emdash 0.1.1 → 0.3.0

package/src/astro/integration/runtime.ts

@@ -263,17 +263,19 @@ export interface EmDashConfig {
 	marketplace?: string;
 
 	/**
-	 * Public browser origin for passkey verification (rpId + expected WebAuthn origin).
+	 * Public browser-facing origin for the site.
 	 *
 	 * Use when `Astro.url` / `request.url` do not match what users open — common with a
 	 * **TLS-terminating reverse proxy**: the app often sees `http://` on the internal hop
-	 * while the browser uses `https://`, which breaks WebAuthn origin checks.
+	 * while the browser uses `https://`, which breaks WebAuthn, CSRF, OAuth, and redirect URLs.
 	 *
 	 * Set to the full origin users type in the address bar (no path), e.g.
-	 * `https://emdash.local:8443`. Prefer fixing `security.allowedDomains` for the proxy first;
-	 * use this when the reconstructed URL still diverges from the browser.
+	 * `https://mysite.example.com`. When not set, falls back to environment variables
+	 * `EMDASH_SITE_URL` > `SITE_URL`, then to the request URL's origin.
+	 *
+	 * Replaces `passkeyPublicOrigin` (which only fixed passkeys).
 	 */
-	passkeyPublicOrigin?: string;
+	siteUrl?: string;
 
 	/**
 	 * Enable playground mode for ephemeral "try EmDash" sites.

package/src/astro/integration/vite-config.ts

@@ -5,6 +5,7 @@
  * Vite-specific configuration for EmDash.
  */
 
+import { existsSync } from "node:fs";
 import { createRequire } from "node:module";
 import { dirname, resolve } from "node:path";
 import { fileURLToPath } from "node:url";
@@ -12,6 +13,7 @@ import { fileURLToPath } from "node:url";
 import type { AstroConfig } from "astro";
 import type { Plugin } from "vite";
 
+import { COMMIT, VERSION } from "../../version.js";
 import type { EmDashConfig, PluginDescriptor } from "./runtime.js";
 import {
 	VIRTUAL_CONFIG_ID,
@@ -49,6 +51,45 @@ import {
 	generateBlockComponentsModule,
 } from "./virtual-modules.js";
 
+const LOCALE_MESSAGES_RE = /[/\\]([a-z]{2}(?:-[A-Z]{2})?)[/\\]messages\.mjs$/;
+/**
+ * Vite plugin that compiles Lingui macros in admin source files.
+ * Only active in dev mode when the admin package is aliased to source for HMR.
+ * @babel/core is dynamically imported from admin's devDependencies —
+ * not declared by core, never ships to end users.
+ */
+function linguiMacroPlugin(adminSourcePath: string, adminDistPath: string): Plugin {
+	// Resolve @babel/core from admin's devDependencies, not core's.
+	const adminRequire = createRequire(resolve(adminDistPath, "index.js"));
+	const babelCorePath = adminRequire.resolve("@babel/core");
+
+	return {
+		name: "emdash-lingui-macro",
+		enforce: "pre",
+		resolveId(id, importer) {
+			// Redirect relative locale catalog imports (e.g. ./de/messages.mjs) from
+			// within admin source to the compiled dist/locales/ directory, since
+			// lingui compile only runs during build — not in dev watch mode.
+			if (!importer?.startsWith(adminSourcePath)) return;
+			const match = id.match(LOCALE_MESSAGES_RE);
+			if (match?.[1]) {
+				return resolve(adminDistPath, "locales", match[1], "messages.mjs");
+			}
+		},
+		async transform(code, id) {
+			if (!id.startsWith(adminSourcePath) || !code.includes("@lingui")) return;
+			const { transformAsync } = (await import(babelCorePath)) as typeof import("@babel/core");
+			const result = await transformAsync(code, {
+				filename: id,
+				plugins: ["@lingui/babel-plugin-lingui-macro"],
+				parserOpts: { plugins: ["jsx", "typescript"] },
+			});
+			if (!result?.code) return;
+			return { code: result.code, map: result.map ?? undefined };
+		},
+	};
+}
+
 /**
  * Resolve path to the admin package dist directory.
  * Used for Vite alias to ensure the package is found in pnpm's isolated node_modules.
@@ -72,13 +113,8 @@ function resolveAdminSource(): string | undefined {
 	const packageRoot = resolve(dirname(adminPath), "..");
 	const srcEntry = resolve(packageRoot, "src", "index.ts");
 
-	// Only use source alias if the source directory actually exists
-	// (won't exist in published packages, only in the monorepo)
 	try {
-		// Use require.resolve mechanics — if the file exists, return the source dir
-		// eslint-disable-next-line typescript-eslint(no-unsafe-type-assertion) -- CJS require returns any
-		const fs = require("node:fs") as typeof import("node:fs");
-		if (fs.existsSync(srcEntry)) {
+		if (existsSync(srcEntry)) {
 			return resolve(packageRoot, "src");
 		}
 	} catch {
@@ -243,6 +279,12 @@ export function createViteConfig(
 	const useSource = adminSourcePath !== undefined;
 
 	return {
+		// Astro SSR routes resolve version.ts from source (not tsdown dist),
+		// so Vite needs its own define pass for the __EMDASH_*__ placeholders.
+		define: {
+			__EMDASH_VERSION__: JSON.stringify(VERSION),
+			__EMDASH_COMMIT__: JSON.stringify(COMMIT),
+		},
 		resolve: {
 			dedupe: ["@emdash-cms/admin", "react", "react-dom"],
 			// Array form so more-specific entries are checked first.
@@ -250,14 +292,18 @@ export function createViteConfig(
 			// Vite's prefix matching on "@emdash-cms/admin" would resolve
 			// "@emdash-cms/admin/styles.css" through the source directory.
 			alias: [
-				// CSS: always dist (pre-compiled by @tailwindcss/cli)
 				{ find: "@emdash-cms/admin/styles.css", replacement: resolve(adminDistPath, "styles.css") },
-				// JS: source in dev (HMR), dist in build
 				{ find: "@emdash-cms/admin", replacement: useSource ? adminSourcePath : adminDistPath },
 			],
 		},
 		// eslint-disable-next-line typescript-eslint(no-unsafe-type-assertion) -- Monorepo has both vite 6 (docs) and vite 7 (core). tsgo resolves correctly.
-		plugins: [createVirtualModulesPlugin(options)] as NonNullable<AstroConfig["vite"]>["plugins"],
+		plugins: [
+			createVirtualModulesPlugin(options),
+			// In dev mode with source alias, compile Lingui macros on the fly
+			// and redirect locale .mjs imports to dist/.
+			// In production, macros are pre-compiled by tsdown in the admin package.
+			...(useSource ? [linguiMacroPlugin(adminSourcePath!, adminDistPath)] : []),
+		] as NonNullable<AstroConfig["vite"]>["plugins"],
 		// Handle native modules for SSR.
 		// On Node: external keeps native addons out of the SSR bundle.
 		// On Cloudflare: skip — the adapter handles externalization, and setting

package/src/astro/middleware/auth.ts

@@ -20,6 +20,7 @@ import { authenticate as virtualAuthenticate } from "virtual:emdash/auth";
 
 import { checkPublicCsrf } from "../../api/csrf.js";
 import { apiError } from "../../api/error.js";
+import { getPublicOrigin } from "../../api/public-url.js";
 
 /** Cache headers for middleware error responses (matches API_CACHE_HEADERS in api/error.ts) */
 const MW_CACHE_HEADERS = {
@@ -30,6 +31,7 @@ import { hasScope } from "../../auth/api-tokens.js";
 import { getAuthMode, type ExternalAuthMode } from "../../auth/mode.js";
 import type { ExternalAuthConfig } from "../../auth/types.js";
 import type { EmDashHandlers, EmDashManifest } from "../types.js";
+import { buildEmDashCsp } from "./csp.js";
 
 declare global {
 	namespace App {
@@ -49,34 +51,37 @@ declare global {
 
 // Role level constants (matching @emdash-cms/auth)
 const ROLE_ADMIN = 50;
+const MCP_ENDPOINT_PATH = "/_emdash/api/mcp";
 
-/**
- * Strict Content-Security-Policy for /_emdash routes (admin + API).
- *
- * Applied via middleware header rather than Astro's built-in CSP because
- * Astro's auto-hashing defeats 'unsafe-inline' (CSP3 ignores 'unsafe-inline'
- * when hashes are present), which would break user-facing pages.
- */
-function buildEmDashCsp(marketplaceUrl?: string): string {
-	const imgSources = ["'self'", "data:", "blob:"];
-	if (marketplaceUrl) {
-		try {
-			imgSources.push(new URL(marketplaceUrl).origin);
-		} catch {
-			// ignore invalid marketplace URL
-		}
-	}
-	return [
-		"default-src 'self'",
-		"script-src 'self' 'unsafe-inline'",
-		"style-src 'self' 'unsafe-inline'",
-		"connect-src 'self'",
-		"form-action 'self'",
-		"frame-ancestors 'none'",
-		`img-src ${imgSources.join(" ")}`,
-		"object-src 'none'",
-		"base-uri 'self'",
-	].join("; ");
+function isUnsafeMethod(method: string): boolean {
+	return method !== "GET" && method !== "HEAD" && method !== "OPTIONS";
+}
+
+function csrfRejectedResponse(): Response {
+	return new Response(
+		JSON.stringify({ error: { code: "CSRF_REJECTED", message: "Missing required header" } }),
+		{
+			status: 403,
+			headers: { "Content-Type": "application/json", ...MW_CACHE_HEADERS },
+		},
+	);
+}
+
+function mcpUnauthorizedResponse(
+	url: URL,
+	config?: Parameters<typeof getPublicOrigin>[1],
+): Response {
+	const origin = getPublicOrigin(url, config);
+	return Response.json(
+		{ error: { code: "NOT_AUTHENTICATED", message: "Not authenticated" } },
+		{
+			status: 401,
+			headers: {
+				"WWW-Authenticate": `Bearer resource_metadata="${origin}/.well-known/oauth-protected-resource"`,
+				...MW_CACHE_HEADERS,
+			},
+		},
+	);
 }
 
 /**
@@ -108,6 +113,10 @@ const PUBLIC_API_EXACT = new Set([
 	"/_emdash/api/auth/passkey/verify",
 	"/_emdash/api/oauth/token",
 	"/_emdash/api/snapshot",
+	// Public site search — read-only. The query layer hardcodes status='published'
+	// so unauthenticated callers only see published content. Admin endpoints
+	// (/enable, /rebuild, /stats) remain private because they're not in this set.
+	"/_emdash/api/search",
 ]);
 
 function isPublicEmDashRoute(pathname: string): boolean {
@@ -134,7 +143,8 @@ export const onRequest = defineMiddleware(async (context, next) => {
 	if (isPublicApiRoute) {
 		const method = context.request.method.toUpperCase();
 		if (method !== "GET" && method !== "HEAD" && method !== "OPTIONS") {
-			const csrfError = checkPublicCsrf(context.request, url);
+			const publicOrigin = getPublicOrigin(url, context.locals.emdash?.config);
+			const csrfError = checkPublicCsrf(context.request, url, publicOrigin);
 			if (csrfError) return csrfError;
 		}
 		return next();
@@ -148,7 +158,8 @@ export const onRequest = defineMiddleware(async (context, next) => {
 	if (isPluginRoute) {
 		const method = context.request.method.toUpperCase();
 		if (method !== "GET" && method !== "HEAD" && method !== "OPTIONS") {
-			const csrfError = checkPublicCsrf(context.request, url);
+			const publicOrigin = getPublicOrigin(url, context.locals.emdash?.config);
+			const csrfError = checkPublicCsrf(context.request, url, publicOrigin);
 			if (csrfError) return csrfError;
 		}
 		return handlePluginRouteAuth(context, next);
@@ -192,8 +203,9 @@ export const onRequest = defineMiddleware(async (context, next) => {
 		};
 		// Add WWW-Authenticate header on MCP endpoint 401s to trigger OAuth discovery
 		if (url.pathname === "/_emdash/api/mcp") {
+			const origin = getPublicOrigin(url, context.locals.emdash?.config);
 			headers["WWW-Authenticate"] =
-				`Bearer resource_metadata="${url.origin}/.well-known/oauth-protected-resource"`;
+				`Bearer resource_metadata="${origin}/.well-known/oauth-protected-resource"`;
 		}
 		return new Response(
 			JSON.stringify({ error: { code: "INVALID_TOKEN", message: "Invalid or expired token" } }),
@@ -203,31 +215,31 @@ export const onRequest = defineMiddleware(async (context, next) => {
 
 	const isTokenAuth = bearerResult === "authenticated";
 
+	// MCP discovery/tooling is bearer-only. Session/external auth should never
+	// be consulted for this endpoint, and unauthenticated requests must return
+	// the OAuth discovery-style 401 response.
+	const method = context.request.method.toUpperCase();
+	const isMcpEndpoint = url.pathname === MCP_ENDPOINT_PATH;
+	if (isMcpEndpoint && !isTokenAuth) {
+		return mcpUnauthorizedResponse(url, context.locals.emdash?.config);
+	}
+
 	// CSRF protection: require X-EmDash-Request header on state-changing requests.
 	// Skip for token-authenticated requests (tokens aren't ambient credentials).
 	// Browsers block cross-origin custom headers, so this prevents CSRF without tokens.
 	// OAuth authorize consent is exempt: it's a standard HTML form POST that can't
 	// include custom headers. The consent flow is protected by session + single-use codes.
-	const method = context.request.method.toUpperCase();
 	const isOAuthConsent = url.pathname.startsWith("/_emdash/oauth/authorize");
 	if (
 		isApiRoute &&
 		!isTokenAuth &&
 		!isOAuthConsent &&
-		method !== "GET" &&
-		method !== "HEAD" &&
-		method !== "OPTIONS" &&
+		isUnsafeMethod(method) &&
 		!isPublicApiRoute
 	) {
 		const csrfHeader = context.request.headers.get("X-EmDash-Request");
 		if (csrfHeader !== "1") {
-			return new Response(
-				JSON.stringify({ error: { code: "CSRF_REJECTED", message: "Missing required header" } }),
-				{
-					status: 403,
-					headers: { "Content-Type": "application/json", ...MW_CACHE_HEADERS },
-				},
-			);
+			return csrfRejectedResponse();
 		}
 	}
 
@@ -239,8 +251,7 @@ export const onRequest = defineMiddleware(async (context, next) => {
 
 		const response = await next();
 		if (!import.meta.env.DEV) {
-			const marketplaceUrl = context.locals.emdash?.config.marketplace;
-			response.headers.set("Content-Security-Policy", buildEmDashCsp(marketplaceUrl));
+			response.headers.set("Content-Security-Policy", buildEmDashCsp());
 		}
 		return response;
 	}
@@ -249,8 +260,7 @@ export const onRequest = defineMiddleware(async (context, next) => {
 
 	// Set strict CSP on all /_emdash responses (prod only)
 	if (!import.meta.env.DEV) {
-		const marketplaceUrl = context.locals.emdash?.config.marketplace;
-		response.headers.set("Content-Security-Policy", buildEmDashCsp(marketplaceUrl));
+		response.headers.set("Content-Security-Policy", buildEmDashCsp());
 	}
 
 	return response;
@@ -584,20 +594,13 @@ async function handlePasskeyAuth(
 		const sessionUser = await session?.get("user");
 
 		if (!sessionUser?.id) {
-			// Not authenticated
 			if (isApiRoute) {
-				const headers: Record<string, string> = { ...MW_CACHE_HEADERS };
-				// Add WWW-Authenticate on MCP endpoint 401s to trigger OAuth discovery
-				if (url.pathname === "/_emdash/api/mcp") {
-					headers["WWW-Authenticate"] =
-						`Bearer resource_metadata="${url.origin}/.well-known/oauth-protected-resource"`;
-				}
 				return Response.json(
 					{ error: { code: "NOT_AUTHENTICATED", message: "Not authenticated" } },
-					{ status: 401, headers },
+					{ status: 401, headers: MW_CACHE_HEADERS },
 				);
 			}
-			const loginUrl = new URL("/_emdash/admin/login", url.origin);
+			const loginUrl = new URL("/_emdash/admin/login", getPublicOrigin(url, emdash?.config));
 			loginUrl.searchParams.set("redirect", url.pathname);
 			return context.redirect(loginUrl.toString());
 		}
@@ -615,7 +618,8 @@ async function handlePasskeyAuth(
 					{ status: 401, headers: MW_CACHE_HEADERS },
 				);
 			}
-			return context.redirect("/_emdash/admin/login");
+			const loginUrl = new URL("/_emdash/admin/login", getPublicOrigin(url, emdash?.config));
+			return context.redirect(loginUrl.toString());
 		}
 
 		// Check if user is disabled
@@ -624,7 +628,7 @@ async function handlePasskeyAuth(
 			if (isApiRoute) {
 				return apiError("ACCOUNT_DISABLED", "Account disabled", 403);
 			}
-			const loginUrl = new URL("/_emdash/admin/login", url.origin);
+			const loginUrl = new URL("/_emdash/admin/login", getPublicOrigin(url, emdash?.config));
 			loginUrl.searchParams.set("error", "account_disabled");
 			return context.redirect(loginUrl.toString());
 		}

package/src/astro/middleware/csp.ts

@@ -0,0 +1,25 @@
+/**
+ * Strict Content-Security-Policy for /_emdash routes (admin + API).
+ *
+ * Applied via middleware header rather than Astro's built-in CSP because
+ * Astro's auto-hashing defeats 'unsafe-inline' (CSP3 ignores 'unsafe-inline'
+ * when hashes are present), which would break user-facing pages.
+ *
+ * img-src allows any HTTPS origin because the admin renders user content that
+ * may reference external images (migrations, external hosting, embeds).
+ * Plugin security does not rely on img-src -- plugins run in V8 isolates with
+ * no DOM access, and connect-src 'self' blocks fetch-based exfiltration.
+ */
+export function buildEmDashCsp(): string {
+	return [
+		"default-src 'self'",
+		"script-src 'self' 'unsafe-inline'",
+		"style-src 'self' 'unsafe-inline'",
+		"connect-src 'self'",
+		"form-action 'self'",
+		"frame-ancestors 'none'",
+		"img-src 'self' https: data: blob:",
+		"object-src 'none'",
+		"base-uri 'self'",
+	].join("; ");
+}

package/src/astro/middleware.ts

@@ -45,6 +45,7 @@ import type { SandboxRunner } from "../plugins/sandbox/types.js";
 import type { ResolvedPlugin } from "../plugins/types.js";
 import { runWithContext } from "../request-context.js";
 import type { EmDashConfig } from "./integration/runtime.js";
+import type { EmDashHandlers } from "./types.js";
 
 // Cached runtime instance (persists across requests within worker)
 let runtimeInstance: EmDashRuntime | null = null;
@@ -177,6 +178,7 @@ function setBaselineSecurityHeaders(response: Response): void {
 
 /** Public routes that require the runtime (sitemap, robots.txt, etc.) */
 const PUBLIC_RUNTIME_ROUTES = new Set(["/sitemap.xml", "/robots.txt"]);
+const SITEMAP_COLLECTION_RE = /^\/sitemap-[a-z][a-z0-9_]*\.xml$/;
 
 export const onRequest = defineMiddleware(async (context, next) => {
 	const { request, locals, cookies } = context;
@@ -185,7 +187,8 @@ export const onRequest = defineMiddleware(async (context, next) => {
 	// Process /_emdash routes and public routes with an active session
 	// (logged-in editors need the runtime for toolbar/visual editing on public pages)
 	const isEmDashRoute = url.pathname.startsWith("/_emdash");
-	const isPublicRuntimeRoute = PUBLIC_RUNTIME_ROUTES.has(url.pathname);
+	const isPublicRuntimeRoute =
+		PUBLIC_RUNTIME_ROUTES.has(url.pathname) || SITEMAP_COLLECTION_RE.test(url.pathname);
 
 	// Check for edit mode cookie - editors viewing public pages need the runtime
 	// so auth middleware can verify their session for visual editing
@@ -198,7 +201,7 @@ export const onRequest = defineMiddleware(async (context, next) => {
 	const playgroundDb = locals.__playgroundDb;
 
 	if (!isEmDashRoute && !isPublicRuntimeRoute && !hasEditCookie && !hasPreviewToken) {
-		const sessionUser = await context.session?.get("user");
+		const sessionUser = context.isPrerendered ? null : await context.session?.get("user");
 		if (!sessionUser && !playgroundDb) {
 			// On a fresh deployment the database may be completely empty.
 			// Public pages call getSiteSettings() / getMenu() via getDb(), which
@@ -222,6 +225,25 @@ export const onRequest = defineMiddleware(async (context, next) => {
 				}
 			}
 
+			// Initialize the runtime for page:metadata and page:fragments hooks.
+			// The runtime is a cached singleton — after the first request,
+			// getRuntime() is just a null-check. This enables SEO plugins to
+			// contribute meta tags for all visitors, not just logged-in editors.
+			const config = getConfig();
+			if (config) {
+				try {
+					const runtime = await getRuntime(config);
+					setupVerified = true;
+					// eslint-disable-next-line typescript-eslint(no-unsafe-type-assertion) -- partial object; getPageRuntime() only checks for these two methods
+					locals.emdash = {
+						collectPageMetadata: runtime.collectPageMetadata.bind(runtime),
+						collectPageFragments: runtime.collectPageFragments.bind(runtime),
+					} as EmDashHandlers;
+				} catch {
+					// Non-fatal — EmDashHead will fall back to base SEO contributions
+				}
+			}
+
 			const response = await next();
 			setBaselineSecurityHeaders(response);
 			return response;
@@ -298,6 +320,10 @@ export const onRequest = defineMiddleware(async (context, next) => {
 				getMediaProvider: runtime.getMediaProvider.bind(runtime),
 				getMediaProviderList: runtime.getMediaProviderList.bind(runtime),
 
+				// Page contribution methods (for EmDashHead/EmDashBodyStart/EmDashBodyEnd)
+				collectPageMetadata: runtime.collectPageMetadata.bind(runtime),
+				collectPageFragments: runtime.collectPageFragments.bind(runtime),
+
 				// Direct access (for advanced use cases)
 				storage: runtime.storage,
 				db: runtime.db,
@@ -350,7 +376,9 @@ export const onRequest = defineMiddleware(async (context, next) => {
 			const d1Binding = (virtualGetD1Binding as (config: unknown) => unknown)(dbConfig);
 
 			if (d1Binding && typeof d1Binding === "object" && "withSession" in d1Binding) {
-				const isAuthenticated = !!(await context.session?.get("user"));
+				const isAuthenticated = context.isPrerendered
+					? false
+					: !!(await context.session?.get("user"));
 				const isWrite = request.method !== "GET" && request.method !== "HEAD";
 
 				// Determine session constraint:

package/src/astro/routes/PluginRegistry.tsx

@@ -7,9 +7,15 @@
  */
 
 import { AdminApp } from "@emdash-cms/admin";
+import type { Messages } from "@lingui/core";
 // @ts-ignore - virtual module generated by integration
 import { pluginAdmins } from "virtual:emdash/admin-registry";
 
-export default function AdminWrapper() {
-	return <AdminApp pluginAdmins={pluginAdmins} />;
+interface AdminWrapperProps {
+	locale: string;
+	messages: Messages;
+}
+
+export default function AdminWrapper({ locale, messages }: AdminWrapperProps) {
+	return <AdminApp pluginAdmins={pluginAdmins} locale={locale} messages={messages} />;
 }

package/src/astro/routes/admin.astro

@@ -11,10 +11,15 @@ import "@emdash-cms/admin/styles.css";
 import AdminWrapper from "emdash/routes/PluginRegistry";
 
 export const prerender = false;
+
+import { resolveLocale, loadMessages } from "@emdash-cms/admin/locales";
+
+const resolvedLocale = resolveLocale(Astro.request);
+const messages = await loadMessages(resolvedLocale);
 ---
 
 <!doctype html>
-<html lang="en">
+<html lang={resolvedLocale}>
 	<head>
 		<meta charset="UTF-8" />
 		<meta name="viewport" content="width=device-width, initial-scale=1.0" />
@@ -75,7 +80,7 @@ export const prerender = false;
 					<p>Loading EmDash...</p>
 				</div>
 			</div>
-			<AdminWrapper client:only="react" />
+			<AdminWrapper client:only="react" locale={resolvedLocale} messages={messages} />
 		</div>
 	</body>
 </html>

package/src/astro/routes/api/admin/users/[id]/disable.ts

@@ -9,6 +9,7 @@ import { createKyselyAdapter } from "@emdash-cms/auth/adapters/kysely";
 import type { APIRoute } from "astro";
 
 import { apiError, apiSuccess, handleError } from "#api/error.js";
+import { withTransaction } from "#db/transaction.js";
 
 export const prerender = false;
 
@@ -43,20 +44,25 @@ export const POST: APIRoute = async ({ params, locals }) => {
 			return apiError("NOT_FOUND", "User not found", 404);
 		}
 
-		// Check if this would leave no active admins
-		if (targetUser.role === Role.ADMIN) {
-			const adminCount = await adapter.countAdmins();
-			if (adminCount <= 1) {
-				return apiError(
-					"VALIDATION_ERROR",
-					"Cannot disable the last admin. Promote another user first.",
-					400,
-				);
+		// Wrap admin check + disable in a transaction to prevent two
+		// concurrent requests from both passing the count check.
+		const lastAdminBlocked = await withTransaction(emdash.db, async (trx) => {
+			const trxAdapter = createKyselyAdapter(trx);
+			if (targetUser.role === Role.ADMIN) {
+				const adminCount = await trxAdapter.countAdmins();
+				if (adminCount <= 1) return true;
 			}
-		}
+			await trxAdapter.updateUser(id, { disabled: true });
+			return false;
+		});
 
-		// Disable user
-		await adapter.updateUser(id, { disabled: true });
+		if (lastAdminBlocked) {
+			return apiError(
+				"VALIDATION_ERROR",
+				"Cannot disable the last admin. Promote another user first.",
+				400,
+			);
+		}
 
 		// SEC-43: Revoke all OAuth tokens for the disabled user.
 		// Without this, existing refresh tokens remain valid for up to 90 days.

package/src/astro/routes/api/admin/users/[id]/index.ts

@@ -12,6 +12,7 @@ import type { APIRoute } from "astro";
 import { apiError, apiSuccess, handleError } from "#api/error.js";
 import { isParseError, parseBody } from "#api/parse.js";
 import { userUpdateBody } from "#api/schemas.js";
+import { withTransaction } from "#db/transaction.js";
 
 export const prerender = false;
 
@@ -117,13 +118,33 @@ export const PUT: APIRoute = async ({ params, request, locals }) => {
 			}
 		}
 
-		// Update user
-		await adapter.updateUser(id, {
-			name: body.name,
-			email: body.email,
-			role,
+		// Wrap admin demotion guard + update in a transaction to prevent
+		// two concurrent demotions from both passing the count check.
+		const isDemotingAdmin =
+			role !== undefined && role < Role.ADMIN && targetUser.role === Role.ADMIN;
+
+		const lastAdminBlocked = await withTransaction(emdash.db, async (trx) => {
+			const trxAdapter = createKyselyAdapter(trx);
+			if (isDemotingAdmin) {
+				const adminCount = await trxAdapter.countAdmins();
+				if (adminCount <= 1) return true;
+			}
+			await trxAdapter.updateUser(id, {
+				name: body.name,
+				email: body.email,
+				role,
+			});
+			return false;
 		});
 
+		if (lastAdminBlocked) {
+			return apiError(
+				"LAST_ADMIN",
+				"Cannot demote the last admin. Promote another user first.",
+				400,
+			);
+		}
+
 		// Fetch updated user
 		const updated = await adapter.getUserById(id);
 

package/src/astro/routes/api/auth/invite/complete.ts

@@ -15,6 +15,7 @@ import { verifyRegistrationResponse, registerPasskey } from "@emdash-cms/auth/pa
 
 import { apiError, apiSuccess, handleError } from "#api/error.js";
 import { isParseError, parseBody } from "#api/parse.js";
+import { getPublicOrigin } from "#api/public-url.js";
 import { inviteCompleteBody } from "#api/schemas.js";
 import { createChallengeStore } from "#auth/challenge-store.js";
 import { getPasskeyConfig } from "#auth/passkey-config.js";
@@ -22,7 +23,6 @@ import { OptionsRepository } from "#db/repositories/options.js";
 
 export const POST: APIRoute = async ({ request, locals, session }) => {
 	const { emdash } = locals;
-	const passkeyPublicOrigin = emdash?.config.passkeyPublicOrigin;
 
 	if (!emdash?.db) {
 		return apiError("NOT_CONFIGURED", "EmDash is not initialized", 500);
@@ -38,7 +38,8 @@ export const POST: APIRoute = async ({ request, locals, session }) => {
 		const url = new URL(request.url);
 		const options = new OptionsRepository(emdash.db);
 		const siteName = (await options.get<string>("emdash:site_title")) ?? undefined;
-		const passkeyConfig = getPasskeyConfig(url, siteName, passkeyPublicOrigin);
+		const siteUrl = getPublicOrigin(url, emdash?.config);
+		const passkeyConfig = getPasskeyConfig(url, siteName, siteUrl);
 
 		// Verify the passkey registration response
 		const challengeStore = createChallengeStore(emdash.db);

package/src/astro/routes/api/auth/oauth/[provider]/callback.ts

@@ -17,6 +17,7 @@ import {
 } from "@emdash-cms/auth";
 import { createKyselyAdapter } from "@emdash-cms/auth/adapters/kysely";
 
+import { getPublicOrigin } from "#api/public-url.js";
 import { createOAuthStateStore } from "#auth/oauth-state-store.js";
 
 type ProviderName = "github" | "google";
@@ -126,7 +127,7 @@ export const GET: APIRoute = async ({ params, request, locals, session, redirect
 		}
 
 		const config: OAuthConsumerConfig = {
-			baseUrl: `${url.origin}/_emdash`,
+			baseUrl: `${getPublicOrigin(url, emdash?.config)}/_emdash`,
 			providers,
 			canSelfSignup: async (email: string) => {
 				// Extract domain from email