@jant/core 0.3.42 → 0.3.43

package/src/lib/hosted-signin.ts

@@ -3,10 +3,15 @@ import {
   getHostedControlPlaneProviderLabel as getConfiguredHostedControlPlaneProviderLabel,
   getSiteResolutionMode,
 } from "./env.js";
+import { isSafeInternalRedirect } from "./url.js";
 
-function getHostedAdminContinuationPath(publicRequestUrl: string): string {
+function getHostedAdminContinuationPath(
+  publicRequestUrl: string,
+  redirect?: string,
+): string {
   const currentHost = new URL(publicRequestUrl).host;
-  return `/auth/handoff/start?host=${encodeURIComponent(currentHost)}&redirect=${encodeURIComponent("/")}`;
+  const safeRedirect = isSafeInternalRedirect(redirect) ? redirect : "/";
+  return `/auth/handoff/start?host=${encodeURIComponent(currentHost)}&redirect=${encodeURIComponent(safeRedirect)}`;
 }
 
 function buildHostedControlPlaneUrl(
@@ -31,11 +36,12 @@ function buildHostedControlPlaneUrl(
 export function getHostedControlPlaneSigninUrl(
   env: object | undefined | null,
   publicRequestUrl: string,
+  redirect?: string,
 ): string | null {
   return buildHostedControlPlaneUrl(
     env,
     "/auth/handoff/start",
-    getHostedAdminContinuationPath(publicRequestUrl).replace(
+    getHostedAdminContinuationPath(publicRequestUrl, redirect).replace(
       /^\/auth\/handoff\/start/,
       "",
     ),

package/src/lib/navigation.ts

@@ -60,8 +60,15 @@ export function getHomeDefaultViewFromNavItems(
  * });
  * ```
  */
-export async function getNavigationData(c: Context): Promise<NavigationData> {
-  const items = await c.var.services.navItems.list();
+export async function getNavigationData(
+  c: Context,
+  options?: { preloadedItems?: NavItem[] },
+): Promise<NavigationData> {
+  // Callers that already fetched nav items (e.g. home route, which needs
+  // `homeDefaultView` before deciding which timeline to assemble) can pass
+  // them in to avoid a redundant DB round-trip.
+  const items =
+    options?.preloadedItems ?? (await c.var.services.navItems.list());
   const currentPath = c.var.publicPath;
   const appConfig = c.var.appConfig;
 
@@ -86,17 +93,9 @@ export async function getNavigationData(c: Context): Promise<NavigationData> {
   // Render footer markdown
   const siteFooterHtml = siteFooter ? renderMarkdown(siteFooter) : undefined;
 
-  // Check auth status (needed for compose button and system nav items)
-  let isAuthenticated = false;
+  // Auth state is populated once per request by `attachSession` middleware.
+  const isAuthenticated = c.var.isAuthenticated;
   let collections: Collection[] = [];
-  try {
-    const session = await c.var.auth.api.getSession({
-      headers: c.req.raw.headers,
-    });
-    isAuthenticated = !!session?.user;
-  } catch {
-    // Not authenticated
-  }
 
   // Compute freshness for collection nav items
   const collectionNavIds: string[] = [];

package/src/lib/post-meta.ts

@@ -1,9 +1,27 @@
 import type { Post } from "../types.js";
 import { extractDisplayDomain } from "./url.js";
+import { extractBodyText } from "./summary.js";
 
 const TITLE_MAX_CHARS = 72;
 const DESCRIPTION_MAX_CHARS = 160;
 
+/**
+ * Derive a clean plain-text projection of the body for human-facing meta.
+ *
+ * We cannot reuse `post.bodyText` here: that column is written with
+ * `includeLinkHrefs: true` so inline link URLs land in the FTS index, which
+ * pollutes the stored text with trailing URLs. Re-derive from the source
+ * TipTap JSON (`post.body`) without that option.
+ */
+function getCleanBodyText(post: Post): string {
+  // Prefer re-derivation from `post.body` (TipTap JSON). Fall back to
+  // `post.bodyText` only when `body` is absent (legacy rows / fixtures);
+  // without link marks in the source, there is no URL pollution to worry
+  // about.
+  if (post.body) return extractBodyText(post.body) ?? "";
+  return post.bodyText ?? "";
+}
+
 function normalizeText(text: string | null | undefined): string {
   return (text ?? "").replace(/\s+/g, " ").trim();
 }
@@ -49,7 +67,7 @@ function getTitleCandidate(post: Post): string {
   const summarySnippet = getFirstParagraph(post.summary);
   if (summarySnippet) return clipText(summarySnippet, TITLE_MAX_CHARS);
 
-  const bodySnippet = getFirstParagraph(post.bodyText);
+  const bodySnippet = getFirstParagraph(getCleanBodyText(post));
   if (bodySnippet) return clipText(bodySnippet, TITLE_MAX_CHARS);
 
   if (post.format === "link" && post.url) {
@@ -68,7 +86,7 @@ function getDescriptionCandidate(post: Post): string {
   const summaryText = normalizeText(post.summary);
   if (summaryText) return clipText(summaryText, DESCRIPTION_MAX_CHARS);
 
-  const bodyText = normalizeText(post.bodyText);
+  const bodyText = normalizeText(getCleanBodyText(post));
   if (bodyText) return clipText(bodyText, DESCRIPTION_MAX_CHARS);
 
   const quoteText = normalizeText(post.quoteText);

package/src/lib/rate-limit-d1.ts

@@ -0,0 +1,99 @@
+/**
+ * D1 Sliding-Window Rate Limiter
+ *
+ * Used by the Cloudflare Workers runtime where isolates are ephemeral and
+ * memory-based limiters would silently drop state between requests. Each
+ * check performs one SELECT (over a two-row range) plus one UPSERT — both
+ * hit a composite primary key so the round-trips are cheap.
+ *
+ * Algorithm: two-window weighted counter. The previous window's tally
+ * decays linearly as the current window fills, giving a smoother limit
+ * than a naive fixed window (which would allow a 2x burst at the
+ * boundary) while remaining a single-key storage primitive.
+ *
+ * For Node deployments use `createMemoryRateLimiter` instead.
+ */
+
+import { and, eq, inArray, lt, sql } from "drizzle-orm";
+import type { Database } from "../db/index.js";
+import type { DatabaseSchema } from "../db/schema-bundle.js";
+import type {
+  RateLimitCheckOptions,
+  RateLimitResult,
+  RateLimiter,
+} from "./rate-limit.js";
+
+/**
+ * Probability of running opportunistic cleanup on any given write.
+ * 1% strikes a balance between bounded table growth and per-request cost.
+ */
+const CLEANUP_PROBABILITY = 0.01;
+
+export function createD1RateLimiter(
+  db: Database,
+  schema: DatabaseSchema,
+  now: () => number = () => Math.floor(Date.now() / 1000),
+): RateLimiter {
+  const { rateLimit } = schema;
+
+  return {
+    async check(
+      key: string,
+      opts: RateLimitCheckOptions,
+    ): Promise<RateLimitResult> {
+      const { limit, windowSec } = opts;
+      const nowSec = now();
+      const currentWindow = Math.floor(nowSec / windowSec) * windowSec;
+      const previousWindow = currentWindow - windowSec;
+
+      const rows = await db
+        .select({
+          windowStart: rateLimit.windowStart,
+          count: rateLimit.count,
+        })
+        .from(rateLimit)
+        .where(
+          and(
+            eq(rateLimit.key, key),
+            inArray(rateLimit.windowStart, [currentWindow, previousWindow]),
+          ),
+        );
+
+      let currentCount = 0;
+      let previousCount = 0;
+      for (const row of rows) {
+        if (row.windowStart === currentWindow) currentCount = row.count;
+        else if (row.windowStart === previousWindow) previousCount = row.count;
+      }
+
+      const elapsed = nowSec - currentWindow;
+      const prevWeight = 1 - elapsed / windowSec;
+      const estimate = previousCount * prevWeight + currentCount;
+
+      if (estimate >= limit) {
+        // Don't record the rejected hit — otherwise a sustained flood
+        // would keep increasing `count` past the limit for no benefit.
+        const retryAfterSec = Math.max(1, windowSec - elapsed);
+        return { ok: false, retryAfterSec };
+      }
+
+      await db
+        .insert(rateLimit)
+        .values({ key, windowStart: currentWindow, count: 1 })
+        .onConflictDoUpdate({
+          target: [rateLimit.key, rateLimit.windowStart],
+          set: { count: sql`${rateLimit.count} + 1` },
+        });
+
+      // Opportunistic cleanup: keep the table bounded without writing
+      // a DELETE on every request.
+      if (Math.random() < CLEANUP_PROBABILITY) {
+        await db
+          .delete(rateLimit)
+          .where(lt(rateLimit.windowStart, currentWindow - windowSec * 2));
+      }
+
+      return { ok: true };
+    },
+  };
+}

package/src/lib/rate-limit-memory.ts

@@ -0,0 +1,105 @@
+/**
+ * In-Memory Rate Limiter
+ *
+ * Used by the Node runtime. The server process is long-lived and
+ * single-instance, so a local `Map` is reliable and avoids unnecessary DB
+ * round-trips. Uses the classic sliding-window-counter algorithm (two
+ * aligned buckets with a weighted estimate) for smooth limiting without
+ * the 2x boundary burst of a fixed window.
+ *
+ * On Cloudflare Workers use `createD1RateLimiter` instead — isolates are
+ * ephemeral and cannot share memory across requests.
+ */
+
+import type {
+  RateLimitCheckOptions,
+  RateLimitResult,
+  RateLimiter,
+} from "./rate-limit.js";
+
+interface Bucket {
+  /** Unix seconds, aligned to the start of the current window. */
+  windowStart: number;
+  /** Hits recorded in the current window. */
+  count: number;
+  /** Hits recorded in the previous window (used for weighted estimate). */
+  prevCount: number;
+}
+
+/**
+ * Number of live keys after which we prune old buckets on the next write.
+ * Keeps the Map bounded under abuse without paying for eager sweeps.
+ */
+const SWEEP_THRESHOLD = 10_000;
+
+/**
+ * Creates an isolated in-memory limiter. Tests construct one per test app;
+ * the Node runtime holds a single module-level instance across requests.
+ *
+ * `now` is injectable so tests can assert window-rollover behavior without
+ * relying on real time.
+ */
+export function createMemoryRateLimiter(
+  now: () => number = () => Math.floor(Date.now() / 1000),
+): RateLimiter {
+  const buckets = new Map<string, Bucket>();
+
+  function sweep(nowSec: number) {
+    if (buckets.size < SWEEP_THRESHOLD) return;
+    // Drop entries whose window is older than 2 windows in the past. We
+    // use the bucket's stored windowSize via the difference between prev
+    // hits existing and the current time; since the sweep runs rarely we
+    // simply drop anything with windowStart < nowSec - 2 * largestWindow.
+    // In practice callers use a single window size; we approximate by
+    // dropping anything more than 10 minutes stale, which is generous.
+    const cutoff = nowSec - 600;
+    for (const [key, bucket] of buckets) {
+      if (bucket.windowStart < cutoff) buckets.delete(key);
+    }
+  }
+
+  return {
+    async check(
+      key: string,
+      opts: RateLimitCheckOptions,
+    ): Promise<RateLimitResult> {
+      const { limit, windowSec } = opts;
+      const nowSec = now();
+      const currentWindow = Math.floor(nowSec / windowSec) * windowSec;
+
+      let bucket = buckets.get(key);
+      if (!bucket) {
+        bucket = { windowStart: currentWindow, count: 0, prevCount: 0 };
+        buckets.set(key, bucket);
+      } else if (bucket.windowStart !== currentWindow) {
+        // Roll forward: if exactly one window ago, preserve prev count for
+        // the weighted estimate; otherwise treat the gap as cold-start.
+        if (bucket.windowStart === currentWindow - windowSec) {
+          bucket.prevCount = bucket.count;
+        } else {
+          bucket.prevCount = 0;
+        }
+        bucket.count = 0;
+        bucket.windowStart = currentWindow;
+      }
+
+      const elapsed = nowSec - currentWindow;
+      const prevWeight = 1 - elapsed / windowSec;
+      const estimate = bucket.prevCount * prevWeight + bucket.count;
+
+      if (estimate >= limit) {
+        // Suggest waiting until the current window ends. This is
+        // deliberately coarse; a more precise retry-after would require
+        // computing when the weighted estimate drops back under the
+        // limit, which is more complexity than this DoS-mitigation
+        // feature warrants.
+        const retryAfterSec = Math.max(1, windowSec - elapsed);
+        return { ok: false, retryAfterSec };
+      }
+
+      bucket.count += 1;
+      sweep(nowSec);
+      return { ok: true };
+    },
+  };
+}

package/src/lib/rate-limit.ts

@@ -0,0 +1,63 @@
+/**
+ * Rate Limiting Abstraction
+ *
+ * Shared interface for per-key rate limiting. Runtimes provide their own
+ * implementation: Cloudflare Workers uses a D1-backed sliding-window table
+ * (ephemeral isolates can't hold memory state), while Node uses an
+ * in-process Map (the process is persistent and avoids DB round-trips).
+ *
+ * Consumers depend only on this interface; they are runtime-agnostic.
+ */
+
+import type { Context } from "hono";
+
+export interface RateLimitCheckOptions {
+  /** Max requests allowed within `windowSec`. */
+  limit: number;
+  /** Sliding window size in seconds. */
+  windowSec: number;
+}
+
+export interface RateLimitResult {
+  /** True when the request is under the limit (already counted). */
+  ok: boolean;
+  /**
+   * When `ok` is false, suggested seconds the client should wait before
+   * retrying. Implementations may return the full window as a safe default.
+   */
+  retryAfterSec?: number;
+}
+
+export interface RateLimiter {
+  /**
+   * Records a hit against `key` and reports whether the request is under
+   * the configured limit. Implementations must be race-safe enough that
+   * concurrent callers cannot durably exceed the limit.
+   */
+  check(key: string, opts: RateLimitCheckOptions): Promise<RateLimitResult>;
+}
+
+/**
+ * Extracts the client IP from a Hono request context.
+ *
+ * On Cloudflare Workers, `cf-connecting-ip` is set by the edge and is
+ * authoritative. On Node deployments we fall back to the leftmost
+ * `x-forwarded-for` entry, which is the conventional client IP when the
+ * app sits behind a single trusted proxy. When neither header is
+ * available we return `"unknown"` so all such requests share a bucket —
+ * preferable to skipping the rate limit entirely.
+ *
+ * Note: this helper does not verify proxy trust. It is used for DoS
+ * protection, not authentication. If header-forgery resistance becomes
+ * important, gate the `x-forwarded-for` branch on `shouldTrustProxy`.
+ */
+export function getClientIp(c: Context): string {
+  const cf = c.req.header("cf-connecting-ip");
+  if (cf) return cf;
+  const fwd = c.req.header("x-forwarded-for");
+  if (fwd) {
+    const first = fwd.split(",")[0]?.trim();
+    if (first) return first;
+  }
+  return "unknown";
+}

package/src/lib/render.tsx

@@ -24,6 +24,13 @@ export interface RenderPublicPageOptions {
   appleTouchHref?: string;
   /** Optional explicit social image href */
   socialImageUrl?: string;
+  /**
+   * Absolute canonical URL for this page. Forwarded to `BaseLayout` and
+   * rendered as `<link rel="canonical">`. Only set when the page has a
+   * different canonical location (e.g. thread reply pages point back to the
+   * thread root).
+   */
+  canonicalHref?: string;
   /** Navigation data (from getNavigationData) */
   navData: NavigationData;
   /** Page content JSX to render inside SiteLayout */
@@ -66,6 +73,7 @@ export function renderPublicPage(c: Context, options: RenderPublicPageOptions) {
     faviconHref,
     appleTouchHref,
     socialImageUrl,
+    canonicalHref,
     navData,
     content,
     sidebar,
@@ -116,6 +124,7 @@ export function renderPublicPage(c: Context, options: RenderPublicPageOptions) {
       faviconHref={faviconHref}
       appleTouchHref={appleTouchHref}
       socialImageUrl={socialImageUrl}
+      canonicalHref={canonicalHref}
       faviconUrl={faviconUrl}
       faviconVersion={faviconVersion}
       noindex={noindex}

package/src/lib/resolve-config.ts

@@ -228,6 +228,15 @@ export function resolveConfig(
     siteAvatarUrl,
     faviconVersion: allSettings["SITE_FAVICON_VERSION"] ?? "",
 
+    // Rate limiting (ENV only). Defaults are conservative enough for a
+    // human typing in the search UI but reject bot floods.
+    rateLimit: {
+      disabled: getEnvString(env, "RATE_LIMIT_DISABLED") === "true",
+      searchPerMinute:
+        parseInt(getEnvString(env, "RATE_LIMIT_SEARCH_PER_MIN") ?? "30", 10) ||
+        30,
+    },
+
     // Settings form placeholders (ENV > Default, without DB)
     fallbacks: {
       siteName: resolveFallback("SITE_NAME", env),

package/src/lib/summary.ts

@@ -93,15 +93,25 @@ const SEARCHABLE_TYPES = new Set([
  * matching.
  *
  * @param bodyJson - TipTap JSON string (the `body` column)
+ * @param options.includeLinkHrefs
+ *   When `true`, URLs from inline link marks are appended after the link text
+ *   so they get indexed for search. Default `false` keeps the output clean for
+ *   plain-text consumers like `toPlainText`/`extractTitle`.
  * @returns Plain text for FTS indexing, or null if parsing fails or doc is empty
  *
  * @example
  * ```ts
  * const text = extractBodyText(body);
  * // "Hello world Some code here"
+ *
+ * const indexed = extractBodyText(body, { includeLinkHrefs: true });
+ * // "See this page https://example.com"
  * ```
  */
-export function extractBodyText(bodyJson: string): string | null {
+export function extractBodyText(
+  bodyJson: string,
+  options: { includeLinkHrefs?: boolean } = {},
+): string | null {
   let doc: TiptapNode;
   try {
     doc = JSON.parse(bodyJson) as TiptapNode;
@@ -111,9 +121,23 @@ export function extractBodyText(bodyJson: string): string | null {
 
   if (doc.type !== "doc" || !doc.content) return null;
 
+  const includeLinkHrefs = options.includeLinkHrefs === true;
+
   function collectText(node: TiptapNode): string {
     if (!SEARCHABLE_TYPES.has(node.type)) return "";
-    if (node.type === "text") return node.text ?? "";
+    if (node.type === "text") {
+      const text = node.text ?? "";
+      if (!includeLinkHrefs || !node.marks || node.marks.length === 0) {
+        return text;
+      }
+      const hrefs: string[] = [];
+      for (const mark of node.marks) {
+        if (mark.type !== "link") continue;
+        const href = mark.attrs?.href;
+        if (typeof href === "string" && href.trim()) hrefs.push(href);
+      }
+      return hrefs.length > 0 ? `${text} ${hrefs.join(" ")}` : text;
+    }
     if (node.type === "hardBreak") return " ";
     if (!node.content) return "";
     return node.content.map(collectText).join(" ");
@@ -190,19 +214,22 @@ export function extractSummary(
  * @param bodyJson - Tiptap JSON string
  * @param maxBlocks - Maximum number of top-level blocks to include
  * @param maxChars - Maximum total plain-text character count
- * @returns HTML summary and whether content was truncated, or null
+ * @returns HTML summary, whether content was truncated, and the index in
+ *   `doc.content` where the content after the summary boundary begins, or null.
+ *   `breakAtIndex` lets callers align the summary with the full-body rendering
+ *   when splitting at the "read more" boundary (e.g. to insert an anchor).
  *
  * @example
  * ```ts
  * const result = extractSummaryHtml(body, 5, 500);
- * // { html: "<ul><li><p>Item</p></li></ul>", hasMore: true }
+ * // { html: "<ul><li><p>Item</p></li></ul>", hasMore: true, breakAtIndex: 1 }
  * ```
  */
 export function extractSummaryHtml(
   bodyJson: string,
   maxBlocks: number = 5,
   maxChars: number = 500,
-): { html: string; hasMore: boolean } | null {
+): { html: string; hasMore: boolean; breakAtIndex: number } | null {
   let doc: TiptapNode;
   try {
     doc = JSON.parse(bodyJson) as TiptapNode;
@@ -231,15 +258,21 @@ export function extractSummaryHtml(
     return {
       html: renderTiptapDocument(subDoc),
       hasMore: true,
+      // Anchor goes in place of the moreBreak marker, so the marker itself
+      // is NOT part of the pre-anchor body. It remains in the post-anchor
+      // body as an inert HTML comment.
+      breakAtIndex: moreBreakIdx,
     };
   }
 
   // No moreBreak — accumulate blocks up to limits
   const selected: TiptapNode[] = [];
   let totalChars = 0;
+  let lastSelectedIdx = -1;
 
-  for (const node of nodes) {
-    if (!SUMMARY_BLOCK_TYPES.has(node.type)) continue;
+  for (let i = 0; i < nodes.length; i++) {
+    const node = nodes[i];
+    if (!node || !SUMMARY_BLOCK_TYPES.has(node.type)) continue;
 
     const text = extractPlainText(node).trim();
     if (
@@ -250,6 +283,7 @@ export function extractSummaryHtml(
 
     selected.push(node);
     totalChars += text.length;
+    lastSelectedIdx = i;
   }
 
   if (selected.length === 0) return null;
@@ -261,5 +295,6 @@ export function extractSummaryHtml(
   return {
     html: renderTiptapDocument(subDoc),
     hasMore: selected.length < totalContentNodes,
+    breakAtIndex: lastSelectedIdx + 1,
   };
 }

package/src/lib/url.ts

@@ -303,6 +303,40 @@ export function toPublicHref(href: string, sitePathPrefix = ""): string {
   return toPublicPath(href, sitePathPrefix);
 }
 
+/**
+ * Check whether a path is a safe same-origin redirect target.
+ *
+ * Accepts only paths that start with a single `/` (no protocol-relative
+ * `//host`, no scheme, no control characters). Callers should use this to
+ * validate user-supplied `redirect` query parameters before issuing a
+ * `Location` header.
+ *
+ * @param path - Candidate redirect path
+ * @returns `true` when the path is safe to use as an internal redirect
+ *
+ * @example
+ * ```ts
+ * isSafeInternalRedirect("/settings") // true
+ * isSafeInternalRedirect("//evil.example") // false
+ * isSafeInternalRedirect("https://evil.example") // false
+ * ```
+ */
+export function isSafeInternalRedirect(
+  path: string | null | undefined,
+): path is string {
+  if (typeof path !== "string") return false;
+  if (!path.startsWith("/")) return false;
+  if (path.startsWith("//")) return false;
+  // Disallow backslash-prefixed paths (some browsers treat `/\host` as
+  // protocol-relative) and control characters that could smuggle headers.
+  if (path.startsWith("/\\")) return false;
+  for (let i = 0; i < path.length; i += 1) {
+    const code = path.charCodeAt(i);
+    if (code < 0x20 || code === 0x7f) return false;
+  }
+  return true;
+}
+
 /**
  * Remove the site path prefix from a public request pathname.
  *

package/src/lib/view.ts

@@ -35,7 +35,8 @@ import {
 } from "./time.js";
 import { getCollectionPagePath } from "./collection-paths.js";
 import { getMediaUrl, getImageUrl, getPublicUrlForProvider } from "./image.js";
-import { extractSummaryHtml } from "./summary.js";
+import { extractSummaryHtml, extractBodyText } from "./summary.js";
+import { renderTiptapDocument } from "./tiptap-render.js";
 import { highlightText } from "./search-snippet.js";
 import { toPublicPath } from "./url.js";
 
@@ -159,8 +160,17 @@ function getPlainSummary(post: PostWithMedia): string | undefined {
     return normalizePreviewText(post.quoteText);
   }
 
+  // `post.bodyText` is written with `includeLinkHrefs: true` for FTS search
+  // indexing, so it's polluted with trailing link URLs. For human-facing
+  // preview text, prefer a clean re-derivation from the source TipTap JSON.
+  // Fall back to `post.bodyText` when the body isn't valid JSON (legacy rows
+  // or fixtures); that path predates link-href injection and carries no
+  // pollution risk.
+  const cleanBody = post.body ? extractBodyText(post.body) : null;
+
   return (
     normalizePreviewText(post.summary) ||
+    normalizePreviewText(cleanBody) ||
     normalizePreviewText(post.bodyText) ||
     getLegacyBodyPreview(post) ||
     normalizePreviewText(post.url)
@@ -216,14 +226,38 @@ export function toPostView(
       summaryHasMore = result.hasMore;
 
       // Inject #continue anchor at the excerpt boundary for scroll targeting.
-      // Both summaryHtml and bodyHtml are rendered by the same renderTiptapJson,
-      // so the excerpt HTML is a prefix of bodyHtml.
+      // The summary HTML is NOT a byte-prefix of bodyHtml — structural nodes
+      // like `horizontalRule` and `moreBreak` appear in bodyHtml but are
+      // excluded from the summary, so slicing bodyHtml by summary.length lands
+      // mid-tag and corrupts the markup. Instead, render the pre-boundary
+      // doc slice and splice the anchor at that exact block boundary.
       if (result.hasMore && post.bodyHtml) {
-        const pos = result.html.length;
-        bodyHtmlWithAnchor =
-          post.bodyHtml.slice(0, pos) +
-          '<span id="continue"></span>' +
-          post.bodyHtml.slice(pos);
+        try {
+          const doc = JSON.parse(post.body) as {
+            type?: string;
+            content?: unknown[];
+          };
+          if (
+            doc.type === "doc" &&
+            Array.isArray(doc.content) &&
+            result.breakAtIndex > 0 &&
+            result.breakAtIndex <= doc.content.length
+          ) {
+            const beforeHtml = renderTiptapDocument({
+              type: "doc",
+              content: doc.content.slice(0, result.breakAtIndex) as never[],
+            });
+            if (post.bodyHtml.startsWith(beforeHtml)) {
+              bodyHtmlWithAnchor =
+                beforeHtml +
+                '<span id="continue"></span>' +
+                post.bodyHtml.slice(beforeHtml.length);
+            }
+          }
+        } catch {
+          // Fallback: leave bodyHtml untouched if the split can't be computed
+          // safely. Better no anchor than a broken document.
+        }
       }
     }
   }