emdash 0.7.0 → 0.8.0

package/src/media/normalize.ts

@@ -11,7 +11,7 @@
 
 import type { MediaProvider, MediaProviderItem, MediaValue } from "./types.js";
 
-const INTERNAL_MEDIA_PREFIX = "/_emdash/api/media/file/";
+export const INTERNAL_MEDIA_PREFIX = "/_emdash/api/media/file/";
 const URL_PATTERN = /^https?:\/\//;
 
 /**

package/src/media/url.ts

@@ -0,0 +1,78 @@
+/**
+ * Public media URL resolution.
+ *
+ * Used at render time by the Image components to decide whether a storage
+ * key should be served from the configured `publicUrl` (R2 custom domain,
+ * S3 CDN) or through the internal `/_emdash/api/media/file/{key}` route.
+ */
+import type { Storage } from "../storage/types.js";
+import { INTERNAL_MEDIA_PREFIX } from "./normalize.js";
+
+// Keys accepted by the public-URL rewrite: the `{ulid}{ext}` shape produced by
+// the upload pipeline, with letters, digits, dots, dashes, and underscores.
+// Slashes, `?`, `#`, and `%` are rejected so attacker-controlled content in a
+// portable-text `asset.url` cannot traverse or reroute on the CDN origin.
+const SAFE_STORAGE_KEY = /^[A-Za-z0-9._-]+$/;
+
+/**
+ * Resolve the public URL for a locally stored media key. Returns an empty
+ * string when no key is given. When a storage adapter is supplied, defers to
+ * `storage.getPublicUrl()`; otherwise returns the internal proxy route.
+ */
+export function resolvePublicMediaUrl(
+	storage: Storage | null | undefined,
+	storageKey: string,
+): string {
+	if (!storageKey) return "";
+	if (storage) return storage.getPublicUrl(storageKey);
+	return `/_emdash/api/media/file/${storageKey}`;
+}
+
+/**
+ * Build the `getPublicMediaUrl` closure attached to `Astro.locals.emdash`.
+ * Shared by the anonymous fast path and the full-runtime path in middleware.
+ *
+ * @internal
+ */
+export function createPublicMediaUrlResolver(
+	storage: Storage | null | undefined,
+): (key: string) => string {
+	return (key) => resolvePublicMediaUrl(storage, key);
+}
+
+/** Input shape for {@link buildRenderMediaUrl}. */
+export interface RenderMediaRef {
+	/** Storage key with extension (the canonical shape from the upload pipeline). */
+	storageKey?: string;
+	/** Pre-baked URL (either an internal proxy URL or an external URL). */
+	url?: string;
+	/** Bare media id (ULID without extension); only the internal proxy can look this up. */
+	id?: string;
+}
+
+/**
+ * Build a render-time media URL. Prefers `storageKey`, then rewrites an
+ * internal `url` via `resolve`, then falls back to the internal proxy for a
+ * bare `id`. External URLs and non-matching internal-looking URLs pass
+ * through untouched. Returns `""` when nothing usable is present.
+ *
+ * @internal
+ */
+export function buildRenderMediaUrl(
+	resolve: ((key: string) => string) | undefined,
+	ref: RenderMediaRef,
+): string {
+	const { storageKey, url, id } = ref;
+	if (storageKey) {
+		return resolve ? resolve(storageKey) : `${INTERNAL_MEDIA_PREFIX}${storageKey}`;
+	}
+	if (url) {
+		if (resolve && url.startsWith(INTERNAL_MEDIA_PREFIX)) {
+			const key = url.slice(INTERNAL_MEDIA_PREFIX.length);
+			if (SAFE_STORAGE_KEY.test(key)) return resolve(key);
+		}
+		return url;
+	}
+	if (id) return `${INTERNAL_MEDIA_PREFIX}${id}`;
+	return "";
+}

package/src/plugins/email-console.ts

@@ -30,9 +30,16 @@ export interface StoredEmail {
  * instances (the runtime and the route handler may load separate copies
  * of this module, but globalThis is always the same object).
  */
-const GLOBAL_KEY = "__emdash_dev_emails__" as const;
-const storedEmails: StoredEmail[] = ((globalThis as Record<string, unknown>)[GLOBAL_KEY] ??=
-	[]) as StoredEmail[];
+const GLOBAL_KEY = Symbol.for("emdash:dev-emails");
+const g = globalThis as Record<symbol, unknown>;
+const storedEmails: StoredEmail[] = (() => {
+	// eslint-disable-next-line typescript-eslint(no-unsafe-type-assertion) -- globalThis singleton pattern (see request-context.ts)
+	const existing = g[GLOBAL_KEY] as StoredEmail[] | undefined;
+	if (existing) return existing;
+	const fresh: StoredEmail[] = [];
+	g[GLOBAL_KEY] = fresh;
+	return fresh;
+})();
 
 /**
  * Get all stored dev emails (most recent first).

package/src/plugins/hooks.ts

@@ -1218,6 +1218,17 @@ export class HookPipeline {
 		return hooks.filter((h) => h.exclusive).map((h) => ({ pluginId: h.pluginId }));
 	}
 
+	/**
+	 * Get all plugins that registered a non-exclusive handler for a given
+	 * hook (e.g. `email:beforeSend`, `email:afterSend`), preserving priority
+	 * order. Partitions with `getExclusiveHookProviders()`, which returns
+	 * plugins whose registration is marked `exclusive: true`.
+	 */
+	getHookProviders(hookName: string): Array<{ pluginId: string }> {
+		const hooks = this.hooks.get(hookName as HookNameV2) ?? [];
+		return hooks.filter((h) => !h.exclusive).map((h) => ({ pluginId: h.pluginId }));
+	}
+
 	/**
 	 * Invoke an exclusive hook — dispatch only to the selected provider.
 	 * Returns null if no provider is selected or if the selected hook

package/src/plugins/manifest-schema.ts

@@ -131,6 +131,18 @@ const settingFieldSchema = z.discriminatedUnion("type", [
 		default: z.string().optional(),
 	}),
 	z.object({ ...baseSettingFields, type: z.literal("secret") }),
+	z.object({
+		...baseSettingFields,
+		type: z.literal("url"),
+		default: z.string().optional(),
+		placeholder: z.string().optional(),
+	}),
+	z.object({
+		...baseSettingFields,
+		type: z.literal("email"),
+		default: z.string().optional(),
+		placeholder: z.string().optional(),
+	}),
 ]);
 
 const adminPageSchema = z.object({

package/src/plugins/types.ts

@@ -1114,7 +1114,14 @@ export interface PluginDashboardWidget {
 /**
  * Settings field types (for admin UI generation)
  */
-export type SettingFieldType = "string" | "number" | "boolean" | "select" | "secret";
+export type SettingFieldType =
+	| "string"
+	| "number"
+	| "boolean"
+	| "select"
+	| "secret"
+	| "url"
+	| "email";
 
 export interface BaseSettingField {
 	type: SettingFieldType;
@@ -1150,12 +1157,26 @@ export interface SecretSettingField extends BaseSettingField {
 	type: "secret";
 }
 
+export interface UrlSettingField extends BaseSettingField {
+	type: "url";
+	default?: string;
+	placeholder?: string;
+}
+
+export interface EmailSettingField extends BaseSettingField {
+	type: "email";
+	default?: string;
+	placeholder?: string;
+}
+
 export type SettingField =
 	| StringSettingField
 	| NumberSettingField
 	| BooleanSettingField
 	| SelectSettingField
-	| SecretSettingField;
+	| SecretSettingField
+	| UrlSettingField
+	| EmailSettingField;
 
 /**
  * Block Kit element for block editing fields.

package/src/query.ts

@@ -478,7 +478,7 @@ export async function getEmDashEntry<T extends string, D = InferCollectionData<T
 			// Edit mode (authenticated editors) has collection-wide draft access.
 			if (isPreviewMode && !isEditMode) {
 				const dbId = entryDatabaseId(baseEntry);
-				if (preview!.id !== dbId && preview!.id !== id) {
+				if (preview.id !== dbId && preview.id !== id) {
 					// Token doesn't match — serve only if publicly visible, without draft access
 					if (isVisible(baseEntry)) {
 						return successResult(wrapEntry(baseEntry), {

package/src/request-cache.ts

@@ -22,6 +22,7 @@ type CacheStore = WeakMap<EmDashRequestContext, Map<string, Promise<unknown>>>;
 const STORE_KEY = Symbol.for("emdash:request-cache");
 const g = globalThis as Record<symbol, unknown>;
 const store: CacheStore =
+	// eslint-disable-next-line typescript-eslint(no-unsafe-type-assertion) -- globalThis singleton pattern (see request-context.ts)
 	(g[STORE_KEY] as CacheStore | undefined) ??
 	(() => {
 		const wm: CacheStore = new WeakMap();
@@ -47,6 +48,7 @@ export function requestCached<T>(key: string, fn: () => Promise<T>): Promise<T>
 	}
 
 	const existing = cache.get(key);
+	// eslint-disable-next-line typescript-eslint(no-unsafe-type-assertion) -- heterogeneous cache; key namespacing guarantees the stored promise resolves to T
 	if (existing) return existing as Promise<T>;
 
 	const promise = Promise.resolve()
@@ -74,6 +76,7 @@ export function peekRequestCache<T>(key: string): Promise<T> | undefined {
 	const ctx = getRequestContext();
 	if (!ctx) return undefined;
 	const cache = store.get(ctx);
+	// eslint-disable-next-line typescript-eslint(no-unsafe-type-assertion) -- heterogeneous cache; caller is responsible for using a T-compatible key
 	return cache?.get(key) as Promise<T> | undefined;
 }
 

package/src/schema/registry.ts

@@ -11,6 +11,7 @@ import { FTSManager } from "../search/fts-manager.js";
 import {
 	type Collection,
 	type CollectionSource,
+	type CollectionSupport,
 	type ColumnType,
 	type Field,
 	type CreateCollectionInput,
@@ -49,6 +50,34 @@ function isColumnType(value: string): value is ColumnType {
 	return COLUMN_TYPES.has(value);
 }
 
+const VALID_COLLECTION_SUPPORTS: ReadonlySet<string> = new Set<CollectionSupport>([
+	"drafts",
+	"revisions",
+	"preview",
+	"scheduling",
+	"search",
+	"seo",
+]);
+
+function isCollectionSupport(value: unknown): value is CollectionSupport {
+	return typeof value === "string" && VALID_COLLECTION_SUPPORTS.has(value);
+}
+
+/**
+ * Parse a collection's `supports` column (stored as a JSON array of
+ * CollectionSupport keys). Unknown/invalid entries are filtered out so the
+ * runtime value matches the declared `CollectionSupport[]` type.
+ *
+ * Throws on malformed JSON so corruption surfaces loudly; returns an empty
+ * array only for explicitly null/empty values or non-array JSON.
+ */
+function parseSupports(raw: string | null | undefined): CollectionSupport[] {
+	if (!raw) return [];
+	const parsed: unknown = JSON.parse(raw);
+	if (!Array.isArray(parsed)) return [];
+	return parsed.filter(isCollectionSupport);
+}
+
 /**
  * Error thrown when a schema operation fails
  */
@@ -132,11 +161,18 @@ export class SchemaRegistry {
 
 		const id = ulid();
 
+		// Default `supports` to drafts + revisions when the caller didn't
+		// specify it. Explicit empty array (`[]`) is preserved as an opt-out
+		// — only `undefined` triggers the default. This is the canonical
+		// default for new collections; the MCP and admin UI layers used to
+		// duplicate this default but now defer to the registry.
+		const supports = input.supports ?? ["drafts", "revisions"];
+
 		// Insert collection record and create content table in a transaction
 		// so a failure in table creation doesn't leave an orphaned row.
 		// Uses withTransaction for D1 compatibility (no transaction support).
 		// Derive hasSeo from supports array if not explicitly set
-		const hasSeo = input.hasSeo ?? input.supports?.includes("seo") ?? false;
+		const hasSeo = input.hasSeo ?? supports.includes("seo") ?? false;
 
 		await withTransaction(this.db, async (trx) => {
 			await trx
@@ -148,7 +184,7 @@ export class SchemaRegistry {
 					label_singular: input.labelSingular ?? null,
 					description: input.description ?? null,
 					icon: input.icon ?? null,
-					supports: input.supports ? JSON.stringify(input.supports) : null,
+					supports: JSON.stringify(supports),
 					source: input.source ?? "manual",
 					has_seo: hasSeo ? 1 : 0,
 					comments_enabled: input.commentsEnabled ? 1 : 0,
@@ -243,7 +279,7 @@ export class SchemaRegistry {
 			// Sync FTS state when the supports array changes (e.g. search toggled on/off)
 			if (input.supports !== undefined) {
 				const hadSearch = existing.supports.includes("search");
-				const hasSearch = (JSON.parse(row.supports ?? "[]") as string[]).includes("search");
+				const hasSearch = parseSupports(row.supports).includes("search");
 				if (hadSearch !== hasSearch) {
 					await this.syncSearchState(slug, trx);
 				}
@@ -525,7 +561,7 @@ export class SchemaRegistry {
 			.executeTakeFirst();
 		if (!row) return;
 
-		const wantsSearch = (JSON.parse(row.supports ?? "[]") as string[]).includes("search");
+		const wantsSearch = parseSupports(row.supports).includes("search");
 		const searchableFields = await ftsManager.getSearchableFields(collectionSlug);
 		const config = await ftsManager.getSearchConfig(collectionSlug);
 		const ftsActive = config?.enabled === true;
@@ -881,7 +917,7 @@ export class SchemaRegistry {
 			labelSingular: row.label_singular ?? undefined,
 			description: row.description ?? undefined,
 			icon: row.icon ?? undefined,
-			supports: row.supports ? JSON.parse(row.supports) : [],
+			supports: parseSupports(row.supports),
 			source: row.source && isCollectionSource(row.source) ? row.source : undefined,
 			hasSeo: row.has_seo === 1,
 			urlPattern: row.url_pattern ?? undefined,

package/src/search/fts-manager.ts

@@ -418,8 +418,6 @@ export class FTSManager {
 			console.warn(
 				`FTS index for "${collectionSlug}" has ${ftsRows} rows but content table has ${contentRows}. Rebuilding.`,
 			);
-			const fields = await this.getSearchableFields(collectionSlug);
-			const config = await this.getSearchConfig(collectionSlug);
 			if (fields.length > 0) {
 				await this.rebuildIndex(collectionSlug, fields, config?.weights);
 			}

package/src/search/query.ts

@@ -26,6 +26,23 @@ const WHITESPACE_SPLIT_PATTERN = /\s+/;
 const FTS_OPERATORS_PATTERN = /\b(AND|OR|NOT|NEAR)\b/i;
 const DOUBLE_QUOTE_PATTERN = /"/g;
 
+/**
+ * Detect FTS5 query syntax errors. Match specifically on the SQLite FTS5
+ * error fingerprints rather than a broad "fts5" / "syntax error" filter
+ * (which would also swallow internal table-corruption errors). The two
+ * fingerprints we care about are:
+ *
+ *  - "fts5: syntax error near …" — unbalanced quotes, stray operators,
+ *    other malformed user input
+ *  - "unknown special query: …" — bare special tokens like `^*` that
+ *    parse but don't resolve to a real FTS5 directive
+ */
+function isFts5SyntaxError(error: unknown): boolean {
+	if (!(error instanceof Error)) return false;
+	const message = error.message.toLowerCase();
+	return message.includes("fts5: syntax error") || message.includes("unknown special query");
+}
+
 /**
  * Search across multiple collections
  *
@@ -198,14 +215,16 @@ async function searchSingleCollection(
 	const bm25Expr = bm25Args ? `bm25("${ftsTable}", ${bm25Args})` : `bm25("${ftsTable}")`;
 
 	// Snippet column index is 2 (after id=0, locale=1, first searchable field=2)
-	const results = await sql<{
-		id: string;
-		slug: string | null;
-		locale: string;
-		title: string | null;
-		snippet: string;
-		score: number;
-	}>`
+	let results;
+	try {
+		results = await sql<{
+			id: string;
+			slug: string | null;
+			locale: string;
+			title: string | null;
+			snippet: string | null;
+			score: number;
+		}>`
 		SELECT 
 			c.id,
 			c.slug,
@@ -222,6 +241,20 @@ async function searchSingleCollection(
 		ORDER BY score
 		LIMIT ${limit}
 	`.execute(db);
+	} catch (error) {
+		// FTS5 returns syntax errors for queries with unbalanced quotes,
+		// stray operators, or other malformed input. Treat these as
+		// "no matches" so the user gets an empty result rather than an
+		// internals-leaking error. Other errors (table missing, IO) still
+		// propagate. Intentionally not logged: any anonymous client can
+		// trigger this path, and the underlying error message embeds the
+		// raw query, so logging would be both noisy and a log-injection
+		// vector.
+		if (isFts5SyntaxError(error)) {
+			return [];
+		}
+		throw error;
+	}
 
 	return results.rows.map((row) => ({
 		collection,
@@ -229,11 +262,51 @@ async function searchSingleCollection(
 		slug: row.slug,
 		locale: row.locale,
 		title: row.title ?? undefined,
-		snippet: row.snippet,
+		// SQLite's snippet() returns NULL when the targeted column is
+		// NULL for that row — even if the row matched via a different
+		// searchable column. Skip sanitization in that case so we don't
+		// throw on `null.replace`. The SearchResult.snippet field is
+		// already optional, so omitting it is the documented contract.
+		snippet: row.snippet === null ? undefined : sanitizeSnippet(row.snippet),
 		score: Math.abs(row.score), // bm25 returns negative scores
 	}));
 }
 
+// Module-scope regexes so the engine doesn't recompile per call —
+// snippet sanitization runs on every search result.
+const SNIPPET_AMP_RE = /&/g;
+const SNIPPET_LT_RE = /</g;
+const SNIPPET_GT_RE = />/g;
+const SNIPPET_QUOT_RE = /"/g;
+const SNIPPET_APOS_RE = /'/g;
+
+/**
+ * Make an FTS5 snippet safe to render with `set:html` / `innerHTML`.
+ *
+ * SQLite's `snippet()` function splices literal `<mark>` and `</mark>`
+ * markers around matched terms but does not escape the surrounding
+ * source text. Posts that legitimately contain `<`, `>`, `&`, `"` or
+ * `'` would render as broken markup, and a `<script>` literal in a
+ * title (or any other indexed field) would execute when displayed.
+ *
+ * The fix: HTML-escape the whole string, which turns the markers into
+ * `&lt;mark&gt;` / `&lt;/mark&gt;`. Then restore those two patterns to
+ * their original tag form. The result is "the indexed text with all
+ * HTML metacharacters escaped, plus a small set of literal `<mark>`
+ * highlight tags around matched terms" — which matches the API's
+ * documented contract.
+ */
+function sanitizeSnippet(snippet: string): string {
+	return snippet
+		.replace(SNIPPET_AMP_RE, "&amp;")
+		.replace(SNIPPET_LT_RE, "&lt;")
+		.replace(SNIPPET_GT_RE, "&gt;")
+		.replace(SNIPPET_QUOT_RE, "&quot;")
+		.replace(SNIPPET_APOS_RE, "&#39;")
+		.replaceAll("&lt;mark&gt;", "<mark>")
+		.replaceAll("&lt;/mark&gt;", "</mark>");
+}
+
 /**
  * Get search suggestions for autocomplete
  *
@@ -282,23 +355,35 @@ export async function getSuggestions(
 			continue;
 		}
 
-		const results = await sql<{
-			id: string;
-			title: string;
-		}>`
-			SELECT 
-				c.id,
-				c.title
-			FROM "${sql.raw(ftsTable)}" f
-			JOIN "${sql.raw(contentTable)}" c ON f.id = c.id
-			WHERE "${sql.raw(ftsTable)}" MATCH ${prefixQuery}
-			AND c.status = 'published'
-			AND c.deleted_at IS NULL
-			AND c.title IS NOT NULL
-			${locale ? sql`AND c.locale = ${locale}` : sql``}
-			ORDER BY bm25("${sql.raw(ftsTable)}")
-			LIMIT ${limit}
-		`.execute(db);
+		let results;
+		try {
+			results = await sql<{
+				id: string;
+				title: string;
+			}>`
+				SELECT 
+					c.id,
+					c.title
+				FROM "${sql.raw(ftsTable)}" f
+				JOIN "${sql.raw(contentTable)}" c ON f.id = c.id
+				WHERE "${sql.raw(ftsTable)}" MATCH ${prefixQuery}
+				AND c.status = 'published'
+				AND c.deleted_at IS NULL
+				AND c.title IS NOT NULL
+				${locale ? sql`AND c.locale = ${locale}` : sql``}
+				ORDER BY bm25("${sql.raw(ftsTable)}")
+				LIMIT ${limit}
+			`.execute(db);
+		} catch (error) {
+			// Same swallow as searchSingleCollection: malformed prefix
+			// queries should yield no suggestions, not surface DB errors.
+			// Intentionally not logged (anonymous-triggerable, echoes
+			// user input -- see searchSingleCollection for rationale).
+			if (isFts5SyntaxError(error)) {
+				continue;
+			}
+			throw error;
+		}
 
 		for (const row of results.rows) {
 			suggestions.push({

package/src/search/types.ts

@@ -58,7 +58,14 @@ export interface SearchResult {
 	locale: string;
 	/** Entry title (if available) */
 	title?: string;
-	/** Highlighted snippet showing match context */
+	/**
+	 * Highlighted snippet showing match context.
+	 *
+	 * Sanitized server-side to be safe for `set:html` / `innerHTML`:
+	 * all HTML metacharacters in the source text are escaped, and
+	 * matched terms are wrapped in literal `<mark>...</mark>` tags
+	 * (the only HTML the snippet is allowed to contain).
+	 */
 	snippet?: string;
 	/** Relevance score (higher = more relevant) */
 	score: number;

package/src/sections/index.ts

@@ -137,17 +137,15 @@ export async function getSectionsWithDb(
 	// Order by title ASC, id ASC for stable cursor pagination
 	query = query.orderBy("title", "asc").orderBy("id", "asc");
 
-	// Cursor-based pagination
+	// Cursor-based pagination — throws on invalid cursor.
 	if (options.cursor) {
 		const decoded = decodeCursor(options.cursor);
-		if (decoded) {
-			query = query.where((eb) =>
-				eb.or([
-					eb("title", ">", decoded.orderValue),
-					eb.and([eb("title", "=", decoded.orderValue), eb("id", ">", decoded.id)]),
-				]),
-			);
-		}
+		query = query.where((eb) =>
+			eb.or([
+				eb("title", ">", decoded.orderValue),
+				eb.and([eb("title", "=", decoded.orderValue), eb("id", ">", decoded.id)]),
+			]),
+		);
 	}
 
 	query = query.limit(limit + 1);

package/src/storage/s3.ts

@@ -7,6 +7,7 @@
 
 import {
 	S3Client,
+	type S3ClientConfig,
 	PutObjectCommand,
 	GetObjectCommand,
 	DeleteObjectCommand,
@@ -131,9 +132,14 @@ export class S3Storage implements Storage {
 		this.publicUrl = config.publicUrl;
 		this.endpoint = config.endpoint;
 
-		this.client = new S3Client({
+		// S3ClientConfig types `credentials` as required, but the SDK accepts
+		// omitted credentials at runtime (falls back to the provider chain).
+		/* eslint-disable typescript-eslint(no-unsafe-type-assertion) -- upstream @aws-sdk/client-s3 overstates required fields */
+		const clientConfig = {
 			endpoint: config.endpoint,
 			region: config.region || "auto",
+			// Required for R2 and some S3-compatible services
+			forcePathStyle: true,
 			...(config.accessKeyId && config.secretAccessKey
 				? {
 						credentials: {
@@ -142,9 +148,9 @@ export class S3Storage implements Storage {
 						},
 					}
 				: {}),
-			// Required for R2 and some S3-compatible services
-			forcePathStyle: true,
-		} as ConstructorParameters<typeof S3Client>[0]);
+		} as S3ClientConfig;
+		/* eslint-enable typescript-eslint(no-unsafe-type-assertion) */
+		this.client = new S3Client(clientConfig);
 	}
 
 	async upload(options: {
@@ -317,8 +323,8 @@ export class S3Storage implements Storage {
 		if (this.publicUrl) {
 			return `${this.publicUrl.replace(TRAILING_SLASH_PATTERN, "")}/${key}`;
 		}
-		// Default to endpoint + bucket + key
-		return `${this.endpoint.replace(TRAILING_SLASH_PATTERN, "")}/${this.bucket}/${key}`;
+		// No public URL configured; defer to the /_emdash/api/media/file route.
+		return `/_emdash/api/media/file/${key}`;
 	}
 }
 

package/src/virtual-modules.d.ts

@@ -7,12 +7,18 @@
 
 declare module "virtual:emdash/config" {
 	import type { I18nConfig } from "./i18n/config.js";
-	import type { DatabaseDescriptor, StorageDescriptor, AuthDescriptor } from "./index.js";
+	import type {
+		AuthDescriptor,
+		AuthProviderDescriptor,
+		DatabaseDescriptor,
+		StorageDescriptor,
+	} from "./index.js";
 
 	interface VirtualConfig {
 		database?: DatabaseDescriptor;
 		storage?: StorageDescriptor;
 		auth?: AuthDescriptor;
+		authProviders?: AuthProviderDescriptor[];
 		i18n?: I18nConfig | null;
 	}
 
@@ -103,6 +109,20 @@ declare module "virtual:emdash/block-components" {
 	export const pluginBlockComponents: Record<string, unknown>;
 }
 
+declare module "virtual:emdash/auth-providers" {
+	import type { ComponentType } from "react";
+
+	interface AuthProviderEntry {
+		id: string;
+		label: string;
+		LoginButton?: ComponentType;
+		LoginForm?: ComponentType;
+		SetupStep?: ComponentType<{ onComplete: () => void }>;
+	}
+
+	export const authProviders: Record<string, AuthProviderEntry>;
+}
+
 declare module "virtual:emdash/wait-until" {
 	/**
 	 * Optional host-provided lifetime extender for work deferred past the

package/src/widgets/index.ts

@@ -125,7 +125,7 @@ export function getWidgetComponents(): WidgetComponentDef[] {
 /**
  * Convert a widget row to the API type
  */
-function rowToWidget(row: WidgetRow): Widget {
+export function rowToWidget(row: WidgetRow): Widget {
 	const widget: Widget = {
 		id: row.id,
 		type: row.type,