emdash 0.6.0 → 1.0.0

package/dist/{search-DI4bM2w9.mjs → search-BoZYFuUk.mjs}

@@ -1,21 +1,23 @@
 import { n as validateJsonFieldName, r as validatePluginIdentifier, t as validateIdentifier } from "./validate-VPnKoIzW.mjs";
 import { o as jsonExtractExpr } from "./dialect-helpers-DhTzaUxP.mjs";
-import { a as slugify, r as RevisionRepository, t as ContentRepository } from "./content-BsBoyj8G.mjs";
+import { a as slugify, r as RevisionRepository, t as ContentRepository } from "./content-BcQPYxdV.mjs";
 import { r as encodeBase64, t as decodeBase64 } from "./base64-MBPo9ozB.mjs";
-import { n as decodeCursor, r as encodeCursor, t as EmDashValidationError } from "./types-CMMN0pNg.mjs";
-import { t as MediaRepository } from "./media-DqHVh136.mjs";
-import { a as stripCredentialHeaders, f as OptionsRepository, i as ssrfSafeFetch, o as validateExternalUrl, r as SsrfError } from "./apply-B4MsLM-w.mjs";
+import { i as encodeCursor, n as InvalidCursorError, r as decodeCursor, t as EmDashValidationError } from "./types-BIgulNsW.mjs";
+import { t as MediaRepository } from "./media-D8FbNsl0.mjs";
+import { a as ssrfSafeFetch, i as resolveAndValidateExternalUrl, o as stripCredentialHeaders, p as OptionsRepository, r as SsrfError, s as validateExternalUrl } from "./apply-x0eMK1lX.mjs";
 import { t as withTransaction } from "./transaction-Cn2rjY78.mjs";
-import { t as RedirectRepository } from "./redirect-7lGhLBNZ.mjs";
+import { t as RedirectRepository } from "./redirect-D_pshWdf.mjs";
 import { n as chunks, t as SQL_BATCH_SIZE } from "./chunks-HGz06Soa.mjs";
-import { t as BylineRepository } from "./byline-C4OVd8b3.mjs";
+import { t as BylineRepository } from "./byline-Chbr2GoP.mjs";
 import { r as isI18nEnabled } from "./config-BXwuX8Bx.mjs";
 import { r as invalidateRedirectCache } from "./cache-BkKBuIvS.mjs";
-import { i as FTSManager, n as SchemaRegistry } from "./registry-Ci3WxVAr.mjs";
-import { n as getDb } from "./loader-DeiBJEMe.mjs";
-import { n as requestCached } from "./request-cache-DiR961CV.mjs";
-import { i as pluginManifestSchema } from "./manifest-schema-V30qsMft.mjs";
-import { t as generatePreviewToken } from "./tokens-BFPFx3CA.mjs";
+import { t as isMissingTableError } from "./db-errors-l1Qh2RPR.mjs";
+import { r as hashString } from "./zod-generator-CpwccCIv.mjs";
+import { i as FTSManager, n as SchemaRegistry } from "./registry-C3Mr0ODu.mjs";
+import { n as getDb } from "./loader-CndGj8kM.mjs";
+import { n as requestCached } from "./request-cache-Ci7f5pBb.mjs";
+import { i as pluginManifestSchema } from "./manifest-schema-DH9xhc6t.mjs";
+import { t as generatePreviewToken } from "./tokens-D9vnZqYS.mjs";
 import { sql } from "kysely";
 import { AsyncLocalStorage } from "node:async_hooks";
 import { ulid } from "ulidx";
@@ -78,7 +80,7 @@ var UserRepository = class UserRepository {
 		if (options.role !== void 0) query = query.where("role", "=", UserRepository.resolveRole(options.role));
 		if (options.cursor) {
 			const decoded = decodeCursor(options.cursor);
-			if (decoded) query = query.where((eb) => eb.or([eb("created_at", "<", decoded.orderValue), eb.and([eb("created_at", "=", decoded.orderValue), eb("id", "<", decoded.id)])]));
+			query = query.where((eb) => eb.or([eb("created_at", "<", decoded.orderValue), eb.and([eb("created_at", "=", decoded.orderValue), eb("id", "<", decoded.id)])]));
 		}
 		const rows = await query.execute();
 		const items = rows.slice(0, limit).map((row) => this.rowToUser(row));
@@ -228,7 +230,7 @@ var CommentRepository = class CommentRepository {
 		if (options.status) query = query.where("status", "=", options.status);
 		if (options.cursor) {
 			const decoded = decodeCursor(options.cursor);
-			if (decoded) query = query.where((eb) => eb.or([eb("created_at", ">", decoded.orderValue), eb.and([eb("created_at", "=", decoded.orderValue), eb("id", ">", decoded.id)])]));
+			query = query.where((eb) => eb.or([eb("created_at", ">", decoded.orderValue), eb.and([eb("created_at", "=", decoded.orderValue), eb("id", ">", decoded.id)])]));
 		}
 		query = query.orderBy("created_at", "asc").orderBy("id", "asc").limit(limit + 1);
 		const rows = await query.execute();
@@ -259,7 +261,7 @@ var CommentRepository = class CommentRepository {
 		}
 		if (options.cursor) {
 			const decoded = decodeCursor(options.cursor);
-			if (decoded) query = query.where((eb) => eb.or([eb("created_at", "<", decoded.orderValue), eb.and([eb("created_at", "=", decoded.orderValue), eb("id", "<", decoded.id)])]));
+			query = query.where((eb) => eb.or([eb("created_at", "<", decoded.orderValue), eb.and([eb("created_at", "=", decoded.orderValue), eb("id", "<", decoded.id)])]));
 		}
 		query = query.orderBy("created_at", "desc").orderBy("id", "desc").limit(limit + 1);
 		const rows = await query.execute();
@@ -683,7 +685,7 @@ var PluginStorageRepository = class {
 		}
 		if (cursor) {
 			const decoded = decodeCursor(cursor);
-			if (decoded) query = query.where(({ eb }) => eb(sql`(created_at, id)`, ">", sql`(${decoded.orderValue}, ${decoded.id})`));
+			query = query.where(({ eb }) => eb(sql`(created_at, id)`, ">", sql`(${decoded.orderValue}, ${decoded.id})`));
 		}
 		if (Object.keys(orderBy).length > 0) for (const [field, direction] of Object.entries(orderBy)) {
 			const extract = jsonExtract(this.db, field);
@@ -976,6 +978,16 @@ function validateRev(rev, item) {
 //#endregion
 //#region src/api/handlers/content.ts
 /**
+* Narrow a caught error to one carrying a structured `apiError` discriminant.
+* Used by transaction callbacks that want to surface a specific error code
+* through the standard Error throwing path.
+*/
+function hasApiError(error) {
+	if (!(error instanceof Error) || !("apiError" in error)) return false;
+	const { apiError } = error;
+	return typeof apiError === "object" && apiError !== null && "code" in apiError && typeof apiError.code === "string";
+}
+/**
 * Extract a slug source (title or name) from content data.
 * Returns null if no suitable string field is found.
 */
@@ -1125,6 +1137,27 @@ async function handleContentList(db, collection, params) {
 			}
 		};
 	} catch (error) {
+		if (error instanceof InvalidCursorError) return {
+			success: false,
+			error: {
+				code: "INVALID_CURSOR",
+				message: error.message
+			}
+		};
+		if (isMissingTableError(error)) return {
+			success: false,
+			error: {
+				code: "COLLECTION_NOT_FOUND",
+				message: `Collection '${collection}' not found`
+			}
+		};
+		if (error instanceof EmDashValidationError) return {
+			success: false,
+			error: {
+				code: "VALIDATION_ERROR",
+				message: error.message
+			}
+		};
 		console.error("Content list error:", error);
 		return {
 			success: false,
@@ -1255,6 +1288,37 @@ async function handleContentCreate(db, collection, body) {
 			}
 		};
 	} catch (error) {
+		if (isMissingTableError(error)) return {
+			success: false,
+			error: {
+				code: "COLLECTION_NOT_FOUND",
+				message: `Collection '${collection}' not found`
+			}
+		};
+		if (error instanceof EmDashValidationError) return {
+			success: false,
+			error: {
+				code: "VALIDATION_ERROR",
+				message: error.message
+			}
+		};
+		const message = error instanceof Error ? error.message.toLowerCase() : "";
+		if (message.includes("unique constraint failed") || message.includes("duplicate key")) {
+			if (message.includes("slug")) return {
+				success: false,
+				error: {
+					code: "SLUG_CONFLICT",
+					message: `Slug '${body.slug ?? "(auto-generated)"}' already exists in collection '${collection}'`
+				}
+			};
+			return {
+				success: false,
+				error: {
+					code: "CONFLICT",
+					message: "Unique constraint violation"
+				}
+			};
+		}
 		console.error("Content create error:", error);
 		return {
 			success: false,
@@ -1298,7 +1362,8 @@ async function handleContentUpdate(db, collection, id, body) {
 				data: body.data,
 				slug: body.slug,
 				status: body.status,
-				authorId: body.authorId
+				authorId: body.authorId,
+				publishedAt: body.publishedAt
 			});
 			if (body.bylines !== void 0) {
 				await bylineRepo.setContentBylines(collection, resolvedId, body.bylines);
@@ -1323,13 +1388,41 @@ async function handleContentUpdate(db, collection, id, body) {
 			}
 		};
 	} catch (error) {
-		if (error instanceof Error && "apiError" in error) {
-			const { code } = error.apiError;
+		if (hasApiError(error)) return {
+			success: false,
+			error: {
+				code: error.apiError.code,
+				message: error.message
+			}
+		};
+		if (isMissingTableError(error)) return {
+			success: false,
+			error: {
+				code: "COLLECTION_NOT_FOUND",
+				message: `Collection '${collection}' not found`
+			}
+		};
+		if (error instanceof EmDashValidationError) return {
+			success: false,
+			error: {
+				code: "VALIDATION_ERROR",
+				message: error.message
+			}
+		};
+		const message = error instanceof Error ? error.message.toLowerCase() : "";
+		if (message.includes("unique constraint failed") || message.includes("duplicate key")) {
+			if (message.includes("slug")) return {
+				success: false,
+				error: {
+					code: "SLUG_CONFLICT",
+					message: `Slug '${body.slug ?? id}' already exists in collection '${collection}'`
+				}
+			};
 			return {
 				success: false,
 				error: {
-					code,
-					message: error.message
+					code: "CONFLICT",
+					message: "Unique constraint violation"
 				}
 			};
 		}
@@ -1518,6 +1611,13 @@ async function handleContentListTrashed(db, collection, options = {}) {
 			}
 		};
 	} catch (error) {
+		if (error instanceof InvalidCursorError) return {
+			success: false,
+			error: {
+				code: "INVALID_CURSOR",
+				message: error.message
+			}
+		};
 		console.error("Content list trashed error:", error);
 		return {
 			success: false,
@@ -1840,37 +1940,6 @@ async function syncNonTranslatableFields(trx, collectionSlug, updatedItemId, tra
 	`.execute(trx);
 }
 
-//#endregion
-//#region src/utils/hash.ts
-/**
-* SHA-256 hash of a string, truncated to 16 hex chars (64 bits).
-* For cache invalidation / ETags — not for security.
-*/
-async function hashString(content) {
-	const buf = await crypto.subtle.digest("SHA-256", new TextEncoder().encode(content));
-	return Array.from(new Uint8Array(buf).slice(0, 8), (b) => b.toString(16).padStart(2, "0")).join("");
-}
-/**
-* Compute content hash using Web Crypto API
-*
-* Uses SHA-1 which is the fastest option in SubtleCrypto.
-* SHA-1 is cryptographically weak but fine for content deduplication
-* where we only need to detect identical files, not resist attacks.
-*
-* Returns hex string prefixed with "sha1:" for future-proofing
-*/
-async function computeContentHash(content) {
-	let buf;
-	if (content instanceof ArrayBuffer) buf = content;
-	else {
-		buf = new ArrayBuffer(content.byteLength);
-		new Uint8Array(buf).set(content);
-	}
-	const hashBuffer = await crypto.subtle.digest("SHA-1", buf);
-	const hashArray = new Uint8Array(hashBuffer);
-	return `sha1:${Array.from(hashArray, (b) => b.toString(16).padStart(2, "0")).join("")}`;
-}
-
 //#endregion
 //#region src/api/handlers/manifest.ts
 /**
@@ -2105,7 +2174,14 @@ async function handleMediaList(db, params) {
 				nextCursor: result.nextCursor
 			}
 		};
-	} catch {
+	} catch (error) {
+		if (error instanceof InvalidCursorError) return {
+			success: false,
+			error: {
+				code: "INVALID_CURSOR",
+				message: error.message
+			}
+		};
 		return {
 			success: false,
 			error: {
@@ -2435,7 +2511,7 @@ async function getSectionsWithDb(db, options = {}) {
 	query = query.orderBy("title", "asc").orderBy("id", "asc");
 	if (options.cursor) {
 		const decoded = decodeCursor(options.cursor);
-		if (decoded) query = query.where((eb) => eb.or([eb("title", ">", decoded.orderValue), eb.and([eb("title", "=", decoded.orderValue), eb("id", ">", decoded.id)])]));
+		query = query.where((eb) => eb.or([eb("title", ">", decoded.orderValue), eb.and([eb("title", "=", decoded.orderValue), eb("id", ">", decoded.id)])]));
 	}
 	query = query.limit(limit + 1);
 	const rows = await query.$castTo().execute();
@@ -2541,7 +2617,7 @@ const VALID_ROLE_LEVELS = new Set([
 const roleLevel = z$1.coerce.number().int().refine((n) => VALID_ROLE_LEVELS.has(n), { message: "Invalid role level. Must be 10, 20, 30, 40, or 50" });
 /** Pagination query params — cursor-based */
 const cursorPaginationQuery = z$1.object({
-	cursor: z$1.string().optional().meta({ description: "Opaque cursor for pagination" }),
+	cursor: z$1.string().max(2048).optional().meta({ description: "Opaque cursor for pagination" }),
 	limit: z$1.coerce.number().int().min(1).max(100).optional().default(50).meta({ description: "Maximum number of items to return (1-100, default 50)" })
 }).meta({ id: "CursorPaginationQuery" });
 /** Pagination query params — offset-based */
@@ -2640,6 +2716,11 @@ const contentListQuery = cursorPaginationQuery.extend({
 	order: z$1.enum(["asc", "desc"]).optional(),
 	locale: localeCode.optional()
 }).meta({ id: "ContentListQuery" });
+/** ISO 8601 datetime for `publishedAt` / `createdAt`. Routes gate writes behind `content:publish_any`. */
+const contentDateOverride = z$1.iso.datetime({
+	offset: true,
+	message: "must be an ISO 8601 datetime"
+}).nullish();
 const contentCreateBody = z$1.object({
 	data: z$1.record(z$1.string(), z$1.unknown()),
 	slug: z$1.string().nullish(),
@@ -2647,7 +2728,9 @@ const contentCreateBody = z$1.object({
 	bylines: z$1.array(contentBylineInputSchema).optional(),
 	locale: localeCode.optional(),
 	translationOf: z$1.string().optional(),
-	seo: contentSeoInput.optional()
+	seo: contentSeoInput.optional(),
+	publishedAt: contentDateOverride,
+	createdAt: contentDateOverride
 }).meta({ id: "ContentCreateBody" });
 const contentUpdateBody = z$1.object({
 	data: z$1.record(z$1.string(), z$1.unknown()).optional(),
@@ -2657,7 +2740,8 @@ const contentUpdateBody = z$1.object({
 	bylines: z$1.array(contentBylineInputSchema).optional(),
 	_rev: z$1.string().optional().meta({ description: "Opaque revision token for optimistic concurrency" }),
 	skipRevision: z$1.boolean().optional(),
-	seo: contentSeoInput.optional()
+	seo: contentSeoInput.optional(),
+	publishedAt: contentDateOverride
 }).meta({ id: "ContentUpdateBody" });
 const contentScheduleBody = z$1.object({ scheduledAt: z$1.string().min(1, "scheduledAt is required").meta({
 	description: "ISO 8601 datetime for scheduled publishing",
@@ -3489,6 +3573,8 @@ const setupAdminBody = z$1.object({
 	name: z$1.string().optional()
 });
 const setupAdminVerifyBody = z$1.object({ credential: registrationCredential });
+const atprotoLoginBody = z$1.object({ handle: z$1.string().trim().min(1) });
+const setupAtprotoAdminBody = z$1.object({ handle: z$1.string().trim().min(1) });
 
 //#endregion
 //#region src/api/schemas/users.ts
@@ -3592,18 +3678,15 @@ const widgetAreaSchema = z$1.object({
 }).meta({ id: "WidgetArea" });
 const widgetSchema = z$1.object({
 	id: z$1.string(),
-	area_id: z$1.string(),
-	type: z$1.string(),
-	title: z$1.string().nullable(),
-	content: z$1.string().nullable(),
-	menu_name: z$1.string().nullable(),
-	component_id: z$1.string().nullable(),
-	component_props: z$1.string().nullable(),
-	sort_order: z$1.number().int(),
-	created_at: z$1.string(),
-	updated_at: z$1.string()
+	type: widgetType,
+	title: z$1.string().optional(),
+	content: z$1.array(z$1.record(z$1.string(), z$1.unknown())).optional(),
+	menuName: z$1.string().optional(),
+	componentId: z$1.string().optional(),
+	componentProps: z$1.record(z$1.string(), z$1.unknown()).optional()
 }).meta({ id: "Widget" });
 const widgetAreaWithWidgetsSchema = widgetAreaSchema.extend({ widgets: z$1.array(widgetSchema) }).meta({ id: "WidgetAreaWithWidgets" });
+const widgetAreaWithWidgetsAndCountSchema = widgetAreaWithWidgetsSchema.extend({ widgetCount: z$1.number().int() }).meta({ id: "WidgetAreaWithWidgetsAndCount" });
 
 //#endregion
 //#region src/api/schemas/redirects.ts
@@ -4983,6 +5066,55 @@ function resolveHook(hook, pluginId) {
 	};
 }
 
+//#endregion
+//#region src/auth/trusted-proxy.ts
+/**
+* RFC 7230 token — valid characters for an HTTP header name. Invalid names
+* passed to `Headers.get()` throw a TypeError at runtime, which would
+* otherwise surface as a 500 from every auth route.
+*/
+const HEADER_NAME_PATTERN = /^[!#$%&'*+\-.^_`|~0-9a-z]+$/;
+/**
+* Normalise a list of header names the way both the config path and any
+* caller passing a pre-resolved list should do: trim, lowercase, drop
+* empty, drop anything that isn't a valid RFC 7230 token. Invalid names
+* would crash `Headers.get()` at runtime.
+*/
+function normalizeTrustedHeaders(names) {
+	return names.map((h) => h.trim().toLowerCase()).filter((h) => h.length > 0 && HEADER_NAME_PATTERN.test(h));
+}
+function isValidHeaderName(name) {
+	return HEADER_NAME_PATTERN.test(name);
+}
+/** Cache for the env-derived value. `null` means "not yet parsed". */
+let _envCache = null;
+function getEnvTrustedHeaders() {
+	if (_envCache !== null) return _envCache;
+	let raw;
+	try {
+		const importMetaEnv = import.meta.env;
+		raw = (typeof process !== "undefined" ? process.env?.EMDASH_TRUSTED_PROXY_HEADERS : void 0) || importMetaEnv?.EMDASH_TRUSTED_PROXY_HEADERS;
+	} catch {
+		raw = void 0;
+	}
+	if (!raw) {
+		_envCache = [];
+		return _envCache;
+	}
+	_envCache = raw.split(",").map((s) => s.trim().toLowerCase()).filter((s) => s.length > 0 && isValidHeaderName(s));
+	return _envCache;
+}
+/**
+* Return the lowercased list of headers to trust for client-IP resolution.
+*
+* When `config?.trustedProxyHeaders` is explicitly set (even to `[]`), it
+* wins. Otherwise fall through to the env var, then to `[]`.
+*/
+function getTrustedProxyHeaders(config) {
+	if (config && config.trustedProxyHeaders !== void 0) return config.trustedProxyHeaders.map((h) => h.trim().toLowerCase()).filter((h) => h.length > 0 && isValidHeaderName(h));
+	return getEnvTrustedHeaders();
+}
+
 //#endregion
 //#region src/plugins/request-meta.ts
 /**
@@ -5004,6 +5136,20 @@ function parseFirstForwardedIp(header) {
 	return IP_PATTERN.test(trimmed) ? trimmed : null;
 }
 /**
+* Read an IP from an operator-declared trusted header. XFF-style headers
+* (any name ending in `forwarded-for`) are parsed as comma-separated lists
+* and the first entry is used; everything else is treated as a single
+* trimmed value.
+*/
+function readIpFromHeader(headers, name) {
+	const value = headers.get(name);
+	if (!value) return null;
+	if (name.endsWith("forwarded-for")) return parseFirstForwardedIp(value);
+	const trimmed = value.trim();
+	if (!trimmed) return null;
+	return IP_PATTERN.test(trimmed) ? trimmed : null;
+}
+/**
 * Get the Cloudflare `cf` object from the request, if present.
 * Returns undefined when not running on Cloudflare Workers.
 */
@@ -5030,24 +5176,39 @@ function extractGeo(cf) {
 * Extract normalized request metadata from a Request object.
 *
 * IP resolution order:
-* 1. `CF-Connecting-IP` header — only trusted when a `cf` object is
-*    present on the request (proving the request came through Cloudflare's
-*    edge, which strips/overwrites client-supplied values).
-* 2. `X-Forwarded-For` header (first entry) — best-effort, spoofable
-*    when there is no trusted reverse proxy.
-* 3. `null`
-*/
-function extractRequestMeta(request) {
+* 1. `CF-Connecting-IP` — trusted only when a `cf` object is present on the
+*    request. CF edge overwrites any client-supplied value, so this is the
+*    cryptographically trustworthy path on Workers. Operator-declared
+*    trusted headers cannot override it.
+* 2. `X-Forwarded-For` first entry — trusted only with a `cf` object.
+* 3. Operator-declared trusted proxy headers (from `config.trustedProxyHeaders`
+*    or the `EMDASH_TRUSTED_PROXY_HEADERS` env var), tried in order. Used as
+*    the primary source off-CF and as a fill-in on CF.
+* 4. `null`
+*
+* The second argument accepts either the EmDash config or a pre-resolved
+* list of trusted headers, so callers that already have the list don't have
+* to round-trip through the config every request.
+*/
+function extractRequestMeta(request, configOrTrustedHeaders) {
 	const headers = request.headers;
 	const cf = getCfObject(request);
+	const trusted = resolveTrustedHeaders(configOrTrustedHeaders);
 	let ip = null;
 	if (cf) {
 		const cfIp = headers.get("cf-connecting-ip")?.trim();
 		if (cfIp && IP_PATTERN.test(cfIp)) ip = cfIp;
+		if (!ip) {
+			const xff = headers.get("x-forwarded-for");
+			ip = xff ? parseFirstForwardedIp(xff) : null;
+		}
 	}
-	if (!ip && cf) {
-		const xff = headers.get("x-forwarded-for");
-		ip = xff ? parseFirstForwardedIp(xff) : null;
+	if (!ip) for (const name of trusted) {
+		const value = readIpFromHeader(headers, name);
+		if (value) {
+			ip = value;
+			break;
+		}
 	}
 	const userAgent = headers.get("user-agent")?.trim() || null;
 	const referer = headers.get("referer")?.trim() || null;
@@ -5059,6 +5220,10 @@ function extractRequestMeta(request) {
 		geo
 	};
 }
+function resolveTrustedHeaders(value) {
+	if (Array.isArray(value)) return normalizeTrustedHeaders(value);
+	return getTrustedProxyHeaders(value);
+}
 /**
 * Headers that must never cross the RPC boundary to sandboxed plugins.
 * Session tokens, auth credentials, and infrastructure headers are stripped
@@ -5707,7 +5872,7 @@ function createUnrestrictedHttpAccess(pluginId) {
 		let currentInit = init;
 		for (let i = 0; i <= MAX_PLUGIN_REDIRECTS; i++) {
 			try {
-				validateExternalUrl(currentUrl);
+				await resolveAndValidateExternalUrl(currentUrl);
 			} catch (e) {
 				const msg = e instanceof SsrfError ? e.message : "SSRF validation failed";
 				throw new Error(`Plugin "${pluginId}": blocked fetch to "${new URL(currentUrl).hostname}": ${msg}`, { cause: e });
@@ -6724,6 +6889,15 @@ var HookPipeline = class HookPipeline {
 		return (this.hooks.get(hookName) ?? []).filter((h) => h.exclusive).map((h) => ({ pluginId: h.pluginId }));
 	}
 	/**
+	* Get all plugins that registered a non-exclusive handler for a given
+	* hook (e.g. `email:beforeSend`, `email:afterSend`), preserving priority
+	* order. Partitions with `getExclusiveHookProviders()`, which returns
+	* plugins whose registration is marked `exclusive: true`.
+	*/
+	getHookProviders(hookName) {
+		return (this.hooks.get(hookName) ?? []).filter((h) => !h.exclusive).map((h) => ({ pluginId: h.pluginId }));
+	}
+	/**
 	* Invoke an exclusive hook — dispatch only to the selected provider.
 	* Returns null if no provider is selected or if the selected hook
 	* is not found in the pipeline.
@@ -6967,8 +7141,15 @@ const MAX_STORED_EMAILS = 100;
 * instances (the runtime and the route handler may load separate copies
 * of this module, but globalThis is always the same object).
 */
-const GLOBAL_KEY = "__emdash_dev_emails__";
-const storedEmails = globalThis[GLOBAL_KEY] ??= [];
+const GLOBAL_KEY = Symbol.for("emdash:dev-emails");
+const g = globalThis;
+const storedEmails = (() => {
+	const existing = g[GLOBAL_KEY];
+	if (existing) return existing;
+	const fresh = [];
+	g[GLOBAL_KEY] = fresh;
+	return fresh;
+})();
 /**
 * The email:deliver handler for the dev console provider.
 * Logs to console and stores in memory.
@@ -7001,9 +7182,11 @@ async function devConsoleEmailDeliver(event, _ctx) {
 var PluginRouteHandler = class {
 	contextFactory;
 	plugin;
+	trustedProxyHeaders;
 	constructor(plugin, factoryOptions) {
 		this.plugin = plugin;
 		this.contextFactory = new PluginContextFactory(factoryOptions);
+		this.trustedProxyHeaders = factoryOptions.trustedProxyHeaders ?? [];
 	}
 	/**
 	* Invoke a route by name
@@ -7036,7 +7219,7 @@ var PluginRouteHandler = class {
 			...this.contextFactory.createContext(this.plugin),
 			input: validatedInput,
 			request: options.request,
-			requestMeta: extractRequestMeta(options.request)
+			requestMeta: extractRequestMeta(options.request, this.trustedProxyHeaders)
 		};
 		try {
 			return {
@@ -7215,7 +7398,8 @@ var PluginManager = class {
 		this.factoryOptions = {
 			db: options.db,
 			storage: options.storage,
-			getUploadUrl: options.getUploadUrl
+			getUploadUrl: options.getUploadUrl,
+			trustedProxyHeaders: options.trustedProxyHeaders
 		};
 	}
 	/**
@@ -7712,7 +7896,7 @@ async function probeUrl(url) {
 	let normalizedUrl = url.trim();
 	if (!normalizedUrl.startsWith("http")) normalizedUrl = `https://${normalizedUrl}`;
 	normalizedUrl = normalizedUrl.replace(TRAILING_SLASHES_PATTERN, "");
-	validateExternalUrl(normalizedUrl);
+	await resolveAndValidateExternalUrl(normalizedUrl);
 	const results = [];
 	const probePromises = getUrlSources().map(async (source) => {
 		try {
@@ -9092,6 +9276,22 @@ const WHITESPACE_SPLIT_PATTERN = /\s+/;
 const FTS_OPERATORS_PATTERN = /\b(AND|OR|NOT|NEAR)\b/i;
 const DOUBLE_QUOTE_PATTERN = /"/g;
 /**
+* Detect FTS5 query syntax errors. Match specifically on the SQLite FTS5
+* error fingerprints rather than a broad "fts5" / "syntax error" filter
+* (which would also swallow internal table-corruption errors). The two
+* fingerprints we care about are:
+*
+*  - "fts5: syntax error near …" — unbalanced quotes, stray operators,
+*    other malformed user input
+*  - "unknown special query: …" — bare special tokens like `^*` that
+*    parse but don't resolve to a real FTS5 directive
+*/
+function isFts5SyntaxError(error) {
+	if (!(error instanceof Error)) return false;
+	const message = error.message.toLowerCase();
+	return message.includes("fts5: syntax error") || message.includes("unknown special query");
+}
+/**
 * Search across multiple collections
 *
 * Public API that auto-injects the database.
@@ -9188,7 +9388,9 @@ async function searchSingleCollection(db, collection, query, options, weights) {
 		bm25Args = weightValues.join(", ");
 	}
 	const bm25Expr = bm25Args ? `bm25("${ftsTable}", ${bm25Args})` : `bm25("${ftsTable}")`;
-	return (await sql`
+	let results;
+	try {
+		results = await sql`
 		SELECT 
 			c.id,
 			c.slug,
@@ -9204,16 +9406,45 @@ async function searchSingleCollection(db, collection, query, options, weights) {
 		${locale ? sql`AND c.locale = ${locale}` : sql``}
 		ORDER BY score
 		LIMIT ${limit}
-	`.execute(db)).rows.map((row) => ({
+	`.execute(db);
+	} catch (error) {
+		if (isFts5SyntaxError(error)) return [];
+		throw error;
+	}
+	return results.rows.map((row) => ({
 		collection,
 		id: row.id,
 		slug: row.slug,
 		locale: row.locale,
 		title: row.title ?? void 0,
-		snippet: row.snippet,
+		snippet: row.snippet === null ? void 0 : sanitizeSnippet(row.snippet),
 		score: Math.abs(row.score)
 	}));
 }
+const SNIPPET_AMP_RE = /&/g;
+const SNIPPET_LT_RE = /</g;
+const SNIPPET_GT_RE = />/g;
+const SNIPPET_QUOT_RE = /"/g;
+const SNIPPET_APOS_RE = /'/g;
+/**
+* Make an FTS5 snippet safe to render with `set:html` / `innerHTML`.
+*
+* SQLite's `snippet()` function splices literal `<mark>` and `</mark>`
+* markers around matched terms but does not escape the surrounding
+* source text. Posts that legitimately contain `<`, `>`, `&`, `"` or
+* `'` would render as broken markup, and a `<script>` literal in a
+* title (or any other indexed field) would execute when displayed.
+*
+* The fix: HTML-escape the whole string, which turns the markers into
+* `&lt;mark&gt;` / `&lt;/mark&gt;`. Then restore those two patterns to
+* their original tag form. The result is "the indexed text with all
+* HTML metacharacters escaped, plus a small set of literal `<mark>`
+* highlight tags around matched terms" — which matches the API's
+* documented contract.
+*/
+function sanitizeSnippet(snippet) {
+	return snippet.replace(SNIPPET_AMP_RE, "&amp;").replace(SNIPPET_LT_RE, "&lt;").replace(SNIPPET_GT_RE, "&gt;").replace(SNIPPET_QUOT_RE, "&quot;").replace(SNIPPET_APOS_RE, "&#39;").replaceAll("&lt;mark&gt;", "<mark>").replaceAll("&lt;/mark&gt;", "</mark>");
+}
 /**
 * Get search suggestions for autocomplete
 *
@@ -9237,20 +9468,26 @@ async function getSuggestions(db, query, options = {}) {
 		const contentTable = ftsManager.getContentTableName(collection);
 		const prefixQuery = escapeQuery(query);
 		if (!prefixQuery) continue;
-		const results = await sql`
-			SELECT 
-				c.id,
-				c.title
-			FROM "${sql.raw(ftsTable)}" f
-			JOIN "${sql.raw(contentTable)}" c ON f.id = c.id
-			WHERE "${sql.raw(ftsTable)}" MATCH ${prefixQuery}
-			AND c.status = 'published'
-			AND c.deleted_at IS NULL
-			AND c.title IS NOT NULL
-			${locale ? sql`AND c.locale = ${locale}` : sql``}
-			ORDER BY bm25("${sql.raw(ftsTable)}")
-			LIMIT ${limit}
-		`.execute(db);
+		let results;
+		try {
+			results = await sql`
+				SELECT 
+					c.id,
+					c.title
+				FROM "${sql.raw(ftsTable)}" f
+				JOIN "${sql.raw(contentTable)}" c ON f.id = c.id
+				WHERE "${sql.raw(ftsTable)}" MATCH ${prefixQuery}
+				AND c.status = 'published'
+				AND c.deleted_at IS NULL
+				AND c.title IS NOT NULL
+				${locale ? sql`AND c.locale = ${locale}` : sql``}
+				ORDER BY bm25("${sql.raw(ftsTable)}")
+				LIMIT ${limit}
+			`.execute(db);
+		} catch (error) {
+			if (isFts5SyntaxError(error)) continue;
+			throw error;
+		}
 		for (const row of results.rows) suggestions.push({
 			collection,
 			id: row.id,
@@ -9396,5 +9633,5 @@ function extractSearchableFields(entry, fields) {
 }
 
 //#endregion
-export { isSafeHref as $, isStandardPluginDefinition as A, handleContentRestore as At, EmailPipeline as B, getAllSources as C, handleContentDuplicate as Ct, probeUrl as D, handleContentListTrashed as Dt, getUrlSources as E, handleContentList as Et, createPluginManager as F, handleContentUpdate as Ft, extractRequestMeta as G, createHookPipeline as H, PluginRouteError as I, validateRev as It, parseWxr as J, sanitizeHeadersForSandbox as K, PluginRouteRegistry as L, portableText as Lt, SandboxNotAvailableError as M, handleContentTranslations as Mt, createNoopSandboxRunner as N, handleContentUnpublish as Nt, registerSource as O, handleContentPermanentDelete as Ot, PluginManager as P, handleContentUnschedule as Pt, prosemirrorToPortableText as Q, DEV_CONSOLE_EMAIL_PLUGIN_ID as R, reference as Rt, clearSources as S, handleContentDiscardDraft as St, getSource as T, handleContentGetIncludingTrashed as Tt, resolveExclusiveHooks as U, HookPipeline as V, CronExecutor as W, after as X, parseWxrString as Y, portableTextToProsemirror as Z, buildPreviewUrl as _, handleContentCompare as _t, search as a, getCollectionInfo as at, parseWxrDate as b, handleContentCreate as bt, getWidgetArea as c, handleMediaGet as ct, getMenu as d, handleRevisionGet as dt, sanitizeHref as et, getMenus as f, handleRevisionList as ft, isPreviewRequest as g, hashString as gt, getPreviewToken as h, computeContentHash as ht, getSuggestions as i, PluginStateRepository as it, NoopSandboxRunner as j, handleContentSchedule as jt, importReusableBlocksAsSections as k, handleContentPublish as kt, getWidgetAreas as l, handleMediaList as lt, getComments as m, generateManifest as mt, extractSearchableFields as n, getSection as nt, searchCollection as o, handleMediaCreate as ot, getCommentCount as p, handleRevisionRestore as pt, definePlugin as q, getSearchStats as r, getSections as rt, searchWithDb as s, handleMediaDelete as st, extractPlainText as t, loadBundleFromR2 as tt, getWidgetComponents as u, handleMediaUpdate as ut, getPreviewUrl as v, handleContentCountScheduled as vt, getFileSources as w, handleContentGet as wt, wxrSource as x, handleContentDelete as xt, wordpressRestSource as y, handleContentCountTrashed as yt, devConsoleEmailDeliver as z, image as zt };
-//# sourceMappingURL=search-DI4bM2w9.mjs.map
+export { prosemirrorToPortableText as $, isStandardPluginDefinition as A, handleContentSchedule as At, EmailPipeline as B, getAllSources as C, handleContentGet as Ct, probeUrl as D, handleContentPermanentDelete as Dt, getUrlSources as E, handleContentListTrashed as Et, createPluginManager as F, validateRev as Ft, extractRequestMeta as G, createHookPipeline as H, PluginRouteError as I, portableText as It, definePlugin as J, sanitizeHeadersForSandbox as K, PluginRouteRegistry as L, reference as Lt, SandboxNotAvailableError as M, handleContentUnpublish as Mt, createNoopSandboxRunner as N, handleContentUnschedule as Nt, registerSource as O, handleContentPublish as Ot, PluginManager as P, handleContentUpdate as Pt, portableTextToProsemirror as Q, DEV_CONSOLE_EMAIL_PLUGIN_ID as R, image as Rt, clearSources as S, handleContentDuplicate as St, getSource as T, handleContentList as Tt, resolveExclusiveHooks as U, HookPipeline as V, CronExecutor as W, parseWxrString as X, parseWxr as Y, after as Z, buildPreviewUrl as _, handleContentCountScheduled as _t, search as a, PluginStateRepository as at, parseWxrDate as b, handleContentDelete as bt, getWidgetArea as c, handleMediaDelete as ct, getMenu as d, handleMediaUpdate as dt, isSafeHref as et, getMenus as f, handleRevisionGet as ft, isPreviewRequest as g, handleContentCompare as gt, getPreviewToken as h, generateManifest as ht, getSuggestions as i, getSections as it, NoopSandboxRunner as j, handleContentTranslations as jt, importReusableBlocksAsSections as k, handleContentRestore as kt, getWidgetAreas as l, handleMediaGet as lt, getComments as m, handleRevisionRestore as mt, extractSearchableFields as n, loadBundleFromR2 as nt, searchCollection as o, getCollectionInfo as ot, getCommentCount as p, handleRevisionList as pt, getTrustedProxyHeaders as q, getSearchStats as r, getSection as rt, searchWithDb as s, handleMediaCreate as st, extractPlainText as t, sanitizeHref as tt, getWidgetComponents as u, handleMediaList as ut, getPreviewUrl as v, handleContentCountTrashed as vt, getFileSources as w, handleContentGetIncludingTrashed as wt, wxrSource as x, handleContentDiscardDraft as xt, wordpressRestSource as y, handleContentCreate as yt, devConsoleEmailDeliver as z };
+//# sourceMappingURL=search-BoZYFuUk.mjs.map