dineway 0.1.3 → 0.1.5

package/src/astro/routes/api/content/[collection]/[id]/publish.ts

@@ -0,0 +1,100 @@
+/**
+ * Publish content - promotes draft to live
+ *
+ * POST /_dineway/api/content/{collection}/{id}/publish
+ */
+
+import type { APIRoute } from "astro";
+
+import { requireOwnerPerm } from "#api/authorize.js";
+import { apiError, mapErrorStatus, unwrapResult } from "#api/error.js";
+import { isParseError, parseOptionalBody } from "#api/parse.js";
+import { contentPublishBody } from "#api/schemas.js";
+import {
+	contentApiRouteSource,
+	extractActivityItemId,
+	logContentActivity,
+} from "#site-context/activity-events.js";
+import { resolveActorIdentity, RiskPolicyEvaluator } from "#site-context/index.js";
+
+export const prerender = false;
+
+export const POST: APIRoute = async ({ params, request, locals, cache }) => {
+	const { dineway, user } = locals;
+	const collection = params.collection!;
+	const id = params.id!;
+
+	if (!dineway?.handleContentPublish || !dineway?.handleContentGet) {
+		return apiError("NOT_CONFIGURED", "Dineway is not initialized", 500);
+	}
+
+	// Fetch item to check ownership
+	const existing = await dineway.handleContentGet(collection, id);
+	if (!existing.success) {
+		return apiError(
+			existing.error?.code ?? "UNKNOWN_ERROR",
+			existing.error?.message ?? "Unknown error",
+			mapErrorStatus(existing.error?.code),
+		);
+	}
+
+	const existingData =
+		existing.data && typeof existing.data === "object"
+			? // eslint-disable-next-line typescript-eslint(no-unsafe-type-assertion) -- handler returns unknown data; narrowed by typeof check above
+				(existing.data as Record<string, unknown>)
+			: undefined;
+	const existingItem =
+		existingData?.item && typeof existingData.item === "object"
+			? // eslint-disable-next-line typescript-eslint(no-unsafe-type-assertion) -- narrowed by typeof check above
+				(existingData.item as Record<string, unknown>)
+			: existingData;
+	const authorId = typeof existingItem?.authorId === "string" ? existingItem.authorId : "";
+	const denied = requireOwnerPerm(user, authorId, "content:publish_own", "content:publish_any");
+	if (denied) return denied;
+
+	const resolvedId = typeof existingItem?.id === "string" ? existingItem.id : id;
+	const body = await parseOptionalBody(request, contentPublishBody, {});
+	if (isParseError(body)) return body;
+
+	const actor = resolveActorIdentity({
+		user: user ? { id: user.id } : null,
+		tokenScopes: locals.tokenScopes,
+		authToken: locals.authToken,
+	});
+	const evaluator = new RiskPolicyEvaluator({
+		db: dineway.db,
+		handlers: dineway,
+	});
+	const reviewRequestId = body.reviewRequestId ?? body.review_request_id;
+	const decision = await evaluator.evaluateContentPublishReview({
+		actor,
+		collection,
+		id: resolvedId,
+		reviewRequestId,
+	});
+	if (!decision.allowed) {
+		return apiError("REVIEW_REQUEST_REQUIRED", decision.message, 409, {
+			reason: decision.reason,
+			target: decision.target ?? null,
+		});
+	}
+
+	const result = await dineway.handleContentPublish(collection, resolvedId);
+
+	if (!result.success) return unwrapResult(result);
+
+	if (cache.enabled) await cache.invalidate({ tags: [collection, resolvedId] });
+
+	await logContentActivity(dineway.db, locals, {
+		action: "published",
+		collection,
+		entryId: extractActivityItemId(result.data, resolvedId),
+		...contentApiRouteSource("published"),
+		summary: `Published content in ${collection}`,
+		detail: {
+			reviewRequestId: decision.required ? decision.reviewRequest.id : null,
+		},
+	});
+
+	return unwrapResult(result);
+};

package/src/astro/routes/api/content/[collection]/[id]/restore.ts

@@ -0,0 +1,64 @@
+/**
+ * Restore content from trash endpoint - injected by Dineway integration
+ *
+ * POST /_dineway/api/content/{collection}/{id}/restore - Restore from trash
+ */
+
+import type { APIRoute } from "astro";
+
+import { requireOwnerPerm } from "#api/authorize.js";
+import { apiError, mapErrorStatus, unwrapResult } from "#api/error.js";
+import { contentApiRouteSource, logContentActivity } from "#site-context/activity-events.js";
+
+export const prerender = false;
+
+export const POST: APIRoute = async ({ params, locals, cache }) => {
+	const { dineway, user } = locals;
+	const collection = params.collection!;
+	const id = params.id!;
+
+	if (!dineway?.handleContentRestore || !dineway?.handleContentGetIncludingTrashed) {
+		return apiError("NOT_CONFIGURED", "Dineway is not initialized", 500);
+	}
+
+	// Fetch item including trashed items to check ownership
+	const existing = await dineway.handleContentGetIncludingTrashed(collection, id);
+	if (!existing.success) {
+		return apiError(
+			existing.error?.code ?? "UNKNOWN_ERROR",
+			existing.error?.message ?? "Unknown error",
+			mapErrorStatus(existing.error?.code),
+		);
+	}
+	const existingData =
+		existing.data && typeof existing.data === "object"
+			? // eslint-disable-next-line typescript-eslint(no-unsafe-type-assertion) -- handler returns unknown data; narrowed by typeof check above
+				(existing.data as Record<string, unknown>)
+			: undefined;
+	// Handler returns { item, _rev } — extract the item for ownership check
+	const existingItem =
+		existingData?.item && typeof existingData.item === "object"
+			? // eslint-disable-next-line typescript-eslint(no-unsafe-type-assertion) -- narrowed by typeof check above
+				(existingData.item as Record<string, unknown>)
+			: existingData;
+	const authorId = typeof existingItem?.authorId === "string" ? existingItem.authorId : "";
+	const denied = requireOwnerPerm(user, authorId, "content:edit_own", "content:edit_any");
+	if (denied) return denied;
+	const resolvedId = typeof existingItem?.id === "string" ? existingItem.id : id;
+
+	const result = await dineway.handleContentRestore(collection, resolvedId);
+
+	if (!result.success) return unwrapResult(result);
+
+	if (cache.enabled) await cache.invalidate({ tags: [collection, resolvedId] });
+
+	await logContentActivity(dineway.db, locals, {
+		action: "restored",
+		collection,
+		entryId: resolvedId,
+		...contentApiRouteSource("restored"),
+		summary: `Restored content in ${collection}`,
+	});
+
+	return unwrapResult(result);
+};

package/src/astro/routes/api/content/[collection]/[id]/revisions.ts

@@ -0,0 +1,31 @@
+/**
+ * Revisions API endpoint - injected by Dineway integration
+ *
+ * GET /_dineway/api/content/{collection}/{id}/revisions - List revisions
+ */
+
+import type { APIRoute } from "astro";
+
+import { requirePerm } from "#api/authorize.js";
+import { apiError, unwrapResult } from "#api/error.js";
+
+export const prerender = false;
+
+export const GET: APIRoute = async ({ params, url, locals }) => {
+	const { dineway, user } = locals;
+	const denied = requirePerm(user, "content:read_drafts");
+	if (denied) return denied;
+	const collection = params.collection!;
+	const id = params.id!;
+
+	if (!dineway?.handleRevisionList) {
+		return apiError("NOT_CONFIGURED", "Dineway is not initialized", 500);
+	}
+
+	const limit = url.searchParams.get("limit");
+	const result = await dineway.handleRevisionList(collection, id, {
+		limit: limit ? parseInt(limit, 10) : undefined,
+	});
+
+	return unwrapResult(result);
+};

package/src/astro/routes/api/content/[collection]/[id]/schedule.ts

@@ -0,0 +1,129 @@
+/**
+ * Schedule content for future publishing - injected by Dineway integration
+ *
+ * POST /_dineway/api/content/{collection}/{id}/schedule - Schedule for publishing
+ * DELETE /_dineway/api/content/{collection}/{id}/schedule - Unschedule (clear scheduled time)
+ */
+
+import type { APIRoute } from "astro";
+
+import { requireOwnerPerm } from "#api/authorize.js";
+import { apiError, mapErrorStatus, unwrapResult } from "#api/error.js";
+import { parseBody, isParseError } from "#api/parse.js";
+import { contentScheduleBody } from "#api/schemas.js";
+import {
+	contentApiRouteSource,
+	extractActivityItemId,
+	logContentActivity,
+} from "#site-context/activity-events.js";
+
+export const prerender = false;
+
+/**
+ * Extract author ID from a content item response (shared by POST and DELETE).
+ */
+function extractOwnership(data: unknown): { authorId: string; resolvedId: string | undefined } {
+	const obj =
+		data && typeof data === "object"
+			? // eslint-disable-next-line typescript-eslint(no-unsafe-type-assertion) -- handler returns unknown; narrowed by typeof
+				(data as Record<string, unknown>)
+			: undefined;
+	const item =
+		obj?.item && typeof obj.item === "object"
+			? // eslint-disable-next-line typescript-eslint(no-unsafe-type-assertion) -- narrowed by typeof
+				(obj.item as Record<string, unknown>)
+			: obj;
+	return {
+		authorId: typeof item?.authorId === "string" ? item.authorId : "",
+		resolvedId: typeof item?.id === "string" ? item.id : undefined,
+	};
+}
+
+export const POST: APIRoute = async ({ params, request, locals, cache }) => {
+	const { dineway, user } = locals;
+	const collection = params.collection!;
+	const id = params.id!;
+	const body = await parseBody(request, contentScheduleBody);
+	if (isParseError(body)) return body;
+
+	if (!dineway?.handleContentSchedule || !dineway?.handleContentGet) {
+		return apiError("NOT_CONFIGURED", "Dineway is not initialized", 500);
+	}
+
+	// Fetch item to check ownership
+	const existing = await dineway.handleContentGet(collection, id);
+	if (!existing.success) {
+		return apiError(
+			existing.error?.code ?? "UNKNOWN_ERROR",
+			existing.error?.message ?? "Unknown error",
+			mapErrorStatus(existing.error?.code),
+		);
+	}
+
+	const { authorId, resolvedId } = extractOwnership(existing.data);
+	const denied = requireOwnerPerm(user, authorId, "content:publish_own", "content:publish_any");
+	if (denied) return denied;
+
+	const result = await dineway.handleContentSchedule(
+		collection,
+		resolvedId ?? id,
+		body.scheduledAt,
+	);
+
+	if (!result.success) return unwrapResult(result);
+
+	if (cache.enabled) await cache.invalidate({ tags: [collection, resolvedId ?? id] });
+
+	await logContentActivity(dineway.db, locals, {
+		action: "scheduled",
+		collection,
+		entryId: extractActivityItemId(result.data, resolvedId ?? id),
+		...contentApiRouteSource("scheduled"),
+		summary: `Scheduled content in ${collection}`,
+		detail: {
+			scheduledAt: body.scheduledAt,
+		},
+	});
+
+	return unwrapResult(result);
+};
+
+export const DELETE: APIRoute = async ({ params, locals, cache }) => {
+	const { dineway, user } = locals;
+	const collection = params.collection!;
+	const id = params.id!;
+
+	if (!dineway?.handleContentUnschedule || !dineway?.handleContentGet) {
+		return apiError("NOT_CONFIGURED", "Dineway is not initialized", 500);
+	}
+
+	// Fetch item to check ownership
+	const existing = await dineway.handleContentGet(collection, id);
+	if (!existing.success) {
+		return apiError(
+			existing.error?.code ?? "UNKNOWN_ERROR",
+			existing.error?.message ?? "Unknown error",
+			mapErrorStatus(existing.error?.code),
+		);
+	}
+
+	const { authorId, resolvedId } = extractOwnership(existing.data);
+	const denied = requireOwnerPerm(user, authorId, "content:publish_own", "content:publish_any");
+	if (denied) return denied;
+
+	const result = await dineway.handleContentUnschedule(collection, resolvedId ?? id);
+
+	if (!result.success) return unwrapResult(result);
+
+	if (cache.enabled) await cache.invalidate({ tags: [collection, resolvedId ?? id] });
+
+	await logContentActivity(dineway.db, locals, {
+		action: "unscheduled",
+		collection,
+		entryId: extractActivityItemId(result.data, resolvedId ?? id),
+		...contentApiRouteSource("unscheduled"),
+		summary: `Unscheduled content in ${collection}`,
+	});
+
+	return unwrapResult(result);
+};

package/src/astro/routes/api/content/[collection]/[id]/terms/[taxonomy].ts

@@ -0,0 +1,143 @@
+/**
+ * Content-taxonomy association endpoint
+ *
+ * GET /_dineway/api/content/:collection/:id/terms/:taxonomy - Get terms for an entry
+ * POST /_dineway/api/content/:collection/:id/terms/:taxonomy - Set terms for an entry
+ */
+
+import type { APIRoute } from "astro";
+
+import { requirePerm, requireOwnerPerm } from "#api/authorize.js";
+import { apiError, apiSuccess, handleError, requireDb } from "#api/error.js";
+import { parseBody, isParseError } from "#api/parse.js";
+import { contentTermsBody } from "#api/schemas.js";
+import { TaxonomyRepository } from "#db/repositories/taxonomy.js";
+import { invalidateTermCache } from "#taxonomies/index.js";
+
+export const prerender = false;
+
+/**
+ * Get terms assigned to an entry
+ */
+export const GET: APIRoute = async ({ params, locals }) => {
+	const { dineway, user } = locals;
+	const { collection, id, taxonomy } = params;
+
+	const denied = requirePerm(user, "content:read");
+	if (denied) return denied;
+
+	if (!collection || !id || !taxonomy) {
+		return apiError("VALIDATION_ERROR", "Collection, id, and taxonomy required", 400);
+	}
+
+	const dbErr = requireDb(dineway?.db);
+	if (dbErr) return dbErr;
+
+	try {
+		const repo = new TaxonomyRepository(dineway!.db);
+		const terms = await repo.getTermsForEntry(collection, id, taxonomy);
+
+		return apiSuccess({
+			terms: terms.map((t) => ({
+				id: t.id,
+				name: t.name,
+				slug: t.slug,
+				label: t.label,
+				parentId: t.parentId,
+			})),
+		});
+	} catch (error) {
+		return handleError(error, "Failed to get entry terms", "TERMS_GET_ERROR");
+	}
+};
+
+/**
+ * Set terms for an entry (replaces existing)
+ */
+export const POST: APIRoute = async ({ params, request, locals }) => {
+	const { dineway, user } = locals;
+	const { collection, id, taxonomy } = params;
+
+	if (!collection || !id || !taxonomy) {
+		return apiError("VALIDATION_ERROR", "Collection, id, and taxonomy required", 400);
+	}
+
+	const denied = requirePerm(user, "content:edit_own");
+	if (denied) return denied;
+
+	const dbErr = requireDb(dineway?.db);
+	if (dbErr) return dbErr;
+
+	if (!dineway!.handleContentGet) {
+		return apiError("NOT_CONFIGURED", "Dineway is not initialized", 500);
+	}
+
+	// Verify the content exists before modifying its terms
+	const existing = await dineway!.handleContentGet(collection, id);
+	if (!existing.success) {
+		return apiError(
+			existing.error?.code ?? "NOT_FOUND",
+			existing.error?.message ?? "Content not found",
+			existing.error?.code === "NOT_FOUND" ? 404 : 500,
+		);
+	}
+
+	// Check ownership for edit permission
+	const existingData =
+		existing.data && typeof existing.data === "object"
+			? // eslint-disable-next-line typescript-eslint(no-unsafe-type-assertion) -- handler returns unknown data; narrowed by typeof check above
+				(existing.data as Record<string, unknown>)
+			: undefined;
+	// Handler returns { item, _rev } — extract the item for ownership check
+	const existingItem =
+		existingData?.item && typeof existingData.item === "object"
+			? // eslint-disable-next-line typescript-eslint(no-unsafe-type-assertion) -- narrowed by typeof check above
+				(existingData.item as Record<string, unknown>)
+			: existingData;
+	const authorId = typeof existingItem?.authorId === "string" ? existingItem.authorId : "";
+	const editDenied = requireOwnerPerm(user, authorId, "content:edit_own", "content:edit_any");
+	if (editDenied) return editDenied;
+
+	try {
+		const body = await parseBody(request, contentTermsBody);
+		if (isParseError(body)) return body;
+		const { termIds } = body;
+
+		const repo = new TaxonomyRepository(dineway!.db);
+
+		// Verify all term IDs exist and belong to the correct taxonomy
+		for (const termId of termIds) {
+			const term = await repo.findById(termId);
+			if (!term) {
+				return apiError("NOT_FOUND", `Term ID '${termId}' not found`, 404);
+			}
+			if (term.name !== taxonomy) {
+				return apiError(
+					"VALIDATION_ERROR",
+					`Term ID '${termId}' does not belong to taxonomy '${taxonomy}'`,
+					400,
+				);
+			}
+		}
+
+		// Set the terms (replaces existing)
+		await repo.setTermsForEntry(collection, id, taxonomy, termIds);
+
+		invalidateTermCache();
+
+		// Get the updated terms
+		const terms = await repo.getTermsForEntry(collection, id, taxonomy);
+
+		return apiSuccess({
+			terms: terms.map((t) => ({
+				id: t.id,
+				name: t.name,
+				slug: t.slug,
+				label: t.label,
+				parentId: t.parentId,
+			})),
+		});
+	} catch (error) {
+		return handleError(error, "Failed to set entry terms", "TERMS_SET_ERROR");
+	}
+};

package/src/astro/routes/api/content/[collection]/[id]/translations.ts

@@ -0,0 +1,50 @@
+/**
+ * Content translations endpoint
+ *
+ * GET /_dineway/api/content/{collection}/{id}/translations
+ *
+ * Returns all locale variants linked to the same translation group.
+ */
+
+import { hasPermission } from "@dineway-ai/auth";
+import type { APIRoute } from "astro";
+
+import { requirePerm } from "#api/authorize.js";
+import { apiError, unwrapResult } from "#api/error.js";
+
+export const prerender = false;
+
+function isPublishedTranslation(value: unknown): boolean {
+	return (
+		typeof value === "object" && value !== null && "status" in value && value.status === "published"
+	);
+}
+
+export const GET: APIRoute = async ({ params, locals }) => {
+	const { dineway, user } = locals;
+	const denied = requirePerm(user, "content:read");
+	if (denied) return denied;
+	const collection = params.collection!;
+	const id = params.id!;
+
+	if (!dineway?.handleContentTranslations) {
+		return apiError("NOT_CONFIGURED", "Dineway is not initialized", 500);
+	}
+
+	const result = await dineway.handleContentTranslations(collection, id);
+
+	if (result.success && !hasPermission(user, "content:read_drafts")) {
+		const data = result.data && typeof result.data === "object" ? result.data : {};
+		const translations =
+			"translations" in data && Array.isArray(data.translations) ? data.translations : [];
+		return unwrapResult({
+			success: true,
+			data: {
+				...data,
+				translations: translations.filter(isPublishedTranslation),
+			},
+		});
+	}
+
+	return unwrapResult(result);
+};

package/src/astro/routes/api/content/[collection]/[id]/unpublish.ts

@@ -0,0 +1,69 @@
+/**
+ * Unpublish content - removes from public view, preserves draft
+ *
+ * POST /_dineway/api/content/{collection}/{id}/unpublish
+ */
+
+import type { APIRoute } from "astro";
+
+import { requireOwnerPerm } from "#api/authorize.js";
+import { apiError, mapErrorStatus, unwrapResult } from "#api/error.js";
+import {
+	contentApiRouteSource,
+	extractActivityItemId,
+	logContentActivity,
+} from "#site-context/activity-events.js";
+
+export const prerender = false;
+
+export const POST: APIRoute = async ({ params, locals, cache }) => {
+	const { dineway, user } = locals;
+	const collection = params.collection!;
+	const id = params.id!;
+
+	if (!dineway?.handleContentUnpublish || !dineway?.handleContentGet) {
+		return apiError("NOT_CONFIGURED", "Dineway is not initialized", 500);
+	}
+
+	// Fetch item to check ownership
+	const existing = await dineway.handleContentGet(collection, id);
+	if (!existing.success) {
+		return apiError(
+			existing.error?.code ?? "UNKNOWN_ERROR",
+			existing.error?.message ?? "Unknown error",
+			mapErrorStatus(existing.error?.code),
+		);
+	}
+
+	const existingData =
+		existing.data && typeof existing.data === "object"
+			? // eslint-disable-next-line typescript-eslint(no-unsafe-type-assertion) -- handler returns unknown data; narrowed by typeof check above
+				(existing.data as Record<string, unknown>)
+			: undefined;
+	const existingItem =
+		existingData?.item && typeof existingData.item === "object"
+			? // eslint-disable-next-line typescript-eslint(no-unsafe-type-assertion) -- narrowed by typeof check above
+				(existingData.item as Record<string, unknown>)
+			: existingData;
+	const authorId = typeof existingItem?.authorId === "string" ? existingItem.authorId : "";
+	const denied = requireOwnerPerm(user, authorId, "content:publish_own", "content:publish_any");
+	if (denied) return denied;
+
+	const resolvedId = typeof existingItem?.id === "string" ? existingItem.id : id;
+
+	const result = await dineway.handleContentUnpublish(collection, resolvedId);
+
+	if (!result.success) return unwrapResult(result);
+
+	if (cache.enabled) await cache.invalidate({ tags: [collection, resolvedId] });
+
+	await logContentActivity(dineway.db, locals, {
+		action: "unpublished",
+		collection,
+		entryId: extractActivityItemId(result.data, resolvedId),
+		...contentApiRouteSource("unpublished"),
+		summary: `Unpublished content in ${collection}`,
+	});
+
+	return unwrapResult(result);
+};