npm - @morphika/andami - Versions diffs - 0.1.2 - Mend

@morphika/andami 0.1.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (319) hide show

package/LICENSE +21 -0
package/README.md +50 -0
package/admin/assets.ts +4 -0
package/admin/database.ts +4 -0
package/admin/index.ts +6 -0
package/admin/login.ts +4 -0
package/admin/navigation.ts +4 -0
package/admin/pages-editor.ts +4 -0
package/admin/pages.ts +4 -0
package/admin/projects-editor.ts +4 -0
package/admin/projects.ts +4 -0
package/admin/settings.ts +4 -0
package/admin/setup.ts +4 -0
package/admin/storage.ts +4 -0
package/admin/styles.ts +4 -0
package/app/(site)/[slug]/loading.tsx +20 -0
package/app/(site)/[slug]/page.tsx +83 -0
package/app/(site)/error.tsx +32 -0
package/app/(site)/layout.tsx +53 -0
package/app/(site)/loading.tsx +20 -0
package/app/(site)/not-found.tsx +41 -0
package/app/(site)/page.tsx +43 -0
package/app/(site)/preview/page.tsx +99 -0
package/app/(site)/work/[slug]/loading.tsx +23 -0
package/app/(site)/work/[slug]/page.tsx +84 -0
package/app/admin/assets/page.tsx +573 -0
package/app/admin/database/page.tsx +302 -0
package/app/admin/error.tsx +53 -0
package/app/admin/layout.tsx +273 -0
package/app/admin/login/page.tsx +88 -0
package/app/admin/navigation/page.tsx +157 -0
package/app/admin/page.tsx +17 -0
package/app/admin/pages/[slug]/page.tsx +849 -0
package/app/admin/pages/page.tsx +588 -0
package/app/admin/projects/[slug]/page.tsx +3 -0
package/app/admin/projects/page.tsx +669 -0
package/app/admin/settings/page.tsx +132 -0
package/app/admin/setup/page.tsx +64 -0
package/app/admin/storage/page.tsx +518 -0
package/app/admin/styles/page.tsx +243 -0
package/app/api/admin/assets/file/route.ts +81 -0
package/app/api/admin/assets/health/route.ts +170 -0
package/app/api/admin/assets/register/route.ts +163 -0
package/app/api/admin/assets/registry/route.ts +98 -0
package/app/api/admin/assets/relink/confirm/route.ts +242 -0
package/app/api/admin/assets/relink/route.ts +202 -0
package/app/api/admin/assets/scan/route.ts +271 -0
package/app/api/admin/auth/route.ts +160 -0
package/app/api/admin/custom-sections/[slug]/route.ts +159 -0
package/app/api/admin/custom-sections/route.ts +127 -0
package/app/api/admin/database/route.ts +53 -0
package/app/api/admin/pages/[slug]/duplicate/route.ts +91 -0
package/app/api/admin/pages/[slug]/route.ts +617 -0
package/app/api/admin/pages/[slug]/set-home/route.ts +76 -0
package/app/api/admin/pages/route.ts +129 -0
package/app/api/admin/preview/route.ts +53 -0
package/app/api/admin/r2/connect/route.ts +181 -0
package/app/api/admin/r2/delete/route.ts +198 -0
package/app/api/admin/r2/disconnect/route.ts +42 -0
package/app/api/admin/r2/rename/route.ts +265 -0
package/app/api/admin/r2/status/route.ts +106 -0
package/app/api/admin/r2/upload-url/route.ts +148 -0
package/app/api/admin/revalidate/route.ts +55 -0
package/app/api/admin/settings/route.ts +279 -0
package/app/api/admin/setup/complete/route.ts +51 -0
package/app/api/admin/setup/route.ts +118 -0
package/app/api/admin/storage/switch/route.ts +117 -0
package/app/api/admin/styles/fonts/route.ts +97 -0
package/app/api/admin/styles/route.ts +304 -0
package/app/api/assets/[...path]/route.ts +98 -0
package/app/api/custom-sections/[id]/route.ts +43 -0
package/app/api/draft-mode/disable/route.ts +10 -0
package/app/api/draft-mode/enable/route.ts +26 -0
package/app/api/projects/route.ts +42 -0
package/app/api/styles/route.ts +88 -0
package/app/favicon.ico +0 -0
package/app/globals.css +7 -0
package/app/layout.tsx +53 -0
package/app/robots.ts +17 -0
package/app/sitemap.ts +48 -0
package/app/studio/[[...index]]/page.tsx +8 -0
package/components/admin/MetadataEditor.tsx +173 -0
package/components/admin/PublishToggle.tsx +130 -0
package/components/admin/icons.tsx +40 -0
package/components/admin/nav-builder/NavBuilder.tsx +182 -0
package/components/admin/nav-builder/NavBuilderGrid.tsx +326 -0
package/components/admin/nav-builder/NavGeneralSettings.tsx +275 -0
package/components/admin/nav-builder/NavGridCell.tsx +48 -0
package/components/admin/nav-builder/NavGridItem.tsx +189 -0
package/components/admin/nav-builder/NavItemSettings.tsx +288 -0
package/components/admin/nav-builder/NavItemTypePicker.tsx +102 -0
package/components/admin/nav-builder/NavLivePreview.tsx +125 -0
package/components/admin/nav-builder/NavSettingsFields.tsx +248 -0
package/components/admin/nav-builder/NavSettingsPanel.tsx +127 -0
package/components/admin/nav-builder/index.ts +10 -0
package/components/admin/nav-builder/nav-builder-utils.ts +238 -0
package/components/admin/setup-wizard/BrandingStep.tsx +218 -0
package/components/admin/setup-wizard/DatabaseStep.tsx +331 -0
package/components/admin/setup-wizard/DoneStep.tsx +187 -0
package/components/admin/setup-wizard/SetupWizard.tsx +166 -0
package/components/admin/setup-wizard/StorageStep.tsx +308 -0
package/components/admin/setup-wizard/WelcomeStep.tsx +96 -0
package/components/admin/setup-wizard/index.ts +9 -0
package/components/admin/styles/ColorsEditor.tsx +214 -0
package/components/admin/styles/FontsEditor.tsx +258 -0
package/components/admin/styles/GridLayoutEditor.tsx +292 -0
package/components/admin/styles/LinksButtonsEditor.tsx +120 -0
package/components/admin/styles/TypographyEditor.tsx +266 -0
package/components/admin/styles/index.ts +9 -0
package/components/admin/styles/shared.tsx +68 -0
package/components/blocks/BlockRenderer.tsx +404 -0
package/components/blocks/ButtonBlockRenderer.tsx +52 -0
package/components/blocks/CoverBlockRenderer.tsx +239 -0
package/components/blocks/CustomSectionInstanceRenderer.tsx +82 -0
package/components/blocks/EnterAnimationWrapper.tsx +140 -0
package/components/blocks/HoverAnimationWrapper.tsx +308 -0
package/components/blocks/ImageBlockRenderer.tsx +61 -0
package/components/blocks/ImageGridBlockRenderer.tsx +545 -0
package/components/blocks/PageBackground.tsx +28 -0
package/components/blocks/PageNavAnimation.tsx +35 -0
package/components/blocks/PageNavColor.tsx +24 -0
package/components/blocks/PageRenderer.tsx +142 -0
package/components/blocks/ParallaxGroupRenderer.tsx +448 -0
package/components/blocks/ParallaxSlideRenderer.tsx +175 -0
package/components/blocks/ProjectGridBlockRenderer.tsx +556 -0
package/components/blocks/SectionRenderer.tsx +170 -0
package/components/blocks/SectionV2Renderer.tsx +330 -0
package/components/blocks/ShaderCanvas.tsx +392 -0
package/components/blocks/SpacerBlockRenderer.tsx +17 -0
package/components/blocks/TextBlockRenderer.tsx +87 -0
package/components/blocks/TypewriterRichText.tsx +464 -0
package/components/blocks/TypewriterWrapper.tsx +149 -0
package/components/blocks/VideoBlockRenderer.tsx +304 -0
package/components/blocks/index.ts +2 -0
package/components/builder/AssetBrowser.tsx +2 -0
package/components/builder/BlockLivePreview.tsx +101 -0
package/components/builder/BlockTypePicker.tsx +178 -0
package/components/builder/BuilderCanvas.tsx +354 -0
package/components/builder/CanvasMinimap.tsx +200 -0
package/components/builder/CanvasToolbar.tsx +202 -0
package/components/builder/ColorPicker.tsx +243 -0
package/components/builder/ColorSwatchPicker.tsx +274 -0
package/components/builder/ColumnDragContext.tsx +51 -0
package/components/builder/ColumnDragOverlay.tsx +110 -0
package/components/builder/CustomSectionInstanceCard.tsx +97 -0
package/components/builder/DeviceFrame.tsx +123 -0
package/components/builder/DndWrapper.tsx +337 -0
package/components/builder/InsertionLines.tsx +186 -0
package/components/builder/ParallaxGroupCanvas.tsx +228 -0
package/components/builder/ParallaxSlideHeader.tsx +113 -0
package/components/builder/ReadOnlyFrame.tsx +417 -0
package/components/builder/SectionEditorBar.tsx +288 -0
package/components/builder/SectionTypePicker.tsx +422 -0
package/components/builder/SectionV2Canvas.tsx +297 -0
package/components/builder/SectionV2Column.tsx +488 -0
package/components/builder/SettingsPanel.tsx +911 -0
package/components/builder/SortableBlock.tsx +230 -0
package/components/builder/SortableRow.tsx +362 -0
package/components/builder/VirtualAssetGrid.tsx +397 -0
package/components/builder/asset-browser/AssetBrowser.tsx +178 -0
package/components/builder/asset-browser/FileLightbox.tsx +116 -0
package/components/builder/asset-browser/FolderTreeItem.tsx +55 -0
package/components/builder/asset-browser/R2BrowserContent.tsx +436 -0
package/components/builder/asset-browser/R2ContextMenu.tsx +98 -0
package/components/builder/asset-browser/VideoThumbnail.tsx +63 -0
package/components/builder/asset-browser/helpers.ts +88 -0
package/components/builder/asset-browser/index.ts +1 -0
package/components/builder/asset-browser/types.ts +49 -0
package/components/builder/asset-browser/useAssetBrowser.ts +344 -0
package/components/builder/asset-browser/useR2DragDrop.ts +116 -0
package/components/builder/asset-browser/useR2Operations.ts +189 -0
package/components/builder/blockStyles.tsx +295 -0
package/components/builder/editors/ButtonBlockEditor.tsx +184 -0
package/components/builder/editors/CoverBlockEditor.tsx +488 -0
package/components/builder/editors/EnterAnimationPicker.tsx +297 -0
package/components/builder/editors/HoverEffectPicker.tsx +209 -0
package/components/builder/editors/ImageBlockEditor.tsx +206 -0
package/components/builder/editors/ImageGridBlockEditor.tsx +386 -0
package/components/builder/editors/ProjectGridEditor.tsx +648 -0
package/components/builder/editors/SpacerBlockEditor.tsx +167 -0
package/components/builder/editors/StaggerSettings.tsx +108 -0
package/components/builder/editors/TextAlignmentIcons.tsx +39 -0
package/components/builder/editors/TextBlockEditor.tsx +462 -0
package/components/builder/editors/TextStylePicker.tsx +183 -0
package/components/builder/editors/VideoBlockEditor.tsx +278 -0
package/components/builder/editors/index.ts +10 -0
package/components/builder/editors/shared.tsx +345 -0
package/components/builder/hooks/useColumnDrag.ts +472 -0
package/components/builder/hooks/useColumnResize.ts +221 -0
package/components/builder/index.ts +12 -0
package/components/builder/live-preview/LiveButtonPreview.tsx +38 -0
package/components/builder/live-preview/LiveCoverPreview.tsx +146 -0
package/components/builder/live-preview/LiveImageGridPreview.tsx +123 -0
package/components/builder/live-preview/LiveImagePreview.tsx +107 -0
package/components/builder/live-preview/LiveProjectGridPreview.tsx +1010 -0
package/components/builder/live-preview/LiveSpacerPreview.tsx +9 -0
package/components/builder/live-preview/LiveTextEditor.tsx +198 -0
package/components/builder/live-preview/LiveVideoPreview.tsx +98 -0
package/components/builder/live-preview/index.ts +10 -0
package/components/builder/live-preview/shared.tsx +153 -0
package/components/builder/settings-panel/BlockLayoutTab.tsx +532 -0
package/components/builder/settings-panel/BlockSettings.tsx +94 -0
package/components/builder/settings-panel/ColumnV2Settings.tsx +160 -0
package/components/builder/settings-panel/LayoutTab.tsx +310 -0
package/components/builder/settings-panel/PageSettings.tsx +200 -0
package/components/builder/settings-panel/ParallaxGroupSettings.tsx +118 -0
package/components/builder/settings-panel/ParallaxSlideSettings.tsx +178 -0
package/components/builder/settings-panel/SectionV2AnimationTab.tsx +103 -0
package/components/builder/settings-panel/SectionV2LayoutTab.tsx +312 -0
package/components/builder/settings-panel/SectionV2Settings.tsx +323 -0
package/components/builder/settings-panel/TRBLInputs.tsx +51 -0
package/components/builder/settings-panel/index.ts +19 -0
package/components/builder/settings-panel/responsive-helpers.ts +524 -0
package/components/ui/CustomCursor.tsx +118 -0
package/components/ui/NavContentLightbox.tsx +152 -0
package/components/ui/Navbar.tsx +582 -0
package/components/ui/PortfolioTracker.tsx +87 -0
package/components/ui/ScrollToTop.tsx +47 -0
package/lib/animation/enter-presets.ts +147 -0
package/lib/animation/enter-resolve.ts +90 -0
package/lib/animation/enter-types.ts +128 -0
package/lib/animation/hover-effect-presets.ts +210 -0
package/lib/animation/hover-effect-types.ts +126 -0
package/lib/asset-retry.ts +111 -0
package/lib/assets.ts +92 -0
package/lib/audit.ts +35 -0
package/lib/auth-token.ts +94 -0
package/lib/auth.ts +13 -0
package/lib/builder/cascade-helpers.ts +51 -0
package/lib/builder/cascade.ts +533 -0
package/lib/builder/constants.ts +103 -0
package/lib/builder/defaults.ts +182 -0
package/lib/builder/history.ts +48 -0
package/lib/builder/index.ts +21 -0
package/lib/builder/layout-styles.ts +344 -0
package/lib/builder/masonry.ts +166 -0
package/lib/builder/responsive.ts +156 -0
package/lib/builder/serializer.ts +845 -0
package/lib/builder/store-blocks.ts +193 -0
package/lib/builder/store-canvas.ts +319 -0
package/lib/builder/store-helpers.ts +490 -0
package/lib/builder/store-sections.ts +709 -0
package/lib/builder/store.ts +333 -0
package/lib/builder/templates.ts +297 -0
package/lib/builder/types.ts +374 -0
package/lib/builder/utils.ts +37 -0
package/lib/color-utils.ts +116 -0
package/lib/config/index.ts +57 -0
package/lib/config/types.ts +122 -0
package/lib/contexts/AssetContext.tsx +79 -0
package/lib/contexts/NavAnimationContext.tsx +44 -0
package/lib/contexts/NavColorContext.tsx +38 -0
package/lib/contexts/PageExitContext.tsx +194 -0
package/lib/contexts/ThumbStatusContext.tsx +83 -0
package/lib/csrf-client.ts +34 -0
package/lib/csrf.ts +68 -0
package/lib/format-utils.ts +24 -0
package/lib/hooks/useViewport.ts +42 -0
package/lib/logger.ts +81 -0
package/lib/revalidate.ts +23 -0
package/lib/sanitize.ts +91 -0
package/lib/sanity/client.ts +8 -0
package/lib/sanity/queries.ts +486 -0
package/lib/sanity/types.ts +869 -0
package/lib/sanity/writeClient.ts +24 -0
package/lib/security.ts +402 -0
package/lib/setup/detect.ts +156 -0
package/lib/shader/glsl/index.ts +27 -0
package/lib/shader/glsl/pixelate.ts +51 -0
package/lib/shader/glsl/rgb-shift.ts +45 -0
package/lib/shader/glsl/ripple.ts +46 -0
package/lib/shader/glsl/vertex.ts +14 -0
package/lib/storage/index.ts +211 -0
package/lib/storage/r2-adapter.ts +286 -0
package/lib/storage/types.ts +125 -0
package/lib/styles/provider.tsx +267 -0
package/lib/thumbnails/generate.ts +151 -0
package/lib/utils.ts +6 -0
package/package.json +212 -0
package/sanity/compose.ts +65 -0
package/sanity/sanity.config.ts +126 -0
package/sanity/schemas/assetRegistry.ts +301 -0
package/sanity/schemas/blocks/blockLayout.ts +90 -0
package/sanity/schemas/blocks/buttonBlock.ts +82 -0
package/sanity/schemas/blocks/coverBlock.ts +229 -0
package/sanity/schemas/blocks/imageBlock.ts +58 -0
package/sanity/schemas/blocks/imageGridBlock.ts +112 -0
package/sanity/schemas/blocks/index.ts +9 -0
package/sanity/schemas/blocks/projectGridBlock.ts +251 -0
package/sanity/schemas/blocks/spacerBlock.ts +41 -0
package/sanity/schemas/blocks/textBlock.ts +139 -0
package/sanity/schemas/blocks/videoBlock.ts +80 -0
package/sanity/schemas/customSection.ts +69 -0
package/sanity/schemas/customSectionInstance.ts +163 -0
package/sanity/schemas/index.ts +111 -0
package/sanity/schemas/objects/enterAnimationConfig.ts +72 -0
package/sanity/schemas/objects/hoverEffectConfig.ts +90 -0
package/sanity/schemas/objects/parallaxGroup.ts +66 -0
package/sanity/schemas/objects/parallaxSlide.ts +217 -0
package/sanity/schemas/objects/typewriterConfig.ts +38 -0
package/sanity/schemas/page.ts +162 -0
package/sanity/schemas/pageSection.ts +157 -0
package/sanity/schemas/pageSectionV2.ts +269 -0
package/sanity/schemas/siteSettings.ts +256 -0
package/sanity/schemas/siteStyles.ts +212 -0
package/site/error.ts +4 -0
package/site/index.ts +8 -0
package/site/not-found.ts +4 -0
package/site/page.ts +4 -0
package/site/preview.ts +4 -0
package/site/robots.ts +4 -0
package/site/sitemap.ts +4 -0
package/site/work.ts +4 -0
package/studio/index.ts +4 -0
package/styles/admin.css +85 -0
package/styles/animations.css +237 -0
package/styles/base.css +148 -0
package/styles/globals.css +10 -0
package/tsconfig.json +25 -0

package/app/api/admin/pages/route.ts ADDED Viewed

@@ -0,0 +1,129 @@
+import { NextRequest, NextResponse } from "next/server";
+import { client } from "../../../../lib/sanity/client";
+import { writeClient } from "../../../../lib/sanity/writeClient";
+import { allPagesQuery } from "../../../../lib/sanity/queries";
+import { isAdminAuthenticated } from "../../../../lib/auth";
+import { validateCsrf, csrfErrorResponse } from "../../../../lib/csrf";
+import { isBodyTooLarge, MAX_JSON_BODY_SIZE } from "../../../../lib/security";
+import { auditLog } from "../../../../lib/audit";
+import { logger } from "../../../../lib/logger";
+/**
+ * GET /api/admin/pages — List all pages
+ */
+export async function GET() {
+  if (!(await isAdminAuthenticated())) {
+    return NextResponse.json({ error: "Unauthorized" }, { status: 401 });
+  }
+  try {
+    const pages = await client.fetch(allPagesQuery);
+    return NextResponse.json({ pages });
+  } catch (err) {
+    logger.error("[Admin:Pages]", "Failed to fetch pages", err);
+    return NextResponse.json(
+      { error: "Failed to fetch pages" },
+      { status: 500 }
+    );
+  }
+}
+/**
+ * POST /api/admin/pages — Create a new page
+ * Body: { title, slug, page_type }
+ */
+export async function POST(request: NextRequest) {
+  if (!(await isAdminAuthenticated())) {
+    return NextResponse.json({ error: "Unauthorized" }, { status: 401 });
+  }
+  if (!validateCsrf(request)) {
+    return csrfErrorResponse();
+  }
+  if (isBodyTooLarge(request, MAX_JSON_BODY_SIZE)) {
+    return NextResponse.json({ error: "Request body too large" }, { status: 413 });
+  }
+  try {
+    const body = await request.json();
+    const { title, slug, page_type, thumbnail_path, cover_video, content_rows } = body;
+    // Validate required fields
+    if (!title || !slug) {
+      return NextResponse.json(
+        { error: "Missing required fields: title, slug" },
+        { status: 400 }
+      );
+    }
+    // Validate title length
+    if (typeof title === "string" && title.length > 500) {
+      return NextResponse.json(
+        { error: "Title exceeds maximum length of 500 characters" },
+        { status: 400 }
+      );
+    }
+    // Validate slug format: lowercase alphanumeric + hyphens only
+    if (typeof slug !== "string" || !/^[a-z0-9]+(?:-[a-z0-9]+)*$/.test(slug)) {
+      return NextResponse.json(
+        { error: "Slug must be lowercase alphanumeric with hyphens only (e.g. 'my-page')" },
+        { status: 400 }
+      );
+    }
+    // Validate page_type (defaults to "page" if not provided)
+    const resolvedPageType = page_type || "page";
+    const validTypes = ["page", "project"];
+    if (!validTypes.includes(resolvedPageType)) {
+      return NextResponse.json(
+        { error: "Invalid page type" },
+        { status: 400 }
+      );
+    }
+    // Check for duplicate slug
+    const existing = await client.fetch(
+      `*[_type == "page" && slug.current == $slug][0]._id`,
+      { slug }
+    );
+    if (existing) {
+      return NextResponse.json(
+        { error: "A page with this slug already exists" },
+        { status: 409 }
+      );
+    }
+    // Create the page document
+    const doc = {
+      _type: "page",
+      title,
+      slug: { _type: "slug", current: slug },
+      page_type: resolvedPageType,
+      is_home: false,
+      content_rows: Array.isArray(content_rows) ? content_rows : [],
+      page_settings: {
+        background_color: "#ffffff",
+        text_color: "#000000",
+      },
+      metadata: {
+        seo_title: title,
+        seo_description: "",
+      },
+      draft_mode: true,
+      ...(thumbnail_path ? { thumbnail_path } : {}),
+      ...(cover_video ? { cover_video } : {}),
+    };
+    const created = await writeClient.create(doc);
+    auditLog("page.create", { slug, page_type: resolvedPageType, title });
+    return NextResponse.json({ page: created }, { status: 201 });
+  } catch (err) {
+    logger.error("[Admin:Pages]", "Failed to create page", err);
+    return NextResponse.json(
+      { error: "Failed to create page" },
+      { status: 500 }
+    );
+  }
+}

package/app/api/admin/preview/route.ts ADDED Viewed

@@ -0,0 +1,53 @@
+import { NextRequest, NextResponse } from "next/server";
+import { client } from "../../../../lib/sanity/client";
+import { pageBySlugQuery } from "../../../../lib/sanity/queries";
+import { isAdminAuthenticated } from "../../../../lib/auth";
+import { logger } from "../../../../lib/logger";
+import type { Page } from "../../../../lib/sanity/types";
+/**
+ * Preview API — fetches a page including drafts.
+ *
+ * Used by the builder "Preview" button to show content that
+ * hasn't been published yet.
+ *
+ * Query params:
+ *   ?slug=about        → fetch by slug (includes drafts)
+ */
+export async function GET(req: NextRequest) {
+  if (!(await isAdminAuthenticated())) {
+    return NextResponse.json({ error: "Unauthorized" }, { status: 401 });
+  }
+  const { searchParams } = new URL(req.url);
+  const slug = searchParams.get("slug");
+  try {
+    let page: Page | null = null;
+    if (slug) {
+      // pageBySlugQuery already includes drafts (no draft_mode filter)
+      page = await client.fetch<Page>(pageBySlugQuery, { slug });
+    } else {
+      return NextResponse.json(
+        { error: "Provide ?slug= parameter" },
+        { status: 400 }
+      );
+    }
+    if (!page) {
+      return NextResponse.json(
+        { error: "Page not found" },
+        { status: 404 }
+      );
+    }
+    return NextResponse.json({ page });
+  } catch (error) {
+    logger.error("[Admin:Preview]", "Preview API error", error);
+    return NextResponse.json(
+      { error: "Failed to fetch page" },
+      { status: 500 }
+    );
+  }
+}

package/app/api/admin/r2/connect/route.ts ADDED Viewed

@@ -0,0 +1,181 @@
+import { NextRequest, NextResponse } from "next/server";
+import { S3Client, HeadBucketCommand, PutBucketCorsCommand } from "@aws-sdk/client-s3";
+import { isAdminAuthenticated } from "../../../../../lib/auth";
+import { writeClient } from "../../../../../lib/sanity/writeClient";
+import { validateCsrf, csrfErrorResponse } from "../../../../../lib/csrf";
+import { encryptToken, isBodyTooLarge, MAX_JSON_BODY_SIZE, jsonError } from "../../../../../lib/security";
+import { logger } from "../../../../../lib/logger";
+/**
+ * POST /api/admin/r2/connect — Validate and store R2 credentials.
+ *
+ * 1. Receives { endpoint, bucketName, accessKeyId, secretAccessKey, publicUrl }.
+ * 2. Validates all fields are present and well-formed.
+ * 3. Tests connectivity by sending a HEAD request to the public URL.
+ * 4. Encrypts accessKeyId and secretAccessKey with AES-GCM.
+ * 5. Stores everything in the assetRegistry document.
+ *
+ * Does NOT switch the active storage_provider — that's Phase 4.
+ */
+export async function POST(request: NextRequest) {
+  if (!(await isAdminAuthenticated())) {
+    return NextResponse.json({ error: "Unauthorized" }, { status: 401 });
+  }
+  if (!validateCsrf(request)) {
+    return csrfErrorResponse();
+  }
+  if (isBodyTooLarge(request, MAX_JSON_BODY_SIZE)) {
+    return jsonError("Request body too large", 413);
+  }
+  try {
+    const body = await request.json();
+    const { endpoint, bucketName, accessKeyId, secretAccessKey, publicUrl } = body;
+    // ── Validate required fields ──
+    if (!endpoint || typeof endpoint !== "string") {
+      return jsonError("S3 endpoint is required", 400);
+    }
+    if (!bucketName || typeof bucketName !== "string") {
+      return jsonError("Bucket name is required", 400);
+    }
+    if (!accessKeyId || typeof accessKeyId !== "string") {
+      return jsonError("Access Key ID is required", 400);
+    }
+    if (!secretAccessKey || typeof secretAccessKey !== "string") {
+      return jsonError("Secret Access Key is required", 400);
+    }
+    if (!publicUrl || typeof publicUrl !== "string") {
+      return jsonError("Public bucket URL is required", 400);
+    }
+    // ── Validate URL formats ──
+    try {
+      const endpointUrl = new URL(endpoint);
+      if (endpointUrl.protocol !== "https:") {
+        return jsonError("S3 endpoint must use HTTPS", 400);
+      }
+      // #13: Whitelist known Cloudflare R2 endpoint patterns to prevent credential theft
+      const hostname = endpointUrl.hostname.toLowerCase();
+      if (!hostname.endsWith(".r2.cloudflarestorage.com") && !hostname.endsWith(".cloudflare.com")) {
+        return jsonError(
+          "S3 endpoint must be a Cloudflare R2 endpoint (*.r2.cloudflarestorage.com). Custom endpoints are not allowed for security.",
+          400
+        );
+      }
+    } catch {
+      return jsonError("Invalid S3 endpoint URL", 400);
+    }
+    try {
+      const pubUrl = new URL(publicUrl);
+      if (pubUrl.protocol !== "https:" && pubUrl.protocol !== "http:") {
+        return jsonError("Public URL must use HTTP or HTTPS", 400);
+      }
+    } catch {
+      return jsonError("Invalid public bucket URL", 400);
+    }
+    // ── Test connection — HEAD request to the public URL ──
+    // A properly configured public R2 bucket returns 200 or 404 (no index)
+    // but NOT a connection error or auth error (403)
+    try {
+      const testRes = await fetch(publicUrl.replace(/\/$/, ""), {
+        method: "HEAD",
+        signal: AbortSignal.timeout(8000),
+      });
+      if (!testRes.ok && testRes.status !== 404) {
+        return jsonError(
+          `Connection test failed: public URL returned HTTP ${testRes.status}. Ensure the bucket has public access enabled.`,
+          400
+        );
+      }
+    } catch (err) {
+      return jsonError(
+        "Cannot reach public URL. Check the URL and try again.",
+        400
+      );
+    }
+    // #17: Test S3 API credentials (not just public URL) using HeadBucket
+    try {
+      const testS3 = new S3Client({
+        region: "auto",
+        endpoint: endpoint.trim().replace(/\/$/, ""),
+        credentials: {
+          accessKeyId: accessKeyId.trim(),
+          secretAccessKey: secretAccessKey.trim(),
+        },
+      });
+      await testS3.send(new HeadBucketCommand({ Bucket: bucketName.trim() }));
+      // ── Configure CORS for browser-direct uploads ──
+      // Presigned PUT URLs require the bucket to allow cross-origin requests
+      // from the Vercel deployment origin. We allow all origins with * because
+      // the presigned URL itself is the auth gate — only holders of a valid
+      // signed URL can upload. This also covers preview deploys and localhost.
+      try {
+        await testS3.send(
+          new PutBucketCorsCommand({
+            Bucket: bucketName.trim(),
+            CORSConfiguration: {
+              CORSRules: [
+                {
+                  AllowedOrigins: ["*"],
+                  AllowedMethods: ["GET", "PUT", "HEAD"],
+                  AllowedHeaders: ["*"],
+                  ExposeHeaders: ["ETag", "Content-Length"],
+                  MaxAgeSeconds: 86400,
+                },
+              ],
+            },
+          })
+        );
+      } catch (corsErr) {
+        logger.warn("[Admin:R2]", "Failed to auto-configure CORS on R2 bucket", corsErr);
+        // Non-fatal — user can configure CORS manually in Cloudflare dashboard
+      }
+      testS3.destroy();
+    } catch (s3Err) {
+      return jsonError(
+        `S3 credential validation failed: ${s3Err instanceof Error ? s3Err.message : "Could not authenticate with the provided credentials"}. Check your Access Key ID, Secret Access Key, and bucket name.`,
+        400
+      );
+    }
+    // ── Encrypt credentials ──
+    const encryptedAccessKeyId = await encryptToken(accessKeyId.trim());
+    const encryptedSecretAccessKey = await encryptToken(secretAccessKey.trim());
+    // #38: Normalize publicUrl using URL constructor for consistent format
+    const normalizedPublicUrl = new URL(publicUrl.trim()).href.replace(/\/+$/, "");
+    const normalizedEndpoint = new URL(endpoint.trim()).href.replace(/\/+$/, "");
+    // ── Store in Sanity ──
+    await writeClient
+      .patch("assetRegistry")
+      .set({
+        r2_bucket_url: normalizedPublicUrl,
+        r2_endpoint: normalizedEndpoint,
+        r2_bucket_name: bucketName.trim(),
+        r2_access_key_id: encryptedAccessKeyId,
+        r2_secret_access_key: encryptedSecretAccessKey,
+        r2_connected_at: new Date().toISOString(),
+      })
+      .commit();
+    return NextResponse.json({
+      success: true,
+      bucketName: bucketName.trim(),
+      publicUrl: publicUrl.trim().replace(/\/$/, ""),
+    });
+  } catch (err) {
+    logger.error("[Admin:R2]", "Failed to connect R2", err);
+    return NextResponse.json(
+      { error: "Failed to store R2 configuration" },
+      { status: 500 }
+    );
+  }
+}

package/app/api/admin/r2/delete/route.ts ADDED Viewed

@@ -0,0 +1,198 @@
+import { NextRequest, NextResponse } from "next/server";
+import { S3Client, DeleteObjectCommand, ListObjectsV2Command, DeleteObjectsCommand } from "@aws-sdk/client-s3";
+import { isAdminAuthenticated } from "../../../../../lib/auth";
+import { validateCsrf, csrfErrorResponse } from "../../../../../lib/csrf";
+import { isBodyTooLarge, MAX_JSON_BODY_SIZE, jsonError, isValidAssetPath, checkRateLimit } from "../../../../../lib/security";
+import { client } from "../../../../../lib/sanity/client";
+import { writeClient } from "../../../../../lib/sanity/writeClient";
+import { decryptToken } from "../../../../../lib/security";
+import { auditLog } from "../../../../../lib/audit";
+import { logger } from "../../../../../lib/logger";
+import { isRasterImage, thumbKeyForPath } from "../../../../../lib/thumbnails/generate";
+/**
+ * POST /api/admin/r2/delete — Delete a file or folder from R2.
+ *
+ * Body: { key: string, isFolder?: boolean }
+ *   - key: relative path (e.g. "Projects/hero.jpg" or "Projects/MyFolder")
+ *   - isFolder: if true, deletes all objects with the key as prefix
+ *
+ * Also removes matching entries from the Sanity asset registry.
+ * For raster images, also deletes the corresponding _thumbs/ thumbnail (best-effort).
+ */
+export async function POST(request: NextRequest) {
+  if (!(await isAdminAuthenticated())) {
+    return NextResponse.json({ error: "Unauthorized" }, { status: 401 });
+  }
+  if (!validateCsrf(request)) {
+    return csrfErrorResponse();
+  }
+  if (isBodyTooLarge(request, MAX_JSON_BODY_SIZE)) {
+    return jsonError("Request body too large", 413);
+  }
+  // #32: Rate limit R2 delete operations (30 per minute)
+  const ip = request.headers.get("x-forwarded-for") || "unknown";
+  if (!checkRateLimit(`r2-delete:${ip}`, 30, 60_000)) {
+    return jsonError("Too many requests. Please slow down.", 429);
+  }
+  try {
+    const body = await request.json();
+    const { key, isFolder } = body;
+    if (!key || typeof key !== "string") {
+      return jsonError("Key is required", 400);
+    }
+    // #1, #16: Always validate path regardless of isFolder flag — prevents path traversal
+    if (!isValidAssetPath(key)) {
+      return jsonError("Invalid path", 400);
+    }
+    // Fetch R2 credentials
+    const registry = await client.fetch(
+      `*[_type == "assetRegistry"][0]{
+        _id, r2_endpoint, r2_bucket_name, r2_access_key_id, r2_secret_access_key, assets
+      }`
+    );
+    if (!registry?.r2_endpoint || !registry?.r2_bucket_name) {
+      return jsonError("R2 is not connected", 400);
+    }
+    const accessKeyId = await decryptToken(registry.r2_access_key_id);
+    const secretAccessKey = await decryptToken(registry.r2_secret_access_key);
+    const s3 = new S3Client({
+      region: "auto",
+      endpoint: registry.r2_endpoint,
+      credentials: { accessKeyId, secretAccessKey },
+    });
+    let deletedKeys: string[] = [];
+    if (isFolder) {
+      // List all objects with this prefix and delete them
+      const prefix = key.replace(/\/+$/, "") + "/";
+      let continuationToken: string | undefined;
+      do {
+        const list = await s3.send(
+          new ListObjectsV2Command({
+            Bucket: registry.r2_bucket_name,
+            Prefix: prefix,
+            ContinuationToken: continuationToken,
+            MaxKeys: 1000,
+          })
+        );
+        const objects = (list.Contents || []).map((obj) => ({ Key: obj.Key! }));
+        if (objects.length > 0) {
+          // #15: Check for partial failures in batch delete
+          const deleteResult = await s3.send(
+            new DeleteObjectsCommand({
+              Bucket: registry.r2_bucket_name,
+              Delete: { Objects: objects },
+            })
+          );
+          const errors = deleteResult.Errors || [];
+          if (errors.length > 0) {
+            logger.error("[Admin:R2]", `Partial failure: ${errors.length} of ${objects.length} objects failed`, errors);
+          }
+          // Only count successfully deleted keys
+          const failedKeys = new Set(errors.map((e) => e.Key));
+          const succeeded = objects.filter((o) => !failedKeys.has(o.Key));
+          deletedKeys.push(...succeeded.map((o) => o.Key));
+        }
+        continuationToken = list.NextContinuationToken;
+      } while (continuationToken);
+      // ── Thumbnail propagation: also delete _thumbs/{folder}/ contents ──
+      // Best-effort — failures here don't affect the main operation.
+      try {
+        const thumbPrefix = `_thumbs/${prefix}`;
+        let thumbContinuation: string | undefined;
+        do {
+          const thumbList = await s3.send(
+            new ListObjectsV2Command({
+              Bucket: registry.r2_bucket_name,
+              Prefix: thumbPrefix,
+              ContinuationToken: thumbContinuation,
+              MaxKeys: 1000,
+            })
+          );
+          const thumbObjects = (thumbList.Contents || []).map((obj) => ({ Key: obj.Key! }));
+          if (thumbObjects.length > 0) {
+            await s3.send(
+              new DeleteObjectsCommand({
+                Bucket: registry.r2_bucket_name,
+                Delete: { Objects: thumbObjects },
+              })
+            );
+          }
+          thumbContinuation = thumbList.NextContinuationToken;
+        } while (thumbContinuation);
+      } catch (thumbErr) {
+        logger.warn("[Admin:R2]", "Failed to delete folder thumbnails (best-effort)", thumbErr);
+      }
+    } else {
+      // Delete single file
+      await s3.send(
+        new DeleteObjectCommand({
+          Bucket: registry.r2_bucket_name,
+          Key: key,
+        })
+      );
+      deletedKeys = [key];
+      // ── Thumbnail propagation: delete _thumbs/ counterpart for raster images ──
+      // S3 DeleteObject on a non-existent key is a no-op, so no need to check existence.
+      if (isRasterImage(key)) {
+        try {
+          const thumbKey = thumbKeyForPath(key);
+          await s3.send(
+            new DeleteObjectCommand({
+              Bucket: registry.r2_bucket_name,
+              Key: thumbKey,
+            })
+          );
+        } catch (thumbErr) {
+          logger.warn("[Admin:R2]", "Failed to delete thumbnail (best-effort)", thumbErr);
+        }
+      }
+    }
+    // Remove matching entries from Sanity registry
+    if (deletedKeys.length > 0 && registry.assets?.length) {
+      const keysToRemove = new Set(deletedKeys);
+      const toUnset = registry.assets
+        .filter((a: { path: string; _key: string }) => keysToRemove.has(a.path))
+        .map((a: { _key: string }) => `assets[_key=="${a._key}"]`);
+      if (toUnset.length > 0) {
+        await writeClient
+          .patch(registry._id)
+          .unset(toUnset)
+          .commit();
+      }
+    }
+    auditLog("r2.delete", { key, isFolder, deletedCount: deletedKeys.length });
+    return NextResponse.json({
+      success: true,
+      deletedCount: deletedKeys.length,
+    });
+  } catch (err) {
+    // #5: Gracefully handle corrupted encrypted tokens
+    if (err instanceof Error && (err.message.includes("decrypt") || err.message.includes("atob") || err.message.includes("Invalid encrypted"))) {
+      logger.error("[Admin:R2]", "Failed to decrypt R2 credentials", err);
+      return jsonError("R2 credentials are corrupted. Please reconnect R2 in /admin/storage.", 500);
+    }
+    logger.error("[Admin:R2]", "Failed to delete from R2", err);
+    return jsonError("Failed to delete", 500);
+  }
+}

package/app/api/admin/r2/disconnect/route.ts ADDED Viewed

@@ -0,0 +1,42 @@
+import { NextRequest, NextResponse } from "next/server";
+import { isAdminAuthenticated } from "../../../../../lib/auth";
+import { writeClient } from "../../../../../lib/sanity/writeClient";
+import { validateCsrf, csrfErrorResponse } from "../../../../../lib/csrf";
+import { logger } from "../../../../../lib/logger";
+/**
+ * POST /api/admin/r2/disconnect — Clear R2 credentials from the registry.
+ *
+ * Removes all R2-specific fields. Does NOT change storage_provider —
+ * if R2 was the active provider, the caller should handle that separately.
+ */
+export async function POST(request: NextRequest) {
+  if (!(await isAdminAuthenticated())) {
+    return NextResponse.json({ error: "Unauthorized" }, { status: 401 });
+  }
+  if (!validateCsrf(request)) {
+    return csrfErrorResponse();
+  }
+  try {
+    await writeClient
+      .patch("assetRegistry")
+      .unset([
+        "r2_bucket_url",
+        "r2_access_key_id",
+        "r2_secret_access_key",
+        "r2_endpoint",
+        "r2_bucket_name",
+        "r2_connected_at",
+      ])
+      .commit();
+    return NextResponse.json({ success: true });
+  } catch (err) {
+    logger.error("[Admin:R2]", "Failed to disconnect R2", err);
+    return NextResponse.json(
+      { error: "Failed to disconnect R2" },
+      { status: 500 }
+    );
+  }
+}