emdash 0.4.0 → 0.6.0

package/dist/{version-DlTDRdpv.mjs.map → version-Uaf2ynPX.mjs.map}

@@ -1 +1 @@
-{"version":3,"file":"version-DlTDRdpv.mjs","names":[],"sources":["../src/version.ts"],"sourcesContent":["/**\n * Build-time version constants, replaced by tsdown/Vite `define`.\n * Falls back to \"dev\" when running uncompiled (tests, dev).\n */\n\ndeclare const __EMDASH_VERSION__: string;\ndeclare const __EMDASH_COMMIT__: string;\n\nexport const VERSION: string =\n\ttypeof __EMDASH_VERSION__ !== \"undefined\" ? __EMDASH_VERSION__ : \"dev\";\n\nexport const COMMIT: string = typeof __EMDASH_COMMIT__ !== \"undefined\" ? __EMDASH_COMMIT__ : \"dev\";\n"],"mappings":";AAQA,MAAa;AAGb,MAAa"}
+{"version":3,"file":"version-Uaf2ynPX.mjs","names":[],"sources":["../src/version.ts"],"sourcesContent":["/**\n * Build-time version constants, replaced by tsdown/Vite `define`.\n * Falls back to \"dev\" when running uncompiled (tests, dev).\n */\n\ndeclare const __EMDASH_VERSION__: string;\ndeclare const __EMDASH_COMMIT__: string;\n\nexport const VERSION: string =\n\ttypeof __EMDASH_VERSION__ !== \"undefined\" ? __EMDASH_VERSION__ : \"dev\";\n\nexport const COMMIT: string = typeof __EMDASH_COMMIT__ !== \"undefined\" ? __EMDASH_COMMIT__ : \"dev\";\n"],"mappings":";AAQA,MAAa;AAGb,MAAa"}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "emdash",
-  "version": "0.4.0",
+  "version": "0.6.0",
   "description": "Astro-native CMS with WordPress migration support",
   "type": "module",
   "main": "dist/index.mjs",
@@ -61,6 +61,10 @@
       "types": "./dist/db/postgres.d.mts",
       "default": "./dist/db/postgres.mjs"
     },
+    "./database/instrumentation": {
+      "types": "./dist/database/instrumentation.d.mts",
+      "default": "./dist/database/instrumentation.mjs"
+    },
     "./storage/local": {
       "types": "./dist/storage/local.d.mts",
       "default": "./dist/storage/local.mjs"
@@ -142,6 +146,7 @@
     "#mcp/*": "./src/mcp/*",
     "#comments/*": "./src/comments/*",
     "#bylines/*": "./src/bylines/*",
+    "#taxonomies/*": "./src/taxonomies/*",
     "#redirects/*": "./src/redirects/*",
     "#types": "./src/astro/types.js"
   },
@@ -180,9 +185,9 @@
     "ulidx": "^2.4.1",
     "upng-js": "^2.1.0",
     "zod": "^4.3.5",
-    "@emdash-cms/admin": "0.4.0",
-    "@emdash-cms/auth": "0.4.0",
-    "@emdash-cms/gutenberg-to-portable-text": "0.4.0"
+    "@emdash-cms/auth": "0.6.0",
+    "@emdash-cms/admin": "0.6.0",
+    "@emdash-cms/gutenberg-to-portable-text": "0.6.0"
   },
   "optionalDependencies": {
     "@libsql/kysely-libsql": "^0.4.0",
@@ -210,7 +215,7 @@
     "vite": "^6.0.0",
     "vitest": "^4.0.18",
     "zod-openapi": "^5.4.6",
-    "@emdash-cms/blocks": "0.4.0"
+    "@emdash-cms/blocks": "0.6.0"
   },
   "repository": {
     "type": "git",

package/src/after.ts

@@ -0,0 +1,62 @@
+/**
+ * Defer work past the HTTP response.
+ *
+ * Use for bookkeeping that doesn't need to complete before the client
+ * gets bytes — writes that record state, maintenance queries, cache
+ * refreshes. `after()` hands the promise to the host's lifetime
+ * extender when one is available (Cloudflare's `waitUntil` under
+ * workerd), or fires-and-forgets on Node (the process lives for the
+ * next request anyway).
+ *
+ * Host binding is resolved lazily via a dynamic import of the
+ * `virtual:emdash/wait-until` virtual module. Lazy — rather than a
+ * static top-level import — so tools that walk the dist in a plain
+ * Node loader (`astro check`, Vitest, etc.) don't trip over the
+ * `virtual:` scheme: they'd only fail if they actually called
+ * `after()`, which they don't during type-checking.
+ */
+
+export type WaitUntilFn = (promise: Promise<unknown>) => void;
+
+// Resolves to the host's waitUntil if the adapter provided one, or
+// null otherwise. Kicked off once at module load; subsequent `after()`
+// calls see the cached result without re-importing.
+const waitUntilReady: Promise<WaitUntilFn | null> = (async () => {
+	try {
+		// @ts-ignore - virtual module, generated by the Astro integration
+		const mod = (await import("virtual:emdash/wait-until")) as {
+			waitUntil?: WaitUntilFn;
+		};
+		return mod.waitUntil ?? null;
+	} catch {
+		// No virtual module available (Node-side tooling, tests without the
+		// integration in scope). Fire-and-forget is the safe fallback.
+		return null;
+	}
+})();
+// Surface rejections without making the module-load fail.
+waitUntilReady.catch(() => {});
+
+/**
+ * Schedule `fn` to run without blocking the response.
+ *
+ * Errors are caught and logged — a deferred task should never surface
+ * as an unhandled rejection because the response is long gone. Callers
+ * that care about errors should handle them inside `fn`.
+ */
+export function after(fn: () => void | Promise<void>): void {
+	const promise = Promise.resolve()
+		.then(fn)
+		.catch((error) => {
+			console.error("[emdash] deferred task failed:", error);
+		});
+
+	// Defer the lifetime-extender handoff to the microtask that resolves
+	// waitUntilReady. On workerd this is effectively instant (the virtual
+	// module is already loaded in the bundle); on Node the promise
+	// resolves to null, so this is just one extra microtask and no-op.
+	void waitUntilReady.then((waitUntil) => {
+		if (waitUntil) waitUntil(promise);
+		return null;
+	});
+}

package/src/api/handlers/oauth-authorization.ts

@@ -20,6 +20,7 @@ import {
 	VALID_SCOPES,
 } from "../../auth/api-tokens.js";
 import type { Database } from "../../database/types.js";
+import { validateRedirectUri } from "../oauth/redirect-uri.js";
 import type { ApiResult } from "../types.js";
 import { lookupOAuthClient, validateClientRedirectUri } from "./oauth-clients.js";
 
@@ -76,38 +77,7 @@ function expiresAt(seconds: number): string {
 	return new Date(Date.now() + seconds * 1000).toISOString();
 }
 
-/**
- * Validate a redirect URI per OAuth 2.1 security requirements.
- * Allows localhost (loopback) over HTTP, and any HTTPS URL.
- */
-export function validateRedirectUri(uri: string): string | null {
-	try {
-		const url = new URL(uri);
-
-		// Reject protocol-relative URLs
-		if (uri.startsWith("//")) {
-			return "Protocol-relative redirect URIs are not allowed";
-		}
-
-		// Allow localhost/loopback over HTTP (for desktop MCP clients)
-		if (url.protocol === "http:") {
-			const host = url.hostname;
-			if (host === "127.0.0.1" || host === "localhost" || host === "[::1]") {
-				return null; // OK
-			}
-			return "HTTP redirect URIs are only allowed for localhost";
-		}
-
-		// Allow HTTPS
-		if (url.protocol === "https:") {
-			return null; // OK
-		}
-
-		return `Unsupported redirect URI scheme: ${url.protocol}`;
-	} catch {
-		return "Invalid redirect URI";
-	}
-}
+export { validateRedirectUri };
 
 /**
  * Validate and normalize scopes. Returns validated scope list.

package/src/api/handlers/oauth-clients.ts

@@ -9,6 +9,7 @@
 import type { Kysely } from "kysely";
 
 import type { Database } from "../../database/types.js";
+import { validateRedirectUri } from "../oauth/redirect-uri.js";
 import type { ApiResult } from "../types.js";
 
 // ---------------------------------------------------------------------------
@@ -21,6 +22,16 @@ function parseJsonColumn<T>(value: string): T {
 	return JSON.parse(value) as T;
 }
 
+function validateRegisteredRedirectUris(redirectUris: string[]): string | null {
+	for (const redirectUri of redirectUris) {
+		const error = validateRedirectUri(redirectUri);
+		if (error) {
+			return `Invalid redirect URI: ${error}`;
+		}
+	}
+	return null;
+}
+
 // ---------------------------------------------------------------------------
 // Types
 // ---------------------------------------------------------------------------
@@ -61,6 +72,17 @@ export async function handleOAuthClientCreate(
 			};
 		}
 
+		const redirectUriError = validateRegisteredRedirectUris(input.redirectUris);
+		if (redirectUriError) {
+			return {
+				success: false,
+				error: {
+					code: "VALIDATION_ERROR",
+					message: redirectUriError,
+				},
+			};
+		}
+
 		// Check for duplicate client ID
 		const existing = await db
 			.selectFrom("_emdash_oauth_clients")
@@ -83,7 +105,7 @@ export async function handleOAuthClientCreate(
 				id: input.id,
 				name: input.name,
 				redirect_uris: JSON.stringify(input.redirectUris),
-				scopes: input.scopes ? JSON.stringify(input.scopes) : null,
+				scopes: input.scopes && input.scopes.length > 0 ? JSON.stringify(input.scopes) : null,
 			})
 			.execute();
 
@@ -93,7 +115,7 @@ export async function handleOAuthClientCreate(
 				id: input.id,
 				name: input.name,
 				redirectUris: input.redirectUris,
-				scopes: input.scopes ?? null,
+				scopes: input.scopes && input.scopes.length > 0 ? input.scopes : null,
 				createdAt: now,
 				updatedAt: now,
 			},
@@ -222,7 +244,20 @@ export async function handleOAuthClientUpdate(
 			};
 		}
 
-		const updates: Record<string, string> = {
+		if (input.redirectUris !== undefined) {
+			const redirectUriError = validateRegisteredRedirectUris(input.redirectUris);
+			if (redirectUriError) {
+				return {
+					success: false,
+					error: {
+						code: "VALIDATION_ERROR",
+						message: redirectUriError,
+					},
+				};
+			}
+		}
+
+		const updates: Record<string, string | null> = {
 			updated_at: new Date().toISOString(),
 		};
 
@@ -233,7 +268,8 @@ export async function handleOAuthClientUpdate(
 			updates.redirect_uris = JSON.stringify(input.redirectUris);
 		}
 		if (input.scopes !== undefined) {
-			updates.scopes = input.scopes ? JSON.stringify(input.scopes) : "";
+			updates.scopes =
+				input.scopes && input.scopes.length > 0 ? JSON.stringify(input.scopes) : null;
 		}
 
 		await db.updateTable("_emdash_oauth_clients").set(updates).where("id", "=", clientId).execute();

package/src/api/handlers/taxonomies.ts

@@ -7,6 +7,7 @@ import { ulid } from "ulidx";
 
 import { TaxonomyRepository } from "../../database/repositories/taxonomy.js";
 import type { Database } from "../../database/types.js";
+import { invalidateTermCache } from "../../taxonomies/index.js";
 import type { ApiResult } from "../types.js";
 
 /** Taxonomy name validation pattern: lowercase alphanumeric + underscores, starts with letter */
@@ -323,6 +324,10 @@ export async function handleTermCreate(
 			data: input.description ? { description: input.description } : undefined,
 		});
 
+		// New term means `hasAnyTermAssignments` may flip from false->true next
+		// time an entry is tagged. Clear the cache so the next read re-probes.
+		invalidateTermCache();
+
 		return {
 			success: true,
 			data: {
@@ -442,6 +447,10 @@ export async function handleTermUpdate(
 			data: input.description !== undefined ? { description: input.description } : undefined,
 		});
 
+		// Term label/slug changes are reflected in hydrated entry.data.terms —
+		// invalidate so the next read doesn't short-circuit on a stale probe.
+		invalidateTermCache();
+
 		if (!updated) {
 			return {
 				success: false,
@@ -513,6 +522,10 @@ export async function handleTermDelete(
 			};
 		}
 
+		// Deleting a term cascades to content_taxonomies; invalidate so
+		// hydration no longer sees the stale assignments.
+		invalidateTermCache();
+
 		return { success: true, data: { deleted: true } };
 	} catch {
 		return {

package/src/api/oauth/redirect-uri.ts

@@ -0,0 +1,34 @@
+/**
+ * Validate a redirect URI per OAuth 2.1 security requirements.
+ *
+ * Allows localhost / loopback redirect URIs over HTTP for native clients,
+ * and any HTTPS URL for web-based flows.
+ */
+export function validateRedirectUri(uri: string): string | null {
+	try {
+		const url = new URL(uri);
+
+		// Reject protocol-relative URLs
+		if (uri.startsWith("//")) {
+			return "Protocol-relative redirect URIs are not allowed";
+		}
+
+		// Allow localhost/loopback over HTTP (for desktop MCP clients)
+		if (url.protocol === "http:") {
+			const host = url.hostname;
+			if (host === "127.0.0.1" || host === "localhost" || host === "[::1]") {
+				return null;
+			}
+			return "HTTP redirect URIs are only allowed for localhost";
+		}
+
+		// Allow HTTPS
+		if (url.protocol === "https:") {
+			return null;
+		}
+
+		return `Unsupported redirect URI scheme: ${url.protocol}`;
+	} catch {
+		return "Invalid redirect URI";
+	}
+}

package/src/api/openapi/document.ts

@@ -37,6 +37,7 @@ import {
 	trashedContentListResponseSchema,
 } from "../schemas/content.js";
 import {
+	DEFAULT_MAX_UPLOAD_SIZE,
 	mediaConfirmBody,
 	mediaConfirmResponseSchema,
 	mediaExistingResponseSchema,
@@ -623,121 +624,123 @@ const contentPaths = {
 // Media routes
 // ---------------------------------------------------------------------------
 
-const mediaPaths = {
-	"/_emdash/api/media": {
-		get: {
-			operationId: "listMedia",
-			summary: "List media items",
-			tags: ["Media"],
-			requestParams: { query: mediaListQuery },
-			responses: {
-				"200": {
-					description: "Media list",
-					content: { [JSON_CONTENT]: { schema: successEnvelope(mediaListResponseSchema) } },
+function buildMediaPaths(maxUploadSize: number) {
+	return {
+		"/_emdash/api/media": {
+			get: {
+				operationId: "listMedia",
+				summary: "List media items",
+				tags: ["Media"],
+				requestParams: { query: mediaListQuery },
+				responses: {
+					"200": {
+						description: "Media list",
+						content: { [JSON_CONTENT]: { schema: successEnvelope(mediaListResponseSchema) } },
+					},
+					...authErrors,
+					...standardErrors(500),
 				},
-				...authErrors,
-				...standardErrors(500),
 			},
 		},
-	},
-	"/_emdash/api/media/{id}": {
-		get: {
-			operationId: "getMedia",
-			summary: "Get a media item",
-			tags: ["Media"],
-			requestParams: {
-				path: z.object({ id: z.string().meta({ description: "Media ID" }) }),
-			},
-			responses: {
-				"200": {
-					description: "Media item",
-					content: { [JSON_CONTENT]: { schema: successEnvelope(mediaResponseSchema) } },
+		"/_emdash/api/media/{id}": {
+			get: {
+				operationId: "getMedia",
+				summary: "Get a media item",
+				tags: ["Media"],
+				requestParams: {
+					path: z.object({ id: z.string().meta({ description: "Media ID" }) }),
 				},
-				...authErrors,
-				...standardErrors(404, 500),
-			},
-		},
-		put: {
-			operationId: "updateMedia",
-			summary: "Update media metadata",
-			tags: ["Media"],
-			requestParams: {
-				path: z.object({ id: z.string().meta({ description: "Media ID" }) }),
-			},
-			requestBody: { content: { [JSON_CONTENT]: { schema: mediaUpdateBody } } },
-			responses: {
-				"200": {
-					description: "Updated media item",
-					content: { [JSON_CONTENT]: { schema: successEnvelope(mediaResponseSchema) } },
+				responses: {
+					"200": {
+						description: "Media item",
+						content: { [JSON_CONTENT]: { schema: successEnvelope(mediaResponseSchema) } },
+					},
+					...authErrors,
+					...standardErrors(404, 500),
+				},
+			},
+			put: {
+				operationId: "updateMedia",
+				summary: "Update media metadata",
+				tags: ["Media"],
+				requestParams: {
+					path: z.object({ id: z.string().meta({ description: "Media ID" }) }),
+				},
+				requestBody: { content: { [JSON_CONTENT]: { schema: mediaUpdateBody } } },
+				responses: {
+					"200": {
+						description: "Updated media item",
+						content: { [JSON_CONTENT]: { schema: successEnvelope(mediaResponseSchema) } },
+					},
+					...authErrors,
+					...standardErrors(400, 404, 500),
 				},
-				...authErrors,
-				...standardErrors(400, 404, 500),
 			},
-		},
-		delete: {
-			operationId: "deleteMedia",
-			summary: "Delete a media item",
-			tags: ["Media"],
-			requestParams: {
-				path: z.object({ id: z.string().meta({ description: "Media ID" }) }),
-			},
-			responses: {
-				"200": {
-					description: "Deleted",
-					content: { [JSON_CONTENT]: { schema: successEnvelope(deleteResponseSchema) } },
+			delete: {
+				operationId: "deleteMedia",
+				summary: "Delete a media item",
+				tags: ["Media"],
+				requestParams: {
+					path: z.object({ id: z.string().meta({ description: "Media ID" }) }),
 				},
-				...authErrors,
-				...standardErrors(404, 500),
-			},
-		},
-	},
-	"/_emdash/api/media/upload-url": {
-		post: {
-			operationId: "getMediaUploadUrl",
-			summary: "Get a signed URL for direct upload",
-			description:
-				"Returns a signed URL for direct-to-storage upload. Creates a pending media record.",
-			tags: ["Media"],
-			requestBody: { content: { [JSON_CONTENT]: { schema: mediaUploadUrlBody } } },
-			responses: {
-				"200": {
-					description: "Upload URL or existing media (deduplication)",
-					content: {
-						[JSON_CONTENT]: {
-							schema: successEnvelope(
-								z.union([mediaUploadUrlResponseSchema, mediaExistingResponseSchema]),
-							),
+				responses: {
+					"200": {
+						description: "Deleted",
+						content: { [JSON_CONTENT]: { schema: successEnvelope(deleteResponseSchema) } },
+					},
+					...authErrors,
+					...standardErrors(404, 500),
+				},
+			},
+		},
+		"/_emdash/api/media/upload-url": {
+			post: {
+				operationId: "getMediaUploadUrl",
+				summary: "Get a signed URL for direct upload",
+				description:
+					"Returns a signed URL for direct-to-storage upload. Creates a pending media record.",
+				tags: ["Media"],
+				requestBody: { content: { [JSON_CONTENT]: { schema: mediaUploadUrlBody(maxUploadSize) } } },
+				responses: {
+					"200": {
+						description: "Upload URL or existing media (deduplication)",
+						content: {
+							[JSON_CONTENT]: {
+								schema: successEnvelope(
+									z.union([mediaUploadUrlResponseSchema, mediaExistingResponseSchema]),
+								),
+							},
 						},
 					},
-				},
-				...authErrors,
-				...standardErrors(400, 500),
-			},
-		},
-	},
-	"/_emdash/api/media/{id}/confirm": {
-		post: {
-			operationId: "confirmMediaUpload",
-			summary: "Confirm a media upload",
-			description: "Marks a pending media record as ready after the file has been uploaded.",
-			tags: ["Media"],
-			requestParams: {
-				path: z.object({ id: z.string().meta({ description: "Media ID" }) }),
-			},
-			requestBody: { content: { [JSON_CONTENT]: { schema: mediaConfirmBody } } },
-			responses: {
-				"200": {
-					description: "Confirmed media item with URL",
-					content: {
-						[JSON_CONTENT]: { schema: successEnvelope(mediaConfirmResponseSchema) },
+					...authErrors,
+					...standardErrors(400, 500),
+				},
+			},
+		},
+		"/_emdash/api/media/{id}/confirm": {
+			post: {
+				operationId: "confirmMediaUpload",
+				summary: "Confirm a media upload",
+				description: "Marks a pending media record as ready after the file has been uploaded.",
+				tags: ["Media"],
+				requestParams: {
+					path: z.object({ id: z.string().meta({ description: "Media ID" }) }),
+				},
+				requestBody: { content: { [JSON_CONTENT]: { schema: mediaConfirmBody } } },
+				responses: {
+					"200": {
+						description: "Confirmed media item with URL",
+						content: {
+							[JSON_CONTENT]: { schema: successEnvelope(mediaConfirmResponseSchema) },
+						},
 					},
+					...authErrors,
+					...standardErrors(400, 404, 500),
 				},
-				...authErrors,
-				...standardErrors(400, 404, 500),
 			},
 		},
-	},
-} as const;
+	} as const;
+}
 
 // ---------------------------------------------------------------------------
 // Schema routes
@@ -2249,20 +2252,22 @@ const userPaths = {
 // Merge all paths
 // ---------------------------------------------------------------------------
 
-const allPaths = {
-	...contentPaths,
-	...mediaPaths,
-	...schemaPaths,
-	...commentsPaths,
-	...taxonomyPaths,
-	...menuPaths,
-	...sectionPaths,
-	...widgetPaths,
-	...settingsPaths,
-	...searchPaths,
-	...redirectPaths,
-	...userPaths,
-} as const;
+function buildAllPaths(maxUploadSize: number) {
+	return {
+		...contentPaths,
+		...buildMediaPaths(maxUploadSize),
+		...schemaPaths,
+		...commentsPaths,
+		...taxonomyPaths,
+		...menuPaths,
+		...sectionPaths,
+		...widgetPaths,
+		...settingsPaths,
+		...searchPaths,
+		...redirectPaths,
+		...userPaths,
+	} as const;
+}
 
 // ---------------------------------------------------------------------------
 // Document
@@ -2274,7 +2279,10 @@ const allPaths = {
  * Covers: Content, Media, Schema, Comments, Taxonomies, Menus,
  * Sections, Widgets, Settings, Search, Redirects, Users.
  */
-export function generateOpenApiDocument(): oas31.OpenAPIObject {
+export function generateOpenApiDocument(
+	options: { maxUploadSize?: number } = {},
+): oas31.OpenAPIObject {
+	const maxUploadSize = options.maxUploadSize ?? DEFAULT_MAX_UPLOAD_SIZE;
 	return createDocument({
 		openapi: "3.1.0",
 		info: {
@@ -2363,6 +2371,6 @@ export function generateOpenApiDocument(): oas31.OpenAPIObject {
 		},
 		security: [{ session: [] }, { bearer: [] }],
 		// eslint-disable-next-line typescript-eslint(no-unsafe-type-assertion) -- readonly const paths are compatible at runtime
-		paths: allPaths as unknown as ZodOpenApiPathsObject,
+		paths: buildAllPaths(maxUploadSize) as unknown as ZodOpenApiPathsObject,
 	});
 }

package/src/api/schemas/auth.ts

@@ -60,6 +60,13 @@ export const inviteCreateBody = z
 	})
 	.meta({ id: "InviteCreateBody" });
 
+export const inviteRegisterOptionsBody = z
+	.object({
+		token: z.string().min(1),
+		name: z.string().optional(),
+	})
+	.meta({ id: "InviteRegisterOptionsBody" });
+
 export const inviteCompleteBody = z
 	.object({
 		token: z.string().min(1),