emdash 0.17.2 → 0.19.0

package/dist/{oauth-authorization-DvBAL75d.mjs.map → oauth-authorization-1aPAYjiC.mjs.map}

@@ -1 +1 @@
-{"version":3,"file":"oauth-authorization-DvBAL75d.mjs","names":[],"sources":["../src/api/handlers/oauth-authorization.ts"],"sourcesContent":["/**\n * OAuth 2.1 Authorization Code + PKCE handlers.\n *\n * Implements the server side of the authorization code grant for MCP clients\n * (Claude Desktop, VS Code, etc.) per the MCP authorization spec (draft).\n *\n * Uses arctic for PKCE challenge generation and @emdash-cms/auth for token\n * utilities. Token infrastructure is shared with the device flow.\n */\n\nimport { clampScopes, computeS256Challenge, secureCompare } from \"@emdash-cms/auth\";\nimport type { RoleLevel } from \"@emdash-cms/auth\";\nimport { generateCodeVerifier } from \"arctic\";\nimport type { Kysely } from \"kysely\";\n\nimport {\n\tgeneratePrefixedToken,\n\thashApiToken,\n\tTOKEN_PREFIXES,\n\tVALID_SCOPES,\n} from \"../../auth/api-tokens.js\";\nimport { withTransaction } from \"../../database/transaction.js\";\nimport type { Database } from \"../../database/types.js\";\nimport { validateRedirectUri } from \"../oauth/redirect-uri.js\";\nimport type { ApiResult } from \"../types.js\";\nimport { lookupOAuthClient, validateClientRedirectUri } from \"./oauth-clients.js\";\nimport { lookupUserRoleAndStatus } from \"./oauth-user-lookup.js\";\n\n// ---------------------------------------------------------------------------\n// Constants\n// ---------------------------------------------------------------------------\n\n/** Authorization codes expire after 10 minutes (RFC 6749 §4.1.2 recommends short-lived) */\nconst AUTH_CODE_TTL_SECONDS = 10 * 60;\n\n/** Access token TTL: 1 hour */\nconst ACCESS_TOKEN_TTL_SECONDS = 60 * 60;\n\n/** Refresh token TTL: 90 days */\nconst REFRESH_TOKEN_TTL_SECONDS = 90 * 24 * 60 * 60;\n\n// ---------------------------------------------------------------------------\n// Types\n// ---------------------------------------------------------------------------\n\nexport interface AuthorizationParams {\n\tresponse_type: string;\n\tclient_id: string;\n\tredirect_uri: string;\n\tscope?: string;\n\tstate?: string;\n\tcode_challenge: string;\n\tcode_challenge_method: string;\n\tresource?: string;\n}\n\nexport interface TokenExchangeParams {\n\tgrant_type: string;\n\tcode: string;\n\tredirect_uri: string;\n\tclient_id: string;\n\tcode_verifier: string;\n\tresource?: string;\n}\n\nexport interface TokenResponse {\n\taccess_token: string;\n\trefresh_token: string;\n\ttoken_type: \"Bearer\";\n\texpires_in: number;\n\tscope: string;\n}\n\n// ---------------------------------------------------------------------------\n// Helpers\n// ---------------------------------------------------------------------------\n\nfunction expiresAt(seconds: number): string {\n\treturn new Date(Date.now() + seconds * 1000).toISOString();\n}\n\nexport { validateRedirectUri };\n\n/**\n * Validate and normalize scopes. Returns validated scope list.\n */\nfunction normalizeScopes(requested?: string): string[] {\n\tif (!requested) return [];\n\n\tconst validSet = new Set<string>(VALID_SCOPES);\n\tconst scopes = requested\n\t\t.split(\" \")\n\t\t.filter(Boolean)\n\t\t.filter((s) => validSet.has(s));\n\n\treturn scopes;\n}\n\n// ---------------------------------------------------------------------------\n// Handlers\n// ---------------------------------------------------------------------------\n\n/**\n * Process an authorization request after the user approves consent.\n *\n * Generates an authorization code, stores it with the PKCE challenge,\n * and returns the redirect URL with the code appended.\n *\n * Scopes are clamped to the user's role to prevent scope escalation.\n */\nexport async function handleAuthorizationApproval(\n\tdb: Kysely<Database>,\n\tuserId: string,\n\tuserRole: RoleLevel,\n\tparams: AuthorizationParams,\n): Promise<ApiResult<{ redirect_url: string }>> {\n\ttry {\n\t\t// Validate response_type\n\t\tif (params.response_type !== \"code\") {\n\t\t\treturn {\n\t\t\t\tsuccess: false,\n\t\t\t\terror: {\n\t\t\t\t\tcode: \"UNSUPPORTED_RESPONSE_TYPE\",\n\t\t\t\t\tmessage: \"Only response_type=code is supported\",\n\t\t\t\t},\n\t\t\t};\n\t\t}\n\n\t\t// Validate redirect_uri scheme/host (basic security check)\n\t\tconst uriError = validateRedirectUri(params.redirect_uri);\n\t\tif (uriError) {\n\t\t\treturn {\n\t\t\t\tsuccess: false,\n\t\t\t\terror: { code: \"INVALID_REDIRECT_URI\", message: uriError },\n\t\t\t};\n\t\t}\n\n\t\t// Look up the registered OAuth client\n\t\tconst client = await lookupOAuthClient(db, params.client_id);\n\t\tif (!client) {\n\t\t\treturn {\n\t\t\t\tsuccess: false,\n\t\t\t\terror: {\n\t\t\t\t\tcode: \"INVALID_CLIENT\",\n\t\t\t\t\tmessage: \"Unknown client_id\",\n\t\t\t\t},\n\t\t\t};\n\t\t}\n\n\t\t// Validate redirect_uri against client's registered URIs\n\t\tconst clientUriError = validateClientRedirectUri(params.redirect_uri, client.redirectUris);\n\t\tif (clientUriError) {\n\t\t\treturn {\n\t\t\t\tsuccess: false,\n\t\t\t\terror: { code: \"INVALID_REDIRECT_URI\", message: clientUriError },\n\t\t\t};\n\t\t}\n\n\t\t// Validate code_challenge_method\n\t\tif (params.code_challenge_method !== \"S256\") {\n\t\t\treturn {\n\t\t\t\tsuccess: false,\n\t\t\t\terror: {\n\t\t\t\t\tcode: \"INVALID_REQUEST\",\n\t\t\t\t\tmessage: \"Only S256 code_challenge_method is supported\",\n\t\t\t\t},\n\t\t\t};\n\t\t}\n\n\t\t// Validate code_challenge is present\n\t\tif (!params.code_challenge) {\n\t\t\treturn {\n\t\t\t\tsuccess: false,\n\t\t\t\terror: { code: \"INVALID_REQUEST\", message: \"code_challenge is required\" },\n\t\t\t};\n\t\t}\n\n\t\t// Validate scopes, then clamp to user's role\n\t\tconst userScopes = clampScopes(normalizeScopes(params.scope), userRole);\n\n\t\t// SEC-41: Intersect with client's registered scopes (if restricted).\n\t\t// A client registered with scopes: [\"content:read\"] should never receive\n\t\t// admin or schema:write, regardless of the approving user's role.\n\t\tconst clientScopes = client.scopes;\n\t\tconst scopes = clientScopes?.length\n\t\t\t? userScopes.filter((s: string) => clientScopes.includes(s))\n\t\t\t: userScopes;\n\n\t\tif (scopes.length === 0) {\n\t\t\treturn {\n\t\t\t\tsuccess: false,\n\t\t\t\terror: { code: \"INVALID_SCOPE\", message: \"No valid scopes requested\" },\n\t\t\t};\n\t\t}\n\n\t\t// Generate authorization code (high entropy, base64url)\n\t\tconst code = generateCodeVerifier(); // 32 bytes random, base64url\n\t\tconst codeHash = hashApiToken(code);\n\n\t\t// Store the authorization code\n\t\tawait db\n\t\t\t.insertInto(\"_emdash_authorization_codes\")\n\t\t\t.values({\n\t\t\t\tcode_hash: codeHash,\n\t\t\t\tclient_id: params.client_id,\n\t\t\t\tredirect_uri: params.redirect_uri,\n\t\t\t\tuser_id: userId,\n\t\t\t\tscopes: JSON.stringify(scopes),\n\t\t\t\tcode_challenge: params.code_challenge,\n\t\t\t\tcode_challenge_method: params.code_challenge_method,\n\t\t\t\tresource: params.resource ?? null,\n\t\t\t\texpires_at: expiresAt(AUTH_CODE_TTL_SECONDS),\n\t\t\t})\n\t\t\t.execute();\n\n\t\t// Build the redirect URL\n\t\tconst redirectUrl = new URL(params.redirect_uri);\n\t\tredirectUrl.searchParams.set(\"code\", code);\n\t\tif (params.state) {\n\t\t\tredirectUrl.searchParams.set(\"state\", params.state);\n\t\t}\n\n\t\treturn {\n\t\t\tsuccess: true,\n\t\t\tdata: { redirect_url: redirectUrl.toString() },\n\t\t};\n\t} catch (error) {\n\t\tconsole.error(\"Authorization error:\", error);\n\t\treturn {\n\t\t\tsuccess: false,\n\t\t\terror: {\n\t\t\t\tcode: \"AUTHORIZATION_ERROR\",\n\t\t\t\tmessage: \"Failed to process authorization\",\n\t\t\t},\n\t\t};\n\t}\n}\n\n/**\n * Exchange an authorization code for access + refresh tokens.\n *\n * Validates the code, verifies PKCE, and issues tokens using the same\n * infrastructure as the device flow (ec_oat_*, ec_ort_*).\n */\nexport async function handleAuthorizationCodeExchange(\n\tdb: Kysely<Database>,\n\tparams: TokenExchangeParams,\n): Promise<ApiResult<TokenResponse>> {\n\ttry {\n\t\t// Validate grant_type\n\t\tif (params.grant_type !== \"authorization_code\") {\n\t\t\treturn {\n\t\t\t\tsuccess: false,\n\t\t\t\terror: { code: \"unsupported_grant_type\", message: \"Invalid grant_type\" },\n\t\t\t};\n\t\t}\n\n\t\t// SEC-39: Atomically consume the authorization code using DELETE...RETURNING.\n\t\t// This prevents TOCTOU double-exchange: two concurrent requests with the\n\t\t// same code will race on the DELETE, and only one will get a row back.\n\t\tconst codeHash = hashApiToken(params.code);\n\n\t\tconst row = await db\n\t\t\t.deleteFrom(\"_emdash_authorization_codes\")\n\t\t\t.where(\"code_hash\", \"=\", codeHash)\n\t\t\t.returningAll()\n\t\t\t.executeTakeFirst();\n\n\t\tif (!row) {\n\t\t\treturn {\n\t\t\t\tsuccess: false,\n\t\t\t\terror: { code: \"invalid_grant\", message: \"Invalid authorization code\" },\n\t\t\t};\n\t\t}\n\n\t\t// Check expiry\n\t\tif (new Date(row.expires_at) < new Date()) {\n\t\t\treturn {\n\t\t\t\tsuccess: false,\n\t\t\t\terror: { code: \"invalid_grant\", message: \"Authorization code expired\" },\n\t\t\t};\n\t\t}\n\n\t\t// Verify redirect_uri matches exactly\n\t\tif (row.redirect_uri !== params.redirect_uri) {\n\t\t\treturn {\n\t\t\t\tsuccess: false,\n\t\t\t\terror: { code: \"invalid_grant\", message: \"redirect_uri mismatch\" },\n\t\t\t};\n\t\t}\n\n\t\t// Verify client_id matches\n\t\tif (row.client_id !== params.client_id) {\n\t\t\treturn {\n\t\t\t\tsuccess: false,\n\t\t\t\terror: { code: \"invalid_grant\", message: \"client_id mismatch\" },\n\t\t\t};\n\t\t}\n\n\t\t// PKCE verification: SHA256(code_verifier) must match stored code_challenge\n\t\t// Use constant-time comparison to prevent timing side-channels\n\t\tconst derivedChallenge = computeS256Challenge(params.code_verifier);\n\t\tif (!secureCompare(derivedChallenge, row.code_challenge)) {\n\t\t\treturn {\n\t\t\t\tsuccess: false,\n\t\t\t\terror: { code: \"invalid_grant\", message: \"PKCE verification failed\" },\n\t\t\t};\n\t\t}\n\n\t\t// Verify resource matches (if stored)\n\t\tif (row.resource && params.resource && row.resource !== params.resource) {\n\t\t\treturn {\n\t\t\t\tsuccess: false,\n\t\t\t\terror: { code: \"invalid_grant\", message: \"resource mismatch\" },\n\t\t\t};\n\t\t}\n\n\t\t// Revalidate user role before issuing tokens (same pattern as handleTokenRefresh).\n\t\t// The user's role may have changed since the authorization code was issued.\n\t\tconst userInfo = await lookupUserRoleAndStatus(db, row.user_id);\n\t\tif (!userInfo) {\n\t\t\treturn {\n\t\t\t\tsuccess: false,\n\t\t\t\terror: { code: \"invalid_grant\", message: \"User not found\" },\n\t\t\t};\n\t\t}\n\n\t\tif (userInfo.disabled) {\n\t\t\treturn {\n\t\t\t\tsuccess: false,\n\t\t\t\terror: { code: \"invalid_grant\", message: \"User account is disabled\" },\n\t\t\t};\n\t\t}\n\n\t\t// Re-clamp scopes against the user's current role\n\t\tconst storedScopes = JSON.parse(row.scopes) as string[];\n\t\tlet scopes = clampScopes(storedScopes, userInfo.role);\n\n\t\t// Intersect with client's registered scopes (if restricted)\n\t\tconst client = await lookupOAuthClient(db, row.client_id);\n\t\tif (client?.scopes?.length) {\n\t\t\tscopes = scopes.filter((s: string) => client.scopes!.includes(s));\n\t\t}\n\n\t\tif (scopes.length === 0) {\n\t\t\treturn {\n\t\t\t\tsuccess: false,\n\t\t\t\terror: {\n\t\t\t\t\tcode: \"invalid_grant\",\n\t\t\t\t\tmessage: \"User role no longer supports any of the requested scopes\",\n\t\t\t\t},\n\t\t\t};\n\t\t}\n\n\t\t// Issue tokens (same as device flow)\n\t\tconst accessToken = generatePrefixedToken(TOKEN_PREFIXES.OAUTH_ACCESS);\n\t\tconst accessExpires = expiresAt(ACCESS_TOKEN_TTL_SECONDS);\n\n\t\tconst refreshToken = generatePrefixedToken(TOKEN_PREFIXES.OAUTH_REFRESH);\n\t\tconst refreshExpires = expiresAt(REFRESH_TOKEN_TTL_SECONDS);\n\n\t\t// Atomically store both tokens in a transaction\n\t\tawait withTransaction(db, async (trx) => {\n\t\t\tawait trx\n\t\t\t\t.insertInto(\"_emdash_oauth_tokens\")\n\t\t\t\t.values({\n\t\t\t\t\ttoken_hash: accessToken.hash,\n\t\t\t\t\ttoken_type: \"access\",\n\t\t\t\t\tuser_id: row.user_id,\n\t\t\t\t\tscopes: JSON.stringify(scopes),\n\t\t\t\t\tclient_type: \"mcp\",\n\t\t\t\t\texpires_at: accessExpires,\n\t\t\t\t\trefresh_token_hash: refreshToken.hash,\n\t\t\t\t\tclient_id: row.client_id,\n\t\t\t\t})\n\t\t\t\t.execute();\n\n\t\t\tawait trx\n\t\t\t\t.insertInto(\"_emdash_oauth_tokens\")\n\t\t\t\t.values({\n\t\t\t\t\ttoken_hash: refreshToken.hash,\n\t\t\t\t\ttoken_type: \"refresh\",\n\t\t\t\t\tuser_id: row.user_id,\n\t\t\t\t\tscopes: JSON.stringify(scopes),\n\t\t\t\t\tclient_type: \"mcp\",\n\t\t\t\t\texpires_at: refreshExpires,\n\t\t\t\t\trefresh_token_hash: null,\n\t\t\t\t\tclient_id: row.client_id,\n\t\t\t\t})\n\t\t\t\t.execute();\n\t\t});\n\n\t\treturn {\n\t\t\tsuccess: true,\n\t\t\tdata: {\n\t\t\t\taccess_token: accessToken.raw,\n\t\t\t\trefresh_token: refreshToken.raw,\n\t\t\t\ttoken_type: \"Bearer\",\n\t\t\t\texpires_in: ACCESS_TOKEN_TTL_SECONDS,\n\t\t\t\tscope: scopes.join(\" \"),\n\t\t\t},\n\t\t};\n\t} catch (error) {\n\t\tconsole.error(\"Token exchange error:\", error);\n\t\treturn {\n\t\t\tsuccess: false,\n\t\t\terror: {\n\t\t\t\tcode: \"TOKEN_EXCHANGE_ERROR\",\n\t\t\t\tmessage: \"Failed to exchange authorization code\",\n\t\t\t},\n\t\t};\n\t}\n}\n\n/**\n * Build the authorization denied redirect URL.\n */\nexport function buildDeniedRedirect(redirectUri: string, state?: string): string {\n\tconst url = new URL(redirectUri);\n\turl.searchParams.set(\"error\", \"access_denied\");\n\turl.searchParams.set(\"error_description\", \"The user denied the authorization request\");\n\tif (state) {\n\t\turl.searchParams.set(\"state\", state);\n\t}\n\treturn url.toString();\n}\n\n/**\n * Clean up expired authorization codes.\n */\nexport async function cleanupExpiredAuthorizationCodes(db: Kysely<Database>): Promise<number> {\n\tconst result = await db\n\t\t.deleteFrom(\"_emdash_authorization_codes\")\n\t\t.where(\"expires_at\", \"<\", new Date().toISOString())\n\t\t.executeTakeFirst();\n\n\treturn Number(result.numDeletedRows);\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;AAiCA,MAAM,wBAAwB;;AAG9B,MAAM,2BAA2B;;AAGjC,MAAM,4BAA4B,OAAU,KAAK;AAsCjD,SAAS,UAAU,SAAyB;AAC3C,QAAO,IAAI,KAAK,KAAK,KAAK,GAAG,UAAU,IAAK,CAAC,aAAa;;;;;AAQ3D,SAAS,gBAAgB,WAA8B;AACtD,KAAI,CAAC,UAAW,QAAO,EAAE;CAEzB,MAAM,WAAW,IAAI,IAAY,aAAa;AAM9C,QALe,UACb,MAAM,IAAI,CACV,OAAO,QAAQ,CACf,QAAQ,MAAM,SAAS,IAAI,EAAE,CAAC;;;;;;;;;;AAiBjC,eAAsB,4BACrB,IACA,QACA,UACA,QAC+C;AAC/C,KAAI;AAEH,MAAI,OAAO,kBAAkB,OAC5B,QAAO;GACN,SAAS;GACT,OAAO;IACN,MAAM;IACN,SAAS;IACT;GACD;EAIF,MAAM,WAAW,oBAAoB,OAAO,aAAa;AACzD,MAAI,SACH,QAAO;GACN,SAAS;GACT,OAAO;IAAE,MAAM;IAAwB,SAAS;IAAU;GAC1D;EAIF,MAAM,SAAS,MAAM,kBAAkB,IAAI,OAAO,UAAU;AAC5D,MAAI,CAAC,OACJ,QAAO;GACN,SAAS;GACT,OAAO;IACN,MAAM;IACN,SAAS;IACT;GACD;EAIF,MAAM,iBAAiB,0BAA0B,OAAO,cAAc,OAAO,aAAa;AAC1F,MAAI,eACH,QAAO;GACN,SAAS;GACT,OAAO;IAAE,MAAM;IAAwB,SAAS;IAAgB;GAChE;AAIF,MAAI,OAAO,0BAA0B,OACpC,QAAO;GACN,SAAS;GACT,OAAO;IACN,MAAM;IACN,SAAS;IACT;GACD;AAIF,MAAI,CAAC,OAAO,eACX,QAAO;GACN,SAAS;GACT,OAAO;IAAE,MAAM;IAAmB,SAAS;IAA8B;GACzE;EAIF,MAAM,aAAa,YAAY,gBAAgB,OAAO,MAAM,EAAE,SAAS;EAKvE,MAAM,eAAe,OAAO;EAC5B,MAAM,SAAS,cAAc,SAC1B,WAAW,QAAQ,MAAc,aAAa,SAAS,EAAE,CAAC,GAC1D;AAEH,MAAI,OAAO,WAAW,EACrB,QAAO;GACN,SAAS;GACT,OAAO;IAAE,MAAM;IAAiB,SAAS;IAA6B;GACtE;EAIF,MAAM,OAAO,sBAAsB;EACnC,MAAM,WAAW,aAAa,KAAK;AAGnC,QAAM,GACJ,WAAW,8BAA8B,CACzC,OAAO;GACP,WAAW;GACX,WAAW,OAAO;GAClB,cAAc,OAAO;GACrB,SAAS;GACT,QAAQ,KAAK,UAAU,OAAO;GAC9B,gBAAgB,OAAO;GACvB,uBAAuB,OAAO;GAC9B,UAAU,OAAO,YAAY;GAC7B,YAAY,UAAU,sBAAsB;GAC5C,CAAC,CACD,SAAS;EAGX,MAAM,cAAc,IAAI,IAAI,OAAO,aAAa;AAChD,cAAY,aAAa,IAAI,QAAQ,KAAK;AAC1C,MAAI,OAAO,MACV,aAAY,aAAa,IAAI,SAAS,OAAO,MAAM;AAGpD,SAAO;GACN,SAAS;GACT,MAAM,EAAE,cAAc,YAAY,UAAU,EAAE;GAC9C;UACO,OAAO;AACf,UAAQ,MAAM,wBAAwB,MAAM;AAC5C,SAAO;GACN,SAAS;GACT,OAAO;IACN,MAAM;IACN,SAAS;IACT;GACD;;;;;;;;;AAUH,eAAsB,gCACrB,IACA,QACoC;AACpC,KAAI;AAEH,MAAI,OAAO,eAAe,qBACzB,QAAO;GACN,SAAS;GACT,OAAO;IAAE,MAAM;IAA0B,SAAS;IAAsB;GACxE;EAMF,MAAM,WAAW,aAAa,OAAO,KAAK;EAE1C,MAAM,MAAM,MAAM,GAChB,WAAW,8BAA8B,CACzC,MAAM,aAAa,KAAK,SAAS,CACjC,cAAc,CACd,kBAAkB;AAEpB,MAAI,CAAC,IACJ,QAAO;GACN,SAAS;GACT,OAAO;IAAE,MAAM;IAAiB,SAAS;IAA8B;GACvE;AAIF,MAAI,IAAI,KAAK,IAAI,WAAW,mBAAG,IAAI,MAAM,CACxC,QAAO;GACN,SAAS;GACT,OAAO;IAAE,MAAM;IAAiB,SAAS;IAA8B;GACvE;AAIF,MAAI,IAAI,iBAAiB,OAAO,aAC/B,QAAO;GACN,SAAS;GACT,OAAO;IAAE,MAAM;IAAiB,SAAS;IAAyB;GAClE;AAIF,MAAI,IAAI,cAAc,OAAO,UAC5B,QAAO;GACN,SAAS;GACT,OAAO;IAAE,MAAM;IAAiB,SAAS;IAAsB;GAC/D;AAMF,MAAI,CAAC,cADoB,qBAAqB,OAAO,cAAc,EAC9B,IAAI,eAAe,CACvD,QAAO;GACN,SAAS;GACT,OAAO;IAAE,MAAM;IAAiB,SAAS;IAA4B;GACrE;AAIF,MAAI,IAAI,YAAY,OAAO,YAAY,IAAI,aAAa,OAAO,SAC9D,QAAO;GACN,SAAS;GACT,OAAO;IAAE,MAAM;IAAiB,SAAS;IAAqB;GAC9D;EAKF,MAAM,WAAW,MAAM,wBAAwB,IAAI,IAAI,QAAQ;AAC/D,MAAI,CAAC,SACJ,QAAO;GACN,SAAS;GACT,OAAO;IAAE,MAAM;IAAiB,SAAS;IAAkB;GAC3D;AAGF,MAAI,SAAS,SACZ,QAAO;GACN,SAAS;GACT,OAAO;IAAE,MAAM;IAAiB,SAAS;IAA4B;GACrE;EAKF,IAAI,SAAS,YADQ,KAAK,MAAM,IAAI,OAAO,EACJ,SAAS,KAAK;EAGrD,MAAM,SAAS,MAAM,kBAAkB,IAAI,IAAI,UAAU;AACzD,MAAI,QAAQ,QAAQ,OACnB,UAAS,OAAO,QAAQ,MAAc,OAAO,OAAQ,SAAS,EAAE,CAAC;AAGlE,MAAI,OAAO,WAAW,EACrB,QAAO;GACN,SAAS;GACT,OAAO;IACN,MAAM;IACN,SAAS;IACT;GACD;EAIF,MAAM,cAAc,sBAAsB,eAAe,aAAa;EACtE,MAAM,gBAAgB,UAAU,yBAAyB;EAEzD,MAAM,eAAe,sBAAsB,eAAe,cAAc;EACxE,MAAM,iBAAiB,UAAU,0BAA0B;AAG3D,QAAM,gBAAgB,IAAI,OAAO,QAAQ;AACxC,SAAM,IACJ,WAAW,uBAAuB,CAClC,OAAO;IACP,YAAY,YAAY;IACxB,YAAY;IACZ,SAAS,IAAI;IACb,QAAQ,KAAK,UAAU,OAAO;IAC9B,aAAa;IACb,YAAY;IACZ,oBAAoB,aAAa;IACjC,WAAW,IAAI;IACf,CAAC,CACD,SAAS;AAEX,SAAM,IACJ,WAAW,uBAAuB,CAClC,OAAO;IACP,YAAY,aAAa;IACzB,YAAY;IACZ,SAAS,IAAI;IACb,QAAQ,KAAK,UAAU,OAAO;IAC9B,aAAa;IACb,YAAY;IACZ,oBAAoB;IACpB,WAAW,IAAI;IACf,CAAC,CACD,SAAS;IACV;AAEF,SAAO;GACN,SAAS;GACT,MAAM;IACL,cAAc,YAAY;IAC1B,eAAe,aAAa;IAC5B,YAAY;IACZ,YAAY;IACZ,OAAO,OAAO,KAAK,IAAI;IACvB;GACD;UACO,OAAO;AACf,UAAQ,MAAM,yBAAyB,MAAM;AAC7C,SAAO;GACN,SAAS;GACT,OAAO;IACN,MAAM;IACN,SAAS;IACT;GACD;;;;;;AAOH,SAAgB,oBAAoB,aAAqB,OAAwB;CAChF,MAAM,MAAM,IAAI,IAAI,YAAY;AAChC,KAAI,aAAa,IAAI,SAAS,gBAAgB;AAC9C,KAAI,aAAa,IAAI,qBAAqB,4CAA4C;AACtF,KAAI,MACH,KAAI,aAAa,IAAI,SAAS,MAAM;AAErC,QAAO,IAAI,UAAU"}
+{"version":3,"file":"oauth-authorization-1aPAYjiC.mjs","names":[],"sources":["../src/api/handlers/oauth-authorization.ts"],"sourcesContent":["/**\n * OAuth 2.1 Authorization Code + PKCE handlers.\n *\n * Implements the server side of the authorization code grant for MCP clients\n * (Claude Desktop, VS Code, etc.) per the MCP authorization spec (draft).\n *\n * Uses arctic for PKCE challenge generation and @emdash-cms/auth for token\n * utilities. Token infrastructure is shared with the device flow.\n */\n\nimport { clampScopes, computeS256Challenge, secureCompare } from \"@emdash-cms/auth\";\nimport type { RoleLevel } from \"@emdash-cms/auth\";\nimport { generateCodeVerifier } from \"arctic\";\nimport type { Kysely } from \"kysely\";\n\nimport {\n\tgeneratePrefixedToken,\n\thashApiToken,\n\tTOKEN_PREFIXES,\n\tVALID_SCOPES,\n} from \"../../auth/api-tokens.js\";\nimport { withTransaction } from \"../../database/transaction.js\";\nimport type { Database } from \"../../database/types.js\";\nimport { validateRedirectUri } from \"../oauth/redirect-uri.js\";\nimport type { ApiResult } from \"../types.js\";\nimport { lookupOAuthClient, validateClientRedirectUri } from \"./oauth-clients.js\";\nimport { lookupUserRoleAndStatus } from \"./oauth-user-lookup.js\";\n\n// ---------------------------------------------------------------------------\n// Constants\n// ---------------------------------------------------------------------------\n\n/** Authorization codes expire after 10 minutes (RFC 6749 §4.1.2 recommends short-lived) */\nconst AUTH_CODE_TTL_SECONDS = 10 * 60;\n\n/** Access token TTL: 1 hour */\nconst ACCESS_TOKEN_TTL_SECONDS = 60 * 60;\n\n/** Refresh token TTL: 90 days */\nconst REFRESH_TOKEN_TTL_SECONDS = 90 * 24 * 60 * 60;\n\n// ---------------------------------------------------------------------------\n// Types\n// ---------------------------------------------------------------------------\n\nexport interface AuthorizationParams {\n\tresponse_type: string;\n\tclient_id: string;\n\tredirect_uri: string;\n\tscope?: string;\n\tstate?: string;\n\tcode_challenge: string;\n\tcode_challenge_method: string;\n\tresource?: string;\n}\n\nexport interface TokenExchangeParams {\n\tgrant_type: string;\n\tcode: string;\n\tredirect_uri: string;\n\tclient_id: string;\n\tcode_verifier: string;\n\tresource?: string;\n}\n\nexport interface TokenResponse {\n\taccess_token: string;\n\trefresh_token: string;\n\ttoken_type: \"Bearer\";\n\texpires_in: number;\n\tscope: string;\n}\n\n// ---------------------------------------------------------------------------\n// Helpers\n// ---------------------------------------------------------------------------\n\nfunction expiresAt(seconds: number): string {\n\treturn new Date(Date.now() + seconds * 1000).toISOString();\n}\n\nexport { validateRedirectUri };\n\n/**\n * Validate and normalize scopes. Returns validated scope list.\n */\nfunction normalizeScopes(requested?: string): string[] {\n\tif (!requested) return [];\n\n\tconst validSet = new Set<string>(VALID_SCOPES);\n\tconst scopes = requested\n\t\t.split(\" \")\n\t\t.filter(Boolean)\n\t\t.filter((s) => validSet.has(s));\n\n\treturn scopes;\n}\n\n// ---------------------------------------------------------------------------\n// Handlers\n// ---------------------------------------------------------------------------\n\n/**\n * Process an authorization request after the user approves consent.\n *\n * Generates an authorization code, stores it with the PKCE challenge,\n * and returns the redirect URL with the code appended.\n *\n * Scopes are clamped to the user's role to prevent scope escalation.\n */\nexport async function handleAuthorizationApproval(\n\tdb: Kysely<Database>,\n\tuserId: string,\n\tuserRole: RoleLevel,\n\tparams: AuthorizationParams,\n): Promise<ApiResult<{ redirect_url: string }>> {\n\ttry {\n\t\t// Validate response_type\n\t\tif (params.response_type !== \"code\") {\n\t\t\treturn {\n\t\t\t\tsuccess: false,\n\t\t\t\terror: {\n\t\t\t\t\tcode: \"UNSUPPORTED_RESPONSE_TYPE\",\n\t\t\t\t\tmessage: \"Only response_type=code is supported\",\n\t\t\t\t},\n\t\t\t};\n\t\t}\n\n\t\t// Validate redirect_uri scheme/host (basic security check)\n\t\tconst uriError = validateRedirectUri(params.redirect_uri);\n\t\tif (uriError) {\n\t\t\treturn {\n\t\t\t\tsuccess: false,\n\t\t\t\terror: { code: \"INVALID_REDIRECT_URI\", message: uriError },\n\t\t\t};\n\t\t}\n\n\t\t// Look up the registered OAuth client\n\t\tconst client = await lookupOAuthClient(db, params.client_id);\n\t\tif (!client) {\n\t\t\treturn {\n\t\t\t\tsuccess: false,\n\t\t\t\terror: {\n\t\t\t\t\tcode: \"INVALID_CLIENT\",\n\t\t\t\t\tmessage: \"Unknown client_id\",\n\t\t\t\t},\n\t\t\t};\n\t\t}\n\n\t\t// Validate redirect_uri against client's registered URIs\n\t\tconst clientUriError = validateClientRedirectUri(params.redirect_uri, client.redirectUris);\n\t\tif (clientUriError) {\n\t\t\treturn {\n\t\t\t\tsuccess: false,\n\t\t\t\terror: { code: \"INVALID_REDIRECT_URI\", message: clientUriError },\n\t\t\t};\n\t\t}\n\n\t\t// Validate code_challenge_method\n\t\tif (params.code_challenge_method !== \"S256\") {\n\t\t\treturn {\n\t\t\t\tsuccess: false,\n\t\t\t\terror: {\n\t\t\t\t\tcode: \"INVALID_REQUEST\",\n\t\t\t\t\tmessage: \"Only S256 code_challenge_method is supported\",\n\t\t\t\t},\n\t\t\t};\n\t\t}\n\n\t\t// Validate code_challenge is present\n\t\tif (!params.code_challenge) {\n\t\t\treturn {\n\t\t\t\tsuccess: false,\n\t\t\t\terror: { code: \"INVALID_REQUEST\", message: \"code_challenge is required\" },\n\t\t\t};\n\t\t}\n\n\t\t// Validate scopes, then clamp to user's role\n\t\tconst userScopes = clampScopes(normalizeScopes(params.scope), userRole);\n\n\t\t// SEC-41: Intersect with client's registered scopes (if restricted).\n\t\t// A client registered with scopes: [\"content:read\"] should never receive\n\t\t// admin or schema:write, regardless of the approving user's role.\n\t\tconst clientScopes = client.scopes;\n\t\tconst scopes = clientScopes?.length\n\t\t\t? userScopes.filter((s: string) => clientScopes.includes(s))\n\t\t\t: userScopes;\n\n\t\tif (scopes.length === 0) {\n\t\t\treturn {\n\t\t\t\tsuccess: false,\n\t\t\t\terror: { code: \"INVALID_SCOPE\", message: \"No valid scopes requested\" },\n\t\t\t};\n\t\t}\n\n\t\t// Generate authorization code (high entropy, base64url)\n\t\tconst code = generateCodeVerifier(); // 32 bytes random, base64url\n\t\tconst codeHash = hashApiToken(code);\n\n\t\t// Store the authorization code\n\t\tawait db\n\t\t\t.insertInto(\"_emdash_authorization_codes\")\n\t\t\t.values({\n\t\t\t\tcode_hash: codeHash,\n\t\t\t\tclient_id: params.client_id,\n\t\t\t\tredirect_uri: params.redirect_uri,\n\t\t\t\tuser_id: userId,\n\t\t\t\tscopes: JSON.stringify(scopes),\n\t\t\t\tcode_challenge: params.code_challenge,\n\t\t\t\tcode_challenge_method: params.code_challenge_method,\n\t\t\t\tresource: params.resource ?? null,\n\t\t\t\texpires_at: expiresAt(AUTH_CODE_TTL_SECONDS),\n\t\t\t})\n\t\t\t.execute();\n\n\t\t// Build the redirect URL\n\t\tconst redirectUrl = new URL(params.redirect_uri);\n\t\tredirectUrl.searchParams.set(\"code\", code);\n\t\tif (params.state) {\n\t\t\tredirectUrl.searchParams.set(\"state\", params.state);\n\t\t}\n\n\t\treturn {\n\t\t\tsuccess: true,\n\t\t\tdata: { redirect_url: redirectUrl.toString() },\n\t\t};\n\t} catch (error) {\n\t\tconsole.error(\"Authorization error:\", error);\n\t\treturn {\n\t\t\tsuccess: false,\n\t\t\terror: {\n\t\t\t\tcode: \"AUTHORIZATION_ERROR\",\n\t\t\t\tmessage: \"Failed to process authorization\",\n\t\t\t},\n\t\t};\n\t}\n}\n\n/**\n * Exchange an authorization code for access + refresh tokens.\n *\n * Validates the code, verifies PKCE, and issues tokens using the same\n * infrastructure as the device flow (ec_oat_*, ec_ort_*).\n */\nexport async function handleAuthorizationCodeExchange(\n\tdb: Kysely<Database>,\n\tparams: TokenExchangeParams,\n): Promise<ApiResult<TokenResponse>> {\n\ttry {\n\t\t// Validate grant_type\n\t\tif (params.grant_type !== \"authorization_code\") {\n\t\t\treturn {\n\t\t\t\tsuccess: false,\n\t\t\t\terror: { code: \"unsupported_grant_type\", message: \"Invalid grant_type\" },\n\t\t\t};\n\t\t}\n\n\t\t// SEC-39: Atomically consume the authorization code using DELETE...RETURNING.\n\t\t// This prevents TOCTOU double-exchange: two concurrent requests with the\n\t\t// same code will race on the DELETE, and only one will get a row back.\n\t\tconst codeHash = hashApiToken(params.code);\n\n\t\tconst row = await db\n\t\t\t.deleteFrom(\"_emdash_authorization_codes\")\n\t\t\t.where(\"code_hash\", \"=\", codeHash)\n\t\t\t.returningAll()\n\t\t\t.executeTakeFirst();\n\n\t\tif (!row) {\n\t\t\treturn {\n\t\t\t\tsuccess: false,\n\t\t\t\terror: { code: \"invalid_grant\", message: \"Invalid authorization code\" },\n\t\t\t};\n\t\t}\n\n\t\t// Check expiry\n\t\tif (new Date(row.expires_at) < new Date()) {\n\t\t\treturn {\n\t\t\t\tsuccess: false,\n\t\t\t\terror: { code: \"invalid_grant\", message: \"Authorization code expired\" },\n\t\t\t};\n\t\t}\n\n\t\t// Verify redirect_uri matches exactly\n\t\tif (row.redirect_uri !== params.redirect_uri) {\n\t\t\treturn {\n\t\t\t\tsuccess: false,\n\t\t\t\terror: { code: \"invalid_grant\", message: \"redirect_uri mismatch\" },\n\t\t\t};\n\t\t}\n\n\t\t// Verify client_id matches\n\t\tif (row.client_id !== params.client_id) {\n\t\t\treturn {\n\t\t\t\tsuccess: false,\n\t\t\t\terror: { code: \"invalid_grant\", message: \"client_id mismatch\" },\n\t\t\t};\n\t\t}\n\n\t\t// PKCE verification: SHA256(code_verifier) must match stored code_challenge\n\t\t// Use constant-time comparison to prevent timing side-channels\n\t\tconst derivedChallenge = computeS256Challenge(params.code_verifier);\n\t\tif (!secureCompare(derivedChallenge, row.code_challenge)) {\n\t\t\treturn {\n\t\t\t\tsuccess: false,\n\t\t\t\terror: { code: \"invalid_grant\", message: \"PKCE verification failed\" },\n\t\t\t};\n\t\t}\n\n\t\t// Verify resource matches (if stored)\n\t\tif (row.resource && params.resource && row.resource !== params.resource) {\n\t\t\treturn {\n\t\t\t\tsuccess: false,\n\t\t\t\terror: { code: \"invalid_grant\", message: \"resource mismatch\" },\n\t\t\t};\n\t\t}\n\n\t\t// Revalidate user role before issuing tokens (same pattern as handleTokenRefresh).\n\t\t// The user's role may have changed since the authorization code was issued.\n\t\tconst userInfo = await lookupUserRoleAndStatus(db, row.user_id);\n\t\tif (!userInfo) {\n\t\t\treturn {\n\t\t\t\tsuccess: false,\n\t\t\t\terror: { code: \"invalid_grant\", message: \"User not found\" },\n\t\t\t};\n\t\t}\n\n\t\tif (userInfo.disabled) {\n\t\t\treturn {\n\t\t\t\tsuccess: false,\n\t\t\t\terror: { code: \"invalid_grant\", message: \"User account is disabled\" },\n\t\t\t};\n\t\t}\n\n\t\t// Re-clamp scopes against the user's current role\n\t\tconst storedScopes = JSON.parse(row.scopes) as string[];\n\t\tlet scopes = clampScopes(storedScopes, userInfo.role);\n\n\t\t// Intersect with client's registered scopes (if restricted)\n\t\tconst client = await lookupOAuthClient(db, row.client_id);\n\t\tif (client?.scopes?.length) {\n\t\t\tscopes = scopes.filter((s: string) => client.scopes!.includes(s));\n\t\t}\n\n\t\tif (scopes.length === 0) {\n\t\t\treturn {\n\t\t\t\tsuccess: false,\n\t\t\t\terror: {\n\t\t\t\t\tcode: \"invalid_grant\",\n\t\t\t\t\tmessage: \"User role no longer supports any of the requested scopes\",\n\t\t\t\t},\n\t\t\t};\n\t\t}\n\n\t\t// Issue tokens (same as device flow)\n\t\tconst accessToken = generatePrefixedToken(TOKEN_PREFIXES.OAUTH_ACCESS);\n\t\tconst accessExpires = expiresAt(ACCESS_TOKEN_TTL_SECONDS);\n\n\t\tconst refreshToken = generatePrefixedToken(TOKEN_PREFIXES.OAUTH_REFRESH);\n\t\tconst refreshExpires = expiresAt(REFRESH_TOKEN_TTL_SECONDS);\n\n\t\t// Atomically store both tokens in a transaction\n\t\tawait withTransaction(db, async (trx) => {\n\t\t\tawait trx\n\t\t\t\t.insertInto(\"_emdash_oauth_tokens\")\n\t\t\t\t.values({\n\t\t\t\t\ttoken_hash: accessToken.hash,\n\t\t\t\t\ttoken_type: \"access\",\n\t\t\t\t\tuser_id: row.user_id,\n\t\t\t\t\tscopes: JSON.stringify(scopes),\n\t\t\t\t\tclient_type: \"mcp\",\n\t\t\t\t\texpires_at: accessExpires,\n\t\t\t\t\trefresh_token_hash: refreshToken.hash,\n\t\t\t\t\tclient_id: row.client_id,\n\t\t\t\t})\n\t\t\t\t.execute();\n\n\t\t\tawait trx\n\t\t\t\t.insertInto(\"_emdash_oauth_tokens\")\n\t\t\t\t.values({\n\t\t\t\t\ttoken_hash: refreshToken.hash,\n\t\t\t\t\ttoken_type: \"refresh\",\n\t\t\t\t\tuser_id: row.user_id,\n\t\t\t\t\tscopes: JSON.stringify(scopes),\n\t\t\t\t\tclient_type: \"mcp\",\n\t\t\t\t\texpires_at: refreshExpires,\n\t\t\t\t\trefresh_token_hash: null,\n\t\t\t\t\tclient_id: row.client_id,\n\t\t\t\t})\n\t\t\t\t.execute();\n\t\t});\n\n\t\treturn {\n\t\t\tsuccess: true,\n\t\t\tdata: {\n\t\t\t\taccess_token: accessToken.raw,\n\t\t\t\trefresh_token: refreshToken.raw,\n\t\t\t\ttoken_type: \"Bearer\",\n\t\t\t\texpires_in: ACCESS_TOKEN_TTL_SECONDS,\n\t\t\t\tscope: scopes.join(\" \"),\n\t\t\t},\n\t\t};\n\t} catch (error) {\n\t\tconsole.error(\"Token exchange error:\", error);\n\t\treturn {\n\t\t\tsuccess: false,\n\t\t\terror: {\n\t\t\t\tcode: \"TOKEN_EXCHANGE_ERROR\",\n\t\t\t\tmessage: \"Failed to exchange authorization code\",\n\t\t\t},\n\t\t};\n\t}\n}\n\n/**\n * Build the authorization denied redirect URL.\n */\nexport function buildDeniedRedirect(redirectUri: string, state?: string): string {\n\tconst url = new URL(redirectUri);\n\turl.searchParams.set(\"error\", \"access_denied\");\n\turl.searchParams.set(\"error_description\", \"The user denied the authorization request\");\n\tif (state) {\n\t\turl.searchParams.set(\"state\", state);\n\t}\n\treturn url.toString();\n}\n\n/**\n * Clean up expired authorization codes.\n */\nexport async function cleanupExpiredAuthorizationCodes(db: Kysely<Database>): Promise<number> {\n\tconst result = await db\n\t\t.deleteFrom(\"_emdash_authorization_codes\")\n\t\t.where(\"expires_at\", \"<\", new Date().toISOString())\n\t\t.executeTakeFirst();\n\n\treturn Number(result.numDeletedRows);\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;AAiCA,MAAM,wBAAwB;;AAG9B,MAAM,2BAA2B;;AAGjC,MAAM,4BAA4B,OAAU,KAAK;AAsCjD,SAAS,UAAU,SAAyB;AAC3C,QAAO,IAAI,KAAK,KAAK,KAAK,GAAG,UAAU,IAAK,CAAC,aAAa;;;;;AAQ3D,SAAS,gBAAgB,WAA8B;AACtD,KAAI,CAAC,UAAW,QAAO,EAAE;CAEzB,MAAM,WAAW,IAAI,IAAY,aAAa;AAM9C,QALe,UACb,MAAM,IAAI,CACV,OAAO,QAAQ,CACf,QAAQ,MAAM,SAAS,IAAI,EAAE,CAAC;;;;;;;;;;AAiBjC,eAAsB,4BACrB,IACA,QACA,UACA,QAC+C;AAC/C,KAAI;AAEH,MAAI,OAAO,kBAAkB,OAC5B,QAAO;GACN,SAAS;GACT,OAAO;IACN,MAAM;IACN,SAAS;IACT;GACD;EAIF,MAAM,WAAW,oBAAoB,OAAO,aAAa;AACzD,MAAI,SACH,QAAO;GACN,SAAS;GACT,OAAO;IAAE,MAAM;IAAwB,SAAS;IAAU;GAC1D;EAIF,MAAM,SAAS,MAAM,kBAAkB,IAAI,OAAO,UAAU;AAC5D,MAAI,CAAC,OACJ,QAAO;GACN,SAAS;GACT,OAAO;IACN,MAAM;IACN,SAAS;IACT;GACD;EAIF,MAAM,iBAAiB,0BAA0B,OAAO,cAAc,OAAO,aAAa;AAC1F,MAAI,eACH,QAAO;GACN,SAAS;GACT,OAAO;IAAE,MAAM;IAAwB,SAAS;IAAgB;GAChE;AAIF,MAAI,OAAO,0BAA0B,OACpC,QAAO;GACN,SAAS;GACT,OAAO;IACN,MAAM;IACN,SAAS;IACT;GACD;AAIF,MAAI,CAAC,OAAO,eACX,QAAO;GACN,SAAS;GACT,OAAO;IAAE,MAAM;IAAmB,SAAS;IAA8B;GACzE;EAIF,MAAM,aAAa,YAAY,gBAAgB,OAAO,MAAM,EAAE,SAAS;EAKvE,MAAM,eAAe,OAAO;EAC5B,MAAM,SAAS,cAAc,SAC1B,WAAW,QAAQ,MAAc,aAAa,SAAS,EAAE,CAAC,GAC1D;AAEH,MAAI,OAAO,WAAW,EACrB,QAAO;GACN,SAAS;GACT,OAAO;IAAE,MAAM;IAAiB,SAAS;IAA6B;GACtE;EAIF,MAAM,OAAO,sBAAsB;EACnC,MAAM,WAAW,aAAa,KAAK;AAGnC,QAAM,GACJ,WAAW,8BAA8B,CACzC,OAAO;GACP,WAAW;GACX,WAAW,OAAO;GAClB,cAAc,OAAO;GACrB,SAAS;GACT,QAAQ,KAAK,UAAU,OAAO;GAC9B,gBAAgB,OAAO;GACvB,uBAAuB,OAAO;GAC9B,UAAU,OAAO,YAAY;GAC7B,YAAY,UAAU,sBAAsB;GAC5C,CAAC,CACD,SAAS;EAGX,MAAM,cAAc,IAAI,IAAI,OAAO,aAAa;AAChD,cAAY,aAAa,IAAI,QAAQ,KAAK;AAC1C,MAAI,OAAO,MACV,aAAY,aAAa,IAAI,SAAS,OAAO,MAAM;AAGpD,SAAO;GACN,SAAS;GACT,MAAM,EAAE,cAAc,YAAY,UAAU,EAAE;GAC9C;UACO,OAAO;AACf,UAAQ,MAAM,wBAAwB,MAAM;AAC5C,SAAO;GACN,SAAS;GACT,OAAO;IACN,MAAM;IACN,SAAS;IACT;GACD;;;;;;;;;AAUH,eAAsB,gCACrB,IACA,QACoC;AACpC,KAAI;AAEH,MAAI,OAAO,eAAe,qBACzB,QAAO;GACN,SAAS;GACT,OAAO;IAAE,MAAM;IAA0B,SAAS;IAAsB;GACxE;EAMF,MAAM,WAAW,aAAa,OAAO,KAAK;EAE1C,MAAM,MAAM,MAAM,GAChB,WAAW,8BAA8B,CACzC,MAAM,aAAa,KAAK,SAAS,CACjC,cAAc,CACd,kBAAkB;AAEpB,MAAI,CAAC,IACJ,QAAO;GACN,SAAS;GACT,OAAO;IAAE,MAAM;IAAiB,SAAS;IAA8B;GACvE;AAIF,MAAI,IAAI,KAAK,IAAI,WAAW,mBAAG,IAAI,MAAM,CACxC,QAAO;GACN,SAAS;GACT,OAAO;IAAE,MAAM;IAAiB,SAAS;IAA8B;GACvE;AAIF,MAAI,IAAI,iBAAiB,OAAO,aAC/B,QAAO;GACN,SAAS;GACT,OAAO;IAAE,MAAM;IAAiB,SAAS;IAAyB;GAClE;AAIF,MAAI,IAAI,cAAc,OAAO,UAC5B,QAAO;GACN,SAAS;GACT,OAAO;IAAE,MAAM;IAAiB,SAAS;IAAsB;GAC/D;AAMF,MAAI,CAAC,cADoB,qBAAqB,OAAO,cAAc,EAC9B,IAAI,eAAe,CACvD,QAAO;GACN,SAAS;GACT,OAAO;IAAE,MAAM;IAAiB,SAAS;IAA4B;GACrE;AAIF,MAAI,IAAI,YAAY,OAAO,YAAY,IAAI,aAAa,OAAO,SAC9D,QAAO;GACN,SAAS;GACT,OAAO;IAAE,MAAM;IAAiB,SAAS;IAAqB;GAC9D;EAKF,MAAM,WAAW,MAAM,wBAAwB,IAAI,IAAI,QAAQ;AAC/D,MAAI,CAAC,SACJ,QAAO;GACN,SAAS;GACT,OAAO;IAAE,MAAM;IAAiB,SAAS;IAAkB;GAC3D;AAGF,MAAI,SAAS,SACZ,QAAO;GACN,SAAS;GACT,OAAO;IAAE,MAAM;IAAiB,SAAS;IAA4B;GACrE;EAKF,IAAI,SAAS,YADQ,KAAK,MAAM,IAAI,OAAO,EACJ,SAAS,KAAK;EAGrD,MAAM,SAAS,MAAM,kBAAkB,IAAI,IAAI,UAAU;AACzD,MAAI,QAAQ,QAAQ,OACnB,UAAS,OAAO,QAAQ,MAAc,OAAO,OAAQ,SAAS,EAAE,CAAC;AAGlE,MAAI,OAAO,WAAW,EACrB,QAAO;GACN,SAAS;GACT,OAAO;IACN,MAAM;IACN,SAAS;IACT;GACD;EAIF,MAAM,cAAc,sBAAsB,eAAe,aAAa;EACtE,MAAM,gBAAgB,UAAU,yBAAyB;EAEzD,MAAM,eAAe,sBAAsB,eAAe,cAAc;EACxE,MAAM,iBAAiB,UAAU,0BAA0B;AAG3D,QAAM,gBAAgB,IAAI,OAAO,QAAQ;AACxC,SAAM,IACJ,WAAW,uBAAuB,CAClC,OAAO;IACP,YAAY,YAAY;IACxB,YAAY;IACZ,SAAS,IAAI;IACb,QAAQ,KAAK,UAAU,OAAO;IAC9B,aAAa;IACb,YAAY;IACZ,oBAAoB,aAAa;IACjC,WAAW,IAAI;IACf,CAAC,CACD,SAAS;AAEX,SAAM,IACJ,WAAW,uBAAuB,CAClC,OAAO;IACP,YAAY,aAAa;IACzB,YAAY;IACZ,SAAS,IAAI;IACb,QAAQ,KAAK,UAAU,OAAO;IAC9B,aAAa;IACb,YAAY;IACZ,oBAAoB;IACpB,WAAW,IAAI;IACf,CAAC,CACD,SAAS;IACV;AAEF,SAAO;GACN,SAAS;GACT,MAAM;IACL,cAAc,YAAY;IAC1B,eAAe,aAAa;IAC5B,YAAY;IACZ,YAAY;IACZ,OAAO,OAAO,KAAK,IAAI;IACvB;GACD;UACO,OAAO;AACf,UAAQ,MAAM,yBAAyB,MAAM;AAC7C,SAAO;GACN,SAAS;GACT,OAAO;IACN,MAAM;IACN,SAAS;IACT;GACD;;;;;;AAOH,SAAgB,oBAAoB,aAAqB,OAAwB;CAChF,MAAM,MAAM,IAAI,IAAI,YAAY;AAChC,KAAI,aAAa,IAAI,SAAS,gBAAgB;AAC9C,KAAI,aAAa,IAAI,qBAAqB,4CAA4C;AACtF,KAAI,MACH,KAAI,aAAa,IAAI,SAAS,MAAM;AAErC,QAAO,IAAI,UAAU"}

package/dist/{options-BL4X94qY.mjs → options-BPCVnesz.mjs}

@@ -114,4 +114,4 @@ var OptionsRepository = class {
 
 //#endregion
 export { OptionsRepository as t };
-//# sourceMappingURL=options-BL4X94qY.mjs.map
+//# sourceMappingURL=options-BPCVnesz.mjs.map

package/dist/{options-BL4X94qY.mjs.map → options-BPCVnesz.mjs.map}

@@ -1 +1 @@
-{"version":3,"file":"options-BL4X94qY.mjs","names":[],"sources":["../src/database/repositories/options.ts"],"sourcesContent":["import { sql, type Kysely, type SqlBool } from \"kysely\";\n\nimport type { Database, OptionTable } from \"../types.js\";\n\nfunction escapeLike(value: string): string {\n\treturn value.replaceAll(\"\\\\\", \"\\\\\\\\\").replaceAll(\"%\", \"\\\\%\").replaceAll(\"_\", \"\\\\_\");\n}\n\n/**\n * Options repository for key-value settings storage\n *\n * Used for site settings, plugin configuration, and other arbitrary key-value data.\n * Values are stored as JSON for flexibility.\n */\nexport class OptionsRepository {\n\tconstructor(private db: Kysely<Database>) {}\n\n\t/**\n\t * Get an option value\n\t */\n\tasync get<T = unknown>(name: string): Promise<T | null> {\n\t\tconst row = await this.db\n\t\t\t.selectFrom(\"options\")\n\t\t\t.select(\"value\")\n\t\t\t.where(\"name\", \"=\", name)\n\t\t\t.executeTakeFirst();\n\n\t\tif (!row) return null;\n\t\t// eslint-disable-next-line typescript/no-unsafe-type-assertion -- JSON.parse returns any; generic callers provide T\n\t\treturn JSON.parse(row.value) as T;\n\t}\n\n\t/**\n\t * Get an option value with a default\n\t */\n\tasync getOrDefault<T>(name: string, defaultValue: T): Promise<T> {\n\t\tconst value = await this.get<T>(name);\n\t\treturn value ?? defaultValue;\n\t}\n\n\t/**\n\t * Set an option value (creates or updates)\n\t */\n\tasync set<T = unknown>(name: string, value: T): Promise<void> {\n\t\tconst row: OptionTable = {\n\t\t\tname,\n\t\t\tvalue: JSON.stringify(value),\n\t\t};\n\n\t\t// Upsert: insert or replace\n\t\tawait this.db\n\t\t\t.insertInto(\"options\")\n\t\t\t.values(row)\n\t\t\t.onConflict((oc) => oc.column(\"name\").doUpdateSet({ value: row.value }))\n\t\t\t.execute();\n\t}\n\n\t/**\n\t * Set an option value only if no row with that name exists. Atomic at the\n\t * database level via INSERT ... ON CONFLICT DO NOTHING, so concurrent\n\t * callers can't race past the check.\n\t *\n\t * Returns true when the row was inserted, false when a row already\n\t * existed (regardless of its value — even an empty string or null).\n\t */\n\tasync setIfAbsent<T = unknown>(name: string, value: T): Promise<boolean> {\n\t\tconst row: OptionTable = {\n\t\t\tname,\n\t\t\tvalue: JSON.stringify(value),\n\t\t};\n\n\t\tconst result = await this.db\n\t\t\t.insertInto(\"options\")\n\t\t\t.values(row)\n\t\t\t.onConflict((oc) => oc.column(\"name\").doNothing())\n\t\t\t.executeTakeFirst();\n\n\t\t// SQLite reports numInsertedOrUpdatedRows; Postgres reports the same.\n\t\t// When the ON CONFLICT branch fires and does nothing, the count is 0.\n\t\treturn (result.numInsertedOrUpdatedRows ?? 0n) > 0n;\n\t}\n\n\t/**\n\t * Delete an option\n\t */\n\tasync delete(name: string): Promise<boolean> {\n\t\tconst result = await this.db.deleteFrom(\"options\").where(\"name\", \"=\", name).executeTakeFirst();\n\n\t\treturn (result.numDeletedRows ?? 0) > 0;\n\t}\n\n\t/**\n\t * Check if an option exists\n\t */\n\tasync exists(name: string): Promise<boolean> {\n\t\tconst row = await this.db\n\t\t\t.selectFrom(\"options\")\n\t\t\t.select(\"name\")\n\t\t\t.where(\"name\", \"=\", name)\n\t\t\t.executeTakeFirst();\n\n\t\treturn !!row;\n\t}\n\n\t/**\n\t * Get multiple options at once\n\t */\n\tasync getMany<T = unknown>(names: string[]): Promise<Map<string, T>> {\n\t\tif (names.length === 0) return new Map();\n\n\t\tconst rows = await this.db\n\t\t\t.selectFrom(\"options\")\n\t\t\t.select([\"name\", \"value\"])\n\t\t\t.where(\"name\", \"in\", names)\n\t\t\t.execute();\n\n\t\tconst result = new Map<string, T>();\n\t\tfor (const row of rows) {\n\t\t\t// eslint-disable-next-line typescript/no-unsafe-type-assertion -- JSON.parse returns any; generic callers provide T\n\t\t\tresult.set(row.name, JSON.parse(row.value) as T);\n\t\t}\n\t\treturn result;\n\t}\n\n\t/**\n\t * Set multiple options at once\n\t */\n\tasync setMany<T = unknown>(options: Record<string, T>): Promise<void> {\n\t\tconst entries = Object.entries(options);\n\t\tif (entries.length === 0) return;\n\n\t\tfor (const [name, value] of entries) {\n\t\t\tawait this.set(name, value);\n\t\t}\n\t}\n\n\t/**\n\t * Get all options (use sparingly)\n\t */\n\tasync getAll(): Promise<Map<string, unknown>> {\n\t\tconst rows = await this.db.selectFrom(\"options\").select([\"name\", \"value\"]).execute();\n\n\t\tconst result = new Map<string, unknown>();\n\t\tfor (const row of rows) {\n\t\t\tresult.set(row.name, JSON.parse(row.value));\n\t\t}\n\t\treturn result;\n\t}\n\n\t/**\n\t * Get all options matching a prefix\n\t */\n\tasync getByPrefix<T = unknown>(prefix: string): Promise<Map<string, T>> {\n\t\tconst pattern = `${escapeLike(prefix)}%`;\n\t\tconst rows = await this.db\n\t\t\t.selectFrom(\"options\")\n\t\t\t.select([\"name\", \"value\"])\n\t\t\t.where(sql<SqlBool>`name LIKE ${pattern} ESCAPE '\\\\'`)\n\t\t\t.execute();\n\n\t\tconst result = new Map<string, T>();\n\t\tfor (const row of rows) {\n\t\t\t// eslint-disable-next-line typescript/no-unsafe-type-assertion -- JSON.parse returns any; generic callers provide T\n\t\t\tresult.set(row.name, JSON.parse(row.value) as T);\n\t\t}\n\t\treturn result;\n\t}\n\n\t/**\n\t * Delete all options matching a prefix\n\t */\n\tasync deleteByPrefix(prefix: string): Promise<number> {\n\t\tconst pattern = `${escapeLike(prefix)}%`;\n\t\tconst result = await this.db\n\t\t\t.deleteFrom(\"options\")\n\t\t\t.where(sql<SqlBool>`name LIKE ${pattern} ESCAPE '\\\\'`)\n\t\t\t.executeTakeFirst();\n\n\t\treturn Number(result.numDeletedRows ?? 0);\n\t}\n}\n"],"mappings":";;;AAIA,SAAS,WAAW,OAAuB;AAC1C,QAAO,MAAM,WAAW,MAAM,OAAO,CAAC,WAAW,KAAK,MAAM,CAAC,WAAW,KAAK,MAAM;;;;;;;;AASpF,IAAa,oBAAb,MAA+B;CAC9B,YAAY,AAAQ,IAAsB;EAAtB;;;;;CAKpB,MAAM,IAAiB,MAAiC;EACvD,MAAM,MAAM,MAAM,KAAK,GACrB,WAAW,UAAU,CACrB,OAAO,QAAQ,CACf,MAAM,QAAQ,KAAK,KAAK,CACxB,kBAAkB;AAEpB,MAAI,CAAC,IAAK,QAAO;AAEjB,SAAO,KAAK,MAAM,IAAI,MAAM;;;;;CAM7B,MAAM,aAAgB,MAAc,cAA6B;AAEhE,SADc,MAAM,KAAK,IAAO,KAAK,IACrB;;;;;CAMjB,MAAM,IAAiB,MAAc,OAAyB;EAC7D,MAAM,MAAmB;GACxB;GACA,OAAO,KAAK,UAAU,MAAM;GAC5B;AAGD,QAAM,KAAK,GACT,WAAW,UAAU,CACrB,OAAO,IAAI,CACX,YAAY,OAAO,GAAG,OAAO,OAAO,CAAC,YAAY,EAAE,OAAO,IAAI,OAAO,CAAC,CAAC,CACvE,SAAS;;;;;;;;;;CAWZ,MAAM,YAAyB,MAAc,OAA4B;EACxE,MAAM,MAAmB;GACxB;GACA,OAAO,KAAK,UAAU,MAAM;GAC5B;AAUD,WARe,MAAM,KAAK,GACxB,WAAW,UAAU,CACrB,OAAO,IAAI,CACX,YAAY,OAAO,GAAG,OAAO,OAAO,CAAC,WAAW,CAAC,CACjD,kBAAkB,EAIL,4BAA4B,MAAM;;;;;CAMlD,MAAM,OAAO,MAAgC;AAG5C,WAFe,MAAM,KAAK,GAAG,WAAW,UAAU,CAAC,MAAM,QAAQ,KAAK,KAAK,CAAC,kBAAkB,EAE/E,kBAAkB,KAAK;;;;;CAMvC,MAAM,OAAO,MAAgC;AAO5C,SAAO,CAAC,CANI,MAAM,KAAK,GACrB,WAAW,UAAU,CACrB,OAAO,OAAO,CACd,MAAM,QAAQ,KAAK,KAAK,CACxB,kBAAkB;;;;;CAQrB,MAAM,QAAqB,OAA0C;AACpE,MAAI,MAAM,WAAW,EAAG,wBAAO,IAAI,KAAK;EAExC,MAAM,OAAO,MAAM,KAAK,GACtB,WAAW,UAAU,CACrB,OAAO,CAAC,QAAQ,QAAQ,CAAC,CACzB,MAAM,QAAQ,MAAM,MAAM,CAC1B,SAAS;EAEX,MAAM,yBAAS,IAAI,KAAgB;AACnC,OAAK,MAAM,OAAO,KAEjB,QAAO,IAAI,IAAI,MAAM,KAAK,MAAM,IAAI,MAAM,CAAM;AAEjD,SAAO;;;;;CAMR,MAAM,QAAqB,SAA2C;EACrE,MAAM,UAAU,OAAO,QAAQ,QAAQ;AACvC,MAAI,QAAQ,WAAW,EAAG;AAE1B,OAAK,MAAM,CAAC,MAAM,UAAU,QAC3B,OAAM,KAAK,IAAI,MAAM,MAAM;;;;;CAO7B,MAAM,SAAwC;EAC7C,MAAM,OAAO,MAAM,KAAK,GAAG,WAAW,UAAU,CAAC,OAAO,CAAC,QAAQ,QAAQ,CAAC,CAAC,SAAS;EAEpF,MAAM,yBAAS,IAAI,KAAsB;AACzC,OAAK,MAAM,OAAO,KACjB,QAAO,IAAI,IAAI,MAAM,KAAK,MAAM,IAAI,MAAM,CAAC;AAE5C,SAAO;;;;;CAMR,MAAM,YAAyB,QAAyC;EACvE,MAAM,UAAU,GAAG,WAAW,OAAO,CAAC;EACtC,MAAM,OAAO,MAAM,KAAK,GACtB,WAAW,UAAU,CACrB,OAAO,CAAC,QAAQ,QAAQ,CAAC,CACzB,MAAM,GAAY,aAAa,QAAQ,cAAc,CACrD,SAAS;EAEX,MAAM,yBAAS,IAAI,KAAgB;AACnC,OAAK,MAAM,OAAO,KAEjB,QAAO,IAAI,IAAI,MAAM,KAAK,MAAM,IAAI,MAAM,CAAM;AAEjD,SAAO;;;;;CAMR,MAAM,eAAe,QAAiC;EACrD,MAAM,UAAU,GAAG,WAAW,OAAO,CAAC;EACtC,MAAM,SAAS,MAAM,KAAK,GACxB,WAAW,UAAU,CACrB,MAAM,GAAY,aAAa,QAAQ,cAAc,CACrD,kBAAkB;AAEpB,SAAO,OAAO,OAAO,kBAAkB,EAAE"}
+{"version":3,"file":"options-BPCVnesz.mjs","names":[],"sources":["../src/database/repositories/options.ts"],"sourcesContent":["import { sql, type Kysely, type SqlBool } from \"kysely\";\n\nimport type { Database, OptionTable } from \"../types.js\";\n\nfunction escapeLike(value: string): string {\n\treturn value.replaceAll(\"\\\\\", \"\\\\\\\\\").replaceAll(\"%\", \"\\\\%\").replaceAll(\"_\", \"\\\\_\");\n}\n\n/**\n * Options repository for key-value settings storage\n *\n * Used for site settings, plugin configuration, and other arbitrary key-value data.\n * Values are stored as JSON for flexibility.\n */\nexport class OptionsRepository {\n\tconstructor(private db: Kysely<Database>) {}\n\n\t/**\n\t * Get an option value\n\t */\n\tasync get<T = unknown>(name: string): Promise<T | null> {\n\t\tconst row = await this.db\n\t\t\t.selectFrom(\"options\")\n\t\t\t.select(\"value\")\n\t\t\t.where(\"name\", \"=\", name)\n\t\t\t.executeTakeFirst();\n\n\t\tif (!row) return null;\n\t\t// eslint-disable-next-line typescript/no-unsafe-type-assertion -- JSON.parse returns any; generic callers provide T\n\t\treturn JSON.parse(row.value) as T;\n\t}\n\n\t/**\n\t * Get an option value with a default\n\t */\n\tasync getOrDefault<T>(name: string, defaultValue: T): Promise<T> {\n\t\tconst value = await this.get<T>(name);\n\t\treturn value ?? defaultValue;\n\t}\n\n\t/**\n\t * Set an option value (creates or updates)\n\t */\n\tasync set<T = unknown>(name: string, value: T): Promise<void> {\n\t\tconst row: OptionTable = {\n\t\t\tname,\n\t\t\tvalue: JSON.stringify(value),\n\t\t};\n\n\t\t// Upsert: insert or replace\n\t\tawait this.db\n\t\t\t.insertInto(\"options\")\n\t\t\t.values(row)\n\t\t\t.onConflict((oc) => oc.column(\"name\").doUpdateSet({ value: row.value }))\n\t\t\t.execute();\n\t}\n\n\t/**\n\t * Set an option value only if no row with that name exists. Atomic at the\n\t * database level via INSERT ... ON CONFLICT DO NOTHING, so concurrent\n\t * callers can't race past the check.\n\t *\n\t * Returns true when the row was inserted, false when a row already\n\t * existed (regardless of its value — even an empty string or null).\n\t */\n\tasync setIfAbsent<T = unknown>(name: string, value: T): Promise<boolean> {\n\t\tconst row: OptionTable = {\n\t\t\tname,\n\t\t\tvalue: JSON.stringify(value),\n\t\t};\n\n\t\tconst result = await this.db\n\t\t\t.insertInto(\"options\")\n\t\t\t.values(row)\n\t\t\t.onConflict((oc) => oc.column(\"name\").doNothing())\n\t\t\t.executeTakeFirst();\n\n\t\t// SQLite reports numInsertedOrUpdatedRows; Postgres reports the same.\n\t\t// When the ON CONFLICT branch fires and does nothing, the count is 0.\n\t\treturn (result.numInsertedOrUpdatedRows ?? 0n) > 0n;\n\t}\n\n\t/**\n\t * Delete an option\n\t */\n\tasync delete(name: string): Promise<boolean> {\n\t\tconst result = await this.db.deleteFrom(\"options\").where(\"name\", \"=\", name).executeTakeFirst();\n\n\t\treturn (result.numDeletedRows ?? 0) > 0;\n\t}\n\n\t/**\n\t * Check if an option exists\n\t */\n\tasync exists(name: string): Promise<boolean> {\n\t\tconst row = await this.db\n\t\t\t.selectFrom(\"options\")\n\t\t\t.select(\"name\")\n\t\t\t.where(\"name\", \"=\", name)\n\t\t\t.executeTakeFirst();\n\n\t\treturn !!row;\n\t}\n\n\t/**\n\t * Get multiple options at once\n\t */\n\tasync getMany<T = unknown>(names: string[]): Promise<Map<string, T>> {\n\t\tif (names.length === 0) return new Map();\n\n\t\tconst rows = await this.db\n\t\t\t.selectFrom(\"options\")\n\t\t\t.select([\"name\", \"value\"])\n\t\t\t.where(\"name\", \"in\", names)\n\t\t\t.execute();\n\n\t\tconst result = new Map<string, T>();\n\t\tfor (const row of rows) {\n\t\t\t// eslint-disable-next-line typescript/no-unsafe-type-assertion -- JSON.parse returns any; generic callers provide T\n\t\t\tresult.set(row.name, JSON.parse(row.value) as T);\n\t\t}\n\t\treturn result;\n\t}\n\n\t/**\n\t * Set multiple options at once\n\t */\n\tasync setMany<T = unknown>(options: Record<string, T>): Promise<void> {\n\t\tconst entries = Object.entries(options);\n\t\tif (entries.length === 0) return;\n\n\t\tfor (const [name, value] of entries) {\n\t\t\tawait this.set(name, value);\n\t\t}\n\t}\n\n\t/**\n\t * Get all options (use sparingly)\n\t */\n\tasync getAll(): Promise<Map<string, unknown>> {\n\t\tconst rows = await this.db.selectFrom(\"options\").select([\"name\", \"value\"]).execute();\n\n\t\tconst result = new Map<string, unknown>();\n\t\tfor (const row of rows) {\n\t\t\tresult.set(row.name, JSON.parse(row.value));\n\t\t}\n\t\treturn result;\n\t}\n\n\t/**\n\t * Get all options matching a prefix\n\t */\n\tasync getByPrefix<T = unknown>(prefix: string): Promise<Map<string, T>> {\n\t\tconst pattern = `${escapeLike(prefix)}%`;\n\t\tconst rows = await this.db\n\t\t\t.selectFrom(\"options\")\n\t\t\t.select([\"name\", \"value\"])\n\t\t\t.where(sql<SqlBool>`name LIKE ${pattern} ESCAPE '\\\\'`)\n\t\t\t.execute();\n\n\t\tconst result = new Map<string, T>();\n\t\tfor (const row of rows) {\n\t\t\t// eslint-disable-next-line typescript/no-unsafe-type-assertion -- JSON.parse returns any; generic callers provide T\n\t\t\tresult.set(row.name, JSON.parse(row.value) as T);\n\t\t}\n\t\treturn result;\n\t}\n\n\t/**\n\t * Delete all options matching a prefix\n\t */\n\tasync deleteByPrefix(prefix: string): Promise<number> {\n\t\tconst pattern = `${escapeLike(prefix)}%`;\n\t\tconst result = await this.db\n\t\t\t.deleteFrom(\"options\")\n\t\t\t.where(sql<SqlBool>`name LIKE ${pattern} ESCAPE '\\\\'`)\n\t\t\t.executeTakeFirst();\n\n\t\treturn Number(result.numDeletedRows ?? 0);\n\t}\n}\n"],"mappings":";;;AAIA,SAAS,WAAW,OAAuB;AAC1C,QAAO,MAAM,WAAW,MAAM,OAAO,CAAC,WAAW,KAAK,MAAM,CAAC,WAAW,KAAK,MAAM;;;;;;;;AASpF,IAAa,oBAAb,MAA+B;CAC9B,YAAY,AAAQ,IAAsB;EAAtB;;;;;CAKpB,MAAM,IAAiB,MAAiC;EACvD,MAAM,MAAM,MAAM,KAAK,GACrB,WAAW,UAAU,CACrB,OAAO,QAAQ,CACf,MAAM,QAAQ,KAAK,KAAK,CACxB,kBAAkB;AAEpB,MAAI,CAAC,IAAK,QAAO;AAEjB,SAAO,KAAK,MAAM,IAAI,MAAM;;;;;CAM7B,MAAM,aAAgB,MAAc,cAA6B;AAEhE,SADc,MAAM,KAAK,IAAO,KAAK,IACrB;;;;;CAMjB,MAAM,IAAiB,MAAc,OAAyB;EAC7D,MAAM,MAAmB;GACxB;GACA,OAAO,KAAK,UAAU,MAAM;GAC5B;AAGD,QAAM,KAAK,GACT,WAAW,UAAU,CACrB,OAAO,IAAI,CACX,YAAY,OAAO,GAAG,OAAO,OAAO,CAAC,YAAY,EAAE,OAAO,IAAI,OAAO,CAAC,CAAC,CACvE,SAAS;;;;;;;;;;CAWZ,MAAM,YAAyB,MAAc,OAA4B;EACxE,MAAM,MAAmB;GACxB;GACA,OAAO,KAAK,UAAU,MAAM;GAC5B;AAUD,WARe,MAAM,KAAK,GACxB,WAAW,UAAU,CACrB,OAAO,IAAI,CACX,YAAY,OAAO,GAAG,OAAO,OAAO,CAAC,WAAW,CAAC,CACjD,kBAAkB,EAIL,4BAA4B,MAAM;;;;;CAMlD,MAAM,OAAO,MAAgC;AAG5C,WAFe,MAAM,KAAK,GAAG,WAAW,UAAU,CAAC,MAAM,QAAQ,KAAK,KAAK,CAAC,kBAAkB,EAE/E,kBAAkB,KAAK;;;;;CAMvC,MAAM,OAAO,MAAgC;AAO5C,SAAO,CAAC,CANI,MAAM,KAAK,GACrB,WAAW,UAAU,CACrB,OAAO,OAAO,CACd,MAAM,QAAQ,KAAK,KAAK,CACxB,kBAAkB;;;;;CAQrB,MAAM,QAAqB,OAA0C;AACpE,MAAI,MAAM,WAAW,EAAG,wBAAO,IAAI,KAAK;EAExC,MAAM,OAAO,MAAM,KAAK,GACtB,WAAW,UAAU,CACrB,OAAO,CAAC,QAAQ,QAAQ,CAAC,CACzB,MAAM,QAAQ,MAAM,MAAM,CAC1B,SAAS;EAEX,MAAM,yBAAS,IAAI,KAAgB;AACnC,OAAK,MAAM,OAAO,KAEjB,QAAO,IAAI,IAAI,MAAM,KAAK,MAAM,IAAI,MAAM,CAAM;AAEjD,SAAO;;;;;CAMR,MAAM,QAAqB,SAA2C;EACrE,MAAM,UAAU,OAAO,QAAQ,QAAQ;AACvC,MAAI,QAAQ,WAAW,EAAG;AAE1B,OAAK,MAAM,CAAC,MAAM,UAAU,QAC3B,OAAM,KAAK,IAAI,MAAM,MAAM;;;;;CAO7B,MAAM,SAAwC;EAC7C,MAAM,OAAO,MAAM,KAAK,GAAG,WAAW,UAAU,CAAC,OAAO,CAAC,QAAQ,QAAQ,CAAC,CAAC,SAAS;EAEpF,MAAM,yBAAS,IAAI,KAAsB;AACzC,OAAK,MAAM,OAAO,KACjB,QAAO,IAAI,IAAI,MAAM,KAAK,MAAM,IAAI,MAAM,CAAC;AAE5C,SAAO;;;;;CAMR,MAAM,YAAyB,QAAyC;EACvE,MAAM,UAAU,GAAG,WAAW,OAAO,CAAC;EACtC,MAAM,OAAO,MAAM,KAAK,GACtB,WAAW,UAAU,CACrB,OAAO,CAAC,QAAQ,QAAQ,CAAC,CACzB,MAAM,GAAY,aAAa,QAAQ,cAAc,CACrD,SAAS;EAEX,MAAM,yBAAS,IAAI,KAAgB;AACnC,OAAK,MAAM,OAAO,KAEjB,QAAO,IAAI,IAAI,MAAM,KAAK,MAAM,IAAI,MAAM,CAAM;AAEjD,SAAO;;;;;CAMR,MAAM,eAAe,QAAiC;EACrD,MAAM,UAAU,GAAG,WAAW,OAAO,CAAC;EACtC,MAAM,SAAS,MAAM,KAAK,GACxB,WAAW,UAAU,CACrB,MAAM,GAAY,aAAa,QAAQ,cAAc,CACrD,kBAAkB;AAEpB,SAAO,OAAO,OAAO,kBAAkB,EAAE"}

package/dist/{options-tb7DJROi.d.mts → options-D4MnavW_.d.mts}

@@ -1,5 +1,5 @@
-import { r as ContentItem } from "./types-i8_uzhMD.mjs";
-import { t as Database } from "./types-DawhLFwy.mjs";
+import { i as ContentItem } from "./types-WVmpZBJV.mjs";
+import { t as Database } from "./types-OT_Es5mp.mjs";
 import { Kysely } from "kysely";
 import { z } from "zod";
 
@@ -204,4 +204,4 @@ declare class OptionsRepository {
 }
 //#endregion
 export { parseQuery as a, handleError as c, ContentListResponse as d, ContentResponse as f, ManifestResponse as h, parseBody as i, ApiContext as l, ListResponse as m, ParseResult as n, apiError as o, FieldDescriptor as p, isParseError as r, apiSuccess as s, OptionsRepository as t, ApiResult as u };
-//# sourceMappingURL=options-tb7DJROi.d.mts.map
+//# sourceMappingURL=options-D4MnavW_.d.mts.map

package/dist/{options-tb7DJROi.d.mts.map → options-D4MnavW_.d.mts.map}

@@ -1 +1 @@
-{"version":3,"file":"options-tb7DJROi.d.mts","names":[],"sources":["../src/api/types.ts","../src/api/error.ts","../src/api/parse.ts","../src/database/repositories/options.ts"],"mappings":";;;;;;;;AASA;UAAiB,YAAA;EAChB,KAAA,EAAO,CAAA;EACP,UAAA;EAF6B;;;;;EAQ7B,KAAA;AAAA;AAMD;;;AAAA,UAAiB,mBAAA,SAA4B,YAAA,CAAa,WAAA;AAAA,UAEzC,eAAA;EAChB,IAAA,EAAM,WAAA;;EAEN,IAAA;AAAA;;;;UAMgB,gBAAA;EAChB,OAAA;EACA,IAAA;EACA,WAAA,EAAa,MAAA;IAGX,KAAA;IACA,aAAA;IACA,QAAA;IACA,MAAA,EAAQ,MAAA,SAAe,eAAA;EAAA;EAGzB,OAAA,EAAS,MAAA;IAGP,UAAA,GAAa,KAAA;MAAQ,IAAA;MAAc,SAAA;IAAA;IACnC,OAAA;EAAA;AAAA;AAAA,UAKc,eAAA;EAChB,IAAA;EACA,KAAA;EACA,QAAA;EAZA;;;;EAiBA,OAAA,GAAU,KAAA;IAAQ,KAAA;IAAe,KAAA;EAAA,KAAmB,MAAA;AAAA;AARrD;;;;;;;;;;;;AAAA,KAuBY,SAAA;EACP,OAAA;EAAe,IAAA,EAAM,CAAA;AAAA;EAEvB,OAAA;EACA,KAAA;IAAS,IAAA,EAAM,CAAA;IAAG,OAAA;IAAiB,OAAA,GAAU,MAAA;EAAA;AAAA;;;;UAM/B,UAAA;EAChB,MAAA;EACA,QAAA;AAAA;;;;;;;;;iBC5De,QAAA,CACf,IAAA,UACA,OAAA,UACA,MAAA,UACA,OAAA,GAAU,MAAA,oBACR,QAAA;;;ADZH;;;;iBC2BgB,UAAA,GAAA,CAAc,IAAA,EAAM,CAAA,EAAG,MAAA,YAAe,QAAA;ADzBtD;;;;;;;;AAAA,iBCqCgB,WAAA,CACf,KAAA,WACA,eAAA,UACA,YAAA,WACE,QAAA;;;;;;;KChDS,WAAA,MAAiB,CAAA,GAAI,QAAA;;;;;;AFKjC;iBEGsB,SAAA,WAAoB,CAAA,CAAE,OAAA,CAAA,CAC3C,OAAA,EAAS,OAAA,EACT,MAAA,EAAQ,CAAA,GACN,OAAA,CAAQ,WAAA,CAAY,CAAA,CAAE,KAAA,CAAM,CAAA;;;;;;AFK/B;;iBEyDgB,UAAA,WAAqB,CAAA,CAAE,OAAA,CAAA,CAAS,GAAA,EAAK,GAAA,EAAK,MAAA,EAAQ,CAAA,GAAI,WAAA,CAAY,CAAA,CAAE,KAAA,CAAM,CAAA;;;;;iBA6C1E,YAAA,GAAA,CAAgB,MAAA,EAAQ,WAAA,CAAY,CAAA,IAAK,MAAA,IAAU,QAAA;;;;;;;AF/HnE;;cGKa,iBAAA;EAAA,QACQ,EAAA;cAAA,EAAA,EAAI,MAAA,CAAO,QAAA;EHL/B;;;EGUM,GAAA,aAAA,CAAiB,IAAA,WAAe,OAAA,CAAQ,CAAA;EHHzC;;AAMN;EGYO,YAAA,GAAA,CAAgB,IAAA,UAAc,YAAA,EAAc,CAAA,GAAI,OAAA,CAAQ,CAAA;;;;EAQxD,GAAA,aAAA,CAAiB,IAAA,UAAc,KAAA,EAAO,CAAA,GAAI,OAAA;EHlBjB;;;;;;;;EGwCzB,WAAA,aAAA,CAAyB,IAAA,UAAc,KAAA,EAAO,CAAA,GAAI,OAAA;EH/BxB;;;EGmD1B,MAAA,CAAO,IAAA,WAAe,OAAA;EHhDf;;;EGyDP,MAAA,CAAO,IAAA,WAAe,OAAA;EHhDb;;;EG6DT,OAAA,aAAA,CAAqB,KAAA,aAAkB,OAAA,CAAQ,GAAA,SAAY,CAAA;EHtEpD;;;EG0FP,OAAA,aAAA,CAAqB,OAAA,EAAS,MAAA,SAAe,CAAA,IAAK,OAAA;EHpFtD;;;EGgGI,MAAA,CAAA,GAAU,OAAA,CAAQ,GAAA;EH7Ff;;;EG0GH,WAAA,aAAA,CAAyB,MAAA,WAAiB,OAAA,CAAQ,GAAA,SAAY,CAAA;EHvG/B;;;EG0H/B,cAAA,CAAe,MAAA,WAAiB,OAAA;AAAA"}
+{"version":3,"file":"options-D4MnavW_.d.mts","names":[],"sources":["../src/api/types.ts","../src/api/error.ts","../src/api/parse.ts","../src/database/repositories/options.ts"],"mappings":";;;;;;;;AASA;UAAiB,YAAA;EAChB,KAAA,EAAO,CAAA;EACP,UAAA;EAF6B;;;;;EAQ7B,KAAA;AAAA;AAMD;;;AAAA,UAAiB,mBAAA,SAA4B,YAAA,CAAa,WAAA;AAAA,UAEzC,eAAA;EAChB,IAAA,EAAM,WAAA;;EAEN,IAAA;AAAA;;;;UAMgB,gBAAA;EAChB,OAAA;EACA,IAAA;EACA,WAAA,EAAa,MAAA;IAGX,KAAA;IACA,aAAA;IACA,QAAA;IACA,MAAA,EAAQ,MAAA,SAAe,eAAA;EAAA;EAGzB,OAAA,EAAS,MAAA;IAGP,UAAA,GAAa,KAAA;MAAQ,IAAA;MAAc,SAAA;IAAA;IACnC,OAAA;EAAA;AAAA;AAAA,UAKc,eAAA;EAChB,IAAA;EACA,KAAA;EACA,QAAA;EAZA;;;;EAiBA,OAAA,GAAU,KAAA;IAAQ,KAAA;IAAe,KAAA;EAAA,KAAmB,MAAA;AAAA;AARrD;;;;;;;;;;;;AAAA,KAuBY,SAAA;EACP,OAAA;EAAe,IAAA,EAAM,CAAA;AAAA;EAEvB,OAAA;EACA,KAAA;IAAS,IAAA,EAAM,CAAA;IAAG,OAAA;IAAiB,OAAA,GAAU,MAAA;EAAA;AAAA;;;;UAM/B,UAAA;EAChB,MAAA;EACA,QAAA;AAAA;;;;;;;;;iBC5De,QAAA,CACf,IAAA,UACA,OAAA,UACA,MAAA,UACA,OAAA,GAAU,MAAA,oBACR,QAAA;;;ADZH;;;;iBC2BgB,UAAA,GAAA,CAAc,IAAA,EAAM,CAAA,EAAG,MAAA,YAAe,QAAA;ADzBtD;;;;;;;;AAAA,iBCqCgB,WAAA,CACf,KAAA,WACA,eAAA,UACA,YAAA,WACE,QAAA;;;;;;;KChDS,WAAA,MAAiB,CAAA,GAAI,QAAA;;;;;;AFKjC;iBEGsB,SAAA,WAAoB,CAAA,CAAE,OAAA,CAAA,CAC3C,OAAA,EAAS,OAAA,EACT,MAAA,EAAQ,CAAA,GACN,OAAA,CAAQ,WAAA,CAAY,CAAA,CAAE,KAAA,CAAM,CAAA;;;;;;AFK/B;;iBEyDgB,UAAA,WAAqB,CAAA,CAAE,OAAA,CAAA,CAAS,GAAA,EAAK,GAAA,EAAK,MAAA,EAAQ,CAAA,GAAI,WAAA,CAAY,CAAA,CAAE,KAAA,CAAM,CAAA;;;;;iBA6C1E,YAAA,GAAA,CAAgB,MAAA,EAAQ,WAAA,CAAY,CAAA,IAAK,MAAA,IAAU,QAAA;;;;;;;AF/HnE;;cGKa,iBAAA;EAAA,QACQ,EAAA;cAAA,EAAA,EAAI,MAAA,CAAO,QAAA;EHL/B;;;EGUM,GAAA,aAAA,CAAiB,IAAA,WAAe,OAAA,CAAQ,CAAA;EHHzC;;AAMN;EGYO,YAAA,GAAA,CAAgB,IAAA,UAAc,YAAA,EAAc,CAAA,GAAI,OAAA,CAAQ,CAAA;;;;EAQxD,GAAA,aAAA,CAAiB,IAAA,UAAc,KAAA,EAAO,CAAA,GAAI,OAAA;EHlBjB;;;;;;;;EGwCzB,WAAA,aAAA,CAAyB,IAAA,UAAc,KAAA,EAAO,CAAA,GAAI,OAAA;EH/BxB;;;EGmD1B,MAAA,CAAO,IAAA,WAAe,OAAA;EHhDf;;;EGyDP,MAAA,CAAO,IAAA,WAAe,OAAA;EHhDb;;;EG6DT,OAAA,aAAA,CAAqB,KAAA,aAAkB,OAAA,CAAQ,GAAA,SAAY,CAAA;EHtEpD;;;EG0FP,OAAA,aAAA,CAAqB,OAAA,EAAS,MAAA,SAAe,CAAA,IAAK,OAAA;EHpFtD;;;EGgGI,MAAA,CAAA,GAAU,OAAA,CAAQ,GAAA;EH7Ff;;;EG0GH,WAAA,aAAA,CAAyB,MAAA,WAAiB,OAAA,CAAQ,GAAA,SAAY,CAAA;EHvG/B;;;EG0H/B,cAAA,CAAe,MAAA,WAAiB,OAAA;AAAA"}

package/dist/{parse-B-K21lvm.mjs → parse-CrGndy1A.mjs}

@@ -1,4 +1,4 @@
-import { t as apiError } from "./error-Bk9s3Ism.mjs";
+import { t as apiError } from "./error-RwM4dD35.mjs";
 import { z } from "zod";
 
 //#region src/api/parse.ts
@@ -86,4 +86,4 @@ function isParseError(result) {
 
 //#endregion
 export { parseQuery as i, parseBody as n, parseOptionalBody as r, isParseError as t };
-//# sourceMappingURL=parse-B-K21lvm.mjs.map
+//# sourceMappingURL=parse-CrGndy1A.mjs.map

package/dist/{parse-B-K21lvm.mjs.map → parse-CrGndy1A.mjs.map}

@@ -1 +1 @@
-{"version":3,"file":"parse-B-K21lvm.mjs","names":[],"sources":["../src/api/parse.ts"],"sourcesContent":["/**\n * Request body and query parameter parsing with Zod validation.\n *\n * All API routes should use these utilities instead of `request.json() as T`\n * or raw `url.searchParams.get()` with manual coercion.\n */\n\nimport { z } from \"zod\";\n\nimport { apiError } from \"./error.js\";\n\n/** Maximum allowed JSON request body size (10 MB). */\nconst MAX_BODY_SIZE = 10 * 1024 * 1024;\n\n/**\n * Result of parsing: either the validated data or an error Response.\n * Routes should check `if (result instanceof Response) return result;`\n */\nexport type ParseResult<T> = T | Response;\n\n/**\n * Parse and validate a JSON request body against a Zod schema.\n *\n * Returns the validated data on success, or a 400 Response on failure.\n * Replaces all `(await request.json()) as T` casts.\n */\nexport async function parseBody<T extends z.ZodType>(\n\trequest: Request,\n\tschema: T,\n): Promise<ParseResult<z.infer<T>>> {\n\t// Best-effort size check via Content-Length (can be absent with chunked encoding)\n\tconst contentLength = request.headers.get(\"Content-Length\");\n\tif (contentLength && parseInt(contentLength, 10) > MAX_BODY_SIZE) {\n\t\treturn apiError(\"PAYLOAD_TOO_LARGE\", \"Request body too large\", 413);\n\t}\n\n\tlet raw: unknown;\n\ttry {\n\t\traw = await request.json();\n\t} catch {\n\t\treturn apiError(\"INVALID_JSON\", \"Request body must be valid JSON\", 400);\n\t}\n\n\treturn validate(schema, raw);\n}\n\n/**\n * Parse and validate an optional JSON request body.\n *\n * Returns `defaultValue` if the body is empty, or the validated data if present.\n * For endpoints where the body is optional (e.g., preview-url, confirm).\n */\nexport async function parseOptionalBody<T extends z.ZodType>(\n\trequest: Request,\n\tschema: T,\n\tdefaultValue: z.infer<T>,\n): Promise<ParseResult<z.infer<T>>> {\n\t// Best-effort size check via Content-Length (can be absent with chunked encoding)\n\tconst contentLength = request.headers.get(\"Content-Length\");\n\tif (contentLength && parseInt(contentLength, 10) > MAX_BODY_SIZE) {\n\t\treturn apiError(\"PAYLOAD_TOO_LARGE\", \"Request body too large\", 413);\n\t}\n\n\tlet text: string;\n\ttry {\n\t\ttext = await request.text();\n\t} catch {\n\t\treturn defaultValue;\n\t}\n\n\tif (!text.trim()) {\n\t\treturn defaultValue;\n\t}\n\n\tlet raw: unknown;\n\ttry {\n\t\traw = JSON.parse(text);\n\t} catch {\n\t\treturn apiError(\"INVALID_JSON\", \"Request body must be valid JSON\", 400);\n\t}\n\n\treturn validate(schema, raw);\n}\n\n/**\n * Parse and validate URL search params against a Zod schema.\n *\n * Converts searchParams to a plain object before validation.\n * Zod coercion handles string -> number/boolean conversion.\n * Replaces manual `url.searchParams.get()` + `parseInt()` patterns.\n */\nexport function parseQuery<T extends z.ZodType>(url: URL, schema: T): ParseResult<z.infer<T>> {\n\tconst raw: Record<string, string> = {};\n\tfor (const [key, value] of url.searchParams) {\n\t\traw[key] = value;\n\t}\n\treturn validate(schema, raw);\n}\n\n/**\n * Validate raw data against a schema. Returns data or error Response.\n */\nfunction validate<T extends z.ZodType>(schema: T, data: unknown): ParseResult<z.infer<T>> {\n\tconst result = schema.safeParse(data);\n\n\tif (result.success) {\n\t\treturn result.data as z.infer<T>;\n\t}\n\n\t// Format Zod errors into a readable structure\n\tconst issues = result.error.issues.map((issue: z.ZodIssue) => ({\n\t\tpath: issue.path.join(\".\"),\n\t\tmessage: issue.message,\n\t}));\n\n\treturn Response.json(\n\t\t{\n\t\t\terror: {\n\t\t\t\tcode: \"VALIDATION_ERROR\",\n\t\t\t\tmessage: \"Invalid request data\",\n\t\t\t\tdetails: { issues },\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\tstatus: 400,\n\t\t\theaders: {\n\t\t\t\t\"Cache-Control\": \"private, no-store\",\n\t\t\t},\n\t\t},\n\t);\n}\n\n/**\n * Type guard to check if a ParseResult is an error Response.\n * Usage: `if (isParseError(result)) return result;`\n */\nexport function isParseError<T>(result: ParseResult<T>): result is Response {\n\treturn result instanceof Response;\n}\n"],"mappings":";;;;;AAYA,MAAM,gBAAgB,KAAK,OAAO;;;;;;;AAclC,eAAsB,UACrB,SACA,QACmC;CAEnC,MAAM,gBAAgB,QAAQ,QAAQ,IAAI,iBAAiB;AAC3D,KAAI,iBAAiB,SAAS,eAAe,GAAG,GAAG,cAClD,QAAO,SAAS,qBAAqB,0BAA0B,IAAI;CAGpE,IAAI;AACJ,KAAI;AACH,QAAM,MAAM,QAAQ,MAAM;SACnB;AACP,SAAO,SAAS,gBAAgB,mCAAmC,IAAI;;AAGxE,QAAO,SAAS,QAAQ,IAAI;;;;;;;;AAS7B,eAAsB,kBACrB,SACA,QACA,cACmC;CAEnC,MAAM,gBAAgB,QAAQ,QAAQ,IAAI,iBAAiB;AAC3D,KAAI,iBAAiB,SAAS,eAAe,GAAG,GAAG,cAClD,QAAO,SAAS,qBAAqB,0BAA0B,IAAI;CAGpE,IAAI;AACJ,KAAI;AACH,SAAO,MAAM,QAAQ,MAAM;SACpB;AACP,SAAO;;AAGR,KAAI,CAAC,KAAK,MAAM,CACf,QAAO;CAGR,IAAI;AACJ,KAAI;AACH,QAAM,KAAK,MAAM,KAAK;SACf;AACP,SAAO,SAAS,gBAAgB,mCAAmC,IAAI;;AAGxE,QAAO,SAAS,QAAQ,IAAI;;;;;;;;;AAU7B,SAAgB,WAAgC,KAAU,QAAoC;CAC7F,MAAM,MAA8B,EAAE;AACtC,MAAK,MAAM,CAAC,KAAK,UAAU,IAAI,aAC9B,KAAI,OAAO;AAEZ,QAAO,SAAS,QAAQ,IAAI;;;;;AAM7B,SAAS,SAA8B,QAAW,MAAwC;CACzF,MAAM,SAAS,OAAO,UAAU,KAAK;AAErC,KAAI,OAAO,QACV,QAAO,OAAO;CAIf,MAAM,SAAS,OAAO,MAAM,OAAO,KAAK,WAAuB;EAC9D,MAAM,MAAM,KAAK,KAAK,IAAI;EAC1B,SAAS,MAAM;EACf,EAAE;AAEH,QAAO,SAAS,KACf,EACC,OAAO;EACN,MAAM;EACN,SAAS;EACT,SAAS,EAAE,QAAQ;EACnB,EACD,EACD;EACC,QAAQ;EACR,SAAS,EACR,iBAAiB,qBACjB;EACD,CACD;;;;;;AAOF,SAAgB,aAAgB,QAA4C;AAC3E,QAAO,kBAAkB"}
+{"version":3,"file":"parse-CrGndy1A.mjs","names":[],"sources":["../src/api/parse.ts"],"sourcesContent":["/**\n * Request body and query parameter parsing with Zod validation.\n *\n * All API routes should use these utilities instead of `request.json() as T`\n * or raw `url.searchParams.get()` with manual coercion.\n */\n\nimport { z } from \"zod\";\n\nimport { apiError } from \"./error.js\";\n\n/** Maximum allowed JSON request body size (10 MB). */\nconst MAX_BODY_SIZE = 10 * 1024 * 1024;\n\n/**\n * Result of parsing: either the validated data or an error Response.\n * Routes should check `if (result instanceof Response) return result;`\n */\nexport type ParseResult<T> = T | Response;\n\n/**\n * Parse and validate a JSON request body against a Zod schema.\n *\n * Returns the validated data on success, or a 400 Response on failure.\n * Replaces all `(await request.json()) as T` casts.\n */\nexport async function parseBody<T extends z.ZodType>(\n\trequest: Request,\n\tschema: T,\n): Promise<ParseResult<z.infer<T>>> {\n\t// Best-effort size check via Content-Length (can be absent with chunked encoding)\n\tconst contentLength = request.headers.get(\"Content-Length\");\n\tif (contentLength && parseInt(contentLength, 10) > MAX_BODY_SIZE) {\n\t\treturn apiError(\"PAYLOAD_TOO_LARGE\", \"Request body too large\", 413);\n\t}\n\n\tlet raw: unknown;\n\ttry {\n\t\traw = await request.json();\n\t} catch {\n\t\treturn apiError(\"INVALID_JSON\", \"Request body must be valid JSON\", 400);\n\t}\n\n\treturn validate(schema, raw);\n}\n\n/**\n * Parse and validate an optional JSON request body.\n *\n * Returns `defaultValue` if the body is empty, or the validated data if present.\n * For endpoints where the body is optional (e.g., preview-url, confirm).\n */\nexport async function parseOptionalBody<T extends z.ZodType>(\n\trequest: Request,\n\tschema: T,\n\tdefaultValue: z.infer<T>,\n): Promise<ParseResult<z.infer<T>>> {\n\t// Best-effort size check via Content-Length (can be absent with chunked encoding)\n\tconst contentLength = request.headers.get(\"Content-Length\");\n\tif (contentLength && parseInt(contentLength, 10) > MAX_BODY_SIZE) {\n\t\treturn apiError(\"PAYLOAD_TOO_LARGE\", \"Request body too large\", 413);\n\t}\n\n\tlet text: string;\n\ttry {\n\t\ttext = await request.text();\n\t} catch {\n\t\treturn defaultValue;\n\t}\n\n\tif (!text.trim()) {\n\t\treturn defaultValue;\n\t}\n\n\tlet raw: unknown;\n\ttry {\n\t\traw = JSON.parse(text);\n\t} catch {\n\t\treturn apiError(\"INVALID_JSON\", \"Request body must be valid JSON\", 400);\n\t}\n\n\treturn validate(schema, raw);\n}\n\n/**\n * Parse and validate URL search params against a Zod schema.\n *\n * Converts searchParams to a plain object before validation.\n * Zod coercion handles string -> number/boolean conversion.\n * Replaces manual `url.searchParams.get()` + `parseInt()` patterns.\n */\nexport function parseQuery<T extends z.ZodType>(url: URL, schema: T): ParseResult<z.infer<T>> {\n\tconst raw: Record<string, string> = {};\n\tfor (const [key, value] of url.searchParams) {\n\t\traw[key] = value;\n\t}\n\treturn validate(schema, raw);\n}\n\n/**\n * Validate raw data against a schema. Returns data or error Response.\n */\nfunction validate<T extends z.ZodType>(schema: T, data: unknown): ParseResult<z.infer<T>> {\n\tconst result = schema.safeParse(data);\n\n\tif (result.success) {\n\t\treturn result.data as z.infer<T>;\n\t}\n\n\t// Format Zod errors into a readable structure\n\tconst issues = result.error.issues.map((issue: z.ZodIssue) => ({\n\t\tpath: issue.path.join(\".\"),\n\t\tmessage: issue.message,\n\t}));\n\n\treturn Response.json(\n\t\t{\n\t\t\terror: {\n\t\t\t\tcode: \"VALIDATION_ERROR\",\n\t\t\t\tmessage: \"Invalid request data\",\n\t\t\t\tdetails: { issues },\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\tstatus: 400,\n\t\t\theaders: {\n\t\t\t\t\"Cache-Control\": \"private, no-store\",\n\t\t\t},\n\t\t},\n\t);\n}\n\n/**\n * Type guard to check if a ParseResult is an error Response.\n * Usage: `if (isParseError(result)) return result;`\n */\nexport function isParseError<T>(result: ParseResult<T>): result is Response {\n\treturn result instanceof Response;\n}\n"],"mappings":";;;;;AAYA,MAAM,gBAAgB,KAAK,OAAO;;;;;;;AAclC,eAAsB,UACrB,SACA,QACmC;CAEnC,MAAM,gBAAgB,QAAQ,QAAQ,IAAI,iBAAiB;AAC3D,KAAI,iBAAiB,SAAS,eAAe,GAAG,GAAG,cAClD,QAAO,SAAS,qBAAqB,0BAA0B,IAAI;CAGpE,IAAI;AACJ,KAAI;AACH,QAAM,MAAM,QAAQ,MAAM;SACnB;AACP,SAAO,SAAS,gBAAgB,mCAAmC,IAAI;;AAGxE,QAAO,SAAS,QAAQ,IAAI;;;;;;;;AAS7B,eAAsB,kBACrB,SACA,QACA,cACmC;CAEnC,MAAM,gBAAgB,QAAQ,QAAQ,IAAI,iBAAiB;AAC3D,KAAI,iBAAiB,SAAS,eAAe,GAAG,GAAG,cAClD,QAAO,SAAS,qBAAqB,0BAA0B,IAAI;CAGpE,IAAI;AACJ,KAAI;AACH,SAAO,MAAM,QAAQ,MAAM;SACpB;AACP,SAAO;;AAGR,KAAI,CAAC,KAAK,MAAM,CACf,QAAO;CAGR,IAAI;AACJ,KAAI;AACH,QAAM,KAAK,MAAM,KAAK;SACf;AACP,SAAO,SAAS,gBAAgB,mCAAmC,IAAI;;AAGxE,QAAO,SAAS,QAAQ,IAAI;;;;;;;;;AAU7B,SAAgB,WAAgC,KAAU,QAAoC;CAC7F,MAAM,MAA8B,EAAE;AACtC,MAAK,MAAM,CAAC,KAAK,UAAU,IAAI,aAC9B,KAAI,OAAO;AAEZ,QAAO,SAAS,QAAQ,IAAI;;;;;AAM7B,SAAS,SAA8B,QAAW,MAAwC;CACzF,MAAM,SAAS,OAAO,UAAU,KAAK;AAErC,KAAI,OAAO,QACV,QAAO,OAAO;CAIf,MAAM,SAAS,OAAO,MAAM,OAAO,KAAK,WAAuB;EAC9D,MAAM,MAAM,KAAK,KAAK,IAAI;EAC1B,SAAS,MAAM;EACf,EAAE;AAEH,QAAO,SAAS,KACf,EACC,OAAO;EACN,MAAM;EACN,SAAS;EACT,SAAS,EAAE,QAAQ;EACnB,EACD,EACD;EACC,QAAQ;EACR,SAAS,EACR,iBAAiB,qBACjB;EACD,CACD;;;;;;AAOF,SAAgB,aAAgB,QAA4C;AAC3E,QAAO,kBAAkB"}

package/dist/{patterns-CqG5Ya3i.mjs → patterns-p-RBdTbM.mjs}

@@ -142,4 +142,4 @@ function interpolateDestination(destination, params) {
 
 //#endregion
 export { validateDestinationParams as a, matchPattern as i, interpolateDestination as n, validatePattern as o, isPattern as r, compilePattern as t };
-//# sourceMappingURL=patterns-CqG5Ya3i.mjs.map
+//# sourceMappingURL=patterns-p-RBdTbM.mjs.map

package/dist/{patterns-CqG5Ya3i.mjs.map → patterns-p-RBdTbM.mjs.map}

@@ -1 +1 @@
-{"version":3,"file":"patterns-CqG5Ya3i.mjs","names":[],"sources":["../src/redirects/patterns.ts"],"sourcesContent":["/**\n * URL pattern matching for redirects.\n *\n * Uses Astro's route syntax: [param] for named segments, [...rest] for catch-all.\n * Compiles patterns to safe regexes -- no user-supplied regex, no ReDoS risk.\n *\n * @example\n * ```ts\n * const compiled = compilePattern(\"/old-blog/[...path]\");\n * const match = matchPattern(compiled, \"/old-blog/2024/01/post\");\n * // match = { path: \"2024/01/post\" }\n *\n * interpolateDestination(\"/blog/[...path]\", match);\n * // \"/blog/2024/01/post\"\n * ```\n */\n\n/** Matches [paramName] placeholders */\nconst PARAM_PATTERN = /\\[(\\w+)\\]/g;\n\n/** Matches [...splatName] placeholders */\nconst SPLAT_PATTERN = /\\[\\.\\.\\.(\\w+)\\]/g;\n\n/** Combined pattern for validation: matches both [param] and [...splat] */\nconst ANY_PLACEHOLDER = /\\[(?:\\.\\.\\.)?(\\w+)\\]/g;\n\n/** Nested brackets check: [foo[ */\nconst NESTED_BRACKETS = /\\[[^\\]]*\\[/;\n\n/** Empty brackets: [] */\nconst EMPTY_BRACKETS = /\\[\\]/;\n\n/** Count open brackets */\nconst OPEN_BRACKET = /\\[/g;\n\n/** Count close brackets */\nconst CLOSE_BRACKET = /\\]/g;\n\n/** Split on capture groups in compiled regex string */\nconst CAPTURE_GROUP_SPLIT = /(\\([^)]+\\))/;\n\n/** Escape regex-special characters in literal parts */\nconst REGEX_SPECIAL_CHARS = /[.*+?^${}|\\\\]/g;\n\nexport interface CompiledPattern {\n\tregex: RegExp;\n\tparamNames: string[];\n\tsource: string;\n}\n\n/**\n * Returns true if a source string contains [param] or [...splat] placeholders.\n */\nexport function isPattern(source: string): boolean {\n\t// Use match() instead of test() to avoid lastIndex issues with the global regex\n\treturn source.match(ANY_PLACEHOLDER) !== null;\n}\n\n/**\n * Validate that a pattern string is well-formed.\n * Returns null if valid, or an error message if invalid.\n */\nexport function validatePattern(source: string): string | null {\n\tif (!source.startsWith(\"/\")) {\n\t\treturn \"Pattern must start with /\";\n\t}\n\n\t// Check for nested brackets\n\tif (NESTED_BRACKETS.test(source)) {\n\t\treturn \"Nested brackets are not allowed\";\n\t}\n\n\t// Check for empty brackets\n\tif (EMPTY_BRACKETS.test(source)) {\n\t\treturn \"Empty brackets are not allowed\";\n\t}\n\n\t// Check for unmatched brackets\n\tconst openCount = (source.match(OPEN_BRACKET) ?? []).length;\n\tconst closeCount = (source.match(CLOSE_BRACKET) ?? []).length;\n\tif (openCount !== closeCount) {\n\t\treturn \"Unmatched brackets\";\n\t}\n\n\t// Check that [...splat] is only in the last segment\n\tconst segments = source.split(\"/\").filter(Boolean);\n\tfor (let i = 0; i < segments.length; i++) {\n\t\tconst segment = segments[i];\n\t\tif (SPLAT_PATTERN.test(segment) && i !== segments.length - 1) {\n\t\t\tSPLAT_PATTERN.lastIndex = 0;\n\t\t\treturn \"Catch-all [...param] must be in the last segment\";\n\t\t}\n\t\tSPLAT_PATTERN.lastIndex = 0;\n\t}\n\n\t// Check that a segment is either all literal or a single placeholder\n\tfor (const segment of segments) {\n\t\tconst placeholders = segment.match(ANY_PLACEHOLDER);\n\t\tif (placeholders && placeholders.length > 1) {\n\t\t\treturn \"Each segment can contain at most one placeholder\";\n\t\t}\n\t\tif (placeholders && placeholders[0] !== segment) {\n\t\t\treturn \"A placeholder must be the entire segment, not mixed with literal text\";\n\t\t}\n\t}\n\n\t// Check for duplicate param names\n\tconst names: string[] = [];\n\tfor (const m of source.matchAll(ANY_PLACEHOLDER)) {\n\t\tconst name = m[1];\n\t\tif (names.includes(name)) {\n\t\t\treturn `Duplicate parameter name: ${name}`;\n\t\t}\n\t\tnames.push(name);\n\t}\n\n\treturn null;\n}\n\n/**\n * Validate that all placeholders in a destination exist in the source.\n * Returns null if valid, or an error message if invalid.\n */\nexport function validateDestinationParams(source: string, destination: string): string | null {\n\tconst sourceNames = new Set<string>();\n\tfor (const m of source.matchAll(ANY_PLACEHOLDER)) {\n\t\tsourceNames.add(m[1]);\n\t}\n\n\tfor (const m of destination.matchAll(ANY_PLACEHOLDER)) {\n\t\tconst name = m[1];\n\t\tif (!sourceNames.has(name)) {\n\t\t\treturn `Destination references [${name}] which is not captured in the source pattern`;\n\t\t}\n\t}\n\n\treturn null;\n}\n\n/**\n * Compile a URL pattern into a regex for matching.\n *\n * - `[param]` matches a single path segment (`[^/]+`)\n * - `[...rest]` matches one or more remaining segments (`.+`)\n */\nexport function compilePattern(source: string): CompiledPattern {\n\tconst paramNames: string[] = [];\n\n\t// Replace [...splat] first (before [param]) since [...x] contains [x]\n\tlet regexStr = source.replace(SPLAT_PATTERN, (_match, name: string) => {\n\t\tparamNames.push(name);\n\t\treturn \"(.+)\";\n\t});\n\n\t// Then replace [param]\n\tregexStr = regexStr.replace(PARAM_PATTERN, (_match, name: string) => {\n\t\tparamNames.push(name);\n\t\treturn \"([^/]+)\";\n\t});\n\n\t// Escape any regex-special characters in the literal parts\n\t// We need to be careful: the replacement groups are already valid regex\n\t// Split on capture groups, escape literals, rejoin\n\tconst parts = regexStr.split(CAPTURE_GROUP_SPLIT);\n\tconst escaped = parts\n\t\t.map((part, i) => {\n\t\t\t// Odd indices are the capture groups -- leave them alone\n\t\t\tif (i % 2 === 1) return part;\n\t\t\t// Even indices are literal text -- escape special regex chars\n\t\t\treturn part.replace(REGEX_SPECIAL_CHARS, \"\\\\$&\");\n\t\t})\n\t\t.join(\"\");\n\n\treturn {\n\t\tregex: new RegExp(`^${escaped}$`),\n\t\tparamNames,\n\t\tsource,\n\t};\n}\n\n/**\n * Match a path against a compiled pattern.\n * Returns captured params or null if no match.\n */\nexport function matchPattern(\n\tcompiled: CompiledPattern,\n\tpath: string,\n): Record<string, string> | null {\n\tconst match = path.match(compiled.regex);\n\tif (!match) return null;\n\n\tconst params: Record<string, string> = {};\n\tfor (let i = 0; i < compiled.paramNames.length; i++) {\n\t\tconst value = match[i + 1];\n\t\tif (value !== undefined) {\n\t\t\tparams[compiled.paramNames[i]] = value;\n\t\t}\n\t}\n\treturn params;\n}\n\n/**\n * Interpolate captured params into a destination pattern.\n *\n * @example\n * interpolateDestination(\"/blog/[...path]\", { path: \"2024/01/post\" })\n * // \"/blog/2024/01/post\"\n */\nexport function interpolateDestination(\n\tdestination: string,\n\tparams: Record<string, string>,\n): string {\n\t// Replace [...splat] first\n\tlet result = destination.replace(SPLAT_PATTERN, (_match, name: string) => {\n\t\treturn params[name] ?? \"\";\n\t});\n\n\t// Then [param]\n\tresult = result.replace(PARAM_PATTERN, (_match, name: string) => {\n\t\treturn params[name] ?? \"\";\n\t});\n\n\treturn result;\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;AAkBA,MAAM,gBAAgB;;AAGtB,MAAM,gBAAgB;;AAGtB,MAAM,kBAAkB;;AAGxB,MAAM,kBAAkB;;AAGxB,MAAM,iBAAiB;;AAGvB,MAAM,eAAe;;AAGrB,MAAM,gBAAgB;;AAGtB,MAAM,sBAAsB;;AAG5B,MAAM,sBAAsB;;;;AAW5B,SAAgB,UAAU,QAAyB;AAElD,QAAO,OAAO,MAAM,gBAAgB,KAAK;;;;;;AAO1C,SAAgB,gBAAgB,QAA+B;AAC9D,KAAI,CAAC,OAAO,WAAW,IAAI,CAC1B,QAAO;AAIR,KAAI,gBAAgB,KAAK,OAAO,CAC/B,QAAO;AAIR,KAAI,eAAe,KAAK,OAAO,CAC9B,QAAO;AAMR,MAFmB,OAAO,MAAM,aAAa,IAAI,EAAE,EAAE,YACjC,OAAO,MAAM,cAAc,IAAI,EAAE,EAAE,OAEtD,QAAO;CAIR,MAAM,WAAW,OAAO,MAAM,IAAI,CAAC,OAAO,QAAQ;AAClD,MAAK,IAAI,IAAI,GAAG,IAAI,SAAS,QAAQ,KAAK;EACzC,MAAM,UAAU,SAAS;AACzB,MAAI,cAAc,KAAK,QAAQ,IAAI,MAAM,SAAS,SAAS,GAAG;AAC7D,iBAAc,YAAY;AAC1B,UAAO;;AAER,gBAAc,YAAY;;AAI3B,MAAK,MAAM,WAAW,UAAU;EAC/B,MAAM,eAAe,QAAQ,MAAM,gBAAgB;AACnD,MAAI,gBAAgB,aAAa,SAAS,EACzC,QAAO;AAER,MAAI,gBAAgB,aAAa,OAAO,QACvC,QAAO;;CAKT,MAAM,QAAkB,EAAE;AAC1B,MAAK,MAAM,KAAK,OAAO,SAAS,gBAAgB,EAAE;EACjD,MAAM,OAAO,EAAE;AACf,MAAI,MAAM,SAAS,KAAK,CACvB,QAAO,6BAA6B;AAErC,QAAM,KAAK,KAAK;;AAGjB,QAAO;;;;;;AAOR,SAAgB,0BAA0B,QAAgB,aAAoC;CAC7F,MAAM,8BAAc,IAAI,KAAa;AACrC,MAAK,MAAM,KAAK,OAAO,SAAS,gBAAgB,CAC/C,aAAY,IAAI,EAAE,GAAG;AAGtB,MAAK,MAAM,KAAK,YAAY,SAAS,gBAAgB,EAAE;EACtD,MAAM,OAAO,EAAE;AACf,MAAI,CAAC,YAAY,IAAI,KAAK,CACzB,QAAO,2BAA2B,KAAK;;AAIzC,QAAO;;;;;;;;AASR,SAAgB,eAAe,QAAiC;CAC/D,MAAM,aAAuB,EAAE;CAG/B,IAAI,WAAW,OAAO,QAAQ,gBAAgB,QAAQ,SAAiB;AACtE,aAAW,KAAK,KAAK;AACrB,SAAO;GACN;AAGF,YAAW,SAAS,QAAQ,gBAAgB,QAAQ,SAAiB;AACpE,aAAW,KAAK,KAAK;AACrB,SAAO;GACN;CAMF,MAAM,UADQ,SAAS,MAAM,oBAAoB,CAE/C,KAAK,MAAM,MAAM;AAEjB,MAAI,IAAI,MAAM,EAAG,QAAO;AAExB,SAAO,KAAK,QAAQ,qBAAqB,OAAO;GAC/C,CACD,KAAK,GAAG;AAEV,QAAO;EACN,OAAO,IAAI,OAAO,IAAI,QAAQ,GAAG;EACjC;EACA;EACA;;;;;;AAOF,SAAgB,aACf,UACA,MACgC;CAChC,MAAM,QAAQ,KAAK,MAAM,SAAS,MAAM;AACxC,KAAI,CAAC,MAAO,QAAO;CAEnB,MAAM,SAAiC,EAAE;AACzC,MAAK,IAAI,IAAI,GAAG,IAAI,SAAS,WAAW,QAAQ,KAAK;EACpD,MAAM,QAAQ,MAAM,IAAI;AACxB,MAAI,UAAU,OACb,QAAO,SAAS,WAAW,MAAM;;AAGnC,QAAO;;;;;;;;;AAUR,SAAgB,uBACf,aACA,QACS;CAET,IAAI,SAAS,YAAY,QAAQ,gBAAgB,QAAQ,SAAiB;AACzE,SAAO,OAAO,SAAS;GACtB;AAGF,UAAS,OAAO,QAAQ,gBAAgB,QAAQ,SAAiB;AAChE,SAAO,OAAO,SAAS;GACtB;AAEF,QAAO"}
+{"version":3,"file":"patterns-p-RBdTbM.mjs","names":[],"sources":["../src/redirects/patterns.ts"],"sourcesContent":["/**\n * URL pattern matching for redirects.\n *\n * Uses Astro's route syntax: [param] for named segments, [...rest] for catch-all.\n * Compiles patterns to safe regexes -- no user-supplied regex, no ReDoS risk.\n *\n * @example\n * ```ts\n * const compiled = compilePattern(\"/old-blog/[...path]\");\n * const match = matchPattern(compiled, \"/old-blog/2024/01/post\");\n * // match = { path: \"2024/01/post\" }\n *\n * interpolateDestination(\"/blog/[...path]\", match);\n * // \"/blog/2024/01/post\"\n * ```\n */\n\n/** Matches [paramName] placeholders */\nconst PARAM_PATTERN = /\\[(\\w+)\\]/g;\n\n/** Matches [...splatName] placeholders */\nconst SPLAT_PATTERN = /\\[\\.\\.\\.(\\w+)\\]/g;\n\n/** Combined pattern for validation: matches both [param] and [...splat] */\nconst ANY_PLACEHOLDER = /\\[(?:\\.\\.\\.)?(\\w+)\\]/g;\n\n/** Nested brackets check: [foo[ */\nconst NESTED_BRACKETS = /\\[[^\\]]*\\[/;\n\n/** Empty brackets: [] */\nconst EMPTY_BRACKETS = /\\[\\]/;\n\n/** Count open brackets */\nconst OPEN_BRACKET = /\\[/g;\n\n/** Count close brackets */\nconst CLOSE_BRACKET = /\\]/g;\n\n/** Split on capture groups in compiled regex string */\nconst CAPTURE_GROUP_SPLIT = /(\\([^)]+\\))/;\n\n/** Escape regex-special characters in literal parts */\nconst REGEX_SPECIAL_CHARS = /[.*+?^${}|\\\\]/g;\n\nexport interface CompiledPattern {\n\tregex: RegExp;\n\tparamNames: string[];\n\tsource: string;\n}\n\n/**\n * Returns true if a source string contains [param] or [...splat] placeholders.\n */\nexport function isPattern(source: string): boolean {\n\t// Use match() instead of test() to avoid lastIndex issues with the global regex\n\treturn source.match(ANY_PLACEHOLDER) !== null;\n}\n\n/**\n * Validate that a pattern string is well-formed.\n * Returns null if valid, or an error message if invalid.\n */\nexport function validatePattern(source: string): string | null {\n\tif (!source.startsWith(\"/\")) {\n\t\treturn \"Pattern must start with /\";\n\t}\n\n\t// Check for nested brackets\n\tif (NESTED_BRACKETS.test(source)) {\n\t\treturn \"Nested brackets are not allowed\";\n\t}\n\n\t// Check for empty brackets\n\tif (EMPTY_BRACKETS.test(source)) {\n\t\treturn \"Empty brackets are not allowed\";\n\t}\n\n\t// Check for unmatched brackets\n\tconst openCount = (source.match(OPEN_BRACKET) ?? []).length;\n\tconst closeCount = (source.match(CLOSE_BRACKET) ?? []).length;\n\tif (openCount !== closeCount) {\n\t\treturn \"Unmatched brackets\";\n\t}\n\n\t// Check that [...splat] is only in the last segment\n\tconst segments = source.split(\"/\").filter(Boolean);\n\tfor (let i = 0; i < segments.length; i++) {\n\t\tconst segment = segments[i];\n\t\tif (SPLAT_PATTERN.test(segment) && i !== segments.length - 1) {\n\t\t\tSPLAT_PATTERN.lastIndex = 0;\n\t\t\treturn \"Catch-all [...param] must be in the last segment\";\n\t\t}\n\t\tSPLAT_PATTERN.lastIndex = 0;\n\t}\n\n\t// Check that a segment is either all literal or a single placeholder\n\tfor (const segment of segments) {\n\t\tconst placeholders = segment.match(ANY_PLACEHOLDER);\n\t\tif (placeholders && placeholders.length > 1) {\n\t\t\treturn \"Each segment can contain at most one placeholder\";\n\t\t}\n\t\tif (placeholders && placeholders[0] !== segment) {\n\t\t\treturn \"A placeholder must be the entire segment, not mixed with literal text\";\n\t\t}\n\t}\n\n\t// Check for duplicate param names\n\tconst names: string[] = [];\n\tfor (const m of source.matchAll(ANY_PLACEHOLDER)) {\n\t\tconst name = m[1];\n\t\tif (names.includes(name)) {\n\t\t\treturn `Duplicate parameter name: ${name}`;\n\t\t}\n\t\tnames.push(name);\n\t}\n\n\treturn null;\n}\n\n/**\n * Validate that all placeholders in a destination exist in the source.\n * Returns null if valid, or an error message if invalid.\n */\nexport function validateDestinationParams(source: string, destination: string): string | null {\n\tconst sourceNames = new Set<string>();\n\tfor (const m of source.matchAll(ANY_PLACEHOLDER)) {\n\t\tsourceNames.add(m[1]);\n\t}\n\n\tfor (const m of destination.matchAll(ANY_PLACEHOLDER)) {\n\t\tconst name = m[1];\n\t\tif (!sourceNames.has(name)) {\n\t\t\treturn `Destination references [${name}] which is not captured in the source pattern`;\n\t\t}\n\t}\n\n\treturn null;\n}\n\n/**\n * Compile a URL pattern into a regex for matching.\n *\n * - `[param]` matches a single path segment (`[^/]+`)\n * - `[...rest]` matches one or more remaining segments (`.+`)\n */\nexport function compilePattern(source: string): CompiledPattern {\n\tconst paramNames: string[] = [];\n\n\t// Replace [...splat] first (before [param]) since [...x] contains [x]\n\tlet regexStr = source.replace(SPLAT_PATTERN, (_match, name: string) => {\n\t\tparamNames.push(name);\n\t\treturn \"(.+)\";\n\t});\n\n\t// Then replace [param]\n\tregexStr = regexStr.replace(PARAM_PATTERN, (_match, name: string) => {\n\t\tparamNames.push(name);\n\t\treturn \"([^/]+)\";\n\t});\n\n\t// Escape any regex-special characters in the literal parts\n\t// We need to be careful: the replacement groups are already valid regex\n\t// Split on capture groups, escape literals, rejoin\n\tconst parts = regexStr.split(CAPTURE_GROUP_SPLIT);\n\tconst escaped = parts\n\t\t.map((part, i) => {\n\t\t\t// Odd indices are the capture groups -- leave them alone\n\t\t\tif (i % 2 === 1) return part;\n\t\t\t// Even indices are literal text -- escape special regex chars\n\t\t\treturn part.replace(REGEX_SPECIAL_CHARS, \"\\\\$&\");\n\t\t})\n\t\t.join(\"\");\n\n\treturn {\n\t\tregex: new RegExp(`^${escaped}$`),\n\t\tparamNames,\n\t\tsource,\n\t};\n}\n\n/**\n * Match a path against a compiled pattern.\n * Returns captured params or null if no match.\n */\nexport function matchPattern(\n\tcompiled: CompiledPattern,\n\tpath: string,\n): Record<string, string> | null {\n\tconst match = path.match(compiled.regex);\n\tif (!match) return null;\n\n\tconst params: Record<string, string> = {};\n\tfor (let i = 0; i < compiled.paramNames.length; i++) {\n\t\tconst value = match[i + 1];\n\t\tif (value !== undefined) {\n\t\t\tparams[compiled.paramNames[i]] = value;\n\t\t}\n\t}\n\treturn params;\n}\n\n/**\n * Interpolate captured params into a destination pattern.\n *\n * @example\n * interpolateDestination(\"/blog/[...path]\", { path: \"2024/01/post\" })\n * // \"/blog/2024/01/post\"\n */\nexport function interpolateDestination(\n\tdestination: string,\n\tparams: Record<string, string>,\n): string {\n\t// Replace [...splat] first\n\tlet result = destination.replace(SPLAT_PATTERN, (_match, name: string) => {\n\t\treturn params[name] ?? \"\";\n\t});\n\n\t// Then [param]\n\tresult = result.replace(PARAM_PATTERN, (_match, name: string) => {\n\t\treturn params[name] ?? \"\";\n\t});\n\n\treturn result;\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;AAkBA,MAAM,gBAAgB;;AAGtB,MAAM,gBAAgB;;AAGtB,MAAM,kBAAkB;;AAGxB,MAAM,kBAAkB;;AAGxB,MAAM,iBAAiB;;AAGvB,MAAM,eAAe;;AAGrB,MAAM,gBAAgB;;AAGtB,MAAM,sBAAsB;;AAG5B,MAAM,sBAAsB;;;;AAW5B,SAAgB,UAAU,QAAyB;AAElD,QAAO,OAAO,MAAM,gBAAgB,KAAK;;;;;;AAO1C,SAAgB,gBAAgB,QAA+B;AAC9D,KAAI,CAAC,OAAO,WAAW,IAAI,CAC1B,QAAO;AAIR,KAAI,gBAAgB,KAAK,OAAO,CAC/B,QAAO;AAIR,KAAI,eAAe,KAAK,OAAO,CAC9B,QAAO;AAMR,MAFmB,OAAO,MAAM,aAAa,IAAI,EAAE,EAAE,YACjC,OAAO,MAAM,cAAc,IAAI,EAAE,EAAE,OAEtD,QAAO;CAIR,MAAM,WAAW,OAAO,MAAM,IAAI,CAAC,OAAO,QAAQ;AAClD,MAAK,IAAI,IAAI,GAAG,IAAI,SAAS,QAAQ,KAAK;EACzC,MAAM,UAAU,SAAS;AACzB,MAAI,cAAc,KAAK,QAAQ,IAAI,MAAM,SAAS,SAAS,GAAG;AAC7D,iBAAc,YAAY;AAC1B,UAAO;;AAER,gBAAc,YAAY;;AAI3B,MAAK,MAAM,WAAW,UAAU;EAC/B,MAAM,eAAe,QAAQ,MAAM,gBAAgB;AACnD,MAAI,gBAAgB,aAAa,SAAS,EACzC,QAAO;AAER,MAAI,gBAAgB,aAAa,OAAO,QACvC,QAAO;;CAKT,MAAM,QAAkB,EAAE;AAC1B,MAAK,MAAM,KAAK,OAAO,SAAS,gBAAgB,EAAE;EACjD,MAAM,OAAO,EAAE;AACf,MAAI,MAAM,SAAS,KAAK,CACvB,QAAO,6BAA6B;AAErC,QAAM,KAAK,KAAK;;AAGjB,QAAO;;;;;;AAOR,SAAgB,0BAA0B,QAAgB,aAAoC;CAC7F,MAAM,8BAAc,IAAI,KAAa;AACrC,MAAK,MAAM,KAAK,OAAO,SAAS,gBAAgB,CAC/C,aAAY,IAAI,EAAE,GAAG;AAGtB,MAAK,MAAM,KAAK,YAAY,SAAS,gBAAgB,EAAE;EACtD,MAAM,OAAO,EAAE;AACf,MAAI,CAAC,YAAY,IAAI,KAAK,CACzB,QAAO,2BAA2B,KAAK;;AAIzC,QAAO;;;;;;;;AASR,SAAgB,eAAe,QAAiC;CAC/D,MAAM,aAAuB,EAAE;CAG/B,IAAI,WAAW,OAAO,QAAQ,gBAAgB,QAAQ,SAAiB;AACtE,aAAW,KAAK,KAAK;AACrB,SAAO;GACN;AAGF,YAAW,SAAS,QAAQ,gBAAgB,QAAQ,SAAiB;AACpE,aAAW,KAAK,KAAK;AACrB,SAAO;GACN;CAMF,MAAM,UADQ,SAAS,MAAM,oBAAoB,CAE/C,KAAK,MAAM,MAAM;AAEjB,MAAI,IAAI,MAAM,EAAG,QAAO;AAExB,SAAO,KAAK,QAAQ,qBAAqB,OAAO;GAC/C,CACD,KAAK,GAAG;AAEV,QAAO;EACN,OAAO,IAAI,OAAO,IAAI,QAAQ,GAAG;EACjC;EACA;EACA;;;;;;AAOF,SAAgB,aACf,UACA,MACgC;CAChC,MAAM,QAAQ,KAAK,MAAM,SAAS,MAAM;AACxC,KAAI,CAAC,MAAO,QAAO;CAEnB,MAAM,SAAiC,EAAE;AACzC,MAAK,IAAI,IAAI,GAAG,IAAI,SAAS,WAAW,QAAQ,KAAK;EACpD,MAAM,QAAQ,MAAM,IAAI;AACxB,MAAI,UAAU,OACb,QAAO,SAAS,WAAW,MAAM;;AAGnC,QAAO;;;;;;;;;AAUR,SAAgB,uBACf,aACA,QACS;CAET,IAAI,SAAS,YAAY,QAAQ,gBAAgB,QAAQ,SAAiB;AACzE,SAAO,OAAO,SAAS;GACtB;AAGF,UAAS,OAAO,QAAQ,gBAAgB,QAAQ,SAAiB;AAChE,SAAO,OAAO,SAAS;GACtB;AAEF,QAAO"}

package/dist/plugin-utils.d.mts

@@ -1,12 +1,12 @@
-import "./options-tb7DJROi.mjs";
-import "./types-DawhLFwy.mjs";
+import "./options-D4MnavW_.mjs";
+import "./types-OT_Es5mp.mjs";
 import "./types-DMwSpvcw.mjs";
-import "./byline-fields-CR5hGLMw.mjs";
-import "./index-C8ciqSMJ.mjs";
-import "./runner-DM1yR5qd.mjs";
-import "./index-D60_SzHG.mjs";
+import "./byline-fields-DYXKDuNX.mjs";
+import "./index-FfiTQJq2.mjs";
+import "./runner-BcRuXq_h.mjs";
+import "./index-BpYeJO1E.mjs";
 import "./types-DWnN7weG.mjs";
-import "./validate-Dy6nkNls.mjs";
+import "./validate-BPAHUSge.mjs";
 import { EmDashHandlers } from "./astro/types.mjs";
 
 //#region src/plugin-utils.d.ts

package/dist/plugins/adapt-sandbox-entry.d.mts

@@ -1,13 +1,13 @@
-import "../options-tb7DJROi.mjs";
-import "../types-DawhLFwy.mjs";
+import "../options-D4MnavW_.mjs";
+import "../types-OT_Es5mp.mjs";
 import { yt as ResolvedPlugin } from "../types-DMwSpvcw.mjs";
-import "../byline-fields-CR5hGLMw.mjs";
-import { Lt as PluginDescriptor } from "../index-C8ciqSMJ.mjs";
-import "../runner-DM1yR5qd.mjs";
-import "../index-D60_SzHG.mjs";
+import "../byline-fields-DYXKDuNX.mjs";
+import { Vt as PluginDescriptor } from "../index-FfiTQJq2.mjs";
+import "../runner-BcRuXq_h.mjs";
+import "../index-BpYeJO1E.mjs";
 import { SandboxedPlugin } from "../plugin-types.mjs";
 import "../types-DWnN7weG.mjs";
-import "../validate-Dy6nkNls.mjs";
+import "../validate-BPAHUSge.mjs";
 
 //#region src/plugins/adapt-sandbox-entry.d.ts
 /**

package/dist/{query-Cc649nDl.mjs → query-BFQ029Ts.mjs}

@@ -1,10 +1,10 @@
-import { i as __exportAll } from "./runner-BiuUfx-V.mjs";
+import { a as __exportAll } from "./runner--4wMWwKM.mjs";
 import { n as getI18nConfig, r as isI18nEnabled, t as getFallbackChain } from "./config-CVssduLe.mjs";
-import { i as encodeCursor } from "./types-CfyYQ7eY.mjs";
+import { a as encodeCursor } from "./types-BXSUSAjt.mjs";
 import { getRequestContext } from "./request-context.mjs";
-import { r as requestCached } from "./request-cache-BYMs-BGX.mjs";
+import { r as requestCached } from "./request-cache-D32LpnmI.mjs";
 import { n as isMissingTableError } from "./db-errors-CtzxKBxe.mjs";
-import { t as CURSOR_RAW_VALUES } from "./loader-BxyvbrZP.mjs";
+import { t as CURSOR_RAW_VALUES } from "./loader-CpZKpFz0.mjs";
 
 //#region src/visual-editing/editable.ts
 /**
@@ -338,7 +338,7 @@ async function getEmDashCollectionUncached(type, filter) {
 			edit: isEditMode ? createEditable(type, dbId, entryEditOptions(entry)) : createNoop()
 		};
 	});
-	await Promise.all([hydrateEntryBylines(type, entriesWithEdit), hydrateEntryTerms(type, entriesWithEdit)]);
+	await Promise.all([hydrateEntryBylines(type, entriesWithEdit), hydrateEntryTerms(type, entriesWithEdit, resolvedLocale)]);
 	return {
 		entries: entriesWithEdit,
 		nextCursor,
@@ -392,7 +392,8 @@ async function getEmDashEntry(type, id, options) {
 	const localeChain = requestedLocale && isI18nEnabled() ? getFallbackChain(requestedLocale) : [requestedLocale];
 	/** Return a successful EntryResult with bylines and taxonomy terms hydrated */
 	async function successResult(wrapped, opts) {
-		await Promise.all([hydrateEntryBylines(type, [wrapped]), hydrateEntryTerms(type, [wrapped])]);
+		const termLocale = isI18nEnabled() ? dataStr(entryData(wrapped), "locale") || void 0 : void 0;
+		await Promise.all([hydrateEntryBylines(type, [wrapped]), hydrateEntryTerms(type, [wrapped], termLocale)]);
 		return {
 			entry: wrapped,
 			isPreview: opts.isPreview,
@@ -491,7 +492,7 @@ async function getEmDashEntry(type, id, options) {
 async function hydrateEntryBylines(type, entries) {
 	if (entries.length === 0) return;
 	try {
-		const { getBylinesForEntries } = await import("./bylines-DCczH3AV.mjs").then((n) => n.t);
+		const { getBylinesForEntries } = await import("./bylines-wurS258E.mjs").then((n) => n.t);
 		const refs = entries.map((e) => {
 			const data = entryData(e);
 			const id = dataStr(data, "id");
@@ -532,15 +533,20 @@ async function hydrateEntryBylines(type, entries) {
 * results and call getEntryTerms() per entry. With hydration, the list page
 * stays at a single round-trip for term data.
 *
+* `locale` must be the locale the entries were resolved to. It is forwarded to
+* `getAllTermsForEntries` so terms are returned in the entry's locale rather
+* than falling back to the request-context / default locale (#1441). Pass
+* `undefined` to keep the legacy "do not filter by locale" behaviour.
+*
 * Fails silently if the taxonomy tables don't exist yet (pre-migration).
 */
-async function hydrateEntryTerms(type, entries) {
+async function hydrateEntryTerms(type, entries, locale) {
 	if (entries.length === 0) return;
 	try {
-		const { getAllTermsForEntries } = await import("./taxonomies-CGD6y79Q.mjs").then((n) => n.u);
+		const { getAllTermsForEntries } = await import("./taxonomies-BEW7S5AI.mjs").then((n) => n.u);
 		const ids = entries.map((e) => dataStr(entryData(e), "id")).filter(Boolean);
 		if (ids.length === 0) return;
-		const termsMap = await getAllTermsForEntries(type, ids);
+		const termsMap = await getAllTermsForEntries(type, ids, { locale });
 		for (const entry of entries) {
 			const data = entryData(entry);
 			const dbId = dataStr(data, "id");
@@ -571,9 +577,9 @@ async function hydrateEntryTerms(type, entries) {
 */
 async function getTranslations(type, id) {
 	try {
-		const db = (await import("./loader-BxyvbrZP.mjs").then((n) => n.i)).getDb;
+		const db = (await import("./loader-CpZKpFz0.mjs").then((n) => n.i)).getDb;
 		const dbInstance = await db();
-		const { ContentRepository } = await import("./content-C7aJ7keg.mjs").then((n) => n.n);
+		const { ContentRepository } = await import("./content-BIlVx-RX.mjs").then((n) => n.n);
 		const repo = new ContentRepository(dbInstance);
 		const item = await repo.findByIdOrSlug(type, id);
 		if (!item) return {
@@ -642,8 +648,8 @@ function invalidateUrlPatternCache() {
 */
 async function resolveEmDashPath(path) {
 	if (!cachedUrlPatterns) {
-		const { getDb } = await import("./loader-BxyvbrZP.mjs").then((n) => n.i);
-		const { SchemaRegistry } = await import("./registry-C-T_PWgp.mjs").then((n) => n.r);
+		const { getDb } = await import("./loader-CpZKpFz0.mjs").then((n) => n.i);
+		const { SchemaRegistry } = await import("./registry-brYh-rAT.mjs").then((n) => n.r);
 		const collections = await new SchemaRegistry(await getDb()).listCollections();
 		cachedUrlPatterns = [];
 		for (const collection of collections) {
@@ -675,4 +681,4 @@ async function resolveEmDashPath(path) {
 
 //#endregion
 export { invalidateUrlPatternCache as a, createEditable as c, getTranslations as i, createNoop as l, getEmDashCollection as n, query_exports as o, getEmDashEntry as r, resolveEmDashPath as s, getEditMeta as t };
-//# sourceMappingURL=query-Cc649nDl.mjs.map
+//# sourceMappingURL=query-BFQ029Ts.mjs.map

package/dist/query-BFQ029Ts.mjs.map

@@ -0,0 +1 @@
+{"version":3,"file":"query-BFQ029Ts.mjs","names":[],"sources":["../src/visual-editing/editable.ts","../src/query.ts"],"sourcesContent":["/**\n * Visual editing annotation system\n *\n * Creates Proxy objects that emit data-emdash-ref attributes when spread onto elements.\n */\n\nexport interface CMSAnnotation {\n\tcollection: string;\n\tid: string;\n\tfield?: string;\n\t/** Entry status — only present on entry-level annotations (not field-level) */\n\tstatus?: string;\n\t/** Whether the entry has unpublished draft changes */\n\thasDraft?: boolean;\n}\n\n/** The shape returned when spreading an edit annotation onto an element */\nexport interface FieldAnnotation {\n\t\"data-emdash-ref\": string;\n}\n\nexport interface EditableOptions {\n\t/** Entry status: \"draft\", \"published\", \"scheduled\" */\n\tstatus?: string;\n\t/** true when draftRevisionId exists and differs from liveRevisionId */\n\thasDraft?: boolean;\n}\n\n/**\n * Create an editable proxy for an entry.\n *\n * Usage:\n * - `{...entry.edit}` - entry-level annotation (includes status/hasDraft)\n * - `{...entry.edit.title}` - field-level annotation\n * - `{...entry.edit['nested.field']}` - nested field (bracket notation)\n */\nexport function createEditable(\n\tcollection: string,\n\tid: string,\n\toptions?: EditableOptions,\n): EditProxy {\n\tconst base: CMSAnnotation = {\n\t\tcollection,\n\t\tid,\n\t\t...(options?.status && { status: options.status }),\n\t\t...(options?.hasDraft && { hasDraft: true }),\n\t};\n\n\treturn new Proxy({} as EditProxy, {\n\t\tget(_, prop) {\n\t\t\tif (prop === \"toJSON\") return () => ({ \"data-emdash-ref\": JSON.stringify(base) });\n\t\t\tif (typeof prop === \"symbol\") return undefined;\n\n\t\t\t// data-emdash-ref access returns the entry-level string\n\t\t\tif (prop === \"data-emdash-ref\") return JSON.stringify(base);\n\n\t\t\t// Field-level: return a FieldAnnotation for the specific field\n\t\t\treturn {\n\t\t\t\t\"data-emdash-ref\": JSON.stringify({ ...base, field: String(prop) }),\n\t\t\t} satisfies FieldAnnotation;\n\t\t},\n\t\townKeys() {\n\t\t\treturn [\"data-emdash-ref\"];\n\t\t},\n\t\tgetOwnPropertyDescriptor(_, prop) {\n\t\t\tif (prop === \"data-emdash-ref\") {\n\t\t\t\treturn {\n\t\t\t\t\tconfigurable: true,\n\t\t\t\t\tenumerable: true,\n\t\t\t\t\tvalue: JSON.stringify(base),\n\t\t\t\t};\n\t\t\t}\n\t\t\treturn undefined;\n\t\t},\n\t});\n}\n\n/**\n * Create a noop proxy for production mode.\n * Spreading this produces no attributes.\n */\nexport function createNoop(): EditProxy {\n\treturn new Proxy({} as EditProxy, {\n\t\tget(_, prop) {\n\t\t\tif (typeof prop === \"symbol\") return undefined;\n\t\t\t// All property access returns undefined in noop mode\n\t\t\treturn undefined;\n\t\t},\n\t\townKeys() {\n\t\t\treturn [];\n\t\t},\n\t\tgetOwnPropertyDescriptor() {\n\t\t\treturn undefined;\n\t\t},\n\t});\n}\n\n/**\n * Visual editing proxy type.\n *\n * Spread directly onto elements for entry-level annotations: `{...entry.edit}`\n * Access a field for field-level annotations: `{...entry.edit.title}`\n *\n * In production, spreading produces no attributes (noop).\n */\nexport type EditProxy = {\n\treadonly [field: string]: Partial<FieldAnnotation>;\n};\n","/// <reference types=\"astro/client\" />\n/**\n * Query functions for EmDash content\n *\n * These wrap Astro's getLiveCollection/getLiveEntry with type filtering.\n * Use these instead of calling Astro's functions directly.\n *\n * Error handling follows Astro's pattern - returns { entries/entry, error }\n * so callers can gracefully handle errors (including 404s).\n *\n * Preview mode is handled implicitly via ALS request context —\n * no parameters needed. The middleware verifies the preview token\n * and sets the context; query functions read it automatically.\n *\n * The triple-slash directive above pulls in the ambient declaration for\n * `astro:content` (used by the dynamic imports below) so this source\n * file typechecks even when reached transitively by a sibling package\n * whose tsconfig doesn't list `astro/client` in `compilerOptions.types`.\n *\n * Note: the directive is stripped from the compiled output (`dist/*`)\n * by tsdown, so it does not propagate to downstream consumers of the\n * published package. Consumers are Astro sites and already provide their\n * own `astro/client` ambient surface anyway, so the runtime dynamic\n * import resolves there at typecheck time without our help.\n */\n\nimport { encodeCursor } from \"./database/repositories/types.js\";\nimport { getFallbackChain, getI18nConfig, isI18nEnabled } from \"./i18n/config.js\";\nimport { CURSOR_RAW_VALUES, type WhereRange, type WhereValue } from \"./loader.js\";\nimport { requestCached } from \"./request-cache.js\";\nimport { getRequestContext } from \"./request-context.js\";\nimport { isMissingTableError } from \"./utils/db-errors.js\";\nimport {\n\tcreateEditable,\n\tcreateNoop,\n\ttype EditProxy,\n\ttype EditableOptions,\n} from \"./visual-editing/editable.js\";\n\n/**\n * Collection type registry for type-safe queries.\n *\n * This interface is extended by the generated emdash-env.d.ts file\n * to provide type inference for collection names and their data shapes.\n *\n * @example\n * ```ts\n * // In emdash-env.d.ts (generated):\n * declare module \"emdash\" {\n *   interface EmDashCollections {\n *     posts: { title: string; content: PortableTextBlock[]; };\n *     pages: { title: string; body: PortableTextBlock[]; };\n *   }\n * }\n *\n * // Then in your code:\n * const { entries } = await getEmDashCollection(\"posts\");\n * // entries[0].data.title is typed as string\n * ```\n */\n// eslint-disable-next-line @typescript-eslint/no-empty-object-type\nexport interface EmDashCollections {}\n\n/**\n * Helper type to infer the data type for a collection.\n * Returns the registered type if known, otherwise falls back to Record<string, unknown>.\n */\nexport type InferCollectionData<T extends string> = T extends keyof EmDashCollections\n\t? EmDashCollections[T]\n\t: Record<string, unknown>;\n\n/**\n * Sort direction\n */\nexport type SortDirection = \"asc\" | \"desc\";\n\n/**\n * Order by specification - field name to direction\n * @example { created_at: \"desc\" } - Sort by created_at descending\n * @example { title: \"asc\" } - Sort by title ascending\n * @example { published_at: \"desc\", title: \"asc\" } - Multi-field sort\n */\nexport type OrderBySpec = Record<string, SortDirection>;\n\nexport type { WhereRange, WhereValue };\n\nexport interface CollectionFilter {\n\tstatus?: \"draft\" | \"published\" | \"archived\";\n\tlimit?: number;\n\t/**\n\t * Opaque cursor for keyset pagination.\n\t * Pass the `nextCursor` value from a previous result to fetch the next page.\n\t * @example\n\t * ```ts\n\t * const cursor = Astro.url.searchParams.get(\"cursor\") ?? undefined;\n\t * const { entries, nextCursor } = await getEmDashCollection(\"posts\", {\n\t *   limit: 10,\n\t *   cursor,\n\t * });\n\t * ```\n\t */\n\tcursor?: string;\n\t/**\n\t * Filter by field values, taxonomy terms, byline credits, or ranges.\n\t *\n\t * Taxonomy names are detected automatically and filtered via JOIN.\n\t * The reserved `byline` key filters by byline credit (any credit, not\n\t * just the primary one) via the `_emdash_content_bylines` junction\n\t * table; its value is one or more byline translation groups. This\n\t * matches co-authored entries, which `primary_byline_id` alone misses.\n\t * Other keys are treated as column filters on the content table.\n\t *\n\t * @example { category: 'news' } - Filter by taxonomy term\n\t * @example { category: ['news', 'featured'] } - Filter by multiple terms (OR)\n\t * @example { byline: '01HXYZ...' } - Entries credited to a byline (any position)\n\t * @example { byline: ['01HXYZ...', '01HABC...'] } - Credited to any of these bylines (OR)\n\t * @example { series: 'main' } - Exact match on a content field\n\t * @example { published_at: { gte: '2024-01-01', lt: '2025-01-01' } } - Date range\n\t */\n\twhere?: Record<string, WhereValue>;\n\t/**\n\t * Order results by field(s)\n\t * @default { created_at: \"desc\" }\n\t * @example { created_at: \"desc\" } - Sort by created_at descending (default)\n\t * @example { title: \"asc\" } - Sort by title ascending\n\t * @example { published_at: \"desc\", title: \"asc\" } - Multi-field sort\n\t */\n\torderBy?: OrderBySpec;\n\t/**\n\t * Filter by locale. When set, only returns entries in this locale.\n\t * Only relevant when i18n is configured.\n\t * @example \"en\" — English entries only\n\t * @example \"fr\" — French entries only\n\t */\n\tlocale?: string;\n}\n\nexport interface ContentEntry<T = Record<string, unknown>> {\n\tid: string;\n\tdata: T;\n\t/** Visual editing annotations. Spread onto elements: {...entry.edit.title} */\n\tedit: EditProxy;\n}\n\n/** Cache hint returned by the content loader for route caching */\nexport interface CacheHint {\n\ttags?: string[];\n\tlastModified?: Date;\n}\n\n/**\n * Result from getEmDashCollection\n */\nexport interface CollectionResult<T> {\n\t/** The entries (empty array if error or none found) */\n\tentries: ContentEntry<T>[];\n\t/** Error if the query failed */\n\terror?: Error;\n\t/** Cache hint for route caching (pass to Astro.cache.set()) */\n\tcacheHint: CacheHint;\n\t/**\n\t * Opaque cursor for the next page.\n\t * Undefined when there are no more results.\n\t * Pass this as `cursor` in the next query to get the next page.\n\t */\n\tnextCursor?: string;\n}\n\n/**\n * Result from getEmDashEntry\n */\nexport interface EntryResult<T> {\n\t/** The entry, or null if not found */\n\tentry: ContentEntry<T> | null;\n\t/** Error if the query failed (not set for \"not found\", only for actual errors) */\n\terror?: Error;\n\t/** Whether we're in preview mode (valid token was provided) */\n\tisPreview: boolean;\n\t/** Set when a fallback locale was used instead of the requested locale */\n\tfallbackLocale?: string;\n\t/** Cache hint for route caching (pass to Astro.cache.set()) */\n\tcacheHint: CacheHint;\n}\n\nconst COLLECTION_NAME = \"_emdash\";\n\n/** Symbol key for edit metadata on PT arrays — avoids collision with user data */\nconst EMDASH_EDIT = Symbol.for(\"__emdash\");\n\n/** Edit metadata attached to PT arrays in edit mode */\nexport interface EditFieldMeta {\n\tcollection: string;\n\tid: string;\n\tfield: string;\n}\n\n/** Type guard for EditFieldMeta */\nfunction isEditFieldMeta(value: unknown): value is EditFieldMeta {\n\tif (typeof value !== \"object\" || value === null) return false;\n\tif (!(\"collection\" in value) || !(\"id\" in value) || !(\"field\" in value)) return false;\n\t// After `in` checks, TS narrows to Record<\"collection\" | \"id\" | \"field\", unknown>\n\tconst { collection, id, field } = value;\n\treturn typeof collection === \"string\" && typeof id === \"string\" && typeof field === \"string\";\n}\n\n/**\n * Read edit metadata from a value (returns undefined if not tagged).\n * Uses Object.getOwnPropertyDescriptor to access Symbol-keyed property\n * without an unsafe type assertion.\n */\nexport function getEditMeta(value: unknown): EditFieldMeta | undefined {\n\tif (value && typeof value === \"object\") {\n\t\tconst desc = Object.getOwnPropertyDescriptor(value, EMDASH_EDIT);\n\t\tconst meta: unknown = desc?.value;\n\t\tif (isEditFieldMeta(meta)) {\n\t\t\treturn meta;\n\t\t}\n\t}\n\treturn undefined;\n}\n\n/**\n * Tag PT-like arrays in entry data with edit metadata (non-enumerable).\n * A PT array is identified by: is an array, first element has _type property.\n */\nfunction tagEditableFields(data: Record<string, unknown>, collection: string, id: string): void {\n\tfor (const [field, value] of Object.entries(data)) {\n\t\tif (\n\t\t\tArray.isArray(value) &&\n\t\t\tvalue.length > 0 &&\n\t\t\tvalue[0] &&\n\t\t\ttypeof value[0] === \"object\" &&\n\t\t\t\"_type\" in value[0]\n\t\t) {\n\t\t\tObject.defineProperty(value, EMDASH_EDIT, {\n\t\t\t\tvalue: { collection, id, field } satisfies EditFieldMeta,\n\t\t\t\tenumerable: false,\n\t\t\t\tconfigurable: true,\n\t\t\t});\n\t\t}\n\t}\n}\n\n/** Safely read a string field from a Record, with optional fallback */\nfunction dataStr(data: Record<string, unknown>, key: string, fallback = \"\"): string {\n\tconst val = data[key];\n\treturn typeof val === \"string\" ? val : fallback;\n}\n\n/** Type guard for Record<string, unknown> */\nfunction isRecord(value: unknown): value is Record<string, unknown> {\n\treturn typeof value === \"object\" && value !== null && !Array.isArray(value);\n}\n\n/** Extract data as Record from an Astro entry (which is any-typed) */\nfunction entryData(entry: { data?: unknown }): Record<string, unknown> {\n\treturn isRecord(entry.data) ? entry.data : {};\n}\n\n/** Extract the database ID from entry data (data.id is the ULID, entry.id is the slug) */\nfunction entryDatabaseId(entry: { id: string; data?: unknown }): string {\n\tconst d = entryData(entry);\n\treturn dataStr(d, \"id\") || entry.id;\n}\n\n/** Extract edit options from entry data for the proxy */\nfunction entryEditOptions(entry: { data?: unknown }): EditableOptions {\n\tconst data = entryData(entry);\n\tconst status = dataStr(data, \"status\", \"draft\");\n\tconst draftRevisionId = dataStr(data, \"draftRevisionId\") || undefined;\n\tconst liveRevisionId = dataStr(data, \"liveRevisionId\") || undefined;\n\tconst hasDraft = !!draftRevisionId && draftRevisionId !== liveRevisionId;\n\treturn { status, hasDraft };\n}\n\n/**\n * Get all entries of a content type\n *\n * Returns { entries, error } for graceful error handling.\n *\n * When emdash-env.d.ts is generated, the collection name will be\n * type-checked and the return type will be inferred automatically.\n *\n * @example\n * ```ts\n * import { getEmDashCollection } from \"emdash\";\n *\n * const { entries: posts, error } = await getEmDashCollection(\"posts\");\n * if (error) {\n *   console.error(\"Failed to load posts:\", error);\n *   return;\n * }\n * // posts[0].data.title is typed (if emdash-env.d.ts exists)\n *\n * // With filters\n * const { entries: drafts } = await getEmDashCollection(\"posts\", { status: \"draft\" });\n * ```\n */\nexport async function getEmDashCollection<T extends string, D = InferCollectionData<T>>(\n\ttype: T,\n\tfilter?: CollectionFilter,\n): Promise<CollectionResult<D>> {\n\t// Cache per (type, filter) within a single request. Edit mode and\n\t// preview are request-scoped and stable, so they don't need to be\n\t// part of the key. Widgets and layouts frequently request the same\n\t// collection shape as the page itself (e.g. a \"recent posts\" list\n\t// appears on the home page AND in the sidebar) — caching collapses\n\t// those duplicate queries, along with the bylines and taxonomy-term\n\t// hydration each call would otherwise re-do.\n\t//\n\t// Bucket small limits to a shared minimum so a page with several\n\t// \"recent N posts\" widgets at slightly different limits (e.g. a\n\t// post-detail page asking for 4 in the body and 5 in the sidebar)\n\t// shares one fetch + hydration round-trip rather than running two.\n\t// Cursor-paginated calls are exempt: their limit is part of the\n\t// pagination contract.\n\tconst bucketed = bucketFilter(filter);\n\tconst cached = await requestCached(collectionCacheKey(type, bucketed.fetchFilter), () =>\n\t\tgetEmDashCollectionUncached<T, D>(type, bucketed.fetchFilter),\n\t);\n\treturn bucketed.requestedLimit === undefined\n\t\t? cached\n\t\t: sliceCollectionResult(cached, bucketed.requestedLimit, filter?.orderBy);\n}\n\n/**\n * Threshold for limit bucketing. Page templates routinely render small\n * \"recent posts\" widgets at limits 3-8; rounding those up to a single\n * shared bucket lets one fetch satisfy several widgets within a request.\n * Above this, the requested limit is honoured exactly — bucketing limit:50\n * to limit:64 would waste hydration work for callers fetching real pages.\n */\nconst BUCKET_LIMIT_THRESHOLD = 10;\n\ninterface BucketedFilter {\n\t/** Filter to pass to the loader (with limit possibly raised). */\n\tfetchFilter: CollectionFilter | undefined;\n\t/** Original limit; defined only when bucketing was applied. */\n\trequestedLimit: number | undefined;\n}\n\n/** @internal exported for unit tests; not part of the public API. */\nexport function bucketFilter(filter: CollectionFilter | undefined): BucketedFilter {\n\tconst limit = filter?.limit;\n\tif (\n\t\tlimit === undefined ||\n\t\tlimit >= BUCKET_LIMIT_THRESHOLD ||\n\t\tlimit <= 0 ||\n\t\tfilter?.cursor !== undefined\n\t) {\n\t\treturn { fetchFilter: filter, requestedLimit: undefined };\n\t}\n\treturn {\n\t\tfetchFilter: { ...filter, limit: BUCKET_LIMIT_THRESHOLD },\n\t\trequestedLimit: limit,\n\t};\n}\n\n/**\n * Slice a cached bucketed result down to the originally-requested limit\n * and recompute `nextCursor` from the row that would have been the\n * over-fetch detector for that limit. When truncation is needed, returns\n * a shallow-copied result with a new `entries` array; otherwise returns\n * the cached result unchanged (including error results and results\n * already within the requested limit).\n */\n/** @internal exported for unit tests; not part of the public API. */\nexport function sliceCollectionResult<D>(\n\tcached: CollectionResult<D>,\n\tlimit: number,\n\torderBy: OrderBySpec | undefined,\n): CollectionResult<D> {\n\tif (cached.error) return cached;\n\tif (cached.entries.length <= limit) return cached;\n\tconst sliced = cached.entries.slice(0, limit);\n\t// Mirror the loader's encoding: cursor points at the last returned row,\n\t// so \"next page\" picks up at the row immediately after it. See\n\t// buildCursorCondition in loader.ts — it filters strictly past this row.\n\tconst lastEntry = sliced.at(-1);\n\tconst nextCursor = lastEntry ? encodeEntryCursor(lastEntry, orderBy) : undefined;\n\treturn { ...cached, entries: sliced, nextCursor };\n}\n\n/** Map of database column names to camelCase keys present on entry.data. */\nconst ENTRY_DATA_KEY_MAP: Record<string, string> = {\n\tcreated_at: \"createdAt\",\n\tupdated_at: \"updatedAt\",\n\tpublished_at: \"publishedAt\",\n\tscheduled_at: \"scheduledAt\",\n\tauthor_id: \"authorId\",\n\tprimary_byline_id: \"primaryBylineId\",\n};\n\n// Mirror loader.ts FIELD_NAME_PATTERN. Kept in sync intentionally — diverging\n// would let the encoder accept a field name the loader's getPrimarySort then\n// rejected, producing a cursor that paginates against a different column.\nconst FIELD_NAME_PATTERN = /^[a-zA-Z_][a-zA-Z0-9_]*$/;\n\n/**\n * Encode a `nextCursor` from a content entry, mirroring the loader's\n * encoding scheme: `(orderValue, id)` where `orderValue` is the primary\n * sort field's stringified value. For date columns, reads the raw DB\n * string the loader stashed via CURSOR_RAW_VALUES — round-tripping the\n * parsed Date through `toISOString()` would lose precision for stored\n * values that aren't already ISO-with-milliseconds.\n */\nfunction encodeEntryCursor<D>(\n\tentry: ContentEntry<D>,\n\torderBy: OrderBySpec | undefined,\n): string | undefined {\n\tconst data = entryData(entry);\n\tconst id = dataStr(data, \"id\");\n\tif (!id) return undefined;\n\n\t// Match loader.ts getPrimarySort: take the first valid field, default to created_at.\n\tlet dbField = \"created_at\";\n\tif (orderBy) {\n\t\tfor (const field of Object.keys(orderBy)) {\n\t\t\tif (FIELD_NAME_PATTERN.test(field)) {\n\t\t\t\tdbField = field;\n\t\t\t\tbreak;\n\t\t\t}\n\t\t}\n\t}\n\n\t// Date columns: prefer the raw stored string captured by the loader so\n\t// the cursor matches what a direct loader fetch would emit, regardless\n\t// of how the DB stored the timestamp.\n\tconst rawDateValuesRaw = Reflect.get(data, CURSOR_RAW_VALUES);\n\tif (rawDateValuesRaw !== null && typeof rawDateValuesRaw === \"object\") {\n\t\tconst raw = Reflect.get(rawDateValuesRaw, dbField);\n\t\tif (typeof raw === \"string\") return encodeCursor(raw, id);\n\t}\n\n\tconst dataKey = ENTRY_DATA_KEY_MAP[dbField] ?? dbField;\n\tconst value = data[dataKey];\n\tlet orderValue: string;\n\tif (value instanceof Date) {\n\t\torderValue = value.toISOString();\n\t} else if (typeof value === \"string\" || typeof value === \"number\") {\n\t\torderValue = String(value);\n\t} else {\n\t\t// Match the loader's empty-string fallback for null/undefined order\n\t\t// values so cursor decoding stays valid even at the boundary.\n\t\torderValue = \"\";\n\t}\n\treturn encodeCursor(orderValue, id);\n}\n\n/**\n * Build a canonical cache key for `getEmDashCollection`.\n *\n * `JSON.stringify` is insertion-order-sensitive, so two callers passing\n * semantically identical filters with different key orders would miss\n * the cache. We fix the top-level field order and sort `where` keys\n * (order there is irrelevant), while preserving `orderBy` key order\n * because that's the sort priority.\n */\nfunction collectionCacheKey(type: string, filter?: CollectionFilter): string {\n\tif (!filter) return `collection:${type}:`;\n\tconst parts = [\n\t\tfilter.status ?? \"\",\n\t\tfilter.limit ?? \"\",\n\t\tfilter.cursor ?? \"\",\n\t\tfilter.where ? stableStringify(filter.where) : \"\",\n\t\tfilter.orderBy ? JSON.stringify(filter.orderBy) : \"\",\n\t\tfilter.locale ?? \"\",\n\t];\n\treturn `collection:${type}:${parts.join(\"|\")}`;\n}\n\nfunction stableStringify(value: Record<string, unknown>): string {\n\treturn JSON.stringify(stableOrder(value));\n}\n\nfunction stableOrder(value: Record<string, unknown>): Record<string, unknown> {\n\tconst keys = Object.keys(value).toSorted();\n\tconst ordered: Record<string, unknown> = {};\n\tfor (const k of keys) {\n\t\tconst v = value[k];\n\t\tif (isRecord(v)) {\n\t\t\tordered[k] = stableOrder(v);\n\t\t} else {\n\t\t\tordered[k] = v;\n\t\t}\n\t}\n\treturn ordered;\n}\n\nasync function getEmDashCollectionUncached<T extends string, D = InferCollectionData<T>>(\n\ttype: T,\n\tfilter?: CollectionFilter,\n): Promise<CollectionResult<D>> {\n\t// Dynamic import to avoid build-time issues\n\tconst { getLiveCollection } = await import(\"astro:content\");\n\n\t// Resolve locale: explicit filter > ALS context > defaultLocale (when i18n enabled)\n\t// Without this, queries return all locale rows, producing broken IDs\n\tconst ctx = getRequestContext();\n\tconst i18nConfig = getI18nConfig();\n\tconst resolvedLocale =\n\t\tfilter?.locale ?? ctx?.locale ?? (isI18nEnabled() ? i18nConfig!.defaultLocale : undefined);\n\n\tconst requestedLimit = filter?.limit;\n\tconst result = await getLiveCollection(COLLECTION_NAME, {\n\t\ttype,\n\t\tstatus: filter?.status,\n\t\tlimit: requestedLimit && requestedLimit > 0 ? requestedLimit + 1 : filter?.limit,\n\t\tcursor: filter?.cursor,\n\t\twhere: filter?.where,\n\t\torderBy: filter?.orderBy,\n\t\tlocale: resolvedLocale,\n\t});\n\n\tconst { entries, error, cacheHint } = result;\n\n\tif (error) {\n\t\treturn { entries: [], error, cacheHint: {} };\n\t}\n\n\tconst hasMore = requestedLimit != null && requestedLimit > 0 && entries.length > requestedLimit;\n\tconst pageEntries = hasMore ? entries.slice(0, requestedLimit) : entries;\n\tconst nextCursor = hasMore ? encodeEntryCursor(pageEntries.at(-1), filter?.orderBy) : undefined;\n\n\tconst isEditMode = ctx?.editMode ?? false;\n\tconst entriesWithEdit = pageEntries.map((entry: ContentEntry<D>) => {\n\t\tconst dbId = entryDatabaseId(entry);\n\t\tif (isEditMode) {\n\t\t\ttagEditableFields(entryData(entry), type, dbId);\n\t\t}\n\t\treturn {\n\t\t\t...entry,\n\t\t\tedit: isEditMode ? createEditable(type, dbId, entryEditOptions(entry)) : createNoop(),\n\t\t};\n\t});\n\n\t// Eagerly hydrate bylines and taxonomy terms for all entries in parallel.\n\t// Both are independent queries, so running them concurrently halves the\n\t// round-trip cost on remote databases (D1 replicas, etc.).\n\tawait Promise.all([\n\t\thydrateEntryBylines(type, entriesWithEdit),\n\t\t// Hydrate terms in the same locale the content rows were resolved to,\n\t\t// otherwise localized entries get default-locale taxonomy terms (#1441).\n\t\thydrateEntryTerms(type, entriesWithEdit, resolvedLocale),\n\t]);\n\n\treturn { entries: entriesWithEdit, nextCursor, cacheHint: cacheHint ?? {} };\n}\n\n/**\n * Get a single entry by type and ID/slug\n *\n * Returns { entry, error, isPreview } for graceful error handling.\n * - entry is null if not found (not an error)\n * - error is set only for actual errors (db issues, etc.)\n *\n * Preview mode is detected automatically from request context (ALS).\n * When the URL has a valid `_preview` token, the middleware sets preview\n * context and this function serves draft revision data if available.\n *\n * @example\n * ```ts\n * import { getEmDashEntry } from \"emdash\";\n *\n * // Simple usage — preview just works via middleware\n * const { entry: post, isPreview, error } = await getEmDashEntry(\"posts\", \"my-slug\");\n * if (!post) return Astro.redirect(\"/404\");\n * ```\n */\nexport async function getEmDashEntry<T extends string, D = InferCollectionData<T>>(\n\ttype: T,\n\tid: string,\n\toptions?: { locale?: string },\n): Promise<EntryResult<D>> {\n\t// Dynamic import to avoid build-time issues\n\tconst { getLiveEntry } = await import(\"astro:content\");\n\n\t// Check ALS for preview and edit mode context\n\tconst ctx = getRequestContext();\n\tconst preview = ctx?.preview;\n\tconst isEditMode = ctx?.editMode ?? false;\n\tconst isPreviewMode = !!preview && preview.collection === type;\n\t// Edit mode implies preview — editors should see draft content\n\tconst serveDrafts = isPreviewMode || isEditMode;\n\n\t// Resolve locale: explicit option > ALS context > undefined (no filter)\n\tconst requestedLocale = options?.locale ?? ctx?.locale;\n\n\t/** Wrap a raw Astro entry with edit proxy, tagging editable fields if needed */\n\tfunction wrapEntry(raw: ContentEntry<D>): ContentEntry<D> {\n\t\tconst dbId = entryDatabaseId(raw);\n\t\tif (isEditMode) {\n\t\t\ttagEditableFields(entryData(raw), type, dbId);\n\t\t}\n\t\treturn {\n\t\t\t...raw,\n\t\t\tedit: isEditMode ? createEditable(type, dbId, entryEditOptions(raw)) : createNoop(),\n\t\t};\n\t}\n\n\t/** Check if an entry is publicly visible (published or scheduled past its time) */\n\tfunction isVisible(entry: ContentEntry<D>): boolean {\n\t\tconst data = entryData(entry);\n\t\tconst status = dataStr(data, \"status\");\n\t\tconst scheduledAt = dataStr(data, \"scheduledAt\") || undefined;\n\t\tconst isPublished = status === \"published\";\n\t\tconst isScheduledAndReady =\n\t\t\tstatus === \"scheduled\" && scheduledAt && new Date(scheduledAt) <= new Date();\n\t\treturn isPublished || !!isScheduledAndReady;\n\t}\n\n\t// Build the fallback chain: [requestedLocale, fallback1, ..., defaultLocale]\n\t// When i18n is disabled or no locale requested, just use a single-element chain\n\tconst localeChain =\n\t\trequestedLocale && isI18nEnabled() ? getFallbackChain(requestedLocale) : [requestedLocale];\n\n\t/** Return a successful EntryResult with bylines and taxonomy terms hydrated */\n\tasync function successResult(\n\t\twrapped: ContentEntry<D>,\n\t\topts: { isPreview: boolean; fallbackLocale?: string; cacheHint: CacheHint },\n\t): Promise<EntryResult<D>> {\n\t\t// Hydrate terms in the entry's resolved locale (fallback-aware) so a\n\t\t// localized entry never picks up default-locale taxonomy terms (#1441).\n\t\t// When i18n is disabled we leave the locale unset to preserve the\n\t\t// legacy \"do not filter by locale\" behaviour.\n\t\tconst termLocale = isI18nEnabled()\n\t\t\t? dataStr(entryData(wrapped), \"locale\") || undefined\n\t\t\t: undefined;\n\t\tawait Promise.all([\n\t\t\thydrateEntryBylines(type, [wrapped]),\n\t\t\thydrateEntryTerms(type, [wrapped], termLocale),\n\t\t]);\n\t\treturn {\n\t\t\tentry: wrapped,\n\t\t\tisPreview: opts.isPreview,\n\t\t\tfallbackLocale: opts.fallbackLocale,\n\t\t\tcacheHint: opts.cacheHint,\n\t\t};\n\t}\n\n\tif (serveDrafts) {\n\t\t// Draft mode: try each locale in the fallback chain\n\t\tfor (let i = 0; i < localeChain.length; i++) {\n\t\t\tconst locale = localeChain[i];\n\t\t\tconst fallbackLocale = i > 0 ? locale : undefined;\n\n\t\t\tconst {\n\t\t\t\tentry: baseEntry,\n\t\t\t\terror: baseError,\n\t\t\t\tcacheHint,\n\t\t\t} = await getLiveEntry(COLLECTION_NAME, {\n\t\t\t\ttype,\n\t\t\t\tid,\n\t\t\t\tlocale,\n\t\t\t});\n\n\t\t\tif (baseError) {\n\t\t\t\treturn { entry: null, error: baseError, isPreview: serveDrafts, cacheHint: {} };\n\t\t\t}\n\n\t\t\tif (!baseEntry) continue; // Try next locale in chain\n\n\t\t\t// Preview tokens are item-scoped: verify the resolved entry matches.\n\t\t\t// Edit mode (authenticated editors) has collection-wide draft access.\n\t\t\tif (isPreviewMode && !isEditMode) {\n\t\t\t\tconst dbId = entryDatabaseId(baseEntry);\n\t\t\t\tif (preview.id !== dbId && preview.id !== id) {\n\t\t\t\t\t// Token doesn't match — serve only if publicly visible, without draft access\n\t\t\t\t\tif (isVisible(baseEntry)) {\n\t\t\t\t\t\treturn successResult(wrapEntry(baseEntry), {\n\t\t\t\t\t\t\tisPreview: false,\n\t\t\t\t\t\t\tfallbackLocale,\n\t\t\t\t\t\t\tcacheHint: cacheHint ?? {},\n\t\t\t\t\t\t});\n\t\t\t\t\t}\n\t\t\t\t\t// Not visible — try next locale in fallback chain\n\t\t\t\t\tcontinue;\n\t\t\t\t}\n\t\t\t}\n\n\t\t\t// Check if entry has a draft revision — if so, re-fetch with revision data\n\t\t\tconst baseData = entryData(baseEntry);\n\t\t\tconst draftRevisionId = dataStr(baseData, \"draftRevisionId\") || undefined;\n\n\t\t\tif (draftRevisionId) {\n\t\t\t\tconst { entry: draftEntry, error: draftError } = await getLiveEntry(COLLECTION_NAME, {\n\t\t\t\t\ttype,\n\t\t\t\t\tid,\n\t\t\t\t\trevisionId: draftRevisionId,\n\t\t\t\t\tlocale,\n\t\t\t\t});\n\n\t\t\t\tif (!draftError && draftEntry) {\n\t\t\t\t\treturn successResult(wrapEntry(draftEntry), {\n\t\t\t\t\t\tisPreview: serveDrafts,\n\t\t\t\t\t\tfallbackLocale,\n\t\t\t\t\t\tcacheHint: cacheHint ?? {},\n\t\t\t\t\t});\n\t\t\t\t}\n\t\t\t}\n\n\t\t\treturn successResult(wrapEntry(baseEntry), {\n\t\t\t\tisPreview: serveDrafts,\n\t\t\t\tfallbackLocale,\n\t\t\t\tcacheHint: cacheHint ?? {},\n\t\t\t});\n\t\t}\n\n\t\t// No entry found in any locale\n\t\treturn { entry: null, isPreview: serveDrafts, cacheHint: {} };\n\t}\n\n\t// Normal mode: try each locale in the fallback chain, only return published content\n\tfor (let i = 0; i < localeChain.length; i++) {\n\t\tconst locale = localeChain[i];\n\t\tconst fallbackLocale = i > 0 ? locale : undefined;\n\n\t\tconst { entry, error, cacheHint } = await getLiveEntry(COLLECTION_NAME, { type, id, locale });\n\t\tif (error) {\n\t\t\treturn { entry: null, error, isPreview: false, cacheHint: {} };\n\t\t}\n\n\t\tif (entry && isVisible(entry)) {\n\t\t\treturn successResult(wrapEntry(entry), {\n\t\t\t\tisPreview: false,\n\t\t\t\tfallbackLocale,\n\t\t\t\tcacheHint: cacheHint ?? {},\n\t\t\t});\n\t\t}\n\t\t// Entry not found or not visible in this locale — try next\n\t}\n\n\treturn { entry: null, isPreview: false, cacheHint: {} };\n}\n\n/**\n * Eagerly hydrate byline data onto entry.data for one or more entries.\n *\n * Attaches `bylines` (array of ContentBylineCredit) and `byline`\n * (primary BylineSummary or null) to each entry's data object.\n * Uses batch queries to avoid N+1.\n *\n * Fails silently if the byline tables don't exist yet (pre-migration).\n */\nasync function hydrateEntryBylines<D>(type: string, entries: ContentEntry<D>[]): Promise<void> {\n\tif (entries.length === 0) return;\n\n\ttry {\n\t\tconst { getBylinesForEntries } = await import(\"./bylines/index.js\");\n\n\t\tconst refs = entries\n\t\t\t.map((e) => {\n\t\t\t\tconst data = entryData(e);\n\t\t\t\tconst id = dataStr(data, \"id\");\n\t\t\t\tif (!id) return null;\n\t\t\t\treturn {\n\t\t\t\t\tid,\n\t\t\t\t\tauthorId: dataStr(data, \"authorId\") || null,\n\t\t\t\t\tprimaryBylineId: dataStr(data, \"primaryBylineId\") || null,\n\t\t\t\t\tlocale: dataStr(data, \"locale\") || null,\n\t\t\t\t};\n\t\t\t})\n\t\t\t.filter(\n\t\t\t\t(\n\t\t\t\t\tr,\n\t\t\t\t): r is {\n\t\t\t\t\tid: string;\n\t\t\t\t\tauthorId: string | null;\n\t\t\t\t\tprimaryBylineId: string | null;\n\t\t\t\t\tlocale: string | null;\n\t\t\t\t} => r !== null,\n\t\t\t);\n\t\tif (refs.length === 0) return;\n\n\t\tconst bylinesMap = await getBylinesForEntries(type, refs);\n\n\t\tfor (const entry of entries) {\n\t\t\tconst data = entryData(entry);\n\t\t\tconst dbId = dataStr(data, \"id\");\n\t\t\tif (!dbId) continue;\n\n\t\t\tconst credits = bylinesMap.get(dbId) ?? [];\n\t\t\tdata.bylines = credits;\n\t\t\tdata.byline = credits[0]?.byline ?? null;\n\t\t}\n\t} catch (err) {\n\t\t// Only swallow \"table not found\" errors from pre-migration databases.\n\t\t// Matches SQLite/D1 (\"no such table\") and PostgreSQL (\"relation/table\n\t\t// ... does not exist\") via the shared helper.\n\t\tif (!isMissingTableError(err)) {\n\t\t\tconst msg = err instanceof Error ? err.message : String(err);\n\t\t\tconsole.warn(\"[emdash] Failed to hydrate bylines:\", msg);\n\t\t}\n\t}\n}\n\n/**\n * Eagerly hydrate taxonomy term data onto entry.data for one or more entries.\n *\n * Attaches `terms` (Record keyed by taxonomy name with an array of TaxonomyTerm\n * values) to each entry's data object. Uses a single batched JOIN query across\n * all taxonomies so the cost is O(1) regardless of the number of entries or\n * taxonomies on the site.\n *\n * This eliminates the common N+1 pattern where templates loop over list\n * results and call getEntryTerms() per entry. With hydration, the list page\n * stays at a single round-trip for term data.\n *\n * `locale` must be the locale the entries were resolved to. It is forwarded to\n * `getAllTermsForEntries` so terms are returned in the entry's locale rather\n * than falling back to the request-context / default locale (#1441). Pass\n * `undefined` to keep the legacy \"do not filter by locale\" behaviour.\n *\n * Fails silently if the taxonomy tables don't exist yet (pre-migration).\n */\nasync function hydrateEntryTerms<D>(\n\ttype: string,\n\tentries: ContentEntry<D>[],\n\tlocale?: string,\n): Promise<void> {\n\tif (entries.length === 0) return;\n\n\ttry {\n\t\tconst { getAllTermsForEntries } = await import(\"./taxonomies/index.js\");\n\n\t\tconst ids = entries.map((e) => dataStr(entryData(e), \"id\")).filter(Boolean);\n\t\tif (ids.length === 0) return;\n\n\t\tconst termsMap = await getAllTermsForEntries(type, ids, { locale });\n\n\t\tfor (const entry of entries) {\n\t\t\tconst data = entryData(entry);\n\t\t\tconst dbId = dataStr(data, \"id\");\n\t\t\tif (!dbId) continue;\n\n\t\t\tdata.terms = termsMap.get(dbId) ?? {};\n\t\t}\n\t} catch (err) {\n\t\t// Only swallow \"table not found\" errors from pre-migration databases.\n\t\t// Matches SQLite/D1 (\"no such table\") and PostgreSQL (\"relation/table\n\t\t// ... does not exist\") via the shared helper.\n\t\tif (!isMissingTableError(err)) {\n\t\t\tconst msg = err instanceof Error ? err.message : String(err);\n\t\t\tconsole.warn(\"[emdash] Failed to hydrate terms:\", msg);\n\t\t}\n\t}\n}\n\n/**\n * Translation summary for a single locale variant\n */\nexport interface TranslationSummary {\n\t/** Content item ID */\n\tid: string;\n\t/** Locale code (e.g. \"en\", \"fr\") */\n\tlocale: string;\n\t/** URL slug */\n\tslug: string | null;\n\t/** Current status */\n\tstatus: string;\n}\n\n/**\n * Result from getTranslations\n */\nexport interface TranslationsResult {\n\t/** The translation group ID (shared across locales) */\n\ttranslationGroup: string;\n\t/** All locale variants in this group */\n\ttranslations: TranslationSummary[];\n\t/** Error if the query failed */\n\terror?: Error;\n}\n\n/**\n * Get all translations of a content item.\n *\n * Given a content entry, returns all locale variants that share the same\n * translation group. This is useful for building language switcher UI.\n *\n * @example\n * ```ts\n * import { getEmDashEntry, getTranslations } from \"emdash\";\n *\n * const { entry: post } = await getEmDashEntry(\"posts\", \"hello-world\", { locale: \"en\" });\n * const { translations } = await getTranslations(\"posts\", post.data.id);\n * // translations = [{ id: \"...\", locale: \"en\", slug: \"hello-world\", status: \"published\" }, ...]\n * ```\n */\nexport async function getTranslations(type: string, id: string): Promise<TranslationsResult> {\n\ttry {\n\t\tconst db = (await import(\"./loader.js\")).getDb;\n\t\tconst dbInstance = await db();\n\t\tconst { ContentRepository } = await import(\"./database/repositories/content.js\");\n\t\tconst repo = new ContentRepository(dbInstance);\n\n\t\t// Find the item to get its translation group\n\t\tconst item = await repo.findByIdOrSlug(type, id);\n\t\tif (!item) {\n\t\t\treturn {\n\t\t\t\ttranslationGroup: \"\",\n\t\t\t\ttranslations: [],\n\t\t\t\terror: new Error(`Content item not found: ${id}`),\n\t\t\t};\n\t\t}\n\n\t\tconst group = item.translationGroup || item.id;\n\t\tconst translations = await repo.findTranslations(type, group);\n\n\t\treturn {\n\t\t\ttranslationGroup: group,\n\t\t\ttranslations: translations.map((t) => ({\n\t\t\t\tid: t.id,\n\t\t\t\tlocale: t.locale || \"en\",\n\t\t\t\tslug: t.slug,\n\t\t\t\tstatus: t.status,\n\t\t\t})),\n\t\t};\n\t} catch (error) {\n\t\treturn {\n\t\t\ttranslationGroup: \"\",\n\t\t\ttranslations: [],\n\t\t\terror: error instanceof Error ? error : new Error(String(error)),\n\t\t};\n\t}\n}\n\n/**\n * Result from resolveEmDashPath\n */\nexport interface ResolvePathResult<T = Record<string, unknown>> {\n\t/** The matched entry */\n\tentry: ContentEntry<T>;\n\t/** The collection slug that matched */\n\tcollection: string;\n\t/** Extracted parameters from the URL pattern (e.g. { slug: \"my-post\" }) */\n\tparams: Record<string, string>;\n}\n\n/** Matches `{paramName}` placeholders in URL patterns */\nconst URL_PARAM_PATTERN = /\\{(\\w+)\\}/g;\n\n/** Convert a URL pattern like \"/blog/{slug}\" to a regex and param name list */\nfunction patternToRegex(pattern: string): { regex: RegExp; paramNames: string[] } {\n\tconst paramNames: string[] = [];\n\tconst regexStr = pattern.replace(URL_PARAM_PATTERN, (_match, name: string) => {\n\t\tparamNames.push(name);\n\t\treturn \"([^/]+)\";\n\t});\n\treturn { regex: new RegExp(`^${regexStr}$`), paramNames };\n}\n\n/** Cached compiled URL patterns for resolveEmDashPath */\ninterface CachedPattern {\n\tslug: string;\n\tregex: RegExp;\n\tparamNames: string[];\n}\nlet cachedUrlPatterns: CachedPattern[] | null = null;\n\n/**\n * Invalidate the cached URL patterns used by resolveEmDashPath.\n * Call when collection URL patterns change (schema updates).\n */\nexport function invalidateUrlPatternCache(): void {\n\tcachedUrlPatterns = null;\n}\n\n/**\n * Resolve a URL path to a content entry by matching against collection URL patterns.\n *\n * Loads all collections with a `urlPattern` set, converts each pattern to a regex,\n * and tests the given path. On match, extracts the slug and fetches the entry.\n *\n * @example\n * ```ts\n * import { resolveEmDashPath } from \"emdash\";\n *\n * // Given pages with urlPattern \"/{slug}\" and posts with \"/blog/{slug}\":\n * const result = await resolveEmDashPath(\"/blog/hello-world\");\n * if (result) {\n *   console.log(result.collection); // \"posts\"\n *   console.log(result.params.slug); // \"hello-world\"\n *   console.log(result.entry.data); // post data\n * }\n * ```\n */\nexport async function resolveEmDashPath<T = Record<string, unknown>>(\n\tpath: string,\n): Promise<ResolvePathResult<T> | null> {\n\t// Build and cache compiled patterns on first call\n\tif (!cachedUrlPatterns) {\n\t\tconst { getDb } = await import(\"./loader.js\");\n\t\tconst { SchemaRegistry } = await import(\"./schema/registry.js\");\n\t\tconst db = await getDb();\n\t\tconst registry = new SchemaRegistry(db);\n\t\tconst collections = await registry.listCollections();\n\n\t\tcachedUrlPatterns = [];\n\t\tfor (const collection of collections) {\n\t\t\tif (!collection.urlPattern) continue;\n\t\t\tconst { regex, paramNames } = patternToRegex(collection.urlPattern);\n\t\t\tcachedUrlPatterns.push({ slug: collection.slug, regex, paramNames });\n\t\t}\n\t}\n\n\tfor (const pattern of cachedUrlPatterns) {\n\t\tconst match = path.match(pattern.regex);\n\t\tif (!match) continue;\n\n\t\t// Extract params\n\t\tconst params: Record<string, string> = {};\n\t\tfor (let i = 0; i < pattern.paramNames.length; i++) {\n\t\t\tparams[pattern.paramNames[i]] = match[i + 1];\n\t\t}\n\n\t\t// Look up entry by slug (most common pattern)\n\t\tconst slug = params.slug;\n\t\tif (!slug) continue;\n\n\t\tconst { entry } = await getEmDashEntry<string, T>(pattern.slug, slug);\n\t\tif (entry) {\n\t\t\treturn { entry, collection: pattern.slug, params };\n\t\t}\n\t}\n\n\treturn null;\n}\n"],"mappings":";;;;;;;;;;;;;;;;;AAoCA,SAAgB,eACf,YACA,IACA,SACY;CACZ,MAAM,OAAsB;EAC3B;EACA;EACA,GAAI,SAAS,UAAU,EAAE,QAAQ,QAAQ,QAAQ;EACjD,GAAI,SAAS,YAAY,EAAE,UAAU,MAAM;EAC3C;AAED,QAAO,IAAI,MAAM,EAAE,EAAe;EACjC,IAAI,GAAG,MAAM;AACZ,OAAI,SAAS,SAAU,eAAc,EAAE,mBAAmB,KAAK,UAAU,KAAK,EAAE;AAChF,OAAI,OAAO,SAAS,SAAU,QAAO;AAGrC,OAAI,SAAS,kBAAmB,QAAO,KAAK,UAAU,KAAK;AAG3D,UAAO,EACN,mBAAmB,KAAK,UAAU;IAAE,GAAG;IAAM,OAAO,OAAO,KAAK;IAAE,CAAC,EACnE;;EAEF,UAAU;AACT,UAAO,CAAC,kBAAkB;;EAE3B,yBAAyB,GAAG,MAAM;AACjC,OAAI,SAAS,kBACZ,QAAO;IACN,cAAc;IACd,YAAY;IACZ,OAAO,KAAK,UAAU,KAAK;IAC3B;;EAIH,CAAC;;;;;;AAOH,SAAgB,aAAwB;AACvC,QAAO,IAAI,MAAM,EAAE,EAAe;EACjC,IAAI,GAAG,MAAM;AACZ,OAAI,OAAO,SAAS,SAAU,QAAO;;EAItC,UAAU;AACT,UAAO,EAAE;;EAEV,2BAA2B;EAG3B,CAAC;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AC0FH,MAAM,kBAAkB;;AAGxB,MAAM,cAAc,OAAO,IAAI,WAAW;;AAU1C,SAAS,gBAAgB,OAAwC;AAChE,KAAI,OAAO,UAAU,YAAY,UAAU,KAAM,QAAO;AACxD,KAAI,EAAE,gBAAgB,UAAU,EAAE,QAAQ,UAAU,EAAE,WAAW,OAAQ,QAAO;CAEhF,MAAM,EAAE,YAAY,IAAI,UAAU;AAClC,QAAO,OAAO,eAAe,YAAY,OAAO,OAAO,YAAY,OAAO,UAAU;;;;;;;AAQrF,SAAgB,YAAY,OAA2C;AACtE,KAAI,SAAS,OAAO,UAAU,UAAU;EAEvC,MAAM,OADO,OAAO,yBAAyB,OAAO,YAAY,EACpC;AAC5B,MAAI,gBAAgB,KAAK,CACxB,QAAO;;;;;;;AAUV,SAAS,kBAAkB,MAA+B,YAAoB,IAAkB;AAC/F,MAAK,MAAM,CAAC,OAAO,UAAU,OAAO,QAAQ,KAAK,CAChD,KACC,MAAM,QAAQ,MAAM,IACpB,MAAM,SAAS,KACf,MAAM,MACN,OAAO,MAAM,OAAO,YACpB,WAAW,MAAM,GAEjB,QAAO,eAAe,OAAO,aAAa;EACzC,OAAO;GAAE;GAAY;GAAI;GAAO;EAChC,YAAY;EACZ,cAAc;EACd,CAAC;;;AAML,SAAS,QAAQ,MAA+B,KAAa,WAAW,IAAY;CACnF,MAAM,MAAM,KAAK;AACjB,QAAO,OAAO,QAAQ,WAAW,MAAM;;;AAIxC,SAAS,SAAS,OAAkD;AACnE,QAAO,OAAO,UAAU,YAAY,UAAU,QAAQ,CAAC,MAAM,QAAQ,MAAM;;;AAI5E,SAAS,UAAU,OAAoD;AACtE,QAAO,SAAS,MAAM,KAAK,GAAG,MAAM,OAAO,EAAE;;;AAI9C,SAAS,gBAAgB,OAA+C;AAEvE,QAAO,QADG,UAAU,MAAM,EACR,KAAK,IAAI,MAAM;;;AAIlC,SAAS,iBAAiB,OAA4C;CACrE,MAAM,OAAO,UAAU,MAAM;CAC7B,MAAM,SAAS,QAAQ,MAAM,UAAU,QAAQ;CAC/C,MAAM,kBAAkB,QAAQ,MAAM,kBAAkB,IAAI;CAC5D,MAAM,iBAAiB,QAAQ,MAAM,iBAAiB,IAAI;AAE1D,QAAO;EAAE;EAAQ,UADA,CAAC,CAAC,mBAAmB,oBAAoB;EAC/B;;;;;;;;;;;;;;;;;;;;;;;;;AA0B5B,eAAsB,oBACrB,MACA,QAC+B;CAe/B,MAAM,WAAW,aAAa,OAAO;CACrC,MAAM,SAAS,MAAM,cAAc,mBAAmB,MAAM,SAAS,YAAY,QAChF,4BAAkC,MAAM,SAAS,YAAY,CAC7D;AACD,QAAO,SAAS,mBAAmB,SAChC,SACA,sBAAsB,QAAQ,SAAS,gBAAgB,QAAQ,QAAQ;;;;;;;;;AAU3E,MAAM,yBAAyB;;AAU/B,SAAgB,aAAa,QAAsD;CAClF,MAAM,QAAQ,QAAQ;AACtB,KACC,UAAU,UACV,SAAS,0BACT,SAAS,KACT,QAAQ,WAAW,OAEnB,QAAO;EAAE,aAAa;EAAQ,gBAAgB;EAAW;AAE1D,QAAO;EACN,aAAa;GAAE,GAAG;GAAQ,OAAO;GAAwB;EACzD,gBAAgB;EAChB;;;;;;;;;;;AAYF,SAAgB,sBACf,QACA,OACA,SACsB;AACtB,KAAI,OAAO,MAAO,QAAO;AACzB,KAAI,OAAO,QAAQ,UAAU,MAAO,QAAO;CAC3C,MAAM,SAAS,OAAO,QAAQ,MAAM,GAAG,MAAM;CAI7C,MAAM,YAAY,OAAO,GAAG,GAAG;CAC/B,MAAM,aAAa,YAAY,kBAAkB,WAAW,QAAQ,GAAG;AACvE,QAAO;EAAE,GAAG;EAAQ,SAAS;EAAQ;EAAY;;;AAIlD,MAAM,qBAA6C;CAClD,YAAY;CACZ,YAAY;CACZ,cAAc;CACd,cAAc;CACd,WAAW;CACX,mBAAmB;CACnB;AAKD,MAAM,qBAAqB;;;;;;;;;AAU3B,SAAS,kBACR,OACA,SACqB;CACrB,MAAM,OAAO,UAAU,MAAM;CAC7B,MAAM,KAAK,QAAQ,MAAM,KAAK;AAC9B,KAAI,CAAC,GAAI,QAAO;CAGhB,IAAI,UAAU;AACd,KAAI,SACH;OAAK,MAAM,SAAS,OAAO,KAAK,QAAQ,CACvC,KAAI,mBAAmB,KAAK,MAAM,EAAE;AACnC,aAAU;AACV;;;CAQH,MAAM,mBAAmB,QAAQ,IAAI,MAAM,kBAAkB;AAC7D,KAAI,qBAAqB,QAAQ,OAAO,qBAAqB,UAAU;EACtE,MAAM,MAAM,QAAQ,IAAI,kBAAkB,QAAQ;AAClD,MAAI,OAAO,QAAQ,SAAU,QAAO,aAAa,KAAK,GAAG;;CAI1D,MAAM,QAAQ,KADE,mBAAmB,YAAY;CAE/C,IAAI;AACJ,KAAI,iBAAiB,KACpB,cAAa,MAAM,aAAa;UACtB,OAAO,UAAU,YAAY,OAAO,UAAU,SACxD,cAAa,OAAO,MAAM;KAI1B,cAAa;AAEd,QAAO,aAAa,YAAY,GAAG;;;;;;;;;;;AAYpC,SAAS,mBAAmB,MAAc,QAAmC;AAC5E,KAAI,CAAC,OAAQ,QAAO,cAAc,KAAK;AASvC,QAAO,cAAc,KAAK,GARZ;EACb,OAAO,UAAU;EACjB,OAAO,SAAS;EAChB,OAAO,UAAU;EACjB,OAAO,QAAQ,gBAAgB,OAAO,MAAM,GAAG;EAC/C,OAAO,UAAU,KAAK,UAAU,OAAO,QAAQ,GAAG;EAClD,OAAO,UAAU;EACjB,CACkC,KAAK,IAAI;;AAG7C,SAAS,gBAAgB,OAAwC;AAChE,QAAO,KAAK,UAAU,YAAY,MAAM,CAAC;;AAG1C,SAAS,YAAY,OAAyD;CAC7E,MAAM,OAAO,OAAO,KAAK,MAAM,CAAC,UAAU;CAC1C,MAAM,UAAmC,EAAE;AAC3C,MAAK,MAAM,KAAK,MAAM;EACrB,MAAM,IAAI,MAAM;AAChB,MAAI,SAAS,EAAE,CACd,SAAQ,KAAK,YAAY,EAAE;MAE3B,SAAQ,KAAK;;AAGf,QAAO;;AAGR,eAAe,4BACd,MACA,QAC+B;CAE/B,MAAM,EAAE,sBAAsB,MAAM,OAAO;CAI3C,MAAM,MAAM,mBAAmB;CAC/B,MAAM,aAAa,eAAe;CAClC,MAAM,iBACL,QAAQ,UAAU,KAAK,WAAW,eAAe,GAAG,WAAY,gBAAgB;CAEjF,MAAM,iBAAiB,QAAQ;CAW/B,MAAM,EAAE,SAAS,OAAO,cAVT,MAAM,kBAAkB,iBAAiB;EACvD;EACA,QAAQ,QAAQ;EAChB,OAAO,kBAAkB,iBAAiB,IAAI,iBAAiB,IAAI,QAAQ;EAC3E,QAAQ,QAAQ;EAChB,OAAO,QAAQ;EACf,SAAS,QAAQ;EACjB,QAAQ;EACR,CAAC;AAIF,KAAI,MACH,QAAO;EAAE,SAAS,EAAE;EAAE;EAAO,WAAW,EAAE;EAAE;CAG7C,MAAM,UAAU,kBAAkB,QAAQ,iBAAiB,KAAK,QAAQ,SAAS;CACjF,MAAM,cAAc,UAAU,QAAQ,MAAM,GAAG,eAAe,GAAG;CACjE,MAAM,aAAa,UAAU,kBAAkB,YAAY,GAAG,GAAG,EAAE,QAAQ,QAAQ,GAAG;CAEtF,MAAM,aAAa,KAAK,YAAY;CACpC,MAAM,kBAAkB,YAAY,KAAK,UAA2B;EACnE,MAAM,OAAO,gBAAgB,MAAM;AACnC,MAAI,WACH,mBAAkB,UAAU,MAAM,EAAE,MAAM,KAAK;AAEhD,SAAO;GACN,GAAG;GACH,MAAM,aAAa,eAAe,MAAM,MAAM,iBAAiB,MAAM,CAAC,GAAG,YAAY;GACrF;GACA;AAKF,OAAM,QAAQ,IAAI,CACjB,oBAAoB,MAAM,gBAAgB,EAG1C,kBAAkB,MAAM,iBAAiB,eAAe,CACxD,CAAC;AAEF,QAAO;EAAE,SAAS;EAAiB;EAAY,WAAW,aAAa,EAAE;EAAE;;;;;;;;;;;;;;;;;;;;;;AAuB5E,eAAsB,eACrB,MACA,IACA,SAC0B;CAE1B,MAAM,EAAE,iBAAiB,MAAM,OAAO;CAGtC,MAAM,MAAM,mBAAmB;CAC/B,MAAM,UAAU,KAAK;CACrB,MAAM,aAAa,KAAK,YAAY;CACpC,MAAM,gBAAgB,CAAC,CAAC,WAAW,QAAQ,eAAe;CAE1D,MAAM,cAAc,iBAAiB;CAGrC,MAAM,kBAAkB,SAAS,UAAU,KAAK;;CAGhD,SAAS,UAAU,KAAuC;EACzD,MAAM,OAAO,gBAAgB,IAAI;AACjC,MAAI,WACH,mBAAkB,UAAU,IAAI,EAAE,MAAM,KAAK;AAE9C,SAAO;GACN,GAAG;GACH,MAAM,aAAa,eAAe,MAAM,MAAM,iBAAiB,IAAI,CAAC,GAAG,YAAY;GACnF;;;CAIF,SAAS,UAAU,OAAiC;EACnD,MAAM,OAAO,UAAU,MAAM;EAC7B,MAAM,SAAS,QAAQ,MAAM,SAAS;EACtC,MAAM,cAAc,QAAQ,MAAM,cAAc,IAAI;AAIpD,SAHoB,WAAW,eAGT,CAAC,EADtB,WAAW,eAAe,eAAe,IAAI,KAAK,YAAY,oBAAI,IAAI,MAAM;;CAM9E,MAAM,cACL,mBAAmB,eAAe,GAAG,iBAAiB,gBAAgB,GAAG,CAAC,gBAAgB;;CAG3F,eAAe,cACd,SACA,MAC0B;EAK1B,MAAM,aAAa,eAAe,GAC/B,QAAQ,UAAU,QAAQ,EAAE,SAAS,IAAI,SACzC;AACH,QAAM,QAAQ,IAAI,CACjB,oBAAoB,MAAM,CAAC,QAAQ,CAAC,EACpC,kBAAkB,MAAM,CAAC,QAAQ,EAAE,WAAW,CAC9C,CAAC;AACF,SAAO;GACN,OAAO;GACP,WAAW,KAAK;GAChB,gBAAgB,KAAK;GACrB,WAAW,KAAK;GAChB;;AAGF,KAAI,aAAa;AAEhB,OAAK,IAAI,IAAI,GAAG,IAAI,YAAY,QAAQ,KAAK;GAC5C,MAAM,SAAS,YAAY;GAC3B,MAAM,iBAAiB,IAAI,IAAI,SAAS;GAExC,MAAM,EACL,OAAO,WACP,OAAO,WACP,cACG,MAAM,aAAa,iBAAiB;IACvC;IACA;IACA;IACA,CAAC;AAEF,OAAI,UACH,QAAO;IAAE,OAAO;IAAM,OAAO;IAAW,WAAW;IAAa,WAAW,EAAE;IAAE;AAGhF,OAAI,CAAC,UAAW;AAIhB,OAAI,iBAAiB,CAAC,YAAY;IACjC,MAAM,OAAO,gBAAgB,UAAU;AACvC,QAAI,QAAQ,OAAO,QAAQ,QAAQ,OAAO,IAAI;AAE7C,SAAI,UAAU,UAAU,CACvB,QAAO,cAAc,UAAU,UAAU,EAAE;MAC1C,WAAW;MACX;MACA,WAAW,aAAa,EAAE;MAC1B,CAAC;AAGH;;;GAMF,MAAM,kBAAkB,QADP,UAAU,UAAU,EACK,kBAAkB,IAAI;AAEhE,OAAI,iBAAiB;IACpB,MAAM,EAAE,OAAO,YAAY,OAAO,eAAe,MAAM,aAAa,iBAAiB;KACpF;KACA;KACA,YAAY;KACZ;KACA,CAAC;AAEF,QAAI,CAAC,cAAc,WAClB,QAAO,cAAc,UAAU,WAAW,EAAE;KAC3C,WAAW;KACX;KACA,WAAW,aAAa,EAAE;KAC1B,CAAC;;AAIJ,UAAO,cAAc,UAAU,UAAU,EAAE;IAC1C,WAAW;IACX;IACA,WAAW,aAAa,EAAE;IAC1B,CAAC;;AAIH,SAAO;GAAE,OAAO;GAAM,WAAW;GAAa,WAAW,EAAE;GAAE;;AAI9D,MAAK,IAAI,IAAI,GAAG,IAAI,YAAY,QAAQ,KAAK;EAC5C,MAAM,SAAS,YAAY;EAC3B,MAAM,iBAAiB,IAAI,IAAI,SAAS;EAExC,MAAM,EAAE,OAAO,OAAO,cAAc,MAAM,aAAa,iBAAiB;GAAE;GAAM;GAAI;GAAQ,CAAC;AAC7F,MAAI,MACH,QAAO;GAAE,OAAO;GAAM;GAAO,WAAW;GAAO,WAAW,EAAE;GAAE;AAG/D,MAAI,SAAS,UAAU,MAAM,CAC5B,QAAO,cAAc,UAAU,MAAM,EAAE;GACtC,WAAW;GACX;GACA,WAAW,aAAa,EAAE;GAC1B,CAAC;;AAKJ,QAAO;EAAE,OAAO;EAAM,WAAW;EAAO,WAAW,EAAE;EAAE;;;;;;;;;;;AAYxD,eAAe,oBAAuB,MAAc,SAA2C;AAC9F,KAAI,QAAQ,WAAW,EAAG;AAE1B,KAAI;EACH,MAAM,EAAE,yBAAyB,MAAM,OAAO;EAE9C,MAAM,OAAO,QACX,KAAK,MAAM;GACX,MAAM,OAAO,UAAU,EAAE;GACzB,MAAM,KAAK,QAAQ,MAAM,KAAK;AAC9B,OAAI,CAAC,GAAI,QAAO;AAChB,UAAO;IACN;IACA,UAAU,QAAQ,MAAM,WAAW,IAAI;IACvC,iBAAiB,QAAQ,MAAM,kBAAkB,IAAI;IACrD,QAAQ,QAAQ,MAAM,SAAS,IAAI;IACnC;IACA,CACD,QAEC,MAMI,MAAM,KACX;AACF,MAAI,KAAK,WAAW,EAAG;EAEvB,MAAM,aAAa,MAAM,qBAAqB,MAAM,KAAK;AAEzD,OAAK,MAAM,SAAS,SAAS;GAC5B,MAAM,OAAO,UAAU,MAAM;GAC7B,MAAM,OAAO,QAAQ,MAAM,KAAK;AAChC,OAAI,CAAC,KAAM;GAEX,MAAM,UAAU,WAAW,IAAI,KAAK,IAAI,EAAE;AAC1C,QAAK,UAAU;AACf,QAAK,SAAS,QAAQ,IAAI,UAAU;;UAE7B,KAAK;AAIb,MAAI,CAAC,oBAAoB,IAAI,EAAE;GAC9B,MAAM,MAAM,eAAe,QAAQ,IAAI,UAAU,OAAO,IAAI;AAC5D,WAAQ,KAAK,uCAAuC,IAAI;;;;;;;;;;;;;;;;;;;;;;;AAwB3D,eAAe,kBACd,MACA,SACA,QACgB;AAChB,KAAI,QAAQ,WAAW,EAAG;AAE1B,KAAI;EACH,MAAM,EAAE,0BAA0B,MAAM,OAAO;EAE/C,MAAM,MAAM,QAAQ,KAAK,MAAM,QAAQ,UAAU,EAAE,EAAE,KAAK,CAAC,CAAC,OAAO,QAAQ;AAC3E,MAAI,IAAI,WAAW,EAAG;EAEtB,MAAM,WAAW,MAAM,sBAAsB,MAAM,KAAK,EAAE,QAAQ,CAAC;AAEnE,OAAK,MAAM,SAAS,SAAS;GAC5B,MAAM,OAAO,UAAU,MAAM;GAC7B,MAAM,OAAO,QAAQ,MAAM,KAAK;AAChC,OAAI,CAAC,KAAM;AAEX,QAAK,QAAQ,SAAS,IAAI,KAAK,IAAI,EAAE;;UAE9B,KAAK;AAIb,MAAI,CAAC,oBAAoB,IAAI,EAAE;GAC9B,MAAM,MAAM,eAAe,QAAQ,IAAI,UAAU,OAAO,IAAI;AAC5D,WAAQ,KAAK,qCAAqC,IAAI;;;;;;;;;;;;;;;;;;;AA8CzD,eAAsB,gBAAgB,MAAc,IAAyC;AAC5F,KAAI;EACH,MAAM,MAAM,MAAM,OAAO,2CAAgB;EACzC,MAAM,aAAa,MAAM,IAAI;EAC7B,MAAM,EAAE,sBAAsB,MAAM,OAAO;EAC3C,MAAM,OAAO,IAAI,kBAAkB,WAAW;EAG9C,MAAM,OAAO,MAAM,KAAK,eAAe,MAAM,GAAG;AAChD,MAAI,CAAC,KACJ,QAAO;GACN,kBAAkB;GAClB,cAAc,EAAE;GAChB,uBAAO,IAAI,MAAM,2BAA2B,KAAK;GACjD;EAGF,MAAM,QAAQ,KAAK,oBAAoB,KAAK;AAG5C,SAAO;GACN,kBAAkB;GAClB,eAJoB,MAAM,KAAK,iBAAiB,MAAM,MAAM,EAIjC,KAAK,OAAO;IACtC,IAAI,EAAE;IACN,QAAQ,EAAE,UAAU;IACpB,MAAM,EAAE;IACR,QAAQ,EAAE;IACV,EAAE;GACH;UACO,OAAO;AACf,SAAO;GACN,kBAAkB;GAClB,cAAc,EAAE;GAChB,OAAO,iBAAiB,QAAQ,QAAQ,IAAI,MAAM,OAAO,MAAM,CAAC;GAChE;;;;AAiBH,MAAM,oBAAoB;;AAG1B,SAAS,eAAe,SAA0D;CACjF,MAAM,aAAuB,EAAE;CAC/B,MAAM,WAAW,QAAQ,QAAQ,oBAAoB,QAAQ,SAAiB;AAC7E,aAAW,KAAK,KAAK;AACrB,SAAO;GACN;AACF,QAAO;EAAE,OAAO,IAAI,OAAO,IAAI,SAAS,GAAG;EAAE;EAAY;;AAS1D,IAAI,oBAA4C;;;;;AAMhD,SAAgB,4BAAkC;AACjD,qBAAoB;;;;;;;;;;;;;;;;;;;;;AAsBrB,eAAsB,kBACrB,MACuC;AAEvC,KAAI,CAAC,mBAAmB;EACvB,MAAM,EAAE,UAAU,MAAM,OAAO;EAC/B,MAAM,EAAE,mBAAmB,MAAM,OAAO;EAGxC,MAAM,cAAc,MADH,IAAI,eADV,MAAM,OAAO,CACe,CACJ,iBAAiB;AAEpD,sBAAoB,EAAE;AACtB,OAAK,MAAM,cAAc,aAAa;AACrC,OAAI,CAAC,WAAW,WAAY;GAC5B,MAAM,EAAE,OAAO,eAAe,eAAe,WAAW,WAAW;AACnE,qBAAkB,KAAK;IAAE,MAAM,WAAW;IAAM;IAAO;IAAY,CAAC;;;AAItE,MAAK,MAAM,WAAW,mBAAmB;EACxC,MAAM,QAAQ,KAAK,MAAM,QAAQ,MAAM;AACvC,MAAI,CAAC,MAAO;EAGZ,MAAM,SAAiC,EAAE;AACzC,OAAK,IAAI,IAAI,GAAG,IAAI,QAAQ,WAAW,QAAQ,IAC9C,QAAO,QAAQ,WAAW,MAAM,MAAM,IAAI;EAI3C,MAAM,OAAO,OAAO;AACpB,MAAI,CAAC,KAAM;EAEX,MAAM,EAAE,UAAU,MAAM,eAA0B,QAAQ,MAAM,KAAK;AACrE,MAAI,MACH,QAAO;GAAE;GAAO,YAAY,QAAQ;GAAM;GAAQ;;AAIpD,QAAO"}

package/dist/{rate-limit-BI1OdpQH.mjs → rate-limit-ClFFUga6.mjs}

@@ -1,4 +1,4 @@
-import { t as apiError } from "./error-Bk9s3Ism.mjs";
+import { t as apiError } from "./error-RwM4dD35.mjs";
 import { sql } from "kysely";
 
 //#region src/auth/rate-limit.ts
@@ -117,4 +117,4 @@ async function cleanupExpiredRateLimits(db, maxAgeSeconds = 3600) {
 
 //#endregion
 export { getClientIp as n, rateLimitResponse as r, checkRateLimit as t };
-//# sourceMappingURL=rate-limit-BI1OdpQH.mjs.map
+//# sourceMappingURL=rate-limit-ClFFUga6.mjs.map

package/dist/{rate-limit-BI1OdpQH.mjs.map → rate-limit-ClFFUga6.mjs.map}

@@ -1 +1 @@
-{"version":3,"file":"rate-limit-BI1OdpQH.mjs","names":[],"sources":["../src/auth/rate-limit.ts"],"sourcesContent":["/**\n * Database-backed rate limiter for unauthenticated endpoints.\n *\n * Uses a `_emdash_rate_limits` table with composite primary key (key, window).\n * Each call to `checkRateLimit` atomically upserts a counter and returns\n * whether the request is within the allowed limit.\n *\n * Key format: `{ip}:{endpoint}` — limits are per-IP, per-endpoint.\n * Window format: ISO timestamp truncated to the window size.\n */\n\nimport type { Kysely } from \"kysely\";\nimport { sql } from \"kysely\";\n\nimport { apiError } from \"../api/error.js\";\nimport type { Database } from \"../database/types.js\";\n\n/** Loose validation for IPv4 and IPv6 addresses. */\nconst IP_PATTERN = /^[\\da-fA-F.:]+$/;\n\n/**\n * Result of a rate limit check.\n */\nexport interface RateLimitResult {\n\t/** Whether the request is allowed (within limit). */\n\tallowed: boolean;\n\t/** Current request count in this window. */\n\tcount: number;\n\t/** Maximum requests allowed in this window. */\n\tlimit: number;\n}\n\n/**\n * Check (and increment) the rate limit for a given IP + endpoint.\n *\n * If `ip` is null (no trusted IP available), rate limiting is skipped\n * and the request is allowed. There's no meaningful key to rate limit\n * on when the IP is unknown.\n *\n * Returns whether the request is allowed. The counter is always\n * incremented — even when the limit is exceeded — so that repeated\n * abuse doesn't reset the window.\n *\n * Piggybacks cleanup of expired entries with a 1% probability\n * to prevent unbounded table growth.\n */\nexport async function checkRateLimit(\n\tdb: Kysely<Database>,\n\tip: string | null,\n\tendpoint: string,\n\tmaxRequests: number,\n\twindowSeconds: number,\n): Promise<RateLimitResult> {\n\t// No trusted IP — skip rate limiting entirely\n\tif (!ip) {\n\t\treturn { allowed: true, count: 0, limit: maxRequests };\n\t}\n\n\tconst windowStart = new Date(\n\t\tMath.floor(Date.now() / (windowSeconds * 1000)) * windowSeconds * 1000,\n\t).toISOString();\n\tconst key = `${ip}:${endpoint}`;\n\n\t// Atomic upsert: insert or increment, return current count\n\tconst result = await sql<{ count: number }>`\n\t\tINSERT INTO _emdash_rate_limits (key, \"window\", count)\n\t\tVALUES (${key}, ${windowStart}, 1)\n\t\tON CONFLICT (key, \"window\")\n\t\tDO UPDATE SET count = _emdash_rate_limits.count + 1\n\t\tRETURNING count\n\t`.execute(db);\n\n\tconst count = result.rows[0]?.count ?? 1;\n\n\t// Piggyback cleanup: 1% chance per request to clean expired entries\n\tif (Math.random() < 0.01) {\n\t\tcleanupExpiredRateLimits(db).catch(() => {\n\t\t\t// Swallow errors — cleanup is best-effort\n\t\t});\n\t}\n\n\treturn {\n\t\tallowed: count <= maxRequests,\n\t\tcount,\n\t\tlimit: maxRequests,\n\t};\n}\n\n/**\n * Build a 429 Too Many Requests response with standard headers.\n */\nexport function rateLimitResponse(retryAfterSeconds: number): Response {\n\tconst response = apiError(\"RATE_LIMITED\", \"Too many requests. Please try again later.\", 429);\n\tresponse.headers.set(\"Retry-After\", String(retryAfterSeconds));\n\treturn response;\n}\n\n/**\n * Extract client IP from a Request.\n *\n * Resolution order:\n * 1. `CF-Connecting-IP` — trusted only when the Cloudflare `cf` object is\n *    present. CF edge overwrites any client-supplied value, so this is the\n *    cryptographically trustworthy path on Workers. Operator-declared\n *    trusted headers cannot override it.\n * 2. `X-Forwarded-For` (first entry) — trusted only when the `cf` object\n *    is present (CF sets this reliably).\n * 3. Operator-declared trusted proxy headers (ordered list) — used as a\n *    fallback for non-CF deployments behind a reverse proxy the operator\n *    controls. Also applies as a fill-in on CF when the CF headers are\n *    absent (e.g. internal cron handlers).\n * 4. `null` — no trusted IP available. Callers must handle this gracefully\n *    (e.g. skip rate limiting).\n *\n * Pass `trustedHeaders` from `getTrustedProxyHeaders(emdash.config)` so\n * self-hosted non-CF deployments can opt into reading a specific header.\n *\n * Aligned with `extractRequestMeta` in `plugins/request-meta.ts`.\n */\nexport function getClientIp(request: Request, trustedHeaders: string[] = []): string | null {\n\tconst headers = request.headers;\n\t// eslint-disable-next-line typescript/no-unsafe-type-assertion -- CF Workers runtime shape\n\tconst cf = (request as unknown as { cf?: Record<string, unknown> }).cf;\n\n\t// On Cloudflare, prefer the cryptographically trustworthy headers. An\n\t// attacker can't spoof these — the CF edge strips/overwrites them.\n\tif (cf) {\n\t\tconst cfIp = headers.get(\"cf-connecting-ip\")?.trim();\n\t\tif (cfIp && IP_PATTERN.test(cfIp)) {\n\t\t\treturn cfIp;\n\t\t}\n\n\t\tconst xff = headers.get(\"x-forwarded-for\");\n\t\tif (xff) {\n\t\t\tconst first = xff.split(\",\")[0]?.trim();\n\t\t\tif (first && IP_PATTERN.test(first)) {\n\t\t\t\treturn first;\n\t\t\t}\n\t\t}\n\t}\n\n\t// Fall through to operator-declared trusted headers. On CF this fills\n\t// in when the CF headers are absent; off-CF it's the primary source.\n\tfor (const name of trustedHeaders) {\n\t\tconst value = readIpFromHeader(headers, name);\n\t\tif (value) return value;\n\t}\n\n\treturn null;\n}\n\n/**\n * Read an IP from an operator-declared trusted header. XFF-style headers\n * are parsed as comma-separated lists and the first entry is used.\n */\nfunction readIpFromHeader(headers: Headers, name: string): string | null {\n\tconst value = headers.get(name);\n\tif (!value) return null;\n\tif (name.toLowerCase().endsWith(\"forwarded-for\")) {\n\t\tconst first = value.split(\",\")[0]?.trim();\n\t\tif (!first) return null;\n\t\treturn IP_PATTERN.test(first) ? first : null;\n\t}\n\tconst trimmed = value.trim();\n\tif (!trimmed) return null;\n\treturn IP_PATTERN.test(trimmed) ? trimmed : null;\n}\n\n/**\n * Delete expired rate limit entries.\n *\n * Entries with a window timestamp older than `maxAgeSeconds` are removed.\n * Safe to call periodically (e.g., from cron cleanup or on-request piggyback).\n */\nexport async function cleanupExpiredRateLimits(\n\tdb: Kysely<Database>,\n\tmaxAgeSeconds = 3600,\n): Promise<number> {\n\tconst cutoff = new Date(Date.now() - maxAgeSeconds * 1000).toISOString();\n\n\tconst result = await sql`\n\t\tDELETE FROM _emdash_rate_limits WHERE \"window\" < ${cutoff}\n\t`.execute(db);\n\n\treturn Number(result.numAffectedRows ?? 0);\n}\n"],"mappings":";;;;;AAkBA,MAAM,aAAa;;;;;;;;;;;;;;;AA4BnB,eAAsB,eACrB,IACA,IACA,UACA,aACA,eAC2B;AAE3B,KAAI,CAAC,GACJ,QAAO;EAAE,SAAS;EAAM,OAAO;EAAG,OAAO;EAAa;CAGvD,MAAM,+BAAc,IAAI,KACvB,KAAK,MAAM,KAAK,KAAK,IAAI,gBAAgB,KAAM,GAAG,gBAAgB,IAClE,EAAC,aAAa;CAYf,MAAM,SARS,MAAM,GAAsB;;YAH/B,GAAG,GAAG,GAAG,WAKN,IAAI,YAAY;;;;GAI7B,QAAQ,GAAG,EAEQ,KAAK,IAAI,SAAS;AAGvC,KAAI,KAAK,QAAQ,GAAG,IACnB,0BAAyB,GAAG,CAAC,YAAY,GAEvC;AAGH,QAAO;EACN,SAAS,SAAS;EAClB;EACA,OAAO;EACP;;;;;AAMF,SAAgB,kBAAkB,mBAAqC;CACtE,MAAM,WAAW,SAAS,gBAAgB,8CAA8C,IAAI;AAC5F,UAAS,QAAQ,IAAI,eAAe,OAAO,kBAAkB,CAAC;AAC9D,QAAO;;;;;;;;;;;;;;;;;;;;;;;;AAyBR,SAAgB,YAAY,SAAkB,iBAA2B,EAAE,EAAiB;CAC3F,MAAM,UAAU,QAAQ;AAMxB,KAJY,QAAwD,IAI5D;EACP,MAAM,OAAO,QAAQ,IAAI,mBAAmB,EAAE,MAAM;AACpD,MAAI,QAAQ,WAAW,KAAK,KAAK,CAChC,QAAO;EAGR,MAAM,MAAM,QAAQ,IAAI,kBAAkB;AAC1C,MAAI,KAAK;GACR,MAAM,QAAQ,IAAI,MAAM,IAAI,CAAC,IAAI,MAAM;AACvC,OAAI,SAAS,WAAW,KAAK,MAAM,CAClC,QAAO;;;AAOV,MAAK,MAAM,QAAQ,gBAAgB;EAClC,MAAM,QAAQ,iBAAiB,SAAS,KAAK;AAC7C,MAAI,MAAO,QAAO;;AAGnB,QAAO;;;;;;AAOR,SAAS,iBAAiB,SAAkB,MAA6B;CACxE,MAAM,QAAQ,QAAQ,IAAI,KAAK;AAC/B,KAAI,CAAC,MAAO,QAAO;AACnB,KAAI,KAAK,aAAa,CAAC,SAAS,gBAAgB,EAAE;EACjD,MAAM,QAAQ,MAAM,MAAM,IAAI,CAAC,IAAI,MAAM;AACzC,MAAI,CAAC,MAAO,QAAO;AACnB,SAAO,WAAW,KAAK,MAAM,GAAG,QAAQ;;CAEzC,MAAM,UAAU,MAAM,MAAM;AAC5B,KAAI,CAAC,QAAS,QAAO;AACrB,QAAO,WAAW,KAAK,QAAQ,GAAG,UAAU;;;;;;;;AAS7C,eAAsB,yBACrB,IACA,gBAAgB,MACE;CAGlB,MAAM,SAAS,MAAM,GAAG;sEAFT,IAAI,KAAK,KAAK,KAAK,GAAG,gBAAgB,IAAK,EAAC,aAAa,CAGb;GACzD,QAAQ,GAAG;AAEb,QAAO,OAAO,OAAO,mBAAmB,EAAE"}
+{"version":3,"file":"rate-limit-ClFFUga6.mjs","names":[],"sources":["../src/auth/rate-limit.ts"],"sourcesContent":["/**\n * Database-backed rate limiter for unauthenticated endpoints.\n *\n * Uses a `_emdash_rate_limits` table with composite primary key (key, window).\n * Each call to `checkRateLimit` atomically upserts a counter and returns\n * whether the request is within the allowed limit.\n *\n * Key format: `{ip}:{endpoint}` — limits are per-IP, per-endpoint.\n * Window format: ISO timestamp truncated to the window size.\n */\n\nimport type { Kysely } from \"kysely\";\nimport { sql } from \"kysely\";\n\nimport { apiError } from \"../api/error.js\";\nimport type { Database } from \"../database/types.js\";\n\n/** Loose validation for IPv4 and IPv6 addresses. */\nconst IP_PATTERN = /^[\\da-fA-F.:]+$/;\n\n/**\n * Result of a rate limit check.\n */\nexport interface RateLimitResult {\n\t/** Whether the request is allowed (within limit). */\n\tallowed: boolean;\n\t/** Current request count in this window. */\n\tcount: number;\n\t/** Maximum requests allowed in this window. */\n\tlimit: number;\n}\n\n/**\n * Check (and increment) the rate limit for a given IP + endpoint.\n *\n * If `ip` is null (no trusted IP available), rate limiting is skipped\n * and the request is allowed. There's no meaningful key to rate limit\n * on when the IP is unknown.\n *\n * Returns whether the request is allowed. The counter is always\n * incremented — even when the limit is exceeded — so that repeated\n * abuse doesn't reset the window.\n *\n * Piggybacks cleanup of expired entries with a 1% probability\n * to prevent unbounded table growth.\n */\nexport async function checkRateLimit(\n\tdb: Kysely<Database>,\n\tip: string | null,\n\tendpoint: string,\n\tmaxRequests: number,\n\twindowSeconds: number,\n): Promise<RateLimitResult> {\n\t// No trusted IP — skip rate limiting entirely\n\tif (!ip) {\n\t\treturn { allowed: true, count: 0, limit: maxRequests };\n\t}\n\n\tconst windowStart = new Date(\n\t\tMath.floor(Date.now() / (windowSeconds * 1000)) * windowSeconds * 1000,\n\t).toISOString();\n\tconst key = `${ip}:${endpoint}`;\n\n\t// Atomic upsert: insert or increment, return current count\n\tconst result = await sql<{ count: number }>`\n\t\tINSERT INTO _emdash_rate_limits (key, \"window\", count)\n\t\tVALUES (${key}, ${windowStart}, 1)\n\t\tON CONFLICT (key, \"window\")\n\t\tDO UPDATE SET count = _emdash_rate_limits.count + 1\n\t\tRETURNING count\n\t`.execute(db);\n\n\tconst count = result.rows[0]?.count ?? 1;\n\n\t// Piggyback cleanup: 1% chance per request to clean expired entries\n\tif (Math.random() < 0.01) {\n\t\tcleanupExpiredRateLimits(db).catch(() => {\n\t\t\t// Swallow errors — cleanup is best-effort\n\t\t});\n\t}\n\n\treturn {\n\t\tallowed: count <= maxRequests,\n\t\tcount,\n\t\tlimit: maxRequests,\n\t};\n}\n\n/**\n * Build a 429 Too Many Requests response with standard headers.\n */\nexport function rateLimitResponse(retryAfterSeconds: number): Response {\n\tconst response = apiError(\"RATE_LIMITED\", \"Too many requests. Please try again later.\", 429);\n\tresponse.headers.set(\"Retry-After\", String(retryAfterSeconds));\n\treturn response;\n}\n\n/**\n * Extract client IP from a Request.\n *\n * Resolution order:\n * 1. `CF-Connecting-IP` — trusted only when the Cloudflare `cf` object is\n *    present. CF edge overwrites any client-supplied value, so this is the\n *    cryptographically trustworthy path on Workers. Operator-declared\n *    trusted headers cannot override it.\n * 2. `X-Forwarded-For` (first entry) — trusted only when the `cf` object\n *    is present (CF sets this reliably).\n * 3. Operator-declared trusted proxy headers (ordered list) — used as a\n *    fallback for non-CF deployments behind a reverse proxy the operator\n *    controls. Also applies as a fill-in on CF when the CF headers are\n *    absent (e.g. internal cron handlers).\n * 4. `null` — no trusted IP available. Callers must handle this gracefully\n *    (e.g. skip rate limiting).\n *\n * Pass `trustedHeaders` from `getTrustedProxyHeaders(emdash.config)` so\n * self-hosted non-CF deployments can opt into reading a specific header.\n *\n * Aligned with `extractRequestMeta` in `plugins/request-meta.ts`.\n */\nexport function getClientIp(request: Request, trustedHeaders: string[] = []): string | null {\n\tconst headers = request.headers;\n\t// eslint-disable-next-line typescript/no-unsafe-type-assertion -- CF Workers runtime shape\n\tconst cf = (request as unknown as { cf?: Record<string, unknown> }).cf;\n\n\t// On Cloudflare, prefer the cryptographically trustworthy headers. An\n\t// attacker can't spoof these — the CF edge strips/overwrites them.\n\tif (cf) {\n\t\tconst cfIp = headers.get(\"cf-connecting-ip\")?.trim();\n\t\tif (cfIp && IP_PATTERN.test(cfIp)) {\n\t\t\treturn cfIp;\n\t\t}\n\n\t\tconst xff = headers.get(\"x-forwarded-for\");\n\t\tif (xff) {\n\t\t\tconst first = xff.split(\",\")[0]?.trim();\n\t\t\tif (first && IP_PATTERN.test(first)) {\n\t\t\t\treturn first;\n\t\t\t}\n\t\t}\n\t}\n\n\t// Fall through to operator-declared trusted headers. On CF this fills\n\t// in when the CF headers are absent; off-CF it's the primary source.\n\tfor (const name of trustedHeaders) {\n\t\tconst value = readIpFromHeader(headers, name);\n\t\tif (value) return value;\n\t}\n\n\treturn null;\n}\n\n/**\n * Read an IP from an operator-declared trusted header. XFF-style headers\n * are parsed as comma-separated lists and the first entry is used.\n */\nfunction readIpFromHeader(headers: Headers, name: string): string | null {\n\tconst value = headers.get(name);\n\tif (!value) return null;\n\tif (name.toLowerCase().endsWith(\"forwarded-for\")) {\n\t\tconst first = value.split(\",\")[0]?.trim();\n\t\tif (!first) return null;\n\t\treturn IP_PATTERN.test(first) ? first : null;\n\t}\n\tconst trimmed = value.trim();\n\tif (!trimmed) return null;\n\treturn IP_PATTERN.test(trimmed) ? trimmed : null;\n}\n\n/**\n * Delete expired rate limit entries.\n *\n * Entries with a window timestamp older than `maxAgeSeconds` are removed.\n * Safe to call periodically (e.g., from cron cleanup or on-request piggyback).\n */\nexport async function cleanupExpiredRateLimits(\n\tdb: Kysely<Database>,\n\tmaxAgeSeconds = 3600,\n): Promise<number> {\n\tconst cutoff = new Date(Date.now() - maxAgeSeconds * 1000).toISOString();\n\n\tconst result = await sql`\n\t\tDELETE FROM _emdash_rate_limits WHERE \"window\" < ${cutoff}\n\t`.execute(db);\n\n\treturn Number(result.numAffectedRows ?? 0);\n}\n"],"mappings":";;;;;AAkBA,MAAM,aAAa;;;;;;;;;;;;;;;AA4BnB,eAAsB,eACrB,IACA,IACA,UACA,aACA,eAC2B;AAE3B,KAAI,CAAC,GACJ,QAAO;EAAE,SAAS;EAAM,OAAO;EAAG,OAAO;EAAa;CAGvD,MAAM,+BAAc,IAAI,KACvB,KAAK,MAAM,KAAK,KAAK,IAAI,gBAAgB,KAAM,GAAG,gBAAgB,IAClE,EAAC,aAAa;CAYf,MAAM,SARS,MAAM,GAAsB;;YAH/B,GAAG,GAAG,GAAG,WAKN,IAAI,YAAY;;;;GAI7B,QAAQ,GAAG,EAEQ,KAAK,IAAI,SAAS;AAGvC,KAAI,KAAK,QAAQ,GAAG,IACnB,0BAAyB,GAAG,CAAC,YAAY,GAEvC;AAGH,QAAO;EACN,SAAS,SAAS;EAClB;EACA,OAAO;EACP;;;;;AAMF,SAAgB,kBAAkB,mBAAqC;CACtE,MAAM,WAAW,SAAS,gBAAgB,8CAA8C,IAAI;AAC5F,UAAS,QAAQ,IAAI,eAAe,OAAO,kBAAkB,CAAC;AAC9D,QAAO;;;;;;;;;;;;;;;;;;;;;;;;AAyBR,SAAgB,YAAY,SAAkB,iBAA2B,EAAE,EAAiB;CAC3F,MAAM,UAAU,QAAQ;AAMxB,KAJY,QAAwD,IAI5D;EACP,MAAM,OAAO,QAAQ,IAAI,mBAAmB,EAAE,MAAM;AACpD,MAAI,QAAQ,WAAW,KAAK,KAAK,CAChC,QAAO;EAGR,MAAM,MAAM,QAAQ,IAAI,kBAAkB;AAC1C,MAAI,KAAK;GACR,MAAM,QAAQ,IAAI,MAAM,IAAI,CAAC,IAAI,MAAM;AACvC,OAAI,SAAS,WAAW,KAAK,MAAM,CAClC,QAAO;;;AAOV,MAAK,MAAM,QAAQ,gBAAgB;EAClC,MAAM,QAAQ,iBAAiB,SAAS,KAAK;AAC7C,MAAI,MAAO,QAAO;;AAGnB,QAAO;;;;;;AAOR,SAAS,iBAAiB,SAAkB,MAA6B;CACxE,MAAM,QAAQ,QAAQ,IAAI,KAAK;AAC/B,KAAI,CAAC,MAAO,QAAO;AACnB,KAAI,KAAK,aAAa,CAAC,SAAS,gBAAgB,EAAE;EACjD,MAAM,QAAQ,MAAM,MAAM,IAAI,CAAC,IAAI,MAAM;AACzC,MAAI,CAAC,MAAO,QAAO;AACnB,SAAO,WAAW,KAAK,MAAM,GAAG,QAAQ;;CAEzC,MAAM,UAAU,MAAM,MAAM;AAC5B,KAAI,CAAC,QAAS,QAAO;AACrB,QAAO,WAAW,KAAK,QAAQ,GAAG,UAAU;;;;;;;;AAS7C,eAAsB,yBACrB,IACA,gBAAgB,MACE;CAGlB,MAAM,SAAS,MAAM,GAAG;sEAFT,IAAI,KAAK,KAAK,KAAK,GAAG,gBAAgB,IAAK,EAAC,aAAa,CAGb;GACzD,QAAQ,GAAG;AAEb,QAAO,OAAO,OAAO,mBAAmB,EAAE"}