@morphika/andami 0.2.9 → 0.2.10

package/lib/backup/sanity-ops.ts

@@ -0,0 +1,194 @@
+/**
+ * Sanity bulk operations for backup restore.
+ *
+ * Provides wipe (delete all) and restore (createOrReplace) for the
+ * 5 Andami document types. Uses the writeClient for mutations and
+ * adminClient for reads. Operations are batched to stay within
+ * Sanity's transaction limits (~200 mutations per transaction).
+ */
+
+import { writeClient } from "../sanity/writeClient";
+import { adminClient } from "../sanity/client";
+import { logger } from "../logger";
+
+// ============================================
+// Constants
+// ============================================
+
+/** All Sanity document types managed by Andami */
+export const ANDAMI_DOC_TYPES = [
+  "page",
+  "siteSettings",
+  "siteStyles",
+  "assetRegistry",
+  "customSection",
+] as const;
+
+export type AndamiDocType = (typeof ANDAMI_DOC_TYPES)[number];
+
+/** Max mutations per Sanity transaction (conservative limit) */
+const BATCH_SIZE = 200;
+
+// ============================================
+// Wipe operations
+// ============================================
+
+/**
+ * Delete ALL Andami documents from Sanity.
+ * Fetches document IDs per type, then batch-deletes them.
+ *
+ * Returns a summary of how many documents were deleted per type.
+ */
+export async function wipeAllDocuments(): Promise<Record<string, number>> {
+  const summary: Record<string, number> = {};
+
+  for (const docType of ANDAMI_DOC_TYPES) {
+    try {
+      // Fetch all _id values for this type
+      const ids: string[] = await adminClient.fetch(
+        `*[_type == $type]._id`,
+        { type: docType }
+      );
+
+      if (!ids || ids.length === 0) {
+        summary[docType] = 0;
+        continue;
+      }
+
+      // Delete in batches
+      let deleted = 0;
+      for (let i = 0; i < ids.length; i += BATCH_SIZE) {
+        const batch = ids.slice(i, i + BATCH_SIZE);
+        const tx = writeClient.transaction();
+
+        for (const id of batch) {
+          // Delete both the published and draft versions
+          tx.delete(id);
+          tx.delete(`drafts.${id}`);
+        }
+
+        await tx.commit({ visibility: "async" });
+        deleted += batch.length;
+      }
+
+      summary[docType] = deleted;
+      logger.info(
+        "[Backup:Restore]",
+        `Wiped ${deleted} ${docType} document(s)`
+      );
+    } catch (err) {
+      logger.error(
+        "[Backup:Restore]",
+        `Failed to wipe ${docType} documents`,
+        err
+      );
+      throw new Error(
+        `Wipe failed for ${docType}: ${err instanceof Error ? err.message : "Unknown error"}`
+      );
+    }
+  }
+
+  return summary;
+}
+
+// ============================================
+// Restore operations
+// ============================================
+
+/**
+ * Restore documents of a given type into Sanity.
+ * Uses createOrReplace to preserve original _id values.
+ *
+ * - Array types (page, customSection): expects an array of docs
+ * - Singleton types (siteSettings, siteStyles, assetRegistry): expects a single doc
+ *
+ * Returns the number of documents restored.
+ */
+export async function restoreDocuments(
+  docType: AndamiDocType,
+  docs: unknown
+): Promise<number> {
+  // Normalize to array
+  const docArray = Array.isArray(docs) ? docs : docs ? [docs] : [];
+  if (docArray.length === 0) return 0;
+
+  let restored = 0;
+  const failed: string[] = [];
+
+  for (let i = 0; i < docArray.length; i += BATCH_SIZE) {
+    const batch = docArray.slice(i, i + BATCH_SIZE);
+    const tx = writeClient.transaction();
+
+    for (const doc of batch) {
+      if (!doc || typeof doc !== "object") continue;
+
+      const d = doc as Record<string, unknown>;
+
+      // Safety net: verify the document's _type matches the expected type
+      // for this batch. If it doesn't, skip the document rather than
+      // silently overwriting _type (which would make Sanity store it under
+      // the wrong type and later surface as a broken document). This guards
+      // against future bugs where a wrong key/type mapping is passed in.
+      if (d._type && d._type !== docType) {
+        logger.warn(
+          "[Backup:Restore]",
+          `Skipping document ${String(d._id)} — type mismatch (${String(d._type)} ≠ ${docType})`
+        );
+        continue;
+      }
+      d._type = docType;
+
+      // Remove _rev — Sanity generates this on write.
+      // Keeping it would cause "document already exists with different revision" errors.
+      delete d._rev;
+
+      // L-11: drop `_updatedAt` so Sanity stamps a fresh value on write.
+      // `_updatedAt` is an audit field that semantically should reflect the
+      // time of the *restore*, not the time of the original save. Leaving
+      // it on the payload would back-date the document and confuse any
+      // "recently edited" UI in the Studio.
+      //
+      // `_createdAt` however is intentionally preserved: it's a provenance
+      // field that should survive a backup round-trip (otherwise every
+      // restore looks like the entire dataset was created today). Sanity
+      // accepts `_createdAt` on createOrReplace and honours it, unlike
+      // `_updatedAt` which it always regenerates.
+      delete d._updatedAt;
+
+      // NOTE: the export stores raw references as { _ref, _type: "reference" }.
+      // No post-processing needed here — Sanity accepts them directly.
+
+      tx.createOrReplace(d as { _id: string; _type: string });
+    }
+
+    try {
+      await tx.commit({ visibility: "async" });
+      restored += batch.length;
+    } catch (err) {
+      // Log which batch failed but continue with remaining batches
+      const batchIds = batch
+        .map((d: Record<string, unknown>) => d._id || "?")
+        .join(", ");
+      logger.error(
+        "[Backup:Restore]",
+        `Batch restore failed for ${docType} [${batchIds}]`,
+        err
+      );
+      failed.push(...batch.map((d: Record<string, unknown>) => String(d._id || "?")));
+    }
+  }
+
+  if (failed.length > 0) {
+    logger.warn(
+      "[Backup:Restore]",
+      `${failed.length} ${docType} document(s) failed to restore: ${failed.join(", ")}`
+    );
+  }
+
+  logger.info(
+    "[Backup:Restore]",
+    `Restored ${restored}/${docArray.length} ${docType} document(s)`
+  );
+
+  return restored;
+}

package/lib/builder/serializer/normalizers.ts

@@ -213,6 +213,7 @@ export function documentToState(doc: Page): Omit<BuilderState, "isDirty" | "isSa
     draftMode: doc.draft_mode ?? true,
     rows,
     _customSectionCache: {},
+    _customSectionRefetchTick: 0,
     // BUG-014 fix: flag whether colors came from the document
     _hasDocumentPageSettings: hasDocumentPageSettings,
     pageSettings: {

package/lib/builder/store-canvas.ts

@@ -93,6 +93,10 @@ export function createCanvasActions(set: StoreSet, get: StoreGet) {
         selectedProjectCardKey: null,
         // m1 fix: only mark page dirty if the section was actually saved (Session 110)
         isDirty: wasSaved ? true : state.isDirty,
+        // Bump refetch tick so CustomSectionInstanceCard re-fetches fresh data
+        _customSectionRefetchTick: wasSaved
+          ? state._customSectionRefetchTick + 1
+          : state._customSectionRefetchTick,
         // Reset history back to page context
         _history: [],
         _future: [],

package/lib/builder/store.ts

@@ -88,6 +88,7 @@ const initialState: BuilderState = {
 
   rows: [],
   _customSectionCache: {},
+  _customSectionRefetchTick: 0,
 
   selectedRowKey: null,
   selectedColumnKey: null,

package/lib/builder/types.ts

@@ -239,6 +239,10 @@ export interface BuilderState {
    *  Used by SortableRow to merge base settings with per-instance overrides. */
   _customSectionCache: Record<string, import("../../lib/sanity/types").SectionV2Settings>;
 
+  /** Counter incremented after a custom section is saved via the section editor.
+   *  Used as a useEffect dependency in CustomSectionInstanceCard to trigger refetch. */
+  _customSectionRefetchTick: number;
+
   /** Live preview overlay from color picker — shown on canvas without persisting to Sanity.
    *  Set while user is dragging in the color picker; cleared on close. */
   colorPickerPreview: {

package/lib/security.ts

@@ -359,6 +359,32 @@ export async function decryptToken(stored: string): Promise<string> {
 }
 
 // ─── Rate Limiting (#32) ──────────────────────────────────────────────────
+//
+// IMPORTANT — this is a best-effort, PER-INSTANCE in-memory limiter. It is
+// intentionally simple and runs entirely inside the Node.js process that
+// handles the request. That design has known blind spots in a serverless
+// environment like Vercel:
+//
+//   - Every cold start wipes `rateLimitBuckets`, so a caller that hits a
+//     newly-warm instance resets their counter even if they exceeded the
+//     limit on a sibling instance moments earlier.
+//   - Vercel routes requests across many concurrent invocations. Two
+//     requests from the same IP can hit two different instances and both
+//     see an empty bucket.
+//   - Horizontal scale makes the effective limit ~ maxRequests * N per
+//     window, where N is the live instance count.
+//
+// For the backups flow specifically (L-1 in docs/audits/BACKUPS-V2-AUDIT.md),
+// the "1 restore per 5 minutes" guarantee is therefore soft. It still
+// prevents accidental double-submits from the admin UI (same browser, same
+// instance within the keep-alive window) but it is NOT a hard rate limit
+// and MUST NOT be relied on for adversarial scenarios. Auth + CSRF are the
+// real access gates.
+//
+// A stronger implementation would back this with Redis / Upstash / Vercel KV
+// so all invocations share the same counters. That is tracked as a
+// follow-up ("pending infra decision") in the audit doc — not implemented
+// here because it requires an infra choice by the host instance.
 
 interface RateLimitBucket {
   count: number;
@@ -383,6 +409,10 @@ function cleanupRateLimitBuckets(windowMs: number) {
  * #32: Simple in-memory rate limiter for mutation endpoints.
  * Returns true if the request should be allowed, false if rate limited.
  *
+ * Best-effort semantics only (see block comment above). Do not treat this
+ * as a hard security boundary — use it to protect against honest double-
+ * submits and accidental loops, not against a determined attacker.
+ *
  * @param key - Unique key for the rate limit bucket (e.g. "r2-delete:IP")
  * @param maxRequests - Max requests per window
  * @param windowMs - Window size in milliseconds

package/lib/security.ts.new

@@ -0,0 +1,27 @@
+/**
+ * Shared security utilities for input validation and sanitization.
+ * Used across API routes and components.
+ */
+
+// ─── Request Body Size Limits ─────────────────────────────────────────────
+
+/** Default max body size for JSON API routes: 1MB */
+export const MAX_JSON_BODY_SIZE = 1 * 1024 * 1024;
+
+/** Max body size for page builder saves (larger due to block content): 5MB */
+export const MAX_PAGE_BODY_SIZE = 5 * 1024 * 1024;
+
+/**
+ * Check if a request's Content-Length exceeds the specified limit.
+ * Returns true if the body is too large.
+ * #11: Also rejects requests without Content-Length header (chunked encoding bypass).
+ */
+export function isBodyTooLarge(request: Request, maxBytes: number): boolean {
+  const contentLength = request.headers.get("content-length");
+  if (!contentLength) {
+    return true;
+  }
+  const size = parseInt(contentLength, 10);
+  if (isNaN(size) || size > maxBytes) return true;
+  return false;
+}

package/lib/storage/types.ts

@@ -91,24 +91,46 @@ export interface StorageAdapter {
 // ============================================
 
 const MIME_TYPES: Record<string, string> = {
+  // Raster / vector images
   jpg: "image/jpeg",
   jpeg: "image/jpeg",
   png: "image/png",
   webp: "image/webp",
+  avif: "image/avif",
   gif: "image/gif",
   svg: "image/svg+xml",
+  // Video
   mp4: "video/mp4",
   webm: "video/webm",
   mov: "video/quicktime",
+  // Documents
   pdf: "application/pdf",
+  // Fonts — served from R2 when instances use custom typography via
+  // the /api/admin/styles/fonts uploader. Correct MIME matters for
+  // browser caching, CORS font fetches, and presigned-URL signatures.
+  woff: "font/woff",
+  woff2: "font/woff2",
+  ttf: "font/ttf",
+  otf: "font/otf",
 };
 
-/** Supported media file extensions (for filtering during scans) */
+/** Supported media file extensions (for filtering during asset-browser scans) */
 export const MEDIA_EXTENSIONS = new Set([
   "jpg", "jpeg", "png", "webp", "gif", "svg",
   "mp4", "webm", "mov",
 ]);
 
+/**
+ * Extensions allowed in backup restore uploads.
+ * Superset of MEDIA_EXTENSIONS — includes fonts and documents so a full
+ * site backup can round-trip without losing typography or PDF assets.
+ */
+export const BACKUP_ASSET_EXTENSIONS = new Set<string>([
+  ...MEDIA_EXTENSIONS,
+  "pdf",
+  "woff", "woff2", "ttf", "otf",
+]);
+
 /** Get MIME type from a filename or extension */
 export function getMimeType(filenameOrExt: string): string {
   const ext = filenameOrExt.includes(".")
@@ -123,3 +145,13 @@ export function isMediaFile(key: string | undefined): boolean {
   const ext = key.split(".").pop()?.toLowerCase() || "";
   return MEDIA_EXTENSIONS.has(ext);
 }
+
+/**
+ * Check if a filename/key is allowed as a backup asset
+ * (media files + fonts + PDFs).
+ */
+export function isBackupAssetFile(key: string | undefined): boolean {
+  if (!key) return false;
+  const ext = key.split(".").pop()?.toLowerCase() || "";
+  return BACKUP_ASSET_EXTENSIONS.has(ext);
+}

package/lib/version.ts

@@ -1,6 +1,9 @@
 /**
- * Framework version — auto-read from package.json at build time.
- * Kept as a simple constant so it can be imported without reading
- * the full package.json at runtime.
+ * Framework version — kept in sync with package.json at publish time by
+ * `scripts/prepack.mjs`. Do not edit manually; any change here will be
+ * overwritten on the next `npm publish`.
+ *
+ * Exposed as a plain constant so it can be imported without reading
+ * package.json at runtime.
  */
-export const ANDAMI_VERSION = "0.1.5";
+export const ANDAMI_VERSION = "0.2.10";

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@morphika/andami",
-  "version": "0.2.9",
+  "version": "0.2.10",
   "description": "Visual Page Builder — core library. A reusable website builder with visual editing, CMS integration, and asset management.",
   "type": "module",
   "license": "MIT",
@@ -83,6 +83,9 @@
     "./lib/editor/*": "./lib/editor/*.ts",
     "./lib/animation/*": "./lib/animation/*.ts",
     "./lib/shader/glsl": "./lib/shader/glsl/index.ts",
+    "./lib/backup/manifest": "./lib/backup/manifest.ts",
+    "./lib/backup/export": "./lib/backup/export.ts",
+    "./lib/backup/r2-helpers": "./lib/backup/r2-helpers.ts",
     "./lib/storage": "./lib/storage/index.ts",
     "./lib/storage/*": "./lib/storage/*.ts",
     "./lib/contexts/*": "./lib/contexts/*.tsx",
@@ -135,6 +138,7 @@
     "./admin/assets": "./admin/assets.ts",
     "./admin/database": "./admin/database.ts",
     "./admin/settings": "./admin/settings.ts",
+    "./admin/backups": "./admin/backups.ts",
     "./admin/setup": "./admin/setup.ts",
     "./components/admin/setup-wizard": "./components/admin/setup-wizard/index.ts",
     "./components/admin/setup-wizard/*": "./components/admin/setup-wizard/*.tsx",
@@ -173,6 +177,13 @@
     "./api/projects": "./app/api/projects/route.ts",
     "./api/assets": "./app/api/assets/[...path]/route.ts",
     "./api/custom-sections": "./app/api/custom-sections/[id]/route.ts",
+    "./api/admin/backups/export": "./app/api/admin/backups/export/route.ts",
+    "./api/admin/backups/status": "./app/api/admin/backups/status/route.ts",
+    "./api/admin/backups/restore": "./app/api/admin/backups/restore/route.ts",
+    "./api/admin/backups/prepare-export": "./app/api/admin/backups/prepare-export/route.ts",
+    "./api/admin/backups/restore-data": "./app/api/admin/backups/restore-data/route.ts",
+    "./lib/backup/restore": "./lib/backup/restore.ts",
+    "./lib/backup/sanity-ops": "./lib/backup/sanity-ops.ts",
     "./api/draft-mode/enable": "./app/api/draft-mode/enable/route.ts",
     "./api/draft-mode/disable": "./app/api/draft-mode/disable/route.ts"
   },
@@ -182,6 +193,7 @@
     "react-dom": ">=19.0.0"
   },
   "dependencies": {
+    "archiver": "^7.0.1",
     "@aws-sdk/client-s3": "^3.1021.0",
     "@aws-sdk/s3-request-presigner": "^3.1021.0",
     "@dnd-kit/core": "^6.3.1",
@@ -196,12 +208,16 @@
     "@tiptap/pm": "^2.12.0",
     "@tiptap/react": "^2.12.0",
     "@tiptap/starter-kit": "^2.12.0",
+    "jszip": "^3.10.1",
     "next-sanity": "^12.1.5",
     "ogl": "^1.0.8",
     "sanity": "^5.17.1",
+    "unzipper": "^0.12.3",
     "zustand": "^5.0.12"
   },
   "devDependencies": {
+    "@types/archiver": "^6.0.3",
+    "@types/unzipper": "^0.10.10",
     "@tailwindcss/postcss": "^4",
     "@testing-library/dom": "^10.4.1",
     "@testing-library/jest-dom": "^6.6.3",