emdash 0.7.0 → 0.9.0

package/src/astro/middleware/request-context.ts

@@ -12,6 +12,8 @@
 
 import { defineMiddleware } from "astro:middleware";
 
+import { resolveSecretsCached } from "#config/secrets.js";
+
 import { verifyPreviewToken, parseContentId } from "../../preview/tokens.js";
 import { getRequestContext, runWithContext } from "../../request-context.js";
 import { renderToolbar } from "../../visual-editing/toolbar.js";
@@ -79,17 +81,25 @@ export const onRequest = defineMiddleware(async (context, next) => {
 	// eslint-disable-next-line typescript-eslint(no-unsafe-type-assertion) -- Astro context includes currentLocale when i18n is configured
 	const locale = (context as { currentLocale?: string }).currentLocale;
 
-	// Verify preview token if present
+	// Verify preview token if present.
+	// The preview secret is resolved via `resolveSecretsCached`: env wins,
+	// otherwise a DB-stored value is read (or generated on first need).
+	// `emdash.db` is set by the runtime middleware which runs first; the
+	// only path where it's missing is a runtime-init failure.
 	let preview: { collection: string; id: string } | undefined;
 	if (hasPreviewToken) {
-		const secret = import.meta.env.EMDASH_PREVIEW_SECRET || import.meta.env.PREVIEW_SECRET || "";
-
-		if (secret) {
-			const result = await verifyPreviewToken({ url, secret });
+		const db = context.locals.emdash?.db;
+		if (db) {
+			const { previewSecret } = await resolveSecretsCached(db);
+			const result = await verifyPreviewToken({ url, secret: previewSecret });
 			if (result.valid) {
 				const { collection, id } = parseContentId(result.payload.cid);
 				preview = { collection, id };
 			}
+		} else {
+			console.warn(
+				"[emdash] Preview token present but EmDash runtime not initialized; preview disabled.",
+			);
 		}
 	}
 

package/src/astro/middleware.ts

@@ -43,8 +43,10 @@ import {
 } from "../emdash-runtime.js";
 import { setI18nConfig } from "../i18n/config.js";
 import type { Database, Storage } from "../index.js";
+import { createPublicMediaUrlResolver } from "../media/url.js";
 import type { SandboxRunner } from "../plugins/sandbox/types.js";
 import type { ResolvedPlugin } from "../plugins/types.js";
+import { invalidateUrlPatternCache } from "../query.js";
 import { getRequestContext, runWithContext } from "../request-context.js";
 import type { EmDashConfig } from "./integration/runtime.js";
 import type { EmDashHandlers } from "./types.js";
@@ -232,6 +234,20 @@ export const onRequest = defineMiddleware(async (context, next) => {
 	const { request, locals, cookies } = context;
 	const url = context.url;
 
+	// Fast path: routes outside /_emdash/ that plugins inject (e.g.,
+	// /.well-known/atproto-client-metadata.json) skip the entire runtime
+	// init + middleware chain. External servers fetch these with tight
+	// timeouts (~1-2s) so they must respond quickly even on cold starts.
+	if (!url.pathname.startsWith("/_emdash") && virtualConfig?.authProviders) {
+		const isPluginFastRoute = virtualConfig.authProviders.some(
+			(p: { routes?: { pattern?: string }[] }) =>
+				p.routes?.some((r: { pattern?: string }) => r.pattern && url.pathname === r.pattern),
+		);
+		if (isPluginFastRoute) {
+			return finalizeResponse(await next());
+		}
+	}
+
 	const queryRecorder = isInstrumentationEnabled()
 		? createRecorder(url.pathname, request.method, request.headers.get("x-perf-phase") ?? "default")
 		: undefined;
@@ -256,8 +272,15 @@ export const onRequest = defineMiddleware(async (context, next) => {
 		// Read the Astro session user once up-front. Both the anonymous fast path
 		// and the full doInit path need this, and the session store is network-backed
 		// (KV / Durable Object) so we want to avoid re-fetching on the hot path.
-		// Skipped entirely for prerendered requests — they have no session.
-		const sessionUser = context.isPrerendered ? null : await context.session?.get("user");
+		// Skipped entirely for:
+		//   - prerendered requests (no session at build time)
+		//   - requests without an `astro-session` cookie (no session to look up)
+		// The cookie check matters on Cloudflare Workers, where Astro's session
+		// backend is KV: calling session.get() on every anonymous public request
+		// turns normal traffic into a flood of KV read misses. See #733.
+		const hasSessionCookie = cookies.get("astro-session") !== undefined;
+		const sessionUser =
+			context.isPrerendered || !hasSessionCookie ? null : await context.session?.get("user");
 
 		if (!isEmDashRoute && !isPublicRuntimeRoute && !hasEditCookie && !hasPreviewToken) {
 			if (!sessionUser && !playgroundDb) {
@@ -301,10 +324,11 @@ export const onRequest = defineMiddleware(async (context, next) => {
 					try {
 						const runtime = await getRuntime(config, initSubTimings);
 						setupVerified = true;
-						// eslint-disable-next-line typescript-eslint(no-unsafe-type-assertion) -- partial object; getPageRuntime() only checks for these two methods
+						// eslint-disable-next-line typescript-eslint(no-unsafe-type-assertion) -- partial object; getPageRuntime() only checks for the page-contribution methods
 						locals.emdash = {
 							collectPageMetadata: runtime.collectPageMetadata.bind(runtime),
 							collectPageFragments: runtime.collectPageFragments.bind(runtime),
+							getPublicMediaUrl: createPublicMediaUrlResolver(runtime.storage),
 						} as EmDashHandlers;
 					} catch {
 						// Non-fatal — EmDashHead will fall back to base SEO contributions
@@ -378,13 +402,13 @@ export const onRequest = defineMiddleware(async (context, next) => {
 				// Runtime init runs migrations, so the DB is guaranteed set up
 				setupVerified = true;
 
-				// Get manifest (cached after first call)
-				t0 = performance.now();
-				const manifest = await runtime.getManifest();
-				timings.push({ name: "manifest", dur: performance.now() - t0, desc: "Manifest" });
+				// The manifest is no longer pre-loaded here. It's admin-only
+				// content that public/anonymous requests never read, and
+				// loading it on every request put logged-out hot paths on
+				// the same staleness budget as admin operations. Admin
+				// routes call `emdash.getManifest()` directly.
 
 				// Attach to locals for route handlers
-				locals.emdashManifest = manifest;
 				locals.emdash = {
 					// Content handlers
 					handleContentList: runtime.handleContentList.bind(runtime),
@@ -445,6 +469,7 @@ export const onRequest = defineMiddleware(async (context, next) => {
 					// Direct access (for advanced use cases)
 					storage: runtime.storage,
 					db: runtime.db,
+					getPublicMediaUrl: createPublicMediaUrlResolver(runtime.storage),
 					hooks: runtime.hooks,
 					email: runtime.email,
 					configuredPlugins: runtime.configuredPlugins,
@@ -452,8 +477,14 @@ export const onRequest = defineMiddleware(async (context, next) => {
 					// Configuration (for checking database type, auth mode, etc.)
 					config,
 
-					// Manifest invalidation (call after schema changes)
-					invalidateManifest: runtime.invalidateManifest.bind(runtime),
+					// Lazy manifest accessor — admin-only consumers call this on
+					// demand. `requestCached` inside `getManifest` dedupes within
+					// a single request.
+					getManifest: runtime.getManifest.bind(runtime),
+
+					// Clear the URL pattern cache after schema mutations that
+					// affect collection URL patterns.
+					invalidateUrlPatternCache,
 
 					// Sandbox runner (for marketplace plugin install/update)
 					getSandboxRunner: runtime.getSandboxRunner.bind(runtime),

package/src/astro/routes/PluginRegistry.tsx

@@ -10,6 +10,8 @@ import { AdminApp } from "@emdash-cms/admin";
 import type { Messages } from "@lingui/core";
 // @ts-ignore - virtual module generated by integration
 import { pluginAdmins } from "virtual:emdash/admin-registry";
+// @ts-ignore - virtual module generated by integration
+import { authProviders } from "virtual:emdash/auth-providers";
 
 interface AdminWrapperProps {
 	locale: string;
@@ -17,5 +19,12 @@ interface AdminWrapperProps {
 }
 
 export default function AdminWrapper({ locale, messages }: AdminWrapperProps) {
-	return <AdminApp pluginAdmins={pluginAdmins} locale={locale} messages={messages} />;
+	return (
+		<AdminApp
+			pluginAdmins={pluginAdmins}
+			authProviders={authProviders}
+			locale={locale}
+			messages={messages}
+		/>
+	);
 }

package/src/astro/routes/api/auth/invite/complete.ts

@@ -17,6 +17,7 @@ import { apiError, apiSuccess, handleError } from "#api/error.js";
 import { isParseError, parseBody } from "#api/parse.js";
 import { getPublicOrigin } from "#api/public-url.js";
 import { inviteCompleteBody } from "#api/schemas.js";
+import { getConfiguredAllowedOrigins, validateAllowedOrigins } from "#auth/allowed-origins.js";
 import { createChallengeStore } from "#auth/challenge-store.js";
 import { getPasskeyConfig } from "#auth/passkey-config.js";
 import { OptionsRepository } from "#db/repositories/options.js";
@@ -39,7 +40,11 @@ export const POST: APIRoute = async ({ request, locals, session }) => {
 		const options = new OptionsRepository(emdash.db);
 		const siteName = (await options.get<string>("emdash:site_title")) ?? undefined;
 		const siteUrl = getPublicOrigin(url, emdash?.config);
-		const passkeyConfig = getPasskeyConfig(url, siteName, siteUrl);
+		const allowedOrigins = validateAllowedOrigins(
+			siteUrl,
+			getConfiguredAllowedOrigins(emdash?.config),
+		);
+		const passkeyConfig = getPasskeyConfig(url, siteName, siteUrl, allowedOrigins);
 
 		// Verify the passkey registration response
 		const challengeStore = createChallengeStore(emdash.db);

package/src/astro/routes/api/auth/mode.ts

@@ -0,0 +1,57 @@
+/**
+ * GET /_emdash/api/auth/mode
+ *
+ * Public endpoint that returns the active authentication mode.
+ * Used by the login page to determine which login UI to render.
+ *
+ * Unlike the full manifest endpoint, this is intentionally public
+ * and returns only the auth mode — no collection schemas, plugin
+ * info, or other internal details.
+ */
+
+import type { APIRoute } from "astro";
+
+import { getAuthMode } from "#auth/mode.js";
+
+export const prerender = false;
+
+export const GET: APIRoute = async ({ locals }) => {
+	const { emdash } = locals;
+
+	const authMode = getAuthMode(emdash?.config);
+
+	// Only check signup for passkey auth (external providers handle their own)
+	let signupEnabled = false;
+	if (emdash?.db && authMode.type === "passkey") {
+		try {
+			const { sql } = await import("kysely");
+			const result = await sql<{ cnt: unknown }>`
+				SELECT COUNT(*) as cnt FROM allowed_domains WHERE enabled = 1
+			`.execute(emdash.db);
+			signupEnabled = Number(result.rows[0]?.cnt ?? 0) > 0;
+		} catch {
+			// Table may not exist yet
+		}
+	}
+
+	// Collect pluggable auth providers (from authProviders config)
+	const providers = (emdash?.config?.authProviders ?? []).map((p) => ({
+		id: p.id,
+		label: p.label,
+	}));
+
+	return Response.json(
+		{
+			data: {
+				authMode: authMode.type === "external" ? authMode.providerType : "passkey",
+				signupEnabled,
+				providers,
+			},
+		},
+		{
+			headers: {
+				"Cache-Control": "private, no-store",
+			},
+		},
+	);
+};

package/src/astro/routes/api/auth/oauth/[provider]/callback.ts

@@ -18,7 +18,9 @@ import {
 import { createKyselyAdapter } from "@emdash-cms/auth/adapters/kysely";
 
 import { getPublicOrigin } from "#api/public-url.js";
+import { finalizeSetup } from "#api/setup-complete.js";
 import { createOAuthStateStore } from "#auth/oauth-state-store.js";
+import { OptionsRepository } from "#db/repositories/options.js";
 
 type ProviderName = "github" | "google";
 
@@ -126,10 +128,22 @@ export const GET: APIRoute = async ({ params, request, locals, session, redirect
 			);
 		}
 
+		const adapter = createKyselyAdapter(emdash.db);
+		const stateStore = createOAuthStateStore(emdash.db);
+
 		const config: OAuthConsumerConfig = {
 			baseUrl: `${getPublicOrigin(url, emdash?.config)}/_emdash`,
 			providers,
 			canSelfSignup: async (email: string) => {
+				// During setup: first user becomes admin.
+				// Check setup_complete flag instead of countUsers() to avoid
+				// a TOCTOU race where concurrent callbacks both see 0 users.
+				const options = new OptionsRepository(emdash.db);
+				const setupComplete = await options.get("emdash:setup_complete");
+				if (setupComplete !== true && setupComplete !== "true") {
+					return { allowed: true, role: Role.ADMIN };
+				}
+
 				// Extract domain from email
 				const domain = email.split("@")[1]?.toLowerCase();
 				if (!domain) {
@@ -168,10 +182,16 @@ export const GET: APIRoute = async ({ params, request, locals, session, redirect
 			},
 		};
 
-		const adapter = createKyselyAdapter(emdash.db);
-		const stateStore = createOAuthStateStore(emdash.db);
-
+		const options = new OptionsRepository(emdash.db);
+		const setupCompleteBefore = await options.get("emdash:setup_complete");
 		const user = await handleOAuthCallback(config, adapter, provider, code, state, stateStore);
+		const isFirstUser = setupCompleteBefore !== true && setupCompleteBefore !== "true";
+
+		// Finalize setup outside the transaction (idempotent, safe if two callbacks race).
+		if (isFirstUser) {
+			await finalizeSetup(emdash.db);
+			console.log(`[oauth] Setup complete: created admin user via ${provider} (${user.email})`);
+		}
 
 		// Create session
 		if (session) {

package/src/astro/routes/api/auth/oauth/[provider].ts

@@ -71,16 +71,22 @@ export const GET: APIRoute = async ({ params, request, locals, redirect }) => {
 	const { emdash } = locals;
 	const provider = params.provider;
 
+	// Determine where to redirect errors (setup wizard or login page)
+	const referer = request.headers.get("referer") ?? "";
+	const errorRedirectBase = referer.includes("/setup")
+		? "/_emdash/admin/setup"
+		: "/_emdash/admin/login";
+
 	// Validate provider
 	if (!provider || !isValidProvider(provider)) {
 		return redirect(
-			`/_emdash/admin/login?error=invalid_provider&message=${encodeURIComponent("Invalid OAuth provider")}`,
+			`${errorRedirectBase}?error=invalid_provider&message=${encodeURIComponent("Invalid OAuth provider")}`,
 		);
 	}
 
 	if (!emdash?.db) {
 		return redirect(
-			`/_emdash/admin/login?error=server_error&message=${encodeURIComponent("Database not configured")}`,
+			`${errorRedirectBase}?error=server_error&message=${encodeURIComponent("Database not configured")}`,
 		);
 	}
 
@@ -97,7 +103,7 @@ export const GET: APIRoute = async ({ params, request, locals, redirect }) => {
 
 		if (!providers[provider]) {
 			return redirect(
-				`/_emdash/admin/login?error=provider_not_configured&message=${encodeURIComponent(`OAuth provider ${provider} is not configured`)}`,
+				`${errorRedirectBase}?error=provider_not_configured&message=${encodeURIComponent(`OAuth provider ${provider} is not configured. Set either EMDASH_OAUTH_${provider.toUpperCase()}_CLIENT_ID and EMDASH_OAUTH_${provider.toUpperCase()}_CLIENT_SECRET, or ${provider.toUpperCase()}_CLIENT_ID and ${provider.toUpperCase()}_CLIENT_SECRET.`)}`,
 			);
 		}
 
@@ -114,7 +120,7 @@ export const GET: APIRoute = async ({ params, request, locals, redirect }) => {
 	} catch (error) {
 		console.error("OAuth initiation error:", error);
 		return redirect(
-			`/_emdash/admin/login?error=oauth_error&message=${encodeURIComponent("Failed to start OAuth flow. Please try again.")}`,
+			`${errorRedirectBase}?error=oauth_error&message=${encodeURIComponent("Failed to start OAuth flow. Please try again.")}`,
 		);
 	}
 };

package/src/astro/routes/api/auth/passkey/register/verify.ts

@@ -15,6 +15,7 @@ import { apiError, apiSuccess } from "#api/error.js";
 import { isParseError, parseBody } from "#api/parse.js";
 import { getPublicOrigin } from "#api/public-url.js";
 import { passkeyRegisterVerifyBody } from "#api/schemas.js";
+import { getConfiguredAllowedOrigins, validateAllowedOrigins } from "#auth/allowed-origins.js";
 import { createChallengeStore } from "#auth/challenge-store.js";
 import { getPasskeyConfig } from "#auth/passkey-config.js";
 import { OptionsRepository } from "#db/repositories/options.js";
@@ -60,7 +61,11 @@ export const POST: APIRoute = async ({ request, locals }) => {
 		const optionsRepo = new OptionsRepository(emdash.db);
 		const siteName = (await optionsRepo.get<string>("emdash:site_title")) ?? undefined;
 		const siteUrl = getPublicOrigin(url, emdash?.config);
-		const passkeyConfig = getPasskeyConfig(url, siteName, siteUrl);
+		const allowedOrigins = validateAllowedOrigins(
+			siteUrl,
+			getConfiguredAllowedOrigins(emdash?.config),
+		);
+		const passkeyConfig = getPasskeyConfig(url, siteName, siteUrl, allowedOrigins);
 
 		// Verify the registration response
 		const challengeStore = createChallengeStore(emdash.db);

package/src/astro/routes/api/auth/passkey/verify.ts

@@ -15,6 +15,7 @@ import { apiError, apiSuccess, handleError } from "#api/error.js";
 import { isParseError, parseBody } from "#api/parse.js";
 import { getPublicOrigin } from "#api/public-url.js";
 import { passkeyVerifyBody } from "#api/schemas.js";
+import { getConfiguredAllowedOrigins, validateAllowedOrigins } from "#auth/allowed-origins.js";
 import { createChallengeStore } from "#auth/challenge-store.js";
 import { getPasskeyConfig } from "#auth/passkey-config.js";
 import { OptionsRepository } from "#db/repositories/options.js";
@@ -35,7 +36,11 @@ export const POST: APIRoute = async ({ request, locals, session }) => {
 		const options = new OptionsRepository(emdash.db);
 		const siteName = (await options.get<string>("emdash:site_title")) ?? undefined;
 		const siteUrl = getPublicOrigin(url, emdash?.config);
-		const passkeyConfig = getPasskeyConfig(url, siteName, siteUrl);
+		const allowedOrigins = validateAllowedOrigins(
+			siteUrl,
+			getConfiguredAllowedOrigins(emdash?.config),
+		);
+		const passkeyConfig = getPasskeyConfig(url, siteName, siteUrl, allowedOrigins);
 
 		// Authenticate with passkey
 		const adapter = createKyselyAdapter(emdash.db);

package/src/astro/routes/api/auth/signup/complete.ts

@@ -17,6 +17,7 @@ import { apiError, apiSuccess, handleError } from "#api/error.js";
 import { isParseError, parseBody } from "#api/parse.js";
 import { getPublicOrigin } from "#api/public-url.js";
 import { signupCompleteBody } from "#api/schemas.js";
+import { getConfiguredAllowedOrigins, validateAllowedOrigins } from "#auth/allowed-origins.js";
 import { createChallengeStore } from "#auth/challenge-store.js";
 import { getPasskeyConfig } from "#auth/passkey-config.js";
 import { OptionsRepository } from "#db/repositories/options.js";
@@ -39,7 +40,11 @@ export const POST: APIRoute = async ({ request, locals, session }) => {
 		const options = new OptionsRepository(emdash.db);
 		const siteName = (await options.get<string>("emdash:site_title")) ?? undefined;
 		const siteUrl = getPublicOrigin(url, emdash?.config);
-		const passkeyConfig = getPasskeyConfig(url, siteName, siteUrl);
+		const allowedOrigins = validateAllowedOrigins(
+			siteUrl,
+			getConfiguredAllowedOrigins(emdash?.config),
+		);
+		const passkeyConfig = getPasskeyConfig(url, siteName, siteUrl, allowedOrigins);
 
 		// Verify the passkey registration response
 		const challengeStore = createChallengeStore(emdash.db);

package/src/astro/routes/api/comments/[collection]/[contentId]/index.ts

@@ -14,6 +14,7 @@ import { createCommentBody } from "#api/schemas.js";
 import { getSiteBaseUrl } from "#api/site-url.js";
 import { sendCommentNotification } from "#comments/notifications.js";
 import { createComment, type CommentHookRunner } from "#comments/service.js";
+import { resolveSecretsCached } from "#config/secrets.js";
 import { CommentRepository } from "#db/repositories/comment.js";
 import { validateIdentifier } from "#db/validate.js";
 import { extractRequestMeta } from "#plugins/request-meta.js";
@@ -140,8 +141,7 @@ export const POST: APIRoute = async ({ params, request, locals }) => {
 
 		// Anti-spam: Rate limiting
 		const meta = extractRequestMeta(request, emdash.config);
-		const ipSalt =
-			import.meta.env.EMDASH_AUTH_SECRET || import.meta.env.AUTH_SECRET || "emdash-ip-salt";
+		const { ipSalt } = await resolveSecretsCached(emdash.db);
 		let ipHash: string;
 		if (meta.ip) {
 			ipHash = await hashIp(meta.ip, ipSalt);

package/src/astro/routes/api/content/[collection]/[id]/discard-draft.ts

@@ -44,11 +44,13 @@ export const POST: APIRoute = async ({ params, locals, cache }) => {
 	const denied = requireOwnerPerm(user, authorId, "content:edit_own", "content:edit_any");
 	if (denied) return denied;
 
-	const result = await emdash.handleContentDiscardDraft(collection, id);
+	const resolvedId = typeof existingItem?.id === "string" ? existingItem.id : id;
+
+	const result = await emdash.handleContentDiscardDraft(collection, resolvedId);
 
 	if (!result.success) return unwrapResult(result);
 
-	if (cache.enabled) await cache.invalidate({ tags: [collection, id] });
+	if (cache.enabled) await cache.invalidate({ tags: [collection, resolvedId] });
 
 	return unwrapResult(result);
 };

package/src/astro/routes/api/content/[collection]/[id]/preview-url.ts

@@ -6,7 +6,7 @@
  * Request body:
  * {
  *   expiresIn?: string | number;  // Default: "1h"
- *   pathPattern?: string;         // Default: "/{collection}/{id}"
+ *   pathPattern?: string;         // Default: "/{collection}/{id}" (or EMDASH_PREVIEW_PATH_PATTERN)
  * }
  *
  * Response:
@@ -22,8 +22,11 @@ import { requirePerm } from "#api/authorize.js";
 import { apiError, apiSuccess, handleError, unwrapResult } from "#api/error.js";
 import { parseOptionalBody, isParseError } from "#api/parse.js";
 import { contentPreviewUrlBody } from "#api/schemas.js";
+import { resolveSecretsCached } from "#config/secrets.js";
 import { getPreviewUrl } from "#preview/index.js";
 
+import { getI18nConfig } from "../../../../../../i18n/config.js";
+
 export const prerender = false;
 
 const DURATION_PATTERN = /^(\d+)([smhdw])$/;
@@ -35,21 +38,23 @@ export const POST: APIRoute = async ({ params, request, locals }) => {
 	const collection = params.collection!;
 	const id = params.id!;
 
-	// Get the preview secret from environment
-	const previewSecret = import.meta.env.EMDASH_PREVIEW_SECRET || import.meta.env.PREVIEW_SECRET;
-
-	if (!previewSecret) {
-		return apiError(
-			"NOT_CONFIGURED",
-			"Preview not configured. Set EMDASH_PREVIEW_SECRET environment variable.",
-			500,
-		);
+	if (!emdash?.db) {
+		return apiError("NOT_CONFIGURED", "EmDash is not initialized", 500);
 	}
 
-	// Verify the content exists (optional, but good for UX)
+	// Resolve the preview secret. Env override wins; otherwise a stable
+	// site-specific value is read from (or generated into) the options table.
+	// The resolver always returns a usable secret, so this path can no
+	// longer be silently disabled by a missing env var.
+	const { previewSecret } = await resolveSecretsCached(emdash.db);
+
+	// Verify the content exists. The fetched item also yields the entry's
+	// locale, used below to resolve the `{locale}` placeholder.
+	let entryLocale: string | null = null;
 	if (emdash?.handleContentGet) {
 		const result = await emdash.handleContentGet(collection, id);
 		if (!result.success) return unwrapResult(result);
+		entryLocale = result.data?.item?.locale ?? null;
 	}
 
 	// Parse request body
@@ -57,7 +62,23 @@ export const POST: APIRoute = async ({ params, request, locals }) => {
 	if (isParseError(body)) return body;
 
 	const expiresIn = body.expiresIn || "1h";
-	const pathPattern = body.pathPattern;
+	// Allow a project-wide default `pathPattern` so the admin's "View on site"
+	// link can match the site's actual route shape without each call having
+	// to override the default `/{collection}/{id}`.
+	const defaultPathPattern = import.meta.env.EMDASH_PREVIEW_PATH_PATTERN || "/{collection}/{id}";
+	const pathPattern = body.pathPattern || defaultPathPattern;
+
+	// Resolve the locale segment substituted for `{locale}`: empty when the
+	// entry is in the default locale and `prefixDefaultLocale` is `false`,
+	// the entry's own locale otherwise.
+	const i18n = getI18nConfig();
+	let localeSegment = "";
+	if (entryLocale && i18n) {
+		const isDefault = entryLocale === i18n.defaultLocale;
+		localeSegment = isDefault && !i18n.prefixDefaultLocale ? "" : entryLocale;
+	} else if (entryLocale) {
+		localeSegment = entryLocale;
+	}
 
 	// Calculate expiry timestamp
 	const expiresInSeconds = typeof expiresIn === "number" ? expiresIn : parseExpiresIn(expiresIn);
@@ -70,6 +91,7 @@ export const POST: APIRoute = async ({ params, request, locals }) => {
 			secret: previewSecret,
 			expiresIn,
 			pathPattern,
+			locale: localeSegment,
 		});
 
 		return apiSuccess({ url, expiresAt });

package/src/astro/routes/api/content/[collection]/[id]/publish.ts

@@ -2,16 +2,25 @@
  * Publish content - promotes draft to live
  *
  * POST /_emdash/api/content/{collection}/{id}/publish
+ *
+ * Optional JSON body: { publishedAt?: string }
+ *   publishedAt — ISO 8601 datetime to backdate the publish (e.g. when
+ *   migrating content). Writing publishedAt requires content:publish_any.
+ *   Without it, the existing published_at is preserved on re-publish and
+ *   falls back to the current time on first publish.
  */
 
+import { hasPermission } from "@emdash-cms/auth";
 import type { APIRoute } from "astro";
 
 import { requireOwnerPerm } from "#api/authorize.js";
 import { apiError, mapErrorStatus, unwrapResult } from "#api/error.js";
+import { isParseError, parseOptionalBody } from "#api/parse.js";
+import { contentPublishBody } from "#api/schemas.js";
 
 export const prerender = false;
 
-export const POST: APIRoute = async ({ params, locals, cache }) => {
+export const POST: APIRoute = async ({ params, request, locals, cache }) => {
 	const { emdash, user } = locals;
 	const collection = params.collection!;
 	const id = params.id!;
@@ -20,6 +29,11 @@ export const POST: APIRoute = async ({ params, locals, cache }) => {
 		return apiError("NOT_CONFIGURED", "EmDash is not initialized", 500);
 	}
 
+	// Body is optional — empty body means use the legacy behavior (preserve
+	// or default published_at). Pass `publishedAt` to backdate.
+	const body = await parseOptionalBody(request, contentPublishBody, {});
+	if (isParseError(body)) return body;
+
 	// Fetch item to check ownership
 	const existing = await emdash.handleContentGet(collection, id);
 	if (!existing.success) {
@@ -44,9 +58,25 @@ export const POST: APIRoute = async ({ params, locals, cache }) => {
 	const denied = requireOwnerPerm(user, authorId, "content:publish_own", "content:publish_any");
 	if (denied) return denied;
 
+	// Schema narrows `publishedAt` to `string | undefined`; null is rejected
+	// at the schema layer (publish has no semantic meaning for "clear").
+	const publishedAt = body?.publishedAt;
+
+	// Backdating overwrites historical record — gate behind publish_any
+	// regardless of ownership.
+	if (publishedAt !== undefined && !hasPermission(user, "content:publish_any")) {
+		return apiError(
+			"FORBIDDEN",
+			"Setting publishedAt requires content:publish_any permission",
+			403,
+		);
+	}
+
 	const resolvedId = typeof existingItem?.id === "string" ? existingItem.id : id;
 
-	const result = await emdash.handleContentPublish(collection, resolvedId);
+	const result = await emdash.handleContentPublish(collection, resolvedId, {
+		publishedAt,
+	});
 
 	if (!result.success) return unwrapResult(result);
 

package/src/astro/routes/api/content/[collection]/[id]/restore.ts

@@ -44,11 +44,13 @@ export const POST: APIRoute = async ({ params, locals, cache }) => {
 	const denied = requireOwnerPerm(user, authorId, "content:edit_own", "content:edit_any");
 	if (denied) return denied;
 
-	const result = await emdash.handleContentRestore(collection, id);
+	const resolvedId = typeof existingItem?.id === "string" ? existingItem.id : id;
+
+	const result = await emdash.handleContentRestore(collection, resolvedId);
 
 	if (!result.success) return unwrapResult(result);
 
-	if (cache.enabled) await cache.invalidate({ tags: [collection, id] });
+	if (cache.enabled) await cache.invalidate({ tags: [collection, resolvedId] });
 
 	return unwrapResult(result);
 };

package/src/astro/routes/api/content/[collection]/[id]/revisions.ts

@@ -22,9 +22,10 @@ export const GET: APIRoute = async ({ params, url, locals }) => {
 		return apiError("NOT_CONFIGURED", "EmDash is not initialized", 500);
 	}
 
-	const limit = url.searchParams.get("limit");
+	const limitParam = url.searchParams.get("limit");
+	const parsedLimit = limitParam ? parseInt(limitParam, 10) : undefined;
 	const result = await emdash.handleRevisionList(collection, id, {
-		limit: limit ? parseInt(limit, 10) : undefined,
+		limit: parsedLimit ? Math.max(1, Math.min(parsedLimit, 100)) : undefined,
 	});
 
 	return unwrapResult(result);