npm - dineway - Versions diffs - 0.1.9 → 0.1.12 - Mend

dineway 0.1.9 → 0.1.12

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (720) hide show

package/src/astro/routes/api/plugins/[pluginId]/[...path].ts DELETED Viewed

@@ -1,109 +0,0 @@
-/**
- * Plugin API routes - dynamic handler for plugin-defined endpoints
- *
- * Routes are mounted at /_dineway/api/plugins/{pluginId}/*
- * Plugins register routes like "POST /do-something" which becomes
- * POST /_dineway/api/plugins/{pluginId}/do-something
- *
- * Routes marked as `public: true` skip authentication and CSRF checks.
- * Private routes (the default) require authentication and appropriate permissions.
- */
-import type { APIRoute } from "astro";
-import { requirePerm } from "#api/authorize.js";
-import { apiError, apiSuccess } from "#api/error.js";
-import { requireScope } from "#auth/scopes.js";
-export const prerender = false;
-/**
- * Handle all methods by matching against plugin-defined routes
- */
-const handleRequest: APIRoute = async ({ params, request, locals }) => {
-	const { dineway, user } = locals;
-	const pluginId = params.pluginId!;
-	const path = params.path || "";
-	const method = request.method.toUpperCase();
-	if (!dineway?.handlePluginApiRoute) {
-		return apiError("NOT_CONFIGURED", "Dineway is not configured", 500);
-	}
-	// Resolve route metadata to decide auth before dispatch
-	const routeMeta = dineway.getPluginRouteMeta(pluginId, `/${path}`);
-	if (!routeMeta) {
-		return apiError("NOT_FOUND", "Plugin route not found", 404);
-	}
-	// Public routes skip auth, CSRF, and scope checks entirely
-	if (!routeMeta.public) {
-		const isStateChangingMethod = !["GET", "HEAD", "OPTIONS"].includes(method);
-		// Private routes require authentication and permission checks
-		const permission = isStateChangingMethod ? "plugins:manage" : "plugins:read";
-		const denied = requirePerm(user, permission);
-		if (denied) return denied;
-		// Token scope enforcement — plugin routes require "admin" scope.
-		// Session auth is implicitly full-access (requireScope returns null).
-		const scopeError = requireScope(locals, "admin");
-		if (scopeError) return scopeError;
-		// Generic private plugin routes can carry arbitrary plugin-defined payloads,
-		// including secret-bearing config. Until route metadata can describe a
-		// redacted review payload plus immutable reviewed target, API-token writes
-		// stay blocked instead of being routed through generic HITL.
-		if (isStateChangingMethod && locals.authToken?.type === "api_token") {
-			return apiError(
-				"HITL_UNSUPPORTED",
-				"Private plugin routes do not yet support API-token writes without a reviewed redaction contract",
-				409,
-				{
-					reason: "review_contract_missing",
-					pluginId,
-					path: `/${path}`,
-				},
-			);
-		}
-		// CSRF protection for state-changing requests on private routes.
-		// Plugin routes use soft auth in the middleware (user resolved but not required),
-		// so the middleware's CSRF check doesn't run. We enforce it here for private routes.
-		// Token-authed requests (which set tokenScopes) are exempt — tokens aren't
-		// ambient credentials like cookies.
-		if (
-			isStateChangingMethod &&
-			!locals.tokenScopes &&
-			request.headers.get("X-Dineway-Request") !== "1"
-		) {
-			return apiError("CSRF_REJECTED", "Missing required header", 403);
-		}
-	}
-	const result = await dineway.handlePluginApiRoute(pluginId, method, `/${path}`, request);
-	if (!result.success) {
-		const code = result.error?.code ?? "PLUGIN_ERROR";
-		// Pass through messages from known plugin errors (PluginRouteError),
-		// but mask internal errors (unhandled exceptions) to avoid leaking
-		// database errors, file paths, etc. from sandboxed plugins.
-		const message =
-			code === "INTERNAL_ERROR"
-				? "Plugin route error"
-				: (result.error?.message ?? "Plugin route error");
-		// PluginRouteError status is returned at the top level of the result
-		const status = (result as { status?: number }).status ?? (code === "NOT_FOUND" ? 404 : 400);
-		return apiError(code, message, status);
-	}
-	return apiSuccess(result.data);
-};
-// Export handlers for all HTTP methods
-export const GET = handleRequest;
-export const POST = handleRequest;
-export const PUT = handleRequest;
-export const PATCH = handleRequest;
-export const DELETE = handleRequest;

package/src/astro/routes/api/redirects/404s/index.ts DELETED Viewed

@@ -1,72 +0,0 @@
-/**
- * 404 log list and management endpoints
- *
- * GET    /_dineway/api/redirects/404s - List 404 log entries
- * DELETE /_dineway/api/redirects/404s - Clear all 404 log entries
- * POST   /_dineway/api/redirects/404s - Prune 404 log entries older than date
- */
-import type { APIRoute } from "astro";
-import { requirePerm } from "#api/authorize.js";
-import { handleError, unwrapResult } from "#api/error.js";
-import {
-	handleNotFoundClear,
-	handleNotFoundList,
-	handleNotFoundPrune,
-} from "#api/handlers/redirects.js";
-import { isParseError, parseBody, parseQuery } from "#api/parse.js";
-import { notFoundListQuery, notFoundPruneBody } from "#api/schemas.js";
-export const prerender = false;
-export const GET: APIRoute = async ({ url, locals }) => {
-	const { dineway, user } = locals;
-	const db = dineway.db;
-	const denied = requirePerm(user, "redirects:read");
-	if (denied) return denied;
-	try {
-		const query = parseQuery(url, notFoundListQuery);
-		if (isParseError(query)) return query;
-		const result = await handleNotFoundList(db, query);
-		return unwrapResult(result);
-	} catch (error) {
-		return handleError(error, "Failed to fetch 404 log", "NOT_FOUND_LIST_ERROR");
-	}
-};
-export const DELETE: APIRoute = async ({ locals }) => {
-	const { dineway, user } = locals;
-	const db = dineway.db;
-	const denied = requirePerm(user, "redirects:manage");
-	if (denied) return denied;
-	try {
-		const result = await handleNotFoundClear(db);
-		return unwrapResult(result);
-	} catch (error) {
-		return handleError(error, "Failed to clear 404 log", "NOT_FOUND_CLEAR_ERROR");
-	}
-};
-export const POST: APIRoute = async ({ request, locals }) => {
-	const { dineway, user } = locals;
-	const db = dineway.db;
-	const denied = requirePerm(user, "redirects:manage");
-	if (denied) return denied;
-	try {
-		const body = await parseBody(request, notFoundPruneBody);
-		if (isParseError(body)) return body;
-		const result = await handleNotFoundPrune(db, body.olderThan);
-		return unwrapResult(result);
-	} catch (error) {
-		return handleError(error, "Failed to prune 404 log", "NOT_FOUND_PRUNE_ERROR");
-	}
-};

package/src/astro/routes/api/redirects/404s/summary.ts DELETED Viewed

@@ -1,33 +0,0 @@
-/**
- * 404 summary endpoint
- *
- * GET /_dineway/api/redirects/404s/summary - Get 404 summary grouped by path
- */
-import type { APIRoute } from "astro";
-import { requirePerm } from "#api/authorize.js";
-import { handleError, unwrapResult } from "#api/error.js";
-import { handleNotFoundSummary } from "#api/handlers/redirects.js";
-import { isParseError, parseQuery } from "#api/parse.js";
-import { notFoundSummaryQuery } from "#api/schemas.js";
-export const prerender = false;
-export const GET: APIRoute = async ({ url, locals }) => {
-	const { dineway, user } = locals;
-	const db = dineway.db;
-	const denied = requirePerm(user, "redirects:read");
-	if (denied) return denied;
-	try {
-		const query = parseQuery(url, notFoundSummaryQuery);
-		if (isParseError(query)) return query;
-		const result = await handleNotFoundSummary(db, query.limit);
-		return unwrapResult(result);
-	} catch (error) {
-		return handleError(error, "Failed to fetch 404 summary", "NOT_FOUND_SUMMARY_ERROR");
-	}
-};

package/src/astro/routes/api/redirects/[id].ts DELETED Viewed

@@ -1,183 +0,0 @@
-/**
- * Redirect by ID endpoints
- *
- * GET    /_dineway/api/redirects/:id - Get redirect
- * PUT    /_dineway/api/redirects/:id - Update redirect
- * DELETE /_dineway/api/redirects/:id - Delete redirect
- */
-import type { APIRoute } from "astro";
-import { z } from "zod";
-import { requirePerm } from "#api/authorize.js";
-import { apiError, handleError, unwrapResult } from "#api/error.js";
-import {
-	handleRedirectDelete,
-	handleRedirectGet,
-	handleRedirectUpdate,
-} from "#api/handlers/redirects.js";
-import {
-	ensureWorkflowHitlRouteRequest,
-	hitlRequiredRouteError,
-	resolveHitlRouteActor,
-} from "#api/hitl-route-helpers.js";
-import { isParseError, parseBody, parseQuery } from "#api/parse.js";
-import { updateRedirectBody } from "#api/schemas.js";
-import {
-	activityChangedKeys,
-	logRedirectActivity,
-	redirectApiRouteSource,
-	RedirectHitlPayloadBuilder,
-	RiskPolicyEvaluator,
-} from "#site-context/index.js";
-export const prerender = false;
-const updateRedirectHitlBody = updateRedirectBody.extend({
-	hitlRequestId: z.string().min(1).optional(),
-});
-const deleteRedirectQuery = z.object({
-	hitlRequestId: z.string().min(1).optional(),
-});
-export const GET: APIRoute = async ({ params, locals }) => {
-	const { dineway, user } = locals;
-	const db = dineway.db;
-	const { id } = params;
-	const denied = requirePerm(user, "redirects:read");
-	if (denied) return denied;
-	if (!id) {
-		return apiError("VALIDATION_ERROR", "id is required", 400);
-	}
-	try {
-		const result = await handleRedirectGet(db, id);
-		return unwrapResult(result);
-	} catch (error) {
-		return handleError(error, "Failed to fetch redirect", "REDIRECT_GET_ERROR");
-	}
-};
-export const PUT: APIRoute = async ({ params, request, locals }) => {
-	const { dineway, user } = locals;
-	const db = dineway.db;
-	const { id } = params;
-	const denied = requirePerm(user, "redirects:manage");
-	if (denied) return denied;
-	if (!id) {
-		return apiError("VALIDATION_ERROR", "id is required", 400);
-	}
-	try {
-		const body = await parseBody(request, updateRedirectHitlBody);
-		if (isParseError(body)) return body;
-		const current = await handleRedirectGet(db, id);
-		if (!current.success) return unwrapResult(current);
-		const { hitlRequestId, ...redirectInput } = body;
-		const actor = resolveHitlRouteActor(locals);
-		const action = await new RedirectHitlPayloadBuilder().buildUpdateRedirectRequest({
-			redirect: current.data,
-			...redirectInput,
-		});
-		const decision = await new RiskPolicyEvaluator({
-			db,
-			handlers: dineway,
-		}).evaluateWorkflowHitl({
-			actor: actor.identity,
-			hitlRequestId,
-			action,
-		});
-		if (!decision.allowed) {
-			const ensured = await ensureWorkflowHitlRouteRequest(db, locals, decision.action);
-			return hitlRequiredRouteError(decision, ensured);
-		}
-		const result = await handleRedirectUpdate(db, id, redirectInput);
-		if (!result.success) return unwrapResult(result);
-		await logRedirectActivity(db, locals, {
-			action: "updated",
-			redirectId: result.data.id,
-			source: result.data.source,
-			destination: result.data.destination,
-			...redirectApiRouteSource("updated"),
-			summary: `Updated redirect ${result.data.source} -> ${result.data.destination}`,
-			detail: {
-				changedKeys: activityChangedKeys(redirectInput),
-				type: result.data.type,
-				enabled: result.data.enabled,
-				groupName: result.data.groupName,
-				hitlRequestId: decision.required ? decision.hitlRequest.id : null,
-			},
-		});
-		return unwrapResult(result);
-	} catch (error) {
-		return handleError(error, "Failed to update redirect", "REDIRECT_UPDATE_ERROR");
-	}
-};
-export const DELETE: APIRoute = async ({ params, request, locals }) => {
-	const { dineway, user } = locals;
-	const db = dineway.db;
-	const { id } = params;
-	const denied = requirePerm(user, "redirects:manage");
-	if (denied) return denied;
-	if (!id) {
-		return apiError("VALIDATION_ERROR", "id is required", 400);
-	}
-	const query = parseQuery(new URL(request.url), deleteRedirectQuery);
-	if (isParseError(query)) return query;
-	try {
-		const current = await handleRedirectGet(db, id);
-		if (!current.success) return unwrapResult(current);
-		const actor = resolveHitlRouteActor(locals);
-		const action = await new RedirectHitlPayloadBuilder().buildDeleteRedirectRequest({
-			redirect: current.data,
-		});
-		const decision = await new RiskPolicyEvaluator({
-			db,
-			handlers: dineway,
-		}).evaluateWorkflowHitl({
-			actor: actor.identity,
-			hitlRequestId: query.hitlRequestId,
-			action,
-		});
-		if (!decision.allowed) {
-			const ensured = await ensureWorkflowHitlRouteRequest(db, locals, decision.action);
-			return hitlRequiredRouteError(decision, ensured);
-		}
-		const result = await handleRedirectDelete(db, id);
-		if (!result.success) return unwrapResult(result);
-		await logRedirectActivity(db, locals, {
-			action: "deleted",
-			redirectId: current.data.id,
-			source: current.data.source,
-			destination: current.data.destination,
-			...redirectApiRouteSource("deleted"),
-			summary: `Deleted redirect ${current.data.source} -> ${current.data.destination}`,
-			detail: {
-				type: current.data.type,
-				enabled: current.data.enabled,
-				groupName: current.data.groupName,
-				hitlRequestId: decision.required ? decision.hitlRequest.id : null,
-			},
-		});
-		return unwrapResult(result);
-	} catch (error) {
-		return handleError(error, "Failed to delete redirect", "REDIRECT_DELETE_ERROR");
-	}
-};

package/src/astro/routes/api/redirects/index.ts DELETED Viewed

@@ -1,100 +0,0 @@
-/**
- * Redirects list and create endpoints
- *
- * GET  /_dineway/api/redirects - List redirects (with filters)
- * POST /_dineway/api/redirects - Create redirect
- */
-import type { APIRoute } from "astro";
-import { z } from "zod";
-import { requirePerm } from "#api/authorize.js";
-import { handleError, unwrapResult } from "#api/error.js";
-import { handleRedirectCreate, handleRedirectList } from "#api/handlers/redirects.js";
-import {
-	ensureWorkflowHitlRouteRequest,
-	hitlRequiredRouteError,
-	resolveHitlRouteActor,
-} from "#api/hitl-route-helpers.js";
-import { isParseError, parseBody, parseQuery } from "#api/parse.js";
-import { createRedirectBody, redirectsListQuery } from "#api/schemas.js";
-import {
-	logRedirectActivity,
-	redirectApiRouteSource,
-	RedirectHitlPayloadBuilder,
-	RiskPolicyEvaluator,
-} from "#site-context/index.js";
-export const prerender = false;
-const createRedirectHitlBody = createRedirectBody.extend({
-	hitlRequestId: z.string().min(1).optional(),
-});
-export const GET: APIRoute = async ({ url, locals }) => {
-	const { dineway, user } = locals;
-	const db = dineway.db;
-	const denied = requirePerm(user, "redirects:read");
-	if (denied) return denied;
-	try {
-		const query = parseQuery(url, redirectsListQuery);
-		if (isParseError(query)) return query;
-		const result = await handleRedirectList(db, query);
-		return unwrapResult(result);
-	} catch (error) {
-		return handleError(error, "Failed to fetch redirects", "REDIRECT_LIST_ERROR");
-	}
-};
-export const POST: APIRoute = async ({ request, locals }) => {
-	const { dineway, user } = locals;
-	const db = dineway.db;
-	const denied = requirePerm(user, "redirects:manage");
-	if (denied) return denied;
-	try {
-		const body = await parseBody(request, createRedirectHitlBody);
-		if (isParseError(body)) return body;
-		const { hitlRequestId, ...redirectInput } = body;
-		const actor = resolveHitlRouteActor(locals);
-		const action = await new RedirectHitlPayloadBuilder().buildCreateRedirectRequest(redirectInput);
-		const decision = await new RiskPolicyEvaluator({
-			db,
-			handlers: dineway,
-		}).evaluateWorkflowHitl({
-			actor: actor.identity,
-			hitlRequestId,
-			action,
-		});
-		if (!decision.allowed) {
-			const ensured = await ensureWorkflowHitlRouteRequest(db, locals, decision.action);
-			return hitlRequiredRouteError(decision, ensured);
-		}
-		const result = await handleRedirectCreate(db, redirectInput);
-		if (!result.success) return unwrapResult(result, 201);
-		await logRedirectActivity(db, locals, {
-			action: "created",
-			redirectId: result.data.id,
-			source: result.data.source,
-			destination: result.data.destination,
-			...redirectApiRouteSource("created"),
-			summary: `Created redirect ${result.data.source} -> ${result.data.destination}`,
-			detail: {
-				type: result.data.type,
-				enabled: result.data.enabled,
-				groupName: result.data.groupName,
-				hitlRequestId: decision.required ? decision.hitlRequest.id : null,
-			},
-		});
-		return unwrapResult(result, 201);
-	} catch (error) {
-		return handleError(error, "Failed to create redirect", "REDIRECT_CREATE_ERROR");
-	}
-};

package/src/astro/routes/api/revisions/[revisionId]/index.ts DELETED Viewed

@@ -1,29 +0,0 @@
-/**
- * Single revision endpoint - injected by Dineway integration
- *
- * GET  /_dineway/api/revisions/{revisionId} - Get revision details
- * POST /_dineway/api/revisions/{revisionId}/restore - Restore revision
- */
-import type { APIRoute } from "astro";
-import { requirePerm } from "#api/authorize.js";
-import { apiError, unwrapResult } from "#api/error.js";
-export const prerender = false;
-export const GET: APIRoute = async ({ params, locals }) => {
-	const { dineway, user } = locals;
-	const revisionId = params.revisionId!;
-	const denied = requirePerm(user, "content:read");
-	if (denied) return denied;
-	if (!dineway?.handleRevisionGet) {
-		return apiError("NOT_CONFIGURED", "Dineway is not configured", 500);
-	}
-	const result = await dineway.handleRevisionGet(revisionId);
-	return unwrapResult(result);
-};

package/src/astro/routes/api/revisions/[revisionId]/restore.ts DELETED Viewed

@@ -1,62 +0,0 @@
-/**
- * Restore revision endpoint - injected by Dineway integration
- *
- * POST /_dineway/api/revisions/{revisionId}/restore - Restore revision
- */
-import type { APIRoute } from "astro";
-import { requireOwnerPerm } from "#api/authorize.js";
-import { apiError, mapErrorStatus, unwrapResult } from "#api/error.js";
-export const prerender = false;
-export const POST: APIRoute = async ({ params, locals }) => {
-	const { dineway, user } = locals;
-	const revisionId = params.revisionId!;
-	if (
-		!dineway?.handleRevisionRestore ||
-		!dineway?.handleRevisionGet ||
-		!dineway?.handleContentGet
-	) {
-		return apiError("NOT_CONFIGURED", "Dineway is not configured", 500);
-	}
-	// Fetch the revision to discover which content entry it belongs to
-	const revision = await dineway.handleRevisionGet(revisionId);
-	if (!revision.success) {
-		return apiError(
-			revision.error?.code ?? "UNKNOWN_ERROR",
-			revision.error?.message ?? "Revision not found",
-			mapErrorStatus(revision.error?.code),
-		);
-	}
-	const collection = revision.data?.item?.collection;
-	const entryId = revision.data?.item?.entryId;
-	if (!collection || !entryId) {
-		return apiError("INVALID_REVISION", "Revision is missing collection or entry reference", 400);
-	}
-	// Fetch the content entry to check ownership
-	const existing = await dineway.handleContentGet(collection, entryId);
-	if (!existing.success) {
-		return apiError(
-			existing.error?.code ?? "UNKNOWN_ERROR",
-			existing.error?.message ?? "Content not found",
-			mapErrorStatus(existing.error?.code),
-		);
-	}
-	const authorId = existing.data?.item?.authorId ?? "";
-	// Check ownership: authors can only restore their own content, editors+ can restore any
-	const denied = requireOwnerPerm(user, authorId, "content:edit_own", "content:edit_any");
-	if (denied) return denied;
-	const result = await dineway.handleRevisionRestore(revisionId, user!.id);
-	return unwrapResult(result);
-};

package/src/astro/routes/api/schema/collections/[slug]/fields/[fieldSlug].ts DELETED Viewed

@@ -1,104 +0,0 @@
-/**
- * Schema field CRUD endpoints
- *
- * GET    /_dineway/api/schema/collections/{slug}/fields/{fieldSlug} - Get field
- * PUT    /_dineway/api/schema/collections/{slug}/fields/{fieldSlug} - Update field
- * DELETE /_dineway/api/schema/collections/{slug}/fields/{fieldSlug} - Delete field
- */
-import type { APIRoute } from "astro";
-import { requirePerm } from "#api/authorize.js";
-import { requireDb, unwrapResult } from "#api/error.js";
-import {
-	handleSchemaFieldGet,
-	handleSchemaFieldUpdate,
-	handleSchemaFieldDelete,
-} from "#api/index.js";
-import { parseBody, isParseError } from "#api/parse.js";
-import { updateFieldBody } from "#api/schemas.js";
-import type { UpdateFieldInput } from "#schema/types.js";
-import {
-	activityChangedKeys,
-	logSchemaActivity,
-	schemaApiRouteSource,
-} from "#site-context/activity-events.js";
-export const prerender = false;
-export const GET: APIRoute = async ({ params, locals }) => {
-	const { dineway, user } = locals;
-	const collectionSlug = params.slug!;
-	const fieldSlug = params.fieldSlug!;
-	const dbErr = requireDb(dineway?.db);
-	if (dbErr) return dbErr;
-	const denied = requirePerm(user, "schema:read");
-	if (denied) return denied;
-	const result = await handleSchemaFieldGet(dineway.db, collectionSlug, fieldSlug);
-	return unwrapResult(result);
-};
-export const PUT: APIRoute = async ({ params, request, locals }) => {
-	const { dineway, user } = locals;
-	const collectionSlug = params.slug!;
-	const fieldSlug = params.fieldSlug!;
-	const dbErr = requireDb(dineway?.db);
-	if (dbErr) return dbErr;
-	const denied = requirePerm(user, "schema:manage");
-	if (denied) return denied;
-	const body = await parseBody(request, updateFieldBody);
-	if (isParseError(body)) return body;
-	// eslint-disable-next-line typescript-eslint(no-unsafe-type-assertion) -- body is Zod-validated via parseBody(request, updateFieldBody) above
-	const result = await handleSchemaFieldUpdate(
-		dineway.db,
-		collectionSlug,
-		fieldSlug,
-		body as UpdateFieldInput,
-	);
-	if (result.success) dineway.invalidateManifest();
-	if (result.success) {
-		await logSchemaActivity(dineway.db, locals, {
-			action: "field_updated",
-			collection: collectionSlug,
-			field: fieldSlug,
-			...schemaApiRouteSource("field_updated"),
-			summary: `Updated field ${fieldSlug} in ${collectionSlug}`,
-			detail: {
-				changedFields: activityChangedKeys(body),
-			},
-		});
-	}
-	return unwrapResult(result);
-};
-export const DELETE: APIRoute = async ({ params, locals }) => {
-	const { dineway, user } = locals;
-	const collectionSlug = params.slug!;
-	const fieldSlug = params.fieldSlug!;
-	const dbErr = requireDb(dineway?.db);
-	if (dbErr) return dbErr;
-	const denied = requirePerm(user, "schema:manage");
-	if (denied) return denied;
-	const result = await handleSchemaFieldDelete(dineway.db, collectionSlug, fieldSlug);
-	if (result.success) dineway.invalidateManifest();
-	if (result.success) {
-		await logSchemaActivity(dineway.db, locals, {
-			action: "field_deleted",
-			collection: collectionSlug,
-			field: fieldSlug,
-			...schemaApiRouteSource("field_deleted"),
-			summary: `Deleted field ${fieldSlug} from ${collectionSlug}`,
-		});
-	}
-	return unwrapResult(result);
-};