAQ;AACN,WAAO;AAAA,EACT;AACF;;;ADxHO,IAAM,MAAgB,OAAO,YAAY;AAC9C,QAAM,MAAM,IAAI,IAAI,QAAQ,QAAQ,GAAG;AACvC,QAAM,QAAQ,IAAI,aAAa,IAAI,OAAO;AAC1C,QAAM,aAAa,IAAI,aAAa,IAAI,UAAU,KAAK;AACvD,QAAM,SAAS,YAAY,IAAI;AAE/B,MAAI,CAAC,OAAQ,QAAO,IAAI,SAAS,uCAAuC,EAAE,QAAQ,IAAI,CAAC;AACvF,MAAI,CAAC,MAAO,QAAO,IAAI,SAAS,iBAAiB,EAAE,QAAQ,IAAI,CAAC;AAEhE,QAAM,OAAO,gBAAgB,KAAK;AAClC,MAAI,CAAC,KAAM,QAAO,IAAI,SAAS,mBAAmB,EAAE,QAAQ,IAAI,CAAC;AAEjE,QAAM,MAAM,MAAM;AAAA,IAChB,GAAG,OAAO,MAAM,mBAAmB,mBAAmB,IAAI,CAAC,UAAU,mBAAmB,KAAK,CAAC;AAAA,EAChG;AACA,MAAI,CAAC,IAAI,GAAI,QAAO,IAAI,SAAS,4BAA4B,EAAE,QAAQ,IAAI,CAAC;AAE5E,UAAQ,QAAQ,IAAI,OAAO,aAAa,MAAM,UAAU,OAAO,MAAM,GAAG;AAAA,IACtE,UAAU;AAAA,IACV,UAAU;AAAA,IACV,QAAQ,IAAI,aAAa;AAAA,IACzB,MAAM;AAAA,IACN,QAAQ,KAAK,KAAK;AAAA;AAAA,EACpB,CAAC;AAED,SAAO,QAAQ,SAAS,YAAY,GAAG;AACzC;","names":[]}

package/dist/runtime.d.ts

@@ -0,0 +1,57 @@
+import { BetterCMSReadClient } from '@betttercms/sdk';
+import { DeliveryEntry, DeliveryList, DeliveryPage } from '@betttercms/types';
+
+/**
+ * Runtime for @betttercms/astro — the code the `bettercms:client` virtual
+ * module binds to. Provides a published client, per-request draft client
+ * selection, typed loaders, and signed-cookie helpers for draft mode.
+ *
+ * Read-only; no I/O at import time. Safe in Node and edge runtimes (uses Web
+ * Crypto + global fetch only).
+ */
+
+interface RuntimeConfig {
+    apiUrl: string;
+    workspace: string;
+    projectId?: string;
+    /** Server-only delivery key (a `content:read:draft` key for drafts). */
+    apiKey?: string;
+}
+/** Per-request draft state, set on `Astro.locals.bcms` by the middleware. */
+interface BcmsLocals {
+    draft: boolean;
+    token?: string;
+}
+interface HasLocals {
+    locals: {
+        bcms?: BcmsLocals;
+    };
+}
+interface BetterCMSRuntime {
+    /** Published-perspective client (use for SSG / non-draft reads). */
+    client: BetterCMSReadClient;
+    /** Pick the right client for a request (draft client when draft mode is on). */
+    getClient(astro?: HasLocals): BetterCMSReadClient;
+    loadEntry<T = Record<string, unknown>>(astro: HasLocals, slug: string, opts?: Parameters<BetterCMSReadClient["getEntry"]>[1]): Promise<DeliveryEntry<T>>;
+    loadEntries<T = Record<string, unknown>>(astro: HasLocals, opts?: Parameters<BetterCMSReadClient["listEntries"]>[0]): Promise<DeliveryList<DeliveryEntry<T>>>;
+    loadPage(astro: HasLocals, slug: string): Promise<DeliveryPage | null>;
+    loadForms(astro: HasLocals, opts?: Parameters<BetterCMSReadClient["listForms"]>[0]): Promise<Awaited<ReturnType<BetterCMSReadClient["listForms"]>>>;
+}
+declare function createRuntime(config: RuntimeConfig): BetterCMSRuntime;
+/**
+ * Build the live SSE URL for `<BcmsLive>`. The key is a query param because
+ * browser EventSource cannot send headers — use a content:read key.
+ */
+declare function liveSrc(opts: {
+    apiUrl: string;
+    workspace: string;
+    apiKey: string;
+}): string;
+/** Sign a value as `value.sig` for tamper-evident cookie storage. */
+declare function signValue(value: string, secret: string): Promise<string>;
+/** Verify a signed value, returning the original value or null if tampered. */
+declare function verifyValue(signed: string, secret: string): Promise<string | null>;
+/** Decode a preview-token JWT payload (UNVERIFIED) to read its `entrySlug`. */
+declare function decodeTokenSlug(token: string): string | null;
+
+export { type BcmsLocals, type BetterCMSRuntime, type RuntimeConfig, createRuntime, decodeTokenSlug, liveSrc, signValue, verifyValue };

package/dist/runtime.js

@@ -0,0 +1,73 @@
+// src/runtime.ts
+import { createClient } from "@betttercms/sdk";
+function createRuntime(config) {
+  const published = createClient({ ...config, perspective: "published" });
+  const getClient = (astro) => {
+    const bcms = astro?.locals?.bcms;
+    if (bcms?.draft) {
+      return createClient({ ...config, perspective: "drafts", previewToken: bcms.token });
+    }
+    return published;
+  };
+  return {
+    client: published,
+    getClient,
+    loadEntry: (astro, slug, opts) => getClient(astro).getEntry(slug, opts),
+    loadEntries: (astro, opts) => getClient(astro).listEntries(opts),
+    loadPage: (astro, slug) => getClient(astro).getPage(slug),
+    loadForms: (astro, opts) => getClient(astro).listForms(opts)
+  };
+}
+function liveSrc(opts) {
+  const base = opts.apiUrl.replace(/\/+$/, "");
+  return `${base}/api/v1/delivery/${opts.workspace}/live?key=${encodeURIComponent(opts.apiKey)}`;
+}
+var enc = new TextEncoder();
+function base64url(bytes) {
+  const b = btoa(String.fromCharCode(...new Uint8Array(bytes)));
+  return b.replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
+}
+async function hmac(value, secret) {
+  const key = await crypto.subtle.importKey(
+    "raw",
+    enc.encode(secret),
+    { name: "HMAC", hash: "SHA-256" },
+    false,
+    ["sign"]
+  );
+  return base64url(await crypto.subtle.sign("HMAC", key, enc.encode(value)));
+}
+async function signValue(value, secret) {
+  return `${value}.${await hmac(value, secret)}`;
+}
+async function verifyValue(signed, secret) {
+  const idx = signed.lastIndexOf(".");
+  if (idx < 0) return null;
+  const value = signed.slice(0, idx);
+  const sig = signed.slice(idx + 1);
+  const expected = await hmac(value, secret);
+  if (sig.length !== expected.length) return null;
+  let diff = 0;
+  for (let i = 0; i < sig.length; i++) diff |= sig.charCodeAt(i) ^ expected.charCodeAt(i);
+  return diff === 0 ? value : null;
+}
+function decodeTokenSlug(token) {
+  try {
+    const part = token.split(".")[1];
+    if (!part) return null;
+    const json = JSON.parse(
+      atob(part.replace(/-/g, "+").replace(/_/g, "/"))
+    );
+    return json.entrySlug ?? null;
+  } catch {
+    return null;
+  }
+}
+export {
+  createRuntime,
+  decodeTokenSlug,
+  liveSrc,
+  signValue,
+  verifyValue
+};
+//# sourceMappingURL=runtime.js.map

package/dist/runtime.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../src/runtime.ts"],"sourcesContent":["/**\n * Runtime for @betttercms/astro — the code the `bettercms:client` virtual\n * module binds to. Provides a published client, per-request draft client\n * selection, typed loaders, and signed-cookie helpers for draft mode.\n *\n * Read-only; no I/O at import time. Safe in Node and edge runtimes (uses Web\n * Crypto + global fetch only).\n */\nimport { createClient, type BetterCMSReadClient } from \"@betttercms/sdk\";\nimport type { DeliveryEntry, DeliveryList, DeliveryPage } from \"@betttercms/types\";\n\nexport interface RuntimeConfig {\n  apiUrl: string;\n  workspace: string;\n  projectId?: string;\n  /** Server-only delivery key (a `content:read:draft` key for drafts). */\n  apiKey?: string;\n}\n\n/** Per-request draft state, set on `Astro.locals.bcms` by the middleware. */\nexport interface BcmsLocals {\n  draft: boolean;\n  token?: string;\n}\n\ninterface HasLocals {\n  locals: { bcms?: BcmsLocals };\n}\n\nexport interface BetterCMSRuntime {\n  /** Published-perspective client (use for SSG / non-draft reads). */\n  client: BetterCMSReadClient;\n  /** Pick the right client for a request (draft client when draft mode is on). */\n  getClient(astro?: HasLocals): BetterCMSReadClient;\n  loadEntry<T = Record<string, unknown>>(\n    astro: HasLocals,\n    slug: string,\n    opts?: Parameters<BetterCMSReadClient[\"getEntry\"]>[1],\n  ): Promise<DeliveryEntry<T>>;\n  loadEntries<T = Record<string, unknown>>(\n    astro: HasLocals,\n    opts?: Parameters<BetterCMSReadClient[\"listEntries\"]>[0],\n  ): Promise<DeliveryList<DeliveryEntry<T>>>;\n  loadPage(astro: HasLocals, slug: string): Promise<DeliveryPage | null>;\n  loadForms(\n    astro: HasLocals,\n    opts?: Parameters<BetterCMSReadClient[\"listForms\"]>[0],\n  ): Promise<Awaited<ReturnType<BetterCMSReadClient[\"listForms\"]>>>;\n}\n\nexport function createRuntime(config: RuntimeConfig): BetterCMSRuntime {\n  const published = createClient({ ...config, perspective: \"published\" });\n\n  const getClient = (astro?: HasLocals): BetterCMSReadClient => {\n    const bcms = astro?.locals?.bcms;\n    if (bcms?.draft) {\n      return createClient({ ...config, perspective: \"drafts\", previewToken: bcms.token });\n    }\n    return published;\n  };\n\n  return {\n    client: published,\n    getClient,\n    loadEntry: (astro, slug, opts) => getClient(astro).getEntry(slug, opts),\n    loadEntries: (astro, opts) => getClient(astro).listEntries(opts),\n    loadPage: (astro, slug) => getClient(astro).getPage(slug),\n    loadForms: (astro, opts) => getClient(astro).listForms(opts),\n  };\n}\n\n/**\n * Build the live SSE URL for `<BcmsLive>`. The key is a query param because\n * browser EventSource cannot send headers — use a content:read key.\n */\nexport function liveSrc(opts: { apiUrl: string; workspace: string; apiKey: string }): string {\n  const base = opts.apiUrl.replace(/\\/+$/, \"\");\n  return `${base}/api/v1/delivery/${opts.workspace}/live?key=${encodeURIComponent(opts.apiKey)}`;\n}\n\n// ── Signed-cookie helpers (HMAC-SHA256, base64url) ──────────────────────────\n\nconst enc = new TextEncoder();\n\nfunction base64url(bytes: ArrayBuffer): string {\n  const b = btoa(String.fromCharCode(...new Uint8Array(bytes)));\n  return b.replace(/\\+/g, \"-\").replace(/\\//g, \"_\").replace(/=+$/, \"\");\n}\n\nasync function hmac(value: string, secret: string): Promise<string> {\n  const key = await crypto.subtle.importKey(\n    \"raw\",\n    enc.encode(secret),\n    { name: \"HMAC\", hash: \"SHA-256\" },\n    false,\n    [\"sign\"],\n  );\n  return base64url(await crypto.subtle.sign(\"HMAC\", key, enc.encode(value)));\n}\n\n/** Sign a value as `value.sig` for tamper-evident cookie storage. */\nexport async function signValue(value: string, secret: string): Promise<string> {\n  return `${value}.${await hmac(value, secret)}`;\n}\n\n/** Verify a signed value, returning the original value or null if tampered. */\nexport async function verifyValue(signed: string, secret: string): Promise<string | null> {\n  const idx = signed.lastIndexOf(\".\");\n  if (idx < 0) return null;\n  const value = signed.slice(0, idx);\n  const sig = signed.slice(idx + 1);\n  const expected = await hmac(value, secret);\n  // Constant-time-ish compare via length + char accumulation.\n  if (sig.length !== expected.length) return null;\n  let diff = 0;\n  for (let i = 0; i < sig.length; i++) diff |= sig.charCodeAt(i) ^ expected.charCodeAt(i);\n  return diff === 0 ? value : null;\n}\n\n/** Decode a preview-token JWT payload (UNVERIFIED) to read its `entrySlug`. */\nexport function decodeTokenSlug(token: string): string | null {\n  try {\n    const part = token.split(\".\")[1];\n    if (!part) return null;\n    const json = JSON.parse(\n      atob(part.replace(/-/g, \"+\").replace(/_/g, \"/\")),\n    ) as { entrySlug?: string };\n    return json.entrySlug ?? null;\n  } catch {\n    return null;\n  }\n}\n"],"mappings":";AAQA,SAAS,oBAA8C;AA0ChD,SAAS,cAAc,QAAyC;AACrE,QAAM,YAAY,aAAa,EAAE,GAAG,QAAQ,aAAa,YAAY,CAAC;AAEtE,QAAM,YAAY,CAAC,UAA2C;AAC5D,UAAM,OAAO,OAAO,QAAQ;AAC5B,QAAI,MAAM,OAAO;AACf,aAAO,aAAa,EAAE,GAAG,QAAQ,aAAa,UAAU,cAAc,KAAK,MAAM,CAAC;AAAA,IACpF;AACA,WAAO;AAAA,EACT;AAEA,SAAO;AAAA,IACL,QAAQ;AAAA,IACR;AAAA,IACA,WAAW,CAAC,OAAO,MAAM,SAAS,UAAU,KAAK,EAAE,SAAS,MAAM,IAAI;AAAA,IACtE,aAAa,CAAC,OAAO,SAAS,UAAU,KAAK,EAAE,YAAY,IAAI;AAAA,IAC/D,UAAU,CAAC,OAAO,SAAS,UAAU,KAAK,EAAE,QAAQ,IAAI;AAAA,IACxD,WAAW,CAAC,OAAO,SAAS,UAAU,KAAK,EAAE,UAAU,IAAI;AAAA,EAC7D;AACF;AAMO,SAAS,QAAQ,MAAqE;AAC3F,QAAM,OAAO,KAAK,OAAO,QAAQ,QAAQ,EAAE;AAC3C,SAAO,GAAG,IAAI,oBAAoB,KAAK,SAAS,aAAa,mBAAmB,KAAK,MAAM,CAAC;AAC9F;AAIA,IAAM,MAAM,IAAI,YAAY;AAE5B,SAAS,UAAU,OAA4B;AAC7C,QAAM,IAAI,KAAK,OAAO,aAAa,GAAG,IAAI,WAAW,KAAK,CAAC,CAAC;AAC5D,SAAO,EAAE,QAAQ,OAAO,GAAG,EAAE,QAAQ,OAAO,GAAG,EAAE,QAAQ,OAAO,EAAE;AACpE;AAEA,eAAe,KAAK,OAAe,QAAiC;AAClE,QAAM,MAAM,MAAM,OAAO,OAAO;AAAA,IAC9B;AAAA,IACA,IAAI,OAAO,MAAM;AAAA,IACjB,EAAE,MAAM,QAAQ,MAAM,UAAU;AAAA,IAChC;AAAA,IACA,CAAC,MAAM;AAAA,EACT;AACA,SAAO,UAAU,MAAM,OAAO,OAAO,KAAK,QAAQ,KAAK,IAAI,OAAO,KAAK,CAAC,CAAC;AAC3E;AAGA,eAAsB,UAAU,OAAe,QAAiC;AAC9E,SAAO,GAAG,KAAK,IAAI,MAAM,KAAK,OAAO,MAAM,CAAC;AAC9C;AAGA,eAAsB,YAAY,QAAgB,QAAwC;AACxF,QAAM,MAAM,OAAO,YAAY,GAAG;AAClC,MAAI,MAAM,EAAG,QAAO;AACpB,QAAM,QAAQ,OAAO,MAAM,GAAG,GAAG;AACjC,QAAM,MAAM,OAAO,MAAM,MAAM,CAAC;AAChC,QAAM,WAAW,MAAM,KAAK,OAAO,MAAM;AAEzC,MAAI,IAAI,WAAW,SAAS,OAAQ,QAAO;AAC3C,MAAI,OAAO;AACX,WAAS,IAAI,GAAG,IAAI,IAAI,QAAQ,IAAK,SAAQ,IAAI,WAAW,CAAC,IAAI,SAAS,WAAW,CAAC;AACtF,SAAO,SAAS,IAAI,QAAQ;AAC9B;AAGO,SAAS,gBAAgB,OAA8B;AAC5D,MAAI;AACF,UAAM,OAAO,MAAM,MAAM,GAAG,EAAE,CAAC;AAC/B,QAAI,CAAC,KAAM,QAAO;AAClB,UAAM,OAAO,KAAK;AAAA,MAChB,KAAK,KAAK,QAAQ,MAAM,GAAG,EAAE,QAAQ,MAAM,GAAG,CAAC;AAAA,IACjD;AACA,WAAO,KAAK,aAAa;AAAA,EAC3B,QAAQ;AACN,WAAO;AAAA,EACT;AACF;","names":[]}

package/env.d.ts

@@ -0,0 +1,33 @@
+/// <reference types="astro/client" />
+
+/**
+ * Ambient types for the virtual modules registered by the `bettercms()`
+ * integration, plus the `Astro.locals.bcms` augmentation. Add this package to
+ * your project's `src/env.d.ts` with:
+ *
+ *   /// <reference types="@betttercms/astro/env" />
+ */
+
+declare module "bettercms:config" {
+  import type { PublicConfig } from "@betttercms/astro";
+  export const config: PublicConfig;
+  export default config;
+}
+
+declare module "bettercms:client" {
+  import type { BetterCMSRuntime } from "@betttercms/astro";
+  export const client: BetterCMSRuntime["client"];
+  export const getClient: BetterCMSRuntime["getClient"];
+  export const loadEntry: BetterCMSRuntime["loadEntry"];
+  export const loadEntries: BetterCMSRuntime["loadEntries"];
+  export const loadPage: BetterCMSRuntime["loadPage"];
+  export const loadForms: BetterCMSRuntime["loadForms"];
+  const runtime: BetterCMSRuntime;
+  export default runtime;
+}
+
+declare namespace App {
+  interface Locals {
+    bcms?: import("@betttercms/astro").BcmsLocals;
+  }
+}

package/package.json

@@ -0,0 +1,66 @@
+{
+  "name": "@betttercms/astro",
+  "version": "0.1.0",
+  "type": "module",
+  "description": "The BetterCMS adapter for Astro — a `bettercms()` integration, a `bettercms:client` virtual module, typed content loaders, draft preview, and native .astro rendering components.",
+  "main": "./dist/index.js",
+  "module": "./dist/index.js",
+  "types": "./dist/index.d.ts",
+  "sideEffects": false,
+  "exports": {
+    ".": {
+      "types": "./dist/index.d.ts",
+      "import": "./dist/index.js",
+      "default": "./dist/index.js"
+    },
+    "./runtime": {
+      "types": "./dist/runtime.d.ts",
+      "import": "./dist/runtime.js",
+      "default": "./dist/runtime.js"
+    },
+    "./middleware": {
+      "types": "./dist/middleware-entry.d.ts",
+      "import": "./dist/middleware-entry.js",
+      "default": "./dist/middleware-entry.js"
+    },
+    "./draft-enable": "./dist/routes/draft-enable.js",
+    "./draft-disable": "./dist/routes/draft-disable.js",
+    "./components/BcmsBlocks.astro": "./components/BcmsBlocks.astro",
+    "./components/BcmsForm.astro": "./components/BcmsForm.astro",
+    "./components/BcmsImage.astro": "./components/BcmsImage.astro",
+    "./components/BcmsLive.astro": "./components/BcmsLive.astro",
+    "./components/BcmsVisualEditing.astro": "./components/BcmsVisualEditing.astro",
+    "./env": "./env.d.ts"
+  },
+  "files": [
+    "dist",
+    "components",
+    "env.d.ts",
+    "README.md"
+  ],
+  "scripts": {
+    "typecheck": "tsc --noEmit",
+    "build": "tsup",
+    "test": "vitest run",
+    "test:watch": "vitest"
+  },
+  "dependencies": {
+    "@betttercms/image-url": "^0.1.0",
+    "@betttercms/sdk": "^1.3.0",
+    "@betttercms/types": "^1.2.0"
+  },
+  "peerDependencies": {
+    "astro": ">=4"
+  },
+  "devDependencies": {
+    "@types/node": "^20",
+    "astro": "^5.0.0",
+    "tsup": "^8.5.1",
+    "typescript": "^5",
+    "vitest": "^4.1.4"
+  },
+  "publishConfig": {
+    "registry": "https://registry.npmjs.org/",
+    "access": "public"
+  }
+}