dineway 0.1.3

package/dist/tokens-4vgYuXsZ.mjs

@@ -0,0 +1,170 @@
+import { i as encodeBase64url, n as decodeBase64url } from "./base64-F8-DUraK.mjs";
+
+//#region src/preview/tokens.ts
+/**
+* Preview token generation and verification
+*
+* Tokens are compact, URL-safe, and HMAC-signed.
+* Format: base64url(JSON payload).base64url(HMAC signature)
+*
+* Payload: { cid: contentId, exp: expiryTimestamp, iat: issuedAt }
+*/
+const DURATION_PATTERN = /^(\d+)([smhdw])$/;
+/**
+* Parse duration string to seconds
+* Supports: "1h", "30m", "1d", "2w", or raw seconds
+*/
+function parseDuration(duration) {
+	if (typeof duration === "number") return duration;
+	const match = duration.match(DURATION_PATTERN);
+	if (!match) throw new Error(`Invalid duration format: "${duration}". Use "1h", "30m", "1d", "2w", or seconds.`);
+	const value = parseInt(match[1], 10);
+	const unit = match[2];
+	switch (unit) {
+		case "s": return value;
+		case "m": return value * 60;
+		case "h": return value * 60 * 60;
+		case "d": return value * 60 * 60 * 24;
+		case "w": return value * 60 * 60 * 24 * 7;
+		default: throw new Error(`Unknown duration unit: ${unit}`);
+	}
+}
+/**
+* Create HMAC-SHA256 signature using Web Crypto API
+*/
+async function createSignature(data, secret) {
+	const encoder = new TextEncoder();
+	const key = await crypto.subtle.importKey("raw", encoder.encode(secret), {
+		name: "HMAC",
+		hash: "SHA-256"
+	}, false, ["sign"]);
+	const signature = await crypto.subtle.sign("HMAC", key, encoder.encode(data));
+	return new Uint8Array(signature);
+}
+/**
+* Verify HMAC-SHA256 signature
+*/
+async function verifySignature(data, signature, secret) {
+	const encoder = new TextEncoder();
+	const key = await crypto.subtle.importKey("raw", encoder.encode(secret), {
+		name: "HMAC",
+		hash: "SHA-256"
+	}, false, ["verify"]);
+	const sigBuffer = new ArrayBuffer(signature.byteLength);
+	new Uint8Array(sigBuffer).set(signature);
+	return crypto.subtle.verify("HMAC", key, sigBuffer, encoder.encode(data));
+}
+/**
+* Generate a preview token for content
+*
+* @example
+* ```ts
+* const token = await generatePreviewToken({
+*   contentId: "posts:abc123",
+*   expiresIn: "1h",
+*   secret: process.env.PREVIEW_SECRET!,
+* });
+* ```
+*/
+async function generatePreviewToken(options) {
+	const { contentId, expiresIn = "1h", secret } = options;
+	if (!secret) throw new Error("Preview secret is required");
+	if (!contentId || !contentId.includes(":")) throw new Error("Content ID must be in format \"collection:id\"");
+	const now = Math.floor(Date.now() / 1e3);
+	const payload = {
+		cid: contentId,
+		exp: now + parseDuration(expiresIn),
+		iat: now
+	};
+	const payloadJson = JSON.stringify(payload);
+	const encodedPayload = encodeBase64url(new TextEncoder().encode(payloadJson));
+	return `${encodedPayload}.${encodeBase64url(await createSignature(encodedPayload, secret))}`;
+}
+/**
+* Verify a preview token and return the payload
+*
+* @example
+* ```ts
+* // With URL (extracts _preview query param)
+* const result = await verifyPreviewToken({
+*   url: Astro.url,
+*   secret: import.meta.env.PREVIEW_SECRET,
+* });
+*
+* // With token directly
+* const result = await verifyPreviewToken({
+*   token: someToken,
+*   secret: import.meta.env.PREVIEW_SECRET,
+* });
+*
+* if (result.valid) {
+*   console.log(result.payload.cid); // "posts:abc123"
+* }
+* ```
+*/
+async function verifyPreviewToken(options) {
+	const { secret } = options;
+	if (!secret) throw new Error("Preview secret is required");
+	const token = "url" in options ? options.url.searchParams.get("_preview") : options.token;
+	if (!token) return {
+		valid: false,
+		error: "none"
+	};
+	const parts = token.split(".");
+	if (parts.length !== 2) return {
+		valid: false,
+		error: "malformed"
+	};
+	const [encodedPayload, encodedSignature] = parts;
+	let signature;
+	try {
+		signature = decodeBase64url(encodedSignature);
+	} catch {
+		return {
+			valid: false,
+			error: "malformed"
+		};
+	}
+	if (!await verifySignature(encodedPayload, signature, secret)) return {
+		valid: false,
+		error: "invalid"
+	};
+	let payload;
+	try {
+		const payloadBytes = decodeBase64url(encodedPayload);
+		const payloadJson = new TextDecoder().decode(payloadBytes);
+		payload = JSON.parse(payloadJson);
+	} catch {
+		return {
+			valid: false,
+			error: "malformed"
+		};
+	}
+	if (typeof payload.cid !== "string" || typeof payload.exp !== "number" || typeof payload.iat !== "number") return {
+		valid: false,
+		error: "malformed"
+	};
+	const now = Math.floor(Date.now() / 1e3);
+	if (payload.exp < now) return {
+		valid: false,
+		error: "expired"
+	};
+	return {
+		valid: true,
+		payload
+	};
+}
+/**
+* Parse a content ID into collection and id
+*/
+function parseContentId(contentId) {
+	const colonIndex = contentId.indexOf(":");
+	if (colonIndex === -1) throw new Error("Content ID must be in format \"collection:id\"");
+	return {
+		collection: contentId.slice(0, colonIndex),
+		id: contentId.slice(colonIndex + 1)
+	};
+}
+
+//#endregion
+export { parseContentId as n, verifyPreviewToken as r, generatePreviewToken as t };

package/dist/transport-C5FYnid7.mjs

@@ -0,0 +1,417 @@
+//#region src/client/portable-text.ts
+/**
+* Convert Portable Text blocks to Markdown.
+* Unknown block types are serialized as opaque fences.
+*/
+function portableTextToMarkdown(blocks) {
+	const lines = [];
+	let prevWasList = false;
+	for (let i = 0; i < blocks.length; i++) {
+		const block = blocks[i];
+		if (block._type === "block") {
+			const isList = !!block.listItem;
+			if (i > 0 && (!isList || !prevWasList)) lines.push("");
+			lines.push(renderStandardBlock(block));
+			prevWasList = isList;
+		} else if (block._type === "code") {
+			if (i > 0) lines.push("");
+			const lang = block.language || "";
+			const code = block.code || "";
+			lines.push("```" + lang);
+			lines.push(code);
+			lines.push("```");
+			prevWasList = false;
+		} else if (block._type === "image") {
+			if (i > 0) lines.push("");
+			const alt = block.alt || "";
+			const url = block.asset?.url || "";
+			lines.push(`![${alt}](${url})`);
+			prevWasList = false;
+		} else {
+			if (i > 0) lines.push("");
+			lines.push(`<!--ec:block ${JSON.stringify(block)} -->`);
+			prevWasList = false;
+		}
+	}
+	return lines.join("\n") + "\n";
+}
+function renderStandardBlock(block) {
+	const text = renderSpans(block.children ?? [], block.markDefs ?? []);
+	if (block.listItem) return `${"  ".repeat(Math.max(0, (block.level ?? 1) - 1))}${block.listItem === "number" ? "1." : "-"} ${text}`;
+	if (block.style && block.style.startsWith("h")) {
+		const level = parseInt(block.style.substring(1), 10);
+		if (level >= 1 && level <= 6) return `${"#".repeat(level)} ${text}`;
+	}
+	if (block.style === "blockquote") return `> ${text}`;
+	return text;
+}
+function renderSpans(spans, markDefs) {
+	let result = "";
+	for (const span of spans) {
+		if (span._type !== "span") continue;
+		let text = span.text ?? "";
+		const marks = span.marks ?? [];
+		for (const mark of marks) {
+			const def = markDefs.find((d) => d._key === mark);
+			if (def) {
+				if (def._type === "link") text = `[${text}](${def.href ?? ""})`;
+			} else switch (mark) {
+				case "strong":
+					text = `**${text}**`;
+					break;
+				case "em":
+					text = `_${text}_`;
+					break;
+				case "code":
+					text = `\`${text}\``;
+					break;
+				case "strike-through":
+				case "strikethrough":
+					text = `~~${text}~~`;
+					break;
+			}
+		}
+		result += text;
+	}
+	return result;
+}
+const OPAQUE_FENCE_PATTERN = /^<!--ec:block (.+) -->$/;
+const HEADING_PATTERN = /^(#{1,6})\s+(.+)$/;
+const UNORDERED_LIST_PATTERN = /^(\s*)[-*+]\s+(.+)$/;
+const ORDERED_LIST_PATTERN = /^(\s*)\d+\.\s+(.+)$/;
+const IMAGE_PATTERN = /^!\[([^\]]*)\]\(([^)]+)\)$/;
+const INLINE_MARKDOWN_PATTERN = /(\*\*(.+?)\*\*)|(_(.+?)_)|(`(.+?)`)|(\[(.+?)\]\((.+?)\))|(~~(.+?)~~)/g;
+/**
+* Convert Markdown to Portable Text blocks.
+* Opaque fences (<!--ec:block ... -->) are deserialized and spliced back in.
+*/
+function markdownToPortableText(markdown) {
+	const blocks = [];
+	const lines = markdown.split("\n");
+	let i = 0;
+	while (i < lines.length) {
+		const line = lines[i];
+		const opaqueMatch = line.match(OPAQUE_FENCE_PATTERN);
+		if (opaqueMatch) {
+			try {
+				blocks.push(JSON.parse(opaqueMatch[1]));
+			} catch {
+				blocks.push(makeBlock(line));
+			}
+			i++;
+			continue;
+		}
+		if (line.startsWith("```")) {
+			const lang = line.slice(3).trim();
+			const codeLines = [];
+			i++;
+			while (i < lines.length && !lines[i].startsWith("```")) {
+				codeLines.push(lines[i]);
+				i++;
+			}
+			blocks.push({
+				_type: "code",
+				_key: generateKey(),
+				language: lang || void 0,
+				code: codeLines.join("\n")
+			});
+			i++;
+			continue;
+		}
+		if (line.trim() === "") {
+			i++;
+			continue;
+		}
+		const headingMatch = line.match(HEADING_PATTERN);
+		if (headingMatch) {
+			blocks.push(makeBlock(headingMatch[2], `h${headingMatch[1].length}`));
+			i++;
+			continue;
+		}
+		if (line.startsWith("> ")) {
+			blocks.push(makeBlock(line.slice(2), "blockquote"));
+			i++;
+			continue;
+		}
+		const ulMatch = line.match(UNORDERED_LIST_PATTERN);
+		if (ulMatch) {
+			const level = Math.floor(ulMatch[1].length / 2) + 1;
+			blocks.push(makeListBlock(ulMatch[2], "bullet", level));
+			i++;
+			continue;
+		}
+		const olMatch = line.match(ORDERED_LIST_PATTERN);
+		if (olMatch) {
+			const level = Math.floor(olMatch[1].length / 2) + 1;
+			blocks.push(makeListBlock(olMatch[2], "number", level));
+			i++;
+			continue;
+		}
+		const imgMatch = line.match(IMAGE_PATTERN);
+		if (imgMatch) {
+			blocks.push({
+				_type: "image",
+				_key: generateKey(),
+				alt: imgMatch[1],
+				asset: { url: imgMatch[2] }
+			});
+			i++;
+			continue;
+		}
+		blocks.push(makeBlock(line));
+		i++;
+	}
+	return blocks;
+}
+function makeBlock(text, style = "normal") {
+	const { spans, markDefs } = parseInline(text);
+	return {
+		_type: "block",
+		_key: generateKey(),
+		style,
+		markDefs,
+		children: spans
+	};
+}
+function makeListBlock(text, listItem, level) {
+	const { spans, markDefs } = parseInline(text);
+	return {
+		_type: "block",
+		_key: generateKey(),
+		style: "normal",
+		listItem,
+		level,
+		markDefs,
+		children: spans
+	};
+}
+/**
+* Parse inline markdown (bold, italic, code, links, strikethrough) into PT spans + markDefs.
+*/
+function parseInline(text) {
+	const spans = [];
+	const markDefs = [];
+	const regex = INLINE_MARKDOWN_PATTERN;
+	let lastIndex = 0;
+	let match;
+	while ((match = regex.exec(text)) !== null) {
+		if (match.index > lastIndex) spans.push({
+			_type: "span",
+			_key: generateKey(),
+			text: text.slice(lastIndex, match.index),
+			marks: []
+		});
+		if (match[2] != null) spans.push({
+			_type: "span",
+			_key: generateKey(),
+			text: match[2],
+			marks: ["strong"]
+		});
+		else if (match[4] != null) spans.push({
+			_type: "span",
+			_key: generateKey(),
+			text: match[4],
+			marks: ["em"]
+		});
+		else if (match[6] != null) spans.push({
+			_type: "span",
+			_key: generateKey(),
+			text: match[6],
+			marks: ["code"]
+		});
+		else if (match[8] != null && match[9] != null) {
+			const key = generateKey();
+			markDefs.push({
+				_key: key,
+				_type: "link",
+				href: match[9]
+			});
+			spans.push({
+				_type: "span",
+				_key: generateKey(),
+				text: match[8],
+				marks: [key]
+			});
+		} else if (match[11] != null) spans.push({
+			_type: "span",
+			_key: generateKey(),
+			text: match[11],
+			marks: ["strike-through"]
+		});
+		lastIndex = match.index + match[0].length;
+	}
+	if (lastIndex < text.length) spans.push({
+		_type: "span",
+		_key: generateKey(),
+		text: text.slice(lastIndex),
+		marks: []
+	});
+	if (spans.length === 0) spans.push({
+		_type: "span",
+		_key: generateKey(),
+		text,
+		marks: []
+	});
+	return {
+		spans,
+		markDefs
+	};
+}
+let keyCounter = 0;
+function generateKey() {
+	return `k${(keyCounter++).toString(36)}`;
+}
+/**
+* Convert content data for reading: PT fields -> markdown strings.
+* Only converts fields with type "portableText" that contain arrays.
+*/
+function convertDataForRead(data, fields, raw = false) {
+	if (raw) return data;
+	const result = { ...data };
+	for (const field of fields) if (field.type === "portableText" && Array.isArray(result[field.slug])) result[field.slug] = portableTextToMarkdown(result[field.slug]);
+	return result;
+}
+/**
+* Convert content data for writing: markdown strings -> PT arrays.
+* Only converts fields with type "portableText" that contain strings.
+*/
+function convertDataForWrite(data, fields) {
+	const result = { ...data };
+	for (const field of fields) if (field.type === "portableText" && typeof result[field.slug] === "string") result[field.slug] = markdownToPortableText(result[field.slug]);
+	return result;
+}
+
+//#endregion
+//#region src/client/transport.ts
+/**
+* Transport layer for the Dineway client.
+*
+* Implements a composable interceptor pipeline that modifies requests
+* and responses. The client calls `transport.fetch(request)` — everything
+* else (auth, CSRF, retry) is handled by interceptors.
+*/
+const COOKIE_NAME_VALUE_PATTERN = /^([^;]+)/;
+function baseFetch(request) {
+	return globalThis.fetch(request);
+}
+/**
+* Creates a fetch function that runs requests through an interceptor pipeline.
+*/
+function createTransport(options = {}) {
+	const interceptors = options.interceptors ?? [];
+	let chain = baseFetch;
+	for (let i = interceptors.length - 1; i >= 0; i--) {
+		const interceptor = interceptors[i];
+		const next = chain;
+		chain = (req) => interceptor(req, next);
+	}
+	return { fetch: chain };
+}
+/**
+* Adds X-Dineway-Request: 1 and Origin headers to mutation requests
+* (POST, PUT, DELETE). The custom header satisfies Dineway's CSRF check;
+* the Origin header satisfies Astro's built-in origin verification which
+* rejects server-side POST requests that lack a matching Origin.
+*/
+function csrfInterceptor() {
+	const MUTATION_METHODS = new Set([
+		"POST",
+		"PUT",
+		"DELETE",
+		"PATCH"
+	]);
+	return (request, next) => {
+		if (MUTATION_METHODS.has(request.method)) {
+			const headers = new Headers(request.headers);
+			headers.set("X-Dineway-Request", "1");
+			if (!headers.has("Origin")) {
+				const url = new URL(request.url);
+				headers.set("Origin", url.origin);
+			}
+			return next(new Request(request, { headers }));
+		}
+		return next(request);
+	};
+}
+/**
+* Adds Authorization: Bearer header from a static token.
+*/
+function tokenInterceptor(token) {
+	return (request, next) => {
+		const headers = new Headers(request.headers);
+		headers.set("Authorization", `Bearer ${token}`);
+		return next(new Request(request, { headers }));
+	};
+}
+/**
+* Dev bypass interceptor. Calls the dev-bypass endpoint on first request
+* to establish a session, then forwards the session cookie on subsequent
+* requests.
+*/
+function devBypassInterceptor(baseUrl) {
+	let sessionCookie = null;
+	let initializing = null;
+	async function init() {
+		const bypassUrl = new URL("/_dineway/api/auth/dev-bypass", baseUrl);
+		const res = await globalThis.fetch(bypassUrl, { redirect: "manual" });
+		const setCookie = res.headers.get("set-cookie");
+		if (setCookie) {
+			const match = setCookie.match(COOKIE_NAME_VALUE_PATTERN);
+			if (match) sessionCookie = match[1];
+		}
+		if (res.body) await res.text().catch(() => {});
+	}
+	return async (request, next) => {
+		if (!sessionCookie) {
+			if (!initializing) initializing = init();
+			await initializing;
+		}
+		if (sessionCookie) {
+			const headers = new Headers(request.headers);
+			const existing = headers.get("cookie");
+			headers.set("cookie", existing ? `${existing}; ${sessionCookie}` : sessionCookie);
+			return next(new Request(request, { headers }));
+		}
+		return next(request);
+	};
+}
+/**
+* Auto-refreshes expired OAuth tokens on 401 responses.
+* Requires a refresh token and the token endpoint URL.
+*/
+function refreshInterceptor(options) {
+	let refreshing = null;
+	async function refresh() {
+		const res = await globalThis.fetch(options.tokenEndpoint, {
+			method: "POST",
+			headers: { "Content-Type": "application/json" },
+			body: JSON.stringify({
+				grant_type: "refresh_token",
+				refresh_token: options.refreshToken
+			})
+		});
+		if (!res.ok) return null;
+		const data = await res.json();
+		const expiresAt = data.expires_in ? new Date(Date.now() + data.expires_in * 1e3).toISOString() : new Date(Date.now() + 36e5).toISOString();
+		if (options.onTokenRefreshed) options.onTokenRefreshed(data.access_token, data.refresh_token ?? options.refreshToken, expiresAt);
+		return data.access_token;
+	}
+	return async (request, next) => {
+		const response = await next(request);
+		if (response.status === 401) {
+			if (!refreshing) refreshing = refresh().finally(() => {
+				refreshing = null;
+			});
+			const newToken = await refreshing;
+			if (newToken) {
+				const headers = new Headers(request.headers);
+				headers.set("Authorization", `Bearer ${newToken}`);
+				return next(new Request(request, { headers }));
+			}
+		}
+		return response;
+	};
+}
+
+//#endregion
+export { tokenInterceptor as a, markdownToPortableText as c, refreshInterceptor as i, portableTextToMarkdown as l, csrfInterceptor as n, convertDataForRead as o, devBypassInterceptor as r, convertDataForWrite as s, createTransport as t };

package/dist/transport-gIL-e43D.d.mts

@@ -0,0 +1,41 @@
+//#region src/client/transport.d.ts
+/**
+ * Transport layer for the Dineway client.
+ *
+ * Implements a composable interceptor pipeline that modifies requests
+ * and responses. The client calls `transport.fetch(request)` — everything
+ * else (auth, CSRF, retry) is handled by interceptors.
+ */
+/**
+ * An interceptor can modify the request, call next(), inspect
+ * the response, and optionally retry.
+ */
+type Interceptor = (request: Request, next: (request: Request) => Promise<Response>) => Promise<Response>;
+interface TransportOptions {
+  interceptors?: Interceptor[];
+}
+/**
+ * Creates a fetch function that runs requests through an interceptor pipeline.
+ */
+declare function createTransport(options?: TransportOptions): {
+  fetch: (request: Request) => Promise<Response>;
+};
+/**
+ * Adds X-Dineway-Request: 1 and Origin headers to mutation requests
+ * (POST, PUT, DELETE). The custom header satisfies Dineway's CSRF check;
+ * the Origin header satisfies Astro's built-in origin verification which
+ * rejects server-side POST requests that lack a matching Origin.
+ */
+declare function csrfInterceptor(): Interceptor;
+/**
+ * Adds Authorization: Bearer header from a static token.
+ */
+declare function tokenInterceptor(token: string): Interceptor;
+/**
+ * Dev bypass interceptor. Calls the dev-bypass endpoint on first request
+ * to establish a session, then forwards the session cookie on subsequent
+ * requests.
+ */
+declare function devBypassInterceptor(baseUrl: string): Interceptor;
+//#endregion
+export { tokenInterceptor as a, devBypassInterceptor as i, createTransport as n, csrfInterceptor as r, Interceptor as t };

package/dist/types-BawVha09.mjs

@@ -0,0 +1,30 @@
+import { r as encodeBase64, t as decodeBase64 } from "./base64-F8-DUraK.mjs";
+
+//#region src/database/repositories/types.ts
+/** Encode a cursor from order value + id */
+function encodeCursor(orderValue, id) {
+	return encodeBase64(JSON.stringify({
+		orderValue,
+		id
+	}));
+}
+/** Decode a cursor to order value + id. Returns null if invalid. */
+function decodeCursor(cursor) {
+	try {
+		const parsed = JSON.parse(decodeBase64(cursor));
+		if (typeof parsed.orderValue === "string" && typeof parsed.id === "string") return parsed;
+		return null;
+	} catch {
+		return null;
+	}
+}
+var DinewayValidationError = class extends Error {
+	constructor(message, details) {
+		super(message);
+		this.details = details;
+		this.name = "DinewayValidationError";
+	}
+};
+
+//#endregion
+export { decodeCursor as n, encodeCursor as r, DinewayValidationError as t };