emdash 0.5.0 → 0.7.0

package/src/api/openapi/document.ts

@@ -37,6 +37,7 @@ import {
 	trashedContentListResponseSchema,
 } from "../schemas/content.js";
 import {
+	DEFAULT_MAX_UPLOAD_SIZE,
 	mediaConfirmBody,
 	mediaConfirmResponseSchema,
 	mediaExistingResponseSchema,
@@ -623,121 +624,123 @@ const contentPaths = {
 // Media routes
 // ---------------------------------------------------------------------------
 
-const mediaPaths = {
-	"/_emdash/api/media": {
-		get: {
-			operationId: "listMedia",
-			summary: "List media items",
-			tags: ["Media"],
-			requestParams: { query: mediaListQuery },
-			responses: {
-				"200": {
-					description: "Media list",
-					content: { [JSON_CONTENT]: { schema: successEnvelope(mediaListResponseSchema) } },
+function buildMediaPaths(maxUploadSize: number) {
+	return {
+		"/_emdash/api/media": {
+			get: {
+				operationId: "listMedia",
+				summary: "List media items",
+				tags: ["Media"],
+				requestParams: { query: mediaListQuery },
+				responses: {
+					"200": {
+						description: "Media list",
+						content: { [JSON_CONTENT]: { schema: successEnvelope(mediaListResponseSchema) } },
+					},
+					...authErrors,
+					...standardErrors(500),
 				},
-				...authErrors,
-				...standardErrors(500),
 			},
 		},
-	},
-	"/_emdash/api/media/{id}": {
-		get: {
-			operationId: "getMedia",
-			summary: "Get a media item",
-			tags: ["Media"],
-			requestParams: {
-				path: z.object({ id: z.string().meta({ description: "Media ID" }) }),
-			},
-			responses: {
-				"200": {
-					description: "Media item",
-					content: { [JSON_CONTENT]: { schema: successEnvelope(mediaResponseSchema) } },
+		"/_emdash/api/media/{id}": {
+			get: {
+				operationId: "getMedia",
+				summary: "Get a media item",
+				tags: ["Media"],
+				requestParams: {
+					path: z.object({ id: z.string().meta({ description: "Media ID" }) }),
 				},
-				...authErrors,
-				...standardErrors(404, 500),
-			},
-		},
-		put: {
-			operationId: "updateMedia",
-			summary: "Update media metadata",
-			tags: ["Media"],
-			requestParams: {
-				path: z.object({ id: z.string().meta({ description: "Media ID" }) }),
-			},
-			requestBody: { content: { [JSON_CONTENT]: { schema: mediaUpdateBody } } },
-			responses: {
-				"200": {
-					description: "Updated media item",
-					content: { [JSON_CONTENT]: { schema: successEnvelope(mediaResponseSchema) } },
+				responses: {
+					"200": {
+						description: "Media item",
+						content: { [JSON_CONTENT]: { schema: successEnvelope(mediaResponseSchema) } },
+					},
+					...authErrors,
+					...standardErrors(404, 500),
+				},
+			},
+			put: {
+				operationId: "updateMedia",
+				summary: "Update media metadata",
+				tags: ["Media"],
+				requestParams: {
+					path: z.object({ id: z.string().meta({ description: "Media ID" }) }),
+				},
+				requestBody: { content: { [JSON_CONTENT]: { schema: mediaUpdateBody } } },
+				responses: {
+					"200": {
+						description: "Updated media item",
+						content: { [JSON_CONTENT]: { schema: successEnvelope(mediaResponseSchema) } },
+					},
+					...authErrors,
+					...standardErrors(400, 404, 500),
 				},
-				...authErrors,
-				...standardErrors(400, 404, 500),
 			},
-		},
-		delete: {
-			operationId: "deleteMedia",
-			summary: "Delete a media item",
-			tags: ["Media"],
-			requestParams: {
-				path: z.object({ id: z.string().meta({ description: "Media ID" }) }),
-			},
-			responses: {
-				"200": {
-					description: "Deleted",
-					content: { [JSON_CONTENT]: { schema: successEnvelope(deleteResponseSchema) } },
+			delete: {
+				operationId: "deleteMedia",
+				summary: "Delete a media item",
+				tags: ["Media"],
+				requestParams: {
+					path: z.object({ id: z.string().meta({ description: "Media ID" }) }),
 				},
-				...authErrors,
-				...standardErrors(404, 500),
-			},
-		},
-	},
-	"/_emdash/api/media/upload-url": {
-		post: {
-			operationId: "getMediaUploadUrl",
-			summary: "Get a signed URL for direct upload",
-			description:
-				"Returns a signed URL for direct-to-storage upload. Creates a pending media record.",
-			tags: ["Media"],
-			requestBody: { content: { [JSON_CONTENT]: { schema: mediaUploadUrlBody } } },
-			responses: {
-				"200": {
-					description: "Upload URL or existing media (deduplication)",
-					content: {
-						[JSON_CONTENT]: {
-							schema: successEnvelope(
-								z.union([mediaUploadUrlResponseSchema, mediaExistingResponseSchema]),
-							),
+				responses: {
+					"200": {
+						description: "Deleted",
+						content: { [JSON_CONTENT]: { schema: successEnvelope(deleteResponseSchema) } },
+					},
+					...authErrors,
+					...standardErrors(404, 500),
+				},
+			},
+		},
+		"/_emdash/api/media/upload-url": {
+			post: {
+				operationId: "getMediaUploadUrl",
+				summary: "Get a signed URL for direct upload",
+				description:
+					"Returns a signed URL for direct-to-storage upload. Creates a pending media record.",
+				tags: ["Media"],
+				requestBody: { content: { [JSON_CONTENT]: { schema: mediaUploadUrlBody(maxUploadSize) } } },
+				responses: {
+					"200": {
+						description: "Upload URL or existing media (deduplication)",
+						content: {
+							[JSON_CONTENT]: {
+								schema: successEnvelope(
+									z.union([mediaUploadUrlResponseSchema, mediaExistingResponseSchema]),
+								),
+							},
 						},
 					},
-				},
-				...authErrors,
-				...standardErrors(400, 500),
-			},
-		},
-	},
-	"/_emdash/api/media/{id}/confirm": {
-		post: {
-			operationId: "confirmMediaUpload",
-			summary: "Confirm a media upload",
-			description: "Marks a pending media record as ready after the file has been uploaded.",
-			tags: ["Media"],
-			requestParams: {
-				path: z.object({ id: z.string().meta({ description: "Media ID" }) }),
-			},
-			requestBody: { content: { [JSON_CONTENT]: { schema: mediaConfirmBody } } },
-			responses: {
-				"200": {
-					description: "Confirmed media item with URL",
-					content: {
-						[JSON_CONTENT]: { schema: successEnvelope(mediaConfirmResponseSchema) },
+					...authErrors,
+					...standardErrors(400, 500),
+				},
+			},
+		},
+		"/_emdash/api/media/{id}/confirm": {
+			post: {
+				operationId: "confirmMediaUpload",
+				summary: "Confirm a media upload",
+				description: "Marks a pending media record as ready after the file has been uploaded.",
+				tags: ["Media"],
+				requestParams: {
+					path: z.object({ id: z.string().meta({ description: "Media ID" }) }),
+				},
+				requestBody: { content: { [JSON_CONTENT]: { schema: mediaConfirmBody } } },
+				responses: {
+					"200": {
+						description: "Confirmed media item with URL",
+						content: {
+							[JSON_CONTENT]: { schema: successEnvelope(mediaConfirmResponseSchema) },
+						},
 					},
+					...authErrors,
+					...standardErrors(400, 404, 500),
 				},
-				...authErrors,
-				...standardErrors(400, 404, 500),
 			},
 		},
-	},
-} as const;
+	} as const;
+}
 
 // ---------------------------------------------------------------------------
 // Schema routes
@@ -2249,20 +2252,22 @@ const userPaths = {
 // Merge all paths
 // ---------------------------------------------------------------------------
 
-const allPaths = {
-	...contentPaths,
-	...mediaPaths,
-	...schemaPaths,
-	...commentsPaths,
-	...taxonomyPaths,
-	...menuPaths,
-	...sectionPaths,
-	...widgetPaths,
-	...settingsPaths,
-	...searchPaths,
-	...redirectPaths,
-	...userPaths,
-} as const;
+function buildAllPaths(maxUploadSize: number) {
+	return {
+		...contentPaths,
+		...buildMediaPaths(maxUploadSize),
+		...schemaPaths,
+		...commentsPaths,
+		...taxonomyPaths,
+		...menuPaths,
+		...sectionPaths,
+		...widgetPaths,
+		...settingsPaths,
+		...searchPaths,
+		...redirectPaths,
+		...userPaths,
+	} as const;
+}
 
 // ---------------------------------------------------------------------------
 // Document
@@ -2274,7 +2279,10 @@ const allPaths = {
  * Covers: Content, Media, Schema, Comments, Taxonomies, Menus,
  * Sections, Widgets, Settings, Search, Redirects, Users.
  */
-export function generateOpenApiDocument(): oas31.OpenAPIObject {
+export function generateOpenApiDocument(
+	options: { maxUploadSize?: number } = {},
+): oas31.OpenAPIObject {
+	const maxUploadSize = options.maxUploadSize ?? DEFAULT_MAX_UPLOAD_SIZE;
 	return createDocument({
 		openapi: "3.1.0",
 		info: {
@@ -2363,6 +2371,6 @@ export function generateOpenApiDocument(): oas31.OpenAPIObject {
 		},
 		security: [{ session: [] }, { bearer: [] }],
 		// eslint-disable-next-line typescript-eslint(no-unsafe-type-assertion) -- readonly const paths are compatible at runtime
-		paths: allPaths as unknown as ZodOpenApiPathsObject,
+		paths: buildAllPaths(maxUploadSize) as unknown as ZodOpenApiPathsObject,
 	});
 }

package/src/api/schemas/content.ts

@@ -27,6 +27,11 @@ export const contentListQuery = cursorPaginationQuery
 	})
 	.meta({ id: "ContentListQuery" });
 
+/** ISO 8601 datetime for `publishedAt` / `createdAt`. Routes gate writes behind `content:publish_any`. */
+const contentDateOverride = z.iso
+	.datetime({ offset: true, message: "must be an ISO 8601 datetime" })
+	.nullish();
+
 export const contentCreateBody = z
 	.object({
 		data: z.record(z.string(), z.unknown()),
@@ -36,6 +41,8 @@ export const contentCreateBody = z
 		locale: localeCode.optional(),
 		translationOf: z.string().optional(),
 		seo: contentSeoInput.optional(),
+		publishedAt: contentDateOverride,
+		createdAt: contentDateOverride,
 	})
 	.meta({ id: "ContentCreateBody" });
 
@@ -52,6 +59,7 @@ export const contentUpdateBody = z
 			.meta({ description: "Opaque revision token for optimistic concurrency" }),
 		skipRevision: z.boolean().optional(),
 		seo: contentSeoInput.optional(),
+		publishedAt: contentDateOverride,
 	})
 	.meta({ id: "ContentUpdateBody" });
 

package/src/api/schemas/media.ts

@@ -21,21 +21,32 @@ export const mediaUpdateBody = z
 	})
 	.meta({ id: "MediaUpdateBody" });
 
-/** Maximum allowed file upload size (50 MB). */
-const MAX_UPLOAD_SIZE = 50 * 1024 * 1024;
-
-export const mediaUploadUrlBody = z
-	.object({
-		filename: z.string().min(1, "filename is required"),
-		contentType: z.string().min(1, "contentType is required"),
-		size: z
-			.number()
-			.int()
-			.positive()
-			.max(MAX_UPLOAD_SIZE, `File size must not exceed ${MAX_UPLOAD_SIZE / 1024 / 1024}MB`),
-		contentHash: z.string().optional(),
-	})
-	.meta({ id: "MediaUploadUrlBody" });
+/** Default maximum allowed file upload size (50 MB). */
+export const DEFAULT_MAX_UPLOAD_SIZE = 50 * 1024 * 1024;
+
+export function formatFileSize(bytes: number): string {
+	if (bytes < 1024) return `${bytes}B`;
+	if (bytes < 1024 * 1024) return `${Math.floor(bytes / 1024)}KB`;
+	return `${Math.floor(bytes / 1024 / 1024)}MB`;
+}
+
+export function mediaUploadUrlBody(maxSize: number) {
+	if (!Number.isFinite(maxSize) || maxSize <= 0) {
+		throw new Error(`EmDash: maxUploadSize must be a positive finite number, got ${maxSize}`);
+	}
+	return z
+		.object({
+			filename: z.string().min(1, "filename is required"),
+			contentType: z.string().min(1, "contentType is required"),
+			size: z
+				.number()
+				.int()
+				.positive()
+				.max(maxSize, `File size must not exceed ${formatFileSize(maxSize)}`),
+			contentHash: z.string().optional(),
+		})
+		.meta({ id: "MediaUploadUrlBody" });
+}
 
 export const mediaConfirmBody = z
 	.object({

package/src/api/schemas/schema.ts

@@ -13,6 +13,7 @@ const collectionSourcePattern = /^(template:.+|import:.+|manual|discovered|seed)
 const fieldTypeValues = z.enum([
 	"string",
 	"text",
+	"url",
 	"number",
 	"integer",
 	"boolean",

package/src/astro/integration/font-provider.ts

@@ -0,0 +1,178 @@
+/**
+ * EmDash Noto Sans font provider
+ *
+ * A custom Astro font provider that wraps Google Fonts to resolve
+ * multiple Noto Sans families (Latin, Arabic, JP, etc.) under a
+ * single logical font entry. This lets all @font-face blocks share
+ * the same font-family name, so the browser picks the right file
+ * per character via unicode-range.
+ *
+ * Without this, registering "Noto Sans" and "Noto Sans Arabic" as
+ * separate font entries on the same cssVariable triggers an Astro
+ * warning and the last entry overwrites the first.
+ */
+
+import { fontProviders } from "astro/config";
+
+/**
+ * All subset names used by Google Fonts CSS responses.
+ * Passed when resolving extra script families so the unifont
+ * provider doesn't filter out any faces.
+ */
+const ALL_GOOGLE_SUBSETS = [
+	"arabic",
+	"armenian",
+	"bengali",
+	"chinese-simplified",
+	"chinese-traditional",
+	"chinese-hongkong",
+	"cyrillic",
+	"cyrillic-ext",
+	"devanagari",
+	"ethiopic",
+	"farsi",
+	"georgian",
+	"greek",
+	"greek-ext",
+	"gujarati",
+	"gurmukhi",
+	"hebrew",
+	"japanese",
+	"kannada",
+	"khmer",
+	"korean",
+	"lao",
+	"latin",
+	"latin-ext",
+	"malayalam",
+	"math",
+	"myanmar",
+	"oriya",
+	"sinhala",
+	"symbols",
+	"tamil",
+	"telugu",
+	"thai",
+	"tibetan",
+	"vietnamese",
+];
+
+/**
+ * Known Noto Sans and Sans script families on Google Fonts.
+ * Maps user-friendly script names to Google Fonts family names.
+ */
+const NOTO_SCRIPT_FAMILIES: Record<string, string> = {
+	arabic: "Noto Sans Arabic",
+	armenian: "Noto Sans Armenian",
+	bengali: "Noto Sans Bengali",
+	"chinese-simplified": "Noto Sans SC",
+	"chinese-traditional": "Noto Sans TC",
+	"chinese-hongkong": "Noto Sans HK",
+	devanagari: "Noto Sans Devanagari",
+	ethiopic: "Noto Sans Ethiopic",
+	farsi: "Vazirmatn",
+	georgian: "Noto Sans Georgian",
+	gujarati: "Noto Sans Gujarati",
+	gurmukhi: "Noto Sans Gurmukhi",
+	hebrew: "Noto Sans Hebrew",
+	japanese: "Noto Sans JP",
+	kannada: "Noto Sans Kannada",
+	khmer: "Noto Sans Khmer",
+	korean: "Noto Sans KR",
+	lao: "Noto Sans Lao",
+	malayalam: "Noto Sans Malayalam",
+	myanmar: "Noto Sans Myanmar",
+	oriya: "Noto Sans Oriya",
+	sinhala: "Noto Sans Sinhala",
+	tamil: "Noto Sans Tamil",
+	telugu: "Noto Sans Telugu",
+	thai: "Noto Sans Thai",
+	tibetan: "Noto Sans Tibetan",
+};
+
+export interface NotoSansProviderOptions {
+	/**
+	 * Additional Noto Sans script families to include.
+	 * Use script names like "arabic", "japanese", "chinese-simplified".
+	 *
+	 * @see {@link NOTO_SCRIPT_FAMILIES} for the full list of supported scripts.
+	 */
+	scripts?: string[];
+}
+
+// Use ReturnType to get the provider type without importing it directly.
+// The Astro FontProvider type is not part of the public API surface.
+type GoogleProvider = ReturnType<typeof fontProviders.google>;
+
+/**
+ * Create a font provider that resolves Noto Sans plus additional
+ * script-specific Noto families from Google Fonts, all under one
+ * font-family name.
+ */
+export function notoSans(options?: NotoSansProviderOptions): GoogleProvider {
+	// Create a single Google provider instance to share initialization
+	const googleProvider = fontProviders.google();
+
+	return {
+		name: "emdash-noto",
+		async init(context) {
+			await googleProvider.init?.(context);
+		},
+		async resolveFont(resolveFontOptions) {
+			// Resolve the base Noto Sans (Latin, Cyrillic, Greek, etc.)
+			const base = await googleProvider.resolveFont(resolveFontOptions);
+			const baseFonts = base?.fonts ?? [];
+
+			if (!options?.scripts?.length) {
+				return base;
+			}
+
+			// Collect subset names already covered by the base font so we
+			// can filter out duplicate faces from extra script families.
+			// e.g. Noto Sans Arabic includes latin/latin-ext faces that
+			// would otherwise override the base Noto Sans latin faces.
+			const baseSubsets = new Set(baseFonts.map((f) => f.meta?.subset).filter(Boolean));
+
+			// Resolve additional script families
+			const extraFonts = await Promise.all(
+				options.scripts.map(async (script) => {
+					const family = NOTO_SCRIPT_FAMILIES[script];
+					if (!family) {
+						// Silently skip subset names that are already covered
+						// by the base Noto Sans font (latin, cyrillic, etc.)
+						if (ALL_GOOGLE_SUBSETS.includes(script)) {
+							return undefined;
+						}
+						console.warn(
+							`[emdash] Unknown Noto Sans script "${script}". ` +
+								`Available: ${Object.keys(NOTO_SCRIPT_FAMILIES).join(", ")}`,
+						);
+						return undefined;
+					}
+					return googleProvider.resolveFont({
+						...resolveFontOptions,
+						familyName: family,
+						// Pass all known subset names so the unifont provider
+						// doesn't filter out any faces. Each script family
+						// only returns faces for its own subsets anyway.
+						subsets: ALL_GOOGLE_SUBSETS,
+					});
+				}),
+			);
+
+			// Merge, dropping faces from extra fonts that duplicate base subsets
+			const extraFaces = extraFonts.flatMap((r) =>
+				(r?.fonts ?? []).filter((f) => !f.meta?.subset || !baseSubsets.has(f.meta.subset)),
+			);
+
+			return {
+				fonts: [...baseFonts, ...extraFaces],
+			};
+		},
+	};
+}
+
+/** Get the list of available Noto Sans script names */
+export function getAvailableNotoScripts(): string[] {
+	return Object.keys(NOTO_SCRIPT_FAMILIES);
+}

package/src/astro/integration/index.ts

@@ -14,6 +14,7 @@ import type { AstroIntegration, AstroIntegrationLogger } from "astro";
 
 import type { ResolvedPlugin } from "../../plugins/types.js";
 import { local } from "../storage/adapters.js";
+import { notoSans } from "./font-provider.js";
 import { injectCoreRoutes, injectBuiltinAuthRoutes, injectMcpRoute } from "./routes.js";
 import type { EmDashConfig, PluginDescriptor } from "./runtime.js";
 import { createViteConfig } from "./vite-config.js";
@@ -158,6 +159,9 @@ export function emdash(config: EmDashConfig = {}): AstroIntegration {
 		auth: resolvedConfig.auth,
 		marketplace: resolvedConfig.marketplace,
 		siteUrl: resolvedConfig.siteUrl,
+		trustedProxyHeaders: resolvedConfig.trustedProxyHeaders,
+		maxUploadSize: resolvedConfig.maxUploadSize,
+		admin: resolvedConfig.admin,
 	};
 
 	// Determine auth mode for route injection
@@ -207,8 +211,48 @@ export function emdash(config: EmDashConfig = {}): AstroIntegration {
 						? { allowedDomains: [{ hostname: new URL(resolvedConfig.siteUrl).hostname }] }
 						: {}),
 				};
+
+				// Inject default Noto Sans font for the admin UI.
+				// Uses the Astro Font API so fonts are downloaded at build time
+				// and self-hosted (no runtime CDN requests).
+				//
+				// The admin CSS references var(--font-emdash) with a system font
+				// fallback. Users can add extra script coverage (Arabic, CJK, etc.)
+				// by passing fonts.scripts in the emdash() config. The custom
+				// notoSans provider resolves all script families from Google Fonts
+				// under a single font-family name, so they stack via unicode-range.
+				const fontsConfig = resolvedConfig.fonts;
+				const emdashFonts =
+					fontsConfig === false
+						? []
+						: [
+								{
+									provider: notoSans({
+										scripts: fontsConfig?.scripts,
+									}),
+									name: "Noto Sans",
+									cssVariable: "--font-emdash",
+									weights: ["100 900" as const],
+									styles: ["normal" as const, "italic" as const],
+									subsets: [
+										"latin" as const,
+										"latin-ext" as const,
+										"cyrillic" as const,
+										"cyrillic-ext" as const,
+										"devanagari" as const,
+										"greek" as const,
+										"greek-ext" as const,
+										"vietnamese" as const,
+									],
+									fallbacks: ["ui-sans-serif", "system-ui", "sans-serif"],
+								},
+							];
+
 				updateConfig({
 					security: securityConfig,
+					// fonts is a valid AstroConfig key but may not be in the
+					// type definition for the minimum supported Astro version
+					...({ fonts: emdashFonts } as Record<string, unknown>),
 					vite: createViteConfig(
 						{
 							serializableConfig,

package/src/astro/integration/routes.ts

@@ -515,6 +515,12 @@ export function injectCoreRoutes(injectRoute: InjectRoute): void {
 		entrypoint: resolveRoute("api/well-known/oauth-authorization-server.ts"),
 	});
 
+	// RFC 7591 Dynamic Client Registration
+	injectRoute({
+		pattern: "/_emdash/api/oauth/register",
+		entrypoint: resolveRoute("api/oauth/register.ts"),
+	});
+
 	// Plugin-defined API routes
 	// All plugin routes are handled by a single catch-all handler
 	injectRoute({