emdash 0.7.0 → 0.9.0

package/src/astro/routes/api/content/[collection]/[id]/terms/[taxonomy].ts

@@ -98,6 +98,10 @@ export const POST: APIRoute = async ({ params, request, locals }) => {
 	const editDenied = requireOwnerPerm(user, authorId, "content:edit_own", "content:edit_any");
 	if (editDenied) return editDenied;
 
+	// Resolve the canonical content ID from the handler result.
+	// The URL `id` param may be a slug; we must use the real ID for term storage.
+	const canonicalId = typeof existingItem?.id === "string" ? existingItem.id : id;
+
 	try {
 		const body = await parseBody(request, contentTermsBody);
 		if (isParseError(body)) return body;
@@ -120,15 +124,15 @@ export const POST: APIRoute = async ({ params, request, locals }) => {
 			}
 		}
 
-		// Set the terms (replaces existing)
-		await repo.setTermsForEntry(collection, id, taxonomy, termIds);
+		// Set the terms (replaces existing) using the canonical ID
+		await repo.setTermsForEntry(collection, canonicalId, taxonomy, termIds);
 
 		// Term assignments changed — invalidate the hasAnyTermAssignments cache
 		// so hydration on subsequent reads issues a fresh query.
 		invalidateTermCache();
 
-		// Get the updated terms
-		const terms = await repo.getTermsForEntry(collection, id, taxonomy);
+		// Get the updated terms using the canonical ID
+		const terms = await repo.getTermsForEntry(collection, canonicalId, taxonomy);
 
 		return apiSuccess({
 			terms: terms.map((t) => ({

package/src/astro/routes/api/content/[collection]/[id]/translations.ts

@@ -6,7 +6,7 @@
  * Returns all locale variants linked to the same translation group.
  */
 
-import { hasPermission, type Permission } from "@emdash-cms/auth";
+import { hasPermission } from "@emdash-cms/auth";
 import type { APIRoute } from "astro";
 
 import { requirePerm } from "#api/authorize.js";

package/src/astro/routes/api/content/[collection]/[id].ts

@@ -47,6 +47,18 @@ export const GET: APIRoute = async ({ params, url, locals }) => {
 		if (status !== "published") {
 			return apiError("NOT_FOUND", `Content item not found: ${id}`, 404);
 		}
+
+		// Strip draft hydration data from response for users without read_drafts.
+		// handleContentGet overlays draft revision data onto item.data and exposes
+		// the published values in item.liveData. Without this, subscribers see
+		// unpublished edits in the data field.
+		if (item) {
+			if (item.liveData && typeof item.liveData === "object") {
+				item.data = item.liveData;
+			}
+			delete item.liveData;
+			delete item.draftRevisionId;
+		}
 	}
 
 	return unwrapResult(result);

package/src/astro/routes/api/content/[collection]/index.ts

@@ -61,15 +61,7 @@ export const POST: APIRoute = async ({ params, request, locals, cache }) => {
 				mapErrorStatus(source.error?.code),
 			);
 		}
-		const sourceData =
-			source.data && typeof source.data === "object"
-				? (source.data as Record<string, unknown>)
-				: undefined;
-		const sourceItem =
-			sourceData?.item && typeof sourceData.item === "object"
-				? (sourceData.item as Record<string, unknown>)
-				: sourceData;
-		const sourceAuthor = typeof sourceItem?.authorId === "string" ? sourceItem.authorId : "";
+		const sourceAuthor = source.data.item.authorId ?? "";
 		const translationDenied = requireOwnerPerm(
 			user,
 			sourceAuthor,

package/src/astro/routes/api/import/wordpress/execute.ts

@@ -60,7 +60,7 @@ export interface ImportResult {
 }
 
 export const POST: APIRoute = async ({ request, locals }) => {
-	const { emdash, emdashManifest, user } = locals;
+	const { emdash, user } = locals;
 
 	const denied = requirePerm(user, "import:execute");
 	if (denied) return denied;
@@ -70,6 +70,8 @@ export const POST: APIRoute = async ({ request, locals }) => {
 	}
 
 	try {
+		const emdashManifest = await emdash.getManifest();
+
 		const formData = await request.formData();
 		const fileEntry = formData.get("file");
 		const file = fileEntry instanceof File ? fileEntry : null;

package/src/astro/routes/api/import/wordpress/media.ts

@@ -92,7 +92,6 @@ export const POST: APIRoute = async ({ request, locals }) => {
 						attachments,
 						emdash.db,
 						emdash.storage,
-						request.url,
 						sendProgress,
 					);
 
@@ -117,7 +116,6 @@ export const POST: APIRoute = async ({ request, locals }) => {
 			attachments,
 			emdash.db,
 			emdash.storage,
-			request.url,
 			() => {}, // No-op progress callback
 		);
 
@@ -131,12 +129,9 @@ async function importMediaWithProgress(
 	attachments: AttachmentInfo[],
 	db: NonNullable<EmDashHandlers["db"]>,
 	storage: NonNullable<EmDashHandlers["storage"]>,
-	requestUrl: string,
 	onProgress: (progress: MediaImportProgress) => void,
 ): Promise<MediaImportResult> {
 	const repo = new MediaRepository(db);
-	const url = new URL(requestUrl);
-	const baseUrl = `${url.protocol}//${url.host}`;
 	const total = attachments.length;
 
 	const result: MediaImportResult = {
@@ -237,7 +232,7 @@ async function importMediaWithProgress(
 			const existing = await repo.findByContentHash(contentHash);
 			if (existing) {
 				// Same content already exists - reuse it
-				const existingUrl = `${baseUrl}/_emdash/api/media/file/${existing.storageKey}`;
+				const existingUrl = `/_emdash/api/media/file/${existing.storageKey}`;
 				result.urlMap[attachment.url] = existingUrl;
 				result.imported.push({
 					wpId: attachment.id,
@@ -290,7 +285,7 @@ async function importMediaWithProgress(
 			});
 
 			// Build the new URL
-			const newUrl = `${baseUrl}/_emdash/api/media/file/${storageKey}`;
+			const newUrl = `/_emdash/api/media/file/${storageKey}`;
 
 			result.imported.push({
 				wpId: attachment.id,

package/src/astro/routes/api/import/wordpress/prepare.ts

@@ -58,6 +58,15 @@ export const POST: APIRoute = async ({ request, locals }) => {
 		// eslint-disable-next-line typescript-eslint(no-unsafe-type-assertion) -- Zod schema output narrowed to PrepareRequest
 		const result = await prepareImport(emdash.db, body as PrepareRequest);
 
+		// Invalidate the URL pattern cache when prepare adds new collections so
+		// public routing picks up their patterns immediately. The manifest
+		// itself is built fresh per admin request, so cross-request
+		// staleness (the original failure mode in #747) is no longer
+		// possible — the execute step always reads live schema.
+		if (result.collectionsCreated.length > 0) {
+			emdash.invalidateUrlPatternCache();
+		}
+
 		return apiSuccess(result, result.success ? 200 : 400);
 	} catch (error) {
 		return handleError(error, "Failed to prepare import", "WXR_PREPARE_ERROR");

package/src/astro/routes/api/import/wordpress-plugin/execute.ts

@@ -36,7 +36,7 @@ export interface WpPluginImportResponse {
 }
 
 export const POST: APIRoute = async ({ request, locals }) => {
-	const { emdash, emdashManifest, user } = locals;
+	const { emdash, user } = locals;
 
 	const denied = requirePerm(user, "import:execute");
 	if (denied) return denied;
@@ -46,6 +46,8 @@ export const POST: APIRoute = async ({ request, locals }) => {
 	}
 
 	try {
+		const emdashManifest = await emdash.getManifest();
+
 		const body = await parseBody(request, wpPluginExecuteBody);
 		if (isParseError(body)) return body;
 

package/src/astro/routes/api/manifest.ts

@@ -9,64 +9,81 @@
 
 import type { APIRoute } from "astro";
 
+import { handleError } from "#api/error.js";
 import { getAuthMode } from "#auth/mode.js";
 
 import { COMMIT, VERSION } from "../../../version.js";
-import { getStoredConfig } from "../../integration/runtime.js";
 import type { EmDashManifest } from "../../types.js";
 
 export const prerender = false;
 
 export const GET: APIRoute = async ({ locals }) => {
-	const { emdashManifest, emdash } = locals;
+	const { emdash } = locals;
 
-	// Determine auth mode from config
-	const authMode = getAuthMode(emdash?.config);
+	try {
+		// Manifest is built fresh from the live database per admin request.
+		// `requestCached` inside `getManifest` dedupes if multiple consumers
+		// share the request. Wrapped in try/catch so any future DB-touching
+		// additions to `getManifest()` (plugin manifest loading, marketplace
+		// lookup, etc.) return the standard error envelope rather than an
+		// unstructured 500 — matches the pattern used by the WP execute
+		// routes.
+		const emdashManifest = emdash ? await emdash.getManifest() : null;
 
-	// Read admin branding from build-time config
-	const storedConfig = getStoredConfig();
-	const adminBranding = storedConfig?.admin;
+		// Determine auth mode from config
+		const authMode = getAuthMode(emdash?.config);
 
-	// Check if self-signup is enabled (any allowed domain with enabled = 1)
-	// Only relevant for passkey auth — external auth providers handle their own signup
-	let signupEnabled = false;
-	if (emdash?.db && authMode.type === "passkey") {
-		try {
-			const { sql } = await import("kysely");
-			const result = await sql<{ cnt: unknown }>`
-				SELECT COUNT(*) as cnt FROM allowed_domains WHERE enabled = 1
-			`.execute(emdash.db);
-			signupEnabled = Number(result.rows[0]?.cnt ?? 0) > 0;
-		} catch {
-			// Table may not exist yet, that's fine
-		}
-	}
+		// Read admin branding from the per-request config plumbed through middleware
+		// (same source admin.astro reads from). Reading from a build-time global
+		// here was unreliable -- the virtual config module exports the config but
+		// doesn't assign it to globalThis, so getStoredConfig() always returned
+		// null and the React SPA never received custom logo/siteName/favicon.
+		// See issue #835.
+		const adminBranding = emdash?.config?.admin;
 
-	const manifest: EmDashManifest = emdashManifest
-		? {
-				...emdashManifest,
-				authMode: authMode.type === "external" ? authMode.providerType : "passkey",
-				signupEnabled,
-				admin: adminBranding,
+		// Check if self-signup is enabled (any allowed domain with enabled = 1)
+		// Only relevant for passkey auth — external auth providers handle their own signup
+		let signupEnabled = false;
+		if (emdash?.db && authMode.type === "passkey") {
+			try {
+				const { sql } = await import("kysely");
+				const result = await sql<{ cnt: unknown }>`
+					SELECT COUNT(*) as cnt FROM allowed_domains WHERE enabled = 1
+				`.execute(emdash.db);
+				signupEnabled = Number(result.rows[0]?.cnt ?? 0) > 0;
+			} catch {
+				// Table may not exist yet, that's fine
 			}
-		: {
-				version: VERSION,
-				commit: COMMIT,
-				hash: "default",
-				collections: {},
-				plugins: {},
-				taxonomies: [],
-				authMode: "passkey",
-				signupEnabled,
-				admin: adminBranding,
-			};
+		}
 
-	return Response.json(
-		{ data: manifest },
-		{
-			headers: {
-				"Cache-Control": "private, no-store",
+		const manifest: EmDashManifest = emdashManifest
+			? {
+					...emdashManifest,
+					authMode: authMode.type === "external" ? authMode.providerType : "passkey",
+					signupEnabled,
+					admin: adminBranding,
+				}
+			: {
+					version: VERSION,
+					commit: COMMIT,
+					hash: "default",
+					collections: {},
+					plugins: {},
+					taxonomies: [],
+					authMode: "passkey",
+					signupEnabled,
+					admin: adminBranding,
+				};
+
+		return Response.json(
+			{ data: manifest },
+			{
+				headers: {
+					"Cache-Control": "private, no-store",
+				},
 			},
-		},
-	);
+		);
+	} catch (error) {
+		return handleError(error, "Failed to build manifest", "MANIFEST_BUILD_ERROR");
+	}
 };

package/src/astro/routes/api/media/[id]/confirm.ts

@@ -10,7 +10,7 @@
 import type { APIRoute } from "astro";
 import { MediaRepository } from "emdash";
 
-import { requirePerm } from "#api/authorize.js";
+import { requireOwnerPerm, requirePerm } from "#api/authorize.js";
 import { apiError, apiSuccess, handleError } from "#api/error.js";
 import { isParseError, parseOptionalBody } from "#api/parse.js";
 import { mediaConfirmBody } from "#api/schemas.js";
@@ -62,6 +62,15 @@ export const POST: APIRoute = async ({ params, request, locals }) => {
 			return apiError("INVALID_STATE", `Media item is not pending: ${existing.status}`, 400);
 		}
 
+		// Only the uploader or a user with media:edit_any can confirm/fail a pending upload
+		const ownerDenied = requireOwnerPerm(
+			user,
+			existing.authorId ?? "",
+			"media:edit_own",
+			"media:edit_any",
+		);
+		if (ownerDenied) return ownerDenied;
+
 		// Optionally verify the file exists in storage
 		if (emdash.storage) {
 			const exists = await emdash.storage.exists(existing.storageKey);

package/src/astro/routes/api/media/providers/[providerId]/index.ts

@@ -37,9 +37,8 @@ export const GET: APIRoute = async ({ params, request, locals }) => {
 
 	const url = new URL(request.url);
 	const cursor = url.searchParams.get("cursor") || undefined;
-	const limit = url.searchParams.get("limit")
-		? parseInt(url.searchParams.get("limit")!, 10)
-		: undefined;
+	const rawLimit = url.searchParams.get("limit");
+	const limit = rawLimit ? Math.max(1, Math.min(parseInt(rawLimit, 10) || 50, 100)) : undefined;
 	const query = url.searchParams.get("query") || undefined;
 	const mimeType = url.searchParams.get("mimeType") || undefined;
 
@@ -98,6 +97,16 @@ export const POST: APIRoute = async ({ params, request, locals }) => {
 			return apiError("NO_FILE", "No file provided", 400);
 		}
 
+		// Basic size validation (default 50MB, configurable via maxUploadSize)
+		const maxSize = emdash.config?.maxUploadSize ?? 50 * 1024 * 1024;
+		if (file.size > maxSize) {
+			return apiError(
+				"FILE_TOO_LARGE",
+				`File exceeds maximum size of ${Math.round(maxSize / 1024 / 1024)}MB`,
+				413,
+			);
+		}
+
 		const item = await provider.upload({
 			file,
 			filename: file.name,

package/src/astro/routes/api/openapi.json.ts

@@ -9,33 +9,50 @@
 
 import type { APIRoute } from "astro";
 
+import { handleError } from "../../../api/error.js";
 import { generateOpenApiDocument } from "../../../api/openapi/index.js";
 
 export const prerender = false;
 
-let cachedSpec: string | null = null;
+// Use globalThis with Symbol.for to survive Vite's SSR module duplication
+const OPENAPI_CACHE_KEY = Symbol.for("emdash.openapi.cachedSpec");
+
+function getCachedSpec(): string | null {
+	const val = (globalThis as Record<symbol, unknown>)[OPENAPI_CACHE_KEY];
+	return typeof val === "string" ? val : null;
+}
+
+function setCachedSpec(spec: string): void {
+	(globalThis as Record<symbol, unknown>)[OPENAPI_CACHE_KEY] = spec;
+}
 
 export const GET: APIRoute = async ({ locals }) => {
 	const { emdash } = locals;
-	if (!cachedSpec && emdash) {
+
+	let spec = getCachedSpec();
+	if (!spec && emdash) {
 		try {
 			const doc = generateOpenApiDocument({ maxUploadSize: emdash.config.maxUploadSize });
-			cachedSpec = JSON.stringify(doc);
-		} catch {
-			return new Response(
-				JSON.stringify({ error: "Failed to generate OpenAPI document: invalid configuration" }),
-				{ status: 500, headers: { "Content-Type": "application/json" } },
-			);
+			spec = JSON.stringify(doc);
+			setCachedSpec(spec);
+		} catch (error) {
+			return handleError(error, "Failed to generate OpenAPI document", "OPENAPI_ERROR");
 		}
 	}
 
-	const spec = cachedSpec ?? JSON.stringify(generateOpenApiDocument());
+	if (!spec) {
+		try {
+			spec = JSON.stringify(generateOpenApiDocument());
+		} catch (error) {
+			return handleError(error, "Failed to generate OpenAPI document", "OPENAPI_ERROR");
+		}
+	}
 
 	return new Response(spec, {
 		status: 200,
 		headers: {
 			"Content-Type": "application/json",
-			"Cache-Control": "public, max-age=3600",
+			"Cache-Control": "private, no-store",
 			"Access-Control-Allow-Origin": "*",
 		},
 	});

package/src/astro/routes/api/redirects/404s/index.ts

@@ -9,7 +9,7 @@
 import type { APIRoute } from "astro";
 
 import { requirePerm } from "#api/authorize.js";
-import { handleError, unwrapResult } from "#api/error.js";
+import { handleError, requireDb, unwrapResult } from "#api/error.js";
 import {
 	handleNotFoundClear,
 	handleNotFoundList,
@@ -22,7 +22,9 @@ export const prerender = false;
 
 export const GET: APIRoute = async ({ url, locals }) => {
 	const { emdash, user } = locals;
-	const db = emdash.db;
+	const dbErr = requireDb(emdash?.db);
+	if (dbErr) return dbErr;
+	const db = emdash!.db;
 
 	const denied = requirePerm(user, "redirects:read");
 	if (denied) return denied;
@@ -40,7 +42,9 @@ export const GET: APIRoute = async ({ url, locals }) => {
 
 export const DELETE: APIRoute = async ({ locals }) => {
 	const { emdash, user } = locals;
-	const db = emdash.db;
+	const dbErr = requireDb(emdash?.db);
+	if (dbErr) return dbErr;
+	const db = emdash!.db;
 
 	const denied = requirePerm(user, "redirects:manage");
 	if (denied) return denied;
@@ -55,7 +59,9 @@ export const DELETE: APIRoute = async ({ locals }) => {
 
 export const POST: APIRoute = async ({ request, locals }) => {
 	const { emdash, user } = locals;
-	const db = emdash.db;
+	const dbErr = requireDb(emdash?.db);
+	if (dbErr) return dbErr;
+	const db = emdash!.db;
 
 	const denied = requirePerm(user, "redirects:manage");
 	if (denied) return denied;

package/src/astro/routes/api/redirects/404s/summary.ts

@@ -7,7 +7,7 @@
 import type { APIRoute } from "astro";
 
 import { requirePerm } from "#api/authorize.js";
-import { handleError, unwrapResult } from "#api/error.js";
+import { handleError, requireDb, unwrapResult } from "#api/error.js";
 import { handleNotFoundSummary } from "#api/handlers/redirects.js";
 import { isParseError, parseQuery } from "#api/parse.js";
 import { notFoundSummaryQuery } from "#api/schemas.js";
@@ -16,7 +16,9 @@ export const prerender = false;
 
 export const GET: APIRoute = async ({ url, locals }) => {
 	const { emdash, user } = locals;
-	const db = emdash.db;
+	const dbErr = requireDb(emdash?.db);
+	if (dbErr) return dbErr;
+	const db = emdash!.db;
 
 	const denied = requirePerm(user, "redirects:read");
 	if (denied) return denied;

package/src/astro/routes/api/redirects/[id].ts

@@ -9,7 +9,7 @@
 import type { APIRoute } from "astro";
 
 import { requirePerm } from "#api/authorize.js";
-import { apiError, handleError, unwrapResult } from "#api/error.js";
+import { apiError, handleError, requireDb, unwrapResult } from "#api/error.js";
 import {
 	handleRedirectDelete,
 	handleRedirectGet,
@@ -23,7 +23,9 @@ export const prerender = false;
 
 export const GET: APIRoute = async ({ params, locals }) => {
 	const { emdash, user } = locals;
-	const db = emdash.db;
+	const dbErr = requireDb(emdash?.db);
+	if (dbErr) return dbErr;
+	const db = emdash!.db;
 	const { id } = params;
 
 	const denied = requirePerm(user, "redirects:read");
@@ -43,7 +45,9 @@ export const GET: APIRoute = async ({ params, locals }) => {
 
 export const PUT: APIRoute = async ({ params, request, locals }) => {
 	const { emdash, user } = locals;
-	const db = emdash.db;
+	const dbErr = requireDb(emdash?.db);
+	if (dbErr) return dbErr;
+	const db = emdash!.db;
 	const { id } = params;
 
 	const denied = requirePerm(user, "redirects:manage");
@@ -67,7 +71,9 @@ export const PUT: APIRoute = async ({ params, request, locals }) => {
 
 export const DELETE: APIRoute = async ({ params, locals }) => {
 	const { emdash, user } = locals;
-	const db = emdash.db;
+	const dbErr = requireDb(emdash?.db);
+	if (dbErr) return dbErr;
+	const db = emdash!.db;
 	const { id } = params;
 
 	const denied = requirePerm(user, "redirects:manage");

package/src/astro/routes/api/redirects/index.ts

@@ -8,7 +8,7 @@
 import type { APIRoute } from "astro";
 
 import { requirePerm } from "#api/authorize.js";
-import { handleError, unwrapResult } from "#api/error.js";
+import { handleError, requireDb, unwrapResult } from "#api/error.js";
 import { handleRedirectCreate, handleRedirectList } from "#api/handlers/redirects.js";
 import { isParseError, parseBody, parseQuery } from "#api/parse.js";
 import { createRedirectBody, redirectsListQuery } from "#api/schemas.js";
@@ -18,7 +18,9 @@ export const prerender = false;
 
 export const GET: APIRoute = async ({ url, locals }) => {
 	const { emdash, user } = locals;
-	const db = emdash.db;
+	const dbErr = requireDb(emdash?.db);
+	if (dbErr) return dbErr;
+	const db = emdash!.db;
 
 	const denied = requirePerm(user, "redirects:read");
 	if (denied) return denied;
@@ -36,7 +38,9 @@ export const GET: APIRoute = async ({ url, locals }) => {
 
 export const POST: APIRoute = async ({ request, locals }) => {
 	const { emdash, user } = locals;
-	const db = emdash.db;
+	const dbErr = requireDb(emdash?.db);
+	if (dbErr) return dbErr;
+	const db = emdash!.db;
 
 	const denied = requirePerm(user, "redirects:manage");
 	if (denied) return denied;

package/src/astro/routes/api/revisions/[revisionId]/index.ts

@@ -16,7 +16,7 @@ export const GET: APIRoute = async ({ params, locals }) => {
 	const { emdash, user } = locals;
 	const revisionId = params.revisionId!;
 
-	const denied = requirePerm(user, "content:read");
+	const denied = requirePerm(user, "content:read_drafts");
 	if (denied) return denied;
 
 	if (!emdash?.handleRevisionGet) {

package/src/astro/routes/api/schema/collections/[slug]/fields/[fieldSlug].ts

@@ -57,7 +57,6 @@ export const PUT: APIRoute = async ({ params, request, locals }) => {
 		fieldSlug,
 		body as UpdateFieldInput,
 	);
-	if (result.success) emdash!.invalidateManifest();
 	return unwrapResult(result);
 };
 
@@ -73,6 +72,5 @@ export const DELETE: APIRoute = async ({ params, locals }) => {
 	if (denied) return denied;
 
 	const result = await handleSchemaFieldDelete(emdash!.db, collectionSlug, fieldSlug);
-	if (result.success) emdash!.invalidateManifest();
 	return unwrapResult(result);
 };

package/src/astro/routes/api/schema/collections/[slug]/fields/index.ts

@@ -48,6 +48,5 @@ export const POST: APIRoute = async ({ params, request, locals }) => {
 		collectionSlug,
 		body as CreateFieldInput,
 	);
-	if (result.success) emdash!.invalidateManifest();
 	return unwrapResult(result, 201);
 };

package/src/astro/routes/api/schema/collections/[slug]/fields/reorder.ts

@@ -28,6 +28,5 @@ export const POST: APIRoute = async ({ params, request, locals }) => {
 	if (isParseError(body)) return body;
 
 	const result = await handleSchemaFieldReorder(emdash!.db, collectionSlug, body.fieldSlugs);
-	if (result.success) emdash!.invalidateManifest();
 	return unwrapResult(result);
 };

package/src/astro/routes/api/schema/collections/[slug]/index.ts

@@ -59,7 +59,7 @@ export const PUT: APIRoute = async ({ params, request, locals }) => {
 		// eslint-disable-next-line typescript-eslint(no-unsafe-type-assertion) -- parseBody validates via Zod
 		body as UpdateCollectionInput,
 	);
-	emdash!.invalidateManifest();
+	emdash!.invalidateUrlPatternCache();
 	return unwrapResult(result);
 };
 
@@ -77,6 +77,6 @@ export const DELETE: APIRoute = async ({ params, url, locals }) => {
 	const result = await handleSchemaCollectionDelete(emdash!.db, slug, {
 		force,
 	});
-	emdash!.invalidateManifest();
+	emdash!.invalidateUrlPatternCache();
 	return unwrapResult(result);
 };

package/src/astro/routes/api/schema/collections/index.ts

@@ -43,6 +43,6 @@ export const POST: APIRoute = async ({ request, locals }) => {
 
 	// eslint-disable-next-line typescript-eslint(no-unsafe-type-assertion) -- Zod schema output narrowed to CreateCollectionInput
 	const result = await handleSchemaCollectionCreate(emdash!.db, body as CreateCollectionInput);
-	emdash!.invalidateManifest();
+	emdash!.invalidateUrlPatternCache();
 	return unwrapResult(result, 201);
 };