npm - emdash - Versions diffs - 0.2.0 → 0.4.0 - Mend

emdash 0.2.0 → 0.4.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (197) hide show

package/dist/{adapters-N6BF7RCD.d.mts → adapters-C2BzVy0p.d.mts} +1 -1
package/dist/{adapters-N6BF7RCD.d.mts.map → adapters-C2BzVy0p.d.mts.map} +1 -1
package/dist/{apply-wmVEOSbR.mjs → apply-Cma_PiF6.mjs} +38 -23
package/dist/apply-Cma_PiF6.mjs.map +1 -0
package/dist/astro/index.d.mts +25 -11
package/dist/astro/index.d.mts.map +1 -1
package/dist/astro/index.mjs +38 -25
package/dist/astro/index.mjs.map +1 -1
package/dist/astro/middleware/auth.d.mts +5 -5
package/dist/astro/middleware/auth.mjs +2 -2
package/dist/astro/middleware/redirect.d.mts.map +1 -1
package/dist/astro/middleware/redirect.mjs +20 -8
package/dist/astro/middleware/redirect.mjs.map +1 -1
package/dist/astro/middleware/request-context.mjs +12 -2
package/dist/astro/middleware/request-context.mjs.map +1 -1
package/dist/astro/middleware/setup.mjs +1 -1
package/dist/astro/middleware.d.mts.map +1 -1
package/dist/astro/middleware.mjs +52 -45
package/dist/astro/middleware.mjs.map +1 -1
package/dist/astro/types.d.mts +9 -9
package/dist/astro/types.d.mts.map +1 -1
package/dist/{byline-1WQPlISL.mjs → byline-WuOq9MFJ.mjs} +5 -4
package/dist/byline-WuOq9MFJ.mjs.map +1 -0
package/dist/{bylines-BYdTYmia.mjs → bylines-C_Wsnz4L.mjs} +38 -6
package/dist/bylines-C_Wsnz4L.mjs.map +1 -0
package/dist/cache-E3Dts-yT.mjs +56 -0
package/dist/cache-E3Dts-yT.mjs.map +1 -0
package/dist/cli/index.mjs +13 -13
package/dist/cli/index.mjs.map +1 -1
package/dist/client/cf-access.d.mts +1 -1
package/dist/client/index.d.mts +1 -1
package/dist/client/index.mjs +1 -1
package/dist/{config-Cq8H0SfX.mjs → config-DkxPrM9l.mjs} +1 -1
package/dist/{config-Cq8H0SfX.mjs.map → config-DkxPrM9l.mjs.map} +1 -1
package/dist/{content-BmXndhdi.mjs → content-BsBoyj8G.mjs} +20 -3
package/dist/content-BsBoyj8G.mjs.map +1 -0
package/dist/db/index.d.mts +3 -3
package/dist/db/index.mjs +2 -2
package/dist/db/libsql.d.mts +1 -1
package/dist/db/postgres.d.mts +1 -1
package/dist/db/sqlite.d.mts +1 -1
package/dist/{default-WYlzADZL.mjs → default-PUx9RK6u.mjs} +1 -1
package/dist/{default-WYlzADZL.mjs.map → default-PUx9RK6u.mjs.map} +1 -1
package/dist/{dialect-helpers-B9uSp2GJ.mjs → dialect-helpers-DhTzaUxP.mjs} +4 -1
package/dist/dialect-helpers-DhTzaUxP.mjs.map +1 -0
package/dist/{error-DrxtnGPg.mjs → error-HBeQbVhV.mjs} +1 -1
package/dist/{error-DrxtnGPg.mjs.map → error-HBeQbVhV.mjs.map} +1 -1
package/dist/{index-UHEVQMus.d.mts → index-CRg3PWfZ.d.mts} +59 -33
package/dist/index-CRg3PWfZ.d.mts.map +1 -0
package/dist/index.d.mts +11 -11
package/dist/index.mjs +20 -20
package/dist/{load-Veizk2cT.mjs → load-BhSSm-TS.mjs} +1 -1
package/dist/{load-Veizk2cT.mjs.map → load-BhSSm-TS.mjs.map} +1 -1
package/dist/{loader-CHb2v0jm.mjs → loader-BYzwzORf.mjs} +4 -2
package/dist/loader-BYzwzORf.mjs.map +1 -0
package/dist/{manifest-schema-CuMio1A9.mjs → manifest-schema-BsXINkQD.mjs} +1 -1
package/dist/{manifest-schema-CuMio1A9.mjs.map → manifest-schema-BsXINkQD.mjs.map} +1 -1
package/dist/media/index.d.mts +1 -1
package/dist/media/index.mjs +1 -1
package/dist/media/local-runtime.d.mts +7 -7
package/dist/{mode-CYeM2rPt.mjs → mode-CyPLdO3C.mjs} +1 -1
package/dist/{mode-CYeM2rPt.mjs.map → mode-CyPLdO3C.mjs.map} +1 -1
package/dist/page/index.d.mts +1 -1
package/dist/patterns-CrCYkMBb.mjs +93 -0
package/dist/patterns-CrCYkMBb.mjs.map +1 -0
package/dist/{placeholder-bOx1xCTY.d.mts → placeholder-BBCtpTES.d.mts} +1 -1
package/dist/{placeholder-bOx1xCTY.d.mts.map → placeholder-BBCtpTES.d.mts.map} +1 -1
package/dist/{placeholder-aiCD8aSZ.mjs → placeholder-DntBEQo7.mjs} +1 -1
package/dist/{placeholder-aiCD8aSZ.mjs.map → placeholder-DntBEQo7.mjs.map} +1 -1
package/dist/plugins/adapt-sandbox-entry.d.mts +5 -5
package/dist/plugins/adapt-sandbox-entry.mjs +1 -1
package/dist/{query-5Hcv_5ER.mjs → query-B6Vu0d2i.mjs} +35 -16
package/dist/{query-5Hcv_5ER.mjs.map → query-B6Vu0d2i.mjs.map} +1 -1
package/dist/{redirect-DIfIni3r.mjs → redirect-7lGhLBNZ.mjs} +10 -93
package/dist/redirect-7lGhLBNZ.mjs.map +1 -0
package/dist/{registry-1EvbAfsC.mjs → registry-BgnP3ysR.mjs} +27 -37
package/dist/registry-BgnP3ysR.mjs.map +1 -0
package/dist/{runner-BoN0-FPi.mjs → runner-Cd-_WyDo.mjs} +18 -6
package/dist/runner-Cd-_WyDo.mjs.map +1 -0
package/dist/{runner-DTqkzOzc.d.mts → runner-DYv3rX8P.d.mts} +10 -3
package/dist/runner-DYv3rX8P.d.mts.map +1 -0
package/dist/runtime.d.mts +6 -6
package/dist/runtime.mjs +2 -2
package/dist/{search-BsYMed12.mjs → search-B5p9D36n.mjs} +108 -57
package/dist/search-B5p9D36n.mjs.map +1 -0
package/dist/seed/index.d.mts +2 -2
package/dist/seed/index.mjs +10 -10
package/dist/seo/index.d.mts +1 -1
package/dist/storage/local.d.mts +1 -1
package/dist/storage/local.mjs +1 -1
package/dist/storage/s3.d.mts +11 -3
package/dist/storage/s3.d.mts.map +1 -1
package/dist/storage/s3.mjs +76 -15
package/dist/storage/s3.mjs.map +1 -1
package/dist/{tokens-DrB-W6Q-.mjs → tokens-DKHiCYCB.mjs} +1 -1
package/dist/{tokens-DrB-W6Q-.mjs.map → tokens-DKHiCYCB.mjs.map} +1 -1
package/dist/transaction-Cn2rjY78.mjs +28 -0
package/dist/transaction-Cn2rjY78.mjs.map +1 -0
package/dist/{transport-Bl8cTdYt.mjs → transport-BtcQ-Z7T.mjs} +1 -1
package/dist/{transport-Bl8cTdYt.mjs.map → transport-BtcQ-Z7T.mjs.map} +1 -1
package/dist/{transport-COOs9GSE.d.mts → transport-CKQA_G44.d.mts} +1 -1
package/dist/{transport-COOs9GSE.d.mts.map → transport-CKQA_G44.d.mts.map} +1 -1
package/dist/{types-7-UjSEyB.d.mts → types-B6BzlZxx.d.mts} +1 -1
package/dist/{types-7-UjSEyB.d.mts.map → types-B6BzlZxx.d.mts.map} +1 -1
package/dist/{types-6dqxBqsH.d.mts → types-BYWYxLcp.d.mts} +109 -5
package/dist/types-BYWYxLcp.d.mts.map +1 -0
package/dist/{types-CIsTnQvJ.d.mts → types-BmkQR1En.d.mts} +1 -1
package/dist/{types-CIsTnQvJ.d.mts.map → types-BmkQR1En.d.mts.map} +1 -1
package/dist/{types-BljtYPSd.d.mts → types-DNZpaCBk.d.mts} +14 -6
package/dist/types-DNZpaCBk.d.mts.map +1 -0
package/dist/{types-Bec-r_3_.mjs → types-Dz9_WMS6.mjs} +1 -1
package/dist/types-Dz9_WMS6.mjs.map +1 -0
package/dist/{types-CcreFIIH.d.mts → types-gLYVCXCQ.d.mts} +1 -1
package/dist/{types-CcreFIIH.d.mts.map → types-gLYVCXCQ.d.mts.map} +1 -1
package/dist/{types-DuNbGKjF.mjs → types-xxCWI3j0.mjs} +1 -1
package/dist/{types-DuNbGKjF.mjs.map → types-xxCWI3j0.mjs.map} +1 -1
package/dist/{validate-B7KP7VLM.d.mts → validate-CcNRWH6I.d.mts} +4 -4
package/dist/{validate-B7KP7VLM.d.mts.map → validate-CcNRWH6I.d.mts.map} +1 -1
package/dist/{validate-CXnRKfJK.mjs → validate-DuZDIxfy.mjs} +2 -2
package/dist/{validate-CXnRKfJK.mjs.map → validate-DuZDIxfy.mjs.map} +1 -1
package/dist/{validate-CqRJb_xU.mjs → validate-VPnKoIzW.mjs} +11 -11
package/dist/{validate-CqRJb_xU.mjs.map → validate-VPnKoIzW.mjs.map} +1 -1
package/dist/version-DlTDRdpv.mjs +7 -0
package/dist/version-DlTDRdpv.mjs.map +1 -0
package/package.json +7 -5
package/src/api/handlers/content.ts +36 -25
package/src/api/handlers/menus.ts +19 -16
package/src/api/handlers/redirects.ts +95 -3
package/src/api/schemas/redirects.ts +1 -0
package/src/astro/integration/index.ts +2 -3
package/src/astro/integration/runtime.ts +8 -14
package/src/astro/integration/vite-config.ts +14 -4
package/src/astro/middleware/redirect.ts +30 -15
package/src/astro/middleware.ts +11 -19
package/src/astro/routes/admin.astro +2 -2
package/src/astro/routes/api/admin/bylines/[id]/index.ts +3 -0
package/src/astro/routes/api/admin/bylines/index.ts +2 -0
package/src/astro/routes/api/comments/[collection]/[contentId]/index.ts +2 -0
package/src/astro/routes/api/import/wordpress/rewrite-urls.ts +2 -0
package/src/astro/routes/api/manifest.ts +3 -1
package/src/astro/routes/api/redirects/[id].ts +3 -0
package/src/astro/routes/api/redirects/index.ts +2 -0
package/src/astro/routes/api/schema/collections/[slug]/index.ts +2 -0
package/src/astro/routes/api/schema/collections/index.ts +1 -0
package/src/astro/storage/adapters.ts +19 -5
package/src/astro/storage/types.ts +12 -4
package/src/astro/types.ts +1 -0
package/src/bylines/index.ts +50 -2
package/src/cleanup.ts +3 -3
package/src/cli/commands/bundle-utils.ts +5 -5
package/src/database/dialect-helpers.ts +3 -0
package/src/database/migrations/011_sections.ts +2 -2
package/src/database/migrations/runner.ts +23 -2
package/src/database/repositories/byline.ts +2 -1
package/src/database/repositories/content.ts +5 -0
package/src/database/repositories/redirect.ts +13 -0
package/src/database/validate.ts +10 -10
package/src/emdash-runtime.ts +23 -9
package/src/index.ts +3 -0
package/src/loader.ts +2 -0
package/src/mcp/server.ts +40 -67
package/src/menus/index.ts +4 -0
package/src/plugins/context.ts +28 -4
package/src/plugins/cron.ts +29 -4
package/src/plugins/hooks.ts +22 -10
package/src/plugins/index.ts +1 -0
package/src/plugins/manager.ts +6 -2
package/src/plugins/marketplace.ts +33 -3
package/src/plugins/routes.ts +3 -3
package/src/plugins/types.ts +7 -0
package/src/query.ts +37 -14
package/src/redirects/cache.ts +68 -0
package/src/redirects/loops.ts +318 -0
package/src/schema/registry.ts +3 -0
package/src/search/fts-manager.ts +24 -11
package/src/search/query.ts +8 -9
package/src/seed/apply.ts +49 -28
package/src/storage/s3.ts +94 -25
package/src/storage/types.ts +13 -5
package/src/utils/slugify.ts +11 -0
package/src/version.ts +12 -0
package/src/visual-editing/toolbar.ts +11 -1
package/dist/apply-wmVEOSbR.mjs.map +0 -1
package/dist/byline-1WQPlISL.mjs.map +0 -1
package/dist/bylines-BYdTYmia.mjs.map +0 -1
package/dist/content-BmXndhdi.mjs.map +0 -1
package/dist/dialect-helpers-B9uSp2GJ.mjs.map +0 -1
package/dist/index-UHEVQMus.d.mts.map +0 -1
package/dist/loader-CHb2v0jm.mjs.map +0 -1
package/dist/redirect-DIfIni3r.mjs.map +0 -1
package/dist/registry-1EvbAfsC.mjs.map +0 -1
package/dist/runner-BoN0-FPi.mjs.map +0 -1
package/dist/runner-DTqkzOzc.d.mts.map +0 -1
package/dist/search-BsYMed12.mjs.map +0 -1
package/dist/types-6dqxBqsH.d.mts.map +0 -1
package/dist/types-Bec-r_3_.mjs.map +0 -1
package/dist/types-BljtYPSd.d.mts.map +0 -1

package/dist/{validate-CqRJb_xU.mjs.map → validate-VPnKoIzW.mjs.map} RENAMED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"validate-~~CqRJb_xU~~.mjs","names":[],"sources":["../src/database/validate.ts"],"sourcesContent":["/*\n SQL Identifier Validation\n \n Validates identifiers (table names, column names, index names) before\n * they are used in raw SQL expressions. This is the primary defense against\n * SQL injection via dynamic identifier interpolation.\n \n @see AGENTS.md § Database: Never Interpolate Into SQL\n /\n\n/\n Pattern for safe SQL identifiers.\n * Must start with a lowercase letter, followed by lowercase letters, digits, or underscores.\n /\nconst IDENTIFIER_PATTERN = /^[a-z][a-z0-9_]$/;\n\n/*\n Pattern for generic alphanumeric identifiers (case-insensitive).\n * Must start with a letter, followed by letters, digits, or underscores.\n /\nconst GENERIC_IDENTIFIER_PATTERN = /^[a-zA-Z][a-zA-Z0-9_]$/;\n\n/*\n Pattern for plugin identifiers.\n * Must start with a lowercase letter, followed by lowercase letters, digits, underscores, or hyphens.\n /\nconst PLUGIN_IDENTIFIER_PATTERN = /^[a-z][a-z0-9_-]$/;\n\n/*\n Maximum length for SQL identifiers.\n * SQLite has no formal limit, but we cap at 128 for sanity.\n /\nconst MAX_IDENTIFIER_LENGTH = 128;\n\n/\n Error thrown when an identifier fails validation.\n /\nexport class IdentifierError extends Error {\n\tconstructor(\n\t\tmessage: string,\n\t\tpublic identifier: string,\n\t) {\n\t\tsuper(message);\n\t\tthis.name = \"IdentifierError\";\n\t}\n}\n\n/\n Validate that a string is a safe SQL identifier.\n \n Safe identifiers match `/^[a-z][a-z0-9_]$/` and are at most 128 characters.\n This prevents SQL injection when identifiers must be interpolated into raw SQL\n * (e.g., dynamic table names, column names in json_extract paths).\n \n @param value - The string to validate\n * @param label - Human-readable label for error messages (e.g., \"field name\", \"table name\")\n * @throws {IdentifierError} If the value is not a valid identifier\n \n @example\n * ```typescript\n * validateIdentifier(fieldName, \"field name\");\n * // safe to use in: json_extract(data, '$.${fieldName}')\n * ```\n /\nexport function validateIdentifier(value: string, label = \"identifier\"): void {\n\tif (!value \|\| typeof value !== \"string\") {\n\t\tthrow new IdentifierError(`${label} must be a non-empty string`, String(value));\n\t}\n\n\tif (value.length > MAX_IDENTIFIER_LENGTH) {\n\t\tthrow new IdentifierError(\n\t\t\t`${label} must be ${MAX_IDENTIFIER_LENGTH} characters or less, got ${value.length}`,\n\t\t\tvalue,\n\t\t);\n\t}\n\n\tif (!IDENTIFIER_PATTERN.test(value)) {\n\t\tthrow new IdentifierError(`${label} must match /^[a-z][a-z0-9_]$/ (got \"${value}\")`, value);\n\t}\n}\n\n/*\n Validate that a string is a safe SQL identifier, allowing hyphens.\n \n Like `validateIdentifier` but also permits hyphens, which appear in\n * plugin IDs (e.g., \"my-plugin\"). Matches `/^[a-z][a-z0-9_-]$/`.\n \n * @param value - The string to validate\n * @param label - Human-readable label for error messages\n * @throws {IdentifierError} If the value is not valid\n /\n/\n Validate that a string is a safe JSON field name for use in json_extract paths.\n \n More permissive than `validateIdentifier` — allows camelCase (mixed case)\n * since JSON keys in plugin storage data blobs commonly use camelCase.\n * Matches `/^[a-zA-Z][a-zA-Z0-9_]$/`.\n \n * @param value - The string to validate\n * @param label - Human-readable label for error messages\n * @throws {IdentifierError} If the value is not valid\n /\nexport function validateJsonFieldName(value: string, label = \"JSON field name\"): void {\n\tif (!value \|\| typeof value !== \"string\") {\n\t\tthrow new IdentifierError(`${label} must be a non-empty string`, String(value));\n\t}\n\n\tif (value.length > MAX_IDENTIFIER_LENGTH) {\n\t\tthrow new IdentifierError(\n\t\t\t`${label} must be ${MAX_IDENTIFIER_LENGTH} characters or less, got ${value.length}`,\n\t\t\tvalue,\n\t\t);\n\t}\n\n\tif (!GENERIC_IDENTIFIER_PATTERN.test(value)) {\n\t\tthrow new IdentifierError(\n\t\t\t`${label} must match /^[a-zA-Z][a-zA-Z0-9_]$/ (got \"${value}\")`,\n\t\t\tvalue,\n\t\t);\n\t}\n}\n\nexport function validatePluginIdentifier(value: string, label = \"plugin identifier\"): void {\n\tif (!value \|\| typeof value !== \"string\") {\n\t\tthrow new IdentifierError(`${label} must be a non-empty string`, String(value));\n\t}\n\n\tif (value.length > MAX_IDENTIFIER_LENGTH) {\n\t\tthrow new IdentifierError(\n\t\t\t`${label} must be ${MAX_IDENTIFIER_LENGTH} characters or less, got ${value.length}`,\n\t\t\tvalue,\n\t\t);\n\t}\n\n\tif (!PLUGIN_IDENTIFIER_PATTERN.test(value)) {\n\t\tthrow new IdentifierError(`${label} must match /^[a-z][a-z0-9_-]*$/ (got \"${value}\")`, value);\n\t}\n}\n"],"mappings":";;;;;;;;;;;;;;AAcA,MAAM,qBAAqB;;;;;AAM3B,MAAM,6BAA6B;;;;;AAMnC,MAAM,4BAA4B;;;;;AAMlC,MAAM,wBAAwB;;;;AAK9B,IAAa,kBAAb,cAAqC,MAAM;CAC1C,YACC,SACA,AAAO,YACN;AACD,QAAM,QAAQ;EAFP;AAGP,OAAK,OAAO;;;;;;;;;;;;;;;;;;;;AAqBd,SAAgB,mBAAmB,OAAe,QAAQ,cAAoB;AAC7E,KAAI,CAAC,SAAS,OAAO,UAAU,SAC9B,OAAM,IAAI,gBAAgB,GAAG,MAAM,8BAA8B,OAAO,MAAM,CAAC;AAGhF,KAAI,MAAM,SAAS,sBAClB,OAAM,IAAI,gBACT,GAAG,MAAM,WAAW,sBAAsB,2BAA2B,MAAM,UAC3E,MACA;AAGF,KAAI,CAAC,mBAAmB,KAAK,MAAM,CAClC,OAAM,IAAI,gBAAgB,GAAG,MAAM,wCAAwC,MAAM,KAAK,MAAM~~;;;;;;;;;;;;;;;;;;;;;;;AAyB9F~~,SAAgB,sBAAsB,OAAe,QAAQ,mBAAyB;AACrF,KAAI,CAAC,SAAS,OAAO,UAAU,SAC9B,OAAM,IAAI,gBAAgB,GAAG,MAAM,8BAA8B,OAAO,MAAM,CAAC;AAGhF,KAAI,MAAM,SAAS,sBAClB,OAAM,IAAI,gBACT,GAAG,MAAM,WAAW,sBAAsB,2BAA2B,MAAM,UAC3E,MACA;AAGF,KAAI,CAAC,2BAA2B,KAAK,MAAM,CAC1C,OAAM,IAAI,gBACT,GAAG,MAAM,8CAA8C,MAAM,KAC7D,MACA~~;;AAIH~~,SAAgB,yBAAyB,OAAe,QAAQ,qBAA2B;AAC1F,KAAI,CAAC,SAAS,OAAO,UAAU,SAC9B,OAAM,IAAI,gBAAgB,GAAG,MAAM,8BAA8B,OAAO,MAAM,CAAC;AAGhF,KAAI,MAAM,SAAS,sBAClB,OAAM,IAAI,gBACT,GAAG,MAAM,WAAW,sBAAsB,2BAA2B,MAAM,UAC3E,MACA;AAGF,KAAI,CAAC,0BAA0B,KAAK,MAAM,CACzC,OAAM,IAAI,gBAAgB,GAAG,MAAM,yCAAyC,MAAM,KAAK,MAAM"}
1	+ {"version":3,"file":"validate-VPnKoIzW.mjs","names":[],"sources":["../src/database/validate.ts"],"sourcesContent":["/*\n SQL Identifier Validation\n \n Validates identifiers (table names, column names, index names) before\n * they are used in raw SQL expressions. This is the primary defense against\n * SQL injection via dynamic identifier interpolation.\n \n @see AGENTS.md § Database: Never Interpolate Into SQL\n /\n\n/\n Pattern for safe SQL identifiers.\n * Must start with a lowercase letter, followed by lowercase letters, digits, or underscores.\n /\nconst IDENTIFIER_PATTERN = /^[a-z][a-z0-9_]$/;\n\n/*\n Pattern for generic alphanumeric identifiers (case-insensitive).\n * Must start with a letter, followed by letters, digits, or underscores.\n /\nconst GENERIC_IDENTIFIER_PATTERN = /^[a-zA-Z][a-zA-Z0-9_]$/;\n\n/*\n Pattern for plugin identifiers.\n * Must start with a lowercase letter, followed by lowercase letters, digits, underscores, or hyphens.\n /\nconst PLUGIN_IDENTIFIER_PATTERN = /^[a-z][a-z0-9_-]$/;\n\n/*\n Maximum length for SQL identifiers.\n * SQLite has no formal limit, but we cap at 128 for sanity.\n /\nconst MAX_IDENTIFIER_LENGTH = 128;\n\n/\n Error thrown when an identifier fails validation.\n /\nexport class IdentifierError extends Error {\n\tconstructor(\n\t\tmessage: string,\n\t\tpublic identifier: string,\n\t) {\n\t\tsuper(message);\n\t\tthis.name = \"IdentifierError\";\n\t}\n}\n\n/\n Validate that a string is a safe SQL identifier.\n \n Safe identifiers match `/^[a-z][a-z0-9_]$/` and are at most 128 characters.\n This prevents SQL injection when identifiers must be interpolated into raw SQL\n * (e.g., dynamic table names, column names in json_extract paths).\n \n @param value - The string to validate\n * @param label - Human-readable label for error messages (e.g., \"field name\", \"table name\")\n * @throws {IdentifierError} If the value is not a valid identifier\n \n @example\n * ```typescript\n * validateIdentifier(fieldName, \"field name\");\n * // safe to use in: json_extract(data, '$.${fieldName}')\n * ```\n /\nexport function validateIdentifier(value: string, label = \"identifier\"): void {\n\tif (!value \|\| typeof value !== \"string\") {\n\t\tthrow new IdentifierError(`${label} must be a non-empty string`, String(value));\n\t}\n\n\tif (value.length > MAX_IDENTIFIER_LENGTH) {\n\t\tthrow new IdentifierError(\n\t\t\t`${label} must be ${MAX_IDENTIFIER_LENGTH} characters or less, got ${value.length}`,\n\t\t\tvalue,\n\t\t);\n\t}\n\n\tif (!IDENTIFIER_PATTERN.test(value)) {\n\t\tthrow new IdentifierError(`${label} must match /^[a-z][a-z0-9_]$/ (got \"${value}\")`, value);\n\t}\n}\n\n/*\n Validate that a string is a safe JSON field name for use in json_extract paths.\n \n More permissive than `validateIdentifier` — allows camelCase (mixed case)\n * since JSON keys in plugin storage data blobs commonly use camelCase.\n * Matches `/^[a-zA-Z][a-zA-Z0-9_]$/`.\n \n * @param value - The string to validate\n * @param label - Human-readable label for error messages\n * @throws {IdentifierError} If the value is not valid\n /\nexport function validateJsonFieldName(value: string, label = \"JSON field name\"): void {\n\tif (!value \|\| typeof value !== \"string\") {\n\t\tthrow new IdentifierError(`${label} must be a non-empty string`, String(value));\n\t}\n\n\tif (value.length > MAX_IDENTIFIER_LENGTH) {\n\t\tthrow new IdentifierError(\n\t\t\t`${label} must be ${MAX_IDENTIFIER_LENGTH} characters or less, got ${value.length}`,\n\t\t\tvalue,\n\t\t);\n\t}\n\n\tif (!GENERIC_IDENTIFIER_PATTERN.test(value)) {\n\t\tthrow new IdentifierError(\n\t\t\t`${label} must match /^[a-zA-Z][a-zA-Z0-9_]$/ (got \"${value}\")`,\n\t\t\tvalue,\n\t\t);\n\t}\n}\n\n/*\n Validate that a string is a safe SQL identifier, allowing hyphens.\n \n Like `validateIdentifier` but also permits hyphens, which appear in\n * plugin IDs (e.g., \"my-plugin\"). Matches `/^[a-z][a-z0-9_-]$/`.\n \n * @param value - The string to validate\n * @param label - Human-readable label for error messages\n * @throws {IdentifierError} If the value is not valid\n /\nexport function validatePluginIdentifier(value: string, label = \"plugin identifier\"): void {\n\tif (!value \|\| typeof value !== \"string\") {\n\t\tthrow new IdentifierError(`${label} must be a non-empty string`, String(value));\n\t}\n\n\tif (value.length > MAX_IDENTIFIER_LENGTH) {\n\t\tthrow new IdentifierError(\n\t\t\t`${label} must be ${MAX_IDENTIFIER_LENGTH} characters or less, got ${value.length}`,\n\t\t\tvalue,\n\t\t);\n\t}\n\n\tif (!PLUGIN_IDENTIFIER_PATTERN.test(value)) {\n\t\tthrow new IdentifierError(`${label} must match /^[a-z][a-z0-9_-]$/ (got \"${value}\")`, value);\n\t}\n}\n"],"mappings":";;;;;;;;;;;;;;AAcA,MAAM,qBAAqB;;;;;AAM3B,MAAM,6BAA6B;;;;;AAMnC,MAAM,4BAA4B;;;;;AAMlC,MAAM,wBAAwB;;;;AAK9B,IAAa,kBAAb,cAAqC,MAAM;CAC1C,YACC,SACA,AAAO,YACN;AACD,QAAM,QAAQ;EAFP;AAGP,OAAK,OAAO;;;;;;;;;;;;;;;;;;;;AAqBd,SAAgB,mBAAmB,OAAe,QAAQ,cAAoB;AAC7E,KAAI,CAAC,SAAS,OAAO,UAAU,SAC9B,OAAM,IAAI,gBAAgB,GAAG,MAAM,8BAA8B,OAAO,MAAM,CAAC;AAGhF,KAAI,MAAM,SAAS,sBAClB,OAAM,IAAI,gBACT,GAAG,MAAM,WAAW,sBAAsB,2BAA2B,MAAM,UAC3E,MACA;AAGF,KAAI,CAAC,mBAAmB,KAAK,MAAM,CAClC,OAAM,IAAI,gBAAgB,GAAG,MAAM,wCAAwC,MAAM,KAAK,MAAM;;;;;;;;;;;;;AAe9F,SAAgB,sBAAsB,OAAe,QAAQ,mBAAyB;AACrF,KAAI,CAAC,SAAS,OAAO,UAAU,SAC9B,OAAM,IAAI,gBAAgB,GAAG,MAAM,8BAA8B,OAAO,MAAM,CAAC;AAGhF,KAAI,MAAM,SAAS,sBAClB,OAAM,IAAI,gBACT,GAAG,MAAM,WAAW,sBAAsB,2BAA2B,MAAM,UAC3E,MACA;AAGF,KAAI,CAAC,2BAA2B,KAAK,MAAM,CAC1C,OAAM,IAAI,gBACT,GAAG,MAAM,8CAA8C,MAAM,KAC7D,MACA;;;;;;;;;;;;AAcH,SAAgB,yBAAyB,OAAe,QAAQ,qBAA2B;AAC1F,KAAI,CAAC,SAAS,OAAO,UAAU,SAC9B,OAAM,IAAI,gBAAgB,GAAG,MAAM,8BAA8B,OAAO,MAAM,CAAC;AAGhF,KAAI,MAAM,SAAS,sBAClB,OAAM,IAAI,gBACT,GAAG,MAAM,WAAW,sBAAsB,2BAA2B,MAAM,UAC3E,MACA;AAGF,KAAI,CAAC,0BAA0B,KAAK,MAAM,CACzC,OAAM,IAAI,gBAAgB,GAAG,MAAM,yCAAyC,MAAM,KAAK,MAAM"}

package/dist/version-DlTDRdpv.mjs ADDED Viewed

@@ -0,0 +1,7 @@
+//#region src/version.ts
+const VERSION = "0.4.0";
+const COMMIT = "8fb9145";
+//#endregion
+export { VERSION as n, COMMIT as t };
+//# sourceMappingURL=version-DlTDRdpv.mjs.map

package/dist/version-DlTDRdpv.mjs.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"version-DlTDRdpv.mjs","names":[],"sources":["../src/version.ts"],"sourcesContent":["/**\n * Build-time version constants, replaced by tsdown/Vite `define`.\n * Falls back to \"dev\" when running uncompiled (tests, dev).\n */\n\ndeclare const __EMDASH_VERSION__: string;\ndeclare const __EMDASH_COMMIT__: string;\n\nexport const VERSION: string =\n\ttypeof __EMDASH_VERSION__ !== \"undefined\" ? __EMDASH_VERSION__ : \"dev\";\n\nexport const COMMIT: string = typeof __EMDASH_COMMIT__ !== \"undefined\" ? __EMDASH_COMMIT__ : \"dev\";\n"],"mappings":";AAQA,MAAa;AAGb,MAAa"}

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "emdash",
-  "version": "0.2.0",
+  "version": "0.4.0",
   "description": "Astro-native CMS with WordPress migration support",
   "type": "module",
   "main": "dist/index.mjs",
@@ -141,6 +141,8 @@
     "#media/*": "./src/media/*",
     "#mcp/*": "./src/mcp/*",
     "#comments/*": "./src/comments/*",
+    "#bylines/*": "./src/bylines/*",
+    "#redirects/*": "./src/redirects/*",
     "#types": "./src/astro/types.js"
   },
   "dependencies": {
@@ -178,9 +180,9 @@
     "ulidx": "^2.4.1",
     "upng-js": "^2.1.0",
     "zod": "^4.3.5",
-    "@emdash-cms/admin": "0.2.0",
-    "@emdash-cms/auth": "0.2.0",
-    "@emdash-cms/gutenberg-to-portable-text": "0.2.0"
+    "@emdash-cms/admin": "0.4.0",
+    "@emdash-cms/auth": "0.4.0",
+    "@emdash-cms/gutenberg-to-portable-text": "0.4.0"
   },
   "optionalDependencies": {
     "@libsql/kysely-libsql": "^0.4.0",
@@ -208,7 +210,7 @@
     "vite": "^6.0.0",
     "vitest": "^4.0.18",
     "zod-openapi": "^5.4.6",
-    "@emdash-cms/blocks": "0.2.0"
+    "@emdash-cms/blocks": "0.4.0"
   },
   "repository": {
     "type": "git",

package/src/api/handlers/content.ts CHANGED Viewed

@@ -22,6 +22,7 @@ import { withTransaction } from "../../database/transaction.js";
 import type { Database } from "../../database/types.js";
 import { validateIdentifier } from "../../database/validate.js";
 import { isI18nEnabled } from "../../i18n/config.js";
+import { invalidateRedirectCache } from "../../redirects/cache.js";
 import { encodeRev, validateRev } from "../rev.js";
 import type { ApiResult, ContentListResponse, ContentResponse } from "../types.js";
@@ -503,37 +504,37 @@ export async function handleContentUpdate(
 		// Resolve slug → ID if needed
 		const resolvedId = (await resolveId(repo, collection, id)) ?? id;
-		// Validate _rev if provided (optimistic concurrency)
-		if (body._rev) {
-			const existing = await repo.findById(collection, resolvedId);
-			if (!existing) {
-				return {
-					success: false,
-					error: { code: "NOT_FOUND", message: `Content item not found: ${id}` },
-				};
-			}
-			const revCheck = validateRev(body._rev, existing);
-			if (!revCheck.valid) {
-				return {
-					success: false,
-					error: { code: "CONFLICT", message: revCheck.message },
-				};
-			}
-		}
-		// Wrap content + SEO writes in a transaction for atomicity
+		// Wrap content + SEO writes in a transaction for atomicity.
+		// The _rev check is inside the transaction so the read-then-write
+		// is atomic -- no concurrent write can slip between the check and update.
 		const item = await withTransaction(db, async (trx) => {
 			const trxRepo = new ContentRepository(trx);
 			const bylineRepo = new BylineRepository(trx);
+			// Read existing item once for both _rev check and old slug capture
+			const existing =
+				body._rev || body.slug ? await trxRepo.findById(collection, resolvedId) : null;
+			// Validate _rev if provided (optimistic concurrency)
+			if (body._rev) {
+				if (!existing) {
+					throw Object.assign(new Error(`Content item not found: ${id}`), {
+						apiError: { code: "NOT_FOUND" as const },
+					});
+				}
+				const revCheck = validateRev(body._rev, existing);
+				if (!revCheck.valid) {
+					throw Object.assign(new Error(revCheck.message), {
+						apiError: { code: "CONFLICT" as const },
+					});
+				}
+			}
 			// Capture old slug before update for auto-redirect
 			let oldSlug: string | undefined;
-			if (body.slug) {
-				const existing = await trxRepo.findById(collection, resolvedId);
-				if (existing?.slug && existing.slug !== body.slug) {
-					oldSlug = existing.slug;
-				}
+			if (body.slug && existing?.slug && existing.slug !== body.slug) {
+				oldSlug = existing.slug;
 			}
 			const updated = await trxRepo.update(collection, resolvedId, {
@@ -564,6 +565,7 @@ export async function handleContentUpdate(
 					resolvedId,
 					collectionRow?.url_pattern ?? null,
 				);
+				invalidateRedirectCache();
 			}
 			// Sync non-translatable fields to sibling locales in the same
@@ -598,6 +600,15 @@ export async function handleContentUpdate(
 			data: { item, _rev: encodeRev(item) },
 		};
 	} catch (error) {
+		// Handle structured errors thrown from inside the transaction
+		// (rev check failures, not-found)
+		if (error instanceof Error && "apiError" in error) {
+			const { code } = (error as Error & { apiError: { code: string } }).apiError;
+			return {
+				success: false,
+				error: { code, message: error.message },
+			};
+		}
 		console.error("Content update error:", error);
 		return {
 			success: false,

package/src/api/handlers/menus.ts CHANGED Viewed

@@ -8,6 +8,7 @@
 import type { Kysely } from "kysely";
 import { ulid } from "ulidx";
+import { withTransaction } from "../../database/transaction.js";
 import type { Database, MenuItemTable, MenuTable } from "../../database/types.js";
 import type { ApiResult } from "../types.js";
@@ -464,24 +465,26 @@ export async function handleMenuItemReorder(
 			};
 		}
-		for (const item of items) {
-			await db
-				.updateTable("_emdash_menu_items")
-				.set({
-					parent_id: item.parentId,
-					sort_order: item.sortOrder,
-				})
-				.where("id", "=", item.id)
+		const updatedItems = await withTransaction(db, async (trx) => {
+			for (const item of items) {
+				await trx
+					.updateTable("_emdash_menu_items")
+					.set({
+						parent_id: item.parentId,
+						sort_order: item.sortOrder,
+					})
+					.where("id", "=", item.id)
+					.where("menu_id", "=", menu.id)
+					.execute();
+			}
+			return trx
+				.selectFrom("_emdash_menu_items")
+				.selectAll()
 				.where("menu_id", "=", menu.id)
+				.orderBy("sort_order", "asc")
 				.execute();
-		}
-		const updatedItems = await db
-			.selectFrom("_emdash_menu_items")
-			.selectAll()
-			.where("menu_id", "=", menu.id)
-			.orderBy("sort_order", "asc")
-			.execute();
+		});
 		return { success: true, data: updatedItems };
 	} catch {

package/src/api/handlers/redirects.ts CHANGED Viewed

@@ -4,6 +4,7 @@
 import type { Kysely } from "kysely";
+import { OptionsRepository } from "../../database/repositories/options.js";
 import {
 	RedirectRepository,
 	type Redirect,
@@ -12,6 +13,7 @@ import {
 } from "../../database/repositories/redirect.js";
 import type { FindManyResult } from "../../database/repositories/types.js";
 import type { Database } from "../../database/types.js";
+import { wouldCreateLoop, detectLoops, type RedirectEdge } from "../../redirects/loops.js";
 import { validatePattern, validateDestinationParams, isPattern } from "../../redirects/patterns.js";
 import type { ApiResult } from "../types.js";
@@ -32,11 +34,20 @@ export async function handleRedirectList(
 		enabled?: boolean;
 		auto?: boolean;
 	},
-): Promise<ApiResult<FindManyResult<Redirect>>> {
+): Promise<ApiResult<FindManyResult<Redirect> & { loopRedirectIds?: string[] }>> {
 	try {
 		const repo = new RedirectRepository(db);
 		const result = await repo.findMany(params);
-		return { success: true, data: result };
+		const loopRedirectIds = await getLoopRedirectIds(db);
+		return {
+			success: true,
+			data: {
+				...result,
+				...(loopRedirectIds.length > 0 ? { loopRedirectIds } : {}),
+			},
+		};
 	} catch {
 		return {
 			success: false,
@@ -105,6 +116,13 @@ export async function handleRedirectCreate(
 			};
 		}
+		// Check for redirect loops (skip if creating as disabled)
+		if (input.enabled !== false) {
+			const edges = toEdges(await repo.findAllEnabled());
+			const loopPath = wouldCreateLoop(input.source, input.destination, edges);
+			if (loopPath) return loopError(loopPath);
+		}
 		const redirect = await repo.create({
 			source: input.source,
 			destination: input.destination,
@@ -219,7 +237,8 @@ export async function handleRedirectUpdate(
 		}
 		// Validate destination params against the (possibly updated) source
-		if (isPattern(newSource)) {
+		const newSourceIsPattern = isPattern(newSource);
+		if (newSourceIsPattern) {
 			const destError = validateDestinationParams(newSource, newDest);
 			if (destError) {
 				return {
@@ -229,6 +248,13 @@ export async function handleRedirectUpdate(
 			}
 		}
+		// Check for redirect loops if source or destination changed
+		if (input.source !== undefined || input.destination !== undefined) {
+			const edges = toEdges(await repo.findAllEnabled());
+			const loopPath = wouldCreateLoop(newSource, newDest, edges, id);
+			if (loopPath) return loopError(loopPath);
+		}
 		const updated = await repo.update(id, {
 			source: input.source,
 			destination: input.destination,
@@ -244,6 +270,9 @@ export async function handleRedirectUpdate(
 			};
 		}
+		// Recompute cache — redirect was modified, so re-fetch
+		await updateLoopCache(db);
 		return { success: true, data: updated };
 	} catch {
 		return {
@@ -271,6 +300,8 @@ export async function handleRedirectDelete(
 			};
 		}
+		await updateLoopCache(db);
 		return { success: true, data: { deleted: true } };
 	} catch {
 		return {
@@ -280,6 +311,67 @@ export async function handleRedirectDelete(
 	}
 }
+// ---------------------------------------------------------------------------
+// Loop analysis cache
+// ---------------------------------------------------------------------------
+function loopError(loopPath: string[]): ApiResult<never> {
+	const hops = loopPath
+		.slice(0, -1)
+		.map((p, i) => `${p} \u2192 ${loopPath[i + 1]!}`)
+		.join("\n");
+	return {
+		success: false,
+		error: {
+			code: "VALIDATION_ERROR",
+			message: `This redirect would create a loop:\n${hops}`,
+		},
+	};
+}
+function toEdges(redirects: Redirect[]): RedirectEdge[] {
+	return redirects.map((r) => ({
+		id: r.id,
+		source: r.source,
+		destination: r.destination,
+		enabled: r.enabled,
+		isPattern: r.isPattern,
+	}));
+}
+const LOOP_CACHE_KEY = "_redirect_loop_ids";
+/**
+ * Recompute loop redirect IDs and store in the options table.
+ */
+async function updateLoopCache(db: Kysely<Database>): Promise<void> {
+	try {
+		const options = new OptionsRepository(db);
+		const edges = toEdges(await new RedirectRepository(db).findAllEnabled());
+		const loopRedirectIds = detectLoops(edges);
+		await options.set(LOOP_CACHE_KEY, loopRedirectIds);
+	} catch (error) {
+		console.error("Failed to update redirect loop cache:", error);
+	}
+}
+/**
+ * Get loop redirect IDs from cache, computing lazily on first access.
+ */
+async function getLoopRedirectIds(db: Kysely<Database>): Promise<string[]> {
+	try {
+		const options = new OptionsRepository(db);
+		const cached = await options.get<string[]>(LOOP_CACHE_KEY);
+		if (cached !== null) return cached;
+		// First access after upgrade — compute and cache
+		await updateLoopCache(db);
+		return (await options.get<string[]>(LOOP_CACHE_KEY)) ?? [];
+	} catch {
+		return [];
+	}
+}
 // ---------------------------------------------------------------------------
 // 404 Log
 // ---------------------------------------------------------------------------

package/src/api/schemas/redirects.ts CHANGED Viewed

@@ -120,6 +120,7 @@ export const redirectListResponseSchema = z
 	.object({
 		items: z.array(redirectSchema),
 		nextCursor: z.string().optional(),
+		loopRedirectIds: z.array(z.string()).optional(),
 	})
 	.meta({ id: "RedirectListResponse" });

package/src/astro/integration/index.ts CHANGED Viewed

@@ -228,10 +228,9 @@ export function emdash(config: EmDashConfig = {}): AstroIntegration {
 					injectBuiltinAuthRoutes(injectRoute);
 				}
-				// Inject MCP endpoint when enabled
-				if (resolvedConfig.mcp) {
+				// Inject MCP endpoint (always on — bearer-token-only, no cost if unused)
+				if (resolvedConfig.mcp !== false) {
 					injectMcpRoute(injectRoute);
-					logger.info("MCP server enabled at /_emdash/api/mcp");
 				}
 				// In playground mode, inject the playground middleware FIRST.

package/src/astro/integration/runtime.ts CHANGED Viewed

@@ -223,23 +223,17 @@ export interface EmDashConfig {
 	auth?: AuthDescriptor;
 	/**
-	 * Enable the MCP (Model Context Protocol) server endpoint.
+	 * MCP (Model Context Protocol) server endpoint.
 	 *
-	 * When enabled, exposes an MCP Streamable HTTP server at
-	 * `/_emdash/api/mcp` that allows AI agents and tools to interact
-	 * with the CMS using the standardized MCP protocol.
+	 * Exposes an MCP Streamable HTTP server at `/_emdash/api/mcp`
+	 * that allows AI agents and tools to interact with the CMS using
+	 * the standardized MCP protocol.
 	 *
-	 * Authentication is handled by the existing EmDash auth middleware —
-	 * agents must authenticate with an API token or session cookie.
+	 * Enabled by default. The endpoint requires bearer token auth, so
+	 * it has no effect unless the user creates an API token and
+	 * configures a client. Set to `false` to disable.
 	 *
-	 * @default false
-	 *
-	 * @example
-	 * ```ts
-	 * emdash({
-	 *   mcp: true,
-	 * })
-	 * ```
+	 * @default true
 	 */
 	mcp?: boolean;

package/src/astro/integration/vite-config.ts CHANGED Viewed

@@ -13,6 +13,7 @@ import { fileURLToPath } from "node:url";
 import type { AstroConfig } from "astro";
 import type { Plugin } from "vite";
+import { COMMIT, VERSION } from "../../version.js";
 import type { EmDashConfig, PluginDescriptor } from "./runtime.js";
 import {
 	VIRTUAL_CONFIG_ID,
@@ -278,6 +279,15 @@ export function createViteConfig(
 	const useSource = adminSourcePath !== undefined;
 	return {
+		// Astro SSR routes resolve version.ts from source (not tsdown dist),
+		// so Vite needs its own define pass for the __EMDASH_*__ placeholders.
+		define: {
+			__EMDASH_VERSION__: JSON.stringify(VERSION),
+			__EMDASH_COMMIT__: JSON.stringify(COMMIT),
+			__EMDASH_PSEUDO_LOCALE__: JSON.stringify(
+				isDev && process.env["EMDASH_PSEUDO_LOCALE"] === "1",
+			),
+		},
 		resolve: {
 			dedupe: ["@emdash-cms/admin", "react", "react-dom"],
 			// Array form so more-specific entries are checked first.
@@ -286,10 +296,6 @@ export function createViteConfig(
 			// "@emdash-cms/admin/styles.css" through the source directory.
 			alias: [
 				{ find: "@emdash-cms/admin/styles.css", replacement: resolve(adminDistPath, "styles.css") },
-				{
-					find: "@emdash-cms/admin/locales/*",
-					replacement: resolve(adminDistPath, "locales", "*"),
-				},
 				{ find: "@emdash-cms/admin", replacement: useSource ? adminSourcePath : adminDistPath },
 			],
 		},
@@ -342,6 +348,10 @@ export function createViteConfig(
 							"emdash > @emdash-cms/auth > @oslojs/crypto/ecdsa",
 							"emdash > @emdash-cms/auth > @oslojs/crypto/sha2",
 							"emdash > @emdash-cms/auth > @oslojs/webauthn",
+							// MCP SDK — server/index.js statically imports ajv (CJS-only).
+							// Pre-bundling converts CJS to ESM so workerd can load it.
+							"emdash > @modelcontextprotocol/sdk > ajv",
+							"emdash > @modelcontextprotocol/sdk > ajv-formats",
 							// React (commonly used, may be hoisted)
 							"react",
 							"react/jsx-dev-runtime",

package/src/astro/middleware/redirect.ts CHANGED Viewed

@@ -17,6 +17,11 @@
 import { defineMiddleware } from "astro:middleware";
 import { RedirectRepository } from "../../database/repositories/redirect.js";
+import {
+	getCachedPatternRules,
+	matchCachedPatterns,
+	setCachedPatternRules,
+} from "../../redirects/cache.js";
 /** Paths that should never be intercepted by redirects */
 const SKIP_PREFIXES = ["/_emdash", "/_image"];
@@ -48,21 +53,31 @@ export const onRequest = defineMiddleware(async (context, next) => {
 	try {
 		const repo = new RedirectRepository(emdash.db);
-		const match = await repo.matchPath(pathname);
-		if (match) {
-			// Reject protocol-relative URLs (e.g. //evil.com or /\evil.com) from interpolation.
-			// Browsers normalize backslashes to forward slashes, so /\ is equivalent to //.
-			if (
-				match.resolvedDestination.startsWith("//") ||
-				match.resolvedDestination.startsWith("/\\")
-			) {
-				return next();
-			}
-			// Fire-and-forget hit recording (don't block the redirect)
-			repo.recordHit(match.redirect.id).catch(() => {});
-			const code = isRedirectCode(match.redirect.type) ? match.redirect.type : 301;
-			return context.redirect(match.resolvedDestination, code);
+		// 1. Exact match (fast, indexed)
+		const exact = await repo.findExactMatch(pathname);
+		if (exact) {
+			const dest = exact.destination;
+			if (dest.startsWith("//") || dest.startsWith("/\\")) return next();
+			repo.recordHit(exact.id).catch(() => {});
+			const code = isRedirectCode(exact.type) ? exact.type : 301;
+			return context.redirect(dest, code);
+		}
+		// 2. Pattern match (cached: compile once, match every request)
+		let rules = getCachedPatternRules();
+		if (!rules) {
+			const patterns = await repo.findEnabledPatternRules();
+			rules = setCachedPatternRules(patterns);
+		}
+		const patternMatch = matchCachedPatterns(rules, pathname);
+		if (patternMatch) {
+			const { redirect, destination } = patternMatch;
+			if (destination.startsWith("//") || destination.startsWith("/\\")) return next();
+			repo.recordHit(redirect.id).catch(() => {});
+			const code = isRedirectCode(redirect.type) ? redirect.type : 301;
+			return context.redirect(destination, code);
 		}
 		// No redirect matched -- proceed and check for 404

package/src/astro/middleware.ts CHANGED Viewed

@@ -160,20 +160,15 @@ async function getRuntime(config: EmDashConfig): Promise<EmDashRuntime> {
  * Baseline security headers applied to all responses.
  * Admin routes get additional headers (strict CSP) from auth middleware.
  */
-function setBaselineSecurityHeaders(response: Response): void {
-	// Prevent MIME type sniffing
-	response.headers.set("X-Content-Type-Options", "nosniff");
-	// Control referrer information
-	response.headers.set("Referrer-Policy", "strict-origin-when-cross-origin");
-	// Restrict access to sensitive browser APIs
-	response.headers.set(
-		"Permissions-Policy",
-		"camera=(), microphone=(), geolocation=(), payment=()",
-	);
-	// Prevent clickjacking (non-admin routes; admin CSP uses frame-ancestors)
-	if (!response.headers.has("Content-Security-Policy")) {
-		response.headers.set("X-Frame-Options", "SAMEORIGIN");
+function setBaselineSecurityHeaders(response: Response): Response {
+	const res = new Response(response.body, response);
+	res.headers.set("X-Content-Type-Options", "nosniff");
+	res.headers.set("Referrer-Policy", "strict-origin-when-cross-origin");
+	res.headers.set("Permissions-Policy", "camera=(), microphone=(), geolocation=(), payment=()");
+	if (!res.headers.has("Content-Security-Policy")) {
+		res.headers.set("X-Frame-Options", "SAMEORIGIN");
 	}
+	return res;
 }
 /** Public routes that require the runtime (sitemap, robots.txt, etc.) */
@@ -245,8 +240,7 @@ export const onRequest = defineMiddleware(async (context, next) => {
 			}
 			const response = await next();
-			setBaselineSecurityHeaders(response);
-			return response;
+			return setBaselineSecurityHeaders(response);
 		}
 	}
@@ -416,8 +410,7 @@ export const onRequest = defineMiddleware(async (context, next) => {
 				// Wrap the request in ALS with the per-request db
 				return runWithContext({ editMode: false, db: sessionDb }, async () => {
-					const response = await next();
-					setBaselineSecurityHeaders(response);
+					const response = setBaselineSecurityHeaders(await next());
 					// Set bookmark cookie for authenticated users only — they need
 					// read-your-writes consistency across requests. Anonymous visitors
@@ -445,8 +438,7 @@ export const onRequest = defineMiddleware(async (context, next) => {
 		}
 		const response = await next();
-		setBaselineSecurityHeaders(response);
-		return response;
+		return setBaselineSecurityHeaders(response);
 	}; // end doInit
 	if (playgroundDb) {

package/src/astro/routes/admin.astro CHANGED Viewed

@@ -12,10 +12,10 @@ import AdminWrapper from "emdash/routes/PluginRegistry";
 export const prerender = false;
-import { resolveLocale } from "@emdash-cms/admin/locales";
+import { resolveLocale, loadMessages } from "@emdash-cms/admin/locales";
 const resolvedLocale = resolveLocale(Astro.request);
-const { messages } = await import(`@emdash-cms/admin/locales/${resolvedLocale}/messages.mjs`);
+const messages = await loadMessages(resolvedLocale);
 ---
 <!doctype html>

package/src/astro/routes/api/admin/bylines/[id]/index.ts CHANGED Viewed

@@ -5,6 +5,7 @@ import { requirePerm } from "#api/authorize.js";
 import { apiError, apiSuccess, handleError } from "#api/error.js";
 import { isParseError, parseBody } from "#api/parse.js";
 import { bylineUpdateBody } from "#api/schemas.js";
+import { invalidateBylineCache } from "#bylines/index.js";
 import { BylineRepository } from "#db/repositories/byline.js";
 export const prerender = false;
@@ -61,6 +62,7 @@ export const PUT: APIRoute = async ({ params, request, locals }) => {
 		});
 		if (!byline) return apiError("NOT_FOUND", "Byline not found", 404);
+		invalidateBylineCache();
 		return apiSuccess(byline);
 	} catch (error) {
 		return handleError(error, "Failed to update byline", "BYLINE_UPDATE_ERROR");
@@ -80,6 +82,7 @@ export const DELETE: APIRoute = async ({ params, locals }) => {
 		const repo = new BylineRepository(emdash.db);
 		const deleted = await repo.delete(params.id!);
 		if (!deleted) return apiError("NOT_FOUND", "Byline not found", 404);
+		invalidateBylineCache();
 		return apiSuccess({ deleted: true });
 	} catch (error) {
 		return handleError(error, "Failed to delete byline", "BYLINE_DELETE_ERROR");

package/src/astro/routes/api/admin/bylines/index.ts CHANGED Viewed

@@ -5,6 +5,7 @@ import { requirePerm } from "#api/authorize.js";
 import { apiError, apiSuccess, handleError } from "#api/error.js";
 import { isParseError, parseBody, parseQuery } from "#api/parse.js";
 import { bylineCreateBody, bylinesListQuery } from "#api/schemas.js";
+import { invalidateBylineCache } from "#bylines/index.js";
 import { BylineRepository } from "#db/repositories/byline.js";
 export const prerender = false;
@@ -65,6 +66,7 @@ export const POST: APIRoute = async ({ request, locals }) => {
 			isGuest: body.isGuest,
 		});
+		invalidateBylineCache();
 		return apiSuccess(byline, 201);
 	} catch (error) {
 		return handleError(error, "Failed to create byline", "BYLINE_CREATE_ERROR");