dineway 0.1.3 → 0.1.5

package/src/astro/routes/api/widget-areas/[name]/widgets.ts

@@ -0,0 +1,126 @@
+/**
+ * Widgets CRUD endpoints
+ *
+ * POST /_dineway/api/widget-areas/:name/widgets - Add widget
+ */
+
+import type { APIRoute } from "astro";
+import { ulid } from "ulidx";
+import { z } from "zod";
+
+import { requirePerm } from "#api/authorize.js";
+import { apiError, apiSuccess, handleError } from "#api/error.js";
+import {
+	ensureWorkflowHitlRouteRequest,
+	hitlRequiredRouteError,
+	resolveHitlRouteActor,
+} from "#api/hitl-route-helpers.js";
+import { isParseError, parseBody } from "#api/parse.js";
+import { createWidgetBody } from "#api/schemas.js";
+import {
+	logWidgetActivity,
+	RiskPolicyEvaluator,
+	widgetApiRouteSource,
+	WidgetHitlPayloadBuilder,
+} from "#site-context/index.js";
+
+export const prerender = false;
+
+const createWidgetHitlBody = createWidgetBody.extend({
+	hitlRequestId: z.string().min(1).optional(),
+});
+
+export const POST: APIRoute = async ({ params, request, locals }) => {
+	const { dineway, user } = locals;
+	const db = dineway.db;
+	const { name } = params;
+
+	const denied = requirePerm(user, "widgets:manage");
+	if (denied) return denied;
+
+	if (!name) {
+		return apiError("VALIDATION_ERROR", "name is required", 400);
+	}
+
+	try {
+		const payloadBuilder = new WidgetHitlPayloadBuilder(db);
+		const area = await payloadBuilder.loadWidgetAreaSnapshot(name);
+
+		if (!area) {
+			return apiError("NOT_FOUND", `Widget area "${name}" not found`, 404);
+		}
+
+		const body = await parseBody(request, createWidgetHitlBody);
+		if (isParseError(body)) return body;
+		const { hitlRequestId, ...widgetInput } = body;
+
+		const actor = resolveHitlRouteActor(locals);
+		const evaluator = new RiskPolicyEvaluator({
+			db,
+			handlers: dineway,
+		});
+		let approvedHitlRequestId: string | null = null;
+
+		if (evaluator.requiresWorkflowHitl(actor.identity)) {
+			const action = await payloadBuilder.buildCreateWidgetRequest({
+				area,
+				...widgetInput,
+			});
+			const decision = await evaluator.evaluateWorkflowHitl({
+				actor: actor.identity,
+				hitlRequestId,
+				action,
+			});
+			if (!decision.allowed) {
+				const ensured = await ensureWorkflowHitlRouteRequest(db, locals, decision.action);
+				return hitlRequiredRouteError(decision, ensured);
+			}
+			approvedHitlRequestId = decision.hitlRequest.id;
+		}
+
+		const sortOrder = (area.widgets.at(-1)?.sortOrder ?? -1) + 1;
+
+		// Prepare values
+		const id = ulid();
+		await db
+			.insertInto("_dineway_widgets")
+			.values({
+				id,
+				area_id: area.id,
+				sort_order: sortOrder,
+				type: widgetInput.type,
+				title: widgetInput.title ?? null,
+				content: widgetInput.content ? JSON.stringify(widgetInput.content) : null,
+				menu_name: widgetInput.menuName ?? null,
+				component_id: widgetInput.componentId ?? null,
+				component_props: widgetInput.componentProps
+					? JSON.stringify(widgetInput.componentProps)
+					: null,
+			})
+			.execute();
+
+		const widget = await db
+			.selectFrom("_dineway_widgets")
+			.selectAll()
+			.where("id", "=", id)
+			.executeTakeFirstOrThrow();
+
+		await logWidgetActivity(db, locals, {
+			action: "created",
+			areaId: area.id,
+			areaName: area.name,
+			widgetId: widget.id,
+			...widgetApiRouteSource("created"),
+			detail: {
+				type: widget.type,
+				sortOrder: widget.sort_order,
+				title: widget.title,
+				hitlRequestId: approvedHitlRequestId,
+			},
+		});
+
+		return apiSuccess(widget, 201);
+	} catch (error) {
+		return handleError(error, "Failed to create widget", "WIDGET_CREATE_ERROR");
+	}
+};

package/src/astro/routes/api/widget-areas/[name].ts

@@ -0,0 +1,135 @@
+/**
+ * Widget area by name endpoints
+ *
+ * GET    /_dineway/api/widget-areas/:name - Get area with widgets
+ * DELETE /_dineway/api/widget-areas/:name - Delete area
+ */
+
+import type { APIRoute } from "astro";
+import { z } from "zod";
+
+import { requirePerm } from "#api/authorize.js";
+import { apiError, apiSuccess, handleError } from "#api/error.js";
+import {
+	ensureWorkflowHitlRouteRequest,
+	hitlRequiredRouteError,
+	resolveHitlRouteActor,
+} from "#api/hitl-route-helpers.js";
+import { isParseError, parseQuery } from "#api/parse.js";
+import {
+	logWidgetActivity,
+	RiskPolicyEvaluator,
+	widgetApiRouteSource,
+	WidgetHitlPayloadBuilder,
+} from "#site-context/index.js";
+
+export const prerender = false;
+
+const deleteWidgetAreaQuery = z.object({
+	hitlRequestId: z.string().min(1).optional(),
+});
+
+export const GET: APIRoute = async ({ params, locals }) => {
+	const { dineway, user } = locals;
+	const db = dineway.db;
+	const { name } = params;
+
+	const denied = requirePerm(user, "widgets:read");
+	if (denied) return denied;
+
+	if (!name) {
+		return apiError("VALIDATION_ERROR", "name is required", 400);
+	}
+
+	try {
+		// Get the area
+		const area = await db
+			.selectFrom("_dineway_widget_areas")
+			.selectAll()
+			.where("name", "=", name)
+			.executeTakeFirst();
+
+		if (!area) {
+			return apiError("NOT_FOUND", `Widget area "${name}" not found`, 404);
+		}
+
+		// Get widgets for this area
+		const widgets = await db
+			.selectFrom("_dineway_widgets")
+			.selectAll()
+			.where("area_id", "=", area.id)
+			.orderBy("sort_order", "asc")
+			.execute();
+
+		return apiSuccess({
+			...area,
+			widgets,
+		});
+	} catch (error) {
+		return handleError(error, "Failed to fetch widget area", "WIDGET_AREA_GET_ERROR");
+	}
+};
+
+export const DELETE: APIRoute = async ({ params, request, locals }) => {
+	const { dineway, user } = locals;
+	const db = dineway.db;
+	const { name } = params;
+
+	const denied = requirePerm(user, "widgets:manage");
+	if (denied) return denied;
+
+	if (!name) {
+		return apiError("VALIDATION_ERROR", "name is required", 400);
+	}
+
+	const query = parseQuery(new URL(request.url), deleteWidgetAreaQuery);
+	if (isParseError(query)) return query;
+
+	try {
+		const payloadBuilder = new WidgetHitlPayloadBuilder(db);
+		const area = await payloadBuilder.loadWidgetAreaSnapshot(name);
+
+		if (!area) {
+			return apiError("NOT_FOUND", `Widget area "${name}" not found`, 404);
+		}
+
+		const actor = resolveHitlRouteActor(locals);
+		const evaluator = new RiskPolicyEvaluator({
+			db,
+			handlers: dineway,
+		});
+		let approvedHitlRequestId: string | null = null;
+
+		if (evaluator.requiresWorkflowHitl(actor.identity)) {
+			const action = await payloadBuilder.buildDeleteWidgetAreaRequest({ area });
+			const decision = await evaluator.evaluateWorkflowHitl({
+				actor: actor.identity,
+				hitlRequestId: query.hitlRequestId,
+				action,
+			});
+			if (!decision.allowed) {
+				const ensured = await ensureWorkflowHitlRouteRequest(db, locals, decision.action);
+				return hitlRequiredRouteError(decision, ensured);
+			}
+			approvedHitlRequestId = decision.hitlRequest.id;
+		}
+
+		// Delete area (widgets cascade)
+		await db.deleteFrom("_dineway_widget_areas").where("id", "=", area.id).execute();
+
+		await logWidgetActivity(db, locals, {
+			action: "area_deleted",
+			areaId: area.id,
+			areaName: area.name,
+			...widgetApiRouteSource("area_deleted"),
+			detail: {
+				widgetCount: area.widgets.length,
+				hitlRequestId: approvedHitlRequestId,
+			},
+		});
+
+		return apiSuccess({ deleted: true });
+	} catch (error) {
+		return handleError(error, "Failed to delete widget area", "WIDGET_AREA_DELETE_ERROR");
+	}
+};

package/src/astro/routes/api/widget-areas/index.ts

@@ -0,0 +1,149 @@
+/**
+ * Widget areas list and create endpoints
+ *
+ * GET  /_dineway/api/widget-areas - List all widget areas
+ * POST /_dineway/api/widget-areas - Create widget area
+ */
+
+import type { APIRoute } from "astro";
+import { ulid } from "ulidx";
+import { z } from "zod";
+
+import { requirePerm } from "#api/authorize.js";
+import { apiError, apiSuccess, handleError } from "#api/error.js";
+import {
+	ensureWorkflowHitlRouteRequest,
+	hitlRequiredRouteError,
+	resolveHitlRouteActor,
+} from "#api/hitl-route-helpers.js";
+import { isParseError, parseBody } from "#api/parse.js";
+import { createWidgetAreaBody } from "#api/schemas.js";
+import {
+	logWidgetActivity,
+	RiskPolicyEvaluator,
+	widgetApiRouteSource,
+	WidgetHitlPayloadBuilder,
+} from "#site-context/index.js";
+
+export const prerender = false;
+
+const createWidgetAreaHitlBody = createWidgetAreaBody.extend({
+	hitlRequestId: z.string().min(1).optional(),
+});
+
+export const GET: APIRoute = async ({ locals }) => {
+	const { dineway, user } = locals;
+	const db = dineway.db;
+
+	const denied = requirePerm(user, "widgets:read");
+	if (denied) return denied;
+
+	try {
+		const areas = await db
+			.selectFrom("_dineway_widget_areas")
+			.selectAll()
+			.orderBy("name", "asc")
+			.execute();
+
+		// Get widgets for each area (needed for drag-and-drop reordering in admin UI)
+		const areasWithWidgets = await Promise.all(
+			areas.map(async (area) => {
+				const widgets = await db
+					.selectFrom("_dineway_widgets")
+					.selectAll()
+					.where("area_id", "=", area.id)
+					.orderBy("sort_order", "asc")
+					.execute();
+
+				return {
+					...area,
+					widgets,
+					widgetCount: widgets.length,
+				};
+			}),
+		);
+
+		return apiSuccess({ items: areasWithWidgets });
+	} catch (error) {
+		return handleError(error, "Failed to fetch widget areas", "WIDGET_AREA_LIST_ERROR");
+	}
+};
+
+export const POST: APIRoute = async ({ request, locals }) => {
+	const { dineway, user } = locals;
+	const db = dineway.db;
+
+	const denied = requirePerm(user, "widgets:manage");
+	if (denied) return denied;
+
+	try {
+		const body = await parseBody(request, createWidgetAreaHitlBody);
+		if (isParseError(body)) return body;
+		const { hitlRequestId, ...areaInput } = body;
+
+		// Check if area name already exists
+		const existing = await db
+			.selectFrom("_dineway_widget_areas")
+			.select("id")
+			.where("name", "=", areaInput.name)
+			.executeTakeFirst();
+
+		if (existing) {
+			return apiError("CONFLICT", `Widget area with name "${areaInput.name}" already exists`, 409);
+		}
+
+		const actor = resolveHitlRouteActor(locals);
+		const evaluator = new RiskPolicyEvaluator({
+			db,
+			handlers: dineway,
+		});
+		let approvedHitlRequestId: string | null = null;
+
+		if (evaluator.requiresWorkflowHitl(actor.identity)) {
+			const action = await new WidgetHitlPayloadBuilder(db).buildCreateWidgetAreaRequest(areaInput);
+			const decision = await evaluator.evaluateWorkflowHitl({
+				actor: actor.identity,
+				hitlRequestId,
+				action,
+			});
+			if (!decision.allowed) {
+				const ensured = await ensureWorkflowHitlRouteRequest(db, locals, decision.action);
+				return hitlRequiredRouteError(decision, ensured);
+			}
+			approvedHitlRequestId = decision.hitlRequest.id;
+		}
+
+		const id = ulid();
+		await db
+			.insertInto("_dineway_widget_areas")
+			.values({
+				id,
+				name: areaInput.name,
+				label: areaInput.label,
+				description: areaInput.description ?? null,
+			})
+			.execute();
+
+		const area = await db
+			.selectFrom("_dineway_widget_areas")
+			.selectAll()
+			.where("id", "=", id)
+			.executeTakeFirstOrThrow();
+
+		await logWidgetActivity(db, locals, {
+			action: "area_created",
+			areaId: area.id,
+			areaName: area.name,
+			...widgetApiRouteSource("area_created"),
+			detail: {
+				label: area.label,
+				description: area.description,
+				hitlRequestId: approvedHitlRequestId,
+			},
+		});
+
+		return apiSuccess(area, 201);
+	} catch (error) {
+		return handleError(error, "Failed to create widget area", "WIDGET_AREA_CREATE_ERROR");
+	}
+};

package/src/astro/routes/api/widget-components.ts

@@ -0,0 +1,22 @@
+/**
+ * Widget components registry endpoint
+ *
+ * GET /_dineway/api/widget-components - List available widget components
+ */
+
+import type { APIRoute } from "astro";
+
+import { apiSuccess, handleError } from "#api/error.js";
+import { getWidgetComponents } from "#widgets/components.js";
+
+export const prerender = false;
+
+export const GET: APIRoute = async () => {
+	try {
+		const components = getWidgetComponents();
+
+		return apiSuccess({ items: components });
+	} catch (error) {
+		return handleError(error, "Failed to fetch widget components", "WIDGET_COMPONENTS_ERROR");
+	}
+};

package/src/astro/routes/robots.txt.ts

@@ -0,0 +1,81 @@
+/**
+ * Robots.txt endpoint
+ *
+ * GET /robots.txt - Serves robots.txt with sitemap reference
+ *
+ * If a custom robots.txt is configured in SEO settings, that is returned.
+ * Otherwise generates a default that allows all crawlers and references
+ * the sitemap.
+ */
+
+import type { APIRoute } from "astro";
+
+import { getPublicOrigin } from "#api/public-url.js";
+import { getSiteSettingsWithDb } from "#settings/index.js";
+
+export const prerender = false;
+
+const TRAILING_SLASH_RE = /\/$/;
+
+export const GET: APIRoute = async ({ locals, url }) => {
+	const { dineway } = locals;
+
+	if (!dineway?.db) {
+		// Return a permissive default if CMS isn't initialized
+		return new Response("User-agent: *\nAllow: /\n", {
+			status: 200,
+			headers: { "Content-Type": "text/plain; charset=utf-8" },
+		});
+	}
+
+	try {
+		const settings = await getSiteSettingsWithDb(dineway.db);
+		const siteUrl = (settings.url || getPublicOrigin(url, dineway?.config)).replace(
+			TRAILING_SLASH_RE,
+			"",
+		);
+		const sitemapUrl = `${siteUrl}/sitemap.xml`;
+
+		// Use custom robots.txt if configured
+		if (settings.seo?.robotsTxt) {
+			// Append sitemap directive if not already present
+			let content = settings.seo.robotsTxt;
+			if (!content.toLowerCase().includes("sitemap:")) {
+				content = `${content.trimEnd()}\n\nSitemap: ${sitemapUrl}\n`;
+			}
+
+			return new Response(content, {
+				status: 200,
+				headers: {
+					"Content-Type": "text/plain; charset=utf-8",
+					"Cache-Control": "public, max-age=86400",
+				},
+			});
+		}
+
+		// Generate default robots.txt
+		const defaultRobots = [
+			"User-agent: *",
+			"Allow: /",
+			"",
+			"# Disallow admin and API routes",
+			"Disallow: /_dineway/",
+			"",
+			`Sitemap: ${sitemapUrl}`,
+			"",
+		].join("\n");
+
+		return new Response(defaultRobots, {
+			status: 200,
+			headers: {
+				"Content-Type": "text/plain; charset=utf-8",
+				"Cache-Control": "public, max-age=86400",
+			},
+		});
+	} catch {
+		return new Response("User-agent: *\nAllow: /\n", {
+			status: 200,
+			headers: { "Content-Type": "text/plain; charset=utf-8" },
+		});
+	}
+};

package/src/astro/routes/sitemap-[collection].xml.ts

@@ -0,0 +1,104 @@
+/**
+ * Per-collection sitemap endpoint
+ *
+ * GET /sitemap-{collection}.xml - Sitemap for a single content collection.
+ *
+ * Uses the collection's url_pattern to build URLs. Falls back to
+ * /{collection}/{slug} when no pattern is configured.
+ */
+
+import type { APIRoute } from "astro";
+
+import { handleSitemapData } from "#api/handlers/seo.js";
+import { getSiteSettingsWithDb } from "#settings/index.js";
+
+export const prerender = false;
+
+const TRAILING_SLASH_RE = /\/$/;
+const AMP_RE = /&/g;
+const LT_RE = /</g;
+const GT_RE = />/g;
+const QUOT_RE = /"/g;
+const APOS_RE = /'/g;
+const SLUG_PLACEHOLDER = "{slug}";
+const ID_PLACEHOLDER = "{id}";
+
+export const GET: APIRoute = async ({ params, locals, url }) => {
+	const { dineway } = locals;
+	const collectionSlug = params.collection;
+
+	if (!dineway?.db || !collectionSlug) {
+		return new Response("<!-- Dineway is not configured -->", {
+			status: 500,
+			headers: { "Content-Type": "application/xml" },
+		});
+	}
+
+	try {
+		const settings = await getSiteSettingsWithDb(dineway.db);
+		const siteUrl = (settings.url || url.origin).replace(TRAILING_SLASH_RE, "");
+
+		const result = await handleSitemapData(dineway.db, collectionSlug);
+
+		if (!result.success || !result.data) {
+			return new Response("<!-- Failed to generate sitemap -->", {
+				status: 500,
+				headers: { "Content-Type": "application/xml" },
+			});
+		}
+
+		const col = result.data.collections[0];
+		if (!col) {
+			return new Response("<!-- Collection not found or empty -->", {
+				status: 404,
+				headers: { "Content-Type": "application/xml" },
+			});
+		}
+
+		const lines: string[] = [
+			'<?xml version="1.0" encoding="UTF-8"?>',
+			'<urlset xmlns="http://www.sitemaps.org/schemas/sitemap/0.9">',
+		];
+
+		for (const entry of col.entries) {
+			const slug = entry.slug || entry.id;
+			const path = col.urlPattern
+				? col.urlPattern
+						.replace(SLUG_PLACEHOLDER, encodeURIComponent(slug))
+						.replace(ID_PLACEHOLDER, encodeURIComponent(entry.id))
+				: `/${encodeURIComponent(col.collection)}/${encodeURIComponent(slug)}`;
+
+			const loc = `${siteUrl}${path}`;
+
+			lines.push("  <url>");
+			lines.push(`    <loc>${escapeXml(loc)}</loc>`);
+			lines.push(`    <lastmod>${escapeXml(entry.updatedAt)}</lastmod>`);
+			lines.push("  </url>");
+		}
+
+		lines.push("</urlset>");
+
+		return new Response(lines.join("\n"), {
+			status: 200,
+			headers: {
+				"Content-Type": "application/xml; charset=utf-8",
+				"Cache-Control": "public, max-age=3600",
+			},
+		});
+	} catch {
+		return new Response("<!-- Internal error generating sitemap -->", {
+			status: 500,
+			headers: { "Content-Type": "application/xml" },
+		});
+	}
+};
+
+/** Escape special XML characters in a string */
+function escapeXml(str: string): string {
+	return str
+		.replace(AMP_RE, "&amp;")
+		.replace(LT_RE, "&lt;")
+		.replace(GT_RE, "&gt;")
+		.replace(QUOT_RE, "&quot;")
+		.replace(APOS_RE, "&apos;");
+}

package/src/astro/routes/sitemap.xml.ts

@@ -0,0 +1,92 @@
+/**
+ * Sitemap index endpoint
+ *
+ * GET /sitemap.xml - Sitemap index listing one sitemap per collection.
+ *
+ * Each collection with published, indexable content gets its own
+ * child sitemap at /sitemap-{collection}.xml. The index includes
+ * a <lastmod> per child derived from the most recently updated entry.
+ */
+
+import type { APIRoute } from "astro";
+
+import { handleSitemapData } from "#api/handlers/seo.js";
+import { getPublicOrigin } from "#api/public-url.js";
+import { getSiteSettingsWithDb } from "#settings/index.js";
+
+export const prerender = false;
+
+const TRAILING_SLASH_RE = /\/$/;
+const AMP_RE = /&/g;
+const LT_RE = /</g;
+const GT_RE = />/g;
+const QUOT_RE = /"/g;
+const APOS_RE = /'/g;
+
+export const GET: APIRoute = async ({ locals, url }) => {
+	const { dineway } = locals;
+
+	if (!dineway?.db) {
+		return new Response("<!-- Dineway is not configured -->", {
+			status: 500,
+			headers: { "Content-Type": "application/xml" },
+		});
+	}
+
+	try {
+		const settings = await getSiteSettingsWithDb(dineway.db);
+		const siteUrl = (settings.url || getPublicOrigin(url, dineway?.config)).replace(
+			TRAILING_SLASH_RE,
+			"",
+		);
+
+		const result = await handleSitemapData(dineway.db);
+
+		if (!result.success || !result.data) {
+			return new Response("<!-- Failed to generate sitemap -->", {
+				status: 500,
+				headers: { "Content-Type": "application/xml" },
+			});
+		}
+
+		const { collections } = result.data;
+
+		const lines: string[] = [
+			'<?xml version="1.0" encoding="UTF-8"?>',
+			'<sitemapindex xmlns="http://www.sitemaps.org/schemas/sitemap/0.9">',
+		];
+
+		for (const col of collections) {
+			const loc = `${siteUrl}/sitemap-${encodeURIComponent(col.collection)}.xml`;
+			lines.push("  <sitemap>");
+			lines.push(`    <loc>${escapeXml(loc)}</loc>`);
+			lines.push(`    <lastmod>${escapeXml(col.lastmod)}</lastmod>`);
+			lines.push("  </sitemap>");
+		}
+
+		lines.push("</sitemapindex>");
+
+		return new Response(lines.join("\n"), {
+			status: 200,
+			headers: {
+				"Content-Type": "application/xml; charset=utf-8",
+				"Cache-Control": "public, max-age=3600",
+			},
+		});
+	} catch {
+		return new Response("<!-- Internal error generating sitemap -->", {
+			status: 500,
+			headers: { "Content-Type": "application/xml" },
+		});
+	}
+};
+
+/** Escape special XML characters in a string */
+function escapeXml(str: string): string {
+	return str
+		.replace(AMP_RE, "&amp;")
+		.replace(LT_RE, "&lt;")
+		.replace(GT_RE, "&gt;")
+		.replace(QUOT_RE, "&quot;")
+		.replace(APOS_RE, "&apos;");
+}