emdash 0.6.0 → 0.7.0

package/src/astro/routes/api/content/[collection]/[id]/compare.ts

@@ -13,7 +13,7 @@ export const prerender = false;
 
 export const GET: APIRoute = async ({ params, locals }) => {
 	const { emdash, user } = locals;
-	const denied = requirePerm(user, "content:read");
+	const denied = requirePerm(user, "content:read_drafts");
 	if (denied) return denied;
 	const collection = params.collection!;
 	const id = params.id!;

package/src/astro/routes/api/content/[collection]/[id]/preview-url.ts

@@ -30,7 +30,7 @@ const DURATION_PATTERN = /^(\d+)([smhdw])$/;
 
 export const POST: APIRoute = async ({ params, request, locals }) => {
 	const { emdash, user } = locals;
-	const denied = requirePerm(user, "content:read");
+	const denied = requirePerm(user, "content:read_drafts");
 	if (denied) return denied;
 	const collection = params.collection!;
 	const id = params.id!;

package/src/astro/routes/api/content/[collection]/[id]/revisions.ts

@@ -13,7 +13,7 @@ export const prerender = false;
 
 export const GET: APIRoute = async ({ params, url, locals }) => {
 	const { emdash, user } = locals;
-	const denied = requirePerm(user, "content:read");
+	const denied = requirePerm(user, "content:read_drafts");
 	if (denied) return denied;
 	const collection = params.collection!;
 	const id = params.id!;

package/src/astro/routes/api/content/[collection]/[id]/translations.ts

@@ -6,6 +6,7 @@
  * Returns all locale variants linked to the same translation group.
  */
 
+import { hasPermission, type Permission } from "@emdash-cms/auth";
 import type { APIRoute } from "astro";
 
 import { requirePerm } from "#api/authorize.js";
@@ -13,6 +14,15 @@ import { apiError, unwrapResult } from "#api/error.js";
 
 export const prerender = false;
 
+function isPublished(t: unknown): boolean {
+	return (
+		typeof t === "object" &&
+		t !== null &&
+		"status" in t &&
+		(t as Record<string, unknown>).status === "published"
+	);
+}
+
 export const GET: APIRoute = async ({ params, locals }) => {
 	const { emdash, user } = locals;
 	const denied = requirePerm(user, "content:read");
@@ -26,5 +36,21 @@ export const GET: APIRoute = async ({ params, locals }) => {
 
 	const result = await emdash.handleContentTranslations(collection, id);
 
+	// Filter out non-published translations for users without read_drafts so a
+	// subscriber can't enumerate locales that aren't yet live.
+	if (result.success && !hasPermission(user, "content:read_drafts")) {
+		const data =
+			result.data && typeof result.data === "object"
+				? // eslint-disable-next-line typescript-eslint(no-unsafe-type-assertion) -- handler returns unknown data; narrowed by typeof check
+					(result.data as Record<string, unknown>)
+				: undefined;
+		const translations = Array.isArray(data?.translations) ? data.translations : [];
+		const filtered = translations.filter(isPublished);
+		return unwrapResult({
+			success: true,
+			data: { ...data, translations: filtered },
+		});
+	}
+
 	return unwrapResult(result);
 };

package/src/astro/routes/api/content/[collection]/[id].ts

@@ -6,7 +6,7 @@
  * DELETE /_emdash/api/content/{collection}/{id} - Delete content
  */
 
-import { hasPermission, type Permission } from "@emdash-cms/auth";
+import { hasPermission } from "@emdash-cms/auth";
 import type { APIRoute } from "astro";
 
 import { requirePerm, requireOwnerPerm } from "#api/authorize.js";
@@ -30,6 +30,25 @@ export const GET: APIRoute = async ({ params, url, locals }) => {
 
 	const result = await emdash.handleContentGet(collection, id, locale);
 
+	// Hide non-published items from users without content:read_drafts. Return
+	// 404 (not 403) so subscribers can't enumerate draft IDs by status code.
+	if (result.success && !hasPermission(user, "content:read_drafts")) {
+		const data =
+			result.data && typeof result.data === "object"
+				? // eslint-disable-next-line typescript-eslint(no-unsafe-type-assertion) -- handler returns unknown data; narrowed by typeof check
+					(result.data as Record<string, unknown>)
+				: undefined;
+		const item =
+			data?.item && typeof data.item === "object"
+				? // eslint-disable-next-line typescript-eslint(no-unsafe-type-assertion) -- narrowed by typeof check
+					(data.item as Record<string, unknown>)
+				: undefined;
+		const status = typeof item?.status === "string" ? item.status : null;
+		if (status !== "published") {
+			return apiError("NOT_FOUND", `Content item not found: ${id}`, 404);
+		}
+	}
+
 	return unwrapResult(result);
 };
 
@@ -69,12 +88,21 @@ export const PUT: APIRoute = async ({ params, request, locals, cache }) => {
 	const editDenied = requireOwnerPerm(user, authorId, "content:edit_own", "content:edit_any");
 	if (editDenied) return editDenied;
 
+	// Only EDITOR+ can write publishedAt directly — incl. clearing to null.
+	if (body.publishedAt !== undefined && !hasPermission(user, "content:publish_any")) {
+		return apiError(
+			"FORBIDDEN",
+			"Writing publishedAt requires content:publish_any permission",
+			403,
+		);
+	}
+
 	// Use the resolved ID (handles slug → ID resolution)
 	const resolvedId = typeof existingItem?.id === "string" ? existingItem.id : id;
 
 	// Only allow authorId changes if user has content:edit_any permission (editor+)
 	const canChangeAuthor =
-		body.authorId !== undefined && user && hasPermission(user, "content:edit_any" as Permission);
+		body.authorId !== undefined && user && hasPermission(user, "content:edit_any");
 	const updateBody = canChangeAuthor ? body : { ...body, authorId: undefined };
 
 	// Pass _rev through for optimistic concurrency validation

package/src/astro/routes/api/content/[collection]/index.ts

@@ -5,6 +5,7 @@
  * POST /_emdash/api/content/{collection} - Create content
  */
 
+import { hasPermission } from "@emdash-cms/auth";
 import type { APIRoute } from "astro";
 
 import { requirePerm, requireOwnerPerm } from "#api/authorize.js";
@@ -26,7 +27,14 @@ export const GET: APIRoute = async ({ params, url, locals }) => {
 		return apiError("NOT_CONFIGURED", "EmDash is not initialized", 500);
 	}
 
-	const result = await emdash.handleContentList(collection, query);
+	// Subscribers must only see published content; force the status filter
+	// regardless of caller-supplied value. Any user with content:read_drafts
+	// (CONTRIBUTOR+) keeps the requested filter.
+	const params_ = hasPermission(user, "content:read_drafts")
+		? query
+		: { ...query, status: "published" };
+
+	const result = await emdash.handleContentList(collection, params_);
 
 	return unwrapResult(result);
 };
@@ -71,6 +79,16 @@ export const POST: APIRoute = async ({ params, request, locals, cache }) => {
 		if (translationDenied) return translationDenied;
 	}
 
+	// Only EDITOR+ can write publishedAt / createdAt directly — incl. clearing to null.
+	const hasDateOverride = body.publishedAt !== undefined || body.createdAt !== undefined;
+	if (hasDateOverride && !hasPermission(user, "content:publish_any")) {
+		return apiError(
+			"FORBIDDEN",
+			"Writing publishedAt or createdAt requires content:publish_any permission",
+			403,
+		);
+	}
+
 	// Auto-set authorId to current user when creating content
 	const result = await emdash.handleContentCreate(collection, {
 		...body,

package/src/astro/routes/api/content/[collection]/trash.ts

@@ -17,7 +17,7 @@ export const GET: APIRoute = async ({ params, url, locals }) => {
 	const { emdash, user } = locals;
 	const collection = params.collection!;
 
-	const denied = requirePerm(user, "content:read");
+	const denied = requirePerm(user, "content:read_drafts");
 	if (denied) return denied;
 
 	if (!emdash?.handleContentListTrashed) {

package/src/astro/routes/api/import/wordpress-plugin/analyze.ts

@@ -15,7 +15,7 @@ import { apiError, apiSuccess, handleError } from "#api/error.js";
 import { isParseError, parseBody } from "#api/parse.js";
 import { wpPluginAnalyzeBody } from "#api/schemas.js";
 import { getSource } from "#import/index.js";
-import { validateExternalUrl, SsrfError } from "#import/ssrf.js";
+import { resolveAndValidateExternalUrl, SsrfError } from "#import/ssrf.js";
 import type { ImportAnalysis } from "#import/types.js";
 import type { EmDashHandlers } from "#types";
 
@@ -37,9 +37,10 @@ export const POST: APIRoute = async ({ request, locals }) => {
 		const body = await parseBody(request, wpPluginAnalyzeBody);
 		if (isParseError(body)) return body;
 
-		// SSRF: reject internal/private network targets
+		// SSRF: reject internal/private network targets. Uses DNS resolution
+		// to catch hostnames that resolve to private addresses.
 		try {
-			validateExternalUrl(body.url);
+			await resolveAndValidateExternalUrl(body.url);
 		} catch (e) {
 			const msg = e instanceof SsrfError ? e.message : "Invalid URL";
 			return apiError("SSRF_BLOCKED", msg, 400);

package/src/astro/routes/api/import/wordpress-plugin/execute.ts

@@ -15,7 +15,7 @@ import { isParseError, parseBody } from "#api/parse.js";
 import { wpPluginExecuteBody } from "#api/schemas.js";
 import { BylineRepository } from "#db/repositories/byline.js";
 import { getSource } from "#import/index.js";
-import { validateExternalUrl, SsrfError } from "#import/ssrf.js";
+import { resolveAndValidateExternalUrl, SsrfError } from "#import/ssrf.js";
 import type { ImportConfig, ImportResult, NormalizedItem } from "#import/types.js";
 import { resolveImportByline } from "#import/utils.js";
 import type { FieldType } from "#schema/types.js";
@@ -49,9 +49,10 @@ export const POST: APIRoute = async ({ request, locals }) => {
 		const body = await parseBody(request, wpPluginExecuteBody);
 		if (isParseError(body)) return body;
 
-		// SSRF: reject internal/private network targets
+		// SSRF: reject internal/private network targets. Uses DNS resolution
+		// to catch hostnames that resolve to private addresses.
 		try {
-			validateExternalUrl(body.url);
+			await resolveAndValidateExternalUrl(body.url);
 		} catch (e) {
 			const msg = e instanceof SsrfError ? e.message : "Invalid URL";
 			return apiError("SSRF_BLOCKED", msg, 400);

package/src/astro/routes/api/manifest.ts

@@ -12,6 +12,7 @@ import type { APIRoute } from "astro";
 import { getAuthMode } from "#auth/mode.js";
 
 import { COMMIT, VERSION } from "../../../version.js";
+import { getStoredConfig } from "../../integration/runtime.js";
 import type { EmDashManifest } from "../../types.js";
 
 export const prerender = false;
@@ -22,6 +23,10 @@ export const GET: APIRoute = async ({ locals }) => {
 	// Determine auth mode from config
 	const authMode = getAuthMode(emdash?.config);
 
+	// Read admin branding from build-time config
+	const storedConfig = getStoredConfig();
+	const adminBranding = storedConfig?.admin;
+
 	// Check if self-signup is enabled (any allowed domain with enabled = 1)
 	// Only relevant for passkey auth — external auth providers handle their own signup
 	let signupEnabled = false;
@@ -42,6 +47,7 @@ export const GET: APIRoute = async ({ locals }) => {
 				...emdashManifest,
 				authMode: authMode.type === "external" ? authMode.providerType : "passkey",
 				signupEnabled,
+				admin: adminBranding,
 			}
 		: {
 				version: VERSION,
@@ -52,6 +58,7 @@ export const GET: APIRoute = async ({ locals }) => {
 				taxonomies: [],
 				authMode: "passkey",
 				signupEnabled,
+				admin: adminBranding,
 			};
 
 	return Response.json(

package/src/astro/routes/api/oauth/device/code.ts

@@ -15,6 +15,7 @@ import { handleDeviceCodeRequest } from "#api/handlers/device-flow.js";
 import { isParseError, parseBody } from "#api/parse.js";
 import { getPublicOrigin } from "#api/public-url.js";
 import { checkRateLimit, getClientIp, rateLimitResponse } from "#auth/rate-limit.js";
+import { getTrustedProxyHeaders } from "#auth/trusted-proxy.js";
 
 export const prerender = false;
 
@@ -35,7 +36,7 @@ export const POST: APIRoute = async ({ request, locals, url }) => {
 		if (isParseError(body)) return body;
 
 		// Rate limit: 10 requests per 60 seconds per IP
-		const ip = getClientIp(request);
+		const ip = getClientIp(request, getTrustedProxyHeaders(emdash.config));
 		const rateLimit = await checkRateLimit(emdash.db, ip, "device/code", 10, 60);
 		if (!rateLimit.allowed) {
 			return rateLimitResponse(60);

package/src/astro/routes/api/oauth/device/token.ts

@@ -17,6 +17,7 @@ import { apiError, handleError, unwrapResult } from "#api/error.js";
 import { handleDeviceTokenExchange } from "#api/handlers/device-flow.js";
 import { isParseError, parseBody } from "#api/parse.js";
 import { checkRateLimit, getClientIp, rateLimitResponse } from "#auth/rate-limit.js";
+import { getTrustedProxyHeaders } from "#auth/trusted-proxy.js";
 
 export const prerender = false;
 
@@ -37,7 +38,7 @@ export const POST: APIRoute = async ({ request, locals }) => {
 		if (isParseError(body)) return body;
 
 		// Rate limit: 12 requests per 60 seconds per IP
-		const ip = getClientIp(request);
+		const ip = getClientIp(request, getTrustedProxyHeaders(emdash.config));
 		const rateLimit = await checkRateLimit(emdash.db, ip, "device/token", 12, 60);
 		if (!rateLimit.allowed) {
 			return rateLimitResponse(60);

package/src/astro/routes/api/setup/admin-verify.ts

@@ -8,7 +8,7 @@ import type { APIRoute } from "astro";
 
 export const prerender = false;
 
-import { Role } from "@emdash-cms/auth";
+import { Role, secureCompare } from "@emdash-cms/auth";
 import { createKyselyAdapter } from "@emdash-cms/auth/adapters/kysely";
 import { verifyRegistrationResponse, registerPasskey } from "@emdash-cms/auth/passkey";
 
@@ -18,9 +18,10 @@ import { getPublicOrigin } from "#api/public-url.js";
 import { setupAdminVerifyBody } from "#api/schemas.js";
 import { createChallengeStore } from "#auth/challenge-store.js";
 import { getPasskeyConfig } from "#auth/passkey-config.js";
+import { SETUP_NONCE_COOKIE } from "#auth/setup-nonce.js";
 import { OptionsRepository } from "#db/repositories/options.js";
 
-export const POST: APIRoute = async ({ request, locals }) => {
+export const POST: APIRoute = async ({ cookies, request, locals }) => {
 	const { emdash } = locals;
 
 	if (!emdash?.db) {
@@ -45,12 +46,35 @@ export const POST: APIRoute = async ({ request, locals }) => {
 		}
 
 		// Get setup state
-		const setupState = await options.get("emdash:setup_state");
+		const setupState = await options.get<{
+			step?: string;
+			email?: string;
+			name?: string | null;
+			nonce?: string;
+		}>("emdash:setup_state");
 
 		if (!setupState || setupState.step !== "admin") {
 			return apiError("INVALID_STATE", "Invalid setup state. Please restart setup.", 400);
 		}
 
+		// Verify the session nonce. The cookie was minted by POST /setup/admin
+		// and stored alongside setup_state; presenting a matching cookie is
+		// proof that this verify call comes from the same browser that
+		// started the admin step. Constant-time compare to avoid leaking the
+		// stored value through timing.
+		const cookieNonce = cookies.get(SETUP_NONCE_COOKIE)?.value;
+		if (!setupState.nonce || !cookieNonce || !secureCompare(cookieNonce, setupState.nonce)) {
+			return apiError(
+				"INVALID_STATE",
+				"Setup session expired or tampered with. Please restart the admin step.",
+				400,
+			);
+		}
+
+		if (!setupState.email) {
+			return apiError("INVALID_STATE", "Invalid setup state. Please restart setup.", 400);
+		}
+
 		// Parse request body
 		const body = await parseBody(request, setupAdminVerifyBody);
 		if (isParseError(body)) return body;
@@ -73,7 +97,7 @@ export const POST: APIRoute = async ({ request, locals }) => {
 		// Create the admin user
 		const user = await adapter.createUser({
 			email: setupState.email,
-			name: setupState.name,
+			name: setupState.name ?? null,
 			role: Role.ADMIN,
 			emailVerified: false, // No email verification for first user
 		});
@@ -84,8 +108,9 @@ export const POST: APIRoute = async ({ request, locals }) => {
 		// Mark setup as complete
 		await options.set("emdash:setup_complete", true);
 
-		// Clean up setup state
+		// Clean up setup state and the session nonce cookie
 		await options.delete("emdash:setup_state");
+		cookies.delete(SETUP_NONCE_COOKIE, { path: "/_emdash/" });
 
 		return apiSuccess({
 			success: true,

package/src/astro/routes/api/setup/admin.ts

@@ -8,6 +8,7 @@ import type { APIRoute } from "astro";
 
 export const prerender = false;
 
+import { generateToken } from "@emdash-cms/auth";
 import { createKyselyAdapter } from "@emdash-cms/auth/adapters/kysely";
 import { generateRegistrationOptions } from "@emdash-cms/auth/passkey";
 
@@ -17,9 +18,10 @@ import { getPublicOrigin } from "#api/public-url.js";
 import { setupAdminBody } from "#api/schemas.js";
 import { createChallengeStore } from "#auth/challenge-store.js";
 import { getPasskeyConfig } from "#auth/passkey-config.js";
+import { SETUP_NONCE_COOKIE, SETUP_NONCE_MAX_AGE_SECONDS } from "#auth/setup-nonce.js";
 import { OptionsRepository } from "#db/repositories/options.js";
 
-export const POST: APIRoute = async ({ request, locals }) => {
+export const POST: APIRoute = async ({ cookies, request, locals }) => {
 	const { emdash } = locals;
 
 	if (!emdash?.db) {
@@ -47,12 +49,13 @@ export const POST: APIRoute = async ({ request, locals }) => {
 		const body = await parseBody(request, setupAdminBody);
 		if (isParseError(body)) return body;
 
-		// Store admin info in setup state for later
-		await options.set("emdash:setup_state", {
-			step: "admin",
-			email: body.email.toLowerCase(),
-			name: body.name || null,
-		});
+		// Mint a fresh session nonce. This binds the follow-up
+		// /setup/admin/verify call to the same browser that made this
+		// request, so an unauthenticated attacker on another host cannot
+		// substitute their own email into the setup state during the
+		// setup window. Rotates on every call so a legitimate retry
+		// always gets a working session.
+		const nonce = generateToken();
 
 		// Get passkey config
 		const url = new URL(request.url);
@@ -78,12 +81,33 @@ export const POST: APIRoute = async ({ request, locals }) => {
 			challengeStore,
 		);
 
-		// Store the temp user ID with the setup state
+		// Store the nonce alongside the rest of the setup state. The verify
+		// endpoint will constant-time compare this with the incoming cookie.
 		await options.set("emdash:setup_state", {
 			step: "admin",
 			email: body.email.toLowerCase(),
 			name: body.name || null,
 			tempUserId: tempUser.id,
+			nonce,
+		});
+
+		// HttpOnly + SameSite=Strict + path-scoped. The cookie must not be
+		// accessible to JS (nothing in the admin UI needs to read it) and
+		// must not be sent on cross-site navigations. The /_emdash/ path
+		// scope keeps it away from user-authored frontend code.
+		//
+		// Derive `secure` from the public origin, not the internal request
+		// URL. Behind a TLS-terminating reverse proxy the internal hop is
+		// often `http:` while the browser-facing origin is `https:` —
+		// using `url.protocol` there would drop the Secure flag on a
+		// sensitive cookie over the public HTTPS connection.
+		const publicOrigin = new URL(siteUrl);
+		cookies.set(SETUP_NONCE_COOKIE, nonce, {
+			path: "/_emdash/",
+			httpOnly: true,
+			sameSite: "strict",
+			secure: publicOrigin.protocol === "https:",
+			maxAge: SETUP_NONCE_MAX_AGE_SECONDS,
 		});
 
 		return apiSuccess({

package/src/astro/routes/api/setup/index.ts

@@ -89,9 +89,12 @@ export const POST: APIRoute = async ({ request, url, locals }) => {
 			const options = new OptionsRepository(emdash.db);
 
 			// Store the canonical site URL from the setup request.
-			// This is trusted because setup runs on the real domain.
+			// Write-once at the DB level so concurrent setup POSTs can't both
+			// observe an empty value and race to write. A spoofed Host header
+			// on a later call during the wizard window must not be able to
+			// replace the first value.
 			const siteUrl = getPublicOrigin(url, emdash.config);
-			await options.set("emdash:site_url", siteUrl);
+			await options.setIfAbsent("emdash:site_url", siteUrl);
 
 			if (useExternalAuth) {
 				// External auth mode: mark setup complete now

package/src/astro/types.ts

@@ -142,6 +142,15 @@ export interface EmDashManifest {
 	 * When true, the admin UI can show marketplace browse/install features.
 	 */
 	marketplace?: boolean;
+	/**
+	 * Admin branding overrides for white-labeling.
+	 * Set via the `admin` config in `astro.config.mjs`.
+	 */
+	admin?: {
+		logo?: string;
+		siteName?: string;
+		favicon?: string;
+	};
 }
 
 /**

package/src/auth/rate-limit.ts

@@ -100,44 +100,72 @@ export function rateLimitResponse(retryAfterSeconds: number): Response {
  *
  * Resolution order:
  * 1. `CF-Connecting-IP` — trusted only when the Cloudflare `cf` object is
- *    present (proving the request traversed Cloudflare's edge, which
- *    strips/overwrites client-supplied values).
- * 2. `X-Forwarded-For` (first entry) — also trusted only on Cloudflare.
- *    Without a trusted reverse proxy the header is trivially spoofable,
- *    so we don't use it for standalone deployments.
- * 3. `null` — no trusted IP available. Callers must handle this gracefully
+ *    present. CF edge overwrites any client-supplied value, so this is the
+ *    cryptographically trustworthy path on Workers. Operator-declared
+ *    trusted headers cannot override it.
+ * 2. `X-Forwarded-For` (first entry) — trusted only when the `cf` object
+ *    is present (CF sets this reliably).
+ * 3. Operator-declared trusted proxy headers (ordered list) — used as a
+ *    fallback for non-CF deployments behind a reverse proxy the operator
+ *    controls. Also applies as a fill-in on CF when the CF headers are
+ *    absent (e.g. internal cron handlers).
+ * 4. `null` — no trusted IP available. Callers must handle this gracefully
  *    (e.g. skip rate limiting).
  *
+ * Pass `trustedHeaders` from `getTrustedProxyHeaders(emdash.config)` so
+ * self-hosted non-CF deployments can opt into reading a specific header.
+ *
  * Aligned with `extractRequestMeta` in `plugins/request-meta.ts`.
  */
-export function getClientIp(request: Request): string | null {
+export function getClientIp(request: Request, trustedHeaders: string[] = []): string | null {
 	const headers = request.headers;
 	// eslint-disable-next-line typescript-eslint(no-unsafe-type-assertion) -- CF Workers runtime shape
 	const cf = (request as unknown as { cf?: Record<string, unknown> }).cf;
 
-	if (!cf) {
-		// Not on Cloudflare — no trusted source of client IP
-		return null;
-	}
+	// On Cloudflare, prefer the cryptographically trustworthy headers. An
+	// attacker can't spoof these — the CF edge strips/overwrites them.
+	if (cf) {
+		const cfIp = headers.get("cf-connecting-ip")?.trim();
+		if (cfIp && IP_PATTERN.test(cfIp)) {
+			return cfIp;
+		}
 
-	// Trust CF-Connecting-IP when the cf object confirms Cloudflare
-	const cfIp = headers.get("cf-connecting-ip")?.trim();
-	if (cfIp && IP_PATTERN.test(cfIp)) {
-		return cfIp;
+		const xff = headers.get("x-forwarded-for");
+		if (xff) {
+			const first = xff.split(",")[0]?.trim();
+			if (first && IP_PATTERN.test(first)) {
+				return first;
+			}
+		}
 	}
 
-	// Fallback to XFF on Cloudflare (CF sets this reliably)
-	const xff = headers.get("x-forwarded-for");
-	if (xff) {
-		const first = xff.split(",")[0]?.trim();
-		if (first && IP_PATTERN.test(first)) {
-			return first;
-		}
+	// Fall through to operator-declared trusted headers. On CF this fills
+	// in when the CF headers are absent; off-CF it's the primary source.
+	for (const name of trustedHeaders) {
+		const value = readIpFromHeader(headers, name);
+		if (value) return value;
 	}
 
 	return null;
 }
 
+/**
+ * Read an IP from an operator-declared trusted header. XFF-style headers
+ * are parsed as comma-separated lists and the first entry is used.
+ */
+function readIpFromHeader(headers: Headers, name: string): string | null {
+	const value = headers.get(name);
+	if (!value) return null;
+	if (name.toLowerCase().endsWith("forwarded-for")) {
+		const first = value.split(",")[0]?.trim();
+		if (!first) return null;
+		return IP_PATTERN.test(first) ? first : null;
+	}
+	const trimmed = value.trim();
+	if (!trimmed) return null;
+	return IP_PATTERN.test(trimmed) ? trimmed : null;
+}
+
 /**
  * Delete expired rate limit entries.
  *

package/src/auth/setup-nonce.ts

@@ -0,0 +1,22 @@
+/**
+ * Session binding for the first-setup admin-creation flow.
+ *
+ * Shared constants for the nonce cookie that ties /_emdash/api/setup/admin
+ * and /_emdash/api/setup/admin/verify to the same browser. Without this
+ * binding, any unauthenticated caller could POST /setup/admin during the
+ * setup window and substitute their own email into the stored setup state
+ * before the legitimate admin completes passkey verification.
+ *
+ * Implementation lives in the two route handlers; this module is just
+ * the name / lifetime so both ends agree.
+ */
+
+/** Cookie name carrying the setup-admin session nonce. */
+export const SETUP_NONCE_COOKIE = "emdash_setup_nonce";
+
+/**
+ * Cookie max-age in seconds. One hour is plenty of time to complete
+ * a passkey registration; if the user lingers longer the admin step
+ * can simply be retried.
+ */
+export const SETUP_NONCE_MAX_AGE_SECONDS = 60 * 60;