includio-cms 0.20.0 → 0.22.0

package/dist/core/server/media/styles/sharp/generateImageStyle.js

@@ -1,6 +1,7 @@
 import { getCMS } from '../../../../cms.js';
 import sharp from 'sharp';
 import { calculateFocalCropRegion } from '../../utils/calculateFocalCropRegion.js';
+import { withTimeout, sharpTimeoutMs } from '../../../../../server/utils/withTimeout.js';
 export async function generateImageStyle(mediaFileId, style) {
     const mediaFile = await getCMS().databaseAdapter.getMediaFile({
         data: {
@@ -19,7 +20,7 @@ export async function generateImageStyle(mediaFileId, style) {
 }
 export async function generateImageStyleFromBuffer(buf, mediaFile, style) {
     // Read EXIF orientation before processing
-    const metadata = await sharp(buf).metadata();
+    const metadata = await withTimeout(sharp(buf).metadata(), sharpTimeoutMs(), 'sharp.metadata');
     // .rotate() applies EXIF orientation to pixels AND strips the tag from output.
     // Prevents double-rotation in WebP/JPEG where EXIF orientation tag may persist.
     let sharpInstance = sharp(buf).rotate();
@@ -79,7 +80,7 @@ export async function generateImageStyleFromBuffer(buf, mediaFile, style) {
     const originalExt = mediaFile.mimeType?.split('/').pop() ?? mediaFile.url.split('.').pop();
     const format = style.format ?? originalExt ?? 'jpeg';
     sharpInstance = sharpInstance.toFormat(format, style.quality != null ? { quality: Math.max(1, Math.min(100, style.quality)) } : undefined);
-    const outputBuffer = await sharpInstance.toBuffer();
+    const outputBuffer = await withTimeout(sharpInstance.toBuffer(), sharpTimeoutMs(), 'sharp.toBuffer');
     return getCMS().filesAdapter.uploadFile(new File([new Uint8Array(outputBuffer)], `${mediaFile.id}_${style.name}_${Date.now().toString(36)}.${format}`, {
         type: `image/${format}`
     }));

package/dist/core/server/media/utils/generateAdminThumbnail.js

@@ -1,14 +1,15 @@
 import { getCMS } from '../../../cms.js';
 import { isProcessableImage } from '../../fields/utils/imageStyles.js';
 import sharp from 'sharp';
+import { withTimeout, sharpTimeoutMs } from '../../../../server/utils/withTimeout.js';
 const THUMB_WIDTH = 400;
 const THUMB_QUALITY = 70;
 export async function generateAdminThumbnail(buffer, mediaFile) {
-    const output = await sharp(buffer)
+    const output = await withTimeout(sharp(buffer)
         .rotate()
         .resize(THUMB_WIDTH, undefined, { withoutEnlargement: true })
         .toFormat('webp', { quality: THUMB_QUALITY })
-        .toBuffer();
+        .toBuffer(), sharpTimeoutMs(), 'sharp.adminThumbnail');
     const filename = `${mediaFile.id}_admin_thumb_${Date.now().toString(36)}.webp`;
     const uploaded = await getCMS().filesAdapter.uploadFile(new File([new Uint8Array(output)], filename, { type: 'image/webp' }));
     return uploaded.url;

package/dist/core/server/media/utils/generateBlurDataUrl.js

@@ -1,5 +1,6 @@
 import sharp from 'sharp';
+import { withTimeout, sharpTimeoutMs } from '../../../../server/utils/withTimeout.js';
 export async function generateBlurDataUrl(buffer) {
-    const blurBuffer = await sharp(buffer).resize(20).blur(10).toFormat('webp').toBuffer();
+    const blurBuffer = await withTimeout(sharp(buffer).resize(20).blur(10).toFormat('webp').toBuffer(), sharpTimeoutMs(), 'sharp.blurDataUrl');
     return `data:image/webp;base64,${blurBuffer.toString('base64')}`;
 }

package/dist/db-postgres/index.d.ts

@@ -9,6 +9,16 @@ export type DatabaseAdapterWithDrizzle = DatabaseAdapter & {
 };
 /**
  * Postgres database adapter (drizzle + `postgres`).
+ *
+ * @param config - Connection options. `databaseUrl` is required.
+ * @returns A `DatabaseAdapter` wired to drizzle, plus `_drizzle` for advanced
+ *   queries from project code.
  * @public
+ * @example
+ * ```ts
+ * import { pg } from 'includio-cms/db-postgres';
+ *
+ * const db = pg({ databaseUrl: process.env.DATABASE_URL! });
+ * ```
  */
 export declare function pg(config: Config): DatabaseAdapterWithDrizzle;

package/dist/db-postgres/index.js

@@ -267,7 +267,17 @@ export * from './schema/index.js';
 export * from '../server/db/schema/auth-schema.js';
 /**
  * Postgres database adapter (drizzle + `postgres`).
+ *
+ * @param config - Connection options. `databaseUrl` is required.
+ * @returns A `DatabaseAdapter` wired to drizzle, plus `_drizzle` for advanced
+ *   queries from project code.
  * @public
+ * @example
+ * ```ts
+ * import { pg } from 'includio-cms/db-postgres';
+ *
+ * const db = pg({ databaseUrl: process.env.DATABASE_URL! });
+ * ```
  */
 export function pg(config) {
     const client = postgres(config.databaseUrl);

package/dist/email-nodemailer/index.d.ts

@@ -10,9 +10,21 @@ interface Options {
  *
  * `nodemailer` is an **optional peer dependency** — install it in your project
  * (`pnpm add nodemailer`) when using this adapter. The SDK loads lazily on first
- * `sendMail()`; missing peer throws a clear error.
+ * `sendMail()`; a missing peer throws a clear error.
  *
+ * @param options - SMTP transport options + default From address/name.
+ * @returns An `EmailAdapter` ready to use in `defineConfig({ email })`.
  * @public
+ * @example
+ * ```ts
+ * import { nodemailerAdapter } from 'includio-cms/email-nodemailer';
+ *
+ * const email = nodemailerAdapter({
+ *   defaultFromAddress: 'no-reply@example.com',
+ *   defaultFromName: 'Example',
+ *   transportOptions: { host: 'smtp.example.com', port: 587 }
+ * });
+ * ```
  */
 export declare function nodemailerAdapter(options: Options): EmailAdapter;
 export {};

package/dist/email-nodemailer/index.js

@@ -3,9 +3,21 @@
  *
  * `nodemailer` is an **optional peer dependency** — install it in your project
  * (`pnpm add nodemailer`) when using this adapter. The SDK loads lazily on first
- * `sendMail()`; missing peer throws a clear error.
+ * `sendMail()`; a missing peer throws a clear error.
  *
+ * @param options - SMTP transport options + default From address/name.
+ * @returns An `EmailAdapter` ready to use in `defineConfig({ email })`.
  * @public
+ * @example
+ * ```ts
+ * import { nodemailerAdapter } from 'includio-cms/email-nodemailer';
+ *
+ * const email = nodemailerAdapter({
+ *   defaultFromAddress: 'no-reply@example.com',
+ *   defaultFromName: 'Example',
+ *   transportOptions: { host: 'smtp.example.com', port: 587 }
+ * });
+ * ```
  */
 export function nodemailerAdapter(options) {
     let transporter = null;

package/dist/entity/index.d.ts

@@ -8,8 +8,23 @@ interface CreateOptions {
     sortOrder?: number;
 }
 /**
- * Creates a high-level Entity API (CRUD + publish/archive) bound to a CMS instance and a user.
+ * Creates a high-level Entity API (CRUD + publish/archive) bound to a CMS
+ * instance and a user. Use it from scripts, migrations, webhooks, or anywhere
+ * server-side that needs programmatic content access.
+ *
+ * @param cms - The CMS instance (typically from `getCMS()`).
+ * @param opts - Optional. `userId` is recorded as the `createdBy` for every
+ *   write (default: `'system'`).
+ * @returns An object with `create`, `update`, `publish`, `unpublish`,
+ *   `archive`, `unarchive`, `delete`, `list`, and `createAndPublish` methods.
  * @public
+ * @example
+ * ```ts
+ * import { getCMS, createEntityAPI } from 'includio-cms';
+ *
+ * const api = createEntityAPI(getCMS(), { userId: 'migration-script' });
+ * await api.createAndPublish('posts', { title: { en: 'Hello' } });
+ * ```
  */
 export declare function createEntityAPI(cms: CMS, opts?: EntityAPIOptions): {
     create(slug: string, data?: EntryData, options?: CreateOptions & {

package/dist/entity/index.js

@@ -2,8 +2,23 @@ import { generateZodSchemaFromFields } from '../core/fields/fieldSchemaToTs.js';
 import { getFieldsFromConfig } from '../core/fields/layoutUtils.js';
 import { _getRawEntries as getRawEntries } from '../core/server/entries/operations/get.js';
 /**
- * Creates a high-level Entity API (CRUD + publish/archive) bound to a CMS instance and a user.
+ * Creates a high-level Entity API (CRUD + publish/archive) bound to a CMS
+ * instance and a user. Use it from scripts, migrations, webhooks, or anywhere
+ * server-side that needs programmatic content access.
+ *
+ * @param cms - The CMS instance (typically from `getCMS()`).
+ * @param opts - Optional. `userId` is recorded as the `createdBy` for every
+ *   write (default: `'system'`).
+ * @returns An object with `create`, `update`, `publish`, `unpublish`,
+ *   `archive`, `unarchive`, `delete`, `list`, and `createAndPublish` methods.
  * @public
+ * @example
+ * ```ts
+ * import { getCMS, createEntityAPI } from 'includio-cms';
+ *
+ * const api = createEntityAPI(getCMS(), { userId: 'migration-script' });
+ * await api.createAndPublish('posts', { title: { en: 'Hello' } });
+ * ```
  */
 export function createEntityAPI(cms, opts) {
     const db = cms.databaseAdapter;

package/dist/files-local/index.d.ts

@@ -6,7 +6,18 @@ export interface LocalFilesConfig {
     ffprobePath?: string;
 }
 /**
- * Local-disk files adapter. Stores uploads under `./static/uploads` (dev) or `/data/uploads` (prod).
+ * Local-disk files adapter. Stores uploads under `./static/uploads` (dev) or
+ * `/data/uploads` (prod, switched on `NODE_ENV`).
+ *
+ * @param config - Optional. Override `ffmpegPath` / `ffprobePath` if the
+ *   binaries are not on `PATH`.
+ * @returns A `FilesAdapter` for local filesystem uploads.
  * @public
+ * @example
+ * ```ts
+ * import { local } from 'includio-cms/files-local';
+ *
+ * const files = local();
+ * ```
  */
 export declare function local(config?: LocalFilesConfig): FilesAdapter;

package/dist/files-local/index.js

@@ -21,8 +21,19 @@ async function ensureDir(dir) {
     }
 }
 /**
- * Local-disk files adapter. Stores uploads under `./static/uploads` (dev) or `/data/uploads` (prod).
+ * Local-disk files adapter. Stores uploads under `./static/uploads` (dev) or
+ * `/data/uploads` (prod, switched on `NODE_ENV`).
+ *
+ * @param config - Optional. Override `ffmpegPath` / `ffprobePath` if the
+ *   binaries are not on `PATH`.
+ * @returns A `FilesAdapter` for local filesystem uploads.
  * @public
+ * @example
+ * ```ts
+ * import { local } from 'includio-cms/files-local';
+ *
+ * const files = local();
+ * ```
  */
 export function local(config) {
     if (config?.ffmpegPath || config?.ffprobePath) {

package/dist/paraglide/messages/_index.d.ts

@@ -1,36 +1,3 @@
-export function hello_world(inputs: {
-    name: NonNullable<unknown>;
-}, options?: {
-    locale?: "en" | "pl";
-}): string;
-/**
-* This function has been compiled by [Paraglide JS](https://inlang.com/m/gerre34r).
-*
-* - Changing this function will be over-written by the next build.
-*
-* - If you want to change the translations, you can either edit the source files e.g. `en.json`, or
-* use another inlang app like [Fink](https://inlang.com/m/tdozzpar) or the [VSCode extension Sherlock](https://inlang.com/m/r7kp499g).
-*
-* @param {{}} inputs
-* @param {{ locale?: "en" | "pl" }} options
-* @returns {string}
-*/
-declare function login_hello(inputs?: {}, options?: {
-    locale?: "en" | "pl";
-}): string;
-/**
-* This function has been compiled by [Paraglide JS](https://inlang.com/m/gerre34r).
-*
-* - Changing this function will be over-written by the next build.
-*
-* - If you want to change the translations, you can either edit the source files e.g. `en.json`, or
-* use another inlang app like [Fink](https://inlang.com/m/tdozzpar) or the [VSCode extension Sherlock](https://inlang.com/m/r7kp499g).
-*
-* @param {{}} inputs
-* @param {{ locale?: "en" | "pl" }} options
-* @returns {string}
-*/
-declare function login_please_login(inputs?: {}, options?: {
-    locale?: "en" | "pl";
-}): string;
-export { login_hello as login.hello, login_please_login as login.please_login };
+export * from "./hello_world.js";
+export * from "./login_hello.js";
+export * from "./login_please_login.js";

package/dist/paraglide/messages/_index.js

@@ -1,72 +1,4 @@
 /* eslint-disable */
-import { getLocale, trackMessageCall, experimentalMiddlewareLocaleSplitting, isServer } from "../runtime.js"
-import * as en from "./en.js"
-import * as pl from "./pl.js"
-/**
-* This function has been compiled by [Paraglide JS](https://inlang.com/m/gerre34r).
-*
-* - Changing this function will be over-written by the next build.
-*
-* - If you want to change the translations, you can either edit the source files e.g. `en.json`, or
-* use another inlang app like [Fink](https://inlang.com/m/tdozzpar) or the [VSCode extension Sherlock](https://inlang.com/m/r7kp499g).
-* 
-* @param {{ name: NonNullable<unknown> }} inputs
-* @param {{ locale?: "en" | "pl" }} options
-* @returns {string}
-*/
-/* @__NO_SIDE_EFFECTS__ */
-export const hello_world = (inputs, options = {}) => {
-	if (experimentalMiddlewareLocaleSplitting && isServer === false) {
-		return /** @type {any} */ (globalThis).__paraglide_ssr.hello_world(inputs) 
-	}
-	const locale = options.locale ?? getLocale()
-	trackMessageCall("hello_world", locale)
-	if (locale === "en") return en.hello_world(inputs)
-	return pl.hello_world(inputs)
-};
-/**
-* This function has been compiled by [Paraglide JS](https://inlang.com/m/gerre34r).
-*
-* - Changing this function will be over-written by the next build.
-*
-* - If you want to change the translations, you can either edit the source files e.g. `en.json`, or
-* use another inlang app like [Fink](https://inlang.com/m/tdozzpar) or the [VSCode extension Sherlock](https://inlang.com/m/r7kp499g).
-* 
-* @param {{}} inputs
-* @param {{ locale?: "en" | "pl" }} options
-* @returns {string}
-*/
-/* @__NO_SIDE_EFFECTS__ */
-const login_hello = (inputs = {}, options = {}) => {
-	if (experimentalMiddlewareLocaleSplitting && isServer === false) {
-		return /** @type {any} */ (globalThis).__paraglide_ssr.login_hello(inputs) 
-	}
-	const locale = options.locale ?? getLocale()
-	trackMessageCall("login_hello", locale)
-	if (locale === "en") return en.login_hello(inputs)
-	return pl.login_hello(inputs)
-};
-export { login_hello as "login.hello" }
-/**
-* This function has been compiled by [Paraglide JS](https://inlang.com/m/gerre34r).
-*
-* - Changing this function will be over-written by the next build.
-*
-* - If you want to change the translations, you can either edit the source files e.g. `en.json`, or
-* use another inlang app like [Fink](https://inlang.com/m/tdozzpar) or the [VSCode extension Sherlock](https://inlang.com/m/r7kp499g).
-* 
-* @param {{}} inputs
-* @param {{ locale?: "en" | "pl" }} options
-* @returns {string}
-*/
-/* @__NO_SIDE_EFFECTS__ */
-const login_please_login = (inputs = {}, options = {}) => {
-	if (experimentalMiddlewareLocaleSplitting && isServer === false) {
-		return /** @type {any} */ (globalThis).__paraglide_ssr.login_please_login(inputs) 
-	}
-	const locale = options.locale ?? getLocale()
-	trackMessageCall("login_please_login", locale)
-	if (locale === "en") return en.login_please_login(inputs)
-	return pl.login_please_login(inputs)
-};
-export { login_please_login as "login.please_login" }
+export * from './hello_world.js'
+export * from './login_hello.js'
+export * from './login_please_login.js'

package/dist/paraglide/messages/hello_world.d.ts

@@ -0,0 +1,5 @@
+export function hello_world(inputs: {
+    name: NonNullable<unknown>;
+}, options?: {
+    locale?: "en" | "pl";
+}): string;

package/dist/paraglide/messages/hello_world.js

@@ -0,0 +1,33 @@
+/* eslint-disable */
+import { getLocale, trackMessageCall, experimentalMiddlewareLocaleSplitting, isServer } from '../runtime.js';
+
+const en_hello_world = /** @type {(inputs: { name: NonNullable<unknown> }) => string} */ (i) => {
+	return `Hello, ${i.name} from en!`
+};
+
+const pl_hello_world = /** @type {(inputs: { name: NonNullable<unknown> }) => string} */ (i) => {
+	return `Hello, ${i.name} from pl!`
+};
+
+/**
+* This function has been compiled by [Paraglide JS](https://inlang.com/m/gerre34r).
+*
+* - Changing this function will be over-written by the next build.
+*
+* - If you want to change the translations, you can either edit the source files e.g. `en.json`, or
+* use another inlang app like [Fink](https://inlang.com/m/tdozzpar) or the [VSCode extension Sherlock](https://inlang.com/m/r7kp499g).
+* 
+* @param {{ name: NonNullable<unknown> }} inputs
+* @param {{ locale?: "en" | "pl" }} options
+* @returns {string}
+*/
+/* @__NO_SIDE_EFFECTS__ */
+export const hello_world = (inputs, options = {}) => {
+	if (experimentalMiddlewareLocaleSplitting && isServer === false) {
+		return /** @type {any} */ (globalThis).__paraglide_ssr.hello_world(inputs) 
+	}
+	const locale = options.locale ?? getLocale()
+	trackMessageCall("hello_world", locale)
+	if (locale === "en") return en_hello_world(inputs)
+	return pl_hello_world(inputs)
+};

package/dist/paraglide/messages/login_hello.d.ts

@@ -0,0 +1,16 @@
+export { login_hello as login.hello };
+/**
+* This function has been compiled by [Paraglide JS](https://inlang.com/m/gerre34r).
+*
+* - Changing this function will be over-written by the next build.
+*
+* - If you want to change the translations, you can either edit the source files e.g. `en.json`, or
+* use another inlang app like [Fink](https://inlang.com/m/tdozzpar) or the [VSCode extension Sherlock](https://inlang.com/m/r7kp499g).
+*
+* @param {{}} inputs
+* @param {{ locale?: "en" | "pl" }} options
+* @returns {string}
+*/
+declare function login_hello(inputs?: {}, options?: {
+    locale?: "en" | "pl";
+}): string;

package/dist/paraglide/messages/login_hello.js

@@ -0,0 +1,34 @@
+/* eslint-disable */
+import { getLocale, trackMessageCall, experimentalMiddlewareLocaleSplitting, isServer } from '../runtime.js';
+
+const en_login_hello = /** @type {(inputs: {}) => string} */ () => {
+	return `Welcome back`
+};
+
+const pl_login_hello = /** @type {(inputs: {}) => string} */ () => {
+	return `Witaj ponownie`
+};
+
+/**
+* This function has been compiled by [Paraglide JS](https://inlang.com/m/gerre34r).
+*
+* - Changing this function will be over-written by the next build.
+*
+* - If you want to change the translations, you can either edit the source files e.g. `en.json`, or
+* use another inlang app like [Fink](https://inlang.com/m/tdozzpar) or the [VSCode extension Sherlock](https://inlang.com/m/r7kp499g).
+* 
+* @param {{}} inputs
+* @param {{ locale?: "en" | "pl" }} options
+* @returns {string}
+*/
+/* @__NO_SIDE_EFFECTS__ */
+const login_hello = (inputs = {}, options = {}) => {
+	if (experimentalMiddlewareLocaleSplitting && isServer === false) {
+		return /** @type {any} */ (globalThis).__paraglide_ssr.login_hello(inputs) 
+	}
+	const locale = options.locale ?? getLocale()
+	trackMessageCall("login_hello", locale)
+	if (locale === "en") return en_login_hello(inputs)
+	return pl_login_hello(inputs)
+};
+export { login_hello as "login.hello" }

package/dist/paraglide/messages/login_please_login.d.ts

@@ -0,0 +1,16 @@
+export { login_please_login as login.please_login };
+/**
+* This function has been compiled by [Paraglide JS](https://inlang.com/m/gerre34r).
+*
+* - Changing this function will be over-written by the next build.
+*
+* - If you want to change the translations, you can either edit the source files e.g. `en.json`, or
+* use another inlang app like [Fink](https://inlang.com/m/tdozzpar) or the [VSCode extension Sherlock](https://inlang.com/m/r7kp499g).
+*
+* @param {{}} inputs
+* @param {{ locale?: "en" | "pl" }} options
+* @returns {string}
+*/
+declare function login_please_login(inputs?: {}, options?: {
+    locale?: "en" | "pl";
+}): string;

package/dist/paraglide/messages/login_please_login.js

@@ -0,0 +1,34 @@
+/* eslint-disable */
+import { getLocale, trackMessageCall, experimentalMiddlewareLocaleSplitting, isServer } from '../runtime.js';
+
+const en_login_please_login = /** @type {(inputs: {}) => string} */ () => {
+	return `Login to your account`
+};
+
+const pl_login_please_login = /** @type {(inputs: {}) => string} */ () => {
+	return `Zaloguj się na swoje konto`
+};
+
+/**
+* This function has been compiled by [Paraglide JS](https://inlang.com/m/gerre34r).
+*
+* - Changing this function will be over-written by the next build.
+*
+* - If you want to change the translations, you can either edit the source files e.g. `en.json`, or
+* use another inlang app like [Fink](https://inlang.com/m/tdozzpar) or the [VSCode extension Sherlock](https://inlang.com/m/r7kp499g).
+* 
+* @param {{}} inputs
+* @param {{ locale?: "en" | "pl" }} options
+* @returns {string}
+*/
+/* @__NO_SIDE_EFFECTS__ */
+const login_please_login = (inputs = {}, options = {}) => {
+	if (experimentalMiddlewareLocaleSplitting && isServer === false) {
+		return /** @type {any} */ (globalThis).__paraglide_ssr.login_please_login(inputs) 
+	}
+	const locale = options.locale ?? getLocale()
+	trackMessageCall("login_please_login", locale)
+	if (locale === "en") return en_login_please_login(inputs)
+	return pl_login_please_login(inputs)
+};
+export { login_please_login as "login.please_login" }

package/dist/server/auth.d.ts

@@ -1,5 +1,16 @@
 /**
  * Returns the underlying `better-auth` instance from the initialized CMS.
+ * Use it to integrate with custom auth flows or read session data.
+ *
+ * @returns The `better-auth` instance configured by the CMS.
+ * @throws {Error} when the CMS was started without `auth` config.
  * @public
+ * @example
+ * ```ts
+ * import { getAuth } from 'includio-cms/sveltekit/server';
+ *
+ * const auth = getAuth();
+ * const session = await auth.api.getSession({ headers: request.headers });
+ * ```
  */
 export declare function getAuth(): import("better-auth", { with: { "resolution-mode": "require" } }).Auth<import("better-auth", { with: { "resolution-mode": "require" } }).BetterAuthOptions>;

package/dist/server/auth.js

@@ -1,7 +1,18 @@
 import { getCMS } from '../core/cms.js';
 /**
  * Returns the underlying `better-auth` instance from the initialized CMS.
+ * Use it to integrate with custom auth flows or read session data.
+ *
+ * @returns The `better-auth` instance configured by the CMS.
+ * @throws {Error} when the CMS was started without `auth` config.
  * @public
+ * @example
+ * ```ts
+ * import { getAuth } from 'includio-cms/sveltekit/server';
+ *
+ * const auth = getAuth();
+ * const session = await auth.api.getSession({ headers: request.headers });
+ * ```
  */
 export function getAuth() {
     return getCMS().auth;

package/dist/server/security/csp.d.ts

@@ -0,0 +1,16 @@
+export interface CspOptions {
+    scriptSrc?: string[];
+    styleSrc?: string[];
+    imgSrc?: string[];
+    mediaSrc?: string[];
+    fontSrc?: string[];
+    connectSrc?: string[];
+    frameAncestors?: string[];
+}
+/**
+ * Build a Content-Security-Policy header value with v1.0 defaults.
+ * `'unsafe-inline'` is allowed on `script-src`/`style-src` because TipTap and
+ * paraglide emit inline code; documented in `KNOWN-RISKS.md`.
+ * @internal
+ */
+export declare function buildCspHeader(opts?: CspOptions): string;

package/dist/server/security/csp.js

@@ -0,0 +1,33 @@
+const DEFAULTS = {
+    scriptSrc: ["'self'", "'unsafe-inline'"],
+    styleSrc: ["'self'", "'unsafe-inline'"],
+    imgSrc: ["'self'", 'data:', 'blob:'],
+    mediaSrc: ["'self'", 'blob:'],
+    fontSrc: ["'self'", 'data:'],
+    connectSrc: ["'self'"],
+    frameAncestors: ["'self'"]
+};
+/**
+ * Build a Content-Security-Policy header value with v1.0 defaults.
+ * `'unsafe-inline'` is allowed on `script-src`/`style-src` because TipTap and
+ * paraglide emit inline code; documented in `KNOWN-RISKS.md`.
+ * @internal
+ */
+export function buildCspHeader(opts = {}) {
+    const merge = (key, extra) => {
+        const base = DEFAULTS[key];
+        return extra && extra.length ? Array.from(new Set([...base, ...extra])) : [...base];
+    };
+    return [
+        `default-src 'self'`,
+        `script-src ${merge('scriptSrc', opts.scriptSrc).join(' ')}`,
+        `style-src ${merge('styleSrc', opts.styleSrc).join(' ')}`,
+        `img-src ${merge('imgSrc', opts.imgSrc).join(' ')}`,
+        `media-src ${merge('mediaSrc', opts.mediaSrc).join(' ')}`,
+        `font-src ${merge('fontSrc', opts.fontSrc).join(' ')}`,
+        `connect-src ${merge('connectSrc', opts.connectSrc).join(' ')}`,
+        `object-src 'none'`,
+        `base-uri 'self'`,
+        `frame-ancestors ${merge('frameAncestors', opts.frameAncestors).join(' ')}`
+    ].join('; ');
+}

package/dist/server/security/csrf.d.ts

@@ -0,0 +1,13 @@
+import type { Handle, RequestEvent } from '@sveltejs/kit';
+/**
+ * Returns true when a request is CSRF-safe: a non-mutating method, or a mutating
+ * method whose Origin/Referer matches the request URL origin (or the env allowlist).
+ * @internal
+ */
+export declare function isCsrfSafe(event: RequestEvent): boolean;
+/**
+ * SvelteKit handle that rejects mutating requests under `/admin/api/*` lacking a
+ * matching Origin/Referer header. Other paths and safe methods pass through.
+ * @internal
+ */
+export declare const csrfGuard: Handle;

package/dist/server/security/csrf.js

@@ -0,0 +1,49 @@
+const MUTATING_METHODS = new Set(['POST', 'PUT', 'PATCH', 'DELETE']);
+function getAllowedOrigins() {
+    const env = process.env.INCLUDIO_CSRF_ALLOWED_ORIGINS ?? '';
+    return new Set(env
+        .split(',')
+        .map((s) => s.trim())
+        .filter(Boolean));
+}
+/**
+ * Returns true when a request is CSRF-safe: a non-mutating method, or a mutating
+ * method whose Origin/Referer matches the request URL origin (or the env allowlist).
+ * @internal
+ */
+export function isCsrfSafe(event) {
+    const method = event.request.method.toUpperCase();
+    if (!MUTATING_METHODS.has(method))
+        return true;
+    const expected = event.url.origin;
+    const allowed = getAllowedOrigins();
+    const origin = event.request.headers.get('origin');
+    if (origin)
+        return origin === expected || allowed.has(origin);
+    const referer = event.request.headers.get('referer');
+    if (referer) {
+        try {
+            const refOrigin = new URL(referer).origin;
+            return refOrigin === expected || allowed.has(refOrigin);
+        }
+        catch {
+            return false;
+        }
+    }
+    return false;
+}
+/**
+ * SvelteKit handle that rejects mutating requests under `/admin/api/*` lacking a
+ * matching Origin/Referer header. Other paths and safe methods pass through.
+ * @internal
+ */
+export const csrfGuard = async ({ event, resolve }) => {
+    if (!event.url.pathname.startsWith('/admin/api/'))
+        return resolve(event);
+    if (isCsrfSafe(event))
+        return resolve(event);
+    return new Response(JSON.stringify({ error: 'csrf_rejected' }), {
+        status: 403,
+        headers: { 'content-type': 'application/json' }
+    });
+};

package/dist/server/security/index.d.ts

@@ -0,0 +1,3 @@
+export { csrfGuard, isCsrfSafe } from './csrf.js';
+export { rateLimitGuard, MemoryRateLimitStore, type RateLimitStore, type RateLimitResult, type RateLimitGuardOptions } from './rate-limit.js';
+export { buildCspHeader, type CspOptions } from './csp.js';