emdash 0.6.0 → 1.0.0

package/src/database/repositories/media.ts

@@ -202,20 +202,17 @@ export class MediaRepository {
 			.orderBy("id", "desc")
 			.limit(limit + 1);
 
-		// Handle cursor-based pagination
+		// Handle cursor-based pagination — throws on invalid cursor.
 		if (options.cursor) {
-			const decoded = decodeCursor(options.cursor);
-			if (decoded) {
-				const { orderValue: createdAt, id: cursorId } = decoded;
-
-				// Keyset pagination: get items where (created_at, id) < cursor
-				query = query.where((eb) =>
-					eb.or([
-						eb("created_at", "<", createdAt),
-						eb.and([eb("created_at", "=", createdAt), eb("id", "<", cursorId)]),
-					]),
-				);
-			}
+			const { orderValue: createdAt, id: cursorId } = decodeCursor(options.cursor);
+
+			// Keyset pagination: get items where (created_at, id) < cursor
+			query = query.where((eb) =>
+				eb.or([
+					eb("created_at", "<", createdAt),
+					eb.and([eb("created_at", "=", createdAt), eb("id", "<", cursorId)]),
+				]),
+			);
 		}
 
 		if (options.mimeType) {

package/src/database/repositories/options.ts

@@ -55,6 +55,31 @@ export class OptionsRepository {
 			.execute();
 	}
 
+	/**
+	 * Set an option value only if no row with that name exists. Atomic at the
+	 * database level via INSERT ... ON CONFLICT DO NOTHING, so concurrent
+	 * callers can't race past the check.
+	 *
+	 * Returns true when the row was inserted, false when a row already
+	 * existed (regardless of its value — even an empty string or null).
+	 */
+	async setIfAbsent<T = unknown>(name: string, value: T): Promise<boolean> {
+		const row: OptionTable = {
+			name,
+			value: JSON.stringify(value),
+		};
+
+		const result = await this.db
+			.insertInto("options")
+			.values(row)
+			.onConflict((oc) => oc.column("name").doNothing())
+			.executeTakeFirst();
+
+		// SQLite reports numInsertedOrUpdatedRows; Postgres reports the same.
+		// When the ON CONFLICT branch fires and does nothing, the count is 0.
+		return (result.numInsertedOrUpdatedRows ?? 0n) > 0n;
+	}
+
 	/**
 	 * Delete an option
 	 */

package/src/database/repositories/plugin-storage.ts

@@ -226,14 +226,12 @@ export class PluginStorageRepository<T = unknown> implements StorageCollection<T
 			query = query.where(({ eb }) => eb(sql.join(whereSqlParts, sql.raw("")), "=", sql.raw("1")));
 		}
 
-		// Handle cursor-based pagination
+		// Handle cursor-based pagination — throws on invalid cursor.
 		if (cursor) {
 			const decoded = decodeCursor(cursor);
-			if (decoded) {
-				query = query.where(({ eb }) =>
-					eb(sql`(created_at, id)`, ">", sql`(${decoded.orderValue}, ${decoded.id})`),
-				);
-			}
+			query = query.where(({ eb }) =>
+				eb(sql`(created_at, id)`, ">", sql`(${decoded.orderValue}, ${decoded.id})`),
+			);
 		}
 
 		// Build ORDER BY using sql template

package/src/database/repositories/redirect.ts

@@ -11,6 +11,32 @@ import { currentTimestampValue } from "../dialect-helpers.js";
 import type { Database, RedirectTable } from "../types.js";
 import { encodeCursor, decodeCursor, type FindManyResult } from "./types.js";
 
+// ---------------------------------------------------------------------------
+// Bounded 404 logging
+// ---------------------------------------------------------------------------
+
+/**
+ * Hard cap on rows stored in `_emdash_404_log`. When exceeded, the oldest
+ * rows (by `last_seen_at`) are evicted on insert. Prevents an unauthenticated
+ * attacker from growing the table without bound by requesting unique URLs.
+ */
+export const MAX_404_LOG_ROWS = 10_000;
+
+/** Max stored length for the `Referer` header — truncated on insert. */
+export const REFERRER_MAX_LENGTH = 512;
+
+/** Max stored length for the `User-Agent` header — truncated on insert. */
+export const USER_AGENT_MAX_LENGTH = 256;
+
+/**
+ * Truncate a header-derived string to `max` chars, preserving `null`/`undefined`
+ * as `null`. Empty strings stay empty (the caller decides whether to coerce).
+ */
+function truncateOrNull(value: string | null | undefined, max: number): string | null {
+	if (value === null || value === undefined) return null;
+	return value.length > max ? value.slice(0, max) : value;
+}
+
 // ---------------------------------------------------------------------------
 // Types
 // ---------------------------------------------------------------------------
@@ -156,14 +182,12 @@ export class RedirectRepository {
 
 		if (opts.cursor) {
 			const decoded = decodeCursor(opts.cursor);
-			if (decoded) {
-				query = query.where((eb) =>
-					eb.or([
-						eb("created_at", "<", decoded.orderValue),
-						eb.and([eb("created_at", "=", decoded.orderValue), eb("id", "<", decoded.id)]),
-					]),
-				);
-			}
+			query = query.where((eb) =>
+				eb.or([
+					eb("created_at", "<", decoded.orderValue),
+					eb.and([eb("created_at", "=", decoded.orderValue), eb("id", "<", decoded.id)]),
+				]),
+			);
 		}
 
 		const rows = await query.execute();
@@ -369,22 +393,97 @@ export class RedirectRepository {
 
 	// --- 404 log ------------------------------------------------------------
 
+	/**
+	 * Record a 404 hit for `entry.path`.
+	 *
+	 * Dedups by path: repeat hits increment `hits` and refresh `last_seen_at`
+	 * on the existing row instead of inserting a new one. Referrer and
+	 * user-agent are truncated to bounded lengths so a malicious client can't
+	 * blow up storage with huge headers. When the table would exceed
+	 * MAX_404_LOG_ROWS, the oldest entries (by `last_seen_at`) are evicted.
+	 *
+	 * This is called from the public redirect middleware on every 404 and
+	 * must never throw for an unauthenticated caller — failures bubble up to
+	 * the middleware, which swallows them.
+	 */
 	async log404(entry: {
 		path: string;
 		referrer?: string | null;
 		userAgent?: string | null;
 		ip?: string | null;
 	}): Promise<void> {
+		const now = new Date().toISOString();
+		const referrer = truncateOrNull(entry.referrer, REFERRER_MAX_LENGTH);
+		const userAgent = truncateOrNull(entry.userAgent, USER_AGENT_MAX_LENGTH);
+		const ip = entry.ip ?? null;
+
+		// Atomic upsert by path. The UNIQUE index on `path` makes this safe
+		// under concurrency: two requests for the same new path can't both
+		// insert — the second one hits the conflict branch and increments
+		// hits instead of failing with a uniqueness error.
 		await this.db
 			.insertInto("_emdash_404_log")
 			.values({
 				id: ulid(),
 				path: entry.path,
-				referrer: entry.referrer ?? null,
-				user_agent: entry.userAgent ?? null,
-				ip: entry.ip ?? null,
-				created_at: new Date().toISOString(),
+				referrer,
+				user_agent: userAgent,
+				ip,
+				hits: 1,
+				last_seen_at: now,
+				created_at: now,
 			})
+			.onConflict((oc) =>
+				oc.column("path").doUpdateSet({
+					hits: sql`hits + 1`,
+					last_seen_at: now,
+					referrer,
+					user_agent: userAgent,
+					ip,
+				}),
+			)
+			.execute();
+
+		// Enforce the row cap. Cheap when the table is under cap (single
+		// COUNT(*) query); evicts oldest rows if we're over. Updates (dedup
+		// hits) don't grow the table so this is a no-op for repeat paths.
+		await this.enforce404Cap();
+	}
+
+	/**
+	 * Delete the oldest rows from `_emdash_404_log` if the row count exceeds
+	 * MAX_404_LOG_ROWS. "Oldest" is by `last_seen_at`, so a path that keeps
+	 * getting hit stays in the table even if it was first seen long ago.
+	 *
+	 * Private — callers use `log404`, which invokes this after every upsert.
+	 */
+	private async enforce404Cap(): Promise<void> {
+		const countRow = await this.db
+			.selectFrom("_emdash_404_log")
+			.select((eb) => eb.fn.countAll<number>().as("c"))
+			.executeTakeFirst();
+		const count = Number(countRow?.c ?? 0);
+		if (count <= MAX_404_LOG_ROWS) return;
+
+		const excess = count - MAX_404_LOG_ROWS;
+
+		// Evict the oldest rows in a single SQL statement. Using a subquery
+		// (rather than materialising the victim IDs in JS and passing them
+		// back as bind parameters) keeps the statement bounded regardless of
+		// how far over cap the table is — important for existing installs
+		// that crossed the threshold before this cap was introduced.
+		await this.db
+			.deleteFrom("_emdash_404_log")
+			.where(
+				"id",
+				"in",
+				this.db
+					.selectFrom("_emdash_404_log")
+					.select("id")
+					.orderBy("last_seen_at", "asc")
+					.orderBy("id", "asc")
+					.limit(excess),
+			)
 			.execute();
 	}
 
@@ -408,14 +507,12 @@ export class RedirectRepository {
 
 		if (opts.cursor) {
 			const decoded = decodeCursor(opts.cursor);
-			if (decoded) {
-				query = query.where((eb) =>
-					eb.or([
-						eb("created_at", "<", decoded.orderValue),
-						eb.and([eb("created_at", "=", decoded.orderValue), eb("id", "<", decoded.id)]),
-					]),
-				);
-			}
+			query = query.where((eb) =>
+				eb.or([
+					eb("created_at", "<", decoded.orderValue),
+					eb.and([eb("created_at", "=", decoded.orderValue), eb("id", "<", decoded.id)]),
+				]),
+			);
 		}
 
 		const rows = await query.execute();
@@ -438,6 +535,10 @@ export class RedirectRepository {
 	}
 
 	async get404Summary(limit = 50): Promise<NotFoundSummary[]> {
+		// Since rows are now deduped by path, each path has exactly one row
+		// with `hits` as the running count and `last_seen_at` as the latest
+		// timestamp. The subquery for `top_referrer` collapses to a simple
+		// pick of the row's stored referrer (the most recent one seen).
 		const rows = await sql<{
 			path: string;
 			count: number;
@@ -446,14 +547,12 @@ export class RedirectRepository {
 		}>`
 			SELECT
 				path,
-				COUNT(*) as count,
-				MAX(created_at) as last_seen,
+				SUM(hits) as count,
+				MAX(last_seen_at) as last_seen,
 				(
 					SELECT referrer FROM _emdash_404_log AS inner_log
 					WHERE inner_log.path = _emdash_404_log.path
 						AND referrer IS NOT NULL AND referrer != ''
-					GROUP BY referrer
-					ORDER BY COUNT(*) DESC
 					LIMIT 1
 				) as top_referrer
 			FROM _emdash_404_log

package/src/database/repositories/taxonomy.ts

@@ -41,12 +41,15 @@ export class TaxonomyRepository {
 	async create(input: CreateTaxonomyInput): Promise<Taxonomy> {
 		const id = ulid();
 
+		// Empty-string parentId is coerced to null defensively. Higher layers
+		// also normalize this — see handleTermCreate / handleTermUpdate.
+		const parentId = input.parentId === undefined || input.parentId === "" ? null : input.parentId;
 		const row: TaxonomyTable = {
 			id,
 			name: input.name,
 			slug: input.slug,
 			label: input.label,
-			parent_id: input.parentId ?? null,
+			parent_id: parentId,
 			data: input.data ? JSON.stringify(input.data) : null,
 		};
 
@@ -90,11 +93,15 @@ export class TaxonomyRepository {
 	 * Get all terms for a taxonomy (e.g., all categories)
 	 */
 	async findByName(name: string, options: { parentId?: string | null } = {}): Promise<Taxonomy[]> {
+		// `id asc` is a stable tiebreaker for terms that share a label.
+		// Without it the SQL ordering is implementation-defined when labels
+		// match, which breaks keyset pagination over `(label, id)`.
 		let query = this.db
 			.selectFrom("taxonomies")
 			.selectAll()
 			.where("name", "=", name)
-			.orderBy("label", "asc");
+			.orderBy("label", "asc")
+			.orderBy("id", "asc");
 
 		if (options.parentId !== undefined) {
 			if (options.parentId === null) {
@@ -117,6 +124,7 @@ export class TaxonomyRepository {
 			.selectAll()
 			.where("parent_id", "=", parentId)
 			.orderBy("label", "asc")
+			.orderBy("id", "asc")
 			.execute();
 
 		return rows.map((row) => this.rowToTaxonomy(row));
@@ -132,7 +140,10 @@ export class TaxonomyRepository {
 		const updates: Partial<TaxonomyTable> = {};
 		if (input.slug !== undefined) updates.slug = input.slug;
 		if (input.label !== undefined) updates.label = input.label;
-		if (input.parentId !== undefined) updates.parent_id = input.parentId;
+		if (input.parentId !== undefined) {
+			// Defense in depth: empty-string parentId means null (no parent).
+			updates.parent_id = input.parentId === "" ? null : input.parentId;
+		}
 		if (input.data !== undefined) updates.data = JSON.stringify(input.data);
 
 		if (Object.keys(updates).length > 0) {

package/src/database/repositories/types.ts

@@ -1,5 +1,15 @@
 import { encodeBase64, decodeBase64 } from "../../utils/base64.js";
 
+/**
+ * Hard cap on cursor length. Cursors we issue are short JSON-in-base64
+ * blobs; a real cursor is well under 200 chars. This guards against
+ * malicious callers passing megabyte-sized strings to force the base64
+ * decoder to allocate (decodeBase64 is O(N) in input size). The MCP and
+ * REST schemas also clamp at 2048 — this 4096 cap is a defense-in-depth
+ * floor inside the repository helpers.
+ */
+const MAX_CURSOR_LENGTH = 4096;
+
 export interface CreateContentInput {
 	type: string;
 	slug?: string | null;
@@ -87,17 +97,45 @@ export function encodeCursor(orderValue: string, id: string): string {
 	return encodeBase64(JSON.stringify({ orderValue, id }));
 }
 
-/** Decode a cursor to order value + id. Returns null if invalid. */
-export function decodeCursor(cursor: string): { orderValue: string; id: string } | null {
+/**
+ * Thrown when a pagination cursor cannot be decoded.
+ *
+ * Repository callers should let this propagate; handler catch blocks
+ * map it to a structured `INVALID_CURSOR` error so client pagination
+ * bugs surface immediately rather than silently re-fetching the first
+ * page.
+ */
+export class InvalidCursorError extends Error {
+	constructor(cursor: string) {
+		const display = cursor.length > 50 ? `${cursor.slice(0, 47)}...` : cursor;
+		super(`Invalid pagination cursor: ${display}`);
+		this.name = "InvalidCursorError";
+	}
+}
+
+/**
+ * Decode a cursor to order value + id.
+ *
+ * Throws `InvalidCursorError` if the cursor is empty, not valid base64,
+ * not valid JSON, or doesn't contain string `orderValue` and `id` fields.
+ */
+export function decodeCursor(cursor: string): { orderValue: string; id: string } {
+	if (!cursor) throw new InvalidCursorError(cursor);
+	if (cursor.length > MAX_CURSOR_LENGTH) throw new InvalidCursorError(cursor);
+	let parsed: unknown;
 	try {
-		const parsed = JSON.parse(decodeBase64(cursor));
-		if (typeof parsed.orderValue === "string" && typeof parsed.id === "string") {
-			return parsed;
-		}
-		return null;
+		parsed = JSON.parse(decodeBase64(cursor));
 	} catch {
-		return null;
+		throw new InvalidCursorError(cursor);
+	}
+	if (parsed === null || typeof parsed !== "object") {
+		throw new InvalidCursorError(cursor);
+	}
+	const candidate = parsed as { orderValue?: unknown; id?: unknown };
+	if (typeof candidate.orderValue !== "string" || typeof candidate.id !== "string") {
+		throw new InvalidCursorError(cursor);
 	}
+	return { orderValue: candidate.orderValue, id: candidate.id };
 }
 
 export interface ContentItem {
@@ -121,6 +159,17 @@ export interface ContentItem {
 	translationGroup: string | null;
 	/** SEO metadata — only populated for collections with `has_seo` enabled */
 	seo?: ContentSeo;
+	/**
+	 * For collections that support `revisions`: when a draft revision exists,
+	 * `data` reflects the unsaved draft and `liveData` carries the currently-
+	 * published values. When no draft exists, `liveData` is undefined.
+	 *
+	 * Hydrated by `EmDashRuntime.hydrateDraftData()` — repositories themselves
+	 * never set this field; it's purely a runtime-overlay concept that gives
+	 * agents a clear picture of "draft vs. live" without re-fetching the
+	 * revision history.
+	 */
+	liveData?: Record<string, unknown>;
 }
 
 export class EmDashValidationError extends Error {

package/src/database/repositories/user.ts

@@ -123,14 +123,12 @@ export class UserRepository {
 
 		if (options.cursor) {
 			const decoded = decodeCursor(options.cursor);
-			if (decoded) {
-				query = query.where((eb) =>
-					eb.or([
-						eb("created_at", "<", decoded.orderValue),
-						eb.and([eb("created_at", "=", decoded.orderValue), eb("id", "<", decoded.id)]),
-					]),
-				);
-			}
+			query = query.where((eb) =>
+				eb.or([
+					eb("created_at", "<", decoded.orderValue),
+					eb.and([eb("created_at", "=", decoded.orderValue), eb("id", "<", decoded.id)]),
+				]),
+			);
 		}
 
 		const rows = await query.execute();

package/src/database/types.ts

@@ -466,6 +466,15 @@ export interface NotFoundLogTable {
 	referrer: string | null;
 	user_agent: string | null;
 	ip: string | null;
+	hits: number;
+	/**
+	 * Migration 035 adds this as a nullable column (SQLite can't add a
+	 * NOT NULL column with a non-constant default to an existing table).
+	 * The `log404` upsert always writes a value, so new and updated rows
+	 * always have one, but existing rows pre-migration were backfilled
+	 * without a NOT NULL constraint. Typed as nullable to match the schema.
+	 */
+	last_seen_at: string | null;
 	created_at: string;
 }