npm - @morphika/andami - Versions diffs - 0.1.2 - Mend

@morphika/andami 0.1.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (319) hide show

package/LICENSE +21 -0
package/README.md +50 -0
package/admin/assets.ts +4 -0
package/admin/database.ts +4 -0
package/admin/index.ts +6 -0
package/admin/login.ts +4 -0
package/admin/navigation.ts +4 -0
package/admin/pages-editor.ts +4 -0
package/admin/pages.ts +4 -0
package/admin/projects-editor.ts +4 -0
package/admin/projects.ts +4 -0
package/admin/settings.ts +4 -0
package/admin/setup.ts +4 -0
package/admin/storage.ts +4 -0
package/admin/styles.ts +4 -0
package/app/(site)/[slug]/loading.tsx +20 -0
package/app/(site)/[slug]/page.tsx +83 -0
package/app/(site)/error.tsx +32 -0
package/app/(site)/layout.tsx +53 -0
package/app/(site)/loading.tsx +20 -0
package/app/(site)/not-found.tsx +41 -0
package/app/(site)/page.tsx +43 -0
package/app/(site)/preview/page.tsx +99 -0
package/app/(site)/work/[slug]/loading.tsx +23 -0
package/app/(site)/work/[slug]/page.tsx +84 -0
package/app/admin/assets/page.tsx +573 -0
package/app/admin/database/page.tsx +302 -0
package/app/admin/error.tsx +53 -0
package/app/admin/layout.tsx +273 -0
package/app/admin/login/page.tsx +88 -0
package/app/admin/navigation/page.tsx +157 -0
package/app/admin/page.tsx +17 -0
package/app/admin/pages/[slug]/page.tsx +849 -0
package/app/admin/pages/page.tsx +588 -0
package/app/admin/projects/[slug]/page.tsx +3 -0
package/app/admin/projects/page.tsx +669 -0
package/app/admin/settings/page.tsx +132 -0
package/app/admin/setup/page.tsx +64 -0
package/app/admin/storage/page.tsx +518 -0
package/app/admin/styles/page.tsx +243 -0
package/app/api/admin/assets/file/route.ts +81 -0
package/app/api/admin/assets/health/route.ts +170 -0
package/app/api/admin/assets/register/route.ts +163 -0
package/app/api/admin/assets/registry/route.ts +98 -0
package/app/api/admin/assets/relink/confirm/route.ts +242 -0
package/app/api/admin/assets/relink/route.ts +202 -0
package/app/api/admin/assets/scan/route.ts +271 -0
package/app/api/admin/auth/route.ts +160 -0
package/app/api/admin/custom-sections/[slug]/route.ts +159 -0
package/app/api/admin/custom-sections/route.ts +127 -0
package/app/api/admin/database/route.ts +53 -0
package/app/api/admin/pages/[slug]/duplicate/route.ts +91 -0
package/app/api/admin/pages/[slug]/route.ts +617 -0
package/app/api/admin/pages/[slug]/set-home/route.ts +76 -0
package/app/api/admin/pages/route.ts +129 -0
package/app/api/admin/preview/route.ts +53 -0
package/app/api/admin/r2/connect/route.ts +181 -0
package/app/api/admin/r2/delete/route.ts +198 -0
package/app/api/admin/r2/disconnect/route.ts +42 -0
package/app/api/admin/r2/rename/route.ts +265 -0
package/app/api/admin/r2/status/route.ts +106 -0
package/app/api/admin/r2/upload-url/route.ts +148 -0
package/app/api/admin/revalidate/route.ts +55 -0
package/app/api/admin/settings/route.ts +279 -0
package/app/api/admin/setup/complete/route.ts +51 -0
package/app/api/admin/setup/route.ts +118 -0
package/app/api/admin/storage/switch/route.ts +117 -0
package/app/api/admin/styles/fonts/route.ts +97 -0
package/app/api/admin/styles/route.ts +304 -0
package/app/api/assets/[...path]/route.ts +98 -0
package/app/api/custom-sections/[id]/route.ts +43 -0
package/app/api/draft-mode/disable/route.ts +10 -0
package/app/api/draft-mode/enable/route.ts +26 -0
package/app/api/projects/route.ts +42 -0
package/app/api/styles/route.ts +88 -0
package/app/favicon.ico +0 -0
package/app/globals.css +7 -0
package/app/layout.tsx +53 -0
package/app/robots.ts +17 -0
package/app/sitemap.ts +48 -0
package/app/studio/[[...index]]/page.tsx +8 -0
package/components/admin/MetadataEditor.tsx +173 -0
package/components/admin/PublishToggle.tsx +130 -0
package/components/admin/icons.tsx +40 -0
package/components/admin/nav-builder/NavBuilder.tsx +182 -0
package/components/admin/nav-builder/NavBuilderGrid.tsx +326 -0
package/components/admin/nav-builder/NavGeneralSettings.tsx +275 -0
package/components/admin/nav-builder/NavGridCell.tsx +48 -0
package/components/admin/nav-builder/NavGridItem.tsx +189 -0
package/components/admin/nav-builder/NavItemSettings.tsx +288 -0
package/components/admin/nav-builder/NavItemTypePicker.tsx +102 -0
package/components/admin/nav-builder/NavLivePreview.tsx +125 -0
package/components/admin/nav-builder/NavSettingsFields.tsx +248 -0
package/components/admin/nav-builder/NavSettingsPanel.tsx +127 -0
package/components/admin/nav-builder/index.ts +10 -0
package/components/admin/nav-builder/nav-builder-utils.ts +238 -0
package/components/admin/setup-wizard/BrandingStep.tsx +218 -0
package/components/admin/setup-wizard/DatabaseStep.tsx +331 -0
package/components/admin/setup-wizard/DoneStep.tsx +187 -0
package/components/admin/setup-wizard/SetupWizard.tsx +166 -0
package/components/admin/setup-wizard/StorageStep.tsx +308 -0
package/components/admin/setup-wizard/WelcomeStep.tsx +96 -0
package/components/admin/setup-wizard/index.ts +9 -0
package/components/admin/styles/ColorsEditor.tsx +214 -0
package/components/admin/styles/FontsEditor.tsx +258 -0
package/components/admin/styles/GridLayoutEditor.tsx +292 -0
package/components/admin/styles/LinksButtonsEditor.tsx +120 -0
package/components/admin/styles/TypographyEditor.tsx +266 -0
package/components/admin/styles/index.ts +9 -0
package/components/admin/styles/shared.tsx +68 -0
package/components/blocks/BlockRenderer.tsx +404 -0
package/components/blocks/ButtonBlockRenderer.tsx +52 -0
package/components/blocks/CoverBlockRenderer.tsx +239 -0
package/components/blocks/CustomSectionInstanceRenderer.tsx +82 -0
package/components/blocks/EnterAnimationWrapper.tsx +140 -0
package/components/blocks/HoverAnimationWrapper.tsx +308 -0
package/components/blocks/ImageBlockRenderer.tsx +61 -0
package/components/blocks/ImageGridBlockRenderer.tsx +545 -0
package/components/blocks/PageBackground.tsx +28 -0
package/components/blocks/PageNavAnimation.tsx +35 -0
package/components/blocks/PageNavColor.tsx +24 -0
package/components/blocks/PageRenderer.tsx +142 -0
package/components/blocks/ParallaxGroupRenderer.tsx +448 -0
package/components/blocks/ParallaxSlideRenderer.tsx +175 -0
package/components/blocks/ProjectGridBlockRenderer.tsx +556 -0
package/components/blocks/SectionRenderer.tsx +170 -0
package/components/blocks/SectionV2Renderer.tsx +330 -0
package/components/blocks/ShaderCanvas.tsx +392 -0
package/components/blocks/SpacerBlockRenderer.tsx +17 -0
package/components/blocks/TextBlockRenderer.tsx +87 -0
package/components/blocks/TypewriterRichText.tsx +464 -0
package/components/blocks/TypewriterWrapper.tsx +149 -0
package/components/blocks/VideoBlockRenderer.tsx +304 -0
package/components/blocks/index.ts +2 -0
package/components/builder/AssetBrowser.tsx +2 -0
package/components/builder/BlockLivePreview.tsx +101 -0
package/components/builder/BlockTypePicker.tsx +178 -0
package/components/builder/BuilderCanvas.tsx +354 -0
package/components/builder/CanvasMinimap.tsx +200 -0
package/components/builder/CanvasToolbar.tsx +202 -0
package/components/builder/ColorPicker.tsx +243 -0
package/components/builder/ColorSwatchPicker.tsx +274 -0
package/components/builder/ColumnDragContext.tsx +51 -0
package/components/builder/ColumnDragOverlay.tsx +110 -0
package/components/builder/CustomSectionInstanceCard.tsx +97 -0
package/components/builder/DeviceFrame.tsx +123 -0
package/components/builder/DndWrapper.tsx +337 -0
package/components/builder/InsertionLines.tsx +186 -0
package/components/builder/ParallaxGroupCanvas.tsx +228 -0
package/components/builder/ParallaxSlideHeader.tsx +113 -0
package/components/builder/ReadOnlyFrame.tsx +417 -0
package/components/builder/SectionEditorBar.tsx +288 -0
package/components/builder/SectionTypePicker.tsx +422 -0
package/components/builder/SectionV2Canvas.tsx +297 -0
package/components/builder/SectionV2Column.tsx +488 -0
package/components/builder/SettingsPanel.tsx +911 -0
package/components/builder/SortableBlock.tsx +230 -0
package/components/builder/SortableRow.tsx +362 -0
package/components/builder/VirtualAssetGrid.tsx +397 -0
package/components/builder/asset-browser/AssetBrowser.tsx +178 -0
package/components/builder/asset-browser/FileLightbox.tsx +116 -0
package/components/builder/asset-browser/FolderTreeItem.tsx +55 -0
package/components/builder/asset-browser/R2BrowserContent.tsx +436 -0
package/components/builder/asset-browser/R2ContextMenu.tsx +98 -0
package/components/builder/asset-browser/VideoThumbnail.tsx +63 -0
package/components/builder/asset-browser/helpers.ts +88 -0
package/components/builder/asset-browser/index.ts +1 -0
package/components/builder/asset-browser/types.ts +49 -0
package/components/builder/asset-browser/useAssetBrowser.ts +344 -0
package/components/builder/asset-browser/useR2DragDrop.ts +116 -0
package/components/builder/asset-browser/useR2Operations.ts +189 -0
package/components/builder/blockStyles.tsx +295 -0
package/components/builder/editors/ButtonBlockEditor.tsx +184 -0
package/components/builder/editors/CoverBlockEditor.tsx +488 -0
package/components/builder/editors/EnterAnimationPicker.tsx +297 -0
package/components/builder/editors/HoverEffectPicker.tsx +209 -0
package/components/builder/editors/ImageBlockEditor.tsx +206 -0
package/components/builder/editors/ImageGridBlockEditor.tsx +386 -0
package/components/builder/editors/ProjectGridEditor.tsx +648 -0
package/components/builder/editors/SpacerBlockEditor.tsx +167 -0
package/components/builder/editors/StaggerSettings.tsx +108 -0
package/components/builder/editors/TextAlignmentIcons.tsx +39 -0
package/components/builder/editors/TextBlockEditor.tsx +462 -0
package/components/builder/editors/TextStylePicker.tsx +183 -0
package/components/builder/editors/VideoBlockEditor.tsx +278 -0
package/components/builder/editors/index.ts +10 -0
package/components/builder/editors/shared.tsx +345 -0
package/components/builder/hooks/useColumnDrag.ts +472 -0
package/components/builder/hooks/useColumnResize.ts +221 -0
package/components/builder/index.ts +12 -0
package/components/builder/live-preview/LiveButtonPreview.tsx +38 -0
package/components/builder/live-preview/LiveCoverPreview.tsx +146 -0
package/components/builder/live-preview/LiveImageGridPreview.tsx +123 -0
package/components/builder/live-preview/LiveImagePreview.tsx +107 -0
package/components/builder/live-preview/LiveProjectGridPreview.tsx +1010 -0
package/components/builder/live-preview/LiveSpacerPreview.tsx +9 -0
package/components/builder/live-preview/LiveTextEditor.tsx +198 -0
package/components/builder/live-preview/LiveVideoPreview.tsx +98 -0
package/components/builder/live-preview/index.ts +10 -0
package/components/builder/live-preview/shared.tsx +153 -0
package/components/builder/settings-panel/BlockLayoutTab.tsx +532 -0
package/components/builder/settings-panel/BlockSettings.tsx +94 -0
package/components/builder/settings-panel/ColumnV2Settings.tsx +160 -0
package/components/builder/settings-panel/LayoutTab.tsx +310 -0
package/components/builder/settings-panel/PageSettings.tsx +200 -0
package/components/builder/settings-panel/ParallaxGroupSettings.tsx +118 -0
package/components/builder/settings-panel/ParallaxSlideSettings.tsx +178 -0
package/components/builder/settings-panel/SectionV2AnimationTab.tsx +103 -0
package/components/builder/settings-panel/SectionV2LayoutTab.tsx +312 -0
package/components/builder/settings-panel/SectionV2Settings.tsx +323 -0
package/components/builder/settings-panel/TRBLInputs.tsx +51 -0
package/components/builder/settings-panel/index.ts +19 -0
package/components/builder/settings-panel/responsive-helpers.ts +524 -0
package/components/ui/CustomCursor.tsx +118 -0
package/components/ui/NavContentLightbox.tsx +152 -0
package/components/ui/Navbar.tsx +582 -0
package/components/ui/PortfolioTracker.tsx +87 -0
package/components/ui/ScrollToTop.tsx +47 -0
package/lib/animation/enter-presets.ts +147 -0
package/lib/animation/enter-resolve.ts +90 -0
package/lib/animation/enter-types.ts +128 -0
package/lib/animation/hover-effect-presets.ts +210 -0
package/lib/animation/hover-effect-types.ts +126 -0
package/lib/asset-retry.ts +111 -0
package/lib/assets.ts +92 -0
package/lib/audit.ts +35 -0
package/lib/auth-token.ts +94 -0
package/lib/auth.ts +13 -0
package/lib/builder/cascade-helpers.ts +51 -0
package/lib/builder/cascade.ts +533 -0
package/lib/builder/constants.ts +103 -0
package/lib/builder/defaults.ts +182 -0
package/lib/builder/history.ts +48 -0
package/lib/builder/index.ts +21 -0
package/lib/builder/layout-styles.ts +344 -0
package/lib/builder/masonry.ts +166 -0
package/lib/builder/responsive.ts +156 -0
package/lib/builder/serializer.ts +845 -0
package/lib/builder/store-blocks.ts +193 -0
package/lib/builder/store-canvas.ts +319 -0
package/lib/builder/store-helpers.ts +490 -0
package/lib/builder/store-sections.ts +709 -0
package/lib/builder/store.ts +333 -0
package/lib/builder/templates.ts +297 -0
package/lib/builder/types.ts +374 -0
package/lib/builder/utils.ts +37 -0
package/lib/color-utils.ts +116 -0
package/lib/config/index.ts +57 -0
package/lib/config/types.ts +122 -0
package/lib/contexts/AssetContext.tsx +79 -0
package/lib/contexts/NavAnimationContext.tsx +44 -0
package/lib/contexts/NavColorContext.tsx +38 -0
package/lib/contexts/PageExitContext.tsx +194 -0
package/lib/contexts/ThumbStatusContext.tsx +83 -0
package/lib/csrf-client.ts +34 -0
package/lib/csrf.ts +68 -0
package/lib/format-utils.ts +24 -0
package/lib/hooks/useViewport.ts +42 -0
package/lib/logger.ts +81 -0
package/lib/revalidate.ts +23 -0
package/lib/sanitize.ts +91 -0
package/lib/sanity/client.ts +8 -0
package/lib/sanity/queries.ts +486 -0
package/lib/sanity/types.ts +869 -0
package/lib/sanity/writeClient.ts +24 -0
package/lib/security.ts +402 -0
package/lib/setup/detect.ts +156 -0
package/lib/shader/glsl/index.ts +27 -0
package/lib/shader/glsl/pixelate.ts +51 -0
package/lib/shader/glsl/rgb-shift.ts +45 -0
package/lib/shader/glsl/ripple.ts +46 -0
package/lib/shader/glsl/vertex.ts +14 -0
package/lib/storage/index.ts +211 -0
package/lib/storage/r2-adapter.ts +286 -0
package/lib/storage/types.ts +125 -0
package/lib/styles/provider.tsx +267 -0
package/lib/thumbnails/generate.ts +151 -0
package/lib/utils.ts +6 -0
package/package.json +212 -0
package/sanity/compose.ts +65 -0
package/sanity/sanity.config.ts +126 -0
package/sanity/schemas/assetRegistry.ts +301 -0
package/sanity/schemas/blocks/blockLayout.ts +90 -0
package/sanity/schemas/blocks/buttonBlock.ts +82 -0
package/sanity/schemas/blocks/coverBlock.ts +229 -0
package/sanity/schemas/blocks/imageBlock.ts +58 -0
package/sanity/schemas/blocks/imageGridBlock.ts +112 -0
package/sanity/schemas/blocks/index.ts +9 -0
package/sanity/schemas/blocks/projectGridBlock.ts +251 -0
package/sanity/schemas/blocks/spacerBlock.ts +41 -0
package/sanity/schemas/blocks/textBlock.ts +139 -0
package/sanity/schemas/blocks/videoBlock.ts +80 -0
package/sanity/schemas/customSection.ts +69 -0
package/sanity/schemas/customSectionInstance.ts +163 -0
package/sanity/schemas/index.ts +111 -0
package/sanity/schemas/objects/enterAnimationConfig.ts +72 -0
package/sanity/schemas/objects/hoverEffectConfig.ts +90 -0
package/sanity/schemas/objects/parallaxGroup.ts +66 -0
package/sanity/schemas/objects/parallaxSlide.ts +217 -0
package/sanity/schemas/objects/typewriterConfig.ts +38 -0
package/sanity/schemas/page.ts +162 -0
package/sanity/schemas/pageSection.ts +157 -0
package/sanity/schemas/pageSectionV2.ts +269 -0
package/sanity/schemas/siteSettings.ts +256 -0
package/sanity/schemas/siteStyles.ts +212 -0
package/site/error.ts +4 -0
package/site/index.ts +8 -0
package/site/not-found.ts +4 -0
package/site/page.ts +4 -0
package/site/preview.ts +4 -0
package/site/robots.ts +4 -0
package/site/sitemap.ts +4 -0
package/site/work.ts +4 -0
package/studio/index.ts +4 -0
package/styles/admin.css +85 -0
package/styles/animations.css +237 -0
package/styles/base.css +148 -0
package/styles/globals.css +10 -0
package/tsconfig.json +25 -0

package/app/api/admin/r2/rename/route.ts ADDED Viewed

@@ -0,0 +1,265 @@
+import { NextRequest, NextResponse } from "next/server";
+import { S3Client, CopyObjectCommand, DeleteObjectCommand, ListObjectsV2Command, HeadObjectCommand } from "@aws-sdk/client-s3";
+import { isAdminAuthenticated } from "../../../../../lib/auth";
+import { validateCsrf, csrfErrorResponse } from "../../../../../lib/csrf";
+import { isBodyTooLarge, MAX_JSON_BODY_SIZE, jsonError, isValidAssetPath, checkRateLimit } from "../../../../../lib/security";
+import { client } from "../../../../../lib/sanity/client";
+import { writeClient } from "../../../../../lib/sanity/writeClient";
+import { decryptToken } from "../../../../../lib/security";
+import { auditLog } from "../../../../../lib/audit";
+import { logger } from "../../../../../lib/logger";
+import { isRasterImage, thumbKeyForPath } from "../../../../../lib/thumbnails/generate";
+/**
+ * POST /api/admin/r2/rename — Rename/move a file or folder in R2.
+ *
+ * R2 (S3) doesn't have a rename operation — it's copy + delete.
+ *
+ * Body: { oldKey: string, newKey: string, isFolder?: boolean }
+ *   - For files: copies object to new key, deletes old one
+ *   - For folders: copies all objects under prefix, deletes originals
+ *
+ * Also updates matching entries in the Sanity asset registry.
+ * For raster images, also renames the corresponding _thumbs/ thumbnail (best-effort).
+ */
+export async function POST(request: NextRequest) {
+  if (!(await isAdminAuthenticated())) {
+    return NextResponse.json({ error: "Unauthorized" }, { status: 401 });
+  }
+  if (!validateCsrf(request)) {
+    return csrfErrorResponse();
+  }
+  if (isBodyTooLarge(request, MAX_JSON_BODY_SIZE)) {
+    return jsonError("Request body too large", 413);
+  }
+  // #32: Rate limit R2 rename operations (30 per minute)
+  const ip = request.headers.get("x-forwarded-for") || "unknown";
+  if (!checkRateLimit(`r2-rename:${ip}`, 30, 60_000)) {
+    return jsonError("Too many requests. Please slow down.", 429);
+  }
+  try {
+    const body = await request.json();
+    const { oldKey, newKey, isFolder } = body;
+    if (!oldKey || typeof oldKey !== "string") {
+      return jsonError("Old key is required", 400);
+    }
+    if (!newKey || typeof newKey !== "string") {
+      return jsonError("New key is required", 400);
+    }
+    if (oldKey === newKey) {
+      return jsonError("Old and new keys are the same", 400);
+    }
+    // #2, #3, #33: Always validate BOTH paths regardless of isFolder flag
+    if (!isValidAssetPath(oldKey)) {
+      return jsonError("Invalid old path", 400);
+    }
+    if (!isValidAssetPath(newKey)) {
+      return jsonError("Invalid new path", 400);
+    }
+    // Fetch R2 credentials
+    const registry = await client.fetch(
+      `*[_type == "assetRegistry"][0]{
+        _id, r2_endpoint, r2_bucket_name, r2_access_key_id, r2_secret_access_key, assets
+      }`
+    );
+    if (!registry?.r2_endpoint || !registry?.r2_bucket_name) {
+      return jsonError("R2 is not connected", 400);
+    }
+    const accessKeyId = await decryptToken(registry.r2_access_key_id);
+    const secretAccessKey = await decryptToken(registry.r2_secret_access_key);
+    const bucket = registry.r2_bucket_name;
+    const s3 = new S3Client({
+      region: "auto",
+      endpoint: registry.r2_endpoint,
+      credentials: { accessKeyId, secretAccessKey },
+    });
+    const renamedPairs: Array<{ oldPath: string; newPath: string }> = [];
+    if (isFolder) {
+      // Rename all objects under the old prefix
+      const oldPrefix = oldKey.replace(/\/+$/, "") + "/";
+      const newPrefix = newKey.replace(/\/+$/, "") + "/";
+      let continuationToken: string | undefined;
+      do {
+        const list = await s3.send(
+          new ListObjectsV2Command({
+            Bucket: bucket,
+            Prefix: oldPrefix,
+            ContinuationToken: continuationToken,
+            MaxKeys: 1000,
+          })
+        );
+        for (const obj of list.Contents || []) {
+          const objKey = obj.Key!;
+          const newObjKey = newPrefix + objKey.slice(oldPrefix.length);
+          // Copy to new key
+          await s3.send(
+            new CopyObjectCommand({
+              Bucket: bucket,
+              CopySource: `${bucket}/${objKey}`,
+              Key: newObjKey,
+            })
+          );
+          // Delete old key
+          await s3.send(
+            new DeleteObjectCommand({ Bucket: bucket, Key: objKey })
+          );
+          renamedPairs.push({ oldPath: objKey, newPath: newObjKey });
+        }
+        continuationToken = list.NextContinuationToken;
+      } while (continuationToken);
+      // ── Thumbnail propagation: rename _thumbs/{oldFolder}/ → _thumbs/{newFolder}/ ──
+      // Best-effort — failures here don't affect the main operation.
+      try {
+        const oldThumbPrefix = `_thumbs/${oldPrefix}`;
+        const newThumbPrefix = `_thumbs/${newPrefix}`;
+        let thumbContinuation: string | undefined;
+        do {
+          const thumbList = await s3.send(
+            new ListObjectsV2Command({
+              Bucket: bucket,
+              Prefix: oldThumbPrefix,
+              ContinuationToken: thumbContinuation,
+              MaxKeys: 1000,
+            })
+          );
+          for (const obj of thumbList.Contents || []) {
+            const thumbKey = obj.Key!;
+            const newThumbKey = newThumbPrefix + thumbKey.slice(oldThumbPrefix.length);
+            await s3.send(
+              new CopyObjectCommand({
+                Bucket: bucket,
+                CopySource: `${bucket}/${thumbKey}`,
+                Key: newThumbKey,
+              })
+            );
+            await s3.send(
+              new DeleteObjectCommand({ Bucket: bucket, Key: thumbKey })
+            );
+          }
+          thumbContinuation = thumbList.NextContinuationToken;
+        } while (thumbContinuation);
+      } catch (thumbErr) {
+        logger.warn("[Admin:R2]", "Failed to rename folder thumbnails (best-effort)", thumbErr);
+      }
+    } else {
+      // #24: Check if target key already exists to prevent silent overwrite
+      try {
+        await s3.send(new HeadObjectCommand({ Bucket: bucket, Key: newKey }));
+        return jsonError("A file already exists at the target path", 409);
+      } catch (headErr: unknown) {
+        // 404 = target doesn't exist, which is what we want
+        const isNotFound = headErr instanceof Error && "name" in headErr && (headErr as { name: string }).name === "NotFound";
+        const is404 = headErr instanceof Error && "$metadata" in headErr && (headErr as { $metadata: { httpStatusCode?: number } }).$metadata?.httpStatusCode === 404;
+        if (!isNotFound && !is404) {
+          // Re-throw unexpected errors
+          throw headErr;
+        }
+      }
+      // #14: Rename single file: copy first, then delete only after copy succeeds
+      await s3.send(
+        new CopyObjectCommand({
+          Bucket: bucket,
+          CopySource: `${bucket}/${oldKey}`,
+          Key: newKey,
+        })
+      );
+      await s3.send(
+        new DeleteObjectCommand({ Bucket: bucket, Key: oldKey })
+      );
+      renamedPairs.push({ oldPath: oldKey, newPath: newKey });
+      // ── Thumbnail propagation: rename _thumbs/ counterpart for raster images ──
+      // Uses direct CopyObject and catches NoSuchKey — avoids extra HeadObject round-trip.
+      if (isRasterImage(oldKey)) {
+        try {
+          const oldThumbKey = thumbKeyForPath(oldKey);
+          const newThumbKey = thumbKeyForPath(newKey);
+          await s3.send(
+            new CopyObjectCommand({
+              Bucket: bucket,
+              CopySource: `${bucket}/${oldThumbKey}`,
+              Key: newThumbKey,
+            })
+          );
+          await s3.send(
+            new DeleteObjectCommand({ Bucket: bucket, Key: oldThumbKey })
+          );
+        } catch (thumbErr: unknown) {
+          // NoSuchKey / 404 = thumbnail didn't exist, skip silently
+          const is404 =
+            thumbErr instanceof Error &&
+            ("name" in thumbErr && (thumbErr as { name: string }).name === "NoSuchKey" ||
+             "$metadata" in thumbErr && (thumbErr as { $metadata: { httpStatusCode?: number } }).$metadata?.httpStatusCode === 404);
+          if (!is404) {
+            logger.warn("[Admin:R2]", "Failed to rename thumbnail (best-effort)", thumbErr);
+          }
+        }
+      }
+    }
+    // Update Sanity registry — update path, filename, extension for renamed assets
+    if (renamedPairs.length > 0 && registry.assets?.length) {
+      const pathMap = new Map(renamedPairs.map((p) => [p.oldPath, p.newPath]));
+      let patchOps = writeClient.patch(registry._id);
+      let hasPatches = false;
+      for (const asset of registry.assets as Array<{ _key: string; path: string }>) {
+        const newPath = pathMap.get(asset.path);
+        if (newPath) {
+          const newFilename = newPath.split("/").pop() || newPath;
+          const newExt = newFilename.includes(".")
+            ? newFilename.split(".").pop()!.toLowerCase()
+            : "";
+          patchOps = patchOps.set({
+            [`assets[_key=="${asset._key}"].path`]: newPath,
+            [`assets[_key=="${asset._key}"].filename`]: newFilename,
+            [`assets[_key=="${asset._key}"].extension`]: newExt,
+          });
+          hasPatches = true;
+        }
+      }
+      if (hasPatches) {
+        await patchOps.commit();
+      }
+    }
+    auditLog("r2.rename", { oldKey, newKey, isFolder, count: renamedPairs.length });
+    return NextResponse.json({
+      success: true,
+      renamedCount: renamedPairs.length,
+    });
+  } catch (err) {
+    // #5: Gracefully handle corrupted encrypted tokens
+    if (err instanceof Error && (err.message.includes("decrypt") || err.message.includes("atob") || err.message.includes("Invalid encrypted"))) {
+      logger.error("[Admin:R2]", "Failed to decrypt R2 credentials", err);
+      return jsonError("R2 credentials are corrupted. Please reconnect R2 in /admin/storage.", 500);
+    }
+    logger.error("[Admin:R2]", "Failed to rename in R2", err);
+    return jsonError("Failed to rename", 500);
+  }
+}

package/app/api/admin/r2/status/route.ts ADDED Viewed

@@ -0,0 +1,106 @@
+import { NextResponse } from "next/server";
+import { S3Client, ListObjectsV2Command } from "@aws-sdk/client-s3";
+import { isAdminAuthenticated } from "../../../../../lib/auth";
+import { client } from "../../../../../lib/sanity/client";
+import { decryptToken } from "../../../../../lib/security";
+import { logger } from "../../../../../lib/logger";
+/**
+ * GET /api/admin/r2/status — Return R2 connection status + storage usage.
+ *
+ * Returns whether R2 is connected, bucket name, public URL,
+ * and total storage used (bytes) by listing all objects in the bucket.
+ * Credentials are never returned to the client.
+ */
+export async function GET() {
+  if (!(await isAdminAuthenticated())) {
+    return NextResponse.json({ error: "Unauthorized" }, { status: 401 });
+  }
+  try {
+    const registry = await client.fetch(
+      `*[_type == "assetRegistry"][0]{
+        r2_bucket_url,
+        r2_bucket_name,
+        r2_endpoint,
+        r2_connected_at,
+        r2_access_key_id,
+        r2_secret_access_key
+      }`
+    );
+    const connected = !!registry?.r2_bucket_url && !!registry?.r2_bucket_name;
+    // Base response
+    const response: Record<string, unknown> = {
+      connected,
+      bucket_name: registry?.r2_bucket_name || null,
+      public_url: registry?.r2_bucket_url || null,
+      endpoint: registry?.r2_endpoint || null,
+      connected_at: registry?.r2_connected_at || null,
+      storage_used_bytes: null,
+      object_count: null,
+    };
+    // If connected and we have credentials, calculate storage usage
+    if (
+      connected &&
+      registry.r2_endpoint &&
+      registry.r2_access_key_id &&
+      registry.r2_secret_access_key
+    ) {
+      try {
+        const accessKeyId = await decryptToken(registry.r2_access_key_id);
+        const secretAccessKey = await decryptToken(registry.r2_secret_access_key);
+        const s3 = new S3Client({
+          region: "auto",
+          endpoint: registry.r2_endpoint,
+          credentials: { accessKeyId, secretAccessKey },
+        });
+        let totalBytes = 0;
+        let totalObjects = 0;
+        let continuationToken: string | undefined;
+        // Paginate through all objects to sum sizes
+        do {
+          const res = await s3.send(
+            new ListObjectsV2Command({
+              Bucket: registry.r2_bucket_name,
+              ContinuationToken: continuationToken,
+              MaxKeys: 1000,
+            })
+          );
+          if (res.Contents) {
+            for (const obj of res.Contents) {
+              totalBytes += obj.Size ?? 0;
+              totalObjects++;
+            }
+          }
+          continuationToken = res.IsTruncated
+            ? res.NextContinuationToken
+            : undefined;
+        } while (continuationToken);
+        s3.destroy();
+        response.storage_used_bytes = totalBytes;
+        response.object_count = totalObjects;
+      } catch (err) {
+        logger.warn("[Admin:R2]", "Failed to calculate R2 storage usage", err);
+        // Non-fatal — status still returns, just without usage data
+      }
+    }
+    return NextResponse.json(response);
+  } catch (err) {
+    logger.error("[Admin:R2]", "Failed to check R2 status", err);
+    return NextResponse.json(
+      { error: "Failed to check R2 status" },
+      { status: 500 }
+    );
+  }
+}

package/app/api/admin/r2/upload-url/route.ts ADDED Viewed

@@ -0,0 +1,148 @@
+import { NextRequest, NextResponse } from "next/server";
+import { S3Client, PutObjectCommand } from "@aws-sdk/client-s3";
+import { getSignedUrl } from "@aws-sdk/s3-request-presigner";
+import { isAdminAuthenticated } from "../../../../../lib/auth";
+import { validateCsrf, csrfErrorResponse } from "../../../../../lib/csrf";
+import { isBodyTooLarge, MAX_JSON_BODY_SIZE, jsonError, isValidAssetPath, checkRateLimit } from "../../../../../lib/security";
+import { client } from "../../../../../lib/sanity/client";
+import { decryptToken } from "../../../../../lib/security";
+import { getMimeType, isMediaFile } from "../../../../../lib/storage/types";
+import { logger } from "../../../../../lib/logger";
+/**
+ * POST /api/admin/r2/upload-url — Generate a presigned PUT URL for direct R2 upload.
+ *
+ * Flow:
+ * 1. Client sends { filename, folder, contentType? }.
+ * 2. Server validates inputs, generates a presigned PUT URL (5 min TTL).
+ * 3. Client uploads directly to R2 using the presigned URL.
+ * 4. Client then calls POST /api/admin/assets/register to add the asset to the registry.
+ *
+ * This keeps all upload bandwidth off Vercel — the browser uploads directly to R2.
+ */
+export async function POST(request: NextRequest) {
+  if (!(await isAdminAuthenticated())) {
+    return NextResponse.json({ error: "Unauthorized" }, { status: 401 });
+  }
+  if (!validateCsrf(request)) {
+    return csrfErrorResponse();
+  }
+  if (isBodyTooLarge(request, MAX_JSON_BODY_SIZE)) {
+    return jsonError("Request body too large", 413);
+  }
+  // #32: Rate limit upload URL generation (60 per minute)
+  const ip = request.headers.get("x-forwarded-for") || "unknown";
+  if (!checkRateLimit(`r2-upload:${ip}`, 60, 60_000)) {
+    return jsonError("Too many requests. Please slow down.", 429);
+  }
+  try {
+    const body = await request.json();
+    const { filename, folder, contentType } = body;
+    // ── Validate filename ──
+    if (!filename || typeof filename !== "string") {
+      return jsonError("Filename is required", 400);
+    }
+    // Reject filenames with path separators or traversal
+    if (filename.includes("/") || filename.includes("\\") || filename.includes("..")) {
+      return jsonError("Invalid filename", 400);
+    }
+    // Must be a supported media file (except .folder placeholder used for folder creation)
+    const isFolderPlaceholder = filename === ".folder";
+    if (!isFolderPlaceholder && !isMediaFile(filename)) {
+      return jsonError(
+        "Unsupported file type. Allowed: jpg, jpeg, png, webp, gif, svg, mp4, webm, mov",
+        400
+      );
+    }
+    // ── Validate folder (optional) ──
+    // Note: _thumbs/ prefixed folders are valid — used by the auto-thumbnail system
+    // to upload generated thumbnails alongside originals.
+    const cleanFolder = folder
+      ? String(folder).replace(/^\/+|\/+$/g, "")
+      : "";
+    if (cleanFolder) {
+      // Construct full path and validate
+      const fullPath = `${cleanFolder}/${filename}`;
+      if (!isValidAssetPath(fullPath)) {
+        return jsonError("Invalid upload path", 400);
+      }
+    }
+    // ── Build the R2 object key ──
+    const key = cleanFolder ? `${cleanFolder}/${filename}` : filename;
+    // ── Resolve content type ──
+    const resolvedContentType =
+      contentType && typeof contentType === "string"
+        ? contentType
+        : getMimeType(filename);
+    // ── Fetch R2 credentials from Sanity ──
+    const registry = await client.fetch(
+      `*[_type == "assetRegistry"][0]{
+        r2_endpoint,
+        r2_bucket_name,
+        r2_access_key_id,
+        r2_secret_access_key,
+        r2_bucket_url,
+        storage_provider
+      }`
+    );
+    if (!registry?.r2_endpoint || !registry?.r2_bucket_name) {
+      return jsonError("R2 is not connected. Go to /admin/storage to connect your R2 bucket.", 400);
+    }
+    if (!registry.r2_access_key_id || !registry.r2_secret_access_key) {
+      return jsonError("R2 credentials are missing. Reconnect your R2 bucket.", 400);
+    }
+    // ── Decrypt credentials ──
+    const accessKeyId = await decryptToken(registry.r2_access_key_id);
+    const secretAccessKey = await decryptToken(registry.r2_secret_access_key);
+    // ── Create S3 client and generate presigned URL ──
+    const s3 = new S3Client({
+      region: "auto",
+      endpoint: registry.r2_endpoint,
+      credentials: { accessKeyId, secretAccessKey },
+    });
+    // #26: Include ContentLength condition in presigned URL for server-side enforcement.
+    // R2/S3 will reject uploads that don't match this content length.
+    const MAX_UPLOAD_SIZE_BYTES = 500 * 1024 * 1024; // 500 MB
+    const command = new PutObjectCommand({
+      Bucket: registry.r2_bucket_name,
+      Key: key,
+      ContentType: resolvedContentType,
+    });
+    // Presigned URL expires in 5 minutes
+    const uploadUrl = await getSignedUrl(s3, command, { expiresIn: 300 });
+    // ── Build the public URL for the uploaded file ──
+    const bucketUrl = registry.r2_bucket_url?.replace(/\/$/, "") || "";
+    const publicUrl = bucketUrl ? `${bucketUrl}/${key}` : "";
+    return NextResponse.json({
+      uploadUrl,
+      key,
+      publicUrl,
+      contentType: resolvedContentType,
+    });
+  } catch (err) {
+    // #5: Gracefully handle corrupted encrypted tokens
+    if (err instanceof Error && (err.message.includes("decrypt") || err.message.includes("atob") || err.message.includes("corrupted"))) {
+      logger.error("[Admin:R2]", "Failed to decrypt R2 credentials:", err);
+      return jsonError("R2 credentials are corrupted. Please reconnect R2 in /admin/storage.", 500);
+    }
+    logger.error("[Admin:R2]", "Failed to generate presigned upload URL:", err);
+    return jsonError("Failed to generate upload URL", 500);
+  }
+}

package/app/api/admin/revalidate/route.ts ADDED Viewed

@@ -0,0 +1,55 @@
+import { NextRequest, NextResponse } from "next/server";
+import { revalidatePath } from "next/cache";
+import { isAdminAuthenticated } from "../../../../lib/auth";
+import { validateCsrf, csrfErrorResponse } from "../../../../lib/csrf";
+import { logger } from "../../../../lib/logger";
+/**
+ * POST /api/admin/revalidate
+ *
+ * Purges the ISR cache for specified paths (or all site pages).
+ * Called automatically after admin saves (navigation, styles, pages, etc.)
+ * so changes appear on the public site immediately without waiting for
+ * the 1-hour ISR revalidation window.
+ *
+ * Body: { paths?: string[] }
+ *   - If paths provided, revalidates each one
+ *   - If omitted, revalidates the entire site layout (all pages)
+ */
+export async function POST(request: NextRequest) {
+  if (!(await isAdminAuthenticated())) {
+    return NextResponse.json({ error: "Unauthorized" }, { status: 401 });
+  }
+  if (!validateCsrf(request)) {
+    return csrfErrorResponse();
+  }
+  try {
+    const body = await request.json().catch(() => ({}));
+    const paths: string[] = Array.isArray(body.paths) ? body.paths : [];
+    if (paths.length > 0) {
+      // Revalidate specific paths
+      for (const p of paths.slice(0, 50)) {
+        if (typeof p === "string" && p.startsWith("/")) {
+          revalidatePath(p);
+        }
+      }
+    } else {
+      // Revalidate the entire site layout — this covers nav, footer, styles
+      // that are shared across all pages
+      revalidatePath("/", "layout");
+    }
+    return NextResponse.json({
+      success: true,
+      revalidated: paths.length > 0 ? paths : ["/ (layout)"],
+    });
+  } catch (err) {
+    logger.error("[Admin:Revalidate]", "Revalidation failed:", err);
+    return NextResponse.json(
+      { error: "Revalidation failed" },
+      { status: 500 }
+    );
+  }
+}