feat: update server routes to use visibility field for access control

Allow public+unlisted configs for install/view/OG, block only private.

Ultraworked with [Sisyphus](https://github.com/code-yeongyu/oh-my-opencode)

Co-authored-by: Sisyphus <clio-agent@sisyphuslabs.ai>

Author: fullstackjam

src/hooks.server.ts

@@ -48,8 +48,8 @@ export const handle: Handle = async ({ event, resolve }) => {
 		const env = event.platform?.env;
 
 		if (env) {
-			const config = await env.DB.prepare('SELECT c.slug, c.custom_script, c.dotfiles_repo, u.username FROM configs c JOIN users u ON c.user_id = u.id WHERE c.alias = ? AND c.is_public = 1')
-				.bind(alias)
+			const config = await env.DB.prepare('SELECT c.slug, c.custom_script, c.dotfiles_repo, u.username FROM configs c JOIN users u ON c.user_id = u.id WHERE c.alias = ? AND c.visibility IN (?, ?)')
+				.bind(alias, 'public', 'unlisted')
 				.first<{ slug: string; username: string; custom_script: string; dotfiles_repo: string }>();
 
 			if (config) {
@@ -88,11 +88,11 @@ export const handle: Handle = async ({ event, resolve }) => {
 
 				const user = await env.DB.prepare('SELECT id FROM users WHERE username = ?').bind(username).first<{ id: string }>();
 				if (user) {
-					const config = await env.DB.prepare('SELECT custom_script, is_public, dotfiles_repo FROM configs WHERE user_id = ? AND slug = ?')
-						.bind(user.id, slug)
-						.first<{ custom_script: string; is_public: number; dotfiles_repo: string }>();
+				const config = await env.DB.prepare('SELECT custom_script, visibility, dotfiles_repo FROM configs WHERE user_id = ? AND slug = ?')
+					.bind(user.id, slug)
+					.first<{ custom_script: string; visibility: string; dotfiles_repo: string }>();
 
-					if (config && config.is_public) {
+				if (config && config.visibility !== 'private') {
 						const script = generateInstallScript(username, slug, config.custom_script, config.dotfiles_repo || '');
 
 						env.DB.prepare('UPDATE configs SET install_count = install_count + 1 WHERE user_id = ? AND slug = ?').bind(user.id, slug).run().catch(() => {});

src/routes/[username]/[slug]/+page.server.ts

@@ -23,11 +23,10 @@ export const load: PageServerLoad = async ({ params, platform, request, cookies
 
 	if (!config) throw error(404, 'Configuration not found');
 
-	// 3. Check visibility
-	if (!config.is_public) {
+	if (config.visibility === 'private') {
 		const currentUser = await getCurrentUser(request, cookies, env.DB, env.JWT_SECRET);
 		if (!currentUser || currentUser.id !== targetUser.id) {
-			throw error(404, 'Configuration not found'); // Hide private configs
+			throw error(404, 'Configuration not found');
 		}
 	}
 

src/routes/[username]/[slug]/config/+server.ts

@@ -16,16 +16,16 @@ export const GET: RequestHandler = async ({ platform, params }) => {
 	}
 
 	const config = await env.DB.prepare(
-		'SELECT slug, name, base_preset, packages, snapshot, is_public, dotfiles_repo FROM configs WHERE user_id = ? AND slug = ?'
+		'SELECT slug, name, base_preset, packages, snapshot, visibility, dotfiles_repo FROM configs WHERE user_id = ? AND slug = ?'
 	)
 		.bind(user.id, params.slug)
-		.first<{ slug: string; name: string; base_preset: string; packages: string; snapshot: string; is_public: number; dotfiles_repo: string }>();
+		.first<{ slug: string; name: string; base_preset: string; packages: string; snapshot: string; visibility: string; dotfiles_repo: string }>();
 
 	if (!config) {
 		return json({ error: 'Config not found' }, { status: 404 });
 	}
 
-	if (!config.is_public) {
+	if (config.visibility === 'private') {
 		return json({ error: 'Config is private' }, { status: 403 });
 	}
 

src/routes/[username]/[slug]/install/+server.ts

@@ -12,15 +12,15 @@ export const GET: RequestHandler = async ({ platform, params }) => {
 		return new Response('User not found', { status: 404 });
 	}
 
-	const config = await env.DB.prepare('SELECT custom_script, is_public, dotfiles_repo FROM configs WHERE user_id = ? AND slug = ?')
+	const config = await env.DB.prepare('SELECT custom_script, visibility, dotfiles_repo FROM configs WHERE user_id = ? AND slug = ?')
 		.bind(user.id, params.slug)
-		.first<{ custom_script: string; is_public: number; dotfiles_repo: string }>();
+		.first<{ custom_script: string; visibility: string; dotfiles_repo: string }>();
 
 	if (!config) {
 		return new Response('Config not found', { status: 404 });
 	}
 
-	if (!config.is_public) {
+	if (config.visibility === 'private') {
 		return new Response('Config is private', { status: 403 });
 	}
 

src/routes/[username]/[slug]/og/+server.ts

@@ -145,18 +145,18 @@ export const GET: RequestHandler = async ({ params, platform }) => {
 	if (!targetUser) return new Response('Not found', { status: 404 });
 
 	const config = await env.DB.prepare(
-		'SELECT name, description, packages, is_public, base_preset FROM configs WHERE user_id = ? AND slug = ?'
+		'SELECT name, description, packages, visibility, base_preset FROM configs WHERE user_id = ? AND slug = ?'
 	)
 		.bind(targetUser.id, slug)
 		.first<{
 			name: string;
 			description: string;
 			packages: string;
-			is_public: number;
+			visibility: string;
 			base_preset: string;
 		}>();
 
-	if (!config || !config.is_public) return new Response('Not found', { status: 404 });
+	if (!config || config.visibility === 'private') return new Response('Not found', { status: 404 });
 
 	const rawPkgs: { name: string; type: string }[] = (() => {
 		try {