includio-cms 0.20.0 → 0.21.0

package/API.md

@@ -1,8 +1,8 @@
-# includio-cms — Public API v0.20.0
+# includio-cms — Public API v0.21.0
 
 > Auto-generated by `scripts/generate-api-md.ts`. Do not edit by hand.
 
-Entry points: **15** · Stable: **345** · Experimental: **2**
+Entry points: **15** · Stable: **346** · Experimental: **2**
 
 Tags:
 - `@public` — frozen for v1.0; semver-protected.
@@ -273,6 +273,7 @@ Tags:
 - `const createConsentLog: <inferred>`
 - `const createFormSubmission: <inferred>`
 - `createRestApiHandler(): <inferred>` — REST API handler factory. Returns `{ GET, POST, PUT, DELETE }` `RequestHandler`s authenticated via `x-api-key` header. Mount in `src/routes/admin/api/rest/[...restPath]/+server.ts`.
+- `generateApiKey(): string` — Generate a cryptographically random API key (32 bytes, base64url-encoded).
 - `getPreviewEntry(event: RequestEvent, options: { language: string }): Promise<Entry | null>` — Resolves the preview entry from a `?preview=<versionId>` query param. Requires an authenticated session — throws `Unauthorized` otherwise.
 - `includioCMS(cmsConfig: CMSConfig): Handle[]` — SvelteKit `Handle[]` array that initializes the CMS, generates runtime artifacts, wires auth/admin guards, and exposes `event.locals.cmsContext`. Compose with `sequence()` in `hooks.server.ts`.
 - `parseFormDataForSubmission(formData: FormData, fields: FormField[]): Promise<Record<string, unknown>>` — Parses multipart `FormData` into a typed record of field values, handling file uploads via the configured files adapter.

package/CHANGELOG.md

@@ -3,6 +3,63 @@
 All notable changes to includio-cms are documented here.
 Generated from `src/lib/updates/` — do not edit manually.
 
+## 0.21.0 — 2026-04-30
+
+Faza 5 część 2 — security finish: form rate-limit DRY refactor, API keys `expiresAt` / `rotatedAt`, sharp timeout 30s, `{@html}` audit close. `KNOWN-RISKS.md` w root jako single source of truth dla zaakceptowanych ryzyk v1.0. Plus: faza 6 setup — vitest coverage (info-only), docker test profile, integration test scaffolding (`tests/`).
+
+### Added
+- `KNOWN-RISKS.md` w root paczki — 5 ryzyk udokumentowanych: CSP `'unsafe-inline'`, API key rotation opt-in, in-memory rate-limit, sharp 30s timeout, ffmpeg/sharp args audit. Każde z mitygacją i triggerem fix.
+- `ApiKeyConfig.expiresAt?: string` (ISO-8601) — opt-in expiry, enforced w `validateApiKey()`. Wygasły klucz → 401 generic (no leak). Brak `expiresAt` = klucz nigdy nie wygasa (backward compat).
+- `ApiKeyConfig.rotatedAt?: string` — info-only audit-trail, nie enforced.
+- `generateApiKey()` (`includio-cms/sveltekit/server`) — crypto-random 32B base64url. Pełna rotacja = update `cms.config.ts` + redeploy (statyczny model, patrz KNOWN-RISKS §2).
+- `withTimeout<T>(promise, ms, label)` + `TimeoutError` (`$lib/server/utils/withTimeout`). Wrap dookoła wszystkich sharp calls (metadata, toBuffer, blur, admin thumbnail, downscale resize). Default 30s, env override `INCLUDIO_SHARP_TIMEOUT_MS`.
+- Form submit rate-limit: refaktor `src/routes/api/forms/[slug]/submit/+server.ts` — używa shared `MemoryRateLimitStore` z `$lib/server/security/rate-limit.js` (DRY z `/admin/api/*` rate-limit). Limity 5/h per IP zachowane. Env: `INCLUDIO_FORM_RATE_LIMIT_MAX`, `INCLUDIO_FORM_RATE_LIMIT_WINDOW_MS`.
+- Faza 6 setup: docker `test` profile (`db_test` na porcie 5434, tmpfs, `fsync=off`), `tests/helpers/{db,api,auth}.ts`, `tests/setup.ts` z TRUNCATE strategy, vitest project `integration` (sequential, `singleFork`), sanity test `tests/integration/db-sanity.spec.ts`.
+- Vitest coverage config (info-only, bez threshold) — `pnpm test:coverage` generuje `coverage/`. Reporter: text/json/html. Devdep: `@vitest/coverage-v8`.
+
+### Fixed
+- `{@html}` w `src/lib/admin/client/users/delete-user-dialog.svelte` (linie 85, 93) zastąpione safe Svelte template `{...}<strong>{...}</strong>{...}`. Defense-in-depth — content był admin-controlled, ale eliminuje wektor regresji XSS gdyby ktoś kiedyś dodał user-supplied input do tych komunikatów.
+
+### Breaking
+- Brak hard breakages. `ApiKeyConfig.expiresAt` / `rotatedAt` są opcjonalne — istniejące configi działają bez zmian.
+- `usersLang.deleteWarningDesc` zmienia sygnaturę z `(name: string) => string` na statyczny obiekt `{ before: string; after: string }`. `usersLang.deleteConfirmType` analogicznie ze stringa na `{ before: string; after: string }`. Wpływ tylko na fork'i admin UI z customowym lang — szybki `pnpm check` zwróci błąd typu, fix = przepisz wartości w lang.
+
+### Notes
+
+## Setup integration tests (opt-in)
+
+```bash
+docker compose --profile test up -d db_test
+pnpm prepack                    # buduje dist/ wymagany przez drizzle-kit push schema
+pnpm db:test:migrate            # drizzle-kit push do test DB
+pnpm test:integration           # uruchamia tests/integration/**
+docker compose --profile test down
+```
+
+## API key expiry (opt-in)
+
+```ts
+// cms.config.ts
+apiKeys: [
+    { key: 'sk-...', name: 'ci', role: 'admin', expiresAt: '2027-01-01T00:00:00Z' }
+]
+```
+
+Generowanie nowego klucza:
+
+```ts
+import { generateApiKey } from 'includio-cms/sveltekit/server';
+console.log(generateApiKey()); // → 43-char base64url, 32B entropii
+```
+
+Pełna rotacja wymaga update'u `cms.config.ts` + redeploy. Pole `rotatedAt` jest info-only (audit trail) — admin ustawia ręcznie przy rotacji.
+
+## Known risks
+
+Lista zaakceptowanych ryzyk v1.0 — `KNOWN-RISKS.md` w root paczki. 5 sekcji: CSP `unsafe-inline`, API key rotation opt-in, in-memory rate-limit (multi-node = wymaga Redis adapter), sharp 30s timeout, ffmpeg/sharp shell audit (SAFE).
+
+Brak SQL migration.
+
 ## 0.20.0 — 2026-04-29
 
 API Surface Lock — exports trim 26→15, JSDoc tagi (`@public`/`@experimental`/`@internal`), autogenerowany `API.md`. Powierzchnia publiczna zamrożona w v1.0 — w 1.x tylko `@experimental` może się zmienić bez breaking semver.

package/DOCS.md

@@ -1,4 +1,4 @@
-# Includio CMS Documentation (v0.20.0)
+# Includio CMS Documentation (v0.21.0)
 
 > This file is auto-generated from the docs site. For the latest version, update the package.
 

package/ROADMAP.md

@@ -354,10 +354,13 @@
 ## Security hardening
 
 - [ ] `[feature]` `[P1]` `sanitizeHTML` utility — general HTML sanitization outside richtext (text fields, SEO fields)
-- [ ] `[feature]` `[P1]` CSP headers — Content-Security-Policy middleware
-- [ ] `[feature]` `[P1]` CSRF protection — tokens for mutating operations
-- [x] `[feature]` `[P1]` Rate limiting — form submit endpoints (done in 0.13.3; admin/auth endpoints remaining)
-- [x] `[chore]` `[P1]` Security audit — timing attacks, MIME validation, demo endpoint, rate limiting (done in 0.13.3; `{@html}` review remaining)
+- [x] `[feature]` `[P1]` CSP headers — Content-Security-Policy middleware (0.20.0/0.21.0; `unsafe-inline` zaakceptowany — KNOWN-RISKS §1)
+- [x] `[feature]` `[P1]` CSRF protection — origin/referer guard na `/admin/api/*` (0.20.0/0.21.0)
+- [x] `[feature]` `[P1]` Rate limiting — form submit + `/admin/api/*` (form 0.13.3, admin 0.20.0, DRY refactor 0.21.0)
+- [x] `[chore]` `[P1]` Security audit — timing attacks, MIME, demo endpoint, rate limiting, `{@html}` w admin UI, ffmpeg/sharp shell args (0.13.3 + 0.21.0)
+- [x] `[feature]` `[P1]` API key expiry (opt-in `expiresAt`) + `generateApiKey()` helper (0.21.0; pełna rotacja = manual config + redeploy, KNOWN-RISKS §2)
+- [x] `[feature]` `[P1]` Sharp timeout 30s (`withTimeout` + `INCLUDIO_SHARP_TIMEOUT_MS`, 0.21.0)
+- [x] `[chore]` `[P0]` `KNOWN-RISKS.md` — single source of truth dla zaakceptowanych ryzyk v1.0 (0.21.0)
 - [ ] `[chore]` `[P1]` Input sanitization audit — review all fields for XSS
 
 ## Backlog

package/dist/admin/api/rest/middleware/apiKey.js

@@ -14,7 +14,15 @@ function safeEqual(a, b) {
 }
 export function validateApiKey(key) {
     const cms = getCMS();
-    return cms.apiKeys.find((k) => safeEqual(k.key, key)) ?? null;
+    const found = cms.apiKeys.find((k) => safeEqual(k.key, key));
+    if (!found)
+        return null;
+    if (found.expiresAt) {
+        const exp = Date.parse(found.expiresAt);
+        if (Number.isFinite(exp) && exp < Date.now())
+            return null;
+    }
+    return found;
 }
 export function setSyntheticUser(event, apiKey) {
     const name = apiKey.name || 'api';

package/dist/admin/api/rest/middleware/generateApiKey.d.ts

@@ -0,0 +1,7 @@
+/**
+ * Generate a cryptographically random API key (32 bytes, base64url-encoded).
+ * Use the result for `ApiKeyConfig.key`. Full rotation requires updating
+ * `cms.config.ts` and redeploying — see `KNOWN-RISKS.md` §2.
+ * @public
+ */
+export declare function generateApiKey(): string;

package/dist/admin/api/rest/middleware/generateApiKey.js

@@ -0,0 +1,10 @@
+import { randomBytes } from 'node:crypto';
+/**
+ * Generate a cryptographically random API key (32 bytes, base64url-encoded).
+ * Use the result for `ApiKeyConfig.key`. Full rotation requires updating
+ * `cms.config.ts` and redeploying — see `KNOWN-RISKS.md` §2.
+ * @public
+ */
+export function generateApiKey() {
+    return randomBytes(32).toString('base64url');
+}

package/dist/admin/client/users/delete-user-dialog.svelte

@@ -82,7 +82,7 @@
 							{lang.deleteWarningTitle}
 						</p>
 						<p class="mt-1 text-sm" style="color: var(--muted-foreground);">
-							{@html lang.deleteWarningDesc(user.name)}
+							{lang.deleteWarningDesc.before}<strong>{user.name}</strong>{lang.deleteWarningDesc.after}
 						</p>
 					</div>
 				</div>
@@ -90,7 +90,7 @@
 				<!-- Confirm input -->
 				<div class="space-y-2">
 					<Label for="delete-confirm">
-						{@html lang.deleteConfirmType}
+						{lang.deleteConfirmType.before}<strong>{lang.deleteConfirmWord}</strong>{lang.deleteConfirmType.after}
 					</Label>
 					<Input
 						id="delete-confirm"

package/dist/admin/client/users/lang.d.ts

@@ -24,8 +24,16 @@ export declare const usersLang: Record<InterfaceLanguage, {
     deleteConfirmTitle: string;
     deleteConfirmDescription: string;
     deleteWarningTitle: string;
-    deleteWarningDesc: (name: string) => string;
-    deleteConfirmType: string;
+    /** Split into `before` / `after`; the user name is rendered between them in template (avoids `{@html}`). */
+    deleteWarningDesc: {
+        before: string;
+        after: string;
+    };
+    /** Split into `before` / `after`; `deleteConfirmWord` is rendered between them. */
+    deleteConfirmType: {
+        before: string;
+        after: string;
+    };
     deleteConfirmWord: string;
     userCreated: string;
     userUpdated: string;

package/dist/admin/client/users/lang.js

@@ -24,8 +24,11 @@ export const usersLang = {
         deleteConfirmTitle: 'Delete user?',
         deleteConfirmDescription: 'This action cannot be undone. The user will be permanently deleted.',
         deleteWarningTitle: 'This action cannot be undone',
-        deleteWarningDesc: (name) => `User <strong>${name}</strong> will be permanently deleted along with all their data.`,
-        deleteConfirmType: 'Type <strong>DELETE</strong> to confirm',
+        deleteWarningDesc: {
+            before: 'User ',
+            after: ' will be permanently deleted along with all their data.'
+        },
+        deleteConfirmType: { before: 'Type ', after: ' to confirm' },
         deleteConfirmWord: 'DELETE',
         userCreated: 'User created',
         userUpdated: 'User updated',
@@ -107,8 +110,11 @@ export const usersLang = {
         deleteConfirmTitle: 'Usunąć użytkownika?',
         deleteConfirmDescription: 'Ta akcja jest nieodwracalna. Użytkownik zostanie trwale usunięty.',
         deleteWarningTitle: 'Tej operacji nie można cofnąć',
-        deleteWarningDesc: (name) => `Użytkownik <strong>${name}</strong> zostanie trwale usunięty wraz ze wszystkimi danymi.`,
-        deleteConfirmType: 'Wpisz <strong>USUŃ</strong>, żeby potwierdzić',
+        deleteWarningDesc: {
+            before: 'Użytkownik ',
+            after: ' zostanie trwale usunięty wraz ze wszystkimi danymi.'
+        },
+        deleteConfirmType: { before: 'Wpisz ', after: ', żeby potwierdzić' },
         deleteConfirmWord: 'USUŃ',
         userCreated: 'Użytkownik utworzony',
         userUpdated: 'Użytkownik zaktualizowany',

package/dist/core/server/media/operations/uploadFile.js

@@ -4,6 +4,7 @@ import { generateAdminThumbnail } from '../utils/generateAdminThumbnail.js';
 import { generateDefaultStylesInBackground } from '../styles/operations/generateDefaultStyles.js';
 import { generateDefaultVideoStylesInBackground } from '../styles/operations/generateDefaultVideoStyles.js';
 import sharp from 'sharp';
+import { withTimeout, sharpTimeoutMs } from '../../../../server/utils/withTimeout.js';
 async function maybeDownscale(file) {
     const cms = getCMS();
     const { maxOriginalWidth, maxOriginalHeight } = cms.mediaConfig;
@@ -14,19 +15,19 @@ async function maybeDownscale(file) {
         return file;
     try {
         const buffer = Buffer.from(await file.arrayBuffer());
-        const metadata = await sharp(buffer).metadata();
+        const metadata = await withTimeout(sharp(buffer).metadata(), sharpTimeoutMs(), 'sharp.metadata');
         const w = metadata.width || 0;
         const h = metadata.height || 0;
         const exceedsWidth = maxOriginalWidth && w > maxOriginalWidth;
         const exceedsHeight = maxOriginalHeight && h > maxOriginalHeight;
         if (!exceedsWidth && !exceedsHeight)
             return file;
-        const resized = await sharp(buffer)
+        const resized = await withTimeout(sharp(buffer)
             .resize(maxOriginalWidth, maxOriginalHeight, {
             fit: 'inside',
             withoutEnlargement: true
         })
-            .toBuffer();
+            .toBuffer(), sharpTimeoutMs(), 'sharp.resize');
         return new File([new Uint8Array(resized)], file.name, { type: file.type });
     }
     catch (e) {

package/dist/core/server/media/styles/sharp/generateImageStyle.js

@@ -1,6 +1,7 @@
 import { getCMS } from '../../../../cms.js';
 import sharp from 'sharp';
 import { calculateFocalCropRegion } from '../../utils/calculateFocalCropRegion.js';
+import { withTimeout, sharpTimeoutMs } from '../../../../../server/utils/withTimeout.js';
 export async function generateImageStyle(mediaFileId, style) {
     const mediaFile = await getCMS().databaseAdapter.getMediaFile({
         data: {
@@ -19,7 +20,7 @@ export async function generateImageStyle(mediaFileId, style) {
 }
 export async function generateImageStyleFromBuffer(buf, mediaFile, style) {
     // Read EXIF orientation before processing
-    const metadata = await sharp(buf).metadata();
+    const metadata = await withTimeout(sharp(buf).metadata(), sharpTimeoutMs(), 'sharp.metadata');
     // .rotate() applies EXIF orientation to pixels AND strips the tag from output.
     // Prevents double-rotation in WebP/JPEG where EXIF orientation tag may persist.
     let sharpInstance = sharp(buf).rotate();
@@ -79,7 +80,7 @@ export async function generateImageStyleFromBuffer(buf, mediaFile, style) {
     const originalExt = mediaFile.mimeType?.split('/').pop() ?? mediaFile.url.split('.').pop();
     const format = style.format ?? originalExt ?? 'jpeg';
     sharpInstance = sharpInstance.toFormat(format, style.quality != null ? { quality: Math.max(1, Math.min(100, style.quality)) } : undefined);
-    const outputBuffer = await sharpInstance.toBuffer();
+    const outputBuffer = await withTimeout(sharpInstance.toBuffer(), sharpTimeoutMs(), 'sharp.toBuffer');
     return getCMS().filesAdapter.uploadFile(new File([new Uint8Array(outputBuffer)], `${mediaFile.id}_${style.name}_${Date.now().toString(36)}.${format}`, {
         type: `image/${format}`
     }));

package/dist/core/server/media/utils/generateAdminThumbnail.js

@@ -1,14 +1,15 @@
 import { getCMS } from '../../../cms.js';
 import { isProcessableImage } from '../../fields/utils/imageStyles.js';
 import sharp from 'sharp';
+import { withTimeout, sharpTimeoutMs } from '../../../../server/utils/withTimeout.js';
 const THUMB_WIDTH = 400;
 const THUMB_QUALITY = 70;
 export async function generateAdminThumbnail(buffer, mediaFile) {
-    const output = await sharp(buffer)
+    const output = await withTimeout(sharp(buffer)
         .rotate()
         .resize(THUMB_WIDTH, undefined, { withoutEnlargement: true })
         .toFormat('webp', { quality: THUMB_QUALITY })
-        .toBuffer();
+        .toBuffer(), sharpTimeoutMs(), 'sharp.adminThumbnail');
     const filename = `${mediaFile.id}_admin_thumb_${Date.now().toString(36)}.webp`;
     const uploaded = await getCMS().filesAdapter.uploadFile(new File([new Uint8Array(output)], filename, { type: 'image/webp' }));
     return uploaded.url;

package/dist/core/server/media/utils/generateBlurDataUrl.js

@@ -1,5 +1,6 @@
 import sharp from 'sharp';
+import { withTimeout, sharpTimeoutMs } from '../../../../server/utils/withTimeout.js';
 export async function generateBlurDataUrl(buffer) {
-    const blurBuffer = await sharp(buffer).resize(20).blur(10).toFormat('webp').toBuffer();
+    const blurBuffer = await withTimeout(sharp(buffer).resize(20).blur(10).toFormat('webp').toBuffer(), sharpTimeoutMs(), 'sharp.blurDataUrl');
     return `data:image/webp;base64,${blurBuffer.toString('base64')}`;
 }

package/dist/server/security/csp.d.ts

@@ -0,0 +1,16 @@
+export interface CspOptions {
+    scriptSrc?: string[];
+    styleSrc?: string[];
+    imgSrc?: string[];
+    mediaSrc?: string[];
+    fontSrc?: string[];
+    connectSrc?: string[];
+    frameAncestors?: string[];
+}
+/**
+ * Build a Content-Security-Policy header value with v1.0 defaults.
+ * `'unsafe-inline'` is allowed on `script-src`/`style-src` because TipTap and
+ * paraglide emit inline code; documented in `KNOWN-RISKS.md`.
+ * @internal
+ */
+export declare function buildCspHeader(opts?: CspOptions): string;

package/dist/server/security/csp.js

@@ -0,0 +1,33 @@
+const DEFAULTS = {
+    scriptSrc: ["'self'", "'unsafe-inline'"],
+    styleSrc: ["'self'", "'unsafe-inline'"],
+    imgSrc: ["'self'", 'data:', 'blob:'],
+    mediaSrc: ["'self'", 'blob:'],
+    fontSrc: ["'self'", 'data:'],
+    connectSrc: ["'self'"],
+    frameAncestors: ["'self'"]
+};
+/**
+ * Build a Content-Security-Policy header value with v1.0 defaults.
+ * `'unsafe-inline'` is allowed on `script-src`/`style-src` because TipTap and
+ * paraglide emit inline code; documented in `KNOWN-RISKS.md`.
+ * @internal
+ */
+export function buildCspHeader(opts = {}) {
+    const merge = (key, extra) => {
+        const base = DEFAULTS[key];
+        return extra && extra.length ? Array.from(new Set([...base, ...extra])) : [...base];
+    };
+    return [
+        `default-src 'self'`,
+        `script-src ${merge('scriptSrc', opts.scriptSrc).join(' ')}`,
+        `style-src ${merge('styleSrc', opts.styleSrc).join(' ')}`,
+        `img-src ${merge('imgSrc', opts.imgSrc).join(' ')}`,
+        `media-src ${merge('mediaSrc', opts.mediaSrc).join(' ')}`,
+        `font-src ${merge('fontSrc', opts.fontSrc).join(' ')}`,
+        `connect-src ${merge('connectSrc', opts.connectSrc).join(' ')}`,
+        `object-src 'none'`,
+        `base-uri 'self'`,
+        `frame-ancestors ${merge('frameAncestors', opts.frameAncestors).join(' ')}`
+    ].join('; ');
+}

package/dist/server/security/csrf.d.ts

@@ -0,0 +1,13 @@
+import type { Handle, RequestEvent } from '@sveltejs/kit';
+/**
+ * Returns true when a request is CSRF-safe: a non-mutating method, or a mutating
+ * method whose Origin/Referer matches the request URL origin (or the env allowlist).
+ * @internal
+ */
+export declare function isCsrfSafe(event: RequestEvent): boolean;
+/**
+ * SvelteKit handle that rejects mutating requests under `/admin/api/*` lacking a
+ * matching Origin/Referer header. Other paths and safe methods pass through.
+ * @internal
+ */
+export declare const csrfGuard: Handle;

package/dist/server/security/csrf.js

@@ -0,0 +1,49 @@
+const MUTATING_METHODS = new Set(['POST', 'PUT', 'PATCH', 'DELETE']);
+function getAllowedOrigins() {
+    const env = process.env.INCLUDIO_CSRF_ALLOWED_ORIGINS ?? '';
+    return new Set(env
+        .split(',')
+        .map((s) => s.trim())
+        .filter(Boolean));
+}
+/**
+ * Returns true when a request is CSRF-safe: a non-mutating method, or a mutating
+ * method whose Origin/Referer matches the request URL origin (or the env allowlist).
+ * @internal
+ */
+export function isCsrfSafe(event) {
+    const method = event.request.method.toUpperCase();
+    if (!MUTATING_METHODS.has(method))
+        return true;
+    const expected = event.url.origin;
+    const allowed = getAllowedOrigins();
+    const origin = event.request.headers.get('origin');
+    if (origin)
+        return origin === expected || allowed.has(origin);
+    const referer = event.request.headers.get('referer');
+    if (referer) {
+        try {
+            const refOrigin = new URL(referer).origin;
+            return refOrigin === expected || allowed.has(refOrigin);
+        }
+        catch {
+            return false;
+        }
+    }
+    return false;
+}
+/**
+ * SvelteKit handle that rejects mutating requests under `/admin/api/*` lacking a
+ * matching Origin/Referer header. Other paths and safe methods pass through.
+ * @internal
+ */
+export const csrfGuard = async ({ event, resolve }) => {
+    if (!event.url.pathname.startsWith('/admin/api/'))
+        return resolve(event);
+    if (isCsrfSafe(event))
+        return resolve(event);
+    return new Response(JSON.stringify({ error: 'csrf_rejected' }), {
+        status: 403,
+        headers: { 'content-type': 'application/json' }
+    });
+};

package/dist/server/security/index.d.ts

@@ -0,0 +1,3 @@
+export { csrfGuard, isCsrfSafe } from './csrf.js';
+export { rateLimitGuard, MemoryRateLimitStore, type RateLimitStore, type RateLimitResult, type RateLimitGuardOptions } from './rate-limit.js';
+export { buildCspHeader, type CspOptions } from './csp.js';

package/dist/server/security/index.js

@@ -0,0 +1,3 @@
+export { csrfGuard, isCsrfSafe } from './csrf.js';
+export { rateLimitGuard, MemoryRateLimitStore } from './rate-limit.js';
+export { buildCspHeader } from './csp.js';

package/dist/server/security/rate-limit.d.ts

@@ -0,0 +1,44 @@
+import type { Handle, RequestEvent } from '@sveltejs/kit';
+export interface RateLimitResult {
+    allowed: boolean;
+    remaining: number;
+    resetAt: number;
+}
+/**
+ * Pluggable storage for {@link rateLimitGuard}. The default implementation is
+ * in-memory; multi-node deploys should provide a Redis-backed store.
+ * @internal
+ */
+export interface RateLimitStore {
+    hit(key: string, windowMs: number, limit: number): Promise<RateLimitResult>;
+}
+/**
+ * In-memory {@link RateLimitStore}. Per-process; not safe across multiple nodes.
+ * @internal
+ */
+export declare class MemoryRateLimitStore implements RateLimitStore {
+    private buckets;
+    private cleanupInterval;
+    constructor(opts?: {
+        cleanupMs?: number;
+    });
+    hit(key: string, windowMs: number, limit: number): Promise<RateLimitResult>;
+    private cleanup;
+    reset(key?: string): void;
+    dispose(): void;
+}
+export interface RateLimitGuardOptions {
+    store?: RateLimitStore;
+    limit?: number;
+    windowMs?: number;
+    pathPrefix?: string;
+    key?: (event: RequestEvent) => string;
+}
+/**
+ * SvelteKit handle that limits requests under `pathPrefix` (default `/admin/api/`)
+ * per key (default: authenticated user id, falling back to client IP). Returns
+ * 429 with `Retry-After` when exceeded. Defaults: 200 req / 60s, override via env
+ * `INCLUDIO_RATE_LIMIT_MAX` / `INCLUDIO_RATE_LIMIT_WINDOW_MS`.
+ * @internal
+ */
+export declare function rateLimitGuard(opts?: RateLimitGuardOptions): Handle;

package/dist/server/security/rate-limit.js

@@ -0,0 +1,97 @@
+import { json } from '@sveltejs/kit';
+/**
+ * In-memory {@link RateLimitStore}. Per-process; not safe across multiple nodes.
+ * @internal
+ */
+export class MemoryRateLimitStore {
+    buckets = new Map();
+    cleanupInterval;
+    constructor(opts = {}) {
+        const cleanupMs = opts.cleanupMs ?? 60_000;
+        if (cleanupMs > 0 && typeof setInterval === 'function') {
+            this.cleanupInterval = setInterval(() => this.cleanup(), cleanupMs);
+            const i = this.cleanupInterval;
+            if (typeof i.unref === 'function')
+                i.unref();
+        }
+    }
+    async hit(key, windowMs, limit) {
+        const now = Date.now();
+        const bucket = this.buckets.get(key);
+        if (!bucket || bucket.resetAt <= now) {
+            const fresh = { count: 1, resetAt: now + windowMs };
+            this.buckets.set(key, fresh);
+            return { allowed: true, remaining: Math.max(0, limit - 1), resetAt: fresh.resetAt };
+        }
+        if (bucket.count >= limit) {
+            return { allowed: false, remaining: 0, resetAt: bucket.resetAt };
+        }
+        bucket.count += 1;
+        return { allowed: true, remaining: limit - bucket.count, resetAt: bucket.resetAt };
+    }
+    cleanup() {
+        const now = Date.now();
+        for (const [k, b] of this.buckets) {
+            if (b.resetAt <= now)
+                this.buckets.delete(k);
+        }
+    }
+    reset(key) {
+        if (key)
+            this.buckets.delete(key);
+        else
+            this.buckets.clear();
+    }
+    dispose() {
+        if (this.cleanupInterval)
+            clearInterval(this.cleanupInterval);
+        this.cleanupInterval = undefined;
+    }
+}
+function num(env, fallback) {
+    const n = env ? Number(env) : NaN;
+    return Number.isFinite(n) && n > 0 ? n : fallback;
+}
+/**
+ * SvelteKit handle that limits requests under `pathPrefix` (default `/admin/api/`)
+ * per key (default: authenticated user id, falling back to client IP). Returns
+ * 429 with `Retry-After` when exceeded. Defaults: 200 req / 60s, override via env
+ * `INCLUDIO_RATE_LIMIT_MAX` / `INCLUDIO_RATE_LIMIT_WINDOW_MS`.
+ * @internal
+ */
+export function rateLimitGuard(opts = {}) {
+    const store = opts.store ?? new MemoryRateLimitStore();
+    const limit = opts.limit ?? num(process.env.INCLUDIO_RATE_LIMIT_MAX, 200);
+    const windowMs = opts.windowMs ?? num(process.env.INCLUDIO_RATE_LIMIT_WINDOW_MS, 60_000);
+    const pathPrefix = opts.pathPrefix ?? '/admin/api/';
+    const keyFn = opts.key ??
+        ((event) => {
+            const userId = event.locals?.user?.id;
+            if (userId)
+                return `u:${userId}`;
+            try {
+                return `ip:${event.getClientAddress()}`;
+            }
+            catch {
+                return 'ip:unknown';
+            }
+        });
+    return async ({ event, resolve }) => {
+        if (!event.url.pathname.startsWith(pathPrefix))
+            return resolve(event);
+        const result = await store.hit(keyFn(event), windowMs, limit);
+        if (!result.allowed) {
+            const retryAfter = Math.max(1, Math.ceil((result.resetAt - Date.now()) / 1000));
+            return json({ error: 'rate_limited', resetAt: result.resetAt }, {
+                status: 429,
+                headers: {
+                    'retry-after': String(retryAfter),
+                    'x-ratelimit-limit': String(limit),
+                    'x-ratelimit-remaining': '0',
+                    'x-ratelimit-reset': String(Math.ceil(result.resetAt / 1000))
+                }
+            });
+        }
+        return resolve(event);
+    };
+}

package/dist/server/utils/withTimeout.d.ts

@@ -0,0 +1,21 @@
+/**
+ * Race a promise against a deadline. Resolves with the original promise's value
+ * if it settles before `ms`; otherwise rejects with {@link TimeoutError}.
+ * Cleans up the timer in both success and failure paths so it never holds the
+ * event loop.
+ * @internal
+ */
+export declare class TimeoutError extends Error {
+    readonly label: string;
+    readonly ms: number;
+    readonly name = "TimeoutError";
+    constructor(label: string, ms: number);
+}
+/** @internal */
+export declare function withTimeout<T>(promise: Promise<T>, ms: number, label: string): Promise<T>;
+/**
+ * Resolved timeout (ms) for sharp operations. Override via `INCLUDIO_SHARP_TIMEOUT_MS`.
+ * Documented in `KNOWN-RISKS.md` §4.
+ * @internal
+ */
+export declare function sharpTimeoutMs(): number;

package/dist/server/utils/withTimeout.js

@@ -0,0 +1,37 @@
+/**
+ * Race a promise against a deadline. Resolves with the original promise's value
+ * if it settles before `ms`; otherwise rejects with {@link TimeoutError}.
+ * Cleans up the timer in both success and failure paths so it never holds the
+ * event loop.
+ * @internal
+ */
+export class TimeoutError extends Error {
+    label;
+    ms;
+    name = 'TimeoutError';
+    constructor(label, ms) {
+        super(`${label} timed out after ${ms}ms`);
+        this.label = label;
+        this.ms = ms;
+    }
+}
+/** @internal */
+export function withTimeout(promise, ms, label) {
+    let timer;
+    const timeout = new Promise((_, reject) => {
+        timer = setTimeout(() => reject(new TimeoutError(label, ms)), ms);
+    });
+    return Promise.race([promise, timeout]).finally(() => {
+        if (timer)
+            clearTimeout(timer);
+    });
+}
+/**
+ * Resolved timeout (ms) for sharp operations. Override via `INCLUDIO_SHARP_TIMEOUT_MS`.
+ * Documented in `KNOWN-RISKS.md` §4.
+ * @internal
+ */
+export function sharpTimeoutMs() {
+    const n = Number(process.env.INCLUDIO_SHARP_TIMEOUT_MS);
+    return Number.isFinite(n) && n > 0 ? n : 30_000;
+}

package/dist/sveltekit/server/handle.js

@@ -4,6 +4,9 @@ import { getCMS, initCMS } from '../../core/cms.js';
 import { generateRuntime } from '../../core/server/generator/generator.js';
 import { svelteKitHandler } from 'better-auth/svelte-kit';
 import { building } from '$app/environment';
+import { csrfGuard } from '../../server/security/csrf.js';
+import { rateLimitGuard } from '../../server/security/rate-limit.js';
+import { buildCspHeader } from '../../server/security/csp.js';
 const adminGuard = async ({ event, resolve }) => {
     const { user, session } = event.locals;
     // Secure the admin routes
@@ -74,17 +77,21 @@ export function includioCMS(cmsConfig) {
     initCMS(cmsConfig);
     const handles = [];
     handles.push(detectBrowserContext);
+    handles.push(csrfGuard);
     if (cmsConfig.auth) {
         handles.push(handleAuth);
     }
+    handles.push(rateLimitGuard());
     handles.push(adminGuard);
     handles.push(securityHeaders);
     return handles;
 }
+const CSP_VALUE = buildCspHeader();
 const securityHeaders = async ({ event, resolve }) => {
     const response = await resolve(event);
     response.headers.set('X-Content-Type-Options', 'nosniff');
     response.headers.set('X-Frame-Options', 'SAMEORIGIN');
     response.headers.set('Referrer-Policy', 'strict-origin-when-cross-origin');
+    response.headers.set('Content-Security-Policy', CSP_VALUE);
     return response;
 };

package/dist/sveltekit/server/index.d.ts

@@ -6,3 +6,4 @@ export { parseFormDataForSubmission } from '../../core/server/forms/submissions/
 export { createConsentLog } from '../../core/server/consentLogs/operations/create.js';
 export { getPreviewEntry } from './preview.js';
 export { createRestApiHandler } from '../../admin/api/rest/handler.js';
+export { generateApiKey } from '../../admin/api/rest/middleware/generateApiKey.js';

package/dist/sveltekit/server/index.js

@@ -7,3 +7,4 @@ export { createConsentLog } from '../../core/server/consentLogs/operations/creat
 export { getPreviewEntry } from './preview.js';
 // Folded from `./admin/api/rest/handler` (dropped as separate export in 0.20.0)
 export { createRestApiHandler } from '../../admin/api/rest/handler.js';
+export { generateApiKey } from '../../admin/api/rest/middleware/generateApiKey.js';

package/dist/types/cms.d.ts

@@ -60,6 +60,10 @@ export interface ApiKeyConfig {
     key: string;
     name?: string;
     role?: 'admin' | 'editor';
+    /** Opt-in expiry. ISO-8601 timestamp; past dates → 401 on use. */
+    expiresAt?: string;
+    /** Audit-trail only; not enforced. ISO-8601 timestamp of last manual rotation. */
+    rotatedAt?: string;
 }
 export interface TypographyConfig {
     fixOrphans?: boolean;

package/dist/updates/0.21.0/index.d.ts

@@ -0,0 +1,2 @@
+import type { CmsUpdate } from '../index.js';
+export declare const update: CmsUpdate;

package/dist/updates/0.21.0/index.js

@@ -0,0 +1,55 @@
+export const update = {
+    version: '0.21.0',
+    date: '2026-04-30',
+    description: 'Faza 5 część 2 — security finish: form rate-limit DRY refactor, API keys `expiresAt` / `rotatedAt`, sharp timeout 30s, `{@html}` audit close. `KNOWN-RISKS.md` w root jako single source of truth dla zaakceptowanych ryzyk v1.0. Plus: faza 6 setup — vitest coverage (info-only), docker test profile, integration test scaffolding (`tests/`).',
+    features: [
+        '`KNOWN-RISKS.md` w root paczki — 5 ryzyk udokumentowanych: CSP `\'unsafe-inline\'`, API key rotation opt-in, in-memory rate-limit, sharp 30s timeout, ffmpeg/sharp args audit. Każde z mitygacją i triggerem fix.',
+        '`ApiKeyConfig.expiresAt?: string` (ISO-8601) — opt-in expiry, enforced w `validateApiKey()`. Wygasły klucz → 401 generic (no leak). Brak `expiresAt` = klucz nigdy nie wygasa (backward compat).',
+        '`ApiKeyConfig.rotatedAt?: string` — info-only audit-trail, nie enforced.',
+        '`generateApiKey()` (`includio-cms/sveltekit/server`) — crypto-random 32B base64url. Pełna rotacja = update `cms.config.ts` + redeploy (statyczny model, patrz KNOWN-RISKS §2).',
+        '`withTimeout<T>(promise, ms, label)` + `TimeoutError` (`$lib/server/utils/withTimeout`). Wrap dookoła wszystkich sharp calls (metadata, toBuffer, blur, admin thumbnail, downscale resize). Default 30s, env override `INCLUDIO_SHARP_TIMEOUT_MS`.',
+        'Form submit rate-limit: refaktor `src/routes/api/forms/[slug]/submit/+server.ts` — używa shared `MemoryRateLimitStore` z `$lib/server/security/rate-limit.js` (DRY z `/admin/api/*` rate-limit). Limity 5/h per IP zachowane. Env: `INCLUDIO_FORM_RATE_LIMIT_MAX`, `INCLUDIO_FORM_RATE_LIMIT_WINDOW_MS`.',
+        'Faza 6 setup: docker `test` profile (`db_test` na porcie 5434, tmpfs, `fsync=off`), `tests/helpers/{db,api,auth}.ts`, `tests/setup.ts` z TRUNCATE strategy, vitest project `integration` (sequential, `singleFork`), sanity test `tests/integration/db-sanity.spec.ts`.',
+        'Vitest coverage config (info-only, bez threshold) — `pnpm test:coverage` generuje `coverage/`. Reporter: text/json/html. Devdep: `@vitest/coverage-v8`.'
+    ],
+    fixes: [
+        '`{@html}` w `src/lib/admin/client/users/delete-user-dialog.svelte` (linie 85, 93) zastąpione safe Svelte template `{...}<strong>{...}</strong>{...}`. Defense-in-depth — content był admin-controlled, ale eliminuje wektor regresji XSS gdyby ktoś kiedyś dodał user-supplied input do tych komunikatów.'
+    ],
+    breakingChanges: [
+        'Brak hard breakages. `ApiKeyConfig.expiresAt` / `rotatedAt` są opcjonalne — istniejące configi działają bez zmian.',
+        '`usersLang.deleteWarningDesc` zmienia sygnaturę z `(name: string) => string` na statyczny obiekt `{ before: string; after: string }`. `usersLang.deleteConfirmType` analogicznie ze stringa na `{ before: string; after: string }`. Wpływ tylko na fork\'i admin UI z customowym lang — szybki `pnpm check` zwróci błąd typu, fix = przepisz wartości w lang.'
+    ],
+    notes: `## Setup integration tests (opt-in)
+
+\`\`\`bash
+docker compose --profile test up -d db_test
+pnpm prepack                    # buduje dist/ wymagany przez drizzle-kit push schema
+pnpm db:test:migrate            # drizzle-kit push do test DB
+pnpm test:integration           # uruchamia tests/integration/**
+docker compose --profile test down
+\`\`\`
+
+## API key expiry (opt-in)
+
+\`\`\`ts
+// cms.config.ts
+apiKeys: [
+    { key: 'sk-...', name: 'ci', role: 'admin', expiresAt: '2027-01-01T00:00:00Z' }
+]
+\`\`\`
+
+Generowanie nowego klucza:
+
+\`\`\`ts
+import { generateApiKey } from 'includio-cms/sveltekit/server';
+console.log(generateApiKey()); // → 43-char base64url, 32B entropii
+\`\`\`
+
+Pełna rotacja wymaga update'u \`cms.config.ts\` + redeploy. Pole \`rotatedAt\` jest info-only (audit trail) — admin ustawia ręcznie przy rotacji.
+
+## Known risks
+
+Lista zaakceptowanych ryzyk v1.0 — \`KNOWN-RISKS.md\` w root paczki. 5 sekcji: CSP \`unsafe-inline\`, API key rotation opt-in, in-memory rate-limit (multi-node = wymaga Redis adapter), sharp 30s timeout, ffmpeg/sharp shell audit (SAFE).
+
+Brak SQL migration.`
+};

package/dist/updates/index.js

@@ -54,7 +54,8 @@ import { update as update0160 } from './0.16.0/index.js';
 import { update as update0180 } from './0.18.0/index.js';
 import { update as update0190 } from './0.19.0/index.js';
 import { update as update0200 } from './0.20.0/index.js';
-export const updates = [update0065, update0066, update0067, update0068, update0069, update010, update011, update012, update013, update014, update015, update020, update022, update050, update051, update052, update053, update054, update055, update056, update057, update058, update060, update061, update062, update070, update071, update072, update073, update080, update090, update0100, update0110, update0120, update0130, update0131, update0132, update0133, update0134, update0140, update0141, update0142, update0143, update0144, update0145, update0146, update0150, update0151, update0152, update0153, update0154, update0155, update0160, update0180, update0190, update0200];
+import { update as update0210 } from './0.21.0/index.js';
+export const updates = [update0065, update0066, update0067, update0068, update0069, update010, update011, update012, update013, update014, update015, update020, update022, update050, update051, update052, update053, update054, update055, update056, update057, update058, update060, update061, update062, update070, update071, update072, update073, update080, update090, update0100, update0110, update0120, update0130, update0131, update0132, update0133, update0134, update0140, update0141, update0142, update0143, update0144, update0145, update0146, update0150, update0151, update0152, update0153, update0154, update0155, update0160, update0180, update0190, update0200, update0210];
 export const getUpdatesFrom = (fromVersion) => {
     const fromParts = fromVersion.split('.').map(Number);
     return updates.filter((update) => {

package/package.json

@@ -1,6 +1,6 @@
 {
 	"name": "includio-cms",
-	"version": "0.20.0",
+	"version": "0.21.0",
 	"scripts": {
 		"dev": "vite dev",
 		"build": "vite build && npm run prepack",
@@ -14,10 +14,16 @@
 		"test:unit": "vitest",
 		"test": "npm run test:unit -- --run && npm run test:e2e",
 		"test:e2e": "playwright test",
+		"test:coverage": "vitest run --coverage",
+		"pretest:integration": "pnpm prepack",
+		"test:integration": "TEST_DATABASE_URL=postgres://root:mysecretpassword@localhost:5434/test vitest run --project=integration",
 		"db:start": "docker compose up",
 		"db:push": "drizzle-kit push",
 		"db:migrate": "drizzle-kit migrate",
 		"db:studio": "drizzle-kit studio",
+		"db:test:up": "docker compose --profile test up -d db_test",
+		"db:test:down": "docker compose --profile test down db_test",
+		"db:test:migrate": "DATABASE_URL=postgres://root:mysecretpassword@localhost:5434/test drizzle-kit push --force",
 		"storybook": "storybook dev -p 6006",
 		"build-storybook": "storybook build",
 		"create:user": "tsx cli/addUser/index.ts",
@@ -229,7 +235,8 @@
 		"typescript": "^5.0.0",
 		"typescript-eslint": "^8.20.0",
 		"vite": "^7.2.2",
-		"vitest": "^3.2.3"
+		"vitest": "^3.2.3",
+		"@vitest/coverage-v8": "^3.2.3"
 	},
 	"keywords": [
 		"svelte"