dineway 0.1.3 → 0.1.5

package/src/astro/routes/api/themes/preview.ts

@@ -0,0 +1,78 @@
+/**
+ * Theme preview signing endpoint
+ *
+ * POST /_dineway/api/themes/preview
+ *
+ * Generates a signed preview URL for the "Try with my data" feature.
+ * The PREVIEW_SECRET must be set in the environment (shared with the preview sidecar).
+ */
+
+import type { APIRoute } from "astro";
+
+import { requirePerm } from "#api/authorize.js";
+import { apiError, apiSuccess } from "#api/error.js";
+import { getPublicOrigin } from "#api/public-url.js";
+
+export const prerender = false;
+
+export const POST: APIRoute = async ({ request, url, locals }) => {
+	const { dineway, user } = locals;
+
+	if (!dineway?.db) {
+		return apiError("NOT_CONFIGURED", "Dineway is not initialized", 500);
+	}
+
+	const denied = requirePerm(user, "plugins:read");
+	if (denied) return denied;
+
+	const secret = import.meta.env.DINEWAY_PREVIEW_SECRET || import.meta.env.PREVIEW_SECRET || "";
+	if (!secret) {
+		return apiError("NOT_CONFIGURED", "PREVIEW_SECRET is not configured", 500);
+	}
+
+	let body: { previewUrl: string };
+	try {
+		body = await request.json();
+	} catch {
+		return apiError("INVALID_REQUEST", "Invalid JSON body", 400);
+	}
+
+	if (!body.previewUrl || typeof body.previewUrl !== "string") {
+		return apiError("INVALID_REQUEST", "previewUrl is required", 400);
+	}
+
+	// Validate previewUrl is a valid HTTPS URL
+	let parsedPreviewUrl: URL;
+	try {
+		parsedPreviewUrl = new URL(body.previewUrl);
+	} catch {
+		return apiError("INVALID_REQUEST", "previewUrl must be a valid URL", 400);
+	}
+
+	if (parsedPreviewUrl.protocol !== "https:") {
+		return apiError("INVALID_REQUEST", "previewUrl must use HTTPS", 400);
+	}
+
+	const source = getPublicOrigin(url, dineway?.config);
+	const ttl = 3600; // 1 hour
+	const exp = Math.floor(Date.now() / 1000) + ttl;
+
+	// HMAC-SHA256 sign: message = "source:exp"
+	const encoder = new TextEncoder();
+	const key = await crypto.subtle.importKey(
+		"raw",
+		encoder.encode(secret),
+		{ name: "HMAC", hash: "SHA-256" },
+		false,
+		["sign"],
+	);
+	const buffer = await crypto.subtle.sign("HMAC", key, encoder.encode(`${source}:${exp}`));
+	const sig = Array.from(new Uint8Array(buffer), (b) => b.toString(16).padStart(2, "0")).join("");
+
+	const previewUrl = new URL(body.previewUrl);
+	previewUrl.searchParams.set("source", source);
+	previewUrl.searchParams.set("exp", String(exp));
+	previewUrl.searchParams.set("sig", sig);
+
+	return apiSuccess({ url: previewUrl.toString() });
+};

package/src/astro/routes/api/typegen.ts

@@ -0,0 +1,114 @@
+/**
+ * Typegen endpoint - generates dineway-env.d.ts content
+ *
+ * POST /_dineway/api/typegen - Generate types and return as JSON
+ * GET /_dineway/api/typegen - Return types as text (for preview/debugging)
+ *
+ * The caller (integration or CLI) is responsible for writing the file to disk.
+ * This endpoint only generates the content — it has no filesystem access, so it
+ * stays portable across runtimes where the project root or Node filesystem APIs
+ * are not available here.
+ *
+ * Dev-only endpoint - disabled in production.
+ */
+
+import type { APIRoute } from "astro";
+
+import { apiError, apiSuccess, handleError } from "#api/error.js";
+import type { SchemaRegistry } from "#schema/registry.js";
+
+export const prerender = false;
+
+/**
+ * Safely list collections, returning empty array if tables don't exist yet
+ */
+async function safeListCollections(registry: SchemaRegistry) {
+	try {
+		return await registry.listCollections();
+	} catch (error) {
+		// Handle missing tables for new sites that haven't run setup yet
+		if (error instanceof Error && error.message.includes("no such table")) {
+			return [];
+		}
+		throw error;
+	}
+}
+
+/**
+ * Generate types content and metadata from the current schema.
+ */
+async function generateTypes(registry: SchemaRegistry) {
+	const { generateTypesFile, generateSchemaHash } = await import("#schema/zod-generator.js");
+
+	const collections = await safeListCollections(registry);
+	const collectionsWithFields = await Promise.all(
+		collections.map(async (c) => {
+			const fields = await registry.listFields(c.id);
+			return { ...c, fields };
+		}),
+	);
+
+	const types = generateTypesFile(collectionsWithFields);
+	const hash: string = await generateSchemaHash(collectionsWithFields);
+
+	return { types, hash, collections: collections.length };
+}
+
+/**
+ * GET - Return types as plain text (for preview/debugging)
+ */
+export const GET: APIRoute = async ({ locals }) => {
+	if (!import.meta.env.DEV) {
+		return apiError("FORBIDDEN", "Typegen is only available in development", 403);
+	}
+
+	const { dineway } = locals;
+
+	if (!dineway?.db) {
+		return apiError("NOT_CONFIGURED", "Dineway is not configured", 500);
+	}
+
+	try {
+		const { SchemaRegistry } = await import("#schema/registry.js");
+		const registry = new SchemaRegistry(dineway.db);
+		const { types } = await generateTypes(registry);
+
+		return new Response(types, {
+			status: 200,
+			headers: {
+				"Content-Type": "text/typescript",
+				"Cache-Control": "private, no-store",
+			},
+		});
+	} catch (error) {
+		return handleError(error, "Typegen failed", "TYPEGEN_ERROR");
+	}
+};
+
+/**
+ * POST - Generate types and return as JSON
+ *
+ * The caller writes the file to disk. Response shape:
+ * { types: string, hash: string, collections: number }
+ */
+export const POST: APIRoute = async ({ locals }) => {
+	if (!import.meta.env.DEV) {
+		return apiError("FORBIDDEN", "Typegen is only available in development", 403);
+	}
+
+	const { dineway } = locals;
+
+	if (!dineway?.db) {
+		return apiError("NOT_CONFIGURED", "Dineway is not configured", 500);
+	}
+
+	try {
+		const { SchemaRegistry } = await import("#schema/registry.js");
+		const registry = new SchemaRegistry(dineway.db);
+		const result = await generateTypes(registry);
+
+		return apiSuccess(result);
+	} catch (error) {
+		return handleError(error, "Typegen failed", "TYPEGEN_ERROR");
+	}
+};

package/src/astro/routes/api/well-known/auth.ts

@@ -0,0 +1,71 @@
+/**
+ * GET /_dineway/.well-known/auth
+ *
+ * Auth discovery endpoint. Returns available auth mechanisms.
+ * Public, unauthenticated. Used by CLI to determine how to authenticate.
+ */
+
+import type { APIRoute } from "astro";
+
+import { getAuthMode } from "#auth/mode.js";
+import { OptionsRepository } from "#db/repositories/options.js";
+
+import { VERSION } from "../../../../version.js";
+
+export const prerender = false;
+
+export const GET: APIRoute = async ({ locals }) => {
+	const { dineway } = locals;
+
+	// Build discovery response
+	const config = dineway?.config;
+	const authMode = config ? getAuthMode(config) : null;
+
+	const isExternal = authMode?.type === "external";
+
+	// Try to read site name from DB options
+	let siteName = "Dineway";
+	if (dineway?.db) {
+		try {
+			const options = new OptionsRepository(dineway.db);
+			siteName = (await options.get<string>("dineway:site_title")) || "Dineway";
+		} catch {
+			// DB may not be initialized yet
+		}
+	}
+
+	const response: Record<string, unknown> = {
+		instance: {
+			name: siteName,
+			version: VERSION,
+		},
+		auth: {
+			mode: isExternal ? "external" : "passkey",
+			...(isExternal && authMode.type === "external"
+				? { external_provider: authMode.entrypoint }
+				: {}),
+			methods: {
+				device_flow: !isExternal
+					? {
+							client_id: "dineway-cli",
+							device_authorization_endpoint: "/_dineway/api/oauth/device/code",
+							token_endpoint: "/_dineway/api/oauth/device/token",
+						}
+					: undefined,
+				authorization_code: !isExternal
+					? {
+							authorization_endpoint: "/_dineway/oauth/authorize",
+							token_endpoint: "/_dineway/api/oauth/token",
+						}
+					: undefined,
+				api_tokens: true,
+			},
+		},
+	};
+
+	return Response.json(response, {
+		headers: {
+			"Cache-Control": "no-store",
+		},
+	});
+};

package/src/astro/routes/api/well-known/oauth-authorization-server.ts

@@ -0,0 +1,48 @@
+/**
+ * GET /.well-known/oauth-authorization-server/_dineway
+ *
+ * RFC 8414 Authorization Server Metadata. The issuer pathname (`/_dineway`)
+ * is appended after the well-known prefix so standards-compliant OAuth/MCP
+ * clients can discover the metadata from the issuer URL.
+ *
+ * Public, unauthenticated.
+ */
+
+import type { APIRoute } from "astro";
+
+import { getPublicOrigin } from "#api/public-url.js";
+import { ALL_VALID_SCOPES } from "#auth/api-tokens.js";
+import { filterExperimentalSiteContextWorkflowScopes } from "#site-context/experimental-workflows.js";
+
+export const prerender = false;
+
+export const GET: APIRoute = async ({ url, locals }) => {
+	const origin = getPublicOrigin(url, locals.dineway?.config);
+	const issuer = `${origin}/_dineway`;
+
+	return Response.json(
+		{
+			issuer,
+			authorization_endpoint: `${origin}/_dineway/oauth/authorize`,
+			token_endpoint: `${origin}/_dineway/api/oauth/token`,
+			scopes_supported: filterExperimentalSiteContextWorkflowScopes(ALL_VALID_SCOPES),
+			response_types_supported: ["code"],
+			grant_types_supported: [
+				"authorization_code",
+				"refresh_token",
+				"urn:ietf:params:oauth:grant-type:device_code",
+			],
+			code_challenge_methods_supported: ["S256"],
+			registration_endpoint: `${origin}/_dineway/api/oauth/register`,
+			token_endpoint_auth_methods_supported: ["none"],
+			client_id_metadata_document_supported: true,
+			device_authorization_endpoint: `${origin}/_dineway/api/oauth/device/code`,
+		},
+		{
+			headers: {
+				"Cache-Control": "public, max-age=3600",
+				"Access-Control-Allow-Origin": "*",
+			},
+		},
+	);
+};

package/src/astro/routes/api/well-known/oauth-protected-resource.ts

@@ -0,0 +1,39 @@
+/**
+ * GET /.well-known/oauth-protected-resource
+ *
+ * RFC 9728 Protected Resource Metadata. Tells MCP clients where to find
+ * the authorization server. Injected at the site root (not under /_dineway/)
+ * because RFC 9728 requires it at the well-known URI of the resource's origin.
+ *
+ * Also serves as `/.well-known/oauth-protected-resource/_dineway/api/mcp`
+ * (path-scoped variant) when Astro's routing allows.
+ *
+ * Public, unauthenticated.
+ */
+
+import type { APIRoute } from "astro";
+
+import { getPublicOrigin } from "#api/public-url.js";
+import { ALL_VALID_SCOPES } from "#auth/api-tokens.js";
+import { filterExperimentalSiteContextWorkflowScopes } from "#site-context/experimental-workflows.js";
+
+export const prerender = false;
+
+export const GET: APIRoute = async ({ url, locals }) => {
+	const origin = getPublicOrigin(url, locals.dineway?.config);
+
+	return Response.json(
+		{
+			resource: `${origin}/_dineway/api/mcp`,
+			authorization_servers: [`${origin}/_dineway`],
+			scopes_supported: filterExperimentalSiteContextWorkflowScopes(ALL_VALID_SCOPES),
+			bearer_methods_supported: ["header"],
+		},
+		{
+			headers: {
+				"Cache-Control": "public, max-age=3600",
+				"Access-Control-Allow-Origin": "*",
+			},
+		},
+	);
+};

package/src/astro/routes/api/widget-areas/[name]/reorder.ts

@@ -0,0 +1,114 @@
+/**
+ * Reorder widgets endpoint
+ *
+ * POST /_dineway/api/widget-areas/:name/reorder
+ */
+
+import type { APIRoute } from "astro";
+import { z } from "zod";
+
+import { requirePerm } from "#api/authorize.js";
+import { apiError, apiSuccess, handleError } from "#api/error.js";
+import {
+	ensureWorkflowHitlRouteRequest,
+	hitlRequiredRouteError,
+	resolveHitlRouteActor,
+} from "#api/hitl-route-helpers.js";
+import { isParseError, parseBody } from "#api/parse.js";
+import { reorderWidgetsBody } from "#api/schemas.js";
+import {
+	logWidgetActivity,
+	RiskPolicyEvaluator,
+	widgetApiRouteSource,
+	WidgetHitlPayloadBuilder,
+} from "#site-context/index.js";
+
+export const prerender = false;
+
+const reorderWidgetsHitlBody = reorderWidgetsBody.extend({
+	hitlRequestId: z.string().min(1).optional(),
+});
+
+export const POST: APIRoute = async ({ params, request, locals }) => {
+	const { dineway, user } = locals;
+	const db = dineway.db;
+	const { name } = params;
+
+	const denied = requirePerm(user, "widgets:manage");
+	if (denied) return denied;
+
+	if (!name) {
+		return apiError("VALIDATION_ERROR", "name is required", 400);
+	}
+
+	try {
+		const payloadBuilder = new WidgetHitlPayloadBuilder(db);
+		const area = await payloadBuilder.loadWidgetAreaSnapshot(name);
+
+		if (!area) {
+			return apiError("NOT_FOUND", `Widget area "${name}" not found`, 404);
+		}
+
+		const body = await parseBody(request, reorderWidgetsHitlBody);
+		if (isParseError(body)) return body;
+		const { hitlRequestId, widgetIds } = body;
+
+		// Verify all widget IDs belong to this area
+		const existingIds = new Set(area.widgets.map((widget) => widget.id));
+		for (const id of widgetIds) {
+			if (!existingIds.has(id)) {
+				return apiError("VALIDATION_ERROR", `Widget "${id}" not found in area "${name}"`, 400);
+			}
+		}
+
+		const actor = resolveHitlRouteActor(locals);
+		const evaluator = new RiskPolicyEvaluator({
+			db,
+			handlers: dineway,
+		});
+		let approvedHitlRequestId: string | null = null;
+
+		if (evaluator.requiresWorkflowHitl(actor.identity)) {
+			const action = await payloadBuilder.buildReorderWidgetsRequest({
+				area,
+				widgetIds,
+			});
+			const decision = await evaluator.evaluateWorkflowHitl({
+				actor: actor.identity,
+				hitlRequestId,
+				action,
+			});
+			if (!decision.allowed) {
+				const ensured = await ensureWorkflowHitlRouteRequest(db, locals, decision.action);
+				return hitlRequiredRouteError(decision, ensured);
+			}
+			approvedHitlRequestId = decision.hitlRequest.id;
+		}
+
+		// Update sort_order for each widget
+		await Promise.all(
+			widgetIds.map((id, index) =>
+				db
+					.updateTable("_dineway_widgets")
+					.set({ sort_order: index })
+					.where("id", "=", id)
+					.execute(),
+			),
+		);
+
+		await logWidgetActivity(db, locals, {
+			action: "reordered",
+			areaId: area.id,
+			areaName: area.name,
+			...widgetApiRouteSource("reordered"),
+			detail: {
+				widgetIds,
+				hitlRequestId: approvedHitlRequestId,
+			},
+		});
+
+		return apiSuccess({ success: true });
+	} catch (error) {
+		return handleError(error, "Failed to reorder widgets", "WIDGET_REORDER_ERROR");
+	}
+};

package/src/astro/routes/api/widget-areas/[name]/widgets/[id].ts

@@ -0,0 +1,213 @@
+/**
+ * Single widget endpoints
+ *
+ * PUT    /_dineway/api/widget-areas/:name/widgets/:id - Update widget
+ * DELETE /_dineway/api/widget-areas/:name/widgets/:id - Delete widget
+ */
+
+import type { APIRoute } from "astro";
+import { z } from "zod";
+
+import { requirePerm } from "#api/authorize.js";
+import { apiError, apiSuccess, handleError } from "#api/error.js";
+import {
+	ensureWorkflowHitlRouteRequest,
+	hitlRequiredRouteError,
+	resolveHitlRouteActor,
+} from "#api/hitl-route-helpers.js";
+import { isParseError, parseBody, parseQuery } from "#api/parse.js";
+import { updateWidgetBody } from "#api/schemas.js";
+import {
+	activityChangedKeys,
+	logWidgetActivity,
+	RiskPolicyEvaluator,
+	widgetApiRouteSource,
+	WidgetHitlPayloadBuilder,
+} from "#site-context/index.js";
+
+export const prerender = false;
+
+const updateWidgetHitlBody = updateWidgetBody.extend({
+	hitlRequestId: z.string().min(1).optional(),
+});
+
+const deleteWidgetQuery = z.object({
+	hitlRequestId: z.string().min(1).optional(),
+});
+
+export const PUT: APIRoute = async ({ params, request, locals }) => {
+	const { dineway, user } = locals;
+	const db = dineway.db;
+	const { name, id } = params;
+
+	const denied = requirePerm(user, "widgets:manage");
+	if (denied) return denied;
+
+	if (!name || !id) {
+		return apiError("VALIDATION_ERROR", "name and id are required", 400);
+	}
+
+	try {
+		const payloadBuilder = new WidgetHitlPayloadBuilder(db);
+		const area = await payloadBuilder.loadWidgetAreaSnapshot(name);
+
+		if (!area) {
+			return apiError("NOT_FOUND", `Widget area "${name}" not found`, 404);
+		}
+
+		const existingWidget = area.widgets.find((widget) => widget.id === id);
+
+		if (!existingWidget) {
+			return apiError("NOT_FOUND", `Widget "${id}" not found in area "${name}"`, 404);
+		}
+
+		const body = await parseBody(request, updateWidgetHitlBody);
+		if (isParseError(body)) return body;
+		const { hitlRequestId, ...widgetInput } = body;
+
+		const actor = resolveHitlRouteActor(locals);
+		const evaluator = new RiskPolicyEvaluator({
+			db,
+			handlers: dineway,
+		});
+		let approvedHitlRequestId: string | null = null;
+
+		if (evaluator.requiresWorkflowHitl(actor.identity)) {
+			const action = await payloadBuilder.buildUpdateWidgetRequest({
+				area,
+				currentWidget: existingWidget,
+				...widgetInput,
+			});
+			const decision = await evaluator.evaluateWorkflowHitl({
+				actor: actor.identity,
+				hitlRequestId,
+				action,
+			});
+			if (!decision.allowed) {
+				const ensured = await ensureWorkflowHitlRouteRequest(db, locals, decision.action);
+				return hitlRequiredRouteError(decision, ensured);
+			}
+			approvedHitlRequestId = decision.hitlRequest.id;
+		}
+
+		// Build update object (only update provided fields)
+		const updates = buildWidgetUpdates(widgetInput);
+
+		if (Object.keys(updates).length === 0) {
+			return apiError("VALIDATION_ERROR", "No fields to update", 400);
+		}
+
+		await db.updateTable("_dineway_widgets").set(updates).where("id", "=", id).execute();
+
+		const widget = await db
+			.selectFrom("_dineway_widgets")
+			.selectAll()
+			.where("id", "=", id)
+			.executeTakeFirstOrThrow();
+
+		await logWidgetActivity(db, locals, {
+			action: "updated",
+			areaId: area.id,
+			areaName: area.name,
+			widgetId: widget.id,
+			...widgetApiRouteSource("updated"),
+			detail: {
+				changedKeys: activityChangedKeys(widgetInput as Record<string, unknown>),
+				type: widget.type,
+				hitlRequestId: approvedHitlRequestId,
+			},
+		});
+
+		return apiSuccess(widget);
+	} catch (error) {
+		return handleError(error, "Failed to update widget", "WIDGET_UPDATE_ERROR");
+	}
+};
+
+export const DELETE: APIRoute = async ({ params, request, locals }) => {
+	const { dineway, user } = locals;
+	const db = dineway.db;
+	const { name, id } = params;
+
+	const denied = requirePerm(user, "widgets:manage");
+	if (denied) return denied;
+
+	if (!name || !id) {
+		return apiError("VALIDATION_ERROR", "name and id are required", 400);
+	}
+
+	const query = parseQuery(new URL(request.url), deleteWidgetQuery);
+	if (isParseError(query)) return query;
+
+	try {
+		const payloadBuilder = new WidgetHitlPayloadBuilder(db);
+		const area = await payloadBuilder.loadWidgetAreaSnapshot(name);
+
+		if (!area) {
+			return apiError("NOT_FOUND", `Widget area "${name}" not found`, 404);
+		}
+
+		const existingWidget = area.widgets.find((widget) => widget.id === id);
+
+		if (!existingWidget) {
+			return apiError("NOT_FOUND", `Widget "${id}" not found in area "${name}"`, 404);
+		}
+
+		const actor = resolveHitlRouteActor(locals);
+		const evaluator = new RiskPolicyEvaluator({
+			db,
+			handlers: dineway,
+		});
+		let approvedHitlRequestId: string | null = null;
+
+		if (evaluator.requiresWorkflowHitl(actor.identity)) {
+			const action = await payloadBuilder.buildDeleteWidgetRequest({
+				area,
+				currentWidget: existingWidget,
+			});
+			const decision = await evaluator.evaluateWorkflowHitl({
+				actor: actor.identity,
+				hitlRequestId: query.hitlRequestId,
+				action,
+			});
+			if (!decision.allowed) {
+				const ensured = await ensureWorkflowHitlRouteRequest(db, locals, decision.action);
+				return hitlRequiredRouteError(decision, ensured);
+			}
+			approvedHitlRequestId = decision.hitlRequest.id;
+		}
+
+		await db.deleteFrom("_dineway_widgets").where("id", "=", id).execute();
+
+		await logWidgetActivity(db, locals, {
+			action: "deleted",
+			areaId: area.id,
+			areaName: area.name,
+			widgetId: existingWidget.id,
+			...widgetApiRouteSource("deleted"),
+			detail: {
+				type: existingWidget.type,
+				sortOrder: existingWidget.sortOrder,
+				hitlRequestId: approvedHitlRequestId,
+			},
+		});
+
+		return apiSuccess({ deleted: true });
+	} catch (error) {
+		return handleError(error, "Failed to delete widget", "WIDGET_DELETE_ERROR");
+	}
+};
+
+function buildWidgetUpdates(body: z.infer<typeof updateWidgetBody>): Record<string, unknown> {
+	const updates: Record<string, unknown> = {};
+	if (body.title !== undefined) updates.title = body.title || null;
+	if (body.type !== undefined) updates.type = body.type;
+	if (body.content !== undefined)
+		updates.content = body.content ? JSON.stringify(body.content) : null;
+	if (body.menuName !== undefined) updates.menu_name = body.menuName || null;
+	if (body.componentId !== undefined) updates.component_id = body.componentId || null;
+	if (body.componentProps !== undefined) {
+		updates.component_props = body.componentProps ? JSON.stringify(body.componentProps) : null;
+	}
+	return updates;
+}