emdash 0.3.0 → 0.4.0

package/src/astro/middleware.ts

@@ -160,20 +160,15 @@ async function getRuntime(config: EmDashConfig): Promise<EmDashRuntime> {
  * Baseline security headers applied to all responses.
  * Admin routes get additional headers (strict CSP) from auth middleware.
  */
-function setBaselineSecurityHeaders(response: Response): void {
-	// Prevent MIME type sniffing
-	response.headers.set("X-Content-Type-Options", "nosniff");
-	// Control referrer information
-	response.headers.set("Referrer-Policy", "strict-origin-when-cross-origin");
-	// Restrict access to sensitive browser APIs
-	response.headers.set(
-		"Permissions-Policy",
-		"camera=(), microphone=(), geolocation=(), payment=()",
-	);
-	// Prevent clickjacking (non-admin routes; admin CSP uses frame-ancestors)
-	if (!response.headers.has("Content-Security-Policy")) {
-		response.headers.set("X-Frame-Options", "SAMEORIGIN");
+function setBaselineSecurityHeaders(response: Response): Response {
+	const res = new Response(response.body, response);
+	res.headers.set("X-Content-Type-Options", "nosniff");
+	res.headers.set("Referrer-Policy", "strict-origin-when-cross-origin");
+	res.headers.set("Permissions-Policy", "camera=(), microphone=(), geolocation=(), payment=()");
+	if (!res.headers.has("Content-Security-Policy")) {
+		res.headers.set("X-Frame-Options", "SAMEORIGIN");
 	}
+	return res;
 }
 
 /** Public routes that require the runtime (sitemap, robots.txt, etc.) */
@@ -245,8 +240,7 @@ export const onRequest = defineMiddleware(async (context, next) => {
 			}
 
 			const response = await next();
-			setBaselineSecurityHeaders(response);
-			return response;
+			return setBaselineSecurityHeaders(response);
 		}
 	}
 
@@ -416,8 +410,7 @@ export const onRequest = defineMiddleware(async (context, next) => {
 
 				// Wrap the request in ALS with the per-request db
 				return runWithContext({ editMode: false, db: sessionDb }, async () => {
-					const response = await next();
-					setBaselineSecurityHeaders(response);
+					const response = setBaselineSecurityHeaders(await next());
 
 					// Set bookmark cookie for authenticated users only — they need
 					// read-your-writes consistency across requests. Anonymous visitors
@@ -445,8 +438,7 @@ export const onRequest = defineMiddleware(async (context, next) => {
 		}
 
 		const response = await next();
-		setBaselineSecurityHeaders(response);
-		return response;
+		return setBaselineSecurityHeaders(response);
 	}; // end doInit
 
 	if (playgroundDb) {

package/src/astro/routes/api/admin/bylines/[id]/index.ts

@@ -5,6 +5,7 @@ import { requirePerm } from "#api/authorize.js";
 import { apiError, apiSuccess, handleError } from "#api/error.js";
 import { isParseError, parseBody } from "#api/parse.js";
 import { bylineUpdateBody } from "#api/schemas.js";
+import { invalidateBylineCache } from "#bylines/index.js";
 import { BylineRepository } from "#db/repositories/byline.js";
 
 export const prerender = false;
@@ -61,6 +62,7 @@ export const PUT: APIRoute = async ({ params, request, locals }) => {
 		});
 
 		if (!byline) return apiError("NOT_FOUND", "Byline not found", 404);
+		invalidateBylineCache();
 		return apiSuccess(byline);
 	} catch (error) {
 		return handleError(error, "Failed to update byline", "BYLINE_UPDATE_ERROR");
@@ -80,6 +82,7 @@ export const DELETE: APIRoute = async ({ params, locals }) => {
 		const repo = new BylineRepository(emdash.db);
 		const deleted = await repo.delete(params.id!);
 		if (!deleted) return apiError("NOT_FOUND", "Byline not found", 404);
+		invalidateBylineCache();
 		return apiSuccess({ deleted: true });
 	} catch (error) {
 		return handleError(error, "Failed to delete byline", "BYLINE_DELETE_ERROR");

package/src/astro/routes/api/admin/bylines/index.ts

@@ -5,6 +5,7 @@ import { requirePerm } from "#api/authorize.js";
 import { apiError, apiSuccess, handleError } from "#api/error.js";
 import { isParseError, parseBody, parseQuery } from "#api/parse.js";
 import { bylineCreateBody, bylinesListQuery } from "#api/schemas.js";
+import { invalidateBylineCache } from "#bylines/index.js";
 import { BylineRepository } from "#db/repositories/byline.js";
 
 export const prerender = false;
@@ -65,6 +66,7 @@ export const POST: APIRoute = async ({ request, locals }) => {
 			isGuest: body.isGuest,
 		});
 
+		invalidateBylineCache();
 		return apiSuccess(byline, 201);
 	} catch (error) {
 		return handleError(error, "Failed to create byline", "BYLINE_CREATE_ERROR");

package/src/astro/routes/api/redirects/[id].ts

@@ -17,6 +17,7 @@ import {
 } from "#api/handlers/redirects.js";
 import { isParseError, parseBody } from "#api/parse.js";
 import { updateRedirectBody } from "#api/schemas.js";
+import { invalidateRedirectCache } from "#redirects/cache.js";
 
 export const prerender = false;
 
@@ -57,6 +58,7 @@ export const PUT: APIRoute = async ({ params, request, locals }) => {
 		if (isParseError(body)) return body;
 
 		const result = await handleRedirectUpdate(db, id, body);
+		invalidateRedirectCache();
 		return unwrapResult(result);
 	} catch (error) {
 		return handleError(error, "Failed to update redirect", "REDIRECT_UPDATE_ERROR");
@@ -77,6 +79,7 @@ export const DELETE: APIRoute = async ({ params, locals }) => {
 
 	try {
 		const result = await handleRedirectDelete(db, id);
+		invalidateRedirectCache();
 		return unwrapResult(result);
 	} catch (error) {
 		return handleError(error, "Failed to delete redirect", "REDIRECT_DELETE_ERROR");

package/src/astro/routes/api/redirects/index.ts

@@ -12,6 +12,7 @@ import { handleError, unwrapResult } from "#api/error.js";
 import { handleRedirectCreate, handleRedirectList } from "#api/handlers/redirects.js";
 import { isParseError, parseBody, parseQuery } from "#api/parse.js";
 import { createRedirectBody, redirectsListQuery } from "#api/schemas.js";
+import { invalidateRedirectCache } from "#redirects/cache.js";
 
 export const prerender = false;
 
@@ -45,6 +46,7 @@ export const POST: APIRoute = async ({ request, locals }) => {
 		if (isParseError(body)) return body;
 
 		const result = await handleRedirectCreate(db, body);
+		invalidateRedirectCache();
 		return unwrapResult(result, 201);
 	} catch (error) {
 		return handleError(error, "Failed to create redirect", "REDIRECT_CREATE_ERROR");

package/src/astro/routes/api/schema/collections/[slug]/index.ts

@@ -59,6 +59,7 @@ export const PUT: APIRoute = async ({ params, request, locals }) => {
 		// eslint-disable-next-line typescript-eslint(no-unsafe-type-assertion) -- parseBody validates via Zod
 		body as UpdateCollectionInput,
 	);
+	emdash!.invalidateManifest();
 	return unwrapResult(result);
 };
 
@@ -76,5 +77,6 @@ export const DELETE: APIRoute = async ({ params, url, locals }) => {
 	const result = await handleSchemaCollectionDelete(emdash!.db, slug, {
 		force,
 	});
+	emdash!.invalidateManifest();
 	return unwrapResult(result);
 };

package/src/astro/routes/api/schema/collections/index.ts

@@ -43,5 +43,6 @@ export const POST: APIRoute = async ({ request, locals }) => {
 
 	// eslint-disable-next-line typescript-eslint(no-unsafe-type-assertion) -- Zod schema output narrowed to CreateCollectionInput
 	const result = await handleSchemaCollectionCreate(emdash!.db, body as CreateCollectionInput);
+	emdash!.invalidateManifest();
 	return unwrapResult(result, 201);
 };

package/src/bylines/index.ts

@@ -14,6 +14,48 @@ import { validateIdentifier } from "../database/validate.js";
 import { getDb } from "../loader.js";
 import { chunks, SQL_BATCH_SIZE } from "../utils/chunks.js";
 
+/**
+ * Cached result of "does any byline exist in the database?"
+ * null = not yet checked, true/false = cached result.
+ * Invalidated when bylines are created or deleted.
+ */
+let hasBylines: boolean | null = null;
+
+/**
+ * Invalidate the cached "has any bylines" check.
+ * Call this when bylines are created, updated, or deleted.
+ */
+export function invalidateBylineCache(): void {
+	hasBylines = null;
+}
+
+/**
+ * Check if any bylines exist in the database. Result is cached
+ * for the lifetime of the worker/process and invalidated on writes.
+ */
+async function hasAnyBylines(): Promise<boolean> {
+	if (hasBylines !== null) return hasBylines;
+
+	try {
+		const db = await getDb();
+		const result = await sql<{ id: string }>`
+			SELECT id FROM _emdash_bylines LIMIT 1
+		`.execute(db);
+		hasBylines = result.rows.length > 0;
+	} catch (error: unknown) {
+		// Only treat "no such table" as a safe false -- anything else should
+		// not be cached so the next request retries.
+		const message = error instanceof Error ? error.message : "";
+		if (message.includes("no such table")) {
+			hasBylines = false;
+		} else {
+			return false;
+		}
+	}
+
+	return hasBylines;
+}
+
 /**
  * Get a byline by ID.
  *
@@ -134,6 +176,12 @@ export async function getBylinesForEntries(
 		return result;
 	}
 
+	// Skip DB queries entirely when no bylines have been created.
+	// The cache is invalidated when bylines are created/deleted.
+	if (!(await hasAnyBylines())) {
+		return result;
+	}
+
 	const db = await getDb();
 	const repo = new BylineRepository(db);
 

package/src/cleanup.ts

@@ -121,11 +121,11 @@ export async function runSystemCleanup(
  * them down to REVISION_KEEP_COUNT.
  */
 async function pruneExcessiveRevisions(db: Kysely<Database>): Promise<number> {
-	const entries = await sql<{ collection: string; entry_id: string; cnt: number }>`
-		SELECT collection, entry_id, COUNT(*) as cnt
+	const entries = await sql<{ collection: string; entry_id: string }>`
+		SELECT collection, entry_id
 		FROM revisions
 		GROUP BY collection, entry_id
-		HAVING cnt > ${REVISION_PRUNE_THRESHOLD}
+		HAVING COUNT(*) > ${REVISION_PRUNE_THRESHOLD}
 	`.execute(db);
 
 	if (entries.rows.length === 0) return 0;

package/src/cli/commands/bundle-utils.ts

@@ -196,11 +196,7 @@ export async function resolveSourceEntry(
 ): Promise<string | undefined> {
 	const cleaned = distPath.replace(LEADING_DOT_SLASH_RE, "");
 
-	// Try the path directly (might be source already)
-	const direct = resolve(pluginDir, cleaned);
-	if (await fileExists(direct)) return direct;
-
-	// Convert dist path to src: dist/foo.mjs → src/foo.ts
+	// Prefer source over dist — dist/foo.mjs → src/foo.ts
 	const srcPath = cleaned.replace(DIST_PREFIX_RE, "src/").replace(MJS_EXT_RE, ".ts");
 	const srcFull = resolve(pluginDir, srcPath);
 	if (await fileExists(srcFull)) return srcFull;
@@ -210,6 +206,10 @@ export async function resolveSourceEntry(
 	const tsxFull = resolve(pluginDir, tsxPath);
 	if (await fileExists(tsxFull)) return tsxFull;
 
+	// Fall back to direct path (might be source already, or pre-compiled plugin)
+	const direct = resolve(pluginDir, cleaned);
+	if (await fileExists(direct)) return direct;
+
 	return undefined;
 }
 

package/src/database/migrations/011_sections.ts

@@ -58,8 +58,8 @@ export async function up(db: Kysely<unknown>): Promise<void> {
 }
 
 export async function down(db: Kysely<unknown>): Promise<void> {
-	await db.schema.dropIndex("idx_content_taxonomies_term").execute();
-	await db.schema.dropIndex("idx_media_mime_type").execute();
+	await db.schema.dropIndex("idx_sections_source").execute();
+	await db.schema.dropIndex("idx_sections_category").execute();
 	await db.schema.dropTable("_emdash_sections").execute();
 	await db.schema.dropTable("_emdash_section_categories").execute();
 }

package/src/database/migrations/runner.ts

@@ -1,4 +1,4 @@
-import { type Kysely, type Migration, type MigrationProvider, Migrator } from "kysely";
+import { type Kysely, type Migration, type MigrationProvider, Migrator, sql } from "kysely";
 
 import type { Database } from "../types.js";
 // Import migrations statically for bundling
@@ -122,9 +122,30 @@ export async function getMigrationStatus(db: Kysely<Database>): Promise<Migratio
 }
 
 /**
- * Run all pending migrations
+ * Run all pending migrations.
+ *
+ * Includes a fast-path: if the migration table already exists and contains
+ * exactly MIGRATION_COUNT rows, all migrations have been applied and we can
+ * skip the Kysely Migrator entirely. This avoids the expensive
+ * `pragma_table_info` introspection that Kysely runs for every table in the
+ * database (twice!) just to check if the migration tables exist.
+ * On D1 with ~57 tables, that's ~116 queries saved per init.
  */
 export async function runMigrations(db: Kysely<Database>): Promise<{ applied: string[] }> {
+	// Fast path: check if all migrations are already applied.
+	// A single cheap query vs the Migrator's full schema introspection.
+	try {
+		const result = await sql<{ count: number }>`
+			SELECT COUNT(*) as count FROM ${sql.ref(MIGRATION_TABLE)}
+		`.execute(db);
+		if (result.rows[0]?.count === MIGRATION_COUNT) {
+			return { applied: [] };
+		}
+	} catch {
+		// Table doesn't exist yet (first run). Fall through to the Migrator
+		// which will create it.
+	}
+
 	const migrator = new Migrator({
 		db,
 		provider: new StaticMigrationProvider(),

package/src/database/repositories/byline.ts

@@ -3,6 +3,7 @@ import { ulid } from "ulidx";
 
 import { chunks, SQL_BATCH_SIZE } from "../../utils/chunks.js";
 import { listTablesLike } from "../dialect-helpers.js";
+import { withTransaction } from "../transaction.js";
 import type { BylineTable, Database } from "../types.js";
 import { validateIdentifier } from "../validate.js";
 import {
@@ -197,7 +198,7 @@ export class BylineRepository {
 		const existing = await this.findById(id);
 		if (!existing) return false;
 
-		await this.db.transaction().execute(async (trx) => {
+		await withTransaction(this.db, async (trx) => {
 			await trx.deleteFrom("_emdash_content_bylines").where("byline_id", "=", id).execute();
 
 			await trx.deleteFrom("_emdash_bylines").where("id", "=", id).execute();

package/src/emdash-runtime.ts

@@ -37,6 +37,7 @@ import type {
 	PageMetadataContribution,
 	PageFragmentContribution,
 } from "./plugins/types.js";
+import { invalidateUrlPatternCache } from "./query.js";
 import type { FieldType } from "./schema/types.js";
 import { hashString } from "./utils/hash.js";
 import { COMMIT, VERSION } from "./version.js";
@@ -57,6 +58,7 @@ const VALID_LINK_REL = new Set([
 	"alternate",
 	"author",
 	"license",
+	"nlweb",
 	"site.standard.document",
 ]);
 
@@ -1367,11 +1369,12 @@ export class EmDashRuntime {
 	}
 
 	/**
-	 * Invalidate the cached manifest (no-op now that we don't cache).
-	 * Kept for API compatibility.
+	 * Invalidate cached data derived from the manifest/schema.
+	 * Called when collections are created, updated, or deleted.
 	 */
 	invalidateManifest(): void {
-		// No-op - manifest is rebuilt on each request
+		// Invalidate the URL pattern cache used by resolveEmDashPath
+		invalidateUrlPatternCache();
 	}
 
 	// =========================================================================
@@ -1613,7 +1616,7 @@ export class EmDashRuntime {
 
 		// Run afterDelete hooks (fire-and-forget)
 		if (result.success) {
-			this.runAfterDeleteHooks(id, collection);
+			this.runAfterDeleteHooks(id, collection, false);
 		}
 
 		return result;
@@ -1635,7 +1638,14 @@ export class EmDashRuntime {
 	}
 
 	async handleContentPermanentDelete(collection: string, id: string) {
-		return handleContentPermanentDelete(this.db, collection, id);
+		const result = await handleContentPermanentDelete(this.db, collection, id);
+
+		// Run afterDelete hooks so plugins (e.g. AI Search) can clean up
+		if (result.success) {
+			this.runAfterDeleteHooks(id, collection, true);
+		}
+
+		return result;
 	}
 
 	async handleContentCountTrashed(collection: string) {
@@ -2010,11 +2020,11 @@ export class EmDashRuntime {
 		}
 	}
 
-	private runAfterDeleteHooks(id: string, collection: string): void {
+	private runAfterDeleteHooks(id: string, collection: string, permanent: boolean): void {
 		// Trusted plugins
 		if (this.hooks.hasHooks("content:afterDelete")) {
 			this.hooks
-				.runContentAfterDelete(id, collection)
+				.runContentAfterDelete(id, collection, permanent)
 				.catch((err) => console.error("EmDash afterDelete hook error:", err));
 		}
 
@@ -2024,7 +2034,7 @@ export class EmDashRuntime {
 			if (!pluginId || !this.isPluginEnabled(pluginId)) continue;
 
 			plugin
-				.invokeHook("content:afterDelete", { id, collection })
+				.invokeHook("content:afterDelete", { id, collection, permanent })
 				.catch((err) =>
 					console.error(`EmDash: Sandboxed plugin ${pluginId} afterDelete error:`, err),
 				);

package/src/index.ts

@@ -213,6 +213,8 @@ export type {
 	ResolvedHook,
 	ResolvedPluginHooks,
 	ContentHookEvent,
+	ContentDeleteEvent,
+	ContentPublishStateChangeEvent,
 	MediaUploadEvent,
 	HookResult,
 	PluginRoute,

package/src/mcp/server.ts

@@ -1257,26 +1257,8 @@ export function createMcpServer(): McpServer {
 			requireScope(extra, "content:read");
 			const ec = getEmDash(extra);
 			try {
-				const rows = (await ec.db
-					.selectFrom("_emdash_taxonomy_defs" as never)
-					.selectAll()
-					.execute()) as Array<{
-					id: string;
-					name: string;
-					label: string;
-					label_singular: string | null;
-					hierarchical: number;
-					collections: string | null;
-				}>;
-				const taxonomies = rows.map((row) => ({
-					id: row.id,
-					name: row.name,
-					label: row.label,
-					labelSingular: row.label_singular ?? undefined,
-					hierarchical: row.hierarchical === 1,
-					collections: row.collections ? JSON.parse(row.collections) : [],
-				}));
-				return jsonResult(taxonomies);
+				const { handleTaxonomyList } = await import("../api/handlers/taxonomies.js");
+				return unwrap(await handleTaxonomyList(ec.db));
 			} catch (error) {
 				return errorResult(error);
 			}
@@ -1302,32 +1284,44 @@ export function createMcpServer(): McpServer {
 			requireScope(extra, "content:read");
 			const ec = getEmDash(extra);
 			try {
-				const taxonomy = (await ec.db
-					.selectFrom("_emdash_taxonomy_defs" as never)
-					.select("id" as never)
-					.where("name" as never, "=", args.taxonomy as never)
-					.executeTakeFirst()) as { id: string } | undefined;
-
+				// Verify taxonomy exists via handler layer
+				const { handleTaxonomyList } = await import("../api/handlers/taxonomies.js");
+				const listResult = await handleTaxonomyList(ec.db);
+				if (!listResult.success) return unwrap(listResult);
+
+				const taxonomies = (listResult.data as { taxonomies: Array<{ name: string; id?: string }> })
+					.taxonomies;
+				const taxonomy = taxonomies.find((t: { name: string }) => t.name === args.taxonomy);
 				if (!taxonomy) return errorResult(`Taxonomy '${args.taxonomy}' not found`);
 
+				// Paginated term query via repository (avoids N+1 of handleTermList)
+				const { TaxonomyRepository } = await import("../database/repositories/taxonomy.js");
+				const repo = new TaxonomyRepository(ec.db);
 				const limit = Math.min(args.limit ?? 50, 100);
-				let query = ec.db
-					.selectFrom("_emdash_taxonomy_terms" as never)
-					.selectAll()
-					.where("taxonomy_id" as never, "=", taxonomy.id as never)
-					.orderBy("label" as never, "asc")
-					.limit(limit + 1);
+				const terms = await repo.findByName(args.taxonomy);
 
+				// Manual cursor pagination over the sorted results
+				let startIdx = 0;
 				if (args.cursor) {
-					query = query.where("id" as never, ">" as never, args.cursor as never);
+					const cursorIdx = terms.findIndex((t) => t.id === args.cursor);
+					if (cursorIdx >= 0) startIdx = cursorIdx + 1;
 				}
 
-				const rows = (await query.execute()) as Array<{ id: string }>;
-				const hasMore = rows.length > limit;
-				const items = hasMore ? rows.slice(0, limit) : rows;
-				const nextCursor = hasMore ? items.at(-1)?.id : undefined;
-
-				return jsonResult({ items, nextCursor });
+				const page = terms.slice(startIdx, startIdx + limit);
+				const hasMore = startIdx + limit < terms.length;
+				const nextCursor = hasMore ? page.at(-1)?.id : undefined;
+
+				return jsonResult({
+					items: page.map((t) => ({
+						id: t.id,
+						name: t.name,
+						slug: t.slug,
+						label: t.label,
+						parentId: t.parentId,
+						description: typeof t.data?.description === "string" ? t.data.description : undefined,
+					})),
+					nextCursor,
+				});
 			} catch (error) {
 				return errorResult(error);
 			}
@@ -1354,36 +1348,15 @@ export function createMcpServer(): McpServer {
 			requireRole(extra, Role.EDITOR);
 			const ec = getEmDash(extra);
 			try {
-				const { ulid } = await import("ulidx");
-
-				const taxonomy = (await ec.db
-					.selectFrom("_emdash_taxonomy_defs" as never)
-					.select("id" as never)
-					.where("name" as never, "=", args.taxonomy as never)
-					.executeTakeFirst()) as { id: string } | undefined;
-
-				if (!taxonomy) return errorResult(`Taxonomy '${args.taxonomy}' not found`);
-
-				const id = ulid();
-				await ec.db
-					.insertInto("_emdash_taxonomy_terms" as never)
-					.values({
-						id,
-						taxonomy_id: taxonomy.id,
+				const { handleTermCreate } = await import("../api/handlers/taxonomies.js");
+				return unwrap(
+					await handleTermCreate(ec.db, args.taxonomy, {
 						slug: args.slug,
 						label: args.label,
-						parent_id: args.parentId ?? null,
-						description: args.description ?? null,
-					} as never)
-					.execute();
-
-				const term = await ec.db
-					.selectFrom("_emdash_taxonomy_terms" as never)
-					.selectAll()
-					.where("id" as never, "=", id as never)
-					.executeTakeFirstOrThrow();
-
-				return jsonResult(term);
+						parentId: args.parentId,
+						description: args.description,
+					}),
+				);
 			} catch (error) {
 				return errorResult(error);
 			}

package/src/plugins/context.ts

@@ -202,9 +202,13 @@ export function createContentAccess(db: Kysely<Database>): ContentAccess {
 			const result: ContentItem = {
 				id: item.id,
 				type: item.type,
+				slug: item.slug,
+				status: item.status,
 				data: item.data,
 				createdAt: item.createdAt,
 				updatedAt: item.updatedAt,
+				locale: item.locale,
+				publishedAt: item.publishedAt,
 			};
 
 			if (await seoRepo.isEnabled(collection)) {
@@ -237,9 +241,13 @@ export function createContentAccess(db: Kysely<Database>): ContentAccess {
 			const items: ContentItem[] = result.items.map((item) => ({
 				id: item.id,
 				type: item.type,
+				slug: item.slug,
+				status: item.status,
 				data: item.data,
 				createdAt: item.createdAt,
 				updatedAt: item.updatedAt,
+				locale: item.locale,
+				publishedAt: item.publishedAt,
 			}));
 
 			if (items.length > 0 && (await seoRepo.isEnabled(collection))) {
@@ -294,9 +302,13 @@ export function createContentAccessWithWrite(db: Kysely<Database>): ContentAcces
 				const result: ContentItem = {
 					id: item.id,
 					type: item.type,
+					slug: item.slug,
+					status: item.status,
 					data: item.data,
 					createdAt: item.createdAt,
 					updatedAt: item.updatedAt,
+					locale: item.locale,
+					publishedAt: item.publishedAt,
 				};
 
 				if (hasSeo) {
@@ -336,9 +348,13 @@ export function createContentAccessWithWrite(db: Kysely<Database>): ContentAcces
 				const result: ContentItem = {
 					id: item.id,
 					type: item.type,
+					slug: item.slug,
+					status: item.status,
 					data: item.data,
 					createdAt: item.createdAt,
 					updatedAt: item.updatedAt,
+					locale: item.locale,
+					publishedAt: item.publishedAt,
 				};
 
 				if (hasSeo) {
@@ -439,12 +455,13 @@ export function createMediaAccessWithWrite(
 				);
 			}
 
-			const mediaId = ulid();
+			// Generate a storage key with a unique prefix
+			const keyPrefix = ulid();
 			// Extract extension from basename (ignore path separators)
 			const basename = filename.split("/").pop() ?? filename;
 			const dotIdx = basename.lastIndexOf(".");
 			const ext = dotIdx > 0 ? basename.slice(dotIdx).toLowerCase() : "";
-			const storageKey = `${mediaId}${ext}`;
+			const storageKey = `${keyPrefix}${ext}`;
 
 			// Upload to storage first
 			await storage.upload({
@@ -454,8 +471,9 @@ export function createMediaAccessWithWrite(
 			});
 
 			// Create DB record — clean up storage on failure
+			let media;
 			try {
-				await mediaRepo.create({
+				media = await mediaRepo.create({
 					filename: basename,
 					mimeType: contentType,
 					size: bytes.byteLength,
@@ -472,7 +490,7 @@ export function createMediaAccessWithWrite(
 			}
 
 			return {
-				mediaId,
+				mediaId: media.id,
 				storageKey,
 				url: `/_emdash/api/media/file/${storageKey}`,
 			};
@@ -491,11 +509,17 @@ export function createMediaAccessWithWrite(
 /** Maximum number of redirects to follow in plugin HTTP access */
 const MAX_PLUGIN_REDIRECTS = 5;
 
+/**
+ * Check if a hostname matches any pattern in the allowed list.
+ * Patterns: "*" matches all, "*.example.com" matches subdomains AND bare "example.com",
+ * "api.example.com" matches exactly.
+ */
 function isHostAllowed(host: string, allowedHosts: string[]): boolean {
 	return allowedHosts.some((pattern) => {
 		if (pattern === "*") return true;
 		if (pattern.startsWith("*.")) {
 			const suffix = pattern.slice(1); // ".example.com"
+			// Match subdomains (foo.example.com) and bare domain (example.com)
 			return host.endsWith(suffix) || host === pattern.slice(2);
 		}
 		return host === pattern;