npm - gazetta - Versions diffs - 0.7.0 → 0.8.0 - Mend

gazetta 0.7.0 → 0.8.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (738) hide show

package/admin-dist/assets/index-CBeq0rRb.js +693 -0
package/admin-dist/assets/index-Dtg1dTZQ.css +1 -0
package/admin-dist/assets/rolldown-runtime-BYbx6iT9.js +1 -0
package/admin-dist/assets/{vendor-primevue-C0Q_YTCb.js → vendor-primevue-CBGHkaXv.js} +183 -39
package/admin-dist/assets/{vendor-react-BipDVGow.js → vendor-react-BdW_kNCG.js} +2 -2
package/admin-dist/assets/vendor-rjsf-lN2SztQt.js +33 -0
package/admin-dist/assets/vendor-tiptap-C36yDquB.js +141 -0
package/admin-dist/assets/vendor-vue-Bt5uR1VW.js +1 -0
package/admin-dist/assets/workbox-window.prod.es5-DGMtIXHc.js +2 -0
package/admin-dist/index.html +8 -8
package/admin-dist/sw.js +1 -0
package/dist/admin-api/archived-name-conflict.d.ts +31 -0
package/dist/admin-api/archived-name-conflict.d.ts.map +1 -0
package/dist/admin-api/archived-name-conflict.js +226 -0
package/dist/admin-api/archived-name-conflict.js.map +1 -0
package/dist/admin-api/cache-stats-logger.d.ts +83 -0
package/dist/admin-api/cache-stats-logger.d.ts.map +1 -0
package/dist/admin-api/cache-stats-logger.js +59 -0
package/dist/admin-api/cache-stats-logger.js.map +1 -0
package/dist/admin-api/hook-audit-emitter.d.ts +38 -0
package/dist/admin-api/hook-audit-emitter.d.ts.map +1 -0
package/dist/admin-api/hook-audit-emitter.js +21 -0
package/dist/admin-api/hook-audit-emitter.js.map +1 -0
package/dist/admin-api/index.d.ts +84 -0
package/dist/admin-api/index.d.ts.map +1 -1
package/dist/admin-api/index.js +254 -9
package/dist/admin-api/index.js.map +1 -1
package/dist/admin-api/middleware/audit.d.ts +25 -0
package/dist/admin-api/middleware/audit.d.ts.map +1 -0
package/dist/admin-api/middleware/audit.js +65 -0
package/dist/admin-api/middleware/audit.js.map +1 -0
package/dist/admin-api/middleware/capability.d.ts +8 -0
package/dist/admin-api/middleware/capability.d.ts.map +1 -0
package/dist/admin-api/middleware/capability.js +65 -0
package/dist/admin-api/middleware/capability.js.map +1 -0
package/dist/admin-api/middleware/principal.d.ts +18 -0
package/dist/admin-api/middleware/principal.d.ts.map +1 -0
package/dist/admin-api/middleware/principal.js +128 -0
package/dist/admin-api/middleware/principal.js.map +1 -0
package/dist/admin-api/routes/archive-review.d.ts +80 -0
package/dist/admin-api/routes/archive-review.d.ts.map +1 -0
package/dist/admin-api/routes/archive-review.js +70 -0
package/dist/admin-api/routes/archive-review.js.map +1 -0
package/dist/admin-api/routes/archive.d.ts +145 -0
package/dist/admin-api/routes/archive.d.ts.map +1 -0
package/dist/admin-api/routes/archive.js +540 -0
package/dist/admin-api/routes/archive.js.map +1 -0
package/dist/admin-api/routes/assets.d.ts +6 -1
package/dist/admin-api/routes/assets.d.ts.map +1 -1
package/dist/admin-api/routes/assets.js +167 -14
package/dist/admin-api/routes/assets.js.map +1 -1
package/dist/admin-api/routes/audit.d.ts +71 -0
package/dist/admin-api/routes/audit.d.ts.map +1 -0
package/dist/admin-api/routes/audit.js +178 -0
package/dist/admin-api/routes/audit.js.map +1 -0
package/dist/admin-api/routes/compare.d.ts.map +1 -1
package/dist/admin-api/routes/compare.js +3 -2
package/dist/admin-api/routes/compare.js.map +1 -1
package/dist/admin-api/routes/fields.d.ts.map +1 -1
package/dist/admin-api/routes/fields.js +2 -1
package/dist/admin-api/routes/fields.js.map +1 -1
package/dist/admin-api/routes/fragments.d.ts +13 -1
package/dist/admin-api/routes/fragments.d.ts.map +1 -1
package/dist/admin-api/routes/fragments.js +127 -92
package/dist/admin-api/routes/fragments.js.map +1 -1
package/dist/admin-api/routes/health.d.ts +60 -0
package/dist/admin-api/routes/health.d.ts.map +1 -0
package/dist/admin-api/routes/health.js +65 -0
package/dist/admin-api/routes/health.js.map +1 -0
package/dist/admin-api/routes/history.d.ts +2 -1
package/dist/admin-api/routes/history.d.ts.map +1 -1
package/dist/admin-api/routes/history.js +26 -4
package/dist/admin-api/routes/history.js.map +1 -1
package/dist/admin-api/routes/pages.d.ts +20 -1
package/dist/admin-api/routes/pages.d.ts.map +1 -1
package/dist/admin-api/routes/pages.js +157 -117
package/dist/admin-api/routes/pages.js.map +1 -1
package/dist/admin-api/routes/preview.d.ts.map +1 -1
package/dist/admin-api/routes/preview.js +56 -17
package/dist/admin-api/routes/preview.js.map +1 -1
package/dist/admin-api/routes/publish.d.ts +19 -1
package/dist/admin-api/routes/publish.d.ts.map +1 -1
package/dist/admin-api/routes/publish.js +508 -92
package/dist/admin-api/routes/publish.js.map +1 -1
package/dist/admin-api/routes/rename.d.ts +62 -0
package/dist/admin-api/routes/rename.d.ts.map +1 -0
package/dist/admin-api/routes/rename.js +366 -0
package/dist/admin-api/routes/rename.js.map +1 -0
package/dist/admin-api/routes/site.d.ts.map +1 -1
package/dist/admin-api/routes/site.js +6 -18
package/dist/admin-api/routes/site.js.map +1 -1
package/dist/admin-api/routes/system.d.ts +23 -0
package/dist/admin-api/routes/system.d.ts.map +1 -0
package/dist/admin-api/routes/system.js +115 -0
package/dist/admin-api/routes/system.js.map +1 -0
package/dist/admin-api/routes/templates.d.ts +11 -1
package/dist/admin-api/routes/templates.d.ts.map +1 -1
package/dist/admin-api/routes/templates.js +36 -3
package/dist/admin-api/routes/templates.js.map +1 -1
package/dist/admin-api/routes/validation.d.ts +47 -0
package/dist/admin-api/routes/validation.d.ts.map +1 -0
package/dist/admin-api/routes/validation.js +120 -0
package/dist/admin-api/routes/validation.js.map +1 -0
package/dist/admin-api/schemas/archive.d.ts +124 -0
package/dist/admin-api/schemas/archive.d.ts.map +1 -0
package/dist/admin-api/schemas/archive.js +93 -0
package/dist/admin-api/schemas/archive.js.map +1 -0
package/dist/admin-api/schemas/assets.d.ts +16 -0
package/dist/admin-api/schemas/assets.d.ts.map +1 -1
package/dist/admin-api/schemas/assets.js +15 -0
package/dist/admin-api/schemas/assets.js.map +1 -1
package/dist/admin-api/schemas/audit.d.ts +175 -0
package/dist/admin-api/schemas/audit.d.ts.map +1 -0
package/dist/admin-api/schemas/audit.js +91 -0
package/dist/admin-api/schemas/audit.js.map +1 -0
package/dist/admin-api/schemas/error.d.ts +94 -0
package/dist/admin-api/schemas/error.d.ts.map +1 -0
package/dist/admin-api/schemas/error.js +79 -0
package/dist/admin-api/schemas/error.js.map +1 -0
package/dist/admin-api/schemas/fragments.d.ts +2 -0
package/dist/admin-api/schemas/fragments.d.ts.map +1 -1
package/dist/admin-api/schemas/fragments.js +4 -0
package/dist/admin-api/schemas/fragments.js.map +1 -1
package/dist/admin-api/schemas/index.d.ts +8 -0
package/dist/admin-api/schemas/index.d.ts.map +1 -1
package/dist/admin-api/schemas/index.js +8 -0
package/dist/admin-api/schemas/index.js.map +1 -1
package/dist/admin-api/schemas/pages.d.ts +2 -0
package/dist/admin-api/schemas/pages.d.ts.map +1 -1
package/dist/admin-api/schemas/pages.js +11 -0
package/dist/admin-api/schemas/pages.js.map +1 -1
package/dist/admin-api/schemas/rename.d.ts +77 -0
package/dist/admin-api/schemas/rename.d.ts.map +1 -0
package/dist/admin-api/schemas/rename.js +75 -0
package/dist/admin-api/schemas/rename.js.map +1 -0
package/dist/admin-api/schemas/site.d.ts +3 -2
package/dist/admin-api/schemas/site.d.ts.map +1 -1
package/dist/admin-api/schemas/site.js +3 -2
package/dist/admin-api/schemas/site.js.map +1 -1
package/dist/admin-api/schemas/system.d.ts +28 -0
package/dist/admin-api/schemas/system.d.ts.map +1 -0
package/dist/admin-api/schemas/system.js +35 -0
package/dist/admin-api/schemas/system.js.map +1 -0
package/dist/admin-api/schemas/targets.d.ts +55 -0
package/dist/admin-api/schemas/targets.d.ts.map +1 -1
package/dist/admin-api/schemas/targets.js +46 -0
package/dist/admin-api/schemas/targets.js.map +1 -1
package/dist/admin-api/schemas/templates.d.ts +54 -0
package/dist/admin-api/schemas/templates.d.ts.map +1 -1
package/dist/admin-api/schemas/templates.js +21 -0
package/dist/admin-api/schemas/templates.js.map +1 -1
package/dist/admin-api/schemas/validation.d.ts +101 -0
package/dist/admin-api/schemas/validation.d.ts.map +1 -0
package/dist/admin-api/schemas/validation.js +57 -0
package/dist/admin-api/schemas/validation.js.map +1 -0
package/dist/admin-api/source-context.d.ts +66 -10
package/dist/admin-api/source-context.d.ts.map +1 -1
package/dist/admin-api/source-context.js +43 -5
package/dist/admin-api/source-context.js.map +1 -1
package/dist/ai/adapter-scaffold.d.ts +63 -0
package/dist/ai/adapter-scaffold.d.ts.map +1 -0
package/dist/ai/adapter-scaffold.js +89 -0
package/dist/ai/adapter-scaffold.js.map +1 -0
package/dist/ai/compose-prompt.d.ts +50 -0
package/dist/ai/compose-prompt.d.ts.map +1 -0
package/dist/ai/compose-prompt.js +49 -0
package/dist/ai/compose-prompt.js.map +1 -0
package/dist/ai/errors.d.ts +65 -0
package/dist/ai/errors.d.ts.map +1 -0
package/dist/ai/errors.js +59 -0
package/dist/ai/errors.js.map +1 -0
package/dist/ai/index.d.ts +17 -0
package/dist/ai/index.d.ts.map +1 -0
package/dist/ai/index.js +16 -0
package/dist/ai/index.js.map +1 -0
package/dist/ai/provider.d.ts +76 -0
package/dist/ai/provider.d.ts.map +1 -0
package/dist/ai/provider.js +13 -0
package/dist/ai/provider.js.map +1 -0
package/dist/ai/refusal.d.ts +50 -0
package/dist/ai/refusal.d.ts.map +1 -0
package/dist/ai/refusal.js +100 -0
package/dist/ai/refusal.js.map +1 -0
package/dist/ai/vision-prep.d.ts +32 -0
package/dist/ai/vision-prep.d.ts.map +1 -0
package/dist/ai/vision-prep.js +113 -0
package/dist/ai/vision-prep.js.map +1 -0
package/dist/alt/adapter.d.ts +140 -0
package/dist/alt/adapter.d.ts.map +1 -0
package/dist/alt/adapter.js +7 -0
package/dist/alt/adapter.js.map +1 -0
package/dist/alt/anthropic.d.ts +63 -0
package/dist/alt/anthropic.d.ts.map +1 -0
package/dist/alt/anthropic.js +147 -0
package/dist/alt/anthropic.js.map +1 -0
package/dist/alt/config.d.ts +67 -0
package/dist/alt/config.d.ts.map +1 -0
package/dist/alt/config.js +41 -0
package/dist/alt/config.js.map +1 -0
package/dist/alt/factory.d.ts +19 -0
package/dist/alt/factory.d.ts.map +1 -0
package/dist/alt/factory.js +69 -0
package/dist/alt/factory.js.map +1 -0
package/dist/alt/null-adapter.d.ts +3 -0
package/dist/alt/null-adapter.d.ts.map +1 -0
package/dist/alt/null-adapter.js +43 -0
package/dist/alt/null-adapter.js.map +1 -0
package/dist/alt/ollama.d.ts +40 -0
package/dist/alt/ollama.d.ts.map +1 -0
package/dist/alt/ollama.js +139 -0
package/dist/alt/ollama.js.map +1 -0
package/dist/alt/openai.d.ts +46 -0
package/dist/alt/openai.d.ts.map +1 -0
package/dist/alt/openai.js +118 -0
package/dist/alt/openai.js.map +1 -0
package/dist/alt/prompt-policies.d.ts +79 -0
package/dist/alt/prompt-policies.d.ts.map +1 -0
package/dist/alt/prompt-policies.js +67 -0
package/dist/alt/prompt-policies.js.map +1 -0
package/dist/alt/route-handler.d.ts +56 -0
package/dist/alt/route-handler.d.ts.map +1 -0
package/dist/alt/route-handler.js +122 -0
package/dist/alt/route-handler.js.map +1 -0
package/dist/alt/suggester.d.ts +57 -0
package/dist/alt/suggester.d.ts.map +1 -0
package/dist/alt/suggester.js +133 -0
package/dist/alt/suggester.js.map +1 -0
package/dist/app.js +1 -1
package/dist/app.js.map +1 -1
package/dist/archive-aliases.d.ts +79 -0
package/dist/archive-aliases.d.ts.map +1 -0
package/dist/archive-aliases.js +60 -0
package/dist/archive-aliases.js.map +1 -0
package/dist/archive-helpers.d.ts +73 -0
package/dist/archive-helpers.d.ts.map +1 -0
package/dist/archive-helpers.js +94 -0
package/dist/archive-helpers.js.map +1 -0
package/dist/assets/find-refs.d.ts +1 -1
package/dist/assets/find-refs.js +1 -1
package/dist/assets/find-refs.js.map +1 -1
package/dist/assets/rename.js +1 -1
package/dist/assets/rename.js.map +1 -1
package/dist/assets/replace.js +1 -1
package/dist/assets/replace.js.map +1 -1
package/dist/assets/resolve.js +4 -4
package/dist/assets/resolve.js.map +1 -1
package/dist/assets/serve-route.js +2 -2
package/dist/assets/serve-route.js.map +1 -1
package/dist/assets/validate.d.ts +1 -1
package/dist/assets/validate.js +1 -1
package/dist/audit/config.d.ts +75 -0
package/dist/audit/config.d.ts.map +1 -0
package/dist/audit/config.js +91 -0
package/dist/audit/config.js.map +1 -0
package/dist/audit/context.d.ts +98 -0
package/dist/audit/context.d.ts.map +1 -0
package/dist/audit/context.js +51 -0
package/dist/audit/context.js.map +1 -0
package/dist/audit/errors.d.ts +73 -0
package/dist/audit/errors.d.ts.map +1 -0
package/dist/audit/errors.js +78 -0
package/dist/audit/errors.js.map +1 -0
package/dist/audit/index.d.ts +16 -0
package/dist/audit/index.d.ts.map +1 -0
package/dist/audit/index.js +10 -0
package/dist/audit/index.js.map +1 -0
package/dist/audit/provider.d.ts +73 -0
package/dist/audit/provider.d.ts.map +1 -0
package/dist/audit/provider.js +2 -0
package/dist/audit/provider.js.map +1 -0
package/dist/audit/providers/history.d.ts +66 -0
package/dist/audit/providers/history.d.ts.map +1 -0
package/dist/audit/providers/history.js +102 -0
package/dist/audit/providers/history.js.map +1 -0
package/dist/audit/pseudonymize.d.ts +26 -0
package/dist/audit/pseudonymize.d.ts.map +1 -0
package/dist/audit/pseudonymize.js +86 -0
package/dist/audit/pseudonymize.js.map +1 -0
package/dist/audit/recorder.d.ts +102 -0
package/dist/audit/recorder.d.ts.map +1 -0
package/dist/audit/recorder.js +55 -0
package/dist/audit/recorder.js.map +1 -0
package/dist/audit/retention.d.ts +83 -0
package/dist/audit/retention.d.ts.map +1 -0
package/dist/audit/retention.js +142 -0
package/dist/audit/retention.js.map +1 -0
package/dist/audit/source-ip.d.ts +32 -0
package/dist/audit/source-ip.d.ts.map +1 -0
package/dist/audit/source-ip.js +164 -0
package/dist/audit/source-ip.js.map +1 -0
package/dist/audit/types.d.ts +143 -0
package/dist/audit/types.d.ts.map +1 -0
package/dist/audit/types.js +33 -0
package/dist/audit/types.js.map +1 -0
package/dist/audit/user-agent.d.ts +28 -0
package/dist/audit/user-agent.d.ts.map +1 -0
package/dist/audit/user-agent.js +63 -0
package/dist/audit/user-agent.js.map +1 -0
package/dist/auth/capabilities.d.ts +28 -0
package/dist/auth/capabilities.d.ts.map +1 -0
package/dist/auth/capabilities.js +101 -0
package/dist/auth/capabilities.js.map +1 -0
package/dist/auth/config.d.ts +109 -0
package/dist/auth/config.d.ts.map +1 -0
package/dist/auth/config.js +221 -0
package/dist/auth/config.js.map +1 -0
package/dist/auth/errors.d.ts +72 -0
package/dist/auth/errors.d.ts.map +1 -0
package/dist/auth/errors.js +78 -0
package/dist/auth/errors.js.map +1 -0
package/dist/auth/factory.d.ts +43 -0
package/dist/auth/factory.d.ts.map +1 -0
package/dist/auth/factory.js +48 -0
package/dist/auth/factory.js.map +1 -0
package/dist/auth/index.d.ts +21 -0
package/dist/auth/index.d.ts.map +1 -0
package/dist/auth/index.js +14 -0
package/dist/auth/index.js.map +1 -0
package/dist/auth/ip-match.d.ts +29 -0
package/dist/auth/ip-match.d.ts.map +1 -0
package/dist/auth/ip-match.js +162 -0
package/dist/auth/ip-match.js.map +1 -0
package/dist/auth/provider.d.ts +76 -0
package/dist/auth/provider.d.ts.map +1 -0
package/dist/auth/provider.js +2 -0
package/dist/auth/provider.js.map +1 -0
package/dist/auth/providers/aws-cognito.d.ts +55 -0
package/dist/auth/providers/aws-cognito.d.ts.map +1 -0
package/dist/auth/providers/aws-cognito.js +114 -0
package/dist/auth/providers/aws-cognito.js.map +1 -0
package/dist/auth/providers/azure-easy-auth.d.ts +7 -0
package/dist/auth/providers/azure-easy-auth.d.ts.map +1 -0
package/dist/auth/providers/azure-easy-auth.js +48 -0
package/dist/auth/providers/azure-easy-auth.js.map +1 -0
package/dist/auth/providers/cloudflare-access.d.ts +71 -0
package/dist/auth/providers/cloudflare-access.d.ts.map +1 -0
package/dist/auth/providers/cloudflare-access.js +120 -0
package/dist/auth/providers/cloudflare-access.js.map +1 -0
package/dist/auth/providers/forwarded-user.d.ts +31 -0
package/dist/auth/providers/forwarded-user.d.ts.map +1 -0
package/dist/auth/providers/forwarded-user.js +72 -0
package/dist/auth/providers/forwarded-user.js.map +1 -0
package/dist/auth/providers/none.d.ts +6 -0
package/dist/auth/providers/none.d.ts.map +1 -0
package/dist/auth/providers/none.js +19 -0
package/dist/auth/providers/none.js.map +1 -0
package/dist/auth/providers/tailscale.d.ts +7 -0
package/dist/auth/providers/tailscale.d.ts.map +1 -0
package/dist/auth/providers/tailscale.js +30 -0
package/dist/auth/providers/tailscale.js.map +1 -0
package/dist/auth/role-resolver.d.ts +38 -0
package/dist/auth/role-resolver.d.ts.map +1 -0
package/dist/auth/role-resolver.js +92 -0
package/dist/auth/role-resolver.js.map +1 -0
package/dist/auth/types.d.ts +150 -0
package/dist/auth/types.d.ts.map +1 -0
package/dist/auth/types.js +60 -0
package/dist/auth/types.js.map +1 -0
package/dist/cache/errors.d.ts +41 -0
package/dist/cache/errors.d.ts.map +1 -0
package/dist/cache/errors.js +44 -0
package/dist/cache/errors.js.map +1 -0
package/dist/cache/factories.d.ts +17 -0
package/dist/cache/factories.d.ts.map +1 -0
package/dist/cache/factories.js +17 -0
package/dist/cache/factories.js.map +1 -0
package/dist/cache/keys.d.ts +63 -0
package/dist/cache/keys.d.ts.map +1 -0
package/dist/cache/keys.js +145 -0
package/dist/cache/keys.js.map +1 -0
package/dist/cache/memory.d.ts +51 -0
package/dist/cache/memory.d.ts.map +1 -0
package/dist/cache/memory.js +204 -0
package/dist/cache/memory.js.map +1 -0
package/dist/cache/per-site.d.ts +22 -0
package/dist/cache/per-site.d.ts.map +1 -0
package/dist/cache/per-site.js +114 -0
package/dist/cache/per-site.js.map +1 -0
package/dist/cache/types.d.ts +142 -0
package/dist/cache/types.d.ts.map +1 -0
package/dist/cache/types.js +33 -0
package/dist/cache/types.js.map +1 -0
package/dist/cli/archive.d.ts +44 -0
package/dist/cli/archive.d.ts.map +1 -0
package/dist/cli/archive.js +310 -0
package/dist/cli/archive.js.map +1 -0
package/dist/cli/bootstrap.d.ts +15 -8
package/dist/cli/bootstrap.d.ts.map +1 -1
package/dist/cli/bootstrap.js +59 -23
package/dist/cli/bootstrap.js.map +1 -1
package/dist/cli/dev-template-watcher.d.ts +29 -0
package/dist/cli/dev-template-watcher.d.ts.map +1 -0
package/dist/cli/dev-template-watcher.js +38 -0
package/dist/cli/dev-template-watcher.js.map +1 -0
package/dist/cli/history.d.ts.map +1 -1
package/dist/cli/history.js +5 -3
package/dist/cli/history.js.map +1 -1
package/dist/cli/index.js +712 -395
package/dist/cli/index.js.map +1 -1
package/dist/cli/validate-flags.d.ts +29 -0
package/dist/cli/validate-flags.d.ts.map +1 -0
package/dist/cli/validate-flags.js +49 -0
package/dist/cli/validate-flags.js.map +1 -0
package/dist/compare.d.ts +1 -1
package/dist/compare.d.ts.map +1 -1
package/dist/compare.js +25 -23
package/dist/compare.js.map +1 -1
package/dist/component-ids.d.ts +25 -0
package/dist/component-ids.d.ts.map +1 -0
package/dist/component-ids.js +83 -0
package/dist/component-ids.js.map +1 -0
package/dist/config/define.d.ts +61 -0
package/dist/config/define.d.ts.map +1 -0
package/dist/config/define.js +64 -0
package/dist/config/define.js.map +1 -0
package/dist/config/errors.d.ts +32 -0
package/dist/config/errors.d.ts.map +1 -0
package/dist/config/errors.js +40 -0
package/dist/config/errors.js.map +1 -0
package/dist/config/index.d.ts +13 -0
package/dist/config/index.d.ts.map +1 -0
package/dist/config/index.js +20 -0
package/dist/config/index.js.map +1 -0
package/dist/config/loader.d.ts +105 -0
package/dist/config/loader.d.ts.map +1 -0
package/dist/config/loader.js +265 -0
package/dist/config/loader.js.map +1 -0
package/dist/config/schemas.d.ts +89 -0
package/dist/config/schemas.d.ts.map +1 -0
package/dist/config/schemas.js +172 -0
package/dist/config/schemas.js.map +1 -0
package/dist/config/types.d.ts +32 -0
package/dist/config/types.d.ts.map +1 -0
package/dist/config/types.js +15 -0
package/dist/config/types.js.map +1 -0
package/dist/deploy/cloudflare-workers.d.ts +46 -0
package/dist/deploy/cloudflare-workers.d.ts.map +1 -0
package/dist/deploy/cloudflare-workers.js +213 -0
package/dist/deploy/cloudflare-workers.js.map +1 -0
package/dist/deploy/errors.d.ts +66 -0
package/dist/deploy/errors.d.ts.map +1 -0
package/dist/deploy/errors.js +82 -0
package/dist/deploy/errors.js.map +1 -0
package/dist/deploy/index.d.ts +9 -0
package/dist/deploy/index.d.ts.map +1 -0
package/dist/deploy/index.js +3 -0
package/dist/deploy/index.js.map +1 -0
package/dist/deploy/types.d.ts +162 -0
package/dist/deploy/types.d.ts.map +1 -0
package/dist/deploy/types.js +2 -0
package/dist/deploy/types.js.map +1 -0
package/dist/fragments/create.d.ts +70 -0
package/dist/fragments/create.d.ts.map +1 -0
package/dist/fragments/create.js +93 -0
package/dist/fragments/create.js.map +1 -0
package/dist/fragments/publish.d.ts +37 -0
package/dist/fragments/publish.d.ts.map +1 -0
package/dist/fragments/publish.js +52 -0
package/dist/fragments/publish.js.map +1 -0
package/dist/fragments/save.d.ts +81 -0
package/dist/fragments/save.d.ts.map +1 -0
package/dist/fragments/save.js +105 -0
package/dist/fragments/save.js.map +1 -0
package/dist/history-recorder.d.ts +5 -5
package/dist/history-recorder.d.ts.map +1 -1
package/dist/history-recorder.js +4 -4
package/dist/history-recorder.js.map +1 -1
package/dist/history-restorer.js +2 -2
package/dist/history-restorer.js.map +1 -1
package/dist/history.d.ts +1 -1
package/dist/hooks/audit-emitter.d.ts +73 -0
package/dist/hooks/audit-emitter.d.ts.map +1 -0
package/dist/hooks/audit-emitter.js +13 -0
package/dist/hooks/audit-emitter.js.map +1 -0
package/dist/hooks/context.d.ts +78 -0
package/dist/hooks/context.d.ts.map +1 -0
package/dist/hooks/context.js +56 -0
package/dist/hooks/context.js.map +1 -0
package/dist/hooks/contribution.d.ts +90 -0
package/dist/hooks/contribution.d.ts.map +1 -0
package/dist/hooks/contribution.js +2 -0
package/dist/hooks/contribution.js.map +1 -0
package/dist/hooks/dispatch.d.ts +30 -0
package/dist/hooks/dispatch.d.ts.map +1 -0
package/dist/hooks/dispatch.js +252 -0
package/dist/hooks/dispatch.js.map +1 -0
package/dist/hooks/errors.d.ts +100 -0
package/dist/hooks/errors.d.ts.map +1 -0
package/dist/hooks/errors.js +103 -0
package/dist/hooks/errors.js.map +1 -0
package/dist/hooks/index.d.ts +15 -0
package/dist/hooks/index.d.ts.map +1 -0
package/dist/hooks/index.js +6 -0
package/dist/hooks/index.js.map +1 -0
package/dist/hooks/registry.d.ts +53 -0
package/dist/hooks/registry.d.ts.map +1 -0
package/dist/hooks/registry.js +139 -0
package/dist/hooks/registry.js.map +1 -0
package/dist/hooks/storage.d.ts +43 -0
package/dist/hooks/storage.d.ts.map +1 -0
package/dist/hooks/storage.js +2 -0
package/dist/hooks/storage.js.map +1 -0
package/dist/hooks/types.d.ts +324 -0
package/dist/hooks/types.d.ts.map +1 -0
package/dist/hooks/types.js +2 -0
package/dist/hooks/types.js.map +1 -0
package/dist/index.d.ts +26 -6
package/dist/index.d.ts.map +1 -1
package/dist/index.js +49 -5
package/dist/index.js.map +1 -1
package/dist/locale.d.ts +5 -1
package/dist/locale.d.ts.map +1 -1
package/dist/locale.js +6 -2
package/dist/locale.js.map +1 -1
package/dist/manifest-save.d.ts +255 -0
package/dist/manifest-save.d.ts.map +1 -0
package/dist/manifest-save.js +260 -0
package/dist/manifest-save.js.map +1 -0
package/dist/manifest.d.ts +1 -2
package/dist/manifest.d.ts.map +1 -1
package/dist/manifest.js +43 -44
package/dist/manifest.js.map +1 -1
package/dist/node-floor.d.ts +3 -0
package/dist/node-floor.d.ts.map +1 -0
package/dist/node-floor.js +3 -0
package/dist/node-floor.js.map +1 -0
package/dist/pages/create.d.ts +103 -0
package/dist/pages/create.d.ts.map +1 -0
package/dist/pages/create.js +117 -0
package/dist/pages/create.js.map +1 -0
package/dist/pages/publish.d.ts +59 -0
package/dist/pages/publish.d.ts.map +1 -0
package/dist/pages/publish.js +78 -0
package/dist/pages/publish.js.map +1 -0
package/dist/pages/save.d.ts +97 -0
package/dist/pages/save.d.ts.map +1 -0
package/dist/pages/save.js +138 -0
package/dist/pages/save.js.map +1 -0
package/dist/providers/factories.d.ts +65 -0
package/dist/providers/factories.d.ts.map +1 -0
package/dist/providers/factories.js +189 -0
package/dist/providers/factories.js.map +1 -0
package/dist/publish-item.d.ts +225 -0
package/dist/publish-item.d.ts.map +1 -0
package/dist/publish-item.js +210 -0
package/dist/publish-item.js.map +1 -0
package/dist/publish-rendered.d.ts.map +1 -1
package/dist/publish-rendered.js +75 -6
package/dist/publish-rendered.js.map +1 -1
package/dist/publish-renderers.d.ts +132 -0
package/dist/publish-renderers.d.ts.map +1 -0
package/dist/publish-renderers.js +240 -0
package/dist/publish-renderers.js.map +1 -0
package/dist/publish-run.d.ts +223 -0
package/dist/publish-run.d.ts.map +1 -0
package/dist/publish-run.js +307 -0
package/dist/publish-run.js.map +1 -0
package/dist/publish.d.ts.map +1 -1
package/dist/publish.js +1 -10
package/dist/publish.js.map +1 -1
package/dist/render-for-analysis.d.ts +24 -0
package/dist/render-for-analysis.d.ts.map +1 -0
package/dist/render-for-analysis.js +146 -0
package/dist/render-for-analysis.js.map +1 -0
package/dist/resolver.d.ts.map +1 -1
package/dist/resolver.js +47 -23
package/dist/resolver.js.map +1 -1
package/dist/runtime/archive-marker.d.ts +62 -0
package/dist/runtime/archive-marker.d.ts.map +1 -0
package/dist/runtime/archive-marker.js +88 -0
package/dist/runtime/archive-marker.js.map +1 -0
package/dist/runtime/capability-gap-warnings.d.ts +42 -0
package/dist/runtime/capability-gap-warnings.d.ts.map +1 -0
package/dist/runtime/capability-gap-warnings.js +28 -0
package/dist/runtime/capability-gap-warnings.js.map +1 -0
package/dist/runtime/redirects-emit.d.ts +93 -0
package/dist/runtime/redirects-emit.d.ts.map +1 -0
package/dist/runtime/redirects-emit.js +89 -0
package/dist/runtime/redirects-emit.js.map +1 -0
package/dist/runtime/runtime-capabilities.d.ts +79 -0
package/dist/runtime/runtime-capabilities.d.ts.map +1 -0
package/dist/runtime/runtime-capabilities.js +60 -0
package/dist/runtime/runtime-capabilities.js.map +1 -0
package/dist/save-etag.d.ts +69 -0
package/dist/save-etag.d.ts.map +1 -0
package/dist/save-etag.js +118 -0
package/dist/save-etag.js.map +1 -0
package/dist/site-loader.d.ts +42 -4
package/dist/site-loader.d.ts.map +1 -1
package/dist/site-loader.js +27 -8
package/dist/site-loader.js.map +1 -1
package/dist/targets.d.ts +21 -12
package/dist/targets.d.ts.map +1 -1
package/dist/targets.js +27 -95
package/dist/targets.js.map +1 -1
package/dist/testing/admin-cache-contract.d.ts +52 -0
package/dist/testing/admin-cache-contract.d.ts.map +1 -0
package/dist/testing/admin-cache-contract.js +203 -0
package/dist/testing/admin-cache-contract.js.map +1 -0
package/dist/testing/index.d.ts +11 -0
package/dist/testing/index.d.ts.map +1 -0
package/dist/testing/index.js +11 -0
package/dist/testing/index.js.map +1 -0
package/dist/transforms/factories.d.ts +16 -0
package/dist/transforms/factories.d.ts.map +1 -0
package/dist/transforms/factories.js +18 -0
package/dist/transforms/factories.js.map +1 -0
package/dist/transforms/index.d.ts +10 -17
package/dist/transforms/index.d.ts.map +1 -1
package/dist/transforms/index.js +4 -28
package/dist/transforms/index.js.map +1 -1
package/dist/transforms/sharp.d.ts +15 -1
package/dist/transforms/sharp.d.ts.map +1 -1
package/dist/transforms/sharp.js +34 -20
package/dist/transforms/sharp.js.map +1 -1
package/dist/types.d.ts +379 -52
package/dist/types.d.ts.map +1 -1
package/dist/types.js +20 -1
package/dist/types.js.map +1 -1
package/dist/validation/alt-required-walker.d.ts +27 -0
package/dist/validation/alt-required-walker.d.ts.map +1 -0
package/dist/validation/alt-required-walker.js +108 -0
package/dist/validation/alt-required-walker.js.map +1 -0
package/dist/validation/default-registry.d.ts +12 -0
package/dist/validation/default-registry.d.ts.map +1 -0
package/dist/validation/default-registry.js +55 -0
package/dist/validation/default-registry.js.map +1 -0
package/dist/validation/publish-audit.d.ts +44 -0
package/dist/validation/publish-audit.d.ts.map +1 -0
package/dist/validation/publish-audit.js +64 -0
package/dist/validation/publish-audit.js.map +1 -0
package/dist/validation/registry.d.ts +23 -0
package/dist/validation/registry.d.ts.map +1 -0
package/dist/validation/registry.js +15 -0
package/dist/validation/registry.js.map +1 -0
package/dist/validation/save-delta.d.ts +46 -0
package/dist/validation/save-delta.d.ts.map +1 -0
package/dist/validation/save-delta.js +57 -0
package/dist/validation/save-delta.js.map +1 -0
package/dist/validation/scanner.d.ts +91 -0
package/dist/validation/scanner.d.ts.map +1 -0
package/dist/validation/scanner.js +327 -0
package/dist/validation/scanner.js.map +1 -0
package/dist/validation/template-impact.d.ts +52 -0
package/dist/validation/template-impact.d.ts.map +1 -0
package/dist/validation/template-impact.js +53 -0
package/dist/validation/template-impact.js.map +1 -0
package/dist/validation/types.d.ts +123 -0
package/dist/validation/types.d.ts.map +1 -0
package/dist/validation/types.js +7 -0
package/dist/validation/types.js.map +1 -0
package/dist/validation/validators/accessibility.d.ts +3 -0
package/dist/validation/validators/accessibility.d.ts.map +1 -0
package/dist/validation/validators/accessibility.js +106 -0
package/dist/validation/validators/accessibility.js.map +1 -0
package/dist/validation/validators/aliasof-points-to-archived.d.ts +40 -0
package/dist/validation/validators/aliasof-points-to-archived.d.ts.map +1 -0
package/dist/validation/validators/aliasof-points-to-archived.js +34 -0
package/dist/validation/validators/aliasof-points-to-archived.js.map +1 -0
package/dist/validation/validators/alt-required.d.ts +3 -0
package/dist/validation/validators/alt-required.d.ts.map +1 -0
package/dist/validation/validators/alt-required.js +118 -0
package/dist/validation/validators/alt-required.js.map +1 -0
package/dist/validation/validators/archive-not-supported-on-target.d.ts +3 -0
package/dist/validation/validators/archive-not-supported-on-target.d.ts.map +1 -0
package/dist/validation/validators/archive-not-supported-on-target.js +38 -0
package/dist/validation/validators/archive-not-supported-on-target.js.map +1 -0
package/dist/validation/validators/broken-links.d.ts +3 -0
package/dist/validation/validators/broken-links.d.ts.map +1 -0
package/dist/validation/validators/broken-links.js +190 -0
package/dist/validation/validators/broken-links.js.map +1 -0
package/dist/validation/validators/circular-alias.d.ts +36 -0
package/dist/validation/validators/circular-alias.d.ts.map +1 -0
package/dist/validation/validators/circular-alias.js +63 -0
package/dist/validation/validators/circular-alias.js.map +1 -0
package/dist/validation/validators/circular-fragment.d.ts +15 -0
package/dist/validation/validators/circular-fragment.d.ts.map +1 -0
package/dist/validation/validators/circular-fragment.js +97 -0
package/dist/validation/validators/circular-fragment.js.map +1 -0
package/dist/validation/validators/dangling-alias.d.ts +38 -0
package/dist/validation/validators/dangling-alias.d.ts.map +1 -0
package/dist/validation/validators/dangling-alias.js +31 -0
package/dist/validation/validators/dangling-alias.js.map +1 -0
package/dist/validation/validators/deploy-target-type-supported.d.ts +3 -0
package/dist/validation/validators/deploy-target-type-supported.d.ts.map +1 -0
package/dist/validation/validators/deploy-target-type-supported.js +32 -0
package/dist/validation/validators/deploy-target-type-supported.js.map +1 -0
package/dist/validation/validators/dynamic-route-conflict.d.ts +18 -0
package/dist/validation/validators/dynamic-route-conflict.d.ts.map +1 -0
package/dist/validation/validators/dynamic-route-conflict.js +80 -0
package/dist/validation/validators/dynamic-route-conflict.js.map +1 -0
package/dist/validation/validators/html-validity.d.ts +3 -0
package/dist/validation/validators/html-validity.d.ts.map +1 -0
package/dist/validation/validators/html-validity.js +89 -0
package/dist/validation/validators/html-validity.js.map +1 -0
package/dist/validation/validators/orphaned-locale-file.d.ts +21 -0
package/dist/validation/validators/orphaned-locale-file.d.ts.map +1 -0
package/dist/validation/validators/orphaned-locale-file.js +84 -0
package/dist/validation/validators/orphaned-locale-file.js.map +1 -0
package/dist/validation/validators/referenced-archived-without-alias.d.ts +3 -0
package/dist/validation/validators/referenced-archived-without-alias.d.ts.map +1 -0
package/dist/validation/validators/referenced-archived-without-alias.js +65 -0
package/dist/validation/validators/referenced-archived-without-alias.js.map +1 -0
package/dist/validation/validators/referenced-asset-exists.d.ts +13 -0
package/dist/validation/validators/referenced-asset-exists.d.ts.map +1 -0
package/dist/validation/validators/referenced-asset-exists.js +80 -0
package/dist/validation/validators/referenced-asset-exists.js.map +1 -0
package/dist/validation/validators/referenced-fragment-exists.d.ts +9 -0
package/dist/validation/validators/referenced-fragment-exists.d.ts.map +1 -0
package/dist/validation/validators/referenced-fragment-exists.js +52 -0
package/dist/validation/validators/referenced-fragment-exists.js.map +1 -0
package/dist/validation/validators/referenced-template-exists.d.ts +10 -0
package/dist/validation/validators/referenced-template-exists.d.ts.map +1 -0
package/dist/validation/validators/referenced-template-exists.js +74 -0
package/dist/validation/validators/referenced-template-exists.js.map +1 -0
package/dist/validation/validators/schema-conformance.d.ts +17 -0
package/dist/validation/validators/schema-conformance.d.ts.map +1 -0
package/dist/validation/validators/schema-conformance.js +94 -0
package/dist/validation/validators/schema-conformance.js.map +1 -0
package/dist/validation/validators/target-deploy-coverage.d.ts +3 -0
package/dist/validation/validators/target-deploy-coverage.d.ts.map +1 -0
package/dist/validation/validators/target-deploy-coverage.js +37 -0
package/dist/validation/validators/target-deploy-coverage.js.map +1 -0
package/dist/validation/validators/unused-fragment.d.ts +16 -0
package/dist/validation/validators/unused-fragment.d.ts.map +1 -0
package/dist/validation/validators/unused-fragment.js +86 -0
package/dist/validation/validators/unused-fragment.js.map +1 -0
package/package.json +54 -31
package/admin-dist/assets/index-BO9-CXmW.css +0 -1
package/admin-dist/assets/index-Ufu8zZH_.js +0 -668
package/admin-dist/assets/rolldown-runtime-COnpUsM8.js +0 -1
package/admin-dist/assets/vendor-rjsf-HKBAjOmQ.js +0 -32
package/admin-dist/assets/vendor-tiptap-IyO99U4R.js +0 -142
package/admin-dist/assets/vendor-vue-D3wBSmDf.js +0 -1
package/dist/publish-locale.d.ts +0 -44
package/dist/publish-locale.d.ts.map +0 -1
package/dist/publish-locale.js +0 -103
package/dist/publish-locale.js.map +0 -1

package/dist/auth/providers/cloudflare-access.js ADDED Viewed

@@ -0,0 +1,120 @@
+/**
+ * `cloudflare-access` trust mode — Cloudflare Zero Trust / Access
+ * fronting the admin. The platform issues a signed JWT in the
+ * `Cf-Access-Jwt-Assertion` header (or cookie); Gazetta verifies
+ * the signature against Cloudflare's published JWKS and reads the
+ * subject + email from the verified payload.
+ *
+ * # Why JWT verification, not header trust
+ *
+ * Cloudflare Access's JWT carries a real signature. Anyone behind
+ * the Worker boundary can claim a header value, but only Cloudflare's
+ * private key can produce a valid token. Verifying the signature is
+ * the security contract — without it, this trust mode is no safer
+ * than `forwarded-user` without a whitelist.
+ *
+ * # JWKS endpoint shape
+ *
+ * Cloudflare publishes per-team-domain JWKS at:
+ *
+ *     https://{teamDomain}.cloudflareaccess.com/cdn-cgi/access/certs
+ *
+ * Operators set `teamDomain` in `site.config.ts admin.auth`; the
+ * provider builds the URL and uses `jose`'s `createRemoteJWKSet`
+ * for verification + automatic key rotation.
+ *
+ * # Failure modes
+ *
+ *   - JWT missing / expired / signature invalid → `AuthenticationError`
+ *     (middleware → 401)
+ *   - JWKS endpoint unreachable → `AuthenticationError` (fail-CLOSED
+ *     here, NOT fail-open like Universal Provider Requirement #5
+ *     suggests for transport errors — auth is the security boundary;
+ *     a JWKS outage that fails open would let unsigned tokens
+ *     through)
+ *   - `aud` claim mismatch (when configured) → `AuthenticationError`
+ *
+ * # SOLID lenses
+ *
+ *   - SRP: JWT verification only. Source-IP extraction is not this
+ *     provider's concern (Cloudflare's signed assertion IS the trust;
+ *     the source IP would be Cloudflare's edge anyway).
+ *   - DIP: jose's `createRemoteJWKSet` is the verifier dependency;
+ *     test injects a different verifier via the optional
+ *     `jwksFactory` constructor option for unit tests.
+ */
+import { jwtVerify, createRemoteJWKSet } from 'jose';
+import { AuthenticationError, AuthConfigurationError } from '../errors.js';
+import { expandRole } from '../capabilities.js';
+export function createCloudflareAccessAuthProvider(config) {
+    if (!config.teamDomain || config.teamDomain.length === 0) {
+        throw new AuthConfigurationError('cloudflare-access trust mode requires teamDomain (your Cloudflare Zero Trust team domain, e.g. "acme")');
+    }
+    // Validate the teamDomain shape — Cloudflare team domains are
+    // lowercase alphanumeric + hyphens; reject obvious typos.
+    if (!/^[a-z0-9][a-z0-9-]*$/.test(config.teamDomain)) {
+        throw new AuthConfigurationError(`Invalid teamDomain "${config.teamDomain}": must be lowercase alphanumeric + hyphens (the part before .cloudflareaccess.com)`);
+    }
+    const jwksUrl = new URL(`https://${config.teamDomain}.cloudflareaccess.com/cdn-cgi/access/certs`);
+    const expectedIssuer = `https://${config.teamDomain}.cloudflareaccess.com`;
+    const jwks = (config.jwksFactory ?? createRemoteJWKSet)(jwksUrl);
+    const defaultRole = config.defaultRole ?? 'editor';
+    return {
+        trustMode: 'cloudflare-access',
+        async extractPrincipal(req) {
+            // Cloudflare Access can deliver the assertion in either a
+            // header or cookie. We accept both; header takes precedence
+            // because it's the documented integration path.
+            const token = req.headers.get('cf-access-jwt-assertion') ?? extractFromCookie(req.headers.get('cookie'));
+            if (!token) {
+                // No Cloudflare-Access token at all — anonymous. Middleware
+                // turns this into 401.
+                return null;
+            }
+            let payload;
+            try {
+                const result = await jwtVerify(token, jwks, {
+                    issuer: expectedIssuer,
+                    audience: config.audience,
+                });
+                payload = result.payload;
+            }
+            catch (err) {
+                // jose throws JOSEError subclasses for signature / expiry /
+                // claim mismatches. We don't differentiate — every failure
+                // surfaces as AuthenticationError → 401 per Universal
+                // Provider Requirement (auth fails closed on token failure).
+                throw new AuthenticationError(`Cloudflare Access JWT verification failed: ${err.message}`);
+            }
+            const id = payload.sub ?? payload.identity_nonce;
+            if (!id) {
+                throw new AuthenticationError('Cloudflare Access JWT has no sub or identity_nonce claim');
+            }
+            return {
+                id,
+                email: payload.email,
+                role: defaultRole,
+                trustMode: 'cloudflare-access',
+                capabilities: expandRole(defaultRole) ?? [],
+            };
+        },
+    };
+}
+/**
+ * Cloudflare Access also delivers the JWT via the
+ * `CF_Authorization` cookie. Extract it from the Cookie header
+ * if present.
+ */
+function extractFromCookie(cookieHeader) {
+    if (!cookieHeader)
+        return null;
+    const cookies = cookieHeader.split(';');
+    for (const cookie of cookies) {
+        const trimmed = cookie.trim();
+        if (trimmed.startsWith('CF_Authorization=')) {
+            return trimmed.slice('CF_Authorization='.length);
+        }
+    }
+    return null;
+}
+//# sourceMappingURL=cloudflare-access.js.map

package/dist/auth/providers/cloudflare-access.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"cloudflare-access.js","sourceRoot":"","sources":["../../../src/auth/providers/cloudflare-access.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA4CG;AACH,OAAO,EAAE,SAAS,EAAE,kBAAkB,EAAyC,MAAM,MAAM,CAAA;AAG3F,OAAO,EAAE,mBAAmB,EAAE,sBAAsB,EAAE,MAAM,cAAc,CAAA;AAC1E,OAAO,EAAE,UAAU,EAAE,MAAM,oBAAoB,CAAA;AAuC/C,MAAM,UAAU,kCAAkC,CAAC,MAA8B;IAC/E,IAAI,CAAC,MAAM,CAAC,UAAU,IAAI,MAAM,CAAC,UAAU,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACzD,MAAM,IAAI,sBAAsB,CAC9B,wGAAwG,CACzG,CAAA;IACH,CAAC;IACD,8DAA8D;IAC9D,0DAA0D;IAC1D,IAAI,CAAC,sBAAsB,CAAC,IAAI,CAAC,MAAM,CAAC,UAAU,CAAC,EAAE,CAAC;QACpD,MAAM,IAAI,sBAAsB,CAC9B,uBAAuB,MAAM,CAAC,UAAU,qFAAqF,CAC9H,CAAA;IACH,CAAC;IAED,MAAM,OAAO,GAAG,IAAI,GAAG,CAAC,WAAW,MAAM,CAAC,UAAU,4CAA4C,CAAC,CAAA;IACjG,MAAM,cAAc,GAAG,WAAW,MAAM,CAAC,UAAU,uBAAuB,CAAA;IAC1E,MAAM,IAAI,GAAG,CAAC,MAAM,CAAC,WAAW,IAAI,kBAAkB,CAAC,CAAC,OAAO,CAAC,CAAA;IAChE,MAAM,WAAW,GAAG,MAAM,CAAC,WAAW,IAAI,QAAQ,CAAA;IAElD,OAAO;QACL,SAAS,EAAE,mBAAmB;QAC9B,KAAK,CAAC,gBAAgB,CAAC,GAAgB;YACrC,0DAA0D;YAC1D,4DAA4D;YAC5D,gDAAgD;YAChD,MAAM,KAAK,GAAG,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,yBAAyB,CAAC,IAAI,iBAAiB,CAAC,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC,CAAA;YACxG,IAAI,CAAC,KAAK,EAAE,CAAC;gBACX,4DAA4D;gBAC5D,uBAAuB;gBACvB,OAAO,IAAI,CAAA;YACb,CAAC;YAED,IAAI,OAA+B,CAAA;YACnC,IAAI,CAAC;gBACH,MAAM,MAAM,GAAG,MAAM,SAAS,CAAyB,KAAK,EAAE,IAAI,EAAE;oBAClE,MAAM,EAAE,cAAc;oBACtB,QAAQ,EAAE,MAAM,CAAC,QAAQ;iBAC1B,CAAC,CAAA;gBACF,OAAO,GAAG,MAAM,CAAC,OAAO,CAAA;YAC1B,CAAC;YAAC,OAAO,GAAG,EAAE,CAAC;gBACb,4DAA4D;gBAC5D,2DAA2D;gBAC3D,sDAAsD;gBACtD,6DAA6D;gBAC7D,MAAM,IAAI,mBAAmB,CAAC,8CAA+C,GAAa,CAAC,OAAO,EAAE,CAAC,CAAA;YACvG,CAAC;YAED,MAAM,EAAE,GAAG,OAAO,CAAC,GAAG,IAAI,OAAO,CAAC,cAAc,CAAA;YAChD,IAAI,CAAC,EAAE,EAAE,CAAC;gBACR,MAAM,IAAI,mBAAmB,CAAC,0DAA0D,CAAC,CAAA;YAC3F,CAAC;YAED,OAAO;gBACL,EAAE;gBACF,KAAK,EAAE,OAAO,CAAC,KAAK;gBACpB,IAAI,EAAE,WAAW;gBACjB,SAAS,EAAE,mBAAmB;gBAC9B,YAAY,EAAE,UAAU,CAAC,WAAW,CAAC,IAAI,EAAE;aAC5C,CAAA;QACH,CAAC;KACF,CAAA;AACH,CAAC;AAED;;;;GAIG;AACH,SAAS,iBAAiB,CAAC,YAAgC;IACzD,IAAI,CAAC,YAAY;QAAE,OAAO,IAAI,CAAA;IAC9B,MAAM,OAAO,GAAG,YAAY,CAAC,KAAK,CAAC,GAAG,CAAC,CAAA;IACvC,KAAK,MAAM,MAAM,IAAI,OAAO,EAAE,CAAC;QAC7B,MAAM,OAAO,GAAG,MAAM,CAAC,IAAI,EAAE,CAAA;QAC7B,IAAI,OAAO,CAAC,UAAU,CAAC,mBAAmB,CAAC,EAAE,CAAC;YAC5C,OAAO,OAAO,CAAC,KAAK,CAAC,mBAAmB,CAAC,MAAM,CAAC,CAAA;QAClD,CAAC;IACH,CAAC;IACD,OAAO,IAAI,CAAA;AACb,CAAC"}

package/dist/auth/providers/forwarded-user.d.ts ADDED Viewed

@@ -0,0 +1,31 @@
+import type { AuthIdentityProvider } from '../provider.js';
+export interface ForwardedUserConfig {
+    /**
+     * Whitelisted source IPs / CIDRs that may set the forwarded
+     * headers. Empty (or undefined) when `allowAnyOrigin: true`.
+     * Validated at config-load.
+     */
+    trustedProxies?: readonly string[];
+    /**
+     * Explicit opt-out of source-IP protection. Required when
+     * `trustedProxies` is empty. Use only in dev or trusted private
+     * networks.
+     */
+    allowAnyOrigin?: boolean;
+    /**
+     * Group claim → role mapping from the upstream layer's
+     * `X-Forwarded-Groups` header. Resolver (Cut 6) consumes this;
+     * the provider just exposes the raw groups via Principal.role.
+     * Until Cut 6 lands, the provider returns `role: 'editor'` as a
+     * sensible default — overridden once role-resolver wires up.
+     */
+    defaultRole?: string;
+}
+/**
+ * Construct a `forwarded-user` provider. Validates `trustedProxies`
+ * at construction (per Universal Provider Requirement #6 — config
+ * errors throw; transport errors fail-open). Returned provider is
+ * stateless after construction; safe to share across requests.
+ */
+export declare function createForwardedUserAuthProvider(config: ForwardedUserConfig): AuthIdentityProvider;
+//# sourceMappingURL=forwarded-user.d.ts.map

package/dist/auth/providers/forwarded-user.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"forwarded-user.d.ts","sourceRoot":"","sources":["../../../src/auth/providers/forwarded-user.ts"],"names":[],"mappings":"AAuCA,OAAO,KAAK,EAAE,oBAAoB,EAAe,MAAM,gBAAgB,CAAA;AAKvE,MAAM,WAAW,mBAAmB;IAClC;;;;OAIG;IACH,cAAc,CAAC,EAAE,SAAS,MAAM,EAAE,CAAA;IAClC;;;;OAIG;IACH,cAAc,CAAC,EAAE,OAAO,CAAA;IACxB;;;;;;OAMG;IACH,WAAW,CAAC,EAAE,MAAM,CAAA;CACrB;AAED;;;;;GAKG;AACH,wBAAgB,+BAA+B,CAAC,MAAM,EAAE,mBAAmB,GAAG,oBAAoB,CAsEjG"}

package/dist/auth/providers/forwarded-user.js ADDED Viewed

@@ -0,0 +1,72 @@
+import { AuthenticationError, AuthConfigurationError } from '../errors.js';
+import { ipMatchesAny, parseRules } from '../ip-match.js';
+import { expandRole } from '../capabilities.js';
+/**
+ * Construct a `forwarded-user` provider. Validates `trustedProxies`
+ * at construction (per Universal Provider Requirement #6 — config
+ * errors throw; transport errors fail-open). Returned provider is
+ * stateless after construction; safe to share across requests.
+ */
+export function createForwardedUserAuthProvider(config) {
+    // Pre-parse the trustedProxies list at construction so per-request
+    // checks are O(N) over already-parsed rules. Throws AuthConfigurationError
+    // at boot if any rule is malformed — operator sees the failure
+    // before requests start arriving.
+    let parsedRules = [];
+    if (config.trustedProxies && config.trustedProxies.length > 0) {
+        try {
+            parsedRules = parseRules(config.trustedProxies);
+        }
+        catch (err) {
+            throw new AuthConfigurationError(`Invalid trustedProxies entry: ${err.message}. Each entry must be an IP literal (e.g. "10.0.0.1") or CIDR (e.g. "10.0.0.0/8").`);
+        }
+    }
+    if (!config.allowAnyOrigin && parsedRules.length === 0) {
+        // Schema-level refine should catch this, but defense-in-depth:
+        // if a caller bypasses the schema (e.g., constructed by a plugin
+        // with a wrong shape), surface the error at construction.
+        throw new AuthConfigurationError('forwarded-user trust mode requires trustedProxies (IP whitelist) OR allowAnyOrigin: true');
+    }
+    const defaultRole = config.defaultRole ?? 'editor';
+    return {
+        trustMode: 'forwarded-user',
+        async extractPrincipal(req) {
+            // Source-IP protection FIRST — before any header read. A
+            // request from an untrusted source has its forwarded headers
+            // ignored entirely; we treat it as if the headers weren't
+            // set. Returning null lets the middleware decide between 401
+            // (require auth) and synthetic anonymous (none-mode-style).
+            // For forwarded-user we always require auth — middleware
+            // surfaces this as 401.
+            if (!config.allowAnyOrigin) {
+                if (!req.sourceIp || !ipMatchesAny(req.sourceIp, parsedRules)) {
+                    throw new AuthenticationError(req.sourceIp
+                        ? `Request source IP ${req.sourceIp} is not in the configured trustedProxies whitelist`
+                        : 'Request source IP is unknown; trusted-proxy verification cannot run');
+                }
+            }
+            const user = req.headers.get('x-forwarded-user');
+            if (!user || user.length === 0) {
+                // No identity header — anonymous. Middleware turns this
+                // into 401.
+                return null;
+            }
+            const email = req.headers.get('x-forwarded-email') ?? undefined;
+            // Capabilities = the default role's built-in capability set.
+            // Group-claim → role mapping (via roleMapping config + the
+            // X-Forwarded-Groups header) is a follow-up. For v1 every
+            // authenticated forwarded-user gets the configured defaultRole's
+            // capabilities; operators wanting role-by-group set the
+            // roleMapping in admin.auth and override defaultRole.
+            const capabilities = expandRole(defaultRole) ?? [];
+            return {
+                id: user,
+                email,
+                role: defaultRole,
+                trustMode: 'forwarded-user',
+                capabilities,
+            };
+        },
+    };
+}
+//# sourceMappingURL=forwarded-user.js.map

package/dist/auth/providers/forwarded-user.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"forwarded-user.js","sourceRoot":"","sources":["../../../src/auth/providers/forwarded-user.ts"],"names":[],"mappings":"AAwCA,OAAO,EAAE,mBAAmB,EAAE,sBAAsB,EAAE,MAAM,cAAc,CAAA;AAC1E,OAAO,EAAE,YAAY,EAAmB,UAAU,EAAE,MAAM,gBAAgB,CAAA;AAC1E,OAAO,EAAE,UAAU,EAAE,MAAM,oBAAoB,CAAA;AAyB/C;;;;;GAKG;AACH,MAAM,UAAU,+BAA+B,CAAC,MAA2B;IACzE,mEAAmE;IACnE,2EAA2E;IAC3E,+DAA+D;IAC/D,kCAAkC;IAClC,IAAI,WAAW,GAAiB,EAAE,CAAA;IAClC,IAAI,MAAM,CAAC,cAAc,IAAI,MAAM,CAAC,cAAc,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC9D,IAAI,CAAC;YACH,WAAW,GAAG,UAAU,CAAC,MAAM,CAAC,cAAc,CAAC,CAAA;QACjD,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,MAAM,IAAI,sBAAsB,CAC9B,iCAAkC,GAAa,CAAC,OAAO,mFAAmF,CAC3I,CAAA;QACH,CAAC;IACH,CAAC;IACD,IAAI,CAAC,MAAM,CAAC,cAAc,IAAI,WAAW,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACvD,+DAA+D;QAC/D,iEAAiE;QACjE,0DAA0D;QAC1D,MAAM,IAAI,sBAAsB,CAC9B,0FAA0F,CAC3F,CAAA;IACH,CAAC;IAED,MAAM,WAAW,GAAG,MAAM,CAAC,WAAW,IAAI,QAAQ,CAAA;IAElD,OAAO;QACL,SAAS,EAAE,gBAAgB;QAC3B,KAAK,CAAC,gBAAgB,CAAC,GAAgB;YACrC,yDAAyD;YACzD,6DAA6D;YAC7D,0DAA0D;YAC1D,6DAA6D;YAC7D,4DAA4D;YAC5D,yDAAyD;YACzD,wBAAwB;YACxB,IAAI,CAAC,MAAM,CAAC,cAAc,EAAE,CAAC;gBAC3B,IAAI,CAAC,GAAG,CAAC,QAAQ,IAAI,CAAC,YAAY,CAAC,GAAG,CAAC,QAAQ,EAAE,WAAW,CAAC,EAAE,CAAC;oBAC9D,MAAM,IAAI,mBAAmB,CAC3B,GAAG,CAAC,QAAQ;wBACV,CAAC,CAAC,qBAAqB,GAAG,CAAC,QAAQ,oDAAoD;wBACvF,CAAC,CAAC,qEAAqE,CAC1E,CAAA;gBACH,CAAC;YACH,CAAC;YAED,MAAM,IAAI,GAAG,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,kBAAkB,CAAC,CAAA;YAChD,IAAI,CAAC,IAAI,IAAI,IAAI,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;gBAC/B,wDAAwD;gBACxD,YAAY;gBACZ,OAAO,IAAI,CAAA;YACb,CAAC;YAED,MAAM,KAAK,GAAG,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,mBAAmB,CAAC,IAAI,SAAS,CAAA;YAC/D,6DAA6D;YAC7D,2DAA2D;YAC3D,0DAA0D;YAC1D,iEAAiE;YACjE,wDAAwD;YACxD,sDAAsD;YACtD,MAAM,YAAY,GAAG,UAAU,CAAC,WAAW,CAAC,IAAI,EAAE,CAAA;YAClD,OAAO;gBACL,EAAE,EAAE,IAAI;gBACR,KAAK;gBACL,IAAI,EAAE,WAAW;gBACjB,SAAS,EAAE,gBAAgB;gBAC3B,YAAY;aACb,CAAA;QACH,CAAC;KACF,CAAA;AACH,CAAC"}

package/dist/auth/providers/none.d.ts ADDED Viewed

@@ -0,0 +1,6 @@
+import type { AuthIdentityProvider } from '../provider.js';
+/** Reserved subject identifier for unauthenticated / pre-RBAC contexts. */
+export declare const UNKNOWN_ACTOR_ID = "unknown";
+/** Singleton instance — `none` mode has no per-instance state. */
+export declare const noneAuthProvider: AuthIdentityProvider;
+//# sourceMappingURL=none.d.ts.map

package/dist/auth/providers/none.d.ts.map ADDED Viewed

	@@ -0,0 +1 @@
1	+ {"version":3,"file":"none.d.ts","sourceRoot":"","sources":["../../../src/auth/providers/none.ts"],"names":[],"mappings":"AAmCA,OAAO,KAAK,EAAE,oBAAoB,EAAe,MAAM,gBAAgB,CAAA;AAEvE,2EAA2E;AAC3E,eAAO,MAAM,gBAAgB,YAAY,CAAA;AAEzC,kEAAkE;AAClE,eAAO,MAAM,gBAAgB,EAAE,oBAc9B,CAAA"}

package/dist/auth/providers/none.js ADDED Viewed

@@ -0,0 +1,19 @@
+/** Reserved subject identifier for unauthenticated / pre-RBAC contexts. */
+export const UNKNOWN_ACTOR_ID = 'unknown';
+/** Singleton instance — `none` mode has no per-instance state. */
+export const noneAuthProvider = {
+    trustMode: 'none',
+    async extractPrincipal(_req) {
+        // Always returns the canonical unknown principal with full
+        // capabilities. Never returns null (would force middleware to
+        // synthesize an anonymous principal anyway — cleaner to do it
+        // here once).
+        return {
+            id: UNKNOWN_ACTOR_ID,
+            role: 'admin',
+            trustMode: 'none',
+            capabilities: ['*'],
+        };
+    },
+};
+//# sourceMappingURL=none.js.map

package/dist/auth/providers/none.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"none.js","sourceRoot":"","sources":["../../../src/auth/providers/none.ts"],"names":[],"mappings":"AAqCA,2EAA2E;AAC3E,MAAM,CAAC,MAAM,gBAAgB,GAAG,SAAS,CAAA;AAEzC,kEAAkE;AAClE,MAAM,CAAC,MAAM,gBAAgB,GAAyB;IACpD,SAAS,EAAE,MAAM;IACjB,KAAK,CAAC,gBAAgB,CAAC,IAAiB;QACtC,2DAA2D;QAC3D,8DAA8D;QAC9D,8DAA8D;QAC9D,cAAc;QACd,OAAO;YACL,EAAE,EAAE,gBAAgB;YACpB,IAAI,EAAE,OAAO;YACb,SAAS,EAAE,MAAM;YACjB,YAAY,EAAE,CAAC,GAAG,CAAC;SACpB,CAAA;IACH,CAAC;CACF,CAAA"}

package/dist/auth/providers/tailscale.d.ts ADDED Viewed

@@ -0,0 +1,7 @@
+import type { AuthIdentityProvider } from '../provider.js';
+export interface TailscaleConfig {
+    /** Optional default role until Cut 6's role-resolver wires up. */
+    defaultRole?: string;
+}
+export declare function createTailscaleAuthProvider(config?: TailscaleConfig): AuthIdentityProvider;
+//# sourceMappingURL=tailscale.d.ts.map

package/dist/auth/providers/tailscale.d.ts.map ADDED Viewed

	@@ -0,0 +1 @@
1	+ {"version":3,"file":"tailscale.d.ts","sourceRoot":"","sources":["../../../src/auth/providers/tailscale.ts"],"names":[],"mappings":"AA6BA,OAAO,KAAK,EAAE,oBAAoB,EAAe,MAAM,gBAAgB,CAAA;AAGvE,MAAM,WAAW,eAAe;IAC9B,kEAAkE;IAClE,WAAW,CAAC,EAAE,MAAM,CAAA;CACrB;AAED,wBAAgB,2BAA2B,CAAC,MAAM,GAAE,eAAoB,GAAG,oBAAoB,CA4B9F"}

package/dist/auth/providers/tailscale.js ADDED Viewed

@@ -0,0 +1,30 @@
+import { expandRole } from '../capabilities.js';
+export function createTailscaleAuthProvider(config = {}) {
+    const defaultRole = config.defaultRole ?? 'editor';
+    return {
+        trustMode: 'tailscale',
+        async extractPrincipal(req) {
+            const login = req.headers.get('tailscale-user-login');
+            if (!login || login.length === 0) {
+                // No tailscale identity — request bypassed Tailscale's
+                // serve. Either the operator misconfigured, or a request
+                // arrived through a different listener. Anonymous → 401.
+                return null;
+            }
+            // Tailscale-User-Login is shaped `user@tailnet.ts.net`.
+            // We treat the whole string as id; operators wanting a
+            // shorter display name can map via roleMapping or use the
+            // tailscale-user-name header if present.
+            return {
+                id: login,
+                // Tailscale's email-shaped login is functionally the user's
+                // email for display purposes.
+                email: login,
+                role: defaultRole,
+                trustMode: 'tailscale',
+                capabilities: expandRole(defaultRole) ?? [],
+            };
+        },
+    };
+}
+//# sourceMappingURL=tailscale.js.map

package/dist/auth/providers/tailscale.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"tailscale.js","sourceRoot":"","sources":["../../../src/auth/providers/tailscale.ts"],"names":[],"mappings":"AA8BA,OAAO,EAAE,UAAU,EAAE,MAAM,oBAAoB,CAAA;AAO/C,MAAM,UAAU,2BAA2B,CAAC,SAA0B,EAAE;IACtE,MAAM,WAAW,GAAG,MAAM,CAAC,WAAW,IAAI,QAAQ,CAAA;IAClD,OAAO;QACL,SAAS,EAAE,WAAW;QACtB,KAAK,CAAC,gBAAgB,CAAC,GAAgB;YACrC,MAAM,KAAK,GAAG,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,sBAAsB,CAAC,CAAA;YACrD,IAAI,CAAC,KAAK,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;gBACjC,uDAAuD;gBACvD,yDAAyD;gBACzD,yDAAyD;gBACzD,OAAO,IAAI,CAAA;YACb,CAAC;YAED,wDAAwD;YACxD,uDAAuD;YACvD,0DAA0D;YAC1D,yCAAyC;YACzC,OAAO;gBACL,EAAE,EAAE,KAAK;gBACT,4DAA4D;gBAC5D,8BAA8B;gBAC9B,KAAK,EAAE,KAAK;gBACZ,IAAI,EAAE,WAAW;gBACjB,SAAS,EAAE,WAAW;gBACtB,YAAY,EAAE,UAAU,CAAC,WAAW,CAAC,IAAI,EAAE;aAC5C,CAAA;QACH,CAAC;KACF,CAAA;AACH,CAAC"}

package/dist/auth/role-resolver.d.ts ADDED Viewed

@@ -0,0 +1,38 @@
+import { type RoleMapping } from './types.js';
+export interface ResolveRoleArgs {
+    /** Group names from the upstream auth provider's claim. */
+    groups: ReadonlyArray<string>;
+    /** Operator's roleMapping config (claim + map + defaultRole). */
+    mapping?: RoleMapping;
+    /** Custom role declarations from `site.config.ts admin.auth.roles`. */
+    customRoles?: Readonly<Record<string, ReadonlyArray<string>>>;
+}
+export interface ResolvedRole {
+    /** The chosen Gazetta role name. */
+    name: string;
+    /** The role's capability set after alias expansion. */
+    capabilities: ReadonlyArray<string>;
+}
+/**
+ * Resolve the principal's role + capability set.
+ *
+ * Returns `null` when:
+ *   - No group matches AND `defaultRole` is null (deny access)
+ *   - Resolved role name doesn't expand (unknown role)
+ *
+ * Caller (middleware) translates `null` into 403 / 401 per request
+ * shape.
+ */
+export declare function resolveRole(args: ResolveRoleArgs): ResolvedRole | null;
+/**
+ * Validate that a custom role's capabilities don't redefine
+ * built-in roles with surprising semantics. Per design-auth-rbac.md
+ * Q3: unknown capabilities flagged; reserved built-in role names
+ * cannot be redeclared.
+ *
+ * Returns the list of validation issues; empty array means valid.
+ * Caller decides strict-mode (throw) vs warn-mode (log) per
+ * `admin.auth.strict`.
+ */
+export declare function validateCustomRoles(customRoles: Readonly<Record<string, ReadonlyArray<string>>>): string[];
+//# sourceMappingURL=role-resolver.d.ts.map

package/dist/auth/role-resolver.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"role-resolver.d.ts","sourceRoot":"","sources":["../../src/auth/role-resolver.ts"],"names":[],"mappings":"AA8BA,OAAO,EAAkB,KAAK,WAAW,EAAE,MAAM,YAAY,CAAA;AAE7D,MAAM,WAAW,eAAe;IAC9B,2DAA2D;IAC3D,MAAM,EAAE,aAAa,CAAC,MAAM,CAAC,CAAA;IAC7B,iEAAiE;IACjE,OAAO,CAAC,EAAE,WAAW,CAAA;IACrB,uEAAuE;IACvE,WAAW,CAAC,EAAE,QAAQ,CAAC,MAAM,CAAC,MAAM,EAAE,aAAa,CAAC,MAAM,CAAC,CAAC,CAAC,CAAA;CAC9D;AAED,MAAM,WAAW,YAAY;IAC3B,oCAAoC;IACpC,IAAI,EAAE,MAAM,CAAA;IACZ,uDAAuD;IACvD,YAAY,EAAE,aAAa,CAAC,MAAM,CAAC,CAAA;CACpC;AAED;;;;;;;;;GASG;AACH,wBAAgB,WAAW,CAAC,IAAI,EAAE,eAAe,GAAG,YAAY,GAAG,IAAI,CAiCtE;AAED;;;;;;;;;GASG;AACH,wBAAgB,mBAAmB,CAAC,WAAW,EAAE,QAAQ,CAAC,MAAM,CAAC,MAAM,EAAE,aAAa,CAAC,MAAM,CAAC,CAAC,CAAC,GAAG,MAAM,EAAE,CAU1G"}

package/dist/auth/role-resolver.js ADDED Viewed

@@ -0,0 +1,92 @@
+/**
+ * Role resolution — translates upstream group claims into a Gazetta
+ * role + the role's capability set.
+ *
+ * # The resolution chain
+ *
+ *   1. Pull the group list from the principal's claims (header /
+ *      JWT payload — provider-specific, surfaces as a `string[]`)
+ *   2. Walk the operator's `roleMapping.map` from `site.config.ts`;
+ *      first matching upstream group → Gazetta role name
+ *   3. Fall back to `roleMapping.defaultRole` if no group matches;
+ *      `null` means deny access
+ *   4. Expand the role name to its capability set via
+ *      `expandRole(name, customRoles)`
+ *
+ * # Why "first match wins" not "highest precedence"
+ *
+ * Per `design-auth-rbac.md` Q3 lock: priority is array order in the
+ * map config. Operators control precedence by ordering their map.
+ * Predictable, deterministic, no implicit precedence.
+ *
+ * # SOLID lenses
+ *
+ *   - SRP: pure function over (groups, mapping, customRoles);
+ *     doesn't read `site.config.ts` directly, doesn't depend on
+ *     specific provider shape.
+ *   - DIP: providers pass the resolved groups; this module doesn't
+ *     know about JWT claims or HTTP headers.
+ */
+import { expandRole } from './capabilities.js';
+import { BUILT_IN_ROLES } from './types.js';
+/**
+ * Resolve the principal's role + capability set.
+ *
+ * Returns `null` when:
+ *   - No group matches AND `defaultRole` is null (deny access)
+ *   - Resolved role name doesn't expand (unknown role)
+ *
+ * Caller (middleware) translates `null` into 403 / 401 per request
+ * shape.
+ */
+export function resolveRole(args) {
+    const { groups, mapping, customRoles } = args;
+    let roleName;
+    if (mapping) {
+        // First-match-wins per array order. Iteration order of an object
+        // literal is insertion-order in modern JS; operator's config
+        // ordering IS the precedence.
+        for (const [group, role] of Object.entries(mapping.map)) {
+            if (groups.includes(group)) {
+                roleName = role;
+                break;
+            }
+        }
+        // Fall through to defaultRole if no group matched.
+        if (!roleName) {
+            roleName = mapping.defaultRole;
+        }
+    }
+    // Without a mapping (or with an empty map + null defaultRole),
+    // there's no role to assign.
+    if (!roleName)
+        return null;
+    const capabilities = expandRole(roleName, customRoles);
+    if (!capabilities) {
+        // Unknown role — operator misconfiguration. The site-loader
+        // should catch this at boot via strict validation; this is the
+        // defense-in-depth check.
+        return null;
+    }
+    return { name: roleName, capabilities };
+}
+/**
+ * Validate that a custom role's capabilities don't redefine
+ * built-in roles with surprising semantics. Per design-auth-rbac.md
+ * Q3: unknown capabilities flagged; reserved built-in role names
+ * cannot be redeclared.
+ *
+ * Returns the list of validation issues; empty array means valid.
+ * Caller decides strict-mode (throw) vs warn-mode (log) per
+ * `admin.auth.strict`.
+ */
+export function validateCustomRoles(customRoles) {
+    const issues = [];
+    for (const name of Object.keys(customRoles)) {
+        if (name in BUILT_IN_ROLES) {
+            issues.push(`Custom role "${name}" conflicts with a built-in role. Choose a different name; built-in roles can't be redefined.`);
+        }
+    }
+    return issues;
+}
+//# sourceMappingURL=role-resolver.js.map

package/dist/auth/role-resolver.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"role-resolver.js","sourceRoot":"","sources":["../../src/auth/role-resolver.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA4BG;AACH,OAAO,EAAE,UAAU,EAAE,MAAM,mBAAmB,CAAA;AAC9C,OAAO,EAAE,cAAc,EAAoB,MAAM,YAAY,CAAA;AAkB7D;;;;;;;;;GASG;AACH,MAAM,UAAU,WAAW,CAAC,IAAqB;IAC/C,MAAM,EAAE,MAAM,EAAE,OAAO,EAAE,WAAW,EAAE,GAAG,IAAI,CAAA;IAC7C,IAAI,QAAmC,CAAA;IAEvC,IAAI,OAAO,EAAE,CAAC;QACZ,iEAAiE;QACjE,6DAA6D;QAC7D,8BAA8B;QAC9B,KAAK,MAAM,CAAC,KAAK,EAAE,IAAI,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC;YACxD,IAAI,MAAM,CAAC,QAAQ,CAAC,KAAK,CAAC,EAAE,CAAC;gBAC3B,QAAQ,GAAG,IAAI,CAAA;gBACf,MAAK;YACP,CAAC;QACH,CAAC;QACD,mDAAmD;QACnD,IAAI,CAAC,QAAQ,EAAE,CAAC;YACd,QAAQ,GAAG,OAAO,CAAC,WAAW,CAAA;QAChC,CAAC;IACH,CAAC;IAED,+DAA+D;IAC/D,6BAA6B;IAC7B,IAAI,CAAC,QAAQ;QAAE,OAAO,IAAI,CAAA;IAE1B,MAAM,YAAY,GAAG,UAAU,CAAC,QAAQ,EAAE,WAAW,CAAC,CAAA;IACtD,IAAI,CAAC,YAAY,EAAE,CAAC;QAClB,4DAA4D;QAC5D,+DAA+D;QAC/D,0BAA0B;QAC1B,OAAO,IAAI,CAAA;IACb,CAAC;IAED,OAAO,EAAE,IAAI,EAAE,QAAQ,EAAE,YAAY,EAAE,CAAA;AACzC,CAAC;AAED;;;;;;;;;GASG;AACH,MAAM,UAAU,mBAAmB,CAAC,WAA4D;IAC9F,MAAM,MAAM,GAAa,EAAE,CAAA;IAC3B,KAAK,MAAM,IAAI,IAAI,MAAM,CAAC,IAAI,CAAC,WAAW,CAAC,EAAE,CAAC;QAC5C,IAAI,IAAI,IAAI,cAAc,EAAE,CAAC;YAC3B,MAAM,CAAC,IAAI,CACT,gBAAgB,IAAI,+FAA+F,CACpH,CAAA;QACH,CAAC;IACH,CAAC;IACD,OAAO,MAAM,CAAA;AACf,CAAC"}

package/dist/auth/types.d.ts ADDED Viewed

@@ -0,0 +1,150 @@
+/**
+ * Auth + RBAC types — the load-bearing primitives every downstream
+ * foundation (audit, hooks, review-workflow) consumes.
+ *
+ * # Why these types live here
+ *
+ * Gazetta does NOT do authentication itself. Operators put admin
+ * behind upstream auth (Cloudflare Access, oauth2-proxy, Tailscale,
+ * etc.) and Gazetta reads identity from configured request headers.
+ * This module defines the shape of that identity AFTER the upstream
+ * layer has authenticated — what audit records, what hooks see, what
+ * the capability middleware checks.
+ *
+ * # Trust modes
+ *
+ * Each `TrustMode` corresponds to a documented upstream platform.
+ * The auth provider for that mode knows how to extract identity from
+ * that platform's request shape (signed JWT, custom header, etc.).
+ *
+ * # Single role per principal
+ *
+ * Per `design-auth-rbac.md` Q2 lock. Multi-role complexity (precedence
+ * conflicts, role intersection) deferred until concrete operator
+ * demand. Operators who need multi-role today compose custom roles
+ * with the union of needed capabilities.
+ *
+ * # SOLID lenses
+ *
+ *   - SRP: this module owns the type vocabulary; doesn't read or
+ *     write storage; pure data shapes.
+ *   - DIP: downstream consumers (audit, hooks, middleware) depend on
+ *     `Principal` interface, not on which trust mode produced it.
+ *   - ISP: trust modes are a closed enum, not a capability interface
+ *     each provider must implement methods for.
+ */
+/**
+ * The closed set of trust modes Gazetta knows how to extract identity
+ * from. Adding a new mode requires:
+ *   1. New entry in this enum
+ *   2. New `AuthIdentityProvider` implementation under `auth/providers/`
+ *   3. Registration in the trust-mode dispatcher
+ *
+ * Plugin promotion (per design-auth-rbac.md Q1): 3+ operator requests
+ * for an unlisted platform within 6 months → either add in-tree (if
+ * mainstream) OR promote to plugin extension surface.
+ */
+export type TrustMode =
+/** Default. No upstream auth assumed. Single-author behavior. */
+'none'
+/** Generic reverse-proxy mode (Caddy, oauth2-proxy, Authelia). */
+ | 'forwarded-user'
+/** Cloudflare Access — signed JWT in `Cf-Access-Jwt-Assertion`. */
+ | 'cloudflare-access'
+/** Azure App Service Easy Auth — base64 `X-MS-CLIENT-PRINCIPAL`. */
+ | 'azure-easy-auth'
+/** AWS ALB + Cognito — JWT in `x-amzn-oidc-data`. */
+ | 'aws-cognito'
+/** Tailscale Funnel / serve — `Tailscale-User-Login` header. */
+ | 'tailscale';
+/**
+ * Snapshot of the authenticated user as it reaches Gazetta handlers.
+ * Per `design-auth-rbac.md`'s "Actor is a snapshot, not a live
+ * reference" invariant: subsequent role changes don't rewrite
+ * recorded events.
+ */
+export interface Principal {
+    /**
+     * Stable upstream subject identifier. OIDC `sub`, OAuth subject,
+     * Cloudflare Access `identity_nonce`, etc. NOT email — email
+     * rotates; sub is stable. `'unknown'` for `none` trust mode and
+     * pre-RBAC revisions read post-migration.
+     */
+    id: string;
+    /**
+     * Optional human-readable identifier. Surfaces in audit drawer +
+     * activity feed. Only present when the auth provider exposes it;
+     * pseudonymization (per `design-audit.md`) drops it.
+     */
+    email?: string;
+    /**
+     * Resolved Gazetta role at decision time. Snapshot, not live —
+     * recorded events preserve the role active when the action ran.
+     */
+    role: string;
+    /**
+     * Trust mode that produced this principal. Audit records this so
+     * forensic queries can scope by trust mode (e.g., "all events
+     * where trust=tailscale").
+     */
+    trustMode: TrustMode;
+    /**
+     * Effective capabilities — the role's capability set after alias
+     * expansion. Computed once per request; downstream middleware
+     * reads this directly without re-resolving the role.
+     */
+    capabilities: ReadonlyArray<string>;
+}
+/**
+ * Configured role definition — either built-in (alias of capability
+ * set) or custom (operator-declared in `site.config.ts`'s
+ * `admin.auth.roles` block).
+ */
+export interface Role {
+    /** Role name. Used in `roleMapping` and audit. */
+    name: string;
+    /**
+     * Capabilities granted by this role. Wildcards allowed
+     * (`'read:*'`, `'*'`). Capability validation runs at config-load
+     * (per Q3 lock — unknown capabilities flagged).
+     */
+    capabilities: ReadonlyArray<string>;
+}
+/**
+ * Group-claim → role mapping. Configured per-site; consumed by the
+ * resolver after the auth provider extracts the upstream group list.
+ */
+export interface RoleMapping {
+    /**
+     * Which JSON claim / header field on the upstream principal carries
+     * the group list. Convention: `groups` for OIDC; varies per provider.
+     */
+    claim: string;
+    /** Map from upstream group name to Gazetta role name. */
+    map: Readonly<Record<string, string>>;
+    /**
+     * Fallback when no group matches. `null` means deny access (401);
+     * a role name means assign that role.
+     */
+    defaultRole?: string | null;
+}
+/**
+ * Reserved capability prefixes — first segment of a capability name
+ * (`read:pages` → `read`). Plugin-supplied capabilities use plugin-
+ * scoped prefixes (e.g., `@my-org/search:rebuild-index`).
+ */
+export declare const RESERVED_CAPABILITY_PREFIXES: readonly ["read", "edit", "delete", "publish", "configure", "review", "restore"];
+/**
+ * Capability vocabulary — the closed set of built-in capabilities
+ * that Gazetta routes gate on. Plugin-contributed capabilities
+ * (when plugin foundation ships) extend via plugin-scoped prefixes
+ * — they don't overlap this list.
+ */
+export type BuiltInCapability = 'read:pages' | 'read:fragments' | 'read:assets' | 'read:audit-log' | 'edit:pages' | 'edit:fragments' | 'edit:assets' | 'edit:locale-variants' | 'delete:pages' | 'delete:fragments' | 'delete:assets' | 'publish:non-production' | 'publish:production' | 'configure:site' | 'configure:targets' | 'restore:history' | 'read:*' | 'edit:*' | 'delete:*' | 'publish:*' | '*';
+/**
+ * Built-in role aliases — predefined as capability sets. Custom
+ * roles in `site.config.ts admin.auth.roles` declare capabilities
+ * directly.
+ */
+export declare const BUILT_IN_ROLES: Readonly<Record<string, ReadonlyArray<BuiltInCapability>>>;
+//# sourceMappingURL=types.d.ts.map

package/dist/auth/types.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../../src/auth/types.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAkCG;AAEH;;;;;;;;;;GAUG;AACH,MAAM,MAAM,SAAS;AACnB,iEAAiE;AAC/D,MAAM;AACR,kEAAkE;GAChE,gBAAgB;AAClB,mEAAmE;GACjE,mBAAmB;AACrB,oEAAoE;GAClE,iBAAiB;AACnB,qDAAqD;GACnD,aAAa;AACf,gEAAgE;GAC9D,WAAW,CAAA;AAEf;;;;;GAKG;AACH,MAAM,WAAW,SAAS;IACxB;;;;;OAKG;IACH,EAAE,EAAE,MAAM,CAAA;IACV;;;;OAIG;IACH,KAAK,CAAC,EAAE,MAAM,CAAA;IACd;;;OAGG;IACH,IAAI,EAAE,MAAM,CAAA;IACZ;;;;OAIG;IACH,SAAS,EAAE,SAAS,CAAA;IACpB;;;;OAIG;IACH,YAAY,EAAE,aAAa,CAAC,MAAM,CAAC,CAAA;CACpC;AAED;;;;GAIG;AACH,MAAM,WAAW,IAAI;IACnB,kDAAkD;IAClD,IAAI,EAAE,MAAM,CAAA;IACZ;;;;OAIG;IACH,YAAY,EAAE,aAAa,CAAC,MAAM,CAAC,CAAA;CACpC;AAED;;;GAGG;AACH,MAAM,WAAW,WAAW;IAC1B;;;OAGG;IACH,KAAK,EAAE,MAAM,CAAA;IACb,yDAAyD;IACzD,GAAG,EAAE,QAAQ,CAAC,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC,CAAA;IACrC;;;OAGG;IACH,WAAW,CAAC,EAAE,MAAM,GAAG,IAAI,CAAA;CAC5B;AAED;;;;GAIG;AACH,eAAO,MAAM,4BAA4B,kFAQ/B,CAAA;AAEV;;;;;GAKG;AACH,MAAM,MAAM,iBAAiB,GAEzB,YAAY,GACZ,gBAAgB,GAChB,aAAa,GACb,gBAAgB,GAEhB,YAAY,GACZ,gBAAgB,GAChB,aAAa,GACb,sBAAsB,GAEtB,cAAc,GACd,kBAAkB,GAClB,eAAe,GAEf,wBAAwB,GACxB,oBAAoB,GAEpB,gBAAgB,GAChB,mBAAmB,GAEnB,iBAAiB,GAEjB,QAAQ,GACR,QAAQ,GACR,UAAU,GACV,WAAW,GACX,GAAG,CAAA;AAEP;;;;GAIG;AACH,eAAO,MAAM,cAAc,EAAE,QAAQ,CAAC,MAAM,CAAC,MAAM,EAAE,aAAa,CAAC,iBAAiB,CAAC,CAAC,CAIrF,CAAA"}