emdash 0.5.0 → 0.7.0

package/dist/{search-Cn1SYvYF.mjs → search-B0effn3j.mjs}

@@ -1,23 +1,25 @@
 import { n as validateJsonFieldName, r as validatePluginIdentifier, t as validateIdentifier } from "./validate-VPnKoIzW.mjs";
 import { o as jsonExtractExpr } from "./dialect-helpers-DhTzaUxP.mjs";
-import { a as slugify, r as RevisionRepository, t as ContentRepository } from "./content-BsBoyj8G.mjs";
+import { a as slugify, r as RevisionRepository, t as ContentRepository } from "./content-D7J5y73J.mjs";
 import { r as encodeBase64, t as decodeBase64 } from "./base64-MBPo9ozB.mjs";
 import { n as decodeCursor, r as encodeCursor, t as EmDashValidationError } from "./types-CMMN0pNg.mjs";
 import { t as MediaRepository } from "./media-DqHVh136.mjs";
-import { a as stripCredentialHeaders, f as OptionsRepository, i as ssrfSafeFetch, o as validateExternalUrl, r as SsrfError } from "./apply-Cma_PiF6.mjs";
+import { a as ssrfSafeFetch, i as resolveAndValidateExternalUrl, o as stripCredentialHeaders, p as OptionsRepository, r as SsrfError, s as validateExternalUrl } from "./apply-5uslYdUu.mjs";
 import { t as withTransaction } from "./transaction-Cn2rjY78.mjs";
-import { t as RedirectRepository } from "./redirect-7lGhLBNZ.mjs";
-import { n as SQL_BATCH_SIZE, r as chunks, t as BylineRepository } from "./byline-WuOq9MFJ.mjs";
-import { r as isI18nEnabled } from "./config-DkxPrM9l.mjs";
-import { r as invalidateRedirectCache } from "./cache-E3Dts-yT.mjs";
-import { i as FTSManager, n as SchemaRegistry } from "./registry-BgnP3ysR.mjs";
-import { n as getDb } from "./loader-BYzwzORf.mjs";
-import { i as pluginManifestSchema } from "./manifest-schema-BsXINkQD.mjs";
-import { t as generatePreviewToken } from "./tokens-DKHiCYCB.mjs";
+import { t as RedirectRepository } from "./redirect-CN0Rt9Ob.mjs";
+import { n as chunks, t as SQL_BATCH_SIZE } from "./chunks-HGz06Soa.mjs";
+import { t as BylineRepository } from "./byline-C4OVd8b3.mjs";
+import { r as isI18nEnabled } from "./config-BXwuX8Bx.mjs";
+import { r as invalidateRedirectCache } from "./cache-BkKBuIvS.mjs";
+import { i as FTSManager, n as SchemaRegistry } from "./registry-Ci3WxVAr.mjs";
+import { n as getDb } from "./loader-DeiBJEMe.mjs";
+import { n as requestCached } from "./request-cache-DiR961CV.mjs";
+import { i as pluginManifestSchema } from "./manifest-schema-V30qsMft.mjs";
+import { t as generatePreviewToken } from "./tokens-BFPFx3CA.mjs";
 import { sql } from "kysely";
+import { AsyncLocalStorage } from "node:async_hooks";
 import { ulid } from "ulidx";
 import { z } from "astro/zod";
-import { AsyncLocalStorage } from "node:async_hooks";
 import { z as z$1 } from "zod";
 import { createGzipDecoder, unpackTar } from "modern-tar";
 import sax from "sax";
@@ -1296,7 +1298,8 @@ async function handleContentUpdate(db, collection, id, body) {
 				data: body.data,
 				slug: body.slug,
 				status: body.status,
-				authorId: body.authorId
+				authorId: body.authorId,
+				publishedAt: body.publishedAt
 			});
 			if (body.bylines !== void 0) {
 				await bylineRepo.setContentBylines(collection, resolvedId, body.bylines);
@@ -2229,7 +2232,9 @@ async function handleMediaDelete(db, id) {
 * ```
 */
 async function getCollectionInfo(slug) {
-	return getCollectionInfoWithDb(await getDb(), slug);
+	return requestCached(`collection-info:${slug}`, async () => {
+		return getCollectionInfoWithDb(await getDb(), slug);
+	});
 }
 /**
 * Get collection metadata with an explicit db handle.
@@ -2636,6 +2641,11 @@ const contentListQuery = cursorPaginationQuery.extend({
 	order: z$1.enum(["asc", "desc"]).optional(),
 	locale: localeCode.optional()
 }).meta({ id: "ContentListQuery" });
+/** ISO 8601 datetime for `publishedAt` / `createdAt`. Routes gate writes behind `content:publish_any`. */
+const contentDateOverride = z$1.iso.datetime({
+	offset: true,
+	message: "must be an ISO 8601 datetime"
+}).nullish();
 const contentCreateBody = z$1.object({
 	data: z$1.record(z$1.string(), z$1.unknown()),
 	slug: z$1.string().nullish(),
@@ -2643,7 +2653,9 @@ const contentCreateBody = z$1.object({
 	bylines: z$1.array(contentBylineInputSchema).optional(),
 	locale: localeCode.optional(),
 	translationOf: z$1.string().optional(),
-	seo: contentSeoInput.optional()
+	seo: contentSeoInput.optional(),
+	publishedAt: contentDateOverride,
+	createdAt: contentDateOverride
 }).meta({ id: "ContentCreateBody" });
 const contentUpdateBody = z$1.object({
 	data: z$1.record(z$1.string(), z$1.unknown()).optional(),
@@ -2653,7 +2665,8 @@ const contentUpdateBody = z$1.object({
 	bylines: z$1.array(contentBylineInputSchema).optional(),
 	_rev: z$1.string().optional().meta({ description: "Opaque revision token for optimistic concurrency" }),
 	skipRevision: z$1.boolean().optional(),
-	seo: contentSeoInput.optional()
+	seo: contentSeoInput.optional(),
+	publishedAt: contentDateOverride
 }).meta({ id: "ContentUpdateBody" });
 const contentScheduleBody = z$1.object({ scheduledAt: z$1.string().min(1, "scheduledAt is required").meta({
 	description: "ISO 8601 datetime for scheduled publishing",
@@ -2751,14 +2764,8 @@ const mediaUpdateBody = z$1.object({
 	width: z$1.number().int().positive().optional(),
 	height: z$1.number().int().positive().optional()
 }).meta({ id: "MediaUpdateBody" });
-/** Maximum allowed file upload size (50 MB). */
-const MAX_UPLOAD_SIZE = 50 * 1024 * 1024;
-const mediaUploadUrlBody = z$1.object({
-	filename: z$1.string().min(1, "filename is required"),
-	contentType: z$1.string().min(1, "contentType is required"),
-	size: z$1.number().int().positive().max(MAX_UPLOAD_SIZE, `File size must not exceed ${MAX_UPLOAD_SIZE / 1024 / 1024}MB`),
-	contentHash: z$1.string().optional()
-}).meta({ id: "MediaUploadUrlBody" });
+/** Default maximum allowed file upload size (50 MB). */
+const DEFAULT_MAX_UPLOAD_SIZE = 50 * 1024 * 1024;
 const mediaConfirmBody = z$1.object({
 	size: z$1.number().int().positive().optional(),
 	width: z$1.number().int().positive().optional(),
@@ -2824,6 +2831,7 @@ const collectionSourcePattern = /^(template:.+|import:.+|manual|discovered|seed)
 const fieldTypeValues = z$1.enum([
 	"string",
 	"text",
+	"url",
 	"number",
 	"integer",
 	"boolean",
@@ -4221,6 +4229,33 @@ function convertCodeBlock(block) {
 	};
 }
 
+//#endregion
+//#region src/after.ts
+const waitUntilReady = (async () => {
+	try {
+		return (await import("virtual:emdash/wait-until")).waitUntil ?? null;
+	} catch {
+		return null;
+	}
+})();
+waitUntilReady.catch(() => {});
+/**
+* Schedule `fn` to run without blocking the response.
+*
+* Errors are caught and logged — a deferred task should never surface
+* as an unhandled rejection because the response is long gone. Callers
+* that care about errors should handle them inside `fn`.
+*/
+function after(fn) {
+	const promise = Promise.resolve().then(fn).catch((error) => {
+		console.error("[emdash] deferred task failed:", error);
+	});
+	waitUntilReady.then((waitUntil) => {
+		if (waitUntil) waitUntil(promise);
+		return null;
+	});
+}
+
 //#endregion
 //#region src/cli/wxr/parser.ts
 const PHP_SERIALIZED_STRING_PATTERN = /s:\d+:"([^"]+)"/g;
@@ -4957,6 +4992,55 @@ function resolveHook(hook, pluginId) {
 	};
 }
 
+//#endregion
+//#region src/auth/trusted-proxy.ts
+/**
+* RFC 7230 token — valid characters for an HTTP header name. Invalid names
+* passed to `Headers.get()` throw a TypeError at runtime, which would
+* otherwise surface as a 500 from every auth route.
+*/
+const HEADER_NAME_PATTERN = /^[!#$%&'*+\-.^_`|~0-9a-z]+$/;
+/**
+* Normalise a list of header names the way both the config path and any
+* caller passing a pre-resolved list should do: trim, lowercase, drop
+* empty, drop anything that isn't a valid RFC 7230 token. Invalid names
+* would crash `Headers.get()` at runtime.
+*/
+function normalizeTrustedHeaders(names) {
+	return names.map((h) => h.trim().toLowerCase()).filter((h) => h.length > 0 && HEADER_NAME_PATTERN.test(h));
+}
+function isValidHeaderName(name) {
+	return HEADER_NAME_PATTERN.test(name);
+}
+/** Cache for the env-derived value. `null` means "not yet parsed". */
+let _envCache = null;
+function getEnvTrustedHeaders() {
+	if (_envCache !== null) return _envCache;
+	let raw;
+	try {
+		const importMetaEnv = import.meta.env;
+		raw = (typeof process !== "undefined" ? process.env?.EMDASH_TRUSTED_PROXY_HEADERS : void 0) || importMetaEnv?.EMDASH_TRUSTED_PROXY_HEADERS;
+	} catch {
+		raw = void 0;
+	}
+	if (!raw) {
+		_envCache = [];
+		return _envCache;
+	}
+	_envCache = raw.split(",").map((s) => s.trim().toLowerCase()).filter((s) => s.length > 0 && isValidHeaderName(s));
+	return _envCache;
+}
+/**
+* Return the lowercased list of headers to trust for client-IP resolution.
+*
+* When `config?.trustedProxyHeaders` is explicitly set (even to `[]`), it
+* wins. Otherwise fall through to the env var, then to `[]`.
+*/
+function getTrustedProxyHeaders(config) {
+	if (config && config.trustedProxyHeaders !== void 0) return config.trustedProxyHeaders.map((h) => h.trim().toLowerCase()).filter((h) => h.length > 0 && isValidHeaderName(h));
+	return getEnvTrustedHeaders();
+}
+
 //#endregion
 //#region src/plugins/request-meta.ts
 /**
@@ -4978,6 +5062,20 @@ function parseFirstForwardedIp(header) {
 	return IP_PATTERN.test(trimmed) ? trimmed : null;
 }
 /**
+* Read an IP from an operator-declared trusted header. XFF-style headers
+* (any name ending in `forwarded-for`) are parsed as comma-separated lists
+* and the first entry is used; everything else is treated as a single
+* trimmed value.
+*/
+function readIpFromHeader(headers, name) {
+	const value = headers.get(name);
+	if (!value) return null;
+	if (name.endsWith("forwarded-for")) return parseFirstForwardedIp(value);
+	const trimmed = value.trim();
+	if (!trimmed) return null;
+	return IP_PATTERN.test(trimmed) ? trimmed : null;
+}
+/**
 * Get the Cloudflare `cf` object from the request, if present.
 * Returns undefined when not running on Cloudflare Workers.
 */
@@ -5004,24 +5102,39 @@ function extractGeo(cf) {
 * Extract normalized request metadata from a Request object.
 *
 * IP resolution order:
-* 1. `CF-Connecting-IP` header — only trusted when a `cf` object is
-*    present on the request (proving the request came through Cloudflare's
-*    edge, which strips/overwrites client-supplied values).
-* 2. `X-Forwarded-For` header (first entry) — best-effort, spoofable
-*    when there is no trusted reverse proxy.
-* 3. `null`
-*/
-function extractRequestMeta(request) {
+* 1. `CF-Connecting-IP` — trusted only when a `cf` object is present on the
+*    request. CF edge overwrites any client-supplied value, so this is the
+*    cryptographically trustworthy path on Workers. Operator-declared
+*    trusted headers cannot override it.
+* 2. `X-Forwarded-For` first entry — trusted only with a `cf` object.
+* 3. Operator-declared trusted proxy headers (from `config.trustedProxyHeaders`
+*    or the `EMDASH_TRUSTED_PROXY_HEADERS` env var), tried in order. Used as
+*    the primary source off-CF and as a fill-in on CF.
+* 4. `null`
+*
+* The second argument accepts either the EmDash config or a pre-resolved
+* list of trusted headers, so callers that already have the list don't have
+* to round-trip through the config every request.
+*/
+function extractRequestMeta(request, configOrTrustedHeaders) {
 	const headers = request.headers;
 	const cf = getCfObject(request);
+	const trusted = resolveTrustedHeaders(configOrTrustedHeaders);
 	let ip = null;
 	if (cf) {
 		const cfIp = headers.get("cf-connecting-ip")?.trim();
 		if (cfIp && IP_PATTERN.test(cfIp)) ip = cfIp;
+		if (!ip) {
+			const xff = headers.get("x-forwarded-for");
+			ip = xff ? parseFirstForwardedIp(xff) : null;
+		}
 	}
-	if (!ip && cf) {
-		const xff = headers.get("x-forwarded-for");
-		ip = xff ? parseFirstForwardedIp(xff) : null;
+	if (!ip) for (const name of trusted) {
+		const value = readIpFromHeader(headers, name);
+		if (value) {
+			ip = value;
+			break;
+		}
 	}
 	const userAgent = headers.get("user-agent")?.trim() || null;
 	const referer = headers.get("referer")?.trim() || null;
@@ -5033,6 +5146,10 @@ function extractRequestMeta(request) {
 		geo
 	};
 }
+function resolveTrustedHeaders(value) {
+	if (Array.isArray(value)) return normalizeTrustedHeaders(value);
+	return getTrustedProxyHeaders(value);
+}
 /**
 * Headers that must never cross the RPC boundary to sandboxed plugins.
 * Session tokens, auth credentials, and infrastructure headers are stripped
@@ -5681,7 +5798,7 @@ function createUnrestrictedHttpAccess(pluginId) {
 		let currentInit = init;
 		for (let i = 0; i <= MAX_PLUGIN_REDIRECTS; i++) {
 			try {
-				validateExternalUrl(currentUrl);
+				await resolveAndValidateExternalUrl(currentUrl);
 			} catch (e) {
 				const msg = e instanceof SsrfError ? e.message : "SSRF validation failed";
 				throw new Error(`Plugin "${pluginId}": blocked fetch to "${new URL(currentUrl).hostname}": ${msg}`, { cause: e });
@@ -6975,9 +7092,11 @@ async function devConsoleEmailDeliver(event, _ctx) {
 var PluginRouteHandler = class {
 	contextFactory;
 	plugin;
+	trustedProxyHeaders;
 	constructor(plugin, factoryOptions) {
 		this.plugin = plugin;
 		this.contextFactory = new PluginContextFactory(factoryOptions);
+		this.trustedProxyHeaders = factoryOptions.trustedProxyHeaders ?? [];
 	}
 	/**
 	* Invoke a route by name
@@ -7010,7 +7129,7 @@ var PluginRouteHandler = class {
 			...this.contextFactory.createContext(this.plugin),
 			input: validatedInput,
 			request: options.request,
-			requestMeta: extractRequestMeta(options.request)
+			requestMeta: extractRequestMeta(options.request, this.trustedProxyHeaders)
 		};
 		try {
 			return {
@@ -7189,7 +7308,8 @@ var PluginManager = class {
 		this.factoryOptions = {
 			db: options.db,
 			storage: options.storage,
-			getUploadUrl: options.getUploadUrl
+			getUploadUrl: options.getUploadUrl,
+			trustedProxyHeaders: options.trustedProxyHeaders
 		};
 	}
 	/**
@@ -7686,7 +7806,7 @@ async function probeUrl(url) {
 	let normalizedUrl = url.trim();
 	if (!normalizedUrl.startsWith("http")) normalizedUrl = `https://${normalizedUrl}`;
 	normalizedUrl = normalizedUrl.replace(TRAILING_SLASHES_PATTERN, "");
-	validateExternalUrl(normalizedUrl);
+	await resolveAndValidateExternalUrl(normalizedUrl);
 	const results = [];
 	const probePromises = getUrlSources().map(async (source) => {
 		try {
@@ -8682,8 +8802,10 @@ async function getCommentCountWithDb(db, collection, contentId) {
 * }
 * ```
 */
-async function getMenu(name) {
-	return getMenuWithDb(name, await getDb());
+function getMenu(name) {
+	return requestCached(`menu:${name}`, async () => {
+		return getMenuWithDb(name, await getDb());
+	});
 }
 /**
 * Get menu by name with resolved URLs (with explicit db)
@@ -8850,179 +8972,6 @@ async function resolveTaxonomyUrl(taxonomyId, db) {
 	return `/${taxonomy.name}/${taxonomy.slug}`;
 }
 
-//#endregion
-//#region src/taxonomies/index.ts
-/**
-* Runtime API for taxonomies
-*
-* Provides functions to query taxonomy definitions and terms.
-*/
-/**
-* Get all taxonomy definitions
-*/
-async function getTaxonomyDefs() {
-	return (await (await getDb()).selectFrom("_emdash_taxonomy_defs").selectAll().execute()).map((row) => ({
-		id: row.id,
-		name: row.name,
-		label: row.label,
-		labelSingular: row.label_singular ?? void 0,
-		hierarchical: row.hierarchical === 1,
-		collections: row.collections ? JSON.parse(row.collections) : []
-	}));
-}
-/**
-* Get a single taxonomy definition by name
-*/
-async function getTaxonomyDef(name) {
-	const row = await (await getDb()).selectFrom("_emdash_taxonomy_defs").selectAll().where("name", "=", name).executeTakeFirst();
-	if (!row) return null;
-	return {
-		id: row.id,
-		name: row.name,
-		label: row.label,
-		labelSingular: row.label_singular ?? void 0,
-		hierarchical: row.hierarchical === 1,
-		collections: row.collections ? JSON.parse(row.collections) : []
-	};
-}
-/**
-* Get all terms for a taxonomy (as tree for hierarchical, flat for tags)
-*/
-async function getTaxonomyTerms(taxonomyName) {
-	const db = await getDb();
-	const def = await getTaxonomyDef(taxonomyName);
-	if (!def) return [];
-	const rows = await db.selectFrom("taxonomies").selectAll().where("name", "=", taxonomyName).orderBy("label", "asc").execute();
-	const countsResult = await db.selectFrom("content_taxonomies").select(["taxonomy_id"]).select((eb) => eb.fn.count("entry_id").as("count")).groupBy("taxonomy_id").execute();
-	const counts = /* @__PURE__ */ new Map();
-	for (const row of countsResult) counts.set(row.taxonomy_id, row.count);
-	const flatTerms = rows.map((row) => ({
-		id: row.id,
-		name: row.name,
-		slug: row.slug,
-		label: row.label,
-		parent_id: row.parent_id,
-		data: row.data
-	}));
-	if (def.hierarchical) return buildTree(flatTerms, counts);
-	return flatTerms.map((term) => ({
-		id: term.id,
-		name: term.name,
-		slug: term.slug,
-		label: term.label,
-		children: [],
-		count: counts.get(term.id) ?? 0
-	}));
-}
-/**
-* Get a single term by taxonomy and slug
-*/
-async function getTerm(taxonomyName, slug) {
-	const db = await getDb();
-	const row = await db.selectFrom("taxonomies").selectAll().where("name", "=", taxonomyName).where("slug", "=", slug).executeTakeFirst();
-	if (!row) return null;
-	const count = (await db.selectFrom("content_taxonomies").select((eb) => eb.fn.count("entry_id").as("count")).where("taxonomy_id", "=", row.id).executeTakeFirst())?.count ?? 0;
-	const children = (await db.selectFrom("taxonomies").selectAll().where("parent_id", "=", row.id).orderBy("label", "asc").execute()).map((child) => ({
-		id: child.id,
-		name: child.name,
-		slug: child.slug,
-		label: child.label,
-		parentId: child.parent_id ?? void 0,
-		children: []
-	}));
-	return {
-		id: row.id,
-		name: row.name,
-		slug: row.slug,
-		label: row.label,
-		parentId: row.parent_id ?? void 0,
-		description: row.data ? JSON.parse(row.data).description : void 0,
-		children,
-		count
-	};
-}
-/**
-* Get terms assigned to an entry
-*/
-async function getEntryTerms(collection, entryId, taxonomyName) {
-	let query = (await getDb()).selectFrom("content_taxonomies").innerJoin("taxonomies", "taxonomies.id", "content_taxonomies.taxonomy_id").selectAll("taxonomies").where("content_taxonomies.collection", "=", collection).where("content_taxonomies.entry_id", "=", entryId);
-	if (taxonomyName) query = query.where("taxonomies.name", "=", taxonomyName);
-	return (await query.execute()).map((row) => ({
-		id: row.id,
-		name: row.name,
-		slug: row.slug,
-		label: row.label,
-		parentId: row.parent_id ?? void 0,
-		children: []
-	}));
-}
-/**
-* Get terms for multiple entries in a single query (batched API)
-*
-* This is more efficient than calling getEntryTerms for each entry
-* when you need terms for a list of entries.
-*
-* @param collection - The collection type (e.g., "posts")
-* @param entryIds - Array of entry IDs
-* @param taxonomyName - The taxonomy name (e.g., "categories")
-* @returns Map from entry ID to array of terms
-*/
-async function getTermsForEntries(collection, entryIds, taxonomyName) {
-	const result = /* @__PURE__ */ new Map();
-	for (const id of entryIds) result.set(id, []);
-	if (entryIds.length === 0) return result;
-	const rows = await (await getDb()).selectFrom("content_taxonomies").innerJoin("taxonomies", "taxonomies.id", "content_taxonomies.taxonomy_id").select([
-		"content_taxonomies.entry_id",
-		"taxonomies.id",
-		"taxonomies.name",
-		"taxonomies.slug",
-		"taxonomies.label",
-		"taxonomies.parent_id"
-	]).where("content_taxonomies.collection", "=", collection).where("content_taxonomies.entry_id", "in", entryIds).where("taxonomies.name", "=", taxonomyName).execute();
-	for (const row of rows) {
-		const entryId = row.entry_id;
-		const term = {
-			id: row.id,
-			name: row.name,
-			slug: row.slug,
-			label: row.label,
-			parentId: row.parent_id ?? void 0,
-			children: []
-		};
-		const terms = result.get(entryId);
-		if (terms) terms.push(term);
-	}
-	return result;
-}
-/**
-* Get entries by term (wraps getEmDashCollection)
-*/
-async function getEntriesByTerm(collection, taxonomyName, termSlug) {
-	const { getEmDashCollection } = await import("./query-B6Vu0d2i.mjs").then((n) => n.o);
-	const { entries } = await getEmDashCollection(collection, { where: { [taxonomyName]: termSlug } });
-	return entries;
-}
-/**
-* Build tree structure from flat terms
-*/
-function buildTree(flatTerms, counts) {
-	const map = /* @__PURE__ */ new Map();
-	const roots = [];
-	for (const term of flatTerms) map.set(term.id, {
-		id: term.id,
-		name: term.name,
-		slug: term.slug,
-		label: term.label,
-		parentId: term.parent_id ?? void 0,
-		description: term.data ? JSON.parse(term.data).description : void 0,
-		children: [],
-		count: counts.get(term.id) ?? 0
-	});
-	for (const term of map.values()) if (term.parentId && map.has(term.parentId)) map.get(term.parentId).children.push(term);
-	else roots.push(term);
-	return roots;
-}
-
 //#endregion
 //#region src/widgets/components.ts
 /**
@@ -9132,18 +9081,53 @@ function getWidgetComponents$1() {
 //#endregion
 //#region src/widgets/index.ts
 /**
-* Get a widget area by name, with all its widgets
+* Get a widget area by name, with all its widgets.
+*
+* Single query with a left join rather than area-then-widgets so the
+* common case costs one round-trip. An area with no widgets yields one
+* row with null widget columns, which we skip when mapping.
 */
 async function getWidgetArea(name) {
-	const db = await getDb();
-	const areaRow = await db.selectFrom("_emdash_widget_areas").selectAll().where("name", "=", name).executeTakeFirst();
-	if (!areaRow) return null;
-	const widgets = (await db.selectFrom("_emdash_widgets").selectAll().$castTo().where("area_id", "=", areaRow.id).orderBy("sort_order", "asc").execute()).map((row) => rowToWidget(row));
+	const rows = await (await getDb()).selectFrom("_emdash_widget_areas as a").leftJoin("_emdash_widgets as w", "w.area_id", "a.id").select([
+		"a.id as a_id",
+		"a.name as a_name",
+		"a.label as a_label",
+		"a.description as a_description",
+		"w.id as w_id",
+		"w.type as w_type",
+		"w.title as w_title",
+		"w.content as w_content",
+		"w.menu_name as w_menu_name",
+		"w.component_id as w_component_id",
+		"w.component_props as w_component_props",
+		"w.area_id as w_area_id",
+		"w.sort_order as w_sort_order",
+		"w.created_at as w_created_at"
+	]).where("a.name", "=", name).orderBy("w.sort_order", "asc").execute();
+	const first = rows[0];
+	if (!first) return null;
+	const widgets = [];
+	for (const row of rows) {
+		if (row.w_id === null) continue;
+		const widgetRow = {
+			id: row.w_id,
+			type: row.w_type,
+			title: row.w_title,
+			content: row.w_content,
+			menu_name: row.w_menu_name,
+			component_id: row.w_component_id,
+			component_props: row.w_component_props,
+			area_id: row.w_area_id,
+			sort_order: row.w_sort_order,
+			created_at: row.w_created_at
+		};
+		widgets.push(rowToWidget(widgetRow));
+	}
 	return {
-		id: areaRow.id,
-		name: areaRow.name,
-		label: areaRow.label,
-		description: areaRow.description ?? void 0,
+		id: first.a_id,
+		name: first.a_name,
+		label: first.a_label,
+		description: first.a_description ?? void 0,
 		widgets
 	};
 }
@@ -9345,8 +9329,8 @@ async function getSuggestions(db, query, options = {}) {
 		validateIdentifier(collection, "collection slug");
 		const ftsTable = ftsManager.getFtsTableName(collection);
 		const contentTable = ftsManager.getContentTableName(collection);
-		const prefixQuery = `${escapeQuery(query)}*`;
-		if (!prefixQuery || prefixQuery === "*") continue;
+		const prefixQuery = escapeQuery(query);
+		if (!prefixQuery) continue;
 		const results = await sql`
 			SELECT 
 				c.id,
@@ -9506,5 +9490,5 @@ function extractSearchableFields(entry, fields) {
 }
 
 //#endregion
-export { sanitizeHeadersForSandbox as $, getAllSources as A, handleContentGet as At, createNoopSandboxRunner as B, handleContentUnschedule as Bt, isPreviewRequest as C, handleContentCompare as Ct, parseWxrDate as D, handleContentDelete as Dt, wordpressRestSource as E, handleContentCreate as Et, registerSource as F, handleContentPublish as Ft, DEV_CONSOLE_EMAIL_PLUGIN_ID as G, image as Gt, createPluginManager as H, validateRev as Ht, importReusableBlocksAsSections as I, handleContentRestore as It, HookPipeline as J, devConsoleEmailDeliver as K, isStandardPluginDefinition as L, handleContentSchedule as Lt, getSource as M, handleContentList as Mt, getUrlSources as N, handleContentListTrashed as Nt, wxrSource as O, handleContentDiscardDraft as Ot, probeUrl as P, handleContentPermanentDelete as Pt, extractRequestMeta as Q, NoopSandboxRunner as R, handleContentTranslations as Rt, getPreviewToken as S, hashString as St, getPreviewUrl as T, handleContentCountTrashed as Tt, PluginRouteError as U, portableText as Ut, PluginManager as V, handleContentUpdate as Vt, PluginRouteRegistry as W, reference as Wt, resolveExclusiveHooks as X, createHookPipeline as Y, CronExecutor as Z, getTermsForEntries as _, handleRevisionGet as _t, search as a, isSafeHref as at, getCommentCount as b, generateManifest as bt, getWidgetArea as c, getSection as ct, getEntriesByTerm as d, getCollectionInfo as dt, definePlugin as et, getEntryTerms as f, handleMediaCreate as ft, getTerm as g, handleMediaUpdate as gt, getTaxonomyTerms as h, handleMediaList as ht, getSuggestions as i, prosemirrorToPortableText as it, getFileSources as j, handleContentGetIncludingTrashed as jt, clearSources as k, handleContentDuplicate as kt, getWidgetAreas as l, getSections as lt, getTaxonomyDefs as m, handleMediaGet as mt, extractSearchableFields as n, parseWxrString as nt, searchCollection as o, sanitizeHref as ot, getTaxonomyDef as p, handleMediaDelete as pt, EmailPipeline as q, getSearchStats as r, portableTextToProsemirror as rt, searchWithDb as s, loadBundleFromR2 as st, extractPlainText as t, parseWxr as tt, getWidgetComponents as u, PluginStateRepository as ut, getMenu as v, handleRevisionList as vt, buildPreviewUrl as w, handleContentCountScheduled as wt, getComments as x, computeContentHash as xt, getMenus as y, handleRevisionRestore as yt, SandboxNotAvailableError as z, handleContentUnpublish as zt };
-//# sourceMappingURL=search-Cn1SYvYF.mjs.map
+export { prosemirrorToPortableText as $, isStandardPluginDefinition as A, handleContentPublish as At, EmailPipeline as B, image as Bt, getAllSources as C, handleContentDiscardDraft as Ct, probeUrl as D, handleContentList as Dt, getUrlSources as E, handleContentGetIncludingTrashed as Et, createPluginManager as F, handleContentUnschedule as Ft, extractRequestMeta as G, createHookPipeline as H, PluginRouteError as I, handleContentUpdate as It, definePlugin as J, sanitizeHeadersForSandbox as K, PluginRouteRegistry as L, validateRev as Lt, SandboxNotAvailableError as M, handleContentSchedule as Mt, createNoopSandboxRunner as N, handleContentTranslations as Nt, registerSource as O, handleContentListTrashed as Ot, PluginManager as P, handleContentUnpublish as Pt, portableTextToProsemirror as Q, DEV_CONSOLE_EMAIL_PLUGIN_ID as R, portableText as Rt, clearSources as S, handleContentDelete as St, getSource as T, handleContentGet as Tt, resolveExclusiveHooks as U, HookPipeline as V, CronExecutor as W, parseWxrString as X, parseWxr as Y, after as Z, buildPreviewUrl as _, hashString as _t, search as a, PluginStateRepository as at, parseWxrDate as b, handleContentCountTrashed as bt, getWidgetArea as c, handleMediaDelete as ct, getMenu as d, handleMediaUpdate as dt, isSafeHref as et, getMenus as f, handleRevisionGet as ft, isPreviewRequest as g, computeContentHash as gt, getPreviewToken as h, generateManifest as ht, getSuggestions as i, getSections as it, NoopSandboxRunner as j, handleContentRestore as jt, importReusableBlocksAsSections as k, handleContentPermanentDelete as kt, getWidgetAreas as l, handleMediaGet as lt, getComments as m, handleRevisionRestore as mt, extractSearchableFields as n, loadBundleFromR2 as nt, searchCollection as o, getCollectionInfo as ot, getCommentCount as p, handleRevisionList as pt, getTrustedProxyHeaders as q, getSearchStats as r, getSection as rt, searchWithDb as s, handleMediaCreate as st, extractPlainText as t, sanitizeHref as tt, getWidgetComponents as u, handleMediaList as ut, getPreviewUrl as v, handleContentCompare as vt, getFileSources as w, handleContentDuplicate as wt, wxrSource as x, handleContentCreate as xt, wordpressRestSource as y, handleContentCountScheduled as yt, devConsoleEmailDeliver as z, reference as zt };
+//# sourceMappingURL=search-B0effn3j.mjs.map