@sourcepress/server 0.1.0

package/src/middleware/cors.ts

@@ -0,0 +1,15 @@
+import { cors } from "hono/cors";
+
+// Default to localhost only when no origins are configured (deny-by-default in production)
+const DEFAULT_ORIGINS = ["http://localhost:3000", "http://localhost:4321", "http://localhost:5173"];
+
+export function corsMiddleware(origins?: string | string[]) {
+	const origin = origins ?? DEFAULT_ORIGINS;
+
+	return cors({
+		origin,
+		allowMethods: ["GET", "POST", "PUT", "DELETE", "OPTIONS"],
+		allowHeaders: ["Content-Type", "Authorization"],
+		maxAge: 86400,
+	});
+}

package/src/middleware/error-handler.ts

@@ -0,0 +1,42 @@
+import type { Context, Next } from "hono";
+import { handleRouteError } from "./route-error-handler.js";
+
+export interface ApiError {
+	status: number;
+	message: string;
+	code: string;
+	details?: unknown;
+}
+
+export class SourcePressError extends Error {
+	status: number;
+	code: string;
+	details?: unknown;
+
+	constructor(status: number, code: string, message: string, details?: unknown) {
+		super(message);
+		this.name = "SourcePressError";
+		this.status = status;
+		this.code = code;
+		this.details = details;
+	}
+}
+
+export function errorHandler() {
+	return async (c: Context, next: Next) => {
+		try {
+			await next();
+		} catch (err) {
+			if (err instanceof Error) {
+				if (!(err instanceof SourcePressError)) {
+					console.error("Unhandled error:", err);
+				}
+				return handleRouteError(err, c);
+			}
+			return c.json<ApiError>(
+				{ status: 500, message: "Internal server error", code: "INTERNAL_ERROR" },
+				500,
+			);
+		}
+	};
+}

package/src/middleware/index.ts

@@ -0,0 +1,6 @@
+export { corsMiddleware } from "./cors.js";
+export { errorHandler, SourcePressError } from "./error-handler.js";
+export type { ApiError } from "./error-handler.js";
+export { authMiddleware, requireAuth } from "./auth.js";
+export type { AuthContext } from "./auth.js";
+export { handleRouteError } from "./route-error-handler.js";

package/src/middleware/rate-limit.ts

@@ -0,0 +1,27 @@
+import { rateLimiter } from "hono-rate-limiter";
+
+/**
+ * Rate limiter for AI-consuming endpoints (expensive operations).
+ * 10 requests per minute per IP.
+ */
+export function aiRateLimit() {
+	return rateLimiter({
+		windowMs: 60 * 1000,
+		limit: 10,
+		standardHeaders: "draft-6",
+		keyGenerator: (c) => c.req.header("x-forwarded-for") ?? c.req.header("x-real-ip") ?? "unknown",
+	});
+}
+
+/**
+ * Rate limiter for general endpoints.
+ * 100 requests per minute per IP.
+ */
+export function generalRateLimit() {
+	return rateLimiter({
+		windowMs: 60 * 1000,
+		limit: 100,
+		standardHeaders: "draft-6",
+		keyGenerator: (c) => c.req.header("x-forwarded-for") ?? c.req.header("x-real-ip") ?? "unknown",
+	});
+}

package/src/middleware/route-error-handler.ts

@@ -0,0 +1,13 @@
+import type { Context } from "hono";
+import { SourcePressError } from "./error-handler.js";
+
+export function handleRouteError(err: Error, c: Context) {
+	if (err instanceof SourcePressError) {
+		return c.json(
+			{ status: err.status, message: err.message, code: err.code, details: err.details },
+			err.status as 400 | 404 | 500 | 501,
+		);
+	}
+	console.error("Unhandled route error:", err);
+	return c.json({ status: 500, message: "Internal server error", code: "INTERNAL_ERROR" }, 500);
+}

package/src/routes/approval.ts

@@ -0,0 +1,90 @@
+import type { ContentChange } from "@sourcepress/core";
+import { Hono } from "hono";
+import type { EngineContext } from "../engine.js";
+import { resolveApprovalRule } from "../engine.js";
+import { SourcePressError } from "../middleware/error-handler.js";
+import { handleRouteError } from "../middleware/route-error-handler.js";
+
+export function approvalRoutes(engine: EngineContext) {
+	const app = new Hono();
+
+	// GET /approval/pending — list pending approval requests
+	app.get("/approval/pending", async (c) => {
+		if (!engine.approval) {
+			throw new SourcePressError(501, "APPROVAL_NOT_CONFIGURED", "Approval not configured");
+		}
+		const items = await engine.approval.pending();
+		return c.json({ items, total: items.length });
+	});
+
+	// GET /approval/:id — get single approval request status
+	app.get("/approval/:id", async (c) => {
+		if (!engine.approval) {
+			throw new SourcePressError(501, "APPROVAL_NOT_CONFIGURED", "Approval not configured");
+		}
+		const id = c.req.param("id");
+		const status = await engine.approval.status(id);
+		return c.json({ id, status });
+	});
+
+	// POST /approval — submit content for approval (creates PR or commits directly)
+	app.post("/approval", async (c) => {
+		if (!engine.approval) {
+			throw new SourcePressError(501, "APPROVAL_NOT_CONFIGURED", "Approval not configured");
+		}
+		const body = await c.req.json<ContentChange>();
+		if (!body.collection || !body.slug || !body.path || !body.action || !body.content) {
+			throw new SourcePressError(
+				400,
+				"INVALID_INPUT",
+				"collection, slug, path, action, and content are required",
+			);
+		}
+
+		const rule = resolveApprovalRule(engine.config, body.collection, body.path);
+
+		if (rule === "direct") {
+			await engine.github.createOrUpdateFile(
+				body.path,
+				body.content,
+				`chore: direct publish ${body.collection}/${body.slug}`,
+			);
+			return c.json({ status: "direct", path: body.path }, 201);
+		}
+
+		const request = await engine.approval.submit(body);
+		return c.json(request, 201);
+	});
+
+	// POST /approval/:id/approve — approve (merge PR)
+	app.post("/approval/:id/approve", async (c) => {
+		if (!engine.approval) {
+			throw new SourcePressError(501, "APPROVAL_NOT_CONFIGURED", "Approval not configured");
+		}
+		const id = c.req.param("id");
+		const body = await c.req.json<{ by: string; comment?: string }>();
+		if (!body.by) {
+			throw new SourcePressError(400, "INVALID_INPUT", "by is required");
+		}
+		await engine.approval.approve(id, body.by, body.comment);
+		return c.json({ status: "approved" });
+	});
+
+	// POST /approval/:id/reject — reject (close PR)
+	app.post("/approval/:id/reject", async (c) => {
+		if (!engine.approval) {
+			throw new SourcePressError(501, "APPROVAL_NOT_CONFIGURED", "Approval not configured");
+		}
+		const id = c.req.param("id");
+		const body = await c.req.json<{ by: string; reason: string }>();
+		if (!body.by || !body.reason) {
+			throw new SourcePressError(400, "INVALID_INPUT", "by and reason are required");
+		}
+		await engine.approval.reject(id, body.by, body.reason);
+		return c.json({ status: "rejected" });
+	});
+
+	app.onError(handleRouteError);
+
+	return app;
+}

package/src/routes/content.ts

@@ -0,0 +1,256 @@
+import { Hono } from "hono";
+import type { EngineContext } from "../engine.js";
+import { SourcePressError } from "../middleware/error-handler.js";
+import { handleRouteError } from "../middleware/route-error-handler.js";
+
+function validateSlug(slug: string): void {
+	if (!/^[a-z0-9-]+$/.test(slug)) {
+		throw new SourcePressError(
+			400,
+			"INVALID_SLUG",
+			`Slug "${slug}" is invalid. Only lowercase letters, digits, and hyphens are allowed.`,
+		);
+	}
+}
+
+export function contentRoutes(engine: EngineContext) {
+	const app = new Hono();
+
+	app.onError(handleRouteError);
+
+	// GET /content — list all content across all collections
+	app.get("/content", async (c) => {
+		const collections = engine.listCollections();
+		const allContent: Array<{
+			collection: string;
+			slug: string;
+			path: string;
+			frontmatter: Record<string, unknown>;
+		}> = [];
+
+		for (const collection of collections) {
+			const files = await engine.listContent(collection);
+			for (const file of files) {
+				allContent.push({
+					collection: file.collection,
+					slug: file.slug,
+					path: file.path,
+					frontmatter: file.frontmatter,
+				});
+			}
+		}
+
+		return c.json({ items: allContent, total: allContent.length });
+	});
+
+	// GET /content/:collection — list content in a collection
+	app.get("/content/:collection", async (c) => {
+		const collection = c.req.param("collection");
+		const def = engine.getCollectionDef(collection);
+
+		if (!def) {
+			throw new SourcePressError(
+				404,
+				"COLLECTION_NOT_FOUND",
+				`Collection "${collection}" not found`,
+			);
+		}
+
+		const files = await engine.listContent(collection);
+		const items = files.map((f) => ({
+			collection: f.collection,
+			slug: f.slug,
+			path: f.path,
+			frontmatter: f.frontmatter,
+			body: f.body,
+		}));
+
+		return c.json({ items, total: items.length, collection: def });
+	});
+
+	// GET /content/:collection/:slug — get a single content file
+	app.get("/content/:collection/:slug", async (c) => {
+		const collection = c.req.param("collection");
+		const slug = c.req.param("slug");
+		validateSlug(slug);
+		const def = engine.getCollectionDef(collection);
+
+		if (!def) {
+			throw new SourcePressError(
+				404,
+				"COLLECTION_NOT_FOUND",
+				`Collection "${collection}" not found`,
+			);
+		}
+
+		const file = await engine.getContent(collection, slug);
+		if (!file) {
+			throw new SourcePressError(
+				404,
+				"CONTENT_NOT_FOUND",
+				`Content "${slug}" not found in "${collection}"`,
+			);
+		}
+
+		return c.json(file);
+	});
+
+	// POST /content/:collection — create new content (returns PR)
+	app.post("/content/:collection", async (c) => {
+		const collection = c.req.param("collection");
+		const def = engine.getCollectionDef(collection);
+
+		if (!def) {
+			throw new SourcePressError(
+				404,
+				"COLLECTION_NOT_FOUND",
+				`Collection "${collection}" not found`,
+			);
+		}
+
+		const body = await c.req.json<{
+			slug: string;
+			frontmatter: Record<string, unknown>;
+			body: string;
+		}>();
+
+		if (!body.slug || !body.body) {
+			throw new SourcePressError(400, "INVALID_INPUT", "slug and body are required");
+		}
+		validateSlug(body.slug);
+
+		// Build file content with frontmatter
+		const ext = def.format === "yaml" ? "yaml" : def.format === "json" ? "json" : def.format;
+		const basePath = def.path.replace(/\/+$/, "");
+		const filePath = `${basePath}/${body.slug}.${ext}`;
+		const frontmatterYaml = Object.entries(body.frontmatter ?? {})
+			.map(([key, value]) => `${key}: ${JSON.stringify(value)}`)
+			.join("\n");
+		const fileContent = `---\n${frontmatterYaml}\n---\n\n${body.body}`;
+
+		// Create branch + commit + PR
+		const branchName = `sourcepress/create-${collection}-${body.slug}-${Date.now()}`;
+		await engine.github.createBranch(branchName);
+		await engine.github.createOrUpdateFile(
+			filePath,
+			fileContent,
+			`feat(${collection}): create ${body.slug}`,
+			branchName,
+		);
+		const pr = await engine.github.createPR(
+			`Create ${collection}: ${body.slug}`,
+			`Created by SourcePress API.\n\nCollection: ${collection}\nSlug: ${body.slug}`,
+			branchName,
+		);
+
+		return c.json(
+			{ created: true, path: filePath, pr: { number: pr.number, url: pr.html_url } },
+			201,
+		);
+	});
+
+	// PUT /content/:collection/:slug — update content (returns PR)
+	app.put("/content/:collection/:slug", async (c) => {
+		const collection = c.req.param("collection");
+		const slug = c.req.param("slug");
+		validateSlug(slug);
+		const def = engine.getCollectionDef(collection);
+
+		if (!def) {
+			throw new SourcePressError(
+				404,
+				"COLLECTION_NOT_FOUND",
+				`Collection "${collection}" not found`,
+			);
+		}
+
+		const existing = await engine.getContent(collection, slug);
+		if (!existing) {
+			throw new SourcePressError(
+				404,
+				"CONTENT_NOT_FOUND",
+				`Content "${slug}" not found in "${collection}"`,
+			);
+		}
+
+		const body = await c.req.json<{
+			frontmatter?: Record<string, unknown>;
+			body?: string;
+		}>();
+
+		const mergedFrontmatter = { ...existing.frontmatter, ...(body.frontmatter ?? {}) };
+		const mergedBody = body.body ?? existing.body;
+
+		const frontmatterYaml = Object.entries(mergedFrontmatter)
+			.map(([key, value]) => `${key}: ${JSON.stringify(value)}`)
+			.join("\n");
+		const fileContent = `---\n${frontmatterYaml}\n---\n\n${mergedBody}`;
+
+		// Get existing file SHA for update
+		const ext = def.format === "yaml" ? "yaml" : def.format === "json" ? "json" : def.format;
+		const filePath = `${def.path}/${slug}.${ext}`;
+		const existingFile = await engine.github.getFile(filePath);
+		const existingSha = existingFile?.sha;
+
+		const branchName = `sourcepress/update-${collection}-${slug}-${Date.now()}`;
+		await engine.github.createBranch(branchName);
+		await engine.github.createOrUpdateFile(
+			filePath,
+			fileContent,
+			`update(${collection}): update ${slug}`,
+			branchName,
+			existingSha,
+		);
+		const pr = await engine.github.createPR(
+			`Update ${collection}: ${slug}`,
+			`Updated by SourcePress API.\n\nCollection: ${collection}\nSlug: ${slug}`,
+			branchName,
+		);
+
+		return c.json({ updated: true, path: filePath, pr: { number: pr.number, url: pr.html_url } });
+	});
+
+	// DELETE /content/:collection/:slug — delete content (returns PR)
+	app.delete("/content/:collection/:slug", async (c) => {
+		const collection = c.req.param("collection");
+		const slug = c.req.param("slug");
+		validateSlug(slug);
+		const def = engine.getCollectionDef(collection);
+
+		if (!def) {
+			throw new SourcePressError(
+				404,
+				"COLLECTION_NOT_FOUND",
+				`Collection "${collection}" not found`,
+			);
+		}
+
+		const existing = await engine.getContent(collection, slug);
+		if (!existing) {
+			throw new SourcePressError(
+				404,
+				"CONTENT_NOT_FOUND",
+				`Content "${slug}" not found in "${collection}"`,
+			);
+		}
+
+		// Delete is implemented as creating a PR that removes the file
+		// For now, we create a branch and commit an empty update with a delete marker
+		const branchName = `sourcepress/delete-${collection}-${slug}-${Date.now()}`;
+		await engine.github.createBranch(branchName);
+
+		const pr = await engine.github.createPR(
+			`Delete ${collection}: ${slug}`,
+			`Deletion requested by SourcePress API.\n\nCollection: ${collection}\nSlug: ${slug}\nPath: ${existing.path}`,
+			branchName,
+		);
+
+		return c.json({
+			deleted: true,
+			path: existing.path,
+			pr: { number: pr.number, url: pr.html_url },
+		});
+	});
+
+	return app;
+}