flarecms 0.1.0 → 0.1.2

package/package.json

@@ -1,8 +1,11 @@
 {
   "name": "flarecms",
-  "version": "0.1.0",
+  "version": "0.1.2",
   "license": "MIT",
   "description": "FlareCMS Monorepo: A lightweight CsMS for the AI era.",
+  "files": [
+    "dist"
+  ],
   "keywords": [
     "cloudflare",
     "workers",
@@ -27,8 +30,7 @@
   "homepage": "https://flarecms.francy.dev",
   "scripts": {
     "build:style": "node ./scripts/prefix-css.mjs",
-    "build:client": "bun build ./src/client/main.tsx --outfile ./dist/main.js --minify",
-    "build:all": "bun run build:style && bun run build:client"
+    "build": "bun ../../scripts/build.ts"
   },
   "type": "module",
   "main": "./dist/index.js",
@@ -40,50 +42,43 @@
     "./server": "./dist/server/index.js",
     "./client": "./dist/client/index.js",
     "./style.css": {
-      "types": "./style.css.d.ts",
+      "types": "./dist/style.css.d.ts",
       "default": "./dist/style.css"
     },
     "./auth": "./dist/auth/index.js",
     "./db": "./dist/db/index.js",
     "./cli": "./dist/cli/index.js"
   },
-  "dependencies": {
-    "@base-ui/react": "^1.3.0",
+  "dependencies": {},
+  "devDependencies": {
     "@clack/prompts": "^0.7.0",
+    "@cloudflare/workers-types": "^4.20241022.0",
     "@fontsource-variable/geist": "^5.2.8",
-    "@hono/react-renderer": "^0.1.0",
     "@nanostores/persistent": "^1.3.3",
-    "@nanostores/query": "^0.1.0",
-    "@nanostores/react": "^0.8.4",
+    "@nanostores/query": "^0.3.4",
+    "@nanostores/react": "^1.1.0",
     "@nanostores/router": "^1.0.0",
     "@oslojs/crypto": "^1.0.1",
     "@oslojs/encoding": "^1.1.0",
-    "@radix-ui/react-avatar": "^1.1.11",
-    "@radix-ui/react-dialog": "^1.1.15",
-    "@radix-ui/react-label": "^2.1.8",
-    "@radix-ui/react-popover": "^1.1.15",
-    "@radix-ui/react-separator": "^1.1.8",
-    "@radix-ui/react-slot": "^1.2.4",
-    "@radix-ui/react-tabs": "^1.1.13",
-    "@radix-ui/react-tooltip": "^1.2.8",
     "@simplewebauthn/browser": "^13.3.0",
     "@simplewebauthn/server": "^13.3.0",
+    "@tailwindcss/cli": "^4.0.0",
+    "@tailwindcss/postcss": "^4.2.2",
     "@tanstack/react-virtual": "^3.13.23",
+    "@types/bun": "latest",
+    "autoprefixer": "^10.4.27",
     "class-variance-authority": "^0.7.1",
     "clsx": "^2.1.1",
     "fuse.js": "^7.3.0",
     "giget": "^3.2.0",
-    "hono": "^4.6.0",
     "ky": "^2.0.0",
     "kysely": "^0.28.15",
     "kysely-d1": "^0.4.0",
-    "lucide-react": "^1.7.0",
     "nanostores": "^1.2.0",
     "next-themes": "^0.4.6",
     "picocolors": "^1.0.0",
-    "radix-ui": "^1.4.3",
-    "react": "^18.3.1",
-    "react-dom": "^18.3.1",
+    "postcss": "^8.5.9",
+    "postcss-prefix-selector": "^2.1.1",
     "shadcn": "^4.2.0",
     "sonner": "^2.0.7",
     "tailwind-merge": "^3.5.0",
@@ -93,13 +88,21 @@
     "usehooks-ts": "^3.1.1",
     "zod": "^4.3.6"
   },
-  "devDependencies": {
-    "@cloudflare/workers-types": "^4.20241022.0",
-    "@tailwindcss/cli": "^4.0.0",
-    "@tailwindcss/postcss": "^4.2.2",
-    "@types/node": "^20.0.0",
-    "autoprefixer": "^10.4.27",
-    "postcss": "^8.5.9",
-    "postcss-prefix-selector": "^2.1.1"
+  "peerDependencies": {
+    "@base-ui/react": "^1.3.0",
+    "@hono/react-renderer": "^0.1.0",
+    "@radix-ui/react-avatar": "^1.1.11",
+    "@radix-ui/react-dialog": "^1.1.15",
+    "@radix-ui/react-label": "^2.1.8",
+    "@radix-ui/react-popover": "^1.1.15",
+    "@radix-ui/react-separator": "^1.1.8",
+    "@radix-ui/react-slot": "^1.2.4",
+    "@radix-ui/react-tabs": "^1.1.13",
+    "@radix-ui/react-tooltip": "^1.2.8",
+    "hono": "^4.6.0",
+    "lucide-react": "^1.7.0",
+    "radix-ui": "^1.4.3",
+    "react": "^18.3.1",
+    "react-dom": "^18.3.1"
   }
 }

package/scripts/fix-api-paths.mjs

@@ -1,32 +0,0 @@
-import fs from 'node:fs';
-import { resolve, dirname } from 'node:path';
-
-function getFiles(dir) {
-  const dirents = fs.readdirSync(dir, { withFileTypes: true });
-  const files = dirents.map((dirent) => {
-    const res = resolve(dir, dirent.name);
-    return dirent.isDirectory() ? getFiles(res) : res;
-  });
-  return Array.prototype.concat(...files);
-}
-
-const clientRoot = resolve('src/client');
-const files = getFiles(clientRoot).filter(f => f.endsWith('.ts') || f.endsWith('.tsx'));
-
-files.forEach(filePath => {
-  let content = fs.readFileSync(filePath, 'utf8');
-  let changed = false;
-
-  // Replace apiFetch('/api/...') with apiFetch('/...')
-  const newContent = content.replace(/apiFetch\((['"`])\/api\//g, (match, quote) => {
-    changed = true;
-    return `apiFetch(${quote}/`;
-  });
-
-  if (changed) {
-    fs.writeFileSync(filePath, newContent);
-    console.log(`Updated API paths in: ${filePath}`);
-  }
-});
-
-console.log('API path refactoring complete.');

package/scripts/fix-imports.mjs

@@ -1,38 +0,0 @@
-import fs from 'node:fs';
-import { resolve, relative, dirname } from 'node:path';
-
-function getFiles(dir) {
-  const dirents = fs.readdirSync(dir, { withFileTypes: true });
-  const files = dirents.map((dirent) => {
-    const res = resolve(dir, dirent.name);
-    return dirent.isDirectory() ? getFiles(res) : res;
-  });
-  return Array.prototype.concat(...files);
-}
-
-const clientRoot = resolve('src/client');
-const files = getFiles(clientRoot).filter(f => f.endsWith('.ts') || f.endsWith('.tsx'));
-
-files.forEach(filePath => {
-  const fileDir = dirname(filePath);
-  let content = fs.readFileSync(filePath, 'utf8');
-
-  // Robust Multiline Regex for @/ imports
-  // Matches (import|export) ... from '@/...'
-  content = content.replace(/(import|export)([\s\S]*?)from\s+['"]@\/(.*?)['"]/g, (match, type, body, importPath) => {
-    const targetPath = resolve(clientRoot, importPath);
-    let relPath = relative(fileDir, targetPath).replace(/\\/g, '/');
-    
-    if (!relPath.startsWith('.')) {
-      relPath = './' + relPath;
-    }
-    
-    // We replace specifically the matched @/path part
-    const fullPattern = `@/${importPath}`;
-    return match.replace(fullPattern, relPath);
-  });
-
-  fs.writeFileSync(filePath, content);
-});
-
-console.log(`Aggressively fixed imports in ${files.length} files.`);

package/scripts/prefix-css.mjs

@@ -1,45 +0,0 @@
-import fs from 'node:fs';
-import postcss from 'postcss';
-import tailwindcss from '@tailwindcss/postcss';
-import autoprefixer from 'autoprefixer';
-import prefixer from 'postcss-prefix-selector';
-
-async function build() {
-  const input = './src/client/index.css';
-  const output = './dist/style.css';
-
-  if (!fs.existsSync(input)) {
-    console.error(`Input file ${input} not found`);
-    process.exit(1);
-  }
-
-  const css = fs.readFileSync(input, 'utf8');
-
-  try {
-    const result = await postcss([
-      tailwindcss(),
-      autoprefixer(),
-      prefixer({
-        prefix: '.flare-admin',
-        transform(prefix, selector, prefixedSelector, filePath, rule) {
-          if (selector === ':root') {
-            return selector;
-          }
-          if (selector === 'html' || selector === 'body') {
-            return prefix;
-          }
-          return prefixedSelector;
-        }
-      })
-    ]).process(css, { from: input, to: output });
-
-    if (!fs.existsSync('./dist')) fs.mkdirSync('./dist', { recursive: true });
-    fs.writeFileSync(output, result.css);
-    console.log('Successfully built prefixed CSS to ./dist/style.css');
-  } catch (err) {
-    console.error('CSS Build failed:', err);
-    process.exit(1);
-  }
-}
-
-build();

package/src/api/lib/cache.ts

@@ -1,45 +0,0 @@
-import type { KVNamespace } from "@cloudflare/workers-types";
-
-export interface SchemaCache {
-  id: string;
-  slug: string;
-  label: string;
-  is_public: number;
-  features: string[];
-  url_pattern: string | null;
-  fields: any[];
-}
-
-export const cache = {
-  async getSchema(kv: KVNamespace, slug: string): Promise<SchemaCache | null> {
-    const data = await kv.get(`schema:${slug}`);
-    if (!data) return null;
-    return JSON.parse(data);
-  },
-
-  async setSchema(kv: KVNamespace, slug: string, schema: SchemaCache) {
-    await kv.put(`schema:${slug}`, JSON.stringify(schema), {
-      expirationTtl: 60 * 60 * 24, // 24 hours (metadata is stable)
-    });
-  },
-
-  async invalidateSchema(kv: KVNamespace, slug: string) {
-    await kv.delete(`schema:${slug}`);
-  },
-
-  async getCollectionList(kv: KVNamespace): Promise<any[] | null> {
-    const data = await kv.get('collections:list');
-    if (!data) return null;
-    return JSON.parse(data);
-  },
-
-  async setCollectionList(kv: KVNamespace, collections: any[]) {
-    await kv.put('collections:list', JSON.stringify(collections), {
-      expirationTtl: 60 * 60 * 24, // 24 hours
-    });
-  },
-
-  async invalidateCollectionList(kv: KVNamespace) {
-    await kv.delete('collections:list');
-  }
-};

package/src/api/lib/response.ts

@@ -1,40 +0,0 @@
-import type { Context } from 'hono';
-
-export interface PaginationMeta {
-  page: number;
-  limit: number;
-  total: number;
-  totalPages: number;
-  hasNextPage: boolean;
-  hasPrevPage: boolean;
-}
-
-export const apiResponse = {
-  /**
-   * Send a successful response with data and optional metadata
-   */
-  ok: (c: Context, data: any, meta?: any, status: number = 200) => {
-    return c.json({ data, meta }, status as any);
-  },
-
-  /**
-   * Send a paginated response
-   */
-  paginated: (c: Context, data: any[], meta: PaginationMeta, status: number = 200) => {
-    return c.json({ data, meta }, status as any);
-  },
-
-  /**
-   * Send an error response
-   */
-  error: (c: Context, message: string | any, status: number = 400) => {
-    return c.json({ error: message }, status as any);
-  },
-
-  /**
-   * Specialized success response for creations
-   */
-  created: (c: Context, data: any) => {
-    return c.json({ data }, 201);
-  }
-};

package/src/api/middlewares/auth.ts

@@ -1,186 +0,0 @@
-import type { Context, Next } from 'hono';
-import { getCookie } from 'hono/cookie';
-import { createDb } from '../../db';
-
-export const authMiddleware = async (c: Context, next: Next) => {
-  const path = c.req.path;
-  
-  // Skip auth for login, setup, device public flows, and magic/oauth routes
-  // We check for segments to be path-agnostic (handles /api/auth/login, /cms/auth/login, etc.)
-  const isPublicRoute = 
-    path.endsWith('/auth/login') ||
-    path.endsWith('/auth/signup') ||
-    path.endsWith('/auth/registration-settings') ||
-    path.endsWith('/auth/passkey/options') ||
-    path.endsWith('/auth/passkey/verify') ||
-    path.includes('/setup') ||
-    path.endsWith('/health') || // Match exactly /health or /api/health
-    path.includes('/health/') || 
-    path.includes('/device/code') ||
-    path.includes('/device/token') ||
-    path.includes('/magic') ||
-    path.includes('/oauth');
-
-  if (isPublicRoute) {
-    return next();
-  }
-
-  // Allow test mock bypass for rapid test building
-  const authHeader = c.req.header('Authorization');
-  if (authHeader?.startsWith('Bearer test-secret')) {
-    // Inject a dummy admin user into context for tests
-    c.set('user', { id: 'test-user', role: 'admin' });
-    c.set('scopes', ['*']);
-    return next();
-  }
-
-  const db = createDb(c.env.DB);
-
-  // 1. Try Token Auth (PATs)
-  if (authHeader?.startsWith('Bearer ec_pat_')) {
-    const rawToken = authHeader.split(' ')[1];
-
-    if (!rawToken) return c.json({ error: 'Invalid API Token' }, 401);
-
-    // Tokens are formatted as ec_pat_ULID_SECRET
-    const lastUnderscore = rawToken.lastIndexOf('_');
-    if (lastUnderscore === -1) return c.json({ error: 'Invalid Token Format' }, 401);
-
-    const tokenId = rawToken.substring(0, lastUnderscore);
-    const suffix = rawToken.substring(lastUnderscore + 1);
-
-    const tokenRecord = await db.selectFrom('fc_api_tokens')
-      .selectAll()
-      .where('id', '=', tokenId)
-      .executeTakeFirst();
-
-
-    if (!tokenRecord) return c.json({ error: 'Invalid API Token' }, 401);
-
-    // Verify the hash of the provided suffix
-    const encoder = new TextEncoder();
-    const hashBuffer = await crypto.subtle.digest("SHA-256", encoder.encode(suffix));
-    const hashHex = Array.from(new Uint8Array(hashBuffer))
-      .map(b => b.toString(16).padStart(2, '0'))
-      .join('');
-
-    if (hashHex !== tokenRecord.hash) {
-      return c.json({ error: 'Invalid API Token' }, 401);
-    }
-
-    const user = await db.selectFrom('fc_users')
-      .select(['id', 'role', 'email', 'disabled'])
-      .where('id', '=', tokenRecord.user_id)
-      .executeTakeFirst();
-
-    if (!user || user.disabled) return c.json({ error: 'Account disabled or not found' }, 403);
-
-    // Update last_used_at async
-    const updateQuery = db.updateTable('fc_api_tokens')
-      .set({ last_used_at: new Date().toISOString() })
-      .where('id', '=', tokenId);
-
-    let hasCtx = false;
-    try {
-      hasCtx = !!c.executionCtx;
-    } catch {
-      hasCtx = false;
-    }
-
-    if (hasCtx) {
-      c.executionCtx.waitUntil(updateQuery.execute());
-    } else {
-      await updateQuery.execute();
-    }
-
-
-    c.set('user', user);
-    c.set('scopes', JSON.parse(tokenRecord.scopes));
-    return next();
-  }
-
-
-  // 2. Try Cookie Session Auth
-  const sessionId = getCookie(c, 'session');
-  if (!sessionId) {
-    // Special case: Allow anonymous GET on content for Public API Visibility
-    if (c.req.method === 'GET' && c.req.path.startsWith('/api/content')) {
-      c.set('scopes', []); // Empty scopes for anonymous
-      return next();
-    }
-    return c.json({ error: 'Unauthorized' }, 401);
-  }
-
-  const session = await db.selectFrom('fc_sessions')
-    .innerJoin('fc_users', 'fc_sessions.user_id', 'fc_users.id')
-    .select(['fc_users.id', 'fc_users.role', 'fc_users.email', 'fc_users.disabled', 'fc_sessions.expires_at'])
-    .where('fc_sessions.id', '=', sessionId)
-    .executeTakeFirst();
-
-  if (!session) {
-    return c.json({ error: 'Invalid session' }, 401);
-  }
-
-  if (new Date(session.expires_at) < new Date()) {
-    // Delete expired session
-    await db.deleteFrom('fc_sessions').where('id', '=', sessionId).execute();
-    return c.json({ error: 'Session expired' }, 401);
-  }
-
-  if (session.disabled) {
-    return c.json({ error: 'Account disabled' }, 403);
-  }
-
-  // Inject user into context for downstream usage
-  c.set('user', session);
-  // Full UI Sessions have 'all' scopes implicitly because they are user-driven
-  c.set('scopes', ['*']);
-
-  return next();
-};
-
-export const setupMiddleware = async (c: Context, next: Next) => {
-  const path = c.req.path;
-
-  // If hitting setup, let it pass
-  if (path.includes('/setup')) return next();
-
-
-  try {
-    const db = createDb(c.env.DB);
-    const setupComplete = await db.selectFrom('options')
-      .select('value')
-      .where('name', '=', 'flare:setup_complete')
-      .executeTakeFirst();
-
-    let isComplete = false;
-    try {
-      isComplete = setupComplete?.value === 'true' || setupComplete?.value === '1';
-    } catch {
-      isComplete = false;
-    }
-
-    if (!isComplete) {
-      return c.json({ error: 'Setup required', code: 'SETUP_REQUIRED' }, 403);
-    }
-
-    // Check if any user exists
-    const userCount = await db.selectFrom('fc_users')
-      .select((eb) => eb.fn.countAll<number>().as('count'))
-      .executeTakeFirst();
-
-    if (!userCount || userCount.count === 0) {
-      return c.json({ error: 'Setup required (Admin missing)', code: 'SETUP_REQUIRED' }, 403);
-    }
-  } catch (err: any) {
-    // Table doesn't exist yet (fresh install)
-    const msg = err.message?.toLowerCase() || '';
-    if (msg.includes('no such table') || msg.includes('not found')) {
-      return c.json({ error: 'Setup required', code: 'SETUP_REQUIRED' }, 403);
-    }
-    // If it's another error, we might want to log it or handle it, but for setup we'll pass it
-  }
-
-
-  return next();
-};

package/src/api/middlewares/cors.ts

@@ -1,10 +0,0 @@
-import { cors } from 'hono/cors';
-
-export const corsMiddleware = cors({
-  origin: (origin) => origin,
-  credentials: true,
-  allowMethods: ['GET', 'POST', 'PUT', 'DELETE', 'OPTIONS', 'PATCH'],
-  allowHeaders: ['Content-Type', 'Authorization', 'X-Requested-With'],
-  exposeHeaders: ['Content-Length'],
-  maxAge: 600,
-});

package/src/api/middlewares/rbac.ts

@@ -1,85 +0,0 @@
-import type { Context, Next } from 'hono';
-import { createDb } from '../../db';
-
-/**
- * Ensures the authenticated user has one of the allowed roles.
- * Must be used AFTER authMiddleware.
- */
-export const requireRole = (allowedRoles: string[]) => {
-  return async (c: Context, next: Next) => {
-    const user = c.get('user');
-
-    if (!user) {
-      return c.json({ error: 'Unauthorized' }, 401);
-    }
-
-    if (!allowedRoles.includes(user.role)) {
-      return c.json({ error: 'Forbidden', requiredRoles: allowedRoles }, 403);
-    }
-
-    return next();
-  };
-};
-
-export const requireScope = (action: string, resourceOrParamName: string = '*') => {
-  return async (c: Context, next: Next) => {
-    // Determine the actual resource ID (e.g. from param)
-    const resource = resourceOrParamName.startsWith(':') || resourceOrParamName === 'collection_slug'
-      ? c.req.param(resourceOrParamName.replace(':', '')) || c.req.param('collection')
-      : resourceOrParamName;
-
-    // Check if collection is public (only for 'read' action) - DO THIS FIRST for anonymous access
-    if (action === 'read' && resource) {
-      const db = createDb(c.env.DB);
-      const collection = await db.selectFrom('fc_collections')
-        .select('is_public')
-        .where('slug', '=', resource)
-        .executeTakeFirst();
-      
-      if (collection && collection.is_public === 1) {
-        return next();
-      }
-    }
-
-    const scopes = c.get('scopes');
-
-    if (!scopes || !Array.isArray(scopes)) {
-      return c.json({ error: 'Unauthorized', code: 'NO_SCOPES' }, 401);
-    }
-
-    // Fast path: Full access
-    if (scopes.includes('*')) {
-      return next();
-    }
-
-    if (!scopes || !Array.isArray(scopes)) {
-      return c.json({ error: 'Unauthorized', code: 'NO_SCOPES' }, 401);
-    }
-
-    // Check for granular match
-    const hasPermission = scopes.some((s: any) => {
-      // Handle legacy string scopes (e.g. "content:read")
-      if (typeof s === 'string') {
-        return s === `${resource}:${action}` || s === `*:${action}` || s === `${resource}:*`;
-      }
-      
-      // Handle new structured scopes { resource: "posts", actions: ["read"] }
-      if (typeof s === 'object' && s !== null) {
-        const matchesResource = s.resource === '*' || s.resource === resource;
-        const matchesAction = s.actions?.includes('*') || s.actions?.includes(action);
-        return matchesResource && matchesAction;
-      }
-
-      return false;
-    });
-
-    if (!hasPermission) {
-      return c.json({ 
-        error: 'Forbidden: Insufficient API Token Scope', 
-        required: { action, resource } 
-      }, 403);
-    }
-
-    return next();
-  };
-};