npm - @isomoes/iread - Versions diffs - 0.1.0 - Mend

@isomoes/iread 0.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (44) hide show

package/LICENSE +21 -0
package/README.md +127 -0
package/dist/server/cli.js +84 -0
package/dist/server/cli.js.map +1 -0
package/dist/server/db.js +158 -0
package/dist/server/db.js.map +1 -0
package/dist/server/feed-service.js +523 -0
package/dist/server/feed-service.js.map +1 -0
package/dist/server/fetch-feed.js +83 -0
package/dist/server/fetch-feed.js.map +1 -0
package/dist/server/index.js +62 -0
package/dist/server/index.js.map +1 -0
package/dist/server/opml.js +137 -0
package/dist/server/opml.js.map +1 -0
package/dist/server/routes/feeds.js +68 -0
package/dist/server/routes/feeds.js.map +1 -0
package/dist/server/routes/helpers.js +44 -0
package/dist/server/routes/helpers.js.map +1 -0
package/dist/server/routes/items.js +95 -0
package/dist/server/routes/items.js.map +1 -0
package/dist/server/routes/opml.js +50 -0
package/dist/server/routes/opml.js.map +1 -0
package/dist/server/sanitize.js +75 -0
package/dist/server/sanitize.js.map +1 -0
package/dist/server/ssrf.js +275 -0
package/dist/server/ssrf.js.map +1 -0
package/dist/shared/types.js +5 -0
package/dist/shared/types.js.map +1 -0
package/dist/web/assets/geist-cyrillic-ext-wght-normal-DjL33-gN.woff2 +0 -0
package/dist/web/assets/geist-cyrillic-wght-normal-BEAKL7Jp.woff2 +0 -0
package/dist/web/assets/geist-latin-ext-wght-normal-DC-KSUi6.woff2 +0 -0
package/dist/web/assets/geist-latin-wght-normal-BgDaEnEv.woff2 +0 -0
package/dist/web/assets/geist-mono-cyrillic-ext-wght-normal-I4S5GZfc.woff2 +0 -0
package/dist/web/assets/geist-mono-cyrillic-wght-normal-BmXc_FBt.woff2 +0 -0
package/dist/web/assets/geist-mono-latin-ext-wght-normal-DrnZ1wKl.woff2 +0 -0
package/dist/web/assets/geist-mono-latin-wght-normal-B_7UjwxQ.woff2 +0 -0
package/dist/web/assets/geist-mono-symbols2-wght-normal-GZpp1pK2.woff2 +0 -0
package/dist/web/assets/geist-mono-vietnamese-wght-normal-D8KDMBhC.woff2 +0 -0
package/dist/web/assets/geist-vietnamese-wght-normal-6IgcOCM7.woff2 +0 -0
package/dist/web/assets/index-BI1j2sXf.css +2 -0
package/dist/web/assets/index-HhCr0pHx.js +17 -0
package/dist/web/assets/index-HhCr0pHx.js.map +1 -0
package/dist/web/index.html +25 -0
package/package.json +75 -0

package/dist/server/index.js ADDED Viewed

@@ -0,0 +1,62 @@
+// src/server/index.ts
+// Hono entry point. Registers all /api/* routers FIRST; unknown /api/* paths
+// return a JSON 404 in the uniform error shape (never HTML). In production serves
+// the static web bundle from ../web (relative to the emitted dist/server/index.js)
+// with SPA fallback to index.html for non-/api GET requests. (PLAN 7, 9, 10)
+import { fileURLToPath } from 'node:url';
+import { dirname, resolve } from 'node:path';
+import { readFile } from 'node:fs/promises';
+import { Hono } from 'hono';
+import { serve } from '@hono/node-server';
+import { serveStatic } from '@hono/node-server/serve-static';
+import { feeds } from './routes/feeds.js';
+import { items } from './routes/items.js';
+import { opml } from './routes/opml.js';
+const PORT = Number(process.env.PORT ?? 8787);
+const IS_PROD = process.env.NODE_ENV === 'production';
+// Importing ./db has the side effect of opening the DB and running migrations.
+// Do it explicitly so startup failures surface immediately.
+import './db.js';
+const app = new Hono();
+// --- API routes (registered FIRST) -----------------------------------------
+const api = new Hono();
+api.route('/feeds', feeds);
+api.route('/items', items);
+api.route('/opml', opml);
+app.route('/api', api);
+// Unknown /api/* -> JSON 404 in the uniform error shape, never the SPA HTML.
+app.all('/api/*', (c) => {
+    const body = {
+        error: { message: `Not found: ${c.req.method} ${c.req.path}`, code: 'NOT_FOUND' },
+    };
+    return c.json(body, 404);
+});
+// --- Static + SPA fallback (production only) --------------------------------
+if (IS_PROD) {
+    // Emitted file is dist/server/index.js; the web bundle is dist/web. The static
+    // root is therefore ../web relative to this module. serveStatic resolves only
+    // within that root (no ../ traversal escapes it).
+    const serverDir = dirname(fileURLToPath(import.meta.url));
+    const webRoot = resolve(serverDir, '../web');
+    const indexHtmlPath = resolve(webRoot, 'index.html');
+    // Serve real static assets first.
+    app.use('/*', serveStatic({ root: webRoot }));
+    // SPA fallback: any non-/api GET that did not match a static file returns
+    // index.html. (The /api/* handlers above already returned for API paths.)
+    app.get('/*', async (c) => {
+        try {
+            const html = await readFile(indexHtmlPath, 'utf-8');
+            return c.html(html);
+        }
+        catch {
+            return c.text('Web bundle not found. Run `pnpm build` first.', 500);
+        }
+    });
+}
+// --- Start ------------------------------------------------------------------
+serve({ fetch: app.fetch, port: PORT }, (info) => {
+    const url = `http://localhost:${info.port}`;
+    console.log(`[iread] listening on ${url}`);
+});
+export { app };
+//# sourceMappingURL=index.js.map

package/dist/server/index.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/server/index.ts"],"names":[],"mappings":"AAAA,sBAAsB;AACtB,6EAA6E;AAC7E,kFAAkF;AAClF,mFAAmF;AACnF,6EAA6E;AAE7E,OAAO,EAAE,aAAa,EAAE,MAAM,UAAU,CAAC;AACzC,OAAO,EAAE,OAAO,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AAC7C,OAAO,EAAE,QAAQ,EAAE,MAAM,kBAAkB,CAAC;AAC5C,OAAO,EAAE,IAAI,EAAE,MAAM,MAAM,CAAC;AAC5B,OAAO,EAAE,KAAK,EAAE,MAAM,mBAAmB,CAAC;AAC1C,OAAO,EAAE,WAAW,EAAE,MAAM,gCAAgC,CAAC;AAE7D,OAAO,EAAE,KAAK,EAAE,MAAM,mBAAmB,CAAC;AAC1C,OAAO,EAAE,KAAK,EAAE,MAAM,mBAAmB,CAAC;AAC1C,OAAO,EAAE,IAAI,EAAE,MAAM,kBAAkB,CAAC;AAExC,MAAM,IAAI,GAAG,MAAM,CAAC,OAAO,CAAC,GAAG,CAAC,IAAI,IAAI,IAAI,CAAC,CAAC;AAC9C,MAAM,OAAO,GAAG,OAAO,CAAC,GAAG,CAAC,QAAQ,KAAK,YAAY,CAAC;AAEtD,+EAA+E;AAC/E,4DAA4D;AAC5D,OAAO,SAAS,CAAC;AAEjB,MAAM,GAAG,GAAG,IAAI,IAAI,EAAE,CAAC;AAEvB,8EAA8E;AAE9E,MAAM,GAAG,GAAG,IAAI,IAAI,EAAE,CAAC;AACvB,GAAG,CAAC,KAAK,CAAC,QAAQ,EAAE,KAAK,CAAC,CAAC;AAC3B,GAAG,CAAC,KAAK,CAAC,QAAQ,EAAE,KAAK,CAAC,CAAC;AAC3B,GAAG,CAAC,KAAK,CAAC,OAAO,EAAE,IAAI,CAAC,CAAC;AAEzB,GAAG,CAAC,KAAK,CAAC,MAAM,EAAE,GAAG,CAAC,CAAC;AAEvB,6EAA6E;AAC7E,GAAG,CAAC,GAAG,CAAC,QAAQ,EAAE,CAAC,CAAC,EAAE,EAAE;IACtB,MAAM,IAAI,GAAa;QACrB,KAAK,EAAE,EAAE,OAAO,EAAE,cAAc,CAAC,CAAC,GAAG,CAAC,MAAM,IAAI,CAAC,CAAC,GAAG,CAAC,IAAI,EAAE,EAAE,IAAI,EAAE,WAAW,EAAE;KAClF,CAAC;IACF,OAAO,CAAC,CAAC,IAAI,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC;AAC3B,CAAC,CAAC,CAAC;AAEH,+EAA+E;AAE/E,IAAI,OAAO,EAAE,CAAC;IACZ,+EAA+E;IAC/E,8EAA8E;IAC9E,kDAAkD;IAClD,MAAM,SAAS,GAAG,OAAO,CAAC,aAAa,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC;IAC1D,MAAM,OAAO,GAAG,OAAO,CAAC,SAAS,EAAE,QAAQ,CAAC,CAAC;IAC7C,MAAM,aAAa,GAAG,OAAO,CAAC,OAAO,EAAE,YAAY,CAAC,CAAC;IAErD,kCAAkC;IAClC,GAAG,CAAC,GAAG,CAAC,IAAI,EAAE,WAAW,CAAC,EAAE,IAAI,EAAE,OAAO,EAAE,CAAC,CAAC,CAAC;IAE9C,0EAA0E;IAC1E,0EAA0E;IAC1E,GAAG,CAAC,GAAG,CAAC,IAAI,EAAE,KAAK,EAAE,CAAC,EAAE,EAAE;QACxB,IAAI,CAAC;YACH,MAAM,IAAI,GAAG,MAAM,QAAQ,CAAC,aAAa,EAAE,OAAO,CAAC,CAAC;YACpD,OAAO,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACtB,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,CAAC,CAAC,IAAI,CAAC,+CAA+C,EAAE,GAAG,CAAC,CAAC;QACtE,CAAC;IACH,CAAC,CAAC,CAAC;AACL,CAAC;AAED,+EAA+E;AAE/E,KAAK,CAAC,EAAE,KAAK,EAAE,GAAG,CAAC,KAAK,EAAE,IAAI,EAAE,IAAI,EAAE,EAAE,CAAC,IAAI,EAAE,EAAE;IAC/C,MAAM,GAAG,GAAG,oBAAoB,IAAI,CAAC,IAAI,EAAE,CAAC;IAC5C,OAAO,CAAC,GAAG,CAAC,wBAAwB,GAAG,EAAE,CAAC,CAAC;AAC7C,CAAC,CAAC,CAAC;AAEH,OAAO,EAAE,GAAG,EAAE,CAAC"}

package/dist/server/opml.js ADDED Viewed

@@ -0,0 +1,137 @@
+// src/server/opml.ts
+// OPML import (XXE-safe parse -> feed URLs) and export (feeds -> OPML 2.0 XML).
+// (PLAN 7 OPML, 10 XXE)
+import { XMLParser } from 'fast-xml-parser';
+const MAX_OPML_BYTES = 5 * 1024 * 1024; // 5 MB
+export class OpmlError extends Error {
+    name = 'OpmlError';
+}
+// ---------------------------------------------------------------------------
+// Import
+// ---------------------------------------------------------------------------
+const parser = new XMLParser({
+    ignoreAttributes: false,
+    attributeNamePrefix: '@_',
+    // XXE / billion-laughs defense: do NOT process DOCTYPE or expand any entities.
+    processEntities: false,
+    allowBooleanAttributes: true,
+    // Treat every <outline> as a potential array element so nested structures and
+    // single-child documents are handled uniformly.
+    isArray: (name) => name === 'outline',
+});
+/**
+ * Recursively collect every `xmlUrl` from the parsed OPML object tree. OPML nests
+ * <outline> elements under <body> and allows folder hierarchies; we walk every
+ * object/array value depth-first and flatten, since iread has no folder concept.
+ */
+function collectXmlUrls(node, out) {
+    if (node === null || typeof node !== 'object')
+        return;
+    if (Array.isArray(node)) {
+        for (const child of node)
+            collectXmlUrls(child, out);
+        return;
+    }
+    const obj = node;
+    // Pick up an xmlUrl attribute on this node (attributeNamePrefix '@_'). Some
+    // exporters vary the casing of the attribute name.
+    const xmlUrl = obj['@_xmlUrl'] ?? obj['@_xmlurl'] ?? obj['@_xmlURL'];
+    if (typeof xmlUrl === 'string') {
+        const trimmed = xmlUrl.trim();
+        if (trimmed)
+            out.push(trimmed);
+    }
+    // Recurse into every child value so nested <body>/<outline> trees are reached
+    // regardless of depth. Attribute values (string/number) are skipped by the
+    // typeof guard at the top.
+    for (const key of Object.keys(obj)) {
+        if (key.startsWith('@_'))
+            continue; // attributes, not child elements
+        collectXmlUrls(obj[key], out);
+    }
+}
+/**
+ * Parse an OPML document and return the de-duplicated list of feed `xmlUrl`s in
+ * first-seen order. Rejects oversized input and documents that declare a DOCTYPE.
+ * Throws OpmlError on parse failure / size violation.
+ */
+export function importOpml(xml) {
+    if (typeof xml !== 'string' || xml.trim() === '') {
+        throw new OpmlError('OPML body is empty.');
+    }
+    // Byte length, not character count, to match the on-wire size.
+    if (Buffer.byteLength(xml, 'utf-8') > MAX_OPML_BYTES) {
+        throw new OpmlError('OPML document exceeds the 5 MB size limit.');
+    }
+    // Defense in depth: reject any DOCTYPE outright (processEntities:false already
+    // refuses to expand entities, but we never want to even see a DTD).
+    if (/<!DOCTYPE/i.test(xml)) {
+        throw new OpmlError('OPML documents with a DOCTYPE are not allowed.');
+    }
+    let doc;
+    try {
+        doc = parser.parse(xml);
+    }
+    catch (err) {
+        const message = err instanceof Error ? err.message : String(err);
+        throw new OpmlError(`Could not parse OPML: ${message}`);
+    }
+    if (doc === null || typeof doc !== 'object') {
+        throw new OpmlError('OPML document is not well-formed.');
+    }
+    const root = doc;
+    const opml = root['opml'];
+    // Body lives at opml.body.outline, but some exporters omit the <opml> wrapper.
+    // Collect from the whole tree to be liberal in what we accept.
+    const urls = [];
+    collectXmlUrls(opml ?? root, urls);
+    // De-dup within the file, preserving first-seen order, so two identical
+    // xmlUrls do not collide on the UNIQUE index mid-transaction.
+    const seen = new Set();
+    const deduped = [];
+    for (const u of urls) {
+        if (!seen.has(u)) {
+            seen.add(u);
+            deduped.push(u);
+        }
+    }
+    return deduped;
+}
+// ---------------------------------------------------------------------------
+// Export
+// ---------------------------------------------------------------------------
+function escapeXmlAttr(value) {
+    return value
+        .replace(/&/g, '&amp;')
+        .replace(/</g, '&lt;')
+        .replace(/>/g, '&gt;')
+        .replace(/"/g, '&quot;')
+        .replace(/'/g, '&apos;');
+}
+/**
+ * Produce an OPML 2.0 document, one <outline type="rss"> per feed with
+ * text/title/xmlUrl (and htmlUrl when a site URL is known). Attributes are
+ * XML-escaped.
+ */
+export function exportOpml(feeds) {
+    const now = new Date().toUTCString();
+    const lines = [];
+    lines.push('<?xml version="1.0" encoding="UTF-8"?>');
+    lines.push('<opml version="2.0">');
+    lines.push('  <head>');
+    lines.push('    <title>iread subscriptions</title>');
+    lines.push(`    <dateCreated>${escapeXmlAttr(now)}</dateCreated>`);
+    lines.push('  </head>');
+    lines.push('  <body>');
+    for (const feed of feeds) {
+        const text = escapeXmlAttr(feed.title || feed.feedUrl);
+        const xmlUrl = escapeXmlAttr(feed.feedUrl);
+        const htmlUrlAttr = feed.siteUrl ? ` htmlUrl="${escapeXmlAttr(feed.siteUrl)}"` : '';
+        lines.push(`    <outline type="rss" text="${text}" title="${text}" xmlUrl="${xmlUrl}"${htmlUrlAttr} />`);
+    }
+    lines.push('  </body>');
+    lines.push('</opml>');
+    lines.push('');
+    return lines.join('\n');
+}
+//# sourceMappingURL=opml.js.map

package/dist/server/opml.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"opml.js","sourceRoot":"","sources":["../../src/server/opml.ts"],"names":[],"mappings":"AAAA,qBAAqB;AACrB,gFAAgF;AAChF,wBAAwB;AAExB,OAAO,EAAE,SAAS,EAAE,MAAM,iBAAiB,CAAC;AAG5C,MAAM,cAAc,GAAG,CAAC,GAAG,IAAI,GAAG,IAAI,CAAC,CAAC,OAAO;AAE/C,MAAM,OAAO,SAAU,SAAQ,KAAK;IACzB,IAAI,GAAG,WAAW,CAAC;CAC7B;AAED,8EAA8E;AAC9E,SAAS;AACT,8EAA8E;AAE9E,MAAM,MAAM,GAAG,IAAI,SAAS,CAAC;IAC3B,gBAAgB,EAAE,KAAK;IACvB,mBAAmB,EAAE,IAAI;IACzB,+EAA+E;IAC/E,eAAe,EAAE,KAAK;IACtB,sBAAsB,EAAE,IAAI;IAC5B,8EAA8E;IAC9E,gDAAgD;IAChD,OAAO,EAAE,CAAC,IAAI,EAAE,EAAE,CAAC,IAAI,KAAK,SAAS;CACtC,CAAC,CAAC;AAEH;;;;GAIG;AACH,SAAS,cAAc,CAAC,IAAa,EAAE,GAAa;IAClD,IAAI,IAAI,KAAK,IAAI,IAAI,OAAO,IAAI,KAAK,QAAQ;QAAE,OAAO;IAEtD,IAAI,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC,EAAE,CAAC;QACxB,KAAK,MAAM,KAAK,IAAI,IAAI;YAAE,cAAc,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;QACrD,OAAO;IACT,CAAC;IAED,MAAM,GAAG,GAAG,IAA+B,CAAC;IAE5C,4EAA4E;IAC5E,mDAAmD;IACnD,MAAM,MAAM,GAAG,GAAG,CAAC,UAAU,CAAC,IAAI,GAAG,CAAC,UAAU,CAAC,IAAI,GAAG,CAAC,UAAU,CAAC,CAAC;IACrE,IAAI,OAAO,MAAM,KAAK,QAAQ,EAAE,CAAC;QAC/B,MAAM,OAAO,GAAG,MAAM,CAAC,IAAI,EAAE,CAAC;QAC9B,IAAI,OAAO;YAAE,GAAG,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;IACjC,CAAC;IAED,8EAA8E;IAC9E,2EAA2E;IAC3E,2BAA2B;IAC3B,KAAK,MAAM,GAAG,IAAI,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC;QACnC,IAAI,GAAG,CAAC,UAAU,CAAC,IAAI,CAAC;YAAE,SAAS,CAAC,iCAAiC;QACrE,cAAc,CAAC,GAAG,CAAC,GAAG,CAAC,EAAE,GAAG,CAAC,CAAC;IAChC,CAAC;AACH,CAAC;AAED;;;;GAIG;AACH,MAAM,UAAU,UAAU,CAAC,GAAW;IACpC,IAAI,OAAO,GAAG,KAAK,QAAQ,IAAI,GAAG,CAAC,IAAI,EAAE,KAAK,EAAE,EAAE,CAAC;QACjD,MAAM,IAAI,SAAS,CAAC,qBAAqB,CAAC,CAAC;IAC7C,CAAC;IACD,+DAA+D;IAC/D,IAAI,MAAM,CAAC,UAAU,CAAC,GAAG,EAAE,OAAO,CAAC,GAAG,cAAc,EAAE,CAAC;QACrD,MAAM,IAAI,SAAS,CAAC,4CAA4C,CAAC,CAAC;IACpE,CAAC;IACD,+EAA+E;IAC/E,oEAAoE;IACpE,IAAI,YAAY,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC;QAC3B,MAAM,IAAI,SAAS,CAAC,gDAAgD,CAAC,CAAC;IACxE,CAAC;IAED,IAAI,GAAY,CAAC;IACjB,IAAI,CAAC;QACH,GAAG,GAAG,MAAM,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IAC1B,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,MAAM,OAAO,GAAG,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;QACjE,MAAM,IAAI,SAAS,CAAC,yBAAyB,OAAO,EAAE,CAAC,CAAC;IAC1D,CAAC;IAED,IAAI,GAAG,KAAK,IAAI,IAAI,OAAO,GAAG,KAAK,QAAQ,EAAE,CAAC;QAC5C,MAAM,IAAI,SAAS,CAAC,mCAAmC,CAAC,CAAC;IAC3D,CAAC;IAED,MAAM,IAAI,GAAG,GAA8B,CAAC;IAC5C,MAAM,IAAI,GAAG,IAAI,CAAC,MAAM,CAAC,CAAC;IAC1B,+EAA+E;IAC/E,+DAA+D;IAC/D,MAAM,IAAI,GAAa,EAAE,CAAC;IAC1B,cAAc,CAAC,IAAI,IAAI,IAAI,EAAE,IAAI,CAAC,CAAC;IAEnC,wEAAwE;IACxE,8DAA8D;IAC9D,MAAM,IAAI,GAAG,IAAI,GAAG,EAAU,CAAC;IAC/B,MAAM,OAAO,GAAa,EAAE,CAAC;IAC7B,KAAK,MAAM,CAAC,IAAI,IAAI,EAAE,CAAC;QACrB,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC;YACjB,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC;YACZ,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QAClB,CAAC;IACH,CAAC;IACD,OAAO,OAAO,CAAC;AACjB,CAAC;AAED,8EAA8E;AAC9E,SAAS;AACT,8EAA8E;AAE9E,SAAS,aAAa,CAAC,KAAa;IAClC,OAAO,KAAK;SACT,OAAO,CAAC,IAAI,EAAE,OAAO,CAAC;SACtB,OAAO,CAAC,IAAI,EAAE,MAAM,CAAC;SACrB,OAAO,CAAC,IAAI,EAAE,MAAM,CAAC;SACrB,OAAO,CAAC,IAAI,EAAE,QAAQ,CAAC;SACvB,OAAO,CAAC,IAAI,EAAE,QAAQ,CAAC,CAAC;AAC7B,CAAC;AAED;;;;GAIG;AACH,MAAM,UAAU,UAAU,CAAC,KAAa;IACtC,MAAM,GAAG,GAAG,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE,CAAC;IACrC,MAAM,KAAK,GAAa,EAAE,CAAC;IAC3B,KAAK,CAAC,IAAI,CAAC,wCAAwC,CAAC,CAAC;IACrD,KAAK,CAAC,IAAI,CAAC,sBAAsB,CAAC,CAAC;IACnC,KAAK,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;IACvB,KAAK,CAAC,IAAI,CAAC,wCAAwC,CAAC,CAAC;IACrD,KAAK,CAAC,IAAI,CAAC,oBAAoB,aAAa,CAAC,GAAG,CAAC,gBAAgB,CAAC,CAAC;IACnE,KAAK,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC;IACxB,KAAK,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;IACvB,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;QACzB,MAAM,IAAI,GAAG,aAAa,CAAC,IAAI,CAAC,KAAK,IAAI,IAAI,CAAC,OAAO,CAAC,CAAC;QACvD,MAAM,MAAM,GAAG,aAAa,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;QAC3C,MAAM,WAAW,GAAG,IAAI,CAAC,OAAO,CAAC,CAAC,CAAC,aAAa,aAAa,CAAC,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC;QACpF,KAAK,CAAC,IAAI,CACR,iCAAiC,IAAI,YAAY,IAAI,aAAa,MAAM,IAAI,WAAW,KAAK,CAC7F,CAAC;IACJ,CAAC;IACD,KAAK,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC;IACxB,KAAK,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;IACtB,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IACf,OAAO,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;AAC1B,CAAC"}

package/dist/server/routes/feeds.js ADDED Viewed

@@ -0,0 +1,68 @@
+// src/server/routes/feeds.ts
+// /api/feeds router: list, add, delete, refresh-one, refresh-all. (PLAN 7 Feeds)
+import { Hono } from 'hono';
+import { addFeed, deleteFeed, listFeeds, refreshAll, refreshFeed, } from '../feed-service.js';
+import { errorResponse, parseId, serviceErrorToResponse } from './helpers.js';
+export const feeds = new Hono();
+// IMPORTANT: register the static "/refresh" route before the parameterized
+// ":id/refresh" route so "refresh" is never captured as an :id.
+// GET /api/feeds — list feeds with counts + global totals.
+feeds.get('/', (c) => {
+    const body = listFeeds();
+    return c.json(body, 200);
+});
+// POST /api/feeds — add a feed by URL (fetches immediately).
+feeds.post('/', async (c) => {
+    let payload;
+    try {
+        payload = await c.req.json();
+    }
+    catch {
+        return errorResponse(c, 400, 'Request body must be JSON.');
+    }
+    if (!payload || typeof payload.url !== 'string') {
+        return errorResponse(c, 400, 'Body must include a "url" string.', 'BAD_INPUT');
+    }
+    try {
+        const feed = await addFeed(payload.url);
+        const body = { feed };
+        return c.json(body, 201);
+    }
+    catch (err) {
+        return serviceErrorToResponse(c, err);
+    }
+});
+// POST /api/feeds/refresh — refresh all feeds (always 200).
+feeds.post('/refresh', async (c) => {
+    const result = await refreshAll();
+    const body = result;
+    return c.json(body, 200);
+});
+// POST /api/feeds/:id/refresh — refresh one feed.
+feeds.post('/:id/refresh', async (c) => {
+    const id = parseId(c.req.param('id'));
+    if (id === null)
+        return errorResponse(c, 400, 'Invalid feed id.', 'BAD_INPUT');
+    try {
+        const result = await refreshFeed(id);
+        const body = result;
+        return c.json(body, 200);
+    }
+    catch (err) {
+        return serviceErrorToResponse(c, err);
+    }
+});
+// DELETE /api/feeds/:id — delete a feed (cascades to items).
+feeds.delete('/:id', (c) => {
+    const id = parseId(c.req.param('id'));
+    if (id === null)
+        return errorResponse(c, 400, 'Invalid feed id.', 'BAD_INPUT');
+    try {
+        deleteFeed(id);
+        return c.body(null, 204);
+    }
+    catch (err) {
+        return serviceErrorToResponse(c, err);
+    }
+});
+//# sourceMappingURL=feeds.js.map

package/dist/server/routes/feeds.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"feeds.js","sourceRoot":"","sources":["../../../src/server/routes/feeds.ts"],"names":[],"mappings":"AAAA,6BAA6B;AAC7B,iFAAiF;AAEjF,OAAO,EAAE,IAAI,EAAE,MAAM,MAAM,CAAC;AAQ5B,OAAO,EACL,OAAO,EACP,UAAU,EACV,SAAS,EACT,UAAU,EACV,WAAW,GACZ,MAAM,oBAAoB,CAAC;AAC5B,OAAO,EAAE,aAAa,EAAE,OAAO,EAAE,sBAAsB,EAAE,MAAM,cAAc,CAAC;AAE9E,MAAM,CAAC,MAAM,KAAK,GAAG,IAAI,IAAI,EAAE,CAAC;AAEhC,2EAA2E;AAC3E,gEAAgE;AAEhE,2DAA2D;AAC3D,KAAK,CAAC,GAAG,CAAC,GAAG,EAAE,CAAC,CAAC,EAAE,EAAE;IACnB,MAAM,IAAI,GAAsB,SAAS,EAAE,CAAC;IAC5C,OAAO,CAAC,CAAC,IAAI,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC;AAC3B,CAAC,CAAC,CAAC;AAEH,6DAA6D;AAC7D,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,KAAK,EAAE,CAAC,EAAE,EAAE;IAC1B,IAAI,OAAgC,CAAC;IACrC,IAAI,CAAC;QACH,OAAO,GAAG,MAAM,CAAC,CAAC,GAAG,CAAC,IAAI,EAAE,CAAC;IAC/B,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,aAAa,CAAC,CAAC,EAAE,GAAG,EAAE,4BAA4B,CAAC,CAAC;IAC7D,CAAC;IACD,IAAI,CAAC,OAAO,IAAI,OAAO,OAAO,CAAC,GAAG,KAAK,QAAQ,EAAE,CAAC;QAChD,OAAO,aAAa,CAAC,CAAC,EAAE,GAAG,EAAE,mCAAmC,EAAE,WAAW,CAAC,CAAC;IACjF,CAAC;IAED,IAAI,CAAC;QACH,MAAM,IAAI,GAAG,MAAM,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;QACxC,MAAM,IAAI,GAAoB,EAAE,IAAI,EAAE,CAAC;QACvC,OAAO,CAAC,CAAC,IAAI,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC;IAC3B,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,OAAO,sBAAsB,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC;IACxC,CAAC;AACH,CAAC,CAAC,CAAC;AAEH,4DAA4D;AAC5D,KAAK,CAAC,IAAI,CAAC,UAAU,EAAE,KAAK,EAAE,CAAC,EAAE,EAAE;IACjC,MAAM,MAAM,GAAG,MAAM,UAAU,EAAE,CAAC;IAClC,MAAM,IAAI,GAAuB,MAAM,CAAC;IACxC,OAAO,CAAC,CAAC,IAAI,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC;AAC3B,CAAC,CAAC,CAAC;AAEH,kDAAkD;AAClD,KAAK,CAAC,IAAI,CAAC,cAAc,EAAE,KAAK,EAAE,CAAC,EAAE,EAAE;IACrC,MAAM,EAAE,GAAG,OAAO,CAAC,CAAC,CAAC,GAAG,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC;IACtC,IAAI,EAAE,KAAK,IAAI;QAAE,OAAO,aAAa,CAAC,CAAC,EAAE,GAAG,EAAE,kBAAkB,EAAE,WAAW,CAAC,CAAC;IAC/E,IAAI,CAAC;QACH,MAAM,MAAM,GAAG,MAAM,WAAW,CAAC,EAAE,CAAC,CAAC;QACrC,MAAM,IAAI,GAAwB,MAAM,CAAC;QACzC,OAAO,CAAC,CAAC,IAAI,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC;IAC3B,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,OAAO,sBAAsB,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC;IACxC,CAAC;AACH,CAAC,CAAC,CAAC;AAEH,6DAA6D;AAC7D,KAAK,CAAC,MAAM,CAAC,MAAM,EAAE,CAAC,CAAC,EAAE,EAAE;IACzB,MAAM,EAAE,GAAG,OAAO,CAAC,CAAC,CAAC,GAAG,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC;IACtC,IAAI,EAAE,KAAK,IAAI;QAAE,OAAO,aAAa,CAAC,CAAC,EAAE,GAAG,EAAE,kBAAkB,EAAE,WAAW,CAAC,CAAC;IAC/E,IAAI,CAAC;QACH,UAAU,CAAC,EAAE,CAAC,CAAC;QACf,OAAO,CAAC,CAAC,IAAI,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC;IAC3B,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,OAAO,sBAAsB,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC;IACxC,CAAC;AACH,CAAC,CAAC,CAAC"}

package/dist/server/routes/helpers.js ADDED Viewed

@@ -0,0 +1,44 @@
+// src/server/routes/helpers.ts
+// Shared route utilities: uniform error responses, id/number parsing, and a
+// mapping from ServiceError codes to HTTP statuses.
+import { ServiceError } from '../feed-service.js';
+/** Emit the uniform error shape `{ error: { message, code? } }`. */
+export function errorResponse(c, status, message, code) {
+    const body = { error: code ? { message, code } : { message } };
+    return c.json(body, status);
+}
+const CODE_TO_STATUS = {
+    BAD_INPUT: 400,
+    UNSAFE_URL: 400,
+    NOT_FOUND: 404,
+    DUPLICATE: 409,
+    UNPARSEABLE: 422,
+};
+/**
+ * Map any thrown error to a response. ServiceError carries an explicit code;
+ * anything else becomes a 500 with a generic message (details are logged).
+ */
+export function serviceErrorToResponse(c, err) {
+    if (err instanceof ServiceError) {
+        return errorResponse(c, CODE_TO_STATUS[err.code], err.message, err.code);
+    }
+    console.error('[iread] unexpected error:', err);
+    return errorResponse(c, 500, 'An unexpected error occurred.', 'INTERNAL');
+}
+/** Parse a positive integer id from a path param; null if invalid. */
+export function parseId(raw) {
+    if (raw === undefined)
+        return null;
+    if (!/^\d+$/.test(raw))
+        return null;
+    const n = Number.parseInt(raw, 10);
+    return Number.isSafeInteger(n) && n > 0 ? n : null;
+}
+/** Parse an optional integer query param; returns undefined when absent/blank. */
+export function parseOptionalInt(raw) {
+    if (raw === undefined || raw.trim() === '')
+        return undefined;
+    const n = Number(raw);
+    return Number.isFinite(n) ? Math.trunc(n) : undefined;
+}
+//# sourceMappingURL=helpers.js.map

package/dist/server/routes/helpers.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"helpers.js","sourceRoot":"","sources":["../../../src/server/routes/helpers.ts"],"names":[],"mappings":"AAAA,+BAA+B;AAC/B,4EAA4E;AAC5E,oDAAoD;AAKpD,OAAO,EAAE,YAAY,EAAyB,MAAM,oBAAoB,CAAC;AAEzE,oEAAoE;AACpE,MAAM,UAAU,aAAa,CAC3B,CAAU,EACV,MAA4B,EAC5B,OAAe,EACf,IAAa;IAEb,MAAM,IAAI,GAAa,EAAE,KAAK,EAAE,IAAI,CAAC,CAAC,CAAC,EAAE,OAAO,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC,EAAE,OAAO,EAAE,EAAE,CAAC;IACzE,OAAO,CAAC,CAAC,IAAI,CAAC,IAAI,EAAE,MAAM,CAAC,CAAC;AAC9B,CAAC;AAED,MAAM,cAAc,GAAmD;IACrE,SAAS,EAAE,GAAG;IACd,UAAU,EAAE,GAAG;IACf,SAAS,EAAE,GAAG;IACd,SAAS,EAAE,GAAG;IACd,WAAW,EAAE,GAAG;CACjB,CAAC;AAEF;;;GAGG;AACH,MAAM,UAAU,sBAAsB,CAAC,CAAU,EAAE,GAAY;IAC7D,IAAI,GAAG,YAAY,YAAY,EAAE,CAAC;QAChC,OAAO,aAAa,CAAC,CAAC,EAAE,cAAc,CAAC,GAAG,CAAC,IAAI,CAAC,EAAE,GAAG,CAAC,OAAO,EAAE,GAAG,CAAC,IAAI,CAAC,CAAC;IAC3E,CAAC;IACD,OAAO,CAAC,KAAK,CAAC,2BAA2B,EAAE,GAAG,CAAC,CAAC;IAChD,OAAO,aAAa,CAAC,CAAC,EAAE,GAAG,EAAE,+BAA+B,EAAE,UAAU,CAAC,CAAC;AAC5E,CAAC;AAED,sEAAsE;AACtE,MAAM,UAAU,OAAO,CAAC,GAAuB;IAC7C,IAAI,GAAG,KAAK,SAAS;QAAE,OAAO,IAAI,CAAC;IACnC,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,GAAG,CAAC;QAAE,OAAO,IAAI,CAAC;IACpC,MAAM,CAAC,GAAG,MAAM,CAAC,QAAQ,CAAC,GAAG,EAAE,EAAE,CAAC,CAAC;IACnC,OAAO,MAAM,CAAC,aAAa,CAAC,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC;AACrD,CAAC;AAED,kFAAkF;AAClF,MAAM,UAAU,gBAAgB,CAAC,GAAuB;IACtD,IAAI,GAAG,KAAK,SAAS,IAAI,GAAG,CAAC,IAAI,EAAE,KAAK,EAAE;QAAE,OAAO,SAAS,CAAC;IAC7D,MAAM,CAAC,GAAG,MAAM,CAAC,GAAG,CAAC,CAAC;IACtB,OAAO,MAAM,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC;AACxD,CAAC"}

package/dist/server/routes/items.js ADDED Viewed

@@ -0,0 +1,95 @@
+// src/server/routes/items.ts
+// /api/items router: list, get, patch (read/star), mark-all-read. (PLAN 7 Items)
+import { Hono } from 'hono';
+import { getItem, listItems, markAllRead, patchItem, } from '../feed-service.js';
+import { errorResponse, parseId, parseOptionalInt, serviceErrorToResponse } from './helpers.js';
+export const items = new Hono();
+function parseView(raw) {
+    if (raw === 'all' || raw === 'unread' || raw === 'starred')
+        return raw;
+    return undefined;
+}
+// GET /api/items — list item summaries.
+items.get('/', (c) => {
+    const view = parseView(c.req.query('view')) ?? 'all';
+    const q = c.req.query('q') ?? '';
+    const feedId = parseOptionalInt(c.req.query('feedId'));
+    const limit = parseOptionalInt(c.req.query('limit'));
+    const offset = parseOptionalInt(c.req.query('offset'));
+    const query = { view, q };
+    if (feedId !== undefined)
+        query.feedId = feedId;
+    if (limit !== undefined)
+        query.limit = limit;
+    if (offset !== undefined)
+        query.offset = offset;
+    const body = listItems(query);
+    return c.json(body, 200);
+});
+// POST /api/items/mark-all-read — mark a scope read. Registered before /:id so
+// "mark-all-read" is never captured as an item id.
+items.post('/mark-all-read', async (c) => {
+    let payload = {};
+    try {
+        const text = await c.req.text();
+        if (text.trim() !== '')
+            payload = JSON.parse(text);
+    }
+    catch {
+        return errorResponse(c, 400, 'Request body must be JSON.', 'BAD_INPUT');
+    }
+    const scope = {};
+    if (typeof payload.feedId === 'number' && Number.isFinite(payload.feedId)) {
+        scope.feedId = Math.trunc(payload.feedId);
+    }
+    const view = parseView(payload.view);
+    if (view !== undefined)
+        scope.view = view;
+    const updated = markAllRead(scope);
+    const body = { updated };
+    return c.json(body, 200);
+});
+// GET /api/items/:id — full item for the reader pane.
+items.get('/:id', (c) => {
+    const id = parseId(c.req.param('id'));
+    if (id === null)
+        return errorResponse(c, 400, 'Invalid item id.', 'BAD_INPUT');
+    try {
+        const item = getItem(id);
+        const body = { item };
+        return c.json(body, 200);
+    }
+    catch (err) {
+        return serviceErrorToResponse(c, err);
+    }
+});
+// PATCH /api/items/:id — update read/starred state.
+items.patch('/:id', async (c) => {
+    const id = parseId(c.req.param('id'));
+    if (id === null)
+        return errorResponse(c, 400, 'Invalid item id.', 'BAD_INPUT');
+    let payload;
+    try {
+        payload = await c.req.json();
+    }
+    catch {
+        return errorResponse(c, 400, 'Request body must be JSON.', 'BAD_INPUT');
+    }
+    const patch = {};
+    if (typeof payload.isRead === 'boolean')
+        patch.isRead = payload.isRead;
+    if (typeof payload.isStarred === 'boolean')
+        patch.isStarred = payload.isStarred;
+    if (patch.isRead === undefined && patch.isStarred === undefined) {
+        return errorResponse(c, 400, 'Provide at least one of isRead or isStarred (boolean).', 'BAD_INPUT');
+    }
+    try {
+        const item = patchItem(id, patch);
+        const body = { item };
+        return c.json(body, 200);
+    }
+    catch (err) {
+        return serviceErrorToResponse(c, err);
+    }
+});
+//# sourceMappingURL=items.js.map

package/dist/server/routes/items.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"items.js","sourceRoot":"","sources":["../../../src/server/routes/items.ts"],"names":[],"mappings":"AAAA,6BAA6B;AAC7B,iFAAiF;AAEjF,OAAO,EAAE,IAAI,EAAE,MAAM,MAAM,CAAC;AAW5B,OAAO,EACL,OAAO,EACP,SAAS,EACT,WAAW,EACX,SAAS,GACV,MAAM,oBAAoB,CAAC;AAC5B,OAAO,EAAE,aAAa,EAAE,OAAO,EAAE,gBAAgB,EAAE,sBAAsB,EAAE,MAAM,cAAc,CAAC;AAEhG,MAAM,CAAC,MAAM,KAAK,GAAG,IAAI,IAAI,EAAE,CAAC;AAEhC,SAAS,SAAS,CAAC,GAAuB;IACxC,IAAI,GAAG,KAAK,KAAK,IAAI,GAAG,KAAK,QAAQ,IAAI,GAAG,KAAK,SAAS;QAAE,OAAO,GAAG,CAAC;IACvE,OAAO,SAAS,CAAC;AACnB,CAAC;AAED,wCAAwC;AACxC,KAAK,CAAC,GAAG,CAAC,GAAG,EAAE,CAAC,CAAC,EAAE,EAAE;IACnB,MAAM,IAAI,GAAG,SAAS,CAAC,CAAC,CAAC,GAAG,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC,IAAI,KAAK,CAAC;IACrD,MAAM,CAAC,GAAG,CAAC,CAAC,GAAG,CAAC,KAAK,CAAC,GAAG,CAAC,IAAI,EAAE,CAAC;IACjC,MAAM,MAAM,GAAG,gBAAgB,CAAC,CAAC,CAAC,GAAG,CAAC,KAAK,CAAC,QAAQ,CAAC,CAAC,CAAC;IACvD,MAAM,KAAK,GAAG,gBAAgB,CAAC,CAAC,CAAC,GAAG,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC;IACrD,MAAM,MAAM,GAAG,gBAAgB,CAAC,CAAC,CAAC,GAAG,CAAC,KAAK,CAAC,QAAQ,CAAC,CAAC,CAAC;IAEvD,MAAM,KAAK,GAAmB,EAAE,IAAI,EAAE,CAAC,EAAE,CAAC;IAC1C,IAAI,MAAM,KAAK,SAAS;QAAE,KAAK,CAAC,MAAM,GAAG,MAAM,CAAC;IAChD,IAAI,KAAK,KAAK,SAAS;QAAE,KAAK,CAAC,KAAK,GAAG,KAAK,CAAC;IAC7C,IAAI,MAAM,KAAK,SAAS;QAAE,KAAK,CAAC,MAAM,GAAG,MAAM,CAAC;IAEhD,MAAM,IAAI,GAAsB,SAAS,CAAC,KAAK,CAAC,CAAC;IACjD,OAAO,CAAC,CAAC,IAAI,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC;AAC3B,CAAC,CAAC,CAAC;AAEH,+EAA+E;AAC/E,mDAAmD;AACnD,KAAK,CAAC,IAAI,CAAC,gBAAgB,EAAE,KAAK,EAAE,CAAC,EAAE,EAAE;IACvC,IAAI,OAAO,GAAgC,EAAE,CAAC;IAC9C,IAAI,CAAC;QACH,MAAM,IAAI,GAAG,MAAM,CAAC,CAAC,GAAG,CAAC,IAAI,EAAE,CAAC;QAChC,IAAI,IAAI,CAAC,IAAI,EAAE,KAAK,EAAE;YAAE,OAAO,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAgC,CAAC;IACpF,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,aAAa,CAAC,CAAC,EAAE,GAAG,EAAE,4BAA4B,EAAE,WAAW,CAAC,CAAC;IAC1E,CAAC;IAED,MAAM,KAAK,GAAuB,EAAE,CAAC;IACrC,IAAI,OAAO,OAAO,CAAC,MAAM,KAAK,QAAQ,IAAI,MAAM,CAAC,QAAQ,CAAC,OAAO,CAAC,MAAM,CAAC,EAAE,CAAC;QAC1E,KAAK,CAAC,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC;IAC5C,CAAC;IACD,MAAM,IAAI,GAAG,SAAS,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC;IACrC,IAAI,IAAI,KAAK,SAAS;QAAE,KAAK,CAAC,IAAI,GAAG,IAAI,CAAC;IAE1C,MAAM,OAAO,GAAG,WAAW,CAAC,KAAK,CAAC,CAAC;IACnC,MAAM,IAAI,GAAwB,EAAE,OAAO,EAAE,CAAC;IAC9C,OAAO,CAAC,CAAC,IAAI,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC;AAC3B,CAAC,CAAC,CAAC;AAEH,sDAAsD;AACtD,KAAK,CAAC,GAAG,CAAC,MAAM,EAAE,CAAC,CAAC,EAAE,EAAE;IACtB,MAAM,EAAE,GAAG,OAAO,CAAC,CAAC,CAAC,GAAG,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC;IACtC,IAAI,EAAE,KAAK,IAAI;QAAE,OAAO,aAAa,CAAC,CAAC,EAAE,GAAG,EAAE,kBAAkB,EAAE,WAAW,CAAC,CAAC;IAC/E,IAAI,CAAC;QACH,MAAM,IAAI,GAAG,OAAO,CAAC,EAAE,CAAC,CAAC;QACzB,MAAM,IAAI,GAAoB,EAAE,IAAI,EAAE,CAAC;QACvC,OAAO,CAAC,CAAC,IAAI,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC;IAC3B,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,OAAO,sBAAsB,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC;IACxC,CAAC;AACH,CAAC,CAAC,CAAC;AAEH,oDAAoD;AACpD,KAAK,CAAC,KAAK,CAAC,MAAM,EAAE,KAAK,EAAE,CAAC,EAAE,EAAE;IAC9B,MAAM,EAAE,GAAG,OAAO,CAAC,CAAC,CAAC,GAAG,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC;IACtC,IAAI,EAAE,KAAK,IAAI;QAAE,OAAO,aAAa,CAAC,CAAC,EAAE,GAAG,EAAE,kBAAkB,EAAE,WAAW,CAAC,CAAC;IAE/E,IAAI,OAAkC,CAAC;IACvC,IAAI,CAAC;QACH,OAAO,GAAG,MAAM,CAAC,CAAC,GAAG,CAAC,IAAI,EAAE,CAAC;IAC/B,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,aAAa,CAAC,CAAC,EAAE,GAAG,EAAE,4BAA4B,EAAE,WAAW,CAAC,CAAC;IAC1E,CAAC;IAED,MAAM,KAAK,GAAqB,EAAE,CAAC;IACnC,IAAI,OAAO,OAAO,CAAC,MAAM,KAAK,SAAS;QAAE,KAAK,CAAC,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC;IACvE,IAAI,OAAO,OAAO,CAAC,SAAS,KAAK,SAAS;QAAE,KAAK,CAAC,SAAS,GAAG,OAAO,CAAC,SAAS,CAAC;IAChF,IAAI,KAAK,CAAC,MAAM,KAAK,SAAS,IAAI,KAAK,CAAC,SAAS,KAAK,SAAS,EAAE,CAAC;QAChE,OAAO,aAAa,CAAC,CAAC,EAAE,GAAG,EAAE,wDAAwD,EAAE,WAAW,CAAC,CAAC;IACtG,CAAC;IAED,IAAI,CAAC;QACH,MAAM,IAAI,GAAG,SAAS,CAAC,EAAE,EAAE,KAAK,CAAC,CAAC;QAClC,MAAM,IAAI,GAAsB,EAAE,IAAI,EAAE,CAAC;QACzC,OAAO,CAAC,CAAC,IAAI,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC;IAC3B,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,OAAO,sBAAsB,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC;IACxC,CAAC;AACH,CAAC,CAAC,CAAC"}

package/dist/server/routes/opml.js ADDED Viewed

@@ -0,0 +1,50 @@
+// src/server/routes/opml.ts
+// /api/opml router: export (GET) and import (POST). (PLAN 7 OPML)
+import { Hono } from 'hono';
+import { importFeeds, listFeedsForExport } from '../feed-service.js';
+import { exportOpml, importOpml, OpmlError } from '../opml.js';
+import { errorResponse } from './helpers.js';
+export const opml = new Hono();
+// GET /api/opml — export subscriptions as OPML 2.0.
+opml.get('/', (c) => {
+    const xml = exportOpml(listFeedsForExport());
+    c.header('Content-Type', 'text/x-opml; charset=utf-8');
+    c.header('Content-Disposition', 'attachment; filename="iread.opml"');
+    return c.body(xml, 200);
+});
+// POST /api/opml — import. Accepts a raw OPML body (application/xml,
+// text/x-opml) or JSON { opml: string }.
+opml.post('/', async (c) => {
+    const contentType = (c.req.header('content-type') ?? '').toLowerCase();
+    let xml;
+    try {
+        if (contentType.includes('application/json')) {
+            const payload = (await c.req.json());
+            if (!payload || typeof payload.opml !== 'string') {
+                return errorResponse(c, 400, 'JSON body must include an "opml" string.', 'BAD_INPUT');
+            }
+            xml = payload.opml;
+        }
+        else {
+            // Raw OPML body (application/xml, text/x-opml, or unspecified).
+            xml = await c.req.text();
+        }
+    }
+    catch {
+        return errorResponse(c, 400, 'Could not read the request body.', 'BAD_INPUT');
+    }
+    let urls;
+    try {
+        urls = importOpml(xml);
+    }
+    catch (err) {
+        if (err instanceof OpmlError) {
+            return errorResponse(c, 400, err.message, 'BAD_OPML');
+        }
+        return errorResponse(c, 400, 'Could not parse the OPML document.', 'BAD_OPML');
+    }
+    const result = await importFeeds(urls);
+    const body = result;
+    return c.json(body, 200);
+});
+//# sourceMappingURL=opml.js.map

package/dist/server/routes/opml.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"opml.js","sourceRoot":"","sources":["../../../src/server/routes/opml.ts"],"names":[],"mappings":"AAAA,4BAA4B;AAC5B,kEAAkE;AAElE,OAAO,EAAE,IAAI,EAAE,MAAM,MAAM,CAAC;AAE5B,OAAO,EAAE,WAAW,EAAE,kBAAkB,EAAE,MAAM,oBAAoB,CAAC;AACrE,OAAO,EAAE,UAAU,EAAE,UAAU,EAAE,SAAS,EAAE,MAAM,YAAY,CAAC;AAC/D,OAAO,EAAE,aAAa,EAAE,MAAM,cAAc,CAAC;AAE7C,MAAM,CAAC,MAAM,IAAI,GAAG,IAAI,IAAI,EAAE,CAAC;AAE/B,oDAAoD;AACpD,IAAI,CAAC,GAAG,CAAC,GAAG,EAAE,CAAC,CAAC,EAAE,EAAE;IAClB,MAAM,GAAG,GAAG,UAAU,CAAC,kBAAkB,EAAE,CAAC,CAAC;IAC7C,CAAC,CAAC,MAAM,CAAC,cAAc,EAAE,4BAA4B,CAAC,CAAC;IACvD,CAAC,CAAC,MAAM,CAAC,qBAAqB,EAAE,mCAAmC,CAAC,CAAC;IACrE,OAAO,CAAC,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,CAAC,CAAC;AAC1B,CAAC,CAAC,CAAC;AAEH,qEAAqE;AACrE,yCAAyC;AACzC,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,KAAK,EAAE,CAAC,EAAE,EAAE;IACzB,MAAM,WAAW,GAAG,CAAC,CAAC,CAAC,GAAG,CAAC,MAAM,CAAC,cAAc,CAAC,IAAI,EAAE,CAAC,CAAC,WAAW,EAAE,CAAC;IAEvE,IAAI,GAAW,CAAC;IAChB,IAAI,CAAC;QACH,IAAI,WAAW,CAAC,QAAQ,CAAC,kBAAkB,CAAC,EAAE,CAAC;YAC7C,MAAM,OAAO,GAAG,CAAC,MAAM,CAAC,CAAC,GAAG,CAAC,IAAI,EAAE,CAA+B,CAAC;YACnE,IAAI,CAAC,OAAO,IAAI,OAAO,OAAO,CAAC,IAAI,KAAK,QAAQ,EAAE,CAAC;gBACjD,OAAO,aAAa,CAAC,CAAC,EAAE,GAAG,EAAE,0CAA0C,EAAE,WAAW,CAAC,CAAC;YACxF,CAAC;YACD,GAAG,GAAG,OAAO,CAAC,IAAI,CAAC;QACrB,CAAC;aAAM,CAAC;YACN,gEAAgE;YAChE,GAAG,GAAG,MAAM,CAAC,CAAC,GAAG,CAAC,IAAI,EAAE,CAAC;QAC3B,CAAC;IACH,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,aAAa,CAAC,CAAC,EAAE,GAAG,EAAE,kCAAkC,EAAE,WAAW,CAAC,CAAC;IAChF,CAAC;IAED,IAAI,IAAc,CAAC;IACnB,IAAI,CAAC;QACH,IAAI,GAAG,UAAU,CAAC,GAAG,CAAC,CAAC;IACzB,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,IAAI,GAAG,YAAY,SAAS,EAAE,CAAC;YAC7B,OAAO,aAAa,CAAC,CAAC,EAAE,GAAG,EAAE,GAAG,CAAC,OAAO,EAAE,UAAU,CAAC,CAAC;QACxD,CAAC;QACD,OAAO,aAAa,CAAC,CAAC,EAAE,GAAG,EAAE,oCAAoC,EAAE,UAAU,CAAC,CAAC;IACjF,CAAC;IAED,MAAM,MAAM,GAAG,MAAM,WAAW,CAAC,IAAI,CAAC,CAAC;IACvC,MAAM,IAAI,GAAuB,MAAM,CAAC;IACxC,OAAO,CAAC,CAAC,IAAI,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC;AAC3B,CAAC,CAAC,CAAC"}

package/dist/server/sanitize.js ADDED Viewed

@@ -0,0 +1,75 @@
+// src/server/sanitize.ts
+// Server-side HTML sanitization. Bodies are sanitized before they touch the DB,
+// so stored content_html is already safe and the client renders it via
+// dangerouslySetInnerHTML without re-sanitizing. (PLAN Section 5.4)
+import sanitizeHtml from 'sanitize-html';
+export const SANITIZE_OPTS = {
+    allowedTags: [
+        'h1', 'h2', 'h3', 'h4', 'h5', 'h6',
+        'p', 'blockquote', 'pre', 'code',
+        'ul', 'ol', 'li', 'dl', 'dt', 'dd',
+        'a', 'b', 'i', 'strong', 'em', 'mark', 'small', 'sub', 'sup', 'u', 's', 'span', 'br', 'hr',
+        'img', 'figure', 'figcaption',
+        'table', 'thead', 'tbody', 'tfoot', 'tr', 'th', 'td', 'caption',
+        'video', 'audio', 'source',
+    ],
+    allowedAttributes: {
+        a: ['href', 'name', 'target', 'rel'],
+        img: ['src', 'srcset', 'alt', 'title', 'width', 'height', 'loading'],
+        video: ['src', 'controls', 'poster', 'width', 'height'],
+        audio: ['src', 'controls'],
+        source: ['src', 'srcset', 'type', 'media'],
+        td: ['colspan', 'rowspan'],
+        th: ['colspan', 'rowspan', 'scope'],
+        '*': ['class'],
+    },
+    allowedSchemes: ['http', 'https', 'mailto'],
+    // Raster data: images only. NO data: svg (can carry script in some renderers);
+    // the second pass below strips any non-raster data: URL that slips through here.
+    allowedSchemesByTag: { img: ['http', 'https', 'data'] },
+    allowedSchemesAppliedToAttributes: ['href', 'src', 'srcset'],
+    allowProtocolRelative: true,
+    // nonTextTags drops the TEXT CONTENT of these, not just the tags.
+    nonTextTags: ['script', 'style', 'textarea', 'option', 'noscript', 'iframe'],
+    transformTags: {
+        a: sanitizeHtml.simpleTransform('a', { target: '_blank', rel: 'noopener noreferrer nofollow' }),
+        img: sanitizeHtml.simpleTransform('img', { loading: 'lazy' }),
+    },
+    disallowedTagsMode: 'discard',
+};
+// Allowed raster data: image MIME types. data:image/svg+xml (and anything else)
+// is stripped in the second pass below.
+const RASTER_DATA_RE = /^data:image\/(?:png|jpeg|jpg|gif|webp)(?:;|,)/i;
+// Matches a single `attr="data:..."` or `attr='data:...'` occurrence. We only
+// need to scrub src / srcset / href because those are the only attributes
+// allowedSchemesAppliedToAttributes lets data: through on, and img is the only
+// tag with `data` in its scheme allowlist.
+const DATA_URL_ATTR_RE = /\b(src|srcset|href)\s*=\s*("data:[^"]*"|'data:[^']*')/gi;
+function isSafeDataUrl(rawUrl) {
+    // srcset can hold multiple comma-separated candidates and a data: URL itself
+    // contains a comma (data:<mime>,<payload>), so we cannot split on commas.
+    // Instead find every "data:" token (the MIME-type prefix up to the comma or
+    // semicolon) and require each one to be a raster image.
+    const matches = rawUrl.match(/data:[^\s]*/gi);
+    if (!matches)
+        return true; // no data: URL present, nothing to reject
+    return matches.every((m) => RASTER_DATA_RE.test(m));
+}
+/**
+ * Sanitize feed-provided article HTML. Runs sanitize-html with SANITIZE_OPTS,
+ * then a second regex pass strips any data: image URL that is not a raster
+ * format (notably data:image/svg+xml, which can carry script in some renderers).
+ */
+export function sanitizeArticleHtml(raw) {
+    const clean = sanitizeHtml(raw, SANITIZE_OPTS);
+    // Second pass: remove src/srcset/href attributes whose data: URL is not raster.
+    return clean.replace(DATA_URL_ATTR_RE, (full, attr, quoted) => {
+        const value = quoted.slice(1, -1); // strip surrounding quotes
+        return isSafeDataUrl(value) ? full : `${attr}=""`;
+    });
+}
+/** Strip all markup, returning plain text. Used for list-view summaries. */
+export function toPlainText(raw) {
+    return sanitizeHtml(raw, { allowedTags: [], allowedAttributes: {} });
+}
+//# sourceMappingURL=sanitize.js.map

package/dist/server/sanitize.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"sanitize.js","sourceRoot":"","sources":["../../src/server/sanitize.ts"],"names":[],"mappings":"AAAA,yBAAyB;AACzB,gFAAgF;AAChF,uEAAuE;AACvE,oEAAoE;AAEpE,OAAO,YAAY,MAAM,eAAe,CAAC;AAEzC,MAAM,CAAC,MAAM,aAAa,GAA0B;IAClD,WAAW,EAAE;QACX,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI;QAClC,GAAG,EAAE,YAAY,EAAE,KAAK,EAAE,MAAM;QAChC,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI;QAClC,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,QAAQ,EAAE,IAAI,EAAE,MAAM,EAAE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,GAAG,EAAE,GAAG,EAAE,MAAM,EAAE,IAAI,EAAE,IAAI;QAC1F,KAAK,EAAE,QAAQ,EAAE,YAAY;QAC7B,OAAO,EAAE,OAAO,EAAE,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,SAAS;QAC/D,OAAO,EAAE,OAAO,EAAE,QAAQ;KAC3B;IACD,iBAAiB,EAAE;QACjB,CAAC,EAAE,CAAC,MAAM,EAAE,MAAM,EAAE,QAAQ,EAAE,KAAK,CAAC;QACpC,GAAG,EAAE,CAAC,KAAK,EAAE,QAAQ,EAAE,KAAK,EAAE,OAAO,EAAE,OAAO,EAAE,QAAQ,EAAE,SAAS,CAAC;QACpE,KAAK,EAAE,CAAC,KAAK,EAAE,UAAU,EAAE,QAAQ,EAAE,OAAO,EAAE,QAAQ,CAAC;QACvD,KAAK,EAAE,CAAC,KAAK,EAAE,UAAU,CAAC;QAC1B,MAAM,EAAE,CAAC,KAAK,EAAE,QAAQ,EAAE,MAAM,EAAE,OAAO,CAAC;QAC1C,EAAE,EAAE,CAAC,SAAS,EAAE,SAAS,CAAC;QAC1B,EAAE,EAAE,CAAC,SAAS,EAAE,SAAS,EAAE,OAAO,CAAC;QACnC,GAAG,EAAE,CAAC,OAAO,CAAC;KACf;IACD,cAAc,EAAE,CAAC,MAAM,EAAE,OAAO,EAAE,QAAQ,CAAC;IAC3C,+EAA+E;IAC/E,iFAAiF;IACjF,mBAAmB,EAAE,EAAE,GAAG,EAAE,CAAC,MAAM,EAAE,OAAO,EAAE,MAAM,CAAC,EAAE;IACvD,iCAAiC,EAAE,CAAC,MAAM,EAAE,KAAK,EAAE,QAAQ,CAAC;IAC5D,qBAAqB,EAAE,IAAI;IAC3B,kEAAkE;IAClE,WAAW,EAAE,CAAC,QAAQ,EAAE,OAAO,EAAE,UAAU,EAAE,QAAQ,EAAE,UAAU,EAAE,QAAQ,CAAC;IAC5E,aAAa,EAAE;QACb,CAAC,EAAE,YAAY,CAAC,eAAe,CAAC,GAAG,EAAE,EAAE,MAAM,EAAE,QAAQ,EAAE,GAAG,EAAE,8BAA8B,EAAE,CAAC;QAC/F,GAAG,EAAE,YAAY,CAAC,eAAe,CAAC,KAAK,EAAE,EAAE,OAAO,EAAE,MAAM,EAAE,CAAC;KAC9D;IACD,kBAAkB,EAAE,SAAS;CAC9B,CAAC;AAEF,gFAAgF;AAChF,wCAAwC;AACxC,MAAM,cAAc,GAAG,gDAAgD,CAAC;AAExE,8EAA8E;AAC9E,0EAA0E;AAC1E,+EAA+E;AAC/E,2CAA2C;AAC3C,MAAM,gBAAgB,GAAG,yDAAyD,CAAC;AAEnF,SAAS,aAAa,CAAC,MAAc;IACnC,6EAA6E;IAC7E,0EAA0E;IAC1E,4EAA4E;IAC5E,wDAAwD;IACxD,MAAM,OAAO,GAAG,MAAM,CAAC,KAAK,CAAC,eAAe,CAAC,CAAC;IAC9C,IAAI,CAAC,OAAO;QAAE,OAAO,IAAI,CAAC,CAAC,0CAA0C;IACrE,OAAO,OAAO,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,cAAc,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC;AACtD,CAAC;AAED;;;;GAIG;AACH,MAAM,UAAU,mBAAmB,CAAC,GAAW;IAC7C,MAAM,KAAK,GAAG,YAAY,CAAC,GAAG,EAAE,aAAa,CAAC,CAAC;IAC/C,gFAAgF;IAChF,OAAO,KAAK,CAAC,OAAO,CAAC,gBAAgB,EAAE,CAAC,IAAI,EAAE,IAAY,EAAE,MAAc,EAAE,EAAE;QAC5E,MAAM,KAAK,GAAG,MAAM,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC,2BAA2B;QAC9D,OAAO,aAAa,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,GAAG,IAAI,KAAK,CAAC;IACpD,CAAC,CAAC,CAAC;AACL,CAAC;AAED,4EAA4E;AAC5E,MAAM,UAAU,WAAW,CAAC,GAAW;IACrC,OAAO,YAAY,CAAC,GAAG,EAAE,EAAE,WAAW,EAAE,EAAE,EAAE,iBAAiB,EAAE,EAAE,EAAE,CAAC,CAAC;AACvE,CAAC"}