emdash 0.13.0 → 0.15.0

package/dist/{oauth-authorization-62GmpGIH.mjs.map → oauth-authorization-CTMeVfvj.mjs.map}

@@ -1 +1 @@
-{"version":3,"file":"oauth-authorization-62GmpGIH.mjs","names":[],"sources":["../src/api/handlers/oauth-authorization.ts"],"sourcesContent":["/**\n * OAuth 2.1 Authorization Code + PKCE handlers.\n *\n * Implements the server side of the authorization code grant for MCP clients\n * (Claude Desktop, VS Code, etc.) per the MCP authorization spec (draft).\n *\n * Uses arctic for PKCE challenge generation and @emdash-cms/auth for token\n * utilities. Token infrastructure is shared with the device flow.\n */\n\nimport { clampScopes, computeS256Challenge, secureCompare } from \"@emdash-cms/auth\";\nimport type { RoleLevel } from \"@emdash-cms/auth\";\nimport { generateCodeVerifier } from \"arctic\";\nimport type { Kysely } from \"kysely\";\n\nimport {\n\tgeneratePrefixedToken,\n\thashApiToken,\n\tTOKEN_PREFIXES,\n\tVALID_SCOPES,\n} from \"../../auth/api-tokens.js\";\nimport { withTransaction } from \"../../database/transaction.js\";\nimport type { Database } from \"../../database/types.js\";\nimport { validateRedirectUri } from \"../oauth/redirect-uri.js\";\nimport type { ApiResult } from \"../types.js\";\nimport { lookupOAuthClient, validateClientRedirectUri } from \"./oauth-clients.js\";\nimport { lookupUserRoleAndStatus } from \"./oauth-user-lookup.js\";\n\n// ---------------------------------------------------------------------------\n// Constants\n// ---------------------------------------------------------------------------\n\n/** Authorization codes expire after 10 minutes (RFC 6749 §4.1.2 recommends short-lived) */\nconst AUTH_CODE_TTL_SECONDS = 10 * 60;\n\n/** Access token TTL: 1 hour */\nconst ACCESS_TOKEN_TTL_SECONDS = 60 * 60;\n\n/** Refresh token TTL: 90 days */\nconst REFRESH_TOKEN_TTL_SECONDS = 90 * 24 * 60 * 60;\n\n// ---------------------------------------------------------------------------\n// Types\n// ---------------------------------------------------------------------------\n\nexport interface AuthorizationParams {\n\tresponse_type: string;\n\tclient_id: string;\n\tredirect_uri: string;\n\tscope?: string;\n\tstate?: string;\n\tcode_challenge: string;\n\tcode_challenge_method: string;\n\tresource?: string;\n}\n\nexport interface TokenExchangeParams {\n\tgrant_type: string;\n\tcode: string;\n\tredirect_uri: string;\n\tclient_id: string;\n\tcode_verifier: string;\n\tresource?: string;\n}\n\nexport interface TokenResponse {\n\taccess_token: string;\n\trefresh_token: string;\n\ttoken_type: \"Bearer\";\n\texpires_in: number;\n\tscope: string;\n}\n\n// ---------------------------------------------------------------------------\n// Helpers\n// ---------------------------------------------------------------------------\n\nfunction expiresAt(seconds: number): string {\n\treturn new Date(Date.now() + seconds * 1000).toISOString();\n}\n\nexport { validateRedirectUri };\n\n/**\n * Validate and normalize scopes. Returns validated scope list.\n */\nfunction normalizeScopes(requested?: string): string[] {\n\tif (!requested) return [];\n\n\tconst validSet = new Set<string>(VALID_SCOPES);\n\tconst scopes = requested\n\t\t.split(\" \")\n\t\t.filter(Boolean)\n\t\t.filter((s) => validSet.has(s));\n\n\treturn scopes;\n}\n\n// ---------------------------------------------------------------------------\n// Handlers\n// ---------------------------------------------------------------------------\n\n/**\n * Process an authorization request after the user approves consent.\n *\n * Generates an authorization code, stores it with the PKCE challenge,\n * and returns the redirect URL with the code appended.\n *\n * Scopes are clamped to the user's role to prevent scope escalation.\n */\nexport async function handleAuthorizationApproval(\n\tdb: Kysely<Database>,\n\tuserId: string,\n\tuserRole: RoleLevel,\n\tparams: AuthorizationParams,\n): Promise<ApiResult<{ redirect_url: string }>> {\n\ttry {\n\t\t// Validate response_type\n\t\tif (params.response_type !== \"code\") {\n\t\t\treturn {\n\t\t\t\tsuccess: false,\n\t\t\t\terror: {\n\t\t\t\t\tcode: \"UNSUPPORTED_RESPONSE_TYPE\",\n\t\t\t\t\tmessage: \"Only response_type=code is supported\",\n\t\t\t\t},\n\t\t\t};\n\t\t}\n\n\t\t// Validate redirect_uri scheme/host (basic security check)\n\t\tconst uriError = validateRedirectUri(params.redirect_uri);\n\t\tif (uriError) {\n\t\t\treturn {\n\t\t\t\tsuccess: false,\n\t\t\t\terror: { code: \"INVALID_REDIRECT_URI\", message: uriError },\n\t\t\t};\n\t\t}\n\n\t\t// Look up the registered OAuth client\n\t\tconst client = await lookupOAuthClient(db, params.client_id);\n\t\tif (!client) {\n\t\t\treturn {\n\t\t\t\tsuccess: false,\n\t\t\t\terror: {\n\t\t\t\t\tcode: \"INVALID_CLIENT\",\n\t\t\t\t\tmessage: \"Unknown client_id\",\n\t\t\t\t},\n\t\t\t};\n\t\t}\n\n\t\t// Validate redirect_uri against client's registered URIs\n\t\tconst clientUriError = validateClientRedirectUri(params.redirect_uri, client.redirectUris);\n\t\tif (clientUriError) {\n\t\t\treturn {\n\t\t\t\tsuccess: false,\n\t\t\t\terror: { code: \"INVALID_REDIRECT_URI\", message: clientUriError },\n\t\t\t};\n\t\t}\n\n\t\t// Validate code_challenge_method\n\t\tif (params.code_challenge_method !== \"S256\") {\n\t\t\treturn {\n\t\t\t\tsuccess: false,\n\t\t\t\terror: {\n\t\t\t\t\tcode: \"INVALID_REQUEST\",\n\t\t\t\t\tmessage: \"Only S256 code_challenge_method is supported\",\n\t\t\t\t},\n\t\t\t};\n\t\t}\n\n\t\t// Validate code_challenge is present\n\t\tif (!params.code_challenge) {\n\t\t\treturn {\n\t\t\t\tsuccess: false,\n\t\t\t\terror: { code: \"INVALID_REQUEST\", message: \"code_challenge is required\" },\n\t\t\t};\n\t\t}\n\n\t\t// Validate scopes, then clamp to user's role\n\t\tconst userScopes = clampScopes(normalizeScopes(params.scope), userRole);\n\n\t\t// SEC-41: Intersect with client's registered scopes (if restricted).\n\t\t// A client registered with scopes: [\"content:read\"] should never receive\n\t\t// admin or schema:write, regardless of the approving user's role.\n\t\tconst clientScopes = client.scopes;\n\t\tconst scopes = clientScopes?.length\n\t\t\t? userScopes.filter((s: string) => clientScopes.includes(s))\n\t\t\t: userScopes;\n\n\t\tif (scopes.length === 0) {\n\t\t\treturn {\n\t\t\t\tsuccess: false,\n\t\t\t\terror: { code: \"INVALID_SCOPE\", message: \"No valid scopes requested\" },\n\t\t\t};\n\t\t}\n\n\t\t// Generate authorization code (high entropy, base64url)\n\t\tconst code = generateCodeVerifier(); // 32 bytes random, base64url\n\t\tconst codeHash = hashApiToken(code);\n\n\t\t// Store the authorization code\n\t\tawait db\n\t\t\t.insertInto(\"_emdash_authorization_codes\")\n\t\t\t.values({\n\t\t\t\tcode_hash: codeHash,\n\t\t\t\tclient_id: params.client_id,\n\t\t\t\tredirect_uri: params.redirect_uri,\n\t\t\t\tuser_id: userId,\n\t\t\t\tscopes: JSON.stringify(scopes),\n\t\t\t\tcode_challenge: params.code_challenge,\n\t\t\t\tcode_challenge_method: params.code_challenge_method,\n\t\t\t\tresource: params.resource ?? null,\n\t\t\t\texpires_at: expiresAt(AUTH_CODE_TTL_SECONDS),\n\t\t\t})\n\t\t\t.execute();\n\n\t\t// Build the redirect URL\n\t\tconst redirectUrl = new URL(params.redirect_uri);\n\t\tredirectUrl.searchParams.set(\"code\", code);\n\t\tif (params.state) {\n\t\t\tredirectUrl.searchParams.set(\"state\", params.state);\n\t\t}\n\n\t\treturn {\n\t\t\tsuccess: true,\n\t\t\tdata: { redirect_url: redirectUrl.toString() },\n\t\t};\n\t} catch (error) {\n\t\tconsole.error(\"Authorization error:\", error);\n\t\treturn {\n\t\t\tsuccess: false,\n\t\t\terror: {\n\t\t\t\tcode: \"AUTHORIZATION_ERROR\",\n\t\t\t\tmessage: \"Failed to process authorization\",\n\t\t\t},\n\t\t};\n\t}\n}\n\n/**\n * Exchange an authorization code for access + refresh tokens.\n *\n * Validates the code, verifies PKCE, and issues tokens using the same\n * infrastructure as the device flow (ec_oat_*, ec_ort_*).\n */\nexport async function handleAuthorizationCodeExchange(\n\tdb: Kysely<Database>,\n\tparams: TokenExchangeParams,\n): Promise<ApiResult<TokenResponse>> {\n\ttry {\n\t\t// Validate grant_type\n\t\tif (params.grant_type !== \"authorization_code\") {\n\t\t\treturn {\n\t\t\t\tsuccess: false,\n\t\t\t\terror: { code: \"unsupported_grant_type\", message: \"Invalid grant_type\" },\n\t\t\t};\n\t\t}\n\n\t\t// SEC-39: Atomically consume the authorization code using DELETE...RETURNING.\n\t\t// This prevents TOCTOU double-exchange: two concurrent requests with the\n\t\t// same code will race on the DELETE, and only one will get a row back.\n\t\tconst codeHash = hashApiToken(params.code);\n\n\t\tconst row = await db\n\t\t\t.deleteFrom(\"_emdash_authorization_codes\")\n\t\t\t.where(\"code_hash\", \"=\", codeHash)\n\t\t\t.returningAll()\n\t\t\t.executeTakeFirst();\n\n\t\tif (!row) {\n\t\t\treturn {\n\t\t\t\tsuccess: false,\n\t\t\t\terror: { code: \"invalid_grant\", message: \"Invalid authorization code\" },\n\t\t\t};\n\t\t}\n\n\t\t// Check expiry\n\t\tif (new Date(row.expires_at) < new Date()) {\n\t\t\treturn {\n\t\t\t\tsuccess: false,\n\t\t\t\terror: { code: \"invalid_grant\", message: \"Authorization code expired\" },\n\t\t\t};\n\t\t}\n\n\t\t// Verify redirect_uri matches exactly\n\t\tif (row.redirect_uri !== params.redirect_uri) {\n\t\t\treturn {\n\t\t\t\tsuccess: false,\n\t\t\t\terror: { code: \"invalid_grant\", message: \"redirect_uri mismatch\" },\n\t\t\t};\n\t\t}\n\n\t\t// Verify client_id matches\n\t\tif (row.client_id !== params.client_id) {\n\t\t\treturn {\n\t\t\t\tsuccess: false,\n\t\t\t\terror: { code: \"invalid_grant\", message: \"client_id mismatch\" },\n\t\t\t};\n\t\t}\n\n\t\t// PKCE verification: SHA256(code_verifier) must match stored code_challenge\n\t\t// Use constant-time comparison to prevent timing side-channels\n\t\tconst derivedChallenge = computeS256Challenge(params.code_verifier);\n\t\tif (!secureCompare(derivedChallenge, row.code_challenge)) {\n\t\t\treturn {\n\t\t\t\tsuccess: false,\n\t\t\t\terror: { code: \"invalid_grant\", message: \"PKCE verification failed\" },\n\t\t\t};\n\t\t}\n\n\t\t// Verify resource matches (if stored)\n\t\tif (row.resource && params.resource && row.resource !== params.resource) {\n\t\t\treturn {\n\t\t\t\tsuccess: false,\n\t\t\t\terror: { code: \"invalid_grant\", message: \"resource mismatch\" },\n\t\t\t};\n\t\t}\n\n\t\t// Revalidate user role before issuing tokens (same pattern as handleTokenRefresh).\n\t\t// The user's role may have changed since the authorization code was issued.\n\t\tconst userInfo = await lookupUserRoleAndStatus(db, row.user_id);\n\t\tif (!userInfo) {\n\t\t\treturn {\n\t\t\t\tsuccess: false,\n\t\t\t\terror: { code: \"invalid_grant\", message: \"User not found\" },\n\t\t\t};\n\t\t}\n\n\t\tif (userInfo.disabled) {\n\t\t\treturn {\n\t\t\t\tsuccess: false,\n\t\t\t\terror: { code: \"invalid_grant\", message: \"User account is disabled\" },\n\t\t\t};\n\t\t}\n\n\t\t// Re-clamp scopes against the user's current role\n\t\tconst storedScopes = JSON.parse(row.scopes) as string[];\n\t\tlet scopes = clampScopes(storedScopes, userInfo.role);\n\n\t\t// Intersect with client's registered scopes (if restricted)\n\t\tconst client = await lookupOAuthClient(db, row.client_id);\n\t\tif (client?.scopes?.length) {\n\t\t\tscopes = scopes.filter((s: string) => client.scopes!.includes(s));\n\t\t}\n\n\t\tif (scopes.length === 0) {\n\t\t\treturn {\n\t\t\t\tsuccess: false,\n\t\t\t\terror: {\n\t\t\t\t\tcode: \"invalid_grant\",\n\t\t\t\t\tmessage: \"User role no longer supports any of the requested scopes\",\n\t\t\t\t},\n\t\t\t};\n\t\t}\n\n\t\t// Issue tokens (same as device flow)\n\t\tconst accessToken = generatePrefixedToken(TOKEN_PREFIXES.OAUTH_ACCESS);\n\t\tconst accessExpires = expiresAt(ACCESS_TOKEN_TTL_SECONDS);\n\n\t\tconst refreshToken = generatePrefixedToken(TOKEN_PREFIXES.OAUTH_REFRESH);\n\t\tconst refreshExpires = expiresAt(REFRESH_TOKEN_TTL_SECONDS);\n\n\t\t// Atomically store both tokens in a transaction\n\t\tawait withTransaction(db, async (trx) => {\n\t\t\tawait trx\n\t\t\t\t.insertInto(\"_emdash_oauth_tokens\")\n\t\t\t\t.values({\n\t\t\t\t\ttoken_hash: accessToken.hash,\n\t\t\t\t\ttoken_type: \"access\",\n\t\t\t\t\tuser_id: row.user_id,\n\t\t\t\t\tscopes: JSON.stringify(scopes),\n\t\t\t\t\tclient_type: \"mcp\",\n\t\t\t\t\texpires_at: accessExpires,\n\t\t\t\t\trefresh_token_hash: refreshToken.hash,\n\t\t\t\t\tclient_id: row.client_id,\n\t\t\t\t})\n\t\t\t\t.execute();\n\n\t\t\tawait trx\n\t\t\t\t.insertInto(\"_emdash_oauth_tokens\")\n\t\t\t\t.values({\n\t\t\t\t\ttoken_hash: refreshToken.hash,\n\t\t\t\t\ttoken_type: \"refresh\",\n\t\t\t\t\tuser_id: row.user_id,\n\t\t\t\t\tscopes: JSON.stringify(scopes),\n\t\t\t\t\tclient_type: \"mcp\",\n\t\t\t\t\texpires_at: refreshExpires,\n\t\t\t\t\trefresh_token_hash: null,\n\t\t\t\t\tclient_id: row.client_id,\n\t\t\t\t})\n\t\t\t\t.execute();\n\t\t});\n\n\t\treturn {\n\t\t\tsuccess: true,\n\t\t\tdata: {\n\t\t\t\taccess_token: accessToken.raw,\n\t\t\t\trefresh_token: refreshToken.raw,\n\t\t\t\ttoken_type: \"Bearer\",\n\t\t\t\texpires_in: ACCESS_TOKEN_TTL_SECONDS,\n\t\t\t\tscope: scopes.join(\" \"),\n\t\t\t},\n\t\t};\n\t} catch (error) {\n\t\tconsole.error(\"Token exchange error:\", error);\n\t\treturn {\n\t\t\tsuccess: false,\n\t\t\terror: {\n\t\t\t\tcode: \"TOKEN_EXCHANGE_ERROR\",\n\t\t\t\tmessage: \"Failed to exchange authorization code\",\n\t\t\t},\n\t\t};\n\t}\n}\n\n/**\n * Build the authorization denied redirect URL.\n */\nexport function buildDeniedRedirect(redirectUri: string, state?: string): string {\n\tconst url = new URL(redirectUri);\n\turl.searchParams.set(\"error\", \"access_denied\");\n\turl.searchParams.set(\"error_description\", \"The user denied the authorization request\");\n\tif (state) {\n\t\turl.searchParams.set(\"state\", state);\n\t}\n\treturn url.toString();\n}\n\n/**\n * Clean up expired authorization codes.\n */\nexport async function cleanupExpiredAuthorizationCodes(db: Kysely<Database>): Promise<number> {\n\tconst result = await db\n\t\t.deleteFrom(\"_emdash_authorization_codes\")\n\t\t.where(\"expires_at\", \"<\", new Date().toISOString())\n\t\t.executeTakeFirst();\n\n\treturn Number(result.numDeletedRows);\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;AAiCA,MAAM,wBAAwB;;AAG9B,MAAM,2BAA2B;;AAGjC,MAAM,4BAA4B,OAAU,KAAK;AAsCjD,SAAS,UAAU,SAAyB;AAC3C,QAAO,IAAI,KAAK,KAAK,KAAK,GAAG,UAAU,IAAK,CAAC,aAAa;;;;;AAQ3D,SAAS,gBAAgB,WAA8B;AACtD,KAAI,CAAC,UAAW,QAAO,EAAE;CAEzB,MAAM,WAAW,IAAI,IAAY,aAAa;AAM9C,QALe,UACb,MAAM,IAAI,CACV,OAAO,QAAQ,CACf,QAAQ,MAAM,SAAS,IAAI,EAAE,CAAC;;;;;;;;;;AAiBjC,eAAsB,4BACrB,IACA,QACA,UACA,QAC+C;AAC/C,KAAI;AAEH,MAAI,OAAO,kBAAkB,OAC5B,QAAO;GACN,SAAS;GACT,OAAO;IACN,MAAM;IACN,SAAS;IACT;GACD;EAIF,MAAM,WAAW,oBAAoB,OAAO,aAAa;AACzD,MAAI,SACH,QAAO;GACN,SAAS;GACT,OAAO;IAAE,MAAM;IAAwB,SAAS;IAAU;GAC1D;EAIF,MAAM,SAAS,MAAM,kBAAkB,IAAI,OAAO,UAAU;AAC5D,MAAI,CAAC,OACJ,QAAO;GACN,SAAS;GACT,OAAO;IACN,MAAM;IACN,SAAS;IACT;GACD;EAIF,MAAM,iBAAiB,0BAA0B,OAAO,cAAc,OAAO,aAAa;AAC1F,MAAI,eACH,QAAO;GACN,SAAS;GACT,OAAO;IAAE,MAAM;IAAwB,SAAS;IAAgB;GAChE;AAIF,MAAI,OAAO,0BAA0B,OACpC,QAAO;GACN,SAAS;GACT,OAAO;IACN,MAAM;IACN,SAAS;IACT;GACD;AAIF,MAAI,CAAC,OAAO,eACX,QAAO;GACN,SAAS;GACT,OAAO;IAAE,MAAM;IAAmB,SAAS;IAA8B;GACzE;EAIF,MAAM,aAAa,YAAY,gBAAgB,OAAO,MAAM,EAAE,SAAS;EAKvE,MAAM,eAAe,OAAO;EAC5B,MAAM,SAAS,cAAc,SAC1B,WAAW,QAAQ,MAAc,aAAa,SAAS,EAAE,CAAC,GAC1D;AAEH,MAAI,OAAO,WAAW,EACrB,QAAO;GACN,SAAS;GACT,OAAO;IAAE,MAAM;IAAiB,SAAS;IAA6B;GACtE;EAIF,MAAM,OAAO,sBAAsB;EACnC,MAAM,WAAW,aAAa,KAAK;AAGnC,QAAM,GACJ,WAAW,8BAA8B,CACzC,OAAO;GACP,WAAW;GACX,WAAW,OAAO;GAClB,cAAc,OAAO;GACrB,SAAS;GACT,QAAQ,KAAK,UAAU,OAAO;GAC9B,gBAAgB,OAAO;GACvB,uBAAuB,OAAO;GAC9B,UAAU,OAAO,YAAY;GAC7B,YAAY,UAAU,sBAAsB;GAC5C,CAAC,CACD,SAAS;EAGX,MAAM,cAAc,IAAI,IAAI,OAAO,aAAa;AAChD,cAAY,aAAa,IAAI,QAAQ,KAAK;AAC1C,MAAI,OAAO,MACV,aAAY,aAAa,IAAI,SAAS,OAAO,MAAM;AAGpD,SAAO;GACN,SAAS;GACT,MAAM,EAAE,cAAc,YAAY,UAAU,EAAE;GAC9C;UACO,OAAO;AACf,UAAQ,MAAM,wBAAwB,MAAM;AAC5C,SAAO;GACN,SAAS;GACT,OAAO;IACN,MAAM;IACN,SAAS;IACT;GACD;;;;;;;;;AAUH,eAAsB,gCACrB,IACA,QACoC;AACpC,KAAI;AAEH,MAAI,OAAO,eAAe,qBACzB,QAAO;GACN,SAAS;GACT,OAAO;IAAE,MAAM;IAA0B,SAAS;IAAsB;GACxE;EAMF,MAAM,WAAW,aAAa,OAAO,KAAK;EAE1C,MAAM,MAAM,MAAM,GAChB,WAAW,8BAA8B,CACzC,MAAM,aAAa,KAAK,SAAS,CACjC,cAAc,CACd,kBAAkB;AAEpB,MAAI,CAAC,IACJ,QAAO;GACN,SAAS;GACT,OAAO;IAAE,MAAM;IAAiB,SAAS;IAA8B;GACvE;AAIF,MAAI,IAAI,KAAK,IAAI,WAAW,mBAAG,IAAI,MAAM,CACxC,QAAO;GACN,SAAS;GACT,OAAO;IAAE,MAAM;IAAiB,SAAS;IAA8B;GACvE;AAIF,MAAI,IAAI,iBAAiB,OAAO,aAC/B,QAAO;GACN,SAAS;GACT,OAAO;IAAE,MAAM;IAAiB,SAAS;IAAyB;GAClE;AAIF,MAAI,IAAI,cAAc,OAAO,UAC5B,QAAO;GACN,SAAS;GACT,OAAO;IAAE,MAAM;IAAiB,SAAS;IAAsB;GAC/D;AAMF,MAAI,CAAC,cADoB,qBAAqB,OAAO,cAAc,EAC9B,IAAI,eAAe,CACvD,QAAO;GACN,SAAS;GACT,OAAO;IAAE,MAAM;IAAiB,SAAS;IAA4B;GACrE;AAIF,MAAI,IAAI,YAAY,OAAO,YAAY,IAAI,aAAa,OAAO,SAC9D,QAAO;GACN,SAAS;GACT,OAAO;IAAE,MAAM;IAAiB,SAAS;IAAqB;GAC9D;EAKF,MAAM,WAAW,MAAM,wBAAwB,IAAI,IAAI,QAAQ;AAC/D,MAAI,CAAC,SACJ,QAAO;GACN,SAAS;GACT,OAAO;IAAE,MAAM;IAAiB,SAAS;IAAkB;GAC3D;AAGF,MAAI,SAAS,SACZ,QAAO;GACN,SAAS;GACT,OAAO;IAAE,MAAM;IAAiB,SAAS;IAA4B;GACrE;EAKF,IAAI,SAAS,YADQ,KAAK,MAAM,IAAI,OAAO,EACJ,SAAS,KAAK;EAGrD,MAAM,SAAS,MAAM,kBAAkB,IAAI,IAAI,UAAU;AACzD,MAAI,QAAQ,QAAQ,OACnB,UAAS,OAAO,QAAQ,MAAc,OAAO,OAAQ,SAAS,EAAE,CAAC;AAGlE,MAAI,OAAO,WAAW,EACrB,QAAO;GACN,SAAS;GACT,OAAO;IACN,MAAM;IACN,SAAS;IACT;GACD;EAIF,MAAM,cAAc,sBAAsB,eAAe,aAAa;EACtE,MAAM,gBAAgB,UAAU,yBAAyB;EAEzD,MAAM,eAAe,sBAAsB,eAAe,cAAc;EACxE,MAAM,iBAAiB,UAAU,0BAA0B;AAG3D,QAAM,gBAAgB,IAAI,OAAO,QAAQ;AACxC,SAAM,IACJ,WAAW,uBAAuB,CAClC,OAAO;IACP,YAAY,YAAY;IACxB,YAAY;IACZ,SAAS,IAAI;IACb,QAAQ,KAAK,UAAU,OAAO;IAC9B,aAAa;IACb,YAAY;IACZ,oBAAoB,aAAa;IACjC,WAAW,IAAI;IACf,CAAC,CACD,SAAS;AAEX,SAAM,IACJ,WAAW,uBAAuB,CAClC,OAAO;IACP,YAAY,aAAa;IACzB,YAAY;IACZ,SAAS,IAAI;IACb,QAAQ,KAAK,UAAU,OAAO;IAC9B,aAAa;IACb,YAAY;IACZ,oBAAoB;IACpB,WAAW,IAAI;IACf,CAAC,CACD,SAAS;IACV;AAEF,SAAO;GACN,SAAS;GACT,MAAM;IACL,cAAc,YAAY;IAC1B,eAAe,aAAa;IAC5B,YAAY;IACZ,YAAY;IACZ,OAAO,OAAO,KAAK,IAAI;IACvB;GACD;UACO,OAAO;AACf,UAAQ,MAAM,yBAAyB,MAAM;AAC7C,SAAO;GACN,SAAS;GACT,OAAO;IACN,MAAM;IACN,SAAS;IACT;GACD;;;;;;AAOH,SAAgB,oBAAoB,aAAqB,OAAwB;CAChF,MAAM,MAAM,IAAI,IAAI,YAAY;AAChC,KAAI,aAAa,IAAI,SAAS,gBAAgB;AAC9C,KAAI,aAAa,IAAI,qBAAqB,4CAA4C;AACtF,KAAI,MACH,KAAI,aAAa,IAAI,SAAS,MAAM;AAErC,QAAO,IAAI,UAAU"}
+{"version":3,"file":"oauth-authorization-CTMeVfvj.mjs","names":[],"sources":["../src/api/handlers/oauth-authorization.ts"],"sourcesContent":["/**\n * OAuth 2.1 Authorization Code + PKCE handlers.\n *\n * Implements the server side of the authorization code grant for MCP clients\n * (Claude Desktop, VS Code, etc.) per the MCP authorization spec (draft).\n *\n * Uses arctic for PKCE challenge generation and @emdash-cms/auth for token\n * utilities. Token infrastructure is shared with the device flow.\n */\n\nimport { clampScopes, computeS256Challenge, secureCompare } from \"@emdash-cms/auth\";\nimport type { RoleLevel } from \"@emdash-cms/auth\";\nimport { generateCodeVerifier } from \"arctic\";\nimport type { Kysely } from \"kysely\";\n\nimport {\n\tgeneratePrefixedToken,\n\thashApiToken,\n\tTOKEN_PREFIXES,\n\tVALID_SCOPES,\n} from \"../../auth/api-tokens.js\";\nimport { withTransaction } from \"../../database/transaction.js\";\nimport type { Database } from \"../../database/types.js\";\nimport { validateRedirectUri } from \"../oauth/redirect-uri.js\";\nimport type { ApiResult } from \"../types.js\";\nimport { lookupOAuthClient, validateClientRedirectUri } from \"./oauth-clients.js\";\nimport { lookupUserRoleAndStatus } from \"./oauth-user-lookup.js\";\n\n// ---------------------------------------------------------------------------\n// Constants\n// ---------------------------------------------------------------------------\n\n/** Authorization codes expire after 10 minutes (RFC 6749 §4.1.2 recommends short-lived) */\nconst AUTH_CODE_TTL_SECONDS = 10 * 60;\n\n/** Access token TTL: 1 hour */\nconst ACCESS_TOKEN_TTL_SECONDS = 60 * 60;\n\n/** Refresh token TTL: 90 days */\nconst REFRESH_TOKEN_TTL_SECONDS = 90 * 24 * 60 * 60;\n\n// ---------------------------------------------------------------------------\n// Types\n// ---------------------------------------------------------------------------\n\nexport interface AuthorizationParams {\n\tresponse_type: string;\n\tclient_id: string;\n\tredirect_uri: string;\n\tscope?: string;\n\tstate?: string;\n\tcode_challenge: string;\n\tcode_challenge_method: string;\n\tresource?: string;\n}\n\nexport interface TokenExchangeParams {\n\tgrant_type: string;\n\tcode: string;\n\tredirect_uri: string;\n\tclient_id: string;\n\tcode_verifier: string;\n\tresource?: string;\n}\n\nexport interface TokenResponse {\n\taccess_token: string;\n\trefresh_token: string;\n\ttoken_type: \"Bearer\";\n\texpires_in: number;\n\tscope: string;\n}\n\n// ---------------------------------------------------------------------------\n// Helpers\n// ---------------------------------------------------------------------------\n\nfunction expiresAt(seconds: number): string {\n\treturn new Date(Date.now() + seconds * 1000).toISOString();\n}\n\nexport { validateRedirectUri };\n\n/**\n * Validate and normalize scopes. Returns validated scope list.\n */\nfunction normalizeScopes(requested?: string): string[] {\n\tif (!requested) return [];\n\n\tconst validSet = new Set<string>(VALID_SCOPES);\n\tconst scopes = requested\n\t\t.split(\" \")\n\t\t.filter(Boolean)\n\t\t.filter((s) => validSet.has(s));\n\n\treturn scopes;\n}\n\n// ---------------------------------------------------------------------------\n// Handlers\n// ---------------------------------------------------------------------------\n\n/**\n * Process an authorization request after the user approves consent.\n *\n * Generates an authorization code, stores it with the PKCE challenge,\n * and returns the redirect URL with the code appended.\n *\n * Scopes are clamped to the user's role to prevent scope escalation.\n */\nexport async function handleAuthorizationApproval(\n\tdb: Kysely<Database>,\n\tuserId: string,\n\tuserRole: RoleLevel,\n\tparams: AuthorizationParams,\n): Promise<ApiResult<{ redirect_url: string }>> {\n\ttry {\n\t\t// Validate response_type\n\t\tif (params.response_type !== \"code\") {\n\t\t\treturn {\n\t\t\t\tsuccess: false,\n\t\t\t\terror: {\n\t\t\t\t\tcode: \"UNSUPPORTED_RESPONSE_TYPE\",\n\t\t\t\t\tmessage: \"Only response_type=code is supported\",\n\t\t\t\t},\n\t\t\t};\n\t\t}\n\n\t\t// Validate redirect_uri scheme/host (basic security check)\n\t\tconst uriError = validateRedirectUri(params.redirect_uri);\n\t\tif (uriError) {\n\t\t\treturn {\n\t\t\t\tsuccess: false,\n\t\t\t\terror: { code: \"INVALID_REDIRECT_URI\", message: uriError },\n\t\t\t};\n\t\t}\n\n\t\t// Look up the registered OAuth client\n\t\tconst client = await lookupOAuthClient(db, params.client_id);\n\t\tif (!client) {\n\t\t\treturn {\n\t\t\t\tsuccess: false,\n\t\t\t\terror: {\n\t\t\t\t\tcode: \"INVALID_CLIENT\",\n\t\t\t\t\tmessage: \"Unknown client_id\",\n\t\t\t\t},\n\t\t\t};\n\t\t}\n\n\t\t// Validate redirect_uri against client's registered URIs\n\t\tconst clientUriError = validateClientRedirectUri(params.redirect_uri, client.redirectUris);\n\t\tif (clientUriError) {\n\t\t\treturn {\n\t\t\t\tsuccess: false,\n\t\t\t\terror: { code: \"INVALID_REDIRECT_URI\", message: clientUriError },\n\t\t\t};\n\t\t}\n\n\t\t// Validate code_challenge_method\n\t\tif (params.code_challenge_method !== \"S256\") {\n\t\t\treturn {\n\t\t\t\tsuccess: false,\n\t\t\t\terror: {\n\t\t\t\t\tcode: \"INVALID_REQUEST\",\n\t\t\t\t\tmessage: \"Only S256 code_challenge_method is supported\",\n\t\t\t\t},\n\t\t\t};\n\t\t}\n\n\t\t// Validate code_challenge is present\n\t\tif (!params.code_challenge) {\n\t\t\treturn {\n\t\t\t\tsuccess: false,\n\t\t\t\terror: { code: \"INVALID_REQUEST\", message: \"code_challenge is required\" },\n\t\t\t};\n\t\t}\n\n\t\t// Validate scopes, then clamp to user's role\n\t\tconst userScopes = clampScopes(normalizeScopes(params.scope), userRole);\n\n\t\t// SEC-41: Intersect with client's registered scopes (if restricted).\n\t\t// A client registered with scopes: [\"content:read\"] should never receive\n\t\t// admin or schema:write, regardless of the approving user's role.\n\t\tconst clientScopes = client.scopes;\n\t\tconst scopes = clientScopes?.length\n\t\t\t? userScopes.filter((s: string) => clientScopes.includes(s))\n\t\t\t: userScopes;\n\n\t\tif (scopes.length === 0) {\n\t\t\treturn {\n\t\t\t\tsuccess: false,\n\t\t\t\terror: { code: \"INVALID_SCOPE\", message: \"No valid scopes requested\" },\n\t\t\t};\n\t\t}\n\n\t\t// Generate authorization code (high entropy, base64url)\n\t\tconst code = generateCodeVerifier(); // 32 bytes random, base64url\n\t\tconst codeHash = hashApiToken(code);\n\n\t\t// Store the authorization code\n\t\tawait db\n\t\t\t.insertInto(\"_emdash_authorization_codes\")\n\t\t\t.values({\n\t\t\t\tcode_hash: codeHash,\n\t\t\t\tclient_id: params.client_id,\n\t\t\t\tredirect_uri: params.redirect_uri,\n\t\t\t\tuser_id: userId,\n\t\t\t\tscopes: JSON.stringify(scopes),\n\t\t\t\tcode_challenge: params.code_challenge,\n\t\t\t\tcode_challenge_method: params.code_challenge_method,\n\t\t\t\tresource: params.resource ?? null,\n\t\t\t\texpires_at: expiresAt(AUTH_CODE_TTL_SECONDS),\n\t\t\t})\n\t\t\t.execute();\n\n\t\t// Build the redirect URL\n\t\tconst redirectUrl = new URL(params.redirect_uri);\n\t\tredirectUrl.searchParams.set(\"code\", code);\n\t\tif (params.state) {\n\t\t\tredirectUrl.searchParams.set(\"state\", params.state);\n\t\t}\n\n\t\treturn {\n\t\t\tsuccess: true,\n\t\t\tdata: { redirect_url: redirectUrl.toString() },\n\t\t};\n\t} catch (error) {\n\t\tconsole.error(\"Authorization error:\", error);\n\t\treturn {\n\t\t\tsuccess: false,\n\t\t\terror: {\n\t\t\t\tcode: \"AUTHORIZATION_ERROR\",\n\t\t\t\tmessage: \"Failed to process authorization\",\n\t\t\t},\n\t\t};\n\t}\n}\n\n/**\n * Exchange an authorization code for access + refresh tokens.\n *\n * Validates the code, verifies PKCE, and issues tokens using the same\n * infrastructure as the device flow (ec_oat_*, ec_ort_*).\n */\nexport async function handleAuthorizationCodeExchange(\n\tdb: Kysely<Database>,\n\tparams: TokenExchangeParams,\n): Promise<ApiResult<TokenResponse>> {\n\ttry {\n\t\t// Validate grant_type\n\t\tif (params.grant_type !== \"authorization_code\") {\n\t\t\treturn {\n\t\t\t\tsuccess: false,\n\t\t\t\terror: { code: \"unsupported_grant_type\", message: \"Invalid grant_type\" },\n\t\t\t};\n\t\t}\n\n\t\t// SEC-39: Atomically consume the authorization code using DELETE...RETURNING.\n\t\t// This prevents TOCTOU double-exchange: two concurrent requests with the\n\t\t// same code will race on the DELETE, and only one will get a row back.\n\t\tconst codeHash = hashApiToken(params.code);\n\n\t\tconst row = await db\n\t\t\t.deleteFrom(\"_emdash_authorization_codes\")\n\t\t\t.where(\"code_hash\", \"=\", codeHash)\n\t\t\t.returningAll()\n\t\t\t.executeTakeFirst();\n\n\t\tif (!row) {\n\t\t\treturn {\n\t\t\t\tsuccess: false,\n\t\t\t\terror: { code: \"invalid_grant\", message: \"Invalid authorization code\" },\n\t\t\t};\n\t\t}\n\n\t\t// Check expiry\n\t\tif (new Date(row.expires_at) < new Date()) {\n\t\t\treturn {\n\t\t\t\tsuccess: false,\n\t\t\t\terror: { code: \"invalid_grant\", message: \"Authorization code expired\" },\n\t\t\t};\n\t\t}\n\n\t\t// Verify redirect_uri matches exactly\n\t\tif (row.redirect_uri !== params.redirect_uri) {\n\t\t\treturn {\n\t\t\t\tsuccess: false,\n\t\t\t\terror: { code: \"invalid_grant\", message: \"redirect_uri mismatch\" },\n\t\t\t};\n\t\t}\n\n\t\t// Verify client_id matches\n\t\tif (row.client_id !== params.client_id) {\n\t\t\treturn {\n\t\t\t\tsuccess: false,\n\t\t\t\terror: { code: \"invalid_grant\", message: \"client_id mismatch\" },\n\t\t\t};\n\t\t}\n\n\t\t// PKCE verification: SHA256(code_verifier) must match stored code_challenge\n\t\t// Use constant-time comparison to prevent timing side-channels\n\t\tconst derivedChallenge = computeS256Challenge(params.code_verifier);\n\t\tif (!secureCompare(derivedChallenge, row.code_challenge)) {\n\t\t\treturn {\n\t\t\t\tsuccess: false,\n\t\t\t\terror: { code: \"invalid_grant\", message: \"PKCE verification failed\" },\n\t\t\t};\n\t\t}\n\n\t\t// Verify resource matches (if stored)\n\t\tif (row.resource && params.resource && row.resource !== params.resource) {\n\t\t\treturn {\n\t\t\t\tsuccess: false,\n\t\t\t\terror: { code: \"invalid_grant\", message: \"resource mismatch\" },\n\t\t\t};\n\t\t}\n\n\t\t// Revalidate user role before issuing tokens (same pattern as handleTokenRefresh).\n\t\t// The user's role may have changed since the authorization code was issued.\n\t\tconst userInfo = await lookupUserRoleAndStatus(db, row.user_id);\n\t\tif (!userInfo) {\n\t\t\treturn {\n\t\t\t\tsuccess: false,\n\t\t\t\terror: { code: \"invalid_grant\", message: \"User not found\" },\n\t\t\t};\n\t\t}\n\n\t\tif (userInfo.disabled) {\n\t\t\treturn {\n\t\t\t\tsuccess: false,\n\t\t\t\terror: { code: \"invalid_grant\", message: \"User account is disabled\" },\n\t\t\t};\n\t\t}\n\n\t\t// Re-clamp scopes against the user's current role\n\t\tconst storedScopes = JSON.parse(row.scopes) as string[];\n\t\tlet scopes = clampScopes(storedScopes, userInfo.role);\n\n\t\t// Intersect with client's registered scopes (if restricted)\n\t\tconst client = await lookupOAuthClient(db, row.client_id);\n\t\tif (client?.scopes?.length) {\n\t\t\tscopes = scopes.filter((s: string) => client.scopes!.includes(s));\n\t\t}\n\n\t\tif (scopes.length === 0) {\n\t\t\treturn {\n\t\t\t\tsuccess: false,\n\t\t\t\terror: {\n\t\t\t\t\tcode: \"invalid_grant\",\n\t\t\t\t\tmessage: \"User role no longer supports any of the requested scopes\",\n\t\t\t\t},\n\t\t\t};\n\t\t}\n\n\t\t// Issue tokens (same as device flow)\n\t\tconst accessToken = generatePrefixedToken(TOKEN_PREFIXES.OAUTH_ACCESS);\n\t\tconst accessExpires = expiresAt(ACCESS_TOKEN_TTL_SECONDS);\n\n\t\tconst refreshToken = generatePrefixedToken(TOKEN_PREFIXES.OAUTH_REFRESH);\n\t\tconst refreshExpires = expiresAt(REFRESH_TOKEN_TTL_SECONDS);\n\n\t\t// Atomically store both tokens in a transaction\n\t\tawait withTransaction(db, async (trx) => {\n\t\t\tawait trx\n\t\t\t\t.insertInto(\"_emdash_oauth_tokens\")\n\t\t\t\t.values({\n\t\t\t\t\ttoken_hash: accessToken.hash,\n\t\t\t\t\ttoken_type: \"access\",\n\t\t\t\t\tuser_id: row.user_id,\n\t\t\t\t\tscopes: JSON.stringify(scopes),\n\t\t\t\t\tclient_type: \"mcp\",\n\t\t\t\t\texpires_at: accessExpires,\n\t\t\t\t\trefresh_token_hash: refreshToken.hash,\n\t\t\t\t\tclient_id: row.client_id,\n\t\t\t\t})\n\t\t\t\t.execute();\n\n\t\t\tawait trx\n\t\t\t\t.insertInto(\"_emdash_oauth_tokens\")\n\t\t\t\t.values({\n\t\t\t\t\ttoken_hash: refreshToken.hash,\n\t\t\t\t\ttoken_type: \"refresh\",\n\t\t\t\t\tuser_id: row.user_id,\n\t\t\t\t\tscopes: JSON.stringify(scopes),\n\t\t\t\t\tclient_type: \"mcp\",\n\t\t\t\t\texpires_at: refreshExpires,\n\t\t\t\t\trefresh_token_hash: null,\n\t\t\t\t\tclient_id: row.client_id,\n\t\t\t\t})\n\t\t\t\t.execute();\n\t\t});\n\n\t\treturn {\n\t\t\tsuccess: true,\n\t\t\tdata: {\n\t\t\t\taccess_token: accessToken.raw,\n\t\t\t\trefresh_token: refreshToken.raw,\n\t\t\t\ttoken_type: \"Bearer\",\n\t\t\t\texpires_in: ACCESS_TOKEN_TTL_SECONDS,\n\t\t\t\tscope: scopes.join(\" \"),\n\t\t\t},\n\t\t};\n\t} catch (error) {\n\t\tconsole.error(\"Token exchange error:\", error);\n\t\treturn {\n\t\t\tsuccess: false,\n\t\t\terror: {\n\t\t\t\tcode: \"TOKEN_EXCHANGE_ERROR\",\n\t\t\t\tmessage: \"Failed to exchange authorization code\",\n\t\t\t},\n\t\t};\n\t}\n}\n\n/**\n * Build the authorization denied redirect URL.\n */\nexport function buildDeniedRedirect(redirectUri: string, state?: string): string {\n\tconst url = new URL(redirectUri);\n\turl.searchParams.set(\"error\", \"access_denied\");\n\turl.searchParams.set(\"error_description\", \"The user denied the authorization request\");\n\tif (state) {\n\t\turl.searchParams.set(\"state\", state);\n\t}\n\treturn url.toString();\n}\n\n/**\n * Clean up expired authorization codes.\n */\nexport async function cleanupExpiredAuthorizationCodes(db: Kysely<Database>): Promise<number> {\n\tconst result = await db\n\t\t.deleteFrom(\"_emdash_authorization_codes\")\n\t\t.where(\"expires_at\", \"<\", new Date().toISOString())\n\t\t.executeTakeFirst();\n\n\treturn Number(result.numDeletedRows);\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;AAiCA,MAAM,wBAAwB;;AAG9B,MAAM,2BAA2B;;AAGjC,MAAM,4BAA4B,OAAU,KAAK;AAsCjD,SAAS,UAAU,SAAyB;AAC3C,QAAO,IAAI,KAAK,KAAK,KAAK,GAAG,UAAU,IAAK,CAAC,aAAa;;;;;AAQ3D,SAAS,gBAAgB,WAA8B;AACtD,KAAI,CAAC,UAAW,QAAO,EAAE;CAEzB,MAAM,WAAW,IAAI,IAAY,aAAa;AAM9C,QALe,UACb,MAAM,IAAI,CACV,OAAO,QAAQ,CACf,QAAQ,MAAM,SAAS,IAAI,EAAE,CAAC;;;;;;;;;;AAiBjC,eAAsB,4BACrB,IACA,QACA,UACA,QAC+C;AAC/C,KAAI;AAEH,MAAI,OAAO,kBAAkB,OAC5B,QAAO;GACN,SAAS;GACT,OAAO;IACN,MAAM;IACN,SAAS;IACT;GACD;EAIF,MAAM,WAAW,oBAAoB,OAAO,aAAa;AACzD,MAAI,SACH,QAAO;GACN,SAAS;GACT,OAAO;IAAE,MAAM;IAAwB,SAAS;IAAU;GAC1D;EAIF,MAAM,SAAS,MAAM,kBAAkB,IAAI,OAAO,UAAU;AAC5D,MAAI,CAAC,OACJ,QAAO;GACN,SAAS;GACT,OAAO;IACN,MAAM;IACN,SAAS;IACT;GACD;EAIF,MAAM,iBAAiB,0BAA0B,OAAO,cAAc,OAAO,aAAa;AAC1F,MAAI,eACH,QAAO;GACN,SAAS;GACT,OAAO;IAAE,MAAM;IAAwB,SAAS;IAAgB;GAChE;AAIF,MAAI,OAAO,0BAA0B,OACpC,QAAO;GACN,SAAS;GACT,OAAO;IACN,MAAM;IACN,SAAS;IACT;GACD;AAIF,MAAI,CAAC,OAAO,eACX,QAAO;GACN,SAAS;GACT,OAAO;IAAE,MAAM;IAAmB,SAAS;IAA8B;GACzE;EAIF,MAAM,aAAa,YAAY,gBAAgB,OAAO,MAAM,EAAE,SAAS;EAKvE,MAAM,eAAe,OAAO;EAC5B,MAAM,SAAS,cAAc,SAC1B,WAAW,QAAQ,MAAc,aAAa,SAAS,EAAE,CAAC,GAC1D;AAEH,MAAI,OAAO,WAAW,EACrB,QAAO;GACN,SAAS;GACT,OAAO;IAAE,MAAM;IAAiB,SAAS;IAA6B;GACtE;EAIF,MAAM,OAAO,sBAAsB;EACnC,MAAM,WAAW,aAAa,KAAK;AAGnC,QAAM,GACJ,WAAW,8BAA8B,CACzC,OAAO;GACP,WAAW;GACX,WAAW,OAAO;GAClB,cAAc,OAAO;GACrB,SAAS;GACT,QAAQ,KAAK,UAAU,OAAO;GAC9B,gBAAgB,OAAO;GACvB,uBAAuB,OAAO;GAC9B,UAAU,OAAO,YAAY;GAC7B,YAAY,UAAU,sBAAsB;GAC5C,CAAC,CACD,SAAS;EAGX,MAAM,cAAc,IAAI,IAAI,OAAO,aAAa;AAChD,cAAY,aAAa,IAAI,QAAQ,KAAK;AAC1C,MAAI,OAAO,MACV,aAAY,aAAa,IAAI,SAAS,OAAO,MAAM;AAGpD,SAAO;GACN,SAAS;GACT,MAAM,EAAE,cAAc,YAAY,UAAU,EAAE;GAC9C;UACO,OAAO;AACf,UAAQ,MAAM,wBAAwB,MAAM;AAC5C,SAAO;GACN,SAAS;GACT,OAAO;IACN,MAAM;IACN,SAAS;IACT;GACD;;;;;;;;;AAUH,eAAsB,gCACrB,IACA,QACoC;AACpC,KAAI;AAEH,MAAI,OAAO,eAAe,qBACzB,QAAO;GACN,SAAS;GACT,OAAO;IAAE,MAAM;IAA0B,SAAS;IAAsB;GACxE;EAMF,MAAM,WAAW,aAAa,OAAO,KAAK;EAE1C,MAAM,MAAM,MAAM,GAChB,WAAW,8BAA8B,CACzC,MAAM,aAAa,KAAK,SAAS,CACjC,cAAc,CACd,kBAAkB;AAEpB,MAAI,CAAC,IACJ,QAAO;GACN,SAAS;GACT,OAAO;IAAE,MAAM;IAAiB,SAAS;IAA8B;GACvE;AAIF,MAAI,IAAI,KAAK,IAAI,WAAW,mBAAG,IAAI,MAAM,CACxC,QAAO;GACN,SAAS;GACT,OAAO;IAAE,MAAM;IAAiB,SAAS;IAA8B;GACvE;AAIF,MAAI,IAAI,iBAAiB,OAAO,aAC/B,QAAO;GACN,SAAS;GACT,OAAO;IAAE,MAAM;IAAiB,SAAS;IAAyB;GAClE;AAIF,MAAI,IAAI,cAAc,OAAO,UAC5B,QAAO;GACN,SAAS;GACT,OAAO;IAAE,MAAM;IAAiB,SAAS;IAAsB;GAC/D;AAMF,MAAI,CAAC,cADoB,qBAAqB,OAAO,cAAc,EAC9B,IAAI,eAAe,CACvD,QAAO;GACN,SAAS;GACT,OAAO;IAAE,MAAM;IAAiB,SAAS;IAA4B;GACrE;AAIF,MAAI,IAAI,YAAY,OAAO,YAAY,IAAI,aAAa,OAAO,SAC9D,QAAO;GACN,SAAS;GACT,OAAO;IAAE,MAAM;IAAiB,SAAS;IAAqB;GAC9D;EAKF,MAAM,WAAW,MAAM,wBAAwB,IAAI,IAAI,QAAQ;AAC/D,MAAI,CAAC,SACJ,QAAO;GACN,SAAS;GACT,OAAO;IAAE,MAAM;IAAiB,SAAS;IAAkB;GAC3D;AAGF,MAAI,SAAS,SACZ,QAAO;GACN,SAAS;GACT,OAAO;IAAE,MAAM;IAAiB,SAAS;IAA4B;GACrE;EAKF,IAAI,SAAS,YADQ,KAAK,MAAM,IAAI,OAAO,EACJ,SAAS,KAAK;EAGrD,MAAM,SAAS,MAAM,kBAAkB,IAAI,IAAI,UAAU;AACzD,MAAI,QAAQ,QAAQ,OACnB,UAAS,OAAO,QAAQ,MAAc,OAAO,OAAQ,SAAS,EAAE,CAAC;AAGlE,MAAI,OAAO,WAAW,EACrB,QAAO;GACN,SAAS;GACT,OAAO;IACN,MAAM;IACN,SAAS;IACT;GACD;EAIF,MAAM,cAAc,sBAAsB,eAAe,aAAa;EACtE,MAAM,gBAAgB,UAAU,yBAAyB;EAEzD,MAAM,eAAe,sBAAsB,eAAe,cAAc;EACxE,MAAM,iBAAiB,UAAU,0BAA0B;AAG3D,QAAM,gBAAgB,IAAI,OAAO,QAAQ;AACxC,SAAM,IACJ,WAAW,uBAAuB,CAClC,OAAO;IACP,YAAY,YAAY;IACxB,YAAY;IACZ,SAAS,IAAI;IACb,QAAQ,KAAK,UAAU,OAAO;IAC9B,aAAa;IACb,YAAY;IACZ,oBAAoB,aAAa;IACjC,WAAW,IAAI;IACf,CAAC,CACD,SAAS;AAEX,SAAM,IACJ,WAAW,uBAAuB,CAClC,OAAO;IACP,YAAY,aAAa;IACzB,YAAY;IACZ,SAAS,IAAI;IACb,QAAQ,KAAK,UAAU,OAAO;IAC9B,aAAa;IACb,YAAY;IACZ,oBAAoB;IACpB,WAAW,IAAI;IACf,CAAC,CACD,SAAS;IACV;AAEF,SAAO;GACN,SAAS;GACT,MAAM;IACL,cAAc,YAAY;IAC1B,eAAe,aAAa;IAC5B,YAAY;IACZ,YAAY;IACZ,OAAO,OAAO,KAAK,IAAI;IACvB;GACD;UACO,OAAO;AACf,UAAQ,MAAM,yBAAyB,MAAM;AAC7C,SAAO;GACN,SAAS;GACT,OAAO;IACN,MAAM;IACN,SAAS;IACT;GACD;;;;;;AAOH,SAAgB,oBAAoB,aAAqB,OAAwB;CAChF,MAAM,MAAM,IAAI,IAAI,YAAY;AAChC,KAAI,aAAa,IAAI,SAAS,gBAAgB;AAC9C,KAAI,aAAa,IAAI,qBAAqB,4CAA4C;AACtF,KAAI,MACH,KAAI,aAAa,IAAI,SAAS,MAAM;AAErC,QAAO,IAAI,UAAU"}

package/dist/{oauth-clients-D_B0_-Bz.mjs → oauth-clients-eJCbkVSG.mjs}

@@ -263,4 +263,4 @@ function validateClientRedirectUri(redirectUri, allowedUris) {
 
 //#endregion
 export { handleOAuthClientUpdate as a, validateRedirectUri as c, handleOAuthClientList as i, handleOAuthClientDelete as n, lookupOAuthClient as o, handleOAuthClientGet as r, validateClientRedirectUri as s, handleOAuthClientCreate as t };
-//# sourceMappingURL=oauth-clients-D_B0_-Bz.mjs.map
+//# sourceMappingURL=oauth-clients-eJCbkVSG.mjs.map

package/dist/oauth-clients-eJCbkVSG.mjs.map

@@ -0,0 +1 @@
+{"version":3,"file":"oauth-clients-eJCbkVSG.mjs","names":[],"sources":["../src/api/oauth/redirect-uri.ts","../src/api/handlers/oauth-clients.ts"],"sourcesContent":["/**\n * Validate a redirect URI per OAuth 2.1 security requirements.\n *\n * Allows localhost / loopback redirect URIs over HTTP for native clients,\n * and any HTTPS URL for web-based flows.\n */\nexport function validateRedirectUri(uri: string): string | null {\n\ttry {\n\t\tconst url = new URL(uri);\n\n\t\t// Reject protocol-relative URLs\n\t\tif (uri.startsWith(\"//\")) {\n\t\t\treturn \"Protocol-relative redirect URIs are not allowed\";\n\t\t}\n\n\t\t// Allow localhost/loopback over HTTP (for desktop MCP clients)\n\t\tif (url.protocol === \"http:\") {\n\t\t\tconst host = url.hostname;\n\t\t\tif (host === \"127.0.0.1\" || host === \"localhost\" || host === \"[::1]\") {\n\t\t\t\treturn null;\n\t\t\t}\n\t\t\treturn \"HTTP redirect URIs are only allowed for localhost\";\n\t\t}\n\n\t\t// Allow HTTPS\n\t\tif (url.protocol === \"https:\") {\n\t\t\treturn null;\n\t\t}\n\n\t\treturn `Unsupported redirect URI scheme: ${url.protocol}`;\n\t} catch {\n\t\treturn \"Invalid redirect URI\";\n\t}\n}\n","/**\n * OAuth client management handlers.\n *\n * CRUD operations for registered OAuth clients. Each client has a set\n * of pre-registered redirect URIs. The authorization endpoint rejects\n * any redirect_uri not in the client's registered set.\n */\n\nimport type { Kysely } from \"kysely\";\n\nimport type { Database } from \"../../database/types.js\";\nimport { validateRedirectUri } from \"../oauth/redirect-uri.js\";\nimport type { ApiResult } from \"../types.js\";\n\n// ---------------------------------------------------------------------------\n// Helpers\n// ---------------------------------------------------------------------------\n\n/** Parse a JSON string column into a typed value. */\nfunction parseJsonColumn<T>(value: string): T {\n\t// eslint-disable-next-line typescript/no-unsafe-type-assertion -- JSON.parse returns unknown, callers provide the expected shape\n\treturn JSON.parse(value) as T;\n}\n\nfunction validateRegisteredRedirectUris(redirectUris: string[]): string | null {\n\tfor (const redirectUri of redirectUris) {\n\t\tconst error = validateRedirectUri(redirectUri);\n\t\tif (error) {\n\t\t\treturn `Invalid redirect URI: ${error}`;\n\t\t}\n\t}\n\treturn null;\n}\n\n// ---------------------------------------------------------------------------\n// Types\n// ---------------------------------------------------------------------------\n\nexport interface OAuthClientInfo {\n\tid: string;\n\tname: string;\n\tredirectUris: string[];\n\tscopes: string[] | null;\n\tcreatedAt: string;\n\tupdatedAt: string;\n}\n\n// ---------------------------------------------------------------------------\n// Handlers\n// ---------------------------------------------------------------------------\n\n/**\n * Create a new OAuth client.\n */\nexport async function handleOAuthClientCreate(\n\tdb: Kysely<Database>,\n\tinput: {\n\t\tid: string;\n\t\tname: string;\n\t\tredirectUris: string[];\n\t\tscopes?: string[] | null;\n\t},\n): Promise<ApiResult<OAuthClientInfo>> {\n\ttry {\n\t\tif (input.redirectUris.length === 0) {\n\t\t\treturn {\n\t\t\t\tsuccess: false,\n\t\t\t\terror: {\n\t\t\t\t\tcode: \"VALIDATION_ERROR\",\n\t\t\t\t\tmessage: \"At least one redirect URI is required\",\n\t\t\t\t},\n\t\t\t};\n\t\t}\n\n\t\tconst redirectUriError = validateRegisteredRedirectUris(input.redirectUris);\n\t\tif (redirectUriError) {\n\t\t\treturn {\n\t\t\t\tsuccess: false,\n\t\t\t\terror: {\n\t\t\t\t\tcode: \"VALIDATION_ERROR\",\n\t\t\t\t\tmessage: redirectUriError,\n\t\t\t\t},\n\t\t\t};\n\t\t}\n\n\t\t// Check for duplicate client ID\n\t\tconst existing = await db\n\t\t\t.selectFrom(\"_emdash_oauth_clients\")\n\t\t\t.select(\"id\")\n\t\t\t.where(\"id\", \"=\", input.id)\n\t\t\t.executeTakeFirst();\n\n\t\tif (existing) {\n\t\t\treturn {\n\t\t\t\tsuccess: false,\n\t\t\t\terror: { code: \"CONFLICT\", message: \"OAuth client with this ID already exists\" },\n\t\t\t};\n\t\t}\n\n\t\tconst now = new Date().toISOString();\n\n\t\tawait db\n\t\t\t.insertInto(\"_emdash_oauth_clients\")\n\t\t\t.values({\n\t\t\t\tid: input.id,\n\t\t\t\tname: input.name,\n\t\t\t\tredirect_uris: JSON.stringify(input.redirectUris),\n\t\t\t\tscopes: input.scopes && input.scopes.length > 0 ? JSON.stringify(input.scopes) : null,\n\t\t\t})\n\t\t\t.execute();\n\n\t\treturn {\n\t\t\tsuccess: true,\n\t\t\tdata: {\n\t\t\t\tid: input.id,\n\t\t\t\tname: input.name,\n\t\t\t\tredirectUris: input.redirectUris,\n\t\t\t\tscopes: input.scopes && input.scopes.length > 0 ? input.scopes : null,\n\t\t\t\tcreatedAt: now,\n\t\t\t\tupdatedAt: now,\n\t\t\t},\n\t\t};\n\t} catch {\n\t\treturn {\n\t\t\tsuccess: false,\n\t\t\terror: {\n\t\t\t\tcode: \"CLIENT_CREATE_ERROR\",\n\t\t\t\tmessage: \"Failed to create OAuth client\",\n\t\t\t},\n\t\t};\n\t}\n}\n\n/**\n * List all registered OAuth clients.\n */\nexport async function handleOAuthClientList(\n\tdb: Kysely<Database>,\n): Promise<ApiResult<{ items: OAuthClientInfo[] }>> {\n\ttry {\n\t\tconst rows = await db\n\t\t\t.selectFrom(\"_emdash_oauth_clients\")\n\t\t\t.selectAll()\n\t\t\t.orderBy(\"created_at\", \"desc\")\n\t\t\t.execute();\n\n\t\tconst items: OAuthClientInfo[] = rows.map((row) => ({\n\t\t\tid: row.id,\n\t\t\tname: row.name,\n\t\t\tredirectUris: parseJsonColumn<string[]>(row.redirect_uris),\n\t\t\tscopes: row.scopes ? parseJsonColumn<string[]>(row.scopes) : null,\n\t\t\tcreatedAt: row.created_at,\n\t\t\tupdatedAt: row.updated_at,\n\t\t}));\n\n\t\treturn { success: true, data: { items } };\n\t} catch {\n\t\treturn {\n\t\t\tsuccess: false,\n\t\t\terror: {\n\t\t\t\tcode: \"CLIENT_LIST_ERROR\",\n\t\t\t\tmessage: \"Failed to list OAuth clients\",\n\t\t\t},\n\t\t};\n\t}\n}\n\n/**\n * Get a single OAuth client by ID.\n */\nexport async function handleOAuthClientGet(\n\tdb: Kysely<Database>,\n\tclientId: string,\n): Promise<ApiResult<OAuthClientInfo>> {\n\ttry {\n\t\tconst row = await db\n\t\t\t.selectFrom(\"_emdash_oauth_clients\")\n\t\t\t.selectAll()\n\t\t\t.where(\"id\", \"=\", clientId)\n\t\t\t.executeTakeFirst();\n\n\t\tif (!row) {\n\t\t\treturn {\n\t\t\t\tsuccess: false,\n\t\t\t\terror: { code: \"NOT_FOUND\", message: \"OAuth client not found\" },\n\t\t\t};\n\t\t}\n\n\t\treturn {\n\t\t\tsuccess: true,\n\t\t\tdata: {\n\t\t\t\tid: row.id,\n\t\t\t\tname: row.name,\n\t\t\t\tredirectUris: parseJsonColumn<string[]>(row.redirect_uris),\n\t\t\t\tscopes: row.scopes ? parseJsonColumn<string[]>(row.scopes) : null,\n\t\t\t\tcreatedAt: row.created_at,\n\t\t\t\tupdatedAt: row.updated_at,\n\t\t\t},\n\t\t};\n\t} catch {\n\t\treturn {\n\t\t\tsuccess: false,\n\t\t\terror: {\n\t\t\t\tcode: \"CLIENT_GET_ERROR\",\n\t\t\t\tmessage: \"Failed to get OAuth client\",\n\t\t\t},\n\t\t};\n\t}\n}\n\n/**\n * Update an OAuth client.\n */\nexport async function handleOAuthClientUpdate(\n\tdb: Kysely<Database>,\n\tclientId: string,\n\tinput: {\n\t\tname?: string;\n\t\tredirectUris?: string[];\n\t\tscopes?: string[] | null;\n\t},\n): Promise<ApiResult<OAuthClientInfo>> {\n\ttry {\n\t\tconst existing = await db\n\t\t\t.selectFrom(\"_emdash_oauth_clients\")\n\t\t\t.selectAll()\n\t\t\t.where(\"id\", \"=\", clientId)\n\t\t\t.executeTakeFirst();\n\n\t\tif (!existing) {\n\t\t\treturn {\n\t\t\t\tsuccess: false,\n\t\t\t\terror: { code: \"NOT_FOUND\", message: \"OAuth client not found\" },\n\t\t\t};\n\t\t}\n\n\t\tif (input.redirectUris !== undefined && input.redirectUris.length === 0) {\n\t\t\treturn {\n\t\t\t\tsuccess: false,\n\t\t\t\terror: {\n\t\t\t\t\tcode: \"VALIDATION_ERROR\",\n\t\t\t\t\tmessage: \"At least one redirect URI is required\",\n\t\t\t\t},\n\t\t\t};\n\t\t}\n\n\t\tif (input.redirectUris !== undefined) {\n\t\t\tconst redirectUriError = validateRegisteredRedirectUris(input.redirectUris);\n\t\t\tif (redirectUriError) {\n\t\t\t\treturn {\n\t\t\t\t\tsuccess: false,\n\t\t\t\t\terror: {\n\t\t\t\t\t\tcode: \"VALIDATION_ERROR\",\n\t\t\t\t\t\tmessage: redirectUriError,\n\t\t\t\t\t},\n\t\t\t\t};\n\t\t\t}\n\t\t}\n\n\t\tconst updates: Record<string, string | null> = {\n\t\t\tupdated_at: new Date().toISOString(),\n\t\t};\n\n\t\tif (input.name !== undefined) {\n\t\t\tupdates.name = input.name;\n\t\t}\n\t\tif (input.redirectUris !== undefined) {\n\t\t\tupdates.redirect_uris = JSON.stringify(input.redirectUris);\n\t\t}\n\t\tif (input.scopes !== undefined) {\n\t\t\tupdates.scopes =\n\t\t\t\tinput.scopes && input.scopes.length > 0 ? JSON.stringify(input.scopes) : null;\n\t\t}\n\n\t\tawait db.updateTable(\"_emdash_oauth_clients\").set(updates).where(\"id\", \"=\", clientId).execute();\n\n\t\t// Fetch the updated row\n\t\tconst updated = await db\n\t\t\t.selectFrom(\"_emdash_oauth_clients\")\n\t\t\t.selectAll()\n\t\t\t.where(\"id\", \"=\", clientId)\n\t\t\t.executeTakeFirst();\n\n\t\tif (!updated) {\n\t\t\treturn {\n\t\t\t\tsuccess: false,\n\t\t\t\terror: { code: \"NOT_FOUND\", message: \"OAuth client not found after update\" },\n\t\t\t};\n\t\t}\n\n\t\treturn {\n\t\t\tsuccess: true,\n\t\t\tdata: {\n\t\t\t\tid: updated.id,\n\t\t\t\tname: updated.name,\n\t\t\t\tredirectUris: parseJsonColumn<string[]>(updated.redirect_uris),\n\t\t\t\tscopes: updated.scopes ? parseJsonColumn<string[]>(updated.scopes) : null,\n\t\t\t\tcreatedAt: updated.created_at,\n\t\t\t\tupdatedAt: updated.updated_at,\n\t\t\t},\n\t\t};\n\t} catch {\n\t\treturn {\n\t\t\tsuccess: false,\n\t\t\terror: {\n\t\t\t\tcode: \"CLIENT_UPDATE_ERROR\",\n\t\t\t\tmessage: \"Failed to update OAuth client\",\n\t\t\t},\n\t\t};\n\t}\n}\n\n/**\n * Delete an OAuth client.\n */\nexport async function handleOAuthClientDelete(\n\tdb: Kysely<Database>,\n\tclientId: string,\n): Promise<ApiResult<{ deleted: true }>> {\n\ttry {\n\t\tconst result = await db\n\t\t\t.deleteFrom(\"_emdash_oauth_clients\")\n\t\t\t.where(\"id\", \"=\", clientId)\n\t\t\t.executeTakeFirst();\n\n\t\tif (result.numDeletedRows === 0n) {\n\t\t\treturn {\n\t\t\t\tsuccess: false,\n\t\t\t\terror: { code: \"NOT_FOUND\", message: \"OAuth client not found\" },\n\t\t\t};\n\t\t}\n\n\t\treturn { success: true, data: { deleted: true } };\n\t} catch {\n\t\treturn {\n\t\t\tsuccess: false,\n\t\t\terror: {\n\t\t\t\tcode: \"CLIENT_DELETE_ERROR\",\n\t\t\t\tmessage: \"Failed to delete OAuth client\",\n\t\t\t},\n\t\t};\n\t}\n}\n\n// ---------------------------------------------------------------------------\n// Lookup helpers (used by authorization handler)\n// ---------------------------------------------------------------------------\n\n/**\n * Look up a registered OAuth client by ID.\n * Returns the client's redirect URIs or null if the client is not registered.\n */\nexport async function lookupOAuthClient(\n\tdb: Kysely<Database>,\n\tclientId: string,\n): Promise<{ redirectUris: string[]; scopes: string[] | null } | null> {\n\tconst row = await db\n\t\t.selectFrom(\"_emdash_oauth_clients\")\n\t\t.select([\"redirect_uris\", \"scopes\"])\n\t\t.where(\"id\", \"=\", clientId)\n\t\t.executeTakeFirst();\n\n\tif (!row) return null;\n\n\treturn {\n\t\tredirectUris: parseJsonColumn<string[]>(row.redirect_uris),\n\t\tscopes: row.scopes ? parseJsonColumn<string[]>(row.scopes) : null,\n\t};\n}\n\n/**\n * Validate that a redirect URI is in the client's registered set.\n *\n * Comparison is exact string match (per RFC 6749 §3.1.2.3).\n * Returns null if valid, or an error message if not.\n */\nexport function validateClientRedirectUri(\n\tredirectUri: string,\n\tallowedUris: string[],\n): string | null {\n\tif (allowedUris.includes(redirectUri)) {\n\t\treturn null; // OK\n\t}\n\treturn \"redirect_uri is not registered for this client\";\n}\n"],"mappings":";;;;;;;AAMA,SAAgB,oBAAoB,KAA4B;AAC/D,KAAI;EACH,MAAM,MAAM,IAAI,IAAI,IAAI;AAGxB,MAAI,IAAI,WAAW,KAAK,CACvB,QAAO;AAIR,MAAI,IAAI,aAAa,SAAS;GAC7B,MAAM,OAAO,IAAI;AACjB,OAAI,SAAS,eAAe,SAAS,eAAe,SAAS,QAC5D,QAAO;AAER,UAAO;;AAIR,MAAI,IAAI,aAAa,SACpB,QAAO;AAGR,SAAO,oCAAoC,IAAI;SACxC;AACP,SAAO;;;;;;;ACZT,SAAS,gBAAmB,OAAkB;AAE7C,QAAO,KAAK,MAAM,MAAM;;AAGzB,SAAS,+BAA+B,cAAuC;AAC9E,MAAK,MAAM,eAAe,cAAc;EACvC,MAAM,QAAQ,oBAAoB,YAAY;AAC9C,MAAI,MACH,QAAO,yBAAyB;;AAGlC,QAAO;;;;;AAuBR,eAAsB,wBACrB,IACA,OAMsC;AACtC,KAAI;AACH,MAAI,MAAM,aAAa,WAAW,EACjC,QAAO;GACN,SAAS;GACT,OAAO;IACN,MAAM;IACN,SAAS;IACT;GACD;EAGF,MAAM,mBAAmB,+BAA+B,MAAM,aAAa;AAC3E,MAAI,iBACH,QAAO;GACN,SAAS;GACT,OAAO;IACN,MAAM;IACN,SAAS;IACT;GACD;AAUF,MANiB,MAAM,GACrB,WAAW,wBAAwB,CACnC,OAAO,KAAK,CACZ,MAAM,MAAM,KAAK,MAAM,GAAG,CAC1B,kBAAkB,CAGnB,QAAO;GACN,SAAS;GACT,OAAO;IAAE,MAAM;IAAY,SAAS;IAA4C;GAChF;EAGF,MAAM,uBAAM,IAAI,MAAM,EAAC,aAAa;AAEpC,QAAM,GACJ,WAAW,wBAAwB,CACnC,OAAO;GACP,IAAI,MAAM;GACV,MAAM,MAAM;GACZ,eAAe,KAAK,UAAU,MAAM,aAAa;GACjD,QAAQ,MAAM,UAAU,MAAM,OAAO,SAAS,IAAI,KAAK,UAAU,MAAM,OAAO,GAAG;GACjF,CAAC,CACD,SAAS;AAEX,SAAO;GACN,SAAS;GACT,MAAM;IACL,IAAI,MAAM;IACV,MAAM,MAAM;IACZ,cAAc,MAAM;IACpB,QAAQ,MAAM,UAAU,MAAM,OAAO,SAAS,IAAI,MAAM,SAAS;IACjE,WAAW;IACX,WAAW;IACX;GACD;SACM;AACP,SAAO;GACN,SAAS;GACT,OAAO;IACN,MAAM;IACN,SAAS;IACT;GACD;;;;;;AAOH,eAAsB,sBACrB,IACmD;AACnD,KAAI;AAgBH,SAAO;GAAE,SAAS;GAAM,MAAM,EAAE,QAfnB,MAAM,GACjB,WAAW,wBAAwB,CACnC,WAAW,CACX,QAAQ,cAAc,OAAO,CAC7B,SAAS,EAE2B,KAAK,SAAS;IACnD,IAAI,IAAI;IACR,MAAM,IAAI;IACV,cAAc,gBAA0B,IAAI,cAAc;IAC1D,QAAQ,IAAI,SAAS,gBAA0B,IAAI,OAAO,GAAG;IAC7D,WAAW,IAAI;IACf,WAAW,IAAI;IACf,EAAE,EAEoC;GAAE;SAClC;AACP,SAAO;GACN,SAAS;GACT,OAAO;IACN,MAAM;IACN,SAAS;IACT;GACD;;;;;;AAOH,eAAsB,qBACrB,IACA,UACsC;AACtC,KAAI;EACH,MAAM,MAAM,MAAM,GAChB,WAAW,wBAAwB,CACnC,WAAW,CACX,MAAM,MAAM,KAAK,SAAS,CAC1B,kBAAkB;AAEpB,MAAI,CAAC,IACJ,QAAO;GACN,SAAS;GACT,OAAO;IAAE,MAAM;IAAa,SAAS;IAA0B;GAC/D;AAGF,SAAO;GACN,SAAS;GACT,MAAM;IACL,IAAI,IAAI;IACR,MAAM,IAAI;IACV,cAAc,gBAA0B,IAAI,cAAc;IAC1D,QAAQ,IAAI,SAAS,gBAA0B,IAAI,OAAO,GAAG;IAC7D,WAAW,IAAI;IACf,WAAW,IAAI;IACf;GACD;SACM;AACP,SAAO;GACN,SAAS;GACT,OAAO;IACN,MAAM;IACN,SAAS;IACT;GACD;;;;;;AAOH,eAAsB,wBACrB,IACA,UACA,OAKsC;AACtC,KAAI;AAOH,MAAI,CANa,MAAM,GACrB,WAAW,wBAAwB,CACnC,WAAW,CACX,MAAM,MAAM,KAAK,SAAS,CAC1B,kBAAkB,CAGnB,QAAO;GACN,SAAS;GACT,OAAO;IAAE,MAAM;IAAa,SAAS;IAA0B;GAC/D;AAGF,MAAI,MAAM,iBAAiB,UAAa,MAAM,aAAa,WAAW,EACrE,QAAO;GACN,SAAS;GACT,OAAO;IACN,MAAM;IACN,SAAS;IACT;GACD;AAGF,MAAI,MAAM,iBAAiB,QAAW;GACrC,MAAM,mBAAmB,+BAA+B,MAAM,aAAa;AAC3E,OAAI,iBACH,QAAO;IACN,SAAS;IACT,OAAO;KACN,MAAM;KACN,SAAS;KACT;IACD;;EAIH,MAAM,UAAyC,EAC9C,6BAAY,IAAI,MAAM,EAAC,aAAa,EACpC;AAED,MAAI,MAAM,SAAS,OAClB,SAAQ,OAAO,MAAM;AAEtB,MAAI,MAAM,iBAAiB,OAC1B,SAAQ,gBAAgB,KAAK,UAAU,MAAM,aAAa;AAE3D,MAAI,MAAM,WAAW,OACpB,SAAQ,SACP,MAAM,UAAU,MAAM,OAAO,SAAS,IAAI,KAAK,UAAU,MAAM,OAAO,GAAG;AAG3E,QAAM,GAAG,YAAY,wBAAwB,CAAC,IAAI,QAAQ,CAAC,MAAM,MAAM,KAAK,SAAS,CAAC,SAAS;EAG/F,MAAM,UAAU,MAAM,GACpB,WAAW,wBAAwB,CACnC,WAAW,CACX,MAAM,MAAM,KAAK,SAAS,CAC1B,kBAAkB;AAEpB,MAAI,CAAC,QACJ,QAAO;GACN,SAAS;GACT,OAAO;IAAE,MAAM;IAAa,SAAS;IAAuC;GAC5E;AAGF,SAAO;GACN,SAAS;GACT,MAAM;IACL,IAAI,QAAQ;IACZ,MAAM,QAAQ;IACd,cAAc,gBAA0B,QAAQ,cAAc;IAC9D,QAAQ,QAAQ,SAAS,gBAA0B,QAAQ,OAAO,GAAG;IACrE,WAAW,QAAQ;IACnB,WAAW,QAAQ;IACnB;GACD;SACM;AACP,SAAO;GACN,SAAS;GACT,OAAO;IACN,MAAM;IACN,SAAS;IACT;GACD;;;;;;AAOH,eAAsB,wBACrB,IACA,UACwC;AACxC,KAAI;AAMH,OALe,MAAM,GACnB,WAAW,wBAAwB,CACnC,MAAM,MAAM,KAAK,SAAS,CAC1B,kBAAkB,EAET,mBAAmB,GAC7B,QAAO;GACN,SAAS;GACT,OAAO;IAAE,MAAM;IAAa,SAAS;IAA0B;GAC/D;AAGF,SAAO;GAAE,SAAS;GAAM,MAAM,EAAE,SAAS,MAAM;GAAE;SAC1C;AACP,SAAO;GACN,SAAS;GACT,OAAO;IACN,MAAM;IACN,SAAS;IACT;GACD;;;;;;;AAYH,eAAsB,kBACrB,IACA,UACsE;CACtE,MAAM,MAAM,MAAM,GAChB,WAAW,wBAAwB,CACnC,OAAO,CAAC,iBAAiB,SAAS,CAAC,CACnC,MAAM,MAAM,KAAK,SAAS,CAC1B,kBAAkB;AAEpB,KAAI,CAAC,IAAK,QAAO;AAEjB,QAAO;EACN,cAAc,gBAA0B,IAAI,cAAc;EAC1D,QAAQ,IAAI,SAAS,gBAA0B,IAAI,OAAO,GAAG;EAC7D;;;;;;;;AASF,SAAgB,0BACf,aACA,aACgB;AAChB,KAAI,YAAY,SAAS,YAAY,CACpC,QAAO;AAER,QAAO"}

package/dist/{oauth-state-store-DpsZViTu.mjs → oauth-state-store-vOSdOeGe.mjs}

@@ -46,4 +46,4 @@ function createOAuthStateStore(db) {
 
 //#endregion
 export { createOAuthStateStore as t };
-//# sourceMappingURL=oauth-state-store-DpsZViTu.mjs.map
+//# sourceMappingURL=oauth-state-store-vOSdOeGe.mjs.map

package/dist/{oauth-state-store-DpsZViTu.mjs.map → oauth-state-store-vOSdOeGe.mjs.map}

@@ -1 +1 @@
-{"version":3,"file":"oauth-state-store-DpsZViTu.mjs","names":[],"sources":["../src/auth/oauth-state-store.ts"],"sourcesContent":["/**\n * OAuth state store\n *\n * Stores OAuth state in the auth_challenges table with automatic expiration.\n * Uses the existing table but with type=\"oauth\" to distinguish from WebAuthn challenges.\n */\n\nimport type { StateStore, OAuthState } from \"@emdash-cms/auth\";\nimport type { Kysely } from \"kysely\";\n\nimport type { Database } from \"../database/types.js\";\n\nconst OAUTH_STATE_TTL_MS = 10 * 60 * 1000; // 10 minutes\n\nexport function createOAuthStateStore(db: Kysely<Database>): StateStore {\n\treturn {\n\t\tasync set(state: string, data: OAuthState): Promise<void> {\n\t\t\tconst expiresAt = new Date(Date.now() + OAUTH_STATE_TTL_MS).toISOString();\n\n\t\t\tawait db\n\t\t\t\t.insertInto(\"auth_challenges\")\n\t\t\t\t.values({\n\t\t\t\t\tchallenge: state,\n\t\t\t\t\ttype: \"oauth\",\n\t\t\t\t\tuser_id: null,\n\t\t\t\t\tdata: JSON.stringify(data),\n\t\t\t\t\texpires_at: expiresAt,\n\t\t\t\t})\n\t\t\t\t.onConflict((oc) =>\n\t\t\t\t\toc.column(\"challenge\").doUpdateSet({\n\t\t\t\t\t\ttype: \"oauth\",\n\t\t\t\t\t\tdata: JSON.stringify(data),\n\t\t\t\t\t\texpires_at: expiresAt,\n\t\t\t\t\t}),\n\t\t\t\t)\n\t\t\t\t.execute();\n\t\t},\n\n\t\tasync get(state: string): Promise<OAuthState | null> {\n\t\t\tconst row = await db\n\t\t\t\t.selectFrom(\"auth_challenges\")\n\t\t\t\t.selectAll()\n\t\t\t\t.where(\"challenge\", \"=\", state)\n\t\t\t\t.where(\"type\", \"=\", \"oauth\")\n\t\t\t\t.executeTakeFirst();\n\n\t\t\tif (!row) return null;\n\n\t\t\tconst expiresAt = new Date(row.expires_at).getTime();\n\n\t\t\t// Check expiration\n\t\t\tif (expiresAt < Date.now()) {\n\t\t\t\t// Expired, delete and return null\n\t\t\t\tawait this.delete(state);\n\t\t\t\treturn null;\n\t\t\t}\n\n\t\t\tif (!row.data) return null;\n\n\t\t\ttry {\n\t\t\t\tconst parsed: unknown = JSON.parse(row.data);\n\t\t\t\tif (\n\t\t\t\t\ttypeof parsed !== \"object\" ||\n\t\t\t\t\tparsed === null ||\n\t\t\t\t\t!(\"provider\" in parsed) ||\n\t\t\t\t\ttypeof parsed.provider !== \"string\" ||\n\t\t\t\t\t!(\"redirectUri\" in parsed) ||\n\t\t\t\t\ttypeof parsed.redirectUri !== \"string\"\n\t\t\t\t) {\n\t\t\t\t\treturn null;\n\t\t\t\t}\n\t\t\t\tconst oauthState: OAuthState = {\n\t\t\t\t\tprovider: parsed.provider,\n\t\t\t\t\tredirectUri: parsed.redirectUri,\n\t\t\t\t};\n\t\t\t\tif (\"codeVerifier\" in parsed && typeof parsed.codeVerifier === \"string\") {\n\t\t\t\t\toauthState.codeVerifier = parsed.codeVerifier;\n\t\t\t\t}\n\t\t\t\tif (\"nonce\" in parsed && typeof parsed.nonce === \"string\") {\n\t\t\t\t\toauthState.nonce = parsed.nonce;\n\t\t\t\t}\n\t\t\t\treturn oauthState;\n\t\t\t} catch {\n\t\t\t\treturn null;\n\t\t\t}\n\t\t},\n\n\t\tasync delete(state: string): Promise<void> {\n\t\t\tawait db\n\t\t\t\t.deleteFrom(\"auth_challenges\")\n\t\t\t\t.where(\"challenge\", \"=\", state)\n\t\t\t\t.where(\"type\", \"=\", \"oauth\")\n\t\t\t\t.execute();\n\t\t},\n\t};\n}\n"],"mappings":";AAYA,MAAM,qBAAqB,MAAU;AAErC,SAAgB,sBAAsB,IAAkC;AACvE,QAAO;EACN,MAAM,IAAI,OAAe,MAAiC;GACzD,MAAM,YAAY,IAAI,KAAK,KAAK,KAAK,GAAG,mBAAmB,CAAC,aAAa;AAEzE,SAAM,GACJ,WAAW,kBAAkB,CAC7B,OAAO;IACP,WAAW;IACX,MAAM;IACN,SAAS;IACT,MAAM,KAAK,UAAU,KAAK;IAC1B,YAAY;IACZ,CAAC,CACD,YAAY,OACZ,GAAG,OAAO,YAAY,CAAC,YAAY;IAClC,MAAM;IACN,MAAM,KAAK,UAAU,KAAK;IAC1B,YAAY;IACZ,CAAC,CACF,CACA,SAAS;;EAGZ,MAAM,IAAI,OAA2C;GACpD,MAAM,MAAM,MAAM,GAChB,WAAW,kBAAkB,CAC7B,WAAW,CACX,MAAM,aAAa,KAAK,MAAM,CAC9B,MAAM,QAAQ,KAAK,QAAQ,CAC3B,kBAAkB;AAEpB,OAAI,CAAC,IAAK,QAAO;AAKjB,OAHkB,IAAI,KAAK,IAAI,WAAW,CAAC,SAAS,GAGpC,KAAK,KAAK,EAAE;AAE3B,UAAM,KAAK,OAAO,MAAM;AACxB,WAAO;;AAGR,OAAI,CAAC,IAAI,KAAM,QAAO;AAEtB,OAAI;IACH,MAAM,SAAkB,KAAK,MAAM,IAAI,KAAK;AAC5C,QACC,OAAO,WAAW,YAClB,WAAW,QACX,EAAE,cAAc,WAChB,OAAO,OAAO,aAAa,YAC3B,EAAE,iBAAiB,WACnB,OAAO,OAAO,gBAAgB,SAE9B,QAAO;IAER,MAAM,aAAyB;KAC9B,UAAU,OAAO;KACjB,aAAa,OAAO;KACpB;AACD,QAAI,kBAAkB,UAAU,OAAO,OAAO,iBAAiB,SAC9D,YAAW,eAAe,OAAO;AAElC,QAAI,WAAW,UAAU,OAAO,OAAO,UAAU,SAChD,YAAW,QAAQ,OAAO;AAE3B,WAAO;WACA;AACP,WAAO;;;EAIT,MAAM,OAAO,OAA8B;AAC1C,SAAM,GACJ,WAAW,kBAAkB,CAC7B,MAAM,aAAa,KAAK,MAAM,CAC9B,MAAM,QAAQ,KAAK,QAAQ,CAC3B,SAAS;;EAEZ"}
+{"version":3,"file":"oauth-state-store-vOSdOeGe.mjs","names":[],"sources":["../src/auth/oauth-state-store.ts"],"sourcesContent":["/**\n * OAuth state store\n *\n * Stores OAuth state in the auth_challenges table with automatic expiration.\n * Uses the existing table but with type=\"oauth\" to distinguish from WebAuthn challenges.\n */\n\nimport type { StateStore, OAuthState } from \"@emdash-cms/auth\";\nimport type { Kysely } from \"kysely\";\n\nimport type { Database } from \"../database/types.js\";\n\nconst OAUTH_STATE_TTL_MS = 10 * 60 * 1000; // 10 minutes\n\nexport function createOAuthStateStore(db: Kysely<Database>): StateStore {\n\treturn {\n\t\tasync set(state: string, data: OAuthState): Promise<void> {\n\t\t\tconst expiresAt = new Date(Date.now() + OAUTH_STATE_TTL_MS).toISOString();\n\n\t\t\tawait db\n\t\t\t\t.insertInto(\"auth_challenges\")\n\t\t\t\t.values({\n\t\t\t\t\tchallenge: state,\n\t\t\t\t\ttype: \"oauth\",\n\t\t\t\t\tuser_id: null,\n\t\t\t\t\tdata: JSON.stringify(data),\n\t\t\t\t\texpires_at: expiresAt,\n\t\t\t\t})\n\t\t\t\t.onConflict((oc) =>\n\t\t\t\t\toc.column(\"challenge\").doUpdateSet({\n\t\t\t\t\t\ttype: \"oauth\",\n\t\t\t\t\t\tdata: JSON.stringify(data),\n\t\t\t\t\t\texpires_at: expiresAt,\n\t\t\t\t\t}),\n\t\t\t\t)\n\t\t\t\t.execute();\n\t\t},\n\n\t\tasync get(state: string): Promise<OAuthState | null> {\n\t\t\tconst row = await db\n\t\t\t\t.selectFrom(\"auth_challenges\")\n\t\t\t\t.selectAll()\n\t\t\t\t.where(\"challenge\", \"=\", state)\n\t\t\t\t.where(\"type\", \"=\", \"oauth\")\n\t\t\t\t.executeTakeFirst();\n\n\t\t\tif (!row) return null;\n\n\t\t\tconst expiresAt = new Date(row.expires_at).getTime();\n\n\t\t\t// Check expiration\n\t\t\tif (expiresAt < Date.now()) {\n\t\t\t\t// Expired, delete and return null\n\t\t\t\tawait this.delete(state);\n\t\t\t\treturn null;\n\t\t\t}\n\n\t\t\tif (!row.data) return null;\n\n\t\t\ttry {\n\t\t\t\tconst parsed: unknown = JSON.parse(row.data);\n\t\t\t\tif (\n\t\t\t\t\ttypeof parsed !== \"object\" ||\n\t\t\t\t\tparsed === null ||\n\t\t\t\t\t!(\"provider\" in parsed) ||\n\t\t\t\t\ttypeof parsed.provider !== \"string\" ||\n\t\t\t\t\t!(\"redirectUri\" in parsed) ||\n\t\t\t\t\ttypeof parsed.redirectUri !== \"string\"\n\t\t\t\t) {\n\t\t\t\t\treturn null;\n\t\t\t\t}\n\t\t\t\tconst oauthState: OAuthState = {\n\t\t\t\t\tprovider: parsed.provider,\n\t\t\t\t\tredirectUri: parsed.redirectUri,\n\t\t\t\t};\n\t\t\t\tif (\"codeVerifier\" in parsed && typeof parsed.codeVerifier === \"string\") {\n\t\t\t\t\toauthState.codeVerifier = parsed.codeVerifier;\n\t\t\t\t}\n\t\t\t\tif (\"nonce\" in parsed && typeof parsed.nonce === \"string\") {\n\t\t\t\t\toauthState.nonce = parsed.nonce;\n\t\t\t\t}\n\t\t\t\treturn oauthState;\n\t\t\t} catch {\n\t\t\t\treturn null;\n\t\t\t}\n\t\t},\n\n\t\tasync delete(state: string): Promise<void> {\n\t\t\tawait db\n\t\t\t\t.deleteFrom(\"auth_challenges\")\n\t\t\t\t.where(\"challenge\", \"=\", state)\n\t\t\t\t.where(\"type\", \"=\", \"oauth\")\n\t\t\t\t.execute();\n\t\t},\n\t};\n}\n"],"mappings":";AAYA,MAAM,qBAAqB,MAAU;AAErC,SAAgB,sBAAsB,IAAkC;AACvE,QAAO;EACN,MAAM,IAAI,OAAe,MAAiC;GACzD,MAAM,YAAY,IAAI,KAAK,KAAK,KAAK,GAAG,mBAAmB,CAAC,aAAa;AAEzE,SAAM,GACJ,WAAW,kBAAkB,CAC7B,OAAO;IACP,WAAW;IACX,MAAM;IACN,SAAS;IACT,MAAM,KAAK,UAAU,KAAK;IAC1B,YAAY;IACZ,CAAC,CACD,YAAY,OACZ,GAAG,OAAO,YAAY,CAAC,YAAY;IAClC,MAAM;IACN,MAAM,KAAK,UAAU,KAAK;IAC1B,YAAY;IACZ,CAAC,CACF,CACA,SAAS;;EAGZ,MAAM,IAAI,OAA2C;GACpD,MAAM,MAAM,MAAM,GAChB,WAAW,kBAAkB,CAC7B,WAAW,CACX,MAAM,aAAa,KAAK,MAAM,CAC9B,MAAM,QAAQ,KAAK,QAAQ,CAC3B,kBAAkB;AAEpB,OAAI,CAAC,IAAK,QAAO;AAKjB,OAHkB,IAAI,KAAK,IAAI,WAAW,CAAC,SAAS,GAGpC,KAAK,KAAK,EAAE;AAE3B,UAAM,KAAK,OAAO,MAAM;AACxB,WAAO;;AAGR,OAAI,CAAC,IAAI,KAAM,QAAO;AAEtB,OAAI;IACH,MAAM,SAAkB,KAAK,MAAM,IAAI,KAAK;AAC5C,QACC,OAAO,WAAW,YAClB,WAAW,QACX,EAAE,cAAc,WAChB,OAAO,OAAO,aAAa,YAC3B,EAAE,iBAAiB,WACnB,OAAO,OAAO,gBAAgB,SAE9B,QAAO;IAER,MAAM,aAAyB;KAC9B,UAAU,OAAO;KACjB,aAAa,OAAO;KACpB;AACD,QAAI,kBAAkB,UAAU,OAAO,OAAO,iBAAiB,SAC9D,YAAW,eAAe,OAAO;AAElC,QAAI,WAAW,UAAU,OAAO,OAAO,UAAU,SAChD,YAAW,QAAQ,OAAO;AAE3B,WAAO;WACA;AACP,WAAO;;;EAIT,MAAM,OAAO,OAA8B;AAC1C,SAAM,GACJ,WAAW,kBAAkB,CAC7B,MAAM,aAAa,KAAK,MAAM,CAC9B,MAAM,QAAQ,KAAK,QAAQ,CAC3B,SAAS;;EAEZ"}

package/dist/{oauth-user-lookup-meyS2oB1.mjs → oauth-user-lookup-3JwsVw6N.mjs}

@@ -23,4 +23,4 @@ async function lookupUserRoleAndStatus(db, userId) {
 
 //#endregion
 export { lookupUserRoleAndStatus as t };
-//# sourceMappingURL=oauth-user-lookup-meyS2oB1.mjs.map
+//# sourceMappingURL=oauth-user-lookup-3JwsVw6N.mjs.map

package/dist/{oauth-user-lookup-meyS2oB1.mjs.map → oauth-user-lookup-3JwsVw6N.mjs.map}

@@ -1 +1 @@
-{"version":3,"file":"oauth-user-lookup-meyS2oB1.mjs","names":[],"sources":["../src/api/handlers/oauth-user-lookup.ts"],"sourcesContent":["/**\n * Shared user lookup for OAuth token operations.\n *\n * Extracts user role and disabled status from the database. Used by\n * handleTokenRefresh() to revalidate scopes against the user's current\n * role and reject disabled users.\n */\n\nimport { toRoleLevel, type RoleLevel } from \"@emdash-cms/auth\";\nimport type { Kysely } from \"kysely\";\n\nimport type { Database } from \"../../database/types.js\";\n\nexport interface UserRoleAndStatus {\n\trole: RoleLevel;\n\tdisabled: boolean;\n}\n\n/**\n * Look up a user's current role and disabled status.\n * Returns null if the user doesn't exist.\n */\nexport async function lookupUserRoleAndStatus(\n\tdb: Kysely<Database>,\n\tuserId: string,\n): Promise<UserRoleAndStatus | null> {\n\tconst row = await db\n\t\t.selectFrom(\"users\")\n\t\t.select([\"role\", \"disabled\"])\n\t\t.where(\"id\", \"=\", userId)\n\t\t.executeTakeFirst();\n\n\tif (!row) return null;\n\n\treturn {\n\t\trole: toRoleLevel(row.role),\n\t\tdisabled: row.disabled === 1,\n\t};\n}\n"],"mappings":";;;;;;;;;;;;;;AAsBA,eAAsB,wBACrB,IACA,QACoC;CACpC,MAAM,MAAM,MAAM,GAChB,WAAW,QAAQ,CACnB,OAAO,CAAC,QAAQ,WAAW,CAAC,CAC5B,MAAM,MAAM,KAAK,OAAO,CACxB,kBAAkB;AAEpB,KAAI,CAAC,IAAK,QAAO;AAEjB,QAAO;EACN,MAAM,YAAY,IAAI,KAAK;EAC3B,UAAU,IAAI,aAAa;EAC3B"}
+{"version":3,"file":"oauth-user-lookup-3JwsVw6N.mjs","names":[],"sources":["../src/api/handlers/oauth-user-lookup.ts"],"sourcesContent":["/**\n * Shared user lookup for OAuth token operations.\n *\n * Extracts user role and disabled status from the database. Used by\n * handleTokenRefresh() to revalidate scopes against the user's current\n * role and reject disabled users.\n */\n\nimport { toRoleLevel, type RoleLevel } from \"@emdash-cms/auth\";\nimport type { Kysely } from \"kysely\";\n\nimport type { Database } from \"../../database/types.js\";\n\nexport interface UserRoleAndStatus {\n\trole: RoleLevel;\n\tdisabled: boolean;\n}\n\n/**\n * Look up a user's current role and disabled status.\n * Returns null if the user doesn't exist.\n */\nexport async function lookupUserRoleAndStatus(\n\tdb: Kysely<Database>,\n\tuserId: string,\n): Promise<UserRoleAndStatus | null> {\n\tconst row = await db\n\t\t.selectFrom(\"users\")\n\t\t.select([\"role\", \"disabled\"])\n\t\t.where(\"id\", \"=\", userId)\n\t\t.executeTakeFirst();\n\n\tif (!row) return null;\n\n\treturn {\n\t\trole: toRoleLevel(row.role),\n\t\tdisabled: row.disabled === 1,\n\t};\n}\n"],"mappings":";;;;;;;;;;;;;;AAsBA,eAAsB,wBACrB,IACA,QACoC;CACpC,MAAM,MAAM,MAAM,GAChB,WAAW,QAAQ,CACnB,OAAO,CAAC,QAAQ,WAAW,CAAC,CAC5B,MAAM,MAAM,KAAK,OAAO,CACxB,kBAAkB;AAEpB,KAAI,CAAC,IAAK,QAAO;AAEjB,QAAO;EACN,MAAM,YAAY,IAAI,KAAK;EAC3B,UAAU,IAAI,aAAa;EAC3B"}

package/dist/options-BL4X94qY.mjs.map

@@ -1 +1 @@
-{"version":3,"file":"options-BL4X94qY.mjs","names":[],"sources":["../src/database/repositories/options.ts"],"sourcesContent":["import { sql, type Kysely, type SqlBool } from \"kysely\";\n\nimport type { Database, OptionTable } from \"../types.js\";\n\nfunction escapeLike(value: string): string {\n\treturn value.replaceAll(\"\\\\\", \"\\\\\\\\\").replaceAll(\"%\", \"\\\\%\").replaceAll(\"_\", \"\\\\_\");\n}\n\n/**\n * Options repository for key-value settings storage\n *\n * Used for site settings, plugin configuration, and other arbitrary key-value data.\n * Values are stored as JSON for flexibility.\n */\nexport class OptionsRepository {\n\tconstructor(private db: Kysely<Database>) {}\n\n\t/**\n\t * Get an option value\n\t */\n\tasync get<T = unknown>(name: string): Promise<T | null> {\n\t\tconst row = await this.db\n\t\t\t.selectFrom(\"options\")\n\t\t\t.select(\"value\")\n\t\t\t.where(\"name\", \"=\", name)\n\t\t\t.executeTakeFirst();\n\n\t\tif (!row) return null;\n\t\t// eslint-disable-next-line typescript-eslint(no-unsafe-type-assertion) -- JSON.parse returns any; generic callers provide T\n\t\treturn JSON.parse(row.value) as T;\n\t}\n\n\t/**\n\t * Get an option value with a default\n\t */\n\tasync getOrDefault<T>(name: string, defaultValue: T): Promise<T> {\n\t\tconst value = await this.get<T>(name);\n\t\treturn value ?? defaultValue;\n\t}\n\n\t/**\n\t * Set an option value (creates or updates)\n\t */\n\tasync set<T = unknown>(name: string, value: T): Promise<void> {\n\t\tconst row: OptionTable = {\n\t\t\tname,\n\t\t\tvalue: JSON.stringify(value),\n\t\t};\n\n\t\t// Upsert: insert or replace\n\t\tawait this.db\n\t\t\t.insertInto(\"options\")\n\t\t\t.values(row)\n\t\t\t.onConflict((oc) => oc.column(\"name\").doUpdateSet({ value: row.value }))\n\t\t\t.execute();\n\t}\n\n\t/**\n\t * Set an option value only if no row with that name exists. Atomic at the\n\t * database level via INSERT ... ON CONFLICT DO NOTHING, so concurrent\n\t * callers can't race past the check.\n\t *\n\t * Returns true when the row was inserted, false when a row already\n\t * existed (regardless of its value — even an empty string or null).\n\t */\n\tasync setIfAbsent<T = unknown>(name: string, value: T): Promise<boolean> {\n\t\tconst row: OptionTable = {\n\t\t\tname,\n\t\t\tvalue: JSON.stringify(value),\n\t\t};\n\n\t\tconst result = await this.db\n\t\t\t.insertInto(\"options\")\n\t\t\t.values(row)\n\t\t\t.onConflict((oc) => oc.column(\"name\").doNothing())\n\t\t\t.executeTakeFirst();\n\n\t\t// SQLite reports numInsertedOrUpdatedRows; Postgres reports the same.\n\t\t// When the ON CONFLICT branch fires and does nothing, the count is 0.\n\t\treturn (result.numInsertedOrUpdatedRows ?? 0n) > 0n;\n\t}\n\n\t/**\n\t * Delete an option\n\t */\n\tasync delete(name: string): Promise<boolean> {\n\t\tconst result = await this.db.deleteFrom(\"options\").where(\"name\", \"=\", name).executeTakeFirst();\n\n\t\treturn (result.numDeletedRows ?? 0) > 0;\n\t}\n\n\t/**\n\t * Check if an option exists\n\t */\n\tasync exists(name: string): Promise<boolean> {\n\t\tconst row = await this.db\n\t\t\t.selectFrom(\"options\")\n\t\t\t.select(\"name\")\n\t\t\t.where(\"name\", \"=\", name)\n\t\t\t.executeTakeFirst();\n\n\t\treturn !!row;\n\t}\n\n\t/**\n\t * Get multiple options at once\n\t */\n\tasync getMany<T = unknown>(names: string[]): Promise<Map<string, T>> {\n\t\tif (names.length === 0) return new Map();\n\n\t\tconst rows = await this.db\n\t\t\t.selectFrom(\"options\")\n\t\t\t.select([\"name\", \"value\"])\n\t\t\t.where(\"name\", \"in\", names)\n\t\t\t.execute();\n\n\t\tconst result = new Map<string, T>();\n\t\tfor (const row of rows) {\n\t\t\t// eslint-disable-next-line typescript-eslint(no-unsafe-type-assertion) -- JSON.parse returns any; generic callers provide T\n\t\t\tresult.set(row.name, JSON.parse(row.value) as T);\n\t\t}\n\t\treturn result;\n\t}\n\n\t/**\n\t * Set multiple options at once\n\t */\n\tasync setMany<T = unknown>(options: Record<string, T>): Promise<void> {\n\t\tconst entries = Object.entries(options);\n\t\tif (entries.length === 0) return;\n\n\t\tfor (const [name, value] of entries) {\n\t\t\tawait this.set(name, value);\n\t\t}\n\t}\n\n\t/**\n\t * Get all options (use sparingly)\n\t */\n\tasync getAll(): Promise<Map<string, unknown>> {\n\t\tconst rows = await this.db.selectFrom(\"options\").select([\"name\", \"value\"]).execute();\n\n\t\tconst result = new Map<string, unknown>();\n\t\tfor (const row of rows) {\n\t\t\tresult.set(row.name, JSON.parse(row.value));\n\t\t}\n\t\treturn result;\n\t}\n\n\t/**\n\t * Get all options matching a prefix\n\t */\n\tasync getByPrefix<T = unknown>(prefix: string): Promise<Map<string, T>> {\n\t\tconst pattern = `${escapeLike(prefix)}%`;\n\t\tconst rows = await this.db\n\t\t\t.selectFrom(\"options\")\n\t\t\t.select([\"name\", \"value\"])\n\t\t\t.where(sql<SqlBool>`name LIKE ${pattern} ESCAPE '\\\\'`)\n\t\t\t.execute();\n\n\t\tconst result = new Map<string, T>();\n\t\tfor (const row of rows) {\n\t\t\t// eslint-disable-next-line typescript-eslint(no-unsafe-type-assertion) -- JSON.parse returns any; generic callers provide T\n\t\t\tresult.set(row.name, JSON.parse(row.value) as T);\n\t\t}\n\t\treturn result;\n\t}\n\n\t/**\n\t * Delete all options matching a prefix\n\t */\n\tasync deleteByPrefix(prefix: string): Promise<number> {\n\t\tconst pattern = `${escapeLike(prefix)}%`;\n\t\tconst result = await this.db\n\t\t\t.deleteFrom(\"options\")\n\t\t\t.where(sql<SqlBool>`name LIKE ${pattern} ESCAPE '\\\\'`)\n\t\t\t.executeTakeFirst();\n\n\t\treturn Number(result.numDeletedRows ?? 0);\n\t}\n}\n"],"mappings":";;;AAIA,SAAS,WAAW,OAAuB;AAC1C,QAAO,MAAM,WAAW,MAAM,OAAO,CAAC,WAAW,KAAK,MAAM,CAAC,WAAW,KAAK,MAAM;;;;;;;;AASpF,IAAa,oBAAb,MAA+B;CAC9B,YAAY,AAAQ,IAAsB;EAAtB;;;;;CAKpB,MAAM,IAAiB,MAAiC;EACvD,MAAM,MAAM,MAAM,KAAK,GACrB,WAAW,UAAU,CACrB,OAAO,QAAQ,CACf,MAAM,QAAQ,KAAK,KAAK,CACxB,kBAAkB;AAEpB,MAAI,CAAC,IAAK,QAAO;AAEjB,SAAO,KAAK,MAAM,IAAI,MAAM;;;;;CAM7B,MAAM,aAAgB,MAAc,cAA6B;AAEhE,SADc,MAAM,KAAK,IAAO,KAAK,IACrB;;;;;CAMjB,MAAM,IAAiB,MAAc,OAAyB;EAC7D,MAAM,MAAmB;GACxB;GACA,OAAO,KAAK,UAAU,MAAM;GAC5B;AAGD,QAAM,KAAK,GACT,WAAW,UAAU,CACrB,OAAO,IAAI,CACX,YAAY,OAAO,GAAG,OAAO,OAAO,CAAC,YAAY,EAAE,OAAO,IAAI,OAAO,CAAC,CAAC,CACvE,SAAS;;;;;;;;;;CAWZ,MAAM,YAAyB,MAAc,OAA4B;EACxE,MAAM,MAAmB;GACxB;GACA,OAAO,KAAK,UAAU,MAAM;GAC5B;AAUD,WARe,MAAM,KAAK,GACxB,WAAW,UAAU,CACrB,OAAO,IAAI,CACX,YAAY,OAAO,GAAG,OAAO,OAAO,CAAC,WAAW,CAAC,CACjD,kBAAkB,EAIL,4BAA4B,MAAM;;;;;CAMlD,MAAM,OAAO,MAAgC;AAG5C,WAFe,MAAM,KAAK,GAAG,WAAW,UAAU,CAAC,MAAM,QAAQ,KAAK,KAAK,CAAC,kBAAkB,EAE/E,kBAAkB,KAAK;;;;;CAMvC,MAAM,OAAO,MAAgC;AAO5C,SAAO,CAAC,CANI,MAAM,KAAK,GACrB,WAAW,UAAU,CACrB,OAAO,OAAO,CACd,MAAM,QAAQ,KAAK,KAAK,CACxB,kBAAkB;;;;;CAQrB,MAAM,QAAqB,OAA0C;AACpE,MAAI,MAAM,WAAW,EAAG,wBAAO,IAAI,KAAK;EAExC,MAAM,OAAO,MAAM,KAAK,GACtB,WAAW,UAAU,CACrB,OAAO,CAAC,QAAQ,QAAQ,CAAC,CACzB,MAAM,QAAQ,MAAM,MAAM,CAC1B,SAAS;EAEX,MAAM,yBAAS,IAAI,KAAgB;AACnC,OAAK,MAAM,OAAO,KAEjB,QAAO,IAAI,IAAI,MAAM,KAAK,MAAM,IAAI,MAAM,CAAM;AAEjD,SAAO;;;;;CAMR,MAAM,QAAqB,SAA2C;EACrE,MAAM,UAAU,OAAO,QAAQ,QAAQ;AACvC,MAAI,QAAQ,WAAW,EAAG;AAE1B,OAAK,MAAM,CAAC,MAAM,UAAU,QAC3B,OAAM,KAAK,IAAI,MAAM,MAAM;;;;;CAO7B,MAAM,SAAwC;EAC7C,MAAM,OAAO,MAAM,KAAK,GAAG,WAAW,UAAU,CAAC,OAAO,CAAC,QAAQ,QAAQ,CAAC,CAAC,SAAS;EAEpF,MAAM,yBAAS,IAAI,KAAsB;AACzC,OAAK,MAAM,OAAO,KACjB,QAAO,IAAI,IAAI,MAAM,KAAK,MAAM,IAAI,MAAM,CAAC;AAE5C,SAAO;;;;;CAMR,MAAM,YAAyB,QAAyC;EACvE,MAAM,UAAU,GAAG,WAAW,OAAO,CAAC;EACtC,MAAM,OAAO,MAAM,KAAK,GACtB,WAAW,UAAU,CACrB,OAAO,CAAC,QAAQ,QAAQ,CAAC,CACzB,MAAM,GAAY,aAAa,QAAQ,cAAc,CACrD,SAAS;EAEX,MAAM,yBAAS,IAAI,KAAgB;AACnC,OAAK,MAAM,OAAO,KAEjB,QAAO,IAAI,IAAI,MAAM,KAAK,MAAM,IAAI,MAAM,CAAM;AAEjD,SAAO;;;;;CAMR,MAAM,eAAe,QAAiC;EACrD,MAAM,UAAU,GAAG,WAAW,OAAO,CAAC;EACtC,MAAM,SAAS,MAAM,KAAK,GACxB,WAAW,UAAU,CACrB,MAAM,GAAY,aAAa,QAAQ,cAAc,CACrD,kBAAkB;AAEpB,SAAO,OAAO,OAAO,kBAAkB,EAAE"}
+{"version":3,"file":"options-BL4X94qY.mjs","names":[],"sources":["../src/database/repositories/options.ts"],"sourcesContent":["import { sql, type Kysely, type SqlBool } from \"kysely\";\n\nimport type { Database, OptionTable } from \"../types.js\";\n\nfunction escapeLike(value: string): string {\n\treturn value.replaceAll(\"\\\\\", \"\\\\\\\\\").replaceAll(\"%\", \"\\\\%\").replaceAll(\"_\", \"\\\\_\");\n}\n\n/**\n * Options repository for key-value settings storage\n *\n * Used for site settings, plugin configuration, and other arbitrary key-value data.\n * Values are stored as JSON for flexibility.\n */\nexport class OptionsRepository {\n\tconstructor(private db: Kysely<Database>) {}\n\n\t/**\n\t * Get an option value\n\t */\n\tasync get<T = unknown>(name: string): Promise<T | null> {\n\t\tconst row = await this.db\n\t\t\t.selectFrom(\"options\")\n\t\t\t.select(\"value\")\n\t\t\t.where(\"name\", \"=\", name)\n\t\t\t.executeTakeFirst();\n\n\t\tif (!row) return null;\n\t\t// eslint-disable-next-line typescript/no-unsafe-type-assertion -- JSON.parse returns any; generic callers provide T\n\t\treturn JSON.parse(row.value) as T;\n\t}\n\n\t/**\n\t * Get an option value with a default\n\t */\n\tasync getOrDefault<T>(name: string, defaultValue: T): Promise<T> {\n\t\tconst value = await this.get<T>(name);\n\t\treturn value ?? defaultValue;\n\t}\n\n\t/**\n\t * Set an option value (creates or updates)\n\t */\n\tasync set<T = unknown>(name: string, value: T): Promise<void> {\n\t\tconst row: OptionTable = {\n\t\t\tname,\n\t\t\tvalue: JSON.stringify(value),\n\t\t};\n\n\t\t// Upsert: insert or replace\n\t\tawait this.db\n\t\t\t.insertInto(\"options\")\n\t\t\t.values(row)\n\t\t\t.onConflict((oc) => oc.column(\"name\").doUpdateSet({ value: row.value }))\n\t\t\t.execute();\n\t}\n\n\t/**\n\t * Set an option value only if no row with that name exists. Atomic at the\n\t * database level via INSERT ... ON CONFLICT DO NOTHING, so concurrent\n\t * callers can't race past the check.\n\t *\n\t * Returns true when the row was inserted, false when a row already\n\t * existed (regardless of its value — even an empty string or null).\n\t */\n\tasync setIfAbsent<T = unknown>(name: string, value: T): Promise<boolean> {\n\t\tconst row: OptionTable = {\n\t\t\tname,\n\t\t\tvalue: JSON.stringify(value),\n\t\t};\n\n\t\tconst result = await this.db\n\t\t\t.insertInto(\"options\")\n\t\t\t.values(row)\n\t\t\t.onConflict((oc) => oc.column(\"name\").doNothing())\n\t\t\t.executeTakeFirst();\n\n\t\t// SQLite reports numInsertedOrUpdatedRows; Postgres reports the same.\n\t\t// When the ON CONFLICT branch fires and does nothing, the count is 0.\n\t\treturn (result.numInsertedOrUpdatedRows ?? 0n) > 0n;\n\t}\n\n\t/**\n\t * Delete an option\n\t */\n\tasync delete(name: string): Promise<boolean> {\n\t\tconst result = await this.db.deleteFrom(\"options\").where(\"name\", \"=\", name).executeTakeFirst();\n\n\t\treturn (result.numDeletedRows ?? 0) > 0;\n\t}\n\n\t/**\n\t * Check if an option exists\n\t */\n\tasync exists(name: string): Promise<boolean> {\n\t\tconst row = await this.db\n\t\t\t.selectFrom(\"options\")\n\t\t\t.select(\"name\")\n\t\t\t.where(\"name\", \"=\", name)\n\t\t\t.executeTakeFirst();\n\n\t\treturn !!row;\n\t}\n\n\t/**\n\t * Get multiple options at once\n\t */\n\tasync getMany<T = unknown>(names: string[]): Promise<Map<string, T>> {\n\t\tif (names.length === 0) return new Map();\n\n\t\tconst rows = await this.db\n\t\t\t.selectFrom(\"options\")\n\t\t\t.select([\"name\", \"value\"])\n\t\t\t.where(\"name\", \"in\", names)\n\t\t\t.execute();\n\n\t\tconst result = new Map<string, T>();\n\t\tfor (const row of rows) {\n\t\t\t// eslint-disable-next-line typescript/no-unsafe-type-assertion -- JSON.parse returns any; generic callers provide T\n\t\t\tresult.set(row.name, JSON.parse(row.value) as T);\n\t\t}\n\t\treturn result;\n\t}\n\n\t/**\n\t * Set multiple options at once\n\t */\n\tasync setMany<T = unknown>(options: Record<string, T>): Promise<void> {\n\t\tconst entries = Object.entries(options);\n\t\tif (entries.length === 0) return;\n\n\t\tfor (const [name, value] of entries) {\n\t\t\tawait this.set(name, value);\n\t\t}\n\t}\n\n\t/**\n\t * Get all options (use sparingly)\n\t */\n\tasync getAll(): Promise<Map<string, unknown>> {\n\t\tconst rows = await this.db.selectFrom(\"options\").select([\"name\", \"value\"]).execute();\n\n\t\tconst result = new Map<string, unknown>();\n\t\tfor (const row of rows) {\n\t\t\tresult.set(row.name, JSON.parse(row.value));\n\t\t}\n\t\treturn result;\n\t}\n\n\t/**\n\t * Get all options matching a prefix\n\t */\n\tasync getByPrefix<T = unknown>(prefix: string): Promise<Map<string, T>> {\n\t\tconst pattern = `${escapeLike(prefix)}%`;\n\t\tconst rows = await this.db\n\t\t\t.selectFrom(\"options\")\n\t\t\t.select([\"name\", \"value\"])\n\t\t\t.where(sql<SqlBool>`name LIKE ${pattern} ESCAPE '\\\\'`)\n\t\t\t.execute();\n\n\t\tconst result = new Map<string, T>();\n\t\tfor (const row of rows) {\n\t\t\t// eslint-disable-next-line typescript/no-unsafe-type-assertion -- JSON.parse returns any; generic callers provide T\n\t\t\tresult.set(row.name, JSON.parse(row.value) as T);\n\t\t}\n\t\treturn result;\n\t}\n\n\t/**\n\t * Delete all options matching a prefix\n\t */\n\tasync deleteByPrefix(prefix: string): Promise<number> {\n\t\tconst pattern = `${escapeLike(prefix)}%`;\n\t\tconst result = await this.db\n\t\t\t.deleteFrom(\"options\")\n\t\t\t.where(sql<SqlBool>`name LIKE ${pattern} ESCAPE '\\\\'`)\n\t\t\t.executeTakeFirst();\n\n\t\treturn Number(result.numDeletedRows ?? 0);\n\t}\n}\n"],"mappings":";;;AAIA,SAAS,WAAW,OAAuB;AAC1C,QAAO,MAAM,WAAW,MAAM,OAAO,CAAC,WAAW,KAAK,MAAM,CAAC,WAAW,KAAK,MAAM;;;;;;;;AASpF,IAAa,oBAAb,MAA+B;CAC9B,YAAY,AAAQ,IAAsB;EAAtB;;;;;CAKpB,MAAM,IAAiB,MAAiC;EACvD,MAAM,MAAM,MAAM,KAAK,GACrB,WAAW,UAAU,CACrB,OAAO,QAAQ,CACf,MAAM,QAAQ,KAAK,KAAK,CACxB,kBAAkB;AAEpB,MAAI,CAAC,IAAK,QAAO;AAEjB,SAAO,KAAK,MAAM,IAAI,MAAM;;;;;CAM7B,MAAM,aAAgB,MAAc,cAA6B;AAEhE,SADc,MAAM,KAAK,IAAO,KAAK,IACrB;;;;;CAMjB,MAAM,IAAiB,MAAc,OAAyB;EAC7D,MAAM,MAAmB;GACxB;GACA,OAAO,KAAK,UAAU,MAAM;GAC5B;AAGD,QAAM,KAAK,GACT,WAAW,UAAU,CACrB,OAAO,IAAI,CACX,YAAY,OAAO,GAAG,OAAO,OAAO,CAAC,YAAY,EAAE,OAAO,IAAI,OAAO,CAAC,CAAC,CACvE,SAAS;;;;;;;;;;CAWZ,MAAM,YAAyB,MAAc,OAA4B;EACxE,MAAM,MAAmB;GACxB;GACA,OAAO,KAAK,UAAU,MAAM;GAC5B;AAUD,WARe,MAAM,KAAK,GACxB,WAAW,UAAU,CACrB,OAAO,IAAI,CACX,YAAY,OAAO,GAAG,OAAO,OAAO,CAAC,WAAW,CAAC,CACjD,kBAAkB,EAIL,4BAA4B,MAAM;;;;;CAMlD,MAAM,OAAO,MAAgC;AAG5C,WAFe,MAAM,KAAK,GAAG,WAAW,UAAU,CAAC,MAAM,QAAQ,KAAK,KAAK,CAAC,kBAAkB,EAE/E,kBAAkB,KAAK;;;;;CAMvC,MAAM,OAAO,MAAgC;AAO5C,SAAO,CAAC,CANI,MAAM,KAAK,GACrB,WAAW,UAAU,CACrB,OAAO,OAAO,CACd,MAAM,QAAQ,KAAK,KAAK,CACxB,kBAAkB;;;;;CAQrB,MAAM,QAAqB,OAA0C;AACpE,MAAI,MAAM,WAAW,EAAG,wBAAO,IAAI,KAAK;EAExC,MAAM,OAAO,MAAM,KAAK,GACtB,WAAW,UAAU,CACrB,OAAO,CAAC,QAAQ,QAAQ,CAAC,CACzB,MAAM,QAAQ,MAAM,MAAM,CAC1B,SAAS;EAEX,MAAM,yBAAS,IAAI,KAAgB;AACnC,OAAK,MAAM,OAAO,KAEjB,QAAO,IAAI,IAAI,MAAM,KAAK,MAAM,IAAI,MAAM,CAAM;AAEjD,SAAO;;;;;CAMR,MAAM,QAAqB,SAA2C;EACrE,MAAM,UAAU,OAAO,QAAQ,QAAQ;AACvC,MAAI,QAAQ,WAAW,EAAG;AAE1B,OAAK,MAAM,CAAC,MAAM,UAAU,QAC3B,OAAM,KAAK,IAAI,MAAM,MAAM;;;;;CAO7B,MAAM,SAAwC;EAC7C,MAAM,OAAO,MAAM,KAAK,GAAG,WAAW,UAAU,CAAC,OAAO,CAAC,QAAQ,QAAQ,CAAC,CAAC,SAAS;EAEpF,MAAM,yBAAS,IAAI,KAAsB;AACzC,OAAK,MAAM,OAAO,KACjB,QAAO,IAAI,IAAI,MAAM,KAAK,MAAM,IAAI,MAAM,CAAC;AAE5C,SAAO;;;;;CAMR,MAAM,YAAyB,QAAyC;EACvE,MAAM,UAAU,GAAG,WAAW,OAAO,CAAC;EACtC,MAAM,OAAO,MAAM,KAAK,GACtB,WAAW,UAAU,CACrB,OAAO,CAAC,QAAQ,QAAQ,CAAC,CACzB,MAAM,GAAY,aAAa,QAAQ,cAAc,CACrD,SAAS;EAEX,MAAM,yBAAS,IAAI,KAAgB;AACnC,OAAK,MAAM,OAAO,KAEjB,QAAO,IAAI,IAAI,MAAM,KAAK,MAAM,IAAI,MAAM,CAAM;AAEjD,SAAO;;;;;CAMR,MAAM,eAAe,QAAiC;EACrD,MAAM,UAAU,GAAG,WAAW,OAAO,CAAC;EACtC,MAAM,SAAS,MAAM,KAAK,GACxB,WAAW,UAAU,CACrB,MAAM,GAAY,aAAa,QAAQ,cAAc,CACrD,kBAAkB;AAEpB,SAAO,OAAO,OAAO,kBAAkB,EAAE"}

package/dist/{options-Cq64Wx0O.d.mts → options-DhV-gwJb.d.mts}

@@ -1,5 +1,5 @@
-import { r as ContentItem } from "./types-CzvJd1ND.mjs";
-import { t as Database } from "./types-C1KKK4VP.mjs";
+import { r as ContentItem } from "./types-DaYDYW6g.mjs";
+import { t as Database } from "./types-DaqNzqVt.mjs";
 import { Kysely } from "kysely";
 import { z } from "zod";
 
@@ -97,7 +97,7 @@ interface ApiContext {
  * Always returns `{ error: { code, message } }` with correct Content-Type.
  * Use this for all error responses in API routes.
  */
-declare function apiError(code: string, message: string, status: number): Response;
+declare function apiError(code: string, message: string, status: number, details?: Record<string, unknown>): Response;
 /**
  * Create a standardized success response.
  *
@@ -204,4 +204,4 @@ declare class OptionsRepository {
 }
 //#endregion
 export { parseQuery as a, handleError as c, ContentListResponse as d, ContentResponse as f, ManifestResponse as h, parseBody as i, ApiContext as l, ListResponse as m, ParseResult as n, apiError as o, FieldDescriptor as p, isParseError as r, apiSuccess as s, OptionsRepository as t, ApiResult as u };
-//# sourceMappingURL=options-Cq64Wx0O.d.mts.map
+//# sourceMappingURL=options-DhV-gwJb.d.mts.map

package/dist/options-DhV-gwJb.d.mts.map

@@ -0,0 +1 @@
+{"version":3,"file":"options-DhV-gwJb.d.mts","names":[],"sources":["../src/api/types.ts","../src/api/error.ts","../src/api/parse.ts","../src/database/repositories/options.ts"],"mappings":";;;;;;;;AASA;UAAiB,YAAA;EAChB,KAAA,EAAO,CAAA;EACP,UAAA;EAF6B;;;;;EAQ7B,KAAA;AAAA;AAMD;;;AAAA,UAAiB,mBAAA,SAA4B,YAAA,CAAa,WAAA;AAAA,UAEzC,eAAA;EAChB,IAAA,EAAM,WAAA;;EAEN,IAAA;AAAA;;;;UAMgB,gBAAA;EAChB,OAAA;EACA,IAAA;EACA,WAAA,EAAa,MAAA;IAGX,KAAA;IACA,aAAA;IACA,QAAA;IACA,MAAA,EAAQ,MAAA,SAAe,eAAA;EAAA;EAGzB,OAAA,EAAS,MAAA;IAGP,UAAA,GAAa,KAAA;MAAQ,IAAA;MAAc,SAAA;IAAA;IACnC,OAAA;EAAA;AAAA;AAAA,UAKc,eAAA;EAChB,IAAA;EACA,KAAA;EACA,QAAA;EAZA;;;;EAiBA,OAAA,GAAU,KAAA;IAAQ,KAAA;IAAe,KAAA;EAAA,KAAmB,MAAA;AAAA;AARrD;;;;;;;;;;;;AAAA,KAuBY,SAAA;EACP,OAAA;EAAe,IAAA,EAAM,CAAA;AAAA;EAEvB,OAAA;EACA,KAAA;IAAS,IAAA,EAAM,CAAA;IAAG,OAAA;IAAiB,OAAA,GAAU,MAAA;EAAA;AAAA;;;;UAM/B,UAAA;EAChB,MAAA;EACA,QAAA;AAAA;;;;;;;;;iBC5De,QAAA,CACf,IAAA,UACA,OAAA,UACA,MAAA,UACA,OAAA,GAAU,MAAA,oBACR,QAAA;;;ADZH;;;;iBC2BgB,UAAA,GAAA,CAAc,IAAA,EAAM,CAAA,EAAG,MAAA,YAAe,QAAA;ADzBtD;;;;;;;;AAAA,iBCqCgB,WAAA,CACf,KAAA,WACA,eAAA,UACA,YAAA,WACE,QAAA;;;;;;;KChDS,WAAA,MAAiB,CAAA,GAAI,QAAA;;;;;;AFKjC;iBEGsB,SAAA,WAAoB,CAAA,CAAE,OAAA,CAAA,CAC3C,OAAA,EAAS,OAAA,EACT,MAAA,EAAQ,CAAA,GACN,OAAA,CAAQ,WAAA,CAAY,CAAA,CAAE,KAAA,CAAM,CAAA;;;;;;AFK/B;;iBEyDgB,UAAA,WAAqB,CAAA,CAAE,OAAA,CAAA,CAAS,GAAA,EAAK,GAAA,EAAK,MAAA,EAAQ,CAAA,GAAI,WAAA,CAAY,CAAA,CAAE,KAAA,CAAM,CAAA;;;;;iBA6C1E,YAAA,GAAA,CAAgB,MAAA,EAAQ,WAAA,CAAY,CAAA,IAAK,MAAA,IAAU,QAAA;;;;;;;AF/HnE;;cGKa,iBAAA;EAAA,QACQ,EAAA;cAAA,EAAA,EAAI,MAAA,CAAO,QAAA;EHL/B;;;EGUM,GAAA,aAAA,CAAiB,IAAA,WAAe,OAAA,CAAQ,CAAA;EHHzC;;AAMN;EGYO,YAAA,GAAA,CAAgB,IAAA,UAAc,YAAA,EAAc,CAAA,GAAI,OAAA,CAAQ,CAAA;;;;EAQxD,GAAA,aAAA,CAAiB,IAAA,UAAc,KAAA,EAAO,CAAA,GAAI,OAAA;EHlBjB;;;;;;;;EGwCzB,WAAA,aAAA,CAAyB,IAAA,UAAc,KAAA,EAAO,CAAA,GAAI,OAAA;EH/BxB;;;EGmD1B,MAAA,CAAO,IAAA,WAAe,OAAA;EHhDf;;;EGyDP,MAAA,CAAO,IAAA,WAAe,OAAA;EHhDb;;;EG6DT,OAAA,aAAA,CAAqB,KAAA,aAAkB,OAAA,CAAQ,GAAA,SAAY,CAAA;EHtEpD;;;EG0FP,OAAA,aAAA,CAAqB,OAAA,EAAS,MAAA,SAAe,CAAA,IAAK,OAAA;EHpFtD;;;EGgGI,MAAA,CAAA,GAAU,OAAA,CAAQ,GAAA;EH7Ff;;;EG0GH,WAAA,aAAA,CAAyB,MAAA,WAAiB,OAAA,CAAQ,GAAA,SAAY,CAAA;EHvG/B;;;EG0H/B,cAAA,CAAe,MAAA,WAAiB,OAAA;AAAA"}

package/dist/page/index.d.mts

@@ -1,5 +1,5 @@
-import { J as PageFragmentContribution, Z as PageMetadataContribution, et as PageMetadataLinkRel, mt as PublicPageContext, t as BreadcrumbItem, tt as PagePlacement } from "../types-B05e2naf.mjs";
-import { n as SeoSettings } from "../types-DW1l0gCv.mjs";
+import { J as PageFragmentContribution, Z as PageMetadataContribution, et as PageMetadataLinkRel, ht as PublicPageContext, t as BreadcrumbItem, tt as PagePlacement } from "../types-DGHWRQgr.mjs";
+import { n as SeoSettings } from "../types-Dgo6y-Ut.mjs";
 
 //#region src/page/context.d.ts
 /** Fields shared by both input forms */

package/dist/{parse-BFTPon-J.mjs → parse-3-caTKgt.mjs}

@@ -1,4 +1,4 @@
-import { t as apiError } from "./error-tSQWIl5U.mjs";
+import { t as apiError } from "./error-CPh_8eLq.mjs";
 import { z } from "zod";
 
 //#region src/api/parse.ts
@@ -86,4 +86,4 @@ function isParseError(result) {
 
 //#endregion
 export { parseQuery as i, parseBody as n, parseOptionalBody as r, isParseError as t };
-//# sourceMappingURL=parse-BFTPon-J.mjs.map
+//# sourceMappingURL=parse-3-caTKgt.mjs.map

package/dist/{parse-BFTPon-J.mjs.map → parse-3-caTKgt.mjs.map}

@@ -1 +1 @@
-{"version":3,"file":"parse-BFTPon-J.mjs","names":[],"sources":["../src/api/parse.ts"],"sourcesContent":["/**\n * Request body and query parameter parsing with Zod validation.\n *\n * All API routes should use these utilities instead of `request.json() as T`\n * or raw `url.searchParams.get()` with manual coercion.\n */\n\nimport { z } from \"zod\";\n\nimport { apiError } from \"./error.js\";\n\n/** Maximum allowed JSON request body size (10 MB). */\nconst MAX_BODY_SIZE = 10 * 1024 * 1024;\n\n/**\n * Result of parsing: either the validated data or an error Response.\n * Routes should check `if (result instanceof Response) return result;`\n */\nexport type ParseResult<T> = T | Response;\n\n/**\n * Parse and validate a JSON request body against a Zod schema.\n *\n * Returns the validated data on success, or a 400 Response on failure.\n * Replaces all `(await request.json()) as T` casts.\n */\nexport async function parseBody<T extends z.ZodType>(\n\trequest: Request,\n\tschema: T,\n): Promise<ParseResult<z.infer<T>>> {\n\t// Best-effort size check via Content-Length (can be absent with chunked encoding)\n\tconst contentLength = request.headers.get(\"Content-Length\");\n\tif (contentLength && parseInt(contentLength, 10) > MAX_BODY_SIZE) {\n\t\treturn apiError(\"PAYLOAD_TOO_LARGE\", \"Request body too large\", 413);\n\t}\n\n\tlet raw: unknown;\n\ttry {\n\t\traw = await request.json();\n\t} catch {\n\t\treturn apiError(\"INVALID_JSON\", \"Request body must be valid JSON\", 400);\n\t}\n\n\treturn validate(schema, raw);\n}\n\n/**\n * Parse and validate an optional JSON request body.\n *\n * Returns `defaultValue` if the body is empty, or the validated data if present.\n * For endpoints where the body is optional (e.g., preview-url, confirm).\n */\nexport async function parseOptionalBody<T extends z.ZodType>(\n\trequest: Request,\n\tschema: T,\n\tdefaultValue: z.infer<T>,\n): Promise<ParseResult<z.infer<T>>> {\n\t// Best-effort size check via Content-Length (can be absent with chunked encoding)\n\tconst contentLength = request.headers.get(\"Content-Length\");\n\tif (contentLength && parseInt(contentLength, 10) > MAX_BODY_SIZE) {\n\t\treturn apiError(\"PAYLOAD_TOO_LARGE\", \"Request body too large\", 413);\n\t}\n\n\tlet text: string;\n\ttry {\n\t\ttext = await request.text();\n\t} catch {\n\t\treturn defaultValue;\n\t}\n\n\tif (!text.trim()) {\n\t\treturn defaultValue;\n\t}\n\n\tlet raw: unknown;\n\ttry {\n\t\traw = JSON.parse(text);\n\t} catch {\n\t\treturn apiError(\"INVALID_JSON\", \"Request body must be valid JSON\", 400);\n\t}\n\n\treturn validate(schema, raw);\n}\n\n/**\n * Parse and validate URL search params against a Zod schema.\n *\n * Converts searchParams to a plain object before validation.\n * Zod coercion handles string -> number/boolean conversion.\n * Replaces manual `url.searchParams.get()` + `parseInt()` patterns.\n */\nexport function parseQuery<T extends z.ZodType>(url: URL, schema: T): ParseResult<z.infer<T>> {\n\tconst raw: Record<string, string> = {};\n\tfor (const [key, value] of url.searchParams) {\n\t\traw[key] = value;\n\t}\n\treturn validate(schema, raw);\n}\n\n/**\n * Validate raw data against a schema. Returns data or error Response.\n */\nfunction validate<T extends z.ZodType>(schema: T, data: unknown): ParseResult<z.infer<T>> {\n\tconst result = schema.safeParse(data);\n\n\tif (result.success) {\n\t\treturn result.data as z.infer<T>;\n\t}\n\n\t// Format Zod errors into a readable structure\n\tconst issues = result.error.issues.map((issue: z.ZodIssue) => ({\n\t\tpath: issue.path.join(\".\"),\n\t\tmessage: issue.message,\n\t}));\n\n\treturn Response.json(\n\t\t{\n\t\t\terror: {\n\t\t\t\tcode: \"VALIDATION_ERROR\",\n\t\t\t\tmessage: \"Invalid request data\",\n\t\t\t\tdetails: { issues },\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\tstatus: 400,\n\t\t\theaders: {\n\t\t\t\t\"Cache-Control\": \"private, no-store\",\n\t\t\t},\n\t\t},\n\t);\n}\n\n/**\n * Type guard to check if a ParseResult is an error Response.\n * Usage: `if (isParseError(result)) return result;`\n */\nexport function isParseError<T>(result: ParseResult<T>): result is Response {\n\treturn result instanceof Response;\n}\n"],"mappings":";;;;;AAYA,MAAM,gBAAgB,KAAK,OAAO;;;;;;;AAclC,eAAsB,UACrB,SACA,QACmC;CAEnC,MAAM,gBAAgB,QAAQ,QAAQ,IAAI,iBAAiB;AAC3D,KAAI,iBAAiB,SAAS,eAAe,GAAG,GAAG,cAClD,QAAO,SAAS,qBAAqB,0BAA0B,IAAI;CAGpE,IAAI;AACJ,KAAI;AACH,QAAM,MAAM,QAAQ,MAAM;SACnB;AACP,SAAO,SAAS,gBAAgB,mCAAmC,IAAI;;AAGxE,QAAO,SAAS,QAAQ,IAAI;;;;;;;;AAS7B,eAAsB,kBACrB,SACA,QACA,cACmC;CAEnC,MAAM,gBAAgB,QAAQ,QAAQ,IAAI,iBAAiB;AAC3D,KAAI,iBAAiB,SAAS,eAAe,GAAG,GAAG,cAClD,QAAO,SAAS,qBAAqB,0BAA0B,IAAI;CAGpE,IAAI;AACJ,KAAI;AACH,SAAO,MAAM,QAAQ,MAAM;SACpB;AACP,SAAO;;AAGR,KAAI,CAAC,KAAK,MAAM,CACf,QAAO;CAGR,IAAI;AACJ,KAAI;AACH,QAAM,KAAK,MAAM,KAAK;SACf;AACP,SAAO,SAAS,gBAAgB,mCAAmC,IAAI;;AAGxE,QAAO,SAAS,QAAQ,IAAI;;;;;;;;;AAU7B,SAAgB,WAAgC,KAAU,QAAoC;CAC7F,MAAM,MAA8B,EAAE;AACtC,MAAK,MAAM,CAAC,KAAK,UAAU,IAAI,aAC9B,KAAI,OAAO;AAEZ,QAAO,SAAS,QAAQ,IAAI;;;;;AAM7B,SAAS,SAA8B,QAAW,MAAwC;CACzF,MAAM,SAAS,OAAO,UAAU,KAAK;AAErC,KAAI,OAAO,QACV,QAAO,OAAO;CAIf,MAAM,SAAS,OAAO,MAAM,OAAO,KAAK,WAAuB;EAC9D,MAAM,MAAM,KAAK,KAAK,IAAI;EAC1B,SAAS,MAAM;EACf,EAAE;AAEH,QAAO,SAAS,KACf,EACC,OAAO;EACN,MAAM;EACN,SAAS;EACT,SAAS,EAAE,QAAQ;EACnB,EACD,EACD;EACC,QAAQ;EACR,SAAS,EACR,iBAAiB,qBACjB;EACD,CACD;;;;;;AAOF,SAAgB,aAAgB,QAA4C;AAC3E,QAAO,kBAAkB"}
+{"version":3,"file":"parse-3-caTKgt.mjs","names":[],"sources":["../src/api/parse.ts"],"sourcesContent":["/**\n * Request body and query parameter parsing with Zod validation.\n *\n * All API routes should use these utilities instead of `request.json() as T`\n * or raw `url.searchParams.get()` with manual coercion.\n */\n\nimport { z } from \"zod\";\n\nimport { apiError } from \"./error.js\";\n\n/** Maximum allowed JSON request body size (10 MB). */\nconst MAX_BODY_SIZE = 10 * 1024 * 1024;\n\n/**\n * Result of parsing: either the validated data or an error Response.\n * Routes should check `if (result instanceof Response) return result;`\n */\nexport type ParseResult<T> = T | Response;\n\n/**\n * Parse and validate a JSON request body against a Zod schema.\n *\n * Returns the validated data on success, or a 400 Response on failure.\n * Replaces all `(await request.json()) as T` casts.\n */\nexport async function parseBody<T extends z.ZodType>(\n\trequest: Request,\n\tschema: T,\n): Promise<ParseResult<z.infer<T>>> {\n\t// Best-effort size check via Content-Length (can be absent with chunked encoding)\n\tconst contentLength = request.headers.get(\"Content-Length\");\n\tif (contentLength && parseInt(contentLength, 10) > MAX_BODY_SIZE) {\n\t\treturn apiError(\"PAYLOAD_TOO_LARGE\", \"Request body too large\", 413);\n\t}\n\n\tlet raw: unknown;\n\ttry {\n\t\traw = await request.json();\n\t} catch {\n\t\treturn apiError(\"INVALID_JSON\", \"Request body must be valid JSON\", 400);\n\t}\n\n\treturn validate(schema, raw);\n}\n\n/**\n * Parse and validate an optional JSON request body.\n *\n * Returns `defaultValue` if the body is empty, or the validated data if present.\n * For endpoints where the body is optional (e.g., preview-url, confirm).\n */\nexport async function parseOptionalBody<T extends z.ZodType>(\n\trequest: Request,\n\tschema: T,\n\tdefaultValue: z.infer<T>,\n): Promise<ParseResult<z.infer<T>>> {\n\t// Best-effort size check via Content-Length (can be absent with chunked encoding)\n\tconst contentLength = request.headers.get(\"Content-Length\");\n\tif (contentLength && parseInt(contentLength, 10) > MAX_BODY_SIZE) {\n\t\treturn apiError(\"PAYLOAD_TOO_LARGE\", \"Request body too large\", 413);\n\t}\n\n\tlet text: string;\n\ttry {\n\t\ttext = await request.text();\n\t} catch {\n\t\treturn defaultValue;\n\t}\n\n\tif (!text.trim()) {\n\t\treturn defaultValue;\n\t}\n\n\tlet raw: unknown;\n\ttry {\n\t\traw = JSON.parse(text);\n\t} catch {\n\t\treturn apiError(\"INVALID_JSON\", \"Request body must be valid JSON\", 400);\n\t}\n\n\treturn validate(schema, raw);\n}\n\n/**\n * Parse and validate URL search params against a Zod schema.\n *\n * Converts searchParams to a plain object before validation.\n * Zod coercion handles string -> number/boolean conversion.\n * Replaces manual `url.searchParams.get()` + `parseInt()` patterns.\n */\nexport function parseQuery<T extends z.ZodType>(url: URL, schema: T): ParseResult<z.infer<T>> {\n\tconst raw: Record<string, string> = {};\n\tfor (const [key, value] of url.searchParams) {\n\t\traw[key] = value;\n\t}\n\treturn validate(schema, raw);\n}\n\n/**\n * Validate raw data against a schema. Returns data or error Response.\n */\nfunction validate<T extends z.ZodType>(schema: T, data: unknown): ParseResult<z.infer<T>> {\n\tconst result = schema.safeParse(data);\n\n\tif (result.success) {\n\t\treturn result.data as z.infer<T>;\n\t}\n\n\t// Format Zod errors into a readable structure\n\tconst issues = result.error.issues.map((issue: z.ZodIssue) => ({\n\t\tpath: issue.path.join(\".\"),\n\t\tmessage: issue.message,\n\t}));\n\n\treturn Response.json(\n\t\t{\n\t\t\terror: {\n\t\t\t\tcode: \"VALIDATION_ERROR\",\n\t\t\t\tmessage: \"Invalid request data\",\n\t\t\t\tdetails: { issues },\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\tstatus: 400,\n\t\t\theaders: {\n\t\t\t\t\"Cache-Control\": \"private, no-store\",\n\t\t\t},\n\t\t},\n\t);\n}\n\n/**\n * Type guard to check if a ParseResult is an error Response.\n * Usage: `if (isParseError(result)) return result;`\n */\nexport function isParseError<T>(result: ParseResult<T>): result is Response {\n\treturn result instanceof Response;\n}\n"],"mappings":";;;;;AAYA,MAAM,gBAAgB,KAAK,OAAO;;;;;;;AAclC,eAAsB,UACrB,SACA,QACmC;CAEnC,MAAM,gBAAgB,QAAQ,QAAQ,IAAI,iBAAiB;AAC3D,KAAI,iBAAiB,SAAS,eAAe,GAAG,GAAG,cAClD,QAAO,SAAS,qBAAqB,0BAA0B,IAAI;CAGpE,IAAI;AACJ,KAAI;AACH,QAAM,MAAM,QAAQ,MAAM;SACnB;AACP,SAAO,SAAS,gBAAgB,mCAAmC,IAAI;;AAGxE,QAAO,SAAS,QAAQ,IAAI;;;;;;;;AAS7B,eAAsB,kBACrB,SACA,QACA,cACmC;CAEnC,MAAM,gBAAgB,QAAQ,QAAQ,IAAI,iBAAiB;AAC3D,KAAI,iBAAiB,SAAS,eAAe,GAAG,GAAG,cAClD,QAAO,SAAS,qBAAqB,0BAA0B,IAAI;CAGpE,IAAI;AACJ,KAAI;AACH,SAAO,MAAM,QAAQ,MAAM;SACpB;AACP,SAAO;;AAGR,KAAI,CAAC,KAAK,MAAM,CACf,QAAO;CAGR,IAAI;AACJ,KAAI;AACH,QAAM,KAAK,MAAM,KAAK;SACf;AACP,SAAO,SAAS,gBAAgB,mCAAmC,IAAI;;AAGxE,QAAO,SAAS,QAAQ,IAAI;;;;;;;;;AAU7B,SAAgB,WAAgC,KAAU,QAAoC;CAC7F,MAAM,MAA8B,EAAE;AACtC,MAAK,MAAM,CAAC,KAAK,UAAU,IAAI,aAC9B,KAAI,OAAO;AAEZ,QAAO,SAAS,QAAQ,IAAI;;;;;AAM7B,SAAS,SAA8B,QAAW,MAAwC;CACzF,MAAM,SAAS,OAAO,UAAU,KAAK;AAErC,KAAI,OAAO,QACV,QAAO,OAAO;CAIf,MAAM,SAAS,OAAO,MAAM,OAAO,KAAK,WAAuB;EAC9D,MAAM,MAAM,KAAK,KAAK,IAAI;EAC1B,SAAS,MAAM;EACf,EAAE;AAEH,QAAO,SAAS,KACf,EACC,OAAO;EACN,MAAM;EACN,SAAS;EACT,SAAS,EAAE,QAAQ;EACnB,EACD,EACD;EACC,QAAQ;EACR,SAAS,EACR,iBAAiB,qBACjB;EACD,CACD;;;;;;AAOF,SAAgB,aAAgB,QAA4C;AAC3E,QAAO,kBAAkB"}

package/dist/{passkey-config-Cg86_ISa.mjs → passkey-config-BloQOT3y.mjs}

@@ -43,4 +43,4 @@ function getPasskeyConfig(url, siteName, siteUrl, allowedOrigins) {
 
 //#endregion
 export { getPasskeyConfig as t };
-//# sourceMappingURL=passkey-config-Cg86_ISa.mjs.map
+//# sourceMappingURL=passkey-config-BloQOT3y.mjs.map

package/dist/{passkey-config-Cg86_ISa.mjs.map → passkey-config-BloQOT3y.mjs.map}

@@ -1 +1 @@
-{"version":3,"file":"passkey-config-Cg86_ISa.mjs","names":[],"sources":["../src/auth/passkey-config.ts"],"sourcesContent":["/**\n * Passkey configuration helper\n *\n * Extracts passkey configuration from the request URL.\n * This ensures the rpId and origin are correctly set for both\n * localhost development and production deployments.\n */\n\nexport interface PasskeyConfig {\n\trpName: string;\n\trpId: string;\n\t/**\n\t * Accepted client-data origins. First entry is the canonical/preferred origin;\n\t * additional entries support multi-origin deployments (e.g. apex + preview\n\t * subdomain sharing the same `rpId`). See `allowedOrigins` parameter.\n\t */\n\torigins: string[];\n}\n\n/**\n * Get passkey configuration from request URL\n *\n * @param url The request URL (typically `new URL(Astro.request.url)` or `new URL(request.url)`)\n * @param siteName Optional site name for rpName (defaults to hostname from `url` or public origin)\n * @param siteUrl Optional browser-facing origin (see `EmDashConfig.siteUrl`).\n *        When set, the canonical **origin** and **rpId** are taken from this URL.\n * @param allowedOrigins Optional list of additional accepted origins for verification.\n *        Each must share `rpId` with the canonical origin (WebAuthn requirement).\n *        Typical use: apex + preview subdomain on the same registrable domain.\n * @throws If `siteUrl` is non-empty but not parseable by `new URL()`.\n */\nexport function getPasskeyConfig(\n\turl: URL,\n\tsiteName?: string,\n\tsiteUrl?: string,\n\tallowedOrigins?: string[],\n): PasskeyConfig {\n\tlet rpName: string;\n\tlet rpId: string;\n\tlet canonicalOrigin: string;\n\n\tif (siteUrl) {\n\t\tlet publicUrl: URL;\n\t\ttry {\n\t\t\tpublicUrl = new URL(siteUrl);\n\t\t} catch (e) {\n\t\t\tthrow new Error(`Invalid siteUrl: \"${siteUrl}\"`, { cause: e });\n\t\t}\n\t\trpName = siteName || publicUrl.hostname;\n\t\trpId = publicUrl.hostname;\n\t\tcanonicalOrigin = publicUrl.origin;\n\t} else {\n\t\trpName = siteName || url.hostname;\n\t\trpId = url.hostname;\n\t\tcanonicalOrigin = url.origin;\n\t}\n\n\tconst origins = [canonicalOrigin];\n\tif (allowedOrigins) {\n\t\tfor (const extra of allowedOrigins) {\n\t\t\tif (extra && !origins.includes(extra)) origins.push(extra);\n\t\t}\n\t}\n\n\treturn { rpName, rpId, origins };\n}\n"],"mappings":";;;;;;;;;;;;;AA+BA,SAAgB,iBACf,KACA,UACA,SACA,gBACgB;CAChB,IAAI;CACJ,IAAI;CACJ,IAAI;AAEJ,KAAI,SAAS;EACZ,IAAI;AACJ,MAAI;AACH,eAAY,IAAI,IAAI,QAAQ;WACpB,GAAG;AACX,SAAM,IAAI,MAAM,qBAAqB,QAAQ,IAAI,EAAE,OAAO,GAAG,CAAC;;AAE/D,WAAS,YAAY,UAAU;AAC/B,SAAO,UAAU;AACjB,oBAAkB,UAAU;QACtB;AACN,WAAS,YAAY,IAAI;AACzB,SAAO,IAAI;AACX,oBAAkB,IAAI;;CAGvB,MAAM,UAAU,CAAC,gBAAgB;AACjC,KAAI,gBACH;OAAK,MAAM,SAAS,eACnB,KAAI,SAAS,CAAC,QAAQ,SAAS,MAAM,CAAE,SAAQ,KAAK,MAAM;;AAI5D,QAAO;EAAE;EAAQ;EAAM;EAAS"}
+{"version":3,"file":"passkey-config-BloQOT3y.mjs","names":[],"sources":["../src/auth/passkey-config.ts"],"sourcesContent":["/**\n * Passkey configuration helper\n *\n * Extracts passkey configuration from the request URL.\n * This ensures the rpId and origin are correctly set for both\n * localhost development and production deployments.\n */\n\nexport interface PasskeyConfig {\n\trpName: string;\n\trpId: string;\n\t/**\n\t * Accepted client-data origins. First entry is the canonical/preferred origin;\n\t * additional entries support multi-origin deployments (e.g. apex + preview\n\t * subdomain sharing the same `rpId`). See `allowedOrigins` parameter.\n\t */\n\torigins: string[];\n}\n\n/**\n * Get passkey configuration from request URL\n *\n * @param url The request URL (typically `new URL(Astro.request.url)` or `new URL(request.url)`)\n * @param siteName Optional site name for rpName (defaults to hostname from `url` or public origin)\n * @param siteUrl Optional browser-facing origin (see `EmDashConfig.siteUrl`).\n *        When set, the canonical **origin** and **rpId** are taken from this URL.\n * @param allowedOrigins Optional list of additional accepted origins for verification.\n *        Each must share `rpId` with the canonical origin (WebAuthn requirement).\n *        Typical use: apex + preview subdomain on the same registrable domain.\n * @throws If `siteUrl` is non-empty but not parseable by `new URL()`.\n */\nexport function getPasskeyConfig(\n\turl: URL,\n\tsiteName?: string,\n\tsiteUrl?: string,\n\tallowedOrigins?: string[],\n): PasskeyConfig {\n\tlet rpName: string;\n\tlet rpId: string;\n\tlet canonicalOrigin: string;\n\n\tif (siteUrl) {\n\t\tlet publicUrl: URL;\n\t\ttry {\n\t\t\tpublicUrl = new URL(siteUrl);\n\t\t} catch (e) {\n\t\t\tthrow new Error(`Invalid siteUrl: \"${siteUrl}\"`, { cause: e });\n\t\t}\n\t\trpName = siteName || publicUrl.hostname;\n\t\trpId = publicUrl.hostname;\n\t\tcanonicalOrigin = publicUrl.origin;\n\t} else {\n\t\trpName = siteName || url.hostname;\n\t\trpId = url.hostname;\n\t\tcanonicalOrigin = url.origin;\n\t}\n\n\tconst origins = [canonicalOrigin];\n\tif (allowedOrigins) {\n\t\tfor (const extra of allowedOrigins) {\n\t\t\tif (extra && !origins.includes(extra)) origins.push(extra);\n\t\t}\n\t}\n\n\treturn { rpName, rpId, origins };\n}\n"],"mappings":";;;;;;;;;;;;;AA+BA,SAAgB,iBACf,KACA,UACA,SACA,gBACgB;CAChB,IAAI;CACJ,IAAI;CACJ,IAAI;AAEJ,KAAI,SAAS;EACZ,IAAI;AACJ,MAAI;AACH,eAAY,IAAI,IAAI,QAAQ;WACpB,GAAG;AACX,SAAM,IAAI,MAAM,qBAAqB,QAAQ,IAAI,EAAE,OAAO,GAAG,CAAC;;AAE/D,WAAS,YAAY,UAAU;AAC/B,SAAO,UAAU;AACjB,oBAAkB,UAAU;QACtB;AACN,WAAS,YAAY,IAAI;AACzB,SAAO,IAAI;AACX,oBAAkB,IAAI;;CAGvB,MAAM,UAAU,CAAC,gBAAgB;AACjC,KAAI,gBACH;OAAK,MAAM,SAAS,eACnB,KAAI,SAAS,CAAC,QAAQ,SAAS,MAAM,CAAE,SAAQ,KAAK,MAAM;;AAI5D,QAAO;EAAE;EAAQ;EAAM;EAAS"}

package/dist/{placeholder-D3cFCU9y.d.mts → placeholder-KCkkCtgQ.d.mts}

@@ -282,4 +282,4 @@ declare function generatePlaceholder(buffer: Uint8Array, mimeType: string, dimen
 }): Promise<PlaceholderData | null>;
 //#endregion
 export { MediaValue as _, ComponentEmbed as a, mediaItemToValue as b, EmbedResult as c, MediaListResult as d, MediaProvider as f, MediaUploadInput as g, MediaProviderItem as h, AudioEmbed as i, ImageEmbed as l, MediaProviderDescriptor as m, generatePlaceholder as n, CreateMediaProviderFn as o, MediaProviderCapabilities as p, normalizeMediaValue as r, EmbedOptions as s, PlaceholderData as t, MediaListOptions as u, ThumbnailOptions as v, VideoEmbed as y };
-//# sourceMappingURL=placeholder-D3cFCU9y.d.mts.map
+//# sourceMappingURL=placeholder-KCkkCtgQ.d.mts.map

package/dist/{placeholder-D3cFCU9y.d.mts.map → placeholder-KCkkCtgQ.d.mts.map}

@@ -1 +1 @@
-{"version":3,"file":"placeholder-D3cFCU9y.d.mts","names":[],"sources":["../src/media/types.ts","../src/media/normalize.ts","../src/media/placeholder.ts"],"mappings":";;AAYA;;;;;;;;;;UAAiB,uBAAA,WAAkC,MAAA;EAKlD;EAHA,EAAA;EASA;EANA,IAAA;EAYA;EATA,IAAA;EAYA;EATA,UAAA;EASe;EANf,WAAA;EAYgB;EAThB,YAAA,EAAc,yBAAA;;EAGd,MAAA,EAAQ,OAAA;AAAA;;;;UAMQ,yBAAA;EAQV;EANN,MAAA;EAYgC;EAVhC,MAAA;EAUgC;EARhC,MAAA;EAYA;EAVA,MAAA;AAAA;;;AAoBD;UAdiB,gBAAA;;EAEhB,MAAA;EAaA;EAXA,KAAA;EAYA;EAVA,KAAA;EAUU;EARV,QAAA;AAAA;;;;UAMgB,eAAA;EAChB,KAAA,EAAO,iBAAA;EACP,UAAA;AAAA;;;;;UAOgB,iBAAA;EAiBH;EAfb,EAAA;EAqBgB;EAnBhB,QAAA;;EAEA,QAAA;EAkBA;EAhBA,IAAA;EAiBA;EAfA,KAAA;EACA,MAAA;EAeG;EAbH,GAAA;EAmB4B;EAjB5B,UAAA;EAiB4B;EAf5B,IAAA,GAAO,MAAA;AAAA;;;;UAMS,gBAAA;EAChB,IAAA,EAAM,IAAA;EACN,QAAA;EACA,GAAA;AAAA;;;;UAMgB,YAAA;EAYS;EAVzB,KAAA;EAUmD;EARnD,MAAA;EAQ8E;EAN9E,MAAA;AAAA;;;;KAMW,WAAA,GAAc,UAAA,GAAa,UAAA,GAAa,UAAA,GAAa,cAAA;AAAA,UAEhD,UAAA;EAChB,IAAA;EACA,GAAA;EACA,MAAA;EACA,KAAA;EACA,KAAA;EACA,MAAA;EACA,GAAA;EAIkB;EAFlB,UAAA;EAEmD;EAAnD,MAAA,IAAU,IAAA;IAAQ,KAAA;IAAgB,MAAA;IAAiB,MAAA;EAAA;AAAA;AAAA,UAGnC,UAAA;EAChB,IAAA;EAEA;EAAA,GAAA;EAEU;EAAV,OAAA,GAAU,KAAA;IAAQ,GAAA;IAAa,IAAA;EAAA;EAI/B;EAFA,MAAA;EACA,KAAA;EACA,MAAA;EAKA;EAHA,QAAA;EACA,QAAA;EACA,KAAA;EACA,IAAA;EACA,WAAA;EACA,OAAA;EACA,WAAA;AAAA;AAAA,UAGgB,UAAA;EAChB,IAAA;EACA,GAAA;EACA,OAAA,GAAU,KAAA;IAAQ,GAAA;IAAa,IAAA;EAAA;EAC/B,QAAA;EACA,QAAA;EACA,KAAA;EACA,IAAA;EACA,OAAA;AAAA;AAAA,UAGgB,cAAA;EAChB,IAAA;EAD8B;EAG9B,OAAA;EAIa;EAFb,MAAA;EAFA;EAIA,KAAA,EAAO,MAAA;AAAA;;;;UAMS,gBAAA;EAAgB;EAEhC,KAAA;EAAA;EAEA,MAAA;AAAA;;;;;UAOgB,aAAA;EASU;;;EAL1B,IAAA,CAAK,OAAA,EAAS,gBAAA,GAAmB,OAAA,CAAQ,eAAA;EAUP;;;EALlC,GAAA,EAAK,EAAA,WAAa,OAAA,CAAQ,iBAAA;EAgBmC;;;EAX7D,MAAA,EAAQ,KAAA,EAAO,gBAAA,GAAmB,OAAA,CAAQ,iBAAA;EAkBgC;;;EAb1E,MAAA,EAAQ,EAAA,WAAa,OAAA;EAfhB;;;;EAqBL,QAAA,CAAS,KAAA,EAAO,UAAA,EAAY,OAAA,GAAU,YAAA,GAAe,OAAA,CAAQ,WAAA,IAAe,WAAA;EAhB1D;;;;;EAuBlB,eAAA,EAAiB,EAAA,UAAY,QAAA,WAAmB,OAAA,GAAU,gBAAA;AAAA;;;;KAM/C,qBAAA,WAAgC,MAAA,sBAC3C,MAAA,EAAQ,OAAA,KACJ,aAAA;;;;;;;;;UAUY,UAAA;EAlBa;EAoB7B,QAAA;EApBgD;EAuBhD,EAAA;EAvB0E;EA0B1E,GAAA;EApBgC;EAuBhC,UAAA;EAvB2C;EA0B3C,QAAA;EACA,QAAA;EACA,KAAA;EACA,MAAA;EACA,GAAA;EA9B2C;EAiC3C,IAAA,GAAO,MAAA;AAAA;;;;iBAMQ,gBAAA,CAAiB,UAAA,UAAoB,IAAA,EAAM,iBAAA,GAAoB,UAAA;;;;;;;;;;;;iBClPzD,mBAAA,CACrB,KAAA,WACA,WAAA,GAAc,EAAA,aAAe,aAAA,eAC3B,OAAA,CAAQ,UAAA;;;;ADhBX;;;;;;UEDiB,eAAA;EAChB,QAAA;EACA,aAAA;AAAA;;;;;;;;;;iBAgGqB,mBAAA,CACrB,MAAA,EAAQ,UAAA,EACR,QAAA,UACA,UAAA;EAAe,KAAA;EAAe,MAAA;AAAA,IAC5B,OAAA,CAAQ,eAAA"}
+{"version":3,"file":"placeholder-KCkkCtgQ.d.mts","names":[],"sources":["../src/media/types.ts","../src/media/normalize.ts","../src/media/placeholder.ts"],"mappings":";;AAYA;;;;;;;;;;UAAiB,uBAAA,WAAkC,MAAA;EAKlD;EAHA,EAAA;EASA;EANA,IAAA;EAYA;EATA,IAAA;EAYA;EATA,UAAA;EASe;EANf,WAAA;EAYgB;EAThB,YAAA,EAAc,yBAAA;;EAGd,MAAA,EAAQ,OAAA;AAAA;;;;UAMQ,yBAAA;EAQV;EANN,MAAA;EAYgC;EAVhC,MAAA;EAUgC;EARhC,MAAA;EAYA;EAVA,MAAA;AAAA;;;AAoBD;UAdiB,gBAAA;;EAEhB,MAAA;EAaA;EAXA,KAAA;EAYA;EAVA,KAAA;EAUU;EARV,QAAA;AAAA;;;;UAMgB,eAAA;EAChB,KAAA,EAAO,iBAAA;EACP,UAAA;AAAA;;;;;UAOgB,iBAAA;EAiBH;EAfb,EAAA;EAqBgB;EAnBhB,QAAA;;EAEA,QAAA;EAkBA;EAhBA,IAAA;EAiBA;EAfA,KAAA;EACA,MAAA;EAeG;EAbH,GAAA;EAmB4B;EAjB5B,UAAA;EAiB4B;EAf5B,IAAA,GAAO,MAAA;AAAA;;;;UAMS,gBAAA;EAChB,IAAA,EAAM,IAAA;EACN,QAAA;EACA,GAAA;AAAA;;;;UAMgB,YAAA;EAYS;EAVzB,KAAA;EAUmD;EARnD,MAAA;EAQ8E;EAN9E,MAAA;AAAA;;;;KAMW,WAAA,GAAc,UAAA,GAAa,UAAA,GAAa,UAAA,GAAa,cAAA;AAAA,UAEhD,UAAA;EAChB,IAAA;EACA,GAAA;EACA,MAAA;EACA,KAAA;EACA,KAAA;EACA,MAAA;EACA,GAAA;EAIkB;EAFlB,UAAA;EAEmD;EAAnD,MAAA,IAAU,IAAA;IAAQ,KAAA;IAAgB,MAAA;IAAiB,MAAA;EAAA;AAAA;AAAA,UAGnC,UAAA;EAChB,IAAA;EAEA;EAAA,GAAA;EAEU;EAAV,OAAA,GAAU,KAAA;IAAQ,GAAA;IAAa,IAAA;EAAA;EAI/B;EAFA,MAAA;EACA,KAAA;EACA,MAAA;EAKA;EAHA,QAAA;EACA,QAAA;EACA,KAAA;EACA,IAAA;EACA,WAAA;EACA,OAAA;EACA,WAAA;AAAA;AAAA,UAGgB,UAAA;EAChB,IAAA;EACA,GAAA;EACA,OAAA,GAAU,KAAA;IAAQ,GAAA;IAAa,IAAA;EAAA;EAC/B,QAAA;EACA,QAAA;EACA,KAAA;EACA,IAAA;EACA,OAAA;AAAA;AAAA,UAGgB,cAAA;EAChB,IAAA;EAD8B;EAG9B,OAAA;EAIa;EAFb,MAAA;EAFA;EAIA,KAAA,EAAO,MAAA;AAAA;;;;UAMS,gBAAA;EAAgB;EAEhC,KAAA;EAAA;EAEA,MAAA;AAAA;;;;;UAOgB,aAAA;EASU;;;EAL1B,IAAA,CAAK,OAAA,EAAS,gBAAA,GAAmB,OAAA,CAAQ,eAAA;EAUP;;;EALlC,GAAA,EAAK,EAAA,WAAa,OAAA,CAAQ,iBAAA;EAgBmC;;;EAX7D,MAAA,EAAQ,KAAA,EAAO,gBAAA,GAAmB,OAAA,CAAQ,iBAAA;EAkBgC;;;EAb1E,MAAA,EAAQ,EAAA,WAAa,OAAA;EAfhB;;;;EAqBL,QAAA,CAAS,KAAA,EAAO,UAAA,EAAY,OAAA,GAAU,YAAA,GAAe,OAAA,CAAQ,WAAA,IAAe,WAAA;EAhB1D;;;;;EAuBlB,eAAA,EAAiB,EAAA,UAAY,QAAA,WAAmB,OAAA,GAAU,gBAAA;AAAA;;;;KAM/C,qBAAA,WAAgC,MAAA,sBAC3C,MAAA,EAAQ,OAAA,KACJ,aAAA;;;;;;;;;UAUY,UAAA;EAlBa;EAoB7B,QAAA;EApBgD;EAuBhD,EAAA;EAvB0E;EA0B1E,GAAA;EApBgC;EAuBhC,UAAA;EAvB2C;EA0B3C,QAAA;EACA,QAAA;EACA,KAAA;EACA,MAAA;EACA,GAAA;EA9B2C;EAiC3C,IAAA,GAAO,MAAA;AAAA;;;;iBAMQ,gBAAA,CAAiB,UAAA,UAAoB,IAAA,EAAM,iBAAA,GAAoB,UAAA;;;;;;;;;;;;iBClPzD,mBAAA,CACrB,KAAA,WACA,WAAA,GAAc,EAAA,aAAe,aAAA,eAC3B,OAAA,CAAQ,UAAA;;;;ADhBX;;;;;;UEDiB,eAAA;EAChB,QAAA;EACA,aAAA;AAAA;;;;;;;;;;iBAgGqB,mBAAA,CACrB,MAAA,EAAQ,UAAA,EACR,QAAA,UACA,UAAA;EAAe,KAAA;EAAe,MAAA;AAAA,IAC5B,OAAA,CAAQ,eAAA"}

package/dist/plugin-types.d.mts

@@ -1,4 +1,4 @@
-import { $ as PageMetadataHandler, A as EmailDeliverEvent, C as CronHandler, Ct as UninstallEvent, D as EmailAfterSendHandler, E as EmailAfterSendEvent, H as MediaAfterUploadEvent, K as MediaUploadEvent, O as EmailBeforeSendEvent, Q as PageMetadataEvent, R as LifecycleEvent, S as CronEvent, U as MediaAfterUploadHandler, W as MediaBeforeUploadHandler, X as PageFragmentHandler, Y as PageFragmentEvent, _ as ContentBeforeDeleteHandler, a as CommentAfterCreateHandler, b as ContentHookEvent, c as CommentBeforeCreateEvent, d as CommentModerateHandler, g as ContentAfterUnpublishHandler, h as ContentAfterSaveHandler, i as CommentAfterCreateEvent, j as EmailDeliverHandler, k as EmailBeforeSendHandler, l as CommentBeforeCreateHandler, m as ContentAfterPublishHandler, o as CommentAfterModerateEvent, ot as PluginContext, p as ContentAfterDeleteHandler, s as CommentAfterModerateHandler, u as CommentModerateEvent, v as ContentBeforeSaveHandler, wt as UninstallHandler, x as ContentPublishStateChangeEvent, y as ContentDeleteEvent, z as LifecycleHandler } from "./types-B05e2naf.mjs";
+import { $ as PageMetadataHandler, A as EmailDeliverEvent, C as CronHandler, D as EmailAfterSendHandler, E as EmailAfterSendEvent, Et as UninstallHandler, H as MediaAfterUploadEvent, K as MediaUploadEvent, O as EmailBeforeSendEvent, Q as PageMetadataEvent, R as LifecycleEvent, S as CronEvent, Tt as UninstallEvent, U as MediaAfterUploadHandler, W as MediaBeforeUploadHandler, X as PageFragmentHandler, Y as PageFragmentEvent, _ as ContentBeforeDeleteHandler, a as CommentAfterCreateHandler, b as ContentHookEvent, c as CommentBeforeCreateEvent, d as CommentModerateHandler, g as ContentAfterUnpublishHandler, h as ContentAfterSaveHandler, i as CommentAfterCreateEvent, j as EmailDeliverHandler, k as EmailBeforeSendHandler, l as CommentBeforeCreateHandler, m as ContentAfterPublishHandler, o as CommentAfterModerateEvent, p as ContentAfterDeleteHandler, s as CommentAfterModerateHandler, st as PluginContext, u as CommentModerateEvent, v as ContentBeforeSaveHandler, x as ContentPublishStateChangeEvent, y as ContentDeleteEvent, z as LifecycleHandler } from "./types-DGHWRQgr.mjs";
 
 //#region src/plugin-types.d.ts
 /**

package/dist/plugins/adapt-sandbox-entry.d.mts

@@ -1,13 +1,13 @@
-import "../options-Cq64Wx0O.mjs";
-import "../types-C1KKK4VP.mjs";
-import { _t as ResolvedPlugin } from "../types-B05e2naf.mjs";
-import "../bylines-C6eYUWlZ.mjs";
-import { Ft as PluginDescriptor } from "../index-UmOMt9T-.mjs";
-import "../runner-DcfZewkO.mjs";
-import "../index-D2gvztOP.mjs";
+import "../options-DhV-gwJb.mjs";
+import "../types-DaqNzqVt.mjs";
+import { yt as ResolvedPlugin } from "../types-DGHWRQgr.mjs";
+import "../bylines-DtDRNF1n.mjs";
+import { Lt as PluginDescriptor } from "../index-Bv1Wf1zB.mjs";
+import "../runner-CNHRo1mT.mjs";
+import "../index-CC42STEm.mjs";
 import { SandboxedPlugin } from "../plugin-types.mjs";
-import "../types-Cb2UCDJg.mjs";
-import "../validate-BpQGsmd7.mjs";
+import "../types-bYmRn_Uy.mjs";
+import "../validate-DQtHw9NT.mjs";
 
 //#region src/plugins/adapt-sandbox-entry.d.ts
 /**

package/dist/plugins/adapt-sandbox-entry.d.mts.map

@@ -1 +1 @@
-{"version":3,"file":"adapt-sandbox-entry.d.mts","names":[],"sources":["../../src/plugins/adapt-sandbox-entry.ts"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;iBAoHgB,iBAAA,CACf,UAAA,EAAY,eAAA,EACZ,UAAA,EAAY,gBAAA,GACV,cAAA"}
+{"version":3,"file":"adapt-sandbox-entry.d.mts","names":[],"sources":["../../src/plugins/adapt-sandbox-entry.ts"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;iBA6IgB,iBAAA,CACf,UAAA,EAAY,eAAA,EACZ,UAAA,EAAY,gBAAA,GACV,cAAA"}

package/dist/plugins/adapt-sandbox-entry.mjs

@@ -1,5 +1,5 @@
-import { n as PLUGIN_CAPABILITIES, t as HOOK_NAMES } from "../manifest-schema-HCtSh4Jq.mjs";
-import { r as normalizeCapabilities } from "../types-Db67HHlU.mjs";
+import { n as PLUGIN_CAPABILITIES, t as HOOK_NAMES } from "../manifest-schema-Czqf0TLu.mjs";
+import { r as normalizeCapabilities } from "../types-1NNkmTIn.mjs";
 
 //#region src/plugins/adapt-sandbox-entry.ts
 /**
@@ -44,6 +44,23 @@ function resolveSandboxedHook(entry, pluginId) {
 		pluginId
 	};
 }
+/**
+* Normalise a `RouteEntry` (bare handler or `{ handler, public?, input? }`
+* config) to the config form. The `input` schema is intentionally typed
+* `unknown` in `RouteEntry` — sandboxed plugins describe it loosely
+* because the strict `z.ZodType<TInput>` constraint of the runtime's
+* `PluginRoute` only narrows once the route is wired into the router.
+* The wider type flows through to the runtime which validates at
+* invocation time.
+*/
+function normalizeRouteEntry(entry) {
+	if (typeof entry === "function") return { handler: entry };
+	return {
+		handler: entry.handler,
+		public: entry.public,
+		input: entry.input
+	};
+}
 const VALID_CAPABILITIES_SET = new Set(PLUGIN_CAPABILITIES);
 const VALID_HOOK_NAMES_SET = new Set(HOOK_NAMES);
 /**
@@ -74,24 +91,18 @@ function adaptSandboxEntry(definition, descriptor) {
 	}
 	const resolvedRoutes = {};
 	if (definition.routes) for (const [routeName, rawEntry] of Object.entries(definition.routes)) {
-		const isConfig = typeof rawEntry === "object" && rawEntry !== null && "handler" in rawEntry;
-		const handler = isConfig ? rawEntry.handler : rawEntry;
-		const publicFlag = isConfig ? rawEntry.public : void 0;
+		const { handler, public: publicFlag, input: inputSchema } = normalizeRouteEntry(rawEntry);
 		resolvedRoutes[routeName] = {
-			input: isConfig ? rawEntry.input : void 0,
+			input: inputSchema,
 			public: publicFlag,
 			handler: async (ctx) => {
 				const headers = {};
-				if (ctx.request && typeof ctx.request === "object") {
-					const h = ctx.request.headers;
-					if (h && typeof h === "object") if (typeof h.forEach === "function") h.forEach((value, name) => {
-						headers[name] = value;
-					});
-					else for (const [name, value] of Object.entries(h)) headers[name] = value;
-				}
+				ctx.request.headers.forEach((value, name) => {
+					headers[name] = value;
+				});
 				const requestShape = {
-					url: ctx.request?.url && typeof ctx.request.url === "string" ? ctx.request.url : "",
-					method: ctx.request?.method && typeof ctx.request.method === "string" ? ctx.request.method : "GET",
+					url: ctx.request.url,
+					method: ctx.request.method,
 					headers
 				};
 				const routeCtx = {

package/dist/plugins/adapt-sandbox-entry.mjs.map

@@ -1 +1 @@
-{"version":3,"file":"adapt-sandbox-entry.mjs","names":[],"sources":["../../src/plugins/adapt-sandbox-entry.ts"],"sourcesContent":["/**\n * In-Process Adapter for Standard-Format Plugins\n *\n * Converts a standard plugin definition ({ hooks, routes }) into a\n * ResolvedPlugin compatible with HookPipeline. This allows standard-format\n * plugins to run in-process when placed in the `plugins: []` config array.\n *\n * The adapter wraps each hook and route handler so that the PluginContextFactory\n * provides the same capability-gated context as the native path.\n *\n */\n\nimport type { PluginDescriptor } from \"../astro/integration/runtime.js\";\nimport type { SandboxedPlugin } from \"../plugin-types.js\";\nimport { PLUGIN_CAPABILITIES, HOOK_NAMES } from \"./manifest-schema.js\";\nimport { normalizeCapabilities } from \"./types.js\";\nimport type {\n\tResolvedPlugin,\n\tResolvedPluginHooks,\n\tResolvedHook,\n\tPluginRoute,\n\tPluginCapability,\n\tPluginStorageConfig,\n\tPluginAdminConfig,\n} from \"./types.js\";\n\n/**\n * Loose per-hook entry shape used inside the adapter's iteration loop.\n *\n * `SandboxedPlugin.hooks` is a mapped type keyed by hook name, so each\n * entry's type depends on the key. When the adapter iterates with\n * `Object.entries`, the key is `string` (TypeScript can't see the\n * narrowing), so we need a *union* type that covers every hook entry\n * shape — bare handler or config form. This is that union, kept local\n * because it has no use outside the adapter.\n */\n// eslint-disable-next-line typescript-eslint/no-explicit-any -- must accept handlers with specific event types across all hook names\ntype AnyHookHandler = (...args: any[]) => Promise<any>;\ntype AnyHookEntry =\n\t| AnyHookHandler\n\t| {\n\t\t\thandler: AnyHookHandler;\n\t\t\tpriority?: number;\n\t\t\ttimeout?: number;\n\t\t\tdependencies?: string[];\n\t\t\terrorPolicy?: \"continue\" | \"abort\";\n\t\t\texclusive?: boolean;\n\t  };\n\n/**\n * Default hook configuration values\n */\nconst DEFAULT_PRIORITY = 100;\nconst DEFAULT_TIMEOUT = 5000;\nconst DEFAULT_ERROR_POLICY = \"abort\" as const;\n\n/**\n * Check if a hook entry is the config form (has a `handler` property).\n */\nfunction isHookConfig(entry: AnyHookEntry): entry is Exclude<AnyHookEntry, AnyHookHandler> {\n\treturn typeof entry === \"object\" && entry !== null && \"handler\" in entry;\n}\n\n/**\n * Resolve a single hook entry to a ResolvedHook.\n *\n * Sandboxed-format hooks use the standard two-arg convention:\n *   handler(event, ctx)\n *\n * The HookPipeline dispatch methods also call handlers with (event, ctx),\n * so the handler is compatible as-is — we just normalise the\n * surrounding config (priority, timeout, etc.) to its defaults.\n */\nfunction resolveSandboxedHook(entry: AnyHookEntry, pluginId: string): ResolvedHook<AnyHookHandler> {\n\tif (isHookConfig(entry)) {\n\t\treturn {\n\t\t\tpriority: entry.priority ?? DEFAULT_PRIORITY,\n\t\t\ttimeout: entry.timeout ?? DEFAULT_TIMEOUT,\n\t\t\tdependencies: entry.dependencies ?? [],\n\t\t\terrorPolicy: entry.errorPolicy ?? DEFAULT_ERROR_POLICY,\n\t\t\texclusive: entry.exclusive ?? false,\n\t\t\thandler: entry.handler,\n\t\t\tpluginId,\n\t\t};\n\t}\n\n\t// Bare function handler\n\treturn {\n\t\tpriority: DEFAULT_PRIORITY,\n\t\ttimeout: DEFAULT_TIMEOUT,\n\t\tdependencies: [],\n\t\terrorPolicy: DEFAULT_ERROR_POLICY,\n\t\texclusive: false,\n\t\thandler: entry,\n\t\tpluginId,\n\t};\n}\n\nconst VALID_CAPABILITIES_SET = new Set<string>(PLUGIN_CAPABILITIES);\n\nconst VALID_HOOK_NAMES_SET = new Set<string>(HOOK_NAMES);\n\n/**\n * Adapt a sandboxed plugin's default export into a ResolvedPlugin.\n *\n * This is the in-process side of sandboxed-format plugins: it takes\n * the `{ hooks, routes }` default export of a sandboxed plugin and\n * produces a `ResolvedPlugin` that enters the HookPipeline alongside\n * native plugins. The descriptor supplies identity (id, version) and\n * the trust contract (capabilities, allowedHosts, storage); the\n * definition supplies behaviour.\n *\n * @param definition - The plugin's default export (matching `SandboxedPlugin` from `emdash/plugin`).\n * @param descriptor - The plugin descriptor with id, version, capabilities, etc.\n * @returns A ResolvedPlugin compatible with HookPipeline.\n */\nexport function adaptSandboxEntry(\n\tdefinition: SandboxedPlugin,\n\tdescriptor: PluginDescriptor,\n): ResolvedPlugin {\n\tconst pluginId = descriptor.id;\n\tconst version = descriptor.version;\n\n\t// A null / array / non-object `definition` would throw a generic\n\t// `TypeError: Cannot read properties of null` further down the\n\t// loop without the plugin id; surface a useful error first.\n\tif (typeof definition !== \"object\" || definition === null || Array.isArray(definition)) {\n\t\tthrow new Error(\n\t\t\t`Plugin \"${pluginId}\" default export must be an object with ` +\n\t\t\t\t`\\`hooks\\` and/or \\`routes\\` (got ${\n\t\t\t\t\tArray.isArray(definition) ? \"array\" : typeof definition\n\t\t\t\t}). Did you forget \\`export default {...} satisfies SandboxedPlugin\\`?`,\n\t\t);\n\t}\n\n\t// Resolve hooks. `SandboxedPlugin.hooks` is keyed by hook name with\n\t// per-key entry types; iterating with `Object.entries` collapses\n\t// keys to `string`, so we treat each entry as the union `AnyHookEntry`\n\t// for the duration of the loop.\n\tconst resolvedHooks: ResolvedPluginHooks = {};\n\tif (definition.hooks) {\n\t\tconst hookMap = definition.hooks as Record<string, AnyHookEntry>;\n\t\tfor (const [hookName, entry] of Object.entries(hookMap)) {\n\t\t\tif (!VALID_HOOK_NAMES_SET.has(hookName)) {\n\t\t\t\tthrow new Error(\n\t\t\t\t\t`Plugin \"${pluginId}\" declares unknown hook \"${hookName}\". ` +\n\t\t\t\t\t\t`Valid hooks: ${[...VALID_HOOK_NAMES_SET].join(\", \")}`,\n\t\t\t\t);\n\t\t\t}\n\t\t\t// The resolved hook has the correct handler type for the hook name.\n\t\t\t// We store it as the generic type and let HookPipeline's typed dispatch\n\t\t\t// methods handle the type narrowing at call time.\n\t\t\t// eslint-disable-next-line typescript-eslint/no-unsafe-type-assertion -- bridging untyped map to typed interface\n\t\t\t(resolvedHooks as Record<string, unknown>)[hookName] = resolveSandboxedHook(entry, pluginId);\n\t\t}\n\t}\n\n\t// Resolve routes: sandboxed format uses (routeCtx, pluginCtx) two-arg\n\t// pattern. Native format uses (ctx: RouteContext) single-arg pattern\n\t// where RouteContext extends PluginContext with\n\t// { input, request, requestMeta }. We wrap sandboxed route handlers\n\t// to merge the two args into one.\n\t//\n\t// Route entries can be bare functions or `{ handler, public?, input? }`\n\t// config objects; normalise to the config shape inside the loop.\n\tconst resolvedRoutes: Record<string, PluginRoute> = {};\n\tif (definition.routes) {\n\t\tfor (const [routeName, rawEntry] of Object.entries(definition.routes)) {\n\t\t\tconst isConfig = typeof rawEntry === \"object\" && rawEntry !== null && \"handler\" in rawEntry;\n\t\t\tconst handler = isConfig\n\t\t\t\t? (rawEntry as { handler: (...args: unknown[]) => Promise<unknown> }).handler\n\t\t\t\t: (rawEntry as (...args: unknown[]) => Promise<unknown>);\n\t\t\tconst publicFlag = isConfig ? (rawEntry as { public?: boolean }).public : undefined;\n\t\t\tconst inputSchema = isConfig ? (rawEntry as { input?: unknown }).input : undefined;\n\t\t\tresolvedRoutes[routeName] = {\n\t\t\t\t// eslint-disable-next-line @typescript-eslint/no-unsafe-type-assertion -- route entry.input is intentionally loosely typed; callers validate at runtime\n\t\t\t\tinput: inputSchema as PluginRoute[\"input\"],\n\t\t\t\tpublic: publicFlag,\n\t\t\t\thandler: async (ctx) => {\n\t\t\t\t\t// In-process, `ctx.request` is a real WHATWG `Request`\n\t\t\t\t\t// with a `Headers` object. The author-facing\n\t\t\t\t\t// `SandboxedRequest` type promises a plain\n\t\t\t\t\t// `Record<string, string>` (the shape the sandbox's\n\t\t\t\t\t// serialised form delivers). Normalise so handlers\n\t\t\t\t\t// behave the same in-process and in-isolate.\n\t\t\t\t\tconst headers: Record<string, string> = {};\n\t\t\t\t\tif (ctx.request && typeof ctx.request === \"object\") {\n\t\t\t\t\t\tconst h: unknown = (ctx.request as { headers?: unknown }).headers;\n\t\t\t\t\t\tif (h && typeof h === \"object\") {\n\t\t\t\t\t\t\tif (typeof (h as Headers).forEach === \"function\") {\n\t\t\t\t\t\t\t\t(h as Headers).forEach((value, name) => {\n\t\t\t\t\t\t\t\t\theaders[name] = value;\n\t\t\t\t\t\t\t\t});\n\t\t\t\t\t\t\t} else {\n\t\t\t\t\t\t\t\tfor (const [name, value] of Object.entries(h as Record<string, string>)) {\n\t\t\t\t\t\t\t\t\theaders[name] = value;\n\t\t\t\t\t\t\t\t}\n\t\t\t\t\t\t\t}\n\t\t\t\t\t\t}\n\t\t\t\t\t}\n\t\t\t\t\tconst requestShape = {\n\t\t\t\t\t\turl:\n\t\t\t\t\t\t\t(ctx.request as { url?: unknown } | undefined)?.url &&\n\t\t\t\t\t\t\ttypeof (ctx.request as { url: unknown }).url === \"string\"\n\t\t\t\t\t\t\t\t? (ctx.request as { url: string }).url\n\t\t\t\t\t\t\t\t: \"\",\n\t\t\t\t\t\tmethod:\n\t\t\t\t\t\t\t(ctx.request as { method?: unknown } | undefined)?.method &&\n\t\t\t\t\t\t\ttypeof (ctx.request as { method: unknown }).method === \"string\"\n\t\t\t\t\t\t\t\t? (ctx.request as { method: string }).method\n\t\t\t\t\t\t\t\t: \"GET\",\n\t\t\t\t\t\theaders,\n\t\t\t\t\t};\n\t\t\t\t\tconst routeCtx = {\n\t\t\t\t\t\tinput: ctx.input,\n\t\t\t\t\t\trequest: requestShape,\n\t\t\t\t\t\trequestMeta: ctx.requestMeta,\n\t\t\t\t\t};\n\t\t\t\t\tconst { input: _, request: __, requestMeta: ___, ...pluginCtx } = ctx;\n\t\t\t\t\treturn handler(routeCtx, pluginCtx);\n\t\t\t\t},\n\t\t\t};\n\t\t}\n\t}\n\n\t// Build capabilities from descriptor.\n\t// Validate against the known set (same as defineNativePlugin). Both\n\t// current and deprecated names are accepted; deprecated names are\n\t// silently normalized to current names below so the runtime only ever\n\t// sees the canonical form.\n\tconst rawCapabilities = descriptor.capabilities ?? [];\n\tfor (const cap of rawCapabilities) {\n\t\tif (!VALID_CAPABILITIES_SET.has(cap)) {\n\t\t\tthrow new Error(\n\t\t\t\t`Invalid capability \"${cap}\" in plugin \"${pluginId}\". ` +\n\t\t\t\t\t`Valid capabilities: ${[...VALID_CAPABILITIES_SET].join(\", \")}`,\n\t\t\t);\n\t\t}\n\t}\n\n\t// Silent normalization: rewrite deprecated names to current names.\n\t// Safe assertion — `normalizeCapabilities` only emits validated input\n\t// plus current names from the rename map, all of which are in the union.\n\t// eslint-disable-next-line @typescript-eslint/no-unsafe-type-assertion -- validated above; normalizeCapabilities only returns capabilities from the union\n\tconst capabilities = normalizeCapabilities(rawCapabilities) as PluginCapability[];\n\tconst allowedHosts = descriptor.allowedHosts ?? [];\n\n\t// Capability implications: broader capabilities imply narrower ones\n\t// (mirrors the normalization in define-plugin.ts for native format).\n\t// Operates on canonical names only.\n\tif (capabilities.includes(\"content:write\") && !capabilities.includes(\"content:read\")) {\n\t\tcapabilities.push(\"content:read\");\n\t}\n\tif (capabilities.includes(\"media:write\") && !capabilities.includes(\"media:read\")) {\n\t\tcapabilities.push(\"media:read\");\n\t}\n\tif (\n\t\tcapabilities.includes(\"network:request:unrestricted\") &&\n\t\t!capabilities.includes(\"network:request\")\n\t) {\n\t\tcapabilities.push(\"network:request\");\n\t}\n\n\t// Build storage config from descriptor.\n\t// StorageCollectionDeclaration uses optional indexes, but PluginStorageConfig\n\t// requires them. Ensure every collection has an indexes array.\n\tconst rawStorage = descriptor.storage ?? {};\n\tconst storage: PluginStorageConfig = {};\n\tfor (const [name, config] of Object.entries(rawStorage)) {\n\t\tstorage[name] = {\n\t\t\tindexes: config.indexes ?? [],\n\t\t\tuniqueIndexes: config.uniqueIndexes,\n\t\t};\n\t}\n\n\t// Build admin config from descriptor\n\tconst admin: PluginAdminConfig = {};\n\tif (descriptor.adminPages) {\n\t\tadmin.pages = descriptor.adminPages;\n\t}\n\tif (descriptor.adminWidgets) {\n\t\tadmin.widgets = descriptor.adminWidgets;\n\t}\n\n\treturn {\n\t\tid: pluginId,\n\t\tversion,\n\t\tcapabilities,\n\t\tallowedHosts,\n\t\tstorage,\n\t\thooks: resolvedHooks,\n\t\troutes: resolvedRoutes,\n\t\tadmin,\n\t};\n}\n"],"mappings":";;;;;;;AAoDA,MAAM,mBAAmB;AACzB,MAAM,kBAAkB;AACxB,MAAM,uBAAuB;;;;AAK7B,SAAS,aAAa,OAAqE;AAC1F,QAAO,OAAO,UAAU,YAAY,UAAU,QAAQ,aAAa;;;;;;;;;;;;AAapE,SAAS,qBAAqB,OAAqB,UAAgD;AAClG,KAAI,aAAa,MAAM,CACtB,QAAO;EACN,UAAU,MAAM,YAAY;EAC5B,SAAS,MAAM,WAAW;EAC1B,cAAc,MAAM,gBAAgB,EAAE;EACtC,aAAa,MAAM,eAAe;EAClC,WAAW,MAAM,aAAa;EAC9B,SAAS,MAAM;EACf;EACA;AAIF,QAAO;EACN,UAAU;EACV,SAAS;EACT,cAAc,EAAE;EAChB,aAAa;EACb,WAAW;EACX,SAAS;EACT;EACA;;AAGF,MAAM,yBAAyB,IAAI,IAAY,oBAAoB;AAEnE,MAAM,uBAAuB,IAAI,IAAY,WAAW;;;;;;;;;;;;;;;AAgBxD,SAAgB,kBACf,YACA,YACiB;CACjB,MAAM,WAAW,WAAW;CAC5B,MAAM,UAAU,WAAW;AAK3B,KAAI,OAAO,eAAe,YAAY,eAAe,QAAQ,MAAM,QAAQ,WAAW,CACrF,OAAM,IAAI,MACT,WAAW,SAAS,2EAElB,MAAM,QAAQ,WAAW,GAAG,UAAU,OAAO,WAC7C,uEACF;CAOF,MAAM,gBAAqC,EAAE;AAC7C,KAAI,WAAW,OAAO;EACrB,MAAM,UAAU,WAAW;AAC3B,OAAK,MAAM,CAAC,UAAU,UAAU,OAAO,QAAQ,QAAQ,EAAE;AACxD,OAAI,CAAC,qBAAqB,IAAI,SAAS,CACtC,OAAM,IAAI,MACT,WAAW,SAAS,2BAA2B,SAAS,kBACvC,CAAC,GAAG,qBAAqB,CAAC,KAAK,KAAK,GACrD;AAMF,GAAC,cAA0C,YAAY,qBAAqB,OAAO,SAAS;;;CAY9F,MAAM,iBAA8C,EAAE;AACtD,KAAI,WAAW,OACd,MAAK,MAAM,CAAC,WAAW,aAAa,OAAO,QAAQ,WAAW,OAAO,EAAE;EACtE,MAAM,WAAW,OAAO,aAAa,YAAY,aAAa,QAAQ,aAAa;EACnF,MAAM,UAAU,WACZ,SAAmE,UACnE;EACJ,MAAM,aAAa,WAAY,SAAkC,SAAS;AAE1E,iBAAe,aAAa;GAE3B,OAHmB,WAAY,SAAiC,QAAQ;GAIxE,QAAQ;GACR,SAAS,OAAO,QAAQ;IAOvB,MAAM,UAAkC,EAAE;AAC1C,QAAI,IAAI,WAAW,OAAO,IAAI,YAAY,UAAU;KACnD,MAAM,IAAc,IAAI,QAAkC;AAC1D,SAAI,KAAK,OAAO,MAAM,SACrB,KAAI,OAAQ,EAAc,YAAY,WACrC,CAAC,EAAc,SAAS,OAAO,SAAS;AACvC,cAAQ,QAAQ;OACf;SAEF,MAAK,MAAM,CAAC,MAAM,UAAU,OAAO,QAAQ,EAA4B,CACtE,SAAQ,QAAQ;;IAKpB,MAAM,eAAe;KACpB,KACE,IAAI,SAA2C,OAChD,OAAQ,IAAI,QAA6B,QAAQ,WAC7C,IAAI,QAA4B,MACjC;KACJ,QACE,IAAI,SAA8C,UACnD,OAAQ,IAAI,QAAgC,WAAW,WACnD,IAAI,QAA+B,SACpC;KACJ;KACA;IACD,MAAM,WAAW;KAChB,OAAO,IAAI;KACX,SAAS;KACT,aAAa,IAAI;KACjB;IACD,MAAM,EAAE,OAAO,GAAG,SAAS,IAAI,aAAa,KAAK,GAAG,cAAc;AAClE,WAAO,QAAQ,UAAU,UAAU;;GAEpC;;CASH,MAAM,kBAAkB,WAAW,gBAAgB,EAAE;AACrD,MAAK,MAAM,OAAO,gBACjB,KAAI,CAAC,uBAAuB,IAAI,IAAI,CACnC,OAAM,IAAI,MACT,uBAAuB,IAAI,eAAe,SAAS,yBAC3B,CAAC,GAAG,uBAAuB,CAAC,KAAK,KAAK,GAC9D;CAQH,MAAM,eAAe,sBAAsB,gBAAgB;CAC3D,MAAM,eAAe,WAAW,gBAAgB,EAAE;AAKlD,KAAI,aAAa,SAAS,gBAAgB,IAAI,CAAC,aAAa,SAAS,eAAe,CACnF,cAAa,KAAK,eAAe;AAElC,KAAI,aAAa,SAAS,cAAc,IAAI,CAAC,aAAa,SAAS,aAAa,CAC/E,cAAa,KAAK,aAAa;AAEhC,KACC,aAAa,SAAS,+BAA+B,IACrD,CAAC,aAAa,SAAS,kBAAkB,CAEzC,cAAa,KAAK,kBAAkB;CAMrC,MAAM,aAAa,WAAW,WAAW,EAAE;CAC3C,MAAM,UAA+B,EAAE;AACvC,MAAK,MAAM,CAAC,MAAM,WAAW,OAAO,QAAQ,WAAW,CACtD,SAAQ,QAAQ;EACf,SAAS,OAAO,WAAW,EAAE;EAC7B,eAAe,OAAO;EACtB;CAIF,MAAM,QAA2B,EAAE;AACnC,KAAI,WAAW,WACd,OAAM,QAAQ,WAAW;AAE1B,KAAI,WAAW,aACd,OAAM,UAAU,WAAW;AAG5B,QAAO;EACN,IAAI;EACJ;EACA;EACA;EACA;EACA,OAAO;EACP,QAAQ;EACR;EACA"}
+{"version":3,"file":"adapt-sandbox-entry.mjs","names":[],"sources":["../../src/plugins/adapt-sandbox-entry.ts"],"sourcesContent":["/**\n * In-Process Adapter for Standard-Format Plugins\n *\n * Converts a standard plugin definition ({ hooks, routes }) into a\n * ResolvedPlugin compatible with HookPipeline. This allows standard-format\n * plugins to run in-process when placed in the `plugins: []` config array.\n *\n * The adapter wraps each hook and route handler so that the PluginContextFactory\n * provides the same capability-gated context as the native path.\n *\n */\n\nimport type { PluginDescriptor } from \"../astro/integration/runtime.js\";\nimport type { RouteEntry, RouteHandler, SandboxedPlugin } from \"../plugin-types.js\";\nimport { PLUGIN_CAPABILITIES, HOOK_NAMES } from \"./manifest-schema.js\";\nimport { normalizeCapabilities } from \"./types.js\";\nimport type {\n\tResolvedPlugin,\n\tResolvedPluginHooks,\n\tResolvedHook,\n\tPluginRoute,\n\tPluginCapability,\n\tPluginStorageConfig,\n\tPluginAdminConfig,\n} from \"./types.js\";\n\n/**\n * Loose per-hook entry shape used inside the adapter's iteration loop.\n *\n * `SandboxedPlugin.hooks` is a mapped type keyed by hook name, so each\n * entry's type depends on the key. When the adapter iterates with\n * `Object.entries`, the key is `string` (TypeScript can't see the\n * narrowing), so we need a *union* type that covers every hook entry\n * shape — bare handler or config form. This is that union, kept local\n * because it has no use outside the adapter.\n */\n// eslint-disable-next-line typescript-eslint/no-explicit-any -- must accept handlers with specific event types across all hook names\ntype AnyHookHandler = (...args: any[]) => Promise<any>;\ntype AnyHookEntry =\n\t| AnyHookHandler\n\t| {\n\t\t\thandler: AnyHookHandler;\n\t\t\tpriority?: number;\n\t\t\ttimeout?: number;\n\t\t\tdependencies?: string[];\n\t\t\terrorPolicy?: \"continue\" | \"abort\";\n\t\t\texclusive?: boolean;\n\t  };\n\n/**\n * Default hook configuration values\n */\nconst DEFAULT_PRIORITY = 100;\nconst DEFAULT_TIMEOUT = 5000;\nconst DEFAULT_ERROR_POLICY = \"abort\" as const;\n\n/**\n * Check if a hook entry is the config form (has a `handler` property).\n */\nfunction isHookConfig(entry: AnyHookEntry): entry is Exclude<AnyHookEntry, AnyHookHandler> {\n\treturn typeof entry === \"object\" && entry !== null && \"handler\" in entry;\n}\n\n/**\n * Resolve a single hook entry to a ResolvedHook.\n *\n * Sandboxed-format hooks use the standard two-arg convention:\n *   handler(event, ctx)\n *\n * The HookPipeline dispatch methods also call handlers with (event, ctx),\n * so the handler is compatible as-is — we just normalise the\n * surrounding config (priority, timeout, etc.) to its defaults.\n */\nfunction resolveSandboxedHook(entry: AnyHookEntry, pluginId: string): ResolvedHook<AnyHookHandler> {\n\tif (isHookConfig(entry)) {\n\t\treturn {\n\t\t\tpriority: entry.priority ?? DEFAULT_PRIORITY,\n\t\t\ttimeout: entry.timeout ?? DEFAULT_TIMEOUT,\n\t\t\tdependencies: entry.dependencies ?? [],\n\t\t\terrorPolicy: entry.errorPolicy ?? DEFAULT_ERROR_POLICY,\n\t\t\texclusive: entry.exclusive ?? false,\n\t\t\thandler: entry.handler,\n\t\t\tpluginId,\n\t\t};\n\t}\n\n\t// Bare function handler\n\treturn {\n\t\tpriority: DEFAULT_PRIORITY,\n\t\ttimeout: DEFAULT_TIMEOUT,\n\t\tdependencies: [],\n\t\terrorPolicy: DEFAULT_ERROR_POLICY,\n\t\texclusive: false,\n\t\thandler: entry,\n\t\tpluginId,\n\t};\n}\n\n/**\n * Normalise a `RouteEntry` (bare handler or `{ handler, public?, input? }`\n * config) to the config form. The `input` schema is intentionally typed\n * `unknown` in `RouteEntry` — sandboxed plugins describe it loosely\n * because the strict `z.ZodType<TInput>` constraint of the runtime's\n * `PluginRoute` only narrows once the route is wired into the router.\n * The wider type flows through to the runtime which validates at\n * invocation time.\n */\nfunction normalizeRouteEntry(entry: RouteEntry): {\n\thandler: RouteHandler;\n\tpublic?: boolean;\n\tinput?: PluginRoute[\"input\"];\n} {\n\tif (typeof entry === \"function\") {\n\t\treturn { handler: entry };\n\t}\n\treturn {\n\t\thandler: entry.handler,\n\t\tpublic: entry.public,\n\t\t// eslint-disable-next-line typescript-eslint/no-unsafe-type-assertion -- RouteEntry.input is intentionally `unknown` (sandboxed plugins) and validated by the runtime at invocation time\n\t\tinput: entry.input as PluginRoute[\"input\"],\n\t};\n}\n\nconst VALID_CAPABILITIES_SET = new Set<string>(PLUGIN_CAPABILITIES);\n\nconst VALID_HOOK_NAMES_SET = new Set<string>(HOOK_NAMES);\n\n/**\n * Adapt a sandboxed plugin's default export into a ResolvedPlugin.\n *\n * This is the in-process side of sandboxed-format plugins: it takes\n * the `{ hooks, routes }` default export of a sandboxed plugin and\n * produces a `ResolvedPlugin` that enters the HookPipeline alongside\n * native plugins. The descriptor supplies identity (id, version) and\n * the trust contract (capabilities, allowedHosts, storage); the\n * definition supplies behaviour.\n *\n * @param definition - The plugin's default export (matching `SandboxedPlugin` from `emdash/plugin`).\n * @param descriptor - The plugin descriptor with id, version, capabilities, etc.\n * @returns A ResolvedPlugin compatible with HookPipeline.\n */\nexport function adaptSandboxEntry(\n\tdefinition: SandboxedPlugin,\n\tdescriptor: PluginDescriptor,\n): ResolvedPlugin {\n\tconst pluginId = descriptor.id;\n\tconst version = descriptor.version;\n\n\t// A null / array / non-object `definition` would throw a generic\n\t// `TypeError: Cannot read properties of null` further down the\n\t// loop without the plugin id; surface a useful error first.\n\tif (typeof definition !== \"object\" || definition === null || Array.isArray(definition)) {\n\t\tthrow new Error(\n\t\t\t`Plugin \"${pluginId}\" default export must be an object with ` +\n\t\t\t\t`\\`hooks\\` and/or \\`routes\\` (got ${\n\t\t\t\t\tArray.isArray(definition) ? \"array\" : typeof definition\n\t\t\t\t}). Did you forget \\`export default {...} satisfies SandboxedPlugin\\`?`,\n\t\t);\n\t}\n\n\t// Resolve hooks. `SandboxedPlugin.hooks` is keyed by hook name with\n\t// per-key entry types; iterating with `Object.entries` collapses\n\t// keys to `string`, so we treat each entry as the union `AnyHookEntry`\n\t// for the duration of the loop. The widening from the strict mapped\n\t// type to a plain record is sound because each entry still matches\n\t// one of the bare-handler / config-object shapes captured by\n\t// `AnyHookEntry`.\n\tconst resolvedHooks: ResolvedPluginHooks = {};\n\tif (definition.hooks) {\n\t\t// eslint-disable-next-line typescript-eslint/no-unsafe-type-assertion -- widening the strict mapped type to a string-keyed record for iteration; entries still match AnyHookEntry\n\t\tconst hookMap = definition.hooks as Record<string, AnyHookEntry>;\n\t\tfor (const [hookName, entry] of Object.entries(hookMap)) {\n\t\t\tif (!VALID_HOOK_NAMES_SET.has(hookName)) {\n\t\t\t\tthrow new Error(\n\t\t\t\t\t`Plugin \"${pluginId}\" declares unknown hook \"${hookName}\". ` +\n\t\t\t\t\t\t`Valid hooks: ${[...VALID_HOOK_NAMES_SET].join(\", \")}`,\n\t\t\t\t);\n\t\t\t}\n\t\t\t// The resolved hook has the correct handler type for the hook name.\n\t\t\t// We store it as the generic type and let HookPipeline's typed dispatch\n\t\t\t// methods handle the type narrowing at call time.\n\t\t\t// eslint-disable-next-line typescript-eslint/no-unsafe-type-assertion -- bridging untyped map to typed interface\n\t\t\t(resolvedHooks as Record<string, unknown>)[hookName] = resolveSandboxedHook(entry, pluginId);\n\t\t}\n\t}\n\n\t// Resolve routes: sandboxed format uses (routeCtx, pluginCtx) two-arg\n\t// pattern. Native format uses (ctx: RouteContext) single-arg pattern\n\t// where RouteContext extends PluginContext with\n\t// { input, request, requestMeta }. We wrap sandboxed route handlers\n\t// to merge the two args into one.\n\t//\n\t// Route entries can be bare functions or `{ handler, public?, input? }`\n\t// config objects; normalise to the config shape inside the loop.\n\tconst resolvedRoutes: Record<string, PluginRoute> = {};\n\tif (definition.routes) {\n\t\tfor (const [routeName, rawEntry] of Object.entries(definition.routes)) {\n\t\t\tconst normalized = normalizeRouteEntry(rawEntry);\n\t\t\tconst { handler, public: publicFlag, input: inputSchema } = normalized;\n\t\t\tresolvedRoutes[routeName] = {\n\t\t\t\tinput: inputSchema,\n\t\t\t\tpublic: publicFlag,\n\t\t\t\thandler: async (ctx) => {\n\t\t\t\t\t// `ctx.request` is a real WHATWG `Request` (this is the\n\t\t\t\t\t// in-process adapter; the worker-sandbox adapter handles\n\t\t\t\t\t// the serialised case). Flatten `Headers` to the plain\n\t\t\t\t\t// `Record<string, string>` shape that author-facing\n\t\t\t\t\t// `SandboxedRequest` promises so handler bodies are\n\t\t\t\t\t// identical across both adapters.\n\t\t\t\t\tconst headers: Record<string, string> = {};\n\t\t\t\t\tctx.request.headers.forEach((value, name) => {\n\t\t\t\t\t\theaders[name] = value;\n\t\t\t\t\t});\n\t\t\t\t\tconst requestShape = {\n\t\t\t\t\t\turl: ctx.request.url,\n\t\t\t\t\t\tmethod: ctx.request.method,\n\t\t\t\t\t\theaders,\n\t\t\t\t\t};\n\t\t\t\t\tconst routeCtx = {\n\t\t\t\t\t\tinput: ctx.input,\n\t\t\t\t\t\trequest: requestShape,\n\t\t\t\t\t\trequestMeta: ctx.requestMeta,\n\t\t\t\t\t};\n\t\t\t\t\tconst { input: _, request: __, requestMeta: ___, ...pluginCtx } = ctx;\n\t\t\t\t\treturn handler(routeCtx, pluginCtx);\n\t\t\t\t},\n\t\t\t};\n\t\t}\n\t}\n\n\t// Build capabilities from descriptor.\n\t// Validate against the known set (same as defineNativePlugin). Both\n\t// current and deprecated names are accepted; deprecated names are\n\t// silently normalized to current names below so the runtime only ever\n\t// sees the canonical form.\n\tconst rawCapabilities = descriptor.capabilities ?? [];\n\tfor (const cap of rawCapabilities) {\n\t\tif (!VALID_CAPABILITIES_SET.has(cap)) {\n\t\t\tthrow new Error(\n\t\t\t\t`Invalid capability \"${cap}\" in plugin \"${pluginId}\". ` +\n\t\t\t\t\t`Valid capabilities: ${[...VALID_CAPABILITIES_SET].join(\", \")}`,\n\t\t\t);\n\t\t}\n\t}\n\n\t// Silent normalization: rewrite deprecated names to current names.\n\t// Safe assertion — `normalizeCapabilities` only emits validated input\n\t// plus current names from the rename map, all of which are in the union.\n\t// eslint-disable-next-line @typescript-eslint/no-unsafe-type-assertion -- validated above; normalizeCapabilities only returns capabilities from the union\n\tconst capabilities = normalizeCapabilities(rawCapabilities) as PluginCapability[];\n\tconst allowedHosts = descriptor.allowedHosts ?? [];\n\n\t// Capability implications: broader capabilities imply narrower ones\n\t// (mirrors the normalization in define-plugin.ts for native format).\n\t// Operates on canonical names only.\n\tif (capabilities.includes(\"content:write\") && !capabilities.includes(\"content:read\")) {\n\t\tcapabilities.push(\"content:read\");\n\t}\n\tif (capabilities.includes(\"media:write\") && !capabilities.includes(\"media:read\")) {\n\t\tcapabilities.push(\"media:read\");\n\t}\n\tif (\n\t\tcapabilities.includes(\"network:request:unrestricted\") &&\n\t\t!capabilities.includes(\"network:request\")\n\t) {\n\t\tcapabilities.push(\"network:request\");\n\t}\n\n\t// Build storage config from descriptor.\n\t// StorageCollectionDeclaration uses optional indexes, but PluginStorageConfig\n\t// requires them. Ensure every collection has an indexes array.\n\tconst rawStorage = descriptor.storage ?? {};\n\tconst storage: PluginStorageConfig = {};\n\tfor (const [name, config] of Object.entries(rawStorage)) {\n\t\tstorage[name] = {\n\t\t\tindexes: config.indexes ?? [],\n\t\t\tuniqueIndexes: config.uniqueIndexes,\n\t\t};\n\t}\n\n\t// Build admin config from descriptor\n\tconst admin: PluginAdminConfig = {};\n\tif (descriptor.adminPages) {\n\t\tadmin.pages = descriptor.adminPages;\n\t}\n\tif (descriptor.adminWidgets) {\n\t\tadmin.widgets = descriptor.adminWidgets;\n\t}\n\n\treturn {\n\t\tid: pluginId,\n\t\tversion,\n\t\tcapabilities,\n\t\tallowedHosts,\n\t\tstorage,\n\t\thooks: resolvedHooks,\n\t\troutes: resolvedRoutes,\n\t\tadmin,\n\t};\n}\n"],"mappings":";;;;;;;AAoDA,MAAM,mBAAmB;AACzB,MAAM,kBAAkB;AACxB,MAAM,uBAAuB;;;;AAK7B,SAAS,aAAa,OAAqE;AAC1F,QAAO,OAAO,UAAU,YAAY,UAAU,QAAQ,aAAa;;;;;;;;;;;;AAapE,SAAS,qBAAqB,OAAqB,UAAgD;AAClG,KAAI,aAAa,MAAM,CACtB,QAAO;EACN,UAAU,MAAM,YAAY;EAC5B,SAAS,MAAM,WAAW;EAC1B,cAAc,MAAM,gBAAgB,EAAE;EACtC,aAAa,MAAM,eAAe;EAClC,WAAW,MAAM,aAAa;EAC9B,SAAS,MAAM;EACf;EACA;AAIF,QAAO;EACN,UAAU;EACV,SAAS;EACT,cAAc,EAAE;EAChB,aAAa;EACb,WAAW;EACX,SAAS;EACT;EACA;;;;;;;;;;;AAYF,SAAS,oBAAoB,OAI3B;AACD,KAAI,OAAO,UAAU,WACpB,QAAO,EAAE,SAAS,OAAO;AAE1B,QAAO;EACN,SAAS,MAAM;EACf,QAAQ,MAAM;EAEd,OAAO,MAAM;EACb;;AAGF,MAAM,yBAAyB,IAAI,IAAY,oBAAoB;AAEnE,MAAM,uBAAuB,IAAI,IAAY,WAAW;;;;;;;;;;;;;;;AAgBxD,SAAgB,kBACf,YACA,YACiB;CACjB,MAAM,WAAW,WAAW;CAC5B,MAAM,UAAU,WAAW;AAK3B,KAAI,OAAO,eAAe,YAAY,eAAe,QAAQ,MAAM,QAAQ,WAAW,CACrF,OAAM,IAAI,MACT,WAAW,SAAS,2EAElB,MAAM,QAAQ,WAAW,GAAG,UAAU,OAAO,WAC7C,uEACF;CAUF,MAAM,gBAAqC,EAAE;AAC7C,KAAI,WAAW,OAAO;EAErB,MAAM,UAAU,WAAW;AAC3B,OAAK,MAAM,CAAC,UAAU,UAAU,OAAO,QAAQ,QAAQ,EAAE;AACxD,OAAI,CAAC,qBAAqB,IAAI,SAAS,CACtC,OAAM,IAAI,MACT,WAAW,SAAS,2BAA2B,SAAS,kBACvC,CAAC,GAAG,qBAAqB,CAAC,KAAK,KAAK,GACrD;AAMF,GAAC,cAA0C,YAAY,qBAAqB,OAAO,SAAS;;;CAY9F,MAAM,iBAA8C,EAAE;AACtD,KAAI,WAAW,OACd,MAAK,MAAM,CAAC,WAAW,aAAa,OAAO,QAAQ,WAAW,OAAO,EAAE;EAEtE,MAAM,EAAE,SAAS,QAAQ,YAAY,OAAO,gBADzB,oBAAoB,SAAS;AAEhD,iBAAe,aAAa;GAC3B,OAAO;GACP,QAAQ;GACR,SAAS,OAAO,QAAQ;IAOvB,MAAM,UAAkC,EAAE;AAC1C,QAAI,QAAQ,QAAQ,SAAS,OAAO,SAAS;AAC5C,aAAQ,QAAQ;MACf;IACF,MAAM,eAAe;KACpB,KAAK,IAAI,QAAQ;KACjB,QAAQ,IAAI,QAAQ;KACpB;KACA;IACD,MAAM,WAAW;KAChB,OAAO,IAAI;KACX,SAAS;KACT,aAAa,IAAI;KACjB;IACD,MAAM,EAAE,OAAO,GAAG,SAAS,IAAI,aAAa,KAAK,GAAG,cAAc;AAClE,WAAO,QAAQ,UAAU,UAAU;;GAEpC;;CASH,MAAM,kBAAkB,WAAW,gBAAgB,EAAE;AACrD,MAAK,MAAM,OAAO,gBACjB,KAAI,CAAC,uBAAuB,IAAI,IAAI,CACnC,OAAM,IAAI,MACT,uBAAuB,IAAI,eAAe,SAAS,yBAC3B,CAAC,GAAG,uBAAuB,CAAC,KAAK,KAAK,GAC9D;CAQH,MAAM,eAAe,sBAAsB,gBAAgB;CAC3D,MAAM,eAAe,WAAW,gBAAgB,EAAE;AAKlD,KAAI,aAAa,SAAS,gBAAgB,IAAI,CAAC,aAAa,SAAS,eAAe,CACnF,cAAa,KAAK,eAAe;AAElC,KAAI,aAAa,SAAS,cAAc,IAAI,CAAC,aAAa,SAAS,aAAa,CAC/E,cAAa,KAAK,aAAa;AAEhC,KACC,aAAa,SAAS,+BAA+B,IACrD,CAAC,aAAa,SAAS,kBAAkB,CAEzC,cAAa,KAAK,kBAAkB;CAMrC,MAAM,aAAa,WAAW,WAAW,EAAE;CAC3C,MAAM,UAA+B,EAAE;AACvC,MAAK,MAAM,CAAC,MAAM,WAAW,OAAO,QAAQ,WAAW,CACtD,SAAQ,QAAQ;EACf,SAAS,OAAO,WAAW,EAAE;EAC7B,eAAe,OAAO;EACtB;CAIF,MAAM,QAA2B,EAAE;AACnC,KAAI,WAAW,WACd,OAAM,QAAQ,WAAW;AAE1B,KAAI,WAAW,aACd,OAAM,UAAU,WAAW;AAG5B,QAAO;EACN,IAAI;EACJ;EACA;EACA;EACA;EACA,OAAO;EACP,QAAQ;EACR;EACA"}

package/dist/{preview-C1LOEbWZ.mjs → preview-D4z0WONU.mjs}

@@ -1,4 +1,4 @@
-import { t as generatePreviewToken } from "./tokens-DILYNZMi.mjs";
+import { t as generatePreviewToken } from "./tokens-N8otWMmj.mjs";
 
 //#region src/preview/urls.ts
 /**
@@ -104,4 +104,4 @@ function getPreviewToken(url) {
 
 //#endregion
 export { getPreviewUrl as i, isPreviewRequest as n, buildPreviewUrl as r, getPreviewToken as t };
-//# sourceMappingURL=preview-C1LOEbWZ.mjs.map
+//# sourceMappingURL=preview-D4z0WONU.mjs.map

package/dist/{preview-C1LOEbWZ.mjs.map → preview-D4z0WONU.mjs.map}

@@ -1 +1 @@
-{"version":3,"file":"preview-C1LOEbWZ.mjs","names":[],"sources":["../src/preview/urls.ts","../src/preview/helpers.ts"],"sourcesContent":["/**\n * Preview URL generation\n *\n * Creates preview URLs that include a signed token for accessing draft content.\n */\n\nimport { generatePreviewToken } from \"./tokens.js\";\n\nconst REPEATED_SLASHES = /\\/{2,}/g;\n\n/**\n * Options for generating a preview URL\n */\nexport interface GetPreviewUrlOptions {\n\t/** Collection slug (e.g., \"posts\") */\n\tcollection: string;\n\t/** Content ID or slug */\n\tid: string;\n\t/** Secret key for signing the token */\n\tsecret: string;\n\t/** How long the preview URL is valid. Default: \"1h\" */\n\texpiresIn?: string | number;\n\t/** Base URL of the site. If not provided, returns a relative URL. */\n\tbaseUrl?: string;\n\t/**\n\t * Custom path pattern. Supports `{collection}`, `{id}` and `{locale}`\n\t * placeholders. Default: `\"/{collection}/{id}\"`.\n\t */\n\tpathPattern?: string;\n\t/**\n\t * Locale segment substituted for the `{locale}` placeholder in `pathPattern`.\n\t * Pass an empty string to omit the locale prefix (e.g. for the default locale\n\t * when `prefixDefaultLocale` is `false`); adjacent slashes left by an empty\n\t * value are collapsed and any trailing slash is trimmed.\n\t */\n\tlocale?: string;\n}\n\n/**\n * Generate a preview URL for content\n *\n * The URL includes a `_preview` query parameter with a signed token.\n *\n * @example\n * ```ts\n * const url = await getPreviewUrl({\n *   collection: \"posts\",\n *   id: \"hello-world\",\n *   secret: process.env.PREVIEW_SECRET!,\n * });\n * // Returns: /posts/hello-world?_preview=eyJj...\n *\n * // With base URL:\n * const fullUrl = await getPreviewUrl({\n *   collection: \"posts\",\n *   id: \"hello-world\",\n *   secret: process.env.PREVIEW_SECRET!,\n *   baseUrl: \"https://example.com\",\n * });\n * // Returns: https://example.com/posts/hello-world?_preview=eyJj...\n *\n * // Custom path pattern:\n * const customUrl = await getPreviewUrl({\n *   collection: \"posts\",\n *   id: \"hello-world\",\n *   secret: process.env.PREVIEW_SECRET!,\n *   pathPattern: \"/blog/{id}\",\n * });\n * // Returns: /blog/hello-world?_preview=eyJj...\n * ```\n */\nexport async function getPreviewUrl(options: GetPreviewUrlOptions): Promise<string> {\n\tconst {\n\t\tcollection,\n\t\tid,\n\t\tsecret,\n\t\texpiresIn = \"1h\",\n\t\tbaseUrl,\n\t\tpathPattern = \"/{collection}/{id}\",\n\t\tlocale = \"\",\n\t} = options;\n\n\t// Generate the signed token\n\tconst token = await generatePreviewToken({\n\t\tcontentId: `${collection}:${id}`,\n\t\texpiresIn,\n\t\tsecret,\n\t});\n\n\t// Build the path. `{locale}` may resolve to an empty string (default locale\n\t// without a prefix); collapse the resulting double slashes and trim a\n\t// trailing slash so the URL stays clean.\n\tlet path = pathPattern\n\t\t.replace(\"{collection}\", collection)\n\t\t.replace(\"{id}\", id)\n\t\t.replace(\"{locale}\", locale);\n\tpath = path.replace(REPEATED_SLASHES, \"/\");\n\tif (path.length > 1 && path.endsWith(\"/\")) path = path.slice(0, -1);\n\n\t// Add token as query parameter\n\tconst url = new URL(path, baseUrl || \"http://placeholder\");\n\turl.searchParams.set(\"_preview\", token);\n\n\t// Return relative URL if no baseUrl provided\n\tif (!baseUrl) {\n\t\treturn `${url.pathname}${url.search}`;\n\t}\n\n\treturn url.toString();\n}\n\n/**\n * Build a preview URL from a token (when you already have the token)\n *\n * @example\n * ```ts\n * const url = buildPreviewUrl({\n *   path: \"/posts/hello-world\",\n *   token: existingToken,\n * });\n * ```\n */\nexport function buildPreviewUrl(options: {\n\tpath: string;\n\ttoken: string;\n\tbaseUrl?: string;\n}): string {\n\tconst { path, token, baseUrl } = options;\n\n\tconst url = new URL(path, baseUrl || \"http://placeholder\");\n\turl.searchParams.set(\"_preview\", token);\n\n\tif (!baseUrl) {\n\t\treturn `${url.pathname}${url.search}`;\n\t}\n\n\treturn url.toString();\n}\n","/**\n * Preview helpers for Astro pages\n */\n\n/**\n * Check if a request is a preview request\n *\n * @example\n * ```ts\n * const isPreview = isPreviewRequest(Astro.url);\n * ```\n */\nexport function isPreviewRequest(url: URL): boolean {\n\treturn url.searchParams.has(\"_preview\");\n}\n\n/**\n * Get the preview token from a URL\n *\n * @example\n * ```ts\n * const token = getPreviewToken(Astro.url);\n * ```\n */\nexport function getPreviewToken(url: URL): string | null {\n\treturn url.searchParams.get(\"_preview\");\n}\n"],"mappings":";;;;;;;;AAQA,MAAM,mBAAmB;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AA+DzB,eAAsB,cAAc,SAAgD;CACnF,MAAM,EACL,YACA,IACA,QACA,YAAY,MACZ,SACA,cAAc,sBACd,SAAS,OACN;CAGJ,MAAM,QAAQ,MAAM,qBAAqB;EACxC,WAAW,GAAG,WAAW,GAAG;EAC5B;EACA;EACA,CAAC;CAKF,IAAI,OAAO,YACT,QAAQ,gBAAgB,WAAW,CACnC,QAAQ,QAAQ,GAAG,CACnB,QAAQ,YAAY,OAAO;AAC7B,QAAO,KAAK,QAAQ,kBAAkB,IAAI;AAC1C,KAAI,KAAK,SAAS,KAAK,KAAK,SAAS,IAAI,CAAE,QAAO,KAAK,MAAM,GAAG,GAAG;CAGnE,MAAM,MAAM,IAAI,IAAI,MAAM,WAAW,qBAAqB;AAC1D,KAAI,aAAa,IAAI,YAAY,MAAM;AAGvC,KAAI,CAAC,QACJ,QAAO,GAAG,IAAI,WAAW,IAAI;AAG9B,QAAO,IAAI,UAAU;;;;;;;;;;;;;AActB,SAAgB,gBAAgB,SAIrB;CACV,MAAM,EAAE,MAAM,OAAO,YAAY;CAEjC,MAAM,MAAM,IAAI,IAAI,MAAM,WAAW,qBAAqB;AAC1D,KAAI,aAAa,IAAI,YAAY,MAAM;AAEvC,KAAI,CAAC,QACJ,QAAO,GAAG,IAAI,WAAW,IAAI;AAG9B,QAAO,IAAI,UAAU;;;;;;;;;;;;;;;;AC5HtB,SAAgB,iBAAiB,KAAmB;AACnD,QAAO,IAAI,aAAa,IAAI,WAAW;;;;;;;;;;AAWxC,SAAgB,gBAAgB,KAAyB;AACxD,QAAO,IAAI,aAAa,IAAI,WAAW"}
+{"version":3,"file":"preview-D4z0WONU.mjs","names":[],"sources":["../src/preview/urls.ts","../src/preview/helpers.ts"],"sourcesContent":["/**\n * Preview URL generation\n *\n * Creates preview URLs that include a signed token for accessing draft content.\n */\n\nimport { generatePreviewToken } from \"./tokens.js\";\n\nconst REPEATED_SLASHES = /\\/{2,}/g;\n\n/**\n * Options for generating a preview URL\n */\nexport interface GetPreviewUrlOptions {\n\t/** Collection slug (e.g., \"posts\") */\n\tcollection: string;\n\t/** Content ID or slug */\n\tid: string;\n\t/** Secret key for signing the token */\n\tsecret: string;\n\t/** How long the preview URL is valid. Default: \"1h\" */\n\texpiresIn?: string | number;\n\t/** Base URL of the site. If not provided, returns a relative URL. */\n\tbaseUrl?: string;\n\t/**\n\t * Custom path pattern. Supports `{collection}`, `{id}` and `{locale}`\n\t * placeholders. Default: `\"/{collection}/{id}\"`.\n\t */\n\tpathPattern?: string;\n\t/**\n\t * Locale segment substituted for the `{locale}` placeholder in `pathPattern`.\n\t * Pass an empty string to omit the locale prefix (e.g. for the default locale\n\t * when `prefixDefaultLocale` is `false`); adjacent slashes left by an empty\n\t * value are collapsed and any trailing slash is trimmed.\n\t */\n\tlocale?: string;\n}\n\n/**\n * Generate a preview URL for content\n *\n * The URL includes a `_preview` query parameter with a signed token.\n *\n * @example\n * ```ts\n * const url = await getPreviewUrl({\n *   collection: \"posts\",\n *   id: \"hello-world\",\n *   secret: process.env.PREVIEW_SECRET!,\n * });\n * // Returns: /posts/hello-world?_preview=eyJj...\n *\n * // With base URL:\n * const fullUrl = await getPreviewUrl({\n *   collection: \"posts\",\n *   id: \"hello-world\",\n *   secret: process.env.PREVIEW_SECRET!,\n *   baseUrl: \"https://example.com\",\n * });\n * // Returns: https://example.com/posts/hello-world?_preview=eyJj...\n *\n * // Custom path pattern:\n * const customUrl = await getPreviewUrl({\n *   collection: \"posts\",\n *   id: \"hello-world\",\n *   secret: process.env.PREVIEW_SECRET!,\n *   pathPattern: \"/blog/{id}\",\n * });\n * // Returns: /blog/hello-world?_preview=eyJj...\n * ```\n */\nexport async function getPreviewUrl(options: GetPreviewUrlOptions): Promise<string> {\n\tconst {\n\t\tcollection,\n\t\tid,\n\t\tsecret,\n\t\texpiresIn = \"1h\",\n\t\tbaseUrl,\n\t\tpathPattern = \"/{collection}/{id}\",\n\t\tlocale = \"\",\n\t} = options;\n\n\t// Generate the signed token\n\tconst token = await generatePreviewToken({\n\t\tcontentId: `${collection}:${id}`,\n\t\texpiresIn,\n\t\tsecret,\n\t});\n\n\t// Build the path. `{locale}` may resolve to an empty string (default locale\n\t// without a prefix); collapse the resulting double slashes and trim a\n\t// trailing slash so the URL stays clean.\n\tlet path = pathPattern\n\t\t.replace(\"{collection}\", collection)\n\t\t.replace(\"{id}\", id)\n\t\t.replace(\"{locale}\", locale);\n\tpath = path.replace(REPEATED_SLASHES, \"/\");\n\tif (path.length > 1 && path.endsWith(\"/\")) path = path.slice(0, -1);\n\n\t// Add token as query parameter\n\tconst url = new URL(path, baseUrl || \"http://placeholder\");\n\turl.searchParams.set(\"_preview\", token);\n\n\t// Return relative URL if no baseUrl provided\n\tif (!baseUrl) {\n\t\treturn `${url.pathname}${url.search}`;\n\t}\n\n\treturn url.toString();\n}\n\n/**\n * Build a preview URL from a token (when you already have the token)\n *\n * @example\n * ```ts\n * const url = buildPreviewUrl({\n *   path: \"/posts/hello-world\",\n *   token: existingToken,\n * });\n * ```\n */\nexport function buildPreviewUrl(options: {\n\tpath: string;\n\ttoken: string;\n\tbaseUrl?: string;\n}): string {\n\tconst { path, token, baseUrl } = options;\n\n\tconst url = new URL(path, baseUrl || \"http://placeholder\");\n\turl.searchParams.set(\"_preview\", token);\n\n\tif (!baseUrl) {\n\t\treturn `${url.pathname}${url.search}`;\n\t}\n\n\treturn url.toString();\n}\n","/**\n * Preview helpers for Astro pages\n */\n\n/**\n * Check if a request is a preview request\n *\n * @example\n * ```ts\n * const isPreview = isPreviewRequest(Astro.url);\n * ```\n */\nexport function isPreviewRequest(url: URL): boolean {\n\treturn url.searchParams.has(\"_preview\");\n}\n\n/**\n * Get the preview token from a URL\n *\n * @example\n * ```ts\n * const token = getPreviewToken(Astro.url);\n * ```\n */\nexport function getPreviewToken(url: URL): string | null {\n\treturn url.searchParams.get(\"_preview\");\n}\n"],"mappings":";;;;;;;;AAQA,MAAM,mBAAmB;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AA+DzB,eAAsB,cAAc,SAAgD;CACnF,MAAM,EACL,YACA,IACA,QACA,YAAY,MACZ,SACA,cAAc,sBACd,SAAS,OACN;CAGJ,MAAM,QAAQ,MAAM,qBAAqB;EACxC,WAAW,GAAG,WAAW,GAAG;EAC5B;EACA;EACA,CAAC;CAKF,IAAI,OAAO,YACT,QAAQ,gBAAgB,WAAW,CACnC,QAAQ,QAAQ,GAAG,CACnB,QAAQ,YAAY,OAAO;AAC7B,QAAO,KAAK,QAAQ,kBAAkB,IAAI;AAC1C,KAAI,KAAK,SAAS,KAAK,KAAK,SAAS,IAAI,CAAE,QAAO,KAAK,MAAM,GAAG,GAAG;CAGnE,MAAM,MAAM,IAAI,IAAI,MAAM,WAAW,qBAAqB;AAC1D,KAAI,aAAa,IAAI,YAAY,MAAM;AAGvC,KAAI,CAAC,QACJ,QAAO,GAAG,IAAI,WAAW,IAAI;AAG9B,QAAO,IAAI,UAAU;;;;;;;;;;;;;AActB,SAAgB,gBAAgB,SAIrB;CACV,MAAM,EAAE,MAAM,OAAO,YAAY;CAEjC,MAAM,MAAM,IAAI,IAAI,MAAM,WAAW,qBAAqB;AAC1D,KAAI,aAAa,IAAI,YAAY,MAAM;AAEvC,KAAI,CAAC,QACJ,QAAO,GAAG,IAAI,WAAW,IAAI;AAG9B,QAAO,IAAI,UAAU;;;;;;;;;;;;;;;;AC5HtB,SAAgB,iBAAiB,KAAmB;AACnD,QAAO,IAAI,aAAa,IAAI,WAAW;;;;;;;;;;AAWxC,SAAgB,gBAAgB,KAAyB;AACxD,QAAO,IAAI,aAAa,IAAI,WAAW"}