npm - @intranefr/superbackend - Versions diffs - 1.4.4 → 1.5.1 - Mend

@intranefr/superbackend 1.4.4 → 1.5.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (195) hide show

package/.env.example +5 -0
package/README.md +11 -0
package/index.js +39 -1
package/package.json +11 -3
package/public/sdk/ui-components.iife.js +191 -0
package/sdk/ui-components/browser/src/index.js +228 -0
package/src/admin/endpointRegistry.js +120 -0
package/src/controllers/admin.controller.js +111 -5
package/src/controllers/adminBlockDefinitions.controller.js +127 -0
package/src/controllers/adminBlockDefinitionsAi.controller.js +54 -0
package/src/controllers/adminCache.controller.js +342 -0
package/src/controllers/adminContextBlockDefinitions.controller.js +141 -0
package/src/controllers/adminCrons.controller.js +388 -0
package/src/controllers/adminDbBrowser.controller.js +124 -0
package/src/controllers/adminEjsVirtual.controller.js +13 -3
package/src/controllers/adminHeadless.controller.js +91 -2
package/src/controllers/adminHealthChecks.controller.js +570 -0
package/src/controllers/adminI18n.controller.js +51 -29
package/src/controllers/adminLlm.controller.js +126 -2
package/src/controllers/adminPages.controller.js +720 -0
package/src/controllers/adminPagesContextBlocksAi.controller.js +54 -0
package/src/controllers/adminProxy.controller.js +113 -0
package/src/controllers/adminRateLimits.controller.js +138 -0
package/src/controllers/adminRbac.controller.js +803 -0
package/src/controllers/adminScripts.controller.js +320 -0
package/src/controllers/adminSeoConfig.controller.js +71 -48
package/src/controllers/adminTerminals.controller.js +39 -0
package/src/controllers/adminUiComponents.controller.js +315 -0
package/src/controllers/adminUiComponentsAi.controller.js +34 -0
package/src/controllers/blogAdmin.controller.js +279 -0
package/src/controllers/blogAiAdmin.controller.js +224 -0
package/src/controllers/blogAutomationAdmin.controller.js +141 -0
package/src/controllers/blogInternal.controller.js +26 -0
package/src/controllers/blogPublic.controller.js +89 -0
package/src/controllers/fileManager.controller.js +190 -0
package/src/controllers/fileManagerStoragePolicy.controller.js +23 -0
package/src/controllers/healthChecksPublic.controller.js +196 -0
package/src/controllers/metrics.controller.js +64 -4
package/src/controllers/orgAdmin.controller.js +366 -0
package/src/controllers/uiComponentsPublic.controller.js +118 -0
package/src/middleware/auth.js +7 -0
package/src/middleware/internalCronAuth.js +29 -0
package/src/middleware/rbac.js +62 -0
package/src/middleware.js +879 -56
package/src/models/BlockDefinition.js +27 -0
package/src/models/BlogAutomationLock.js +14 -0
package/src/models/BlogAutomationRun.js +39 -0
package/src/models/BlogPost.js +42 -0
package/src/models/CacheEntry.js +26 -0
package/src/models/ConsoleEntry.js +32 -0
package/src/models/ConsoleLog.js +23 -0
package/src/models/ContextBlockDefinition.js +33 -0
package/src/models/CronExecution.js +47 -0
package/src/models/CronJob.js +70 -0
package/src/models/ExternalDbConnection.js +49 -0
package/src/models/FileEntry.js +22 -0
package/src/models/HeadlessModelDefinition.js +10 -0
package/src/models/HealthAutoHealAttempt.js +57 -0
package/src/models/HealthCheck.js +132 -0
package/src/models/HealthCheckRun.js +51 -0
package/src/models/HealthIncident.js +49 -0
package/src/models/Page.js +95 -0
package/src/models/PageCollection.js +42 -0
package/src/models/ProxyEntry.js +66 -0
package/src/models/RateLimitCounter.js +19 -0
package/src/models/RateLimitMetricBucket.js +20 -0
package/src/models/RbacGrant.js +25 -0
package/src/models/RbacGroup.js +16 -0
package/src/models/RbacGroupMember.js +13 -0
package/src/models/RbacGroupRole.js +13 -0
package/src/models/RbacRole.js +25 -0
package/src/models/RbacUserRole.js +13 -0
package/src/models/ScriptDefinition.js +42 -0
package/src/models/ScriptRun.js +22 -0
package/src/models/UiComponent.js +29 -0
package/src/models/UiComponentProject.js +26 -0
package/src/models/UiComponentProjectComponent.js +18 -0
package/src/routes/admin.routes.js +1 -0
package/src/routes/adminBlog.routes.js +21 -0
package/src/routes/adminBlogAi.routes.js +16 -0
package/src/routes/adminBlogAutomation.routes.js +27 -0
package/src/routes/adminCache.routes.js +20 -0
package/src/routes/adminConsoleManager.routes.js +302 -0
package/src/routes/adminCrons.routes.js +25 -0
package/src/routes/adminDbBrowser.routes.js +65 -0
package/src/routes/adminEjsVirtual.routes.js +2 -1
package/src/routes/adminHeadless.routes.js +8 -1
package/src/routes/adminHealthChecks.routes.js +28 -0
package/src/routes/adminI18n.routes.js +4 -3
package/src/routes/adminLlm.routes.js +4 -2
package/src/routes/adminPages.routes.js +55 -0
package/src/routes/adminProxy.routes.js +15 -0
package/src/routes/adminRateLimits.routes.js +17 -0
package/src/routes/adminRbac.routes.js +38 -0
package/src/routes/adminScripts.routes.js +21 -0
package/src/routes/adminSeoConfig.routes.js +5 -4
package/src/routes/adminTerminals.routes.js +13 -0
package/src/routes/adminUiComponents.routes.js +30 -0
package/src/routes/blogInternal.routes.js +14 -0
package/src/routes/blogPublic.routes.js +9 -0
package/src/routes/fileManager.routes.js +62 -0
package/src/routes/fileManagerStoragePolicy.routes.js +9 -0
package/src/routes/healthChecksPublic.routes.js +9 -0
package/src/routes/log.routes.js +43 -60
package/src/routes/metrics.routes.js +4 -2
package/src/routes/orgAdmin.routes.js +6 -0
package/src/routes/pages.routes.js +123 -0
package/src/routes/proxy.routes.js +46 -0
package/src/routes/rbac.routes.js +47 -0
package/src/routes/uiComponentsPublic.routes.js +9 -0
package/src/routes/webhook.routes.js +2 -1
package/src/routes/workflows.routes.js +4 -0
package/src/services/blockDefinitionsAi.service.js +247 -0
package/src/services/blog.service.js +99 -0
package/src/services/blogAutomation.service.js +978 -0
package/src/services/blogCronsBootstrap.service.js +184 -0
package/src/services/blogPublishing.service.js +58 -0
package/src/services/cacheLayer.service.js +696 -0
package/src/services/consoleManager.service.js +700 -0
package/src/services/consoleOverride.service.js +6 -1
package/src/services/cronScheduler.service.js +350 -0
package/src/services/dbBrowser.service.js +536 -0
package/src/services/ejsVirtual.service.js +102 -32
package/src/services/fileManager.service.js +475 -0
package/src/services/fileManagerStoragePolicy.service.js +285 -0
package/src/services/headlessExternalModels.service.js +292 -0
package/src/services/headlessModels.service.js +26 -6
package/src/services/healthChecks.service.js +650 -0
package/src/services/healthChecksBootstrap.service.js +109 -0
package/src/services/healthChecksScheduler.service.js +106 -0
package/src/services/llmDefaults.service.js +190 -0
package/src/services/migrationAssets/s3.js +2 -2
package/src/services/pages.service.js +602 -0
package/src/services/pagesContext.service.js +331 -0
package/src/services/pagesContextBlocksAi.service.js +349 -0
package/src/services/proxy.service.js +535 -0
package/src/services/rateLimiter.service.js +623 -0
package/src/services/rbac.service.js +212 -0
package/src/services/scriptsRunner.service.js +259 -0
package/src/services/terminals.service.js +152 -0
package/src/services/terminalsWs.service.js +100 -0
package/src/services/uiComponentsAi.service.js +299 -0
package/src/services/uiComponentsCrypto.service.js +39 -0
package/src/services/workflow.service.js +23 -8
package/src/utils/orgRoles.js +14 -0
package/src/utils/rbac/engine.js +60 -0
package/src/utils/rbac/rightsRegistry.js +29 -0
package/views/admin-blog-automation.ejs +877 -0
package/views/admin-blog-edit.ejs +542 -0
package/views/admin-blog.ejs +399 -0
package/views/admin-cache.ejs +681 -0
package/views/admin-console-manager.ejs +680 -0
package/views/admin-crons.ejs +645 -0
package/views/admin-db-browser.ejs +445 -0
package/views/admin-ejs-virtual.ejs +16 -10
package/views/admin-file-manager.ejs +942 -0
package/views/admin-headless.ejs +294 -24
package/views/admin-health-checks.ejs +725 -0
package/views/admin-i18n.ejs +59 -5
package/views/admin-llm.ejs +99 -1
package/views/admin-organizations.ejs +528 -10
package/views/admin-pages.ejs +2424 -0
package/views/admin-proxy.ejs +491 -0
package/views/admin-rate-limiter.ejs +625 -0
package/views/admin-rbac.ejs +1331 -0
package/views/admin-scripts.ejs +497 -0
package/views/admin-seo-config.ejs +61 -7
package/views/admin-terminals.ejs +328 -0
package/views/admin-ui-components.ejs +741 -0
package/views/admin-users.ejs +261 -4
package/views/admin-workflows.ejs +7 -7
package/views/file-manager.ejs +866 -0
package/views/pages/blocks/contact.ejs +27 -0
package/views/pages/blocks/cta.ejs +18 -0
package/views/pages/blocks/faq.ejs +20 -0
package/views/pages/blocks/features.ejs +19 -0
package/views/pages/blocks/hero.ejs +13 -0
package/views/pages/blocks/html.ejs +5 -0
package/views/pages/blocks/image.ejs +14 -0
package/views/pages/blocks/testimonials.ejs +26 -0
package/views/pages/blocks/text.ejs +10 -0
package/views/pages/layouts/default.ejs +51 -0
package/views/pages/layouts/minimal.ejs +42 -0
package/views/pages/layouts/sidebar.ejs +54 -0
package/views/pages/partials/footer.ejs +13 -0
package/views/pages/partials/header.ejs +12 -0
package/views/pages/partials/sidebar.ejs +8 -0
package/views/pages/runtime/page.ejs +10 -0
package/views/pages/templates/article.ejs +20 -0
package/views/pages/templates/default.ejs +12 -0
package/views/pages/templates/landing.ejs +14 -0
package/views/pages/templates/listing.ejs +15 -0
package/views/partials/admin-image-upload-modal.ejs +221 -0
package/views/partials/dashboard/nav-items.ejs +14 -0
package/views/partials/llm-provider-model-picker.ejs +183 -0

package/src/services/pagesContext.service.js ADDED Viewed

@@ -0,0 +1,331 @@
+const crypto = require('crypto');
+const mongoose = require('mongoose');
+const cacheLayer = require('./cacheLayer.service');
+const globalSettingsService = require('./globalSettings.service');
+function sha1(text) {
+  return crypto.createHash('sha1').update(String(text || ''), 'utf8').digest('hex');
+}
+function parseDurationToMs(input) {
+  if (input === null || input === undefined) return null;
+  if (typeof input === 'number' && Number.isFinite(input)) return input;
+  const s = String(input).trim().toLowerCase();
+  if (!s) return null;
+  const m = s.match(/^([0-9]+(?:\.[0-9]+)?)\s*(ms|s|m)$/);
+  if (!m) return null;
+  const n = Number(m[1]);
+  const unit = m[2];
+  if (!Number.isFinite(n)) return null;
+  if (unit === 'ms') return Math.round(n);
+  if (unit === 's') return Math.round(n * 1000);
+  if (unit === 'm') return Math.round(n * 60 * 1000);
+  return null;
+}
+async function getDefaultTimeoutMs() {
+  const fromSetting = await globalSettingsService.getSettingValue('PAGES_CONTEXT_BLOCK_TIMEOUT', null).catch(() => null);
+  const fromEnv = process.env.PAGES_CONTEXT_BLOCK_TIMEOUT;
+  const v = fromSetting !== null && fromSetting !== undefined ? fromSetting : (fromEnv !== undefined ? fromEnv : '30s');
+  const ms = parseDurationToMs(v);
+  return ms === null ? 30_000 : ms;
+}
+function getByPath(obj, path) {
+  const parts = String(path || '').split('.').filter(Boolean);
+  let cur = obj;
+  for (const p of parts) {
+    if (!cur || typeof cur !== 'object') return undefined;
+    cur = cur[p];
+  }
+  return cur;
+}
+function interpolateCtx(value, ctxRoot) {
+  if (value === null || value === undefined) return value;
+  if (Array.isArray(value)) {
+    return value.map((v) => interpolateCtx(v, ctxRoot));
+  }
+  if (typeof value === 'object') {
+    const keys = Object.keys(value);
+    if (keys.length === 1 && keys[0] === '$ctx') {
+      return getByPath(ctxRoot, value.$ctx);
+    }
+    const out = {};
+    for (const k of keys) {
+      out[k] = interpolateCtx(value[k], ctxRoot);
+    }
+    return out;
+  }
+  return value;
+}
+function buildHelpers() {
+  const sb = globalThis.superbackend || globalThis.saasbackend || null;
+  const services = (sb && sb.services) ? sb.services : {};
+  const models = (sb && sb.models) ? sb.models : {};
+  const denyServices = new Set([
+    'globalSettings',
+    'migration',
+    'workflow',
+  ]);
+  const safeServices = {};
+  for (const [k, v] of Object.entries(services || {})) {
+    if (denyServices.has(k)) continue;
+    safeServices[k] = v;
+  }
+  return {
+    services: safeServices,
+    models,
+    mongoose,
+  };
+}
+function buildAuthContext(req) {
+  const user = req?.user ? req.user : null;
+  if (!user) return null;
+  return {
+    userId: user._id ? String(user._id) : null,
+    role: user.role || null,
+  };
+}
+function buildSessionContext(req) {
+  const session = req?.session || null;
+  if (!session || typeof session !== 'object') return null;
+  const safe = {};
+  for (const [k, v] of Object.entries(session)) {
+    if (k.toLowerCase().includes('token')) continue;
+    if (k.toLowerCase().includes('secret')) continue;
+    safe[k] = v;
+  }
+  return safe;
+}
+async function withOptionalTimeout(promise, { enabled, timeoutMs }) {
+  if (!enabled) return promise;
+  const ms = Number(timeoutMs);
+  if (!Number.isFinite(ms) || ms <= 0) return promise;
+  let t;
+  const timeoutPromise = new Promise((_, reject) => {
+    t = setTimeout(() => {
+      const err = new Error('Context block timed out');
+      err.code = 'TIMEOUT';
+      reject(err);
+    }, ms);
+  });
+  try {
+    return await Promise.race([promise, timeoutPromise]);
+  } finally {
+    if (t) clearTimeout(t);
+  }
+}
+async function runDbQueryBlock(block, pageContext) {
+  const props = block?.props || {};
+  const modelName = String(props.model || '').trim();
+  if (!modelName) throw Object.assign(new Error('db.query requires props.model'), { code: 'VALIDATION' });
+  const op = String(props.op || (props.mode === 'one' ? 'findOne' : 'find')).trim();
+  const assignTo = String(props.assignTo || '').trim();
+  if (!assignTo) throw Object.assign(new Error('db.query requires props.assignTo'), { code: 'VALIDATION' });
+  const Model = mongoose.models[modelName] || (mongoose.modelNames().includes(modelName) ? mongoose.model(modelName) : null);
+  if (!Model) throw Object.assign(new Error(`Unknown model: ${modelName}`), { code: 'VALIDATION' });
+  const ctxRoot = {
+    pageContext,
+    auth: pageContext.auth,
+    session: pageContext.session,
+    vars: pageContext.vars,
+    params: pageContext.params,
+    query: pageContext.query,
+  };
+  const filter = interpolateCtx(props.filter || {}, ctxRoot);
+  const sort = interpolateCtx(props.sort || undefined, ctxRoot);
+  const select = interpolateCtx(props.select || undefined, ctxRoot);
+  const limit = interpolateCtx(props.limit || undefined, ctxRoot);
+  let q;
+  if (op === 'findOne') {
+    q = Model.findOne(filter);
+  } else if (op === 'find') {
+    q = Model.find(filter);
+  } else if (op === 'countDocuments') {
+    q = Model.countDocuments(filter);
+  } else {
+    throw Object.assign(new Error(`Unsupported db.query op: ${op}`), { code: 'VALIDATION' });
+  }
+  if (select !== undefined && select !== null && typeof q.select === 'function') {
+    q = q.select(select);
+  }
+  if (sort && typeof q.sort === 'function') {
+    q = q.sort(sort);
+  }
+  if (op === 'find' && limit !== undefined && limit !== null && typeof q.limit === 'function') {
+    const n = parseInt(String(limit), 10);
+    if (Number.isFinite(n) && n > 0) q = q.limit(n);
+  }
+  if (typeof q.lean === 'function') q = q.lean();
+  const result = await q;
+  pageContext.vars[assignTo] = result;
+  return result;
+}
+async function runServiceInvokeBlock(block, pageContext) {
+  const props = block?.props || {};
+  const servicePath = String(props.servicePath || '').trim();
+  if (!servicePath) throw Object.assign(new Error('service.invoke requires props.servicePath'), { code: 'VALIDATION' });
+  const assignTo = String(props.assignTo || '').trim();
+  if (!assignTo) throw Object.assign(new Error('service.invoke requires props.assignTo'), { code: 'VALIDATION' });
+  const ctxRoot = {
+    pageContext,
+    auth: pageContext.auth,
+    session: pageContext.session,
+    vars: pageContext.vars,
+    params: pageContext.params,
+    query: pageContext.query,
+  };
+  const args = interpolateCtx(props.args || [], ctxRoot);
+  const fn = getByPath(pageContext.helpers, servicePath);
+  if (typeof fn !== 'function') {
+    throw Object.assign(new Error(`service.invoke target is not a function: ${servicePath}`), { code: 'VALIDATION' });
+  }
+  const result = await fn(...(Array.isArray(args) ? args : [args]));
+  pageContext.vars[assignTo] = result;
+  return result;
+}
+function defaultCacheKeyForBlock({ pageId, routePath, block }) {
+  return sha1(JSON.stringify({ pageId, routePath, block }));
+}
+async function runContextBlock(block, { pageId, routePath, pageContext }) {
+  const type = String(block?.type || '').trim();
+  const cache = block?.props?.cache || null;
+  const cacheEnabled = Boolean(cache?.enabled);
+  const namespace = cache?.namespace ? String(cache.namespace) : 'pages:ssr';
+  const ttlSeconds = cache?.ttlSeconds === undefined ? undefined : cache.ttlSeconds;
+  const timeoutEnabled = Boolean(block?.props?.timeout?.enabled);
+  const timeoutMsRaw = block?.props?.timeout?.ms || block?.props?.timeout?.value || null;
+  const defaultTimeoutMs = await getDefaultTimeoutMs();
+  const timeoutMs = parseDurationToMs(timeoutMsRaw) ?? defaultTimeoutMs;
+  const compute = async () => {
+    if (type === 'context.db_query') {
+      return runDbQueryBlock(block, pageContext);
+    }
+    if (type === 'context.service_invoke') {
+      return runServiceInvokeBlock(block, pageContext);
+    }
+    throw Object.assign(new Error(`Unknown context block type: ${type}`), { code: 'VALIDATION' });
+  };
+  const run = async () => withOptionalTimeout(compute(), { enabled: timeoutEnabled, timeoutMs });
+  if (!cacheEnabled) {
+    return run();
+  }
+  const key = cache?.key
+    ? String(interpolateCtx(cache.key, { pageContext, vars: pageContext.vars, params: pageContext.params, query: pageContext.query, auth: pageContext.auth, session: pageContext.session }))
+    : defaultCacheKeyForBlock({ pageId, routePath, block });
+  const cached = await cacheLayer.get(key, { namespace }).catch(() => null);
+  if (cached !== null && cached !== undefined) {
+    return cached;
+  }
+  const value = await run();
+  await cacheLayer.set(key, value, { namespace, ttlSeconds }).catch(() => {});
+  return value;
+}
+function splitBlocks(page) {
+  const blocks = Array.isArray(page?.blocks) ? page.blocks : [];
+  const contextBlocks = [];
+  const renderBlocks = [];
+  for (const b of blocks) {
+    const t = String(b?.type || '').trim();
+    if (t.startsWith('context.')) {
+      contextBlocks.push(b);
+    } else {
+      renderBlocks.push(b);
+    }
+  }
+  return { contextBlocks, renderBlocks };
+}
+async function resolvePageContext({ page, req, res, routePath, params = {}, mockContext = null }) {
+  const pageContext = {
+    vars: {},
+    helpers: buildHelpers(),
+    auth: buildAuthContext(req),
+    session: buildSessionContext(req),
+    params: params || {},
+    query: (req && req.query) ? req.query : {},
+    request: {
+      path: routePath || (req ? req.path : null),
+      method: req ? req.method : null,
+    },
+  };
+  if (mockContext && typeof mockContext === 'object') {
+    if (mockContext.auth !== undefined) pageContext.auth = mockContext.auth;
+    if (mockContext.session !== undefined) pageContext.session = mockContext.session;
+    if (mockContext.params !== undefined) pageContext.params = mockContext.params;
+    if (mockContext.query !== undefined) pageContext.query = mockContext.query;
+  }
+  const { contextBlocks, renderBlocks } = splitBlocks(page);
+  for (const block of contextBlocks) {
+    await runContextBlock(block, {
+      pageId: page?._id ? String(page._id) : null,
+      routePath: routePath || (req ? req.path : null),
+      pageContext,
+    });
+  }
+  return { pageContext, contextBlocks, renderBlocks };
+}
+module.exports = {
+  parseDurationToMs,
+  getDefaultTimeoutMs,
+  interpolateCtx,
+  resolvePageContext,
+};

package/src/services/pagesContextBlocksAi.service.js ADDED Viewed

@@ -0,0 +1,349 @@
+const llmService = require('./llm.service');
+const { resolveLlmProviderModel } = require('./llmDefaults.service');
+const { createAuditEvent } = require('./audit.service');
+const ALLOWED_BLOCK_TYPES = new Set(['context.db_query', 'context.service_invoke']);
+function parseJsonFromModelOutput(raw) {
+  const text = String(raw || '').trim();
+  try {
+    return JSON.parse(text);
+  } catch (_) {
+    const m = text.match(/```json\s*([\s\S]*?)\s*```/i) || text.match(/```\s*([\s\S]*?)\s*```/i);
+    if (m) {
+      return JSON.parse(String(m[1] || '').trim());
+    }
+    const idx = text.indexOf('{');
+    const last = text.lastIndexOf('}');
+    if (idx !== -1 && last !== -1 && last > idx) {
+      return JSON.parse(text.slice(idx, last + 1));
+    }
+    const err = new Error('AI response was not valid JSON');
+    err.code = 'AI_INVALID';
+    throw err;
+  }
+}
+function normalizeBlockType(v) {
+  return String(v || '').trim();
+}
+function validateProposalShape(obj) {
+  if (!obj || typeof obj !== 'object' || Array.isArray(obj)) {
+    const err = new Error('AI proposal must be a JSON object');
+    err.code = 'AI_INVALID';
+    throw err;
+  }
+  const type = normalizeBlockType(obj.type);
+  if (!ALLOWED_BLOCK_TYPES.has(type)) {
+    const err = new Error(`AI proposal type must be one of: ${Array.from(ALLOWED_BLOCK_TYPES).join(', ')}`);
+    err.code = 'AI_INVALID';
+    throw err;
+  }
+  const props = obj.props;
+  if (!props || typeof props !== 'object' || Array.isArray(props)) {
+    const err = new Error('AI proposal props must be an object');
+    err.code = 'AI_INVALID';
+    throw err;
+  }
+  if (props.cache !== undefined && props.cache !== null) {
+    if (typeof props.cache !== 'object' || Array.isArray(props.cache)) {
+      const err = new Error('AI proposal props.cache must be an object');
+      err.code = 'AI_INVALID';
+      throw err;
+    }
+    if (props.cache.ttlSeconds !== undefined && props.cache.ttlSeconds !== null) {
+      const n = Number(props.cache.ttlSeconds);
+      if (!Number.isFinite(n) || n < 0) {
+        const err = new Error('AI proposal props.cache.ttlSeconds must be a number >= 0');
+        err.code = 'AI_INVALID';
+        throw err;
+      }
+    }
+  }
+  if (props.timeout !== undefined && props.timeout !== null) {
+    if (typeof props.timeout !== 'object' || Array.isArray(props.timeout)) {
+      const err = new Error('AI proposal props.timeout must be an object');
+      err.code = 'AI_INVALID';
+      throw err;
+    }
+    if (props.timeout.value !== undefined && props.timeout.value !== null && typeof props.timeout.value !== 'string') {
+      const err = new Error('AI proposal props.timeout.value must be a string');
+      err.code = 'AI_INVALID';
+      throw err;
+    }
+  }
+  return { type, props };
+}
+function buildHelpersContextForPrompt() {
+  const sb = globalThis.superbackend || globalThis.saasbackend || null;
+  const services = (sb && sb.services) ? sb.services : {};
+  const models = (sb && sb.models) ? sb.models : {};
+  const denyServices = new Set(['globalSettings', 'migration', 'workflow']);
+  const serviceKeys = Object.keys(services || {}).filter((k) => !denyServices.has(k)).sort();
+  const modelKeys = Object.keys(models || {}).sort();
+  return {
+    denyServices: Array.from(denyServices),
+    serviceKeys,
+    modelKeys,
+  };
+}
+function capList(list, max) {
+  const arr = Array.isArray(list) ? list : [];
+  if (arr.length <= max) return arr;
+  return arr.slice(0, max);
+}
+function buildSystemPrompt({ helpersInfo }) {
+  const servicesPreview = capList(helpersInfo.serviceKeys, 80);
+  const modelsPreview = capList(helpersInfo.modelKeys, 80);
+  return [
+    'You are an assistant that outputs a single JSON object describing a Pages SSR Context Block.',
+    'Return ONLY JSON. No markdown, no extra keys, no explanation.',
+    '',
+    'Output schema:',
+    '{',
+    '  "type": "context.db_query|context.service_invoke",',
+    '  "props": { ... }',
+    '}',
+    '',
+    'Allowed type values: context.db_query, context.service_invoke',
+    '',
+    'Shared props patterns:',
+    '- "assignTo": string key for pageContext.vars (required)',
+    '- "cache": { "enabled": boolean, "namespace"?: string, "ttlSeconds"?: number, "key"?: any } (optional)',
+    '- "timeout": { "enabled": boolean, "value"?: "250ms"|"5s"|"1m" } (optional)',
+    '',
+    '$ctx interpolation:',
+    'You can reference runtime values inside props using a JSON object with a single key "$ctx".',
+    'Example: {"slug": {"$ctx": "params.slug"}}',
+    '',
+    'Allowed $ctx roots:',
+    '- params.* (repeat params like params.slug)',
+    '- query.* (req.query)',
+    '- auth.*',
+    '- session.*',
+    '- vars.* (results from previous context blocks)',
+    '- pageContext.*',
+    '',
+    'context.db_query props:',
+    '{',
+    '  "model": "MongooseModelName",',
+    '  "op": "find|findOne|countDocuments",',
+    '  "filter": { ... },',
+    '  "sort"?: { ... },',
+    '  "select"?: { ... },',
+    '  "limit"?: number,',
+    '  "assignTo": "post"',
+    '}',
+    '',
+    'context.service_invoke props:',
+    '{',
+    '  "servicePath": "services.someService.someFn" | "models.SomeModel.someStatic" | "mongoose.someFn",',
+    '  "args": [ ... ] | <any>,',
+    '  "assignTo": "result"',
+    '}',
+    '',
+    'Invokable helper namespaces:',
+    '- helpers.services.<serviceName>.*',
+    '- helpers.models.<ModelName>.*',
+    '- helpers.mongoose.*',
+    '',
+    `services available (preview): ${JSON.stringify(servicesPreview)}`,
+    `models available (preview): ${JSON.stringify(modelsPreview)}`,
+    `services denylist (cannot be referenced): ${JSON.stringify(helpersInfo.denyServices)}`,
+    '',
+    'Examples:',
+    '{"type":"context.db_query","props":{"model":"BlogPost","op":"findOne","filter":{"slug":{"$ctx":"params.slug"},"status":"published"},"assignTo":"post"}}',
+    '{"type":"context.db_query","props":{"model":"BlogPost","op":"find","filter":{"status":"published"},"sort":{"publishedAt":-1},"limit":10,"assignTo":"latestPosts","cache":{"enabled":true,"ttlSeconds":30,"key":{"$ctx":"params.slug"}}}}',
+    '{"type":"context.service_invoke","props":{"servicePath":"services.i18n.translate","args":[{"$ctx":"query.text"}],"assignTo":"t"}}',
+  ].join('\n');
+}
+function computeWarnings({ proposal }) {
+  const warnings = [];
+  const props = proposal?.props || {};
+  if (props.cache && props.cache.enabled && !Object.prototype.hasOwnProperty.call(props.cache, 'key')) {
+    warnings.push('Caching is enabled but props.cache.key is missing; key will be auto-derived (may be OK but can reduce cache hit rate).');
+  }
+  if (proposal?.type === 'context.db_query') {
+    const limit = props.limit;
+    const n = limit === undefined || limit === null ? null : Number(limit);
+    if (n !== null && Number.isFinite(n) && n > 200) {
+      warnings.push('db_query limit is > 200; consider lowering it to reduce SSR latency and payload size.');
+    }
+  }
+  if (proposal?.type === 'context.service_invoke') {
+    const sp = String(props.servicePath || '');
+    if (sp.startsWith('services.globalSettings') || sp.startsWith('services.migration') || sp.startsWith('services.workflow')) {
+      warnings.push('servicePath references a denylisted service namespace and will fail at runtime.');
+    }
+  }
+  return warnings;
+}
+async function resolveLlmDefaults({ systemKey, providerKey, model }) {
+  return resolveLlmProviderModel({ systemKey, providerKey, model });
+}
+async function generateContextBlock({ prompt, blockType, providerKey, model, actor }) {
+  const instruction = String(prompt || '').trim();
+  if (!instruction) {
+    const err = new Error('prompt is required');
+    err.code = 'VALIDATION';
+    throw err;
+  }
+  const type = normalizeBlockType(blockType);
+  if (!ALLOWED_BLOCK_TYPES.has(type)) {
+    const err = new Error(`blockType must be one of: ${Array.from(ALLOWED_BLOCK_TYPES).join(', ')}`);
+    err.code = 'VALIDATION';
+    throw err;
+  }
+  const helpersInfo = buildHelpersContextForPrompt();
+  const llmDefaults = await resolveLlmDefaults({
+    systemKey: 'pageBuilder.blocks.generate',
+    providerKey,
+    model,
+  });
+  const result = await llmService.callAdhoc(
+    {
+      providerKey: llmDefaults.providerKey,
+      model: llmDefaults.model,
+      messages: [
+        { role: 'system', content: buildSystemPrompt({ helpersInfo }) },
+        { role: 'user', content: `Block type: ${type}\nInstruction:\n${instruction}` },
+      ],
+      promptKeyForAudit: 'pages.contextBlocks.ai.generate',
+    },
+    { temperature: 0.2 },
+  );
+  const raw = String(result.content || '');
+  const json = parseJsonFromModelOutput(raw);
+  const proposal = validateProposalShape(json);
+  if (proposal.type !== type) {
+    const err = new Error('AI proposal type must match requested blockType');
+    err.code = 'AI_INVALID';
+    throw err;
+  }
+  const warnings = computeWarnings({ proposal });
+  await createAuditEvent({
+    ...(actor || { actorType: 'system', actorId: null }),
+    action: 'pages.contextBlocks.ai.generate',
+    entityType: 'PagesContextBlock',
+    entityId: proposal.type,
+    before: null,
+    after: { type: proposal.type },
+    meta: {
+      providerKey: llmDefaults.providerKey,
+      model: llmDefaults.model,
+      responsePreview: raw.slice(0, 4000),
+      warnings,
+    },
+  });
+  return {
+    proposal,
+    providerKey: llmDefaults.providerKey,
+    model: llmDefaults.model,
+    warnings,
+  };
+}
+async function proposeContextBlockEdit({ prompt, currentBlock, providerKey, model, actor }) {
+  const instruction = String(prompt || '').trim();
+  if (!instruction) {
+    const err = new Error('prompt is required');
+    err.code = 'VALIDATION';
+    throw err;
+  }
+  const current = validateProposalShape(currentBlock);
+  const helpersInfo = buildHelpersContextForPrompt();
+  const llmDefaults = await resolveLlmDefaults({
+    systemKey: 'pageBuilder.blocks.propose',
+    providerKey,
+    model,
+  });
+  const result = await llmService.callAdhoc(
+    {
+      providerKey: llmDefaults.providerKey,
+      model: llmDefaults.model,
+      messages: [
+        { role: 'system', content: buildSystemPrompt({ helpersInfo }) },
+        { role: 'user', content: `Instruction:\n${instruction}` },
+        { role: 'user', content: `Current block:\n${JSON.stringify(current, null, 2)}` },
+      ],
+      promptKeyForAudit: 'pages.contextBlocks.ai.propose',
+    },
+    { temperature: 0.2 },
+  );
+  const raw = String(result.content || '');
+  const json = parseJsonFromModelOutput(raw);
+  const proposal = validateProposalShape(json);
+  if (proposal.type !== current.type) {
+    const err = new Error('AI proposal type must match currentBlock type');
+    err.code = 'AI_INVALID';
+    throw err;
+  }
+  const warnings = computeWarnings({ proposal });
+  await createAuditEvent({
+    ...(actor || { actorType: 'system', actorId: null }),
+    action: 'pages.contextBlocks.ai.propose',
+    entityType: 'PagesContextBlock',
+    entityId: proposal.type,
+    before: { type: current.type },
+    after: { type: proposal.type },
+    meta: {
+      providerKey: llmDefaults.providerKey,
+      model: llmDefaults.model,
+      responsePreview: raw.slice(0, 4000),
+      warnings,
+    },
+  });
+  return {
+    currentBlock: current,
+    proposal,
+    providerKey: llmDefaults.providerKey,
+    model: llmDefaults.model,
+    warnings,
+  };
+}
+module.exports = {
+  generateContextBlock,
+  proposeContextBlockEdit,
+};