mirror of
https://github.com/Memo-2023/mana-monorepo.git
synced 2026-05-15 07:41:09 +02:00
57be0f61b1
Adds two new block types and the server-side infrastructure for untrusted input + cross-module data embedding. Forms: - packages/website-blocks/src/form: declarative fields (text, email, tel, url, textarea, number) with required / maxLength / placeholder per field. Honeypot hidden input in the renderer; public-mode POST to a same-origin SvelteKit proxy that forwards to mana-api. - apps/api: website.submissions table (schema.ts + 0001_submissions.sql) + POST /public/submit/:siteSlug/:blockId. Loads the current published snapshot, finds the form block, validates payload against its declared fields (trim, type check, length cap), rejects honeypot submissions silently, rate-limits per IP (10 / 5 min) in-memory. Unknown keys are dropped — clients can only submit declared fields. - Owner-facing: GET/DELETE /sites/:id/submissions + SubmissionsView component + /(app)/website/[siteId]/submissions route. Shows incoming submissions with status pill + payload preview + delete. - apps/mana/.../routes/s/[siteSlug]/__submit/[blockId]/+server.ts: same-origin proxy so form posts don't trigger CORS and IP / user- agent headers are forwarded via SvelteKit's trusted getClientAddress. M4 first-pass does NOT wire target-module delivery (contacts / notify). Submissions stay in the inbox until owner-side tool handlers land (M4.x). `target` enum is intentionally `['inbox']` only for now. moduleEmbed: - packages/website-blocks/src/moduleEmbed: source dropdown (picture.board | library.entries), max-items, layout (grid | list), optional filter object. The `resolved` field on props is populated at publish time by the editor-side resolver — public renderer reads it directly, no Dexie / API round-trip needed. - apps/mana/.../website/embeds.ts: per-source resolvers. picture.board enforces `isPublic=true`; library.entries respects filter.isFavorite / kind / status so owners can expose a subset (e.g. "my favorites"). - buildSnapshot() walks the tree after assembly and fills in block.props.resolved for every moduleEmbed. Publish slower, public visits fast. No cross-service call at render time. Validation: - pnpm run validate:all: 6/6 gates green - pnpm run check (web): 0 errors, 0 warnings - apps/api type-check: green Apply Postgres with: psql "$DATABASE_URL" -f apps/api/drizzle/website/0001_submissions.sql Plan: docs/plans/website-builder.md (M4 shipped) Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> |
||
|---|---|---|
| .. | ||
| credits | ||
| eslint-config | ||
| feedback | ||
| help | ||
| local-llm | ||
| local-store | ||
| local-stt | ||
| mana-tool-registry | ||
| notify-client | ||
| qr-export | ||
| shared-ai | ||
| shared-auth | ||
| shared-auth-ui | ||
| shared-branding | ||
| shared-crypto | ||
| shared-drizzle-config | ||
| shared-error-tracking | ||
| shared-go | ||
| shared-hono | ||
| shared-i18n | ||
| shared-icons | ||
| shared-landing-ui | ||
| shared-links | ||
| shared-llm | ||
| shared-logger | ||
| shared-pwa | ||
| shared-python/manacore_auth | ||
| shared-research | ||
| shared-rss | ||
| shared-storage | ||
| shared-stores | ||
| shared-tags | ||
| shared-tailwind | ||
| shared-theme | ||
| shared-theme-ui | ||
| shared-types | ||
| shared-ui | ||
| shared-uload | ||
| shared-utils | ||
| shared-vite-config | ||
| spiral-db | ||
| test-config | ||
| wallpaper-generator | ||
| website-blocks | ||