npm - dineway - Versions diffs - 0.1.3 → 0.1.5 - Mend

dineway 0.1.3 → 0.1.5

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (296) hide show

package/README.md +6 -3
package/dist/{apply-CAPvMfoU.mjs → apply-iVSqz2qs.mjs} +132 -39
package/dist/astro/index.d.mts +18 -9
package/dist/astro/index.mjs +238 -16
package/dist/astro/middleware/auth.d.mts +16 -5
package/dist/astro/middleware/auth.mjs +74 -37
package/dist/astro/middleware/redirect.mjs +24 -8
package/dist/astro/middleware/request-context.mjs +18 -5
package/dist/astro/middleware/setup.mjs +1 -1
package/dist/astro/middleware.mjs +411 -169
package/dist/astro/types.d.mts +25 -8
package/dist/{byline-DeWCMU_i.mjs → byline-OhH2dlRu.mjs} +6 -21
package/dist/{bylines-DyqBV9EQ.mjs → bylines-BGpD9_hy.mjs} +16 -6
package/dist/cache-BdSY-gQN.mjs +42 -0
package/dist/chunks--4F8ddV4.mjs +18 -0
package/dist/cli/index.mjs +935 -15
package/dist/client/external-auth-headers.d.mts +1 -1
package/dist/client/index.d.mts +11 -3
package/dist/client/index.mjs +4 -3
package/dist/{connection-C9pxzuag.mjs → connection-BCNICDWN.mjs} +22 -5
package/dist/{content-zSgdNmnt.mjs → content-DWi4d0rT.mjs} +41 -2
package/dist/database/instrumentation.d.mts +34 -0
package/dist/database/instrumentation.mjs +53 -0
package/dist/db/index.d.mts +3 -3
package/dist/db/index.mjs +2 -2
package/dist/db/libsql.d.mts +1 -1
package/dist/db/libsql.mjs +11 -5
package/dist/db/postgres.d.mts +1 -1
package/dist/db/sqlite.d.mts +1 -1
package/dist/db/sqlite.mjs +7 -1
package/dist/db-errors-CEqD7qH9.mjs +23 -0
package/dist/{default-WYlzADZL.mjs → default-VjJyuuG9.mjs} +2 -0
package/dist/{dialect-helpers-B9uSp2GJ.mjs → dialect-helpers-DhTzaUxP.mjs} +3 -0
package/dist/{error-DrxtnGPg.mjs → error-BmL6QipT.mjs} +7 -3
package/dist/{index-C-jx21qs.d.mts → index-yvc6E_17.d.mts} +157 -30
package/dist/index.d.mts +11 -11
package/dist/index.mjs +24 -22
package/dist/{loader-qKmo0wAY.mjs → loader-sMG4TZ-u.mjs} +9 -3
package/dist/media/index.d.mts +1 -1
package/dist/media/index.mjs +1 -1
package/dist/media/local-runtime.d.mts +7 -7
package/dist/page/index.d.mts +10 -2
package/dist/page/index.mjs +22 -1
package/dist/patterns-CrCYkMBb.mjs +92 -0
package/dist/{placeholder-bOx1xCTY.d.mts → placeholder--wOi4TbO.d.mts} +1 -1
package/dist/{placeholder-B3knXwNc.mjs → placeholder-Cp8g5Emj.mjs} +1 -1
package/dist/plugins/adapt-sandbox-entry.d.mts +5 -5
package/dist/plugins/adapt-sandbox-entry.mjs +1 -1
package/dist/{query-BiaPl_g2.mjs → query-kDmwCsHh.mjs} +118 -50
package/dist/{redirect-JPqLAbxa.mjs → redirect-DnEWAkVg.mjs} +43 -99
package/dist/{registry-DSd1GWB8.mjs → registry-C0zjeB9P.mjs} +191 -123
package/dist/request-cache-Dk5qPSOx.mjs +66 -0
package/dist/request-context.d.mts +4 -16
package/dist/{runner-B5l1JfOj.d.mts → runner-CFI6B6J2.d.mts} +1 -1
package/dist/{runner-BGUGywgG.mjs → runner-DWZm2KQm.mjs} +589 -137
package/dist/runtime.d.mts +6 -6
package/dist/runtime.mjs +2 -2
package/dist/{search-BNruJHDL.mjs → search-ByRGV2pq.mjs} +570 -424
package/dist/seed/index.d.mts +2 -2
package/dist/seed/index.mjs +11 -10
package/dist/seo/index.d.mts +1 -1
package/dist/storage/local.d.mts +1 -1
package/dist/storage/local.mjs +1 -1
package/dist/storage/s3.d.mts +11 -3
package/dist/storage/s3.mjs +78 -15
package/dist/taxonomies-1s5PaS_8.mjs +266 -0
package/dist/transaction-Cn2rjY78.mjs +27 -0
package/dist/{types-BgQeVaPj.d.mts → types-BuMDPy5C.d.mts} +52 -3
package/dist/{types-DuNbGKjF.mjs → types-COeOq9nK.mjs} +6 -1
package/dist/{types-ju-_ORz7.d.mts → types-CWbdtiux.d.mts} +13 -5
package/dist/{types-D38djUXv.d.mts → types-Cj0KMIZV.d.mts} +16 -3
package/dist/{types-DkvMXalq.d.mts → types-DOrVigru.d.mts} +159 -0
package/dist/{validate-CXnRKfJK.mjs → validate-BZ5wnLLp.mjs} +2 -1
package/dist/{validate-DVKJJ-M_.d.mts → validate-IPf8n4Fj.d.mts} +4 -51
package/dist/{validate-CqRJb_xU.mjs → validate-VPnKoIzW.mjs} +10 -10
package/dist/version-BKXPsfmJ.mjs +6 -0
package/package.json +53 -39
package/src/astro/routes/PluginRegistry.tsx +21 -0
package/src/astro/routes/admin.astro +99 -0
package/src/astro/routes/api/admin/allowed-domains/[domain].ts +112 -0
package/src/astro/routes/api/admin/allowed-domains/index.ts +108 -0
package/src/astro/routes/api/admin/api-tokens/[id].ts +44 -0
package/src/astro/routes/api/admin/api-tokens/index.ts +90 -0
package/src/astro/routes/api/admin/briefing.ts +76 -0
package/src/astro/routes/api/admin/bylines/[id]/index.ts +90 -0
package/src/astro/routes/api/admin/bylines/index.ts +74 -0
package/src/astro/routes/api/admin/comments/[id]/status.ts +120 -0
package/src/astro/routes/api/admin/comments/[id].ts +64 -0
package/src/astro/routes/api/admin/comments/bulk.ts +42 -0
package/src/astro/routes/api/admin/comments/counts.ts +30 -0
package/src/astro/routes/api/admin/comments/index.ts +46 -0
package/src/astro/routes/api/admin/context/[id]/history.ts +35 -0
package/src/astro/routes/api/admin/context/[id]/index.ts +35 -0
package/src/astro/routes/api/admin/context/[id]/review.ts +57 -0
package/src/astro/routes/api/admin/context/[id]/supersede.ts +58 -0
package/src/astro/routes/api/admin/context/diff.ts +35 -0
package/src/astro/routes/api/admin/context/index.ts +69 -0
package/src/astro/routes/api/admin/context/stale.ts +35 -0
package/src/astro/routes/api/admin/hitl-requests/[id]/index.ts +38 -0
package/src/astro/routes/api/admin/hitl-requests/[id]/resolve.ts +54 -0
package/src/astro/routes/api/admin/hitl-requests/index.ts +38 -0
package/src/astro/routes/api/admin/hooks/exclusive/[hookName].ts +132 -0
package/src/astro/routes/api/admin/hooks/exclusive/index.ts +51 -0
package/src/astro/routes/api/admin/oauth-clients/[id].ts +137 -0
package/src/astro/routes/api/admin/oauth-clients/index.ts +95 -0
package/src/astro/routes/api/admin/plugins/[id]/disable.ts +91 -0
package/src/astro/routes/api/admin/plugins/[id]/enable.ts +91 -0
package/src/astro/routes/api/admin/plugins/[id]/index.ts +38 -0
package/src/astro/routes/api/admin/plugins/[id]/uninstall.ts +98 -0
package/src/astro/routes/api/admin/plugins/[id]/update.ts +154 -0
package/src/astro/routes/api/admin/plugins/index.ts +32 -0
package/src/astro/routes/api/admin/plugins/marketplace/[id]/icon.ts +62 -0
package/src/astro/routes/api/admin/plugins/marketplace/[id]/index.ts +33 -0
package/src/astro/routes/api/admin/plugins/marketplace/[id]/install.ts +135 -0
package/src/astro/routes/api/admin/plugins/marketplace/index.ts +38 -0
package/src/astro/routes/api/admin/plugins/updates.ts +28 -0
package/src/astro/routes/api/admin/review-requests/[id]/index.ts +35 -0
package/src/astro/routes/api/admin/review-requests/[id]/resolve.ts +52 -0
package/src/astro/routes/api/admin/review-requests/index.ts +35 -0
package/src/astro/routes/api/admin/themes/marketplace/[id]/index.ts +33 -0
package/src/astro/routes/api/admin/themes/marketplace/[id]/thumbnail.ts +62 -0
package/src/astro/routes/api/admin/themes/marketplace/index.ts +45 -0
package/src/astro/routes/api/admin/users/[id]/disable.ts +72 -0
package/src/astro/routes/api/admin/users/[id]/enable.ts +48 -0
package/src/astro/routes/api/admin/users/[id]/index.ts +166 -0
package/src/astro/routes/api/admin/users/[id]/send-recovery.ts +72 -0
package/src/astro/routes/api/admin/users/index.ts +66 -0
package/src/astro/routes/api/auth/dev-bypass.ts +139 -0
package/src/astro/routes/api/auth/invite/accept.ts +52 -0
package/src/astro/routes/api/auth/invite/complete.ts +86 -0
package/src/astro/routes/api/auth/invite/index.ts +99 -0
package/src/astro/routes/api/auth/invite/register-options.ts +73 -0
package/src/astro/routes/api/auth/logout.ts +40 -0
package/src/astro/routes/api/auth/magic-link/send.ts +90 -0
package/src/astro/routes/api/auth/magic-link/verify.ts +71 -0
package/src/astro/routes/api/auth/me.ts +60 -0
package/src/astro/routes/api/auth/oauth/[provider]/callback.ts +221 -0
package/src/astro/routes/api/auth/oauth/[provider].ts +120 -0
package/src/astro/routes/api/auth/passkey/[id].ts +124 -0
package/src/astro/routes/api/auth/passkey/index.ts +54 -0
package/src/astro/routes/api/auth/passkey/options.ts +85 -0
package/src/astro/routes/api/auth/passkey/register/options.ts +88 -0
package/src/astro/routes/api/auth/passkey/register/verify.ts +119 -0
package/src/astro/routes/api/auth/passkey/verify.ts +72 -0
package/src/astro/routes/api/auth/signup/complete.ts +87 -0
package/src/astro/routes/api/auth/signup/request.ts +89 -0
package/src/astro/routes/api/auth/signup/verify.ts +53 -0
package/src/astro/routes/api/comments/[collection]/[contentId]/index.ts +310 -0
package/src/astro/routes/api/content/[collection]/[id]/compare.ts +28 -0
package/src/astro/routes/api/content/[collection]/[id]/discard-draft.ts +68 -0
package/src/astro/routes/api/content/[collection]/[id]/duplicate.ts +77 -0
package/src/astro/routes/api/content/[collection]/[id]/permanent.ts +42 -0
package/src/astro/routes/api/content/[collection]/[id]/preview-url.ts +107 -0
package/src/astro/routes/api/content/[collection]/[id]/publish.ts +100 -0
package/src/astro/routes/api/content/[collection]/[id]/restore.ts +64 -0
package/src/astro/routes/api/content/[collection]/[id]/revisions.ts +31 -0
package/src/astro/routes/api/content/[collection]/[id]/schedule.ts +129 -0
package/src/astro/routes/api/content/[collection]/[id]/terms/[taxonomy].ts +143 -0
package/src/astro/routes/api/content/[collection]/[id]/translations.ts +50 -0
package/src/astro/routes/api/content/[collection]/[id]/unpublish.ts +69 -0
package/src/astro/routes/api/content/[collection]/[id].ts +173 -0
package/src/astro/routes/api/content/[collection]/index.ts +103 -0
package/src/astro/routes/api/content/[collection]/trash.ts +33 -0
package/src/astro/routes/api/dashboard.ts +32 -0
package/src/astro/routes/api/dev/emails.ts +36 -0
package/src/astro/routes/api/health.ts +54 -0
package/src/astro/routes/api/import/probe.ts +47 -0
package/src/astro/routes/api/import/wordpress/analyze.ts +523 -0
package/src/astro/routes/api/import/wordpress/execute.ts +330 -0
package/src/astro/routes/api/import/wordpress/media.ts +338 -0
package/src/astro/routes/api/import/wordpress/prepare.ts +212 -0
package/src/astro/routes/api/import/wordpress/rewrite-urls.ts +425 -0
package/src/astro/routes/api/import/wordpress-plugin/analyze.ts +111 -0
package/src/astro/routes/api/import/wordpress-plugin/callback.ts +58 -0
package/src/astro/routes/api/import/wordpress-plugin/execute.ts +399 -0
package/src/astro/routes/api/manifest.ts +75 -0
package/src/astro/routes/api/mcp.ts +125 -0
package/src/astro/routes/api/media/[id]/confirm.ts +93 -0
package/src/astro/routes/api/media/[id].ts +145 -0
package/src/astro/routes/api/media/file/[...key].ts +79 -0
package/src/astro/routes/api/media/providers/[providerId]/[itemId].ts +91 -0
package/src/astro/routes/api/media/providers/[providerId]/index.ts +111 -0
package/src/astro/routes/api/media/providers/index.ts +30 -0
package/src/astro/routes/api/media/upload-url.ts +146 -0
package/src/astro/routes/api/media.ts +204 -0
package/src/astro/routes/api/menus/[name]/items.ts +206 -0
package/src/astro/routes/api/menus/[name]/reorder.ts +79 -0
package/src/astro/routes/api/menus/[name].ts +145 -0
package/src/astro/routes/api/menus/index.ts +91 -0
package/src/astro/routes/api/oauth/authorize.ts +430 -0
package/src/astro/routes/api/oauth/device/authorize.ts +45 -0
package/src/astro/routes/api/oauth/device/code.ts +56 -0
package/src/astro/routes/api/oauth/device/token.ts +70 -0
package/src/astro/routes/api/oauth/register.ts +182 -0
package/src/astro/routes/api/oauth/token/refresh.ts +38 -0
package/src/astro/routes/api/oauth/token/revoke.ts +38 -0
package/src/astro/routes/api/oauth/token.ts +195 -0
package/src/astro/routes/api/openapi.json.ts +33 -0
package/src/astro/routes/api/plugins/[pluginId]/[...path].ts +109 -0
package/src/astro/routes/api/redirects/404s/index.ts +72 -0
package/src/astro/routes/api/redirects/404s/summary.ts +33 -0
package/src/astro/routes/api/redirects/[id].ts +183 -0
package/src/astro/routes/api/redirects/index.ts +100 -0
package/src/astro/routes/api/revisions/[revisionId]/index.ts +29 -0
package/src/astro/routes/api/revisions/[revisionId]/restore.ts +62 -0
package/src/astro/routes/api/schema/collections/[slug]/fields/[fieldSlug].ts +104 -0
package/src/astro/routes/api/schema/collections/[slug]/fields/index.ts +67 -0
package/src/astro/routes/api/schema/collections/[slug]/fields/reorder.ts +45 -0
package/src/astro/routes/api/schema/collections/[slug]/index.ts +107 -0
package/src/astro/routes/api/schema/collections/index.ts +61 -0
package/src/astro/routes/api/schema/index.ts +109 -0
package/src/astro/routes/api/schema/orphans/[slug].ts +36 -0
package/src/astro/routes/api/schema/orphans/index.ts +26 -0
package/src/astro/routes/api/search/enable.ts +64 -0
package/src/astro/routes/api/search/index.ts +52 -0
package/src/astro/routes/api/search/rebuild.ts +72 -0
package/src/astro/routes/api/search/stats.ts +35 -0
package/src/astro/routes/api/search/suggest.ts +50 -0
package/src/astro/routes/api/sections/[slug].ts +203 -0
package/src/astro/routes/api/sections/index.ts +107 -0
package/src/astro/routes/api/settings/email.ts +150 -0
package/src/astro/routes/api/settings.ts +116 -0
package/src/astro/routes/api/setup/admin-verify.ts +122 -0
package/src/astro/routes/api/setup/admin.ts +104 -0
package/src/astro/routes/api/setup/dev-bypass.ts +200 -0
package/src/astro/routes/api/setup/dev-reset.ts +40 -0
package/src/astro/routes/api/setup/index.ts +128 -0
package/src/astro/routes/api/setup/status.ts +122 -0
package/src/astro/routes/api/snapshot.ts +76 -0
package/src/astro/routes/api/taxonomies/[name]/terms/[slug].ts +232 -0
package/src/astro/routes/api/taxonomies/[name]/terms/index.ts +131 -0
package/src/astro/routes/api/taxonomies/index.ts +114 -0
package/src/astro/routes/api/themes/preview.ts +78 -0
package/src/astro/routes/api/typegen.ts +114 -0
package/src/astro/routes/api/well-known/auth.ts +71 -0
package/src/astro/routes/api/well-known/oauth-authorization-server.ts +48 -0
package/src/astro/routes/api/well-known/oauth-protected-resource.ts +39 -0
package/src/astro/routes/api/widget-areas/[name]/reorder.ts +114 -0
package/src/astro/routes/api/widget-areas/[name]/widgets/[id].ts +213 -0
package/src/astro/routes/api/widget-areas/[name]/widgets.ts +126 -0
package/src/astro/routes/api/widget-areas/[name].ts +135 -0
package/src/astro/routes/api/widget-areas/index.ts +149 -0
package/src/astro/routes/api/widget-components.ts +22 -0
package/src/astro/routes/robots.txt.ts +81 -0
package/src/astro/routes/sitemap-[collection].xml.ts +104 -0
package/src/astro/routes/sitemap.xml.ts +92 -0
package/src/components/Break.astro +45 -0
package/src/components/Button.astro +71 -0
package/src/components/Buttons.astro +49 -0
package/src/components/Code.astro +59 -0
package/src/components/Columns.astro +59 -0
package/src/components/CommentForm.astro +315 -0
package/src/components/Comments.astro +232 -0
package/src/components/Cover.astro +128 -0
package/src/components/DinewayBodyEnd.astro +32 -0
package/src/components/DinewayBodyStart.astro +32 -0
package/src/components/DinewayHead.astro +61 -0
package/src/components/DinewayImage.astro +178 -0
package/src/components/DinewayMedia.astro +167 -0
package/src/components/Embed.astro +128 -0
package/src/components/File.astro +122 -0
package/src/components/Gallery.astro +93 -0
package/src/components/HtmlBlock.astro +33 -0
package/src/components/Image.astro +178 -0
package/src/components/InlineEditor.astro +27 -0
package/src/components/InlinePortableTextEditor.tsx +1937 -0
package/src/components/LiveSearch.astro +614 -0
package/src/components/PortableText.astro +51 -0
package/src/components/Pullquote.astro +51 -0
package/src/components/Table.astro +135 -0
package/src/components/WidgetArea.astro +22 -0
package/src/components/WidgetRenderer.astro +72 -0
package/src/components/index.ts +106 -0
package/src/components/marks/Link.astro +31 -0
package/src/components/marks/StrikeThrough.astro +7 -0
package/src/components/marks/Subscript.astro +7 -0
package/src/components/marks/Superscript.astro +7 -0
package/src/components/marks/Underline.astro +7 -0
package/src/components/marks.ts +19 -0
package/src/components/widgets/Archives.astro +65 -0
package/src/components/widgets/Categories.astro +35 -0
package/src/components/widgets/RecentPosts.astro +51 -0
package/src/components/widgets/Search.astro +18 -0
package/src/components/widgets/Tags.astro +38 -0
package/src/ui.ts +75 -0
package/LICENSE +0 -9
/package/dist/{adapters-BlzWJG82.d.mts → adapters-C2ypTrZZ.d.mts} +0 -0
/package/dist/{config-Cq8H0SfX.mjs → config-BXwuX8Bx.mjs} +0 -0
/package/dist/{load-C6FCD1FU.mjs → load-Coc9HpHH.mjs} +0 -0
/package/dist/{manifest-schema-CTSEyIJ3.mjs → manifest-schema-D1MSVnoI.mjs} +0 -0
/package/dist/{mode-BlyYtIFO.mjs → mode-47goXBBK.mjs} +0 -0
/package/dist/{tokens-4vgYuXsZ.mjs → tokens-CJz9ubV6.mjs} +0 -0
/package/dist/{transport-C5FYnid7.mjs → transport-DB5eDN4x.mjs} +0 -0
/package/dist/{transport-gIL-e43D.d.mts → transport-Wge_IzKl.d.mts} +0 -0
/package/dist/{types-CLLdsG3g.d.mts → types-BzcUjoqg.d.mts} +0 -0
/package/dist/{types-DShnjzb6.mjs → types-griIBQOQ.mjs} +0 -0

package/src/astro/routes/api/mcp.ts ADDED Viewed

@@ -0,0 +1,125 @@
+/**
+ * MCP Streamable HTTP endpoint
+ *
+ * Exposes an MCP server at /_dineway/api/mcp using the Streamable HTTP
+ * transport (Web Standard variant). The server runs stateless — each
+ * request creates a fresh transport, so no session tracking is needed.
+ * Authentication is handled by the existing Dineway auth middleware.
+ *
+ * POST /_dineway/api/mcp — JSON-RPC tool calls
+ * GET  /_dineway/api/mcp — SSE stream (not used in stateless mode)
+ * DELETE /_dineway/api/mcp — Session close (not used in stateless mode)
+ */
+import { WebStandardStreamableHTTPServerTransport } from "@modelcontextprotocol/sdk/server/webStandardStreamableHttp.js";
+import type { APIRoute } from "astro";
+import { apiError } from "#api/error.js";
+import { createMcpServer } from "#mcp/server.js";
+export const prerender = false;
+export const POST: APIRoute = async ({ request, locals }) => {
+	const { dineway, user } = locals;
+	if (!dineway) {
+		return apiError("NOT_CONFIGURED", "Dineway is not initialized", 500);
+	}
+	if (!user) {
+		return apiError("UNAUTHORIZED", "Authentication required", 401);
+	}
+	const server = createMcpServer();
+	try {
+		const transport = new WebStandardStreamableHTTPServerTransport({
+			// Stateless: no session management
+			sessionIdGenerator: undefined,
+		});
+		await server.connect(transport);
+		return await transport.handleRequest(request, {
+			authInfo: {
+				token: "",
+				clientId: "dineway-admin",
+				scopes: [],
+				extra: {
+					dineway,
+					userId: user.id,
+					userRole: user.role,
+					tokenScopes: locals.tokenScopes,
+					authToken: locals.authToken,
+				},
+			},
+		});
+	} catch (error) {
+		console.error("[MCP]", error);
+		await server.close().catch(() => {});
+		return new Response(
+			JSON.stringify({
+				jsonrpc: "2.0",
+				error: {
+					code: -32603,
+					message: "Internal server error",
+				},
+				id: null,
+			}),
+			{
+				status: 500,
+				headers: {
+					"Content-Type": "application/json",
+					"Cache-Control": "private, no-store",
+				},
+			},
+		);
+	}
+};
+/**
+ * GET — SSE stream. Not used in stateless mode.
+ */
+export const GET: APIRoute = async () => {
+	return new Response(
+		JSON.stringify({
+			jsonrpc: "2.0",
+			error: {
+				code: -32000,
+				message: "Method not allowed. This is a stateless MCP endpoint — use POST.",
+			},
+			id: null,
+		}),
+		{
+			status: 405,
+			headers: {
+				"Content-Type": "application/json",
+				"Cache-Control": "private, no-store",
+			},
+		},
+	);
+};
+/**
+ * DELETE — Session close. Not used in stateless mode.
+ */
+export const DELETE: APIRoute = async () => {
+	return new Response(
+		JSON.stringify({
+			jsonrpc: "2.0",
+			error: {
+				code: -32000,
+				message: "Method not allowed. This is a stateless MCP endpoint.",
+			},
+			id: null,
+		}),
+		{
+			status: 405,
+			headers: {
+				"Content-Type": "application/json",
+				"Cache-Control": "private, no-store",
+			},
+		},
+	);
+};

package/src/astro/routes/api/media/[id]/confirm.ts ADDED Viewed

@@ -0,0 +1,93 @@
+/**
+ * Confirm media upload endpoint
+ *
+ * POST /_dineway/api/media/{id}/confirm
+ *
+ * Confirms that the client has successfully uploaded the file to storage.
+ * Marks the media record as ready and optionally updates metadata.
+ */
+import type { APIRoute } from "astro";
+import { MediaRepository } from "dineway";
+import { requirePerm } from "#api/authorize.js";
+import { apiError, apiSuccess, handleError } from "#api/error.js";
+import { isParseError, parseOptionalBody } from "#api/parse.js";
+import { mediaConfirmBody } from "#api/schemas.js";
+import type { MediaItem } from "#types";
+export const prerender = false;
+/**
+ * Add URL to media item (relative URL for portability)
+ */
+function addUrlToMedia(item: MediaItem): MediaItem & { url: string } {
+	return {
+		...item,
+		url: `/_dineway/api/media/file/${item.storageKey}`,
+	};
+}
+/**
+ * Confirm upload completion
+ */
+export const POST: APIRoute = async ({ params, request, locals }) => {
+	const { dineway, user } = locals;
+	const { id } = params;
+	const denied = requirePerm(user, "media:upload");
+	if (denied) return denied;
+	if (!id) {
+		return apiError("INVALID_REQUEST", "Media ID is required", 400);
+	}
+	if (!dineway?.db) {
+		return apiError("NOT_CONFIGURED", "Dineway is not initialized", 500);
+	}
+	try {
+		const body = await parseOptionalBody(request, mediaConfirmBody, {});
+		if (isParseError(body)) return body;
+		const repo = new MediaRepository(dineway.db);
+		// Get the media item first to check status
+		const existing = await repo.findById(id);
+		if (!existing) {
+			return apiError("NOT_FOUND", `Media item not found: ${id}`, 404);
+		}
+		if (existing.status !== "pending") {
+			return apiError("INVALID_STATE", `Media item is not pending: ${existing.status}`, 400);
+		}
+		// Optionally verify the file exists in storage
+		if (dineway.storage) {
+			const exists = await dineway.storage.exists(existing.storageKey);
+			if (!exists) {
+				// Mark as failed
+				await repo.markFailed(id);
+				return apiError("FILE_NOT_FOUND", "File was not uploaded to storage", 400);
+			}
+		}
+		// Confirm the upload
+		const item = await repo.confirmUpload(id, {
+			size: body.size,
+			width: body.width,
+			height: body.height,
+		});
+		if (!item) {
+			return apiError("CONFIRM_FAILED", "Failed to confirm upload", 500);
+		}
+		// Add URL to the response (relative URL for portability)
+		const itemWithUrl = addUrlToMedia(item);
+		return apiSuccess({ item: itemWithUrl });
+	} catch (error) {
+		return handleError(error, "Failed to confirm upload", "CONFIRM_ERROR");
+	}
+};

package/src/astro/routes/api/media/[id].ts ADDED Viewed

@@ -0,0 +1,145 @@
+/**
+ * Single media item endpoint
+ *
+ * GET /_dineway/api/media/:id - Get media item
+ * PUT /_dineway/api/media/:id - Update media metadata
+ * DELETE /_dineway/api/media/:id - Delete media item
+ */
+import type { APIRoute } from "astro";
+import { requireOwnerPerm, requirePerm } from "#api/authorize.js";
+import { apiError, handleError, unwrapResult } from "#api/error.js";
+import { isParseError, parseBody } from "#api/parse.js";
+import { mediaUpdateBody } from "#api/schemas.js";
+export const prerender = false;
+/**
+ * Get media item
+ */
+export const GET: APIRoute = async ({ params, locals }) => {
+	const { dineway, user } = locals;
+	const { id } = params;
+	const readDenied = requirePerm(user, "media:read");
+	if (readDenied) return readDenied;
+	if (!id) {
+		return apiError("INVALID_REQUEST", "Media ID required", 400);
+	}
+	if (!dineway?.handleMediaGet) {
+		return apiError("NOT_CONFIGURED", "Dineway is not initialized", 500);
+	}
+	const result = await dineway.handleMediaGet(id);
+	return unwrapResult(result);
+};
+/**
+ * Update media metadata
+ *
+ * Authors can edit their own media; editors+ can edit any.
+ */
+export const PUT: APIRoute = async ({ params, request, locals }) => {
+	const { dineway, user } = locals;
+	const { id } = params;
+	// Minimum permission gate — ownership checked below
+	const editDenied = requirePerm(user, "media:edit_own");
+	if (editDenied) return editDenied;
+	if (!id) {
+		return apiError("INVALID_REQUEST", "Media ID required", 400);
+	}
+	if (!dineway?.handleMediaGet || !dineway?.handleMediaUpdate) {
+		return apiError("NOT_CONFIGURED", "Dineway is not initialized", 500);
+	}
+	try {
+		// Fetch media item for ownership check
+		const getResult = await dineway.handleMediaGet(id);
+		if (!getResult.success || !getResult.data?.item) {
+			return apiError("NOT_FOUND", "Media item not found", 404);
+		}
+		const media = getResult.data.item;
+		// Ownership check: authors can edit own, editors+ can edit any
+		const ownerDenied = requireOwnerPerm(user, media.authorId, "media:edit_own", "media:edit_any");
+		if (ownerDenied) return ownerDenied;
+		const body = await parseBody(request, mediaUpdateBody);
+		if (isParseError(body)) return body;
+		const result = await dineway.handleMediaUpdate(id, {
+			alt: body.alt,
+			caption: body.caption,
+			width: body.width,
+			height: body.height,
+		});
+		return unwrapResult(result);
+	} catch (error) {
+		return handleError(error, "Failed to update media", "MEDIA_UPDATE_ERROR");
+	}
+};
+/**
+ * Delete media item
+ *
+ * Authors can delete their own media; editors+ can delete any.
+ */
+export const DELETE: APIRoute = async ({ params, locals }) => {
+	const { dineway, user } = locals;
+	const { id } = params;
+	// Minimum permission gate — ownership checked below
+	const deleteDenied = requirePerm(user, "media:delete_own");
+	if (deleteDenied) return deleteDenied;
+	if (!id) {
+		return apiError("INVALID_REQUEST", "Media ID required", 400);
+	}
+	if (!dineway?.handleMediaGet || !dineway?.handleMediaDelete) {
+		return apiError("NOT_CONFIGURED", "Dineway is not initialized", 500);
+	}
+	try {
+		// Fetch media item for ownership check and storage key
+		const getResult = await dineway.handleMediaGet(id);
+		if (!getResult.success || !getResult.data?.item) {
+			return apiError("NOT_FOUND", "Media item not found", 404);
+		}
+		const media = getResult.data.item;
+		// Ownership check: authors can delete own, editors+ can delete any
+		const ownerDenied = requireOwnerPerm(
+			user,
+			media.authorId,
+			"media:delete_own",
+			"media:delete_any",
+		);
+		if (ownerDenied) return ownerDenied;
+		// Delete file from storage via the storage adapter
+		if (dineway.storage) {
+			try {
+				await dineway.storage.delete(media.storageKey);
+			} catch {
+				// Best-effort — continue with database deletion
+			}
+		}
+		// Delete from database
+		const result = await dineway.handleMediaDelete(id);
+		return unwrapResult(result);
+	} catch (error) {
+		return handleError(error, "Failed to delete media", "MEDIA_DELETE_ERROR");
+	}
+};

package/src/astro/routes/api/media/file/[...key].ts ADDED Viewed

@@ -0,0 +1,79 @@
+/**
+ * Serve uploaded media files
+ *
+ * GET /_dineway/api/media/file/:key - Serve file from storage
+ */
+import type { APIRoute } from "astro";
+import { apiError, handleError } from "#api/error.js";
+export const prerender = false;
+/**
+ * Content types that are safe to display inline (simple raster/vector images, video, audio).
+ * Everything else gets Content-Disposition: attachment to prevent script execution.
+ */
+const SAFE_INLINE_TYPES = new Set([
+	"image/jpeg",
+	"image/png",
+	"image/gif",
+	"image/webp",
+	"image/avif",
+	"image/x-icon",
+	"video/mp4",
+	"video/webm",
+	"audio/mpeg",
+	"audio/wav",
+	"audio/ogg",
+]);
+export const GET: APIRoute = async ({ params, locals }) => {
+	const { key } = params;
+	const { dineway } = locals;
+	if (!key) {
+		return apiError("NOT_FOUND", "File not found", 404);
+	}
+	if (!dineway?.storage) {
+		return apiError("NOT_CONFIGURED", "Storage not configured", 500);
+	}
+	try {
+		const result = await dineway.storage.download(key);
+		const headers: Record<string, string> = {
+			"Content-Type": result.contentType,
+			"Cache-Control": "public, max-age=31536000, immutable",
+			"X-Content-Type-Options": "nosniff",
+			// Sandbox CSP on all user-uploaded content — prevents script execution
+			// even for SVGs navigated to directly or content types that support scripting.
+			"Content-Security-Policy":
+				"sandbox; default-src 'none'; img-src 'self'; style-src 'unsafe-inline'",
+		};
+		if (result.size) {
+			headers["Content-Length"] = String(result.size);
+		}
+		// Safe image/media types can render inline; everything else (SVG, PDF,
+		// HTML, JS, etc.) must be downloaded to prevent stored XSS.
+		if (SAFE_INLINE_TYPES.has(result.contentType)) {
+			headers["Content-Disposition"] = "inline";
+		} else {
+			headers["Content-Disposition"] = "attachment";
+		}
+		return new Response(result.body, { status: 200, headers });
+	} catch (error) {
+		// Check if it's a "not found" error
+		if (
+			error instanceof Error &&
+			(error.message.includes("not found") || error.message.includes("NOT_FOUND"))
+		) {
+			return apiError("NOT_FOUND", "File not found", 404);
+		}
+		return handleError(error, "Failed to serve file", "FILE_SERVE_ERROR");
+	}
+};

package/src/astro/routes/api/media/providers/[providerId]/[itemId].ts ADDED Viewed

@@ -0,0 +1,91 @@
+/**
+ * Media Provider Item Endpoint
+ *
+ * GET /_dineway/api/media/providers/:providerId/:itemId - Get single item
+ * DELETE /_dineway/api/media/providers/:providerId/:itemId - Delete item
+ */
+import type { APIRoute } from "astro";
+import { requirePerm } from "#api/authorize.js";
+import { apiError, apiSuccess, handleError } from "#api/error.js";
+export const prerender = false;
+/**
+ * Get a single media item from a provider
+ */
+export const GET: APIRoute = async ({ params, locals }) => {
+	const { dineway, user } = locals;
+	const denied = requirePerm(user, "media:read");
+	if (denied) return denied;
+	const { providerId, itemId } = params;
+	if (!providerId || !itemId) {
+		return apiError("INVALID_REQUEST", "Provider ID and Item ID required", 400);
+	}
+	if (!dineway?.getMediaProvider) {
+		return apiError("NOT_CONFIGURED", "Dineway is not initialized", 500);
+	}
+	const provider = dineway.getMediaProvider(providerId);
+	if (!provider) {
+		return apiError("NOT_FOUND", `Provider "${providerId}" not found`, 404);
+	}
+	if (!provider.get) {
+		return apiError(
+			"NOT_SUPPORTED",
+			`Provider "${providerId}" does not support getting individual items`,
+			400,
+		);
+	}
+	try {
+		const item = await provider.get(itemId);
+		if (!item) {
+			return apiError("NOT_FOUND", "Item not found", 404);
+		}
+		return apiSuccess({ item });
+	} catch (error) {
+		return handleError(error, "Failed to get item from provider", "PROVIDER_GET_ERROR");
+	}
+};
+/**
+ * Delete a media item from a provider
+ */
+export const DELETE: APIRoute = async ({ params, locals }) => {
+	const { dineway, user } = locals;
+	const denied = requirePerm(user, "media:delete_any");
+	if (denied) return denied;
+	const { providerId, itemId } = params;
+	if (!providerId || !itemId) {
+		return apiError("INVALID_REQUEST", "Provider ID and Item ID required", 400);
+	}
+	if (!dineway?.getMediaProvider) {
+		return apiError("NOT_CONFIGURED", "Dineway is not initialized", 500);
+	}
+	const provider = dineway.getMediaProvider(providerId);
+	if (!provider) {
+		return apiError("NOT_FOUND", `Provider "${providerId}" not found`, 404);
+	}
+	if (!provider.delete) {
+		return apiError("NOT_SUPPORTED", `Provider "${providerId}" does not support deletion`, 400);
+	}
+	try {
+		await provider.delete(itemId);
+		return apiSuccess({ deleted: true });
+	} catch (error) {
+		return handleError(error, "Failed to delete item from provider", "PROVIDER_DELETE_ERROR");
+	}
+};

package/src/astro/routes/api/media/providers/[providerId]/index.ts ADDED Viewed

@@ -0,0 +1,111 @@
+/**
+ * Media Provider List/Upload Endpoint
+ *
+ * GET /_dineway/api/media/providers/:providerId - List media from provider
+ * POST /_dineway/api/media/providers/:providerId - Upload to provider
+ */
+import type { APIRoute } from "astro";
+import { requirePerm } from "#api/authorize.js";
+import { apiError, apiSuccess, handleError } from "#api/error.js";
+export const prerender = false;
+/**
+ * List media from a specific provider
+ */
+export const GET: APIRoute = async ({ params, request, locals }) => {
+	const { dineway, user } = locals;
+	const { providerId } = params;
+	const readDenied = requirePerm(user, "media:read");
+	if (readDenied) return readDenied;
+	if (!providerId) {
+		return apiError("INVALID_REQUEST", "Provider ID required", 400);
+	}
+	if (!dineway?.getMediaProvider) {
+		return apiError("NOT_CONFIGURED", "Dineway is not initialized", 500);
+	}
+	const provider = dineway.getMediaProvider(providerId);
+	if (!provider) {
+		return apiError("NOT_FOUND", `Provider "${providerId}" not found`, 404);
+	}
+	const url = new URL(request.url);
+	const cursor = url.searchParams.get("cursor") || undefined;
+	const limit = url.searchParams.get("limit")
+		? parseInt(url.searchParams.get("limit")!, 10)
+		: undefined;
+	const query = url.searchParams.get("query") || undefined;
+	const mimeType = url.searchParams.get("mimeType") || undefined;
+	try {
+		const result = await provider.list({
+			cursor,
+			limit,
+			query,
+			mimeType,
+		});
+		return apiSuccess({
+			items: result.items,
+			nextCursor: result.nextCursor,
+		});
+	} catch (error) {
+		return handleError(error, "Failed to list media from provider", "PROVIDER_LIST_ERROR");
+	}
+};
+/**
+ * Upload media to a specific provider
+ */
+export const POST: APIRoute = async ({ params, request, locals }) => {
+	const { dineway, user } = locals;
+	const { providerId } = params;
+	const uploadDenied = requirePerm(user, "media:upload");
+	if (uploadDenied) return uploadDenied;
+	if (!providerId) {
+		return apiError("INVALID_REQUEST", "Provider ID required", 400);
+	}
+	if (!dineway?.getMediaProvider) {
+		return apiError("NOT_CONFIGURED", "Dineway is not initialized", 500);
+	}
+	const provider = dineway.getMediaProvider(providerId);
+	if (!provider) {
+		return apiError("NOT_FOUND", `Provider "${providerId}" not found`, 404);
+	}
+	if (!provider.upload) {
+		return apiError("NOT_SUPPORTED", `Provider "${providerId}" does not support uploads`, 400);
+	}
+	try {
+		const formData = await request.formData();
+		const fileEntry = formData.get("file");
+		const file = fileEntry instanceof File ? fileEntry : null;
+		const altEntry = formData.get("alt");
+		const alt = typeof altEntry === "string" ? altEntry : null;
+		if (!file) {
+			return apiError("NO_FILE", "No file provided", 400);
+		}
+		const item = await provider.upload({
+			file,
+			filename: file.name,
+			alt: alt || undefined,
+		});
+		return apiSuccess({ item }, 201);
+	} catch (error) {
+		return handleError(error, "Failed to upload to provider", "PROVIDER_UPLOAD_ERROR");
+	}
+};

package/src/astro/routes/api/media/providers/index.ts ADDED Viewed

@@ -0,0 +1,30 @@
+/**
+ * Media Providers List Endpoint
+ *
+ * GET /_dineway/api/media/providers - List all configured media providers
+ */
+import type { APIRoute } from "astro";
+import { requirePerm } from "#api/authorize.js";
+import { apiError, apiSuccess } from "#api/error.js";
+export const prerender = false;
+/**
+ * List all configured media providers
+ */
+export const GET: APIRoute = async ({ locals }) => {
+	const { dineway, user } = locals;
+	const denied = requirePerm(user, "media:read");
+	if (denied) return denied;
+	if (!dineway?.getMediaProviderList) {
+		return apiError("NOT_CONFIGURED", "Dineway is not initialized", 500);
+	}
+	const providers = dineway.getMediaProviderList();
+	return apiSuccess({ items: providers });
+};