till/cards
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions 1
cards/docs/marketplace/archive/code/routes/moderation.ts
Till JS 7dbbf63523 Phase 12 R2: Marketplace-Backend α + β — Authors + Deck-Init + Publish 
Routes (additiv unter /api/v1/marketplace/*):
- POST/GET /authors/me — eigenes Author-Profil anlegen/updaten/lesen
- GET /authors/:slug — public Profile-Lookup (banned-reason gestrippt)
- POST /decks — Deck-Init (Slug-Validation + Pflicht-Author-Profil +
  CHECK auf paid + Pro-License)
- POST /decks/:slug/publish — Versions-Snapshot mit per-Karte
  cardContentHash aus @cards/domain, per-Version-Hash, AI-Mod-Stub-Log,
  atomarer latest_version_id-Bump in Drizzle-Transaction
- PATCH /decks/:slug — Metadaten-Update (Owner-Only)
- GET /decks/:slug — Public-Detail mit optional-auth-Middleware

Geport aus cards-decommission-base:services/cards-server/, mit
Greenfield-Anpassungen:
- Hashing über @cards/domain.cardContentHash (gemeinsame SoT
  zwischen privatem cards.cards und marketplace.deck_cards), per-
  Version-Hash als SHA-256 über sortierte Karten-Hashes mit Ord-Prefix
- AI-Moderation als R2-Stub (pass+rationale+model='stub'),
  echte mana-llm-Anbindung in späterer Welle
- Auth-Middleware-Shape an Greenfield (userId/tier/authMode in
  c.get(...) statt user-Object), optional-auth als Schwester für
  anonymen Public-Read
- Hono-typing: outer Marketplace-Decks-Router ist Partial<AuthVars>
  weil Public-GET kein JWT braucht; Auth-Subroute ist strict

Lese-Referenz:
- 3331 LOC altes cards-server-Code (routes, services, middleware,
  lib) unter docs/marketplace/archive/code/ archiviert. Read-only,
  nicht im Build-Path.

Verifikation:
- 16 neue Vitest-Tests (Slug + Version-Hash), 72 gesamt grün
- type-check 0 errors
- E2E-Smoke gegen lokale cards-api: Cardecky-Author + Deck
  r2-stoische-ethik mit 3 Karten v1.0.0 (basic + basic + cloze),
  per-Karten-Hashes geschrieben, ai_moderation_log-Row da, semver-409
  + paid-422-Errors verifiziert. Smoke-Daten danach aufgeräumt.

Verbleibend für R3+: Discovery (explore + search), Engagement (stars/
subscribe/fork), Smart-Merge mit FSRS-State-Erhalt; danach R4 PRs +
Card-Discussions, R5 Frontend-Routes.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-09 15:13:58 +02:00

96 lines
3.2 KiB
TypeScript
Raw Blame History

import { Hono } from 'hono';
import { z } from 'zod';
import type { AuthUser } from '../middleware/jwt-auth';
import type { ModerationService } from '../services/moderation';
import { BadRequestError, ForbiddenError, UnauthorizedError } from '../lib/errors';
function requireUser(user: AuthUser | undefined): AuthUser {
if (!user || !user.userId) throw new UnauthorizedError();
return user;
}
function requireAdmin(user: AuthUser | undefined): AuthUser {
const u = requireUser(user);
if (u.role !== 'admin') throw new ForbiddenError('Admin role required');
return u;
}
const reportSchema = z.object({
deckSlug: z.string().min(1),
cardContentHash: z.string().min(1).optional(),
category: z.enum(['spam', 'copyright', 'nsfw', 'misinformation', 'hate', 'other']),
body: z.string().max(2000).optional(),
});
const resolveSchema = z.object({
action: z.enum(['dismiss', 'takedown', 'ban-author']),
notes: z.string().max(1000).optional(),
});
const takedownSchema = z.object({
reason: z.string().max(1000).optional(),
});
const verifySchema = z.object({
verifiedMana: z.boolean(),
});
export function createModerationRoutes(service: ModerationService) {
const router = new Hono<{ Variables: { user?: AuthUser } }>();
// User-facing — anyone authed can file a report.
router.post('/reports', async (c) => {
const user = requireUser(c.get('user'));
const parsed = reportSchema.safeParse(await c.req.json().catch(() => ({})));
if (!parsed.success) throw new BadRequestError('Invalid body', parsed.error.format());
const row = await service.createReport(user.userId, parsed.data);
return c.json(row, 201);
});
// Admin inbox + actions.
router.get('/admin/reports', async (c) => {
requireAdmin(c.get('user'));
const list = await service.listOpen();
return c.json(list);
});
router.post('/admin/reports/:id/resolve', async (c) => {
const admin = requireAdmin(c.get('user'));
const parsed = resolveSchema.safeParse(await c.req.json().catch(() => ({})));
if (!parsed.success) throw new BadRequestError('Invalid body', parsed.error.format());
const result = await service.resolveReport(admin.userId, c.req.param('id'), parsed.data);
return c.json(result);
});
router.post('/admin/decks/:slug/takedown', async (c) => {
const admin = requireAdmin(c.get('user'));
const parsed = takedownSchema.safeParse(await c.req.json().catch(() => ({})));
if (!parsed.success) throw new BadRequestError('Invalid body', parsed.error.format());
const result = await service.takedownDeck(
admin.userId,
c.req.param('slug'),
parsed.data.reason
);
return c.json(result);
});
router.post('/admin/decks/:slug/restore', async (c) => {
const admin = requireAdmin(c.get('user'));
const result = await service.restoreDeck(admin.userId, c.req.param('slug'));
return c.json(result);
});
router.post('/admin/authors/:slug/verify', async (c) => {
const admin = requireAdmin(c.get('user'));
const parsed = verifySchema.safeParse(await c.req.json().catch(() => ({})));
if (!parsed.success) throw new BadRequestError('Invalid body', parsed.error.format());
const result = await service.setVerifiedMana(
admin.userId,
c.req.param('slug'),
parsed.data.verifiedMana
);
return c.json(result);
});
return router;
}
Reference in a new issue View git blame Copy permalink