@xtrable-ltd/nanoesis 0.1.0

package/dist/editor-api.js

@@ -0,0 +1,592 @@
+import {
+  buildAuthoringReference,
+  canEdit,
+  contentTypeFor,
+  deriveFields,
+  hasRole,
+  loadComponents,
+  loadTemplate,
+  renderReferenceMarkdown,
+  validateSite
+} from "./chunk-G2UEZTYC.js";
+
+// ../editor-api/src/api.ts
+var MAX_LOGO_BYTES = 1024 * 1024;
+function requiredWriteRole(path) {
+  const top = path.split("/")[0];
+  if (top === "content") return "author";
+  if (top === "templates" || top === "components" || top === "public") return "developer";
+  return "admin";
+}
+function denyWrite(principal, path) {
+  if (hasRole(principal, requiredWriteRole(path))) return null;
+  return json(403, { ok: false, error: "your role cannot modify this path" });
+}
+function json(status, data) {
+  return {
+    status,
+    headers: { "content-type": "application/json" },
+    body: JSON.stringify(data)
+  };
+}
+function methodNotAllowed() {
+  return json(405, { ok: false, error: "POST only" });
+}
+var BEARER_PREFIX = /^Bearer\s+/i;
+function bearerToken(getHeader) {
+  const raw = getHeader("authorization") ?? getHeader("Authorization");
+  if (raw === void 0) return void 0;
+  const match = BEARER_PREFIX.exec(raw);
+  return match ? raw.slice(match[0].length).trim() : void 0;
+}
+async function parseJsonBody(req) {
+  const bytes = await req.body();
+  if (bytes.byteLength === 0) return null;
+  try {
+    return JSON.parse(new TextDecoder().decode(bytes));
+  } catch {
+    return null;
+  }
+}
+function isLoginRequest(value) {
+  return typeof value === "object" && value !== null && typeof value["username"] === "string" && typeof value["password"] === "string";
+}
+function isChangePasswordRequest(value) {
+  return typeof value === "object" && value !== null && typeof value["currentPassword"] === "string" && typeof value["newPassword"] === "string";
+}
+async function handleAuthRoute(deps, req) {
+  const endpoints = deps.authEndpoints;
+  if (endpoints === void 0) return void 0;
+  switch (req.path) {
+    case "/api/auth/state":
+      return json(200, await endpoints.state());
+    case "/api/login": {
+      if (req.method !== "POST") return methodNotAllowed();
+      const body = await parseJsonBody(req);
+      if (!isLoginRequest(body)) {
+        return json(400, { ok: false, error: "JSON body with username + password required" });
+      }
+      const result = await endpoints.login(body);
+      if (result.ok) {
+        return json(200, {
+          ok: true,
+          token: result.value.token,
+          principal: result.value.principal,
+          firstRunBootstrap: result.value.firstRunBootstrap
+        });
+      }
+      return json(result.status, { ok: false, error: result.error });
+    }
+    case "/api/refresh": {
+      if (req.method !== "POST") return methodNotAllowed();
+      const token = bearerToken(req.getHeader);
+      if (token === void 0) return json(401, { ok: false, error: "no token" });
+      const result = await endpoints.refresh(token);
+      if (result.ok) {
+        return json(200, {
+          ok: true,
+          token: result.value.token,
+          principal: result.value.principal
+        });
+      }
+      return json(result.status, { ok: false, error: result.error });
+    }
+    case "/api/logout": {
+      if (req.method !== "POST") return methodNotAllowed();
+      const token = bearerToken(req.getHeader);
+      await endpoints.logout(token ?? "");
+      return json(200, { ok: true });
+    }
+    default:
+      return void 0;
+  }
+}
+function isObject(value) {
+  return typeof value === "object" && value !== null && !Array.isArray(value);
+}
+function fromAuthResult(result) {
+  return result.ok ? json(200, result.value) : json(result.status, { ok: false, error: result.error });
+}
+async function handleUserAdminRoute(deps, req, caller) {
+  const userAdmin = deps.userAdmin;
+  if (userAdmin === void 0) {
+    return json(404, { ok: false, error: "user management is not available on this host" });
+  }
+  if (!hasRole(caller, "admin")) {
+    return json(403, { ok: false, error: "admin role required" });
+  }
+  const segments = req.path.slice("/api/users".length).split("/").filter((s) => s !== "");
+  if (segments.length === 0) {
+    if (req.method === "GET") return fromAuthResult(await userAdmin.listUsers());
+    if (req.method === "POST") {
+      const body = await parseJsonBody(req);
+      if (!isObject(body)) return json(400, { ok: false, error: "JSON body required" });
+      return fromAuthResult(await userAdmin.createUser(body));
+    }
+    return json(405, { ok: false, error: "method not allowed" });
+  }
+  const targetId = segments[0];
+  if (segments.length === 2 && segments[1] === "password") {
+    if (req.method !== "POST") return json(405, { ok: false, error: "method not allowed" });
+    const body = await parseJsonBody(req);
+    if (!isObject(body)) return json(400, { ok: false, error: "JSON body required" });
+    return fromAuthResult(
+      await userAdmin.resetPassword(targetId, body)
+    );
+  }
+  if (segments.length === 1) {
+    if (req.method === "PATCH") {
+      const body = await parseJsonBody(req);
+      if (!isObject(body)) return json(400, { ok: false, error: "JSON body required" });
+      return fromAuthResult(
+        await userAdmin.updateUser(caller.userId, targetId, body)
+      );
+    }
+    if (req.method === "DELETE") {
+      return fromAuthResult(await userAdmin.deleteUser(caller.userId, targetId));
+    }
+    return json(405, { ok: false, error: "method not allowed" });
+  }
+  return json(404, { ok: false, error: `Unknown API route: ${req.path}` });
+}
+async function handleBrandingRoute(deps, req) {
+  if (req.path !== "/api/branding" && req.path !== "/api/branding/logo") return void 0;
+  const store = deps.branding;
+  if (req.method === "GET") {
+    if (req.path === "/api/branding") {
+      if (store === void 0) return json(200, { name: null, logoUrl: null });
+      const state = await store.get();
+      const logoUrl = state.logo === null ? null : `/api/branding/logo?v=${state.logo.updatedAt}`;
+      return json(200, { name: state.name, logoUrl });
+    }
+    const logo = store === void 0 ? null : await store.getLogo();
+    if (logo === null) return { status: 404, body: "" };
+    return {
+      status: 200,
+      headers: { "content-type": logo.contentType, "cache-control": "public, max-age=31536000" },
+      body: logo.bytes
+    };
+  }
+  if (store === void 0) {
+    return json(404, { ok: false, error: "branding is not available on this host" });
+  }
+  if (!hasRole(await deps.identity.authenticate(req.getHeader), "admin")) {
+    return json(403, { ok: false, error: "admin role required" });
+  }
+  if (req.path === "/api/branding") {
+    if (req.method !== "PUT") return json(405, { ok: false, error: "method not allowed" });
+    const body = await parseJsonBody(req);
+    if (!isObject(body)) return json(400, { ok: false, error: "JSON body required" });
+    const raw = body["name"];
+    const name = typeof raw === "string" && raw.trim() !== "" ? raw.trim() : null;
+    await store.setName(name);
+    return json(200, { ok: true });
+  }
+  if (req.method === "POST") {
+    const contentType = req.getHeader("content-type") ?? "";
+    if (!contentType.startsWith("image/")) {
+      return json(415, { ok: false, error: "logo must be an image" });
+    }
+    const bytes = await req.body();
+    if (bytes.byteLength === 0) return json(400, { ok: false, error: "empty body" });
+    if (bytes.byteLength > MAX_LOGO_BYTES) return json(413, { ok: false, error: "logo too large" });
+    await store.setLogo(bytes, contentType);
+    return json(200, { ok: true });
+  }
+  if (req.method === "DELETE") {
+    await store.clearLogo();
+    return json(200, { ok: true });
+  }
+  return json(405, { ok: false, error: "method not allowed" });
+}
+async function handleApi(deps, req) {
+  const authResponse = await handleAuthRoute(deps, req);
+  if (authResponse !== void 0) return authResponse;
+  const brandingResponse = await handleBrandingRoute(deps, req);
+  if (brandingResponse !== void 0) return brandingResponse;
+  const principal = await deps.identity.authenticate(req.getHeader);
+  if (!canEdit(principal)) {
+    return json(401, { ok: false, error: "Unauthorized" });
+  }
+  if (req.path === "/api/users" || req.path.startsWith("/api/users/")) {
+    return handleUserAdminRoute(deps, req, principal);
+  }
+  const get = (key) => req.query.get(key) ?? "";
+  switch (req.path) {
+    case "/api/list": {
+      try {
+        return json(200, await deps.store.list(get("dir")));
+      } catch {
+        return json(200, []);
+      }
+    }
+    case "/api/read": {
+      const path = get("path");
+      try {
+        const bytes = await deps.store.readBytes(path);
+        return { status: 200, headers: { "content-type": contentTypeFor(path) }, body: bytes };
+      } catch {
+        return { status: 404, body: "" };
+      }
+    }
+    case "/api/exists":
+      return json(200, { exists: await deps.store.exists(get("path")) });
+    case "/api/validate":
+      return json(200, await validateSite(deps.store));
+    case "/api/authors":
+      return json(200, deps.authors ? await deps.authors() : []);
+    case "/api/template-fields": {
+      try {
+        const [template, components] = await Promise.all([
+          loadTemplate(deps.store, get("name")),
+          loadComponents(deps.store)
+        ]);
+        return json(200, deriveFields(template, components));
+      } catch {
+        return { status: 404, body: "" };
+      }
+    }
+    case "/api/write": {
+      if (req.method !== "POST") return methodNotAllowed();
+      const denied = denyWrite(principal, get("path"));
+      if (denied) return denied;
+      try {
+        await deps.store.write(get("path"), await req.body());
+        return json(200, { ok: true });
+      } catch (error) {
+        return json(500, { ok: false, error: String(error) });
+      }
+    }
+    case "/api/delete": {
+      if (req.method !== "POST") return methodNotAllowed();
+      const denied = denyWrite(principal, get("path"));
+      if (denied) return denied;
+      try {
+        await deps.store.delete(get("path"));
+        return json(200, { ok: true });
+      } catch (error) {
+        return json(500, { ok: false, error: String(error) });
+      }
+    }
+    case "/api/rename": {
+      if (req.method !== "POST") return methodNotAllowed();
+      const denied = denyWrite(principal, get("from")) ?? denyWrite(principal, get("to"));
+      if (denied) return denied;
+      const result = await deps.store.rename(get("from"), get("to"));
+      if (result.ok) return json(200, { ok: true });
+      const status = result.reason === "exists" ? 409 : 404;
+      return json(status, { ok: false, error: result.reason });
+    }
+    case "/api/publish": {
+      if (req.method !== "POST") return methodNotAllowed();
+      const result = await deps.publish();
+      if (result.ok) return json(200, { ok: true, written: result.written.length });
+      return json(422, { ok: false, errors: result.validation.errors.map((e) => e.message) });
+    }
+    case "/api/me/password": {
+      if (req.method !== "POST") return methodNotAllowed();
+      if (deps.authEndpoints === void 0) {
+        return json(404, { ok: false, error: "no credential provider configured" });
+      }
+      const body = await parseJsonBody(req);
+      if (!isChangePasswordRequest(body)) {
+        return json(400, {
+          ok: false,
+          error: "JSON body with currentPassword + newPassword required"
+        });
+      }
+      const result = await deps.authEndpoints.changePassword(principal.userId, body);
+      if (result.ok) return json(200, { ok: true, token: result.value.token });
+      return json(result.status, { ok: false, error: result.error });
+    }
+    case "/api/me/token": {
+      const endpoints = deps.authEndpoints;
+      if (req.method === "POST") {
+        if (endpoints?.createToken === void 0) {
+          return json(404, { ok: false, error: "tokens are not available on this host" });
+        }
+        const result = await endpoints.createToken(principal.userId);
+        return result.ok ? json(200, { ok: true, token: result.value.token, expiresAt: result.value.expiresAt }) : json(result.status, { ok: false, error: result.error });
+      }
+      if (req.method === "DELETE") {
+        if (endpoints?.revokeTokens === void 0) {
+          return json(404, { ok: false, error: "token revocation is not available" });
+        }
+        const result = await endpoints.revokeTokens(principal.userId);
+        return result.ok ? json(200, { ok: true }) : json(result.status, { ok: false, error: result.error });
+      }
+      return json(405, { ok: false, error: "method not allowed" });
+    }
+    default:
+      return json(404, { ok: false, error: `Unknown API route: ${req.path}` });
+  }
+}
+
+// ../editor-api/src/authors.ts
+function displayNameOf(user) {
+  const explicit = user.displayName?.trim();
+  return explicit !== void 0 && explicit !== "" ? explicit : user.username;
+}
+function authorOptions(users) {
+  return users.map((user) => ({ name: displayNameOf(user), user: user.username })).sort((a, b) => a.name.localeCompare(b.name));
+}
+function authorDirectory(users) {
+  const byUser = new Map(users.map((user) => [user.username, displayNameOf(user)]));
+  return (user) => {
+    const displayName = byUser.get(user);
+    return displayName === void 0 ? void 0 : { displayName };
+  };
+}
+
+// ../editor-api/src/mcp.ts
+function str(args, key) {
+  const value = args[key];
+  return typeof value === "string" ? value : "";
+}
+function request(method, path, query, bodyText, token) {
+  const body = bodyText === void 0 ? new Uint8Array() : new TextEncoder().encode(bodyText);
+  return {
+    method,
+    path,
+    query: new URLSearchParams(query),
+    getHeader: (name) => name.toLowerCase() === "authorization" && token !== void 0 ? `Bearer ${token}` : void 0,
+    body: async () => body
+  };
+}
+var pathArg = {
+  type: "string",
+  description: 'Site-relative path with forward slashes, e.g. "content/blog/post.json".'
+};
+var TOOL_SPECS = [
+  {
+    name: "list_dir",
+    description: "List the immediate children (files and folders) of a site directory. Use '' or omit for the site root; the top-level folders are content/ (pages), templates/, components/, and public/.",
+    inputSchema: {
+      type: "object",
+      properties: {
+        path: { type: "string", description: "Directory path, '' for the site root." }
+      },
+      additionalProperties: false
+    },
+    toRequest: (args, token) => request("GET", "/api/list", { dir: str(args, "path") }, void 0, token)
+  },
+  {
+    name: "read_file",
+    description: "Read a file's text contents (content JSON, a template/component's HTML, CSS, etc.). Reports an error if the file does not exist.",
+    inputSchema: {
+      type: "object",
+      properties: { path: pathArg },
+      required: ["path"],
+      additionalProperties: false
+    },
+    toRequest: (args, token) => request("GET", "/api/read", { path: str(args, "path") }, void 0, token)
+  },
+  {
+    name: "describe_template",
+    description: "List the fields a template defines (name, type, label, whether required, length limits), so you know what a page using it needs. Pass the template name without its path or extension, e.g. 'article' for templates/article.html.",
+    inputSchema: {
+      type: "object",
+      properties: {
+        name: {
+          type: "string",
+          description: 'Template name without path or extension, e.g. "article".'
+        }
+      },
+      required: ["name"],
+      additionalProperties: false
+    },
+    toRequest: (args, token) => request("GET", "/api/template-fields", { name: str(args, "name") }, void 0, token)
+  },
+  {
+    name: "write_file",
+    description: "Create or overwrite a text file. content/ requires the author role; templates/, components/, and public/ require the developer role. Read the nanoesis://reference resource first for the authoring syntax.",
+    inputSchema: {
+      type: "object",
+      properties: {
+        path: pathArg,
+        contents: { type: "string", description: "The full new text contents of the file." }
+      },
+      required: ["path", "contents"],
+      additionalProperties: false
+    },
+    toRequest: (args, token) => request("POST", "/api/write", { path: str(args, "path") }, str(args, "contents"), token)
+  },
+  {
+    name: "delete_path",
+    description: "Delete a file or a whole folder subtree. Same role rules as write_file. Deleting a path that does not exist is a no-op.",
+    inputSchema: {
+      type: "object",
+      properties: { path: pathArg },
+      required: ["path"],
+      additionalProperties: false
+    },
+    toRequest: (args, token) => request("POST", "/api/delete", { path: str(args, "path") }, void 0, token)
+  },
+  {
+    name: "rename_path",
+    description: "Move or rename a file or folder subtree. Refuses to overwrite an existing destination. Requires write rights at both the source and the destination.",
+    inputSchema: {
+      type: "object",
+      properties: {
+        from: { type: "string", description: "The current path." },
+        to: { type: "string", description: "The new path." }
+      },
+      required: ["from", "to"],
+      additionalProperties: false
+    },
+    toRequest: (args, token) => request(
+      "POST",
+      "/api/rename",
+      { from: str(args, "from"), to: str(args, "to") },
+      void 0,
+      token
+    )
+  },
+  {
+    name: "validate",
+    description: "Run the validation gate over the whole site and return its diagnostics, without publishing. Use it to check your work: errors would block a publish, warnings (e.g. length constraints) only inform.",
+    inputSchema: { type: "object", properties: {}, additionalProperties: false },
+    toRequest: (_args, token) => request("GET", "/api/validate", {}, void 0, token)
+  },
+  {
+    name: "publish",
+    description: "Compile and publish the whole site. Runs the validation gate first; if anything would break, it reports the problems and writes nothing.",
+    inputSchema: { type: "object", properties: {}, additionalProperties: false },
+    toRequest: (_args, token) => request("POST", "/api/publish", {}, void 0, token)
+  }
+];
+var MCP_TOOLS = TOOL_SPECS.map(
+  ({ name, description, inputSchema }) => ({ name, description, inputSchema })
+);
+function toResult(response) {
+  const text = typeof response.body === "string" ? response.body : response.body === void 0 ? "" : new TextDecoder().decode(response.body);
+  return { text, isError: response.status >= 400 };
+}
+async function callMcpTool(deps, name, args = {}, options = {}) {
+  const spec = TOOL_SPECS.find((tool) => tool.name === name);
+  if (spec === void 0) return { text: `Unknown tool: ${name}`, isError: true };
+  return toResult(await handleApi(deps, spec.toRequest(args, options.token)));
+}
+var REFERENCE_URI = "nanoesis://reference";
+var MCP_RESOURCES = [
+  {
+    uri: REFERENCE_URI,
+    name: "nanoesis authoring reference",
+    description: "The generated reference for nanoesis templates and content: tokens, field types, annotations, loops, components, and the document shell. Read this before writing templates or content.",
+    mimeType: "text/markdown"
+  }
+];
+function readMcpResource(uri) {
+  if (uri === REFERENCE_URI) {
+    return { text: renderReferenceMarkdown(buildAuthoringReference()), mimeType: "text/markdown" };
+  }
+  return void 0;
+}
+
+// ../editor-api/src/branding.ts
+import { mkdir, readFile, rename, rm, writeFile } from "fs/promises";
+import { dirname, join } from "path";
+var EMPTY = { name: null, logo: null };
+var InMemoryBrandingStore = class {
+  constructor(now = Date.now) {
+    this.now = now;
+  }
+  now;
+  name = null;
+  logo = null;
+  logoUpdatedAt = 0;
+  async get() {
+    return {
+      name: this.name,
+      logo: this.logo === null ? null : { contentType: this.logo.contentType, updatedAt: this.logoUpdatedAt }
+    };
+  }
+  async getLogo() {
+    return this.logo;
+  }
+  async setName(name) {
+    this.name = name;
+  }
+  async setLogo(bytes, contentType) {
+    this.logo = { bytes, contentType };
+    this.logoUpdatedAt = this.now();
+  }
+  async clearLogo() {
+    this.logo = null;
+  }
+};
+var FileBrandingStore = class {
+  constructor(metaPath, now = Date.now) {
+    this.metaPath = metaPath;
+    this.now = now;
+    this.logoPath = join(dirname(metaPath), "branding-logo");
+  }
+  metaPath;
+  now;
+  logoPath;
+  async loadMeta() {
+    try {
+      const raw = await readFile(this.metaPath, "utf8");
+      const text = raw.charCodeAt(0) === 65279 ? raw.slice(1) : raw;
+      const parsed = JSON.parse(text);
+      return {
+        name: typeof parsed.name === "string" ? parsed.name : null,
+        logo: parsed.logo && typeof parsed.logo.contentType === "string" ? {
+          contentType: parsed.logo.contentType,
+          updatedAt: Number(parsed.logo.updatedAt) || 0
+        } : null
+      };
+    } catch (error) {
+      if (error.code === "ENOENT") return EMPTY;
+      throw error;
+    }
+  }
+  async saveMeta(state) {
+    await mkdir(dirname(this.metaPath), { recursive: true });
+    const tmp = `${this.metaPath}.tmp`;
+    await writeFile(tmp, JSON.stringify(state, null, 2), "utf8");
+    await rename(tmp, this.metaPath);
+  }
+  async get() {
+    return this.loadMeta();
+  }
+  async getLogo() {
+    const meta = await this.loadMeta();
+    if (meta.logo === null) return null;
+    try {
+      const bytes = await readFile(this.logoPath);
+      return { bytes: new Uint8Array(bytes), contentType: meta.logo.contentType };
+    } catch (error) {
+      if (error.code === "ENOENT") return null;
+      throw error;
+    }
+  }
+  async setName(name) {
+    const meta = await this.loadMeta();
+    await this.saveMeta({ name, logo: meta.logo });
+  }
+  async setLogo(bytes, contentType) {
+    const meta = await this.loadMeta();
+    await mkdir(dirname(this.logoPath), { recursive: true });
+    const tmp = `${this.logoPath}.tmp`;
+    await writeFile(tmp, bytes);
+    await rename(tmp, this.logoPath);
+    await this.saveMeta({ name: meta.name, logo: { contentType, updatedAt: this.now() } });
+  }
+  async clearLogo() {
+    const meta = await this.loadMeta();
+    await rm(this.logoPath, { force: true });
+    await this.saveMeta({ name: meta.name, logo: null });
+  }
+};
+export {
+  FileBrandingStore,
+  InMemoryBrandingStore,
+  MCP_RESOURCES,
+  MCP_TOOLS,
+  authorDirectory,
+  authorOptions,
+  callMcpTool,
+  handleApi,
+  readMcpResource
+};

package/dist/editor.d.ts

@@ -0,0 +1,13 @@
+/**
+ * Absolute path to the bundled editor SPA (static files) shipped inside this package
+ * (DESIGN §11c). Point your host's static file server at it; it contains `index.html`
+ * and the editor's assets. Example:
+ *
+ * ```ts
+ * import { editorDist } from '@xtrable-ltd/nanoesis/editor';
+ * // serve files from `editorDist`, falling back to index.html for client-side routing.
+ * ```
+ */
+declare const editorDist: string;
+
+export { editorDist };

package/dist/editor.js

@@ -0,0 +1,6 @@
+// src/editor.ts
+import { fileURLToPath } from "url";
+var editorDist = fileURLToPath(new URL("../editor", import.meta.url));
+export {
+  editorDist
+};