@emdash-cms/cloudflare 0.0.1

package/dist/db/d1.mjs

@@ -0,0 +1,74 @@
+import { t as D1Introspector } from "../d1-introspector-bZf0_ylK.mjs";
+import { env } from "cloudflare:workers";
+import { D1Dialect } from "kysely-d1";
+
+//#region src/db/d1.ts
+/**
+* Cloudflare D1 runtime adapter - RUNTIME ENTRY
+*
+* Creates a Kysely dialect for D1.
+* Loaded at runtime via virtual module when database queries are needed.
+*
+* This module imports directly from cloudflare:workers to access the D1 binding.
+* Do NOT import this at config time - use { d1 } from "@emdash-cms/cloudflare" instead.
+*/
+/**
+* Custom D1 Dialect that uses our D1-compatible introspector
+*
+* The default kysely-d1 dialect uses SqliteIntrospector which does a
+* cross-join with pragma_table_info() that D1 doesn't allow.
+*/
+var EmDashD1Dialect = class extends D1Dialect {
+	createIntrospector(db) {
+		return new D1Introspector(db);
+	}
+};
+/**
+* Create a D1 dialect from config
+*
+* @param config - D1 configuration with binding name
+*/
+function createDialect(config) {
+	const db = env[config.binding];
+	if (!db) throw new Error(`D1 binding "${config.binding}" not found in environment. Check your wrangler.toml configuration:\n\n[[d1_databases]]\nbinding = "${config.binding}"\ndatabase_name = "your-database-name"\ndatabase_id = "your-database-id"`);
+	return new EmDashD1Dialect({ database: db });
+}
+/**
+* Whether D1 sessions are enabled in the config.
+*/
+function isSessionEnabled(config) {
+	return !!config.session && config.session !== "disabled";
+}
+/**
+* Get the raw D1 binding for creating sessions.
+* Returns null if sessions are disabled.
+*/
+function getD1Binding(config) {
+	if (!isSessionEnabled(config)) return null;
+	return env[config.binding] ?? null;
+}
+/**
+* Get the default session constraint for the config's session mode.
+*/
+function getDefaultConstraint(config) {
+	if (config.session === "primary-first") return "first-primary";
+	return "first-unconstrained";
+}
+/**
+* Get the cookie name used for storing D1 session bookmarks.
+*/
+function getBookmarkCookieName(config) {
+	return config.bookmarkCookie ?? "__ec_d1_bookmark";
+}
+/**
+* Create a Kysely dialect from a D1 session object.
+*
+* D1DatabaseSession has the same `prepare()` / `batch()` interface
+* as D1Database, so we pass it directly to D1Dialect.
+*/
+function createSessionDialect(session) {
+	return new EmDashD1Dialect({ database: session });
+}
+
+//#endregion
+export { createDialect, createSessionDialect, getBookmarkCookieName, getD1Binding, getDefaultConstraint, isSessionEnabled };

package/dist/db/do.d.mts

@@ -0,0 +1,96 @@
+import { t as PreviewDOConfig } from "../do-types-CY0G0oyh.mjs";
+import { t as EmDashPreviewDB } from "../do-class-x5Xh_G62.mjs";
+import { Dialect } from "kysely";
+import { MiddlewareHandler } from "astro";
+
+//#region src/db/do-preview.d.ts
+/** Configuration for the preview middleware */
+interface PreviewMiddlewareConfig {
+  /** Durable Object binding name (from wrangler.jsonc) */
+  binding: string;
+  /** HMAC secret for validating signed preview URLs */
+  secret: string;
+  /** TTL for preview data in seconds (default: 3600 = 1 hour) */
+  ttl?: number;
+  /** Cookie name for session token (default: "emdash_preview") */
+  cookieName?: string;
+}
+/**
+ * Create an Astro-compatible preview middleware.
+ *
+ * Returns a middleware function that can be used in `defineMiddleware()`
+ * or composed via `sequence()`.
+ */
+declare function createPreviewMiddleware(config: PreviewMiddlewareConfig): MiddlewareHandler;
+//#endregion
+//#region src/db/do-preview-routes.d.ts
+/**
+ * Preview mode route gating.
+ *
+ * Pure function — no Worker or Cloudflare dependencies.
+ * Extracted so it can be tested without mocking cloudflare:workers.
+ */
+/**
+ * Check whether a request should be blocked in preview mode.
+ *
+ * Preview is read-only with no authenticated user. All /_emdash/
+ * routes are blocked by default (admin UI, auth, setup, write APIs).
+ * Only specific read-only API prefixes are allowlisted.
+ *
+ * Non-emdash routes (site pages, assets) are always allowed.
+ */
+declare function isBlockedInPreview(pathname: string): boolean;
+//#endregion
+//#region src/db/do-preview-sign.d.ts
+/**
+ * Preview URL signing utilities.
+ *
+ * Pure functions using Web Crypto — no Worker or Cloudflare dependencies.
+ * Used by the source site to generate signed preview URLs and by the
+ * preview service to verify them.
+ */
+/**
+ * Generate a signed preview URL.
+ *
+ * The source site calls this to create a link that opens the preview service.
+ * The preview service validates the signature and populates the DO from a
+ * snapshot of the source site.
+ *
+ * @param previewBase - Base URL of the preview service (e.g. "https://theme-x.preview.emdashcms.com")
+ * @param source - URL of the source site providing the snapshot (e.g. "https://mysite.com")
+ * @param secret - Shared HMAC secret (same value configured on both sides)
+ * @param ttl - Link validity in seconds (default: 3600 = 1 hour)
+ * @returns Fully signed preview URL
+ *
+ * @example
+ * ```ts
+ * const url = await signPreviewUrl(
+ *   "https://theme-x.preview.emdashcms.com",
+ *   "https://mysite.com",
+ *   import.meta.env.PREVIEW_SECRET,
+ * );
+ * // => "https://theme-x.preview.emdashcms.com/?source=https%3A%2F%2Fmysite.com&exp=1709164800&sig=abc123..."
+ * ```
+ */
+declare function signPreviewUrl(previewBase: string, source: string, secret: string, ttl?: number): Promise<string>;
+/**
+ * Verify an HMAC-SHA256 signature on a preview URL.
+ *
+ * Uses crypto.subtle.verify for constant-time comparison.
+ *
+ * @returns true if the signature is valid
+ */
+declare function verifyPreviewSignature(source: string, exp: number, sig: string, secret: string): Promise<boolean>;
+//#endregion
+//#region src/db/do.d.ts
+/**
+ * Create a preview DO dialect from config.
+ *
+ * The caller is responsible for resolving the DO name (session token).
+ * This is passed as `config.name` by the preview middleware.
+ */
+declare function createDialect(config: PreviewDOConfig & {
+  name: string;
+}): Dialect;
+//#endregion
+export { EmDashPreviewDB, type PreviewMiddlewareConfig, createDialect, createPreviewMiddleware, isBlockedInPreview, signPreviewUrl, verifyPreviewSignature };

package/dist/db/do.mjs

@@ -0,0 +1,489 @@
+import "../d1-introspector-bZf0_ylK.mjs";
+import { t as PreviewDODialect } from "../do-dialect-BhFcRSFQ.mjs";
+import { t as EmDashPreviewDB } from "../do-class-DY2Ba2RJ.mjs";
+import { env } from "cloudflare:workers";
+import { Kysely } from "kysely";
+import { runWithContext } from "emdash/request-context";
+import { ulid } from "ulidx";
+
+//#region src/db/do-preview-routes.ts
+/**
+* Preview mode route gating.
+*
+* Pure function — no Worker or Cloudflare dependencies.
+* Extracted so it can be tested without mocking cloudflare:workers.
+*/
+/**
+* API route prefixes allowed in preview mode (read-only).
+* Everything else under /_emdash/ is blocked.
+*/
+const ALLOWED_API_PREFIXES = [
+	"/_emdash/api/content/",
+	"/_emdash/api/schema",
+	"/_emdash/api/manifest",
+	"/_emdash/api/dashboard",
+	"/_emdash/api/search",
+	"/_emdash/api/media",
+	"/_emdash/api/taxonomies",
+	"/_emdash/api/menus",
+	"/_emdash/api/snapshot"
+];
+/**
+* Check whether a request should be blocked in preview mode.
+*
+* Preview is read-only with no authenticated user. All /_emdash/
+* routes are blocked by default (admin UI, auth, setup, write APIs).
+* Only specific read-only API prefixes are allowlisted.
+*
+* Non-emdash routes (site pages, assets) are always allowed.
+*/
+function isBlockedInPreview(pathname) {
+	if (!pathname.startsWith("/_emdash/")) return false;
+	for (const prefix of ALLOWED_API_PREFIXES) if (pathname === prefix || pathname.startsWith(prefix)) return false;
+	return true;
+}
+
+//#endregion
+//#region src/db/do-preview-sign.ts
+/**
+* Preview URL signing utilities.
+*
+* Pure functions using Web Crypto — no Worker or Cloudflare dependencies.
+* Used by the source site to generate signed preview URLs and by the
+* preview service to verify them.
+*/
+/** Matches a lowercase hex string */
+const HEX_PATTERN = /^[0-9a-f]+$/;
+/**
+* Compute HMAC-SHA256 over a message and return the hex-encoded signature.
+*/
+async function hmacSign(message, secret) {
+	const encoder = new TextEncoder();
+	const key = await crypto.subtle.importKey("raw", encoder.encode(secret), {
+		name: "HMAC",
+		hash: "SHA-256"
+	}, false, ["sign"]);
+	const buffer = await crypto.subtle.sign("HMAC", key, encoder.encode(message));
+	return Array.from(new Uint8Array(buffer), (b) => b.toString(16).padStart(2, "0")).join("");
+}
+/**
+* Generate a signed preview URL.
+*
+* The source site calls this to create a link that opens the preview service.
+* The preview service validates the signature and populates the DO from a
+* snapshot of the source site.
+*
+* @param previewBase - Base URL of the preview service (e.g. "https://theme-x.preview.emdashcms.com")
+* @param source - URL of the source site providing the snapshot (e.g. "https://mysite.com")
+* @param secret - Shared HMAC secret (same value configured on both sides)
+* @param ttl - Link validity in seconds (default: 3600 = 1 hour)
+* @returns Fully signed preview URL
+*
+* @example
+* ```ts
+* const url = await signPreviewUrl(
+*   "https://theme-x.preview.emdashcms.com",
+*   "https://mysite.com",
+*   import.meta.env.PREVIEW_SECRET,
+* );
+* // => "https://theme-x.preview.emdashcms.com/?source=https%3A%2F%2Fmysite.com&exp=1709164800&sig=abc123..."
+* ```
+*/
+async function signPreviewUrl(previewBase, source, secret, ttl = 3600) {
+	const exp = Math.floor(Date.now() / 1e3) + ttl;
+	const sig = await hmacSign(`${source}:${exp}`, secret);
+	const url = new URL(previewBase);
+	url.searchParams.set("source", source);
+	url.searchParams.set("exp", String(exp));
+	url.searchParams.set("sig", sig);
+	return url.toString();
+}
+/**
+* Verify an HMAC-SHA256 signature on a preview URL.
+*
+* Uses crypto.subtle.verify for constant-time comparison.
+*
+* @returns true if the signature is valid
+*/
+async function verifyPreviewSignature(source, exp, sig, secret) {
+	if (sig.length !== 64 || !HEX_PATTERN.test(sig)) return false;
+	const sigBytes = new Uint8Array(32);
+	for (let i = 0; i < 64; i += 2) sigBytes[i / 2] = parseInt(sig.substring(i, i + 2), 16);
+	const encoder = new TextEncoder();
+	const key = await crypto.subtle.importKey("raw", encoder.encode(secret), {
+		name: "HMAC",
+		hash: "SHA-256"
+	}, false, ["verify"]);
+	return crypto.subtle.verify("HMAC", key, sigBytes, encoder.encode(`${source}:${exp}`));
+}
+
+//#endregion
+//#region src/db/preview-toolbar.ts
+const RE_AMP = /&/g;
+const RE_QUOT = /"/g;
+const RE_LT = /</g;
+const RE_GT = />/g;
+function renderPreviewToolbar(config) {
+	const { generatedAt, source, error } = config;
+	return `
+<!-- EmDash Preview Toolbar -->
+<div id="emdash-preview-toolbar"${generatedAt ? ` data-generated-at="${escapeAttr(generatedAt)}"` : ""}${source ? ` data-source="${escapeAttr(source)}"` : ""}${error ? ` data-error="${escapeAttr(error)}"` : ""}>
+  <div class="ec-ptb-inner">
+    <span class="ec-ptb-badge">Preview</span>
+
+    <div class="ec-ptb-divider"></div>
+
+    <span class="ec-ptb-status" id="ec-ptb-status"></span>
+
+    <button class="ec-ptb-btn" id="ec-ptb-reload" title="Reload snapshot">
+      <svg class="ec-ptb-icon" id="ec-ptb-reload-icon" width="14" height="14" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"><polyline points="23 4 23 10 17 10"/><path d="M20.49 15a9 9 0 1 1-2.12-9.36L23 10"/></svg>
+    </button>
+
+    <button class="ec-ptb-btn ec-ptb-close" id="ec-ptb-dismiss" title="Dismiss toolbar">
+      <svg width="12" height="12" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2.5" stroke-linecap="round" stroke-linejoin="round"><line x1="18" y1="6" x2="6" y2="18"/><line x1="6" y1="6" x2="18" y2="18"/></svg>
+    </button>
+  </div>
+</div>
+
+<style>
+  #emdash-preview-toolbar {
+    position: fixed;
+    bottom: 16px;
+    left: 50%;
+    transform: translateX(-50%);
+    z-index: 999999;
+    font-family: -apple-system, BlinkMacSystemFont, "Segoe UI", Roboto, sans-serif;
+    font-size: 13px;
+    line-height: 1;
+    -webkit-font-smoothing: antialiased;
+  }
+
+  #emdash-preview-toolbar.ec-ptb-hidden {
+    display: none;
+  }
+
+  .ec-ptb-inner {
+    display: flex;
+    align-items: center;
+    gap: 10px;
+    padding: 8px 12px 8px 16px;
+    background: #1a1a1a;
+    color: #e0e0e0;
+    border-radius: 999px;
+    box-shadow: 0 4px 24px rgba(0,0,0,0.3), 0 0 0 1px rgba(255,255,255,0.08);
+    white-space: nowrap;
+    user-select: none;
+  }
+
+  .ec-ptb-badge {
+    display: inline-flex;
+    align-items: center;
+    padding: 3px 8px;
+    border-radius: 999px;
+    font-size: 11px;
+    font-weight: 600;
+    letter-spacing: 0.02em;
+    text-transform: uppercase;
+    background: rgba(139,92,246,0.2);
+    color: #a78bfa;
+  }
+
+  .ec-ptb-divider {
+    width: 1px;
+    height: 16px;
+    background: rgba(255,255,255,0.15);
+  }
+
+  .ec-ptb-status {
+    display: inline-flex;
+    align-items: center;
+    gap: 6px;
+    font-size: 12px;
+    color: #999;
+  }
+
+  .ec-ptb-status--error {
+    color: #f87171;
+  }
+
+  .ec-ptb-btn {
+    display: inline-flex;
+    align-items: center;
+    justify-content: center;
+    background: none;
+    border: none;
+    color: #888;
+    cursor: pointer;
+    padding: 4px;
+    border-radius: 4px;
+    transition: color 0.15s, background 0.15s;
+    font-family: inherit;
+  }
+
+  .ec-ptb-btn:hover {
+    color: #fff;
+    background: rgba(255,255,255,0.08);
+  }
+
+  .ec-ptb-icon {
+    transition: transform 0.3s;
+  }
+
+  .ec-ptb-btn:disabled {
+    opacity: 0.4;
+    cursor: not-allowed;
+  }
+
+  .ec-ptb-btn:disabled:hover {
+    color: #888;
+    background: none;
+  }
+
+  @keyframes ec-ptb-spin {
+    to { transform: rotate(360deg); }
+  }
+
+  .ec-ptb-spinning .ec-ptb-icon {
+    animation: ec-ptb-spin 0.8s linear infinite;
+  }
+</style>
+
+<script>
+(function() {
+  var toolbar = document.getElementById("emdash-preview-toolbar");
+  var statusEl = document.getElementById("ec-ptb-status");
+  var reloadBtn = document.getElementById("ec-ptb-reload");
+  var dismissBtn = document.getElementById("ec-ptb-dismiss");
+  if (!toolbar || !statusEl || !reloadBtn || !dismissBtn) return;
+
+  var generatedAt = toolbar.getAttribute("data-generated-at");
+  var source = toolbar.getAttribute("data-source");
+  var error = toolbar.getAttribute("data-error");
+
+  function formatAge(isoString) {
+    if (!isoString) return null;
+    var then = new Date(isoString).getTime();
+    var now = Date.now();
+    var seconds = Math.floor((now - then) / 1000);
+    if (seconds < 60) return "just now";
+    var minutes = Math.floor(seconds / 60);
+    if (minutes < 60) return minutes + "m ago";
+    var hours = Math.floor(minutes / 60);
+    if (hours < 24) return hours + "h ago";
+    return Math.floor(hours / 24) + "d ago";
+  }
+
+  function updateStatus() {
+    if (error) {
+      statusEl.className = "ec-ptb-status ec-ptb-status--error";
+      statusEl.textContent = error;
+      return;
+    }
+    var age = formatAge(generatedAt);
+    statusEl.className = "ec-ptb-status";
+    statusEl.textContent = age ? "Snapshot " + age : "Preview mode";
+  }
+
+  updateStatus();
+
+  // Update age display every 30s
+  var ageInterval = setInterval(updateStatus, 30000);
+
+  // Reload: hit the server endpoint which clears the httpOnly session cookie
+  // and redirects back with the original signed params for a fresh snapshot.
+  reloadBtn.addEventListener("click", function() {
+    reloadBtn.disabled = true;
+    reloadBtn.classList.add("ec-ptb-spinning");
+    statusEl.className = "ec-ptb-status";
+    statusEl.textContent = "Reloading\u2026";
+    location.href = "/_preview/reload";
+  });
+
+  // Dismiss
+  dismissBtn.addEventListener("click", function() {
+    toolbar.classList.add("ec-ptb-hidden");
+    clearInterval(ageInterval);
+  });
+})();
+<\/script>
+`;
+}
+function escapeAttr(str) {
+	return str.replace(RE_AMP, "&amp;").replace(RE_QUOT, "&quot;").replace(RE_LT, "&lt;").replace(RE_GT, "&gt;");
+}
+
+//#endregion
+//#region src/db/do-preview.ts
+/**
+* Simple loading interstitial HTML.
+* Auto-reloads after a short delay to check if the snapshot is ready.
+*/
+function loadingPage() {
+	return `<!DOCTYPE html>
+<html lang="en">
+<head>
+<meta charset="utf-8">
+<meta name="viewport" content="width=device-width, initial-scale=1">
+<meta http-equiv="refresh" content="2">
+<title>Loading preview...</title>
+<style>
+body { font-family: system-ui, sans-serif; display: flex; align-items: center; justify-content: center; min-height: 100vh; margin: 0; background: #fafafa; color: #333; }
+.spinner { width: 40px; height: 40px; border: 3px solid #e0e0e0; border-top-color: #333; border-radius: 50%; animation: spin 0.8s linear infinite; margin-right: 16px; }
+@keyframes spin { to { transform: rotate(360deg); } }
+</style>
+</head>
+<body>
+<div class="spinner"></div>
+<p>Loading preview&hellip;</p>
+</body>
+</html>`;
+}
+/**
+* Create an Astro-compatible preview middleware.
+*
+* Returns a middleware function that can be used in `defineMiddleware()`
+* or composed via `sequence()`.
+*/
+function createPreviewMiddleware(config) {
+	const { binding, secret, ttl = 3600, cookieName = "emdash_preview" } = config;
+	return async function previewMiddleware(context, next) {
+		const { url, cookies } = context;
+		if (url.pathname === "/_preview/reload") {
+			cookies.delete(cookieName, { path: "/" });
+			let redirectTo = "/";
+			const paramsCookie = cookies.get(`${cookieName}_params`)?.value;
+			if (paramsCookie) {
+				const parts = decodeURIComponent(paramsCookie).split("\n");
+				if (parts.length === 3) {
+					const reloadUrl = new URL("/", url.origin);
+					reloadUrl.searchParams.set("source", parts[0]);
+					reloadUrl.searchParams.set("exp", parts[1]);
+					reloadUrl.searchParams.set("sig", parts[2]);
+					redirectTo = reloadUrl.pathname + reloadUrl.search;
+				}
+			}
+			return context.redirect(redirectTo);
+		}
+		if (isBlockedInPreview(url.pathname)) return Response.json({ error: {
+			code: "PREVIEW_MODE",
+			message: "Not available in preview mode"
+		} }, { status: 403 });
+		let sessionToken = cookies.get(cookieName)?.value;
+		let sourceUrl = null;
+		let snapshotSignature = null;
+		if (!sessionToken) {
+			const source = url.searchParams.get("source");
+			const exp = url.searchParams.get("exp");
+			const sig = url.searchParams.get("sig");
+			if (!source || !exp || !sig) return new Response("Missing preview parameters", { status: 400 });
+			const expNum = parseInt(exp, 10);
+			if (isNaN(expNum) || expNum < Date.now() / 1e3) return new Response("Preview link expired", { status: 403 });
+			if (!await verifyPreviewSignature(source, expNum, sig, secret)) return new Response("Invalid preview signature", { status: 403 });
+			sessionToken = ulid();
+			sourceUrl = source;
+			snapshotSignature = `${source}:${exp}:${sig}`;
+			cookies.set(cookieName, sessionToken, {
+				httpOnly: true,
+				sameSite: "lax",
+				path: "/",
+				maxAge: ttl
+			});
+			cookies.set(`${cookieName}_params`, `${source}\n${exp}\n${sig}`, {
+				sameSite: "lax",
+				path: "/",
+				maxAge: ttl
+			});
+		}
+		const ns = env[binding];
+		if (!ns) {
+			console.error(`Preview binding "${binding}" not found in environment`);
+			return new Response("Preview service misconfigured", { status: 500 });
+		}
+		const namespace = ns;
+		const doId = namespace.idFromName(sessionToken);
+		const stub = namespace.get(doId);
+		let snapshotGeneratedAt;
+		let snapshotError;
+		if (!sourceUrl) try {
+			snapshotGeneratedAt = (await stub.getSnapshotMeta())?.generatedAt;
+		} catch {}
+		if (sourceUrl && snapshotSignature) try {
+			snapshotGeneratedAt = (await stub.populateFromSnapshot(sourceUrl, snapshotSignature, { ttl })).generatedAt;
+			const cleanUrl = new URL(url);
+			cleanUrl.searchParams.delete("source");
+			cleanUrl.searchParams.delete("exp");
+			cleanUrl.searchParams.delete("sig");
+			return context.redirect(cleanUrl.pathname + cleanUrl.search);
+		} catch (error) {
+			const message = error instanceof Error ? error.message : String(error);
+			console.error("Failed to populate preview snapshot:", message);
+			snapshotError = message;
+			if (!cookies.get(cookieName)?.value) return new Response(loadingPage(), {
+				status: 503,
+				headers: {
+					"Content-Type": "text/html",
+					"Retry-After": "2"
+				}
+			});
+		}
+		const getStub = () => {
+			return stub;
+		};
+		return runWithContext({
+			editMode: false,
+			db: new Kysely({ dialect: new PreviewDODialect({ getStub }) })
+		}, async () => {
+			return injectPreviewToolbar(await next(), {
+				generatedAt: snapshotGeneratedAt,
+				source: sourceUrl ?? void 0,
+				error: snapshotError
+			});
+		});
+	};
+}
+/**
+* Inject preview toolbar HTML into an HTML response.
+* Returns the original response unchanged for non-HTML responses.
+*/
+async function injectPreviewToolbar(response, config) {
+	if (!response.headers.get("content-type")?.includes("text/html")) return response;
+	const html = await response.text();
+	if (!html.includes("</body>")) return new Response(html, response);
+	const toolbarHtml = renderPreviewToolbar(config);
+	const injected = html.replace("</body>", `${toolbarHtml}</body>`);
+	return new Response(injected, {
+		status: response.status,
+		headers: response.headers
+	});
+}
+
+//#endregion
+//#region src/db/do.ts
+/**
+* Durable Object preview database — RUNTIME ENTRY
+*
+* Creates a Kysely dialect backed by a preview Durable Object.
+* Loaded at runtime via virtual module when preview database queries are needed.
+*
+* This module imports directly from cloudflare:workers to access the DO binding.
+* Do NOT import this at config time.
+*/
+/**
+* Create a preview DO dialect from config.
+*
+* The caller is responsible for resolving the DO name (session token).
+* This is passed as `config.name` by the preview middleware.
+*/
+function createDialect(config) {
+	const ns = env[config.binding];
+	if (!ns) throw new Error(`Durable Object binding "${config.binding}" not found in environment. Check your wrangler.jsonc configuration:\n\n[durable_objects]\nbindings = [\n  { name = "${config.binding}", class_name = "EmDashPreviewDB" }\n]\n\n[[migrations]]\ntag = "v1"\nnew_sqlite_classes = ["EmDashPreviewDB"]`);
+	const namespace = ns;
+	const id = namespace.idFromName(config.name);
+	const getStub = () => {
+		return namespace.get(id);
+	};
+	return new PreviewDODialect({ getStub });
+}
+
+//#endregion
+export { EmDashPreviewDB, createDialect, createPreviewMiddleware, isBlockedInPreview, signPreviewUrl, verifyPreviewSignature };

package/dist/db/playground-middleware.d.mts

@@ -0,0 +1,20 @@
+import * as astro from "astro";
+
+//#region src/db/playground-middleware.d.ts
+/**
+ * Playground middleware — injected by the EmDash integration as order: "pre".
+ *
+ * Runs BEFORE the EmDash runtime init middleware. Creates a per-session
+ * Durable Object database, runs migrations, applies the seed, creates an
+ * anonymous admin user, and sets the DB in ALS via runWithContext().
+ *
+ * By the time the runtime middleware runs, the ALS-scoped DB is ready.
+ * The runtime's `db` getter checks ALS first, so all init queries
+ * (migrations, FTS, cron, manifest) operate on the real DO database.
+ *
+ * This module is registered via `addMiddleware({ entrypoint: "..." })` in
+ * the integration, NOT in the user's src/middleware.ts.
+ */
+declare const onRequest: astro.MiddlewareHandler;
+//#endregion
+export { onRequest };