dineway 0.1.3 → 0.1.5

package/src/astro/routes/api/search/suggest.ts

@@ -0,0 +1,50 @@
+/**
+ * Search suggestions endpoint - Autocomplete
+ *
+ * GET /_dineway/api/search/suggest?q=hel&limit=5
+ */
+
+import type { APIRoute } from "astro";
+
+import { apiError, apiSuccess, handleError } from "#api/error.js";
+import { isParseError, parseQuery } from "#api/parse.js";
+import { searchSuggestQuery } from "#api/schemas.js";
+import { getSuggestions } from "#search/index.js";
+
+export const prerender = false;
+
+/**
+ * Get search suggestions for autocomplete
+ *
+ * Query parameters:
+ * - q: Partial search query (required)
+ * - collections: Comma-separated list of collection slugs (optional)
+ * - limit: Maximum suggestions (optional, defaults to 5)
+ */
+export const GET: APIRoute = async ({ url, locals }) => {
+	const { dineway } = locals;
+
+	if (!dineway?.db) {
+		return apiError("NOT_CONFIGURED", "Dineway is not configured", 500);
+	}
+
+	const query = parseQuery(url, searchSuggestQuery);
+	if (isParseError(query)) return query;
+
+	const collections = query.collections
+		? query.collections.split(",").map((c: string) => c.trim())
+		: undefined;
+
+	try {
+		await dineway.ensureSearchHealthy?.();
+		const suggestions = await getSuggestions(dineway.db, query.q, {
+			collections,
+			locale: query.locale,
+			limit: query.limit,
+		});
+
+		return apiSuccess({ items: suggestions });
+	} catch (error) {
+		return handleError(error, "Failed to get suggestions", "SUGGESTION_ERROR");
+	}
+};

package/src/astro/routes/api/sections/[slug].ts

@@ -0,0 +1,203 @@
+/**
+ * Section by slug endpoints
+ *
+ * GET    /_dineway/api/sections/:slug - Get section
+ * PUT    /_dineway/api/sections/:slug - Update section
+ * DELETE /_dineway/api/sections/:slug - Delete section
+ */
+
+import type { APIRoute } from "astro";
+import { z } from "zod";
+
+import { requirePerm } from "#api/authorize.js";
+import { apiError, handleError, unwrapResult } from "#api/error.js";
+import {
+	handleSectionDelete,
+	handleSectionGet,
+	handleSectionUpdate,
+} from "#api/handlers/sections.js";
+import {
+	ensureWorkflowHitlRouteRequest,
+	hitlRequiredRouteError,
+	resolveHitlRouteActor,
+} from "#api/hitl-route-helpers.js";
+import { isParseError, parseBody, parseQuery } from "#api/parse.js";
+import { updateSectionBody } from "#api/schemas.js";
+import {
+	activityChangedKeys,
+	logSectionActivity,
+	RiskPolicyEvaluator,
+	sectionApiRouteSource,
+	SectionHitlPayloadBuilder,
+} from "#site-context/index.js";
+
+export const prerender = false;
+
+const updateSectionHitlBody = updateSectionBody.extend({
+	hitlRequestId: z.string().min(1).optional(),
+});
+
+const deleteSectionQuery = z.object({
+	hitlRequestId: z.string().min(1).optional(),
+});
+
+export const GET: APIRoute = async ({ params, locals }) => {
+	const { dineway, user } = locals;
+	const db = dineway.db;
+	const { slug } = params;
+
+	const denied = requirePerm(user, "sections:read");
+	if (denied) return denied;
+
+	if (!slug) {
+		return apiError("VALIDATION_ERROR", "slug is required", 400);
+	}
+
+	try {
+		const result = await handleSectionGet(db, slug);
+		return unwrapResult(result);
+	} catch (error) {
+		return handleError(error, "Failed to fetch section", "SECTION_GET_ERROR");
+	}
+};
+
+export const PUT: APIRoute = async ({ params, request, locals }) => {
+	const { dineway, user } = locals;
+	const db = dineway.db;
+	const { slug } = params;
+
+	const denied = requirePerm(user, "sections:manage");
+	if (denied) return denied;
+
+	if (!slug) {
+		return apiError("VALIDATION_ERROR", "slug is required", 400);
+	}
+
+	try {
+		const body = await parseBody(request, updateSectionHitlBody);
+		if (isParseError(body)) return body;
+
+		const current = await new SectionHitlPayloadBuilder(db).loadSectionSnapshot(slug);
+		if (!current) {
+			return apiError("NOT_FOUND", `Section "${slug}" not found`, 404);
+		}
+
+		const { hitlRequestId, ...sectionInput } = body;
+		const actor = resolveHitlRouteActor(locals);
+		const evaluator = new RiskPolicyEvaluator({
+			db,
+			handlers: dineway,
+		});
+		let approvedHitlRequestId: string | null = null;
+
+		if (evaluator.requiresWorkflowHitl(actor.identity)) {
+			const action = await new SectionHitlPayloadBuilder(db).buildUpdateSectionRequest({
+				section: current,
+				...sectionInput,
+			});
+			const decision = await evaluator.evaluateWorkflowHitl({
+				actor: actor.identity,
+				hitlRequestId,
+				action,
+			});
+			if (!decision.allowed) {
+				const ensured = await ensureWorkflowHitlRouteRequest(db, locals, decision.action);
+				return hitlRequiredRouteError(decision, ensured);
+			}
+			approvedHitlRequestId = decision.hitlRequest.id;
+		}
+
+		const result = await handleSectionUpdate(db, slug, sectionInput);
+		if (result.success) {
+			await logSectionActivity(db, locals, {
+				action: "updated",
+				sectionId: result.data.id,
+				sectionSlug: result.data.slug,
+				...sectionApiRouteSource("updated"),
+				detail: {
+					changedKeys: activityChangedKeys(sectionInput),
+					source: current.source,
+					themeId: current.themeId,
+					previewMediaId:
+						sectionInput.previewMediaId !== undefined
+							? sectionInput.previewMediaId
+							: current.previewMediaId,
+					hitlRequestId: approvedHitlRequestId,
+				},
+			});
+		}
+		return unwrapResult(result);
+	} catch (error) {
+		return handleError(error, "Failed to update section", "SECTION_UPDATE_ERROR");
+	}
+};
+
+export const DELETE: APIRoute = async ({ params, request, locals }) => {
+	const { dineway, user } = locals;
+	const db = dineway.db;
+	const { slug } = params;
+
+	const denied = requirePerm(user, "sections:manage");
+	if (denied) return denied;
+
+	if (!slug) {
+		return apiError("VALIDATION_ERROR", "slug is required", 400);
+	}
+
+	const query = parseQuery(new URL(request.url), deleteSectionQuery);
+	if (isParseError(query)) return query;
+
+	try {
+		const current = await new SectionHitlPayloadBuilder(db).loadSectionSnapshot(slug);
+		if (!current) {
+			return apiError("NOT_FOUND", `Section "${slug}" not found`, 404);
+		}
+
+		if (current.source === "theme") {
+			const result = await handleSectionDelete(db, slug);
+			return unwrapResult(result);
+		}
+
+		const actor = resolveHitlRouteActor(locals);
+		const evaluator = new RiskPolicyEvaluator({
+			db,
+			handlers: dineway,
+		});
+		let approvedHitlRequestId: string | null = null;
+
+		if (evaluator.requiresWorkflowHitl(actor.identity)) {
+			const action = await new SectionHitlPayloadBuilder(db).buildDeleteSectionRequest({
+				section: current,
+			});
+			const decision = await evaluator.evaluateWorkflowHitl({
+				actor: actor.identity,
+				hitlRequestId: query.hitlRequestId,
+				action,
+			});
+			if (!decision.allowed) {
+				const ensured = await ensureWorkflowHitlRouteRequest(db, locals, decision.action);
+				return hitlRequiredRouteError(decision, ensured);
+			}
+			approvedHitlRequestId = decision.hitlRequest.id;
+		}
+
+		const result = await handleSectionDelete(db, slug);
+		if (result.success) {
+			await logSectionActivity(db, locals, {
+				action: "deleted",
+				sectionId: current.id,
+				sectionSlug: current.slug,
+				...sectionApiRouteSource("deleted"),
+				detail: {
+					source: current.source,
+					themeId: current.themeId,
+					previewMediaId: current.previewMediaId,
+					hitlRequestId: approvedHitlRequestId,
+				},
+			});
+		}
+		return unwrapResult(result);
+	} catch (error) {
+		return handleError(error, "Failed to delete section", "SECTION_DELETE_ERROR");
+	}
+};

package/src/astro/routes/api/sections/index.ts

@@ -0,0 +1,107 @@
+/**
+ * Sections list and create endpoints
+ *
+ * GET  /_dineway/api/sections - List all sections (with filters)
+ * POST /_dineway/api/sections - Create section
+ */
+
+import type { APIRoute } from "astro";
+import { z } from "zod";
+
+import { requirePerm } from "#api/authorize.js";
+import { handleError, unwrapResult } from "#api/error.js";
+import { handleSectionCreate, handleSectionList } from "#api/handlers/sections.js";
+import {
+	ensureWorkflowHitlRouteRequest,
+	hitlRequiredRouteError,
+	resolveHitlRouteActor,
+} from "#api/hitl-route-helpers.js";
+import { isParseError, parseBody, parseQuery } from "#api/parse.js";
+import { createSectionBody, sectionsListQuery } from "#api/schemas.js";
+import {
+	logSectionActivity,
+	RiskPolicyEvaluator,
+	sectionApiRouteSource,
+	SectionHitlPayloadBuilder,
+} from "#site-context/index.js";
+
+export const prerender = false;
+
+const createSectionHitlBody = createSectionBody.extend({
+	hitlRequestId: z.string().min(1).optional(),
+});
+
+export const GET: APIRoute = async ({ url, locals }) => {
+	const { dineway, user } = locals;
+	const db = dineway.db;
+
+	const denied = requirePerm(user, "sections:read");
+	if (denied) return denied;
+
+	try {
+		const query = parseQuery(url, sectionsListQuery);
+		if (isParseError(query)) return query;
+
+		const result = await handleSectionList(db, query);
+		return unwrapResult(result);
+	} catch (error) {
+		return handleError(error, "Failed to fetch sections", "SECTION_LIST_ERROR");
+	}
+};
+
+export const POST: APIRoute = async ({ request, locals }) => {
+	const { dineway, user } = locals;
+	const db = dineway.db;
+
+	const denied = requirePerm(user, "sections:manage");
+	if (denied) return denied;
+
+	try {
+		const body = await parseBody(request, createSectionHitlBody);
+		if (isParseError(body)) return body;
+
+		const { hitlRequestId, ...sectionInput } = body;
+		const actor = resolveHitlRouteActor(locals);
+		const evaluator = new RiskPolicyEvaluator({
+			db,
+			handlers: dineway,
+		});
+		let approvedHitlRequestId: string | null = null;
+
+		if (evaluator.requiresWorkflowHitl(actor.identity)) {
+			const action = await new SectionHitlPayloadBuilder(db).buildCreateSectionRequest(
+				sectionInput,
+			);
+			const decision = await evaluator.evaluateWorkflowHitl({
+				actor: actor.identity,
+				hitlRequestId,
+				action,
+			});
+			if (!decision.allowed) {
+				const ensured = await ensureWorkflowHitlRouteRequest(db, locals, decision.action);
+				return hitlRequiredRouteError(decision, ensured);
+			}
+			approvedHitlRequestId = decision.hitlRequest.id;
+		}
+
+		const result = await handleSectionCreate(db, sectionInput);
+		if (result.success) {
+			await logSectionActivity(db, locals, {
+				action: "created",
+				sectionId: result.data.id,
+				sectionSlug: result.data.slug,
+				...sectionApiRouteSource("created"),
+				detail: {
+					title: result.data.title,
+					source: result.data.source,
+					themeId: result.data.themeId ?? null,
+					previewMediaId: sectionInput.previewMediaId ?? null,
+					hitlRequestId: approvedHitlRequestId,
+				},
+			});
+		}
+		return unwrapResult(result, 201);
+	} catch (error) {
+		return handleError(error, "Failed to create section", "SECTION_CREATE_ERROR");
+	}
+};

package/src/astro/routes/api/settings/email.ts

@@ -0,0 +1,150 @@
+/**
+ * Email Settings API endpoint
+ *
+ * GET  /_dineway/api/settings/email      — current provider, available providers, middleware
+ * POST /_dineway/api/settings/email/test — send a test email through the full pipeline
+ */
+
+import { escapeHtml } from "@dineway-ai/auth";
+import type { APIRoute } from "astro";
+import { z } from "zod";
+
+import { requirePerm } from "#api/authorize.js";
+import { apiError, apiSuccess, handleError } from "#api/error.js";
+import { isParseError, parseBody } from "#api/parse.js";
+import { OptionsRepository } from "#db/repositories/options.js";
+
+export const prerender = false;
+
+const EMAIL_DELIVER_HOOK = "email:deliver";
+const EMAIL_BEFORE_SEND_HOOK = "email:beforeSend";
+const EMAIL_AFTER_SEND_HOOK = "email:afterSend";
+
+/**
+ * GET /_dineway/api/settings/email
+ *
+ * Returns the email configuration state:
+ * - Current provider selection
+ * - Available providers (plugins with email:deliver)
+ * - Active middleware (email:beforeSend / email:afterSend plugins)
+ * - Whether email is available
+ */
+export const GET: APIRoute = async ({ locals }) => {
+	const { dineway, user } = locals;
+
+	if (!dineway?.db) {
+		return apiError("NOT_CONFIGURED", "Dineway is not initialized", 500);
+	}
+
+	const denied = requirePerm(user, "settings:manage");
+	if (denied) return denied;
+
+	try {
+		const pipeline = dineway.hooks;
+		const optionsRepo = new OptionsRepository(dineway.db);
+
+		// Get email:deliver providers and current selection
+		const providers = pipeline.getExclusiveHookProviders(EMAIL_DELIVER_HOOK);
+		const selectedProviderId = await optionsRepo.get<string>(
+			`dineway:exclusive_hook:${EMAIL_DELIVER_HOOK}`,
+		);
+
+		// Get middleware hooks (beforeSend / afterSend)
+		const beforeSendPlugins = pipeline
+			.getExclusiveHookProviders(EMAIL_BEFORE_SEND_HOOK)
+			.map((p) => p.pluginId);
+		const afterSendPlugins = pipeline
+			.getExclusiveHookProviders(EMAIL_AFTER_SEND_HOOK)
+			.map((p) => p.pluginId);
+
+		// Note: beforeSend/afterSend are NOT exclusive hooks, but getExclusiveHookProviders
+		// only finds exclusive ones. We need all hooks for those names.
+		// For now, report what we can from the exclusive hook system.
+		// Middleware is non-exclusive so we'd need a different query.
+		// TODO: Add getHookProviders() for non-exclusive hooks to the pipeline.
+
+		return apiSuccess({
+			available: dineway.email?.isAvailable() ?? false,
+			providers: providers.map((p) => ({
+				pluginId: p.pluginId,
+			})),
+			selectedProviderId: selectedProviderId ?? null,
+			middleware: {
+				beforeSend: beforeSendPlugins,
+				afterSend: afterSendPlugins,
+			},
+		});
+	} catch (error) {
+		return handleError(error, "Failed to get email settings", "EMAIL_SETTINGS_READ_ERROR");
+	}
+};
+
+/**
+ * POST /_dineway/api/settings/email/test
+ *
+ * Send a test email through the full pipeline.
+ * Validates the pipeline is configured and the provider works.
+ */
+const testEmailBody = z.object({
+	to: z.string().email(),
+});
+
+export const POST: APIRoute = async ({ request, locals }) => {
+	const { dineway, user } = locals;
+
+	if (!dineway?.db) {
+		return apiError("NOT_CONFIGURED", "Dineway is not initialized", 500);
+	}
+
+	const denied = requirePerm(user, "settings:manage");
+	if (denied) return denied;
+
+	if (!dineway.email?.isAvailable()) {
+		return apiError(
+			"EMAIL_NOT_CONFIGURED",
+			"No email provider is configured. Install and activate an email provider plugin.",
+			503,
+		);
+	}
+
+	try {
+		const body = await parseBody(request, testEmailBody);
+		if (isParseError(body)) return body;
+
+		const optionsRepo = new OptionsRepository(dineway.db);
+		const siteName = (await optionsRepo.get<string>("dineway:site_title")) ?? "Dineway";
+		const safeName = escapeHtml(siteName);
+
+		await dineway.email.send(
+			{
+				to: body.to,
+				subject: `Test email from ${siteName}`,
+				text: `This is a test email from ${siteName}.\n\nIf you received this, your email provider is working correctly.`,
+				html: `
+<!DOCTYPE html>
+<html>
+<head>
+  <meta charset="utf-8">
+  <meta name="viewport" content="width=device-width, initial-scale=1.0">
+</head>
+<body style="font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, sans-serif; line-height: 1.5; color: #333; max-width: 600px; margin: 0 auto; padding: 20px;">
+  <h1 style="font-size: 24px; margin-bottom: 20px;">Test Email</h1>
+  <p>This is a test email from <strong>${safeName}</strong>.</p>
+  <p>If you received this, your email provider is working correctly.</p>
+  <p style="color: #666; font-size: 14px; margin-top: 30px;">
+    Sent via the Dineway email pipeline.
+  </p>
+</body>
+</html>`,
+			},
+			"admin",
+		);
+
+		return apiSuccess({
+			success: true,
+			message: `Test email sent to ${body.to}`,
+		});
+	} catch (error) {
+		return handleError(error, "Failed to send test email", "EMAIL_TEST_ERROR");
+	}
+};

package/src/astro/routes/api/settings.ts

@@ -0,0 +1,116 @@
+/**
+ * Site Settings API endpoint
+ *
+ * GET  /_dineway/api/settings - Get all site settings
+ * POST /_dineway/api/settings - Update site settings
+ */
+
+import type { APIRoute } from "astro";
+import { z } from "zod";
+
+import { requirePerm } from "#api/authorize.js";
+import { apiError, handleError, unwrapResult } from "#api/error.js";
+import { handleSettingsGet, handleSettingsUpdate } from "#api/handlers/settings.js";
+import {
+	ensureWorkflowHitlRouteRequest,
+	hitlRequiredRouteError,
+	resolveHitlRouteActor,
+} from "#api/hitl-route-helpers.js";
+import { isParseError, parseBody } from "#api/parse.js";
+import { settingsUpdateBody } from "#api/schemas.js";
+import {
+	logSiteActivitySafely,
+	RiskPolicyEvaluator,
+	settingsApiRouteSource,
+	SettingsHitlPayloadBuilder,
+} from "#site-context/index.js";
+
+export const prerender = false;
+
+const settingsHitlBody = settingsUpdateBody.extend({
+	hitlRequestId: z.string().min(1).optional(),
+});
+
+/**
+ * GET /_dineway/api/settings
+ *
+ * Returns all site settings as a JSON object.
+ * Unset values are undefined. Media references include resolved URLs.
+ */
+export const GET: APIRoute = async ({ locals }) => {
+	const { dineway, user } = locals;
+
+	if (!dineway?.db) {
+		return apiError("NOT_CONFIGURED", "Dineway is not initialized", 500);
+	}
+
+	const denied = requirePerm(user, "settings:read");
+	if (denied) return denied;
+
+	try {
+		const result = await handleSettingsGet(dineway.db, dineway.storage);
+		return unwrapResult(result);
+	} catch (error) {
+		return handleError(error, "Failed to get settings", "SETTINGS_READ_ERROR");
+	}
+};
+
+/**
+ * POST /_dineway/api/settings
+ *
+ * Updates site settings. Accepts a partial settings object.
+ * Merges with existing settings and returns the updated settings.
+ */
+export const POST: APIRoute = async ({ request, locals }) => {
+	const { dineway, user } = locals;
+
+	if (!dineway?.db) {
+		return apiError("NOT_CONFIGURED", "Dineway is not initialized", 500);
+	}
+
+	const denied = requirePerm(user, "settings:manage");
+	if (denied) return denied;
+
+	try {
+		const body = await parseBody(request, settingsHitlBody);
+		if (isParseError(body)) return body;
+
+		const { hitlRequestId, ...settingsInput } = body;
+		const actor = resolveHitlRouteActor(locals);
+		const action = await new SettingsHitlPayloadBuilder(dineway.db).buildUpdateSettingsRequest(
+			settingsInput,
+		);
+		const decision = await new RiskPolicyEvaluator({
+			db: dineway.db,
+			handlers: dineway,
+		}).evaluateWorkflowHitl({
+			actor: actor.identity,
+			hitlRequestId,
+			action,
+		});
+		if (!decision.allowed) {
+			const ensured = await ensureWorkflowHitlRouteRequest(dineway.db, locals, decision.action);
+			return hitlRequiredRouteError(decision, ensured);
+		}
+
+		const result = await handleSettingsUpdate(dineway.db, dineway.storage, settingsInput);
+		if (!result.success) return unwrapResult(result);
+
+		await logSiteActivitySafely(dineway.db, locals, {
+			actionType: "settings.updated",
+			subjectType: "site_settings",
+			subjectId: "site",
+			scope: "site",
+			...settingsApiRouteSource("updated"),
+			summary: action.summary ?? "Updated site settings",
+			detail: {
+				changedKeys: Object.keys(settingsInput).toSorted(),
+				touchesSeo: Object.hasOwn(settingsInput, "seo"),
+				hitlRequestId: decision.required ? decision.hitlRequest.id : null,
+			},
+		});
+		return unwrapResult(result);
+	} catch (error) {
+		return handleError(error, "Failed to update settings", "SETTINGS_UPDATE_ERROR");
+	}
+};