emdash 0.1.0 → 0.1.1

package/src/astro/integration/virtual-modules.ts

@@ -14,6 +14,8 @@ import type { MediaProviderDescriptor } from "../../media/types.js";
 import { defaultSeed } from "../../seed/default.js";
 import type { PluginDescriptor } from "./runtime.js";
 
+const TS_SOURCE_EXT_RE = /^\.(ts|tsx|mts|cts|jsx)$/;
+
 /** Pattern to remove scoped package prefix from plugin ID */
 const SCOPED_PREFIX_PATTERN = /^@[^/]+\/plugin-/;
 
@@ -435,7 +437,17 @@ export const sandboxedPlugins = [];
 
 		// Resolve the bundle to a file path using project's require context
 		const filePath = resolveModulePathFromProject(bundleSpecifier, projectRoot);
-		// Read the source code
+
+		const ext = filePath.slice(filePath.lastIndexOf("."));
+		if (TS_SOURCE_EXT_RE.test(ext)) {
+			throw new Error(
+				`Sandboxed plugin "${descriptor.id}" entrypoint "${bundleSpecifier}" resolves to ` +
+					`unbuilt source (${filePath}). Sandbox entries must be pre-built JavaScript. ` +
+					`Ensure the plugin's package.json exports point to built files (e.g. dist/*.mjs) ` +
+					`and run the plugin's build step before building the site.`,
+			);
+		}
+
 		const code = readFileSync(filePath, "utf-8");
 
 		// Create the plugin entry with embedded code and sandbox config

package/src/astro/routes/admin.astro

@@ -20,7 +20,7 @@ export const prerender = false;
 		<meta name="viewport" content="width=device-width, initial-scale=1.0" />
 		<link
 			rel="icon"
-			href="data:image/svg+xml,%3Csvg xmlns='http://www.w3.org/2000/svg' viewBox='0 0 100 100'%3E%3Ctext y='.9em' font-size='90'%3E%F0%9F%92%AB%3C/text%3E%3C/svg%3E"
+			href="data:image/svg+xml,<svg width='75' height='75' viewBox='0 0 75 75' fill='none' xmlns='http://www.w3.org/2000/svg'> <g clip-path='url(%23clip0_50_99)'> <rect x='3' y='3' width='69' height='69' rx='10.518' stroke='url(%23paint0_linear_50_99)' stroke-width='6'/> <rect x='18' y='34' width='39.3661' height='6.56101' fill='url(%23paint1_linear_50_99)'/> </g> <defs> <linearGradient id='paint0_linear_50_99' x1='-42.9996' y1='124' x2='92.4233' y2='-41.7456' gradientUnits='userSpaceOnUse'> <stop stop-color='%230F006B'/> <stop offset='0.0833333' stop-color='%23281A81'/> <stop offset='0.166667' stop-color='%235D0C83'/> <stop offset='0.25' stop-color='%23911475'/> <stop offset='0.333333' stop-color='%23CE2F55'/> <stop offset='0.416667' stop-color='%23FF6633'/> <stop offset='0.5' stop-color='%23F6821F'/> <stop offset='0.583333' stop-color='%23FBAD41'/> <stop offset='0.666667' stop-color='%23FFCD89'/> <stop offset='0.75' stop-color='%23FFE9CB'/> <stop offset='0.833333' stop-color='%23FFF7EC'/> <stop offset='0.916667' stop-color='%23FFF8EE'/> <stop offset='1' stop-color='white'/> </linearGradient> <linearGradient id='paint1_linear_50_99' x1='91.4992' y1='27.4982' x2='28.1217' y2='54.1775' gradientUnits='userSpaceOnUse'> <stop stop-color='white'/> <stop offset='0.129253' stop-color='%23FFF8EE'/> <stop offset='0.617058' stop-color='%23FBAD41'/> <stop offset='0.848019' stop-color='%23F6821F'/> <stop offset='1' stop-color='%23FF6633'/> </linearGradient> <clipPath id='clip0_50_99'> <rect width='75' height='75' fill='white'/> </clipPath> </defs> </svg>"
 		/>
 		<title>EmDash Admin</title>
 	</head>

package/src/astro/routes/api/admin/plugins/marketplace/[id]/install.ts

@@ -41,13 +41,15 @@ export const POST: APIRoute = async ({ params, request, locals }) => {
 			emdash.configuredPlugins.map((p: { id: string }) => p.id),
 		);
 
+		const siteOrigin = new URL(request.url).origin;
+
 		const result = await handleMarketplaceInstall(
 			emdash.db,
 			emdash.storage,
 			emdash.getSandboxRunner(),
 			emdash.config.marketplace,
 			id,
-			{ version: body.version, configuredPluginIds },
+			{ version: body.version, configuredPluginIds, siteOrigin },
 		);
 
 		if (!result.success) return unwrapResult(result);

package/src/astro/routes/api/auth/invite/complete.ts

@@ -22,6 +22,7 @@ import { OptionsRepository } from "#db/repositories/options.js";
 
 export const POST: APIRoute = async ({ request, locals, session }) => {
 	const { emdash } = locals;
+	const passkeyPublicOrigin = emdash?.config.passkeyPublicOrigin;
 
 	if (!emdash?.db) {
 		return apiError("NOT_CONFIGURED", "EmDash is not initialized", 500);
@@ -37,7 +38,7 @@ export const POST: APIRoute = async ({ request, locals, session }) => {
 		const url = new URL(request.url);
 		const options = new OptionsRepository(emdash.db);
 		const siteName = (await options.get<string>("emdash:site_title")) ?? undefined;
-		const passkeyConfig = getPasskeyConfig(url, siteName);
+		const passkeyConfig = getPasskeyConfig(url, siteName, passkeyPublicOrigin);
 
 		// Verify the passkey registration response
 		const challengeStore = createChallengeStore(emdash.db);

package/src/astro/routes/api/auth/passkey/options.ts

@@ -23,6 +23,7 @@ import { OptionsRepository } from "#db/repositories/options.js";
 
 export const POST: APIRoute = async ({ request, locals }) => {
 	const { emdash } = locals;
+	const passkeyPublicOrigin = emdash?.config.passkeyPublicOrigin;
 
 	if (!emdash?.db) {
 		return apiError("NOT_CONFIGURED", "EmDash is not initialized", 500);
@@ -62,7 +63,7 @@ export const POST: APIRoute = async ({ request, locals }) => {
 		const url = new URL(request.url);
 		const options = new OptionsRepository(emdash.db);
 		const siteName = (await options.get<string>("emdash:site_title")) ?? undefined;
-		const passkeyConfig = getPasskeyConfig(url, siteName);
+		const passkeyConfig = getPasskeyConfig(url, siteName, passkeyPublicOrigin);
 
 		// Generate authentication options
 		const challengeStore = createChallengeStore(emdash.db);

package/src/astro/routes/api/auth/passkey/register/options.ts

@@ -22,6 +22,7 @@ const MAX_PASSKEYS = 10;
 
 export const POST: APIRoute = async ({ request, locals }) => {
 	const { emdash, user } = locals;
+	const passkeyPublicOrigin = emdash?.config.passkeyPublicOrigin;
 
 	if (!emdash?.db) {
 		return apiError("NOT_CONFIGURED", "EmDash is not initialized", 500);
@@ -52,7 +53,7 @@ export const POST: APIRoute = async ({ request, locals }) => {
 		const url = new URL(request.url);
 		const optionsRepo = new OptionsRepository(emdash.db);
 		const siteName = (await optionsRepo.get<string>("emdash:site_title")) ?? undefined;
-		const passkeyConfig = getPasskeyConfig(url, siteName);
+		const passkeyConfig = getPasskeyConfig(url, siteName, passkeyPublicOrigin);
 
 		// Generate registration options
 		const challengeStore = createChallengeStore(emdash.db);

package/src/astro/routes/api/auth/passkey/register/verify.ts

@@ -31,6 +31,7 @@ interface PasskeyResponse {
 
 export const POST: APIRoute = async ({ request, locals }) => {
 	const { emdash, user } = locals;
+	const passkeyPublicOrigin = emdash?.config.passkeyPublicOrigin;
 
 	if (!emdash?.db) {
 		return apiError("NOT_CONFIGURED", "EmDash is not initialized", 500);
@@ -58,7 +59,7 @@ export const POST: APIRoute = async ({ request, locals }) => {
 		const url = new URL(request.url);
 		const optionsRepo = new OptionsRepository(emdash.db);
 		const siteName = (await optionsRepo.get<string>("emdash:site_title")) ?? undefined;
-		const passkeyConfig = getPasskeyConfig(url, siteName);
+		const passkeyConfig = getPasskeyConfig(url, siteName, passkeyPublicOrigin);
 
 		// Verify the registration response
 		const challengeStore = createChallengeStore(emdash.db);

package/src/astro/routes/api/auth/passkey/verify.ts

@@ -20,6 +20,7 @@ import { OptionsRepository } from "#db/repositories/options.js";
 
 export const POST: APIRoute = async ({ request, locals, session }) => {
 	const { emdash } = locals;
+	const passkeyPublicOrigin = emdash?.config.passkeyPublicOrigin;
 
 	if (!emdash?.db) {
 		return apiError("NOT_CONFIGURED", "EmDash is not initialized", 500);
@@ -33,7 +34,7 @@ export const POST: APIRoute = async ({ request, locals, session }) => {
 		const url = new URL(request.url);
 		const options = new OptionsRepository(emdash.db);
 		const siteName = (await options.get<string>("emdash:site_title")) ?? undefined;
-		const passkeyConfig = getPasskeyConfig(url, siteName);
+		const passkeyConfig = getPasskeyConfig(url, siteName, passkeyPublicOrigin);
 
 		// Authenticate with passkey
 		const adapter = createKyselyAdapter(emdash.db);

package/src/astro/routes/api/auth/signup/complete.ts

@@ -22,6 +22,7 @@ import { OptionsRepository } from "#db/repositories/options.js";
 
 export const POST: APIRoute = async ({ request, locals, session }) => {
 	const { emdash } = locals;
+	const passkeyPublicOrigin = emdash?.config.passkeyPublicOrigin;
 
 	if (!emdash?.db) {
 		return apiError("NOT_CONFIGURED", "EmDash is not initialized", 500);
@@ -37,7 +38,7 @@ export const POST: APIRoute = async ({ request, locals, session }) => {
 		const url = new URL(request.url);
 		const options = new OptionsRepository(emdash.db);
 		const siteName = (await options.get<string>("emdash:site_title")) ?? undefined;
-		const passkeyConfig = getPasskeyConfig(url, siteName);
+		const passkeyConfig = getPasskeyConfig(url, siteName, passkeyPublicOrigin);
 
 		// Verify the passkey registration response
 		const challengeStore = createChallengeStore(emdash.db);

package/src/astro/routes/api/import/wordpress/analyze.ts

@@ -13,11 +13,14 @@ import mime from "mime/lite";
 
 import { requirePerm } from "#api/authorize.js";
 import { apiError, apiSuccess, handleError } from "#api/error.js";
+import { RESERVED_COLLECTION_SLUGS } from "#schema/types.js";
 import type { EmDashHandlers } from "#types";
 
 export const prerender = false;
 
 const NUMERIC_PATTERN = /^-?\d+(\.\d+)?$/;
+const INVALID_SLUG_CHARS = /[^a-z0-9_]/g;
+const LEADING_NON_ALPHA = /^[^a-z]+/;
 
 /** Field compatibility status */
 export type FieldCompatibility =
@@ -252,10 +255,18 @@ function analyzeWxr(
 		.toSorted((a, b) => b.count - a.count);
 
 	// Build post type analysis with schema compatibility
+	const seenSlugs = new Map<string, number>();
 	const postTypes: PostTypeAnalysis[] = [...postTypeCounts.entries()]
 		.filter(([type]) => !isInternalPostType(type))
 		.map(([name, count]) => {
-			const suggestedCollection = mapPostTypeToCollection(name);
+			let suggestedCollection = mapPostTypeToCollection(name);
+
+			// Deduplicate: if multiple post types produce the same slug, append a suffix
+			const seen = seenSlugs.get(suggestedCollection) ?? 0;
+			seenSlugs.set(suggestedCollection, seen + 1);
+			if (seen > 0) {
+				suggestedCollection = `${suggestedCollection}_${seen}`;
+			}
 			const existingCollection = existingCollections.get(suggestedCollection);
 
 			// Build required fields - add featured_image only if posts have thumbnails
@@ -445,6 +456,16 @@ function isInternalMetaKey(key: string): boolean {
 	return false;
 }
 
+function sanitizeSlug(slug: string): string {
+	const sanitized = slug
+		.toLowerCase()
+		.replace(INVALID_SLUG_CHARS, "_")
+		.replace(LEADING_NON_ALPHA, "");
+	if (!sanitized) return "imported";
+	if (RESERVED_COLLECTION_SLUGS.includes(sanitized)) return `wp_${sanitized}`;
+	return sanitized;
+}
+
 function mapPostTypeToCollection(postType: string): string {
 	const mapping: Record<string, string> = {
 		post: "posts",
@@ -457,7 +478,7 @@ function mapPostTypeToCollection(postType: string): string {
 		event: "events",
 		faq: "faqs",
 	};
-	return mapping[postType] || postType;
+	return mapping[postType] || sanitizeSlug(postType);
 }
 
 function mapMetaKeyToField(key: string): string {
@@ -507,4 +528,4 @@ function singularize(str: string): string {
 }
 
 // Export helpers for use in prepare endpoint
-export { capitalize, singularize, mapPostTypeToCollection };
+export { capitalize, sanitizeSlug, singularize, mapPostTypeToCollection };

package/src/astro/routes/api/import/wordpress/execute.ts

@@ -22,6 +22,8 @@ import { resolveImportByline } from "#import/utils.js";
 import type { EmDashHandlers, EmDashManifest } from "#types";
 import { slugify } from "#utils/slugify.js";
 
+import { sanitizeSlug } from "./analyze.js";
+
 export const prerender = false;
 
 export interface ImportConfig {
@@ -165,7 +167,9 @@ async function importContent(
 			continue;
 		}
 
-		const collection = mapping.collection;
+		// Defensive: mapping.collection is already sanitized by prepare, but the user
+		// could manually edit the import config between prepare and execute.
+		const collection = sanitizeSlug(mapping.collection);
 
 		// Check if collection exists in manifest
 		if (!manifest?.collections[collection]) {

package/src/astro/routes/api/import/wordpress/prepare.ts

@@ -16,7 +16,7 @@ import { wpPrepareBody } from "#api/schemas.js";
 import { FIELD_TYPES, type FieldType } from "#schema/types.js";
 import type { EmDashHandlers } from "#types";
 
-import { capitalize, singularize, type ImportFieldDef } from "./analyze.js";
+import { capitalize, sanitizeSlug, singularize, type ImportFieldDef } from "./analyze.js";
 
 /** Validate that a string is a known FieldType, returning undefined if not */
 function asFieldType(value: string): FieldType | undefined {
@@ -79,7 +79,7 @@ async function prepareImport(
 	};
 
 	for (const postType of request.postTypes) {
-		const collectionSlug = postType.collection;
+		const collectionSlug = sanitizeSlug(postType.collection);
 
 		try {
 			// Check if collection exists

package/src/astro/routes/api/media.ts

@@ -151,10 +151,22 @@ export const POST: APIRoute = async ({ request, locals }) => {
 		const width = widthStr ? parseInt(widthStr, 10) : undefined;
 		const height = heightStr ? parseInt(heightStr, 10) : undefined;
 
-		// Generate placeholder data for images
-		const placeholder = file.type.startsWith("image/")
-			? await generatePlaceholder(buffer, file.type)
-			: null;
+		// Generate placeholder data for images.
+		// If the client sent a thumbnail (small pre-resized image), use that
+		// instead of the full buffer to avoid OOM on memory-constrained runtimes.
+		const thumbnailEntry = formData.get("thumbnail");
+		const thumbnail = thumbnailEntry instanceof File ? thumbnailEntry : null;
+
+		let placeholder: Awaited<ReturnType<typeof generatePlaceholder>> = null;
+		if (file.type.startsWith("image/")) {
+			if (thumbnail) {
+				const thumbBuffer = new Uint8Array(await thumbnail.arrayBuffer());
+				placeholder = await generatePlaceholder(thumbBuffer, thumbnail.type);
+			} else {
+				const clientDims = width && height ? { width, height } : undefined;
+				placeholder = await generatePlaceholder(buffer, file.type, clientDims);
+			}
+		}
 
 		// Create media record
 		const result = await emdash.handleMediaCreate({

package/src/astro/routes/api/search/index.ts

@@ -6,7 +6,6 @@
 
 import type { APIRoute } from "astro";
 
-import { requirePerm } from "#api/authorize.js";
 import { apiError, apiSuccess, handleError } from "#api/error.js";
 import { isParseError, parseQuery } from "#api/parse.js";
 import { searchQuery } from "#api/schemas.js";
@@ -24,10 +23,7 @@ export const prerender = false;
  * - limit: Maximum results (optional, defaults to 20)
  */
 export const GET: APIRoute = async ({ url, locals }) => {
-	const { emdash, user } = locals;
-
-	const denied = requirePerm(user, "search:read");
-	if (denied) return denied;
+	const { emdash } = locals;
 
 	if (!emdash?.db) {
 		return apiError("NOT_CONFIGURED", "EmDash not configured", 500);

package/src/astro/routes/api/search/suggest.ts

@@ -6,7 +6,6 @@
 
 import type { APIRoute } from "astro";
 
-import { requirePerm } from "#api/authorize.js";
 import { apiError, apiSuccess, handleError } from "#api/error.js";
 import { isParseError, parseQuery } from "#api/parse.js";
 import { searchSuggestQuery } from "#api/schemas.js";
@@ -23,10 +22,7 @@ export const prerender = false;
  * - limit: Maximum suggestions (optional, defaults to 5)
  */
 export const GET: APIRoute = async ({ url, locals }) => {
-	const { emdash, user } = locals;
-
-	const denied = requirePerm(user, "search:read");
-	if (denied) return denied;
+	const { emdash } = locals;
 
 	if (!emdash?.db) {
 		return apiError("NOT_CONFIGURED", "EmDash not configured", 500);

package/src/astro/routes/api/setup/admin-verify.ts

@@ -21,6 +21,7 @@ import { OptionsRepository } from "#db/repositories/options.js";
 
 export const POST: APIRoute = async ({ request, locals }) => {
 	const { emdash } = locals;
+	const passkeyPublicOrigin = emdash?.config.passkeyPublicOrigin;
 
 	if (!emdash?.db) {
 		return apiError("NOT_CONFIGURED", "EmDash is not initialized", 500);
@@ -57,7 +58,7 @@ export const POST: APIRoute = async ({ request, locals }) => {
 		// Get passkey config
 		const url = new URL(request.url);
 		const siteName = (await options.get<string>("emdash:site_title")) ?? undefined;
-		const passkeyConfig = getPasskeyConfig(url, siteName);
+		const passkeyConfig = getPasskeyConfig(url, siteName, passkeyPublicOrigin);
 
 		// Verify the registration response
 		const challengeStore = createChallengeStore(emdash.db);

package/src/astro/routes/api/setup/admin.ts

@@ -20,6 +20,7 @@ import { OptionsRepository } from "#db/repositories/options.js";
 
 export const POST: APIRoute = async ({ request, locals }) => {
 	const { emdash } = locals;
+	const passkeyPublicOrigin = emdash?.config.passkeyPublicOrigin;
 
 	if (!emdash?.db) {
 		return apiError("NOT_CONFIGURED", "EmDash is not initialized", 500);
@@ -56,7 +57,7 @@ export const POST: APIRoute = async ({ request, locals }) => {
 		// Get passkey config
 		const url = new URL(request.url);
 		const siteName = (await options.get<string>("emdash:site_title")) ?? undefined;
-		const passkeyConfig = getPasskeyConfig(url, siteName);
+		const passkeyConfig = getPasskeyConfig(url, siteName, passkeyPublicOrigin);
 
 		// Generate registration options
 		const challengeStore = createChallengeStore(emdash.db);

package/src/astro/types.ts

@@ -28,6 +28,7 @@ export interface ManifestCollection {
 	labelSingular: string;
 	supports: string[];
 	hasSeo: boolean;
+	urlPattern?: string;
 	fields: Record<
 		string,
 		{

package/src/auth/passkey-config.ts

@@ -15,10 +15,31 @@ export interface PasskeyConfig {
 /**
  * Get passkey configuration from request URL
  *
- * @param url The request URL
- * @param siteName Optional site name for rpName (defaults to hostname)
+ * @param url The request URL (typically `new URL(Astro.request.url)` or `new URL(request.url)`)
+ * @param siteName Optional site name for rpName (defaults to hostname from `url` or public origin)
+ * @param passkeyPublicOrigin Optional browser-facing origin (see `EmDashConfig.passkeyPublicOrigin`).
+ *        When set, **origin** and **rpId** are taken from this URL so they match WebAuthn `clientData.origin`.
+ * @throws If `passkeyPublicOrigin` is non-empty but not parseable by `new URL()`.
  */
-export function getPasskeyConfig(url: URL, siteName?: string): PasskeyConfig {
+export function getPasskeyConfig(
+	url: URL,
+	siteName?: string,
+	passkeyPublicOrigin?: string,
+): PasskeyConfig {
+	if (passkeyPublicOrigin) {
+		let publicUrl: URL;
+		try {
+			publicUrl = new URL(passkeyPublicOrigin);
+		} catch (e) {
+			throw new Error(`Invalid passkeyPublicOrigin: "${passkeyPublicOrigin}"`, { cause: e });
+		}
+		return {
+			rpName: siteName || publicUrl.hostname,
+			rpId: publicUrl.hostname,
+			origin: publicUrl.origin,
+		};
+	}
+
 	return {
 		rpName: siteName || url.hostname,
 		rpId: url.hostname,

package/src/cli/commands/bundle-utils.ts

@@ -213,6 +213,32 @@ export async function resolveSourceEntry(
 	return undefined;
 }
 
+// ── Export validation ───────────────────────────────────────────────────────
+
+const TS_SOURCE_EXPORT_RE = /\.(?:ts|tsx|mts|cts|jsx)$/;
+
+/**
+ * Find package.json exports that point to source files instead of built output.
+ * Returns an array of `{ exportPath, resolvedPath }` for each offending export.
+ */
+export function findSourceExports(
+	exports: Record<string, unknown>,
+): Array<{ exportPath: string; resolvedPath: string }> {
+	const issues: Array<{ exportPath: string; resolvedPath: string }> = [];
+	for (const [exportPath, exportValue] of Object.entries(exports)) {
+		const resolved =
+			typeof exportValue === "string"
+				? exportValue
+				: exportValue && typeof exportValue === "object" && "import" in exportValue
+					? (exportValue as { import: string }).import
+					: null;
+		if (resolved && TS_SOURCE_EXPORT_RE.test(resolved)) {
+			issues.push({ exportPath, resolvedPath: resolved });
+		}
+	}
+	return issues;
+}
+
 // ── Directory helpers ────────────────────────────────────────────────────────
 
 /**

package/src/cli/commands/bundle.ts

@@ -27,6 +27,7 @@ import {
 	extractManifest,
 	findNodeBuiltinImports,
 	findBuildOutput,
+	findSourceExports,
 	resolveSourceEntry,
 	calculateDirectorySize,
 	createTarball,
@@ -495,6 +496,20 @@ export const bundleCommand = defineCommand({
 			consola.start("Validating bundle...");
 			let hasErrors = false;
 
+			// Check that package.json exports point to built files, not source.
+			// Plugins published to npm with source exports will break site builds
+			// because the sandbox module generator embeds the resolved file as-is.
+			if (pkg.exports) {
+				for (const issue of findSourceExports(pkg.exports)) {
+					consola.error(
+						`Export "${issue.exportPath}" points to source (${issue.resolvedPath}). ` +
+							`Package exports must point to built files (e.g. dist/*.mjs). ` +
+							`Add a build step and update the exports map.`,
+					);
+					hasErrors = true;
+				}
+			}
+
 			// Check for Node.js builtins in backend.js
 			const backendPath = join(bundleDir, "backend.js");
 			if (await fileExists(backendPath)) {

package/src/cli/commands/content.ts

@@ -10,7 +10,7 @@ import { defineCommand } from "citty";
 import { consola } from "consola";
 
 import { connectionArgs, createClientFromArgs } from "../client-factory.js";
-import { output } from "../output.js";
+import { configureOutputMode, output } from "../output.js";
 
 // ---------------------------------------------------------------------------
 // Helpers
@@ -77,6 +77,7 @@ const listCommand = defineCommand({
 		...connectionArgs,
 	},
 	async run({ args }) {
+		configureOutputMode(args);
 		try {
 			const client = createClientFromArgs(args);
 			const result = await client.list(args.collection, {
@@ -130,6 +131,7 @@ const getCommand = defineCommand({
 		...connectionArgs,
 	},
 	async run({ args }) {
+		configureOutputMode(args);
 		try {
 			const client = createClientFromArgs(args);
 			const item = await client.get(args.collection, args.id, {
@@ -177,6 +179,7 @@ const createCommand = defineCommand({
 		...connectionArgs,
 	},
 	async run({ args }) {
+		configureOutputMode(args);
 		try {
 			const data = await readInputData(args);
 			const client = createClientFromArgs(args);
@@ -229,6 +232,7 @@ const updateCommand = defineCommand({
 		...connectionArgs,
 	},
 	async run({ args }) {
+		configureOutputMode(args);
 		try {
 			const data = await readInputData(args);
 			const client = createClientFromArgs(args);
@@ -270,6 +274,7 @@ const deleteCommand = defineCommand({
 		...connectionArgs,
 	},
 	async run({ args }) {
+		configureOutputMode(args);
 		try {
 			const client = createClientFromArgs(args);
 			await client.delete(args.collection, args.id);
@@ -297,6 +302,7 @@ const publishCommand = defineCommand({
 		...connectionArgs,
 	},
 	async run({ args }) {
+		configureOutputMode(args);
 		try {
 			const client = createClientFromArgs(args);
 			await client.publish(args.collection, args.id);
@@ -324,6 +330,7 @@ const unpublishCommand = defineCommand({
 		...connectionArgs,
 	},
 	async run({ args }) {
+		configureOutputMode(args);
 		try {
 			const client = createClientFromArgs(args);
 			await client.unpublish(args.collection, args.id);
@@ -356,6 +363,7 @@ const scheduleCommand = defineCommand({
 		...connectionArgs,
 	},
 	async run({ args }) {
+		configureOutputMode(args);
 		try {
 			const client = createClientFromArgs(args);
 			await client.schedule(args.collection, args.id, { at: args.at });
@@ -383,6 +391,7 @@ const restoreCommand = defineCommand({
 		...connectionArgs,
 	},
 	async run({ args }) {
+		configureOutputMode(args);
 		try {
 			const client = createClientFromArgs(args);
 			await client.restore(args.collection, args.id);
@@ -410,6 +419,7 @@ const translationsCommand = defineCommand({
 		...connectionArgs,
 	},
 	async run({ args }) {
+		configureOutputMode(args);
 		try {
 			const client = createClientFromArgs(args);
 			const translations = await client.translations(args.collection, args.id);

package/src/cli/commands/login.ts

@@ -29,6 +29,7 @@ import {
 	resolveCredentialKey,
 	saveCredentials,
 } from "../credentials.js";
+import { configureOutputMode } from "../output.js";
 
 // ---------------------------------------------------------------------------
 // Types for discovery + device flow responses
@@ -423,6 +424,7 @@ export const whoamiCommand = defineCommand({
 		},
 	},
 	async run({ args }) {
+		configureOutputMode(args);
 		const baseUrl = args.url || "http://localhost:4321";
 
 		// Resolve token: --token flag > EMDASH_TOKEN env > stored credentials

package/src/cli/commands/media.ts

@@ -11,7 +11,7 @@ import { defineCommand } from "citty";
 import { consola } from "consola";
 
 import { connectionArgs, createClientFromArgs } from "../client-factory.js";
-import { output } from "../output.js";
+import { configureOutputMode, output } from "../output.js";
 
 const listCommand = defineCommand({
 	meta: {
@@ -34,6 +34,7 @@ const listCommand = defineCommand({
 		},
 	},
 	async run({ args }) {
+		configureOutputMode(args);
 		const client = createClientFromArgs(args);
 
 		try {
@@ -73,6 +74,7 @@ const uploadCommand = defineCommand({
 		},
 	},
 	async run({ args }) {
+		configureOutputMode(args);
 		const client = createClientFromArgs(args);
 		const filename = basename(args.file);
 
@@ -108,6 +110,7 @@ const getCommand = defineCommand({
 		...connectionArgs,
 	},
 	async run({ args }) {
+		configureOutputMode(args);
 		const client = createClientFromArgs(args);
 
 		try {
@@ -134,6 +137,7 @@ const deleteCommand = defineCommand({
 		...connectionArgs,
 	},
 	async run({ args }) {
+		configureOutputMode(args);
 		const client = createClientFromArgs(args);
 
 		try {

package/src/cli/commands/menu.ts

@@ -8,7 +8,7 @@ import { defineCommand } from "citty";
 import { consola } from "consola";
 
 import { connectionArgs, createClientFromArgs } from "../client-factory.js";
-import { output } from "../output.js";
+import { configureOutputMode, output } from "../output.js";
 
 const listCommand = defineCommand({
 	meta: {
@@ -19,6 +19,7 @@ const listCommand = defineCommand({
 		...connectionArgs,
 	},
 	async run({ args }) {
+		configureOutputMode(args);
 		try {
 			const client = createClientFromArgs(args);
 			const menus = await client.menus();
@@ -44,6 +45,7 @@ const getCommand = defineCommand({
 		...connectionArgs,
 	},
 	async run({ args }) {
+		configureOutputMode(args);
 		try {
 			const client = createClientFromArgs(args);
 			const menu = await client.menu(args.name);