emdash 0.7.0 → 0.8.0

package/src/api/handlers/validation.ts

@@ -0,0 +1,212 @@
+/**
+ * Field-level validation for content create / update.
+ *
+ * Wires the existing `generateZodSchema()` pipeline (`schema/zod-generator.ts`)
+ * into the handler boundary so REST and MCP both get the same enforcement:
+ *
+ *  - required fields must be present and non-empty
+ *  - select / multiSelect values must match the configured options
+ *  - reference fields must resolve to a real, non-trashed target
+ *
+ * Errors surface as `{ code: "VALIDATION_ERROR", message }` with all
+ * offending fields listed in one message so callers can fix everything in
+ * a single round trip.
+ */
+
+import { sql, type Kysely } from "kysely";
+
+import type { Database } from "../../database/types.js";
+import { validateIdentifier } from "../../database/validate.js";
+import { SchemaRegistry } from "../../schema/registry.js";
+import type { Field } from "../../schema/types.js";
+import { generateZodSchema } from "../../schema/zod-generator.js";
+import { chunks, SQL_BATCH_SIZE } from "../../utils/chunks.js";
+import { isMissingTableError } from "../../utils/db-errors.js";
+
+type ValidationResult =
+	| { ok: true }
+	| { ok: false; error: { code: "VALIDATION_ERROR" | "COLLECTION_NOT_FOUND"; message: string } };
+
+/** Treat `undefined`, `null`, and `""` as "not set". */
+function isMissing(value: unknown): boolean {
+	return value === undefined || value === null || value === "";
+}
+
+/**
+ * Resolve the target collection slug for a reference field.
+ *
+ * Schema-defined reference fields (the static `reference()` factory in
+ * `fields/reference.ts`) put the target in `options.collection`. The MCP
+ * `schema_create_field` tool also puts it there. Tests and some admin paths
+ * stash it inside `validation.collection` directly; we accept both.
+ */
+function getReferenceTargetCollection(field: Field): string | undefined {
+	const fromOptions = field.options?.collection;
+	if (typeof fromOptions === "string" && fromOptions.length > 0) return fromOptions;
+	const validation = field.validation;
+	if (validation && "collection" in validation) {
+		const fromValidation: unknown = (validation as { collection?: unknown }).collection;
+		if (typeof fromValidation === "string" && fromValidation.length > 0) return fromValidation;
+	}
+	return undefined;
+}
+
+/**
+ * Format a Zod issue path into a human-readable field reference, e.g.
+ * `tags`, `tags.1`, `image.alt`.
+ */
+function formatIssuePath(path: ReadonlyArray<PropertyKey>): string {
+	if (path.length === 0) return "(root)";
+	return path.map((seg) => String(seg)).join(".");
+}
+
+/**
+ * Validate `data` against the collection's field definitions.
+ *
+ * `partial: true` switches Zod into partial mode so updates can include
+ * only the fields being changed without tripping required-field errors on
+ * fields the caller didn't touch. Required fields that ARE present in
+ * partial-mode data still get the empty-string check below.
+ */
+export async function validateContentData(
+	db: Kysely<Database>,
+	collection: string,
+	data: Record<string, unknown>,
+	options: { partial?: boolean } = {},
+): Promise<ValidationResult> {
+	const registry = new SchemaRegistry(db);
+	const collectionWithFields = await registry.getCollectionWithFields(collection);
+	if (!collectionWithFields) {
+		return {
+			ok: false,
+			error: {
+				code: "COLLECTION_NOT_FOUND",
+				message: `Collection '${collection}' not found`,
+			},
+		};
+	}
+
+	const issues: string[] = [];
+
+	// Detect unknown keys explicitly so callers get a useful error rather
+	// than silently dropped data. Leading-underscore keys (e.g. `_slug`,
+	// `_rev`) are reserved for internal handler/runtime use and aren't real
+	// fields; skip them.
+	const knownFields = new Set(collectionWithFields.fields.map((f) => f.slug));
+	for (const key of Object.keys(data)) {
+		if (key.startsWith("_")) continue;
+		if (!knownFields.has(key)) {
+			issues.push(`${key}: unknown field on collection '${collection}'`);
+		}
+	}
+
+	// Zod handles type, enum, length and missing-required (in non-partial
+	// mode) checks. Empty-string handling for required string fields is
+	// done as a separate pass below since Zod's `z.string()` accepts "".
+	const baseSchema = generateZodSchema(collectionWithFields);
+	const schema = options.partial ? baseSchema.partial() : baseSchema;
+	const parsed = schema.safeParse(data);
+	if (!parsed.success) {
+		for (const issue of parsed.error.issues) {
+			issues.push(`${formatIssuePath(issue.path)}: ${issue.message}`);
+		}
+	}
+
+	// Empty-string-on-required check. In create mode (partial=false) Zod
+	// already catches missing/null for required fields, but `z.string()`
+	// happily accepts "". In update mode (partial=true) the field is only
+	// checked if it's present in `data`.
+	for (const field of collectionWithFields.fields) {
+		if (!field.required) continue;
+		const present = Object.hasOwn(data, field.slug);
+		if (options.partial && !present) continue;
+		if (data[field.slug] === "") {
+			issues.push(`${field.slug}: required (empty value not allowed)`);
+		}
+	}
+
+	// Reference target existence. Only check fields that:
+	//   - have a value (non-missing) in `data`
+	//   - have a resolvable target collection
+	//   - in partial mode: are present in `data`
+	// Batch one IN-query per target collection to keep round-trips low.
+	const refsByTarget = new Map<string, { field: string; id: string }[]>();
+	for (const field of collectionWithFields.fields) {
+		if (field.type !== "reference") continue;
+		if (options.partial && !Object.hasOwn(data, field.slug)) continue;
+		const value = data[field.slug];
+		if (isMissing(value)) continue;
+		if (typeof value !== "string") continue; // Zod will have flagged this already
+		const target = getReferenceTargetCollection(field);
+		if (!target) continue;
+		const list = refsByTarget.get(target) ?? [];
+		list.push({ field: field.slug, id: value });
+		refsByTarget.set(target, list);
+	}
+
+	for (const [target, refs] of refsByTarget) {
+		// Validate the target collection slug before interpolating into raw
+		// SQL — defense-in-depth even though slugs are already validated at
+		// schema-create time.
+		try {
+			validateIdentifier(target, "reference target collection");
+		} catch {
+			for (const ref of refs) {
+				issues.push(`${ref.field}: invalid reference target collection '${target}'`);
+			}
+			continue;
+		}
+
+		const ids = [...new Set(refs.map((r) => r.id))];
+		const tableName = `ec_${target}`;
+
+		// Chunk the IN clause to stay below D1's bind-parameter limit. One
+		// reference per request is the common case today; chunking makes the
+		// helper safe if a future multiSelect-of-references is added.
+		const found = new Set<string>();
+		let targetTableMissing = false;
+		for (const idChunk of chunks(ids, SQL_BATCH_SIZE)) {
+			try {
+				const rows = await sql<{ id: string }>`
+					SELECT id FROM ${sql.ref(tableName)}
+					WHERE id IN (${sql.join(idChunk)})
+					AND deleted_at IS NULL
+				`.execute(db);
+				for (const row of rows.rows) {
+					found.add(row.id);
+				}
+			} catch (error) {
+				// Missing table = the target collection table doesn't exist
+				// (orphan reference). Treat all those references as missing.
+				// Any other DB error (permissions, connection, syntax) must
+				// propagate — silently dropping data integrity errors as
+				// "not found" is exactly the bug F5 fixes.
+				if (isMissingTableError(error)) {
+					targetTableMissing = true;
+					break;
+				}
+				throw error;
+			}
+		}
+		if (targetTableMissing) {
+			for (const ref of refs) {
+				issues.push(`${ref.field}: target '${ref.id}' not found in collection '${target}'`);
+			}
+			continue;
+		}
+		for (const ref of refs) {
+			if (!found.has(ref.id)) {
+				issues.push(`${ref.field}: target '${ref.id}' not found in collection '${target}'`);
+			}
+		}
+	}
+
+	if (issues.length === 0) return { ok: true };
+	return {
+		ok: false,
+		error: {
+			code: "VALIDATION_ERROR",
+			message: issues.join("; "),
+		},
+	};
+}

package/src/api/openapi/document.ts

@@ -122,6 +122,7 @@ import {
 	reorderWidgetsBody,
 	updateWidgetBody,
 	widgetAreaSchema,
+	widgetAreaWithWidgetsAndCountSchema,
 	widgetAreaWithWidgetsSchema,
 	widgetSchema,
 } from "../schemas/widgets.js";
@@ -1581,7 +1582,9 @@ const widgetPaths = {
 					description: "Widget area list",
 					content: {
 						[JSON_CONTENT]: {
-							schema: successEnvelope(z.object({ items: z.array(widgetAreaSchema) })),
+							schema: successEnvelope(
+								z.object({ items: z.array(widgetAreaWithWidgetsAndCountSchema) }),
+							),
 						},
 					},
 				},

package/src/api/public-url.ts

@@ -9,7 +9,10 @@
  * Workers-safe: no Node.js imports.
  */
 
-import type { EmDashConfig } from "../astro/integration/runtime.js";
+/** Minimal config shape — avoids importing the full EmDashConfig type tree. */
+interface SiteUrlConfig {
+	siteUrl?: string;
+}
 
 /**
  * Resolve siteUrl from runtime environment variables.
@@ -67,7 +70,7 @@ function getEnvSiteUrl(): string | undefined {
  * @param config  The EmDash config (from `locals.emdash?.config`)
  * @returns Origin string, e.g. `"https://mysite.example.com"`
  */
-export function getPublicOrigin(url: URL, config?: EmDashConfig): string {
+export function getPublicOrigin(url: URL, config?: SiteUrlConfig): string {
 	return config?.siteUrl || getEnvSiteUrl() || url.origin;
 }
 
@@ -79,6 +82,6 @@ export function getPublicOrigin(url: URL, config?: EmDashConfig): string {
  * @param path  Path to append (must start with `/`)
  * @returns Full URL string, e.g. `"https://mysite.example.com/_emdash/admin/login"`
  */
-export function getPublicUrl(url: URL, config: EmDashConfig | undefined, path: string): string {
+export function getPublicUrl(url: URL, config: SiteUrlConfig | undefined, path: string): string {
 	return `${getPublicOrigin(url, config)}${path}`;
 }

package/src/api/route-utils.ts

@@ -0,0 +1,14 @@
+/**
+ * Public API route utilities for auth provider routes.
+ *
+ * This module re-exports the utilities that auth provider route handlers
+ * need from core. Auth providers (plugins) import these via `emdash/api/route-utils`.
+ */
+
+export { apiError, apiSuccess, handleError } from "./error.js";
+export { parseBody, parseQuery, isParseError } from "./parse.js";
+export type { ParseResult } from "./parse.js";
+export { finalizeSetup } from "./setup-complete.js";
+export { OptionsRepository } from "../database/repositories/options.js";
+export { getAuthProviderStorage } from "./auth-storage.js";
+export { getPublicOrigin } from "./public-url.js";

package/src/api/schemas/common.ts

@@ -22,7 +22,7 @@ export const roleLevel = z.coerce
 /** Pagination query params — cursor-based */
 export const cursorPaginationQuery = z
 	.object({
-		cursor: z.string().optional().meta({ description: "Opaque cursor for pagination" }),
+		cursor: z.string().max(2048).optional().meta({ description: "Opaque cursor for pagination" }),
 		limit: z.coerce.number().int().min(1).max(100).optional().default(50).meta({
 			description: "Maximum number of items to return (1-100, default 50)",
 		}),

package/src/api/schemas/setup.ts

@@ -35,3 +35,11 @@ export const setupAdminBody = z.object({
 export const setupAdminVerifyBody = z.object({
 	credential: registrationCredential,
 });
+
+export const atprotoLoginBody = z.object({
+	handle: z.string().trim().min(1),
+});
+
+export const setupAtprotoAdminBody = z.object({
+	handle: z.string().trim().min(1),
+});

package/src/api/schemas/widgets.ts

@@ -60,16 +60,12 @@ export const widgetAreaSchema = z
 export const widgetSchema = z
 	.object({
 		id: z.string(),
-		area_id: z.string(),
-		type: z.string(),
-		title: z.string().nullable(),
-		content: z.string().nullable(),
-		menu_name: z.string().nullable(),
-		component_id: z.string().nullable(),
-		component_props: z.string().nullable(),
-		sort_order: z.number().int(),
-		created_at: z.string(),
-		updated_at: z.string(),
+		type: widgetType,
+		title: z.string().optional(),
+		content: z.array(z.record(z.string(), z.unknown())).optional(),
+		menuName: z.string().optional(),
+		componentId: z.string().optional(),
+		componentProps: z.record(z.string(), z.unknown()).optional(),
 	})
 	.meta({ id: "Widget" });
 
@@ -78,3 +74,9 @@ export const widgetAreaWithWidgetsSchema = widgetAreaSchema
 		widgets: z.array(widgetSchema),
 	})
 	.meta({ id: "WidgetAreaWithWidgets" });
+
+export const widgetAreaWithWidgetsAndCountSchema = widgetAreaWithWidgetsSchema
+	.extend({
+		widgetCount: z.number().int(),
+	})
+	.meta({ id: "WidgetAreaWithWidgetsAndCount" });

package/src/api/setup-complete.ts

@@ -0,0 +1,40 @@
+/**
+ * Shared setup completion logic.
+ *
+ * Called by OAuth callbacks and the passkey verify step when the first user
+ * is created during setup. Persists site title/tagline from setup state
+ * and marks setup as complete.
+ */
+
+import type { Kysely } from "kysely";
+
+import { OptionsRepository } from "../database/repositories/options.js";
+import type { Database } from "../database/types.js";
+
+/**
+ * Finalize setup after the first admin user is created.
+ *
+ * Reads the setup_state option (written by the setup wizard's step 1),
+ * persists site_title and site_tagline, then marks setup complete.
+ *
+ * Safe to call multiple times — checks setup_complete first and no-ops
+ * if already done.
+ */
+export async function finalizeSetup(db: Kysely<Database>): Promise<void> {
+	const options = new OptionsRepository(db);
+
+	const setupComplete = await options.get("emdash:setup_complete");
+	if (setupComplete === true || setupComplete === "true") return;
+
+	// Persist site title/tagline from setup state (stored in step 1)
+	const setupState = await options.get<Record<string, unknown>>("emdash:setup_state");
+	if (setupState?.title && typeof setupState.title === "string") {
+		await options.set("emdash:site_title", setupState.title);
+	}
+	if (setupState?.tagline && typeof setupState.tagline === "string") {
+		await options.set("emdash:site_tagline", setupState.tagline);
+	}
+
+	await options.set("emdash:setup_complete", true);
+	await options.delete("emdash:setup_state");
+}

package/src/astro/integration/index.ts

@@ -15,7 +15,12 @@ import type { AstroIntegration, AstroIntegrationLogger } from "astro";
 import type { ResolvedPlugin } from "../../plugins/types.js";
 import { local } from "../storage/adapters.js";
 import { notoSans } from "./font-provider.js";
-import { injectCoreRoutes, injectBuiltinAuthRoutes, injectMcpRoute } from "./routes.js";
+import {
+	injectCoreRoutes,
+	injectBuiltinAuthRoutes,
+	injectAuthProviderRoutes,
+	injectMcpRoute,
+} from "./routes.js";
 import type { EmDashConfig, PluginDescriptor } from "./runtime.js";
 import { createViteConfig } from "./vite-config.js";
 
@@ -157,6 +162,7 @@ export function emdash(config: EmDashConfig = {}): AstroIntegration {
 		database: resolvedConfig.database,
 		storage: resolvedConfig.storage,
 		auth: resolvedConfig.auth,
+		authProviders: resolvedConfig.authProviders,
 		marketplace: resolvedConfig.marketplace,
 		siteUrl: resolvedConfig.siteUrl,
 		trustedProxyHeaders: resolvedConfig.trustedProxyHeaders,
@@ -267,7 +273,12 @@ export function emdash(config: EmDashConfig = {}): AstroIntegration {
 				// Inject all core routes
 				injectCoreRoutes(injectRoute);
 
-				// Only inject passkey/oauth/magic-link routes when NOT using external auth
+				// Inject routes from pluggable auth providers (authProviders config)
+				if (resolvedConfig.authProviders?.length) {
+					injectAuthProviderRoutes(injectRoute, resolvedConfig.authProviders);
+				}
+
+				// Inject passkey/oauth/magic-link routes unless transparent external auth is active
 				if (!useExternalAuth) {
 					injectBuiltinAuthRoutes(injectRoute);
 				}

package/src/astro/integration/routes.ts

@@ -46,6 +46,12 @@ export function injectCoreRoutes(injectRoute: InjectRoute): void {
 		entrypoint: resolveRoute("api/manifest.ts"),
 	});
 
+	// Auth mode endpoint (public — used by the login page to pick the right UI)
+	injectRoute({
+		pattern: "/_emdash/api/auth/mode",
+		entrypoint: resolveRoute("api/auth/mode.ts"),
+	});
+
 	injectRoute({
 		pattern: "/_emdash/api/dashboard",
 		entrypoint: resolveRoute("api/dashboard.ts"),
@@ -747,6 +753,28 @@ export function injectMcpRoute(injectRoute: InjectRoute): void {
 	});
 }
 
+/**
+ * Injects routes from pluggable auth providers.
+ *
+ * Each provider declares the routes it needs in its `AuthProviderDescriptor.routes` array.
+ * Routes are injected at build time so Vite can bundle them.
+ */
+export function injectAuthProviderRoutes(
+	injectRoute: InjectRoute,
+	providers: Array<{ routes?: Array<{ pattern: string; entrypoint: string }> }>,
+): void {
+	for (const provider of providers) {
+		if (provider.routes) {
+			for (const route of provider.routes) {
+				injectRoute({
+					pattern: route.pattern,
+					entrypoint: route.entrypoint,
+				});
+			}
+		}
+	}
+}
+
 /**
  * Injects passkey/oauth/magic-link auth routes.
  * Only used when NOT using external auth.

package/src/astro/integration/runtime.ts

@@ -7,7 +7,7 @@
  * DO NOT import Node.js-only modules here (fs, path, module, etc.)
  */
 
-import type { AuthDescriptor } from "../../auth/types.js";
+import type { AuthDescriptor, AuthProviderDescriptor } from "../../auth/types.js";
 import type { DatabaseDescriptor } from "../../db/adapters.js";
 import type { MediaProviderDescriptor } from "../../media/types.js";
 import type { ResolvedPlugin } from "../../plugins/types.js";
@@ -222,6 +222,24 @@ export interface EmDashConfig {
 	 */
 	auth?: AuthDescriptor;
 
+	/**
+	 * Pluggable auth providers (login methods on the login page).
+	 *
+	 * Auth providers appear as options alongside passkey on the login page
+	 * and setup wizard. Any provider can be used to create the initial
+	 * admin account. Passkey is built-in; providers listed here are additive.
+	 *
+	 * @example
+	 * ```ts
+	 * import { atproto } from "@emdash-cms/auth-atproto";
+	 *
+	 * emdash({
+	 *   authProviders: [atproto()],
+	 * })
+	 * ```
+	 */
+	authProviders?: AuthProviderDescriptor[];
+
 	/**
 	 * MCP (Model Context Protocol) server endpoint.
 	 *

package/src/astro/integration/virtual-modules.ts

@@ -10,6 +10,7 @@ import { readFileSync } from "node:fs";
 import { createRequire } from "node:module";
 import { resolve } from "node:path";
 
+import type { AuthProviderDescriptor } from "../../auth/types.js";
 import type { MediaProviderDescriptor } from "../../media/types.js";
 import { defaultSeed } from "../../seed/default.js";
 import type { PluginDescriptor } from "./runtime.js";
@@ -47,6 +48,9 @@ export const RESOLVED_VIRTUAL_SANDBOXED_PLUGINS_ID = "\0" + VIRTUAL_SANDBOXED_PL
 export const VIRTUAL_AUTH_ID = "virtual:emdash/auth";
 export const RESOLVED_VIRTUAL_AUTH_ID = "\0" + VIRTUAL_AUTH_ID;
 
+export const VIRTUAL_AUTH_PROVIDERS_ID = "virtual:emdash/auth-providers";
+export const RESOLVED_VIRTUAL_AUTH_PROVIDERS_ID = "\0" + VIRTUAL_AUTH_PROVIDERS_ID;
+
 export const VIRTUAL_MEDIA_PROVIDERS_ID = "virtual:emdash/media-providers";
 export const RESOLVED_VIRTUAL_MEDIA_PROVIDERS_ID = "\0" + VIRTUAL_MEDIA_PROVIDERS_ID;
 
@@ -135,6 +139,43 @@ export const authenticate = _authenticate;
 `;
 }
 
+/**
+ * Generates the auth providers module.
+ *
+ * Statically imports each auth provider's `adminEntry` module and exports
+ * a registry keyed by provider ID. The admin UI uses this to render
+ * provider-specific login buttons/forms and setup steps.
+ *
+ * Follows the same pattern as `generateAdminRegistryModule()` for plugins.
+ */
+export function generateAuthProvidersModule(descriptors: AuthProviderDescriptor[]): string {
+	const withAdmin = descriptors.filter((d) => d.adminEntry);
+
+	if (withAdmin.length === 0) {
+		return `export const authProviders = {};`;
+	}
+
+	const imports: string[] = [];
+	const entries: string[] = [];
+
+	withAdmin.forEach((descriptor, index) => {
+		const varName = `authProvider${index}`;
+		imports.push(`import * as ${varName} from ${JSON.stringify(descriptor.adminEntry)};`);
+		entries.push(
+			`  ${JSON.stringify(descriptor.id)}: { ...${varName}, id: ${JSON.stringify(descriptor.id)}, label: ${JSON.stringify(descriptor.label)} },`,
+		);
+	});
+
+	return `
+// Auto-generated auth provider registry
+${imports.join("\n")}
+
+export const authProviders = {
+${entries.join("\n")}
+};
+`;
+}
+
 /**
  * Generates the plugins module.
  * Imports and instantiates all plugins at runtime.

package/src/astro/integration/vite-config.ts

@@ -7,7 +7,7 @@
 
 import { existsSync } from "node:fs";
 import { createRequire } from "node:module";
-import { dirname, resolve } from "node:path";
+import { dirname, isAbsolute, relative, resolve } from "node:path";
 import { fileURLToPath } from "node:url";
 
 import type { AstroConfig } from "astro";
@@ -32,6 +32,8 @@ import {
 	RESOLVED_VIRTUAL_SANDBOXED_PLUGINS_ID,
 	VIRTUAL_AUTH_ID,
 	RESOLVED_VIRTUAL_AUTH_ID,
+	VIRTUAL_AUTH_PROVIDERS_ID,
+	RESOLVED_VIRTUAL_AUTH_PROVIDERS_ID,
 	VIRTUAL_MEDIA_PROVIDERS_ID,
 	RESOLVED_VIRTUAL_MEDIA_PROVIDERS_ID,
 	VIRTUAL_BLOCK_COMPONENTS_ID,
@@ -46,6 +48,7 @@ import {
 	generateDialectModule,
 	generateStorageModule,
 	generateAuthModule,
+	generateAuthProvidersModule,
 	generatePluginsModule,
 	generateAdminRegistryModule,
 	generateSandboxRunnerModule,
@@ -104,24 +107,34 @@ function resolveAdminDist(): string {
 	return dirname(adminPath);
 }
 
+/**
+ * Check whether child is inside parent without relying on simple prefix checks.
+ */
+function isInside(parent: string, child: string): boolean {
+	const relativePath = relative(parent, child);
+	return relativePath === "" || (!relativePath.startsWith("..") && !isAbsolute(relativePath));
+}
+
 /**
  * Resolve path to the admin package source directory.
- * In dev mode, we alias @emdash-cms/admin to the source so Vite processes it
- * directly — giving instant HMR instead of requiring a rebuild + restart.
+ * In dev mode inside this repo, we alias @emdash-cms/admin to the source so
+ * Vite processes it directly — giving instant HMR instead of requiring a
+ * rebuild + restart. External apps should use the built package surface.
  */
-function resolveAdminSource(): string | undefined {
+function resolveAdminSource(projectRoot: string): string | undefined {
 	const require = createRequire(import.meta.url);
 	const adminPath = require.resolve("@emdash-cms/admin");
 	// dist/index.js -> go up to package root, then into src/
 	const packageRoot = resolve(dirname(adminPath), "..");
+	const repoRoot = resolve(packageRoot, "..", "..");
 	const srcEntry = resolve(packageRoot, "src", "index.ts");
 
 	try {
-		if (existsSync(srcEntry)) {
+		if (existsSync(srcEntry) && isInside(repoRoot, projectRoot)) {
 			return resolve(packageRoot, "src");
 		}
 	} catch {
-		// Not in monorepo — fall back to dist
+		// Not in local repo — fall back to dist
 	}
 	return undefined;
 }
@@ -170,6 +183,9 @@ export function createVirtualModulesPlugin(options: VitePluginOptions): Plugin {
 			if (id === VIRTUAL_AUTH_ID) {
 				return RESOLVED_VIRTUAL_AUTH_ID;
 			}
+			if (id === VIRTUAL_AUTH_PROVIDERS_ID) {
+				return RESOLVED_VIRTUAL_AUTH_PROVIDERS_ID;
+			}
 			if (id === VIRTUAL_MEDIA_PROVIDERS_ID) {
 				return RESOLVED_VIRTUAL_MEDIA_PROVIDERS_ID;
 			}
@@ -228,6 +244,10 @@ export function createVirtualModulesPlugin(options: VitePluginOptions): Plugin {
 				}
 				return generateAuthModule(authDescriptor.entrypoint);
 			}
+			// Generate auth providers module (pluggable login methods)
+			if (id === RESOLVED_VIRTUAL_AUTH_PROVIDERS_ID) {
+				return generateAuthProvidersModule(resolvedConfig.authProviders ?? []);
+			}
 			// Generate media providers module
 			if (id === RESOLVED_VIRTUAL_MEDIA_PROVIDERS_ID) {
 				return generateMediaProvidersModule(resolvedConfig.mediaProviders ?? []);
@@ -281,12 +301,9 @@ export function createViteConfig(
 	const adminDistPath = resolveAdminDist();
 	const cloudflare = isCloudflareAdapter(options.astroConfig);
 	const isDev = command === "dev";
+	const projectRoot = fileURLToPath(options.astroConfig.root);
 
-	// In dev mode within the monorepo, alias JS imports to source for instant HMR.
-	// CSS always comes from dist/ (pre-compiled by @tailwindcss/cli) since Tailwind's
-	// Vite plugin has native deps that don't bundle well. Run `pnpm dev` in packages/admin
-	// alongside the demo server to get CSS watch-rebuilds too.
-	const adminSourcePath = isDev ? resolveAdminSource() : undefined;
+	const adminSourcePath = isDev ? resolveAdminSource(projectRoot) : undefined;
 	const useSource = adminSourcePath !== undefined;
 
 	return {
@@ -308,6 +325,20 @@ export function createViteConfig(
 			alias: [
 				{ find: "@emdash-cms/admin/styles.css", replacement: resolve(adminDistPath, "styles.css") },
 				{ find: "@emdash-cms/admin", replacement: useSource ? adminSourcePath : adminDistPath },
+				// `use-sync-external-store/shim` is a React <18 polyfill that ships
+				// only as CJS. It's pulled in transitively by `@tiptap/react`. With
+				// pnpm's virtual store the file lives under .pnpm/, where Vite's
+				// dep scanner can't reach it for pre-bundling — so the browser is
+				// served raw `module.exports` and hydration fails with
+				// `SyntaxError: ... does not provide an export named
+				// 'useSyncExternalStore'`. Redirect both shim entry points to the
+				// main `use-sync-external-store` package, which on React >=18
+				// (our peer-dep floor) delegates to React's built-in hook.
+				{
+					find: "use-sync-external-store/shim/index.js",
+					replacement: "use-sync-external-store",
+				},
+				{ find: "use-sync-external-store/shim", replacement: "use-sync-external-store" },
 			],
 		},
 		// eslint-disable-next-line typescript-eslint(no-unsafe-type-assertion) -- Monorepo has both vite 6 (docs) and vite 7 (core). tsgo resolves correctly.
@@ -316,7 +347,7 @@ export function createViteConfig(
 			// In dev mode with source alias, compile Lingui macros on the fly
 			// and redirect locale .mjs imports to dist/.
 			// In production, macros are pre-compiled by tsdown in the admin package.
-			...(useSource ? [linguiMacroPlugin(adminSourcePath!, adminDistPath)] : []),
+			...(useSource ? [linguiMacroPlugin(adminSourcePath, adminDistPath)] : []),
 		] as NonNullable<AstroConfig["vite"]>["plugins"],
 		// Handle native modules for SSR.
 		// On Node: external keeps native addons out of the SSR bundle.