emdash 0.0.0-b → 0.0.2

package/src/astro/routes/api/setup/dev-bypass.ts

@@ -0,0 +1,199 @@
+/**
+ * POST /_emdash/api/setup/dev-bypass
+ * GET  /_emdash/api/setup/dev-bypass
+ *
+ * Development-only endpoint to bypass the setup wizard.
+ * Runs migrations, creates a dev admin user, and marks setup complete.
+ *
+ * ONLY available when import.meta.env.DEV is true.
+ *
+ * Usage:
+ * - GET with redirect: /_emdash/api/setup/dev-bypass?redirect=/_emdash/admin
+ * - POST for API: Returns JSON with setup info
+ *
+ * For agent/browser testing, navigate to:
+ *   /_emdash/api/setup/dev-bypass?redirect=/_emdash/admin
+ */
+
+import type { APIRoute } from "astro";
+
+export const prerender = false;
+
+import { ulid } from "ulidx";
+
+import { apiError, apiSuccess, handleError } from "#api/error.js";
+import { escapeHtml } from "#api/escape.js";
+import { handleApiTokenCreate } from "#api/handlers/api-tokens.js";
+import { isSafeRedirect } from "#api/redirect.js";
+import { runMigrations } from "#db/migrations/runner.js";
+import { OptionsRepository } from "#db/repositories/options.js";
+import { applySeed } from "#seed/apply.js";
+import { loadSeed } from "#seed/load.js";
+import { validateSeed } from "#seed/validate.js";
+
+// RBAC role levels (matching @emdash-cms/auth)
+const ROLE_ADMIN = 50;
+
+const DEV_USER_EMAIL = "dev@emdash.local";
+const DEV_USER_NAME = "Dev Admin";
+const DEV_SITE_TITLE = "EmDash Dev Site";
+
+async function handleDevBypass(context: Parameters<APIRoute>[0]): Promise<Response> {
+	// CRITICAL: Only allow in development mode
+	if (!import.meta.env.DEV) {
+		return apiError("FORBIDDEN", "Dev bypass is only available in development mode", 403);
+	}
+
+	const { locals, url, session } = context;
+	const { emdash } = locals;
+
+	if (!emdash?.db) {
+		return apiError("NOT_CONFIGURED", "EmDash is not initialized", 500);
+	}
+
+	try {
+		// Run migrations
+		const migrations = await runMigrations(emdash.db);
+		console.log("[setup-dev-bypass] Migrations applied:", migrations.applied);
+
+		// Apply seed (user seed or built-in default)
+		const seed = await loadSeed();
+		const validation = validateSeed(seed);
+		if (validation.valid) {
+			const seedResult = await applySeed(emdash.db, seed, {
+				includeContent: true,
+				onConflict: "skip",
+				storage: emdash.storage ?? undefined,
+			});
+			console.log(
+				`[setup-dev-bypass] Seed applied: ${seedResult.collections.created} collections, ${seedResult.fields.created} fields`,
+			);
+		}
+
+		const options = new OptionsRepository(emdash.db);
+
+		// Find or create dev user (direct DB access to avoid @emdash-cms/auth import issues in dev)
+		const existingUser = await emdash.db
+			.selectFrom("users")
+			.selectAll()
+			.where("email", "=", DEV_USER_EMAIL)
+			.executeTakeFirst();
+
+		let user: { id: string; email: string; name: string; role: number };
+		let userCreated = false;
+
+		if (!existingUser) {
+			const now = new Date().toISOString();
+			const newUser = {
+				id: ulid(),
+				email: DEV_USER_EMAIL,
+				name: DEV_USER_NAME,
+				role: ROLE_ADMIN,
+				email_verified: 1,
+				created_at: now,
+				updated_at: now,
+			};
+
+			await emdash.db.insertInto("users").values(newUser).execute();
+
+			user = {
+				id: newUser.id,
+				email: newUser.email,
+				name: newUser.name,
+				role: newUser.role,
+			};
+			userCreated = true;
+			console.log("[setup-dev-bypass] Created dev admin user:", user.email);
+		} else {
+			user = {
+				id: existingUser.id,
+				email: existingUser.email,
+				name: existingUser.name || DEV_USER_NAME,
+				role: existingUser.role,
+			};
+		}
+
+		// Set site title if not already set
+		const existingTitle = await options.get("emdash:site_title");
+		if (!existingTitle) {
+			await options.set("emdash:site_title", DEV_SITE_TITLE);
+		}
+
+		// Store canonical site URL (used by magic-link/recovery emails)
+		await options.set("emdash:site_url", url.origin);
+
+		// Mark setup complete
+		await options.set("emdash:setup_complete", true);
+
+		// Create session
+		if (session) {
+			session.set("user", { id: user.id });
+		}
+
+		// Optionally create a PAT token (?token=1) for headless/CLI testing.
+		let token: string | undefined;
+		if (url.searchParams.has("token")) {
+			const result = await handleApiTokenCreate(emdash.db, user.id, {
+				name: "dev-bypass-token",
+				scopes: [
+					"content:read",
+					"content:write",
+					"media:read",
+					"media:write",
+					"schema:read",
+					"schema:write",
+					"admin",
+				],
+			});
+			if (result.success) {
+				token = result.data.token;
+			}
+		}
+
+		// Check for redirect parameter
+		const redirect = url.searchParams.get("redirect");
+
+		if (redirect) {
+			// Validate redirect is a safe local path (prevent open redirect via //evil.com or /\evil.com)
+			if (!isSafeRedirect(redirect)) {
+				return apiError("INVALID_REDIRECT", "Redirect must be a local path", 400);
+			}
+
+			// Return an HTML page with meta-refresh redirect
+			// This ensures the session is fully saved before redirect
+			const safeRedirect = escapeHtml(redirect);
+			const html = `<!DOCTYPE html>
+<html>
+<head>
+	<meta http-equiv="refresh" content="0;url=${safeRedirect}">
+</head>
+<body>Redirecting...</body>
+</html>`;
+			return new Response(html, {
+				status: 200,
+				headers: { "Content-Type": "text/html" },
+			});
+		}
+
+		// Return JSON response
+		return apiSuccess({
+			success: true,
+			message: "Dev setup complete",
+			migrations: migrations.applied,
+			userCreated,
+			user: {
+				id: user.id,
+				email: user.email,
+				name: user.name,
+				role: user.role,
+			},
+			...(token ? { token } : {}),
+		});
+	} catch (error) {
+		return handleError(error, "Dev bypass failed", "DEV_BYPASS_ERROR");
+	}
+}
+
+// Support both GET and POST
+export const GET: APIRoute = handleDevBypass;
+export const POST: APIRoute = handleDevBypass;

package/src/astro/routes/api/setup/dev-reset.ts

@@ -0,0 +1,40 @@
+/**
+ * POST /_emdash/api/setup/dev-reset
+ *
+ * Development-only endpoint to reset setup state for testing.
+ * Clears the setup_complete flag and deletes all users,
+ * returning the site to the pre-setup state.
+ *
+ * ONLY available when import.meta.env.DEV is true.
+ */
+
+import type { APIRoute } from "astro";
+
+export const prerender = false;
+
+import { apiError, apiSuccess, handleError } from "#api/error.js";
+import { OptionsRepository } from "#db/repositories/options.js";
+
+export const POST: APIRoute = async ({ locals }) => {
+	if (!import.meta.env.DEV) {
+		return apiError("FORBIDDEN", "Dev reset is only available in development mode", 403);
+	}
+
+	const { emdash } = locals;
+
+	if (!emdash?.db) {
+		return apiError("NOT_CONFIGURED", "EmDash is not initialized", 500);
+	}
+
+	try {
+		const options = new OptionsRepository(emdash.db);
+
+		await options.delete("emdash:setup_complete");
+		await options.delete("emdash:setup_state");
+		await emdash.db.deleteFrom("users").execute();
+
+		return apiSuccess({ success: true });
+	} catch (error) {
+		return handleError(error, "Dev reset failed", "DEV_RESET_ERROR");
+	}
+};

package/src/astro/routes/api/setup/index.ts

@@ -0,0 +1,126 @@
+/**
+ * POST /_emdash/api/setup
+ *
+ * Executes the setup wizard - applies seed file and marks setup complete
+ */
+
+import type { APIRoute } from "astro";
+
+export const prerender = false;
+
+import { apiError, apiSuccess, handleError } from "#api/error.js";
+import { isParseError, parseBody } from "#api/parse.js";
+import { setupBody } from "#api/schemas.js";
+import { getAuthMode } from "#auth/mode.js";
+import { runMigrations } from "#db/migrations/runner.js";
+import { OptionsRepository } from "#db/repositories/options.js";
+import { applySeed } from "#seed/apply.js";
+import { loadSeed } from "#seed/load.js";
+import { validateSeed } from "#seed/validate.js";
+
+export const POST: APIRoute = async ({ request, locals }) => {
+	const { emdash } = locals;
+
+	if (!emdash?.db) {
+		return apiError("NOT_CONFIGURED", "EmDash is not initialized", 500);
+	}
+
+	try {
+		// Guard: reject if setup has already been completed.
+		// The options table may not exist on first-ever setup (pre-migration),
+		// so a query failure means setup hasn't run yet — allow it to proceed.
+		try {
+			const options = new OptionsRepository(emdash.db);
+			const setupComplete = await options.get("emdash:setup_complete");
+
+			if (setupComplete === true || setupComplete === "true") {
+				return apiError("ALREADY_CONFIGURED", "Setup has already been completed", 409);
+			}
+		} catch {
+			// Options table doesn't exist yet — first-ever setup, allow it
+		}
+
+		// Parse request body
+		const body = await parseBody(request, setupBody);
+		if (isParseError(body)) return body;
+
+		// 1. Run core migrations
+		try {
+			await runMigrations(emdash.db);
+		} catch (error) {
+			return handleError(error, "Failed to run database migrations", "MIGRATION_ERROR");
+		}
+
+		// 2. Load seed file (user seed or built-in default)
+		const seed = await loadSeed();
+
+		// 3. Override seed settings with form values
+		seed.settings = {
+			...seed.settings,
+			title: body.title,
+			tagline: body.tagline,
+		};
+
+		// 4. Apply seed
+		const validation = validateSeed(seed);
+		if (!validation.valid) {
+			return apiError("INVALID_SEED", `Invalid seed file: ${validation.errors.join(", ")}`, 400);
+		}
+
+		let result;
+		try {
+			result = await applySeed(emdash.db, seed, {
+				includeContent: body.includeContent,
+				onConflict: "skip",
+				storage: emdash.storage ?? undefined,
+			});
+		} catch (error) {
+			return handleError(error, "Failed to apply seed", "SEED_ERROR");
+		}
+
+		// 5. Store setup state
+		// In external auth mode, mark setup complete immediately (first user to login becomes admin)
+		// In passkey mode, setup_complete is set after admin user is created
+		const authMode = getAuthMode(emdash.config);
+		const useExternalAuth = authMode.type === "external";
+
+		try {
+			const options = new OptionsRepository(emdash.db);
+
+			// Store the canonical site URL from the setup request.
+			// This is trusted because setup runs on the real domain.
+			const siteUrl = new URL(request.url).origin;
+			await options.set("emdash:site_url", siteUrl);
+
+			if (useExternalAuth) {
+				// External auth mode: mark setup complete now
+				// First user to log in via external provider will become admin
+				await options.set("emdash:setup_complete", true);
+				await options.set("emdash:site_title", body.title);
+				if (body.tagline) {
+					await options.set("emdash:site_tagline", body.tagline);
+				}
+			} else {
+				// Passkey mode: store state for next step (admin creation)
+				await options.set("emdash:setup_state", {
+					step: "site_complete",
+					title: body.title,
+					tagline: body.tagline,
+				});
+			}
+		} catch (error) {
+			console.error("Failed to save setup state:", error);
+			// Non-fatal - continue anyway
+		}
+
+		// 6. Return success with result
+		return apiSuccess({
+			success: true,
+			// In external auth mode, setup is complete - redirect to admin
+			setupComplete: useExternalAuth,
+			result,
+		});
+	} catch (error) {
+		return handleError(error, "Setup failed", "SETUP_ERROR");
+	}
+};

package/src/astro/routes/api/setup/status.ts

@@ -0,0 +1,122 @@
+/**
+ * GET /_emdash/api/setup/status
+ *
+ * Returns setup status and seed file information
+ */
+
+import type { APIRoute } from "astro";
+
+export const prerender = false;
+
+import { apiError, apiSuccess, handleError } from "#api/error.js";
+import { getAuthMode } from "#auth/mode.js";
+import { loadUserSeed } from "#seed/load.js";
+
+export const GET: APIRoute = async ({ locals }) => {
+	const { emdash } = locals;
+
+	if (!emdash?.db) {
+		return apiError("NOT_CONFIGURED", "EmDash is not initialized", 500);
+	}
+
+	try {
+		// Check if setup is complete
+		const setupComplete = await emdash.db
+			.selectFrom("options")
+			.select("value")
+			.where("name", "=", "emdash:setup_complete")
+			.executeTakeFirst();
+
+		// Value is JSON-encoded, parse it. Accepts both boolean true and string "true"
+		const isComplete =
+			setupComplete &&
+			(() => {
+				try {
+					const parsed = JSON.parse(setupComplete.value);
+					return parsed === true || parsed === "true";
+				} catch {
+					return false;
+				}
+			})();
+
+		// Also check if users exist
+		let hasUsers = false;
+		try {
+			const userCount = await emdash.db
+				.selectFrom("users")
+				.select((eb) => eb.fn.countAll<number>().as("count"))
+				.executeTakeFirstOrThrow();
+			hasUsers = userCount.count > 0;
+		} catch {
+			// Users table might not exist yet
+		}
+
+		// Setup is complete only if flag is set AND users exist
+		if (isComplete && hasUsers) {
+			return apiSuccess({
+				needsSetup: false,
+			});
+		}
+
+		// Determine current step
+		// step: "start" | "site" | "admin" | "complete"
+		let step: "start" | "site" | "admin" = "start";
+
+		// Get setup state if it exists
+		const setupState = await emdash.db
+			.selectFrom("options")
+			.select("value")
+			.where("name", "=", "emdash:setup_state")
+			.executeTakeFirst();
+
+		if (setupState) {
+			try {
+				const state = JSON.parse(setupState.value);
+				if (state.step === "admin") {
+					step = "admin";
+				} else if (state.step === "site") {
+					step = "site";
+				}
+			} catch {
+				// Invalid state, stay at start
+			}
+		}
+
+		// If setup_complete but no users, jump to admin step
+		if (isComplete && !hasUsers) {
+			step = "admin";
+		}
+
+		// Check auth mode
+		const authMode = getAuthMode(emdash.config);
+		const useExternalAuth = authMode.type === "external";
+
+		// In external auth mode, setup is complete if flag is set (no users required initially)
+		if (useExternalAuth && isComplete) {
+			return apiSuccess({
+				needsSetup: false,
+			});
+		}
+
+		// Setup needed - try to load seed file info
+		const seed = await loadUserSeed();
+		const seedInfo = seed
+			? {
+					name: seed.meta?.name || "Unknown Template",
+					description: seed.meta?.description || "",
+					collections: seed.collections?.length || 0,
+					hasContent: !!(seed.content && Object.keys(seed.content).length > 0),
+				}
+			: null;
+
+		return apiSuccess({
+			needsSetup: true,
+			step,
+			seedInfo,
+			// Tell the wizard which auth mode is active
+			authMode: useExternalAuth ? authMode.providerType : "passkey",
+		});
+	} catch (error) {
+		return handleError(error, "Failed to check setup status", "SETUP_STATUS_ERROR");
+	}
+};

package/src/astro/routes/api/snapshot.ts

@@ -0,0 +1,75 @@
+/**
+ * Snapshot endpoint — exports a portable database snapshot for preview mode.
+ *
+ * Security:
+ * - Authenticated users: requires content:read + schema:read permissions
+ * - Preview services: requires valid X-Preview-Signature header (HMAC-SHA256)
+ * - Excludes auth/user/session/token tables
+ */
+
+import type { APIRoute } from "astro";
+
+import { requirePerm } from "#api/authorize.js";
+import { apiError, apiSuccess, handleError } from "#api/error.js";
+import {
+	generateSnapshot,
+	parsePreviewSignatureHeader,
+	verifyPreviewSignature,
+} from "#api/handlers/snapshot.js";
+
+export const prerender = false;
+
+export const GET: APIRoute = async ({ request, locals, url }) => {
+	const { emdash, user } = locals;
+
+	if (!emdash?.db) {
+		return apiError("NOT_CONFIGURED", "EmDash is not initialized", 500);
+	}
+
+	// Check for preview signature auth (used by DO preview services)
+	const previewSig = request.headers.get("X-Preview-Signature");
+	let authorized = false;
+
+	if (previewSig) {
+		const secret = import.meta.env.EMDASH_PREVIEW_SECRET || import.meta.env.PREVIEW_SECRET || "";
+		if (!secret) {
+			console.warn(
+				"[snapshot] X-Preview-Signature header present but no PREVIEW_SECRET configured",
+			);
+		} else {
+			const parsed = parsePreviewSignatureHeader(previewSig);
+			if (!parsed) {
+				console.warn("[snapshot] Failed to parse X-Preview-Signature header");
+			} else {
+				authorized = await verifyPreviewSignature(parsed.source, parsed.exp, parsed.sig, secret);
+				if (!authorized) {
+					console.warn("[snapshot] Preview signature verification failed", {
+						source: parsed.source,
+						exp: parsed.exp,
+						expired: parsed.exp < Date.now() / 1000,
+					});
+				}
+			}
+		}
+	}
+
+	if (!authorized) {
+		// Fall back to standard user auth
+		const contentDenied = requirePerm(user, "content:read");
+		if (contentDenied) return contentDenied;
+		const schemaDenied = requirePerm(user, "schema:read");
+		if (schemaDenied) return schemaDenied;
+	}
+
+	try {
+		const includeDrafts = url.searchParams.get("drafts") === "true";
+		const snapshot = await generateSnapshot(emdash.db, {
+			includeDrafts,
+			origin: url.origin,
+		});
+
+		return apiSuccess(snapshot);
+	} catch (error) {
+		return handleError(error, "Failed to generate snapshot", "SNAPSHOT_ERROR");
+	}
+};

package/src/astro/routes/api/taxonomies/[name]/terms/[slug].ts

@@ -0,0 +1,95 @@
+/**
+ * Single term endpoint
+ *
+ * GET /_emdash/api/taxonomies/:name/terms/:slug - Get a single term
+ * PUT /_emdash/api/taxonomies/:name/terms/:slug - Update a term
+ * DELETE /_emdash/api/taxonomies/:name/terms/:slug - Delete a term
+ */
+
+import type { APIRoute } from "astro";
+
+import { requirePerm } from "#api/authorize.js";
+import { apiError, handleError, requireDb, unwrapResult } from "#api/error.js";
+import { handleTermDelete, handleTermGet, handleTermUpdate } from "#api/handlers/taxonomies.js";
+import { isParseError, parseBody } from "#api/parse.js";
+import { updateTermBody } from "#api/schemas.js";
+
+export const prerender = false;
+
+/**
+ * Get a single term
+ */
+export const GET: APIRoute = async ({ params, locals }) => {
+	const { emdash, user } = locals;
+	const { name, slug } = params;
+
+	if (!name || !slug) {
+		return apiError("VALIDATION_ERROR", "Taxonomy name and slug required", 400);
+	}
+
+	const dbErr = requireDb(emdash?.db);
+	if (dbErr) return dbErr;
+
+	const denied = requirePerm(user, "taxonomies:read");
+	if (denied) return denied;
+
+	try {
+		const result = await handleTermGet(emdash.db, name, slug);
+		return unwrapResult(result);
+	} catch (error) {
+		return handleError(error, "Failed to get term", "TERM_GET_ERROR");
+	}
+};
+
+/**
+ * Update a term
+ */
+export const PUT: APIRoute = async ({ params, request, locals }) => {
+	const { emdash, user } = locals;
+	const { name, slug } = params;
+
+	if (!name || !slug) {
+		return apiError("VALIDATION_ERROR", "Taxonomy name and slug required", 400);
+	}
+
+	const dbErr = requireDb(emdash?.db);
+	if (dbErr) return dbErr;
+
+	const denied = requirePerm(user, "taxonomies:manage");
+	if (denied) return denied;
+
+	try {
+		const body = await parseBody(request, updateTermBody);
+		if (isParseError(body)) return body;
+
+		const result = await handleTermUpdate(emdash.db, name, slug, body);
+		return unwrapResult(result);
+	} catch (error) {
+		return handleError(error, "Failed to update term", "TERM_UPDATE_ERROR");
+	}
+};
+
+/**
+ * Delete a term
+ */
+export const DELETE: APIRoute = async ({ params, locals }) => {
+	const { emdash, user } = locals;
+	const { name, slug } = params;
+
+	if (!name || !slug) {
+		return apiError("VALIDATION_ERROR", "Taxonomy name and slug required", 400);
+	}
+
+	const dbErr = requireDb(emdash?.db);
+	if (dbErr) return dbErr;
+
+	const denied = requirePerm(user, "taxonomies:manage");
+	if (denied) return denied;
+
+	try {
+		const result = await handleTermDelete(emdash.db, name, slug);
+		return unwrapResult(result);
+	} catch (error) {
+		return handleError(error, "Failed to delete term", "TERM_DELETE_ERROR");
+	}
+};