@jant/core 0.3.46 → 0.3.47

package/src/middleware/secure-headers.ts

@@ -47,6 +47,20 @@ function shouldBlockFraming(path: string): boolean {
   );
 }
 
+/**
+ * Paths whose responses are not HTML rendered by `BaseLayout` and therefore
+ * never carry author-pasted `customHeadHtml` / `customBodyEndHtml`. Skipping
+ * the settings lookup for these avoids two DB roundtrips on every static
+ * asset request.
+ */
+function couldRenderCodeInjection(path: string): boolean {
+  if (shouldBlockFraming(path)) return false;
+  if (path === "/favicon.ico" || path === "/apple-touch-icon.png") return false;
+  if (path === "/healthz" || path === "/readyz") return false;
+  if (path.startsWith("/media/") || path.startsWith("/sites/")) return false;
+  return true;
+}
+
 function tryGetOrigin(value: string | undefined): string | null {
   if (!value) return null;
   try {
@@ -109,6 +123,7 @@ function toHonoCspOptions(
 function buildSecureHeadersOptions(
   path: string,
   env: Bindings,
+  allowInlineScript: boolean,
 ): SecureHeadersOptions {
   const directives = buildCspDirectives({
     path,
@@ -116,6 +131,7 @@ function buildSecureHeadersOptions(
     assetOrigin: tryGetOrigin(getEnvString(env, "ASSET_BASE_URL")),
     uploadConnectSources: getDirectUploadConnectSources(env),
     isDev: IS_VITE_DEV,
+    allowInlineScript,
   });
 
   return {
@@ -134,8 +150,38 @@ function buildSecureHeadersOptions(
   };
 }
 
+/**
+ * Probe the settings service for any author-saved code injection. Resolves to
+ * `false` whenever the lookup is unavailable (e.g. in unit tests that skip the
+ * runtime middleware) or the path can't render `BaseLayout`.
+ *
+ * Costs two settings reads on public HTML routes; static asset and
+ * frame-protected paths are short-circuited above.
+ */
+async function detectInlineScriptOptIn(
+  path: string,
+  settings: { get(key: string): Promise<string | null> } | undefined,
+): Promise<boolean> {
+  if (!settings) return false;
+  if (!couldRenderCodeInjection(path)) return false;
+  const [head, bodyEnd] = await Promise.all([
+    settings.get("CUSTOM_HEAD_HTML"),
+    settings.get("CUSTOM_BODY_END_HTML"),
+  ]);
+  return Boolean(head?.trim() || bodyEnd?.trim());
+}
+
 export function secureHeadersMiddleware(): MiddlewareHandler<Env> {
   return async (c, next) => {
-    return secureHeaders(buildSecureHeadersOptions(c.req.path, c.env))(c, next);
+    // `services` is set by the runtime bootstrap middleware. Cast through
+    // `undefined` so unit tests that skip that middleware still work.
+    const services = c.var.services as AppVariables["services"] | undefined;
+    const allowInlineScript = await detectInlineScriptOptIn(
+      c.req.path,
+      services?.settings,
+    );
+    return secureHeaders(
+      buildSecureHeadersOptions(c.req.path, c.env, allowInlineScript),
+    )(c, next);
   };
 }

package/src/node/__tests__/cli-runtime-target.test.ts

@@ -1,5 +1,12 @@
-import { describe, expect, it } from "vitest";
-import { resolveCliRuntime } from "../../../bin/lib/runtime-target.js";
+import { mkdtempSync, writeFileSync } from "node:fs";
+import { tmpdir } from "node:os";
+import { join } from "node:path";
+import { afterEach, beforeEach, describe, expect, it, vi } from "vitest";
+import { loadNodeEnvFile } from "../../../bin/lib/node-env.js";
+import {
+  formatRuntimeBanner,
+  resolveCliRuntime,
+} from "../../../bin/lib/runtime-target.js";
 
 describe("resolveCliRuntime", () => {
   it("prefers the Node database runtime when DATABASE_URL is present", () => {
@@ -34,4 +41,105 @@ describe("resolveCliRuntime", () => {
       /Choose only one of --local, --remote/,
     );
   });
+
+  it("forces the Node runtime when --node is passed even without DATABASE_URL", () => {
+    expect(resolveCliRuntime({ node: true }, {})).toBe("node");
+  });
+});
+
+describe("loadNodeEnvFile", () => {
+  let tmpDir: string;
+
+  beforeEach(() => {
+    tmpDir = mkdtempSync(join(tmpdir(), "jant-env-"));
+  });
+
+  it("assigns missing keys but never overwrites existing ones", () => {
+    const envPath = join(tmpDir, ".env.node");
+    writeFileSync(
+      envPath,
+      [
+        "# comment",
+        "",
+        "DATABASE_URL=postgres://example/db",
+        "AUTH_SECRET=already-set-in-shell",
+      ].join("\n"),
+    );
+
+    const env: Record<string, string> = {
+      AUTH_SECRET: "shell-wins",
+    };
+    const result = loadNodeEnvFile(envPath, env);
+
+    expect(result.found).toBe(true);
+    expect(result.assignedKeys).toEqual(["DATABASE_URL"]);
+    expect(result.skippedKeys).toEqual(["AUTH_SECRET"]);
+    expect(env.DATABASE_URL).toBe("postgres://example/db");
+    expect(env.AUTH_SECRET).toBe("shell-wins");
+  });
+
+  it("returns found=false when the file does not exist", () => {
+    const result = loadNodeEnvFile(join(tmpDir, "missing"));
+    expect(result.found).toBe(false);
+    expect(result.assignedKeys).toEqual([]);
+  });
+
+  it("strips matching surrounding quotes from values", () => {
+    const envPath = join(tmpDir, ".env.node");
+    writeFileSync(
+      envPath,
+      [
+        'STORAGE_DRIVER="local"',
+        "SITE_NAME='Quoted Title'",
+        "PUBLIC_URL=https://example.com",
+        'MIXED="left only',
+      ].join("\n"),
+    );
+
+    const env: Record<string, string> = {};
+    loadNodeEnvFile(envPath, env);
+
+    expect(env.STORAGE_DRIVER).toBe("local");
+    expect(env.SITE_NAME).toBe("Quoted Title");
+    expect(env.PUBLIC_URL).toBe("https://example.com");
+    expect(env.MIXED).toBe('"left only');
+  });
+});
+
+describe("formatRuntimeBanner", () => {
+  const originalLog = console.log;
+  beforeEach(() => {
+    console.log = vi.fn();
+  });
+  afterEach(() => {
+    console.log = originalLog;
+  });
+
+  it("describes a postgres node target", () => {
+    const banner = formatRuntimeBanner("node", {
+      DATABASE_URL: "postgresql://app@db.local:5432/jant_main",
+    });
+    expect(banner).toBe(
+      "[jant] target = node (postgresql db.local:5432/jant_main)",
+    );
+  });
+
+  it("describes a sqlite node target", () => {
+    const banner = formatRuntimeBanner("node", {
+      DATABASE_URL: "file:./local.sqlite",
+    });
+    expect(banner).toBe("[jant] target = node (sqlite file:./local.sqlite)");
+  });
+
+  it("describes wrangler local D1", () => {
+    expect(formatRuntimeBanner("d1-local", {})).toBe(
+      "[jant] target = local D1 (wrangler)",
+    );
+  });
+
+  it("describes wrangler remote D1", () => {
+    expect(formatRuntimeBanner("d1-remote", {})).toBe(
+      "[jant] target = remote D1 (wrangler)",
+    );
+  });
 });

package/src/node/__tests__/cli-site-snapshot.test.ts

@@ -1,3 +1,4 @@
+import { existsSync } from "node:fs";
 import { mkdir, mkdtemp, readFile, rm, writeFile } from "node:fs/promises";
 import { tmpdir } from "node:os";
 import { join } from "node:path";
@@ -18,6 +19,7 @@ const SNAPSHOT_POST_ID = "pst_01jpyy18fh4w2m7r8k3c5t9qdn";
 const SNAPSHOT_PATH_ID = "pth_01jpyy1k2v6m4s8r1t5c9b3qgh";
 const SNAPSHOT_MEDIA_ID = "med_01jpyy1vxh4m7s2k8r5c9t3qbn";
 const SNAPSHOT_AVATAR_MEDIA_ID = "med_01jpyy1zs6m4v8r2k5t9c3b7qh";
+const SNAPSHOT_APPLE_TOUCH_MEDIA_ID = "med_01jpyy20kt5n9r3k8t6c4d2qhf";
 const SNAPSHOT_MEDIA_KEY = `media/${SNAPSHOT_SITE_ID}/files/${SNAPSHOT_MEDIA_ID}.png`;
 const SNAPSHOT_POSTER_KEY = `media/${SNAPSHOT_SITE_ID}/posters/${SNAPSHOT_MEDIA_ID}.webp`;
 const SNAPSHOT_AVATAR_KEY = `media/${SNAPSHOT_SITE_ID}/assets/avatar/${SNAPSHOT_AVATAR_MEDIA_ID}.png`;
@@ -154,6 +156,24 @@ describe("jant site snapshot export/import", () => {
           'local', 1, 1, 'Sample alt', 'a0', '${SNAPSHOT_POSTER_KEY}', 'image',
           1774009200, 1774009200
         );
+
+        INSERT INTO "media" (
+          "id", "site_id", "post_id", "filename", "original_name", "mime_type", "size", "storage_key",
+          "provider", "position", "media_kind", "created_at", "updated_at"
+        ) VALUES (
+          '${SNAPSHOT_AVATAR_MEDIA_ID}', '${SNAPSHOT_SITE_ID}', NULL,
+          '${SNAPSHOT_AVATAR_MEDIA_ID}.png', 'avatar.png', 'image/png', 3, '${SNAPSHOT_AVATAR_KEY}',
+          'local', 'a0', 'image', 1774009202, 1774009202
+        );
+
+        INSERT INTO "media" (
+          "id", "site_id", "post_id", "filename", "original_name", "mime_type", "size", "storage_key",
+          "provider", "position", "media_kind", "created_at", "updated_at"
+        ) VALUES (
+          '${SNAPSHOT_APPLE_TOUCH_MEDIA_ID}', '${SNAPSHOT_SITE_ID}', NULL,
+          'apple-touch-icon.png', 'apple-touch-icon.png', 'image/png', 3, '${SNAPSHOT_APPLE_TOUCH_KEY}',
+          'local', 'a0', 'image', 1774009203, 1774009203
+        );
       `);
 
       targetSqlite.exec(`
@@ -207,15 +227,16 @@ describe("jant site snapshot export/import", () => {
       await import("../../../bin/commands/site/snapshot/export.js");
     await runExport(["--output", snapshotPath]);
 
-    const manifest = JSON.parse(
-      await readFile(join(snapshotPath, "storage-manifest.json"), "utf-8"),
+    const meta = JSON.parse(
+      await readFile(join(snapshotPath, "meta.json"), "utf-8"),
     );
-    expect(manifest.objects.map((object) => object.key)).toEqual([
-      SNAPSHOT_AVATAR_KEY,
-      SNAPSHOT_APPLE_TOUCH_KEY,
-      SNAPSHOT_MEDIA_KEY,
-      SNAPSHOT_POSTER_KEY,
-    ]);
+    expect(meta).toEqual({
+      format: "jant-site-snapshot",
+      version: 1,
+      dialect: "sqlite",
+      site: { id: SNAPSHOT_SITE_ID, key: SNAPSHOT_SITE_KEY },
+    });
+    expect(existsSync(join(snapshotPath, "storage-manifest.json"))).toBe(false);
     expect(exportLogSpy).toHaveBeenCalledWith(
       `Exported Node database snapshot to ${snapshotPath}`,
     );
@@ -311,6 +332,249 @@ describe("jant site snapshot export/import", () => {
     );
   });
 
+  it("skips downloading storage objects when --skip-objects is passed", async () => {
+    const root = await mkdtemp(
+      join(tmpdir(), "jant-site-snapshot-skip-objects-"),
+    );
+    tempDirs.push(root);
+
+    const sourceDbPath = join(root, "source.sqlite");
+    const sourceStoragePath = join(root, "source-media");
+    const snapshotPath = join(root, "snapshot");
+
+    await migrate({ DATABASE_URL: `file:${sourceDbPath}` } as Bindings);
+    const sourceStorage = createLocalDriver({ rootPath: sourceStoragePath });
+    await sourceStorage.put(SNAPSHOT_MEDIA_KEY, new Uint8Array([1, 2, 3, 4]), {
+      contentType: "image/png",
+    });
+
+    const sourceSqlite = new Database(sourceDbPath);
+    try {
+      sourceSqlite.exec(`
+        INSERT INTO "site" ("id", "key", "status", "created_at", "updated_at")
+        VALUES ('${SNAPSHOT_SITE_ID}', '${SNAPSHOT_SITE_KEY}', 'active', 1774009100, 1774009100);
+
+        INSERT INTO "site_setting" ("site_id", "key", "value", "updated_at") VALUES
+          ('${SNAPSHOT_SITE_ID}', 'SITE_NAME', 'Skip Objects Source', 1774009200);
+
+        INSERT INTO "post" (
+          "id", "site_id", "format", "status", "visibility", "title", "body", "body_html", "body_text",
+          "thread_id", "published_at", "last_activity_at", "created_at", "updated_at"
+        ) VALUES (
+          '${SNAPSHOT_POST_ID}', '${SNAPSHOT_SITE_ID}', 'note', 'published', 'public',
+          'Snapshot post', 'Hello snapshot', '<p>Hello snapshot</p>', 'Hello snapshot',
+          '${SNAPSHOT_POST_ID}', 1774009200, 1774009200, 1774009200, 1774009200
+        );
+
+        INSERT INTO "media" (
+          "id", "site_id", "post_id", "filename", "original_name", "mime_type", "size", "storage_key",
+          "provider", "position", "media_kind", "created_at", "updated_at"
+        ) VALUES (
+          '${SNAPSHOT_MEDIA_ID}', '${SNAPSHOT_SITE_ID}', '${SNAPSHOT_POST_ID}',
+          '${SNAPSHOT_MEDIA_ID}.png', 'sample.png', 'image/png', 4, '${SNAPSHOT_MEDIA_KEY}',
+          'local', 'a0', 'image', 1774009200, 1774009200
+        );
+      `);
+    } finally {
+      sourceSqlite.close();
+    }
+
+    process.env.DATABASE_URL = `file:${sourceDbPath}`;
+    process.env.LOCAL_STORAGE_PATH = sourceStoragePath;
+
+    vi.spyOn(console, "log").mockImplementation(() => {});
+    const { run: runExport } =
+      await import("../../../bin/commands/site/snapshot/export.js");
+    await runExport(["--output", snapshotPath, "--skip-objects"]);
+
+    expect(existsSync(join(snapshotPath, "meta.json"))).toBe(true);
+    expect(existsSync(join(snapshotPath, "db.sql"))).toBe(true);
+    expect(existsSync(join(snapshotPath, "objects"))).toBe(false);
+
+    const dbSql = await readFile(join(snapshotPath, "db.sql"), "utf-8");
+    expect(dbSql).toContain(SNAPSHOT_MEDIA_KEY);
+  });
+
+  it("aborts import when objects/ is missing keys referenced by db.sql", async () => {
+    const root = await mkdtemp(
+      join(tmpdir(), "jant-site-snapshot-missing-objects-"),
+    );
+    tempDirs.push(root);
+
+    const sourceDbPath = join(root, "source.sqlite");
+    const sourceStoragePath = join(root, "source-media");
+    const targetDbPath = join(root, "target.sqlite");
+    const targetStoragePath = join(root, "target-media");
+    const snapshotPath = join(root, "snapshot");
+
+    await migrate({ DATABASE_URL: `file:${sourceDbPath}` } as Bindings);
+    await migrate({ DATABASE_URL: `file:${targetDbPath}` } as Bindings);
+
+    const sourceStorage = createLocalDriver({ rootPath: sourceStoragePath });
+    await sourceStorage.put(SNAPSHOT_MEDIA_KEY, new Uint8Array([1, 2, 3, 4]), {
+      contentType: "image/png",
+    });
+
+    const sourceSqlite = new Database(sourceDbPath);
+    const targetSqlite = new Database(targetDbPath);
+    try {
+      sourceSqlite.exec(`
+        INSERT INTO "site" ("id", "key", "status", "created_at", "updated_at")
+        VALUES ('${SNAPSHOT_SITE_ID}', '${SNAPSHOT_SITE_KEY}', 'active', 1774009100, 1774009100);
+
+        INSERT INTO "site_setting" ("site_id", "key", "value", "updated_at") VALUES
+          ('${SNAPSHOT_SITE_ID}', 'SITE_NAME', 'Source', 1774009200);
+
+        INSERT INTO "post" (
+          "id", "site_id", "format", "status", "visibility", "title", "body", "body_html", "body_text",
+          "thread_id", "published_at", "last_activity_at", "created_at", "updated_at"
+        ) VALUES (
+          '${SNAPSHOT_POST_ID}', '${SNAPSHOT_SITE_ID}', 'note', 'published', 'public',
+          'Snapshot post', 'Hello snapshot', '<p>Hello snapshot</p>', 'Hello snapshot',
+          '${SNAPSHOT_POST_ID}', 1774009200, 1774009200, 1774009200, 1774009200
+        );
+
+        INSERT INTO "media" (
+          "id", "site_id", "post_id", "filename", "original_name", "mime_type", "size", "storage_key",
+          "provider", "position", "media_kind", "created_at", "updated_at"
+        ) VALUES (
+          '${SNAPSHOT_MEDIA_ID}', '${SNAPSHOT_SITE_ID}', '${SNAPSHOT_POST_ID}',
+          '${SNAPSHOT_MEDIA_ID}.png', 'sample.png', 'image/png', 4, '${SNAPSHOT_MEDIA_KEY}',
+          'local', 'a0', 'image', 1774009200, 1774009200
+        );
+      `);
+
+      targetSqlite.exec(`
+        INSERT INTO "site" ("id", "key", "status", "created_at", "updated_at")
+        VALUES ('${SNAPSHOT_SITE_ID}', '${SNAPSHOT_SITE_KEY}', 'active', 1774009000, 1774009000);
+      `);
+    } finally {
+      sourceSqlite.close();
+      targetSqlite.close();
+    }
+
+    process.env.DATABASE_URL = `file:${sourceDbPath}`;
+    process.env.LOCAL_STORAGE_PATH = sourceStoragePath;
+
+    vi.spyOn(console, "log").mockImplementation(() => {});
+    const { run: runExport } =
+      await import("../../../bin/commands/site/snapshot/export.js");
+    await runExport(["--output", snapshotPath, "--skip-objects"]);
+
+    process.env.DATABASE_URL = `file:${targetDbPath}`;
+    process.env.LOCAL_STORAGE_PATH = targetStoragePath;
+
+    const warnSpy = vi.spyOn(console, "warn").mockImplementation(() => {});
+    const { run: runImport } =
+      await import("../../../bin/commands/site/snapshot/import.js");
+
+    await expect(
+      runImport(["--path", snapshotPath, "--replace"]),
+    ).rejects.toThrow(/missing storage objects/);
+
+    expect(warnSpy.mock.calls.flat().join("\n")).toContain(SNAPSHOT_MEDIA_KEY);
+  });
+
+  it("imports a --skip-objects snapshot when --allow-missing-objects is passed", async () => {
+    const root = await mkdtemp(
+      join(tmpdir(), "jant-site-snapshot-allow-missing-"),
+    );
+    tempDirs.push(root);
+
+    const sourceDbPath = join(root, "source.sqlite");
+    const sourceStoragePath = join(root, "source-media");
+    const targetDbPath = join(root, "target.sqlite");
+    const targetStoragePath = join(root, "target-media");
+    const snapshotPath = join(root, "snapshot");
+
+    await migrate({ DATABASE_URL: `file:${sourceDbPath}` } as Bindings);
+    await migrate({ DATABASE_URL: `file:${targetDbPath}` } as Bindings);
+
+    const sourceStorage = createLocalDriver({ rootPath: sourceStoragePath });
+    const targetStorage = createLocalDriver({ rootPath: targetStoragePath });
+    await sourceStorage.put(SNAPSHOT_MEDIA_KEY, new Uint8Array([1, 2, 3, 4]), {
+      contentType: "image/png",
+    });
+    // Simulate a shared bucket: target already has the file.
+    await targetStorage.put(SNAPSHOT_MEDIA_KEY, new Uint8Array([1, 2, 3, 4]), {
+      contentType: "image/png",
+    });
+
+    const sourceSqlite = new Database(sourceDbPath);
+    const targetSqlite = new Database(targetDbPath);
+    try {
+      sourceSqlite.exec(`
+        INSERT INTO "site" ("id", "key", "status", "created_at", "updated_at")
+        VALUES ('${SNAPSHOT_SITE_ID}', '${SNAPSHOT_SITE_KEY}', 'active', 1774009100, 1774009100);
+
+        INSERT INTO "site_setting" ("site_id", "key", "value", "updated_at") VALUES
+          ('${SNAPSHOT_SITE_ID}', 'SITE_NAME', 'Source', 1774009200);
+
+        INSERT INTO "post" (
+          "id", "site_id", "format", "status", "visibility", "title", "body", "body_html", "body_text",
+          "thread_id", "published_at", "last_activity_at", "created_at", "updated_at"
+        ) VALUES (
+          '${SNAPSHOT_POST_ID}', '${SNAPSHOT_SITE_ID}', 'note', 'published', 'public',
+          'Snapshot post', 'Hello snapshot', '<p>Hello snapshot</p>', 'Hello snapshot',
+          '${SNAPSHOT_POST_ID}', 1774009200, 1774009200, 1774009200, 1774009200
+        );
+
+        INSERT INTO "media" (
+          "id", "site_id", "post_id", "filename", "original_name", "mime_type", "size", "storage_key",
+          "provider", "position", "media_kind", "created_at", "updated_at"
+        ) VALUES (
+          '${SNAPSHOT_MEDIA_ID}', '${SNAPSHOT_SITE_ID}', '${SNAPSHOT_POST_ID}',
+          '${SNAPSHOT_MEDIA_ID}.png', 'sample.png', 'image/png', 4, '${SNAPSHOT_MEDIA_KEY}',
+          'local', 'a0', 'image', 1774009200, 1774009200
+        );
+      `);
+
+      targetSqlite.exec(`
+        INSERT INTO "site" ("id", "key", "status", "created_at", "updated_at")
+        VALUES ('${SNAPSHOT_SITE_ID}', '${SNAPSHOT_SITE_KEY}', 'active', 1774009000, 1774009000);
+      `);
+    } finally {
+      sourceSqlite.close();
+      targetSqlite.close();
+    }
+
+    process.env.DATABASE_URL = `file:${sourceDbPath}`;
+    process.env.LOCAL_STORAGE_PATH = sourceStoragePath;
+
+    vi.spyOn(console, "log").mockImplementation(() => {});
+    const { run: runExport } =
+      await import("../../../bin/commands/site/snapshot/export.js");
+    await runExport(["--output", snapshotPath, "--skip-objects"]);
+
+    process.env.DATABASE_URL = `file:${targetDbPath}`;
+    process.env.LOCAL_STORAGE_PATH = targetStoragePath;
+
+    vi.spyOn(console, "warn").mockImplementation(() => {});
+    const { run: runImport } =
+      await import("../../../bin/commands/site/snapshot/import.js");
+    await runImport([
+      "--path",
+      snapshotPath,
+      "--replace",
+      "--allow-missing-objects",
+    ]);
+
+    const verifySqlite = new Database(targetDbPath, { readonly: true });
+    try {
+      const mediaRow = verifySqlite
+        .prepare(
+          `SELECT "storage_key" FROM "media" WHERE "id" = '${SNAPSHOT_MEDIA_ID}'`,
+        )
+        .get() as { storage_key: string } | undefined;
+      expect(mediaRow?.storage_key).toBe(SNAPSHOT_MEDIA_KEY);
+    } finally {
+      verifySqlite.close();
+    }
+
+    // Target storage still has the pre-existing file (we didn't try to upload).
+    expect(await targetStorage.get(SNAPSHOT_MEDIA_KEY)).not.toBeNull();
+  });
+
   it("requires --replace for snapshot import", async () => {
     const root = await mkdtemp(join(tmpdir(), "jant-site-snapshot-replace-"));
     tempDirs.push(root);
@@ -328,16 +592,11 @@ describe("jant site snapshot export/import", () => {
           {
             format: "jant-site-snapshot",
             version: 1,
-            scope: "content",
           },
           null,
           2,
         ),
       ),
-      writeFile(
-        join(snapshotPath, "storage-manifest.json"),
-        JSON.stringify({ version: 1, objects: [] }, null, 2),
-      ),
       writeFile(join(snapshotPath, "db.sql"), ""),
     ]);
 
@@ -414,6 +673,24 @@ describe("jant site snapshot export/import", () => {
           'local', 1, 1, 'Sample alt', 'a0', '${SNAPSHOT_POSTER_KEY}', 'image',
           1774009200, 1774009200
         );
+
+        INSERT INTO "media" (
+          "id", "site_id", "post_id", "filename", "original_name", "mime_type", "size", "storage_key",
+          "provider", "position", "media_kind", "created_at", "updated_at"
+        ) VALUES (
+          '${SNAPSHOT_AVATAR_MEDIA_ID}', '${SNAPSHOT_SITE_ID}', NULL,
+          '${SNAPSHOT_AVATAR_MEDIA_ID}.png', 'avatar.png', 'image/png', 3, '${SNAPSHOT_AVATAR_KEY}',
+          'local', 'a0', 'image', 1774009202, 1774009202
+        );
+
+        INSERT INTO "media" (
+          "id", "site_id", "post_id", "filename", "original_name", "mime_type", "size", "storage_key",
+          "provider", "position", "media_kind", "created_at", "updated_at"
+        ) VALUES (
+          '${SNAPSHOT_APPLE_TOUCH_MEDIA_ID}', '${SNAPSHOT_SITE_ID}', NULL,
+          'apple-touch-icon.png', 'apple-touch-icon.png', 'image/png', 3, '${SNAPSHOT_APPLE_TOUCH_KEY}',
+          'local', 'a0', 'image', 1774009203, 1774009203
+        );
       `);
 
       targetSqlite.exec(`
@@ -562,6 +839,24 @@ describe("jant site snapshot export/import", () => {
           'local', 1, 1, 'Sample alt', 'a0', '${SNAPSHOT_POSTER_KEY}', 'image',
           1774009200, 1774009200
         );
+
+        INSERT INTO "media" (
+          "id", "site_id", "post_id", "filename", "original_name", "mime_type", "size", "storage_key",
+          "provider", "position", "media_kind", "created_at", "updated_at"
+        ) VALUES (
+          '${SNAPSHOT_AVATAR_MEDIA_ID}', '${SNAPSHOT_SITE_ID}', NULL,
+          '${SNAPSHOT_AVATAR_MEDIA_ID}.png', 'avatar.png', 'image/png', 3, '${SNAPSHOT_AVATAR_KEY}',
+          'local', 'a0', 'image', 1774009202, 1774009202
+        );
+
+        INSERT INTO "media" (
+          "id", "site_id", "post_id", "filename", "original_name", "mime_type", "size", "storage_key",
+          "provider", "position", "media_kind", "created_at", "updated_at"
+        ) VALUES (
+          '${SNAPSHOT_APPLE_TOUCH_MEDIA_ID}', '${SNAPSHOT_SITE_ID}', NULL,
+          'apple-touch-icon.png', 'apple-touch-icon.png', 'image/png', 3, '${SNAPSHOT_APPLE_TOUCH_KEY}',
+          'local', 'a0', 'image', 1774009203, 1774009203
+        );
       `);
 
       targetSqlite.exec(`

package/src/node/__tests__/cli-site-token-env.test.ts

@@ -65,7 +65,6 @@ describe("site CLI token env", () => {
     vi.spyOn(console, "log").mockImplementation(() => {});
 
     await runSiteExport([
-      "--url",
       "https://example.com",
       "--output",
       outputPath,
@@ -95,7 +94,6 @@ describe("site CLI token env", () => {
 
     await expect(
       runImportSite([
-        "--url",
         "https://example.com",
         "--path",
         "/definitely-missing-jant-import-source",
@@ -106,9 +104,7 @@ describe("site CLI token env", () => {
       "Path not found: /definitely-missing-jant-import-source",
     );
     expect(errorSpy).not.toHaveBeenCalledWith(
-      expect.stringContaining(
-        "remote import requires JANT_API_TOKEN or --token",
-      ),
+      expect.stringContaining("site import requires JANT_API_TOKEN or --token"),
     );
   });
 
@@ -123,7 +119,6 @@ describe("site CLI token env", () => {
 
     await expect(
       runImportSite([
-        "--url",
         "https://example.com",
         "--path",
         "/definitely-missing-jant-import-source",
@@ -131,7 +126,7 @@ describe("site CLI token env", () => {
     ).rejects.toThrow("process.exit:1");
 
     expect(errorSpy).toHaveBeenCalledWith(
-      "Error: remote import requires JANT_API_TOKEN or --token (unless using --dry-run)",
+      "Error: site import requires JANT_API_TOKEN or --token (unless using --dry-run)",
     );
   });
 });