includio-cms 0.20.0 → 0.22.0

package/dist/server/security/index.js

@@ -0,0 +1,3 @@
+export { csrfGuard, isCsrfSafe } from './csrf.js';
+export { rateLimitGuard, MemoryRateLimitStore } from './rate-limit.js';
+export { buildCspHeader } from './csp.js';

package/dist/server/security/rate-limit.d.ts

@@ -0,0 +1,44 @@
+import type { Handle, RequestEvent } from '@sveltejs/kit';
+export interface RateLimitResult {
+    allowed: boolean;
+    remaining: number;
+    resetAt: number;
+}
+/**
+ * Pluggable storage for {@link rateLimitGuard}. The default implementation is
+ * in-memory; multi-node deploys should provide a Redis-backed store.
+ * @internal
+ */
+export interface RateLimitStore {
+    hit(key: string, windowMs: number, limit: number): Promise<RateLimitResult>;
+}
+/**
+ * In-memory {@link RateLimitStore}. Per-process; not safe across multiple nodes.
+ * @internal
+ */
+export declare class MemoryRateLimitStore implements RateLimitStore {
+    private buckets;
+    private cleanupInterval;
+    constructor(opts?: {
+        cleanupMs?: number;
+    });
+    hit(key: string, windowMs: number, limit: number): Promise<RateLimitResult>;
+    private cleanup;
+    reset(key?: string): void;
+    dispose(): void;
+}
+export interface RateLimitGuardOptions {
+    store?: RateLimitStore;
+    limit?: number;
+    windowMs?: number;
+    pathPrefix?: string;
+    key?: (event: RequestEvent) => string;
+}
+/**
+ * SvelteKit handle that limits requests under `pathPrefix` (default `/admin/api/`)
+ * per key (default: authenticated user id, falling back to client IP). Returns
+ * 429 with `Retry-After` when exceeded. Defaults: 200 req / 60s, override via env
+ * `INCLUDIO_RATE_LIMIT_MAX` / `INCLUDIO_RATE_LIMIT_WINDOW_MS`.
+ * @internal
+ */
+export declare function rateLimitGuard(opts?: RateLimitGuardOptions): Handle;

package/dist/server/security/rate-limit.js

@@ -0,0 +1,97 @@
+import { json } from '@sveltejs/kit';
+/**
+ * In-memory {@link RateLimitStore}. Per-process; not safe across multiple nodes.
+ * @internal
+ */
+export class MemoryRateLimitStore {
+    buckets = new Map();
+    cleanupInterval;
+    constructor(opts = {}) {
+        const cleanupMs = opts.cleanupMs ?? 60_000;
+        if (cleanupMs > 0 && typeof setInterval === 'function') {
+            this.cleanupInterval = setInterval(() => this.cleanup(), cleanupMs);
+            const i = this.cleanupInterval;
+            if (typeof i.unref === 'function')
+                i.unref();
+        }
+    }
+    async hit(key, windowMs, limit) {
+        const now = Date.now();
+        const bucket = this.buckets.get(key);
+        if (!bucket || bucket.resetAt <= now) {
+            const fresh = { count: 1, resetAt: now + windowMs };
+            this.buckets.set(key, fresh);
+            return { allowed: true, remaining: Math.max(0, limit - 1), resetAt: fresh.resetAt };
+        }
+        if (bucket.count >= limit) {
+            return { allowed: false, remaining: 0, resetAt: bucket.resetAt };
+        }
+        bucket.count += 1;
+        return { allowed: true, remaining: limit - bucket.count, resetAt: bucket.resetAt };
+    }
+    cleanup() {
+        const now = Date.now();
+        for (const [k, b] of this.buckets) {
+            if (b.resetAt <= now)
+                this.buckets.delete(k);
+        }
+    }
+    reset(key) {
+        if (key)
+            this.buckets.delete(key);
+        else
+            this.buckets.clear();
+    }
+    dispose() {
+        if (this.cleanupInterval)
+            clearInterval(this.cleanupInterval);
+        this.cleanupInterval = undefined;
+    }
+}
+function num(env, fallback) {
+    const n = env ? Number(env) : NaN;
+    return Number.isFinite(n) && n > 0 ? n : fallback;
+}
+/**
+ * SvelteKit handle that limits requests under `pathPrefix` (default `/admin/api/`)
+ * per key (default: authenticated user id, falling back to client IP). Returns
+ * 429 with `Retry-After` when exceeded. Defaults: 200 req / 60s, override via env
+ * `INCLUDIO_RATE_LIMIT_MAX` / `INCLUDIO_RATE_LIMIT_WINDOW_MS`.
+ * @internal
+ */
+export function rateLimitGuard(opts = {}) {
+    const store = opts.store ?? new MemoryRateLimitStore();
+    const limit = opts.limit ?? num(process.env.INCLUDIO_RATE_LIMIT_MAX, 200);
+    const windowMs = opts.windowMs ?? num(process.env.INCLUDIO_RATE_LIMIT_WINDOW_MS, 60_000);
+    const pathPrefix = opts.pathPrefix ?? '/admin/api/';
+    const keyFn = opts.key ??
+        ((event) => {
+            const userId = event.locals?.user?.id;
+            if (userId)
+                return `u:${userId}`;
+            try {
+                return `ip:${event.getClientAddress()}`;
+            }
+            catch {
+                return 'ip:unknown';
+            }
+        });
+    return async ({ event, resolve }) => {
+        if (!event.url.pathname.startsWith(pathPrefix))
+            return resolve(event);
+        const result = await store.hit(keyFn(event), windowMs, limit);
+        if (!result.allowed) {
+            const retryAfter = Math.max(1, Math.ceil((result.resetAt - Date.now()) / 1000));
+            return json({ error: 'rate_limited', resetAt: result.resetAt }, {
+                status: 429,
+                headers: {
+                    'retry-after': String(retryAfter),
+                    'x-ratelimit-limit': String(limit),
+                    'x-ratelimit-remaining': '0',
+                    'x-ratelimit-reset': String(Math.ceil(result.resetAt / 1000))
+                }
+            });
+        }
+        return resolve(event);
+    };
+}

package/dist/server/utils/withTimeout.d.ts

@@ -0,0 +1,21 @@
+/**
+ * Race a promise against a deadline. Resolves with the original promise's value
+ * if it settles before `ms`; otherwise rejects with {@link TimeoutError}.
+ * Cleans up the timer in both success and failure paths so it never holds the
+ * event loop.
+ * @internal
+ */
+export declare class TimeoutError extends Error {
+    readonly label: string;
+    readonly ms: number;
+    readonly name = "TimeoutError";
+    constructor(label: string, ms: number);
+}
+/** @internal */
+export declare function withTimeout<T>(promise: Promise<T>, ms: number, label: string): Promise<T>;
+/**
+ * Resolved timeout (ms) for sharp operations. Override via `INCLUDIO_SHARP_TIMEOUT_MS`.
+ * Documented in `KNOWN-RISKS.md` §4.
+ * @internal
+ */
+export declare function sharpTimeoutMs(): number;

package/dist/server/utils/withTimeout.js

@@ -0,0 +1,37 @@
+/**
+ * Race a promise against a deadline. Resolves with the original promise's value
+ * if it settles before `ms`; otherwise rejects with {@link TimeoutError}.
+ * Cleans up the timer in both success and failure paths so it never holds the
+ * event loop.
+ * @internal
+ */
+export class TimeoutError extends Error {
+    label;
+    ms;
+    name = 'TimeoutError';
+    constructor(label, ms) {
+        super(`${label} timed out after ${ms}ms`);
+        this.label = label;
+        this.ms = ms;
+    }
+}
+/** @internal */
+export function withTimeout(promise, ms, label) {
+    let timer;
+    const timeout = new Promise((_, reject) => {
+        timer = setTimeout(() => reject(new TimeoutError(label, ms)), ms);
+    });
+    return Promise.race([promise, timeout]).finally(() => {
+        if (timer)
+            clearTimeout(timer);
+    });
+}
+/**
+ * Resolved timeout (ms) for sharp operations. Override via `INCLUDIO_SHARP_TIMEOUT_MS`.
+ * Documented in `KNOWN-RISKS.md` §4.
+ * @internal
+ */
+export function sharpTimeoutMs() {
+    const n = Number(process.env.INCLUDIO_SHARP_TIMEOUT_MS);
+    return Number.isFinite(n) && n > 0 ? n : 30_000;
+}

package/dist/sveltekit/config.d.ts

@@ -14,27 +14,90 @@ type SingleInput = Omit<SingleConfig, 'fields'> & {
 };
 /**
  * Defines the root CMS configuration. Pass to `includioCMS()` in `hooks.server.ts`.
+ *
+ * Runs strict runtime validation: invalid configs throw a `ConfigValidationError`
+ * (extends `CmsError`) listing every issue with a path and a fix hint, e.g.
+ *   `languages[0].code: must be a 2-letter ISO code (e.g. 'en')`
+ *
+ * @param config - The CMSConfig (collections, singles, forms, adapters, languages, ...).
+ * @returns The same config, parsed and frozen against typos.
+ * @throws {ConfigValidationError} when validation fails — message aggregates all issues.
  * @public
+ * @example
+ * ```ts
+ * import { defineConfig } from 'includio-cms';
+ * export default defineConfig({
+ *   languages: [{ code: 'en', default: true }],
+ *   db, files,
+ *   collections: [postsCollection]
+ * });
+ * ```
  */
 export declare function defineConfig(config: CMSConfig): CMSConfig;
 /**
- * Defines a collection (multi-entry content type).
+ * Defines a collection (multi-entry content type, e.g. blog posts, products).
+ *
+ * @param config - Collection config with slug, fields, and optional layout/labels/icon.
+ * @returns A typed `CollectionConfig` ready to drop into `defineConfig({ collections: [...] })`.
  * @public
+ * @example
+ * ```ts
+ * export const posts = defineCollection({
+ *   slug: 'posts',
+ *   labels: { singular: 'Post', plural: 'Posts' },
+ *   fields: [{ slug: 'title', type: 'text', required: true }]
+ * });
+ * ```
  */
 export declare function defineCollection(config: CollectionInput): CollectionConfig;
 /**
- * Defines a singleton (single-entry content type, e.g. site settings).
+ * Defines a singleton (single-entry content type, e.g. site settings, homepage).
+ *
+ * @param config - Single config with slug, fields, and optional label/layout.
+ * @returns A typed `SingleConfig` ready to drop into `defineConfig({ singles: [...] })`.
  * @public
+ * @example
+ * ```ts
+ * export const settings = defineSingle({
+ *   slug: 'settings',
+ *   fields: [{ slug: 'siteName', type: 'text' }]
+ * });
+ * ```
  */
 export declare function defineSingle(config: SingleInput): SingleConfig;
 /**
- * Defines a public form (submitted via `/api/forms/[slug]/submit`).
+ * Defines a public form (submitted via `POST /api/forms/[slug]/submit`).
+ *
+ * @param config - Form config with slug, label, fields, and optional notification emails.
+ * @returns The `FormConfig` ready to drop into `defineConfig({ forms: [...] })`.
  * @public
+ * @example
+ * ```ts
+ * export const contact = defineForm({
+ *   slug: 'contact',
+ *   label: 'Contact us',
+ *   fields: [{ slug: 'email', type: 'email', required: true }]
+ * });
+ * ```
  */
 export declare function defineForm(config: FormConfig): FormConfig;
 /**
- * Defines a reusable object field (nested record). Use inside `fields[]`.
+ * Defines a reusable object field (nested record). Use inline inside `fields[]`
+ * or as an entry in a `blocks` field.
+ *
+ * @param config - Object field shape sans the `type` discriminator.
+ * @returns The full `ObjectField` (with `type: 'object'` injected).
  * @public
+ * @example
+ * ```ts
+ * const cta = defineObject({
+ *   slug: 'cta',
+ *   fields: [
+ *     { slug: 'label', type: 'text' },
+ *     { slug: 'href', type: 'url' }
+ *   ]
+ * });
+ * ```
  */
 export declare function defineObject(config: Omit<ObjectField, 'type'>): ObjectField;
 export {};

package/dist/sveltekit/config.js

@@ -1,34 +1,103 @@
+import { cmsConfigSchema } from '../types/cms.schema.js';
+import { formatConfigError } from '../core/errors.js';
 /**
  * Defines the root CMS configuration. Pass to `includioCMS()` in `hooks.server.ts`.
+ *
+ * Runs strict runtime validation: invalid configs throw a `ConfigValidationError`
+ * (extends `CmsError`) listing every issue with a path and a fix hint, e.g.
+ *   `languages[0].code: must be a 2-letter ISO code (e.g. 'en')`
+ *
+ * @param config - The CMSConfig (collections, singles, forms, adapters, languages, ...).
+ * @returns The same config, parsed and frozen against typos.
+ * @throws {ConfigValidationError} when validation fails — message aggregates all issues.
  * @public
+ * @example
+ * ```ts
+ * import { defineConfig } from 'includio-cms';
+ * export default defineConfig({
+ *   languages: [{ code: 'en', default: true }],
+ *   db, files,
+ *   collections: [postsCollection]
+ * });
+ * ```
  */
 export function defineConfig(config) {
+    const result = cmsConfigSchema.safeParse(config);
+    if (!result.success) {
+        throw formatConfigError(result.error);
+    }
     return config;
 }
 /**
- * Defines a collection (multi-entry content type).
+ * Defines a collection (multi-entry content type, e.g. blog posts, products).
+ *
+ * @param config - Collection config with slug, fields, and optional layout/labels/icon.
+ * @returns A typed `CollectionConfig` ready to drop into `defineConfig({ collections: [...] })`.
  * @public
+ * @example
+ * ```ts
+ * export const posts = defineCollection({
+ *   slug: 'posts',
+ *   labels: { singular: 'Post', plural: 'Posts' },
+ *   fields: [{ slug: 'title', type: 'text', required: true }]
+ * });
+ * ```
  */
 export function defineCollection(config) {
     return config;
 }
 /**
- * Defines a singleton (single-entry content type, e.g. site settings).
+ * Defines a singleton (single-entry content type, e.g. site settings, homepage).
+ *
+ * @param config - Single config with slug, fields, and optional label/layout.
+ * @returns A typed `SingleConfig` ready to drop into `defineConfig({ singles: [...] })`.
  * @public
+ * @example
+ * ```ts
+ * export const settings = defineSingle({
+ *   slug: 'settings',
+ *   fields: [{ slug: 'siteName', type: 'text' }]
+ * });
+ * ```
  */
 export function defineSingle(config) {
     return config;
 }
 /**
- * Defines a public form (submitted via `/api/forms/[slug]/submit`).
+ * Defines a public form (submitted via `POST /api/forms/[slug]/submit`).
+ *
+ * @param config - Form config with slug, label, fields, and optional notification emails.
+ * @returns The `FormConfig` ready to drop into `defineConfig({ forms: [...] })`.
  * @public
+ * @example
+ * ```ts
+ * export const contact = defineForm({
+ *   slug: 'contact',
+ *   label: 'Contact us',
+ *   fields: [{ slug: 'email', type: 'email', required: true }]
+ * });
+ * ```
  */
 export function defineForm(config) {
     return config;
 }
 /**
- * Defines a reusable object field (nested record). Use inside `fields[]`.
+ * Defines a reusable object field (nested record). Use inline inside `fields[]`
+ * or as an entry in a `blocks` field.
+ *
+ * @param config - Object field shape sans the `type` discriminator.
+ * @returns The full `ObjectField` (with `type: 'object'` injected).
  * @public
+ * @example
+ * ```ts
+ * const cta = defineObject({
+ *   slug: 'cta',
+ *   fields: [
+ *     { slug: 'label', type: 'text' },
+ *     { slug: 'href', type: 'url' }
+ *   ]
+ * });
+ * ```
  */
 export function defineObject(config) {
     return { ...config, type: 'object' };

package/dist/sveltekit/server/handle.d.ts

@@ -1,7 +1,21 @@
 import { type Handle } from '@sveltejs/kit';
 import type { CMSConfig } from '../../types/cms.js';
 /**
- * SvelteKit `Handle[]` array that initializes the CMS, generates runtime artifacts, wires auth/admin guards, and exposes `event.locals.cmsContext`. Compose with `sequence()` in `hooks.server.ts`.
+ * SvelteKit `Handle[]` array that initializes the CMS, generates runtime
+ * artifacts, wires auth/admin guards, and exposes `event.locals.cmsContext`.
+ * Compose with `sequence()` in `hooks.server.ts`.
+ *
+ * @param cmsConfig - The output of `defineConfig({ ... })`.
+ * @returns An array of `Handle` middlewares. Pass to `sequence()`.
  * @public
+ * @example
+ * ```ts
+ * // src/hooks.server.ts
+ * import { sequence } from '@sveltejs/kit/hooks';
+ * import { includioCMS } from 'includio-cms/sveltekit/server';
+ * import cmsConfig from '../../cms/cms.config';
+ *
+ * export const handle = sequence(...includioCMS(cmsConfig));
+ * ```
  */
 export declare function includioCMS(cmsConfig: CMSConfig): Handle[];

package/dist/sveltekit/server/handle.js

@@ -4,6 +4,9 @@ import { getCMS, initCMS } from '../../core/cms.js';
 import { generateRuntime } from '../../core/server/generator/generator.js';
 import { svelteKitHandler } from 'better-auth/svelte-kit';
 import { building } from '$app/environment';
+import { csrfGuard } from '../../server/security/csrf.js';
+import { rateLimitGuard } from '../../server/security/rate-limit.js';
+import { buildCspHeader } from '../../server/security/csp.js';
 const adminGuard = async ({ event, resolve }) => {
     const { user, session } = event.locals;
     // Secure the admin routes
@@ -66,25 +69,43 @@ const detectBrowserContext = async ({ event, resolve }) => {
     return resolve(event);
 };
 /**
- * SvelteKit `Handle[]` array that initializes the CMS, generates runtime artifacts, wires auth/admin guards, and exposes `event.locals.cmsContext`. Compose with `sequence()` in `hooks.server.ts`.
+ * SvelteKit `Handle[]` array that initializes the CMS, generates runtime
+ * artifacts, wires auth/admin guards, and exposes `event.locals.cmsContext`.
+ * Compose with `sequence()` in `hooks.server.ts`.
+ *
+ * @param cmsConfig - The output of `defineConfig({ ... })`.
+ * @returns An array of `Handle` middlewares. Pass to `sequence()`.
  * @public
+ * @example
+ * ```ts
+ * // src/hooks.server.ts
+ * import { sequence } from '@sveltejs/kit/hooks';
+ * import { includioCMS } from 'includio-cms/sveltekit/server';
+ * import cmsConfig from '../../cms/cms.config';
+ *
+ * export const handle = sequence(...includioCMS(cmsConfig));
+ * ```
  */
 export function includioCMS(cmsConfig) {
     generateRuntime(cmsConfig); // Generate runtime code based on the CMS config
     initCMS(cmsConfig);
     const handles = [];
     handles.push(detectBrowserContext);
+    handles.push(csrfGuard);
     if (cmsConfig.auth) {
         handles.push(handleAuth);
     }
+    handles.push(rateLimitGuard());
     handles.push(adminGuard);
     handles.push(securityHeaders);
     return handles;
 }
+const CSP_VALUE = buildCspHeader();
 const securityHeaders = async ({ event, resolve }) => {
     const response = await resolve(event);
     response.headers.set('X-Content-Type-Options', 'nosniff');
     response.headers.set('X-Frame-Options', 'SAMEORIGIN');
     response.headers.set('Referrer-Policy', 'strict-origin-when-cross-origin');
+    response.headers.set('Content-Security-Policy', CSP_VALUE);
     return response;
 };

package/dist/sveltekit/server/index.d.ts

@@ -6,3 +6,4 @@ export { parseFormDataForSubmission } from '../../core/server/forms/submissions/
 export { createConsentLog } from '../../core/server/consentLogs/operations/create.js';
 export { getPreviewEntry } from './preview.js';
 export { createRestApiHandler } from '../../admin/api/rest/handler.js';
+export { generateApiKey } from '../../admin/api/rest/middleware/generateApiKey.js';

package/dist/sveltekit/server/index.js

@@ -7,3 +7,4 @@ export { createConsentLog } from '../../core/server/consentLogs/operations/creat
 export { getPreviewEntry } from './preview.js';
 // Folded from `./admin/api/rest/handler` (dropped as separate export in 0.20.0)
 export { createRestApiHandler } from '../../admin/api/rest/handler.js';
+export { generateApiKey } from '../../admin/api/rest/middleware/generateApiKey.js';

package/dist/sveltekit/server/layout.d.ts

@@ -1,7 +1,18 @@
 import type { RequestEvent } from '@sveltejs/kit';
 /**
- * Returns `cmsContext` from `event.locals` for use in a SvelteKit layout `load`. Drop into your `+layout.server.ts`.
+ * Returns `cmsContext` from `event.locals` for use in a SvelteKit layout
+ * `load`. Drop into your `+layout.server.ts`.
+ *
+ * @param event - The SvelteKit `RequestEvent`.
+ * @returns `{ cmsContext }` with browser/UA-derived hints (e.g. `preferMp4`).
  * @public
+ * @example
+ * ```ts
+ * // src/routes/+layout.server.ts
+ * import { cmsLayoutLoad } from 'includio-cms/sveltekit/server';
+ *
+ * export const load = (event) => cmsLayoutLoad(event);
+ * ```
  */
 export declare function cmsLayoutLoad(event: RequestEvent): {
     cmsContext: any;

package/dist/sveltekit/server/layout.js

@@ -1,6 +1,17 @@
 /**
- * Returns `cmsContext` from `event.locals` for use in a SvelteKit layout `load`. Drop into your `+layout.server.ts`.
+ * Returns `cmsContext` from `event.locals` for use in a SvelteKit layout
+ * `load`. Drop into your `+layout.server.ts`.
+ *
+ * @param event - The SvelteKit `RequestEvent`.
+ * @returns `{ cmsContext }` with browser/UA-derived hints (e.g. `preferMp4`).
  * @public
+ * @example
+ * ```ts
+ * // src/routes/+layout.server.ts
+ * import { cmsLayoutLoad } from 'includio-cms/sveltekit/server';
+ *
+ * export const load = (event) => cmsLayoutLoad(event);
+ * ```
  */
 export function cmsLayoutLoad(event) {
     return {

package/dist/sveltekit/server/preview.d.ts

@@ -1,8 +1,28 @@
 import type { Entry } from '../../types/entries.js';
 import { type RequestEvent } from '@sveltejs/kit';
 /**
- * Resolves the preview entry from a `?preview=<versionId>` query param. Requires an authenticated session — throws `Unauthorized` otherwise.
+ * Resolves the preview entry from a `?preview=<versionId>` query param.
+ * Use it from a frontend page `load` to render unpublished/draft content for
+ * authenticated editors.
+ *
+ * Requires an authenticated session — throws `Unauthorized` otherwise.
+ *
+ * @param event - The SvelteKit `RequestEvent`.
+ * @param options - `language` is the locale to populate.
+ * @returns The populated preview `Entry`, or `null` when no `?preview=` param.
+ * @throws {Error} `'Unauthorized'` when the request lacks a valid session.
  * @public
+ * @example
+ * ```ts
+ * // src/routes/blog/[slug]/+page.server.ts
+ * import { getPreviewEntry } from 'includio-cms/sveltekit/server';
+ *
+ * export const load = async (event) => {
+ *   const preview = await getPreviewEntry(event, { language: 'en' });
+ *   if (preview) return { entry: preview };
+ *   // ...fall through to published lookup
+ * };
+ * ```
  */
 export declare function getPreviewEntry(event: RequestEvent, options: {
     language: string;

package/dist/sveltekit/server/preview.js

@@ -1,8 +1,28 @@
 import { getEntryVersion } from '../../core/server/entries/operations/get.js';
 import {} from '@sveltejs/kit';
 /**
- * Resolves the preview entry from a `?preview=<versionId>` query param. Requires an authenticated session — throws `Unauthorized` otherwise.
+ * Resolves the preview entry from a `?preview=<versionId>` query param.
+ * Use it from a frontend page `load` to render unpublished/draft content for
+ * authenticated editors.
+ *
+ * Requires an authenticated session — throws `Unauthorized` otherwise.
+ *
+ * @param event - The SvelteKit `RequestEvent`.
+ * @param options - `language` is the locale to populate.
+ * @returns The populated preview `Entry`, or `null` when no `?preview=` param.
+ * @throws {Error} `'Unauthorized'` when the request lacks a valid session.
  * @public
+ * @example
+ * ```ts
+ * // src/routes/blog/[slug]/+page.server.ts
+ * import { getPreviewEntry } from 'includio-cms/sveltekit/server';
+ *
+ * export const load = async (event) => {
+ *   const preview = await getPreviewEntry(event, { language: 'en' });
+ *   if (preview) return { entry: preview };
+ *   // ...fall through to published lookup
+ * };
+ * ```
  */
 export async function getPreviewEntry(event, options) {
     const preview = event.url.searchParams.get('preview');

package/dist/types/cms.d.ts

@@ -60,6 +60,10 @@ export interface ApiKeyConfig {
     key: string;
     name?: string;
     role?: 'admin' | 'editor';
+    /** Opt-in expiry. ISO-8601 timestamp; past dates → 401 on use. */
+    expiresAt?: string;
+    /** Audit-trail only; not enforced. ISO-8601 timestamp of last manual rotation. */
+    rotatedAt?: string;
 }
 export interface TypographyConfig {
     fixOrphans?: boolean;