emdash 0.4.0 → 0.6.0

package/src/astro/routes/admin.astro

@@ -9,20 +9,23 @@ import "@emdash-cms/admin/styles.css";
 // Use package-qualified import so Astro generates a proper module URL
 // (relative imports resolve to absolute paths which break client hydration)
 import AdminWrapper from "emdash/routes/PluginRegistry";
+import { Font } from "astro:assets";
 
 export const prerender = false;
 
-import { resolveLocale, loadMessages } from "@emdash-cms/admin/locales";
+import { resolveLocale, loadMessages, getLocaleDir } from "@emdash-cms/admin/locales";
 
 const resolvedLocale = resolveLocale(Astro.request);
+const resolvedDir = getLocaleDir(resolvedLocale);
 const messages = await loadMessages(resolvedLocale);
 ---
 
 <!doctype html>
-<html lang={resolvedLocale}>
+<html lang={resolvedLocale} dir={resolvedDir}>
 	<head>
 		<meta charset="UTF-8" />
 		<meta name="viewport" content="width=device-width, initial-scale=1.0" />
+		<Font cssVariable="--font-emdash" />
 		<link
 			rel="icon"
 			href="data:image/svg+xml,<svg width='75' height='75' viewBox='0 0 75 75' fill='none' xmlns='http://www.w3.org/2000/svg'> <g clip-path='url(%23clip0_50_99)'> <rect x='3' y='3' width='69' height='69' rx='10.518' stroke='url(%23paint0_linear_50_99)' stroke-width='6'/> <rect x='18' y='34' width='39.3661' height='6.56101' fill='url(%23paint1_linear_50_99)'/> </g> <defs> <linearGradient id='paint0_linear_50_99' x1='-42.9996' y1='124' x2='92.4233' y2='-41.7456' gradientUnits='userSpaceOnUse'> <stop stop-color='%230F006B'/> <stop offset='0.0833333' stop-color='%23281A81'/> <stop offset='0.166667' stop-color='%235D0C83'/> <stop offset='0.25' stop-color='%23911475'/> <stop offset='0.333333' stop-color='%23CE2F55'/> <stop offset='0.416667' stop-color='%23FF6633'/> <stop offset='0.5' stop-color='%23F6821F'/> <stop offset='0.583333' stop-color='%23FBAD41'/> <stop offset='0.666667' stop-color='%23FFCD89'/> <stop offset='0.75' stop-color='%23FFE9CB'/> <stop offset='0.833333' stop-color='%23FFF7EC'/> <stop offset='0.916667' stop-color='%23FFF8EE'/> <stop offset='1' stop-color='white'/> </linearGradient> <linearGradient id='paint1_linear_50_99' x1='91.4992' y1='27.4982' x2='28.1217' y2='54.1775' gradientUnits='userSpaceOnUse'> <stop stop-color='white'/> <stop offset='0.129253' stop-color='%23FFF8EE'/> <stop offset='0.617058' stop-color='%23FBAD41'/> <stop offset='0.848019' stop-color='%23F6821F'/> <stop offset='1' stop-color='%23FF6633'/> </linearGradient> <clipPath id='clip0_50_99'> <rect width='75' height='75' fill='white'/> </clipPath> </defs> </svg>"
@@ -62,10 +65,12 @@ const messages = await loadMessages(resolvedLocale);
 					}
 					#emdash-boot-loader p {
 						margin-top: 1rem;
-						font-family:
+						font-family: var(
+							--font-emdash,
+							ui-sans-serif,
 							system-ui,
-							-apple-system,
-							sans-serif;
+							sans-serif
+						);
 						font-size: 0.875rem;
 						color: light-dark(hsl(215.4 16.3% 46.9%), hsl(215 20.2% 65.1%));
 					}

package/src/astro/routes/api/auth/invite/register-options.ts

@@ -0,0 +1,78 @@
+/**
+ * POST /_emdash/api/auth/invite/register-options
+ *
+ * Generate WebAuthn registration options for an invited user.
+ * Validates the invite token and creates a temporary user identity
+ * for the passkey registration flow.
+ */
+
+import type { APIRoute } from "astro";
+
+export const prerender = false;
+
+import { validateInvite, InviteError } from "@emdash-cms/auth";
+import { createKyselyAdapter } from "@emdash-cms/auth/adapters/kysely";
+import { generateRegistrationOptions } from "@emdash-cms/auth/passkey";
+import { ulid } from "ulidx";
+
+import { apiError, apiSuccess, handleError } from "#api/error.js";
+import { isParseError, parseBody } from "#api/parse.js";
+import { inviteRegisterOptionsBody } from "#api/schemas.js";
+import { createChallengeStore } from "#auth/challenge-store.js";
+import { getPasskeyConfig } from "#auth/passkey-config.js";
+import { OptionsRepository } from "#db/repositories/options.js";
+
+export const POST: APIRoute = async ({ request, locals }) => {
+	const { emdash } = locals;
+
+	if (!emdash?.db) {
+		return apiError("NOT_CONFIGURED", "EmDash is not initialized", 500);
+	}
+
+	try {
+		const body = await parseBody(request, inviteRegisterOptionsBody);
+		if (isParseError(body)) return body;
+
+		// Validate the invite token to get the email
+		const adapter = createKyselyAdapter(emdash.db);
+		const invite = await validateInvite(adapter, body.token);
+
+		// Get passkey config
+		const url = new URL(request.url);
+		const options = new OptionsRepository(emdash.db);
+		const siteName = (await options.get<string>("emdash:site_title")) ?? undefined;
+		const passkeyConfig = getPasskeyConfig(url, siteName);
+
+		// Generate registration options with a temporary user identity
+		const challengeStore = createChallengeStore(emdash.db);
+		const tempUser = {
+			id: ulid(),
+			email: invite.email,
+			name: body.name || null,
+		};
+
+		const registrationOptions = await generateRegistrationOptions(
+			passkeyConfig,
+			tempUser,
+			[],
+			challengeStore,
+		);
+
+		return apiSuccess({ options: registrationOptions });
+	} catch (error) {
+		if (error instanceof InviteError) {
+			const statusMap: Record<string, number> = {
+				invalid_token: 404,
+				token_expired: 410,
+				user_exists: 409,
+			};
+			return apiError(error.code.toUpperCase(), error.message, statusMap[error.code] ?? 400);
+		}
+
+		return handleError(
+			error,
+			"Failed to generate registration options",
+			"INVITE_REGISTER_OPTIONS_ERROR",
+		);
+	}
+};

package/src/astro/routes/api/auth/passkey/verify.ts

@@ -9,7 +9,7 @@ import type { APIRoute } from "astro";
 export const prerender = false;
 
 import { createKyselyAdapter } from "@emdash-cms/auth/adapters/kysely";
-import { authenticateWithPasskey } from "@emdash-cms/auth/passkey";
+import { authenticateWithPasskey, PasskeyAuthenticationError } from "@emdash-cms/auth/passkey";
 
 import { apiError, apiSuccess, handleError } from "#api/error.js";
 import { isParseError, parseBody } from "#api/parse.js";
@@ -63,6 +63,10 @@ export const POST: APIRoute = async ({ request, locals, session }) => {
 			},
 		});
 	} catch (error) {
+		if (error instanceof PasskeyAuthenticationError) {
+			return apiError("UNAUTHORIZED", "Authentication failed", 401);
+		}
+
 		return handleError(error, "Authentication failed", "PASSKEY_VERIFY_ERROR");
 	}
 };

package/src/astro/routes/api/content/[collection]/[id]/terms/[taxonomy].ts

@@ -12,6 +12,7 @@ import { apiError, apiSuccess, handleError, requireDb } from "#api/error.js";
 import { parseBody, isParseError } from "#api/parse.js";
 import { contentTermsBody } from "#api/schemas.js";
 import { TaxonomyRepository } from "#db/repositories/taxonomy.js";
+import { invalidateTermCache } from "#taxonomies/index.js";
 
 export const prerender = false;
 
@@ -122,6 +123,10 @@ export const POST: APIRoute = async ({ params, request, locals }) => {
 		// Set the terms (replaces existing)
 		await repo.setTermsForEntry(collection, id, taxonomy, termIds);
 
+		// Term assignments changed — invalidate the hasAnyTermAssignments cache
+		// so hydration on subsequent reads issues a fresh query.
+		invalidateTermCache();
+
 		// Get the updated terms
 		const terms = await repo.getTermsForEntry(collection, id, taxonomy);
 

package/src/astro/routes/api/import/wordpress/execute.ts

@@ -271,7 +271,7 @@ async function importContent(
 			console.error(`Import error for "${post.title || "Untitled"}":`, error);
 			result.errors.push({
 				title: post.title || "Untitled",
-				error: "Failed to import item",
+				error: error instanceof Error && error.message ? error.message : "Failed to import item",
 			});
 		}
 	}

package/src/astro/routes/api/import/wordpress-plugin/execute.ts

@@ -332,7 +332,7 @@ async function importContent(
 			console.error(`Import error for "${item.title || "Untitled"}":`, error);
 			result.errors.push({
 				title: item.title || "Untitled",
-				error: "Failed to import item",
+				error: error instanceof Error && error.message ? error.message : "Failed to import item",
 			});
 		}
 	}

package/src/astro/routes/api/media/upload-url.ts

@@ -16,7 +16,7 @@ import { ulid } from "ulidx";
 import { requirePerm } from "#api/authorize.js";
 import { apiError, apiSuccess, handleError } from "#api/error.js";
 import { isParseError, parseBody } from "#api/parse.js";
-import { mediaUploadUrlBody } from "#api/schemas.js";
+import { DEFAULT_MAX_UPLOAD_SIZE, mediaUploadUrlBody } from "#api/schemas.js";
 
 export const prerender = false;
 
@@ -59,7 +59,15 @@ export const POST: APIRoute = async ({ request, locals }) => {
 	}
 
 	try {
-		const body = await parseBody(request, mediaUploadUrlBody);
+		const maxSize = emdash.config.maxUploadSize ?? DEFAULT_MAX_UPLOAD_SIZE;
+		if (!Number.isFinite(maxSize) || maxSize <= 0) {
+			return apiError(
+				"CONFIGURATION_ERROR",
+				"Invalid maxUploadSize configuration. Expected a positive finite number.",
+				500,
+			);
+		}
+		const body = await parseBody(request, mediaUploadUrlBody(maxSize));
 		if (isParseError(body)) return body;
 
 		// Validate content type

package/src/astro/routes/api/media.ts

@@ -13,7 +13,7 @@ import { ulid } from "ulidx";
 import { requirePerm } from "#api/authorize.js";
 import { apiError, apiSuccess, handleError, unwrapResult } from "#api/error.js";
 import { isParseError, parseQuery } from "#api/parse.js";
-import { mediaListQuery } from "#api/schemas.js";
+import { DEFAULT_MAX_UPLOAD_SIZE, formatFileSize, mediaListQuery } from "#api/schemas.js";
 import { MediaRepository } from "#db/repositories/media.js";
 import { generatePlaceholder } from "#media/placeholder.js";
 import { computeContentHash } from "#utils/hash.js";
@@ -22,9 +22,6 @@ import type { MediaItem } from "../../types.js";
 
 export const prerender = false;
 
-/** Maximum allowed file upload size (50 MB). */
-const MAX_UPLOAD_SIZE = 50 * 1024 * 1024;
-
 /**
  * Add URL to media items
  * Uses relative URLs to ensure portability across deployments
@@ -89,9 +86,15 @@ export const POST: APIRoute = async ({ request, locals }) => {
 	}
 
 	try {
+		const rawMax = emdash.config.maxUploadSize ?? DEFAULT_MAX_UPLOAD_SIZE;
+		if (!Number.isFinite(rawMax) || rawMax <= 0) {
+			return apiError("CONFIGURATION_ERROR", "Invalid maxUploadSize configuration", 500);
+		}
+		const maxUploadSize = rawMax;
+
 		// Best-effort size check before buffering the full multipart body
 		const contentLength = request.headers.get("Content-Length");
-		if (contentLength && parseInt(contentLength, 10) > MAX_UPLOAD_SIZE) {
+		if (contentLength && parseInt(contentLength, 10) > maxUploadSize) {
 			return apiError("PAYLOAD_TOO_LARGE", "Upload too large", 413);
 		}
 
@@ -110,10 +113,10 @@ export const POST: APIRoute = async ({ request, locals }) => {
 		}
 
 		// Check file size before buffering
-		if (file.size > MAX_UPLOAD_SIZE) {
+		if (file.size > maxUploadSize) {
 			return apiError(
 				"PAYLOAD_TOO_LARGE",
-				`File exceeds maximum size of ${MAX_UPLOAD_SIZE / 1024 / 1024}MB`,
+				`File exceeds maximum size of ${formatFileSize(maxUploadSize)}`,
 				413,
 			);
 		}

package/src/astro/routes/api/oauth/register.ts

@@ -0,0 +1,178 @@
+/**
+ * POST /_emdash/api/oauth/register
+ *
+ * RFC 7591 Dynamic Client Registration. Public, unauthenticated.
+ * MCP clients (e.g. Claude Code) call this to register themselves
+ * before starting the OAuth authorization flow.
+ */
+
+import type { APIRoute } from "astro";
+
+import { apiError, handleError } from "#api/error.js";
+import { handleOAuthClientCreate } from "#api/handlers/oauth-clients.js";
+
+export const prerender = false;
+
+const OAUTH_REGISTRATION_HEADERS: HeadersInit = {
+	"Cache-Control": "no-store",
+	Pragma: "no-cache",
+	// RFC 7591 dynamic client registration is called cross-origin by MCP clients,
+	// CLIs, and native apps. The endpoint is anonymous and carries no ambient
+	// credentials, so CORS `*` is safe.
+	"Access-Control-Allow-Origin": "*",
+};
+
+const OAUTH_PREFLIGHT_HEADERS: HeadersInit = {
+	"Access-Control-Allow-Origin": "*",
+	"Access-Control-Allow-Methods": "POST, OPTIONS",
+	"Access-Control-Allow-Headers": "Content-Type",
+	"Access-Control-Max-Age": "86400",
+};
+
+const SUPPORTED_GRANT_TYPES = new Set([
+	"authorization_code",
+	"refresh_token",
+	"urn:ietf:params:oauth:grant-type:device_code",
+]);
+const SUPPORTED_RESPONSE_TYPES = new Set(["code"]);
+
+function registrationError(description: string, status = 400): Response {
+	return Response.json(
+		{
+			error: "invalid_client_metadata",
+			error_description: description,
+		},
+		{ status, headers: OAUTH_REGISTRATION_HEADERS },
+	);
+}
+
+function isRecord(value: unknown): value is Record<string, unknown> {
+	return typeof value === "object" && value !== null && !Array.isArray(value);
+}
+
+function isStringArray(value: unknown): value is string[] {
+	return Array.isArray(value) && value.every((item) => typeof item === "string");
+}
+
+function parseScope(value: unknown): string[] | Response | undefined {
+	if (value === undefined) return undefined;
+	if (typeof value === "string") {
+		const scopes = value.split(" ").filter(Boolean);
+		return scopes.length > 0 ? scopes : undefined;
+	}
+	if (isStringArray(value)) {
+		const scopes = value.filter(Boolean);
+		return scopes.length > 0 ? scopes : undefined;
+	}
+	return registrationError("scope must be a string or array of strings");
+}
+
+function parseSupportedStringArray(
+	value: unknown,
+	field: string,
+	supported: ReadonlySet<string>,
+): string[] | Response | undefined {
+	if (value === undefined) return undefined;
+	if (!isStringArray(value)) {
+		return registrationError(`${field} must be an array of strings`);
+	}
+	const invalidValue = value.find((item) => !supported.has(item));
+	if (invalidValue) {
+		return registrationError(`${field} contains unsupported value: ${invalidValue}`);
+	}
+	return value;
+}
+
+export const OPTIONS: APIRoute = () => {
+	return new Response(null, { status: 204, headers: OAUTH_PREFLIGHT_HEADERS });
+};
+
+export const POST: APIRoute = async ({ request, locals }) => {
+	const { emdash } = locals;
+
+	if (!emdash?.db) {
+		return apiError("NOT_CONFIGURED", "EmDash is not initialized", 500);
+	}
+
+	try {
+		let body: unknown;
+		try {
+			body = await request.json();
+		} catch {
+			return registrationError("Request body must be valid JSON");
+		}
+
+		if (!isRecord(body)) {
+			return registrationError("Request body must be a JSON object");
+		}
+
+		// redirect_uris is the only required field per RFC 7591 §2
+		if (!isStringArray(body.redirect_uris) || body.redirect_uris.length === 0) {
+			return registrationError("redirect_uris must be a non-empty array of strings");
+		}
+
+		if (
+			body.token_endpoint_auth_method !== undefined &&
+			body.token_endpoint_auth_method !== "none"
+		) {
+			return registrationError("Only token_endpoint_auth_method=none is supported");
+		}
+
+		const grantTypes = parseSupportedStringArray(
+			body.grant_types,
+			"grant_types",
+			SUPPORTED_GRANT_TYPES,
+		);
+		if (grantTypes instanceof Response) {
+			return grantTypes;
+		}
+
+		const responseTypes = parseSupportedStringArray(
+			body.response_types,
+			"response_types",
+			SUPPORTED_RESPONSE_TYPES,
+		);
+		if (responseTypes instanceof Response) {
+			return responseTypes;
+		}
+
+		const scopes = parseScope(body.scope);
+		if (scopes instanceof Response) {
+			return scopes;
+		}
+
+		const clientId = crypto.randomUUID();
+		const clientName =
+			typeof body.client_name === "string" && body.client_name
+				? body.client_name
+				: `dynamic-${clientId.slice(0, 8)}`;
+
+		const result = await handleOAuthClientCreate(emdash.db, {
+			id: clientId,
+			name: clientName,
+			redirectUris: body.redirect_uris,
+			scopes,
+		});
+
+		if (!result.success) {
+			return registrationError(result.error.message);
+		}
+
+		// RFC 7591 §3.2.1 response
+		return Response.json(
+			{
+				client_id: result.data.id,
+				client_id_issued_at: Math.floor(new Date(result.data.createdAt).getTime() / 1000),
+				redirect_uris: result.data.redirectUris,
+				client_name: result.data.name,
+				grant_types: grantTypes ?? ["authorization_code", "refresh_token"],
+				response_types: responseTypes ?? ["code"],
+				token_endpoint_auth_method: "none",
+				scope: result.data.scopes ? result.data.scopes.join(" ") : undefined,
+			},
+			{ status: 201, headers: OAUTH_REGISTRATION_HEADERS },
+		);
+	} catch (error) {
+		return handleError(error, "Failed to register OAuth client", "CLIENT_REGISTER_ERROR");
+	}
+};

package/src/astro/routes/api/oauth/token.ts

@@ -87,6 +87,10 @@ const refreshSchema = z.object({
 // Handler
 // ---------------------------------------------------------------------------
 
+export const OPTIONS: APIRoute = () => {
+	return new Response(null, { status: 204, headers: OAUTH_PREFLIGHT_HEADERS });
+};
+
 export const POST: APIRoute = async ({ request, locals }) => {
 	const { emdash } = locals;
 
@@ -166,6 +170,17 @@ const OAUTH_TOKEN_HEADERS: HeadersInit = {
 	"Content-Type": "application/json",
 	"Cache-Control": "no-store",
 	Pragma: "no-cache",
+	// OAuth 2.1 token endpoint is called cross-origin by external clients. Caller
+	// must present PKCE code_verifier / device_code / refresh_token on each request,
+	// so there is no ambient credential for CSRF to exploit.
+	"Access-Control-Allow-Origin": "*",
+};
+
+const OAUTH_PREFLIGHT_HEADERS: HeadersInit = {
+	"Access-Control-Allow-Origin": "*",
+	"Access-Control-Allow-Methods": "POST, OPTIONS",
+	"Access-Control-Allow-Headers": "Content-Type",
+	"Access-Control-Max-Age": "86400",
 };
 
 function oauthSuccess(data: unknown): Response {

package/src/astro/routes/api/openapi.json.ts

@@ -15,13 +15,23 @@ export const prerender = false;
 
 let cachedSpec: string | null = null;
 
-export const GET: APIRoute = async () => {
-	if (!cachedSpec) {
-		const doc = generateOpenApiDocument();
-		cachedSpec = JSON.stringify(doc);
+export const GET: APIRoute = async ({ locals }) => {
+	const { emdash } = locals;
+	if (!cachedSpec && emdash) {
+		try {
+			const doc = generateOpenApiDocument({ maxUploadSize: emdash.config.maxUploadSize });
+			cachedSpec = JSON.stringify(doc);
+		} catch {
+			return new Response(
+				JSON.stringify({ error: "Failed to generate OpenAPI document: invalid configuration" }),
+				{ status: 500, headers: { "Content-Type": "application/json" } },
+			);
+		}
 	}
 
-	return new Response(cachedSpec, {
+	const spec = cachedSpec ?? JSON.stringify(generateOpenApiDocument());
+
+	return new Response(spec, {
 		status: 200,
 		headers: {
 			"Content-Type": "application/json",

package/src/astro/routes/api/schema/collections/[slug]/fields/[fieldSlug].ts

@@ -57,6 +57,7 @@ export const PUT: APIRoute = async ({ params, request, locals }) => {
 		fieldSlug,
 		body as UpdateFieldInput,
 	);
+	if (result.success) emdash!.invalidateManifest();
 	return unwrapResult(result);
 };
 
@@ -72,5 +73,6 @@ export const DELETE: APIRoute = async ({ params, locals }) => {
 	if (denied) return denied;
 
 	const result = await handleSchemaFieldDelete(emdash!.db, collectionSlug, fieldSlug);
+	if (result.success) emdash!.invalidateManifest();
 	return unwrapResult(result);
 };

package/src/astro/routes/api/schema/collections/[slug]/fields/index.ts

@@ -48,5 +48,6 @@ export const POST: APIRoute = async ({ params, request, locals }) => {
 		collectionSlug,
 		body as CreateFieldInput,
 	);
+	if (result.success) emdash!.invalidateManifest();
 	return unwrapResult(result, 201);
 };

package/src/astro/routes/api/schema/collections/[slug]/fields/reorder.ts

@@ -28,5 +28,6 @@ export const POST: APIRoute = async ({ params, request, locals }) => {
 	if (isParseError(body)) return body;
 
 	const result = await handleSchemaFieldReorder(emdash!.db, collectionSlug, body.fieldSlugs);
+	if (result.success) emdash!.invalidateManifest();
 	return unwrapResult(result);
 };

package/src/astro/routes/api/search/index.ts

@@ -37,6 +37,11 @@ export const GET: APIRoute = async ({ url, locals }) => {
 		: undefined;
 
 	try {
+		// Verify FTS indexes are healthy on first use. At most once per worker
+		// lifetime; no-op after that. Moved off the cold-start hot path to
+		// keep anonymous public reads fast.
+		await emdash.ensureSearchHealthy?.();
+
 		const result = await searchWithDb(emdash.db, query.q, {
 			collections,
 			status: query.status,

package/src/astro/routes/api/search/suggest.ts

@@ -36,6 +36,9 @@ export const GET: APIRoute = async ({ url, locals }) => {
 		: undefined;
 
 	try {
+		// Verify FTS indexes are healthy on first use. See search/index.ts.
+		await emdash.ensureSearchHealthy?.();
+
 		const suggestions = await getSuggestions(emdash.db, query.q, {
 			collections,
 			locale: query.locale,

package/src/astro/routes/api/taxonomies/index.ts

@@ -52,6 +52,7 @@ export const POST: APIRoute = async ({ request, locals }) => {
 		if (isParseError(body)) return body;
 
 		const result = await handleTaxonomyCreate(emdash.db, body);
+		if (result.success) emdash.invalidateManifest();
 		return unwrapResult(result, 201);
 	} catch (error) {
 		return handleError(error, "Failed to create taxonomy", "TAXONOMY_CREATE_ERROR");

package/src/astro/routes/api/well-known/oauth-authorization-server.ts

@@ -1,8 +1,10 @@
 /**
- * GET /_emdash/.well-known/oauth-authorization-server
+ * GET /.well-known/oauth-authorization-server/_emdash
  *
- * RFC 8414 Authorization Server Metadata. Tells MCP clients which
- * endpoints to use for OAuth authorization, token exchange, etc.
+ * RFC 8414 Authorization Server Metadata. The path follows the RFC 8414
+ * convention: the issuer's pathname (/_emdash) is appended after
+ * /.well-known/oauth-authorization-server, so MCP clients can discover
+ * it automatically from the authorization_servers URL.
  *
  * Public, unauthenticated.
  */
@@ -31,8 +33,8 @@ export const GET: APIRoute = async ({ url, locals }) => {
 				"urn:ietf:params:oauth:grant-type:device_code",
 			],
 			code_challenge_methods_supported: ["S256"],
+			registration_endpoint: `${origin}/_emdash/api/oauth/register`,
 			token_endpoint_auth_methods_supported: ["none"],
-			client_id_metadata_document_supported: true,
 			device_authorization_endpoint: `${origin}/_emdash/api/oauth/device/code`,
 		},
 		{