emdash 0.14.0 → 0.15.0

package/src/astro/routes/api/admin/plugins/registry/[id]/update.ts

@@ -0,0 +1,79 @@
+/**
+ * Registry plugin update endpoint (experimental)
+ *
+ * POST /_emdash/api/admin/plugins/registry/:id/update — Update a
+ * registry-source plugin to a newer release. Mirrors the marketplace
+ * update route's escalation gates: `CAPABILITY_ESCALATION` if the new
+ * version declares new capabilities and `confirmCapabilityChanges` is
+ * absent, and `ROUTE_VISIBILITY_ESCALATION` if it newly exposes public
+ * routes and `confirmRouteVisibilityChanges` is absent.
+ */
+
+import type { APIRoute } from "astro";
+import { z } from "zod";
+
+import { requirePerm } from "#api/authorize.js";
+import { apiError, handleError, unwrapResult } from "#api/error.js";
+import { handleRegistryUpdate } from "#api/index.js";
+import { isParseError, parseOptionalBody } from "#api/parse.js";
+
+export const prerender = false;
+
+const updateBodySchema = z.object({
+	/** Optional explicit target version. Defaults to the aggregator's latest. */
+	version: z.string().min(1).max(64).optional(),
+	/**
+	 * Set by the admin's capability re-consent dialog when the new version
+	 * declares capabilities the installed version did not. Without this,
+	 * the handler returns `CAPABILITY_ESCALATION` carrying the diff.
+	 */
+	confirmCapabilityChanges: z.boolean().optional(),
+	/**
+	 * Set by the admin's route-visibility re-consent dialog when the new
+	 * version newly exposes a public (unauthenticated) route.
+	 */
+	confirmRouteVisibilityChanges: z.boolean().optional(),
+});
+
+export const POST: APIRoute = async ({ params, request, locals }) => {
+	try {
+		const { emdash, user } = locals;
+		const { id } = params;
+
+		if (!emdash?.db) {
+			return apiError("NOT_CONFIGURED", "EmDash is not initialized", 500);
+		}
+
+		const denied = requirePerm(user, "plugins:manage");
+		if (denied) return denied;
+
+		if (!id) {
+			return apiError("INVALID_REQUEST", "Plugin ID required", 400);
+		}
+
+		const body = await parseOptionalBody(request, updateBodySchema, {});
+		if (isParseError(body)) return body;
+
+		const result = await handleRegistryUpdate(
+			emdash.db,
+			emdash.storage,
+			emdash.getSandboxRunner(),
+			emdash.config.experimental?.registry,
+			id,
+			{
+				version: body.version,
+				confirmCapabilityChanges: body.confirmCapabilityChanges,
+				confirmRouteVisibilityChanges: body.confirmRouteVisibilityChanges,
+			},
+		);
+
+		if (!result.success) return unwrapResult(result);
+
+		await emdash.syncRegistryPlugins();
+
+		return unwrapResult(result);
+	} catch (error) {
+		console.error("[registry-update] Unhandled error:", error);
+		return handleError(error, "Failed to update plugin from registry", "UPDATE_FAILED");
+	}
+};

package/src/astro/routes/api/admin/plugins/updates.ts

@@ -1,14 +1,22 @@
 /**
- * Marketplace update check endpoint
+ * Plugin update check endpoint
  *
- * GET /_emdash/api/admin/plugins/updates - Check for marketplace plugin updates
+ * GET /_emdash/api/admin/plugins/updates - Check for available updates
+ * across every installed plugin source (marketplace + experimental
+ * registry). Items are returned in a single flat list; admins correlate
+ * items to plugins by `pluginId` and read `source` from the existing
+ * `/_emdash/api/admin/plugins` list (the pluginId prefix is not a
+ * reliable discriminator on its own).
+ *
+ * A failure in one source does NOT blank the other — a registry-side
+ * aggregator outage still returns marketplace updates and vice versa.
  */
 
 import type { APIRoute } from "astro";
 
 import { requirePerm } from "#api/authorize.js";
-import { apiError, unwrapResult } from "#api/error.js";
-import { handleMarketplaceUpdateCheck } from "#api/index.js";
+import { apiError } from "#api/error.js";
+import { handleMarketplaceUpdateCheck, handleRegistryUpdateCheck } from "#api/index.js";
 
 export const prerender = false;
 
@@ -22,7 +30,36 @@ export const GET: APIRoute = async ({ locals }) => {
 	const denied = requirePerm(user, "plugins:read");
 	if (denied) return denied;
 
-	const result = await handleMarketplaceUpdateCheck(emdash.db, emdash.config.marketplace);
+	// Run both checks in parallel. Catch each independently so one source's
+	// failure doesn't blank the other. Both throws and structured `success:
+	// false` returns are logged with the source name so a misconfigured
+	// registry doesn't disappear silently from telemetry.
+	const [marketplace, registry] = await Promise.all([
+		handleMarketplaceUpdateCheck(emdash.db, emdash.config.marketplace).catch((err) => {
+			console.warn("[plugins/updates] marketplace check threw:", err);
+			return null;
+		}),
+		handleRegistryUpdateCheck(emdash.db, emdash.config.experimental?.registry).catch((err) => {
+			console.warn("[plugins/updates] registry check threw:", err);
+			return null;
+		}),
+	]);
+	if (marketplace && !marketplace.success) {
+		console.warn(
+			`[plugins/updates] marketplace check failed: ${marketplace.error.code} ${marketplace.error.message}`,
+		);
+	}
+	if (registry && !registry.success) {
+		console.warn(
+			`[plugins/updates] registry check failed: ${registry.error.code} ${registry.error.message}`,
+		);
+	}
+
+	const items: unknown[] = [];
+	if (marketplace?.success) items.push(...marketplace.data.items);
+	if (registry?.success) items.push(...registry.data.items);
 
-	return unwrapResult(result);
+	// Match the rest of the admin API envelope (`{ data: ... }`) so the
+	// admin client's `parseApiResponse` unwraps `body.data`.
+	return Response.json({ data: { items } });
 };

package/src/astro/routes/api/admin/themes/marketplace/index.ts

@@ -28,7 +28,7 @@ export const GET: APIRoute = async ({ url, locals }) => {
 	const validSorts = new Set(["name", "created", "updated"]);
 	let sort: "name" | "created" | "updated" | undefined;
 	if (sortParam && validSorts.has(sortParam)) {
-		sort = sortParam as "name" | "created" | "updated"; // eslint-disable-line typescript-eslint(no-unsafe-type-assertion) -- validated by Set.has()
+		sort = sortParam as "name" | "created" | "updated"; // eslint-disable-line typescript/no-unsafe-type-assertion -- validated by Set.has()
 	}
 	const cursor = url.searchParams.get("cursor") ?? undefined;
 	const limitParam = url.searchParams.get("limit");

package/src/astro/routes/api/auth/oauth/[provider]/callback.ts

@@ -116,9 +116,9 @@ export const GET: APIRoute = async ({ params, request, locals, session, redirect
 
 	try {
 		// Get OAuth providers from environment
-		// eslint-disable-next-line typescript-eslint(no-unsafe-type-assertion) -- locals.runtime is injected by the Cloudflare adapter at runtime; not declared on App.Locals since the adapter is optional
+		// eslint-disable-next-line typescript/no-unsafe-type-assertion -- locals.runtime is injected by the Cloudflare adapter at runtime; not declared on App.Locals since the adapter is optional
 		const runtimeLocals = locals as unknown as { runtime?: { env?: Record<string, unknown> } };
-		// eslint-disable-next-line typescript-eslint(no-unsafe-type-assertion) -- import.meta.env is typed as ImportMetaEnv but we need Record<string, unknown> for getOAuthConfig
+		// eslint-disable-next-line typescript/no-unsafe-type-assertion -- import.meta.env is typed as ImportMetaEnv but we need Record<string, unknown> for getOAuthConfig
 		const env = runtimeLocals.runtime?.env ?? (import.meta.env as Record<string, unknown>);
 		const providers = getOAuthConfig(env);
 

package/src/astro/routes/api/auth/oauth/[provider].ts

@@ -95,9 +95,9 @@ export const GET: APIRoute = async ({ params, request, locals, redirect }) => {
 
 		// Get OAuth providers from environment
 		// Access via locals.runtime for Cloudflare, or import.meta.env for Node
-		// eslint-disable-next-line typescript-eslint(no-unsafe-type-assertion) -- locals.runtime is injected by the Cloudflare adapter at runtime; not declared on App.Locals since the adapter is optional
+		// eslint-disable-next-line typescript/no-unsafe-type-assertion -- locals.runtime is injected by the Cloudflare adapter at runtime; not declared on App.Locals since the adapter is optional
 		const runtimeLocals = locals as unknown as { runtime?: { env?: Record<string, unknown> } };
-		// eslint-disable-next-line typescript-eslint(no-unsafe-type-assertion) -- import.meta.env is typed as ImportMetaEnv but we need Record<string, unknown> for getOAuthConfig
+		// eslint-disable-next-line typescript/no-unsafe-type-assertion -- import.meta.env is typed as ImportMetaEnv but we need Record<string, unknown> for getOAuthConfig
 		const env = runtimeLocals.runtime?.env ?? (import.meta.env as Record<string, unknown>);
 		const providers = getOAuthConfig(env);
 

package/src/astro/routes/api/content/[collection]/[id]/discard-draft.ts

@@ -31,13 +31,13 @@ export const POST: APIRoute = async ({ params, locals, cache }) => {
 	}
 	const existingData =
 		existing.data && typeof existing.data === "object"
-			? // eslint-disable-next-line typescript-eslint(no-unsafe-type-assertion) -- handler returns unknown data; narrowed by typeof check above
+			? // eslint-disable-next-line typescript/no-unsafe-type-assertion -- handler returns unknown data; narrowed by typeof check above
 				(existing.data as Record<string, unknown>)
 			: undefined;
 	// Handler returns { item, _rev } — extract the item for ownership check
 	const existingItem =
 		existingData?.item && typeof existingData.item === "object"
-			? // eslint-disable-next-line typescript-eslint(no-unsafe-type-assertion) -- narrowed by typeof check above
+			? // eslint-disable-next-line typescript/no-unsafe-type-assertion -- narrowed by typeof check above
 				(existingData.item as Record<string, unknown>)
 			: existingData;
 	const authorId = typeof existingItem?.authorId === "string" ? existingItem.authorId : "";

package/src/astro/routes/api/content/[collection]/[id]/duplicate.ts

@@ -35,13 +35,13 @@ export const POST: APIRoute = async ({ params, locals, cache }) => {
 
 	const existingData =
 		existing.data && typeof existing.data === "object"
-			? // eslint-disable-next-line typescript-eslint(no-unsafe-type-assertion) -- handler returns unknown data; narrowed by typeof check above
+			? // eslint-disable-next-line typescript/no-unsafe-type-assertion -- handler returns unknown data; narrowed by typeof check above
 				(existing.data as Record<string, unknown>)
 			: undefined;
 	// Handler returns { item, _rev } — extract the item for ownership check
 	const existingItem =
 		existingData?.item && typeof existingData.item === "object"
-			? // eslint-disable-next-line typescript-eslint(no-unsafe-type-assertion) -- narrowed by typeof check above
+			? // eslint-disable-next-line typescript/no-unsafe-type-assertion -- narrowed by typeof check above
 				(existingData.item as Record<string, unknown>)
 			: existingData;
 	const authorId = typeof existingItem?.authorId === "string" ? existingItem.authorId : "";

package/src/astro/routes/api/content/[collection]/[id]/publish.ts

@@ -46,12 +46,12 @@ export const POST: APIRoute = async ({ params, request, locals, cache }) => {
 
 	const existingData =
 		existing.data && typeof existing.data === "object"
-			? // eslint-disable-next-line typescript-eslint(no-unsafe-type-assertion) -- handler returns unknown data; narrowed by typeof check above
+			? // eslint-disable-next-line typescript/no-unsafe-type-assertion -- handler returns unknown data; narrowed by typeof check above
 				(existing.data as Record<string, unknown>)
 			: undefined;
 	const existingItem =
 		existingData?.item && typeof existingData.item === "object"
-			? // eslint-disable-next-line typescript-eslint(no-unsafe-type-assertion) -- narrowed by typeof check above
+			? // eslint-disable-next-line typescript/no-unsafe-type-assertion -- narrowed by typeof check above
 				(existingData.item as Record<string, unknown>)
 			: existingData;
 	const authorId = typeof existingItem?.authorId === "string" ? existingItem.authorId : "";

package/src/astro/routes/api/content/[collection]/[id]/restore.ts

@@ -31,13 +31,13 @@ export const POST: APIRoute = async ({ params, locals, cache }) => {
 	}
 	const existingData =
 		existing.data && typeof existing.data === "object"
-			? // eslint-disable-next-line typescript-eslint(no-unsafe-type-assertion) -- handler returns unknown data; narrowed by typeof check above
+			? // eslint-disable-next-line typescript/no-unsafe-type-assertion -- handler returns unknown data; narrowed by typeof check above
 				(existing.data as Record<string, unknown>)
 			: undefined;
 	// Handler returns { item, _rev } — extract the item for ownership check
 	const existingItem =
 		existingData?.item && typeof existingData.item === "object"
-			? // eslint-disable-next-line typescript-eslint(no-unsafe-type-assertion) -- narrowed by typeof check above
+			? // eslint-disable-next-line typescript/no-unsafe-type-assertion -- narrowed by typeof check above
 				(existingData.item as Record<string, unknown>)
 			: existingData;
 	const authorId = typeof existingItem?.authorId === "string" ? existingItem.authorId : "";

package/src/astro/routes/api/content/[collection]/[id]/schedule.ts

@@ -20,12 +20,12 @@ export const prerender = false;
 function extractOwnership(data: unknown): { authorId: string; resolvedId: string | undefined } {
 	const obj =
 		data && typeof data === "object"
-			? // eslint-disable-next-line typescript-eslint(no-unsafe-type-assertion) -- handler returns unknown; narrowed by typeof
+			? // eslint-disable-next-line typescript/no-unsafe-type-assertion -- handler returns unknown; narrowed by typeof
 				(data as Record<string, unknown>)
 			: undefined;
 	const item =
 		obj?.item && typeof obj.item === "object"
-			? // eslint-disable-next-line typescript-eslint(no-unsafe-type-assertion) -- narrowed by typeof
+			? // eslint-disable-next-line typescript/no-unsafe-type-assertion -- narrowed by typeof
 				(obj.item as Record<string, unknown>)
 			: obj;
 	return {

package/src/astro/routes/api/content/[collection]/[id]/terms/[taxonomy].ts

@@ -34,7 +34,7 @@ export const GET: APIRoute = async ({ params, locals }) => {
 	if (dbErr) return dbErr;
 
 	try {
-		const repo = new TaxonomyRepository(emdash!.db);
+		const repo = new TaxonomyRepository(emdash.db);
 		const terms = await repo.getTermsForEntry(collection, id, taxonomy);
 
 		return apiSuccess({
@@ -68,12 +68,12 @@ export const POST: APIRoute = async ({ params, request, locals }) => {
 	const dbErr = requireDb(emdash?.db);
 	if (dbErr) return dbErr;
 
-	if (!emdash!.handleContentGet) {
+	if (!emdash.handleContentGet) {
 		return apiError("NOT_CONFIGURED", "EmDash is not initialized", 500);
 	}
 
 	// Verify the content exists before modifying its terms
-	const existing = await emdash!.handleContentGet(collection, id);
+	const existing = await emdash.handleContentGet(collection, id);
 	if (!existing.success) {
 		return apiError(
 			existing.error?.code ?? "NOT_FOUND",
@@ -85,13 +85,13 @@ export const POST: APIRoute = async ({ params, request, locals }) => {
 	// Check ownership for edit permission
 	const existingData =
 		existing.data && typeof existing.data === "object"
-			? // eslint-disable-next-line typescript-eslint(no-unsafe-type-assertion) -- handler returns unknown data; narrowed by typeof check above
+			? // eslint-disable-next-line typescript/no-unsafe-type-assertion -- handler returns unknown data; narrowed by typeof check above
 				(existing.data as Record<string, unknown>)
 			: undefined;
 	// Handler returns { item, _rev } — extract the item for ownership check
 	const existingItem =
 		existingData?.item && typeof existingData.item === "object"
-			? // eslint-disable-next-line typescript-eslint(no-unsafe-type-assertion) -- narrowed by typeof check above
+			? // eslint-disable-next-line typescript/no-unsafe-type-assertion -- narrowed by typeof check above
 				(existingData.item as Record<string, unknown>)
 			: existingData;
 	const authorId = typeof existingItem?.authorId === "string" ? existingItem.authorId : "";
@@ -107,7 +107,7 @@ export const POST: APIRoute = async ({ params, request, locals }) => {
 		if (isParseError(body)) return body;
 		const { termIds } = body;
 
-		const repo = new TaxonomyRepository(emdash!.db);
+		const repo = new TaxonomyRepository(emdash.db);
 
 		// Verify all term IDs exist and belong to the correct taxonomy
 		for (const termId of termIds) {

package/src/astro/routes/api/content/[collection]/[id]/translations.ts

@@ -41,7 +41,7 @@ export const GET: APIRoute = async ({ params, locals }) => {
 	if (result.success && !hasPermission(user, "content:read_drafts")) {
 		const data =
 			result.data && typeof result.data === "object"
-				? // eslint-disable-next-line typescript-eslint(no-unsafe-type-assertion) -- handler returns unknown data; narrowed by typeof check
+				? // eslint-disable-next-line typescript/no-unsafe-type-assertion -- handler returns unknown data; narrowed by typeof check
 					(result.data as Record<string, unknown>)
 				: undefined;
 		const translations = Array.isArray(data?.translations) ? data.translations : [];

package/src/astro/routes/api/content/[collection]/[id]/unpublish.ts

@@ -32,12 +32,12 @@ export const POST: APIRoute = async ({ params, locals, cache }) => {
 
 	const existingData =
 		existing.data && typeof existing.data === "object"
-			? // eslint-disable-next-line typescript-eslint(no-unsafe-type-assertion) -- handler returns unknown data; narrowed by typeof check above
+			? // eslint-disable-next-line typescript/no-unsafe-type-assertion -- handler returns unknown data; narrowed by typeof check above
 				(existing.data as Record<string, unknown>)
 			: undefined;
 	const existingItem =
 		existingData?.item && typeof existingData.item === "object"
-			? // eslint-disable-next-line typescript-eslint(no-unsafe-type-assertion) -- narrowed by typeof check above
+			? // eslint-disable-next-line typescript/no-unsafe-type-assertion -- narrowed by typeof check above
 				(existingData.item as Record<string, unknown>)
 			: existingData;
 	const authorId = typeof existingItem?.authorId === "string" ? existingItem.authorId : "";

package/src/astro/routes/api/content/[collection]/[id].ts

@@ -35,12 +35,12 @@ export const GET: APIRoute = async ({ params, url, locals }) => {
 	if (result.success && !hasPermission(user, "content:read_drafts")) {
 		const data =
 			result.data && typeof result.data === "object"
-				? // eslint-disable-next-line typescript-eslint(no-unsafe-type-assertion) -- handler returns unknown data; narrowed by typeof check
+				? // eslint-disable-next-line typescript/no-unsafe-type-assertion -- handler returns unknown data; narrowed by typeof check
 					(result.data as Record<string, unknown>)
 				: undefined;
 		const item =
 			data?.item && typeof data.item === "object"
-				? // eslint-disable-next-line typescript-eslint(no-unsafe-type-assertion) -- narrowed by typeof check
+				? // eslint-disable-next-line typescript/no-unsafe-type-assertion -- narrowed by typeof check
 					(data.item as Record<string, unknown>)
 				: undefined;
 		const status = typeof item?.status === "string" ? item.status : null;
@@ -87,13 +87,13 @@ export const PUT: APIRoute = async ({ params, request, locals, cache }) => {
 
 	const existingData =
 		existing.data && typeof existing.data === "object"
-			? // eslint-disable-next-line typescript-eslint(no-unsafe-type-assertion) -- handler returns unknown data; narrowed by typeof check above
+			? // eslint-disable-next-line typescript/no-unsafe-type-assertion -- handler returns unknown data; narrowed by typeof check above
 				(existing.data as Record<string, unknown>)
 			: undefined;
 	// Handler returns { item, _rev } — extract the item for ownership and ID resolution
 	const existingItem =
 		existingData?.item && typeof existingData.item === "object"
-			? // eslint-disable-next-line typescript-eslint(no-unsafe-type-assertion) -- narrowed by typeof check above
+			? // eslint-disable-next-line typescript/no-unsafe-type-assertion -- narrowed by typeof check above
 				(existingData.item as Record<string, unknown>)
 			: existingData;
 	const authorId = typeof existingItem?.authorId === "string" ? existingItem.authorId : "";
@@ -151,13 +151,13 @@ export const DELETE: APIRoute = async ({ params, locals, cache }) => {
 
 	const deleteData =
 		existing.data && typeof existing.data === "object"
-			? // eslint-disable-next-line typescript-eslint(no-unsafe-type-assertion) -- handler returns unknown data; narrowed by typeof check above
+			? // eslint-disable-next-line typescript/no-unsafe-type-assertion -- handler returns unknown data; narrowed by typeof check above
 				(existing.data as Record<string, unknown>)
 			: undefined;
 	// Handler returns { item, _rev } — extract the item for ownership and ID resolution
 	const deleteItem =
 		deleteData?.item && typeof deleteData.item === "object"
-			? // eslint-disable-next-line typescript-eslint(no-unsafe-type-assertion) -- narrowed by typeof check above
+			? // eslint-disable-next-line typescript/no-unsafe-type-assertion -- narrowed by typeof check above
 				(deleteData.item as Record<string, unknown>)
 			: deleteData;
 	const authorId = typeof deleteItem?.authorId === "string" ? deleteItem.authorId : "";

package/src/astro/routes/api/import/wordpress/execute.ts

@@ -376,7 +376,7 @@ export async function importContent(
 				// `api/handlers/content.ts`). `HandlerResponse.data` is
 				// typed as `unknown` to avoid coupling the route surface to
 				// internal handler types, so we narrow here.
-				// eslint-disable-next-line typescript-eslint(no-unsafe-type-assertion) -- handler contract documented at handleContentCreate
+				// eslint-disable-next-line typescript/no-unsafe-type-assertion -- handler contract documented at handleContentCreate
 				const createdItem = (createResult.data as { item: { id: string } } | undefined)?.item;
 
 				// Track translation group: the first imported post in a group

package/src/astro/routes/api/import/wordpress/prepare.ts

@@ -20,7 +20,7 @@ import { capitalize, sanitizeSlug, singularize, type ImportFieldDef } from "./an
 
 /** Validate that a string is a known FieldType, returning undefined if not */
 function asFieldType(value: string): FieldType | undefined {
-	// eslint-disable-next-line typescript-eslint(no-unsafe-type-assertion) -- validated by includes check
+	// eslint-disable-next-line typescript/no-unsafe-type-assertion -- validated by includes check
 	return (FIELD_TYPES as readonly string[]).includes(value) ? (value as FieldType) : undefined;
 }
 
@@ -55,7 +55,7 @@ export const POST: APIRoute = async ({ request, locals }) => {
 		const body = await parseBody(request, wpPrepareBody);
 		if (isParseError(body)) return body;
 
-		// eslint-disable-next-line typescript-eslint(no-unsafe-type-assertion) -- Zod schema output narrowed to PrepareRequest
+		// eslint-disable-next-line typescript/no-unsafe-type-assertion -- Zod schema output narrowed to PrepareRequest
 		const result = await prepareImport(emdash.db, body as PrepareRequest);
 
 		// Invalidate the URL pattern cache when prepare adds new collections so

package/src/astro/routes/api/import/wordpress/rewrite-urls.ts

@@ -134,7 +134,7 @@ async function rewriteUrls(
 					if (!value || typeof value !== "string") continue;
 
 					try {
-						// eslint-disable-next-line typescript-eslint(no-unsafe-type-assertion) -- JSON.parse returns unknown; validated by Array.isArray below
+						// eslint-disable-next-line typescript/no-unsafe-type-assertion -- JSON.parse returns unknown; validated by Array.isArray below
 						const blocks = JSON.parse(value) as PortableTextBlock[];
 						if (!Array.isArray(blocks)) continue;
 
@@ -192,11 +192,11 @@ async function rewriteUrls(
 				if (rowUpdated) {
 					try {
 						// Build update query dynamically
-						// eslint-disable-next-line typescript-eslint(no-unsafe-type-assertion) -- Kysely dynamic table requires type assertion
+						// eslint-disable-next-line typescript/no-unsafe-type-assertion -- Kysely dynamic table requires type assertion
 						let query = db.updateTable(tableName as any).where("id", "=", row.id);
 
 						for (const [key, value] of Object.entries(updates)) {
-							// eslint-disable-next-line typescript-eslint(no-unsafe-type-assertion) -- Kysely dynamic column update requires type assertion
+							// eslint-disable-next-line typescript/no-unsafe-type-assertion -- Kysely dynamic column update requires type assertion
 							query = query.set({ [key]: value } as any);
 						}
 

package/src/astro/routes/api/import/wordpress-plugin/execute.ts

@@ -60,7 +60,7 @@ export const POST: APIRoute = async ({ request, locals }) => {
 			return apiError("SSRF_BLOCKED", msg, 400);
 		}
 
-		// eslint-disable-next-line typescript-eslint(no-unsafe-type-assertion) -- Zod schema output narrowed to WpPluginImportConfig
+		// eslint-disable-next-line typescript/no-unsafe-type-assertion -- Zod schema output narrowed to WpPluginImportConfig
 		const config = body.config as unknown as WpPluginImportConfig;
 
 		// Get the WordPress plugin source
@@ -316,7 +316,7 @@ async function importContent(
 
 				// Track translation group: first item in a group establishes the mapping
 				if (item.translationGroup && !translationGroupMap.has(item.translationGroup)) {
-					// eslint-disable-next-line typescript-eslint(no-unsafe-type-assertion) -- handler success data includes id
+					// eslint-disable-next-line typescript/no-unsafe-type-assertion -- handler success data includes id
 					const createdData = createResult.data as { id?: string } | undefined;
 					if (createdData?.id) {
 						translationGroupMap.set(item.translationGroup, createdData.id);

package/src/astro/routes/api/media/upload-url.ts

@@ -136,7 +136,7 @@ export const POST: APIRoute = async ({ request, locals }) => {
 		if (
 			error instanceof Error &&
 			"code" in error &&
-			// eslint-disable-next-line typescript-eslint(no-unsafe-type-assertion) -- narrowing error to check custom code property after "code" in error guard
+			// eslint-disable-next-line typescript/no-unsafe-type-assertion -- narrowing error to check custom code property after "code" in error guard
 			(error as { code: string }).code === "NOT_SUPPORTED"
 		) {
 			return apiError(

package/src/astro/routes/api/redirects/404s/index.ts

@@ -24,7 +24,7 @@ export const GET: APIRoute = async ({ url, locals }) => {
 	const { emdash, user } = locals;
 	const dbErr = requireDb(emdash?.db);
 	if (dbErr) return dbErr;
-	const db = emdash!.db;
+	const db = emdash.db;
 
 	const denied = requirePerm(user, "redirects:read");
 	if (denied) return denied;
@@ -44,7 +44,7 @@ export const DELETE: APIRoute = async ({ locals }) => {
 	const { emdash, user } = locals;
 	const dbErr = requireDb(emdash?.db);
 	if (dbErr) return dbErr;
-	const db = emdash!.db;
+	const db = emdash.db;
 
 	const denied = requirePerm(user, "redirects:manage");
 	if (denied) return denied;
@@ -61,7 +61,7 @@ export const POST: APIRoute = async ({ request, locals }) => {
 	const { emdash, user } = locals;
 	const dbErr = requireDb(emdash?.db);
 	if (dbErr) return dbErr;
-	const db = emdash!.db;
+	const db = emdash.db;
 
 	const denied = requirePerm(user, "redirects:manage");
 	if (denied) return denied;

package/src/astro/routes/api/redirects/404s/summary.ts

@@ -18,7 +18,7 @@ export const GET: APIRoute = async ({ url, locals }) => {
 	const { emdash, user } = locals;
 	const dbErr = requireDb(emdash?.db);
 	if (dbErr) return dbErr;
-	const db = emdash!.db;
+	const db = emdash.db;
 
 	const denied = requirePerm(user, "redirects:read");
 	if (denied) return denied;

package/src/astro/routes/api/redirects/[id].ts

@@ -25,7 +25,7 @@ export const GET: APIRoute = async ({ params, locals }) => {
 	const { emdash, user } = locals;
 	const dbErr = requireDb(emdash?.db);
 	if (dbErr) return dbErr;
-	const db = emdash!.db;
+	const db = emdash.db;
 	const { id } = params;
 
 	const denied = requirePerm(user, "redirects:read");
@@ -47,7 +47,7 @@ export const PUT: APIRoute = async ({ params, request, locals }) => {
 	const { emdash, user } = locals;
 	const dbErr = requireDb(emdash?.db);
 	if (dbErr) return dbErr;
-	const db = emdash!.db;
+	const db = emdash.db;
 	const { id } = params;
 
 	const denied = requirePerm(user, "redirects:manage");
@@ -73,7 +73,7 @@ export const DELETE: APIRoute = async ({ params, locals }) => {
 	const { emdash, user } = locals;
 	const dbErr = requireDb(emdash?.db);
 	if (dbErr) return dbErr;
-	const db = emdash!.db;
+	const db = emdash.db;
 	const { id } = params;
 
 	const denied = requirePerm(user, "redirects:manage");

package/src/astro/routes/api/redirects/index.ts

@@ -20,7 +20,7 @@ export const GET: APIRoute = async ({ url, locals }) => {
 	const { emdash, user } = locals;
 	const dbErr = requireDb(emdash?.db);
 	if (dbErr) return dbErr;
-	const db = emdash!.db;
+	const db = emdash.db;
 
 	const denied = requirePerm(user, "redirects:read");
 	if (denied) return denied;
@@ -40,7 +40,7 @@ export const POST: APIRoute = async ({ request, locals }) => {
 	const { emdash, user } = locals;
 	const dbErr = requireDb(emdash?.db);
 	if (dbErr) return dbErr;
-	const db = emdash!.db;
+	const db = emdash.db;
 
 	const denied = requirePerm(user, "redirects:manage");
 	if (denied) return denied;

package/src/astro/routes/api/schema/collections/[slug]/fields/[fieldSlug].ts

@@ -32,7 +32,7 @@ export const GET: APIRoute = async ({ params, locals }) => {
 	const denied = requirePerm(user, "schema:read");
 	if (denied) return denied;
 
-	const result = await handleSchemaFieldGet(emdash!.db, collectionSlug, fieldSlug);
+	const result = await handleSchemaFieldGet(emdash.db, collectionSlug, fieldSlug);
 	return unwrapResult(result);
 };
 
@@ -50,9 +50,9 @@ export const PUT: APIRoute = async ({ params, request, locals }) => {
 	const body = await parseBody(request, updateFieldBody);
 	if (isParseError(body)) return body;
 
-	// eslint-disable-next-line typescript-eslint(no-unsafe-type-assertion) -- body is Zod-validated via parseBody(request, updateFieldBody) above
+	// eslint-disable-next-line typescript/no-unsafe-type-assertion -- body is Zod-validated via parseBody(request, updateFieldBody) above
 	const result = await handleSchemaFieldUpdate(
-		emdash!.db,
+		emdash.db,
 		collectionSlug,
 		fieldSlug,
 		body as UpdateFieldInput,
@@ -71,6 +71,6 @@ export const DELETE: APIRoute = async ({ params, locals }) => {
 	const denied = requirePerm(user, "schema:manage");
 	if (denied) return denied;
 
-	const result = await handleSchemaFieldDelete(emdash!.db, collectionSlug, fieldSlug);
+	const result = await handleSchemaFieldDelete(emdash.db, collectionSlug, fieldSlug);
 	return unwrapResult(result);
 };

package/src/astro/routes/api/schema/collections/[slug]/fields/index.ts

@@ -26,7 +26,7 @@ export const GET: APIRoute = async ({ params, locals }) => {
 	const denied = requirePerm(user, "schema:read");
 	if (denied) return denied;
 
-	const result = await handleSchemaFieldList(emdash!.db, collectionSlug);
+	const result = await handleSchemaFieldList(emdash.db, collectionSlug);
 	return unwrapResult(result);
 };
 
@@ -43,10 +43,6 @@ export const POST: APIRoute = async ({ params, request, locals }) => {
 	const body = await parseBody(request, createFieldBody);
 	if (isParseError(body)) return body;
 
-	const result = await handleSchemaFieldCreate(
-		emdash!.db,
-		collectionSlug,
-		body as CreateFieldInput,
-	);
+	const result = await handleSchemaFieldCreate(emdash.db, collectionSlug, body as CreateFieldInput);
 	return unwrapResult(result, 201);
 };

package/src/astro/routes/api/schema/collections/[slug]/fields/reorder.ts

@@ -27,6 +27,6 @@ export const POST: APIRoute = async ({ params, request, locals }) => {
 	const body = await parseBody(request, fieldReorderBody);
 	if (isParseError(body)) return body;
 
-	const result = await handleSchemaFieldReorder(emdash!.db, collectionSlug, body.fieldSlugs);
+	const result = await handleSchemaFieldReorder(emdash.db, collectionSlug, body.fieldSlugs);
 	return unwrapResult(result);
 };