domma-cms 0.18.0 → 0.21.0

package/server/server.js

@@ -12,6 +12,7 @@ import cors from '@fastify/cors';
 import multipart from '@fastify/multipart';
 import rateLimit from '@fastify/rate-limit';
 import helmet from '@fastify/helmet';
+import compress from '@fastify/compress';
 import path from 'path';
 import fs from 'fs/promises';
 import {fileURLToPath} from 'url';
@@ -105,6 +106,14 @@ await app.register(rateLimit, {
     allowList: ['127.0.0.1', '::1', '::ffff:127.0.0.1'],
 });
 
+// Negotiates brotli/gzip/deflate per Accept-Encoding. Skips already-compressed
+// content types (images, fonts, video) and responses under threshold.
+await app.register(compress, {
+    global: true,
+    threshold: 1024,
+    encodings: ['br', 'gzip', 'deflate']
+});
+
 // ---------------------------------------------------------------------------
 // Static Assets
 // ---------------------------------------------------------------------------
@@ -179,6 +188,24 @@ await seedDefaultBlocks();
 await seedDefaultComponents();
 await refreshComponentTagAllowlist();
 
+// ---------------------------------------------------------------------------
+// Menus — one-shot migration from legacy navigation.json + site footer links
+// ---------------------------------------------------------------------------
+
+try {
+    const {runMigration: runMenusMigration} = await import('./services/menus-migration.js');
+    await runMenusMigration();
+} catch (err) {
+    app.log.warn(`[menus] Migration skipped: ${err.message}`);
+}
+
+try {
+    const {runMigration: runSidebarMigration} = await import('./services/sidebar-migration.js');
+    await runSidebarMigration();
+} catch (err) {
+    app.log.warn(`[admin-sidebar] Migration skipped: ${err.message}`);
+}
+
 // Initialise response cache (Memory/None/Redis driver per config.cache).
 await cache.initCache(config.cache);
 console.log(`[cache] driver=${cache.isEnabled() ? config.cache.driver : 'disabled'}`);
@@ -247,6 +274,10 @@ const { pagesRoutes }      = await import('./routes/api/pages.js');
 const { settingsRoutes }   = await import('./routes/api/settings.js');
 const { layoutsRoutes }    = await import('./routes/api/layouts.js');
 const { navigationRoutes } = await import('./routes/api/navigation.js');
+const {menusRoutes}         = await import('./routes/api/menus.js');
+const {menuLocationsRoutes} = await import('./routes/api/menu-locations.js');
+const {projectsRoutes}      = await import('./routes/api/projects.js');
+const {sidebarRoutes}       = await import('./routes/api/sidebar.js');
 const { mediaRoutes }      = await import('./routes/api/media.js');
 const { usersRoutes }      = await import('./routes/api/users.js');
 const { pluginsRoutes }            = await import('./routes/api/plugins.js');
@@ -262,11 +293,16 @@ const {effectsRoutes} = await import('./routes/api/effects.js');
 const {notificationsRoutes} = await import('./routes/api/notifications.js');
 const {dashboardRoutes} = await import('./routes/api/dashboard.js');
 const {cacheRoutes} = await import('./routes/api/cache.js');
+const {scaffoldRoutes} = await import('./routes/api/scaffold.js');
 
 await app.register(pagesRoutes,       { prefix: '/api' });
 await app.register(settingsRoutes,    { prefix: '/api' });
 await app.register(layoutsRoutes,     { prefix: '/api' });
 await app.register(navigationRoutes,  { prefix: '/api' });
+await app.register(menusRoutes,         {prefix: '/api'});
+await app.register(menuLocationsRoutes, {prefix: '/api'});
+await app.register(projectsRoutes,      {prefix: '/api'});
+await app.register(sidebarRoutes,       {prefix: '/api'});
 await app.register(mediaRoutes,       { prefix: '/api' });
 await app.register(usersRoutes,       { prefix: '/api' });
 await app.register(pluginsRoutes,            { prefix: '/api' });
@@ -282,6 +318,7 @@ await app.register(effectsRoutes, {prefix: '/api'});
 await app.register(notificationsRoutes, {prefix: '/api'});
 await app.register(dashboardRoutes, {prefix: '/api'});
 await app.register(cacheRoutes, {prefix: '/api'});
+await app.register(scaffoldRoutes, {prefix: '/api'});
 
 // ---------------------------------------------------------------------------
 // CMS Plugins (server-side Fastify plugins from plugins/ directory)
@@ -338,3 +375,4 @@ try {
     app.log.error(err);
     process.exit(1);
 }
+// scaffold-restart 1779615684

package/server/services/actions.js

@@ -4,13 +4,23 @@
  * Action configs are stored in MongoDB `cms__actions` on the 'default' connection.
  * Executing an action runs a sequence of steps against a target collection entry.
  *
- * Phase 1 step types:
- *   updateField, deleteEntry, moveToCollection, webhook, email
+ * Supported step types:
+ *   updateField         — overwrite one field on the source entry
+ *   deleteEntry         — remove the source entry
+ *   moveToCollection    — copy source entry into target collection AND delete source
+ *   createInCollection  — create a new entry in another collection; source untouched
+ *                         (used for apply/follow/bookmark/upvote-style relations)
+ *   webhook             — POST/PUT/GET to an external URL with interpolated body
+ *   email               — send a transactional email via configured SMTP
  *
  * Template interpolation in step configs:
- *   {{entry.data.field}} → entry field value
+ *   {{entry.id}}         → source entry id
+ *   {{entry.data.field}} → source entry field value
  *   {{now}}              → current ISO timestamp
+ *   {{user.id}}          → executing user's id
  *   {{user.name}}        → executing user's name
+ *   {{user.email}}       → executing user's email
+ *   {{user.role}}        → executing user's role
  *   {{env.CMS_PUBLIC_*}} → environment variables with CMS_PUBLIC_ prefix only
  *
  * Note: execution is not transactional — partial results are returned on failure
@@ -140,6 +150,35 @@ async function executeStep(step, collection, entry, context) {
             return { moved: entry.id, to: target };
         }
 
+        /*
+         * createInCollection — append an entry to another collection without
+         * touching the source. Designed for relational patterns like:
+         *   - Apply for job  → create entry in `applications` { jobId, candidateId, status }
+         *   - Bookmark page  → create entry in `bookmarks`    { pageId, userId }
+         *   - Upvote item    → create entry in `votes`        { itemId, userId, value: 1 }
+         *
+         * Config:
+         *   targetCollection {string} required — slug of the collection to append to
+         *   data             {object} required — field map; values are template-interpolated
+         *   createdBy        {string} optional — '{{user.id}}' is the conventional value;
+         *                                       enables row-level "mine" filtering downstream
+         *
+         * Returns: { created: <new entry id>, in: <targetCollection> }
+         */
+        case 'createInCollection': {
+            const target = cfg.targetCollection;
+            if (!target) throw new Error('createInCollection: targetCollection is required');
+            if (!cfg.data || typeof cfg.data !== 'object') {
+                throw new Error('createInCollection: data object is required');
+            }
+            const data       = interpolateValue(cfg.data, context);
+            const createdBy  = cfg.createdBy
+                ? interpolate(String(cfg.createdBy), context)
+                : (context.user?.id || null);
+            const created    = await createEntry(target, data, { createdBy, source: 'action' });
+            return { created: created.id, in: target };
+        }
+
         case 'webhook': {
             const url     = interpolate(cfg.url || '', context);
             const method  = (cfg.method || 'POST').toUpperCase();
@@ -239,7 +278,7 @@ export async function getAction(slug) {
  */
 export async function createAction(data, userId = null) {
     const db = await getMetaDb();
-    const { title, description = '', collection, trigger, steps = [], access } = data;
+    const { title, description = '', collection, trigger, steps = [], access, transition, meta: inputMeta } = data;
 
     if (!title)      throw new Error('title is required');
     if (!collection) throw new Error('collection is required');
@@ -264,11 +303,25 @@ export async function createAction(data, userId = null) {
             confirmMessage: trigger?.confirmMessage || null
         },
         steps,
+        // State-machine transition — when set, the action is gated by the
+        // entry's current value of `field` matching one of the `from` values,
+        // and is advertised as an "available transition" for that state.
+        // Optional `to` is informational only (steps still do the actual write).
+        transition: transition ? {
+            field: transition.field,
+            from:  Array.isArray(transition.from) ? transition.from : [transition.from].filter(Boolean),
+            to:    transition.to
+        } : null,
         access: {
             roles: access?.roles || ['admin', 'super-admin'],
             rowLevel: access?.rowLevel || null
         },
-        meta: { createdAt: now, updatedAt: now, createdBy: userId }
+        meta: {
+            createdAt: now,
+            updatedAt: now,
+            createdBy: userId,
+            ...(inputMeta?.project != null && {project: inputMeta.project})
+        }
     };
 
     await db.collection(ACTIONS_COLLECTION).insertOne({ ...action });
@@ -288,12 +341,18 @@ export async function updateAction(slug, data) {
     const existing = await db.collection(ACTIONS_COLLECTION).findOne({ slug });
     if (!existing) throw new Error(`Action "${slug}" not found`);
 
-    const { _id, id, meta, ...rest } = data;
+    const { _id, id, meta: inputMeta, ...rest } = data;
     const updated = {
         ...existing,
         ...rest,
         slug,
-        meta: { ...existing.meta, updatedAt: new Date().toISOString() }
+        meta: {
+            ...existing.meta,
+            ...(inputMeta && typeof inputMeta === 'object'
+                ? ('project' in inputMeta ? {project: inputMeta.project} : {})
+                : {}),
+            updatedAt: new Date().toISOString()
+        }
     };
 
     await db.collection(ACTIONS_COLLECTION).replaceOne({ slug }, { ...updated });
@@ -328,6 +387,59 @@ export async function listActionsForCollection(collectionSlug) {
         .toArray();
 }
 
+/**
+ * List the actions that represent valid next-state transitions for a given
+ * entry as seen by a given user. Used by the per-row transitions UI in the
+ * Collection Browser and the `[transitions]` shortcode.
+ *
+ * Criteria for inclusion:
+ *   1. action.collection matches the entry's collection
+ *   2. action.transition is set and action.transition.from includes the
+ *      entry's current value of action.transition.field
+ *   3. action.access.roles allows the user (compared by role level so
+ *      higher-privileged roles inherit access automatically)
+ *
+ * Returns a stripped projection — slug, title, trigger config, transition —
+ * so the client can render buttons without leaking step internals.
+ *
+ * @param {string} collectionSlug
+ * @param {object} entry          - The entry being inspected (needed for field-value match)
+ * @param {object} [user]         - { role } — anonymous if missing
+ * @returns {Promise<object[]>}
+ */
+export async function listTransitionsForEntry(collectionSlug, entry, user = null) {
+    const all = await listActionsForCollection(collectionSlug);
+    if (!Array.isArray(all) || !all.length) return [];
+
+    const { getRoleLevel } = await import('./roles.js');
+    const { getEffectiveLevel } = await import('./userRoles.js');
+    // Use effective level so multi-role users see transitions any of their
+    // roles permit — e.g. a user who's primarily a candidate but also an
+    // admin sees BOTH the candidate-only "withdraw" AND the admin-only
+    // "approve" transitions on the same entry.
+    const userLevel = getEffectiveLevel(user);
+
+    return all
+        .filter(a => {
+            if (!a.transition) return false;
+            const allowedFrom = Array.isArray(a.transition.from) ? a.transition.from : [a.transition.from].filter(Boolean);
+            if (allowedFrom.length) {
+                const current = entry.data?.[a.transition.field];
+                if (!allowedFrom.includes(current)) return false;
+            }
+            const roles    = a.access?.roles || ['admin', 'super-admin'];
+            const minLevel = Math.min(...roles.map(r => getRoleLevel(r)));
+            if (!(userLevel <= minLevel)) return false;
+            return true;
+        })
+        .map(a => ({
+            slug:       a.slug,
+            title:      a.title,
+            trigger:    a.trigger,
+            transition: a.transition
+        }));
+}
+
 // ---------------------------------------------------------------------------
 // Execution
 // ---------------------------------------------------------------------------
@@ -351,12 +463,29 @@ export async function executeAction(slug, entryId, { user = null } = {}) {
     const entry = await getEntry(action.collection, entryId);
     if (!entry) throw new Error(`Entry "${entryId}" not found in collection "${action.collection}"`);
 
-    if (!checkEntryAccess(entry, user, action.access?.rowLevel)) {
+    if (!(await checkEntryAccess(entry, user, action.access?.rowLevel))) {
         const err = new Error('Row-level access denied');
         err.statusCode = 403;
         throw err;
     }
 
+    // State-machine guard — an action with a transition config only runs when
+    // the entry's current value of `field` is in `from`. Stops illegal moves
+    // like "withdraw" on an already-rejected application; the API returns 409
+    // so the client can present a meaningful "no longer available" message
+    // (we use 409 = Conflict rather than 403 because the request itself was
+    // authorised, just inconsistent with current state).
+    if (action.transition) {
+        const t            = action.transition;
+        const currentValue = entry.data?.[t.field];
+        const allowed      = Array.isArray(t.from) ? t.from : (t.from ? [t.from] : []);
+        if (allowed.length && !allowed.includes(currentValue)) {
+            const err = new Error(`Cannot apply "${action.title}" — current ${t.field} is "${currentValue ?? '(none)'}", allowed: ${allowed.join(', ')}`);
+            err.statusCode = 409;
+            throw err;
+        }
+    }
+
     const context = {
         entry,
         now:  new Date().toISOString(),

package/server/services/adapters/FileAdapter.js

@@ -19,6 +19,7 @@
 import fs from 'fs/promises';
 import path from 'path';
 import { config } from '../../config.js';
+import { applyFilter } from '../filterEngine.js';
 
 const COLLECTIONS_DIR = path.resolve(config.content.collectionsDir);
 
@@ -50,18 +51,25 @@ async function write(slug, entries) {
 export class FileAdapter {
 
     /**
-     * List entries with optional pagination, sorting, and search.
+     * List entries with optional pagination, sorting, free-text search,
+     * and structured filtering.
+     *
+     * `search` is a simple substring match across all field values (legacy
+     * behaviour, kept for the admin search box). `filter` is the structured
+     * DSL — see `filterEngine.js` for operator syntax. Both may be combined;
+     * search runs first, then filter.
      *
      * @param {string} slug
      * @param {object} [opts]
-     * @param {number}  [opts.page=1]
-     * @param {number}  [opts.limit=50]
-     * @param {string}  [opts.sort='createdAt']
-     * @param {string}  [opts.order='desc']
-     * @param {string}  [opts.search]
+     * @param {number}                    [opts.page=1]
+     * @param {number}                    [opts.limit=50]      - Use 0 for "no limit" (returns all)
+     * @param {string}                    [opts.sort='createdAt']
+     * @param {string}                    [opts.order='desc']  - 'asc' | 'desc'
+     * @param {string}                    [opts.search]        - Free-text substring across all fields
+     * @param {Record<string, unknown>}   [opts.filter]        - Structured filter; see filterEngine.js
      * @returns {Promise<{ entries: object[], total: number, page: number, limit: number }>}
      */
-    async list(slug, { page = 1, limit = 50, sort = 'createdAt', order = 'desc', search } = {}) {
+    async list(slug, { page = 1, limit = 50, sort = 'createdAt', order = 'desc', search, filter } = {}) {
         let entries = await read(slug);
 
         if (search) {
@@ -71,6 +79,10 @@ export class FileAdapter {
             );
         }
 
+        if (filter) {
+            entries = applyFilter(entries, filter);
+        }
+
         entries.sort((a, b) => {
             const aVal = sort === 'createdAt' ? a.meta?.createdAt : (a.data?.[sort] ?? '');
             const bVal = sort === 'createdAt' ? b.meta?.createdAt : (b.data?.[sort] ?? '');
@@ -78,7 +90,10 @@ export class FileAdapter {
             return order === 'desc' ? -cmp : cmp;
         });
 
-        const total  = entries.length;
+        const total = entries.length;
+        if (limit === 0 || limit == null) {
+            return { entries, total, page: 1, limit: total };
+        }
         const offset = (page - 1) * limit;
         return { entries: entries.slice(offset, offset + limit), total, page, limit };
     }

package/server/services/adapters/MongoAdapter.js

@@ -18,6 +18,7 @@
  *   insertMany(slug, entries) → { imported, skipped, errors }
  *   count(slug)               → number
  */
+import { toMongoQuery } from '../filterEngine.js';
 
 /** Prefix applied to all CMS collection names in MongoDB to avoid collisions. */
 const PREFIX = 'cms_';
@@ -61,32 +62,39 @@ export class MongoAdapter {
     }
 
     /**
-     * List entries with optional pagination, sorting, and search.
+     * List entries with optional pagination, sorting, free-text search,
+     * and structured filtering.
      *
-     * When no search term is provided, pagination and sorting are pushed to MongoDB
-     * for efficiency. When a search term is provided, all documents are fetched and
-     * filtered in memory — identical behaviour to FileAdapter. For large collections
-     * requiring efficient full-text search, configure a MongoDB Atlas Search index.
+     * `filter` is translated to native MongoDB query operators via
+     * `filterEngine.toMongoQuery()` and pushed down to the database — page
+     * authors writing `[collection where_salary_gte="50000"]` get index-aware
+     * queries automatically. When `search` is present, all documents are
+     * fetched and filtered in memory (same behaviour as FileAdapter, kept
+     * for parity); combine with `filter` to keep the in-memory set small.
      *
      * @param {string} slug
      * @param {object} [opts]
-     * @param {number}  [opts.page=1]
-     * @param {number}  [opts.limit=50]
-     * @param {string}  [opts.sort='createdAt']
-     * @param {string}  [opts.order='desc']
-     * @param {string}  [opts.search]
+     * @param {number}                    [opts.page=1]
+     * @param {number}                    [opts.limit=50]      - Use 0 for "no limit"
+     * @param {string}                    [opts.sort='createdAt']
+     * @param {string}                    [opts.order='desc']  - 'asc' | 'desc'
+     * @param {string}                    [opts.search]        - Free-text substring across all fields
+     * @param {Record<string, unknown>}   [opts.filter]        - Structured filter; see filterEngine.js
      * @returns {Promise<{ entries: object[], total: number, page: number, limit: number }>}
      */
-    async list(slug, { page = 1, limit = 50, sort = 'createdAt', order = 'desc', search } = {}) {
+    async list(slug, { page = 1, limit = 50, sort = 'createdAt', order = 'desc', search, filter } = {}) {
         const col = await this._col(slug);
 
         const sortField = sort === 'createdAt' ? 'meta.createdAt' : `data.${sort}`;
         const sortDir   = order === 'desc' ? -1 : 1;
+        const query     = filter ? toMongoQuery(filter) : {};
 
         if (search) {
-            // Fetch all and filter in memory to avoid $where (often disabled in Atlas).
+            // Fetch matching (by filter) docs and substring-match in memory.
+            // Atlas Search is the right tool for large datasets; this is the
+            // portable fallback that matches FileAdapter semantics exactly.
             const all = await col
-                .find({}, { projection: { _id: 0 } })
+                .find(query, { projection: { _id: 0 } })
                 .sort({ [sortField]: sortDir })
                 .toArray();
 
@@ -95,16 +103,26 @@ export class MongoAdapter {
                 Object.values(entry.data || {}).some(v => String(v).toLowerCase().includes(term))
             );
 
-            const total  = matched.length;
+            const total = matched.length;
+            if (limit === 0 || limit == null) {
+                return { entries: matched, total, page: 1, limit: total };
+            }
             const offset = (page - 1) * limit;
             return { entries: matched.slice(offset, offset + limit), total, page, limit };
         }
 
-        const total  = await col.countDocuments({});
-        const offset = (page - 1) * limit;
+        const total = await col.countDocuments(query);
+        if (limit === 0 || limit == null) {
+            const docs = await col
+                .find(query, { projection: { _id: 0 } })
+                .sort({ [sortField]: sortDir })
+                .toArray();
+            return { entries: docs, total, page: 1, limit: total };
+        }
 
-        const docs = await col
-            .find({}, { projection: { _id: 0 } })
+        const offset = (page - 1) * limit;
+        const docs   = await col
+            .find(query, { projection: { _id: 0 } })
             .sort({ [sortField]: sortDir })
             .skip(offset)
             .limit(limit)

package/server/services/blocks.js

@@ -258,9 +258,12 @@ export async function listBlocks() {
         const name = file.slice(0, -5);
         const fileStat = await fs.stat(path.join(BLOCKS_DIR, file)).catch(() => null);
         let bundled = false;
+        let meta = null;
         try {
-            const meta = JSON.parse(await fs.readFile(path.join(BLOCKS_DIR, `${name}.meta.json`), 'utf8'));
-            bundled = !!meta.bundled;
+            const m = JSON.parse(await fs.readFile(path.join(BLOCKS_DIR, `${name}.meta.json`), 'utf8'));
+            bundled = !!m.bundled;
+            // Surface the full sidecar so callers can filter by meta.project etc.
+            meta = m;
         } catch { /* no meta file */
         }
         blocks.push({
@@ -268,6 +271,7 @@ export async function listBlocks() {
             size: fileStat?.size ?? 0,
             updatedAt: fileStat?.mtime?.toISOString() ?? null,
             bundled,
+            ...(meta && {meta}),
         });
     }
     return blocks.sort((a, b) => a.name.localeCompare(b.name));
@@ -285,9 +289,12 @@ export async function getBlock(name) {
     try {
         const content = await fs.readFile(blockFilePath(name), 'utf8');
         let bundled = false;
+        let meta = null;
         try {
-            const meta = JSON.parse(await fs.readFile(blockMetaPath(name), 'utf8'));
-            bundled = !!meta.bundled;
+            const metaFile = JSON.parse(await fs.readFile(blockMetaPath(name), 'utf8'));
+            bundled = !!metaFile.bundled;
+            // Preserve the full meta sidecar so callers can read meta.project etc.
+            meta = metaFile;
         } catch { /* no meta file */
         }
         let css = '';
@@ -295,7 +302,7 @@ export async function getBlock(name) {
             css = await fs.readFile(blockCssPath(name), 'utf8');
         } catch { /* no CSS file — treat as empty */
         }
-        return {name, content, css, bundled};
+        return {name, content, css, bundled, ...(meta && {meta})};
     } catch (err) {
         if (err.code === 'ENOENT') {
             const notFound = new Error('Block not found');
@@ -317,7 +324,7 @@ export async function getBlock(name) {
  * @returns {Promise<{success: boolean, name: string}>}
  * @throws {Error} With code INVALID_NAME on bad name, or CSS_TOO_LARGE when CSS exceeds cap
  */
-export async function saveBlock(name, content, {bundled, css} = {}) {
+export async function saveBlock(name, content, {bundled, css, meta} = {}) {
     assertValidName(name);
     if (typeof css === 'string' && css.length > MAX_CSS_SIZE) {
         const err = new Error(`CSS exceeds ${MAX_CSS_SIZE} byte limit`);
@@ -327,8 +334,13 @@ export async function saveBlock(name, content, {bundled, css} = {}) {
     await fs.mkdir(BLOCKS_DIR, {recursive: true});
     await fs.writeFile(blockFilePath(name), content, 'utf8');
     const metaPath = blockMetaPath(name);
-    if (bundled) {
-        await fs.writeFile(metaPath, JSON.stringify({bundled: true}, null, 2) + '\n', 'utf8');
+    // Merge sidecar meta — bundled flag plus any caller-supplied fields (eg meta.project).
+    const sidecar = {
+        ...(meta && typeof meta === 'object' ? meta : {}),
+        ...(bundled ? {bundled: true} : {})
+    };
+    if (Object.keys(sidecar).length > 0) {
+        await fs.writeFile(metaPath, JSON.stringify(sidecar, null, 2) + '\n', 'utf8');
     } else {
         await fs.unlink(metaPath).catch(() => {
         });