emdash 0.1.1 → 0.3.0

package/dist/seed/index.d.mts

@@ -1,3 +1,3 @@
 import "../types-DRjfYOEv.mjs";
-import { _ as SeedTaxonomyTerm, a as applySeed, b as ValidationResult, c as SeedCollection, d as SeedFile, f as SeedMenu, g as SeedTaxonomy, h as SeedSection, i as defaultSeed, l as SeedContentEntry, m as SeedRedirect, n as loadSeed, o as SeedApplyOptions, p as SeedMenuItem, r as loadUserSeed, s as SeedApplyResult, t as validateSeed, u as SeedField, v as SeedWidget, y as SeedWidgetArea } from "../validate-HtxZeaBi.mjs";
+import { _ as SeedTaxonomyTerm, a as applySeed, b as ValidationResult, c as SeedCollection, d as SeedFile, f as SeedMenu, g as SeedTaxonomy, h as SeedSection, i as defaultSeed, l as SeedContentEntry, m as SeedRedirect, n as loadSeed, o as SeedApplyOptions, p as SeedMenuItem, r as loadUserSeed, s as SeedApplyResult, t as validateSeed, u as SeedField, v as SeedWidget, y as SeedWidgetArea } from "../validate-bfg9OR6N.mjs";
 export { type SeedApplyOptions, type SeedApplyResult, type SeedCollection, type SeedContentEntry, type SeedField, type SeedFile, type SeedMenu, type SeedMenuItem, type SeedRedirect, type SeedSection, type SeedTaxonomy, type SeedTaxonomyTerm, type SeedWidget, type SeedWidgetArea, type ValidationResult, applySeed, defaultSeed, loadSeed, loadUserSeed, validateSeed };

package/dist/seed/index.mjs

@@ -1,15 +1,15 @@
-import "../dialect-helpers-B9uSp2GJ.mjs";
-import "../content-D6C2WsZC.mjs";
+import "../dialect-helpers-DhTzaUxP.mjs";
+import "../content-BsBoyj8G.mjs";
 import "../base64-MBPo9ozB.mjs";
 import "../types-CMMN0pNg.mjs";
 import "../media-DqHVh136.mjs";
-import { t as applySeed } from "../apply-kC39ev1Z.mjs";
-import "../registry-BNYQKX_d.mjs";
-import "../redirect-DIfIni3r.mjs";
-import "../byline-CL847F26.mjs";
-import "../loader-fz8Q_3EO.mjs";
-import { t as validateSeed } from "../validate-_rsF-Dx_.mjs";
-import { t as defaultSeed } from "../default-Cyi4aAxu.mjs";
-import { n as loadUserSeed, t as loadSeed } from "../load-yOOlckBj.mjs";
+import { t as applySeed } from "../apply-Bqoekfbe.mjs";
+import "../registry-DU18yVo0.mjs";
+import "../redirect-DUAk-Yl_.mjs";
+import "../byline-BGj9p9Ht.mjs";
+import "../loader-BmYdf3Dr.mjs";
+import { t as validateSeed } from "../validate-CXnRKfJK.mjs";
+import { t as defaultSeed } from "../default-WYlzADZL.mjs";
+import { n as loadUserSeed, t as loadSeed } from "../load-Veizk2cT.mjs";
 
 export { applySeed, defaultSeed, loadSeed, loadUserSeed, validateSeed };

package/dist/seo/index.d.mts

@@ -1,4 +1,4 @@
-import { i as ContentSeo } from "../types-BRuPJGdV.mjs";
+import { i as ContentSeo } from "../types-BbsYgi_R.mjs";
 
 //#region src/seo/index.d.ts
 /**

package/dist/storage/local.d.mts

@@ -1,4 +1,4 @@
-import { a as ListOptions, d as Storage, l as SignedUploadOptions, n as DownloadResult, o as ListResult, p as UploadResult, s as LocalStorageConfig, u as SignedUploadUrl } from "../types-DaNLHo_T.mjs";
+import { a as ListOptions, d as Storage, l as SignedUploadOptions, n as DownloadResult, o as ListResult, p as UploadResult, s as LocalStorageConfig, u as SignedUploadUrl } from "../types-C1-PVaS_.mjs";
 
 //#region src/storage/local.d.ts
 /**

package/dist/storage/local.mjs

@@ -1,4 +1,4 @@
-import { t as EmDashStorageError } from "../types-CUBbjgmP.mjs";
+import { t as EmDashStorageError } from "../types-Bec-r_3_.mjs";
 import mime from "mime/lite";
 import * as path from "node:path";
 import { createReadStream, existsSync } from "node:fs";

package/dist/storage/s3.d.mts

@@ -1,6 +1,13 @@
-import { a as ListOptions, c as S3StorageConfig, d as Storage, l as SignedUploadOptions, n as DownloadResult, o as ListResult, p as UploadResult, u as SignedUploadUrl } from "../types-DaNLHo_T.mjs";
+import { a as ListOptions, c as S3StorageConfig, d as Storage, l as SignedUploadOptions, n as DownloadResult, o as ListResult, p as UploadResult, u as SignedUploadUrl } from "../types-C1-PVaS_.mjs";
 
 //#region src/storage/s3.d.ts
+/**
+ * Build the merged config: for each field, use the explicit value if present,
+ * otherwise fall back to the corresponding S3_* env var.  Validate once on the
+ * final merged result so a malformed env var never breaks the build when the
+ * caller provides that field explicitly.
+ */
+declare function resolveS3Config(partial: Record<string, unknown>): S3StorageConfig;
 /**
  * S3-compatible storage implementation
  */
@@ -24,9 +31,10 @@ declare class S3Storage implements Storage {
 }
 /**
  * Create S3 storage adapter
- * This is the factory function called at runtime
+ * This is the factory function called at runtime.
+ * Config fields are merged with S3_* env vars; env vars fill in any missing fields.
  */
 declare function createStorage(config: Record<string, unknown>): Storage;
 //#endregion
-export { S3Storage, createStorage };
+export { S3Storage, createStorage, resolveS3Config };
 //# sourceMappingURL=s3.d.mts.map

package/dist/storage/s3.d.mts.map

@@ -1 +1 @@
-{"version":3,"file":"s3.d.mts","names":[],"sources":["../../src/storage/s3.ts"],"mappings":";;;;;;cAwCa,SAAA,YAAqB,OAAA;EAAA,QACzB,MAAA;EAAA,QACA,MAAA;EAAA,QACA,SAAA;EAAA,QACA,QAAA;cAEI,MAAA,EAAQ,eAAA;EAiBd,MAAA,CAAO,OAAA;IACZ,GAAA;IACA,IAAA,EAAM,MAAA,GAAS,UAAA,GAAa,cAAA,CAAe,UAAA;IAC3C,WAAA;EAAA,IACG,OAAA,CAAQ,YAAA;EAoCN,QAAA,CAAS,GAAA,WAAc,OAAA,CAAQ,cAAA;EAgC/B,MAAA,CAAO,GAAA,WAAc,OAAA;EAgBrB,MAAA,CAAO,GAAA,WAAc,OAAA;EAiBrB,IAAA,CAAK,OAAA,GAAS,WAAA,GAAmB,OAAA,CAAQ,UAAA;EA4BzC,kBAAA,CAAmB,OAAA,EAAS,mBAAA,GAAsB,OAAA,CAAQ,eAAA;EAiChE,YAAA,CAAa,GAAA;AAAA;;;;;iBAaE,aAAA,CAAc,MAAA,EAAQ,MAAA,oBAA0B,OAAA"}
+{"version":3,"file":"s3.d.mts","names":[],"sources":["../../src/storage/s3.ts"],"mappings":";;;;;;;;AA0HA;iBA3DgB,eAAA,CAAgB,OAAA,EAAS,MAAA,oBAA0B,eAAA;;;;cA2DtD,SAAA,YAAqB,OAAA;EAAA,QACzB,MAAA;EAAA,QACA,MAAA;EAAA,QACA,SAAA;EAAA,QACA,QAAA;cAEI,MAAA,EAAQ,eAAA;EAqBd,MAAA,CAAO,OAAA;IACZ,GAAA;IACA,IAAA,EAAM,MAAA,GAAS,UAAA,GAAa,cAAA,CAAe,UAAA;IAC3C,WAAA;EAAA,IACG,OAAA,CAAQ,YAAA;EAoCN,QAAA,CAAS,GAAA,WAAc,OAAA,CAAQ,cAAA;EAgC/B,MAAA,CAAO,GAAA,WAAc,OAAA;EAgBrB,MAAA,CAAO,GAAA,WAAc,OAAA;EAiBrB,IAAA,CAAK,OAAA,GAAS,WAAA,GAAmB,OAAA,CAAQ,UAAA;EA4BzC,kBAAA,CAAmB,OAAA,EAAS,mBAAA,GAAsB,OAAA,CAAQ,eAAA;EAiChE,YAAA,CAAa,GAAA;AAAA;;;;;;iBAcE,aAAA,CAAc,MAAA,EAAQ,MAAA,oBAA0B,OAAA"}

package/dist/storage/s3.mjs

@@ -1,4 +1,5 @@
-import { t as EmDashStorageError } from "../types-CUBbjgmP.mjs";
+import { t as EmDashStorageError } from "../types-Bec-r_3_.mjs";
+import { z } from "zod";
 import { DeleteObjectCommand, GetObjectCommand, HeadObjectCommand, ListObjectsV2Command, PutObjectCommand, S3Client } from "@aws-sdk/client-s3";
 import { getSignedUrl } from "@aws-sdk/s3-request-presigner";
 
@@ -9,6 +10,74 @@ import { getSignedUrl } from "@aws-sdk/s3-request-presigner";
 * Uses the AWS SDK v3 for S3 operations.
 * Works with AWS S3, Cloudflare R2, Minio, and other S3-compatible services.
 */
+const ENV_KEYS = {
+	endpoint: "S3_ENDPOINT",
+	bucket: "S3_BUCKET",
+	accessKeyId: "S3_ACCESS_KEY_ID",
+	secretAccessKey: "S3_SECRET_ACCESS_KEY",
+	region: "S3_REGION",
+	publicUrl: "S3_PUBLIC_URL"
+};
+function fail(msg) {
+	throw new EmDashStorageError(msg, "MISSING_S3_CONFIG");
+}
+const s3ConfigSchema = z.object({
+	endpoint: z.url({
+		protocol: /^https?$/,
+		error: "is not a valid http/https URL"
+	}).optional(),
+	bucket: z.string().optional(),
+	accessKeyId: z.string().optional(),
+	secretAccessKey: z.string().optional(),
+	region: z.string().optional(),
+	publicUrl: z.string().optional()
+});
+function isConfigKey(key) {
+	return typeof key === "string" && key in ENV_KEYS;
+}
+/**
+* Build the merged config: for each field, use the explicit value if present,
+* otherwise fall back to the corresponding S3_* env var.  Validate once on the
+* final merged result so a malformed env var never breaks the build when the
+* caller provides that field explicitly.
+*/
+function resolveS3Config(partial) {
+	const raw = {};
+	for (const [field, envKey] of Object.entries(ENV_KEYS)) {
+		const explicit = partial[field];
+		if (explicit !== void 0 && explicit !== "") {
+			raw[field] = explicit;
+			continue;
+		}
+		const envVal = typeof process !== "undefined" && process.env ? process.env[envKey] : void 0;
+		if (envVal !== void 0 && envVal !== "") raw[field] = envVal;
+	}
+	const result = s3ConfigSchema.safeParse(raw);
+	if (!result.success) {
+		const issue = result.error.issues[0];
+		const pathKey = issue?.path[0];
+		if (!issue || !isConfigKey(pathKey)) fail("S3 config validation failed");
+		fail(`${partial[pathKey] !== void 0 && partial[pathKey] !== "" ? `s3({ ${pathKey} })` : ENV_KEYS[pathKey]} ${issue.message}`);
+	}
+	const merged = result.data;
+	const endpoint = merged.endpoint;
+	const bucket = merged.bucket;
+	if (!endpoint || !bucket) {
+		const missing = [];
+		if (!endpoint) missing.push(`endpoint: set ${ENV_KEYS.endpoint} or pass endpoint to s3({...})`);
+		if (!bucket) missing.push(`bucket: set ${ENV_KEYS.bucket} or pass bucket to s3({...})`);
+		fail(`missing required S3 config: ${missing.join("; ")}`);
+	}
+	const accessKeyId = merged.accessKeyId;
+	const secretAccessKey = merged.secretAccessKey;
+	if (accessKeyId && !secretAccessKey) fail(`S3 credentials incomplete: accessKeyId is set but secretAccessKey is missing (set ${ENV_KEYS.secretAccessKey} or pass secretAccessKey to s3({...}))`);
+	if (secretAccessKey && !accessKeyId) fail(`S3 credentials incomplete: secretAccessKey is set but accessKeyId is missing (set ${ENV_KEYS.accessKeyId} or pass accessKeyId to s3({...}))`);
+	return {
+		...merged,
+		endpoint,
+		bucket
+	};
+}
 const TRAILING_SLASH_PATTERN = /\/$/;
 /** Type guard for AWS SDK errors (have a `name` property) */
 function hasErrorName(error) {
@@ -29,10 +98,10 @@ var S3Storage = class {
 		this.client = new S3Client({
 			endpoint: config.endpoint,
 			region: config.region || "auto",
-			credentials: {
+			...config.accessKeyId && config.secretAccessKey ? { credentials: {
 				accessKeyId: config.accessKeyId,
 				secretAccessKey: config.secretAccessKey
-			},
+			} } : {},
 			forcePathStyle: true
 		});
 	}
@@ -155,21 +224,13 @@ var S3Storage = class {
 };
 /**
 * Create S3 storage adapter
-* This is the factory function called at runtime
+* This is the factory function called at runtime.
+* Config fields are merged with S3_* env vars; env vars fill in any missing fields.
 */
 function createStorage(config) {
-	const { endpoint, bucket, accessKeyId, secretAccessKey, region, publicUrl } = config;
-	if (typeof endpoint !== "string" || typeof bucket !== "string" || typeof accessKeyId !== "string" || typeof secretAccessKey !== "string") throw new Error("S3Storage requires 'endpoint', 'bucket', 'accessKeyId', and 'secretAccessKey' string config values");
-	return new S3Storage({
-		endpoint,
-		bucket,
-		accessKeyId,
-		secretAccessKey,
-		region: typeof region === "string" ? region : void 0,
-		publicUrl: typeof publicUrl === "string" ? publicUrl : void 0
-	});
+	return new S3Storage(resolveS3Config(config));
 }
 
 //#endregion
-export { S3Storage, createStorage };
+export { S3Storage, createStorage, resolveS3Config };
 //# sourceMappingURL=s3.mjs.map

package/dist/storage/s3.mjs.map

@@ -1 +1 @@
-{"version":3,"file":"s3.mjs","names":[],"sources":["../../src/storage/s3.ts"],"sourcesContent":["/**\n * S3-Compatible Storage Implementation\n *\n * Uses the AWS SDK v3 for S3 operations.\n * Works with AWS S3, Cloudflare R2, Minio, and other S3-compatible services.\n */\n\nimport {\n\tS3Client,\n\tPutObjectCommand,\n\tGetObjectCommand,\n\tDeleteObjectCommand,\n\tHeadObjectCommand,\n\tListObjectsV2Command,\n\ttype ListObjectsV2Response,\n} from \"@aws-sdk/client-s3\";\nimport { getSignedUrl } from \"@aws-sdk/s3-request-presigner\";\n\nimport type {\n\tStorage,\n\tS3StorageConfig,\n\tUploadResult,\n\tDownloadResult,\n\tListResult,\n\tListOptions,\n\tSignedUploadUrl,\n\tSignedUploadOptions,\n} from \"./types.js\";\nimport { EmDashStorageError } from \"./types.js\";\n\nconst TRAILING_SLASH_PATTERN = /\\/$/;\n\n/** Type guard for AWS SDK errors (have a `name` property) */\nfunction hasErrorName(error: unknown): error is Error & { name: string } {\n\treturn error instanceof Error && typeof error.name === \"string\";\n}\n\n/**\n * S3-compatible storage implementation\n */\nexport class S3Storage implements Storage {\n\tprivate client: S3Client;\n\tprivate bucket: string;\n\tprivate publicUrl?: string;\n\tprivate endpoint: string;\n\n\tconstructor(config: S3StorageConfig) {\n\t\tthis.bucket = config.bucket;\n\t\tthis.publicUrl = config.publicUrl;\n\t\tthis.endpoint = config.endpoint;\n\n\t\tthis.client = new S3Client({\n\t\t\tendpoint: config.endpoint,\n\t\t\tregion: config.region || \"auto\",\n\t\t\tcredentials: {\n\t\t\t\taccessKeyId: config.accessKeyId,\n\t\t\t\tsecretAccessKey: config.secretAccessKey,\n\t\t\t},\n\t\t\t// Required for R2 and some S3-compatible services\n\t\t\tforcePathStyle: true,\n\t\t});\n\t}\n\n\tasync upload(options: {\n\t\tkey: string;\n\t\tbody: Buffer | Uint8Array | ReadableStream<Uint8Array>;\n\t\tcontentType: string;\n\t}): Promise<UploadResult> {\n\t\ttry {\n\t\t\t// Convert ReadableStream to Buffer if needed\n\t\t\tlet body: Buffer | Uint8Array;\n\t\t\tif (options.body instanceof ReadableStream) {\n\t\t\t\tconst chunks: Uint8Array[] = [];\n\t\t\t\tconst reader = options.body.getReader();\n\t\t\t\twhile (true) {\n\t\t\t\t\tconst { done, value } = await reader.read();\n\t\t\t\t\tif (done) break;\n\t\t\t\t\tchunks.push(value);\n\t\t\t\t}\n\t\t\t\tbody = Buffer.concat(chunks);\n\t\t\t} else {\n\t\t\t\tbody = options.body;\n\t\t\t}\n\n\t\t\tawait this.client.send(\n\t\t\t\tnew PutObjectCommand({\n\t\t\t\t\tBucket: this.bucket,\n\t\t\t\t\tKey: options.key,\n\t\t\t\t\tBody: body,\n\t\t\t\t\tContentType: options.contentType,\n\t\t\t\t}),\n\t\t\t);\n\n\t\t\treturn {\n\t\t\t\tkey: options.key,\n\t\t\t\turl: this.getPublicUrl(options.key),\n\t\t\t\tsize: body.length,\n\t\t\t};\n\t\t} catch (error) {\n\t\t\tthrow new EmDashStorageError(`Failed to upload file: ${options.key}`, \"UPLOAD_FAILED\", error);\n\t\t}\n\t}\n\n\tasync download(key: string): Promise<DownloadResult> {\n\t\ttry {\n\t\t\tconst response = await this.client.send(\n\t\t\t\tnew GetObjectCommand({\n\t\t\t\t\tBucket: this.bucket,\n\t\t\t\t\tKey: key,\n\t\t\t\t}),\n\t\t\t);\n\n\t\t\tif (!response.Body) {\n\t\t\t\tthrow new EmDashStorageError(`File not found: ${key}`, \"NOT_FOUND\");\n\t\t\t}\n\n\t\t\t// Convert SDK stream to web ReadableStream\n\t\t\tconst body = response.Body.transformToWebStream();\n\n\t\t\treturn {\n\t\t\t\tbody,\n\t\t\t\tcontentType: response.ContentType || \"application/octet-stream\",\n\t\t\t\tsize: response.ContentLength || 0,\n\t\t\t};\n\t\t} catch (error) {\n\t\t\tif (\n\t\t\t\terror instanceof EmDashStorageError ||\n\t\t\t\t(hasErrorName(error) && error.name === \"NoSuchKey\")\n\t\t\t) {\n\t\t\t\tthrow new EmDashStorageError(`File not found: ${key}`, \"NOT_FOUND\", error);\n\t\t\t}\n\t\t\tthrow new EmDashStorageError(`Failed to download file: ${key}`, \"DOWNLOAD_FAILED\", error);\n\t\t}\n\t}\n\n\tasync delete(key: string): Promise<void> {\n\t\ttry {\n\t\t\tawait this.client.send(\n\t\t\t\tnew DeleteObjectCommand({\n\t\t\t\t\tBucket: this.bucket,\n\t\t\t\t\tKey: key,\n\t\t\t\t}),\n\t\t\t);\n\t\t} catch (error) {\n\t\t\t// S3 delete is idempotent, so we ignore \"not found\" errors\n\t\t\tif (!hasErrorName(error) || error.name !== \"NoSuchKey\") {\n\t\t\t\tthrow new EmDashStorageError(`Failed to delete file: ${key}`, \"DELETE_FAILED\", error);\n\t\t\t}\n\t\t}\n\t}\n\n\tasync exists(key: string): Promise<boolean> {\n\t\ttry {\n\t\t\tawait this.client.send(\n\t\t\t\tnew HeadObjectCommand({\n\t\t\t\t\tBucket: this.bucket,\n\t\t\t\t\tKey: key,\n\t\t\t\t}),\n\t\t\t);\n\t\t\treturn true;\n\t\t} catch (error) {\n\t\t\tif (hasErrorName(error) && error.name === \"NotFound\") {\n\t\t\t\treturn false;\n\t\t\t}\n\t\t\tthrow new EmDashStorageError(`Failed to check file existence: ${key}`, \"HEAD_FAILED\", error);\n\t\t}\n\t}\n\n\tasync list(options: ListOptions = {}): Promise<ListResult> {\n\t\ttry {\n\t\t\t// eslint-disable-next-line typescript-eslint(no-unsafe-type-assertion) -- S3 client.send returns generic output; narrowing to ListObjectsV2Response\n\t\t\tconst response = (await this.client.send(\n\t\t\t\tnew ListObjectsV2Command({\n\t\t\t\t\tBucket: this.bucket,\n\t\t\t\t\tPrefix: options.prefix,\n\t\t\t\t\tMaxKeys: options.limit,\n\t\t\t\t\tContinuationToken: options.cursor,\n\t\t\t\t}),\n\t\t\t)) as ListObjectsV2Response;\n\n\t\t\treturn {\n\t\t\t\tfiles: (response.Contents || []).map(\n\t\t\t\t\t(item: { Key?: string; Size?: number; LastModified?: Date; ETag?: string }) => ({\n\t\t\t\t\t\tkey: item.Key!,\n\t\t\t\t\t\tsize: item.Size || 0,\n\t\t\t\t\t\tlastModified: item.LastModified || new Date(),\n\t\t\t\t\t\tetag: item.ETag,\n\t\t\t\t\t}),\n\t\t\t\t),\n\t\t\t\tnextCursor: response.NextContinuationToken,\n\t\t\t};\n\t\t} catch (error) {\n\t\t\tthrow new EmDashStorageError(\"Failed to list files\", \"LIST_FAILED\", error);\n\t\t}\n\t}\n\n\tasync getSignedUploadUrl(options: SignedUploadOptions): Promise<SignedUploadUrl> {\n\t\ttry {\n\t\t\tconst expiresIn = options.expiresIn || 3600; // 1 hour default\n\n\t\t\tconst command = new PutObjectCommand({\n\t\t\t\tBucket: this.bucket,\n\t\t\t\tKey: options.key,\n\t\t\t\tContentType: options.contentType,\n\t\t\t\tContentLength: options.size,\n\t\t\t});\n\n\t\t\tconst url = await getSignedUrl(this.client, command, { expiresIn });\n\n\t\t\tconst expiresAt = new Date(Date.now() + expiresIn * 1000).toISOString();\n\n\t\t\treturn {\n\t\t\t\turl,\n\t\t\t\tmethod: \"PUT\",\n\t\t\t\theaders: {\n\t\t\t\t\t\"Content-Type\": options.contentType,\n\t\t\t\t\t...(options.size ? { \"Content-Length\": String(options.size) } : {}),\n\t\t\t\t},\n\t\t\t\texpiresAt,\n\t\t\t};\n\t\t} catch (error) {\n\t\t\tthrow new EmDashStorageError(\n\t\t\t\t`Failed to generate signed URL for: ${options.key}`,\n\t\t\t\t\"SIGNED_URL_FAILED\",\n\t\t\t\terror,\n\t\t\t);\n\t\t}\n\t}\n\n\tgetPublicUrl(key: string): string {\n\t\tif (this.publicUrl) {\n\t\t\treturn `${this.publicUrl.replace(TRAILING_SLASH_PATTERN, \"\")}/${key}`;\n\t\t}\n\t\t// Default to endpoint + bucket + key\n\t\treturn `${this.endpoint.replace(TRAILING_SLASH_PATTERN, \"\")}/${this.bucket}/${key}`;\n\t}\n}\n\n/**\n * Create S3 storage adapter\n * This is the factory function called at runtime\n */\nexport function createStorage(config: Record<string, unknown>): Storage {\n\tconst { endpoint, bucket, accessKeyId, secretAccessKey, region, publicUrl } = config;\n\tif (\n\t\ttypeof endpoint !== \"string\" ||\n\t\ttypeof bucket !== \"string\" ||\n\t\ttypeof accessKeyId !== \"string\" ||\n\t\ttypeof secretAccessKey !== \"string\"\n\t) {\n\t\tthrow new Error(\n\t\t\t\"S3Storage requires 'endpoint', 'bucket', 'accessKeyId', and 'secretAccessKey' string config values\",\n\t\t);\n\t}\n\treturn new S3Storage({\n\t\tendpoint,\n\t\tbucket,\n\t\taccessKeyId,\n\t\tsecretAccessKey,\n\t\tregion: typeof region === \"string\" ? region : undefined,\n\t\tpublicUrl: typeof publicUrl === \"string\" ? publicUrl : undefined,\n\t});\n}\n"],"mappings":";;;;;;;;;;;AA8BA,MAAM,yBAAyB;;AAG/B,SAAS,aAAa,OAAmD;AACxE,QAAO,iBAAiB,SAAS,OAAO,MAAM,SAAS;;;;;AAMxD,IAAa,YAAb,MAA0C;CACzC,AAAQ;CACR,AAAQ;CACR,AAAQ;CACR,AAAQ;CAER,YAAY,QAAyB;AACpC,OAAK,SAAS,OAAO;AACrB,OAAK,YAAY,OAAO;AACxB,OAAK,WAAW,OAAO;AAEvB,OAAK,SAAS,IAAI,SAAS;GAC1B,UAAU,OAAO;GACjB,QAAQ,OAAO,UAAU;GACzB,aAAa;IACZ,aAAa,OAAO;IACpB,iBAAiB,OAAO;IACxB;GAED,gBAAgB;GAChB,CAAC;;CAGH,MAAM,OAAO,SAIa;AACzB,MAAI;GAEH,IAAI;AACJ,OAAI,QAAQ,gBAAgB,gBAAgB;IAC3C,MAAM,SAAuB,EAAE;IAC/B,MAAM,SAAS,QAAQ,KAAK,WAAW;AACvC,WAAO,MAAM;KACZ,MAAM,EAAE,MAAM,UAAU,MAAM,OAAO,MAAM;AAC3C,SAAI,KAAM;AACV,YAAO,KAAK,MAAM;;AAEnB,WAAO,OAAO,OAAO,OAAO;SAE5B,QAAO,QAAQ;AAGhB,SAAM,KAAK,OAAO,KACjB,IAAI,iBAAiB;IACpB,QAAQ,KAAK;IACb,KAAK,QAAQ;IACb,MAAM;IACN,aAAa,QAAQ;IACrB,CAAC,CACF;AAED,UAAO;IACN,KAAK,QAAQ;IACb,KAAK,KAAK,aAAa,QAAQ,IAAI;IACnC,MAAM,KAAK;IACX;WACO,OAAO;AACf,SAAM,IAAI,mBAAmB,0BAA0B,QAAQ,OAAO,iBAAiB,MAAM;;;CAI/F,MAAM,SAAS,KAAsC;AACpD,MAAI;GACH,MAAM,WAAW,MAAM,KAAK,OAAO,KAClC,IAAI,iBAAiB;IACpB,QAAQ,KAAK;IACb,KAAK;IACL,CAAC,CACF;AAED,OAAI,CAAC,SAAS,KACb,OAAM,IAAI,mBAAmB,mBAAmB,OAAO,YAAY;AAMpE,UAAO;IACN,MAHY,SAAS,KAAK,sBAAsB;IAIhD,aAAa,SAAS,eAAe;IACrC,MAAM,SAAS,iBAAiB;IAChC;WACO,OAAO;AACf,OACC,iBAAiB,sBAChB,aAAa,MAAM,IAAI,MAAM,SAAS,YAEvC,OAAM,IAAI,mBAAmB,mBAAmB,OAAO,aAAa,MAAM;AAE3E,SAAM,IAAI,mBAAmB,4BAA4B,OAAO,mBAAmB,MAAM;;;CAI3F,MAAM,OAAO,KAA4B;AACxC,MAAI;AACH,SAAM,KAAK,OAAO,KACjB,IAAI,oBAAoB;IACvB,QAAQ,KAAK;IACb,KAAK;IACL,CAAC,CACF;WACO,OAAO;AAEf,OAAI,CAAC,aAAa,MAAM,IAAI,MAAM,SAAS,YAC1C,OAAM,IAAI,mBAAmB,0BAA0B,OAAO,iBAAiB,MAAM;;;CAKxF,MAAM,OAAO,KAA+B;AAC3C,MAAI;AACH,SAAM,KAAK,OAAO,KACjB,IAAI,kBAAkB;IACrB,QAAQ,KAAK;IACb,KAAK;IACL,CAAC,CACF;AACD,UAAO;WACC,OAAO;AACf,OAAI,aAAa,MAAM,IAAI,MAAM,SAAS,WACzC,QAAO;AAER,SAAM,IAAI,mBAAmB,mCAAmC,OAAO,eAAe,MAAM;;;CAI9F,MAAM,KAAK,UAAuB,EAAE,EAAuB;AAC1D,MAAI;GAEH,MAAM,WAAY,MAAM,KAAK,OAAO,KACnC,IAAI,qBAAqB;IACxB,QAAQ,KAAK;IACb,QAAQ,QAAQ;IAChB,SAAS,QAAQ;IACjB,mBAAmB,QAAQ;IAC3B,CAAC,CACF;AAED,UAAO;IACN,QAAQ,SAAS,YAAY,EAAE,EAAE,KAC/B,UAA+E;KAC/E,KAAK,KAAK;KACV,MAAM,KAAK,QAAQ;KACnB,cAAc,KAAK,gCAAgB,IAAI,MAAM;KAC7C,MAAM,KAAK;KACX,EACD;IACD,YAAY,SAAS;IACrB;WACO,OAAO;AACf,SAAM,IAAI,mBAAmB,wBAAwB,eAAe,MAAM;;;CAI5E,MAAM,mBAAmB,SAAwD;AAChF,MAAI;GACH,MAAM,YAAY,QAAQ,aAAa;GAEvC,MAAM,UAAU,IAAI,iBAAiB;IACpC,QAAQ,KAAK;IACb,KAAK,QAAQ;IACb,aAAa,QAAQ;IACrB,eAAe,QAAQ;IACvB,CAAC;GAEF,MAAM,MAAM,MAAM,aAAa,KAAK,QAAQ,SAAS,EAAE,WAAW,CAAC;GAEnE,MAAM,YAAY,IAAI,KAAK,KAAK,KAAK,GAAG,YAAY,IAAK,CAAC,aAAa;AAEvE,UAAO;IACN;IACA,QAAQ;IACR,SAAS;KACR,gBAAgB,QAAQ;KACxB,GAAI,QAAQ,OAAO,EAAE,kBAAkB,OAAO,QAAQ,KAAK,EAAE,GAAG,EAAE;KAClE;IACD;IACA;WACO,OAAO;AACf,SAAM,IAAI,mBACT,sCAAsC,QAAQ,OAC9C,qBACA,MACA;;;CAIH,aAAa,KAAqB;AACjC,MAAI,KAAK,UACR,QAAO,GAAG,KAAK,UAAU,QAAQ,wBAAwB,GAAG,CAAC,GAAG;AAGjE,SAAO,GAAG,KAAK,SAAS,QAAQ,wBAAwB,GAAG,CAAC,GAAG,KAAK,OAAO,GAAG;;;;;;;AAQhF,SAAgB,cAAc,QAA0C;CACvE,MAAM,EAAE,UAAU,QAAQ,aAAa,iBAAiB,QAAQ,cAAc;AAC9E,KACC,OAAO,aAAa,YACpB,OAAO,WAAW,YAClB,OAAO,gBAAgB,YACvB,OAAO,oBAAoB,SAE3B,OAAM,IAAI,MACT,qGACA;AAEF,QAAO,IAAI,UAAU;EACpB;EACA;EACA;EACA;EACA,QAAQ,OAAO,WAAW,WAAW,SAAS;EAC9C,WAAW,OAAO,cAAc,WAAW,YAAY;EACvD,CAAC"}
+{"version":3,"file":"s3.mjs","names":[],"sources":["../../src/storage/s3.ts"],"sourcesContent":["/**\n * S3-Compatible Storage Implementation\n *\n * Uses the AWS SDK v3 for S3 operations.\n * Works with AWS S3, Cloudflare R2, Minio, and other S3-compatible services.\n */\n\nimport {\n\tS3Client,\n\tPutObjectCommand,\n\tGetObjectCommand,\n\tDeleteObjectCommand,\n\tHeadObjectCommand,\n\tListObjectsV2Command,\n\ttype ListObjectsV2Response,\n} from \"@aws-sdk/client-s3\";\nimport { getSignedUrl } from \"@aws-sdk/s3-request-presigner\";\nimport { z } from \"zod\";\n\nimport type {\n\tStorage,\n\tS3StorageConfig,\n\tUploadResult,\n\tDownloadResult,\n\tListResult,\n\tListOptions,\n\tSignedUploadUrl,\n\tSignedUploadOptions,\n} from \"./types.js\";\nimport { EmDashStorageError } from \"./types.js\";\n\nconst ENV_KEYS = {\n\tendpoint: \"S3_ENDPOINT\",\n\tbucket: \"S3_BUCKET\",\n\taccessKeyId: \"S3_ACCESS_KEY_ID\",\n\tsecretAccessKey: \"S3_SECRET_ACCESS_KEY\",\n\tregion: \"S3_REGION\",\n\tpublicUrl: \"S3_PUBLIC_URL\",\n} as const satisfies Record<keyof S3StorageConfig, string>;\n\nfunction fail(msg: string): never {\n\tthrow new EmDashStorageError(msg, \"MISSING_S3_CONFIG\");\n}\n\nconst s3ConfigSchema = z.object({\n\tendpoint: z.url({ protocol: /^https?$/, error: \"is not a valid http/https URL\" }).optional(),\n\tbucket: z.string().optional(),\n\taccessKeyId: z.string().optional(),\n\tsecretAccessKey: z.string().optional(),\n\tregion: z.string().optional(),\n\tpublicUrl: z.string().optional(),\n});\n\nfunction isConfigKey(key: unknown): key is keyof S3StorageConfig {\n\treturn typeof key === \"string\" && key in ENV_KEYS;\n}\n\n/**\n * Build the merged config: for each field, use the explicit value if present,\n * otherwise fall back to the corresponding S3_* env var.  Validate once on the\n * final merged result so a malformed env var never breaks the build when the\n * caller provides that field explicitly.\n */\nexport function resolveS3Config(partial: Record<string, unknown>): S3StorageConfig {\n\tconst raw: Record<string, unknown> = {};\n\tfor (const [field, envKey] of Object.entries(ENV_KEYS)) {\n\t\tconst explicit = partial[field];\n\t\tif (explicit !== undefined && explicit !== \"\") {\n\t\t\traw[field] = explicit;\n\t\t\tcontinue;\n\t\t}\n\t\tconst envVal = typeof process !== \"undefined\" && process.env ? process.env[envKey] : undefined;\n\t\tif (envVal !== undefined && envVal !== \"\") {\n\t\t\traw[field] = envVal;\n\t\t}\n\t}\n\n\tconst result = s3ConfigSchema.safeParse(raw);\n\tif (!result.success) {\n\t\tconst issue = result.error.issues[0];\n\t\tconst pathKey = issue?.path[0];\n\t\tif (!issue || !isConfigKey(pathKey)) fail(\"S3 config validation failed\");\n\t\tconst fromExplicit = partial[pathKey] !== undefined && partial[pathKey] !== \"\";\n\t\tconst label = fromExplicit ? `s3({ ${pathKey} })` : ENV_KEYS[pathKey];\n\t\tfail(`${label} ${issue.message}`);\n\t}\n\tconst merged = result.data;\n\n\tconst endpoint = merged.endpoint;\n\tconst bucket = merged.bucket;\n\tif (!endpoint || !bucket) {\n\t\tconst missing: string[] = [];\n\t\tif (!endpoint) missing.push(`endpoint: set ${ENV_KEYS.endpoint} or pass endpoint to s3({...})`);\n\t\tif (!bucket) missing.push(`bucket: set ${ENV_KEYS.bucket} or pass bucket to s3({...})`);\n\t\tfail(`missing required S3 config: ${missing.join(\"; \")}`);\n\t}\n\tconst accessKeyId = merged.accessKeyId;\n\tconst secretAccessKey = merged.secretAccessKey;\n\tif (accessKeyId && !secretAccessKey) {\n\t\tfail(\n\t\t\t`S3 credentials incomplete: accessKeyId is set but secretAccessKey is missing (set ${ENV_KEYS.secretAccessKey} or pass secretAccessKey to s3({...}))`,\n\t\t);\n\t}\n\tif (secretAccessKey && !accessKeyId) {\n\t\tfail(\n\t\t\t`S3 credentials incomplete: secretAccessKey is set but accessKeyId is missing (set ${ENV_KEYS.accessKeyId} or pass accessKeyId to s3({...}))`,\n\t\t);\n\t}\n\n\treturn { ...merged, endpoint, bucket };\n}\n\nconst TRAILING_SLASH_PATTERN = /\\/$/;\n\n/** Type guard for AWS SDK errors (have a `name` property) */\nfunction hasErrorName(error: unknown): error is Error & { name: string } {\n\treturn error instanceof Error && typeof error.name === \"string\";\n}\n\n/**\n * S3-compatible storage implementation\n */\nexport class S3Storage implements Storage {\n\tprivate client: S3Client;\n\tprivate bucket: string;\n\tprivate publicUrl?: string;\n\tprivate endpoint: string;\n\n\tconstructor(config: S3StorageConfig) {\n\t\tthis.bucket = config.bucket;\n\t\tthis.publicUrl = config.publicUrl;\n\t\tthis.endpoint = config.endpoint;\n\n\t\tthis.client = new S3Client({\n\t\t\tendpoint: config.endpoint,\n\t\t\tregion: config.region || \"auto\",\n\t\t\t...(config.accessKeyId && config.secretAccessKey\n\t\t\t\t? {\n\t\t\t\t\t\tcredentials: {\n\t\t\t\t\t\t\taccessKeyId: config.accessKeyId,\n\t\t\t\t\t\t\tsecretAccessKey: config.secretAccessKey,\n\t\t\t\t\t\t},\n\t\t\t\t\t}\n\t\t\t\t: {}),\n\t\t\t// Required for R2 and some S3-compatible services\n\t\t\tforcePathStyle: true,\n\t\t} as ConstructorParameters<typeof S3Client>[0]);\n\t}\n\n\tasync upload(options: {\n\t\tkey: string;\n\t\tbody: Buffer | Uint8Array | ReadableStream<Uint8Array>;\n\t\tcontentType: string;\n\t}): Promise<UploadResult> {\n\t\ttry {\n\t\t\t// Convert ReadableStream to Buffer if needed\n\t\t\tlet body: Buffer | Uint8Array;\n\t\t\tif (options.body instanceof ReadableStream) {\n\t\t\t\tconst chunks: Uint8Array[] = [];\n\t\t\t\tconst reader = options.body.getReader();\n\t\t\t\twhile (true) {\n\t\t\t\t\tconst { done, value } = await reader.read();\n\t\t\t\t\tif (done) break;\n\t\t\t\t\tchunks.push(value);\n\t\t\t\t}\n\t\t\t\tbody = Buffer.concat(chunks);\n\t\t\t} else {\n\t\t\t\tbody = options.body;\n\t\t\t}\n\n\t\t\tawait this.client.send(\n\t\t\t\tnew PutObjectCommand({\n\t\t\t\t\tBucket: this.bucket,\n\t\t\t\t\tKey: options.key,\n\t\t\t\t\tBody: body,\n\t\t\t\t\tContentType: options.contentType,\n\t\t\t\t}),\n\t\t\t);\n\n\t\t\treturn {\n\t\t\t\tkey: options.key,\n\t\t\t\turl: this.getPublicUrl(options.key),\n\t\t\t\tsize: body.length,\n\t\t\t};\n\t\t} catch (error) {\n\t\t\tthrow new EmDashStorageError(`Failed to upload file: ${options.key}`, \"UPLOAD_FAILED\", error);\n\t\t}\n\t}\n\n\tasync download(key: string): Promise<DownloadResult> {\n\t\ttry {\n\t\t\tconst response = await this.client.send(\n\t\t\t\tnew GetObjectCommand({\n\t\t\t\t\tBucket: this.bucket,\n\t\t\t\t\tKey: key,\n\t\t\t\t}),\n\t\t\t);\n\n\t\t\tif (!response.Body) {\n\t\t\t\tthrow new EmDashStorageError(`File not found: ${key}`, \"NOT_FOUND\");\n\t\t\t}\n\n\t\t\t// Convert SDK stream to web ReadableStream\n\t\t\tconst body = response.Body.transformToWebStream();\n\n\t\t\treturn {\n\t\t\t\tbody,\n\t\t\t\tcontentType: response.ContentType || \"application/octet-stream\",\n\t\t\t\tsize: response.ContentLength || 0,\n\t\t\t};\n\t\t} catch (error) {\n\t\t\tif (\n\t\t\t\terror instanceof EmDashStorageError ||\n\t\t\t\t(hasErrorName(error) && error.name === \"NoSuchKey\")\n\t\t\t) {\n\t\t\t\tthrow new EmDashStorageError(`File not found: ${key}`, \"NOT_FOUND\", error);\n\t\t\t}\n\t\t\tthrow new EmDashStorageError(`Failed to download file: ${key}`, \"DOWNLOAD_FAILED\", error);\n\t\t}\n\t}\n\n\tasync delete(key: string): Promise<void> {\n\t\ttry {\n\t\t\tawait this.client.send(\n\t\t\t\tnew DeleteObjectCommand({\n\t\t\t\t\tBucket: this.bucket,\n\t\t\t\t\tKey: key,\n\t\t\t\t}),\n\t\t\t);\n\t\t} catch (error) {\n\t\t\t// S3 delete is idempotent, so we ignore \"not found\" errors\n\t\t\tif (!hasErrorName(error) || error.name !== \"NoSuchKey\") {\n\t\t\t\tthrow new EmDashStorageError(`Failed to delete file: ${key}`, \"DELETE_FAILED\", error);\n\t\t\t}\n\t\t}\n\t}\n\n\tasync exists(key: string): Promise<boolean> {\n\t\ttry {\n\t\t\tawait this.client.send(\n\t\t\t\tnew HeadObjectCommand({\n\t\t\t\t\tBucket: this.bucket,\n\t\t\t\t\tKey: key,\n\t\t\t\t}),\n\t\t\t);\n\t\t\treturn true;\n\t\t} catch (error) {\n\t\t\tif (hasErrorName(error) && error.name === \"NotFound\") {\n\t\t\t\treturn false;\n\t\t\t}\n\t\t\tthrow new EmDashStorageError(`Failed to check file existence: ${key}`, \"HEAD_FAILED\", error);\n\t\t}\n\t}\n\n\tasync list(options: ListOptions = {}): Promise<ListResult> {\n\t\ttry {\n\t\t\t// eslint-disable-next-line typescript-eslint(no-unsafe-type-assertion) -- S3 client.send returns generic output; narrowing to ListObjectsV2Response\n\t\t\tconst response = (await this.client.send(\n\t\t\t\tnew ListObjectsV2Command({\n\t\t\t\t\tBucket: this.bucket,\n\t\t\t\t\tPrefix: options.prefix,\n\t\t\t\t\tMaxKeys: options.limit,\n\t\t\t\t\tContinuationToken: options.cursor,\n\t\t\t\t}),\n\t\t\t)) as ListObjectsV2Response;\n\n\t\t\treturn {\n\t\t\t\tfiles: (response.Contents || []).map(\n\t\t\t\t\t(item: { Key?: string; Size?: number; LastModified?: Date; ETag?: string }) => ({\n\t\t\t\t\t\tkey: item.Key!,\n\t\t\t\t\t\tsize: item.Size || 0,\n\t\t\t\t\t\tlastModified: item.LastModified || new Date(),\n\t\t\t\t\t\tetag: item.ETag,\n\t\t\t\t\t}),\n\t\t\t\t),\n\t\t\t\tnextCursor: response.NextContinuationToken,\n\t\t\t};\n\t\t} catch (error) {\n\t\t\tthrow new EmDashStorageError(\"Failed to list files\", \"LIST_FAILED\", error);\n\t\t}\n\t}\n\n\tasync getSignedUploadUrl(options: SignedUploadOptions): Promise<SignedUploadUrl> {\n\t\ttry {\n\t\t\tconst expiresIn = options.expiresIn || 3600; // 1 hour default\n\n\t\t\tconst command = new PutObjectCommand({\n\t\t\t\tBucket: this.bucket,\n\t\t\t\tKey: options.key,\n\t\t\t\tContentType: options.contentType,\n\t\t\t\tContentLength: options.size,\n\t\t\t});\n\n\t\t\tconst url = await getSignedUrl(this.client, command, { expiresIn });\n\n\t\t\tconst expiresAt = new Date(Date.now() + expiresIn * 1000).toISOString();\n\n\t\t\treturn {\n\t\t\t\turl,\n\t\t\t\tmethod: \"PUT\",\n\t\t\t\theaders: {\n\t\t\t\t\t\"Content-Type\": options.contentType,\n\t\t\t\t\t...(options.size ? { \"Content-Length\": String(options.size) } : {}),\n\t\t\t\t},\n\t\t\t\texpiresAt,\n\t\t\t};\n\t\t} catch (error) {\n\t\t\tthrow new EmDashStorageError(\n\t\t\t\t`Failed to generate signed URL for: ${options.key}`,\n\t\t\t\t\"SIGNED_URL_FAILED\",\n\t\t\t\terror,\n\t\t\t);\n\t\t}\n\t}\n\n\tgetPublicUrl(key: string): string {\n\t\tif (this.publicUrl) {\n\t\t\treturn `${this.publicUrl.replace(TRAILING_SLASH_PATTERN, \"\")}/${key}`;\n\t\t}\n\t\t// Default to endpoint + bucket + key\n\t\treturn `${this.endpoint.replace(TRAILING_SLASH_PATTERN, \"\")}/${this.bucket}/${key}`;\n\t}\n}\n\n/**\n * Create S3 storage adapter\n * This is the factory function called at runtime.\n * Config fields are merged with S3_* env vars; env vars fill in any missing fields.\n */\nexport function createStorage(config: Record<string, unknown>): Storage {\n\treturn new S3Storage(resolveS3Config(config));\n}\n"],"mappings":";;;;;;;;;;;;AA+BA,MAAM,WAAW;CAChB,UAAU;CACV,QAAQ;CACR,aAAa;CACb,iBAAiB;CACjB,QAAQ;CACR,WAAW;CACX;AAED,SAAS,KAAK,KAAoB;AACjC,OAAM,IAAI,mBAAmB,KAAK,oBAAoB;;AAGvD,MAAM,iBAAiB,EAAE,OAAO;CAC/B,UAAU,EAAE,IAAI;EAAE,UAAU;EAAY,OAAO;EAAiC,CAAC,CAAC,UAAU;CAC5F,QAAQ,EAAE,QAAQ,CAAC,UAAU;CAC7B,aAAa,EAAE,QAAQ,CAAC,UAAU;CAClC,iBAAiB,EAAE,QAAQ,CAAC,UAAU;CACtC,QAAQ,EAAE,QAAQ,CAAC,UAAU;CAC7B,WAAW,EAAE,QAAQ,CAAC,UAAU;CAChC,CAAC;AAEF,SAAS,YAAY,KAA4C;AAChE,QAAO,OAAO,QAAQ,YAAY,OAAO;;;;;;;;AAS1C,SAAgB,gBAAgB,SAAmD;CAClF,MAAM,MAA+B,EAAE;AACvC,MAAK,MAAM,CAAC,OAAO,WAAW,OAAO,QAAQ,SAAS,EAAE;EACvD,MAAM,WAAW,QAAQ;AACzB,MAAI,aAAa,UAAa,aAAa,IAAI;AAC9C,OAAI,SAAS;AACb;;EAED,MAAM,SAAS,OAAO,YAAY,eAAe,QAAQ,MAAM,QAAQ,IAAI,UAAU;AACrF,MAAI,WAAW,UAAa,WAAW,GACtC,KAAI,SAAS;;CAIf,MAAM,SAAS,eAAe,UAAU,IAAI;AAC5C,KAAI,CAAC,OAAO,SAAS;EACpB,MAAM,QAAQ,OAAO,MAAM,OAAO;EAClC,MAAM,UAAU,OAAO,KAAK;AAC5B,MAAI,CAAC,SAAS,CAAC,YAAY,QAAQ,CAAE,MAAK,8BAA8B;AAGxE,OAAK,GAFgB,QAAQ,aAAa,UAAa,QAAQ,aAAa,KAC/C,QAAQ,QAAQ,OAAO,SAAS,SAC/C,GAAG,MAAM,UAAU;;CAElC,MAAM,SAAS,OAAO;CAEtB,MAAM,WAAW,OAAO;CACxB,MAAM,SAAS,OAAO;AACtB,KAAI,CAAC,YAAY,CAAC,QAAQ;EACzB,MAAM,UAAoB,EAAE;AAC5B,MAAI,CAAC,SAAU,SAAQ,KAAK,iBAAiB,SAAS,SAAS,gCAAgC;AAC/F,MAAI,CAAC,OAAQ,SAAQ,KAAK,eAAe,SAAS,OAAO,8BAA8B;AACvF,OAAK,+BAA+B,QAAQ,KAAK,KAAK,GAAG;;CAE1D,MAAM,cAAc,OAAO;CAC3B,MAAM,kBAAkB,OAAO;AAC/B,KAAI,eAAe,CAAC,gBACnB,MACC,qFAAqF,SAAS,gBAAgB,wCAC9G;AAEF,KAAI,mBAAmB,CAAC,YACvB,MACC,qFAAqF,SAAS,YAAY,oCAC1G;AAGF,QAAO;EAAE,GAAG;EAAQ;EAAU;EAAQ;;AAGvC,MAAM,yBAAyB;;AAG/B,SAAS,aAAa,OAAmD;AACxE,QAAO,iBAAiB,SAAS,OAAO,MAAM,SAAS;;;;;AAMxD,IAAa,YAAb,MAA0C;CACzC,AAAQ;CACR,AAAQ;CACR,AAAQ;CACR,AAAQ;CAER,YAAY,QAAyB;AACpC,OAAK,SAAS,OAAO;AACrB,OAAK,YAAY,OAAO;AACxB,OAAK,WAAW,OAAO;AAEvB,OAAK,SAAS,IAAI,SAAS;GAC1B,UAAU,OAAO;GACjB,QAAQ,OAAO,UAAU;GACzB,GAAI,OAAO,eAAe,OAAO,kBAC9B,EACA,aAAa;IACZ,aAAa,OAAO;IACpB,iBAAiB,OAAO;IACxB,EACD,GACA,EAAE;GAEL,gBAAgB;GAChB,CAA8C;;CAGhD,MAAM,OAAO,SAIa;AACzB,MAAI;GAEH,IAAI;AACJ,OAAI,QAAQ,gBAAgB,gBAAgB;IAC3C,MAAM,SAAuB,EAAE;IAC/B,MAAM,SAAS,QAAQ,KAAK,WAAW;AACvC,WAAO,MAAM;KACZ,MAAM,EAAE,MAAM,UAAU,MAAM,OAAO,MAAM;AAC3C,SAAI,KAAM;AACV,YAAO,KAAK,MAAM;;AAEnB,WAAO,OAAO,OAAO,OAAO;SAE5B,QAAO,QAAQ;AAGhB,SAAM,KAAK,OAAO,KACjB,IAAI,iBAAiB;IACpB,QAAQ,KAAK;IACb,KAAK,QAAQ;IACb,MAAM;IACN,aAAa,QAAQ;IACrB,CAAC,CACF;AAED,UAAO;IACN,KAAK,QAAQ;IACb,KAAK,KAAK,aAAa,QAAQ,IAAI;IACnC,MAAM,KAAK;IACX;WACO,OAAO;AACf,SAAM,IAAI,mBAAmB,0BAA0B,QAAQ,OAAO,iBAAiB,MAAM;;;CAI/F,MAAM,SAAS,KAAsC;AACpD,MAAI;GACH,MAAM,WAAW,MAAM,KAAK,OAAO,KAClC,IAAI,iBAAiB;IACpB,QAAQ,KAAK;IACb,KAAK;IACL,CAAC,CACF;AAED,OAAI,CAAC,SAAS,KACb,OAAM,IAAI,mBAAmB,mBAAmB,OAAO,YAAY;AAMpE,UAAO;IACN,MAHY,SAAS,KAAK,sBAAsB;IAIhD,aAAa,SAAS,eAAe;IACrC,MAAM,SAAS,iBAAiB;IAChC;WACO,OAAO;AACf,OACC,iBAAiB,sBAChB,aAAa,MAAM,IAAI,MAAM,SAAS,YAEvC,OAAM,IAAI,mBAAmB,mBAAmB,OAAO,aAAa,MAAM;AAE3E,SAAM,IAAI,mBAAmB,4BAA4B,OAAO,mBAAmB,MAAM;;;CAI3F,MAAM,OAAO,KAA4B;AACxC,MAAI;AACH,SAAM,KAAK,OAAO,KACjB,IAAI,oBAAoB;IACvB,QAAQ,KAAK;IACb,KAAK;IACL,CAAC,CACF;WACO,OAAO;AAEf,OAAI,CAAC,aAAa,MAAM,IAAI,MAAM,SAAS,YAC1C,OAAM,IAAI,mBAAmB,0BAA0B,OAAO,iBAAiB,MAAM;;;CAKxF,MAAM,OAAO,KAA+B;AAC3C,MAAI;AACH,SAAM,KAAK,OAAO,KACjB,IAAI,kBAAkB;IACrB,QAAQ,KAAK;IACb,KAAK;IACL,CAAC,CACF;AACD,UAAO;WACC,OAAO;AACf,OAAI,aAAa,MAAM,IAAI,MAAM,SAAS,WACzC,QAAO;AAER,SAAM,IAAI,mBAAmB,mCAAmC,OAAO,eAAe,MAAM;;;CAI9F,MAAM,KAAK,UAAuB,EAAE,EAAuB;AAC1D,MAAI;GAEH,MAAM,WAAY,MAAM,KAAK,OAAO,KACnC,IAAI,qBAAqB;IACxB,QAAQ,KAAK;IACb,QAAQ,QAAQ;IAChB,SAAS,QAAQ;IACjB,mBAAmB,QAAQ;IAC3B,CAAC,CACF;AAED,UAAO;IACN,QAAQ,SAAS,YAAY,EAAE,EAAE,KAC/B,UAA+E;KAC/E,KAAK,KAAK;KACV,MAAM,KAAK,QAAQ;KACnB,cAAc,KAAK,gCAAgB,IAAI,MAAM;KAC7C,MAAM,KAAK;KACX,EACD;IACD,YAAY,SAAS;IACrB;WACO,OAAO;AACf,SAAM,IAAI,mBAAmB,wBAAwB,eAAe,MAAM;;;CAI5E,MAAM,mBAAmB,SAAwD;AAChF,MAAI;GACH,MAAM,YAAY,QAAQ,aAAa;GAEvC,MAAM,UAAU,IAAI,iBAAiB;IACpC,QAAQ,KAAK;IACb,KAAK,QAAQ;IACb,aAAa,QAAQ;IACrB,eAAe,QAAQ;IACvB,CAAC;GAEF,MAAM,MAAM,MAAM,aAAa,KAAK,QAAQ,SAAS,EAAE,WAAW,CAAC;GAEnE,MAAM,YAAY,IAAI,KAAK,KAAK,KAAK,GAAG,YAAY,IAAK,CAAC,aAAa;AAEvE,UAAO;IACN;IACA,QAAQ;IACR,SAAS;KACR,gBAAgB,QAAQ;KACxB,GAAI,QAAQ,OAAO,EAAE,kBAAkB,OAAO,QAAQ,KAAK,EAAE,GAAG,EAAE;KAClE;IACD;IACA;WACO,OAAO;AACf,SAAM,IAAI,mBACT,sCAAsC,QAAQ,OAC9C,qBACA,MACA;;;CAIH,aAAa,KAAqB;AACjC,MAAI,KAAK,UACR,QAAO,GAAG,KAAK,UAAU,QAAQ,wBAAwB,GAAG,CAAC,GAAG;AAGjE,SAAO,GAAG,KAAK,SAAS,QAAQ,wBAAwB,GAAG,CAAC,GAAG,KAAK,OAAO,GAAG;;;;;;;;AAShF,SAAgB,cAAc,QAA0C;AACvE,QAAO,IAAI,UAAU,gBAAgB,OAAO,CAAC"}

package/dist/{tokens-DpgrkrXK.mjs → tokens-DrB-W6Q-.mjs}

@@ -168,4 +168,4 @@ function parseContentId(contentId) {
 
 //#endregion
 export { parseContentId as n, verifyPreviewToken as r, generatePreviewToken as t };
-//# sourceMappingURL=tokens-DpgrkrXK.mjs.map
+//# sourceMappingURL=tokens-DrB-W6Q-.mjs.map

package/dist/{tokens-DpgrkrXK.mjs.map → tokens-DrB-W6Q-.mjs.map}

@@ -1 +1 @@
-{"version":3,"file":"tokens-DpgrkrXK.mjs","names":[],"sources":["../src/preview/tokens.ts"],"sourcesContent":["/**\n * Preview token generation and verification\n *\n * Tokens are compact, URL-safe, and HMAC-signed.\n * Format: base64url(JSON payload).base64url(HMAC signature)\n *\n * Payload: { cid: contentId, exp: expiryTimestamp, iat: issuedAt }\n */\n\nimport { encodeBase64url, decodeBase64url } from \"../utils/base64.js\";\n\n// Regex pattern for duration parsing\nconst DURATION_PATTERN = /^(\\d+)([smhdw])$/;\n\n/**\n * Preview token payload\n */\nexport interface PreviewTokenPayload {\n\t/** Content ID in format \"collection:id\" (e.g., \"posts:abc123\") */\n\tcid: string;\n\t/** Expiry timestamp (seconds since epoch) */\n\texp: number;\n\t/** Issued at timestamp (seconds since epoch) */\n\tiat: number;\n}\n\n/**\n * Options for generating a preview token\n */\nexport interface GeneratePreviewTokenOptions {\n\t/** Content ID in format \"collection:id\" */\n\tcontentId: string;\n\t/** How long the token is valid. Accepts \"1h\", \"30m\", \"1d\", or seconds as number. Default: \"1h\" */\n\texpiresIn?: string | number;\n\t/** Secret key for signing. Should be from environment variable. */\n\tsecret: string;\n}\n\n/**\n * Parse duration string to seconds\n * Supports: \"1h\", \"30m\", \"1d\", \"2w\", or raw seconds\n */\nfunction parseDuration(duration: string | number): number {\n\tif (typeof duration === \"number\") {\n\t\treturn duration;\n\t}\n\n\tconst match = duration.match(DURATION_PATTERN);\n\tif (!match) {\n\t\tthrow new Error(\n\t\t\t`Invalid duration format: \"${duration}\". Use \"1h\", \"30m\", \"1d\", \"2w\", or seconds.`,\n\t\t);\n\t}\n\n\tconst value = parseInt(match[1], 10);\n\tconst unit = match[2];\n\n\tswitch (unit) {\n\t\tcase \"s\":\n\t\t\treturn value;\n\t\tcase \"m\":\n\t\t\treturn value * 60;\n\t\tcase \"h\":\n\t\t\treturn value * 60 * 60;\n\t\tcase \"d\":\n\t\t\treturn value * 60 * 60 * 24;\n\t\tcase \"w\":\n\t\t\treturn value * 60 * 60 * 24 * 7;\n\t\tdefault:\n\t\t\tthrow new Error(`Unknown duration unit: ${unit}`);\n\t}\n}\n\n/**\n * Create HMAC-SHA256 signature using Web Crypto API\n */\nasync function createSignature(data: string, secret: string): Promise<Uint8Array> {\n\tconst encoder = new TextEncoder();\n\tconst key = await crypto.subtle.importKey(\n\t\t\"raw\",\n\t\tencoder.encode(secret),\n\t\t{ name: \"HMAC\", hash: \"SHA-256\" },\n\t\tfalse,\n\t\t[\"sign\"],\n\t);\n\tconst signature = await crypto.subtle.sign(\"HMAC\", key, encoder.encode(data));\n\treturn new Uint8Array(signature);\n}\n\n/**\n * Verify HMAC-SHA256 signature\n */\nasync function verifySignature(\n\tdata: string,\n\tsignature: Uint8Array,\n\tsecret: string,\n): Promise<boolean> {\n\tconst encoder = new TextEncoder();\n\tconst key = await crypto.subtle.importKey(\n\t\t\"raw\",\n\t\tencoder.encode(secret),\n\t\t{ name: \"HMAC\", hash: \"SHA-256\" },\n\t\tfalse,\n\t\t[\"verify\"],\n\t);\n\t// Create a new ArrayBuffer from the signature to satisfy BufferSource typing\n\t// (Uint8Array.buffer is ArrayBufferLike which includes SharedArrayBuffer)\n\tconst sigBuffer: ArrayBuffer = new ArrayBuffer(signature.byteLength);\n\tnew Uint8Array(sigBuffer).set(signature);\n\treturn crypto.subtle.verify(\"HMAC\", key, sigBuffer, encoder.encode(data));\n}\n\n/**\n * Generate a preview token for content\n *\n * @example\n * ```ts\n * const token = await generatePreviewToken({\n *   contentId: \"posts:abc123\",\n *   expiresIn: \"1h\",\n *   secret: process.env.PREVIEW_SECRET!,\n * });\n * ```\n */\nexport async function generatePreviewToken(options: GeneratePreviewTokenOptions): Promise<string> {\n\tconst { contentId, expiresIn = \"1h\", secret } = options;\n\n\tif (!secret) {\n\t\tthrow new Error(\"Preview secret is required\");\n\t}\n\n\tif (!contentId || !contentId.includes(\":\")) {\n\t\tthrow new Error('Content ID must be in format \"collection:id\"');\n\t}\n\n\tconst now = Math.floor(Date.now() / 1000);\n\tconst duration = parseDuration(expiresIn);\n\n\tconst payload: PreviewTokenPayload = {\n\t\tcid: contentId,\n\t\texp: now + duration,\n\t\tiat: now,\n\t};\n\n\t// Encode payload\n\tconst payloadJson = JSON.stringify(payload);\n\tconst encodedPayload = encodeBase64url(new TextEncoder().encode(payloadJson));\n\n\t// Sign it\n\tconst signature = await createSignature(encodedPayload, secret);\n\tconst encodedSignature = encodeBase64url(signature);\n\n\treturn `${encodedPayload}.${encodedSignature}`;\n}\n\n/**\n * Result of verifying a preview token\n */\nexport type VerifyPreviewTokenResult =\n\t| { valid: true; payload: PreviewTokenPayload }\n\t| { valid: false; error: \"invalid\" | \"expired\" | \"malformed\" | \"none\" };\n\n/**\n * Options for verifyPreviewToken\n */\nexport type VerifyPreviewTokenOptions = {\n\t/** Secret key for verifying tokens */\n\tsecret: string;\n} & (\n\t| { /** URL to extract _preview token from */ url: URL }\n\t| {\n\t\t\t/** Preview token string (can be null) */ token: string | null | undefined;\n\t  }\n);\n\n/**\n * Verify a preview token and return the payload\n *\n * @example\n * ```ts\n * // With URL (extracts _preview query param)\n * const result = await verifyPreviewToken({\n *   url: Astro.url,\n *   secret: import.meta.env.PREVIEW_SECRET,\n * });\n *\n * // With token directly\n * const result = await verifyPreviewToken({\n *   token: someToken,\n *   secret: import.meta.env.PREVIEW_SECRET,\n * });\n *\n * if (result.valid) {\n *   console.log(result.payload.cid); // \"posts:abc123\"\n * }\n * ```\n */\nexport async function verifyPreviewToken(\n\toptions: VerifyPreviewTokenOptions,\n): Promise<VerifyPreviewTokenResult> {\n\tconst { secret } = options;\n\n\tif (!secret) {\n\t\tthrow new Error(\"Preview secret is required\");\n\t}\n\n\t// Extract token from URL or use provided token\n\tconst token = \"url\" in options ? options.url.searchParams.get(\"_preview\") : options.token;\n\n\t// Handle null/undefined token\n\tif (!token) {\n\t\treturn { valid: false, error: \"none\" };\n\t}\n\n\t// Split token into payload and signature\n\tconst parts = token.split(\".\");\n\tif (parts.length !== 2) {\n\t\treturn { valid: false, error: \"malformed\" };\n\t}\n\n\tconst [encodedPayload, encodedSignature] = parts;\n\n\t// Verify signature\n\tlet signature: Uint8Array;\n\ttry {\n\t\tsignature = decodeBase64url(encodedSignature);\n\t} catch {\n\t\treturn { valid: false, error: \"malformed\" };\n\t}\n\n\tconst isValid = await verifySignature(encodedPayload, signature, secret);\n\tif (!isValid) {\n\t\treturn { valid: false, error: \"invalid\" };\n\t}\n\n\t// Decode and parse payload\n\tlet payload: PreviewTokenPayload;\n\ttry {\n\t\tconst payloadBytes = decodeBase64url(encodedPayload);\n\t\tconst payloadJson = new TextDecoder().decode(payloadBytes);\n\t\tpayload = JSON.parse(payloadJson);\n\t} catch {\n\t\treturn { valid: false, error: \"malformed\" };\n\t}\n\n\t// Check required fields\n\tif (\n\t\ttypeof payload.cid !== \"string\" ||\n\t\ttypeof payload.exp !== \"number\" ||\n\t\ttypeof payload.iat !== \"number\"\n\t) {\n\t\treturn { valid: false, error: \"malformed\" };\n\t}\n\n\t// Check expiry\n\tconst now = Math.floor(Date.now() / 1000);\n\tif (payload.exp < now) {\n\t\treturn { valid: false, error: \"expired\" };\n\t}\n\n\treturn { valid: true, payload };\n}\n\n/**\n * Parse a content ID into collection and id\n */\nexport function parseContentId(contentId: string): {\n\tcollection: string;\n\tid: string;\n} {\n\tconst colonIndex = contentId.indexOf(\":\");\n\tif (colonIndex === -1) {\n\t\tthrow new Error('Content ID must be in format \"collection:id\"');\n\t}\n\treturn {\n\t\tcollection: contentId.slice(0, colonIndex),\n\t\tid: contentId.slice(colonIndex + 1),\n\t};\n}\n"],"mappings":";;;;;;;;;;;AAYA,MAAM,mBAAmB;;;;;AA8BzB,SAAS,cAAc,UAAmC;AACzD,KAAI,OAAO,aAAa,SACvB,QAAO;CAGR,MAAM,QAAQ,SAAS,MAAM,iBAAiB;AAC9C,KAAI,CAAC,MACJ,OAAM,IAAI,MACT,6BAA6B,SAAS,6CACtC;CAGF,MAAM,QAAQ,SAAS,MAAM,IAAI,GAAG;CACpC,MAAM,OAAO,MAAM;AAEnB,SAAQ,MAAR;EACC,KAAK,IACJ,QAAO;EACR,KAAK,IACJ,QAAO,QAAQ;EAChB,KAAK,IACJ,QAAO,QAAQ,KAAK;EACrB,KAAK,IACJ,QAAO,QAAQ,KAAK,KAAK;EAC1B,KAAK,IACJ,QAAO,QAAQ,KAAK,KAAK,KAAK;EAC/B,QACC,OAAM,IAAI,MAAM,0BAA0B,OAAO;;;;;;AAOpD,eAAe,gBAAgB,MAAc,QAAqC;CACjF,MAAM,UAAU,IAAI,aAAa;CACjC,MAAM,MAAM,MAAM,OAAO,OAAO,UAC/B,OACA,QAAQ,OAAO,OAAO,EACtB;EAAE,MAAM;EAAQ,MAAM;EAAW,EACjC,OACA,CAAC,OAAO,CACR;CACD,MAAM,YAAY,MAAM,OAAO,OAAO,KAAK,QAAQ,KAAK,QAAQ,OAAO,KAAK,CAAC;AAC7E,QAAO,IAAI,WAAW,UAAU;;;;;AAMjC,eAAe,gBACd,MACA,WACA,QACmB;CACnB,MAAM,UAAU,IAAI,aAAa;CACjC,MAAM,MAAM,MAAM,OAAO,OAAO,UAC/B,OACA,QAAQ,OAAO,OAAO,EACtB;EAAE,MAAM;EAAQ,MAAM;EAAW,EACjC,OACA,CAAC,SAAS,CACV;CAGD,MAAM,YAAyB,IAAI,YAAY,UAAU,WAAW;AACpE,KAAI,WAAW,UAAU,CAAC,IAAI,UAAU;AACxC,QAAO,OAAO,OAAO,OAAO,QAAQ,KAAK,WAAW,QAAQ,OAAO,KAAK,CAAC;;;;;;;;;;;;;;AAe1E,eAAsB,qBAAqB,SAAuD;CACjG,MAAM,EAAE,WAAW,YAAY,MAAM,WAAW;AAEhD,KAAI,CAAC,OACJ,OAAM,IAAI,MAAM,6BAA6B;AAG9C,KAAI,CAAC,aAAa,CAAC,UAAU,SAAS,IAAI,CACzC,OAAM,IAAI,MAAM,iDAA+C;CAGhE,MAAM,MAAM,KAAK,MAAM,KAAK,KAAK,GAAG,IAAK;CAGzC,MAAM,UAA+B;EACpC,KAAK;EACL,KAAK,MAJW,cAAc,UAAU;EAKxC,KAAK;EACL;CAGD,MAAM,cAAc,KAAK,UAAU,QAAQ;CAC3C,MAAM,iBAAiB,gBAAgB,IAAI,aAAa,CAAC,OAAO,YAAY,CAAC;AAM7E,QAAO,GAAG,eAAe,GAFA,gBADP,MAAM,gBAAgB,gBAAgB,OAAO,CACZ;;;;;;;;;;;;;;;;;;;;;;;;AA+CpD,eAAsB,mBACrB,SACoC;CACpC,MAAM,EAAE,WAAW;AAEnB,KAAI,CAAC,OACJ,OAAM,IAAI,MAAM,6BAA6B;CAI9C,MAAM,QAAQ,SAAS,UAAU,QAAQ,IAAI,aAAa,IAAI,WAAW,GAAG,QAAQ;AAGpF,KAAI,CAAC,MACJ,QAAO;EAAE,OAAO;EAAO,OAAO;EAAQ;CAIvC,MAAM,QAAQ,MAAM,MAAM,IAAI;AAC9B,KAAI,MAAM,WAAW,EACpB,QAAO;EAAE,OAAO;EAAO,OAAO;EAAa;CAG5C,MAAM,CAAC,gBAAgB,oBAAoB;CAG3C,IAAI;AACJ,KAAI;AACH,cAAY,gBAAgB,iBAAiB;SACtC;AACP,SAAO;GAAE,OAAO;GAAO,OAAO;GAAa;;AAI5C,KAAI,CADY,MAAM,gBAAgB,gBAAgB,WAAW,OAAO,CAEvE,QAAO;EAAE,OAAO;EAAO,OAAO;EAAW;CAI1C,IAAI;AACJ,KAAI;EACH,MAAM,eAAe,gBAAgB,eAAe;EACpD,MAAM,cAAc,IAAI,aAAa,CAAC,OAAO,aAAa;AAC1D,YAAU,KAAK,MAAM,YAAY;SAC1B;AACP,SAAO;GAAE,OAAO;GAAO,OAAO;GAAa;;AAI5C,KACC,OAAO,QAAQ,QAAQ,YACvB,OAAO,QAAQ,QAAQ,YACvB,OAAO,QAAQ,QAAQ,SAEvB,QAAO;EAAE,OAAO;EAAO,OAAO;EAAa;CAI5C,MAAM,MAAM,KAAK,MAAM,KAAK,KAAK,GAAG,IAAK;AACzC,KAAI,QAAQ,MAAM,IACjB,QAAO;EAAE,OAAO;EAAO,OAAO;EAAW;AAG1C,QAAO;EAAE,OAAO;EAAM;EAAS;;;;;AAMhC,SAAgB,eAAe,WAG7B;CACD,MAAM,aAAa,UAAU,QAAQ,IAAI;AACzC,KAAI,eAAe,GAClB,OAAM,IAAI,MAAM,iDAA+C;AAEhE,QAAO;EACN,YAAY,UAAU,MAAM,GAAG,WAAW;EAC1C,IAAI,UAAU,MAAM,aAAa,EAAE;EACnC"}
+{"version":3,"file":"tokens-DrB-W6Q-.mjs","names":[],"sources":["../src/preview/tokens.ts"],"sourcesContent":["/**\n * Preview token generation and verification\n *\n * Tokens are compact, URL-safe, and HMAC-signed.\n * Format: base64url(JSON payload).base64url(HMAC signature)\n *\n * Payload: { cid: contentId, exp: expiryTimestamp, iat: issuedAt }\n */\n\nimport { encodeBase64url, decodeBase64url } from \"../utils/base64.js\";\n\n// Regex pattern for duration parsing\nconst DURATION_PATTERN = /^(\\d+)([smhdw])$/;\n\n/**\n * Preview token payload\n */\nexport interface PreviewTokenPayload {\n\t/** Content ID in format \"collection:id\" (e.g., \"posts:abc123\") */\n\tcid: string;\n\t/** Expiry timestamp (seconds since epoch) */\n\texp: number;\n\t/** Issued at timestamp (seconds since epoch) */\n\tiat: number;\n}\n\n/**\n * Options for generating a preview token\n */\nexport interface GeneratePreviewTokenOptions {\n\t/** Content ID in format \"collection:id\" */\n\tcontentId: string;\n\t/** How long the token is valid. Accepts \"1h\", \"30m\", \"1d\", or seconds as number. Default: \"1h\" */\n\texpiresIn?: string | number;\n\t/** Secret key for signing. Should be from environment variable. */\n\tsecret: string;\n}\n\n/**\n * Parse duration string to seconds\n * Supports: \"1h\", \"30m\", \"1d\", \"2w\", or raw seconds\n */\nfunction parseDuration(duration: string | number): number {\n\tif (typeof duration === \"number\") {\n\t\treturn duration;\n\t}\n\n\tconst match = duration.match(DURATION_PATTERN);\n\tif (!match) {\n\t\tthrow new Error(\n\t\t\t`Invalid duration format: \"${duration}\". Use \"1h\", \"30m\", \"1d\", \"2w\", or seconds.`,\n\t\t);\n\t}\n\n\tconst value = parseInt(match[1], 10);\n\tconst unit = match[2];\n\n\tswitch (unit) {\n\t\tcase \"s\":\n\t\t\treturn value;\n\t\tcase \"m\":\n\t\t\treturn value * 60;\n\t\tcase \"h\":\n\t\t\treturn value * 60 * 60;\n\t\tcase \"d\":\n\t\t\treturn value * 60 * 60 * 24;\n\t\tcase \"w\":\n\t\t\treturn value * 60 * 60 * 24 * 7;\n\t\tdefault:\n\t\t\tthrow new Error(`Unknown duration unit: ${unit}`);\n\t}\n}\n\n/**\n * Create HMAC-SHA256 signature using Web Crypto API\n */\nasync function createSignature(data: string, secret: string): Promise<Uint8Array> {\n\tconst encoder = new TextEncoder();\n\tconst key = await crypto.subtle.importKey(\n\t\t\"raw\",\n\t\tencoder.encode(secret),\n\t\t{ name: \"HMAC\", hash: \"SHA-256\" },\n\t\tfalse,\n\t\t[\"sign\"],\n\t);\n\tconst signature = await crypto.subtle.sign(\"HMAC\", key, encoder.encode(data));\n\treturn new Uint8Array(signature);\n}\n\n/**\n * Verify HMAC-SHA256 signature\n */\nasync function verifySignature(\n\tdata: string,\n\tsignature: Uint8Array,\n\tsecret: string,\n): Promise<boolean> {\n\tconst encoder = new TextEncoder();\n\tconst key = await crypto.subtle.importKey(\n\t\t\"raw\",\n\t\tencoder.encode(secret),\n\t\t{ name: \"HMAC\", hash: \"SHA-256\" },\n\t\tfalse,\n\t\t[\"verify\"],\n\t);\n\t// Create a new ArrayBuffer from the signature to satisfy BufferSource typing\n\t// (Uint8Array.buffer is ArrayBufferLike which includes SharedArrayBuffer)\n\tconst sigBuffer: ArrayBuffer = new ArrayBuffer(signature.byteLength);\n\tnew Uint8Array(sigBuffer).set(signature);\n\treturn crypto.subtle.verify(\"HMAC\", key, sigBuffer, encoder.encode(data));\n}\n\n/**\n * Generate a preview token for content\n *\n * @example\n * ```ts\n * const token = await generatePreviewToken({\n *   contentId: \"posts:abc123\",\n *   expiresIn: \"1h\",\n *   secret: process.env.PREVIEW_SECRET!,\n * });\n * ```\n */\nexport async function generatePreviewToken(options: GeneratePreviewTokenOptions): Promise<string> {\n\tconst { contentId, expiresIn = \"1h\", secret } = options;\n\n\tif (!secret) {\n\t\tthrow new Error(\"Preview secret is required\");\n\t}\n\n\tif (!contentId || !contentId.includes(\":\")) {\n\t\tthrow new Error('Content ID must be in format \"collection:id\"');\n\t}\n\n\tconst now = Math.floor(Date.now() / 1000);\n\tconst duration = parseDuration(expiresIn);\n\n\tconst payload: PreviewTokenPayload = {\n\t\tcid: contentId,\n\t\texp: now + duration,\n\t\tiat: now,\n\t};\n\n\t// Encode payload\n\tconst payloadJson = JSON.stringify(payload);\n\tconst encodedPayload = encodeBase64url(new TextEncoder().encode(payloadJson));\n\n\t// Sign it\n\tconst signature = await createSignature(encodedPayload, secret);\n\tconst encodedSignature = encodeBase64url(signature);\n\n\treturn `${encodedPayload}.${encodedSignature}`;\n}\n\n/**\n * Result of verifying a preview token\n */\nexport type VerifyPreviewTokenResult =\n\t| { valid: true; payload: PreviewTokenPayload }\n\t| { valid: false; error: \"invalid\" | \"expired\" | \"malformed\" | \"none\" };\n\n/**\n * Options for verifyPreviewToken\n */\nexport type VerifyPreviewTokenOptions = {\n\t/** Secret key for verifying tokens */\n\tsecret: string;\n} & (\n\t| { /** URL to extract _preview token from */ url: URL }\n\t| {\n\t\t\t/** Preview token string (can be null) */ token: string | null | undefined;\n\t  }\n);\n\n/**\n * Verify a preview token and return the payload\n *\n * @example\n * ```ts\n * // With URL (extracts _preview query param)\n * const result = await verifyPreviewToken({\n *   url: Astro.url,\n *   secret: import.meta.env.PREVIEW_SECRET,\n * });\n *\n * // With token directly\n * const result = await verifyPreviewToken({\n *   token: someToken,\n *   secret: import.meta.env.PREVIEW_SECRET,\n * });\n *\n * if (result.valid) {\n *   console.log(result.payload.cid); // \"posts:abc123\"\n * }\n * ```\n */\nexport async function verifyPreviewToken(\n\toptions: VerifyPreviewTokenOptions,\n): Promise<VerifyPreviewTokenResult> {\n\tconst { secret } = options;\n\n\tif (!secret) {\n\t\tthrow new Error(\"Preview secret is required\");\n\t}\n\n\t// Extract token from URL or use provided token\n\tconst token = \"url\" in options ? options.url.searchParams.get(\"_preview\") : options.token;\n\n\t// Handle null/undefined token\n\tif (!token) {\n\t\treturn { valid: false, error: \"none\" };\n\t}\n\n\t// Split token into payload and signature\n\tconst parts = token.split(\".\");\n\tif (parts.length !== 2) {\n\t\treturn { valid: false, error: \"malformed\" };\n\t}\n\n\tconst [encodedPayload, encodedSignature] = parts;\n\n\t// Verify signature\n\tlet signature: Uint8Array;\n\ttry {\n\t\tsignature = decodeBase64url(encodedSignature);\n\t} catch {\n\t\treturn { valid: false, error: \"malformed\" };\n\t}\n\n\tconst isValid = await verifySignature(encodedPayload, signature, secret);\n\tif (!isValid) {\n\t\treturn { valid: false, error: \"invalid\" };\n\t}\n\n\t// Decode and parse payload\n\tlet payload: PreviewTokenPayload;\n\ttry {\n\t\tconst payloadBytes = decodeBase64url(encodedPayload);\n\t\tconst payloadJson = new TextDecoder().decode(payloadBytes);\n\t\tpayload = JSON.parse(payloadJson);\n\t} catch {\n\t\treturn { valid: false, error: \"malformed\" };\n\t}\n\n\t// Check required fields\n\tif (\n\t\ttypeof payload.cid !== \"string\" ||\n\t\ttypeof payload.exp !== \"number\" ||\n\t\ttypeof payload.iat !== \"number\"\n\t) {\n\t\treturn { valid: false, error: \"malformed\" };\n\t}\n\n\t// Check expiry\n\tconst now = Math.floor(Date.now() / 1000);\n\tif (payload.exp < now) {\n\t\treturn { valid: false, error: \"expired\" };\n\t}\n\n\treturn { valid: true, payload };\n}\n\n/**\n * Parse a content ID into collection and id\n */\nexport function parseContentId(contentId: string): {\n\tcollection: string;\n\tid: string;\n} {\n\tconst colonIndex = contentId.indexOf(\":\");\n\tif (colonIndex === -1) {\n\t\tthrow new Error('Content ID must be in format \"collection:id\"');\n\t}\n\treturn {\n\t\tcollection: contentId.slice(0, colonIndex),\n\t\tid: contentId.slice(colonIndex + 1),\n\t};\n}\n"],"mappings":";;;;;;;;;;;AAYA,MAAM,mBAAmB;;;;;AA8BzB,SAAS,cAAc,UAAmC;AACzD,KAAI,OAAO,aAAa,SACvB,QAAO;CAGR,MAAM,QAAQ,SAAS,MAAM,iBAAiB;AAC9C,KAAI,CAAC,MACJ,OAAM,IAAI,MACT,6BAA6B,SAAS,6CACtC;CAGF,MAAM,QAAQ,SAAS,MAAM,IAAI,GAAG;CACpC,MAAM,OAAO,MAAM;AAEnB,SAAQ,MAAR;EACC,KAAK,IACJ,QAAO;EACR,KAAK,IACJ,QAAO,QAAQ;EAChB,KAAK,IACJ,QAAO,QAAQ,KAAK;EACrB,KAAK,IACJ,QAAO,QAAQ,KAAK,KAAK;EAC1B,KAAK,IACJ,QAAO,QAAQ,KAAK,KAAK,KAAK;EAC/B,QACC,OAAM,IAAI,MAAM,0BAA0B,OAAO;;;;;;AAOpD,eAAe,gBAAgB,MAAc,QAAqC;CACjF,MAAM,UAAU,IAAI,aAAa;CACjC,MAAM,MAAM,MAAM,OAAO,OAAO,UAC/B,OACA,QAAQ,OAAO,OAAO,EACtB;EAAE,MAAM;EAAQ,MAAM;EAAW,EACjC,OACA,CAAC,OAAO,CACR;CACD,MAAM,YAAY,MAAM,OAAO,OAAO,KAAK,QAAQ,KAAK,QAAQ,OAAO,KAAK,CAAC;AAC7E,QAAO,IAAI,WAAW,UAAU;;;;;AAMjC,eAAe,gBACd,MACA,WACA,QACmB;CACnB,MAAM,UAAU,IAAI,aAAa;CACjC,MAAM,MAAM,MAAM,OAAO,OAAO,UAC/B,OACA,QAAQ,OAAO,OAAO,EACtB;EAAE,MAAM;EAAQ,MAAM;EAAW,EACjC,OACA,CAAC,SAAS,CACV;CAGD,MAAM,YAAyB,IAAI,YAAY,UAAU,WAAW;AACpE,KAAI,WAAW,UAAU,CAAC,IAAI,UAAU;AACxC,QAAO,OAAO,OAAO,OAAO,QAAQ,KAAK,WAAW,QAAQ,OAAO,KAAK,CAAC;;;;;;;;;;;;;;AAe1E,eAAsB,qBAAqB,SAAuD;CACjG,MAAM,EAAE,WAAW,YAAY,MAAM,WAAW;AAEhD,KAAI,CAAC,OACJ,OAAM,IAAI,MAAM,6BAA6B;AAG9C,KAAI,CAAC,aAAa,CAAC,UAAU,SAAS,IAAI,CACzC,OAAM,IAAI,MAAM,iDAA+C;CAGhE,MAAM,MAAM,KAAK,MAAM,KAAK,KAAK,GAAG,IAAK;CAGzC,MAAM,UAA+B;EACpC,KAAK;EACL,KAAK,MAJW,cAAc,UAAU;EAKxC,KAAK;EACL;CAGD,MAAM,cAAc,KAAK,UAAU,QAAQ;CAC3C,MAAM,iBAAiB,gBAAgB,IAAI,aAAa,CAAC,OAAO,YAAY,CAAC;AAM7E,QAAO,GAAG,eAAe,GAFA,gBADP,MAAM,gBAAgB,gBAAgB,OAAO,CACZ;;;;;;;;;;;;;;;;;;;;;;;;AA+CpD,eAAsB,mBACrB,SACoC;CACpC,MAAM,EAAE,WAAW;AAEnB,KAAI,CAAC,OACJ,OAAM,IAAI,MAAM,6BAA6B;CAI9C,MAAM,QAAQ,SAAS,UAAU,QAAQ,IAAI,aAAa,IAAI,WAAW,GAAG,QAAQ;AAGpF,KAAI,CAAC,MACJ,QAAO;EAAE,OAAO;EAAO,OAAO;EAAQ;CAIvC,MAAM,QAAQ,MAAM,MAAM,IAAI;AAC9B,KAAI,MAAM,WAAW,EACpB,QAAO;EAAE,OAAO;EAAO,OAAO;EAAa;CAG5C,MAAM,CAAC,gBAAgB,oBAAoB;CAG3C,IAAI;AACJ,KAAI;AACH,cAAY,gBAAgB,iBAAiB;SACtC;AACP,SAAO;GAAE,OAAO;GAAO,OAAO;GAAa;;AAI5C,KAAI,CADY,MAAM,gBAAgB,gBAAgB,WAAW,OAAO,CAEvE,QAAO;EAAE,OAAO;EAAO,OAAO;EAAW;CAI1C,IAAI;AACJ,KAAI;EACH,MAAM,eAAe,gBAAgB,eAAe;EACpD,MAAM,cAAc,IAAI,aAAa,CAAC,OAAO,aAAa;AAC1D,YAAU,KAAK,MAAM,YAAY;SAC1B;AACP,SAAO;GAAE,OAAO;GAAO,OAAO;GAAa;;AAI5C,KACC,OAAO,QAAQ,QAAQ,YACvB,OAAO,QAAQ,QAAQ,YACvB,OAAO,QAAQ,QAAQ,SAEvB,QAAO;EAAE,OAAO;EAAO,OAAO;EAAa;CAI5C,MAAM,MAAM,KAAK,MAAM,KAAK,KAAK,GAAG,IAAK;AACzC,KAAI,QAAQ,MAAM,IACjB,QAAO;EAAE,OAAO;EAAO,OAAO;EAAW;AAG1C,QAAO;EAAE,OAAO;EAAM;EAAS;;;;;AAMhC,SAAgB,eAAe,WAG7B;CACD,MAAM,aAAa,UAAU,QAAQ,IAAI;AACzC,KAAI,eAAe,GAClB,OAAM,IAAI,MAAM,iDAA+C;AAEhE,QAAO;EACN,YAAY,UAAU,MAAM,GAAG,WAAW;EAC1C,IAAI,UAAU,MAAM,aAAa,EAAE;EACnC"}

package/dist/{types-BRuPJGdV.d.mts → types-BbsYgi_R.d.mts}

@@ -9,6 +9,8 @@ interface CreateContentInput {
   locale?: string;
   translationOf?: string;
   publishedAt?: string | null;
+  /** Override created_at (ISO 8601). Used by importers to preserve original dates. */
+  createdAt?: string | null;
 }
 interface UpdateContentInput {
   data?: Record<string, unknown>;
@@ -99,4 +101,4 @@ declare class EmDashValidationError extends Error {
 }
 //#endregion
 export { ContentSeoInput as a, FindManyOptions as c, ContentSeo as i, FindManyResult as l, ContentBylineCredit as n, CreateContentInput as o, ContentItem as r, EmDashValidationError as s, BylineSummary as t, UpdateContentInput as u };
-//# sourceMappingURL=types-BRuPJGdV.d.mts.map
+//# sourceMappingURL=types-BbsYgi_R.d.mts.map

package/dist/types-BbsYgi_R.d.mts.map

@@ -0,0 +1 @@
+{"version":3,"file":"types-BbsYgi_R.d.mts","names":[],"sources":["../src/database/repositories/types.ts"],"mappings":";UAEiB,kBAAA;EAChB,IAAA;EACA,IAAA;EACA,IAAA,EAAM,MAAA;EACN,MAAA;EACA,QAAA;EACA,eAAA;EACA,MAAA;EACA,aAAA;EACA,WAAA;EAJA;EAMA,SAAA;AAAA;AAAA,UAGgB,kBAAA;EAChB,IAAA,GAAO,MAAA;EACP,MAAA;EACA,IAAA;EACA,WAAA;EACA,WAAA;EACA,QAAA;EACA,eAAA;AAAA;;UAIgB,UAAA;EAChB,KAAA;EACA,WAAA;EACA,KAAA;EACA,SAAA;EACA,OAAA;AAAA;;UAIgB,eAAA;EAChB,KAAA;EACA,WAAA;EACA,KAAA;EACA,SAAA;EACA,OAAA;AAAA;AAAA,UAGgB,aAAA;EAChB,EAAA;EACA,IAAA;EACA,WAAA;EACA,GAAA;EACA,aAAA;EACA,UAAA;EACA,MAAA;EACA,OAAA;EACA,SAAA;EACA,SAAA;AAAA;AAAA,UAGgB,mBAAA;EAChB,MAAA,EAAQ,aAAA;EACR,SAAA;EACA,SAAA;EAhBgB;EAkBhB,MAAA;AAAA;AAAA,UAGgB,eAAA;EAChB,KAAA;IACC,MAAA;IACA,QAAA;IACA,MAAA;EAAA;EAED,OAAA;IACC,KAAA;IACA,SAAA;EAAA;EAED,KAAA;EACA,MAAA;AAAA;AAAA,UAGgB,cAAA;EAChB,KAAA,EAAO,CAAA;EACP,UAAA;AAAA;AAAA,UAqBgB,WAAA;EAChB,EAAA;EACA,IAAA;EACA,IAAA;EACA,MAAA;EACA,IAAA,EAAM,MAAA;EACN,QAAA;EACA,eAAA;EACA,MAAA,GAAS,aAAA;EACT,OAAA,GAAU,mBAAA;EACV,SAAA;EACA,SAAA;EACA,WAAA;EACA,WAAA;EACA,cAAA;EACA,eAAA;EACA,OAAA;EACA,MAAA;EACA,gBAAA;EAzC+B;EA2C/B,GAAA,GAAM,UAAA;AAAA;AAAA,cAGM,qBAAA,SAA8B,KAAA;EAGlC,OAAA;cADP,OAAA,UACO,OAAA;AAAA"}

package/dist/{types-CUBbjgmP.mjs → types-Bec-r_3_.mjs}

@@ -13,4 +13,4 @@ var EmDashStorageError = class extends Error {
 
 //#endregion
 export { EmDashStorageError as t };
-//# sourceMappingURL=types-CUBbjgmP.mjs.map
+//# sourceMappingURL=types-Bec-r_3_.mjs.map

package/dist/types-Bec-r_3_.mjs.map

@@ -0,0 +1 @@
+{"version":3,"file":"types-Bec-r_3_.mjs","names":[],"sources":["../src/storage/types.ts"],"sourcesContent":["/**\n * Storage Layer Types\n *\n * Defines the interface for S3-compatible storage backends.\n * Works with R2, AWS S3, Minio, and other S3-compatible services.\n */\n\n/**\n * Storage configuration for S3-compatible backends\n */\nexport interface S3StorageConfig {\n\t/** S3 endpoint URL (e.g., \"https://xxx.r2.cloudflarestorage.com\") */\n\tendpoint: string;\n\t/** Bucket name */\n\tbucket: string;\n\t/**\n\t * AWS access key ID.\n\t * May be resolved from the `S3_ACCESS_KEY_ID` env var at runtime on Node.\n\t * Must be provided together with `secretAccessKey`, or both omitted.\n\t */\n\taccessKeyId?: string;\n\t/**\n\t * AWS secret access key.\n\t * May be resolved from the `S3_SECRET_ACCESS_KEY` env var at runtime on Node.\n\t * Must be provided together with `accessKeyId`, or both omitted.\n\t */\n\tsecretAccessKey?: string;\n\t/** Optional region (defaults to \"auto\") */\n\tregion?: string;\n\t/** Optional public URL prefix for generated URLs (e.g., CDN URL) */\n\tpublicUrl?: string;\n}\n\n/**\n * Local filesystem storage for development\n */\nexport interface LocalStorageConfig {\n\t/** Directory path for storing files */\n\tdirectory: string;\n\t/** Base URL for serving files */\n\tbaseUrl: string;\n}\n\n/**\n * Storage adapter descriptor (serializable config)\n */\nexport interface StorageDescriptor {\n\t/** Module path exporting createStorage function */\n\tentrypoint: string;\n\t/** Serializable config passed to createStorage at runtime */\n\tconfig: Record<string, unknown>;\n}\n\n/**\n * Factory function signature for storage adapters\n *\n * Each adapter accesses its own bindings directly:\n * - R2: imports from cloudflare:workers\n * - S3: uses credentials from config\n * - Local: uses filesystem path from config\n */\nexport type CreateStorageFn = (config: Record<string, unknown>) => Storage;\n\n/**\n * Upload result\n */\nexport interface UploadResult {\n\t/** Storage key (path within bucket) */\n\tkey: string;\n\t/** Public URL to access the file */\n\turl: string;\n\t/** File size in bytes */\n\tsize: number;\n}\n\n/**\n * Download result\n */\nexport interface DownloadResult {\n\t/** File content as readable stream */\n\tbody: ReadableStream<Uint8Array>;\n\t/** MIME type */\n\tcontentType: string;\n\t/** File size in bytes */\n\tsize: number;\n}\n\n/**\n * Signed URL for direct upload\n */\nexport interface SignedUploadUrl {\n\t/** Signed URL for PUT request */\n\turl: string;\n\t/** HTTP method (always PUT) */\n\tmethod: \"PUT\";\n\t/** Headers to include in the upload request */\n\theaders: Record<string, string>;\n\t/** URL expiration time (ISO string) */\n\texpiresAt: string;\n}\n\n/**\n * Options for generating signed upload URL\n */\nexport interface SignedUploadOptions {\n\t/** Storage key (path within bucket) */\n\tkey: string;\n\t/** MIME type of the file */\n\tcontentType: string;\n\t/** File size in bytes (for content-length validation) */\n\tsize?: number;\n\t/** URL expiration in seconds (default: 3600) */\n\texpiresIn?: number;\n}\n\n/**\n * File listing result\n */\nexport interface ListResult {\n\t/** List of files */\n\tfiles: FileInfo[];\n\t/** Cursor for next page (if more results) */\n\tnextCursor?: string;\n}\n\n/**\n * File info from listing\n */\nexport interface FileInfo {\n\t/** Storage key */\n\tkey: string;\n\t/** File size in bytes */\n\tsize: number;\n\t/** Last modified date */\n\tlastModified: Date;\n\t/** ETag (content hash) */\n\tetag?: string;\n}\n\n/**\n * Options for listing files\n */\nexport interface ListOptions {\n\t/** Filter by key prefix */\n\tprefix?: string;\n\t/** Maximum results per page */\n\tlimit?: number;\n\t/** Cursor from previous list call */\n\tcursor?: string;\n}\n\n/**\n * Storage interface\n *\n * All storage backends must implement this interface.\n */\nexport interface Storage {\n\t/**\n\t * Upload a file to storage\n\t */\n\tupload(options: {\n\t\tkey: string;\n\t\tbody: Buffer | Uint8Array | ReadableStream<Uint8Array>;\n\t\tcontentType: string;\n\t}): Promise<UploadResult>;\n\n\t/**\n\t * Download a file from storage\n\t */\n\tdownload(key: string): Promise<DownloadResult>;\n\n\t/**\n\t * Delete a file from storage\n\t * Idempotent - does not throw if file doesn't exist\n\t */\n\tdelete(key: string): Promise<void>;\n\n\t/**\n\t * Check if a file exists\n\t */\n\texists(key: string): Promise<boolean>;\n\n\t/**\n\t * List files in storage\n\t */\n\tlist(options?: ListOptions): Promise<ListResult>;\n\n\t/**\n\t * Generate a signed URL for direct upload\n\t * Client uploads directly to storage, bypassing the server\n\t */\n\tgetSignedUploadUrl(options: SignedUploadOptions): Promise<SignedUploadUrl>;\n\n\t/**\n\t * Get public URL for a file\n\t */\n\tgetPublicUrl(key: string): string;\n}\n\n/**\n * Storage error with additional context\n */\nexport class EmDashStorageError extends Error {\n\tconstructor(\n\t\tmessage: string,\n\t\tpublic code: string,\n\t\tpublic override cause?: unknown,\n\t) {\n\t\tsuper(message);\n\t\tthis.name = \"EmDashStorageError\";\n\t}\n}\n"],"mappings":";;;;AA0MA,IAAa,qBAAb,cAAwC,MAAM;CAC7C,YACC,SACA,AAAO,MACP,AAAgB,OACf;AACD,QAAM,QAAQ;EAHP;EACS;AAGhB,OAAK,OAAO"}

package/dist/{types-DaNLHo_T.d.mts → types-C1-PVaS_.d.mts}

@@ -13,11 +13,19 @@ interface S3StorageConfig {
   endpoint: string;
   /** Bucket name */
   bucket: string;
-  /** AWS access key ID */
-  accessKeyId: string;
-  /** AWS secret access key */
-  secretAccessKey: string;
-  /** Optional region (defaults to "auto" for R2) */
+  /**
+   * AWS access key ID.
+   * May be resolved from the `S3_ACCESS_KEY_ID` env var at runtime on Node.
+   * Must be provided together with `secretAccessKey`, or both omitted.
+   */
+  accessKeyId?: string;
+  /**
+   * AWS secret access key.
+   * May be resolved from the `S3_SECRET_ACCESS_KEY` env var at runtime on Node.
+   * Must be provided together with `accessKeyId`, or both omitted.
+   */
+  secretAccessKey?: string;
+  /** Optional region (defaults to "auto") */
   region?: string;
   /** Optional public URL prefix for generated URLs (e.g., CDN URL) */
   publicUrl?: string;
@@ -181,4 +189,4 @@ declare class EmDashStorageError extends Error {
 }
 //#endregion
 export { ListOptions as a, S3StorageConfig as c, Storage as d, StorageDescriptor as f, FileInfo as i, SignedUploadOptions as l, DownloadResult as n, ListResult as o, UploadResult as p, EmDashStorageError as r, LocalStorageConfig as s, CreateStorageFn as t, SignedUploadUrl as u };
-//# sourceMappingURL=types-DaNLHo_T.d.mts.map
+//# sourceMappingURL=types-C1-PVaS_.d.mts.map

package/dist/types-C1-PVaS_.d.mts.map

@@ -0,0 +1 @@
+{"version":3,"file":"types-C1-PVaS_.d.mts","names":[],"sources":["../src/storage/types.ts"],"mappings":";;AAUA;;;;;;;;UAAiB,eAAA;EAoBhB;EAlBA,QAAA;EAkBS;EAhBT,MAAA;EAsBkC;;;;AAUnC;EA1BC,WAAA;;;;;;EAMA,eAAA;EAwBc;EAtBd,MAAA;EAiC0B;EA/B1B,SAAA;AAAA;;;;UAMgB,kBAAA;EAyByD;EAvBzE,SAAA;EA4B4B;EA1B5B,OAAA;AAAA;;;;UAMgB,iBAAA;EA0BZ;EAxBJ,UAAA;EA8B8B;EA5B9B,MAAA,EAAQ,MAAA;AAAA;;;;;;;;AAwCT;KA7BY,eAAA,IAAmB,MAAA,EAAQ,MAAA,sBAA4B,OAAA;;;;UAKlD,YAAA;EA8BhB;EA5BA,GAAA;EA8BA;EA5BA,GAAA;EA4BS;EA1BT,IAAA;AAAA;;;;UAMgB,cAAA;EAgChB;EA9BA,IAAA,EAAM,cAAA,CAAe,UAAA;EAgCZ;EA9BT,WAAA;EAoCgB;EAlChB,IAAA;AAAA;;;;UAMgB,eAAA;EAgCN;EA9BV,GAAA;EAoCgB;EAlChB,MAAA;;EAEA,OAAA,EAAS,MAAA;EAkCT;EAhCA,SAAA;AAAA;;;;UAMgB,mBAAA;EAsCA;EApChB,GAAA;;EAEA,WAAA;EAoCA;EAlCA,IAAA;EAsCA;EApCA,SAAA;AAAA;AA4CD;;;AAAA,UAtCiB,UAAA;EA4CA;EA1ChB,KAAA,EAAO,QAAA;EA0CsB;EAxC7B,UAAA;AAAA;;;;UAMgB,QAAA;EAyDD;EAvDf,GAAA;EAuD6B;EArD7B,IAAA;EA2D0D;EAzD1D,YAAA,EAAc,IAAA;EAyD2C;EAvDzD,IAAA;AAAA;;;;UAMgB,WAAA;EAoBa;EAlB7B,MAAA;EAmBC;EAjBD,KAAA;EAkBI;EAhBJ,MAAA;AAAA;;;;;;UAQgB,OAAA;EAwBhB;;;EApBA,MAAA,CAAO,OAAA;IACN,GAAA;IACA,IAAA,EAAM,MAAA,GAAS,UAAA,GAAa,cAAA,CAAe,UAAA;IAC3C,WAAA;EAAA,IACG,OAAA,CAAQ,YAAA;EA2BZ;;;EAtBA,QAAA,CAAS,GAAA,WAAc,OAAA,CAAQ,cAAA;EAsB2B;;;;EAhB1D,MAAA,CAAO,GAAA,WAAc,OAAA;EA2BT;;;EAtBZ,MAAA,CAAO,GAAA,WAAc,OAAA;EAsBkB;;;EAjBvC,IAAA,CAAK,OAAA,GAAU,WAAA,GAAc,OAAA,CAAQ,UAAA;EAmBpC;;;;EAbD,kBAAA,CAAmB,OAAA,EAAS,mBAAA,GAAsB,OAAA,CAAQ,eAAA;;;;EAK1D,YAAA,CAAa,GAAA;AAAA;;;;cAMD,kBAAA,SAA2B,KAAA;EAG/B,IAAA;EACS,KAAA;cAFhB,OAAA,UACO,IAAA,UACS,KAAA;AAAA"}

package/dist/types-CMMN0pNg.mjs.map

@@ -1 +1 @@
-{"version":3,"file":"types-CMMN0pNg.mjs","names":[],"sources":["../src/database/repositories/types.ts"],"sourcesContent":["import { encodeBase64, decodeBase64 } from \"../../utils/base64.js\";\n\nexport interface CreateContentInput {\n\ttype: string;\n\tslug?: string | null;\n\tdata: Record<string, unknown>;\n\tstatus?: string;\n\tauthorId?: string;\n\tprimaryBylineId?: string | null;\n\tlocale?: string;\n\ttranslationOf?: string;\n\tpublishedAt?: string | null;\n}\n\nexport interface UpdateContentInput {\n\tdata?: Record<string, unknown>;\n\tstatus?: string;\n\tslug?: string | null;\n\tpublishedAt?: string | null;\n\tscheduledAt?: string | null;\n\tauthorId?: string | null;\n\tprimaryBylineId?: string | null;\n}\n\n/** SEO fields for content items */\nexport interface ContentSeo {\n\ttitle: string | null;\n\tdescription: string | null;\n\timage: string | null;\n\tcanonical: string | null;\n\tnoIndex: boolean;\n}\n\n/** Input for updating SEO fields on content */\nexport interface ContentSeoInput {\n\ttitle?: string | null;\n\tdescription?: string | null;\n\timage?: string | null;\n\tcanonical?: string | null;\n\tnoIndex?: boolean;\n}\n\nexport interface BylineSummary {\n\tid: string;\n\tslug: string;\n\tdisplayName: string;\n\tbio: string | null;\n\tavatarMediaId: string | null;\n\twebsiteUrl: string | null;\n\tuserId: string | null;\n\tisGuest: boolean;\n\tcreatedAt: string;\n\tupdatedAt: string;\n}\n\nexport interface ContentBylineCredit {\n\tbyline: BylineSummary;\n\tsortOrder: number;\n\troleLabel: string | null;\n\t/** Whether this credit was explicitly assigned or inferred from authorId */\n\tsource?: \"explicit\" | \"inferred\";\n}\n\nexport interface FindManyOptions {\n\twhere?: {\n\t\tstatus?: string;\n\t\tauthorId?: string;\n\t\tlocale?: string;\n\t};\n\torderBy?: {\n\t\tfield: string;\n\t\tdirection: \"asc\" | \"desc\";\n\t};\n\tlimit?: number;\n\tcursor?: string; // Base64-encoded JSON: {orderValue: string, id: string}\n}\n\nexport interface FindManyResult<T> {\n\titems: T[];\n\tnextCursor?: string; // Base64-encoded JSON: {orderValue: string, id: string}\n}\n\n/** Encode a cursor from order value + id */\nexport function encodeCursor(orderValue: string, id: string): string {\n\treturn encodeBase64(JSON.stringify({ orderValue, id }));\n}\n\n/** Decode a cursor to order value + id. Returns null if invalid. */\nexport function decodeCursor(cursor: string): { orderValue: string; id: string } | null {\n\ttry {\n\t\tconst parsed = JSON.parse(decodeBase64(cursor));\n\t\tif (typeof parsed.orderValue === \"string\" && typeof parsed.id === \"string\") {\n\t\t\treturn parsed;\n\t\t}\n\t\treturn null;\n\t} catch {\n\t\treturn null;\n\t}\n}\n\nexport interface ContentItem {\n\tid: string;\n\ttype: string;\n\tslug: string | null;\n\tstatus: string;\n\tdata: Record<string, unknown>;\n\tauthorId: string | null;\n\tprimaryBylineId: string | null;\n\tbyline?: BylineSummary | null;\n\tbylines?: ContentBylineCredit[];\n\tcreatedAt: string;\n\tupdatedAt: string;\n\tpublishedAt: string | null;\n\tscheduledAt: string | null;\n\tliveRevisionId: string | null;\n\tdraftRevisionId: string | null;\n\tversion: number;\n\tlocale: string | null;\n\ttranslationGroup: string | null;\n\t/** SEO metadata — only populated for collections with `has_seo` enabled */\n\tseo?: ContentSeo;\n}\n\nexport class EmDashValidationError extends Error {\n\tconstructor(\n\t\tmessage: string,\n\t\tpublic details?: unknown,\n\t) {\n\t\tsuper(message);\n\t\tthis.name = \"EmDashValidationError\";\n\t}\n}\n"],"mappings":";;;;AAmFA,SAAgB,aAAa,YAAoB,IAAoB;AACpE,QAAO,aAAa,KAAK,UAAU;EAAE;EAAY;EAAI,CAAC,CAAC;;;AAIxD,SAAgB,aAAa,QAA2D;AACvF,KAAI;EACH,MAAM,SAAS,KAAK,MAAM,aAAa,OAAO,CAAC;AAC/C,MAAI,OAAO,OAAO,eAAe,YAAY,OAAO,OAAO,OAAO,SACjE,QAAO;AAER,SAAO;SACA;AACP,SAAO;;;AA2BT,IAAa,wBAAb,cAA2C,MAAM;CAChD,YACC,SACA,AAAO,SACN;AACD,QAAM,QAAQ;EAFP;AAGP,OAAK,OAAO"}
+{"version":3,"file":"types-CMMN0pNg.mjs","names":[],"sources":["../src/database/repositories/types.ts"],"sourcesContent":["import { encodeBase64, decodeBase64 } from \"../../utils/base64.js\";\n\nexport interface CreateContentInput {\n\ttype: string;\n\tslug?: string | null;\n\tdata: Record<string, unknown>;\n\tstatus?: string;\n\tauthorId?: string;\n\tprimaryBylineId?: string | null;\n\tlocale?: string;\n\ttranslationOf?: string;\n\tpublishedAt?: string | null;\n\t/** Override created_at (ISO 8601). Used by importers to preserve original dates. */\n\tcreatedAt?: string | null;\n}\n\nexport interface UpdateContentInput {\n\tdata?: Record<string, unknown>;\n\tstatus?: string;\n\tslug?: string | null;\n\tpublishedAt?: string | null;\n\tscheduledAt?: string | null;\n\tauthorId?: string | null;\n\tprimaryBylineId?: string | null;\n}\n\n/** SEO fields for content items */\nexport interface ContentSeo {\n\ttitle: string | null;\n\tdescription: string | null;\n\timage: string | null;\n\tcanonical: string | null;\n\tnoIndex: boolean;\n}\n\n/** Input for updating SEO fields on content */\nexport interface ContentSeoInput {\n\ttitle?: string | null;\n\tdescription?: string | null;\n\timage?: string | null;\n\tcanonical?: string | null;\n\tnoIndex?: boolean;\n}\n\nexport interface BylineSummary {\n\tid: string;\n\tslug: string;\n\tdisplayName: string;\n\tbio: string | null;\n\tavatarMediaId: string | null;\n\twebsiteUrl: string | null;\n\tuserId: string | null;\n\tisGuest: boolean;\n\tcreatedAt: string;\n\tupdatedAt: string;\n}\n\nexport interface ContentBylineCredit {\n\tbyline: BylineSummary;\n\tsortOrder: number;\n\troleLabel: string | null;\n\t/** Whether this credit was explicitly assigned or inferred from authorId */\n\tsource?: \"explicit\" | \"inferred\";\n}\n\nexport interface FindManyOptions {\n\twhere?: {\n\t\tstatus?: string;\n\t\tauthorId?: string;\n\t\tlocale?: string;\n\t};\n\torderBy?: {\n\t\tfield: string;\n\t\tdirection: \"asc\" | \"desc\";\n\t};\n\tlimit?: number;\n\tcursor?: string; // Base64-encoded JSON: {orderValue: string, id: string}\n}\n\nexport interface FindManyResult<T> {\n\titems: T[];\n\tnextCursor?: string; // Base64-encoded JSON: {orderValue: string, id: string}\n}\n\n/** Encode a cursor from order value + id */\nexport function encodeCursor(orderValue: string, id: string): string {\n\treturn encodeBase64(JSON.stringify({ orderValue, id }));\n}\n\n/** Decode a cursor to order value + id. Returns null if invalid. */\nexport function decodeCursor(cursor: string): { orderValue: string; id: string } | null {\n\ttry {\n\t\tconst parsed = JSON.parse(decodeBase64(cursor));\n\t\tif (typeof parsed.orderValue === \"string\" && typeof parsed.id === \"string\") {\n\t\t\treturn parsed;\n\t\t}\n\t\treturn null;\n\t} catch {\n\t\treturn null;\n\t}\n}\n\nexport interface ContentItem {\n\tid: string;\n\ttype: string;\n\tslug: string | null;\n\tstatus: string;\n\tdata: Record<string, unknown>;\n\tauthorId: string | null;\n\tprimaryBylineId: string | null;\n\tbyline?: BylineSummary | null;\n\tbylines?: ContentBylineCredit[];\n\tcreatedAt: string;\n\tupdatedAt: string;\n\tpublishedAt: string | null;\n\tscheduledAt: string | null;\n\tliveRevisionId: string | null;\n\tdraftRevisionId: string | null;\n\tversion: number;\n\tlocale: string | null;\n\ttranslationGroup: string | null;\n\t/** SEO metadata — only populated for collections with `has_seo` enabled */\n\tseo?: ContentSeo;\n}\n\nexport class EmDashValidationError extends Error {\n\tconstructor(\n\t\tmessage: string,\n\t\tpublic details?: unknown,\n\t) {\n\t\tsuper(message);\n\t\tthis.name = \"EmDashValidationError\";\n\t}\n}\n"],"mappings":";;;;AAqFA,SAAgB,aAAa,YAAoB,IAAoB;AACpE,QAAO,aAAa,KAAK,UAAU;EAAE;EAAY;EAAI,CAAC,CAAC;;;AAIxD,SAAgB,aAAa,QAA2D;AACvF,KAAI;EACH,MAAM,SAAS,KAAK,MAAM,aAAa,OAAO,CAAC;AAC/C,MAAI,OAAO,OAAO,eAAe,YAAY,OAAO,OAAO,OAAO,SACjE,QAAO;AAER,SAAO;SACA;AACP,SAAO;;;AA2BT,IAAa,wBAAb,cAA2C,MAAM;CAChD,YACC,SACA,AAAO,SACN;AACD,QAAM,QAAQ;EAFP;AAGP,OAAK,OAAO"}

package/dist/{types-BQo5JS0J.d.mts → types-CaKte3hR.d.mts}

@@ -207,6 +207,32 @@ interface KVAccess {
     value: unknown;
   }>>;
 }
+/**
+ * SEO metadata for a content item, as stored in the core SEO panel.
+ *
+ * Only present on items in collections with `has_seo = 1`. For collections
+ * without SEO enabled, `ContentItem.seo` is `undefined`.
+ */
+interface ContentItemSeo {
+  title: string | null;
+  description: string | null;
+  image: string | null;
+  canonical: string | null;
+  noIndex: boolean;
+}
+/**
+ * SEO input accepted by content write operations.
+ *
+ * All fields are optional — only fields that are present overwrite existing
+ * values. An empty object is treated as a no-op.
+ */
+interface ContentItemSeoInput {
+  title?: string | null;
+  description?: string | null;
+  image?: string | null;
+  canonical?: string | null;
+  noIndex?: boolean;
+}
 /**
  * Content item returned from content API
  */
@@ -214,6 +240,11 @@ interface ContentItem {
   id: string;
   type: string;
   data: Record<string, unknown>;
+  /**
+   * SEO metadata, populated when the collection has SEO enabled
+   * (`has_seo = 1`). `undefined` for non-SEO collections.
+   */
+  seo?: ContentItemSeo;
   createdAt: string;
   updatedAt: string;
 }
@@ -225,22 +256,33 @@ interface ContentListOptions {
   cursor?: string;
   orderBy?: Record<string, "asc" | "desc">;
 }
+/**
+ * Input accepted by `content.create` / `content.update`.
+ *
+ * Most entries are field slugs mapped to their values. The reserved `seo`
+ * key is extracted and routed to the core SEO panel (the `_emdash_seo`
+ * table), matching the shape accepted by the REST API. Passing `seo` for a
+ * collection that does not have SEO enabled throws a validation error.
+ */
+type ContentWriteInput = Record<string, unknown> & {
+  seo?: ContentItemSeoInput;
+};
 /**
  * Content access interface - capability-gated
  */
 interface ContentAccess {
   get(collection: string, id: string): Promise<ContentItem | null>;
   list(collection: string, options?: ContentListOptions): Promise<PaginatedResult<ContentItem>>;
-  create?(collection: string, data: Record<string, unknown>): Promise<ContentItem>;
-  update?(collection: string, id: string, data: Record<string, unknown>): Promise<ContentItem>;
+  create?(collection: string, data: ContentWriteInput): Promise<ContentItem>;
+  update?(collection: string, id: string, data: ContentWriteInput): Promise<ContentItem>;
   delete?(collection: string, id: string): Promise<boolean>;
 }
 /**
  * Full content access with write operations
  */
 interface ContentAccessWithWrite extends ContentAccess {
-  create(collection: string, data: Record<string, unknown>): Promise<ContentItem>;
-  update(collection: string, id: string, data: Record<string, unknown>): Promise<ContentItem>;
+  create(collection: string, data: ContentWriteInput): Promise<ContentItem>;
+  update(collection: string, id: string, data: ContentWriteInput): Promise<ContentItem>;
   delete(collection: string, id: string): Promise<boolean>;
 }
 /**
@@ -674,6 +716,16 @@ type LifecycleHandler = (event: LifecycleEvent, ctx: PluginContext) => Promise<v
 type UninstallHandler = (event: UninstallEvent, ctx: PluginContext) => Promise<void>;
 /** Placement targets for page fragment contributions */
 type PagePlacement = "head" | "body:start" | "body:end";
+/**
+ * A single breadcrumb trail item. Used by `PublicPageContext.breadcrumbs`
+ * so themes can publish breadcrumb trails that SEO plugins consume.
+ */
+interface BreadcrumbItem {
+  /** Display name for this crumb (e.g. "Home", "Blog", "My Post"). */
+  name: string;
+  /** Absolute or root-relative URL for this crumb. */
+  url: string;
+}
 /**
  * Describes the page being rendered. Passed to page hooks so plugins
  * can decide what to contribute without fetching content themselves.
@@ -684,7 +736,10 @@ interface PublicPageContext {
   locale: string | null;
   kind: "content" | "custom";
   pageType: string;
+  /** Full document title for the rendered page */
   title: string | null;
+  /** Page-only title for OG/Twitter/JSON-LD headline output */
+  pageTitle?: string | null;
   description: string | null;
   canonical: string | null;
   image: string | null;
@@ -708,6 +763,23 @@ interface PublicPageContext {
   };
   /** Site name for structured data and og:site_name */
   siteName?: string;
+  /**
+   * Optional breadcrumb trail for this page, root first. When set,
+   * SEO plugins should use this verbatim rather than deriving a trail
+   * from `path`. Themes typically populate this at the point they
+   * build the context (e.g. from a content hierarchy walk, taxonomy
+   * lookup, or per-`pageType` routing logic).
+   *
+   * Semantics for consumers:
+   *   - `undefined` — theme has no opinion; consumer falls back to
+   *     its own derivation.
+   *   - `[]` — this page has no breadcrumbs (e.g. homepage); consumer
+   *     should skip `BreadcrumbList` emission entirely.
+   *   - Non-empty array — used verbatim for `BreadcrumbList` output.
+   */
+  breadcrumbs?: BreadcrumbItem[];
+  /** Public-facing site URL (origin) for structured data */
+  siteUrl?: string;
 }
 interface PageMetadataEvent {
   page: PublicPageContext;
@@ -1120,5 +1192,5 @@ interface PluginManifest {
   admin: PluginAdminConfig;
 }
 //#endregion
-export { StandardRouteEntry as $, PageMetadataLinkRel as A, PluginRoute as B, ModerationDecision as C, PageMetadataContribution as D, PageFragmentHandler as E, PluginCapability as F, RequestMeta as G, PortableTextBlockConfig as H, PluginContext as I, ResolvedPluginHooks as J, ResolvedHook as K, PluginDefinition as L, PluginAdminConfig as M, PluginAdminExports as N, PageMetadataEvent as O, PluginAdminPage as P, StandardPluginDefinition as Q, PluginHooks as R, MediaUploadEvent as S, PageFragmentEvent as T, PortableTextBlockField as U, PluginStorageConfig as V, PublicPageContext as W, StandardHookEntry as X, RouteContext as Y, StandardHookHandler as Z, HttpAccess as _, CommentAfterModerateHandler as a, MediaAccess as b, CommentModerateEvent as c, ContentHookEvent as d, StandardRouteHandler as et, CronEvent as f, HookName as g, HookConfig as h, CommentAfterModerateEvent as i, Element as it, PagePlacement as j, PageMetadataHandler as k, CommentModerateHandler as l, FieldWidgetConfig as m, CommentAfterCreateEvent as n, StoredComment as nt, CommentBeforeCreateEvent as o, EmailMessage as p, ResolvedPlugin as q, CommentAfterCreateHandler as r, isStandardPluginDefinition as rt, CommentBeforeCreateHandler as s, CollectionCommentSettings as t, StorageCollection as tt, ContentAccess as u, KVAccess as v, PageFragmentContribution as w, MediaItem as x, LogAccess as y, PluginManifest as z };
-//# sourceMappingURL=types-BQo5JS0J.d.mts.map
+export { StandardPluginDefinition as $, PageMetadataHandler as A, PluginManifest as B, MediaUploadEvent as C, PageFragmentHandler as D, PageFragmentEvent as E, PluginAdminPage as F, PublicPageContext as G, PluginStorageConfig as H, PluginCapability as I, ResolvedPlugin as J, RequestMeta as K, PluginContext as L, PagePlacement as M, PluginAdminConfig as N, PageMetadataContribution as O, PluginAdminExports as P, StandardHookHandler as Q, PluginDefinition as R, MediaItem as S, PageFragmentContribution as T, PortableTextBlockConfig as U, PluginRoute as V, PortableTextBlockField as W, RouteContext as X, ResolvedPluginHooks as Y, StandardHookEntry as Z, HookName as _, CommentAfterModerateEvent as a, Element as at, LogAccess as b, CommentBeforeCreateHandler as c, ContentAccess as d, StandardRouteEntry as et, ContentHookEvent as f, HookConfig as g, FieldWidgetConfig as h, CommentAfterCreateHandler as i, isStandardPluginDefinition as it, PageMetadataLinkRel as j, PageMetadataEvent as k, CommentModerateEvent as l, EmailMessage as m, CollectionCommentSettings as n, StorageCollection as nt, CommentAfterModerateHandler as o, CronEvent as p, ResolvedHook as q, CommentAfterCreateEvent as r, StoredComment as rt, CommentBeforeCreateEvent as s, BreadcrumbItem as t, StandardRouteHandler as tt, CommentModerateHandler as u, HttpAccess as v, ModerationDecision as w, MediaAccess as x, KVAccess as y, PluginHooks as z };
+//# sourceMappingURL=types-CaKte3hR.d.mts.map