@nuasite/notes 0.22.2 → 0.22.3

package/src/overlay/index.tsx

@@ -20,6 +20,7 @@ import OVERLAY_STYLES from './styles.css?inline'
 
 interface NuaNotesConfig {
 	urlFlag?: string
+	agencyFlag?: string
 }
 
 declare global {
@@ -34,6 +35,7 @@ function init(): void {
 
 	const config = window.__NuaNotesConfig ?? {}
 	const urlFlag = config.urlFlag ?? 'nua-notes'
+	const agencyFlag = config.agencyFlag ?? 'nua-agency'
 
 	if (!isReviewMode(urlFlag)) return
 	window.__nuasiteNotesMounted = true
@@ -59,7 +61,7 @@ function init(): void {
 	root.id = 'nua-notes-root'
 	shadow.appendChild(root)
 
-	render(<App urlFlag={urlFlag} />, root)
+	render(<App urlFlag={urlFlag} agencyFlag={agencyFlag} />, root)
 }
 
 if (typeof window !== 'undefined') {

package/src/overlay/lib/cms-bridge.ts

@@ -1,33 +1,83 @@
 /**
- * Mode-exclusivity bridge with `@nuasite/cms`.
+ * Host-page bridge: hide CMS chrome and reserve space for the notes UI.
  *
- * When notes review mode is active we hide the CMS editor chrome via a
- * single injected `<style>` tag in the host document. CMS uses a shadow DOM
- * mounted on `#cms-app-host`, so hiding that element + suppressing pointer
- * events on the data-cms-id markers is enough to make the two UIs not
- * collide. There's no postMessage handshake yet — Phase 5 may add one.
+ * Two responsibilities, both implemented as a single injected `<style>` tag
+ * in the host document so the page can be returned to its original layout
+ * by simply removing the tag.
  *
- * `enable()` is idempotent. `disable()` removes the style if it was added.
+ *   1. Hide CMS chrome (`#cms-app-host`, `[data-nuasite-cms]`) so we have
+ *      mode exclusivity with `@nuasite/cms`.
+ *   2. Reserve space for the notes toolbar (40px top) and sidebar (340px
+ *      right) by padding the body. Without this the fixed-position notes UI
+ *      sits on top of page content and the rightmost 340px of every page is
+ *      unreachable. The padding is toggled by a `data-nua-notes-collapsed`
+ *      attribute on `<html>` — when collapsed, only the toolbar gap stays.
+ *
+ * Note on `box-sizing: border-box` on `body`: most sites already inherit it
+ * via a global reset, but we set it explicitly so the math works regardless.
+ * The padding cuts into the body's box rather than expanding the page width
+ * past 100vw, which would create a horizontal scrollbar.
  */
 
 const STYLE_ID = 'nua-notes-cms-bridge'
+const COLLAPSE_ATTR = 'data-nua-notes-collapsed'
 
-const HIDE_CMS_CSS = `
+const STYLES = `
 	#cms-app-host { display: none !important; }
 	[data-nuasite-cms] { display: none !important; }
-	/* Allow notes to handle clicks on annotated elements without CMS interfering */
-	[data-cms-id] { cursor: default !important; }
+
+	/* Reserve space for the notes toolbar + sidebar so they don't sit on top
+	 * of host page content. Padding the body lets the page reflow into the
+	 * visible area instead of being clipped under fixed-position chrome. */
+	html:not([${COLLAPSE_ATTR}]) body {
+		box-sizing: border-box;
+		padding-top: 40px !important;
+		padding-right: 340px !important;
+	}
+
+	/* When the sidebar is collapsed, only reserve the toolbar height. */
+	html[${COLLAPSE_ATTR}] body {
+		box-sizing: border-box;
+		padding-top: 40px !important;
+	}
+
+	/* Page-fixed elements (sticky headers, fixed nav) don't get pushed by
+	 * body padding because they're positioned against the viewport. Offset
+	 * them via top/right so they slot into the same chrome-free area. We
+	 * scope this to elements the host page declared as fixed/sticky to
+	 * avoid touching the notes UI itself (which lives in a shadow DOM). */
+	html:not([${COLLAPSE_ATTR}]) body > header[class*="fixed"],
+	html:not([${COLLAPSE_ATTR}]) body > nav[class*="fixed"],
+	html:not([${COLLAPSE_ATTR}]) body > [class*="sticky"] {
+		right: 340px !important;
+	}
 `
 
 export function enableCmsBridge(): void {
 	if (document.getElementById(STYLE_ID)) return
 	const style = document.createElement('style')
 	style.id = STYLE_ID
-	style.textContent = HIDE_CMS_CSS
+	style.textContent = STYLES
 	document.head.appendChild(style)
 }
 
 export function disableCmsBridge(): void {
 	const existing = document.getElementById(STYLE_ID)
 	if (existing) existing.remove()
+	document.documentElement.removeAttribute(COLLAPSE_ATTR)
+}
+
+/** Toggle sidebar-collapsed mode. The toolbar stays visible, the sidebar
+ *  slides off, and the body's right padding is removed so page content can
+ *  use the full viewport width. */
+export function setSidebarCollapsed(collapsed: boolean): void {
+	if (collapsed) {
+		document.documentElement.setAttribute(COLLAPSE_ATTR, '')
+	} else {
+		document.documentElement.removeAttribute(COLLAPSE_ATTR)
+	}
+}
+
+export function isSidebarCollapsed(): boolean {
+	return document.documentElement.hasAttribute(COLLAPSE_ATTR)
 }

package/src/overlay/lib/notes-fetch.ts

@@ -3,17 +3,32 @@
  *
  * All methods return parsed JSON. Errors throw with the server-provided
  * message so the overlay can surface them in a banner.
+ *
+ * Every call sends the active role via the `x-nua-role` header. The server
+ * uses this to gate destructive routes (apply / delete / resolve / etc.) to
+ * agency callers only. The role is read once at module load from the cookie
+ * the URL helpers maintain.
  */
 
 import type { NoteItem, NoteRange, NotesPageFile, NoteStatus, NoteType } from '../types'
+import { resolveRole } from './url-mode'
 
 const BASE = '/_nua/notes'
 const TIMEOUT_MS = 10_000
 
+/**
+ * Resolve the current role on every call (cheap — just reads a cookie). This
+ * means a new tab that just gained agency mode picks it up immediately
+ * without a page reload.
+ */
+function authHeaders(): Record<string, string> {
+	return { 'x-nua-role': resolveRole('nua-agency') }
+}
+
 async function postJson<T>(path: string, body: unknown): Promise<T> {
 	const res = await fetch(`${BASE}${path}`, {
 		method: 'POST',
-		headers: { 'Content-Type': 'application/json' },
+		headers: { 'Content-Type': 'application/json', ...authHeaders() },
 		body: JSON.stringify(body),
 		signal: AbortSignal.timeout(TIMEOUT_MS),
 	})
@@ -32,7 +47,7 @@ async function postJson<T>(path: string, body: unknown): Promise<T> {
 
 export async function listNotes(page: string): Promise<NotesPageFile> {
 	const res = await fetch(`${BASE}/list?page=${encodeURIComponent(page)}`, {
-		headers: { Accept: 'application/json' },
+		headers: { Accept: 'application/json', ...authHeaders() },
 		signal: AbortSignal.timeout(TIMEOUT_MS),
 	})
 	if (!res.ok) throw new Error(`notes: list failed (${res.status})`)
@@ -77,8 +92,15 @@ export async function setNoteStatus(page: string, id: string, status: NoteStatus
 	return updateNote(page, id, { status })
 }
 
-export async function deleteNote(page: string, id: string): Promise<void> {
-	await postJson<{ ok: true }>('/delete', { page, id })
+/** Soft delete — server flips status to 'deleted' and returns the updated item. */
+export async function deleteNote(page: string, id: string): Promise<NoteItem> {
+	const res = await postJson<{ item: NoteItem }>('/delete', { page, id })
+	return res.item
+}
+
+/** Hard delete — agency only. Removes the item from disk entirely. */
+export async function purgeNote(page: string, id: string): Promise<void> {
+	await postJson<{ ok: true }>('/purge', { page, id })
 }
 
 export interface ApplyResponse {
@@ -99,7 +121,7 @@ export interface ApplyResponse {
 export async function applyNote(page: string, id: string): Promise<ApplyResponse> {
 	const res = await fetch(`${BASE}/apply`, {
 		method: 'POST',
-		headers: { 'Content-Type': 'application/json' },
+		headers: { 'Content-Type': 'application/json', ...authHeaders() },
 		body: JSON.stringify({ page, id }),
 		signal: AbortSignal.timeout(TIMEOUT_MS),
 	})

package/src/overlay/lib/url-mode.ts

@@ -1,36 +1,73 @@
 /**
- * URL flag + cookie helpers controlling notes review mode.
+ * URL flag + cookie helpers controlling notes review mode and the active role.
  *
  * Review mode is on when EITHER the URL has the `?<urlFlag>` query param OR
  * the `nua-notes-mode=1` cookie is set. Visiting a page with the flag the
  * first time sets the cookie so subsequent navigation stays in review mode.
  *
- * The toggle button in the toolbar clears the cookie + reloads, which drops
- * the user back into the regular CMS view.
+ * Agency mode is the same idea with a separate flag/cookie pair: visit
+ * `?nua-agency` once and the `nua-notes-role=agency` cookie sticks. The
+ * toolbar shows the active role so the agency knows when they have full
+ * controls vs the read-only client view.
  */
 
-const COOKIE = 'nua-notes-mode'
+import type { NoteRole } from '../types'
+
+const MODE_COOKIE = 'nua-notes-mode'
+const ROLE_COOKIE = 'nua-notes-role'
+
+function readCookie(name: string): string | null {
+	if (typeof document === 'undefined') return null
+	for (const part of document.cookie.split('; ')) {
+		const eq = part.indexOf('=')
+		if (eq < 0) continue
+		if (part.slice(0, eq) === name) return decodeURIComponent(part.slice(eq + 1))
+	}
+	return null
+}
 
 export function isReviewMode(urlFlag: string): boolean {
 	if (typeof window === 'undefined') return false
 	const url = new URL(window.location.href)
 	if (url.searchParams.has(urlFlag)) return true
-	return document.cookie.split('; ').some(c => c.startsWith(`${COOKIE}=1`))
+	return readCookie(MODE_COOKIE) === '1'
 }
 
 export function setReviewModeCookie(): void {
-	// Session cookie — cleared when the browser closes. Good enough for v0.1.
-	document.cookie = `${COOKIE}=1; path=/; SameSite=Lax`
+	// Session cookie — cleared when the browser closes. Good enough for v0.2.
+	document.cookie = `${MODE_COOKIE}=1; path=/; SameSite=Lax`
 }
 
 export function clearReviewModeCookie(): void {
-	document.cookie = `${COOKIE}=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT; SameSite=Lax`
+	document.cookie = `${MODE_COOKIE}=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT; SameSite=Lax`
+}
+
+/**
+ * Resolve the active role from the URL flag and the cookie. If `agencyFlag`
+ * is present in the URL, agency mode is on AND the cookie gets persisted so
+ * subsequent navigation stays in agency. If neither flag nor cookie is set,
+ * the role is `client`.
+ */
+export function resolveRole(agencyFlag: string): NoteRole {
+	if (typeof window === 'undefined') return 'client'
+	const url = new URL(window.location.href)
+	if (url.searchParams.has(agencyFlag)) {
+		document.cookie = `${ROLE_COOKIE}=agency; path=/; SameSite=Lax`
+		return 'agency'
+	}
+	return readCookie(ROLE_COOKIE) === 'agency' ? 'agency' : 'client'
+}
+
+export function clearRoleCookie(): void {
+	document.cookie = `${ROLE_COOKIE}=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT; SameSite=Lax`
 }
 
-export function exitReviewMode(urlFlag: string): void {
+export function exitReviewMode(urlFlag: string, agencyFlag: string): void {
 	clearReviewModeCookie()
+	clearRoleCookie()
 	const url = new URL(window.location.href)
 	url.searchParams.delete(urlFlag)
+	url.searchParams.delete(agencyFlag)
 	window.location.href = url.pathname + (url.search || '') + url.hash
 }