@kidecms/core 0.1.0

package/dist/integration.js

@@ -0,0 +1,256 @@
+import { execSync } from "node:child_process";
+import { existsSync, mkdirSync, readFileSync, readdirSync, watch, writeFileSync } from "node:fs";
+import path from "node:path";
+import { fileURLToPath } from "node:url";
+function runGenerator(cwd, generatorPath) {
+    execSync(`node --import tsx ${generatorPath}`, {
+        stdio: "inherit",
+        cwd,
+    });
+}
+function pushSchema(cwd) {
+    execSync("npx drizzle-kit push --force", {
+        stdio: "inherit",
+        cwd,
+    });
+}
+function isCloudflareD1(cwd) {
+    const wranglerPath = path.join(cwd, "wrangler.toml");
+    if (!existsSync(wranglerPath))
+        return false;
+    try {
+        const content = readFileSync(wranglerPath, "utf-8");
+        return content.includes("[[d1_databases]]");
+    }
+    catch {
+        return false;
+    }
+}
+function hasLocalD1Database(cwd) {
+    const dir = path.join(cwd, ".wrangler/state/v3/d1/miniflare-D1DatabaseObject");
+    try {
+        return readdirSync(dir).some((file) => file.endsWith(".sqlite") && file !== "*.sqlite");
+    }
+    catch {
+        return false;
+    }
+}
+function getD1DatabaseName(cwd) {
+    const wranglerPath = path.join(cwd, "wrangler.toml");
+    try {
+        const content = readFileSync(wranglerPath, "utf-8");
+        const match = content.match(/database_name\s*=\s*"([^"]+)"/);
+        return match ? match[1] : null;
+    }
+    catch {
+        return null;
+    }
+}
+function initLocalD1(cwd) {
+    const dbName = getD1DatabaseName(cwd);
+    if (!dbName)
+        throw new Error("No database_name found in wrangler.toml");
+    execSync(`npx wrangler d1 execute "${dbName}" --local --command="SELECT 1"`, {
+        stdio: "pipe",
+        cwd,
+    });
+}
+export default function cmsIntegration(options) {
+    const configPath = options?.configPath ?? "src/cms/cms.config";
+    const runtimePath = options?.runtimePath ?? "src/cms/internals/runtime";
+    const generatedPath = options?.generatedPath ?? "src/cms/.generated";
+    const adaptersPath = options?.adaptersPath ?? "src/cms/adapters";
+    const generatorPath = options?.generatorPath ?? "src/cms/internals/generator.ts";
+    return {
+        name: "kide-cms",
+        hooks: {
+            "astro:config:setup": ({ command, updateConfig, injectRoute, addMiddleware }) => {
+                const root = process.cwd();
+                // Generate a wrapper CSS that adds @source directives and imports user's admin CSS
+                const corePkgDir = path.dirname(path.dirname(fileURLToPath(import.meta.url)));
+                const adminDir = path.join(corePkgDir, "admin");
+                const routesDir = path.join(corePkgDir, "routes");
+                const twAnimateCssPath = path.join(corePkgDir, "node_modules", "tw-animate-css", "dist", "tw-animate.css");
+                const userAdminCss = path.resolve(root, "src/styles/admin.css");
+                const generatedDir = path.join(root, "node_modules", ".kide");
+                mkdirSync(generatedDir, { recursive: true });
+                const wrapperCss = path.join(generatedDir, "admin.css");
+                writeFileSync(wrapperCss, [
+                    `@source "${adminDir}";`,
+                    `@source "${routesDir}";`,
+                    `@import "${twAnimateCssPath}";`,
+                    `@import "${userAdminCss}";`,
+                    "",
+                    "/* shadcn component styles (accordion, state variants) */",
+                    "@theme inline {",
+                    "  @keyframes accordion-down { from { height: 0 } to { height: var(--radix-accordion-content-height, var(--accordion-panel-height, auto)) } }",
+                    "  @keyframes accordion-up { from { height: var(--radix-accordion-content-height, var(--accordion-panel-height, auto)) } to { height: 0 } }",
+                    "}",
+                    '@custom-variant data-open { &:where([data-state="open"]), &:where([data-open]:not([data-open="false"])) { @slot; } }',
+                    '@custom-variant data-closed { &:where([data-state="closed"]), &:where([data-closed]:not([data-closed="false"])) { @slot; } }',
+                    '@custom-variant data-checked { &:where([data-state="checked"]), &:where([data-checked]:not([data-checked="false"])) { @slot; } }',
+                    '@custom-variant data-unchecked { &:where([data-state="unchecked"]), &:where([data-unchecked]:not([data-unchecked="false"])) { @slot; } }',
+                    '@custom-variant data-selected { &:where([data-selected="true"]) { @slot; } }',
+                    '@custom-variant data-disabled { &:where([data-disabled="true"]), &:where([data-disabled]:not([data-disabled="false"])) { @slot; } }',
+                    '@custom-variant data-active { &:where([data-state="active"]), &:where([data-active]:not([data-active="false"])) { @slot; } }',
+                    '@custom-variant data-horizontal { &:where([data-orientation="horizontal"]) { @slot; } }',
+                    '@custom-variant data-vertical { &:where([data-orientation="vertical"]) { @slot; } }',
+                    "@utility no-scrollbar { -ms-overflow-style: none; scrollbar-width: none; &::-webkit-scrollbar { display: none; } }",
+                    "",
+                ].join("\n"));
+                // Generate custom field components barrel
+                const customFieldsDir = path.resolve(root, "src/cms/admin/fields");
+                const customFieldsBarrel = path.join(generatedDir, "custom-fields.ts");
+                const generateFieldsBarrel = () => {
+                    if (existsSync(customFieldsDir)) {
+                        const files = readdirSync(customFieldsDir).filter((f) => f.endsWith(".tsx"));
+                        const imports = files.map((f) => {
+                            const name = f.replace(".tsx", "");
+                            return `  "${name}": (await import("${path.join(customFieldsDir, f)}")).default,`;
+                        });
+                        writeFileSync(customFieldsBarrel, `export const customFields: Record<string, any> = {\n${imports.join("\n")}\n};\n`);
+                    }
+                    else {
+                        writeFileSync(customFieldsBarrel, "export const customFields: Record<string, any> = {};\n");
+                    }
+                };
+                generateFieldsBarrel();
+                // Virtual module aliases — resolve route imports to the user's app files
+                updateConfig({
+                    vite: {
+                        resolve: {
+                            alias: {
+                                "virtual:kide/config": path.resolve(root, configPath),
+                                "virtual:kide/api": path.resolve(root, generatedPath, "api"),
+                                "virtual:kide/schema": path.resolve(root, generatedPath, "schema"),
+                                "virtual:kide/runtime": path.resolve(root, runtimePath),
+                                "virtual:kide/db": path.resolve(root, adaptersPath, "db"),
+                                "virtual:kide/email": path.resolve(root, adaptersPath, "email"),
+                                "virtual:kide/block-renderer": path.resolve(root, "src/components/BlockRenderer.astro"),
+                                "virtual:kide/admin-css": wrapperCss,
+                                "virtual:kide/custom-fields": customFieldsBarrel,
+                            },
+                        },
+                    },
+                });
+                // Inject admin pages
+                injectRoute({ pattern: "/admin/login", entrypoint: "@kidecms/core/routes/pages/admin/login.astro" });
+                injectRoute({ pattern: "/admin/setup", entrypoint: "@kidecms/core/routes/pages/admin/setup.astro" });
+                injectRoute({ pattern: "/admin/invite", entrypoint: "@kidecms/core/routes/pages/admin/invite.astro" });
+                injectRoute({ pattern: "/admin/assets", entrypoint: "@kidecms/core/routes/pages/admin/assets/index.astro" });
+                injectRoute({ pattern: "/admin/assets/[id]", entrypoint: "@kidecms/core/routes/pages/admin/assets/[id].astro" });
+                injectRoute({ pattern: "/admin/[...path]", entrypoint: "@kidecms/core/routes/pages/admin/[...path].astro" });
+                // Inject API routes
+                injectRoute({ pattern: "/api/cms/auth/login", entrypoint: "@kidecms/core/routes/api/cms/auth/login.ts" });
+                injectRoute({ pattern: "/api/cms/auth/logout", entrypoint: "@kidecms/core/routes/api/cms/auth/logout.ts" });
+                injectRoute({ pattern: "/api/cms/auth/setup", entrypoint: "@kidecms/core/routes/api/cms/auth/setup.ts" });
+                injectRoute({ pattern: "/api/cms/auth/invite", entrypoint: "@kidecms/core/routes/api/cms/auth/invite.ts" });
+                injectRoute({ pattern: "/api/cms/assets/upload", entrypoint: "@kidecms/core/routes/api/cms/assets/upload.ts" });
+                injectRoute({ pattern: "/api/cms/assets/folders", entrypoint: "@kidecms/core/routes/api/cms/assets/folders.ts" });
+                injectRoute({ pattern: "/api/cms/assets/[id]", entrypoint: "@kidecms/core/routes/api/cms/assets/[id].ts" });
+                injectRoute({ pattern: "/api/cms/assets", entrypoint: "@kidecms/core/routes/api/cms/assets/index.ts" });
+                injectRoute({ pattern: "/api/cms/ai/alt-text", entrypoint: "@kidecms/core/routes/api/cms/ai/alt-text.ts" });
+                injectRoute({ pattern: "/api/cms/ai/seo", entrypoint: "@kidecms/core/routes/api/cms/ai/seo.ts" });
+                injectRoute({ pattern: "/api/cms/ai/translate", entrypoint: "@kidecms/core/routes/api/cms/ai/translate.ts" });
+                injectRoute({ pattern: "/api/cms/cron/publish", entrypoint: "@kidecms/core/routes/api/cms/cron/publish.ts" });
+                injectRoute({
+                    pattern: "/api/cms/locks/[...path]",
+                    entrypoint: "@kidecms/core/routes/api/cms/locks/[...path].ts",
+                });
+                injectRoute({ pattern: "/api/cms/preview/render", entrypoint: "@kidecms/core/routes/api/cms/preview/render.ts" });
+                injectRoute({
+                    pattern: "/api/cms/references/[collection]/[id]",
+                    entrypoint: "@kidecms/core/routes/api/cms/references/[collection]/[id].ts",
+                });
+                injectRoute({ pattern: "/api/cms/img/[...path]", entrypoint: "@kidecms/core/routes/api/cms/img/[...path].ts" });
+                injectRoute({
+                    pattern: "/api/cms/[collection]/[...path]",
+                    entrypoint: "@kidecms/core/routes/api/cms/[collection]/[...path].ts",
+                });
+                // Inject auth middleware
+                addMiddleware({ entrypoint: "@kidecms/core/middleware/auth.ts", order: "pre" });
+                // Generate schema, types, validators, and API
+                console.log("  [cms] Generating schema, types, validators, and API...");
+                try {
+                    runGenerator(root, generatorPath);
+                }
+                catch (error) {
+                    console.error("  [cms] Generator failed:", error.message);
+                }
+                if (command === "dev") {
+                    const useD1 = isCloudflareD1(root);
+                    if (useD1) {
+                        const isFirstRun = !hasLocalD1Database(root);
+                        if (isFirstRun) {
+                            console.log("  \x1b[36m[cms]\x1b[0m First run — setting up database...");
+                            try {
+                                initLocalD1(root);
+                            }
+                            catch (error) {
+                                console.error("  \x1b[31m[cms]\x1b[0m Failed to initialize D1:", error.message);
+                            }
+                        }
+                        try {
+                            pushSchema(root);
+                            if (isFirstRun) {
+                                console.log("  \x1b[36m[cms]\x1b[0m Database ready. Open /admin to create your admin account.");
+                            }
+                        }
+                        catch (error) {
+                            console.error("  \x1b[31m[cms]\x1b[0m Database setup failed:", error.message);
+                            console.error("  \x1b[31m[cms]\x1b[0m Try running: npx drizzle-kit push --force");
+                        }
+                    }
+                    else {
+                        const dbPath = path.join(root, "data", "cms.db");
+                        const isFirstRun = !existsSync(dbPath);
+                        if (isFirstRun) {
+                            console.log("  \x1b[36m[cms]\x1b[0m First run — setting up database...");
+                        }
+                        try {
+                            mkdirSync(path.join(root, "data"), { recursive: true });
+                            pushSchema(root);
+                            if (isFirstRun) {
+                                console.log("  \x1b[36m[cms]\x1b[0m Database ready. Open /admin to create your admin account.");
+                            }
+                        }
+                        catch (error) {
+                            console.error("  \x1b[31m[cms]\x1b[0m Database setup failed:", error.message);
+                            console.error("  \x1b[31m[cms]\x1b[0m Try running: npx drizzle-kit push --force");
+                        }
+                    }
+                    const configFilePath = path.join(root, configPath.replace(/\/?$/, ".ts"));
+                    let debounceTimer = null;
+                    watch(configFilePath, () => {
+                        if (debounceTimer)
+                            clearTimeout(debounceTimer);
+                        debounceTimer = setTimeout(() => {
+                            console.log("  [cms] Config changed, regenerating...");
+                            try {
+                                runGenerator(root, generatorPath);
+                                pushSchema(root);
+                                console.log("  [cms] Schema updated.");
+                            }
+                            catch (error) {
+                                console.error("  [cms] Regeneration failed:", error.message);
+                            }
+                        }, 500);
+                    });
+                }
+            },
+            "astro:server:start": ({ address }) => {
+                const host = address.family === "IPv6" ? `[${address.address}]` : address.address;
+                const base = `http://${host === "[::1]" || host === "127.0.0.1" || host === "[::]" ? "localhost" : host}:${address.port}`;
+                console.log(`  \x1b[36m[cms]\x1b[0m Admin panel: \x1b[36m${base}/admin\x1b[0m`);
+            },
+            "astro:build:done": () => {
+                const entryPath = path.join(process.cwd(), "dist/server/entry.mjs");
+                if (!existsSync(entryPath))
+                    return;
+                let content = readFileSync(entryPath, "utf-8");
+                content = content.replace(/export\s*\{\s*(\w+)\s+as\s+default\s*\}/, (_, name) => `const _astroWorker = ${name};\nexport default {\n  fetch: (...args) => _astroWorker.fetch(...args),\n  async scheduled(event, env, ctx) {\n    const headers = env.CRON_SECRET ? { Authorization: "Bearer " + env.CRON_SECRET } : {};\n    const res = await _astroWorker.fetch(new Request("https://dummy/api/cms/cron/publish", { headers }), env, ctx);\n    if (!res.ok) console.error("Cron publish failed:", res.status, await res.text());\n    else console.log("Cron publish:", await res.text());\n  }\n};`);
+                writeFileSync(entryPath, content);
+            },
+        },
+    };
+}

package/dist/locks.js

@@ -0,0 +1,37 @@
+import { and, eq, lte } from "drizzle-orm";
+import { nanoid } from "nanoid";
+import { getDb } from "./runtime";
+import { getSchema } from "./schema";
+const LOCK_TTL_MS = 5 * 60 * 1000;
+const getLockTable = () => getSchema().cmsLocks;
+const isExpired = (lockedAt) => new Date(lockedAt).getTime() + LOCK_TTL_MS < Date.now();
+export const acquireLock = async (collection, documentId, userId, userEmail) => {
+    const db = await getDb();
+    const table = getLockTable();
+    await db.delete(table).where(lte(table.lockedAt, new Date(Date.now() - LOCK_TTL_MS).toISOString()));
+    const rows = await db
+        .select()
+        .from(table)
+        .where(and(eq(table.collection, collection), eq(table.documentId, documentId)));
+    const existing = rows[0];
+    const now = new Date().toISOString();
+    if (existing) {
+        if (existing.userId === userId) {
+            await db.update(table).set({ lockedAt: now }).where(eq(table._id, existing._id));
+            return { acquired: true };
+        }
+        if (!isExpired(existing.lockedAt)) {
+            return { acquired: false, userEmail: existing.userEmail };
+        }
+        await db.delete(table).where(eq(table._id, existing._id));
+    }
+    await db.insert(table).values({ _id: nanoid(), collection, documentId, userId, userEmail, lockedAt: now });
+    return { acquired: true };
+};
+export const releaseLock = async (collection, documentId, userId) => {
+    const db = await getDb();
+    const table = getLockTable();
+    await db
+        .delete(table)
+        .where(and(eq(table.collection, collection), eq(table.documentId, documentId), eq(table.userId, userId)));
+};

package/dist/richtext.js

@@ -0,0 +1 @@
+export { createRichTextFromPlainText, renderRichText, richTextToPlainText } from "./values";

package/dist/runtime.js

@@ -0,0 +1,26 @@
+let runtime = null;
+const runtimeError = () => new Error("@kidecms/core runtime not initialized. Call configureCmsRuntime(...) and initSchema(...) from your app before using runtime APIs.");
+export const configureCmsRuntime = (config) => {
+    runtime = config;
+};
+export const resetCmsRuntime = () => {
+    runtime = null;
+};
+export const getCmsRuntime = () => {
+    if (!runtime)
+        throw runtimeError();
+    return runtime;
+};
+export const getDb = () => getCmsRuntime().getDb();
+export const closeDb = () => {
+    getCmsRuntime().closeDb?.();
+};
+export const getStorage = () => getCmsRuntime().storage;
+export const getEmail = () => {
+    const email = getCmsRuntime().email;
+    return (email ?? {
+        sendInviteEmail: async () => false,
+        isEmailConfigured: () => false,
+    });
+};
+export const readEnv = (key) => getCmsRuntime().env?.(key) ?? process.env[key];

package/dist/schema.js

@@ -0,0 +1,13 @@
+let schema = null;
+export const initSchema = (nextSchema) => {
+    schema = nextSchema;
+};
+export const resetSchema = () => {
+    schema = null;
+};
+export const getSchema = () => {
+    if (!schema) {
+        throw new Error("@kidecms/core schema not initialized. Call initSchema(...) from your app before using runtime APIs.");
+    }
+    return schema;
+};

package/dist/seed.js

@@ -0,0 +1,84 @@
+import { sql } from "drizzle-orm";
+import { nanoid } from "nanoid";
+import { hashPassword } from "./auth";
+import { getDb } from "./runtime";
+import { getSchema } from "./schema";
+import { cloneValue, slugify } from "./values";
+const isJsonField = (field) => field.type === "richText" ||
+    field.type === "array" ||
+    field.type === "json" ||
+    field.type === "blocks" ||
+    (field.type === "relation" && field.hasMany);
+const serializeForDb = (collection, data) => {
+    const result = {};
+    for (const [key, value] of Object.entries(data)) {
+        const field = collection.fields[key];
+        result[key] = field && isJsonField(field) && value !== undefined && value !== null ? JSON.stringify(value) : value;
+    }
+    return result;
+};
+export const seedDatabase = async (config, seedData) => {
+    const db = await getDb();
+    const schema = getSchema();
+    for (const collection of config.collections) {
+        const collectionSeed = seedData[collection.slug];
+        if (!collectionSeed || collectionSeed.length === 0)
+            continue;
+        const tables = schema.cmsTables[collection.slug];
+        if (!tables)
+            continue;
+        const countResult = await db.select({ count: sql `count(*)` }).from(tables.main);
+        const rowCount = Number(countResult[0]?.count ?? 0);
+        if (rowCount > 0)
+            continue;
+        console.log(`  Seeding ${collection.labels.plural}...`);
+        for (const seedDoc of collectionSeed) {
+            const timestamp = new Date().toISOString();
+            const docId = typeof seedDoc._id === "string" ? String(seedDoc._id) : nanoid();
+            const { _id, _status, ...fieldData } = seedDoc;
+            for (const [fieldName, field] of Object.entries(collection.fields)) {
+                if (field.type !== "slug")
+                    continue;
+                if (fieldData[fieldName]) {
+                    fieldData[fieldName] = slugify(String(fieldData[fieldName]));
+                }
+                else if (field.from && fieldData[field.from]) {
+                    fieldData[fieldName] = slugify(String(fieldData[field.from]));
+                }
+            }
+            for (const [fieldName, field] of Object.entries(collection.fields)) {
+                if (fieldData[fieldName] === undefined && field.defaultValue !== undefined) {
+                    fieldData[fieldName] = cloneValue(field.defaultValue);
+                }
+            }
+            if (collection.auth && typeof fieldData.password === "string") {
+                fieldData.password = await hashPassword(fieldData.password);
+            }
+            const serialized = serializeForDb(collection, fieldData);
+            const docValues = {
+                _id: docId,
+                ...serialized,
+            };
+            if (collection.drafts) {
+                const status = _status === "published" ? "published" : "draft";
+                docValues._status = status;
+                if (status === "published")
+                    docValues._publishedAt = timestamp;
+            }
+            if (collection.timestamps !== false) {
+                docValues._createdAt = timestamp;
+                docValues._updatedAt = timestamp;
+            }
+            await db.insert(tables.main).values(docValues);
+            if (collection.versions && tables.versions) {
+                await db.insert(tables.versions).values({
+                    _id: nanoid(),
+                    _docId: docId,
+                    _version: 1,
+                    _snapshot: JSON.stringify({ ...fieldData, _status: docValues._status }),
+                    _createdAt: timestamp,
+                });
+            }
+        }
+    }
+};

package/dist/values.js

@@ -0,0 +1,102 @@
+import { cmsImage, cmsSrcset } from "./image";
+export const cloneValue = (value) => JSON.parse(JSON.stringify(value));
+export const slugify = (value) => value
+    .normalize("NFKD")
+    .replace(/[^\w\s-]/g, "")
+    .trim()
+    .toLowerCase()
+    .replace(/[\s_-]+/g, "-")
+    .replace(/^-+|-+$/g, "");
+export const escapeHtml = (value) => value
+    .replaceAll("&", "&")
+    .replaceAll("<", "&lt;")
+    .replaceAll(">", "&gt;")
+    .replaceAll('"', "&quot;")
+    .replaceAll("'", "&#39;");
+export const createRichTextFromPlainText = (text) => ({
+    type: "root",
+    children: text
+        .split(/\n{2,}/)
+        .map((paragraph) => paragraph.trim())
+        .filter(Boolean)
+        .map((paragraph) => ({
+        type: "paragraph",
+        children: paragraph
+            .split("\n")
+            .map((line, index, lines) => `${line}${index < lines.length - 1 ? "\n" : ""}`)
+            .filter(Boolean)
+            .map((line) => ({ type: "text", value: line })),
+    })),
+});
+const renderNode = (node) => {
+    if (node.type === "text") {
+        let content = escapeHtml(String(node.value ?? ""));
+        if (node.bold)
+            content = `<strong>${content}</strong>`;
+        if (node.italic)
+            content = `<em>${content}</em>`;
+        if (node.href) {
+            const href = escapeHtml(String(node.href));
+            const isExternal = String(node.href).startsWith("http://") || String(node.href).startsWith("https://");
+            const target = isExternal ? ' target="_blank" rel="noopener noreferrer"' : "";
+            content = `<a href="${href}"${target}>${content}</a>`;
+        }
+        return content;
+    }
+    if (node.type === "paragraph") {
+        return `<p>${(node.children ?? []).map(renderNode).join("")}</p>`;
+    }
+    if (node.type === "heading") {
+        const level = Math.min(Math.max(Number(node.level ?? 2), 1), 6);
+        return `<h${level}>${(node.children ?? []).map(renderNode).join("")}</h${level}>`;
+    }
+    if (node.type === "list") {
+        const tag = node.ordered ? "ol" : "ul";
+        return `<${tag}>${(node.children ?? []).map(renderNode).join("")}</${tag}>`;
+    }
+    if (node.type === "list-item") {
+        return `<li>${(node.children ?? []).map(renderNode).join("")}</li>`;
+    }
+    if (node.type === "quote") {
+        return `<blockquote>${(node.children ?? []).map(renderNode).join("")}</blockquote>`;
+    }
+    if (node.type === "image") {
+        const src = String(node.src ?? "");
+        const alt = escapeHtml(String(node.alt ?? ""));
+        const isLocal = src.startsWith("/uploads/");
+        if (isLocal) {
+            return `<img src="${escapeHtml(cmsImage(src, 1024))}" srcset="${escapeHtml(cmsSrcset(src))}" sizes="(max-width: 768px) 100vw, 768px" alt="${alt}" loading="lazy" class="h-auto max-w-full rounded-lg" />`;
+        }
+        return `<img src="${escapeHtml(src)}" alt="${alt}" loading="lazy" class="max-w-full rounded-lg" />`;
+    }
+    return "";
+};
+export const renderRichText = (document) => {
+    if (!document || document.type !== "root")
+        return "";
+    return document.children.map(renderNode).join("");
+};
+export const richTextToPlainText = (document) => {
+    if (!document?.children)
+        return "";
+    const flatten = (node) => {
+        if (node.type === "text") {
+            return String(node.value ?? "");
+        }
+        return (node.children ?? []).map(flatten).join("");
+    };
+    return document.children.map(flatten).join("\n\n").trim();
+};
+export const serializeFieldValue = (field, value) => {
+    if (value === null || value === undefined)
+        return "";
+    if (field.type === "richText")
+        return richTextToPlainText(value);
+    if (field.type === "array")
+        return Array.isArray(value) ? value.map((item) => String(item ?? "")).join(", ") : "";
+    if (field.type === "json" || field.type === "blocks")
+        return JSON.stringify(value, null, 2);
+    if (field.type === "boolean")
+        return value ? "true" : "false";
+    return String(value);
+};

package/middleware/auth.ts

@@ -0,0 +1,100 @@
+import { defineMiddleware } from "astro:middleware";
+import { getSessionUser } from "virtual:kide/runtime";
+import { getDb } from "virtual:kide/db";
+
+let hasUsers: boolean | null = null;
+
+export const resetUserCache = () => {
+  hasUsers = null;
+};
+
+export const onRequest = defineMiddleware(async (context, next) => {
+  const { pathname } = context.url;
+
+  // Skip auth for public pages and static assets
+  const isAdminRoute = pathname.startsWith("/admin");
+  const isAdminApiRoute = pathname.startsWith("/api/cms");
+  const isLoginPage = pathname === "/admin/login";
+  const isLoginApi = pathname === "/api/cms/auth/login";
+  const isSetupPage = pathname === "/admin/setup";
+  const isSetupApi = pathname === "/api/cms/auth/setup";
+  const isInvitePage = pathname === "/admin/invite";
+  const isInviteApi = pathname === "/api/cms/auth/invite";
+
+  if (!isAdminRoute && !isAdminApiRoute) {
+    return next();
+  }
+
+  // Security headers for all admin routes
+  const addSecurityHeaders = (response: Response) => {
+    response.headers.set("X-Content-Type-Options", "nosniff");
+    response.headers.set("X-Frame-Options", "DENY");
+    return response;
+  };
+
+  // CSRF protection: verify Origin on state-changing requests
+  if (context.request.method !== "GET" && context.request.method !== "HEAD") {
+    const origin = context.request.headers.get("origin");
+    const host = context.url.origin;
+    if (origin && origin !== host) {
+      return new Response(JSON.stringify({ error: "Forbidden" }), { status: 403 });
+    }
+  }
+
+  // Check if any users exist (cached after first check)
+  if (hasUsers === null || !hasUsers) {
+    try {
+      const db = await getDb();
+      const schema = await import("virtual:kide/schema");
+      const tables = schema.cmsTables as Record<string, { main: any }>;
+      if (tables.users) {
+        const rows = await db.select().from(tables.users.main).limit(1);
+        hasUsers = rows.length > 0;
+      } else {
+        hasUsers = true;
+      }
+    } catch {
+      // Tables may not exist yet (first run, schema not pushed)
+      hasUsers = false;
+    }
+  }
+
+  // No users yet — redirect to setup
+  if (!hasUsers) {
+    if (isSetupPage || isSetupApi) return addSecurityHeaders(await next());
+    if (isAdminApiRoute) {
+      return new Response(JSON.stringify({ error: "Setup required" }), { status: 403 });
+    }
+    return context.redirect("/admin/setup");
+  }
+
+  // After setup, always allow setup API (it self-guards) but redirect setup page to login
+  if (isSetupPage) {
+    return context.redirect("/admin/login");
+  }
+
+  // Always allow login page, login API, and cron endpoint (has its own auth)
+  const isCronApi = pathname === "/api/cms/cron/publish";
+  if (isLoginPage || isLoginApi || isSetupApi || isCronApi || isInvitePage || isInviteApi) {
+    return addSecurityHeaders(await next());
+  }
+
+  const user = await getSessionUser(context.request);
+
+  if (!user) {
+    // API routes → 401
+    if (isAdminApiRoute) {
+      return new Response(JSON.stringify({ error: "Unauthorized" }), {
+        status: 401,
+        headers: { "Content-Type": "application/json" },
+      });
+    }
+    // Admin pages → redirect to login
+    return context.redirect("/admin/login");
+  }
+
+  // Attach user to locals for downstream use
+  context.locals.user = user;
+
+  return addSecurityHeaders(await next());
+});