npm - @dalgoridim/headless-cms - Versions diffs - 0.2.0 → 0.3.0 - Mend

@dalgoridim/headless-cms 0.2.0 → 0.3.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (16) hide show

package/ARCHITECTURE.md +1 -2
package/README.md +5 -1
package/dist/auth/google/client/index.cjs +196 -0
package/dist/auth/google/client/index.cjs.map +1 -0
package/dist/auth/google/client/index.d.cts +74 -0
package/dist/auth/google/client/index.d.ts +74 -0
package/dist/auth/google/client/index.js +178 -0
package/dist/auth/google/client/index.js.map +1 -0
package/dist/auth/google/index.cjs +121 -0
package/dist/auth/google/index.cjs.map +1 -0
package/dist/auth/google/index.d.cts +45 -0
package/dist/auth/google/index.d.ts +45 -0
package/dist/auth/google/index.js +95 -0
package/dist/auth/google/index.js.map +1 -0
package/package.json +16 -4
package/REDESIGN.md +0 -250

package/ARCHITECTURE.md CHANGED Viewed

@@ -1,8 +1,7 @@
 # Architecture & design notes
 Core/internal documentation for `@dalgoridim/headless-cms`. For consumer usage,
-see the [README](./README.md). For the history of the headless redesign, see
-[REDESIGN.md](./REDESIGN.md).
+see the [README](./README.md).
 ## Philosophy: harness, not framework

package/README.md CHANGED Viewed

@@ -13,6 +13,11 @@ You build a thin skin over the primitives (see [Styling](#styling-bring-your-own
 the package never pushes a look onto your site. The design rationale and internals
 live in [ARCHITECTURE.md](./ARCHITECTURE.md).
+**Live example:** [dalgoridim.com](https://dalgoridim.com) runs on this package.
+Try it: anyone can toggle edit mode and change the content inline, right on the
+page — but saves are gated, so only the authenticated owner's edits actually
+persist. Your changes are yours alone to play with.
 ## Install
 ```bash
@@ -353,7 +358,6 @@ without ever changing how your site looks.
 - **[README](./README.md)** — this guide: install and usage.
 - **[ARCHITECTURE.md](./ARCHITECTURE.md)** — design rationale and internals
   (bundle boundaries, backend parity, the hybrid Postgres model, headless UI).
-- **[REDESIGN.md](./REDESIGN.md)** — the "harness, not framework" redesign spec.
 ## Build

package/dist/auth/google/client/index.cjs ADDED Viewed

@@ -0,0 +1,196 @@
+"use strict";
+"use client";
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+// src/auth/google/client/index.tsx
+var client_exports = {};
+__export(client_exports, {
+  GoogleAuthProvider: () => GoogleAuthProvider,
+  useGoogleAuth: () => useGoogleAuth
+});
+module.exports = __toCommonJS(client_exports);
+var import_react = require("react");
+var import_client = require("@dalgoridim/headless-cms/client");
+var import_jsx_runtime = require("react/jsx-runtime");
+var GSI_SRC = "https://accounts.google.com/gsi/client";
+var GoogleAuthContext = (0, import_react.createContext)(
+  void 0
+);
+function setCookie(name, value) {
+  document.cookie = `${name}=${encodeURIComponent(value)}; path=/; samesite=lax`;
+}
+function deleteCookie(name) {
+  document.cookie = `${name}=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT`;
+}
+function readCookie(name) {
+  for (const part of document.cookie.split(";")) {
+    const [k, ...v] = part.trim().split("=");
+    if (k === name) return decodeURIComponent(v.join("="));
+  }
+  return null;
+}
+function decodeJwt(token) {
+  try {
+    const payload = token.split(".")[1];
+    const json = atob(payload.replace(/-/g, "+").replace(/_/g, "/"));
+    const data = JSON.parse(json);
+    return data;
+  } catch (e) {
+    return null;
+  }
+}
+function GoogleAuthProvider({
+  children,
+  clientId,
+  adminEmails,
+  cookieName = "adminToken",
+  onLogout
+}) {
+  const [user, setUser] = (0, import_react.useState)(null);
+  const [isAdmin, setIsAdmin] = (0, import_react.useState)(false);
+  const [isEditing, setIsEditing] = (0, import_react.useState)(false);
+  const [ready, setReady] = (0, import_react.useState)(false);
+  const allowed = (0, import_react.useRef)(
+    (adminEmails != null ? adminEmails : []).map((e) => e.trim().toLowerCase())
+  );
+  const applyToken = (0, import_react.useCallback)(
+    (token) => {
+      var _a;
+      const claims = decodeJwt(token);
+      if (!claims) return;
+      if (claims.exp && claims.exp * 1e3 <= Date.now()) {
+        deleteCookie(cookieName);
+        return;
+      }
+      const email = (_a = claims.email) == null ? void 0 : _a.toLowerCase();
+      const admin = allowed.current.length === 0 ? true : !!email && allowed.current.includes(email);
+      setCookie(cookieName, token);
+      setUser({
+        sub: claims.sub,
+        email: claims.email,
+        name: claims.name,
+        picture: claims.picture
+      });
+      setIsAdmin(admin);
+    },
+    [cookieName]
+  );
+  (0, import_react.useEffect)(() => {
+    const existing = readCookie(cookieName);
+    if (existing) applyToken(existing);
+  }, [cookieName, applyToken]);
+  (0, import_react.useEffect)(() => {
+    function init() {
+      if (!window.google) return;
+      window.google.accounts.id.initialize({
+        client_id: clientId,
+        callback: (res) => applyToken(res.credential),
+        auto_select: false,
+        cancel_on_tap_outside: true
+      });
+      setReady(true);
+    }
+    if (window.google) {
+      init();
+      return;
+    }
+    const existing = document.querySelector(
+      `script[src="${GSI_SRC}"]`
+    );
+    if (existing) {
+      existing.addEventListener("load", init);
+      return () => existing.removeEventListener("load", init);
+    }
+    const script = document.createElement("script");
+    script.src = GSI_SRC;
+    script.async = true;
+    script.defer = true;
+    script.onload = init;
+    document.head.appendChild(script);
+  }, [clientId, applyToken]);
+  (0, import_react.useEffect)(() => {
+    const originalFetch = window.fetch;
+    window.fetch = async (...args) => {
+      const response = await originalFetch(...args);
+      if (response.status === 401) {
+        try {
+          const data = await response.clone().json();
+          if (data == null ? void 0 : data.logout) doLogout();
+        } catch (e) {
+        }
+      }
+      return response;
+    };
+    return () => {
+      window.fetch = originalFetch;
+    };
+  }, []);
+  function doLogout() {
+    var _a;
+    (_a = window.google) == null ? void 0 : _a.accounts.id.disableAutoSelect();
+    deleteCookie(cookieName);
+    setUser(null);
+    setIsAdmin(false);
+    setIsEditing(false);
+    onLogout == null ? void 0 : onLogout();
+  }
+  const promptSignIn = (0, import_react.useCallback)(() => {
+    var _a;
+    if (!ready) return;
+    (_a = window.google) == null ? void 0 : _a.accounts.id.prompt();
+  }, [ready]);
+  const renderButton = (0, import_react.useCallback)(
+    (el, options) => {
+      var _a;
+      if (!ready) return;
+      (_a = window.google) == null ? void 0 : _a.accounts.id.renderButton(el, options);
+    },
+    [ready]
+  );
+  const toggleEdit = (0, import_react.useCallback)(() => setIsEditing((p) => !p), []);
+  return /* @__PURE__ */ (0, import_jsx_runtime.jsx)(
+    GoogleAuthContext.Provider,
+    {
+      value: {
+        user,
+        isAdmin,
+        isEditing,
+        toggleEdit,
+        ready,
+        promptSignIn,
+        renderButton,
+        logout: doLogout
+      },
+      children: /* @__PURE__ */ (0, import_jsx_runtime.jsx)(import_client.CmsAuthProvider, { value: { isAdmin, isEditing, toggleEdit }, children })
+    }
+  );
+}
+function useGoogleAuth() {
+  const ctx = (0, import_react.useContext)(GoogleAuthContext);
+  if (!ctx) {
+    throw new Error("useGoogleAuth must be used within a GoogleAuthProvider");
+  }
+  return ctx;
+}
+// Annotate the CommonJS export names for ESM import in node:
+0 && (module.exports = {
+  GoogleAuthProvider,
+  useGoogleAuth
+});
+//# sourceMappingURL=index.cjs.map

package/dist/auth/google/client/index.cjs.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"sources":["../../../../src/auth/google/client/index.tsx"],"sourcesContent":["\"use client\";\n\nimport {\n createContext,\n useCallback,\n useContext,\n useEffect,\n useRef,\n useState,\n type ReactNode,\n} from \"react\";\n// Imported via the public specifier so we share the SAME context instance as\n// the consumer's edit primitives at runtime (see tsup `external` + tsconfig paths).\nimport { CmsAuthProvider } from \"@dalgoridim/headless-cms/client\";\n\n/**\n * Client provider for **Google Identity Services** sign-in — the Firebase-free\n * counterpart to `FirebaseAuthProvider`. It loads the GSI script, lets the user\n * sign in with Google, stashes the resulting ID token in a cookie for the\n * server `googleAuth` adapter to verify, and feeds the shared CMS auth context\n * so the edit primitives light up. Admin status is optimistic on the client\n * (via `adminEmails`); the server gate remains authoritative.\n */\n\nconst GSI_SRC = \"https://accounts.google.com/gsi/client\";\n\n/** Minimal slice of the Google Identity Services API we use. */\ninterface GsiCredentialResponse {\n credential: string;\n}\ninterface GsiButtonOptions {\n type?: \"standard\" | \"icon\";\n theme?: \"outline\" | \"filled_blue\" | \"filled_black\";\n size?: \"small\" | \"medium\" | \"large\";\n text?: \"signin_with\" | \"signup_with\" | \"continue_with\" | \"signin\";\n shape?: \"rectangular\" | \"pill\" | \"circle\" | \"square\";\n width?: number;\n}\ninterface GsiClient {\n accounts: {\n id: {\n initialize: (config: {\n client_id: string;\n callback: (res: GsiCredentialResponse) => void;\n auto_select?: boolean;\n cancel_on_tap_outside?: boolean;\n }) => void;\n prompt: () => void;\n renderButton: (el: HTMLElement, options?: GsiButtonOptions) => void;\n disableAutoSelect: () => void;\n };\n };\n}\n\ndeclare global {\n interface Window {\n google?: GsiClient;\n }\n}\n\nexport interface GoogleUser {\n sub: string;\n email?: string;\n name?: string;\n picture?: string;\n}\n\nexport interface GoogleAuthProviderProps {\n children: ReactNode;\n /** OAuth 2.0 Web client ID (from Google Cloud Console → Credentials). */\n clientId: string;\n /**\n * Optional admin allowlist for *optimistic* client-side `isAdmin`. The server\n * `googleAuth` adapter still enforces the real gate. Omit to treat any\n * successful sign-in as optimistically admin (server will correct via 401).\n */\n adminEmails?: string[];\n /** Cookie name for the ID token. Default `adminToken`. */\n cookieName?: string;\n /** Called when a 401 `{ logout: true }` response is intercepted. */\n onLogout?: () => void;\n}\n\nexport interface GoogleAuthContextValue {\n user: GoogleUser | null;\n isAdmin: boolean;\n isEditing: boolean;\n toggleEdit: () => void;\n /** True once the GSI script has loaded and the client is initialized. */\n ready: boolean;\n /** Trigger Google One Tap / sign-in prompt. */\n promptSignIn: () => void;\n /** Render the official Google button into `el` (most reliable trigger). */\n renderButton: (el: HTMLElement, options?: GsiButtonOptions) => void;\n logout: () => void;\n}\n\nconst GoogleAuthContext = createContext<GoogleAuthContextValue | undefined>(\n undefined,\n);\n\nfunction setCookie(name: string, value: string) {\n document.cookie = `${name}=${encodeURIComponent(value)}; path=/; samesite=lax`;\n}\nfunction deleteCookie(name: string) {\n document.cookie = `${name}=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT`;\n}\nfunction readCookie(name: string): string | null {\n for (const part of document.cookie.split(\";\")) {\n const [k, ...v] = part.trim().split(\"=\");\n if (k === name) return decodeURIComponent(v.join(\"=\"));\n }\n return null;\n}\n\n/** Decode a JWT payload client-side (no verification — the server does that). */\nfunction decodeJwt(token: string): (GoogleUser & { exp?: number }) | null {\n try {\n const payload = token.split(\".\")[1];\n const json = atob(payload.replace(/-/g, \"+\").replace(/_/g, \"/\"));\n const data = JSON.parse(json) as {\n sub: string;\n email?: string;\n name?: string;\n picture?: string;\n exp?: number;\n };\n return data;\n } catch {\n return null;\n }\n}\n\nexport function GoogleAuthProvider({\n children,\n clientId,\n adminEmails,\n cookieName = \"adminToken\",\n onLogout,\n}: GoogleAuthProviderProps) {\n const [user, setUser] = useState<GoogleUser | null>(null);\n const [isAdmin, setIsAdmin] = useState(false);\n const [isEditing, setIsEditing] = useState(false);\n const [ready, setReady] = useState(false);\n const allowed = useRef(\n (adminEmails ?? []).map((e) => e.trim().toLowerCase()),\n );\n\n const applyToken = useCallback(\n (token: string) => {\n const claims = decodeJwt(token);\n if (!claims) return;\n if (claims.exp && claims.exp * 1000 <= Date.now()) {\n deleteCookie(cookieName);\n return;\n }\n const email = claims.email?.toLowerCase();\n // Optimistic: if no allowlist supplied, trust the sign-in and let the\n // server correct a non-admin via the 401 interceptor below.\n const admin =\n allowed.current.length === 0\n ? true\n : !!email && allowed.current.includes(email);\n setCookie(cookieName, token);\n setUser({\n sub: claims.sub,\n email: claims.email,\n name: claims.name,\n picture: claims.picture,\n });\n setIsAdmin(admin);\n },\n [cookieName],\n );\n\n // Restore an existing session from the cookie on mount.\n useEffect(() => {\n const existing = readCookie(cookieName);\n if (existing) applyToken(existing);\n }, [cookieName, applyToken]);\n\n // Load the GSI script and initialize the One Tap / button client.\n useEffect(() => {\n function init() {\n if (!window.google) return;\n window.google.accounts.id.initialize({\n client_id: clientId,\n callback: (res) => applyToken(res.credential),\n auto_select: false,\n cancel_on_tap_outside: true,\n });\n setReady(true);\n }\n\n if (window.google) {\n init();\n return;\n }\n const existing = document.querySelector<HTMLScriptElement>(\n `script[src=\"${GSI_SRC}\"]`,\n );\n if (existing) {\n existing.addEventListener(\"load\", init);\n return () => existing.removeEventListener(\"load\", init);\n }\n const script = document.createElement(\"script\");\n script.src = GSI_SRC;\n script.async = true;\n script.defer = true;\n script.onload = init;\n document.head.appendChild(script);\n }, [clientId, applyToken]);\n\n // Intercept admin 401s so an expired/forbidden session forces sign-out.\n useEffect(() => {\n const originalFetch = window.fetch;\n window.fetch = async (...args: Parameters<typeof fetch>) => {\n const response = await originalFetch(...args);\n if (response.status === 401) {\n try {\n const data = await response.clone().json();\n if (data?.logout) doLogout();\n } catch {\n /* not a JSON body — ignore */\n }\n }\n return response;\n };\n return () => {\n window.fetch = originalFetch;\n };\n // eslint-disable-next-line react-hooks/exhaustive-deps\n }, []);\n\n function doLogout() {\n window.google?.accounts.id.disableAutoSelect();\n deleteCookie(cookieName);\n setUser(null);\n setIsAdmin(false);\n setIsEditing(false);\n onLogout?.();\n }\n\n const promptSignIn = useCallback(() => {\n if (!ready) return;\n window.google?.accounts.id.prompt();\n }, [ready]);\n\n const renderButton = useCallback(\n (el: HTMLElement, options?: GsiButtonOptions) => {\n if (!ready) return;\n window.google?.accounts.id.renderButton(el, options);\n },\n [ready],\n );\n\n const toggleEdit = useCallback(() => setIsEditing((p) => !p), []);\n\n return (\n <GoogleAuthContext.Provider\n value={{\n user,\n isAdmin,\n isEditing,\n toggleEdit,\n ready,\n promptSignIn,\n renderButton,\n logout: doLogout,\n }}\n >\n <CmsAuthProvider value={{ isAdmin, isEditing, toggleEdit }}>\n {children}\n </CmsAuthProvider>\n </GoogleAuthContext.Provider>\n );\n}\n\n/** Google auth API (user/login/logout) for login pages and toolbars. */\nexport function useGoogleAuth(): GoogleAuthContextValue {\n const ctx = useContext(GoogleAuthContext);\n if (!ctx) {\n throw new Error(\"useGoogleAuth must be used within a GoogleAuthProvider\");\n }\n return ctx;\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAEA,mBAQO;AAGP,oBAAgC;AAkQ1B;AAvPN,IAAM,UAAU;AAyEhB,IAAM,wBAAoB;AAAA,EACxB;AACF;AAEA,SAAS,UAAU,MAAc,OAAe;AAC9C,WAAS,SAAS,GAAG,IAAI,IAAI,mBAAmB,KAAK,CAAC;AACxD;AACA,SAAS,aAAa,MAAc;AAClC,WAAS,SAAS,GAAG,IAAI;AAC3B;AACA,SAAS,WAAW,MAA6B;AAC/C,aAAW,QAAQ,SAAS,OAAO,MAAM,GAAG,GAAG;AAC7C,UAAM,CAAC,GAAG,GAAG,CAAC,IAAI,KAAK,KAAK,EAAE,MAAM,GAAG;AACvC,QAAI,MAAM,KAAM,QAAO,mBAAmB,EAAE,KAAK,GAAG,CAAC;AAAA,EACvD;AACA,SAAO;AACT;AAGA,SAAS,UAAU,OAAuD;AACxE,MAAI;AACF,UAAM,UAAU,MAAM,MAAM,GAAG,EAAE,CAAC;AAClC,UAAM,OAAO,KAAK,QAAQ,QAAQ,MAAM,GAAG,EAAE,QAAQ,MAAM,GAAG,CAAC;AAC/D,UAAM,OAAO,KAAK,MAAM,IAAI;AAO5B,WAAO;AAAA,EACT,SAAQ;AACN,WAAO;AAAA,EACT;AACF;AAEO,SAAS,mBAAmB;AAAA,EACjC;AAAA,EACA;AAAA,EACA;AAAA,EACA,aAAa;AAAA,EACb;AACF,GAA4B;AAC1B,QAAM,CAAC,MAAM,OAAO,QAAI,uBAA4B,IAAI;AACxD,QAAM,CAAC,SAAS,UAAU,QAAI,uBAAS,KAAK;AAC5C,QAAM,CAAC,WAAW,YAAY,QAAI,uBAAS,KAAK;AAChD,QAAM,CAAC,OAAO,QAAQ,QAAI,uBAAS,KAAK;AACxC,QAAM,cAAU;AAAA,KACb,oCAAe,CAAC,GAAG,IAAI,CAAC,MAAM,EAAE,KAAK,EAAE,YAAY,CAAC;AAAA,EACvD;AAEA,QAAM,iBAAa;AAAA,IACjB,CAAC,UAAkB;AArJvB;AAsJM,YAAM,SAAS,UAAU,KAAK;AAC9B,UAAI,CAAC,OAAQ;AACb,UAAI,OAAO,OAAO,OAAO,MAAM,OAAQ,KAAK,IAAI,GAAG;AACjD,qBAAa,UAAU;AACvB;AAAA,MACF;AACA,YAAM,SAAQ,YAAO,UAAP,mBAAc;AAG5B,YAAM,QACJ,QAAQ,QAAQ,WAAW,IACvB,OACA,CAAC,CAAC,SAAS,QAAQ,QAAQ,SAAS,KAAK;AAC/C,gBAAU,YAAY,KAAK;AAC3B,cAAQ;AAAA,QACN,KAAK,OAAO;AAAA,QACZ,OAAO,OAAO;AAAA,QACd,MAAM,OAAO;AAAA,QACb,SAAS,OAAO;AAAA,MAClB,CAAC;AACD,iBAAW,KAAK;AAAA,IAClB;AAAA,IACA,CAAC,UAAU;AAAA,EACb;AAGA,8BAAU,MAAM;AACd,UAAM,WAAW,WAAW,UAAU;AACtC,QAAI,SAAU,YAAW,QAAQ;AAAA,EACnC,GAAG,CAAC,YAAY,UAAU,CAAC;AAG3B,8BAAU,MAAM;AACd,aAAS,OAAO;AACd,UAAI,CAAC,OAAO,OAAQ;AACpB,aAAO,OAAO,SAAS,GAAG,WAAW;AAAA,QACnC,WAAW;AAAA,QACX,UAAU,CAAC,QAAQ,WAAW,IAAI,UAAU;AAAA,QAC5C,aAAa;AAAA,QACb,uBAAuB;AAAA,MACzB,CAAC;AACD,eAAS,IAAI;AAAA,IACf;AAEA,QAAI,OAAO,QAAQ;AACjB,WAAK;AACL;AAAA,IACF;AACA,UAAM,WAAW,SAAS;AAAA,MACxB,eAAe,OAAO;AAAA,IACxB;AACA,QAAI,UAAU;AACZ,eAAS,iBAAiB,QAAQ,IAAI;AACtC,aAAO,MAAM,SAAS,oBAAoB,QAAQ,IAAI;AAAA,IACxD;AACA,UAAM,SAAS,SAAS,cAAc,QAAQ;AAC9C,WAAO,MAAM;AACb,WAAO,QAAQ;AACf,WAAO,QAAQ;AACf,WAAO,SAAS;AAChB,aAAS,KAAK,YAAY,MAAM;AAAA,EAClC,GAAG,CAAC,UAAU,UAAU,CAAC;AAGzB,8BAAU,MAAM;AACd,UAAM,gBAAgB,OAAO;AAC7B,WAAO,QAAQ,UAAU,SAAmC;AAC1D,YAAM,WAAW,MAAM,cAAc,GAAG,IAAI;AAC5C,UAAI,SAAS,WAAW,KAAK;AAC3B,YAAI;AACF,gBAAM,OAAO,MAAM,SAAS,MAAM,EAAE,KAAK;AACzC,cAAI,6BAAM,OAAQ,UAAS;AAAA,QAC7B,SAAQ;AAAA,QAER;AAAA,MACF;AACA,aAAO;AAAA,IACT;AACA,WAAO,MAAM;AACX,aAAO,QAAQ;AAAA,IACjB;AAAA,EAEF,GAAG,CAAC,CAAC;AAEL,WAAS,WAAW;AA1OtB;AA2OI,iBAAO,WAAP,mBAAe,SAAS,GAAG;AAC3B,iBAAa,UAAU;AACvB,YAAQ,IAAI;AACZ,eAAW,KAAK;AAChB,iBAAa,KAAK;AAClB;AAAA,EACF;AAEA,QAAM,mBAAe,0BAAY,MAAM;AAnPzC;AAoPI,QAAI,CAAC,MAAO;AACZ,iBAAO,WAAP,mBAAe,SAAS,GAAG;AAAA,EAC7B,GAAG,CAAC,KAAK,CAAC;AAEV,QAAM,mBAAe;AAAA,IACnB,CAAC,IAAiB,YAA+B;AAzPrD;AA0PM,UAAI,CAAC,MAAO;AACZ,mBAAO,WAAP,mBAAe,SAAS,GAAG,aAAa,IAAI;AAAA,IAC9C;AAAA,IACA,CAAC,KAAK;AAAA,EACR;AAEA,QAAM,iBAAa,0BAAY,MAAM,aAAa,CAAC,MAAM,CAAC,CAAC,GAAG,CAAC,CAAC;AAEhE,SACE;AAAA,IAAC,kBAAkB;AAAA,IAAlB;AAAA,MACC,OAAO;AAAA,QACL;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA,QAAQ;AAAA,MACV;AAAA,MAEA,sDAAC,iCAAgB,OAAO,EAAE,SAAS,WAAW,WAAW,GACtD,UACH;AAAA;AAAA,EACF;AAEJ;AAGO,SAAS,gBAAwC;AACtD,QAAM,UAAM,yBAAW,iBAAiB;AACxC,MAAI,CAAC,KAAK;AACR,UAAM,IAAI,MAAM,wDAAwD;AAAA,EAC1E;AACA,SAAO;AACT;","names":[]}

package/dist/auth/google/client/index.d.cts ADDED Viewed

@@ -0,0 +1,74 @@
+import * as React from 'react';
+import { ReactNode } from 'react';
+/** Minimal slice of the Google Identity Services API we use. */
+interface GsiCredentialResponse {
+    credential: string;
+}
+interface GsiButtonOptions {
+    type?: "standard" | "icon";
+    theme?: "outline" | "filled_blue" | "filled_black";
+    size?: "small" | "medium" | "large";
+    text?: "signin_with" | "signup_with" | "continue_with" | "signin";
+    shape?: "rectangular" | "pill" | "circle" | "square";
+    width?: number;
+}
+interface GsiClient {
+    accounts: {
+        id: {
+            initialize: (config: {
+                client_id: string;
+                callback: (res: GsiCredentialResponse) => void;
+                auto_select?: boolean;
+                cancel_on_tap_outside?: boolean;
+            }) => void;
+            prompt: () => void;
+            renderButton: (el: HTMLElement, options?: GsiButtonOptions) => void;
+            disableAutoSelect: () => void;
+        };
+    };
+}
+declare global {
+    interface Window {
+        google?: GsiClient;
+    }
+}
+interface GoogleUser {
+    sub: string;
+    email?: string;
+    name?: string;
+    picture?: string;
+}
+interface GoogleAuthProviderProps {
+    children: ReactNode;
+    /** OAuth 2.0 Web client ID (from Google Cloud Console → Credentials). */
+    clientId: string;
+    /**
+     * Optional admin allowlist for *optimistic* client-side `isAdmin`. The server
+     * `googleAuth` adapter still enforces the real gate. Omit to treat any
+     * successful sign-in as optimistically admin (server will correct via 401).
+     */
+    adminEmails?: string[];
+    /** Cookie name for the ID token. Default `adminToken`. */
+    cookieName?: string;
+    /** Called when a 401 `{ logout: true }` response is intercepted. */
+    onLogout?: () => void;
+}
+interface GoogleAuthContextValue {
+    user: GoogleUser | null;
+    isAdmin: boolean;
+    isEditing: boolean;
+    toggleEdit: () => void;
+    /** True once the GSI script has loaded and the client is initialized. */
+    ready: boolean;
+    /** Trigger Google One Tap / sign-in prompt. */
+    promptSignIn: () => void;
+    /** Render the official Google button into `el` (most reliable trigger). */
+    renderButton: (el: HTMLElement, options?: GsiButtonOptions) => void;
+    logout: () => void;
+}
+declare function GoogleAuthProvider({ children, clientId, adminEmails, cookieName, onLogout, }: GoogleAuthProviderProps): React.JSX.Element;
+/** Google auth API (user/login/logout) for login pages and toolbars. */
+declare function useGoogleAuth(): GoogleAuthContextValue;
+export { type GoogleAuthContextValue, GoogleAuthProvider, type GoogleAuthProviderProps, type GoogleUser, useGoogleAuth };

package/dist/auth/google/client/index.d.ts ADDED Viewed

@@ -0,0 +1,74 @@
+import * as React from 'react';
+import { ReactNode } from 'react';
+/** Minimal slice of the Google Identity Services API we use. */
+interface GsiCredentialResponse {
+    credential: string;
+}
+interface GsiButtonOptions {
+    type?: "standard" | "icon";
+    theme?: "outline" | "filled_blue" | "filled_black";
+    size?: "small" | "medium" | "large";
+    text?: "signin_with" | "signup_with" | "continue_with" | "signin";
+    shape?: "rectangular" | "pill" | "circle" | "square";
+    width?: number;
+}
+interface GsiClient {
+    accounts: {
+        id: {
+            initialize: (config: {
+                client_id: string;
+                callback: (res: GsiCredentialResponse) => void;
+                auto_select?: boolean;
+                cancel_on_tap_outside?: boolean;
+            }) => void;
+            prompt: () => void;
+            renderButton: (el: HTMLElement, options?: GsiButtonOptions) => void;
+            disableAutoSelect: () => void;
+        };
+    };
+}
+declare global {
+    interface Window {
+        google?: GsiClient;
+    }
+}
+interface GoogleUser {
+    sub: string;
+    email?: string;
+    name?: string;
+    picture?: string;
+}
+interface GoogleAuthProviderProps {
+    children: ReactNode;
+    /** OAuth 2.0 Web client ID (from Google Cloud Console → Credentials). */
+    clientId: string;
+    /**
+     * Optional admin allowlist for *optimistic* client-side `isAdmin`. The server
+     * `googleAuth` adapter still enforces the real gate. Omit to treat any
+     * successful sign-in as optimistically admin (server will correct via 401).
+     */
+    adminEmails?: string[];
+    /** Cookie name for the ID token. Default `adminToken`. */
+    cookieName?: string;
+    /** Called when a 401 `{ logout: true }` response is intercepted. */
+    onLogout?: () => void;
+}
+interface GoogleAuthContextValue {
+    user: GoogleUser | null;
+    isAdmin: boolean;
+    isEditing: boolean;
+    toggleEdit: () => void;
+    /** True once the GSI script has loaded and the client is initialized. */
+    ready: boolean;
+    /** Trigger Google One Tap / sign-in prompt. */
+    promptSignIn: () => void;
+    /** Render the official Google button into `el` (most reliable trigger). */
+    renderButton: (el: HTMLElement, options?: GsiButtonOptions) => void;
+    logout: () => void;
+}
+declare function GoogleAuthProvider({ children, clientId, adminEmails, cookieName, onLogout, }: GoogleAuthProviderProps): React.JSX.Element;
+/** Google auth API (user/login/logout) for login pages and toolbars. */
+declare function useGoogleAuth(): GoogleAuthContextValue;
+export { type GoogleAuthContextValue, GoogleAuthProvider, type GoogleAuthProviderProps, type GoogleUser, useGoogleAuth };

package/dist/auth/google/client/index.js ADDED Viewed

@@ -0,0 +1,178 @@
+"use client";
+// src/auth/google/client/index.tsx
+import {
+  createContext,
+  useCallback,
+  useContext,
+  useEffect,
+  useRef,
+  useState
+} from "react";
+import { CmsAuthProvider } from "@dalgoridim/headless-cms/client";
+import { jsx } from "react/jsx-runtime";
+var GSI_SRC = "https://accounts.google.com/gsi/client";
+var GoogleAuthContext = createContext(
+  void 0
+);
+function setCookie(name, value) {
+  document.cookie = `${name}=${encodeURIComponent(value)}; path=/; samesite=lax`;
+}
+function deleteCookie(name) {
+  document.cookie = `${name}=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT`;
+}
+function readCookie(name) {
+  for (const part of document.cookie.split(";")) {
+    const [k, ...v] = part.trim().split("=");
+    if (k === name) return decodeURIComponent(v.join("="));
+  }
+  return null;
+}
+function decodeJwt(token) {
+  try {
+    const payload = token.split(".")[1];
+    const json = atob(payload.replace(/-/g, "+").replace(/_/g, "/"));
+    const data = JSON.parse(json);
+    return data;
+  } catch (e) {
+    return null;
+  }
+}
+function GoogleAuthProvider({
+  children,
+  clientId,
+  adminEmails,
+  cookieName = "adminToken",
+  onLogout
+}) {
+  const [user, setUser] = useState(null);
+  const [isAdmin, setIsAdmin] = useState(false);
+  const [isEditing, setIsEditing] = useState(false);
+  const [ready, setReady] = useState(false);
+  const allowed = useRef(
+    (adminEmails != null ? adminEmails : []).map((e) => e.trim().toLowerCase())
+  );
+  const applyToken = useCallback(
+    (token) => {
+      var _a;
+      const claims = decodeJwt(token);
+      if (!claims) return;
+      if (claims.exp && claims.exp * 1e3 <= Date.now()) {
+        deleteCookie(cookieName);
+        return;
+      }
+      const email = (_a = claims.email) == null ? void 0 : _a.toLowerCase();
+      const admin = allowed.current.length === 0 ? true : !!email && allowed.current.includes(email);
+      setCookie(cookieName, token);
+      setUser({
+        sub: claims.sub,
+        email: claims.email,
+        name: claims.name,
+        picture: claims.picture
+      });
+      setIsAdmin(admin);
+    },
+    [cookieName]
+  );
+  useEffect(() => {
+    const existing = readCookie(cookieName);
+    if (existing) applyToken(existing);
+  }, [cookieName, applyToken]);
+  useEffect(() => {
+    function init() {
+      if (!window.google) return;
+      window.google.accounts.id.initialize({
+        client_id: clientId,
+        callback: (res) => applyToken(res.credential),
+        auto_select: false,
+        cancel_on_tap_outside: true
+      });
+      setReady(true);
+    }
+    if (window.google) {
+      init();
+      return;
+    }
+    const existing = document.querySelector(
+      `script[src="${GSI_SRC}"]`
+    );
+    if (existing) {
+      existing.addEventListener("load", init);
+      return () => existing.removeEventListener("load", init);
+    }
+    const script = document.createElement("script");
+    script.src = GSI_SRC;
+    script.async = true;
+    script.defer = true;
+    script.onload = init;
+    document.head.appendChild(script);
+  }, [clientId, applyToken]);
+  useEffect(() => {
+    const originalFetch = window.fetch;
+    window.fetch = async (...args) => {
+      const response = await originalFetch(...args);
+      if (response.status === 401) {
+        try {
+          const data = await response.clone().json();
+          if (data == null ? void 0 : data.logout) doLogout();
+        } catch (e) {
+        }
+      }
+      return response;
+    };
+    return () => {
+      window.fetch = originalFetch;
+    };
+  }, []);
+  function doLogout() {
+    var _a;
+    (_a = window.google) == null ? void 0 : _a.accounts.id.disableAutoSelect();
+    deleteCookie(cookieName);
+    setUser(null);
+    setIsAdmin(false);
+    setIsEditing(false);
+    onLogout == null ? void 0 : onLogout();
+  }
+  const promptSignIn = useCallback(() => {
+    var _a;
+    if (!ready) return;
+    (_a = window.google) == null ? void 0 : _a.accounts.id.prompt();
+  }, [ready]);
+  const renderButton = useCallback(
+    (el, options) => {
+      var _a;
+      if (!ready) return;
+      (_a = window.google) == null ? void 0 : _a.accounts.id.renderButton(el, options);
+    },
+    [ready]
+  );
+  const toggleEdit = useCallback(() => setIsEditing((p) => !p), []);
+  return /* @__PURE__ */ jsx(
+    GoogleAuthContext.Provider,
+    {
+      value: {
+        user,
+        isAdmin,
+        isEditing,
+        toggleEdit,
+        ready,
+        promptSignIn,
+        renderButton,
+        logout: doLogout
+      },
+      children: /* @__PURE__ */ jsx(CmsAuthProvider, { value: { isAdmin, isEditing, toggleEdit }, children })
+    }
+  );
+}
+function useGoogleAuth() {
+  const ctx = useContext(GoogleAuthContext);
+  if (!ctx) {
+    throw new Error("useGoogleAuth must be used within a GoogleAuthProvider");
+  }
+  return ctx;
+}
+export {
+  GoogleAuthProvider,
+  useGoogleAuth
+};
+//# sourceMappingURL=index.js.map

package/dist/auth/google/client/index.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"sources":["../../../../src/auth/google/client/index.tsx"],"sourcesContent":["\"use client\";\n\nimport {\n createContext,\n useCallback,\n useContext,\n useEffect,\n useRef,\n useState,\n type ReactNode,\n} from \"react\";\n// Imported via the public specifier so we share the SAME context instance as\n// the consumer's edit primitives at runtime (see tsup `external` + tsconfig paths).\nimport { CmsAuthProvider } from \"@dalgoridim/headless-cms/client\";\n\n/**\n * Client provider for **Google Identity Services** sign-in — the Firebase-free\n * counterpart to `FirebaseAuthProvider`. It loads the GSI script, lets the user\n * sign in with Google, stashes the resulting ID token in a cookie for the\n * server `googleAuth` adapter to verify, and feeds the shared CMS auth context\n * so the edit primitives light up. Admin status is optimistic on the client\n * (via `adminEmails`); the server gate remains authoritative.\n */\n\nconst GSI_SRC = \"https://accounts.google.com/gsi/client\";\n\n/** Minimal slice of the Google Identity Services API we use. */\ninterface GsiCredentialResponse {\n credential: string;\n}\ninterface GsiButtonOptions {\n type?: \"standard\" | \"icon\";\n theme?: \"outline\" | \"filled_blue\" | \"filled_black\";\n size?: \"small\" | \"medium\" | \"large\";\n text?: \"signin_with\" | \"signup_with\" | \"continue_with\" | \"signin\";\n shape?: \"rectangular\" | \"pill\" | \"circle\" | \"square\";\n width?: number;\n}\ninterface GsiClient {\n accounts: {\n id: {\n initialize: (config: {\n client_id: string;\n callback: (res: GsiCredentialResponse) => void;\n auto_select?: boolean;\n cancel_on_tap_outside?: boolean;\n }) => void;\n prompt: () => void;\n renderButton: (el: HTMLElement, options?: GsiButtonOptions) => void;\n disableAutoSelect: () => void;\n };\n };\n}\n\ndeclare global {\n interface Window {\n google?: GsiClient;\n }\n}\n\nexport interface GoogleUser {\n sub: string;\n email?: string;\n name?: string;\n picture?: string;\n}\n\nexport interface GoogleAuthProviderProps {\n children: ReactNode;\n /** OAuth 2.0 Web client ID (from Google Cloud Console → Credentials). */\n clientId: string;\n /**\n * Optional admin allowlist for *optimistic* client-side `isAdmin`. The server\n * `googleAuth` adapter still enforces the real gate. Omit to treat any\n * successful sign-in as optimistically admin (server will correct via 401).\n */\n adminEmails?: string[];\n /** Cookie name for the ID token. Default `adminToken`. */\n cookieName?: string;\n /** Called when a 401 `{ logout: true }` response is intercepted. */\n onLogout?: () => void;\n}\n\nexport interface GoogleAuthContextValue {\n user: GoogleUser | null;\n isAdmin: boolean;\n isEditing: boolean;\n toggleEdit: () => void;\n /** True once the GSI script has loaded and the client is initialized. */\n ready: boolean;\n /** Trigger Google One Tap / sign-in prompt. */\n promptSignIn: () => void;\n /** Render the official Google button into `el` (most reliable trigger). */\n renderButton: (el: HTMLElement, options?: GsiButtonOptions) => void;\n logout: () => void;\n}\n\nconst GoogleAuthContext = createContext<GoogleAuthContextValue | undefined>(\n undefined,\n);\n\nfunction setCookie(name: string, value: string) {\n document.cookie = `${name}=${encodeURIComponent(value)}; path=/; samesite=lax`;\n}\nfunction deleteCookie(name: string) {\n document.cookie = `${name}=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT`;\n}\nfunction readCookie(name: string): string | null {\n for (const part of document.cookie.split(\";\")) {\n const [k, ...v] = part.trim().split(\"=\");\n if (k === name) return decodeURIComponent(v.join(\"=\"));\n }\n return null;\n}\n\n/** Decode a JWT payload client-side (no verification — the server does that). */\nfunction decodeJwt(token: string): (GoogleUser & { exp?: number }) | null {\n try {\n const payload = token.split(\".\")[1];\n const json = atob(payload.replace(/-/g, \"+\").replace(/_/g, \"/\"));\n const data = JSON.parse(json) as {\n sub: string;\n email?: string;\n name?: string;\n picture?: string;\n exp?: number;\n };\n return data;\n } catch {\n return null;\n }\n}\n\nexport function GoogleAuthProvider({\n children,\n clientId,\n adminEmails,\n cookieName = \"adminToken\",\n onLogout,\n}: GoogleAuthProviderProps) {\n const [user, setUser] = useState<GoogleUser | null>(null);\n const [isAdmin, setIsAdmin] = useState(false);\n const [isEditing, setIsEditing] = useState(false);\n const [ready, setReady] = useState(false);\n const allowed = useRef(\n (adminEmails ?? []).map((e) => e.trim().toLowerCase()),\n );\n\n const applyToken = useCallback(\n (token: string) => {\n const claims = decodeJwt(token);\n if (!claims) return;\n if (claims.exp && claims.exp * 1000 <= Date.now()) {\n deleteCookie(cookieName);\n return;\n }\n const email = claims.email?.toLowerCase();\n // Optimistic: if no allowlist supplied, trust the sign-in and let the\n // server correct a non-admin via the 401 interceptor below.\n const admin =\n allowed.current.length === 0\n ? true\n : !!email && allowed.current.includes(email);\n setCookie(cookieName, token);\n setUser({\n sub: claims.sub,\n email: claims.email,\n name: claims.name,\n picture: claims.picture,\n });\n setIsAdmin(admin);\n },\n [cookieName],\n );\n\n // Restore an existing session from the cookie on mount.\n useEffect(() => {\n const existing = readCookie(cookieName);\n if (existing) applyToken(existing);\n }, [cookieName, applyToken]);\n\n // Load the GSI script and initialize the One Tap / button client.\n useEffect(() => {\n function init() {\n if (!window.google) return;\n window.google.accounts.id.initialize({\n client_id: clientId,\n callback: (res) => applyToken(res.credential),\n auto_select: false,\n cancel_on_tap_outside: true,\n });\n setReady(true);\n }\n\n if (window.google) {\n init();\n return;\n }\n const existing = document.querySelector<HTMLScriptElement>(\n `script[src=\"${GSI_SRC}\"]`,\n );\n if (existing) {\n existing.addEventListener(\"load\", init);\n return () => existing.removeEventListener(\"load\", init);\n }\n const script = document.createElement(\"script\");\n script.src = GSI_SRC;\n script.async = true;\n script.defer = true;\n script.onload = init;\n document.head.appendChild(script);\n }, [clientId, applyToken]);\n\n // Intercept admin 401s so an expired/forbidden session forces sign-out.\n useEffect(() => {\n const originalFetch = window.fetch;\n window.fetch = async (...args: Parameters<typeof fetch>) => {\n const response = await originalFetch(...args);\n if (response.status === 401) {\n try {\n const data = await response.clone().json();\n if (data?.logout) doLogout();\n } catch {\n /* not a JSON body — ignore */\n }\n }\n return response;\n };\n return () => {\n window.fetch = originalFetch;\n };\n // eslint-disable-next-line react-hooks/exhaustive-deps\n }, []);\n\n function doLogout() {\n window.google?.accounts.id.disableAutoSelect();\n deleteCookie(cookieName);\n setUser(null);\n setIsAdmin(false);\n setIsEditing(false);\n onLogout?.();\n }\n\n const promptSignIn = useCallback(() => {\n if (!ready) return;\n window.google?.accounts.id.prompt();\n }, [ready]);\n\n const renderButton = useCallback(\n (el: HTMLElement, options?: GsiButtonOptions) => {\n if (!ready) return;\n window.google?.accounts.id.renderButton(el, options);\n },\n [ready],\n );\n\n const toggleEdit = useCallback(() => setIsEditing((p) => !p), []);\n\n return (\n <GoogleAuthContext.Provider\n value={{\n user,\n isAdmin,\n isEditing,\n toggleEdit,\n ready,\n promptSignIn,\n renderButton,\n logout: doLogout,\n }}\n >\n <CmsAuthProvider value={{ isAdmin, isEditing, toggleEdit }}>\n {children}\n </CmsAuthProvider>\n </GoogleAuthContext.Provider>\n );\n}\n\n/** Google auth API (user/login/logout) for login pages and toolbars. */\nexport function useGoogleAuth(): GoogleAuthContextValue {\n const ctx = useContext(GoogleAuthContext);\n if (!ctx) {\n throw new Error(\"useGoogleAuth must be used within a GoogleAuthProvider\");\n }\n return ctx;\n}\n"],"mappings":";;;AAEA;AAAA,EACE;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,OAEK;AAGP,SAAS,uBAAuB;AAkQ1B;AAvPN,IAAM,UAAU;AAyEhB,IAAM,oBAAoB;AAAA,EACxB;AACF;AAEA,SAAS,UAAU,MAAc,OAAe;AAC9C,WAAS,SAAS,GAAG,IAAI,IAAI,mBAAmB,KAAK,CAAC;AACxD;AACA,SAAS,aAAa,MAAc;AAClC,WAAS,SAAS,GAAG,IAAI;AAC3B;AACA,SAAS,WAAW,MAA6B;AAC/C,aAAW,QAAQ,SAAS,OAAO,MAAM,GAAG,GAAG;AAC7C,UAAM,CAAC,GAAG,GAAG,CAAC,IAAI,KAAK,KAAK,EAAE,MAAM,GAAG;AACvC,QAAI,MAAM,KAAM,QAAO,mBAAmB,EAAE,KAAK,GAAG,CAAC;AAAA,EACvD;AACA,SAAO;AACT;AAGA,SAAS,UAAU,OAAuD;AACxE,MAAI;AACF,UAAM,UAAU,MAAM,MAAM,GAAG,EAAE,CAAC;AAClC,UAAM,OAAO,KAAK,QAAQ,QAAQ,MAAM,GAAG,EAAE,QAAQ,MAAM,GAAG,CAAC;AAC/D,UAAM,OAAO,KAAK,MAAM,IAAI;AAO5B,WAAO;AAAA,EACT,SAAQ;AACN,WAAO;AAAA,EACT;AACF;AAEO,SAAS,mBAAmB;AAAA,EACjC;AAAA,EACA;AAAA,EACA;AAAA,EACA,aAAa;AAAA,EACb;AACF,GAA4B;AAC1B,QAAM,CAAC,MAAM,OAAO,IAAI,SAA4B,IAAI;AACxD,QAAM,CAAC,SAAS,UAAU,IAAI,SAAS,KAAK;AAC5C,QAAM,CAAC,WAAW,YAAY,IAAI,SAAS,KAAK;AAChD,QAAM,CAAC,OAAO,QAAQ,IAAI,SAAS,KAAK;AACxC,QAAM,UAAU;AAAA,KACb,oCAAe,CAAC,GAAG,IAAI,CAAC,MAAM,EAAE,KAAK,EAAE,YAAY,CAAC;AAAA,EACvD;AAEA,QAAM,aAAa;AAAA,IACjB,CAAC,UAAkB;AArJvB;AAsJM,YAAM,SAAS,UAAU,KAAK;AAC9B,UAAI,CAAC,OAAQ;AACb,UAAI,OAAO,OAAO,OAAO,MAAM,OAAQ,KAAK,IAAI,GAAG;AACjD,qBAAa,UAAU;AACvB;AAAA,MACF;AACA,YAAM,SAAQ,YAAO,UAAP,mBAAc;AAG5B,YAAM,QACJ,QAAQ,QAAQ,WAAW,IACvB,OACA,CAAC,CAAC,SAAS,QAAQ,QAAQ,SAAS,KAAK;AAC/C,gBAAU,YAAY,KAAK;AAC3B,cAAQ;AAAA,QACN,KAAK,OAAO;AAAA,QACZ,OAAO,OAAO;AAAA,QACd,MAAM,OAAO;AAAA,QACb,SAAS,OAAO;AAAA,MAClB,CAAC;AACD,iBAAW,KAAK;AAAA,IAClB;AAAA,IACA,CAAC,UAAU;AAAA,EACb;AAGA,YAAU,MAAM;AACd,UAAM,WAAW,WAAW,UAAU;AACtC,QAAI,SAAU,YAAW,QAAQ;AAAA,EACnC,GAAG,CAAC,YAAY,UAAU,CAAC;AAG3B,YAAU,MAAM;AACd,aAAS,OAAO;AACd,UAAI,CAAC,OAAO,OAAQ;AACpB,aAAO,OAAO,SAAS,GAAG,WAAW;AAAA,QACnC,WAAW;AAAA,QACX,UAAU,CAAC,QAAQ,WAAW,IAAI,UAAU;AAAA,QAC5C,aAAa;AAAA,QACb,uBAAuB;AAAA,MACzB,CAAC;AACD,eAAS,IAAI;AAAA,IACf;AAEA,QAAI,OAAO,QAAQ;AACjB,WAAK;AACL;AAAA,IACF;AACA,UAAM,WAAW,SAAS;AAAA,MACxB,eAAe,OAAO;AAAA,IACxB;AACA,QAAI,UAAU;AACZ,eAAS,iBAAiB,QAAQ,IAAI;AACtC,aAAO,MAAM,SAAS,oBAAoB,QAAQ,IAAI;AAAA,IACxD;AACA,UAAM,SAAS,SAAS,cAAc,QAAQ;AAC9C,WAAO,MAAM;AACb,WAAO,QAAQ;AACf,WAAO,QAAQ;AACf,WAAO,SAAS;AAChB,aAAS,KAAK,YAAY,MAAM;AAAA,EAClC,GAAG,CAAC,UAAU,UAAU,CAAC;AAGzB,YAAU,MAAM;AACd,UAAM,gBAAgB,OAAO;AAC7B,WAAO,QAAQ,UAAU,SAAmC;AAC1D,YAAM,WAAW,MAAM,cAAc,GAAG,IAAI;AAC5C,UAAI,SAAS,WAAW,KAAK;AAC3B,YAAI;AACF,gBAAM,OAAO,MAAM,SAAS,MAAM,EAAE,KAAK;AACzC,cAAI,6BAAM,OAAQ,UAAS;AAAA,QAC7B,SAAQ;AAAA,QAER;AAAA,MACF;AACA,aAAO;AAAA,IACT;AACA,WAAO,MAAM;AACX,aAAO,QAAQ;AAAA,IACjB;AAAA,EAEF,GAAG,CAAC,CAAC;AAEL,WAAS,WAAW;AA1OtB;AA2OI,iBAAO,WAAP,mBAAe,SAAS,GAAG;AAC3B,iBAAa,UAAU;AACvB,YAAQ,IAAI;AACZ,eAAW,KAAK;AAChB,iBAAa,KAAK;AAClB;AAAA,EACF;AAEA,QAAM,eAAe,YAAY,MAAM;AAnPzC;AAoPI,QAAI,CAAC,MAAO;AACZ,iBAAO,WAAP,mBAAe,SAAS,GAAG;AAAA,EAC7B,GAAG,CAAC,KAAK,CAAC;AAEV,QAAM,eAAe;AAAA,IACnB,CAAC,IAAiB,YAA+B;AAzPrD;AA0PM,UAAI,CAAC,MAAO;AACZ,mBAAO,WAAP,mBAAe,SAAS,GAAG,aAAa,IAAI;AAAA,IAC9C;AAAA,IACA,CAAC,KAAK;AAAA,EACR;AAEA,QAAM,aAAa,YAAY,MAAM,aAAa,CAAC,MAAM,CAAC,CAAC,GAAG,CAAC,CAAC;AAEhE,SACE;AAAA,IAAC,kBAAkB;AAAA,IAAlB;AAAA,MACC,OAAO;AAAA,QACL;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA,QAAQ;AAAA,MACV;AAAA,MAEA,8BAAC,mBAAgB,OAAO,EAAE,SAAS,WAAW,WAAW,GACtD,UACH;AAAA;AAAA,EACF;AAEJ;AAGO,SAAS,gBAAwC;AACtD,QAAM,MAAM,WAAW,iBAAiB;AACxC,MAAI,CAAC,KAAK;AACR,UAAM,IAAI,MAAM,wDAAwD;AAAA,EAC1E;AACA,SAAO;AACT;","names":[]}

package/dist/auth/google/index.cjs ADDED Viewed

@@ -0,0 +1,121 @@
+"use strict";
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+// src/auth/google/index.ts
+var google_exports = {};
+__export(google_exports, {
+  googleAuth: () => googleAuth,
+  verifyGoogleIdToken: () => verifyGoogleIdToken
+});
+module.exports = __toCommonJS(google_exports);
+var import_node_crypto = require("crypto");
+var GOOGLE_CERTS_URL = "https://www.googleapis.com/oauth2/v3/certs";
+var GOOGLE_ISSUERS = ["https://accounts.google.com", "accounts.google.com"];
+var keyCache = null;
+async function getSigningKey(kid) {
+  var _a, _b;
+  const now = Date.now();
+  if (!keyCache || now >= keyCache.expiresAt) {
+    const res = await fetch(GOOGLE_CERTS_URL);
+    if (!res.ok) throw new Error(`Google JWKS fetch failed: ${res.status}`);
+    const body = await res.json();
+    const keys = new Map(body.keys.map((k) => [k.kid, k]));
+    const maxAge = /max-age=(\d+)/.exec((_a = res.headers.get("cache-control")) != null ? _a : "");
+    keyCache = {
+      keys,
+      expiresAt: now + (maxAge ? Number(maxAge[1]) * 1e3 : 36e5)
+    };
+  }
+  return (_b = keyCache.keys.get(kid)) != null ? _b : null;
+}
+function b64urlToBuffer(input) {
+  return Buffer.from(input.replace(/-/g, "+").replace(/_/g, "/"), "base64");
+}
+function b64urlToJson(input) {
+  return JSON.parse(b64urlToBuffer(input).toString("utf8"));
+}
+function readCookie(req, name) {
+  const header = req.headers.get("cookie");
+  if (!header) return null;
+  for (const part of header.split(";")) {
+    const [k, ...v] = part.trim().split("=");
+    if (k === name) return decodeURIComponent(v.join("="));
+  }
+  return null;
+}
+async function verifyGoogleIdToken(token, opts) {
+  var _a, _b, _c;
+  const parts = token.split(".");
+  if (parts.length !== 3) throw new Error("Malformed ID token");
+  const [headerB64, payloadB64, signatureB64] = parts;
+  const header = b64urlToJson(headerB64);
+  if (header.alg !== "RS256") throw new Error(`Unexpected alg: ${header.alg}`);
+  const jwk = await getSigningKey(header.kid);
+  if (!jwk) throw new Error("No matching Google signing key for token");
+  const publicKey = (0, import_node_crypto.createPublicKey)({
+    key: jwk,
+    format: "jwk"
+  });
+  const verifier = (0, import_node_crypto.createVerify)("RSA-SHA256");
+  verifier.update(`${headerB64}.${payloadB64}`);
+  verifier.end();
+  if (!verifier.verify(publicKey, b64urlToBuffer(signatureB64))) {
+    throw new Error("Invalid ID token signature");
+  }
+  const payload = b64urlToJson(payloadB64);
+  const nowSec = Math.floor(((_b = (_a = opts.now) == null ? void 0 : _a.call(opts)) != null ? _b : Date.now()) / 1e3);
+  if (payload.exp <= nowSec) throw new Error("ID token expired");
+  const issuers = (_c = opts.issuers) != null ? _c : GOOGLE_ISSUERS;
+  if (!issuers.includes(payload.iss)) {
+    throw new Error(`Untrusted issuer: ${payload.iss}`);
+  }
+  const audiences = Array.isArray(opts.clientId) ? opts.clientId : [opts.clientId];
+  if (!audiences.includes(payload.aud)) throw new Error("Audience mismatch");
+  return payload;
+}
+function googleAuth(config) {
+  var _a;
+  const cookieName = (_a = config.cookieName) != null ? _a : "adminToken";
+  const allowed = config.adminEmails.map((e) => e.trim().toLowerCase());
+  return {
+    async verifyRequest(req) {
+      var _a2;
+      const token = readCookie(req, cookieName);
+      if (!token) return null;
+      let payload;
+      try {
+        payload = await verifyGoogleIdToken(token, {
+          clientId: config.clientId,
+          issuers: config.issuers
+        });
+      } catch (e) {
+        return null;
+      }
+      const email = (_a2 = payload.email) == null ? void 0 : _a2.toLowerCase();
+      const isAdmin = !!email && payload.email_verified === true && allowed.includes(email);
+      return { userId: payload.sub, email: payload.email, isAdmin };
+    }
+  };
+}
+// Annotate the CommonJS export names for ESM import in node:
+0 && (module.exports = {
+  googleAuth,
+  verifyGoogleIdToken
+});
+//# sourceMappingURL=index.cjs.map

package/dist/auth/google/index.cjs.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"sources":["../../../src/auth/google/index.ts"],"sourcesContent":["import { createPublicKey, createVerify, type JsonWebKey } from \"node:crypto\";\nimport type { AuthAdapter, AuthIdentity } from \"../../types\";\n\n/**\n * Server auth adapter backed by **Google Identity Services** ID tokens — the\n * lightweight alternative to the Firebase adapter when all you want is \"Sign in\n * with Google\". No Firebase project, no service account: the browser obtains a\n * signed Google ID token (a JWT), drops it in a cookie, and this adapter\n * verifies it locally against Google's public keys, then gates on an email\n * allowlist.\n *\n * Verification is dependency-free (Node's built-in `crypto` + `fetch`), so the\n * package keeps its zero-runtime-deps contract.\n */\n\nconst GOOGLE_CERTS_URL = \"https://www.googleapis.com/oauth2/v3/certs\";\nconst GOOGLE_ISSUERS = [\"https://accounts.google.com\", \"accounts.google.com\"];\n\n/** A Google JWKS entry (RSA public key in JWK form). */\ninterface GoogleJwk {\n kid: string;\n kty: string;\n n: string;\n e: string;\n alg?: string;\n use?: string;\n}\n\nlet keyCache: { keys: Map<string, GoogleJwk>; expiresAt: number } | null = null;\n\n/** Fetch (and cache, honoring `cache-control: max-age`) Google's signing keys. */\nasync function getSigningKey(kid: string): Promise<GoogleJwk | null> {\n const now = Date.now();\n if (!keyCache || now >= keyCache.expiresAt) {\n const res = await fetch(GOOGLE_CERTS_URL);\n if (!res.ok) throw new Error(`Google JWKS fetch failed: ${res.status}`);\n const body = (await res.json()) as { keys: GoogleJwk[] };\n const keys = new Map(body.keys.map((k) => [k.kid, k]));\n const maxAge = /max-age=(\\d+)/.exec(res.headers.get(\"cache-control\") ?? \"\");\n keyCache = {\n keys,\n expiresAt: now + (maxAge ? Number(maxAge[1]) * 1000 : 3_600_000),\n };\n }\n return keyCache.keys.get(kid) ?? null;\n}\n\nfunction b64urlToBuffer(input: string): Buffer {\n return Buffer.from(input.replace(/-/g, \"+\").replace(/_/g, \"/\"), \"base64\");\n}\n\nfunction b64urlToJson<T>(input: string): T {\n return JSON.parse(b64urlToBuffer(input).toString(\"utf8\")) as T;\n}\n\nfunction readCookie(req: Request, name: string): string | null {\n const header = req.headers.get(\"cookie\");\n if (!header) return null;\n for (const part of header.split(\";\")) {\n const [k, ...v] = part.trim().split(\"=\");\n if (k === name) return decodeURIComponent(v.join(\"=\"));\n }\n return null;\n}\n\n/** Claims of interest from a verified Google ID token. */\nexport interface GoogleIdTokenPayload {\n iss: string;\n aud: string;\n sub: string;\n exp: number;\n iat: number;\n email?: string;\n email_verified?: boolean;\n name?: string;\n picture?: string;\n}\n\nexport interface VerifyGoogleIdTokenOptions {\n /** Expected audience — your OAuth 2.0 Web client ID(s). */\n clientId: string | string[];\n /** Accepted issuers. Defaults to Google's two canonical issuers. */\n issuers?: string[];\n /** Clock injection for tests. Defaults to `Date.now`. */\n now?: () => number;\n}\n\n/**\n * Verify a Google ID token end-to-end: RS256 signature against Google's JWKS,\n * plus `exp` / `iss` / `aud` checks. Throws on any failure; resolves with the\n * decoded payload on success. Exported standalone for custom flows/tests.\n */\nexport async function verifyGoogleIdToken(\n token: string,\n opts: VerifyGoogleIdTokenOptions,\n): Promise<GoogleIdTokenPayload> {\n const parts = token.split(\".\");\n if (parts.length !== 3) throw new Error(\"Malformed ID token\");\n const [headerB64, payloadB64, signatureB64] = parts;\n\n const header = b64urlToJson<{ alg: string; kid: string }>(headerB64);\n if (header.alg !== \"RS256\") throw new Error(`Unexpected alg: ${header.alg}`);\n\n const jwk = await getSigningKey(header.kid);\n if (!jwk) throw new Error(\"No matching Google signing key for token\");\n\n const publicKey = createPublicKey({\n key: jwk as unknown as JsonWebKey,\n format: \"jwk\",\n });\n const verifier = createVerify(\"RSA-SHA256\");\n verifier.update(`${headerB64}.${payloadB64}`);\n verifier.end();\n if (!verifier.verify(publicKey, b64urlToBuffer(signatureB64))) {\n throw new Error(\"Invalid ID token signature\");\n }\n\n const payload = b64urlToJson<GoogleIdTokenPayload>(payloadB64);\n const nowSec = Math.floor((opts.now?.() ?? Date.now()) / 1000);\n if (payload.exp <= nowSec) throw new Error(\"ID token expired\");\n\n const issuers = opts.issuers ?? GOOGLE_ISSUERS;\n if (!issuers.includes(payload.iss)) {\n throw new Error(`Untrusted issuer: ${payload.iss}`);\n }\n const audiences = Array.isArray(opts.clientId)\n ? opts.clientId\n : [opts.clientId];\n if (!audiences.includes(payload.aud)) throw new Error(\"Audience mismatch\");\n\n return payload;\n}\n\nexport interface GoogleAuthConfig {\n /** OAuth 2.0 Web client ID(s); the token's `aud` must match one of these. */\n clientId: string | string[];\n /** Allowlist of admin emails (compared case-insensitively). */\n adminEmails: string[];\n /** Cookie carrying the Google ID token. Default `adminToken`. */\n cookieName?: string;\n /** Accepted issuers (override for testing). */\n issuers?: string[];\n}\n\n/**\n * Build an {@link AuthAdapter} that verifies the Google ID token from the\n * request cookie and grants admin only to a verified email in `adminEmails`.\n */\nexport function googleAuth(config: GoogleAuthConfig): AuthAdapter {\n const cookieName = config.cookieName ?? \"adminToken\";\n const allowed = config.adminEmails.map((e) => e.trim().toLowerCase());\n\n return {\n async verifyRequest(req: Request): Promise<AuthIdentity | null> {\n const token = readCookie(req, cookieName);\n if (!token) return null;\n\n let payload: GoogleIdTokenPayload;\n try {\n payload = await verifyGoogleIdToken(token, {\n clientId: config.clientId,\n issuers: config.issuers,\n });\n } catch {\n // Expired/invalid/tampered → unauthorized, so the gate emits a\n // 401 { logout: true } and the client can force sign-out.\n return null;\n }\n\n const email = payload.email?.toLowerCase();\n const isAdmin =\n !!email && payload.email_verified === true && allowed.includes(email);\n\n return { userId: payload.sub, email: payload.email, isAdmin };\n },\n };\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,yBAA+D;AAe/D,IAAM,mBAAmB;AACzB,IAAM,iBAAiB,CAAC,+BAA+B,qBAAqB;AAY5E,IAAI,WAAuE;AAG3E,eAAe,cAAc,KAAwC;AA/BrE;AAgCE,QAAM,MAAM,KAAK,IAAI;AACrB,MAAI,CAAC,YAAY,OAAO,SAAS,WAAW;AAC1C,UAAM,MAAM,MAAM,MAAM,gBAAgB;AACxC,QAAI,CAAC,IAAI,GAAI,OAAM,IAAI,MAAM,6BAA6B,IAAI,MAAM,EAAE;AACtE,UAAM,OAAQ,MAAM,IAAI,KAAK;AAC7B,UAAM,OAAO,IAAI,IAAI,KAAK,KAAK,IAAI,CAAC,MAAM,CAAC,EAAE,KAAK,CAAC,CAAC,CAAC;AACrD,UAAM,SAAS,gBAAgB,MAAK,SAAI,QAAQ,IAAI,eAAe,MAA/B,YAAoC,EAAE;AAC1E,eAAW;AAAA,MACT;AAAA,MACA,WAAW,OAAO,SAAS,OAAO,OAAO,CAAC,CAAC,IAAI,MAAO;AAAA,IACxD;AAAA,EACF;AACA,UAAO,cAAS,KAAK,IAAI,GAAG,MAArB,YAA0B;AACnC;AAEA,SAAS,eAAe,OAAuB;AAC7C,SAAO,OAAO,KAAK,MAAM,QAAQ,MAAM,GAAG,EAAE,QAAQ,MAAM,GAAG,GAAG,QAAQ;AAC1E;AAEA,SAAS,aAAgB,OAAkB;AACzC,SAAO,KAAK,MAAM,eAAe,KAAK,EAAE,SAAS,MAAM,CAAC;AAC1D;AAEA,SAAS,WAAW,KAAc,MAA6B;AAC7D,QAAM,SAAS,IAAI,QAAQ,IAAI,QAAQ;AACvC,MAAI,CAAC,OAAQ,QAAO;AACpB,aAAW,QAAQ,OAAO,MAAM,GAAG,GAAG;AACpC,UAAM,CAAC,GAAG,GAAG,CAAC,IAAI,KAAK,KAAK,EAAE,MAAM,GAAG;AACvC,QAAI,MAAM,KAAM,QAAO,mBAAmB,EAAE,KAAK,GAAG,CAAC;AAAA,EACvD;AACA,SAAO;AACT;AA6BA,eAAsB,oBACpB,OACA,MAC+B;AA/FjC;AAgGE,QAAM,QAAQ,MAAM,MAAM,GAAG;AAC7B,MAAI,MAAM,WAAW,EAAG,OAAM,IAAI,MAAM,oBAAoB;AAC5D,QAAM,CAAC,WAAW,YAAY,YAAY,IAAI;AAE9C,QAAM,SAAS,aAA2C,SAAS;AACnE,MAAI,OAAO,QAAQ,QAAS,OAAM,IAAI,MAAM,mBAAmB,OAAO,GAAG,EAAE;AAE3E,QAAM,MAAM,MAAM,cAAc,OAAO,GAAG;AAC1C,MAAI,CAAC,IAAK,OAAM,IAAI,MAAM,0CAA0C;AAEpE,QAAM,gBAAY,oCAAgB;AAAA,IAChC,KAAK;AAAA,IACL,QAAQ;AAAA,EACV,CAAC;AACD,QAAM,eAAW,iCAAa,YAAY;AAC1C,WAAS,OAAO,GAAG,SAAS,IAAI,UAAU,EAAE;AAC5C,WAAS,IAAI;AACb,MAAI,CAAC,SAAS,OAAO,WAAW,eAAe,YAAY,CAAC,GAAG;AAC7D,UAAM,IAAI,MAAM,4BAA4B;AAAA,EAC9C;AAEA,QAAM,UAAU,aAAmC,UAAU;AAC7D,QAAM,SAAS,KAAK,QAAO,gBAAK,QAAL,8CAAgB,KAAK,IAAI,KAAK,GAAI;AAC7D,MAAI,QAAQ,OAAO,OAAQ,OAAM,IAAI,MAAM,kBAAkB;AAE7D,QAAM,WAAU,UAAK,YAAL,YAAgB;AAChC,MAAI,CAAC,QAAQ,SAAS,QAAQ,GAAG,GAAG;AAClC,UAAM,IAAI,MAAM,qBAAqB,QAAQ,GAAG,EAAE;AAAA,EACpD;AACA,QAAM,YAAY,MAAM,QAAQ,KAAK,QAAQ,IACzC,KAAK,WACL,CAAC,KAAK,QAAQ;AAClB,MAAI,CAAC,UAAU,SAAS,QAAQ,GAAG,EAAG,OAAM,IAAI,MAAM,mBAAmB;AAEzE,SAAO;AACT;AAiBO,SAAS,WAAW,QAAuC;AApJlE;AAqJE,QAAM,cAAa,YAAO,eAAP,YAAqB;AACxC,QAAM,UAAU,OAAO,YAAY,IAAI,CAAC,MAAM,EAAE,KAAK,EAAE,YAAY,CAAC;AAEpE,SAAO;AAAA,IACL,MAAM,cAAc,KAA4C;AAzJpE,UAAAA;AA0JM,YAAM,QAAQ,WAAW,KAAK,UAAU;AACxC,UAAI,CAAC,MAAO,QAAO;AAEnB,UAAI;AACJ,UAAI;AACF,kBAAU,MAAM,oBAAoB,OAAO;AAAA,UACzC,UAAU,OAAO;AAAA,UACjB,SAAS,OAAO;AAAA,QAClB,CAAC;AAAA,MACH,SAAQ;AAGN,eAAO;AAAA,MACT;AAEA,YAAM,SAAQA,MAAA,QAAQ,UAAR,gBAAAA,IAAe;AAC7B,YAAM,UACJ,CAAC,CAAC,SAAS,QAAQ,mBAAmB,QAAQ,QAAQ,SAAS,KAAK;AAEtE,aAAO,EAAE,QAAQ,QAAQ,KAAK,OAAO,QAAQ,OAAO,QAAQ;AAAA,IAC9D;AAAA,EACF;AACF;","names":["_a"]}

package/dist/auth/google/index.d.cts ADDED Viewed

@@ -0,0 +1,45 @@
+import { AuthAdapter } from '../../index.cjs';
+/** Claims of interest from a verified Google ID token. */
+interface GoogleIdTokenPayload {
+    iss: string;
+    aud: string;
+    sub: string;
+    exp: number;
+    iat: number;
+    email?: string;
+    email_verified?: boolean;
+    name?: string;
+    picture?: string;
+}
+interface VerifyGoogleIdTokenOptions {
+    /** Expected audience — your OAuth 2.0 Web client ID(s). */
+    clientId: string | string[];
+    /** Accepted issuers. Defaults to Google's two canonical issuers. */
+    issuers?: string[];
+    /** Clock injection for tests. Defaults to `Date.now`. */
+    now?: () => number;
+}
+/**
+ * Verify a Google ID token end-to-end: RS256 signature against Google's JWKS,
+ * plus `exp` / `iss` / `aud` checks. Throws on any failure; resolves with the
+ * decoded payload on success. Exported standalone for custom flows/tests.
+ */
+declare function verifyGoogleIdToken(token: string, opts: VerifyGoogleIdTokenOptions): Promise<GoogleIdTokenPayload>;
+interface GoogleAuthConfig {
+    /** OAuth 2.0 Web client ID(s); the token's `aud` must match one of these. */
+    clientId: string | string[];
+    /** Allowlist of admin emails (compared case-insensitively). */
+    adminEmails: string[];
+    /** Cookie carrying the Google ID token. Default `adminToken`. */
+    cookieName?: string;
+    /** Accepted issuers (override for testing). */
+    issuers?: string[];
+}
+/**
+ * Build an {@link AuthAdapter} that verifies the Google ID token from the
+ * request cookie and grants admin only to a verified email in `adminEmails`.
+ */
+declare function googleAuth(config: GoogleAuthConfig): AuthAdapter;
+export { type GoogleAuthConfig, type GoogleIdTokenPayload, type VerifyGoogleIdTokenOptions, googleAuth, verifyGoogleIdToken };

package/dist/auth/google/index.d.ts ADDED Viewed

@@ -0,0 +1,45 @@
+import { AuthAdapter } from '../../index.js';
+/** Claims of interest from a verified Google ID token. */
+interface GoogleIdTokenPayload {
+    iss: string;
+    aud: string;
+    sub: string;
+    exp: number;
+    iat: number;
+    email?: string;
+    email_verified?: boolean;
+    name?: string;
+    picture?: string;
+}
+interface VerifyGoogleIdTokenOptions {
+    /** Expected audience — your OAuth 2.0 Web client ID(s). */
+    clientId: string | string[];
+    /** Accepted issuers. Defaults to Google's two canonical issuers. */
+    issuers?: string[];
+    /** Clock injection for tests. Defaults to `Date.now`. */
+    now?: () => number;
+}
+/**
+ * Verify a Google ID token end-to-end: RS256 signature against Google's JWKS,
+ * plus `exp` / `iss` / `aud` checks. Throws on any failure; resolves with the
+ * decoded payload on success. Exported standalone for custom flows/tests.
+ */
+declare function verifyGoogleIdToken(token: string, opts: VerifyGoogleIdTokenOptions): Promise<GoogleIdTokenPayload>;
+interface GoogleAuthConfig {
+    /** OAuth 2.0 Web client ID(s); the token's `aud` must match one of these. */
+    clientId: string | string[];
+    /** Allowlist of admin emails (compared case-insensitively). */
+    adminEmails: string[];
+    /** Cookie carrying the Google ID token. Default `adminToken`. */
+    cookieName?: string;
+    /** Accepted issuers (override for testing). */
+    issuers?: string[];
+}
+/**
+ * Build an {@link AuthAdapter} that verifies the Google ID token from the
+ * request cookie and grants admin only to a verified email in `adminEmails`.
+ */
+declare function googleAuth(config: GoogleAuthConfig): AuthAdapter;
+export { type GoogleAuthConfig, type GoogleIdTokenPayload, type VerifyGoogleIdTokenOptions, googleAuth, verifyGoogleIdToken };

package/dist/auth/google/index.js ADDED Viewed

@@ -0,0 +1,95 @@
+// src/auth/google/index.ts
+import { createPublicKey, createVerify } from "crypto";
+var GOOGLE_CERTS_URL = "https://www.googleapis.com/oauth2/v3/certs";
+var GOOGLE_ISSUERS = ["https://accounts.google.com", "accounts.google.com"];
+var keyCache = null;
+async function getSigningKey(kid) {
+  var _a, _b;
+  const now = Date.now();
+  if (!keyCache || now >= keyCache.expiresAt) {
+    const res = await fetch(GOOGLE_CERTS_URL);
+    if (!res.ok) throw new Error(`Google JWKS fetch failed: ${res.status}`);
+    const body = await res.json();
+    const keys = new Map(body.keys.map((k) => [k.kid, k]));
+    const maxAge = /max-age=(\d+)/.exec((_a = res.headers.get("cache-control")) != null ? _a : "");
+    keyCache = {
+      keys,
+      expiresAt: now + (maxAge ? Number(maxAge[1]) * 1e3 : 36e5)
+    };
+  }
+  return (_b = keyCache.keys.get(kid)) != null ? _b : null;
+}
+function b64urlToBuffer(input) {
+  return Buffer.from(input.replace(/-/g, "+").replace(/_/g, "/"), "base64");
+}
+function b64urlToJson(input) {
+  return JSON.parse(b64urlToBuffer(input).toString("utf8"));
+}
+function readCookie(req, name) {
+  const header = req.headers.get("cookie");
+  if (!header) return null;
+  for (const part of header.split(";")) {
+    const [k, ...v] = part.trim().split("=");
+    if (k === name) return decodeURIComponent(v.join("="));
+  }
+  return null;
+}
+async function verifyGoogleIdToken(token, opts) {
+  var _a, _b, _c;
+  const parts = token.split(".");
+  if (parts.length !== 3) throw new Error("Malformed ID token");
+  const [headerB64, payloadB64, signatureB64] = parts;
+  const header = b64urlToJson(headerB64);
+  if (header.alg !== "RS256") throw new Error(`Unexpected alg: ${header.alg}`);
+  const jwk = await getSigningKey(header.kid);
+  if (!jwk) throw new Error("No matching Google signing key for token");
+  const publicKey = createPublicKey({
+    key: jwk,
+    format: "jwk"
+  });
+  const verifier = createVerify("RSA-SHA256");
+  verifier.update(`${headerB64}.${payloadB64}`);
+  verifier.end();
+  if (!verifier.verify(publicKey, b64urlToBuffer(signatureB64))) {
+    throw new Error("Invalid ID token signature");
+  }
+  const payload = b64urlToJson(payloadB64);
+  const nowSec = Math.floor(((_b = (_a = opts.now) == null ? void 0 : _a.call(opts)) != null ? _b : Date.now()) / 1e3);
+  if (payload.exp <= nowSec) throw new Error("ID token expired");
+  const issuers = (_c = opts.issuers) != null ? _c : GOOGLE_ISSUERS;
+  if (!issuers.includes(payload.iss)) {
+    throw new Error(`Untrusted issuer: ${payload.iss}`);
+  }
+  const audiences = Array.isArray(opts.clientId) ? opts.clientId : [opts.clientId];
+  if (!audiences.includes(payload.aud)) throw new Error("Audience mismatch");
+  return payload;
+}
+function googleAuth(config) {
+  var _a;
+  const cookieName = (_a = config.cookieName) != null ? _a : "adminToken";
+  const allowed = config.adminEmails.map((e) => e.trim().toLowerCase());
+  return {
+    async verifyRequest(req) {
+      var _a2;
+      const token = readCookie(req, cookieName);
+      if (!token) return null;
+      let payload;
+      try {
+        payload = await verifyGoogleIdToken(token, {
+          clientId: config.clientId,
+          issuers: config.issuers
+        });
+      } catch (e) {
+        return null;
+      }
+      const email = (_a2 = payload.email) == null ? void 0 : _a2.toLowerCase();
+      const isAdmin = !!email && payload.email_verified === true && allowed.includes(email);
+      return { userId: payload.sub, email: payload.email, isAdmin };
+    }
+  };
+}
+export {
+  googleAuth,
+  verifyGoogleIdToken
+};
+//# sourceMappingURL=index.js.map

package/dist/auth/google/index.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"sources":["../../../src/auth/google/index.ts"],"sourcesContent":["import { createPublicKey, createVerify, type JsonWebKey } from \"node:crypto\";\nimport type { AuthAdapter, AuthIdentity } from \"../../types\";\n\n/**\n * Server auth adapter backed by **Google Identity Services** ID tokens — the\n * lightweight alternative to the Firebase adapter when all you want is \"Sign in\n * with Google\". No Firebase project, no service account: the browser obtains a\n * signed Google ID token (a JWT), drops it in a cookie, and this adapter\n * verifies it locally against Google's public keys, then gates on an email\n * allowlist.\n *\n * Verification is dependency-free (Node's built-in `crypto` + `fetch`), so the\n * package keeps its zero-runtime-deps contract.\n */\n\nconst GOOGLE_CERTS_URL = \"https://www.googleapis.com/oauth2/v3/certs\";\nconst GOOGLE_ISSUERS = [\"https://accounts.google.com\", \"accounts.google.com\"];\n\n/** A Google JWKS entry (RSA public key in JWK form). */\ninterface GoogleJwk {\n kid: string;\n kty: string;\n n: string;\n e: string;\n alg?: string;\n use?: string;\n}\n\nlet keyCache: { keys: Map<string, GoogleJwk>; expiresAt: number } | null = null;\n\n/** Fetch (and cache, honoring `cache-control: max-age`) Google's signing keys. */\nasync function getSigningKey(kid: string): Promise<GoogleJwk | null> {\n const now = Date.now();\n if (!keyCache || now >= keyCache.expiresAt) {\n const res = await fetch(GOOGLE_CERTS_URL);\n if (!res.ok) throw new Error(`Google JWKS fetch failed: ${res.status}`);\n const body = (await res.json()) as { keys: GoogleJwk[] };\n const keys = new Map(body.keys.map((k) => [k.kid, k]));\n const maxAge = /max-age=(\\d+)/.exec(res.headers.get(\"cache-control\") ?? \"\");\n keyCache = {\n keys,\n expiresAt: now + (maxAge ? Number(maxAge[1]) * 1000 : 3_600_000),\n };\n }\n return keyCache.keys.get(kid) ?? null;\n}\n\nfunction b64urlToBuffer(input: string): Buffer {\n return Buffer.from(input.replace(/-/g, \"+\").replace(/_/g, \"/\"), \"base64\");\n}\n\nfunction b64urlToJson<T>(input: string): T {\n return JSON.parse(b64urlToBuffer(input).toString(\"utf8\")) as T;\n}\n\nfunction readCookie(req: Request, name: string): string | null {\n const header = req.headers.get(\"cookie\");\n if (!header) return null;\n for (const part of header.split(\";\")) {\n const [k, ...v] = part.trim().split(\"=\");\n if (k === name) return decodeURIComponent(v.join(\"=\"));\n }\n return null;\n}\n\n/** Claims of interest from a verified Google ID token. */\nexport interface GoogleIdTokenPayload {\n iss: string;\n aud: string;\n sub: string;\n exp: number;\n iat: number;\n email?: string;\n email_verified?: boolean;\n name?: string;\n picture?: string;\n}\n\nexport interface VerifyGoogleIdTokenOptions {\n /** Expected audience — your OAuth 2.0 Web client ID(s). */\n clientId: string | string[];\n /** Accepted issuers. Defaults to Google's two canonical issuers. */\n issuers?: string[];\n /** Clock injection for tests. Defaults to `Date.now`. */\n now?: () => number;\n}\n\n/**\n * Verify a Google ID token end-to-end: RS256 signature against Google's JWKS,\n * plus `exp` / `iss` / `aud` checks. Throws on any failure; resolves with the\n * decoded payload on success. Exported standalone for custom flows/tests.\n */\nexport async function verifyGoogleIdToken(\n token: string,\n opts: VerifyGoogleIdTokenOptions,\n): Promise<GoogleIdTokenPayload> {\n const parts = token.split(\".\");\n if (parts.length !== 3) throw new Error(\"Malformed ID token\");\n const [headerB64, payloadB64, signatureB64] = parts;\n\n const header = b64urlToJson<{ alg: string; kid: string }>(headerB64);\n if (header.alg !== \"RS256\") throw new Error(`Unexpected alg: ${header.alg}`);\n\n const jwk = await getSigningKey(header.kid);\n if (!jwk) throw new Error(\"No matching Google signing key for token\");\n\n const publicKey = createPublicKey({\n key: jwk as unknown as JsonWebKey,\n format: \"jwk\",\n });\n const verifier = createVerify(\"RSA-SHA256\");\n verifier.update(`${headerB64}.${payloadB64}`);\n verifier.end();\n if (!verifier.verify(publicKey, b64urlToBuffer(signatureB64))) {\n throw new Error(\"Invalid ID token signature\");\n }\n\n const payload = b64urlToJson<GoogleIdTokenPayload>(payloadB64);\n const nowSec = Math.floor((opts.now?.() ?? Date.now()) / 1000);\n if (payload.exp <= nowSec) throw new Error(\"ID token expired\");\n\n const issuers = opts.issuers ?? GOOGLE_ISSUERS;\n if (!issuers.includes(payload.iss)) {\n throw new Error(`Untrusted issuer: ${payload.iss}`);\n }\n const audiences = Array.isArray(opts.clientId)\n ? opts.clientId\n : [opts.clientId];\n if (!audiences.includes(payload.aud)) throw new Error(\"Audience mismatch\");\n\n return payload;\n}\n\nexport interface GoogleAuthConfig {\n /** OAuth 2.0 Web client ID(s); the token's `aud` must match one of these. */\n clientId: string | string[];\n /** Allowlist of admin emails (compared case-insensitively). */\n adminEmails: string[];\n /** Cookie carrying the Google ID token. Default `adminToken`. */\n cookieName?: string;\n /** Accepted issuers (override for testing). */\n issuers?: string[];\n}\n\n/**\n * Build an {@link AuthAdapter} that verifies the Google ID token from the\n * request cookie and grants admin only to a verified email in `adminEmails`.\n */\nexport function googleAuth(config: GoogleAuthConfig): AuthAdapter {\n const cookieName = config.cookieName ?? \"adminToken\";\n const allowed = config.adminEmails.map((e) => e.trim().toLowerCase());\n\n return {\n async verifyRequest(req: Request): Promise<AuthIdentity | null> {\n const token = readCookie(req, cookieName);\n if (!token) return null;\n\n let payload: GoogleIdTokenPayload;\n try {\n payload = await verifyGoogleIdToken(token, {\n clientId: config.clientId,\n issuers: config.issuers,\n });\n } catch {\n // Expired/invalid/tampered → unauthorized, so the gate emits a\n // 401 { logout: true } and the client can force sign-out.\n return null;\n }\n\n const email = payload.email?.toLowerCase();\n const isAdmin =\n !!email && payload.email_verified === true && allowed.includes(email);\n\n return { userId: payload.sub, email: payload.email, isAdmin };\n },\n };\n}\n"],"mappings":";AAAA,SAAS,iBAAiB,oBAAqC;AAe/D,IAAM,mBAAmB;AACzB,IAAM,iBAAiB,CAAC,+BAA+B,qBAAqB;AAY5E,IAAI,WAAuE;AAG3E,eAAe,cAAc,KAAwC;AA/BrE;AAgCE,QAAM,MAAM,KAAK,IAAI;AACrB,MAAI,CAAC,YAAY,OAAO,SAAS,WAAW;AAC1C,UAAM,MAAM,MAAM,MAAM,gBAAgB;AACxC,QAAI,CAAC,IAAI,GAAI,OAAM,IAAI,MAAM,6BAA6B,IAAI,MAAM,EAAE;AACtE,UAAM,OAAQ,MAAM,IAAI,KAAK;AAC7B,UAAM,OAAO,IAAI,IAAI,KAAK,KAAK,IAAI,CAAC,MAAM,CAAC,EAAE,KAAK,CAAC,CAAC,CAAC;AACrD,UAAM,SAAS,gBAAgB,MAAK,SAAI,QAAQ,IAAI,eAAe,MAA/B,YAAoC,EAAE;AAC1E,eAAW;AAAA,MACT;AAAA,MACA,WAAW,OAAO,SAAS,OAAO,OAAO,CAAC,CAAC,IAAI,MAAO;AAAA,IACxD;AAAA,EACF;AACA,UAAO,cAAS,KAAK,IAAI,GAAG,MAArB,YAA0B;AACnC;AAEA,SAAS,eAAe,OAAuB;AAC7C,SAAO,OAAO,KAAK,MAAM,QAAQ,MAAM,GAAG,EAAE,QAAQ,MAAM,GAAG,GAAG,QAAQ;AAC1E;AAEA,SAAS,aAAgB,OAAkB;AACzC,SAAO,KAAK,MAAM,eAAe,KAAK,EAAE,SAAS,MAAM,CAAC;AAC1D;AAEA,SAAS,WAAW,KAAc,MAA6B;AAC7D,QAAM,SAAS,IAAI,QAAQ,IAAI,QAAQ;AACvC,MAAI,CAAC,OAAQ,QAAO;AACpB,aAAW,QAAQ,OAAO,MAAM,GAAG,GAAG;AACpC,UAAM,CAAC,GAAG,GAAG,CAAC,IAAI,KAAK,KAAK,EAAE,MAAM,GAAG;AACvC,QAAI,MAAM,KAAM,QAAO,mBAAmB,EAAE,KAAK,GAAG,CAAC;AAAA,EACvD;AACA,SAAO;AACT;AA6BA,eAAsB,oBACpB,OACA,MAC+B;AA/FjC;AAgGE,QAAM,QAAQ,MAAM,MAAM,GAAG;AAC7B,MAAI,MAAM,WAAW,EAAG,OAAM,IAAI,MAAM,oBAAoB;AAC5D,QAAM,CAAC,WAAW,YAAY,YAAY,IAAI;AAE9C,QAAM,SAAS,aAA2C,SAAS;AACnE,MAAI,OAAO,QAAQ,QAAS,OAAM,IAAI,MAAM,mBAAmB,OAAO,GAAG,EAAE;AAE3E,QAAM,MAAM,MAAM,cAAc,OAAO,GAAG;AAC1C,MAAI,CAAC,IAAK,OAAM,IAAI,MAAM,0CAA0C;AAEpE,QAAM,YAAY,gBAAgB;AAAA,IAChC,KAAK;AAAA,IACL,QAAQ;AAAA,EACV,CAAC;AACD,QAAM,WAAW,aAAa,YAAY;AAC1C,WAAS,OAAO,GAAG,SAAS,IAAI,UAAU,EAAE;AAC5C,WAAS,IAAI;AACb,MAAI,CAAC,SAAS,OAAO,WAAW,eAAe,YAAY,CAAC,GAAG;AAC7D,UAAM,IAAI,MAAM,4BAA4B;AAAA,EAC9C;AAEA,QAAM,UAAU,aAAmC,UAAU;AAC7D,QAAM,SAAS,KAAK,QAAO,gBAAK,QAAL,8CAAgB,KAAK,IAAI,KAAK,GAAI;AAC7D,MAAI,QAAQ,OAAO,OAAQ,OAAM,IAAI,MAAM,kBAAkB;AAE7D,QAAM,WAAU,UAAK,YAAL,YAAgB;AAChC,MAAI,CAAC,QAAQ,SAAS,QAAQ,GAAG,GAAG;AAClC,UAAM,IAAI,MAAM,qBAAqB,QAAQ,GAAG,EAAE;AAAA,EACpD;AACA,QAAM,YAAY,MAAM,QAAQ,KAAK,QAAQ,IACzC,KAAK,WACL,CAAC,KAAK,QAAQ;AAClB,MAAI,CAAC,UAAU,SAAS,QAAQ,GAAG,EAAG,OAAM,IAAI,MAAM,mBAAmB;AAEzE,SAAO;AACT;AAiBO,SAAS,WAAW,QAAuC;AApJlE;AAqJE,QAAM,cAAa,YAAO,eAAP,YAAqB;AACxC,QAAM,UAAU,OAAO,YAAY,IAAI,CAAC,MAAM,EAAE,KAAK,EAAE,YAAY,CAAC;AAEpE,SAAO;AAAA,IACL,MAAM,cAAc,KAA4C;AAzJpE,UAAAA;AA0JM,YAAM,QAAQ,WAAW,KAAK,UAAU;AACxC,UAAI,CAAC,MAAO,QAAO;AAEnB,UAAI;AACJ,UAAI;AACF,kBAAU,MAAM,oBAAoB,OAAO;AAAA,UACzC,UAAU,OAAO;AAAA,UACjB,SAAS,OAAO;AAAA,QAClB,CAAC;AAAA,MACH,SAAQ;AAGN,eAAO;AAAA,MACT;AAEA,YAAM,SAAQA,MAAA,QAAQ,UAAR,gBAAAA,IAAe;AAC7B,YAAM,UACJ,CAAC,CAAC,SAAS,QAAQ,mBAAmB,QAAQ,QAAQ,SAAS,KAAK;AAEtE,aAAO,EAAE,QAAQ,QAAQ,KAAK,OAAO,QAAQ,OAAO,QAAQ;AAAA,IAC9D;AAAA,EACF;AACF;","names":["_a"]}

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@dalgoridim/headless-cms",
-  "version": "0.2.0",
+  "version": "0.3.0",
   "description": "Database-agnostic, inline-edit headless CMS engine for React / Next.js apps",
   "license": "UNLICENSED",
   "author": "dalgoridim",
@@ -92,17 +92,28 @@
       "types": "./dist/auth/nextauth/index.d.ts",
       "import": "./dist/auth/nextauth/index.js",
       "require": "./dist/auth/nextauth/index.cjs"
+    },
+    "./auth/google": {
+      "types": "./dist/auth/google/index.d.ts",
+      "import": "./dist/auth/google/index.js",
+      "require": "./dist/auth/google/index.cjs"
+    },
+    "./auth/google/client": {
+      "types": "./dist/auth/google/client/index.d.ts",
+      "import": "./dist/auth/google/client/index.js",
+      "require": "./dist/auth/google/client/index.cjs"
     }
   },
   "files": [
     "dist",
-    "ARCHITECTURE.md",
-    "REDESIGN.md"
+    "ARCHITECTURE.md"
   ],
   "scripts": {
     "build": "tsup",
     "dev": "tsup --watch",
     "typecheck": "tsc --noEmit",
+    "test": "vitest run",
+    "test:watch": "vitest",
     "prepare": "tsup"
   },
   "peerDependencies": {
@@ -155,6 +166,7 @@
     "react": "^19.0.0",
     "react-dom": "^19.0.0",
     "tsup": "^8.5.1",
-    "typescript": "^5.7.0"
+    "typescript": "^5.7.0",
+    "vitest": "^3.0.0"
   }
 }

package/REDESIGN.md DELETED Viewed

@@ -1,250 +0,0 @@
-# Headless CMS — "Harness, Not Framework" Redesign
-> Full spec for the "harness, not framework" redesign. Living document — kept in
-> sync as the two tracks land.
-## Context
-`@dalgoridim/headless-cms` was extracted from `portfolio-2025`. An audit of what
-the package *forces* on its consumers found two layers with opposite philosophies:
-- **Data / server layer — already free.** `Section` is schemaless
-  (`{ id, collection, [key]: any }`), the Postgres adapter never drops unmapped
-  fields (JSONB `documents` fallback + `extra` column), and `DataAdapter` is
-  generic. Good.
-- **UI / client layer — a framework, not a harness.** The components ship a
-  finished, portfolio-specific look and hard dependencies. A consumer adopting
-  the package today **inherits portfolio-2025's visual design** and is forced
-  into Tailwind, a dark `neutral` palette, a `primary` design token,
-  `lucide-react`, `sonner`, and a bespoke text-mark syntax.
-The goal: make the **whole** package a harness — wire behavior, impose nothing.
-Two tracks, shipped together:
-- **Track A** — de-framework-ize the UI (the philosophy fix; highest impact).
-- **Track B** — close the four data-layer capability gaps (query power,
-  relations, loosened `id`/`collection`, auth flexibility).
-### Decisions locked in with the user
-- Package goes **pure headless**; the current dark/Tailwind look is **moved into
-  portfolio-2025's own shim components**, not kept in the package.
-- API optimized for **DX**: `className`/`style` passthrough + `data-*` state
-  attributes + injectable deps (icons / notifier / markup parser); render-props
-  / `asChild` only where it genuinely improves control.
-- **Both tracks in one pass.**
-### Guiding principles (apply to every change)
-1. Ship **unstyled** by default — no Tailwind, no palette, no `primary` token.
-2. Expose **styling hooks** — `className`, `style`, `data-*` state attributes,
-   and render-props/`asChild` for complex chrome.
-3. Make deps **injectable, not baked** — icons, toasts, markup parser.
-4. **No portfolio-specific code** in the package.
-5. Never silently break portfolio — package + portfolio shims change in lockstep.
----
-## Current forcing inventory (what we are removing)
-| Forced thing | Location | Resolution |
-|---|---|---|
-| Tailwind mandatory (`cn`, utility strings) | all client components, `client/utils.ts` | Strip utility strings; `cn`/`tailwind-merge` leaves core. |
-| Dark `neutral` palette + ring offsets | `ContentEditSpan`, `EditableImage`, `MarkdownEditor` | Move to portfolio shims. |
-| `primary` token (`var(--color-primary)`, `bg-primary`) | `ContentEditSpan.tsx:103`, `EditableImage`, `MarkdownEditor` | Removed from package; portfolio keeps it in its shims. |
-| `lucide-react` + `sonner` baked in | `EditableImage`, `MarkdownEditor`, `PageProvider` default notifier | Drop from hard deps; inject; portfolio supplies them. |
-| Bespoke text-mark syntax (`^^primary^^`, `~~br~~`, `__underline__`) | `ContentEditSpan.tsx:30` `PATTERNS` | Make parser/renderer injectable with a default. |
-| Portfolio leftovers: `collection = "portfolio"` default, `ProjectContentEditor` | `ContentEditSpan.tsx:151`, `MarkdownEditor.tsx:293` | Delete from package; move `ProjectContentEditor` to portfolio. |
-| Hardcoded English copy | `EditableImage`, `MarkdownEditor` | Replace with props/children defaults. |
-| `id` + `collection` forced on content type | `types.ts:12` | Split internal addressing from user's `T` (Track B3). |
-| Tiny query language | `types.ts:48` | Extend neutrally (Track B1). |
-| `AuthIdentity` forces `userId`+`isAdmin` | `types.ts:92` | Minimal contract + open payload + `authorize` predicate (Track B4). |
----
-## Track A — Headless UI
-### A1. `PageProvider` (`src/client/PageProvider.tsx`)
-- `Notifier` is already injectable — keep. **Change the default** from a `sonner`
-  toast sink to a dependency-free console/no-op default so `sonner` is no longer
-  required. Portfolio passes a sonner-backed notifier from its shim.
-- No other behavior change; this file is mostly backend-agnostic already.
-### A2. `ContentEditSpan` (`src/client/ContentEditSpan.tsx`)
-- Remove `collection = "portfolio"` default → `collection` becomes required (or
-  resolved from an optional provider-level default-collection context).
-- Extract the `PATTERNS` parser + `RenderStatic` into an **injectable markup
-  contract**: `parse(raw) => Node[]` + `render(nodes)`, defaulted to the current
-  implementation but overridable via prop or a `CmsMarkupContext`. Consumers who
-  want plain text or their own DSL drop in their own.
-- Strip all Tailwind/`primary`/`neutral` classes. Keep `className` passthrough.
-  Emit **state via data attributes**: `data-cms-editable`, `data-editing`,
-  `data-focused` so consumers style with their own CSS.
-- Keep the `as` prop; add `asChild` (lightweight Slot) so the consumer can supply
-  their own element/markup while the primitive wires `contentEditable`.
-### A3. `EditableImage` (`src/client/EditableImage.tsx`)
-- Keep the upload/url/pending-image behavior (it's correct and engine-wired).
-- Remove `lucide` icons and all dark modal/overlay styling. Expose a
-  **render-prop API**: the component manages state and hands the consumer
-  `{ src, isEditing, saving, openFilePicker, setUrl, error }`; the consumer
-  renders the overlay/modal. Provide a minimal **unstyled default** render so the
-  simple case still works without writing chrome.
-- Placeholder ("No image available") and modal copy become props/children.
-### A4. `MarkdownEditor` (`src/client/MarkdownEditor.tsx`)
-- This is the most styled file. Split into:
-  - **Headless core**: editor state + commands (`insertMarkdown`, preview
-    toggle, save/cancel, char count) exposed via hook/render-prop.
-  - The modal chrome, toolbar, icons (`lucide`), markdown guide, and
-    `react-markdown`/`remark-gfm` preview move to **portfolio**.
-- `react-markdown` + `remark-gfm` leave the package's hard deps (preview is a
-  consumer concern; the core only manages text).
-- **Delete `ProjectContentEditor`** from the package (portfolio-specific) → move
-  to portfolio.
-### A5. `client/utils.ts` + deps
-- `cn` relies on `tailwind-merge` (Tailwind-specific). Drop `tailwind-merge` from
-  the package; either remove `cn` from the public API or reduce it to a plain
-  `clsx` join. Tailwind-specific merging belongs in portfolio.
-### A6. `package.json` dependency surgery
-Move out of hard `dependencies` (→ removed from package; portfolio installs):
-`lucide-react`, `react-markdown`, `remark-gfm`, `sonner`, `tailwind-merge`.
-Keep only genuinely shared, non-opinion runtime deps (`clsx` at most). Update
-`client/index.ts` exports (remove `ProjectContentEditor`; keep `cn` only if
-retained).
----
-## Track B — Data-layer freedom
-Touch points: `src/types.ts`, `src/adapters/postgres/index.ts`,
-`src/adapters/firestore/index.ts` (read during impl), `src/server/*`.
-### B1. Query power (`types.ts:48`, both adapters)
-Extend the neutral `Query` without leaking any backend type:
-- Ops: add `ne`, `nin`, `contains` (case-insensitive substring → SQL `ILIKE
-  %v%`), keep existing.
-- **OR groups**: allow `filters` to nest — an `or: Filter[]` group alongside the
-  implicit top-level `AND`.
-- **Pagination**: add `offset` next to `limit`.
-- Implement fully in Postgres (`colExpr`/`OP_MAP` already structured for it).
-  Implement best-effort in Firestore and **throw a clear error** on ops the
-  backend can't honor (e.g. cross-field `OR`, `contains`) rather than returning
-  wrong results. Document the parity matrix.
-### B2. Relations (schemaless-friendly)
-- A reference is just a field holding an id (or `{ collection, id }`) or an array
-  of them — no schema change required to store one.
-- Add an optional `populate?: string[]` to `Query` and a neutral resolver in the
-  engine that, after the primary fetch, **batch-loads referenced docs** via an
-  `in` query and inlines them. Backend-agnostic (works on JSONB + Firestore).
-- Optional `RelationConfig` (field → target collection) so refs that are bare ids
-  know where to resolve.
-### B3. Loosen `id` / `collection` (`types.ts:12`)
-- Keep `id`/`collection` as the engine's **internal addressing**, but stop
-  forcing them onto the user's content type. Introduce `Editable<T> = T & {
-  id: string; collection: string }` used internally; public APIs accept the
-  user's clean `T`.
-- Make the field names **configurable** at the adapter level (`idField`,
-  `collectionField`) for consumers whose records use `_id` / `slug`.
-### B4. Auth flexibility (`types.ts:92`, `server/createAdminGate.ts`)
-- `AuthIdentity` → minimal `{ isAdmin: boolean }` plus an open payload
-  (`[key: string]: unknown`; `userId`/`email` optional).
-- `verifyRequest` may return any identity shape; the gate authorizes via an
-  injectable `authorize(identity, req) => boolean` predicate, **defaulting** to
-  `identity.isAdmin === true`. Lets consumers gate on roles/scopes without the
-  fixed contract.
-- Client `CmsAuthState` stays minimal but becomes extensible.
----
-## Portfolio-2025 migration (lockstep)
-Portfolio consumes the package only through **thin shims**, so the look moves
-there cleanly:
-- `lib/context/PageContent.tsx` — pass a **sonner-backed `notify`** to
-  `PageProvider` (restores toasts).
-- `components/customs/ContentEditSpan.tsx` — wrap the headless primitive,
-  re-apply the dark ring/`primary` Tailwind classes and the default `collection`.
-- `components/customs/EditableImage.tsx` — supply the styled overlay/modal +
-  `lucide` icons via the render-prop.
-- `components/customs/MarkdownEditor.tsx` — supply the modal chrome, toolbar,
-  `lucide` icons, `react-markdown` preview, guide; **define `ProjectContentEditor`
-  here**.
-- Install in portfolio what left the package: `lucide-react`, `sonner`,
-  `react-markdown`, `remark-gfm`, `tailwind-merge` (most already present).
-- `lib/cms/server.ts` / auth shim — adjust only if `AuthIdentity` field changes
-  ripple (expected: none, contract is widened not narrowed).
-Portfolio's `app/globals.css` already defines `--primary` / `--color-primary`,
-so its shims keep the exact current look.
----
-## Sequencing (so nothing breaks mid-flight)
-1. **Track B** first (additive, low-risk): `types.ts` Query/Auth widening, then
-   Postgres + Firestore adapter impls. Widening contracts won't break portfolio.
-2. **Track A** package changes: provider default notifier, headless
-   ContentEditSpan / EditableImage / MarkdownEditor, dep surgery, exports.
-3. **Portfolio shims** updated in the same change set to restore look + behavior.
-4. Drop this doc into the package root as `REDESIGN.md`.
----
-## Verification
-- **Package**: `npm run build` (tsup) and `npm run typecheck` in
-  `headless-cms` — both clean.
-- **Portfolio typecheck/build**: `npm run build` in `portfolio-2025` resolves all
-  shims against the new headless API.
-- **Postgres proof** (also a memory milestone): run `scripts/seed-postgres.ts`,
-  then exercise new query ops (`contains`, `or`, `offset`) and a `populate`
-  round-trip against the local `documents` table.
-- **Manual UI** (`/verify` or `/run`): in portfolio admin/edit mode, confirm
-  inline text edit, image upload + external-URL, and the markdown modal all still
-  look and behave as before — proving the look fully survived the move to shims.
-- **Headless smoke**: render `ContentEditSpan` / `EditableImage` with **no**
-  Tailwind/styles to confirm they work unstyled (harness proof).
-## Open risks
-- **Firestore query parity** — it cannot honor cross-field `OR` / `contains`
-  generally. Plan: throw explicit "unsupported by this adapter" errors and ship a
-  documented parity matrix rather than silent wrong results.
-- **`asChild`/render-prop surface** — adds API; mitigated by keeping unstyled
-  defaults so trivial cases stay one-liners.
----
-## Status (landed)
-- **Track B1 (query power)** — done. `QueryFilterOp` gains `ne`/`nin`/`contains`;
-  `Query` gains OR groups (`{ or: [...] }`) and `offset`. Postgres implements all;
-  Firestore throws clear errors on `contains` / OR groups.
-- **Track B2 (relations)** — done. `resolveRelations(adapter, docs, opts)` in
-  `src/server/relations.ts` (exported from `/server`); `Query.populate`,
-  `Ref`, `RelationConfig` added.
-- **Track B3 (id/collection)** — **type-level done** (`Editable<T>` +
-  `EntityAddress`; `T` unconstrained). **Deferred:** per-adapter configurable
-  physical `idField`/`collectionField` renaming — bigger SQL change, left as a
-  follow-up to avoid destabilizing the working schemaless path.
-- **Track B4 (auth)** — done. `AuthIdentity` widened to `{ isAdmin } + open
-  payload`; injectable `AuthorizeFn` on `createAdminGate` / `createCmsHandlers`.
-- **Track A (headless UI)** — done. `ContentEditSpan` (injectable `renderValue`,
-  `data-cms-*` attrs, no styles), `EditableImage` (render-prop), `MarkdownEditor`
-  → `useMarkdownEditor` hook. Removed `ProjectContentEditor`, `cn`/`utils.ts`,
-  and all of `lucide-react`/`sonner`/`react-markdown`/`remark-gfm`/`tailwind-merge`
-  from package deps (now **zero** runtime deps).
-- **Portfolio shims** — restyled to restore the exact look: `ContentEditSpan`,
-  `EditableImage`, `MarkdownEditor`+`ProjectContentEditor`, sonner `notify`.
-Verified: package `typecheck` + `build` clean; portfolio `tsc --noEmit` clean
-against the new API; portfolio **production build passes** (firebase mode, all
-routes); **Postgres round-trip 12/12** — `contains`, OR groups, `ne`/`nin`,
-`offset`+order (text + typed numeric), and `populate` via `RelationConfig`.
-Caveat surfaced: numeric fields in the schemaless JSONB `documents` table order
-as text (`data->>` is text); register a typed collection for true numeric
-ordering/comparison. Not yet run: manual edit-mode UI pass (needs admin login).