emdash 0.13.0 → 0.15.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (605) hide show
  1. package/dist/{adapters-9DybjTO6.d.mts → adapters-C4yd_UJR.d.mts} +1 -1
  2. package/dist/{adapters-9DybjTO6.d.mts.map → adapters-C4yd_UJR.d.mts.map} +1 -1
  3. package/dist/{allowed-origins-CDdG-4Gd.mjs → allowed-origins-D0fFk9a6.mjs} +2 -2
  4. package/dist/{allowed-origins-CDdG-4Gd.mjs.map → allowed-origins-D0fFk9a6.mjs.map} +1 -1
  5. package/dist/api/route-utils.d.mts +3 -3
  6. package/dist/api/route-utils.mjs +15 -15
  7. package/dist/api/schemas/index.d.mts +2 -2
  8. package/dist/api/schemas/index.mjs +3 -3
  9. package/dist/{api-ayIQ7rIe.mjs → api-CLwG_3dh.mjs} +523 -59
  10. package/dist/api-CLwG_3dh.mjs.map +1 -0
  11. package/dist/{api-tokens-eYymBhIT.mjs → api-tokens-ucpcNXDt.mjs} +2 -2
  12. package/dist/{api-tokens-eYymBhIT.mjs.map → api-tokens-ucpcNXDt.mjs.map} +1 -1
  13. package/dist/{apply-v4DBgjPw.mjs → apply-wJhM_bwU.mjs} +17 -17
  14. package/dist/{apply-v4DBgjPw.mjs.map → apply-wJhM_bwU.mjs.map} +1 -1
  15. package/dist/astro/index.d.mts +10 -10
  16. package/dist/astro/index.mjs +21 -5
  17. package/dist/astro/index.mjs.map +1 -1
  18. package/dist/astro/middleware/auth.d.mts +9 -9
  19. package/dist/astro/middleware/auth.mjs +6 -6
  20. package/dist/astro/middleware/auth.mjs.map +1 -1
  21. package/dist/astro/middleware/redirect.mjs +4 -4
  22. package/dist/astro/middleware/request-context.mjs +2 -2
  23. package/dist/astro/middleware/request-context.mjs.map +1 -1
  24. package/dist/astro/middleware/setup.mjs +1 -1
  25. package/dist/astro/middleware.d.mts.map +1 -1
  26. package/dist/astro/middleware.mjs +353 -71
  27. package/dist/astro/middleware.mjs.map +1 -1
  28. package/dist/astro/routes/api/admin/allowed-domains/_domain_.mjs +5 -5
  29. package/dist/astro/routes/api/admin/allowed-domains/index.mjs +5 -5
  30. package/dist/astro/routes/api/admin/api-tokens/_id_.mjs +4 -4
  31. package/dist/astro/routes/api/admin/api-tokens/index.mjs +5 -5
  32. package/dist/astro/routes/api/admin/bylines/_id_/index.d.mts.map +1 -1
  33. package/dist/astro/routes/api/admin/bylines/_id_/index.mjs +14 -17
  34. package/dist/astro/routes/api/admin/bylines/_id_/index.mjs.map +1 -1
  35. package/dist/astro/routes/api/admin/bylines/_id_/translations.d.mts +9 -0
  36. package/dist/astro/routes/api/admin/bylines/_id_/translations.d.mts.map +1 -0
  37. package/dist/astro/routes/api/admin/bylines/_id_/translations.mjs +70 -0
  38. package/dist/astro/routes/api/admin/bylines/_id_/translations.mjs.map +1 -0
  39. package/dist/astro/routes/api/admin/bylines/index.d.mts.map +1 -1
  40. package/dist/astro/routes/api/admin/bylines/index.mjs +25 -16
  41. package/dist/astro/routes/api/admin/bylines/index.mjs.map +1 -1
  42. package/dist/astro/routes/api/admin/comments/_id_/status.mjs +10 -10
  43. package/dist/astro/routes/api/admin/comments/_id_.mjs +5 -5
  44. package/dist/astro/routes/api/admin/comments/bulk.mjs +8 -8
  45. package/dist/astro/routes/api/admin/comments/counts.mjs +5 -5
  46. package/dist/astro/routes/api/admin/comments/index.mjs +8 -8
  47. package/dist/astro/routes/api/admin/hooks/exclusive/_hookName_.mjs +4 -4
  48. package/dist/astro/routes/api/admin/hooks/exclusive/index.mjs +3 -3
  49. package/dist/astro/routes/api/admin/oauth-clients/_id_.mjs +4 -4
  50. package/dist/astro/routes/api/admin/oauth-clients/index.mjs +4 -4
  51. package/dist/astro/routes/api/admin/plugins/_id_/disable.mjs +32 -31
  52. package/dist/astro/routes/api/admin/plugins/_id_/disable.mjs.map +1 -1
  53. package/dist/astro/routes/api/admin/plugins/_id_/enable.mjs +32 -31
  54. package/dist/astro/routes/api/admin/plugins/_id_/enable.mjs.map +1 -1
  55. package/dist/astro/routes/api/admin/plugins/_id_/index.mjs +31 -30
  56. package/dist/astro/routes/api/admin/plugins/_id_/index.mjs.map +1 -1
  57. package/dist/astro/routes/api/admin/plugins/_id_/uninstall.mjs +31 -30
  58. package/dist/astro/routes/api/admin/plugins/_id_/uninstall.mjs.map +1 -1
  59. package/dist/astro/routes/api/admin/plugins/_id_/update.mjs +33 -31
  60. package/dist/astro/routes/api/admin/plugins/_id_/update.mjs.map +1 -1
  61. package/dist/astro/routes/api/admin/plugins/index.mjs +31 -30
  62. package/dist/astro/routes/api/admin/plugins/index.mjs.map +1 -1
  63. package/dist/astro/routes/api/admin/plugins/marketplace/_id_/icon.mjs +3 -3
  64. package/dist/astro/routes/api/admin/plugins/marketplace/_id_/index.mjs +31 -30
  65. package/dist/astro/routes/api/admin/plugins/marketplace/_id_/index.mjs.map +1 -1
  66. package/dist/astro/routes/api/admin/plugins/marketplace/_id_/install.mjs +33 -31
  67. package/dist/astro/routes/api/admin/plugins/marketplace/_id_/install.mjs.map +1 -1
  68. package/dist/astro/routes/api/admin/plugins/marketplace/index.mjs +31 -30
  69. package/dist/astro/routes/api/admin/plugins/marketplace/index.mjs.map +1 -1
  70. package/dist/astro/routes/api/admin/plugins/registry/_id_/uninstall.d.mts +8 -0
  71. package/dist/astro/routes/api/admin/plugins/registry/_id_/uninstall.d.mts.map +1 -0
  72. package/dist/astro/routes/api/admin/plugins/registry/_id_/uninstall.mjs +59 -0
  73. package/dist/astro/routes/api/admin/plugins/registry/_id_/uninstall.mjs.map +1 -0
  74. package/dist/astro/routes/api/admin/plugins/registry/_id_/update.d.mts +8 -0
  75. package/dist/astro/routes/api/admin/plugins/registry/_id_/update.d.mts.map +1 -0
  76. package/dist/astro/routes/api/admin/plugins/registry/_id_/update.mjs +72 -0
  77. package/dist/astro/routes/api/admin/plugins/registry/_id_/update.mjs.map +1 -0
  78. package/dist/astro/routes/api/admin/plugins/registry/install.mjs +31 -30
  79. package/dist/astro/routes/api/admin/plugins/registry/install.mjs.map +1 -1
  80. package/dist/astro/routes/api/admin/plugins/updates.d.mts.map +1 -1
  81. package/dist/astro/routes/api/admin/plugins/updates.mjs +44 -31
  82. package/dist/astro/routes/api/admin/plugins/updates.mjs.map +1 -1
  83. package/dist/astro/routes/api/admin/themes/marketplace/_id_/index.mjs +31 -30
  84. package/dist/astro/routes/api/admin/themes/marketplace/_id_/index.mjs.map +1 -1
  85. package/dist/astro/routes/api/admin/themes/marketplace/_id_/thumbnail.mjs +3 -3
  86. package/dist/astro/routes/api/admin/themes/marketplace/index.mjs +31 -30
  87. package/dist/astro/routes/api/admin/themes/marketplace/index.mjs.map +1 -1
  88. package/dist/astro/routes/api/admin/users/_id_/disable.mjs +2 -2
  89. package/dist/astro/routes/api/admin/users/_id_/enable.mjs +2 -2
  90. package/dist/astro/routes/api/admin/users/_id_/index.mjs +5 -5
  91. package/dist/astro/routes/api/admin/users/_id_/send-recovery.mjs +3 -3
  92. package/dist/astro/routes/api/admin/users/index.mjs +5 -5
  93. package/dist/astro/routes/api/auth/dev-bypass.mjs +5 -5
  94. package/dist/astro/routes/api/auth/invite/accept.mjs +2 -2
  95. package/dist/astro/routes/api/auth/invite/complete.mjs +9 -9
  96. package/dist/astro/routes/api/auth/invite/index.mjs +6 -6
  97. package/dist/astro/routes/api/auth/invite/register-options.mjs +8 -8
  98. package/dist/astro/routes/api/auth/logout.mjs +3 -3
  99. package/dist/astro/routes/api/auth/magic-link/send.mjs +8 -8
  100. package/dist/astro/routes/api/auth/magic-link/verify.mjs +3 -3
  101. package/dist/astro/routes/api/auth/me.mjs +5 -5
  102. package/dist/astro/routes/api/auth/mode.mjs +1 -1
  103. package/dist/astro/routes/api/auth/oauth/_provider_/callback.mjs +3 -3
  104. package/dist/astro/routes/api/auth/oauth/_provider_/callback.mjs.map +1 -1
  105. package/dist/astro/routes/api/auth/oauth/_provider_.mjs +2 -2
  106. package/dist/astro/routes/api/auth/oauth/_provider_.mjs.map +1 -1
  107. package/dist/astro/routes/api/auth/passkey/_id_.mjs +5 -5
  108. package/dist/astro/routes/api/auth/passkey/index.mjs +2 -2
  109. package/dist/astro/routes/api/auth/passkey/options.mjs +10 -10
  110. package/dist/astro/routes/api/auth/passkey/register/options.mjs +8 -8
  111. package/dist/astro/routes/api/auth/passkey/register/verify.mjs +9 -9
  112. package/dist/astro/routes/api/auth/passkey/verify.mjs +9 -9
  113. package/dist/astro/routes/api/auth/signup/complete.mjs +9 -9
  114. package/dist/astro/routes/api/auth/signup/request.mjs +8 -8
  115. package/dist/astro/routes/api/auth/signup/verify.mjs +2 -2
  116. package/dist/astro/routes/api/comments/_collection_/_contentId_/index.mjs +11 -11
  117. package/dist/astro/routes/api/content/_collection_/_id_/compare.mjs +3 -3
  118. package/dist/astro/routes/api/content/_collection_/_id_/discard-draft.mjs +3 -3
  119. package/dist/astro/routes/api/content/_collection_/_id_/discard-draft.mjs.map +1 -1
  120. package/dist/astro/routes/api/content/_collection_/_id_/duplicate.mjs +3 -3
  121. package/dist/astro/routes/api/content/_collection_/_id_/duplicate.mjs.map +1 -1
  122. package/dist/astro/routes/api/content/_collection_/_id_/permanent.mjs +3 -3
  123. package/dist/astro/routes/api/content/_collection_/_id_/preview-url.mjs +9 -9
  124. package/dist/astro/routes/api/content/_collection_/_id_/publish.mjs +6 -6
  125. package/dist/astro/routes/api/content/_collection_/_id_/publish.mjs.map +1 -1
  126. package/dist/astro/routes/api/content/_collection_/_id_/restore.mjs +3 -3
  127. package/dist/astro/routes/api/content/_collection_/_id_/restore.mjs.map +1 -1
  128. package/dist/astro/routes/api/content/_collection_/_id_/revisions.mjs +3 -3
  129. package/dist/astro/routes/api/content/_collection_/_id_/schedule.mjs +6 -6
  130. package/dist/astro/routes/api/content/_collection_/_id_/schedule.mjs.map +1 -1
  131. package/dist/astro/routes/api/content/_collection_/_id_/terms/_taxonomy_.mjs +10 -9
  132. package/dist/astro/routes/api/content/_collection_/_id_/terms/_taxonomy_.mjs.map +1 -1
  133. package/dist/astro/routes/api/content/_collection_/_id_/translations.mjs +3 -3
  134. package/dist/astro/routes/api/content/_collection_/_id_/translations.mjs.map +1 -1
  135. package/dist/astro/routes/api/content/_collection_/_id_/unpublish.mjs +3 -3
  136. package/dist/astro/routes/api/content/_collection_/_id_/unpublish.mjs.map +1 -1
  137. package/dist/astro/routes/api/content/_collection_/_id_.mjs +6 -6
  138. package/dist/astro/routes/api/content/_collection_/_id_.mjs.map +1 -1
  139. package/dist/astro/routes/api/content/_collection_/index.mjs +6 -6
  140. package/dist/astro/routes/api/content/_collection_/trash.mjs +6 -6
  141. package/dist/astro/routes/api/dashboard.mjs +7 -7
  142. package/dist/astro/routes/api/dev/emails.mjs +3 -3
  143. package/dist/astro/routes/api/import/probe.d.mts +3 -3
  144. package/dist/astro/routes/api/import/probe.mjs +10 -10
  145. package/dist/astro/routes/api/import/wordpress/analyze.mjs +3 -3
  146. package/dist/astro/routes/api/import/wordpress/execute.d.mts +9 -9
  147. package/dist/astro/routes/api/import/wordpress/execute.mjs +9 -8
  148. package/dist/astro/routes/api/import/wordpress/execute.mjs.map +1 -1
  149. package/dist/astro/routes/api/import/wordpress/media.mjs +8 -8
  150. package/dist/astro/routes/api/import/wordpress/prepare.mjs +8 -8
  151. package/dist/astro/routes/api/import/wordpress/prepare.mjs.map +1 -1
  152. package/dist/astro/routes/api/import/wordpress/rewrite-urls.mjs +7 -7
  153. package/dist/astro/routes/api/import/wordpress/rewrite-urls.mjs.map +1 -1
  154. package/dist/astro/routes/api/import/wordpress-plugin/analyze.d.mts +1 -1
  155. package/dist/astro/routes/api/import/wordpress-plugin/analyze.mjs +10 -10
  156. package/dist/astro/routes/api/import/wordpress-plugin/execute.d.mts +1 -1
  157. package/dist/astro/routes/api/import/wordpress-plugin/execute.mjs +11 -11
  158. package/dist/astro/routes/api/import/wordpress-plugin/execute.mjs.map +1 -1
  159. package/dist/astro/routes/api/manifest.mjs +4 -4
  160. package/dist/astro/routes/api/mcp.mjs +29 -29
  161. package/dist/astro/routes/api/mcp.mjs.map +1 -1
  162. package/dist/astro/routes/api/media/_id_/confirm.mjs +6 -6
  163. package/dist/astro/routes/api/media/_id_.mjs +6 -6
  164. package/dist/astro/routes/api/media/file/_...key_.mjs +2 -2
  165. package/dist/astro/routes/api/media/providers/_providerId_/_itemId_.mjs +3 -3
  166. package/dist/astro/routes/api/media/providers/_providerId_/index.mjs +3 -3
  167. package/dist/astro/routes/api/media/providers/index.mjs +3 -3
  168. package/dist/astro/routes/api/media/upload-url.mjs +7 -7
  169. package/dist/astro/routes/api/media/upload-url.mjs.map +1 -1
  170. package/dist/astro/routes/api/media.mjs +8 -8
  171. package/dist/astro/routes/api/menus/_name_/items/_id_.mjs +7 -7
  172. package/dist/astro/routes/api/menus/_name_/items.mjs +7 -7
  173. package/dist/astro/routes/api/menus/_name_/reorder.mjs +7 -7
  174. package/dist/astro/routes/api/menus/_name_/translations.mjs +7 -7
  175. package/dist/astro/routes/api/menus/_name_.mjs +7 -7
  176. package/dist/astro/routes/api/menus/index.mjs +7 -7
  177. package/dist/astro/routes/api/oauth/authorize.mjs +6 -6
  178. package/dist/astro/routes/api/oauth/device/authorize.mjs +6 -6
  179. package/dist/astro/routes/api/oauth/device/code.mjs +9 -9
  180. package/dist/astro/routes/api/oauth/device/token.mjs +8 -8
  181. package/dist/astro/routes/api/oauth/register.mjs +3 -3
  182. package/dist/astro/routes/api/oauth/token/refresh.mjs +6 -6
  183. package/dist/astro/routes/api/oauth/token/revoke.mjs +6 -6
  184. package/dist/astro/routes/api/oauth/token.mjs +6 -6
  185. package/dist/astro/routes/api/openapi.json.mjs +3 -3
  186. package/dist/astro/routes/api/openapi.json.mjs.map +1 -1
  187. package/dist/astro/routes/api/plugins/_pluginId_/_...path_.mjs +4 -4
  188. package/dist/astro/routes/api/redirects/404s/index.mjs +8 -8
  189. package/dist/astro/routes/api/redirects/404s/index.mjs.map +1 -1
  190. package/dist/astro/routes/api/redirects/404s/summary.mjs +8 -8
  191. package/dist/astro/routes/api/redirects/404s/summary.mjs.map +1 -1
  192. package/dist/astro/routes/api/redirects/_id_.mjs +9 -9
  193. package/dist/astro/routes/api/redirects/_id_.mjs.map +1 -1
  194. package/dist/astro/routes/api/redirects/index.mjs +9 -9
  195. package/dist/astro/routes/api/redirects/index.mjs.map +1 -1
  196. package/dist/astro/routes/api/revisions/_revisionId_/index.mjs +3 -3
  197. package/dist/astro/routes/api/revisions/_revisionId_/restore.mjs +3 -3
  198. package/dist/astro/routes/api/schema/collections/_slug_/fields/_fieldSlug_.mjs +31 -30
  199. package/dist/astro/routes/api/schema/collections/_slug_/fields/_fieldSlug_.mjs.map +1 -1
  200. package/dist/astro/routes/api/schema/collections/_slug_/fields/index.mjs +31 -30
  201. package/dist/astro/routes/api/schema/collections/_slug_/fields/index.mjs.map +1 -1
  202. package/dist/astro/routes/api/schema/collections/_slug_/fields/reorder.mjs +31 -30
  203. package/dist/astro/routes/api/schema/collections/_slug_/fields/reorder.mjs.map +1 -1
  204. package/dist/astro/routes/api/schema/collections/_slug_/index.mjs +31 -30
  205. package/dist/astro/routes/api/schema/collections/_slug_/index.mjs.map +1 -1
  206. package/dist/astro/routes/api/schema/collections/index.mjs +31 -30
  207. package/dist/astro/routes/api/schema/collections/index.mjs.map +1 -1
  208. package/dist/astro/routes/api/schema/index.mjs +6 -6
  209. package/dist/astro/routes/api/schema/index.mjs.map +1 -1
  210. package/dist/astro/routes/api/schema/orphans/_slug_.mjs +31 -30
  211. package/dist/astro/routes/api/schema/orphans/_slug_.mjs.map +1 -1
  212. package/dist/astro/routes/api/schema/orphans/index.mjs +31 -30
  213. package/dist/astro/routes/api/schema/orphans/index.mjs.map +1 -1
  214. package/dist/astro/routes/api/search/enable.mjs +9 -9
  215. package/dist/astro/routes/api/search/index.mjs +8 -8
  216. package/dist/astro/routes/api/search/rebuild.mjs +9 -9
  217. package/dist/astro/routes/api/search/stats.mjs +6 -6
  218. package/dist/astro/routes/api/search/suggest.mjs +8 -8
  219. package/dist/astro/routes/api/sections/_slug_.mjs +8 -8
  220. package/dist/astro/routes/api/sections/_slug_.mjs.map +1 -1
  221. package/dist/astro/routes/api/sections/index.mjs +8 -8
  222. package/dist/astro/routes/api/sections/index.mjs.map +1 -1
  223. package/dist/astro/routes/api/settings/email.mjs +4 -4
  224. package/dist/astro/routes/api/settings.mjs +10 -10
  225. package/dist/astro/routes/api/setup/admin-verify.mjs +10 -10
  226. package/dist/astro/routes/api/setup/admin.mjs +9 -9
  227. package/dist/astro/routes/api/setup/dev-bypass.mjs +22 -22
  228. package/dist/astro/routes/api/setup/dev-reset.mjs +2 -2
  229. package/dist/astro/routes/api/setup/index.mjs +22 -22
  230. package/dist/astro/routes/api/setup/status.mjs +4 -4
  231. package/dist/astro/routes/api/snapshot.mjs +5 -5
  232. package/dist/astro/routes/api/taxonomies/_name_/terms/_slug_/translations.mjs +11 -10
  233. package/dist/astro/routes/api/taxonomies/_name_/terms/_slug_/translations.mjs.map +1 -1
  234. package/dist/astro/routes/api/taxonomies/_name_/terms/_slug_.mjs +11 -10
  235. package/dist/astro/routes/api/taxonomies/_name_/terms/_slug_.mjs.map +1 -1
  236. package/dist/astro/routes/api/taxonomies/_name_/terms/index.mjs +11 -10
  237. package/dist/astro/routes/api/taxonomies/_name_/terms/index.mjs.map +1 -1
  238. package/dist/astro/routes/api/taxonomies/index.mjs +11 -10
  239. package/dist/astro/routes/api/taxonomies/index.mjs.map +1 -1
  240. package/dist/astro/routes/api/themes/preview.mjs +5 -5
  241. package/dist/astro/routes/api/typegen.mjs +5 -5
  242. package/dist/astro/routes/api/well-known/auth.mjs +1 -1
  243. package/dist/astro/routes/api/well-known/oauth-authorization-server.mjs +2 -2
  244. package/dist/astro/routes/api/well-known/oauth-protected-resource.mjs +2 -2
  245. package/dist/astro/routes/api/widget-areas/_name_/reorder.mjs +6 -6
  246. package/dist/astro/routes/api/widget-areas/_name_/widgets/_id_.mjs +8 -8
  247. package/dist/astro/routes/api/widget-areas/_name_/widgets.mjs +8 -8
  248. package/dist/astro/routes/api/widget-areas/_name_.mjs +5 -5
  249. package/dist/astro/routes/api/widget-areas/index.mjs +8 -8
  250. package/dist/astro/routes/api/widget-components.mjs +3 -3
  251. package/dist/astro/routes/robots.txt.mjs +5 -5
  252. package/dist/astro/routes/sitemap-_collection_.xml.mjs +4 -4
  253. package/dist/astro/routes/sitemap.xml.mjs +5 -5
  254. package/dist/astro/types.d.mts +13 -12
  255. package/dist/astro/types.d.mts.map +1 -1
  256. package/dist/auth/providers/github.d.mts +1 -1
  257. package/dist/auth/providers/google.d.mts +1 -1
  258. package/dist/{authorize-BlyCH-96.mjs → authorize-Bkwe8kuL.mjs} +2 -2
  259. package/dist/{authorize-BlyCH-96.mjs.map → authorize-Bkwe8kuL.mjs.map} +1 -1
  260. package/dist/byline-CTaWkMh5.mjs +404 -0
  261. package/dist/byline-CTaWkMh5.mjs.map +1 -0
  262. package/dist/bylines-BYHWU3T7.mjs +174 -0
  263. package/dist/bylines-BYHWU3T7.mjs.map +1 -0
  264. package/dist/{bylines-C6eYUWlZ.d.mts → bylines-DtDRNF1n.d.mts} +63 -18
  265. package/dist/bylines-DtDRNF1n.d.mts.map +1 -0
  266. package/dist/bylines-H0Xh5TMy.mjs +118 -0
  267. package/dist/bylines-H0Xh5TMy.mjs.map +1 -0
  268. package/dist/{cache-CXCpjWiL.mjs → cache-CNk1jIxp.mjs} +2 -2
  269. package/dist/{cache-CXCpjWiL.mjs.map → cache-CNk1jIxp.mjs.map} +1 -1
  270. package/dist/{challenge-store-CJ0OOHOr.mjs → challenge-store-Dng1SxKT.mjs} +1 -1
  271. package/dist/{challenge-store-CJ0OOHOr.mjs.map → challenge-store-Dng1SxKT.mjs.map} +1 -1
  272. package/dist/{chunks-DyGtu1Bv.mjs → chunks-BkfVdD-3.mjs} +2 -2
  273. package/dist/{chunks-DyGtu1Bv.mjs.map → chunks-BkfVdD-3.mjs.map} +1 -1
  274. package/dist/cli/index.mjs +21 -29
  275. package/dist/cli/index.mjs.map +1 -1
  276. package/dist/client/cf-access.d.mts +1 -1
  277. package/dist/client/index.d.mts +1 -1
  278. package/dist/client/index.mjs +1 -1
  279. package/dist/client/index.mjs.map +1 -1
  280. package/dist/{comment-Dd9MI82-.mjs → comment-_yzlBYPx.mjs} +2 -2
  281. package/dist/{comment-Dd9MI82-.mjs.map → comment-_yzlBYPx.mjs.map} +1 -1
  282. package/dist/{comments-koGI0FrK.mjs → comments-DxID-rsd.mjs} +3 -3
  283. package/dist/{comments-koGI0FrK.mjs.map → comments-DxID-rsd.mjs.map} +1 -1
  284. package/dist/{components-mZem7pbe.mjs → components-Dx3DM0gg.mjs} +1 -1
  285. package/dist/{components-mZem7pbe.mjs.map → components-Dx3DM0gg.mjs.map} +1 -1
  286. package/dist/config-CVssduLe.mjs.map +1 -1
  287. package/dist/{content-D6YG26WG.mjs → content-C0ooIs-f.mjs} +3 -3
  288. package/dist/{content-D6YG26WG.mjs.map → content-C0ooIs-f.mjs.map} +1 -1
  289. package/dist/{context-qF8d3IPR.mjs → context-sAnCaUIR.mjs} +10 -10
  290. package/dist/context-sAnCaUIR.mjs.map +1 -0
  291. package/dist/{cron-H8eJ46dv.mjs → cron-Bd3b3iuj.mjs} +1 -1
  292. package/dist/{cron-H8eJ46dv.mjs.map → cron-Bd3b3iuj.mjs.map} +1 -1
  293. package/dist/{dashboard-BmWSIUwY.mjs → dashboard-Cqw3ay2X.mjs} +4 -4
  294. package/dist/{dashboard-BmWSIUwY.mjs.map → dashboard-Cqw3ay2X.mjs.map} +1 -1
  295. package/dist/db/index.d.mts +3 -3
  296. package/dist/db/index.mjs +1 -1
  297. package/dist/db/libsql.d.mts +1 -1
  298. package/dist/db/postgres.d.mts +1 -1
  299. package/dist/db/sqlite.d.mts +1 -1
  300. package/dist/{default-Dbs22Gg4.mjs → default-BvTAYCzx.mjs} +1 -1
  301. package/dist/{default-Dbs22Gg4.mjs.map → default-BvTAYCzx.mjs.map} +1 -1
  302. package/dist/{device-flow-BqJRxa0Q.mjs → device-flow-B9oG8PwP.mjs} +4 -4
  303. package/dist/{device-flow-BqJRxa0Q.mjs.map → device-flow-B9oG8PwP.mjs.map} +1 -1
  304. package/dist/{email-console-Dmp5Q-P2.mjs → email-console-CubRll9q.mjs} +1 -1
  305. package/dist/email-console-CubRll9q.mjs.map +1 -0
  306. package/dist/{error-tSQWIl5U.mjs → error-CPh_8eLq.mjs} +16 -8
  307. package/dist/error-CPh_8eLq.mjs.map +1 -0
  308. package/dist/{escape-B8bdIryO.mjs → escape-Cg6kMELH.mjs} +1 -1
  309. package/dist/{escape-B8bdIryO.mjs.map → escape-Cg6kMELH.mjs.map} +1 -1
  310. package/dist/{fts-manager-B633C-kQ.mjs → fts-manager-Mnrtn-r2.mjs} +2 -2
  311. package/dist/{fts-manager-B633C-kQ.mjs.map → fts-manager-Mnrtn-r2.mjs.map} +1 -1
  312. package/dist/{import-CNfLOgDE.mjs → import-DG80rC_I.mjs} +3 -3
  313. package/dist/{import-CNfLOgDE.mjs.map → import-DG80rC_I.mjs.map} +1 -1
  314. package/dist/{index-UmOMt9T-.d.mts → index-Bv1Wf1zB.d.mts} +235 -18
  315. package/dist/index-Bv1Wf1zB.d.mts.map +1 -0
  316. package/dist/{index-D2gvztOP.d.mts → index-CC42STEm.d.mts} +3 -3
  317. package/dist/{index-D2gvztOP.d.mts.map → index-CC42STEm.d.mts.map} +1 -1
  318. package/dist/index.d.mts +17 -17
  319. package/dist/index.mjs +50 -49
  320. package/dist/{load-QzYRpVN3.mjs → load-DmXNVhst.mjs} +2 -2
  321. package/dist/{load-QzYRpVN3.mjs.map → load-DmXNVhst.mjs.map} +1 -1
  322. package/dist/{loader-Cs6-Bqe6.mjs → loader-Chm5h7Gr.mjs} +3 -3
  323. package/dist/loader-Chm5h7Gr.mjs.map +1 -0
  324. package/dist/{manifest-schema-HCtSh4Jq.mjs → manifest-schema-Czqf0TLu.mjs} +1 -1
  325. package/dist/{manifest-schema-HCtSh4Jq.mjs.map → manifest-schema-Czqf0TLu.mjs.map} +1 -1
  326. package/dist/media/index.d.mts +1 -1
  327. package/dist/media/local-runtime.d.mts +11 -11
  328. package/dist/media/local-runtime.mjs +4 -4
  329. package/dist/{media-allowlist-B8EX01DH.mjs → media-allowlist-BNloC69x.mjs} +1 -1
  330. package/dist/{media-allowlist-B8EX01DH.mjs.map → media-allowlist-BNloC69x.mjs.map} +1 -1
  331. package/dist/{media-Dg7he9uK.mjs → media-oqRcNiQf.mjs} +2 -2
  332. package/dist/media-oqRcNiQf.mjs.map +1 -0
  333. package/dist/{menus-DOzIecHi.mjs → menus-Bjf5R1Qq.mjs} +2 -2
  334. package/dist/menus-Bjf5R1Qq.mjs.map +1 -0
  335. package/dist/{menus-X4Z-eBA1.mjs → menus-C75SSmRy.mjs} +30 -11
  336. package/dist/menus-C75SSmRy.mjs.map +1 -0
  337. package/dist/mime-KV5TqkMN.mjs.map +1 -1
  338. package/dist/{mode-DPRPvJYm.mjs → mode-CaaiebZI.mjs} +1 -1
  339. package/dist/{mode-DPRPvJYm.mjs.map → mode-CaaiebZI.mjs.map} +1 -1
  340. package/dist/{oauth-authorization-62GmpGIH.mjs → oauth-authorization-CTMeVfvj.mjs} +4 -4
  341. package/dist/{oauth-authorization-62GmpGIH.mjs.map → oauth-authorization-CTMeVfvj.mjs.map} +1 -1
  342. package/dist/{oauth-clients-D_B0_-Bz.mjs → oauth-clients-eJCbkVSG.mjs} +1 -1
  343. package/dist/oauth-clients-eJCbkVSG.mjs.map +1 -0
  344. package/dist/{oauth-state-store-DpsZViTu.mjs → oauth-state-store-vOSdOeGe.mjs} +1 -1
  345. package/dist/{oauth-state-store-DpsZViTu.mjs.map → oauth-state-store-vOSdOeGe.mjs.map} +1 -1
  346. package/dist/{oauth-user-lookup-meyS2oB1.mjs → oauth-user-lookup-3JwsVw6N.mjs} +1 -1
  347. package/dist/{oauth-user-lookup-meyS2oB1.mjs.map → oauth-user-lookup-3JwsVw6N.mjs.map} +1 -1
  348. package/dist/options-BL4X94qY.mjs.map +1 -1
  349. package/dist/{options-Cq64Wx0O.d.mts → options-DhV-gwJb.d.mts} +4 -4
  350. package/dist/options-DhV-gwJb.d.mts.map +1 -0
  351. package/dist/page/index.d.mts +2 -2
  352. package/dist/{parse-BFTPon-J.mjs → parse-3-caTKgt.mjs} +2 -2
  353. package/dist/{parse-BFTPon-J.mjs.map → parse-3-caTKgt.mjs.map} +1 -1
  354. package/dist/{passkey-config-Cg86_ISa.mjs → passkey-config-BloQOT3y.mjs} +1 -1
  355. package/dist/{passkey-config-Cg86_ISa.mjs.map → passkey-config-BloQOT3y.mjs.map} +1 -1
  356. package/dist/{placeholder-D3cFCU9y.d.mts → placeholder-KCkkCtgQ.d.mts} +1 -1
  357. package/dist/{placeholder-D3cFCU9y.d.mts.map → placeholder-KCkkCtgQ.d.mts.map} +1 -1
  358. package/dist/plugin-types.d.mts +1 -1
  359. package/dist/plugins/adapt-sandbox-entry.d.mts +9 -9
  360. package/dist/plugins/adapt-sandbox-entry.d.mts.map +1 -1
  361. package/dist/plugins/adapt-sandbox-entry.mjs +26 -15
  362. package/dist/plugins/adapt-sandbox-entry.mjs.map +1 -1
  363. package/dist/{preview-C1LOEbWZ.mjs → preview-D4z0WONU.mjs} +2 -2
  364. package/dist/{preview-C1LOEbWZ.mjs.map → preview-D4z0WONU.mjs.map} +1 -1
  365. package/dist/{public-url-CseXl9Fv.mjs → public-url-CUWWFME2.mjs} +1 -1
  366. package/dist/{public-url-CseXl9Fv.mjs.map → public-url-CUWWFME2.mjs.map} +1 -1
  367. package/dist/{query-axZmO6Tn.mjs → query-BJn8TOPk.mjs} +16 -13
  368. package/dist/{query-axZmO6Tn.mjs.map → query-BJn8TOPk.mjs.map} +1 -1
  369. package/dist/{rate-limit-t5CVjCO6.mjs → rate-limit-D_-gAeJ0.mjs} +2 -2
  370. package/dist/{rate-limit-t5CVjCO6.mjs.map → rate-limit-D_-gAeJ0.mjs.map} +1 -1
  371. package/dist/{redirect-DGRsLO2I.mjs → redirect-BINiRYq4.mjs} +1 -1
  372. package/dist/{redirect-DGRsLO2I.mjs.map → redirect-BINiRYq4.mjs.map} +1 -1
  373. package/dist/{redirect-DkaDxq8e.mjs → redirect-CNv4mHX2.mjs} +2 -2
  374. package/dist/{redirect-DkaDxq8e.mjs.map → redirect-CNv4mHX2.mjs.map} +1 -1
  375. package/dist/{redirects-D1fdd68T.mjs → redirects-B-CUZ1Xh.mjs} +3 -3
  376. package/dist/{redirects-D1fdd68T.mjs.map → redirects-B-CUZ1Xh.mjs.map} +1 -1
  377. package/dist/{redirects-Dmj6KRU3.mjs → redirects-COMLwsV5.mjs} +19 -5
  378. package/dist/redirects-COMLwsV5.mjs.map +1 -0
  379. package/dist/{registry-BnCeHYsf.mjs → registry-DqrAQDXH.mjs} +4 -4
  380. package/dist/{registry-BnCeHYsf.mjs.map → registry-DqrAQDXH.mjs.map} +1 -1
  381. package/dist/request-cache-dzCt8TZB.mjs.map +1 -1
  382. package/dist/request-context.mjs.map +1 -1
  383. package/dist/{request-meta-CLCwSQOS.mjs → request-meta-C_Cjii-T.mjs} +2 -2
  384. package/dist/{request-meta-CLCwSQOS.mjs.map → request-meta-C_Cjii-T.mjs.map} +1 -1
  385. package/dist/resolve-Cj98DuqN.mjs +39 -0
  386. package/dist/resolve-Cj98DuqN.mjs.map +1 -0
  387. package/dist/{runner-DdnQIwz_.mjs → runner-CGlojznK.mjs} +472 -165
  388. package/dist/runner-CGlojznK.mjs.map +1 -0
  389. package/dist/{runner-DcfZewkO.d.mts → runner-CNHRo1mT.d.mts} +2 -2
  390. package/dist/{runner-DcfZewkO.d.mts.map → runner-CNHRo1mT.d.mts.map} +1 -1
  391. package/dist/runtime.d.mts +10 -10
  392. package/dist/runtime.mjs +2 -2
  393. package/dist/{schema-BmqagCwG.mjs → schema-Djdlfi5G.mjs} +4 -4
  394. package/dist/{schema-BmqagCwG.mjs.map → schema-Djdlfi5G.mjs.map} +1 -1
  395. package/dist/{search-CPrvO5u8.mjs → search-By-NN3da.mjs} +4 -4
  396. package/dist/{search-CPrvO5u8.mjs.map → search-By-NN3da.mjs.map} +1 -1
  397. package/dist/{secrets-6pgZyq0K.mjs → secrets-rPdhEBkD.mjs} +1 -1
  398. package/dist/{secrets-6pgZyq0K.mjs.map → secrets-rPdhEBkD.mjs.map} +1 -1
  399. package/dist/{sections-Cm-zb-gZ.mjs → sections-DcBIlOq1.mjs} +3 -3
  400. package/dist/{sections-Cm-zb-gZ.mjs.map → sections-DcBIlOq1.mjs.map} +1 -1
  401. package/dist/seed/index.d.mts +2 -2
  402. package/dist/seed/index.mjs +16 -16
  403. package/dist/seo/index.d.mts +1 -1
  404. package/dist/{seo-DRq9-EPP.mjs → seo-bjDoq9Eg.mjs} +2 -2
  405. package/dist/{seo-DRq9-EPP.mjs.map → seo-bjDoq9Eg.mjs.map} +1 -1
  406. package/dist/{service-vByySp-2.mjs → service-BuuTdGAT.mjs} +3 -3
  407. package/dist/{service-vByySp-2.mjs.map → service-BuuTdGAT.mjs.map} +1 -1
  408. package/dist/{settings-CBBj7HUd.mjs → settings-CJnKiWuR.mjs} +3 -3
  409. package/dist/{settings-CBBj7HUd.mjs.map → settings-CJnKiWuR.mjs.map} +1 -1
  410. package/dist/{settings-xQKsWnzQ.mjs → settings-hcubRfkr.mjs} +3 -3
  411. package/dist/settings-hcubRfkr.mjs.map +1 -0
  412. package/dist/{setup-BGAJ2uXs.mjs → setup-Cf_TyOv5.mjs} +2 -2
  413. package/dist/{setup-BGAJ2uXs.mjs.map → setup-Cf_TyOv5.mjs.map} +1 -1
  414. package/dist/{setup-complete-C6ZCLhKo.mjs → setup-complete-MzzN9u0b.mjs} +1 -1
  415. package/dist/{setup-complete-C6ZCLhKo.mjs.map → setup-complete-MzzN9u0b.mjs.map} +1 -1
  416. package/dist/{setup-nonce-CY1gQiAU.mjs → setup-nonce-DXuriHsg.mjs} +1 -1
  417. package/dist/{setup-nonce-CY1gQiAU.mjs.map → setup-nonce-DXuriHsg.mjs.map} +1 -1
  418. package/dist/{site-url-D-M4Fd8O.mjs → site-url-xkhw1tcz.mjs} +1 -1
  419. package/dist/{site-url-D-M4Fd8O.mjs.map → site-url-xkhw1tcz.mjs.map} +1 -1
  420. package/dist/{ssrf-DzFN_qV-.mjs → ssrf-MZ-zrG6-.mjs} +1 -1
  421. package/dist/{ssrf-DzFN_qV-.mjs.map → ssrf-MZ-zrG6-.mjs.map} +1 -1
  422. package/dist/storage/local.d.mts +1 -1
  423. package/dist/storage/local.mjs +1 -1
  424. package/dist/storage/local.mjs.map +1 -1
  425. package/dist/storage/s3.d.mts +1 -1
  426. package/dist/storage/s3.mjs +1 -1
  427. package/dist/storage/s3.mjs.map +1 -1
  428. package/dist/{taxonomies-Dc0mzlms.mjs → taxonomies-CLs9HPE2.mjs} +4 -4
  429. package/dist/{taxonomies-Dc0mzlms.mjs.map → taxonomies-CLs9HPE2.mjs.map} +1 -1
  430. package/dist/{taxonomies-Cn9UpaR2.mjs → taxonomies-WamPVA2x.mjs} +7 -42
  431. package/dist/taxonomies-WamPVA2x.mjs.map +1 -0
  432. package/dist/{taxonomy-wPfusMK9.mjs → taxonomy-D4Uc2LsZ.mjs} +3 -3
  433. package/dist/{taxonomy-wPfusMK9.mjs.map → taxonomy-D4Uc2LsZ.mjs.map} +1 -1
  434. package/dist/{tokens-DILYNZMi.mjs → tokens-N8otWMmj.mjs} +1 -1
  435. package/dist/{tokens-DILYNZMi.mjs.map → tokens-N8otWMmj.mjs.map} +1 -1
  436. package/dist/{transport-fw-mKJzT.mjs → transport-B6CHddbu.mjs} +1 -1
  437. package/dist/{transport-fw-mKJzT.mjs.map → transport-B6CHddbu.mjs.map} +1 -1
  438. package/dist/{transport-GeXlLscf.d.mts → transport-DOxLfUir.d.mts} +1 -1
  439. package/dist/{transport-GeXlLscf.d.mts.map → transport-DOxLfUir.d.mts.map} +1 -1
  440. package/dist/{trusted-proxy-CJhQIk65.mjs → trusted-proxy-97pajC2f.mjs} +1 -1
  441. package/dist/{trusted-proxy-CJhQIk65.mjs.map → trusted-proxy-97pajC2f.mjs.map} +1 -1
  442. package/dist/{types-CwXMEPRr.mjs → types-ByV5sgsv.mjs} +2 -2
  443. package/dist/types-ByV5sgsv.mjs.map +1 -0
  444. package/dist/{types-Dz9CGX_d.mjs → types-Cd9UCu3t.mjs} +1 -1
  445. package/dist/{types-Dz9CGX_d.mjs.map → types-Cd9UCu3t.mjs.map} +1 -1
  446. package/dist/{types-DmxPPXGf.d.mts → types-CkDSF81F.d.mts} +1 -1
  447. package/dist/{types-DmxPPXGf.d.mts.map → types-CkDSF81F.d.mts.map} +1 -1
  448. package/dist/{types-BWhaSS7U.d.mts → types-CpUuGcd5.d.mts} +1 -1
  449. package/dist/{types-BWhaSS7U.d.mts.map → types-CpUuGcd5.d.mts.map} +1 -1
  450. package/dist/{types-DFowNO60.d.mts → types-D599-ruj.d.mts} +1 -1
  451. package/dist/{types-DFowNO60.d.mts.map → types-D599-ruj.d.mts.map} +1 -1
  452. package/dist/{types-B05e2naf.d.mts → types-DGHWRQgr.d.mts} +3 -3
  453. package/dist/{types-B05e2naf.d.mts.map → types-DGHWRQgr.d.mts.map} +1 -1
  454. package/dist/{types-CzvJd1ND.d.mts → types-DaYDYW6g.d.mts} +14 -1
  455. package/dist/types-DaYDYW6g.d.mts.map +1 -0
  456. package/dist/{types-C1KKK4VP.d.mts → types-DaqNzqVt.d.mts} +16 -1
  457. package/dist/{types-C1KKK4VP.d.mts.map → types-DaqNzqVt.d.mts.map} +1 -1
  458. package/dist/{types-DW1l0gCv.d.mts → types-Dgo6y-Ut.d.mts} +1 -1
  459. package/dist/{types-DW1l0gCv.d.mts.map → types-Dgo6y-Ut.d.mts.map} +1 -1
  460. package/dist/{types-Cb2UCDJg.d.mts → types-bYmRn_Uy.d.mts} +1 -1
  461. package/dist/{types-Cb2UCDJg.d.mts.map → types-bYmRn_Uy.d.mts.map} +1 -1
  462. package/dist/{user-Dr1bOCqS.mjs → user-D3BD5zdT.mjs} +2 -2
  463. package/dist/{user-Dr1bOCqS.mjs.map → user-D3BD5zdT.mjs.map} +1 -1
  464. package/dist/{utils-_F-rWBTN.mjs → utils-C3wTAP-P.mjs} +1 -1
  465. package/dist/{utils-_F-rWBTN.mjs.map → utils-C3wTAP-P.mjs.map} +1 -1
  466. package/dist/{validate-BpQGsmd7.d.mts → validate-DQtHw9NT.d.mts} +5 -5
  467. package/dist/{validate-BpQGsmd7.d.mts.map → validate-DQtHw9NT.d.mts.map} +1 -1
  468. package/dist/{validate-DlFxcVVK.mjs → validate-mz87i8_1.mjs} +2 -2
  469. package/dist/{validate-DlFxcVVK.mjs.map → validate-mz87i8_1.mjs.map} +1 -1
  470. package/dist/{validation-BiFJqUp5.mjs → validation-DKHhXjPr.mjs} +5 -5
  471. package/dist/{validation-BiFJqUp5.mjs.map → validation-DKHhXjPr.mjs.map} +1 -1
  472. package/dist/version-Ct7C6RSo.mjs +7 -0
  473. package/dist/{version-Dw7Z5PVU.mjs.map → version-Ct7C6RSo.mjs.map} +1 -1
  474. package/dist/{widgets-B9j_yzlk.mjs → widgets-lShIQXU5.mjs} +3 -3
  475. package/dist/widgets-lShIQXU5.mjs.map +1 -0
  476. package/dist/{zod-generator-DSyz01KE.mjs → zod-generator-dvxgmd1M.mjs} +2 -2
  477. package/dist/{zod-generator-DSyz01KE.mjs.map → zod-generator-dvxgmd1M.mjs.map} +1 -1
  478. package/package.json +10 -8
  479. package/src/api/error.ts +18 -3
  480. package/src/api/errors.ts +6 -0
  481. package/src/api/handlers/bylines.ts +161 -0
  482. package/src/api/handlers/content.ts +125 -43
  483. package/src/api/handlers/index.ts +6 -0
  484. package/src/api/handlers/marketplace.ts +27 -5
  485. package/src/api/handlers/oauth-clients.ts +1 -1
  486. package/src/api/handlers/registry.ts +568 -22
  487. package/src/api/openapi/document.ts +1 -1
  488. package/src/api/schemas/bylines.ts +46 -0
  489. package/src/astro/integration/index.ts +1 -1
  490. package/src/astro/integration/routes.ts +5 -0
  491. package/src/astro/integration/runtime.ts +12 -1
  492. package/src/astro/integration/virtual-modules.ts +19 -2
  493. package/src/astro/integration/vite-config.ts +2 -2
  494. package/src/astro/middleware/auth.ts +7 -7
  495. package/src/astro/middleware/request-context.ts +1 -1
  496. package/src/astro/middleware.ts +31 -20
  497. package/src/astro/routes/api/admin/bylines/[id]/index.ts +3 -12
  498. package/src/astro/routes/api/admin/bylines/[id]/translations.ts +99 -0
  499. package/src/astro/routes/api/admin/bylines/index.ts +22 -11
  500. package/src/astro/routes/api/admin/plugins/[id]/update.ts +1 -0
  501. package/src/astro/routes/api/admin/plugins/marketplace/[id]/install.ts +6 -1
  502. package/src/astro/routes/api/admin/plugins/registry/[id]/uninstall.ts +51 -0
  503. package/src/astro/routes/api/admin/plugins/registry/[id]/update.ts +79 -0
  504. package/src/astro/routes/api/admin/plugins/updates.ts +43 -6
  505. package/src/astro/routes/api/admin/themes/marketplace/index.ts +1 -1
  506. package/src/astro/routes/api/auth/oauth/[provider]/callback.ts +2 -2
  507. package/src/astro/routes/api/auth/oauth/[provider].ts +2 -2
  508. package/src/astro/routes/api/content/[collection]/[id]/discard-draft.ts +2 -2
  509. package/src/astro/routes/api/content/[collection]/[id]/duplicate.ts +2 -2
  510. package/src/astro/routes/api/content/[collection]/[id]/publish.ts +2 -2
  511. package/src/astro/routes/api/content/[collection]/[id]/restore.ts +2 -2
  512. package/src/astro/routes/api/content/[collection]/[id]/schedule.ts +2 -2
  513. package/src/astro/routes/api/content/[collection]/[id]/terms/[taxonomy].ts +6 -6
  514. package/src/astro/routes/api/content/[collection]/[id]/translations.ts +1 -1
  515. package/src/astro/routes/api/content/[collection]/[id]/unpublish.ts +2 -2
  516. package/src/astro/routes/api/content/[collection]/[id].ts +6 -6
  517. package/src/astro/routes/api/import/wordpress/execute.ts +1 -1
  518. package/src/astro/routes/api/import/wordpress/prepare.ts +2 -2
  519. package/src/astro/routes/api/import/wordpress/rewrite-urls.ts +3 -3
  520. package/src/astro/routes/api/import/wordpress-plugin/execute.ts +2 -2
  521. package/src/astro/routes/api/media/upload-url.ts +1 -1
  522. package/src/astro/routes/api/redirects/404s/index.ts +3 -3
  523. package/src/astro/routes/api/redirects/404s/summary.ts +1 -1
  524. package/src/astro/routes/api/redirects/[id].ts +3 -3
  525. package/src/astro/routes/api/redirects/index.ts +2 -2
  526. package/src/astro/routes/api/schema/collections/[slug]/fields/[fieldSlug].ts +4 -4
  527. package/src/astro/routes/api/schema/collections/[slug]/fields/index.ts +2 -6
  528. package/src/astro/routes/api/schema/collections/[slug]/fields/reorder.ts +1 -1
  529. package/src/astro/routes/api/schema/collections/[slug]/index.ts +6 -6
  530. package/src/astro/routes/api/schema/collections/index.ts +4 -4
  531. package/src/astro/routes/api/schema/index.ts +1 -1
  532. package/src/astro/routes/api/schema/orphans/[slug].ts +1 -1
  533. package/src/astro/routes/api/schema/orphans/index.ts +1 -1
  534. package/src/astro/routes/api/sections/[slug].ts +3 -3
  535. package/src/astro/routes/api/sections/index.ts +2 -2
  536. package/src/astro/types.ts +4 -0
  537. package/src/auth/rate-limit.ts +1 -1
  538. package/src/auth/trusted-proxy.ts +1 -1
  539. package/src/bylines/index.ts +154 -55
  540. package/src/cli/commands/init.ts +4 -8
  541. package/src/client/index.ts +1 -1
  542. package/src/components/InlinePortableTextEditor.tsx +5 -1
  543. package/src/components/inline-code-block.tsx +343 -0
  544. package/src/config/secrets.ts +3 -3
  545. package/src/database/migrations/006_taxonomy_defs.ts +1 -1
  546. package/src/database/migrations/014_draft_revisions.ts +6 -6
  547. package/src/database/migrations/040_byline_i18n.ts +497 -0
  548. package/src/database/migrations/runner.ts +4 -1
  549. package/src/database/repositories/audit.ts +2 -2
  550. package/src/database/repositories/byline.ts +320 -50
  551. package/src/database/repositories/media.ts +2 -2
  552. package/src/database/repositories/menu.ts +1 -1
  553. package/src/database/repositories/options.ts +3 -3
  554. package/src/database/repositories/plugin-storage.ts +3 -3
  555. package/src/database/repositories/types.ts +13 -0
  556. package/src/database/types.ts +15 -0
  557. package/src/emdash-runtime.ts +492 -20
  558. package/src/i18n/config.ts +1 -1
  559. package/src/index.ts +7 -0
  560. package/src/loader.ts +1 -1
  561. package/src/mcp/server.ts +3 -3
  562. package/src/media/mime.ts +1 -1
  563. package/src/page/absolute-url.ts +1 -1
  564. package/src/plugins/adapt-sandbox-entry.ts +45 -40
  565. package/src/plugins/email-console.ts +1 -1
  566. package/src/plugins/index.ts +1 -0
  567. package/src/plugins/marketplace.ts +1 -1
  568. package/src/plugins/sandbox/index.ts +1 -0
  569. package/src/plugins/sandbox/noop.ts +11 -3
  570. package/src/plugins/sandbox/types.ts +28 -0
  571. package/src/query.ts +17 -2
  572. package/src/registry/config.ts +1 -1
  573. package/src/request-cache.ts +3 -3
  574. package/src/request-context.ts +1 -1
  575. package/src/settings/index.ts +4 -4
  576. package/src/storage/local.ts +1 -1
  577. package/src/storage/s3.ts +3 -3
  578. package/src/widgets/index.ts +1 -1
  579. package/dist/api-ayIQ7rIe.mjs.map +0 -1
  580. package/dist/byline-D09BaS4j.mjs +0 -220
  581. package/dist/byline-D09BaS4j.mjs.map +0 -1
  582. package/dist/bylines-BTM2xtP8.mjs +0 -113
  583. package/dist/bylines-BTM2xtP8.mjs.map +0 -1
  584. package/dist/bylines-C6eYUWlZ.d.mts.map +0 -1
  585. package/dist/context-qF8d3IPR.mjs.map +0 -1
  586. package/dist/email-console-Dmp5Q-P2.mjs.map +0 -1
  587. package/dist/error-tSQWIl5U.mjs.map +0 -1
  588. package/dist/index-UmOMt9T-.d.mts.map +0 -1
  589. package/dist/loader-Cs6-Bqe6.mjs.map +0 -1
  590. package/dist/media-Dg7he9uK.mjs.map +0 -1
  591. package/dist/menus-DOzIecHi.mjs.map +0 -1
  592. package/dist/menus-X4Z-eBA1.mjs.map +0 -1
  593. package/dist/oauth-clients-D_B0_-Bz.mjs.map +0 -1
  594. package/dist/options-Cq64Wx0O.d.mts.map +0 -1
  595. package/dist/redirects-Dmj6KRU3.mjs.map +0 -1
  596. package/dist/runner-DdnQIwz_.mjs.map +0 -1
  597. package/dist/settings-xQKsWnzQ.mjs.map +0 -1
  598. package/dist/taxonomies-Cn9UpaR2.mjs.map +0 -1
  599. package/dist/types-CwXMEPRr.mjs.map +0 -1
  600. package/dist/types-CzvJd1ND.d.mts.map +0 -1
  601. package/dist/version-Dw7Z5PVU.mjs +0 -7
  602. package/dist/widgets-B9j_yzlk.mjs.map +0 -1
  603. /package/dist/{api-tokens-D3C9v02m.mjs → api-tokens-iPIHAY8N.mjs} +0 -0
  604. /package/dist/{ssrf-CTul4uQi.mjs → ssrf-BIcd-aXW.mjs} +0 -0
  605. /package/dist/{types-Db67HHlU.mjs → types-1NNkmTIn.mjs} +0 -0
package/dist/astro/middleware/auth.d.mts CHANGED
@@ -1,12 +1,12 @@
1
- import "../../options-Cq64Wx0O.mjs";
2
- import "../../types-C1KKK4VP.mjs";
3
- import "../../types-B05e2naf.mjs";
4
- import "../../bylines-C6eYUWlZ.mjs";
5
- import "../../index-UmOMt9T-.mjs";
6
- import "../../runner-DcfZewkO.mjs";
7
- import "../../index-D2gvztOP.mjs";
8
- import "../../types-Cb2UCDJg.mjs";
9
- import "../../validate-BpQGsmd7.mjs";
1
+ import "../../options-DhV-gwJb.mjs";
2
+ import "../../types-DaqNzqVt.mjs";
3
+ import "../../types-DGHWRQgr.mjs";
4
+ import "../../bylines-DtDRNF1n.mjs";
5
+ import "../../index-Bv1Wf1zB.mjs";
6
+ import "../../runner-CNHRo1mT.mjs";
7
+ import "../../index-CC42STEm.mjs";
8
+ import "../../types-bYmRn_Uy.mjs";
9
+ import "../../validate-DQtHw9NT.mjs";
10
10
  import { EmDashHandlers } from "../types.mjs";
11
11
  import { User } from "@emdash-cms/auth";
12
12
  import * as astro from "astro";
package/dist/astro/middleware/auth.mjs CHANGED
@@ -1,10 +1,10 @@
1
1
  import "../../base64-CqR-7kqF.mjs";
2
- import "../../types-CwXMEPRr.mjs";
3
- import { t as apiError } from "../../error-tSQWIl5U.mjs";
4
- import { n as getPublicOrigin } from "../../public-url-CseXl9Fv.mjs";
5
- import { t as getAuthMode } from "../../mode-DPRPvJYm.mjs";
6
- import { i as hasScope } from "../../api-tokens-D3C9v02m.mjs";
7
- import { a as resolveOAuthToken, i as resolveApiToken } from "../../api-tokens-eYymBhIT.mjs";
2
+ import "../../types-ByV5sgsv.mjs";
3
+ import { t as apiError } from "../../error-CPh_8eLq.mjs";
4
+ import { n as getPublicOrigin } from "../../public-url-CUWWFME2.mjs";
5
+ import { t as getAuthMode } from "../../mode-CaaiebZI.mjs";
6
+ import { i as hasScope } from "../../api-tokens-iPIHAY8N.mjs";
7
+ import { a as resolveOAuthToken, i as resolveApiToken } from "../../api-tokens-ucpcNXDt.mjs";
8
8
  import { ulid } from "ulidx";
9
9
  import { defineMiddleware } from "astro:middleware";
10
10
  import virtualConfig from "virtual:emdash/config";
package/dist/astro/middleware/auth.mjs.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"auth.mjs","names":["virtualAuthenticate"],"sources":["../../../src/api/csrf.ts","../../../src/astro/middleware/csp.ts","../../../src/astro/middleware/auth.ts"],"sourcesContent":["/**\n * CSRF protection utilities.\n *\n * Two mechanisms:\n * 1. Custom header check (X-EmDash-Request: 1) — used for authenticated API routes.\n * Browsers block cross-origin custom headers, so presence proves same-origin.\n * 2. Origin check — used for public API routes that skip auth. Compares the Origin\n * header against the request origin. Same approach as Astro's `checkOrigin`.\n */\n\nimport { apiError } from \"./error.js\";\n\n/**\n * Origin-based CSRF check for public API routes that skip auth.\n *\n * State-changing requests (POST/PUT/DELETE) to public endpoints must either:\n * 1. Include the X-EmDash-Request: 1 header (custom header blocked cross-origin), OR\n * 2. Have an Origin header matching the request origin (or the configured public origin)\n *\n * This prevents cross-origin form submissions (which can't set custom headers)\n * and cross-origin fetch (blocked by CORS unless allowed). Same-origin requests\n * always include a matching Origin header.\n *\n * Returns a 403 Response if the check fails, or null if allowed.\n *\n * @param request The incoming request\n * @param url The request URL (internal origin)\n * @param publicOrigin The public-facing origin from config.siteUrl. Must be\n * `undefined` when absent — never `null` or `\"\"` (security invariant H-1a).\n */\nexport function checkPublicCsrf(\n\trequest: Request,\n\turl: URL,\n\tpublicOrigin?: string,\n): Response | null {\n\t// Custom header present — browser blocks cross-origin custom headers\n\tconst csrfHeader = request.headers.get(\"X-EmDash-Request\");\n\tif (csrfHeader === \"1\") return null;\n\n\t// Check Origin header — present on all POST/PUT/DELETE from browsers\n\tconst origin = request.headers.get(\"Origin\");\n\tif (origin) {\n\t\ttry {\n\t\t\tconst originUrl = new URL(origin);\n\t\t\t// Accept if Origin matches either the internal or public origin\n\t\t\tif (originUrl.origin === url.origin) return null;\n\t\t\tif (publicOrigin && originUrl.origin === publicOrigin) return null;\n\t\t} catch {\n\t\t\t// Malformed Origin — fall through to reject\n\t\t}\n\n\t\treturn apiError(\"CSRF_REJECTED\", \"Cross-origin request blocked\", 403);\n\t}\n\n\t// No Origin header — non-browser client (curl, server-to-server).\n\t// Allow these through since CSRF is a browser-specific attack vector.\n\t// Server-to-server requests don't carry ambient credentials (cookies).\n\treturn null;\n}\n","/**\n * Strict Content-Security-Policy for /_emdash routes (admin + API).\n *\n * Applied via middleware header rather than Astro's built-in CSP because\n * Astro's auto-hashing defeats 'unsafe-inline' (CSP3 ignores 'unsafe-inline'\n * when hashes are present), which would break user-facing pages.\n *\n * img-src allows any HTTPS origin because the admin renders user content that\n * may reference external images (migrations, external hosting, embeds).\n * Plugin security does not rely on img-src -- plugins run in V8 isolates with\n * no DOM access. connect-src stays at 'self' unless the experimental registry\n * is configured, in which case the configured aggregator origin is allowed.\n */\nimport type { RegistryConfigInput } from \"../../registry/types.js\";\n\nfunction getRegistryAggregatorOrigin(\n\tregistry: RegistryConfigInput | undefined,\n): string | undefined {\n\tconst aggregatorUrl = typeof registry === \"string\" ? registry : registry?.aggregatorUrl;\n\tif (!aggregatorUrl) return undefined;\n\n\ttry {\n\t\tconst url = new URL(aggregatorUrl);\n\t\tif (url.protocol !== \"http:\" && url.protocol !== \"https:\") return undefined;\n\t\treturn url.origin;\n\t} catch {\n\t\treturn undefined;\n\t}\n}\n\nexport function buildEmDashCsp(registry?: RegistryConfigInput): string {\n\tconst connectSrc = [\"connect-src 'self'\"];\n\tconst registryAggregatorOrigin = getRegistryAggregatorOrigin(registry);\n\tif (registryAggregatorOrigin) connectSrc.push(registryAggregatorOrigin);\n\n\treturn [\n\t\t\"default-src 'self'\",\n\t\t\"script-src 'self' 'unsafe-inline'\",\n\t\t\"style-src 'self' 'unsafe-inline'\",\n\t\tconnectSrc.join(\" \"),\n\t\t\"form-action 'self'\",\n\t\t\"frame-ancestors 'none'\",\n\t\t\"img-src 'self' https: data: blob:\",\n\t\t\"object-src 'none'\",\n\t\t\"base-uri 'self'\",\n\t].join(\"; \");\n}\n","/**\n * Auth middleware for admin routes\n *\n * Checks if the user is authenticated and has appropriate permissions.\n * Supports two auth modes:\n * - Passkey (default): Session-based auth with passkey login\n * - External providers: JWT-based auth (Cloudflare Access, etc.)\n *\n * This middleware runs AFTER the setup middleware - so if we get here,\n * we know setup is complete and users exist.\n */\n\nimport type { User, RoleLevel } from \"@emdash-cms/auth\";\nimport { createKyselyAdapter } from \"@emdash-cms/auth/adapters/kysely\";\nimport { defineMiddleware } from \"astro:middleware\";\nimport { ulid } from \"ulidx\";\n// Import auth provider via virtual module (statically bundled)\n// This avoids dynamic import issues in Cloudflare Workers\nimport { authenticate as virtualAuthenticate } from \"virtual:emdash/auth\";\n// @ts-ignore - virtual module\nimport virtualConfig from \"virtual:emdash/config\";\n\nimport { checkPublicCsrf } from \"../../api/csrf.js\";\nimport { apiError } from \"../../api/error.js\";\nimport { getPublicOrigin } from \"../../api/public-url.js\";\n\n/** Cache headers for middleware error responses (matches API_CACHE_HEADERS in api/error.ts) */\nconst MW_CACHE_HEADERS = {\n\t\"Cache-Control\": \"private, no-store\",\n} as const;\nimport { resolveApiToken, resolveOAuthToken } from \"../../api/handlers/api-tokens.js\";\nimport { hasScope } from \"../../auth/api-tokens.js\";\nimport { getAuthMode, type ExternalAuthMode } from \"../../auth/mode.js\";\nimport type { ExternalAuthConfig } from \"../../auth/types.js\";\nimport type { EmDashHandlers } from \"../types.js\";\nimport { buildEmDashCsp } from \"./csp.js\";\n\ndeclare global {\n\tnamespace App {\n\t\tinterface Locals {\n\t\t\tuser?: User;\n\t\t\t/** Token scopes when authenticated via API token or OAuth token. Undefined for session auth. */\n\t\t\ttokenScopes?: string[];\n\t\t\temdash?: EmDashHandlers;\n\t\t}\n\t\tinterface SessionData {\n\t\t\tuser: { id: string };\n\t\t\thasSeenWelcome: boolean;\n\t\t}\n\t}\n}\n\n// Role level constants (matching @emdash-cms/auth)\nconst ROLE_ADMIN = 50;\nconst MCP_ENDPOINT_PATH = \"/_emdash/api/mcp\";\n\nfunction isUnsafeMethod(method: string): boolean {\n\treturn method !== \"GET\" && method !== \"HEAD\" && method !== \"OPTIONS\";\n}\n\nfunction csrfRejectedResponse(): Response {\n\treturn new Response(\n\t\tJSON.stringify({ error: { code: \"CSRF_REJECTED\", message: \"Missing required header\" } }),\n\t\t{\n\t\t\tstatus: 403,\n\t\t\theaders: { \"Content-Type\": \"application/json\", ...MW_CACHE_HEADERS },\n\t\t},\n\t);\n}\n\nfunction mcpUnauthorizedResponse(\n\turl: URL,\n\tconfig?: Parameters<typeof getPublicOrigin>[1],\n): Response {\n\tconst origin = getPublicOrigin(url, config);\n\treturn Response.json(\n\t\t{ error: { code: \"NOT_AUTHENTICATED\", message: \"Not authenticated\" } },\n\t\t{\n\t\t\tstatus: 401,\n\t\t\theaders: {\n\t\t\t\t\"WWW-Authenticate\": `Bearer resource_metadata=\"${origin}/.well-known/oauth-protected-resource\"`,\n\t\t\t\t...MW_CACHE_HEADERS,\n\t\t\t},\n\t\t},\n\t);\n}\n\n/**\n * API routes that skip auth — each handles its own access control.\n *\n * Prefix entries match any path starting with that prefix.\n * Exact entries (no trailing slash or wildcard) match that path only.\n */\nconst PUBLIC_API_PREFIXES = [\n\t\"/_emdash/api/setup\",\n\t\"/_emdash/api/auth/login\",\n\t\"/_emdash/api/auth/register\",\n\t\"/_emdash/api/auth/dev-bypass\",\n\t\"/_emdash/api/auth/signup/\",\n\t\"/_emdash/api/auth/magic-link/\",\n\t\"/_emdash/api/auth/invite/\",\n\t\"/_emdash/api/auth/oauth/\",\n\t\"/_emdash/api/oauth/device/token\",\n\t\"/_emdash/api/oauth/device/code\",\n\t\"/_emdash/api/oauth/token\",\n\t\"/_emdash/api/oauth/register\",\n\t\"/_emdash/api/comments/\",\n\t\"/_emdash/api/media/file/\",\n\t\"/_emdash/.well-known/\",\n];\n\nconst PUBLIC_API_EXACT = new Set([\n\t\"/_emdash/api/auth/passkey/options\",\n\t\"/_emdash/api/auth/passkey/verify\",\n\t\"/_emdash/api/auth/mode\",\n\t\"/_emdash/api/oauth/token\",\n\t\"/_emdash/api/snapshot\",\n\t// Public site search — read-only. The query layer hardcodes status='published'\n\t// so unauthenticated callers only see published content. Admin endpoints\n\t// (/enable, /rebuild, /stats) remain private because they're not in this set.\n\t\"/_emdash/api/search\",\n]);\n\n// Build merged public routes at module load from auth provider descriptors.\n// Routes ending with \"/\" are treated as prefixes; all others are exact matches.\nconst { exact: _providerExactRoutes, prefixes: _providerPrefixRoutes } = (() => {\n\tconst exact = new Set<string>();\n\tconst prefixes: string[] = [];\n\tif (!virtualConfig?.authProviders) return { exact, prefixes };\n\tfor (const route of virtualConfig.authProviders.flatMap((p) => p.publicRoutes ?? [])) {\n\t\tif (route.endsWith(\"/\")) {\n\t\t\tprefixes.push(route);\n\t\t} else {\n\t\t\texact.add(route);\n\t\t}\n\t}\n\treturn { exact, prefixes };\n})();\n\n/**\n * OAuth protocol endpoints that are CSRF-exempt by design.\n *\n * These are RFC-defined endpoints (RFC 6749 §3.2, RFC 7591 §3, RFC 8628 §3.1/§3.4)\n * specified to be called cross-origin by external clients (MCP clients, CLIs,\n * native apps). They authenticate each request on its own merits:\n *\n * - /oauth/token: requires PKCE code_verifier, device_code, or refresh_token\n * - /oauth/register: RFC 7591 dynamic client registration — anonymous by design\n * - /oauth/device/code: RFC 8628 device flow initiation — anonymous by design\n * - /oauth/device/token: requires device_code the client already holds\n *\n * None of these rely on ambient cookie credentials, so browser-based CSRF\n * attacks have nothing to exploit. The endpoints themselves advertise\n * `Access-Control-Allow-Origin: *`. Note: /oauth/device/authorize (the user\n * consent step) is NOT in this list — it is session-authenticated.\n */\nconst CSRF_EXEMPT_PUBLIC_ROUTES = new Set([\n\t\"/_emdash/api/oauth/token\",\n\t\"/_emdash/api/oauth/register\",\n\t\"/_emdash/api/oauth/device/code\",\n\t\"/_emdash/api/oauth/device/token\",\n]);\n\nfunction isPublicEmDashRoute(pathname: string): boolean {\n\tif (PUBLIC_API_EXACT.has(pathname)) return true;\n\tif (PUBLIC_API_PREFIXES.some((p) => pathname.startsWith(p))) return true;\n\tif (_providerExactRoutes.has(pathname)) return true;\n\tif (_providerPrefixRoutes.some((p) => pathname.startsWith(p))) return true;\n\tif (import.meta.env.DEV && pathname === \"/_emdash/api/typegen\") return true;\n\treturn false;\n}\n\nfunction isCsrfExemptPublicRoute(pathname: string): boolean {\n\treturn CSRF_EXEMPT_PUBLIC_ROUTES.has(pathname);\n}\n\nexport const onRequest = defineMiddleware(async (context, next) => {\n\tconst { url } = context;\n\n\t// Only check auth on admin routes and API routes\n\tconst isAdminRoute = url.pathname.startsWith(\"/_emdash/admin\");\n\tconst isSetupRoute = url.pathname.startsWith(\"/_emdash/admin/setup\");\n\tconst isApiRoute = url.pathname.startsWith(\"/_emdash/api\");\n\tconst isPublicApiRoute = isPublicEmDashRoute(url.pathname);\n\n\tconst isPublicRoute = !isAdminRoute && !isApiRoute;\n\n\t// Public API routes skip auth but still need CSRF protection on state-changing methods.\n\t// We check Origin header against the request host (same approach as Astro's checkOrigin).\n\t// This prevents cross-origin form submissions and fetch requests from malicious sites.\n\tif (isPublicApiRoute) {\n\t\tconst method = context.request.method.toUpperCase();\n\t\tif (\n\t\t\tisUnsafeMethod(method) &&\n\t\t\t!isCsrfExemptPublicRoute(url.pathname) // OAuth protocol endpoints — cross-origin by design\n\t\t) {\n\t\t\tconst publicOrigin = getPublicOrigin(url, context.locals.emdash?.config);\n\t\t\tconst csrfError = checkPublicCsrf(context.request, url, publicOrigin);\n\t\t\tif (csrfError) return csrfError;\n\t\t}\n\t\treturn next();\n\t}\n\n\t// Plugin routes: soft auth (resolve user if credentials present, but never block).\n\t// The catch-all handler decides per-route whether auth is required (public vs private).\n\t// Public plugin routes that accept POST are vulnerable to cross-origin form submissions,\n\t// so we apply the same Origin-based CSRF check as other public routes.\n\tconst isPluginRoute = url.pathname.startsWith(\"/_emdash/api/plugins/\");\n\tif (isPluginRoute) {\n\t\tconst method = context.request.method.toUpperCase();\n\t\tif (method !== \"GET\" && method !== \"HEAD\" && method !== \"OPTIONS\") {\n\t\t\tconst publicOrigin = getPublicOrigin(url, context.locals.emdash?.config);\n\t\t\tconst csrfError = checkPublicCsrf(context.request, url, publicOrigin);\n\t\t\tif (csrfError) return csrfError;\n\t\t}\n\t\treturn handlePluginRouteAuth(context, next);\n\t}\n\n\t// Setup routes: skip auth but still enforce CSRF on state-changing methods\n\tif (isSetupRoute) {\n\t\tconst method = context.request.method.toUpperCase();\n\t\tif (method !== \"GET\" && method !== \"HEAD\" && method !== \"OPTIONS\") {\n\t\t\tconst csrfHeader = context.request.headers.get(\"X-EmDash-Request\");\n\t\t\tif (csrfHeader !== \"1\") {\n\t\t\t\treturn new Response(\n\t\t\t\t\tJSON.stringify({\n\t\t\t\t\t\terror: { code: \"CSRF_REJECTED\", message: \"Missing required header\" },\n\t\t\t\t\t}),\n\t\t\t\t\t{\n\t\t\t\t\t\tstatus: 403,\n\t\t\t\t\t\theaders: { \"Content-Type\": \"application/json\", ...MW_CACHE_HEADERS },\n\t\t\t\t\t},\n\t\t\t\t);\n\t\t\t}\n\t\t}\n\t\treturn next();\n\t}\n\n\t// For public routes: soft auth check (set locals.user if session exists, but never block)\n\tif (isPublicRoute) {\n\t\treturn handlePublicRouteAuth(context, next);\n\t}\n\n\t// --- Everything below is /_emdash (admin + API) ---\n\n\t// Try Bearer token auth first (API tokens and OAuth tokens).\n\t// If successful, skip CSRF (tokens aren't ambient credentials like cookies).\n\tconst bearerResult = await handleBearerAuth(context);\n\n\tif (bearerResult === \"invalid\") {\n\t\tconst headers: Record<string, string> = {\n\t\t\t\"Content-Type\": \"application/json\",\n\t\t\t...MW_CACHE_HEADERS,\n\t\t};\n\t\t// Add WWW-Authenticate header on MCP endpoint 401s to trigger OAuth discovery\n\t\tif (url.pathname === \"/_emdash/api/mcp\") {\n\t\t\tconst origin = getPublicOrigin(url, context.locals.emdash?.config);\n\t\t\theaders[\"WWW-Authenticate\"] =\n\t\t\t\t`Bearer resource_metadata=\"${origin}/.well-known/oauth-protected-resource\"`;\n\t\t}\n\t\treturn new Response(\n\t\t\tJSON.stringify({ error: { code: \"INVALID_TOKEN\", message: \"Invalid or expired token\" } }),\n\t\t\t{ status: 401, headers },\n\t\t);\n\t}\n\n\tconst isTokenAuth = bearerResult === \"authenticated\";\n\n\t// MCP discovery/tooling is bearer-only. Session/external auth should never\n\t// be consulted for this endpoint, and unauthenticated requests must return\n\t// the OAuth discovery-style 401 response.\n\tconst method = context.request.method.toUpperCase();\n\tconst isMcpEndpoint = url.pathname === MCP_ENDPOINT_PATH;\n\tif (isMcpEndpoint && !isTokenAuth) {\n\t\treturn mcpUnauthorizedResponse(url, context.locals.emdash?.config);\n\t}\n\n\t// CSRF protection: require X-EmDash-Request header on state-changing requests.\n\t// Skip for token-authenticated requests (tokens aren't ambient credentials).\n\t// Browsers block cross-origin custom headers, so this prevents CSRF without tokens.\n\t// OAuth authorize consent is exempt: it's a standard HTML form POST that can't\n\t// include custom headers. The consent flow is protected by session + single-use codes.\n\tconst isOAuthConsent = url.pathname.startsWith(\"/_emdash/oauth/authorize\");\n\tif (\n\t\tisApiRoute &&\n\t\t!isTokenAuth &&\n\t\t!isOAuthConsent &&\n\t\tisUnsafeMethod(method) &&\n\t\t!isPublicApiRoute\n\t) {\n\t\tconst csrfHeader = context.request.headers.get(\"X-EmDash-Request\");\n\t\tif (csrfHeader !== \"1\") {\n\t\t\treturn csrfRejectedResponse();\n\t\t}\n\t}\n\n\t// If already authenticated via Bearer token, enforce scope then skip session/external auth\n\tif (isTokenAuth) {\n\t\t// Enforce API token scopes based on URL pattern + HTTP method\n\t\tconst scopeError = enforceTokenScope(url.pathname, method, context.locals.tokenScopes);\n\t\tif (scopeError) return scopeError;\n\n\t\tconst response = await next();\n\t\tif (!import.meta.env.DEV) {\n\t\t\tresponse.headers.set(\n\t\t\t\t\"Content-Security-Policy\",\n\t\t\t\tbuildEmDashCsp(context.locals.emdash?.config.experimental?.registry),\n\t\t\t);\n\t\t}\n\t\treturn response;\n\t}\n\n\tconst response = await handleEmDashAuth(context, next);\n\n\t// Set strict CSP on all /_emdash responses (prod only)\n\tif (!import.meta.env.DEV) {\n\t\tresponse.headers.set(\n\t\t\t\"Content-Security-Policy\",\n\t\t\tbuildEmDashCsp(context.locals.emdash?.config.experimental?.registry),\n\t\t);\n\t}\n\n\treturn response;\n});\n\n/**\n * Auth handling for /_emdash routes. Returns a Response from either\n * an auth error/redirect or the downstream route handler.\n */\nasync function handleEmDashAuth(\n\tcontext: Parameters<Parameters<typeof defineMiddleware>[0]>[0],\n\tnext: Parameters<Parameters<typeof defineMiddleware>[0]>[1],\n): Promise<Response> {\n\tconst { url, locals } = context;\n\tconst { emdash } = locals;\n\n\tconst isPublicAdminRoute =\n\t\turl.pathname.startsWith(\"/_emdash/admin/login\") ||\n\t\turl.pathname.startsWith(\"/_emdash/admin/invite/accept\");\n\tconst isApiRoute = url.pathname.startsWith(\"/_emdash/api\");\n\n\tif (!emdash?.db) {\n\t\t// No database - let the admin handle this error\n\t\treturn next();\n\t}\n\n\t// Determine auth mode from config\n\tconst authMode = getAuthMode(emdash.config);\n\n\tif (authMode.type === \"external\") {\n\t\t// In dev mode, fall back to passkey auth since external JWT won't be present\n\t\tif (import.meta.env.DEV) {\n\t\t\tif (isPublicAdminRoute) {\n\t\t\t\treturn next();\n\t\t\t}\n\n\t\t\treturn handlePasskeyAuth(context, next, isApiRoute);\n\t\t}\n\n\t\t// External auth provider (Cloudflare Access, etc.)\n\t\treturn handleExternalAuth(context, next, authMode, isApiRoute);\n\t}\n\n\t// Passkey authentication (default)\n\tif (isPublicAdminRoute) {\n\t\treturn next();\n\t}\n\n\treturn handlePasskeyAuth(context, next, isApiRoute);\n}\n\n/**\n * Soft auth for plugin routes: resolve user from Bearer token or session if present,\n * but never block unauthenticated requests. The catch-all handler checks route\n * metadata to decide whether auth is required (public vs private routes).\n */\nasync function handlePluginRouteAuth(\n\tcontext: Parameters<Parameters<typeof defineMiddleware>[0]>[0],\n\tnext: Parameters<Parameters<typeof defineMiddleware>[0]>[1],\n): Promise<Response> {\n\tconst { locals } = context;\n\tconst { emdash } = locals;\n\n\ttry {\n\t\t// Try Bearer token auth first (API tokens and OAuth tokens)\n\t\tconst bearerResult = await handleBearerAuth(context);\n\t\tif (bearerResult === \"authenticated\") {\n\t\t\t// User and tokenScopes are set on locals by handleBearerAuth\n\t\t\treturn next();\n\t\t}\n\t\tif (bearerResult === \"invalid\") {\n\t\t\t// A token was presented but is invalid/expired — return 401 so the\n\t\t\t// caller knows their token is bad (don't silently downgrade to no-auth).\n\t\t\treturn new Response(\n\t\t\t\tJSON.stringify({ error: { code: \"INVALID_TOKEN\", message: \"Invalid or expired token\" } }),\n\t\t\t\t{\n\t\t\t\t\tstatus: 401,\n\t\t\t\t\theaders: { \"Content-Type\": \"application/json\", ...MW_CACHE_HEADERS },\n\t\t\t\t},\n\t\t\t);\n\t\t}\n\t\t// \"none\" — no token presented, try session auth below.\n\t} catch (error) {\n\t\tconsole.error(\"Plugin route bearer auth error:\", error);\n\t}\n\n\ttry {\n\t\t// Try session auth (sets locals.user if session exists)\n\t\tconst { session } = context;\n\t\tconst sessionUser = await session?.get(\"user\");\n\t\tif (sessionUser?.id && emdash?.db) {\n\t\t\tconst adapter = createKyselyAdapter(emdash.db);\n\t\t\tconst user = await adapter.getUserById(sessionUser.id);\n\t\t\tif (user && !user.disabled) {\n\t\t\t\tlocals.user = user;\n\t\t\t}\n\t\t}\n\t} catch (error) {\n\t\t// Log but don't block — public routes should still work without session\n\t\tconsole.error(\"Plugin route session auth error:\", error);\n\t}\n\n\treturn next();\n}\n\n/**\n * Soft auth check for public routes with edit mode cookie.\n * Checks the session and sets locals.user if valid, but never blocks the request.\n */\nasync function handlePublicRouteAuth(\n\tcontext: Parameters<Parameters<typeof defineMiddleware>[0]>[0],\n\tnext: Parameters<Parameters<typeof defineMiddleware>[0]>[1],\n): Promise<Response> {\n\tconst { locals, session } = context;\n\tconst { emdash } = locals;\n\n\ttry {\n\t\tconst sessionUser = await session?.get(\"user\");\n\t\tif (sessionUser?.id && emdash?.db) {\n\t\t\tconst adapter = createKyselyAdapter(emdash.db);\n\t\t\tconst user = await adapter.getUserById(sessionUser.id);\n\t\t\tif (user && !user.disabled) {\n\t\t\t\tlocals.user = user;\n\t\t\t}\n\t\t}\n\t} catch {\n\t\t// Silently continue — public page should render normally\n\t}\n\n\treturn next();\n}\n\n/**\n * Handle external auth provider authentication (Cloudflare Access, etc.)\n */\nasync function handleExternalAuth(\n\tcontext: Parameters<Parameters<typeof defineMiddleware>[0]>[0],\n\tnext: Parameters<Parameters<typeof defineMiddleware>[0]>[1],\n\tauthMode: ExternalAuthMode,\n\t_isApiRoute: boolean,\n): Promise<Response> {\n\tconst { locals, request } = context;\n\tconst { emdash } = locals;\n\n\ttry {\n\t\t// Use the authenticate function from the virtual module\n\t\t// (statically imported at build time to work with Cloudflare Workers)\n\t\tif (typeof virtualAuthenticate !== \"function\") {\n\t\t\tthrow new Error(\n\t\t\t\t`Auth provider ${authMode.entrypoint} does not export an authenticate function`,\n\t\t\t);\n\t\t}\n\n\t\t// Authenticate via the provider\n\t\tconst authResult = await virtualAuthenticate(request, authMode.config);\n\n\t\t// Get external auth config for auto-provision settings\n\t\t// eslint-disable-next-line typescript-eslint(no-unsafe-type-assertion) -- narrowing AuthModeConfig to ExternalAuthConfig after provider check\n\t\tconst externalConfig = authMode.config as ExternalAuthConfig;\n\n\t\t// Find or create user\n\t\tconst adapter = createKyselyAdapter(emdash!.db);\n\t\tlet user = await adapter.getUserByEmail(authResult.email);\n\n\t\tif (!user) {\n\t\t\t// User doesn't exist\n\t\t\tif (externalConfig.autoProvision === false) {\n\t\t\t\treturn new Response(\"User not authorized\", {\n\t\t\t\t\tstatus: 403,\n\t\t\t\t\theaders: { \"Content-Type\": \"text/plain\", ...MW_CACHE_HEADERS },\n\t\t\t\t});\n\t\t\t}\n\n\t\t\t// Check if this is the first user (they become admin)\n\t\t\tconst userCount = await emdash!.db\n\t\t\t\t.selectFrom(\"users\")\n\t\t\t\t.select(emdash!.db.fn.count(\"id\").as(\"count\"))\n\t\t\t\t.executeTakeFirst();\n\n\t\t\tconst isFirstUser = Number(userCount?.count ?? 0) === 0;\n\t\t\tconst role = isFirstUser ? ROLE_ADMIN : authResult.role;\n\n\t\t\t// Create user\n\t\t\tconst now = new Date().toISOString();\n\t\t\tconst newUser = {\n\t\t\t\tid: ulid(),\n\t\t\t\temail: authResult.email,\n\t\t\t\tname: authResult.name,\n\t\t\t\trole,\n\t\t\t\temail_verified: 1,\n\t\t\t\tcreated_at: now,\n\t\t\t\tupdated_at: now,\n\t\t\t};\n\n\t\t\tawait emdash!.db.insertInto(\"users\").values(newUser).execute();\n\n\t\t\tuser = await adapter.getUserByEmail(authResult.email);\n\n\t\t\tconsole.log(\n\t\t\t\t`[external-auth] Provisioned user: ${authResult.email} (role: ${role}, first: ${isFirstUser})`,\n\t\t\t);\n\t\t} else {\n\t\t\t// User exists - check if we need to sync anything\n\t\t\tconst updates: Record<string, unknown> = {};\n\t\t\tlet newName: string | undefined;\n\t\t\tlet newRole: RoleLevel | undefined;\n\n\t\t\t// Sync name from provider if provider provides one and local differs\n\t\t\tif (authResult.name && user.name !== authResult.name) {\n\t\t\t\tnewName = authResult.name;\n\t\t\t\tupdates.name = newName;\n\t\t\t}\n\n\t\t\t// Sync role if enabled\n\t\t\tif (externalConfig.syncRoles && user.role !== authResult.role) {\n\t\t\t\tnewRole = authResult.role;\n\t\t\t\tupdates.role = newRole;\n\t\t\t}\n\n\t\t\tif (Object.keys(updates).length > 0) {\n\t\t\t\tupdates.updated_at = new Date().toISOString();\n\t\t\t\tawait emdash!.db.updateTable(\"users\").set(updates).where(\"id\", \"=\", user.id).execute();\n\n\t\t\t\tuser = {\n\t\t\t\t\t...user,\n\t\t\t\t\t...(newName ? { name: newName } : {}),\n\t\t\t\t\t...(newRole ? { role: newRole } : {}),\n\t\t\t\t};\n\n\t\t\t\tconsole.log(\n\t\t\t\t\t`[external-auth] Updated user ${authResult.email}:`,\n\t\t\t\t\tObject.keys(updates).filter((k) => k !== \"updated_at\"),\n\t\t\t\t);\n\t\t\t}\n\t\t}\n\n\t\tif (!user) {\n\t\t\t// This shouldn't happen, but handle it gracefully\n\t\t\treturn new Response(\"Failed to provision user\", {\n\t\t\t\tstatus: 500,\n\t\t\t\theaders: { \"Content-Type\": \"text/plain\", ...MW_CACHE_HEADERS },\n\t\t\t});\n\t\t}\n\n\t\t// Check if user is disabled locally\n\t\tif (user.disabled) {\n\t\t\treturn new Response(\"Account disabled\", {\n\t\t\t\tstatus: 403,\n\t\t\t\theaders: { \"Content-Type\": \"text/plain\", ...MW_CACHE_HEADERS },\n\t\t\t});\n\t\t}\n\n\t\t// Set user in locals\n\t\tlocals.user = user;\n\n\t\t// Persist to session so public pages can identify the user\n\t\t// (external auth headers are only verified on /_emdash routes)\n\t\tconst { session } = context;\n\t\tsession?.set(\"user\", { id: user.id });\n\n\t\treturn next();\n\t} catch (error) {\n\t\tconsole.error(\"[external-auth] Auth error:\", error);\n\n\t\treturn new Response(\"Authentication failed\", {\n\t\t\tstatus: 401,\n\t\t\theaders: { \"Content-Type\": \"text/plain\", ...MW_CACHE_HEADERS },\n\t\t});\n\t}\n}\n\n/**\n * Try to authenticate via Bearer token (API token or OAuth token).\n *\n * Returns:\n * - \"authenticated\" if token is valid and user is resolved\n * - \"invalid\" if a token was provided but is invalid/expired\n * - \"none\" if no Bearer token was provided\n */\nasync function handleBearerAuth(\n\tcontext: Parameters<Parameters<typeof defineMiddleware>[0]>[0],\n): Promise<\"authenticated\" | \"invalid\" | \"none\"> {\n\tconst authHeader = context.request.headers.get(\"Authorization\");\n\tif (!authHeader?.startsWith(\"Bearer \")) return \"none\";\n\n\tconst token = authHeader.slice(7);\n\tif (!token) return \"none\";\n\n\tconst { locals } = context;\n\tconst { emdash } = locals;\n\tif (!emdash?.db) return \"none\";\n\n\t// Resolve token based on prefix\n\tlet resolved: { userId: string; scopes: string[] } | null = null;\n\n\tif (token.startsWith(\"ec_pat_\")) {\n\t\tresolved = await resolveApiToken(emdash.db, token);\n\t} else if (token.startsWith(\"ec_oat_\")) {\n\t\tresolved = await resolveOAuthToken(emdash.db, token);\n\t} else {\n\t\t// Unknown token format\n\t\treturn \"invalid\";\n\t}\n\n\tif (!resolved) return \"invalid\";\n\n\t// Look up the user\n\tconst adapter = createKyselyAdapter(emdash.db);\n\tconst user = await adapter.getUserById(resolved.userId);\n\n\tif (!user || user.disabled) return \"invalid\";\n\n\t// Set user and scopes on locals\n\tlocals.user = user;\n\tlocals.tokenScopes = resolved.scopes;\n\n\treturn \"authenticated\";\n}\n\n/**\n * Handle passkey (session-based) authentication\n */\nasync function handlePasskeyAuth(\n\tcontext: Parameters<Parameters<typeof defineMiddleware>[0]>[0],\n\tnext: Parameters<Parameters<typeof defineMiddleware>[0]>[1],\n\tisApiRoute: boolean,\n): Promise<Response> {\n\tconst { url, locals, session } = context;\n\tconst { emdash } = locals;\n\n\ttry {\n\t\t// Check session for user (session.get returns a Promise)\n\t\tconst sessionUser = await session?.get(\"user\");\n\n\t\tif (!sessionUser?.id) {\n\t\t\tif (isApiRoute) {\n\t\t\t\treturn Response.json(\n\t\t\t\t\t{ error: { code: \"NOT_AUTHENTICATED\", message: \"Not authenticated\" } },\n\t\t\t\t\t{ status: 401, headers: MW_CACHE_HEADERS },\n\t\t\t\t);\n\t\t\t}\n\t\t\tconst loginUrl = new URL(\"/_emdash/admin/login\", getPublicOrigin(url, emdash?.config));\n\t\t\tloginUrl.searchParams.set(\"redirect\", url.pathname);\n\t\t\treturn context.redirect(loginUrl.toString());\n\t\t}\n\n\t\t// Get full user from database\n\t\tconst adapter = createKyselyAdapter(emdash!.db);\n\t\tconst user = await adapter.getUserById(sessionUser.id);\n\n\t\tif (!user) {\n\t\t\t// User no longer exists - clear session\n\t\t\tsession?.destroy();\n\t\t\tif (isApiRoute) {\n\t\t\t\treturn Response.json(\n\t\t\t\t\t{ error: { code: \"NOT_FOUND\", message: \"User not found\" } },\n\t\t\t\t\t{ status: 401, headers: MW_CACHE_HEADERS },\n\t\t\t\t);\n\t\t\t}\n\t\t\tconst loginUrl = new URL(\"/_emdash/admin/login\", getPublicOrigin(url, emdash?.config));\n\t\t\treturn context.redirect(loginUrl.toString());\n\t\t}\n\n\t\t// Check if user is disabled\n\t\tif (user.disabled) {\n\t\t\tsession?.destroy();\n\t\t\tif (isApiRoute) {\n\t\t\t\treturn apiError(\"ACCOUNT_DISABLED\", \"Account disabled\", 403);\n\t\t\t}\n\t\t\tconst loginUrl = new URL(\"/_emdash/admin/login\", getPublicOrigin(url, emdash?.config));\n\t\t\tloginUrl.searchParams.set(\"error\", \"account_disabled\");\n\t\t\treturn context.redirect(loginUrl.toString());\n\t\t}\n\n\t\t// Set user in locals for use by routes\n\t\tlocals.user = user;\n\t} catch (error) {\n\t\tconsole.error(\"Auth middleware error:\", error);\n\t\t// On error, redirect to login\n\t\treturn context.redirect(\"/_emdash/admin/login\");\n\t}\n\n\treturn next();\n}\n\n// =============================================================================\n// Token scope enforcement\n// =============================================================================\n\n/**\n * Scope rules: ordered list of (pathPrefix, method, requiredScope) tuples.\n * First matching rule wins. Methods: \"*\" = any, \"WRITE\" = POST/PUT/PATCH/DELETE.\n *\n * Routes not matched by any rule default to \"admin\" scope (fail-closed).\n */\nconst SCOPE_RULES: Array<[prefix: string, method: string, scope: string]> = [\n\t// Content routes\n\t[\"/_emdash/api/content\", \"GET\", \"content:read\"],\n\t[\"/_emdash/api/content\", \"WRITE\", \"content:write\"],\n\n\t// Media routes (excluding /file/ which is public)\n\t[\"/_emdash/api/media/file\", \"*\", \"media:read\"], // public anyway, but scope if token-authed\n\t[\"/_emdash/api/media\", \"GET\", \"media:read\"],\n\t[\"/_emdash/api/media\", \"WRITE\", \"media:write\"],\n\n\t// Schema routes\n\t[\"/_emdash/api/schema\", \"GET\", \"schema:read\"],\n\t[\"/_emdash/api/schema\", \"WRITE\", \"schema:write\"],\n\n\t// Taxonomy, menu, section, widget, revision — all content domain\n\t// GET uses content:read (implicit from taxonomies:read / menus:read via role).\n\t// WRITE uses the granular scope so tokens with only taxonomies:manage or\n\t// menus:manage are not rejected. content:write implicitly grants these via\n\t// IMPLICIT_SCOPE_GRANTS in @emdash-cms/auth.\n\t[\"/_emdash/api/taxonomies\", \"GET\", \"content:read\"],\n\t[\"/_emdash/api/taxonomies\", \"WRITE\", \"taxonomies:manage\"],\n\t[\"/_emdash/api/menus\", \"GET\", \"content:read\"],\n\t[\"/_emdash/api/menus\", \"WRITE\", \"menus:manage\"],\n\t[\"/_emdash/api/sections\", \"GET\", \"content:read\"],\n\t[\"/_emdash/api/sections\", \"WRITE\", \"content:write\"],\n\t[\"/_emdash/api/widget-areas\", \"GET\", \"content:read\"],\n\t[\"/_emdash/api/widget-areas\", \"WRITE\", \"content:write\"],\n\t[\"/_emdash/api/revisions\", \"GET\", \"content:read\"],\n\t[\"/_emdash/api/revisions\", \"WRITE\", \"content:write\"],\n\n\t// Search\n\t[\"/_emdash/api/search\", \"GET\", \"content:read\"],\n\t[\"/_emdash/api/search\", \"WRITE\", \"admin\"],\n\n\t// Import, admin, plugins — all require admin scope\n\t[\"/_emdash/api/import\", \"*\", \"admin\"],\n\t[\"/_emdash/api/admin\", \"*\", \"admin\"],\n\t[\"/_emdash/api/plugins\", \"*\", \"admin\"],\n\n\t// Settings — use granular scopes so tokens with settings:read or\n\t// settings:manage are not rejected at the middleware level.\n\t[\"/_emdash/api/settings\", \"GET\", \"settings:read\"],\n\t[\"/_emdash/api/settings\", \"WRITE\", \"settings:manage\"],\n\n\t// MCP endpoint — scopes enforced per-tool inside mcp/server.ts\n\t[\"/_emdash/api/mcp\", \"*\", \"content:read\"],\n];\n\nconst WRITE_METHODS = new Set([\"POST\", \"PUT\", \"PATCH\", \"DELETE\"]);\n\n/**\n * Enforce API token scopes based on the request URL and HTTP method.\n * Returns a 403 Response if the scope is insufficient, or null if allowed.\n *\n * Session-authenticated requests (tokenScopes === undefined) are never checked.\n */\nfunction enforceTokenScope(\n\tpathname: string,\n\tmethod: string,\n\ttokenScopes: string[] | undefined,\n): Response | null {\n\t// Session auth — implicit full access, no scope restrictions\n\tif (!tokenScopes) return null;\n\n\tconst isWrite = WRITE_METHODS.has(method);\n\n\tfor (const [prefix, ruleMethod, scope] of SCOPE_RULES) {\n\t\t// Match exact prefix or prefix followed by /\n\t\tif (pathname !== prefix && !pathname.startsWith(prefix + \"/\")) continue;\n\n\t\t// Check method match\n\t\tif (ruleMethod === \"*\" || (ruleMethod === \"WRITE\" && isWrite) || ruleMethod === method) {\n\t\t\tif (hasScope(tokenScopes, scope)) return null;\n\n\t\t\treturn new Response(\n\t\t\t\tJSON.stringify({\n\t\t\t\t\terror: {\n\t\t\t\t\t\tcode: \"INSUFFICIENT_SCOPE\",\n\t\t\t\t\t\tmessage: `Token lacks required scope: ${scope}`,\n\t\t\t\t\t},\n\t\t\t\t}),\n\t\t\t\t{ status: 403, headers: { \"Content-Type\": \"application/json\", ...MW_CACHE_HEADERS } },\n\t\t\t);\n\t\t}\n\t}\n\n\t// No rule matched — default to admin scope (fail-closed)\n\tif (hasScope(tokenScopes, \"admin\")) return null;\n\n\treturn new Response(\n\t\tJSON.stringify({\n\t\t\terror: {\n\t\t\t\tcode: \"INSUFFICIENT_SCOPE\",\n\t\t\t\tmessage: \"Token lacks required scope: admin\",\n\t\t\t},\n\t\t}),\n\t\t{ status: 403, headers: { \"Content-Type\": \"application/json\", ...MW_CACHE_HEADERS } },\n\t);\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AA8BA,SAAgB,gBACf,SACA,KACA,cACkB;AAGlB,KADmB,QAAQ,QAAQ,IAAI,mBAAmB,KACvC,IAAK,QAAO;CAG/B,MAAM,SAAS,QAAQ,QAAQ,IAAI,SAAS;AAC5C,KAAI,QAAQ;AACX,MAAI;GACH,MAAM,YAAY,IAAI,IAAI,OAAO;AAEjC,OAAI,UAAU,WAAW,IAAI,OAAQ,QAAO;AAC5C,OAAI,gBAAgB,UAAU,WAAW,aAAc,QAAO;UACvD;AAIR,SAAO,SAAS,iBAAiB,gCAAgC,IAAI;;AAMtE,QAAO;;;;;AC1CR,SAAS,4BACR,UACqB;CACrB,MAAM,gBAAgB,OAAO,aAAa,WAAW,WAAW,UAAU;AAC1E,KAAI,CAAC,cAAe,QAAO;AAE3B,KAAI;EACH,MAAM,MAAM,IAAI,IAAI,cAAc;AAClC,MAAI,IAAI,aAAa,WAAW,IAAI,aAAa,SAAU,QAAO;AAClE,SAAO,IAAI;SACJ;AACP;;;AAIF,SAAgB,eAAe,UAAwC;CACtE,MAAM,aAAa,CAAC,qBAAqB;CACzC,MAAM,2BAA2B,4BAA4B,SAAS;AACtE,KAAI,yBAA0B,YAAW,KAAK,yBAAyB;AAEvE,QAAO;EACN;EACA;EACA;EACA,WAAW,KAAK,IAAI;EACpB;EACA;EACA;EACA;EACA;EACA,CAAC,KAAK,KAAK;;;;;;AClBb,MAAM,mBAAmB,EACxB,iBAAiB,qBACjB;AAwBD,MAAM,aAAa;AACnB,MAAM,oBAAoB;AAE1B,SAAS,eAAe,QAAyB;AAChD,QAAO,WAAW,SAAS,WAAW,UAAU,WAAW;;AAG5D,SAAS,uBAAiC;AACzC,QAAO,IAAI,SACV,KAAK,UAAU,EAAE,OAAO;EAAE,MAAM;EAAiB,SAAS;EAA2B,EAAE,CAAC,EACxF;EACC,QAAQ;EACR,SAAS;GAAE,gBAAgB;GAAoB,GAAG;GAAkB;EACpE,CACD;;AAGF,SAAS,wBACR,KACA,QACW;CACX,MAAM,SAAS,gBAAgB,KAAK,OAAO;AAC3C,QAAO,SAAS,KACf,EAAE,OAAO;EAAE,MAAM;EAAqB,SAAS;EAAqB,EAAE,EACtE;EACC,QAAQ;EACR,SAAS;GACR,oBAAoB,6BAA6B,OAAO;GACxD,GAAG;GACH;EACD,CACD;;;;;;;;AASF,MAAM,sBAAsB;CAC3B;CACA;CACA;CACA;CACA;CACA;CACA;CACA;CACA;CACA;CACA;CACA;CACA;CACA;CACA;CACA;AAED,MAAM,mBAAmB,IAAI,IAAI;CAChC;CACA;CACA;CACA;CACA;CAIA;CACA,CAAC;AAIF,MAAM,EAAE,OAAO,sBAAsB,UAAU,iCAAiC;CAC/E,MAAM,wBAAQ,IAAI,KAAa;CAC/B,MAAM,WAAqB,EAAE;AAC7B,KAAI,CAAC,eAAe,cAAe,QAAO;EAAE;EAAO;EAAU;AAC7D,MAAK,MAAM,SAAS,cAAc,cAAc,SAAS,MAAM,EAAE,gBAAgB,EAAE,CAAC,CACnF,KAAI,MAAM,SAAS,IAAI,CACtB,UAAS,KAAK,MAAM;KAEpB,OAAM,IAAI,MAAM;AAGlB,QAAO;EAAE;EAAO;EAAU;IACvB;;;;;;;;;;;;;;;;;;AAmBJ,MAAM,4BAA4B,IAAI,IAAI;CACzC;CACA;CACA;CACA;CACA,CAAC;AAEF,SAAS,oBAAoB,UAA2B;AACvD,KAAI,iBAAiB,IAAI,SAAS,CAAE,QAAO;AAC3C,KAAI,oBAAoB,MAAM,MAAM,SAAS,WAAW,EAAE,CAAC,CAAE,QAAO;AACpE,KAAI,qBAAqB,IAAI,SAAS,CAAE,QAAO;AAC/C,KAAI,sBAAsB,MAAM,MAAM,SAAS,WAAW,EAAE,CAAC,CAAE,QAAO;AACtE,KAAI,OAAO,KAAK,IAAI,OAAO,aAAa,uBAAwB,QAAO;AACvE,QAAO;;AAGR,SAAS,wBAAwB,UAA2B;AAC3D,QAAO,0BAA0B,IAAI,SAAS;;AAG/C,MAAa,YAAY,iBAAiB,OAAO,SAAS,SAAS;CAClE,MAAM,EAAE,QAAQ;CAGhB,MAAM,eAAe,IAAI,SAAS,WAAW,iBAAiB;CAC9D,MAAM,eAAe,IAAI,SAAS,WAAW,uBAAuB;CACpE,MAAM,aAAa,IAAI,SAAS,WAAW,eAAe;CAC1D,MAAM,mBAAmB,oBAAoB,IAAI,SAAS;CAE1D,MAAM,gBAAgB,CAAC,gBAAgB,CAAC;AAKxC,KAAI,kBAAkB;AAErB,MACC,eAFc,QAAQ,QAAQ,OAAO,aAAa,CAE5B,IACtB,CAAC,wBAAwB,IAAI,SAAS,EACrC;GACD,MAAM,eAAe,gBAAgB,KAAK,QAAQ,OAAO,QAAQ,OAAO;GACxE,MAAM,YAAY,gBAAgB,QAAQ,SAAS,KAAK,aAAa;AACrE,OAAI,UAAW,QAAO;;AAEvB,SAAO,MAAM;;AAQd,KADsB,IAAI,SAAS,WAAW,wBAAwB,EACnD;EAClB,MAAM,SAAS,QAAQ,QAAQ,OAAO,aAAa;AACnD,MAAI,WAAW,SAAS,WAAW,UAAU,WAAW,WAAW;GAClE,MAAM,eAAe,gBAAgB,KAAK,QAAQ,OAAO,QAAQ,OAAO;GACxE,MAAM,YAAY,gBAAgB,QAAQ,SAAS,KAAK,aAAa;AACrE,OAAI,UAAW,QAAO;;AAEvB,SAAO,sBAAsB,SAAS,KAAK;;AAI5C,KAAI,cAAc;EACjB,MAAM,SAAS,QAAQ,QAAQ,OAAO,aAAa;AACnD,MAAI,WAAW,SAAS,WAAW,UAAU,WAAW,WAEvD;OADmB,QAAQ,QAAQ,QAAQ,IAAI,mBAAmB,KAC/C,IAClB,QAAO,IAAI,SACV,KAAK,UAAU,EACd,OAAO;IAAE,MAAM;IAAiB,SAAS;IAA2B,EACpE,CAAC,EACF;IACC,QAAQ;IACR,SAAS;KAAE,gBAAgB;KAAoB,GAAG;KAAkB;IACpE,CACD;;AAGH,SAAO,MAAM;;AAId,KAAI,cACH,QAAO,sBAAsB,SAAS,KAAK;CAO5C,MAAM,eAAe,MAAM,iBAAiB,QAAQ;AAEpD,KAAI,iBAAiB,WAAW;EAC/B,MAAM,UAAkC;GACvC,gBAAgB;GAChB,GAAG;GACH;AAED,MAAI,IAAI,aAAa,mBAEpB,SAAQ,sBACP,6BAFc,gBAAgB,KAAK,QAAQ,OAAO,QAAQ,OAAO,CAE7B;AAEtC,SAAO,IAAI,SACV,KAAK,UAAU,EAAE,OAAO;GAAE,MAAM;GAAiB,SAAS;GAA4B,EAAE,CAAC,EACzF;GAAE,QAAQ;GAAK;GAAS,CACxB;;CAGF,MAAM,cAAc,iBAAiB;CAKrC,MAAM,SAAS,QAAQ,QAAQ,OAAO,aAAa;AAEnD,KADsB,IAAI,aAAa,qBAClB,CAAC,YACrB,QAAO,wBAAwB,KAAK,QAAQ,OAAO,QAAQ,OAAO;CAQnE,MAAM,iBAAiB,IAAI,SAAS,WAAW,2BAA2B;AAC1E,KACC,cACA,CAAC,eACD,CAAC,kBACD,eAAe,OAAO,IACtB,CAAC,kBAGD;MADmB,QAAQ,QAAQ,QAAQ,IAAI,mBAAmB,KAC/C,IAClB,QAAO,sBAAsB;;AAK/B,KAAI,aAAa;EAEhB,MAAM,aAAa,kBAAkB,IAAI,UAAU,QAAQ,QAAQ,OAAO,YAAY;AACtF,MAAI,WAAY,QAAO;EAEvB,MAAM,WAAW,MAAM,MAAM;AAC7B,MAAI,CAAC,OAAO,KAAK,IAAI,IACpB,UAAS,QAAQ,IAChB,2BACA,eAAe,QAAQ,OAAO,QAAQ,OAAO,cAAc,SAAS,CACpE;AAEF,SAAO;;CAGR,MAAM,WAAW,MAAM,iBAAiB,SAAS,KAAK;AAGtD,KAAI,CAAC,OAAO,KAAK,IAAI,IACpB,UAAS,QAAQ,IAChB,2BACA,eAAe,QAAQ,OAAO,QAAQ,OAAO,cAAc,SAAS,CACpE;AAGF,QAAO;EACN;;;;;AAMF,eAAe,iBACd,SACA,MACoB;CACpB,MAAM,EAAE,KAAK,WAAW;CACxB,MAAM,EAAE,WAAW;CAEnB,MAAM,qBACL,IAAI,SAAS,WAAW,uBAAuB,IAC/C,IAAI,SAAS,WAAW,+BAA+B;CACxD,MAAM,aAAa,IAAI,SAAS,WAAW,eAAe;AAE1D,KAAI,CAAC,QAAQ,GAEZ,QAAO,MAAM;CAId,MAAM,WAAW,YAAY,OAAO,OAAO;AAE3C,KAAI,SAAS,SAAS,YAAY;AAEjC,MAAI,OAAO,KAAK,IAAI,KAAK;AACxB,OAAI,mBACH,QAAO,MAAM;AAGd,UAAO,kBAAkB,SAAS,MAAM,WAAW;;AAIpD,SAAO,mBAAmB,SAAS,MAAM,UAAU,WAAW;;AAI/D,KAAI,mBACH,QAAO,MAAM;AAGd,QAAO,kBAAkB,SAAS,MAAM,WAAW;;;;;;;AAQpD,eAAe,sBACd,SACA,MACoB;CACpB,MAAM,EAAE,WAAW;CACnB,MAAM,EAAE,WAAW;AAEnB,KAAI;EAEH,MAAM,eAAe,MAAM,iBAAiB,QAAQ;AACpD,MAAI,iBAAiB,gBAEpB,QAAO,MAAM;AAEd,MAAI,iBAAiB,UAGpB,QAAO,IAAI,SACV,KAAK,UAAU,EAAE,OAAO;GAAE,MAAM;GAAiB,SAAS;GAA4B,EAAE,CAAC,EACzF;GACC,QAAQ;GACR,SAAS;IAAE,gBAAgB;IAAoB,GAAG;IAAkB;GACpE,CACD;UAGM,OAAO;AACf,UAAQ,MAAM,mCAAmC,MAAM;;AAGxD,KAAI;EAEH,MAAM,EAAE,YAAY;EACpB,MAAM,cAAc,MAAM,SAAS,IAAI,OAAO;AAC9C,MAAI,aAAa,MAAM,QAAQ,IAAI;GAElC,MAAM,OAAO,MADG,oBAAoB,OAAO,GAAG,CACnB,YAAY,YAAY,GAAG;AACtD,OAAI,QAAQ,CAAC,KAAK,SACjB,QAAO,OAAO;;UAGR,OAAO;AAEf,UAAQ,MAAM,oCAAoC,MAAM;;AAGzD,QAAO,MAAM;;;;;;AAOd,eAAe,sBACd,SACA,MACoB;CACpB,MAAM,EAAE,QAAQ,YAAY;CAC5B,MAAM,EAAE,WAAW;AAEnB,KAAI;EACH,MAAM,cAAc,MAAM,SAAS,IAAI,OAAO;AAC9C,MAAI,aAAa,MAAM,QAAQ,IAAI;GAElC,MAAM,OAAO,MADG,oBAAoB,OAAO,GAAG,CACnB,YAAY,YAAY,GAAG;AACtD,OAAI,QAAQ,CAAC,KAAK,SACjB,QAAO,OAAO;;SAGT;AAIR,QAAO,MAAM;;;;;AAMd,eAAe,mBACd,SACA,MACA,UACA,aACoB;CACpB,MAAM,EAAE,QAAQ,YAAY;CAC5B,MAAM,EAAE,WAAW;AAEnB,KAAI;AAGH,MAAI,OAAOA,iBAAwB,WAClC,OAAM,IAAI,MACT,iBAAiB,SAAS,WAAW,2CACrC;EAIF,MAAM,aAAa,MAAMA,aAAoB,SAAS,SAAS,OAAO;EAItE,MAAM,iBAAiB,SAAS;EAGhC,MAAM,UAAU,oBAAoB,OAAQ,GAAG;EAC/C,IAAI,OAAO,MAAM,QAAQ,eAAe,WAAW,MAAM;AAEzD,MAAI,CAAC,MAAM;AAEV,OAAI,eAAe,kBAAkB,MACpC,QAAO,IAAI,SAAS,uBAAuB;IAC1C,QAAQ;IACR,SAAS;KAAE,gBAAgB;KAAc,GAAG;KAAkB;IAC9D,CAAC;GAIH,MAAM,YAAY,MAAM,OAAQ,GAC9B,WAAW,QAAQ,CACnB,OAAO,OAAQ,GAAG,GAAG,MAAM,KAAK,CAAC,GAAG,QAAQ,CAAC,CAC7C,kBAAkB;GAEpB,MAAM,cAAc,OAAO,WAAW,SAAS,EAAE,KAAK;GACtD,MAAM,OAAO,cAAc,aAAa,WAAW;GAGnD,MAAM,uBAAM,IAAI,MAAM,EAAC,aAAa;GACpC,MAAM,UAAU;IACf,IAAI,MAAM;IACV,OAAO,WAAW;IAClB,MAAM,WAAW;IACjB;IACA,gBAAgB;IAChB,YAAY;IACZ,YAAY;IACZ;AAED,SAAM,OAAQ,GAAG,WAAW,QAAQ,CAAC,OAAO,QAAQ,CAAC,SAAS;AAE9D,UAAO,MAAM,QAAQ,eAAe,WAAW,MAAM;AAErD,WAAQ,IACP,qCAAqC,WAAW,MAAM,UAAU,KAAK,WAAW,YAAY,GAC5F;SACK;GAEN,MAAM,UAAmC,EAAE;GAC3C,IAAI;GACJ,IAAI;AAGJ,OAAI,WAAW,QAAQ,KAAK,SAAS,WAAW,MAAM;AACrD,cAAU,WAAW;AACrB,YAAQ,OAAO;;AAIhB,OAAI,eAAe,aAAa,KAAK,SAAS,WAAW,MAAM;AAC9D,cAAU,WAAW;AACrB,YAAQ,OAAO;;AAGhB,OAAI,OAAO,KAAK,QAAQ,CAAC,SAAS,GAAG;AACpC,YAAQ,8BAAa,IAAI,MAAM,EAAC,aAAa;AAC7C,UAAM,OAAQ,GAAG,YAAY,QAAQ,CAAC,IAAI,QAAQ,CAAC,MAAM,MAAM,KAAK,KAAK,GAAG,CAAC,SAAS;AAEtF,WAAO;KACN,GAAG;KACH,GAAI,UAAU,EAAE,MAAM,SAAS,GAAG,EAAE;KACpC,GAAI,UAAU,EAAE,MAAM,SAAS,GAAG,EAAE;KACpC;AAED,YAAQ,IACP,gCAAgC,WAAW,MAAM,IACjD,OAAO,KAAK,QAAQ,CAAC,QAAQ,MAAM,MAAM,aAAa,CACtD;;;AAIH,MAAI,CAAC,KAEJ,QAAO,IAAI,SAAS,4BAA4B;GAC/C,QAAQ;GACR,SAAS;IAAE,gBAAgB;IAAc,GAAG;IAAkB;GAC9D,CAAC;AAIH,MAAI,KAAK,SACR,QAAO,IAAI,SAAS,oBAAoB;GACvC,QAAQ;GACR,SAAS;IAAE,gBAAgB;IAAc,GAAG;IAAkB;GAC9D,CAAC;AAIH,SAAO,OAAO;EAId,MAAM,EAAE,YAAY;AACpB,WAAS,IAAI,QAAQ,EAAE,IAAI,KAAK,IAAI,CAAC;AAErC,SAAO,MAAM;UACL,OAAO;AACf,UAAQ,MAAM,+BAA+B,MAAM;AAEnD,SAAO,IAAI,SAAS,yBAAyB;GAC5C,QAAQ;GACR,SAAS;IAAE,gBAAgB;IAAc,GAAG;IAAkB;GAC9D,CAAC;;;;;;;;;;;AAYJ,eAAe,iBACd,SACgD;CAChD,MAAM,aAAa,QAAQ,QAAQ,QAAQ,IAAI,gBAAgB;AAC/D,KAAI,CAAC,YAAY,WAAW,UAAU,CAAE,QAAO;CAE/C,MAAM,QAAQ,WAAW,MAAM,EAAE;AACjC,KAAI,CAAC,MAAO,QAAO;CAEnB,MAAM,EAAE,WAAW;CACnB,MAAM,EAAE,WAAW;AACnB,KAAI,CAAC,QAAQ,GAAI,QAAO;CAGxB,IAAI,WAAwD;AAE5D,KAAI,MAAM,WAAW,UAAU,CAC9B,YAAW,MAAM,gBAAgB,OAAO,IAAI,MAAM;UACxC,MAAM,WAAW,UAAU,CACrC,YAAW,MAAM,kBAAkB,OAAO,IAAI,MAAM;KAGpD,QAAO;AAGR,KAAI,CAAC,SAAU,QAAO;CAItB,MAAM,OAAO,MADG,oBAAoB,OAAO,GAAG,CACnB,YAAY,SAAS,OAAO;AAEvD,KAAI,CAAC,QAAQ,KAAK,SAAU,QAAO;AAGnC,QAAO,OAAO;AACd,QAAO,cAAc,SAAS;AAE9B,QAAO;;;;;AAMR,eAAe,kBACd,SACA,MACA,YACoB;CACpB,MAAM,EAAE,KAAK,QAAQ,YAAY;CACjC,MAAM,EAAE,WAAW;AAEnB,KAAI;EAEH,MAAM,cAAc,MAAM,SAAS,IAAI,OAAO;AAE9C,MAAI,CAAC,aAAa,IAAI;AACrB,OAAI,WACH,QAAO,SAAS,KACf,EAAE,OAAO;IAAE,MAAM;IAAqB,SAAS;IAAqB,EAAE,EACtE;IAAE,QAAQ;IAAK,SAAS;IAAkB,CAC1C;GAEF,MAAM,WAAW,IAAI,IAAI,wBAAwB,gBAAgB,KAAK,QAAQ,OAAO,CAAC;AACtF,YAAS,aAAa,IAAI,YAAY,IAAI,SAAS;AACnD,UAAO,QAAQ,SAAS,SAAS,UAAU,CAAC;;EAK7C,MAAM,OAAO,MADG,oBAAoB,OAAQ,GAAG,CACpB,YAAY,YAAY,GAAG;AAEtD,MAAI,CAAC,MAAM;AAEV,YAAS,SAAS;AAClB,OAAI,WACH,QAAO,SAAS,KACf,EAAE,OAAO;IAAE,MAAM;IAAa,SAAS;IAAkB,EAAE,EAC3D;IAAE,QAAQ;IAAK,SAAS;IAAkB,CAC1C;GAEF,MAAM,WAAW,IAAI,IAAI,wBAAwB,gBAAgB,KAAK,QAAQ,OAAO,CAAC;AACtF,UAAO,QAAQ,SAAS,SAAS,UAAU,CAAC;;AAI7C,MAAI,KAAK,UAAU;AAClB,YAAS,SAAS;AAClB,OAAI,WACH,QAAO,SAAS,oBAAoB,oBAAoB,IAAI;GAE7D,MAAM,WAAW,IAAI,IAAI,wBAAwB,gBAAgB,KAAK,QAAQ,OAAO,CAAC;AACtF,YAAS,aAAa,IAAI,SAAS,mBAAmB;AACtD,UAAO,QAAQ,SAAS,SAAS,UAAU,CAAC;;AAI7C,SAAO,OAAO;UACN,OAAO;AACf,UAAQ,MAAM,0BAA0B,MAAM;AAE9C,SAAO,QAAQ,SAAS,uBAAuB;;AAGhD,QAAO,MAAM;;;;;;;;AAad,MAAM,cAAsE;CAE3E;EAAC;EAAwB;EAAO;EAAe;CAC/C;EAAC;EAAwB;EAAS;EAAgB;CAGlD;EAAC;EAA2B;EAAK;EAAa;CAC9C;EAAC;EAAsB;EAAO;EAAa;CAC3C;EAAC;EAAsB;EAAS;EAAc;CAG9C;EAAC;EAAuB;EAAO;EAAc;CAC7C;EAAC;EAAuB;EAAS;EAAe;CAOhD;EAAC;EAA2B;EAAO;EAAe;CAClD;EAAC;EAA2B;EAAS;EAAoB;CACzD;EAAC;EAAsB;EAAO;EAAe;CAC7C;EAAC;EAAsB;EAAS;EAAe;CAC/C;EAAC;EAAyB;EAAO;EAAe;CAChD;EAAC;EAAyB;EAAS;EAAgB;CACnD;EAAC;EAA6B;EAAO;EAAe;CACpD;EAAC;EAA6B;EAAS;EAAgB;CACvD;EAAC;EAA0B;EAAO;EAAe;CACjD;EAAC;EAA0B;EAAS;EAAgB;CAGpD;EAAC;EAAuB;EAAO;EAAe;CAC9C;EAAC;EAAuB;EAAS;EAAQ;CAGzC;EAAC;EAAuB;EAAK;EAAQ;CACrC;EAAC;EAAsB;EAAK;EAAQ;CACpC;EAAC;EAAwB;EAAK;EAAQ;CAItC;EAAC;EAAyB;EAAO;EAAgB;CACjD;EAAC;EAAyB;EAAS;EAAkB;CAGrD;EAAC;EAAoB;EAAK;EAAe;CACzC;AAED,MAAM,gBAAgB,IAAI,IAAI;CAAC;CAAQ;CAAO;CAAS;CAAS,CAAC;;;;;;;AAQjE,SAAS,kBACR,UACA,QACA,aACkB;AAElB,KAAI,CAAC,YAAa,QAAO;CAEzB,MAAM,UAAU,cAAc,IAAI,OAAO;AAEzC,MAAK,MAAM,CAAC,QAAQ,YAAY,UAAU,aAAa;AAEtD,MAAI,aAAa,UAAU,CAAC,SAAS,WAAW,SAAS,IAAI,CAAE;AAG/D,MAAI,eAAe,OAAQ,eAAe,WAAW,WAAY,eAAe,QAAQ;AACvF,OAAI,SAAS,aAAa,MAAM,CAAE,QAAO;AAEzC,UAAO,IAAI,SACV,KAAK,UAAU,EACd,OAAO;IACN,MAAM;IACN,SAAS,+BAA+B;IACxC,EACD,CAAC,EACF;IAAE,QAAQ;IAAK,SAAS;KAAE,gBAAgB;KAAoB,GAAG;KAAkB;IAAE,CACrF;;;AAKH,KAAI,SAAS,aAAa,QAAQ,CAAE,QAAO;AAE3C,QAAO,IAAI,SACV,KAAK,UAAU,EACd,OAAO;EACN,MAAM;EACN,SAAS;EACT,EACD,CAAC,EACF;EAAE,QAAQ;EAAK,SAAS;GAAE,gBAAgB;GAAoB,GAAG;GAAkB;EAAE,CACrF"}
1
+ {"version":3,"file":"auth.mjs","names":["virtualAuthenticate"],"sources":["../../../src/api/csrf.ts","../../../src/astro/middleware/csp.ts","../../../src/astro/middleware/auth.ts"],"sourcesContent":["/**\n * CSRF protection utilities.\n *\n * Two mechanisms:\n * 1. Custom header check (X-EmDash-Request: 1) — used for authenticated API routes.\n * Browsers block cross-origin custom headers, so presence proves same-origin.\n * 2. Origin check — used for public API routes that skip auth. Compares the Origin\n * header against the request origin. Same approach as Astro's `checkOrigin`.\n */\n\nimport { apiError } from \"./error.js\";\n\n/**\n * Origin-based CSRF check for public API routes that skip auth.\n *\n * State-changing requests (POST/PUT/DELETE) to public endpoints must either:\n * 1. Include the X-EmDash-Request: 1 header (custom header blocked cross-origin), OR\n * 2. Have an Origin header matching the request origin (or the configured public origin)\n *\n * This prevents cross-origin form submissions (which can't set custom headers)\n * and cross-origin fetch (blocked by CORS unless allowed). Same-origin requests\n * always include a matching Origin header.\n *\n * Returns a 403 Response if the check fails, or null if allowed.\n *\n * @param request The incoming request\n * @param url The request URL (internal origin)\n * @param publicOrigin The public-facing origin from config.siteUrl. Must be\n * `undefined` when absent — never `null` or `\"\"` (security invariant H-1a).\n */\nexport function checkPublicCsrf(\n\trequest: Request,\n\turl: URL,\n\tpublicOrigin?: string,\n): Response | null {\n\t// Custom header present — browser blocks cross-origin custom headers\n\tconst csrfHeader = request.headers.get(\"X-EmDash-Request\");\n\tif (csrfHeader === \"1\") return null;\n\n\t// Check Origin header — present on all POST/PUT/DELETE from browsers\n\tconst origin = request.headers.get(\"Origin\");\n\tif (origin) {\n\t\ttry {\n\t\t\tconst originUrl = new URL(origin);\n\t\t\t// Accept if Origin matches either the internal or public origin\n\t\t\tif (originUrl.origin === url.origin) return null;\n\t\t\tif (publicOrigin && originUrl.origin === publicOrigin) return null;\n\t\t} catch {\n\t\t\t// Malformed Origin — fall through to reject\n\t\t}\n\n\t\treturn apiError(\"CSRF_REJECTED\", \"Cross-origin request blocked\", 403);\n\t}\n\n\t// No Origin header — non-browser client (curl, server-to-server).\n\t// Allow these through since CSRF is a browser-specific attack vector.\n\t// Server-to-server requests don't carry ambient credentials (cookies).\n\treturn null;\n}\n","/**\n * Strict Content-Security-Policy for /_emdash routes (admin + API).\n *\n * Applied via middleware header rather than Astro's built-in CSP because\n * Astro's auto-hashing defeats 'unsafe-inline' (CSP3 ignores 'unsafe-inline'\n * when hashes are present), which would break user-facing pages.\n *\n * img-src allows any HTTPS origin because the admin renders user content that\n * may reference external images (migrations, external hosting, embeds).\n * Plugin security does not rely on img-src -- plugins run in V8 isolates with\n * no DOM access. connect-src stays at 'self' unless the experimental registry\n * is configured, in which case the configured aggregator origin is allowed.\n */\nimport type { RegistryConfigInput } from \"../../registry/types.js\";\n\nfunction getRegistryAggregatorOrigin(\n\tregistry: RegistryConfigInput | undefined,\n): string | undefined {\n\tconst aggregatorUrl = typeof registry === \"string\" ? registry : registry?.aggregatorUrl;\n\tif (!aggregatorUrl) return undefined;\n\n\ttry {\n\t\tconst url = new URL(aggregatorUrl);\n\t\tif (url.protocol !== \"http:\" && url.protocol !== \"https:\") return undefined;\n\t\treturn url.origin;\n\t} catch {\n\t\treturn undefined;\n\t}\n}\n\nexport function buildEmDashCsp(registry?: RegistryConfigInput): string {\n\tconst connectSrc = [\"connect-src 'self'\"];\n\tconst registryAggregatorOrigin = getRegistryAggregatorOrigin(registry);\n\tif (registryAggregatorOrigin) connectSrc.push(registryAggregatorOrigin);\n\n\treturn [\n\t\t\"default-src 'self'\",\n\t\t\"script-src 'self' 'unsafe-inline'\",\n\t\t\"style-src 'self' 'unsafe-inline'\",\n\t\tconnectSrc.join(\" \"),\n\t\t\"form-action 'self'\",\n\t\t\"frame-ancestors 'none'\",\n\t\t\"img-src 'self' https: data: blob:\",\n\t\t\"object-src 'none'\",\n\t\t\"base-uri 'self'\",\n\t].join(\"; \");\n}\n","/**\n * Auth middleware for admin routes\n *\n * Checks if the user is authenticated and has appropriate permissions.\n * Supports two auth modes:\n * - Passkey (default): Session-based auth with passkey login\n * - External providers: JWT-based auth (Cloudflare Access, etc.)\n *\n * This middleware runs AFTER the setup middleware - so if we get here,\n * we know setup is complete and users exist.\n */\n\nimport type { User, RoleLevel } from \"@emdash-cms/auth\";\nimport { createKyselyAdapter } from \"@emdash-cms/auth/adapters/kysely\";\nimport { defineMiddleware } from \"astro:middleware\";\nimport { ulid } from \"ulidx\";\n// Import auth provider via virtual module (statically bundled)\n// This avoids dynamic import issues in Cloudflare Workers\nimport { authenticate as virtualAuthenticate } from \"virtual:emdash/auth\";\n// @ts-ignore - virtual module\nimport virtualConfig from \"virtual:emdash/config\";\n\nimport { checkPublicCsrf } from \"../../api/csrf.js\";\nimport { apiError } from \"../../api/error.js\";\nimport { getPublicOrigin } from \"../../api/public-url.js\";\n\n/** Cache headers for middleware error responses (matches API_CACHE_HEADERS in api/error.ts) */\nconst MW_CACHE_HEADERS = {\n\t\"Cache-Control\": \"private, no-store\",\n} as const;\nimport { resolveApiToken, resolveOAuthToken } from \"../../api/handlers/api-tokens.js\";\nimport { hasScope } from \"../../auth/api-tokens.js\";\nimport { getAuthMode, type ExternalAuthMode } from \"../../auth/mode.js\";\nimport type { ExternalAuthConfig } from \"../../auth/types.js\";\nimport type { EmDashHandlers } from \"../types.js\";\nimport { buildEmDashCsp } from \"./csp.js\";\n\ndeclare global {\n\tnamespace App {\n\t\tinterface Locals {\n\t\t\tuser?: User;\n\t\t\t/** Token scopes when authenticated via API token or OAuth token. Undefined for session auth. */\n\t\t\ttokenScopes?: string[];\n\t\t\temdash?: EmDashHandlers;\n\t\t}\n\t\tinterface SessionData {\n\t\t\tuser: { id: string };\n\t\t\thasSeenWelcome: boolean;\n\t\t}\n\t}\n}\n\n// Role level constants (matching @emdash-cms/auth)\nconst ROLE_ADMIN = 50;\nconst MCP_ENDPOINT_PATH = \"/_emdash/api/mcp\";\n\nfunction isUnsafeMethod(method: string): boolean {\n\treturn method !== \"GET\" && method !== \"HEAD\" && method !== \"OPTIONS\";\n}\n\nfunction csrfRejectedResponse(): Response {\n\treturn new Response(\n\t\tJSON.stringify({ error: { code: \"CSRF_REJECTED\", message: \"Missing required header\" } }),\n\t\t{\n\t\t\tstatus: 403,\n\t\t\theaders: { \"Content-Type\": \"application/json\", ...MW_CACHE_HEADERS },\n\t\t},\n\t);\n}\n\nfunction mcpUnauthorizedResponse(\n\turl: URL,\n\tconfig?: Parameters<typeof getPublicOrigin>[1],\n): Response {\n\tconst origin = getPublicOrigin(url, config);\n\treturn Response.json(\n\t\t{ error: { code: \"NOT_AUTHENTICATED\", message: \"Not authenticated\" } },\n\t\t{\n\t\t\tstatus: 401,\n\t\t\theaders: {\n\t\t\t\t\"WWW-Authenticate\": `Bearer resource_metadata=\"${origin}/.well-known/oauth-protected-resource\"`,\n\t\t\t\t...MW_CACHE_HEADERS,\n\t\t\t},\n\t\t},\n\t);\n}\n\n/**\n * API routes that skip auth — each handles its own access control.\n *\n * Prefix entries match any path starting with that prefix.\n * Exact entries (no trailing slash or wildcard) match that path only.\n */\nconst PUBLIC_API_PREFIXES = [\n\t\"/_emdash/api/setup\",\n\t\"/_emdash/api/auth/login\",\n\t\"/_emdash/api/auth/register\",\n\t\"/_emdash/api/auth/dev-bypass\",\n\t\"/_emdash/api/auth/signup/\",\n\t\"/_emdash/api/auth/magic-link/\",\n\t\"/_emdash/api/auth/invite/\",\n\t\"/_emdash/api/auth/oauth/\",\n\t\"/_emdash/api/oauth/device/token\",\n\t\"/_emdash/api/oauth/device/code\",\n\t\"/_emdash/api/oauth/token\",\n\t\"/_emdash/api/oauth/register\",\n\t\"/_emdash/api/comments/\",\n\t\"/_emdash/api/media/file/\",\n\t\"/_emdash/.well-known/\",\n];\n\nconst PUBLIC_API_EXACT = new Set([\n\t\"/_emdash/api/auth/passkey/options\",\n\t\"/_emdash/api/auth/passkey/verify\",\n\t\"/_emdash/api/auth/mode\",\n\t\"/_emdash/api/oauth/token\",\n\t\"/_emdash/api/snapshot\",\n\t// Public site search — read-only. The query layer hardcodes status='published'\n\t// so unauthenticated callers only see published content. Admin endpoints\n\t// (/enable, /rebuild, /stats) remain private because they're not in this set.\n\t\"/_emdash/api/search\",\n]);\n\n// Build merged public routes at module load from auth provider descriptors.\n// Routes ending with \"/\" are treated as prefixes; all others are exact matches.\nconst { exact: _providerExactRoutes, prefixes: _providerPrefixRoutes } = (() => {\n\tconst exact = new Set<string>();\n\tconst prefixes: string[] = [];\n\tif (!virtualConfig?.authProviders) return { exact, prefixes };\n\tfor (const route of virtualConfig.authProviders.flatMap((p) => p.publicRoutes ?? [])) {\n\t\tif (route.endsWith(\"/\")) {\n\t\t\tprefixes.push(route);\n\t\t} else {\n\t\t\texact.add(route);\n\t\t}\n\t}\n\treturn { exact, prefixes };\n})();\n\n/**\n * OAuth protocol endpoints that are CSRF-exempt by design.\n *\n * These are RFC-defined endpoints (RFC 6749 §3.2, RFC 7591 §3, RFC 8628 §3.1/§3.4)\n * specified to be called cross-origin by external clients (MCP clients, CLIs,\n * native apps). They authenticate each request on its own merits:\n *\n * - /oauth/token: requires PKCE code_verifier, device_code, or refresh_token\n * - /oauth/register: RFC 7591 dynamic client registration — anonymous by design\n * - /oauth/device/code: RFC 8628 device flow initiation — anonymous by design\n * - /oauth/device/token: requires device_code the client already holds\n *\n * None of these rely on ambient cookie credentials, so browser-based CSRF\n * attacks have nothing to exploit. The endpoints themselves advertise\n * `Access-Control-Allow-Origin: *`. Note: /oauth/device/authorize (the user\n * consent step) is NOT in this list — it is session-authenticated.\n */\nconst CSRF_EXEMPT_PUBLIC_ROUTES = new Set([\n\t\"/_emdash/api/oauth/token\",\n\t\"/_emdash/api/oauth/register\",\n\t\"/_emdash/api/oauth/device/code\",\n\t\"/_emdash/api/oauth/device/token\",\n]);\n\nfunction isPublicEmDashRoute(pathname: string): boolean {\n\tif (PUBLIC_API_EXACT.has(pathname)) return true;\n\tif (PUBLIC_API_PREFIXES.some((p) => pathname.startsWith(p))) return true;\n\tif (_providerExactRoutes.has(pathname)) return true;\n\tif (_providerPrefixRoutes.some((p) => pathname.startsWith(p))) return true;\n\tif (import.meta.env.DEV && pathname === \"/_emdash/api/typegen\") return true;\n\treturn false;\n}\n\nfunction isCsrfExemptPublicRoute(pathname: string): boolean {\n\treturn CSRF_EXEMPT_PUBLIC_ROUTES.has(pathname);\n}\n\nexport const onRequest = defineMiddleware(async (context, next) => {\n\tconst { url } = context;\n\n\t// Only check auth on admin routes and API routes\n\tconst isAdminRoute = url.pathname.startsWith(\"/_emdash/admin\");\n\tconst isSetupRoute = url.pathname.startsWith(\"/_emdash/admin/setup\");\n\tconst isApiRoute = url.pathname.startsWith(\"/_emdash/api\");\n\tconst isPublicApiRoute = isPublicEmDashRoute(url.pathname);\n\n\tconst isPublicRoute = !isAdminRoute && !isApiRoute;\n\n\t// Public API routes skip auth but still need CSRF protection on state-changing methods.\n\t// We check Origin header against the request host (same approach as Astro's checkOrigin).\n\t// This prevents cross-origin form submissions and fetch requests from malicious sites.\n\tif (isPublicApiRoute) {\n\t\tconst method = context.request.method.toUpperCase();\n\t\tif (\n\t\t\tisUnsafeMethod(method) &&\n\t\t\t!isCsrfExemptPublicRoute(url.pathname) // OAuth protocol endpoints — cross-origin by design\n\t\t) {\n\t\t\tconst publicOrigin = getPublicOrigin(url, context.locals.emdash?.config);\n\t\t\tconst csrfError = checkPublicCsrf(context.request, url, publicOrigin);\n\t\t\tif (csrfError) return csrfError;\n\t\t}\n\t\treturn next();\n\t}\n\n\t// Plugin routes: soft auth (resolve user if credentials present, but never block).\n\t// The catch-all handler decides per-route whether auth is required (public vs private).\n\t// Public plugin routes that accept POST are vulnerable to cross-origin form submissions,\n\t// so we apply the same Origin-based CSRF check as other public routes.\n\tconst isPluginRoute = url.pathname.startsWith(\"/_emdash/api/plugins/\");\n\tif (isPluginRoute) {\n\t\tconst method = context.request.method.toUpperCase();\n\t\tif (method !== \"GET\" && method !== \"HEAD\" && method !== \"OPTIONS\") {\n\t\t\tconst publicOrigin = getPublicOrigin(url, context.locals.emdash?.config);\n\t\t\tconst csrfError = checkPublicCsrf(context.request, url, publicOrigin);\n\t\t\tif (csrfError) return csrfError;\n\t\t}\n\t\treturn handlePluginRouteAuth(context, next);\n\t}\n\n\t// Setup routes: skip auth but still enforce CSRF on state-changing methods\n\tif (isSetupRoute) {\n\t\tconst method = context.request.method.toUpperCase();\n\t\tif (method !== \"GET\" && method !== \"HEAD\" && method !== \"OPTIONS\") {\n\t\t\tconst csrfHeader = context.request.headers.get(\"X-EmDash-Request\");\n\t\t\tif (csrfHeader !== \"1\") {\n\t\t\t\treturn new Response(\n\t\t\t\t\tJSON.stringify({\n\t\t\t\t\t\terror: { code: \"CSRF_REJECTED\", message: \"Missing required header\" },\n\t\t\t\t\t}),\n\t\t\t\t\t{\n\t\t\t\t\t\tstatus: 403,\n\t\t\t\t\t\theaders: { \"Content-Type\": \"application/json\", ...MW_CACHE_HEADERS },\n\t\t\t\t\t},\n\t\t\t\t);\n\t\t\t}\n\t\t}\n\t\treturn next();\n\t}\n\n\t// For public routes: soft auth check (set locals.user if session exists, but never block)\n\tif (isPublicRoute) {\n\t\treturn handlePublicRouteAuth(context, next);\n\t}\n\n\t// --- Everything below is /_emdash (admin + API) ---\n\n\t// Try Bearer token auth first (API tokens and OAuth tokens).\n\t// If successful, skip CSRF (tokens aren't ambient credentials like cookies).\n\tconst bearerResult = await handleBearerAuth(context);\n\n\tif (bearerResult === \"invalid\") {\n\t\tconst headers: Record<string, string> = {\n\t\t\t\"Content-Type\": \"application/json\",\n\t\t\t...MW_CACHE_HEADERS,\n\t\t};\n\t\t// Add WWW-Authenticate header on MCP endpoint 401s to trigger OAuth discovery\n\t\tif (url.pathname === \"/_emdash/api/mcp\") {\n\t\t\tconst origin = getPublicOrigin(url, context.locals.emdash?.config);\n\t\t\theaders[\"WWW-Authenticate\"] =\n\t\t\t\t`Bearer resource_metadata=\"${origin}/.well-known/oauth-protected-resource\"`;\n\t\t}\n\t\treturn new Response(\n\t\t\tJSON.stringify({ error: { code: \"INVALID_TOKEN\", message: \"Invalid or expired token\" } }),\n\t\t\t{ status: 401, headers },\n\t\t);\n\t}\n\n\tconst isTokenAuth = bearerResult === \"authenticated\";\n\n\t// MCP discovery/tooling is bearer-only. Session/external auth should never\n\t// be consulted for this endpoint, and unauthenticated requests must return\n\t// the OAuth discovery-style 401 response.\n\tconst method = context.request.method.toUpperCase();\n\tconst isMcpEndpoint = url.pathname === MCP_ENDPOINT_PATH;\n\tif (isMcpEndpoint && !isTokenAuth) {\n\t\treturn mcpUnauthorizedResponse(url, context.locals.emdash?.config);\n\t}\n\n\t// CSRF protection: require X-EmDash-Request header on state-changing requests.\n\t// Skip for token-authenticated requests (tokens aren't ambient credentials).\n\t// Browsers block cross-origin custom headers, so this prevents CSRF without tokens.\n\t// OAuth authorize consent is exempt: it's a standard HTML form POST that can't\n\t// include custom headers. The consent flow is protected by session + single-use codes.\n\tconst isOAuthConsent = url.pathname.startsWith(\"/_emdash/oauth/authorize\");\n\tif (\n\t\tisApiRoute &&\n\t\t!isTokenAuth &&\n\t\t!isOAuthConsent &&\n\t\tisUnsafeMethod(method) &&\n\t\t!isPublicApiRoute\n\t) {\n\t\tconst csrfHeader = context.request.headers.get(\"X-EmDash-Request\");\n\t\tif (csrfHeader !== \"1\") {\n\t\t\treturn csrfRejectedResponse();\n\t\t}\n\t}\n\n\t// If already authenticated via Bearer token, enforce scope then skip session/external auth\n\tif (isTokenAuth) {\n\t\t// Enforce API token scopes based on URL pattern + HTTP method\n\t\tconst scopeError = enforceTokenScope(url.pathname, method, context.locals.tokenScopes);\n\t\tif (scopeError) return scopeError;\n\n\t\tconst response = await next();\n\t\tif (!import.meta.env.DEV) {\n\t\t\tresponse.headers.set(\n\t\t\t\t\"Content-Security-Policy\",\n\t\t\t\tbuildEmDashCsp(context.locals.emdash?.config.experimental?.registry),\n\t\t\t);\n\t\t}\n\t\treturn response;\n\t}\n\n\tconst response = await handleEmDashAuth(context, next);\n\n\t// Set strict CSP on all /_emdash responses (prod only)\n\tif (!import.meta.env.DEV) {\n\t\tresponse.headers.set(\n\t\t\t\"Content-Security-Policy\",\n\t\t\tbuildEmDashCsp(context.locals.emdash?.config.experimental?.registry),\n\t\t);\n\t}\n\n\treturn response;\n});\n\n/**\n * Auth handling for /_emdash routes. Returns a Response from either\n * an auth error/redirect or the downstream route handler.\n */\nasync function handleEmDashAuth(\n\tcontext: Parameters<Parameters<typeof defineMiddleware>[0]>[0],\n\tnext: Parameters<Parameters<typeof defineMiddleware>[0]>[1],\n): Promise<Response> {\n\tconst { url, locals } = context;\n\tconst { emdash } = locals;\n\n\tconst isPublicAdminRoute =\n\t\turl.pathname.startsWith(\"/_emdash/admin/login\") ||\n\t\turl.pathname.startsWith(\"/_emdash/admin/invite/accept\");\n\tconst isApiRoute = url.pathname.startsWith(\"/_emdash/api\");\n\n\tif (!emdash?.db) {\n\t\t// No database - let the admin handle this error\n\t\treturn next();\n\t}\n\n\t// Determine auth mode from config\n\tconst authMode = getAuthMode(emdash.config);\n\n\tif (authMode.type === \"external\") {\n\t\t// In dev mode, fall back to passkey auth since external JWT won't be present\n\t\tif (import.meta.env.DEV) {\n\t\t\tif (isPublicAdminRoute) {\n\t\t\t\treturn next();\n\t\t\t}\n\n\t\t\treturn handlePasskeyAuth(context, next, isApiRoute);\n\t\t}\n\n\t\t// External auth provider (Cloudflare Access, etc.)\n\t\treturn handleExternalAuth(context, next, authMode, isApiRoute);\n\t}\n\n\t// Passkey authentication (default)\n\tif (isPublicAdminRoute) {\n\t\treturn next();\n\t}\n\n\treturn handlePasskeyAuth(context, next, isApiRoute);\n}\n\n/**\n * Soft auth for plugin routes: resolve user from Bearer token or session if present,\n * but never block unauthenticated requests. The catch-all handler checks route\n * metadata to decide whether auth is required (public vs private routes).\n */\nasync function handlePluginRouteAuth(\n\tcontext: Parameters<Parameters<typeof defineMiddleware>[0]>[0],\n\tnext: Parameters<Parameters<typeof defineMiddleware>[0]>[1],\n): Promise<Response> {\n\tconst { locals } = context;\n\tconst { emdash } = locals;\n\n\ttry {\n\t\t// Try Bearer token auth first (API tokens and OAuth tokens)\n\t\tconst bearerResult = await handleBearerAuth(context);\n\t\tif (bearerResult === \"authenticated\") {\n\t\t\t// User and tokenScopes are set on locals by handleBearerAuth\n\t\t\treturn next();\n\t\t}\n\t\tif (bearerResult === \"invalid\") {\n\t\t\t// A token was presented but is invalid/expired — return 401 so the\n\t\t\t// caller knows their token is bad (don't silently downgrade to no-auth).\n\t\t\treturn new Response(\n\t\t\t\tJSON.stringify({ error: { code: \"INVALID_TOKEN\", message: \"Invalid or expired token\" } }),\n\t\t\t\t{\n\t\t\t\t\tstatus: 401,\n\t\t\t\t\theaders: { \"Content-Type\": \"application/json\", ...MW_CACHE_HEADERS },\n\t\t\t\t},\n\t\t\t);\n\t\t}\n\t\t// \"none\" — no token presented, try session auth below.\n\t} catch (error) {\n\t\tconsole.error(\"Plugin route bearer auth error:\", error);\n\t}\n\n\ttry {\n\t\t// Try session auth (sets locals.user if session exists)\n\t\tconst { session } = context;\n\t\tconst sessionUser = await session?.get(\"user\");\n\t\tif (sessionUser?.id && emdash?.db) {\n\t\t\tconst adapter = createKyselyAdapter(emdash.db);\n\t\t\tconst user = await adapter.getUserById(sessionUser.id);\n\t\t\tif (user && !user.disabled) {\n\t\t\t\tlocals.user = user;\n\t\t\t}\n\t\t}\n\t} catch (error) {\n\t\t// Log but don't block — public routes should still work without session\n\t\tconsole.error(\"Plugin route session auth error:\", error);\n\t}\n\n\treturn next();\n}\n\n/**\n * Soft auth check for public routes with edit mode cookie.\n * Checks the session and sets locals.user if valid, but never blocks the request.\n */\nasync function handlePublicRouteAuth(\n\tcontext: Parameters<Parameters<typeof defineMiddleware>[0]>[0],\n\tnext: Parameters<Parameters<typeof defineMiddleware>[0]>[1],\n): Promise<Response> {\n\tconst { locals, session } = context;\n\tconst { emdash } = locals;\n\n\ttry {\n\t\tconst sessionUser = await session?.get(\"user\");\n\t\tif (sessionUser?.id && emdash?.db) {\n\t\t\tconst adapter = createKyselyAdapter(emdash.db);\n\t\t\tconst user = await adapter.getUserById(sessionUser.id);\n\t\t\tif (user && !user.disabled) {\n\t\t\t\tlocals.user = user;\n\t\t\t}\n\t\t}\n\t} catch {\n\t\t// Silently continue — public page should render normally\n\t}\n\n\treturn next();\n}\n\n/**\n * Handle external auth provider authentication (Cloudflare Access, etc.)\n */\nasync function handleExternalAuth(\n\tcontext: Parameters<Parameters<typeof defineMiddleware>[0]>[0],\n\tnext: Parameters<Parameters<typeof defineMiddleware>[0]>[1],\n\tauthMode: ExternalAuthMode,\n\t_isApiRoute: boolean,\n): Promise<Response> {\n\tconst { locals, request } = context;\n\tconst { emdash } = locals;\n\n\ttry {\n\t\t// Use the authenticate function from the virtual module\n\t\t// (statically imported at build time to work with Cloudflare Workers)\n\t\tif (typeof virtualAuthenticate !== \"function\") {\n\t\t\tthrow new Error(\n\t\t\t\t`Auth provider ${authMode.entrypoint} does not export an authenticate function`,\n\t\t\t);\n\t\t}\n\n\t\t// Authenticate via the provider\n\t\tconst authResult = await virtualAuthenticate(request, authMode.config);\n\n\t\t// Get external auth config for auto-provision settings\n\t\t// eslint-disable-next-line typescript/no-unsafe-type-assertion -- narrowing AuthModeConfig to ExternalAuthConfig after provider check\n\t\tconst externalConfig = authMode.config as ExternalAuthConfig;\n\n\t\t// Find or create user\n\t\tconst adapter = createKyselyAdapter(emdash.db);\n\t\tlet user = await adapter.getUserByEmail(authResult.email);\n\n\t\tif (!user) {\n\t\t\t// User doesn't exist\n\t\t\tif (externalConfig.autoProvision === false) {\n\t\t\t\treturn new Response(\"User not authorized\", {\n\t\t\t\t\tstatus: 403,\n\t\t\t\t\theaders: { \"Content-Type\": \"text/plain\", ...MW_CACHE_HEADERS },\n\t\t\t\t});\n\t\t\t}\n\n\t\t\t// Check if this is the first user (they become admin)\n\t\t\tconst userCount = await emdash.db\n\t\t\t\t.selectFrom(\"users\")\n\t\t\t\t.select(emdash.db.fn.count(\"id\").as(\"count\"))\n\t\t\t\t.executeTakeFirst();\n\n\t\t\tconst isFirstUser = Number(userCount?.count ?? 0) === 0;\n\t\t\tconst role = isFirstUser ? ROLE_ADMIN : authResult.role;\n\n\t\t\t// Create user\n\t\t\tconst now = new Date().toISOString();\n\t\t\tconst newUser = {\n\t\t\t\tid: ulid(),\n\t\t\t\temail: authResult.email,\n\t\t\t\tname: authResult.name,\n\t\t\t\trole,\n\t\t\t\temail_verified: 1,\n\t\t\t\tcreated_at: now,\n\t\t\t\tupdated_at: now,\n\t\t\t};\n\n\t\t\tawait emdash.db.insertInto(\"users\").values(newUser).execute();\n\n\t\t\tuser = await adapter.getUserByEmail(authResult.email);\n\n\t\t\tconsole.log(\n\t\t\t\t`[external-auth] Provisioned user: ${authResult.email} (role: ${role}, first: ${isFirstUser})`,\n\t\t\t);\n\t\t} else {\n\t\t\t// User exists - check if we need to sync anything\n\t\t\tconst updates: Record<string, unknown> = {};\n\t\t\tlet newName: string | undefined;\n\t\t\tlet newRole: RoleLevel | undefined;\n\n\t\t\t// Sync name from provider if provider provides one and local differs\n\t\t\tif (authResult.name && user.name !== authResult.name) {\n\t\t\t\tnewName = authResult.name;\n\t\t\t\tupdates.name = newName;\n\t\t\t}\n\n\t\t\t// Sync role if enabled\n\t\t\tif (externalConfig.syncRoles && user.role !== authResult.role) {\n\t\t\t\tnewRole = authResult.role;\n\t\t\t\tupdates.role = newRole;\n\t\t\t}\n\n\t\t\tif (Object.keys(updates).length > 0) {\n\t\t\t\tupdates.updated_at = new Date().toISOString();\n\t\t\t\tawait emdash.db.updateTable(\"users\").set(updates).where(\"id\", \"=\", user.id).execute();\n\n\t\t\t\tuser = {\n\t\t\t\t\t...user,\n\t\t\t\t\t...(newName ? { name: newName } : {}),\n\t\t\t\t\t...(newRole ? { role: newRole } : {}),\n\t\t\t\t};\n\n\t\t\t\tconsole.log(\n\t\t\t\t\t`[external-auth] Updated user ${authResult.email}:`,\n\t\t\t\t\tObject.keys(updates).filter((k) => k !== \"updated_at\"),\n\t\t\t\t);\n\t\t\t}\n\t\t}\n\n\t\tif (!user) {\n\t\t\t// This shouldn't happen, but handle it gracefully\n\t\t\treturn new Response(\"Failed to provision user\", {\n\t\t\t\tstatus: 500,\n\t\t\t\theaders: { \"Content-Type\": \"text/plain\", ...MW_CACHE_HEADERS },\n\t\t\t});\n\t\t}\n\n\t\t// Check if user is disabled locally\n\t\tif (user.disabled) {\n\t\t\treturn new Response(\"Account disabled\", {\n\t\t\t\tstatus: 403,\n\t\t\t\theaders: { \"Content-Type\": \"text/plain\", ...MW_CACHE_HEADERS },\n\t\t\t});\n\t\t}\n\n\t\t// Set user in locals\n\t\tlocals.user = user;\n\n\t\t// Persist to session so public pages can identify the user\n\t\t// (external auth headers are only verified on /_emdash routes)\n\t\tconst { session } = context;\n\t\tsession?.set(\"user\", { id: user.id });\n\n\t\treturn next();\n\t} catch (error) {\n\t\tconsole.error(\"[external-auth] Auth error:\", error);\n\n\t\treturn new Response(\"Authentication failed\", {\n\t\t\tstatus: 401,\n\t\t\theaders: { \"Content-Type\": \"text/plain\", ...MW_CACHE_HEADERS },\n\t\t});\n\t}\n}\n\n/**\n * Try to authenticate via Bearer token (API token or OAuth token).\n *\n * Returns:\n * - \"authenticated\" if token is valid and user is resolved\n * - \"invalid\" if a token was provided but is invalid/expired\n * - \"none\" if no Bearer token was provided\n */\nasync function handleBearerAuth(\n\tcontext: Parameters<Parameters<typeof defineMiddleware>[0]>[0],\n): Promise<\"authenticated\" | \"invalid\" | \"none\"> {\n\tconst authHeader = context.request.headers.get(\"Authorization\");\n\tif (!authHeader?.startsWith(\"Bearer \")) return \"none\";\n\n\tconst token = authHeader.slice(7);\n\tif (!token) return \"none\";\n\n\tconst { locals } = context;\n\tconst { emdash } = locals;\n\tif (!emdash?.db) return \"none\";\n\n\t// Resolve token based on prefix\n\tlet resolved: { userId: string; scopes: string[] } | null = null;\n\n\tif (token.startsWith(\"ec_pat_\")) {\n\t\tresolved = await resolveApiToken(emdash.db, token);\n\t} else if (token.startsWith(\"ec_oat_\")) {\n\t\tresolved = await resolveOAuthToken(emdash.db, token);\n\t} else {\n\t\t// Unknown token format\n\t\treturn \"invalid\";\n\t}\n\n\tif (!resolved) return \"invalid\";\n\n\t// Look up the user\n\tconst adapter = createKyselyAdapter(emdash.db);\n\tconst user = await adapter.getUserById(resolved.userId);\n\n\tif (!user || user.disabled) return \"invalid\";\n\n\t// Set user and scopes on locals\n\tlocals.user = user;\n\tlocals.tokenScopes = resolved.scopes;\n\n\treturn \"authenticated\";\n}\n\n/**\n * Handle passkey (session-based) authentication\n */\nasync function handlePasskeyAuth(\n\tcontext: Parameters<Parameters<typeof defineMiddleware>[0]>[0],\n\tnext: Parameters<Parameters<typeof defineMiddleware>[0]>[1],\n\tisApiRoute: boolean,\n): Promise<Response> {\n\tconst { url, locals, session } = context;\n\tconst { emdash } = locals;\n\n\ttry {\n\t\t// Check session for user (session.get returns a Promise)\n\t\tconst sessionUser = await session?.get(\"user\");\n\n\t\tif (!sessionUser?.id) {\n\t\t\tif (isApiRoute) {\n\t\t\t\treturn Response.json(\n\t\t\t\t\t{ error: { code: \"NOT_AUTHENTICATED\", message: \"Not authenticated\" } },\n\t\t\t\t\t{ status: 401, headers: MW_CACHE_HEADERS },\n\t\t\t\t);\n\t\t\t}\n\t\t\tconst loginUrl = new URL(\"/_emdash/admin/login\", getPublicOrigin(url, emdash?.config));\n\t\t\tloginUrl.searchParams.set(\"redirect\", url.pathname);\n\t\t\treturn context.redirect(loginUrl.toString());\n\t\t}\n\n\t\t// Get full user from database\n\t\tconst adapter = createKyselyAdapter(emdash.db);\n\t\tconst user = await adapter.getUserById(sessionUser.id);\n\n\t\tif (!user) {\n\t\t\t// User no longer exists - clear session\n\t\t\tsession?.destroy();\n\t\t\tif (isApiRoute) {\n\t\t\t\treturn Response.json(\n\t\t\t\t\t{ error: { code: \"NOT_FOUND\", message: \"User not found\" } },\n\t\t\t\t\t{ status: 401, headers: MW_CACHE_HEADERS },\n\t\t\t\t);\n\t\t\t}\n\t\t\tconst loginUrl = new URL(\"/_emdash/admin/login\", getPublicOrigin(url, emdash?.config));\n\t\t\treturn context.redirect(loginUrl.toString());\n\t\t}\n\n\t\t// Check if user is disabled\n\t\tif (user.disabled) {\n\t\t\tsession?.destroy();\n\t\t\tif (isApiRoute) {\n\t\t\t\treturn apiError(\"ACCOUNT_DISABLED\", \"Account disabled\", 403);\n\t\t\t}\n\t\t\tconst loginUrl = new URL(\"/_emdash/admin/login\", getPublicOrigin(url, emdash?.config));\n\t\t\tloginUrl.searchParams.set(\"error\", \"account_disabled\");\n\t\t\treturn context.redirect(loginUrl.toString());\n\t\t}\n\n\t\t// Set user in locals for use by routes\n\t\tlocals.user = user;\n\t} catch (error) {\n\t\tconsole.error(\"Auth middleware error:\", error);\n\t\t// On error, redirect to login\n\t\treturn context.redirect(\"/_emdash/admin/login\");\n\t}\n\n\treturn next();\n}\n\n// =============================================================================\n// Token scope enforcement\n// =============================================================================\n\n/**\n * Scope rules: ordered list of (pathPrefix, method, requiredScope) tuples.\n * First matching rule wins. Methods: \"*\" = any, \"WRITE\" = POST/PUT/PATCH/DELETE.\n *\n * Routes not matched by any rule default to \"admin\" scope (fail-closed).\n */\nconst SCOPE_RULES: Array<[prefix: string, method: string, scope: string]> = [\n\t// Content routes\n\t[\"/_emdash/api/content\", \"GET\", \"content:read\"],\n\t[\"/_emdash/api/content\", \"WRITE\", \"content:write\"],\n\n\t// Media routes (excluding /file/ which is public)\n\t[\"/_emdash/api/media/file\", \"*\", \"media:read\"], // public anyway, but scope if token-authed\n\t[\"/_emdash/api/media\", \"GET\", \"media:read\"],\n\t[\"/_emdash/api/media\", \"WRITE\", \"media:write\"],\n\n\t// Schema routes\n\t[\"/_emdash/api/schema\", \"GET\", \"schema:read\"],\n\t[\"/_emdash/api/schema\", \"WRITE\", \"schema:write\"],\n\n\t// Taxonomy, menu, section, widget, revision — all content domain\n\t// GET uses content:read (implicit from taxonomies:read / menus:read via role).\n\t// WRITE uses the granular scope so tokens with only taxonomies:manage or\n\t// menus:manage are not rejected. content:write implicitly grants these via\n\t// IMPLICIT_SCOPE_GRANTS in @emdash-cms/auth.\n\t[\"/_emdash/api/taxonomies\", \"GET\", \"content:read\"],\n\t[\"/_emdash/api/taxonomies\", \"WRITE\", \"taxonomies:manage\"],\n\t[\"/_emdash/api/menus\", \"GET\", \"content:read\"],\n\t[\"/_emdash/api/menus\", \"WRITE\", \"menus:manage\"],\n\t[\"/_emdash/api/sections\", \"GET\", \"content:read\"],\n\t[\"/_emdash/api/sections\", \"WRITE\", \"content:write\"],\n\t[\"/_emdash/api/widget-areas\", \"GET\", \"content:read\"],\n\t[\"/_emdash/api/widget-areas\", \"WRITE\", \"content:write\"],\n\t[\"/_emdash/api/revisions\", \"GET\", \"content:read\"],\n\t[\"/_emdash/api/revisions\", \"WRITE\", \"content:write\"],\n\n\t// Search\n\t[\"/_emdash/api/search\", \"GET\", \"content:read\"],\n\t[\"/_emdash/api/search\", \"WRITE\", \"admin\"],\n\n\t// Import, admin, plugins — all require admin scope\n\t[\"/_emdash/api/import\", \"*\", \"admin\"],\n\t[\"/_emdash/api/admin\", \"*\", \"admin\"],\n\t[\"/_emdash/api/plugins\", \"*\", \"admin\"],\n\n\t// Settings — use granular scopes so tokens with settings:read or\n\t// settings:manage are not rejected at the middleware level.\n\t[\"/_emdash/api/settings\", \"GET\", \"settings:read\"],\n\t[\"/_emdash/api/settings\", \"WRITE\", \"settings:manage\"],\n\n\t// MCP endpoint — scopes enforced per-tool inside mcp/server.ts\n\t[\"/_emdash/api/mcp\", \"*\", \"content:read\"],\n];\n\nconst WRITE_METHODS = new Set([\"POST\", \"PUT\", \"PATCH\", \"DELETE\"]);\n\n/**\n * Enforce API token scopes based on the request URL and HTTP method.\n * Returns a 403 Response if the scope is insufficient, or null if allowed.\n *\n * Session-authenticated requests (tokenScopes === undefined) are never checked.\n */\nfunction enforceTokenScope(\n\tpathname: string,\n\tmethod: string,\n\ttokenScopes: string[] | undefined,\n): Response | null {\n\t// Session auth — implicit full access, no scope restrictions\n\tif (!tokenScopes) return null;\n\n\tconst isWrite = WRITE_METHODS.has(method);\n\n\tfor (const [prefix, ruleMethod, scope] of SCOPE_RULES) {\n\t\t// Match exact prefix or prefix followed by /\n\t\tif (pathname !== prefix && !pathname.startsWith(prefix + \"/\")) continue;\n\n\t\t// Check method match\n\t\tif (ruleMethod === \"*\" || (ruleMethod === \"WRITE\" && isWrite) || ruleMethod === method) {\n\t\t\tif (hasScope(tokenScopes, scope)) return null;\n\n\t\t\treturn new Response(\n\t\t\t\tJSON.stringify({\n\t\t\t\t\terror: {\n\t\t\t\t\t\tcode: \"INSUFFICIENT_SCOPE\",\n\t\t\t\t\t\tmessage: `Token lacks required scope: ${scope}`,\n\t\t\t\t\t},\n\t\t\t\t}),\n\t\t\t\t{ status: 403, headers: { \"Content-Type\": \"application/json\", ...MW_CACHE_HEADERS } },\n\t\t\t);\n\t\t}\n\t}\n\n\t// No rule matched — default to admin scope (fail-closed)\n\tif (hasScope(tokenScopes, \"admin\")) return null;\n\n\treturn new Response(\n\t\tJSON.stringify({\n\t\t\terror: {\n\t\t\t\tcode: \"INSUFFICIENT_SCOPE\",\n\t\t\t\tmessage: \"Token lacks required scope: admin\",\n\t\t\t},\n\t\t}),\n\t\t{ status: 403, headers: { \"Content-Type\": \"application/json\", ...MW_CACHE_HEADERS } },\n\t);\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AA8BA,SAAgB,gBACf,SACA,KACA,cACkB;AAGlB,KADmB,QAAQ,QAAQ,IAAI,mBAAmB,KACvC,IAAK,QAAO;CAG/B,MAAM,SAAS,QAAQ,QAAQ,IAAI,SAAS;AAC5C,KAAI,QAAQ;AACX,MAAI;GACH,MAAM,YAAY,IAAI,IAAI,OAAO;AAEjC,OAAI,UAAU,WAAW,IAAI,OAAQ,QAAO;AAC5C,OAAI,gBAAgB,UAAU,WAAW,aAAc,QAAO;UACvD;AAIR,SAAO,SAAS,iBAAiB,gCAAgC,IAAI;;AAMtE,QAAO;;;;;AC1CR,SAAS,4BACR,UACqB;CACrB,MAAM,gBAAgB,OAAO,aAAa,WAAW,WAAW,UAAU;AAC1E,KAAI,CAAC,cAAe,QAAO;AAE3B,KAAI;EACH,MAAM,MAAM,IAAI,IAAI,cAAc;AAClC,MAAI,IAAI,aAAa,WAAW,IAAI,aAAa,SAAU,QAAO;AAClE,SAAO,IAAI;SACJ;AACP;;;AAIF,SAAgB,eAAe,UAAwC;CACtE,MAAM,aAAa,CAAC,qBAAqB;CACzC,MAAM,2BAA2B,4BAA4B,SAAS;AACtE,KAAI,yBAA0B,YAAW,KAAK,yBAAyB;AAEvE,QAAO;EACN;EACA;EACA;EACA,WAAW,KAAK,IAAI;EACpB;EACA;EACA;EACA;EACA;EACA,CAAC,KAAK,KAAK;;;;;;AClBb,MAAM,mBAAmB,EACxB,iBAAiB,qBACjB;AAwBD,MAAM,aAAa;AACnB,MAAM,oBAAoB;AAE1B,SAAS,eAAe,QAAyB;AAChD,QAAO,WAAW,SAAS,WAAW,UAAU,WAAW;;AAG5D,SAAS,uBAAiC;AACzC,QAAO,IAAI,SACV,KAAK,UAAU,EAAE,OAAO;EAAE,MAAM;EAAiB,SAAS;EAA2B,EAAE,CAAC,EACxF;EACC,QAAQ;EACR,SAAS;GAAE,gBAAgB;GAAoB,GAAG;GAAkB;EACpE,CACD;;AAGF,SAAS,wBACR,KACA,QACW;CACX,MAAM,SAAS,gBAAgB,KAAK,OAAO;AAC3C,QAAO,SAAS,KACf,EAAE,OAAO;EAAE,MAAM;EAAqB,SAAS;EAAqB,EAAE,EACtE;EACC,QAAQ;EACR,SAAS;GACR,oBAAoB,6BAA6B,OAAO;GACxD,GAAG;GACH;EACD,CACD;;;;;;;;AASF,MAAM,sBAAsB;CAC3B;CACA;CACA;CACA;CACA;CACA;CACA;CACA;CACA;CACA;CACA;CACA;CACA;CACA;CACA;CACA;AAED,MAAM,mBAAmB,IAAI,IAAI;CAChC;CACA;CACA;CACA;CACA;CAIA;CACA,CAAC;AAIF,MAAM,EAAE,OAAO,sBAAsB,UAAU,iCAAiC;CAC/E,MAAM,wBAAQ,IAAI,KAAa;CAC/B,MAAM,WAAqB,EAAE;AAC7B,KAAI,CAAC,eAAe,cAAe,QAAO;EAAE;EAAO;EAAU;AAC7D,MAAK,MAAM,SAAS,cAAc,cAAc,SAAS,MAAM,EAAE,gBAAgB,EAAE,CAAC,CACnF,KAAI,MAAM,SAAS,IAAI,CACtB,UAAS,KAAK,MAAM;KAEpB,OAAM,IAAI,MAAM;AAGlB,QAAO;EAAE;EAAO;EAAU;IACvB;;;;;;;;;;;;;;;;;;AAmBJ,MAAM,4BAA4B,IAAI,IAAI;CACzC;CACA;CACA;CACA;CACA,CAAC;AAEF,SAAS,oBAAoB,UAA2B;AACvD,KAAI,iBAAiB,IAAI,SAAS,CAAE,QAAO;AAC3C,KAAI,oBAAoB,MAAM,MAAM,SAAS,WAAW,EAAE,CAAC,CAAE,QAAO;AACpE,KAAI,qBAAqB,IAAI,SAAS,CAAE,QAAO;AAC/C,KAAI,sBAAsB,MAAM,MAAM,SAAS,WAAW,EAAE,CAAC,CAAE,QAAO;AACtE,KAAI,OAAO,KAAK,IAAI,OAAO,aAAa,uBAAwB,QAAO;AACvE,QAAO;;AAGR,SAAS,wBAAwB,UAA2B;AAC3D,QAAO,0BAA0B,IAAI,SAAS;;AAG/C,MAAa,YAAY,iBAAiB,OAAO,SAAS,SAAS;CAClE,MAAM,EAAE,QAAQ;CAGhB,MAAM,eAAe,IAAI,SAAS,WAAW,iBAAiB;CAC9D,MAAM,eAAe,IAAI,SAAS,WAAW,uBAAuB;CACpE,MAAM,aAAa,IAAI,SAAS,WAAW,eAAe;CAC1D,MAAM,mBAAmB,oBAAoB,IAAI,SAAS;CAE1D,MAAM,gBAAgB,CAAC,gBAAgB,CAAC;AAKxC,KAAI,kBAAkB;AAErB,MACC,eAFc,QAAQ,QAAQ,OAAO,aAAa,CAE5B,IACtB,CAAC,wBAAwB,IAAI,SAAS,EACrC;GACD,MAAM,eAAe,gBAAgB,KAAK,QAAQ,OAAO,QAAQ,OAAO;GACxE,MAAM,YAAY,gBAAgB,QAAQ,SAAS,KAAK,aAAa;AACrE,OAAI,UAAW,QAAO;;AAEvB,SAAO,MAAM;;AAQd,KADsB,IAAI,SAAS,WAAW,wBAAwB,EACnD;EAClB,MAAM,SAAS,QAAQ,QAAQ,OAAO,aAAa;AACnD,MAAI,WAAW,SAAS,WAAW,UAAU,WAAW,WAAW;GAClE,MAAM,eAAe,gBAAgB,KAAK,QAAQ,OAAO,QAAQ,OAAO;GACxE,MAAM,YAAY,gBAAgB,QAAQ,SAAS,KAAK,aAAa;AACrE,OAAI,UAAW,QAAO;;AAEvB,SAAO,sBAAsB,SAAS,KAAK;;AAI5C,KAAI,cAAc;EACjB,MAAM,SAAS,QAAQ,QAAQ,OAAO,aAAa;AACnD,MAAI,WAAW,SAAS,WAAW,UAAU,WAAW,WAEvD;OADmB,QAAQ,QAAQ,QAAQ,IAAI,mBAAmB,KAC/C,IAClB,QAAO,IAAI,SACV,KAAK,UAAU,EACd,OAAO;IAAE,MAAM;IAAiB,SAAS;IAA2B,EACpE,CAAC,EACF;IACC,QAAQ;IACR,SAAS;KAAE,gBAAgB;KAAoB,GAAG;KAAkB;IACpE,CACD;;AAGH,SAAO,MAAM;;AAId,KAAI,cACH,QAAO,sBAAsB,SAAS,KAAK;CAO5C,MAAM,eAAe,MAAM,iBAAiB,QAAQ;AAEpD,KAAI,iBAAiB,WAAW;EAC/B,MAAM,UAAkC;GACvC,gBAAgB;GAChB,GAAG;GACH;AAED,MAAI,IAAI,aAAa,mBAEpB,SAAQ,sBACP,6BAFc,gBAAgB,KAAK,QAAQ,OAAO,QAAQ,OAAO,CAE7B;AAEtC,SAAO,IAAI,SACV,KAAK,UAAU,EAAE,OAAO;GAAE,MAAM;GAAiB,SAAS;GAA4B,EAAE,CAAC,EACzF;GAAE,QAAQ;GAAK;GAAS,CACxB;;CAGF,MAAM,cAAc,iBAAiB;CAKrC,MAAM,SAAS,QAAQ,QAAQ,OAAO,aAAa;AAEnD,KADsB,IAAI,aAAa,qBAClB,CAAC,YACrB,QAAO,wBAAwB,KAAK,QAAQ,OAAO,QAAQ,OAAO;CAQnE,MAAM,iBAAiB,IAAI,SAAS,WAAW,2BAA2B;AAC1E,KACC,cACA,CAAC,eACD,CAAC,kBACD,eAAe,OAAO,IACtB,CAAC,kBAGD;MADmB,QAAQ,QAAQ,QAAQ,IAAI,mBAAmB,KAC/C,IAClB,QAAO,sBAAsB;;AAK/B,KAAI,aAAa;EAEhB,MAAM,aAAa,kBAAkB,IAAI,UAAU,QAAQ,QAAQ,OAAO,YAAY;AACtF,MAAI,WAAY,QAAO;EAEvB,MAAM,WAAW,MAAM,MAAM;AAC7B,MAAI,CAAC,OAAO,KAAK,IAAI,IACpB,UAAS,QAAQ,IAChB,2BACA,eAAe,QAAQ,OAAO,QAAQ,OAAO,cAAc,SAAS,CACpE;AAEF,SAAO;;CAGR,MAAM,WAAW,MAAM,iBAAiB,SAAS,KAAK;AAGtD,KAAI,CAAC,OAAO,KAAK,IAAI,IACpB,UAAS,QAAQ,IAChB,2BACA,eAAe,QAAQ,OAAO,QAAQ,OAAO,cAAc,SAAS,CACpE;AAGF,QAAO;EACN;;;;;AAMF,eAAe,iBACd,SACA,MACoB;CACpB,MAAM,EAAE,KAAK,WAAW;CACxB,MAAM,EAAE,WAAW;CAEnB,MAAM,qBACL,IAAI,SAAS,WAAW,uBAAuB,IAC/C,IAAI,SAAS,WAAW,+BAA+B;CACxD,MAAM,aAAa,IAAI,SAAS,WAAW,eAAe;AAE1D,KAAI,CAAC,QAAQ,GAEZ,QAAO,MAAM;CAId,MAAM,WAAW,YAAY,OAAO,OAAO;AAE3C,KAAI,SAAS,SAAS,YAAY;AAEjC,MAAI,OAAO,KAAK,IAAI,KAAK;AACxB,OAAI,mBACH,QAAO,MAAM;AAGd,UAAO,kBAAkB,SAAS,MAAM,WAAW;;AAIpD,SAAO,mBAAmB,SAAS,MAAM,UAAU,WAAW;;AAI/D,KAAI,mBACH,QAAO,MAAM;AAGd,QAAO,kBAAkB,SAAS,MAAM,WAAW;;;;;;;AAQpD,eAAe,sBACd,SACA,MACoB;CACpB,MAAM,EAAE,WAAW;CACnB,MAAM,EAAE,WAAW;AAEnB,KAAI;EAEH,MAAM,eAAe,MAAM,iBAAiB,QAAQ;AACpD,MAAI,iBAAiB,gBAEpB,QAAO,MAAM;AAEd,MAAI,iBAAiB,UAGpB,QAAO,IAAI,SACV,KAAK,UAAU,EAAE,OAAO;GAAE,MAAM;GAAiB,SAAS;GAA4B,EAAE,CAAC,EACzF;GACC,QAAQ;GACR,SAAS;IAAE,gBAAgB;IAAoB,GAAG;IAAkB;GACpE,CACD;UAGM,OAAO;AACf,UAAQ,MAAM,mCAAmC,MAAM;;AAGxD,KAAI;EAEH,MAAM,EAAE,YAAY;EACpB,MAAM,cAAc,MAAM,SAAS,IAAI,OAAO;AAC9C,MAAI,aAAa,MAAM,QAAQ,IAAI;GAElC,MAAM,OAAO,MADG,oBAAoB,OAAO,GAAG,CACnB,YAAY,YAAY,GAAG;AACtD,OAAI,QAAQ,CAAC,KAAK,SACjB,QAAO,OAAO;;UAGR,OAAO;AAEf,UAAQ,MAAM,oCAAoC,MAAM;;AAGzD,QAAO,MAAM;;;;;;AAOd,eAAe,sBACd,SACA,MACoB;CACpB,MAAM,EAAE,QAAQ,YAAY;CAC5B,MAAM,EAAE,WAAW;AAEnB,KAAI;EACH,MAAM,cAAc,MAAM,SAAS,IAAI,OAAO;AAC9C,MAAI,aAAa,MAAM,QAAQ,IAAI;GAElC,MAAM,OAAO,MADG,oBAAoB,OAAO,GAAG,CACnB,YAAY,YAAY,GAAG;AACtD,OAAI,QAAQ,CAAC,KAAK,SACjB,QAAO,OAAO;;SAGT;AAIR,QAAO,MAAM;;;;;AAMd,eAAe,mBACd,SACA,MACA,UACA,aACoB;CACpB,MAAM,EAAE,QAAQ,YAAY;CAC5B,MAAM,EAAE,WAAW;AAEnB,KAAI;AAGH,MAAI,OAAOA,iBAAwB,WAClC,OAAM,IAAI,MACT,iBAAiB,SAAS,WAAW,2CACrC;EAIF,MAAM,aAAa,MAAMA,aAAoB,SAAS,SAAS,OAAO;EAItE,MAAM,iBAAiB,SAAS;EAGhC,MAAM,UAAU,oBAAoB,OAAO,GAAG;EAC9C,IAAI,OAAO,MAAM,QAAQ,eAAe,WAAW,MAAM;AAEzD,MAAI,CAAC,MAAM;AAEV,OAAI,eAAe,kBAAkB,MACpC,QAAO,IAAI,SAAS,uBAAuB;IAC1C,QAAQ;IACR,SAAS;KAAE,gBAAgB;KAAc,GAAG;KAAkB;IAC9D,CAAC;GAIH,MAAM,YAAY,MAAM,OAAO,GAC7B,WAAW,QAAQ,CACnB,OAAO,OAAO,GAAG,GAAG,MAAM,KAAK,CAAC,GAAG,QAAQ,CAAC,CAC5C,kBAAkB;GAEpB,MAAM,cAAc,OAAO,WAAW,SAAS,EAAE,KAAK;GACtD,MAAM,OAAO,cAAc,aAAa,WAAW;GAGnD,MAAM,uBAAM,IAAI,MAAM,EAAC,aAAa;GACpC,MAAM,UAAU;IACf,IAAI,MAAM;IACV,OAAO,WAAW;IAClB,MAAM,WAAW;IACjB;IACA,gBAAgB;IAChB,YAAY;IACZ,YAAY;IACZ;AAED,SAAM,OAAO,GAAG,WAAW,QAAQ,CAAC,OAAO,QAAQ,CAAC,SAAS;AAE7D,UAAO,MAAM,QAAQ,eAAe,WAAW,MAAM;AAErD,WAAQ,IACP,qCAAqC,WAAW,MAAM,UAAU,KAAK,WAAW,YAAY,GAC5F;SACK;GAEN,MAAM,UAAmC,EAAE;GAC3C,IAAI;GACJ,IAAI;AAGJ,OAAI,WAAW,QAAQ,KAAK,SAAS,WAAW,MAAM;AACrD,cAAU,WAAW;AACrB,YAAQ,OAAO;;AAIhB,OAAI,eAAe,aAAa,KAAK,SAAS,WAAW,MAAM;AAC9D,cAAU,WAAW;AACrB,YAAQ,OAAO;;AAGhB,OAAI,OAAO,KAAK,QAAQ,CAAC,SAAS,GAAG;AACpC,YAAQ,8BAAa,IAAI,MAAM,EAAC,aAAa;AAC7C,UAAM,OAAO,GAAG,YAAY,QAAQ,CAAC,IAAI,QAAQ,CAAC,MAAM,MAAM,KAAK,KAAK,GAAG,CAAC,SAAS;AAErF,WAAO;KACN,GAAG;KACH,GAAI,UAAU,EAAE,MAAM,SAAS,GAAG,EAAE;KACpC,GAAI,UAAU,EAAE,MAAM,SAAS,GAAG,EAAE;KACpC;AAED,YAAQ,IACP,gCAAgC,WAAW,MAAM,IACjD,OAAO,KAAK,QAAQ,CAAC,QAAQ,MAAM,MAAM,aAAa,CACtD;;;AAIH,MAAI,CAAC,KAEJ,QAAO,IAAI,SAAS,4BAA4B;GAC/C,QAAQ;GACR,SAAS;IAAE,gBAAgB;IAAc,GAAG;IAAkB;GAC9D,CAAC;AAIH,MAAI,KAAK,SACR,QAAO,IAAI,SAAS,oBAAoB;GACvC,QAAQ;GACR,SAAS;IAAE,gBAAgB;IAAc,GAAG;IAAkB;GAC9D,CAAC;AAIH,SAAO,OAAO;EAId,MAAM,EAAE,YAAY;AACpB,WAAS,IAAI,QAAQ,EAAE,IAAI,KAAK,IAAI,CAAC;AAErC,SAAO,MAAM;UACL,OAAO;AACf,UAAQ,MAAM,+BAA+B,MAAM;AAEnD,SAAO,IAAI,SAAS,yBAAyB;GAC5C,QAAQ;GACR,SAAS;IAAE,gBAAgB;IAAc,GAAG;IAAkB;GAC9D,CAAC;;;;;;;;;;;AAYJ,eAAe,iBACd,SACgD;CAChD,MAAM,aAAa,QAAQ,QAAQ,QAAQ,IAAI,gBAAgB;AAC/D,KAAI,CAAC,YAAY,WAAW,UAAU,CAAE,QAAO;CAE/C,MAAM,QAAQ,WAAW,MAAM,EAAE;AACjC,KAAI,CAAC,MAAO,QAAO;CAEnB,MAAM,EAAE,WAAW;CACnB,MAAM,EAAE,WAAW;AACnB,KAAI,CAAC,QAAQ,GAAI,QAAO;CAGxB,IAAI,WAAwD;AAE5D,KAAI,MAAM,WAAW,UAAU,CAC9B,YAAW,MAAM,gBAAgB,OAAO,IAAI,MAAM;UACxC,MAAM,WAAW,UAAU,CACrC,YAAW,MAAM,kBAAkB,OAAO,IAAI,MAAM;KAGpD,QAAO;AAGR,KAAI,CAAC,SAAU,QAAO;CAItB,MAAM,OAAO,MADG,oBAAoB,OAAO,GAAG,CACnB,YAAY,SAAS,OAAO;AAEvD,KAAI,CAAC,QAAQ,KAAK,SAAU,QAAO;AAGnC,QAAO,OAAO;AACd,QAAO,cAAc,SAAS;AAE9B,QAAO;;;;;AAMR,eAAe,kBACd,SACA,MACA,YACoB;CACpB,MAAM,EAAE,KAAK,QAAQ,YAAY;CACjC,MAAM,EAAE,WAAW;AAEnB,KAAI;EAEH,MAAM,cAAc,MAAM,SAAS,IAAI,OAAO;AAE9C,MAAI,CAAC,aAAa,IAAI;AACrB,OAAI,WACH,QAAO,SAAS,KACf,EAAE,OAAO;IAAE,MAAM;IAAqB,SAAS;IAAqB,EAAE,EACtE;IAAE,QAAQ;IAAK,SAAS;IAAkB,CAC1C;GAEF,MAAM,WAAW,IAAI,IAAI,wBAAwB,gBAAgB,KAAK,QAAQ,OAAO,CAAC;AACtF,YAAS,aAAa,IAAI,YAAY,IAAI,SAAS;AACnD,UAAO,QAAQ,SAAS,SAAS,UAAU,CAAC;;EAK7C,MAAM,OAAO,MADG,oBAAoB,OAAO,GAAG,CACnB,YAAY,YAAY,GAAG;AAEtD,MAAI,CAAC,MAAM;AAEV,YAAS,SAAS;AAClB,OAAI,WACH,QAAO,SAAS,KACf,EAAE,OAAO;IAAE,MAAM;IAAa,SAAS;IAAkB,EAAE,EAC3D;IAAE,QAAQ;IAAK,SAAS;IAAkB,CAC1C;GAEF,MAAM,WAAW,IAAI,IAAI,wBAAwB,gBAAgB,KAAK,QAAQ,OAAO,CAAC;AACtF,UAAO,QAAQ,SAAS,SAAS,UAAU,CAAC;;AAI7C,MAAI,KAAK,UAAU;AAClB,YAAS,SAAS;AAClB,OAAI,WACH,QAAO,SAAS,oBAAoB,oBAAoB,IAAI;GAE7D,MAAM,WAAW,IAAI,IAAI,wBAAwB,gBAAgB,KAAK,QAAQ,OAAO,CAAC;AACtF,YAAS,aAAa,IAAI,SAAS,mBAAmB;AACtD,UAAO,QAAQ,SAAS,SAAS,UAAU,CAAC;;AAI7C,SAAO,OAAO;UACN,OAAO;AACf,UAAQ,MAAM,0BAA0B,MAAM;AAE9C,SAAO,QAAQ,SAAS,uBAAuB;;AAGhD,QAAO,MAAM;;;;;;;;AAad,MAAM,cAAsE;CAE3E;EAAC;EAAwB;EAAO;EAAe;CAC/C;EAAC;EAAwB;EAAS;EAAgB;CAGlD;EAAC;EAA2B;EAAK;EAAa;CAC9C;EAAC;EAAsB;EAAO;EAAa;CAC3C;EAAC;EAAsB;EAAS;EAAc;CAG9C;EAAC;EAAuB;EAAO;EAAc;CAC7C;EAAC;EAAuB;EAAS;EAAe;CAOhD;EAAC;EAA2B;EAAO;EAAe;CAClD;EAAC;EAA2B;EAAS;EAAoB;CACzD;EAAC;EAAsB;EAAO;EAAe;CAC7C;EAAC;EAAsB;EAAS;EAAe;CAC/C;EAAC;EAAyB;EAAO;EAAe;CAChD;EAAC;EAAyB;EAAS;EAAgB;CACnD;EAAC;EAA6B;EAAO;EAAe;CACpD;EAAC;EAA6B;EAAS;EAAgB;CACvD;EAAC;EAA0B;EAAO;EAAe;CACjD;EAAC;EAA0B;EAAS;EAAgB;CAGpD;EAAC;EAAuB;EAAO;EAAe;CAC9C;EAAC;EAAuB;EAAS;EAAQ;CAGzC;EAAC;EAAuB;EAAK;EAAQ;CACrC;EAAC;EAAsB;EAAK;EAAQ;CACpC;EAAC;EAAwB;EAAK;EAAQ;CAItC;EAAC;EAAyB;EAAO;EAAgB;CACjD;EAAC;EAAyB;EAAS;EAAkB;CAGrD;EAAC;EAAoB;EAAK;EAAe;CACzC;AAED,MAAM,gBAAgB,IAAI,IAAI;CAAC;CAAQ;CAAO;CAAS;CAAS,CAAC;;;;;;;AAQjE,SAAS,kBACR,UACA,QACA,aACkB;AAElB,KAAI,CAAC,YAAa,QAAO;CAEzB,MAAM,UAAU,cAAc,IAAI,OAAO;AAEzC,MAAK,MAAM,CAAC,QAAQ,YAAY,UAAU,aAAa;AAEtD,MAAI,aAAa,UAAU,CAAC,SAAS,WAAW,SAAS,IAAI,CAAE;AAG/D,MAAI,eAAe,OAAQ,eAAe,WAAW,WAAY,eAAe,QAAQ;AACvF,OAAI,SAAS,aAAa,MAAM,CAAE,QAAO;AAEzC,UAAO,IAAI,SACV,KAAK,UAAU,EACd,OAAO;IACN,MAAM;IACN,SAAS,+BAA+B;IACxC,EACD,CAAC,EACF;IAAE,QAAQ;IAAK,SAAS;KAAE,gBAAgB;KAAoB,GAAG;KAAkB;IAAE,CACrF;;;AAKH,KAAI,SAAS,aAAa,QAAQ,CAAE,QAAO;AAE3C,QAAO,IAAI,SACV,KAAK,UAAU,EACd,OAAO;EACN,MAAM;EACN,SAAS;EACT,EACD,CAAC,EACF;EAAE,QAAQ;EAAK,SAAS;GAAE,gBAAgB;GAAoB,GAAG;GAAkB;EAAE,CACrF"}
package/dist/astro/middleware/redirect.mjs CHANGED
@@ -1,9 +1,9 @@
1
1
  import "../../dialect-helpers-BKCvISIQ.mjs";
2
2
  import "../../base64-CqR-7kqF.mjs";
3
- import "../../types-CwXMEPRr.mjs";
4
- import { t as RedirectRepository } from "../../redirect-DkaDxq8e.mjs";
5
- import { a as setCachedRedirects, i as matchCachedPatterns, n as getCachedRedirects } from "../../cache-CXCpjWiL.mjs";
6
- import { r as getDb } from "../../loader-Cs6-Bqe6.mjs";
3
+ import "../../types-ByV5sgsv.mjs";
4
+ import { t as RedirectRepository } from "../../redirect-CNv4mHX2.mjs";
5
+ import { a as setCachedRedirects, i as matchCachedPatterns, n as getCachedRedirects } from "../../cache-CNk1jIxp.mjs";
6
+ import { r as getDb } from "../../loader-Chm5h7Gr.mjs";
7
7
  import { defineMiddleware } from "astro:middleware";
8
8
 
9
9
  //#region src/astro/middleware/redirect.ts
package/dist/astro/middleware/request-context.mjs CHANGED
@@ -1,8 +1,8 @@
1
1
  import { getRequestContext, runWithContext } from "../../request-context.mjs";
2
2
  import "../../base64-CqR-7kqF.mjs";
3
3
  import "../../options-BL4X94qY.mjs";
4
- import { n as parseContentId, r as verifyPreviewToken } from "../../tokens-DILYNZMi.mjs";
5
- import { i as resolveSecretsCached } from "../../secrets-6pgZyq0K.mjs";
4
+ import { n as parseContentId, r as verifyPreviewToken } from "../../tokens-N8otWMmj.mjs";
5
+ import { i as resolveSecretsCached } from "../../secrets-rPdhEBkD.mjs";
6
6
  import { defineMiddleware } from "astro:middleware";
7
7
 
8
8
  //#region src/visual-editing/toolbar.ts
package/dist/astro/middleware/request-context.mjs.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"request-context.mjs","names":[],"sources":["../../../src/visual-editing/toolbar.ts","../../../src/astro/middleware/request-context.ts"],"sourcesContent":["/**\n * EmDash Visual Editing Toolbar\n *\n * A floating pill injected via middleware for authenticated editors.\n * Renders as a plain HTML string with inline styles and a <script> tag.\n * No dependencies — works on any page with a </body> tag.\n */\n\ninterface ToolbarConfig {\n\teditMode: boolean;\n\tisPreview: boolean;\n}\n\nexport function renderToolbar(config: ToolbarConfig): string {\n\tconst { editMode, isPreview } = config;\n\n\treturn `\n<!-- EmDash Visual Editing Toolbar -->\n<div id=\"emdash-toolbar\" data-edit-mode=\"${editMode}\" data-preview=\"${isPreview}\">\n <div class=\"emdash-tb-inner\">\n <span class=\"emdash-tb-logo\">EmDash</span>\n\n <div class=\"emdash-tb-divider\"></div>\n\n <label class=\"emdash-tb-toggle\" title=\"Toggle edit mode\">\n <input type=\"checkbox\" id=\"emdash-edit-toggle\" ${editMode ? \"checked\" : \"\"} />\n <span class=\"emdash-tb-toggle-track\">\n <span class=\"emdash-tb-toggle-thumb\"></span>\n </span>\n <span class=\"emdash-tb-toggle-label\">Edit</span>\n </label>\n\n <span class=\"emdash-tb-status\" id=\"emdash-tb-status\"></span>\n\n <span class=\"emdash-tb-save-status\" id=\"emdash-tb-save-status\"></span>\n\n <a class=\"emdash-tb-admin\" id=\"emdash-tb-admin\" href=\"#\" target=\"emdash-admin\" style=\"display:none\" title=\"Open in admin\">\n <svg width=\"14\" height=\"14\" viewBox=\"0 0 24 24\" fill=\"none\" stroke=\"currentColor\" stroke-width=\"2\" stroke-linecap=\"round\" stroke-linejoin=\"round\"><path d=\"M18 13v6a2 2 0 0 1-2 2H5a2 2 0 0 1-2-2V8a2 2 0 0 1 2-2h6\"/><polyline points=\"15 3 21 3 21 9\"/><line x1=\"10\" y1=\"14\" x2=\"21\" y2=\"3\"/></svg>\n </a>\n\n <button class=\"emdash-tb-publish\" id=\"emdash-tb-publish\" style=\"display:none\">Publish</button>\n </div>\n</div>\n\n<style>\n #emdash-toolbar {\n position: fixed;\n bottom: 16px;\n left: 50%;\n transform: translateX(-50%);\n z-index: 999999;\n font-family: -apple-system, BlinkMacSystemFont, \"Segoe UI\", Roboto, sans-serif;\n font-size: 13px;\n line-height: 1;\n -webkit-font-smoothing: antialiased;\n }\n\n .emdash-tb-inner {\n display: flex;\n align-items: center;\n gap: 10px;\n padding: 8px 16px;\n background: #1a1a1a;\n color: #e0e0e0;\n border-radius: 999px;\n box-shadow: 0 4px 24px rgba(0,0,0,0.3), 0 0 0 1px rgba(255,255,255,0.08);\n white-space: nowrap;\n user-select: none;\n }\n\n .emdash-tb-logo {\n font-weight: 600;\n font-size: 12px;\n letter-spacing: 0.02em;\n color: #fff;\n opacity: 0.7;\n }\n\n .emdash-tb-divider {\n width: 1px;\n height: 16px;\n background: rgba(255,255,255,0.15);\n }\n\n /* Toggle switch */\n .emdash-tb-toggle {\n display: flex;\n align-items: center;\n gap: 6px;\n cursor: pointer;\n }\n\n .emdash-tb-toggle input {\n position: absolute;\n opacity: 0;\n width: 0;\n height: 0;\n }\n\n .emdash-tb-toggle-track {\n position: relative;\n width: 32px;\n height: 18px;\n background: #444;\n border-radius: 9px;\n transition: background 0.2s;\n }\n\n .emdash-tb-toggle input:checked + .emdash-tb-toggle-track {\n background: #3b82f6;\n }\n\n .emdash-tb-toggle-thumb {\n position: absolute;\n top: 2px;\n left: 2px;\n width: 14px;\n height: 14px;\n background: #fff;\n border-radius: 50%;\n transition: transform 0.2s;\n }\n\n .emdash-tb-toggle input:checked + .emdash-tb-toggle-track .emdash-tb-toggle-thumb {\n transform: translateX(14px);\n }\n\n .emdash-tb-toggle-label {\n font-size: 12px;\n color: #aaa;\n }\n\n .emdash-tb-toggle input:checked ~ .emdash-tb-toggle-label {\n color: #fff;\n }\n\n /* Status area — flex for multiple badges */\n .emdash-tb-status {\n display: inline-flex;\n gap: 6px;\n align-items: center;\n }\n\n /* Badges */\n .emdash-tb-badge {\n display: inline-flex;\n align-items: center;\n padding: 3px 8px;\n border-radius: 999px;\n font-size: 11px;\n font-weight: 600;\n letter-spacing: 0.02em;\n text-transform: uppercase;\n }\n\n .emdash-tb-badge--preview {\n background: rgba(139,92,246,0.2);\n color: #a78bfa;\n }\n\n .emdash-tb-badge--draft {\n background: rgba(245,158,11,0.2);\n color: #fbbf24;\n }\n\n .emdash-tb-badge--published {\n background: rgba(34,197,94,0.2);\n color: #4ade80;\n }\n\n .emdash-tb-badge--pending {\n background: rgba(59,130,246,0.2);\n color: #60a5fa;\n }\n\n .emdash-tb-badge--unsaved {\n background: rgba(245,158,11,0.2);\n color: #fbbf24;\n }\n\n .emdash-tb-badge--saving {\n background: rgba(148,163,184,0.2);\n color: #94a3b8;\n }\n\n .emdash-tb-badge--saved {\n background: rgba(34,197,94,0.2);\n color: #4ade80;\n transition: opacity 0.3s;\n }\n\n .emdash-tb-badge--error {\n background: rgba(239,68,68,0.2);\n color: #f87171;\n }\n\n /* Admin link */\n .emdash-tb-admin {\n display: inline-flex;\n align-items: center;\n justify-content: center;\n color: #888;\n text-decoration: none;\n padding: 2px;\n border-radius: 4px;\n transition: color 0.15s;\n }\n\n .emdash-tb-admin:hover {\n color: #fff;\n }\n\n /* Publish button */\n .emdash-tb-publish {\n padding: 4px 12px;\n background: #3b82f6;\n color: #fff;\n border: none;\n border-radius: 999px;\n font-size: 12px;\n font-weight: 600;\n cursor: pointer;\n transition: background 0.15s;\n font-family: inherit;\n }\n\n .emdash-tb-publish:hover {\n background: #2563eb;\n }\n\n .emdash-tb-publish:disabled {\n opacity: 0.5;\n cursor: not-allowed;\n }\n\n /* Edit mode: editable hover styles — uses :has() to check toolbar state */\n body:has(#emdash-toolbar[data-edit-mode=\"true\"]) [data-emdash-ref] {\n transition: box-shadow 0.15s, background-color 0.15s;\n }\n\n body:has(#emdash-toolbar[data-edit-mode=\"true\"]) [data-emdash-ref]:hover {\n box-shadow: 0 0 0 2px rgba(59,130,246,0.5);\n border-radius: 4px;\n background-color: rgba(59,130,246,0.04);\n cursor: text;\n }\n\n /* Active editing state — override hover pencil cursor */\n [data-emdash-editing] {\n box-shadow: 0 0 0 2px #3b82f6 !important;\n border-radius: 4px !important;\n background-color: rgba(59,130,246,0.04) !important;\n cursor: text !important;\n }\n\n /* Suppress browser focus ring on contenteditable and tiptap editor */\n [data-emdash-editing]:focus,\n [data-emdash-ref] .tiptap:focus,\n [data-emdash-ref] .ProseMirror:focus {\n outline: none !important;\n }\n\n /* Image editor popover */\n .emdash-img-popover {\n position: fixed;\n z-index: 1000000;\n background: #1a1a1a;\n border-radius: 12px;\n box-shadow: 0 8px 32px rgba(0,0,0,0.4), 0 0 0 1px rgba(255,255,255,0.08);\n color: #e0e0e0;\n font-family: -apple-system, BlinkMacSystemFont, \"Segoe UI\", Roboto, sans-serif;\n font-size: 13px;\n width: 320px;\n overflow: hidden;\n animation: emdash-img-fadein 0.15s ease-out;\n }\n\n @keyframes emdash-img-fadein {\n from { opacity: 0; transform: translateY(4px); }\n to { opacity: 1; transform: translateY(0); }\n }\n\n .emdash-img-popover-header {\n display: flex;\n align-items: center;\n justify-content: space-between;\n padding: 10px 12px;\n border-bottom: 1px solid rgba(255,255,255,0.08);\n }\n\n .emdash-img-popover-title {\n font-weight: 600;\n font-size: 12px;\n text-transform: uppercase;\n letter-spacing: 0.04em;\n color: #999;\n }\n\n .emdash-img-popover-close {\n background: none;\n border: none;\n color: #666;\n cursor: pointer;\n padding: 2px;\n line-height: 1;\n font-size: 16px;\n border-radius: 4px;\n transition: color 0.15s;\n }\n\n .emdash-img-popover-close:hover {\n color: #fff;\n }\n\n .emdash-img-popover-body {\n padding: 12px;\n display: flex;\n flex-direction: column;\n gap: 10px;\n }\n\n .emdash-img-preview {\n width: 100%;\n max-height: 160px;\n object-fit: contain;\n border-radius: 6px;\n background: #111;\n }\n\n .emdash-img-empty {\n display: flex;\n align-items: center;\n justify-content: center;\n height: 80px;\n border: 2px dashed rgba(255,255,255,0.15);\n border-radius: 6px;\n color: #666;\n font-size: 12px;\n }\n\n .emdash-img-field {\n display: flex;\n flex-direction: column;\n gap: 4px;\n }\n\n .emdash-img-field label {\n font-size: 11px;\n font-weight: 600;\n color: #888;\n text-transform: uppercase;\n letter-spacing: 0.04em;\n }\n\n .emdash-img-field input[type=\"text\"] {\n background: #111;\n border: 1px solid rgba(255,255,255,0.12);\n border-radius: 6px;\n color: #e0e0e0;\n padding: 6px 8px;\n font-size: 13px;\n font-family: inherit;\n outline: none;\n transition: border-color 0.15s;\n }\n\n .emdash-img-field input[type=\"text\"]:focus {\n border-color: #3b82f6;\n }\n\n .emdash-img-actions {\n display: flex;\n gap: 6px;\n }\n\n .emdash-img-btn {\n flex: 1;\n padding: 6px 10px;\n border: 1px solid rgba(255,255,255,0.12);\n border-radius: 6px;\n background: #222;\n color: #e0e0e0;\n font-size: 12px;\n font-family: inherit;\n cursor: pointer;\n transition: background 0.15s, border-color 0.15s;\n text-align: center;\n white-space: nowrap;\n }\n\n .emdash-img-btn:hover {\n background: #333;\n border-color: rgba(255,255,255,0.2);\n }\n\n .emdash-img-btn--primary {\n background: #3b82f6;\n border-color: #3b82f6;\n color: #fff;\n }\n\n .emdash-img-btn--primary:hover {\n background: #2563eb;\n border-color: #2563eb;\n }\n\n .emdash-img-btn--danger {\n color: #f87171;\n border-color: rgba(248,113,113,0.3);\n }\n\n .emdash-img-btn--danger:hover {\n background: rgba(248,113,113,0.1);\n border-color: rgba(248,113,113,0.5);\n }\n\n /* Media browser within the popover */\n .emdash-img-browser {\n border-top: 1px solid rgba(255,255,255,0.08);\n padding: 12px;\n }\n\n .emdash-img-browser-header {\n display: flex;\n align-items: center;\n justify-content: space-between;\n margin-bottom: 8px;\n }\n\n .emdash-img-browser-title {\n font-size: 12px;\n font-weight: 600;\n color: #999;\n }\n\n .emdash-img-browser-back {\n background: none;\n border: none;\n color: #3b82f6;\n cursor: pointer;\n font-size: 12px;\n font-family: inherit;\n padding: 2px 4px;\n }\n\n .emdash-img-browser-back:hover {\n text-decoration: underline;\n }\n\n .emdash-img-grid {\n display: grid;\n grid-template-columns: repeat(3, 1fr);\n gap: 6px;\n max-height: 240px;\n overflow-y: auto;\n }\n\n .emdash-img-grid-item {\n aspect-ratio: 1;\n border-radius: 4px;\n overflow: hidden;\n cursor: pointer;\n border: 2px solid transparent;\n transition: border-color 0.15s;\n background: #111;\n }\n\n .emdash-img-grid-item:hover {\n border-color: rgba(59,130,246,0.5);\n }\n\n .emdash-img-grid-item--selected {\n border-color: #3b82f6;\n }\n\n .emdash-img-grid-item img {\n width: 100%;\n height: 100%;\n object-fit: cover;\n }\n\n .emdash-img-loading {\n display: flex;\n align-items: center;\n justify-content: center;\n height: 80px;\n color: #666;\n font-size: 12px;\n }\n\n .emdash-img-drop {\n border: 2px dashed #3b82f6;\n background: rgba(59,130,246,0.05);\n }\n\n .emdash-img-uploading {\n display: flex;\n align-items: center;\n gap: 8px;\n padding: 8px 0;\n color: #999;\n font-size: 12px;\n }\n\n .emdash-img-popover-backdrop {\n position: fixed;\n inset: 0;\n z-index: 999999;\n }\n</style>\n\n<script>\n(function() {\n var toolbar = document.getElementById(\"emdash-toolbar\");\n var toggle = document.getElementById(\"emdash-edit-toggle\");\n var statusEl = document.getElementById(\"emdash-tb-status\");\n var saveStatusEl = document.getElementById(\"emdash-tb-save-status\");\n var publishBtn = document.getElementById(\"emdash-tb-publish\");\n if (!toolbar || !toggle || !statusEl || !publishBtn || !saveStatusEl) return;\n\n var isEditMode = toolbar.getAttribute(\"data-edit-mode\") === \"true\";\n\n // CSRF-protected fetch — adds X-EmDash-Request header to all API calls\n function ecFetch(url, init) {\n init = init || {};\n init.headers = Object.assign({ \"X-EmDash-Request\": \"1\" }, init.headers || {});\n return fetch(url, init);\n }\n\n // --- Save status tracking ---\n var saveState = \"idle\"; // idle | unsaved | saving | saved | error\n var saveHideTimer = null;\n var pendingSavePromise = null;\n\n function setSaveState(state) {\n saveState = state;\n clearTimeout(saveHideTimer);\n\n switch (state) {\n case \"unsaved\":\n saveStatusEl.innerHTML = '<span class=\"emdash-tb-badge emdash-tb-badge--unsaved\">Unsaved</span>';\n break;\n case \"saving\":\n saveStatusEl.innerHTML = '<span class=\"emdash-tb-badge emdash-tb-badge--saving\">Saving\\u2026</span>';\n break;\n case \"saved\":\n saveStatusEl.innerHTML = '<span class=\"emdash-tb-badge emdash-tb-badge--saved\">Saved</span>';\n saveHideTimer = setTimeout(function() {\n saveStatusEl.innerHTML = \"\";\n saveState = \"idle\";\n }, 2000);\n break;\n case \"error\":\n saveStatusEl.innerHTML = '<span class=\"emdash-tb-badge emdash-tb-badge--error\">Save failed</span>';\n saveHideTimer = setTimeout(function() {\n saveStatusEl.innerHTML = \"\";\n saveState = \"idle\";\n }, 3000);\n break;\n default:\n saveStatusEl.innerHTML = \"\";\n }\n }\n\n // Listen for save events from inline editors (e.g. PT editor)\n document.addEventListener(\"emdash:save\", function(e) {\n var detail = e.detail || {};\n if (detail.state) {\n setSaveState(detail.state);\n }\n });\n\n document.addEventListener(\"emdash:content-changed\", function(e) {\n var detail = e.detail || {};\n if (detail.collection && detail.id) {\n showUnpublishedChanges(detail.collection, detail.id);\n }\n });\n\n // --- Entry status ---\n var entryRef = null;\n\n function updateStatus() {\n if (!isEditMode) {\n statusEl.innerHTML = \"\";\n publishBtn.style.display = \"none\";\n return;\n }\n\n var first = document.querySelector(\"[data-emdash-ref]\");\n if (!first) {\n statusEl.innerHTML = \"\";\n publishBtn.style.display = \"none\";\n return;\n }\n\n try {\n var ref = JSON.parse(first.getAttribute(\"data-emdash-ref\"));\n entryRef = ref;\n if (!ref.status) return;\n\n // Show admin link\n var adminLink = document.getElementById(\"emdash-tb-admin\");\n if (adminLink) {\n adminLink.href = \"/_emdash/admin/content/\" + encodeURIComponent(ref.collection) + \"/\" + encodeURIComponent(ref.id);\n adminLink.style.display = \"\";\n }\n\n if (ref.status === \"draft\") {\n statusEl.innerHTML = '<span class=\"emdash-tb-badge emdash-tb-badge--draft\">Draft</span>';\n publishBtn.style.display = \"\";\n publishBtn.onclick = function() { publish(ref.collection, ref.id); };\n } else if (ref.status === \"published\" && ref.hasDraft) {\n statusEl.innerHTML = '<span class=\"emdash-tb-badge emdash-tb-badge--pending\">Unpublished changes</span>';\n publishBtn.style.display = \"\";\n publishBtn.onclick = function() { publish(ref.collection, ref.id); };\n } else if (ref.status === \"published\") {\n statusEl.innerHTML = '<span class=\"emdash-tb-badge emdash-tb-badge--published\">Published</span>';\n publishBtn.style.display = \"none\";\n }\n } catch (e) {\n // ignore parse errors\n }\n }\n\n // Publish action\n function publish(collection, id) {\n if (pendingSavePromise) {\n pendingSavePromise.then(function() { publish(collection, id); });\n return;\n }\n\n publishBtn.disabled = true;\n publishBtn.textContent = \"Publishing\\u2026\";\n\n ecFetch(\"/_emdash/api/content/\" + encodeURIComponent(collection) + \"/\" + encodeURIComponent(id) + \"/publish\", {\n method: \"POST\",\n credentials: \"same-origin\",\n })\n .then(function(res) {\n if (res.ok) {\n if (document.startViewTransition) {\n document.startViewTransition(function() { location.reload(); });\n } else {\n location.reload();\n }\n } else {\n publishBtn.disabled = false;\n publishBtn.textContent = \"Publish\";\n console.error(\"Publish failed:\", res.status);\n }\n })\n .catch(function(err) {\n publishBtn.disabled = false;\n publishBtn.textContent = \"Publish\";\n console.error(\"Publish failed:\", err);\n });\n }\n\n // Edit mode toggle\n toggle.addEventListener(\"change\", function() {\n if (toggle.checked) {\n document.cookie = \"emdash-edit-mode=true;path=/;samesite=lax\";\n } else {\n document.cookie = \"emdash-edit-mode=;path=/;expires=Thu, 01 Jan 1970 00:00:00 GMT\";\n }\n\n if (document.startViewTransition) {\n document.startViewTransition(function() { location.replace(location.href); });\n } else {\n location.replace(location.href);\n }\n });\n\n // --- Inline editing ---\n\n // Cached manifest (fetched once on first edit click)\n var manifestCache = null;\n var manifestPromise = null;\n\n function fetchManifest() {\n if (manifestCache) return Promise.resolve(manifestCache);\n if (manifestPromise) return manifestPromise;\n manifestPromise = ecFetch(\"/_emdash/api/manifest\", { credentials: \"same-origin\" })\n .then(function(r) { return r.json(); })\n .then(function(m) {\n // The manifest endpoint wraps the payload in a { data } envelope (ApiResponse shape).\n // Unwrap it so getFieldKind can read manifest.collections directly.\n manifestCache = m && m.data ? m.data : m;\n return manifestCache;\n });\n return manifestPromise;\n }\n\n function getFieldKind(manifest, collection, field) {\n var col = manifest.collections && manifest.collections[collection];\n if (!col || !col.fields) return null;\n var f = col.fields[field];\n return f ? f.kind : null;\n }\n\n // Load manifest early so the first click can resolve field kinds without racing the event.\n if (isEditMode) {\n fetchManifest();\n }\n\n // Save a single field value\n function saveField(collection, id, field, value) {\n setSaveState(\"saving\");\n return ecFetch(\"/_emdash/api/content/\" + encodeURIComponent(collection) + \"/\" + encodeURIComponent(id), {\n method: \"PUT\",\n credentials: \"same-origin\",\n headers: { \"Content-Type\": \"application/json\" },\n body: JSON.stringify({ data: { [field]: value } }),\n })\n .then(function(res) {\n if (res.ok) {\n setSaveState(\"saved\");\n // A save creates/updates a draft — show unpublished changes\n showUnpublishedChanges(collection, id);\n } else {\n setSaveState(\"error\");\n console.error(\"Save failed:\", res.status);\n }\n })\n .catch(function(err) {\n setSaveState(\"error\");\n console.error(\"Save failed:\", err);\n });\n }\n\n function showUnpublishedChanges(collection, id) {\n statusEl.innerHTML = '<span class=\"emdash-tb-badge emdash-tb-badge--pending\">Unpublished changes</span>';\n publishBtn.style.display = \"\";\n publishBtn.disabled = false;\n publishBtn.textContent = \"Publish\";\n publishBtn.onclick = function() { publish(collection, id); };\n }\n\n // Plain text inline editing (contenteditable)\n var currentlyEditing = null;\n\n function startTextEdit(element, annotation) {\n if (currentlyEditing === element) return;\n if (currentlyEditing) endCurrentEdit();\n\n currentlyEditing = element;\n var originalText = element.textContent || \"\";\n\n element.setAttribute(\"data-emdash-editing\", \"\");\n element.contentEditable = \"plaintext-only\";\n element.focus();\n\n // Select all text\n var range = document.createRange();\n range.selectNodeContents(element);\n var sel = window.getSelection();\n sel.removeAllRanges();\n sel.addRange(range);\n\n // Track dirty state via input events\n function handleInput() {\n var current = (element.textContent || \"\").trim();\n if (current !== originalText.trim()) {\n setSaveState(\"unsaved\");\n } else {\n setSaveState(\"idle\");\n }\n }\n\n function handleBlur() {\n element.removeEventListener(\"blur\", handleBlur);\n element.removeEventListener(\"keydown\", handleKeydown);\n element.removeEventListener(\"input\", handleInput);\n element.contentEditable = \"false\";\n element.removeAttribute(\"data-emdash-editing\");\n currentlyEditing = null;\n\n var newValue = (element.textContent || \"\").trim();\n if (newValue !== originalText.trim()) {\n pendingSavePromise = saveField(annotation.collection, annotation.id, annotation.field, newValue).then(function() {\n pendingSavePromise = null;\n }, function() {\n pendingSavePromise = null;\n });\n } else {\n setSaveState(\"idle\");\n }\n }\n\n function handleKeydown(e) {\n if (e.key === \"Enter\" && !e.shiftKey) {\n e.preventDefault();\n element.blur();\n }\n if (e.key === \"Escape\") {\n element.textContent = originalText;\n setSaveState(\"idle\");\n element.blur();\n }\n }\n\n element.addEventListener(\"input\", handleInput);\n element.addEventListener(\"blur\", handleBlur);\n element.addEventListener(\"keydown\", handleKeydown);\n }\n\n function endCurrentEdit() {\n if (currentlyEditing) {\n currentlyEditing.blur();\n }\n }\n\n // Fallback: open admin\n function openAdmin(annotation) {\n var url = \"/_emdash/admin/content/\" + encodeURIComponent(annotation.collection) + \"/\" + encodeURIComponent(annotation.id);\n if (annotation.field) {\n url += \"?field=\" + encodeURIComponent(annotation.field);\n }\n window.open(url, \"emdash-admin\");\n }\n\n // --- Inline image editing ---\n var activeImagePopover = null;\n\n function closeImagePopover() {\n if (activeImagePopover) {\n activeImagePopover.backdrop.remove();\n activeImagePopover.popover.remove();\n if (activeImagePopover.escapeHandler) {\n document.removeEventListener(\"keydown\", activeImagePopover.escapeHandler);\n }\n activeImagePopover = null;\n }\n }\n\n function startImageEdit(element, annotation) {\n closeImagePopover();\n\n // Find the current image value by fetching the entry\n var collection = annotation.collection;\n var id = annotation.id;\n var field = annotation.field;\n\n // Find img element inside the annotated container (or the element itself if it's an img)\n var imgEl = element.tagName === \"IMG\" ? element : element.querySelector(\"img\");\n\n // Fetch current field value from the content API\n ecFetch(\"/_emdash/api/content/\" + encodeURIComponent(collection) + \"/\" + encodeURIComponent(id), {\n credentials: \"same-origin\"\n })\n .then(function(r) { return r.json(); })\n .then(function(entry) {\n var currentValue = entry.data && entry.data[field];\n showImagePopover(element, imgEl, annotation, currentValue);\n })\n .catch(function() {\n // If fetch fails, still show popover with what we can infer from DOM\n showImagePopover(element, imgEl, annotation, null);\n });\n }\n\n function showImagePopover(element, imgEl, annotation, currentValue) {\n closeImagePopover();\n\n var collection = annotation.collection;\n var id = annotation.id;\n var field = annotation.field;\n\n // Position near the element\n var rect = element.getBoundingClientRect();\n var viewportH = window.innerHeight;\n var viewportW = window.innerWidth;\n\n // Create backdrop for click-outside-to-close\n var backdrop = document.createElement(\"div\");\n backdrop.className = \"emdash-img-popover-backdrop\";\n backdrop.addEventListener(\"click\", function(e) {\n if (e.target === backdrop) closeImagePopover();\n });\n\n // Create popover\n var popover = document.createElement(\"div\");\n popover.className = \"emdash-img-popover\";\n\n var currentSrc = currentValue ? (currentValue.previewUrl || currentValue.src) : (imgEl ? imgEl.src : null);\n var currentAlt = currentValue ? (currentValue.alt || \"\") : (imgEl ? (imgEl.alt || \"\") : \"\");\n\n // Build popover HTML\n var html = '';\n html += '<div class=\"emdash-img-popover-header\">';\n html += ' <span class=\"emdash-img-popover-title\">Image</span>';\n html += ' <button class=\"emdash-img-popover-close\" data-action=\"close\">&times;</button>';\n html += '</div>';\n html += '<div class=\"emdash-img-popover-body\" id=\"emdash-img-main\">';\n\n if (currentSrc) {\n html += '<img class=\"emdash-img-preview\" src=\"' + escapeAttr(currentSrc) + '\" alt=\"\" />';\n } else {\n html += '<div class=\"emdash-img-empty\">No image selected</div>';\n }\n\n html += '<div class=\"emdash-img-field\">';\n html += ' <label for=\"emdash-img-alt\">Alt text</label>';\n html += ' <input type=\"text\" id=\"emdash-img-alt\" value=\"' + escapeAttr(currentAlt) + '\" placeholder=\"Describe the image\" />';\n html += '</div>';\n\n html += '<div class=\"emdash-img-actions\">';\n html += ' <button class=\"emdash-img-btn emdash-img-btn--primary\" data-action=\"browse\">Replace</button>';\n html += ' <label class=\"emdash-img-btn\" style=\"cursor:pointer\">';\n html += ' Upload';\n html += ' <input type=\"file\" accept=\"image/*\" id=\"emdash-img-upload\" style=\"display:none\" />';\n html += ' </label>';\n if (currentSrc) {\n html += ' <button class=\"emdash-img-btn emdash-img-btn--danger\" data-action=\"remove\">Remove</button>';\n }\n html += '</div>';\n html += '</div>';\n\n popover.innerHTML = html;\n\n backdrop.appendChild(popover);\n document.body.appendChild(backdrop);\n\n // Position the popover\n positionPopover(popover, rect, viewportW, viewportH);\n\n // Escape key handler\n function handleEscape(e) {\n if (e.key === \"Escape\") {\n closeImagePopover();\n document.removeEventListener(\"keydown\", handleEscape);\n }\n }\n document.addEventListener(\"keydown\", handleEscape);\n\n activeImagePopover = {\n backdrop: backdrop,\n popover: popover,\n annotation: annotation,\n currentValue: currentValue,\n element: element,\n imgEl: imgEl,\n escapeHandler: handleEscape\n };\n\n // Event handlers\n popover.querySelector('[data-action=\"close\"]').addEventListener(\"click\", closeImagePopover);\n\n popover.querySelector('[data-action=\"browse\"]').addEventListener(\"click\", function() {\n showMediaBrowser(popover, annotation, currentValue, element, imgEl);\n });\n\n var uploadInput = popover.querySelector(\"#emdash-img-upload\");\n uploadInput.addEventListener(\"change\", function(e) {\n var file = e.target.files && e.target.files[0];\n if (file) handleImageUpload(file, popover, annotation, element, imgEl);\n });\n\n var removeBtn = popover.querySelector('[data-action=\"remove\"]');\n if (removeBtn) {\n removeBtn.addEventListener(\"click\", function() {\n saveField(collection, id, field, null).then(function() {\n if (imgEl) {\n imgEl.style.display = \"none\";\n }\n closeImagePopover();\n });\n });\n }\n\n // Save alt text on change (debounced)\n var altInput = popover.querySelector(\"#emdash-img-alt\");\n var altTimer = null;\n altInput.addEventListener(\"input\", function() {\n clearTimeout(altTimer);\n altTimer = setTimeout(function() {\n var newAlt = altInput.value;\n if (currentValue) {\n var updated = Object.assign({}, currentValue, { alt: newAlt });\n saveField(collection, id, field, updated);\n if (imgEl) imgEl.alt = newAlt;\n }\n }, 500);\n });\n\n // Handle drag and drop on the popover body\n var body = popover.querySelector(\".emdash-img-popover-body\");\n body.addEventListener(\"dragover\", function(e) {\n e.preventDefault();\n body.classList.add(\"emdash-img-drop\");\n });\n body.addEventListener(\"dragleave\", function() {\n body.classList.remove(\"emdash-img-drop\");\n });\n body.addEventListener(\"drop\", function(e) {\n e.preventDefault();\n body.classList.remove(\"emdash-img-drop\");\n var file = e.dataTransfer && e.dataTransfer.files && e.dataTransfer.files[0];\n if (file && file.type.startsWith(\"image/\")) {\n handleImageUpload(file, popover, annotation, element, imgEl);\n }\n });\n }\n\n function positionPopover(popover, targetRect, viewportW, viewportH) {\n var popoverW = 320;\n var gap = 8;\n\n // Try to place to the right of the element\n var left = targetRect.right + gap;\n var top = targetRect.top;\n\n // If it overflows right, place to the left\n if (left + popoverW > viewportW - 16) {\n left = targetRect.left - popoverW - gap;\n }\n // If it still overflows (narrow viewport), center below\n if (left < 16) {\n left = Math.max(16, (viewportW - popoverW) / 2);\n top = targetRect.bottom + gap;\n }\n // Clamp vertically\n if (top + 400 > viewportH - 80) { // 80 for toolbar\n top = Math.max(16, viewportH - 480);\n }\n if (top < 16) top = 16;\n\n popover.style.left = left + \"px\";\n popover.style.top = top + \"px\";\n }\n\n function escapeAttr(str) {\n return String(str || \"\").replace(/&/g, \"&amp;\").replace(/\"/g, \"&quot;\").replace(/</g, \"&lt;\").replace(/>/g, \"&gt;\");\n }\n\n function showMediaBrowser(popover, annotation, currentValue, element, imgEl) {\n var mainBody = popover.querySelector(\"#emdash-img-main\");\n if (mainBody) mainBody.style.display = \"none\";\n\n // Remove existing browser if any\n var existing = popover.querySelector(\".emdash-img-browser\");\n if (existing) existing.remove();\n\n var browser = document.createElement(\"div\");\n browser.className = \"emdash-img-browser\";\n\n browser.innerHTML = '<div class=\"emdash-img-browser-header\">' +\n '<span class=\"emdash-img-browser-title\">Media Library</span>' +\n '<button class=\"emdash-img-browser-back\">Back</button>' +\n '</div>' +\n '<div class=\"emdash-img-loading\">Loading\\u2026</div>';\n\n popover.appendChild(browser);\n\n browser.querySelector(\".emdash-img-browser-back\").addEventListener(\"click\", function() {\n browser.remove();\n if (mainBody) mainBody.style.display = \"\";\n });\n\n // Fetch media\n ecFetch(\"/_emdash/api/media?mimeType=image/&limit=30\", { credentials: \"same-origin\" })\n .then(function(r) { return r.json(); })\n .then(function(data) {\n var items = data.items || [];\n var loadingEl = browser.querySelector(\".emdash-img-loading\");\n if (loadingEl) loadingEl.remove();\n\n if (items.length === 0) {\n var empty = document.createElement(\"div\");\n empty.className = \"emdash-img-loading\";\n empty.textContent = \"No images found\";\n browser.appendChild(empty);\n return;\n }\n\n var grid = document.createElement(\"div\");\n grid.className = \"emdash-img-grid\";\n\n items.forEach(function(item) {\n var thumb = document.createElement(\"div\");\n thumb.className = \"emdash-img-grid-item\";\n if (currentValue && currentValue.id === item.id) {\n thumb.classList.add(\"emdash-img-grid-item--selected\");\n }\n var thumbUrl = item.url || item.previewUrl || (\"/_emdash/api/media/file/\" + item.storageKey);\n thumb.innerHTML = '<img src=\"' + escapeAttr(thumbUrl) + '\" alt=\"' + escapeAttr(item.alt || item.filename || \"\") + '\" loading=\"lazy\" />';\n\n thumb.addEventListener(\"click\", function() {\n selectMediaItem(item, annotation, element, imgEl);\n });\n\n grid.appendChild(thumb);\n });\n\n browser.appendChild(grid);\n })\n .catch(function(err) {\n var loadingEl = browser.querySelector(\".emdash-img-loading\");\n if (loadingEl) loadingEl.textContent = \"Failed to load media\";\n console.error(\"Media fetch error:\", err);\n });\n }\n\n function selectMediaItem(item, annotation, element, imgEl) {\n var collection = annotation.collection;\n var id = annotation.id;\n var field = annotation.field;\n\n var isLocal = !item.provider || item.provider === \"local\";\n var itemUrl = item.url || item.previewUrl || (\"/_emdash/api/media/file/\" + item.storageKey);\n\n var newValue = {\n id: item.id,\n provider: item.provider || \"local\",\n src: isLocal ? itemUrl : undefined,\n previewUrl: isLocal ? undefined : itemUrl,\n alt: item.alt || \"\",\n width: item.width,\n height: item.height,\n meta: item.meta\n };\n\n // Clean undefined fields\n Object.keys(newValue).forEach(function(k) {\n if (newValue[k] === undefined) delete newValue[k];\n });\n\n saveField(collection, id, field, newValue).then(function() {\n // Update the image in the DOM\n if (imgEl) {\n imgEl.src = itemUrl;\n imgEl.alt = item.alt || \"\";\n imgEl.style.display = \"\";\n }\n closeImagePopover();\n });\n }\n\n function handleImageUpload(file, popover, annotation, element, imgEl) {\n var collection = annotation.collection;\n var id = annotation.id;\n var field = annotation.field;\n\n // Show uploading state\n var mainBody = popover.querySelector(\"#emdash-img-main\");\n var browserEl = popover.querySelector(\".emdash-img-browser\");\n if (browserEl) browserEl.remove();\n if (mainBody) {\n mainBody.innerHTML = '<div class=\"emdash-img-uploading\">' +\n '<span>Uploading ' + escapeAttr(file.name) + '\\u2026</span>' +\n '</div>';\n mainBody.style.display = \"\";\n }\n\n // Detect dimensions before upload\n var dimPromise = new Promise(function(resolve) {\n if (!file.type.startsWith(\"image/\")) return resolve({});\n var img = new Image();\n img.onload = function() {\n resolve({ width: img.naturalWidth, height: img.naturalHeight });\n URL.revokeObjectURL(img.src);\n };\n img.onerror = function() {\n resolve({});\n URL.revokeObjectURL(img.src);\n };\n img.src = URL.createObjectURL(file);\n });\n\n dimPromise.then(function(dims) {\n // Generate a thumbnail for large images to avoid OOM in server-side\n // blurhash generation on memory-constrained runtimes (Workers).\n // Thumbnail fits within a 64x64 box (scale by max dimension) so that\n // extreme aspect ratios don't explode into a huge canvas client-side.\n var thumbPromise;\n if (dims.width && dims.height && dims.width * dims.height * 4 > 32 * 1024 * 1024) {\n thumbPromise = new Promise(function(resolve) {\n try {\n var maxDim = Math.max(dims.width, dims.height);\n var scale = Math.min(1, 64 / maxDim);\n var thumbW = Math.max(1, Math.round(dims.width * scale));\n var thumbH = Math.max(1, Math.round(dims.height * scale));\n var canvas = document.createElement(\"canvas\");\n canvas.width = thumbW;\n canvas.height = thumbH;\n var ctx = canvas.getContext(\"2d\");\n if (ctx) {\n var img = new Image();\n img.onload = function() {\n try {\n ctx.drawImage(img, 0, 0, thumbW, thumbH);\n canvas.toBlob(function(blob) {\n URL.revokeObjectURL(img.src);\n resolve(blob);\n }, \"image/png\");\n } catch (e) {\n URL.revokeObjectURL(img.src);\n resolve(null);\n }\n };\n img.onerror = function() {\n URL.revokeObjectURL(img.src);\n resolve(null);\n };\n img.src = URL.createObjectURL(file);\n } else {\n resolve(null);\n }\n } catch (e) {\n resolve(null);\n }\n });\n } else {\n thumbPromise = Promise.resolve(null);\n }\n\n return thumbPromise.then(function(thumbnail) {\n var formData = new FormData();\n formData.append(\"file\", file);\n if (dims.width) formData.append(\"width\", String(dims.width));\n if (dims.height) formData.append(\"height\", String(dims.height));\n if (thumbnail) formData.append(\"thumbnail\", thumbnail, \"thumb.png\");\n\n return ecFetch(\"/_emdash/api/media\", {\n method: \"POST\",\n credentials: \"same-origin\",\n body: formData\n });\n });\n })\n .then(function(r) { return r.json(); })\n .then(function(data) {\n if (!data.item) throw new Error(\"Upload failed\");\n var item = data.item;\n selectMediaItem(item, annotation, element, imgEl);\n })\n .catch(function(err) {\n console.error(\"Upload error:\", err);\n setSaveState(\"error\");\n closeImagePopover();\n });\n }\n\n // Click handler for edit mode\n if (isEditMode) {\n document.addEventListener(\"click\", function(e) {\n var target = e.target;\n\n // Don't intercept clicks on elements currently being edited\n if (target.hasAttribute && target.hasAttribute(\"data-emdash-editing\")) return;\n\n // Walk up to find annotated element\n while (target && target !== document.body) {\n if (target.hasAttribute && target.hasAttribute(\"data-emdash-editing\")) return;\n\n var ref = target.getAttribute && target.getAttribute(\"data-emdash-ref\");\n if (ref) {\n try {\n var annotation = JSON.parse(ref);\n\n // Entry-level annotation (no field) — keep walking for a field-level ancestor\n if (!annotation.field) {\n target = target.parentElement;\n continue;\n }\n\n function dispatchInline(kind) {\n closeImagePopover();\n // Portable Text is edited in-page by InlinePortableTextEditor — do not open admin\n if (kind === \"portableText\") {\n return;\n }\n e.preventDefault();\n e.stopPropagation();\n if (kind === \"string\" || kind === \"text\") {\n startTextEdit(target, annotation);\n } else if (kind === \"image\") {\n startImageEdit(target, annotation);\n } else {\n openAdmin(annotation);\n }\n }\n\n if (manifestCache) {\n dispatchInline(getFieldKind(manifestCache, annotation.collection, annotation.field));\n } else {\n fetchManifest().then(function(manifest) {\n dispatchInline(getFieldKind(manifest, annotation.collection, annotation.field));\n });\n }\n } catch (err) {\n console.error(\"Failed to parse emdash ref:\", err);\n }\n return;\n }\n target = target.parentElement;\n }\n }, true);\n }\n\n updateStatus();\n})();\n</script>\n`;\n}\n","/**\n * EmDash Request Context Middleware\n *\n * Sets up AsyncLocalStorage-based request context for query functions.\n * Skips ALS entirely for logged-out users with no CMS signals (fast path).\n *\n * Handles:\n * - Preview tokens: _preview query param with signed HMAC token\n * - Edit mode: emdash-edit-mode cookie (for visual editing)\n * - Toolbar injection: floating pill for authenticated editors\n */\n\nimport { defineMiddleware } from \"astro:middleware\";\n\nimport { resolveSecretsCached } from \"#config/secrets.js\";\n\nimport { verifyPreviewToken, parseContentId } from \"../../preview/tokens.js\";\nimport { getRequestContext, runWithContext } from \"../../request-context.js\";\nimport { renderToolbar } from \"../../visual-editing/toolbar.js\";\n\n/**\n * Inject toolbar HTML into a response if it's an HTML page.\n * Returns the original response if not HTML.\n */\nasync function injectToolbar(response: Response, toolbarHtml: string): Promise<Response> {\n\tconst contentType = response.headers.get(\"content-type\");\n\tif (!contentType?.includes(\"text/html\")) return response;\n\n\tconst html = await response.text();\n\tif (!html.includes(\"</body>\")) return new Response(html, response);\n\n\tconst injected = html.replace(\"</body>\", `${toolbarHtml}</body>`);\n\treturn new Response(injected, {\n\t\tstatus: response.status,\n\t\theaders: response.headers,\n\t});\n}\n\nexport const onRequest = defineMiddleware(async (context, next) => {\n\tconst { cookies, url } = context;\n\n\t// Skip /_emdash routes (admin has its own UI, no rendering context needed)\n\tif (url.pathname.startsWith(\"/_emdash\")) {\n\t\treturn next();\n\t}\n\n\t// Check for authenticated editor (role >= 30)\n\tconst { user } = context.locals;\n\tconst isEditor = !!user && user.role >= 30;\n\n\t// Playground mode: the playground middleware (from @emdash-cms/cloudflare) stashes\n\t// the per-session DO database on locals.__playgroundDb. We set it via ALS here\n\t// (same module instance as the loader) so getDb() picks it up correctly.\n\t//\n\t// `dbIsIsolated: true` tells schema-derived caches (manifest, taxonomy defs,\n\t// byline/term existence probes) to bypass module-scope memoization — each\n\t// playground session is its own database with its own schema, so a cached\n\t// value from another session would be wrong.\n\tconst playgroundDb = context.locals.__playgroundDb;\n\tif (playgroundDb) {\n\t\t// Check if playground user has toggled edit mode on\n\t\tconst hasEditCookie = cookies.get(\"emdash-edit-mode\")?.value === \"true\";\n\t\treturn runWithContext({ editMode: hasEditCookie, db: playgroundDb, dbIsIsolated: true }, () =>\n\t\t\tnext(),\n\t\t);\n\t}\n\n\t// Fast path: check for CMS signals before doing any work\n\tconst hasEditCookie = cookies.get(\"emdash-edit-mode\")?.value === \"true\";\n\tconst hasPreviewToken = url.searchParams.has(\"_preview\");\n\n\t// No CMS signals and not an editor → skip everything (zero overhead)\n\tif (!hasEditCookie && !hasPreviewToken && !isEditor) {\n\t\treturn next();\n\t}\n\n\t// Determine edit mode: cookie AND authenticated editor\n\tconst editMode = hasEditCookie && isEditor;\n\n\t// Read locale from Astro's i18n routing\n\t// eslint-disable-next-line typescript-eslint(no-unsafe-type-assertion) -- Astro context includes currentLocale when i18n is configured\n\tconst locale = (context as { currentLocale?: string }).currentLocale;\n\n\t// Verify preview token if present.\n\t// The preview secret is resolved via `resolveSecretsCached`: env wins,\n\t// otherwise a DB-stored value is read (or generated on first need).\n\t// `emdash.db` is set by the runtime middleware which runs first; the\n\t// only path where it's missing is a runtime-init failure.\n\tlet preview: { collection: string; id: string } | undefined;\n\tif (hasPreviewToken) {\n\t\tconst db = context.locals.emdash?.db;\n\t\tif (db) {\n\t\t\tconst { previewSecret } = await resolveSecretsCached(db);\n\t\t\tconst result = await verifyPreviewToken({ url, secret: previewSecret });\n\t\t\tif (result.valid) {\n\t\t\t\tconst { collection, id } = parseContentId(result.payload.cid);\n\t\t\t\tpreview = { collection, id };\n\t\t\t}\n\t\t} else {\n\t\t\tconsole.warn(\n\t\t\t\t\"[emdash] Preview token present but EmDash runtime not initialized; preview disabled.\",\n\t\t\t);\n\t\t}\n\t}\n\n\t// If we have CMS signals, wrap in ALS context\n\tconst needsContext = hasEditCookie || hasPreviewToken;\n\n\tif (needsContext) {\n\t\t// Merge with any outer ALS context (e.g. the per-request D1 session db\n\t\t// set by the runtime middleware). `storage.run()` replaces the store\n\t\t// wholesale, so without the spread the outer `db` would be lost and\n\t\t// loaders would fall back to the singleton non-session dialect.\n\t\tconst parent = getRequestContext();\n\t\treturn runWithContext({ ...parent, editMode, preview, locale }, async () => {\n\t\t\tlet response = await next();\n\n\t\t\t// Preview responses must not be cached -- draft content could leak past token expiry.\n\t\t\t// Clone the response before modifying headers — the original may be immutable.\n\t\t\tif (preview) {\n\t\t\t\tresponse = new Response(response.body, response);\n\t\t\t\tresponse.headers.set(\"Cache-Control\", \"private, no-store\");\n\t\t\t}\n\n\t\t\t// Inject toolbar for authenticated editors\n\t\t\tif (isEditor) {\n\t\t\t\tconst toolbarHtml = renderToolbar({\n\t\t\t\t\teditMode,\n\t\t\t\t\tisPreview: !!preview,\n\t\t\t\t});\n\t\t\t\treturn injectToolbar(response, toolbarHtml);\n\t\t\t}\n\n\t\t\treturn response;\n\t\t});\n\t}\n\n\t// Editor without CMS signals — no ALS needed, but inject toolbar\n\tif (isEditor) {\n\t\tconst response = await next();\n\t\tconst toolbarHtml = renderToolbar({\n\t\t\teditMode: false,\n\t\t\tisPreview: false,\n\t\t});\n\t\treturn injectToolbar(response, toolbarHtml);\n\t}\n\n\treturn next();\n});\n\nexport default onRequest;\n"],"mappings":";;;;;;;;AAaA,SAAgB,cAAc,QAA+B;CAC5D,MAAM,EAAE,UAAU,cAAc;AAEhC,QAAO;;2CAEmC,SAAS,kBAAkB,UAAU;;;;;;;uDAOzB,WAAW,YAAY,GAAG;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;ACDjF,eAAe,cAAc,UAAoB,aAAwC;AAExF,KAAI,CADgB,SAAS,QAAQ,IAAI,eAAe,EACtC,SAAS,YAAY,CAAE,QAAO;CAEhD,MAAM,OAAO,MAAM,SAAS,MAAM;AAClC,KAAI,CAAC,KAAK,SAAS,UAAU,CAAE,QAAO,IAAI,SAAS,MAAM,SAAS;CAElE,MAAM,WAAW,KAAK,QAAQ,WAAW,GAAG,YAAY,SAAS;AACjE,QAAO,IAAI,SAAS,UAAU;EAC7B,QAAQ,SAAS;EACjB,SAAS,SAAS;EAClB,CAAC;;AAGH,MAAa,YAAY,iBAAiB,OAAO,SAAS,SAAS;CAClE,MAAM,EAAE,SAAS,QAAQ;AAGzB,KAAI,IAAI,SAAS,WAAW,WAAW,CACtC,QAAO,MAAM;CAId,MAAM,EAAE,SAAS,QAAQ;CACzB,MAAM,WAAW,CAAC,CAAC,QAAQ,KAAK,QAAQ;CAUxC,MAAM,eAAe,QAAQ,OAAO;AACpC,KAAI,aAGH,QAAO,eAAe;EAAE,UADF,QAAQ,IAAI,mBAAmB,EAAE,UAAU;EAChB,IAAI;EAAc,cAAc;EAAM,QACtF,MAAM,CACN;CAIF,MAAM,gBAAgB,QAAQ,IAAI,mBAAmB,EAAE,UAAU;CACjE,MAAM,kBAAkB,IAAI,aAAa,IAAI,WAAW;AAGxD,KAAI,CAAC,iBAAiB,CAAC,mBAAmB,CAAC,SAC1C,QAAO,MAAM;CAId,MAAM,WAAW,iBAAiB;CAIlC,MAAM,SAAU,QAAuC;CAOvD,IAAI;AACJ,KAAI,iBAAiB;EACpB,MAAM,KAAK,QAAQ,OAAO,QAAQ;AAClC,MAAI,IAAI;GACP,MAAM,EAAE,kBAAkB,MAAM,qBAAqB,GAAG;GACxD,MAAM,SAAS,MAAM,mBAAmB;IAAE;IAAK,QAAQ;IAAe,CAAC;AACvE,OAAI,OAAO,OAAO;IACjB,MAAM,EAAE,YAAY,OAAO,eAAe,OAAO,QAAQ,IAAI;AAC7D,cAAU;KAAE;KAAY;KAAI;;QAG7B,SAAQ,KACP,uFACA;;AAOH,KAFqB,iBAAiB,gBAQrC,QAAO,eAAe;EAAE,GADT,mBAAmB;EACC;EAAU;EAAS;EAAQ,EAAE,YAAY;EAC3E,IAAI,WAAW,MAAM,MAAM;AAI3B,MAAI,SAAS;AACZ,cAAW,IAAI,SAAS,SAAS,MAAM,SAAS;AAChD,YAAS,QAAQ,IAAI,iBAAiB,oBAAoB;;AAI3D,MAAI,UAAU;GACb,MAAM,cAAc,cAAc;IACjC;IACA,WAAW,CAAC,CAAC;IACb,CAAC;AACF,UAAO,cAAc,UAAU,YAAY;;AAG5C,SAAO;GACN;AAIH,KAAI,SAMH,QAAO,cALU,MAAM,MAAM,EACT,cAAc;EACjC,UAAU;EACV,WAAW;EACX,CAAC,CACyC;AAG5C,QAAO,MAAM;EACZ"}
1
+ {"version":3,"file":"request-context.mjs","names":[],"sources":["../../../src/visual-editing/toolbar.ts","../../../src/astro/middleware/request-context.ts"],"sourcesContent":["/**\n * EmDash Visual Editing Toolbar\n *\n * A floating pill injected via middleware for authenticated editors.\n * Renders as a plain HTML string with inline styles and a <script> tag.\n * No dependencies — works on any page with a </body> tag.\n */\n\ninterface ToolbarConfig {\n\teditMode: boolean;\n\tisPreview: boolean;\n}\n\nexport function renderToolbar(config: ToolbarConfig): string {\n\tconst { editMode, isPreview } = config;\n\n\treturn `\n<!-- EmDash Visual Editing Toolbar -->\n<div id=\"emdash-toolbar\" data-edit-mode=\"${editMode}\" data-preview=\"${isPreview}\">\n <div class=\"emdash-tb-inner\">\n <span class=\"emdash-tb-logo\">EmDash</span>\n\n <div class=\"emdash-tb-divider\"></div>\n\n <label class=\"emdash-tb-toggle\" title=\"Toggle edit mode\">\n <input type=\"checkbox\" id=\"emdash-edit-toggle\" ${editMode ? \"checked\" : \"\"} />\n <span class=\"emdash-tb-toggle-track\">\n <span class=\"emdash-tb-toggle-thumb\"></span>\n </span>\n <span class=\"emdash-tb-toggle-label\">Edit</span>\n </label>\n\n <span class=\"emdash-tb-status\" id=\"emdash-tb-status\"></span>\n\n <span class=\"emdash-tb-save-status\" id=\"emdash-tb-save-status\"></span>\n\n <a class=\"emdash-tb-admin\" id=\"emdash-tb-admin\" href=\"#\" target=\"emdash-admin\" style=\"display:none\" title=\"Open in admin\">\n <svg width=\"14\" height=\"14\" viewBox=\"0 0 24 24\" fill=\"none\" stroke=\"currentColor\" stroke-width=\"2\" stroke-linecap=\"round\" stroke-linejoin=\"round\"><path d=\"M18 13v6a2 2 0 0 1-2 2H5a2 2 0 0 1-2-2V8a2 2 0 0 1 2-2h6\"/><polyline points=\"15 3 21 3 21 9\"/><line x1=\"10\" y1=\"14\" x2=\"21\" y2=\"3\"/></svg>\n </a>\n\n <button class=\"emdash-tb-publish\" id=\"emdash-tb-publish\" style=\"display:none\">Publish</button>\n </div>\n</div>\n\n<style>\n #emdash-toolbar {\n position: fixed;\n bottom: 16px;\n left: 50%;\n transform: translateX(-50%);\n z-index: 999999;\n font-family: -apple-system, BlinkMacSystemFont, \"Segoe UI\", Roboto, sans-serif;\n font-size: 13px;\n line-height: 1;\n -webkit-font-smoothing: antialiased;\n }\n\n .emdash-tb-inner {\n display: flex;\n align-items: center;\n gap: 10px;\n padding: 8px 16px;\n background: #1a1a1a;\n color: #e0e0e0;\n border-radius: 999px;\n box-shadow: 0 4px 24px rgba(0,0,0,0.3), 0 0 0 1px rgba(255,255,255,0.08);\n white-space: nowrap;\n user-select: none;\n }\n\n .emdash-tb-logo {\n font-weight: 600;\n font-size: 12px;\n letter-spacing: 0.02em;\n color: #fff;\n opacity: 0.7;\n }\n\n .emdash-tb-divider {\n width: 1px;\n height: 16px;\n background: rgba(255,255,255,0.15);\n }\n\n /* Toggle switch */\n .emdash-tb-toggle {\n display: flex;\n align-items: center;\n gap: 6px;\n cursor: pointer;\n }\n\n .emdash-tb-toggle input {\n position: absolute;\n opacity: 0;\n width: 0;\n height: 0;\n }\n\n .emdash-tb-toggle-track {\n position: relative;\n width: 32px;\n height: 18px;\n background: #444;\n border-radius: 9px;\n transition: background 0.2s;\n }\n\n .emdash-tb-toggle input:checked + .emdash-tb-toggle-track {\n background: #3b82f6;\n }\n\n .emdash-tb-toggle-thumb {\n position: absolute;\n top: 2px;\n left: 2px;\n width: 14px;\n height: 14px;\n background: #fff;\n border-radius: 50%;\n transition: transform 0.2s;\n }\n\n .emdash-tb-toggle input:checked + .emdash-tb-toggle-track .emdash-tb-toggle-thumb {\n transform: translateX(14px);\n }\n\n .emdash-tb-toggle-label {\n font-size: 12px;\n color: #aaa;\n }\n\n .emdash-tb-toggle input:checked ~ .emdash-tb-toggle-label {\n color: #fff;\n }\n\n /* Status area — flex for multiple badges */\n .emdash-tb-status {\n display: inline-flex;\n gap: 6px;\n align-items: center;\n }\n\n /* Badges */\n .emdash-tb-badge {\n display: inline-flex;\n align-items: center;\n padding: 3px 8px;\n border-radius: 999px;\n font-size: 11px;\n font-weight: 600;\n letter-spacing: 0.02em;\n text-transform: uppercase;\n }\n\n .emdash-tb-badge--preview {\n background: rgba(139,92,246,0.2);\n color: #a78bfa;\n }\n\n .emdash-tb-badge--draft {\n background: rgba(245,158,11,0.2);\n color: #fbbf24;\n }\n\n .emdash-tb-badge--published {\n background: rgba(34,197,94,0.2);\n color: #4ade80;\n }\n\n .emdash-tb-badge--pending {\n background: rgba(59,130,246,0.2);\n color: #60a5fa;\n }\n\n .emdash-tb-badge--unsaved {\n background: rgba(245,158,11,0.2);\n color: #fbbf24;\n }\n\n .emdash-tb-badge--saving {\n background: rgba(148,163,184,0.2);\n color: #94a3b8;\n }\n\n .emdash-tb-badge--saved {\n background: rgba(34,197,94,0.2);\n color: #4ade80;\n transition: opacity 0.3s;\n }\n\n .emdash-tb-badge--error {\n background: rgba(239,68,68,0.2);\n color: #f87171;\n }\n\n /* Admin link */\n .emdash-tb-admin {\n display: inline-flex;\n align-items: center;\n justify-content: center;\n color: #888;\n text-decoration: none;\n padding: 2px;\n border-radius: 4px;\n transition: color 0.15s;\n }\n\n .emdash-tb-admin:hover {\n color: #fff;\n }\n\n /* Publish button */\n .emdash-tb-publish {\n padding: 4px 12px;\n background: #3b82f6;\n color: #fff;\n border: none;\n border-radius: 999px;\n font-size: 12px;\n font-weight: 600;\n cursor: pointer;\n transition: background 0.15s;\n font-family: inherit;\n }\n\n .emdash-tb-publish:hover {\n background: #2563eb;\n }\n\n .emdash-tb-publish:disabled {\n opacity: 0.5;\n cursor: not-allowed;\n }\n\n /* Edit mode: editable hover styles — uses :has() to check toolbar state */\n body:has(#emdash-toolbar[data-edit-mode=\"true\"]) [data-emdash-ref] {\n transition: box-shadow 0.15s, background-color 0.15s;\n }\n\n body:has(#emdash-toolbar[data-edit-mode=\"true\"]) [data-emdash-ref]:hover {\n box-shadow: 0 0 0 2px rgba(59,130,246,0.5);\n border-radius: 4px;\n background-color: rgba(59,130,246,0.04);\n cursor: text;\n }\n\n /* Active editing state — override hover pencil cursor */\n [data-emdash-editing] {\n box-shadow: 0 0 0 2px #3b82f6 !important;\n border-radius: 4px !important;\n background-color: rgba(59,130,246,0.04) !important;\n cursor: text !important;\n }\n\n /* Suppress browser focus ring on contenteditable and tiptap editor */\n [data-emdash-editing]:focus,\n [data-emdash-ref] .tiptap:focus,\n [data-emdash-ref] .ProseMirror:focus {\n outline: none !important;\n }\n\n /* Image editor popover */\n .emdash-img-popover {\n position: fixed;\n z-index: 1000000;\n background: #1a1a1a;\n border-radius: 12px;\n box-shadow: 0 8px 32px rgba(0,0,0,0.4), 0 0 0 1px rgba(255,255,255,0.08);\n color: #e0e0e0;\n font-family: -apple-system, BlinkMacSystemFont, \"Segoe UI\", Roboto, sans-serif;\n font-size: 13px;\n width: 320px;\n overflow: hidden;\n animation: emdash-img-fadein 0.15s ease-out;\n }\n\n @keyframes emdash-img-fadein {\n from { opacity: 0; transform: translateY(4px); }\n to { opacity: 1; transform: translateY(0); }\n }\n\n .emdash-img-popover-header {\n display: flex;\n align-items: center;\n justify-content: space-between;\n padding: 10px 12px;\n border-bottom: 1px solid rgba(255,255,255,0.08);\n }\n\n .emdash-img-popover-title {\n font-weight: 600;\n font-size: 12px;\n text-transform: uppercase;\n letter-spacing: 0.04em;\n color: #999;\n }\n\n .emdash-img-popover-close {\n background: none;\n border: none;\n color: #666;\n cursor: pointer;\n padding: 2px;\n line-height: 1;\n font-size: 16px;\n border-radius: 4px;\n transition: color 0.15s;\n }\n\n .emdash-img-popover-close:hover {\n color: #fff;\n }\n\n .emdash-img-popover-body {\n padding: 12px;\n display: flex;\n flex-direction: column;\n gap: 10px;\n }\n\n .emdash-img-preview {\n width: 100%;\n max-height: 160px;\n object-fit: contain;\n border-radius: 6px;\n background: #111;\n }\n\n .emdash-img-empty {\n display: flex;\n align-items: center;\n justify-content: center;\n height: 80px;\n border: 2px dashed rgba(255,255,255,0.15);\n border-radius: 6px;\n color: #666;\n font-size: 12px;\n }\n\n .emdash-img-field {\n display: flex;\n flex-direction: column;\n gap: 4px;\n }\n\n .emdash-img-field label {\n font-size: 11px;\n font-weight: 600;\n color: #888;\n text-transform: uppercase;\n letter-spacing: 0.04em;\n }\n\n .emdash-img-field input[type=\"text\"] {\n background: #111;\n border: 1px solid rgba(255,255,255,0.12);\n border-radius: 6px;\n color: #e0e0e0;\n padding: 6px 8px;\n font-size: 13px;\n font-family: inherit;\n outline: none;\n transition: border-color 0.15s;\n }\n\n .emdash-img-field input[type=\"text\"]:focus {\n border-color: #3b82f6;\n }\n\n .emdash-img-actions {\n display: flex;\n gap: 6px;\n }\n\n .emdash-img-btn {\n flex: 1;\n padding: 6px 10px;\n border: 1px solid rgba(255,255,255,0.12);\n border-radius: 6px;\n background: #222;\n color: #e0e0e0;\n font-size: 12px;\n font-family: inherit;\n cursor: pointer;\n transition: background 0.15s, border-color 0.15s;\n text-align: center;\n white-space: nowrap;\n }\n\n .emdash-img-btn:hover {\n background: #333;\n border-color: rgba(255,255,255,0.2);\n }\n\n .emdash-img-btn--primary {\n background: #3b82f6;\n border-color: #3b82f6;\n color: #fff;\n }\n\n .emdash-img-btn--primary:hover {\n background: #2563eb;\n border-color: #2563eb;\n }\n\n .emdash-img-btn--danger {\n color: #f87171;\n border-color: rgba(248,113,113,0.3);\n }\n\n .emdash-img-btn--danger:hover {\n background: rgba(248,113,113,0.1);\n border-color: rgba(248,113,113,0.5);\n }\n\n /* Media browser within the popover */\n .emdash-img-browser {\n border-top: 1px solid rgba(255,255,255,0.08);\n padding: 12px;\n }\n\n .emdash-img-browser-header {\n display: flex;\n align-items: center;\n justify-content: space-between;\n margin-bottom: 8px;\n }\n\n .emdash-img-browser-title {\n font-size: 12px;\n font-weight: 600;\n color: #999;\n }\n\n .emdash-img-browser-back {\n background: none;\n border: none;\n color: #3b82f6;\n cursor: pointer;\n font-size: 12px;\n font-family: inherit;\n padding: 2px 4px;\n }\n\n .emdash-img-browser-back:hover {\n text-decoration: underline;\n }\n\n .emdash-img-grid {\n display: grid;\n grid-template-columns: repeat(3, 1fr);\n gap: 6px;\n max-height: 240px;\n overflow-y: auto;\n }\n\n .emdash-img-grid-item {\n aspect-ratio: 1;\n border-radius: 4px;\n overflow: hidden;\n cursor: pointer;\n border: 2px solid transparent;\n transition: border-color 0.15s;\n background: #111;\n }\n\n .emdash-img-grid-item:hover {\n border-color: rgba(59,130,246,0.5);\n }\n\n .emdash-img-grid-item--selected {\n border-color: #3b82f6;\n }\n\n .emdash-img-grid-item img {\n width: 100%;\n height: 100%;\n object-fit: cover;\n }\n\n .emdash-img-loading {\n display: flex;\n align-items: center;\n justify-content: center;\n height: 80px;\n color: #666;\n font-size: 12px;\n }\n\n .emdash-img-drop {\n border: 2px dashed #3b82f6;\n background: rgba(59,130,246,0.05);\n }\n\n .emdash-img-uploading {\n display: flex;\n align-items: center;\n gap: 8px;\n padding: 8px 0;\n color: #999;\n font-size: 12px;\n }\n\n .emdash-img-popover-backdrop {\n position: fixed;\n inset: 0;\n z-index: 999999;\n }\n</style>\n\n<script>\n(function() {\n var toolbar = document.getElementById(\"emdash-toolbar\");\n var toggle = document.getElementById(\"emdash-edit-toggle\");\n var statusEl = document.getElementById(\"emdash-tb-status\");\n var saveStatusEl = document.getElementById(\"emdash-tb-save-status\");\n var publishBtn = document.getElementById(\"emdash-tb-publish\");\n if (!toolbar || !toggle || !statusEl || !publishBtn || !saveStatusEl) return;\n\n var isEditMode = toolbar.getAttribute(\"data-edit-mode\") === \"true\";\n\n // CSRF-protected fetch — adds X-EmDash-Request header to all API calls\n function ecFetch(url, init) {\n init = init || {};\n init.headers = Object.assign({ \"X-EmDash-Request\": \"1\" }, init.headers || {});\n return fetch(url, init);\n }\n\n // --- Save status tracking ---\n var saveState = \"idle\"; // idle | unsaved | saving | saved | error\n var saveHideTimer = null;\n var pendingSavePromise = null;\n\n function setSaveState(state) {\n saveState = state;\n clearTimeout(saveHideTimer);\n\n switch (state) {\n case \"unsaved\":\n saveStatusEl.innerHTML = '<span class=\"emdash-tb-badge emdash-tb-badge--unsaved\">Unsaved</span>';\n break;\n case \"saving\":\n saveStatusEl.innerHTML = '<span class=\"emdash-tb-badge emdash-tb-badge--saving\">Saving\\u2026</span>';\n break;\n case \"saved\":\n saveStatusEl.innerHTML = '<span class=\"emdash-tb-badge emdash-tb-badge--saved\">Saved</span>';\n saveHideTimer = setTimeout(function() {\n saveStatusEl.innerHTML = \"\";\n saveState = \"idle\";\n }, 2000);\n break;\n case \"error\":\n saveStatusEl.innerHTML = '<span class=\"emdash-tb-badge emdash-tb-badge--error\">Save failed</span>';\n saveHideTimer = setTimeout(function() {\n saveStatusEl.innerHTML = \"\";\n saveState = \"idle\";\n }, 3000);\n break;\n default:\n saveStatusEl.innerHTML = \"\";\n }\n }\n\n // Listen for save events from inline editors (e.g. PT editor)\n document.addEventListener(\"emdash:save\", function(e) {\n var detail = e.detail || {};\n if (detail.state) {\n setSaveState(detail.state);\n }\n });\n\n document.addEventListener(\"emdash:content-changed\", function(e) {\n var detail = e.detail || {};\n if (detail.collection && detail.id) {\n showUnpublishedChanges(detail.collection, detail.id);\n }\n });\n\n // --- Entry status ---\n var entryRef = null;\n\n function updateStatus() {\n if (!isEditMode) {\n statusEl.innerHTML = \"\";\n publishBtn.style.display = \"none\";\n return;\n }\n\n var first = document.querySelector(\"[data-emdash-ref]\");\n if (!first) {\n statusEl.innerHTML = \"\";\n publishBtn.style.display = \"none\";\n return;\n }\n\n try {\n var ref = JSON.parse(first.getAttribute(\"data-emdash-ref\"));\n entryRef = ref;\n if (!ref.status) return;\n\n // Show admin link\n var adminLink = document.getElementById(\"emdash-tb-admin\");\n if (adminLink) {\n adminLink.href = \"/_emdash/admin/content/\" + encodeURIComponent(ref.collection) + \"/\" + encodeURIComponent(ref.id);\n adminLink.style.display = \"\";\n }\n\n if (ref.status === \"draft\") {\n statusEl.innerHTML = '<span class=\"emdash-tb-badge emdash-tb-badge--draft\">Draft</span>';\n publishBtn.style.display = \"\";\n publishBtn.onclick = function() { publish(ref.collection, ref.id); };\n } else if (ref.status === \"published\" && ref.hasDraft) {\n statusEl.innerHTML = '<span class=\"emdash-tb-badge emdash-tb-badge--pending\">Unpublished changes</span>';\n publishBtn.style.display = \"\";\n publishBtn.onclick = function() { publish(ref.collection, ref.id); };\n } else if (ref.status === \"published\") {\n statusEl.innerHTML = '<span class=\"emdash-tb-badge emdash-tb-badge--published\">Published</span>';\n publishBtn.style.display = \"none\";\n }\n } catch (e) {\n // ignore parse errors\n }\n }\n\n // Publish action\n function publish(collection, id) {\n if (pendingSavePromise) {\n pendingSavePromise.then(function() { publish(collection, id); });\n return;\n }\n\n publishBtn.disabled = true;\n publishBtn.textContent = \"Publishing\\u2026\";\n\n ecFetch(\"/_emdash/api/content/\" + encodeURIComponent(collection) + \"/\" + encodeURIComponent(id) + \"/publish\", {\n method: \"POST\",\n credentials: \"same-origin\",\n })\n .then(function(res) {\n if (res.ok) {\n if (document.startViewTransition) {\n document.startViewTransition(function() { location.reload(); });\n } else {\n location.reload();\n }\n } else {\n publishBtn.disabled = false;\n publishBtn.textContent = \"Publish\";\n console.error(\"Publish failed:\", res.status);\n }\n })\n .catch(function(err) {\n publishBtn.disabled = false;\n publishBtn.textContent = \"Publish\";\n console.error(\"Publish failed:\", err);\n });\n }\n\n // Edit mode toggle\n toggle.addEventListener(\"change\", function() {\n if (toggle.checked) {\n document.cookie = \"emdash-edit-mode=true;path=/;samesite=lax\";\n } else {\n document.cookie = \"emdash-edit-mode=;path=/;expires=Thu, 01 Jan 1970 00:00:00 GMT\";\n }\n\n if (document.startViewTransition) {\n document.startViewTransition(function() { location.replace(location.href); });\n } else {\n location.replace(location.href);\n }\n });\n\n // --- Inline editing ---\n\n // Cached manifest (fetched once on first edit click)\n var manifestCache = null;\n var manifestPromise = null;\n\n function fetchManifest() {\n if (manifestCache) return Promise.resolve(manifestCache);\n if (manifestPromise) return manifestPromise;\n manifestPromise = ecFetch(\"/_emdash/api/manifest\", { credentials: \"same-origin\" })\n .then(function(r) { return r.json(); })\n .then(function(m) {\n // The manifest endpoint wraps the payload in a { data } envelope (ApiResponse shape).\n // Unwrap it so getFieldKind can read manifest.collections directly.\n manifestCache = m && m.data ? m.data : m;\n return manifestCache;\n });\n return manifestPromise;\n }\n\n function getFieldKind(manifest, collection, field) {\n var col = manifest.collections && manifest.collections[collection];\n if (!col || !col.fields) return null;\n var f = col.fields[field];\n return f ? f.kind : null;\n }\n\n // Load manifest early so the first click can resolve field kinds without racing the event.\n if (isEditMode) {\n fetchManifest();\n }\n\n // Save a single field value\n function saveField(collection, id, field, value) {\n setSaveState(\"saving\");\n return ecFetch(\"/_emdash/api/content/\" + encodeURIComponent(collection) + \"/\" + encodeURIComponent(id), {\n method: \"PUT\",\n credentials: \"same-origin\",\n headers: { \"Content-Type\": \"application/json\" },\n body: JSON.stringify({ data: { [field]: value } }),\n })\n .then(function(res) {\n if (res.ok) {\n setSaveState(\"saved\");\n // A save creates/updates a draft — show unpublished changes\n showUnpublishedChanges(collection, id);\n } else {\n setSaveState(\"error\");\n console.error(\"Save failed:\", res.status);\n }\n })\n .catch(function(err) {\n setSaveState(\"error\");\n console.error(\"Save failed:\", err);\n });\n }\n\n function showUnpublishedChanges(collection, id) {\n statusEl.innerHTML = '<span class=\"emdash-tb-badge emdash-tb-badge--pending\">Unpublished changes</span>';\n publishBtn.style.display = \"\";\n publishBtn.disabled = false;\n publishBtn.textContent = \"Publish\";\n publishBtn.onclick = function() { publish(collection, id); };\n }\n\n // Plain text inline editing (contenteditable)\n var currentlyEditing = null;\n\n function startTextEdit(element, annotation) {\n if (currentlyEditing === element) return;\n if (currentlyEditing) endCurrentEdit();\n\n currentlyEditing = element;\n var originalText = element.textContent || \"\";\n\n element.setAttribute(\"data-emdash-editing\", \"\");\n element.contentEditable = \"plaintext-only\";\n element.focus();\n\n // Select all text\n var range = document.createRange();\n range.selectNodeContents(element);\n var sel = window.getSelection();\n sel.removeAllRanges();\n sel.addRange(range);\n\n // Track dirty state via input events\n function handleInput() {\n var current = (element.textContent || \"\").trim();\n if (current !== originalText.trim()) {\n setSaveState(\"unsaved\");\n } else {\n setSaveState(\"idle\");\n }\n }\n\n function handleBlur() {\n element.removeEventListener(\"blur\", handleBlur);\n element.removeEventListener(\"keydown\", handleKeydown);\n element.removeEventListener(\"input\", handleInput);\n element.contentEditable = \"false\";\n element.removeAttribute(\"data-emdash-editing\");\n currentlyEditing = null;\n\n var newValue = (element.textContent || \"\").trim();\n if (newValue !== originalText.trim()) {\n pendingSavePromise = saveField(annotation.collection, annotation.id, annotation.field, newValue).then(function() {\n pendingSavePromise = null;\n }, function() {\n pendingSavePromise = null;\n });\n } else {\n setSaveState(\"idle\");\n }\n }\n\n function handleKeydown(e) {\n if (e.key === \"Enter\" && !e.shiftKey) {\n e.preventDefault();\n element.blur();\n }\n if (e.key === \"Escape\") {\n element.textContent = originalText;\n setSaveState(\"idle\");\n element.blur();\n }\n }\n\n element.addEventListener(\"input\", handleInput);\n element.addEventListener(\"blur\", handleBlur);\n element.addEventListener(\"keydown\", handleKeydown);\n }\n\n function endCurrentEdit() {\n if (currentlyEditing) {\n currentlyEditing.blur();\n }\n }\n\n // Fallback: open admin\n function openAdmin(annotation) {\n var url = \"/_emdash/admin/content/\" + encodeURIComponent(annotation.collection) + \"/\" + encodeURIComponent(annotation.id);\n if (annotation.field) {\n url += \"?field=\" + encodeURIComponent(annotation.field);\n }\n window.open(url, \"emdash-admin\");\n }\n\n // --- Inline image editing ---\n var activeImagePopover = null;\n\n function closeImagePopover() {\n if (activeImagePopover) {\n activeImagePopover.backdrop.remove();\n activeImagePopover.popover.remove();\n if (activeImagePopover.escapeHandler) {\n document.removeEventListener(\"keydown\", activeImagePopover.escapeHandler);\n }\n activeImagePopover = null;\n }\n }\n\n function startImageEdit(element, annotation) {\n closeImagePopover();\n\n // Find the current image value by fetching the entry\n var collection = annotation.collection;\n var id = annotation.id;\n var field = annotation.field;\n\n // Find img element inside the annotated container (or the element itself if it's an img)\n var imgEl = element.tagName === \"IMG\" ? element : element.querySelector(\"img\");\n\n // Fetch current field value from the content API\n ecFetch(\"/_emdash/api/content/\" + encodeURIComponent(collection) + \"/\" + encodeURIComponent(id), {\n credentials: \"same-origin\"\n })\n .then(function(r) { return r.json(); })\n .then(function(entry) {\n var currentValue = entry.data && entry.data[field];\n showImagePopover(element, imgEl, annotation, currentValue);\n })\n .catch(function() {\n // If fetch fails, still show popover with what we can infer from DOM\n showImagePopover(element, imgEl, annotation, null);\n });\n }\n\n function showImagePopover(element, imgEl, annotation, currentValue) {\n closeImagePopover();\n\n var collection = annotation.collection;\n var id = annotation.id;\n var field = annotation.field;\n\n // Position near the element\n var rect = element.getBoundingClientRect();\n var viewportH = window.innerHeight;\n var viewportW = window.innerWidth;\n\n // Create backdrop for click-outside-to-close\n var backdrop = document.createElement(\"div\");\n backdrop.className = \"emdash-img-popover-backdrop\";\n backdrop.addEventListener(\"click\", function(e) {\n if (e.target === backdrop) closeImagePopover();\n });\n\n // Create popover\n var popover = document.createElement(\"div\");\n popover.className = \"emdash-img-popover\";\n\n var currentSrc = currentValue ? (currentValue.previewUrl || currentValue.src) : (imgEl ? imgEl.src : null);\n var currentAlt = currentValue ? (currentValue.alt || \"\") : (imgEl ? (imgEl.alt || \"\") : \"\");\n\n // Build popover HTML\n var html = '';\n html += '<div class=\"emdash-img-popover-header\">';\n html += ' <span class=\"emdash-img-popover-title\">Image</span>';\n html += ' <button class=\"emdash-img-popover-close\" data-action=\"close\">&times;</button>';\n html += '</div>';\n html += '<div class=\"emdash-img-popover-body\" id=\"emdash-img-main\">';\n\n if (currentSrc) {\n html += '<img class=\"emdash-img-preview\" src=\"' + escapeAttr(currentSrc) + '\" alt=\"\" />';\n } else {\n html += '<div class=\"emdash-img-empty\">No image selected</div>';\n }\n\n html += '<div class=\"emdash-img-field\">';\n html += ' <label for=\"emdash-img-alt\">Alt text</label>';\n html += ' <input type=\"text\" id=\"emdash-img-alt\" value=\"' + escapeAttr(currentAlt) + '\" placeholder=\"Describe the image\" />';\n html += '</div>';\n\n html += '<div class=\"emdash-img-actions\">';\n html += ' <button class=\"emdash-img-btn emdash-img-btn--primary\" data-action=\"browse\">Replace</button>';\n html += ' <label class=\"emdash-img-btn\" style=\"cursor:pointer\">';\n html += ' Upload';\n html += ' <input type=\"file\" accept=\"image/*\" id=\"emdash-img-upload\" style=\"display:none\" />';\n html += ' </label>';\n if (currentSrc) {\n html += ' <button class=\"emdash-img-btn emdash-img-btn--danger\" data-action=\"remove\">Remove</button>';\n }\n html += '</div>';\n html += '</div>';\n\n popover.innerHTML = html;\n\n backdrop.appendChild(popover);\n document.body.appendChild(backdrop);\n\n // Position the popover\n positionPopover(popover, rect, viewportW, viewportH);\n\n // Escape key handler\n function handleEscape(e) {\n if (e.key === \"Escape\") {\n closeImagePopover();\n document.removeEventListener(\"keydown\", handleEscape);\n }\n }\n document.addEventListener(\"keydown\", handleEscape);\n\n activeImagePopover = {\n backdrop: backdrop,\n popover: popover,\n annotation: annotation,\n currentValue: currentValue,\n element: element,\n imgEl: imgEl,\n escapeHandler: handleEscape\n };\n\n // Event handlers\n popover.querySelector('[data-action=\"close\"]').addEventListener(\"click\", closeImagePopover);\n\n popover.querySelector('[data-action=\"browse\"]').addEventListener(\"click\", function() {\n showMediaBrowser(popover, annotation, currentValue, element, imgEl);\n });\n\n var uploadInput = popover.querySelector(\"#emdash-img-upload\");\n uploadInput.addEventListener(\"change\", function(e) {\n var file = e.target.files && e.target.files[0];\n if (file) handleImageUpload(file, popover, annotation, element, imgEl);\n });\n\n var removeBtn = popover.querySelector('[data-action=\"remove\"]');\n if (removeBtn) {\n removeBtn.addEventListener(\"click\", function() {\n saveField(collection, id, field, null).then(function() {\n if (imgEl) {\n imgEl.style.display = \"none\";\n }\n closeImagePopover();\n });\n });\n }\n\n // Save alt text on change (debounced)\n var altInput = popover.querySelector(\"#emdash-img-alt\");\n var altTimer = null;\n altInput.addEventListener(\"input\", function() {\n clearTimeout(altTimer);\n altTimer = setTimeout(function() {\n var newAlt = altInput.value;\n if (currentValue) {\n var updated = Object.assign({}, currentValue, { alt: newAlt });\n saveField(collection, id, field, updated);\n if (imgEl) imgEl.alt = newAlt;\n }\n }, 500);\n });\n\n // Handle drag and drop on the popover body\n var body = popover.querySelector(\".emdash-img-popover-body\");\n body.addEventListener(\"dragover\", function(e) {\n e.preventDefault();\n body.classList.add(\"emdash-img-drop\");\n });\n body.addEventListener(\"dragleave\", function() {\n body.classList.remove(\"emdash-img-drop\");\n });\n body.addEventListener(\"drop\", function(e) {\n e.preventDefault();\n body.classList.remove(\"emdash-img-drop\");\n var file = e.dataTransfer && e.dataTransfer.files && e.dataTransfer.files[0];\n if (file && file.type.startsWith(\"image/\")) {\n handleImageUpload(file, popover, annotation, element, imgEl);\n }\n });\n }\n\n function positionPopover(popover, targetRect, viewportW, viewportH) {\n var popoverW = 320;\n var gap = 8;\n\n // Try to place to the right of the element\n var left = targetRect.right + gap;\n var top = targetRect.top;\n\n // If it overflows right, place to the left\n if (left + popoverW > viewportW - 16) {\n left = targetRect.left - popoverW - gap;\n }\n // If it still overflows (narrow viewport), center below\n if (left < 16) {\n left = Math.max(16, (viewportW - popoverW) / 2);\n top = targetRect.bottom + gap;\n }\n // Clamp vertically\n if (top + 400 > viewportH - 80) { // 80 for toolbar\n top = Math.max(16, viewportH - 480);\n }\n if (top < 16) top = 16;\n\n popover.style.left = left + \"px\";\n popover.style.top = top + \"px\";\n }\n\n function escapeAttr(str) {\n return String(str || \"\").replace(/&/g, \"&amp;\").replace(/\"/g, \"&quot;\").replace(/</g, \"&lt;\").replace(/>/g, \"&gt;\");\n }\n\n function showMediaBrowser(popover, annotation, currentValue, element, imgEl) {\n var mainBody = popover.querySelector(\"#emdash-img-main\");\n if (mainBody) mainBody.style.display = \"none\";\n\n // Remove existing browser if any\n var existing = popover.querySelector(\".emdash-img-browser\");\n if (existing) existing.remove();\n\n var browser = document.createElement(\"div\");\n browser.className = \"emdash-img-browser\";\n\n browser.innerHTML = '<div class=\"emdash-img-browser-header\">' +\n '<span class=\"emdash-img-browser-title\">Media Library</span>' +\n '<button class=\"emdash-img-browser-back\">Back</button>' +\n '</div>' +\n '<div class=\"emdash-img-loading\">Loading\\u2026</div>';\n\n popover.appendChild(browser);\n\n browser.querySelector(\".emdash-img-browser-back\").addEventListener(\"click\", function() {\n browser.remove();\n if (mainBody) mainBody.style.display = \"\";\n });\n\n // Fetch media\n ecFetch(\"/_emdash/api/media?mimeType=image/&limit=30\", { credentials: \"same-origin\" })\n .then(function(r) { return r.json(); })\n .then(function(data) {\n var items = data.items || [];\n var loadingEl = browser.querySelector(\".emdash-img-loading\");\n if (loadingEl) loadingEl.remove();\n\n if (items.length === 0) {\n var empty = document.createElement(\"div\");\n empty.className = \"emdash-img-loading\";\n empty.textContent = \"No images found\";\n browser.appendChild(empty);\n return;\n }\n\n var grid = document.createElement(\"div\");\n grid.className = \"emdash-img-grid\";\n\n items.forEach(function(item) {\n var thumb = document.createElement(\"div\");\n thumb.className = \"emdash-img-grid-item\";\n if (currentValue && currentValue.id === item.id) {\n thumb.classList.add(\"emdash-img-grid-item--selected\");\n }\n var thumbUrl = item.url || item.previewUrl || (\"/_emdash/api/media/file/\" + item.storageKey);\n thumb.innerHTML = '<img src=\"' + escapeAttr(thumbUrl) + '\" alt=\"' + escapeAttr(item.alt || item.filename || \"\") + '\" loading=\"lazy\" />';\n\n thumb.addEventListener(\"click\", function() {\n selectMediaItem(item, annotation, element, imgEl);\n });\n\n grid.appendChild(thumb);\n });\n\n browser.appendChild(grid);\n })\n .catch(function(err) {\n var loadingEl = browser.querySelector(\".emdash-img-loading\");\n if (loadingEl) loadingEl.textContent = \"Failed to load media\";\n console.error(\"Media fetch error:\", err);\n });\n }\n\n function selectMediaItem(item, annotation, element, imgEl) {\n var collection = annotation.collection;\n var id = annotation.id;\n var field = annotation.field;\n\n var isLocal = !item.provider || item.provider === \"local\";\n var itemUrl = item.url || item.previewUrl || (\"/_emdash/api/media/file/\" + item.storageKey);\n\n var newValue = {\n id: item.id,\n provider: item.provider || \"local\",\n src: isLocal ? itemUrl : undefined,\n previewUrl: isLocal ? undefined : itemUrl,\n alt: item.alt || \"\",\n width: item.width,\n height: item.height,\n meta: item.meta\n };\n\n // Clean undefined fields\n Object.keys(newValue).forEach(function(k) {\n if (newValue[k] === undefined) delete newValue[k];\n });\n\n saveField(collection, id, field, newValue).then(function() {\n // Update the image in the DOM\n if (imgEl) {\n imgEl.src = itemUrl;\n imgEl.alt = item.alt || \"\";\n imgEl.style.display = \"\";\n }\n closeImagePopover();\n });\n }\n\n function handleImageUpload(file, popover, annotation, element, imgEl) {\n var collection = annotation.collection;\n var id = annotation.id;\n var field = annotation.field;\n\n // Show uploading state\n var mainBody = popover.querySelector(\"#emdash-img-main\");\n var browserEl = popover.querySelector(\".emdash-img-browser\");\n if (browserEl) browserEl.remove();\n if (mainBody) {\n mainBody.innerHTML = '<div class=\"emdash-img-uploading\">' +\n '<span>Uploading ' + escapeAttr(file.name) + '\\u2026</span>' +\n '</div>';\n mainBody.style.display = \"\";\n }\n\n // Detect dimensions before upload\n var dimPromise = new Promise(function(resolve) {\n if (!file.type.startsWith(\"image/\")) return resolve({});\n var img = new Image();\n img.onload = function() {\n resolve({ width: img.naturalWidth, height: img.naturalHeight });\n URL.revokeObjectURL(img.src);\n };\n img.onerror = function() {\n resolve({});\n URL.revokeObjectURL(img.src);\n };\n img.src = URL.createObjectURL(file);\n });\n\n dimPromise.then(function(dims) {\n // Generate a thumbnail for large images to avoid OOM in server-side\n // blurhash generation on memory-constrained runtimes (Workers).\n // Thumbnail fits within a 64x64 box (scale by max dimension) so that\n // extreme aspect ratios don't explode into a huge canvas client-side.\n var thumbPromise;\n if (dims.width && dims.height && dims.width * dims.height * 4 > 32 * 1024 * 1024) {\n thumbPromise = new Promise(function(resolve) {\n try {\n var maxDim = Math.max(dims.width, dims.height);\n var scale = Math.min(1, 64 / maxDim);\n var thumbW = Math.max(1, Math.round(dims.width * scale));\n var thumbH = Math.max(1, Math.round(dims.height * scale));\n var canvas = document.createElement(\"canvas\");\n canvas.width = thumbW;\n canvas.height = thumbH;\n var ctx = canvas.getContext(\"2d\");\n if (ctx) {\n var img = new Image();\n img.onload = function() {\n try {\n ctx.drawImage(img, 0, 0, thumbW, thumbH);\n canvas.toBlob(function(blob) {\n URL.revokeObjectURL(img.src);\n resolve(blob);\n }, \"image/png\");\n } catch (e) {\n URL.revokeObjectURL(img.src);\n resolve(null);\n }\n };\n img.onerror = function() {\n URL.revokeObjectURL(img.src);\n resolve(null);\n };\n img.src = URL.createObjectURL(file);\n } else {\n resolve(null);\n }\n } catch (e) {\n resolve(null);\n }\n });\n } else {\n thumbPromise = Promise.resolve(null);\n }\n\n return thumbPromise.then(function(thumbnail) {\n var formData = new FormData();\n formData.append(\"file\", file);\n if (dims.width) formData.append(\"width\", String(dims.width));\n if (dims.height) formData.append(\"height\", String(dims.height));\n if (thumbnail) formData.append(\"thumbnail\", thumbnail, \"thumb.png\");\n\n return ecFetch(\"/_emdash/api/media\", {\n method: \"POST\",\n credentials: \"same-origin\",\n body: formData\n });\n });\n })\n .then(function(r) { return r.json(); })\n .then(function(data) {\n if (!data.item) throw new Error(\"Upload failed\");\n var item = data.item;\n selectMediaItem(item, annotation, element, imgEl);\n })\n .catch(function(err) {\n console.error(\"Upload error:\", err);\n setSaveState(\"error\");\n closeImagePopover();\n });\n }\n\n // Click handler for edit mode\n if (isEditMode) {\n document.addEventListener(\"click\", function(e) {\n var target = e.target;\n\n // Don't intercept clicks on elements currently being edited\n if (target.hasAttribute && target.hasAttribute(\"data-emdash-editing\")) return;\n\n // Walk up to find annotated element\n while (target && target !== document.body) {\n if (target.hasAttribute && target.hasAttribute(\"data-emdash-editing\")) return;\n\n var ref = target.getAttribute && target.getAttribute(\"data-emdash-ref\");\n if (ref) {\n try {\n var annotation = JSON.parse(ref);\n\n // Entry-level annotation (no field) — keep walking for a field-level ancestor\n if (!annotation.field) {\n target = target.parentElement;\n continue;\n }\n\n function dispatchInline(kind) {\n closeImagePopover();\n // Portable Text is edited in-page by InlinePortableTextEditor — do not open admin\n if (kind === \"portableText\") {\n return;\n }\n e.preventDefault();\n e.stopPropagation();\n if (kind === \"string\" || kind === \"text\") {\n startTextEdit(target, annotation);\n } else if (kind === \"image\") {\n startImageEdit(target, annotation);\n } else {\n openAdmin(annotation);\n }\n }\n\n if (manifestCache) {\n dispatchInline(getFieldKind(manifestCache, annotation.collection, annotation.field));\n } else {\n fetchManifest().then(function(manifest) {\n dispatchInline(getFieldKind(manifest, annotation.collection, annotation.field));\n });\n }\n } catch (err) {\n console.error(\"Failed to parse emdash ref:\", err);\n }\n return;\n }\n target = target.parentElement;\n }\n }, true);\n }\n\n updateStatus();\n})();\n</script>\n`;\n}\n","/**\n * EmDash Request Context Middleware\n *\n * Sets up AsyncLocalStorage-based request context for query functions.\n * Skips ALS entirely for logged-out users with no CMS signals (fast path).\n *\n * Handles:\n * - Preview tokens: _preview query param with signed HMAC token\n * - Edit mode: emdash-edit-mode cookie (for visual editing)\n * - Toolbar injection: floating pill for authenticated editors\n */\n\nimport { defineMiddleware } from \"astro:middleware\";\n\nimport { resolveSecretsCached } from \"#config/secrets.js\";\n\nimport { verifyPreviewToken, parseContentId } from \"../../preview/tokens.js\";\nimport { getRequestContext, runWithContext } from \"../../request-context.js\";\nimport { renderToolbar } from \"../../visual-editing/toolbar.js\";\n\n/**\n * Inject toolbar HTML into a response if it's an HTML page.\n * Returns the original response if not HTML.\n */\nasync function injectToolbar(response: Response, toolbarHtml: string): Promise<Response> {\n\tconst contentType = response.headers.get(\"content-type\");\n\tif (!contentType?.includes(\"text/html\")) return response;\n\n\tconst html = await response.text();\n\tif (!html.includes(\"</body>\")) return new Response(html, response);\n\n\tconst injected = html.replace(\"</body>\", `${toolbarHtml}</body>`);\n\treturn new Response(injected, {\n\t\tstatus: response.status,\n\t\theaders: response.headers,\n\t});\n}\n\nexport const onRequest = defineMiddleware(async (context, next) => {\n\tconst { cookies, url } = context;\n\n\t// Skip /_emdash routes (admin has its own UI, no rendering context needed)\n\tif (url.pathname.startsWith(\"/_emdash\")) {\n\t\treturn next();\n\t}\n\n\t// Check for authenticated editor (role >= 30)\n\tconst { user } = context.locals;\n\tconst isEditor = !!user && user.role >= 30;\n\n\t// Playground mode: the playground middleware (from @emdash-cms/cloudflare) stashes\n\t// the per-session DO database on locals.__playgroundDb. We set it via ALS here\n\t// (same module instance as the loader) so getDb() picks it up correctly.\n\t//\n\t// `dbIsIsolated: true` tells schema-derived caches (manifest, taxonomy defs,\n\t// byline/term existence probes) to bypass module-scope memoization — each\n\t// playground session is its own database with its own schema, so a cached\n\t// value from another session would be wrong.\n\tconst playgroundDb = context.locals.__playgroundDb;\n\tif (playgroundDb) {\n\t\t// Check if playground user has toggled edit mode on\n\t\tconst hasEditCookie = cookies.get(\"emdash-edit-mode\")?.value === \"true\";\n\t\treturn runWithContext({ editMode: hasEditCookie, db: playgroundDb, dbIsIsolated: true }, () =>\n\t\t\tnext(),\n\t\t);\n\t}\n\n\t// Fast path: check for CMS signals before doing any work\n\tconst hasEditCookie = cookies.get(\"emdash-edit-mode\")?.value === \"true\";\n\tconst hasPreviewToken = url.searchParams.has(\"_preview\");\n\n\t// No CMS signals and not an editor → skip everything (zero overhead)\n\tif (!hasEditCookie && !hasPreviewToken && !isEditor) {\n\t\treturn next();\n\t}\n\n\t// Determine edit mode: cookie AND authenticated editor\n\tconst editMode = hasEditCookie && isEditor;\n\n\t// Read locale from Astro's i18n routing\n\t// eslint-disable-next-line typescript/no-unsafe-type-assertion -- Astro context includes currentLocale when i18n is configured\n\tconst locale = (context as { currentLocale?: string }).currentLocale;\n\n\t// Verify preview token if present.\n\t// The preview secret is resolved via `resolveSecretsCached`: env wins,\n\t// otherwise a DB-stored value is read (or generated on first need).\n\t// `emdash.db` is set by the runtime middleware which runs first; the\n\t// only path where it's missing is a runtime-init failure.\n\tlet preview: { collection: string; id: string } | undefined;\n\tif (hasPreviewToken) {\n\t\tconst db = context.locals.emdash?.db;\n\t\tif (db) {\n\t\t\tconst { previewSecret } = await resolveSecretsCached(db);\n\t\t\tconst result = await verifyPreviewToken({ url, secret: previewSecret });\n\t\t\tif (result.valid) {\n\t\t\t\tconst { collection, id } = parseContentId(result.payload.cid);\n\t\t\t\tpreview = { collection, id };\n\t\t\t}\n\t\t} else {\n\t\t\tconsole.warn(\n\t\t\t\t\"[emdash] Preview token present but EmDash runtime not initialized; preview disabled.\",\n\t\t\t);\n\t\t}\n\t}\n\n\t// If we have CMS signals, wrap in ALS context\n\tconst needsContext = hasEditCookie || hasPreviewToken;\n\n\tif (needsContext) {\n\t\t// Merge with any outer ALS context (e.g. the per-request D1 session db\n\t\t// set by the runtime middleware). `storage.run()` replaces the store\n\t\t// wholesale, so without the spread the outer `db` would be lost and\n\t\t// loaders would fall back to the singleton non-session dialect.\n\t\tconst parent = getRequestContext();\n\t\treturn runWithContext({ ...parent, editMode, preview, locale }, async () => {\n\t\t\tlet response = await next();\n\n\t\t\t// Preview responses must not be cached -- draft content could leak past token expiry.\n\t\t\t// Clone the response before modifying headers — the original may be immutable.\n\t\t\tif (preview) {\n\t\t\t\tresponse = new Response(response.body, response);\n\t\t\t\tresponse.headers.set(\"Cache-Control\", \"private, no-store\");\n\t\t\t}\n\n\t\t\t// Inject toolbar for authenticated editors\n\t\t\tif (isEditor) {\n\t\t\t\tconst toolbarHtml = renderToolbar({\n\t\t\t\t\teditMode,\n\t\t\t\t\tisPreview: !!preview,\n\t\t\t\t});\n\t\t\t\treturn injectToolbar(response, toolbarHtml);\n\t\t\t}\n\n\t\t\treturn response;\n\t\t});\n\t}\n\n\t// Editor without CMS signals — no ALS needed, but inject toolbar\n\tif (isEditor) {\n\t\tconst response = await next();\n\t\tconst toolbarHtml = renderToolbar({\n\t\t\teditMode: false,\n\t\t\tisPreview: false,\n\t\t});\n\t\treturn injectToolbar(response, toolbarHtml);\n\t}\n\n\treturn next();\n});\n\nexport default onRequest;\n"],"mappings":";;;;;;;;AAaA,SAAgB,cAAc,QAA+B;CAC5D,MAAM,EAAE,UAAU,cAAc;AAEhC,QAAO;;2CAEmC,SAAS,kBAAkB,UAAU;;;;;;;uDAOzB,WAAW,YAAY,GAAG;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;ACDjF,eAAe,cAAc,UAAoB,aAAwC;AAExF,KAAI,CADgB,SAAS,QAAQ,IAAI,eAAe,EACtC,SAAS,YAAY,CAAE,QAAO;CAEhD,MAAM,OAAO,MAAM,SAAS,MAAM;AAClC,KAAI,CAAC,KAAK,SAAS,UAAU,CAAE,QAAO,IAAI,SAAS,MAAM,SAAS;CAElE,MAAM,WAAW,KAAK,QAAQ,WAAW,GAAG,YAAY,SAAS;AACjE,QAAO,IAAI,SAAS,UAAU;EAC7B,QAAQ,SAAS;EACjB,SAAS,SAAS;EAClB,CAAC;;AAGH,MAAa,YAAY,iBAAiB,OAAO,SAAS,SAAS;CAClE,MAAM,EAAE,SAAS,QAAQ;AAGzB,KAAI,IAAI,SAAS,WAAW,WAAW,CACtC,QAAO,MAAM;CAId,MAAM,EAAE,SAAS,QAAQ;CACzB,MAAM,WAAW,CAAC,CAAC,QAAQ,KAAK,QAAQ;CAUxC,MAAM,eAAe,QAAQ,OAAO;AACpC,KAAI,aAGH,QAAO,eAAe;EAAE,UADF,QAAQ,IAAI,mBAAmB,EAAE,UAAU;EAChB,IAAI;EAAc,cAAc;EAAM,QACtF,MAAM,CACN;CAIF,MAAM,gBAAgB,QAAQ,IAAI,mBAAmB,EAAE,UAAU;CACjE,MAAM,kBAAkB,IAAI,aAAa,IAAI,WAAW;AAGxD,KAAI,CAAC,iBAAiB,CAAC,mBAAmB,CAAC,SAC1C,QAAO,MAAM;CAId,MAAM,WAAW,iBAAiB;CAIlC,MAAM,SAAU,QAAuC;CAOvD,IAAI;AACJ,KAAI,iBAAiB;EACpB,MAAM,KAAK,QAAQ,OAAO,QAAQ;AAClC,MAAI,IAAI;GACP,MAAM,EAAE,kBAAkB,MAAM,qBAAqB,GAAG;GACxD,MAAM,SAAS,MAAM,mBAAmB;IAAE;IAAK,QAAQ;IAAe,CAAC;AACvE,OAAI,OAAO,OAAO;IACjB,MAAM,EAAE,YAAY,OAAO,eAAe,OAAO,QAAQ,IAAI;AAC7D,cAAU;KAAE;KAAY;KAAI;;QAG7B,SAAQ,KACP,uFACA;;AAOH,KAFqB,iBAAiB,gBAQrC,QAAO,eAAe;EAAE,GADT,mBAAmB;EACC;EAAU;EAAS;EAAQ,EAAE,YAAY;EAC3E,IAAI,WAAW,MAAM,MAAM;AAI3B,MAAI,SAAS;AACZ,cAAW,IAAI,SAAS,SAAS,MAAM,SAAS;AAChD,YAAS,QAAQ,IAAI,iBAAiB,oBAAoB;;AAI3D,MAAI,UAAU;GACb,MAAM,cAAc,cAAc;IACjC;IACA,WAAW,CAAC,CAAC;IACb,CAAC;AACF,UAAO,cAAc,UAAU,YAAY;;AAG5C,SAAO;GACN;AAIH,KAAI,SAMH,QAAO,cALU,MAAM,MAAM,EACT,cAAc;EACjC,UAAU;EACV,WAAW;EACX,CAAC,CACyC;AAG5C,QAAO,MAAM;EACZ"}
package/dist/astro/middleware/setup.mjs CHANGED
@@ -1,4 +1,4 @@
1
- import { t as getAuthMode } from "../../mode-DPRPvJYm.mjs";
1
+ import { t as getAuthMode } from "../../mode-CaaiebZI.mjs";
2
2
  import { defineMiddleware } from "astro:middleware";
3
3
 
4
4
  //#region src/astro/middleware/setup.ts
package/dist/astro/middleware.d.mts.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"middleware.d.mts","names":[],"sources":["../../src/astro/middleware.ts"],"mappings":";;;;;;AAwQA;;;cAAa,SAAA,EA4UX,KAAA,CA5UoB,iBAAA"}
1
+ {"version":3,"file":"middleware.d.mts","names":[],"sources":["../../src/astro/middleware.ts"],"mappings":";;;;;;AAkRA;;;cAAa,SAAA,EA6UX,KAAA,CA7UoB,iBAAA"}