emdash 0.6.0 → 1.0.0

package/src/api/handlers/taxonomies.ts

@@ -122,16 +122,27 @@ export async function handleTaxonomyList(
 	db: Kysely<Database>,
 ): Promise<ApiResult<TaxonomyListResponse>> {
 	try {
-		const rows = await db.selectFrom("_emdash_taxonomy_defs").selectAll().execute();
-
-		const taxonomies: TaxonomyDef[] = rows.map((row) => ({
-			id: row.id,
-			name: row.name,
-			label: row.label,
-			labelSingular: row.label_singular ?? undefined,
-			hierarchical: row.hierarchical === 1,
-			collections: row.collections ? JSON.parse(row.collections) : [],
-		}));
+		const [rows, collectionRows] = await Promise.all([
+			db.selectFrom("_emdash_taxonomy_defs").selectAll().execute(),
+			db.selectFrom("_emdash_collections").select("slug").execute(),
+		]);
+
+		// Filter orphan collection references on read so the response stays
+		// consistent with `schema_list_collections`. Storage is untouched —
+		// re-creating the collection re-links automatically.
+		const realCollections = new Set(collectionRows.map((r) => r.slug));
+
+		const taxonomies: TaxonomyDef[] = rows.map((row) => {
+			const stored: string[] = row.collections ? JSON.parse(row.collections) : [];
+			return {
+				id: row.id,
+				name: row.name,
+				label: row.label,
+				labelSingular: row.label_singular ?? undefined,
+				hierarchical: row.hierarchical === 1,
+				collections: stored.filter((slug) => realCollections.has(slug)),
+			};
+		});
 
 		return { success: true, data: { taxonomies } };
 	} catch {
@@ -290,6 +301,84 @@ export async function handleTermList(
 	}
 }
 
+/**
+ * Validate a parent term reference for create/update.
+ *
+ * Returns `null` on success or a structured error message that callers
+ * wrap in their own ApiResult.
+ *
+ *   - `parentId === undefined` -> no-op (no parent change requested).
+ *   - `parentId === null` -> caller intends to detach; no-op here.
+ *   - parent must exist (FK exists -> term row not soft-deleted).
+ *   - parent must live in the same taxonomy.
+ *   - if `termId` is provided (update path), reject `parentId === termId`
+ *     (self-parent) and walk up the parent chain to detect cycles.
+ */
+async function validateParentTerm(
+	repo: TaxonomyRepository,
+	taxonomyName: string,
+	termId: string | undefined,
+	parentId: string | null | undefined,
+): Promise<{ code: "VALIDATION_ERROR"; message: string } | null> {
+	if (parentId === undefined || parentId === null) return null;
+
+	if (termId !== undefined && parentId === termId) {
+		return {
+			code: "VALIDATION_ERROR",
+			message: "A term cannot be its own parent",
+		};
+	}
+
+	const parent = await repo.findById(parentId);
+	if (!parent) {
+		return {
+			code: "VALIDATION_ERROR",
+			message: `Parent term '${parentId}' not found`,
+		};
+	}
+	if (parent.name !== taxonomyName) {
+		return {
+			code: "VALIDATION_ERROR",
+			message: `Parent term '${parentId}' belongs to taxonomy '${parent.name}', not '${taxonomyName}'`,
+		};
+	}
+
+	// Walk up the parent chain. Two checks fold into one walk:
+	//   - Cycle detection (only on update — a non-existent term-being-
+	//     created can't be its own ancestor): if the walk revisits termId
+	//     the proposed parent makes the term a descendant of itself.
+	//   - Depth bound: refuse to extend a chain past MAX_DEPTH ancestors.
+	//     Runs on both create and update so a malicious or buggy caller
+	//     can't grow the tree without limit.
+	//
+	// The depth-exceeded error fires only when we hit the limit AND there
+	// was still chain to walk — a legitimate chain of exactly MAX_DEPTH
+	// ancestors exits with `cursor === null` and is accepted.
+	const MAX_DEPTH = 100;
+	let cursor: string | null = parent.parentId;
+	let steps = 0;
+	while (cursor !== null && steps < MAX_DEPTH) {
+		if (termId !== undefined && cursor === termId) {
+			return {
+				code: "VALIDATION_ERROR",
+				message: "Cycle detected: cannot make a descendant the parent",
+			};
+		}
+		const next = await repo.findById(cursor);
+		if (!next) break;
+		cursor = next.parentId;
+		steps++;
+	}
+	if (cursor !== null && steps >= MAX_DEPTH) {
+		return {
+			code: "VALIDATION_ERROR",
+			message: "Parent chain exceeds maximum depth",
+		};
+	}
+
+	return null;
+}
+
 /**
  * Create a new term in a taxonomy
  */
@@ -304,6 +393,10 @@ export async function handleTermCreate(
 
 		const repo = new TaxonomyRepository(db);
 
+		// Coerce empty-string parentId to undefined (treat as "no parent").
+		const parentId =
+			input.parentId === "" || input.parentId === undefined ? undefined : input.parentId;
+
 		// Check for slug conflict
 		const existing = await repo.findBySlug(taxonomyName, input.slug);
 		if (existing) {
@@ -316,11 +409,18 @@ export async function handleTermCreate(
 			};
 		}
 
+		// Validate parentId: must exist AND belong to the same taxonomy.
+		// (Cycle check is N/A on create — the term doesn't exist yet.)
+		const parentError = await validateParentTerm(repo, taxonomyName, undefined, parentId);
+		if (parentError) {
+			return { success: false, error: parentError };
+		}
+
 		const term = await repo.create({
 			name: taxonomyName,
 			slug: input.slug,
 			label: input.label,
-			parentId: input.parentId ?? undefined,
+			parentId: parentId ?? undefined,
 			data: input.description ? { description: input.description } : undefined,
 		});
 
@@ -426,24 +526,36 @@ export async function handleTermUpdate(
 			};
 		}
 
+		// Coerce empty-string slug/parentId to undefined (treat as "no change").
+		// `null` parentId is a valid request meaning "detach from parent".
+		const newSlug = input.slug === "" || input.slug === undefined ? undefined : input.slug;
+		const newParentId =
+			input.parentId === "" || input.parentId === undefined ? undefined : input.parentId;
+
 		// Check if new slug conflicts
-		if (input.slug && input.slug !== termSlug) {
-			const existing = await repo.findBySlug(taxonomyName, input.slug);
+		if (newSlug !== undefined && newSlug !== termSlug) {
+			const existing = await repo.findBySlug(taxonomyName, newSlug);
 			if (existing && existing.id !== term.id) {
 				return {
 					success: false,
 					error: {
 						code: "CONFLICT",
-						message: `Term with slug '${input.slug}' already exists in taxonomy '${taxonomyName}'`,
+						message: `Term with slug '${newSlug}' already exists in taxonomy '${taxonomyName}'`,
 					},
 				};
 			}
 		}
 
+		// Validate parentId: existence, same-taxonomy, no self-parent, no cycle.
+		const parentError = await validateParentTerm(repo, taxonomyName, term.id, newParentId);
+		if (parentError) {
+			return { success: false, error: parentError };
+		}
+
 		const updated = await repo.update(term.id, {
-			slug: input.slug,
+			slug: newSlug,
 			label: input.label,
-			parentId: input.parentId,
+			parentId: newParentId,
 			data: input.description !== undefined ? { description: input.description } : undefined,
 		});
 

package/src/api/handlers/validation.ts

@@ -0,0 +1,212 @@
+/**
+ * Field-level validation for content create / update.
+ *
+ * Wires the existing `generateZodSchema()` pipeline (`schema/zod-generator.ts`)
+ * into the handler boundary so REST and MCP both get the same enforcement:
+ *
+ *  - required fields must be present and non-empty
+ *  - select / multiSelect values must match the configured options
+ *  - reference fields must resolve to a real, non-trashed target
+ *
+ * Errors surface as `{ code: "VALIDATION_ERROR", message }` with all
+ * offending fields listed in one message so callers can fix everything in
+ * a single round trip.
+ */
+
+import { sql, type Kysely } from "kysely";
+
+import type { Database } from "../../database/types.js";
+import { validateIdentifier } from "../../database/validate.js";
+import { SchemaRegistry } from "../../schema/registry.js";
+import type { Field } from "../../schema/types.js";
+import { generateZodSchema } from "../../schema/zod-generator.js";
+import { chunks, SQL_BATCH_SIZE } from "../../utils/chunks.js";
+import { isMissingTableError } from "../../utils/db-errors.js";
+
+type ValidationResult =
+	| { ok: true }
+	| { ok: false; error: { code: "VALIDATION_ERROR" | "COLLECTION_NOT_FOUND"; message: string } };
+
+/** Treat `undefined`, `null`, and `""` as "not set". */
+function isMissing(value: unknown): boolean {
+	return value === undefined || value === null || value === "";
+}
+
+/**
+ * Resolve the target collection slug for a reference field.
+ *
+ * Schema-defined reference fields (the static `reference()` factory in
+ * `fields/reference.ts`) put the target in `options.collection`. The MCP
+ * `schema_create_field` tool also puts it there. Tests and some admin paths
+ * stash it inside `validation.collection` directly; we accept both.
+ */
+function getReferenceTargetCollection(field: Field): string | undefined {
+	const fromOptions = field.options?.collection;
+	if (typeof fromOptions === "string" && fromOptions.length > 0) return fromOptions;
+	const validation = field.validation;
+	if (validation && "collection" in validation) {
+		const fromValidation: unknown = (validation as { collection?: unknown }).collection;
+		if (typeof fromValidation === "string" && fromValidation.length > 0) return fromValidation;
+	}
+	return undefined;
+}
+
+/**
+ * Format a Zod issue path into a human-readable field reference, e.g.
+ * `tags`, `tags.1`, `image.alt`.
+ */
+function formatIssuePath(path: ReadonlyArray<PropertyKey>): string {
+	if (path.length === 0) return "(root)";
+	return path.map((seg) => String(seg)).join(".");
+}
+
+/**
+ * Validate `data` against the collection's field definitions.
+ *
+ * `partial: true` switches Zod into partial mode so updates can include
+ * only the fields being changed without tripping required-field errors on
+ * fields the caller didn't touch. Required fields that ARE present in
+ * partial-mode data still get the empty-string check below.
+ */
+export async function validateContentData(
+	db: Kysely<Database>,
+	collection: string,
+	data: Record<string, unknown>,
+	options: { partial?: boolean } = {},
+): Promise<ValidationResult> {
+	const registry = new SchemaRegistry(db);
+	const collectionWithFields = await registry.getCollectionWithFields(collection);
+	if (!collectionWithFields) {
+		return {
+			ok: false,
+			error: {
+				code: "COLLECTION_NOT_FOUND",
+				message: `Collection '${collection}' not found`,
+			},
+		};
+	}
+
+	const issues: string[] = [];
+
+	// Detect unknown keys explicitly so callers get a useful error rather
+	// than silently dropped data. Leading-underscore keys (e.g. `_slug`,
+	// `_rev`) are reserved for internal handler/runtime use and aren't real
+	// fields; skip them.
+	const knownFields = new Set(collectionWithFields.fields.map((f) => f.slug));
+	for (const key of Object.keys(data)) {
+		if (key.startsWith("_")) continue;
+		if (!knownFields.has(key)) {
+			issues.push(`${key}: unknown field on collection '${collection}'`);
+		}
+	}
+
+	// Zod handles type, enum, length and missing-required (in non-partial
+	// mode) checks. Empty-string handling for required string fields is
+	// done as a separate pass below since Zod's `z.string()` accepts "".
+	const baseSchema = generateZodSchema(collectionWithFields);
+	const schema = options.partial ? baseSchema.partial() : baseSchema;
+	const parsed = schema.safeParse(data);
+	if (!parsed.success) {
+		for (const issue of parsed.error.issues) {
+			issues.push(`${formatIssuePath(issue.path)}: ${issue.message}`);
+		}
+	}
+
+	// Empty-string-on-required check. In create mode (partial=false) Zod
+	// already catches missing/null for required fields, but `z.string()`
+	// happily accepts "". In update mode (partial=true) the field is only
+	// checked if it's present in `data`.
+	for (const field of collectionWithFields.fields) {
+		if (!field.required) continue;
+		const present = Object.hasOwn(data, field.slug);
+		if (options.partial && !present) continue;
+		if (data[field.slug] === "") {
+			issues.push(`${field.slug}: required (empty value not allowed)`);
+		}
+	}
+
+	// Reference target existence. Only check fields that:
+	//   - have a value (non-missing) in `data`
+	//   - have a resolvable target collection
+	//   - in partial mode: are present in `data`
+	// Batch one IN-query per target collection to keep round-trips low.
+	const refsByTarget = new Map<string, { field: string; id: string }[]>();
+	for (const field of collectionWithFields.fields) {
+		if (field.type !== "reference") continue;
+		if (options.partial && !Object.hasOwn(data, field.slug)) continue;
+		const value = data[field.slug];
+		if (isMissing(value)) continue;
+		if (typeof value !== "string") continue; // Zod will have flagged this already
+		const target = getReferenceTargetCollection(field);
+		if (!target) continue;
+		const list = refsByTarget.get(target) ?? [];
+		list.push({ field: field.slug, id: value });
+		refsByTarget.set(target, list);
+	}
+
+	for (const [target, refs] of refsByTarget) {
+		// Validate the target collection slug before interpolating into raw
+		// SQL — defense-in-depth even though slugs are already validated at
+		// schema-create time.
+		try {
+			validateIdentifier(target, "reference target collection");
+		} catch {
+			for (const ref of refs) {
+				issues.push(`${ref.field}: invalid reference target collection '${target}'`);
+			}
+			continue;
+		}
+
+		const ids = [...new Set(refs.map((r) => r.id))];
+		const tableName = `ec_${target}`;
+
+		// Chunk the IN clause to stay below D1's bind-parameter limit. One
+		// reference per request is the common case today; chunking makes the
+		// helper safe if a future multiSelect-of-references is added.
+		const found = new Set<string>();
+		let targetTableMissing = false;
+		for (const idChunk of chunks(ids, SQL_BATCH_SIZE)) {
+			try {
+				const rows = await sql<{ id: string }>`
+					SELECT id FROM ${sql.ref(tableName)}
+					WHERE id IN (${sql.join(idChunk)})
+					AND deleted_at IS NULL
+				`.execute(db);
+				for (const row of rows.rows) {
+					found.add(row.id);
+				}
+			} catch (error) {
+				// Missing table = the target collection table doesn't exist
+				// (orphan reference). Treat all those references as missing.
+				// Any other DB error (permissions, connection, syntax) must
+				// propagate — silently dropping data integrity errors as
+				// "not found" is exactly the bug F5 fixes.
+				if (isMissingTableError(error)) {
+					targetTableMissing = true;
+					break;
+				}
+				throw error;
+			}
+		}
+		if (targetTableMissing) {
+			for (const ref of refs) {
+				issues.push(`${ref.field}: target '${ref.id}' not found in collection '${target}'`);
+			}
+			continue;
+		}
+		for (const ref of refs) {
+			if (!found.has(ref.id)) {
+				issues.push(`${ref.field}: target '${ref.id}' not found in collection '${target}'`);
+			}
+		}
+	}
+
+	if (issues.length === 0) return { ok: true };
+	return {
+		ok: false,
+		error: {
+			code: "VALIDATION_ERROR",
+			message: issues.join("; "),
+		},
+	};
+}

package/src/api/openapi/document.ts

@@ -122,6 +122,7 @@ import {
 	reorderWidgetsBody,
 	updateWidgetBody,
 	widgetAreaSchema,
+	widgetAreaWithWidgetsAndCountSchema,
 	widgetAreaWithWidgetsSchema,
 	widgetSchema,
 } from "../schemas/widgets.js";
@@ -1581,7 +1582,9 @@ const widgetPaths = {
 					description: "Widget area list",
 					content: {
 						[JSON_CONTENT]: {
-							schema: successEnvelope(z.object({ items: z.array(widgetAreaSchema) })),
+							schema: successEnvelope(
+								z.object({ items: z.array(widgetAreaWithWidgetsAndCountSchema) }),
+							),
 						},
 					},
 				},

package/src/api/public-url.ts

@@ -9,7 +9,10 @@
  * Workers-safe: no Node.js imports.
  */
 
-import type { EmDashConfig } from "../astro/integration/runtime.js";
+/** Minimal config shape — avoids importing the full EmDashConfig type tree. */
+interface SiteUrlConfig {
+	siteUrl?: string;
+}
 
 /**
  * Resolve siteUrl from runtime environment variables.
@@ -67,7 +70,7 @@ function getEnvSiteUrl(): string | undefined {
  * @param config  The EmDash config (from `locals.emdash?.config`)
  * @returns Origin string, e.g. `"https://mysite.example.com"`
  */
-export function getPublicOrigin(url: URL, config?: EmDashConfig): string {
+export function getPublicOrigin(url: URL, config?: SiteUrlConfig): string {
 	return config?.siteUrl || getEnvSiteUrl() || url.origin;
 }
 
@@ -79,6 +82,6 @@ export function getPublicOrigin(url: URL, config?: EmDashConfig): string {
  * @param path  Path to append (must start with `/`)
  * @returns Full URL string, e.g. `"https://mysite.example.com/_emdash/admin/login"`
  */
-export function getPublicUrl(url: URL, config: EmDashConfig | undefined, path: string): string {
+export function getPublicUrl(url: URL, config: SiteUrlConfig | undefined, path: string): string {
 	return `${getPublicOrigin(url, config)}${path}`;
 }

package/src/api/route-utils.ts

@@ -0,0 +1,14 @@
+/**
+ * Public API route utilities for auth provider routes.
+ *
+ * This module re-exports the utilities that auth provider route handlers
+ * need from core. Auth providers (plugins) import these via `emdash/api/route-utils`.
+ */
+
+export { apiError, apiSuccess, handleError } from "./error.js";
+export { parseBody, parseQuery, isParseError } from "./parse.js";
+export type { ParseResult } from "./parse.js";
+export { finalizeSetup } from "./setup-complete.js";
+export { OptionsRepository } from "../database/repositories/options.js";
+export { getAuthProviderStorage } from "./auth-storage.js";
+export { getPublicOrigin } from "./public-url.js";

package/src/api/schemas/common.ts

@@ -22,7 +22,7 @@ export const roleLevel = z.coerce
 /** Pagination query params — cursor-based */
 export const cursorPaginationQuery = z
 	.object({
-		cursor: z.string().optional().meta({ description: "Opaque cursor for pagination" }),
+		cursor: z.string().max(2048).optional().meta({ description: "Opaque cursor for pagination" }),
 		limit: z.coerce.number().int().min(1).max(100).optional().default(50).meta({
 			description: "Maximum number of items to return (1-100, default 50)",
 		}),

package/src/api/schemas/content.ts

@@ -27,6 +27,11 @@ export const contentListQuery = cursorPaginationQuery
 	})
 	.meta({ id: "ContentListQuery" });
 
+/** ISO 8601 datetime for `publishedAt` / `createdAt`. Routes gate writes behind `content:publish_any`. */
+const contentDateOverride = z.iso
+	.datetime({ offset: true, message: "must be an ISO 8601 datetime" })
+	.nullish();
+
 export const contentCreateBody = z
 	.object({
 		data: z.record(z.string(), z.unknown()),
@@ -36,6 +41,8 @@ export const contentCreateBody = z
 		locale: localeCode.optional(),
 		translationOf: z.string().optional(),
 		seo: contentSeoInput.optional(),
+		publishedAt: contentDateOverride,
+		createdAt: contentDateOverride,
 	})
 	.meta({ id: "ContentCreateBody" });
 
@@ -52,6 +59,7 @@ export const contentUpdateBody = z
 			.meta({ description: "Opaque revision token for optimistic concurrency" }),
 		skipRevision: z.boolean().optional(),
 		seo: contentSeoInput.optional(),
+		publishedAt: contentDateOverride,
 	})
 	.meta({ id: "ContentUpdateBody" });
 

package/src/api/schemas/setup.ts

@@ -35,3 +35,11 @@ export const setupAdminBody = z.object({
 export const setupAdminVerifyBody = z.object({
 	credential: registrationCredential,
 });
+
+export const atprotoLoginBody = z.object({
+	handle: z.string().trim().min(1),
+});
+
+export const setupAtprotoAdminBody = z.object({
+	handle: z.string().trim().min(1),
+});

package/src/api/schemas/widgets.ts

@@ -60,16 +60,12 @@ export const widgetAreaSchema = z
 export const widgetSchema = z
 	.object({
 		id: z.string(),
-		area_id: z.string(),
-		type: z.string(),
-		title: z.string().nullable(),
-		content: z.string().nullable(),
-		menu_name: z.string().nullable(),
-		component_id: z.string().nullable(),
-		component_props: z.string().nullable(),
-		sort_order: z.number().int(),
-		created_at: z.string(),
-		updated_at: z.string(),
+		type: widgetType,
+		title: z.string().optional(),
+		content: z.array(z.record(z.string(), z.unknown())).optional(),
+		menuName: z.string().optional(),
+		componentId: z.string().optional(),
+		componentProps: z.record(z.string(), z.unknown()).optional(),
 	})
 	.meta({ id: "Widget" });
 
@@ -78,3 +74,9 @@ export const widgetAreaWithWidgetsSchema = widgetAreaSchema
 		widgets: z.array(widgetSchema),
 	})
 	.meta({ id: "WidgetAreaWithWidgets" });
+
+export const widgetAreaWithWidgetsAndCountSchema = widgetAreaWithWidgetsSchema
+	.extend({
+		widgetCount: z.number().int(),
+	})
+	.meta({ id: "WidgetAreaWithWidgetsAndCount" });

package/src/api/setup-complete.ts

@@ -0,0 +1,40 @@
+/**
+ * Shared setup completion logic.
+ *
+ * Called by OAuth callbacks and the passkey verify step when the first user
+ * is created during setup. Persists site title/tagline from setup state
+ * and marks setup as complete.
+ */
+
+import type { Kysely } from "kysely";
+
+import { OptionsRepository } from "../database/repositories/options.js";
+import type { Database } from "../database/types.js";
+
+/**
+ * Finalize setup after the first admin user is created.
+ *
+ * Reads the setup_state option (written by the setup wizard's step 1),
+ * persists site_title and site_tagline, then marks setup complete.
+ *
+ * Safe to call multiple times — checks setup_complete first and no-ops
+ * if already done.
+ */
+export async function finalizeSetup(db: Kysely<Database>): Promise<void> {
+	const options = new OptionsRepository(db);
+
+	const setupComplete = await options.get("emdash:setup_complete");
+	if (setupComplete === true || setupComplete === "true") return;
+
+	// Persist site title/tagline from setup state (stored in step 1)
+	const setupState = await options.get<Record<string, unknown>>("emdash:setup_state");
+	if (setupState?.title && typeof setupState.title === "string") {
+		await options.set("emdash:site_title", setupState.title);
+	}
+	if (setupState?.tagline && typeof setupState.tagline === "string") {
+		await options.set("emdash:site_tagline", setupState.tagline);
+	}
+
+	await options.set("emdash:setup_complete", true);
+	await options.delete("emdash:setup_state");
+}

package/src/astro/integration/font-provider.ts

@@ -30,6 +30,7 @@ const ALL_GOOGLE_SUBSETS = [
 	"cyrillic-ext",
 	"devanagari",
 	"ethiopic",
+	"farsi",
 	"georgian",
 	"greek",
 	"greek-ext",
@@ -57,7 +58,7 @@ const ALL_GOOGLE_SUBSETS = [
 ];
 
 /**
- * Known Noto Sans script families on Google Fonts.
+ * Known Noto Sans and Sans script families on Google Fonts.
  * Maps user-friendly script names to Google Fonts family names.
  */
 const NOTO_SCRIPT_FAMILIES: Record<string, string> = {
@@ -69,6 +70,7 @@ const NOTO_SCRIPT_FAMILIES: Record<string, string> = {
 	"chinese-hongkong": "Noto Sans HK",
 	devanagari: "Noto Sans Devanagari",
 	ethiopic: "Noto Sans Ethiopic",
+	farsi: "Vazirmatn",
 	georgian: "Noto Sans Georgian",
 	gujarati: "Noto Sans Gujarati",
 	gurmukhi: "Noto Sans Gurmukhi",

package/src/astro/integration/index.ts

@@ -15,7 +15,12 @@ import type { AstroIntegration, AstroIntegrationLogger } from "astro";
 import type { ResolvedPlugin } from "../../plugins/types.js";
 import { local } from "../storage/adapters.js";
 import { notoSans } from "./font-provider.js";
-import { injectCoreRoutes, injectBuiltinAuthRoutes, injectMcpRoute } from "./routes.js";
+import {
+	injectCoreRoutes,
+	injectBuiltinAuthRoutes,
+	injectAuthProviderRoutes,
+	injectMcpRoute,
+} from "./routes.js";
 import type { EmDashConfig, PluginDescriptor } from "./runtime.js";
 import { createViteConfig } from "./vite-config.js";
 
@@ -157,9 +162,12 @@ export function emdash(config: EmDashConfig = {}): AstroIntegration {
 		database: resolvedConfig.database,
 		storage: resolvedConfig.storage,
 		auth: resolvedConfig.auth,
+		authProviders: resolvedConfig.authProviders,
 		marketplace: resolvedConfig.marketplace,
 		siteUrl: resolvedConfig.siteUrl,
+		trustedProxyHeaders: resolvedConfig.trustedProxyHeaders,
 		maxUploadSize: resolvedConfig.maxUploadSize,
+		admin: resolvedConfig.admin,
 	};
 
 	// Determine auth mode for route injection
@@ -265,7 +273,12 @@ export function emdash(config: EmDashConfig = {}): AstroIntegration {
 				// Inject all core routes
 				injectCoreRoutes(injectRoute);
 
-				// Only inject passkey/oauth/magic-link routes when NOT using external auth
+				// Inject routes from pluggable auth providers (authProviders config)
+				if (resolvedConfig.authProviders?.length) {
+					injectAuthProviderRoutes(injectRoute, resolvedConfig.authProviders);
+				}
+
+				// Inject passkey/oauth/magic-link routes unless transparent external auth is active
 				if (!useExternalAuth) {
 					injectBuiltinAuthRoutes(injectRoute);
 				}