includio-cms 0.15.4 → 0.16.0

package/CHANGELOG.md

@@ -3,6 +3,33 @@
 All notable changes to includio-cms are documented here.
 Generated from `src/lib/updates/` — do not edit manually.
 
+## 0.16.0 — 2026-04-29
+
+Hard reset martwego kodu — start drogi do v1.0.0. Wycięte: prototyp inline-edit, demo seed, demo routes. Zostają: cmp/ (backend działa), mockups/ (designy), isomorphic-dompurify (Faza 5), tippy.js (slash-command).
+
+### Breaking
+- `src/lib/inline-edit-proto/` — usunięty. Prototyp hybrid editor (`HybridEditor`, `EditableInline`, `EditablePanel`, `BlockWrapper`, `ModeToggle` itd.) skasowany w całości. Inline edit zostanie zaprojektowany od zera w v1.x z innym podejściem. Pełen kod zarchiwizowany lokalnie na branchu `archive/inline-edit-proto` (niepublikowany na origin). Projekty importujące cokolwiek z `$lib/inline-edit-proto/*` lub `includio-cms/inline-edit-proto` muszą wyciąć te wywołania — moduł nigdy nie był publikowany w `package.json` exports, więc realnie żadna external integracja się nie zerwie.
+- `src/lib/demo/seed.ts` — usunięte. Funkcja `seedDemoData()` (wpisywanie demo użytkownika `demo@includio.dev`) skasowana. Demo content zostanie zaprojektowany od zera w v1.x.
+- `src/routes/(site)/demo/` i `src/routes/admin/(afterLogin)/demo/` — usunięte. Demo pages (`/demo`, `/demo/inline-edit-test`, `/admin/demo/hybrid-editor`) skasowane razem z modułami. Live preview demo trzeba odbudować od zera.
+- `ROADMAP-EDITOR.md` — usunięty. Plan unified editora (Faza 0.2.0–0.5.0) zarchiwizowany razem z prototypem na branchu `archive/inline-edit-proto`.
+
+### Notes
+
+Brak SQL migration. Brak zmian publicznego API w `package.json` exports — `inline-edit-proto`, `demo`, ani `cmp` nigdy nie były tam wymienione, więc `pnpm i` w projekcie konsumującym przejdzie clean. `cmp/` ZOSTAJE: backend CMP (operations, `consent_logs` schema, public `createConsentLog`) i typy publiczne (`ResolvedCmpConfig`, `CmpStrings` w `CMSConfig.cmp`) działają bez zmian. Frontend banner dla CMP wróci jako feature w v1.x. Backlog `ideas/*.md` przeniesiony do `ideas/post-v1/` (lokalnie, katalog w `.gitignore`); `select-field-defaultvalue-bug.md` promowany do ROADMAP jako fix do v1.0. Bundle delta: `dist/` 8.8M → 8.5M (−0.3 MB) — mniej niż meta-plan szacował (−1.5 MB+), bo `inline-edit-proto/` był w `.gitignore` i nigdy nie trafiał do `dist/`. Realny zysk to czystsza struktura repo + zero martwego kodu w gałęzi roboczej.
+
+## 0.15.5 — 2026-04-23
+
+Media field recovers from orphan references; delete dialog shows usage breakdown + replace hint. X-Frame-Options relaxed to SAMEORIGIN. Background maintenance no longer duplicates on Vite HMR. Runtime generator no longer triggers an infinite SSR reload loop in dev.
+
+### Added
+- Admin media library: delete dialog (`FileDetails`) teraz pokazuje breakdown użyć pliku per kolekcja/single ("Plik jest używany w: Strony: 1") oraz hint wskazujący na funkcję **Zamień plik** (która zachowuje ID → wszystkie referencje). Dane ładowane asynchronicznie przez nowy remote query `findMediaReferences(id)` uruchamiany w momencie otwarcia dialogu. Scope (MVP): tylko najnowsza wersja per entry; historia poza zakresem. Walker po schematach (`media`, `file`, `seo.ogImage`, `object`, `blocks`, `content` z inline blocks) wyekstrahowany z `resolveImageFields.ts` jako reużywalne `extractMediaIdsFromData(data, fields)`.
+
+### Fixed
+- `media-field.svelte` nie blokuje już edycji entry gdy pole media wskazuje na usunięty plik (orphan reference). Wcześniej render wchodził w `{:else if singleFile}` z `singleFile=null` po nieudanym `getFileById`, co wyrzucało UI do pustego diva bez przycisków Zmień/Usuń — user zablokowany, nie mógł wstawić nowego obrazu. Nowa gałąź `{:else}` renderuje dashed warning placeholder ("Brakujący plik" / "Missing file") z zachowanymi kontrolkami. Analogicznie dla multi-media: per-item fallback pozwala usunąć pojedynczy orphan z tablicy bez czyszczenia pozostałych.
+- `X-Frame-Options` zmieniony z `DENY` na `SAMEORIGIN` w middleware `securityHeaders`. Wcześniej `DENY` blokował nawet same-origin framing, przez co admin CMS nie mógł załadować preview entry w iframe (`previewUrl` w konfiguracji kolekcji/single). Safari egzekwuje to rygorystycznie ("Refused to display ... in a frame because it set X-Frame-Options to DENY"). `SAMEORIGIN` dalej chroni przed clickjackingiem z obcych domen.
+- `startBackgroundMaintenance()` jest teraz idempotentne. Wcześniej każde wywołanie tworzyło nowy `setTimeout`/`setInterval` bez czyszczenia poprzedniego — w `pnpm dev` Vite HMR re-executuje `hooks.server.ts` (i tym samym `initCMS()`) przy każdej zmianie, więc po kilku edycjach działało N równoległych przebiegów maintenance. Stan timerów (`pendingTimeout`, `timer`, `running`, `lastResult`, `nextRunAt`) przeniesiony na `globalThis[Symbol.for("includio.maintenance.state")]`, żeby przeżył re-eval modułu w dev. Dodany guard: gdy timer już zaplanowany, kolejne `start()` loguje `already scheduled, skipping` i wychodzi. `stopBackgroundMaintenance()` teraz czyści również initial 30s `setTimeout`, nie tylko interval. Dodany `import.meta.hot.dispose()` czyszczący timery gdy Vite unlinkuje moduł.
+- `generateRuntime()` (`generator.ts`) nie zapisuje już plików gdy treść się nie zmieniła. Wcześniej każdy wywołanie `includioCMS()` (a więc każdy SSR reload Vite) bezwarunkowo `writeFileSync` na 5 plikach w `src/lib/cms/runtime/` (`api.ts`, `types.ts`, `schemas.ts`, `schema.ts`, `remote.ts`) — co aktualizowało mtime, Vite wykrywał zmianę, robił `(ssr) page reload`, znów wołał `includioCMS()` → znów zapis → nieskończona pętla reload w `pnpm dev`, blokująca pracę. Nowy helper `writeIfChanged(filePath, content)` najpierw czyta plik i zapisuje wyłącznie gdy treść się różni.
+
 ## 0.15.4 — 2026-04-21
 
 Forms: auto-scaffolded public submission endpoint + decoupled notification emails from submission success.

package/DOCS.md

@@ -1,4 +1,4 @@
-# Includio CMS Documentation (v0.15.4)
+# Includio CMS Documentation (v0.16.0)
 
 > This file is auto-generated from the docs site. For the latest version, update the package.
 

package/ROADMAP.md

@@ -324,17 +324,31 @@
 - [x] `[fix]` `[P0]` `createFormSubmission` — split try/catch so SMTP failure no longer returns `false` (endpoint responded 500 even though submission was persisted); notification email is best-effort, logged via `console.error` <!-- files: src/lib/core/server/forms/submissions/operations/create.ts -->
 - [ ] `[feature]` `[P1]` Built-in `/api/health` + `/api/health/ready` with per-adapter checks (db/files/email/ai) + ręczny SMTP diagnostics panel in maintenance page <!-- files: ideas/health-check-module.md -->
 
-## 0.16.0 — SEO module
+## 0.16.0 — Hard reset
 
-- [ ] `[feature]` `[P1]` SERP preview + character limits for title/description <!-- files: src/lib/admin/components/fields/seo-field.svelte -->
-- [ ] `[feature]` `[P1]` Global SEO settings
-- [ ] `[feature]` `[P1]` Dedicated frontend SEO components <!-- files: src/lib/sveltekit/components/seo.svelte -->
-- [ ] `[feature]` `[P2]` Sitemap generation
+> Start drogi do v1.0.0. Decyzje: **[V1-DECISIONS.md](./V1-DECISIONS.md)** | Workflow: **[V1-WORKFLOW.md](./V1-WORKFLOW.md)**
 
-## 0.17.0 — WCAG/ATAG compliance
+- [x] `[breaking]` `[P0]` Wycięty `src/lib/inline-edit-proto/` (kod na lokalnym branchu `archive/inline-edit-proto`) — inline edit od zera w v1.x
+- [x] `[breaking]` `[P0]` Wycięty `src/lib/demo/seed.ts` + demo routes (`/demo/*`, `/admin/demo/*`) — demo content od zera w v1.x
+- [x] `[breaking]` `[P0]` Skasowany `ROADMAP-EDITOR.md` (treść na archive branch)
+- [x] `[chore]` `[P2]` `ideas/*.md` przeniesione do `ideas/post-v1/` (lokalnie, w `.gitignore`); `select-field-defaultvalue-bug` promowany do v1.0 fix
+- [x] `[chore]` `[P2]` `V1-DECISIONS.md` jako referencja decyzji v1 dla każdej kolejnej sesji
 
-- [ ] `[chore]` `[P0]` Full WCAG/ATAG audit
-- [ ] `[feature]` `[P0]` Accessibility rework based on audit findings
+## v1.0.0 — Stabilizacja (in progress)
+
+> 13 faz w ~16 sesjach, droga 0.16 → 1.0.0. Lean scope: stabilizacja, security, testy, docs, audit + polish shopa. Bez nowych feature'ów.
+
+- [ ] `[fix]` `[P1]` Select field — `defaultValue` propagacja do zod schema (full repro: `ideas/post-v1/select-field-defaultvalue-bug.md`); fix planowany w Fazie 12 (RC)
+
+## v1.x — Post-v1.0 deferred
+
+- [ ] `[feature]` `[P1]` SEO module — SERP preview, char limits, global settings, frontend components, sitemap (full plan: `ideas/post-v1/seo-aeo-geo-module.md`)
+- [ ] `[feature]` `[P0]` WCAG/ATAG compliance — full audit + accessibility rework
+- [ ] `[feature]` `[P1]` CMP frontend banner — backend już działa (operations, `consent_logs`, `createConsentLog`); brakuje banner UI (`ideas/post-v1/cmp-module.md`)
+- [ ] `[feature]` `[P1]` Health check module — `/api/health` + `/api/health/ready` (`ideas/post-v1/health-check-module.md`)
+- [ ] `[feature]` `[P2]` Cache layer dla `getEntries` / `getEntry` / `countEntries` (`ideas/post-v1/cache-layer.md`)
+- [ ] `[feature]` `[P2]` Configurable sidebar (`ideas/post-v1/configurable-sidebar.md`)
+- [ ] `[feature]` `[P0]` Plugin hooks in CRUD ops + plugin registration API
 
 ## Security hardening
 

package/dist/admin/components/fields/media-field.svelte

@@ -30,6 +30,7 @@
 			a11yMissingAudioDesc: string;
 			a11yMissingBoth: string;
 			a11yHint: string;
+			missingFile: string;
 		}
 	> = {
 		pl: {
@@ -41,7 +42,8 @@
 			a11yMissingTranscript: 'Brakuje transkrypcji',
 			a11yMissingAudioDesc: 'Brakuje audiodeskrypcji',
 			a11yMissingBoth: 'Brakuje transkrypcji i audiodeskrypcji',
-			a11yHint: 'Uzupełnij w bibliotece mediów'
+			a11yHint: 'Uzupełnij w bibliotece mediów',
+			missingFile: 'Brakujący plik'
 		},
 		en: {
 			selectMedia: 'Select media',
@@ -52,7 +54,8 @@
 			a11yMissingTranscript: 'Transcript missing',
 			a11yMissingAudioDesc: 'Audio description missing',
 			a11yMissingBoth: 'Transcript and audio description missing',
-			a11yHint: 'Add it in the media library'
+			a11yHint: 'Add it in the media library',
+			missingFile: 'Missing file'
 		}
 	};
 
@@ -195,6 +198,17 @@
 	</button>
 {/snippet}
 
+{#snippet missingPlaceholder()}
+	<div
+		class="flex aspect-square w-full flex-col items-center justify-center gap-2 rounded-2xl border-2 border-dashed border-warning/50 bg-warning/5 p-6"
+	>
+		<div class="rounded-full bg-warning/10 p-3">
+			<AlertTriangle class="h-6 w-6 text-warning" />
+		</div>
+		<span class="text-sm text-warning">{lang[interfaceLanguage.current].missingFile}</span>
+	</div>
+{/snippet}
+
 {#snippet mediaActions(onRemove: () => void)}
 	<div class="flex items-center justify-between gap-2 mt-1.5">
 		<Button size="sm" variant="secondary" class="h-8" onclick={openPicker}>
@@ -224,6 +238,9 @@
 						{@render imagePreview(file)}
 					{/if}
 					{@render mediaActions(() => { value = ''; })}
+				{:else}
+					{@render missingPlaceholder()}
+					{@render mediaActions(() => { value = ''; })}
 				{/if}
 			{:else if Array.isArray(value) && value.length > 0}
 				{@const valueArr = value}
@@ -262,7 +279,42 @@
 							{/if}
 						</div>
 						{@render mediaActions(() => { value = field.multiple ? [] : ''; })}
+					{:else}
+						<div class="relative">
+							{@render missingPlaceholder()}
+							{#if valueArr.length > 1}
+								<div class="absolute inset-x-0 top-1/2 flex -translate-y-1/2 justify-between px-1 pointer-events-none">
+									<button
+										type="button"
+										class="pointer-events-auto flex h-8 w-8 items-center justify-center rounded-full bg-white/80 backdrop-blur shadow-md transition hover:bg-white hover:scale-105 dark:bg-background/80 dark:hover:bg-background"
+										onclick={() => { currentIndex = currentIndex > 0 ? currentIndex - 1 : valueArr.length - 1; }}
+									>
+										<ChevronLeft class="h-5 w-5" />
+									</button>
+									<button
+										type="button"
+										class="pointer-events-auto flex h-8 w-8 items-center justify-center rounded-full bg-white/80 backdrop-blur shadow-md transition hover:bg-white hover:scale-105 dark:bg-background/80 dark:hover:bg-background"
+										onclick={() => { currentIndex = currentIndex < valueArr.length - 1 ? currentIndex + 1 : 0; }}
+									>
+										<ChevronRight class="h-5 w-5" />
+									</button>
+								</div>
+								<div class="absolute top-2 right-2 rounded-full bg-plum-darker/60 px-2 py-0.5 text-xs font-medium text-white backdrop-blur">
+									{currentIndex + 1} / {valueArr.length}
+								</div>
+							{/if}
+						</div>
+						{@render mediaActions(() => {
+							if (Array.isArray(value)) {
+								const next = value.filter((_, i) => i !== currentIndex);
+								value = field.multiple ? next : next[0] ?? '';
+								if (currentIndex >= next.length) currentIndex = Math.max(0, next.length - 1);
+							}
+						})}
 					{/if}
+				{:else}
+					{@render missingPlaceholder()}
+					{@render mediaActions(() => { value = field.multiple ? [] : ''; })}
 				{/if}
 			{/if}
 		</div>

package/dist/admin/components/media/file/file-details.svelte

@@ -31,6 +31,19 @@
 	let deleteDialogOpen = $state(false);
 	let videoError = $state(false);
 
+	type ReferenceResult = {
+		total: number;
+		byCollection: Array<{ collection: string; label: string; count: number; kind: 'collection' | 'single' }>;
+	};
+
+	const referencesQuery = $derived(
+		deleteDialogOpen ? remotes.findMediaReferences(file.id) : null
+	);
+	const referencesLoading = $derived(!!referencesQuery && !referencesQuery.ready);
+	const references = $derived(
+		referencesQuery && referencesQuery.ready ? (referencesQuery.current as ReferenceResult) : null
+	);
+
 	$effect(() => {
 		file.url;
 		videoError = false;
@@ -43,6 +56,12 @@
 			deleteConfirmTitle: string;
 			deleteConfirmDesc: string;
 			deleteCancel: string;
+			usedInLoading: string;
+			usedInTitle: string;
+			missingAfterDelete: string;
+			replaceHintBefore: string;
+			replaceHintCta: string;
+			replaceHintAfter: string;
 			fileNameLabel: string;
 			fileUrlLabel: string;
 			fileAltLabel: string;
@@ -81,6 +100,12 @@
 			deleteConfirmTitle: 'Usunąć plik?',
 			deleteConfirmDesc: 'Plik zostanie trwale usunięty.',
 			deleteCancel: 'Anuluj',
+			usedInLoading: 'Liczenie użyć…',
+			usedInTitle: 'Plik jest używany w:',
+			missingAfterDelete: 'Po usunięciu te pola zostaną oznaczone jako brakujące.',
+			replaceHintBefore: 'Jeśli chcesz tylko zmienić obraz, użyj funkcji',
+			replaceHintCta: 'Zamień plik',
+			replaceHintAfter: ' — zachowa wszystkie referencje.',
 			replaceFileLabel: 'Zamień plik',
 			fileNameLabel: 'Nazwa pliku',
 			fileUrlLabel: 'URL',
@@ -118,6 +143,12 @@
 			deleteConfirmTitle: 'Delete file?',
 			deleteConfirmDesc: 'The file will be permanently deleted.',
 			deleteCancel: 'Cancel',
+			usedInLoading: 'Counting usages…',
+			usedInTitle: 'This file is used in:',
+			missingAfterDelete: 'After deletion these fields will be marked as missing.',
+			replaceHintBefore: 'If you only want to change the image, use the',
+			replaceHintCta: 'Replace file',
+			replaceHintAfter: ' action — it keeps all references intact.',
 			fileNameLabel: 'File name',
 			fileUrlLabel: 'URL',
 			fileAltLabel: 'Alt text',
@@ -565,6 +596,40 @@
 	<AlertDialog.Content>
 		<AlertDialog.Title>{lang[interfaceLanguage.current].deleteConfirmTitle}</AlertDialog.Title>
 		<AlertDialog.Description>{lang[interfaceLanguage.current].deleteConfirmDesc}</AlertDialog.Description>
+
+		{#if referencesLoading}
+			<div class="mt-2 flex items-center gap-2 text-sm text-muted-foreground">
+				<div class="h-3 w-3 animate-pulse rounded-full bg-muted"></div>
+				<span>{lang[interfaceLanguage.current].usedInLoading}</span>
+			</div>
+		{:else if references && references.total > 0}
+			<div class="mt-2 space-y-3 text-sm">
+				<div class="rounded-md border border-warning/40 bg-warning/5 p-3">
+					<div class="flex items-start gap-2">
+						<AlertTriangle class="h-4 w-4 text-warning mt-0.5 shrink-0" />
+						<div class="flex-1 min-w-0">
+							<p class="font-medium text-foreground">{lang[interfaceLanguage.current].usedInTitle}</p>
+							<ul class="mt-1.5 space-y-0.5">
+								{#each references.byCollection as ref}
+									<li class="text-muted-foreground">
+										<span class="font-medium text-foreground">{ref.label}</span>: {ref.count}
+									</li>
+								{/each}
+							</ul>
+							<p class="mt-2 text-xs text-muted-foreground">{lang[interfaceLanguage.current].missingAfterDelete}</p>
+						</div>
+					</div>
+				</div>
+				<p class="text-xs text-muted-foreground">
+					{lang[interfaceLanguage.current].replaceHintBefore}
+					<span class="inline-flex items-center gap-1 rounded border border-border bg-muted/50 px-1.5 py-0.5 font-medium text-foreground">
+						<Replace class="h-3 w-3" />
+						{lang[interfaceLanguage.current].replaceHintCta}
+					</span>{lang[interfaceLanguage.current].replaceHintAfter}
+				</p>
+			</div>
+		{/if}
+
 		<AlertDialog.Footer>
 			<AlertDialog.Cancel>{lang[interfaceLanguage.current].deleteCancel}</AlertDialog.Cancel>
 			<AlertDialog.Action

package/dist/admin/remote/media.remote.d.ts

@@ -33,6 +33,7 @@ export declare const getMediaTagsWithCounts: import("@sveltejs/kit").RemoteQuery
     count: number;
 }[]>;
 export declare const getFileById: import("@sveltejs/kit").RemoteQueryFunction<string, MediaFile | null>;
+export declare const findMediaReferences: import("@sveltejs/kit").RemoteQueryFunction<string, import("../../core/server/media/operations/findMediaReferences.js").MediaReferenceResult>;
 export declare const deleteMediaFile: import("@sveltejs/kit").RemoteCommand<string, Promise<void>>;
 export declare const bulkDeleteMediaFiles: import("@sveltejs/kit").RemoteCommand<{
     ids: string[];

package/dist/admin/remote/media.remote.js

@@ -2,6 +2,7 @@ import { command, query } from '$app/server';
 import { setAlt, renameMediaFile as renameMediaFileOperation, updateMediaAccessibility as updateMediaAccessibilityOp } from '../../core/server/media/operations/updateFile.js';
 import z from 'zod';
 import { deleteMediaFile as deleteMediaFileFn, bulkDeleteMediaFiles as bulkDeleteMediaFilesFn } from '../../core/server/media/operations/deleteMediaFile.js';
+import { findMediaReferences as findMediaReferencesFn } from '../../core/server/media/operations/findMediaReferences.js';
 import { getFile, getFiles, countFiles, getMediaTagsWithCounts as getMediaTagsWithCountsFn } from '../../core/server/media/operations/getFiles.js';
 import { getMediaTags as getMediaTagsFn, createMediaTag as createMediaTagFn, updateMediaTag as updateMediaTagFn, deleteMediaTag as deleteMediaTagFn, setMediaFileTags as setMediaFileTagsFn, bulkSetMediaFileTags as bulkSetMediaFileTagsFn } from '../../core/server/media/operations/tags.js';
 import { requireAuth } from './middleware/auth.js';
@@ -70,6 +71,10 @@ export const getMediaTagsWithCounts = query(async () => {
 export const getFileById = query(z.string().uuid(), async (id) => {
     return getFile(id);
 });
+export const findMediaReferences = query(z.string().uuid(), async (id) => {
+    requireAuth();
+    return findMediaReferencesFn(id);
+});
 export const deleteMediaFile = command(z.string().uuid(), async (id) => {
     requireAuth();
     return deleteMediaFileFn(id);

package/dist/cmp/types.d.ts

@@ -0,0 +1,25 @@
+export interface ResolvedCmpConfig {
+    enabled: boolean;
+    version: string;
+    policyVersion: string;
+    gtmConsentMode: boolean;
+    categories: {
+        analytics: boolean;
+        marketing: boolean;
+        preferences: boolean;
+    };
+    strings: Record<string, CmpStrings>;
+}
+export interface CmpStrings {
+    bannerTitle?: string;
+    bannerBody?: string;
+    acceptAll?: string;
+    rejectAll?: string;
+    customize?: string;
+    settingsTitle?: string;
+    save?: string;
+    necessary?: string;
+    analytics?: string;
+    marketing?: string;
+    preferences?: string;
+}

package/dist/cmp/types.js

@@ -0,0 +1 @@
+export {};

package/dist/core/cms.d.ts

@@ -10,6 +10,7 @@ import type { AIAdapter } from '../types/adapters/ai.js';
 import type { EmailAdapter } from '../types/adapters/email.js';
 import { betterAuth } from 'better-auth';
 import type { ResolvedShopConfig } from '../shop/types.js';
+import type { ResolvedCmpConfig } from '../cmp/types.js';
 export declare class CMS implements ICMS {
     private config;
     databaseAdapter: DatabaseAdapter;
@@ -26,6 +27,7 @@ export declare class CMS implements ICMS {
     typographyConfig: TypographyConfig;
     sidebarHelp: boolean;
     shopConfig: ResolvedShopConfig | null;
+    cmpConfig: ResolvedCmpConfig | null;
     plugins: PluginConfig[];
     customFields: Map<string, CustomFieldDefinition>;
     apiKeys: ApiKeyConfig[];

package/dist/core/cms.js

@@ -20,6 +20,7 @@ export class CMS {
     typographyConfig;
     sidebarHelp;
     shopConfig;
+    cmpConfig;
     plugins = [];
     customFields = new Map();
     apiKeys = [];
@@ -34,6 +35,7 @@ export class CMS {
         this.typographyConfig = config.typography || {};
         this.sidebarHelp = config.sidebarHelp ?? true;
         this.shopConfig = config.shop ?? null;
+        this.cmpConfig = config.cmp ?? null;
         this.collections = {};
         this.singles = {};
         this.forms = {};

package/dist/core/server/cmp/getCountryFromHeaders.d.ts

@@ -0,0 +1,10 @@
+/**
+ * Extract 2-letter ISO country code from request headers.
+ * Priority:
+ *   1. `cf-ipcountry` (Cloudflare)
+ *   2. `x-vercel-ip-country` (Vercel)
+ *   3. `x-country-code` (generic proxy)
+ *   4. Fallback: parse `Accept-Language` region subtag (e.g. `pl-PL` → `PL`)
+ * Returns 'XX' when no reliable source available.
+ */
+export declare function getCountryFromHeaders(headers: Headers): string;

package/dist/core/server/cmp/getCountryFromHeaders.js

@@ -0,0 +1,30 @@
+/**
+ * Extract 2-letter ISO country code from request headers.
+ * Priority:
+ *   1. `cf-ipcountry` (Cloudflare)
+ *   2. `x-vercel-ip-country` (Vercel)
+ *   3. `x-country-code` (generic proxy)
+ *   4. Fallback: parse `Accept-Language` region subtag (e.g. `pl-PL` → `PL`)
+ * Returns 'XX' when no reliable source available.
+ */
+export function getCountryFromHeaders(headers) {
+    const providerCountry = headers.get('cf-ipcountry') ??
+        headers.get('x-vercel-ip-country') ??
+        headers.get('x-country-code');
+    if (providerCountry) {
+        const normalized = providerCountry.trim().toUpperCase();
+        if (/^[A-Z]{2}$/.test(normalized))
+            return normalized;
+    }
+    const acceptLanguage = headers.get('accept-language');
+    if (acceptLanguage) {
+        const first = acceptLanguage.split(',')[0].trim();
+        const region = first.split('-')[1] ?? first.split('_')[1];
+        if (region) {
+            const normalized = region.split(';')[0].trim().toUpperCase();
+            if (/^[A-Z]{2}$/.test(normalized))
+                return normalized;
+        }
+    }
+    return 'XX';
+}

package/dist/core/server/cmp/operations/create.d.ts

@@ -0,0 +1,17 @@
+import type { RequestEvent } from '@sveltejs/kit';
+import type { ConsentLogData } from '../../../../types/consent.js';
+export interface CreateCmpConsentLogInput {
+    consents: ConsentLogData['consents'];
+    consentModeStatus: ConsentLogData['consentModeStatus'];
+    parentLogId?: string | null;
+}
+export interface CreateCmpConsentLogResult {
+    id: string;
+    timestamp: Date;
+}
+/**
+ * Creates a consent log from a SvelteKit request event.
+ * Extracts IP/UA/URL/language from headers, truncates the IP,
+ * pulls cmpVersion/policyVersion from the CMS cmpConfig.
+ */
+export declare function createCmpConsentLog(event: RequestEvent, input: CreateCmpConsentLogInput): Promise<CreateCmpConsentLogResult>;

package/dist/core/server/cmp/operations/create.js

@@ -0,0 +1,38 @@
+import { v4 as uuidv4 } from 'uuid';
+import { getCMS } from '../../../cms.js';
+import { truncateIpAddress } from '../truncateIpAddress.js';
+import { getCountryFromHeaders } from '../getCountryFromHeaders.js';
+/**
+ * Creates a consent log from a SvelteKit request event.
+ * Extracts IP/UA/URL/language from headers, truncates the IP,
+ * pulls cmpVersion/policyVersion from the CMS cmpConfig.
+ */
+export async function createCmpConsentLog(event, input) {
+    const cms = getCMS();
+    if (!cms.cmpConfig) {
+        throw new Error('CMP is not configured. Pass `cmp: defineCmp({...})` to your CMS config.');
+    }
+    const rawIp = event.request.headers.get('x-forwarded-for')?.split(',')[0]?.trim() ??
+        event.request.headers.get('x-real-ip') ??
+        event.getClientAddress();
+    const ipAddressTruncated = truncateIpAddress(rawIp);
+    const countryCode = getCountryFromHeaders(event.request.headers);
+    const language = event.request.headers.get('accept-language')?.split(',')[0]?.trim() ?? 'unknown';
+    const userAgent = event.request.headers.get('user-agent') ?? 'unknown';
+    const url = event.request.headers.get('referer') ?? event.url.toString();
+    const data = {
+        id: uuidv4(),
+        ipAddressTruncated,
+        countryCode,
+        language,
+        userAgent,
+        url,
+        consents: input.consents,
+        consentModeStatus: input.consentModeStatus,
+        cmpVersion: cms.cmpConfig.version,
+        policyVersion: cms.cmpConfig.policyVersion,
+        parentLogId: input.parentLogId ?? null
+    };
+    await cms.databaseAdapter.createConsentLog(data);
+    return { id: data.id, timestamp: new Date() };
+}

package/dist/core/server/cmp/operations/get.d.ts

@@ -0,0 +1,2 @@
+import type { ConsentLogRecord } from '../../../../types/consent.js';
+export declare function getConsentLog(id: string): Promise<ConsentLogRecord | null>;

package/dist/core/server/cmp/operations/get.js

@@ -0,0 +1,8 @@
+import { getCMS } from '../../../cms.js';
+export async function getConsentLog(id) {
+    const adapter = getCMS().databaseAdapter;
+    if (!adapter.getConsentLog) {
+        throw new Error('Database adapter does not implement getConsentLog. Use includio-cms db-postgres ≥ 0.16.0 or implement the method.');
+    }
+    return adapter.getConsentLog(id);
+}

package/dist/core/server/cmp/operations/list.d.ts

@@ -0,0 +1,3 @@
+import type { ConsentLogRecord, GetConsentLogsFilters } from '../../../../types/consent.js';
+export declare function getConsentLogs(filters?: GetConsentLogsFilters): Promise<ConsentLogRecord[]>;
+export declare function countConsentLogs(filters?: Omit<GetConsentLogsFilters, 'limit' | 'offset'>): Promise<number>;

package/dist/core/server/cmp/operations/list.js

@@ -0,0 +1,15 @@
+import { getCMS } from '../../../cms.js';
+export async function getConsentLogs(filters = {}) {
+    const adapter = getCMS().databaseAdapter;
+    if (!adapter.getConsentLogs) {
+        throw new Error('Database adapter does not implement getConsentLogs. Use includio-cms db-postgres ≥ 0.16.0 or implement the method.');
+    }
+    return adapter.getConsentLogs(filters);
+}
+export async function countConsentLogs(filters = {}) {
+    const adapter = getCMS().databaseAdapter;
+    if (!adapter.countConsentLogs) {
+        throw new Error('Database adapter does not implement countConsentLogs. Use includio-cms db-postgres ≥ 0.16.0 or implement the method.');
+    }
+    return adapter.countConsentLogs(filters);
+}

package/dist/core/server/cmp/truncateIpAddress.d.ts

@@ -0,0 +1,7 @@
+/**
+ * GDPR-compliant IP anonymization.
+ * IPv4: zero last octet (e.g. 192.168.1.42 → 192.168.1.0)
+ * IPv6: zero last 80 bits / keep /48 prefix (e.g. 2001:db8:abcd:1234::1 → 2001:db8:abcd::)
+ * Invalid input → 'unknown'
+ */
+export declare function truncateIpAddress(ip: string | null | undefined): string;

package/dist/core/server/cmp/truncateIpAddress.js

@@ -0,0 +1,57 @@
+/**
+ * GDPR-compliant IP anonymization.
+ * IPv4: zero last octet (e.g. 192.168.1.42 → 192.168.1.0)
+ * IPv6: zero last 80 bits / keep /48 prefix (e.g. 2001:db8:abcd:1234::1 → 2001:db8:abcd::)
+ * Invalid input → 'unknown'
+ */
+export function truncateIpAddress(ip) {
+    if (!ip)
+        return 'unknown';
+    const trimmed = ip.trim();
+    if (!trimmed)
+        return 'unknown';
+    if (trimmed.includes('.') && !trimmed.includes(':')) {
+        return truncateIpv4(trimmed);
+    }
+    if (trimmed.includes(':')) {
+        return truncateIpv6(trimmed);
+    }
+    return 'unknown';
+}
+function truncateIpv4(ip) {
+    const parts = ip.split('.');
+    if (parts.length !== 4)
+        return 'unknown';
+    for (let i = 0; i < 4; i++) {
+        const n = Number(parts[i]);
+        if (!Number.isInteger(n) || n < 0 || n > 255)
+            return 'unknown';
+    }
+    return `${parts[0]}.${parts[1]}.${parts[2]}.0`;
+}
+function truncateIpv6(ip) {
+    const stripped = ip.split('%')[0];
+    const doubleColon = stripped.indexOf('::');
+    let groups;
+    if (doubleColon !== -1) {
+        const left = stripped.slice(0, doubleColon);
+        const right = stripped.slice(doubleColon + 2);
+        const leftGroups = left ? left.split(':') : [];
+        const rightGroups = right ? right.split(':') : [];
+        const missing = 8 - leftGroups.length - rightGroups.length;
+        if (missing < 0)
+            return 'unknown';
+        groups = [...leftGroups, ...Array(missing).fill('0'), ...rightGroups];
+    }
+    else {
+        groups = stripped.split(':');
+    }
+    if (groups.length !== 8)
+        return 'unknown';
+    for (const g of groups) {
+        if (!/^[0-9a-fA-F]{0,4}$/.test(g))
+            return 'unknown';
+    }
+    const prefix = groups.slice(0, 3).map((g) => g.toLowerCase().replace(/^0+(?=.)/, '') || '0');
+    return `${prefix.join(':')}::`;
+}

package/dist/core/server/fields/resolveImageFields.d.ts

@@ -1,3 +1,8 @@
 import type { EntryData, PopulatedEntryData } from '../../../types/entries.js';
 import type { Field } from '../../../types/fields.js';
+/**
+ * Walk entry data according to the field schema and collect all media file UUID references.
+ * Covers media/file/seo/object/blocks/content (incl. inline blocks inside content).
+ */
+export declare function extractMediaIdsFromData(data: EntryData, fields: Field[]): string[];
 export declare function resolveMediaFields(data: EntryData, fields: Field[]): Promise<PopulatedEntryData>;

package/dist/core/server/fields/resolveImageFields.js

@@ -4,7 +4,11 @@ import { getCMS } from '../../cms.js';
 import z from 'zod';
 import { getImageStyles } from './utils/imageStyles.js';
 import { extractMediaIds as extractMediaIdsFromDoc, walkMediaNodes, walkInlineBlockNodes, cloneDoc } from '../../../admin/components/tiptap/structured-content-utils.js';
-export async function resolveMediaFields(data, fields) {
+/**
+ * Walk entry data according to the field schema and collect all media file UUID references.
+ * Covers media/file/seo/object/blocks/content (incl. inline blocks inside content).
+ */
+export function extractMediaIdsFromData(data, fields) {
     const mediaIds = [];
     // eslint-disable-next-line @typescript-eslint/no-explicit-any
     const collectIds = (value, fields) => {
@@ -71,6 +75,10 @@ export async function resolveMediaFields(data, fields) {
         }
     };
     collectIds(data, fields);
+    return mediaIds;
+}
+export async function resolveMediaFields(data, fields) {
+    const mediaIds = extractMediaIdsFromData(data, fields);
     if (mediaIds.length === 0)
         return data;
     const media = await getCMS().databaseAdapter.getMediaFiles({