feat(website): M4 — forms + moduleEmbed

Adds two new block types and the server-side infrastructure for untrusted input + cross-module data embedding. Forms: - packages/website-blocks/src/form: declarative fields (text, email, tel, url, textarea, number) with required / maxLength / placeholder per field. Honeypot hidden input in the renderer; public-mode POST to a same-origin SvelteKit proxy that forwards to mana-api. - apps/api: website.submissions table (schema.ts + 0001_submissions.sql) + POST /public/submit/:siteSlug/:blockId. Loads the current published snapshot, finds the form block, validates payload against its declared fields (trim, type check, length cap), rejects honeypot submissions silently, rate-limits per IP (10 / 5 min) in-memory. Unknown keys are dropped — clients can only submit declared fields. - Owner-facing: GET/DELETE /sites/:id/submissions + SubmissionsView component + /(app)/website/[siteId]/submissions route. Shows incoming submissions with status pill + payload preview + delete. - apps/mana/.../routes/s/[siteSlug]/__submit/[blockId]/+server.ts: same-origin proxy so form posts don't trigger CORS and IP / user- agent headers are forwarded via SvelteKit's trusted getClientAddress. M4 first-pass does NOT wire target-module delivery (contacts / notify). Submissions stay in the inbox until owner-side tool handlers land (M4.x). `target` enum is intentionally `['inbox']` only for now. moduleEmbed: - packages/website-blocks/src/moduleEmbed: source dropdown (picture.board | library.entries), max-items, layout (grid | list), optional filter object. The `resolved` field on props is populated at publish time by the editor-side resolver — public renderer reads it directly, no Dexie / API round-trip needed. - apps/mana/.../website/embeds.ts: per-source resolvers. picture.board enforces `isPublic=true`; library.entries respects filter.isFavorite / kind / status so owners can expose a subset (e.g. "my favorites"). - buildSnapshot() walks the tree after assembly and fills in block.props.resolved for every moduleEmbed. Publish slower, public visits fast. No cross-service call at render time. Validation: - pnpm run validate:all: 6/6 gates green - pnpm run check (web): 0 errors, 0 warnings - apps/api type-check: green Apply Postgres with: psql "$DATABASE_URL" -f apps/api/drizzle/website/0001_submissions.sql Plan: docs/plans/website-builder.md (M4 shipped) Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-16 13:59:40 +02:00 · 2026-04-23 14:36:52 +02:00 · 2026-04-23 14:36:52 +02:00 · 57be0f61b1
commit 57be0f61b1
parent 79d112657c
20 changed files with 1817 additions and 2 deletions
--- a/packages/website-blocks/src/moduleEmbed/ModuleEmbedInspectorFallback.svelte
+++ b/packages/website-blocks/src/moduleEmbed/ModuleEmbedInspectorFallback.svelte
@ -0,0 +1,98 @@
+<script lang="ts">
+	/**
+	 * URL-style fallback for the pure-package inspector — the app-side
+	 * override adds a board picker that queries Dexie.
+	 */
+	import type { BlockInspectorProps } from '../types';
+	import type { ModuleEmbedProps } from './schema';
+
+	let { block, onChange }: BlockInspectorProps<ModuleEmbedProps> = $props();
+</script>
+
+<div class="wb-inspector">
+	<label class="wb-field">
+		<span>Quelle</span>
+		<select
+			value={block.props.source}
+			onchange={(e) => onChange({ source: e.currentTarget.value as ModuleEmbedProps['source'] })}
+		>
+			<option value="picture.board">Picture-Board</option>
+			<option value="library.entries">Bibliothek</option>
+		</select>
+	</label>
+
+	<label class="wb-field">
+		<span>Quellen-ID</span>
+		<input
+			type="text"
+			value={block.props.sourceId}
+			oninput={(e) => onChange({ sourceId: e.currentTarget.value })}
+			placeholder="Board-ID oder leer für 'alle'"
+		/>
+	</label>
+
+	<label class="wb-field">
+		<span>Titel (optional)</span>
+		<input
+			type="text"
+			value={block.props.title}
+			oninput={(e) => onChange({ title: e.currentTarget.value })}
+		/>
+	</label>
+
+	<div class="wb-row">
+		<label class="wb-field">
+			<span>Layout</span>
+			<select
+				value={block.props.layout}
+				onchange={(e) => onChange({ layout: e.currentTarget.value as ModuleEmbedProps['layout'] })}
+			>
+				<option value="grid">Grid</option>
+				<option value="list">Liste</option>
+			</select>
+		</label>
+
+		<label class="wb-field">
+			<span>Max. Einträge</span>
+			<input
+				type="number"
+				min="1"
+				max="48"
+				value={block.props.maxItems}
+				oninput={(e) => onChange({ maxItems: parseInt(e.currentTarget.value, 10) || 12 })}
+			/>
+		</label>
+	</div>
+</div>
+
+<style>
+	.wb-inspector {
+		display: flex;
+		flex-direction: column;
+		gap: 1rem;
+	}
+	.wb-field {
+		display: flex;
+		flex-direction: column;
+		gap: 0.25rem;
+	}
+	.wb-field > span {
+		font-size: 0.75rem;
+		font-weight: 500;
+		opacity: 0.7;
+	}
+	.wb-field input,
+	.wb-field select {
+		padding: 0.4rem 0.6rem;
+		border-radius: 0.375rem;
+		border: 1px solid rgba(255, 255, 255, 0.12);
+		background: rgba(255, 255, 255, 0.04);
+		color: inherit;
+		font-size: 0.8125rem;
+	}
+	.wb-row {
+		display: grid;
+		grid-template-columns: 1fr 1fr;
+		gap: 0.5rem;
+	}
+</style>