emdash 0.14.0 → 0.16.0

package/src/astro/routes/api/admin/plugins/registry/artifact.ts

@@ -0,0 +1,388 @@
+/**
+ * Registry artifact proxy
+ *
+ * GET /_emdash/api/admin/plugins/registry/artifact?did=&slug=&version=&kind=&index=
+ *
+ * Proxies an icon / screenshot / banner image referenced by a registry
+ * release record so the admin UI can display it without cross-origin
+ * requests to arbitrary publisher hosting.
+ *
+ * Trust model (CRITICAL): the proxy never accepts an artifact URL from the
+ * client. The caller addresses an artifact by its coordinates
+ * `(did, slug, version, kind, index)`; the server resolves the *declared*
+ * URL from the validated release record fetched from the configured
+ * aggregator. The proxy can therefore only ever fetch a URL the publisher
+ * declared in their signed release — not an arbitrary caller-supplied URL.
+ *
+ * The publisher-declared URL is still untrusted (an attacker who controls a
+ * publisher record, or the aggregator, can point it anywhere), so the
+ * resolved URL passes through the SSRF defences (`assertSafeArtifactUrl`,
+ * re-validated on every redirect hop) before any fetch, and only allowlisted
+ * image content types are served back.
+ */
+
+import type { Did } from "@atcute/lexicons";
+import type { APIRoute } from "astro";
+
+import { requirePerm } from "#api/authorize.js";
+import { apiError } from "#api/error.js";
+import { assertSafeArtifactUrl } from "#api/index.js";
+
+import { coerceRegistryConfig, validateAggregatorUrl } from "../../../../../../registry/config.js";
+
+export const prerender = false;
+
+/**
+ * Image content types the proxy will pass through. Anything else is rejected.
+ *
+ * SVG is deliberately excluded: it is active content (an `<svg><script>`
+ * executes when navigated to as a top-level document), and the publisher
+ * supplies the bytes. Rather than serve it behind mitigations, we refuse it
+ * end-to-end — the publish CLI rejects SVG artifacts too, so a conforming
+ * release never references one. AVIF is included.
+ */
+const ALLOWED_IMAGE_TYPES = new Set([
+	"image/png",
+	"image/jpeg",
+	"image/webp",
+	"image/gif",
+	"image/avif",
+]);
+
+/** Artifact kinds the proxy can resolve. `screenshot` additionally needs `index`. */
+const ALLOWED_KINDS = new Set(["icon", "banner", "screenshot"]);
+
+/** Loose DID shape (`did:method:id`); the aggregator lexicon is authoritative. */
+const DID_PATTERN = /^did:[a-z]+:.+/;
+/** Slug grammar: ASCII letter then letters / digits / `-` / `_`. Mirrors the install route. */
+const SLUG_PATTERN = /^[a-zA-Z][a-zA-Z0-9_-]*$/;
+/** Non-negative integer, for the screenshot index param. */
+const INDEX_PATTERN = /^\d+$/;
+
+/** Cap proxied images so a hostile host can't stream an unbounded body. */
+const MAX_IMAGE_BYTES = 5 * 1024 * 1024;
+
+/** Redirect hops to follow, re-validating each target against SSRF rules. */
+const MAX_REDIRECTS = 5;
+
+/** Wall-clock budget covering connect + headers + body for the artifact fetch. */
+const FETCH_TIMEOUT_MS = 15_000;
+
+/** Per-aggregator-request timeout and overall budget for release resolution. */
+const AGGREGATOR_REQUEST_TIMEOUT_MS = 15_000;
+const AGGREGATOR_TOTAL_BUDGET_MS = 30_000;
+
+/** Bound the version search: 20 pages * 50 per page = 1000 releases worth. */
+const MAX_LIST_PAGES = 20;
+
+/** Build a fetch that enforces a per-request and per-budget timeout. Mirrors the install handler. */
+function timedFetch(totalDeadline: number): typeof fetch {
+	return (input: Parameters<typeof fetch>[0], init?: Parameters<typeof fetch>[1]) => {
+		const now = Date.now();
+		const remaining = Math.max(0, totalDeadline - now);
+		if (remaining === 0) {
+			return Promise.reject(new Error("Aggregator request budget exhausted"));
+		}
+		const timeout = Math.min(AGGREGATOR_REQUEST_TIMEOUT_MS, remaining);
+		const controller = new AbortController();
+		const timer = setTimeout(() => controller.abort(), timeout);
+		const callerSignal = init?.signal;
+		if (callerSignal) {
+			if (callerSignal.aborted) controller.abort(callerSignal.reason);
+			else callerSignal.addEventListener("abort", () => controller.abort(callerSignal.reason));
+		}
+		return fetch(input, { ...init, signal: controller.signal }).finally(() => {
+			clearTimeout(timer);
+		});
+	};
+}
+
+/**
+ * Narrow one entry of a release's `artifacts` map to a usable image URL.
+ *
+ * The embedded `release` record is lexicon-validated at the DiscoveryClient
+ * boundary, but `artifacts` is an aggregator pass-through typed `unknown`, so
+ * the entry's shape is not guaranteed. Returns the `url` string only when the
+ * value is an object carrying a non-empty string `url`; everything else
+ * (missing key, wrong type, no `url`) yields `null`.
+ */
+function declaredArtifactUrl(value: unknown): string | null {
+	if (!value || typeof value !== "object") return null;
+	// eslint-disable-next-line @typescript-eslint/no-unsafe-type-assertion -- narrowed to non-null object above; url checked below
+	const entry = value as Record<string, unknown>;
+	const url = entry.url;
+	if (typeof url !== "string" || url.length === 0) return null;
+	return url;
+}
+
+/**
+ * Resolve the declared artifact URL for `(kind, index)` from a release's
+ * `artifacts` map. Returns `null` when the requested artifact isn't present
+ * or doesn't carry a usable URL.
+ */
+function resolveDeclaredUrl(artifacts: unknown, kind: string, index: number): string | null {
+	if (!artifacts || typeof artifacts !== "object") return null;
+	// eslint-disable-next-line @typescript-eslint/no-unsafe-type-assertion -- narrowed to non-null object above; each entry shape-narrowed by declaredArtifactUrl
+	const map = artifacts as Record<string, unknown>;
+
+	if (kind === "icon") return declaredArtifactUrl(map.icon);
+	if (kind === "banner") return declaredArtifactUrl(map.banner);
+	// kind === "screenshot"
+	const screenshots = map.screenshots;
+	if (!Array.isArray(screenshots)) return null;
+	if (index < 0 || index >= screenshots.length) return null;
+	return declaredArtifactUrl(screenshots[index]);
+}
+
+export const GET: APIRoute = async ({ url, locals }) => {
+	const { emdash, user } = locals;
+
+	if (!emdash?.db) {
+		return apiError("NOT_CONFIGURED", "EmDash is not initialized", 500);
+	}
+
+	const denied = requirePerm(user, "plugins:read");
+	if (denied) return denied;
+
+	const did = url.searchParams.get("did");
+	const slug = url.searchParams.get("slug");
+	const kind = url.searchParams.get("kind");
+	const versionParam = url.searchParams.get("version");
+	const indexParam = url.searchParams.get("index");
+
+	if (!did || !slug || !kind) {
+		return apiError("INVALID_REQUEST", "Missing did, slug, or kind", 400);
+	}
+	if (did.length > 256 || !DID_PATTERN.test(did)) {
+		return apiError("INVALID_REQUEST", "Invalid did", 400);
+	}
+	if (slug.length > 64 || !SLUG_PATTERN.test(slug)) {
+		return apiError("INVALID_REQUEST", "Invalid slug", 400);
+	}
+	if (!ALLOWED_KINDS.has(kind)) {
+		return apiError("INVALID_REQUEST", "Invalid kind", 400);
+	}
+
+	let index = 0;
+	if (kind === "screenshot") {
+		if (indexParam === null) {
+			return apiError("INVALID_REQUEST", "Missing index for screenshot", 400);
+		}
+		if (!INDEX_PATTERN.test(indexParam)) {
+			return apiError("INVALID_REQUEST", "Invalid index", 400);
+		}
+		index = Number(indexParam);
+		if (!Number.isSafeInteger(index)) {
+			return apiError("INVALID_REQUEST", "Invalid index", 400);
+		}
+	}
+
+	let version: string | undefined;
+	if (versionParam !== null && versionParam.length > 0) {
+		if (versionParam.length > 64) {
+			return apiError("INVALID_REQUEST", "Invalid version", 400);
+		}
+		version = versionParam;
+	}
+
+	const registryConfig = coerceRegistryConfig(emdash.config.experimental?.registry);
+	if (!registryConfig) {
+		return apiError("REGISTRY_NOT_CONFIGURED", "Registry is not configured", 400);
+	}
+	try {
+		validateAggregatorUrl(registryConfig.aggregatorUrl);
+	} catch {
+		return apiError("REGISTRY_NOT_CONFIGURED", "Registry aggregator URL is invalid", 500);
+	}
+
+	// Resolve the publisher-declared artifact URL from the release record.
+	let declaredUrl: string;
+	try {
+		const resolved = await resolveArtifactUrl(registryConfig, did, slug, version, kind, index);
+		if (resolved === null) {
+			return apiError("ARTIFACT_NOT_FOUND", "Artifact not found", 404);
+		}
+		declaredUrl = resolved;
+	} catch {
+		return apiError("ARTIFACT_RESOLVE_FAILED", "Failed to resolve artifact", 502);
+	}
+
+	const controller = new AbortController();
+	const timer = setTimeout(() => controller.abort(), FETCH_TIMEOUT_MS);
+	try {
+		// `assertSafeArtifactUrl` validates scheme / credentials / loopback +
+		// resolves the hostname and rejects private / link-local / metadata
+		// targets (DNS-rebinding defence). It throws a plain Error on any
+		// block, so a rejection here means the URL is unsafe.
+		let current: URL;
+		try {
+			current = await assertSafeArtifactUrl(declaredUrl);
+		} catch {
+			return apiError("ARTIFACT_URL_REJECTED", "Artifact URL is not allowed", 400);
+		}
+
+		let response: Response;
+		for (let hop = 0; ; hop++) {
+			response = await fetch(current.href, { redirect: "manual", signal: controller.signal });
+			if (response.status < 300 || response.status >= 400) break;
+			const location = response.headers.get("location");
+			if (!location) break;
+			if (hop === MAX_REDIRECTS) {
+				return apiError("ARTIFACT_URL_REJECTED", "Too many redirects", 502);
+			}
+			let next: URL;
+			try {
+				next = await assertSafeArtifactUrl(new URL(location, current).href);
+			} catch {
+				return apiError("ARTIFACT_URL_REJECTED", "Redirect target is not allowed", 400);
+			}
+			current = next;
+		}
+
+		if (!response.ok) {
+			return apiError("ARTIFACT_FETCH_FAILED", "Failed to fetch artifact", 502);
+		}
+
+		// Content-Type allowlist: only image types are proxied. A non-image
+		// (HTML error page, JSON, octet-stream) is rejected so the admin
+		// never renders publisher-controlled markup from the EmDash origin.
+		const rawType = response.headers.get("content-type") ?? "";
+		const contentType = rawType.split(";", 1)[0]!.trim().toLowerCase();
+		if (!ALLOWED_IMAGE_TYPES.has(contentType)) {
+			return apiError("ARTIFACT_NOT_IMAGE", "Artifact is not an allowed image type", 415);
+		}
+
+		const declaredLength = response.headers.get("content-length");
+		if (declaredLength) {
+			const declared = Number(declaredLength);
+			if (Number.isFinite(declared) && declared > MAX_IMAGE_BYTES) {
+				return apiError("ARTIFACT_TOO_LARGE", "Artifact exceeds size limit", 413);
+			}
+		}
+
+		const bytes = await readCapped(response, MAX_IMAGE_BYTES);
+		if (bytes === null) {
+			return apiError("ARTIFACT_TOO_LARGE", "Artifact exceeds size limit", 413);
+		}
+
+		// Only the allowlisted Content-Type is forwarded — never copy other
+		// upstream headers. `private, no-store` keeps publisher images out of
+		// shared caches in the authenticated admin origin.
+		//
+		// SVG is not in the allowlist, so active-content bytes never reach
+		// here. `Content-Disposition: attachment`, the sandbox CSP, and
+		// `nosniff` remain as defence-in-depth: they force a download and
+		// neutralise script/plugins for any image type if a client navigates
+		// directly to the proxy URL.
+		return new Response(bytes, {
+			headers: {
+				"Content-Type": contentType,
+				"Cache-Control": "private, no-store",
+				"X-Content-Type-Options": "nosniff",
+				"Content-Disposition": "attachment",
+				"Content-Security-Policy": "default-src 'none'; sandbox",
+			},
+		});
+	} catch {
+		return apiError("ARTIFACT_FETCH_FAILED", "Failed to fetch artifact", 502);
+	} finally {
+		clearTimeout(timer);
+	}
+};
+
+/**
+ * Resolve the declared artifact URL for `(did, slug, version, kind, index)`
+ * from the aggregator's release record. Mirrors the install handler's release
+ * lookup. Returns `null` when the package/release/artifact isn't found.
+ *
+ * Self-contained to this route: the install/update handlers are intentionally
+ * left untouched, so a small amount of resolution-pattern duplication is
+ * accepted here.
+ */
+async function resolveArtifactUrl(
+	registryConfig: { aggregatorUrl: string; acceptLabelers?: string },
+	did: string,
+	slug: string,
+	version: string | undefined,
+	kind: string,
+	index: number,
+): Promise<string | null> {
+	// Lazy-load the discovery client so the `@atcute/client` dependency only
+	// loads when the registry path is exercised.
+	const { DiscoveryClient } = await import("@emdash-cms/registry-client/discovery");
+
+	const aggregatorDeadline = Date.now() + AGGREGATOR_TOTAL_BUDGET_MS;
+	const discovery = new DiscoveryClient({
+		aggregatorUrl: registryConfig.aggregatorUrl,
+		acceptLabelers: registryConfig.acceptLabelers,
+		fetch: timedFetch(aggregatorDeadline),
+	});
+
+	// eslint-disable-next-line @typescript-eslint/no-unsafe-type-assertion -- DID shape validated by the route before this call
+	const publisherDid = did as Did;
+
+	const releaseView = await (async () => {
+		if (!version) {
+			return discovery.getLatestRelease({ did: publisherDid, package: slug });
+		}
+		let cursor: string | undefined;
+		const seenCursors = new Set<string>();
+		for (let page = 0; page < MAX_LIST_PAGES; page++) {
+			if (cursor !== undefined) {
+				if (seenCursors.has(cursor)) break;
+				seenCursors.add(cursor);
+			}
+			const result = await discovery.listReleases({
+				did: publisherDid,
+				package: slug,
+				cursor,
+				limit: 50,
+			});
+			for (const r of result.releases) {
+				if (r.version === version) return r;
+			}
+			if (!result.cursor) break;
+			cursor = result.cursor;
+		}
+		return undefined;
+	})();
+
+	if (!releaseView?.release) return null;
+
+	return resolveDeclaredUrl(releaseView.release.artifacts, kind, index);
+}
+
+/**
+ * Read a response body into memory, aborting once it exceeds `limit`. Returns
+ * `null` when the cap is breached (the streamed body lied about / omitted
+ * Content-Length). The cap is the real defence against an unbounded body.
+ */
+async function readCapped(response: Response, limit: number): Promise<Uint8Array | null> {
+	const body = response.body;
+	if (!body) {
+		const buf = new Uint8Array(await response.arrayBuffer());
+		return buf.length > limit ? null : buf;
+	}
+	const reader = body.getReader();
+	const chunks: Uint8Array[] = [];
+	let total = 0;
+	while (true) {
+		const { done, value } = await reader.read();
+		if (done) break;
+		if (value) {
+			total += value.length;
+			if (total > limit) {
+				await reader.cancel();
+				return null;
+			}
+			chunks.push(value);
+		}
+	}
+	const combined = new Uint8Array(total);
+	let offset = 0;
+	for (const chunk of chunks) {
+		combined.set(chunk, offset);
+		offset += chunk.length;
+	}
+	return combined;
+}

package/src/astro/routes/api/admin/plugins/registry/install.ts

@@ -12,6 +12,7 @@
  * view time (handle is best-effort per the lexicon).
  */
 
+import { hostEnvFromVersions } from "@emdash-cms/registry-client/env";
 import type { APIRoute } from "astro";
 import { z } from "zod";
 
@@ -20,6 +21,8 @@ import { apiError, handleError, unwrapResult } from "#api/error.js";
 import { handleRegistryInstall } from "#api/index.js";
 import { isParseError, parseBody } from "#api/parse.js";
 
+import { VERSION } from "../../../../../../version.js";
+
 export const prerender = false;
 
 const installBodySchema = z.object({
@@ -91,7 +94,10 @@ export const POST: APIRoute = async ({ request, locals }) => {
 				version: body.version,
 				acknowledgedDeclaredAccess: body.acknowledgedDeclaredAccess,
 			},
-			{ configuredPluginIds: reservedPluginIds },
+			{
+				configuredPluginIds: reservedPluginIds,
+				hostEnv: hostEnvFromVersions(VERSION, emdash.config.astroVersion),
+			},
 		);
 
 		if (!result.success) return unwrapResult(result);

package/src/astro/routes/api/admin/plugins/updates.ts

@@ -1,14 +1,22 @@
 /**
- * Marketplace update check endpoint
+ * Plugin update check endpoint
  *
- * GET /_emdash/api/admin/plugins/updates - Check for marketplace plugin updates
+ * GET /_emdash/api/admin/plugins/updates - Check for available updates
+ * across every installed plugin source (marketplace + experimental
+ * registry). Items are returned in a single flat list; admins correlate
+ * items to plugins by `pluginId` and read `source` from the existing
+ * `/_emdash/api/admin/plugins` list (the pluginId prefix is not a
+ * reliable discriminator on its own).
+ *
+ * A failure in one source does NOT blank the other — a registry-side
+ * aggregator outage still returns marketplace updates and vice versa.
  */
 
 import type { APIRoute } from "astro";
 
 import { requirePerm } from "#api/authorize.js";
-import { apiError, unwrapResult } from "#api/error.js";
-import { handleMarketplaceUpdateCheck } from "#api/index.js";
+import { apiError } from "#api/error.js";
+import { handleMarketplaceUpdateCheck, handleRegistryUpdateCheck } from "#api/index.js";
 
 export const prerender = false;
 
@@ -22,7 +30,36 @@ export const GET: APIRoute = async ({ locals }) => {
 	const denied = requirePerm(user, "plugins:read");
 	if (denied) return denied;
 
-	const result = await handleMarketplaceUpdateCheck(emdash.db, emdash.config.marketplace);
+	// Run both checks in parallel. Catch each independently so one source's
+	// failure doesn't blank the other. Both throws and structured `success:
+	// false` returns are logged with the source name so a misconfigured
+	// registry doesn't disappear silently from telemetry.
+	const [marketplace, registry] = await Promise.all([
+		handleMarketplaceUpdateCheck(emdash.db, emdash.config.marketplace).catch((err) => {
+			console.warn("[plugins/updates] marketplace check threw:", err);
+			return null;
+		}),
+		handleRegistryUpdateCheck(emdash.db, emdash.config.experimental?.registry).catch((err) => {
+			console.warn("[plugins/updates] registry check threw:", err);
+			return null;
+		}),
+	]);
+	if (marketplace && !marketplace.success) {
+		console.warn(
+			`[plugins/updates] marketplace check failed: ${marketplace.error.code} ${marketplace.error.message}`,
+		);
+	}
+	if (registry && !registry.success) {
+		console.warn(
+			`[plugins/updates] registry check failed: ${registry.error.code} ${registry.error.message}`,
+		);
+	}
+
+	const items: unknown[] = [];
+	if (marketplace?.success) items.push(...marketplace.data.items);
+	if (registry?.success) items.push(...registry.data.items);
 
-	return unwrapResult(result);
+	// Match the rest of the admin API envelope (`{ data: ... }`) so the
+	// admin client's `parseApiResponse` unwraps `body.data`.
+	return Response.json({ data: { items } });
 };

package/src/astro/routes/api/admin/themes/marketplace/index.ts

@@ -28,7 +28,7 @@ export const GET: APIRoute = async ({ url, locals }) => {
 	const validSorts = new Set(["name", "created", "updated"]);
 	let sort: "name" | "created" | "updated" | undefined;
 	if (sortParam && validSorts.has(sortParam)) {
-		sort = sortParam as "name" | "created" | "updated"; // eslint-disable-line typescript-eslint(no-unsafe-type-assertion) -- validated by Set.has()
+		sort = sortParam as "name" | "created" | "updated"; // eslint-disable-line typescript/no-unsafe-type-assertion -- validated by Set.has()
 	}
 	const cursor = url.searchParams.get("cursor") ?? undefined;
 	const limitParam = url.searchParams.get("limit");

package/src/astro/routes/api/auth/oauth/[provider]/callback.ts

@@ -116,9 +116,9 @@ export const GET: APIRoute = async ({ params, request, locals, session, redirect
 
 	try {
 		// Get OAuth providers from environment
-		// eslint-disable-next-line typescript-eslint(no-unsafe-type-assertion) -- locals.runtime is injected by the Cloudflare adapter at runtime; not declared on App.Locals since the adapter is optional
+		// eslint-disable-next-line typescript/no-unsafe-type-assertion -- locals.runtime is injected by the Cloudflare adapter at runtime; not declared on App.Locals since the adapter is optional
 		const runtimeLocals = locals as unknown as { runtime?: { env?: Record<string, unknown> } };
-		// eslint-disable-next-line typescript-eslint(no-unsafe-type-assertion) -- import.meta.env is typed as ImportMetaEnv but we need Record<string, unknown> for getOAuthConfig
+		// eslint-disable-next-line typescript/no-unsafe-type-assertion -- import.meta.env is typed as ImportMetaEnv but we need Record<string, unknown> for getOAuthConfig
 		const env = runtimeLocals.runtime?.env ?? (import.meta.env as Record<string, unknown>);
 		const providers = getOAuthConfig(env);
 

package/src/astro/routes/api/auth/oauth/[provider].ts

@@ -95,9 +95,9 @@ export const GET: APIRoute = async ({ params, request, locals, redirect }) => {
 
 		// Get OAuth providers from environment
 		// Access via locals.runtime for Cloudflare, or import.meta.env for Node
-		// eslint-disable-next-line typescript-eslint(no-unsafe-type-assertion) -- locals.runtime is injected by the Cloudflare adapter at runtime; not declared on App.Locals since the adapter is optional
+		// eslint-disable-next-line typescript/no-unsafe-type-assertion -- locals.runtime is injected by the Cloudflare adapter at runtime; not declared on App.Locals since the adapter is optional
 		const runtimeLocals = locals as unknown as { runtime?: { env?: Record<string, unknown> } };
-		// eslint-disable-next-line typescript-eslint(no-unsafe-type-assertion) -- import.meta.env is typed as ImportMetaEnv but we need Record<string, unknown> for getOAuthConfig
+		// eslint-disable-next-line typescript/no-unsafe-type-assertion -- import.meta.env is typed as ImportMetaEnv but we need Record<string, unknown> for getOAuthConfig
 		const env = runtimeLocals.runtime?.env ?? (import.meta.env as Record<string, unknown>);
 		const providers = getOAuthConfig(env);
 

package/src/astro/routes/api/content/[collection]/[id]/discard-draft.ts

@@ -31,13 +31,13 @@ export const POST: APIRoute = async ({ params, locals, cache }) => {
 	}
 	const existingData =
 		existing.data && typeof existing.data === "object"
-			? // eslint-disable-next-line typescript-eslint(no-unsafe-type-assertion) -- handler returns unknown data; narrowed by typeof check above
+			? // eslint-disable-next-line typescript/no-unsafe-type-assertion -- handler returns unknown data; narrowed by typeof check above
 				(existing.data as Record<string, unknown>)
 			: undefined;
 	// Handler returns { item, _rev } — extract the item for ownership check
 	const existingItem =
 		existingData?.item && typeof existingData.item === "object"
-			? // eslint-disable-next-line typescript-eslint(no-unsafe-type-assertion) -- narrowed by typeof check above
+			? // eslint-disable-next-line typescript/no-unsafe-type-assertion -- narrowed by typeof check above
 				(existingData.item as Record<string, unknown>)
 			: existingData;
 	const authorId = typeof existingItem?.authorId === "string" ? existingItem.authorId : "";

package/src/astro/routes/api/content/[collection]/[id]/duplicate.ts

@@ -35,13 +35,13 @@ export const POST: APIRoute = async ({ params, locals, cache }) => {
 
 	const existingData =
 		existing.data && typeof existing.data === "object"
-			? // eslint-disable-next-line typescript-eslint(no-unsafe-type-assertion) -- handler returns unknown data; narrowed by typeof check above
+			? // eslint-disable-next-line typescript/no-unsafe-type-assertion -- handler returns unknown data; narrowed by typeof check above
 				(existing.data as Record<string, unknown>)
 			: undefined;
 	// Handler returns { item, _rev } — extract the item for ownership check
 	const existingItem =
 		existingData?.item && typeof existingData.item === "object"
-			? // eslint-disable-next-line typescript-eslint(no-unsafe-type-assertion) -- narrowed by typeof check above
+			? // eslint-disable-next-line typescript/no-unsafe-type-assertion -- narrowed by typeof check above
 				(existingData.item as Record<string, unknown>)
 			: existingData;
 	const authorId = typeof existingItem?.authorId === "string" ? existingItem.authorId : "";

package/src/astro/routes/api/content/[collection]/[id]/publish.ts

@@ -46,12 +46,12 @@ export const POST: APIRoute = async ({ params, request, locals, cache }) => {
 
 	const existingData =
 		existing.data && typeof existing.data === "object"
-			? // eslint-disable-next-line typescript-eslint(no-unsafe-type-assertion) -- handler returns unknown data; narrowed by typeof check above
+			? // eslint-disable-next-line typescript/no-unsafe-type-assertion -- handler returns unknown data; narrowed by typeof check above
 				(existing.data as Record<string, unknown>)
 			: undefined;
 	const existingItem =
 		existingData?.item && typeof existingData.item === "object"
-			? // eslint-disable-next-line typescript-eslint(no-unsafe-type-assertion) -- narrowed by typeof check above
+			? // eslint-disable-next-line typescript/no-unsafe-type-assertion -- narrowed by typeof check above
 				(existingData.item as Record<string, unknown>)
 			: existingData;
 	const authorId = typeof existingItem?.authorId === "string" ? existingItem.authorId : "";

package/src/astro/routes/api/content/[collection]/[id]/restore.ts

@@ -31,13 +31,13 @@ export const POST: APIRoute = async ({ params, locals, cache }) => {
 	}
 	const existingData =
 		existing.data && typeof existing.data === "object"
-			? // eslint-disable-next-line typescript-eslint(no-unsafe-type-assertion) -- handler returns unknown data; narrowed by typeof check above
+			? // eslint-disable-next-line typescript/no-unsafe-type-assertion -- handler returns unknown data; narrowed by typeof check above
 				(existing.data as Record<string, unknown>)
 			: undefined;
 	// Handler returns { item, _rev } — extract the item for ownership check
 	const existingItem =
 		existingData?.item && typeof existingData.item === "object"
-			? // eslint-disable-next-line typescript-eslint(no-unsafe-type-assertion) -- narrowed by typeof check above
+			? // eslint-disable-next-line typescript/no-unsafe-type-assertion -- narrowed by typeof check above
 				(existingData.item as Record<string, unknown>)
 			: existingData;
 	const authorId = typeof existingItem?.authorId === "string" ? existingItem.authorId : "";

package/src/astro/routes/api/content/[collection]/[id]/schedule.ts

@@ -20,12 +20,12 @@ export const prerender = false;
 function extractOwnership(data: unknown): { authorId: string; resolvedId: string | undefined } {
 	const obj =
 		data && typeof data === "object"
-			? // eslint-disable-next-line typescript-eslint(no-unsafe-type-assertion) -- handler returns unknown; narrowed by typeof
+			? // eslint-disable-next-line typescript/no-unsafe-type-assertion -- handler returns unknown; narrowed by typeof
 				(data as Record<string, unknown>)
 			: undefined;
 	const item =
 		obj?.item && typeof obj.item === "object"
-			? // eslint-disable-next-line typescript-eslint(no-unsafe-type-assertion) -- narrowed by typeof
+			? // eslint-disable-next-line typescript/no-unsafe-type-assertion -- narrowed by typeof
 				(obj.item as Record<string, unknown>)
 			: obj;
 	return {

package/src/astro/routes/api/content/[collection]/[id]/terms/[taxonomy].ts

@@ -34,7 +34,7 @@ export const GET: APIRoute = async ({ params, locals }) => {
 	if (dbErr) return dbErr;
 
 	try {
-		const repo = new TaxonomyRepository(emdash!.db);
+		const repo = new TaxonomyRepository(emdash.db);
 		const terms = await repo.getTermsForEntry(collection, id, taxonomy);
 
 		return apiSuccess({
@@ -68,12 +68,12 @@ export const POST: APIRoute = async ({ params, request, locals }) => {
 	const dbErr = requireDb(emdash?.db);
 	if (dbErr) return dbErr;
 
-	if (!emdash!.handleContentGet) {
+	if (!emdash.handleContentGet) {
 		return apiError("NOT_CONFIGURED", "EmDash is not initialized", 500);
 	}
 
 	// Verify the content exists before modifying its terms
-	const existing = await emdash!.handleContentGet(collection, id);
+	const existing = await emdash.handleContentGet(collection, id);
 	if (!existing.success) {
 		return apiError(
 			existing.error?.code ?? "NOT_FOUND",
@@ -85,13 +85,13 @@ export const POST: APIRoute = async ({ params, request, locals }) => {
 	// Check ownership for edit permission
 	const existingData =
 		existing.data && typeof existing.data === "object"
-			? // eslint-disable-next-line typescript-eslint(no-unsafe-type-assertion) -- handler returns unknown data; narrowed by typeof check above
+			? // eslint-disable-next-line typescript/no-unsafe-type-assertion -- handler returns unknown data; narrowed by typeof check above
 				(existing.data as Record<string, unknown>)
 			: undefined;
 	// Handler returns { item, _rev } — extract the item for ownership check
 	const existingItem =
 		existingData?.item && typeof existingData.item === "object"
-			? // eslint-disable-next-line typescript-eslint(no-unsafe-type-assertion) -- narrowed by typeof check above
+			? // eslint-disable-next-line typescript/no-unsafe-type-assertion -- narrowed by typeof check above
 				(existingData.item as Record<string, unknown>)
 			: existingData;
 	const authorId = typeof existingItem?.authorId === "string" ? existingItem.authorId : "";
@@ -107,7 +107,7 @@ export const POST: APIRoute = async ({ params, request, locals }) => {
 		if (isParseError(body)) return body;
 		const { termIds } = body;
 
-		const repo = new TaxonomyRepository(emdash!.db);
+		const repo = new TaxonomyRepository(emdash.db);
 
 		// Verify all term IDs exist and belong to the correct taxonomy
 		for (const termId of termIds) {

package/src/astro/routes/api/content/[collection]/[id]/translations.ts

@@ -41,7 +41,7 @@ export const GET: APIRoute = async ({ params, locals }) => {
 	if (result.success && !hasPermission(user, "content:read_drafts")) {
 		const data =
 			result.data && typeof result.data === "object"
-				? // eslint-disable-next-line typescript-eslint(no-unsafe-type-assertion) -- handler returns unknown data; narrowed by typeof check
+				? // eslint-disable-next-line typescript/no-unsafe-type-assertion -- handler returns unknown data; narrowed by typeof check
 					(result.data as Record<string, unknown>)
 				: undefined;
 		const translations = Array.isArray(data?.translations) ? data.translations : [];