npm - emdash - Versions diffs - 0.0.0-b → 0.0.2 - Mend

emdash 0.0.0-b → 0.0.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (661) hide show

package/README.md +87 -43
package/dist/adapters-BLMa4JGD.d.mts +106 -0
package/dist/adapters-BLMa4JGD.d.mts.map +1 -0
package/dist/apply-Bjfq_b4-.mjs +1293 -0
package/dist/apply-Bjfq_b4-.mjs.map +1 -0
package/dist/astro/index.d.mts +51 -0
package/dist/astro/index.d.mts.map +1 -0
package/dist/astro/index.mjs +1336 -0
package/dist/astro/index.mjs.map +1 -0
package/dist/astro/middleware/auth.d.mts +31 -0
package/dist/astro/middleware/auth.d.mts.map +1 -0
package/dist/astro/middleware/auth.mjs +654 -0
package/dist/astro/middleware/auth.mjs.map +1 -0
package/dist/astro/middleware/redirect.d.mts +22 -0
package/dist/astro/middleware/redirect.d.mts.map +1 -0
package/dist/astro/middleware/redirect.mjs +63 -0
package/dist/astro/middleware/redirect.mjs.map +1 -0
package/dist/astro/middleware/request-context.d.mts +18 -0
package/dist/astro/middleware/request-context.d.mts.map +1 -0
package/dist/astro/middleware/request-context.mjs +1310 -0
package/dist/astro/middleware/request-context.mjs.map +1 -0
package/dist/astro/middleware/setup.d.mts +20 -0
package/dist/astro/middleware/setup.d.mts.map +1 -0
package/dist/astro/middleware/setup.mjs +47 -0
package/dist/astro/middleware/setup.mjs.map +1 -0
package/dist/astro/middleware.d.mts +13 -0
package/dist/astro/middleware.d.mts.map +1 -0
package/dist/astro/middleware.mjs +1613 -0
package/dist/astro/middleware.mjs.map +1 -0
package/dist/astro/types.d.mts +250 -0
package/dist/astro/types.d.mts.map +1 -0
package/dist/astro/types.mjs +1 -0
package/dist/base64-MBPo9ozB.mjs +59 -0
package/dist/base64-MBPo9ozB.mjs.map +1 -0
package/dist/byline-CL847F26.mjs +213 -0
package/dist/byline-CL847F26.mjs.map +1 -0
package/dist/bylines-C2a-2TGt.mjs +136 -0
package/dist/bylines-C2a-2TGt.mjs.map +1 -0
package/dist/chunk-ClPoSABd.mjs +21 -0
package/dist/cli/index.d.mts +1 -0
package/dist/cli/index.mjs +3909 -0
package/dist/cli/index.mjs.map +1 -0
package/dist/client/cf-access.d.mts +60 -0
package/dist/client/cf-access.d.mts.map +1 -0
package/dist/client/cf-access.mjs +179 -0
package/dist/client/cf-access.mjs.map +1 -0
package/dist/client/index.d.mts +398 -0
package/dist/client/index.d.mts.map +1 -0
package/dist/client/index.mjs +346 -0
package/dist/client/index.mjs.map +1 -0
package/dist/config-CKE8p9xM.mjs +55 -0
package/dist/config-CKE8p9xM.mjs.map +1 -0
package/dist/connection-B4zVnQIa.mjs +40 -0
package/dist/connection-B4zVnQIa.mjs.map +1 -0
package/dist/content-D6C2WsZC.mjs +824 -0
package/dist/content-D6C2WsZC.mjs.map +1 -0
package/dist/db/index.d.mts +4 -0
package/dist/db/index.mjs +62 -0
package/dist/db/index.mjs.map +1 -0
package/dist/db/libsql.d.mts +11 -0
package/dist/db/libsql.d.mts.map +1 -0
package/dist/db/libsql.mjs +17 -0
package/dist/db/libsql.mjs.map +1 -0
package/dist/db/postgres.d.mts +11 -0
package/dist/db/postgres.d.mts.map +1 -0
package/dist/db/postgres.mjs +30 -0
package/dist/db/postgres.mjs.map +1 -0
package/dist/db/sqlite.d.mts +11 -0
package/dist/db/sqlite.d.mts.map +1 -0
package/dist/db/sqlite.mjs +16 -0
package/dist/db/sqlite.mjs.map +1 -0
package/dist/default-Cyi4aAxu.mjs +81 -0
package/dist/default-Cyi4aAxu.mjs.map +1 -0
package/dist/dialect-helpers-B9uSp2GJ.mjs +90 -0
package/dist/dialect-helpers-B9uSp2GJ.mjs.map +1 -0
package/dist/error-Cxz0tQeO.mjs +27 -0
package/dist/error-Cxz0tQeO.mjs.map +1 -0
package/dist/index-C1xF3OGh.d.mts +4527 -0
package/dist/index-C1xF3OGh.d.mts.map +1 -0
package/dist/index.d.mts +16 -0
package/dist/index.mjs +30 -0
package/dist/load-yOOlckBj.mjs +28 -0
package/dist/load-yOOlckBj.mjs.map +1 -0
package/dist/loader-fz8Q_3EO.mjs +447 -0
package/dist/loader-fz8Q_3EO.mjs.map +1 -0
package/dist/manifest-schema-Dcl0R6nM.mjs +184 -0
package/dist/manifest-schema-Dcl0R6nM.mjs.map +1 -0
package/dist/media/index.d.mts +26 -0
package/dist/media/index.d.mts.map +1 -0
package/dist/media/index.mjs +55 -0
package/dist/media/index.mjs.map +1 -0
package/dist/media/local-runtime.d.mts +39 -0
package/dist/media/local-runtime.d.mts.map +1 -0
package/dist/media/local-runtime.mjs +133 -0
package/dist/media/local-runtime.mjs.map +1 -0
package/dist/media-DqHVh136.mjs +200 -0
package/dist/media-DqHVh136.mjs.map +1 -0
package/dist/mode-C2EzN1uE.mjs +23 -0
package/dist/mode-C2EzN1uE.mjs.map +1 -0
package/dist/page/index.d.mts +140 -0
package/dist/page/index.d.mts.map +1 -0
package/dist/page/index.mjs +416 -0
package/dist/page/index.mjs.map +1 -0
package/dist/placeholder-CmGAmqeO.d.mts +276 -0
package/dist/placeholder-CmGAmqeO.d.mts.map +1 -0
package/dist/placeholder-SmpOx-_v.mjs +243 -0
package/dist/placeholder-SmpOx-_v.mjs.map +1 -0
package/dist/plugin-utils.d.mts +58 -0
package/dist/plugin-utils.d.mts.map +1 -0
package/dist/plugin-utils.mjs +78 -0
package/dist/plugin-utils.mjs.map +1 -0
package/dist/plugins/adapt-sandbox-entry.d.mts +22 -0
package/dist/plugins/adapt-sandbox-entry.d.mts.map +1 -0
package/dist/plugins/adapt-sandbox-entry.mjs +113 -0
package/dist/plugins/adapt-sandbox-entry.mjs.map +1 -0
package/dist/query-CS_iSj34.mjs +460 -0
package/dist/query-CS_iSj34.mjs.map +1 -0
package/dist/redirect-DIfIni3r.mjs +329 -0
package/dist/redirect-DIfIni3r.mjs.map +1 -0
package/dist/registry-D_w5HW4G.mjs +863 -0
package/dist/registry-D_w5HW4G.mjs.map +1 -0
package/dist/request-context.d.mts +49 -0
package/dist/request-context.d.mts.map +1 -0
package/dist/request-context.mjs +43 -0
package/dist/request-context.mjs.map +1 -0
package/dist/runner-C0hCbYnD.mjs +1412 -0
package/dist/runner-C0hCbYnD.mjs.map +1 -0
package/dist/runner-EAtf0ZIe.d.mts +27 -0
package/dist/runner-EAtf0ZIe.d.mts.map +1 -0
package/dist/runtime.d.mts +26 -0
package/dist/runtime.d.mts.map +1 -0
package/dist/runtime.mjs +42 -0
package/dist/runtime.mjs.map +1 -0
package/dist/search-DG603UrT.mjs +9211 -0
package/dist/search-DG603UrT.mjs.map +1 -0
package/dist/seed/index.d.mts +3 -0
package/dist/seed/index.mjs +15 -0
package/dist/seo/index.d.mts +70 -0
package/dist/seo/index.d.mts.map +1 -0
package/dist/seo/index.mjs +70 -0
package/dist/seo/index.mjs.map +1 -0
package/dist/storage/local.d.mts +39 -0
package/dist/storage/local.d.mts.map +1 -0
package/dist/storage/local.mjs +166 -0
package/dist/storage/local.mjs.map +1 -0
package/dist/storage/s3.d.mts +32 -0
package/dist/storage/s3.d.mts.map +1 -0
package/dist/storage/s3.mjs +175 -0
package/dist/storage/s3.mjs.map +1 -0
package/dist/tokens-DpgrkrXK.mjs +171 -0
package/dist/tokens-DpgrkrXK.mjs.map +1 -0
package/dist/transport-BFGblqwG.d.mts +42 -0
package/dist/transport-BFGblqwG.d.mts.map +1 -0
package/dist/transport-yxiQsi8I.mjs +418 -0
package/dist/transport-yxiQsi8I.mjs.map +1 -0
package/dist/types-BRuPJGdV.d.mts +102 -0
package/dist/types-BRuPJGdV.d.mts.map +1 -0
package/dist/types-C4-fAxN3.d.mts +182 -0
package/dist/types-C4-fAxN3.d.mts.map +1 -0
package/dist/types-CMMN0pNg.mjs +31 -0
package/dist/types-CMMN0pNg.mjs.map +1 -0
package/dist/types-CUBbjgmP.mjs +16 -0
package/dist/types-CUBbjgmP.mjs.map +1 -0
package/dist/types-DRjfYOEv.d.mts +426 -0
package/dist/types-DRjfYOEv.d.mts.map +1 -0
package/dist/types-DY5zk5HN.mjs +73 -0
package/dist/types-DY5zk5HN.mjs.map +1 -0
package/dist/types-DaNLHo_T.d.mts +184 -0
package/dist/types-DaNLHo_T.d.mts.map +1 -0
package/dist/types-DvhsUmSJ.d.mts +1111 -0
package/dist/types-DvhsUmSJ.d.mts.map +1 -0
package/dist/validate-CpBtVMsD.d.mts +378 -0
package/dist/validate-CpBtVMsD.d.mts.map +1 -0
package/dist/validate-CqRJb_xU.mjs +97 -0
package/dist/validate-CqRJb_xU.mjs.map +1 -0
package/dist/validate-O7PWmlnq.mjs +328 -0
package/dist/validate-O7PWmlnq.mjs.map +1 -0
package/locals.d.ts +46 -0
package/package.json +233 -19
package/src/api/authorize.ts +63 -0
package/src/api/csrf.ts +48 -0
package/src/api/error.ts +99 -0
package/src/api/errors.ts +445 -0
package/src/api/escape.ts +9 -0
package/src/api/handlers/api-tokens.ts +240 -0
package/src/api/handlers/comments.ts +314 -0
package/src/api/handlers/content.ts +1315 -0
package/src/api/handlers/dashboard.ts +205 -0
package/src/api/handlers/device-flow.ts +684 -0
package/src/api/handlers/index.ts +163 -0
package/src/api/handlers/manifest.ts +158 -0
package/src/api/handlers/marketplace.ts +930 -0
package/src/api/handlers/media.ts +207 -0
package/src/api/handlers/menus.ts +493 -0
package/src/api/handlers/oauth-authorization.ts +429 -0
package/src/api/handlers/oauth-clients.ts +349 -0
package/src/api/handlers/oauth-user-lookup.ts +39 -0
package/src/api/handlers/plugins.ts +254 -0
package/src/api/handlers/redirects.ts +360 -0
package/src/api/handlers/revision.ts +145 -0
package/src/api/handlers/schema.ts +534 -0
package/src/api/handlers/sections.ts +289 -0
package/src/api/handlers/seo.ts +115 -0
package/src/api/handlers/settings.ts +49 -0
package/src/api/handlers/snapshot.ts +350 -0
package/src/api/handlers/taxonomies.ts +523 -0
package/src/api/index.ts +6 -0
package/src/api/openapi/document.ts +2368 -0
package/src/api/openapi/index.ts +1 -0
package/src/api/parse.ts +139 -0
package/src/api/redirect.ts +14 -0
package/src/api/rev.ts +67 -0
package/src/api/schemas/auth.ts +112 -0
package/src/api/schemas/bylines.ts +85 -0
package/src/api/schemas/comments.ts +117 -0
package/src/api/schemas/common.ts +89 -0
package/src/api/schemas/content.ts +191 -0
package/src/api/schemas/import.ts +52 -0
package/src/api/schemas/index.ts +17 -0
package/src/api/schemas/media.ts +116 -0
package/src/api/schemas/menus.ts +111 -0
package/src/api/schemas/redirects.ts +155 -0
package/src/api/schemas/schema.ts +203 -0
package/src/api/schemas/search.ts +63 -0
package/src/api/schemas/sections.ts +67 -0
package/src/api/schemas/settings.ts +63 -0
package/src/api/schemas/setup.ts +37 -0
package/src/api/schemas/taxonomies.ts +113 -0
package/src/api/schemas/users.ts +96 -0
package/src/api/schemas/widgets.ts +80 -0
package/src/api/site-url.ts +25 -0
package/src/api/types.ts +82 -0
package/src/astro/index.ts +27 -0
package/src/astro/integration/index.ts +303 -0
package/src/astro/integration/routes.ts +834 -0
package/src/astro/integration/runtime.ts +338 -0
package/src/astro/integration/virtual-modules.ts +469 -0
package/src/astro/integration/vite-config.ts +335 -0
package/src/astro/middleware/auth.ts +743 -0
package/src/astro/middleware/redirect.ts +89 -0
package/src/astro/middleware/request-context.ts +129 -0
package/src/astro/middleware/setup.ts +89 -0
package/src/astro/middleware.ts +398 -0
package/src/astro/routes/PluginRegistry.tsx +15 -0
package/src/astro/routes/admin.astro +81 -0
package/src/astro/routes/api/admin/allowed-domains/[domain].ts +112 -0
package/src/astro/routes/api/admin/allowed-domains/index.ts +108 -0
package/src/astro/routes/api/admin/api-tokens/[id].ts +40 -0
package/src/astro/routes/api/admin/api-tokens/index.ts +68 -0
package/src/astro/routes/api/admin/bylines/[id]/index.ts +87 -0
package/src/astro/routes/api/admin/bylines/index.ts +72 -0
package/src/astro/routes/api/admin/comments/[id]/status.ts +116 -0
package/src/astro/routes/api/admin/comments/[id].ts +64 -0
package/src/astro/routes/api/admin/comments/bulk.ts +42 -0
package/src/astro/routes/api/admin/comments/counts.ts +30 -0
package/src/astro/routes/api/admin/comments/index.ts +46 -0
package/src/astro/routes/api/admin/hooks/exclusive/[hookName].ts +91 -0
package/src/astro/routes/api/admin/hooks/exclusive/index.ts +51 -0
package/src/astro/routes/api/admin/oauth-clients/[id].ts +110 -0
package/src/astro/routes/api/admin/oauth-clients/index.ts +71 -0
package/src/astro/routes/api/admin/plugins/[id]/disable.ts +39 -0
package/src/astro/routes/api/admin/plugins/[id]/enable.ts +39 -0
package/src/astro/routes/api/admin/plugins/[id]/index.ts +38 -0
package/src/astro/routes/api/admin/plugins/[id]/uninstall.ts +48 -0
package/src/astro/routes/api/admin/plugins/[id]/update.ts +59 -0
package/src/astro/routes/api/admin/plugins/index.ts +32 -0
package/src/astro/routes/api/admin/plugins/marketplace/[id]/icon.ts +61 -0
package/src/astro/routes/api/admin/plugins/marketplace/[id]/index.ts +33 -0
package/src/astro/routes/api/admin/plugins/marketplace/[id]/install.ts +62 -0
package/src/astro/routes/api/admin/plugins/marketplace/index.ts +38 -0
package/src/astro/routes/api/admin/plugins/updates.ts +28 -0
package/src/astro/routes/api/admin/themes/marketplace/[id]/index.ts +33 -0
package/src/astro/routes/api/admin/themes/marketplace/[id]/thumbnail.ts +61 -0
package/src/astro/routes/api/admin/themes/marketplace/index.ts +45 -0
package/src/astro/routes/api/admin/users/[id]/disable.ts +69 -0
package/src/astro/routes/api/admin/users/[id]/enable.ts +48 -0
package/src/astro/routes/api/admin/users/[id]/index.ts +146 -0
package/src/astro/routes/api/admin/users/[id]/send-recovery.ts +72 -0
package/src/astro/routes/api/admin/users/index.ts +66 -0
package/src/astro/routes/api/auth/dev-bypass.ts +139 -0
package/src/astro/routes/api/auth/invite/accept.ts +52 -0
package/src/astro/routes/api/auth/invite/complete.ts +84 -0
package/src/astro/routes/api/auth/invite/index.ts +99 -0
package/src/astro/routes/api/auth/logout.ts +40 -0
package/src/astro/routes/api/auth/magic-link/send.ts +89 -0
package/src/astro/routes/api/auth/magic-link/verify.ts +71 -0
package/src/astro/routes/api/auth/me.ts +60 -0
package/src/astro/routes/api/auth/oauth/[provider]/callback.ts +219 -0
package/src/astro/routes/api/auth/oauth/[provider].ts +119 -0
package/src/astro/routes/api/auth/passkey/[id].ts +124 -0
package/src/astro/routes/api/auth/passkey/index.ts +54 -0
package/src/astro/routes/api/auth/passkey/options.ts +82 -0
package/src/astro/routes/api/auth/passkey/register/options.ts +86 -0
package/src/astro/routes/api/auth/passkey/register/verify.ts +115 -0
package/src/astro/routes/api/auth/passkey/verify.ts +66 -0
package/src/astro/routes/api/auth/signup/complete.ts +85 -0
package/src/astro/routes/api/auth/signup/request.ts +77 -0
package/src/astro/routes/api/auth/signup/verify.ts +53 -0
package/src/astro/routes/api/comments/[collection]/[contentId]/index.ts +312 -0
package/src/astro/routes/api/content/[collection]/[id]/compare.ts +28 -0
package/src/astro/routes/api/content/[collection]/[id]/discard-draft.ts +54 -0
package/src/astro/routes/api/content/[collection]/[id]/duplicate.ts +61 -0
package/src/astro/routes/api/content/[collection]/[id]/permanent.ts +33 -0
package/src/astro/routes/api/content/[collection]/[id]/preview-url.ts +107 -0
package/src/astro/routes/api/content/[collection]/[id]/publish.ts +56 -0
package/src/astro/routes/api/content/[collection]/[id]/restore.ts +54 -0
package/src/astro/routes/api/content/[collection]/[id]/revisions.ts +31 -0
package/src/astro/routes/api/content/[collection]/[id]/schedule.ts +101 -0
package/src/astro/routes/api/content/[collection]/[id]/terms/[taxonomy].ts +140 -0
package/src/astro/routes/api/content/[collection]/[id]/translations.ts +30 -0
package/src/astro/routes/api/content/[collection]/[id]/unpublish.ts +56 -0
package/src/astro/routes/api/content/[collection]/[id].ts +137 -0
package/src/astro/routes/api/content/[collection]/index.ts +59 -0
package/src/astro/routes/api/content/[collection]/trash.ts +33 -0
package/src/astro/routes/api/dashboard.ts +32 -0
package/src/astro/routes/api/dev/emails.ts +36 -0
package/src/astro/routes/api/import/probe.ts +47 -0
package/src/astro/routes/api/import/wordpress/analyze.ts +510 -0
package/src/astro/routes/api/import/wordpress/execute.ts +283 -0
package/src/astro/routes/api/import/wordpress/media.ts +338 -0
package/src/astro/routes/api/import/wordpress/prepare.ts +181 -0
package/src/astro/routes/api/import/wordpress/rewrite-urls.ts +393 -0
package/src/astro/routes/api/import/wordpress-plugin/analyze.ts +111 -0
package/src/astro/routes/api/import/wordpress-plugin/callback.ts +58 -0
package/src/astro/routes/api/import/wordpress-plugin/execute.ts +347 -0
package/src/astro/routes/api/manifest.ts +62 -0
package/src/astro/routes/api/mcp.ts +124 -0
package/src/astro/routes/api/media/[id]/confirm.ts +93 -0
package/src/astro/routes/api/media/[id].ts +145 -0
package/src/astro/routes/api/media/file/[key].ts +79 -0
package/src/astro/routes/api/media/providers/[providerId]/[itemId].ts +86 -0
package/src/astro/routes/api/media/providers/[providerId]/index.ts +111 -0
package/src/astro/routes/api/media/providers/index.ts +30 -0
package/src/astro/routes/api/media/upload-url.ts +137 -0
package/src/astro/routes/api/media.ts +190 -0
package/src/astro/routes/api/menus/[name]/items.ts +87 -0
package/src/astro/routes/api/menus/[name]/reorder.ts +33 -0
package/src/astro/routes/api/menus/[name].ts +65 -0
package/src/astro/routes/api/menus/index.ts +47 -0
package/src/astro/routes/api/oauth/authorize.ts +412 -0
package/src/astro/routes/api/oauth/device/authorize.ts +45 -0
package/src/astro/routes/api/oauth/device/code.ts +51 -0
package/src/astro/routes/api/oauth/device/token.ts +69 -0
package/src/astro/routes/api/oauth/token/refresh.ts +38 -0
package/src/astro/routes/api/oauth/token/revoke.ts +38 -0
package/src/astro/routes/api/oauth/token.ts +184 -0
package/src/astro/routes/api/openapi.json.ts +32 -0
package/src/astro/routes/api/plugins/[pluginId]/[...path].ts +92 -0
package/src/astro/routes/api/redirects/404s/index.ts +72 -0
package/src/astro/routes/api/redirects/404s/summary.ts +33 -0
package/src/astro/routes/api/redirects/[id].ts +84 -0
package/src/astro/routes/api/redirects/index.ts +52 -0
package/src/astro/routes/api/revisions/[revisionId]/index.ts +29 -0
package/src/astro/routes/api/revisions/[revisionId]/restore.ts +58 -0
package/src/astro/routes/api/schema/collections/[slug]/fields/[fieldSlug].ts +76 -0
package/src/astro/routes/api/schema/collections/[slug]/fields/index.ts +52 -0
package/src/astro/routes/api/schema/collections/[slug]/fields/reorder.ts +32 -0
package/src/astro/routes/api/schema/collections/[slug]/index.ts +80 -0
package/src/astro/routes/api/schema/collections/index.ts +47 -0
package/src/astro/routes/api/schema/index.ts +109 -0
package/src/astro/routes/api/schema/orphans/[slug].ts +36 -0
package/src/astro/routes/api/schema/orphans/index.ts +26 -0
package/src/astro/routes/api/search/enable.ts +64 -0
package/src/astro/routes/api/search/index.ts +55 -0
package/src/astro/routes/api/search/rebuild.ts +72 -0
package/src/astro/routes/api/search/stats.ts +35 -0
package/src/astro/routes/api/search/suggest.ts +53 -0
package/src/astro/routes/api/sections/[slug].ts +84 -0
package/src/astro/routes/api/sections/index.ts +52 -0
package/src/astro/routes/api/settings/email.ts +150 -0
package/src/astro/routes/api/settings.ts +67 -0
package/src/astro/routes/api/setup/admin-verify.ts +100 -0
package/src/astro/routes/api/setup/admin.ts +94 -0
package/src/astro/routes/api/setup/dev-bypass.ts +199 -0
package/src/astro/routes/api/setup/dev-reset.ts +40 -0
package/src/astro/routes/api/setup/index.ts +126 -0
package/src/astro/routes/api/setup/status.ts +122 -0
package/src/astro/routes/api/snapshot.ts +75 -0
package/src/astro/routes/api/taxonomies/[name]/terms/[slug].ts +95 -0
package/src/astro/routes/api/taxonomies/[name]/terms/index.ts +69 -0
package/src/astro/routes/api/taxonomies/index.ts +59 -0
package/src/astro/routes/api/themes/preview.ts +77 -0
package/src/astro/routes/api/typegen.ts +114 -0
package/src/astro/routes/api/well-known/auth.ts +68 -0
package/src/astro/routes/api/well-known/oauth-authorization-server.ts +44 -0
package/src/astro/routes/api/well-known/oauth-protected-resource.ts +37 -0
package/src/astro/routes/api/widget-areas/[name]/reorder.ts +68 -0
package/src/astro/routes/api/widget-areas/[name]/widgets/[id].ts +127 -0
package/src/astro/routes/api/widget-areas/[name]/widgets.ts +80 -0
package/src/astro/routes/api/widget-areas/[name].ts +87 -0
package/src/astro/routes/api/widget-areas/index.ts +99 -0
package/src/astro/routes/api/widget-components.ts +22 -0
package/src/astro/routes/robots.txt.ts +77 -0
package/src/astro/routes/sitemap.xml.ts +97 -0
package/src/astro/storage/adapters.ts +74 -0
package/src/astro/storage/index.ts +19 -0
package/src/astro/storage/types.ts +60 -0
package/src/astro/types.ts +346 -0
package/src/auth/api-tokens.ts +25 -0
package/src/auth/challenge-store.ts +80 -0
package/src/auth/mode.ts +96 -0
package/src/auth/oauth-state-store.ts +96 -0
package/src/auth/passkey-config.ts +27 -0
package/src/auth/rate-limit.ts +158 -0
package/src/auth/scopes.ts +33 -0
package/src/auth/types.ts +104 -0
package/src/aws-sdk.d.ts +100 -0
package/src/bylines/index.ts +237 -0
package/src/cleanup.ts +153 -0
package/src/cli/client-factory.ts +100 -0
package/src/cli/commands/auth.ts +46 -0
package/src/cli/commands/bundle-utils.ts +247 -0
package/src/cli/commands/bundle.ts +609 -0
package/src/cli/commands/content.ts +442 -0
package/src/cli/commands/dev.ts +191 -0
package/src/cli/commands/doctor.ts +211 -0
package/src/cli/commands/export-seed.ts +630 -0
package/src/cli/commands/import/wordpress.ts +1056 -0
package/src/cli/commands/init.ts +192 -0
package/src/cli/commands/login.ts +547 -0
package/src/cli/commands/media.ts +165 -0
package/src/cli/commands/menu.ts +67 -0
package/src/cli/commands/plugin-init.ts +291 -0
package/src/cli/commands/plugin-validate.ts +31 -0
package/src/cli/commands/plugin.ts +33 -0
package/src/cli/commands/publish.ts +697 -0
package/src/cli/commands/schema.ts +233 -0
package/src/cli/commands/search-cmd.ts +54 -0
package/src/cli/commands/seed.ts +286 -0
package/src/cli/commands/taxonomy.ts +128 -0
package/src/cli/commands/types.ts +68 -0
package/src/cli/credentials.ts +236 -0
package/src/cli/index.ts +70 -0
package/src/cli/output.ts +75 -0
package/src/cli/wxr/parser.ts +969 -0
package/src/client/cf-access.ts +193 -0
package/src/client/index.ts +854 -0
package/src/client/portable-text.ts +413 -0
package/src/client/transport.ts +200 -0
package/src/comments/moderator.ts +46 -0
package/src/comments/notifications.ts +144 -0
package/src/comments/query.ts +105 -0
package/src/comments/service.ts +213 -0
package/src/components/Break.astro +45 -0
package/src/components/Button.astro +71 -0
package/src/components/Buttons.astro +49 -0
package/src/components/Code.astro +59 -0
package/src/components/Columns.astro +59 -0
package/src/components/CommentForm.astro +315 -0
package/src/components/Comments.astro +232 -0
package/src/components/Cover.astro +128 -0
package/src/components/EmDashBodyEnd.astro +32 -0
package/src/components/EmDashBodyStart.astro +32 -0
package/src/components/EmDashHead.astro +53 -0
package/src/components/EmDashImage.astro +178 -0
package/src/components/EmDashMedia.astro +167 -0
package/src/components/Embed.astro +128 -0
package/src/components/File.astro +122 -0
package/src/components/Gallery.astro +93 -0
package/src/components/HtmlBlock.astro +33 -0
package/src/components/Image.astro +178 -0
package/src/components/InlineEditor.astro +27 -0
package/src/components/InlinePortableTextEditor.tsx +1905 -0
package/src/components/LiveSearch.astro +614 -0
package/src/components/PortableText.astro +51 -0
package/src/components/Pullquote.astro +51 -0
package/src/components/Table.astro +108 -0
package/src/components/WidgetArea.astro +22 -0
package/src/components/WidgetRenderer.astro +72 -0
package/src/components/index.ts +116 -0
package/src/components/marks/Link.astro +31 -0
package/src/components/marks/StrikeThrough.astro +7 -0
package/src/components/marks/Subscript.astro +7 -0
package/src/components/marks/Superscript.astro +7 -0
package/src/components/marks/Underline.astro +7 -0
package/src/components/widgets/Archives.astro +65 -0
package/src/components/widgets/Categories.astro +35 -0
package/src/components/widgets/RecentPosts.astro +51 -0
package/src/components/widgets/Search.astro +18 -0
package/src/components/widgets/Tags.astro +38 -0
package/src/content/converters/index.ts +9 -0
package/src/content/converters/portable-text-to-prosemirror.ts +385 -0
package/src/content/converters/prosemirror-to-portable-text.ts +413 -0
package/src/content/converters/types.ts +120 -0
package/src/content/index.ts +5 -0
package/src/database/connection.ts +67 -0
package/src/database/dialect-helpers.ts +138 -0
package/src/database/index.ts +5 -0
package/src/database/migrations/001_initial.ts +170 -0
package/src/database/migrations/002_media_status.ts +26 -0
package/src/database/migrations/003_schema_registry.ts +79 -0
package/src/database/migrations/004_plugins.ts +62 -0
package/src/database/migrations/005_menus.ts +67 -0
package/src/database/migrations/006_taxonomy_defs.ts +51 -0
package/src/database/migrations/007_widgets.ts +42 -0
package/src/database/migrations/008_auth.ts +194 -0
package/src/database/migrations/009_user_disabled.ts +27 -0
package/src/database/migrations/011_sections.ts +65 -0
package/src/database/migrations/012_search.ts +25 -0
package/src/database/migrations/013_scheduled_publishing.ts +51 -0
package/src/database/migrations/014_draft_revisions.ts +72 -0
package/src/database/migrations/015_indexes.ts +82 -0
package/src/database/migrations/016_api_tokens.ts +89 -0
package/src/database/migrations/017_authorization_codes.ts +45 -0
package/src/database/migrations/018_seo.ts +56 -0
package/src/database/migrations/019_i18n.ts +618 -0
package/src/database/migrations/020_collection_url_pattern.ts +23 -0
package/src/database/migrations/021_remove_section_categories.ts +43 -0
package/src/database/migrations/022_marketplace_plugin_state.ts +46 -0
package/src/database/migrations/023_plugin_metadata.ts +33 -0
package/src/database/migrations/024_media_placeholders.ts +32 -0
package/src/database/migrations/025_oauth_clients.ts +28 -0
package/src/database/migrations/026_cron_tasks.ts +49 -0
package/src/database/migrations/027_comments.ts +87 -0
package/src/database/migrations/028_drop_author_url.ts +9 -0
package/src/database/migrations/029_redirects.ts +67 -0
package/src/database/migrations/030_widen_scheduled_index.ts +48 -0
package/src/database/migrations/031_bylines.ts +90 -0
package/src/database/migrations/032_rate_limits.ts +39 -0
package/src/database/migrations/runner.ts +170 -0
package/src/database/repositories/audit.ts +294 -0
package/src/database/repositories/byline.ts +387 -0
package/src/database/repositories/comment.ts +458 -0
package/src/database/repositories/content.ts +1144 -0
package/src/database/repositories/index.ts +30 -0
package/src/database/repositories/media.ts +347 -0
package/src/database/repositories/options.ts +150 -0
package/src/database/repositories/plugin-storage.ts +373 -0
package/src/database/repositories/redirect.ts +480 -0
package/src/database/repositories/revision.ts +200 -0
package/src/database/repositories/seo.ts +176 -0
package/src/database/repositories/taxonomy.ts +294 -0
package/src/database/repositories/types.ts +132 -0
package/src/database/repositories/user.ts +258 -0
package/src/database/transaction.ts +54 -0
package/src/database/types.ts +501 -0
package/src/database/validate.ts +138 -0
package/src/db/adapters.ts +125 -0
package/src/db/index.ts +37 -0
package/src/db/libsql.ts +23 -0
package/src/db/postgres.ts +30 -0
package/src/db/sqlite.ts +27 -0
package/src/emdash-runtime.ts +2096 -0
package/src/fields/boolean.ts +34 -0
package/src/fields/datetime.ts +44 -0
package/src/fields/file.ts +41 -0
package/src/fields/image.ts +34 -0
package/src/fields/index.ts +42 -0
package/src/fields/integer.ts +50 -0
package/src/fields/json.ts +37 -0
package/src/fields/multiselect.ts +48 -0
package/src/fields/number.ts +52 -0
package/src/fields/portable-text.ts +33 -0
package/src/fields/reference.ts +29 -0
package/src/fields/richtext.ts +31 -0
package/src/fields/select.ts +46 -0
package/src/fields/slug.ts +38 -0
package/src/fields/text.ts +55 -0
package/src/fields/textarea.ts +52 -0
package/src/fields/types.ts +64 -0
package/src/i18n/config.ts +68 -0
package/src/import/index.ts +90 -0
package/src/import/menus.ts +436 -0
package/src/import/registry.ts +111 -0
package/src/import/sections.ts +103 -0
package/src/import/settings.ts +281 -0
package/src/import/sources/wordpress-plugin.ts +641 -0
package/src/import/sources/wordpress-rest.ts +191 -0
package/src/import/sources/wxr.ts +330 -0
package/src/import/ssrf.ts +260 -0
package/src/import/types.ts +418 -0
package/src/import/utils.ts +412 -0
package/src/index.ts +481 -0
package/src/loader.ts +770 -0
package/src/mcp/server.ts +1463 -0
package/src/media/index.ts +32 -0
package/src/media/local-runtime.ts +213 -0
package/src/media/local.ts +46 -0
package/src/media/normalize.ts +190 -0
package/src/media/placeholder.ts +150 -0
package/src/media/provider-loader.ts +78 -0
package/src/media/types.ts +279 -0
package/src/menus/index.ts +324 -0
package/src/menus/types.ts +112 -0
package/src/page/context.ts +93 -0
package/src/page/fragments.ts +89 -0
package/src/page/index.ts +58 -0
package/src/page/jsonld.ts +94 -0
package/src/page/metadata.ts +185 -0
package/src/page/seo-contributions.ts +136 -0
package/src/plugin-utils.ts +80 -0
package/src/plugins/adapt-sandbox-entry.ts +207 -0
package/src/plugins/context.ts +833 -0
package/src/plugins/cron.ts +361 -0
package/src/plugins/define-plugin.ts +259 -0
package/src/plugins/email-console.ts +73 -0
package/src/plugins/email.ts +209 -0
package/src/plugins/hooks.ts +1273 -0
package/src/plugins/index.ts +193 -0
package/src/plugins/manager.ts +595 -0
package/src/plugins/manifest-schema.ts +230 -0
package/src/plugins/marketplace.ts +460 -0
package/src/plugins/request-meta.ts +139 -0
package/src/plugins/routes.ts +302 -0
package/src/plugins/sandbox/index.ts +18 -0
package/src/plugins/sandbox/noop.ts +76 -0
package/src/plugins/sandbox/types.ts +173 -0
package/src/plugins/scheduler/node.ts +122 -0
package/src/plugins/scheduler/piggyback.ts +71 -0
package/src/plugins/scheduler/types.ts +27 -0
package/src/plugins/state.ts +208 -0
package/src/plugins/storage-indexes.ts +326 -0
package/src/plugins/storage-query.ts +240 -0
package/src/plugins/types.ts +1284 -0
package/src/preview/helpers.ts +27 -0
package/src/preview/index.ts +40 -0
package/src/preview/tokens.ts +279 -0
package/src/preview/urls.ts +118 -0
package/src/query.ts +674 -0
package/src/redirects/patterns.ts +224 -0
package/src/request-context.ts +67 -0
package/src/runtime.ts +21 -0
package/src/schema/index.ts +29 -0
package/src/schema/query.ts +44 -0
package/src/schema/registry.ts +965 -0
package/src/schema/types.ts +276 -0
package/src/schema/zod-generator.ts +413 -0
package/src/search/fts-manager.ts +452 -0
package/src/search/index.ts +26 -0
package/src/search/query.ts +396 -0
package/src/search/text-extraction.ts +162 -0
package/src/search/types.ts +114 -0
package/src/sections/index.ts +226 -0
package/src/sections/types.ts +86 -0
package/src/seed/apply.ts +1141 -0
package/src/seed/default.ts +86 -0
package/src/seed/index.ts +28 -0
package/src/seed/load.ts +35 -0
package/src/seed/types.ts +341 -0
package/src/seed/validate.ts +642 -0
package/src/seo/index.ts +179 -0
package/src/settings/index.ts +203 -0
package/src/settings/types.ts +58 -0
package/src/storage/index.ts +28 -0
package/src/storage/local.ts +249 -0
package/src/storage/s3.ts +263 -0
package/src/storage/types.ts +204 -0
package/src/taxonomies/index.ts +309 -0
package/src/taxonomies/types.ts +61 -0
package/src/ui.ts +75 -0
package/src/utils/base64.ts +73 -0
package/src/utils/hash.ts +36 -0
package/src/utils/sanitize.ts +20 -0
package/src/utils/slugify.ts +29 -0
package/src/utils/url.ts +48 -0
package/src/virtual-modules.d.ts +111 -0
package/src/visual-editing/editable.ts +108 -0
package/src/visual-editing/toolbar.ts +1229 -0
package/src/widgets/components.ts +105 -0
package/src/widgets/index.ts +131 -0
package/src/widgets/types.ts +81 -0

package/src/api/handlers/oauth-authorization.ts ADDED Viewed

@@ -0,0 +1,429 @@
+/**
+ * OAuth 2.1 Authorization Code + PKCE handlers.
+ *
+ * Implements the server side of the authorization code grant for MCP clients
+ * (Claude Desktop, VS Code, etc.) per the MCP authorization spec (draft).
+ *
+ * Uses arctic for PKCE challenge generation and @emdash-cms/auth for token
+ * utilities. Token infrastructure is shared with the device flow.
+ */
+import { clampScopes, computeS256Challenge } from "@emdash-cms/auth";
+import type { RoleLevel } from "@emdash-cms/auth";
+import { generateCodeVerifier } from "arctic";
+import type { Kysely } from "kysely";
+import {
+	generatePrefixedToken,
+	hashApiToken,
+	TOKEN_PREFIXES,
+	VALID_SCOPES,
+} from "../../auth/api-tokens.js";
+import type { Database } from "../../database/types.js";
+import type { ApiResult } from "../types.js";
+import { lookupOAuthClient, validateClientRedirectUri } from "./oauth-clients.js";
+// ---------------------------------------------------------------------------
+// Constants
+// ---------------------------------------------------------------------------
+/** Authorization codes expire after 10 minutes (RFC 6749 §4.1.2 recommends short-lived) */
+const AUTH_CODE_TTL_SECONDS = 10 * 60;
+/** Access token TTL: 1 hour */
+const ACCESS_TOKEN_TTL_SECONDS = 60 * 60;
+/** Refresh token TTL: 90 days */
+const REFRESH_TOKEN_TTL_SECONDS = 90 * 24 * 60 * 60;
+// ---------------------------------------------------------------------------
+// Types
+// ---------------------------------------------------------------------------
+export interface AuthorizationParams {
+	response_type: string;
+	client_id: string;
+	redirect_uri: string;
+	scope?: string;
+	state?: string;
+	code_challenge: string;
+	code_challenge_method: string;
+	resource?: string;
+}
+export interface TokenExchangeParams {
+	grant_type: string;
+	code: string;
+	redirect_uri: string;
+	client_id: string;
+	code_verifier: string;
+	resource?: string;
+}
+export interface TokenResponse {
+	access_token: string;
+	refresh_token: string;
+	token_type: "Bearer";
+	expires_in: number;
+	scope: string;
+}
+// ---------------------------------------------------------------------------
+// Helpers
+// ---------------------------------------------------------------------------
+function expiresAt(seconds: number): string {
+	return new Date(Date.now() + seconds * 1000).toISOString();
+}
+/**
+ * Validate a redirect URI per OAuth 2.1 security requirements.
+ * Allows localhost (loopback) over HTTP, and any HTTPS URL.
+ */
+export function validateRedirectUri(uri: string): string | null {
+	try {
+		const url = new URL(uri);
+		// Reject protocol-relative URLs
+		if (uri.startsWith("//")) {
+			return "Protocol-relative redirect URIs are not allowed";
+		}
+		// Allow localhost/loopback over HTTP (for desktop MCP clients)
+		if (url.protocol === "http:") {
+			const host = url.hostname;
+			if (host === "127.0.0.1" || host === "localhost" || host === "[::1]") {
+				return null; // OK
+			}
+			return "HTTP redirect URIs are only allowed for localhost";
+		}
+		// Allow HTTPS
+		if (url.protocol === "https:") {
+			return null; // OK
+		}
+		return `Unsupported redirect URI scheme: ${url.protocol}`;
+	} catch {
+		return "Invalid redirect URI";
+	}
+}
+/**
+ * Validate and normalize scopes. Returns validated scope list.
+ */
+function normalizeScopes(requested?: string): string[] {
+	if (!requested) return [];
+	const validSet = new Set<string>(VALID_SCOPES);
+	const scopes = requested
+		.split(" ")
+		.filter(Boolean)
+		.filter((s) => validSet.has(s));
+	return scopes;
+}
+// ---------------------------------------------------------------------------
+// Handlers
+// ---------------------------------------------------------------------------
+/**
+ * Process an authorization request after the user approves consent.
+ *
+ * Generates an authorization code, stores it with the PKCE challenge,
+ * and returns the redirect URL with the code appended.
+ *
+ * Scopes are clamped to the user's role to prevent scope escalation.
+ */
+export async function handleAuthorizationApproval(
+	db: Kysely<Database>,
+	userId: string,
+	userRole: RoleLevel,
+	params: AuthorizationParams,
+): Promise<ApiResult<{ redirect_url: string }>> {
+	try {
+		// Validate response_type
+		if (params.response_type !== "code") {
+			return {
+				success: false,
+				error: {
+					code: "UNSUPPORTED_RESPONSE_TYPE",
+					message: "Only response_type=code is supported",
+				},
+			};
+		}
+		// Validate redirect_uri scheme/host (basic security check)
+		const uriError = validateRedirectUri(params.redirect_uri);
+		if (uriError) {
+			return {
+				success: false,
+				error: { code: "INVALID_REDIRECT_URI", message: uriError },
+			};
+		}
+		// Look up the registered OAuth client
+		const client = await lookupOAuthClient(db, params.client_id);
+		if (!client) {
+			return {
+				success: false,
+				error: {
+					code: "INVALID_CLIENT",
+					message: "Unknown client_id",
+				},
+			};
+		}
+		// Validate redirect_uri against client's registered URIs
+		const clientUriError = validateClientRedirectUri(params.redirect_uri, client.redirectUris);
+		if (clientUriError) {
+			return {
+				success: false,
+				error: { code: "INVALID_REDIRECT_URI", message: clientUriError },
+			};
+		}
+		// Validate code_challenge_method
+		if (params.code_challenge_method !== "S256") {
+			return {
+				success: false,
+				error: {
+					code: "INVALID_REQUEST",
+					message: "Only S256 code_challenge_method is supported",
+				},
+			};
+		}
+		// Validate code_challenge is present
+		if (!params.code_challenge) {
+			return {
+				success: false,
+				error: { code: "INVALID_REQUEST", message: "code_challenge is required" },
+			};
+		}
+		// Validate scopes, then clamp to user's role
+		const userScopes = clampScopes(normalizeScopes(params.scope), userRole);
+		// SEC-41: Intersect with client's registered scopes (if restricted).
+		// A client registered with scopes: ["content:read"] should never receive
+		// admin or schema:write, regardless of the approving user's role.
+		const clientScopes = client.scopes;
+		const scopes = clientScopes?.length
+			? userScopes.filter((s: string) => clientScopes.includes(s))
+			: userScopes;
+		if (scopes.length === 0) {
+			return {
+				success: false,
+				error: { code: "INVALID_SCOPE", message: "No valid scopes requested" },
+			};
+		}
+		// Generate authorization code (high entropy, base64url)
+		const code = generateCodeVerifier(); // 32 bytes random, base64url
+		const codeHash = hashApiToken(code);
+		// Store the authorization code
+		await db
+			.insertInto("_emdash_authorization_codes")
+			.values({
+				code_hash: codeHash,
+				client_id: params.client_id,
+				redirect_uri: params.redirect_uri,
+				user_id: userId,
+				scopes: JSON.stringify(scopes),
+				code_challenge: params.code_challenge,
+				code_challenge_method: params.code_challenge_method,
+				resource: params.resource ?? null,
+				expires_at: expiresAt(AUTH_CODE_TTL_SECONDS),
+			})
+			.execute();
+		// Build the redirect URL
+		const redirectUrl = new URL(params.redirect_uri);
+		redirectUrl.searchParams.set("code", code);
+		if (params.state) {
+			redirectUrl.searchParams.set("state", params.state);
+		}
+		return {
+			success: true,
+			data: { redirect_url: redirectUrl.toString() },
+		};
+	} catch (error) {
+		console.error("Authorization error:", error);
+		return {
+			success: false,
+			error: {
+				code: "AUTHORIZATION_ERROR",
+				message: "Failed to process authorization",
+			},
+		};
+	}
+}
+/**
+ * Exchange an authorization code for access + refresh tokens.
+ *
+ * Validates the code, verifies PKCE, and issues tokens using the same
+ * infrastructure as the device flow (ec_oat_*, ec_ort_*).
+ */
+export async function handleAuthorizationCodeExchange(
+	db: Kysely<Database>,
+	params: TokenExchangeParams,
+): Promise<ApiResult<TokenResponse>> {
+	try {
+		// Validate grant_type
+		if (params.grant_type !== "authorization_code") {
+			return {
+				success: false,
+				error: { code: "unsupported_grant_type", message: "Invalid grant_type" },
+			};
+		}
+		// SEC-39: Atomically consume the authorization code using DELETE...RETURNING.
+		// This prevents TOCTOU double-exchange: two concurrent requests with the
+		// same code will race on the DELETE, and only one will get a row back.
+		const codeHash = hashApiToken(params.code);
+		const row = await db
+			.deleteFrom("_emdash_authorization_codes")
+			.where("code_hash", "=", codeHash)
+			.returningAll()
+			.executeTakeFirst();
+		if (!row) {
+			return {
+				success: false,
+				error: { code: "invalid_grant", message: "Invalid authorization code" },
+			};
+		}
+		// Check expiry
+		if (new Date(row.expires_at) < new Date()) {
+			return {
+				success: false,
+				error: { code: "invalid_grant", message: "Authorization code expired" },
+			};
+		}
+		// Verify redirect_uri matches exactly
+		if (row.redirect_uri !== params.redirect_uri) {
+			return {
+				success: false,
+				error: { code: "invalid_grant", message: "redirect_uri mismatch" },
+			};
+		}
+		// Verify client_id matches
+		if (row.client_id !== params.client_id) {
+			return {
+				success: false,
+				error: { code: "invalid_grant", message: "client_id mismatch" },
+			};
+		}
+		// PKCE verification: SHA256(code_verifier) must match stored code_challenge
+		const derivedChallenge = computeS256Challenge(params.code_verifier);
+		if (derivedChallenge !== row.code_challenge) {
+			return {
+				success: false,
+				error: { code: "invalid_grant", message: "PKCE verification failed" },
+			};
+		}
+		// Verify resource matches (if stored)
+		if (row.resource && params.resource && row.resource !== params.resource) {
+			return {
+				success: false,
+				error: { code: "invalid_grant", message: "resource mismatch" },
+			};
+		}
+		// Issue tokens (same as device flow)
+		const scopes = JSON.parse(row.scopes) as string[];
+		const accessToken = generatePrefixedToken(TOKEN_PREFIXES.OAUTH_ACCESS);
+		const accessExpires = expiresAt(ACCESS_TOKEN_TTL_SECONDS);
+		const refreshToken = generatePrefixedToken(TOKEN_PREFIXES.OAUTH_REFRESH);
+		const refreshExpires = expiresAt(REFRESH_TOKEN_TTL_SECONDS);
+		// Store access token
+		await db
+			.insertInto("_emdash_oauth_tokens")
+			.values({
+				token_hash: accessToken.hash,
+				token_type: "access",
+				user_id: row.user_id,
+				scopes: JSON.stringify(scopes),
+				client_type: "mcp",
+				expires_at: accessExpires,
+				refresh_token_hash: refreshToken.hash,
+				client_id: row.client_id,
+			})
+			.execute();
+		// Store refresh token
+		await db
+			.insertInto("_emdash_oauth_tokens")
+			.values({
+				token_hash: refreshToken.hash,
+				token_type: "refresh",
+				user_id: row.user_id,
+				scopes: JSON.stringify(scopes),
+				client_type: "mcp",
+				expires_at: refreshExpires,
+				refresh_token_hash: null,
+				client_id: row.client_id,
+			})
+			.execute();
+		return {
+			success: true,
+			data: {
+				access_token: accessToken.raw,
+				refresh_token: refreshToken.raw,
+				token_type: "Bearer",
+				expires_in: ACCESS_TOKEN_TTL_SECONDS,
+				scope: scopes.join(" "),
+			},
+		};
+	} catch (error) {
+		console.error("Token exchange error:", error);
+		return {
+			success: false,
+			error: {
+				code: "TOKEN_EXCHANGE_ERROR",
+				message: "Failed to exchange authorization code",
+			},
+		};
+	}
+}
+/**
+ * Build the authorization denied redirect URL.
+ */
+export function buildDeniedRedirect(redirectUri: string, state?: string): string {
+	const url = new URL(redirectUri);
+	url.searchParams.set("error", "access_denied");
+	url.searchParams.set("error_description", "The user denied the authorization request");
+	if (state) {
+		url.searchParams.set("state", state);
+	}
+	return url.toString();
+}
+/**
+ * Clean up expired authorization codes.
+ */
+export async function cleanupExpiredAuthorizationCodes(db: Kysely<Database>): Promise<number> {
+	const result = await db
+		.deleteFrom("_emdash_authorization_codes")
+		.where("expires_at", "<", new Date().toISOString())
+		.executeTakeFirst();
+	return Number(result.numDeletedRows);
+}