feat(domains): add allowed-domain repository and whitelist check

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

src/lib/server/domains/repository.ts

@@ -0,0 +1,33 @@
+import type Database from 'better-sqlite3';
+import type { AllowedDomain } from '$lib/types';
+
+export function normalizeDomain(raw: string): string {
+  return raw.trim().toLowerCase().replace(/^www\./, '');
+}
+
+export function listDomains(db: Database.Database): AllowedDomain[] {
+  return db
+    .prepare('SELECT id, domain, display_name FROM allowed_domain ORDER BY domain')
+    .all() as AllowedDomain[];
+}
+
+export function addDomain(
+  db: Database.Database,
+  domain: string,
+  displayName: string | null = null,
+  addedByProfileId: number | null = null
+): AllowedDomain {
+  const normalized = normalizeDomain(domain);
+  const row = db
+    .prepare(
+      `INSERT INTO allowed_domain(domain, display_name, added_by_profile_id)
+       VALUES (?, ?, ?)
+       RETURNING id, domain, display_name`
+    )
+    .get(normalized, displayName, addedByProfileId) as AllowedDomain;
+  return row;
+}
+
+export function removeDomain(db: Database.Database, id: number): void {
+  db.prepare('DELETE FROM allowed_domain WHERE id = ?').run(id);
+}

src/lib/server/domains/whitelist.ts

@@ -0,0 +1,16 @@
+import type Database from 'better-sqlite3';
+import { normalizeDomain } from './repository';
+
+export function isDomainAllowed(db: Database.Database, urlString: string): boolean {
+  let host: string;
+  try {
+    host = new URL(urlString).hostname;
+  } catch {
+    return false;
+  }
+  const normalized = normalizeDomain(host);
+  const row = db
+    .prepare('SELECT 1 AS ok FROM allowed_domain WHERE domain = ? LIMIT 1')
+    .get(normalized);
+  return row !== undefined;
+}