emdash 0.5.0 → 0.6.0

package/src/astro/routes/admin.astro

@@ -9,6 +9,7 @@ import "@emdash-cms/admin/styles.css";
 // Use package-qualified import so Astro generates a proper module URL
 // (relative imports resolve to absolute paths which break client hydration)
 import AdminWrapper from "emdash/routes/PluginRegistry";
+import { Font } from "astro:assets";
 
 export const prerender = false;
 
@@ -24,6 +25,7 @@ const messages = await loadMessages(resolvedLocale);
 	<head>
 		<meta charset="UTF-8" />
 		<meta name="viewport" content="width=device-width, initial-scale=1.0" />
+		<Font cssVariable="--font-emdash" />
 		<link
 			rel="icon"
 			href="data:image/svg+xml,<svg width='75' height='75' viewBox='0 0 75 75' fill='none' xmlns='http://www.w3.org/2000/svg'> <g clip-path='url(%23clip0_50_99)'> <rect x='3' y='3' width='69' height='69' rx='10.518' stroke='url(%23paint0_linear_50_99)' stroke-width='6'/> <rect x='18' y='34' width='39.3661' height='6.56101' fill='url(%23paint1_linear_50_99)'/> </g> <defs> <linearGradient id='paint0_linear_50_99' x1='-42.9996' y1='124' x2='92.4233' y2='-41.7456' gradientUnits='userSpaceOnUse'> <stop stop-color='%230F006B'/> <stop offset='0.0833333' stop-color='%23281A81'/> <stop offset='0.166667' stop-color='%235D0C83'/> <stop offset='0.25' stop-color='%23911475'/> <stop offset='0.333333' stop-color='%23CE2F55'/> <stop offset='0.416667' stop-color='%23FF6633'/> <stop offset='0.5' stop-color='%23F6821F'/> <stop offset='0.583333' stop-color='%23FBAD41'/> <stop offset='0.666667' stop-color='%23FFCD89'/> <stop offset='0.75' stop-color='%23FFE9CB'/> <stop offset='0.833333' stop-color='%23FFF7EC'/> <stop offset='0.916667' stop-color='%23FFF8EE'/> <stop offset='1' stop-color='white'/> </linearGradient> <linearGradient id='paint1_linear_50_99' x1='91.4992' y1='27.4982' x2='28.1217' y2='54.1775' gradientUnits='userSpaceOnUse'> <stop stop-color='white'/> <stop offset='0.129253' stop-color='%23FFF8EE'/> <stop offset='0.617058' stop-color='%23FBAD41'/> <stop offset='0.848019' stop-color='%23F6821F'/> <stop offset='1' stop-color='%23FF6633'/> </linearGradient> <clipPath id='clip0_50_99'> <rect width='75' height='75' fill='white'/> </clipPath> </defs> </svg>"
@@ -63,10 +65,12 @@ const messages = await loadMessages(resolvedLocale);
 					}
 					#emdash-boot-loader p {
 						margin-top: 1rem;
-						font-family:
+						font-family: var(
+							--font-emdash,
+							ui-sans-serif,
 							system-ui,
-							-apple-system,
-							sans-serif;
+							sans-serif
+						);
 						font-size: 0.875rem;
 						color: light-dark(hsl(215.4 16.3% 46.9%), hsl(215 20.2% 65.1%));
 					}

package/src/astro/routes/api/auth/passkey/verify.ts

@@ -9,7 +9,7 @@ import type { APIRoute } from "astro";
 export const prerender = false;
 
 import { createKyselyAdapter } from "@emdash-cms/auth/adapters/kysely";
-import { authenticateWithPasskey } from "@emdash-cms/auth/passkey";
+import { authenticateWithPasskey, PasskeyAuthenticationError } from "@emdash-cms/auth/passkey";
 
 import { apiError, apiSuccess, handleError } from "#api/error.js";
 import { isParseError, parseBody } from "#api/parse.js";
@@ -63,6 +63,10 @@ export const POST: APIRoute = async ({ request, locals, session }) => {
 			},
 		});
 	} catch (error) {
+		if (error instanceof PasskeyAuthenticationError) {
+			return apiError("UNAUTHORIZED", "Authentication failed", 401);
+		}
+
 		return handleError(error, "Authentication failed", "PASSKEY_VERIFY_ERROR");
 	}
 };

package/src/astro/routes/api/content/[collection]/[id]/terms/[taxonomy].ts

@@ -12,6 +12,7 @@ import { apiError, apiSuccess, handleError, requireDb } from "#api/error.js";
 import { parseBody, isParseError } from "#api/parse.js";
 import { contentTermsBody } from "#api/schemas.js";
 import { TaxonomyRepository } from "#db/repositories/taxonomy.js";
+import { invalidateTermCache } from "#taxonomies/index.js";
 
 export const prerender = false;
 
@@ -122,6 +123,10 @@ export const POST: APIRoute = async ({ params, request, locals }) => {
 		// Set the terms (replaces existing)
 		await repo.setTermsForEntry(collection, id, taxonomy, termIds);
 
+		// Term assignments changed — invalidate the hasAnyTermAssignments cache
+		// so hydration on subsequent reads issues a fresh query.
+		invalidateTermCache();
+
 		// Get the updated terms
 		const terms = await repo.getTermsForEntry(collection, id, taxonomy);
 

package/src/astro/routes/api/import/wordpress/execute.ts

@@ -271,7 +271,7 @@ async function importContent(
 			console.error(`Import error for "${post.title || "Untitled"}":`, error);
 			result.errors.push({
 				title: post.title || "Untitled",
-				error: "Failed to import item",
+				error: error instanceof Error && error.message ? error.message : "Failed to import item",
 			});
 		}
 	}

package/src/astro/routes/api/import/wordpress-plugin/execute.ts

@@ -332,7 +332,7 @@ async function importContent(
 			console.error(`Import error for "${item.title || "Untitled"}":`, error);
 			result.errors.push({
 				title: item.title || "Untitled",
-				error: "Failed to import item",
+				error: error instanceof Error && error.message ? error.message : "Failed to import item",
 			});
 		}
 	}

package/src/astro/routes/api/media/upload-url.ts

@@ -16,7 +16,7 @@ import { ulid } from "ulidx";
 import { requirePerm } from "#api/authorize.js";
 import { apiError, apiSuccess, handleError } from "#api/error.js";
 import { isParseError, parseBody } from "#api/parse.js";
-import { mediaUploadUrlBody } from "#api/schemas.js";
+import { DEFAULT_MAX_UPLOAD_SIZE, mediaUploadUrlBody } from "#api/schemas.js";
 
 export const prerender = false;
 
@@ -59,7 +59,15 @@ export const POST: APIRoute = async ({ request, locals }) => {
 	}
 
 	try {
-		const body = await parseBody(request, mediaUploadUrlBody);
+		const maxSize = emdash.config.maxUploadSize ?? DEFAULT_MAX_UPLOAD_SIZE;
+		if (!Number.isFinite(maxSize) || maxSize <= 0) {
+			return apiError(
+				"CONFIGURATION_ERROR",
+				"Invalid maxUploadSize configuration. Expected a positive finite number.",
+				500,
+			);
+		}
+		const body = await parseBody(request, mediaUploadUrlBody(maxSize));
 		if (isParseError(body)) return body;
 
 		// Validate content type

package/src/astro/routes/api/media.ts

@@ -13,7 +13,7 @@ import { ulid } from "ulidx";
 import { requirePerm } from "#api/authorize.js";
 import { apiError, apiSuccess, handleError, unwrapResult } from "#api/error.js";
 import { isParseError, parseQuery } from "#api/parse.js";
-import { mediaListQuery } from "#api/schemas.js";
+import { DEFAULT_MAX_UPLOAD_SIZE, formatFileSize, mediaListQuery } from "#api/schemas.js";
 import { MediaRepository } from "#db/repositories/media.js";
 import { generatePlaceholder } from "#media/placeholder.js";
 import { computeContentHash } from "#utils/hash.js";
@@ -22,9 +22,6 @@ import type { MediaItem } from "../../types.js";
 
 export const prerender = false;
 
-/** Maximum allowed file upload size (50 MB). */
-const MAX_UPLOAD_SIZE = 50 * 1024 * 1024;
-
 /**
  * Add URL to media items
  * Uses relative URLs to ensure portability across deployments
@@ -89,9 +86,15 @@ export const POST: APIRoute = async ({ request, locals }) => {
 	}
 
 	try {
+		const rawMax = emdash.config.maxUploadSize ?? DEFAULT_MAX_UPLOAD_SIZE;
+		if (!Number.isFinite(rawMax) || rawMax <= 0) {
+			return apiError("CONFIGURATION_ERROR", "Invalid maxUploadSize configuration", 500);
+		}
+		const maxUploadSize = rawMax;
+
 		// Best-effort size check before buffering the full multipart body
 		const contentLength = request.headers.get("Content-Length");
-		if (contentLength && parseInt(contentLength, 10) > MAX_UPLOAD_SIZE) {
+		if (contentLength && parseInt(contentLength, 10) > maxUploadSize) {
 			return apiError("PAYLOAD_TOO_LARGE", "Upload too large", 413);
 		}
 
@@ -110,10 +113,10 @@ export const POST: APIRoute = async ({ request, locals }) => {
 		}
 
 		// Check file size before buffering
-		if (file.size > MAX_UPLOAD_SIZE) {
+		if (file.size > maxUploadSize) {
 			return apiError(
 				"PAYLOAD_TOO_LARGE",
-				`File exceeds maximum size of ${MAX_UPLOAD_SIZE / 1024 / 1024}MB`,
+				`File exceeds maximum size of ${formatFileSize(maxUploadSize)}`,
 				413,
 			);
 		}

package/src/astro/routes/api/oauth/register.ts

@@ -0,0 +1,178 @@
+/**
+ * POST /_emdash/api/oauth/register
+ *
+ * RFC 7591 Dynamic Client Registration. Public, unauthenticated.
+ * MCP clients (e.g. Claude Code) call this to register themselves
+ * before starting the OAuth authorization flow.
+ */
+
+import type { APIRoute } from "astro";
+
+import { apiError, handleError } from "#api/error.js";
+import { handleOAuthClientCreate } from "#api/handlers/oauth-clients.js";
+
+export const prerender = false;
+
+const OAUTH_REGISTRATION_HEADERS: HeadersInit = {
+	"Cache-Control": "no-store",
+	Pragma: "no-cache",
+	// RFC 7591 dynamic client registration is called cross-origin by MCP clients,
+	// CLIs, and native apps. The endpoint is anonymous and carries no ambient
+	// credentials, so CORS `*` is safe.
+	"Access-Control-Allow-Origin": "*",
+};
+
+const OAUTH_PREFLIGHT_HEADERS: HeadersInit = {
+	"Access-Control-Allow-Origin": "*",
+	"Access-Control-Allow-Methods": "POST, OPTIONS",
+	"Access-Control-Allow-Headers": "Content-Type",
+	"Access-Control-Max-Age": "86400",
+};
+
+const SUPPORTED_GRANT_TYPES = new Set([
+	"authorization_code",
+	"refresh_token",
+	"urn:ietf:params:oauth:grant-type:device_code",
+]);
+const SUPPORTED_RESPONSE_TYPES = new Set(["code"]);
+
+function registrationError(description: string, status = 400): Response {
+	return Response.json(
+		{
+			error: "invalid_client_metadata",
+			error_description: description,
+		},
+		{ status, headers: OAUTH_REGISTRATION_HEADERS },
+	);
+}
+
+function isRecord(value: unknown): value is Record<string, unknown> {
+	return typeof value === "object" && value !== null && !Array.isArray(value);
+}
+
+function isStringArray(value: unknown): value is string[] {
+	return Array.isArray(value) && value.every((item) => typeof item === "string");
+}
+
+function parseScope(value: unknown): string[] | Response | undefined {
+	if (value === undefined) return undefined;
+	if (typeof value === "string") {
+		const scopes = value.split(" ").filter(Boolean);
+		return scopes.length > 0 ? scopes : undefined;
+	}
+	if (isStringArray(value)) {
+		const scopes = value.filter(Boolean);
+		return scopes.length > 0 ? scopes : undefined;
+	}
+	return registrationError("scope must be a string or array of strings");
+}
+
+function parseSupportedStringArray(
+	value: unknown,
+	field: string,
+	supported: ReadonlySet<string>,
+): string[] | Response | undefined {
+	if (value === undefined) return undefined;
+	if (!isStringArray(value)) {
+		return registrationError(`${field} must be an array of strings`);
+	}
+	const invalidValue = value.find((item) => !supported.has(item));
+	if (invalidValue) {
+		return registrationError(`${field} contains unsupported value: ${invalidValue}`);
+	}
+	return value;
+}
+
+export const OPTIONS: APIRoute = () => {
+	return new Response(null, { status: 204, headers: OAUTH_PREFLIGHT_HEADERS });
+};
+
+export const POST: APIRoute = async ({ request, locals }) => {
+	const { emdash } = locals;
+
+	if (!emdash?.db) {
+		return apiError("NOT_CONFIGURED", "EmDash is not initialized", 500);
+	}
+
+	try {
+		let body: unknown;
+		try {
+			body = await request.json();
+		} catch {
+			return registrationError("Request body must be valid JSON");
+		}
+
+		if (!isRecord(body)) {
+			return registrationError("Request body must be a JSON object");
+		}
+
+		// redirect_uris is the only required field per RFC 7591 §2
+		if (!isStringArray(body.redirect_uris) || body.redirect_uris.length === 0) {
+			return registrationError("redirect_uris must be a non-empty array of strings");
+		}
+
+		if (
+			body.token_endpoint_auth_method !== undefined &&
+			body.token_endpoint_auth_method !== "none"
+		) {
+			return registrationError("Only token_endpoint_auth_method=none is supported");
+		}
+
+		const grantTypes = parseSupportedStringArray(
+			body.grant_types,
+			"grant_types",
+			SUPPORTED_GRANT_TYPES,
+		);
+		if (grantTypes instanceof Response) {
+			return grantTypes;
+		}
+
+		const responseTypes = parseSupportedStringArray(
+			body.response_types,
+			"response_types",
+			SUPPORTED_RESPONSE_TYPES,
+		);
+		if (responseTypes instanceof Response) {
+			return responseTypes;
+		}
+
+		const scopes = parseScope(body.scope);
+		if (scopes instanceof Response) {
+			return scopes;
+		}
+
+		const clientId = crypto.randomUUID();
+		const clientName =
+			typeof body.client_name === "string" && body.client_name
+				? body.client_name
+				: `dynamic-${clientId.slice(0, 8)}`;
+
+		const result = await handleOAuthClientCreate(emdash.db, {
+			id: clientId,
+			name: clientName,
+			redirectUris: body.redirect_uris,
+			scopes,
+		});
+
+		if (!result.success) {
+			return registrationError(result.error.message);
+		}
+
+		// RFC 7591 §3.2.1 response
+		return Response.json(
+			{
+				client_id: result.data.id,
+				client_id_issued_at: Math.floor(new Date(result.data.createdAt).getTime() / 1000),
+				redirect_uris: result.data.redirectUris,
+				client_name: result.data.name,
+				grant_types: grantTypes ?? ["authorization_code", "refresh_token"],
+				response_types: responseTypes ?? ["code"],
+				token_endpoint_auth_method: "none",
+				scope: result.data.scopes ? result.data.scopes.join(" ") : undefined,
+			},
+			{ status: 201, headers: OAUTH_REGISTRATION_HEADERS },
+		);
+	} catch (error) {
+		return handleError(error, "Failed to register OAuth client", "CLIENT_REGISTER_ERROR");
+	}
+};

package/src/astro/routes/api/oauth/token.ts

@@ -87,6 +87,10 @@ const refreshSchema = z.object({
 // Handler
 // ---------------------------------------------------------------------------
 
+export const OPTIONS: APIRoute = () => {
+	return new Response(null, { status: 204, headers: OAUTH_PREFLIGHT_HEADERS });
+};
+
 export const POST: APIRoute = async ({ request, locals }) => {
 	const { emdash } = locals;
 
@@ -166,6 +170,17 @@ const OAUTH_TOKEN_HEADERS: HeadersInit = {
 	"Content-Type": "application/json",
 	"Cache-Control": "no-store",
 	Pragma: "no-cache",
+	// OAuth 2.1 token endpoint is called cross-origin by external clients. Caller
+	// must present PKCE code_verifier / device_code / refresh_token on each request,
+	// so there is no ambient credential for CSRF to exploit.
+	"Access-Control-Allow-Origin": "*",
+};
+
+const OAUTH_PREFLIGHT_HEADERS: HeadersInit = {
+	"Access-Control-Allow-Origin": "*",
+	"Access-Control-Allow-Methods": "POST, OPTIONS",
+	"Access-Control-Allow-Headers": "Content-Type",
+	"Access-Control-Max-Age": "86400",
 };
 
 function oauthSuccess(data: unknown): Response {

package/src/astro/routes/api/openapi.json.ts

@@ -15,13 +15,23 @@ export const prerender = false;
 
 let cachedSpec: string | null = null;
 
-export const GET: APIRoute = async () => {
-	if (!cachedSpec) {
-		const doc = generateOpenApiDocument();
-		cachedSpec = JSON.stringify(doc);
+export const GET: APIRoute = async ({ locals }) => {
+	const { emdash } = locals;
+	if (!cachedSpec && emdash) {
+		try {
+			const doc = generateOpenApiDocument({ maxUploadSize: emdash.config.maxUploadSize });
+			cachedSpec = JSON.stringify(doc);
+		} catch {
+			return new Response(
+				JSON.stringify({ error: "Failed to generate OpenAPI document: invalid configuration" }),
+				{ status: 500, headers: { "Content-Type": "application/json" } },
+			);
+		}
 	}
 
-	return new Response(cachedSpec, {
+	const spec = cachedSpec ?? JSON.stringify(generateOpenApiDocument());
+
+	return new Response(spec, {
 		status: 200,
 		headers: {
 			"Content-Type": "application/json",

package/src/astro/routes/api/schema/collections/[slug]/fields/[fieldSlug].ts

@@ -57,6 +57,7 @@ export const PUT: APIRoute = async ({ params, request, locals }) => {
 		fieldSlug,
 		body as UpdateFieldInput,
 	);
+	if (result.success) emdash!.invalidateManifest();
 	return unwrapResult(result);
 };
 
@@ -72,5 +73,6 @@ export const DELETE: APIRoute = async ({ params, locals }) => {
 	if (denied) return denied;
 
 	const result = await handleSchemaFieldDelete(emdash!.db, collectionSlug, fieldSlug);
+	if (result.success) emdash!.invalidateManifest();
 	return unwrapResult(result);
 };

package/src/astro/routes/api/schema/collections/[slug]/fields/index.ts

@@ -48,5 +48,6 @@ export const POST: APIRoute = async ({ params, request, locals }) => {
 		collectionSlug,
 		body as CreateFieldInput,
 	);
+	if (result.success) emdash!.invalidateManifest();
 	return unwrapResult(result, 201);
 };

package/src/astro/routes/api/schema/collections/[slug]/fields/reorder.ts

@@ -28,5 +28,6 @@ export const POST: APIRoute = async ({ params, request, locals }) => {
 	if (isParseError(body)) return body;
 
 	const result = await handleSchemaFieldReorder(emdash!.db, collectionSlug, body.fieldSlugs);
+	if (result.success) emdash!.invalidateManifest();
 	return unwrapResult(result);
 };

package/src/astro/routes/api/search/index.ts

@@ -37,6 +37,11 @@ export const GET: APIRoute = async ({ url, locals }) => {
 		: undefined;
 
 	try {
+		// Verify FTS indexes are healthy on first use. At most once per worker
+		// lifetime; no-op after that. Moved off the cold-start hot path to
+		// keep anonymous public reads fast.
+		await emdash.ensureSearchHealthy?.();
+
 		const result = await searchWithDb(emdash.db, query.q, {
 			collections,
 			status: query.status,

package/src/astro/routes/api/search/suggest.ts

@@ -36,6 +36,9 @@ export const GET: APIRoute = async ({ url, locals }) => {
 		: undefined;
 
 	try {
+		// Verify FTS indexes are healthy on first use. See search/index.ts.
+		await emdash.ensureSearchHealthy?.();
+
 		const suggestions = await getSuggestions(emdash.db, query.q, {
 			collections,
 			locale: query.locale,

package/src/astro/routes/api/taxonomies/index.ts

@@ -52,6 +52,7 @@ export const POST: APIRoute = async ({ request, locals }) => {
 		if (isParseError(body)) return body;
 
 		const result = await handleTaxonomyCreate(emdash.db, body);
+		if (result.success) emdash.invalidateManifest();
 		return unwrapResult(result, 201);
 	} catch (error) {
 		return handleError(error, "Failed to create taxonomy", "TAXONOMY_CREATE_ERROR");

package/src/astro/routes/api/well-known/oauth-authorization-server.ts

@@ -33,8 +33,8 @@ export const GET: APIRoute = async ({ url, locals }) => {
 				"urn:ietf:params:oauth:grant-type:device_code",
 			],
 			code_challenge_methods_supported: ["S256"],
+			registration_endpoint: `${origin}/_emdash/api/oauth/register`,
 			token_endpoint_auth_methods_supported: ["none"],
-			client_id_metadata_document_supported: true,
 			device_authorization_endpoint: `${origin}/_emdash/api/oauth/device/code`,
 		},
 		{

package/src/bylines/index.ts

@@ -13,47 +13,19 @@ import type { BylineSummary, ContentBylineCredit } from "../database/repositorie
 import { validateIdentifier } from "../database/validate.js";
 import { getDb } from "../loader.js";
 import { chunks, SQL_BATCH_SIZE } from "../utils/chunks.js";
+import { isMissingTableError } from "../utils/db-errors.js";
 
 /**
- * Cached result of "does any byline exist in the database?"
- * null = not yet checked, true/false = cached result.
- * Invalidated when bylines are created or deleted.
- */
-let hasBylines: boolean | null = null;
-
-/**
- * Invalidate the cached "has any bylines" check.
- * Call this when bylines are created, updated, or deleted.
+ * No-op — kept for API compatibility.
+ *
+ * Used to invalidate a worker-lifetime "has any byline?" probe. That
+ * probe added a query on every cold isolate to save one query on sites
+ * with zero bylines (i.e. the wrong tradeoff), so we dropped it. The
+ * batch byline join below returns an empty map for empty sites at the
+ * same cost as the probe, without the pre-check.
  */
 export function invalidateBylineCache(): void {
-	hasBylines = null;
-}
-
-/**
- * Check if any bylines exist in the database. Result is cached
- * for the lifetime of the worker/process and invalidated on writes.
- */
-async function hasAnyBylines(): Promise<boolean> {
-	if (hasBylines !== null) return hasBylines;
-
-	try {
-		const db = await getDb();
-		const result = await sql<{ id: string }>`
-			SELECT id FROM _emdash_bylines LIMIT 1
-		`.execute(db);
-		hasBylines = result.rows.length > 0;
-	} catch (error: unknown) {
-		// Only treat "no such table" as a safe false -- anything else should
-		// not be cached so the next request retries.
-		const message = error instanceof Error ? error.message : "";
-		if (message.includes("no such table")) {
-			hasBylines = false;
-		} else {
-			return false;
-		}
-	}
-
-	return hasBylines;
+	// Intentionally empty.
 }
 
 /**
@@ -176,17 +148,22 @@ export async function getBylinesForEntries(
 		return result;
 	}
 
-	// Skip DB queries entirely when no bylines have been created.
-	// The cache is invalidated when bylines are created/deleted.
-	if (!(await hasAnyBylines())) {
-		return result;
-	}
-
 	const db = await getDb();
 	const repo = new BylineRepository(db);
 
-	// 1. Batch fetch all explicit byline credits
-	const bylinesMap = await repo.getContentBylinesMany(collection, entryIds);
+	// 1. Batch fetch all explicit byline credits. Sites with no bylines
+	// get an empty map back for one query — the previous "has any bylines"
+	// probe traded an extra round-trip on every request to save that one
+	// query on empty sites, which is exactly backwards for the common case.
+	// Pre-migration databases (bylines table missing) fall through to the
+	// `isMissingTableError` catch below and return empty results.
+	let bylinesMap;
+	try {
+		bylinesMap = await repo.getContentBylinesMany(collection, entryIds);
+	} catch (error) {
+		if (isMissingTableError(error)) return result;
+		throw error;
+	}
 
 	// 2. Collect entry IDs that need fallback lookup
 	const fallbackEntryIds: string[] = [];

package/src/components/EmDashHead.astro

@@ -16,8 +16,12 @@
 import type { PublicPageContext, PageMetadataContribution } from "../plugins/types.js";
 import { resolvePageMetadata, renderPageMetadata } from "../page/metadata.js";
 import { renderFragments } from "../page/fragments.js";
-import { generateBaseSeoContributions } from "../page/seo-contributions.js";
+import {
+	generateBaseSeoContributions,
+	generateSiteSeoContributions,
+} from "../page/seo-contributions.js";
 import { getPageRuntime } from "../page/index.js";
+import { getSiteSetting } from "../settings/index.js";
 
 interface Props {
 	page: PublicPageContext;
@@ -33,14 +37,26 @@ let metadataHtml = "";
 let fragmentsHtml = "";
 
 if (runtime) {
-	// Plugin contributions come BEFORE base, so resolvePageMetadata's
-	// first-wins dedup lets plugins override base SEO defaults
-	const pluginContributions = await runtime.collectPageMetadata(page);
-	const allContributions = [...pluginContributions, ...baseContributions];
+	// Run independent async loads in parallel: site SEO settings (for
+	// search engine verification meta tags) and plugin page-metadata
+	// contributions. Plugin contributions come BEFORE site/base in the
+	// array, so resolvePageMetadata's first-wins dedup lets plugins
+	// override defaults.
+	//
+	// `getSiteSetting("seo")` is request-cached and — crucially — reads
+	// from `getSiteSettings()`'s cached batch when a parent template has
+	// already called it. So this is either a single-key query or free,
+	// not a second round-trip.
+	const [seoSettings, pluginContributions, fragments] = await Promise.all([
+		getSiteSetting("seo"),
+		runtime.collectPageMetadata(page),
+		runtime.collectPageFragments(page),
+	]);
+
+	const siteContributions = generateSiteSeoContributions(seoSettings);
+	const allContributions = [...pluginContributions, ...siteContributions, ...baseContributions];
 	const resolved = resolvePageMetadata(allContributions);
 	metadataHtml = renderPageMetadata(resolved);
-
-	const fragments = await runtime.collectPageFragments(page);
 	fragmentsHtml = renderFragments(fragments, "head");
 } else {
 	// No runtime (EmDash not initialized) — still render base SEO