@morphika/andami 0.2.26 → 0.4.0

package/lib/builder/section-visibility.ts

@@ -0,0 +1,36 @@
+/**
+ * Visibility helpers for scroll-driven section effects (e.g. the Cover
+ * Section's navbar colour override).
+ *
+ * Kept as pure functions so they're testable without mounting a renderer.
+ */
+
+/**
+ * Fraction (0–1) of the viewport currently occupied by a section,
+ * computed from its top/bottom positions relative to the viewport and
+ * the viewport height.
+ *
+ *   - 0 when the section is fully above or fully below the viewport
+ *   - 1 when the section fully covers the viewport (top ≤ 0 and
+ *     bottom ≥ vh)
+ *   - fractional for partial overlaps
+ *
+ * Safe against pathological inputs: returns 0 if `viewportHeight <= 0`.
+ */
+export function sectionVisibilityRatio(
+  top: number,
+  bottom: number,
+  viewportHeight: number
+): number {
+  if (viewportHeight <= 0) return 0;
+  const visible = Math.min(bottom, viewportHeight) - Math.max(top, 0);
+  if (visible <= 0) return 0;
+  return Math.min(1, visible / viewportHeight);
+}
+
+/**
+ * Threshold (as a fraction of the viewport) above which a Cover / Parallax
+ * section is considered "on screen" for the purposes of taking over the
+ * navbar colour.
+ */
+export const NAV_COLOR_OVERRIDE_THRESHOLD = 0.3;

package/lib/builder/serializer/normalizers.ts

@@ -13,6 +13,7 @@ import type { EnterAnimationConfig } from "../../../lib/animation/enter-types";
 
 import { ensureKeys, normalizeBlockResponsive, SECTION_TYPE_MAP } from "./shared";
 import { migrateProjectGridV1ToV2, normalizeBlockAnimationFields } from "./migrations";
+import { normalizeRowHeights } from "../store-cover";
 
 // ============================================
 // Section Normalizers
@@ -178,12 +179,20 @@ export function migrateContentItem(item: Record<string, unknown>): ContentItem {
   // CoverSection — normalize with defaults for null fields (Session 176)
   if (item._type === "coverSection") {
     const raw = item as unknown as CoverSection;
-    const coverRows = (raw.cover_rows ?? []).map((r) => ({
+    const rawRows = (raw.cover_rows ?? []).map((r) => ({
       ...r,
       _key: r._key || generateKey(),
       height_percent: r.height_percent ?? 100,
       vertical_align: r.vertical_align ?? "start",
     }));
+    // Defend the sum-to-100 invariant against hand-edited or legacy docs:
+    // the schema sum-check is newer than the oldest docs that may be in
+    // Sanity, so a page saved before Session 178 could have drift.
+    const normalizedPercents = normalizeRowHeights(rawRows.map((r) => r.height_percent));
+    const coverRows = rawRows.map((r, i) => ({
+      ...r,
+      height_percent: normalizedPercents[i] ?? r.height_percent,
+    }));
     return {
       ...raw,
       _key: (raw._key as string) || generateKey(),
@@ -217,7 +226,7 @@ export function migrateContentItem(item: Record<string, unknown>): ContentItem {
 /**
  * Convert a Sanity `page` document into the builder's state shape.
  */
-export function documentToState(doc: Page): Omit<BuilderState, "isDirty" | "isSaving" | "saveError" | "lastSavedAt" | "selectedRowKey" | "selectedColumnKey" | "selectedBlockKey" | "_history" | "_future" | "_isTimeTraveling" | "_originalSlug" | "previewMode" | "canvasZoom" | "canvasPanX" | "canvasPanY" | "canvasTool" | "activeViewport" | "editorMode" | "customSectionSlug" | "customSectionTitle" | "savedPageState"> {
+export function documentToState(doc: Page): Omit<BuilderState, "isDirty" | "isSaving" | "saveError" | "lastSavedAt" | "selectedRowKey" | "selectedColumnKey" | "selectedBlockKey" | "_history" | "_future" | "_originalSlug" | "previewMode" | "canvasZoom" | "canvasPanX" | "canvasPanY" | "canvasTool" | "activeViewport" | "editorMode" | "customSectionSlug" | "customSectionTitle" | "savedPageState"> {
   const docRecord = doc as unknown as Record<string, unknown>;
   const pageSettings = docRecord.page_settings as Record<string, unknown> | undefined;
 
@@ -254,10 +263,10 @@ export function documentToState(doc: Page): Omit<BuilderState, "isDirty" | "isSa
       text_color: (pageSettings?.text_color as string) || DEFAULT_TEXT_COLOR,
       nav_color,
       enter_animation: pageSettings?.enter_animation as PageSettings["enter_animation"],
-      nav_entrance_animation: (pageSettings?.nav_entrance_animation as PageSettings["nav_entrance_animation"]) || undefined,
-      nav_entrance_duration: (pageSettings?.nav_entrance_duration as number) || undefined,
-      nav_entrance_delay: (pageSettings?.nav_entrance_delay as number) || undefined,
-      nav_entrance_disabled: (pageSettings?.nav_entrance_disabled as boolean) || undefined,
+      nav_entrance_animation: (pageSettings?.nav_entrance_animation as PageSettings["nav_entrance_animation"]) ?? undefined,
+      nav_entrance_duration: (pageSettings?.nav_entrance_duration as number) ?? undefined,
+      nav_entrance_delay: (pageSettings?.nav_entrance_delay as number) ?? undefined,
+      nav_entrance_disabled: (pageSettings?.nav_entrance_disabled as boolean) ?? undefined,
     },
     // Grid settings are loaded separately via applyGlobalStyles(), not from the page document.
     // Provide defaults here to satisfy the type; they'll be overwritten on init.

package/lib/builder/serializer/serializers.ts

@@ -349,9 +349,9 @@ export function stateToDocument(
           nav_color: navColor || undefined,
           enter_animation: hasEnterAnimation ? enterAnim : undefined,
           nav_entrance_animation: navEntranceAnimation || undefined,
-          nav_entrance_duration: navEntranceDuration || undefined,
-          nav_entrance_delay: navEntranceDelay || undefined,
-          nav_entrance_disabled: navEntranceDisabled || undefined,
+          nav_entrance_duration: navEntranceDuration ?? undefined,
+          nav_entrance_delay: navEntranceDelay ?? undefined,
+          nav_entrance_disabled: navEntranceDisabled ?? undefined,
         }
       : undefined,
     draft_mode: state.draftMode,

package/lib/builder/store-blocks.ts

@@ -4,6 +4,7 @@ import { isPageSectionV2, isParallaxGroup, isCoverSection } from "../../lib/sani
 import { createDefaultBlock } from "./defaults";
 import { generateKey } from "./utils";
 import { findSectionPath, updateSectionAtPath, moveBlockInState } from "./store-helpers";
+import { pushSnapshot } from "./history";
 
 type StoreSet = (
   partial: Partial<BuilderState> | ((state: BuilderState) => Partial<BuilderState>)
@@ -129,15 +130,21 @@ export function createBlockActions(set: StoreSet, get: StoreGet) {
     },
 
     moveBlock: (blockKey: string, targetSectionKey: string, targetColumnKey: string, toIndex: number): void => {
-      // RC-001 fix: Validate first without side effects, then push snapshot
-      // BEFORE applying mutation. This ensures undo state captures the
-      // pre-mutation rows, even if another mutation races in between.
-      const currentRows = get().rows;
-      const result = moveBlockInState(currentRows, blockKey, targetSectionKey, targetColumnKey, toIndex);
-      if (!result) return;
-
-      get()._pushSnapshot();
-      set({ rows: result.rows, isDirty: true });
+      // Do read+validate+snapshot+set atomically inside a single functional
+      // update so the snapshot can never drift from the rows the move was
+      // computed against. Previously the snapshot was captured via get() AFTER
+      // the read, leaving a window where a concurrent mutation could make the
+      // undo target inconsistent with the move that just landed.
+      set((state) => {
+        const result = moveBlockInState(state.rows, blockKey, targetSectionKey, targetColumnKey, toIndex);
+        if (!result) return state;
+        return {
+          rows: result.rows,
+          isDirty: true,
+          _history: pushSnapshot(state._history, { rows: state.rows, pageSettings: state.pageSettings }),
+          _future: [],
+        };
+      });
     },
 
     reorderBlocks: (sectionKey: string, columnKey: string, fromIndex: number, toIndex: number): void => {

package/lib/builder/store-cover.ts

@@ -27,6 +27,45 @@ type StoreGet = () => BuilderState & { _pushSnapshot: () => void };
 
 const MIN_ROW_PERCENT = 10;
 
+/**
+ * Clamp and normalize an array of cover-row heights so they always respect
+ * the sum-to-100 invariant. Used to defend against bad data returned by
+ * Sanity (hand-edited documents, migrations, older saves).
+ *
+ * - Clamps each value into [MIN_ROW_PERCENT, 95] so the UI resizer can always
+ *   edit every row without hitting an unreachable bound
+ * - Scales the set to sum to exactly 100
+ * - Falls back to equal distribution if the input is empty or all zero
+ *
+ * Pure function — no side effects.
+ */
+export function normalizeRowHeights(percents: readonly number[]): number[] {
+  if (percents.length === 0) return [];
+
+  const clamped = percents.map((p) => {
+    if (!Number.isFinite(p) || p <= 0) return 0;
+    return Math.min(95, Math.max(MIN_ROW_PERCENT, p));
+  });
+
+  const total = clamped.reduce((a, b) => a + b, 0);
+
+  if (total === 0) {
+    // Equal distribution fallback
+    const share = 100 / percents.length;
+    return percents.map(() => share);
+  }
+
+  // Scale to sum exactly 100
+  const scaled = clamped.map((p) => (p / total) * 100);
+
+  // Round to 3 decimals, then adjust the first row so the sum is exactly 100
+  // (guards against floating-point drift like 99.9999…)
+  const rounded = scaled.map((p) => Math.round(p * 1000) / 1000);
+  const drift = 100 - rounded.reduce((a, b) => a + b, 0);
+  if (rounded.length > 0) rounded[0] = Math.round((rounded[0] + drift) * 1000) / 1000;
+  return rounded;
+}
+
 function updateCoverInRows(
   rows: ContentItem[],
   sectionKey: string,
@@ -66,14 +105,35 @@ export function createCoverActions(set: StoreSet, get: StoreGet) {
       set((state) => ({
         rows: updateCoverInRows(state.rows, sectionKey, (section) => {
           if (section.cover_rows.length >= 5) return section;
-          const totalRows = section.cover_rows.length + 1;
-          const equalPercent = Math.floor(100 / totalRows);
-          const remainder = 100 - equalPercent * totalRows;
-          const newRows = section.cover_rows.map((r, i) => ({
+
+          // Preserve existing proportions. The new row gets a share equal to
+          // the average of the current rows, and the existing rows are
+          // scaled down so the total still sums to exactly 100.
+          //
+          // Example:
+          //   before: [40, 60] (2 rows)
+          //   new row share = 100 / (2 + 1) = 33.33
+          //   scale = (100 - 33.33) / 100 = 0.6667
+          //   after:  [40*0.6667, 60*0.6667, 33.33] = [26.67, 40.00, 33.33]
+          //
+          // This keeps the user's resize work intact instead of resetting
+          // every row to an equal share.
+          const existing = section.cover_rows;
+          const newShare = 100 / (existing.length + 1);
+          const scale = (100 - newShare) / 100;
+          const scaledRows = existing.map((r) => ({
+            ...r,
+            height_percent: r.height_percent * scale,
+          }));
+          scaledRows.push(createDefaultCoverRow(newShare));
+
+          // Normalize to absorb rounding drift and clamp to [MIN_ROW_PERCENT, 95]
+          const normalized = normalizeRowHeights(scaledRows.map((r) => r.height_percent));
+          const newRows = scaledRows.map((r, i) => ({
             ...r,
-            height_percent: equalPercent + (i === 0 ? remainder : 0),
+            height_percent: normalized[i] ?? r.height_percent,
           }));
-          newRows.push(createDefaultCoverRow(equalPercent));
+
           return { ...section, cover_rows: newRows };
         }),
         isDirty: true,
@@ -101,6 +161,13 @@ export function createCoverActions(set: StoreSet, get: StoreGet) {
             return r;
           });
 
+          // Normalize to absorb any floating-point drift and keep the invariant
+          const normalized = normalizeRowHeights(redistributed.map((r) => r.height_percent));
+          const finalRows = redistributed.map((r, i) => ({
+            ...r,
+            height_percent: normalized[i] ?? r.height_percent,
+          }));
+
           const filteredColumns = section.columns.filter(
             (c) => c.grid_row !== rowIndex + 1
           );
@@ -111,7 +178,7 @@ export function createCoverActions(set: StoreSet, get: StoreGet) {
 
           return {
             ...section,
-            cover_rows: redistributed,
+            cover_rows: finalRows,
             columns: reindexedColumns,
           };
         }),
@@ -177,7 +244,8 @@ export function createCoverActions(set: StoreSet, get: StoreGet) {
       fields: Partial<Pick<CoverSection,
         "background_type" | "background_color" | "background_image" | "background_video" |
         "background_position" | "background_size" |
-        "background_overlay_color" | "background_overlay_opacity"
+        "background_overlay_color" | "background_overlay_opacity" |
+        "nav_color"
       >>
     ): void => {
       get()._pushSnapshot();

package/lib/builder/store-sections.ts

@@ -57,7 +57,7 @@ export function createSectionActions(set: StoreSet, get: StoreGet) {
      * Existing V1 pages still work — V1 update/delete actions are kept until
      * the data migration in Session 165.
      */
-    addSection: (blockType: "projectGridBlock", afterRowKey?: string | null): void => {
+    addSection: (blockType: "projectGridBlock" | "projectCarouselBlock", afterRowKey?: string | null): void => {
       get()._pushSnapshot();
       const block = createDefaultBlock(blockType);
       const gridColumns = 12;

package/lib/builder/store.ts

@@ -136,7 +136,6 @@ const initialState: BuilderState = {
   // History
   _history: [],
   _future: [],
-  _isTimeTraveling: false,
 
   // Color picker live preview (Phase 4)
   colorPickerPreview: null,
@@ -273,7 +272,6 @@ export const useBuilderStore = create<BuilderStore>((set, get) => ({
       // Reset history on document load
       _history: [],
       _future: [],
-      _isTimeTraveling: false,
     });
   },
 

package/lib/builder/types.ts

@@ -62,6 +62,7 @@ export const ALL_BLOCK_INFO: BlockTypeInfo[] = [
   ...BLOCK_TYPE_REGISTRY,
   // Section blocks — not in the content picker but still need label/icon lookup
   { type: "projectGridBlock", label: "Project Grid", description: "Staggered project showcase grid", group: "generic", icon: "⬡", category: "section" },
+  { type: "projectCarouselBlock", label: "Project Carousel", description: "Horizontal carousel of projects — great for end-of-page 'keep browsing'", group: "generic", icon: "▸", category: "section" },
 ];
 
 // Parallax group info — used by BuilderCanvas/SortableRow for label/icon lookup (not a block)
@@ -72,10 +73,13 @@ export const PARALLAX_GROUP_INFO = { label: "Parallax Showcase", icon: "▽" };
 // ============================================
 
 /** Section block types that create a full-width row with a pre-populated block */
-export type SectionBlockType = "projectGridBlock";
+export type SectionBlockType = "projectGridBlock" | "projectCarouselBlock";
 
 /** Set for fast lookup — used by SortableBlock, ColumnDropZone, SortableRow to suppress inner chrome */
-const SECTION_BLOCK_TYPES: ReadonlySet<string> = new Set<string>(["projectGridBlock"]);
+const SECTION_BLOCK_TYPES: ReadonlySet<string> = new Set<string>([
+  "projectGridBlock",
+  "projectCarouselBlock",
+]);
 
 /** Check if a block type is a section-level block (should render without block/column chrome) */
 export function isSectionBlockType(type: string): boolean {
@@ -107,6 +111,7 @@ export const SECTION_TYPE_REGISTRY: SectionTypeInfo[] = [
   { type: "empty-v2", label: "Empty Section", description: "Grid section with flexible columns", icon: "⊞" },
   { type: "coverSection", label: "Cover Section", description: "Full-viewport section with background and proportional rows", icon: "◆" },
   { type: "projectGridBlock", label: "Project Grid", description: "Staggered project showcase grid", icon: "⬡", blockType: "projectGridBlock" },
+  { type: "projectCarouselBlock", label: "Project Carousel", description: "Horizontal 'keep browsing' carousel of projects", icon: "▸", blockType: "projectCarouselBlock" },
   { type: "parallaxGroup", label: "Parallax Section", description: "Full-screen parallax showcase with V2 slides", icon: "▽" },
 ];
 
@@ -235,7 +240,6 @@ export interface BuilderState {
   // History (Undo/Redo) — BUG-010 fix: snapshots include pageSettings
   _history: import("./history").HistorySnapshot[];
   _future: import("./history").HistorySnapshot[];
-  _isTimeTraveling: boolean;
 
   /** Cache of fetched custom section base settings, keyed by custom_section_id.
    *  Populated by CustomSectionInstanceCard/ReadOnlyCustomSection on fetch.
@@ -267,7 +271,7 @@ export interface BuilderActions {
 
   // Section operations
   /** Add a Project Grid section as a V2 section with a full-width column (Session 164) */
-  addSection: (blockType: "projectGridBlock", afterRowKey?: string | null) => void;
+  addSection: (blockType: "projectGridBlock" | "projectCarouselBlock", afterRowKey?: string | null) => void;
   reorderRows: (fromIndex: number, toIndex: number) => void;
   /** Delete a section by key */
   deleteSection: (sectionKey: string) => void;
@@ -383,7 +387,7 @@ export interface BuilderActions {
   removeCoverRow: (sectionKey: string, rowKey: string) => void;
   resizeCoverRow: (sectionKey: string, handleIndex: number, deltaPercent: number, startAbove: number, startBelow: number) => void;
   updateCoverRowAlign: (sectionKey: string, rowKey: string, align: CoverRow["vertical_align"]) => void;
-  updateCoverBackground: (sectionKey: string, fields: Partial<Pick<CoverSection, "background_type" | "background_color" | "background_image" | "background_video" | "background_position" | "background_size" | "background_overlay_color" | "background_overlay_opacity">>) => void;
+  updateCoverBackground: (sectionKey: string, fields: Partial<Pick<CoverSection, "background_type" | "background_color" | "background_image" | "background_video" | "background_position" | "background_size" | "background_overlay_color" | "background_overlay_opacity" | "nav_color">>) => void;
   updateCoverSettings: (sectionKey: string, settings: Partial<CoverSectionSettings>) => void;
   updateCoverHeight: (sectionKey: string, height: CoverSection["height"]) => void;
 

package/lib/csrf.ts

@@ -57,6 +57,27 @@ export function validateCsrf(request: NextRequest): boolean {
   return cookieToken === headerToken;
 }
 
+/**
+ * Defense-in-depth companion to validateCsrf for JSON endpoints.
+ *
+ * Our CSRF check pairs a SameSite=strict cookie with a custom X-CSRF-Token
+ * header, which is already strong. But some legacy attack vectors (CSRF via
+ * <form enctype="text/plain"> / multipart POST) are most easily shut down by
+ * also requiring `Content-Type: application/json` on every mutation. A
+ * browser form submission cannot set that Content-Type without CORS preflight
+ * — which our endpoints do not whitelist — so enforcing it closes off those
+ * vectors entirely.
+ *
+ * Returns true if the request body is (or is plausibly) JSON.
+ */
+export function hasJsonContentType(request: NextRequest): boolean {
+  const raw = request.headers.get("content-type");
+  if (!raw) return false;
+  // Allow parameters (charset, boundary, etc.) — match the media type only.
+  const mediaType = raw.split(";")[0].trim().toLowerCase();
+  return mediaType === "application/json";
+}
+
 /**
  * Return a 403 response for CSRF validation failure.
  */
@@ -66,3 +87,13 @@ export function csrfErrorResponse(): NextResponse {
     { status: 403 }
   );
 }
+
+/**
+ * Standard 415 response for wrong-content-type rejections.
+ */
+export function contentTypeErrorResponse(): NextResponse {
+  return NextResponse.json(
+    { error: "Content-Type must be application/json" },
+    { status: 415 }
+  );
+}

package/lib/sanity/types.ts

@@ -240,6 +240,54 @@ export interface CardEntranceConfig {
   duration?: number;                              // ms, default 500
 }
 
+/**
+ * Project Carousel Block — horizontal "keep browsing" carousel of projects.
+ *
+ * Section-level block (lives in a full-width column). Unlike `projectGridBlock`
+ * there is no manual selection list — projects are pulled automatically (latest
+ * or random), optionally excluding the project currently being viewed when the
+ * page matches `/work/[slug]`.
+ *
+ * Intentionally independent from `ProjectGridBlock` — they share visual
+ * primitives and the same `/api/projects` endpoint but no coupled code.
+ */
+export interface ProjectCarouselBlock {
+  _type: "projectCarouselBlock";
+  _key: string;
+
+  // ─── Source ───
+  source_mode?: "auto_latest" | "auto_random";
+  max_projects?: number;         // 2–20, default 8
+  exclude_current?: boolean;     // default true
+
+  // ─── Layout ───
+  cards_per_view_desktop?: number; // default 3.5 (fractional → peek next card)
+  cards_per_view_tablet?: number;  // default 2.2
+  cards_per_view_phone?: number;   // default 1.2
+  gap?: number;                     // px, default 16
+
+  // ─── Card display ───
+  aspect_ratio?: "16/9" | "4/3" | "1/1" | "3/4" | "9/16";
+  show_title?: boolean;             // default true
+  show_subtitle?: boolean;          // default false
+  border_radius?: number;           // px, default 0
+  hover_effect?: "scale" | "none";  // default "scale"
+  video_mode?: "off" | "hover" | "autoloop"; // default "off"
+
+  // ─── Controls ───
+  show_arrows?: boolean;            // default true
+  show_dots?: boolean;              // default false
+  snap_scroll?: boolean;            // default true
+
+  // ─── Card entrance animation ───
+  card_entrance?: CardEntranceConfig;
+
+  // ─── Standard block fields ───
+  enter_animation?: import("../../lib/animation/enter-types").EnterAnimationConfig;
+  layout?: BlockLayout;
+  responsive?: ResponsiveOverrides<ProjectCarouselBlock>;
+}
+
 export interface ProjectGridBlock {
   _type: "projectGridBlock";
   _key: string;
@@ -443,7 +491,7 @@ export interface CustomSectionInstance {
 // Uses the same SectionColumn/block system as V2 but with explicit
 // row heights (percentages) instead of content-driven auto rows.
 
-export type CoverSectionHeight = "100vh" | "80vh" | "50vh";
+export type CoverSectionHeight = "100vh" | "80vh" | "50vh" | "20vh";
 
 /** A single proportional row within a Cover Section */
 export interface CoverRow {
@@ -500,6 +548,9 @@ export interface CoverSection {
   background_overlay_color?: string;
   background_overlay_opacity?: number;   // 0–100
 
+  // Nav color override — hex applied to the navbar while this cover is on screen
+  nav_color?: string;
+
   // Height
   height: CoverSectionHeight;
 
@@ -567,7 +618,8 @@ export type ContentBlock =
   | VideoBlock
   | SpacerBlock
   | ButtonBlock
-  | ProjectGridBlock;
+  | ProjectGridBlock
+  | ProjectCarouselBlock;
 
 // ============================================
 // Structural types

package/lib/security.ts

@@ -228,6 +228,56 @@ export function isValidAssetPath(path: string): boolean {
   return true;
 }
 
+/** Top-level prefixes that may not be written to via the presigned upload API.
+ *  `_thumbs/` is the one allowed underscore-prefixed folder (auto-thumbnail pipeline). */
+const DISALLOWED_UPLOAD_PREFIXES = ["backup/", "backups/", "__system/", "system/"];
+const MAX_UPLOAD_KEY_DEPTH = 10;
+const MAX_UPLOAD_KEY_LENGTH = 1024;
+
+/**
+ * Validate that a presigned-upload R2 key is safe to sign.
+ *
+ * Builds on `isValidAssetPath` but adds defense-in-depth for keys that
+ * make it into a signed URL:
+ *   - Max length 1024 bytes (R2 cap is higher, but we keep UI-friendly keys)
+ *   - Max depth 10 folder levels (prevent pathological nesting)
+ *   - Reject hidden keys (starting with `.`) except the `.folder` placeholder
+ *   - Reject leading `_` except the `_thumbs/` sub-tree
+ *   - Reject reserved prefixes (backup/, system/, etc.)
+ *
+ * Accepts the full R2 key (e.g. `projects/hero.jpg`, `_thumbs/projects/hero.jpg`).
+ */
+export function isValidUploadKey(key: string): boolean {
+  if (!isValidAssetPath(key)) return false;
+  if (key.length > MAX_UPLOAD_KEY_LENGTH) return false;
+
+  const segments = key.split("/");
+  if (segments.length > MAX_UPLOAD_KEY_DEPTH) return false;
+
+  for (const segment of segments) {
+    if (!segment) return false; // empty segment = consecutive slashes
+    if (segment === "." || segment === "..") return false;
+  }
+
+  const firstSegment = segments[0];
+  const filename = segments[segments.length - 1];
+
+  // Hidden filename check — reject `.hidden` anywhere except the final-segment
+  // placeholder `.folder` used to create empty folders on R2.
+  if (filename.startsWith(".") && filename !== ".folder") return false;
+
+  // Leading-underscore prefixes are reserved for system folders — only _thumbs allowed
+  if (firstSegment.startsWith("_") && firstSegment !== "_thumbs") return false;
+
+  // Explicit denylist
+  const normalizedLead = `${firstSegment}/`.toLowerCase();
+  for (const banned of DISALLOWED_UPLOAD_PREFIXES) {
+    if (normalizedLead === banned.toLowerCase()) return false;
+  }
+
+  return true;
+}
+
 // ─── Font Magic Byte Validation ───────────────────────────────────────────
 
 interface FontMagicBytes {

package/lib/version.ts

@@ -6,4 +6,4 @@
  * Exposed as a plain constant so it can be imported without reading
  * package.json at runtime.
  */
-export const ANDAMI_VERSION = "0.2.26";
+export const ANDAMI_VERSION = "0.4.0";

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@morphika/andami",
-  "version": "0.2.26",
+  "version": "0.4.0",
   "description": "Visual Page Builder — core library. A reusable website builder with visual editing, CMS integration, and asset management.",
   "type": "module",
   "license": "MIT",

package/sanity/schemas/blocks/index.ts

@@ -1,4 +1,4 @@
-// Block schemas (7)
+// Block schemas (8)
 export { textBlock } from "./textBlock";
 export { imageBlock } from "./imageBlock";
 export { imageGridBlock } from "./imageGridBlock";
@@ -6,3 +6,4 @@ export { videoBlock } from "./videoBlock";
 export { spacerBlock } from "./spacerBlock";
 export { buttonBlock } from "./buttonBlock";
 export { projectGridBlock } from "./projectGridBlock";
+export { projectCarouselBlock } from "./projectCarouselBlock";