npm - emdash - Versions diffs - 0.0.0-b → 0.0.2 - Mend

emdash 0.0.0-b → 0.0.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (661) hide show

package/README.md +87 -43
package/dist/adapters-BLMa4JGD.d.mts +106 -0
package/dist/adapters-BLMa4JGD.d.mts.map +1 -0
package/dist/apply-Bjfq_b4-.mjs +1293 -0
package/dist/apply-Bjfq_b4-.mjs.map +1 -0
package/dist/astro/index.d.mts +51 -0
package/dist/astro/index.d.mts.map +1 -0
package/dist/astro/index.mjs +1336 -0
package/dist/astro/index.mjs.map +1 -0
package/dist/astro/middleware/auth.d.mts +31 -0
package/dist/astro/middleware/auth.d.mts.map +1 -0
package/dist/astro/middleware/auth.mjs +654 -0
package/dist/astro/middleware/auth.mjs.map +1 -0
package/dist/astro/middleware/redirect.d.mts +22 -0
package/dist/astro/middleware/redirect.d.mts.map +1 -0
package/dist/astro/middleware/redirect.mjs +63 -0
package/dist/astro/middleware/redirect.mjs.map +1 -0
package/dist/astro/middleware/request-context.d.mts +18 -0
package/dist/astro/middleware/request-context.d.mts.map +1 -0
package/dist/astro/middleware/request-context.mjs +1310 -0
package/dist/astro/middleware/request-context.mjs.map +1 -0
package/dist/astro/middleware/setup.d.mts +20 -0
package/dist/astro/middleware/setup.d.mts.map +1 -0
package/dist/astro/middleware/setup.mjs +47 -0
package/dist/astro/middleware/setup.mjs.map +1 -0
package/dist/astro/middleware.d.mts +13 -0
package/dist/astro/middleware.d.mts.map +1 -0
package/dist/astro/middleware.mjs +1613 -0
package/dist/astro/middleware.mjs.map +1 -0
package/dist/astro/types.d.mts +250 -0
package/dist/astro/types.d.mts.map +1 -0
package/dist/astro/types.mjs +1 -0
package/dist/base64-MBPo9ozB.mjs +59 -0
package/dist/base64-MBPo9ozB.mjs.map +1 -0
package/dist/byline-CL847F26.mjs +213 -0
package/dist/byline-CL847F26.mjs.map +1 -0
package/dist/bylines-C2a-2TGt.mjs +136 -0
package/dist/bylines-C2a-2TGt.mjs.map +1 -0
package/dist/chunk-ClPoSABd.mjs +21 -0
package/dist/cli/index.d.mts +1 -0
package/dist/cli/index.mjs +3909 -0
package/dist/cli/index.mjs.map +1 -0
package/dist/client/cf-access.d.mts +60 -0
package/dist/client/cf-access.d.mts.map +1 -0
package/dist/client/cf-access.mjs +179 -0
package/dist/client/cf-access.mjs.map +1 -0
package/dist/client/index.d.mts +398 -0
package/dist/client/index.d.mts.map +1 -0
package/dist/client/index.mjs +346 -0
package/dist/client/index.mjs.map +1 -0
package/dist/config-CKE8p9xM.mjs +55 -0
package/dist/config-CKE8p9xM.mjs.map +1 -0
package/dist/connection-B4zVnQIa.mjs +40 -0
package/dist/connection-B4zVnQIa.mjs.map +1 -0
package/dist/content-D6C2WsZC.mjs +824 -0
package/dist/content-D6C2WsZC.mjs.map +1 -0
package/dist/db/index.d.mts +4 -0
package/dist/db/index.mjs +62 -0
package/dist/db/index.mjs.map +1 -0
package/dist/db/libsql.d.mts +11 -0
package/dist/db/libsql.d.mts.map +1 -0
package/dist/db/libsql.mjs +17 -0
package/dist/db/libsql.mjs.map +1 -0
package/dist/db/postgres.d.mts +11 -0
package/dist/db/postgres.d.mts.map +1 -0
package/dist/db/postgres.mjs +30 -0
package/dist/db/postgres.mjs.map +1 -0
package/dist/db/sqlite.d.mts +11 -0
package/dist/db/sqlite.d.mts.map +1 -0
package/dist/db/sqlite.mjs +16 -0
package/dist/db/sqlite.mjs.map +1 -0
package/dist/default-Cyi4aAxu.mjs +81 -0
package/dist/default-Cyi4aAxu.mjs.map +1 -0
package/dist/dialect-helpers-B9uSp2GJ.mjs +90 -0
package/dist/dialect-helpers-B9uSp2GJ.mjs.map +1 -0
package/dist/error-Cxz0tQeO.mjs +27 -0
package/dist/error-Cxz0tQeO.mjs.map +1 -0
package/dist/index-C1xF3OGh.d.mts +4527 -0
package/dist/index-C1xF3OGh.d.mts.map +1 -0
package/dist/index.d.mts +16 -0
package/dist/index.mjs +30 -0
package/dist/load-yOOlckBj.mjs +28 -0
package/dist/load-yOOlckBj.mjs.map +1 -0
package/dist/loader-fz8Q_3EO.mjs +447 -0
package/dist/loader-fz8Q_3EO.mjs.map +1 -0
package/dist/manifest-schema-Dcl0R6nM.mjs +184 -0
package/dist/manifest-schema-Dcl0R6nM.mjs.map +1 -0
package/dist/media/index.d.mts +26 -0
package/dist/media/index.d.mts.map +1 -0
package/dist/media/index.mjs +55 -0
package/dist/media/index.mjs.map +1 -0
package/dist/media/local-runtime.d.mts +39 -0
package/dist/media/local-runtime.d.mts.map +1 -0
package/dist/media/local-runtime.mjs +133 -0
package/dist/media/local-runtime.mjs.map +1 -0
package/dist/media-DqHVh136.mjs +200 -0
package/dist/media-DqHVh136.mjs.map +1 -0
package/dist/mode-C2EzN1uE.mjs +23 -0
package/dist/mode-C2EzN1uE.mjs.map +1 -0
package/dist/page/index.d.mts +140 -0
package/dist/page/index.d.mts.map +1 -0
package/dist/page/index.mjs +416 -0
package/dist/page/index.mjs.map +1 -0
package/dist/placeholder-CmGAmqeO.d.mts +276 -0
package/dist/placeholder-CmGAmqeO.d.mts.map +1 -0
package/dist/placeholder-SmpOx-_v.mjs +243 -0
package/dist/placeholder-SmpOx-_v.mjs.map +1 -0
package/dist/plugin-utils.d.mts +58 -0
package/dist/plugin-utils.d.mts.map +1 -0
package/dist/plugin-utils.mjs +78 -0
package/dist/plugin-utils.mjs.map +1 -0
package/dist/plugins/adapt-sandbox-entry.d.mts +22 -0
package/dist/plugins/adapt-sandbox-entry.d.mts.map +1 -0
package/dist/plugins/adapt-sandbox-entry.mjs +113 -0
package/dist/plugins/adapt-sandbox-entry.mjs.map +1 -0
package/dist/query-CS_iSj34.mjs +460 -0
package/dist/query-CS_iSj34.mjs.map +1 -0
package/dist/redirect-DIfIni3r.mjs +329 -0
package/dist/redirect-DIfIni3r.mjs.map +1 -0
package/dist/registry-D_w5HW4G.mjs +863 -0
package/dist/registry-D_w5HW4G.mjs.map +1 -0
package/dist/request-context.d.mts +49 -0
package/dist/request-context.d.mts.map +1 -0
package/dist/request-context.mjs +43 -0
package/dist/request-context.mjs.map +1 -0
package/dist/runner-C0hCbYnD.mjs +1412 -0
package/dist/runner-C0hCbYnD.mjs.map +1 -0
package/dist/runner-EAtf0ZIe.d.mts +27 -0
package/dist/runner-EAtf0ZIe.d.mts.map +1 -0
package/dist/runtime.d.mts +26 -0
package/dist/runtime.d.mts.map +1 -0
package/dist/runtime.mjs +42 -0
package/dist/runtime.mjs.map +1 -0
package/dist/search-DG603UrT.mjs +9211 -0
package/dist/search-DG603UrT.mjs.map +1 -0
package/dist/seed/index.d.mts +3 -0
package/dist/seed/index.mjs +15 -0
package/dist/seo/index.d.mts +70 -0
package/dist/seo/index.d.mts.map +1 -0
package/dist/seo/index.mjs +70 -0
package/dist/seo/index.mjs.map +1 -0
package/dist/storage/local.d.mts +39 -0
package/dist/storage/local.d.mts.map +1 -0
package/dist/storage/local.mjs +166 -0
package/dist/storage/local.mjs.map +1 -0
package/dist/storage/s3.d.mts +32 -0
package/dist/storage/s3.d.mts.map +1 -0
package/dist/storage/s3.mjs +175 -0
package/dist/storage/s3.mjs.map +1 -0
package/dist/tokens-DpgrkrXK.mjs +171 -0
package/dist/tokens-DpgrkrXK.mjs.map +1 -0
package/dist/transport-BFGblqwG.d.mts +42 -0
package/dist/transport-BFGblqwG.d.mts.map +1 -0
package/dist/transport-yxiQsi8I.mjs +418 -0
package/dist/transport-yxiQsi8I.mjs.map +1 -0
package/dist/types-BRuPJGdV.d.mts +102 -0
package/dist/types-BRuPJGdV.d.mts.map +1 -0
package/dist/types-C4-fAxN3.d.mts +182 -0
package/dist/types-C4-fAxN3.d.mts.map +1 -0
package/dist/types-CMMN0pNg.mjs +31 -0
package/dist/types-CMMN0pNg.mjs.map +1 -0
package/dist/types-CUBbjgmP.mjs +16 -0
package/dist/types-CUBbjgmP.mjs.map +1 -0
package/dist/types-DRjfYOEv.d.mts +426 -0
package/dist/types-DRjfYOEv.d.mts.map +1 -0
package/dist/types-DY5zk5HN.mjs +73 -0
package/dist/types-DY5zk5HN.mjs.map +1 -0
package/dist/types-DaNLHo_T.d.mts +184 -0
package/dist/types-DaNLHo_T.d.mts.map +1 -0
package/dist/types-DvhsUmSJ.d.mts +1111 -0
package/dist/types-DvhsUmSJ.d.mts.map +1 -0
package/dist/validate-CpBtVMsD.d.mts +378 -0
package/dist/validate-CpBtVMsD.d.mts.map +1 -0
package/dist/validate-CqRJb_xU.mjs +97 -0
package/dist/validate-CqRJb_xU.mjs.map +1 -0
package/dist/validate-O7PWmlnq.mjs +328 -0
package/dist/validate-O7PWmlnq.mjs.map +1 -0
package/locals.d.ts +46 -0
package/package.json +233 -19
package/src/api/authorize.ts +63 -0
package/src/api/csrf.ts +48 -0
package/src/api/error.ts +99 -0
package/src/api/errors.ts +445 -0
package/src/api/escape.ts +9 -0
package/src/api/handlers/api-tokens.ts +240 -0
package/src/api/handlers/comments.ts +314 -0
package/src/api/handlers/content.ts +1315 -0
package/src/api/handlers/dashboard.ts +205 -0
package/src/api/handlers/device-flow.ts +684 -0
package/src/api/handlers/index.ts +163 -0
package/src/api/handlers/manifest.ts +158 -0
package/src/api/handlers/marketplace.ts +930 -0
package/src/api/handlers/media.ts +207 -0
package/src/api/handlers/menus.ts +493 -0
package/src/api/handlers/oauth-authorization.ts +429 -0
package/src/api/handlers/oauth-clients.ts +349 -0
package/src/api/handlers/oauth-user-lookup.ts +39 -0
package/src/api/handlers/plugins.ts +254 -0
package/src/api/handlers/redirects.ts +360 -0
package/src/api/handlers/revision.ts +145 -0
package/src/api/handlers/schema.ts +534 -0
package/src/api/handlers/sections.ts +289 -0
package/src/api/handlers/seo.ts +115 -0
package/src/api/handlers/settings.ts +49 -0
package/src/api/handlers/snapshot.ts +350 -0
package/src/api/handlers/taxonomies.ts +523 -0
package/src/api/index.ts +6 -0
package/src/api/openapi/document.ts +2368 -0
package/src/api/openapi/index.ts +1 -0
package/src/api/parse.ts +139 -0
package/src/api/redirect.ts +14 -0
package/src/api/rev.ts +67 -0
package/src/api/schemas/auth.ts +112 -0
package/src/api/schemas/bylines.ts +85 -0
package/src/api/schemas/comments.ts +117 -0
package/src/api/schemas/common.ts +89 -0
package/src/api/schemas/content.ts +191 -0
package/src/api/schemas/import.ts +52 -0
package/src/api/schemas/index.ts +17 -0
package/src/api/schemas/media.ts +116 -0
package/src/api/schemas/menus.ts +111 -0
package/src/api/schemas/redirects.ts +155 -0
package/src/api/schemas/schema.ts +203 -0
package/src/api/schemas/search.ts +63 -0
package/src/api/schemas/sections.ts +67 -0
package/src/api/schemas/settings.ts +63 -0
package/src/api/schemas/setup.ts +37 -0
package/src/api/schemas/taxonomies.ts +113 -0
package/src/api/schemas/users.ts +96 -0
package/src/api/schemas/widgets.ts +80 -0
package/src/api/site-url.ts +25 -0
package/src/api/types.ts +82 -0
package/src/astro/index.ts +27 -0
package/src/astro/integration/index.ts +303 -0
package/src/astro/integration/routes.ts +834 -0
package/src/astro/integration/runtime.ts +338 -0
package/src/astro/integration/virtual-modules.ts +469 -0
package/src/astro/integration/vite-config.ts +335 -0
package/src/astro/middleware/auth.ts +743 -0
package/src/astro/middleware/redirect.ts +89 -0
package/src/astro/middleware/request-context.ts +129 -0
package/src/astro/middleware/setup.ts +89 -0
package/src/astro/middleware.ts +398 -0
package/src/astro/routes/PluginRegistry.tsx +15 -0
package/src/astro/routes/admin.astro +81 -0
package/src/astro/routes/api/admin/allowed-domains/[domain].ts +112 -0
package/src/astro/routes/api/admin/allowed-domains/index.ts +108 -0
package/src/astro/routes/api/admin/api-tokens/[id].ts +40 -0
package/src/astro/routes/api/admin/api-tokens/index.ts +68 -0
package/src/astro/routes/api/admin/bylines/[id]/index.ts +87 -0
package/src/astro/routes/api/admin/bylines/index.ts +72 -0
package/src/astro/routes/api/admin/comments/[id]/status.ts +116 -0
package/src/astro/routes/api/admin/comments/[id].ts +64 -0
package/src/astro/routes/api/admin/comments/bulk.ts +42 -0
package/src/astro/routes/api/admin/comments/counts.ts +30 -0
package/src/astro/routes/api/admin/comments/index.ts +46 -0
package/src/astro/routes/api/admin/hooks/exclusive/[hookName].ts +91 -0
package/src/astro/routes/api/admin/hooks/exclusive/index.ts +51 -0
package/src/astro/routes/api/admin/oauth-clients/[id].ts +110 -0
package/src/astro/routes/api/admin/oauth-clients/index.ts +71 -0
package/src/astro/routes/api/admin/plugins/[id]/disable.ts +39 -0
package/src/astro/routes/api/admin/plugins/[id]/enable.ts +39 -0
package/src/astro/routes/api/admin/plugins/[id]/index.ts +38 -0
package/src/astro/routes/api/admin/plugins/[id]/uninstall.ts +48 -0
package/src/astro/routes/api/admin/plugins/[id]/update.ts +59 -0
package/src/astro/routes/api/admin/plugins/index.ts +32 -0
package/src/astro/routes/api/admin/plugins/marketplace/[id]/icon.ts +61 -0
package/src/astro/routes/api/admin/plugins/marketplace/[id]/index.ts +33 -0
package/src/astro/routes/api/admin/plugins/marketplace/[id]/install.ts +62 -0
package/src/astro/routes/api/admin/plugins/marketplace/index.ts +38 -0
package/src/astro/routes/api/admin/plugins/updates.ts +28 -0
package/src/astro/routes/api/admin/themes/marketplace/[id]/index.ts +33 -0
package/src/astro/routes/api/admin/themes/marketplace/[id]/thumbnail.ts +61 -0
package/src/astro/routes/api/admin/themes/marketplace/index.ts +45 -0
package/src/astro/routes/api/admin/users/[id]/disable.ts +69 -0
package/src/astro/routes/api/admin/users/[id]/enable.ts +48 -0
package/src/astro/routes/api/admin/users/[id]/index.ts +146 -0
package/src/astro/routes/api/admin/users/[id]/send-recovery.ts +72 -0
package/src/astro/routes/api/admin/users/index.ts +66 -0
package/src/astro/routes/api/auth/dev-bypass.ts +139 -0
package/src/astro/routes/api/auth/invite/accept.ts +52 -0
package/src/astro/routes/api/auth/invite/complete.ts +84 -0
package/src/astro/routes/api/auth/invite/index.ts +99 -0
package/src/astro/routes/api/auth/logout.ts +40 -0
package/src/astro/routes/api/auth/magic-link/send.ts +89 -0
package/src/astro/routes/api/auth/magic-link/verify.ts +71 -0
package/src/astro/routes/api/auth/me.ts +60 -0
package/src/astro/routes/api/auth/oauth/[provider]/callback.ts +219 -0
package/src/astro/routes/api/auth/oauth/[provider].ts +119 -0
package/src/astro/routes/api/auth/passkey/[id].ts +124 -0
package/src/astro/routes/api/auth/passkey/index.ts +54 -0
package/src/astro/routes/api/auth/passkey/options.ts +82 -0
package/src/astro/routes/api/auth/passkey/register/options.ts +86 -0
package/src/astro/routes/api/auth/passkey/register/verify.ts +115 -0
package/src/astro/routes/api/auth/passkey/verify.ts +66 -0
package/src/astro/routes/api/auth/signup/complete.ts +85 -0
package/src/astro/routes/api/auth/signup/request.ts +77 -0
package/src/astro/routes/api/auth/signup/verify.ts +53 -0
package/src/astro/routes/api/comments/[collection]/[contentId]/index.ts +312 -0
package/src/astro/routes/api/content/[collection]/[id]/compare.ts +28 -0
package/src/astro/routes/api/content/[collection]/[id]/discard-draft.ts +54 -0
package/src/astro/routes/api/content/[collection]/[id]/duplicate.ts +61 -0
package/src/astro/routes/api/content/[collection]/[id]/permanent.ts +33 -0
package/src/astro/routes/api/content/[collection]/[id]/preview-url.ts +107 -0
package/src/astro/routes/api/content/[collection]/[id]/publish.ts +56 -0
package/src/astro/routes/api/content/[collection]/[id]/restore.ts +54 -0
package/src/astro/routes/api/content/[collection]/[id]/revisions.ts +31 -0
package/src/astro/routes/api/content/[collection]/[id]/schedule.ts +101 -0
package/src/astro/routes/api/content/[collection]/[id]/terms/[taxonomy].ts +140 -0
package/src/astro/routes/api/content/[collection]/[id]/translations.ts +30 -0
package/src/astro/routes/api/content/[collection]/[id]/unpublish.ts +56 -0
package/src/astro/routes/api/content/[collection]/[id].ts +137 -0
package/src/astro/routes/api/content/[collection]/index.ts +59 -0
package/src/astro/routes/api/content/[collection]/trash.ts +33 -0
package/src/astro/routes/api/dashboard.ts +32 -0
package/src/astro/routes/api/dev/emails.ts +36 -0
package/src/astro/routes/api/import/probe.ts +47 -0
package/src/astro/routes/api/import/wordpress/analyze.ts +510 -0
package/src/astro/routes/api/import/wordpress/execute.ts +283 -0
package/src/astro/routes/api/import/wordpress/media.ts +338 -0
package/src/astro/routes/api/import/wordpress/prepare.ts +181 -0
package/src/astro/routes/api/import/wordpress/rewrite-urls.ts +393 -0
package/src/astro/routes/api/import/wordpress-plugin/analyze.ts +111 -0
package/src/astro/routes/api/import/wordpress-plugin/callback.ts +58 -0
package/src/astro/routes/api/import/wordpress-plugin/execute.ts +347 -0
package/src/astro/routes/api/manifest.ts +62 -0
package/src/astro/routes/api/mcp.ts +124 -0
package/src/astro/routes/api/media/[id]/confirm.ts +93 -0
package/src/astro/routes/api/media/[id].ts +145 -0
package/src/astro/routes/api/media/file/[key].ts +79 -0
package/src/astro/routes/api/media/providers/[providerId]/[itemId].ts +86 -0
package/src/astro/routes/api/media/providers/[providerId]/index.ts +111 -0
package/src/astro/routes/api/media/providers/index.ts +30 -0
package/src/astro/routes/api/media/upload-url.ts +137 -0
package/src/astro/routes/api/media.ts +190 -0
package/src/astro/routes/api/menus/[name]/items.ts +87 -0
package/src/astro/routes/api/menus/[name]/reorder.ts +33 -0
package/src/astro/routes/api/menus/[name].ts +65 -0
package/src/astro/routes/api/menus/index.ts +47 -0
package/src/astro/routes/api/oauth/authorize.ts +412 -0
package/src/astro/routes/api/oauth/device/authorize.ts +45 -0
package/src/astro/routes/api/oauth/device/code.ts +51 -0
package/src/astro/routes/api/oauth/device/token.ts +69 -0
package/src/astro/routes/api/oauth/token/refresh.ts +38 -0
package/src/astro/routes/api/oauth/token/revoke.ts +38 -0
package/src/astro/routes/api/oauth/token.ts +184 -0
package/src/astro/routes/api/openapi.json.ts +32 -0
package/src/astro/routes/api/plugins/[pluginId]/[...path].ts +92 -0
package/src/astro/routes/api/redirects/404s/index.ts +72 -0
package/src/astro/routes/api/redirects/404s/summary.ts +33 -0
package/src/astro/routes/api/redirects/[id].ts +84 -0
package/src/astro/routes/api/redirects/index.ts +52 -0
package/src/astro/routes/api/revisions/[revisionId]/index.ts +29 -0
package/src/astro/routes/api/revisions/[revisionId]/restore.ts +58 -0
package/src/astro/routes/api/schema/collections/[slug]/fields/[fieldSlug].ts +76 -0
package/src/astro/routes/api/schema/collections/[slug]/fields/index.ts +52 -0
package/src/astro/routes/api/schema/collections/[slug]/fields/reorder.ts +32 -0
package/src/astro/routes/api/schema/collections/[slug]/index.ts +80 -0
package/src/astro/routes/api/schema/collections/index.ts +47 -0
package/src/astro/routes/api/schema/index.ts +109 -0
package/src/astro/routes/api/schema/orphans/[slug].ts +36 -0
package/src/astro/routes/api/schema/orphans/index.ts +26 -0
package/src/astro/routes/api/search/enable.ts +64 -0
package/src/astro/routes/api/search/index.ts +55 -0
package/src/astro/routes/api/search/rebuild.ts +72 -0
package/src/astro/routes/api/search/stats.ts +35 -0
package/src/astro/routes/api/search/suggest.ts +53 -0
package/src/astro/routes/api/sections/[slug].ts +84 -0
package/src/astro/routes/api/sections/index.ts +52 -0
package/src/astro/routes/api/settings/email.ts +150 -0
package/src/astro/routes/api/settings.ts +67 -0
package/src/astro/routes/api/setup/admin-verify.ts +100 -0
package/src/astro/routes/api/setup/admin.ts +94 -0
package/src/astro/routes/api/setup/dev-bypass.ts +199 -0
package/src/astro/routes/api/setup/dev-reset.ts +40 -0
package/src/astro/routes/api/setup/index.ts +126 -0
package/src/astro/routes/api/setup/status.ts +122 -0
package/src/astro/routes/api/snapshot.ts +75 -0
package/src/astro/routes/api/taxonomies/[name]/terms/[slug].ts +95 -0
package/src/astro/routes/api/taxonomies/[name]/terms/index.ts +69 -0
package/src/astro/routes/api/taxonomies/index.ts +59 -0
package/src/astro/routes/api/themes/preview.ts +77 -0
package/src/astro/routes/api/typegen.ts +114 -0
package/src/astro/routes/api/well-known/auth.ts +68 -0
package/src/astro/routes/api/well-known/oauth-authorization-server.ts +44 -0
package/src/astro/routes/api/well-known/oauth-protected-resource.ts +37 -0
package/src/astro/routes/api/widget-areas/[name]/reorder.ts +68 -0
package/src/astro/routes/api/widget-areas/[name]/widgets/[id].ts +127 -0
package/src/astro/routes/api/widget-areas/[name]/widgets.ts +80 -0
package/src/astro/routes/api/widget-areas/[name].ts +87 -0
package/src/astro/routes/api/widget-areas/index.ts +99 -0
package/src/astro/routes/api/widget-components.ts +22 -0
package/src/astro/routes/robots.txt.ts +77 -0
package/src/astro/routes/sitemap.xml.ts +97 -0
package/src/astro/storage/adapters.ts +74 -0
package/src/astro/storage/index.ts +19 -0
package/src/astro/storage/types.ts +60 -0
package/src/astro/types.ts +346 -0
package/src/auth/api-tokens.ts +25 -0
package/src/auth/challenge-store.ts +80 -0
package/src/auth/mode.ts +96 -0
package/src/auth/oauth-state-store.ts +96 -0
package/src/auth/passkey-config.ts +27 -0
package/src/auth/rate-limit.ts +158 -0
package/src/auth/scopes.ts +33 -0
package/src/auth/types.ts +104 -0
package/src/aws-sdk.d.ts +100 -0
package/src/bylines/index.ts +237 -0
package/src/cleanup.ts +153 -0
package/src/cli/client-factory.ts +100 -0
package/src/cli/commands/auth.ts +46 -0
package/src/cli/commands/bundle-utils.ts +247 -0
package/src/cli/commands/bundle.ts +609 -0
package/src/cli/commands/content.ts +442 -0
package/src/cli/commands/dev.ts +191 -0
package/src/cli/commands/doctor.ts +211 -0
package/src/cli/commands/export-seed.ts +630 -0
package/src/cli/commands/import/wordpress.ts +1056 -0
package/src/cli/commands/init.ts +192 -0
package/src/cli/commands/login.ts +547 -0
package/src/cli/commands/media.ts +165 -0
package/src/cli/commands/menu.ts +67 -0
package/src/cli/commands/plugin-init.ts +291 -0
package/src/cli/commands/plugin-validate.ts +31 -0
package/src/cli/commands/plugin.ts +33 -0
package/src/cli/commands/publish.ts +697 -0
package/src/cli/commands/schema.ts +233 -0
package/src/cli/commands/search-cmd.ts +54 -0
package/src/cli/commands/seed.ts +286 -0
package/src/cli/commands/taxonomy.ts +128 -0
package/src/cli/commands/types.ts +68 -0
package/src/cli/credentials.ts +236 -0
package/src/cli/index.ts +70 -0
package/src/cli/output.ts +75 -0
package/src/cli/wxr/parser.ts +969 -0
package/src/client/cf-access.ts +193 -0
package/src/client/index.ts +854 -0
package/src/client/portable-text.ts +413 -0
package/src/client/transport.ts +200 -0
package/src/comments/moderator.ts +46 -0
package/src/comments/notifications.ts +144 -0
package/src/comments/query.ts +105 -0
package/src/comments/service.ts +213 -0
package/src/components/Break.astro +45 -0
package/src/components/Button.astro +71 -0
package/src/components/Buttons.astro +49 -0
package/src/components/Code.astro +59 -0
package/src/components/Columns.astro +59 -0
package/src/components/CommentForm.astro +315 -0
package/src/components/Comments.astro +232 -0
package/src/components/Cover.astro +128 -0
package/src/components/EmDashBodyEnd.astro +32 -0
package/src/components/EmDashBodyStart.astro +32 -0
package/src/components/EmDashHead.astro +53 -0
package/src/components/EmDashImage.astro +178 -0
package/src/components/EmDashMedia.astro +167 -0
package/src/components/Embed.astro +128 -0
package/src/components/File.astro +122 -0
package/src/components/Gallery.astro +93 -0
package/src/components/HtmlBlock.astro +33 -0
package/src/components/Image.astro +178 -0
package/src/components/InlineEditor.astro +27 -0
package/src/components/InlinePortableTextEditor.tsx +1905 -0
package/src/components/LiveSearch.astro +614 -0
package/src/components/PortableText.astro +51 -0
package/src/components/Pullquote.astro +51 -0
package/src/components/Table.astro +108 -0
package/src/components/WidgetArea.astro +22 -0
package/src/components/WidgetRenderer.astro +72 -0
package/src/components/index.ts +116 -0
package/src/components/marks/Link.astro +31 -0
package/src/components/marks/StrikeThrough.astro +7 -0
package/src/components/marks/Subscript.astro +7 -0
package/src/components/marks/Superscript.astro +7 -0
package/src/components/marks/Underline.astro +7 -0
package/src/components/widgets/Archives.astro +65 -0
package/src/components/widgets/Categories.astro +35 -0
package/src/components/widgets/RecentPosts.astro +51 -0
package/src/components/widgets/Search.astro +18 -0
package/src/components/widgets/Tags.astro +38 -0
package/src/content/converters/index.ts +9 -0
package/src/content/converters/portable-text-to-prosemirror.ts +385 -0
package/src/content/converters/prosemirror-to-portable-text.ts +413 -0
package/src/content/converters/types.ts +120 -0
package/src/content/index.ts +5 -0
package/src/database/connection.ts +67 -0
package/src/database/dialect-helpers.ts +138 -0
package/src/database/index.ts +5 -0
package/src/database/migrations/001_initial.ts +170 -0
package/src/database/migrations/002_media_status.ts +26 -0
package/src/database/migrations/003_schema_registry.ts +79 -0
package/src/database/migrations/004_plugins.ts +62 -0
package/src/database/migrations/005_menus.ts +67 -0
package/src/database/migrations/006_taxonomy_defs.ts +51 -0
package/src/database/migrations/007_widgets.ts +42 -0
package/src/database/migrations/008_auth.ts +194 -0
package/src/database/migrations/009_user_disabled.ts +27 -0
package/src/database/migrations/011_sections.ts +65 -0
package/src/database/migrations/012_search.ts +25 -0
package/src/database/migrations/013_scheduled_publishing.ts +51 -0
package/src/database/migrations/014_draft_revisions.ts +72 -0
package/src/database/migrations/015_indexes.ts +82 -0
package/src/database/migrations/016_api_tokens.ts +89 -0
package/src/database/migrations/017_authorization_codes.ts +45 -0
package/src/database/migrations/018_seo.ts +56 -0
package/src/database/migrations/019_i18n.ts +618 -0
package/src/database/migrations/020_collection_url_pattern.ts +23 -0
package/src/database/migrations/021_remove_section_categories.ts +43 -0
package/src/database/migrations/022_marketplace_plugin_state.ts +46 -0
package/src/database/migrations/023_plugin_metadata.ts +33 -0
package/src/database/migrations/024_media_placeholders.ts +32 -0
package/src/database/migrations/025_oauth_clients.ts +28 -0
package/src/database/migrations/026_cron_tasks.ts +49 -0
package/src/database/migrations/027_comments.ts +87 -0
package/src/database/migrations/028_drop_author_url.ts +9 -0
package/src/database/migrations/029_redirects.ts +67 -0
package/src/database/migrations/030_widen_scheduled_index.ts +48 -0
package/src/database/migrations/031_bylines.ts +90 -0
package/src/database/migrations/032_rate_limits.ts +39 -0
package/src/database/migrations/runner.ts +170 -0
package/src/database/repositories/audit.ts +294 -0
package/src/database/repositories/byline.ts +387 -0
package/src/database/repositories/comment.ts +458 -0
package/src/database/repositories/content.ts +1144 -0
package/src/database/repositories/index.ts +30 -0
package/src/database/repositories/media.ts +347 -0
package/src/database/repositories/options.ts +150 -0
package/src/database/repositories/plugin-storage.ts +373 -0
package/src/database/repositories/redirect.ts +480 -0
package/src/database/repositories/revision.ts +200 -0
package/src/database/repositories/seo.ts +176 -0
package/src/database/repositories/taxonomy.ts +294 -0
package/src/database/repositories/types.ts +132 -0
package/src/database/repositories/user.ts +258 -0
package/src/database/transaction.ts +54 -0
package/src/database/types.ts +501 -0
package/src/database/validate.ts +138 -0
package/src/db/adapters.ts +125 -0
package/src/db/index.ts +37 -0
package/src/db/libsql.ts +23 -0
package/src/db/postgres.ts +30 -0
package/src/db/sqlite.ts +27 -0
package/src/emdash-runtime.ts +2096 -0
package/src/fields/boolean.ts +34 -0
package/src/fields/datetime.ts +44 -0
package/src/fields/file.ts +41 -0
package/src/fields/image.ts +34 -0
package/src/fields/index.ts +42 -0
package/src/fields/integer.ts +50 -0
package/src/fields/json.ts +37 -0
package/src/fields/multiselect.ts +48 -0
package/src/fields/number.ts +52 -0
package/src/fields/portable-text.ts +33 -0
package/src/fields/reference.ts +29 -0
package/src/fields/richtext.ts +31 -0
package/src/fields/select.ts +46 -0
package/src/fields/slug.ts +38 -0
package/src/fields/text.ts +55 -0
package/src/fields/textarea.ts +52 -0
package/src/fields/types.ts +64 -0
package/src/i18n/config.ts +68 -0
package/src/import/index.ts +90 -0
package/src/import/menus.ts +436 -0
package/src/import/registry.ts +111 -0
package/src/import/sections.ts +103 -0
package/src/import/settings.ts +281 -0
package/src/import/sources/wordpress-plugin.ts +641 -0
package/src/import/sources/wordpress-rest.ts +191 -0
package/src/import/sources/wxr.ts +330 -0
package/src/import/ssrf.ts +260 -0
package/src/import/types.ts +418 -0
package/src/import/utils.ts +412 -0
package/src/index.ts +481 -0
package/src/loader.ts +770 -0
package/src/mcp/server.ts +1463 -0
package/src/media/index.ts +32 -0
package/src/media/local-runtime.ts +213 -0
package/src/media/local.ts +46 -0
package/src/media/normalize.ts +190 -0
package/src/media/placeholder.ts +150 -0
package/src/media/provider-loader.ts +78 -0
package/src/media/types.ts +279 -0
package/src/menus/index.ts +324 -0
package/src/menus/types.ts +112 -0
package/src/page/context.ts +93 -0
package/src/page/fragments.ts +89 -0
package/src/page/index.ts +58 -0
package/src/page/jsonld.ts +94 -0
package/src/page/metadata.ts +185 -0
package/src/page/seo-contributions.ts +136 -0
package/src/plugin-utils.ts +80 -0
package/src/plugins/adapt-sandbox-entry.ts +207 -0
package/src/plugins/context.ts +833 -0
package/src/plugins/cron.ts +361 -0
package/src/plugins/define-plugin.ts +259 -0
package/src/plugins/email-console.ts +73 -0
package/src/plugins/email.ts +209 -0
package/src/plugins/hooks.ts +1273 -0
package/src/plugins/index.ts +193 -0
package/src/plugins/manager.ts +595 -0
package/src/plugins/manifest-schema.ts +230 -0
package/src/plugins/marketplace.ts +460 -0
package/src/plugins/request-meta.ts +139 -0
package/src/plugins/routes.ts +302 -0
package/src/plugins/sandbox/index.ts +18 -0
package/src/plugins/sandbox/noop.ts +76 -0
package/src/plugins/sandbox/types.ts +173 -0
package/src/plugins/scheduler/node.ts +122 -0
package/src/plugins/scheduler/piggyback.ts +71 -0
package/src/plugins/scheduler/types.ts +27 -0
package/src/plugins/state.ts +208 -0
package/src/plugins/storage-indexes.ts +326 -0
package/src/plugins/storage-query.ts +240 -0
package/src/plugins/types.ts +1284 -0
package/src/preview/helpers.ts +27 -0
package/src/preview/index.ts +40 -0
package/src/preview/tokens.ts +279 -0
package/src/preview/urls.ts +118 -0
package/src/query.ts +674 -0
package/src/redirects/patterns.ts +224 -0
package/src/request-context.ts +67 -0
package/src/runtime.ts +21 -0
package/src/schema/index.ts +29 -0
package/src/schema/query.ts +44 -0
package/src/schema/registry.ts +965 -0
package/src/schema/types.ts +276 -0
package/src/schema/zod-generator.ts +413 -0
package/src/search/fts-manager.ts +452 -0
package/src/search/index.ts +26 -0
package/src/search/query.ts +396 -0
package/src/search/text-extraction.ts +162 -0
package/src/search/types.ts +114 -0
package/src/sections/index.ts +226 -0
package/src/sections/types.ts +86 -0
package/src/seed/apply.ts +1141 -0
package/src/seed/default.ts +86 -0
package/src/seed/index.ts +28 -0
package/src/seed/load.ts +35 -0
package/src/seed/types.ts +341 -0
package/src/seed/validate.ts +642 -0
package/src/seo/index.ts +179 -0
package/src/settings/index.ts +203 -0
package/src/settings/types.ts +58 -0
package/src/storage/index.ts +28 -0
package/src/storage/local.ts +249 -0
package/src/storage/s3.ts +263 -0
package/src/storage/types.ts +204 -0
package/src/taxonomies/index.ts +309 -0
package/src/taxonomies/types.ts +61 -0
package/src/ui.ts +75 -0
package/src/utils/base64.ts +73 -0
package/src/utils/hash.ts +36 -0
package/src/utils/sanitize.ts +20 -0
package/src/utils/slugify.ts +29 -0
package/src/utils/url.ts +48 -0
package/src/virtual-modules.d.ts +111 -0
package/src/visual-editing/editable.ts +108 -0
package/src/visual-editing/toolbar.ts +1229 -0
package/src/widgets/components.ts +105 -0
package/src/widgets/index.ts +131 -0
package/src/widgets/types.ts +81 -0

package/src/astro/middleware/auth.ts ADDED Viewed

@@ -0,0 +1,743 @@
+/**
+ * Auth middleware for admin routes
+ *
+ * Checks if the user is authenticated and has appropriate permissions.
+ * Supports two auth modes:
+ * - Passkey (default): Session-based auth with passkey login
+ * - External providers: JWT-based auth (Cloudflare Access, etc.)
+ *
+ * This middleware runs AFTER the setup middleware - so if we get here,
+ * we know setup is complete and users exist.
+ */
+import type { User, RoleLevel } from "@emdash-cms/auth";
+import { createKyselyAdapter } from "@emdash-cms/auth/adapters/kysely";
+import { defineMiddleware } from "astro:middleware";
+import { ulid } from "ulidx";
+// Import auth provider via virtual module (statically bundled)
+// This avoids dynamic import issues in Cloudflare Workers
+import { authenticate as virtualAuthenticate } from "virtual:emdash/auth";
+import { checkPublicCsrf } from "../../api/csrf.js";
+import { apiError } from "../../api/error.js";
+/** Cache headers for middleware error responses (matches API_CACHE_HEADERS in api/error.ts) */
+const MW_CACHE_HEADERS = {
+	"Cache-Control": "private, no-store",
+} as const;
+import { resolveApiToken, resolveOAuthToken } from "../../api/handlers/api-tokens.js";
+import { hasScope } from "../../auth/api-tokens.js";
+import { getAuthMode, type ExternalAuthMode } from "../../auth/mode.js";
+import type { ExternalAuthConfig } from "../../auth/types.js";
+import type { EmDashHandlers, EmDashManifest } from "../types.js";
+declare global {
+	namespace App {
+		interface Locals {
+			user?: User;
+			/** Token scopes when authenticated via API token or OAuth token. Undefined for session auth. */
+			tokenScopes?: string[];
+			emdash?: EmDashHandlers;
+			emdashManifest?: EmDashManifest;
+		}
+		interface SessionData {
+			user: { id: string };
+			hasSeenWelcome: boolean;
+		}
+	}
+}
+// Role level constants (matching @emdash-cms/auth)
+const ROLE_ADMIN = 50;
+/**
+ * Strict Content-Security-Policy for /_emdash routes (admin + API).
+ *
+ * Applied via middleware header rather than Astro's built-in CSP because
+ * Astro's auto-hashing defeats 'unsafe-inline' (CSP3 ignores 'unsafe-inline'
+ * when hashes are present), which would break user-facing pages.
+ */
+function buildEmDashCsp(marketplaceUrl?: string): string {
+	const imgSources = ["'self'", "data:", "blob:"];
+	if (marketplaceUrl) {
+		try {
+			imgSources.push(new URL(marketplaceUrl).origin);
+		} catch {
+			// ignore invalid marketplace URL
+		}
+	}
+	return [
+		"default-src 'self'",
+		"script-src 'self' 'unsafe-inline'",
+		"style-src 'self' 'unsafe-inline'",
+		"connect-src 'self'",
+		"form-action 'self'",
+		"frame-ancestors 'none'",
+		`img-src ${imgSources.join(" ")}`,
+		"object-src 'none'",
+		"base-uri 'self'",
+	].join("; ");
+}
+/**
+ * API routes that skip auth — each handles its own access control.
+ *
+ * Prefix entries match any path starting with that prefix.
+ * Exact entries (no trailing slash or wildcard) match that path only.
+ */
+const PUBLIC_API_PREFIXES = [
+	"/_emdash/api/setup",
+	"/_emdash/api/auth/login",
+	"/_emdash/api/auth/register",
+	"/_emdash/api/auth/dev-bypass",
+	"/_emdash/api/auth/signup/",
+	"/_emdash/api/auth/magic-link/",
+	"/_emdash/api/auth/invite/accept",
+	"/_emdash/api/auth/invite/complete",
+	"/_emdash/api/auth/oauth/",
+	"/_emdash/api/oauth/device/token",
+	"/_emdash/api/oauth/device/code",
+	"/_emdash/api/oauth/token",
+	"/_emdash/api/comments/",
+	"/_emdash/api/media/file/",
+	"/_emdash/.well-known/",
+];
+const PUBLIC_API_EXACT = new Set([
+	"/_emdash/api/auth/passkey/options",
+	"/_emdash/api/auth/passkey/verify",
+	"/_emdash/api/oauth/token",
+	"/_emdash/api/snapshot",
+]);
+function isPublicEmDashRoute(pathname: string): boolean {
+	if (PUBLIC_API_EXACT.has(pathname)) return true;
+	if (PUBLIC_API_PREFIXES.some((p) => pathname.startsWith(p))) return true;
+	if (import.meta.env.DEV && pathname === "/_emdash/api/typegen") return true;
+	return false;
+}
+export const onRequest = defineMiddleware(async (context, next) => {
+	const { url } = context;
+	// Only check auth on admin routes and API routes
+	const isAdminRoute = url.pathname.startsWith("/_emdash/admin");
+	const isSetupRoute = url.pathname.startsWith("/_emdash/admin/setup");
+	const isApiRoute = url.pathname.startsWith("/_emdash/api");
+	const isPublicApiRoute = isPublicEmDashRoute(url.pathname);
+	const isPublicRoute = !isAdminRoute && !isApiRoute;
+	// Public API routes skip auth but still need CSRF protection on state-changing methods.
+	// We check Origin header against the request host (same approach as Astro's checkOrigin).
+	// This prevents cross-origin form submissions and fetch requests from malicious sites.
+	if (isPublicApiRoute) {
+		const method = context.request.method.toUpperCase();
+		if (method !== "GET" && method !== "HEAD" && method !== "OPTIONS") {
+			const csrfError = checkPublicCsrf(context.request, url);
+			if (csrfError) return csrfError;
+		}
+		return next();
+	}
+	// Plugin routes: soft auth (resolve user if credentials present, but never block).
+	// The catch-all handler decides per-route whether auth is required (public vs private).
+	// Public plugin routes that accept POST are vulnerable to cross-origin form submissions,
+	// so we apply the same Origin-based CSRF check as other public routes.
+	const isPluginRoute = url.pathname.startsWith("/_emdash/api/plugins/");
+	if (isPluginRoute) {
+		const method = context.request.method.toUpperCase();
+		if (method !== "GET" && method !== "HEAD" && method !== "OPTIONS") {
+			const csrfError = checkPublicCsrf(context.request, url);
+			if (csrfError) return csrfError;
+		}
+		return handlePluginRouteAuth(context, next);
+	}
+	// Setup routes: skip auth but still enforce CSRF on state-changing methods
+	if (isSetupRoute) {
+		const method = context.request.method.toUpperCase();
+		if (method !== "GET" && method !== "HEAD" && method !== "OPTIONS") {
+			const csrfHeader = context.request.headers.get("X-EmDash-Request");
+			if (csrfHeader !== "1") {
+				return new Response(
+					JSON.stringify({
+						error: { code: "CSRF_REJECTED", message: "Missing required header" },
+					}),
+					{
+						status: 403,
+						headers: { "Content-Type": "application/json", ...MW_CACHE_HEADERS },
+					},
+				);
+			}
+		}
+		return next();
+	}
+	// For public routes: soft auth check (set locals.user if session exists, but never block)
+	if (isPublicRoute) {
+		return handlePublicRouteAuth(context, next);
+	}
+	// --- Everything below is /_emdash (admin + API) ---
+	// Try Bearer token auth first (API tokens and OAuth tokens).
+	// If successful, skip CSRF (tokens aren't ambient credentials like cookies).
+	const bearerResult = await handleBearerAuth(context);
+	if (bearerResult === "invalid") {
+		const headers: Record<string, string> = {
+			"Content-Type": "application/json",
+			...MW_CACHE_HEADERS,
+		};
+		// Add WWW-Authenticate header on MCP endpoint 401s to trigger OAuth discovery
+		if (url.pathname === "/_emdash/api/mcp") {
+			headers["WWW-Authenticate"] =
+				`Bearer resource_metadata="${url.origin}/.well-known/oauth-protected-resource"`;
+		}
+		return new Response(
+			JSON.stringify({ error: { code: "INVALID_TOKEN", message: "Invalid or expired token" } }),
+			{ status: 401, headers },
+		);
+	}
+	const isTokenAuth = bearerResult === "authenticated";
+	// CSRF protection: require X-EmDash-Request header on state-changing requests.
+	// Skip for token-authenticated requests (tokens aren't ambient credentials).
+	// Browsers block cross-origin custom headers, so this prevents CSRF without tokens.
+	// OAuth authorize consent is exempt: it's a standard HTML form POST that can't
+	// include custom headers. The consent flow is protected by session + single-use codes.
+	const method = context.request.method.toUpperCase();
+	const isOAuthConsent = url.pathname.startsWith("/_emdash/oauth/authorize");
+	if (
+		isApiRoute &&
+		!isTokenAuth &&
+		!isOAuthConsent &&
+		method !== "GET" &&
+		method !== "HEAD" &&
+		method !== "OPTIONS" &&
+		!isPublicApiRoute
+	) {
+		const csrfHeader = context.request.headers.get("X-EmDash-Request");
+		if (csrfHeader !== "1") {
+			return new Response(
+				JSON.stringify({ error: { code: "CSRF_REJECTED", message: "Missing required header" } }),
+				{
+					status: 403,
+					headers: { "Content-Type": "application/json", ...MW_CACHE_HEADERS },
+				},
+			);
+		}
+	}
+	// If already authenticated via Bearer token, enforce scope then skip session/external auth
+	if (isTokenAuth) {
+		// Enforce API token scopes based on URL pattern + HTTP method
+		const scopeError = enforceTokenScope(url.pathname, method, context.locals.tokenScopes);
+		if (scopeError) return scopeError;
+		const response = await next();
+		if (!import.meta.env.DEV) {
+			const marketplaceUrl = context.locals.emdash?.config.marketplace;
+			response.headers.set("Content-Security-Policy", buildEmDashCsp(marketplaceUrl));
+		}
+		return response;
+	}
+	const response = await handleEmDashAuth(context, next);
+	// Set strict CSP on all /_emdash responses (prod only)
+	if (!import.meta.env.DEV) {
+		const marketplaceUrl = context.locals.emdash?.config.marketplace;
+		response.headers.set("Content-Security-Policy", buildEmDashCsp(marketplaceUrl));
+	}
+	return response;
+});
+/**
+ * Auth handling for /_emdash routes. Returns a Response from either
+ * an auth error/redirect or the downstream route handler.
+ */
+async function handleEmDashAuth(
+	context: Parameters<Parameters<typeof defineMiddleware>[0]>[0],
+	next: Parameters<Parameters<typeof defineMiddleware>[0]>[1],
+): Promise<Response> {
+	const { url, locals } = context;
+	const { emdash } = locals;
+	const isLoginRoute = url.pathname.startsWith("/_emdash/admin/login");
+	const isApiRoute = url.pathname.startsWith("/_emdash/api");
+	if (!emdash?.db) {
+		// No database - let the admin handle this error
+		return next();
+	}
+	// Determine auth mode from config
+	const authMode = getAuthMode(emdash.config);
+	if (authMode.type === "external") {
+		// In dev mode, fall back to passkey auth since external JWT won't be present
+		if (import.meta.env.DEV) {
+			if (isLoginRoute) {
+				return next();
+			}
+			return handlePasskeyAuth(context, next, isApiRoute);
+		}
+		// External auth provider (Cloudflare Access, etc.)
+		return handleExternalAuth(context, next, authMode, isApiRoute);
+	}
+	// Passkey authentication (default)
+	if (isLoginRoute) {
+		return next();
+	}
+	return handlePasskeyAuth(context, next, isApiRoute);
+}
+/**
+ * Soft auth for plugin routes: resolve user from Bearer token or session if present,
+ * but never block unauthenticated requests. The catch-all handler checks route
+ * metadata to decide whether auth is required (public vs private routes).
+ */
+async function handlePluginRouteAuth(
+	context: Parameters<Parameters<typeof defineMiddleware>[0]>[0],
+	next: Parameters<Parameters<typeof defineMiddleware>[0]>[1],
+): Promise<Response> {
+	const { locals } = context;
+	const { emdash } = locals;
+	try {
+		// Try Bearer token auth first (API tokens and OAuth tokens)
+		const bearerResult = await handleBearerAuth(context);
+		if (bearerResult === "authenticated") {
+			// User and tokenScopes are set on locals by handleBearerAuth
+			return next();
+		}
+		if (bearerResult === "invalid") {
+			// A token was presented but is invalid/expired — return 401 so the
+			// caller knows their token is bad (don't silently downgrade to no-auth).
+			return new Response(
+				JSON.stringify({ error: { code: "INVALID_TOKEN", message: "Invalid or expired token" } }),
+				{
+					status: 401,
+					headers: { "Content-Type": "application/json", ...MW_CACHE_HEADERS },
+				},
+			);
+		}
+		// "none" — no token presented, try session auth below.
+	} catch (error) {
+		console.error("Plugin route bearer auth error:", error);
+	}
+	try {
+		// Try session auth (sets locals.user if session exists)
+		const { session } = context;
+		const sessionUser = await session?.get("user");
+		if (sessionUser?.id && emdash?.db) {
+			const adapter = createKyselyAdapter(emdash.db);
+			const user = await adapter.getUserById(sessionUser.id);
+			if (user && !user.disabled) {
+				locals.user = user;
+			}
+		}
+	} catch (error) {
+		// Log but don't block — public routes should still work without session
+		console.error("Plugin route session auth error:", error);
+	}
+	return next();
+}
+/**
+ * Soft auth check for public routes with edit mode cookie.
+ * Checks the session and sets locals.user if valid, but never blocks the request.
+ */
+async function handlePublicRouteAuth(
+	context: Parameters<Parameters<typeof defineMiddleware>[0]>[0],
+	next: Parameters<Parameters<typeof defineMiddleware>[0]>[1],
+): Promise<Response> {
+	const { locals, session } = context;
+	const { emdash } = locals;
+	try {
+		const sessionUser = await session?.get("user");
+		if (sessionUser?.id && emdash?.db) {
+			const adapter = createKyselyAdapter(emdash.db);
+			const user = await adapter.getUserById(sessionUser.id);
+			if (user && !user.disabled) {
+				locals.user = user;
+			}
+		}
+	} catch {
+		// Silently continue — public page should render normally
+	}
+	return next();
+}
+/**
+ * Handle external auth provider authentication (Cloudflare Access, etc.)
+ */
+async function handleExternalAuth(
+	context: Parameters<Parameters<typeof defineMiddleware>[0]>[0],
+	next: Parameters<Parameters<typeof defineMiddleware>[0]>[1],
+	authMode: ExternalAuthMode,
+	_isApiRoute: boolean,
+): Promise<Response> {
+	const { locals, request } = context;
+	const { emdash } = locals;
+	try {
+		// Use the authenticate function from the virtual module
+		// (statically imported at build time to work with Cloudflare Workers)
+		if (typeof virtualAuthenticate !== "function") {
+			throw new Error(
+				`Auth provider ${authMode.entrypoint} does not export an authenticate function`,
+			);
+		}
+		// Authenticate via the provider
+		const authResult = await virtualAuthenticate(request, authMode.config);
+		// Get external auth config for auto-provision settings
+		// eslint-disable-next-line typescript-eslint(no-unsafe-type-assertion) -- narrowing AuthModeConfig to ExternalAuthConfig after provider check
+		const externalConfig = authMode.config as ExternalAuthConfig;
+		// Find or create user
+		const adapter = createKyselyAdapter(emdash!.db);
+		let user = await adapter.getUserByEmail(authResult.email);
+		if (!user) {
+			// User doesn't exist
+			if (externalConfig.autoProvision === false) {
+				return new Response("User not authorized", {
+					status: 403,
+					headers: { "Content-Type": "text/plain", ...MW_CACHE_HEADERS },
+				});
+			}
+			// Check if this is the first user (they become admin)
+			const userCount = await emdash!.db
+				.selectFrom("users")
+				.select(emdash!.db.fn.count("id").as("count"))
+				.executeTakeFirst();
+			const isFirstUser = Number(userCount?.count ?? 0) === 0;
+			const role = isFirstUser ? ROLE_ADMIN : authResult.role;
+			// Create user
+			const now = new Date().toISOString();
+			const newUser = {
+				id: ulid(),
+				email: authResult.email,
+				name: authResult.name,
+				role,
+				email_verified: 1,
+				created_at: now,
+				updated_at: now,
+			};
+			await emdash!.db.insertInto("users").values(newUser).execute();
+			user = await adapter.getUserByEmail(authResult.email);
+			console.log(
+				`[external-auth] Provisioned user: ${authResult.email} (role: ${role}, first: ${isFirstUser})`,
+			);
+		} else {
+			// User exists - check if we need to sync anything
+			const updates: Record<string, unknown> = {};
+			let newName: string | undefined;
+			let newRole: RoleLevel | undefined;
+			// Sync name from provider if provider provides one and local differs
+			if (authResult.name && user.name !== authResult.name) {
+				newName = authResult.name;
+				updates.name = newName;
+			}
+			// Sync role if enabled
+			if (externalConfig.syncRoles && user.role !== authResult.role) {
+				newRole = authResult.role;
+				updates.role = newRole;
+			}
+			if (Object.keys(updates).length > 0) {
+				updates.updated_at = new Date().toISOString();
+				await emdash!.db.updateTable("users").set(updates).where("id", "=", user.id).execute();
+				user = {
+					...user,
+					...(newName ? { name: newName } : {}),
+					...(newRole ? { role: newRole } : {}),
+				};
+				console.log(
+					`[external-auth] Updated user ${authResult.email}:`,
+					Object.keys(updates).filter((k) => k !== "updated_at"),
+				);
+			}
+		}
+		if (!user) {
+			// This shouldn't happen, but handle it gracefully
+			return new Response("Failed to provision user", {
+				status: 500,
+				headers: { "Content-Type": "text/plain", ...MW_CACHE_HEADERS },
+			});
+		}
+		// Check if user is disabled locally
+		if (user.disabled) {
+			return new Response("Account disabled", {
+				status: 403,
+				headers: { "Content-Type": "text/plain", ...MW_CACHE_HEADERS },
+			});
+		}
+		// Set user in locals
+		locals.user = user;
+		// Persist to session so public pages can identify the user
+		// (external auth headers are only verified on /_emdash routes)
+		const { session } = context;
+		session?.set("user", { id: user.id });
+		return next();
+	} catch (error) {
+		console.error("[external-auth] Auth error:", error);
+		return new Response("Authentication failed", {
+			status: 401,
+			headers: { "Content-Type": "text/plain", ...MW_CACHE_HEADERS },
+		});
+	}
+}
+/**
+ * Try to authenticate via Bearer token (API token or OAuth token).
+ *
+ * Returns:
+ * - "authenticated" if token is valid and user is resolved
+ * - "invalid" if a token was provided but is invalid/expired
+ * - "none" if no Bearer token was provided
+ */
+async function handleBearerAuth(
+	context: Parameters<Parameters<typeof defineMiddleware>[0]>[0],
+): Promise<"authenticated" | "invalid" | "none"> {
+	const authHeader = context.request.headers.get("Authorization");
+	if (!authHeader?.startsWith("Bearer ")) return "none";
+	const token = authHeader.slice(7);
+	if (!token) return "none";
+	const { locals } = context;
+	const { emdash } = locals;
+	if (!emdash?.db) return "none";
+	// Resolve token based on prefix
+	let resolved: { userId: string; scopes: string[] } | null = null;
+	if (token.startsWith("ec_pat_")) {
+		resolved = await resolveApiToken(emdash.db, token);
+	} else if (token.startsWith("ec_oat_")) {
+		resolved = await resolveOAuthToken(emdash.db, token);
+	} else {
+		// Unknown token format
+		return "invalid";
+	}
+	if (!resolved) return "invalid";
+	// Look up the user
+	const adapter = createKyselyAdapter(emdash.db);
+	const user = await adapter.getUserById(resolved.userId);
+	if (!user || user.disabled) return "invalid";
+	// Set user and scopes on locals
+	locals.user = user;
+	locals.tokenScopes = resolved.scopes;
+	return "authenticated";
+}
+/**
+ * Handle passkey (session-based) authentication
+ */
+async function handlePasskeyAuth(
+	context: Parameters<Parameters<typeof defineMiddleware>[0]>[0],
+	next: Parameters<Parameters<typeof defineMiddleware>[0]>[1],
+	isApiRoute: boolean,
+): Promise<Response> {
+	const { url, locals, session } = context;
+	const { emdash } = locals;
+	try {
+		// Check session for user (session.get returns a Promise)
+		const sessionUser = await session?.get("user");
+		if (!sessionUser?.id) {
+			// Not authenticated
+			if (isApiRoute) {
+				const headers: Record<string, string> = { ...MW_CACHE_HEADERS };
+				// Add WWW-Authenticate on MCP endpoint 401s to trigger OAuth discovery
+				if (url.pathname === "/_emdash/api/mcp") {
+					headers["WWW-Authenticate"] =
+						`Bearer resource_metadata="${url.origin}/.well-known/oauth-protected-resource"`;
+				}
+				return Response.json(
+					{ error: { code: "NOT_AUTHENTICATED", message: "Not authenticated" } },
+					{ status: 401, headers },
+				);
+			}
+			const loginUrl = new URL("/_emdash/admin/login", url.origin);
+			loginUrl.searchParams.set("redirect", url.pathname);
+			return context.redirect(loginUrl.toString());
+		}
+		// Get full user from database
+		const adapter = createKyselyAdapter(emdash!.db);
+		const user = await adapter.getUserById(sessionUser.id);
+		if (!user) {
+			// User no longer exists - clear session
+			session?.destroy();
+			if (isApiRoute) {
+				return Response.json(
+					{ error: { code: "NOT_FOUND", message: "User not found" } },
+					{ status: 401, headers: MW_CACHE_HEADERS },
+				);
+			}
+			return context.redirect("/_emdash/admin/login");
+		}
+		// Check if user is disabled
+		if (user.disabled) {
+			session?.destroy();
+			if (isApiRoute) {
+				return apiError("ACCOUNT_DISABLED", "Account disabled", 403);
+			}
+			const loginUrl = new URL("/_emdash/admin/login", url.origin);
+			loginUrl.searchParams.set("error", "account_disabled");
+			return context.redirect(loginUrl.toString());
+		}
+		// Set user in locals for use by routes
+		locals.user = user;
+	} catch (error) {
+		console.error("Auth middleware error:", error);
+		// On error, redirect to login
+		return context.redirect("/_emdash/admin/login");
+	}
+	return next();
+}
+// =============================================================================
+// Token scope enforcement
+// =============================================================================
+/**
+ * Scope rules: ordered list of (pathPrefix, method, requiredScope) tuples.
+ * First matching rule wins. Methods: "*" = any, "WRITE" = POST/PUT/PATCH/DELETE.
+ *
+ * Routes not matched by any rule default to "admin" scope (fail-closed).
+ */
+const SCOPE_RULES: Array<[prefix: string, method: string, scope: string]> = [
+	// Content routes
+	["/_emdash/api/content", "GET", "content:read"],
+	["/_emdash/api/content", "WRITE", "content:write"],
+	// Media routes (excluding /file/ which is public)
+	["/_emdash/api/media/file", "*", "media:read"], // public anyway, but scope if token-authed
+	["/_emdash/api/media", "GET", "media:read"],
+	["/_emdash/api/media", "WRITE", "media:write"],
+	// Schema routes
+	["/_emdash/api/schema", "GET", "schema:read"],
+	["/_emdash/api/schema", "WRITE", "schema:write"],
+	// Taxonomy, menu, section, widget, revision — all content domain
+	["/_emdash/api/taxonomies", "GET", "content:read"],
+	["/_emdash/api/taxonomies", "WRITE", "content:write"],
+	["/_emdash/api/menus", "GET", "content:read"],
+	["/_emdash/api/menus", "WRITE", "content:write"],
+	["/_emdash/api/sections", "GET", "content:read"],
+	["/_emdash/api/sections", "WRITE", "content:write"],
+	["/_emdash/api/widget-areas", "GET", "content:read"],
+	["/_emdash/api/widget-areas", "WRITE", "content:write"],
+	["/_emdash/api/revisions", "GET", "content:read"],
+	["/_emdash/api/revisions", "WRITE", "content:write"],
+	// Search
+	["/_emdash/api/search", "GET", "content:read"],
+	["/_emdash/api/search", "WRITE", "admin"],
+	// Import, admin, settings, plugins — all require admin scope
+	["/_emdash/api/import", "*", "admin"],
+	["/_emdash/api/admin", "*", "admin"],
+	["/_emdash/api/settings", "*", "admin"],
+	["/_emdash/api/plugins", "*", "admin"],
+	// MCP endpoint — scopes enforced per-tool inside mcp/server.ts
+	["/_emdash/api/mcp", "*", "content:read"],
+];
+const WRITE_METHODS = new Set(["POST", "PUT", "PATCH", "DELETE"]);
+/**
+ * Enforce API token scopes based on the request URL and HTTP method.
+ * Returns a 403 Response if the scope is insufficient, or null if allowed.
+ *
+ * Session-authenticated requests (tokenScopes === undefined) are never checked.
+ */
+function enforceTokenScope(
+	pathname: string,
+	method: string,
+	tokenScopes: string[] | undefined,
+): Response | null {
+	// Session auth — implicit full access, no scope restrictions
+	if (!tokenScopes) return null;
+	const isWrite = WRITE_METHODS.has(method);
+	for (const [prefix, ruleMethod, scope] of SCOPE_RULES) {
+		// Match exact prefix or prefix followed by /
+		if (pathname !== prefix && !pathname.startsWith(prefix + "/")) continue;
+		// Check method match
+		if (ruleMethod === "*" || (ruleMethod === "WRITE" && isWrite) || ruleMethod === method) {
+			if (hasScope(tokenScopes, scope)) return null;
+			return new Response(
+				JSON.stringify({
+					error: {
+						code: "INSUFFICIENT_SCOPE",
+						message: `Token lacks required scope: ${scope}`,
+					},
+				}),
+				{ status: 403, headers: { "Content-Type": "application/json", ...MW_CACHE_HEADERS } },
+			);
+		}
+	}
+	// No rule matched — default to admin scope (fail-closed)
+	if (hasScope(tokenScopes, "admin")) return null;
+	return new Response(
+		JSON.stringify({
+			error: {
+				code: "INSUFFICIENT_SCOPE",
+				message: "Token lacks required scope: admin",
+			},
+		}),
+		{ status: 403, headers: { "Content-Type": "application/json", ...MW_CACHE_HEADERS } },
+	);
+}