dineway 0.1.8 → 0.1.11

package/src/astro/routes/api/mcp.ts

@@ -1,125 +0,0 @@
-/**
- * MCP Streamable HTTP endpoint
- *
- * Exposes an MCP server at /_dineway/api/mcp using the Streamable HTTP
- * transport (Web Standard variant). The server runs stateless — each
- * request creates a fresh transport, so no session tracking is needed.
- * Authentication is handled by the existing Dineway auth middleware.
- *
- * POST /_dineway/api/mcp — JSON-RPC tool calls
- * GET  /_dineway/api/mcp — SSE stream (not used in stateless mode)
- * DELETE /_dineway/api/mcp — Session close (not used in stateless mode)
- */
-
-import { WebStandardStreamableHTTPServerTransport } from "@modelcontextprotocol/sdk/server/webStandardStreamableHttp.js";
-import type { APIRoute } from "astro";
-
-import { apiError } from "#api/error.js";
-import { createMcpServer } from "#mcp/server.js";
-
-export const prerender = false;
-
-export const POST: APIRoute = async ({ request, locals }) => {
-	const { dineway, user } = locals;
-
-	if (!dineway) {
-		return apiError("NOT_CONFIGURED", "Dineway is not initialized", 500);
-	}
-
-	if (!user) {
-		return apiError("UNAUTHORIZED", "Authentication required", 401);
-	}
-
-	const server = createMcpServer();
-
-	try {
-		const transport = new WebStandardStreamableHTTPServerTransport({
-			// Stateless: no session management
-			sessionIdGenerator: undefined,
-		});
-
-		await server.connect(transport);
-
-		return await transport.handleRequest(request, {
-			authInfo: {
-				token: "",
-				clientId: "dineway-admin",
-				scopes: [],
-				extra: {
-					dineway,
-					userId: user.id,
-					userRole: user.role,
-					tokenScopes: locals.tokenScopes,
-					authToken: locals.authToken,
-				},
-			},
-		});
-	} catch (error) {
-		console.error("[MCP]", error);
-		await server.close().catch(() => {});
-
-		return new Response(
-			JSON.stringify({
-				jsonrpc: "2.0",
-				error: {
-					code: -32603,
-					message: "Internal server error",
-				},
-				id: null,
-			}),
-			{
-				status: 500,
-				headers: {
-					"Content-Type": "application/json",
-					"Cache-Control": "private, no-store",
-				},
-			},
-		);
-	}
-};
-
-/**
- * GET — SSE stream. Not used in stateless mode.
- */
-export const GET: APIRoute = async () => {
-	return new Response(
-		JSON.stringify({
-			jsonrpc: "2.0",
-			error: {
-				code: -32000,
-				message: "Method not allowed. This is a stateless MCP endpoint — use POST.",
-			},
-			id: null,
-		}),
-		{
-			status: 405,
-			headers: {
-				"Content-Type": "application/json",
-				"Cache-Control": "private, no-store",
-			},
-		},
-	);
-};
-
-/**
- * DELETE — Session close. Not used in stateless mode.
- */
-export const DELETE: APIRoute = async () => {
-	return new Response(
-		JSON.stringify({
-			jsonrpc: "2.0",
-			error: {
-				code: -32000,
-				message: "Method not allowed. This is a stateless MCP endpoint.",
-			},
-			id: null,
-		}),
-		{
-			status: 405,
-			headers: {
-				"Content-Type": "application/json",
-				"Cache-Control": "private, no-store",
-			},
-		},
-	);
-};

package/src/astro/routes/api/media/[id]/confirm.ts

@@ -1,93 +0,0 @@
-/**
- * Confirm media upload endpoint
- *
- * POST /_dineway/api/media/{id}/confirm
- *
- * Confirms that the client has successfully uploaded the file to storage.
- * Marks the media record as ready and optionally updates metadata.
- */
-
-import type { APIRoute } from "astro";
-import { MediaRepository } from "dineway";
-
-import { requirePerm } from "#api/authorize.js";
-import { apiError, apiSuccess, handleError } from "#api/error.js";
-import { isParseError, parseOptionalBody } from "#api/parse.js";
-import { mediaConfirmBody } from "#api/schemas.js";
-import type { MediaItem } from "#types";
-
-export const prerender = false;
-
-/**
- * Add URL to media item (relative URL for portability)
- */
-function addUrlToMedia(item: MediaItem): MediaItem & { url: string } {
-	return {
-		...item,
-		url: `/_dineway/api/media/file/${item.storageKey}`,
-	};
-}
-
-/**
- * Confirm upload completion
- */
-export const POST: APIRoute = async ({ params, request, locals }) => {
-	const { dineway, user } = locals;
-	const { id } = params;
-
-	const denied = requirePerm(user, "media:upload");
-	if (denied) return denied;
-
-	if (!id) {
-		return apiError("INVALID_REQUEST", "Media ID is required", 400);
-	}
-
-	if (!dineway?.db) {
-		return apiError("NOT_CONFIGURED", "Dineway is not initialized", 500);
-	}
-
-	try {
-		const body = await parseOptionalBody(request, mediaConfirmBody, {});
-		if (isParseError(body)) return body;
-
-		const repo = new MediaRepository(dineway.db);
-
-		// Get the media item first to check status
-		const existing = await repo.findById(id);
-		if (!existing) {
-			return apiError("NOT_FOUND", `Media item not found: ${id}`, 404);
-		}
-
-		if (existing.status !== "pending") {
-			return apiError("INVALID_STATE", `Media item is not pending: ${existing.status}`, 400);
-		}
-
-		// Optionally verify the file exists in storage
-		if (dineway.storage) {
-			const exists = await dineway.storage.exists(existing.storageKey);
-			if (!exists) {
-				// Mark as failed
-				await repo.markFailed(id);
-				return apiError("FILE_NOT_FOUND", "File was not uploaded to storage", 400);
-			}
-		}
-
-		// Confirm the upload
-		const item = await repo.confirmUpload(id, {
-			size: body.size,
-			width: body.width,
-			height: body.height,
-		});
-
-		if (!item) {
-			return apiError("CONFIRM_FAILED", "Failed to confirm upload", 500);
-		}
-
-		// Add URL to the response (relative URL for portability)
-		const itemWithUrl = addUrlToMedia(item);
-
-		return apiSuccess({ item: itemWithUrl });
-	} catch (error) {
-		return handleError(error, "Failed to confirm upload", "CONFIRM_ERROR");
-	}
-};

package/src/astro/routes/api/media/[id].ts

@@ -1,145 +0,0 @@
-/**
- * Single media item endpoint
- *
- * GET /_dineway/api/media/:id - Get media item
- * PUT /_dineway/api/media/:id - Update media metadata
- * DELETE /_dineway/api/media/:id - Delete media item
- */
-
-import type { APIRoute } from "astro";
-
-import { requireOwnerPerm, requirePerm } from "#api/authorize.js";
-import { apiError, handleError, unwrapResult } from "#api/error.js";
-import { isParseError, parseBody } from "#api/parse.js";
-import { mediaUpdateBody } from "#api/schemas.js";
-
-export const prerender = false;
-
-/**
- * Get media item
- */
-export const GET: APIRoute = async ({ params, locals }) => {
-	const { dineway, user } = locals;
-	const { id } = params;
-
-	const readDenied = requirePerm(user, "media:read");
-	if (readDenied) return readDenied;
-
-	if (!id) {
-		return apiError("INVALID_REQUEST", "Media ID required", 400);
-	}
-
-	if (!dineway?.handleMediaGet) {
-		return apiError("NOT_CONFIGURED", "Dineway is not initialized", 500);
-	}
-
-	const result = await dineway.handleMediaGet(id);
-	return unwrapResult(result);
-};
-
-/**
- * Update media metadata
- *
- * Authors can edit their own media; editors+ can edit any.
- */
-export const PUT: APIRoute = async ({ params, request, locals }) => {
-	const { dineway, user } = locals;
-	const { id } = params;
-
-	// Minimum permission gate — ownership checked below
-	const editDenied = requirePerm(user, "media:edit_own");
-	if (editDenied) return editDenied;
-
-	if (!id) {
-		return apiError("INVALID_REQUEST", "Media ID required", 400);
-	}
-
-	if (!dineway?.handleMediaGet || !dineway?.handleMediaUpdate) {
-		return apiError("NOT_CONFIGURED", "Dineway is not initialized", 500);
-	}
-
-	try {
-		// Fetch media item for ownership check
-		const getResult = await dineway.handleMediaGet(id);
-		if (!getResult.success || !getResult.data?.item) {
-			return apiError("NOT_FOUND", "Media item not found", 404);
-		}
-
-		const media = getResult.data.item;
-
-		// Ownership check: authors can edit own, editors+ can edit any
-		const ownerDenied = requireOwnerPerm(user, media.authorId, "media:edit_own", "media:edit_any");
-		if (ownerDenied) return ownerDenied;
-
-		const body = await parseBody(request, mediaUpdateBody);
-		if (isParseError(body)) return body;
-
-		const result = await dineway.handleMediaUpdate(id, {
-			alt: body.alt,
-			caption: body.caption,
-			width: body.width,
-			height: body.height,
-		});
-
-		return unwrapResult(result);
-	} catch (error) {
-		return handleError(error, "Failed to update media", "MEDIA_UPDATE_ERROR");
-	}
-};
-
-/**
- * Delete media item
- *
- * Authors can delete their own media; editors+ can delete any.
- */
-export const DELETE: APIRoute = async ({ params, locals }) => {
-	const { dineway, user } = locals;
-	const { id } = params;
-
-	// Minimum permission gate — ownership checked below
-	const deleteDenied = requirePerm(user, "media:delete_own");
-	if (deleteDenied) return deleteDenied;
-
-	if (!id) {
-		return apiError("INVALID_REQUEST", "Media ID required", 400);
-	}
-
-	if (!dineway?.handleMediaGet || !dineway?.handleMediaDelete) {
-		return apiError("NOT_CONFIGURED", "Dineway is not initialized", 500);
-	}
-
-	try {
-		// Fetch media item for ownership check and storage key
-		const getResult = await dineway.handleMediaGet(id);
-		if (!getResult.success || !getResult.data?.item) {
-			return apiError("NOT_FOUND", "Media item not found", 404);
-		}
-
-		const media = getResult.data.item;
-
-		// Ownership check: authors can delete own, editors+ can delete any
-		const ownerDenied = requireOwnerPerm(
-			user,
-			media.authorId,
-			"media:delete_own",
-			"media:delete_any",
-		);
-		if (ownerDenied) return ownerDenied;
-
-		// Delete file from storage via the storage adapter
-		if (dineway.storage) {
-			try {
-				await dineway.storage.delete(media.storageKey);
-			} catch {
-				// Best-effort — continue with database deletion
-			}
-		}
-
-		// Delete from database
-		const result = await dineway.handleMediaDelete(id);
-
-		return unwrapResult(result);
-	} catch (error) {
-		return handleError(error, "Failed to delete media", "MEDIA_DELETE_ERROR");
-	}
-};

package/src/astro/routes/api/media/file/[...key].ts

@@ -1,79 +0,0 @@
-/**
- * Serve uploaded media files
- *
- * GET /_dineway/api/media/file/:key - Serve file from storage
- */
-
-import type { APIRoute } from "astro";
-
-import { apiError, handleError } from "#api/error.js";
-
-export const prerender = false;
-
-/**
- * Content types that are safe to display inline (simple raster/vector images, video, audio).
- * Everything else gets Content-Disposition: attachment to prevent script execution.
- */
-const SAFE_INLINE_TYPES = new Set([
-	"image/jpeg",
-	"image/png",
-	"image/gif",
-	"image/webp",
-	"image/avif",
-	"image/x-icon",
-	"video/mp4",
-	"video/webm",
-	"audio/mpeg",
-	"audio/wav",
-	"audio/ogg",
-]);
-
-export const GET: APIRoute = async ({ params, locals }) => {
-	const { key } = params;
-	const { dineway } = locals;
-
-	if (!key) {
-		return apiError("NOT_FOUND", "File not found", 404);
-	}
-
-	if (!dineway?.storage) {
-		return apiError("NOT_CONFIGURED", "Storage not configured", 500);
-	}
-
-	try {
-		const result = await dineway.storage.download(key);
-
-		const headers: Record<string, string> = {
-			"Content-Type": result.contentType,
-			"Cache-Control": "public, max-age=31536000, immutable",
-			"X-Content-Type-Options": "nosniff",
-			// Sandbox CSP on all user-uploaded content — prevents script execution
-			// even for SVGs navigated to directly or content types that support scripting.
-			"Content-Security-Policy":
-				"sandbox; default-src 'none'; img-src 'self'; style-src 'unsafe-inline'",
-		};
-
-		if (result.size) {
-			headers["Content-Length"] = String(result.size);
-		}
-
-		// Safe image/media types can render inline; everything else (SVG, PDF,
-		// HTML, JS, etc.) must be downloaded to prevent stored XSS.
-		if (SAFE_INLINE_TYPES.has(result.contentType)) {
-			headers["Content-Disposition"] = "inline";
-		} else {
-			headers["Content-Disposition"] = "attachment";
-		}
-
-		return new Response(result.body, { status: 200, headers });
-	} catch (error) {
-		// Check if it's a "not found" error
-		if (
-			error instanceof Error &&
-			(error.message.includes("not found") || error.message.includes("NOT_FOUND"))
-		) {
-			return apiError("NOT_FOUND", "File not found", 404);
-		}
-		return handleError(error, "Failed to serve file", "FILE_SERVE_ERROR");
-	}
-};

package/src/astro/routes/api/media/providers/[providerId]/[itemId].ts

@@ -1,91 +0,0 @@
-/**
- * Media Provider Item Endpoint
- *
- * GET /_dineway/api/media/providers/:providerId/:itemId - Get single item
- * DELETE /_dineway/api/media/providers/:providerId/:itemId - Delete item
- */
-
-import type { APIRoute } from "astro";
-
-import { requirePerm } from "#api/authorize.js";
-import { apiError, apiSuccess, handleError } from "#api/error.js";
-
-export const prerender = false;
-
-/**
- * Get a single media item from a provider
- */
-export const GET: APIRoute = async ({ params, locals }) => {
-	const { dineway, user } = locals;
-	const denied = requirePerm(user, "media:read");
-	if (denied) return denied;
-	const { providerId, itemId } = params;
-
-	if (!providerId || !itemId) {
-		return apiError("INVALID_REQUEST", "Provider ID and Item ID required", 400);
-	}
-
-	if (!dineway?.getMediaProvider) {
-		return apiError("NOT_CONFIGURED", "Dineway is not initialized", 500);
-	}
-
-	const provider = dineway.getMediaProvider(providerId);
-	if (!provider) {
-		return apiError("NOT_FOUND", `Provider "${providerId}" not found`, 404);
-	}
-
-	if (!provider.get) {
-		return apiError(
-			"NOT_SUPPORTED",
-			`Provider "${providerId}" does not support getting individual items`,
-			400,
-		);
-	}
-
-	try {
-		const item = await provider.get(itemId);
-
-		if (!item) {
-			return apiError("NOT_FOUND", "Item not found", 404);
-		}
-
-		return apiSuccess({ item });
-	} catch (error) {
-		return handleError(error, "Failed to get item from provider", "PROVIDER_GET_ERROR");
-	}
-};
-
-/**
- * Delete a media item from a provider
- */
-export const DELETE: APIRoute = async ({ params, locals }) => {
-	const { dineway, user } = locals;
-	const denied = requirePerm(user, "media:delete_any");
-	if (denied) return denied;
-	const { providerId, itemId } = params;
-
-	if (!providerId || !itemId) {
-		return apiError("INVALID_REQUEST", "Provider ID and Item ID required", 400);
-	}
-
-	if (!dineway?.getMediaProvider) {
-		return apiError("NOT_CONFIGURED", "Dineway is not initialized", 500);
-	}
-
-	const provider = dineway.getMediaProvider(providerId);
-	if (!provider) {
-		return apiError("NOT_FOUND", `Provider "${providerId}" not found`, 404);
-	}
-
-	if (!provider.delete) {
-		return apiError("NOT_SUPPORTED", `Provider "${providerId}" does not support deletion`, 400);
-	}
-
-	try {
-		await provider.delete(itemId);
-
-		return apiSuccess({ deleted: true });
-	} catch (error) {
-		return handleError(error, "Failed to delete item from provider", "PROVIDER_DELETE_ERROR");
-	}
-};

package/src/astro/routes/api/media/providers/[providerId]/index.ts

@@ -1,111 +0,0 @@
-/**
- * Media Provider List/Upload Endpoint
- *
- * GET /_dineway/api/media/providers/:providerId - List media from provider
- * POST /_dineway/api/media/providers/:providerId - Upload to provider
- */
-
-import type { APIRoute } from "astro";
-
-import { requirePerm } from "#api/authorize.js";
-import { apiError, apiSuccess, handleError } from "#api/error.js";
-
-export const prerender = false;
-
-/**
- * List media from a specific provider
- */
-export const GET: APIRoute = async ({ params, request, locals }) => {
-	const { dineway, user } = locals;
-	const { providerId } = params;
-
-	const readDenied = requirePerm(user, "media:read");
-	if (readDenied) return readDenied;
-
-	if (!providerId) {
-		return apiError("INVALID_REQUEST", "Provider ID required", 400);
-	}
-
-	if (!dineway?.getMediaProvider) {
-		return apiError("NOT_CONFIGURED", "Dineway is not initialized", 500);
-	}
-
-	const provider = dineway.getMediaProvider(providerId);
-	if (!provider) {
-		return apiError("NOT_FOUND", `Provider "${providerId}" not found`, 404);
-	}
-
-	const url = new URL(request.url);
-	const cursor = url.searchParams.get("cursor") || undefined;
-	const limit = url.searchParams.get("limit")
-		? parseInt(url.searchParams.get("limit")!, 10)
-		: undefined;
-	const query = url.searchParams.get("query") || undefined;
-	const mimeType = url.searchParams.get("mimeType") || undefined;
-
-	try {
-		const result = await provider.list({
-			cursor,
-			limit,
-			query,
-			mimeType,
-		});
-
-		return apiSuccess({
-			items: result.items,
-			nextCursor: result.nextCursor,
-		});
-	} catch (error) {
-		return handleError(error, "Failed to list media from provider", "PROVIDER_LIST_ERROR");
-	}
-};
-
-/**
- * Upload media to a specific provider
- */
-export const POST: APIRoute = async ({ params, request, locals }) => {
-	const { dineway, user } = locals;
-	const { providerId } = params;
-
-	const uploadDenied = requirePerm(user, "media:upload");
-	if (uploadDenied) return uploadDenied;
-
-	if (!providerId) {
-		return apiError("INVALID_REQUEST", "Provider ID required", 400);
-	}
-
-	if (!dineway?.getMediaProvider) {
-		return apiError("NOT_CONFIGURED", "Dineway is not initialized", 500);
-	}
-
-	const provider = dineway.getMediaProvider(providerId);
-	if (!provider) {
-		return apiError("NOT_FOUND", `Provider "${providerId}" not found`, 404);
-	}
-
-	if (!provider.upload) {
-		return apiError("NOT_SUPPORTED", `Provider "${providerId}" does not support uploads`, 400);
-	}
-
-	try {
-		const formData = await request.formData();
-		const fileEntry = formData.get("file");
-		const file = fileEntry instanceof File ? fileEntry : null;
-		const altEntry = formData.get("alt");
-		const alt = typeof altEntry === "string" ? altEntry : null;
-
-		if (!file) {
-			return apiError("NO_FILE", "No file provided", 400);
-		}
-
-		const item = await provider.upload({
-			file,
-			filename: file.name,
-			alt: alt || undefined,
-		});
-
-		return apiSuccess({ item }, 201);
-	} catch (error) {
-		return handleError(error, "Failed to upload to provider", "PROVIDER_UPLOAD_ERROR");
-	}
-};

package/src/astro/routes/api/media/providers/index.ts

@@ -1,30 +0,0 @@
-/**
- * Media Providers List Endpoint
- *
- * GET /_dineway/api/media/providers - List all configured media providers
- */
-
-import type { APIRoute } from "astro";
-
-import { requirePerm } from "#api/authorize.js";
-import { apiError, apiSuccess } from "#api/error.js";
-
-export const prerender = false;
-
-/**
- * List all configured media providers
- */
-export const GET: APIRoute = async ({ locals }) => {
-	const { dineway, user } = locals;
-
-	const denied = requirePerm(user, "media:read");
-	if (denied) return denied;
-
-	if (!dineway?.getMediaProviderList) {
-		return apiError("NOT_CONFIGURED", "Dineway is not initialized", 500);
-	}
-
-	const providers = dineway.getMediaProviderList();
-
-	return apiSuccess({ items: providers });
-};