emdash 0.7.0 → 0.9.0

package/src/api/handlers/menus.ts

@@ -42,26 +42,33 @@ export interface MenuWithItems extends MenuRow {
  */
 export async function handleMenuList(db: Kysely<Database>): Promise<ApiResult<MenuListItem[]>> {
 	try {
-		const menus = await db
-			.selectFrom("_emdash_menus")
-			.select(["id", "name", "label", "created_at", "updated_at"])
-			.orderBy("name", "asc")
+		// Single query: LEFT JOIN + GROUP BY for the per-menu item count.
+		// Avoids the N+1 of one count query per menu.
+		const rows = await db
+			.selectFrom("_emdash_menus as m")
+			.leftJoin("_emdash_menu_items as i", "i.menu_id", "m.id")
+			.select(({ fn }) => [
+				"m.id",
+				"m.name",
+				"m.label",
+				"m.created_at",
+				"m.updated_at",
+				fn.count<number>("i.id").as("itemCount"),
+			])
+			.groupBy(["m.id", "m.name", "m.label", "m.created_at", "m.updated_at"])
+			.orderBy("m.name", "asc")
 			.execute();
 
-		const menusWithCounts = await Promise.all(
-			menus.map(async (menu) => {
-				const { count } = await db
-					.selectFrom("_emdash_menu_items")
-					.select(({ fn }) => fn.countAll<number>().as("count"))
-					.where("menu_id", "=", menu.id)
-					.executeTakeFirstOrThrow();
-
-				return {
-					...menu,
-					itemCount: count,
-				};
-			}),
-		);
+		// SQLite returns count as `number`, but some dialects (Postgres)
+		// return `string` from a count() aggregate. Normalize to number.
+		const menusWithCounts: MenuListItem[] = rows.map((row) => ({
+			id: row.id,
+			name: row.name,
+			label: row.label,
+			created_at: row.created_at,
+			updated_at: row.updated_at,
+			itemCount: typeof row.itemCount === "string" ? Number(row.itemCount) : row.itemCount,
+		}));
 
 		return { success: true, data: menusWithCounts };
 	} catch {
@@ -135,7 +142,7 @@ export async function handleMenuGet(
 		if (!menu) {
 			return {
 				success: false,
-				error: { code: "NOT_FOUND", message: "Menu not found" },
+				error: { code: "NOT_FOUND", message: `Menu '${name}' not found` },
 			};
 		}
 
@@ -173,7 +180,7 @@ export async function handleMenuUpdate(
 		if (!menu) {
 			return {
 				success: false,
-				error: { code: "NOT_FOUND", message: "Menu not found" },
+				error: { code: "NOT_FOUND", message: `Menu '${name}' not found` },
 			};
 		}
 
@@ -217,10 +224,14 @@ export async function handleMenuDelete(
 		if (!menu) {
 			return {
 				success: false,
-				error: { code: "NOT_FOUND", message: "Menu not found" },
+				error: { code: "NOT_FOUND", message: `Menu '${name}' not found` },
 			};
 		}
 
+		// D1 has FOREIGN KEYS off by default, so the migration's `ON DELETE
+		// CASCADE` won't fire there. Delete items explicitly first — this is
+		// idempotent on SQLite/Postgres where the cascade also fires.
+		await db.deleteFrom("_emdash_menu_items").where("menu_id", "=", menu.id).execute();
 		await db.deleteFrom("_emdash_menus").where("id", "=", menu.id).execute();
 
 		return { success: true, data: { deleted: true } };
@@ -443,6 +454,134 @@ export interface ReorderItem {
 	sortOrder: number;
 }
 
+// ---------------------------------------------------------------------------
+// Atomic-replace menu items (used by the MCP `menu_set_items` tool)
+// ---------------------------------------------------------------------------
+
+export interface MenuSetItemsInput {
+	label: string;
+	type: "custom" | "page" | "post" | "taxonomy" | "collection";
+	customUrl?: string;
+	referenceCollection?: string;
+	referenceId?: string;
+	titleAttr?: string;
+	target?: string;
+	cssClasses?: string;
+	/**
+	 * Index of the parent item in this same array. Must be strictly less
+	 * than the current item's index so the insert order resolves parents
+	 * before children. `undefined` makes the item top-level.
+	 */
+	parentIndex?: number;
+}
+
+/**
+ * Replace the entire set of items for a menu in one atomic transaction.
+ *
+ * Existing items are deleted and the new list is inserted in the order
+ * provided. `parentIndex` references resolve to actual parent IDs as the
+ * insert proceeds.
+ */
+export async function handleMenuSetItems(
+	db: Kysely<Database>,
+	menuName: string,
+	items: MenuSetItemsInput[],
+): Promise<ApiResult<{ name: string; itemCount: number }>> {
+	// Validate parentIndex references — must be strictly earlier so
+	// the array can be inserted in order with parents resolved first.
+	// Negative indices are out of range; only Zod's `.nonnegative()` at
+	// the MCP boundary catches them today, so guard explicitly here for
+	// any caller that bypasses Zod (REST routes, direct handler use).
+	for (let i = 0; i < items.length; i++) {
+		const item = items[i];
+		if (item?.parentIndex !== undefined) {
+			if (item.parentIndex < 0 || item.parentIndex >= i) {
+				return {
+					success: false,
+					error: {
+						code: "VALIDATION_ERROR",
+						message: `item[${i}].parentIndex (${item.parentIndex}) must reference an earlier item`,
+					},
+				};
+			}
+		}
+	}
+
+	try {
+		// Sentinel for "menu not found" thrown from inside the transaction
+		// so the rollback fires before we return the structured error.
+		const notFoundSentinel = Symbol("menu-not-found");
+
+		try {
+			await withTransaction(db, async (trx) => {
+				// Existence check INSIDE the transaction so a concurrent
+				// menu_delete between lookup and write can't leave orphan
+				// items on D1 (FKs disabled by default).
+				const menu = await trx
+					.selectFrom("_emdash_menus")
+					.select("id")
+					.where("name", "=", menuName)
+					.executeTakeFirst();
+
+				if (!menu) {
+					throw notFoundSentinel;
+				}
+
+				await trx.deleteFrom("_emdash_menu_items").where("menu_id", "=", menu.id).execute();
+
+				const insertedIds: string[] = [];
+				for (let i = 0; i < items.length; i++) {
+					const item = items[i];
+					if (!item) continue;
+					const id = ulid();
+					const parentId =
+						item.parentIndex !== undefined ? (insertedIds[item.parentIndex] ?? null) : null;
+					await trx
+						.insertInto("_emdash_menu_items")
+						.values({
+							id,
+							menu_id: menu.id,
+							parent_id: parentId,
+							sort_order: i,
+							type: item.type,
+							reference_collection: item.referenceCollection ?? null,
+							reference_id: item.referenceId ?? null,
+							custom_url: item.customUrl ?? null,
+							label: item.label,
+							title_attr: item.titleAttr ?? null,
+							target: item.target ?? null,
+							css_classes: item.cssClasses ?? null,
+						})
+						.execute();
+					insertedIds.push(id);
+				}
+
+				await trx
+					.updateTable("_emdash_menus")
+					.set({ updated_at: new Date().toISOString() })
+					.where("id", "=", menu.id)
+					.execute();
+			});
+		} catch (error) {
+			if (error === notFoundSentinel) {
+				return {
+					success: false,
+					error: { code: "NOT_FOUND", message: `Menu '${menuName}' not found` },
+				};
+			}
+			throw error;
+		}
+
+		return { success: true, data: { name: menuName, itemCount: items.length } };
+	} catch (error) {
+		console.error("[emdash] handleMenuSetItems failed:", error);
+		return {
+			success: false,
+			error: { code: "MENU_SET_ITEMS_ERROR", message: "Failed to set menu items" },
+		};
+	}
+}
+
 /**
  * Batch reorder menu items.
  */

package/src/api/handlers/oauth-authorization.ts

@@ -8,7 +8,7 @@
  * utilities. Token infrastructure is shared with the device flow.
  */
 
-import { clampScopes, computeS256Challenge } from "@emdash-cms/auth";
+import { clampScopes, computeS256Challenge, secureCompare } from "@emdash-cms/auth";
 import type { RoleLevel } from "@emdash-cms/auth";
 import { generateCodeVerifier } from "arctic";
 import type { Kysely } from "kysely";
@@ -19,10 +19,12 @@ import {
 	TOKEN_PREFIXES,
 	VALID_SCOPES,
 } from "../../auth/api-tokens.js";
+import { withTransaction } from "../../database/transaction.js";
 import type { Database } from "../../database/types.js";
 import { validateRedirectUri } from "../oauth/redirect-uri.js";
 import type { ApiResult } from "../types.js";
 import { lookupOAuthClient, validateClientRedirectUri } from "./oauth-clients.js";
+import { lookupUserRoleAndStatus } from "./oauth-user-lookup.js";
 
 // ---------------------------------------------------------------------------
 // Constants
@@ -296,8 +298,9 @@ export async function handleAuthorizationCodeExchange(
 		}
 
 		// PKCE verification: SHA256(code_verifier) must match stored code_challenge
+		// Use constant-time comparison to prevent timing side-channels
 		const derivedChallenge = computeS256Challenge(params.code_verifier);
-		if (derivedChallenge !== row.code_challenge) {
+		if (!secureCompare(derivedChallenge, row.code_challenge)) {
 			return {
 				success: false,
 				error: { code: "invalid_grant", message: "PKCE verification failed" },
@@ -312,44 +315,80 @@ export async function handleAuthorizationCodeExchange(
 			};
 		}
 
-		// Issue tokens (same as device flow)
-		const scopes = JSON.parse(row.scopes) as string[];
+		// Revalidate user role before issuing tokens (same pattern as handleTokenRefresh).
+		// The user's role may have changed since the authorization code was issued.
+		const userInfo = await lookupUserRoleAndStatus(db, row.user_id);
+		if (!userInfo) {
+			return {
+				success: false,
+				error: { code: "invalid_grant", message: "User not found" },
+			};
+		}
 
+		if (userInfo.disabled) {
+			return {
+				success: false,
+				error: { code: "invalid_grant", message: "User account is disabled" },
+			};
+		}
+
+		// Re-clamp scopes against the user's current role
+		const storedScopes = JSON.parse(row.scopes) as string[];
+		let scopes = clampScopes(storedScopes, userInfo.role);
+
+		// Intersect with client's registered scopes (if restricted)
+		const client = await lookupOAuthClient(db, row.client_id);
+		if (client?.scopes?.length) {
+			scopes = scopes.filter((s: string) => client.scopes!.includes(s));
+		}
+
+		if (scopes.length === 0) {
+			return {
+				success: false,
+				error: {
+					code: "invalid_grant",
+					message: "User role no longer supports any of the requested scopes",
+				},
+			};
+		}
+
+		// Issue tokens (same as device flow)
 		const accessToken = generatePrefixedToken(TOKEN_PREFIXES.OAUTH_ACCESS);
 		const accessExpires = expiresAt(ACCESS_TOKEN_TTL_SECONDS);
 
 		const refreshToken = generatePrefixedToken(TOKEN_PREFIXES.OAUTH_REFRESH);
 		const refreshExpires = expiresAt(REFRESH_TOKEN_TTL_SECONDS);
 
-		// Store access token
-		await db
-			.insertInto("_emdash_oauth_tokens")
-			.values({
-				token_hash: accessToken.hash,
-				token_type: "access",
-				user_id: row.user_id,
-				scopes: JSON.stringify(scopes),
-				client_type: "mcp",
-				expires_at: accessExpires,
-				refresh_token_hash: refreshToken.hash,
-				client_id: row.client_id,
-			})
-			.execute();
-
-		// Store refresh token
-		await db
-			.insertInto("_emdash_oauth_tokens")
-			.values({
-				token_hash: refreshToken.hash,
-				token_type: "refresh",
-				user_id: row.user_id,
-				scopes: JSON.stringify(scopes),
-				client_type: "mcp",
-				expires_at: refreshExpires,
-				refresh_token_hash: null,
-				client_id: row.client_id,
-			})
-			.execute();
+		// Atomically store both tokens in a transaction
+		await withTransaction(db, async (trx) => {
+			await trx
+				.insertInto("_emdash_oauth_tokens")
+				.values({
+					token_hash: accessToken.hash,
+					token_type: "access",
+					user_id: row.user_id,
+					scopes: JSON.stringify(scopes),
+					client_type: "mcp",
+					expires_at: accessExpires,
+					refresh_token_hash: refreshToken.hash,
+					client_id: row.client_id,
+				})
+				.execute();
+
+			await trx
+				.insertInto("_emdash_oauth_tokens")
+				.values({
+					token_hash: refreshToken.hash,
+					token_type: "refresh",
+					user_id: row.user_id,
+					scopes: JSON.stringify(scopes),
+					client_type: "mcp",
+					expires_at: refreshExpires,
+					refresh_token_hash: null,
+					client_id: row.client_id,
+				})
+				.execute();
+		});
 
 		return {
 			success: true,

package/src/api/handlers/redirects.ts

@@ -11,6 +11,7 @@ import {
 	type NotFoundEntry,
 	type NotFoundSummary,
 } from "../../database/repositories/redirect.js";
+import { InvalidCursorError } from "../../database/repositories/types.js";
 import type { FindManyResult } from "../../database/repositories/types.js";
 import type { Database } from "../../database/types.js";
 import { wouldCreateLoop, detectLoops, type RedirectEdge } from "../../redirects/loops.js";
@@ -48,7 +49,13 @@ export async function handleRedirectList(
 				...(loopRedirectIds.length > 0 ? { loopRedirectIds } : {}),
 			},
 		};
-	} catch {
+	} catch (error) {
+		if (error instanceof InvalidCursorError) {
+			return {
+				success: false,
+				error: { code: "INVALID_CURSOR", message: error.message },
+			};
+		}
 		return {
 			success: false,
 			error: { code: "REDIRECT_LIST_ERROR", message: "Failed to fetch redirects" },
@@ -318,7 +325,7 @@ export async function handleRedirectDelete(
 function loopError(loopPath: string[]): ApiResult<never> {
 	const hops = loopPath
 		.slice(0, -1)
-		.map((p, i) => `${p} \u2192 ${loopPath[i + 1]!}`)
+		.map((p, i) => `${p} \u2192 ${loopPath[i + 1]}`)
 		.join("\n");
 	return {
 		success: false,
@@ -387,7 +394,13 @@ export async function handleNotFoundList(
 		const repo = new RedirectRepository(db);
 		const result = await repo.find404s(params);
 		return { success: true, data: result };
-	} catch {
+	} catch (error) {
+		if (error instanceof InvalidCursorError) {
+			return {
+				success: false,
+				error: { code: "INVALID_CURSOR", message: error.message },
+			};
+		}
 		return {
 			success: false,
 			error: { code: "NOT_FOUND_LIST_ERROR", message: "Failed to fetch 404 log" },

package/src/api/handlers/revision.ts

@@ -6,6 +6,7 @@ import type { Kysely } from "kysely";
 
 import { ContentRepository } from "../../database/repositories/content.js";
 import { RevisionRepository, type Revision } from "../../database/repositories/revision.js";
+import { withTransaction } from "../../database/transaction.js";
 import type { Database } from "../../database/types.js";
 import type { ApiResult, ContentResponse } from "../types.js";
 
@@ -95,7 +96,6 @@ export async function handleRevisionRestore(
 ): Promise<ApiResult<ContentResponse>> {
 	try {
 		const revisionRepo = new RevisionRepository(db);
-		const contentRepo = new ContentRepository(db);
 
 		// Get the revision
 		const revision = await revisionRepo.findById(revisionId);
@@ -112,22 +112,31 @@ export async function handleRevisionRestore(
 		// Extract _slug from revision data (stored as metadata, not a real column)
 		const { _slug, ...fieldData } = revision.data;
 
-		// Update the content with the revision's data
-		const item = await contentRepo.update(revision.collection, revision.entryId, {
-			data: fieldData,
-			slug: typeof _slug === "string" ? _slug : undefined,
-		});
-
-		// Create a new revision to record the restore, attributed to the caller
-		await revisionRepo.create({
-			collection: revision.collection,
-			entryId: revision.entryId,
-			data: revision.data,
-			authorId: callerUserId,
+		// Atomically update content and create a new revision to record the restore.
+		// If either operation fails, neither is committed (on engines that support
+		// transactions; on D1, withTransaction falls back to sequential execution).
+		const item = await withTransaction(db, async (trx) => {
+			const trxContentRepo = new ContentRepository(trx);
+			const trxRevisionRepo = new RevisionRepository(trx);
+
+			const updated = await trxContentRepo.update(revision.collection, revision.entryId, {
+				data: fieldData,
+				slug: typeof _slug === "string" ? _slug : undefined,
+			});
+
+			await trxRevisionRepo.create({
+				collection: revision.collection,
+				entryId: revision.entryId,
+				data: revision.data,
+				authorId: callerUserId,
+			});
+
+			return updated;
 		});
 
 		// Fire-and-forget: prune old revisions to prevent unbounded growth
-		void revisionRepo.pruneOldRevisions(revision.collection, revision.entryId, 50).catch(() => {});
+		const pruneRepo = new RevisionRepository(db);
+		void pruneRepo.pruneOldRevisions(revision.collection, revision.entryId, 50).catch(() => {});
 
 		return {
 			success: true,

package/src/api/handlers/sections.ts

@@ -5,6 +5,7 @@
 import type { Kysely } from "kysely";
 import { ulid } from "ulidx";
 
+import { InvalidCursorError } from "../../database/repositories/types.js";
 import type { FindManyResult } from "../../database/repositories/types.js";
 import type { Database } from "../../database/types.js";
 import {
@@ -36,7 +37,13 @@ export async function handleSectionList(
 		});
 
 		return { success: true, data: result };
-	} catch {
+	} catch (error) {
+		if (error instanceof InvalidCursorError) {
+			return {
+				success: false,
+				error: { code: "INVALID_CURSOR", message: error.message },
+			};
+		}
 		return {
 			success: false,
 			error: { code: "SECTION_LIST_ERROR", message: "Failed to fetch sections" },