@commonpub/layer 0.10.1 → 0.13.0

package/pages/index.vue

@@ -1,11 +1,18 @@
 <script setup lang="ts">
-import type { Serialized, ContentListItem, PaginatedResponse } from '@commonpub/server';
+import type { Serialized, ContentListItem, PaginatedResponse, HomepageSection } from '@commonpub/server';
 
 useSeoMeta({
   title: `${useSiteName()} — Open Maker Platform`,
   description: 'Build, document, and share your projects with a community of makers.',
 });
 
+// Fetch configurable homepage sections (from DB or defaults)
+const { data: homepageSections } = await useFetch<HomepageSection[]>('/api/homepage/sections');
+const hasCustomSections = computed(() => !!homepageSections.value?.length);
+const sortedSections = computed(() =>
+  [...(homepageSections.value ?? [])].sort((a, b) => a.order - b.order),
+);
+
 const { user: authUser } = useAuth();
 const { hubs: hubsEnabled, contests: contestsEnabled, learning: learningEnabled, video: videoEnabled, docs: docsEnabled, editorial: editorialEnabled } = useFeatures();
 const { enabledTypeMeta } = useContentTypes();
@@ -117,6 +124,30 @@ async function handleHubJoin(hubSlug: string): Promise<void> {
 
 <template>
   <div>
+    <!-- ═══ CONFIGURABLE HOMEPAGE (section renderer) ═══ -->
+    <template v-if="hasCustomSections">
+      <!-- Full-width sections (hero) -->
+      <HomepageSectionRenderer :sections="sortedSections" zone="full-width" />
+
+      <!-- 2-column layout: main + sidebar -->
+      <div class="cpub-main-layout">
+        <main class="cpub-feed-col">
+          <HomepageSectionRenderer :sections="sortedSections" zone="main" />
+        </main>
+        <aside class="cpub-sidebar">
+          <HomepageSectionRenderer :sections="sortedSections" zone="sidebar" />
+          <!-- Powered badge -->
+          <div class="cpub-powered-badge">
+            <span class="cpub-powered-text">Powered by</span>
+            <span class="cpub-powered-logo">[<span>C</span>] CommonPub</span>
+          </div>
+        </aside>
+      </div>
+    </template>
+
+    <!-- ═══ LEGACY HARDCODED HOMEPAGE (fallback) ═══ -->
+    <template v-else>
+
     <!-- ═══ HERO BANNER ═══ -->
     <section v-if="!heroDismissed" class="cpub-hero-banner">
       <div class="cpub-hero-grid-bg" />
@@ -383,6 +414,8 @@ async function handleHubJoin(hubSlug: string): Promise<void> {
         </div>
       </aside>
     </div>
+
+    </template><!-- end legacy fallback -->
   </div>
 </template>
 

package/server/api/admin/features/index.get.ts

@@ -0,0 +1,32 @@
+import { getInstanceSetting } from '@commonpub/server';
+import type { FeatureFlags } from '@commonpub/config';
+
+/**
+ * GET /api/admin/features
+ * Returns current feature flags with metadata about defaults vs overrides.
+ */
+export default defineEventHandler(async (event) => {
+  requireAdmin(event);
+
+  const db = useDB();
+  const config = useConfig();
+
+  // Get DB overrides (may be null if never set)
+  const raw = await getInstanceSetting(db, 'features.overrides');
+  const overrides: Partial<FeatureFlags> = (raw && typeof raw === 'object' && !Array.isArray(raw))
+    ? raw as Partial<FeatureFlags>
+    : {};
+
+  // Build response with default + effective values for each flag
+  const flags = config.features as unknown as Record<string, boolean>;
+  const result: Record<string, { enabled: boolean; isOverridden: boolean }> = {};
+
+  for (const [key, value] of Object.entries(flags)) {
+    result[key] = {
+      enabled: value,
+      isOverridden: key in overrides,
+    };
+  }
+
+  return { flags: result, overrides };
+});

package/server/api/admin/features/index.put.ts

@@ -0,0 +1,56 @@
+import { setInstanceSetting, getInstanceSetting } from '@commonpub/server';
+import type { FeatureFlags } from '@commonpub/config';
+import { z } from 'zod';
+
+const updateFeaturesSchema = z.object({
+  overrides: z.record(z.string(), z.boolean()).refine(
+    (obj) => Object.keys(obj).length <= 20,
+    'Too many overrides',
+  ),
+});
+
+/**
+ * PUT /api/admin/features
+ * Set feature flag overrides. Pass { overrides: { flagName: true/false } }.
+ * To remove an override, omit the key from overrides.
+ */
+export default defineEventHandler(async (event) => {
+  const user = requireAdmin(event);
+
+  const body = await parseBody(event, updateFeaturesSchema);
+  const db = useDB();
+
+  // Validate that all keys are known feature flags
+  const config = useConfig();
+  const knownFlags = Object.keys(config.features);
+  for (const key of Object.keys(body.overrides)) {
+    if (!knownFlags.includes(key)) {
+      throw createError({ statusCode: 400, statusMessage: `Unknown feature flag: ${key}` });
+    }
+  }
+
+  // Merge with existing overrides (so partial updates work)
+  const raw = await getInstanceSetting(db, 'features.overrides');
+  const existing: Partial<FeatureFlags> = (raw && typeof raw === 'object' && !Array.isArray(raw))
+    ? raw as Partial<FeatureFlags>
+    : {};
+
+  const merged = { ...existing, ...body.overrides };
+
+  // Remove overrides that match the base config default (no point overriding to same value)
+  const base = config.features as unknown as Record<string, boolean>;
+  for (const [key, value] of Object.entries(merged)) {
+    if (base[key] === value) {
+      delete (merged as Record<string, unknown>)[key];
+    }
+  }
+
+  await setInstanceSetting(db, 'features.overrides', merged, user.id, getRequestIP(event) ?? undefined);
+
+  // Invalidate config cache so the change takes effect immediately
+  if (typeof invalidateConfigCache === 'function') {
+    invalidateConfigCache();
+  }
+
+  return { overrides: merged, message: 'Feature flags updated' };
+});

package/server/api/admin/homepage/sections.get.ts

@@ -0,0 +1,11 @@
+import { getHomepageSections } from '@commonpub/server';
+
+/**
+ * GET /api/admin/homepage/sections
+ * Returns homepage sections for admin editing.
+ */
+export default defineEventHandler(async (event) => {
+  requireAdmin(event);
+  const db = useDB();
+  return getHomepageSections(db);
+});

package/server/api/admin/homepage/sections.put.ts

@@ -0,0 +1,52 @@
+import { setHomepageSections } from '@commonpub/server';
+import { z } from 'zod';
+
+const sectionConfigSchema = z.object({
+  contentType: z.string().max(64).optional(),
+  sort: z.enum(['popular', 'recent', 'featured', 'editorial']).optional(),
+  limit: z.number().int().min(1).max(50).optional(),
+  columns: z.union([z.literal(2), z.literal(3), z.literal(4)]).optional(),
+  showEditorial: z.boolean().optional(),
+  categorySlug: z.string().max(64).optional(),
+  featureGate: z.string().max(64).optional(),
+  variant: z.string().max(64).optional(),
+  customTitle: z.string().max(255).optional(),
+  customSubtitle: z.string().max(500).optional(),
+  html: z.string().max(10000).optional(),
+});
+
+const sectionSchema = z.object({
+  id: z.string().min(1).max(64),
+  type: z.enum(['hero', 'editorial', 'content-grid', 'content-carousel', 'contests', 'hubs', 'learning', 'stats', 'custom-html']),
+  title: z.string().max(255).optional(),
+  enabled: z.boolean(),
+  order: z.number().int().min(0),
+  config: sectionConfigSchema,
+});
+
+const updateSectionsSchema = z.object({
+  sections: z.array(sectionSchema).min(1).max(20),
+});
+
+/**
+ * PUT /api/admin/homepage/sections
+ * Save homepage section configuration.
+ */
+export default defineEventHandler(async (event) => {
+  const user = requireAdmin(event);
+  const db = useDB();
+  const body = await parseBody(event, updateSectionsSchema);
+
+  // Validate unique IDs
+  const ids = new Set<string>();
+  for (const section of body.sections) {
+    if (ids.has(section.id)) {
+      throw createError({ statusCode: 400, statusMessage: `Duplicate section ID: ${section.id}` });
+    }
+    ids.add(section.id);
+  }
+
+  await setHomepageSections(db, body.sections, user.id, getRequestIP(event) ?? undefined);
+
+  return { sections: body.sections, message: 'Homepage updated' };
+});

package/server/api/admin/navigation/items.get.ts

@@ -0,0 +1,11 @@
+import { getNavItems } from '@commonpub/server';
+
+/**
+ * GET /api/admin/navigation/items
+ * Returns navigation items for admin editing.
+ */
+export default defineEventHandler(async (event) => {
+  requireAdmin(event);
+  const db = useDB();
+  return getNavItems(db);
+});

package/server/api/admin/navigation/items.put.ts

@@ -0,0 +1,51 @@
+import type { NavItem } from '@commonpub/server';
+import { setNavItems } from '@commonpub/server';
+import { z } from 'zod';
+
+const navItemSchema: z.ZodType<NavItem> = z.lazy(() =>
+  z.object({
+    id: z.string().min(1).max(64),
+    type: z.enum(['link', 'dropdown', 'external']),
+    label: z.string().min(1).max(128),
+    icon: z.string().max(128).optional(),
+    route: z.string().max(255).optional(),
+    href: z.string().url().max(1024).optional(),
+    featureGate: z.string().max(64).optional(),
+    children: z.array(navItemSchema).max(20).optional(),
+    visibleTo: z.enum(['all', 'authenticated', 'admin']).optional(),
+    disabled: z.boolean().optional(),
+  }),
+) as z.ZodType<NavItem>;
+
+const updateNavSchema = z.object({
+  items: z.array(navItemSchema).min(1).max(30),
+});
+
+/**
+ * PUT /api/admin/navigation/items
+ * Save navigation item configuration.
+ */
+export default defineEventHandler(async (event) => {
+  const user = requireAdmin(event);
+  const db = useDB();
+  const body = await parseBody(event, updateNavSchema);
+
+  // Validate unique IDs (flatten to check children too)
+  const ids = new Set<string>();
+  function collectIds(items: NavItem[]): void {
+    for (const item of items) {
+      if (ids.has(item.id)) {
+        throw createError({ statusCode: 400, statusMessage: `Duplicate nav item ID: ${item.id}` });
+      }
+      ids.add(item.id);
+      if (item.children) {
+        collectIds(item.children);
+      }
+    }
+  }
+  collectIds(body.items);
+
+  await setNavItems(db, body.items, user.id, getRequestIP(event) ?? undefined);
+
+  return { items: body.items, message: 'Navigation updated' };
+});

package/server/api/contests/[slug]/entries/[entryId]/vote.delete.ts

@@ -0,0 +1,20 @@
+import { removeContestEntryVote } from '@commonpub/server';
+
+/**
+ * DELETE /api/contests/:slug/entries/:entryId/vote
+ * Remove community vote from a contest entry.
+ */
+export default defineEventHandler(async (event) => {
+  requireFeature('contests');
+  const user = requireAuth(event);
+  const db = useDB();
+  const entryId = getRouterParam(event, 'entryId');
+  if (!entryId) throw createError({ statusCode: 400, statusMessage: 'Missing entryId' });
+
+  const removed = await removeContestEntryVote(db, entryId, user.id);
+  if (!removed) {
+    throw createError({ statusCode: 400, statusMessage: 'No vote found' });
+  }
+
+  return { removed: true };
+});

package/server/api/contests/[slug]/entries/[entryId]/vote.post.ts

@@ -0,0 +1,20 @@
+import { voteOnContestEntry } from '@commonpub/server';
+
+/**
+ * POST /api/contests/:slug/entries/:entryId/vote
+ * Vote on a contest entry (community voting).
+ */
+export default defineEventHandler(async (event) => {
+  requireFeature('contests');
+  const user = requireAuth(event);
+  const db = useDB();
+  const entryId = getRouterParam(event, 'entryId');
+  if (!entryId) throw createError({ statusCode: 400, statusMessage: 'Missing entryId' });
+
+  const result = await voteOnContestEntry(db, entryId, user.id);
+  if (!result.voted) {
+    throw createError({ statusCode: 400, statusMessage: result.error ?? 'Vote failed' });
+  }
+
+  return { voted: true };
+});

package/server/api/contests/[slug]/judge.post.ts

@@ -1,18 +1,16 @@
-import { judgeContestEntry, getContestBySlug } from '@commonpub/server';
+import { judgeContestEntry } from '@commonpub/server';
 import { judgeEntrySchema } from '@commonpub/schema';
 
 export default defineEventHandler(async (event): Promise<{ success: boolean }> => {
   requireFeature('contests');
   const user = requireAuth(event);
   const db = useDB();
-  const { slug } = parseParams(event, { slug: 'string' });
   const input = await parseBody(event, judgeEntrySchema);
 
-  const contest = await getContestBySlug(db, slug);
-  if (!contest) throw createError({ statusCode: 404, message: 'Contest not found' });
-  const judges = (contest.judges ?? []) as string[];
-  if (!judges.includes(user.id)) throw createError({ statusCode: 403, message: 'Not a judge for this contest' });
+  const result = await judgeContestEntry(db, input.entryId, input.score, user.id, input.feedback);
+  if (!result.judged) {
+    throw createError({ statusCode: 403, message: result.error ?? 'Judging failed' });
+  }
 
-  await judgeContestEntry(db, input.entryId, input.score, user.id, input.feedback);
   return { success: true };
 });

package/server/api/contests/[slug]/judges/[userId].delete.ts

@@ -0,0 +1,26 @@
+import { getContestBySlug, removeContestJudge } from '@commonpub/server';
+
+/**
+ * DELETE /api/contests/:slug/judges/:userId
+ * Remove a judge from a contest (contest owner or admin only).
+ */
+export default defineEventHandler(async (event) => {
+  requireFeature('contests');
+  const user = requireAuth(event);
+  const db = useDB();
+  const slug = getRouterParam(event, 'slug');
+  const targetUserId = getRouterParam(event, 'userId');
+  if (!slug || !targetUserId) throw createError({ statusCode: 400, statusMessage: 'Missing parameters' });
+
+  const contest = await getContestBySlug(db, slug);
+  if (!contest) throw createError({ statusCode: 404, statusMessage: 'Contest not found' });
+
+  if (contest.createdById !== user.id && user.role !== 'admin') {
+    throw createError({ statusCode: 403, statusMessage: 'Only contest owner or admin can manage judges' });
+  }
+
+  const removed = await removeContestJudge(db, contest.id, targetUserId);
+  if (!removed) throw createError({ statusCode: 404, statusMessage: 'Judge not found' });
+
+  return { removed: true };
+});

package/server/api/contests/[slug]/judges/accept.post.ts

@@ -0,0 +1,21 @@
+import { getContestBySlug, acceptJudgeInvite } from '@commonpub/server';
+
+/**
+ * POST /api/contests/:slug/judges/accept
+ * Accept a judge invitation (authenticated user).
+ */
+export default defineEventHandler(async (event) => {
+  requireFeature('contests');
+  const user = requireAuth(event);
+  const db = useDB();
+  const slug = getRouterParam(event, 'slug');
+  if (!slug) throw createError({ statusCode: 400, statusMessage: 'Missing slug' });
+
+  const contest = await getContestBySlug(db, slug);
+  if (!contest) throw createError({ statusCode: 404, statusMessage: 'Contest not found' });
+
+  const accepted = await acceptJudgeInvite(db, contest.id, user.id);
+  if (!accepted) throw createError({ statusCode: 400, statusMessage: 'No pending invitation found' });
+
+  return { accepted: true };
+});

package/server/api/contests/[slug]/judges/index.get.ts

@@ -0,0 +1,17 @@
+import { getContestBySlug, listContestJudges } from '@commonpub/server';
+
+/**
+ * GET /api/contests/:slug/judges
+ * List judges for a contest.
+ */
+export default defineEventHandler(async (event) => {
+  requireFeature('contests');
+  const db = useDB();
+  const slug = getRouterParam(event, 'slug');
+  if (!slug) throw createError({ statusCode: 400, statusMessage: 'Missing slug' });
+
+  const contest = await getContestBySlug(db, slug);
+  if (!contest) throw createError({ statusCode: 404, statusMessage: 'Contest not found' });
+
+  return listContestJudges(db, contest.id);
+});

package/server/api/contests/[slug]/judges/index.post.ts

@@ -0,0 +1,36 @@
+import { getContestBySlug, addContestJudge } from '@commonpub/server';
+import type { JudgeRole } from '@commonpub/server';
+import { z } from 'zod';
+
+const addJudgeSchema = z.object({
+  userId: z.string().uuid(),
+  role: z.enum(['lead', 'judge', 'guest']).optional(),
+});
+
+/**
+ * POST /api/contests/:slug/judges
+ * Add a judge to a contest (contest owner or admin only).
+ */
+export default defineEventHandler(async (event) => {
+  requireFeature('contests');
+  const user = requireAuth(event);
+  const db = useDB();
+  const slug = getRouterParam(event, 'slug');
+  if (!slug) throw createError({ statusCode: 400, statusMessage: 'Missing slug' });
+
+  const contest = await getContestBySlug(db, slug);
+  if (!contest) throw createError({ statusCode: 404, statusMessage: 'Contest not found' });
+
+  if (contest.createdById !== user.id && user.role !== 'admin') {
+    throw createError({ statusCode: 403, statusMessage: 'Only contest owner or admin can manage judges' });
+  }
+
+  const body = await parseBody(event, addJudgeSchema);
+  const result = await addContestJudge(db, contest.id, body.userId, (body.role ?? 'judge') as JudgeRole);
+
+  if (!result.added) {
+    throw createError({ statusCode: 400, statusMessage: result.error ?? 'Failed to add judge' });
+  }
+
+  return { added: true };
+});

package/server/api/events/[slug]/attendees.get.ts

@@ -0,0 +1,23 @@
+import { getEventBySlug, listEventAttendees } from '@commonpub/server';
+import type { AttendeeStatus } from '@commonpub/server';
+
+/**
+ * GET /api/events/:slug/attendees
+ * List attendees for an event (public).
+ */
+export default defineEventHandler(async (event) => {
+  requireFeature('events');
+  const db = useDB();
+  const slug = getRouterParam(event, 'slug');
+  if (!slug) throw createError({ statusCode: 400, statusMessage: 'Missing slug' });
+
+  const existing = await getEventBySlug(db, slug);
+  if (!existing) throw createError({ statusCode: 404, statusMessage: 'Event not found' });
+
+  const query = getQuery(event);
+  return listEventAttendees(db, existing.id, {
+    status: (query.status as AttendeeStatus) || undefined,
+    limit: query.limit ? Number(query.limit) : undefined,
+    offset: query.offset ? Number(query.offset) : undefined,
+  });
+});

package/server/api/events/[slug]/rsvp.delete.ts

@@ -0,0 +1,23 @@
+import { getEventBySlug, cancelRsvp } from '@commonpub/server';
+
+/**
+ * DELETE /api/events/:slug/rsvp
+ * Cancel RSVP for an event (authenticated).
+ */
+export default defineEventHandler(async (event) => {
+  requireFeature('events');
+  const user = requireAuth(event);
+  const db = useDB();
+  const slug = getRouterParam(event, 'slug');
+  if (!slug) throw createError({ statusCode: 400, statusMessage: 'Missing slug' });
+
+  const existing = await getEventBySlug(db, slug);
+  if (!existing) throw createError({ statusCode: 404, statusMessage: 'Event not found' });
+
+  const cancelled = await cancelRsvp(db, existing.id, user.id);
+  if (!cancelled) {
+    throw createError({ statusCode: 400, statusMessage: 'No RSVP found' });
+  }
+
+  return { cancelled: true };
+});

package/server/api/events/[slug]/rsvp.post.ts

@@ -0,0 +1,23 @@
+import { getEventBySlug, rsvpEvent } from '@commonpub/server';
+
+/**
+ * POST /api/events/:slug/rsvp
+ * RSVP to an event (authenticated).
+ */
+export default defineEventHandler(async (event) => {
+  requireFeature('events');
+  const user = requireAuth(event);
+  const db = useDB();
+  const slug = getRouterParam(event, 'slug');
+  if (!slug) throw createError({ statusCode: 400, statusMessage: 'Missing slug' });
+
+  const existing = await getEventBySlug(db, slug);
+  if (!existing) throw createError({ statusCode: 404, statusMessage: 'Event not found' });
+
+  const result = await rsvpEvent(db, existing.id, user.id);
+  if (!result.success) {
+    throw createError({ statusCode: 400, statusMessage: result.error ?? 'RSVP failed' });
+  }
+
+  return { status: result.status };
+});

package/server/api/events/[slug].delete.ts

@@ -0,0 +1,22 @@
+import { deleteEvent, getEventBySlug } from '@commonpub/server';
+
+/**
+ * DELETE /api/events/:slug
+ * Delete an event (owner or admin).
+ */
+export default defineEventHandler(async (event) => {
+  requireFeature('events');
+  const user = requireAuth(event);
+  const db = useDB();
+  const slug = getRouterParam(event, 'slug');
+  if (!slug) throw createError({ statusCode: 400, statusMessage: 'Missing slug' });
+
+  const existing = await getEventBySlug(db, slug);
+  if (!existing) throw createError({ statusCode: 404, statusMessage: 'Event not found' });
+
+  const isAdmin = user.role === 'admin';
+  const deleted = await deleteEvent(db, existing.id, user.id, isAdmin);
+  if (!deleted) throw createError({ statusCode: 403, statusMessage: 'Unauthorized' });
+
+  return { deleted: true };
+});

package/server/api/events/[slug].get.ts

@@ -0,0 +1,17 @@
+import { getEventBySlug } from '@commonpub/server';
+
+/**
+ * GET /api/events/:slug
+ * Get event details by slug (public).
+ */
+export default defineEventHandler(async (event) => {
+  requireFeature('events');
+  const db = useDB();
+  const slug = getRouterParam(event, 'slug');
+  if (!slug) throw createError({ statusCode: 400, statusMessage: 'Missing slug' });
+
+  const result = await getEventBySlug(db, slug);
+  if (!result) throw createError({ statusCode: 404, statusMessage: 'Event not found' });
+
+  return result;
+});

package/server/api/events/[slug].put.ts

@@ -0,0 +1,38 @@
+import { updateEvent } from '@commonpub/server';
+import { z } from 'zod';
+
+const updateEventSchema = z.object({
+  title: z.string().min(1).max(255).optional(),
+  description: z.string().max(10000).optional(),
+  coverImage: z.string().max(500).optional(),
+  eventType: z.enum(['in-person', 'online', 'hybrid']).optional(),
+  status: z.enum(['draft', 'published', 'active', 'completed', 'cancelled']).optional(),
+  startDate: z.string().datetime().optional(),
+  endDate: z.string().datetime().optional(),
+  timezone: z.string().max(64).optional(),
+  location: z.string().max(500).optional(),
+  locationUrl: z.string().url().max(500).optional(),
+  onlineUrl: z.string().url().max(500).optional(),
+  capacity: z.number().int().min(1).max(100000).optional(),
+  isFeatured: z.boolean().optional(),
+});
+
+/**
+ * PUT /api/events/:slug
+ * Update an event (owner or admin).
+ */
+export default defineEventHandler(async (event) => {
+  requireFeature('events');
+  const user = requireAuth(event);
+  const db = useDB();
+  const slug = getRouterParam(event, 'slug');
+  if (!slug) throw createError({ statusCode: 400, statusMessage: 'Missing slug' });
+
+  const body = await parseBody(event, updateEventSchema);
+  const isAdmin = user.role === 'admin';
+
+  const result = await updateEvent(db, slug, user.id, body, isAdmin);
+  if (!result) throw createError({ statusCode: 404, statusMessage: 'Event not found or unauthorized' });
+
+  return result;
+});

package/server/api/events/index.get.ts

@@ -0,0 +1,21 @@
+import { listEvents } from '@commonpub/server';
+import type { EventStatus } from '@commonpub/server';
+
+/**
+ * GET /api/events
+ * List published/active events (public).
+ */
+export default defineEventHandler(async (event) => {
+  requireFeature('events');
+  const db = useDB();
+  const query = getQuery(event);
+
+  return listEvents(db, {
+    status: (query.status as EventStatus) || undefined,
+    hubId: (query.hubId as string) || undefined,
+    upcoming: query.upcoming === 'true',
+    featured: query.featured === 'true',
+    limit: query.limit ? Number(query.limit) : undefined,
+    offset: query.offset ? Number(query.offset) : undefined,
+  });
+});

package/server/api/events/index.post.ts

@@ -0,0 +1,40 @@
+import { createEvent } from '@commonpub/server';
+import { generateSlug } from '@commonpub/server';
+import { z } from 'zod';
+
+const createEventSchema = z.object({
+  title: z.string().min(1).max(255),
+  description: z.string().max(10000).optional(),
+  coverImage: z.string().max(500).optional(),
+  eventType: z.enum(['in-person', 'online', 'hybrid']).optional(),
+  startDate: z.string().datetime(),
+  endDate: z.string().datetime(),
+  timezone: z.string().max(64).optional(),
+  location: z.string().max(500).optional(),
+  locationUrl: z.string().url().max(500).optional(),
+  onlineUrl: z.string().url().max(500).optional(),
+  capacity: z.number().int().min(1).max(100000).optional(),
+  hubId: z.string().uuid().optional(),
+}).refine(d => new Date(d.endDate) > new Date(d.startDate), {
+  message: 'End date must be after start date',
+  path: ['endDate'],
+});
+
+/**
+ * POST /api/events
+ * Create a new event (authenticated).
+ */
+export default defineEventHandler(async (event) => {
+  requireFeature('events');
+  const user = requireAuth(event);
+  const db = useDB();
+  const body = await parseBody(event, createEventSchema);
+
+  const slug = generateSlug(body.title);
+
+  return createEvent(db, {
+    ...body,
+    slug,
+    createdBy: user.id,
+  });
+});