@commonpub/layer 0.3.37 → 0.3.38

package/layouts/default.vue

@@ -183,8 +183,9 @@ const userUsername = computed(() => user.value?.username ?? '');
           <h4 class="cpub-footer-col-title">Platform</h4>
           <NuxtLink to="/about" class="cpub-footer-link">About</NuxtLink>
           <NuxtLink v-if="docs" to="/docs" class="cpub-footer-link">Docs</NuxtLink>
+          <NuxtLink to="/privacy" class="cpub-footer-link">Privacy Policy</NuxtLink>
+          <NuxtLink to="/terms" class="cpub-footer-link">Terms of Service</NuxtLink>
           <a href="/feed.xml" class="cpub-footer-link">RSS Feed</a>
-          <a href="/sitemap.xml" class="cpub-footer-link">Sitemap</a>
         </nav>
       </div>
       <div class="cpub-footer-bottom">

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@commonpub/layer",
-  "version": "0.3.37",
+  "version": "0.3.38",
   "type": "module",
   "main": "./nuxt.config.ts",
   "files": [
@@ -51,12 +51,12 @@
     "zod": "^4.3.6",
     "@commonpub/auth": "0.5.0",
     "@commonpub/config": "0.7.1",
+    "@commonpub/docs": "0.5.2",
     "@commonpub/editor": "0.5.0",
     "@commonpub/learning": "0.5.0",
-    "@commonpub/docs": "0.5.2",
     "@commonpub/protocol": "0.9.5",
+    "@commonpub/server": "2.21.0",
     "@commonpub/schema": "0.8.13",
-    "@commonpub/server": "2.20.1",
     "@commonpub/ui": "0.7.1"
   },
   "devDependencies": {

package/pages/auth/register.vue

@@ -101,6 +101,13 @@ async function handleSubmit(): Promise<void> {
         />
       </div>
 
+      <p class="register-legal">
+        By creating an account, you agree to our
+        <NuxtLink to="/terms">Terms of Service</NuxtLink>
+        and acknowledge our
+        <NuxtLink to="/privacy">Privacy Policy</NuxtLink>.
+      </p>
+
       <button type="submit" class="submit-btn" :disabled="loading">
         {{ loading ? 'Creating...' : 'Create account' }}
       </button>
@@ -206,6 +213,21 @@ async function handleSubmit(): Promise<void> {
   cursor: not-allowed;
 }
 
+.register-legal {
+  font-size: 11px;
+  color: var(--text-faint);
+  line-height: 1.5;
+}
+
+.register-legal a {
+  color: var(--accent);
+  text-decoration: none;
+}
+
+.register-legal a:hover {
+  text-decoration: underline;
+}
+
 .register-footer {
   text-align: center;
   font-size: 12px;

package/pages/privacy.vue

@@ -0,0 +1,206 @@
+<script setup lang="ts">
+useSeoMeta({
+  title: `Privacy Policy — ${useSiteName()}`,
+  description: 'How we collect, use, and protect your personal data.',
+});
+
+const siteName = useSiteName();
+const { federation: federationEnabled } = useFeatures();
+</script>
+
+<template>
+  <div class="cpub-legal">
+    <div class="cpub-legal-header">
+      <h1 class="cpub-legal-title">Privacy Policy</h1>
+      <p class="cpub-legal-updated">Last updated: April 2026</p>
+    </div>
+
+    <div class="cpub-legal-body">
+      <section class="cpub-legal-section">
+        <h2>1. Who We Are</h2>
+        <p>
+          This {{ siteName }} instance is operated by its administrator (the "data controller").
+          {{ siteName }} is powered by <a href="https://commonpub.io" target="_blank" rel="noopener">CommonPub</a>,
+          an open-source, self-hosted platform. Each instance is independently operated and responsible for its own data processing.
+        </p>
+      </section>
+
+      <section class="cpub-legal-section">
+        <h2>2. What Data We Collect</h2>
+        <p>When you create an account, we collect:</p>
+        <ul>
+          <li><strong>Account data:</strong> email address, username, password (stored as a secure hash)</li>
+          <li><strong>Profile data:</strong> display name, bio, headline, location, website, avatar, banner image, social links, skills, pronouns, timezone (all optional)</li>
+          <li><strong>Content:</strong> projects, articles, blog posts, comments, and other content you create</li>
+          <li><strong>Activity data:</strong> likes, follows, bookmarks, hub memberships, learning path enrollments</li>
+          <li><strong>Messages:</strong> direct messages you send to other users on this instance</li>
+        </ul>
+        <p>We also automatically collect:</p>
+        <ul>
+          <li><strong>Session data:</strong> IP address and browser user agent when you log in, stored for the duration of your session (up to 7 days)</li>
+          <li><strong>Theme preference:</strong> your light/dark mode choice, stored in your browser's local storage</li>
+        </ul>
+      </section>
+
+      <section class="cpub-legal-section">
+        <h2>3. How We Use Your Data</h2>
+        <ul>
+          <li><strong>Providing the service:</strong> displaying your profile, publishing your content, delivering notifications</li>
+          <li><strong>Authentication:</strong> verifying your identity when you log in</li>
+          <li><strong>Security:</strong> protecting against unauthorized access, abuse, and spam</li>
+          <li><strong>Email notifications:</strong> sending notification digests and alerts you've opted into (configurable in settings)</li>
+        </ul>
+      </section>
+
+      <section class="cpub-legal-section">
+        <h2>4. Legal Basis for Processing</h2>
+        <p>We process your data under the following legal bases (GDPR Article 6):</p>
+        <ul>
+          <li><strong>Contract performance (Art. 6(1)(b)):</strong> processing necessary to provide you with the service you signed up for</li>
+          <li><strong>Legitimate interest (Art. 6(1)(f)):</strong> session security, rate limiting, and preventing abuse</li>
+        </ul>
+      </section>
+
+      <section class="cpub-legal-section">
+        <h2>5. Cookies and Local Storage</h2>
+        <p>We use only <strong>strictly necessary</strong> technologies:</p>
+        <ul>
+          <li><strong>Session cookie</strong> (<code>better-auth.session_token</code>): an authentication cookie that identifies your login session. It is httpOnly (not accessible to JavaScript), secure (HTTPS-only in production), and expires after 7 days. This cookie is strictly necessary for the service to function and does not require consent.</li>
+          <li><strong>Theme preference</strong> (<code>cpub-theme</code> in localStorage): stores your light/dark mode choice in your browser. This is a UI preference, not used for tracking.</li>
+        </ul>
+        <p>We do not use any analytics, advertising, or tracking cookies. No cookie consent banner is required because we only use strictly necessary cookies.</p>
+      </section>
+
+      <section v-if="federationEnabled" class="cpub-legal-section">
+        <h2>6. Federation and ActivityPub</h2>
+        <p>This instance participates in the <a href="https://activitypub.rocks" target="_blank" rel="noopener">ActivityPub</a> federation protocol. When you publish content or interact publicly, the following data may be shared with remote instances:</p>
+        <ul>
+          <li>Your username, display name, avatar, and bio</li>
+          <li>Your published content (projects, articles, blog posts)</li>
+          <li>Your public interactions (likes, follows, comments on federated content)</li>
+        </ul>
+        <p>Your email address, location, social links, timezone, and other private profile fields are <strong>never</strong> shared via federation.</p>
+        <p><strong>Important:</strong> Once your data is federated to remote instances, this instance cannot guarantee its deletion on those servers. Remote instances operate independently and may retain cached copies of your public data even after you delete your account here.</p>
+      </section>
+
+      <section class="cpub-legal-section">
+        <h2>{{ federationEnabled ? '7' : '6' }}. Third-Party Services</h2>
+        <p>We load icon fonts from <strong>Font Awesome</strong> via the Cloudflare CDN (<code>cdnjs.cloudflare.com</code>). This means your browser makes requests to Cloudflare's servers, which are subject to <a href="https://www.cloudflare.com/privacypolicy/" target="_blank" rel="noopener">Cloudflare's privacy policy</a>.</p>
+        <p>We do not use any analytics services, advertising networks, or tracking technologies.</p>
+      </section>
+
+      <section class="cpub-legal-section">
+        <h2>{{ federationEnabled ? '8' : '7' }}. Data Retention</h2>
+        <ul>
+          <li><strong>Account data:</strong> retained until you delete your account</li>
+          <li><strong>Session data:</strong> automatically expires after 7 days of inactivity</li>
+          <li><strong>Content:</strong> retained until you delete it or delete your account</li>
+          <li><strong>Audit logs:</strong> retained per the instance operator's policy</li>
+        </ul>
+      </section>
+
+      <section class="cpub-legal-section">
+        <h2>{{ federationEnabled ? '9' : '8' }}. Your Rights</h2>
+        <p>Under the GDPR and similar data protection laws, you have the right to:</p>
+        <ul>
+          <li><strong>Access:</strong> view the data we hold about you (via your profile and settings)</li>
+          <li><strong>Rectification:</strong> update or correct your data (via your profile settings)</li>
+          <li><strong>Erasure:</strong> delete your account and all associated data (via account settings)</li>
+          <li><strong>Portability:</strong> download your data in a machine-readable format (via account settings)</li>
+          <li><strong>Restriction and objection:</strong> contact the instance administrator</li>
+        </ul>
+        <p>To exercise these rights, visit your <NuxtLink to="/settings/account">account settings</NuxtLink> or contact the instance administrator.</p>
+      </section>
+
+      <section class="cpub-legal-section">
+        <h2>{{ federationEnabled ? '10' : '9' }}. Contact</h2>
+        <p>For privacy-related inquiries, contact the administrator of this {{ siteName }} instance.</p>
+      </section>
+    </div>
+  </div>
+</template>
+
+<style scoped>
+.cpub-legal {
+  max-width: 740px;
+  margin: 0 auto;
+  padding: 48px 24px 80px;
+}
+
+.cpub-legal-header {
+  margin-bottom: 40px;
+}
+
+.cpub-legal-title {
+  font-size: 28px;
+  font-weight: 700;
+  margin-bottom: 8px;
+}
+
+.cpub-legal-updated {
+  font-size: 12px;
+  color: var(--text-faint);
+  font-family: var(--font-mono);
+}
+
+.cpub-legal-body {
+  display: flex;
+  flex-direction: column;
+  gap: 32px;
+}
+
+.cpub-legal-section h2 {
+  font-size: 16px;
+  font-weight: 600;
+  margin-bottom: 12px;
+}
+
+.cpub-legal-section p {
+  font-size: 14px;
+  line-height: 1.7;
+  color: var(--text-dim);
+  margin-bottom: 8px;
+}
+
+.cpub-legal-section ul {
+  padding-left: 20px;
+  margin: 8px 0;
+}
+
+.cpub-legal-section li {
+  font-size: 14px;
+  line-height: 1.7;
+  color: var(--text-dim);
+  margin-bottom: 4px;
+}
+
+.cpub-legal-section strong {
+  color: var(--text);
+}
+
+.cpub-legal-section code {
+  font-family: var(--font-mono);
+  font-size: 12px;
+  padding: 1px 5px;
+  background: var(--surface2);
+  border: var(--border-width-default) solid var(--border);
+}
+
+.cpub-legal-section a {
+  color: var(--accent);
+  text-decoration: none;
+}
+
+.cpub-legal-section a:hover {
+  text-decoration: underline;
+}
+
+@media (max-width: 640px) {
+  .cpub-legal {
+    padding: 24px 16px 60px;
+  }
+  .cpub-legal-title {
+    font-size: 22px;
+  }
+}
+</style>

package/pages/settings/account.vue

@@ -86,6 +86,14 @@ async function handleDeleteAccount(): Promise<void> {
       </button>
     </form>
 
+    <div class="cpub-form-group">
+      <label class="cpub-form-label">Your Data</label>
+      <p class="cpub-form-hint cpub-mb-2">Download a copy of all your data in JSON format.</p>
+      <a href="/api/auth/export-data" download class="cpub-btn cpub-btn-sm">
+        <i class="fa-solid fa-download"></i> Download My Data
+      </a>
+    </div>
+
     <hr class="cpub-danger-divider" />
 
     <div>
@@ -126,6 +134,7 @@ async function handleDeleteAccount(): Promise<void> {
 
 <style scoped>
 .cpub-mt-2 { margin-top: var(--space-2); }
+.cpub-mb-2 { margin-bottom: var(--space-2); }
 
 .cpub-danger-divider {
   border: none;

package/pages/terms.vue

@@ -0,0 +1,168 @@
+<script setup lang="ts">
+useSeoMeta({
+  title: `Terms of Service — ${useSiteName()}`,
+  description: 'Terms and conditions for using this platform.',
+});
+
+const siteName = useSiteName();
+</script>
+
+<template>
+  <div class="cpub-legal">
+    <div class="cpub-legal-header">
+      <h1 class="cpub-legal-title">Terms of Service</h1>
+      <p class="cpub-legal-updated">Last updated: April 2026</p>
+    </div>
+
+    <div class="cpub-legal-body">
+      <section class="cpub-legal-section">
+        <h2>1. Acceptance</h2>
+        <p>By creating an account or using {{ siteName }}, you agree to these Terms of Service and our <NuxtLink to="/privacy">Privacy Policy</NuxtLink>. If you do not agree, do not use the service.</p>
+      </section>
+
+      <section class="cpub-legal-section">
+        <h2>2. Your Account</h2>
+        <ul>
+          <li>You must provide accurate information when creating an account.</li>
+          <li>You are responsible for keeping your login credentials secure.</li>
+          <li>You must be at least 16 years old to create an account (or the minimum age required by your jurisdiction).</li>
+          <li>One person, one account. Automated or bot accounts require prior approval from the instance administrator.</li>
+        </ul>
+      </section>
+
+      <section class="cpub-legal-section">
+        <h2>3. Your Content</h2>
+        <p>You retain ownership of content you create on {{ siteName }}. By publishing content, you grant us a license to display, distribute, and federate it as part of operating the platform.</p>
+        <ul>
+          <li>You must have the right to publish any content you upload (no plagiarism, no copyright infringement).</li>
+          <li>Content you import must be your own original work.</li>
+          <li>You may delete your content at any time. Federated copies on remote instances are outside our control.</li>
+          <li>We may remove content that violates these terms or applicable law.</li>
+        </ul>
+      </section>
+
+      <section class="cpub-legal-section">
+        <h2>4. Acceptable Use</h2>
+        <p>You agree not to:</p>
+        <ul>
+          <li>Post illegal content or content that infringes others' rights</li>
+          <li>Harass, threaten, or abuse other users</li>
+          <li>Spam, phish, or distribute malware</li>
+          <li>Attempt to gain unauthorized access to the platform or other users' accounts</li>
+          <li>Scrape, crawl, or automatically collect data from the platform beyond what public APIs allow</li>
+          <li>Impersonate another person or entity</li>
+          <li>Use the platform for commercial advertising without permission</li>
+        </ul>
+      </section>
+
+      <section class="cpub-legal-section">
+        <h2>5. Moderation</h2>
+        <p>The instance administrator may, at their discretion:</p>
+        <ul>
+          <li>Remove content that violates these terms</li>
+          <li>Suspend or delete accounts that violate these terms</li>
+          <li>Block federation with other instances</li>
+        </ul>
+        <p>We aim to handle moderation decisions transparently and fairly.</p>
+      </section>
+
+      <section class="cpub-legal-section">
+        <h2>6. Availability and Changes</h2>
+        <p>We provide {{ siteName }} on an "as is" basis. We do not guarantee uninterrupted availability. We may modify or discontinue the service at any time.</p>
+        <p>These terms may be updated. Continued use after changes constitutes acceptance.</p>
+      </section>
+
+      <section class="cpub-legal-section">
+        <h2>7. Limitation of Liability</h2>
+        <p>To the fullest extent permitted by law, the instance operator is not liable for any indirect, incidental, or consequential damages arising from your use of the platform. This includes data loss, service interruptions, or actions of other users or federated instances.</p>
+      </section>
+
+      <section class="cpub-legal-section">
+        <h2>8. Account Deletion</h2>
+        <p>You may delete your account at any time from your <NuxtLink to="/settings/account">account settings</NuxtLink>. Account deletion is permanent and removes all your data, content, and activity from this instance. See our <NuxtLink to="/privacy">Privacy Policy</NuxtLink> for details on data retention and federation.</p>
+      </section>
+
+      <section class="cpub-legal-section">
+        <h2>9. Contact</h2>
+        <p>For questions about these terms, contact the administrator of this {{ siteName }} instance.</p>
+      </section>
+    </div>
+  </div>
+</template>
+
+<style scoped>
+.cpub-legal {
+  max-width: 740px;
+  margin: 0 auto;
+  padding: 48px 24px 80px;
+}
+
+.cpub-legal-header {
+  margin-bottom: 40px;
+}
+
+.cpub-legal-title {
+  font-size: 28px;
+  font-weight: 700;
+  margin-bottom: 8px;
+}
+
+.cpub-legal-updated {
+  font-size: 12px;
+  color: var(--text-faint);
+  font-family: var(--font-mono);
+}
+
+.cpub-legal-body {
+  display: flex;
+  flex-direction: column;
+  gap: 32px;
+}
+
+.cpub-legal-section h2 {
+  font-size: 16px;
+  font-weight: 600;
+  margin-bottom: 12px;
+}
+
+.cpub-legal-section p {
+  font-size: 14px;
+  line-height: 1.7;
+  color: var(--text-dim);
+  margin-bottom: 8px;
+}
+
+.cpub-legal-section ul {
+  padding-left: 20px;
+  margin: 8px 0;
+}
+
+.cpub-legal-section li {
+  font-size: 14px;
+  line-height: 1.7;
+  color: var(--text-dim);
+  margin-bottom: 4px;
+}
+
+.cpub-legal-section strong {
+  color: var(--text);
+}
+
+.cpub-legal-section a {
+  color: var(--accent);
+  text-decoration: none;
+}
+
+.cpub-legal-section a:hover {
+  text-decoration: underline;
+}
+
+@media (max-width: 640px) {
+  .cpub-legal {
+    padding: 24px 16px 60px;
+  }
+  .cpub-legal-title {
+    font-size: 22px;
+  }
+}
+</style>

package/server/api/auth/delete-user.post.ts

@@ -0,0 +1,55 @@
+import { deleteUser, federateDelete, listContent } from '@commonpub/server';
+import { contentItems } from '@commonpub/schema';
+import { eq, and } from 'drizzle-orm';
+
+export default defineEventHandler(async (event): Promise<{ success: true }> => {
+  const user = requireAuth(event);
+  const db = useDB();
+  const config = useConfig();
+
+  // Prevent deleting the last admin
+  if (user.role === 'admin') {
+    const { users } = await import('@commonpub/schema');
+    const admins = await db
+      .select({ id: users.id })
+      .from(users)
+      .where(eq(users.role, 'admin'))
+      .limit(2);
+    if (admins.length <= 1) {
+      throw createError({
+        statusCode: 400,
+        statusMessage: 'Cannot delete the only admin account',
+      });
+    }
+  }
+
+  // Federation cleanup: send Delete activities for published content
+  if (config.features.federation) {
+    const domain = config.instance.domain;
+    if (domain) {
+      const published = await db
+        .select({ id: contentItems.id })
+        .from(contentItems)
+        .where(and(
+          eq(contentItems.authorId, user.id),
+          eq(contentItems.status, 'published'),
+        ));
+
+      for (const item of published) {
+        try {
+          await federateDelete(db, item.id, domain, user.username);
+        } catch {
+          // Best-effort — don't block deletion if federation fails
+        }
+      }
+    }
+  }
+
+  // Delete the user (cascades to all related data)
+  await deleteUser(db, user.id, user.id);
+
+  // Clear the session cookie
+  deleteCookie(event, 'better-auth.session_token', { path: '/' });
+
+  return { success: true };
+});

package/server/api/auth/export-data.get.ts

@@ -0,0 +1,15 @@
+import { exportUserData } from '@commonpub/server';
+
+export default defineEventHandler(async (event) => {
+  const user = requireAuth(event);
+  const db = useDB();
+
+  const data = await exportUserData(db, user.id);
+
+  const filename = `commonpub-export-${user.username}-${new Date().toISOString().split('T')[0]}.json`;
+
+  setHeader(event, 'Content-Type', 'application/json');
+  setHeader(event, 'Content-Disposition', `attachment; filename="${filename}"`);
+
+  return data;
+});