@digiko-npm/cms 0.1.0

package/src/supabase/client.ts

@@ -0,0 +1,10 @@
+import { createClient, type SupabaseClient } from '@supabase/supabase-js'
+import type { SupabaseConfig } from '../types/config'
+
+/**
+ * Browser-side Supabase client with anon key.
+ * Respects RLS — only reads published content.
+ */
+export function createBrowserClient(config: SupabaseConfig): SupabaseClient {
+  return createClient(config.url, config.anonKey)
+}

package/src/supabase/index.ts

@@ -0,0 +1,2 @@
+export { createBrowserClient } from './client'
+export { createAdminClient, createPublicClient } from './server'

package/src/supabase/server.ts

@@ -0,0 +1,21 @@
+import { createClient, type SupabaseClient } from '@supabase/supabase-js'
+import type { SupabaseConfig } from '../types/config'
+
+/**
+ * Server-side Supabase client with service role key.
+ * Bypasses RLS — full read/write access.
+ */
+export function createAdminClient(config: SupabaseConfig): SupabaseClient {
+  if (!config.serviceRoleKey) {
+    throw new Error('@digiko-npm/cms: serviceRoleKey is required for createAdminClient')
+  }
+  return createClient(config.url, config.serviceRoleKey)
+}
+
+/**
+ * Server-side Supabase client with anon key.
+ * Respects RLS — safe for public data fetching.
+ */
+export function createPublicClient(config: SupabaseConfig): SupabaseClient {
+  return createClient(config.url, config.anonKey)
+}

package/src/types/auth.ts

@@ -0,0 +1,27 @@
+/** Server-side session data stored in Redis */
+export interface Session {
+  createdAt: number
+  expiresAt: number
+  ip?: string
+  userAgent?: string
+}
+
+/** Result of an authentication attempt */
+export interface AuthResult {
+  success: boolean
+  message: string
+  sessionToken?: string
+  expiresAt?: number
+}
+
+/** Result of admin request verification */
+export type VerifyResult =
+  | { authorized: true; token: string }
+  | { authorized: false; status: number; message: string }
+
+/** Rate limit check result */
+export interface RateLimitResult {
+  allowed: boolean
+  remaining: number
+  retryAfterMs?: number
+}

package/src/types/config.ts

@@ -0,0 +1,65 @@
+/** Supabase connection config */
+export interface SupabaseConfig {
+  url: string
+  anonKey: string
+  serviceRoleKey?: string
+}
+
+/** Cloudflare R2 storage config */
+export interface R2Config {
+  accountId: string
+  accessKeyId: string
+  secretAccessKey: string
+  bucketName: string
+  publicUrl: string
+}
+
+/** Redis session store config */
+export interface SessionStoreConfig {
+  redisUrl: string
+  redisToken: string
+  /** Key namespace prefix (e.g. "marketplace:", "portfolio:") */
+  keyPrefix: string
+  /** Session TTL in milliseconds. Default: 24 hours */
+  sessionDuration?: number
+}
+
+/** Rate limiter config */
+export interface RateLimiterConfig {
+  redisUrl: string
+  redisToken: string
+  keyPrefix: string
+  /** Max attempts before blocking. Default: 10 */
+  maxAttempts?: number
+  /** Time window in milliseconds. Default: 15 minutes */
+  windowMs?: number
+}
+
+/** Auth/password config */
+export interface AuthConfig {
+  /** Cookie name for admin session. Default: "admin_session" */
+  cookieName?: string
+  pbkdf2?: {
+    iterations?: number
+    keyLength?: number
+    digest?: string
+  }
+  /** Session token length in bytes. Default: 32 (64-char hex) */
+  tokenBytes?: number
+}
+
+/** Client-side upload config (API endpoint paths) */
+export interface UploadConfig {
+  /** Endpoint that returns presigned R2 URL (e.g. "/api/admin/upload") */
+  uploadEndpoint: string
+  /** Endpoint to register media in DB (e.g. "/api/admin/media") */
+  mediaEndpoint: string
+}
+
+/** Next.js request verifier config */
+export interface RequestVerifierConfig {
+  cookieName?: string
+  getSession: (token: string) => Promise<{ createdAt: number; expiresAt: number } | undefined>
+  unauthorizedMessage?: string
+  sessionExpiredMessage?: string
+}

package/src/types/index.ts

@@ -0,0 +1,22 @@
+export type {
+  SupabaseConfig,
+  R2Config,
+  SessionStoreConfig,
+  RateLimiterConfig,
+  AuthConfig,
+  UploadConfig,
+  RequestVerifierConfig,
+} from './config'
+
+export type {
+  MediaRecord,
+  MediaInsert,
+  MediaUpdate,
+} from './media'
+
+export type {
+  Session,
+  AuthResult,
+  VerifyResult,
+  RateLimitResult,
+} from './auth'

package/src/types/media.ts

@@ -0,0 +1,19 @@
+/** Generic media record — shared across all projects that use R2 uploads */
+export interface MediaRecord {
+  id: string
+  filename: string
+  original_name: string
+  mime_type: string
+  size_bytes: number
+  url: string
+  width?: number | null
+  height?: number | null
+  alt_text?: string | null
+  created_at: string
+}
+
+/** Fields required when creating a media record */
+export type MediaInsert = Omit<MediaRecord, 'id' | 'created_at'>
+
+/** Fields that can be updated on an existing media record */
+export type MediaUpdate = Partial<Pick<MediaRecord, 'alt_text' | 'filename'>>