emdash 0.7.0 → 0.8.0

package/src/astro/middleware/auth.ts

@@ -17,6 +17,8 @@ import { ulid } from "ulidx";
 // Import auth provider via virtual module (statically bundled)
 // This avoids dynamic import issues in Cloudflare Workers
 import { authenticate as virtualAuthenticate } from "virtual:emdash/auth";
+// @ts-ignore - virtual module
+import virtualConfig from "virtual:emdash/config";
 
 import { checkPublicCsrf } from "../../api/csrf.js";
 import { apiError } from "../../api/error.js";
@@ -111,6 +113,7 @@ const PUBLIC_API_PREFIXES = [
 const PUBLIC_API_EXACT = new Set([
 	"/_emdash/api/auth/passkey/options",
 	"/_emdash/api/auth/passkey/verify",
+	"/_emdash/api/auth/mode",
 	"/_emdash/api/oauth/token",
 	"/_emdash/api/snapshot",
 	// Public site search — read-only. The query layer hardcodes status='published'
@@ -119,6 +122,22 @@ const PUBLIC_API_EXACT = new Set([
 	"/_emdash/api/search",
 ]);
 
+// Build merged public routes at module load from auth provider descriptors.
+// Routes ending with "/" are treated as prefixes; all others are exact matches.
+const { exact: _providerExactRoutes, prefixes: _providerPrefixRoutes } = (() => {
+	const exact = new Set<string>();
+	const prefixes: string[] = [];
+	if (!virtualConfig?.authProviders) return { exact, prefixes };
+	for (const route of virtualConfig.authProviders.flatMap((p) => p.publicRoutes ?? [])) {
+		if (route.endsWith("/")) {
+			prefixes.push(route);
+		} else {
+			exact.add(route);
+		}
+	}
+	return { exact, prefixes };
+})();
+
 /**
  * OAuth protocol endpoints that are CSRF-exempt by design.
  *
@@ -146,6 +165,8 @@ const CSRF_EXEMPT_PUBLIC_ROUTES = new Set([
 function isPublicEmDashRoute(pathname: string): boolean {
 	if (PUBLIC_API_EXACT.has(pathname)) return true;
 	if (PUBLIC_API_PREFIXES.some((p) => pathname.startsWith(p))) return true;
+	if (_providerExactRoutes.has(pathname)) return true;
+	if (_providerPrefixRoutes.some((p) => pathname.startsWith(p))) return true;
 	if (import.meta.env.DEV && pathname === "/_emdash/api/typegen") return true;
 	return false;
 }

package/src/astro/middleware.ts

@@ -43,6 +43,7 @@ import {
 } from "../emdash-runtime.js";
 import { setI18nConfig } from "../i18n/config.js";
 import type { Database, Storage } from "../index.js";
+import { createPublicMediaUrlResolver } from "../media/url.js";
 import type { SandboxRunner } from "../plugins/sandbox/types.js";
 import type { ResolvedPlugin } from "../plugins/types.js";
 import { getRequestContext, runWithContext } from "../request-context.js";
@@ -232,6 +233,20 @@ export const onRequest = defineMiddleware(async (context, next) => {
 	const { request, locals, cookies } = context;
 	const url = context.url;
 
+	// Fast path: routes outside /_emdash/ that plugins inject (e.g.,
+	// /.well-known/atproto-client-metadata.json) skip the entire runtime
+	// init + middleware chain. External servers fetch these with tight
+	// timeouts (~1-2s) so they must respond quickly even on cold starts.
+	if (!url.pathname.startsWith("/_emdash") && virtualConfig?.authProviders) {
+		const isPluginFastRoute = virtualConfig.authProviders.some(
+			(p: { routes?: { pattern?: string }[] }) =>
+				p.routes?.some((r: { pattern?: string }) => r.pattern && url.pathname === r.pattern),
+		);
+		if (isPluginFastRoute) {
+			return finalizeResponse(await next());
+		}
+	}
+
 	const queryRecorder = isInstrumentationEnabled()
 		? createRecorder(url.pathname, request.method, request.headers.get("x-perf-phase") ?? "default")
 		: undefined;
@@ -301,10 +316,11 @@ export const onRequest = defineMiddleware(async (context, next) => {
 					try {
 						const runtime = await getRuntime(config, initSubTimings);
 						setupVerified = true;
-						// eslint-disable-next-line typescript-eslint(no-unsafe-type-assertion) -- partial object; getPageRuntime() only checks for these two methods
+						// eslint-disable-next-line typescript-eslint(no-unsafe-type-assertion) -- partial object; getPageRuntime() only checks for the page-contribution methods
 						locals.emdash = {
 							collectPageMetadata: runtime.collectPageMetadata.bind(runtime),
 							collectPageFragments: runtime.collectPageFragments.bind(runtime),
+							getPublicMediaUrl: createPublicMediaUrlResolver(runtime.storage),
 						} as EmDashHandlers;
 					} catch {
 						// Non-fatal — EmDashHead will fall back to base SEO contributions
@@ -445,6 +461,7 @@ export const onRequest = defineMiddleware(async (context, next) => {
 					// Direct access (for advanced use cases)
 					storage: runtime.storage,
 					db: runtime.db,
+					getPublicMediaUrl: createPublicMediaUrlResolver(runtime.storage),
 					hooks: runtime.hooks,
 					email: runtime.email,
 					configuredPlugins: runtime.configuredPlugins,

package/src/astro/routes/PluginRegistry.tsx

@@ -10,6 +10,8 @@ import { AdminApp } from "@emdash-cms/admin";
 import type { Messages } from "@lingui/core";
 // @ts-ignore - virtual module generated by integration
 import { pluginAdmins } from "virtual:emdash/admin-registry";
+// @ts-ignore - virtual module generated by integration
+import { authProviders } from "virtual:emdash/auth-providers";
 
 interface AdminWrapperProps {
 	locale: string;
@@ -17,5 +19,12 @@ interface AdminWrapperProps {
 }
 
 export default function AdminWrapper({ locale, messages }: AdminWrapperProps) {
-	return <AdminApp pluginAdmins={pluginAdmins} locale={locale} messages={messages} />;
+	return (
+		<AdminApp
+			pluginAdmins={pluginAdmins}
+			authProviders={authProviders}
+			locale={locale}
+			messages={messages}
+		/>
+	);
 }

package/src/astro/routes/api/auth/mode.ts

@@ -0,0 +1,57 @@
+/**
+ * GET /_emdash/api/auth/mode
+ *
+ * Public endpoint that returns the active authentication mode.
+ * Used by the login page to determine which login UI to render.
+ *
+ * Unlike the full manifest endpoint, this is intentionally public
+ * and returns only the auth mode — no collection schemas, plugin
+ * info, or other internal details.
+ */
+
+import type { APIRoute } from "astro";
+
+import { getAuthMode } from "#auth/mode.js";
+
+export const prerender = false;
+
+export const GET: APIRoute = async ({ locals }) => {
+	const { emdash } = locals;
+
+	const authMode = getAuthMode(emdash?.config);
+
+	// Only check signup for passkey auth (external providers handle their own)
+	let signupEnabled = false;
+	if (emdash?.db && authMode.type === "passkey") {
+		try {
+			const { sql } = await import("kysely");
+			const result = await sql<{ cnt: unknown }>`
+				SELECT COUNT(*) as cnt FROM allowed_domains WHERE enabled = 1
+			`.execute(emdash.db);
+			signupEnabled = Number(result.rows[0]?.cnt ?? 0) > 0;
+		} catch {
+			// Table may not exist yet
+		}
+	}
+
+	// Collect pluggable auth providers (from authProviders config)
+	const providers = (emdash?.config?.authProviders ?? []).map((p) => ({
+		id: p.id,
+		label: p.label,
+	}));
+
+	return Response.json(
+		{
+			data: {
+				authMode: authMode.type === "external" ? authMode.providerType : "passkey",
+				signupEnabled,
+				providers,
+			},
+		},
+		{
+			headers: {
+				"Cache-Control": "private, no-store",
+			},
+		},
+	);
+};

package/src/astro/routes/api/auth/oauth/[provider]/callback.ts

@@ -18,7 +18,9 @@ import {
 import { createKyselyAdapter } from "@emdash-cms/auth/adapters/kysely";
 
 import { getPublicOrigin } from "#api/public-url.js";
+import { finalizeSetup } from "#api/setup-complete.js";
 import { createOAuthStateStore } from "#auth/oauth-state-store.js";
+import { OptionsRepository } from "#db/repositories/options.js";
 
 type ProviderName = "github" | "google";
 
@@ -126,10 +128,22 @@ export const GET: APIRoute = async ({ params, request, locals, session, redirect
 			);
 		}
 
+		const adapter = createKyselyAdapter(emdash.db);
+		const stateStore = createOAuthStateStore(emdash.db);
+
 		const config: OAuthConsumerConfig = {
 			baseUrl: `${getPublicOrigin(url, emdash?.config)}/_emdash`,
 			providers,
 			canSelfSignup: async (email: string) => {
+				// During setup: first user becomes admin.
+				// Check setup_complete flag instead of countUsers() to avoid
+				// a TOCTOU race where concurrent callbacks both see 0 users.
+				const options = new OptionsRepository(emdash.db);
+				const setupComplete = await options.get("emdash:setup_complete");
+				if (setupComplete !== true && setupComplete !== "true") {
+					return { allowed: true, role: Role.ADMIN };
+				}
+
 				// Extract domain from email
 				const domain = email.split("@")[1]?.toLowerCase();
 				if (!domain) {
@@ -168,10 +182,16 @@ export const GET: APIRoute = async ({ params, request, locals, session, redirect
 			},
 		};
 
-		const adapter = createKyselyAdapter(emdash.db);
-		const stateStore = createOAuthStateStore(emdash.db);
-
+		const options = new OptionsRepository(emdash.db);
+		const setupCompleteBefore = await options.get("emdash:setup_complete");
 		const user = await handleOAuthCallback(config, adapter, provider, code, state, stateStore);
+		const isFirstUser = setupCompleteBefore !== true && setupCompleteBefore !== "true";
+
+		// Finalize setup outside the transaction (idempotent, safe if two callbacks race).
+		if (isFirstUser) {
+			await finalizeSetup(emdash.db);
+			console.log(`[oauth] Setup complete: created admin user via ${provider} (${user.email})`);
+		}
 
 		// Create session
 		if (session) {

package/src/astro/routes/api/auth/oauth/[provider].ts

@@ -71,16 +71,22 @@ export const GET: APIRoute = async ({ params, request, locals, redirect }) => {
 	const { emdash } = locals;
 	const provider = params.provider;
 
+	// Determine where to redirect errors (setup wizard or login page)
+	const referer = request.headers.get("referer") ?? "";
+	const errorRedirectBase = referer.includes("/setup")
+		? "/_emdash/admin/setup"
+		: "/_emdash/admin/login";
+
 	// Validate provider
 	if (!provider || !isValidProvider(provider)) {
 		return redirect(
-			`/_emdash/admin/login?error=invalid_provider&message=${encodeURIComponent("Invalid OAuth provider")}`,
+			`${errorRedirectBase}?error=invalid_provider&message=${encodeURIComponent("Invalid OAuth provider")}`,
 		);
 	}
 
 	if (!emdash?.db) {
 		return redirect(
-			`/_emdash/admin/login?error=server_error&message=${encodeURIComponent("Database not configured")}`,
+			`${errorRedirectBase}?error=server_error&message=${encodeURIComponent("Database not configured")}`,
 		);
 	}
 
@@ -97,7 +103,7 @@ export const GET: APIRoute = async ({ params, request, locals, redirect }) => {
 
 		if (!providers[provider]) {
 			return redirect(
-				`/_emdash/admin/login?error=provider_not_configured&message=${encodeURIComponent(`OAuth provider ${provider} is not configured`)}`,
+				`${errorRedirectBase}?error=provider_not_configured&message=${encodeURIComponent(`OAuth provider ${provider} is not configured. Set either EMDASH_OAUTH_${provider.toUpperCase()}_CLIENT_ID and EMDASH_OAUTH_${provider.toUpperCase()}_CLIENT_SECRET, or ${provider.toUpperCase()}_CLIENT_ID and ${provider.toUpperCase()}_CLIENT_SECRET.`)}`,
 			);
 		}
 
@@ -114,7 +120,7 @@ export const GET: APIRoute = async ({ params, request, locals, redirect }) => {
 	} catch (error) {
 		console.error("OAuth initiation error:", error);
 		return redirect(
-			`/_emdash/admin/login?error=oauth_error&message=${encodeURIComponent("Failed to start OAuth flow. Please try again.")}`,
+			`${errorRedirectBase}?error=oauth_error&message=${encodeURIComponent("Failed to start OAuth flow. Please try again.")}`,
 		);
 	}
 };

package/src/astro/routes/api/content/[collection]/[id]/translations.ts

@@ -6,7 +6,7 @@
  * Returns all locale variants linked to the same translation group.
  */
 
-import { hasPermission, type Permission } from "@emdash-cms/auth";
+import { hasPermission } from "@emdash-cms/auth";
 import type { APIRoute } from "astro";
 
 import { requirePerm } from "#api/authorize.js";

package/src/astro/routes/api/content/[collection]/index.ts

@@ -61,15 +61,7 @@ export const POST: APIRoute = async ({ params, request, locals, cache }) => {
 				mapErrorStatus(source.error?.code),
 			);
 		}
-		const sourceData =
-			source.data && typeof source.data === "object"
-				? (source.data as Record<string, unknown>)
-				: undefined;
-		const sourceItem =
-			sourceData?.item && typeof sourceData.item === "object"
-				? (sourceData.item as Record<string, unknown>)
-				: sourceData;
-		const sourceAuthor = typeof sourceItem?.authorId === "string" ? sourceItem.authorId : "";
+		const sourceAuthor = source.data.item.authorId ?? "";
 		const translationDenied = requireOwnerPerm(
 			user,
 			sourceAuthor,

package/src/astro/routes/api/import/wordpress/media.ts

@@ -92,7 +92,6 @@ export const POST: APIRoute = async ({ request, locals }) => {
 						attachments,
 						emdash.db,
 						emdash.storage,
-						request.url,
 						sendProgress,
 					);
 
@@ -117,7 +116,6 @@ export const POST: APIRoute = async ({ request, locals }) => {
 			attachments,
 			emdash.db,
 			emdash.storage,
-			request.url,
 			() => {}, // No-op progress callback
 		);
 
@@ -131,12 +129,9 @@ async function importMediaWithProgress(
 	attachments: AttachmentInfo[],
 	db: NonNullable<EmDashHandlers["db"]>,
 	storage: NonNullable<EmDashHandlers["storage"]>,
-	requestUrl: string,
 	onProgress: (progress: MediaImportProgress) => void,
 ): Promise<MediaImportResult> {
 	const repo = new MediaRepository(db);
-	const url = new URL(requestUrl);
-	const baseUrl = `${url.protocol}//${url.host}`;
 	const total = attachments.length;
 
 	const result: MediaImportResult = {
@@ -237,7 +232,7 @@ async function importMediaWithProgress(
 			const existing = await repo.findByContentHash(contentHash);
 			if (existing) {
 				// Same content already exists - reuse it
-				const existingUrl = `${baseUrl}/_emdash/api/media/file/${existing.storageKey}`;
+				const existingUrl = `/_emdash/api/media/file/${existing.storageKey}`;
 				result.urlMap[attachment.url] = existingUrl;
 				result.imported.push({
 					wpId: attachment.id,
@@ -290,7 +285,7 @@ async function importMediaWithProgress(
 			});
 
 			// Build the new URL
-			const newUrl = `${baseUrl}/_emdash/api/media/file/${storageKey}`;
+			const newUrl = `/_emdash/api/media/file/${storageKey}`;
 
 			result.imported.push({
 				wpId: attachment.id,

package/src/astro/routes/api/import/wordpress/prepare.ts

@@ -58,6 +58,16 @@ export const POST: APIRoute = async ({ request, locals }) => {
 		// eslint-disable-next-line typescript-eslint(no-unsafe-type-assertion) -- Zod schema output narrowed to PrepareRequest
 		const result = await prepareImport(emdash.db, body as PrepareRequest);
 
+		// If prepare created any new collections or fields, invalidate the
+		// persisted manifest cache (`emdash:manifest_cache` in the options
+		// table) so that the execute endpoint -- a separate request -- sees
+		// the new schema. Without this the execute step reads a stale
+		// manifest and reports `Collection "<slug>" does not exist` for
+		// every item destined for a freshly-created collection. See #747.
+		if (result.collectionsCreated.length > 0 || result.fieldsCreated.length > 0) {
+			emdash.invalidateManifest();
+		}
+
 		return apiSuccess(result, result.success ? 200 : 400);
 	} catch (error) {
 		return handleError(error, "Failed to prepare import", "WXR_PREPARE_ERROR");

package/src/astro/routes/api/settings/email.ts

@@ -49,20 +49,15 @@ export const GET: APIRoute = async ({ locals }) => {
 			`emdash:exclusive_hook:${EMAIL_DELIVER_HOOK}`,
 		);
 
-		// Get middleware hooks (beforeSend / afterSend)
+		// Get middleware hooks (beforeSend / afterSend). These are non-exclusive —
+		// many plugins can subscribe — so we enumerate non-exclusive providers.
 		const beforeSendPlugins = pipeline
-			.getExclusiveHookProviders(EMAIL_BEFORE_SEND_HOOK)
+			.getHookProviders(EMAIL_BEFORE_SEND_HOOK)
 			.map((p) => p.pluginId);
 		const afterSendPlugins = pipeline
-			.getExclusiveHookProviders(EMAIL_AFTER_SEND_HOOK)
+			.getHookProviders(EMAIL_AFTER_SEND_HOOK)
 			.map((p) => p.pluginId);
 
-		// Note: beforeSend/afterSend are NOT exclusive hooks, but getExclusiveHookProviders
-		// only finds exclusive ones. We need all hooks for those names.
-		// For now, report what we can from the exclusive hook system.
-		// Middleware is non-exclusive so we'd need a different query.
-		// TODO: Add getHookProviders() for non-exclusive hooks to the pipeline.
-
 		return apiSuccess({
 			available: emdash.email?.isAvailable() ?? false,
 			providers: providers.map((p) => ({

package/src/astro/routes/api/setup/admin.ts

@@ -49,6 +49,10 @@ export const POST: APIRoute = async ({ cookies, request, locals }) => {
 		const body = await parseBody(request, setupAdminBody);
 		if (isParseError(body)) return body;
 
+		// Preserve title/tagline from step 1 by reading existing setup state
+		// before we overwrite it below.
+		const existingState = await options.get<Record<string, unknown>>("emdash:setup_state");
+
 		// Mint a fresh session nonce. This binds the follow-up
 		// /setup/admin/verify call to the same browser that made this
 		// request, so an unauthenticated attacker on another host cannot
@@ -81,9 +85,11 @@ export const POST: APIRoute = async ({ cookies, request, locals }) => {
 			challengeStore,
 		);
 
-		// Store the nonce alongside the rest of the setup state. The verify
-		// endpoint will constant-time compare this with the incoming cookie.
+		// Store the nonce alongside the rest of the setup state, preserving
+		// title/tagline from step 1. The verify endpoint will constant-time
+		// compare the nonce with the incoming cookie.
 		await options.set("emdash:setup_state", {
+			...existingState,
 			step: "admin",
 			email: body.email.toLowerCase(),
 			name: body.name || null,

package/src/astro/routes/api/setup/index.ts

@@ -81,7 +81,7 @@ export const POST: APIRoute = async ({ request, url, locals }) => {
 
 		// 5. Store setup state
 		// In external auth mode, mark setup complete immediately (first user to login becomes admin)
-		// In passkey mode, setup_complete is set after admin user is created
+		// Otherwise, setup_complete is set after admin user is created (passkey or auth provider)
 		const authMode = getAuthMode(emdash.config);
 		const useExternalAuth = authMode.type === "external";
 
@@ -105,7 +105,7 @@ export const POST: APIRoute = async ({ request, url, locals }) => {
 					await options.set("emdash:site_tagline", body.tagline);
 				}
 			} else {
-				// Passkey mode: store state for next step (admin creation)
+				// Passkey/provider mode: store state for next step (admin creation)
 				await options.set("emdash:setup_state", {
 					step: "site_complete",
 					title: body.title,

package/src/astro/routes/api/setup/status.ts

@@ -91,7 +91,7 @@ export const GET: APIRoute = async ({ locals }) => {
 		const authMode = getAuthMode(emdash.config);
 		const useExternalAuth = authMode.type === "external";
 
-		// In external auth mode, setup is complete if flag is set (no users required initially)
+		// In external auth mode (not atproto), setup is complete if flag is set (no users required initially)
 		if (useExternalAuth && isComplete) {
 			return apiSuccess({
 				needsSetup: false,
@@ -106,6 +106,8 @@ export const GET: APIRoute = async ({ locals }) => {
 					description: seed.meta?.description || "",
 					collections: seed.collections?.length || 0,
 					hasContent: !!(seed.content && Object.keys(seed.content).length > 0),
+					title: seed.settings?.title,
+					tagline: seed.settings?.tagline,
 				}
 			: null;
 

package/src/astro/routes/api/widget-areas/[name]/widgets/[id].ts

@@ -11,6 +11,8 @@ import { requirePerm } from "#api/authorize.js";
 import { apiError, apiSuccess, handleError } from "#api/error.js";
 import { isParseError, parseBody } from "#api/parse.js";
 import { updateWidgetBody } from "#api/schemas.js";
+import { rowToWidget } from "#widgets/index.js";
+import type { WidgetRow } from "#widgets/types.js";
 
 export const prerender = false;
 
@@ -73,10 +75,11 @@ export const PUT: APIRoute = async ({ params, request, locals }) => {
 		const widget = await db
 			.selectFrom("_emdash_widgets")
 			.selectAll()
+			.$castTo<WidgetRow>()
 			.where("id", "=", id)
 			.executeTakeFirstOrThrow();
 
-		return apiSuccess(widget);
+		return apiSuccess(rowToWidget(widget));
 	} catch (error) {
 		return handleError(error, "Failed to update widget", "WIDGET_UPDATE_ERROR");
 	}

package/src/astro/routes/api/widget-areas/[name]/widgets.ts

@@ -11,6 +11,8 @@ import { requirePerm } from "#api/authorize.js";
 import { apiError, apiSuccess, handleError } from "#api/error.js";
 import { isParseError, parseBody } from "#api/parse.js";
 import { createWidgetBody } from "#api/schemas.js";
+import { rowToWidget } from "#widgets/index.js";
+import type { WidgetRow } from "#widgets/types.js";
 
 export const prerender = false;
 
@@ -70,10 +72,11 @@ export const POST: APIRoute = async ({ params, request, locals }) => {
 		const widget = await db
 			.selectFrom("_emdash_widgets")
 			.selectAll()
+			.$castTo<WidgetRow>()
 			.where("id", "=", id)
 			.executeTakeFirstOrThrow();
 
-		return apiSuccess(widget, 201);
+		return apiSuccess(rowToWidget(widget), 201);
 	} catch (error) {
 		return handleError(error, "Failed to create widget", "WIDGET_CREATE_ERROR");
 	}

package/src/astro/routes/api/widget-areas/[name].ts

@@ -9,6 +9,8 @@ import type { APIRoute } from "astro";
 
 import { requirePerm } from "#api/authorize.js";
 import { apiError, apiSuccess, handleError } from "#api/error.js";
+import { rowToWidget } from "#widgets/index.js";
+import type { WidgetRow } from "#widgets/types.js";
 
 export const prerender = false;
 
@@ -40,13 +42,14 @@ export const GET: APIRoute = async ({ params, locals }) => {
 		const widgets = await db
 			.selectFrom("_emdash_widgets")
 			.selectAll()
+			.$castTo<WidgetRow>()
 			.where("area_id", "=", area.id)
 			.orderBy("sort_order", "asc")
 			.execute();
 
 		return apiSuccess({
 			...area,
-			widgets,
+			widgets: widgets.map((row) => rowToWidget(row)),
 		});
 	} catch (error) {
 		return handleError(error, "Failed to fetch widget area", "WIDGET_AREA_GET_ERROR");

package/src/astro/routes/api/widget-areas/index.ts

@@ -12,6 +12,8 @@ import { requirePerm } from "#api/authorize.js";
 import { apiError, apiSuccess, handleError } from "#api/error.js";
 import { isParseError, parseBody } from "#api/parse.js";
 import { createWidgetAreaBody } from "#api/schemas.js";
+import { rowToWidget } from "#widgets/index.js";
+import type { WidgetRow } from "#widgets/types.js";
 
 export const prerender = false;
 
@@ -35,13 +37,14 @@ export const GET: APIRoute = async ({ locals }) => {
 				const widgets = await db
 					.selectFrom("_emdash_widgets")
 					.selectAll()
+					.$castTo<WidgetRow>()
 					.where("area_id", "=", area.id)
 					.orderBy("sort_order", "asc")
 					.execute();
 
 				return {
 					...area,
-					widgets,
+					widgets: widgets.map((row) => rowToWidget(row)),
 					widgetCount: widgets.length,
 				};
 			}),

package/src/astro/types.ts

@@ -348,6 +348,7 @@ export interface EmDashHandlers {
 	// Direct access to storage and database for advanced use cases
 	storage: import("../index.js").Storage | null;
 	db: Kysely<import("../index.js").Database>;
+	getPublicMediaUrl?: (storageKey: string) => string;
 
 	// Hook pipeline for plugin integrations
 	hooks: import("../plugins/hooks.js").HookPipeline;
@@ -380,4 +381,12 @@ export interface EmDashHandlers {
 	collectPageFragments: (
 		page: import("../plugins/types.js").PublicPageContext,
 	) => Promise<import("../plugins/types.js").PageFragmentContribution[]>;
+
+	/**
+	 * Lazy search index health check. Search routes call this before
+	 * querying so a crash-corrupted index gets repaired on first use
+	 * rather than stalling cold start. Optional because it's only
+	 * meaningful when an FTS5-capable runtime is wired in.
+	 */
+	ensureSearchHealthy?: () => Promise<void>;
 }

package/src/auth/mode.ts

@@ -6,9 +6,21 @@
  */
 
 import type { EmDashConfig } from "../astro/integration/runtime.js";
-import type { AuthDescriptor, AuthResult, ExternalAuthConfig } from "./types.js";
+import type {
+	AuthDescriptor,
+	AuthProviderDescriptor,
+	AuthRouteDescriptor,
+	AuthResult,
+	ExternalAuthConfig,
+} from "./types.js";
 
-export type { AuthDescriptor, AuthResult, ExternalAuthConfig };
+export type {
+	AuthDescriptor,
+	AuthProviderDescriptor,
+	AuthRouteDescriptor,
+	AuthResult,
+	ExternalAuthConfig,
+};
 
 /**
  * Passkey auth mode (default)
@@ -59,7 +71,7 @@ export function getAuthMode(
 ): AuthMode {
 	const auth = config?.auth;
 
-	// Check for AuthDescriptor (new style)
+	// Check for AuthDescriptor (transparent external auth like Cloudflare Access)
 	if (auth && "entrypoint" in auth && auth.entrypoint) {
 		return {
 			type: "external",

package/src/auth/providers/github-admin.tsx

@@ -0,0 +1,29 @@
+/**
+ * GitHub OAuth Admin Components
+ *
+ * LoginButton for the login page, rendered via the auth provider virtual module.
+ */
+
+import { LinkButton } from "@cloudflare/kumo";
+import * as React from "react";
+
+function GitHubIcon({ className }: { className?: string }) {
+	return (
+		<svg className={className} viewBox="0 0 24 24" fill="currentColor">
+			<path d="M12 0c-6.626 0-12 5.373-12 12 0 5.302 3.438 9.8 8.207 11.387.599.111.793-.261.793-.577v-2.234c-3.338.726-4.033-1.416-4.033-1.416-.546-1.387-1.333-1.756-1.333-1.756-1.089-.745.083-.729.083-.729 1.205.084 1.839 1.237 1.839 1.237 1.07 1.834 2.807 1.304 3.492.997.107-.775.418-1.305.762-1.604-2.665-.305-5.467-1.334-5.467-5.931 0-1.311.469-2.381 1.236-3.221-.124-.303-.535-1.524.117-3.176 0 0 1.008-.322 3.301 1.23.957-.266 1.983-.399 3.003-.404 1.02.005 2.047.138 3.006.404 2.291-1.552 3.297-1.23 3.297-1.23.653 1.653.242 2.874.118 3.176.77.84 1.235 1.911 1.235 3.221 0 4.609-2.807 5.624-5.479 5.921.43.372.823 1.102.823 2.222v3.293c0 .319.192.694.801.576 4.765-1.589 8.199-6.086 8.199-11.386 0-6.627-5.373-12-12-12z" />
+		</svg>
+	);
+}
+
+export function LoginButton() {
+	return (
+		<LinkButton
+			href="/_emdash/api/auth/oauth/github"
+			variant="outline"
+			className="w-full justify-center"
+		>
+			<GitHubIcon className="h-5 w-5" />
+			<span>GitHub</span>
+		</LinkButton>
+	);
+}