emdash 0.6.0 → 1.0.0

package/src/auth/types.ts

@@ -2,7 +2,13 @@
  * Auth Provider Types
  *
  * Defines the interfaces for pluggable authentication providers.
- * Providers like Cloudflare Access implement these interfaces.
+ *
+ * Two systems coexist:
+ * - `AuthDescriptor` — transparent auth (Cloudflare Access) that authenticates
+ *   every request via headers/cookies. No login UI needed.
+ * - `AuthProviderDescriptor` — pluggable login methods (GitHub, Google,
+ *   AT Protocol, etc.) that appear as options on the login page and setup
+ *   wizard. Passkey is built-in; providers are additive.
  */
 
 /**
@@ -22,10 +28,10 @@ export interface AuthResult {
 }
 
 /**
- * Auth descriptor - returned by auth adapter functions (e.g., access())
+ * Auth descriptor — transparent auth providers (e.g., Cloudflare Access).
  *
- * Similar to DatabaseDescriptor and StorageDescriptor, this allows
- * auth providers to be configured at build time and loaded at runtime.
+ * These authenticate every request via headers/cookies. No login UI needed.
+ * The module's `authenticate()` function is called by middleware on each request.
  */
 export interface AuthDescriptor {
 	/**
@@ -64,6 +70,110 @@ export interface AuthProviderModule {
 	authenticate(request: Request, config: unknown): Promise<AuthResult>;
 }
 
+// ---------------------------------------------------------------------------
+// Pluggable Auth Providers (additive login methods)
+// ---------------------------------------------------------------------------
+
+/**
+ * Descriptor for a pluggable auth provider.
+ *
+ * Auth providers appear as login options on the login page and setup wizard.
+ * They coexist with passkey (which is built-in) and with each other.
+ * Any provider can be used to create the initial admin account.
+ *
+ * @example
+ * ```ts
+ * // astro.config.ts
+ * import { atproto } from "@emdash-cms/auth-atproto";
+ *
+ * emdash({
+ *   authProviders: [atproto(), github(), google()],
+ * })
+ * ```
+ */
+export interface AuthProviderDescriptor {
+	/** Unique provider ID (e.g., "github", "atproto") */
+	id: string;
+
+	/** Human-readable label for UI (e.g., "GitHub", "AT Protocol") */
+	label: string;
+
+	/** Provider-specific config (JSON-serializable) */
+	config?: unknown;
+
+	/**
+	 * Module exporting React components for the admin UI.
+	 * Statically imported at build time via virtual module.
+	 *
+	 * The module should export components matching `AuthProviderAdminExports`.
+	 */
+	adminEntry?: string;
+
+	/**
+	 * Astro route handlers this provider needs injected at build time.
+	 * Used for login initiation, OAuth callbacks, well-known endpoints, etc.
+	 */
+	routes?: AuthRouteDescriptor[];
+
+	/**
+	 * URL prefixes/paths that should bypass auth middleware.
+	 * Added to the public routes set so login/callback endpoints work
+	 * for unauthenticated users.
+	 */
+	publicRoutes?: string[];
+
+	/**
+	 * Storage collections for persistent auth state (e.g., OAuth sessions).
+	 * Same format as plugin storage — collections are stored in the shared
+	 * `_plugin_storage` table namespaced under `auth:<providerId>`.
+	 *
+	 * Access via `getAuthProviderStorage()` from `emdash/api/route-utils`.
+	 */
+	storage?: Record<
+		string,
+		{ indexes?: Array<string | string[]>; uniqueIndexes?: Array<string | string[]> }
+	>;
+}
+
+/**
+ * A route that an auth provider needs injected into the Astro app.
+ */
+export interface AuthRouteDescriptor {
+	/** URL pattern (e.g., "/_emdash/api/auth/atproto/login") */
+	pattern: string;
+	/** Module specifier for the Astro route handler */
+	entrypoint: string;
+}
+
+/**
+ * Expected exports from an auth provider's `adminEntry` module.
+ *
+ * All exports are optional. Providers export whichever components
+ * make sense for their auth flow.
+ */
+export interface AuthProviderAdminExports {
+	/**
+	 * Compact button for the login page (icon + label).
+	 * Used for providers with a simple redirect flow (GitHub, Google).
+	 * Rendered in the "Or continue with" section.
+	 */
+	LoginButton?: import("react").ComponentType;
+
+	/**
+	 * Full login form for providers that need custom input.
+	 * Used for providers like AT Protocol that need a handle field.
+	 * Rendered as an expandable section on the login page.
+	 */
+	LoginForm?: import("react").ComponentType;
+
+	/**
+	 * Setup wizard step for creating the admin account via this provider.
+	 * When present, this provider appears as an option in the setup wizard's
+	 * "Create admin account" step.
+	 */
+	SetupStep?: import("react").ComponentType<{ onComplete: () => void }>;
+}
+
 /**
  * Configuration options common to external auth providers
  */

package/src/cli/commands/bundle.ts

@@ -38,7 +38,7 @@ import {
 	ICON_SIZE,
 } from "./bundle-utils.js";
 
-const TS_EXT_RE = /\.tsx?$/;
+const TS_EXT_RE = /\.(tsx?|[mc]?js)$/;
 const SLASH_RE = /\//g;
 const LEADING_AT_RE = /^@/;
 const emdash_SCOPE_RE = /^@emdash-cms\//;
@@ -163,6 +163,8 @@ export const bundleCommand = defineCommand({
 		const tmpDir = join(pluginDir, ".emdash-bundle-tmp");
 
 		try {
+			// Clean up any stale temp directory from a previous failed run
+			await rm(tmpDir, { recursive: true, force: true });
 			await mkdir(tmpDir, { recursive: true });
 
 			// Build main entry to extract manifest.

package/src/components/EmDashImage.astro

@@ -20,6 +20,7 @@ import type { MediaValue } from "../fields/types.js";
 import type { HTMLAttributes } from "astro/types";
 import type { ImageEmbed } from "../media/types.js";
 import { getMediaProvider } from "../media/provider-loader.js";
+import { buildRenderMediaUrl } from "../media/url.js";
 // Standard responsive breakpoints
 const BREAKPOINTS = [640, 750, 828, 960, 1080, 1280, 1600, 1920];
 
@@ -53,14 +54,14 @@ function normalizeImage(
 }
 
 /**
- * Build the URL for a local image
+ * Build the URL for a local image. Prefers `meta.storageKey`; falls back to
+ * the internal proxy with `img.id` when no storage key is available.
  */
 function buildLocalImageUrl(img: MediaValue): string {
-	const storageKey = (img.meta?.storageKey as string) || img.id;
-	if (storageKey) {
-		return `/_emdash/api/media/file/${storageKey}`;
-	}
-	return "";
+	return buildRenderMediaUrl(Astro.locals.emdash?.getPublicMediaUrl, {
+		storageKey: img.meta?.storageKey as string | undefined,
+		id: img.id,
+	});
 }
 
 /**

package/src/components/Gallery.astro

@@ -6,6 +6,7 @@
  * Uses Astro's Image component for optimization when dimensions are available.
  */
 import { Image as AstroImage } from "astro:assets";
+import { buildRenderMediaUrl } from "../media/url.js";
 
 export interface Props {
 	node: {
@@ -39,9 +40,10 @@ if (!images.length) {
 <div class="emdash-gallery" style={`--columns: ${columns}`}>
 	{
 		images.map((image) => {
-			const src =
-				image.asset.url ||
-				`/_emdash/api/media/file/${image.asset._ref}`;
+			const src = buildRenderMediaUrl(Astro.locals.emdash?.getPublicMediaUrl, {
+				url: image.asset.url,
+				id: image.asset._ref,
+			});
 			const hasSize = image.width && image.height;
 			return (
 				<figure class="emdash-gallery-item">

package/src/components/Image.astro

@@ -7,6 +7,7 @@
  */
 import type { ImageEmbed } from "../media/types.js";
 import { getMediaProvider } from "../media/provider-loader.js";
+import { buildRenderMediaUrl } from "../media/url.js";
 // Standard responsive breakpoints
 const BREAKPOINTS = [640, 750, 828, 960, 1080, 1280, 1600, 1920];
 
@@ -122,10 +123,14 @@ if (providerId && providerId !== "local") {
 	}
 }
 
-// Fallback for local provider — prefer stored URL (includes storage key with extension),
-// fall back to _ref (bare ULID, works if media file endpoint supports ID lookup)
+// Fallback for local provider. `asset.url` carries the storage key with
+// extension when present; `asset._ref` is a bare ULID that only the internal
+// `/file/{id}` route can resolve. `buildRenderMediaUrl` picks the right shape.
 if (!src) {
-	src = asset.url || `/_emdash/api/media/file/${asset._ref}`;
+	src = buildRenderMediaUrl(Astro.locals.emdash?.getPublicMediaUrl, {
+		url: asset.url,
+		id: asset._ref,
+	});
 }
 
 // Build placeholder background style

package/src/components/InlinePortableTextEditor.tsx

@@ -1741,6 +1741,7 @@ export function InlinePortableTextEditor({
 		editorProps: {
 			attributes: {
 				class: "prose prose-sm sm:prose-base dark:prose-invert max-w-none emdash-inline-editor",
+				dir: "auto",
 			},
 		},
 		onUpdate: () => {
@@ -1795,7 +1796,7 @@ export function InlinePortableTextEditor({
 			// Don't save if focus moved to the slash menu (portalled to body)
 			if (related?.closest(".emdash-slash-menu")) return;
 			if (related?.closest(".emdash-media-picker")) return;
-			save();
+			void save();
 		},
 		[save, mediaPickerOpen],
 	);

package/src/components/LiveSearch.astro

@@ -109,13 +109,6 @@ const config = {
 </emdash-live-search>
 
 <script>
-	// Sanitization patterns for search snippets (allow only <mark> tags from FTS5)
-	const SNIPPET_AMP_RE = /&/g;
-	const SNIPPET_LT_RE = /</g;
-	const SNIPPET_GT_RE = />/g;
-	const SNIPPET_MARK_OPEN_RE = /&lt;mark&gt;/g;
-	const SNIPPET_MARK_CLOSE_RE = /&lt;\/mark&gt;/g;
-
 	interface SearchResult {
 		collection: string;
 		id: string;
@@ -396,17 +389,15 @@ const config = {
 						collectionEl.textContent = result.collection;
 					}
 
-					// Fill in snippet (sanitize to allow only <mark> tags from FTS5 highlighting)
+					// Snippets returned by /api/search are already sanitised
+					// server-side by sanitizeSnippet() — they contain only
+					// HTML-escaped text plus literal <mark>...</mark> tags
+					// around matched terms.
 					const snippetEl = link.querySelector(
 						".emdash-live-search-result-snippet"
 					);
 					if (snippetEl && this.config.showSnippets && result.snippet) {
-						snippetEl.innerHTML = result.snippet
-							.replace(SNIPPET_AMP_RE, "&amp;")
-							.replace(SNIPPET_LT_RE, "&lt;")
-							.replace(SNIPPET_GT_RE, "&gt;")
-							.replace(SNIPPET_MARK_OPEN_RE, "<mark>")
-							.replace(SNIPPET_MARK_CLOSE_RE, "</mark>");
+						snippetEl.innerHTML = result.snippet;
 					} else if (snippetEl) {
 						snippetEl.remove();
 					}

package/src/database/migrations/035_bounded_404_log.ts

@@ -0,0 +1,112 @@
+import type { Kysely } from "kysely";
+import { sql } from "kysely";
+
+/**
+ * Migration: Bounded 404 logging
+ *
+ * Hardens `_emdash_404_log` against unauthenticated DoS. Previously every 404
+ * inserted a new row, so an attacker could grow the table without bound.
+ *
+ * Changes:
+ *   - Adds `hits` (default 1, NOT NULL)
+ *   - Adds `last_seen_at` (nullable; SQLite can't add NOT NULL with a
+ *     non-constant default to a populated table, so the column is nullable
+ *     at the schema level and backfilled from `created_at` for existing rows;
+ *     new inserts via `log404` always set it)
+ *   - Deduplicates existing rows by path, keeping the most recent row per
+ *     path and summing hits
+ *   - Adds a UNIQUE index on `path` so upsert semantics work
+ */
+
+export async function up(db: Kysely<unknown>): Promise<void> {
+	// 1. Add columns.
+	await db.schema
+		.alterTable("_emdash_404_log")
+		.addColumn("hits", "integer", (col) => col.notNull().defaultTo(1))
+		.execute();
+
+	// SQLite won't accept a non-constant default when adding a NOT NULL column
+	// to a table with existing rows, so backfill in two steps: add nullable,
+	// populate, then rely on the application layer / future inserts to set it.
+	await db.schema.alterTable("_emdash_404_log").addColumn("last_seen_at", "text").execute();
+
+	// Backfill last_seen_at from created_at for existing rows.
+	await sql`
+		UPDATE _emdash_404_log
+		SET last_seen_at = created_at
+		WHERE last_seen_at IS NULL
+	`.execute(db);
+
+	// 2. Deduplicate existing rows by path.
+	//    For each path, roll up hits and pick the freshest last_seen_at onto
+	//    a single keeper row, then delete the non-keepers. Uses window
+	//    functions (ROW_NUMBER) so the dedup SQL is valid on both SQLite
+	//    (3.25+, 2018) and Postgres. The previous GROUP BY approach was
+	//    accepted by SQLite but invalid on Postgres because `id` wasn't in
+	//    the GROUP BY or wrapped in an aggregate.
+	await sql`
+		WITH ranked AS (
+			SELECT
+				id,
+				path,
+				ROW_NUMBER() OVER (
+					PARTITION BY path
+					ORDER BY created_at DESC, id DESC
+				) AS rn,
+				COUNT(*) OVER (PARTITION BY path) AS path_count,
+				MAX(created_at) OVER (PARTITION BY path) AS latest_created_at
+			FROM _emdash_404_log
+		)
+		UPDATE _emdash_404_log
+		SET
+			hits = (SELECT path_count FROM ranked WHERE ranked.id = _emdash_404_log.id),
+			last_seen_at = (SELECT latest_created_at FROM ranked WHERE ranked.id = _emdash_404_log.id)
+		WHERE id IN (SELECT id FROM ranked WHERE rn = 1)
+	`.execute(db);
+
+	// Delete the non-keepers (every row except the freshest per path).
+	await sql`
+		DELETE FROM _emdash_404_log
+		WHERE id IN (
+			SELECT id FROM (
+				SELECT
+					id,
+					ROW_NUMBER() OVER (
+						PARTITION BY path
+						ORDER BY created_at DESC, id DESC
+					) AS rn
+				FROM _emdash_404_log
+			) AS ranked
+			WHERE rn > 1
+		)
+	`.execute(db);
+
+	// 3. Add unique index on path for upsert semantics.
+	await db.schema
+		.createIndex("idx_404_log_path_unique")
+		.on("_emdash_404_log")
+		.column("path")
+		.unique()
+		.execute();
+
+	// Drop the old non-unique index; the unique one covers the same lookups.
+	await db.schema.dropIndex("idx_404_log_path").execute();
+
+	// 4. Index on last_seen_at for eviction ordering.
+	await db.schema
+		.createIndex("idx_404_log_last_seen")
+		.on("_emdash_404_log")
+		.column("last_seen_at")
+		.execute();
+}
+
+export async function down(db: Kysely<unknown>): Promise<void> {
+	await db.schema.dropIndex("idx_404_log_last_seen").execute();
+	await db.schema.dropIndex("idx_404_log_path_unique").execute();
+
+	// Restore the original non-unique path index.
+	await db.schema.createIndex("idx_404_log_path").on("_emdash_404_log").column("path").execute();
+
+	await db.schema.alterTable("_emdash_404_log").dropColumn("last_seen_at").execute();
+	await db.schema.alterTable("_emdash_404_log").dropColumn("hits").execute();
+}

package/src/database/migrations/runner.ts

@@ -35,6 +35,7 @@ import * as m031 from "./031_bylines.js";
 import * as m032 from "./032_rate_limits.js";
 import * as m033 from "./033_optimize_content_indexes.js";
 import * as m034 from "./034_published_at_index.js";
+import * as m035 from "./035_bounded_404_log.js";
 
 const MIGRATIONS: Readonly<Record<string, Migration>> = Object.freeze({
 	"001_initial": m001,
@@ -70,6 +71,7 @@ const MIGRATIONS: Readonly<Record<string, Migration>> = Object.freeze({
 	"032_rate_limits": m032,
 	"033_optimize_content_indexes": m033,
 	"034_published_at_index": m034,
+	"035_bounded_404_log": m035,
 });
 
 /** Total number of registered migrations. Exported for use in tests. */

package/src/database/repositories/audit.ts

@@ -143,14 +143,12 @@ export class AuditRepository {
 
 		if (query.cursor) {
 			const decoded = decodeCursor(query.cursor);
-			if (decoded) {
-				q = q.where((eb) =>
-					eb.or([
-						eb("timestamp", "<", decoded.orderValue),
-						eb.and([eb("timestamp", "=", decoded.orderValue), eb("id", "<", decoded.id)]),
-					]),
-				);
-			}
+			q = q.where((eb) =>
+				eb.or([
+					eb("timestamp", "<", decoded.orderValue),
+					eb.and([eb("timestamp", "=", decoded.orderValue), eb("id", "<", decoded.id)]),
+				]),
+			);
 		}
 
 		const rows = await q.execute();

package/src/database/repositories/byline.ts

@@ -123,14 +123,12 @@ export class BylineRepository {
 
 		if (options?.cursor) {
 			const decoded = decodeCursor(options.cursor);
-			if (decoded) {
-				query = query.where((eb) =>
-					eb.or([
-						eb("created_at", "<", decoded.orderValue),
-						eb.and([eb("created_at", "=", decoded.orderValue), eb("id", "<", decoded.id)]),
-					]),
-				);
-			}
+			query = query.where((eb) =>
+				eb.or([
+					eb("created_at", "<", decoded.orderValue),
+					eb.and([eb("created_at", "=", decoded.orderValue), eb("id", "<", decoded.id)]),
+				]),
+			);
 		}
 
 		const rows = await query.execute();

package/src/database/repositories/comment.ts

@@ -143,14 +143,12 @@ export class CommentRepository {
 		// Cursor pagination (ascending by created_at)
 		if (options.cursor) {
 			const decoded = decodeCursor(options.cursor);
-			if (decoded) {
-				query = query.where((eb: ExpressionBuilder<Database, "_emdash_comments">) =>
-					eb.or([
-						eb("created_at", ">", decoded.orderValue),
-						eb.and([eb("created_at", "=", decoded.orderValue), eb("id", ">", decoded.id)]),
-					]),
-				);
-			}
+			query = query.where((eb: ExpressionBuilder<Database, "_emdash_comments">) =>
+				eb.or([
+					eb("created_at", ">", decoded.orderValue),
+					eb.and([eb("created_at", "=", decoded.orderValue), eb("id", ">", decoded.id)]),
+				]),
+			);
 		}
 
 		query = query
@@ -202,14 +200,12 @@ export class CommentRepository {
 		// Cursor pagination (descending by created_at)
 		if (options.cursor) {
 			const decoded = decodeCursor(options.cursor);
-			if (decoded) {
-				query = query.where((eb: ExpressionBuilder<Database, "_emdash_comments">) =>
-					eb.or([
-						eb("created_at", "<", decoded.orderValue),
-						eb.and([eb("created_at", "=", decoded.orderValue), eb("id", "<", decoded.id)]),
-					]),
-				);
-			}
+			query = query.where((eb: ExpressionBuilder<Database, "_emdash_comments">) =>
+				eb.or([
+					eb("created_at", "<", decoded.orderValue),
+					eb.and([eb("created_at", "=", decoded.orderValue), eb("id", "<", decoded.id)]),
+				]),
+			);
 		}
 
 		query = query

package/src/database/repositories/content.ts

@@ -489,27 +489,26 @@ export class ContentRepository {
 			query = query.where("locale" as any, "=", options.where.locale);
 		}
 
-		// Handle cursor pagination
+		// Handle cursor pagination — decodeCursor throws InvalidCursorError
+		// on malformed input; let it propagate so handlers surface a
+		// structured INVALID_CURSOR rather than silently returning page 1.
 		if (options.cursor) {
-			const decoded = decodeCursor(options.cursor);
-			if (decoded) {
-				const { orderValue, id: cursorId } = decoded;
-
-				if (safeOrderDirection === "DESC") {
-					query = query.where((eb) =>
-						eb.or([
-							eb(dbField as any, "<", orderValue),
-							eb.and([eb(dbField as any, "=", orderValue), eb("id", "<", cursorId)]),
-						]),
-					);
-				} else {
-					query = query.where((eb) =>
-						eb.or([
-							eb(dbField as any, ">", orderValue),
-							eb.and([eb(dbField as any, "=", orderValue), eb("id", ">", cursorId)]),
-						]),
-					);
-				}
+			const { orderValue, id: cursorId } = decodeCursor(options.cursor);
+
+			if (safeOrderDirection === "DESC") {
+				query = query.where((eb) =>
+					eb.or([
+						eb(dbField as any, "<", orderValue),
+						eb.and([eb(dbField as any, "=", orderValue), eb("id", "<", cursorId)]),
+					]),
+				);
+			} else {
+				query = query.where((eb) =>
+					eb.or([
+						eb(dbField as any, ">", orderValue),
+						eb.and([eb(dbField as any, "=", orderValue), eb("id", ">", cursorId)]),
+					]),
+				);
 			}
 		}
 
@@ -671,27 +670,24 @@ export class ContentRepository {
 			.selectAll()
 			.where("deleted_at" as never, "is not", null);
 
-		// Handle cursor pagination
+		// Handle cursor pagination — decodeCursor throws on invalid input.
 		if (options.cursor) {
-			const decoded = decodeCursor(options.cursor);
-			if (decoded) {
-				const { orderValue, id: cursorId } = decoded;
-
-				if (safeOrderDirection === "DESC") {
-					query = query.where((eb) =>
-						eb.or([
-							eb(dbField as any, "<", orderValue),
-							eb.and([eb(dbField as any, "=", orderValue), eb("id", "<", cursorId)]),
-						]),
-					);
-				} else {
-					query = query.where((eb) =>
-						eb.or([
-							eb(dbField as any, ">", orderValue),
-							eb.and([eb(dbField as any, "=", orderValue), eb("id", ">", cursorId)]),
-						]),
-					);
-				}
+			const { orderValue, id: cursorId } = decodeCursor(options.cursor);
+
+			if (safeOrderDirection === "DESC") {
+				query = query.where((eb) =>
+					eb.or([
+						eb(dbField as any, "<", orderValue),
+						eb.and([eb(dbField as any, "=", orderValue), eb("id", "<", cursorId)]),
+					]),
+				);
+			} else {
+				query = query.where((eb) =>
+					eb.or([
+						eb(dbField as any, ">", orderValue),
+						eb.and([eb(dbField as any, "=", orderValue), eb("id", ">", cursorId)]),
+					]),
+				);
 			}
 		}
 
@@ -1018,6 +1014,7 @@ export class ContentRepository {
 			UPDATE ${sql.ref(tableName)}
 			SET live_revision_id = NULL,
 				status = 'draft',
+				published_at = NULL,
 				updated_at = ${now}
 			WHERE id = ${id}
 			AND deleted_at IS NULL
@@ -1031,6 +1028,45 @@ export class ContentRepository {
 		return updated;
 	}
 
+	/**
+	 * Set the draft revision pointer for a content item.
+	 *
+	 * Used by seed/import paths that stage a new revision's data before
+	 * promoting it to live via `publish()`.
+	 *
+	 * Validates that the content item exists and is not soft-deleted, that
+	 * the revision exists, and that the revision belongs to the same
+	 * collection and entry. Without these checks, a caller could leave the
+	 * content row pointing at a missing or unrelated revision.
+	 */
+	async setDraftRevision(type: string, id: string, revisionId: string): Promise<void> {
+		const tableName = getTableName(type);
+		const now = new Date().toISOString();
+
+		const existing = await this.findById(type, id);
+		if (!existing) {
+			throw new EmDashValidationError("Content item not found");
+		}
+
+		const revisionRepo = new RevisionRepository(this.db);
+		const revision = await revisionRepo.findById(revisionId);
+		if (!revision) {
+			throw new EmDashValidationError("Revision not found");
+		}
+
+		if (revision.collection !== type || revision.entryId !== id) {
+			throw new EmDashValidationError("Revision does not belong to the specified content item");
+		}
+
+		await sql`
+			UPDATE ${sql.ref(tableName)}
+			SET draft_revision_id = ${revisionId},
+				updated_at = ${now}
+			WHERE id = ${id}
+			AND deleted_at IS NULL
+		`.execute(this.db);
+	}
+
 	/**
 	 * Discard pending draft changes
 	 *
@@ -1159,7 +1195,10 @@ export class ContentRepository {
 			scheduledAt: "scheduled_at",
 			deletedAt: "deleted_at",
 			title: "title",
+			name: "name",
 			slug: "slug",
+			status: "status",
+			locale: "locale",
 		};
 
 		const mapped = mapping[field];

package/src/database/repositories/index.ts

@@ -27,4 +27,4 @@ export { RedirectRepository } from "./redirect.js";
 export { BylineRepository } from "./byline.js";
 export type { CreateBylineInput, UpdateBylineInput, ContentBylineInput } from "./byline.js";
 export type * from "./types.js";
-export { EmDashValidationError, encodeCursor, decodeCursor } from "./types.js";
+export { EmDashValidationError, InvalidCursorError, encodeCursor, decodeCursor } from "./types.js";