dineway 0.1.3 → 0.1.5

package/src/astro/routes/api/setup/status.ts

@@ -0,0 +1,122 @@
+/**
+ * GET /_dineway/api/setup/status
+ *
+ * Returns setup status and seed file information
+ */
+
+import type { APIRoute } from "astro";
+
+export const prerender = false;
+
+import { apiError, apiSuccess, handleError } from "#api/error.js";
+import { getAuthMode } from "#auth/mode.js";
+import { loadUserSeed } from "#seed/load.js";
+
+export const GET: APIRoute = async ({ locals }) => {
+	const { dineway } = locals;
+
+	if (!dineway?.db) {
+		return apiError("NOT_CONFIGURED", "Dineway is not initialized", 500);
+	}
+
+	try {
+		// Check if setup is complete
+		const setupComplete = await dineway.db
+			.selectFrom("options")
+			.select("value")
+			.where("name", "=", "dineway:setup_complete")
+			.executeTakeFirst();
+
+		// Value is JSON-encoded, parse it. Accepts both boolean true and string "true"
+		const isComplete =
+			setupComplete &&
+			(() => {
+				try {
+					const parsed = JSON.parse(setupComplete.value);
+					return parsed === true || parsed === "true";
+				} catch {
+					return false;
+				}
+			})();
+
+		// Also check if users exist
+		let hasUsers = false;
+		try {
+			const userCount = await dineway.db
+				.selectFrom("users")
+				.select((eb) => eb.fn.countAll<number>().as("count"))
+				.executeTakeFirstOrThrow();
+			hasUsers = userCount.count > 0;
+		} catch {
+			// Users table might not exist yet
+		}
+
+		// Setup is complete only if flag is set AND users exist
+		if (isComplete && hasUsers) {
+			return apiSuccess({
+				needsSetup: false,
+			});
+		}
+
+		// Determine current step
+		// step: "start" | "site" | "admin" | "complete"
+		let step: "start" | "site" | "admin" = "start";
+
+		// Get setup state if it exists
+		const setupState = await dineway.db
+			.selectFrom("options")
+			.select("value")
+			.where("name", "=", "dineway:setup_state")
+			.executeTakeFirst();
+
+		if (setupState) {
+			try {
+				const state = JSON.parse(setupState.value);
+				if (state.step === "admin") {
+					step = "admin";
+				} else if (state.step === "site") {
+					step = "site";
+				}
+			} catch {
+				// Invalid state, stay at start
+			}
+		}
+
+		// If setup_complete but no users, jump to admin step
+		if (isComplete && !hasUsers) {
+			step = "admin";
+		}
+
+		// Check auth mode
+		const authMode = getAuthMode(dineway.config);
+		const useExternalAuth = authMode.type === "external";
+
+		// In external auth mode, setup is complete if flag is set (no users required initially)
+		if (useExternalAuth && isComplete) {
+			return apiSuccess({
+				needsSetup: false,
+			});
+		}
+
+		// Setup needed - try to load seed file info
+		const seed = await loadUserSeed();
+		const seedInfo = seed
+			? {
+					name: seed.meta?.name || "Unknown Template",
+					description: seed.meta?.description || "",
+					collections: seed.collections?.length || 0,
+					hasContent: !!(seed.content && Object.keys(seed.content).length > 0),
+				}
+			: null;
+
+		return apiSuccess({
+			needsSetup: true,
+			step,
+			seedInfo,
+			// Tell the wizard which auth mode is active
+			authMode: useExternalAuth ? authMode.providerType : "passkey",
+		});
+	} catch (error) {
+		return handleError(error, "Failed to check setup status", "SETUP_STATUS_ERROR");
+	}
+};

package/src/astro/routes/api/snapshot.ts

@@ -0,0 +1,76 @@
+/**
+ * Snapshot endpoint — exports a portable database snapshot for preview mode.
+ *
+ * Security:
+ * - Authenticated users: requires content:read + schema:read permissions
+ * - Preview services: requires valid X-Preview-Signature header (HMAC-SHA256)
+ * - Excludes auth/user/session/token tables
+ */
+
+import type { APIRoute } from "astro";
+
+import { requirePerm } from "#api/authorize.js";
+import { apiError, apiSuccess, handleError } from "#api/error.js";
+import {
+	generateSnapshot,
+	parsePreviewSignatureHeader,
+	verifyPreviewSignature,
+} from "#api/handlers/snapshot.js";
+import { getPublicOrigin } from "#api/public-url.js";
+
+export const prerender = false;
+
+export const GET: APIRoute = async ({ request, locals, url }) => {
+	const { dineway, user } = locals;
+
+	if (!dineway?.db) {
+		return apiError("NOT_CONFIGURED", "Dineway is not initialized", 500);
+	}
+
+	// Check for preview signature auth (used by preview sidecars)
+	const previewSig = request.headers.get("X-Preview-Signature");
+	let authorized = false;
+
+	if (previewSig) {
+		const secret = import.meta.env.DINEWAY_PREVIEW_SECRET || import.meta.env.PREVIEW_SECRET || "";
+		if (!secret) {
+			console.warn(
+				"[snapshot] X-Preview-Signature header present but no PREVIEW_SECRET configured",
+			);
+		} else {
+			const parsed = parsePreviewSignatureHeader(previewSig);
+			if (!parsed) {
+				console.warn("[snapshot] Failed to parse X-Preview-Signature header");
+			} else {
+				authorized = await verifyPreviewSignature(parsed.source, parsed.exp, parsed.sig, secret);
+				if (!authorized) {
+					console.warn("[snapshot] Preview signature verification failed", {
+						source: parsed.source,
+						exp: parsed.exp,
+						expired: parsed.exp < Date.now() / 1000,
+					});
+				}
+			}
+		}
+	}
+
+	if (!authorized) {
+		// Fall back to standard user auth
+		const contentDenied = requirePerm(user, "content:read");
+		if (contentDenied) return contentDenied;
+		const schemaDenied = requirePerm(user, "schema:read");
+		if (schemaDenied) return schemaDenied;
+	}
+
+	try {
+		const includeDrafts = url.searchParams.get("drafts") === "true";
+		const snapshot = await generateSnapshot(dineway.db, {
+			includeDrafts,
+			origin: getPublicOrigin(url, dineway.config),
+		});
+
+		return apiSuccess(snapshot);
+	} catch (error) {
+		return handleError(error, "Failed to generate snapshot", "SNAPSHOT_ERROR");
+	}
+};

package/src/astro/routes/api/taxonomies/[name]/terms/[slug].ts

@@ -0,0 +1,232 @@
+/**
+ * Single term endpoint
+ *
+ * GET /_dineway/api/taxonomies/:name/terms/:slug - Get a single term
+ * PUT /_dineway/api/taxonomies/:name/terms/:slug - Update a term
+ * DELETE /_dineway/api/taxonomies/:name/terms/:slug - Delete a term
+ */
+
+import type { APIRoute } from "astro";
+import { z } from "zod";
+
+import { requirePerm } from "#api/authorize.js";
+import { apiError, handleError, requireDb, unwrapResult } from "#api/error.js";
+import { handleTermDelete, handleTermGet, handleTermUpdate } from "#api/handlers/taxonomies.js";
+import {
+	ensureWorkflowHitlRouteRequest,
+	hitlRequiredRouteError,
+	resolveHitlRouteActor,
+} from "#api/hitl-route-helpers.js";
+import { isParseError, parseBody, parseQuery } from "#api/parse.js";
+import { updateTermBody } from "#api/schemas.js";
+import {
+	activityChangedKeys,
+	logTaxonomyActivity,
+	RiskPolicyEvaluator,
+	taxonomyApiRouteSource,
+	TaxonomyHitlPayloadBuilder,
+} from "#site-context/index.js";
+
+export const prerender = false;
+
+const updateTermHitlBody = updateTermBody.extend({
+	hitlRequestId: z.string().min(1).optional(),
+});
+
+const deleteTermQuery = z.object({
+	hitlRequestId: z.string().min(1).optional(),
+});
+
+/**
+ * Get a single term
+ */
+export const GET: APIRoute = async ({ params, locals }) => {
+	const { dineway, user } = locals;
+	const { name, slug } = params;
+
+	if (!name || !slug) {
+		return apiError("VALIDATION_ERROR", "Taxonomy name and slug required", 400);
+	}
+
+	const dbErr = requireDb(dineway?.db);
+	if (dbErr) return dbErr;
+
+	const denied = requirePerm(user, "taxonomies:read");
+	if (denied) return denied;
+
+	try {
+		const result = await handleTermGet(dineway.db, name, slug);
+		return unwrapResult(result);
+	} catch (error) {
+		return handleError(error, "Failed to get term", "TERM_GET_ERROR");
+	}
+};
+
+/**
+ * Update a term
+ */
+export const PUT: APIRoute = async ({ params, request, locals }) => {
+	const { dineway, user } = locals;
+	const { name, slug } = params;
+
+	if (!name || !slug) {
+		return apiError("VALIDATION_ERROR", "Taxonomy name and slug required", 400);
+	}
+
+	const dbErr = requireDb(dineway?.db);
+	if (dbErr) return dbErr;
+
+	const denied = requirePerm(user, "taxonomies:manage");
+	if (denied) return denied;
+
+	try {
+		const body = await parseBody(request, updateTermHitlBody);
+		if (isParseError(body)) return body;
+
+		const current = await handleTermGet(dineway.db, name, slug);
+		if (!current.success) return unwrapResult(current);
+
+		const { hitlRequestId, ...termInput } = body;
+		const actor = resolveHitlRouteActor(locals);
+		const evaluator = new RiskPolicyEvaluator({
+			db: dineway.db,
+			handlers: dineway,
+		});
+		let approvedHitlRequestId: string | null = null;
+
+		if (evaluator.requiresWorkflowHitl(actor.identity)) {
+			const payloadBuilder = new TaxonomyHitlPayloadBuilder(dineway.db);
+			const taxonomy = await payloadBuilder.loadTaxonomyDefinition(name);
+			if (!taxonomy) {
+				return apiError("NOT_FOUND", `Taxonomy '${name}' not found`, 404);
+			}
+
+			const action = await payloadBuilder.buildUpdateTermRequest({
+				taxonomy,
+				currentTerm: {
+					id: current.data.term.id,
+					name: current.data.term.name,
+					slug: current.data.term.slug,
+					label: current.data.term.label,
+					parentId: current.data.term.parentId,
+					description: current.data.term.description ?? null,
+				},
+				...termInput,
+			});
+			const decision = await evaluator.evaluateWorkflowHitl({
+				actor: actor.identity,
+				hitlRequestId,
+				action,
+			});
+			if (!decision.allowed) {
+				const ensured = await ensureWorkflowHitlRouteRequest(dineway.db, locals, decision.action);
+				return hitlRequiredRouteError(decision, ensured);
+			}
+			approvedHitlRequestId = decision.hitlRequest.id;
+		}
+
+		const result = await handleTermUpdate(dineway.db, name, slug, termInput);
+		if (result.success) {
+			await logTaxonomyActivity(dineway.db, locals, {
+				action: "term_updated",
+				taxonomyName: name,
+				termId: result.data.term.id,
+				termSlug: result.data.term.slug,
+				...taxonomyApiRouteSource("term_updated"),
+				detail: {
+					changedKeys: activityChangedKeys(termInput),
+					label: result.data.term.label,
+					parentId: result.data.term.parentId,
+					description: result.data.term.description ?? null,
+					hitlRequestId: approvedHitlRequestId,
+				},
+			});
+		}
+		return unwrapResult(result);
+	} catch (error) {
+		return handleError(error, "Failed to update term", "TERM_UPDATE_ERROR");
+	}
+};
+
+/**
+ * Delete a term
+ */
+export const DELETE: APIRoute = async ({ params, request, locals }) => {
+	const { dineway, user } = locals;
+	const { name, slug } = params;
+
+	if (!name || !slug) {
+		return apiError("VALIDATION_ERROR", "Taxonomy name and slug required", 400);
+	}
+
+	const dbErr = requireDb(dineway?.db);
+	if (dbErr) return dbErr;
+
+	const denied = requirePerm(user, "taxonomies:manage");
+	if (denied) return denied;
+
+	const query = parseQuery(new URL(request.url), deleteTermQuery);
+	if (isParseError(query)) return query;
+
+	try {
+		const current = await handleTermGet(dineway.db, name, slug);
+		if (!current.success) return unwrapResult(current);
+
+		const actor = resolveHitlRouteActor(locals);
+		const evaluator = new RiskPolicyEvaluator({
+			db: dineway.db,
+			handlers: dineway,
+		});
+		let approvedHitlRequestId: string | null = null;
+
+		if (evaluator.requiresWorkflowHitl(actor.identity)) {
+			const payloadBuilder = new TaxonomyHitlPayloadBuilder(dineway.db);
+			const taxonomy = await payloadBuilder.loadTaxonomyDefinition(name);
+			if (!taxonomy) {
+				return apiError("NOT_FOUND", `Taxonomy '${name}' not found`, 404);
+			}
+
+			const action = await payloadBuilder.buildDeleteTermRequest({
+				taxonomy,
+				currentTerm: {
+					id: current.data.term.id,
+					name: current.data.term.name,
+					slug: current.data.term.slug,
+					label: current.data.term.label,
+					parentId: current.data.term.parentId,
+					description: current.data.term.description ?? null,
+				},
+			});
+			const decision = await evaluator.evaluateWorkflowHitl({
+				actor: actor.identity,
+				hitlRequestId: query.hitlRequestId,
+				action,
+			});
+			if (!decision.allowed) {
+				const ensured = await ensureWorkflowHitlRouteRequest(dineway.db, locals, decision.action);
+				return hitlRequiredRouteError(decision, ensured);
+			}
+			approvedHitlRequestId = decision.hitlRequest.id;
+		}
+
+		const result = await handleTermDelete(dineway.db, name, slug);
+		if (result.success) {
+			await logTaxonomyActivity(dineway.db, locals, {
+				action: "term_deleted",
+				taxonomyName: name,
+				termId: current.data.term.id,
+				termSlug: current.data.term.slug,
+				...taxonomyApiRouteSource("term_deleted"),
+				detail: {
+					label: current.data.term.label,
+					parentId: current.data.term.parentId,
+					description: current.data.term.description ?? null,
+					hitlRequestId: approvedHitlRequestId,
+				},
+			});
+		}
+		return unwrapResult(result);
+	} catch (error) {
+		return handleError(error, "Failed to delete term", "TERM_DELETE_ERROR");
+	}
+};

package/src/astro/routes/api/taxonomies/[name]/terms/index.ts

@@ -0,0 +1,131 @@
+/**
+ * Taxonomy terms list and create endpoint
+ *
+ * GET /_dineway/api/taxonomies/:name/terms - List all terms (tree for hierarchical)
+ * POST /_dineway/api/taxonomies/:name/terms - Create a new term
+ */
+
+import type { APIRoute } from "astro";
+import { z } from "zod";
+
+import { requirePerm } from "#api/authorize.js";
+import { apiError, handleError, requireDb, unwrapResult } from "#api/error.js";
+import { handleTermCreate, handleTermList } from "#api/handlers/taxonomies.js";
+import {
+	ensureWorkflowHitlRouteRequest,
+	hitlRequiredRouteError,
+	resolveHitlRouteActor,
+} from "#api/hitl-route-helpers.js";
+import { isParseError, parseBody } from "#api/parse.js";
+import { createTermBody } from "#api/schemas.js";
+import {
+	logTaxonomyActivity,
+	RiskPolicyEvaluator,
+	taxonomyApiRouteSource,
+	TaxonomyHitlPayloadBuilder,
+} from "#site-context/index.js";
+
+export const prerender = false;
+
+const createTermHitlBody = createTermBody.extend({
+	hitlRequestId: z.string().min(1).optional(),
+});
+
+/**
+ * List all terms for a taxonomy
+ */
+export const GET: APIRoute = async ({ params, locals }) => {
+	const { dineway, user } = locals;
+	const { name } = params;
+
+	if (!name) {
+		return apiError("VALIDATION_ERROR", "Taxonomy name required", 400);
+	}
+
+	const dbErr = requireDb(dineway?.db);
+	if (dbErr) return dbErr;
+
+	const denied = requirePerm(user, "taxonomies:read");
+	if (denied) return denied;
+
+	try {
+		const result = await handleTermList(dineway.db, name);
+		return unwrapResult(result);
+	} catch (error) {
+		return handleError(error, "Failed to list terms", "TERM_LIST_ERROR");
+	}
+};
+
+/**
+ * Create a new term
+ */
+export const POST: APIRoute = async ({ params, request, locals }) => {
+	const { dineway, user } = locals;
+	const { name } = params;
+
+	if (!name) {
+		return apiError("VALIDATION_ERROR", "Taxonomy name required", 400);
+	}
+
+	const dbErr = requireDb(dineway?.db);
+	if (dbErr) return dbErr;
+
+	const denied = requirePerm(user, "taxonomies:manage");
+	if (denied) return denied;
+
+	try {
+		const body = await parseBody(request, createTermHitlBody);
+		if (isParseError(body)) return body;
+
+		const { hitlRequestId, ...termInput } = body;
+		const actor = resolveHitlRouteActor(locals);
+		const evaluator = new RiskPolicyEvaluator({
+			db: dineway.db,
+			handlers: dineway,
+		});
+		let approvedHitlRequestId: string | null = null;
+
+		if (evaluator.requiresWorkflowHitl(actor.identity)) {
+			const payloadBuilder = new TaxonomyHitlPayloadBuilder(dineway.db);
+			const taxonomy = await payloadBuilder.loadTaxonomyDefinition(name);
+			if (!taxonomy) {
+				return apiError("NOT_FOUND", `Taxonomy '${name}' not found`, 404);
+			}
+
+			const action = await payloadBuilder.buildCreateTermRequest({
+				taxonomy,
+				...termInput,
+			});
+			const decision = await evaluator.evaluateWorkflowHitl({
+				actor: actor.identity,
+				hitlRequestId,
+				action,
+			});
+			if (!decision.allowed) {
+				const ensured = await ensureWorkflowHitlRouteRequest(dineway.db, locals, decision.action);
+				return hitlRequiredRouteError(decision, ensured);
+			}
+			approvedHitlRequestId = decision.hitlRequest.id;
+		}
+
+		const result = await handleTermCreate(dineway.db, name, termInput);
+		if (result.success) {
+			await logTaxonomyActivity(dineway.db, locals, {
+				action: "term_created",
+				taxonomyName: name,
+				termId: result.data.term.id,
+				termSlug: result.data.term.slug,
+				...taxonomyApiRouteSource("term_created"),
+				detail: {
+					label: result.data.term.label,
+					parentId: result.data.term.parentId,
+					description: result.data.term.description ?? null,
+					hitlRequestId: approvedHitlRequestId,
+				},
+			});
+		}
+		return unwrapResult(result, 201);
+	} catch (error) {
+		return handleError(error, "Failed to create term", "TERM_CREATE_ERROR");
+	}
+};

package/src/astro/routes/api/taxonomies/index.ts

@@ -0,0 +1,114 @@
+/**
+ * Taxonomy definitions endpoint
+ *
+ * GET  /_dineway/api/taxonomies - List all taxonomy definitions
+ * POST /_dineway/api/taxonomies - Create a custom taxonomy definition
+ */
+
+import type { APIRoute } from "astro";
+import { z } from "zod";
+
+import { requirePerm } from "#api/authorize.js";
+import { handleError, requireDb, unwrapResult } from "#api/error.js";
+import { handleTaxonomyCreate, handleTaxonomyList } from "#api/handlers/taxonomies.js";
+import {
+	ensureWorkflowHitlRouteRequest,
+	hitlRequiredRouteError,
+	resolveHitlRouteActor,
+} from "#api/hitl-route-helpers.js";
+import { isParseError, parseBody } from "#api/parse.js";
+import { createTaxonomyDefBody } from "#api/schemas.js";
+import {
+	logTaxonomyActivity,
+	RiskPolicyEvaluator,
+	taxonomyApiRouteSource,
+	TaxonomyHitlPayloadBuilder,
+} from "#site-context/index.js";
+
+export const prerender = false;
+
+const createTaxonomyHitlBody = createTaxonomyDefBody.extend({
+	hitlRequestId: z.string().min(1).optional(),
+});
+
+/**
+ * List taxonomy definitions
+ */
+export const GET: APIRoute = async ({ locals }) => {
+	const { dineway, user } = locals;
+
+	const dbErr = requireDb(dineway?.db);
+	if (dbErr) return dbErr;
+
+	const denied = requirePerm(user, "taxonomies:read");
+	if (denied) return denied;
+
+	try {
+		const result = await handleTaxonomyList(dineway.db);
+		return unwrapResult(result);
+	} catch (error) {
+		return handleError(error, "Failed to list taxonomies", "TAXONOMY_LIST_ERROR");
+	}
+};
+
+/**
+ * Create a custom taxonomy definition
+ */
+export const POST: APIRoute = async ({ request, locals }) => {
+	const { dineway, user } = locals;
+
+	const dbErr = requireDb(dineway?.db);
+	if (dbErr) return dbErr;
+
+	const denied = requirePerm(user, "taxonomies:manage");
+	if (denied) return denied;
+
+	try {
+		const body = await parseBody(request, createTaxonomyHitlBody);
+		if (isParseError(body)) return body;
+
+		const { hitlRequestId, ...taxonomyInput } = body;
+		const actor = resolveHitlRouteActor(locals);
+		const evaluator = new RiskPolicyEvaluator({
+			db: dineway.db,
+			handlers: dineway,
+		});
+		let approvedHitlRequestId: string | null = null;
+
+		if (evaluator.requiresWorkflowHitl(actor.identity)) {
+			const action = await new TaxonomyHitlPayloadBuilder(dineway.db).buildCreateTaxonomyRequest(
+				taxonomyInput,
+			);
+			const decision = await evaluator.evaluateWorkflowHitl({
+				actor: actor.identity,
+				hitlRequestId,
+				action,
+			});
+			if (!decision.allowed) {
+				const ensured = await ensureWorkflowHitlRouteRequest(dineway.db, locals, decision.action);
+				return hitlRequiredRouteError(decision, ensured);
+			}
+			approvedHitlRequestId = decision.hitlRequest.id;
+		}
+
+		const result = await handleTaxonomyCreate(dineway.db, taxonomyInput);
+		if (result.success) dineway.invalidateManifest();
+		if (result.success) {
+			await logTaxonomyActivity(dineway.db, locals, {
+				action: "created",
+				taxonomyId: result.data.taxonomy.id,
+				taxonomyName: result.data.taxonomy.name,
+				...taxonomyApiRouteSource("created"),
+				detail: {
+					label: result.data.taxonomy.label,
+					hierarchical: result.data.taxonomy.hierarchical,
+					collections: result.data.taxonomy.collections,
+					hitlRequestId: approvedHitlRequestId,
+				},
+			});
+		}
+		return unwrapResult(result, 201);
+	} catch (error) {
+		return handleError(error, "Failed to create taxonomy", "TAXONOMY_CREATE_ERROR");
+	}
+};