@valentinkolb/cloud 0.4.0 → 0.5.0

package/src/config/ssr.ts

@@ -7,6 +7,7 @@ import { createSSRHandler } from "@valentinkolb/ssr/hono";
 import { env } from "./env";
 import { dirname, resolve } from "node:path";
 import { fileURLToPath } from "node:url";
+import { themeBootstrapScript } from "../shared/theme";
 
 /** Cache-busting version stamp — changes on every server start / rebuild. */
 const v = Date.now();
@@ -37,15 +38,7 @@ export const { config, plugin, html } = createConfig<PageOptions>({
     <link rel="icon" href="/branding/favicon">
     <link rel="stylesheet" href="/public/build.css?v=${v}">
     <link rel="stylesheet" href="/public/katex.css?v=${v}">
-    <script>
-      (function() {
-        var el = document.documentElement;
-        if (!el.hasAttribute('data-theme-fixed')) {
-          var theme = document.cookie.match(/theme=([^;]+)/)?.[1] || 'light';
-          el.classList.add(theme);
-        }
-      })();
-    </script>
+    <script>${themeBootstrapScript}</script>
   </head>
   <body>
     ${body}

package/src/contracts/announcements.test.ts

@@ -0,0 +1,37 @@
+import { describe, expect, test } from "bun:test";
+import {
+  ANNOUNCEMENTS_COOKIE,
+  mergeAnnouncementCookieState,
+  parseAnnouncementCookieHeader,
+  parseAnnouncementCookieValue,
+  serializeAnnouncementCookieState,
+} from "./announcements";
+
+describe("announcement cookie state", () => {
+  test("returns defaults for empty or malformed cookies", () => {
+    expect(parseAnnouncementCookieValue(null)).toEqual({ seenAnnouncementVersion: 0, dismissedBannerVersions: [] });
+    expect(parseAnnouncementCookieValue("%7Bbad")).toEqual({ seenAnnouncementVersion: 0, dismissedBannerVersions: [] });
+    expect(parseAnnouncementCookieHeader("theme=dark")).toEqual({ seenAnnouncementVersion: 0, dismissedBannerVersions: [] });
+  });
+
+  test("parses state from a cookie header", () => {
+    const value = serializeAnnouncementCookieState({
+      seenAnnouncementVersion: 12,
+      dismissedBannerVersions: [3, 2, 3],
+    });
+
+    expect(parseAnnouncementCookieHeader(`theme=dark; ${ANNOUNCEMENTS_COOKIE}=${value}; other=1`)).toEqual({
+      seenAnnouncementVersion: 12,
+      dismissedBannerVersions: [3, 2],
+    });
+  });
+
+  test("merges state monotonically", () => {
+    expect(
+      mergeAnnouncementCookieState(
+        { seenAnnouncementVersion: 10, dismissedBannerVersions: [4] },
+        { seenAnnouncementVersion: 8, dismissedBannerVersions: [5, 4] },
+      ),
+    ).toEqual({ seenAnnouncementVersion: 10, dismissedBannerVersions: [5, 4] });
+  });
+});

package/src/contracts/announcements.ts

@@ -0,0 +1,121 @@
+import { z } from "zod";
+
+export const ANNOUNCEMENTS_COOKIE = "cloud_announcements";
+export const ANNOUNCEMENTS_COOKIE_MAX_AGE_SECONDS = 60 * 60 * 24 * 365;
+export const MAX_DISMISSED_BANNER_VERSIONS = 50;
+
+export const AnnouncementKindSchema = z.enum(["announcement", "banner"]);
+export type AnnouncementKind = z.infer<typeof AnnouncementKindSchema>;
+
+export const AnnouncementToneSchema = z.enum(["info", "success", "warning", "danger"]);
+export type AnnouncementTone = z.infer<typeof AnnouncementToneSchema>;
+
+export const AnnouncementCookieStateSchema = z.object({
+  seenAnnouncementVersion: z.number().int().nonnegative().default(0),
+  dismissedBannerVersions: z.array(z.number().int().positive()).default([]),
+});
+export type AnnouncementCookieState = z.infer<typeof AnnouncementCookieStateSchema>;
+
+export const DEFAULT_ANNOUNCEMENT_COOKIE_STATE: AnnouncementCookieState = {
+  seenAnnouncementVersion: 0,
+  dismissedBannerVersions: [],
+};
+
+export const AnnouncementEntrySchema = z.object({
+  id: z.uuid(),
+  version: z.number().int().positive(),
+  kind: AnnouncementKindSchema,
+  title: z.string(),
+  body: z.string(),
+  tone: AnnouncementToneSchema,
+  publishedAt: z.string().datetime(),
+  expiresAt: z.string().datetime().nullable(),
+  createdAt: z.string().datetime(),
+  updatedAt: z.string().datetime(),
+  createdBy: z.uuid().nullable(),
+  updatedBy: z.uuid().nullable(),
+});
+export type AnnouncementEntry = z.infer<typeof AnnouncementEntrySchema>;
+
+export const AnnouncementDisplayEntrySchema = AnnouncementEntrySchema.omit({ body: true }).extend({
+  bodyHtml: z.string(),
+});
+export type AnnouncementDisplayEntry = z.infer<typeof AnnouncementDisplayEntrySchema>;
+
+const DatetimeInputSchema = z.string().datetime();
+const NullableDatetimeInputSchema = z.string().datetime().nullable();
+
+export const CreateAnnouncementSchema = z.object({
+  kind: AnnouncementKindSchema,
+  title: z.string().trim().min(1).max(180),
+  body: z.string().trim().min(1).max(20_000),
+  tone: AnnouncementToneSchema.default("info"),
+  publishedAt: DatetimeInputSchema.optional(),
+  expiresAt: NullableDatetimeInputSchema.optional(),
+});
+export type CreateAnnouncement = z.infer<typeof CreateAnnouncementSchema>;
+
+export const UpdateAnnouncementSchema = z
+  .object({
+    kind: AnnouncementKindSchema.optional(),
+    title: z.string().trim().min(1).max(180).optional(),
+    body: z.string().trim().min(1).max(20_000).optional(),
+    tone: AnnouncementToneSchema.optional(),
+    publishedAt: DatetimeInputSchema.optional(),
+    expiresAt: NullableDatetimeInputSchema.optional(),
+  })
+  .refine((value) => Object.keys(value).length > 0, "Provide at least one field to update.");
+export type UpdateAnnouncement = z.infer<typeof UpdateAnnouncementSchema>;
+
+export const AnnouncementListResponseSchema = z.object({
+  items: z.array(AnnouncementEntrySchema),
+});
+export type AnnouncementListResponse = z.infer<typeof AnnouncementListResponseSchema>;
+
+export const ActiveAnnouncementsResponseSchema = z.object({
+  banners: z.array(AnnouncementDisplayEntrySchema),
+  announcements: z.array(AnnouncementDisplayEntrySchema),
+  latestAnnouncementVersion: z.number().int().nonnegative(),
+});
+export type ActiveAnnouncementsResponse = z.infer<typeof ActiveAnnouncementsResponseSchema>;
+
+const normalizeCookieState = (value: unknown): AnnouncementCookieState => {
+  const parsed = AnnouncementCookieStateSchema.safeParse(value);
+  if (!parsed.success) return DEFAULT_ANNOUNCEMENT_COOKIE_STATE;
+  const dismissed = [...new Set(parsed.data.dismissedBannerVersions)]
+    .filter((version) => Number.isInteger(version) && version > 0)
+    .sort((a, b) => b - a)
+    .slice(0, MAX_DISMISSED_BANNER_VERSIONS);
+
+  return {
+    seenAnnouncementVersion: Math.max(0, parsed.data.seenAnnouncementVersion),
+    dismissedBannerVersions: dismissed,
+  };
+};
+
+export const parseAnnouncementCookieValue = (value: string | null | undefined): AnnouncementCookieState => {
+  if (!value) return DEFAULT_ANNOUNCEMENT_COOKIE_STATE;
+  try {
+    return normalizeCookieState(JSON.parse(decodeURIComponent(value)));
+  } catch {
+    return DEFAULT_ANNOUNCEMENT_COOKIE_STATE;
+  }
+};
+
+export const parseAnnouncementCookieHeader = (cookieHeader: string | null | undefined): AnnouncementCookieState => {
+  if (!cookieHeader) return DEFAULT_ANNOUNCEMENT_COOKIE_STATE;
+  const match = cookieHeader.match(new RegExp(`(?:^|;\\s*)${ANNOUNCEMENTS_COOKIE}=([^;]+)`));
+  return parseAnnouncementCookieValue(match?.[1]);
+};
+
+export const serializeAnnouncementCookieState = (state: AnnouncementCookieState): string =>
+  encodeURIComponent(JSON.stringify(normalizeCookieState(state)));
+
+export const mergeAnnouncementCookieState = (
+  current: AnnouncementCookieState,
+  patch: Partial<AnnouncementCookieState>,
+): AnnouncementCookieState =>
+  normalizeCookieState({
+    seenAnnouncementVersion: Math.max(current.seenAnnouncementVersion, patch.seenAnnouncementVersion ?? 0),
+    dismissedBannerVersions: [...current.dismissedBannerVersions, ...(patch.dismissedBannerVersions ?? [])],
+  });

package/src/contracts/app.ts

@@ -43,6 +43,8 @@ export type AppMeta = {
    * silently skip rendering for the current user.
    */
   widgets?: WidgetEndpoint[];
+  /** Setting keys declared by this app. Used by admin tooling to protect active app-owned settings. */
+  settingKeys?: readonly string[];
   /** Gateway-relative URL where this app's OpenAPI JSON is served, or undefined. */
   openapi?: string;
 };

package/src/contracts/index.ts

@@ -1,5 +1,6 @@
+export * from "./announcements";
 export * from "./app";
-export * from "./shared";
-export * from "./registry";
 export * from "./profile";
+export * from "./registry";
+export * from "./shared";
 export * from "./widgets";

package/src/contracts/registry.ts

@@ -47,6 +47,8 @@ export type AppRegistryEntry = {
   search?: AppRegistrySearch;
   legalLinks?: AppRegistryLegalLink[];
   widgets?: AppRegistryWidget[];
+  /** Setting keys declared by this app. Used by admin tooling to avoid treating live app-owned settings as legacy. */
+  settingKeys?: readonly string[];
   /** Gateway-relative URL where this app serves its OpenAPI JSON spec. */
   openapi?: string;
 };

package/src/contracts/shared.ts

@@ -93,7 +93,7 @@ export const BaseGroupSchema = z.object({
 });
 export type BaseGroup = z.infer<typeof BaseGroupSchema>;
 
-export const EntityKindSchema = z.enum(["user", "group"]);
+export const EntityKindSchema = z.enum(["user", "group", "service_account"]);
 export type EntityKind = z.infer<typeof EntityKindSchema>;
 
 export const EntityRelationSchema = z.object({
@@ -112,6 +112,22 @@ export const EntityListItemSchema = z.discriminatedUnion("kind", [
     group: BaseGroupSchema,
     relation: EntityRelationSchema.optional(),
   }),
+  z.object({
+    kind: z.literal("service_account"),
+    serviceAccount: z.object({
+      id: z.uuid(),
+      name: z.string(),
+      kind: z.enum(["user_delegated", "resource_bound"]),
+      status: z.enum(["active", "disabled"]),
+      delegatedUserId: z.uuid().nullable(),
+      appId: z.string().nullable(),
+      resourceType: z.string().nullable(),
+      resourceId: z.string().nullable(),
+      createdBy: z.uuid().nullable(),
+      createdAt: z.string(),
+    }),
+    relation: EntityRelationSchema.optional(),
+  }),
 ]);
 export type EntityListItem = z.infer<typeof EntityListItemSchema>;
 
@@ -181,9 +197,100 @@ export type MutationResult<T = void> = { ok: true; data: T } | { ok: false; erro
 export const PermissionLevelSchema = z.enum(["none", "read", "write", "admin"]);
 export type PermissionLevel = z.infer<typeof PermissionLevelSchema>;
 
+export const ServiceAccountKindSchema = z.enum(["user_delegated", "resource_bound"]);
+export type ServiceAccountKind = z.infer<typeof ServiceAccountKindSchema>;
+
+export const ServiceAccountStatusSchema = z.enum(["active", "disabled"]);
+export type ServiceAccountStatus = z.infer<typeof ServiceAccountStatusSchema>;
+
+export const ServiceAccountSchema = z.object({
+  id: z.uuid(),
+  name: z.string(),
+  kind: ServiceAccountKindSchema,
+  status: ServiceAccountStatusSchema,
+  delegatedUserId: z.uuid().nullable(),
+  appId: z.string().nullable(),
+  resourceType: z.string().nullable(),
+  resourceId: z.string().nullable(),
+  createdBy: z.uuid().nullable(),
+  createdAt: z.string(),
+});
+export type ServiceAccount = z.infer<typeof ServiceAccountSchema>;
+
+export const ServiceAccountCredentialStatusSchema = z.enum(["active", "revoked"]);
+export type ServiceAccountCredentialStatus = z.infer<typeof ServiceAccountCredentialStatusSchema>;
+
+export const ServiceAccountCredentialSchema = z.object({
+  id: z.uuid(),
+  serviceAccountId: z.uuid(),
+  name: z.string(),
+  kind: z.literal("api_token"),
+  status: ServiceAccountCredentialStatusSchema,
+  tokenPrefix: z.string(),
+  scopes: z.array(z.string()),
+  expiresAt: z.string().nullable(),
+  lastUsedAt: z.string().nullable(),
+  createdBy: z.uuid().nullable(),
+  createdAt: z.string(),
+  revokedAt: z.string().nullable(),
+  revokedBy: z.uuid().nullable(),
+});
+export type ServiceAccountCredential = z.infer<typeof ServiceAccountCredentialSchema>;
+
+export const CreateUserApiKeySchema = z.object({
+  name: z.string().trim().min(1).max(120),
+  expiresAt: z.string().datetime().nullable().optional(),
+});
+export type CreateUserApiKey = z.infer<typeof CreateUserApiKeySchema>;
+
+export const CreateUserApiKeyResponseSchema = z.object({
+  credential: ServiceAccountCredentialSchema,
+  token: z.string(),
+});
+export type CreateUserApiKeyResponse = z.infer<typeof CreateUserApiKeyResponseSchema>;
+
+export const WebAuthnPasskeySchema = z.object({
+  id: z.uuid(),
+  userId: z.uuid(),
+  name: z.string(),
+  transports: z.array(z.string()),
+  deviceType: z.string().nullable(),
+  backedUp: z.boolean(),
+  createdAt: z.string(),
+  lastUsedAt: z.string().nullable(),
+});
+export type WebAuthnPasskey = z.infer<typeof WebAuthnPasskeySchema>;
+
+export const CreateWebAuthnPasskeySchema = z.object({
+  name: z.string().trim().min(1).max(120),
+  response: z.unknown(),
+});
+export type CreateWebAuthnPasskey = z.infer<typeof CreateWebAuthnPasskeySchema>;
+
+export const ListWebAuthnPasskeysResponseSchema = z.object({
+  items: z.array(WebAuthnPasskeySchema),
+});
+export type ListWebAuthnPasskeysResponse = z.infer<typeof ListWebAuthnPasskeysResponseSchema>;
+
+export const AccountActivitySchema = z.object({
+  id: z.number(),
+  createdAt: z.string(),
+  action: z.string(),
+  label: z.string(),
+  outcome: z.enum(["allowed", "denied", "failed"]),
+  context: z.string().nullable(),
+});
+export type AccountActivity = z.infer<typeof AccountActivitySchema>;
+
+export const AccountActivityListResponseSchema = z.object({
+  items: z.array(AccountActivitySchema),
+});
+export type AccountActivityListResponse = z.infer<typeof AccountActivityListResponseSchema>;
+
 export const PrincipalSchema = z.discriminatedUnion("type", [
   z.object({ type: z.literal("user"), userId: z.uuid() }),
   z.object({ type: z.literal("group"), groupId: z.uuid() }),
+  z.object({ type: z.literal("service_account"), serviceAccountId: z.uuid() }),
   z.object({ type: z.literal("authenticated") }),
   z.object({ type: z.literal("public") }),
 ]);