npm - @commonpub/layer - Versions diffs - 0.81.0 → 0.83.0 - Mend

@commonpub/layer 0.81.0 → 0.83.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (212) hide show

package/components/AppToast.vue +1 -1
package/components/ContentAvatar.vue +98 -0
package/components/CpubCriteriaBar.vue +88 -0
package/components/CpubDateTimeField.vue +73 -0
package/components/CpubMarkdown.vue +3 -1
package/components/FormatToggle.vue +2 -2
package/components/ImageUpload.vue +5 -8
package/components/MirrorDetailModal.vue +3 -1
package/components/MirrorRequestApproveModal.vue +3 -1
package/components/ProductEditModal.vue +184 -0
package/components/RemoteFollowDialog.vue +2 -2
package/components/SearchSidebar.vue +14 -21
package/components/ShareToHubModal.vue +3 -1
package/components/admin/layouts/AdminLayoutsPalette.vue +5 -1
package/components/admin/layouts/AdminLayoutsPaletteTile.vue +7 -1
package/components/admin/layouts/AdminLayoutsToolbar.vue +1 -1
package/components/blocks/BlockCompareColumnsView.vue +92 -0
package/components/blocks/BlockContentRenderer.vue +17 -0
package/components/blocks/BlockCriteriaBarView.vue +25 -0
package/components/blocks/BlockGalleryView.vue +5 -0
package/components/blocks/BlockHtmlView.vue +26 -0
package/components/blocks/BlockImageView.vue +4 -0
package/components/blocks/BlockJudgesShowcaseView.vue +52 -0
package/components/blocks/BlockRoadmapView.vue +84 -0
package/components/blocks/BlockSponsorsView.vue +89 -0
package/components/blocks/BlockTableView.vue +49 -0
package/components/blocks/BlockTabsView.vue +121 -0
package/components/contest/ContestBodyCanvas.vue +155 -0
package/components/contest/ContestCriteriaEditor.vue +79 -0
package/components/contest/ContestEditor.vue +948 -0
package/components/contest/ContestEntries.vue +1 -1
package/components/contest/ContestEntryPrivateData.vue +126 -0
package/components/contest/ContestHero.vue +114 -186
package/components/contest/ContestJudgeManager.vue +6 -4
package/components/contest/ContestJudgingCriteria.vue +5 -21
package/components/contest/ContestPrizes.vue +8 -1
package/components/contest/ContestProposalForm.vue +88 -0
package/components/contest/ContestRules.vue +8 -1
package/components/contest/ContestSidebar.vue +11 -3
package/components/contest/ContestStageSubmission.vue +10 -36
package/components/contest/ContestStagesEditor.vue +141 -65
package/components/contest/ContestStakeholderManager.vue +54 -20
package/components/contest/ContestSubmissionField.vue +141 -0
package/components/contest/blocks/CompareColumnsBlock.vue +127 -0
package/components/contest/blocks/ContestTabPanel.vue +27 -0
package/components/contest/blocks/CriteriaBarBlock.vue +118 -0
package/components/contest/blocks/HtmlBlock.vue +61 -0
package/components/contest/blocks/JudgesShowcaseBlock.vue +96 -0
package/components/contest/blocks/RoadmapBlock.vue +127 -0
package/components/contest/blocks/SponsorsBlock.vue +127 -0
package/components/contest/blocks/TableBlock.vue +101 -0
package/components/contest/blocks/TabsBlock.vue +168 -0
package/components/editors/ArticleEditor.vue +9 -16
package/components/editors/ExplainerEditor.vue +8 -5
package/components/editors/ProjectEditor.vue +13 -10
package/components/homepage/CustomHtmlSection.vue +11 -2
package/components/hub/HubProducts.vue +4 -2
package/components/nav/NavDropdown.vue +1 -5
package/components/nav/NavLink.vue +2 -0
package/components/views/ArticleView.vue +3 -56
package/components/views/ExplainerView.vue +4 -0
package/components/views/ProjectView.vue +83 -245
package/composables/useAuth.ts +13 -0
package/composables/useCan.ts +23 -0
package/composables/useContestEditor.ts +388 -0
package/composables/useDocsPageTree.ts +154 -0
package/composables/useDocsSiteSettings.ts +107 -0
package/composables/useEditorAutosave.ts +131 -0
package/composables/useEngagement.ts +13 -6
package/composables/useFeatures.ts +9 -1
package/composables/useFileUpload.ts +60 -0
package/composables/useProfileContent.ts +84 -0
package/composables/useSanitize.ts +38 -4
package/composables/useScrollSpy.ts +87 -0
package/layouts/admin.vue +43 -18
package/layouts/default.vue +18 -9
package/nuxt.config.ts +13 -0
package/package.json +8 -8
package/pages/[type]/index.vue +6 -1
package/pages/admin/api-keys.vue +13 -3
package/pages/admin/features.vue +2 -0
package/pages/admin/federation.vue +1 -1
package/pages/admin/layouts/[id].vue +30 -2
package/pages/admin/roles.vue +286 -0
package/pages/admin/settings.vue +2 -1
package/pages/admin/users.vue +81 -1
package/pages/admin/video-categories.vue +203 -0
package/pages/cert/[code].vue +6 -2
package/pages/contests/[slug]/edit.vue +4 -764
package/pages/contests/[slug]/entries/[entryId].vue +34 -1
package/pages/contests/[slug]/index.vue +97 -8
package/pages/contests/[slug]/judge.vue +49 -26
package/pages/contests/create.vue +5 -466
package/pages/contests/index.vue +7 -2
package/pages/cookies.vue +1 -1
package/pages/docs/[siteSlug]/[...pagePath].vue +13 -26
package/pages/docs/[siteSlug]/edit.vue +93 -231
package/pages/events/[slug]/edit.vue +20 -20
package/pages/events/create.vue +18 -18
package/pages/events/index.vue +7 -2
package/pages/hubs/[slug]/index.vue +34 -9
package/pages/hubs/[slug]/invites.vue +312 -0
package/pages/hubs/[slug]/members.vue +128 -0
package/pages/hubs/[slug]/posts/[postId].vue +2 -2
package/pages/hubs/index.vue +6 -1
package/pages/learn/[slug]/[lessonSlug]/index.vue +12 -3
package/pages/learn/index.vue +8 -1
package/pages/messages/index.vue +1 -1
package/pages/mirror/[id].vue +1 -1
package/pages/products/[slug].vue +55 -2
package/pages/products/index.vue +6 -1
package/pages/settings/account.vue +8 -8
package/pages/settings/profile.vue +23 -14
package/pages/u/[username]/[type]/[slug]/edit.vue +12 -5
package/pages/u/[username]/followers.vue +11 -3
package/pages/u/[username]/following.vue +10 -8
package/pages/u/[username]/index.vue +73 -7
package/pages/videos/index.vue +13 -10
package/server/api/admin/api-keys/[id]/usage.get.ts +2 -2
package/server/api/admin/api-keys/[id].delete.ts +2 -2
package/server/api/admin/api-keys/index.get.ts +1 -0
package/server/api/admin/api-keys/index.post.ts +1 -0
package/server/api/admin/federation/refederate.post.ts +18 -1
package/server/api/admin/layouts/[id]/publish.post.ts +1 -4
package/server/api/admin/layouts/[id]/versions/[versionId]/revert.post.ts +1 -5
package/server/api/admin/layouts/[id]/versions/index.get.ts +1 -4
package/server/api/admin/layouts/[id].delete.ts +1 -4
package/server/api/admin/layouts/[id].get.ts +1 -4
package/server/api/admin/layouts/[id].put.ts +1 -4
package/server/api/admin/permissions.get.ts +14 -0
package/server/api/admin/roles/[id]/index.delete.ts +25 -0
package/server/api/admin/roles/[id]/index.put.ts +24 -0
package/server/api/admin/roles/index.get.ts +10 -0
package/server/api/admin/roles/index.post.ts +27 -0
package/server/api/admin/users/[id]/role.put.ts +20 -1
package/server/api/admin/users/[id]/roles.get.ts +10 -0
package/server/api/admin/users/[id]/roles.put.ts +17 -0
package/server/api/auth/federated/login.post.ts +12 -5
package/server/api/content/[id]/__tests__/versions.get.test.ts +127 -0
package/server/api/content/[id]/build.get.ts +11 -0
package/server/api/content/[id]/report.post.ts +2 -0
package/server/api/content/[id]/versions.get.ts +15 -0
package/server/api/contests/[slug]/advance.post.ts +10 -5
package/server/api/contests/[slug]/entries/[entryId]/private.get.ts +48 -0
package/server/api/contests/[slug]/entries/[entryId]/submission.put.ts +1 -1
package/server/api/contests/[slug]/entries/[entryId]/vote.delete.ts +1 -2
package/server/api/contests/[slug]/entries/[entryId]/vote.post.ts +1 -2
package/server/api/contests/[slug]/export.get.ts +43 -0
package/server/api/contests/[slug]/index.get.ts +10 -2
package/server/api/contests/[slug]/index.put.ts +11 -2
package/server/api/contests/[slug]/judge.post.ts +8 -2
package/server/api/contests/[slug]/proposal.post.ts +36 -0
package/server/api/contests/[slug]/stakeholders/index.post.ts +12 -3
package/server/api/contests/[slug]/transition.post.ts +8 -3
package/server/api/contests/[slug]/user-search.get.ts +30 -0
package/server/api/contests/index.post.ts +1 -1
package/server/api/docs/[siteSlug]/nav.get.ts +6 -1
package/server/api/docs/[siteSlug]/pages/[pageId].get.ts +5 -1
package/server/api/docs/[siteSlug]/pages/index.get.ts +6 -1
package/server/api/docs/[siteSlug]/search.get.ts +7 -1
package/server/api/events/[slug]/attendees.get.ts +10 -0
package/server/api/events/[slug].get.ts +9 -0
package/server/api/events/index.get.ts +8 -1
package/server/api/federated-hubs/[id]/posts/[postId]/replies.get.ts +1 -1
package/server/api/federation/content/[id]/build.get.ts +10 -0
package/server/api/hubs/[slug]/invites/[id].delete.ts +17 -0
package/server/api/hubs/[slug]/invites.get.ts +5 -3
package/server/api/hubs/[slug]/posts/[postId]/poll-options.get.ts +1 -2
package/server/api/hubs/[slug]/posts/[postId]/poll-vote.post.ts +1 -2
package/server/api/hubs/[slug]/posts/[postId]/vote.post.ts +1 -2
package/server/api/hubs/[slug]/requests/[userId]/approve.post.ts +15 -0
package/server/api/hubs/[slug]/requests/[userId]/deny.post.ts +15 -0
package/server/api/hubs/[slug]/requests.get.ts +20 -0
package/server/api/hubs/[slug]/resources/[id].delete.ts +1 -2
package/server/api/hubs/[slug]/resources/[id].put.ts +1 -2
package/server/api/me.get.ts +7 -0
package/server/api/products/[id].delete.ts +22 -2
package/server/api/registry/ping.post.ts +17 -3
package/server/api/search/index.get.ts +5 -3
package/server/api/social/bookmark.get.ts +1 -0
package/server/api/social/bookmark.post.ts +1 -0
package/server/api/social/bookmarks.get.ts +1 -0
package/server/api/social/comments/[id].delete.ts +1 -0
package/server/api/social/comments.get.ts +1 -0
package/server/api/social/comments.post.ts +1 -0
package/server/api/social/like.get.ts +1 -0
package/server/api/social/like.post.ts +1 -0
package/server/api/users/[username]/content.get.ts +15 -3
package/server/api/users/[username]/follow.delete.ts +1 -0
package/server/api/users/[username]/follow.post.ts +1 -0
package/server/api/users/[username]/followers.get.ts +2 -1
package/server/api/users/[username]/following.get.ts +2 -1
package/server/middleware/content-ap.ts +8 -3
package/server/middleware/csrf.ts +93 -0
package/server/plugins/federation-hub-sync.ts +48 -17
package/server/plugins/notification-email.ts +22 -3
package/server/routes/hubs/[slug]/inbox.ts +13 -1
package/server/routes/inbox.ts +14 -1
package/server/routes/users/[username]/inbox.ts +13 -1
package/server/utils/inbox.ts +7 -2
package/server/utils/validate.ts +22 -0
package/theme/base.css +5 -0
package/theme/prose.css +20 -0
package/theme/stoa-dark.css +4 -0
package/types/contestBlocks.ts +122 -0
package/utils/contestBlocks.ts +107 -0
package/utils/contestBody.ts +25 -0
package/utils/contestStages.ts +62 -0
package/utils/contestSubmission.ts +97 -0
package/utils/datetime.ts +45 -0
package/utils/projectBlocks.ts +162 -0
package/components/editors/BlogEditor.vue +0 -648

package/server/api/social/comments/[id].delete.ts CHANGED Viewed

@@ -1,6 +1,7 @@
 import { deleteComment } from '@commonpub/server';
 export default defineEventHandler(async (event): Promise<{ success: boolean }> => {
+  requireFeature('social');
   const user = requireAuth(event);
   const db = useDB();
   const { id } = parseParams(event, { id: 'uuid' });

package/server/api/social/comments.get.ts CHANGED Viewed

@@ -11,6 +11,7 @@ const commentsQuerySchema = z.object({
 });
 export default defineEventHandler(async (event): Promise<CommentItem[]> => {
+  requireFeature('social');
   const db = useDB();
   const query = parseQueryParams(event, commentsQuerySchema);

package/server/api/social/comments.post.ts CHANGED Viewed

@@ -6,6 +6,7 @@ import { createCommentSchema } from '@commonpub/schema';
 const FEDERABLE_COMMENT_TYPES = new Set(['project', 'article', 'blog', 'explainer']);
 export default defineEventHandler(async (event): Promise<CommentItem> => {
+  requireFeature('social');
   const user = requireAuth(event);
   const db = useDB();
   const config = useConfig();

package/server/api/social/like.get.ts CHANGED Viewed

@@ -8,6 +8,7 @@ const likeQuerySchema = z.object({
 });
 export default defineEventHandler(async (event): Promise<{ liked: boolean }> => {
+  requireFeature('social');
   const user = requireAuth(event);
   const db = useDB();
   const query = parseQueryParams(event, likeQuerySchema);

package/server/api/social/like.post.ts CHANGED Viewed

@@ -11,6 +11,7 @@ const toggleLikeSchema = z.object({
 const FEDERABLE_LIKE_TYPES = new Set(['project', 'article', 'blog', 'explainer']);
 export default defineEventHandler(async (event): Promise<{ liked: boolean }> => {
+  requireFeature('social');
   const user = requireAuth(event);
   const db = useDB();
   const config = useConfig();

package/server/api/users/[username]/content.get.ts CHANGED Viewed

@@ -1,21 +1,33 @@
 import { getUserByUsername, getUserContent } from '@commonpub/server';
-import type { PaginatedResponse, ContentListItem } from '@commonpub/server';
+import type { ContentListItem } from '@commonpub/server';
 import { contentTypeSchema } from '@commonpub/schema';
 import { z } from 'zod';
 const userContentQuerySchema = z.object({
   type: contentTypeSchema.optional(),
+  cursor: z.string().optional(),
+  limit: z.coerce.number().int().positive().max(100).optional(),
+  // `?drafts=true` requests the owner's unpublished work; honoured server-side
+  // only when the authenticated viewer IS the profile owner (never trusted as-is).
+  drafts: z.enum(['true', 'false']).optional(),
 });
-export default defineEventHandler(async (event): Promise<PaginatedResponse<ContentListItem>> => {
+export default defineEventHandler(async (event): Promise<{ items: ContentListItem[]; nextCursor: string | null }> => {
   const db = useDB();
   const { username } = parseParams(event, { username: 'string' });
   const query = parseQueryParams(event, userContentQuerySchema);
+  const viewer = getOptionalUser(event);
   const user = await getUserByUsername(db, username);
   if (!user) {
     throw createError({ statusCode: 404, statusMessage: 'User not found' });
   }
-  return getUserContent(db, user.id, query.type);
+  return getUserContent(db, user.id, {
+    type: query.type,
+    cursor: query.cursor,
+    limit: query.limit,
+    drafts: query.drafts === 'true',
+    viewerId: viewer?.id,
+  });
 });

package/server/api/users/[username]/follow.delete.ts CHANGED Viewed

@@ -1,6 +1,7 @@
 import { getUserByUsername, unfollowUser } from '@commonpub/server';
 export default defineEventHandler(async (event): Promise<{ unfollowed: boolean }> => {
+  requireFeature('social');
   const db = useDB();
   const user = requireAuth(event);
   const { username } = parseParams(event, { username: 'string' });

package/server/api/users/[username]/follow.post.ts CHANGED Viewed

@@ -1,6 +1,7 @@
 import { getUserByUsername, followUser } from '@commonpub/server';
 export default defineEventHandler(async (event): Promise<{ followed: boolean }> => {
+  requireFeature('social');
   const db = useDB();
   const user = requireAuth(event);
   const { username } = parseParams(event, { username: 'string' });

package/server/api/users/[username]/followers.get.ts CHANGED Viewed

@@ -18,5 +18,6 @@ export default defineEventHandler(async (event): Promise<PaginatedResponse<Follo
     throw createError({ statusCode: 404, statusMessage: 'User not found' });
   }
-  return listFollowers(db, target.id, query);
+  // Pass the viewer so each row carries isFollowing for the VIEWER (not the owner).
+  return listFollowers(db, target.id, query, getOptionalUser(event)?.id);
 });

package/server/api/users/[username]/following.get.ts CHANGED Viewed

@@ -18,5 +18,6 @@ export default defineEventHandler(async (event): Promise<PaginatedResponse<Follo
     throw createError({ statusCode: 404, statusMessage: 'User not found' });
   }
-  return listFollowing(db, target.id, query);
+  // Pass the viewer so each row carries isFollowing for the VIEWER (not the owner).
+  return listFollowing(db, target.id, query, getOptionalUser(event)?.id);
 });

package/server/middleware/content-ap.ts CHANGED Viewed

@@ -53,6 +53,10 @@ export default defineEventHandler(async (event) => {
       typeFilter,
       eq(contentItems.slug, slug),
       eq(contentItems.status, 'published'),
+      // Only PUBLIC content is dereferenceable over ActivityPub. Without this,
+      // an unauthenticated Accept: application/activity+json request would return
+      // the full body of a members-only/private item (audit session 204 — P0).
+      eq(contentItems.visibility, 'public'),
       isNull(contentItems.deletedAt),
     ))
     .limit(1);
@@ -68,9 +72,10 @@ export default defineEventHandler(async (event) => {
       title: row.content.title,
       slug: row.content.slug,
       description: row.content.description,
-      content: typeof row.content.content === 'string'
-        ? row.content.content
-        : JSON.stringify(row.content.content),
+      // Pass blocks through as-is: contentToArticle renders BlockTuple[] to HTML.
+      // Pre-stringifying forced the string branch, shipping raw JSON as the AP
+      // `content` (remote instances showed JSON instead of rendered HTML). (session 204)
+      content: row.content.content,
       coverImageUrl: row.content.coverImageUrl,
       publishedAt: row.content.publishedAt,
       updatedAt: row.content.updatedAt,

package/server/middleware/csrf.ts ADDED Viewed

@@ -0,0 +1,93 @@
+// CSRF defense for cookie-authenticated custom `/api/*` routes (audit session 204).
+//
+// The custom Nitro `/api/*` routes authenticate the browser via the Better Auth
+// SESSION COOKIE (resolved in middleware/auth.ts). Cookies are sent automatically
+// on cross-site requests, so without an Origin check a malicious page could drive
+// a logged-in user's browser to issue state-changing POST/PUT/PATCH/DELETE calls
+// (classic CSRF).
+//
+// This middleware runs ahead of the route handler (Nitro runs middleware
+// alphabetically — `csrf.ts` sorts before `features.ts`, `public-api-auth.ts`,
+// `security.ts`, `theme.ts`; after `auth.ts`, `content-*`. It does NOT depend on
+// auth's resolved session — it makes its own decision purely from the presence of
+// the session cookie + the Origin/Referer header, so ordering relative to auth.ts
+// is irrelevant) and rejects any unsafe-method `/api/*` request that:
+//   1. carries a Better Auth session cookie (i.e. is cookie-authenticated), AND
+//   2. whose Origin (or, lacking that, Referer) host does NOT match the request host.
+//
+// Requests with NO session cookie pass through untouched: bearer-token public-API
+// callers (`/api/public/*`), AP inbox (`/`-level, HTTP-signature auth), and plain
+// unauthenticated requests are not cookie-CSRF-able.
+//
+// Exemptions:
+//   - `/api/auth/*`  — Better Auth enforces its own CSRF via trustedOrigins.
+//   - `/api/public/*` — bearer-token auth, no cookie reliance.
+//
+// Why legit usage is unaffected: a same-origin browser fetch/XHR always sends an
+// `Origin` header whose host equals the page host (and the API host, same origin),
+// so the host comparison passes. Cross-site attacker requests send the attacker's
+// Origin (or, for top-level form posts, a Referer from the attacker's page), which
+// won't match — and even Origin-less navigations carrying the cookie are blocked.
+import { getBetterAuthSessionCookieName } from '../utils/betterAuthCookie';
+const UNSAFE_METHODS = new Set(['POST', 'PUT', 'PATCH', 'DELETE']);
+/** Extract the host (host:port) from an absolute URL string; null if unparseable. */
+function hostOf(value: string | undefined): string | null {
+  if (!value) return null;
+  try {
+    return new URL(value).host;
+  } catch {
+    return null;
+  }
+}
+export default defineEventHandler((event) => {
+  const method = event.method.toUpperCase();
+  if (!UNSAFE_METHODS.has(method)) return;
+  const url = getRequestURL(event);
+  const pathname = url.pathname;
+  // Only guard custom cookie-auth API routes.
+  if (!pathname.startsWith('/api/')) return;
+  // Better Auth owns its own CSRF; bearer-token public API doesn't use the cookie.
+  if (pathname.startsWith('/api/auth/') || pathname.startsWith('/api/public/')) return;
+  // Is this request cookie-authenticated? Check both possible cookie names
+  // (`__Secure-`-prefixed in prod / HTTPS, bare otherwise) so we don't depend on
+  // env detection being perfectly in sync — if EITHER is present, treat it as a
+  // cookie-auth attempt and enforce the origin check.
+  const hasSessionCookie =
+    getCookie(event, getBetterAuthSessionCookieName(true)) !== undefined ||
+    getCookie(event, getBetterAuthSessionCookieName(false)) !== undefined;
+  // No session cookie => not cookie-CSRF-able (bearer / public / anonymous). Pass.
+  if (!hasSessionCookie) return;
+  const requestHost = url.host;
+  // Prefer Origin (sent on all CORS-relevant requests incl. same-origin fetch);
+  // fall back to Referer for environments/requests that omit Origin.
+  const originHeader = getRequestHeader(event, 'origin');
+  const originHost = hostOf(originHeader);
+  if (originHost !== null) {
+    if (originHost !== requestHost) {
+      throw createError({ statusCode: 403, statusMessage: 'CSRF origin check failed' });
+    }
+    return;
+  }
+  const refererHost = hostOf(getRequestHeader(event, 'referer'));
+  if (refererHost !== null) {
+    if (refererHost !== requestHost) {
+      throw createError({ statusCode: 403, statusMessage: 'CSRF origin check failed' });
+    }
+    return;
+  }
+  // Cookie-authenticated unsafe request with NO Origin AND NO Referer: cannot be
+  // proven same-origin, so reject. Legitimate browser XHR/fetch always sends one.
+  throw createError({ statusCode: 403, statusMessage: 'CSRF origin check failed' });
+});

package/server/plugins/federation-hub-sync.ts CHANGED Viewed

@@ -9,7 +9,7 @@ import {
   fetchRemoteHubFollowers,
 } from '@commonpub/server';
 import { federatedHubs } from '@commonpub/schema';
-import { eq, and, or, lt, isNull } from 'drizzle-orm';
+import { eq, and, or, lt, isNull, inArray } from 'drizzle-orm';
 const MAX_HUBS_PER_CYCLE = 5;
 const STAGGER_DELAY_MS = 2_000;
@@ -56,28 +56,57 @@ export default defineNitroPlugin((nitro) => {
       const now = new Date();
       const staleThreshold = new Date(now.getTime() - intervalMs);
-      // Find accepted, non-hidden hubs where lastSyncAt is older than the interval or null
-      const staleHubs = await db
-        .select({
-          id: federatedHubs.id,
-          actorUri: federatedHubs.actorUri,
-          name: federatedHubs.name,
-          lastSyncAt: federatedHubs.lastSyncAt,
-        })
+      // Stale predicate: lastSyncAt is null or older than the interval. Reused for
+      // both the candidate select and the atomic claim so the claim only succeeds
+      // while the row is still stale (compare-and-claim).
+      const isStale = or(
+        isNull(federatedHubs.lastSyncAt),
+        lt(federatedHubs.lastSyncAt, staleThreshold),
+      );
+      // Find accepted, non-hidden hubs that are stale (candidates). We capture the
+      // prior lastSyncAt here (before the claim overwrites it) so first-sync
+      // detection survives the atomic claim below.
+      const candidates = await db
+        .select({ id: federatedHubs.id, lastSyncAt: federatedHubs.lastSyncAt })
         .from(federatedHubs)
         .where(and(
           eq(federatedHubs.status, 'accepted'),
           eq(federatedHubs.isHidden, false),
-          or(
-            isNull(federatedHubs.lastSyncAt),
-            lt(federatedHubs.lastSyncAt, staleThreshold),
-          ),
+          isStale,
         ))
         .limit(MAX_HUBS_PER_CYCLE);
-      if (staleHubs.length === 0) return;
+      if (candidates.length === 0) return;
+      // Map id -> was-this-a-first-sync (prior lastSyncAt null), captured pre-claim.
+      const wasFirstSync = new Map<string, boolean>(
+        candidates.map((c) => [c.id, c.lastSyncAt === null]),
+      );
+      // Atomic claim (mirrors federation-delivery's compare-and-claim): set
+      // lastSyncAt = now() on the selected ids, but only WHERE still stale. On N
+      // replicas selecting the same hubs, exactly one replica's UPDATE matches the
+      // stale predicate per row, so each hub is claimed (and fetched from remotes)
+      // once per cycle instead of N times. RETURNING gives us the rows we won.
+      const candidateIds = candidates.map((c) => c.id);
+      const claimedAt = new Date();
+      const staleHubs = await db
+        .update(federatedHubs)
+        .set({ lastSyncAt: claimedAt })
+        .where(and(
+          inArray(federatedHubs.id, candidateIds),
+          isStale,
+        ))
+        .returning({
+          id: federatedHubs.id,
+          actorUri: federatedHubs.actorUri,
+          name: federatedHubs.name,
+        });
+      if (staleHubs.length === 0) return; // another replica claimed them first
-      console.log(`[hub-sync] Found ${staleHubs.length} stale hub(s) to sync`);
+      console.log(`[hub-sync] Claimed ${staleHubs.length} stale hub(s) to sync`);
       for (const hub of staleHubs) {
         try {
@@ -85,7 +114,7 @@ export default defineNitroPlugin((nitro) => {
           await refreshFederatedHubMetadata(db, hub.id, hub.actorUri);
           // Fetch followers to populate members list (first sync or periodic refresh)
-          if (!hub.lastSyncAt) {
+          if (wasFirstSync.get(hub.id)) {
             // First sync — fetch followers to seed the members table
             try {
               const result = await fetchRemoteHubFollowers(db, hub.id, domain);
@@ -105,7 +134,9 @@ export default defineNitroPlugin((nitro) => {
             }
           }
-          // Update lastSyncAt
+          // Refresh lastSyncAt to completion time. The atomic claim above already
+          // set it to the claim time (which is what prevents other replicas from
+          // re-claiming); this just advances it to reflect successful completion.
           await db.update(federatedHubs).set({
             lastSyncAt: new Date(),
           }).where(eq(federatedHubs.id, hub.id));

package/server/plugins/notification-email.ts CHANGED Viewed

@@ -11,7 +11,7 @@ import {
   listNotifications,
 } from '@commonpub/server';
 import type { NotificationType } from '@commonpub/server';
-import { users } from '@commonpub/schema';
+import { users, digestRuns } from '@commonpub/schema';
 import { and, isNotNull, eq } from 'drizzle-orm';
 export default defineNitroPlugin((nitro) => {
@@ -76,7 +76,9 @@ export default defineNitroPlugin((nitro) => {
     }
   }, 5_000);
-  // Track the last date digests were sent to prevent duplicates on server restart during 8am hour
+  // Cheap in-process pre-check to avoid hitting the DB once this replica has already
+  // observed today's digest as claimed. The DB claim (digest_runs) is the authority:
+  // it guarantees exactly-one-replica-wins across N replicas / restarts.
   let lastDigestDate = '';
   async function runDigest(siteUrl: string, siteName: string): Promise<void> {
@@ -91,11 +93,28 @@ export default defineNitroPlugin((nitro) => {
       if (!isDigestHour) return;
-      // Prevent duplicate sends if server restarts during digest hour
+      // Deterministic UTC date key (YYYY-MM-DD). toISOString() is always UTC.
       const todayKey = now.toISOString().slice(0, 10);
+      // Cheap pre-check: this replica already knows today's digest is handled.
       if (lastDigestDate === todayKey) return;
+      // Atomic cross-replica claim: INSERT today's row, ON CONFLICT DO NOTHING.
+      // Exactly one replica gets a returned row (it won the claim); the rest get
+      // an empty array and bail without sending. Replaces the per-process guard
+      // that sent N duplicate digests on N replicas.
+      const claimed = await db
+        .insert(digestRuns)
+        .values({ digestDate: todayKey })
+        .onConflictDoNothing({ target: digestRuns.digestDate })
+        .returning({ digestDate: digestRuns.digestDate });
+      // Record locally regardless of outcome so this replica skips the DB on
+      // subsequent hourly ticks within the same UTC day.
       lastDigestDate = todayKey;
+      if (claimed.length === 0) return; // another replica already claimed today
       // Find users with digest preferences
       const digestUsers = await db
         .select({

package/server/routes/hubs/[slug]/inbox.ts CHANGED Viewed

@@ -1,5 +1,5 @@
 import { processInboxActivity } from '@commonpub/protocol';
-import { createInboxHandlers } from '@commonpub/server';
+import { createInboxHandlers, recordActivitySeen } from '@commonpub/server';
 import { verifyInboxRequest, assertActorMatchesSigner } from '../../../utils/inbox';
 /**
@@ -22,6 +22,18 @@ export default defineEventHandler(async (event) => {
   assertActorMatchesSigner(actorUri, body, 'hub-inbox');
   const db = useDB();
+  // Replay dedup: claim the verified activity id BEFORE dispatch so a replayed,
+  // validly-signed activity can't double-apply side effects. No id = process
+  // normally. Placed after verification so attacker-chosen ids can't be seeded.
+  const activityId = body.id;
+  if (typeof activityId === 'string' && activityId.length > 0) {
+    const first = await recordActivitySeen(db, activityId);
+    if (!first) {
+      return { status: 'accepted' };
+    }
+  }
   const domain = config.instance.domain;
   const slug = getRouterParam(event, 'slug');
   const handlers = createInboxHandlers({ db, domain, hubContext: slug ? { hubSlug: slug } : undefined });

package/server/routes/inbox.ts CHANGED Viewed

@@ -1,5 +1,5 @@
 import { processInboxActivity } from '@commonpub/protocol';
-import { createInboxHandlers } from '@commonpub/server';
+import { createInboxHandlers, recordActivitySeen } from '@commonpub/server';
 import { verifyInboxRequest, assertActorMatchesSigner, extractDomain } from '../utils/inbox';
 export default defineEventHandler(async (event) => {
@@ -18,6 +18,19 @@ export default defineEventHandler(async (event) => {
   assertActorMatchesSigner(actorUri, body, 'shared-inbox');
   const db = useDB();
+  // Replay dedup: claim the verified activity id BEFORE dispatch so a replayed,
+  // validly-signed activity can't double-apply side effects. No id = process
+  // normally (can't dedup what isn't addressable). Placed after verification so
+  // attacker-chosen ids can't be seeded.
+  const activityId = body.id;
+  if (typeof activityId === 'string' && activityId.length > 0) {
+    const first = await recordActivitySeen(db, activityId);
+    if (!first) {
+      return { status: 'accepted' };
+    }
+  }
   const runtimeConfig = useRuntimeConfig();
   const domain = extractDomain((runtimeConfig.public?.siteUrl as string) || `https://${config.instance.domain}`);
   const callbacks = createInboxHandlers({ db, domain });

package/server/routes/users/[username]/inbox.ts CHANGED Viewed

@@ -1,5 +1,5 @@
 import { processInboxActivity } from '@commonpub/protocol';
-import { createInboxHandlers } from '@commonpub/server';
+import { createInboxHandlers, recordActivitySeen } from '@commonpub/server';
 import { verifyInboxRequest, assertActorMatchesSigner, extractDomain } from '../../../utils/inbox';
 export default defineEventHandler(async (event) => {
@@ -17,6 +17,18 @@ export default defineEventHandler(async (event) => {
   assertActorMatchesSigner(actorUri, body, 'user-inbox');
   const db = useDB();
+  // Replay dedup: claim the verified activity id BEFORE dispatch so a replayed,
+  // validly-signed activity can't double-apply side effects. No id = process
+  // normally. Placed after verification so attacker-chosen ids can't be seeded.
+  const activityId = body.id;
+  if (typeof activityId === 'string' && activityId.length > 0) {
+    const first = await recordActivitySeen(db, activityId);
+    if (!first) {
+      return { status: 'accepted' };
+    }
+  }
   const runtimeConfig = useRuntimeConfig();
   const domain = extractDomain((runtimeConfig.public?.siteUrl as string) || `https://${config.instance.domain}`);
   const callbacks = createInboxHandlers({ db, domain });

package/server/utils/inbox.ts CHANGED Viewed

@@ -4,6 +4,7 @@
  * body size limits, and Date header freshness checks.
  */
 import { verifyHttpSignature, resolveActor } from '@commonpub/protocol';
+import { createSafeActorFetchFn } from '@commonpub/server';
 import type { H3Event } from 'h3';
 /** Maximum allowed body size for inbox POSTs (1 MB) */
@@ -97,8 +98,12 @@ export async function verifyInboxRequest(event: H3Event, label: string): Promise
   const actorUri = keyId.replace(/#.*$/, '');
-  // 4. Resolve actor and public key
-  const actor = await resolveActor(actorUri, fetch);
+  // 4. Resolve actor and public key.
+  // Use the SSRF-pinned fetch (DNS-rebind safe), NOT raw global fetch: actorUri here is
+  // the attacker-controlled keyId resolved BEFORE signature verification, so an
+  // unauthenticated POST /inbox could otherwise drive a server-side GET to internal
+  // addresses (cloud metadata, RFC1918). Audit session 204 — P0.
+  const actor = await resolveActor(actorUri, createSafeActorFetchFn());
   if (!actor?.publicKey?.publicKeyPem) {
     throw createError({ statusCode: 401, statusMessage: 'Could not resolve actor public key' });
   }

package/server/utils/validate.ts CHANGED Viewed

@@ -9,6 +9,13 @@ import type { ZodType } from 'zod';
 const UUID_REGEX = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;
 const SLUG_REGEX = /^[a-z0-9][a-z0-9-]*$/;
+/** True when `value` is a syntactically-valid UUID. Use to guard untrusted
+ *  query/body values that feed a uuid SQL bind (a non-uuid string reaching
+ *  the bind throws an unhandled 500). Router params should use `parseParams`. */
+export function isUuid(value: string): boolean {
+  return UUID_REGEX.test(value);
+}
 /**
  * Hard ceiling on JSON request bodies (10 MB). Every JSON write route funnels
  * through `parseBody`, so this one guard caps them all. It rejects on the
@@ -33,10 +40,25 @@ type ParamType = 'uuid' | 'slug' | 'string';
 /** Parse and validate request body against a Zod schema. Throws 400 on failure, 413 if oversized. */
 export async function parseBody<T>(event: H3Event, schema: ZodType<T>): Promise<T> {
+  // Fast-path: reject on the declared Content-Length before buffering anything.
   const declaredLength = Number(getRequestHeader(event, 'content-length') ?? 0);
   if (Number.isFinite(declaredLength) && declaredLength > MAX_JSON_BODY_BYTES) {
     throw createError({ statusCode: 413, statusMessage: 'Payload too large' });
   }
+  // The header is advisory and absent on chunked (Transfer-Encoding: chunked)
+  // requests — a client can stream an unbounded body with no Content-Length and
+  // slip past the fast-path. Read the RAW body once and enforce the cap on the
+  // ACTUAL buffered byte size before JSON.parse. `readBody` reuses this cached
+  // raw body, so there is no double read.
+  const raw: string | Buffer | undefined = await readRawBody(event, false);
+  if (raw != null) {
+    const size = typeof raw === 'string' ? Buffer.byteLength(raw) : raw.length;
+    if (size > MAX_JSON_BODY_BYTES) {
+      throw createError({ statusCode: 413, statusMessage: 'Payload too large' });
+    }
+  }
   const body = await readBody(event);
   const parsed = schema.safeParse(body);
   if (!parsed.success) {

package/theme/base.css CHANGED Viewed

@@ -7,6 +7,11 @@
    =========================================== */
 :root {
+  /* Theme native UI (date/time pickers, scrollbars, form controls) to the light
+     palette; dark.css overrides to `dark`. Without this, native popups (e.g. the
+     datetime-local calendar) render in the OS default scheme and clash. */
+  color-scheme: light;
   /* === SURFACES === */
   --bg: #fafaf9;
   --surface: #ffffff;

package/theme/prose.css CHANGED Viewed

@@ -339,4 +339,24 @@
   text-transform: uppercase;
   letter-spacing: var(--tracking-wide);
 }
+/* ===========================================
+   Full-HTML author content (CpubMarkdown format=html)
+   The v-html children carry no scoped styles, so this global, theme-aware
+   baseline keeps un-styled (or var()-based) author HTML readable in BOTH
+   themes. Hardcoded color literals are neutralized at sanitize time
+   (sanitizeRichHtml neutralizeColors), so this baseline shows through.
+   =========================================== */
+.cpub-md-html {
+  color: var(--text);
+  line-height: var(--leading-normal);
+}
+.cpub-md-html a { color: var(--accent); }
+.cpub-md-html h1, .cpub-md-html h2, .cpub-md-html h3,
+.cpub-md-html h4, .cpub-md-html h5, .cpub-md-html h6 { color: var(--text); }
+.cpub-md-html img { max-width: 100%; height: auto; }
+.cpub-md-html hr { border: 0; border-top: var(--border-width-default) solid var(--border); }
+.cpub-md-html blockquote { border-left: 3px solid var(--border); color: var(--text-dim); padding-left: var(--space-4); }
+.cpub-md-html th, .cpub-md-html td { border: var(--border-width-default) solid var(--border); }
+.cpub-md-html pre, .cpub-md-html code { background: var(--surface2); color: var(--text); }
 }

package/theme/stoa-dark.css CHANGED Viewed

@@ -11,6 +11,10 @@
    =========================================== */
 [data-theme="stoa-dark"] {
+  /* Theme native UI (date/time pickers, scrollbars) dark — dark.css/agora-dark.css
+     already do this; stoa-dark was missing it, so native controls rendered light. */
+  color-scheme: dark;
   /* === SURFACES (warm near-black) === */
   --bg: #15130d;
   --surface: #1f1c14;