emdash 0.6.0 → 1.0.0

package/src/emdash-runtime.ts

@@ -19,6 +19,7 @@ import type {
 } from "./astro/integration/runtime.js";
 import type { EmDashManifest, ManifestCollection } from "./astro/types.js";
 import { getAuthMode } from "./auth/mode.js";
+import { getTrustedProxyHeaders } from "./auth/trusted-proxy.js";
 import { isSqlite } from "./database/dialect-helpers.js";
 import { kyselyLogOption } from "./database/instrumentation.js";
 import { runMigrations } from "./database/migrations/runner.js";
@@ -45,6 +46,20 @@ import { COMMIT, VERSION } from "./version.js";
 
 const LEADING_SLASH_PATTERN = /^\//;
 
+/**
+ * Parse a JSON column expected to contain an array of strings.
+ *
+ * Throws on malformed JSON rather than returning []; callers are responsible
+ * for deciding how to handle/log the error. Empty string / null inputs return
+ * [] (they represent "no value"). Non-string array entries are filtered out.
+ */
+function parseStringArray(raw: string | null | undefined): string[] {
+	if (!raw) return [];
+	const parsed: unknown = JSON.parse(raw);
+	if (!Array.isArray(parsed)) return [];
+	return parsed.filter((v): v is string => typeof v === "string");
+}
+
 /** Combined result from a single-pass page contribution collection */
 interface PageContributions {
 	metadata: PageMetadataContribution[];
@@ -236,6 +251,45 @@ export interface RuntimeDependencies {
 	createSandboxRunner: ((opts: { db: Kysely<Database> }) => SandboxRunner) | null;
 }
 
+/**
+ * Constructor parameters for `EmDashRuntime`.
+ *
+ * Production code should use `EmDashRuntime.create()` which discovers and
+ * loads all parts (database, plugins, hooks, cron, etc.) and then calls the
+ * constructor. Direct construction is supported for callers that already
+ * have all the dependencies in hand — for example, integration tests that
+ * supply a pre-migrated database and an empty plugin set.
+ *
+ * Every field corresponds 1:1 to internal state set on the runtime — none of
+ * these are derived. If you don't have a value for one, see what `create()`
+ * passes for that field as the canonical default.
+ */
+export interface EmDashRuntimeParts {
+	db: Kysely<Database>;
+	storage: Storage | null;
+	configuredPlugins: ResolvedPlugin[];
+	sandboxedPlugins: Map<string, SandboxedPlugin>;
+	sandboxedPluginEntries: SandboxedPluginEntry[];
+	hooks: HookPipeline;
+	enabledPlugins: Set<string>;
+	pluginStates: Map<string, string>;
+	config: EmDashConfig;
+	mediaProviders: Map<string, MediaProvider>;
+	mediaProviderEntries: MediaProviderEntry[];
+	cronExecutor: CronExecutor | null;
+	cronScheduler: CronScheduler | null;
+	emailPipeline: EmailPipeline | null;
+	allPipelinePlugins: ResolvedPlugin[];
+	pipelineFactoryOptions: {
+		db: Kysely<Database>;
+		storage?: Storage;
+		siteInfo?: { siteName?: string; siteUrl?: string; locale?: string };
+	};
+	runtimeDeps: RuntimeDependencies;
+	pipelineRef: { current: HookPipeline };
+	manifestCacheKey: string;
+}
+
 /**
  * Convert a ContentItem to Record<string, unknown> for hook consumption.
  * Hooks receive the full item as a flat record.
@@ -336,51 +390,27 @@ export class EmDashRuntime {
 		return this._db;
 	}
 
-	private constructor(
-		db: Kysely<Database>,
-		storage: Storage | null,
-		configuredPlugins: ResolvedPlugin[],
-		sandboxedPlugins: Map<string, SandboxedPlugin>,
-		sandboxedPluginEntries: SandboxedPluginEntry[],
-		hooks: HookPipeline,
-		enabledPlugins: Set<string>,
-		pluginStates: Map<string, string>,
-		config: EmDashConfig,
-		mediaProviders: Map<string, MediaProvider>,
-		mediaProviderEntries: MediaProviderEntry[],
-		cronExecutor: CronExecutor | null,
-		cronScheduler: CronScheduler | null,
-		emailPipeline: EmailPipeline | null,
-		allPipelinePlugins: ResolvedPlugin[],
-		pipelineFactoryOptions: {
-			db: Kysely<Database>;
-			storage?: Storage;
-			siteInfo?: { siteName?: string; siteUrl?: string; locale?: string };
-		},
-		runtimeDeps: RuntimeDependencies,
-		pipelineRef: { current: HookPipeline },
-		manifestCacheKey: string,
-	) {
-		this._db = db;
-		this.storage = storage;
-		this.configuredPlugins = configuredPlugins;
-		this.sandboxedPlugins = sandboxedPlugins;
-		this.sandboxedPluginEntries = sandboxedPluginEntries;
-		this.schemaRegistry = new SchemaRegistry(db);
-		this._hooks = hooks;
-		this.enabledPlugins = enabledPlugins;
-		this.pluginStates = pluginStates;
-		this.config = config;
-		this.mediaProviders = mediaProviders;
-		this.mediaProviderEntries = mediaProviderEntries;
-		this.cronExecutor = cronExecutor;
-		this.cronScheduler = cronScheduler;
-		this.email = emailPipeline;
-		this.allPipelinePlugins = allPipelinePlugins;
-		this.pipelineFactoryOptions = pipelineFactoryOptions;
-		this.runtimeDeps = runtimeDeps;
-		this.pipelineRef = pipelineRef;
-		this._manifestCacheKey = manifestCacheKey;
+	constructor(parts: EmDashRuntimeParts) {
+		this._db = parts.db;
+		this.storage = parts.storage;
+		this.configuredPlugins = parts.configuredPlugins;
+		this.sandboxedPlugins = parts.sandboxedPlugins;
+		this.sandboxedPluginEntries = parts.sandboxedPluginEntries;
+		this.schemaRegistry = new SchemaRegistry(parts.db);
+		this._hooks = parts.hooks;
+		this.enabledPlugins = parts.enabledPlugins;
+		this.pluginStates = parts.pluginStates;
+		this.config = parts.config;
+		this.mediaProviders = parts.mediaProviders;
+		this.mediaProviderEntries = parts.mediaProviderEntries;
+		this.cronExecutor = parts.cronExecutor;
+		this.cronScheduler = parts.cronScheduler;
+		this.email = parts.emailPipeline;
+		this.allPipelinePlugins = parts.allPipelinePlugins;
+		this.pipelineFactoryOptions = parts.pipelineFactoryOptions;
+		this.runtimeDeps = parts.runtimeDeps;
+		this.pipelineRef = parts.pipelineRef;
+		this._manifestCacheKey = parts.manifestCacheKey;
 	}
 
 	/**
@@ -857,16 +887,16 @@ export class EmDashRuntime {
 			].join("|"),
 		);
 
-		return new EmDashRuntime(
+		return new EmDashRuntime({
 			db,
 			storage,
-			deps.plugins,
+			configuredPlugins: deps.plugins,
 			sandboxedPlugins,
-			deps.sandboxedPluginEntries,
-			pipeline,
+			sandboxedPluginEntries: deps.sandboxedPluginEntries,
+			hooks: pipeline,
 			enabledPlugins,
 			pluginStates,
-			deps.config,
+			config: deps.config,
 			mediaProviders,
 			mediaProviderEntries,
 			cronExecutor,
@@ -874,10 +904,10 @@ export class EmDashRuntime {
 			emailPipeline,
 			allPipelinePlugins,
 			pipelineFactoryOptions,
-			deps,
+			runtimeDeps: deps,
 			pipelineRef,
 			manifestCacheKey,
-		);
+		});
 	}
 
 	/**
@@ -1488,7 +1518,7 @@ export class EmDashRuntime {
 				label: row.label,
 				labelSingular: row.label_singular ?? undefined,
 				hierarchical: row.hierarchical === 1,
-				collections: row.collections ? (JSON.parse(row.collections) as string[]).toSorted() : [],
+				collections: parseStringArray(row.collections).toSorted(),
 			}));
 		} catch (error) {
 			console.debug("EmDash: Could not load taxonomy definitions:", error);
@@ -1614,11 +1644,75 @@ export class EmDashRuntime {
 	}
 
 	async handleContentGet(collection: string, id: string, locale?: string) {
-		return handleContentGet(this.db, collection, id, locale);
+		const result = await handleContentGet(this.db, collection, id, locale);
+		return this.hydrateDraftData(result);
 	}
 
 	async handleContentGetIncludingTrashed(collection: string, id: string, locale?: string) {
-		return handleContentGetIncludingTrashed(this.db, collection, id, locale);
+		const result = await handleContentGetIncludingTrashed(this.db, collection, id, locale);
+		return this.hydrateDraftData(result);
+	}
+
+	/**
+	 * If the response item has a `draftRevisionId`, replace `item.data` with
+	 * the draft revision's data and expose the original published values as
+	 * `liveData`. This makes the content_get / content_update round-trip
+	 * intuitive — read returns the latest content the caller has saved
+	 * (their pending draft), with the previously-published values still
+	 * accessible for compare-style flows.
+	 *
+	 * No-op when no draft exists or the response is an error.
+	 */
+	private async hydrateDraftData<T>(result: T): Promise<T> {
+		if (!result || typeof result !== "object") return result;
+		// eslint-disable-next-line typescript-eslint(no-unsafe-type-assertion) -- shape probed below
+		const r = result as {
+			success?: boolean;
+			data?: { item?: Record<string, unknown> };
+		};
+		if (!r.success || !r.data?.item) return result;
+		const item = r.data.item;
+		const draftRevisionId = typeof item.draftRevisionId === "string" ? item.draftRevisionId : null;
+		if (!draftRevisionId) return result;
+		try {
+			const revision = await new RevisionRepository(this.db).findById(draftRevisionId);
+			if (!revision) return result;
+			const liveData =
+				item.data && typeof item.data === "object"
+					? // eslint-disable-next-line typescript-eslint(no-unsafe-type-assertion) -- narrowed to object above
+						(item.data as Record<string, unknown>)
+					: {};
+			// Strip leading-underscore keys (`_slug`, `_rev`, etc.) from the
+			// revision data — those are handler-internal markers and don't
+			// belong in the surfaced `data` field. Match syncDataColumns at
+			// content.ts:~1119.
+			const revisionData: Record<string, unknown> = {};
+			for (const [key, value] of Object.entries(revision.data)) {
+				if (!key.startsWith("_")) revisionData[key] = value;
+			}
+			const mergedData = { ...liveData, ...revisionData };
+			// Return a clone rather than mutating in place. The response
+			// object isn't retained by the runtime today, but a future
+			// request-cache layer would observe stale-after-mutation bugs;
+			// cloning closes that footgun.
+			// `r.data` was narrowed to `{ item?: ... }` at the top of this
+			// method; spread its other keys (e.g. `_rev`) alongside the
+			// hydrated item without going back through `unknown`.
+			return {
+				...result,
+				// eslint-disable-next-line typescript-eslint(no-unsafe-type-assertion) -- shape preserved; result has been narrowed to the {success,data:{item}} envelope
+				data: {
+					...r.data,
+					item: { ...item, data: mergedData, liveData },
+				},
+			} as T;
+		} catch (error) {
+			// Non-fatal — fall back to the unhydrated response. Log so the
+			// failure isn't completely silent (the response will look stale
+			// to the caller but no error is raised).
+			console.error("[emdash] draft hydration failed:", error);
+			return result;
+		}
 	}
 
 	async handleContentCreate(
@@ -1646,6 +1740,20 @@ export class EmDashRuntime {
 		// Normalize media fields (fill dimensions, storageKey, etc.)
 		processedData = await this.normalizeMediaFields(collection, processedData);
 
+		// Validate against the collection schema. Hook output is validated
+		// rather than `body.data` so plugins that mutate field values can't
+		// sneak invalid data past.
+		const { validateContentData } = await import("./api/handlers/validation.js");
+		const validation = await validateContentData(this.db, collection, processedData, {
+			partial: false,
+		});
+		if (!validation.ok) {
+			return {
+				success: false as const,
+				error: validation.error,
+			};
+		}
+
 		// Create the content
 		const result = await handleContentCreate(this.db, collection, {
 			...body,
@@ -1719,6 +1827,19 @@ export class EmDashRuntime {
 
 			// Normalize media fields (fill dimensions, storageKey, etc.)
 			processedData = await this.normalizeMediaFields(collection, processedData);
+
+			// Validate field-level shape BEFORE the draft-revision write so
+			// invalid updates can't silently land in revision history.
+			const { validateContentData } = await import("./api/handlers/validation.js");
+			const validation = await validateContentData(this.db, collection, processedData, {
+				partial: true,
+			});
+			if (!validation.ok) {
+				return {
+					success: false as const,
+					error: validation.error,
+				};
+			}
 		}
 
 		// Draft-aware revision handling (if collection supports revisions)
@@ -1794,12 +1915,18 @@ export class EmDashRuntime {
 			bylines: bodyWithoutRev.bylines,
 		});
 
+		// Hydrate draft data BEFORE firing afterSave hooks so the hook sees
+		// the same effective data the response surfaces — for revision-
+		// supporting collections, that's the just-saved draft, not the live
+		// columns.
+		const hydrated = await this.hydrateDraftData(result);
+
 		// Run afterSave hooks (fire-and-forget)
-		if (result.success && result.data) {
-			this.runAfterSaveHooks(contentItemToRecord(result.data.item), collection, false);
+		if (hydrated.success && hydrated.data) {
+			this.runAfterSaveHooks(contentItemToRecord(hydrated.data.item), collection, false);
 		}
 
-		return result;
+		return hydrated;
 	}
 
 	async handleContentDelete(collection: string, id: string) {
@@ -1946,6 +2073,7 @@ export class EmDashRuntime {
 		contentHash?: string;
 		blurhash?: string;
 		dominantColor?: string;
+		authorId?: string;
 	}) {
 		// Run beforeUpload hooks
 		let processedInput = input;
@@ -2009,7 +2137,74 @@ export class EmDashRuntime {
 	}
 
 	async handleRevisionRestore(revisionId: string, callerUserId: string) {
-		return handleRevisionRestore(this.db, revisionId, callerUserId);
+		// Discover the parent entry up front so we can branch on whether
+		// the collection uses draft revisions.
+		const revisionRepo = new RevisionRepository(this.db);
+		const revision = await revisionRepo.findById(revisionId);
+		if (!revision) {
+			return {
+				success: false as const,
+				error: {
+					code: "NOT_FOUND",
+					message: `Revision not found: ${revisionId}`,
+				},
+			};
+		}
+
+		const collectionInfo = await this.schemaRegistry.getCollectionWithFields(revision.collection);
+		const usesDraftRevisions = collectionInfo?.supports?.includes("revisions") ?? false;
+
+		// Non-revision collections: keep the legacy behavior of writing the
+		// revision's data straight onto the live row. This preserves
+		// behavior for collections that opt out of the draft model.
+		if (!usesDraftRevisions) {
+			const result = await handleRevisionRestore(this.db, revisionId, callerUserId);
+			return this.hydrateDraftData(result);
+		}
+
+		// Revision-capable collections: restore is "make this revision the
+		// current draft". The live row's data columns are left untouched
+		// (only `draft_revision_id` and `updated_at` change). The caller
+		// must then `content_publish` to promote the restored draft to
+		// live, matching the documented tool contract.
+		try {
+			const newDraft = await revisionRepo.create({
+				collection: revision.collection,
+				entryId: revision.entryId,
+				data: revision.data,
+				authorId: callerUserId,
+			});
+
+			validateIdentifier(revision.collection, "collection");
+			const tableName = `ec_${revision.collection}`;
+			await sql`
+				UPDATE ${sql.ref(tableName)}
+				SET draft_revision_id = ${newDraft.id},
+					updated_at = ${new Date().toISOString()}
+				WHERE id = ${revision.entryId}
+			`.execute(this.db);
+
+			// Fire-and-forget: prune old revisions to prevent unbounded growth
+			void revisionRepo
+				.pruneOldRevisions(revision.collection, revision.entryId, 50)
+				.catch(() => {});
+
+			// Return the freshly-fetched item with the new draft hydrated
+			// onto `data`. Without this the response would echo the live
+			// columns and the next `content_get` would surface different
+			// values (the bug that motivated this rewrite).
+			const refetched = await handleContentGet(this.db, revision.collection, revision.entryId);
+			return this.hydrateDraftData(refetched);
+		} catch (error) {
+			console.error("[emdash] revision restore failed:", error);
+			return {
+				success: false as const,
+				error: {
+					code: "REVISION_RESTORE_ERROR",
+					message: "Failed to restore revision",
+				},
+			};
+		}
 	}
 
 	// =========================================================================
@@ -2080,6 +2275,7 @@ export class EmDashRuntime {
 			const routeRegistry = new PluginRouteRegistry({
 				db: this.db,
 				emailPipeline: this.email ?? undefined,
+				trustedProxyHeaders: getTrustedProxyHeaders(this.config),
 			});
 			routeRegistry.register(trustedPlugin);
 
@@ -2220,22 +2416,34 @@ export class EmDashRuntime {
 		collection: string,
 		isNew: boolean,
 	): void {
-		// Trusted plugins
-		if (this.hooks.hasHooks("content:afterSave")) {
-			this.hooks
-				.runContentAfterSave(content, collection, isNew)
-				.catch((err) => console.error("EmDash afterSave hook error:", err));
-		}
-
-		// Sandboxed plugins
-		for (const [pluginKey, plugin] of this.sandboxedPlugins) {
-			const [id] = pluginKey.split(":");
-			if (!id || !this.isPluginEnabled(id)) continue;
+		after(async () => {
+			// Trusted plugins
+			if (this.hooks.hasHooks("content:afterSave")) {
+				try {
+					await this.hooks.runContentAfterSave(content, collection, isNew);
+				} catch (err) {
+					console.error("EmDash afterSave hook error:", err);
+				}
+			}
 
-			plugin
-				.invokeHook("content:afterSave", { content, collection, isNew })
-				.catch((err) => console.error(`EmDash: Sandboxed plugin ${id} afterSave error:`, err));
-		}
+			// Sandboxed plugins
+			const tasks: Promise<void>[] = [];
+			for (const [pluginKey, plugin] of this.sandboxedPlugins) {
+				const [id] = pluginKey.split(":");
+				if (!id || !this.isPluginEnabled(id)) continue;
+
+				tasks.push(
+					(async () => {
+						try {
+							await plugin.invokeHook("content:afterSave", { content, collection, isNew });
+						} catch (err) {
+							console.error(`EmDash: Sandboxed plugin ${id} afterSave error:`, err);
+						}
+					})(),
+				);
+			}
+			await Promise.allSettled(tasks);
+		});
 	}
 
 	private runAfterDeleteHooks(id: string, collection: string, permanent: boolean): void {
@@ -2260,24 +2468,34 @@ export class EmDashRuntime {
 	}
 
 	private runAfterPublishHooks(content: Record<string, unknown>, collection: string): void {
-		// Trusted plugins
-		if (this.hooks.hasHooks("content:afterPublish")) {
-			this.hooks
-				.runContentAfterPublish(content, collection)
-				.catch((err) => console.error("EmDash afterPublish hook error:", err));
-		}
-
-		// Sandboxed plugins
-		for (const [pluginKey, plugin] of this.sandboxedPlugins) {
-			const [pluginId] = pluginKey.split(":");
-			if (!pluginId || !this.isPluginEnabled(pluginId)) continue;
+		after(async () => {
+			// Trusted plugins
+			if (this.hooks.hasHooks("content:afterPublish")) {
+				try {
+					await this.hooks.runContentAfterPublish(content, collection);
+				} catch (err) {
+					console.error("EmDash afterPublish hook error:", err);
+				}
+			}
 
-			plugin
-				.invokeHook("content:afterPublish", { content, collection })
-				.catch((err) =>
-					console.error(`EmDash: Sandboxed plugin ${pluginId} afterPublish error:`, err),
+			// Sandboxed plugins
+			const tasks: Promise<void>[] = [];
+			for (const [pluginKey, plugin] of this.sandboxedPlugins) {
+				const [pluginId] = pluginKey.split(":");
+				if (!pluginId || !this.isPluginEnabled(pluginId)) continue;
+
+				tasks.push(
+					(async () => {
+						try {
+							await plugin.invokeHook("content:afterPublish", { content, collection });
+						} catch (err) {
+							console.error(`EmDash: Sandboxed plugin ${pluginId} afterPublish error:`, err);
+						}
+					})(),
 				);
-		}
+			}
+			await Promise.allSettled(tasks);
+		});
 	}
 
 	private runAfterUnpublishHooks(content: Record<string, unknown>, collection: string): void {
@@ -2321,7 +2539,7 @@ export class EmDashRuntime {
 
 		try {
 			const headers = sanitizeHeadersForSandbox(request.headers);
-			const meta = extractRequestMeta(request);
+			const meta = extractRequestMeta(request, this.config);
 			const result = await plugin.invokeRoute(routeName, body, {
 				url: request.url,
 				method: request.method,

package/src/import/registry.ts

@@ -4,7 +4,7 @@
  * Manages available import sources and provides URL probing.
  */
 
-import { validateExternalUrl } from "./ssrf.js";
+import { resolveAndValidateExternalUrl } from "./ssrf.js";
 import type { ImportSource, ProbeResult, SourceProbeResult } from "./types.js";
 
 // Regex pattern for URL normalization
@@ -63,8 +63,9 @@ export async function probeUrl(url: string): Promise<ProbeResult> {
 	// Remove trailing slash for consistency
 	normalizedUrl = normalizedUrl.replace(TRAILING_SLASHES_PATTERN, "");
 
-	// SSRF: reject internal/private network targets
-	validateExternalUrl(normalizedUrl);
+	// SSRF: reject internal/private network targets. DNS resolution
+	// catches hostnames that resolve to private addresses.
+	await resolveAndValidateExternalUrl(normalizedUrl);
 
 	const results: SourceProbeResult[] = [];
 	const urlSources = getUrlSources();