feat: update API config CRUD to use visibility with input validation

POST/PUT validate visibility is one of public/unlisted/private. Default unlisted.

Ultraworked with [Sisyphus](https://github.com/code-yeongyu/oh-my-opencode)

Co-authored-by: Sisyphus <clio-agent@sisyphuslabs.ai>

Author: fullstackjam

src/routes/api/configs/+server.ts

@@ -17,7 +17,7 @@ export const GET: RequestHandler = async ({ platform, cookies, request }) => {
 		return json({ error: 'Rate limit exceeded' }, { status: 429, headers: { 'Retry-After': String(Math.ceil(rl.retryAfter! / 1000)) } });
 	}
 
-	const { results } = await env.DB.prepare('SELECT id, slug, name, description, base_preset, is_public, alias, updated_at, snapshot, snapshot_at FROM configs WHERE user_id = ? ORDER BY updated_at DESC')
+	const { results } = await env.DB.prepare('SELECT id, slug, name, description, base_preset, visibility, alias, updated_at, snapshot, snapshot_at FROM configs WHERE user_id = ? ORDER BY updated_at DESC')
 		.bind(user.id)
 		.all();
 
@@ -43,7 +43,11 @@ export const POST: RequestHandler = async ({ platform, cookies, request }) => {
 		return json({ error: 'Invalid request body' }, { status: 400 });
 	}
 
-	const { name, description, base_preset, packages, custom_script, is_public, alias, dotfiles_repo, snapshot, snapshot_at } = body;
+	const { name, description, base_preset, packages, custom_script, visibility, alias, dotfiles_repo, snapshot, snapshot_at } = body;
+
+	if (visibility !== undefined && !['public', 'unlisted', 'private'].includes(visibility)) {
+		return json({ error: 'Invalid visibility. Must be public, unlisted, or private' }, { status: 400 });
+	}
 
 	const rlKeyW = getRateLimitKey('config-write', user.id);
 	const rlW = checkRateLimit(rlKeyW, RATE_LIMITS.CONFIG_WRITE);
@@ -92,11 +96,11 @@ export const POST: RequestHandler = async ({ platform, cookies, request }) => {
 	try {
 		await env.DB.prepare(
 			`
-			INSERT INTO configs (id, user_id, slug, name, description, base_preset, packages, custom_script, is_public, alias, dotfiles_repo, snapshot, snapshot_at)
+			INSERT INTO configs (id, user_id, slug, name, description, base_preset, packages, custom_script, visibility, alias, dotfiles_repo, snapshot, snapshot_at)
 			VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)
 		`
 		)
-			.bind(id, user.id, slug, name, description || '', base_preset || 'developer', JSON.stringify(packages || []), custom_script || '', is_public !== false ? 1 : 0, cleanAlias, dotfiles_repo || '', snapshot ? JSON.stringify(snapshot) : null, snapshot_at || null)
+			.bind(id, user.id, slug, name, description || '', base_preset || 'developer', JSON.stringify(packages || []), custom_script || '', visibility || 'unlisted', cleanAlias, dotfiles_repo || '', snapshot ? JSON.stringify(snapshot) : null, snapshot_at || null)
 			.run();
 	} catch (e) {
 		console.error('POST /api/configs error:', e);

src/routes/api/configs/[slug]/+server.ts

@@ -70,7 +70,11 @@ export const PUT: RequestHandler = async ({ platform, cookies, params, request }
 		return json({ error: 'Invalid request body' }, { status: 400 });
 	}
 
-	const { name, description, base_preset, packages, custom_script, is_public, alias, dotfiles_repo, snapshot, snapshot_at } = body;
+	const { name, description, base_preset, packages, custom_script, visibility, alias, dotfiles_repo, snapshot, snapshot_at } = body;
+
+	if (visibility !== undefined && !['public', 'unlisted', 'private'].includes(visibility)) {
+		return json({ error: 'Invalid visibility. Must be public, unlisted, or private' }, { status: 400 });
+	}
 
 	const rlKeyW = getRateLimitKey('config-write', user.id);
 	const rlW = checkRateLimit(rlKeyW, RATE_LIMITS.CONFIG_WRITE);
@@ -127,7 +131,7 @@ export const PUT: RequestHandler = async ({ platform, cookies, params, request }
 				base_preset = COALESCE(?, base_preset),
 				packages = COALESCE(?, packages),
 				custom_script = COALESCE(?, custom_script),
-				is_public = COALESCE(?, is_public),
+				visibility = COALESCE(?, visibility),
 				alias = ?,
 				dotfiles_repo = COALESCE(?, dotfiles_repo),
 				snapshot = ?,
@@ -143,7 +147,7 @@ export const PUT: RequestHandler = async ({ platform, cookies, params, request }
 				base_preset || null,
 				packages ? JSON.stringify(packages) : null,
 				custom_script !== undefined ? custom_script : null,
-				is_public !== undefined ? (is_public ? 1 : 0) : null,
+				visibility !== undefined ? visibility : null,
 				newAlias,
 				dotfiles_repo !== undefined ? dotfiles_repo : null,
 				snapshot !== undefined ? (snapshot ? JSON.stringify(snapshot) : null) : null,

src/routes/api/configs/from-snapshot/+server.ts

@@ -58,8 +58,8 @@ export const POST: RequestHandler = async ({ platform, cookies, request }) => {
 			.run();
 
 		const updated = await env.DB.prepare(
-			'SELECT id, slug, name, description, base_preset, packages, snapshot, snapshot_at, is_public FROM configs WHERE user_id = ? AND slug = ?'
-		).bind(user.id, config_slug).first();
+		'SELECT id, slug, name, description, base_preset, packages, snapshot, snapshot_at, visibility FROM configs WHERE user_id = ? AND slug = ?'
+	).bind(user.id, config_slug).first();
 
 		return json({
 			...updated,
@@ -96,8 +96,8 @@ export const POST: RequestHandler = async ({ platform, cookies, request }) => {
 
 	try {
 		await env.DB.prepare(
-			`INSERT INTO configs (id, user_id, slug, name, description, base_preset, packages, snapshot, snapshot_at, is_public)
-			VALUES (?, ?, ?, ?, ?, ?, ?, ?, datetime('now'), 1)`
+			`INSERT INTO configs (id, user_id, slug, name, description, base_preset, packages, snapshot, snapshot_at, visibility)
+			VALUES (?, ?, ?, ?, ?, ?, ?, ?, datetime('now'), 'unlisted')`
 		)
 			.bind(
 				id,
@@ -116,7 +116,7 @@ export const POST: RequestHandler = async ({ platform, cookies, request }) => {
 	}
 
 	const created = await env.DB.prepare(
-		'SELECT id, slug, name, description, base_preset, packages, snapshot, snapshot_at, is_public FROM configs WHERE id = ?'
+		'SELECT id, slug, name, description, base_preset, packages, snapshot, snapshot_at, visibility FROM configs WHERE id = ?'
 	).bind(id).first();
 
 	return json({