@commonpub/layer 0.81.0 → 0.83.0

package/server/api/contests/[slug]/index.get.ts

@@ -1,4 +1,4 @@
-import { getContestBySlug, canViewContest } from '@commonpub/server';
+import { getContestBySlug, canViewContest, isContestEditor } from '@commonpub/server';
 import type { ContestDetail } from '@commonpub/server';
 
 export default defineEventHandler(async (event): Promise<ContestDetail> => {
@@ -13,5 +13,13 @@ export default defineEventHandler(async (event): Promise<ContestDetail> => {
   if (!(await canViewContest(db, contest, user))) {
     throw createError({ statusCode: 404, statusMessage: 'Contest not found' });
   }
-  return contest;
+  // Per-request manage flag for the client (owner / editor / contest.manage).
+  // Server stays the enforcement boundary; this only drives UI affordances.
+  // Returned as a fresh object (not a mutation of the fetched row) so the
+  // per-viewer flag can never leak across requests if getContestBySlug is cached.
+  const viewerCanManage = user
+    ? ownerOrPermission(event, contest.createdById, 'contest.manage') ||
+      (await isContestEditor(db, contest.id, user.id))
+    : false;
+  return { ...contest, viewerCanManage };
 });

package/server/api/contests/[slug]/index.put.ts

@@ -1,4 +1,4 @@
-import { updateContest } from '@commonpub/server';
+import { updateContest, getContestBySlug, isContestEditor } from '@commonpub/server';
 import type { ContestDetail } from '@commonpub/server';
 import { updateContestSchema } from '@commonpub/schema';
 
@@ -9,9 +9,18 @@ export default defineEventHandler(async (event): Promise<ContestDetail> => {
   const { slug } = parseParams(event, { slug: 'string' });
   const input = await parseBody(event, updateContestSchema);
 
+  // Owner, a per-contest `editor` stakeholder, or a `contest.manage` holder may
+  // edit. The owner check inside updateContest covers the owner; pass canManage
+  // for the permission/editor paths (editor is also re-checked server-side).
+  const contest = await getContestBySlug(db, slug);
+  const canManage = contest
+    ? ownerOrPermission(event, contest.createdById, 'contest.manage') ||
+      (await isContestEditor(db, contest.id, user.id))
+    : false;
+
   let result;
   try {
-    result = await updateContest(db, slug, user.id, input);
+    result = await updateContest(db, slug, user.id, input, canManage);
   } catch (err) {
     if (err instanceof Error && err.message === 'SLUG_TAKEN') {
       throw createError({ statusCode: 409, statusMessage: 'That URL slug is already in use by another contest.' });

package/server/api/contests/[slug]/judge.post.ts

@@ -1,13 +1,19 @@
-import { judgeContestEntry } from '@commonpub/server';
+import { getContestBySlug, judgeContestEntry } from '@commonpub/server';
 import { judgeEntrySchema } from '@commonpub/schema';
 
 export default defineEventHandler(async (event): Promise<{ success: boolean }> => {
   requireFeature('contests');
   const user = requireAuth(event);
   const db = useDB();
+  const { slug } = parseParams(event, { slug: 'string' });
   const input = await parseBody(event, judgeEntrySchema);
 
-  const result = await judgeContestEntry(db, input.entryId, input.score, user.id, input.feedback, input.criteriaScores);
+  // B5a — resolve the contest from the route `:slug` and assert the entry belongs
+  // to it, so the slug in the path actually scopes the judged entry.
+  const contest = await getContestBySlug(db, slug);
+  if (!contest) throw createError({ statusCode: 404, statusMessage: 'Contest not found' });
+
+  const result = await judgeContestEntry(db, input.entryId, input.score, user.id, input.feedback, input.criteriaScores, contest.id);
   if (!result.judged) {
     throw createError({ statusCode: 403, statusMessage: result.error ?? 'Judging failed' });
   }

package/server/api/contests/[slug]/proposal.post.ts

@@ -0,0 +1,36 @@
+import { submitContestProposal, getContestBySlug, canViewContest } from '@commonpub/server';
+import { stageSubmissionSchema } from '@commonpub/schema';
+
+/**
+ * POST /api/contests/:slug/proposal
+ * Form-first proposal entry (Phase 4). Validates the stage form, creates a DRAFT
+ * placeholder project, links a contest entry to it, and records agreement
+ * acceptances + PII separately. Gated by features.contestProposals; the server
+ * enforces that the target stage is the current, proposal-mode submission stage.
+ */
+export default defineEventHandler(async (event): Promise<{ entryId: string; projectSlug: string; contentType: string }> => {
+  requireFeature('contests');
+  requireFeature('contestProposals');
+  const user = requireAuth(event);
+  const db = useDB();
+  const { slug } = parseParams(event, { slug: 'string' });
+
+  const contest = await getContestBySlug(db, slug);
+  if (!contest) throw createError({ statusCode: 404, statusMessage: 'Contest not found' });
+  if (!(await canViewContest(db, contest, user))) {
+    throw createError({ statusCode: 404, statusMessage: 'Contest not found' });
+  }
+
+  const input = await parseBody(event, stageSubmissionSchema);
+  const result = await submitContestProposal(db, {
+    contestId: contest.id,
+    stageId: input.stageId,
+    fields: input.fields,
+    userId: user.id,
+    ip: getRequestIP(event) ?? null,
+  });
+  if (!result.ok) {
+    throw createError({ statusCode: 400, statusMessage: result.error });
+  }
+  return { entryId: result.entryId, projectSlug: result.projectSlug, contentType: result.contentType };
+});

package/server/api/contests/[slug]/stakeholders/index.post.ts

@@ -1,11 +1,19 @@
 import { getContestBySlug, addContestStakeholder } from '@commonpub/server';
+import { stakeholderRoleSchema } from '@commonpub/schema';
 import { z } from 'zod';
 
-const addStakeholderSchema = z.object({ userId: z.string().uuid() });
+const addStakeholderSchema = z.object({
+  userId: z.string().uuid(),
+  // 'reviewer' (view-only, default) or 'editor' (full edit rights to THIS
+  // contest only). Only owner / contest.manage can add or promote, so an editor
+  // cannot mint more editors.
+  role: stakeholderRoleSchema.optional(),
+});
 
 /**
  * POST /api/contests/:slug/stakeholders
- * Grant a user view-only review access (contest owner or admin only).
+ * Grant a user per-contest access (reviewer = view-only, editor = full edit of
+ * this contest). Contest owner or a `contest.manage` holder only.
  */
 export default defineEventHandler(async (event) => {
   requireFeature('contests');
@@ -22,6 +30,7 @@ export default defineEventHandler(async (event) => {
 
   const body = await parseBody(event, addStakeholderSchema);
   const result = await addContestStakeholder(db, contest.id, body.userId, {
+    role: body.role,
     contestSlug: slug,
     contestTitle: contest.title,
     invitedBy: user.id,
@@ -29,5 +38,5 @@ export default defineEventHandler(async (event) => {
   if (!result.added) {
     throw createError({ statusCode: 400, statusMessage: result.error ?? 'Failed to add stakeholder' });
   }
-  return { added: true };
+  return { added: true, updated: result.updated ?? false };
 });

package/server/api/contests/[slug]/transition.post.ts

@@ -1,4 +1,4 @@
-import { getContestBySlug, transitionContestStatus } from '@commonpub/server';
+import { getContestBySlug, transitionContestStatus, isContestEditor } from '@commonpub/server';
 import type { ContestStatus } from '@commonpub/server';
 import { contestTransitionSchema } from '@commonpub/schema';
 
@@ -14,10 +14,15 @@ export default defineEventHandler(async (event): Promise<{ transitioned: boolean
     throw createError({ statusCode: 404, statusMessage: 'Contest not found' });
   }
 
-  const result = await transitionContestStatus(db, contest.id, user.id, input.status);
+  const canManage =
+    ownerOrPermission(event, contest.createdById, 'contest.manage') ||
+    (await isContestEditor(db, contest.id, user.id));
+
+  const result = await transitionContestStatus(db, contest.id, user.id, input.status, canManage);
 
   if (!result.transitioned) {
-    throw createError({ statusCode: 400, statusMessage: result.error || 'Transition failed' });
+    const denied = /authoriz|owner/i.test(result.error ?? '');
+    throw createError({ statusCode: denied ? 403 : 400, statusMessage: result.error || 'Transition failed' });
   }
 
   return { transitioned: true, newStatus: input.status };

package/server/api/contests/[slug]/user-search.get.ts

@@ -0,0 +1,30 @@
+import { z } from 'zod';
+import { getContestBySlug, searchUsers } from '@commonpub/server';
+import type { UserSearchResult } from '@commonpub/server';
+
+const querySchema = z.object({
+  q: z.string().min(2).max(100),
+  limit: z.coerce.number().int().min(1).max(25).optional(),
+});
+
+/**
+ * Scoped user lookup for contest invite pickers (judges/reviewers). Returns
+ * PUBLIC fields only and is gated to contest managers (owner / contest.manage),
+ * so non-admin organizers can search without the admin-only user list (the 403
+ * bug the judge/stakeholder managers used to hit).
+ */
+export default defineEventHandler(async (event): Promise<UserSearchResult[]> => {
+  requireFeature('contests');
+  requireAuth(event);
+  const db = useDB();
+  const { slug } = parseParams(event, { slug: 'string' });
+
+  const contest = await getContestBySlug(db, slug);
+  if (!contest) throw createError({ statusCode: 404, statusMessage: 'Contest not found' });
+  if (!ownerOrPermission(event, contest.createdById, 'contest.manage')) {
+    throw createError({ statusCode: 403, statusMessage: 'Not authorized to manage this contest' });
+  }
+
+  const { q, limit } = await parseQueryParams(event, querySchema);
+  return searchUsers(db, q, limit ?? 10);
+});

package/server/api/contests/index.post.ts

@@ -30,6 +30,6 @@ export default defineEventHandler(async (event): Promise<ContestDetail> => {
 
   return createContest(db, { ...input, slug, createdBy: user.id } as CreateContestInput, {
     userRole: user.role,
-    contestCreationPolicy: config.instance.contestCreation ?? 'staff',
+    contestCreationPolicy: config.instance.contestCreation ?? 'admin',
   });
 });

package/server/api/docs/[siteSlug]/nav.get.ts

@@ -20,7 +20,12 @@ export default defineEventHandler(async (event) => {
 
   if (!version) return [];
 
+  // Public viewers only see published pages in nav; the site owner/admin (the docs
+  // editor uses this route too) sees drafts too.
+  const viewer = getOptionalUser(event);
+  const canSeeDrafts = !!viewer && (viewer.role === 'admin' || viewer.id === result.site.ownerId);
+
   // Return pages directly as nav items
-  const pages = await listDocsPages(db, version.id);
+  const pages = await listDocsPages(db, version.id, { publishedOnly: !canSeeDrafts });
   return pages.map(p => ({ id: p.id, title: p.title, sidebarLabel: p.sidebarLabel, slug: p.slug, sortOrder: p.sortOrder, parentId: p.parentId }));
 });

package/server/api/docs/[siteSlug]/pages/[pageId].get.ts

@@ -15,7 +15,11 @@ export default defineEventHandler(async (event) => {
 
   if (!version) throw createError({ statusCode: 404, statusMessage: 'No version found' });
 
-  const pages = await listDocsPages(db, version.id);
+  // Public viewers only see published pages; the site owner/admin sees drafts too.
+  const viewer = getOptionalUser(event);
+  const canSeeDrafts = !!viewer && (viewer.role === 'admin' || viewer.id === result.site.ownerId);
+
+  const pages = await listDocsPages(db, version.id, { publishedOnly: !canSeeDrafts });
   const page = pages.find((p) => p.slug === pageSlug);
   if (!page) throw createError({ statusCode: 404, statusMessage: 'Page not found' });
 

package/server/api/docs/[siteSlug]/pages/index.get.ts

@@ -30,7 +30,12 @@ export default defineEventHandler(async (event) => {
     throw createError({ statusCode: 404, statusMessage: 'No version found for docs site' });
   }
 
-  const pages = await listDocsPages(db, version.id);
+  // Public viewers only see published pages; the site owner/admin (e.g. the docs
+  // editor at /docs/[siteSlug]/edit, which hits this same route) sees drafts too.
+  const viewer = getOptionalUser(event);
+  const canSeeDrafts = !!viewer && (viewer.role === 'admin' || viewer.id === result.site.ownerId);
+
+  const pages = await listDocsPages(db, version.id, { publishedOnly: !canSeeDrafts });
 
   // Content is JSONB — arrays come back parsed, legacy strings stay as strings
   return pages.map((page) => {

package/server/api/docs/[siteSlug]/search.get.ts

@@ -17,5 +17,11 @@ export default defineEventHandler(async (event) => {
   const version = result.versions?.find((v) => v.isDefault) ?? result.versions?.[0];
   if (!version) return [];
 
-  return searchDocsPages(db, result.site.id, version.id, query.q ?? '', config.docs.searchLanguage);
+  // Public viewers only search published pages; the site owner/admin sees drafts too.
+  const viewer = getOptionalUser(event);
+  const canSeeDrafts = !!viewer && (viewer.role === 'admin' || viewer.id === result.site.ownerId);
+
+  return searchDocsPages(db, result.site.id, version.id, query.q ?? '', config.docs.searchLanguage, {
+    publishedOnly: !canSeeDrafts,
+  });
 });

package/server/api/events/[slug]/attendees.get.ts

@@ -14,6 +14,16 @@ export default defineEventHandler(async (event) => {
   const existing = await getEventBySlug(db, slug);
   if (!existing) throw createError({ statusCode: 404, statusMessage: 'Event not found' });
 
+  // Don't expose the attendee roster for non-published events (draft/cancelled/etc)
+  // to the public; gate to the creator/admin, matching the event-detail gating.
+  // (Fuller per-event roster privacy for published events is a separate product
+  // decision — tracked as a follow-up.)
+  if (existing.status !== 'published' && existing.status !== 'active') {
+    const viewer = getOptionalUser(event);
+    const canView = !!viewer && (viewer.role === 'admin' || viewer.id === existing.createdById);
+    if (!canView) throw createError({ statusCode: 404, statusMessage: 'Event not found' });
+  }
+
   const query = getQuery(event);
   return listEventAttendees(db, existing.id, {
     status: (query.status as AttendeeStatus) || undefined,

package/server/api/events/[slug].get.ts

@@ -13,5 +13,14 @@ export default defineEventHandler(async (event) => {
   const result = await getEventBySlug(db, slug);
   if (!result) throw createError({ statusCode: 404, statusMessage: 'Event not found' });
 
+  // Only published/active events are publicly viewable. Draft/cancelled/completed
+  // events are visible only to the creator or an admin (mirrors content/contest
+  // draft gating). 404 (not 403) so the slug's existence isn't leaked.
+  if (result.status !== 'published' && result.status !== 'active') {
+    const viewer = getOptionalUser(event);
+    const canView = !!viewer && (viewer.role === 'admin' || viewer.id === result.createdById);
+    if (!canView) throw createError({ statusCode: 404, statusMessage: 'Event not found' });
+  }
+
   return result;
 });

package/server/api/events/index.get.ts

@@ -23,9 +23,16 @@ export default defineEventHandler(async (event) => {
     userId = user.id;
   }
 
+  // hubId feeds a uuid SQL bind; reject a malformed value at the door (a
+  // non-uuid string reaching the bind throws an unhandled 500).
+  const hubId = (query.hubId as string) || undefined;
+  if (hubId && !isUuid(hubId)) {
+    throw createError({ statusCode: 400, statusMessage: 'Invalid hubId' });
+  }
+
   return listEvents(db, {
     status,
-    hubId: (query.hubId as string) || undefined,
+    hubId,
     upcoming: query.upcoming === 'true',
     featured: query.featured === 'true',
     userId,

package/server/api/federated-hubs/[id]/posts/[postId]/replies.get.ts

@@ -2,7 +2,7 @@ import { listFederatedHubPostReplies } from '@commonpub/server';
 
 export default defineEventHandler(async (event) => {
   requireFeature('federation');
-  const postId = getRouterParam(event, 'postId')!;
+  const { postId } = parseParams(event, { id: 'uuid', postId: 'uuid' });
   const query = getQuery(event);
   const db = useDB();
 

package/server/api/federation/content/[id]/build.get.ts

@@ -0,0 +1,10 @@
+import { isFederatedBuildMarked } from '@commonpub/server';
+
+// Hydration counterpart to the federated build toggle — see content/[id]/build.get.ts.
+export default defineEventHandler(async (event): Promise<{ marked: boolean }> => {
+  requireFeature('federation');
+  const user = requireAuth(event);
+  const db = useDB();
+  const { id } = parseParams(event, { id: 'uuid' });
+  return { marked: await isFederatedBuildMarked(db, id, user.id) };
+});

package/server/api/hubs/[slug]/invites/[id].delete.ts

@@ -0,0 +1,17 @@
+import { revokeInvite, getHubBySlug } from '@commonpub/server';
+
+export default defineEventHandler(async (event): Promise<{ revoked: boolean }> => {
+  const user = requireAuth(event);
+  const db = useDB();
+  const { slug, id } = parseParams(event, { slug: 'string', id: 'uuid' });
+  const hub = await getHubBySlug(db, slug);
+  if (!hub) {
+    throw createError({ statusCode: 404, statusMessage: 'Hub not found' });
+  }
+
+  const revoked = await revokeInvite(db, id, user.id, hub.id);
+  if (!revoked) {
+    throw createError({ statusCode: 403, statusMessage: 'Not authorized to revoke invites' });
+  }
+  return { revoked };
+});

package/server/api/hubs/[slug]/invites.get.ts

@@ -1,4 +1,4 @@
-import { listInvites, getHubBySlug, getMember } from '@commonpub/server';
+import { listInvites, getHubBySlug, getMember, hasPermission } from '@commonpub/server';
 import type { HubInviteItem } from '@commonpub/server';
 
 export default defineEventHandler(async (event): Promise<HubInviteItem[]> => {
@@ -10,9 +10,11 @@ export default defineEventHandler(async (event): Promise<HubInviteItem[]> => {
     throw createError({ statusCode: 404, statusMessage: 'Hub not found' });
   }
 
-  // Only moderators, admins, and owners can view invite lists
+  // Invite management is admin+ (matches createInvite/revokeInvite's manageMembers).
+  // Gating the list at the same level keeps moderators from seeing write controls
+  // they can't use.
   const member = await getMember(db, hub.id, user.id);
-  if (!member || !['moderator', 'admin', 'owner'].includes(member.role)) {
+  if (!member || !hasPermission(member.role, 'manageMembers')) {
     throw createError({ statusCode: 403, statusMessage: 'Insufficient permissions' });
   }
 

package/server/api/hubs/[slug]/posts/[postId]/poll-options.get.ts

@@ -7,8 +7,7 @@ import { getPollOptions, getUserPollVote } from '@commonpub/server';
 export default defineEventHandler(async (event) => {
   requireFeature('hubs');
   const db = useDB();
-  const postId = getRouterParam(event, 'postId');
-  if (!postId) throw createError({ statusCode: 400, statusMessage: 'Missing postId' });
+  const { postId } = parseParams(event, { postId: 'uuid' });
 
   const options = await getPollOptions(db, postId);
   const user = getOptionalUser(event);

package/server/api/hubs/[slug]/posts/[postId]/poll-vote.post.ts

@@ -13,8 +13,7 @@ export default defineEventHandler(async (event) => {
   requireFeature('hubs');
   const user = requireAuth(event);
   const db = useDB();
-  const postId = getRouterParam(event, 'postId');
-  if (!postId) throw createError({ statusCode: 400, statusMessage: 'Missing postId' });
+  const { postId } = parseParams(event, { postId: 'uuid' });
 
   const body = await parseBody(event, pollVoteSchema);
   const result = await voteOnPoll(db, postId, body.optionId, user.id);

package/server/api/hubs/[slug]/posts/[postId]/vote.post.ts

@@ -13,8 +13,7 @@ export default defineEventHandler(async (event) => {
   requireFeature('hubs');
   const user = requireAuth(event);
   const db = useDB();
-  const postId = getRouterParam(event, 'postId');
-  if (!postId) throw createError({ statusCode: 400, statusMessage: 'Missing postId' });
+  const { postId } = parseParams(event, { postId: 'uuid' });
 
   const body = await parseBody(event, voteSchema);
   return voteOnPost(db, postId, user.id, body.direction);

package/server/api/hubs/[slug]/requests/[userId]/approve.post.ts

@@ -0,0 +1,15 @@
+import { approveJoinRequest, getHubBySlug } from '@commonpub/server';
+
+export default defineEventHandler(async (event): Promise<{ approved: boolean; error?: string }> => {
+  const user = requireAuth(event);
+  const db = useDB();
+  const { slug, userId } = parseParams(event, { slug: 'string', userId: 'uuid' });
+
+  const hub = await getHubBySlug(db, slug);
+  if (!hub) {
+    throw createError({ statusCode: 404, statusMessage: 'Hub not found' });
+  }
+
+  // Permission (manageMembers) is enforced inside approveJoinRequest.
+  return approveJoinRequest(db, user.id, hub.id, userId);
+});

package/server/api/hubs/[slug]/requests/[userId]/deny.post.ts

@@ -0,0 +1,15 @@
+import { denyJoinRequest, getHubBySlug } from '@commonpub/server';
+
+export default defineEventHandler(async (event): Promise<{ denied: boolean; error?: string }> => {
+  const user = requireAuth(event);
+  const db = useDB();
+  const { slug, userId } = parseParams(event, { slug: 'string', userId: 'uuid' });
+
+  const hub = await getHubBySlug(db, slug);
+  if (!hub) {
+    throw createError({ statusCode: 404, statusMessage: 'Hub not found' });
+  }
+
+  // Permission (manageMembers) is enforced inside denyJoinRequest.
+  return denyJoinRequest(db, user.id, hub.id, userId);
+});

package/server/api/hubs/[slug]/requests.get.ts

@@ -0,0 +1,20 @@
+import { listJoinRequests, getHubBySlug, getMember } from '@commonpub/server';
+import type { HubMemberItem } from '@commonpub/server';
+
+export default defineEventHandler(async (event): Promise<{ items: HubMemberItem[]; total: number }> => {
+  const user = requireAuth(event);
+  const db = useDB();
+  const { slug } = parseParams(event, { slug: 'string' });
+  const hub = await getHubBySlug(db, slug);
+  if (!hub) {
+    throw createError({ statusCode: 404, statusMessage: 'Hub not found' });
+  }
+
+  // Reviewing join requests is a member-management action (admin/owner).
+  const member = await getMember(db, hub.id, user.id);
+  if (!member || !['admin', 'owner'].includes(member.role)) {
+    throw createError({ statusCode: 403, statusMessage: 'Insufficient permissions' });
+  }
+
+  return listJoinRequests(db, hub.id);
+});

package/server/api/hubs/[slug]/resources/[id].delete.ts

@@ -3,8 +3,7 @@ import { deleteHubResource } from '@commonpub/server';
 export default defineEventHandler(async (event) => {
   const db = useDB();
   const user = requireAuth(event);
-  const id = getRouterParam(event, 'id');
-  if (!id) throw createError({ statusCode: 400, statusMessage: 'Missing resource ID' });
+  const { id } = parseParams(event, { id: 'uuid' });
 
   const result = await deleteHubResource(db, id, user.id);
   if (!result.success) {

package/server/api/hubs/[slug]/resources/[id].put.ts

@@ -4,8 +4,7 @@ import { updateHubResourceSchema } from '@commonpub/schema';
 export default defineEventHandler(async (event) => {
   const db = useDB();
   const user = requireAuth(event);
-  const id = getRouterParam(event, 'id');
-  if (!id) throw createError({ statusCode: 400, statusMessage: 'Missing resource ID' });
+  const { id } = parseParams(event, { id: 'uuid' });
 
   const input = await parseBody(event, updateHubResourceSchema);
 

package/server/api/me.get.ts

@@ -6,8 +6,15 @@
  */
 export default defineEventHandler((event) => {
   const { user, session } = event.context.auth ?? {};
+  // Effective permissions resolved by the auth middleware (RBAC). The admin
+  // floor lives in users.role, so the set is empty for admins — useCan() applies
+  // the floor client-side. Permissions/roleKeys are advisory (UX only); the
+  // server is always the enforcement boundary.
+  const resolved = event.context.cpubPermissions;
   return {
     user: user ?? null,
     session: session ?? null,
+    permissions: resolved ? [...resolved.permissions] : [],
+    roleKeys: resolved?.roleKeys ?? [],
   };
 });

package/server/api/products/[id].delete.ts

@@ -1,11 +1,31 @@
 import { deleteProduct } from '@commonpub/server';
+import { products } from '@commonpub/schema';
+import { eq } from 'drizzle-orm';
 
 export default defineEventHandler(async (event): Promise<{ deleted: boolean }> => {
+  const user = requireAuth(event);
   const db = useDB();
-  requirePermission(event, 'content.moderate');
   const { id } = parseParams(event, { id: 'uuid' });
 
-  const deleted = await deleteProduct(db, id);
+  // Owner OR moderator may delete. Resolve the product's owner first.
+  const [product] = await db
+    .select({ createdById: products.createdById })
+    .from(products)
+    .where(eq(products.id, id))
+    .limit(1);
+
+  if (!product) {
+    throw createError({ statusCode: 404, statusMessage: 'Product not found' });
+  }
+
+  if (!ownerOrPermission(event, product.createdById, 'content.moderate')) {
+    throw createError({ statusCode: 403, statusMessage: 'Missing permission: content.moderate' });
+  }
+
+  // Pass userId for an owner-scoped data-layer delete; moderators (non-owners)
+  // are already gated above, so they delete unconditionally.
+  const isOwner = product.createdById === user.id;
+  const deleted = await deleteProduct(db, id, isOwner ? user.id : undefined);
 
   if (!deleted) {
     throw createError({ statusCode: 404, statusMessage: 'Product not found' });

package/server/api/registry/ping.post.ts

@@ -1,4 +1,4 @@
-import { recordRegistryPing, createRateLimitStore, getClientIp } from '@commonpub/server';
+import { recordRegistryPing, createRateLimitStore, getClientIp, recordActivitySeen } from '@commonpub/server';
 import { verifyInboxRequest, extractDomain } from '../../utils/inbox';
 
 /**
@@ -32,13 +32,27 @@ export default defineEventHandler(async (event) => {
   const preRl = await store.check(`registry:ping:ip:${getClientIp(event)}`, PRE_TIER);
   if (!preRl.allowed) reject429(preRl.resetAt);
 
-  const { actorUri } = await verifyInboxRequest(event, 'registry-ping');
+  const { actorUri, body } = await verifyInboxRequest(event, 'registry-ping');
   const domain = extractDomain(actorUri);
 
   // Per-verified-domain cap (the signer is now cryptographically known).
   const rl = await store.check(`registry:ping:${domain}`, PING_TIER);
   if (!rl.allowed) reject429(rl.resetAt);
 
-  const result = await recordRegistryPing(useDB(), domain, actorUri);
+  const db = useDB();
+
+  // Replay dedup: claim the verified activity id BEFORE recording the ping so a
+  // replayed, validly-signed ping can't re-trigger the NodeInfo pull. No id =
+  // process normally. Placed after verification so attacker-chosen ids can't be
+  // seeded.
+  const activityId = body.id;
+  if (typeof activityId === 'string' && activityId.length > 0) {
+    const first = await recordActivitySeen(db, activityId);
+    if (!first) {
+      return { status: 'ok' };
+    }
+  }
+
+  const result = await recordRegistryPing(db, domain, actorUri);
   return { status: result };
 });

package/server/api/search/index.get.ts

@@ -7,7 +7,7 @@ import { z } from 'zod';
 const searchQuerySchema = z.object({
   q: z.string().max(200).optional(),
   type: z.string().optional(),
-  sort: z.enum(['relevance', 'recent', 'popular']).optional(),
+  sort: z.enum(['relevance', 'recent', 'popular', 'likes']).optional(),
   difficulty: z.string().optional(),
   tags: z.string().optional(),
   author: z.string().optional(),
@@ -141,8 +141,10 @@ export default defineEventHandler(async (event): Promise<{ items: unknown[]; tot
       difficulty: params.difficulty as ContentFilters['difficulty'],
       tag: tagList[0],
       // Postgres has no relevance ranking (that's Meilisearch's job) — the old
-      // path also fell back to recency for 'relevance'.
-      sort: params.sort === 'popular' ? 'popular' : 'recent',
+      // path also fell back to recency for 'relevance'. 'popular'/'likes' pass
+      // through (listContent coerces them to recency when the merge federates,
+      // since federated rows carry no view/like counts — same as 'popular').
+      sort: params.sort === 'popular' || params.sort === 'likes' ? params.sort : 'recent',
       limit,
       offset,
     };

package/server/api/social/bookmark.get.ts

@@ -7,6 +7,7 @@ const checkSchema = z.object({
 });
 
 export default defineEventHandler(async (event): Promise<{ bookmarked: boolean }> => {
+  requireFeature('social');
   const user = requireAuth(event);
   const db = useDB();
   const query = parseQueryParams(event, checkSchema);

package/server/api/social/bookmark.post.ts

@@ -7,6 +7,7 @@ const toggleBookmarkSchema = z.object({
 });
 
 export default defineEventHandler(async (event): Promise<{ bookmarked: boolean }> => {
+  requireFeature('social');
   const user = requireAuth(event);
   const db = useDB();
   const input = await parseBody(event, toggleBookmarkSchema);

package/server/api/social/bookmarks.get.ts

@@ -8,6 +8,7 @@ const bookmarksQuerySchema = z.object({
 });
 
 export default defineEventHandler(async (event): Promise<PaginatedResponse<BookmarkItem>> => {
+  requireFeature('social');
   const user = requireAuth(event);
   const db = useDB();
   const query = parseQueryParams(event, bookmarksQuerySchema);