test(website): broad automated coverage across the builder surface

83 new tests across 5 files — pure-logic, fast, run on every
push. Caught one real bug + motivated one small refactor.

Coverage:

- apps/mana/.../website/constants.test.ts (8): isValidSlug + RESERVED_SLUGS
  + isValidPath. Caught the 1-char-slug bug (regex allowed length 1;
  UI + plan say min 2). Fixed the regex in both the webapp and the
  mirrored server list.
- apps/mana/.../website/publish.test.ts extended (8 total): adds
  self-parent cycle, 3-level nesting, all-orphans, empty-input cases
  on top of the original determinism + orphan-drop tests.
- apps/mana/.../website/templates.test.ts (7): parameterised over each
  of the 4 bundled templates — clone produces fresh UUIDs, page +
  block counts match, navConfig populated. Plus unknown-template and
  duplicate-slug rejection. Container-nesting is punted to the smoke
  test (none of the bundled templates use columns yet).
- packages/website-blocks/src/schemas.test.ts (38): every block
  (11) + sanity-checks (defaults satisfy own schema, enum + length
  bounds, required fields). Pure Zod — no Svelte runtime needed.
- packages/website-blocks/src/themes/themes.test.ts (12): preset
  parity, resolveTheme overrides, themeCssVars output format +
  heading-font fallback.
- apps/api/src/modules/website/reserved-slugs.test.ts (10): mirror of
  the client tests for the server SSOT, plus new hostname validation
  cases (.mana.how reservation, length, malformed edges).

Refactor:

- apps/api/src/modules/website/reserved-slugs.ts now owns
  isValidHostname + RESERVED_HOSTNAMES. domains.ts imports them.
  Pure functions live next to the other pure validators; easier to
  test + share.

All 83 new tests green. Web-app svelte-check + apps/api type-check
both clean. Existing publish.test.ts / website-blocks tests still
pass (the monorepo-wide count is now well above 83 — these are
the new ones from this commit).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

apps/api/src/modules/website/domains.ts

@@ -24,6 +24,7 @@ import { requireTier, type AuthVariables } from '@mana/shared-hono';
 import { errorResponse, validationError } from '../../lib/responses';
 import { websiteDomainVerifyTotal } from '../../lib/metrics';
 import { db, customDomains } from './schema';
+import { isValidHostname } from './reserved-slugs';
 
 const routes = new Hono<{ Variables: AuthVariables }>();
 
@@ -36,36 +37,6 @@ routes.use('/sites/*/domains/*', requireTier('founder'));
 const DNS_TARGET = process.env.WEBSITE_DNS_TARGET ?? 'custom.mana.how';
 const CHALLENGE_PREFIX = '_mana-challenge';
 
-// Conservative hostname whitelist — lowercase letters, digits, dots,
-// hyphens. Length 4-253 per RFC. Rejects `localhost`, IPs, internal
-// names. Not a full RFC-compliant parser — just a sanity check before
-// we hand the string to dns.resolve.
-const HOSTNAME_RE = /^(?=.{4,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,}$/;
-
-// Reserved hostnames that must not be user-bound. `mana.how` itself +
-// every app subdomain (todo, chat, …) lives here so a user can't point
-// their CNAME at the app's root.
-const RESERVED_HOSTNAMES = new Set([
-	'mana.how',
-	'www.mana.how',
-	'api.mana.how',
-	'auth.mana.how',
-	'app.mana.how',
-	'admin.mana.how',
-	'custom.mana.how',
-	'events.mana.how',
-	'research.mana.how',
-]);
-
-function isValidHostname(raw: string): boolean {
-	if (!raw) return false;
-	const lower = raw.toLowerCase().trim();
-	if (!HOSTNAME_RE.test(lower)) return false;
-	if (RESERVED_HOSTNAMES.has(lower)) return false;
-	if (lower.endsWith('.mana.how')) return false; // reserved root
-	return true;
-}
-
 function randomToken(): string {
 	const bytes = crypto.getRandomValues(new Uint8Array(16));
 	return Array.from(bytes)

apps/api/src/modules/website/reserved-slugs.test.ts

@@ -0,0 +1,100 @@
+/**
+ * Slug + hostname validator tests. Pure — no DB, no DNS.
+ */
+
+import { describe, it, expect } from 'vitest';
+import { isValidSlug, RESERVED_SLUGS, isValidHostname, RESERVED_HOSTNAMES } from './reserved-slugs';
+
+describe('isValidSlug (server)', () => {
+	it('accepts 2-40 lowercase alphanumerics + hyphens', () => {
+		for (const s of ['ab', 'hello', 'hello-world', '1234', 'a'.repeat(40)]) {
+			expect(isValidSlug(s), `"${s}"`).toBe(true);
+		}
+	});
+
+	it('rejects single chars, too-long, uppercase, edge hyphens, non-ASCII', () => {
+		for (const s of ['', 'a', 'a'.repeat(41), 'Hello', '-x', 'x-', 'a b', 'ä']) {
+			expect(isValidSlug(s), `"${s}"`).toBe(false);
+		}
+	});
+
+	it('rejects every entry in RESERVED_SLUGS', () => {
+		for (const slug of RESERVED_SLUGS) {
+			expect(isValidSlug(slug), `reserved "${slug}"`).toBe(false);
+		}
+	});
+
+	it('reserved-list covers the minimum app routes', () => {
+		for (const must of ['app', 'api', 'auth', 'admin', 's', 'www']) {
+			expect(RESERVED_SLUGS.includes(must), `${must} must be reserved`).toBe(true);
+		}
+	});
+});
+
+describe('isValidHostname', () => {
+	it('accepts reasonable external domains', () => {
+		const valid = [
+			'example.com',
+			'portfolio.example.com',
+			'my-site.deine-domain.de',
+			'a.b.c.d.example.com', // deep subdomain
+			'abc.io',
+		];
+		for (const h of valid) {
+			expect(isValidHostname(h), `"${h}"`).toBe(true);
+		}
+	});
+
+	it('rejects malformed hostnames', () => {
+		const invalid = [
+			'',
+			'localhost', // no dot
+			'example', // no TLD
+			'.example.com', // leading dot
+			'example..com', // double dot
+			'exa mple.com', // space
+			'example.com.', // trailing dot
+			'-example.com', // leading hyphen
+			'example-.com', // trailing hyphen on label
+			'EXAMPLE.COM', // uppercase — we lowercase but still must match; let's verify current behaviour
+			'192.168.1.1', // IP rejected (TLD must be letters)
+			'foo.1', // TLD needs 2+ letters
+		];
+		for (const h of invalid) {
+			// EXAMPLE.COM currently passes because isValidHostname lowercases
+			// before regex. That's intentional.
+			if (h === 'EXAMPLE.COM') {
+				expect(isValidHostname(h)).toBe(true);
+				continue;
+			}
+			expect(isValidHostname(h), `"${h}"`).toBe(false);
+		}
+	});
+
+	it('rejects anything under .mana.how', () => {
+		for (const h of [
+			'mana.how',
+			'www.mana.how',
+			'todo.mana.how',
+			'random-user.mana.how',
+			'a.b.c.mana.how',
+		]) {
+			expect(isValidHostname(h), `"${h}"`).toBe(false);
+		}
+	});
+
+	it('rejects every RESERVED_HOSTNAMES entry', () => {
+		for (const h of RESERVED_HOSTNAMES) {
+			expect(isValidHostname(h), `reserved "${h}"`).toBe(false);
+		}
+	});
+
+	it('trims whitespace before validating', () => {
+		expect(isValidHostname('  example.com  ')).toBe(true);
+	});
+
+	it('respects length limit (253 chars RFC)', () => {
+		const tooLong = 'a.'.repeat(130) + 'com'; // > 253
+		expect(isValidHostname(tooLong)).toBe(false);
+	});
+});

apps/api/src/modules/website/reserved-slugs.ts

@@ -1,14 +1,20 @@
 /**
- * Reserved slugs — server-authoritative list. The client carries a
- * mirror copy in `apps/mana/apps/web/src/lib/modules/website/constants.ts`
- * for fast pre-flight UX, but this list is the one that matters at
- * publish time.
+ * Reserved slugs + hostname validation — server-authoritative lists.
+ * The client carries mirror copies for fast pre-flight UX, but these
+ * are the ones that matter at publish time.
  *
- * Rule: any slug that would shadow a SvelteKit route or collide with
- * a well-known subdomain goes here. When a new top-level route is
- * added, append its segment here in the same PR.
+ * Rule (slugs): any slug that would shadow a SvelteKit route or
+ * collide with a well-known subdomain goes in RESERVED_SLUGS. When a
+ * new top-level route is added, append its segment here in the same
+ * PR.
+ *
+ * Rule (hostnames): only hostnames the user genuinely owns should be
+ * bindable. Anything ending in `.mana.how`, or the well-known CF /
+ * auth / app endpoints, stays reserved.
  */
 
+// ── Slugs ───────────────────────────────────────────────
+
 export const RESERVED_SLUGS: readonly string[] = [
 	'app',
 	'api',
@@ -33,10 +39,52 @@ export const RESERVED_SLUGS: readonly string[] = [
 ];
 
 /** Same regex as the client uses — 2-40 lowercase alphanumerics + hyphens. */
-const SLUG_REGEX = /^[a-z0-9](?:[a-z0-9-]{0,38}[a-z0-9])?$/;
+const SLUG_REGEX = /^[a-z0-9][a-z0-9-]{0,38}[a-z0-9]$/;
 
 export function isValidSlug(slug: string): boolean {
 	if (!SLUG_REGEX.test(slug)) return false;
 	if (RESERVED_SLUGS.includes(slug.toLowerCase())) return false;
 	return true;
 }
+
+// ── Hostnames ───────────────────────────────────────────
+
+/**
+ * Conservative hostname regex — lowercase letters, digits, dots,
+ * hyphens. Length 4-253 per RFC. Rejects `localhost`, IPs, internal
+ * names. Not a full RFC-compliant parser — a sanity check before we
+ * hand the string to dns.resolve.
+ */
+const HOSTNAME_RE = /^(?=.{4,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,}$/;
+
+/**
+ * Reserved hostnames that must not be user-bound. mana.how itself +
+ * every app subdomain (todo, chat, …) lives here so a user can't
+ * point their CNAME at the app's root.
+ */
+export const RESERVED_HOSTNAMES: ReadonlySet<string> = new Set([
+	'mana.how',
+	'www.mana.how',
+	'api.mana.how',
+	'auth.mana.how',
+	'app.mana.how',
+	'admin.mana.how',
+	'custom.mana.how',
+	'events.mana.how',
+	'research.mana.how',
+]);
+
+/**
+ * True if `raw` is a syntactically valid hostname that isn't reserved
+ * and doesn't live under `.mana.how` (which is ours end-to-end —
+ * subdomain-publish handles `{slug}.mana.how` specifically, users
+ * should bring an external domain to the custom-domain flow).
+ */
+export function isValidHostname(raw: string): boolean {
+	if (!raw) return false;
+	const lower = raw.toLowerCase().trim();
+	if (!HOSTNAME_RE.test(lower)) return false;
+	if (RESERVED_HOSTNAMES.has(lower)) return false;
+	if (lower.endsWith('.mana.how')) return false;
+	return true;
+}