@morphika/andami 0.1.2

package/lib/sanity/writeClient.ts

@@ -0,0 +1,24 @@
+import { createClient } from "next-sanity";
+
+/**
+ * Sanity client with write capabilities.
+ * Only used server-side in API routes — never exposed to the browser.
+ * Requires SANITY_API_TOKEN environment variable.
+ */
+
+const token = process.env.SANITY_API_TOKEN;
+
+if (!token && process.env.NODE_ENV === "production") {
+  console.warn(
+    "SANITY_API_TOKEN is not configured. Write operations to Sanity will fail at runtime. " +
+    "Set this variable in your hosting dashboard or .env.local file."
+  );
+}
+
+export const writeClient = createClient({
+  projectId: process.env.NEXT_PUBLIC_SANITY_PROJECT_ID,
+  dataset: process.env.NEXT_PUBLIC_SANITY_DATASET || "production",
+  apiVersion: "2024-01-01",
+  useCdn: false,
+  token,
+});

package/lib/security.ts

@@ -0,0 +1,402 @@
+/**
+ * Shared security utilities for input validation and sanitization.
+ * Used across API routes and components.
+ */
+
+// ─── Request Body Size Limits ─────────────────────────────────────────────
+
+/** Default max body size for JSON API routes: 1MB */
+export const MAX_JSON_BODY_SIZE = 1 * 1024 * 1024;
+
+/** Max body size for page builder saves (larger due to block content): 5MB */
+export const MAX_PAGE_BODY_SIZE = 5 * 1024 * 1024;
+
+/**
+ * Check if a request's Content-Length exceeds the specified limit.
+ * Returns true if the body is too large.
+ * #11: Also rejects requests without Content-Length header (chunked encoding bypass).
+ */
+export function isBodyTooLarge(request: Request, maxBytes: number): boolean {
+  const contentLength = request.headers.get("content-length");
+  if (!contentLength) {
+    // #11: No Content-Length means chunked transfer encoding — reject to prevent
+    // bypassing size limits. All our JSON mutation endpoints should send Content-Length.
+    return true;
+  }
+  const size = parseInt(contentLength, 10);
+  if (isNaN(size) || size > maxBytes) return true;
+  return false;
+}
+
+/**
+ * Read and validate request body with streaming size enforcement.
+ * Use this as a safer alternative for endpoints that need to accept
+ * bodies without Content-Length headers.
+ */
+export async function readBodyWithLimit(request: Request, maxBytes: number): Promise<string> {
+  const reader = request.body?.getReader();
+  if (!reader) throw new Error("No request body");
+
+  const chunks: Uint8Array[] = [];
+  let totalSize = 0;
+
+  while (true) {
+    const { done, value } = await reader.read();
+    if (done) break;
+    totalSize += value.byteLength;
+    if (totalSize > maxBytes) {
+      reader.cancel();
+      throw new Error("Request body too large");
+    }
+    chunks.push(value);
+  }
+
+  const combined = new Uint8Array(totalSize);
+  let offset = 0;
+  for (const chunk of chunks) {
+    combined.set(chunk, offset);
+    offset += chunk.byteLength;
+  }
+  return new TextDecoder().decode(combined);
+}
+
+// ─── Standardized Error Responses ──────────────────────────────────────────
+
+import { NextResponse } from "next/server";
+
+/**
+ * Return a standardized JSON error response.
+ * All error responses use consistent format: { error: string }
+ * with explicit Content-Type header.
+ */
+export function jsonError(message: string, status: number): NextResponse {
+  return NextResponse.json(
+    { error: message },
+    {
+      status,
+      headers: { "Content-Type": "application/json" },
+    }
+  );
+}
+
+// ─── URL Validation ───────────────────────────────────────────────────────
+
+/** Allowed URL protocols for user-provided links */
+const SAFE_URL_PROTOCOLS = ["https:", "http:", "mailto:", "tel:"];
+
+/**
+ * Validate a URL string. Returns true if the URL uses a safe protocol.
+ * Rejects javascript:, data:, vbscript:, and other dangerous schemes.
+ */
+export function isSafeUrl(url: string): boolean {
+  if (!url || typeof url !== "string") return false;
+  const trimmed = url.trim();
+  if (!trimmed) return false;
+
+  // Relative URLs and anchors are safe
+  if (trimmed.startsWith("/") || trimmed.startsWith("#")) return true;
+
+  try {
+    const parsed = new URL(trimmed);
+    return SAFE_URL_PROTOCOLS.includes(parsed.protocol);
+  } catch {
+    // If URL parsing fails, reject it
+    return false;
+  }
+}
+
+/**
+ * Validate and sanitize a URL. Returns the URL if safe, or null if dangerous.
+ */
+export function sanitizeUrl(url: string): string | null {
+  if (!url || typeof url !== "string") return null;
+  return isSafeUrl(url) ? url.trim() : null;
+}
+
+// ─── CSS Value Sanitization ───────────────────────────────────────────────
+
+/** Match valid CSS hex colors: #rgb, #rrggbb, #rrggbbaa */
+const HEX_COLOR_RE = /^#([0-9a-fA-F]{3,4}|[0-9a-fA-F]{6}|[0-9a-fA-F]{8})$/;
+
+/** Match valid CSS numeric values: 0, 12px, 1.5rem, 100%, -2em, etc. */
+const CSS_NUMERIC_RE = /^-?\d+(\.\d+)?(px|rem|em|%|vh|vw|pt|ch|ex|vmin|vmax)?$/;
+
+/** Match valid CSS font-weight values */
+const FONT_WEIGHT_RE = /^(normal|bold|bolder|lighter|\d{3})$/;
+
+/** Match valid font-style values */
+const FONT_STYLE_RE = /^(normal|italic|oblique)$/;
+
+/** Match safe font-family names: alphanumeric, spaces, hyphens */
+const FONT_FAMILY_RE = /^[a-zA-Z0-9\s\-_]+$/;
+
+/** Match safe font file URL — must be relative path or https */
+const FONT_URL_RE = /^(\/[a-zA-Z0-9\-_/.]+|https:\/\/[a-zA-Z0-9\-_.]+\.[a-z]{2,}\/[^\s'"()]+)$/;
+
+/**
+ * Sanitize a CSS color value. Returns fallback if invalid.
+ */
+export function sanitizeCssColor(value: string, fallback: string = "#000000"): string {
+  if (!value || typeof value !== "string") return fallback;
+  const v = value.trim();
+  // Allow hex colors
+  if (HEX_COLOR_RE.test(v)) return v;
+  // Allow named CSS colors (basic set)
+  if (/^[a-zA-Z]{3,20}$/.test(v)) return v;
+  // Allow rgb()/rgba()/hsl()/hsla() — validate no url() or expressions
+  if (/^(rgb|hsl)a?\(\s*[\d.,\s%]+\)$/.test(v)) return v;
+  return fallback;
+}
+
+/**
+ * Sanitize a CSS numeric value (sizes, spacing). Returns fallback if invalid.
+ */
+export function sanitizeCssNumeric(value: string, fallback: string = "0"): string {
+  if (!value || typeof value !== "string") return fallback;
+  const v = value.trim();
+  if (CSS_NUMERIC_RE.test(v)) return v;
+  return fallback;
+}
+
+/**
+ * Sanitize a font family name. Returns fallback if invalid.
+ */
+export function sanitizeFontFamily(value: string, fallback: string = "monospace"): string {
+  if (!value || typeof value !== "string") return fallback;
+  const v = value.trim();
+  if (FONT_FAMILY_RE.test(v)) return v;
+  return fallback;
+}
+
+/**
+ * Sanitize a font weight value.
+ */
+export function sanitizeFontWeight(value: string, fallback: string = "400"): string {
+  if (!value || typeof value !== "string") return fallback;
+  const v = value.trim();
+  if (FONT_WEIGHT_RE.test(v)) return v;
+  return fallback;
+}
+
+/**
+ * Sanitize a font style value.
+ */
+export function sanitizeFontStyle(value: string, fallback: string = "normal"): string {
+  if (!value || typeof value !== "string") return fallback;
+  const v = value.trim();
+  if (FONT_STYLE_RE.test(v)) return v;
+  return fallback;
+}
+
+/**
+ * Sanitize a font file URL. Returns empty string if invalid.
+ */
+export function sanitizeFontUrl(value: string): string {
+  if (!value || typeof value !== "string") return "";
+  const v = value.trim();
+  if (FONT_URL_RE.test(v)) return v;
+  return "";
+}
+
+/**
+ * Sanitize a CSS underline/decoration value.
+ */
+export function sanitizeCssDecoration(value: string, fallback: string = "none"): string {
+  const allowed = ["none", "underline", "overline", "line-through"];
+  if (!value || typeof value !== "string") return fallback;
+  return allowed.includes(value.trim()) ? value.trim() : fallback;
+}
+
+// ─── Asset Path Validation ────────────────────────────────────────────────
+
+/**
+ * Validate an asset path. Rejects path traversal and absolute paths.
+ */
+export function isValidAssetPath(path: string): boolean {
+  if (!path || typeof path !== "string") return false;
+  const trimmed = path.trim();
+  // #34: Reject empty, slash-only, absolute paths, or path traversal
+  if (!trimmed) return false;
+  if (trimmed.startsWith("/")) return false;
+  if (trimmed.includes("..")) return false;
+  // #34: Reject slash-only paths or trailing-only slash paths
+  if (trimmed.replace(/\//g, "") === "") return false;
+  // Reject query strings or fragments
+  if (trimmed.includes("?") || trimmed.includes("#")) return false;
+  // Reject control characters and null bytes
+  if (/[\x00-\x1f\x7f]/.test(trimmed)) return false;
+  return true;
+}
+
+// ─── Font Magic Byte Validation ───────────────────────────────────────────
+
+interface FontMagicBytes {
+  bytes: number[];
+  offset: number;
+}
+
+const FONT_MAGIC: Record<string, FontMagicBytes[]> = {
+  ".woff2": [{ bytes: [0x77, 0x4f, 0x46, 0x32], offset: 0 }], // wOF2
+  ".woff": [{ bytes: [0x77, 0x4f, 0x46, 0x46], offset: 0 }],  // wOFF
+  ".ttf": [
+    { bytes: [0x00, 0x01, 0x00, 0x00], offset: 0 },            // TrueType
+    { bytes: [0x74, 0x72, 0x75, 0x65], offset: 0 },            // 'true'
+  ],
+  ".otf": [{ bytes: [0x4f, 0x54, 0x54, 0x4f], offset: 0 }],   // OTTO
+};
+
+/**
+ * Validate that a file's magic bytes match the expected font format.
+ */
+export function validateFontMagicBytes(
+  buffer: ArrayBuffer,
+  extension: string
+): boolean {
+  const magicList = FONT_MAGIC[extension];
+  if (!magicList) return false;
+
+  const view = new Uint8Array(buffer);
+  if (view.length < 4) return false;
+
+  return magicList.some((magic) =>
+    magic.bytes.every(
+      (byte, i) => view[magic.offset + i] === byte
+    )
+  );
+}
+
+// ─── Token Encryption (for credentials at rest) ──────────────────────────
+
+const ENCRYPTION_ALGORITHM = "AES-GCM";
+const IV_LENGTH = 12; // 96 bits for AES-GCM
+
+/**
+ * Get or derive an encryption key from ADMIN_TOKEN_SECRET.
+ */
+async function getEncryptionKey(): Promise<CryptoKey | null> {
+  const secret = process.env.ADMIN_TOKEN_SECRET;
+  if (!secret) return null;
+
+  // Derive a 256-bit key from the secret using SHA-256
+  const encoder = new TextEncoder();
+  const hash = await crypto.subtle.digest("SHA-256", encoder.encode(secret));
+
+  return crypto.subtle.importKey(
+    "raw",
+    hash,
+    { name: ENCRYPTION_ALGORITHM },
+    false,
+    ["encrypt", "decrypt"]
+  );
+}
+
+/**
+ * Encrypt a plaintext string. Returns base64-encoded "iv:ciphertext".
+ * Returns the plaintext as-is if no encryption key is configured.
+ */
+export async function encryptToken(plaintext: string): Promise<string> {
+  const key = await getEncryptionKey();
+  if (!key) return plaintext; // Graceful fallback if no secret configured
+
+  const encoder = new TextEncoder();
+  const iv = crypto.getRandomValues(new Uint8Array(IV_LENGTH));
+
+  const ciphertext = await crypto.subtle.encrypt(
+    { name: ENCRYPTION_ALGORITHM, iv },
+    key,
+    encoder.encode(plaintext)
+  );
+
+  // Encode as "enc:base64(iv):base64(ciphertext)"
+  const ivB64 = btoa(String.fromCharCode(...iv));
+  const ctB64 = btoa(String.fromCharCode(...new Uint8Array(ciphertext)));
+  return `enc:${ivB64}:${ctB64}`;
+}
+
+/**
+ * Decrypt a token string. Handles both encrypted ("enc:...") and
+ * legacy plaintext tokens for backward compatibility.
+ *
+ * #5: Wrapped in try/catch to prevent crashes from corrupted tokens.
+ * Throws a descriptive error instead of raw atob/crypto failures.
+ */
+export async function decryptToken(stored: string): Promise<string> {
+  if (!stored || typeof stored !== "string") {
+    throw new Error("Cannot decrypt: empty or invalid token value");
+  }
+
+  // Not encrypted — return as-is (legacy/fallback)
+  if (!stored.startsWith("enc:")) return stored;
+
+  const key = await getEncryptionKey();
+  if (!key) {
+    throw new Error("Cannot decrypt token: ADMIN_TOKEN_SECRET not configured");
+  }
+
+  const parts = stored.split(":");
+  if (parts.length !== 3) {
+    throw new Error("Invalid encrypted token format — expected enc:iv:ciphertext");
+  }
+
+  try {
+    const iv = Uint8Array.from(atob(parts[1]), (c) => c.charCodeAt(0));
+    const ciphertext = Uint8Array.from(atob(parts[2]), (c) => c.charCodeAt(0));
+
+    const plaintext = await crypto.subtle.decrypt(
+      { name: ENCRYPTION_ALGORITHM, iv },
+      key,
+      ciphertext
+    );
+
+    return new TextDecoder().decode(plaintext);
+  } catch (err) {
+    // #5: Provide a meaningful error instead of raw atob/crypto crash
+    throw new Error(
+      `Failed to decrypt token: ${err instanceof Error ? err.message : "corrupted data"}. ` +
+      "Credentials may be corrupted in Sanity. Please reconnect the storage provider."
+    );
+  }
+}
+
+// ─── Rate Limiting (#32) ──────────────────────────────────────────────────
+
+interface RateLimitBucket {
+  count: number;
+  windowStart: number;
+}
+
+const rateLimitBuckets = new Map<string, RateLimitBucket>();
+let lastRateLimitCleanup = Date.now();
+
+function cleanupRateLimitBuckets(windowMs: number) {
+  const now = Date.now();
+  if (now - lastRateLimitCleanup < 60_000) return; // cleanup max once per minute
+  lastRateLimitCleanup = now;
+  for (const [key, bucket] of rateLimitBuckets) {
+    if (now - bucket.windowStart > windowMs) {
+      rateLimitBuckets.delete(key);
+    }
+  }
+}
+
+/**
+ * #32: Simple in-memory rate limiter for mutation endpoints.
+ * Returns true if the request should be allowed, false if rate limited.
+ *
+ * @param key - Unique key for the rate limit bucket (e.g. "r2-delete:IP")
+ * @param maxRequests - Max requests per window
+ * @param windowMs - Window size in milliseconds
+ */
+export function checkRateLimit(key: string, maxRequests: number, windowMs: number): boolean {
+  cleanupRateLimitBuckets(windowMs);
+  const now = Date.now();
+  const bucket = rateLimitBuckets.get(key);
+
+  if (!bucket || now - bucket.windowStart > windowMs) {
+    rateLimitBuckets.set(key, { count: 1, windowStart: now });
+    return true;
+  }
+
+  bucket.count++;
+  return bucket.count <= maxRequests;
+}

package/lib/setup/detect.ts

@@ -0,0 +1,156 @@
+import { client } from "../../lib/sanity/client";
+
+/**
+ * Setup Detection — checks whether a new instance has been configured.
+ *
+ * The wizard guides new instances through: Database → Storage → Branding.
+ * An already-configured instance (like the root Morphika deployment) skips
+ * the wizard entirely because all three checks pass.
+ *
+ * Each step check is independent so the wizard can resume from where the
+ * user left off.
+ *
+ * Completion flag: When the wizard's "Start Building" button is clicked,
+ * `setup_complete: true` is written to siteSettings. This ensures:
+ * - Users who skipped optional steps don't see the wizard again
+ * - Already-configured instances (Morphika) pass via `isSetupComplete()`
+ *   because `setup_complete` is set, OR all individual checks pass
+ */
+
+// ── Individual step checks ──
+
+/**
+ * Check if Sanity is connected and the core documents exist.
+ * Returns true when siteSettings, siteStyles, and assetRegistry docs are present.
+ */
+export async function isDatabaseConfigured(): Promise<boolean> {
+  const projectId = process.env.NEXT_PUBLIC_SANITY_PROJECT_ID;
+  if (!projectId) return false;
+
+  try {
+    const counts = await client.fetch<{
+      siteSettings: number;
+      siteStyles: number;
+      assetRegistry: number;
+    }>(`{
+      "siteSettings": count(*[_type == "siteSettings"]),
+      "siteStyles": count(*[_type == "siteStyles"]),
+      "assetRegistry": count(*[_type == "assetRegistry"])
+    }`);
+
+    return (
+      counts.siteSettings > 0 &&
+      counts.siteStyles > 0 &&
+      counts.assetRegistry > 0
+    );
+  } catch {
+    return false;
+  }
+}
+
+/**
+ * Check if a storage provider (R2) is connected.
+ * Reads the assetRegistry document for a non-empty storage_provider field.
+ */
+export async function isStorageConfigured(): Promise<boolean> {
+  const projectId = process.env.NEXT_PUBLIC_SANITY_PROJECT_ID;
+  if (!projectId) return false;
+
+  try {
+    const result = await client.fetch<{ provider: string | null }>(
+      `*[_type == "assetRegistry"][0]{ "provider": storage_provider }`
+    );
+    return !!result?.provider;
+  } catch {
+    return false;
+  }
+}
+
+/**
+ * Check if branding has been configured.
+ * True when siteStyles has at least one font or a non-empty color palette,
+ * OR siteSettings has a non-empty default_title.
+ */
+export async function isBrandingConfigured(): Promise<boolean> {
+  const projectId = process.env.NEXT_PUBLIC_SANITY_PROJECT_ID;
+  if (!projectId) return false;
+
+  try {
+    const result = await client.fetch<{
+      hasTitle: boolean;
+      hasPalette: boolean;
+      hasFonts: boolean;
+    }>(`{
+      "hasTitle": count(*[_type == "siteSettings" && defined(default_title) && default_title != ""]) > 0,
+      "hasPalette": count(*[_type == "siteStyles" && defined(color_palette) && length(color_palette) > 0]) > 0,
+      "hasFonts": count(*[_type == "siteStyles" && defined(fonts) && length(fonts) > 0]) > 0
+    }`);
+
+    // Branding is "done" if the user has set a title or customized colors/fonts
+    return result.hasTitle || result.hasPalette || result.hasFonts;
+  } catch {
+    return false;
+  }
+}
+
+/**
+ * Check if the setup_complete flag has been explicitly set on siteSettings.
+ * This is set when the user clicks "Start Building" in the wizard.
+ */
+export async function isSetupMarkedComplete(): Promise<boolean> {
+  const projectId = process.env.NEXT_PUBLIC_SANITY_PROJECT_ID;
+  if (!projectId) return false;
+
+  try {
+    const result = await client.fetch<{ complete: boolean }>(
+      `*[_type == "siteSettings"][0]{ "complete": setup_complete == true }`
+    );
+    return !!result?.complete;
+  } catch {
+    return false;
+  }
+}
+
+// ── Aggregate check ──
+
+export interface SetupStatus {
+  complete: boolean;
+  steps: {
+    database: boolean;
+    storage: boolean;
+    branding: boolean;
+  };
+}
+
+/**
+ * Full setup status — used by the admin layout to decide whether to
+ * show the onboarding wizard.
+ *
+ * Setup is "complete" when:
+ * - The explicit `setup_complete` flag is set (user finished wizard), OR
+ * - All three individual checks pass (pre-existing configured instance)
+ */
+export async function getSetupStatus(): Promise<SetupStatus> {
+  const [database, storage, branding, markedComplete] = await Promise.all([
+    isDatabaseConfigured(),
+    isStorageConfigured(),
+    isBrandingConfigured(),
+    isSetupMarkedComplete(),
+  ]);
+
+  // Complete if explicitly marked OR all individual checks pass
+  const complete = markedComplete || (database && storage && branding);
+
+  return {
+    complete,
+    steps: { database, storage, branding },
+  };
+}
+
+/**
+ * Quick boolean check — true when the instance is fully configured.
+ */
+export async function isSetupComplete(): Promise<boolean> {
+  const status = await getSetupStatus();
+  return status.complete;
+}

package/lib/shader/glsl/index.ts

@@ -0,0 +1,27 @@
+/**
+ * GLSL shader lookup — maps preset ID to fragment shader source.
+ *
+ * Session 71.
+ */
+
+import type { ShaderHoverPreset } from "../../../lib/animation/hover-effect-types";
+import { rippleFragment } from "./ripple";
+import { rgbShiftFragment } from "./rgb-shift";
+import { pixelateFragment } from "./pixelate";
+
+const FRAGMENT_SHADERS: Partial<Record<ShaderHoverPreset, string>> = {
+  ripple: rippleFragment,
+  "rgb-shift": rgbShiftFragment,
+  pixelate: pixelateFragment,
+};
+
+/**
+ * Get the fragment shader source for a given preset.
+ * Returns undefined for "none" or unknown presets.
+ */
+export function getFragmentShader(preset: ShaderHoverPreset | "none"): string | undefined {
+  if (preset === "none") return undefined;
+  return FRAGMENT_SHADERS[preset];
+}
+
+export { vertexShader } from "./vertex";

package/lib/shader/glsl/pixelate.ts

@@ -0,0 +1,51 @@
+/**
+ * Pixelate fragment shader.
+ *
+ * Quantizes UV coordinates to a grid — sharp image that pixelates
+ * on hover (uHover 0→1 = sharp→pixelated).
+ *
+ * Uniforms:
+ *   uTexture     — image texture
+ *   uMouse       — normalized cursor position (0–1)
+ *   uIntensity   — config intensity (0.5–2.0)
+ *   uSpeed       — config speed (0.5–3.0) — controls transition curve
+ *   uTime        — elapsed time (seconds) — unused for this preset
+ *   uHover       — lerped hover state (0=not hovering, 1=hovering)
+ *   uResolution  — canvas size in pixels
+ *
+ * Session 72 — original scroll-driven shader.
+ * Session 123 — inverted for hover trigger (0=sharp, 1=pixelated).
+ */
+export const pixelateFragment = /* glsl */ `
+precision highp float;
+
+uniform sampler2D uTexture;
+uniform vec2 uMouse;
+uniform float uIntensity;
+uniform float uSpeed;
+uniform float uTime;
+uniform float uHover;
+uniform vec2 uResolution;
+
+varying vec2 vUv;
+
+void main() {
+  vec2 uv = vUv;
+
+  // Hover drives pixelation: 0=sharp (not hovering), 1=fully pixelated (hovering)
+  float hover = clamp(uHover, 0.0, 1.0);
+
+  // Pixel grid size — from tiny (1px = sharp) to large (48px blocks)
+  float maxPixelSize = 48.0 * uIntensity;
+  float pixelSize = mix(1.0, maxPixelSize, pow(hover, uSpeed));
+
+  // Quantize UV to pixel grid
+  vec2 gridSize = uResolution / pixelSize;
+  vec2 quantized = floor(uv * gridSize + 0.5) / gridSize;
+
+  // Smooth blend — near sharp end, interpolate for anti-alias
+  vec2 finalUv = mix(uv, quantized, smoothstep(0.0, 0.15, hover));
+
+  gl_FragColor = texture2D(uTexture, finalUv);
+}
+`;