@jant/core 0.3.42 → 0.3.44

package/src/lib/feed.ts

@@ -10,12 +10,7 @@
  * ```
  */
 
-import type {
-  FeedData,
-  FeedPostView,
-  PostView,
-  SitemapData,
-} from "../types.js";
+import type { FeedData, FeedPostView, PostView } from "../types.js";
 import { extractDisplayDomain } from "./url.js";
 
 /**
@@ -242,40 +237,81 @@ export function defaultFeedRenderer(data: FeedData): string {
 }
 
 /**
- * Default Sitemap renderer.
- *
- * @param data - Sitemap data with PostView[]
- * @returns Sitemap XML string
+ * Maximum URLs per sitemap shard. The sitemap.xml spec allows up to 50,000
+ * per file; 500 keeps individual shards cheap to generate on D1 and makes old
+ * (already-filled) shards small enough to cache aggressively at the edge.
  */
-export function defaultSitemapRenderer(data: SitemapData): string {
-  const { siteUrl, sitemapUrl, posts } = data;
+export const SITEMAP_SHARD_SIZE = 500;
 
-  const postUrls = posts
-    .map((post) => {
-      const loc = escapeXml(new URL(post.permalink, siteUrl).toString());
-      const lastmod = post.updatedAt.split("T")[0];
-      const priority = post.featured ? "0.8" : "0.6";
+/** One `<url>` entry inside a sitemap `<urlset>`. */
+export interface SitemapUrlEntry {
+  loc: string;
+  /** ISO date (YYYY-MM-DD) or full ISO datetime */
+  lastmod?: string;
+  changefreq?:
+    | "always"
+    | "hourly"
+    | "daily"
+    | "weekly"
+    | "monthly"
+    | "yearly"
+    | "never";
+  /** "0.0" – "1.0" */
+  priority?: string;
+}
 
-      return `
-  <url>
-    <loc>${loc}</loc>
-    <lastmod>${lastmod}</lastmod>
-    <priority>${priority}</priority>
-  </url>`;
-    })
-    .join("");
+/** One `<sitemap>` entry inside a `<sitemapindex>`. */
+export interface SitemapIndexEntry {
+  loc: string;
+  lastmod?: string;
+}
 
-  const homepageUrl = `
-  <url>
-    <loc>${escapeXml(siteUrl)}</loc>
-    <priority>1.0</priority>
-    <changefreq>daily</changefreq>
-  </url>`;
+/**
+ * Render a sitemap `<urlset>` XML document from a list of URL entries.
+ *
+ * Used by the sharded sitemap endpoints in `routes/feed/sitemap.ts`.
+ */
+export function renderSitemapUrlSet(entries: SitemapUrlEntry[]): string {
+  const urls = entries
+    .map((entry) => {
+      const parts = [`    <loc>${escapeXml(entry.loc)}</loc>`];
+      if (entry.lastmod) {
+        parts.push(`    <lastmod>${escapeXml(entry.lastmod)}</lastmod>`);
+      }
+      if (entry.changefreq) {
+        parts.push(
+          `    <changefreq>${escapeXml(entry.changefreq)}</changefreq>`,
+        );
+      }
+      if (entry.priority) {
+        parts.push(`    <priority>${escapeXml(entry.priority)}</priority>`);
+      }
+      return `  <url>\n${parts.join("\n")}\n  </url>`;
+    })
+    .join("\n");
 
   return `<?xml version="1.0" encoding="UTF-8"?>
 <urlset xmlns="http://www.sitemaps.org/schemas/sitemap/0.9">
-  <!-- Generated from ${escapeXml(sitemapUrl)} -->
-  ${homepageUrl}
-  ${postUrls}
+${urls}
 </urlset>`;
 }
+
+/**
+ * Render a `<sitemapindex>` XML document listing shard sitemap URLs.
+ */
+export function renderSitemapIndex(entries: SitemapIndexEntry[]): string {
+  const items = entries
+    .map((entry) => {
+      const parts = [`    <loc>${escapeXml(entry.loc)}</loc>`];
+      if (entry.lastmod) {
+        parts.push(`    <lastmod>${escapeXml(entry.lastmod)}</lastmod>`);
+      }
+      return `  <sitemap>\n${parts.join("\n")}\n  </sitemap>`;
+    })
+    .join("\n");
+
+  return `<?xml version="1.0" encoding="UTF-8"?>
+<sitemapindex xmlns="http://www.sitemaps.org/schemas/sitemap/0.9">
+${items}
+</sitemapindex>`;
+}

package/src/lib/hosted-signin.ts

@@ -3,10 +3,15 @@ import {
   getHostedControlPlaneProviderLabel as getConfiguredHostedControlPlaneProviderLabel,
   getSiteResolutionMode,
 } from "./env.js";
+import { isSafeInternalRedirect } from "./url.js";
 
-function getHostedAdminContinuationPath(publicRequestUrl: string): string {
+function getHostedAdminContinuationPath(
+  publicRequestUrl: string,
+  redirect?: string,
+): string {
   const currentHost = new URL(publicRequestUrl).host;
-  return `/auth/handoff/start?host=${encodeURIComponent(currentHost)}&redirect=${encodeURIComponent("/")}`;
+  const safeRedirect = isSafeInternalRedirect(redirect) ? redirect : "/";
+  return `/auth/handoff/start?host=${encodeURIComponent(currentHost)}&redirect=${encodeURIComponent(safeRedirect)}`;
 }
 
 function buildHostedControlPlaneUrl(
@@ -31,11 +36,12 @@ function buildHostedControlPlaneUrl(
 export function getHostedControlPlaneSigninUrl(
   env: object | undefined | null,
   publicRequestUrl: string,
+  redirect?: string,
 ): string | null {
   return buildHostedControlPlaneUrl(
     env,
     "/auth/handoff/start",
-    getHostedAdminContinuationPath(publicRequestUrl).replace(
+    getHostedAdminContinuationPath(publicRequestUrl, redirect).replace(
       /^\/auth\/handoff\/start/,
       "",
     ),

package/src/lib/icons.ts

@@ -36,3 +36,40 @@ export function getIconSvg(name: string): string | null {
   const svg = (lucideIcons as Record<string, string>)[pascalName];
   return typeof svg === "string" ? svg : null;
 }
+
+/**
+ * Get the inner SVG contents for a Lucide icon (the path children only,
+ * without the outer <svg> wrapper). Used by the icon sprite to build
+ * <symbol> definitions.
+ *
+ * @param name - Kebab-case icon name
+ * @returns Inner SVG markup (e.g. "<path ... />"), or null when unknown
+ *
+ * @example
+ * ```ts
+ * getIconInnerSvg("book-open");
+ * // -> "<path d=\"...\"/><path d=\"...\"/>"
+ * ```
+ */
+export function getIconInnerSvg(name: string): string | null {
+  const svg = getIconSvg(name);
+  if (!svg) return null;
+  // lucide-static output looks like:
+  //   <svg ... viewBox="0 0 24 24" ...><path .../>...<line .../></svg>
+  // Strip the outer <svg ...> and </svg>.
+  const openTagEnd = svg.indexOf(">");
+  const closeTagStart = svg.lastIndexOf("</svg>");
+  if (openTagEnd < 0 || closeTagStart < 0) return null;
+  return svg.slice(openTagEnd + 1, closeTagStart);
+}
+
+/**
+ * Default stroke/fill attributes inherited by <symbol> children when a
+ * lucide icon is referenced via <use>. These mirror the attributes lucide
+ * normally sets on the outer <svg> so the currentColor-based theming keeps
+ * working through <use>.
+ */
+export const LUCIDE_SYMBOL_ATTRS =
+  'fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"';
+
+export const LUCIDE_VIEWBOX = "0 0 24 24";

package/src/lib/navigation.ts

@@ -60,8 +60,15 @@ export function getHomeDefaultViewFromNavItems(
  * });
  * ```
  */
-export async function getNavigationData(c: Context): Promise<NavigationData> {
-  const items = await c.var.services.navItems.list();
+export async function getNavigationData(
+  c: Context,
+  options?: { preloadedItems?: NavItem[] },
+): Promise<NavigationData> {
+  // Callers that already fetched nav items (e.g. home route, which needs
+  // `homeDefaultView` before deciding which timeline to assemble) can pass
+  // them in to avoid a redundant DB round-trip.
+  const items =
+    options?.preloadedItems ?? (await c.var.services.navItems.list());
   const currentPath = c.var.publicPath;
   const appConfig = c.var.appConfig;
 
@@ -86,17 +93,9 @@ export async function getNavigationData(c: Context): Promise<NavigationData> {
   // Render footer markdown
   const siteFooterHtml = siteFooter ? renderMarkdown(siteFooter) : undefined;
 
-  // Check auth status (needed for compose button and system nav items)
-  let isAuthenticated = false;
+  // Auth state is populated once per request by `attachSession` middleware.
+  const isAuthenticated = c.var.isAuthenticated;
   let collections: Collection[] = [];
-  try {
-    const session = await c.var.auth.api.getSession({
-      headers: c.req.raw.headers,
-    });
-    isAuthenticated = !!session?.user;
-  } catch {
-    // Not authenticated
-  }
 
   // Compute freshness for collection nav items
   const collectionNavIds: string[] = [];

package/src/lib/post-meta.ts

@@ -1,9 +1,27 @@
 import type { Post } from "../types.js";
 import { extractDisplayDomain } from "./url.js";
+import { extractBodyText } from "./summary.js";
 
 const TITLE_MAX_CHARS = 72;
 const DESCRIPTION_MAX_CHARS = 160;
 
+/**
+ * Derive a clean plain-text projection of the body for human-facing meta.
+ *
+ * We cannot reuse `post.bodyText` here: that column is written with
+ * `includeLinkHrefs: true` so inline link URLs land in the FTS index, which
+ * pollutes the stored text with trailing URLs. Re-derive from the source
+ * TipTap JSON (`post.body`) without that option.
+ */
+function getCleanBodyText(post: Post): string {
+  // Prefer re-derivation from `post.body` (TipTap JSON). Fall back to
+  // `post.bodyText` only when `body` is absent (legacy rows / fixtures);
+  // without link marks in the source, there is no URL pollution to worry
+  // about.
+  if (post.body) return extractBodyText(post.body) ?? "";
+  return post.bodyText ?? "";
+}
+
 function normalizeText(text: string | null | undefined): string {
   return (text ?? "").replace(/\s+/g, " ").trim();
 }
@@ -49,7 +67,7 @@ function getTitleCandidate(post: Post): string {
   const summarySnippet = getFirstParagraph(post.summary);
   if (summarySnippet) return clipText(summarySnippet, TITLE_MAX_CHARS);
 
-  const bodySnippet = getFirstParagraph(post.bodyText);
+  const bodySnippet = getFirstParagraph(getCleanBodyText(post));
   if (bodySnippet) return clipText(bodySnippet, TITLE_MAX_CHARS);
 
   if (post.format === "link" && post.url) {
@@ -68,7 +86,7 @@ function getDescriptionCandidate(post: Post): string {
   const summaryText = normalizeText(post.summary);
   if (summaryText) return clipText(summaryText, DESCRIPTION_MAX_CHARS);
 
-  const bodyText = normalizeText(post.bodyText);
+  const bodyText = normalizeText(getCleanBodyText(post));
   if (bodyText) return clipText(bodyText, DESCRIPTION_MAX_CHARS);
 
   const quoteText = normalizeText(post.quoteText);

package/src/lib/rate-limit-d1.ts

@@ -0,0 +1,99 @@
+/**
+ * D1 Sliding-Window Rate Limiter
+ *
+ * Used by the Cloudflare Workers runtime where isolates are ephemeral and
+ * memory-based limiters would silently drop state between requests. Each
+ * check performs one SELECT (over a two-row range) plus one UPSERT — both
+ * hit a composite primary key so the round-trips are cheap.
+ *
+ * Algorithm: two-window weighted counter. The previous window's tally
+ * decays linearly as the current window fills, giving a smoother limit
+ * than a naive fixed window (which would allow a 2x burst at the
+ * boundary) while remaining a single-key storage primitive.
+ *
+ * For Node deployments use `createMemoryRateLimiter` instead.
+ */
+
+import { and, eq, inArray, lt, sql } from "drizzle-orm";
+import type { Database } from "../db/index.js";
+import type { DatabaseSchema } from "../db/schema-bundle.js";
+import type {
+  RateLimitCheckOptions,
+  RateLimitResult,
+  RateLimiter,
+} from "./rate-limit.js";
+
+/**
+ * Probability of running opportunistic cleanup on any given write.
+ * 1% strikes a balance between bounded table growth and per-request cost.
+ */
+const CLEANUP_PROBABILITY = 0.01;
+
+export function createD1RateLimiter(
+  db: Database,
+  schema: DatabaseSchema,
+  now: () => number = () => Math.floor(Date.now() / 1000),
+): RateLimiter {
+  const { rateLimit } = schema;
+
+  return {
+    async check(
+      key: string,
+      opts: RateLimitCheckOptions,
+    ): Promise<RateLimitResult> {
+      const { limit, windowSec } = opts;
+      const nowSec = now();
+      const currentWindow = Math.floor(nowSec / windowSec) * windowSec;
+      const previousWindow = currentWindow - windowSec;
+
+      const rows = await db
+        .select({
+          windowStart: rateLimit.windowStart,
+          count: rateLimit.count,
+        })
+        .from(rateLimit)
+        .where(
+          and(
+            eq(rateLimit.key, key),
+            inArray(rateLimit.windowStart, [currentWindow, previousWindow]),
+          ),
+        );
+
+      let currentCount = 0;
+      let previousCount = 0;
+      for (const row of rows) {
+        if (row.windowStart === currentWindow) currentCount = row.count;
+        else if (row.windowStart === previousWindow) previousCount = row.count;
+      }
+
+      const elapsed = nowSec - currentWindow;
+      const prevWeight = 1 - elapsed / windowSec;
+      const estimate = previousCount * prevWeight + currentCount;
+
+      if (estimate >= limit) {
+        // Don't record the rejected hit — otherwise a sustained flood
+        // would keep increasing `count` past the limit for no benefit.
+        const retryAfterSec = Math.max(1, windowSec - elapsed);
+        return { ok: false, retryAfterSec };
+      }
+
+      await db
+        .insert(rateLimit)
+        .values({ key, windowStart: currentWindow, count: 1 })
+        .onConflictDoUpdate({
+          target: [rateLimit.key, rateLimit.windowStart],
+          set: { count: sql`${rateLimit.count} + 1` },
+        });
+
+      // Opportunistic cleanup: keep the table bounded without writing
+      // a DELETE on every request.
+      if (Math.random() < CLEANUP_PROBABILITY) {
+        await db
+          .delete(rateLimit)
+          .where(lt(rateLimit.windowStart, currentWindow - windowSec * 2));
+      }
+
+      return { ok: true };
+    },
+  };
+}

package/src/lib/rate-limit-memory.ts

@@ -0,0 +1,105 @@
+/**
+ * In-Memory Rate Limiter
+ *
+ * Used by the Node runtime. The server process is long-lived and
+ * single-instance, so a local `Map` is reliable and avoids unnecessary DB
+ * round-trips. Uses the classic sliding-window-counter algorithm (two
+ * aligned buckets with a weighted estimate) for smooth limiting without
+ * the 2x boundary burst of a fixed window.
+ *
+ * On Cloudflare Workers use `createD1RateLimiter` instead — isolates are
+ * ephemeral and cannot share memory across requests.
+ */
+
+import type {
+  RateLimitCheckOptions,
+  RateLimitResult,
+  RateLimiter,
+} from "./rate-limit.js";
+
+interface Bucket {
+  /** Unix seconds, aligned to the start of the current window. */
+  windowStart: number;
+  /** Hits recorded in the current window. */
+  count: number;
+  /** Hits recorded in the previous window (used for weighted estimate). */
+  prevCount: number;
+}
+
+/**
+ * Number of live keys after which we prune old buckets on the next write.
+ * Keeps the Map bounded under abuse without paying for eager sweeps.
+ */
+const SWEEP_THRESHOLD = 10_000;
+
+/**
+ * Creates an isolated in-memory limiter. Tests construct one per test app;
+ * the Node runtime holds a single module-level instance across requests.
+ *
+ * `now` is injectable so tests can assert window-rollover behavior without
+ * relying on real time.
+ */
+export function createMemoryRateLimiter(
+  now: () => number = () => Math.floor(Date.now() / 1000),
+): RateLimiter {
+  const buckets = new Map<string, Bucket>();
+
+  function sweep(nowSec: number) {
+    if (buckets.size < SWEEP_THRESHOLD) return;
+    // Drop entries whose window is older than 2 windows in the past. We
+    // use the bucket's stored windowSize via the difference between prev
+    // hits existing and the current time; since the sweep runs rarely we
+    // simply drop anything with windowStart < nowSec - 2 * largestWindow.
+    // In practice callers use a single window size; we approximate by
+    // dropping anything more than 10 minutes stale, which is generous.
+    const cutoff = nowSec - 600;
+    for (const [key, bucket] of buckets) {
+      if (bucket.windowStart < cutoff) buckets.delete(key);
+    }
+  }
+
+  return {
+    async check(
+      key: string,
+      opts: RateLimitCheckOptions,
+    ): Promise<RateLimitResult> {
+      const { limit, windowSec } = opts;
+      const nowSec = now();
+      const currentWindow = Math.floor(nowSec / windowSec) * windowSec;
+
+      let bucket = buckets.get(key);
+      if (!bucket) {
+        bucket = { windowStart: currentWindow, count: 0, prevCount: 0 };
+        buckets.set(key, bucket);
+      } else if (bucket.windowStart !== currentWindow) {
+        // Roll forward: if exactly one window ago, preserve prev count for
+        // the weighted estimate; otherwise treat the gap as cold-start.
+        if (bucket.windowStart === currentWindow - windowSec) {
+          bucket.prevCount = bucket.count;
+        } else {
+          bucket.prevCount = 0;
+        }
+        bucket.count = 0;
+        bucket.windowStart = currentWindow;
+      }
+
+      const elapsed = nowSec - currentWindow;
+      const prevWeight = 1 - elapsed / windowSec;
+      const estimate = bucket.prevCount * prevWeight + bucket.count;
+
+      if (estimate >= limit) {
+        // Suggest waiting until the current window ends. This is
+        // deliberately coarse; a more precise retry-after would require
+        // computing when the weighted estimate drops back under the
+        // limit, which is more complexity than this DoS-mitigation
+        // feature warrants.
+        const retryAfterSec = Math.max(1, windowSec - elapsed);
+        return { ok: false, retryAfterSec };
+      }
+
+      bucket.count += 1;
+      sweep(nowSec);
+      return { ok: true };
+    },
+  };
+}

package/src/lib/rate-limit.ts

@@ -0,0 +1,63 @@
+/**
+ * Rate Limiting Abstraction
+ *
+ * Shared interface for per-key rate limiting. Runtimes provide their own
+ * implementation: Cloudflare Workers uses a D1-backed sliding-window table
+ * (ephemeral isolates can't hold memory state), while Node uses an
+ * in-process Map (the process is persistent and avoids DB round-trips).
+ *
+ * Consumers depend only on this interface; they are runtime-agnostic.
+ */
+
+import type { Context } from "hono";
+
+export interface RateLimitCheckOptions {
+  /** Max requests allowed within `windowSec`. */
+  limit: number;
+  /** Sliding window size in seconds. */
+  windowSec: number;
+}
+
+export interface RateLimitResult {
+  /** True when the request is under the limit (already counted). */
+  ok: boolean;
+  /**
+   * When `ok` is false, suggested seconds the client should wait before
+   * retrying. Implementations may return the full window as a safe default.
+   */
+  retryAfterSec?: number;
+}
+
+export interface RateLimiter {
+  /**
+   * Records a hit against `key` and reports whether the request is under
+   * the configured limit. Implementations must be race-safe enough that
+   * concurrent callers cannot durably exceed the limit.
+   */
+  check(key: string, opts: RateLimitCheckOptions): Promise<RateLimitResult>;
+}
+
+/**
+ * Extracts the client IP from a Hono request context.
+ *
+ * On Cloudflare Workers, `cf-connecting-ip` is set by the edge and is
+ * authoritative. On Node deployments we fall back to the leftmost
+ * `x-forwarded-for` entry, which is the conventional client IP when the
+ * app sits behind a single trusted proxy. When neither header is
+ * available we return `"unknown"` so all such requests share a bucket —
+ * preferable to skipping the rate limit entirely.
+ *
+ * Note: this helper does not verify proxy trust. It is used for DoS
+ * protection, not authentication. If header-forgery resistance becomes
+ * important, gate the `x-forwarded-for` branch on `shouldTrustProxy`.
+ */
+export function getClientIp(c: Context): string {
+  const cf = c.req.header("cf-connecting-ip");
+  if (cf) return cf;
+  const fwd = c.req.header("x-forwarded-for");
+  if (fwd) {
+    const first = fwd.split(",")[0]?.trim();
+    if (first) return first;
+  }
+  return "unknown";
+}

package/src/lib/render.tsx

@@ -24,6 +24,13 @@ export interface RenderPublicPageOptions {
   appleTouchHref?: string;
   /** Optional explicit social image href */
   socialImageUrl?: string;
+  /**
+   * Absolute canonical URL for this page. Forwarded to `BaseLayout` and
+   * rendered as `<link rel="canonical">`. Only set when the page has a
+   * different canonical location (e.g. thread reply pages point back to the
+   * thread root).
+   */
+  canonicalHref?: string;
   /** Navigation data (from getNavigationData) */
   navData: NavigationData;
   /** Page content JSX to render inside SiteLayout */
@@ -66,6 +73,7 @@ export function renderPublicPage(c: Context, options: RenderPublicPageOptions) {
     faviconHref,
     appleTouchHref,
     socialImageUrl,
+    canonicalHref,
     navData,
     content,
     sidebar,
@@ -116,6 +124,7 @@ export function renderPublicPage(c: Context, options: RenderPublicPageOptions) {
       faviconHref={faviconHref}
       appleTouchHref={appleTouchHref}
       socialImageUrl={socialImageUrl}
+      canonicalHref={canonicalHref}
       faviconUrl={faviconUrl}
       faviconVersion={faviconVersion}
       noindex={noindex}

package/src/lib/resolve-config.ts

@@ -228,6 +228,15 @@ export function resolveConfig(
     siteAvatarUrl,
     faviconVersion: allSettings["SITE_FAVICON_VERSION"] ?? "",
 
+    // Rate limiting (ENV only). Defaults are conservative enough for a
+    // human typing in the search UI but reject bot floods.
+    rateLimit: {
+      disabled: getEnvString(env, "RATE_LIMIT_DISABLED") === "true",
+      searchPerMinute:
+        parseInt(getEnvString(env, "RATE_LIMIT_SEARCH_PER_MIN") ?? "30", 10) ||
+        30,
+    },
+
     // Settings form placeholders (ENV > Default, without DB)
     fallbacks: {
       siteName: resolveFallback("SITE_NAME", env),