npm - emdash - Versions diffs - 0.5.0 → 0.7.0 - Mend

emdash 0.5.0 → 0.7.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (252) hide show

package/dist/{adapters-C2BzVy0p.d.mts → adapters-Di31kZ28.d.mts} +16 -1
package/dist/adapters-Di31kZ28.d.mts.map +1 -0
package/dist/{apply-Cma_PiF6.mjs → apply-5uslYdUu.mjs} +197 -25
package/dist/apply-5uslYdUu.mjs.map +1 -0
package/dist/astro/index.d.mts +6 -6
package/dist/astro/index.d.mts.map +1 -1
package/dist/astro/index.mjs +203 -33
package/dist/astro/index.mjs.map +1 -1
package/dist/astro/middleware/auth.d.mts +5 -5
package/dist/astro/middleware/auth.d.mts.map +1 -1
package/dist/astro/middleware/auth.mjs +30 -4
package/dist/astro/middleware/auth.mjs.map +1 -1
package/dist/astro/middleware/redirect.mjs +2 -2
package/dist/astro/middleware/request-context.d.mts.map +1 -1
package/dist/astro/middleware/request-context.mjs +11 -4
package/dist/astro/middleware/request-context.mjs.map +1 -1
package/dist/astro/middleware/setup.mjs +1 -1
package/dist/astro/middleware.d.mts.map +1 -1
package/dist/astro/middleware.mjs +467 -186
package/dist/astro/middleware.mjs.map +1 -1
package/dist/astro/types.d.mts +17 -9
package/dist/astro/types.d.mts.map +1 -1
package/dist/{byline-WuOq9MFJ.mjs → byline-C4OVd8b3.mjs} +3 -19
package/dist/byline-C4OVd8b3.mjs.map +1 -0
package/dist/{bylines-C_Wsnz4L.mjs → bylines-hPTW79hw.mjs} +20 -33
package/dist/bylines-hPTW79hw.mjs.map +1 -0
package/dist/{cache-E3Dts-yT.mjs → cache-BkKBuIvS.mjs} +1 -1
package/dist/{cache-E3Dts-yT.mjs.map → cache-BkKBuIvS.mjs.map} +1 -1
package/dist/chunks-HGz06Soa.mjs +19 -0
package/dist/chunks-HGz06Soa.mjs.map +1 -0
package/dist/cli/index.mjs +12 -11
package/dist/cli/index.mjs.map +1 -1
package/dist/client/cf-access.d.mts +1 -1
package/dist/client/index.d.mts +1 -1
package/dist/client/index.mjs +1 -1
package/dist/{config-DkxPrM9l.mjs → config-BXwuX8Bx.mjs} +1 -1
package/dist/{config-DkxPrM9l.mjs.map → config-BXwuX8Bx.mjs.map} +1 -1
package/dist/{connection-B4zVnQIa.mjs → connection-2igzM-AT.mjs} +19 -2
package/dist/connection-2igzM-AT.mjs.map +1 -0
package/dist/{content-BsBoyj8G.mjs → content-D7J5y73J.mjs} +27 -1
package/dist/{content-BsBoyj8G.mjs.map → content-D7J5y73J.mjs.map} +1 -1
package/dist/database/instrumentation.d.mts +45 -0
package/dist/database/instrumentation.d.mts.map +1 -0
package/dist/database/instrumentation.mjs +61 -0
package/dist/database/instrumentation.mjs.map +1 -0
package/dist/db/index.d.mts +3 -3
package/dist/db/index.mjs +1 -1
package/dist/db/index.mjs.map +1 -1
package/dist/db/libsql.d.mts +1 -1
package/dist/db/postgres.d.mts +1 -1
package/dist/db/sqlite.d.mts +1 -1
package/dist/db-errors-D0UT85nC.mjs +41 -0
package/dist/db-errors-D0UT85nC.mjs.map +1 -0
package/dist/{default-PUx9RK6u.mjs → default-CME5YdZ3.mjs} +1 -1
package/dist/{default-PUx9RK6u.mjs.map → default-CME5YdZ3.mjs.map} +1 -1
package/dist/{error-HBeQbVhV.mjs → error-CiYn9yDu.mjs} +1 -1
package/dist/{error-HBeQbVhV.mjs.map → error-CiYn9yDu.mjs.map} +1 -1
package/dist/{index-CCWzlriB.d.mts → index-De6_Xv3v.d.mts} +209 -19
package/dist/index-De6_Xv3v.d.mts.map +1 -0
package/dist/index.d.mts +11 -11
package/dist/index.mjs +23 -21
package/dist/{load-BhSSm-TS.mjs → load-CBcmDIot.mjs} +1 -1
package/dist/{load-BhSSm-TS.mjs.map → load-CBcmDIot.mjs.map} +1 -1
package/dist/{loader-BYzwzORf.mjs → loader-DeiBJEMe.mjs} +18 -12
package/dist/loader-DeiBJEMe.mjs.map +1 -0
package/dist/{manifest-schema-BsXINkQD.mjs → manifest-schema-V30qsMft.mjs} +1 -1
package/dist/{manifest-schema-BsXINkQD.mjs.map → manifest-schema-V30qsMft.mjs.map} +1 -1
package/dist/media/index.d.mts +1 -1
package/dist/media/index.mjs +1 -1
package/dist/media/local-runtime.d.mts +7 -7
package/dist/{mode-CyPLdO3C.mjs → mode-CpNnGkPz.mjs} +1 -1
package/dist/{mode-CyPLdO3C.mjs.map → mode-CpNnGkPz.mjs.map} +1 -1
package/dist/page/index.d.mts +11 -2
package/dist/page/index.d.mts.map +1 -1
package/dist/page/index.mjs +23 -1
package/dist/page/index.mjs.map +1 -1
package/dist/{placeholder-DntBEQo7.mjs → placeholder-C-fk5hYI.mjs} +1 -1
package/dist/{placeholder-DntBEQo7.mjs.map → placeholder-C-fk5hYI.mjs.map} +1 -1
package/dist/{placeholder-BBCtpTES.d.mts → placeholder-tzpqGWII.d.mts} +1 -1
package/dist/{placeholder-BBCtpTES.d.mts.map → placeholder-tzpqGWII.d.mts.map} +1 -1
package/dist/plugins/adapt-sandbox-entry.d.mts +5 -5
package/dist/plugins/adapt-sandbox-entry.mjs +1 -1
package/dist/{query-B6Vu0d2i.mjs → query-g4Ug-9j9.mjs} +79 -12
package/dist/query-g4Ug-9j9.mjs.map +1 -0
package/dist/{redirect-7lGhLBNZ.mjs → redirect-CN0Rt9Ob.mjs} +66 -10
package/dist/redirect-CN0Rt9Ob.mjs.map +1 -0
package/dist/{registry-BgnP3ysR.mjs → registry-Ci3WxVAr.mjs} +133 -97
package/dist/registry-Ci3WxVAr.mjs.map +1 -0
package/dist/request-cache-DiR961CV.mjs +79 -0
package/dist/request-cache-DiR961CV.mjs.map +1 -0
package/dist/request-context.d.mts +19 -16
package/dist/request-context.d.mts.map +1 -1
package/dist/request-context.mjs.map +1 -1
package/dist/{runner-DYv3rX8P.d.mts → runner-BR2xKwhn.d.mts} +2 -2
package/dist/{runner-DYv3rX8P.d.mts.map → runner-BR2xKwhn.d.mts.map} +1 -1
package/dist/{runner-Cd-_WyDo.mjs → runner-tQ7BJ4T7.mjs} +211 -134
package/dist/runner-tQ7BJ4T7.mjs.map +1 -0
package/dist/runtime.d.mts +6 -6
package/dist/runtime.mjs +1 -1
package/dist/{search-Cn1SYvYF.mjs → search-B0effn3j.mjs} +210 -226
package/dist/search-B0effn3j.mjs.map +1 -0
package/dist/seed/index.d.mts +2 -2
package/dist/seed/index.mjs +10 -9
package/dist/seo/index.d.mts +1 -1
package/dist/storage/local.d.mts +1 -1
package/dist/storage/local.mjs +1 -1
package/dist/storage/s3.d.mts +1 -1
package/dist/storage/s3.mjs +1 -1
package/dist/taxonomies-K2z0Uhnj.mjs +308 -0
package/dist/taxonomies-K2z0Uhnj.mjs.map +1 -0
package/dist/{tokens-DKHiCYCB.mjs → tokens-BFPFx3CA.mjs} +1 -1
package/dist/{tokens-DKHiCYCB.mjs.map → tokens-BFPFx3CA.mjs.map} +1 -1
package/dist/{transport-BtcQ-Z7T.mjs → transport-BykRfpyy.mjs} +1 -1
package/dist/{transport-BtcQ-Z7T.mjs.map → transport-BykRfpyy.mjs.map} +1 -1
package/dist/{transport-CKQA_G44.d.mts → transport-H4Iwx7tC.d.mts} +1 -1
package/dist/{transport-CKQA_G44.d.mts.map → transport-H4Iwx7tC.d.mts.map} +1 -1
package/dist/{types-BmkQR1En.d.mts → types-6CUZRrZP.d.mts} +1 -1
package/dist/{types-BmkQR1En.d.mts.map → types-6CUZRrZP.d.mts.map} +1 -1
package/dist/{types-Dz9_WMS6.mjs → types-BH2L167P.mjs} +1 -1
package/dist/{types-Dz9_WMS6.mjs.map → types-BH2L167P.mjs.map} +1 -1
package/dist/{types-B6BzlZxx.d.mts → types-C2v0c34j.d.mts} +10 -1
package/dist/{types-B6BzlZxx.d.mts.map → types-C2v0c34j.d.mts.map} +1 -1
package/dist/{types-DNZpaCBk.d.mts → types-CFWjXmus.d.mts} +1 -1
package/dist/{types-DNZpaCBk.d.mts.map → types-CFWjXmus.d.mts.map} +1 -1
package/dist/{types-DeG21anB.d.mts → types-CnZYHyLW.d.mts} +55 -5
package/dist/types-CnZYHyLW.d.mts.map +1 -0
package/dist/{types-xxCWI3j0.mjs → types-DDS4MxsT.mjs} +11 -3
package/dist/types-DDS4MxsT.mjs.map +1 -0
package/dist/{types-C3ronwXb.d.mts → types-DgrIP0tF.d.mts} +102 -4
package/dist/types-DgrIP0tF.d.mts.map +1 -0
package/dist/{validate-DuZDIxfy.mjs → validate-CqsNItbt.mjs} +2 -2
package/dist/{validate-DuZDIxfy.mjs.map → validate-CqsNItbt.mjs.map} +1 -1
package/dist/{validate-Db1yNL3i.d.mts → validate-kM8Pjuf7.d.mts} +5 -52
package/dist/validate-kM8Pjuf7.d.mts.map +1 -0
package/dist/version-BnTKdfam.mjs +7 -0
package/dist/{version-CMMjTuqu.mjs.map → version-BnTKdfam.mjs.map} +1 -1
package/package.json +10 -5
package/src/after.ts +62 -0
package/src/api/handlers/content.ts +2 -0
package/src/api/handlers/oauth-authorization.ts +2 -32
package/src/api/handlers/oauth-clients.ts +40 -4
package/src/api/handlers/taxonomies.ts +13 -0
package/src/api/oauth/redirect-uri.ts +34 -0
package/src/api/openapi/document.ts +126 -118
package/src/api/schemas/content.ts +8 -0
package/src/api/schemas/media.ts +26 -15
package/src/api/schemas/schema.ts +1 -0
package/src/astro/integration/font-provider.ts +178 -0
package/src/astro/integration/index.ts +44 -0
package/src/astro/integration/routes.ts +6 -0
package/src/astro/integration/runtime.ts +117 -0
package/src/astro/integration/virtual-modules.ts +41 -39
package/src/astro/integration/vite-config.ts +16 -5
package/src/astro/middleware/auth.ts +33 -1
package/src/astro/middleware/request-context.ts +15 -3
package/src/astro/middleware.ts +340 -263
package/src/astro/routes/admin.astro +21 -10
package/src/astro/routes/api/auth/magic-link/send.ts +2 -1
package/src/astro/routes/api/auth/passkey/options.ts +2 -1
package/src/astro/routes/api/auth/passkey/verify.ts +5 -1
package/src/astro/routes/api/auth/signup/request.ts +26 -8
package/src/astro/routes/api/comments/[collection]/[contentId]/index.ts +10 -6
package/src/astro/routes/api/content/[collection]/[id]/compare.ts +1 -1
package/src/astro/routes/api/content/[collection]/[id]/preview-url.ts +1 -1
package/src/astro/routes/api/content/[collection]/[id]/revisions.ts +1 -1
package/src/astro/routes/api/content/[collection]/[id]/terms/[taxonomy].ts +5 -0
package/src/astro/routes/api/content/[collection]/[id]/translations.ts +26 -0
package/src/astro/routes/api/content/[collection]/[id].ts +30 -2
package/src/astro/routes/api/content/[collection]/index.ts +19 -1
package/src/astro/routes/api/content/[collection]/trash.ts +1 -1
package/src/astro/routes/api/import/wordpress/execute.ts +1 -1
package/src/astro/routes/api/import/wordpress-plugin/analyze.ts +4 -3
package/src/astro/routes/api/import/wordpress-plugin/execute.ts +5 -4
package/src/astro/routes/api/manifest.ts +7 -0
package/src/astro/routes/api/media/upload-url.ts +10 -2
package/src/astro/routes/api/media.ts +10 -7
package/src/astro/routes/api/oauth/device/code.ts +2 -1
package/src/astro/routes/api/oauth/device/token.ts +2 -1
package/src/astro/routes/api/oauth/register.ts +178 -0
package/src/astro/routes/api/oauth/token.ts +15 -0
package/src/astro/routes/api/openapi.json.ts +15 -5
package/src/astro/routes/api/schema/collections/[slug]/fields/[fieldSlug].ts +2 -0
package/src/astro/routes/api/schema/collections/[slug]/fields/index.ts +1 -0
package/src/astro/routes/api/schema/collections/[slug]/fields/reorder.ts +1 -0
package/src/astro/routes/api/search/index.ts +5 -0
package/src/astro/routes/api/search/suggest.ts +3 -0
package/src/astro/routes/api/setup/admin-verify.ts +30 -5
package/src/astro/routes/api/setup/admin.ts +32 -8
package/src/astro/routes/api/setup/index.ts +5 -2
package/src/astro/routes/api/taxonomies/index.ts +1 -0
package/src/astro/routes/api/well-known/oauth-authorization-server.ts +1 -1
package/src/astro/types.ts +9 -0
package/src/auth/rate-limit.ts +50 -22
package/src/auth/setup-nonce.ts +22 -0
package/src/auth/trusted-proxy.ts +92 -0
package/src/bylines/index.ts +22 -45
package/src/components/EmDashHead.astro +23 -7
package/src/database/connection.ts +23 -1
package/src/database/instrumentation.ts +98 -0
package/src/database/migrations/035_bounded_404_log.ts +112 -0
package/src/database/migrations/runner.ts +2 -0
package/src/database/repositories/content.ts +39 -0
package/src/database/repositories/options.ts +25 -0
package/src/database/repositories/redirect.ts +111 -8
package/src/database/types.ts +9 -0
package/src/db/adapters.ts +15 -0
package/src/emdash-runtime.ts +312 -92
package/src/import/registry.ts +4 -3
package/src/import/ssrf.ts +253 -12
package/src/index.ts +6 -0
package/src/loader.ts +19 -24
package/src/mcp/server.ts +76 -3
package/src/menus/index.ts +6 -3
package/src/page/index.ts +1 -1
package/src/page/seo-contributions.ts +36 -0
package/src/plugins/context.ts +15 -3
package/src/plugins/manager.ts +6 -0
package/src/plugins/request-meta.ts +66 -15
package/src/plugins/routes.ts +3 -1
package/src/query.ts +104 -7
package/src/request-cache.ts +106 -0
package/src/request-context.ts +19 -0
package/src/schema/query.ts +5 -2
package/src/schema/registry.ts +243 -166
package/src/schema/types.ts +13 -2
package/src/schema/zod-generator.ts +4 -0
package/src/search/fts-manager.ts +19 -5
package/src/search/query.ts +4 -3
package/src/seed/apply.ts +41 -1
package/src/settings/index.ts +24 -5
package/src/taxonomies/index.ts +324 -124
package/src/utils/db-errors.ts +46 -0
package/src/virtual-modules.d.ts +31 -10
package/src/visual-editing/toolbar.ts +6 -1
package/src/widgets/index.ts +54 -25
package/dist/adapters-C2BzVy0p.d.mts.map +0 -1
package/dist/apply-Cma_PiF6.mjs.map +0 -1
package/dist/byline-WuOq9MFJ.mjs.map +0 -1
package/dist/bylines-C_Wsnz4L.mjs.map +0 -1
package/dist/connection-B4zVnQIa.mjs.map +0 -1
package/dist/index-CCWzlriB.d.mts.map +0 -1
package/dist/loader-BYzwzORf.mjs.map +0 -1
package/dist/query-B6Vu0d2i.mjs.map +0 -1
package/dist/redirect-7lGhLBNZ.mjs.map +0 -1
package/dist/registry-BgnP3ysR.mjs.map +0 -1
package/dist/runner-Cd-_WyDo.mjs.map +0 -1
package/dist/search-Cn1SYvYF.mjs.map +0 -1
package/dist/types-C3ronwXb.d.mts.map +0 -1
package/dist/types-DeG21anB.d.mts.map +0 -1
package/dist/types-xxCWI3j0.mjs.map +0 -1
package/dist/validate-Db1yNL3i.d.mts.map +0 -1
package/dist/version-CMMjTuqu.mjs +0 -7

package/src/astro/routes/api/oauth/register.ts ADDED Viewed

@@ -0,0 +1,178 @@
+/**
+ * POST /_emdash/api/oauth/register
+ *
+ * RFC 7591 Dynamic Client Registration. Public, unauthenticated.
+ * MCP clients (e.g. Claude Code) call this to register themselves
+ * before starting the OAuth authorization flow.
+ */
+import type { APIRoute } from "astro";
+import { apiError, handleError } from "#api/error.js";
+import { handleOAuthClientCreate } from "#api/handlers/oauth-clients.js";
+export const prerender = false;
+const OAUTH_REGISTRATION_HEADERS: HeadersInit = {
+	"Cache-Control": "no-store",
+	Pragma: "no-cache",
+	// RFC 7591 dynamic client registration is called cross-origin by MCP clients,
+	// CLIs, and native apps. The endpoint is anonymous and carries no ambient
+	// credentials, so CORS `*` is safe.
+	"Access-Control-Allow-Origin": "*",
+};
+const OAUTH_PREFLIGHT_HEADERS: HeadersInit = {
+	"Access-Control-Allow-Origin": "*",
+	"Access-Control-Allow-Methods": "POST, OPTIONS",
+	"Access-Control-Allow-Headers": "Content-Type",
+	"Access-Control-Max-Age": "86400",
+};
+const SUPPORTED_GRANT_TYPES = new Set([
+	"authorization_code",
+	"refresh_token",
+	"urn:ietf:params:oauth:grant-type:device_code",
+]);
+const SUPPORTED_RESPONSE_TYPES = new Set(["code"]);
+function registrationError(description: string, status = 400): Response {
+	return Response.json(
+		{
+			error: "invalid_client_metadata",
+			error_description: description,
+		},
+		{ status, headers: OAUTH_REGISTRATION_HEADERS },
+	);
+}
+function isRecord(value: unknown): value is Record<string, unknown> {
+	return typeof value === "object" && value !== null && !Array.isArray(value);
+}
+function isStringArray(value: unknown): value is string[] {
+	return Array.isArray(value) && value.every((item) => typeof item === "string");
+}
+function parseScope(value: unknown): string[] | Response | undefined {
+	if (value === undefined) return undefined;
+	if (typeof value === "string") {
+		const scopes = value.split(" ").filter(Boolean);
+		return scopes.length > 0 ? scopes : undefined;
+	}
+	if (isStringArray(value)) {
+		const scopes = value.filter(Boolean);
+		return scopes.length > 0 ? scopes : undefined;
+	}
+	return registrationError("scope must be a string or array of strings");
+}
+function parseSupportedStringArray(
+	value: unknown,
+	field: string,
+	supported: ReadonlySet<string>,
+): string[] | Response | undefined {
+	if (value === undefined) return undefined;
+	if (!isStringArray(value)) {
+		return registrationError(`${field} must be an array of strings`);
+	}
+	const invalidValue = value.find((item) => !supported.has(item));
+	if (invalidValue) {
+		return registrationError(`${field} contains unsupported value: ${invalidValue}`);
+	}
+	return value;
+}
+export const OPTIONS: APIRoute = () => {
+	return new Response(null, { status: 204, headers: OAUTH_PREFLIGHT_HEADERS });
+};
+export const POST: APIRoute = async ({ request, locals }) => {
+	const { emdash } = locals;
+	if (!emdash?.db) {
+		return apiError("NOT_CONFIGURED", "EmDash is not initialized", 500);
+	}
+	try {
+		let body: unknown;
+		try {
+			body = await request.json();
+		} catch {
+			return registrationError("Request body must be valid JSON");
+		}
+		if (!isRecord(body)) {
+			return registrationError("Request body must be a JSON object");
+		}
+		// redirect_uris is the only required field per RFC 7591 §2
+		if (!isStringArray(body.redirect_uris) || body.redirect_uris.length === 0) {
+			return registrationError("redirect_uris must be a non-empty array of strings");
+		}
+		if (
+			body.token_endpoint_auth_method !== undefined &&
+			body.token_endpoint_auth_method !== "none"
+		) {
+			return registrationError("Only token_endpoint_auth_method=none is supported");
+		}
+		const grantTypes = parseSupportedStringArray(
+			body.grant_types,
+			"grant_types",
+			SUPPORTED_GRANT_TYPES,
+		);
+		if (grantTypes instanceof Response) {
+			return grantTypes;
+		}
+		const responseTypes = parseSupportedStringArray(
+			body.response_types,
+			"response_types",
+			SUPPORTED_RESPONSE_TYPES,
+		);
+		if (responseTypes instanceof Response) {
+			return responseTypes;
+		}
+		const scopes = parseScope(body.scope);
+		if (scopes instanceof Response) {
+			return scopes;
+		}
+		const clientId = crypto.randomUUID();
+		const clientName =
+			typeof body.client_name === "string" && body.client_name
+				? body.client_name
+				: `dynamic-${clientId.slice(0, 8)}`;
+		const result = await handleOAuthClientCreate(emdash.db, {
+			id: clientId,
+			name: clientName,
+			redirectUris: body.redirect_uris,
+			scopes,
+		});
+		if (!result.success) {
+			return registrationError(result.error.message);
+		}
+		// RFC 7591 §3.2.1 response
+		return Response.json(
+			{
+				client_id: result.data.id,
+				client_id_issued_at: Math.floor(new Date(result.data.createdAt).getTime() / 1000),
+				redirect_uris: result.data.redirectUris,
+				client_name: result.data.name,
+				grant_types: grantTypes ?? ["authorization_code", "refresh_token"],
+				response_types: responseTypes ?? ["code"],
+				token_endpoint_auth_method: "none",
+				scope: result.data.scopes ? result.data.scopes.join(" ") : undefined,
+			},
+			{ status: 201, headers: OAUTH_REGISTRATION_HEADERS },
+		);
+	} catch (error) {
+		return handleError(error, "Failed to register OAuth client", "CLIENT_REGISTER_ERROR");
+	}
+};

package/src/astro/routes/api/oauth/token.ts CHANGED Viewed

@@ -87,6 +87,10 @@ const refreshSchema = z.object({
 // Handler
 // ---------------------------------------------------------------------------
+export const OPTIONS: APIRoute = () => {
+	return new Response(null, { status: 204, headers: OAUTH_PREFLIGHT_HEADERS });
+};
 export const POST: APIRoute = async ({ request, locals }) => {
 	const { emdash } = locals;
@@ -166,6 +170,17 @@ const OAUTH_TOKEN_HEADERS: HeadersInit = {
 	"Content-Type": "application/json",
 	"Cache-Control": "no-store",
 	Pragma: "no-cache",
+	// OAuth 2.1 token endpoint is called cross-origin by external clients. Caller
+	// must present PKCE code_verifier / device_code / refresh_token on each request,
+	// so there is no ambient credential for CSRF to exploit.
+	"Access-Control-Allow-Origin": "*",
+};
+const OAUTH_PREFLIGHT_HEADERS: HeadersInit = {
+	"Access-Control-Allow-Origin": "*",
+	"Access-Control-Allow-Methods": "POST, OPTIONS",
+	"Access-Control-Allow-Headers": "Content-Type",
+	"Access-Control-Max-Age": "86400",
 };
 function oauthSuccess(data: unknown): Response {

package/src/astro/routes/api/openapi.json.ts CHANGED Viewed

@@ -15,13 +15,23 @@ export const prerender = false;
 let cachedSpec: string | null = null;
-export const GET: APIRoute = async () => {
-	if (!cachedSpec) {
-		const doc = generateOpenApiDocument();
-		cachedSpec = JSON.stringify(doc);
+export const GET: APIRoute = async ({ locals }) => {
+	const { emdash } = locals;
+	if (!cachedSpec && emdash) {
+		try {
+			const doc = generateOpenApiDocument({ maxUploadSize: emdash.config.maxUploadSize });
+			cachedSpec = JSON.stringify(doc);
+		} catch {
+			return new Response(
+				JSON.stringify({ error: "Failed to generate OpenAPI document: invalid configuration" }),
+				{ status: 500, headers: { "Content-Type": "application/json" } },
+			);
+		}
 	}
-	return new Response(cachedSpec, {
+	const spec = cachedSpec ?? JSON.stringify(generateOpenApiDocument());
+	return new Response(spec, {
 		status: 200,
 		headers: {
 			"Content-Type": "application/json",

package/src/astro/routes/api/schema/collections/[slug]/fields/[fieldSlug].ts CHANGED Viewed

@@ -57,6 +57,7 @@ export const PUT: APIRoute = async ({ params, request, locals }) => {
 		fieldSlug,
 		body as UpdateFieldInput,
 	);
+	if (result.success) emdash!.invalidateManifest();
 	return unwrapResult(result);
 };
@@ -72,5 +73,6 @@ export const DELETE: APIRoute = async ({ params, locals }) => {
 	if (denied) return denied;
 	const result = await handleSchemaFieldDelete(emdash!.db, collectionSlug, fieldSlug);
+	if (result.success) emdash!.invalidateManifest();
 	return unwrapResult(result);
 };

package/src/astro/routes/api/schema/collections/[slug]/fields/index.ts CHANGED Viewed

@@ -48,5 +48,6 @@ export const POST: APIRoute = async ({ params, request, locals }) => {
 		collectionSlug,
 		body as CreateFieldInput,
 	);
+	if (result.success) emdash!.invalidateManifest();
 	return unwrapResult(result, 201);
 };

package/src/astro/routes/api/schema/collections/[slug]/fields/reorder.ts CHANGED Viewed

@@ -28,5 +28,6 @@ export const POST: APIRoute = async ({ params, request, locals }) => {
 	if (isParseError(body)) return body;
 	const result = await handleSchemaFieldReorder(emdash!.db, collectionSlug, body.fieldSlugs);
+	if (result.success) emdash!.invalidateManifest();
 	return unwrapResult(result);
 };

package/src/astro/routes/api/search/index.ts CHANGED Viewed

@@ -37,6 +37,11 @@ export const GET: APIRoute = async ({ url, locals }) => {
 		: undefined;
 	try {
+		// Verify FTS indexes are healthy on first use. At most once per worker
+		// lifetime; no-op after that. Moved off the cold-start hot path to
+		// keep anonymous public reads fast.
+		await emdash.ensureSearchHealthy?.();
 		const result = await searchWithDb(emdash.db, query.q, {
 			collections,
 			status: query.status,

package/src/astro/routes/api/search/suggest.ts CHANGED Viewed

@@ -36,6 +36,9 @@ export const GET: APIRoute = async ({ url, locals }) => {
 		: undefined;
 	try {
+		// Verify FTS indexes are healthy on first use. See search/index.ts.
+		await emdash.ensureSearchHealthy?.();
 		const suggestions = await getSuggestions(emdash.db, query.q, {
 			collections,
 			locale: query.locale,

package/src/astro/routes/api/setup/admin-verify.ts CHANGED Viewed

@@ -8,7 +8,7 @@ import type { APIRoute } from "astro";
 export const prerender = false;
-import { Role } from "@emdash-cms/auth";
+import { Role, secureCompare } from "@emdash-cms/auth";
 import { createKyselyAdapter } from "@emdash-cms/auth/adapters/kysely";
 import { verifyRegistrationResponse, registerPasskey } from "@emdash-cms/auth/passkey";
@@ -18,9 +18,10 @@ import { getPublicOrigin } from "#api/public-url.js";
 import { setupAdminVerifyBody } from "#api/schemas.js";
 import { createChallengeStore } from "#auth/challenge-store.js";
 import { getPasskeyConfig } from "#auth/passkey-config.js";
+import { SETUP_NONCE_COOKIE } from "#auth/setup-nonce.js";
 import { OptionsRepository } from "#db/repositories/options.js";
-export const POST: APIRoute = async ({ request, locals }) => {
+export const POST: APIRoute = async ({ cookies, request, locals }) => {
 	const { emdash } = locals;
 	if (!emdash?.db) {
@@ -45,12 +46,35 @@ export const POST: APIRoute = async ({ request, locals }) => {
 		}
 		// Get setup state
-		const setupState = await options.get("emdash:setup_state");
+		const setupState = await options.get<{
+			step?: string;
+			email?: string;
+			name?: string | null;
+			nonce?: string;
+		}>("emdash:setup_state");
 		if (!setupState || setupState.step !== "admin") {
 			return apiError("INVALID_STATE", "Invalid setup state. Please restart setup.", 400);
 		}
+		// Verify the session nonce. The cookie was minted by POST /setup/admin
+		// and stored alongside setup_state; presenting a matching cookie is
+		// proof that this verify call comes from the same browser that
+		// started the admin step. Constant-time compare to avoid leaking the
+		// stored value through timing.
+		const cookieNonce = cookies.get(SETUP_NONCE_COOKIE)?.value;
+		if (!setupState.nonce || !cookieNonce || !secureCompare(cookieNonce, setupState.nonce)) {
+			return apiError(
+				"INVALID_STATE",
+				"Setup session expired or tampered with. Please restart the admin step.",
+				400,
+			);
+		}
+		if (!setupState.email) {
+			return apiError("INVALID_STATE", "Invalid setup state. Please restart setup.", 400);
+		}
 		// Parse request body
 		const body = await parseBody(request, setupAdminVerifyBody);
 		if (isParseError(body)) return body;
@@ -73,7 +97,7 @@ export const POST: APIRoute = async ({ request, locals }) => {
 		// Create the admin user
 		const user = await adapter.createUser({
 			email: setupState.email,
-			name: setupState.name,
+			name: setupState.name ?? null,
 			role: Role.ADMIN,
 			emailVerified: false, // No email verification for first user
 		});
@@ -84,8 +108,9 @@ export const POST: APIRoute = async ({ request, locals }) => {
 		// Mark setup as complete
 		await options.set("emdash:setup_complete", true);
-		// Clean up setup state
+		// Clean up setup state and the session nonce cookie
 		await options.delete("emdash:setup_state");
+		cookies.delete(SETUP_NONCE_COOKIE, { path: "/_emdash/" });
 		return apiSuccess({
 			success: true,

package/src/astro/routes/api/setup/admin.ts CHANGED Viewed

@@ -8,6 +8,7 @@ import type { APIRoute } from "astro";
 export const prerender = false;
+import { generateToken } from "@emdash-cms/auth";
 import { createKyselyAdapter } from "@emdash-cms/auth/adapters/kysely";
 import { generateRegistrationOptions } from "@emdash-cms/auth/passkey";
@@ -17,9 +18,10 @@ import { getPublicOrigin } from "#api/public-url.js";
 import { setupAdminBody } from "#api/schemas.js";
 import { createChallengeStore } from "#auth/challenge-store.js";
 import { getPasskeyConfig } from "#auth/passkey-config.js";
+import { SETUP_NONCE_COOKIE, SETUP_NONCE_MAX_AGE_SECONDS } from "#auth/setup-nonce.js";
 import { OptionsRepository } from "#db/repositories/options.js";
-export const POST: APIRoute = async ({ request, locals }) => {
+export const POST: APIRoute = async ({ cookies, request, locals }) => {
 	const { emdash } = locals;
 	if (!emdash?.db) {
@@ -47,12 +49,13 @@ export const POST: APIRoute = async ({ request, locals }) => {
 		const body = await parseBody(request, setupAdminBody);
 		if (isParseError(body)) return body;
-		// Store admin info in setup state for later
-		await options.set("emdash:setup_state", {
-			step: "admin",
-			email: body.email.toLowerCase(),
-			name: body.name || null,
-		});
+		// Mint a fresh session nonce. This binds the follow-up
+		// /setup/admin/verify call to the same browser that made this
+		// request, so an unauthenticated attacker on another host cannot
+		// substitute their own email into the setup state during the
+		// setup window. Rotates on every call so a legitimate retry
+		// always gets a working session.
+		const nonce = generateToken();
 		// Get passkey config
 		const url = new URL(request.url);
@@ -78,12 +81,33 @@ export const POST: APIRoute = async ({ request, locals }) => {
 			challengeStore,
 		);
-		// Store the temp user ID with the setup state
+		// Store the nonce alongside the rest of the setup state. The verify
+		// endpoint will constant-time compare this with the incoming cookie.
 		await options.set("emdash:setup_state", {
 			step: "admin",
 			email: body.email.toLowerCase(),
 			name: body.name || null,
 			tempUserId: tempUser.id,
+			nonce,
+		});
+		// HttpOnly + SameSite=Strict + path-scoped. The cookie must not be
+		// accessible to JS (nothing in the admin UI needs to read it) and
+		// must not be sent on cross-site navigations. The /_emdash/ path
+		// scope keeps it away from user-authored frontend code.
+		//
+		// Derive `secure` from the public origin, not the internal request
+		// URL. Behind a TLS-terminating reverse proxy the internal hop is
+		// often `http:` while the browser-facing origin is `https:` —
+		// using `url.protocol` there would drop the Secure flag on a
+		// sensitive cookie over the public HTTPS connection.
+		const publicOrigin = new URL(siteUrl);
+		cookies.set(SETUP_NONCE_COOKIE, nonce, {
+			path: "/_emdash/",
+			httpOnly: true,
+			sameSite: "strict",
+			secure: publicOrigin.protocol === "https:",
+			maxAge: SETUP_NONCE_MAX_AGE_SECONDS,
 		});
 		return apiSuccess({

package/src/astro/routes/api/setup/index.ts CHANGED Viewed

@@ -89,9 +89,12 @@ export const POST: APIRoute = async ({ request, url, locals }) => {
 			const options = new OptionsRepository(emdash.db);
 			// Store the canonical site URL from the setup request.
-			// This is trusted because setup runs on the real domain.
+			// Write-once at the DB level so concurrent setup POSTs can't both
+			// observe an empty value and race to write. A spoofed Host header
+			// on a later call during the wizard window must not be able to
+			// replace the first value.
 			const siteUrl = getPublicOrigin(url, emdash.config);
-			await options.set("emdash:site_url", siteUrl);
+			await options.setIfAbsent("emdash:site_url", siteUrl);
 			if (useExternalAuth) {
 				// External auth mode: mark setup complete now

package/src/astro/routes/api/taxonomies/index.ts CHANGED Viewed

@@ -52,6 +52,7 @@ export const POST: APIRoute = async ({ request, locals }) => {
 		if (isParseError(body)) return body;
 		const result = await handleTaxonomyCreate(emdash.db, body);
+		if (result.success) emdash.invalidateManifest();
 		return unwrapResult(result, 201);
 	} catch (error) {
 		return handleError(error, "Failed to create taxonomy", "TAXONOMY_CREATE_ERROR");

package/src/astro/routes/api/well-known/oauth-authorization-server.ts CHANGED Viewed

@@ -33,8 +33,8 @@ export const GET: APIRoute = async ({ url, locals }) => {
 				"urn:ietf:params:oauth:grant-type:device_code",
 			],
 			code_challenge_methods_supported: ["S256"],
+			registration_endpoint: `${origin}/_emdash/api/oauth/register`,
 			token_endpoint_auth_methods_supported: ["none"],
-			client_id_metadata_document_supported: true,
 			device_authorization_endpoint: `${origin}/_emdash/api/oauth/device/code`,
 		},
 		{

package/src/astro/types.ts CHANGED Viewed

@@ -142,6 +142,15 @@ export interface EmDashManifest {
 	 * When true, the admin UI can show marketplace browse/install features.
 	 */
 	marketplace?: boolean;
+	/**
+	 * Admin branding overrides for white-labeling.
+	 * Set via the `admin` config in `astro.config.mjs`.
+	 */
+	admin?: {
+		logo?: string;
+		siteName?: string;
+		favicon?: string;
+	};
 }
 /**

package/src/auth/rate-limit.ts CHANGED Viewed

@@ -100,44 +100,72 @@ export function rateLimitResponse(retryAfterSeconds: number): Response {
  *
  * Resolution order:
  * 1. `CF-Connecting-IP` — trusted only when the Cloudflare `cf` object is
- *    present (proving the request traversed Cloudflare's edge, which
- *    strips/overwrites client-supplied values).
- * 2. `X-Forwarded-For` (first entry) — also trusted only on Cloudflare.
- *    Without a trusted reverse proxy the header is trivially spoofable,
- *    so we don't use it for standalone deployments.
- * 3. `null` — no trusted IP available. Callers must handle this gracefully
+ *    present. CF edge overwrites any client-supplied value, so this is the
+ *    cryptographically trustworthy path on Workers. Operator-declared
+ *    trusted headers cannot override it.
+ * 2. `X-Forwarded-For` (first entry) — trusted only when the `cf` object
+ *    is present (CF sets this reliably).
+ * 3. Operator-declared trusted proxy headers (ordered list) — used as a
+ *    fallback for non-CF deployments behind a reverse proxy the operator
+ *    controls. Also applies as a fill-in on CF when the CF headers are
+ *    absent (e.g. internal cron handlers).
+ * 4. `null` — no trusted IP available. Callers must handle this gracefully
  *    (e.g. skip rate limiting).
  *
+ * Pass `trustedHeaders` from `getTrustedProxyHeaders(emdash.config)` so
+ * self-hosted non-CF deployments can opt into reading a specific header.
+ *
  * Aligned with `extractRequestMeta` in `plugins/request-meta.ts`.
  */
-export function getClientIp(request: Request): string | null {
+export function getClientIp(request: Request, trustedHeaders: string[] = []): string | null {
 	const headers = request.headers;
 	// eslint-disable-next-line typescript-eslint(no-unsafe-type-assertion) -- CF Workers runtime shape
 	const cf = (request as unknown as { cf?: Record<string, unknown> }).cf;
-	if (!cf) {
-		// Not on Cloudflare — no trusted source of client IP
-		return null;
-	}
+	// On Cloudflare, prefer the cryptographically trustworthy headers. An
+	// attacker can't spoof these — the CF edge strips/overwrites them.
+	if (cf) {
+		const cfIp = headers.get("cf-connecting-ip")?.trim();
+		if (cfIp && IP_PATTERN.test(cfIp)) {
+			return cfIp;
+		}
-	// Trust CF-Connecting-IP when the cf object confirms Cloudflare
-	const cfIp = headers.get("cf-connecting-ip")?.trim();
-	if (cfIp && IP_PATTERN.test(cfIp)) {
-		return cfIp;
+		const xff = headers.get("x-forwarded-for");
+		if (xff) {
+			const first = xff.split(",")[0]?.trim();
+			if (first && IP_PATTERN.test(first)) {
+				return first;
+			}
+		}
 	}
-	// Fallback to XFF on Cloudflare (CF sets this reliably)
-	const xff = headers.get("x-forwarded-for");
-	if (xff) {
-		const first = xff.split(",")[0]?.trim();
-		if (first && IP_PATTERN.test(first)) {
-			return first;
-		}
+	// Fall through to operator-declared trusted headers. On CF this fills
+	// in when the CF headers are absent; off-CF it's the primary source.
+	for (const name of trustedHeaders) {
+		const value = readIpFromHeader(headers, name);
+		if (value) return value;
 	}
 	return null;
 }
+/**
+ * Read an IP from an operator-declared trusted header. XFF-style headers
+ * are parsed as comma-separated lists and the first entry is used.
+ */
+function readIpFromHeader(headers: Headers, name: string): string | null {
+	const value = headers.get(name);
+	if (!value) return null;
+	if (name.toLowerCase().endsWith("forwarded-for")) {
+		const first = value.split(",")[0]?.trim();
+		if (!first) return null;
+		return IP_PATTERN.test(first) ? first : null;
+	}
+	const trimmed = value.trim();
+	if (!trimmed) return null;
+	return IP_PATTERN.test(trimmed) ? trimmed : null;
+}
 /**
  * Delete expired rate limit entries.
  *

package/src/auth/setup-nonce.ts ADDED Viewed

@@ -0,0 +1,22 @@
+/**
+ * Session binding for the first-setup admin-creation flow.
+ *
+ * Shared constants for the nonce cookie that ties /_emdash/api/setup/admin
+ * and /_emdash/api/setup/admin/verify to the same browser. Without this
+ * binding, any unauthenticated caller could POST /setup/admin during the
+ * setup window and substitute their own email into the stored setup state
+ * before the legitimate admin completes passkey verification.
+ *
+ * Implementation lives in the two route handlers; this module is just
+ * the name / lifetime so both ends agree.
+ */
+/** Cookie name carrying the setup-admin session nonce. */
+export const SETUP_NONCE_COOKIE = "emdash_setup_nonce";
+/**
+ * Cookie max-age in seconds. One hour is plenty of time to complete
+ * a passkey registration; if the user lingers longer the admin step
+ * can simply be retried.
+ */
+export const SETUP_NONCE_MAX_AGE_SECONDS = 60 * 60;