includio-cms 0.15.4 → 0.15.5

package/CHANGELOG.md

@@ -3,6 +3,19 @@
 All notable changes to includio-cms are documented here.
 Generated from `src/lib/updates/` — do not edit manually.
 
+## 0.15.5 — 2026-04-23
+
+Media field recovers from orphan references; delete dialog shows usage breakdown + replace hint. X-Frame-Options relaxed to SAMEORIGIN. Background maintenance no longer duplicates on Vite HMR. Runtime generator no longer triggers an infinite SSR reload loop in dev.
+
+### Added
+- Admin media library: delete dialog (`FileDetails`) teraz pokazuje breakdown użyć pliku per kolekcja/single ("Plik jest używany w: Strony: 1") oraz hint wskazujący na funkcję **Zamień plik** (która zachowuje ID → wszystkie referencje). Dane ładowane asynchronicznie przez nowy remote query `findMediaReferences(id)` uruchamiany w momencie otwarcia dialogu. Scope (MVP): tylko najnowsza wersja per entry; historia poza zakresem. Walker po schematach (`media`, `file`, `seo.ogImage`, `object`, `blocks`, `content` z inline blocks) wyekstrahowany z `resolveImageFields.ts` jako reużywalne `extractMediaIdsFromData(data, fields)`.
+
+### Fixed
+- `media-field.svelte` nie blokuje już edycji entry gdy pole media wskazuje na usunięty plik (orphan reference). Wcześniej render wchodził w `{:else if singleFile}` z `singleFile=null` po nieudanym `getFileById`, co wyrzucało UI do pustego diva bez przycisków Zmień/Usuń — user zablokowany, nie mógł wstawić nowego obrazu. Nowa gałąź `{:else}` renderuje dashed warning placeholder ("Brakujący plik" / "Missing file") z zachowanymi kontrolkami. Analogicznie dla multi-media: per-item fallback pozwala usunąć pojedynczy orphan z tablicy bez czyszczenia pozostałych.
+- `X-Frame-Options` zmieniony z `DENY` na `SAMEORIGIN` w middleware `securityHeaders`. Wcześniej `DENY` blokował nawet same-origin framing, przez co admin CMS nie mógł załadować preview entry w iframe (`previewUrl` w konfiguracji kolekcji/single). Safari egzekwuje to rygorystycznie ("Refused to display ... in a frame because it set X-Frame-Options to DENY"). `SAMEORIGIN` dalej chroni przed clickjackingiem z obcych domen.
+- `startBackgroundMaintenance()` jest teraz idempotentne. Wcześniej każde wywołanie tworzyło nowy `setTimeout`/`setInterval` bez czyszczenia poprzedniego — w `pnpm dev` Vite HMR re-executuje `hooks.server.ts` (i tym samym `initCMS()`) przy każdej zmianie, więc po kilku edycjach działało N równoległych przebiegów maintenance. Stan timerów (`pendingTimeout`, `timer`, `running`, `lastResult`, `nextRunAt`) przeniesiony na `globalThis[Symbol.for("includio.maintenance.state")]`, żeby przeżył re-eval modułu w dev. Dodany guard: gdy timer już zaplanowany, kolejne `start()` loguje `already scheduled, skipping` i wychodzi. `stopBackgroundMaintenance()` teraz czyści również initial 30s `setTimeout`, nie tylko interval. Dodany `import.meta.hot.dispose()` czyszczący timery gdy Vite unlinkuje moduł.
+- `generateRuntime()` (`generator.ts`) nie zapisuje już plików gdy treść się nie zmieniła. Wcześniej każdy wywołanie `includioCMS()` (a więc każdy SSR reload Vite) bezwarunkowo `writeFileSync` na 5 plikach w `src/lib/cms/runtime/` (`api.ts`, `types.ts`, `schemas.ts`, `schema.ts`, `remote.ts`) — co aktualizowało mtime, Vite wykrywał zmianę, robił `(ssr) page reload`, znów wołał `includioCMS()` → znów zapis → nieskończona pętla reload w `pnpm dev`, blokująca pracę. Nowy helper `writeIfChanged(filePath, content)` najpierw czyta plik i zapisuje wyłącznie gdy treść się różni.
+
 ## 0.15.4 — 2026-04-21
 
 Forms: auto-scaffolded public submission endpoint + decoupled notification emails from submission success.

package/DOCS.md

@@ -1,4 +1,4 @@
-# Includio CMS Documentation (v0.15.4)
+# Includio CMS Documentation (v0.15.5)
 
 > This file is auto-generated from the docs site. For the latest version, update the package.
 

package/dist/admin/components/fields/media-field.svelte

@@ -30,6 +30,7 @@
 			a11yMissingAudioDesc: string;
 			a11yMissingBoth: string;
 			a11yHint: string;
+			missingFile: string;
 		}
 	> = {
 		pl: {
@@ -41,7 +42,8 @@
 			a11yMissingTranscript: 'Brakuje transkrypcji',
 			a11yMissingAudioDesc: 'Brakuje audiodeskrypcji',
 			a11yMissingBoth: 'Brakuje transkrypcji i audiodeskrypcji',
-			a11yHint: 'Uzupełnij w bibliotece mediów'
+			a11yHint: 'Uzupełnij w bibliotece mediów',
+			missingFile: 'Brakujący plik'
 		},
 		en: {
 			selectMedia: 'Select media',
@@ -52,7 +54,8 @@
 			a11yMissingTranscript: 'Transcript missing',
 			a11yMissingAudioDesc: 'Audio description missing',
 			a11yMissingBoth: 'Transcript and audio description missing',
-			a11yHint: 'Add it in the media library'
+			a11yHint: 'Add it in the media library',
+			missingFile: 'Missing file'
 		}
 	};
 
@@ -195,6 +198,17 @@
 	</button>
 {/snippet}
 
+{#snippet missingPlaceholder()}
+	<div
+		class="flex aspect-square w-full flex-col items-center justify-center gap-2 rounded-2xl border-2 border-dashed border-warning/50 bg-warning/5 p-6"
+	>
+		<div class="rounded-full bg-warning/10 p-3">
+			<AlertTriangle class="h-6 w-6 text-warning" />
+		</div>
+		<span class="text-sm text-warning">{lang[interfaceLanguage.current].missingFile}</span>
+	</div>
+{/snippet}
+
 {#snippet mediaActions(onRemove: () => void)}
 	<div class="flex items-center justify-between gap-2 mt-1.5">
 		<Button size="sm" variant="secondary" class="h-8" onclick={openPicker}>
@@ -224,6 +238,9 @@
 						{@render imagePreview(file)}
 					{/if}
 					{@render mediaActions(() => { value = ''; })}
+				{:else}
+					{@render missingPlaceholder()}
+					{@render mediaActions(() => { value = ''; })}
 				{/if}
 			{:else if Array.isArray(value) && value.length > 0}
 				{@const valueArr = value}
@@ -262,7 +279,42 @@
 							{/if}
 						</div>
 						{@render mediaActions(() => { value = field.multiple ? [] : ''; })}
+					{:else}
+						<div class="relative">
+							{@render missingPlaceholder()}
+							{#if valueArr.length > 1}
+								<div class="absolute inset-x-0 top-1/2 flex -translate-y-1/2 justify-between px-1 pointer-events-none">
+									<button
+										type="button"
+										class="pointer-events-auto flex h-8 w-8 items-center justify-center rounded-full bg-white/80 backdrop-blur shadow-md transition hover:bg-white hover:scale-105 dark:bg-background/80 dark:hover:bg-background"
+										onclick={() => { currentIndex = currentIndex > 0 ? currentIndex - 1 : valueArr.length - 1; }}
+									>
+										<ChevronLeft class="h-5 w-5" />
+									</button>
+									<button
+										type="button"
+										class="pointer-events-auto flex h-8 w-8 items-center justify-center rounded-full bg-white/80 backdrop-blur shadow-md transition hover:bg-white hover:scale-105 dark:bg-background/80 dark:hover:bg-background"
+										onclick={() => { currentIndex = currentIndex < valueArr.length - 1 ? currentIndex + 1 : 0; }}
+									>
+										<ChevronRight class="h-5 w-5" />
+									</button>
+								</div>
+								<div class="absolute top-2 right-2 rounded-full bg-plum-darker/60 px-2 py-0.5 text-xs font-medium text-white backdrop-blur">
+									{currentIndex + 1} / {valueArr.length}
+								</div>
+							{/if}
+						</div>
+						{@render mediaActions(() => {
+							if (Array.isArray(value)) {
+								const next = value.filter((_, i) => i !== currentIndex);
+								value = field.multiple ? next : next[0] ?? '';
+								if (currentIndex >= next.length) currentIndex = Math.max(0, next.length - 1);
+							}
+						})}
 					{/if}
+				{:else}
+					{@render missingPlaceholder()}
+					{@render mediaActions(() => { value = field.multiple ? [] : ''; })}
 				{/if}
 			{/if}
 		</div>

package/dist/admin/components/media/file/file-details.svelte

@@ -31,6 +31,19 @@
 	let deleteDialogOpen = $state(false);
 	let videoError = $state(false);
 
+	type ReferenceResult = {
+		total: number;
+		byCollection: Array<{ collection: string; label: string; count: number; kind: 'collection' | 'single' }>;
+	};
+
+	const referencesQuery = $derived(
+		deleteDialogOpen ? remotes.findMediaReferences(file.id) : null
+	);
+	const referencesLoading = $derived(!!referencesQuery && !referencesQuery.ready);
+	const references = $derived(
+		referencesQuery && referencesQuery.ready ? (referencesQuery.current as ReferenceResult) : null
+	);
+
 	$effect(() => {
 		file.url;
 		videoError = false;
@@ -43,6 +56,12 @@
 			deleteConfirmTitle: string;
 			deleteConfirmDesc: string;
 			deleteCancel: string;
+			usedInLoading: string;
+			usedInTitle: string;
+			missingAfterDelete: string;
+			replaceHintBefore: string;
+			replaceHintCta: string;
+			replaceHintAfter: string;
 			fileNameLabel: string;
 			fileUrlLabel: string;
 			fileAltLabel: string;
@@ -81,6 +100,12 @@
 			deleteConfirmTitle: 'Usunąć plik?',
 			deleteConfirmDesc: 'Plik zostanie trwale usunięty.',
 			deleteCancel: 'Anuluj',
+			usedInLoading: 'Liczenie użyć…',
+			usedInTitle: 'Plik jest używany w:',
+			missingAfterDelete: 'Po usunięciu te pola zostaną oznaczone jako brakujące.',
+			replaceHintBefore: 'Jeśli chcesz tylko zmienić obraz, użyj funkcji',
+			replaceHintCta: 'Zamień plik',
+			replaceHintAfter: ' — zachowa wszystkie referencje.',
 			replaceFileLabel: 'Zamień plik',
 			fileNameLabel: 'Nazwa pliku',
 			fileUrlLabel: 'URL',
@@ -118,6 +143,12 @@
 			deleteConfirmTitle: 'Delete file?',
 			deleteConfirmDesc: 'The file will be permanently deleted.',
 			deleteCancel: 'Cancel',
+			usedInLoading: 'Counting usages…',
+			usedInTitle: 'This file is used in:',
+			missingAfterDelete: 'After deletion these fields will be marked as missing.',
+			replaceHintBefore: 'If you only want to change the image, use the',
+			replaceHintCta: 'Replace file',
+			replaceHintAfter: ' action — it keeps all references intact.',
 			fileNameLabel: 'File name',
 			fileUrlLabel: 'URL',
 			fileAltLabel: 'Alt text',
@@ -565,6 +596,40 @@
 	<AlertDialog.Content>
 		<AlertDialog.Title>{lang[interfaceLanguage.current].deleteConfirmTitle}</AlertDialog.Title>
 		<AlertDialog.Description>{lang[interfaceLanguage.current].deleteConfirmDesc}</AlertDialog.Description>
+
+		{#if referencesLoading}
+			<div class="mt-2 flex items-center gap-2 text-sm text-muted-foreground">
+				<div class="h-3 w-3 animate-pulse rounded-full bg-muted"></div>
+				<span>{lang[interfaceLanguage.current].usedInLoading}</span>
+			</div>
+		{:else if references && references.total > 0}
+			<div class="mt-2 space-y-3 text-sm">
+				<div class="rounded-md border border-warning/40 bg-warning/5 p-3">
+					<div class="flex items-start gap-2">
+						<AlertTriangle class="h-4 w-4 text-warning mt-0.5 shrink-0" />
+						<div class="flex-1 min-w-0">
+							<p class="font-medium text-foreground">{lang[interfaceLanguage.current].usedInTitle}</p>
+							<ul class="mt-1.5 space-y-0.5">
+								{#each references.byCollection as ref}
+									<li class="text-muted-foreground">
+										<span class="font-medium text-foreground">{ref.label}</span>: {ref.count}
+									</li>
+								{/each}
+							</ul>
+							<p class="mt-2 text-xs text-muted-foreground">{lang[interfaceLanguage.current].missingAfterDelete}</p>
+						</div>
+					</div>
+				</div>
+				<p class="text-xs text-muted-foreground">
+					{lang[interfaceLanguage.current].replaceHintBefore}
+					<span class="inline-flex items-center gap-1 rounded border border-border bg-muted/50 px-1.5 py-0.5 font-medium text-foreground">
+						<Replace class="h-3 w-3" />
+						{lang[interfaceLanguage.current].replaceHintCta}
+					</span>{lang[interfaceLanguage.current].replaceHintAfter}
+				</p>
+			</div>
+		{/if}
+
 		<AlertDialog.Footer>
 			<AlertDialog.Cancel>{lang[interfaceLanguage.current].deleteCancel}</AlertDialog.Cancel>
 			<AlertDialog.Action

package/dist/admin/remote/media.remote.d.ts

@@ -33,6 +33,7 @@ export declare const getMediaTagsWithCounts: import("@sveltejs/kit").RemoteQuery
     count: number;
 }[]>;
 export declare const getFileById: import("@sveltejs/kit").RemoteQueryFunction<string, MediaFile | null>;
+export declare const findMediaReferences: import("@sveltejs/kit").RemoteQueryFunction<string, import("../../core/server/media/operations/findMediaReferences.js").MediaReferenceResult>;
 export declare const deleteMediaFile: import("@sveltejs/kit").RemoteCommand<string, Promise<void>>;
 export declare const bulkDeleteMediaFiles: import("@sveltejs/kit").RemoteCommand<{
     ids: string[];

package/dist/admin/remote/media.remote.js

@@ -2,6 +2,7 @@ import { command, query } from '$app/server';
 import { setAlt, renameMediaFile as renameMediaFileOperation, updateMediaAccessibility as updateMediaAccessibilityOp } from '../../core/server/media/operations/updateFile.js';
 import z from 'zod';
 import { deleteMediaFile as deleteMediaFileFn, bulkDeleteMediaFiles as bulkDeleteMediaFilesFn } from '../../core/server/media/operations/deleteMediaFile.js';
+import { findMediaReferences as findMediaReferencesFn } from '../../core/server/media/operations/findMediaReferences.js';
 import { getFile, getFiles, countFiles, getMediaTagsWithCounts as getMediaTagsWithCountsFn } from '../../core/server/media/operations/getFiles.js';
 import { getMediaTags as getMediaTagsFn, createMediaTag as createMediaTagFn, updateMediaTag as updateMediaTagFn, deleteMediaTag as deleteMediaTagFn, setMediaFileTags as setMediaFileTagsFn, bulkSetMediaFileTags as bulkSetMediaFileTagsFn } from '../../core/server/media/operations/tags.js';
 import { requireAuth } from './middleware/auth.js';
@@ -70,6 +71,10 @@ export const getMediaTagsWithCounts = query(async () => {
 export const getFileById = query(z.string().uuid(), async (id) => {
     return getFile(id);
 });
+export const findMediaReferences = query(z.string().uuid(), async (id) => {
+    requireAuth();
+    return findMediaReferencesFn(id);
+});
 export const deleteMediaFile = command(z.string().uuid(), async (id) => {
     requireAuth();
     return deleteMediaFileFn(id);

package/dist/cmp/types.d.ts

@@ -0,0 +1,25 @@
+export interface ResolvedCmpConfig {
+    enabled: boolean;
+    version: string;
+    policyVersion: string;
+    gtmConsentMode: boolean;
+    categories: {
+        analytics: boolean;
+        marketing: boolean;
+        preferences: boolean;
+    };
+    strings: Record<string, CmpStrings>;
+}
+export interface CmpStrings {
+    bannerTitle?: string;
+    bannerBody?: string;
+    acceptAll?: string;
+    rejectAll?: string;
+    customize?: string;
+    settingsTitle?: string;
+    save?: string;
+    necessary?: string;
+    analytics?: string;
+    marketing?: string;
+    preferences?: string;
+}

package/dist/cmp/types.js

@@ -0,0 +1 @@
+export {};

package/dist/core/cms.d.ts

@@ -10,6 +10,7 @@ import type { AIAdapter } from '../types/adapters/ai.js';
 import type { EmailAdapter } from '../types/adapters/email.js';
 import { betterAuth } from 'better-auth';
 import type { ResolvedShopConfig } from '../shop/types.js';
+import type { ResolvedCmpConfig } from '../cmp/types.js';
 export declare class CMS implements ICMS {
     private config;
     databaseAdapter: DatabaseAdapter;
@@ -26,6 +27,7 @@ export declare class CMS implements ICMS {
     typographyConfig: TypographyConfig;
     sidebarHelp: boolean;
     shopConfig: ResolvedShopConfig | null;
+    cmpConfig: ResolvedCmpConfig | null;
     plugins: PluginConfig[];
     customFields: Map<string, CustomFieldDefinition>;
     apiKeys: ApiKeyConfig[];

package/dist/core/cms.js

@@ -20,6 +20,7 @@ export class CMS {
     typographyConfig;
     sidebarHelp;
     shopConfig;
+    cmpConfig;
     plugins = [];
     customFields = new Map();
     apiKeys = [];
@@ -34,6 +35,7 @@ export class CMS {
         this.typographyConfig = config.typography || {};
         this.sidebarHelp = config.sidebarHelp ?? true;
         this.shopConfig = config.shop ?? null;
+        this.cmpConfig = config.cmp ?? null;
         this.collections = {};
         this.singles = {};
         this.forms = {};

package/dist/core/server/cmp/getCountryFromHeaders.d.ts

@@ -0,0 +1,10 @@
+/**
+ * Extract 2-letter ISO country code from request headers.
+ * Priority:
+ *   1. `cf-ipcountry` (Cloudflare)
+ *   2. `x-vercel-ip-country` (Vercel)
+ *   3. `x-country-code` (generic proxy)
+ *   4. Fallback: parse `Accept-Language` region subtag (e.g. `pl-PL` → `PL`)
+ * Returns 'XX' when no reliable source available.
+ */
+export declare function getCountryFromHeaders(headers: Headers): string;

package/dist/core/server/cmp/getCountryFromHeaders.js

@@ -0,0 +1,30 @@
+/**
+ * Extract 2-letter ISO country code from request headers.
+ * Priority:
+ *   1. `cf-ipcountry` (Cloudflare)
+ *   2. `x-vercel-ip-country` (Vercel)
+ *   3. `x-country-code` (generic proxy)
+ *   4. Fallback: parse `Accept-Language` region subtag (e.g. `pl-PL` → `PL`)
+ * Returns 'XX' when no reliable source available.
+ */
+export function getCountryFromHeaders(headers) {
+    const providerCountry = headers.get('cf-ipcountry') ??
+        headers.get('x-vercel-ip-country') ??
+        headers.get('x-country-code');
+    if (providerCountry) {
+        const normalized = providerCountry.trim().toUpperCase();
+        if (/^[A-Z]{2}$/.test(normalized))
+            return normalized;
+    }
+    const acceptLanguage = headers.get('accept-language');
+    if (acceptLanguage) {
+        const first = acceptLanguage.split(',')[0].trim();
+        const region = first.split('-')[1] ?? first.split('_')[1];
+        if (region) {
+            const normalized = region.split(';')[0].trim().toUpperCase();
+            if (/^[A-Z]{2}$/.test(normalized))
+                return normalized;
+        }
+    }
+    return 'XX';
+}

package/dist/core/server/cmp/operations/create.d.ts

@@ -0,0 +1,17 @@
+import type { RequestEvent } from '@sveltejs/kit';
+import type { ConsentLogData } from '../../../../types/consent.js';
+export interface CreateCmpConsentLogInput {
+    consents: ConsentLogData['consents'];
+    consentModeStatus: ConsentLogData['consentModeStatus'];
+    parentLogId?: string | null;
+}
+export interface CreateCmpConsentLogResult {
+    id: string;
+    timestamp: Date;
+}
+/**
+ * Creates a consent log from a SvelteKit request event.
+ * Extracts IP/UA/URL/language from headers, truncates the IP,
+ * pulls cmpVersion/policyVersion from the CMS cmpConfig.
+ */
+export declare function createCmpConsentLog(event: RequestEvent, input: CreateCmpConsentLogInput): Promise<CreateCmpConsentLogResult>;

package/dist/core/server/cmp/operations/create.js

@@ -0,0 +1,38 @@
+import { v4 as uuidv4 } from 'uuid';
+import { getCMS } from '../../../cms.js';
+import { truncateIpAddress } from '../truncateIpAddress.js';
+import { getCountryFromHeaders } from '../getCountryFromHeaders.js';
+/**
+ * Creates a consent log from a SvelteKit request event.
+ * Extracts IP/UA/URL/language from headers, truncates the IP,
+ * pulls cmpVersion/policyVersion from the CMS cmpConfig.
+ */
+export async function createCmpConsentLog(event, input) {
+    const cms = getCMS();
+    if (!cms.cmpConfig) {
+        throw new Error('CMP is not configured. Pass `cmp: defineCmp({...})` to your CMS config.');
+    }
+    const rawIp = event.request.headers.get('x-forwarded-for')?.split(',')[0]?.trim() ??
+        event.request.headers.get('x-real-ip') ??
+        event.getClientAddress();
+    const ipAddressTruncated = truncateIpAddress(rawIp);
+    const countryCode = getCountryFromHeaders(event.request.headers);
+    const language = event.request.headers.get('accept-language')?.split(',')[0]?.trim() ?? 'unknown';
+    const userAgent = event.request.headers.get('user-agent') ?? 'unknown';
+    const url = event.request.headers.get('referer') ?? event.url.toString();
+    const data = {
+        id: uuidv4(),
+        ipAddressTruncated,
+        countryCode,
+        language,
+        userAgent,
+        url,
+        consents: input.consents,
+        consentModeStatus: input.consentModeStatus,
+        cmpVersion: cms.cmpConfig.version,
+        policyVersion: cms.cmpConfig.policyVersion,
+        parentLogId: input.parentLogId ?? null
+    };
+    await cms.databaseAdapter.createConsentLog(data);
+    return { id: data.id, timestamp: new Date() };
+}

package/dist/core/server/cmp/operations/get.d.ts

@@ -0,0 +1,2 @@
+import type { ConsentLogRecord } from '../../../../types/consent.js';
+export declare function getConsentLog(id: string): Promise<ConsentLogRecord | null>;

package/dist/core/server/cmp/operations/get.js

@@ -0,0 +1,8 @@
+import { getCMS } from '../../../cms.js';
+export async function getConsentLog(id) {
+    const adapter = getCMS().databaseAdapter;
+    if (!adapter.getConsentLog) {
+        throw new Error('Database adapter does not implement getConsentLog. Use includio-cms db-postgres ≥ 0.16.0 or implement the method.');
+    }
+    return adapter.getConsentLog(id);
+}

package/dist/core/server/cmp/operations/list.d.ts

@@ -0,0 +1,3 @@
+import type { ConsentLogRecord, GetConsentLogsFilters } from '../../../../types/consent.js';
+export declare function getConsentLogs(filters?: GetConsentLogsFilters): Promise<ConsentLogRecord[]>;
+export declare function countConsentLogs(filters?: Omit<GetConsentLogsFilters, 'limit' | 'offset'>): Promise<number>;

package/dist/core/server/cmp/operations/list.js

@@ -0,0 +1,15 @@
+import { getCMS } from '../../../cms.js';
+export async function getConsentLogs(filters = {}) {
+    const adapter = getCMS().databaseAdapter;
+    if (!adapter.getConsentLogs) {
+        throw new Error('Database adapter does not implement getConsentLogs. Use includio-cms db-postgres ≥ 0.16.0 or implement the method.');
+    }
+    return adapter.getConsentLogs(filters);
+}
+export async function countConsentLogs(filters = {}) {
+    const adapter = getCMS().databaseAdapter;
+    if (!adapter.countConsentLogs) {
+        throw new Error('Database adapter does not implement countConsentLogs. Use includio-cms db-postgres ≥ 0.16.0 or implement the method.');
+    }
+    return adapter.countConsentLogs(filters);
+}

package/dist/core/server/cmp/truncateIpAddress.d.ts

@@ -0,0 +1,7 @@
+/**
+ * GDPR-compliant IP anonymization.
+ * IPv4: zero last octet (e.g. 192.168.1.42 → 192.168.1.0)
+ * IPv6: zero last 80 bits / keep /48 prefix (e.g. 2001:db8:abcd:1234::1 → 2001:db8:abcd::)
+ * Invalid input → 'unknown'
+ */
+export declare function truncateIpAddress(ip: string | null | undefined): string;

package/dist/core/server/cmp/truncateIpAddress.js

@@ -0,0 +1,57 @@
+/**
+ * GDPR-compliant IP anonymization.
+ * IPv4: zero last octet (e.g. 192.168.1.42 → 192.168.1.0)
+ * IPv6: zero last 80 bits / keep /48 prefix (e.g. 2001:db8:abcd:1234::1 → 2001:db8:abcd::)
+ * Invalid input → 'unknown'
+ */
+export function truncateIpAddress(ip) {
+    if (!ip)
+        return 'unknown';
+    const trimmed = ip.trim();
+    if (!trimmed)
+        return 'unknown';
+    if (trimmed.includes('.') && !trimmed.includes(':')) {
+        return truncateIpv4(trimmed);
+    }
+    if (trimmed.includes(':')) {
+        return truncateIpv6(trimmed);
+    }
+    return 'unknown';
+}
+function truncateIpv4(ip) {
+    const parts = ip.split('.');
+    if (parts.length !== 4)
+        return 'unknown';
+    for (let i = 0; i < 4; i++) {
+        const n = Number(parts[i]);
+        if (!Number.isInteger(n) || n < 0 || n > 255)
+            return 'unknown';
+    }
+    return `${parts[0]}.${parts[1]}.${parts[2]}.0`;
+}
+function truncateIpv6(ip) {
+    const stripped = ip.split('%')[0];
+    const doubleColon = stripped.indexOf('::');
+    let groups;
+    if (doubleColon !== -1) {
+        const left = stripped.slice(0, doubleColon);
+        const right = stripped.slice(doubleColon + 2);
+        const leftGroups = left ? left.split(':') : [];
+        const rightGroups = right ? right.split(':') : [];
+        const missing = 8 - leftGroups.length - rightGroups.length;
+        if (missing < 0)
+            return 'unknown';
+        groups = [...leftGroups, ...Array(missing).fill('0'), ...rightGroups];
+    }
+    else {
+        groups = stripped.split(':');
+    }
+    if (groups.length !== 8)
+        return 'unknown';
+    for (const g of groups) {
+        if (!/^[0-9a-fA-F]{0,4}$/.test(g))
+            return 'unknown';
+    }
+    const prefix = groups.slice(0, 3).map((g) => g.toLowerCase().replace(/^0+(?=.)/, '') || '0');
+    return `${prefix.join(':')}::`;
+}

package/dist/core/server/fields/resolveImageFields.d.ts

@@ -1,3 +1,8 @@
 import type { EntryData, PopulatedEntryData } from '../../../types/entries.js';
 import type { Field } from '../../../types/fields.js';
+/**
+ * Walk entry data according to the field schema and collect all media file UUID references.
+ * Covers media/file/seo/object/blocks/content (incl. inline blocks inside content).
+ */
+export declare function extractMediaIdsFromData(data: EntryData, fields: Field[]): string[];
 export declare function resolveMediaFields(data: EntryData, fields: Field[]): Promise<PopulatedEntryData>;

package/dist/core/server/fields/resolveImageFields.js

@@ -4,7 +4,11 @@ import { getCMS } from '../../cms.js';
 import z from 'zod';
 import { getImageStyles } from './utils/imageStyles.js';
 import { extractMediaIds as extractMediaIdsFromDoc, walkMediaNodes, walkInlineBlockNodes, cloneDoc } from '../../../admin/components/tiptap/structured-content-utils.js';
-export async function resolveMediaFields(data, fields) {
+/**
+ * Walk entry data according to the field schema and collect all media file UUID references.
+ * Covers media/file/seo/object/blocks/content (incl. inline blocks inside content).
+ */
+export function extractMediaIdsFromData(data, fields) {
     const mediaIds = [];
     // eslint-disable-next-line @typescript-eslint/no-explicit-any
     const collectIds = (value, fields) => {
@@ -71,6 +75,10 @@ export async function resolveMediaFields(data, fields) {
         }
     };
     collectIds(data, fields);
+    return mediaIds;
+}
+export async function resolveMediaFields(data, fields) {
+    const mediaIds = extractMediaIdsFromData(data, fields);
     if (mediaIds.length === 0)
         return data;
     const media = await getCMS().databaseAdapter.getMediaFiles({

package/dist/core/server/generator/generator.js

@@ -1,4 +1,4 @@
-import { mkdirSync, writeFileSync } from 'node:fs';
+import { mkdirSync, readFileSync, writeFileSync, existsSync } from 'node:fs';
 import { join } from 'node:path';
 import { generateTsTypeFromFields, generateFlatTsTypeFromFields, generateInlineBlockTypeString, setGeneratorCustomFields } from './fields.js';
 import { generateTsTypeFromFormFields } from './formFields.js';
@@ -9,6 +9,22 @@ function createCmsRuntimeDir() {
     const cmsDir = join(process.cwd(), 'src/lib/cms/runtime');
     mkdirSync(cmsDir, { recursive: true });
 }
+// Avoids touching mtime when content is unchanged — otherwise Vite's file
+// watcher triggers an SSR reload, which re-runs the generator, which rewrites
+// the same content, looping forever in dev.
+function writeIfChanged(filePath, content) {
+    if (existsSync(filePath)) {
+        try {
+            const current = readFileSync(filePath, 'utf8');
+            if (current === content)
+                return;
+        }
+        catch {
+            // fall through and write
+        }
+    }
+    writeFileSync(filePath, content);
+}
 function generateTypesStringForRecords(type, records) {
     const recordTypeString = type.charAt(0).toUpperCase() + type.slice(1);
     const singleSlugs = records.map((s) => s.slug) || [];
@@ -156,7 +172,7 @@ function generateTypes(config) {
         }
     }
     code += `\n export type SiteLanguage =  ${config.languages.map((lang) => JSON.stringify(lang)).join(' | ')};\n\n`;
-    writeFileSync(filePath, code);
+    writeIfChanged(filePath, code);
 }
 function generateAPI(config) {
     const cmsDir = join(process.cwd(), 'src/lib/cms/runtime');
@@ -232,7 +248,7 @@ function generateAPI(config) {
         : ''}
 
 	`;
-    writeFileSync(filePath, code);
+    writeIfChanged(filePath, code);
 }
 function generateSchemas(config) {
     const cmsDir = join(process.cwd(), 'src/lib/cms/runtime');
@@ -247,7 +263,7 @@ function generateSchemas(config) {
 			export const ${varName}FormSchema = ${generateZodSchemaStringFromFormFieldsAsString(form.fields)} \n
 		`;
     });
-    writeFileSync(filePath, code);
+    writeIfChanged(filePath, code);
 }
 function generateDrizzleSchema(config) {
     const cmsDir = join(process.cwd(), 'src/lib/cms/runtime');
@@ -259,7 +275,7 @@ function generateDrizzleSchema(config) {
     if (config.shop) {
         code += `export * from 'includio-cms/db-postgres/schema-shop';\n`;
     }
-    writeFileSync(filePath, code);
+    writeIfChanged(filePath, code);
 }
 function generateRemote(config) {
     if (!config.forms || config.forms.length === 0)
@@ -282,7 +298,7 @@ function generateRemote(config) {
         code += `\t}\n`;
         code += `);\n\n`;
     });
-    writeFileSync(filePath, code);
+    writeIfChanged(filePath, code);
 }
 export function generateRuntime(config) {
     // Build custom fields map from plugins for type generation

package/dist/core/server/media/operations/backgroundMaintenance.js

@@ -1,22 +1,36 @@
 import { getCMS } from '../../../cms.js';
-let running = false;
-let timer = null;
-let lastResult = null;
-let nextRunAt = null;
+// State held on globalThis so it survives Vite HMR module re-evaluation in dev;
+// without this, each re-eval would leak a new timer while the old one kept ticking.
+const STATE_KEY = Symbol.for('includio.maintenance.state');
+function getState() {
+    const g = globalThis;
+    if (!g[STATE_KEY]) {
+        g[STATE_KEY] = {
+            running: false,
+            pendingTimeout: null,
+            timer: null,
+            lastResult: null,
+            nextRunAt: null
+        };
+    }
+    return g[STATE_KEY];
+}
 export function getMaintenanceStatus() {
+    const state = getState();
     return {
-        running,
-        lastRun: lastResult?.ranAt ?? null,
-        nextRun: nextRunAt,
-        lastResult
+        running: state.running,
+        lastRun: state.lastResult?.ranAt ?? null,
+        nextRun: state.nextRunAt,
+        lastResult: state.lastResult
     };
 }
 async function runMaintenance() {
-    if (running) {
+    const state = getState();
+    if (state.running) {
         console.info('[maintenance] Skipping — previous run still active');
         return;
     }
-    running = true;
+    state.running = true;
     console.info('[maintenance] Starting background maintenance...');
     const result = {
         stylesCreated: 0,
@@ -59,8 +73,8 @@ async function runMaintenance() {
         console.warn('[maintenance] Error during background maintenance:', err);
     }
     finally {
-        running = false;
-        lastResult = result;
+        state.running = false;
+        state.lastResult = result;
         const parts = [];
         if (result.stylesCreated > 0)
             parts.push(`${result.stylesCreated} styles`);
@@ -79,27 +93,44 @@ async function runMaintenance() {
     }
 }
 export function startBackgroundMaintenance() {
+    const state = getState();
+    if (state.pendingTimeout || state.timer) {
+        console.info('[maintenance] Already scheduled, skipping');
+        return;
+    }
     const config = getCMS().mediaConfig?.maintenance;
     if (config?.autoRun === false)
         return;
     const intervalHours = config?.intervalHours ?? 6;
     const intervalMs = intervalHours * 60 * 60 * 1000;
     // First run after 30s delay
-    setTimeout(() => {
+    state.pendingTimeout = setTimeout(() => {
+        state.pendingTimeout = null;
         runMaintenance();
         // Then repeat on interval
-        nextRunAt = new Date(Date.now() + intervalMs);
-        timer = setInterval(() => {
-            nextRunAt = new Date(Date.now() + intervalMs);
+        state.nextRunAt = new Date(Date.now() + intervalMs);
+        state.timer = setInterval(() => {
+            state.nextRunAt = new Date(Date.now() + intervalMs);
             runMaintenance();
         }, intervalMs);
     }, 30_000);
     console.info(`[maintenance] Scheduled: first run in 30s, then every ${intervalHours}h`);
 }
 export function stopBackgroundMaintenance() {
-    if (timer) {
-        clearInterval(timer);
-        timer = null;
-        nextRunAt = null;
+    const state = getState();
+    if (state.pendingTimeout) {
+        clearTimeout(state.pendingTimeout);
+        state.pendingTimeout = null;
+    }
+    if (state.timer) {
+        clearInterval(state.timer);
+        state.timer = null;
     }
+    state.nextRunAt = null;
+}
+// Clean up on Vite HMR so timers don't accumulate across module re-evaluations.
+if (import.meta.hot) {
+    import.meta.hot.dispose(() => {
+        stopBackgroundMaintenance();
+    });
 }

package/dist/core/server/media/operations/findMediaReferences.d.ts

@@ -0,0 +1,16 @@
+export interface MediaReferenceBreakdown {
+    collection: string;
+    label: string;
+    count: number;
+    kind: 'collection' | 'single';
+}
+export interface MediaReferenceResult {
+    total: number;
+    byCollection: MediaReferenceBreakdown[];
+}
+/**
+ * Find how many entries (across all collections + singles) reference a given media file.
+ * Scans only the latest version per entry per language (MVP — history is not inspected).
+ * Grouping is by collection/single slug with a human-readable label.
+ */
+export declare function findMediaReferences(fileId: string): Promise<MediaReferenceResult>;

package/dist/core/server/media/operations/findMediaReferences.js

@@ -0,0 +1,60 @@
+import { getCMS } from '../../../cms.js';
+import { getFieldsFromConfig } from '../../../fields/layoutUtils.js';
+import { extractMediaIdsFromData } from '../../fields/resolveImageFields.js';
+function pickLabel(lang, localized, fallback) {
+    if (!localized)
+        return fallback ?? '';
+    return localized[lang] ?? Object.values(localized)[0] ?? fallback ?? '';
+}
+/**
+ * Find how many entries (across all collections + singles) reference a given media file.
+ * Scans only the latest version per entry per language (MVP — history is not inspected).
+ * Grouping is by collection/single slug with a human-readable label.
+ */
+export async function findMediaReferences(fileId) {
+    const cms = getCMS();
+    const lang = cms.languages[0];
+    const db = cms.databaseAdapter;
+    const breakdown = [];
+    let total = 0;
+    const scanSlug = async (slug, label, fields, kind) => {
+        const entries = await db.getEntries({ slug });
+        if (entries.length === 0)
+            return;
+        const alive = entries.filter((e) => e.archivedAt == null);
+        if (alive.length === 0)
+            return;
+        const versions = await db.getEntryVersions({
+            entryIds: alive.map((e) => e.id),
+            lang
+        });
+        // Pick the latest version per entryId.
+        const latestByEntry = new Map();
+        for (const v of versions) {
+            const prev = latestByEntry.get(v.entryId);
+            if (!prev || v.versionNumber > prev.versionNumber) {
+                latestByEntry.set(v.entryId, v);
+            }
+        }
+        let count = 0;
+        for (const v of latestByEntry.values()) {
+            const ids = extractMediaIdsFromData(v.data, fields);
+            if (ids.includes(fileId))
+                count += 1;
+        }
+        if (count > 0) {
+            breakdown.push({ collection: slug, label, count, kind });
+            total += count;
+        }
+    };
+    for (const col of Object.values(cms.collections)) {
+        const label = pickLabel(lang, col.labels?.plural, col.slug);
+        await scanSlug(col.slug, label, getFieldsFromConfig(col), 'collection');
+    }
+    for (const single of Object.values(cms.singles)) {
+        const label = pickLabel(lang, single.label, single.slug);
+        await scanSlug(single.slug, label, getFieldsFromConfig(single), 'single');
+    }
+    breakdown.sort((a, b) => b.count - a.count);
+    return { total, byCollection: breakdown };
+}

package/dist/db-postgres/index.js

@@ -1,7 +1,7 @@
 import { drizzle } from 'drizzle-orm/postgres-js';
 import postgres from 'postgres';
 import * as schema from './schema/index.js';
-import { eq, and, inArray, sql, isNull, desc, asc, SQL, ilike, or, count } from 'drizzle-orm';
+import { eq, and, inArray, sql, isNull, desc, asc, SQL, ilike, or, count, gte, lte } from 'drizzle-orm';
 const SAFE_JSON_KEY = /^[a-zA-Z0-9_]+$/;
 function validateJsonPathKeys(path) {
     for (const key of path) {
@@ -527,6 +527,51 @@ export function pg(config) {
         createConsentLog: async (data) => {
             await db.insert(schema.consentLogsTable).values(data);
         },
+        getConsentLogs: async (filters) => {
+            const conditions = [];
+            if (filters.startDate) {
+                conditions.push(gte(schema.consentLogsTable.timestamp, filters.startDate));
+            }
+            if (filters.endDate) {
+                conditions.push(lte(schema.consentLogsTable.timestamp, filters.endDate));
+            }
+            if (filters.country) {
+                conditions.push(eq(schema.consentLogsTable.countryCode, filters.country.toUpperCase()));
+            }
+            const rows = await db
+                .select()
+                .from(schema.consentLogsTable)
+                .where(conditions.length ? and(...conditions) : undefined)
+                .orderBy(desc(schema.consentLogsTable.timestamp))
+                .limit(filters.limit ?? 50)
+                .offset(filters.offset ?? 0);
+            return rows;
+        },
+        countConsentLogs: async (filters) => {
+            const conditions = [];
+            if (filters.startDate) {
+                conditions.push(gte(schema.consentLogsTable.timestamp, filters.startDate));
+            }
+            if (filters.endDate) {
+                conditions.push(lte(schema.consentLogsTable.timestamp, filters.endDate));
+            }
+            if (filters.country) {
+                conditions.push(eq(schema.consentLogsTable.countryCode, filters.country.toUpperCase()));
+            }
+            const [row] = await db
+                .select({ value: count() })
+                .from(schema.consentLogsTable)
+                .where(conditions.length ? and(...conditions) : undefined);
+            return row?.value ?? 0;
+        },
+        getConsentLog: async (id) => {
+            const [row] = await db
+                .select()
+                .from(schema.consentLogsTable)
+                .where(eq(schema.consentLogsTable.id, id))
+                .limit(1);
+            return row ?? null;
+        },
         // --- Media Tags ---
         getMediaTags: async () => {
             return db.select().from(schema.mediaTagsTable).orderBy(schema.mediaTagsTable.name);

package/dist/db-postgres/schema/consentLog.d.ts

@@ -189,6 +189,23 @@ export declare const consentLogsTable: import("drizzle-orm/pg-core/table", { wit
             identity: undefined;
             generated: undefined;
         }, {}, {}>;
+        parentLogId: import("drizzle-orm/pg-core", { with: { "resolution-mode": "require" } }).PgColumn<{
+            name: "parent_log_id";
+            tableName: "consent_logs";
+            dataType: "string";
+            columnType: "PgUUID";
+            data: string;
+            driverParam: string;
+            notNull: false;
+            hasDefault: false;
+            isPrimaryKey: false;
+            isAutoincrement: false;
+            hasRuntimeDefault: false;
+            enumValues: undefined;
+            baseColumn: never;
+            identity: undefined;
+            generated: undefined;
+        }, {}, {}>;
     };
     dialect: "pg";
 }>;

package/dist/db-postgres/schema/consentLog.js

@@ -10,5 +10,8 @@ export const consentLogsTable = pgTable('consent_logs', {
     consents: jsonb('consents').notNull(),
     consentModeStatus: jsonb('consent_mode_status').notNull(),
     cmpVersion: text('cmp_version').notNull(),
-    policyVersion: text('policy_version').notNull()
+    policyVersion: text('policy_version').notNull(),
+    parentLogId: uuid('parent_log_id').references(() => consentLogsTable.id, {
+        onDelete: 'set null'
+    })
 });

package/dist/sveltekit/server/handle.js

@@ -80,7 +80,7 @@ export function includioCMS(cmsConfig) {
 const securityHeaders = async ({ event, resolve }) => {
     const response = await resolve(event);
     response.headers.set('X-Content-Type-Options', 'nosniff');
-    response.headers.set('X-Frame-Options', 'DENY');
+    response.headers.set('X-Frame-Options', 'SAMEORIGIN');
     response.headers.set('Referrer-Policy', 'strict-origin-when-cross-origin');
     return response;
 };

package/dist/types/adapters/db.d.ts

@@ -1,4 +1,4 @@
-import type { ConsentLogData } from '../consent.js';
+import type { ConsentLogData, ConsentLogRecord, GetConsentLogsFilters } from '../consent.js';
 import type { DbEntry, DbEntryInsert, DbEntryVersion, DbEntryVersionInsert, GetDbEntriesOptions, GetDbEntryVersionsOptions, GetPaginatedEntriesOptions, PaginatedEntryRow, PaginationOptions } from '../entries.js';
 import type { ImageFieldStyle } from '../fields.js';
 import type { FormSubmission } from '../forms.js';
@@ -23,6 +23,9 @@ export interface DatabaseAdapter {
     getPaginatedEntries?: GetPaginatedEntries;
     countPaginatedEntries?: CountPaginatedEntries;
     createConsentLog: CreateConsentLog;
+    getConsentLogs?: GetConsentLogs;
+    countConsentLogs?: CountConsentLogs;
+    getConsentLog?: GetConsentLog;
     getMediaTags: GetMediaTags;
     createMediaTag: CreateMediaTag;
     updateMediaTag: UpdateMediaTag;
@@ -86,6 +89,9 @@ export type GetFormSubmission = (id: string) => Promise<FormSubmission | null>;
 export type UpdateFormSubmission = (id: string, data: Partial<FormSubmission>) => Promise<FormSubmission>;
 export type DeleteFormSubmission = (id: string) => Promise<void>;
 export type CreateConsentLog = (data: ConsentLogData) => Promise<void>;
+export type GetConsentLogs = (filters: GetConsentLogsFilters) => Promise<ConsentLogRecord[]>;
+export type CountConsentLogs = (filters: Omit<GetConsentLogsFilters, 'limit' | 'offset'>) => Promise<number>;
+export type GetConsentLog = (id: string) => Promise<ConsentLogRecord | null>;
 export interface GetMediaFilesOptions {
     data: {
         tagIds?: string[];

package/dist/types/cms.d.ts

@@ -8,6 +8,7 @@ import type { FormConfig } from './forms.js';
 import type { AIAdapter } from './adapters/ai.js';
 import type { EmailAdapter } from './adapters/email.js';
 import type { ResolvedShopConfig } from '../shop/types.js';
+import type { ResolvedCmpConfig } from '../cmp/types.js';
 export interface VideoTranscodeConfig {
     /** Enable/disable auto-transcoding on upload (default: true) */
     transcode?: boolean;
@@ -79,6 +80,7 @@ export interface CMSConfig {
     typography?: TypographyConfig;
     sidebarHelp?: boolean;
     shop?: ResolvedShopConfig;
+    cmp?: ResolvedCmpConfig;
 }
 export interface ICMS {
     collections: Record<string, CollectionConfigWithType>;
@@ -96,4 +98,5 @@ export interface ICMS {
     apiKeys: ApiKeyConfig[];
     typographyConfig: TypographyConfig;
     shopConfig: ResolvedShopConfig | null;
+    cmpConfig: ResolvedCmpConfig | null;
 }

package/dist/types/consent.d.ts

@@ -19,4 +19,15 @@ export interface ConsentLogData {
     };
     cmpVersion: string;
     policyVersion: string;
+    parentLogId?: string | null;
+}
+export interface ConsentLogRecord extends ConsentLogData {
+    timestamp: Date;
+}
+export interface GetConsentLogsFilters {
+    startDate?: Date;
+    endDate?: Date;
+    country?: string;
+    limit?: number;
+    offset?: number;
 }

package/dist/updates/0.15.5/index.d.ts

@@ -0,0 +1,2 @@
+import type { CmsUpdate } from '../index.js';
+export declare const update: CmsUpdate;

package/dist/updates/0.15.5/index.js

@@ -0,0 +1,15 @@
+export const update = {
+    version: '0.15.5',
+    date: '2026-04-23',
+    description: 'Media field recovers from orphan references; delete dialog shows usage breakdown + replace hint. X-Frame-Options relaxed to SAMEORIGIN. Background maintenance no longer duplicates on Vite HMR. Runtime generator no longer triggers an infinite SSR reload loop in dev.',
+    features: [
+        'Admin media library: delete dialog (`FileDetails`) teraz pokazuje breakdown użyć pliku per kolekcja/single ("Plik jest używany w: Strony: 1") oraz hint wskazujący na funkcję **Zamień plik** (która zachowuje ID → wszystkie referencje). Dane ładowane asynchronicznie przez nowy remote query `findMediaReferences(id)` uruchamiany w momencie otwarcia dialogu. Scope (MVP): tylko najnowsza wersja per entry; historia poza zakresem. Walker po schematach (`media`, `file`, `seo.ogImage`, `object`, `blocks`, `content` z inline blocks) wyekstrahowany z `resolveImageFields.ts` jako reużywalne `extractMediaIdsFromData(data, fields)`.'
+    ],
+    fixes: [
+        '`media-field.svelte` nie blokuje już edycji entry gdy pole media wskazuje na usunięty plik (orphan reference). Wcześniej render wchodził w `{:else if singleFile}` z `singleFile=null` po nieudanym `getFileById`, co wyrzucało UI do pustego diva bez przycisków Zmień/Usuń — user zablokowany, nie mógł wstawić nowego obrazu. Nowa gałąź `{:else}` renderuje dashed warning placeholder ("Brakujący plik" / "Missing file") z zachowanymi kontrolkami. Analogicznie dla multi-media: per-item fallback pozwala usunąć pojedynczy orphan z tablicy bez czyszczenia pozostałych.',
+        '`X-Frame-Options` zmieniony z `DENY` na `SAMEORIGIN` w middleware `securityHeaders`. Wcześniej `DENY` blokował nawet same-origin framing, przez co admin CMS nie mógł załadować preview entry w iframe (`previewUrl` w konfiguracji kolekcji/single). Safari egzekwuje to rygorystycznie ("Refused to display ... in a frame because it set X-Frame-Options to DENY"). `SAMEORIGIN` dalej chroni przed clickjackingiem z obcych domen.',
+        '`startBackgroundMaintenance()` jest teraz idempotentne. Wcześniej każde wywołanie tworzyło nowy `setTimeout`/`setInterval` bez czyszczenia poprzedniego — w `pnpm dev` Vite HMR re-executuje `hooks.server.ts` (i tym samym `initCMS()`) przy każdej zmianie, więc po kilku edycjach działało N równoległych przebiegów maintenance. Stan timerów (`pendingTimeout`, `timer`, `running`, `lastResult`, `nextRunAt`) przeniesiony na `globalThis[Symbol.for("includio.maintenance.state")]`, żeby przeżył re-eval modułu w dev. Dodany guard: gdy timer już zaplanowany, kolejne `start()` loguje `already scheduled, skipping` i wychodzi. `stopBackgroundMaintenance()` teraz czyści również initial 30s `setTimeout`, nie tylko interval. Dodany `import.meta.hot.dispose()` czyszczący timery gdy Vite unlinkuje moduł.',
+        '`generateRuntime()` (`generator.ts`) nie zapisuje już plików gdy treść się nie zmieniła. Wcześniej każdy wywołanie `includioCMS()` (a więc każdy SSR reload Vite) bezwarunkowo `writeFileSync` na 5 plikach w `src/lib/cms/runtime/` (`api.ts`, `types.ts`, `schemas.ts`, `schema.ts`, `remote.ts`) — co aktualizowało mtime, Vite wykrywał zmianę, robił `(ssr) page reload`, znów wołał `includioCMS()` → znów zapis → nieskończona pętla reload w `pnpm dev`, blokująca pracę. Nowy helper `writeIfChanged(filePath, content)` najpierw czyta plik i zapisuje wyłącznie gdy treść się różni.'
+    ],
+    breakingChanges: []
+};

package/dist/updates/index.js

@@ -49,7 +49,8 @@ import { update as update0151 } from './0.15.1/index.js';
 import { update as update0152 } from './0.15.2/index.js';
 import { update as update0153 } from './0.15.3/index.js';
 import { update as update0154 } from './0.15.4/index.js';
-export const updates = [update0065, update0066, update0067, update0068, update0069, update010, update011, update012, update013, update014, update015, update020, update022, update050, update051, update052, update053, update054, update055, update056, update057, update058, update060, update061, update062, update070, update071, update072, update073, update080, update090, update0100, update0110, update0120, update0130, update0131, update0132, update0133, update0134, update0140, update0141, update0142, update0143, update0144, update0145, update0146, update0150, update0151, update0152, update0153, update0154];
+import { update as update0155 } from './0.15.5/index.js';
+export const updates = [update0065, update0066, update0067, update0068, update0069, update010, update011, update012, update013, update014, update015, update020, update022, update050, update051, update052, update053, update054, update055, update056, update057, update058, update060, update061, update062, update070, update071, update072, update073, update080, update090, update0100, update0110, update0120, update0130, update0131, update0132, update0133, update0134, update0140, update0141, update0142, update0143, update0144, update0145, update0146, update0150, update0151, update0152, update0153, update0154, update0155];
 export const getUpdatesFrom = (fromVersion) => {
     const fromParts = fromVersion.split('.').map(Number);
     return updates.filter((update) => {

package/package.json

@@ -1,6 +1,6 @@
 {
 	"name": "includio-cms",
-	"version": "0.15.4",
+	"version": "0.15.5",
 	"scripts": {
 		"dev": "vite dev",
 		"build": "vite build && npm run prepack",