npm - @jant/core - Versions diffs - 0.3.35 → 0.3.37 - Mend

@jant/core 0.3.35 → 0.3.37

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (307) hide show

package/bin/commands/export.js +1 -1
package/bin/commands/import-site.js +529 -0
package/bin/commands/reset-password.js +3 -2
package/dist/client/assets/heic-to-DIRPI3VF.js +1 -0
package/dist/client/assets/module-RjUF93sV.js +716 -0
package/dist/client/assets/native-48B9X9Wg.js +1 -0
package/dist/client/assets/url-FWFqPJPb.js +1 -0
package/dist/client/client.css +1 -1
package/dist/client/client.js +4564 -3013
package/dist/index.js +12885 -8161
package/package.json +23 -6
package/src/__tests__/helpers/app.ts +10 -10
package/src/__tests__/helpers/db.ts +91 -87
package/src/app.tsx +157 -31
package/src/auth.ts +20 -2
package/src/client/archive-nav.js +187 -0
package/src/client/audio-player.ts +478 -0
package/src/client/audio-processor.ts +84 -0
package/src/{lib → client}/avatar-upload.ts +4 -3
package/src/{lib → client}/collection-form-bridge.ts +2 -2
package/src/{ui → client}/components/__tests__/jant-collection-form.test.ts +26 -9
package/src/client/components/__tests__/jant-compose-dialog.test.ts +1140 -0
package/src/client/components/__tests__/jant-compose-editor.test.ts +504 -0
package/src/{ui → client}/components/__tests__/jant-post-form.test.ts +37 -17
package/src/{ui → client}/components/__tests__/jant-settings-avatar.test.ts +2 -2
package/src/{ui → client}/components/__tests__/jant-settings-general.test.ts +3 -3
package/src/client/components/collection-sidebar-types.ts +43 -0
package/src/{ui → client}/components/collection-types.ts +3 -4
package/src/client/components/compose-types.ts +174 -0
package/src/client/components/jant-collection-form.ts +667 -0
package/src/client/components/jant-collection-sidebar.ts +805 -0
package/src/client/components/jant-compose-dialog.ts +2161 -0
package/src/client/components/jant-compose-editor.ts +1813 -0
package/src/client/components/jant-compose-fullscreen.ts +283 -0
package/src/client/components/jant-media-lightbox.ts +259 -0
package/src/{ui → client}/components/jant-nav-manager.ts +97 -298
package/src/{ui → client}/components/jant-post-form.ts +141 -12
package/src/client/components/jant-post-menu.ts +1019 -0
package/src/{ui → client}/components/jant-settings-avatar.ts +3 -3
package/src/{ui → client}/components/jant-settings-general.ts +38 -4
package/src/client/components/jant-text-preview.ts +232 -0
package/src/{ui → client}/components/nav-manager-types.ts +6 -18
package/src/{ui → client}/components/post-form-template.ts +137 -38
package/src/{ui → client}/components/post-form-types.ts +15 -4
package/src/client/compose-bridge.ts +583 -0
package/src/{lib → client}/image-processor.ts +26 -8
package/src/client/lazy-slugify.ts +51 -0
package/src/client/media-metadata.ts +247 -0
package/src/client/multipart-upload.ts +160 -0
package/src/{lib → client}/nav-manager-bridge.ts +1 -1
package/src/{lib → client}/post-form-bridge.ts +53 -2
package/src/{lib → client}/settings-bridge.ts +3 -15
package/src/client/thread-context.ts +140 -0
package/src/client/tiptap/bubble-menu.ts +205 -0
package/src/client/tiptap/create-editor.ts +86 -0
package/src/client/tiptap/exitable-marks.ts +73 -0
package/src/client/tiptap/extensions.ts +65 -0
package/src/client/tiptap/image-node.ts +482 -0
package/src/client/tiptap/link-toolbar.ts +371 -0
package/src/client/tiptap/more-break.ts +50 -0
package/src/client/tiptap/paste-image.ts +129 -0
package/src/client/tiptap/slash-commands.ts +438 -0
package/src/{lib → client}/toast.ts +101 -3
package/src/client/types/sortablejs.d.ts +44 -0
package/src/client/upload-with-metadata.ts +54 -0
package/src/client/video-processor.ts +207 -0
package/src/client.ts +27 -17
package/src/db/__tests__/migrations.test.ts +118 -0
package/src/db/index.ts +52 -0
package/src/db/migrations/0000_baseline.sql +269 -0
package/src/db/migrations/0001_fts_setup.sql +31 -0
package/src/db/migrations/meta/0000_snapshot.json +703 -119
package/src/db/migrations/meta/0001_snapshot.json +1337 -0
package/src/db/migrations/meta/_journal.json +4 -39
package/src/db/schema.ts +409 -140
package/src/i18n/__tests__/detect.test.ts +115 -0
package/src/i18n/context.tsx +2 -2
package/src/i18n/detect.ts +85 -1
package/src/i18n/i18n.ts +1 -1
package/src/i18n/index.ts +2 -1
package/src/i18n/locales/en.po +783 -1087
package/src/i18n/locales/en.ts +1 -1
package/src/i18n/locales/zh-Hans.po +867 -812
package/src/i18n/locales/zh-Hans.ts +1 -1
package/src/i18n/locales/zh-Hant.po +878 -823
package/src/i18n/locales/zh-Hant.ts +1 -1
package/src/i18n/middleware.ts +6 -0
package/src/index.ts +5 -7
package/src/lib/__tests__/blurhash-placeholder.test.ts +75 -0
package/src/lib/__tests__/constants.test.ts +0 -1
package/src/lib/__tests__/markdown-to-tiptap.test.ts +358 -0
package/src/lib/__tests__/nanoid.test.ts +26 -0
package/src/lib/__tests__/resolve-config.test.ts +2 -2
package/src/lib/__tests__/schemas.test.ts +186 -65
package/src/lib/__tests__/slug.test.ts +126 -0
package/src/lib/__tests__/sse.test.ts +6 -6
package/src/lib/__tests__/summary.test.ts +264 -0
package/src/lib/__tests__/theme.test.ts +1 -1
package/src/lib/__tests__/timeline.test.ts +33 -30
package/src/lib/__tests__/tiptap-to-markdown.test.ts +346 -0
package/src/lib/__tests__/url.test.ts +2 -2
package/src/lib/__tests__/view.test.ts +140 -65
package/src/lib/blurhash-placeholder.ts +102 -0
package/src/lib/constants.ts +3 -1
package/src/lib/emoji-catalog.ts +963 -0
package/src/lib/errors.ts +11 -8
package/src/lib/feed.ts +77 -31
package/src/lib/html.ts +2 -1
package/src/lib/icon-catalog.ts +5033 -1
package/src/lib/icons.ts +3 -2
package/src/lib/index.ts +0 -1
package/src/lib/markdown-to-tiptap.ts +286 -0
package/src/lib/media-helpers.ts +22 -12
package/src/lib/nanoid.ts +29 -0
package/src/lib/navigation.ts +1 -1
package/src/lib/render.tsx +24 -5
package/src/lib/resolve-config.ts +13 -2
package/src/lib/schemas.ts +226 -58
package/src/lib/search-snippet.ts +34 -0
package/src/lib/slug.ts +96 -0
package/src/lib/sse.ts +6 -6
package/src/lib/storage.ts +115 -7
package/src/lib/summary.ts +158 -0
package/src/lib/theme.ts +11 -8
package/src/lib/timeline.ts +76 -34
package/src/lib/tiptap-render.ts +191 -0
package/src/lib/tiptap-to-markdown.ts +305 -0
package/src/lib/upload.ts +263 -14
package/src/lib/url.ts +37 -22
package/src/lib/view.ts +236 -55
package/src/middleware/__tests__/auth.test.ts +191 -11
package/src/middleware/__tests__/onboarding.test.ts +12 -10
package/src/middleware/auth.ts +63 -9
package/src/middleware/error-handler.ts +3 -3
package/src/middleware/onboarding.ts +1 -1
package/src/middleware/secure-headers.ts +40 -0
package/src/preset.css +83 -2
package/src/routes/__tests__/compose.test.ts +17 -24
package/src/routes/api/__tests__/collections.test.ts +109 -61
package/src/routes/api/__tests__/nav-items.test.ts +46 -29
package/src/routes/api/__tests__/posts.test.ts +132 -68
package/src/routes/api/__tests__/search.test.ts +15 -2
package/src/routes/api/__tests__/upload-multipart.test.ts +534 -0
package/src/routes/api/collections.ts +57 -31
package/src/routes/api/custom-urls.ts +80 -0
package/src/routes/api/export.ts +31 -0
package/src/routes/api/nav-items.ts +23 -19
package/src/routes/api/posts.ts +81 -62
package/src/routes/api/search.ts +3 -4
package/src/routes/api/upload-multipart.ts +245 -0
package/src/routes/api/upload.ts +92 -24
package/src/routes/auth/__tests__/setup.test.ts +20 -60
package/src/routes/auth/reset.tsx +5 -4
package/src/routes/auth/setup.tsx +39 -31
package/src/routes/auth/signin.tsx +13 -14
package/src/routes/compose.tsx +27 -63
package/src/routes/dash/__tests__/settings-avatar.test.ts +44 -9
package/src/routes/dash/custom-urls.tsx +414 -0
package/src/routes/dash/settings.tsx +475 -99
package/src/routes/feed/__tests__/rss.test.ts +22 -23
package/src/routes/feed/rss.ts +6 -2
package/src/routes/feed/sitemap.ts +2 -12
package/src/routes/pages/__tests__/collections.test.ts +5 -6
package/src/routes/pages/__tests__/featured.test.ts +36 -18
package/src/routes/pages/archive.tsx +177 -37
package/src/routes/pages/collection.tsx +43 -14
package/src/routes/pages/collections.tsx +11 -2
package/src/routes/pages/featured.tsx +27 -3
package/src/routes/pages/home.tsx +15 -14
package/src/routes/pages/latest.tsx +1 -11
package/src/routes/pages/new.tsx +39 -0
package/src/routes/pages/page.tsx +95 -49
package/src/routes/pages/search.tsx +1 -1
package/src/services/__tests__/api-token.test.ts +135 -0
package/src/services/__tests__/collection.test.ts +275 -227
package/src/services/__tests__/custom-url.test.ts +213 -0
package/src/services/__tests__/media.test.ts +162 -22
package/src/services/__tests__/navigation.test.ts +109 -68
package/src/services/__tests__/post-timeline.test.ts +205 -32
package/src/services/__tests__/post.test.ts +800 -230
package/src/services/__tests__/search.test.ts +67 -10
package/src/services/__tests__/settings.test.ts +3 -3
package/src/services/api-token.ts +166 -0
package/src/services/auth.ts +17 -2
package/src/services/collection.ts +397 -131
package/src/services/custom-url.ts +188 -0
package/src/services/export.ts +802 -0
package/src/services/index.ts +26 -19
package/src/services/media.ts +100 -22
package/src/services/navigation.ts +158 -47
package/src/services/path.ts +339 -0
package/src/services/post.ts +764 -172
package/src/services/search.ts +161 -74
package/src/services/settings.ts +6 -2
package/src/styles/components.css +293 -62
package/src/styles/tokens.css +93 -5
package/src/styles/ui.css +4349 -766
package/src/types/bindings.ts +8 -0
package/src/types/config.ts +34 -4
package/src/types/constants.ts +17 -2
package/src/types/entities.ts +83 -37
package/src/types/operations.ts +20 -27
package/src/types/props.ts +52 -17
package/src/types/views.ts +48 -24
package/src/ui/color-themes.ts +133 -23
package/src/ui/compose/ComposeDialog.tsx +255 -16
package/src/ui/compose/ComposePrompt.tsx +1 -1
package/src/ui/dash/CrudPageHeader.tsx +1 -1
package/src/ui/dash/ListItemRow.tsx +1 -1
package/src/ui/dash/StatusBadge.tsx +12 -2
package/src/ui/dash/appearance/AdvancedContent.tsx +71 -59
package/src/ui/dash/appearance/ColorThemeContent.tsx +48 -33
package/src/ui/dash/appearance/FontThemeContent.tsx +65 -73
package/src/ui/dash/appearance/NavigationContent.tsx +106 -135
package/src/ui/dash/index.ts +0 -3
package/src/ui/dash/settings/AccountContent.tsx +87 -146
package/src/ui/dash/settings/AccountMenuContent.tsx +147 -0
package/src/ui/dash/settings/ApiTokensContent.tsx +232 -0
package/src/ui/dash/settings/AvatarContent.tsx +78 -0
package/src/ui/dash/settings/GeneralContent.tsx +3 -62
package/src/ui/dash/settings/SessionsContent.tsx +159 -0
package/src/ui/dash/settings/SettingsRootContent.tsx +266 -0
package/src/ui/feed/LinkCard.tsx +89 -40
package/src/ui/feed/NoteCard.tsx +39 -25
package/src/ui/feed/PostStatusBadges.tsx +67 -0
package/src/ui/feed/QuoteCard.tsx +38 -23
package/src/ui/feed/ThreadPreview.tsx +90 -26
package/src/ui/feed/TimelineFeed.tsx +3 -2
package/src/ui/feed/TimelineItem.tsx +15 -6
package/src/ui/feed/__tests__/thread-preview.test.ts +107 -0
package/src/ui/feed/thread-preview-state.ts +61 -0
package/src/ui/font-themes.ts +2 -2
package/src/ui/layouts/BaseLayout.tsx +2 -2
package/src/ui/layouts/SiteLayout.tsx +116 -103
package/src/ui/pages/ArchivePage.tsx +923 -95
package/src/ui/pages/CollectionPage.tsx +6 -35
package/src/ui/pages/CollectionsPage.tsx +2 -1
package/src/ui/pages/ComposePage.tsx +54 -0
package/src/ui/pages/FeaturedPage.tsx +2 -1
package/src/ui/pages/HomePage.tsx +1 -1
package/src/ui/pages/PostPage.tsx +30 -45
package/src/ui/pages/SearchPage.tsx +182 -38
package/src/ui/shared/AdminBreadcrumb.tsx +29 -0
package/src/ui/shared/CollectionsSidebar.tsx +239 -4
package/src/ui/shared/MediaGallery.tsx +475 -41
package/src/ui/shared/PostFooter.tsx +204 -0
package/src/ui/shared/StarRating.tsx +27 -0
package/src/ui/shared/__tests__/format-chars.test.ts +35 -0
package/src/ui/shared/index.ts +0 -1
package/src/db/migrations/0000_square_wallflower.sql +0 -118
package/src/db/migrations/0001_add_search_fts.sql +0 -34
package/src/db/migrations/0002_add_media_attachments.sql +0 -3
package/src/db/migrations/0003_add_navigation_links.sql +0 -8
package/src/db/migrations/0004_add_storage_provider.sql +0 -3
package/src/db/migrations/0005_v2_schema_migration.sql +0 -268
package/src/db/migrations/0006_rename_slug_to_path.sql +0 -5
package/src/db/migrations/0007_post_collections_m2m.sql +0 -94
package/src/db/migrations/0008_add_collection_dividers.sql +0 -8
package/src/db/migrations/0009_drop_collection_show_divider.sql +0 -2
package/src/db/migrations/0010_add_performance_indexes.sql +0 -16
package/src/db/migrations/0011_add_path_registry.sql +0 -23
package/src/db/migrations/meta/0003_snapshot.json +0 -821
package/src/lib/__tests__/sqid.test.ts +0 -65
package/src/lib/collections-reorder.ts +0 -28
package/src/lib/compose-bridge.ts +0 -280
package/src/lib/media-upload.ts +0 -148
package/src/lib/sqid.ts +0 -79
package/src/routes/api/__tests__/pages.test.ts +0 -218
package/src/routes/api/pages.ts +0 -73
package/src/routes/dash/__tests__/pages.test.ts +0 -226
package/src/routes/dash/appearance.tsx +0 -240
package/src/routes/dash/collections.tsx +0 -211
package/src/routes/dash/index.tsx +0 -103
package/src/routes/dash/media.tsx +0 -132
package/src/routes/dash/pages.tsx +0 -239
package/src/routes/dash/posts.tsx +0 -334
package/src/routes/dash/redirects.tsx +0 -257
package/src/routes/pages/post.tsx +0 -59
package/src/services/__tests__/page.test.ts +0 -298
package/src/services/__tests__/path-registry.test.ts +0 -165
package/src/services/__tests__/redirect.test.ts +0 -159
package/src/services/page.ts +0 -203
package/src/services/path-registry.ts +0 -160
package/src/services/redirect.ts +0 -97
package/src/types/sortablejs.d.ts +0 -29
package/src/ui/components/__tests__/jant-compose-dialog.test.ts +0 -512
package/src/ui/components/__tests__/jant-compose-editor.test.ts +0 -272
package/src/ui/components/compose-types.ts +0 -75
package/src/ui/components/jant-collection-form.ts +0 -512
package/src/ui/components/jant-compose-dialog.ts +0 -495
package/src/ui/components/jant-compose-editor.ts +0 -814
package/src/ui/dash/PageForm.tsx +0 -185
package/src/ui/dash/PostList.tsx +0 -95
package/src/ui/dash/appearance/AppearanceNav.tsx +0 -60
package/src/ui/dash/collections/CollectionForm.tsx +0 -166
package/src/ui/dash/collections/CollectionsListContent.tsx +0 -146
package/src/ui/dash/collections/IconPickerGrid.tsx +0 -50
package/src/ui/dash/collections/ViewCollectionContent.tsx +0 -103
package/src/ui/dash/media/MediaListContent.tsx +0 -201
package/src/ui/dash/media/ViewMediaContent.tsx +0 -208
package/src/ui/dash/pages/PagesContent.tsx +0 -74
package/src/ui/dash/posts/PostForm.tsx +0 -248
package/src/ui/dash/settings/SettingsNav.tsx +0 -52
package/src/ui/layouts/DashLayout.tsx +0 -165
package/src/ui/pages/SinglePage.tsx +0 -23
package/src/ui/shared/ThreadView.tsx +0 -136
/package/src/{ui → client}/components/settings-types.ts +0 -0

package/src/middleware/__tests__/auth.test.ts CHANGED Viewed

@@ -1,6 +1,6 @@
-import { describe, it, expect } from "vitest";
+import { describe, it, expect, vi } from "vitest";
 import { Hono } from "hono";
-import { requireAuth, requireAuthApi } from "../auth.js";
+import { requireAuth, requireAuthApi, isLocalHostname } from "../auth.js";
 import { errorHandler } from "../error-handler.js";
 import type { Bindings } from "../../types.js";
 import type { AppVariables } from "../../types/app-context.js";
@@ -21,6 +21,32 @@ function createMockAuth(authenticated: boolean) {
   } as AppVariables["auth"];
 }
+function createMockApiTokenService(validToken?: string) {
+  const tokenId = "token-id-1";
+  return {
+    verify: vi.fn(async (raw: string) => (raw === validToken ? tokenId : null)),
+    updateLastUsed: vi.fn(async () => {}),
+    create: vi.fn(),
+    list: vi.fn(),
+    delete: vi.fn(),
+  };
+}
+describe("isLocalHostname", () => {
+  it.each([
+    ["localhost", true],
+    ["127.0.0.1", true],
+    ["::1", true],
+    ["jant.localtest.me", true],
+    ["sub.localtest.me", true],
+    ["myblog.com", false],
+    ["demo.jant.me", false],
+    ["localtest.me.evil.com", false],
+  ])("isLocalHostname(%s) → %s", (hostname, expected) => {
+    expect(isLocalHostname(hostname)).toBe(expected);
+  });
+});
 describe("requireAuth", () => {
   it("allows authenticated requests", async () => {
     const app = new Hono<Env>();
@@ -28,11 +54,11 @@ describe("requireAuth", () => {
       c.set("auth", createMockAuth(true));
       await next();
     });
-    app.get("/dash", requireAuth(), (c) => c.text("Dashboard"));
+    app.get("/settings", requireAuth(), (c) => c.text("Settings"));
-    const res = await app.request("/dash");
+    const res = await app.request("/settings");
     expect(res.status).toBe(200);
-    expect(await res.text()).toBe("Dashboard");
+    expect(await res.text()).toBe("Settings");
   });
   it("redirects unauthenticated requests to /signin", async () => {
@@ -41,9 +67,9 @@ describe("requireAuth", () => {
       c.set("auth", createMockAuth(false));
       await next();
     });
-    app.get("/dash", requireAuth(), (c) => c.text("Dashboard"));
+    app.get("/settings", requireAuth(), (c) => c.text("Settings"));
-    const res = await app.request("/dash", { redirect: "manual" });
+    const res = await app.request("/settings", { redirect: "manual" });
     expect(res.status).toBe(302);
     expect(res.headers.get("Location")).toBe("/signin");
   });
@@ -54,20 +80,23 @@ describe("requireAuth", () => {
       c.set("auth", createMockAuth(false));
       await next();
     });
-    app.get("/dash", requireAuth("/login"), (c) => c.text("Dashboard"));
+    app.get("/settings", requireAuth("/login"), (c) => c.text("Settings"));
-    const res = await app.request("/dash", { redirect: "manual" });
+    const res = await app.request("/settings", { redirect: "manual" });
     expect(res.status).toBe(302);
     expect(res.headers.get("Location")).toBe("/login");
   });
 });
 describe("requireAuthApi", () => {
-  it("allows authenticated requests", async () => {
+  it("allows authenticated requests via session", async () => {
     const app = new Hono<Env>();
     app.onError(errorHandler);
     app.use("*", async (c, next) => {
       c.set("auth", createMockAuth(true));
+      c.set("services", {
+        apiTokens: createMockApiTokenService(),
+      } as AppVariables["services"]);
       await next();
     });
     app.get("/api/data", requireAuthApi(), (c) => c.json({ data: "secret" }));
@@ -79,11 +108,14 @@ describe("requireAuthApi", () => {
     expect(body.data).toBe("secret");
   });
-  it("returns 401 for unauthenticated requests", async () => {
+  it("returns 401 for unauthenticated requests without Bearer token", async () => {
     const app = new Hono<Env>();
     app.onError(errorHandler);
     app.use("*", async (c, next) => {
       c.set("auth", createMockAuth(false));
+      c.set("services", {
+        apiTokens: createMockApiTokenService(),
+      } as AppVariables["services"]);
       await next();
     });
     app.get("/api/data", requireAuthApi(), (c) => c.json({ data: "secret" }));
@@ -107,6 +139,9 @@ describe("requireAuthApi", () => {
           },
         },
       } as AppVariables["auth"]);
+      c.set("services", {
+        apiTokens: createMockApiTokenService(),
+      } as AppVariables["services"]);
       await next();
     });
     app.get("/api/data", requireAuthApi(), (c) => c.json({ data: "secret" }));
@@ -114,4 +149,149 @@ describe("requireAuthApi", () => {
     const res = await app.request("/api/data");
     expect(res.status).toBe(401);
   });
+  it("allows requests with valid Bearer token when session auth fails", async () => {
+    const validToken = "jnt_abc123";
+    const mockApiTokens = createMockApiTokenService(validToken);
+    const app = new Hono<Env>();
+    app.onError(errorHandler);
+    app.use("*", async (c, next) => {
+      c.set("auth", createMockAuth(false));
+      c.set("services", {
+        apiTokens: mockApiTokens,
+      } as AppVariables["services"]);
+      await next();
+    });
+    app.get("/api/data", requireAuthApi(), (c) => c.json({ data: "secret" }));
+    const res = await app.request("/api/data", {
+      headers: { Authorization: `Bearer ${validToken}` },
+    });
+    expect(res.status).toBe(200);
+    const body = await res.json();
+    expect(body.data).toBe("secret");
+    expect(mockApiTokens.verify).toHaveBeenCalledWith(validToken);
+    expect(mockApiTokens.updateLastUsed).toHaveBeenCalledWith("token-id-1");
+  });
+  it("returns 401 for invalid Bearer token", async () => {
+    const mockApiTokens = createMockApiTokenService("jnt_valid");
+    const app = new Hono<Env>();
+    app.onError(errorHandler);
+    app.use("*", async (c, next) => {
+      c.set("auth", createMockAuth(false));
+      c.set("services", {
+        apiTokens: mockApiTokens,
+      } as AppVariables["services"]);
+      await next();
+    });
+    app.get("/api/data", requireAuthApi(), (c) => c.json({ data: "secret" }));
+    const res = await app.request("/api/data", {
+      headers: { Authorization: "Bearer jnt_invalid" },
+    });
+    expect(res.status).toBe(401);
+    expect(mockApiTokens.verify).toHaveBeenCalledWith("jnt_invalid");
+  });
+  it("prefers session auth over Bearer token", async () => {
+    const mockApiTokens = createMockApiTokenService("jnt_valid");
+    const app = new Hono<Env>();
+    app.onError(errorHandler);
+    app.use("*", async (c, next) => {
+      c.set("auth", createMockAuth(true));
+      c.set("services", {
+        apiTokens: mockApiTokens,
+      } as AppVariables["services"]);
+      await next();
+    });
+    app.get("/api/data", requireAuthApi(), (c) => c.json({ data: "secret" }));
+    const res = await app.request("/api/data", {
+      headers: { Authorization: "Bearer jnt_valid" },
+    });
+    expect(res.status).toBe(200);
+    // Should not check the token since session auth succeeded
+    expect(mockApiTokens.verify).not.toHaveBeenCalled();
+  });
+  it("allows DEV_API_TOKEN on localhost", async () => {
+    const devToken = "jnt_dev_test123";
+    const mockApiTokens = createMockApiTokenService();
+    const app = new Hono<Env>();
+    app.onError(errorHandler);
+    app.use("*", async (c, next) => {
+      c.env = { ...c.env, DEV_API_TOKEN: devToken } as Bindings;
+      c.set("auth", createMockAuth(false));
+      c.set("services", {
+        apiTokens: mockApiTokens,
+      } as AppVariables["services"]);
+      await next();
+    });
+    app.get("/api/data", requireAuthApi(), (c) => c.json({ data: "secret" }));
+    const res = await app.request("http://localhost:9020/api/data", {
+      headers: { Authorization: `Bearer ${devToken}` },
+    });
+    expect(res.status).toBe(200);
+    // Should NOT hit DB verification
+    expect(mockApiTokens.verify).not.toHaveBeenCalled();
+  });
+  it("rejects DEV_API_TOKEN on non-local hostname", async () => {
+    const devToken = "jnt_dev_test123";
+    const mockApiTokens = createMockApiTokenService();
+    const app = new Hono<Env>();
+    app.onError(errorHandler);
+    app.use("*", async (c, next) => {
+      c.env = { ...c.env, DEV_API_TOKEN: devToken } as Bindings;
+      c.set("auth", createMockAuth(false));
+      c.set("services", {
+        apiTokens: mockApiTokens,
+      } as AppVariables["services"]);
+      await next();
+    });
+    app.get("/api/data", requireAuthApi(), (c) => c.json({ data: "secret" }));
+    const res = await app.request("https://myblog.com/api/data", {
+      headers: { Authorization: `Bearer ${devToken}` },
+    });
+    expect(res.status).toBe(401);
+    // Falls through to normal DB verification (which also fails)
+    expect(mockApiTokens.verify).toHaveBeenCalledWith(devToken);
+  });
+  it("allows DEV_API_TOKEN on *.localtest.me", async () => {
+    const devToken = "jnt_dev_test123";
+    const mockApiTokens = createMockApiTokenService();
+    const app = new Hono<Env>();
+    app.onError(errorHandler);
+    app.use("*", async (c, next) => {
+      c.env = { ...c.env, DEV_API_TOKEN: devToken } as Bindings;
+      c.set("auth", createMockAuth(false));
+      c.set("services", {
+        apiTokens: mockApiTokens,
+      } as AppVariables["services"]);
+      await next();
+    });
+    app.get("/api/data", requireAuthApi(), (c) => c.json({ data: "secret" }));
+    const res = await app.request("https://jant.localtest.me/api/data", {
+      headers: { Authorization: `Bearer ${devToken}` },
+    });
+    expect(res.status).toBe(200);
+    expect(mockApiTokens.verify).not.toHaveBeenCalled();
+  });
 });

package/src/middleware/__tests__/onboarding.test.ts CHANGED Viewed

@@ -31,14 +31,14 @@ function createApp(complete: boolean) {
   // Register routes for testing
   app.get("/", (c) => c.text("Home"));
-  app.get("/dash", (c) => c.text("Dashboard"));
-  app.get("/dash/posts", (c) => c.text("Posts"));
+  app.get("/settings", (c) => c.text("Settings"));
+  app.get("/settings/general", (c) => c.text("General"));
   app.get("/archive", (c) => c.text("Archive"));
   app.get("/p/abc", (c) => c.text("Post"));
   app.get("/setup", (c) => c.text("Setup"));
   app.get("/health", (c) => c.text("OK"));
   app.get("/signin", (c) => c.text("Signin"));
-  app.get("/signout", (c) => c.text("Signout"));
+  app.post("/signout", (c) => c.text("Signout"));
   app.get("/reset", (c) => c.text("Reset"));
   app.get("/api/auth/session", (c) => c.json({ ok: true }));
   app.get("/assets/client-B2b-1X3C.js", (c) => c.text("js"));
@@ -63,16 +63,18 @@ describe("requireOnboarding", () => {
       expect(res.headers.get("Location")).toBe("/setup");
     });
-    it("redirects /dash to /setup when onboarding not complete", async () => {
+    it("redirects /settings to /setup when onboarding not complete", async () => {
       const { app } = createApp(false);
-      const res = await app.request("/dash", { redirect: "manual" });
+      const res = await app.request("/settings", { redirect: "manual" });
       expect(res.status).toBe(302);
       expect(res.headers.get("Location")).toBe("/setup");
     });
-    it("redirects /dash/* to /setup when onboarding not complete", async () => {
+    it("redirects /settings/* to /setup when onboarding not complete", async () => {
       const { app } = createApp(false);
-      const res = await app.request("/dash/posts", { redirect: "manual" });
+      const res = await app.request("/settings/general", {
+        redirect: "manual",
+      });
       expect(res.status).toBe(302);
       expect(res.headers.get("Location")).toBe("/setup");
     });
@@ -105,7 +107,7 @@ describe("requireOnboarding", () => {
     await app.request("/");
     expect(getCallCount()).toBe(1);
-    await app.request("/dash");
+    await app.request("/settings");
     expect(getCallCount()).toBe(1); // still 1 — cached
   });
@@ -115,7 +117,7 @@ describe("requireOnboarding", () => {
     await app.request("/", { redirect: "manual" });
     expect(getCallCount()).toBe(1);
-    await app.request("/dash", { redirect: "manual" });
+    await app.request("/settings", { redirect: "manual" });
     expect(getCallCount()).toBe(2); // queried again
   });
@@ -136,7 +138,7 @@ describe("requireOnboarding", () => {
     it("allows /signout", async () => {
       const { app, getCallCount } = createApp(false);
-      const res = await app.request("/signout");
+      const res = await app.request("/signout", { method: "POST" });
       expect(res.status).toBe(200);
       expect(getCallCount()).toBe(0);
     });

package/src/middleware/auth.ts CHANGED Viewed

@@ -1,19 +1,42 @@
 /**
  * Authentication Middleware
  *
- * Protects routes by requiring authentication
+ * Protects routes by requiring authentication via session cookies
+ * or Bearer API tokens.
  */
 import type { MiddlewareHandler } from "hono";
 import type { Bindings } from "../types.js";
 import type { AppVariables } from "../types/app-context.js";
-import { DomainError, UnauthorizedError } from "../lib/errors.js";
+import { UnauthorizedError } from "../lib/errors.js";
 type Env = { Bindings: Bindings; Variables: AppVariables };
+/**
+ * Checks whether a hostname is local (dev environment).
+ *
+ * @param hostname - The hostname to check
+ * @returns `true` for localhost, 127.0.0.1, ::1, and *.localtest.me
+ *
+ * @example
+ * ```ts
+ * isLocalHostname("localhost") // true
+ * isLocalHostname("myblog.com") // false
+ * ```
+ */
+export function isLocalHostname(hostname: string): boolean {
+  return (
+    hostname === "localhost" ||
+    hostname === "127.0.0.1" ||
+    hostname === "::1" ||
+    hostname.endsWith(".localtest.me")
+  );
+}
 /**
  * Middleware that requires authentication.
  * Redirects to signin page if not authenticated.
+ * Session-only — Bearer tokens are not accepted for dashboard pages.
  */
 export function requireAuth(redirectTo = "/signin"): MiddlewareHandler<Env> {
   return async (c, next) => {
@@ -35,23 +58,54 @@ export function requireAuth(redirectTo = "/signin"): MiddlewareHandler<Env> {
 /**
  * Middleware for API routes that requires authentication.
- * Returns 401 if not authenticated.
+ * Tries session auth first, then falls back to Bearer API token.
+ * Returns 401 if neither method succeeds.
  */
 export function requireAuthApi(): MiddlewareHandler<Env> {
   return async (c, next) => {
+    // 1. Try session auth (existing behavior)
     try {
       const session = await c.var.auth.api.getSession({
         headers: c.req.raw.headers,
       });
-      if (!session?.user) {
-        throw new UnauthorizedError();
+      if (session?.user) {
+        await next();
+        return;
       }
+    } catch {
+      // Session check failed — fall through to Bearer token
+    }
-      await next();
-    } catch (err) {
-      if (err instanceof DomainError) throw err;
-      throw new UnauthorizedError();
+    // 2. Try Bearer token auth
+    const authHeader = c.req.header("Authorization");
+    if (authHeader?.startsWith("Bearer ")) {
+      const rawToken = authHeader.slice(7);
+      // Dev shortcut: bypass DB lookup when DEV_API_TOKEN matches on a local hostname
+      const devToken = c.env?.DEV_API_TOKEN;
+      if (devToken && rawToken === devToken) {
+        const hostname = new URL(c.req.url).hostname;
+        if (isLocalHostname(hostname)) {
+          await next();
+          return;
+        }
+      }
+      const tokenId = await c.var.services.apiTokens.verify(rawToken);
+      if (tokenId) {
+        // Fire-and-forget last-used update (non-blocking)
+        const updatePromise = c.var.services.apiTokens.updateLastUsed(tokenId);
+        try {
+          c.executionCtx.waitUntil(updatePromise);
+        } catch {
+          // executionCtx not available (e.g. in tests) — ignore
+        }
+        await next();
+        return;
+      }
     }
+    throw new UnauthorizedError();
   };
 }

package/src/middleware/error-handler.ts CHANGED Viewed

@@ -33,7 +33,7 @@ export const errorHandler: ErrorHandler<Env> = (err, c) => {
     // Unknown API error
     // eslint-disable-next-line no-console -- Server error logging is intentional
     console.error("[Jant] Unhandled error:", err);
-    return c.json({ error: "Internal server error" }, 500);
+    return c.json({ error: "Something went wrong on our end" }, 500);
   }
   // Datastar requests: return toast
@@ -43,7 +43,7 @@ export const errorHandler: ErrorHandler<Env> = (err, c) => {
     }
     // eslint-disable-next-line no-console -- Server error logging is intentional
     console.error("[Jant] Unhandled error:", err);
-    return dsToast("An unexpected error occurred", "error");
+    return dsToast("Something went wrong. Try refreshing the page.", "error");
   }
   // JSON-accepting requests (Lit bridges)
@@ -59,7 +59,7 @@ export const errorHandler: ErrorHandler<Env> = (err, c) => {
     }
     // eslint-disable-next-line no-console -- Server error logging is intentional
     console.error("[Jant] Unhandled error:", err);
-    return c.json({ error: "Internal server error" }, 500);
+    return c.json({ error: "Something went wrong on our end" }, 500);
   }
   // Non-API routes: map NotFoundError to Hono's built-in 404

package/src/middleware/onboarding.ts CHANGED Viewed

@@ -51,7 +51,7 @@ function shouldRedirect(path: string): boolean {
     path === "/" ||
     path === "/signin" ||
     path === "/reset" ||
-    path.startsWith("/dash")
+    path.startsWith("/settings")
   );
 }

package/src/middleware/secure-headers.ts ADDED Viewed

@@ -0,0 +1,40 @@
+/**
+ * Security Headers Middleware
+ *
+ * Adds Content-Security-Policy and other security headers via Hono's
+ * built-in secureHeaders middleware. Uses a baseline CSP that works with
+ * the current tech stack (Datastar, Lit, inline theme styles).
+ */
+import { secureHeaders } from "hono/secure-headers";
+import type { MiddlewareHandler } from "hono";
+import type { Bindings } from "../types.js";
+import type { AppVariables } from "../types/app-context.js";
+import { IS_VITE_DEV } from "../lib/version.js";
+type Env = { Bindings: Bindings; Variables: AppVariables };
+export function secureHeadersMiddleware(): MiddlewareHandler<Env> {
+  return secureHeaders({
+    contentSecurityPolicy: {
+      defaultSrc: ["'self'"],
+      scriptSrc: [
+        "'self'",
+        // Datastar evaluates expressions in data-on-* / data-signals attributes
+        "'unsafe-eval'",
+      ],
+      styleSrc: [
+        "'self'",
+        // Theme styles and custom CSS are injected as inline <style> tags
+        "'unsafe-inline'",
+      ],
+      imgSrc: ["'self'", "data:", "blob:", "https:"],
+      fontSrc: ["'self'"],
+      connectSrc: IS_VITE_DEV ? ["'self'", "ws:"] : ["'self'"],
+      frameSrc: ["'none'"],
+      objectSrc: ["'none'"],
+      baseUri: ["'self'"],
+      formAction: ["'self'"],
+    },
+  });
+}

package/src/preset.css CHANGED Viewed

@@ -13,6 +13,12 @@
 @import "./styles/tokens.css";
 @import "./styles/ui.css";
+/*
+ * Override BaseCoat's class-based dark mode with media-query-based.
+ * Jant follows system preference automatically — no manual toggle.
+ */
+@custom-variant dark (@media (prefers-color-scheme: dark));
 @theme {
   --radius-default: 0.5rem;
   --color-success: var(--success);
@@ -24,8 +30,45 @@
   --success: oklch(0.518 0.16 145.071);
 }
-.dark {
-  --success: oklch(0.627 0.194 149.214);
+/*
+ * BaseCoat dark mode fallback — mirrors BaseCoat's `.dark { }` variables
+ * via media query so dark mode works without JS class toggling.
+ * These are overridden by the active color theme (higher specificity).
+ *
+ * Source: basecoat-css@0.3.11 .dark { } block
+ */
+@media (prefers-color-scheme: dark) {
+  :root {
+    color-scheme: dark;
+    --background: oklch(0.145 0 0);
+    --foreground: oklch(0.985 0 0);
+    --card: oklch(0.205 0 0);
+    --card-foreground: oklch(0.985 0 0);
+    --popover: oklch(0.269 0 0);
+    --popover-foreground: oklch(0.985 0 0);
+    --primary: oklch(0.922 0 0);
+    --primary-foreground: oklch(0.205 0 0);
+    --secondary: oklch(0.269 0 0);
+    --secondary-foreground: oklch(0.985 0 0);
+    --muted: oklch(0.269 0 0);
+    --muted-foreground: oklch(0.708 0 0);
+    --accent: oklch(0.371 0 0);
+    --accent-foreground: oklch(0.985 0 0);
+    --destructive: oklch(0.704 0.191 22.216);
+    --border: oklch(1 0 0 / 10%);
+    --input: oklch(1 0 0 / 15%);
+    --ring: oklch(0.556 0 0);
+    --sidebar: oklch(0.205 0 0);
+    --sidebar-foreground: oklch(0.985 0 0);
+    --sidebar-primary: oklch(0.488 0.243 264.376);
+    --sidebar-primary-foreground: oklch(0.985 0 0);
+    --sidebar-accent: oklch(0.269 0 0);
+    --sidebar-accent-foreground: oklch(0.985 0 0);
+    --sidebar-border: oklch(1 0 0 / 10%);
+    --sidebar-ring: oklch(0.439 0 0);
+    --scrollbar-thumb: rgba(255, 255, 255, 0.3);
+    --success: oklch(0.627 0.194 149.214);
+  }
 }
 /**
@@ -73,4 +116,42 @@
   :where(h1, h2, h3, h4, h5, h6) {
     font-family: var(--font-heading);
   }
+  /* Image figures */
+  figure {
+    margin: 1.5em 0;
+  }
+  figure img {
+    width: 100%;
+    max-height: 500px;
+    object-fit: contain;
+    border-radius: 6px;
+    cursor: pointer;
+  }
+  figcaption {
+    text-align: center;
+    font-size: 0.875rem;
+    color: var(--tw-prose-captions);
+    margin-top: 0.5em;
+  }
+  /* Layout variants — center-breakout via margin+transform (no scrollbars) */
+  figure[data-layout="wide"] {
+    width: 1200px;
+    max-width: 100vw;
+    margin-left: 50%;
+    transform: translateX(-50%);
+  }
+  figure[data-layout="full"] {
+    width: 100vw;
+    margin-left: 50%;
+    transform: translateX(-50%);
+  }
+  figure[data-layout="full"] img {
+    border-radius: 0;
+  }
 }