emdash 0.7.0 → 0.9.0

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "emdash",
-  "version": "0.7.0",
+  "version": "0.9.0",
   "description": "Astro-native CMS with WordPress migration support",
   "type": "module",
   "main": "dist/index.mjs",
@@ -45,6 +45,12 @@
       "default": "./dist/cli/index.mjs"
     },
     "./routes/*": "./src/astro/routes/*",
+    "./api/route-utils": "./src/api/route-utils.ts",
+    "./api/schemas": "./src/api/schemas/index.ts",
+    "./auth/providers/github": "./src/auth/providers/github.ts",
+    "./auth/providers/github-admin": "./src/auth/providers/github-admin.tsx",
+    "./auth/providers/google": "./src/auth/providers/google.ts",
+    "./auth/providers/google-admin": "./src/auth/providers/google-admin.tsx",
     "./db": {
       "types": "./dist/db/index.d.mts",
       "default": "./dist/db/index.mjs"
@@ -128,6 +134,7 @@
   "imports": {
     "#api/schemas.js": "./src/api/schemas/index.js",
     "#api/*": "./src/api/*",
+    "#config/*": "./src/config/*",
     "#db/*": "./src/database/*",
     "#auth/*": "./src/auth/*",
     "#schema/*": "./src/schema/*",
@@ -153,6 +160,8 @@
   "dependencies": {
     "@floating-ui/react": "^0.27.16",
     "@modelcontextprotocol/sdk": "^1.26.0",
+    "@oslojs/crypto": "^1.0.1",
+    "@oslojs/encoding": "^1.1.0",
     "@portabletext/toolkit": "^5.0.1",
     "@tiptap/core": "^3.20.0",
     "@tiptap/extension-focus": "^3.20.0",
@@ -185,9 +194,9 @@
     "ulidx": "^2.4.1",
     "upng-js": "^2.1.0",
     "zod": "^4.3.5",
-    "@emdash-cms/admin": "0.7.0",
-    "@emdash-cms/auth": "0.7.0",
-    "@emdash-cms/gutenberg-to-portable-text": "0.7.0"
+    "@emdash-cms/admin": "0.9.0",
+    "@emdash-cms/auth": "0.9.0",
+    "@emdash-cms/gutenberg-to-portable-text": "0.9.0"
   },
   "optionalDependencies": {
     "@libsql/kysely-libsql": "^0.4.0",
@@ -195,16 +204,21 @@
   },
   "peerDependencies": {
     "@astrojs/react": ">=5.0.0-beta.0",
-    "@tanstack/react-query": ">=5.0.0",
-    "@tanstack/react-router": ">=1.100.0",
+    "@emdash-cms/auth-atproto": ">=0.2.1",
     "astro": ">=6.0.0-beta.0",
     "react": ">=18.0.0",
     "react-dom": ">=18.0.0"
   },
+  "peerDependenciesMeta": {
+    "@emdash-cms/auth-atproto": {
+      "optional": true
+    }
+  },
   "devDependencies": {
     "@apidevtools/swagger-parser": "^12.1.0",
     "@arethetypeswrong/cli": "^0.18.2",
     "@types/better-sqlite3": "^7.6.12",
+    "@types/react": "19.2.14",
     "@types/pg": "^8.16.0",
     "@types/sanitize-html": "^2.16.0",
     "@types/sax": "^1.2.7",
@@ -215,7 +229,7 @@
     "vite": "^6.0.0",
     "vitest": "^4.0.18",
     "zod-openapi": "^5.4.6",
-    "@emdash-cms/blocks": "0.7.0"
+    "@emdash-cms/blocks": "0.9.0"
   },
   "repository": {
     "type": "git",

package/src/api/auth-storage.ts

@@ -0,0 +1,37 @@
+/**
+ * Auth provider storage helper.
+ *
+ * Gives auth provider routes access to plugin-style storage collections
+ * namespaced under `auth:<providerId>`. Reuses the existing `_plugin_storage`
+ * table and `PluginStorageRepository` infrastructure.
+ */
+
+import type { Kysely } from "kysely";
+
+import type { Database } from "../database/types.js";
+import { createStorageAccess } from "../plugins/context.js";
+import type { StorageCollection, StorageCollectionConfig } from "../plugins/types.js";
+
+/**
+ * Get storage collections for an auth provider.
+ *
+ * Returns a record of `StorageCollection` instances, one per declared
+ * collection in the provider's `storage` config. Data is stored in the
+ * shared `_plugin_storage` table under the namespace `auth:<providerId>`.
+ *
+ * @example
+ * ```ts
+ * const storage = getAuthProviderStorage(emdash.db, "atproto", {
+ *   states: { indexes: [] },
+ *   sessions: { indexes: [] },
+ * });
+ * const session = await storage.sessions.get(sessionId);
+ * ```
+ */
+export function getAuthProviderStorage(
+	db: Kysely<Database>,
+	providerId: string,
+	storageConfig: Record<string, StorageCollectionConfig>,
+): Record<string, StorageCollection> {
+	return createStorageAccess(db, `auth:${providerId}`, storageConfig);
+}

package/src/api/error.ts

@@ -5,6 +5,7 @@
  * `new Response(JSON.stringify({ error: ... }), ...)` patterns.
  */
 
+import { InvalidCursorError } from "../database/repositories/types.js";
 import { mapErrorStatus } from "./errors.js";
 import type { ApiResult } from "./types.js";
 
@@ -54,6 +55,11 @@ export function handleError(
 	fallbackMessage: string,
 	fallbackCode: string,
 ): Response {
+	// Bubble malformed-cursor errors as a structured 400 instead of a
+	// generic 500.
+	if (error instanceof InvalidCursorError) {
+		return apiError("INVALID_CURSOR", error.message, 400);
+	}
 	console.error(`[${fallbackCode}]`, error);
 	return apiError(fallbackCode, fallbackMessage, 500);
 }

package/src/api/errors.ts

@@ -12,7 +12,9 @@ export const ErrorCode = {
 	VALIDATION_ERROR: "VALIDATION_ERROR",
 	INVALID_INPUT: "INVALID_INPUT",
 	INVALID_JSON: "INVALID_JSON",
+	INVALID_CURSOR: "INVALID_CURSOR",
 	CONFLICT: "CONFLICT",
+	SLUG_CONFLICT: "SLUG_CONFLICT",
 	NOT_CONFIGURED: "NOT_CONFIGURED",
 	UNAUTHORIZED: "UNAUTHORIZED",
 	FORBIDDEN: "FORBIDDEN",
@@ -152,6 +154,8 @@ export const ErrorCode = {
 	INVALID_CODE: "INVALID_CODE",
 	EXPIRED_CODE: "EXPIRED_CODE",
 	INSUFFICIENT_ROLE: "INSUFFICIENT_ROLE",
+	INSUFFICIENT_SCOPE: "INSUFFICIENT_SCOPE",
+	INSUFFICIENT_PERMISSIONS: "INSUFFICIENT_PERMISSIONS",
 	TOKEN_EXCHANGE_ERROR: "TOKEN_EXCHANGE_ERROR",
 	TOKEN_REFRESH_ERROR: "TOKEN_REFRESH_ERROR",
 	TOKEN_REVOKE_ERROR: "TOKEN_REVOKE_ERROR",
@@ -335,6 +339,7 @@ export function mapErrorStatus(code: string | undefined): number {
 		case ErrorCode.VALIDATION_ERROR:
 		case ErrorCode.INVALID_INPUT:
 		case ErrorCode.INVALID_JSON:
+		case ErrorCode.INVALID_CURSOR:
 		case ErrorCode.MISSING_PARAM:
 		case ErrorCode.INVALID_REQUEST:
 		case ErrorCode.NOT_SUPPORTED:
@@ -373,6 +378,8 @@ export function mapErrorStatus(code: string | undefined): number {
 		case ErrorCode.COMMENT_REJECTED:
 		case ErrorCode.DOMAIN_NOT_ALLOWED:
 		case ErrorCode.INSUFFICIENT_ROLE:
+		case ErrorCode.INSUFFICIENT_SCOPE:
+		case ErrorCode.INSUFFICIENT_PERMISSIONS:
 		case ErrorCode.CAPABILITY_ESCALATION:
 		case ErrorCode.ROUTE_VISIBILITY_ESCALATION:
 		case ErrorCode.AUDIT_FAILED:
@@ -388,6 +395,7 @@ export function mapErrorStatus(code: string | undefined): number {
 
 		// 409 Conflict
 		case ErrorCode.CONFLICT:
+		case ErrorCode.SLUG_CONFLICT:
 		case ErrorCode.COLLECTION_EXISTS:
 		case ErrorCode.FIELD_EXISTS:
 		case ErrorCode.CREDENTIAL_EXISTS:

package/src/api/handlers/comments.ts

@@ -8,6 +8,7 @@ import type { Kysely } from "kysely";
 
 import { CommentRepository } from "../../database/repositories/comment.js";
 import type { Comment, CommentStatus, PublicComment } from "../../database/repositories/comment.js";
+import { InvalidCursorError } from "../../database/repositories/types.js";
 import type { Database } from "../../database/types.js";
 import type { ApiResult } from "../types.js";
 
@@ -60,6 +61,12 @@ export async function handleCommentList(
 			},
 		};
 	} catch (error) {
+		if (error instanceof InvalidCursorError) {
+			return {
+				success: false,
+				error: { code: "INVALID_CURSOR", message: error.message },
+			};
+		}
 		console.error("Comment list error:", error);
 		return {
 			success: false,
@@ -104,6 +111,12 @@ export async function handleCommentInbox(
 			},
 		};
 	} catch (error) {
+		if (error instanceof InvalidCursorError) {
+			return {
+				success: false,
+				error: { code: "INVALID_CURSOR", message: error.message },
+			};
+		}
 		console.error("Comment inbox error:", error);
 		return {
 			success: false,
@@ -303,11 +316,13 @@ export async function checkRateLimit(
 /**
  * Hash an IP address for storage (never store cleartext IPs).
  *
- * Uses full SHA-256 with an application salt to prevent rainbow-table
- * recovery of IPs. The caller should pass a site-specific secret;
- * falls back to a static salt if none is provided.
+ * Uses full SHA-256 with a site-specific salt to prevent rainbow-table
+ * recovery of IPs. The salt must be provided by the caller — typically
+ * via `resolveSecretsCached(db).ipSalt` from `#config/secrets.js`. The
+ * salt is generated and persisted on first need so it's stable across
+ * requests within a deployment but unique per install.
  */
-export async function hashIp(ip: string, salt: string = "emdash-ip-salt"): Promise<string> {
+export async function hashIp(ip: string, salt: string): Promise<string> {
 	const data = `ip:${salt}:${ip}`;
 	const buf = await crypto.subtle.digest("SHA-256", new TextEncoder().encode(data));
 	return Array.from(new Uint8Array(buf), (b) => b.toString(16).padStart(2, "0")).join("");

package/src/api/handlers/content.ts

@@ -14,6 +14,7 @@ import { RevisionRepository } from "../../database/repositories/revision.js";
 import { SeoRepository } from "../../database/repositories/seo.js";
 import {
 	EmDashValidationError,
+	InvalidCursorError,
 	type ContentItem,
 	type ContentSeo,
 	type ContentSeoInput,
@@ -23,9 +24,26 @@ import type { Database } from "../../database/types.js";
 import { validateIdentifier } from "../../database/validate.js";
 import { isI18nEnabled } from "../../i18n/config.js";
 import { invalidateRedirectCache } from "../../redirects/cache.js";
+import { isMissingTableError } from "../../utils/db-errors.js";
 import { encodeRev, validateRev } from "../rev.js";
 import type { ApiResult, ContentListResponse, ContentResponse } from "../types.js";
 
+/**
+ * Narrow a caught error to one carrying a structured `apiError` discriminant.
+ * Used by transaction callbacks that want to surface a specific error code
+ * through the standard Error throwing path.
+ */
+function hasApiError(error: unknown): error is Error & { apiError: { code: string } } {
+	if (!(error instanceof Error) || !("apiError" in error)) return false;
+	const { apiError } = error;
+	return (
+		typeof apiError === "object" &&
+		apiError !== null &&
+		"code" in apiError &&
+		typeof apiError.code === "string"
+	);
+}
+
 /**
  * Extract a slug source (title or name) from content data.
  * Returns null if no suitable string field is found.
@@ -267,6 +285,28 @@ export async function handleContentList(
 			},
 		};
 	} catch (error) {
+		if (error instanceof InvalidCursorError) {
+			return {
+				success: false,
+				error: { code: "INVALID_CURSOR", message: error.message },
+			};
+		}
+		if (isMissingTableError(error)) {
+			return {
+				success: false,
+				error: {
+					code: "COLLECTION_NOT_FOUND",
+					message: `Collection '${collection}' not found`,
+				},
+			};
+		}
+		if (error instanceof EmDashValidationError) {
+			// e.g. invalid orderBy field
+			return {
+				success: false,
+				error: { code: "VALIDATION_ERROR", message: error.message },
+			};
+		}
 		console.error("Content list error:", error);
 		return {
 			success: false,
@@ -453,6 +493,46 @@ export async function handleContentCreate(
 			data: { item, _rev: encodeRev(item) },
 		};
 	} catch (error) {
+		if (isMissingTableError(error)) {
+			return {
+				success: false,
+				error: {
+					code: "COLLECTION_NOT_FOUND",
+					message: `Collection '${collection}' not found`,
+				},
+			};
+		}
+		if (error instanceof EmDashValidationError) {
+			return {
+				success: false,
+				error: { code: "VALIDATION_ERROR", message: error.message },
+			};
+		}
+		// SQLite UNIQUE constraint OR Postgres unique_violation — slug
+		// collisions and any other unique violations land here. Match
+		// specifically on "unique constraint failed" / "duplicate key" so we
+		// don't false-positive on NOT NULL or CHECK violations whose
+		// messages also contain "constraint failed".
+		const message = error instanceof Error ? error.message.toLowerCase() : "";
+		if (message.includes("unique constraint failed") || message.includes("duplicate key")) {
+			// Detect slug-specific collisions by message fingerprint
+			if (message.includes("slug")) {
+				return {
+					success: false,
+					error: {
+						code: "SLUG_CONFLICT",
+						message: `Slug '${body.slug ?? "(auto-generated)"}' already exists in collection '${collection}'`,
+					},
+				};
+			}
+			return {
+				success: false,
+				error: {
+					code: "CONFLICT",
+					message: "Unique constraint violation",
+				},
+			};
+		}
 		console.error("Content create error:", error);
 		return {
 			success: false,
@@ -604,11 +684,44 @@ export async function handleContentUpdate(
 	} catch (error) {
 		// Handle structured errors thrown from inside the transaction
 		// (rev check failures, not-found)
-		if (error instanceof Error && "apiError" in error) {
-			const { code } = (error as Error & { apiError: { code: string } }).apiError;
+		if (hasApiError(error)) {
 			return {
 				success: false,
-				error: { code, message: error.message },
+				error: { code: error.apiError.code, message: error.message },
+			};
+		}
+		if (isMissingTableError(error)) {
+			return {
+				success: false,
+				error: {
+					code: "COLLECTION_NOT_FOUND",
+					message: `Collection '${collection}' not found`,
+				},
+			};
+		}
+		if (error instanceof EmDashValidationError) {
+			return {
+				success: false,
+				error: { code: "VALIDATION_ERROR", message: error.message },
+			};
+		}
+		const message = error instanceof Error ? error.message.toLowerCase() : "";
+		if (message.includes("unique constraint failed") || message.includes("duplicate key")) {
+			if (message.includes("slug")) {
+				return {
+					success: false,
+					error: {
+						code: "SLUG_CONFLICT",
+						message: `Slug '${body.slug ?? id}' already exists in collection '${collection}'`,
+					},
+				};
+			}
+			return {
+				success: false,
+				error: {
+					code: "CONFLICT",
+					message: "Unique constraint violation",
+				},
 			};
 		}
 		console.error("Content update error:", error);
@@ -869,6 +982,12 @@ export async function handleContentListTrashed(
 			},
 		};
 	} catch (error) {
+		if (error instanceof InvalidCursorError) {
+			return {
+				success: false,
+				error: { code: "INVALID_CURSOR", message: error.message },
+			};
+		}
 		console.error("Content list trashed error:", error);
 		return {
 			success: false,
@@ -974,6 +1093,15 @@ export async function handleContentUnschedule(
 			data: { item },
 		};
 	} catch (error) {
+		if (error instanceof EmDashValidationError) {
+			return {
+				success: false,
+				error: {
+					code: "VALIDATION_ERROR",
+					message: error.message,
+				},
+			};
+		}
 		console.error("Content unschedule error:", error);
 		return {
 			success: false,
@@ -996,12 +1124,13 @@ export async function handleContentPublish(
 	db: Kysely<Database>,
 	collection: string,
 	id: string,
+	options: { publishedAt?: string } = {},
 ): Promise<ApiResult<ContentResponse>> {
 	try {
 		const item = await withTransaction(db, async (trx) => {
 			const repo = new ContentRepository(trx);
 			const resolvedId = (await resolveId(repo, collection, id)) ?? id;
-			return repo.publish(collection, resolvedId);
+			return repo.publish(collection, resolvedId, options.publishedAt);
 		});
 
 		const hasSeo = await collectionHasSeo(db, collection);
@@ -1012,6 +1141,15 @@ export async function handleContentPublish(
 			data: { item },
 		};
 	} catch (error) {
+		if (error instanceof EmDashValidationError) {
+			return {
+				success: false,
+				error: {
+					code: "VALIDATION_ERROR",
+					message: error.message,
+				},
+			};
+		}
 		console.error("Content publish error:", error);
 		return {
 			success: false,
@@ -1049,6 +1187,15 @@ export async function handleContentUnpublish(
 			data: { item },
 		};
 	} catch (error) {
+		if (error instanceof EmDashValidationError) {
+			return {
+				success: false,
+				error: {
+					code: "VALIDATION_ERROR",
+					message: error.message,
+				},
+			};
+		}
 		console.error("Content unpublish error:", error);
 		return {
 			success: false,

package/src/api/handlers/device-flow.ts

@@ -135,6 +135,11 @@ export async function handleDeviceCodeRequest(
 	verificationUri: string,
 ): Promise<ApiResult<DeviceCodeResponse>> {
 	try {
+		// Note: client_id is accepted but not validated against _emdash_oauth_clients
+		// because the CLI uses a well-known built-in client ID ("emdash-cli") that
+		// isn't stored in the DB. Full client_id validation + scope clamping for the
+		// device flow is tracked as a follow-up.
+
 		// Parse and validate scopes
 		const requestedScopes = input.scope ? input.scope.split(" ").filter(Boolean) : [];
 		const scopes = normalizeScopes(requestedScopes);

package/src/api/handlers/index.ts

@@ -113,11 +113,13 @@ export {
 	handleMenuItemUpdate,
 	handleMenuItemDelete,
 	handleMenuItemReorder,
+	handleMenuSetItems,
 	type MenuListItem,
 	type MenuWithItems,
 	type CreateMenuItemInput,
 	type UpdateMenuItemInput,
 	type ReorderItem,
+	type MenuSetItemsInput,
 } from "./menus.js";
 
 // Section handlers

package/src/api/handlers/marketplace.ts

@@ -24,6 +24,7 @@ import {
 } from "../../plugins/marketplace.js";
 import type { SandboxRunner } from "../../plugins/sandbox/types.js";
 import { PluginStateRepository } from "../../plugins/state.js";
+import { normalizeCapabilities } from "../../plugins/types.js";
 import type { PluginManifest } from "../../plugins/types.js";
 import { EmDashStorageError } from "../../storage/types.js";
 import type { Storage } from "../../storage/types.js";
@@ -95,11 +96,17 @@ function diffCapabilities(
 	oldCaps: string[],
 	newCaps: string[],
 ): { added: string[]; removed: string[] } {
-	const oldSet = new Set(oldCaps);
-	const newSet = new Set(newCaps);
+	// Normalize both sides before diffing so that an installed v1 manifest
+	// declaring `read:content` and an upgrade v2 manifest declaring
+	// `content:read` produces an empty diff — users should not see a
+	// spurious "capability changed" prompt for a pure rename.
+	const oldNorm = normalizeCapabilities(oldCaps);
+	const newNorm = normalizeCapabilities(newCaps);
+	const oldSet = new Set(oldNorm);
+	const newSet = new Set(newNorm);
 	return {
-		added: newCaps.filter((c) => !oldSet.has(c)),
-		removed: oldCaps.filter((c) => !newSet.has(c)),
+		added: newNorm.filter((c) => !oldSet.has(c)),
+		removed: oldNorm.filter((c) => !newSet.has(c)),
 	};
 }
 

package/src/api/handlers/media.ts

@@ -5,6 +5,7 @@
 import type { Kysely } from "kysely";
 
 import { MediaRepository, type MediaItem } from "../../database/repositories/media.js";
+import { InvalidCursorError } from "../../database/repositories/types.js";
 import type { Database } from "../../database/types.js";
 import type { ApiResult } from "../types.js";
 
@@ -43,7 +44,13 @@ export async function handleMediaList(
 				nextCursor: result.nextCursor,
 			},
 		};
-	} catch {
+	} catch (error) {
+		if (error instanceof InvalidCursorError) {
+			return {
+				success: false,
+				error: { code: "INVALID_CURSOR", message: error.message },
+			};
+		}
 		return {
 			success: false,
 			error: {