npm - emdash - Versions diffs - 0.0.0-a → 0.0.1 - Mend

emdash 0.0.0-a → 0.0.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (661) hide show

package/README.md +87 -1
package/dist/adapters-BLMa4JGD.d.mts +106 -0
package/dist/adapters-BLMa4JGD.d.mts.map +1 -0
package/dist/apply-Bjfq_b4-.mjs +1293 -0
package/dist/apply-Bjfq_b4-.mjs.map +1 -0
package/dist/astro/index.d.mts +51 -0
package/dist/astro/index.d.mts.map +1 -0
package/dist/astro/index.mjs +1333 -0
package/dist/astro/index.mjs.map +1 -0
package/dist/astro/middleware/auth.d.mts +31 -0
package/dist/astro/middleware/auth.d.mts.map +1 -0
package/dist/astro/middleware/auth.mjs +654 -0
package/dist/astro/middleware/auth.mjs.map +1 -0
package/dist/astro/middleware/redirect.d.mts +22 -0
package/dist/astro/middleware/redirect.d.mts.map +1 -0
package/dist/astro/middleware/redirect.mjs +63 -0
package/dist/astro/middleware/redirect.mjs.map +1 -0
package/dist/astro/middleware/request-context.d.mts +18 -0
package/dist/astro/middleware/request-context.d.mts.map +1 -0
package/dist/astro/middleware/request-context.mjs +1310 -0
package/dist/astro/middleware/request-context.mjs.map +1 -0
package/dist/astro/middleware/setup.d.mts +20 -0
package/dist/astro/middleware/setup.d.mts.map +1 -0
package/dist/astro/middleware/setup.mjs +47 -0
package/dist/astro/middleware/setup.mjs.map +1 -0
package/dist/astro/middleware.d.mts +13 -0
package/dist/astro/middleware.d.mts.map +1 -0
package/dist/astro/middleware.mjs +1613 -0
package/dist/astro/middleware.mjs.map +1 -0
package/dist/astro/types.d.mts +250 -0
package/dist/astro/types.d.mts.map +1 -0
package/dist/astro/types.mjs +1 -0
package/dist/base64-MBPo9ozB.mjs +59 -0
package/dist/base64-MBPo9ozB.mjs.map +1 -0
package/dist/byline-CL847F26.mjs +213 -0
package/dist/byline-CL847F26.mjs.map +1 -0
package/dist/bylines-C2a-2TGt.mjs +136 -0
package/dist/bylines-C2a-2TGt.mjs.map +1 -0
package/dist/chunk-ClPoSABd.mjs +21 -0
package/dist/cli/index.d.mts +1 -0
package/dist/cli/index.mjs +3909 -0
package/dist/cli/index.mjs.map +1 -0
package/dist/client/cf-access.d.mts +60 -0
package/dist/client/cf-access.d.mts.map +1 -0
package/dist/client/cf-access.mjs +179 -0
package/dist/client/cf-access.mjs.map +1 -0
package/dist/client/index.d.mts +398 -0
package/dist/client/index.d.mts.map +1 -0
package/dist/client/index.mjs +346 -0
package/dist/client/index.mjs.map +1 -0
package/dist/config-CKE8p9xM.mjs +55 -0
package/dist/config-CKE8p9xM.mjs.map +1 -0
package/dist/connection-B4zVnQIa.mjs +40 -0
package/dist/connection-B4zVnQIa.mjs.map +1 -0
package/dist/content-D6C2WsZC.mjs +824 -0
package/dist/content-D6C2WsZC.mjs.map +1 -0
package/dist/db/index.d.mts +4 -0
package/dist/db/index.mjs +62 -0
package/dist/db/index.mjs.map +1 -0
package/dist/db/libsql.d.mts +11 -0
package/dist/db/libsql.d.mts.map +1 -0
package/dist/db/libsql.mjs +17 -0
package/dist/db/libsql.mjs.map +1 -0
package/dist/db/postgres.d.mts +11 -0
package/dist/db/postgres.d.mts.map +1 -0
package/dist/db/postgres.mjs +30 -0
package/dist/db/postgres.mjs.map +1 -0
package/dist/db/sqlite.d.mts +11 -0
package/dist/db/sqlite.d.mts.map +1 -0
package/dist/db/sqlite.mjs +16 -0
package/dist/db/sqlite.mjs.map +1 -0
package/dist/default-Cyi4aAxu.mjs +81 -0
package/dist/default-Cyi4aAxu.mjs.map +1 -0
package/dist/dialect-helpers-B9uSp2GJ.mjs +90 -0
package/dist/dialect-helpers-B9uSp2GJ.mjs.map +1 -0
package/dist/error-Cxz0tQeO.mjs +27 -0
package/dist/error-Cxz0tQeO.mjs.map +1 -0
package/dist/index-C1xF3OGh.d.mts +4527 -0
package/dist/index-C1xF3OGh.d.mts.map +1 -0
package/dist/index.d.mts +16 -0
package/dist/index.mjs +30 -0
package/dist/load-yOOlckBj.mjs +28 -0
package/dist/load-yOOlckBj.mjs.map +1 -0
package/dist/loader-fz8Q_3EO.mjs +447 -0
package/dist/loader-fz8Q_3EO.mjs.map +1 -0
package/dist/manifest-schema-Dcl0R6nM.mjs +184 -0
package/dist/manifest-schema-Dcl0R6nM.mjs.map +1 -0
package/dist/media/index.d.mts +26 -0
package/dist/media/index.d.mts.map +1 -0
package/dist/media/index.mjs +55 -0
package/dist/media/index.mjs.map +1 -0
package/dist/media/local-runtime.d.mts +39 -0
package/dist/media/local-runtime.d.mts.map +1 -0
package/dist/media/local-runtime.mjs +133 -0
package/dist/media/local-runtime.mjs.map +1 -0
package/dist/media-DqHVh136.mjs +200 -0
package/dist/media-DqHVh136.mjs.map +1 -0
package/dist/mode-C2EzN1uE.mjs +23 -0
package/dist/mode-C2EzN1uE.mjs.map +1 -0
package/dist/page/index.d.mts +140 -0
package/dist/page/index.d.mts.map +1 -0
package/dist/page/index.mjs +416 -0
package/dist/page/index.mjs.map +1 -0
package/dist/placeholder-CmGAmqeO.d.mts +276 -0
package/dist/placeholder-CmGAmqeO.d.mts.map +1 -0
package/dist/placeholder-SmpOx-_v.mjs +243 -0
package/dist/placeholder-SmpOx-_v.mjs.map +1 -0
package/dist/plugin-utils.d.mts +58 -0
package/dist/plugin-utils.d.mts.map +1 -0
package/dist/plugin-utils.mjs +78 -0
package/dist/plugin-utils.mjs.map +1 -0
package/dist/plugins/adapt-sandbox-entry.d.mts +22 -0
package/dist/plugins/adapt-sandbox-entry.d.mts.map +1 -0
package/dist/plugins/adapt-sandbox-entry.mjs +113 -0
package/dist/plugins/adapt-sandbox-entry.mjs.map +1 -0
package/dist/query-CS_iSj34.mjs +460 -0
package/dist/query-CS_iSj34.mjs.map +1 -0
package/dist/redirect-DIfIni3r.mjs +329 -0
package/dist/redirect-DIfIni3r.mjs.map +1 -0
package/dist/registry-D_w5HW4G.mjs +863 -0
package/dist/registry-D_w5HW4G.mjs.map +1 -0
package/dist/request-context.d.mts +49 -0
package/dist/request-context.d.mts.map +1 -0
package/dist/request-context.mjs +43 -0
package/dist/request-context.mjs.map +1 -0
package/dist/runner-B-u2F2b6.mjs +1412 -0
package/dist/runner-B-u2F2b6.mjs.map +1 -0
package/dist/runner-EAtf0ZIe.d.mts +27 -0
package/dist/runner-EAtf0ZIe.d.mts.map +1 -0
package/dist/runtime.d.mts +26 -0
package/dist/runtime.d.mts.map +1 -0
package/dist/runtime.mjs +42 -0
package/dist/runtime.mjs.map +1 -0
package/dist/search-DG603UrT.mjs +9211 -0
package/dist/search-DG603UrT.mjs.map +1 -0
package/dist/seed/index.d.mts +3 -0
package/dist/seed/index.mjs +15 -0
package/dist/seo/index.d.mts +70 -0
package/dist/seo/index.d.mts.map +1 -0
package/dist/seo/index.mjs +70 -0
package/dist/seo/index.mjs.map +1 -0
package/dist/storage/local.d.mts +39 -0
package/dist/storage/local.d.mts.map +1 -0
package/dist/storage/local.mjs +166 -0
package/dist/storage/local.mjs.map +1 -0
package/dist/storage/s3.d.mts +32 -0
package/dist/storage/s3.d.mts.map +1 -0
package/dist/storage/s3.mjs +175 -0
package/dist/storage/s3.mjs.map +1 -0
package/dist/tokens-DpgrkrXK.mjs +171 -0
package/dist/tokens-DpgrkrXK.mjs.map +1 -0
package/dist/transport-BFGblqwG.d.mts +42 -0
package/dist/transport-BFGblqwG.d.mts.map +1 -0
package/dist/transport-yxiQsi8I.mjs +418 -0
package/dist/transport-yxiQsi8I.mjs.map +1 -0
package/dist/types-BRuPJGdV.d.mts +102 -0
package/dist/types-BRuPJGdV.d.mts.map +1 -0
package/dist/types-C4-fAxN3.d.mts +182 -0
package/dist/types-C4-fAxN3.d.mts.map +1 -0
package/dist/types-CMMN0pNg.mjs +31 -0
package/dist/types-CMMN0pNg.mjs.map +1 -0
package/dist/types-CUBbjgmP.mjs +16 -0
package/dist/types-CUBbjgmP.mjs.map +1 -0
package/dist/types-DRjfYOEv.d.mts +426 -0
package/dist/types-DRjfYOEv.d.mts.map +1 -0
package/dist/types-DY5zk5HN.mjs +73 -0
package/dist/types-DY5zk5HN.mjs.map +1 -0
package/dist/types-DaNLHo_T.d.mts +184 -0
package/dist/types-DaNLHo_T.d.mts.map +1 -0
package/dist/types-DvhsUmSJ.d.mts +1111 -0
package/dist/types-DvhsUmSJ.d.mts.map +1 -0
package/dist/validate-CpBtVMsD.d.mts +378 -0
package/dist/validate-CpBtVMsD.d.mts.map +1 -0
package/dist/validate-CqRJb_xU.mjs +97 -0
package/dist/validate-CqRJb_xU.mjs.map +1 -0
package/dist/validate-O7PWmlnq.mjs +328 -0
package/dist/validate-O7PWmlnq.mjs.map +1 -0
package/locals.d.ts +46 -0
package/package.json +233 -19
package/src/api/authorize.ts +63 -0
package/src/api/csrf.ts +48 -0
package/src/api/error.ts +99 -0
package/src/api/errors.ts +445 -0
package/src/api/escape.ts +9 -0
package/src/api/handlers/api-tokens.ts +240 -0
package/src/api/handlers/comments.ts +314 -0
package/src/api/handlers/content.ts +1315 -0
package/src/api/handlers/dashboard.ts +205 -0
package/src/api/handlers/device-flow.ts +687 -0
package/src/api/handlers/index.ts +163 -0
package/src/api/handlers/manifest.ts +158 -0
package/src/api/handlers/marketplace.ts +930 -0
package/src/api/handlers/media.ts +207 -0
package/src/api/handlers/menus.ts +493 -0
package/src/api/handlers/oauth-authorization.ts +429 -0
package/src/api/handlers/oauth-clients.ts +353 -0
package/src/api/handlers/oauth-user-lookup.ts +39 -0
package/src/api/handlers/plugins.ts +254 -0
package/src/api/handlers/redirects.ts +360 -0
package/src/api/handlers/revision.ts +145 -0
package/src/api/handlers/schema.ts +534 -0
package/src/api/handlers/sections.ts +289 -0
package/src/api/handlers/seo.ts +115 -0
package/src/api/handlers/settings.ts +49 -0
package/src/api/handlers/snapshot.ts +350 -0
package/src/api/handlers/taxonomies.ts +523 -0
package/src/api/index.ts +6 -0
package/src/api/openapi/document.ts +2368 -0
package/src/api/openapi/index.ts +1 -0
package/src/api/parse.ts +139 -0
package/src/api/redirect.ts +14 -0
package/src/api/rev.ts +67 -0
package/src/api/schemas/auth.ts +112 -0
package/src/api/schemas/bylines.ts +85 -0
package/src/api/schemas/comments.ts +117 -0
package/src/api/schemas/common.ts +89 -0
package/src/api/schemas/content.ts +191 -0
package/src/api/schemas/import.ts +52 -0
package/src/api/schemas/index.ts +17 -0
package/src/api/schemas/media.ts +116 -0
package/src/api/schemas/menus.ts +111 -0
package/src/api/schemas/redirects.ts +155 -0
package/src/api/schemas/schema.ts +203 -0
package/src/api/schemas/search.ts +63 -0
package/src/api/schemas/sections.ts +67 -0
package/src/api/schemas/settings.ts +63 -0
package/src/api/schemas/setup.ts +37 -0
package/src/api/schemas/taxonomies.ts +113 -0
package/src/api/schemas/users.ts +96 -0
package/src/api/schemas/widgets.ts +80 -0
package/src/api/site-url.ts +25 -0
package/src/api/types.ts +82 -0
package/src/astro/index.ts +27 -0
package/src/astro/integration/index.ts +303 -0
package/src/astro/integration/routes.ts +834 -0
package/src/astro/integration/runtime.ts +338 -0
package/src/astro/integration/virtual-modules.ts +469 -0
package/src/astro/integration/vite-config.ts +328 -0
package/src/astro/middleware/auth.ts +743 -0
package/src/astro/middleware/redirect.ts +89 -0
package/src/astro/middleware/request-context.ts +129 -0
package/src/astro/middleware/setup.ts +89 -0
package/src/astro/middleware.ts +398 -0
package/src/astro/routes/PluginRegistry.tsx +15 -0
package/src/astro/routes/admin.astro +81 -0
package/src/astro/routes/api/admin/allowed-domains/[domain].ts +112 -0
package/src/astro/routes/api/admin/allowed-domains/index.ts +108 -0
package/src/astro/routes/api/admin/api-tokens/[id].ts +40 -0
package/src/astro/routes/api/admin/api-tokens/index.ts +68 -0
package/src/astro/routes/api/admin/bylines/[id]/index.ts +87 -0
package/src/astro/routes/api/admin/bylines/index.ts +72 -0
package/src/astro/routes/api/admin/comments/[id]/status.ts +120 -0
package/src/astro/routes/api/admin/comments/[id].ts +64 -0
package/src/astro/routes/api/admin/comments/bulk.ts +42 -0
package/src/astro/routes/api/admin/comments/counts.ts +30 -0
package/src/astro/routes/api/admin/comments/index.ts +46 -0
package/src/astro/routes/api/admin/hooks/exclusive/[hookName].ts +91 -0
package/src/astro/routes/api/admin/hooks/exclusive/index.ts +51 -0
package/src/astro/routes/api/admin/oauth-clients/[id].ts +110 -0
package/src/astro/routes/api/admin/oauth-clients/index.ts +71 -0
package/src/astro/routes/api/admin/plugins/[id]/disable.ts +39 -0
package/src/astro/routes/api/admin/plugins/[id]/enable.ts +39 -0
package/src/astro/routes/api/admin/plugins/[id]/index.ts +38 -0
package/src/astro/routes/api/admin/plugins/[id]/uninstall.ts +48 -0
package/src/astro/routes/api/admin/plugins/[id]/update.ts +59 -0
package/src/astro/routes/api/admin/plugins/index.ts +32 -0
package/src/astro/routes/api/admin/plugins/marketplace/[id]/icon.ts +61 -0
package/src/astro/routes/api/admin/plugins/marketplace/[id]/index.ts +33 -0
package/src/astro/routes/api/admin/plugins/marketplace/[id]/install.ts +62 -0
package/src/astro/routes/api/admin/plugins/marketplace/index.ts +38 -0
package/src/astro/routes/api/admin/plugins/updates.ts +28 -0
package/src/astro/routes/api/admin/themes/marketplace/[id]/index.ts +33 -0
package/src/astro/routes/api/admin/themes/marketplace/[id]/thumbnail.ts +61 -0
package/src/astro/routes/api/admin/themes/marketplace/index.ts +45 -0
package/src/astro/routes/api/admin/users/[id]/disable.ts +69 -0
package/src/astro/routes/api/admin/users/[id]/enable.ts +48 -0
package/src/astro/routes/api/admin/users/[id]/index.ts +146 -0
package/src/astro/routes/api/admin/users/[id]/send-recovery.ts +72 -0
package/src/astro/routes/api/admin/users/index.ts +66 -0
package/src/astro/routes/api/auth/dev-bypass.ts +139 -0
package/src/astro/routes/api/auth/invite/accept.ts +52 -0
package/src/astro/routes/api/auth/invite/complete.ts +84 -0
package/src/astro/routes/api/auth/invite/index.ts +99 -0
package/src/astro/routes/api/auth/logout.ts +40 -0
package/src/astro/routes/api/auth/magic-link/send.ts +89 -0
package/src/astro/routes/api/auth/magic-link/verify.ts +71 -0
package/src/astro/routes/api/auth/me.ts +60 -0
package/src/astro/routes/api/auth/oauth/[provider]/callback.ts +219 -0
package/src/astro/routes/api/auth/oauth/[provider].ts +119 -0
package/src/astro/routes/api/auth/passkey/[id].ts +124 -0
package/src/astro/routes/api/auth/passkey/index.ts +54 -0
package/src/astro/routes/api/auth/passkey/options.ts +82 -0
package/src/astro/routes/api/auth/passkey/register/options.ts +86 -0
package/src/astro/routes/api/auth/passkey/register/verify.ts +117 -0
package/src/astro/routes/api/auth/passkey/verify.ts +66 -0
package/src/astro/routes/api/auth/signup/complete.ts +85 -0
package/src/astro/routes/api/auth/signup/request.ts +77 -0
package/src/astro/routes/api/auth/signup/verify.ts +53 -0
package/src/astro/routes/api/comments/[collection]/[contentId]/index.ts +312 -0
package/src/astro/routes/api/content/[collection]/[id]/compare.ts +28 -0
package/src/astro/routes/api/content/[collection]/[id]/discard-draft.ts +54 -0
package/src/astro/routes/api/content/[collection]/[id]/duplicate.ts +61 -0
package/src/astro/routes/api/content/[collection]/[id]/permanent.ts +33 -0
package/src/astro/routes/api/content/[collection]/[id]/preview-url.ts +107 -0
package/src/astro/routes/api/content/[collection]/[id]/publish.ts +56 -0
package/src/astro/routes/api/content/[collection]/[id]/restore.ts +54 -0
package/src/astro/routes/api/content/[collection]/[id]/revisions.ts +31 -0
package/src/astro/routes/api/content/[collection]/[id]/schedule.ts +105 -0
package/src/astro/routes/api/content/[collection]/[id]/terms/[taxonomy].ts +140 -0
package/src/astro/routes/api/content/[collection]/[id]/translations.ts +30 -0
package/src/astro/routes/api/content/[collection]/[id]/unpublish.ts +56 -0
package/src/astro/routes/api/content/[collection]/[id].ts +137 -0
package/src/astro/routes/api/content/[collection]/index.ts +59 -0
package/src/astro/routes/api/content/[collection]/trash.ts +33 -0
package/src/astro/routes/api/dashboard.ts +32 -0
package/src/astro/routes/api/dev/emails.ts +36 -0
package/src/astro/routes/api/import/probe.ts +47 -0
package/src/astro/routes/api/import/wordpress/analyze.ts +510 -0
package/src/astro/routes/api/import/wordpress/execute.ts +283 -0
package/src/astro/routes/api/import/wordpress/media.ts +338 -0
package/src/astro/routes/api/import/wordpress/prepare.ts +181 -0
package/src/astro/routes/api/import/wordpress/rewrite-urls.ts +393 -0
package/src/astro/routes/api/import/wordpress-plugin/analyze.ts +111 -0
package/src/astro/routes/api/import/wordpress-plugin/callback.ts +58 -0
package/src/astro/routes/api/import/wordpress-plugin/execute.ts +347 -0
package/src/astro/routes/api/manifest.ts +62 -0
package/src/astro/routes/api/mcp.ts +124 -0
package/src/astro/routes/api/media/[id]/confirm.ts +93 -0
package/src/astro/routes/api/media/[id].ts +145 -0
package/src/astro/routes/api/media/file/[key].ts +79 -0
package/src/astro/routes/api/media/providers/[providerId]/[itemId].ts +86 -0
package/src/astro/routes/api/media/providers/[providerId]/index.ts +111 -0
package/src/astro/routes/api/media/providers/index.ts +30 -0
package/src/astro/routes/api/media/upload-url.ts +137 -0
package/src/astro/routes/api/media.ts +190 -0
package/src/astro/routes/api/menus/[name]/items.ts +87 -0
package/src/astro/routes/api/menus/[name]/reorder.ts +33 -0
package/src/astro/routes/api/menus/[name].ts +65 -0
package/src/astro/routes/api/menus/index.ts +47 -0
package/src/astro/routes/api/oauth/authorize.ts +412 -0
package/src/astro/routes/api/oauth/device/authorize.ts +45 -0
package/src/astro/routes/api/oauth/device/code.ts +51 -0
package/src/astro/routes/api/oauth/device/token.ts +69 -0
package/src/astro/routes/api/oauth/token/refresh.ts +38 -0
package/src/astro/routes/api/oauth/token/revoke.ts +38 -0
package/src/astro/routes/api/oauth/token.ts +184 -0
package/src/astro/routes/api/openapi.json.ts +32 -0
package/src/astro/routes/api/plugins/[pluginId]/[...path].ts +92 -0
package/src/astro/routes/api/redirects/404s/index.ts +72 -0
package/src/astro/routes/api/redirects/404s/summary.ts +33 -0
package/src/astro/routes/api/redirects/[id].ts +84 -0
package/src/astro/routes/api/redirects/index.ts +52 -0
package/src/astro/routes/api/revisions/[revisionId]/index.ts +29 -0
package/src/astro/routes/api/revisions/[revisionId]/restore.ts +62 -0
package/src/astro/routes/api/schema/collections/[slug]/fields/[fieldSlug].ts +76 -0
package/src/astro/routes/api/schema/collections/[slug]/fields/index.ts +52 -0
package/src/astro/routes/api/schema/collections/[slug]/fields/reorder.ts +32 -0
package/src/astro/routes/api/schema/collections/[slug]/index.ts +80 -0
package/src/astro/routes/api/schema/collections/index.ts +47 -0
package/src/astro/routes/api/schema/index.ts +109 -0
package/src/astro/routes/api/schema/orphans/[slug].ts +36 -0
package/src/astro/routes/api/schema/orphans/index.ts +26 -0
package/src/astro/routes/api/search/enable.ts +64 -0
package/src/astro/routes/api/search/index.ts +55 -0
package/src/astro/routes/api/search/rebuild.ts +72 -0
package/src/astro/routes/api/search/stats.ts +35 -0
package/src/astro/routes/api/search/suggest.ts +53 -0
package/src/astro/routes/api/sections/[slug].ts +84 -0
package/src/astro/routes/api/sections/index.ts +52 -0
package/src/astro/routes/api/settings/email.ts +150 -0
package/src/astro/routes/api/settings.ts +67 -0
package/src/astro/routes/api/setup/admin-verify.ts +100 -0
package/src/astro/routes/api/setup/admin.ts +94 -0
package/src/astro/routes/api/setup/dev-bypass.ts +199 -0
package/src/astro/routes/api/setup/dev-reset.ts +40 -0
package/src/astro/routes/api/setup/index.ts +126 -0
package/src/astro/routes/api/setup/status.ts +122 -0
package/src/astro/routes/api/snapshot.ts +75 -0
package/src/astro/routes/api/taxonomies/[name]/terms/[slug].ts +95 -0
package/src/astro/routes/api/taxonomies/[name]/terms/index.ts +69 -0
package/src/astro/routes/api/taxonomies/index.ts +59 -0
package/src/astro/routes/api/themes/preview.ts +77 -0
package/src/astro/routes/api/typegen.ts +114 -0
package/src/astro/routes/api/well-known/auth.ts +68 -0
package/src/astro/routes/api/well-known/oauth-authorization-server.ts +44 -0
package/src/astro/routes/api/well-known/oauth-protected-resource.ts +37 -0
package/src/astro/routes/api/widget-areas/[name]/reorder.ts +72 -0
package/src/astro/routes/api/widget-areas/[name]/widgets/[id].ts +127 -0
package/src/astro/routes/api/widget-areas/[name]/widgets.ts +80 -0
package/src/astro/routes/api/widget-areas/[name].ts +87 -0
package/src/astro/routes/api/widget-areas/index.ts +99 -0
package/src/astro/routes/api/widget-components.ts +22 -0
package/src/astro/routes/robots.txt.ts +77 -0
package/src/astro/routes/sitemap.xml.ts +97 -0
package/src/astro/storage/adapters.ts +74 -0
package/src/astro/storage/index.ts +19 -0
package/src/astro/storage/types.ts +60 -0
package/src/astro/types.ts +346 -0
package/src/auth/api-tokens.ts +25 -0
package/src/auth/challenge-store.ts +80 -0
package/src/auth/mode.ts +96 -0
package/src/auth/oauth-state-store.ts +96 -0
package/src/auth/passkey-config.ts +27 -0
package/src/auth/rate-limit.ts +158 -0
package/src/auth/scopes.ts +33 -0
package/src/auth/types.ts +104 -0
package/src/aws-sdk.d.ts +100 -0
package/src/bylines/index.ts +237 -0
package/src/cleanup.ts +153 -0
package/src/cli/client-factory.ts +100 -0
package/src/cli/commands/auth.ts +46 -0
package/src/cli/commands/bundle-utils.ts +247 -0
package/src/cli/commands/bundle.ts +609 -0
package/src/cli/commands/content.ts +442 -0
package/src/cli/commands/dev.ts +191 -0
package/src/cli/commands/doctor.ts +211 -0
package/src/cli/commands/export-seed.ts +630 -0
package/src/cli/commands/import/wordpress.ts +1056 -0
package/src/cli/commands/init.ts +192 -0
package/src/cli/commands/login.ts +547 -0
package/src/cli/commands/media.ts +165 -0
package/src/cli/commands/menu.ts +67 -0
package/src/cli/commands/plugin-init.ts +291 -0
package/src/cli/commands/plugin-validate.ts +31 -0
package/src/cli/commands/plugin.ts +33 -0
package/src/cli/commands/publish.ts +699 -0
package/src/cli/commands/schema.ts +233 -0
package/src/cli/commands/search-cmd.ts +54 -0
package/src/cli/commands/seed.ts +288 -0
package/src/cli/commands/taxonomy.ts +128 -0
package/src/cli/commands/types.ts +68 -0
package/src/cli/credentials.ts +236 -0
package/src/cli/index.ts +70 -0
package/src/cli/output.ts +75 -0
package/src/cli/wxr/parser.ts +969 -0
package/src/client/cf-access.ts +193 -0
package/src/client/index.ts +854 -0
package/src/client/portable-text.ts +413 -0
package/src/client/transport.ts +200 -0
package/src/comments/moderator.ts +46 -0
package/src/comments/notifications.ts +144 -0
package/src/comments/query.ts +105 -0
package/src/comments/service.ts +213 -0
package/src/components/Break.astro +45 -0
package/src/components/Button.astro +71 -0
package/src/components/Buttons.astro +49 -0
package/src/components/Code.astro +59 -0
package/src/components/Columns.astro +59 -0
package/src/components/CommentForm.astro +315 -0
package/src/components/Comments.astro +232 -0
package/src/components/Cover.astro +128 -0
package/src/components/EmDashBodyEnd.astro +32 -0
package/src/components/EmDashBodyStart.astro +32 -0
package/src/components/EmDashHead.astro +53 -0
package/src/components/EmDashImage.astro +178 -0
package/src/components/EmDashMedia.astro +167 -0
package/src/components/Embed.astro +128 -0
package/src/components/File.astro +122 -0
package/src/components/Gallery.astro +93 -0
package/src/components/HtmlBlock.astro +33 -0
package/src/components/Image.astro +178 -0
package/src/components/InlineEditor.astro +27 -0
package/src/components/InlinePortableTextEditor.tsx +1905 -0
package/src/components/LiveSearch.astro +614 -0
package/src/components/PortableText.astro +51 -0
package/src/components/Pullquote.astro +51 -0
package/src/components/Table.astro +108 -0
package/src/components/WidgetArea.astro +22 -0
package/src/components/WidgetRenderer.astro +72 -0
package/src/components/index.ts +116 -0
package/src/components/marks/Link.astro +31 -0
package/src/components/marks/StrikeThrough.astro +7 -0
package/src/components/marks/Subscript.astro +7 -0
package/src/components/marks/Superscript.astro +7 -0
package/src/components/marks/Underline.astro +7 -0
package/src/components/widgets/Archives.astro +65 -0
package/src/components/widgets/Categories.astro +35 -0
package/src/components/widgets/RecentPosts.astro +51 -0
package/src/components/widgets/Search.astro +18 -0
package/src/components/widgets/Tags.astro +38 -0
package/src/content/converters/index.ts +9 -0
package/src/content/converters/portable-text-to-prosemirror.ts +385 -0
package/src/content/converters/prosemirror-to-portable-text.ts +413 -0
package/src/content/converters/types.ts +120 -0
package/src/content/index.ts +5 -0
package/src/database/connection.ts +67 -0
package/src/database/dialect-helpers.ts +138 -0
package/src/database/index.ts +5 -0
package/src/database/migrations/001_initial.ts +136 -0
package/src/database/migrations/002_media_status.ts +26 -0
package/src/database/migrations/003_schema_registry.ts +79 -0
package/src/database/migrations/004_plugins.ts +62 -0
package/src/database/migrations/005_menus.ts +67 -0
package/src/database/migrations/006_taxonomy_defs.ts +51 -0
package/src/database/migrations/007_widgets.ts +42 -0
package/src/database/migrations/008_auth.ts +194 -0
package/src/database/migrations/009_user_disabled.ts +27 -0
package/src/database/migrations/011_sections.ts +65 -0
package/src/database/migrations/012_search.ts +25 -0
package/src/database/migrations/013_scheduled_publishing.ts +51 -0
package/src/database/migrations/014_draft_revisions.ts +72 -0
package/src/database/migrations/015_indexes.ts +82 -0
package/src/database/migrations/016_api_tokens.ts +89 -0
package/src/database/migrations/017_authorization_codes.ts +45 -0
package/src/database/migrations/018_seo.ts +56 -0
package/src/database/migrations/019_i18n.ts +618 -0
package/src/database/migrations/020_collection_url_pattern.ts +23 -0
package/src/database/migrations/021_remove_section_categories.ts +43 -0
package/src/database/migrations/022_marketplace_plugin_state.ts +46 -0
package/src/database/migrations/023_plugin_metadata.ts +33 -0
package/src/database/migrations/024_media_placeholders.ts +32 -0
package/src/database/migrations/025_oauth_clients.ts +28 -0
package/src/database/migrations/026_cron_tasks.ts +49 -0
package/src/database/migrations/027_comments.ts +87 -0
package/src/database/migrations/028_drop_author_url.ts +9 -0
package/src/database/migrations/029_redirects.ts +67 -0
package/src/database/migrations/030_widen_scheduled_index.ts +48 -0
package/src/database/migrations/031_bylines.ts +90 -0
package/src/database/migrations/032_rate_limits.ts +42 -0
package/src/database/migrations/runner.ts +170 -0
package/src/database/repositories/audit.ts +294 -0
package/src/database/repositories/byline.ts +387 -0
package/src/database/repositories/comment.ts +458 -0
package/src/database/repositories/content.ts +1144 -0
package/src/database/repositories/index.ts +30 -0
package/src/database/repositories/media.ts +347 -0
package/src/database/repositories/options.ts +150 -0
package/src/database/repositories/plugin-storage.ts +373 -0
package/src/database/repositories/redirect.ts +480 -0
package/src/database/repositories/revision.ts +200 -0
package/src/database/repositories/seo.ts +176 -0
package/src/database/repositories/taxonomy.ts +294 -0
package/src/database/repositories/types.ts +132 -0
package/src/database/repositories/user.ts +258 -0
package/src/database/transaction.ts +54 -0
package/src/database/types.ts +501 -0
package/src/database/validate.ts +138 -0
package/src/db/adapters.ts +125 -0
package/src/db/index.ts +37 -0
package/src/db/libsql.ts +23 -0
package/src/db/postgres.ts +30 -0
package/src/db/sqlite.ts +27 -0
package/src/emdash-runtime.ts +2096 -0
package/src/fields/boolean.ts +34 -0
package/src/fields/datetime.ts +44 -0
package/src/fields/file.ts +41 -0
package/src/fields/image.ts +34 -0
package/src/fields/index.ts +42 -0
package/src/fields/integer.ts +50 -0
package/src/fields/json.ts +37 -0
package/src/fields/multiselect.ts +48 -0
package/src/fields/number.ts +52 -0
package/src/fields/portable-text.ts +33 -0
package/src/fields/reference.ts +29 -0
package/src/fields/richtext.ts +31 -0
package/src/fields/select.ts +46 -0
package/src/fields/slug.ts +38 -0
package/src/fields/text.ts +55 -0
package/src/fields/textarea.ts +52 -0
package/src/fields/types.ts +64 -0
package/src/i18n/config.ts +68 -0
package/src/import/index.ts +90 -0
package/src/import/menus.ts +436 -0
package/src/import/registry.ts +111 -0
package/src/import/sections.ts +103 -0
package/src/import/settings.ts +281 -0
package/src/import/sources/wordpress-plugin.ts +641 -0
package/src/import/sources/wordpress-rest.ts +191 -0
package/src/import/sources/wxr.ts +330 -0
package/src/import/ssrf.ts +260 -0
package/src/import/types.ts +418 -0
package/src/import/utils.ts +412 -0
package/src/index.ts +481 -0
package/src/loader.ts +770 -0
package/src/mcp/server.ts +1463 -0
package/src/media/index.ts +32 -0
package/src/media/local-runtime.ts +213 -0
package/src/media/local.ts +46 -0
package/src/media/normalize.ts +190 -0
package/src/media/placeholder.ts +150 -0
package/src/media/provider-loader.ts +78 -0
package/src/media/types.ts +279 -0
package/src/menus/index.ts +324 -0
package/src/menus/types.ts +112 -0
package/src/page/context.ts +93 -0
package/src/page/fragments.ts +89 -0
package/src/page/index.ts +58 -0
package/src/page/jsonld.ts +94 -0
package/src/page/metadata.ts +185 -0
package/src/page/seo-contributions.ts +136 -0
package/src/plugin-utils.ts +80 -0
package/src/plugins/adapt-sandbox-entry.ts +207 -0
package/src/plugins/context.ts +833 -0
package/src/plugins/cron.ts +361 -0
package/src/plugins/define-plugin.ts +259 -0
package/src/plugins/email-console.ts +73 -0
package/src/plugins/email.ts +209 -0
package/src/plugins/hooks.ts +1273 -0
package/src/plugins/index.ts +193 -0
package/src/plugins/manager.ts +595 -0
package/src/plugins/manifest-schema.ts +230 -0
package/src/plugins/marketplace.ts +460 -0
package/src/plugins/request-meta.ts +139 -0
package/src/plugins/routes.ts +302 -0
package/src/plugins/sandbox/index.ts +18 -0
package/src/plugins/sandbox/noop.ts +76 -0
package/src/plugins/sandbox/types.ts +173 -0
package/src/plugins/scheduler/node.ts +122 -0
package/src/plugins/scheduler/piggyback.ts +71 -0
package/src/plugins/scheduler/types.ts +27 -0
package/src/plugins/state.ts +208 -0
package/src/plugins/storage-indexes.ts +326 -0
package/src/plugins/storage-query.ts +240 -0
package/src/plugins/types.ts +1284 -0
package/src/preview/helpers.ts +27 -0
package/src/preview/index.ts +40 -0
package/src/preview/tokens.ts +279 -0
package/src/preview/urls.ts +118 -0
package/src/query.ts +674 -0
package/src/redirects/patterns.ts +224 -0
package/src/request-context.ts +67 -0
package/src/runtime.ts +21 -0
package/src/schema/index.ts +29 -0
package/src/schema/query.ts +44 -0
package/src/schema/registry.ts +965 -0
package/src/schema/types.ts +276 -0
package/src/schema/zod-generator.ts +413 -0
package/src/search/fts-manager.ts +452 -0
package/src/search/index.ts +26 -0
package/src/search/query.ts +396 -0
package/src/search/text-extraction.ts +162 -0
package/src/search/types.ts +114 -0
package/src/sections/index.ts +226 -0
package/src/sections/types.ts +86 -0
package/src/seed/apply.ts +1141 -0
package/src/seed/default.ts +86 -0
package/src/seed/index.ts +28 -0
package/src/seed/load.ts +35 -0
package/src/seed/types.ts +341 -0
package/src/seed/validate.ts +642 -0
package/src/seo/index.ts +179 -0
package/src/settings/index.ts +203 -0
package/src/settings/types.ts +58 -0
package/src/storage/index.ts +28 -0
package/src/storage/local.ts +253 -0
package/src/storage/s3.ts +271 -0
package/src/storage/types.ts +204 -0
package/src/taxonomies/index.ts +309 -0
package/src/taxonomies/types.ts +61 -0
package/src/ui.ts +75 -0
package/src/utils/base64.ts +73 -0
package/src/utils/hash.ts +36 -0
package/src/utils/sanitize.ts +20 -0
package/src/utils/slugify.ts +29 -0
package/src/utils/url.ts +48 -0
package/src/virtual-modules.d.ts +111 -0
package/src/visual-editing/editable.ts +108 -0
package/src/visual-editing/toolbar.ts +1229 -0
package/src/widgets/components.ts +105 -0
package/src/widgets/index.ts +131 -0
package/src/widgets/types.ts +81 -0

package/dist/astro/middleware/auth.mjs ADDED Viewed

@@ -0,0 +1,654 @@
+import { t as apiError } from "../../error-Cxz0tQeO.mjs";
+import { t as getAuthMode } from "../../mode-C2EzN1uE.mjs";
+import { ulid } from "ulidx";
+import { defineMiddleware } from "astro:middleware";
+import { createKyselyAdapter } from "@emdash-cms/auth/adapters/kysely";
+import { authenticate } from "virtual:emdash/auth";
+import { hasScope, hashPrefixedToken as hashApiToken } from "@emdash-cms/auth";
+//#region src/api/csrf.ts
+/**
+* CSRF protection utilities.
+*
+* Two mechanisms:
+* 1. Custom header check (X-EmDash-Request: 1) — used for authenticated API routes.
+*    Browsers block cross-origin custom headers, so presence proves same-origin.
+* 2. Origin check — used for public API routes that skip auth. Compares the Origin
+*    header against the request origin. Same approach as Astro's `checkOrigin`.
+*/
+/**
+* Origin-based CSRF check for public API routes that skip auth.
+*
+* State-changing requests (POST/PUT/DELETE) to public endpoints must either:
+*   1. Include the X-EmDash-Request: 1 header (custom header blocked cross-origin), OR
+*   2. Have an Origin header matching the request origin
+*
+* This prevents cross-origin form submissions (which can't set custom headers)
+* and cross-origin fetch (blocked by CORS unless allowed). Same-origin requests
+* always include a matching Origin header.
+*
+* Returns a 403 Response if the check fails, or null if allowed.
+*/
+function checkPublicCsrf(request, url) {
+	if (request.headers.get("X-EmDash-Request") === "1") return null;
+	const origin = request.headers.get("Origin");
+	if (origin) {
+		try {
+			if (new URL(origin).origin === url.origin) return null;
+		} catch {}
+		return apiError("CSRF_REJECTED", "Cross-origin request blocked", 403);
+	}
+	return null;
+}
+//#endregion
+//#region src/api/handlers/api-tokens.ts
+/**
+* Resolve a raw API token (ec_pat_...) to a user ID and scopes.
+* Updates last_used_at on successful lookup.
+* Returns null if the token is invalid or expired.
+*/
+async function resolveApiToken(db, rawToken) {
+	const hash = hashApiToken(rawToken);
+	const row = await db.selectFrom("_emdash_api_tokens").select([
+		"id",
+		"user_id",
+		"scopes",
+		"expires_at"
+	]).where("token_hash", "=", hash).executeTakeFirst();
+	if (!row) return null;
+	if (row.expires_at && new Date(row.expires_at) < /* @__PURE__ */ new Date()) return null;
+	db.updateTable("_emdash_api_tokens").set({ last_used_at: (/* @__PURE__ */ new Date()).toISOString() }).where("id", "=", row.id).execute().catch(() => {});
+	return {
+		userId: row.user_id,
+		scopes: JSON.parse(row.scopes)
+	};
+}
+/**
+* Resolve an OAuth access token (ec_oat_...) to a user ID and scopes.
+* Returns null if the token is invalid or expired.
+*/
+async function resolveOAuthToken(db, rawToken) {
+	const hash = hashApiToken(rawToken);
+	const row = await db.selectFrom("_emdash_oauth_tokens").select([
+		"user_id",
+		"scopes",
+		"expires_at",
+		"token_type"
+	]).where("token_hash", "=", hash).where("token_type", "=", "access").executeTakeFirst();
+	if (!row) return null;
+	if (new Date(row.expires_at) < /* @__PURE__ */ new Date()) return null;
+	return {
+		userId: row.user_id,
+		scopes: JSON.parse(row.scopes)
+	};
+}
+//#endregion
+//#region src/astro/middleware/auth.ts
+/** Cache headers for middleware error responses (matches API_CACHE_HEADERS in api/error.ts) */
+const MW_CACHE_HEADERS = { "Cache-Control": "private, no-store" };
+const ROLE_ADMIN = 50;
+/**
+* Strict Content-Security-Policy for /_emdash routes (admin + API).
+*
+* Applied via middleware header rather than Astro's built-in CSP because
+* Astro's auto-hashing defeats 'unsafe-inline' (CSP3 ignores 'unsafe-inline'
+* when hashes are present), which would break user-facing pages.
+*/
+function buildEmDashCsp(marketplaceUrl) {
+	const imgSources = [
+		"'self'",
+		"data:",
+		"blob:"
+	];
+	if (marketplaceUrl) try {
+		imgSources.push(new URL(marketplaceUrl).origin);
+	} catch {}
+	return [
+		"default-src 'self'",
+		"script-src 'self' 'unsafe-inline'",
+		"style-src 'self' 'unsafe-inline'",
+		"connect-src 'self'",
+		"form-action 'self'",
+		"frame-ancestors 'none'",
+		`img-src ${imgSources.join(" ")}`,
+		"object-src 'none'",
+		"base-uri 'self'"
+	].join("; ");
+}
+/**
+* API routes that skip auth — each handles its own access control.
+*
+* Prefix entries match any path starting with that prefix.
+* Exact entries (no trailing slash or wildcard) match that path only.
+*/
+const PUBLIC_API_PREFIXES = [
+	"/_emdash/api/setup",
+	"/_emdash/api/auth/login",
+	"/_emdash/api/auth/register",
+	"/_emdash/api/auth/dev-bypass",
+	"/_emdash/api/auth/signup/",
+	"/_emdash/api/auth/magic-link/",
+	"/_emdash/api/auth/invite/accept",
+	"/_emdash/api/auth/invite/complete",
+	"/_emdash/api/auth/oauth/",
+	"/_emdash/api/oauth/device/token",
+	"/_emdash/api/oauth/device/code",
+	"/_emdash/api/oauth/token",
+	"/_emdash/api/comments/",
+	"/_emdash/api/media/file/",
+	"/_emdash/.well-known/"
+];
+const PUBLIC_API_EXACT = new Set([
+	"/_emdash/api/auth/passkey/options",
+	"/_emdash/api/auth/passkey/verify",
+	"/_emdash/api/oauth/token",
+	"/_emdash/api/snapshot"
+]);
+function isPublicEmDashRoute(pathname) {
+	if (PUBLIC_API_EXACT.has(pathname)) return true;
+	if (PUBLIC_API_PREFIXES.some((p) => pathname.startsWith(p))) return true;
+	if (import.meta.env.DEV && pathname === "/_emdash/api/typegen") return true;
+	return false;
+}
+const onRequest = defineMiddleware(async (context, next) => {
+	const { url } = context;
+	const isAdminRoute = url.pathname.startsWith("/_emdash/admin");
+	const isSetupRoute = url.pathname.startsWith("/_emdash/admin/setup");
+	const isApiRoute = url.pathname.startsWith("/_emdash/api");
+	const isPublicApiRoute = isPublicEmDashRoute(url.pathname);
+	const isPublicRoute = !isAdminRoute && !isApiRoute;
+	if (isPublicApiRoute) {
+		const method = context.request.method.toUpperCase();
+		if (method !== "GET" && method !== "HEAD" && method !== "OPTIONS") {
+			const csrfError = checkPublicCsrf(context.request, url);
+			if (csrfError) return csrfError;
+		}
+		return next();
+	}
+	if (url.pathname.startsWith("/_emdash/api/plugins/")) {
+		const method = context.request.method.toUpperCase();
+		if (method !== "GET" && method !== "HEAD" && method !== "OPTIONS") {
+			const csrfError = checkPublicCsrf(context.request, url);
+			if (csrfError) return csrfError;
+		}
+		return handlePluginRouteAuth(context, next);
+	}
+	if (isSetupRoute) {
+		const method = context.request.method.toUpperCase();
+		if (method !== "GET" && method !== "HEAD" && method !== "OPTIONS") {
+			if (context.request.headers.get("X-EmDash-Request") !== "1") return new Response(JSON.stringify({ error: {
+				code: "CSRF_REJECTED",
+				message: "Missing required header"
+			} }), {
+				status: 403,
+				headers: {
+					"Content-Type": "application/json",
+					...MW_CACHE_HEADERS
+				}
+			});
+		}
+		return next();
+	}
+	if (isPublicRoute) return handlePublicRouteAuth(context, next);
+	const bearerResult = await handleBearerAuth(context);
+	if (bearerResult === "invalid") {
+		const headers = {
+			"Content-Type": "application/json",
+			...MW_CACHE_HEADERS
+		};
+		if (url.pathname === "/_emdash/api/mcp") headers["WWW-Authenticate"] = `Bearer resource_metadata="${url.origin}/.well-known/oauth-protected-resource"`;
+		return new Response(JSON.stringify({ error: {
+			code: "INVALID_TOKEN",
+			message: "Invalid or expired token"
+		} }), {
+			status: 401,
+			headers
+		});
+	}
+	const isTokenAuth = bearerResult === "authenticated";
+	const method = context.request.method.toUpperCase();
+	const isOAuthConsent = url.pathname.startsWith("/_emdash/oauth/authorize");
+	if (isApiRoute && !isTokenAuth && !isOAuthConsent && method !== "GET" && method !== "HEAD" && method !== "OPTIONS" && !isPublicApiRoute) {
+		if (context.request.headers.get("X-EmDash-Request") !== "1") return new Response(JSON.stringify({ error: {
+			code: "CSRF_REJECTED",
+			message: "Missing required header"
+		} }), {
+			status: 403,
+			headers: {
+				"Content-Type": "application/json",
+				...MW_CACHE_HEADERS
+			}
+		});
+	}
+	if (isTokenAuth) {
+		const scopeError = enforceTokenScope(url.pathname, method, context.locals.tokenScopes);
+		if (scopeError) return scopeError;
+		const response = await next();
+		if (!import.meta.env.DEV) {
+			const marketplaceUrl = context.locals.emdash?.config.marketplace;
+			response.headers.set("Content-Security-Policy", buildEmDashCsp(marketplaceUrl));
+		}
+		return response;
+	}
+	const response = await handleEmDashAuth(context, next);
+	if (!import.meta.env.DEV) {
+		const marketplaceUrl = context.locals.emdash?.config.marketplace;
+		response.headers.set("Content-Security-Policy", buildEmDashCsp(marketplaceUrl));
+	}
+	return response;
+});
+/**
+* Auth handling for /_emdash routes. Returns a Response from either
+* an auth error/redirect or the downstream route handler.
+*/
+async function handleEmDashAuth(context, next) {
+	const { url, locals } = context;
+	const { emdash } = locals;
+	const isLoginRoute = url.pathname.startsWith("/_emdash/admin/login");
+	const isApiRoute = url.pathname.startsWith("/_emdash/api");
+	if (!emdash?.db) return next();
+	const authMode = getAuthMode(emdash.config);
+	if (authMode.type === "external") {
+		if (import.meta.env.DEV) {
+			if (isLoginRoute) return next();
+			return handlePasskeyAuth(context, next, isApiRoute);
+		}
+		return handleExternalAuth(context, next, authMode, isApiRoute);
+	}
+	if (isLoginRoute) return next();
+	return handlePasskeyAuth(context, next, isApiRoute);
+}
+/**
+* Soft auth for plugin routes: resolve user from Bearer token or session if present,
+* but never block unauthenticated requests. The catch-all handler checks route
+* metadata to decide whether auth is required (public vs private routes).
+*/
+async function handlePluginRouteAuth(context, next) {
+	const { locals } = context;
+	const { emdash } = locals;
+	try {
+		const bearerResult = await handleBearerAuth(context);
+		if (bearerResult === "authenticated") return next();
+		if (bearerResult === "invalid") return new Response(JSON.stringify({ error: {
+			code: "INVALID_TOKEN",
+			message: "Invalid or expired token"
+		} }), {
+			status: 401,
+			headers: {
+				"Content-Type": "application/json",
+				...MW_CACHE_HEADERS
+			}
+		});
+	} catch (error) {
+		console.error("Plugin route bearer auth error:", error);
+	}
+	try {
+		const { session } = context;
+		const sessionUser = await session?.get("user");
+		if (sessionUser?.id && emdash?.db) {
+			const user = await createKyselyAdapter(emdash.db).getUserById(sessionUser.id);
+			if (user && !user.disabled) locals.user = user;
+		}
+	} catch (error) {
+		console.error("Plugin route session auth error:", error);
+	}
+	return next();
+}
+/**
+* Soft auth check for public routes with edit mode cookie.
+* Checks the session and sets locals.user if valid, but never blocks the request.
+*/
+async function handlePublicRouteAuth(context, next) {
+	const { locals, session } = context;
+	const { emdash } = locals;
+	try {
+		const sessionUser = await session?.get("user");
+		if (sessionUser?.id && emdash?.db) {
+			const user = await createKyselyAdapter(emdash.db).getUserById(sessionUser.id);
+			if (user && !user.disabled) locals.user = user;
+		}
+	} catch {}
+	return next();
+}
+/**
+* Handle external auth provider authentication (Cloudflare Access, etc.)
+*/
+async function handleExternalAuth(context, next, authMode, _isApiRoute) {
+	const { locals, request } = context;
+	const { emdash } = locals;
+	try {
+		if (typeof authenticate !== "function") throw new Error(`Auth provider ${authMode.entrypoint} does not export an authenticate function`);
+		const authResult = await authenticate(request, authMode.config);
+		const externalConfig = authMode.config;
+		const adapter = createKyselyAdapter(emdash.db);
+		let user = await adapter.getUserByEmail(authResult.email);
+		if (!user) {
+			if (externalConfig.autoProvision === false) return new Response("User not authorized", {
+				status: 403,
+				headers: {
+					"Content-Type": "text/plain",
+					...MW_CACHE_HEADERS
+				}
+			});
+			const userCount = await emdash.db.selectFrom("users").select(emdash.db.fn.count("id").as("count")).executeTakeFirst();
+			const isFirstUser = Number(userCount?.count ?? 0) === 0;
+			const role = isFirstUser ? ROLE_ADMIN : authResult.role;
+			const now = (/* @__PURE__ */ new Date()).toISOString();
+			const newUser = {
+				id: ulid(),
+				email: authResult.email,
+				name: authResult.name,
+				role,
+				email_verified: 1,
+				created_at: now,
+				updated_at: now
+			};
+			await emdash.db.insertInto("users").values(newUser).execute();
+			user = await adapter.getUserByEmail(authResult.email);
+			console.log(`[external-auth] Provisioned user: ${authResult.email} (role: ${role}, first: ${isFirstUser})`);
+		} else {
+			const updates = {};
+			let newName;
+			let newRole;
+			if (authResult.name && user.name !== authResult.name) {
+				newName = authResult.name;
+				updates.name = newName;
+			}
+			if (externalConfig.syncRoles && user.role !== authResult.role) {
+				newRole = authResult.role;
+				updates.role = newRole;
+			}
+			if (Object.keys(updates).length > 0) {
+				updates.updated_at = (/* @__PURE__ */ new Date()).toISOString();
+				await emdash.db.updateTable("users").set(updates).where("id", "=", user.id).execute();
+				user = {
+					...user,
+					...newName ? { name: newName } : {},
+					...newRole ? { role: newRole } : {}
+				};
+				console.log(`[external-auth] Updated user ${authResult.email}:`, Object.keys(updates).filter((k) => k !== "updated_at"));
+			}
+		}
+		if (!user) return new Response("Failed to provision user", {
+			status: 500,
+			headers: {
+				"Content-Type": "text/plain",
+				...MW_CACHE_HEADERS
+			}
+		});
+		if (user.disabled) return new Response("Account disabled", {
+			status: 403,
+			headers: {
+				"Content-Type": "text/plain",
+				...MW_CACHE_HEADERS
+			}
+		});
+		locals.user = user;
+		const { session } = context;
+		session?.set("user", { id: user.id });
+		return next();
+	} catch (error) {
+		console.error("[external-auth] Auth error:", error);
+		return new Response("Authentication failed", {
+			status: 401,
+			headers: {
+				"Content-Type": "text/plain",
+				...MW_CACHE_HEADERS
+			}
+		});
+	}
+}
+/**
+* Try to authenticate via Bearer token (API token or OAuth token).
+*
+* Returns:
+* - "authenticated" if token is valid and user is resolved
+* - "invalid" if a token was provided but is invalid/expired
+* - "none" if no Bearer token was provided
+*/
+async function handleBearerAuth(context) {
+	const authHeader = context.request.headers.get("Authorization");
+	if (!authHeader?.startsWith("Bearer ")) return "none";
+	const token = authHeader.slice(7);
+	if (!token) return "none";
+	const { locals } = context;
+	const { emdash } = locals;
+	if (!emdash?.db) return "none";
+	let resolved = null;
+	if (token.startsWith("ec_pat_")) resolved = await resolveApiToken(emdash.db, token);
+	else if (token.startsWith("ec_oat_")) resolved = await resolveOAuthToken(emdash.db, token);
+	else return "invalid";
+	if (!resolved) return "invalid";
+	const user = await createKyselyAdapter(emdash.db).getUserById(resolved.userId);
+	if (!user || user.disabled) return "invalid";
+	locals.user = user;
+	locals.tokenScopes = resolved.scopes;
+	return "authenticated";
+}
+/**
+* Handle passkey (session-based) authentication
+*/
+async function handlePasskeyAuth(context, next, isApiRoute) {
+	const { url, locals, session } = context;
+	const { emdash } = locals;
+	try {
+		const sessionUser = await session?.get("user");
+		if (!sessionUser?.id) {
+			if (isApiRoute) {
+				const headers = { ...MW_CACHE_HEADERS };
+				if (url.pathname === "/_emdash/api/mcp") headers["WWW-Authenticate"] = `Bearer resource_metadata="${url.origin}/.well-known/oauth-protected-resource"`;
+				return Response.json({ error: {
+					code: "NOT_AUTHENTICATED",
+					message: "Not authenticated"
+				} }, {
+					status: 401,
+					headers
+				});
+			}
+			const loginUrl = new URL("/_emdash/admin/login", url.origin);
+			loginUrl.searchParams.set("redirect", url.pathname);
+			return context.redirect(loginUrl.toString());
+		}
+		const user = await createKyselyAdapter(emdash.db).getUserById(sessionUser.id);
+		if (!user) {
+			session?.destroy();
+			if (isApiRoute) return Response.json({ error: {
+				code: "NOT_FOUND",
+				message: "User not found"
+			} }, {
+				status: 401,
+				headers: MW_CACHE_HEADERS
+			});
+			return context.redirect("/_emdash/admin/login");
+		}
+		if (user.disabled) {
+			session?.destroy();
+			if (isApiRoute) return apiError("ACCOUNT_DISABLED", "Account disabled", 403);
+			const loginUrl = new URL("/_emdash/admin/login", url.origin);
+			loginUrl.searchParams.set("error", "account_disabled");
+			return context.redirect(loginUrl.toString());
+		}
+		locals.user = user;
+	} catch (error) {
+		console.error("Auth middleware error:", error);
+		return context.redirect("/_emdash/admin/login");
+	}
+	return next();
+}
+/**
+* Scope rules: ordered list of (pathPrefix, method, requiredScope) tuples.
+* First matching rule wins. Methods: "*" = any, "WRITE" = POST/PUT/PATCH/DELETE.
+*
+* Routes not matched by any rule default to "admin" scope (fail-closed).
+*/
+const SCOPE_RULES = [
+	[
+		"/_emdash/api/content",
+		"GET",
+		"content:read"
+	],
+	[
+		"/_emdash/api/content",
+		"WRITE",
+		"content:write"
+	],
+	[
+		"/_emdash/api/media/file",
+		"*",
+		"media:read"
+	],
+	[
+		"/_emdash/api/media",
+		"GET",
+		"media:read"
+	],
+	[
+		"/_emdash/api/media",
+		"WRITE",
+		"media:write"
+	],
+	[
+		"/_emdash/api/schema",
+		"GET",
+		"schema:read"
+	],
+	[
+		"/_emdash/api/schema",
+		"WRITE",
+		"schema:write"
+	],
+	[
+		"/_emdash/api/taxonomies",
+		"GET",
+		"content:read"
+	],
+	[
+		"/_emdash/api/taxonomies",
+		"WRITE",
+		"content:write"
+	],
+	[
+		"/_emdash/api/menus",
+		"GET",
+		"content:read"
+	],
+	[
+		"/_emdash/api/menus",
+		"WRITE",
+		"content:write"
+	],
+	[
+		"/_emdash/api/sections",
+		"GET",
+		"content:read"
+	],
+	[
+		"/_emdash/api/sections",
+		"WRITE",
+		"content:write"
+	],
+	[
+		"/_emdash/api/widget-areas",
+		"GET",
+		"content:read"
+	],
+	[
+		"/_emdash/api/widget-areas",
+		"WRITE",
+		"content:write"
+	],
+	[
+		"/_emdash/api/revisions",
+		"GET",
+		"content:read"
+	],
+	[
+		"/_emdash/api/revisions",
+		"WRITE",
+		"content:write"
+	],
+	[
+		"/_emdash/api/search",
+		"GET",
+		"content:read"
+	],
+	[
+		"/_emdash/api/search",
+		"WRITE",
+		"admin"
+	],
+	[
+		"/_emdash/api/import",
+		"*",
+		"admin"
+	],
+	[
+		"/_emdash/api/admin",
+		"*",
+		"admin"
+	],
+	[
+		"/_emdash/api/settings",
+		"*",
+		"admin"
+	],
+	[
+		"/_emdash/api/plugins",
+		"*",
+		"admin"
+	],
+	[
+		"/_emdash/api/mcp",
+		"*",
+		"content:read"
+	]
+];
+const WRITE_METHODS = new Set([
+	"POST",
+	"PUT",
+	"PATCH",
+	"DELETE"
+]);
+/**
+* Enforce API token scopes based on the request URL and HTTP method.
+* Returns a 403 Response if the scope is insufficient, or null if allowed.
+*
+* Session-authenticated requests (tokenScopes === undefined) are never checked.
+*/
+function enforceTokenScope(pathname, method, tokenScopes) {
+	if (!tokenScopes) return null;
+	const isWrite = WRITE_METHODS.has(method);
+	for (const [prefix, ruleMethod, scope] of SCOPE_RULES) {
+		if (pathname !== prefix && !pathname.startsWith(prefix + "/")) continue;
+		if (ruleMethod === "*" || ruleMethod === "WRITE" && isWrite || ruleMethod === method) {
+			if (hasScope(tokenScopes, scope)) return null;
+			return new Response(JSON.stringify({ error: {
+				code: "INSUFFICIENT_SCOPE",
+				message: `Token lacks required scope: ${scope}`
+			} }), {
+				status: 403,
+				headers: {
+					"Content-Type": "application/json",
+					...MW_CACHE_HEADERS
+				}
+			});
+		}
+	}
+	if (hasScope(tokenScopes, "admin")) return null;
+	return new Response(JSON.stringify({ error: {
+		code: "INSUFFICIENT_SCOPE",
+		message: "Token lacks required scope: admin"
+	} }), {
+		status: 403,
+		headers: {
+			"Content-Type": "application/json",
+			...MW_CACHE_HEADERS
+		}
+	});
+}
+//#endregion
+export { onRequest };
+//# sourceMappingURL=auth.mjs.map