showpane 0.4.1 → 0.4.2

package/bundle/scaffold/src/lib/control-plane.ts

@@ -0,0 +1,100 @@
+import { hasSafePathSegments } from "@/lib/files";
+import { type LocalPortalEventPayload, toCloudPortalEventPayload } from "@/lib/portal-contracts";
+
+export type ControlPlaneFileRecord = {
+  id: string;
+  filename: string;
+  mimeType: string;
+  size: number;
+  uploadedBy: string;
+  uploadedAt: string;
+};
+
+function getControlPlaneUrl(): string | null {
+  return process.env.SHOWPANE_CONTROL_PLANE_URL ?? null;
+}
+
+function getPortalServiceToken(): string | null {
+  return process.env.PORTAL_SERVICE_TOKEN ?? null;
+}
+
+export function isControlPlaneMode(): boolean {
+  return Boolean(getControlPlaneUrl() && getPortalServiceToken());
+}
+
+function getControlPlaneHeaders(): HeadersInit {
+  return {
+    Authorization: `Bearer ${getPortalServiceToken()}`,
+  };
+}
+
+export async function listControlPlaneFiles(portalSlug: string): Promise<ControlPlaneFileRecord[]> {
+  const baseUrl = getControlPlaneUrl();
+  if (!baseUrl) return [];
+
+  const res = await fetch(`${baseUrl}/api/runtime/files?portalSlug=${encodeURIComponent(portalSlug)}`, {
+    headers: getControlPlaneHeaders(),
+    cache: "no-store",
+  });
+  if (!res.ok) {
+    throw new Error(`Control-plane file list failed (${res.status})`);
+  }
+
+  const body = (await res.json()) as { files?: ControlPlaneFileRecord[] };
+  return body.files ?? [];
+}
+
+export async function downloadControlPlaneFile(
+  portalSlug: string,
+  pathSegments: string[]
+): Promise<Response> {
+  const baseUrl = getControlPlaneUrl();
+  if (!baseUrl || !hasSafePathSegments(pathSegments) || pathSegments.length !== 1) {
+    return new Response(null, { status: 400 });
+  }
+
+  return fetch(
+    `${baseUrl}/api/runtime/files/${encodeURIComponent(pathSegments[0])}?portalSlug=${encodeURIComponent(portalSlug)}`,
+    {
+      headers: getControlPlaneHeaders(),
+      cache: "no-store",
+    }
+  );
+}
+
+export async function sendControlPlaneEvent(
+  portalSlug: string,
+  payload: LocalPortalEventPayload
+): Promise<void> {
+  const baseUrl = getControlPlaneUrl();
+  if (!baseUrl) return;
+
+  await fetch(`${baseUrl}/api/events`, {
+    method: "POST",
+    headers: {
+      ...getControlPlaneHeaders(),
+      "Content-Type": "application/json",
+    },
+    body: JSON.stringify(toCloudPortalEventPayload(portalSlug, payload)),
+  });
+}
+
+export async function uploadControlPlaneFile(
+  portalSlug: string,
+  file: File
+): Promise<Response> {
+  const baseUrl = getControlPlaneUrl();
+  if (!baseUrl) {
+    return new Response(JSON.stringify({ error: "Control plane unavailable" }), { status: 503 });
+  }
+
+  const formData = new FormData();
+  formData.append("portalSlug", portalSlug);
+  formData.append("file", file);
+
+  return fetch(`${baseUrl}/api/runtime/files/upload`, {
+    method: "POST",
+    headers: getControlPlaneHeaders(),
+    body: formData,
+  });
+}

package/bundle/scaffold/src/lib/db.ts

@@ -0,0 +1,7 @@
+import { PrismaClient } from "@/lib/prisma-client";
+
+const globalForPrisma = globalThis as unknown as { prisma: PrismaClient };
+
+export const prisma = globalForPrisma.prisma || new PrismaClient();
+
+if (process.env.NODE_ENV !== "production") globalForPrisma.prisma = prisma;

package/bundle/scaffold/src/lib/files.ts

@@ -0,0 +1,124 @@
+const EXTENSION_CONTENT_TYPES: Record<string, string> = {
+  pdf: "application/pdf",
+  png: "image/png",
+  jpg: "image/jpeg",
+  jpeg: "image/jpeg",
+  txt: "text/plain",
+  csv: "text/csv",
+  md: "text/markdown",
+  doc: "application/msword",
+  docx: "application/vnd.openxmlformats-officedocument.wordprocessingml.document",
+  xls: "application/vnd.ms-excel",
+  xlsx: "application/vnd.openxmlformats-officedocument.spreadsheetml.sheet",
+  ppt: "application/vnd.ms-powerpoint",
+  pptx: "application/vnd.openxmlformats-officedocument.presentationml.presentation",
+  zip: "application/zip",
+};
+
+const BLOCKED_UPLOAD_EXTENSIONS = new Set([
+  "svg",
+  "svgz",
+  "html",
+  "htm",
+  "xhtml",
+  "xml",
+  "js",
+  "mjs",
+  "cjs",
+]);
+
+const ALLOWED_UPLOAD_EXTENSIONS = new Set(Object.keys(EXTENSION_CONTENT_TYPES));
+
+const INLINE_CONTENT_TYPES = new Set([
+  "application/pdf",
+  "image/png",
+  "image/jpeg",
+  "text/plain",
+]);
+
+function getFileExtension(filename: string): string {
+  return filename.split(".").pop()?.toLowerCase() ?? "";
+}
+
+export function sanitizeFilename(name: string): string {
+  const sanitized = name.replace(/[^a-zA-Z0-9._-]/g, "_").slice(0, 255);
+  return sanitized || "file";
+}
+
+export function hasSafePathSegments(segments: string[]): boolean {
+  return (
+    segments.length > 0 &&
+    segments.every(
+      (segment) =>
+        Boolean(segment) &&
+        segment !== "." &&
+        segment !== ".." &&
+        !segment.includes("/") &&
+        !segment.includes("\\") &&
+        !segment.includes("\0")
+    )
+  );
+}
+
+export function isBlockedUploadFilename(filename: string): boolean {
+  return BLOCKED_UPLOAD_EXTENSIONS.has(getFileExtension(filename));
+}
+
+export function isAllowedUploadFilename(filename: string): boolean {
+  const extension = getFileExtension(filename);
+  return ALLOWED_UPLOAD_EXTENSIONS.has(extension) && !BLOCKED_UPLOAD_EXTENSIONS.has(extension);
+}
+
+export function sniffUploadContentType(
+  filename: string,
+  bytes: Buffer,
+  clientContentType?: string
+): string {
+  if (bytes.length >= 4) {
+    if (bytes.subarray(0, 4).equals(Buffer.from([0x25, 0x50, 0x44, 0x46]))) {
+      return "application/pdf";
+    }
+    if (
+      bytes.length >= 8 &&
+      bytes.subarray(0, 8).equals(
+        Buffer.from([0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a])
+      )
+    ) {
+      return "image/png";
+    }
+    if (bytes[0] === 0xff && bytes[1] === 0xd8 && bytes[2] === 0xff) {
+      return "image/jpeg";
+    }
+  }
+
+  const extension = getFileExtension(filename);
+  if (extension in EXTENSION_CONTENT_TYPES) {
+    return EXTENSION_CONTENT_TYPES[extension];
+  }
+
+  return clientContentType || "application/octet-stream";
+}
+
+export function getServedFileMetadata(
+  filename: string,
+  storedContentType?: string | null
+): { contentType: string; disposition: "inline" | "attachment" } {
+  const extension = getFileExtension(filename);
+
+  if (BLOCKED_UPLOAD_EXTENSIONS.has(extension) || storedContentType === "image/svg+xml") {
+    return {
+      contentType: "application/octet-stream",
+      disposition: "attachment",
+    };
+  }
+
+  const contentType =
+    (extension && EXTENSION_CONTENT_TYPES[extension]) ||
+    storedContentType ||
+    "application/octet-stream";
+
+  return {
+    contentType,
+    disposition: INLINE_CONTENT_TYPES.has(contentType) ? "inline" : "attachment",
+  };
+}

package/bundle/scaffold/src/lib/load-app-env.ts

@@ -0,0 +1,42 @@
+import fs from "node:fs";
+import path from "node:path";
+
+function parseEnvValue(rawValue: string) {
+  const value = rawValue.trim();
+  if (
+    (value.startsWith("\"") && value.endsWith("\"")) ||
+    (value.startsWith("'") && value.endsWith("'"))
+  ) {
+    return value.slice(1, -1);
+  }
+  return value;
+}
+
+function loadEnvFile(filePath: string) {
+  if (!fs.existsSync(filePath)) return;
+
+  for (const line of fs.readFileSync(filePath, "utf8").split(/\r?\n/)) {
+    const trimmed = line.trim();
+    if (!trimmed || trimmed.startsWith("#")) continue;
+
+    const separator = trimmed.indexOf("=");
+    if (separator === -1) continue;
+
+    const key = trimmed.slice(0, separator).trim();
+    if (process.env[key] !== undefined) continue;
+
+    process.env[key] = parseEnvValue(trimmed.slice(separator + 1));
+  }
+}
+
+let loaded = false;
+
+export function ensureAppEnvLoaded() {
+  if (loaded) return;
+  loaded = true;
+
+  const envFiles = [".env.local", ".env"];
+  for (const envFile of envFiles) {
+    loadEnvFile(path.join(process.cwd(), envFile));
+  }
+}

package/bundle/scaffold/src/lib/portal-contracts.ts

@@ -0,0 +1,69 @@
+// Synced snapshot of ../../packages/portal-contracts/src/index.ts.
+// Keep the app-local copy until the app consumes the package directly.
+
+export const PORTAL_EVENT_TYPES = [
+  "portal_view",
+  "tab_switch",
+  "section_view",
+  "section_time",
+  "file_download",
+  "share_link_access",
+] as const;
+
+export type PortalEventType = (typeof PORTAL_EVENT_TYPES)[number];
+export const ORGANIZATION_REQUIRED_ERROR = "organization_required" as const;
+
+export const ANALYTICS_METADATA_KEYS = {
+  durationSeconds: "durationSeconds",
+} as const;
+
+export type PortalEventMetadata = Record<string, unknown> | null;
+
+export interface LocalPortalEventPayload {
+  event: PortalEventType;
+  detail?: string | null;
+  visitorId?: string;
+  metadata?: PortalEventMetadata;
+}
+
+export interface CloudPortalEventPayload {
+  portalSlug: string;
+  visitorId?: string;
+  eventType: PortalEventType;
+  sectionName?: string | null;
+  metadata?: PortalEventMetadata;
+}
+
+export interface PortalFileSyncManifestEntry {
+  portalSlug: string;
+  storagePath: string;
+  filename: string;
+  mimeType: string;
+  size: number;
+  uploadedBy: string;
+  uploadedAt: string;
+  checksum: string;
+}
+
+export interface PortalFileSyncManifestPayload {
+  files: PortalFileSyncManifestEntry[];
+}
+
+const PORTAL_EVENT_TYPE_SET = new Set<string>(PORTAL_EVENT_TYPES);
+
+export function isPortalEventType(value: unknown): value is PortalEventType {
+  return typeof value === "string" && PORTAL_EVENT_TYPE_SET.has(value);
+}
+
+export function toCloudPortalEventPayload(
+  portalSlug: string,
+  payload: LocalPortalEventPayload
+): CloudPortalEventPayload {
+  return {
+    portalSlug,
+    visitorId: payload.visitorId,
+    eventType: payload.event,
+    sectionName: payload.detail ?? null,
+    metadata: payload.metadata ?? null,
+  };
+}

package/bundle/scaffold/src/lib/prisma-client.ts

@@ -0,0 +1,5 @@
+import { ensureAppEnvLoaded } from "@/lib/load-app-env";
+
+ensureAppEnvLoaded();
+
+export { PrismaClient } from "@/generated/prisma/client";

package/bundle/scaffold/src/lib/runtime-state.ts

@@ -0,0 +1,69 @@
+import { readFile } from "fs/promises";
+import path from "path";
+
+export type RuntimePortalSnapshot = {
+  slug: string;
+  companyName: string;
+  logoUrl?: string | null;
+  username: string;
+  passwordHash: string;
+  credentialVersion: string;
+  isActive: boolean;
+  lastUpdated?: string | null;
+};
+
+export type RuntimeOrganizationSnapshot = {
+  id: string;
+  slug: string;
+  name: string;
+  logoUrl?: string | null;
+  primaryColor?: string;
+  portalLabel?: string;
+  websiteUrl?: string | null;
+  contactName?: string | null;
+  contactTitle?: string | null;
+  contactEmail?: string | null;
+  contactPhone?: string | null;
+  contactAvatar?: string | null;
+  supportEmail?: string | null;
+  customDomain?: string | null;
+};
+
+export type RuntimeState = {
+  organization: RuntimeOrganizationSnapshot;
+  portals: RuntimePortalSnapshot[];
+};
+
+let cachedState: RuntimeState | null | undefined;
+
+function getRuntimeStatePath(): string {
+  return process.env.SHOWPANE_RUNTIME_STATE_PATH || path.join(process.cwd(), "runtime", "runtime-state.json");
+}
+
+export function isRuntimeSnapshotMode(): boolean {
+  return Boolean(process.env.SHOWPANE_RUNTIME_STATE_PATH);
+}
+
+export async function getRuntimeState(): Promise<RuntimeState | null> {
+  if (!isRuntimeSnapshotMode()) return null;
+  if (cachedState !== undefined) return cachedState;
+
+  try {
+    const raw = await readFile(getRuntimeStatePath(), "utf8");
+    cachedState = JSON.parse(raw) as RuntimeState;
+    return cachedState;
+  } catch {
+    cachedState = null;
+    return null;
+  }
+}
+
+export async function getRuntimePortalBySlug(slug: string) {
+  const state = await getRuntimeState();
+  return state?.portals.find((portal) => portal.slug === slug && portal.isActive) ?? null;
+}
+
+export async function getRuntimePortalByUsername(username: string) {
+  const state = await getRuntimeState();
+  return state?.portals.find((portal) => portal.username === username && portal.isActive) ?? null;
+}

package/bundle/scaffold/src/lib/storage.ts

@@ -0,0 +1,204 @@
+import { mkdir, readFile, stat, writeFile } from "fs/promises";
+import path from "path";
+
+type StorageProvider = "local" | "s3" | "r2";
+
+function getProvider(): StorageProvider {
+  const provider = process.env.STORAGE_PROVIDER || "local";
+  if (provider === "s3" || provider === "r2") return provider;
+  return "local";
+}
+
+// ─── Local Storage ──────────────────────────────────────────────────────────
+
+const UPLOADS_DIR = path.resolve(process.cwd(), "uploads");
+
+function safePath(filePath: string): string {
+  const resolved = path.resolve(UPLOADS_DIR, filePath);
+  if (!resolved.startsWith(UPLOADS_DIR + path.sep) && resolved !== UPLOADS_DIR) {
+    throw new Error("Path traversal detected");
+  }
+  return resolved;
+}
+
+async function localSave(filePath: string, data: Buffer): Promise<void> {
+  const fullPath = safePath(filePath);
+  await mkdir(path.dirname(fullPath), { recursive: true });
+  await writeFile(fullPath, data);
+}
+
+async function localRead(filePath: string): Promise<Buffer | null> {
+  const fullPath = safePath(filePath);
+  try {
+    return await readFile(fullPath);
+  } catch {
+    return null;
+  }
+}
+
+async function localExists(filePath: string): Promise<boolean> {
+  const fullPath = safePath(filePath);
+  try {
+    const s = await stat(fullPath);
+    return s.isFile();
+  } catch {
+    return false;
+  }
+}
+
+// ─── S3-Compatible Storage (S3 + R2) ────────────────────────────────────────
+// @aws-sdk/client-s3 is an optional dependency — install it only if using S3/R2.
+// We use require() so webpack doesn't fail when the package is absent.
+
+function getS3Config() {
+  return {
+    bucket: process.env.S3_BUCKET || "",
+    region: process.env.S3_REGION || "auto",
+    accessKey: process.env.S3_ACCESS_KEY || "",
+    secretKey: process.env.S3_SECRET_KEY || "",
+    endpoint: process.env.S3_ENDPOINT, // Required for R2
+  };
+}
+
+// eslint-disable-next-line @typescript-eslint/no-explicit-any
+function loadS3(): any {
+  try {
+    // Dynamic require — webpack won't statically analyze this
+    // eslint-disable-next-line @typescript-eslint/no-require-imports
+    return require("@aws-sdk/client-s3");
+  } catch {
+    throw new StorageError(
+      "S3 storage requires @aws-sdk/client-s3. Install it with: npm install @aws-sdk/client-s3"
+    );
+  }
+}
+
+async function s3Save(filePath: string, data: Buffer, contentType?: string): Promise<void> {
+  const config = getS3Config();
+  const { S3Client, PutObjectCommand } = loadS3();
+
+  const client = new S3Client({
+    region: config.region,
+    credentials: {
+      accessKeyId: config.accessKey,
+      secretAccessKey: config.secretKey,
+    },
+    ...(config.endpoint ? { endpoint: config.endpoint } : {}),
+  });
+
+  try {
+    await client.send(
+      new PutObjectCommand({
+        Bucket: config.bucket,
+        Key: filePath,
+        Body: data,
+        ContentType: contentType || "application/octet-stream",
+      })
+    );
+  } catch (err) {
+    if (err instanceof StorageError) throw err;
+    console.error("S3 storage error (save):", err);
+    throw new StorageError("Failed to save file to storage");
+  }
+}
+
+async function s3Read(filePath: string): Promise<Buffer | null> {
+  const config = getS3Config();
+  const { S3Client, GetObjectCommand } = loadS3();
+
+  const client = new S3Client({
+    region: config.region,
+    credentials: {
+      accessKeyId: config.accessKey,
+      secretAccessKey: config.secretKey,
+    },
+    ...(config.endpoint ? { endpoint: config.endpoint } : {}),
+  });
+
+  try {
+    const response = await client.send(
+      new GetObjectCommand({
+        Bucket: config.bucket,
+        Key: filePath,
+      })
+    );
+    const stream = response.Body;
+    if (!stream) return null;
+    const chunks: Uint8Array[] = [];
+    for await (const chunk of stream as AsyncIterable<Uint8Array>) {
+      chunks.push(chunk);
+    }
+    return Buffer.concat(chunks);
+  } catch (err: unknown) {
+    if (err instanceof StorageError) throw err;
+    if (err && typeof err === "object" && "name" in err && (err as { name: string }).name === "NoSuchKey") {
+      return null;
+    }
+    console.error("S3 storage error (read):", err);
+    throw new StorageError("Failed to read file from storage");
+  }
+}
+
+async function s3Exists(filePath: string): Promise<boolean> {
+  const config = getS3Config();
+  const { S3Client, HeadObjectCommand } = loadS3();
+
+  const client = new S3Client({
+    region: config.region,
+    credentials: {
+      accessKeyId: config.accessKey,
+      secretAccessKey: config.secretKey,
+    },
+    ...(config.endpoint ? { endpoint: config.endpoint } : {}),
+  });
+
+  try {
+    await client.send(
+      new HeadObjectCommand({
+        Bucket: config.bucket,
+        Key: filePath,
+      })
+    );
+    return true;
+  } catch (err) {
+    if (err instanceof StorageError) throw err;
+    return false;
+  }
+}
+
+// ─── Storage Error ──────────────────────────────────────────────────────────
+
+export class StorageError extends Error {
+  constructor(message: string) {
+    super(message);
+    this.name = "StorageError";
+  }
+}
+
+// ─── Public API ─────────────────────────────────────────────────────────────
+
+export async function saveFile(filePath: string, data: Buffer, contentType?: string): Promise<void> {
+  const provider = getProvider();
+  if (provider === "local") return localSave(filePath, data);
+  return s3Save(filePath, data, contentType);
+}
+
+export async function readFile_(filePath: string): Promise<Buffer | null> {
+  const provider = getProvider();
+  if (provider === "local") return localRead(filePath);
+  return s3Read(filePath);
+}
+
+export async function fileExists(filePath: string): Promise<boolean> {
+  const provider = getProvider();
+  if (provider === "local") return localExists(filePath);
+  return s3Exists(filePath);
+}
+
+export function getStoragePath(
+  organizationId: string,
+  portalSlug: string,
+  filename: string
+): string {
+  return `orgs/${organizationId}/portals/${portalSlug}/${filename}`;
+}