@webmaster-droid/server 0.1.0-alpha.0 → 0.2.0

package/dist/chunk-SIXK4BMG.js

@@ -0,0 +1,138 @@
+// src/api-aws/auth.ts
+import { createRemoteJWKSet, decodeProtectedHeader, jwtVerify } from "jose";
+var jwksCache = null;
+function getJwks() {
+  const jwksUrl = process.env.SUPABASE_JWKS_URL;
+  if (!jwksUrl) {
+    throw new Error("SUPABASE_JWKS_URL is not configured");
+  }
+  if (!jwksCache) {
+    jwksCache = createRemoteJWKSet(new URL(jwksUrl));
+  }
+  return jwksCache;
+}
+function buildSupabaseUserEndpoint() {
+  const explicitBaseUrl = process.env.SUPABASE_URL?.trim();
+  if (explicitBaseUrl) {
+    return `${explicitBaseUrl.replace(/\/$/, "")}/auth/v1/user`;
+  }
+  const jwksUrl = process.env.SUPABASE_JWKS_URL?.trim();
+  if (!jwksUrl) {
+    throw new Error("SUPABASE_JWKS_URL is not configured");
+  }
+  const parsed = new URL(jwksUrl);
+  return `${parsed.origin}/auth/v1/user`;
+}
+function getSupabaseAnonKey() {
+  const key = process.env.SUPABASE_ANON_KEY?.trim() ?? process.env.NEXT_PUBLIC_SUPABASE_ANON_KEY?.trim();
+  if (!key) {
+    throw new Error("SUPABASE_ANON_KEY is required for HS256 token verification fallback.");
+  }
+  return key;
+}
+async function verifyHs256ViaSupabase(token) {
+  const response = await fetch(buildSupabaseUserEndpoint(), {
+    method: "GET",
+    headers: {
+      authorization: `Bearer ${token}`,
+      apikey: getSupabaseAnonKey()
+    }
+  });
+  if (!response.ok) {
+    const detail = await response.text();
+    throw new Error(`Supabase token verification failed: ${response.status} ${detail}`);
+  }
+  const user = await response.json();
+  const sub = typeof user.id === "string" ? user.id : "";
+  if (!sub) {
+    throw new Error("Supabase token verification returned no user id.");
+  }
+  return {
+    sub,
+    email: typeof user.email === "string" ? user.email : void 0,
+    role: typeof user.role === "string" ? user.role : void 0
+  };
+}
+function getBearerToken(headers) {
+  const value = headers.authorization ?? headers.Authorization;
+  if (!value) {
+    return null;
+  }
+  const [prefix, token] = value.split(" ");
+  if (prefix?.toLowerCase() !== "bearer" || !token) {
+    return null;
+  }
+  return token;
+}
+async function verifyAdminToken(token) {
+  const header = decodeProtectedHeader(token);
+  const algorithm = typeof header.alg === "string" ? header.alg : "";
+  if (algorithm === "HS256") {
+    const secret = process.env.SUPABASE_JWT_SECRET?.trim();
+    if (secret) {
+      const result2 = await jwtVerify(token, new TextEncoder().encode(secret), {
+        algorithms: ["HS256"]
+      });
+      const payload2 = result2.payload;
+      const identity3 = {
+        sub: String(payload2.sub ?? ""),
+        email: typeof payload2.email === "string" ? payload2.email : void 0,
+        role: typeof payload2.role === "string" ? payload2.role : typeof payload2.user_role === "string" ? payload2.user_role : void 0
+      };
+      if (!identity3.sub) {
+        throw new Error("Invalid token: subject is missing.");
+      }
+      const enforcedAdminEmail3 = process.env.ADMIN_EMAIL;
+      if (enforcedAdminEmail3 && identity3.email?.toLowerCase() !== enforcedAdminEmail3.toLowerCase()) {
+        throw new Error("Authenticated user is not allowed for admin access.");
+      }
+      return identity3;
+    }
+    const identity2 = await verifyHs256ViaSupabase(token);
+    const enforcedAdminEmail2 = process.env.ADMIN_EMAIL;
+    if (enforcedAdminEmail2 && identity2.email?.toLowerCase() !== enforcedAdminEmail2.toLowerCase()) {
+      throw new Error("Authenticated user is not allowed for admin access.");
+    }
+    return identity2;
+  }
+  const result = await jwtVerify(token, getJwks(), {
+    algorithms: ["RS256", "ES256"]
+  });
+  const payload = result.payload;
+  const identity = {
+    sub: String(payload.sub ?? ""),
+    email: typeof payload.email === "string" ? payload.email : void 0,
+    role: typeof payload.role === "string" ? payload.role : typeof payload.user_role === "string" ? payload.user_role : void 0
+  };
+  if (!identity.sub) {
+    throw new Error("Invalid token: subject is missing.");
+  }
+  const enforcedAdminEmail = process.env.ADMIN_EMAIL;
+  if (enforcedAdminEmail && identity.email?.toLowerCase() !== enforcedAdminEmail.toLowerCase()) {
+    throw new Error("Authenticated user is not allowed for admin access.");
+  }
+  return identity;
+}
+
+// src/api-aws/normalize-editable-path.ts
+var EDITABLE_ROOTS = ["pages.", "layout.", "seo.", "themeTokens."];
+var MAX_PATH_LENGTH = 320;
+function normalizeEditablePath(value) {
+  if (typeof value !== "string") {
+    return null;
+  }
+  const trimmed = value.trim();
+  if (!trimmed || trimmed.length > MAX_PATH_LENGTH) {
+    return null;
+  }
+  if (!EDITABLE_ROOTS.some((prefix) => trimmed.startsWith(prefix))) {
+    return null;
+  }
+  return trimmed;
+}
+
+export {
+  getBearerToken,
+  verifyAdminToken,
+  normalizeEditablePath
+};

package/dist/core/index.d.ts

@@ -3,8 +3,9 @@ export { A as AgentBatchMutationInput, a as AnyCmsDocument, C as CmsMutationInpu
 import { CmsDocument, CmsPatch, ThemeTokenPatch } from '@webmaster-droid/contracts';
 export { C as CmsService, c as createPatchFromAgentOperations, a as createThemePatchFromAgentOperations } from '../service-BYwdlvCI.js';
 
+declare function readByPath(input: unknown, path: string): unknown;
 declare function validatePatch(patch: CmsPatch, source: CmsDocument, options: PatchApplicationOptions): PatchValidationResult;
 declare function applyPatch(source: CmsDocument, patch: CmsPatch, options: PatchApplicationOptions): PatchApplyResult;
 declare function applyThemeTokenPatch(source: CmsDocument, patch: ThemeTokenPatch): ThemeApplyResult;
 
-export { PatchApplicationOptions, PatchApplyResult, PatchValidationResult, ThemeApplyResult, applyPatch, applyThemeTokenPatch, validatePatch };
+export { PatchApplicationOptions, PatchApplyResult, PatchValidationResult, ThemeApplyResult, applyPatch, applyThemeTokenPatch, readByPath, validatePatch };

package/dist/core/index.js

@@ -4,13 +4,15 @@ import {
   applyThemeTokenPatch,
   createPatchFromAgentOperations,
   createThemePatchFromAgentOperations,
+  readByPath,
   validatePatch
-} from "../chunk-2LAI3MY2.js";
+} from "../chunk-EYY23AAK.js";
 export {
   CmsService,
   applyPatch,
   applyThemeTokenPatch,
   createPatchFromAgentOperations,
   createThemePatchFromAgentOperations,
+  readByPath,
   validatePatch
 };

package/dist/index.d.ts

@@ -1,9 +1,12 @@
 export { A as AgentBatchMutationInput, a as AnyCmsDocument, C as CmsMutationInput, b as CmsServiceConfig, M as ModelAdapter, c as ModelAdapterInput, d as ModelAdapterOutput, e as MutationResult, P as PatchApplicationOptions, f as PatchApplyResult, g as PatchValidationResult, S as StorageAdapter, T as ThemeApplyResult, h as ThemeMutationInput, i as ThemeMutationResult, j as ToolRegistry } from './types-OKJgq7Oo.js';
-export { applyPatch, applyThemeTokenPatch, validatePatch } from './core/index.js';
+export { applyPatch, applyThemeTokenPatch, readByPath, validatePatch } from './core/index.js';
 export { C as CmsService, c as createPatchFromAgentOperations, a as createThemePatchFromAgentOperations } from './service-BYwdlvCI.js';
 export { S3CmsStorage } from './storage-s3/index.js';
+export { SupabaseCmsStorage } from './storage-supabase/index.js';
 export { AgentRunnerInput, AgentRunnerResult, StaticToolName, listStaticToolNames, runAgentTurn } from './agent/index.js';
 export { handler, streamHandler } from './api-aws/index.js';
+export { default as supabaseHandler } from './api-supabase/index.js';
 import '@webmaster-droid/contracts';
 import '@aws-sdk/client-s3';
+import '@supabase/supabase-js';
 import 'aws-lambda';

package/dist/index.js

@@ -1,32 +1,43 @@
 import {
   handler,
   streamHandler
-} from "./chunk-5CVLHGGO.js";
+} from "./chunk-6M55DMUE.js";
+import {
+  handler as handler2
+} from "./chunk-JIGCFERP.js";
+import "./chunk-SIXK4BMG.js";
 import {
   listStaticToolNames,
   runAgentTurn
-} from "./chunk-X6TU47KZ.js";
+} from "./chunk-PS4GESOZ.js";
 import {
   CmsService,
   applyPatch,
   applyThemeTokenPatch,
   createPatchFromAgentOperations,
   createThemePatchFromAgentOperations,
+  readByPath,
   validatePatch
-} from "./chunk-2LAI3MY2.js";
+} from "./chunk-EYY23AAK.js";
 import {
   S3CmsStorage
 } from "./chunk-MLID7STX.js";
+import {
+  SupabaseCmsStorage
+} from "./chunk-OWXROQ4O.js";
 export {
   CmsService,
   S3CmsStorage,
+  SupabaseCmsStorage,
   applyPatch,
   applyThemeTokenPatch,
   createPatchFromAgentOperations,
   createThemePatchFromAgentOperations,
   handler,
   listStaticToolNames,
+  readByPath,
   runAgentTurn,
   streamHandler,
+  handler2 as supabaseHandler,
   validatePatch
 };

package/dist/storage-supabase/index.d.ts

@@ -0,0 +1,50 @@
+import { SupabaseClient } from '@supabase/supabase-js';
+import { CmsDocument, CmsStage, CheckpointMeta, PublishedVersionMeta, RollbackRequest, AuditEvent } from '@webmaster-droid/contracts';
+import { S as StorageAdapter } from '../types-OKJgq7Oo.js';
+
+interface SupabaseCmsStorageOptions {
+    supabaseUrl: string;
+    serviceRoleKey: string;
+    bucket: string;
+    prefix?: string;
+    client?: SupabaseClient;
+}
+declare class SupabaseCmsStorage implements StorageAdapter {
+    private readonly bucket;
+    private readonly client;
+    private readonly prefix;
+    constructor(options: SupabaseCmsStorageOptions);
+    ensureInitialized(seed: CmsDocument): Promise<void>;
+    getContent(stage: CmsStage): Promise<CmsDocument>;
+    saveDraft(content: CmsDocument): Promise<void>;
+    saveLive(content: CmsDocument): Promise<void>;
+    putPublicAsset(input: {
+        key: string;
+        body: Uint8Array;
+        contentType: string;
+        cacheControl?: string;
+    }): Promise<void>;
+    createCheckpoint(content: CmsDocument, input: {
+        createdBy?: string;
+        reason: string;
+    }): Promise<CheckpointMeta>;
+    deleteCheckpoint(id: string): Promise<boolean>;
+    listCheckpoints(): Promise<CheckpointMeta[]>;
+    publishDraft(input: {
+        content: CmsDocument;
+        createdBy?: string;
+    }): Promise<PublishedVersionMeta>;
+    listPublishedVersions(): Promise<PublishedVersionMeta[]>;
+    getSnapshot(input: RollbackRequest): Promise<CmsDocument | null>;
+    appendEvent(event: AuditEvent): Promise<void>;
+    private tryGetStage;
+    private saveStage;
+    private stageKey;
+    private putJson;
+    private listKeys;
+    private tryGetText;
+    private getText;
+    private isMissingObjectError;
+}
+
+export { SupabaseCmsStorage };

package/dist/storage-supabase/index.js

@@ -0,0 +1,6 @@
+import {
+  SupabaseCmsStorage
+} from "../chunk-OWXROQ4O.js";
+export {
+  SupabaseCmsStorage
+};

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@webmaster-droid/server",
-  "version": "0.1.0-alpha.0",
+  "version": "0.2.0",
   "type": "module",
   "main": "./dist/index.js",
   "types": "./dist/index.d.ts",
@@ -17,6 +17,10 @@
       "types": "./dist/storage-s3/index.d.ts",
       "import": "./dist/storage-s3/index.js"
     },
+    "./storage-supabase": {
+      "types": "./dist/storage-supabase/index.d.ts",
+      "import": "./dist/storage-supabase/index.js"
+    },
     "./agent": {
       "types": "./dist/agent/index.d.ts",
       "import": "./dist/agent/index.js"
@@ -24,6 +28,10 @@
     "./api-aws": {
       "types": "./dist/api-aws/index.d.ts",
       "import": "./dist/api-aws/index.js"
+    },
+    "./api-supabase": {
+      "types": "./dist/api-supabase/index.d.ts",
+      "import": "./dist/api-supabase/index.js"
     }
   },
   "files": [
@@ -36,7 +44,8 @@
     "@ai-sdk/google": "^3.0.29",
     "@ai-sdk/openai": "^3.0.29",
     "@aws-sdk/client-s3": "^3.888.0",
-    "@webmaster-droid/contracts": "^0.1.0-alpha.2",
+    "@supabase/supabase-js": "^2.57.2",
+    "@webmaster-droid/contracts": "^0.1.0",
     "ai": "^6.0.86",
     "aws-lambda": "^1.0.7",
     "jose": "^6.1.0",
@@ -44,12 +53,13 @@
   },
   "scripts": {
     "typecheck": "tsc --noEmit",
-    "build": "tsup src/index.ts src/core/index.ts src/storage-s3/index.ts src/agent/index.ts src/api-aws/index.ts --format esm --dts --clean"
+    "build": "tsup src/index.ts src/core/index.ts src/storage-s3/index.ts src/storage-supabase/index.ts src/agent/index.ts src/api-aws/index.ts src/api-supabase/index.ts --format esm --dts --clean && node scripts/copy-agent-assets.mjs",
+    "test": "node ../../scripts/run-workspace-tests.mjs"
   },
   "devDependencies": {
     "@types/aws-lambda": "^8.10.160"
   },
-  "description": "Unified backend runtime: core service, S3 storage, AI agent, and AWS API adapters.",
+  "description": "Unified backend runtime: core service, storage adapters, AI agent, and API adapters for AWS and Supabase.",
   "license": "MIT",
   "repository": {
     "type": "git",