includio-cms 0.1.1 → 0.1.3

package/CHANGELOG.md

@@ -3,6 +3,57 @@
 All notable changes to includio-cms are documented here.
 Generated from `src/lib/updates/` — do not edit manually.
 
+## 0.1.3 — 2026-02-18
+
+Admin DX — route scaffolding & boilerplate reduction
+
+### Added
+- CLI: `includio scaffold admin` generates all admin route files (14 files, 0 page.server.ts)
+- CollectionPage reads page.params.collection directly (no +page.server.ts needed)
+- EntryPage reads page.params.entryId directly (no +page.server.ts needed)
+- Catch-all API handler: createAdminApiHandler() routes upload/orphaned/replace/invite/accept-invite
+- accept-invite handler factory: createAcceptInviteHandler(auth) for project-specific auth injection
+- AcceptInvitePage exported from includio-cms/admin/client
+- AccountPage exported via includio-cms/admin/client/account
+
+## 0.1.2 — 2026-02-18
+
+User management & RBAC
+
+### Added
+- Role type system (admin/user) with UserRole type
+- RBAC middleware: requireRole() for server-side role checks
+- Admin users page: list, search, pagination via authClient.admin.listUsers
+- Create user dialog: email, password, name, role via authClient.admin.createUser
+- Edit user dialog: name, email, role with self-demotion protection
+- Delete user dialog with self-deletion protection
+- Route gating: /admin/users restricted to admin role
+- Sidebar gating: Users nav item visible only for admins
+- Auth client: adminClient() plugin added
+- CLI: addUser rewritten to use better-auth API with role prompt
+- Admin session management: view/revoke other users' sessions
+- Email invitation system: invite users by email with role assignment
+- Accept invite page: public registration via invite token
+- Pending invitations list with cancel and resend support
+- Email adapter now optional in CMS config
+
+### Migration
+
+```sql
+CREATE TABLE IF NOT EXISTS invitation (
+  id TEXT PRIMARY KEY,
+  email TEXT NOT NULL,
+  role TEXT NOT NULL DEFAULT 'user',
+  token TEXT NOT NULL UNIQUE,
+  expires_at TIMESTAMP NOT NULL,
+  created_at TIMESTAMP NOT NULL DEFAULT NOW(),
+  created_by TEXT NOT NULL REFERENCES "user"(id) ON DELETE CASCADE,
+  used_at TIMESTAMP
+);
+
+CREATE INDEX IF NOT EXISTS invitation_token_idx ON invitation (token);
+```
+
 ## 0.1.1 — 2026-02-18
 
 Field constraint UI — visible limits, counters, and hints

package/ROADMAP.md

@@ -31,20 +31,22 @@
 
 ### Phase 1 — Core
 
-- [ ] `[feature]` `[P0]` RBAC middleware — `requireRole()`, role check w `requireAuth()` <!-- files: src/lib/admin/remote/middleware/auth.ts -->
-- [ ] `[feature]` `[P0]` Admin users page — list, search, pagination via `authClient.admin.listUsers` <!-- files: src/lib/admin/client/users/ -->
-- [ ] `[feature]` `[P0]` Create user — dialog z email/password/name/role via `authClient.admin.createUser` <!-- files: src/lib/admin/client/users/create-user-dialog.svelte -->
-- [ ] `[feature]` `[P0]` Edit user — name, email, role via `adminUpdateUser` + `setRole` <!-- files: src/lib/admin/client/users/edit-user-dialog.svelte -->
-- [ ] `[feature]` `[P0]` Delete user — confirmation dialog via `removeUser` <!-- files: src/lib/admin/client/users/ -->
-- [ ] `[feature]` `[P0]` Route/sidebar gating — ukryj Users nav + chroń `/admin/users` dla non-admin <!-- files: src/lib/admin/components/layout/nav-main.svelte, src/lib/sveltekit/server/handle.ts -->
-- [ ] `[feature]` `[P0]` First user bootstrap — pierwszy utworzony user auto-gets role `admin` <!-- files: src/lib/server/auth.ts -->
+- [x] `[feature]` `[P0]` RBAC middleware — `requireRole()`, role check w `requireAuth()` <!-- files: src/lib/admin/remote/middleware/auth.ts -->
+- [x] `[feature]` `[P0]` Admin users page — list, search, pagination via `authClient.admin.listUsers` <!-- files: src/lib/admin/client/users/ -->
+- [x] `[feature]` `[P0]` Create user — dialog z email/password/name/role via `authClient.admin.createUser` <!-- files: src/lib/admin/client/users/create-user-dialog.svelte -->
+- [x] `[feature]` `[P0]` Edit user — name, email, role via `adminUpdateUser` + `setRole` <!-- files: src/lib/admin/client/users/edit-user-dialog.svelte -->
+- [x] `[feature]` `[P0]` Delete user — confirmation dialog via `removeUser` <!-- files: src/lib/admin/client/users/ -->
+- [x] `[feature]` `[P0]` Route/sidebar gating — ukryj Users nav + chroń `/admin/users` dla non-admin <!-- files: src/lib/admin/components/layout/nav-main.svelte, src/lib/sveltekit/server/handle.ts -->
+- [x] `[feature]` `[P0]` First user bootstrap — pierwszy utworzony user auto-gets role `admin` <!-- files: src/lib/server/auth.ts -->
 
 ### Phase 2 — Extended
 
-- [ ] `[feature]` `[P1]` Ban/unban UI — reason + expiry, `banUser`/`unbanUser` <!-- files: src/lib/admin/client/users/ban-user-dialog.svelte -->
-- [ ] `[feature]` `[P1]` Admin session mgmt — list/revoke sesji innych userów <!-- files: src/lib/admin/client/users/user-sessions-sheet.svelte -->
-- [ ] `[feature]` `[P1]` Impersonation UI — impersonate/stop bar <!-- files: src/lib/admin/client/users/impersonation-bar.svelte -->
-- [ ] `[feature]` `[P2]` Email invitation system — invite link generation (custom, nie w better-auth) <!-- files: src/lib/core/server/auth/invite.ts -->
+- [x] `[feature]` `[P1]` Admin session mgmt — list/revoke sesji innych userów <!-- files: src/lib/admin/client/users/user-sessions-sheet.svelte -->
+- [x] `[feature]` `[P2]` Email invitation system — invite link generation (custom, nie w better-auth) <!-- files: src/lib/admin/remote/invite.ts -->
+
+## 0.1.3 — Admin DX
+
+- [x] `[feature]` `[P1]` Admin route scaffolding — CLI `includio scaffold admin`, catch-all API handler, page.params fallbacks for CollectionPage/EntryPage <!-- files: src/lib/cli/scaffold/admin.ts, src/lib/admin/api/handler.ts, src/lib/admin/client/collection/collection-page.svelte, src/lib/admin/client/entry/entry-page.svelte -->
 
 ## 0.2.0 — Plugin system
 
@@ -57,6 +59,8 @@
 - [ ] `[feature]` `[P1]` Server-side pagination API (formalize 0.1.0 fix)
 - [ ] `[feature]` `[P1]` Improved type generation <!-- files: src/lib/core/server/generator/ -->
 - [ ] `[feature]` `[P1]` Proper filtering API (SQL-level, not JS post-query)
+- [ ] `[feature]` `[breaking]` `[P1]` Simple array field — `type: 'array'` with `of: 'text' | 'number' | ...` for flat lists (tags, categories) <!-- files: src/lib/types/fields.ts, src/lib/admin/components/fields/array-field.svelte, src/lib/core/fields/fieldSchemaToTs.ts -->
+- [ ] `[feature]` `[breaking]` `[P1]` Rename array → blocks — current array becomes `type: 'blocks'`, keeps `of: ObjectField[]` and accordion/DnD UI <!-- files: src/lib/types/fields.ts, src/lib/admin/components/fields/array-field.svelte, src/lib/admin/components/fields/field-renderer.svelte, src/lib/core/server/fields/resolve*.ts -->
 
 ## 0.3.0 — Admin experience
 
@@ -87,6 +91,8 @@
 
 ## Backlog
 
+- [ ] `[feature]` `[P1]` Ban/unban UI — reason + expiry, `banUser`/`unbanUser` <!-- files: src/lib/admin/client/users/ban-user-dialog.svelte -->
+- [ ] `[feature]` `[P1]` Impersonation UI — impersonate/stop bar <!-- files: src/lib/admin/client/users/impersonation-bar.svelte -->
 - [ ] `[feature]` `[P2]` Alternative richtext editor — Word-like mode, single richtext field instead of blocks
 - [ ] `[chore]` `[P2]` Caching/performance layer (scope TBD)
 - [ ] `[feature]` `[P2]` API/CLI for configuration (setup DX for less technical users)

package/dist/admin/api/accept-invite.d.ts

@@ -0,0 +1,2 @@
+import { type RequestHandler } from '@sveltejs/kit';
+export declare const POST: RequestHandler;

package/dist/admin/api/accept-invite.js

@@ -0,0 +1,30 @@
+import { getInvitationByToken, markInvitationUsed } from '../remote/invite.js';
+import { getCMS } from '../../core/cms.js';
+import { json } from '@sveltejs/kit';
+export const POST = async ({ request }) => {
+    const auth = getCMS().auth;
+    if (!auth) {
+        return json({ error: 'Auth adapter not configured' }, { status: 500 });
+    }
+    const { token, name, password } = await request.json();
+    if (!token || !name || !password) {
+        return json({ error: 'Token, name and password are required' }, { status: 400 });
+    }
+    const inv = await getInvitationByToken(token);
+    if (!inv) {
+        return json({ error: 'Invalid or expired invitation' }, { status: 400 });
+    }
+    const response = await auth.api.createUser({
+        body: {
+            email: inv.email,
+            password,
+            name,
+            role: inv.role
+        }
+    });
+    if (!response?.user) {
+        return json({ error: 'Failed to create user' }, { status: 500 });
+    }
+    await markInvitationUsed(inv.id);
+    return json({ success: true });
+};

package/dist/admin/api/handler.d.ts

@@ -0,0 +1,13 @@
+import { type RequestHandler } from '@sveltejs/kit';
+type Handlers = Partial<Record<'GET' | 'POST' | 'PATCH' | 'PUT' | 'DELETE', RequestHandler>>;
+type AdminApiOptions = {
+    extraRoutes?: Record<string, Handlers>;
+};
+export declare function createAdminApiHandler(options?: AdminApiOptions): {
+    GET: RequestHandler;
+    POST: RequestHandler;
+    PATCH: RequestHandler;
+    PUT: RequestHandler;
+    DELETE: RequestHandler;
+};
+export {};

package/dist/admin/api/handler.js

@@ -0,0 +1,36 @@
+import { json } from '@sveltejs/kit';
+import * as uploadHandlers from './upload.js';
+import * as orphanedHandlers from './orphaned.js';
+import * as replaceHandlers from './replace.js';
+import * as inviteHandlers from './invite.js';
+import * as acceptInviteHandlers from './accept-invite.js';
+export function createAdminApiHandler(options) {
+    const routes = {
+        upload: uploadHandlers,
+        orphaned: orphanedHandlers,
+        replace: replaceHandlers,
+        invite: inviteHandlers,
+        'accept-invite': acceptInviteHandlers,
+        ...options?.extraRoutes
+    };
+    function handle(method) {
+        return (event) => {
+            const path = event.params.path;
+            if (!path) {
+                return json({ error: 'Not found' }, { status: 404 });
+            }
+            const handler = routes[path]?.[method];
+            if (!handler) {
+                return json({ error: 'Not found' }, { status: 404 });
+            }
+            return handler(event);
+        };
+    }
+    return {
+        GET: handle('GET'),
+        POST: handle('POST'),
+        PATCH: handle('PATCH'),
+        PUT: handle('PUT'),
+        DELETE: handle('DELETE')
+    };
+}

package/dist/admin/api/invite.d.ts

@@ -0,0 +1,5 @@
+import { type RequestHandler } from '@sveltejs/kit';
+export declare const POST: RequestHandler;
+export declare const GET: RequestHandler;
+export declare const PATCH: RequestHandler;
+export declare const DELETE: RequestHandler;

package/dist/admin/api/invite.js

@@ -0,0 +1,78 @@
+import { requireRole } from '../remote/middleware/auth.js';
+import { createInvitation, getPendingInvitations, deleteInvitation, checkEmailExists, getInvitationById } from '../remote/invite.js';
+import { getCMS } from '../../core/cms.js';
+import { json } from '@sveltejs/kit';
+export const POST = async ({ request, url }) => {
+    const { user } = requireRole('admin');
+    const { email, role } = await request.json();
+    if (!email || !role) {
+        return json({ error: 'Email and role are required' }, { status: 400 });
+    }
+    const emailAdapter = getCMS().emailAdapter;
+    if (!emailAdapter) {
+        return json({ error: 'Email adapter not configured' }, { status: 400 });
+    }
+    const exists = await checkEmailExists(email);
+    if (exists) {
+        return json({ error: 'Email already registered' }, { status: 409 });
+    }
+    const inv = await createInvitation(email, role, user.id);
+    const inviteUrl = `${url.origin}/admin/accept-invite?token=${inv.token}`;
+    try {
+        await emailAdapter.sendMail({
+            to: [email],
+            subject: 'You have been invited to includio CMS',
+            html: `<p>You have been invited to join the CMS as <strong>${role}</strong>.</p>
+				   <p><a href="${inviteUrl}">Click here to accept the invitation</a></p>
+				   <p>This link expires in 7 days.</p>`
+        });
+    }
+    catch (err) {
+        await deleteInvitation(inv.id);
+        return json({ error: 'Failed to send email: ' + (err instanceof Error ? err.message : 'Unknown error') }, { status: 502 });
+    }
+    return json({ success: true, invitationId: inv.id });
+};
+export const GET = async () => {
+    requireRole('admin');
+    const invitations = await getPendingInvitations();
+    return json({ invitations });
+};
+export const PATCH = async ({ request, url }) => {
+    requireRole('admin');
+    const { id } = await request.json();
+    if (!id) {
+        return json({ error: 'Invitation id is required' }, { status: 400 });
+    }
+    const emailAdapter = getCMS().emailAdapter;
+    if (!emailAdapter) {
+        return json({ error: 'Email adapter not configured' }, { status: 400 });
+    }
+    const inv = await getInvitationById(id);
+    if (!inv) {
+        return json({ error: 'Invitation not found or expired' }, { status: 404 });
+    }
+    const inviteUrl = `${url.origin}/admin/accept-invite?token=${inv.token}`;
+    try {
+        await emailAdapter.sendMail({
+            to: [inv.email],
+            subject: 'You have been invited to includio CMS',
+            html: `<p>You have been invited to join the CMS as <strong>${inv.role}</strong>.</p>
+				   <p><a href="${inviteUrl}">Click here to accept the invitation</a></p>
+				   <p>This link expires in 7 days.</p>`
+        });
+    }
+    catch (err) {
+        return json({ error: 'Failed to send email: ' + (err instanceof Error ? err.message : 'Unknown error') }, { status: 502 });
+    }
+    return json({ success: true });
+};
+export const DELETE = async ({ request }) => {
+    requireRole('admin');
+    const { id } = await request.json();
+    if (!id) {
+        return json({ error: 'Invitation id is required' }, { status: 400 });
+    }
+    await deleteInvitation(id);
+    return json({ success: true });
+};