npm - emdash - Versions diffs - 0.1.1 → 0.2.0 - Mend

emdash 0.1.1 → 0.2.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (192) hide show

package/dist/{adapters-BLMa4JGD.d.mts → adapters-N6BF7RCD.d.mts} +1 -1
package/dist/{adapters-BLMa4JGD.d.mts.map → adapters-N6BF7RCD.d.mts.map} +1 -1
package/dist/{apply-kC39ev1Z.mjs → apply-wmVEOSbR.mjs} +56 -9
package/dist/apply-wmVEOSbR.mjs.map +1 -0
package/dist/astro/index.d.mts +6 -6
package/dist/astro/index.mjs +80 -27
package/dist/astro/index.mjs.map +1 -1
package/dist/astro/middleware/auth.d.mts +5 -5
package/dist/astro/middleware/auth.d.mts.map +1 -1
package/dist/astro/middleware/auth.mjs +127 -56
package/dist/astro/middleware/auth.mjs.map +1 -1
package/dist/astro/middleware/request-context.mjs +1 -1
package/dist/astro/middleware/setup.mjs +1 -1
package/dist/astro/middleware.d.mts.map +1 -1
package/dist/astro/middleware.mjs +74 -39
package/dist/astro/middleware.mjs.map +1 -1
package/dist/astro/types.d.mts +30 -9
package/dist/astro/types.d.mts.map +1 -1
package/dist/{byline-CL847F26.mjs → byline-1WQPlISL.mjs} +51 -29
package/dist/byline-1WQPlISL.mjs.map +1 -0
package/dist/{bylines-C2a-2TGt.mjs → bylines-BYdTYmia.mjs} +10 -8
package/dist/{bylines-C2a-2TGt.mjs.map → bylines-BYdTYmia.mjs.map} +1 -1
package/dist/cli/index.mjs +15 -12
package/dist/cli/index.mjs.map +1 -1
package/dist/client/cf-access.d.mts +1 -1
package/dist/client/index.d.mts +1 -1
package/dist/client/index.mjs +1 -1
package/dist/{config-CKE8p9xM.mjs → config-Cq8H0SfX.mjs} +2 -10
package/dist/{config-CKE8p9xM.mjs.map → config-Cq8H0SfX.mjs.map} +1 -1
package/dist/{content-D6C2WsZC.mjs → content-BmXndhdi.mjs} +16 -3
package/dist/content-BmXndhdi.mjs.map +1 -0
package/dist/db/index.d.mts +3 -3
package/dist/db/index.mjs +1 -1
package/dist/db/libsql.d.mts +1 -1
package/dist/db/postgres.d.mts +1 -1
package/dist/db/sqlite.d.mts +1 -1
package/dist/{default-Cyi4aAxu.mjs → default-WYlzADZL.mjs} +1 -1
package/dist/{default-Cyi4aAxu.mjs.map → default-WYlzADZL.mjs.map} +1 -1
package/dist/{error-Cxz0tQeO.mjs → error-DrxtnGPg.mjs} +1 -1
package/dist/{error-Cxz0tQeO.mjs.map → error-DrxtnGPg.mjs.map} +1 -1
package/dist/{index-CLBc4gw-.d.mts → index-UHEVQMus.d.mts} +55 -17
package/dist/index-UHEVQMus.d.mts.map +1 -0
package/dist/index.d.mts +11 -11
package/dist/index.mjs +17 -17
package/dist/{load-yOOlckBj.mjs → load-Veizk2cT.mjs} +1 -1
package/dist/{load-yOOlckBj.mjs.map → load-Veizk2cT.mjs.map} +1 -1
package/dist/{loader-fz8Q_3EO.mjs → loader-CHb2v0jm.mjs} +1 -1
package/dist/{loader-fz8Q_3EO.mjs.map → loader-CHb2v0jm.mjs.map} +1 -1
package/dist/{manifest-schema-CL8DWO9b.mjs → manifest-schema-CuMio1A9.mjs} +1 -1
package/dist/{manifest-schema-CL8DWO9b.mjs.map → manifest-schema-CuMio1A9.mjs.map} +1 -1
package/dist/media/index.d.mts +1 -1
package/dist/media/local-runtime.d.mts +7 -7
package/dist/{mode-C2EzN1uE.mjs → mode-CYeM2rPt.mjs} +1 -1
package/dist/{mode-C2EzN1uE.mjs.map → mode-CYeM2rPt.mjs.map} +1 -1
package/dist/page/index.d.mts +10 -1
package/dist/page/index.d.mts.map +1 -1
package/dist/page/index.mjs +8 -4
package/dist/page/index.mjs.map +1 -1
package/dist/{placeholder-SvFCKbz_.d.mts → placeholder-bOx1xCTY.d.mts} +1 -1
package/dist/{placeholder-SvFCKbz_.d.mts.map → placeholder-bOx1xCTY.d.mts.map} +1 -1
package/dist/plugins/adapt-sandbox-entry.d.mts +5 -5
package/dist/plugins/adapt-sandbox-entry.mjs +1 -1
package/dist/{query-BVYN0PJ6.mjs → query-5Hcv_5ER.mjs} +20 -8
package/dist/{query-BVYN0PJ6.mjs.map → query-5Hcv_5ER.mjs.map} +1 -1
package/dist/{registry-BNYQKX_d.mjs → registry-1EvbAfsC.mjs} +6 -2
package/dist/{registry-BNYQKX_d.mjs.map → registry-1EvbAfsC.mjs.map} +1 -1
package/dist/{runner-BraqvGYk.mjs → runner-BoN0-FPi.mjs} +155 -130
package/dist/runner-BoN0-FPi.mjs.map +1 -0
package/dist/{runner-EAtf0ZIe.d.mts → runner-DTqkzOzc.d.mts} +2 -2
package/dist/{runner-EAtf0ZIe.d.mts.map → runner-DTqkzOzc.d.mts.map} +1 -1
package/dist/runtime.d.mts +6 -6
package/dist/runtime.mjs +1 -1
package/dist/{search-C1gg67nN.mjs → search-BsYMed12.mjs} +235 -105
package/dist/search-BsYMed12.mjs.map +1 -0
package/dist/seed/index.d.mts +2 -2
package/dist/seed/index.mjs +8 -8
package/dist/seo/index.d.mts +1 -1
package/dist/storage/local.d.mts +1 -1
package/dist/storage/local.mjs +1 -1
package/dist/storage/s3.d.mts +1 -1
package/dist/storage/s3.mjs +1 -1
package/dist/{tokens-DpgrkrXK.mjs → tokens-DrB-W6Q-.mjs} +1 -1
package/dist/{tokens-DpgrkrXK.mjs.map → tokens-DrB-W6Q-.mjs.map} +1 -1
package/dist/{transport-yxiQsi8I.mjs → transport-Bl8cTdYt.mjs} +1 -1
package/dist/{transport-yxiQsi8I.mjs.map → transport-Bl8cTdYt.mjs.map} +1 -1
package/dist/{transport-BFGblqwG.d.mts → transport-COOs9GSE.d.mts} +1 -1
package/dist/{transport-BFGblqwG.d.mts.map → transport-COOs9GSE.d.mts.map} +1 -1
package/dist/{types-BQo5JS0J.d.mts → types-6dqxBqsH.d.mts} +80 -106
package/dist/types-6dqxBqsH.d.mts.map +1 -0
package/dist/{types-DRjfYOEv.d.mts → types-7-UjSEyB.d.mts} +1 -1
package/dist/{types-DRjfYOEv.d.mts.map → types-7-UjSEyB.d.mts.map} +1 -1
package/dist/{types-CUBbjgmP.mjs → types-Bec-r_3_.mjs} +1 -1
package/dist/{types-CUBbjgmP.mjs.map → types-Bec-r_3_.mjs.map} +1 -1
package/dist/{types-DaNLHo_T.d.mts → types-BljtYPSd.d.mts} +1 -1
package/dist/{types-DaNLHo_T.d.mts.map → types-BljtYPSd.d.mts.map} +1 -1
package/dist/{types-BRuPJGdV.d.mts → types-CIsTnQvJ.d.mts} +3 -1
package/dist/types-CIsTnQvJ.d.mts.map +1 -0
package/dist/types-CMMN0pNg.mjs.map +1 -1
package/dist/{types-DPfzHnjW.d.mts → types-CcreFIIH.d.mts} +1 -1
package/dist/{types-DPfzHnjW.d.mts.map → types-CcreFIIH.d.mts.map} +1 -1
package/dist/{types-CiA5Gac0.mjs → types-DuNbGKjF.mjs} +1 -1
package/dist/{types-CiA5Gac0.mjs.map → types-DuNbGKjF.mjs.map} +1 -1
package/dist/{validate-HtxZeaBi.d.mts → validate-B7KP7VLM.d.mts} +4 -4
package/dist/{validate-HtxZeaBi.d.mts.map → validate-B7KP7VLM.d.mts.map} +1 -1
package/dist/{validate-_rsF-Dx_.mjs → validate-CXnRKfJK.mjs} +2 -2
package/dist/{validate-_rsF-Dx_.mjs.map → validate-CXnRKfJK.mjs.map} +1 -1
package/package.json +6 -6
package/src/api/csrf.ts +13 -2
package/src/api/handlers/content.ts +7 -0
package/src/api/handlers/dashboard.ts +4 -8
package/src/api/handlers/device-flow.ts +55 -37
package/src/api/handlers/index.ts +6 -1
package/src/api/handlers/seo.ts +48 -21
package/src/api/public-url.ts +84 -0
package/src/api/schemas/content.ts +2 -2
package/src/api/schemas/menus.ts +12 -2
package/src/astro/integration/index.ts +30 -7
package/src/astro/integration/routes.ts +13 -2
package/src/astro/integration/runtime.ts +7 -5
package/src/astro/integration/vite-config.ts +52 -9
package/src/astro/middleware/auth.ts +60 -56
package/src/astro/middleware/csp.ts +25 -0
package/src/astro/middleware.ts +31 -3
package/src/astro/routes/PluginRegistry.tsx +8 -2
package/src/astro/routes/admin.astro +7 -2
package/src/astro/routes/api/admin/users/[id]/disable.ts +18 -12
package/src/astro/routes/api/admin/users/[id]/index.ts +26 -5
package/src/astro/routes/api/auth/invite/complete.ts +3 -2
package/src/astro/routes/api/auth/oauth/[provider]/callback.ts +2 -1
package/src/astro/routes/api/auth/oauth/[provider].ts +2 -1
package/src/astro/routes/api/auth/passkey/options.ts +3 -2
package/src/astro/routes/api/auth/passkey/register/options.ts +3 -2
package/src/astro/routes/api/auth/passkey/register/verify.ts +3 -2
package/src/astro/routes/api/auth/passkey/verify.ts +3 -2
package/src/astro/routes/api/auth/signup/complete.ts +3 -2
package/src/astro/routes/api/content/[collection]/index.ts +31 -3
package/src/astro/routes/api/import/wordpress/execute.ts +9 -0
package/src/astro/routes/api/import/wordpress-plugin/execute.ts +10 -0
package/src/astro/routes/api/manifest.ts +1 -0
package/src/astro/routes/api/media/providers/[providerId]/[itemId].ts +7 -2
package/src/astro/routes/api/oauth/authorize.ts +12 -7
package/src/astro/routes/api/oauth/device/code.ts +5 -1
package/src/astro/routes/api/setup/admin-verify.ts +3 -2
package/src/astro/routes/api/setup/admin.ts +3 -2
package/src/astro/routes/api/setup/dev-bypass.ts +2 -1
package/src/astro/routes/api/setup/index.ts +3 -2
package/src/astro/routes/api/snapshot.ts +2 -1
package/src/astro/routes/api/themes/preview.ts +2 -1
package/src/astro/routes/api/well-known/auth.ts +1 -0
package/src/astro/routes/api/well-known/oauth-authorization-server.ts +3 -2
package/src/astro/routes/api/well-known/oauth-protected-resource.ts +3 -2
package/src/astro/routes/robots.txt.ts +5 -1
package/src/astro/routes/sitemap-[collection].xml.ts +104 -0
package/src/astro/routes/sitemap.xml.ts +18 -23
package/src/astro/types.ts +27 -1
package/src/auth/passkey-config.ts +6 -10
package/src/bylines/index.ts +11 -8
package/src/cli/commands/login.ts +5 -2
package/src/components/InlinePortableTextEditor.tsx +5 -3
package/src/content/converters/portable-text-to-prosemirror.ts +50 -2
package/src/database/migrations/034_published_at_index.ts +29 -0
package/src/database/migrations/runner.ts +2 -0
package/src/database/repositories/byline.ts +48 -42
package/src/database/repositories/content.ts +23 -1
package/src/database/repositories/options.ts +9 -3
package/src/database/repositories/seo.ts +34 -17
package/src/database/repositories/types.ts +2 -0
package/src/emdash-runtime.ts +61 -18
package/src/import/index.ts +1 -1
package/src/import/sources/wxr.ts +45 -2
package/src/index.ts +9 -1
package/src/mcp/server.ts +85 -5
package/src/menus/index.ts +2 -1
package/src/page/context.ts +13 -1
package/src/page/jsonld.ts +10 -6
package/src/page/seo-contributions.ts +1 -1
package/src/plugins/context.ts +145 -35
package/src/plugins/manager.ts +12 -0
package/src/plugins/types.ts +80 -4
package/src/query.ts +18 -0
package/src/schema/registry.ts +5 -0
package/src/settings/index.ts +64 -0
package/src/utils/chunks.ts +17 -0
package/dist/apply-kC39ev1Z.mjs.map +0 -1
package/dist/byline-CL847F26.mjs.map +0 -1
package/dist/content-D6C2WsZC.mjs.map +0 -1
package/dist/index-CLBc4gw-.d.mts.map +0 -1
package/dist/runner-BraqvGYk.mjs.map +0 -1
package/dist/search-C1gg67nN.mjs.map +0 -1
package/dist/types-BQo5JS0J.d.mts.map +0 -1
package/dist/types-BRuPJGdV.d.mts.map +0 -1
/package/src/astro/routes/api/media/file/{[key].ts → [...key].ts} +0 -0

package/src/astro/routes/api/auth/signup/complete.ts CHANGED Viewed

@@ -15,6 +15,7 @@ import { verifyRegistrationResponse, registerPasskey } from "@emdash-cms/auth/pa
 import { apiError, apiSuccess, handleError } from "#api/error.js";
 import { isParseError, parseBody } from "#api/parse.js";
+import { getPublicOrigin } from "#api/public-url.js";
 import { signupCompleteBody } from "#api/schemas.js";
 import { createChallengeStore } from "#auth/challenge-store.js";
 import { getPasskeyConfig } from "#auth/passkey-config.js";
@@ -22,7 +23,6 @@ import { OptionsRepository } from "#db/repositories/options.js";
 export const POST: APIRoute = async ({ request, locals, session }) => {
 	const { emdash } = locals;
-	const passkeyPublicOrigin = emdash?.config.passkeyPublicOrigin;
 	if (!emdash?.db) {
 		return apiError("NOT_CONFIGURED", "EmDash is not initialized", 500);
@@ -38,7 +38,8 @@ export const POST: APIRoute = async ({ request, locals, session }) => {
 		const url = new URL(request.url);
 		const options = new OptionsRepository(emdash.db);
 		const siteName = (await options.get<string>("emdash:site_title")) ?? undefined;
-		const passkeyConfig = getPasskeyConfig(url, siteName, passkeyPublicOrigin);
+		const siteUrl = getPublicOrigin(url, emdash?.config);
+		const passkeyConfig = getPasskeyConfig(url, siteName, siteUrl);
 		// Verify the passkey registration response
 		const challengeStore = createChallengeStore(emdash.db);

package/src/astro/routes/api/content/[collection]/index.ts CHANGED Viewed

@@ -7,8 +7,8 @@
 import type { APIRoute } from "astro";
-import { requirePerm } from "#api/authorize.js";
-import { apiError, unwrapResult } from "#api/error.js";
+import { requirePerm, requireOwnerPerm } from "#api/authorize.js";
+import { apiError, mapErrorStatus, unwrapResult } from "#api/error.js";
 import { parseBody, parseQuery, isParseError } from "#api/parse.js";
 import { contentListQuery, contentCreateBody } from "#api/schemas.js";
@@ -39,10 +39,38 @@ export const POST: APIRoute = async ({ params, request, locals, cache }) => {
 	const body = await parseBody(request, contentCreateBody);
 	if (isParseError(body)) return body;
-	if (!emdash?.handleContentCreate) {
+	if (!emdash?.handleContentCreate || !emdash?.handleContentGet) {
 		return apiError("NOT_CONFIGURED", "EmDash is not initialized", 500);
 	}
+	// Creating a translation requires edit permission on the source item
+	if (body.translationOf) {
+		const source = await emdash.handleContentGet(collection, body.translationOf);
+		if (!source.success) {
+			return apiError(
+				source.error?.code ?? "NOT_FOUND",
+				source.error?.message ?? "Translation source not found",
+				mapErrorStatus(source.error?.code),
+			);
+		}
+		const sourceData =
+			source.data && typeof source.data === "object"
+				? (source.data as Record<string, unknown>)
+				: undefined;
+		const sourceItem =
+			sourceData?.item && typeof sourceData.item === "object"
+				? (sourceData.item as Record<string, unknown>)
+				: sourceData;
+		const sourceAuthor = typeof sourceItem?.authorId === "string" ? sourceItem.authorId : "";
+		const translationDenied = requireOwnerPerm(
+			user,
+			sourceAuthor,
+			"content:edit_own",
+			"content:edit_any",
+		);
+		if (translationDenied) return translationDenied;
+	}
 	// Auto-set authorId to current user when creating content
 	const result = await emdash.handleContentCreate(collection, {
 		...body,

package/src/astro/routes/api/import/wordpress/execute.ts CHANGED Viewed

@@ -13,6 +13,7 @@ import {
 	ContentRepository,
 	importReusableBlocksAsSections,
 	type WxrPost,
+	parseWxrDate,
 } from "emdash";
 import { requirePerm } from "#api/authorize.js";
@@ -236,6 +237,12 @@ async function importContent(
 				bylineCache,
 			);
+			// Preserve original WordPress dates using the shared WXR date parser.
+			// Fallback chain: postDateGmt (UTC) → pubDate (RFC 2822) → postDate (site-local).
+			const parsedDate = parseWxrDate(post.postDateGmt, post.pubDate, post.postDate);
+			const createdAt = parsedDate ? parsedDate.toISOString() : undefined;
+			const publishedAt = status === "published" && createdAt ? createdAt : undefined;
 			// Create the content item
 			const createResult = await emdash.handleContentCreate(collection, {
 				data,
@@ -244,6 +251,8 @@ async function importContent(
 				authorId,
 				bylines: bylineId ? [{ bylineId }] : undefined,
 				locale,
+				createdAt,
+				publishedAt,
 			});
 			if (createResult.success) {

package/src/astro/routes/api/import/wordpress-plugin/execute.ts CHANGED Viewed

@@ -286,6 +286,14 @@ async function importContent(
 				}
 			}
+			// Preserve original dates from the source
+			const itemDateTime = item.date?.getTime();
+			const createdAt =
+				itemDateTime !== undefined && !Number.isNaN(itemDateTime)
+					? item.date.toISOString()
+					: undefined;
+			const publishedAt = status === "published" && createdAt ? createdAt : undefined;
 			// Create the content item
 			const createResult = await emdash.handleContentCreate(collection, {
 				data,
@@ -295,6 +303,8 @@ async function importContent(
 				bylines: bylineId ? [{ bylineId }] : undefined,
 				locale: item.locale,
 				translationOf,
+				createdAt,
+				publishedAt,
 			});
 			if (createResult.success) {

package/src/astro/routes/api/manifest.ts CHANGED Viewed

@@ -47,6 +47,7 @@ export const GET: APIRoute = async ({ locals }) => {
 				hash: "default",
 				collections: {},
 				plugins: {},
+				taxonomies: [],
 				authMode: "passkey",
 				signupEnabled,
 			};

package/src/astro/routes/api/media/providers/[providerId]/[itemId].ts CHANGED Viewed

@@ -7,6 +7,7 @@
 import type { APIRoute } from "astro";
+import { requirePerm } from "#api/authorize.js";
 import { apiError, apiSuccess, handleError } from "#api/error.js";
 export const prerender = false;
@@ -15,7 +16,9 @@ export const prerender = false;
  * Get a single media item from a provider
  */
 export const GET: APIRoute = async ({ params, locals }) => {
-	const { emdash } = locals;
+	const { emdash, user } = locals;
+	const denied = requirePerm(user, "media:read");
+	if (denied) return denied;
 	const { providerId, itemId } = params;
 	if (!providerId || !itemId) {
@@ -56,7 +59,9 @@ export const GET: APIRoute = async ({ params, locals }) => {
  * Delete a media item from a provider
  */
 export const DELETE: APIRoute = async ({ params, locals }) => {
-	const { emdash } = locals;
+	const { emdash, user } = locals;
+	const denied = requirePerm(user, "media:delete_any");
+	if (denied) return denied;
 	const { providerId, itemId } = params;
 	if (!providerId || !itemId) {

package/src/astro/routes/api/oauth/authorize.ts CHANGED Viewed

@@ -22,6 +22,7 @@ import {
 	validateRedirectUri,
 } from "#api/handlers/oauth-authorization.js";
 import { lookupOAuthClient, validateClientRedirectUri } from "#api/handlers/oauth-clients.js";
+import { getPublicOrigin } from "#api/public-url.js";
 import { VALID_SCOPES } from "#auth/api-tokens.js";
 export const prerender = false;
@@ -40,14 +41,18 @@ function generateCsrfToken(): string {
 }
 /** Build the Set-Cookie header value for the CSRF token. */
-function csrfCookieHeader(token: string, request: Request): string {
+function csrfCookieHeader(token: string, request: Request, siteUrl?: string): string {
 	// SameSite=Strict prevents cross-site form submission.
 	// HttpOnly: the token value is embedded in the form hidden field server-side,
 	// so JS never needs to read the cookie. HttpOnly adds defense-in-depth.
-	// Secure is only set over HTTPS — omitting it on localhost allows the cookie
-	// to be sent over plain HTTP during development.
-	const secure = new URL(request.url).protocol === "https:" ? "; Secure" : "";
-	return `${CSRF_COOKIE_NAME}=${token}; Path=/_emdash/api/oauth/authorize; HttpOnly; SameSite=Strict${secure}`;
+	// Secure is set when:
+	//   - siteUrl is configured and uses https (proxy case — request may be http internally), OR
+	//   - the actual request is over https (non-proxy case, preserve existing behaviour)
+	const isSecure = siteUrl
+		? siteUrl.startsWith("https:")
+		: new URL(request.url).protocol === "https:";
+	const secure = isSecure ? "; Secure" : "";
+	return `${CSRF_COOKIE_NAME}=${token}; Path=/_emdash/oauth/authorize; HttpOnly; SameSite=Strict${secure}`;
 }
 /** Extract the CSRF token from the request's cookies. */
@@ -130,7 +135,7 @@ export const GET: APIRoute = async ({ url, request, locals }) => {
 	// If not authenticated, redirect to login with return URL
 	if (!user) {
-		const loginUrl = new URL("/_emdash/admin/login", url.origin);
+		const loginUrl = new URL("/_emdash/admin/login", getPublicOrigin(url, emdash?.config));
 		loginUrl.searchParams.set("redirect", url.pathname + url.search);
 		return Response.redirect(loginUrl.toString(), 302);
 	}
@@ -169,7 +174,7 @@ export const GET: APIRoute = async ({ url, request, locals }) => {
 	return new Response(html, {
 		headers: {
 			"Content-Type": "text/html; charset=utf-8",
-			"Set-Cookie": csrfCookieHeader(csrfToken, request),
+			"Set-Cookie": csrfCookieHeader(csrfToken, request, getPublicOrigin(url, emdash?.config)),
 		},
 	});
 };

package/src/astro/routes/api/oauth/device/code.ts CHANGED Viewed

@@ -13,6 +13,7 @@ import { z } from "zod";
 import { apiError, handleError, unwrapResult } from "#api/error.js";
 import { handleDeviceCodeRequest } from "#api/handlers/device-flow.js";
 import { isParseError, parseBody } from "#api/parse.js";
+import { getPublicOrigin } from "#api/public-url.js";
 import { checkRateLimit, getClientIp, rateLimitResponse } from "#auth/rate-limit.js";
 export const prerender = false;
@@ -41,7 +42,10 @@ export const POST: APIRoute = async ({ request, locals, url }) => {
 		}
 		// Build the verification URI — device page lives inside the admin SPA
-		const verificationUri = new URL("/_emdash/admin/device", url.origin).toString();
+		const verificationUri = new URL(
+			"/_emdash/admin/device",
+			getPublicOrigin(url, emdash?.config),
+		).toString();
 		const result = await handleDeviceCodeRequest(emdash.db, body, verificationUri);
 		return unwrapResult(result);

package/src/astro/routes/api/setup/admin-verify.ts CHANGED Viewed

@@ -14,6 +14,7 @@ import { verifyRegistrationResponse, registerPasskey } from "@emdash-cms/auth/pa
 import { apiError, apiSuccess, handleError } from "#api/error.js";
 import { isParseError, parseBody } from "#api/parse.js";
+import { getPublicOrigin } from "#api/public-url.js";
 import { setupAdminVerifyBody } from "#api/schemas.js";
 import { createChallengeStore } from "#auth/challenge-store.js";
 import { getPasskeyConfig } from "#auth/passkey-config.js";
@@ -21,7 +22,6 @@ import { OptionsRepository } from "#db/repositories/options.js";
 export const POST: APIRoute = async ({ request, locals }) => {
 	const { emdash } = locals;
-	const passkeyPublicOrigin = emdash?.config.passkeyPublicOrigin;
 	if (!emdash?.db) {
 		return apiError("NOT_CONFIGURED", "EmDash is not initialized", 500);
@@ -58,7 +58,8 @@ export const POST: APIRoute = async ({ request, locals }) => {
 		// Get passkey config
 		const url = new URL(request.url);
 		const siteName = (await options.get<string>("emdash:site_title")) ?? undefined;
-		const passkeyConfig = getPasskeyConfig(url, siteName, passkeyPublicOrigin);
+		const siteUrl = getPublicOrigin(url, emdash?.config);
+		const passkeyConfig = getPasskeyConfig(url, siteName, siteUrl);
 		// Verify the registration response
 		const challengeStore = createChallengeStore(emdash.db);

package/src/astro/routes/api/setup/admin.ts CHANGED Viewed

@@ -13,6 +13,7 @@ import { generateRegistrationOptions } from "@emdash-cms/auth/passkey";
 import { apiError, apiSuccess, handleError } from "#api/error.js";
 import { isParseError, parseBody } from "#api/parse.js";
+import { getPublicOrigin } from "#api/public-url.js";
 import { setupAdminBody } from "#api/schemas.js";
 import { createChallengeStore } from "#auth/challenge-store.js";
 import { getPasskeyConfig } from "#auth/passkey-config.js";
@@ -20,7 +21,6 @@ import { OptionsRepository } from "#db/repositories/options.js";
 export const POST: APIRoute = async ({ request, locals }) => {
 	const { emdash } = locals;
-	const passkeyPublicOrigin = emdash?.config.passkeyPublicOrigin;
 	if (!emdash?.db) {
 		return apiError("NOT_CONFIGURED", "EmDash is not initialized", 500);
@@ -57,7 +57,8 @@ export const POST: APIRoute = async ({ request, locals }) => {
 		// Get passkey config
 		const url = new URL(request.url);
 		const siteName = (await options.get<string>("emdash:site_title")) ?? undefined;
-		const passkeyConfig = getPasskeyConfig(url, siteName, passkeyPublicOrigin);
+		const siteUrl = getPublicOrigin(url, emdash?.config);
+		const passkeyConfig = getPasskeyConfig(url, siteName, siteUrl);
 		// Generate registration options
 		const challengeStore = createChallengeStore(emdash.db);

package/src/astro/routes/api/setup/dev-bypass.ts CHANGED Viewed

@@ -24,6 +24,7 @@ import { ulid } from "ulidx";
 import { apiError, apiSuccess, handleError } from "#api/error.js";
 import { escapeHtml } from "#api/escape.js";
 import { handleApiTokenCreate } from "#api/handlers/api-tokens.js";
+import { getPublicOrigin } from "#api/public-url.js";
 import { isSafeRedirect } from "#api/redirect.js";
 import { runMigrations } from "#db/migrations/runner.js";
 import { OptionsRepository } from "#db/repositories/options.js";
@@ -120,7 +121,7 @@ async function handleDevBypass(context: Parameters<APIRoute>[0]): Promise<Respon
 		}
 		// Store canonical site URL (used by magic-link/recovery emails)
-		await options.set("emdash:site_url", url.origin);
+		await options.set("emdash:site_url", getPublicOrigin(url, emdash?.config));
 		// Mark setup complete
 		await options.set("emdash:setup_complete", true);

package/src/astro/routes/api/setup/index.ts CHANGED Viewed

@@ -10,6 +10,7 @@ export const prerender = false;
 import { apiError, apiSuccess, handleError } from "#api/error.js";
 import { isParseError, parseBody } from "#api/parse.js";
+import { getPublicOrigin } from "#api/public-url.js";
 import { setupBody } from "#api/schemas.js";
 import { getAuthMode } from "#auth/mode.js";
 import { runMigrations } from "#db/migrations/runner.js";
@@ -18,7 +19,7 @@ import { applySeed } from "#seed/apply.js";
 import { loadSeed } from "#seed/load.js";
 import { validateSeed } from "#seed/validate.js";
-export const POST: APIRoute = async ({ request, locals }) => {
+export const POST: APIRoute = async ({ request, url, locals }) => {
 	const { emdash } = locals;
 	if (!emdash?.db) {
@@ -89,7 +90,7 @@ export const POST: APIRoute = async ({ request, locals }) => {
 			// Store the canonical site URL from the setup request.
 			// This is trusted because setup runs on the real domain.
-			const siteUrl = new URL(request.url).origin;
+			const siteUrl = getPublicOrigin(url, emdash.config);
 			await options.set("emdash:site_url", siteUrl);
 			if (useExternalAuth) {

package/src/astro/routes/api/snapshot.ts CHANGED Viewed

@@ -16,6 +16,7 @@ import {
 	parsePreviewSignatureHeader,
 	verifyPreviewSignature,
 } from "#api/handlers/snapshot.js";
+import { getPublicOrigin } from "#api/public-url.js";
 export const prerender = false;
@@ -65,7 +66,7 @@ export const GET: APIRoute = async ({ request, locals, url }) => {
 		const includeDrafts = url.searchParams.get("drafts") === "true";
 		const snapshot = await generateSnapshot(emdash.db, {
 			includeDrafts,
-			origin: url.origin,
+			origin: getPublicOrigin(url, emdash.config),
 		});
 		return apiSuccess(snapshot);

package/src/astro/routes/api/themes/preview.ts CHANGED Viewed

@@ -11,6 +11,7 @@ import type { APIRoute } from "astro";
 import { requirePerm } from "#api/authorize.js";
 import { apiError, apiSuccess } from "#api/error.js";
+import { getPublicOrigin } from "#api/public-url.js";
 export const prerender = false;
@@ -52,7 +53,7 @@ export const POST: APIRoute = async ({ request, url, locals }) => {
 		return apiError("INVALID_REQUEST", "previewUrl must use HTTPS", 400);
 	}
-	const source = url.origin;
+	const source = getPublicOrigin(url, emdash?.config);
 	const ttl = 3600; // 1 hour
 	const exp = Math.floor(Date.now() / 1000) + ttl;

package/src/astro/routes/api/well-known/auth.ts CHANGED Viewed

@@ -45,6 +45,7 @@ export const GET: APIRoute = async ({ locals }) => {
 			methods: {
 				device_flow: !isExternal
 					? {
+							client_id: "emdash-cli",
 							device_authorization_endpoint: "/_emdash/api/oauth/device/code",
 							token_endpoint: "/_emdash/api/oauth/device/token",
 						}

package/src/astro/routes/api/well-known/oauth-authorization-server.ts CHANGED Viewed

@@ -9,12 +9,13 @@
 import type { APIRoute } from "astro";
+import { getPublicOrigin } from "#api/public-url.js";
 import { VALID_SCOPES } from "#auth/api-tokens.js";
 export const prerender = false;
-export const GET: APIRoute = async ({ url }) => {
-	const origin = url.origin;
+export const GET: APIRoute = async ({ url, locals }) => {
+	const origin = getPublicOrigin(url, locals.emdash?.config);
 	const issuer = `${origin}/_emdash`;
 	return Response.json(

package/src/astro/routes/api/well-known/oauth-protected-resource.ts CHANGED Viewed

@@ -13,12 +13,13 @@
 import type { APIRoute } from "astro";
+import { getPublicOrigin } from "#api/public-url.js";
 import { VALID_SCOPES } from "#auth/api-tokens.js";
 export const prerender = false;
-export const GET: APIRoute = async ({ url }) => {
-	const origin = url.origin;
+export const GET: APIRoute = async ({ url, locals }) => {
+	const origin = getPublicOrigin(url, locals.emdash?.config);
 	return Response.json(
 		{

package/src/astro/routes/robots.txt.ts CHANGED Viewed

@@ -10,6 +10,7 @@
 import type { APIRoute } from "astro";
+import { getPublicOrigin } from "#api/public-url.js";
 import { getSiteSettingsWithDb } from "#settings/index.js";
 export const prerender = false;
@@ -29,7 +30,10 @@ export const GET: APIRoute = async ({ locals, url }) => {
 	try {
 		const settings = await getSiteSettingsWithDb(emdash.db);
-		const siteUrl = (settings.url || url.origin).replace(TRAILING_SLASH_RE, "");
+		const siteUrl = (settings.url || getPublicOrigin(url, emdash?.config)).replace(
+			TRAILING_SLASH_RE,
+			"",
+		);
 		const sitemapUrl = `${siteUrl}/sitemap.xml`;
 		// Use custom robots.txt if configured

package/src/astro/routes/sitemap-[collection].xml.ts ADDED Viewed

@@ -0,0 +1,104 @@
+/**
+ * Per-collection sitemap endpoint
+ *
+ * GET /sitemap-{collection}.xml - Sitemap for a single content collection.
+ *
+ * Uses the collection's url_pattern to build URLs. Falls back to
+ * /{collection}/{slug} when no pattern is configured.
+ */
+import type { APIRoute } from "astro";
+import { handleSitemapData } from "#api/handlers/seo.js";
+import { getSiteSettingsWithDb } from "#settings/index.js";
+export const prerender = false;
+const TRAILING_SLASH_RE = /\/$/;
+const AMP_RE = /&/g;
+const LT_RE = /</g;
+const GT_RE = />/g;
+const QUOT_RE = /"/g;
+const APOS_RE = /'/g;
+const SLUG_PLACEHOLDER = "{slug}";
+const ID_PLACEHOLDER = "{id}";
+export const GET: APIRoute = async ({ params, locals, url }) => {
+	const { emdash } = locals;
+	const collectionSlug = params.collection;
+	if (!emdash?.db || !collectionSlug) {
+		return new Response("<!-- EmDash not configured -->", {
+			status: 500,
+			headers: { "Content-Type": "application/xml" },
+		});
+	}
+	try {
+		const settings = await getSiteSettingsWithDb(emdash.db);
+		const siteUrl = (settings.url || url.origin).replace(TRAILING_SLASH_RE, "");
+		const result = await handleSitemapData(emdash.db, collectionSlug);
+		if (!result.success || !result.data) {
+			return new Response("<!-- Failed to generate sitemap -->", {
+				status: 500,
+				headers: { "Content-Type": "application/xml" },
+			});
+		}
+		const col = result.data.collections[0];
+		if (!col) {
+			return new Response("<!-- Collection not found or empty -->", {
+				status: 404,
+				headers: { "Content-Type": "application/xml" },
+			});
+		}
+		const lines: string[] = [
+			'<?xml version="1.0" encoding="UTF-8"?>',
+			'<urlset xmlns="http://www.sitemaps.org/schemas/sitemap/0.9">',
+		];
+		for (const entry of col.entries) {
+			const slug = entry.slug || entry.id;
+			const path = col.urlPattern
+				? col.urlPattern
+						.replace(SLUG_PLACEHOLDER, encodeURIComponent(slug))
+						.replace(ID_PLACEHOLDER, encodeURIComponent(entry.id))
+				: `/${encodeURIComponent(col.collection)}/${encodeURIComponent(slug)}`;
+			const loc = `${siteUrl}${path}`;
+			lines.push("  <url>");
+			lines.push(`    <loc>${escapeXml(loc)}</loc>`);
+			lines.push(`    <lastmod>${escapeXml(entry.updatedAt)}</lastmod>`);
+			lines.push("  </url>");
+		}
+		lines.push("</urlset>");
+		return new Response(lines.join("\n"), {
+			status: 200,
+			headers: {
+				"Content-Type": "application/xml; charset=utf-8",
+				"Cache-Control": "public, max-age=3600",
+			},
+		});
+	} catch {
+		return new Response("<!-- Internal error generating sitemap -->", {
+			status: 500,
+			headers: { "Content-Type": "application/xml" },
+		});
+	}
+};
+/** Escape special XML characters in a string */
+function escapeXml(str: string): string {
+	return str
+		.replace(AMP_RE, "&amp;")
+		.replace(LT_RE, "&lt;")
+		.replace(GT_RE, "&gt;")
+		.replace(QUOT_RE, "&quot;")
+		.replace(APOS_RE, "&apos;");
+}

package/src/astro/routes/sitemap.xml.ts CHANGED Viewed

@@ -1,18 +1,17 @@
 /**
- * Sitemap XML endpoint
+ * Sitemap index endpoint
  *
- * GET /sitemap.xml - Auto-generated sitemap from published content
+ * GET /sitemap.xml - Sitemap index listing one sitemap per collection.
  *
- * Includes all published, non-noindex content across all collections.
- * The site URL is read from site settings or the request URL origin.
- *
- * Default URL pattern: /{collection}/{slug-or-id}. Users can override
- * by creating their own /sitemap.xml route in their Astro project.
+ * Each collection with published, indexable content gets its own
+ * child sitemap at /sitemap-{collection}.xml. The index includes
+ * a <lastmod> per child derived from the most recently updated entry.
  */
 import type { APIRoute } from "astro";
 import { handleSitemapData } from "#api/handlers/seo.js";
+import { getPublicOrigin } from "#api/public-url.js";
 import { getSiteSettingsWithDb } from "#settings/index.js";
 export const prerender = false;
@@ -35,9 +34,11 @@ export const GET: APIRoute = async ({ locals, url }) => {
 	}
 	try {
-		// Determine site URL from settings or request origin
 		const settings = await getSiteSettingsWithDb(emdash.db);
-		const siteUrl = (settings.url || url.origin).replace(TRAILING_SLASH_RE, "");
+		const siteUrl = (settings.url || getPublicOrigin(url, emdash?.config)).replace(
+			TRAILING_SLASH_RE,
+			"",
+		);
 		const result = await handleSitemapData(emdash.db);
@@ -48,28 +49,22 @@ export const GET: APIRoute = async ({ locals, url }) => {
 			});
 		}
-		const entries = result.data.entries;
+		const { collections } = result.data;
-		// Build XML
 		const lines: string[] = [
 			'<?xml version="1.0" encoding="UTF-8"?>',
-			'<urlset xmlns="http://www.sitemaps.org/schemas/sitemap/0.9">',
+			'<sitemapindex xmlns="http://www.sitemaps.org/schemas/sitemap/0.9">',
 		];
-		for (const entry of entries) {
-			// Default URL pattern: /{collection}/{identifier}
-			// Encode path segments to handle slugs with spaces/unicode/reserved chars
-			const loc = `${siteUrl}/${encodeURIComponent(entry.collection)}/${encodeURIComponent(entry.identifier)}`;
-			lines.push("  <url>");
+		for (const col of collections) {
+			const loc = `${siteUrl}/sitemap-${encodeURIComponent(col.collection)}.xml`;
+			lines.push("  <sitemap>");
 			lines.push(`    <loc>${escapeXml(loc)}</loc>`);
-			lines.push(`    <lastmod>${escapeXml(entry.updatedAt)}</lastmod>`);
-			lines.push("    <changefreq>weekly</changefreq>");
-			lines.push("    <priority>0.7</priority>");
-			lines.push("  </url>");
+			lines.push(`    <lastmod>${escapeXml(col.lastmod)}</lastmod>`);
+			lines.push("  </sitemap>");
 		}
-		lines.push("</urlset>");
+		lines.push("</sitemapindex>");
 		return new Response(lines.join("\n"), {
 			status: 200,