@ossy/resources 1.6.0 → 1.8.0

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "@ossy/resources",
   "description": "Resource domain — aggregate and events for the Ossy resource model",
-  "version": "1.6.0",
+  "version": "1.8.0",
   "private": false,
   "type": "module",
   "main": "./src/index.js",
@@ -9,11 +9,20 @@
   "exports": {
     ".": "./src/index.js"
   },
+  "scripts": {
+    "test": "NODE_OPTIONS=--experimental-vm-modules jest --verbose"
+  },
   "author": "Ossy <yourfriends@ossy.se> (https://ossy.se)",
   "license": "MIT",
   "ossy": {
     "src": "./src"
   },
+  "devDependencies": {
+    "@jest/globals": "^30.2.0",
+    "@ossy/platform": "^1.35.0",
+    "casual": "^1.6.2",
+    "jest": "^30.2.0"
+  },
   "publishConfig": {
     "access": "public",
     "registry": "https://registry.npmjs.org"
@@ -22,5 +31,5 @@
     "/src",
     "README.md"
   ],
-  "gitHead": "46cdd391ec01ea9210543ee7b14661f77079a7e7"
+  "gitHead": "24df2bde0d5d8794c5a82b9e802a2594ca73a5d9"
 }

package/src/access-filter.spec.js

@@ -0,0 +1,134 @@
+import { accessFilter } from './resources.queries.js'
+
+// Helper to build a minimal Policy aggregate document that policyToQueryClause expects.
+function makePolicy({ effect = 'allow', actions = ['resource:read'], where = {} } = {}) {
+  return {
+    state: {
+      effect,
+      actions,
+      where: {
+        workspace: '*',
+        location: '*',
+        type: '*',
+        ...where,
+      },
+    },
+  }
+}
+
+// ---------------------------------------------------------------------------
+// accessFilter
+// ---------------------------------------------------------------------------
+
+describe('accessFilter', () => {
+
+  describe('anonymous user', () => {
+    it('returns only the public condition', () => {
+      const filter = accessFilter({ anonymous: true })
+      expect(filter).toEqual({
+        $or: [
+          { 'state.access': 'public' },
+        ],
+      })
+    })
+  })
+
+  describe('authenticated user with no workspaces and no policies', () => {
+    it('returns only the public condition', () => {
+      const user = { id: 'u-1', workspaces: [], policies: [] }
+      const filter = accessFilter(user)
+      expect(filter).toEqual({
+        $or: [
+          { 'state.access': 'public' },
+        ],
+      })
+    })
+  })
+
+  describe('authenticated user with workspaces', () => {
+    it('includes workspace condition with all workspace ids in $in', () => {
+      const user = { id: 'u-1', workspaces: ['ws-1', 'ws-2'], policies: [] }
+      const filter = accessFilter(user)
+      expect(filter.$or).toContainEqual({
+        'state.access': { $in: ['public', 'workspace'] },
+        'state.belongsTo': { $in: ['ws-1', 'ws-2'] },
+      })
+    })
+
+    it('still includes the public condition alongside the workspace condition', () => {
+      const user = { id: 'u-1', workspaces: ['ws-1'], policies: [] }
+      const filter = accessFilter(user)
+      expect(filter.$or).toContainEqual({ 'state.access': 'public' })
+    })
+
+    it('includes all workspace ids in the $in clause', () => {
+      const workspaces = ['ws-a', 'ws-b', 'ws-c']
+      const filter = accessFilter({ id: 'u-1', workspaces, policies: [] })
+      const workspaceCondition = filter.$or.find(c => c['state.belongsTo'])
+      expect(workspaceCondition['state.belongsTo'].$in).toEqual(workspaces)
+    })
+  })
+
+  describe('authenticated user with allow policies', () => {
+    it('includes a restricted condition for each matching allow policy', () => {
+      const policy = makePolicy({ where: { workspace: 'ws-1' } })
+      const user = { id: 'u-1', workspaces: [], policies: [policy] }
+      const filter = accessFilter(user)
+      expect(filter.$or).toContainEqual(
+        expect.objectContaining({ 'state.access': 'restricted', 'state.belongsTo': 'ws-1' })
+      )
+    })
+
+    it('policy with effect deny is not included', () => {
+      const denyPolicy = makePolicy({ effect: 'deny' })
+      const user = { id: 'u-1', workspaces: [], policies: [denyPolicy] }
+      const filter = accessFilter(user)
+      const restrictedConditions = filter.$or.filter(c => c['state.access'] === 'restricted')
+      expect(restrictedConditions).toHaveLength(0)
+    })
+
+    it('policy without resource:read action is not included', () => {
+      const writeOnlyPolicy = makePolicy({ actions: ['resource:write'] })
+      const user = { id: 'u-1', workspaces: [], policies: [writeOnlyPolicy] }
+      const filter = accessFilter(user)
+      const restrictedConditions = filter.$or.filter(c => c['state.access'] === 'restricted')
+      expect(restrictedConditions).toHaveLength(0)
+    })
+
+    it('wildcard workspace policy does not add state.belongsTo to the clause', () => {
+      const policy = makePolicy({ where: { workspace: '*' } })
+      const user = { id: 'u-1', workspaces: [], policies: [policy] }
+      const filter = accessFilter(user)
+      const restrictedCondition = filter.$or.find(c => c['state.access'] === 'restricted')
+      expect(restrictedCondition['state.belongsTo']).toBeUndefined()
+    })
+
+    it('includes one restricted clause per valid allow policy', () => {
+      const policies = [
+        makePolicy({ where: { workspace: 'ws-1' } }),
+        makePolicy({ where: { workspace: 'ws-2' } }),
+      ]
+      const user = { id: 'u-1', workspaces: [], policies }
+      const filter = accessFilter(user)
+      const restrictedConditions = filter.$or.filter(c => c['state.access'] === 'restricted')
+      expect(restrictedConditions).toHaveLength(2)
+    })
+  })
+
+  describe('null / undefined user', () => {
+    it('returns only the public condition for null user', () => {
+      const filter = accessFilter(null)
+      expect(filter.$or).toContainEqual({ 'state.access': 'public' })
+      const nonPublic = filter.$or.filter(c => c['state.access'] !== 'public')
+      expect(nonPublic).toHaveLength(0)
+    })
+
+    it('returns only the public condition for undefined user', () => {
+      const filter = accessFilter(undefined)
+      expect(filter.$or).toContainEqual({ 'state.access': 'public' })
+      const nonPublic = filter.$or.filter(c => c['state.access'] !== 'public')
+      expect(nonPublic).toHaveLength(0)
+    })
+  })
+
+})

package/src/create-page-view.action.js

@@ -0,0 +1,38 @@
+import { Aggregate } from '@ossy/event-store'
+import { Resource, ResourcesEvents } from '@ossy/resources'
+import { Workspace } from '@ossy/workspaces'
+import { normalizeAndValidateDocumentContent } from '@ossy/platform'
+
+export const id = 'resources/create-page-view'
+export const access = 'workspace'
+
+const PAGE_VIEW_TEMPLATE_ID = '@ossy/web/page-view'
+const PAGE_VIEW_LOCATION = '/@ossy/analytics/page-views/'
+
+export async function run({ payload, req }) {
+  const workspaceId = payload?.workspaceId ?? req?.workspaceId
+  if (!workspaceId) throw Object.assign(new Error('workspaceId is required'), { status: 400 })
+
+  const workspace = await Aggregate.Of(Workspace, workspaceId).then(Aggregate.View())
+
+  // Page-view template is a built-in; instantiate directly without schema validation
+  const contentInput = {
+    ...(payload ?? {}),
+    userAgent: payload?.userAgent ?? req?.headers?.['user-agent'],
+    eventAt: payload?.eventAt ?? Date.now(),
+    path: payload?.path ?? '/',
+  }
+
+  const event = ResourcesEvents.Created({
+    type: PAGE_VIEW_TEMPLATE_ID,
+    createdBy: payload?.userId ?? req?.userId ?? 'public',
+    belongsTo: workspace.id,
+    location: PAGE_VIEW_LOCATION,
+    name: `${Date.now()}`,
+    content: contentInput,
+    access: 'restricted',
+  })
+
+  const resource = await Aggregate.Of(Resource, event).then(Aggregate.View())
+  return { id: resource.id }
+}

package/src/create.action.js

@@ -0,0 +1,98 @@
+import { is } from 'ramda'
+import { nanoid } from 'nanoid'
+import { Aggregate } from '@ossy/event-store'
+import { Resource, ResourcesEvents } from '@ossy/resources'
+import { Workspace } from '@ossy/workspaces'
+import { getSystemResourceTemplates, normalizeAndValidateDocumentContent } from '@ossy/platform'
+
+export const id = 'resources/create'
+export const access = 'workspace'
+
+const NativeResourceTypes = { DIRECTORY: 'directory' }
+
+export async function run({ payload, integrations, req }) {
+  const createdBy = payload?.userId ?? req?.userId
+  const workspaceId = payload?.workspaceId ?? req?.workspaceId
+
+  const workspace = await Aggregate.Of(Workspace, workspaceId).then(Aggregate.View())
+  let location = payload?.location
+  const type = payload?.type
+  const name = payload?.name
+  const fileExtension = name?.split?.('.')?.pop?.()
+  const content = payload?.content
+  const size = payload?.size
+
+  if (!is(String, location)) {
+    throw Object.assign(new Error(`Not a valid location path: ${location}`), { status: 400, type: 'INVALID_PATH' })
+  }
+
+  location = location.endsWith('/') ? location : location + '/'
+  location = location.startsWith('/') ? location : '/' + location
+
+  const systemTemplates = getSystemResourceTemplates()
+  const allTemplates = [
+    ...systemTemplates,
+    ...(workspace.resourceTemplates || []).filter(t => !systemTemplates.find(s => s.id === t.id)),
+  ]
+  const isResourceTemplateType = allTemplates.map(t => t.id).includes(type)
+
+  if (type === NativeResourceTypes.DIRECTORY) {
+    const event = ResourcesEvents.Created({
+      type: NativeResourceTypes.DIRECTORY,
+      createdBy,
+      belongsTo: workspace.id,
+      location,
+      name,
+      access: 'workspace',
+    })
+    return Aggregate.Of(Resource, event).then(Aggregate.View())
+  }
+
+  if (isResourceTemplateType) {
+    const template = allTemplates.find(t => t.id === type)
+    const normalized = normalizeAndValidateDocumentContent(content, template)
+    if (!normalized.ok) {
+      throw Object.assign(new Error(normalized.message), { status: 400, type: normalized.code })
+    }
+    const event = ResourcesEvents.Created({
+      type,
+      createdBy,
+      belongsTo: workspace.id,
+      location,
+      name,
+      content: normalized.content,
+    })
+    return Aggregate.Of(Resource, event).then(Aggregate.View())
+  }
+
+  if (!fileExtension) {
+    throw Object.assign(new Error('Missing valid file extension'), { status: 400 })
+  }
+
+  const aggregateId = nanoid()
+  const event = ResourcesEvents.Created({
+    aggregateId,
+    type,
+    createdBy,
+    belongsTo: workspace.id,
+    location,
+    name,
+    content: {
+      Key: `media/${workspace.id}/${aggregateId}/original.${fileExtension}`,
+      ContentLength: size,
+      ContentType: type,
+    },
+  })
+
+  const storageClient = integrations?.get?.('storage')
+  const uploadHeaders = {
+    ContentLength: event.payload.content.ContentLength,
+    ContentType: event.payload.content.ContentType,
+    Key: event.payload.content.Key,
+  }
+  const uploadUrl = storageClient ? await storageClient.createUploadUrl(uploadHeaders) : null
+  const resource = await Aggregate.Of(Resource, event).then(Aggregate.View())
+  return uploadUrl
+    ? { ...resource, content: { ...resource.content, uploadUrl } }
+    : resource
+}

package/src/delete.action.js

@@ -0,0 +1,31 @@
+import { Aggregate } from '@ossy/event-store'
+import { Resource, ResourcesEvents } from '@ossy/resources'
+import { ResourcesQueries } from './resources.queries.js'
+
+export const id = 'resources/delete'
+export const access = 'workspace'
+
+const DIRECTORY_TYPE = 'directory'
+
+export async function run({ payload, req }) {
+  const createdBy = payload?.userId ?? req?.userId
+  const resourceId = payload?.resourceId ?? req?.params?.resourceId
+
+  if (!resourceId) throw Object.assign(new Error('resourceId is required'), { status: 400 })
+
+  const aggregate = await Aggregate.Of(Resource, resourceId)
+  const resource = Aggregate.View()(aggregate)
+
+  if (resource.type === DIRECTORY_TYPE) {
+    const nestedResources = await ResourcesQueries.GetNestedResources({
+      location: resource.location + resource.name + '/',
+    })
+    await Promise.all(nestedResources.map(nested =>
+      Aggregate.Of(Resource, nested.id)
+        .then(Aggregate.Add(ResourcesEvents.Deleted({ createdBy })))
+    ))
+  }
+
+  await Aggregate.Add(ResourcesEvents.Deleted({ createdBy }))(aggregate)
+  return null
+}

package/src/get-page-view-stats.action.js

@@ -0,0 +1,65 @@
+import { Aggregate } from '@ossy/event-store'
+import { Workspace } from '@ossy/workspaces'
+
+export const id = 'resources/get-page-view-stats'
+export const access = 'workspace'
+
+const PAGE_VIEW_TEMPLATE_ID = '@ossy/web/page-view'
+const PAGE_VIEW_LOCATION = '/@ossy/analytics/page-views/'
+
+function parseMillis(input, fallback) {
+  if (input === undefined || input === null || input === '') return fallback
+  const n = Number(input)
+  if (!Number.isFinite(n) || n <= 0) return fallback
+  return n
+}
+
+export async function run({ payload, req }) {
+  const workspaceId = payload?.workspaceId ?? req?.workspaceId
+  if (!workspaceId) throw Object.assign(new Error('workspaceId is required'), { status: 400 })
+
+  const workspace = await Aggregate.Of(Workspace, workspaceId).then(Aggregate.View())
+
+  const now = Date.now()
+  const defaultFrom = now - (30 * 24 * 60 * 60 * 1000)
+  const from = parseMillis(payload?.from ?? req?.query?.from, defaultFrom)
+  const to = parseMillis(payload?.to ?? req?.query?.to, now)
+  const topLimit = Math.min(Math.max(Number(payload?.limit ?? req?.query?.limit ?? 10), 1), 50)
+
+  const baseMatch = {
+    type: 'Resource',
+    'state.status': { $ne: 'removed' },
+    'state.belongsTo': workspace.id,
+    'state.type': PAGE_VIEW_TEMPLATE_ID,
+    'state.location': PAGE_VIEW_LOCATION,
+    'state.content.eventAt': { $gte: from, $lte: to },
+  }
+
+  const [dailyViews, topPaths, totals] = await Promise.all([
+    Aggregate.Collection.aggregate([
+      { $match: baseMatch },
+      { $project: { date: { $dateToString: { format: '%Y-%m-%d', date: { $toDate: '$state.content.eventAt' } } } } },
+      { $group: { _id: '$date', views: { $sum: 1 } } },
+      { $sort: { _id: 1 } },
+    ]).toArray(),
+    Aggregate.Collection.aggregate([
+      { $match: baseMatch },
+      { $group: { _id: '$state.content.path', views: { $sum: 1 } } },
+      { $sort: { views: -1 } },
+      { $limit: topLimit },
+      { $project: { _id: 0, path: '$_id', views: 1 } },
+    ]).toArray(),
+    Aggregate.Collection.aggregate([
+      { $match: baseMatch },
+      { $count: 'views' },
+    ]).toArray(),
+  ])
+
+  return {
+    from,
+    to,
+    totalViews: totals?.[0]?.views || 0,
+    dailyViews: dailyViews.map(x => ({ date: x._id, views: x.views })),
+    topPaths,
+  }
+}

package/src/get.action.js

@@ -0,0 +1,14 @@
+import { Aggregate } from '@ossy/event-store'
+import { Resource } from '@ossy/resources'
+
+export const id = 'resources/get'
+export const access = 'workspace'
+
+export async function run({ payload, req }) {
+  const resourceId = payload?.resourceId ?? req?.params?.resourceId
+  if (!resourceId) throw Object.assign(new Error('resourceId is required'), { status: 400 })
+
+  const resource = await Aggregate.Of(Resource, resourceId).then(Aggregate.View())
+  if (!resource?.id) throw Object.assign(new Error('Resource not found'), { status: 404 })
+  return resource
+}

package/src/item-access.api.js

@@ -0,0 +1,34 @@
+import { ActionService } from '@ossy/platform'
+import { attachResourceMediaUrls } from './resources.attach-media-urls.js'
+
+const pathRe = /^\/api\/v0\/resources\/([^/]+)\/access$/
+
+export const metadata = {
+  id: 'resources.item.access',
+  path: '/api/v0/resources/:resourceId/access',
+}
+
+export default async function handle(req, res) {
+  if (req.method !== 'PUT') {
+    res.setHeader('Allow', 'PUT')
+    res.status(405).json({ error: 'Method Not Allowed' })
+    return
+  }
+  const pathname = (req.path || new URL(req.originalUrl, 'http://localhost').pathname).replace(/\/+$/, '')
+  const m = pathname.match(pathRe)
+  if (!m) {
+    res.status(404).json('')
+    return
+  }
+  const resourceId = decodeURIComponent(m[1])
+  try {
+    const resource = await ActionService.invoke('resources/update-access', {
+      payload: { resourceId, access: req.body?.access, userId: req.userId },
+      req,
+    })
+    const withUrls = await attachResourceMediaUrls(resource, { userId: req.userId, workspaceId: req.workspaceId })
+    res.json(withUrls)
+  } catch (err) {
+    res.status(err?.status ?? 500).json({ error: err?.message })
+  }
+}

package/src/item-content.api.js

@@ -0,0 +1,35 @@
+import { ActionService } from '@ossy/platform'
+import { attachResourceMediaUrls } from './resources.attach-media-urls.js'
+
+const pathRe = /^\/api\/v0\/resources\/([^/]+)\/content$/
+
+export const metadata = {
+  id: 'resources.item.content',
+  path: '/api/v0/resources/:resourceId/content',
+}
+
+export default async function handle(req, res) {
+  if (req.method !== 'PUT') {
+    res.setHeader('Allow', 'PUT')
+    res.status(405).json({ error: 'Method Not Allowed' })
+    return
+  }
+  const pathname = (req.path || new URL(req.originalUrl, 'http://localhost').pathname).replace(/\/+$/, '')
+  const m = pathname.match(pathRe)
+  if (!m) {
+    res.status(404).json('')
+    return
+  }
+  const resourceId = decodeURIComponent(m[1])
+  try {
+    const resource = await ActionService.invoke('resources/update-content', {
+      payload: { resourceId, content: req.body?.content, userId: req.userId, workspaceId: req.workspaceId },
+      req,
+    })
+    if (resource === null || resource === undefined) return
+    const withUrls = await attachResourceMediaUrls(resource, { userId: req.userId, workspaceId: req.workspaceId })
+    res.json(withUrls)
+  } catch (err) {
+    res.status(err?.status ?? 400).json({ type: err?.type, message: err?.message })
+  }
+}

package/src/item-location.api.js

@@ -0,0 +1,34 @@
+import { ActionService } from '@ossy/platform'
+import { attachResourceMediaUrls } from './resources.attach-media-urls.js'
+
+const pathRe = /^\/api\/v0\/resources\/([^/]+)\/location$/
+
+export const metadata = {
+  id: 'resources.item.location',
+  path: '/api/v0/resources/:resourceId/location',
+}
+
+export default async function handle(req, res) {
+  if (req.method !== 'PUT') {
+    res.setHeader('Allow', 'PUT')
+    res.status(405).json({ error: 'Method Not Allowed' })
+    return
+  }
+  const pathname = (req.path || new URL(req.originalUrl, 'http://localhost').pathname).replace(/\/+$/, '')
+  const m = pathname.match(pathRe)
+  if (!m) {
+    res.status(404).json('')
+    return
+  }
+  const resourceId = decodeURIComponent(m[1])
+  try {
+    const resource = await ActionService.invoke('resources/update-location', {
+      payload: { resourceId, target: req.body?.target, userId: req.userId },
+      req,
+    })
+    const withUrls = await attachResourceMediaUrls(resource, { userId: req.userId, workspaceId: req.workspaceId })
+    res.json(withUrls)
+  } catch (err) {
+    res.status(err?.status ?? 500).json({ error: err?.message })
+  }
+}

package/src/item-name.api.js

@@ -0,0 +1,34 @@
+import { ActionService } from '@ossy/platform'
+import { attachResourceMediaUrls } from './resources.attach-media-urls.js'
+
+const pathRe = /^\/api\/v0\/resources\/([^/]+)\/name$/
+
+export const metadata = {
+  id: 'resources.item.name',
+  path: '/api/v0/resources/:resourceId/name',
+}
+
+export default async function handle(req, res) {
+  if (req.method !== 'PUT') {
+    res.setHeader('Allow', 'PUT')
+    res.status(405).json({ error: 'Method Not Allowed' })
+    return
+  }
+  const pathname = (req.path || new URL(req.originalUrl, 'http://localhost').pathname).replace(/\/+$/, '')
+  const m = pathname.match(pathRe)
+  if (!m) {
+    res.status(404).json('')
+    return
+  }
+  const resourceId = decodeURIComponent(m[1])
+  try {
+    const resource = await ActionService.invoke('resources/update-name', {
+      payload: { resourceId, name: req.body?.name, userId: req.userId },
+      req,
+    })
+    const withUrls = await attachResourceMediaUrls(resource, { userId: req.userId, workspaceId: req.workspaceId })
+    res.json(withUrls)
+  } catch (err) {
+    res.status(err?.status ?? 500).json({ error: err?.message })
+  }
+}

package/src/item-version.api.js

@@ -0,0 +1,48 @@
+import { ActionService } from '@ossy/platform'
+import { attachResourceMediaUrls } from './resources.attach-media-urls.js'
+
+const pathRe = /^\/api\/v0\/resources\/([^/]+)\/([^/]+)$/
+const reservedSecond = new Set(['name', 'location', 'content', 'access'])
+
+export const metadata = {
+  id: 'resources.item.version',
+  path: '/api/v0/resources/:resourceId/:namedVersion',
+}
+
+export default async function handle(req, res) {
+  if (req.method !== 'PUT') {
+    res.setHeader('Allow', 'PUT')
+    res.status(405).json({ error: 'Method Not Allowed' })
+    return
+  }
+  const pathname = (req.path || new URL(req.originalUrl, 'http://localhost').pathname).replace(/\/+$/, '')
+  const m = pathname.match(pathRe)
+  if (!m) {
+    res.status(404).json('')
+    return
+  }
+  const namedVersion = decodeURIComponent(m[2])
+  if (reservedSecond.has(namedVersion)) {
+    res.status(404).json('')
+    return
+  }
+  const resourceId = decodeURIComponent(m[1])
+  try {
+    const resource = await ActionService.invoke('resources/upload-named-version', {
+      payload: {
+        resourceId,
+        namedVersion,
+        type: req.body?.type,
+        size: req.body?.size,
+        userId: req.userId,
+        workspaceId: req.workspaceId,
+      },
+      integrations: req.integrations,
+      req,
+    })
+    const withUrls = await attachResourceMediaUrls(resource, { userId: req.userId, workspaceId: req.workspaceId })
+    res.json(withUrls)
+  } catch (err) {
+    res.status(err?.status ?? 400).json({ error: err?.message })
+  }
+}

package/src/item.api.js

@@ -0,0 +1,58 @@
+import { ActionService } from '@ossy/platform'
+import { attachResourceMediaUrls } from './resources.attach-media-urls.js'
+
+const pathRe = /^\/api\/v0\/resources\/([^/]+)$/
+
+export const metadata = {
+  id: 'resources.item',
+  path: '/api/v0/resources/:resourceId',
+}
+
+function mediaContext(req) {
+  return { userId: req.userId, workspaceId: req.workspaceId }
+}
+
+export default async function handle(req, res) {
+  const pathname = (req.path || new URL(req.originalUrl, 'http://localhost').pathname).replace(/\/+$/, '')
+  const m = pathname.match(pathRe)
+  if (!m) {
+    res.status(404).json('')
+    return
+  }
+  const segment = decodeURIComponent(m[1])
+  const reserved = new Set(['search', 'page-views'])
+  if (reserved.has(segment)) {
+    res.status(404).json('')
+    return
+  }
+
+  req.params = { ...req.params, resourceId: segment }
+
+  if (req.method === 'GET') {
+    try {
+      const resource = await ActionService.invoke('resources/get', {
+        payload: { resourceId: segment },
+        req,
+      })
+      const withUrls = await attachResourceMediaUrls(resource, mediaContext(req))
+      res.json(withUrls)
+    } catch (err) {
+      res.status(err?.status ?? 500).json({ error: err?.message })
+    }
+    return
+  }
+  if (req.method === 'DELETE') {
+    try {
+      await ActionService.invoke('resources/delete', {
+        payload: { resourceId: segment, userId: req.userId },
+        req,
+      })
+      res.status(204).end()
+    } catch (err) {
+      res.status(err?.status ?? 500).json({ error: err?.message })
+    }
+    return
+  }
+  res.setHeader('Allow', 'GET, DELETE')
+  res.status(405).json({ error: 'Method Not Allowed' })
+}

package/src/list.action.js

@@ -0,0 +1,19 @@
+import { ResourcesQueries } from './resources.queries.js'
+
+export const id = 'resources/list'
+export const access = 'workspace'
+
+export async function run({ payload, req }) {
+  const query = { ...(payload?.query ?? {}) }
+  const workspaceId = payload?.workspaceId ?? req?.workspaceId
+  const user = payload?.user ?? req?.user
+  let location = payload?.location ?? query.location
+
+  if (location && !location.endsWith('/')) location += '/'
+  if (location && !location.startsWith('/')) location = '/' + location
+  if (location) query.location = location
+
+  if (workspaceId) query.belongsTo = workspaceId
+
+  return ResourcesQueries.GetResources(query, user)
+}

package/src/list.api.js

@@ -0,0 +1,43 @@
+import { ActionService } from '@ossy/platform'
+import { attachResourceMediaUrls } from './resources.attach-media-urls.js'
+
+export const metadata = {
+  id: 'resources.list',
+  path: '/api/v0/resources',
+}
+
+function mediaContext(req) {
+  return { userId: req.userId, workspaceId: req.workspaceId }
+}
+
+export default async function handle(req, res) {
+  if (req.method === 'POST') {
+    try {
+      const resource = await ActionService.invoke('resources/create', {
+        payload: { ...req.body, userId: req.userId, workspaceId: req.workspaceId },
+        integrations: req.integrations,
+        req,
+      })
+      const withUrls = await attachResourceMediaUrls(resource, mediaContext(req))
+      res.json(withUrls)
+    } catch (err) {
+      res.status(err?.status ?? 500).json({ error: err?.message })
+    }
+    return
+  }
+  if (req.method === 'GET') {
+    try {
+      const resources = await ActionService.invoke('resources/list', {
+        payload: { query: req.query, workspaceId: req.workspaceId, userId: req.userId, user: req.user },
+        req,
+      })
+      const withUrls = await Promise.all(resources.map(r => attachResourceMediaUrls(r, mediaContext(req))))
+      res.json(withUrls)
+    } catch (err) {
+      res.status(err?.status ?? 500).json({ error: err?.message })
+    }
+    return
+  }
+  res.setHeader('Allow', 'GET, POST')
+  res.status(405).json({ error: 'Method Not Allowed' })
+}

package/src/page-views-stats.api.js

@@ -0,0 +1,23 @@
+import { ActionService } from '@ossy/platform'
+
+export const metadata = {
+  id: 'resources.pageViews.stats',
+  path: '/api/v0/resources/page-views/stats',
+}
+
+export default async function handle(req, res) {
+  if (req.method !== 'GET') {
+    res.setHeader('Allow', 'GET')
+    res.status(405).json({ error: 'Method Not Allowed' })
+    return
+  }
+  try {
+    const result = await ActionService.invoke('resources/get-page-view-stats', {
+      payload: { workspaceId: req.workspaceId, from: req.query?.from, to: req.query?.to, limit: req.query?.limit },
+      req,
+    })
+    res.json(result)
+  } catch (err) {
+    res.status(err?.status ?? 500).json({ error: err?.message })
+  }
+}

package/src/page-views.api.js

@@ -0,0 +1,23 @@
+import { ActionService } from '@ossy/platform'
+
+export const metadata = {
+  id: 'resources.pageViews',
+  path: '/api/v0/resources/page-views',
+}
+
+export default async function handle(req, res) {
+  if (req.method !== 'POST') {
+    res.setHeader('Allow', 'POST')
+    res.status(405).json({ error: 'Method Not Allowed' })
+    return
+  }
+  try {
+    const result = await ActionService.invoke('resources/create-page-view', {
+      payload: { ...req.body, workspaceId: req.workspaceId, userId: req.userId },
+      req,
+    })
+    res.status(201).json(result)
+  } catch (err) {
+    res.status(err?.status ?? 500).json({ error: err?.message })
+  }
+}

package/src/resources.attach-media-urls.js

@@ -0,0 +1,60 @@
+import { StorageClient } from '@ossy/platform'
+import { Aggregate } from '@ossy/event-store'
+import { Workspace } from '@ossy/workspaces'
+
+/**
+ * Adds `content.src` (and `content.sizes[*]` URLs) for file resources, respecting
+ * `access` and workspace membership. Restricted resources get short-lived S3 presigned GETs
+ * for members only; public resources get CDN URLs for any caller.
+ *
+ * @param {object} resource - Resource view
+ * @param {{ userId?: string, workspaceId?: string }} context
+ * @returns {Promise<object>}
+ */
+export async function attachResourceMediaUrls(resource, { userId, workspaceId } = {}) {
+  if (!resource?.content) return resource
+  const workspace = workspaceId
+    ? await Aggregate.Of(Workspace, workspaceId).then(Aggregate.View())
+    : null
+  const { Key, sizes } = resource.content
+  const hasSizes = sizes && typeof sizes === 'object' && Object.keys(sizes).length > 0
+  if (!Key && !hasSizes) return resource
+
+  const access = resource.access || 'restricted'
+  const isMember = Boolean(userId && workspace?.users?.includes(userId))
+  const allowMedia = access === 'public' || (access === 'restricted' && isMember)
+
+  const nextContent = { ...resource.content }
+
+  if (!allowMedia) {
+    delete nextContent.Key
+    delete nextContent.src
+    if (hasSizes) nextContent.sizes = {}
+    return { ...resource, content: nextContent }
+  }
+
+  if (Key) {
+    nextContent.src =
+      access === 'public'
+        ? StorageClient.createDownloadUrl(Key)
+        : await StorageClient.createPresignedDownloadUrl(Key)
+  }
+
+  if (hasSizes) {
+    const nextSizes = {}
+    for (const [name, value] of Object.entries(sizes)) {
+      if (value == null || typeof value !== 'string') continue
+      if (value.startsWith('http://') || value.startsWith('https://')) {
+        nextSizes[name] = value
+        continue
+      }
+      nextSizes[name] =
+        access === 'public'
+          ? StorageClient.createDownloadUrl(value)
+          : await StorageClient.createPresignedDownloadUrl(value)
+    }
+    nextContent.sizes = nextSizes
+  }
+
+  return { ...resource, content: nextContent }
+}

package/src/resources.queries.js

@@ -0,0 +1,95 @@
+import { Aggregate } from '@ossy/event-store'
+import { createLogger } from '@ossy/observability'
+
+const log = createLogger('resources')
+
+function globToRegex(pattern) {
+  const escaped = pattern
+    .replace(/\./g, '\\.')
+    .replace(/\*\*/g, '§§')
+    .replace(/\*/g, '[^/]*')
+    .replace(/§§/g, '.*')
+  return new RegExp('^' + escaped + '$')
+}
+
+function policyToQueryClause(policy) {
+  const { where, actions, effect } = policy.state
+  if (effect !== 'allow' || !actions.includes('resource:read')) return null
+
+  const clause = { 'state.access': 'restricted' }
+
+  if (where.workspace && where.workspace !== '*')
+    clause['state.belongsTo'] = where.workspace
+
+  if (where.location && where.location !== '*')
+    clause['state.location'] = { $regex: globToRegex(where.location).source }
+
+  if (where.type && where.type !== '*')
+    clause['state.type'] = { $regex: globToRegex(where.type).source }
+
+  return clause
+}
+
+export function accessFilter(user) {
+  const conditions = [{ 'state.access': 'public' }]
+
+  if (!user?.anonymous) {
+    if (user?.workspaces?.length) {
+      conditions.push({
+        'state.access': { $in: ['public', 'workspace'] },
+        'state.belongsTo': { $in: user.workspaces },
+      })
+    }
+    for (const policy of (user?.policies ?? [])) {
+      const clause = policyToQueryClause(policy)
+      if (clause) conditions.push(clause)
+    }
+  }
+
+  return { $or: conditions }
+}
+
+export class ResourcesQueries {
+  static #prefixKey(key) {
+    if (key.startsWith('$')) return key
+    return `state.${key}`
+  }
+
+  static #prefixQuery(query) {
+    if (Array.isArray(query)) return query.map(item => ResourcesQueries.#prefixQuery(item))
+    if (query !== null && typeof query === 'object') {
+      return Object.entries(query).reduce((acc, [key, value]) => {
+        const prefixedKey = ResourcesQueries.#prefixKey(key)
+        const prefixedValue = key.startsWith('$') ? ResourcesQueries.#prefixQuery(value) : value
+        return { ...acc, [prefixedKey]: prefixedValue }
+      }, {})
+    }
+    return query
+  }
+
+  static GetResources(_query = {}, user = null) {
+    log.info('[ResourcesQueries][GetResources] Building query')
+    const query = ResourcesQueries.#prefixQuery({ ..._query, status: { $ne: 'removed' } })
+    const workspaceScope = query['state.belongsTo'] ?? '(no workspace scope)'
+    log.info(`[ResourcesQueries][GetResources] Fetching resources for ${workspaceScope}`)
+
+    const baseQuery = { ...query, type: 'Resource' }
+    const mongoQuery = user ? { $and: [baseQuery, accessFilter(user)] } : baseQuery
+
+    return Aggregate.Collection.find(mongoQuery, { state: true }).toArray()
+      .then(resources => {
+        log.info(`[ResourcesQueries][GetResources] Found ${resources.length} resources`)
+        return resources.map(resource => resource.state)
+      })
+  }
+
+  static GetNestedResources({ location }) {
+    log.info(`[ResourcesQueries][GetNestedResources] Fetching nested resources for ${location}`)
+    const regex = new RegExp(`^${location}`)
+    return Aggregate.Collection.find({
+      'state.location': { $regex: regex },
+      'state.status': { $ne: 'removed' },
+    }, { state: true }).toArray()
+      .then(resources => resources.map(resource => resource.state))
+  }
+}

package/src/resources.spec.js

@@ -0,0 +1,147 @@
+import casual from 'casual'
+import { TestUtil } from '@ossy/platform/test'
+
+function workspaceHeaders(userToken, workspaceId) {
+  return {
+    'Content-Type': 'application/json',
+    Authorization: userToken,
+    workspaceId,
+  }
+}
+
+describe('[/resources][POST]', () => {
+
+  TestUtil.AssertAuthenticationNeeded({
+    endpoint: '/resources',
+    method: 'POST',
+    headers: { 'Content-Type': 'application/json', 'workspaceId': 'ws-test' },
+  })
+
+})
+
+describe('[/resources][GET]', () => {
+  TestUtil.AssertAuthenticationNeeded({
+    endpoint: '/resources',
+    method: 'GET',
+    headers: { 'Content-Type': 'application/json', 'workspaceId': 'ws-test' },
+  })
+})
+
+describe('[/resources/:resourceId][GET]', () => {
+  TestUtil.AssertAuthenticationNeeded({
+    endpoint: '/resources/r1',
+    method: 'GET',
+    headers: { 'Content-Type': 'application/json', 'workspaceId': 'ws-test' },
+  })
+})
+
+describe('[/resources/:resourceId/name][PUT]', () => {
+  TestUtil.AssertAuthenticationNeeded({
+    endpoint: '/resources/r1/name',
+    method: 'PUT',
+    headers: { 'Content-Type': 'application/json', 'workspaceId': 'ws-test' },
+  })
+})
+
+describe('[/resources/:resourceId/location][PUT]', () => {
+  TestUtil.AssertAuthenticationNeeded({
+    endpoint: '/resources/r1/location',
+    method: 'PUT',
+    headers: { 'Content-Type': 'application/json', 'workspaceId': 'ws-test' },
+  })
+})
+
+describe('[/resources/:resourceId/content][PUT]', () => {
+  TestUtil.AssertAuthenticationNeeded({
+    endpoint: '/resources/r1/content',
+    method: 'PUT',
+    headers: { 'Content-Type': 'application/json', 'workspaceId': 'ws-test' },
+  })
+})
+
+describe('[/resources/:resourceId][DELETE]', () => {
+  TestUtil.AssertAuthenticationNeeded({
+    endpoint: '/resources/r1',
+    method: 'DELETE',
+    headers: { 'Content-Type': 'application/json', 'workspaceId': 'ws-test' },
+  })
+})
+
+describe('E2E: template-backed resource (workspaceId header)', () => {
+  it('create → update content → delete', async () => {
+    const user = await TestUtil.GetAuthenticatedTestUser()
+    const workspace = await TestUtil.MakeRequest({
+      endpoint: '/workspaces',
+      method: 'POST',
+      headers: { 'Content-Type': 'application/json', Authorization: user.token },
+      body: JSON.stringify({ name: casual.word }),
+    }).then(r => r.json())
+
+    const templateType = '@ossy/web/page'
+    const createBody = {
+      location: '/',
+      type: templateType,
+      name: `page-${casual.word}.json`,
+      content: {
+        title: 'Hello',
+        description: 'D',
+        body: '<p>initial</p>',
+      },
+    }
+
+    const createRes = await TestUtil.MakeRequest({
+      endpoint: '/resources',
+      method: 'POST',
+      headers: workspaceHeaders(user.token, workspace.id),
+      body: JSON.stringify(createBody),
+    })
+
+    expect(createRes.status).toEqual(200)
+    const created = await createRes.json()
+    expect(created.type).toEqual(templateType)
+    expect(created.content).toEqual({
+      title: 'Hello',
+      description: 'D',
+      body: '<p>initial</p>',
+    })
+
+    const updateRes = await TestUtil.MakeRequest({
+      endpoint: `/resources/${created.id}/content`,
+      method: 'PUT',
+      headers: workspaceHeaders(user.token, workspace.id),
+      body: JSON.stringify({
+        content: {
+          title: 'Updated',
+          description: 'D2',
+          body: '<p>revised</p>',
+        },
+      }),
+    })
+
+    expect(updateRes.status).toEqual(200)
+    const updated = await updateRes.json()
+    expect(updated.content).toEqual({
+      title: 'Updated',
+      description: 'D2',
+      body: '<p>revised</p>',
+    })
+
+    const deleteRes = await TestUtil.MakeRequest({
+      endpoint: `/resources/${created.id}`,
+      method: 'DELETE',
+      headers: workspaceHeaders(user.token, workspace.id),
+    })
+
+    expect(deleteRes.status).toEqual(204)
+
+    const listRes = await TestUtil.MakeRequest({
+      endpoint: '/resources?location=/',
+      method: 'GET',
+      headers: workspaceHeaders(user.token, workspace.id),
+    })
+
+    expect(listRes.status).toEqual(200)
+    const list = await listRes.json()
+    expect(list.some(r => r.id === created.id)).toBe(false)
+  })
+})

package/src/search.action.js

@@ -0,0 +1,19 @@
+import { ResourcesQueries } from './resources.queries.js'
+
+export const id = 'resources/search'
+export const access = 'workspace'
+
+export async function run({ payload, req }) {
+  const query = { ...(payload ?? {}) }
+  const workspaceId = payload?.workspaceId ?? req?.workspaceId
+  const user = payload?.user ?? req?.user
+  let location = query.location
+
+  if (location && !location.endsWith('/')) location += '/'
+  if (location && !location.startsWith('/')) location = '/' + location
+  if (location) query.location = location
+
+  if (workspaceId) query.belongsTo = workspaceId
+
+  return ResourcesQueries.GetResources(query, user)
+}

package/src/search.api.js

@@ -0,0 +1,27 @@
+import { ActionService } from '@ossy/platform'
+import { attachResourceMediaUrls } from './resources.attach-media-urls.js'
+
+export const metadata = {
+  id: 'resources.search',
+  path: '/api/v0/resources/search',
+}
+
+export default async function handle(req, res) {
+  if (req.method !== 'POST') {
+    res.setHeader('Allow', 'POST')
+    res.status(405).json({ error: 'Method Not Allowed' })
+    return
+  }
+  try {
+    const resources = await ActionService.invoke('resources/search', {
+      payload: { ...req.body, workspaceId: req.workspaceId, user: req.user },
+      req,
+    })
+    const withUrls = await Promise.all(
+      resources.map(r => attachResourceMediaUrls(r, { userId: req.userId, workspaceId: req.workspaceId }))
+    )
+    res.json(withUrls)
+  } catch (err) {
+    res.status(err?.status ?? 500).json({ error: err?.message })
+  }
+}

package/src/update-access.action.js

@@ -0,0 +1,20 @@
+import { Aggregate } from '@ossy/event-store'
+import { Resource, ResourcesEvents } from '@ossy/resources'
+
+export const id = 'resources/update-access'
+export const access = 'workspace'
+
+export async function run({ payload, req }) {
+  const createdBy = payload?.userId ?? req?.userId
+  const resourceId = payload?.resourceId ?? req?.params?.resourceId
+  const resourceAccess = payload?.access
+
+  if (!resourceId) throw Object.assign(new Error('resourceId is required'), { status: 400 })
+  if (!['public', 'restricted'].includes(resourceAccess)) {
+    throw Object.assign(new Error(`Invalid access value: ${resourceAccess}`), { status: 400 })
+  }
+
+  return Aggregate.Of(Resource, resourceId)
+    .then(Aggregate.Add(ResourcesEvents.AccessUpdated({ createdBy, access: resourceAccess })))
+    .then(Aggregate.View())
+}

package/src/update-content.action.js

@@ -0,0 +1,39 @@
+import { Aggregate } from '@ossy/event-store'
+import { Resource, ResourcesEvents } from '@ossy/resources'
+import { Workspace } from '@ossy/workspaces'
+import { getSystemResourceTemplates, normalizeAndValidateDocumentContent } from '@ossy/platform'
+
+export const id = 'resources/update-content'
+export const access = 'workspace'
+
+export async function run({ payload, req }) {
+  const createdBy = payload?.userId ?? req?.userId
+  const resourceId = payload?.resourceId ?? req?.params?.resourceId
+  const content = payload?.content
+  const workspaceId = payload?.workspaceId ?? req?.workspaceId
+
+  if (!resourceId) throw Object.assign(new Error('resourceId is required'), { status: 400 })
+
+  const workspace = await Aggregate.Of(Workspace, workspaceId).then(Aggregate.View())
+
+  return Aggregate.Of(Resource, resourceId)
+    .then(aggregate => {
+      const resource = Aggregate.View()(aggregate)
+      const systemTemplates = getSystemResourceTemplates()
+      const allTemplates = [
+        ...systemTemplates,
+        ...(workspace.resourceTemplates || []).filter(t => !systemTemplates.find(s => s.id === t.id)),
+      ]
+      const template = allTemplates.find(t => t.id === resource.type)
+      let finalContent = content
+      if (template) {
+        const normalized = normalizeAndValidateDocumentContent(content, template)
+        if (!normalized.ok) {
+          throw Object.assign(new Error(normalized.message), { status: 400, type: normalized.code })
+        }
+        finalContent = normalized.content
+      }
+      return Aggregate.Add(ResourcesEvents.ContentUpdated({ createdBy, content: finalContent }))(aggregate)
+    })
+    .then(Aggregate.View())
+}

package/src/update-location.action.js

@@ -0,0 +1,18 @@
+import { Aggregate } from '@ossy/event-store'
+import { Resource, ResourcesEvents } from '@ossy/resources'
+
+export const id = 'resources/update-location'
+export const access = 'workspace'
+
+export async function run({ payload, req }) {
+  const createdBy = payload?.userId ?? req?.userId
+  const resourceId = payload?.resourceId ?? req?.params?.resourceId
+  const location = payload?.target ?? payload?.location
+
+  if (!resourceId) throw Object.assign(new Error('resourceId is required'), { status: 400 })
+  if (!location) throw Object.assign(new Error('target location is required'), { status: 400 })
+
+  return Aggregate.Of(Resource, resourceId)
+    .then(Aggregate.Add(ResourcesEvents.LocationUpdated({ createdBy, location })))
+    .then(Aggregate.View())
+}

package/src/update-name.action.js

@@ -0,0 +1,18 @@
+import { Aggregate } from '@ossy/event-store'
+import { Resource, ResourcesEvents } from '@ossy/resources'
+
+export const id = 'resources/update-name'
+export const access = 'workspace'
+
+export async function run({ payload, req }) {
+  const createdBy = payload?.userId ?? req?.userId
+  const resourceId = payload?.resourceId ?? req?.params?.resourceId
+  const name = payload?.name
+
+  if (!resourceId) throw Object.assign(new Error('resourceId is required'), { status: 400 })
+  if (!name) throw Object.assign(new Error('name is required'), { status: 400 })
+
+  return Aggregate.Of(Resource, resourceId)
+    .then(Aggregate.Add(ResourcesEvents.NameUpdated({ createdBy, name })))
+    .then(Aggregate.View())
+}

package/src/upload-named-version.action.js

@@ -0,0 +1,42 @@
+import { Aggregate } from '@ossy/event-store'
+import { Resource, ResourcesEvents } from '@ossy/resources'
+import { Workspace } from '@ossy/workspaces'
+
+export const id = 'resources/upload-named-version'
+export const access = 'workspace'
+
+export async function run({ payload, integrations, req }) {
+  const createdBy = payload?.userId ?? req?.userId
+  const workspaceId = payload?.workspaceId ?? req?.workspaceId
+  const resourceId = payload?.resourceId ?? req?.params?.resourceId
+  const namedVersion = payload?.namedVersion ?? req?.params?.namedVersion
+  const type = payload?.type
+  const size = payload?.size
+
+  if (!resourceId) throw Object.assign(new Error('resourceId is required'), { status: 400 })
+  if (!namedVersion) throw Object.assign(new Error('namedVersion is required'), { status: 400 })
+
+  const workspace = await Aggregate.Of(Workspace, workspaceId).then(Aggregate.View())
+
+  const event = ResourcesEvents.NamedVersionUploaded({
+    createdBy,
+    namedVersion,
+    Key: `media/${workspace.id}/${resourceId}/${namedVersion}.${type.replace('image/', '')}`,
+    ContentLength: size,
+    ContentType: type,
+  })
+
+  const storageClient = integrations?.get?.('storage')
+  const uploadHeaders = {
+    ContentLength: event.payload.ContentLength,
+    ContentType: event.payload.ContentType,
+    Key: event.payload.Key,
+  }
+  const uploadUrl = storageClient ? await storageClient.createUploadUrl(uploadHeaders) : null
+  const resource = await Aggregate.Of(Resource, resourceId)
+    .then(Aggregate.Add(event))
+    .then(Aggregate.View())
+  return uploadUrl
+    ? { ...resource, content: { ...resource.content, uploadUrl } }
+    : resource
+}