@jant/core 0.3.35 → 0.3.37

package/src/lib/schemas.ts

@@ -12,11 +12,48 @@ import { z } from "zod";
 import {
   FORMATS,
   STATUSES,
+  VISIBILITIES,
   SORT_ORDERS,
   NAV_ITEM_TYPES,
   MAX_MEDIA_ATTACHMENTS,
 } from "../types.js";
 import { ValidationError } from "./errors.js";
+import { sanitizeUrl, normalizePath } from "./url.js";
+
+// =============================================================================
+// Shared Transforms
+// =============================================================================
+
+/**
+ * Strip C0 control characters (except HT, LF, CR) that can break rendering
+ * or interfere with FTS5 highlight sentinels (STX/ETX).
+ */
+// eslint-disable-next-line no-control-regex -- intentionally matching C0 control characters
+const CONTROL_CHAR_RE = /[\x00-\x08\x0B\x0C\x0E-\x1F\x7F]/g;
+
+/**
+ * Normalize an email address for storage and lookup.
+ *
+ * @param email - Raw email input
+ * @returns Trimmed, lowercased email
+ * @example
+ * ```ts
+ * normalizeEmail("  User@Example.COM ");
+ * // Returns: "user@example.com"
+ * ```
+ */
+export function normalizeEmail(email: string): string {
+  return email.trim().toLowerCase();
+}
+
+/** Trim, strip control characters, and collapse to undefined when empty. */
+function sanitizeText(maxLength: number) {
+  return z
+    .string()
+    .trim()
+    .max(maxLength)
+    .transform((s) => s.replace(CONTROL_CHAR_RE, "") || undefined);
+}
 
 /**
  * Post format enum schema
@@ -46,6 +83,15 @@ export const NavItemTypeSchema = z.enum(NAV_ITEM_TYPES);
  */
 export const RedirectTypeSchema = z.enum(["301", "302"]);
 
+/**
+ * Custom URL target type enum schema
+ */
+export const CustomUrlTargetTypeSchema = z.enum([
+  "post",
+  "collection",
+  "redirect",
+]);
+
 /**
  * Rating schema (1-5 integer)
  */
@@ -59,75 +105,160 @@ export const RatingSchema = z.coerce
   .transform((v) => (v === 0 ? undefined : v));
 
 /**
- * API request body schema for creating a post
+ * Base post fields (shared between create and update schemas)
  */
-export const CreatePostSchema = z.object({
+const PostFieldsSchema = z.object({
   format: FormatSchema,
+  slug: z
+    .string()
+    .min(1)
+    .transform(normalizeSlug)
+    .pipe(
+      z
+        .string()
+        .min(1)
+        .regex(/^[a-z0-9][a-z0-9-]*[a-z0-9]$|^[a-z0-9]$/),
+    )
+    .optional()
+    .or(z.literal("").transform(() => undefined)),
   path: z
     .string()
-    .regex(/^[a-z0-9]([a-z0-9-]*[a-z0-9])?(\/[a-z0-9]([a-z0-9-]*[a-z0-9])?)*$/)
+    .min(1)
+    .transform(normalizePath)
+    .pipe(z.string().min(1))
+    .optional()
+    .or(z.literal("").transform(() => undefined)),
+  title: sanitizeText(300)
     .optional()
     .or(z.literal("").transform(() => undefined)),
-  title: z.string().optional(),
   body: z.string().optional(),
+  bodyMarkdown: z.string().optional(),
   status: StatusSchema.optional(),
-  featured: z
-    .union([z.boolean(), z.literal("on").transform(() => true)])
-    .optional(),
+  visibility: z.enum(VISIBILITIES).optional(),
   pinned: z
     .union([z.boolean(), z.literal("on").transform(() => true)])
     .optional(),
-  url: z.url().optional().or(z.literal("")),
+  featured: z.boolean().optional(),
+  url: z
+    .url()
+    .refine((val) => sanitizeUrl(val) !== "", {
+      message: "URL must use http:, https:, or mailto: protocol",
+    })
+    .optional()
+    .or(z.literal("")),
   quoteText: z.string().optional(),
   rating: RatingSchema,
   collectionIds: z
-    .array(z.coerce.number().int().positive())
+    .array(z.string().min(1))
     .optional()
     .or(z.literal("").transform(() => undefined)),
-  replyToId: z.string().optional(), // Sqid format
+  replyToId: z.string().optional(),
   publishedAt: z.number().int().positive().optional(),
   mediaIds: z.array(z.string()).max(MAX_MEDIA_ATTACHMENTS).optional(),
   mediaAlts: z.record(z.string(), z.string()).optional(),
 });
 
-/**
- * API request body schema for updating a post
- */
-export const UpdatePostSchema = CreatePostSchema.partial();
+/** Mutual exclusivity: body and bodyMarkdown cannot both be provided */
+function refineBodyExclusivity<
+  T extends { body?: string; bodyMarkdown?: string },
+>(schema: z.ZodType<T>) {
+  return schema.refine((data) => !(data.body && data.bodyMarkdown), {
+    message: "Provide either body or bodyMarkdown, not both",
+    path: ["bodyMarkdown"],
+  });
+}
+
+function hasNonEmptyText(value: string | null | undefined): boolean {
+  return typeof value === "string" && value.trim().length > 0;
+}
+
+function refineCreatePostFormatShape<
+  T extends { format: string; url?: string; quoteText?: string },
+>(schema: z.ZodType<T>) {
+  return schema.superRefine((data, ctx) => {
+    const hasUrl = hasNonEmptyText(data.url);
+    const hasQuoteText = hasNonEmptyText(data.quoteText);
+
+    if (data.format === "note") {
+      if (hasUrl) {
+        ctx.addIssue({
+          code: z.ZodIssueCode.custom,
+          path: ["url"],
+          message: "Notes can't include a URL.",
+        });
+      }
+      if (hasQuoteText) {
+        ctx.addIssue({
+          code: z.ZodIssueCode.custom,
+          path: ["quoteText"],
+          message: "Notes can't include quoted text.",
+        });
+      }
+    }
+
+    if (data.format === "link") {
+      if (!hasUrl) {
+        ctx.addIssue({
+          code: z.ZodIssueCode.custom,
+          path: ["url"],
+          message: "Link posts need a URL.",
+        });
+      }
+      if (hasQuoteText) {
+        ctx.addIssue({
+          code: z.ZodIssueCode.custom,
+          path: ["quoteText"],
+          message: "Link posts can't include quoted text.",
+        });
+      }
+    }
+
+    if (data.format === "quote" && !hasQuoteText) {
+      ctx.addIssue({
+        code: z.ZodIssueCode.custom,
+        path: ["quoteText"],
+        message: "Quote posts need quoted text.",
+      });
+    }
+  });
+}
+
+/** Mutual exclusivity: slug and path cannot both be provided */
+function refineSlugPathExclusivity<T extends { slug?: string; path?: string }>(
+  schema: z.ZodType<T>,
+) {
+  return schema.refine((data) => !(data.slug && data.path), {
+    message: "Provide either slug or path, not both",
+    path: ["path"],
+  });
+}
 
 /**
- * API request body schema for creating a page
+ * API request body schema for creating a post
  */
-export const CreatePageSchema = z.object({
-  slug: z
-    .string()
-    .min(1)
-    .transform(normalizeSlug)
-    .pipe(
-      z
-        .string()
-        .min(1)
-        .regex(/^[a-z0-9][a-z0-9-]*[a-z0-9]$|^[a-z0-9]$/),
-    ),
-  title: z.string().optional(),
-  body: z.string().optional(),
-  status: StatusSchema.optional(),
-});
+export const CreatePostSchema = refineSlugPathExclusivity(
+  refineCreatePostFormatShape(refineBodyExclusivity(PostFieldsSchema)),
+);
 
 /**
- * API request body schema for updating a page
+ * API request body schema for updating a post
  */
-export const UpdatePageSchema = CreatePageSchema.partial();
+export const UpdatePostSchema = refineSlugPathExclusivity(
+  refineBodyExclusivity(PostFieldsSchema.partial()),
+);
 
 /**
  * API request body schema for creating a navigation item
  */
 export const CreateNavItemSchema = z.object({
   type: NavItemTypeSchema,
-  label: z.string().min(1),
-  url: z.string().min(1),
-  pageId: z.coerce.number().int().positive().optional(),
-  position: z.coerce.number().int().min(0).optional(),
+  label: sanitizeText(100).pipe(z.string().min(1)),
+  url: z
+    .string()
+    .min(1)
+    .refine((val) => sanitizeUrl(val) !== "", {
+      message: "URL must use http:, https:, or mailto: protocol",
+    }),
 });
 
 /**
@@ -149,11 +280,29 @@ export const CreateCollectionSchema = z.object({
         .min(1)
         .regex(/^[a-z0-9][a-z0-9-]*[a-z0-9]$|^[a-z0-9]$/),
     ),
-  title: z.string().min(1),
-  description: z.string().optional(),
-  icon: z.string().optional(),
+  title: sanitizeText(300).pipe(z.string().min(1)),
+  description: sanitizeText(500)
+    .optional()
+    .or(z.literal("").transform(() => undefined)),
+  icon: z
+    .string()
+    .optional()
+    .refine(
+      (val) => {
+        if (!val || !val.startsWith("{")) return true;
+        try {
+          const parsed = JSON.parse(val) as Record<string, unknown>;
+          if (typeof parsed.color === "string") {
+            return /^#[0-9a-f]{3,6}$/i.test(parsed.color);
+          }
+          return true;
+        } catch {
+          return true; // non-JSON icons (legacy emoji) are fine
+        }
+      },
+      { message: "Icon color must be a valid hex color (e.g. #fff, #ff0000)" },
+    ),
   sortOrder: SortOrderSchema.optional(),
-  position: z.coerce.number().int().min(0).optional(),
 });
 
 /**
@@ -161,6 +310,24 @@ export const CreateCollectionSchema = z.object({
  */
 export const UpdateCollectionSchema = CreateCollectionSchema.partial();
 
+/**
+ * API request body schema for creating a custom URL
+ */
+export const CreateCustomUrlSchema = z.object({
+  path: z
+    .string()
+    .min(1)
+    .max(512)
+    .regex(
+      /^\/[a-z0-9][a-z0-9\-/]*$/,
+      "Path must start with / and contain only lowercase alphanumeric characters, hyphens, and slashes",
+    ),
+  targetType: CustomUrlTargetTypeSchema,
+  targetId: z.string().optional(),
+  toPath: z.string().optional(),
+  redirectType: RedirectTypeSchema.optional(),
+});
+
 // =============================================================================
 // Auth Schemas
 // =============================================================================
@@ -169,17 +336,26 @@ export const UpdateCollectionSchema = CreateCollectionSchema.partial();
  * Setup form validation schema
  */
 export const SetupSchema = z.object({
-  name: z.string().min(1, "Name is required"),
-  email: z.string().email("Invalid email address"),
-  password: z.string().min(8, "Password must be at least 8 characters"),
+  siteName: z.string().min(1, "Site name is required"),
+  email: z
+    .string()
+    .transform(normalizeEmail)
+    .pipe(z.string().email("Invalid email address")),
+  password: z
+    .string()
+    .min(8, "Password must be at least 8 characters")
+    .max(128),
 });
 
 /**
  * Sign-in form validation schema
  */
 export const SigninSchema = z.object({
-  email: z.string().email("Invalid email address"),
-  password: z.string().min(1, "Password is required"),
+  email: z
+    .string()
+    .transform(normalizeEmail)
+    .pipe(z.string().email("Invalid email address")),
+  password: z.string().min(1, "Password is required").max(128),
 });
 
 /**
@@ -187,7 +363,10 @@ export const SigninSchema = z.object({
  */
 export const ResetPasswordSchema = z
   .object({
-    password: z.string().min(8, "Password must be at least 8 characters"),
+    password: z
+      .string()
+      .min(8, "Password must be at least 8 characters")
+      .max(128),
     confirmPassword: z.string().min(1),
     token: z.string().min(1),
   })
@@ -221,17 +400,6 @@ export function normalizeSlug(s: string): string {
     .replace(/^-|-$/g, "");
 }
 
-// =============================================================================
-// Reorder Schemas
-// =============================================================================
-
-/**
- * Reorder request schema for simple ID-based reordering
- */
-export const ReorderSchema = z.object({
-  ids: z.array(z.coerce.number().int().positive()),
-});
-
 // =============================================================================
 // Form Data Helpers
 // =============================================================================
@@ -300,7 +468,7 @@ export function validateMediaCount(mediaIds: string[]): string | null {
  * @returns Validated data
  * @example
  * ```ts
- * const body = parseValidated(CreatePageSchema, await c.req.json());
+ * const body = parseValidated(CreatePostSchema, await c.req.json());
  * ```
  */
 export function parseValidated<T>(schema: z.ZodSchema<T>, data: unknown): T {

package/src/lib/search-snippet.ts

@@ -0,0 +1,34 @@
+import { escapeHtml } from "./html.js";
+
+/**
+ * Search Snippet Utilities
+ *
+ * Application-layer text highlighting for search results.
+ * Used for fields not covered by FTS5 snippet() (title, quoteText).
+ *
+ * @param text - Plain text to highlight (already stored content, not user input)
+ * @param query - Raw search query string (space-separated terms)
+ * @returns HTML-safe string with matched terms wrapped in <mark> tags; escaped original if no terms
+ *
+ * @example
+ * ```ts
+ * highlightText("Hello world", "world")
+ * // → "Hello <mark>world</mark>"
+ *
+ * highlightText("TypeScript basics", "type script")
+ * // → "<mark>TypeScript</mark> basics"
+ * ```
+ */
+export function highlightText(text: string, query: string): string {
+  const escaped = escapeHtml(text);
+  const terms = query
+    .trim()
+    .split(/\s+/)
+    .filter((t) => t.length > 0)
+    .map((t) => t.replace(/[.*+?^${}()|[\]\\]/g, "\\$&"));
+
+  if (terms.length === 0) return escaped;
+
+  const pattern = new RegExp(`(${terms.join("|")})`, "gi");
+  return escaped.replace(pattern, "<mark>$1</mark>");
+}

package/src/lib/slug.ts

@@ -0,0 +1,96 @@
+/**
+ * Slug Generation
+ *
+ * Generates URL slugs for posts with conflict resolution.
+ * Handles three cases: user-provided slug, title-based slug, and random-only slug.
+ */
+
+import { slugify } from "./url.js";
+import { generateRandomId } from "./nanoid.js";
+import { isReservedPath } from "./constants.js";
+import { ValidationError, ConflictError } from "./errors.js";
+
+const MAX_RETRIES = 10;
+
+export interface SlugOptions {
+  /** User-provided slug (takes priority) */
+  slug?: string;
+  /** Post title (used for slug generation if no explicit slug) */
+  title?: string;
+  /** Length of random IDs */
+  idLength: number;
+  /** Callback to check if a slug is available (checks posts.slug + custom_urls.path) */
+  isAvailable: (slug: string) => Promise<boolean>;
+}
+
+/**
+ * Generates a post slug with conflict resolution.
+ *
+ * Resolution order:
+ * 1. User-provided slug → validate format, check reserved, check availability
+ * 2. Title exists → slugify(title), append -{randomId} if conflict
+ * 3. No title → pure random ID
+ *
+ * @param opts - Slug generation options
+ * @returns A unique, valid slug
+ *
+ * @example
+ * ```ts
+ * // User-provided
+ * await generatePostSlug({ slug: "my-post", idLength: 5, isAvailable: check });
+ *
+ * // Title-based
+ * await generatePostSlug({ title: "Hello World", idLength: 5, isAvailable: check });
+ *
+ * // Random
+ * await generatePostSlug({ idLength: 5, isAvailable: check });
+ * ```
+ */
+export async function generatePostSlug(opts: SlugOptions): Promise<string> {
+  const { slug, title, idLength, isAvailable } = opts;
+
+  // Case 1: User-provided slug
+  if (slug) {
+    if (isReservedPath(slug)) {
+      throw new ValidationError(
+        `Slug "${slug}" is reserved and cannot be used`,
+      );
+    }
+    const available = await isAvailable(slug);
+    if (!available) {
+      throw new ConflictError(`Slug "${slug}" is already in use`);
+    }
+    return slug;
+  }
+
+  // Case 2: Title-based slug
+  if (title) {
+    const base = slugify(title);
+    if (base && !isReservedPath(base)) {
+      const available = await isAvailable(base);
+      if (available) return base;
+    }
+
+    // Append random suffix on conflict or reserved base
+    for (let i = 0; i < MAX_RETRIES; i++) {
+      const candidate = `${base || generateRandomId(idLength)}-${generateRandomId(idLength)}`;
+      if (!isReservedPath(candidate) && (await isAvailable(candidate))) {
+        return candidate;
+      }
+    }
+    throw new ConflictError(
+      "Could not generate a unique slug after multiple attempts",
+    );
+  }
+
+  // Case 3: Pure random
+  for (let i = 0; i < MAX_RETRIES; i++) {
+    const candidate = generateRandomId(idLength);
+    if (!isReservedPath(candidate) && (await isAvailable(candidate))) {
+      return candidate;
+    }
+  }
+  throw new ConflictError(
+    "Could not generate a unique slug after multiple attempts",
+  );
+}

package/src/lib/sse.ts

@@ -91,7 +91,7 @@ export interface SSEStream {
    *
    * @example
    * ```ts
-   * await stream.redirect('/dash/posts');
+   * await stream.redirect('/settings');
    * ```
    */
   redirect(url: string): void;
@@ -132,7 +132,7 @@ export interface SSEStream {
 /** Build the redirect script tag for Datastar patch-elements */
 function buildRedirectScript(url: string): string {
   const escapedUrl = url.replace(/\\/g, "\\\\").replace(/'/g, "\\'");
-  return `<script data-effect="el.remove()">window.location.href='${escapedUrl}'</script>`;
+  return `<div data-init="window.location.href='${escapedUrl}'; el.remove()"></div>`;
 }
 
 /** Build a toast notification HTML element */
@@ -147,7 +147,7 @@ function buildToastHtml(message: string, type: "success" | "error"): string {
     .replace(/&/g, "&amp;")
     .replace(/</g, "&lt;")
     .replace(/>/g, "&gt;");
-  return `<div class="toast ${cls}" data-init="setTimeout(() => { el.classList.add('toast-out'); el.addEventListener('animationend', () => el.remove()) }, 3000)">${icon}<span>${escapedMessage}</span>${closeBtn}</div>`;
+  return `<div class="toast ${cls}" data-init="el.closest('[popover]')?.showPopover(); setTimeout(() => { el.classList.add('toast-out'); el.addEventListener('animationend', () => el.remove()) }, 3000)">${icon}<span>${escapedMessage}</span>${closeBtn}</div>`;
 }
 
 // ---------------------------------------------------------------------------
@@ -193,7 +193,7 @@ function formatEvent(eventType: string, dataLines: readonly string[]): string {
  * // With cookie forwarding (for auth)
  * app.post("/signin", (c) => {
  *   return sse(c, async (stream) => {
- *     await stream.redirect('/dash');
+ *     await stream.redirect('/settings');
  *   }, { headers: { 'Set-Cookie': cookieValue } });
  * });
  * ```
@@ -304,10 +304,10 @@ export function sse(
  *
  * @example
  * ```ts
- * return dsRedirect("/dash/posts");
+ * return dsRedirect("/settings");
  *
  * // With cookie forwarding (for auth)
- * return dsRedirect("/dash", { headers: authResponse.headers });
+ * return dsRedirect("/settings", { headers: authResponse.headers });
  * ```
  */
 export function dsRedirect(