includio-cms 0.19.0 → 0.21.0

package/dist/server/security/csrf.js

@@ -0,0 +1,49 @@
+const MUTATING_METHODS = new Set(['POST', 'PUT', 'PATCH', 'DELETE']);
+function getAllowedOrigins() {
+    const env = process.env.INCLUDIO_CSRF_ALLOWED_ORIGINS ?? '';
+    return new Set(env
+        .split(',')
+        .map((s) => s.trim())
+        .filter(Boolean));
+}
+/**
+ * Returns true when a request is CSRF-safe: a non-mutating method, or a mutating
+ * method whose Origin/Referer matches the request URL origin (or the env allowlist).
+ * @internal
+ */
+export function isCsrfSafe(event) {
+    const method = event.request.method.toUpperCase();
+    if (!MUTATING_METHODS.has(method))
+        return true;
+    const expected = event.url.origin;
+    const allowed = getAllowedOrigins();
+    const origin = event.request.headers.get('origin');
+    if (origin)
+        return origin === expected || allowed.has(origin);
+    const referer = event.request.headers.get('referer');
+    if (referer) {
+        try {
+            const refOrigin = new URL(referer).origin;
+            return refOrigin === expected || allowed.has(refOrigin);
+        }
+        catch {
+            return false;
+        }
+    }
+    return false;
+}
+/**
+ * SvelteKit handle that rejects mutating requests under `/admin/api/*` lacking a
+ * matching Origin/Referer header. Other paths and safe methods pass through.
+ * @internal
+ */
+export const csrfGuard = async ({ event, resolve }) => {
+    if (!event.url.pathname.startsWith('/admin/api/'))
+        return resolve(event);
+    if (isCsrfSafe(event))
+        return resolve(event);
+    return new Response(JSON.stringify({ error: 'csrf_rejected' }), {
+        status: 403,
+        headers: { 'content-type': 'application/json' }
+    });
+};

package/dist/server/security/index.d.ts

@@ -0,0 +1,3 @@
+export { csrfGuard, isCsrfSafe } from './csrf.js';
+export { rateLimitGuard, MemoryRateLimitStore, type RateLimitStore, type RateLimitResult, type RateLimitGuardOptions } from './rate-limit.js';
+export { buildCspHeader, type CspOptions } from './csp.js';

package/dist/server/security/index.js

@@ -0,0 +1,3 @@
+export { csrfGuard, isCsrfSafe } from './csrf.js';
+export { rateLimitGuard, MemoryRateLimitStore } from './rate-limit.js';
+export { buildCspHeader } from './csp.js';

package/dist/server/security/rate-limit.d.ts

@@ -0,0 +1,44 @@
+import type { Handle, RequestEvent } from '@sveltejs/kit';
+export interface RateLimitResult {
+    allowed: boolean;
+    remaining: number;
+    resetAt: number;
+}
+/**
+ * Pluggable storage for {@link rateLimitGuard}. The default implementation is
+ * in-memory; multi-node deploys should provide a Redis-backed store.
+ * @internal
+ */
+export interface RateLimitStore {
+    hit(key: string, windowMs: number, limit: number): Promise<RateLimitResult>;
+}
+/**
+ * In-memory {@link RateLimitStore}. Per-process; not safe across multiple nodes.
+ * @internal
+ */
+export declare class MemoryRateLimitStore implements RateLimitStore {
+    private buckets;
+    private cleanupInterval;
+    constructor(opts?: {
+        cleanupMs?: number;
+    });
+    hit(key: string, windowMs: number, limit: number): Promise<RateLimitResult>;
+    private cleanup;
+    reset(key?: string): void;
+    dispose(): void;
+}
+export interface RateLimitGuardOptions {
+    store?: RateLimitStore;
+    limit?: number;
+    windowMs?: number;
+    pathPrefix?: string;
+    key?: (event: RequestEvent) => string;
+}
+/**
+ * SvelteKit handle that limits requests under `pathPrefix` (default `/admin/api/`)
+ * per key (default: authenticated user id, falling back to client IP). Returns
+ * 429 with `Retry-After` when exceeded. Defaults: 200 req / 60s, override via env
+ * `INCLUDIO_RATE_LIMIT_MAX` / `INCLUDIO_RATE_LIMIT_WINDOW_MS`.
+ * @internal
+ */
+export declare function rateLimitGuard(opts?: RateLimitGuardOptions): Handle;

package/dist/server/security/rate-limit.js

@@ -0,0 +1,97 @@
+import { json } from '@sveltejs/kit';
+/**
+ * In-memory {@link RateLimitStore}. Per-process; not safe across multiple nodes.
+ * @internal
+ */
+export class MemoryRateLimitStore {
+    buckets = new Map();
+    cleanupInterval;
+    constructor(opts = {}) {
+        const cleanupMs = opts.cleanupMs ?? 60_000;
+        if (cleanupMs > 0 && typeof setInterval === 'function') {
+            this.cleanupInterval = setInterval(() => this.cleanup(), cleanupMs);
+            const i = this.cleanupInterval;
+            if (typeof i.unref === 'function')
+                i.unref();
+        }
+    }
+    async hit(key, windowMs, limit) {
+        const now = Date.now();
+        const bucket = this.buckets.get(key);
+        if (!bucket || bucket.resetAt <= now) {
+            const fresh = { count: 1, resetAt: now + windowMs };
+            this.buckets.set(key, fresh);
+            return { allowed: true, remaining: Math.max(0, limit - 1), resetAt: fresh.resetAt };
+        }
+        if (bucket.count >= limit) {
+            return { allowed: false, remaining: 0, resetAt: bucket.resetAt };
+        }
+        bucket.count += 1;
+        return { allowed: true, remaining: limit - bucket.count, resetAt: bucket.resetAt };
+    }
+    cleanup() {
+        const now = Date.now();
+        for (const [k, b] of this.buckets) {
+            if (b.resetAt <= now)
+                this.buckets.delete(k);
+        }
+    }
+    reset(key) {
+        if (key)
+            this.buckets.delete(key);
+        else
+            this.buckets.clear();
+    }
+    dispose() {
+        if (this.cleanupInterval)
+            clearInterval(this.cleanupInterval);
+        this.cleanupInterval = undefined;
+    }
+}
+function num(env, fallback) {
+    const n = env ? Number(env) : NaN;
+    return Number.isFinite(n) && n > 0 ? n : fallback;
+}
+/**
+ * SvelteKit handle that limits requests under `pathPrefix` (default `/admin/api/`)
+ * per key (default: authenticated user id, falling back to client IP). Returns
+ * 429 with `Retry-After` when exceeded. Defaults: 200 req / 60s, override via env
+ * `INCLUDIO_RATE_LIMIT_MAX` / `INCLUDIO_RATE_LIMIT_WINDOW_MS`.
+ * @internal
+ */
+export function rateLimitGuard(opts = {}) {
+    const store = opts.store ?? new MemoryRateLimitStore();
+    const limit = opts.limit ?? num(process.env.INCLUDIO_RATE_LIMIT_MAX, 200);
+    const windowMs = opts.windowMs ?? num(process.env.INCLUDIO_RATE_LIMIT_WINDOW_MS, 60_000);
+    const pathPrefix = opts.pathPrefix ?? '/admin/api/';
+    const keyFn = opts.key ??
+        ((event) => {
+            const userId = event.locals?.user?.id;
+            if (userId)
+                return `u:${userId}`;
+            try {
+                return `ip:${event.getClientAddress()}`;
+            }
+            catch {
+                return 'ip:unknown';
+            }
+        });
+    return async ({ event, resolve }) => {
+        if (!event.url.pathname.startsWith(pathPrefix))
+            return resolve(event);
+        const result = await store.hit(keyFn(event), windowMs, limit);
+        if (!result.allowed) {
+            const retryAfter = Math.max(1, Math.ceil((result.resetAt - Date.now()) / 1000));
+            return json({ error: 'rate_limited', resetAt: result.resetAt }, {
+                status: 429,
+                headers: {
+                    'retry-after': String(retryAfter),
+                    'x-ratelimit-limit': String(limit),
+                    'x-ratelimit-remaining': '0',
+                    'x-ratelimit-reset': String(Math.ceil(result.resetAt / 1000))
+                }
+            });
+        }
+        return resolve(event);
+    };
+}

package/dist/server/utils/withTimeout.d.ts

@@ -0,0 +1,21 @@
+/**
+ * Race a promise against a deadline. Resolves with the original promise's value
+ * if it settles before `ms`; otherwise rejects with {@link TimeoutError}.
+ * Cleans up the timer in both success and failure paths so it never holds the
+ * event loop.
+ * @internal
+ */
+export declare class TimeoutError extends Error {
+    readonly label: string;
+    readonly ms: number;
+    readonly name = "TimeoutError";
+    constructor(label: string, ms: number);
+}
+/** @internal */
+export declare function withTimeout<T>(promise: Promise<T>, ms: number, label: string): Promise<T>;
+/**
+ * Resolved timeout (ms) for sharp operations. Override via `INCLUDIO_SHARP_TIMEOUT_MS`.
+ * Documented in `KNOWN-RISKS.md` §4.
+ * @internal
+ */
+export declare function sharpTimeoutMs(): number;

package/dist/server/utils/withTimeout.js

@@ -0,0 +1,37 @@
+/**
+ * Race a promise against a deadline. Resolves with the original promise's value
+ * if it settles before `ms`; otherwise rejects with {@link TimeoutError}.
+ * Cleans up the timer in both success and failure paths so it never holds the
+ * event loop.
+ * @internal
+ */
+export class TimeoutError extends Error {
+    label;
+    ms;
+    name = 'TimeoutError';
+    constructor(label, ms) {
+        super(`${label} timed out after ${ms}ms`);
+        this.label = label;
+        this.ms = ms;
+    }
+}
+/** @internal */
+export function withTimeout(promise, ms, label) {
+    let timer;
+    const timeout = new Promise((_, reject) => {
+        timer = setTimeout(() => reject(new TimeoutError(label, ms)), ms);
+    });
+    return Promise.race([promise, timeout]).finally(() => {
+        if (timer)
+            clearTimeout(timer);
+    });
+}
+/**
+ * Resolved timeout (ms) for sharp operations. Override via `INCLUDIO_SHARP_TIMEOUT_MS`.
+ * Documented in `KNOWN-RISKS.md` §4.
+ * @internal
+ */
+export function sharpTimeoutMs() {
+    const n = Number(process.env.INCLUDIO_SHARP_TIMEOUT_MS);
+    return Number.isFinite(n) && n > 0 ? n : 30_000;
+}

package/dist/shop/client/index.d.ts

@@ -125,3 +125,7 @@ export declare function createShopClient(options?: ShopClientOptions): ShopClien
 export type { CartSnapshot, CartLine, CartItemRef } from '../cart/types.js';
 export { createOrderState } from './use-order.svelte.js';
 export type { OrderState, CreateOrderStateOptions, OrderPaymentPhase } from './use-order.svelte.js';
+export { default as OrderStatus } from '../svelte/OrderStatus.svelte';
+export { default as InpostPicker } from '../svelte/InpostPicker.svelte';
+export { DEFAULT_LABELS_PL } from '../svelte/labels.js';
+export type { OrderStatusLabels } from '../svelte/labels.js';

package/dist/shop/client/index.js

@@ -47,3 +47,7 @@ function tokenQuery(token) {
     return token ? `?token=${encodeURIComponent(token)}` : '';
 }
 export { createOrderState } from './use-order.svelte.js';
+// Folded from `./shop/svelte` (dropped as separate export in 0.20.0)
+export { default as OrderStatus } from '../svelte/OrderStatus.svelte';
+export { default as InpostPicker } from '../svelte/InpostPicker.svelte';
+export { DEFAULT_LABELS_PL } from '../svelte/labels.js';

package/dist/sveltekit/config.d.ts

@@ -12,9 +12,29 @@ type SingleInput = Omit<SingleConfig, 'fields'> & {
     fields: Field[];
     layout?: Layout;
 };
+/**
+ * Defines the root CMS configuration. Pass to `includioCMS()` in `hooks.server.ts`.
+ * @public
+ */
 export declare function defineConfig(config: CMSConfig): CMSConfig;
+/**
+ * Defines a collection (multi-entry content type).
+ * @public
+ */
 export declare function defineCollection(config: CollectionInput): CollectionConfig;
+/**
+ * Defines a singleton (single-entry content type, e.g. site settings).
+ * @public
+ */
 export declare function defineSingle(config: SingleInput): SingleConfig;
+/**
+ * Defines a public form (submitted via `/api/forms/[slug]/submit`).
+ * @public
+ */
 export declare function defineForm(config: FormConfig): FormConfig;
+/**
+ * Defines a reusable object field (nested record). Use inside `fields[]`.
+ * @public
+ */
 export declare function defineObject(config: Omit<ObjectField, 'type'>): ObjectField;
 export {};

package/dist/sveltekit/config.js

@@ -1,15 +1,35 @@
+/**
+ * Defines the root CMS configuration. Pass to `includioCMS()` in `hooks.server.ts`.
+ * @public
+ */
 export function defineConfig(config) {
     return config;
 }
+/**
+ * Defines a collection (multi-entry content type).
+ * @public
+ */
 export function defineCollection(config) {
     return config;
 }
+/**
+ * Defines a singleton (single-entry content type, e.g. site settings).
+ * @public
+ */
 export function defineSingle(config) {
     return config;
 }
+/**
+ * Defines a public form (submitted via `/api/forms/[slug]/submit`).
+ * @public
+ */
 export function defineForm(config) {
     return config;
 }
+/**
+ * Defines a reusable object field (nested record). Use inside `fields[]`.
+ * @public
+ */
 export function defineObject(config) {
     return { ...config, type: 'object' };
 }

package/dist/sveltekit/server/handle.d.ts

@@ -1,3 +1,7 @@
 import { type Handle } from '@sveltejs/kit';
 import type { CMSConfig } from '../../types/cms.js';
+/**
+ * SvelteKit `Handle[]` array that initializes the CMS, generates runtime artifacts, wires auth/admin guards, and exposes `event.locals.cmsContext`. Compose with `sequence()` in `hooks.server.ts`.
+ * @public
+ */
 export declare function includioCMS(cmsConfig: CMSConfig): Handle[];

package/dist/sveltekit/server/handle.js

@@ -4,6 +4,9 @@ import { getCMS, initCMS } from '../../core/cms.js';
 import { generateRuntime } from '../../core/server/generator/generator.js';
 import { svelteKitHandler } from 'better-auth/svelte-kit';
 import { building } from '$app/environment';
+import { csrfGuard } from '../../server/security/csrf.js';
+import { rateLimitGuard } from '../../server/security/rate-limit.js';
+import { buildCspHeader } from '../../server/security/csp.js';
 const adminGuard = async ({ event, resolve }) => {
     const { user, session } = event.locals;
     // Secure the admin routes
@@ -65,22 +68,30 @@ const detectBrowserContext = async ({ event, resolve }) => {
     };
     return resolve(event);
 };
+/**
+ * SvelteKit `Handle[]` array that initializes the CMS, generates runtime artifacts, wires auth/admin guards, and exposes `event.locals.cmsContext`. Compose with `sequence()` in `hooks.server.ts`.
+ * @public
+ */
 export function includioCMS(cmsConfig) {
     generateRuntime(cmsConfig); // Generate runtime code based on the CMS config
     initCMS(cmsConfig);
     const handles = [];
     handles.push(detectBrowserContext);
+    handles.push(csrfGuard);
     if (cmsConfig.auth) {
         handles.push(handleAuth);
     }
+    handles.push(rateLimitGuard());
     handles.push(adminGuard);
     handles.push(securityHeaders);
     return handles;
 }
+const CSP_VALUE = buildCspHeader();
 const securityHeaders = async ({ event, resolve }) => {
     const response = await resolve(event);
     response.headers.set('X-Content-Type-Options', 'nosniff');
     response.headers.set('X-Frame-Options', 'SAMEORIGIN');
     response.headers.set('Referrer-Policy', 'strict-origin-when-cross-origin');
+    response.headers.set('Content-Security-Policy', CSP_VALUE);
     return response;
 };

package/dist/sveltekit/server/index.d.ts

@@ -5,3 +5,5 @@ export { createFormSubmission } from '../../core/server/forms/submissions/operat
 export { parseFormDataForSubmission } from '../../core/server/forms/submissions/utils/parseMultipart.js';
 export { createConsentLog } from '../../core/server/consentLogs/operations/create.js';
 export { getPreviewEntry } from './preview.js';
+export { createRestApiHandler } from '../../admin/api/rest/handler.js';
+export { generateApiKey } from '../../admin/api/rest/middleware/generateApiKey.js';

package/dist/sveltekit/server/index.js

@@ -5,3 +5,6 @@ export { createFormSubmission } from '../../core/server/forms/submissions/operat
 export { parseFormDataForSubmission } from '../../core/server/forms/submissions/utils/parseMultipart.js';
 export { createConsentLog } from '../../core/server/consentLogs/operations/create.js';
 export { getPreviewEntry } from './preview.js';
+// Folded from `./admin/api/rest/handler` (dropped as separate export in 0.20.0)
+export { createRestApiHandler } from '../../admin/api/rest/handler.js';
+export { generateApiKey } from '../../admin/api/rest/middleware/generateApiKey.js';

package/dist/sveltekit/server/layout.d.ts

@@ -1,4 +1,8 @@
 import type { RequestEvent } from '@sveltejs/kit';
+/**
+ * Returns `cmsContext` from `event.locals` for use in a SvelteKit layout `load`. Drop into your `+layout.server.ts`.
+ * @public
+ */
 export declare function cmsLayoutLoad(event: RequestEvent): {
     cmsContext: any;
 };

package/dist/sveltekit/server/layout.js

@@ -1,3 +1,7 @@
+/**
+ * Returns `cmsContext` from `event.locals` for use in a SvelteKit layout `load`. Drop into your `+layout.server.ts`.
+ * @public
+ */
 export function cmsLayoutLoad(event) {
     return {
         cmsContext: event.locals.cmsContext ?? {}

package/dist/sveltekit/server/preview.d.ts

@@ -1,5 +1,9 @@
 import type { Entry } from '../../types/entries.js';
 import { type RequestEvent } from '@sveltejs/kit';
+/**
+ * Resolves the preview entry from a `?preview=<versionId>` query param. Requires an authenticated session — throws `Unauthorized` otherwise.
+ * @public
+ */
 export declare function getPreviewEntry(event: RequestEvent, options: {
     language: string;
 }): Promise<Entry | null>;

package/dist/sveltekit/server/preview.js

@@ -1,5 +1,9 @@
 import { getEntryVersion } from '../../core/server/entries/operations/get.js';
 import {} from '@sveltejs/kit';
+/**
+ * Resolves the preview entry from a `?preview=<versionId>` query param. Requires an authenticated session — throws `Unauthorized` otherwise.
+ * @public
+ */
 export async function getPreviewEntry(event, options) {
     const preview = event.url.searchParams.get('preview');
     if (!preview) {

package/dist/types/cms.d.ts

@@ -60,6 +60,10 @@ export interface ApiKeyConfig {
     key: string;
     name?: string;
     role?: 'admin' | 'editor';
+    /** Opt-in expiry. ISO-8601 timestamp; past dates → 401 on use. */
+    expiresAt?: string;
+    /** Audit-trail only; not enforced. ISO-8601 timestamp of last manual rotation. */
+    rotatedAt?: string;
 }
 export interface TypographyConfig {
     fixOrphans?: boolean;

package/dist/types/index.d.ts

@@ -14,3 +14,4 @@ export { type PluginConfig, type CustomFieldDefinition } from './plugins.js';
 export { type Language, type Localized } from './languages.js';
 export { type Layout, type LayoutNode, type LayoutPreset, type LayoutNodeType, type ColumnRatio, type SectionNode, type ColumnsNode, type CardNode, type AccordionNode, type StackNode } from './layout.js';
 export { type CmsContext } from './cms-context.js';
+export { type UserData, type Breadcrumb } from '../admin/types.js';

package/dist/types/index.js

@@ -14,3 +14,4 @@ export {} from './plugins.js';
 export {} from './languages.js';
 export {} from './layout.js';
 export {} from './cms-context.js';
+export {} from '../admin/types.js';

package/dist/types/plugins.d.ts

@@ -3,6 +3,10 @@ import type { z } from 'zod';
 import type { RawEntry } from './entries.js';
 import type { CustomField } from './fields.js';
 import type { PopulateCtx } from '../core/server/entries/operations/resolveEntry.js';
+/**
+ * Defines a custom field type contributed by a plugin.
+ * @experimental Plugin system finalizes in 1.x — shape may change.
+ */
 export interface CustomFieldDefinition {
     /** Unique field type slug, e.g. 'photo-grid' */
     fieldType: string;
@@ -20,6 +24,10 @@ export interface CustomFieldDefinition {
      */
     populateResolver?: (value: unknown, field: CustomField, ctx: PopulateCtx) => Promise<unknown>;
 }
+/**
+ * CMS plugin configuration — register custom field types and CRUD lifecycle hooks.
+ * @experimental Plugin hooks API not finalized — may change in 1.x without breaking semver.
+ */
 export interface PluginConfig {
     slug: string;
     fields?: CustomFieldDefinition[];

package/dist/updates/0.20.0/index.d.ts

@@ -0,0 +1,2 @@
+import type { CmsUpdate } from '../index.js';
+export declare const update: CmsUpdate;

package/dist/updates/0.20.0/index.js

@@ -0,0 +1,54 @@
+export const update = {
+    version: '0.20.0',
+    date: '2026-04-29',
+    description: 'API Surface Lock — exports trim 26→15, JSDoc tagi (`@public`/`@experimental`/`@internal`), autogenerowany `API.md`. Powierzchnia publiczna zamrożona w v1.0 — w 1.x tylko `@experimental` może się zmienić bez breaking semver.',
+    features: [
+        '`API.md` w root — autogenerowany przez `scripts/generate-api-md.ts` (ts-morph). 15 entry pointów, ~345 stable, 2 experimental. Skrypt wpięty w `prepublishOnly`.',
+        'Wszystkie publiczne `define*` helpery (`defineConfig`, `defineCollection`, `defineSingle`, `defineForm`, `defineObject`) oznaczone `@public`.',
+        '`getCMS`, `getAuth`, `createEntityAPI`, `resolveMediaWithStyles`, `includioCMS`, `cmsLayoutLoad`, `getPreviewEntry`, `createFormSubmission`, `parseFormDataForSubmission`, `createConsentLog`, `createRestApiHandler` — `@public`.',
+        '`PluginConfig` + `CustomFieldDefinition` oznaczone `@experimental` — plugin hooks API finalizujemy w 1.x.'
+    ],
+    fixes: [],
+    breakingChanges: [
+        '**`package.json` exports trim 26→15.** Usunięte / scalone entry pointy poniżej. Każdy import wymaga jednorazowej migracji (znajdź-i-zamień).',
+        '`includio-cms/admin` → `includio-cms/types` (typy `UserData`, `Breadcrumb` przeniesione do publicznych typów).',
+        '`includio-cms/admin/helpers` → `includio-cms/admin/client` (re-eksport — zmień tylko ścieżkę importu).',
+        '`includio-cms/admin/ui` → `includio-cms/admin/client` (re-eksport — zmień tylko ścieżkę importu).',
+        '`includio-cms/admin/client/account` → `includio-cms/admin/client` (re-eksport — `AccountPage` dostępny pod nową ścieżką).',
+        '`includio-cms/admin/api/*` (wildcard) → **usunięte**. Były to internalsy (media-gc, upload, transcode, replace) — nie powinny być publiczne. Brak migracji.',
+        '`includio-cms/admin/api/rest/handler` → `includio-cms/sveltekit/server` (`createRestApiHandler` — zmień ścieżkę importu).',
+        '`includio-cms/admin/client/*.svelte` (wildcard) → użyj nazwanych eksportów z `includio-cms/admin/client`.',
+        '`includio-cms/sveltekit/components/*.svelte` (wildcard) → użyj nazwanych eksportów z `includio-cms/sveltekit`.',
+        '`includio-cms/db-postgres/schema-core` + `includio-cms/db-postgres/schema-shop` + `includio-cms/auth-schema` → `includio-cms/db-postgres` (jeden barrel — wszystkie tabele, w tym auth, dostępne pod jedną ścieżką).',
+        '`includio-cms/auth` → `includio-cms/core` (`getAuth` — zmień ścieżkę importu).',
+        '`includio-cms/entity` → `includio-cms/core` (`createEntityAPI` — zmień ścieżkę importu).',
+        '`includio-cms/shop/svelte` → `includio-cms/shop/client` (`OrderStatus`, `InpostPicker`, `DEFAULT_LABELS_PL`, `OrderStatusLabels` — zmień ścieżkę importu).',
+        '`includio-cms/updates` → **usunięte** (internal CLI tooling, nigdy nie powinno być w runtime API).'
+    ],
+    notes: `Migracja (znajdź-i-zamień):
+
+\`\`\`bash
+# Przykładowe sed'y (dostosuj do swojego edytora):
+sed -i '' "s|'includio-cms/admin/helpers'|'includio-cms/admin/client'|g" src/**/*.ts
+sed -i '' "s|'includio-cms/admin/ui'|'includio-cms/admin/client'|g" src/**/*.ts
+sed -i '' "s|'includio-cms/auth'|'includio-cms/core'|g" src/**/*.ts
+sed -i '' "s|'includio-cms/entity'|'includio-cms/core'|g" src/**/*.ts
+sed -i '' "s|'includio-cms/shop/svelte'|'includio-cms/shop/client'|g" src/**/*.ts
+sed -i '' "s|'includio-cms/auth-schema'|'includio-cms/db-postgres'|g" src/**/*.ts
+sed -i '' "s|'includio-cms/db-postgres/schema-core'|'includio-cms/db-postgres'|g" src/**/*.ts
+sed -i '' "s|'includio-cms/db-postgres/schema-shop'|'includio-cms/db-postgres'|g" src/**/*.ts
+sed -i '' "s|'includio-cms/admin/api/rest/handler'|'includio-cms/sveltekit/server'|g" src/**/*.ts
+\`\`\`
+
+Po migracji uruchom \`pnpm check\` — TypeScript zweryfikuje czy wszystkie symbole są dostępne pod nową ścieżką.
+
+API Surface freeze v1.0:
+
+- **\`@public\`** — stabilne, semver-protected w v1.0. Breaking change wymaga major bump.
+- **\`@experimental\`** — może się zmienić w 1.x bez breaking semver (np. \`PluginConfig\` — plugin hooks API).
+- **\`@internal\`** — implementation detail, NIE importować. Nie listowane w \`API.md\`.
+
+Pełna lista publicznych symboli per entry point: \`API.md\` w root paczki (regenerowany przy każdym \`npm publish\`).
+
+Brak SQL migration. Zmiana czysto package-level.`
+};

package/dist/updates/0.21.0/index.d.ts

@@ -0,0 +1,2 @@
+import type { CmsUpdate } from '../index.js';
+export declare const update: CmsUpdate;

package/dist/updates/0.21.0/index.js

@@ -0,0 +1,55 @@
+export const update = {
+    version: '0.21.0',
+    date: '2026-04-30',
+    description: 'Faza 5 część 2 — security finish: form rate-limit DRY refactor, API keys `expiresAt` / `rotatedAt`, sharp timeout 30s, `{@html}` audit close. `KNOWN-RISKS.md` w root jako single source of truth dla zaakceptowanych ryzyk v1.0. Plus: faza 6 setup — vitest coverage (info-only), docker test profile, integration test scaffolding (`tests/`).',
+    features: [
+        '`KNOWN-RISKS.md` w root paczki — 5 ryzyk udokumentowanych: CSP `\'unsafe-inline\'`, API key rotation opt-in, in-memory rate-limit, sharp 30s timeout, ffmpeg/sharp args audit. Każde z mitygacją i triggerem fix.',
+        '`ApiKeyConfig.expiresAt?: string` (ISO-8601) — opt-in expiry, enforced w `validateApiKey()`. Wygasły klucz → 401 generic (no leak). Brak `expiresAt` = klucz nigdy nie wygasa (backward compat).',
+        '`ApiKeyConfig.rotatedAt?: string` — info-only audit-trail, nie enforced.',
+        '`generateApiKey()` (`includio-cms/sveltekit/server`) — crypto-random 32B base64url. Pełna rotacja = update `cms.config.ts` + redeploy (statyczny model, patrz KNOWN-RISKS §2).',
+        '`withTimeout<T>(promise, ms, label)` + `TimeoutError` (`$lib/server/utils/withTimeout`). Wrap dookoła wszystkich sharp calls (metadata, toBuffer, blur, admin thumbnail, downscale resize). Default 30s, env override `INCLUDIO_SHARP_TIMEOUT_MS`.',
+        'Form submit rate-limit: refaktor `src/routes/api/forms/[slug]/submit/+server.ts` — używa shared `MemoryRateLimitStore` z `$lib/server/security/rate-limit.js` (DRY z `/admin/api/*` rate-limit). Limity 5/h per IP zachowane. Env: `INCLUDIO_FORM_RATE_LIMIT_MAX`, `INCLUDIO_FORM_RATE_LIMIT_WINDOW_MS`.',
+        'Faza 6 setup: docker `test` profile (`db_test` na porcie 5434, tmpfs, `fsync=off`), `tests/helpers/{db,api,auth}.ts`, `tests/setup.ts` z TRUNCATE strategy, vitest project `integration` (sequential, `singleFork`), sanity test `tests/integration/db-sanity.spec.ts`.',
+        'Vitest coverage config (info-only, bez threshold) — `pnpm test:coverage` generuje `coverage/`. Reporter: text/json/html. Devdep: `@vitest/coverage-v8`.'
+    ],
+    fixes: [
+        '`{@html}` w `src/lib/admin/client/users/delete-user-dialog.svelte` (linie 85, 93) zastąpione safe Svelte template `{...}<strong>{...}</strong>{...}`. Defense-in-depth — content był admin-controlled, ale eliminuje wektor regresji XSS gdyby ktoś kiedyś dodał user-supplied input do tych komunikatów.'
+    ],
+    breakingChanges: [
+        'Brak hard breakages. `ApiKeyConfig.expiresAt` / `rotatedAt` są opcjonalne — istniejące configi działają bez zmian.',
+        '`usersLang.deleteWarningDesc` zmienia sygnaturę z `(name: string) => string` na statyczny obiekt `{ before: string; after: string }`. `usersLang.deleteConfirmType` analogicznie ze stringa na `{ before: string; after: string }`. Wpływ tylko na fork\'i admin UI z customowym lang — szybki `pnpm check` zwróci błąd typu, fix = przepisz wartości w lang.'
+    ],
+    notes: `## Setup integration tests (opt-in)
+
+\`\`\`bash
+docker compose --profile test up -d db_test
+pnpm prepack                    # buduje dist/ wymagany przez drizzle-kit push schema
+pnpm db:test:migrate            # drizzle-kit push do test DB
+pnpm test:integration           # uruchamia tests/integration/**
+docker compose --profile test down
+\`\`\`
+
+## API key expiry (opt-in)
+
+\`\`\`ts
+// cms.config.ts
+apiKeys: [
+    { key: 'sk-...', name: 'ci', role: 'admin', expiresAt: '2027-01-01T00:00:00Z' }
+]
+\`\`\`
+
+Generowanie nowego klucza:
+
+\`\`\`ts
+import { generateApiKey } from 'includio-cms/sveltekit/server';
+console.log(generateApiKey()); // → 43-char base64url, 32B entropii
+\`\`\`
+
+Pełna rotacja wymaga update'u \`cms.config.ts\` + redeploy. Pole \`rotatedAt\` jest info-only (audit trail) — admin ustawia ręcznie przy rotacji.
+
+## Known risks
+
+Lista zaakceptowanych ryzyk v1.0 — \`KNOWN-RISKS.md\` w root paczki. 5 sekcji: CSP \`unsafe-inline\`, API key rotation opt-in, in-memory rate-limit (multi-node = wymaga Redis adapter), sharp 30s timeout, ffmpeg/sharp shell audit (SAFE).
+
+Brak SQL migration.`
+};

package/dist/updates/index.js

@@ -53,7 +53,9 @@ import { update as update0155 } from './0.15.5/index.js';
 import { update as update0160 } from './0.16.0/index.js';
 import { update as update0180 } from './0.18.0/index.js';
 import { update as update0190 } from './0.19.0/index.js';
-export const updates = [update0065, update0066, update0067, update0068, update0069, update010, update011, update012, update013, update014, update015, update020, update022, update050, update051, update052, update053, update054, update055, update056, update057, update058, update060, update061, update062, update070, update071, update072, update073, update080, update090, update0100, update0110, update0120, update0130, update0131, update0132, update0133, update0134, update0140, update0141, update0142, update0143, update0144, update0145, update0146, update0150, update0151, update0152, update0153, update0154, update0155, update0160, update0180, update0190];
+import { update as update0200 } from './0.20.0/index.js';
+import { update as update0210 } from './0.21.0/index.js';
+export const updates = [update0065, update0066, update0067, update0068, update0069, update010, update011, update012, update013, update014, update015, update020, update022, update050, update051, update052, update053, update054, update055, update056, update057, update058, update060, update061, update062, update070, update071, update072, update073, update080, update090, update0100, update0110, update0120, update0130, update0131, update0132, update0133, update0134, update0140, update0141, update0142, update0143, update0144, update0145, update0146, update0150, update0151, update0152, update0153, update0154, update0155, update0160, update0180, update0190, update0200, update0210];
 export const getUpdatesFrom = (fromVersion) => {
     const fromParts = fromVersion.split('.').map(Number);
     return updates.filter((update) => {