@htmless/core 0.1.0

package/dist/auth/middleware.js

@@ -0,0 +1,99 @@
+import { verifyJwt } from './jwt.js';
+import { prisma } from '../db.js';
+import { createHash } from 'crypto';
+function hashToken(token) {
+    return createHash('sha256').update(token).digest('hex');
+}
+export function authenticate(options = {}) {
+    const { required = true, allowPreview = false, allowQueryToken = false } = options;
+    return async (req, res, next) => {
+        const authHeader = req.headers.authorization;
+        // Support ?token= query param for SSE (EventSource can't set headers)
+        const queryToken = allowQueryToken ? req.query['token'] : undefined;
+        if (!authHeader && !queryToken) {
+            if (required) {
+                res.status(401).json({ error: 'authentication_required', message: 'Bearer token required' });
+                return;
+            }
+            next();
+            return;
+        }
+        const token = queryToken ?? authHeader.replace('Bearer ', '');
+        // Try API token (hle_ prefix)
+        if (token.startsWith('hle_')) {
+            const tokenHash = hashToken(token);
+            const apiToken = await prisma.apiToken.findUnique({
+                where: { tokenHash },
+            });
+            if (!apiToken || (apiToken.expiresAt && apiToken.expiresAt < new Date())) {
+                res.status(401).json({ error: 'invalid_token', message: 'Invalid or expired API token' });
+                return;
+            }
+            await prisma.apiToken.update({ where: { id: apiToken.id }, data: { lastUsedAt: new Date() } });
+            req.auth = {
+                userId: apiToken.createdById,
+                email: '',
+                type: 'api_token',
+                scopes: apiToken.scopes,
+                spaceId: apiToken.spaceId,
+            };
+            next();
+            return;
+        }
+        // Try preview token (hlp_ prefix)
+        if (allowPreview && token.startsWith('hlp_')) {
+            const tokenHash = hashToken(token);
+            const previewToken = await prisma.previewToken.findUnique({
+                where: { tokenHash },
+            });
+            if (!previewToken || previewToken.expiresAt < new Date()) {
+                res.status(401).json({ error: 'invalid_token', message: 'Invalid or expired preview token' });
+                return;
+            }
+            req.auth = {
+                userId: previewToken.createdById,
+                email: '',
+                type: 'preview_token',
+                spaceId: previewToken.spaceId,
+                previewEntryId: previewToken.entryId,
+                previewRoute: previewToken.route,
+            };
+            next();
+            return;
+        }
+        // Try JWT (user session)
+        try {
+            const payload = await verifyJwt(token);
+            req.auth = {
+                userId: payload.sub,
+                email: payload.email,
+                type: 'user',
+            };
+            next();
+        }
+        catch {
+            res.status(401).json({ error: 'invalid_token', message: 'Invalid or expired JWT' });
+        }
+    };
+}
+export function requireScope(...scopes) {
+    return (req, res, next) => {
+        if (!req.auth) {
+            res.status(401).json({ error: 'authentication_required' });
+            return;
+        }
+        if (req.auth.type === 'user') {
+            next();
+            return;
+        }
+        if (req.auth.scopes) {
+            const hasScope = scopes.some(s => req.auth.scopes.includes(s));
+            if (hasScope) {
+                next();
+                return;
+            }
+        }
+        res.status(403).json({ error: 'insufficient_scope', message: `Requires one of: ${scopes.join(', ')}` });
+    };
+}
+//# sourceMappingURL=middleware.js.map

package/dist/auth/middleware.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"middleware.js","sourceRoot":"","sources":["../../src/auth/middleware.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,SAAS,EAAE,MAAM,UAAU,CAAC;AACrC,OAAO,EAAE,MAAM,EAAE,MAAM,UAAU,CAAC;AAClC,OAAO,EAAE,UAAU,EAAE,MAAM,QAAQ,CAAC;AAoBpC,SAAS,SAAS,CAAC,KAAa;IAC9B,OAAO,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;AAC1D,CAAC;AAED,MAAM,UAAU,YAAY,CAAC,UAAqF,EAAE;IAClH,MAAM,EAAE,QAAQ,GAAG,IAAI,EAAE,YAAY,GAAG,KAAK,EAAE,eAAe,GAAG,KAAK,EAAE,GAAG,OAAO,CAAC;IAEnF,OAAO,KAAK,EAAE,GAAY,EAAE,GAAa,EAAE,IAAkB,EAAiB,EAAE;QAC9E,MAAM,UAAU,GAAG,GAAG,CAAC,OAAO,CAAC,aAAa,CAAC;QAE7C,sEAAsE;QACtE,MAAM,UAAU,GAAG,eAAe,CAAC,CAAC,CAAE,GAAG,CAAC,KAAK,CAAC,OAAO,CAAwB,CAAC,CAAC,CAAC,SAAS,CAAC;QAE5F,IAAI,CAAC,UAAU,IAAI,CAAC,UAAU,EAAE,CAAC;YAC/B,IAAI,QAAQ,EAAE,CAAC;gBACb,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,yBAAyB,EAAE,OAAO,EAAE,uBAAuB,EAAE,CAAC,CAAC;gBAC7F,OAAO;YACT,CAAC;YACD,IAAI,EAAE,CAAC;YACP,OAAO;QACT,CAAC;QAED,MAAM,KAAK,GAAG,UAAU,IAAI,UAAW,CAAC,OAAO,CAAC,SAAS,EAAE,EAAE,CAAC,CAAC;QAE/D,8BAA8B;QAC9B,IAAI,KAAK,CAAC,UAAU,CAAC,MAAM,CAAC,EAAE,CAAC;YAC7B,MAAM,SAAS,GAAG,SAAS,CAAC,KAAK,CAAC,CAAC;YACnC,MAAM,QAAQ,GAAG,MAAM,MAAM,CAAC,QAAQ,CAAC,UAAU,CAAC;gBAChD,KAAK,EAAE,EAAE,SAAS,EAAE;aACrB,CAAC,CAAC;YAEH,IAAI,CAAC,QAAQ,IAAI,CAAC,QAAQ,CAAC,SAAS,IAAI,QAAQ,CAAC,SAAS,GAAG,IAAI,IAAI,EAAE,CAAC,EAAE,CAAC;gBACzE,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,eAAe,EAAE,OAAO,EAAE,8BAA8B,EAAE,CAAC,CAAC;gBAC1F,OAAO;YACT,CAAC;YAED,MAAM,MAAM,CAAC,QAAQ,CAAC,MAAM,CAAC,EAAE,KAAK,EAAE,EAAE,EAAE,EAAE,QAAQ,CAAC,EAAE,EAAE,EAAE,IAAI,EAAE,EAAE,UAAU,EAAE,IAAI,IAAI,EAAE,EAAE,EAAE,CAAC,CAAC;YAE/F,GAAG,CAAC,IAAI,GAAG;gBACT,MAAM,EAAE,QAAQ,CAAC,WAAW;gBAC5B,KAAK,EAAE,EAAE;gBACT,IAAI,EAAE,WAAW;gBACjB,MAAM,EAAE,QAAQ,CAAC,MAAkB;gBACnC,OAAO,EAAE,QAAQ,CAAC,OAAO;aAC1B,CAAC;YACF,IAAI,EAAE,CAAC;YACP,OAAO;QACT,CAAC;QAED,kCAAkC;QAClC,IAAI,YAAY,IAAI,KAAK,CAAC,UAAU,CAAC,MAAM,CAAC,EAAE,CAAC;YAC7C,MAAM,SAAS,GAAG,SAAS,CAAC,KAAK,CAAC,CAAC;YACnC,MAAM,YAAY,GAAG,MAAM,MAAM,CAAC,YAAY,CAAC,UAAU,CAAC;gBACxD,KAAK,EAAE,EAAE,SAAS,EAAE;aACrB,CAAC,CAAC;YAEH,IAAI,CAAC,YAAY,IAAI,YAAY,CAAC,SAAS,GAAG,IAAI,IAAI,EAAE,EAAE,CAAC;gBACzD,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,eAAe,EAAE,OAAO,EAAE,kCAAkC,EAAE,CAAC,CAAC;gBAC9F,OAAO;YACT,CAAC;YAED,GAAG,CAAC,IAAI,GAAG;gBACT,MAAM,EAAE,YAAY,CAAC,WAAW;gBAChC,KAAK,EAAE,EAAE;gBACT,IAAI,EAAE,eAAe;gBACrB,OAAO,EAAE,YAAY,CAAC,OAAO;gBAC7B,cAAc,EAAE,YAAY,CAAC,OAAO;gBACpC,YAAY,EAAE,YAAY,CAAC,KAAK;aACjC,CAAC;YACF,IAAI,EAAE,CAAC;YACP,OAAO;QACT,CAAC;QAED,yBAAyB;QACzB,IAAI,CAAC;YACH,MAAM,OAAO,GAAG,MAAM,SAAS,CAAC,KAAK,CAAC,CAAC;YACvC,GAAG,CAAC,IAAI,GAAG;gBACT,MAAM,EAAE,OAAO,CAAC,GAAG;gBACnB,KAAK,EAAE,OAAO,CAAC,KAAK;gBACpB,IAAI,EAAE,MAAM;aACb,CAAC;YACF,IAAI,EAAE,CAAC;QACT,CAAC;QAAC,MAAM,CAAC;YACP,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,eAAe,EAAE,OAAO,EAAE,wBAAwB,EAAE,CAAC,CAAC;QACtF,CAAC;IACH,CAAC,CAAC;AACJ,CAAC;AAED,MAAM,UAAU,YAAY,CAAC,GAAG,MAAgB;IAC9C,OAAO,CAAC,GAAY,EAAE,GAAa,EAAE,IAAkB,EAAQ,EAAE;QAC/D,IAAI,CAAC,GAAG,CAAC,IAAI,EAAE,CAAC;YACd,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,yBAAyB,EAAE,CAAC,CAAC;YAC3D,OAAO;QACT,CAAC;QAED,IAAI,GAAG,CAAC,IAAI,CAAC,IAAI,KAAK,MAAM,EAAE,CAAC;YAC7B,IAAI,EAAE,CAAC;YACP,OAAO;QACT,CAAC;QAED,IAAI,GAAG,CAAC,IAAI,CAAC,MAAM,EAAE,CAAC;YACpB,MAAM,QAAQ,GAAG,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,GAAG,CAAC,IAAK,CAAC,MAAO,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,CAAC;YACjE,IAAI,QAAQ,EAAE,CAAC;gBACb,IAAI,EAAE,CAAC;gBACP,OAAO;YACT,CAAC;QACH,CAAC;QAED,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,oBAAoB,EAAE,OAAO,EAAE,oBAAoB,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,EAAE,CAAC,CAAC;IAC1G,CAAC,CAAC;AACJ,CAAC"}

package/dist/auth/password.d.ts

@@ -0,0 +1,3 @@
+export declare function hashPassword(password: string): Promise<string>;
+export declare function verifyPassword(password: string, hash: string): Promise<boolean>;
+//# sourceMappingURL=password.d.ts.map

package/dist/auth/password.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"password.d.ts","sourceRoot":"","sources":["../../src/auth/password.ts"],"names":[],"mappings":"AAIA,wBAAsB,YAAY,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,CAEpE;AAED,wBAAsB,cAAc,CAAC,QAAQ,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC,CAErF"}

package/dist/auth/password.js

@@ -0,0 +1,9 @@
+import bcrypt from 'bcryptjs';
+const SALT_ROUNDS = 12;
+export async function hashPassword(password) {
+    return bcrypt.hash(password, SALT_ROUNDS);
+}
+export async function verifyPassword(password, hash) {
+    return bcrypt.compare(password, hash);
+}
+//# sourceMappingURL=password.js.map

package/dist/auth/password.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"password.js","sourceRoot":"","sources":["../../src/auth/password.ts"],"names":[],"mappings":"AAAA,OAAO,MAAM,MAAM,UAAU,CAAC;AAE9B,MAAM,WAAW,GAAG,EAAE,CAAC;AAEvB,MAAM,CAAC,KAAK,UAAU,YAAY,CAAC,QAAgB;IACjD,OAAO,MAAM,CAAC,IAAI,CAAC,QAAQ,EAAE,WAAW,CAAC,CAAC;AAC5C,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,cAAc,CAAC,QAAgB,EAAE,IAAY;IACjE,OAAO,MAAM,CAAC,OAAO,CAAC,QAAQ,EAAE,IAAI,CAAC,CAAC;AACxC,CAAC"}

package/dist/auth/rate-limit.d.ts

@@ -0,0 +1,19 @@
+import type { Request, Response, NextFunction } from 'express';
+interface RateLimiterOptions {
+    windowMs: number;
+    maxRequests: number;
+    keyFn?: (req: Request) => string;
+}
+/**
+ * In-memory sliding-window rate limiter.
+ * Uses a Map with periodic cleanup to avoid unbounded memory growth.
+ */
+export declare function rateLimiter(options: RateLimiterOptions): (req: Request, res: Response, next: NextFunction) => void;
+/** 10 attempts per minute per IP — for login routes */
+export declare const loginRateLimiter: (req: Request, res: Response, next: NextFunction) => void;
+/** 1000 requests per minute per token/IP — for general CMA API */
+export declare const apiRateLimiter: (req: Request, res: Response, next: NextFunction) => void;
+/** 20 uploads per minute per token — for upload routes */
+export declare const uploadRateLimiter: (req: Request, res: Response, next: NextFunction) => void;
+export {};
+//# sourceMappingURL=rate-limit.d.ts.map

package/dist/auth/rate-limit.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"rate-limit.d.ts","sourceRoot":"","sources":["../../src/auth/rate-limit.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,OAAO,EAAE,QAAQ,EAAE,YAAY,EAAE,MAAM,SAAS,CAAC;AAO/D,UAAU,kBAAkB;IAC1B,QAAQ,EAAE,MAAM,CAAC;IACjB,WAAW,EAAE,MAAM,CAAC;IACpB,KAAK,CAAC,EAAE,CAAC,GAAG,EAAE,OAAO,KAAK,MAAM,CAAC;CAClC;AAED;;;GAGG;AACH,wBAAgB,WAAW,CAAC,OAAO,EAAE,kBAAkB,IAmB7C,KAAK,OAAO,EAAE,KAAK,QAAQ,EAAE,MAAM,YAAY,KAAG,IAAI,CAgC/D;AAID,uDAAuD;AACvD,eAAO,MAAM,gBAAgB,QArCd,OAAO,OAAO,QAAQ,QAAQ,YAAY,KAAG,IAwC1D,CAAC;AAEH,kEAAkE;AAClE,eAAO,MAAM,cAAc,QA3CZ,OAAO,OAAO,QAAQ,QAAQ,YAAY,KAAG,IAoD1D,CAAC;AAEH,0DAA0D;AAC1D,eAAO,MAAM,iBAAiB,QAvDf,OAAO,OAAO,QAAQ,QAAQ,YAAY,KAAG,IA+D1D,CAAC"}

package/dist/auth/rate-limit.js

@@ -0,0 +1,77 @@
+/**
+ * In-memory sliding-window rate limiter.
+ * Uses a Map with periodic cleanup to avoid unbounded memory growth.
+ */
+export function rateLimiter(options) {
+    const { windowMs, maxRequests, keyFn } = options;
+    const store = new Map();
+    // Periodic cleanup every 60 seconds
+    const cleanupInterval = setInterval(() => {
+        const now = Date.now();
+        for (const [key, entry] of store) {
+            if (entry.resetAt <= now) {
+                store.delete(key);
+            }
+        }
+    }, 60_000);
+    // Allow the timer to not prevent Node from exiting
+    if (cleanupInterval.unref) {
+        cleanupInterval.unref();
+    }
+    return (req, res, next) => {
+        const key = keyFn ? keyFn(req) : req.ip ?? 'unknown';
+        const now = Date.now();
+        let entry = store.get(key);
+        if (!entry || entry.resetAt <= now) {
+            entry = { count: 0, resetAt: now + windowMs };
+            store.set(key, entry);
+        }
+        entry.count++;
+        // Set rate-limit headers
+        const remaining = Math.max(0, maxRequests - entry.count);
+        res.set('X-RateLimit-Limit', String(maxRequests));
+        res.set('X-RateLimit-Remaining', String(remaining));
+        res.set('X-RateLimit-Reset', String(Math.ceil(entry.resetAt / 1000)));
+        if (entry.count > maxRequests) {
+            const retryAfter = Math.ceil((entry.resetAt - now) / 1000);
+            res.set('Retry-After', String(retryAfter));
+            res.status(429).json({
+                error: 'too_many_requests',
+                message: 'Rate limit exceeded. Try again later.',
+                retryAfter,
+            });
+            return;
+        }
+        next();
+    };
+}
+// ─── Pre-configured limiters ───
+/** 10 attempts per minute per IP — for login routes */
+export const loginRateLimiter = rateLimiter({
+    windowMs: 60_000,
+    maxRequests: 10,
+});
+/** 1000 requests per minute per token/IP — for general CMA API */
+export const apiRateLimiter = rateLimiter({
+    windowMs: 60_000,
+    maxRequests: 1000,
+    keyFn: (req) => {
+        // Use the auth token (if present) as key, else fall back to IP
+        const auth = req.headers.authorization;
+        if (auth)
+            return auth;
+        return req.ip ?? 'unknown';
+    },
+});
+/** 20 uploads per minute per token — for upload routes */
+export const uploadRateLimiter = rateLimiter({
+    windowMs: 60_000,
+    maxRequests: 20,
+    keyFn: (req) => {
+        const auth = req.headers.authorization;
+        if (auth)
+            return `upload:${auth}`;
+        return `upload:${req.ip ?? 'unknown'}`;
+    },
+});
+//# sourceMappingURL=rate-limit.js.map

package/dist/auth/rate-limit.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"rate-limit.js","sourceRoot":"","sources":["../../src/auth/rate-limit.ts"],"names":[],"mappings":"AAaA;;;GAGG;AACH,MAAM,UAAU,WAAW,CAAC,OAA2B;IACrD,MAAM,EAAE,QAAQ,EAAE,WAAW,EAAE,KAAK,EAAE,GAAG,OAAO,CAAC;IACjD,MAAM,KAAK,GAAG,IAAI,GAAG,EAA0B,CAAC;IAEhD,oCAAoC;IACpC,MAAM,eAAe,GAAG,WAAW,CAAC,GAAG,EAAE;QACvC,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QACvB,KAAK,MAAM,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,KAAK,EAAE,CAAC;YACjC,IAAI,KAAK,CAAC,OAAO,IAAI,GAAG,EAAE,CAAC;gBACzB,KAAK,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;YACpB,CAAC;QACH,CAAC;IACH,CAAC,EAAE,MAAM,CAAC,CAAC;IAEX,mDAAmD;IACnD,IAAI,eAAe,CAAC,KAAK,EAAE,CAAC;QAC1B,eAAe,CAAC,KAAK,EAAE,CAAC;IAC1B,CAAC;IAED,OAAO,CAAC,GAAY,EAAE,GAAa,EAAE,IAAkB,EAAQ,EAAE;QAC/D,MAAM,GAAG,GAAG,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,EAAE,IAAI,SAAS,CAAC;QACrD,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QAEvB,IAAI,KAAK,GAAG,KAAK,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;QAE3B,IAAI,CAAC,KAAK,IAAI,KAAK,CAAC,OAAO,IAAI,GAAG,EAAE,CAAC;YACnC,KAAK,GAAG,EAAE,KAAK,EAAE,CAAC,EAAE,OAAO,EAAE,GAAG,GAAG,QAAQ,EAAE,CAAC;YAC9C,KAAK,CAAC,GAAG,CAAC,GAAG,EAAE,KAAK,CAAC,CAAC;QACxB,CAAC;QAED,KAAK,CAAC,KAAK,EAAE,CAAC;QAEd,yBAAyB;QACzB,MAAM,SAAS,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,WAAW,GAAG,KAAK,CAAC,KAAK,CAAC,CAAC;QACzD,GAAG,CAAC,GAAG,CAAC,mBAAmB,EAAE,MAAM,CAAC,WAAW,CAAC,CAAC,CAAC;QAClD,GAAG,CAAC,GAAG,CAAC,uBAAuB,EAAE,MAAM,CAAC,SAAS,CAAC,CAAC,CAAC;QACpD,GAAG,CAAC,GAAG,CAAC,mBAAmB,EAAE,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,KAAK,CAAC,OAAO,GAAG,IAAI,CAAC,CAAC,CAAC,CAAC;QAEtE,IAAI,KAAK,CAAC,KAAK,GAAG,WAAW,EAAE,CAAC;YAC9B,MAAM,UAAU,GAAG,IAAI,CAAC,IAAI,CAAC,CAAC,KAAK,CAAC,OAAO,GAAG,GAAG,CAAC,GAAG,IAAI,CAAC,CAAC;YAC3D,GAAG,CAAC,GAAG,CAAC,aAAa,EAAE,MAAM,CAAC,UAAU,CAAC,CAAC,CAAC;YAC3C,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC;gBACnB,KAAK,EAAE,mBAAmB;gBAC1B,OAAO,EAAE,uCAAuC;gBAChD,UAAU;aACX,CAAC,CAAC;YACH,OAAO;QACT,CAAC;QAED,IAAI,EAAE,CAAC;IACT,CAAC,CAAC;AACJ,CAAC;AAED,kCAAkC;AAElC,uDAAuD;AACvD,MAAM,CAAC,MAAM,gBAAgB,GAAG,WAAW,CAAC;IAC1C,QAAQ,EAAE,MAAM;IAChB,WAAW,EAAE,EAAE;CAChB,CAAC,CAAC;AAEH,kEAAkE;AAClE,MAAM,CAAC,MAAM,cAAc,GAAG,WAAW,CAAC;IACxC,QAAQ,EAAE,MAAM;IAChB,WAAW,EAAE,IAAI;IACjB,KAAK,EAAE,CAAC,GAAG,EAAE,EAAE;QACb,+DAA+D;QAC/D,MAAM,IAAI,GAAG,GAAG,CAAC,OAAO,CAAC,aAAa,CAAC;QACvC,IAAI,IAAI;YAAE,OAAO,IAAI,CAAC;QACtB,OAAO,GAAG,CAAC,EAAE,IAAI,SAAS,CAAC;IAC7B,CAAC;CACF,CAAC,CAAC;AAEH,0DAA0D;AAC1D,MAAM,CAAC,MAAM,iBAAiB,GAAG,WAAW,CAAC;IAC3C,QAAQ,EAAE,MAAM;IAChB,WAAW,EAAE,EAAE;IACf,KAAK,EAAE,CAAC,GAAG,EAAE,EAAE;QACb,MAAM,IAAI,GAAG,GAAG,CAAC,OAAO,CAAC,aAAa,CAAC;QACvC,IAAI,IAAI;YAAE,OAAO,UAAU,IAAI,EAAE,CAAC;QAClC,OAAO,UAAU,GAAG,CAAC,EAAE,IAAI,SAAS,EAAE,CAAC;IACzC,CAAC;CACF,CAAC,CAAC"}

package/dist/auth/rbac.d.ts

@@ -0,0 +1,10 @@
+import type { Request, Response, NextFunction } from 'express';
+/**
+ * Middleware that checks if the authenticated user has the required permission
+ * in the requested space, based on their role bindings.
+ *
+ * Skips check for API tokens (they use scope-based auth via requireScope).
+ * Skips check for preview tokens (they are read-only by design).
+ */
+export declare function requirePermission(...permissions: string[]): (req: Request, res: Response, next: NextFunction) => Promise<void>;
+//# sourceMappingURL=rbac.d.ts.map

package/dist/auth/rbac.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"rbac.d.ts","sourceRoot":"","sources":["../../src/auth/rbac.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,OAAO,EAAE,QAAQ,EAAE,YAAY,EAAE,MAAM,SAAS,CAAC;AAG/D;;;;;;GAMG;AACH,wBAAgB,iBAAiB,CAAC,GAAG,WAAW,EAAE,MAAM,EAAE,IAC1C,KAAK,OAAO,EAAE,KAAK,QAAQ,EAAE,MAAM,YAAY,KAAG,OAAO,CAAC,IAAI,CAAC,CA4D9E"}

package/dist/auth/rbac.js

@@ -0,0 +1,61 @@
+import { prisma } from '../db.js';
+/**
+ * Middleware that checks if the authenticated user has the required permission
+ * in the requested space, based on their role bindings.
+ *
+ * Skips check for API tokens (they use scope-based auth via requireScope).
+ * Skips check for preview tokens (they are read-only by design).
+ */
+export function requirePermission(...permissions) {
+    return async (req, res, next) => {
+        if (!req.auth) {
+            res.status(401).json({ error: 'authentication_required' });
+            return;
+        }
+        // API tokens use scope-based auth, not RBAC
+        if (req.auth.type === 'api_token') {
+            next();
+            return;
+        }
+        // Preview tokens are read-only
+        if (req.auth.type === 'preview_token') {
+            next();
+            return;
+        }
+        // For JWT users, check role bindings
+        const spaceId = (req.params.spaceId || req.headers['x-space-id']);
+        if (!spaceId) {
+            // No space context — skip RBAC (space will be validated by route)
+            next();
+            return;
+        }
+        const bindings = await prisma.roleBinding.findMany({
+            where: {
+                userId: req.auth.userId,
+                spaceId,
+            },
+            include: { role: true },
+        });
+        if (bindings.length === 0) {
+            res.status(403).json({
+                error: 'forbidden',
+                message: 'You do not have access to this space',
+            });
+            return;
+        }
+        // Check if any bound role has the required permission
+        const hasPermission = permissions.some((perm) => bindings.some((b) => {
+            const perms = b.role.permissions;
+            return perms[perm] === true;
+        }));
+        if (!hasPermission) {
+            res.status(403).json({
+                error: 'insufficient_permissions',
+                message: `Requires one of: ${permissions.join(', ')}`,
+            });
+            return;
+        }
+        next();
+    };
+}
+//# sourceMappingURL=rbac.js.map

package/dist/auth/rbac.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"rbac.js","sourceRoot":"","sources":["../../src/auth/rbac.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,MAAM,EAAE,MAAM,UAAU,CAAC;AAElC;;;;;;GAMG;AACH,MAAM,UAAU,iBAAiB,CAAC,GAAG,WAAqB;IACxD,OAAO,KAAK,EAAE,GAAY,EAAE,GAAa,EAAE,IAAkB,EAAiB,EAAE;QAC9E,IAAI,CAAC,GAAG,CAAC,IAAI,EAAE,CAAC;YACd,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,yBAAyB,EAAE,CAAC,CAAC;YAC3D,OAAO;QACT,CAAC;QAED,4CAA4C;QAC5C,IAAI,GAAG,CAAC,IAAI,CAAC,IAAI,KAAK,WAAW,EAAE,CAAC;YAClC,IAAI,EAAE,CAAC;YACP,OAAO;QACT,CAAC;QAED,+BAA+B;QAC/B,IAAI,GAAG,CAAC,IAAI,CAAC,IAAI,KAAK,eAAe,EAAE,CAAC;YACtC,IAAI,EAAE,CAAC;YACP,OAAO;QACT,CAAC;QAED,qCAAqC;QACrC,MAAM,OAAO,GAAG,CAAC,GAAG,CAAC,MAAM,CAAC,OAAO,IAAI,GAAG,CAAC,OAAO,CAAC,YAAY,CAAC,CAAW,CAAC;QAC5E,IAAI,CAAC,OAAO,EAAE,CAAC;YACb,kEAAkE;YAClE,IAAI,EAAE,CAAC;YACP,OAAO;QACT,CAAC;QAED,MAAM,QAAQ,GAAG,MAAM,MAAM,CAAC,WAAW,CAAC,QAAQ,CAAC;YACjD,KAAK,EAAE;gBACL,MAAM,EAAE,GAAG,CAAC,IAAI,CAAC,MAAM;gBACvB,OAAO;aACR;YACD,OAAO,EAAE,EAAE,IAAI,EAAE,IAAI,EAAE;SACxB,CAAC,CAAC;QAEH,IAAI,QAAQ,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YAC1B,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC;gBACnB,KAAK,EAAE,WAAW;gBAClB,OAAO,EAAE,sCAAsC;aAChD,CAAC,CAAC;YACH,OAAO;QACT,CAAC;QAED,sDAAsD;QACtD,MAAM,aAAa,GAAG,WAAW,CAAC,IAAI,CAAC,CAAC,IAAI,EAAE,EAAE,CAC9C,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE;YAClB,MAAM,KAAK,GAAG,CAAC,CAAC,IAAI,CAAC,WAAsC,CAAC;YAC5D,OAAO,KAAK,CAAC,IAAI,CAAC,KAAK,IAAI,CAAC;QAC9B,CAAC,CAAC,CACH,CAAC;QAEF,IAAI,CAAC,aAAa,EAAE,CAAC;YACnB,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC;gBACnB,KAAK,EAAE,0BAA0B;gBACjC,OAAO,EAAE,oBAAoB,WAAW,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE;aACtD,CAAC,CAAC;YACH,OAAO;QACT,CAAC;QAED,IAAI,EAAE,CAAC;IACT,CAAC,CAAC;AACJ,CAAC"}

package/dist/blocks/core-blocks.d.ts

@@ -0,0 +1,13 @@
+/**
+ * Core block definitions shipped with HTMLess.
+ * Each entry carries a JSON Schema for its attributes.
+ */
+export interface CoreBlockDef {
+    key: string;
+    title: string;
+    description: string;
+    icon: string;
+    attributesSchema: Record<string, unknown>;
+}
+export declare const coreBlocks: CoreBlockDef[];
+//# sourceMappingURL=core-blocks.d.ts.map

package/dist/blocks/core-blocks.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"core-blocks.d.ts","sourceRoot":"","sources":["../../src/blocks/core-blocks.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,MAAM,WAAW,YAAY;IAC3B,GAAG,EAAE,MAAM,CAAC;IACZ,KAAK,EAAE,MAAM,CAAC;IACd,WAAW,EAAE,MAAM,CAAC;IACpB,IAAI,EAAE,MAAM,CAAC;IACb,gBAAgB,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;CAC3C;AAED,eAAO,MAAM,UAAU,EAAE,YAAY,EA2GpC,CAAC"}

package/dist/blocks/core-blocks.js

@@ -0,0 +1,113 @@
+/**
+ * Core block definitions shipped with HTMLess.
+ * Each entry carries a JSON Schema for its attributes.
+ */
+export const coreBlocks = [
+    {
+        key: 'paragraph',
+        title: 'Paragraph',
+        description: 'A block of body text.',
+        icon: 'pilcrow',
+        attributesSchema: {
+            type: 'object',
+            required: ['text'],
+            properties: {
+                text: { type: 'string' },
+            },
+            additionalProperties: false,
+        },
+    },
+    {
+        key: 'heading',
+        title: 'Heading',
+        description: 'Section heading (h1 - h6).',
+        icon: 'heading',
+        attributesSchema: {
+            type: 'object',
+            required: ['level', 'text'],
+            properties: {
+                level: { type: 'integer', minimum: 1, maximum: 6 },
+                text: { type: 'string' },
+            },
+            additionalProperties: false,
+        },
+    },
+    {
+        key: 'image',
+        title: 'Image',
+        description: 'Image block referencing an asset.',
+        icon: 'image',
+        attributesSchema: {
+            type: 'object',
+            required: ['assetId'],
+            properties: {
+                assetId: { type: 'string' },
+                alt: { type: 'string' },
+                caption: { type: 'string' },
+            },
+            additionalProperties: false,
+        },
+    },
+    {
+        key: 'callout',
+        title: 'Callout',
+        description: 'Highlighted notice box (info, warning, success, danger).',
+        icon: 'megaphone',
+        attributesSchema: {
+            type: 'object',
+            required: ['tone', 'body'],
+            properties: {
+                tone: { type: 'string', enum: ['info', 'warning', 'success', 'danger'] },
+                title: { type: 'string' },
+                body: { type: 'string' },
+            },
+            additionalProperties: false,
+        },
+    },
+    {
+        key: 'embed',
+        title: 'Embed',
+        description: 'Embedded external content (video, tweet, etc.).',
+        icon: 'link',
+        attributesSchema: {
+            type: 'object',
+            required: ['url'],
+            properties: {
+                url: { type: 'string', format: 'uri' },
+                type: { type: 'string' },
+            },
+            additionalProperties: false,
+        },
+    },
+    {
+        key: 'list',
+        title: 'List',
+        description: 'Ordered or unordered list.',
+        icon: 'list',
+        attributesSchema: {
+            type: 'object',
+            required: ['ordered', 'items'],
+            properties: {
+                ordered: { type: 'boolean' },
+                items: { type: 'array', items: { type: 'string' } },
+            },
+            additionalProperties: false,
+        },
+    },
+    {
+        key: 'code',
+        title: 'Code',
+        description: 'Code block with optional syntax highlighting.',
+        icon: 'code',
+        attributesSchema: {
+            type: 'object',
+            required: ['code'],
+            properties: {
+                language: { type: 'string' },
+                code: { type: 'string' },
+            },
+            additionalProperties: false,
+        },
+    },
+];
+//# sourceMappingURL=core-blocks.js.map

package/dist/blocks/core-blocks.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"core-blocks.js","sourceRoot":"","sources":["../../src/blocks/core-blocks.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAUH,MAAM,CAAC,MAAM,UAAU,GAAmB;IACxC;QACE,GAAG,EAAE,WAAW;QAChB,KAAK,EAAE,WAAW;QAClB,WAAW,EAAE,uBAAuB;QACpC,IAAI,EAAE,SAAS;QACf,gBAAgB,EAAE;YAChB,IAAI,EAAE,QAAQ;YACd,QAAQ,EAAE,CAAC,MAAM,CAAC;YAClB,UAAU,EAAE;gBACV,IAAI,EAAE,EAAE,IAAI,EAAE,QAAQ,EAAE;aACzB;YACD,oBAAoB,EAAE,KAAK;SAC5B;KACF;IACD;QACE,GAAG,EAAE,SAAS;QACd,KAAK,EAAE,SAAS;QAChB,WAAW,EAAE,4BAA4B;QACzC,IAAI,EAAE,SAAS;QACf,gBAAgB,EAAE;YAChB,IAAI,EAAE,QAAQ;YACd,QAAQ,EAAE,CAAC,OAAO,EAAE,MAAM,CAAC;YAC3B,UAAU,EAAE;gBACV,KAAK,EAAE,EAAE,IAAI,EAAE,SAAS,EAAE,OAAO,EAAE,CAAC,EAAE,OAAO,EAAE,CAAC,EAAE;gBAClD,IAAI,EAAE,EAAE,IAAI,EAAE,QAAQ,EAAE;aACzB;YACD,oBAAoB,EAAE,KAAK;SAC5B;KACF;IACD;QACE,GAAG,EAAE,OAAO;QACZ,KAAK,EAAE,OAAO;QACd,WAAW,EAAE,mCAAmC;QAChD,IAAI,EAAE,OAAO;QACb,gBAAgB,EAAE;YAChB,IAAI,EAAE,QAAQ;YACd,QAAQ,EAAE,CAAC,SAAS,CAAC;YACrB,UAAU,EAAE;gBACV,OAAO,EAAE,EAAE,IAAI,EAAE,QAAQ,EAAE;gBAC3B,GAAG,EAAE,EAAE,IAAI,EAAE,QAAQ,EAAE;gBACvB,OAAO,EAAE,EAAE,IAAI,EAAE,QAAQ,EAAE;aAC5B;YACD,oBAAoB,EAAE,KAAK;SAC5B;KACF;IACD;QACE,GAAG,EAAE,SAAS;QACd,KAAK,EAAE,SAAS;QAChB,WAAW,EAAE,0DAA0D;QACvE,IAAI,EAAE,WAAW;QACjB,gBAAgB,EAAE;YAChB,IAAI,EAAE,QAAQ;YACd,QAAQ,EAAE,CAAC,MAAM,EAAE,MAAM,CAAC;YAC1B,UAAU,EAAE;gBACV,IAAI,EAAE,EAAE,IAAI,EAAE,QAAQ,EAAE,IAAI,EAAE,CAAC,MAAM,EAAE,SAAS,EAAE,SAAS,EAAE,QAAQ,CAAC,EAAE;gBACxE,KAAK,EAAE,EAAE,IAAI,EAAE,QAAQ,EAAE;gBACzB,IAAI,EAAE,EAAE,IAAI,EAAE,QAAQ,EAAE;aACzB;YACD,oBAAoB,EAAE,KAAK;SAC5B;KACF;IACD;QACE,GAAG,EAAE,OAAO;QACZ,KAAK,EAAE,OAAO;QACd,WAAW,EAAE,iDAAiD;QAC9D,IAAI,EAAE,MAAM;QACZ,gBAAgB,EAAE;YAChB,IAAI,EAAE,QAAQ;YACd,QAAQ,EAAE,CAAC,KAAK,CAAC;YACjB,UAAU,EAAE;gBACV,GAAG,EAAE,EAAE,IAAI,EAAE,QAAQ,EAAE,MAAM,EAAE,KAAK,EAAE;gBACtC,IAAI,EAAE,EAAE,IAAI,EAAE,QAAQ,EAAE;aACzB;YACD,oBAAoB,EAAE,KAAK;SAC5B;KACF;IACD;QACE,GAAG,EAAE,MAAM;QACX,KAAK,EAAE,MAAM;QACb,WAAW,EAAE,4BAA4B;QACzC,IAAI,EAAE,MAAM;QACZ,gBAAgB,EAAE;YAChB,IAAI,EAAE,QAAQ;YACd,QAAQ,EAAE,CAAC,SAAS,EAAE,OAAO,CAAC;YAC9B,UAAU,EAAE;gBACV,OAAO,EAAE,EAAE,IAAI,EAAE,SAAS,EAAE;gBAC5B,KAAK,EAAE,EAAE,IAAI,EAAE,OAAO,EAAE,KAAK,EAAE,EAAE,IAAI,EAAE,QAAQ,EAAE,EAAE;aACpD;YACD,oBAAoB,EAAE,KAAK;SAC5B;KACF;IACD;QACE,GAAG,EAAE,MAAM;QACX,KAAK,EAAE,MAAM;QACb,WAAW,EAAE,+CAA+C;QAC5D,IAAI,EAAE,MAAM;QACZ,gBAAgB,EAAE;YAChB,IAAI,EAAE,QAAQ;YACd,QAAQ,EAAE,CAAC,MAAM,CAAC;YAClB,UAAU,EAAE;gBACV,QAAQ,EAAE,EAAE,IAAI,EAAE,QAAQ,EAAE;gBAC5B,IAAI,EAAE,EAAE,IAAI,EAAE,QAAQ,EAAE;aACzB;YACD,oBAAoB,EAAE,KAAK;SAC5B;KACF;CACF,CAAC"}

package/dist/blocks/renderer-sdk.d.ts

@@ -0,0 +1,75 @@
+/**
+ * HTMLess Renderer SDK Contract
+ *
+ * This module defines the types and interfaces that frontend renderers
+ * must implement to render HTMLess block content.
+ *
+ * Usage in a Next.js/React frontend:
+ *
+ * ```tsx
+ * import type { BlockInstance, BlockRenderer, BlockRendererMap } from '@htmless/core/blocks/renderer-sdk';
+ *
+ * const renderers: BlockRendererMap = {
+ *   paragraph: ({ attrs }) => <p>{attrs.text}</p>,
+ *   heading: ({ attrs }) => {
+ *     const Tag = `h${attrs.level}` as keyof JSX.IntrinsicElements;
+ *     return <Tag>{attrs.text}</Tag>;
+ *   },
+ *   image: ({ attrs }) => <img src={attrs.url} alt={attrs.alt || ''} />,
+ *   callout: ({ attrs, children }) => (
+ *     <aside className={`callout callout-${attrs.tone}`}>
+ *       {attrs.title && <strong>{attrs.title}</strong>}
+ *       <p>{attrs.body}</p>
+ *       {children}
+ *     </aside>
+ *   ),
+ *   // ... etc
+ * };
+ *
+ * function RenderBlocks({ blocks }: { blocks: BlockInstance[] }) {
+ *   return <>{blocks.map((block, i) => renderBlock(block, renderers, i))}</>;
+ * }
+ * ```
+ */
+export interface BlockInstance {
+    /** Block definition key (e.g. "paragraph", "heading", "image") */
+    typeKey: string;
+    /** Block definition version this instance was created with */
+    version?: string;
+    /** Block attributes — shape depends on the block definition's attributesSchema */
+    attrs: Record<string, unknown>;
+    /** Nested child blocks (for container blocks like callout, columns, etc.) */
+    children?: BlockInstance[];
+}
+export interface BlockRendererProps {
+    /** The block instance being rendered */
+    block: BlockInstance;
+    /** Block attributes (shortcut for block.attrs) */
+    attrs: Record<string, unknown>;
+    /** Rendered children (if the block has nested blocks) */
+    children?: unknown;
+    /** Block index in the parent array */
+    index: number;
+}
+/** A function that renders a single block type */
+export type BlockRenderer = (props: BlockRendererProps) => unknown;
+/** Map of block type keys to their renderer functions */
+export type BlockRendererMap = Record<string, BlockRenderer>;
+/**
+ * Renders a single block using the provided renderer map.
+ * Falls back to a default renderer if no matching renderer is found.
+ */
+export declare function renderBlock(block: BlockInstance, renderers: BlockRendererMap, index?: number): unknown;
+/**
+ * Renders an array of blocks into an array of rendered outputs.
+ */
+export declare function renderBlocks(blocks: BlockInstance[], renderers: BlockRendererMap): unknown[];
+/**
+ * Extracts plain text from a block tree (useful for search indexing, excerpts).
+ */
+export declare function extractText(blocks: BlockInstance[]): string;
+/**
+ * Collects all asset IDs referenced in a block tree (for preloading, CDN hints).
+ */
+export declare function collectAssetIds(blocks: BlockInstance[]): string[];
+//# sourceMappingURL=renderer-sdk.d.ts.map

package/dist/blocks/renderer-sdk.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"renderer-sdk.d.ts","sourceRoot":"","sources":["../../src/blocks/renderer-sdk.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAgCG;AAIH,MAAM,WAAW,aAAa;IAC5B,kEAAkE;IAClE,OAAO,EAAE,MAAM,CAAC;IAChB,8DAA8D;IAC9D,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,kFAAkF;IAClF,KAAK,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IAC/B,6EAA6E;IAC7E,QAAQ,CAAC,EAAE,aAAa,EAAE,CAAC;CAC5B;AAED,MAAM,WAAW,kBAAkB;IACjC,wCAAwC;IACxC,KAAK,EAAE,aAAa,CAAC;IACrB,kDAAkD;IAClD,KAAK,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IAC/B,yDAAyD;IACzD,QAAQ,CAAC,EAAE,OAAO,CAAC;IACnB,sCAAsC;IACtC,KAAK,EAAE,MAAM,CAAC;CACf;AAED,kDAAkD;AAClD,MAAM,MAAM,aAAa,GAAG,CAAC,KAAK,EAAE,kBAAkB,KAAK,OAAO,CAAC;AAEnE,yDAAyD;AACzD,MAAM,MAAM,gBAAgB,GAAG,MAAM,CAAC,MAAM,EAAE,aAAa,CAAC,CAAC;AAI7D;;;GAGG;AACH,wBAAgB,WAAW,CACzB,KAAK,EAAE,aAAa,EACpB,SAAS,EAAE,gBAAgB,EAC3B,KAAK,GAAE,MAAU,GAChB,OAAO,CA0BT;AAED;;GAEG;AACH,wBAAgB,YAAY,CAC1B,MAAM,EAAE,aAAa,EAAE,EACvB,SAAS,EAAE,gBAAgB,GAC1B,OAAO,EAAE,CAEX;AAID;;GAEG;AACH,wBAAgB,WAAW,CAAC,MAAM,EAAE,aAAa,EAAE,GAAG,MAAM,CAsB3D;AAED;;GAEG;AACH,wBAAgB,eAAe,CAAC,MAAM,EAAE,aAAa,EAAE,GAAG,MAAM,EAAE,CAajE"}

package/dist/blocks/renderer-sdk.js

@@ -0,0 +1,112 @@
+/**
+ * HTMLess Renderer SDK Contract
+ *
+ * This module defines the types and interfaces that frontend renderers
+ * must implement to render HTMLess block content.
+ *
+ * Usage in a Next.js/React frontend:
+ *
+ * ```tsx
+ * import type { BlockInstance, BlockRenderer, BlockRendererMap } from '@htmless/core/blocks/renderer-sdk';
+ *
+ * const renderers: BlockRendererMap = {
+ *   paragraph: ({ attrs }) => <p>{attrs.text}</p>,
+ *   heading: ({ attrs }) => {
+ *     const Tag = `h${attrs.level}` as keyof JSX.IntrinsicElements;
+ *     return <Tag>{attrs.text}</Tag>;
+ *   },
+ *   image: ({ attrs }) => <img src={attrs.url} alt={attrs.alt || ''} />,
+ *   callout: ({ attrs, children }) => (
+ *     <aside className={`callout callout-${attrs.tone}`}>
+ *       {attrs.title && <strong>{attrs.title}</strong>}
+ *       <p>{attrs.body}</p>
+ *       {children}
+ *     </aside>
+ *   ),
+ *   // ... etc
+ * };
+ *
+ * function RenderBlocks({ blocks }: { blocks: BlockInstance[] }) {
+ *   return <>{blocks.map((block, i) => renderBlock(block, renderers, i))}</>;
+ * }
+ * ```
+ */
+// ─── Render Function ───
+/**
+ * Renders a single block using the provided renderer map.
+ * Falls back to a default renderer if no matching renderer is found.
+ */
+export function renderBlock(block, renderers, index = 0) {
+    const renderer = renderers[block.typeKey];
+    // Recursively render children first
+    let children = undefined;
+    if (block.children && block.children.length > 0) {
+        children = block.children.map((child, i) => renderBlock(child, renderers, i));
+    }
+    if (!renderer) {
+        // Default: return the block data as-is for debugging/fallback
+        return {
+            _fallback: true,
+            typeKey: block.typeKey,
+            attrs: block.attrs,
+            children,
+            index,
+        };
+    }
+    return renderer({
+        block,
+        attrs: block.attrs,
+        children,
+        index,
+    });
+}
+/**
+ * Renders an array of blocks into an array of rendered outputs.
+ */
+export function renderBlocks(blocks, renderers) {
+    return blocks.map((block, index) => renderBlock(block, renderers, index));
+}
+// ─── Helpers ───
+/**
+ * Extracts plain text from a block tree (useful for search indexing, excerpts).
+ */
+export function extractText(blocks) {
+    const parts = [];
+    for (const block of blocks) {
+        const attrs = block.attrs;
+        if (typeof attrs.text === 'string')
+            parts.push(attrs.text);
+        if (typeof attrs.body === 'string')
+            parts.push(attrs.body);
+        if (typeof attrs.title === 'string')
+            parts.push(attrs.title);
+        if (typeof attrs.code === 'string')
+            parts.push(attrs.code);
+        if (Array.isArray(attrs.items)) {
+            for (const item of attrs.items) {
+                if (typeof item === 'string')
+                    parts.push(item);
+            }
+        }
+        if (block.children) {
+            parts.push(extractText(block.children));
+        }
+    }
+    return parts.filter(Boolean).join(' ');
+}
+/**
+ * Collects all asset IDs referenced in a block tree (for preloading, CDN hints).
+ */
+export function collectAssetIds(blocks) {
+    const ids = [];
+    for (const block of blocks) {
+        if (typeof block.attrs.assetId === 'string') {
+            ids.push(block.attrs.assetId);
+        }
+        if (block.children) {
+            ids.push(...collectAssetIds(block.children));
+        }
+    }
+    return [...new Set(ids)];
+}
+//# sourceMappingURL=renderer-sdk.js.map

package/dist/blocks/renderer-sdk.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"renderer-sdk.js","sourceRoot":"","sources":["../../src/blocks/renderer-sdk.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAgCG;AAgCH,0BAA0B;AAE1B;;;GAGG;AACH,MAAM,UAAU,WAAW,CACzB,KAAoB,EACpB,SAA2B,EAC3B,QAAgB,CAAC;IAEjB,MAAM,QAAQ,GAAG,SAAS,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;IAE1C,oCAAoC;IACpC,IAAI,QAAQ,GAAY,SAAS,CAAC;IAClC,IAAI,KAAK,CAAC,QAAQ,IAAI,KAAK,CAAC,QAAQ,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAChD,QAAQ,GAAG,KAAK,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,KAAK,EAAE,CAAC,EAAE,EAAE,CAAC,WAAW,CAAC,KAAK,EAAE,SAAS,EAAE,CAAC,CAAC,CAAC,CAAC;IAChF,CAAC;IAED,IAAI,CAAC,QAAQ,EAAE,CAAC;QACd,8DAA8D;QAC9D,OAAO;YACL,SAAS,EAAE,IAAI;YACf,OAAO,EAAE,KAAK,CAAC,OAAO;YACtB,KAAK,EAAE,KAAK,CAAC,KAAK;YAClB,QAAQ;YACR,KAAK;SACN,CAAC;IACJ,CAAC;IAED,OAAO,QAAQ,CAAC;QACd,KAAK;QACL,KAAK,EAAE,KAAK,CAAC,KAAK;QAClB,QAAQ;QACR,KAAK;KACN,CAAC,CAAC;AACL,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,YAAY,CAC1B,MAAuB,EACvB,SAA2B;IAE3B,OAAO,MAAM,CAAC,GAAG,CAAC,CAAC,KAAK,EAAE,KAAK,EAAE,EAAE,CAAC,WAAW,CAAC,KAAK,EAAE,SAAS,EAAE,KAAK,CAAC,CAAC,CAAC;AAC5E,CAAC;AAED,kBAAkB;AAElB;;GAEG;AACH,MAAM,UAAU,WAAW,CAAC,MAAuB;IACjD,MAAM,KAAK,GAAa,EAAE,CAAC;IAE3B,KAAK,MAAM,KAAK,IAAI,MAAM,EAAE,CAAC;QAC3B,MAAM,KAAK,GAAG,KAAK,CAAC,KAAK,CAAC;QAE1B,IAAI,OAAO,KAAK,CAAC,IAAI,KAAK,QAAQ;YAAE,KAAK,CAAC,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;QAC3D,IAAI,OAAO,KAAK,CAAC,IAAI,KAAK,QAAQ;YAAE,KAAK,CAAC,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;QAC3D,IAAI,OAAO,KAAK,CAAC,KAAK,KAAK,QAAQ;YAAE,KAAK,CAAC,IAAI,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC;QAC7D,IAAI,OAAO,KAAK,CAAC,IAAI,KAAK,QAAQ;YAAE,KAAK,CAAC,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;QAC3D,IAAI,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC,KAAK,CAAC,EAAE,CAAC;YAC/B,KAAK,MAAM,IAAI,IAAI,KAAK,CAAC,KAAK,EAAE,CAAC;gBAC/B,IAAI,OAAO,IAAI,KAAK,QAAQ;oBAAE,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YACjD,CAAC;QACH,CAAC;QAED,IAAI,KAAK,CAAC,QAAQ,EAAE,CAAC;YACnB,KAAK,CAAC,IAAI,CAAC,WAAW,CAAC,KAAK,CAAC,QAAQ,CAAC,CAAC,CAAC;QAC1C,CAAC;IACH,CAAC;IAED,OAAO,KAAK,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;AACzC,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,eAAe,CAAC,MAAuB;IACrD,MAAM,GAAG,GAAa,EAAE,CAAC;IAEzB,KAAK,MAAM,KAAK,IAAI,MAAM,EAAE,CAAC;QAC3B,IAAI,OAAO,KAAK,CAAC,KAAK,CAAC,OAAO,KAAK,QAAQ,EAAE,CAAC;YAC5C,GAAG,CAAC,IAAI,CAAC,KAAK,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;QAChC,CAAC;QACD,IAAI,KAAK,CAAC,QAAQ,EAAE,CAAC;YACnB,GAAG,CAAC,IAAI,CAAC,GAAG,eAAe,CAAC,KAAK,CAAC,QAAQ,CAAC,CAAC,CAAC;QAC/C,CAAC;IACH,CAAC;IAED,OAAO,CAAC,GAAG,IAAI,GAAG,CAAC,GAAG,CAAC,CAAC,CAAC;AAC3B,CAAC"}