includio-cms 0.15.3 → 0.15.5

package/CHANGELOG.md

@@ -3,6 +3,34 @@
 All notable changes to includio-cms are documented here.
 Generated from `src/lib/updates/` — do not edit manually.
 
+## 0.15.5 — 2026-04-23
+
+Media field recovers from orphan references; delete dialog shows usage breakdown + replace hint. X-Frame-Options relaxed to SAMEORIGIN. Background maintenance no longer duplicates on Vite HMR. Runtime generator no longer triggers an infinite SSR reload loop in dev.
+
+### Added
+- Admin media library: delete dialog (`FileDetails`) teraz pokazuje breakdown użyć pliku per kolekcja/single ("Plik jest używany w: Strony: 1") oraz hint wskazujący na funkcję **Zamień plik** (która zachowuje ID → wszystkie referencje). Dane ładowane asynchronicznie przez nowy remote query `findMediaReferences(id)` uruchamiany w momencie otwarcia dialogu. Scope (MVP): tylko najnowsza wersja per entry; historia poza zakresem. Walker po schematach (`media`, `file`, `seo.ogImage`, `object`, `blocks`, `content` z inline blocks) wyekstrahowany z `resolveImageFields.ts` jako reużywalne `extractMediaIdsFromData(data, fields)`.
+
+### Fixed
+- `media-field.svelte` nie blokuje już edycji entry gdy pole media wskazuje na usunięty plik (orphan reference). Wcześniej render wchodził w `{:else if singleFile}` z `singleFile=null` po nieudanym `getFileById`, co wyrzucało UI do pustego diva bez przycisków Zmień/Usuń — user zablokowany, nie mógł wstawić nowego obrazu. Nowa gałąź `{:else}` renderuje dashed warning placeholder ("Brakujący plik" / "Missing file") z zachowanymi kontrolkami. Analogicznie dla multi-media: per-item fallback pozwala usunąć pojedynczy orphan z tablicy bez czyszczenia pozostałych.
+- `X-Frame-Options` zmieniony z `DENY` na `SAMEORIGIN` w middleware `securityHeaders`. Wcześniej `DENY` blokował nawet same-origin framing, przez co admin CMS nie mógł załadować preview entry w iframe (`previewUrl` w konfiguracji kolekcji/single). Safari egzekwuje to rygorystycznie ("Refused to display ... in a frame because it set X-Frame-Options to DENY"). `SAMEORIGIN` dalej chroni przed clickjackingiem z obcych domen.
+- `startBackgroundMaintenance()` jest teraz idempotentne. Wcześniej każde wywołanie tworzyło nowy `setTimeout`/`setInterval` bez czyszczenia poprzedniego — w `pnpm dev` Vite HMR re-executuje `hooks.server.ts` (i tym samym `initCMS()`) przy każdej zmianie, więc po kilku edycjach działało N równoległych przebiegów maintenance. Stan timerów (`pendingTimeout`, `timer`, `running`, `lastResult`, `nextRunAt`) przeniesiony na `globalThis[Symbol.for("includio.maintenance.state")]`, żeby przeżył re-eval modułu w dev. Dodany guard: gdy timer już zaplanowany, kolejne `start()` loguje `already scheduled, skipping` i wychodzi. `stopBackgroundMaintenance()` teraz czyści również initial 30s `setTimeout`, nie tylko interval. Dodany `import.meta.hot.dispose()` czyszczący timery gdy Vite unlinkuje moduł.
+- `generateRuntime()` (`generator.ts`) nie zapisuje już plików gdy treść się nie zmieniła. Wcześniej każdy wywołanie `includioCMS()` (a więc każdy SSR reload Vite) bezwarunkowo `writeFileSync` na 5 plikach w `src/lib/cms/runtime/` (`api.ts`, `types.ts`, `schemas.ts`, `schema.ts`, `remote.ts`) — co aktualizowało mtime, Vite wykrywał zmianę, robił `(ssr) page reload`, znów wołał `includioCMS()` → znów zapis → nieskończona pętla reload w `pnpm dev`, blokująca pracę. Nowy helper `writeIfChanged(filePath, content)` najpierw czyta plik i zapisuje wyłącznie gdy treść się różni.
+
+## 0.15.4 — 2026-04-21
+
+Forms: auto-scaffolded public submission endpoint + decoupled notification emails from submission success.
+
+### Added
+- CLI scaffold (`pnpm includio scaffold admin`) now emits `src/routes/api/forms/[slug]/submit/+server.ts` — the public POST endpoint for form submissions. Previously each project had to hand-roll this file (the handler lives in the library, but SvelteKit does not load routes from `node_modules`). New projects get it out-of-the-box; existing projects can run `includio scaffold admin` to generate it without overwriting other admin files.
+- Added `ideas/health-check-module.md` — proposal for built-in `/api/health` + `/api/health/ready` endpoints, opt-in SMTP verify, and a ręczny "Test SMTP connection / Send test mail" section in the admin maintenance page. Context: diagnosing a silent SMTP misconfiguration in a live project required grepping through library internals; a one-click diagnostics panel would have surfaced the empty `EMAIL_HOST` immediately.
+
+### Fixed
+- `createFormSubmission()` now keeps the notification-email call in a separate `try/catch` from the DB write. Before: if SMTP was misconfigured (empty `EMAIL_HOST` locally, unreachable relay, etc.) the whole operation returned `false` → endpoint responded `500 "Submission failed"` even though the submission was already persisted. After: DB failure still returns `false` (critical path); email failure is logged via `console.error` and the submission succeeds with `200`.
+
+### Notes
+
+No SQL migration. No API signature changes. Existing projects that already have a hand-rolled `src/routes/api/forms/[slug]/submit/+server.ts` keep working — scaffold skips existing files unless `--force` is passed.
+
 ## 0.15.3 — 2026-04-16
 
 Shop: InPost carrier adapter — Geowidget v5 picker + ShipX shipment + webhook auto-status.

package/DOCS.md

@@ -1,4 +1,4 @@
-# Includio CMS Documentation (v0.15.3)
+# Includio CMS Documentation (v0.15.5)
 
 > This file is auto-generated from the docs site. For the latest version, update the package.
 
@@ -2743,9 +2743,13 @@ Forms can be submitted from your frontend via a public POST endpoint:
 
 ```
 POST /api/forms/{slug}/submit
-Content-Type: multipart/form-data
+Content-Type: multipart/form-data   # or application/json for file-less payloads
 ```
 
+> **Auto-generated endpoint:** Running `includio scaffold admin` generates `src/routes/api/forms/[slug]/submit/+server.ts` automatically — no manual setup required. To customize (extra middleware, logging, honeypot handling), edit the generated file; it won't be overwritten unless you re-run scaffold with `--force`.
+
+> **Notification emails are best-effort:** If a form has `notificationEmailAddresses` set and email sending fails (e.g. misconfigured SMTP), the submission is still saved and the endpoint returns `200`. The error is logged to `console.error` — check server logs if you stop receiving notifications.
+
 ### Submitting from Frontend
 
 ```typescript

package/ROADMAP.md

@@ -318,6 +318,12 @@
 - [x] `[feature]` `[P2]` `inpostAdapter()` — Geowidget v5 (`<InpostPicker>` Svelte + raw config endpoint), ShipX shipment create + auto-buy + label PDF + cancel, webhook → status + tracking, per-shipping-method service config, customer tracking display in `<OrderStatus>` + email templates
 - [x] `[chore]` `[P2]` Verbose logging on adapter auto-confirm flow (offer prep wait, buy POST, polling) for sandbox debugging
 
+## 0.15.4 — Forms submission scaffold + best-effort notification emails
+
+- [x] `[feature]` `[P1]` CLI scaffold emits `src/routes/api/forms/[slug]/submit/+server.ts` — public form submit endpoint auto-generated, no manual setup per project <!-- files: src/lib/cli/scaffold/admin.ts, src/lib/cli/scaffold/admin.spec.ts -->
+- [x] `[fix]` `[P0]` `createFormSubmission` — split try/catch so SMTP failure no longer returns `false` (endpoint responded 500 even though submission was persisted); notification email is best-effort, logged via `console.error` <!-- files: src/lib/core/server/forms/submissions/operations/create.ts -->
+- [ ] `[feature]` `[P1]` Built-in `/api/health` + `/api/health/ready` with per-adapter checks (db/files/email/ai) + ręczny SMTP diagnostics panel in maintenance page <!-- files: ideas/health-check-module.md -->
+
 ## 0.16.0 — SEO module
 
 - [ ] `[feature]` `[P1]` SERP preview + character limits for title/description <!-- files: src/lib/admin/components/fields/seo-field.svelte -->

package/dist/admin/components/fields/media-field.svelte

@@ -30,6 +30,7 @@
 			a11yMissingAudioDesc: string;
 			a11yMissingBoth: string;
 			a11yHint: string;
+			missingFile: string;
 		}
 	> = {
 		pl: {
@@ -41,7 +42,8 @@
 			a11yMissingTranscript: 'Brakuje transkrypcji',
 			a11yMissingAudioDesc: 'Brakuje audiodeskrypcji',
 			a11yMissingBoth: 'Brakuje transkrypcji i audiodeskrypcji',
-			a11yHint: 'Uzupełnij w bibliotece mediów'
+			a11yHint: 'Uzupełnij w bibliotece mediów',
+			missingFile: 'Brakujący plik'
 		},
 		en: {
 			selectMedia: 'Select media',
@@ -52,7 +54,8 @@
 			a11yMissingTranscript: 'Transcript missing',
 			a11yMissingAudioDesc: 'Audio description missing',
 			a11yMissingBoth: 'Transcript and audio description missing',
-			a11yHint: 'Add it in the media library'
+			a11yHint: 'Add it in the media library',
+			missingFile: 'Missing file'
 		}
 	};
 
@@ -195,6 +198,17 @@
 	</button>
 {/snippet}
 
+{#snippet missingPlaceholder()}
+	<div
+		class="flex aspect-square w-full flex-col items-center justify-center gap-2 rounded-2xl border-2 border-dashed border-warning/50 bg-warning/5 p-6"
+	>
+		<div class="rounded-full bg-warning/10 p-3">
+			<AlertTriangle class="h-6 w-6 text-warning" />
+		</div>
+		<span class="text-sm text-warning">{lang[interfaceLanguage.current].missingFile}</span>
+	</div>
+{/snippet}
+
 {#snippet mediaActions(onRemove: () => void)}
 	<div class="flex items-center justify-between gap-2 mt-1.5">
 		<Button size="sm" variant="secondary" class="h-8" onclick={openPicker}>
@@ -224,6 +238,9 @@
 						{@render imagePreview(file)}
 					{/if}
 					{@render mediaActions(() => { value = ''; })}
+				{:else}
+					{@render missingPlaceholder()}
+					{@render mediaActions(() => { value = ''; })}
 				{/if}
 			{:else if Array.isArray(value) && value.length > 0}
 				{@const valueArr = value}
@@ -262,7 +279,42 @@
 							{/if}
 						</div>
 						{@render mediaActions(() => { value = field.multiple ? [] : ''; })}
+					{:else}
+						<div class="relative">
+							{@render missingPlaceholder()}
+							{#if valueArr.length > 1}
+								<div class="absolute inset-x-0 top-1/2 flex -translate-y-1/2 justify-between px-1 pointer-events-none">
+									<button
+										type="button"
+										class="pointer-events-auto flex h-8 w-8 items-center justify-center rounded-full bg-white/80 backdrop-blur shadow-md transition hover:bg-white hover:scale-105 dark:bg-background/80 dark:hover:bg-background"
+										onclick={() => { currentIndex = currentIndex > 0 ? currentIndex - 1 : valueArr.length - 1; }}
+									>
+										<ChevronLeft class="h-5 w-5" />
+									</button>
+									<button
+										type="button"
+										class="pointer-events-auto flex h-8 w-8 items-center justify-center rounded-full bg-white/80 backdrop-blur shadow-md transition hover:bg-white hover:scale-105 dark:bg-background/80 dark:hover:bg-background"
+										onclick={() => { currentIndex = currentIndex < valueArr.length - 1 ? currentIndex + 1 : 0; }}
+									>
+										<ChevronRight class="h-5 w-5" />
+									</button>
+								</div>
+								<div class="absolute top-2 right-2 rounded-full bg-plum-darker/60 px-2 py-0.5 text-xs font-medium text-white backdrop-blur">
+									{currentIndex + 1} / {valueArr.length}
+								</div>
+							{/if}
+						</div>
+						{@render mediaActions(() => {
+							if (Array.isArray(value)) {
+								const next = value.filter((_, i) => i !== currentIndex);
+								value = field.multiple ? next : next[0] ?? '';
+								if (currentIndex >= next.length) currentIndex = Math.max(0, next.length - 1);
+							}
+						})}
 					{/if}
+				{:else}
+					{@render missingPlaceholder()}
+					{@render mediaActions(() => { value = field.multiple ? [] : ''; })}
 				{/if}
 			{/if}
 		</div>

package/dist/admin/components/media/file/file-details.svelte

@@ -31,6 +31,19 @@
 	let deleteDialogOpen = $state(false);
 	let videoError = $state(false);
 
+	type ReferenceResult = {
+		total: number;
+		byCollection: Array<{ collection: string; label: string; count: number; kind: 'collection' | 'single' }>;
+	};
+
+	const referencesQuery = $derived(
+		deleteDialogOpen ? remotes.findMediaReferences(file.id) : null
+	);
+	const referencesLoading = $derived(!!referencesQuery && !referencesQuery.ready);
+	const references = $derived(
+		referencesQuery && referencesQuery.ready ? (referencesQuery.current as ReferenceResult) : null
+	);
+
 	$effect(() => {
 		file.url;
 		videoError = false;
@@ -43,6 +56,12 @@
 			deleteConfirmTitle: string;
 			deleteConfirmDesc: string;
 			deleteCancel: string;
+			usedInLoading: string;
+			usedInTitle: string;
+			missingAfterDelete: string;
+			replaceHintBefore: string;
+			replaceHintCta: string;
+			replaceHintAfter: string;
 			fileNameLabel: string;
 			fileUrlLabel: string;
 			fileAltLabel: string;
@@ -81,6 +100,12 @@
 			deleteConfirmTitle: 'Usunąć plik?',
 			deleteConfirmDesc: 'Plik zostanie trwale usunięty.',
 			deleteCancel: 'Anuluj',
+			usedInLoading: 'Liczenie użyć…',
+			usedInTitle: 'Plik jest używany w:',
+			missingAfterDelete: 'Po usunięciu te pola zostaną oznaczone jako brakujące.',
+			replaceHintBefore: 'Jeśli chcesz tylko zmienić obraz, użyj funkcji',
+			replaceHintCta: 'Zamień plik',
+			replaceHintAfter: ' — zachowa wszystkie referencje.',
 			replaceFileLabel: 'Zamień plik',
 			fileNameLabel: 'Nazwa pliku',
 			fileUrlLabel: 'URL',
@@ -118,6 +143,12 @@
 			deleteConfirmTitle: 'Delete file?',
 			deleteConfirmDesc: 'The file will be permanently deleted.',
 			deleteCancel: 'Cancel',
+			usedInLoading: 'Counting usages…',
+			usedInTitle: 'This file is used in:',
+			missingAfterDelete: 'After deletion these fields will be marked as missing.',
+			replaceHintBefore: 'If you only want to change the image, use the',
+			replaceHintCta: 'Replace file',
+			replaceHintAfter: ' action — it keeps all references intact.',
 			fileNameLabel: 'File name',
 			fileUrlLabel: 'URL',
 			fileAltLabel: 'Alt text',
@@ -565,6 +596,40 @@
 	<AlertDialog.Content>
 		<AlertDialog.Title>{lang[interfaceLanguage.current].deleteConfirmTitle}</AlertDialog.Title>
 		<AlertDialog.Description>{lang[interfaceLanguage.current].deleteConfirmDesc}</AlertDialog.Description>
+
+		{#if referencesLoading}
+			<div class="mt-2 flex items-center gap-2 text-sm text-muted-foreground">
+				<div class="h-3 w-3 animate-pulse rounded-full bg-muted"></div>
+				<span>{lang[interfaceLanguage.current].usedInLoading}</span>
+			</div>
+		{:else if references && references.total > 0}
+			<div class="mt-2 space-y-3 text-sm">
+				<div class="rounded-md border border-warning/40 bg-warning/5 p-3">
+					<div class="flex items-start gap-2">
+						<AlertTriangle class="h-4 w-4 text-warning mt-0.5 shrink-0" />
+						<div class="flex-1 min-w-0">
+							<p class="font-medium text-foreground">{lang[interfaceLanguage.current].usedInTitle}</p>
+							<ul class="mt-1.5 space-y-0.5">
+								{#each references.byCollection as ref}
+									<li class="text-muted-foreground">
+										<span class="font-medium text-foreground">{ref.label}</span>: {ref.count}
+									</li>
+								{/each}
+							</ul>
+							<p class="mt-2 text-xs text-muted-foreground">{lang[interfaceLanguage.current].missingAfterDelete}</p>
+						</div>
+					</div>
+				</div>
+				<p class="text-xs text-muted-foreground">
+					{lang[interfaceLanguage.current].replaceHintBefore}
+					<span class="inline-flex items-center gap-1 rounded border border-border bg-muted/50 px-1.5 py-0.5 font-medium text-foreground">
+						<Replace class="h-3 w-3" />
+						{lang[interfaceLanguage.current].replaceHintCta}
+					</span>{lang[interfaceLanguage.current].replaceHintAfter}
+				</p>
+			</div>
+		{/if}
+
 		<AlertDialog.Footer>
 			<AlertDialog.Cancel>{lang[interfaceLanguage.current].deleteCancel}</AlertDialog.Cancel>
 			<AlertDialog.Action

package/dist/admin/remote/media.remote.d.ts

@@ -33,6 +33,7 @@ export declare const getMediaTagsWithCounts: import("@sveltejs/kit").RemoteQuery
     count: number;
 }[]>;
 export declare const getFileById: import("@sveltejs/kit").RemoteQueryFunction<string, MediaFile | null>;
+export declare const findMediaReferences: import("@sveltejs/kit").RemoteQueryFunction<string, import("../../core/server/media/operations/findMediaReferences.js").MediaReferenceResult>;
 export declare const deleteMediaFile: import("@sveltejs/kit").RemoteCommand<string, Promise<void>>;
 export declare const bulkDeleteMediaFiles: import("@sveltejs/kit").RemoteCommand<{
     ids: string[];

package/dist/admin/remote/media.remote.js

@@ -2,6 +2,7 @@ import { command, query } from '$app/server';
 import { setAlt, renameMediaFile as renameMediaFileOperation, updateMediaAccessibility as updateMediaAccessibilityOp } from '../../core/server/media/operations/updateFile.js';
 import z from 'zod';
 import { deleteMediaFile as deleteMediaFileFn, bulkDeleteMediaFiles as bulkDeleteMediaFilesFn } from '../../core/server/media/operations/deleteMediaFile.js';
+import { findMediaReferences as findMediaReferencesFn } from '../../core/server/media/operations/findMediaReferences.js';
 import { getFile, getFiles, countFiles, getMediaTagsWithCounts as getMediaTagsWithCountsFn } from '../../core/server/media/operations/getFiles.js';
 import { getMediaTags as getMediaTagsFn, createMediaTag as createMediaTagFn, updateMediaTag as updateMediaTagFn, deleteMediaTag as deleteMediaTagFn, setMediaFileTags as setMediaFileTagsFn, bulkSetMediaFileTags as bulkSetMediaFileTagsFn } from '../../core/server/media/operations/tags.js';
 import { requireAuth } from './middleware/auth.js';
@@ -70,6 +71,10 @@ export const getMediaTagsWithCounts = query(async () => {
 export const getFileById = query(z.string().uuid(), async (id) => {
     return getFile(id);
 });
+export const findMediaReferences = query(z.string().uuid(), async (id) => {
+    requireAuth();
+    return findMediaReferencesFn(id);
+});
 export const deleteMediaFile = command(z.string().uuid(), async (id) => {
     requireAuth();
     return deleteMediaFileFn(id);

package/dist/cli/scaffold/admin.js

@@ -340,6 +340,65 @@ export const { GET, POST, PATCH, PUT, DELETE } = createAdminApiHandler();
 import { createRestApiHandler } from 'includio-cms/admin/api/rest/handler';
 
 export const { GET, POST, PUT, DELETE } = createRestApiHandler();
+`
+        },
+        {
+            path: 'api/forms/[slug]/submit/+server.ts',
+            content: `${GENERATED_COMMENT_TS}
+import { json } from '@sveltejs/kit';
+import type { RequestHandler } from './$types';
+import { createFormSubmission, parseFormDataForSubmission } from 'includio-cms/sveltekit/server';
+import { getCMS } from 'includio-cms/core';
+
+const counts = new Map<string, { count: number; resetAt: number }>();
+const LIMIT = 5;
+const WINDOW = 60 * 60 * 1000;
+
+function checkRateLimit(ip: string): boolean {
+	const now = Date.now();
+	const entry = counts.get(ip);
+	if (!entry || now > entry.resetAt) {
+		counts.set(ip, { count: 1, resetAt: now + WINDOW });
+		return true;
+	}
+	if (entry.count >= LIMIT) return false;
+	entry.count++;
+	return true;
+}
+
+export const POST: RequestHandler = async (event) => {
+	const slug = event.params.slug;
+	const ip = event.getClientAddress();
+	if (!checkRateLimit(ip)) return json({ error: 'Rate limit exceeded' }, { status: 429 });
+
+	const contentType = event.request.headers.get('content-type') || '';
+	const isMultipart = contentType.includes('multipart/form-data');
+	let data: Record<string, unknown>;
+
+	try {
+		if (isMultipart) {
+			const config = getCMS().getFormBySlug(slug);
+			const formData = await event.request.formData();
+			data = await parseFormDataForSubmission(formData, config.fields);
+		} else {
+			data = await event.request.json();
+		}
+	} catch (err) {
+		return json({ error: err instanceof Error ? err.message : 'Invalid request' }, { status: 400 });
+	}
+
+	try {
+		const success = await createFormSubmission({
+			slug,
+			data,
+			ip,
+			userAgent: event.request.headers.get('user-agent') || undefined
+		});
+		return success ? json({ success: true }) : json({ error: 'Submission failed' }, { status: 500 });
+	} catch (err) {
+		return json({ error: err instanceof Error ? err.message : 'Unknown error' }, { status: 400 });
+	}
+};
 `
         }
     ];

package/dist/cmp/types.d.ts

@@ -0,0 +1,25 @@
+export interface ResolvedCmpConfig {
+    enabled: boolean;
+    version: string;
+    policyVersion: string;
+    gtmConsentMode: boolean;
+    categories: {
+        analytics: boolean;
+        marketing: boolean;
+        preferences: boolean;
+    };
+    strings: Record<string, CmpStrings>;
+}
+export interface CmpStrings {
+    bannerTitle?: string;
+    bannerBody?: string;
+    acceptAll?: string;
+    rejectAll?: string;
+    customize?: string;
+    settingsTitle?: string;
+    save?: string;
+    necessary?: string;
+    analytics?: string;
+    marketing?: string;
+    preferences?: string;
+}

package/dist/cmp/types.js

@@ -0,0 +1 @@
+export {};

package/dist/core/cms.d.ts

@@ -10,6 +10,7 @@ import type { AIAdapter } from '../types/adapters/ai.js';
 import type { EmailAdapter } from '../types/adapters/email.js';
 import { betterAuth } from 'better-auth';
 import type { ResolvedShopConfig } from '../shop/types.js';
+import type { ResolvedCmpConfig } from '../cmp/types.js';
 export declare class CMS implements ICMS {
     private config;
     databaseAdapter: DatabaseAdapter;
@@ -26,6 +27,7 @@ export declare class CMS implements ICMS {
     typographyConfig: TypographyConfig;
     sidebarHelp: boolean;
     shopConfig: ResolvedShopConfig | null;
+    cmpConfig: ResolvedCmpConfig | null;
     plugins: PluginConfig[];
     customFields: Map<string, CustomFieldDefinition>;
     apiKeys: ApiKeyConfig[];

package/dist/core/cms.js

@@ -20,6 +20,7 @@ export class CMS {
     typographyConfig;
     sidebarHelp;
     shopConfig;
+    cmpConfig;
     plugins = [];
     customFields = new Map();
     apiKeys = [];
@@ -34,6 +35,7 @@ export class CMS {
         this.typographyConfig = config.typography || {};
         this.sidebarHelp = config.sidebarHelp ?? true;
         this.shopConfig = config.shop ?? null;
+        this.cmpConfig = config.cmp ?? null;
         this.collections = {};
         this.singles = {};
         this.forms = {};

package/dist/core/server/cmp/getCountryFromHeaders.d.ts

@@ -0,0 +1,10 @@
+/**
+ * Extract 2-letter ISO country code from request headers.
+ * Priority:
+ *   1. `cf-ipcountry` (Cloudflare)
+ *   2. `x-vercel-ip-country` (Vercel)
+ *   3. `x-country-code` (generic proxy)
+ *   4. Fallback: parse `Accept-Language` region subtag (e.g. `pl-PL` → `PL`)
+ * Returns 'XX' when no reliable source available.
+ */
+export declare function getCountryFromHeaders(headers: Headers): string;

package/dist/core/server/cmp/getCountryFromHeaders.js

@@ -0,0 +1,30 @@
+/**
+ * Extract 2-letter ISO country code from request headers.
+ * Priority:
+ *   1. `cf-ipcountry` (Cloudflare)
+ *   2. `x-vercel-ip-country` (Vercel)
+ *   3. `x-country-code` (generic proxy)
+ *   4. Fallback: parse `Accept-Language` region subtag (e.g. `pl-PL` → `PL`)
+ * Returns 'XX' when no reliable source available.
+ */
+export function getCountryFromHeaders(headers) {
+    const providerCountry = headers.get('cf-ipcountry') ??
+        headers.get('x-vercel-ip-country') ??
+        headers.get('x-country-code');
+    if (providerCountry) {
+        const normalized = providerCountry.trim().toUpperCase();
+        if (/^[A-Z]{2}$/.test(normalized))
+            return normalized;
+    }
+    const acceptLanguage = headers.get('accept-language');
+    if (acceptLanguage) {
+        const first = acceptLanguage.split(',')[0].trim();
+        const region = first.split('-')[1] ?? first.split('_')[1];
+        if (region) {
+            const normalized = region.split(';')[0].trim().toUpperCase();
+            if (/^[A-Z]{2}$/.test(normalized))
+                return normalized;
+        }
+    }
+    return 'XX';
+}

package/dist/core/server/cmp/operations/create.d.ts

@@ -0,0 +1,17 @@
+import type { RequestEvent } from '@sveltejs/kit';
+import type { ConsentLogData } from '../../../../types/consent.js';
+export interface CreateCmpConsentLogInput {
+    consents: ConsentLogData['consents'];
+    consentModeStatus: ConsentLogData['consentModeStatus'];
+    parentLogId?: string | null;
+}
+export interface CreateCmpConsentLogResult {
+    id: string;
+    timestamp: Date;
+}
+/**
+ * Creates a consent log from a SvelteKit request event.
+ * Extracts IP/UA/URL/language from headers, truncates the IP,
+ * pulls cmpVersion/policyVersion from the CMS cmpConfig.
+ */
+export declare function createCmpConsentLog(event: RequestEvent, input: CreateCmpConsentLogInput): Promise<CreateCmpConsentLogResult>;

package/dist/core/server/cmp/operations/create.js

@@ -0,0 +1,38 @@
+import { v4 as uuidv4 } from 'uuid';
+import { getCMS } from '../../../cms.js';
+import { truncateIpAddress } from '../truncateIpAddress.js';
+import { getCountryFromHeaders } from '../getCountryFromHeaders.js';
+/**
+ * Creates a consent log from a SvelteKit request event.
+ * Extracts IP/UA/URL/language from headers, truncates the IP,
+ * pulls cmpVersion/policyVersion from the CMS cmpConfig.
+ */
+export async function createCmpConsentLog(event, input) {
+    const cms = getCMS();
+    if (!cms.cmpConfig) {
+        throw new Error('CMP is not configured. Pass `cmp: defineCmp({...})` to your CMS config.');
+    }
+    const rawIp = event.request.headers.get('x-forwarded-for')?.split(',')[0]?.trim() ??
+        event.request.headers.get('x-real-ip') ??
+        event.getClientAddress();
+    const ipAddressTruncated = truncateIpAddress(rawIp);
+    const countryCode = getCountryFromHeaders(event.request.headers);
+    const language = event.request.headers.get('accept-language')?.split(',')[0]?.trim() ?? 'unknown';
+    const userAgent = event.request.headers.get('user-agent') ?? 'unknown';
+    const url = event.request.headers.get('referer') ?? event.url.toString();
+    const data = {
+        id: uuidv4(),
+        ipAddressTruncated,
+        countryCode,
+        language,
+        userAgent,
+        url,
+        consents: input.consents,
+        consentModeStatus: input.consentModeStatus,
+        cmpVersion: cms.cmpConfig.version,
+        policyVersion: cms.cmpConfig.policyVersion,
+        parentLogId: input.parentLogId ?? null
+    };
+    await cms.databaseAdapter.createConsentLog(data);
+    return { id: data.id, timestamp: new Date() };
+}

package/dist/core/server/cmp/operations/get.d.ts

@@ -0,0 +1,2 @@
+import type { ConsentLogRecord } from '../../../../types/consent.js';
+export declare function getConsentLog(id: string): Promise<ConsentLogRecord | null>;

package/dist/core/server/cmp/operations/get.js

@@ -0,0 +1,8 @@
+import { getCMS } from '../../../cms.js';
+export async function getConsentLog(id) {
+    const adapter = getCMS().databaseAdapter;
+    if (!adapter.getConsentLog) {
+        throw new Error('Database adapter does not implement getConsentLog. Use includio-cms db-postgres ≥ 0.16.0 or implement the method.');
+    }
+    return adapter.getConsentLog(id);
+}

package/dist/core/server/cmp/operations/list.d.ts

@@ -0,0 +1,3 @@
+import type { ConsentLogRecord, GetConsentLogsFilters } from '../../../../types/consent.js';
+export declare function getConsentLogs(filters?: GetConsentLogsFilters): Promise<ConsentLogRecord[]>;
+export declare function countConsentLogs(filters?: Omit<GetConsentLogsFilters, 'limit' | 'offset'>): Promise<number>;

package/dist/core/server/cmp/operations/list.js

@@ -0,0 +1,15 @@
+import { getCMS } from '../../../cms.js';
+export async function getConsentLogs(filters = {}) {
+    const adapter = getCMS().databaseAdapter;
+    if (!adapter.getConsentLogs) {
+        throw new Error('Database adapter does not implement getConsentLogs. Use includio-cms db-postgres ≥ 0.16.0 or implement the method.');
+    }
+    return adapter.getConsentLogs(filters);
+}
+export async function countConsentLogs(filters = {}) {
+    const adapter = getCMS().databaseAdapter;
+    if (!adapter.countConsentLogs) {
+        throw new Error('Database adapter does not implement countConsentLogs. Use includio-cms db-postgres ≥ 0.16.0 or implement the method.');
+    }
+    return adapter.countConsentLogs(filters);
+}

package/dist/core/server/cmp/truncateIpAddress.d.ts

@@ -0,0 +1,7 @@
+/**
+ * GDPR-compliant IP anonymization.
+ * IPv4: zero last octet (e.g. 192.168.1.42 → 192.168.1.0)
+ * IPv6: zero last 80 bits / keep /48 prefix (e.g. 2001:db8:abcd:1234::1 → 2001:db8:abcd::)
+ * Invalid input → 'unknown'
+ */
+export declare function truncateIpAddress(ip: string | null | undefined): string;

package/dist/core/server/cmp/truncateIpAddress.js

@@ -0,0 +1,57 @@
+/**
+ * GDPR-compliant IP anonymization.
+ * IPv4: zero last octet (e.g. 192.168.1.42 → 192.168.1.0)
+ * IPv6: zero last 80 bits / keep /48 prefix (e.g. 2001:db8:abcd:1234::1 → 2001:db8:abcd::)
+ * Invalid input → 'unknown'
+ */
+export function truncateIpAddress(ip) {
+    if (!ip)
+        return 'unknown';
+    const trimmed = ip.trim();
+    if (!trimmed)
+        return 'unknown';
+    if (trimmed.includes('.') && !trimmed.includes(':')) {
+        return truncateIpv4(trimmed);
+    }
+    if (trimmed.includes(':')) {
+        return truncateIpv6(trimmed);
+    }
+    return 'unknown';
+}
+function truncateIpv4(ip) {
+    const parts = ip.split('.');
+    if (parts.length !== 4)
+        return 'unknown';
+    for (let i = 0; i < 4; i++) {
+        const n = Number(parts[i]);
+        if (!Number.isInteger(n) || n < 0 || n > 255)
+            return 'unknown';
+    }
+    return `${parts[0]}.${parts[1]}.${parts[2]}.0`;
+}
+function truncateIpv6(ip) {
+    const stripped = ip.split('%')[0];
+    const doubleColon = stripped.indexOf('::');
+    let groups;
+    if (doubleColon !== -1) {
+        const left = stripped.slice(0, doubleColon);
+        const right = stripped.slice(doubleColon + 2);
+        const leftGroups = left ? left.split(':') : [];
+        const rightGroups = right ? right.split(':') : [];
+        const missing = 8 - leftGroups.length - rightGroups.length;
+        if (missing < 0)
+            return 'unknown';
+        groups = [...leftGroups, ...Array(missing).fill('0'), ...rightGroups];
+    }
+    else {
+        groups = stripped.split(':');
+    }
+    if (groups.length !== 8)
+        return 'unknown';
+    for (const g of groups) {
+        if (!/^[0-9a-fA-F]{0,4}$/.test(g))
+            return 'unknown';
+    }
+    const prefix = groups.slice(0, 3).map((g) => g.toLowerCase().replace(/^0+(?=.)/, '') || '0');
+    return `${prefix.join(':')}::`;
+}

package/dist/core/server/fields/resolveImageFields.d.ts

@@ -1,3 +1,8 @@
 import type { EntryData, PopulatedEntryData } from '../../../types/entries.js';
 import type { Field } from '../../../types/fields.js';
+/**
+ * Walk entry data according to the field schema and collect all media file UUID references.
+ * Covers media/file/seo/object/blocks/content (incl. inline blocks inside content).
+ */
+export declare function extractMediaIdsFromData(data: EntryData, fields: Field[]): string[];
 export declare function resolveMediaFields(data: EntryData, fields: Field[]): Promise<PopulatedEntryData>;