@commonpub/layer 0.81.0 → 0.83.0

package/server/api/admin/federation/refederate.post.ts

@@ -2,8 +2,22 @@ import { contentItems, hubs, hubPosts } from '@commonpub/schema';
 import { federateContent, federateHubPost, federateHubActor } from '@commonpub/server';
 import { eq, and, gte, desc, isNull } from 'drizzle-orm';
 import { z } from 'zod';
+import { createHash, timingSafeEqual } from 'node:crypto';
 import { extractDomain } from '../../../utils/inbox';
 
+/**
+ * Constant-time secret comparison. `===` on the raw strings short-circuits at the
+ * first differing byte, leaking the secret's length and a per-character timing
+ * oracle on the signing secret. We SHA-256 both sides to a fixed 32-byte digest
+ * first (so neither length nor content leaks via timing), then compare the digests
+ * with `timingSafeEqual` (which requires equal-length buffers — always true here).
+ */
+function secretsMatch(a: string, b: string): boolean {
+  const da = createHash('sha256').update(a).digest();
+  const db = createHash('sha256').update(b).digest();
+  return timingSafeEqual(da, db);
+}
+
 /** Default re-federation window when neither `all` nor `since` is given — avoids a delivery storm. */
 const DEFAULT_SINCE_DAYS = 30;
 /** Hard cap on a bounded (non-`all`) re-federation run. */
@@ -27,7 +41,10 @@ export default defineEventHandler(async (event) => {
   // Allow CLI trigger via AUTH_SECRET header (for server-side automation)
   const cliSecret = getRequestHeader(event, 'x-admin-secret');
   const runtimeConfig = useRuntimeConfig();
-  if (cliSecret && cliSecret === runtimeConfig.authSecret) {
+  const authSecret = runtimeConfig.authSecret as string | undefined;
+  // Fail-closed: only accept the shared-secret bypass when BOTH the header and a
+  // configured server secret are present, compared in constant time.
+  if (cliSecret && authSecret && secretsMatch(cliSecret, authSecret)) {
     // Authorized via shared secret
   } else {
     requirePermission(event, 'federation.manage');

package/server/api/admin/layouts/[id]/publish.post.ts

@@ -17,10 +17,7 @@ export default defineEventHandler(async (event) => {
   const admin = requirePermission(event, 'layout.manage');
   const db = useDB();
 
-  const id = getRouterParam(event, 'id');
-  if (!id) {
-    throw createError({ statusCode: 400, statusMessage: 'Missing id param' });
-  }
+  const { id } = parseParams(event, { id: 'uuid' });
 
   const existing = await getLayoutById(db, id);
   if (!existing) {

package/server/api/admin/layouts/[id]/versions/[versionId]/revert.post.ts

@@ -18,11 +18,7 @@ export default defineEventHandler(async (event) => {
   const admin = requirePermission(event, 'layout.manage');
   const db = useDB();
 
-  const id = getRouterParam(event, 'id');
-  const versionId = getRouterParam(event, 'versionId');
-  if (!id || !versionId) {
-    throw createError({ statusCode: 400, statusMessage: 'Missing id or versionId param' });
-  }
+  const { id, versionId } = parseParams(event, { id: 'uuid', versionId: 'uuid' });
 
   const existing = await getLayoutById(db, id);
   if (!existing) {

package/server/api/admin/layouts/[id]/versions/index.get.ts

@@ -15,10 +15,7 @@ export default defineEventHandler(async (event) => {
   requirePermission(event, 'layout.manage');
   const db = useDB();
 
-  const id = getRouterParam(event, 'id');
-  if (!id) {
-    throw createError({ statusCode: 400, statusMessage: 'Missing id param' });
-  }
+  const { id } = parseParams(event, { id: 'uuid' });
 
   const existing = await getLayoutById(db, id);
   if (!existing) {

package/server/api/admin/layouts/[id].delete.ts

@@ -18,10 +18,7 @@ export default defineEventHandler(async (event): Promise<{ ok: true; id: string
   const admin = requirePermission(event, 'layout.manage');
   const db = useDB();
 
-  const id = getRouterParam(event, 'id');
-  if (!id) {
-    throw createError({ statusCode: 400, statusMessage: 'Missing id param' });
-  }
+  const { id } = parseParams(event, { id: 'uuid' });
 
   const existing = await getLayoutById(db, id);
   if (!existing) {

package/server/api/admin/layouts/[id].get.ts

@@ -13,10 +13,7 @@ export default defineEventHandler(async (event) => {
   requireFeature('layoutEngine');
   requirePermission(event, 'layout.manage');
 
-  const id = getRouterParam(event, 'id');
-  if (!id) {
-    throw createError({ statusCode: 400, statusMessage: 'Missing id param' });
-  }
+  const { id } = parseParams(event, { id: 'uuid' });
 
   const db = useDB();
   const layout = await getLayoutById(db, id);

package/server/api/admin/layouts/[id].put.ts

@@ -30,10 +30,7 @@ export default defineEventHandler(async (event) => {
   const admin = requirePermission(event, 'layout.manage');
   const db = useDB();
 
-  const id = getRouterParam(event, 'id');
-  if (!id) {
-    throw createError({ statusCode: 400, statusMessage: 'Missing id param' });
-  }
+  const { id } = parseParams(event, { id: 'uuid' });
 
   const existing = await getLayoutById(db, id);
   if (!existing) {

package/server/api/admin/permissions.get.ts

@@ -0,0 +1,14 @@
+import { PERMISSIONS } from '@commonpub/schema';
+
+// The grantable permission catalog — drives the role editor's checkbox list.
+// `*` and `admin.access` are the admin bypass: they're reserved to the `admin`
+// system role and stripped from every other role server-side (see
+// rbac/admin.ts sanitizeGrants), so we don't offer them in the editor (a
+// checkbox for them would silently never stick). Gated on `roles.manage`.
+const ADMIN_BYPASS_GRANTS = new Set(['*', 'admin.access']);
+
+export default defineEventHandler((event): string[] => {
+  requireFeature('admin');
+  requirePermission(event, 'roles.manage');
+  return PERMISSIONS.filter((p) => !ADMIN_BYPASS_GRANTS.has(p));
+});

package/server/api/admin/roles/[id]/index.delete.ts

@@ -0,0 +1,25 @@
+import { deleteRole } from '@commonpub/server';
+
+// Delete a custom role (system roles are protected). Cascades its grants +
+// user assignments via the FK.
+export default defineEventHandler(async (event): Promise<{ deleted: true }> => {
+  requireFeature('admin');
+  requirePermission(event, 'roles.manage');
+  const db = useDB();
+  const actor = requireAuth(event);
+  const { id } = parseParams(event, { id: 'uuid' });
+
+  try {
+    await deleteRole(db, id, actor.id);
+  } catch (err) {
+    if (err instanceof Error && err.message === 'ROLE_NOT_FOUND') {
+      throw createError({ statusCode: 404, statusMessage: 'Role not found' });
+    }
+    if (err instanceof Error && err.message === 'ROLE_IS_SYSTEM') {
+      throw createError({ statusCode: 400, statusMessage: 'System roles cannot be deleted' });
+    }
+    throw err;
+  }
+  invalidateAllPermissions();
+  return { deleted: true };
+});

package/server/api/admin/roles/[id]/index.put.ts

@@ -0,0 +1,24 @@
+import { updateRole } from '@commonpub/server';
+import { updateRoleSchema } from '@commonpub/schema';
+
+// Edit a role's name/description/permissions (system roles included — e.g. tune
+// the staff moderator set). The admin role always keeps its `*` bypass.
+export default defineEventHandler(async (event): Promise<{ ok: true }> => {
+  requireFeature('admin');
+  requirePermission(event, 'roles.manage');
+  const db = useDB();
+  const actor = requireAuth(event);
+  const { id } = parseParams(event, { id: 'uuid' });
+  const input = await parseBody(event, updateRoleSchema);
+
+  try {
+    await updateRole(db, id, input, actor.id);
+  } catch (err) {
+    if (err instanceof Error && err.message === 'ROLE_NOT_FOUND') {
+      throw createError({ statusCode: 404, statusMessage: 'Role not found' });
+    }
+    throw err;
+  }
+  invalidateAllPermissions();
+  return { ok: true };
+});

package/server/api/admin/roles/index.get.ts

@@ -0,0 +1,10 @@
+import { listRolesWithPermissions } from '@commonpub/server';
+import type { RoleWithPermissions } from '@commonpub/server';
+
+// List all roles with their permission keys + member counts. Gated on
+// `roles.manage` (RBAC self-administration).
+export default defineEventHandler(async (event): Promise<RoleWithPermissions[]> => {
+  requireFeature('admin');
+  requirePermission(event, 'roles.manage');
+  return listRolesWithPermissions(useDB());
+});

package/server/api/admin/roles/index.post.ts

@@ -0,0 +1,27 @@
+import { createRole } from '@commonpub/server';
+import { createRoleSchema } from '@commonpub/schema';
+
+// Create a custom role. Gated on `roles.manage`. New grants take effect on the
+// next request (≤ cache TTL); invalidate the whole cache to be immediate.
+export default defineEventHandler(async (event): Promise<{ id: string }> => {
+  requireFeature('admin');
+  requirePermission(event, 'roles.manage');
+  const db = useDB();
+  const actor = requireAuth(event);
+  const input = await parseBody(event, createRoleSchema);
+
+  let result;
+  try {
+    result = await createRole(db, input, actor.id);
+  } catch (err) {
+    if (err instanceof Error && err.message === 'ROLE_KEY_TAKEN') {
+      throw createError({ statusCode: 409, statusMessage: 'A role with that key already exists' });
+    }
+    if (err instanceof Error && err.message === 'ROLE_KEY_RESERVED') {
+      throw createError({ statusCode: 400, statusMessage: 'That key is reserved for a system role' });
+    }
+    throw err;
+  }
+  invalidateAllPermissions();
+  return result;
+});

package/server/api/admin/users/[id]/role.put.ts

@@ -8,5 +8,24 @@ export default defineEventHandler(async (event): Promise<void> => {
   const { id } = parseParams(event, { id: 'uuid' });
   const input = await parseBody(event, adminUpdateRoleSchema);
 
-  return updateUserRole(db, id, input.role, admin.id);
+  // Minting an admin is admin-only: `users.manage` lets a custom role manage
+  // non-admin users, but must not be a backdoor to creating admins (which would
+  // turn `users.manage` into root). Promotion to the admin system role requires
+  // the admin floor itself.
+  if (input.role === 'admin') requirePermission(event, 'admin.access');
+
+  try {
+    await updateUserRole(db, id, input.role, admin.id);
+  } catch (err) {
+    if (err instanceof Error && err.message === 'LAST_ADMIN') {
+      throw createError({ statusCode: 400, statusMessage: 'Cannot demote the only admin account' });
+    }
+    if (err instanceof Error && err.message === 'User not found') {
+      throw createError({ statusCode: 404, statusMessage: 'User not found' });
+    }
+    throw err;
+  }
+  // The role change alters effective permissions — drop the cached set so the
+  // next request resolves fresh (cache lives in the layer; commit happened above).
+  invalidatePermissions(id);
 });

package/server/api/admin/users/[id]/roles.get.ts

@@ -0,0 +1,10 @@
+import { getUserRoleIds } from '@commonpub/server';
+
+// The role IDs a user currently holds (system + custom) — for the admin UI's
+// role assignment checkboxes.
+export default defineEventHandler(async (event): Promise<{ roleIds: string[] }> => {
+  requireFeature('admin');
+  requirePermission(event, 'roles.manage');
+  const { id } = parseParams(event, { id: 'uuid' });
+  return { roleIds: await getUserRoleIds(useDB(), id) };
+});

package/server/api/admin/users/[id]/roles.put.ts

@@ -0,0 +1,17 @@
+import { setUserCustomRoles } from '@commonpub/server';
+import { setUserRolesSchema } from '@commonpub/schema';
+
+// Replace a user's CUSTOM (non-system) role assignments. The system/primary role
+// is managed separately via role.put.ts; system role IDs here are ignored.
+export default defineEventHandler(async (event): Promise<{ ok: true }> => {
+  requireFeature('admin');
+  requirePermission(event, 'roles.manage');
+  const db = useDB();
+  const actor = requireAuth(event);
+  const { id } = parseParams(event, { id: 'uuid' });
+  const input = await parseBody(event, setUserRolesSchema);
+
+  await setUserCustomRoles(db, id, input.roleIds, actor.id);
+  invalidatePermissions(id);
+  return { ok: true };
+});

package/server/api/auth/federated/login.post.ts

@@ -1,5 +1,5 @@
 import { discoverOAuthEndpoint } from '@commonpub/auth';
-import { storeOAuthState, isDomainTrusted } from '@commonpub/server';
+import { storeOAuthState, isDomainTrusted, createSafeActorFetchFn } from '@commonpub/server';
 import { z } from 'zod';
 
 const loginSchema = z.object({
@@ -27,7 +27,10 @@ export default defineEventHandler(async (event) => {
     });
   }
 
-  const endpoints = await discoverOAuthEndpoint(instanceDomain, 'instance');
+  // SSRF-safe fetch (pinned dispatcher): even a trusted domain's WebFinger/registration
+  // response must not be able to drive a request to an internal address (audit session 204).
+  const safeFetch = createSafeActorFetchFn();
+  const endpoints = await discoverOAuthEndpoint(instanceDomain, 'instance', safeFetch as unknown as typeof fetch);
   if (!endpoints) {
     throw createError({
       statusCode: 502,
@@ -43,15 +46,19 @@ export default defineEventHandler(async (event) => {
   if (!clientId) {
     try {
       const regUrl = endpoints.tokenEndpoint.replace('/token', '/register');
-      const regResult = await $fetch<{ client_id: string; client_secret: string }>(regUrl, {
+      // regUrl is derived from the remote's discovery response — route the POST through
+      // the SSRF-safe fetch so it can't be pointed at an internal address.
+      const regRes = await safeFetch(regUrl, {
         method: 'POST',
-        body: {
+        headers: { 'content-type': 'application/json' },
+        body: JSON.stringify({
           client_name: config.instance.name || config.instance.domain,
           redirect_uris: [redirectUri],
           client_uri: `https://${config.instance.domain}`,
           instance_domain: config.instance.domain,
-        },
+        }),
       });
+      const regResult = (await regRes.json()) as { client_id: string; client_secret: string };
       effectiveClientId = regResult.client_id;
       effectiveClientSecret = regResult.client_secret;
     } catch {

package/server/api/content/[id]/__tests__/versions.get.test.ts

@@ -0,0 +1,127 @@
+/**
+ * Auth-gating proving test for `GET /api/content/:id/versions`
+ * (audit session 204).
+ *
+ * Version history (titles, author, timestamps — incl. for unpublished drafts)
+ * was world-readable for any content id. The fix requires an authenticated
+ * caller AND that they be the content owner OR hold `content.moderate`.
+ *
+ * This drives the REAL route handler against a REAL (PGlite) DB seeded with a
+ * content item + a version row. The Nitro auth auto-imports are stubbed with
+ * their REAL semantics (requireAuth throws 401 when anonymous; ownerOrPermission
+ * returns true iff the caller is the owner or holds the permission), reading a
+ * per-test `currentUser` — so the handler's actual branch on the gate boolean
+ * and the DB row's authorId is exercised.
+ */
+import { describe, it, expect, beforeAll } from 'vitest';
+import type { H3Event } from 'h3';
+import {
+  createTestDB,
+  createTestUser,
+} from '../../../../../../../packages/server/src/__tests__/helpers/testdb';
+import { contentItems, contentVersions } from '@commonpub/schema';
+import type { DB } from '../../../../../../../packages/server/src/types';
+
+interface HttpError extends Error {
+  statusCode: number;
+}
+interface TestUser {
+  id: string;
+  permissions: Set<string>;
+}
+
+let db: DB;
+let contentId: string;
+let ownerId: string;
+// null => anonymous. permissions => the set the caller holds.
+let currentUser: TestUser | null;
+
+{
+  const g = globalThis as Record<string, unknown>;
+  g.defineEventHandler = (fn: unknown): unknown => fn;
+  g.createError = (opts: { statusCode: number; statusMessage: string }): HttpError => {
+    const e = new Error(opts.statusMessage) as HttpError;
+    e.statusCode = opts.statusCode;
+    return e;
+  };
+  // Real semantics: 401 when there is no authenticated user.
+  g.requireAuth = (_event: H3Event): { id: string } => {
+    if (!currentUser) {
+      const e = new Error('Unauthorized') as HttpError;
+      e.statusCode = 401;
+      throw e;
+    }
+    return { id: currentUser.id };
+  };
+  g.useDB = (): DB => db;
+  // parseParams returns the id under test (route would parse from the path).
+  g.parseParams = (): { id: string } => ({ id: contentId });
+  // Real semantics: owner OR permission-holder.
+  g.ownerOrPermission = (_event: H3Event, resourceOwnerId: string, perm: string): boolean => {
+    if (!currentUser) return false;
+    if (currentUser.id === resourceOwnerId) return true;
+    return currentUser.permissions.has(perm);
+  };
+}
+
+const handlerMod = await import('../versions.get');
+const handler = handlerMod.default as (event: H3Event) => Promise<unknown>;
+const fakeEvent = {} as H3Event;
+
+function statusOf(p: Promise<unknown>): Promise<number | 'no-throw'> {
+  return p.then(
+    () => 'no-throw' as const,
+    (e: HttpError) => e.statusCode,
+  );
+}
+
+beforeAll(async () => {
+  db = await createTestDB();
+  const owner = await createTestUser(db, { username: 'owner' });
+  ownerId = owner.id;
+  const [item] = await db
+    .insert(contentItems)
+    .values({
+      authorId: owner.id,
+      type: 'blog',
+      title: 'Draft',
+      slug: 'draft',
+      status: 'draft',
+      visibility: 'private',
+      content: [],
+    } as never)
+    .returning();
+  contentId = (item as { id: string }).id;
+  await db.insert(contentVersions).values({
+    contentId,
+    version: 1,
+    title: 'Draft v1',
+    createdById: owner.id,
+  } as never);
+}, 30_000); // PGlite pushSchema is heavy; generous setup timeout under parallel load
+
+describe('versions.get — author/moderator-only', () => {
+  it('anonymous caller → 401', async () => {
+    currentUser = null;
+    expect(await statusOf(handler(fakeEvent))).toBe(401);
+  });
+
+  it('authenticated non-owner without content.moderate → 403', async () => {
+    currentUser = { id: 'some-other-user-id', permissions: new Set() };
+    expect(await statusOf(handler(fakeEvent))).toBe(403);
+  });
+
+  it('owner → returns the version list', async () => {
+    currentUser = { id: ownerId, permissions: new Set() };
+    const result = (await handler(fakeEvent)) as Array<{ title: string | null }>;
+    expect(Array.isArray(result)).toBe(true);
+    expect(result.length).toBe(1);
+    expect(result[0]?.title).toBe('Draft v1');
+  });
+
+  it('non-owner WITH content.moderate → returns the version list', async () => {
+    currentUser = { id: 'mod-user-id', permissions: new Set(['content.moderate']) };
+    const result = (await handler(fakeEvent)) as unknown[];
+    expect(result.length).toBe(1);
+  });
+});

package/server/api/content/[id]/build.get.ts

@@ -0,0 +1,11 @@
+import { isBuildMarked } from '@commonpub/server';
+
+// Hydration counterpart to build.post.ts (which TOGGLES): lets the content view
+// show the correct "I Built This" state on load, so a reload doesn't render the
+// button inactive and a re-click doesn't silently un-mark + decrement the count.
+export default defineEventHandler(async (event): Promise<{ marked: boolean }> => {
+  const user = requireAuth(event);
+  const db = useDB();
+  const { id } = parseParams(event, { id: 'uuid' });
+  return { marked: await isBuildMarked(db, id, user.id) };
+});

package/server/api/content/[id]/report.post.ts

@@ -2,6 +2,8 @@ import { createReport } from '@commonpub/server';
 import { createReportSchema } from '@commonpub/schema';
 
 export default defineEventHandler(async (event): Promise<{ id: string }> => {
+  // NOTE: abuse reporting is a safety function and deliberately NOT gated behind the
+  // `social` feature flag (it must work even where social interactions are off). (session 204)
   const db = useDB();
   const user = requireAuth(event);
   const { id } = parseParams(event, { id: 'uuid' });

package/server/api/content/[id]/versions.get.ts

@@ -1,9 +1,24 @@
 import { listContentVersions } from '@commonpub/server';
 import type { ContentVersionItem } from '@commonpub/server';
+import { contentItems } from '@commonpub/schema';
+import { eq } from 'drizzle-orm';
 
 export default defineEventHandler(async (event): Promise<ContentVersionItem[]> => {
+  requireAuth(event);
   const db = useDB();
   const { id } = parseParams(event, { id: 'uuid' });
 
+  // Version history (titles, author, timestamps, incl. for unpublished drafts) is
+  // author/moderator-only — was world-readable for any content id (audit session 204).
+  const [row] = await db
+    .select({ authorId: contentItems.authorId })
+    .from(contentItems)
+    .where(eq(contentItems.id, id))
+    .limit(1);
+  if (!row) throw createError({ statusCode: 404, statusMessage: 'Content not found' });
+  if (!ownerOrPermission(event, row.authorId, 'content.moderate')) {
+    throw createError({ statusCode: 403, statusMessage: 'Forbidden' });
+  }
+
   return listContentVersions(db, id);
 });

package/server/api/contests/[slug]/advance.post.ts

@@ -1,8 +1,9 @@
-import { getContestBySlug, advanceContestStage } from '@commonpub/server';
+import { getContestBySlug, advanceContestStage, isContestEditor } from '@commonpub/server';
 import { contestAdvanceSchema } from '@commonpub/schema';
 
 // Phase B2 — apply an advancement cut at a review stage (cull the cohort to top-N
-// or a manual pick, snapshot scores, advance to the next stage). Owner-gated.
+// or a manual pick, snapshot scores, advance to the next stage). Authorized for
+// the owner, a per-contest `editor`, or a `contest.manage` holder.
 export default defineEventHandler(async (event): Promise<{ advanced: boolean; advancedCount: number; eliminatedCount: number }> => {
   requireFeature('contests');
   const db = useDB();
@@ -13,10 +14,14 @@ export default defineEventHandler(async (event): Promise<{ advanced: boolean; ad
   const contest = await getContestBySlug(db, slug);
   if (!contest) throw createError({ statusCode: 404, statusMessage: 'Contest not found' });
 
-  const result = await advanceContestStage(db, contest.id, user.id, input);
+  const canManage =
+    ownerOrPermission(event, contest.createdById, 'contest.manage') ||
+    (await isContestEditor(db, contest.id, user.id));
+
+  const result = await advanceContestStage(db, contest.id, user.id, input, canManage);
   if (!result.advanced) {
-    const owner = /owner/i.test(result.error ?? '');
-    throw createError({ statusCode: owner ? 403 : 400, statusMessage: result.error || 'Advancement failed' });
+    const denied = /authoriz|owner/i.test(result.error ?? '');
+    throw createError({ statusCode: denied ? 403 : 400, statusMessage: result.error || 'Advancement failed' });
   }
   return result;
 });

package/server/api/contests/[slug]/entries/[entryId]/private.get.ts

@@ -0,0 +1,48 @@
+import { getContestBySlug, getContestEntry, canViewContest, getEntryPrivateData } from '@commonpub/server';
+import type { EntryPrivateData } from '@commonpub/server';
+
+/**
+ * GET /api/contests/:slug/entries/:entryId/private
+ * Entrant PII + agreement acceptances for one entry. This is the ONLY way to
+ * read PII — it never travels through the normal entries endpoints. Gated by the
+ * `contest.pii` permission (admin; staff/others only when RBAC is enabled and the
+ * grant is assigned) OR the requester being the entrant (own PII). Returns an empty
+ * shape when the entry has no stored PII/agreements.
+ */
+export default defineEventHandler(async (event): Promise<EntryPrivateData> => {
+  requireFeature('contests');
+  const user = requireAuth(event);
+  const db = useDB();
+  // PII response — never cache it (browser HTTP cache, bfcache, or any intermediary).
+  setHeader(event, 'Cache-Control', 'no-store');
+  const { slug, entryId } = parseParams(event, { slug: 'string', entryId: 'uuid' });
+
+  const contest = await getContestBySlug(db, slug);
+  if (!contest) throw createError({ statusCode: 404, statusMessage: 'Contest not found' });
+  if (!(await canViewContest(db, contest, user))) {
+    throw createError({ statusCode: 404, statusMessage: 'Contest not found' });
+  }
+
+  const entry = await getContestEntry(db, entryId);
+  if (!entry || entry.contestId !== contest.id) {
+    throw createError({ statusCode: 404, statusMessage: 'Entry not found' });
+  }
+
+  // Authz: the entrant reads their own PII; everyone else needs contest.pii.
+  const isEntrant = user.id === entry.userId;
+  if (!isEntrant && !hasPermission(event, 'contest.pii')) {
+    throw createError({ statusCode: 403, statusMessage: 'You do not have access to entrant personal data' });
+  }
+
+  const data = await getEntryPrivateData(db, entryId);
+  // Always anchor contestId/userId to the validated context (getEntryPrivateData
+  // can't fill them when an entry has agreements but no stored PII row).
+  return {
+    contestId: contest.id,
+    entryId,
+    userId: entry.userId,
+    fields: data?.fields ?? {},
+    updatedAt: data?.updatedAt ?? new Date(0),
+    agreements: data?.agreements ?? [],
+  };
+});

package/server/api/contests/[slug]/entries/[entryId]/submission.put.ts

@@ -27,7 +27,7 @@ export default defineEventHandler(async (event): Promise<{ submitted: boolean; s
   }
 
   const input = await parseBody(event, stageSubmissionSchema);
-  const result = await submitStageArtifact(db, entryId, input.stageId, input.fields, user.id);
+  const result = await submitStageArtifact(db, entryId, input.stageId, input.fields, user.id, getRequestIP(event) ?? null);
   if (!result.submitted) {
     throw createError({ statusCode: 400, statusMessage: result.error ?? 'Could not submit' });
   }

package/server/api/contests/[slug]/entries/[entryId]/vote.delete.ts

@@ -8,8 +8,7 @@ export default defineEventHandler(async (event) => {
   requireFeature('contests');
   const user = requireAuth(event);
   const db = useDB();
-  const entryId = getRouterParam(event, 'entryId');
-  if (!entryId) throw createError({ statusCode: 400, statusMessage: 'Missing entryId' });
+  const { entryId } = parseParams(event, { entryId: 'uuid' });
 
   const removed = await removeContestEntryVote(db, entryId, user.id);
   if (!removed) {

package/server/api/contests/[slug]/entries/[entryId]/vote.post.ts

@@ -8,8 +8,7 @@ export default defineEventHandler(async (event) => {
   requireFeature('contests');
   const user = requireAuth(event);
   const db = useDB();
-  const entryId = getRouterParam(event, 'entryId');
-  if (!entryId) throw createError({ statusCode: 400, statusMessage: 'Missing entryId' });
+  const { entryId } = parseParams(event, { entryId: 'uuid' });
 
   const result = await voteOnContestEntry(db, entryId, user.id);
   if (!result.voted) {

package/server/api/contests/[slug]/export.get.ts

@@ -0,0 +1,43 @@
+import { getContestBySlug, canViewContest, isContestEditor, isContestJudge, buildContestExport } from '@commonpub/server';
+
+/**
+ * GET /api/contests/:slug/export   (CSV)
+ * The offline-judging spreadsheet: one row per entry (all of them, not the 100
+ * cap), one empty column per rubric criterion for manual tallying. PII columns
+ * are included ONLY when the requester holds `contest.pii`. Gated to the contest
+ * owner / a `contest.manage` holder / a per-contest editor / an accepted judge.
+ */
+export default defineEventHandler(async (event): Promise<string> => {
+  requireFeature('contests');
+  const user = requireAuth(event);
+  const db = useDB();
+  const { slug } = parseParams(event, { slug: 'string' });
+
+  const contest = await getContestBySlug(db, slug);
+  if (!contest) throw createError({ statusCode: 404, statusMessage: 'Contest not found' });
+  if (!(await canViewContest(db, contest, user))) {
+    throw createError({ statusCode: 404, statusMessage: 'Contest not found' });
+  }
+
+  const canManage =
+    user.id === contest.createdById ||
+    hasPermission(event, 'contest.manage') ||
+    (await isContestEditor(db, contest.id, user.id));
+  const isJudge = await isContestJudge(db, contest.id, user.id);
+  if (!canManage && !isJudge) {
+    throw createError({ statusCode: 403, statusMessage: 'You cannot export this contest' });
+  }
+
+  // PII columns only for `contest.pii` holders (admin, or an assigned grant when
+  // RBAC is enabled), never plain judges or non-admin owners.
+  const includePii = hasPermission(event, 'contest.pii');
+  const result = await buildContestExport(db, contest.id, includePii);
+  if (!result) throw createError({ statusCode: 404, statusMessage: 'Contest not found' });
+
+  setHeader(event, 'Content-Type', 'text/csv; charset=utf-8');
+  setHeader(event, 'Content-Disposition', `attachment; filename="${result.filename}"`);
+  // The export can carry PII columns — never cache it anywhere.
+  setHeader(event, 'Cache-Control', 'no-store');
+  // UTF-8 BOM so Excel detects the encoding.
+  return `${result.csv}`;
+});