emdash 0.7.0 → 0.9.0

package/src/astro/routes/api/search/index.ts

@@ -4,6 +4,7 @@
  * GET /_emdash/api/search?q=query&collections=posts,pages&limit=20
  */
 
+import { hasPermission } from "@emdash-cms/auth";
 import type { APIRoute } from "astro";
 
 import { apiError, apiSuccess, handleError } from "#api/error.js";
@@ -23,7 +24,7 @@ export const prerender = false;
  * - limit: Maximum results (optional, defaults to 20)
  */
 export const GET: APIRoute = async ({ url, locals }) => {
-	const { emdash } = locals;
+	const { emdash, user } = locals;
 
 	if (!emdash?.db) {
 		return apiError("NOT_CONFIGURED", "EmDash not configured", 500);
@@ -36,6 +37,13 @@ export const GET: APIRoute = async ({ url, locals }) => {
 		? query.collections.split(",").map((c: string) => c.trim())
 		: undefined;
 
+	// Only users with content:read_drafts may search non-published statuses.
+	// Anonymous and subscriber requests are forced to "published".
+	const status =
+		query.status && query.status !== "published" && hasPermission(user, "content:read_drafts")
+			? query.status
+			: "published";
+
 	try {
 		// Verify FTS indexes are healthy on first use. At most once per worker
 		// lifetime; no-op after that. Moved off the cold-start hot path to
@@ -44,7 +52,7 @@ export const GET: APIRoute = async ({ url, locals }) => {
 
 		const result = await searchWithDb(emdash.db, query.q, {
 			collections,
-			status: query.status,
+			status,
 			locale: query.locale,
 			limit: query.limit,
 		});

package/src/astro/routes/api/sections/[slug].ts

@@ -9,7 +9,7 @@
 import type { APIRoute } from "astro";
 
 import { requirePerm } from "#api/authorize.js";
-import { apiError, handleError, unwrapResult } from "#api/error.js";
+import { apiError, handleError, requireDb, unwrapResult } from "#api/error.js";
 import {
 	handleSectionDelete,
 	handleSectionGet,
@@ -22,7 +22,9 @@ export const prerender = false;
 
 export const GET: APIRoute = async ({ params, locals }) => {
 	const { emdash, user } = locals;
-	const db = emdash.db;
+	const dbErr = requireDb(emdash?.db);
+	if (dbErr) return dbErr;
+	const db = emdash!.db;
 	const { slug } = params;
 
 	const denied = requirePerm(user, "sections:read");
@@ -42,7 +44,9 @@ export const GET: APIRoute = async ({ params, locals }) => {
 
 export const PUT: APIRoute = async ({ params, request, locals }) => {
 	const { emdash, user } = locals;
-	const db = emdash.db;
+	const dbErr = requireDb(emdash?.db);
+	if (dbErr) return dbErr;
+	const db = emdash!.db;
 	const { slug } = params;
 
 	const denied = requirePerm(user, "sections:manage");
@@ -65,7 +69,9 @@ export const PUT: APIRoute = async ({ params, request, locals }) => {
 
 export const DELETE: APIRoute = async ({ params, locals }) => {
 	const { emdash, user } = locals;
-	const db = emdash.db;
+	const dbErr = requireDb(emdash?.db);
+	if (dbErr) return dbErr;
+	const db = emdash!.db;
 	const { slug } = params;
 
 	const denied = requirePerm(user, "sections:manage");

package/src/astro/routes/api/sections/index.ts

@@ -8,7 +8,7 @@
 import type { APIRoute } from "astro";
 
 import { requirePerm } from "#api/authorize.js";
-import { handleError, unwrapResult } from "#api/error.js";
+import { handleError, requireDb, unwrapResult } from "#api/error.js";
 import { handleSectionCreate, handleSectionList } from "#api/handlers/sections.js";
 import { isParseError, parseBody, parseQuery } from "#api/parse.js";
 import { createSectionBody, sectionsListQuery } from "#api/schemas.js";
@@ -17,7 +17,9 @@ export const prerender = false;
 
 export const GET: APIRoute = async ({ url, locals }) => {
 	const { emdash, user } = locals;
-	const db = emdash.db;
+	const dbErr = requireDb(emdash?.db);
+	if (dbErr) return dbErr;
+	const db = emdash!.db;
 
 	const denied = requirePerm(user, "sections:read");
 	if (denied) return denied;
@@ -35,7 +37,9 @@ export const GET: APIRoute = async ({ url, locals }) => {
 
 export const POST: APIRoute = async ({ request, locals }) => {
 	const { emdash, user } = locals;
-	const db = emdash.db;
+	const dbErr = requireDb(emdash?.db);
+	if (dbErr) return dbErr;
+	const db = emdash!.db;
 
 	const denied = requirePerm(user, "sections:manage");
 	if (denied) return denied;

package/src/astro/routes/api/settings/email.ts

@@ -49,20 +49,15 @@ export const GET: APIRoute = async ({ locals }) => {
 			`emdash:exclusive_hook:${EMAIL_DELIVER_HOOK}`,
 		);
 
-		// Get middleware hooks (beforeSend / afterSend)
+		// Get middleware hooks (beforeSend / afterSend). These are non-exclusive —
+		// many plugins can subscribe — so we enumerate non-exclusive providers.
 		const beforeSendPlugins = pipeline
-			.getExclusiveHookProviders(EMAIL_BEFORE_SEND_HOOK)
+			.getHookProviders(EMAIL_BEFORE_SEND_HOOK)
 			.map((p) => p.pluginId);
 		const afterSendPlugins = pipeline
-			.getExclusiveHookProviders(EMAIL_AFTER_SEND_HOOK)
+			.getHookProviders(EMAIL_AFTER_SEND_HOOK)
 			.map((p) => p.pluginId);
 
-		// Note: beforeSend/afterSend are NOT exclusive hooks, but getExclusiveHookProviders
-		// only finds exclusive ones. We need all hooks for those names.
-		// For now, report what we can from the exclusive hook system.
-		// Middleware is non-exclusive so we'd need a different query.
-		// TODO: Add getHookProviders() for non-exclusive hooks to the pipeline.
-
 		return apiSuccess({
 			available: emdash.email?.isAvailable() ?? false,
 			providers: providers.map((p) => ({

package/src/astro/routes/api/setup/admin-verify.ts

@@ -16,6 +16,7 @@ import { apiError, apiSuccess, handleError } from "#api/error.js";
 import { isParseError, parseBody } from "#api/parse.js";
 import { getPublicOrigin } from "#api/public-url.js";
 import { setupAdminVerifyBody } from "#api/schemas.js";
+import { getConfiguredAllowedOrigins, validateAllowedOrigins } from "#auth/allowed-origins.js";
 import { createChallengeStore } from "#auth/challenge-store.js";
 import { getPasskeyConfig } from "#auth/passkey-config.js";
 import { SETUP_NONCE_COOKIE } from "#auth/setup-nonce.js";
@@ -83,7 +84,11 @@ export const POST: APIRoute = async ({ cookies, request, locals }) => {
 		const url = new URL(request.url);
 		const siteName = (await options.get<string>("emdash:site_title")) ?? undefined;
 		const siteUrl = getPublicOrigin(url, emdash?.config);
-		const passkeyConfig = getPasskeyConfig(url, siteName, siteUrl);
+		const allowedOrigins = validateAllowedOrigins(
+			siteUrl,
+			getConfiguredAllowedOrigins(emdash?.config),
+		);
+		const passkeyConfig = getPasskeyConfig(url, siteName, siteUrl, allowedOrigins);
 
 		// Verify the registration response
 		const challengeStore = createChallengeStore(emdash.db);

package/src/astro/routes/api/setup/admin.ts

@@ -49,6 +49,10 @@ export const POST: APIRoute = async ({ cookies, request, locals }) => {
 		const body = await parseBody(request, setupAdminBody);
 		if (isParseError(body)) return body;
 
+		// Preserve title/tagline from step 1 by reading existing setup state
+		// before we overwrite it below.
+		const existingState = await options.get<Record<string, unknown>>("emdash:setup_state");
+
 		// Mint a fresh session nonce. This binds the follow-up
 		// /setup/admin/verify call to the same browser that made this
 		// request, so an unauthenticated attacker on another host cannot
@@ -81,9 +85,11 @@ export const POST: APIRoute = async ({ cookies, request, locals }) => {
 			challengeStore,
 		);
 
-		// Store the nonce alongside the rest of the setup state. The verify
-		// endpoint will constant-time compare this with the incoming cookie.
+		// Store the nonce alongside the rest of the setup state, preserving
+		// title/tagline from step 1. The verify endpoint will constant-time
+		// compare the nonce with the incoming cookie.
 		await options.set("emdash:setup_state", {
+			...existingState,
 			step: "admin",
 			email: body.email.toLowerCase(),
 			name: body.name || null,

package/src/astro/routes/api/setup/index.ts

@@ -81,7 +81,7 @@ export const POST: APIRoute = async ({ request, url, locals }) => {
 
 		// 5. Store setup state
 		// In external auth mode, mark setup complete immediately (first user to login becomes admin)
-		// In passkey mode, setup_complete is set after admin user is created
+		// Otherwise, setup_complete is set after admin user is created (passkey or auth provider)
 		const authMode = getAuthMode(emdash.config);
 		const useExternalAuth = authMode.type === "external";
 
@@ -105,7 +105,7 @@ export const POST: APIRoute = async ({ request, url, locals }) => {
 					await options.set("emdash:site_tagline", body.tagline);
 				}
 			} else {
-				// Passkey mode: store state for next step (admin creation)
+				// Passkey/provider mode: store state for next step (admin creation)
 				await options.set("emdash:setup_state", {
 					step: "site_complete",
 					title: body.title,

package/src/astro/routes/api/setup/status.ts

@@ -91,7 +91,7 @@ export const GET: APIRoute = async ({ locals }) => {
 		const authMode = getAuthMode(emdash.config);
 		const useExternalAuth = authMode.type === "external";
 
-		// In external auth mode, setup is complete if flag is set (no users required initially)
+		// In external auth mode (not atproto), setup is complete if flag is set (no users required initially)
 		if (useExternalAuth && isComplete) {
 			return apiSuccess({
 				needsSetup: false,
@@ -106,6 +106,8 @@ export const GET: APIRoute = async ({ locals }) => {
 					description: seed.meta?.description || "",
 					collections: seed.collections?.length || 0,
 					hasContent: !!(seed.content && Object.keys(seed.content).length > 0),
+					title: seed.settings?.title,
+					tagline: seed.settings?.tagline,
 				}
 			: null;
 

package/src/astro/routes/api/snapshot.ts

@@ -7,6 +7,7 @@
  * - Excludes auth/user/session/token tables
  */
 
+import type { User } from "@emdash-cms/auth";
 import type { APIRoute } from "astro";
 
 import { requirePerm } from "#api/authorize.js";
@@ -17,11 +18,31 @@ import {
 	verifyPreviewSignature,
 } from "#api/handlers/snapshot.js";
 import { getPublicOrigin } from "#api/public-url.js";
+import { resolveSecretsCached } from "#config/secrets.js";
 
 export const prerender = false;
 
-export const GET: APIRoute = async ({ request, locals, url }) => {
-	const { emdash, user } = locals;
+export const GET: APIRoute = async ({ request, locals, url, session }) => {
+	const { emdash } = locals;
+	// This route is in PUBLIC_API_EXACT (for preview-signature callers with no session),
+	// so auth middleware skips user resolution. Manually resolve the session user here
+	// to support session-authenticated admin users alongside preview-signature auth.
+	let user: User | undefined = (locals as { user?: User }).user;
+	if (!user && session && emdash?.db) {
+		try {
+			const { createKyselyAdapter } = await import("@emdash-cms/auth/adapters/kysely");
+			const sessionUser = await session.get("user");
+			if (sessionUser?.id) {
+				const adapter = createKyselyAdapter(emdash.db);
+				const resolved = await adapter.getUserById(sessionUser.id);
+				if (resolved && !resolved.disabled) {
+					user = resolved;
+				}
+			}
+		} catch {
+			// Session resolution failed, continue to preview-signature check
+		}
+	}
 
 	if (!emdash?.db) {
 		return apiError("NOT_CONFIGURED", "EmDash is not initialized", 500);
@@ -32,24 +53,29 @@ export const GET: APIRoute = async ({ request, locals, url }) => {
 	let authorized = false;
 
 	if (previewSig) {
-		const secret = import.meta.env.EMDASH_PREVIEW_SECRET || import.meta.env.PREVIEW_SECRET || "";
-		if (!secret) {
-			console.warn(
-				"[snapshot] X-Preview-Signature header present but no PREVIEW_SECRET configured",
-			);
+		// Resolves env override or DB-stored value. Always non-empty after
+		// resolution, so the signature path is never silently disabled.
+		// Note: a signing process without access to this database (e.g. a
+		// remote preview Worker) must set the same `EMDASH_PREVIEW_SECRET`
+		// env var on both sides.
+		const { previewSecret: secret, previewSecretSource } = await resolveSecretsCached(emdash.db);
+		const parsed = parsePreviewSignatureHeader(previewSig);
+		if (!parsed) {
+			console.warn("[snapshot] Failed to parse X-Preview-Signature header");
 		} else {
-			const parsed = parsePreviewSignatureHeader(previewSig);
-			if (!parsed) {
-				console.warn("[snapshot] Failed to parse X-Preview-Signature header");
-			} else {
-				authorized = await verifyPreviewSignature(parsed.source, parsed.exp, parsed.sig, secret);
-				if (!authorized) {
-					console.warn("[snapshot] Preview signature verification failed", {
-						source: parsed.source,
-						exp: parsed.exp,
-						expired: parsed.exp < Date.now() / 1000,
-					});
+			authorized = await verifyPreviewSignature(parsed.source, parsed.exp, parsed.sig, secret);
+			if (!authorized) {
+				const fields: Record<string, unknown> = {
+					source: parsed.source,
+					exp: parsed.exp,
+					expired: parsed.exp < Date.now() / 1000,
+					secretSource: previewSecretSource,
+				};
+				if (previewSecretSource === "db") {
+					fields.hint =
+						"Set EMDASH_PREVIEW_SECRET in both this process and the signing process to share secrets across deployments";
 				}
+				console.warn("[snapshot] Preview signature verification failed", fields);
 			}
 		}
 	}

package/src/astro/routes/api/taxonomies/index.ts

@@ -52,7 +52,6 @@ export const POST: APIRoute = async ({ request, locals }) => {
 		if (isParseError(body)) return body;
 
 		const result = await handleTaxonomyCreate(emdash.db, body);
-		if (result.success) emdash.invalidateManifest();
 		return unwrapResult(result, 201);
 	} catch (error) {
 		return handleError(error, "Failed to create taxonomy", "TAXONOMY_CREATE_ERROR");

package/src/astro/routes/api/themes/preview.ts

@@ -4,7 +4,13 @@
  * POST /_emdash/api/themes/preview
  *
  * Generates a signed preview URL for the "Try with my data" feature.
- * The PREVIEW_SECRET must be set in the environment (shared with preview Workers).
+ *
+ * Uses the resolved preview secret: env override (`EMDASH_PREVIEW_SECRET`)
+ * wins, otherwise an auto-generated stable per-site value persisted in the
+ * options table is used. Processes that share the same database converge on
+ * the same auto-generated value; only set `EMDASH_PREVIEW_SECRET` in both
+ * processes when the verifying side runs without access to the EmDash DB
+ * (e.g. a remote preview Worker).
  */
 
 import type { APIRoute } from "astro";
@@ -12,6 +18,7 @@ import type { APIRoute } from "astro";
 import { requirePerm } from "#api/authorize.js";
 import { apiError, apiSuccess } from "#api/error.js";
 import { getPublicOrigin } from "#api/public-url.js";
+import { resolveSecretsCached } from "#config/secrets.js";
 
 export const prerender = false;
 
@@ -25,10 +32,9 @@ export const POST: APIRoute = async ({ request, url, locals }) => {
 	const denied = requirePerm(user, "plugins:read");
 	if (denied) return denied;
 
-	const secret = import.meta.env.EMDASH_PREVIEW_SECRET || import.meta.env.PREVIEW_SECRET || "";
-	if (!secret) {
-		return apiError("NOT_CONFIGURED", "PREVIEW_SECRET is not configured", 500);
-	}
+	// Always non-empty after resolution; env override wins, otherwise a
+	// stable DB-stored value is used.
+	const { previewSecret: secret } = await resolveSecretsCached(emdash.db);
 
 	let body: { previewUrl: string };
 	try {

package/src/astro/routes/api/widget-areas/[name]/widgets/[id].ts

@@ -11,6 +11,8 @@ import { requirePerm } from "#api/authorize.js";
 import { apiError, apiSuccess, handleError } from "#api/error.js";
 import { isParseError, parseBody } from "#api/parse.js";
 import { updateWidgetBody } from "#api/schemas.js";
+import { rowToWidget } from "#widgets/index.js";
+import type { WidgetRow } from "#widgets/types.js";
 
 export const prerender = false;
 
@@ -73,10 +75,11 @@ export const PUT: APIRoute = async ({ params, request, locals }) => {
 		const widget = await db
 			.selectFrom("_emdash_widgets")
 			.selectAll()
+			.$castTo<WidgetRow>()
 			.where("id", "=", id)
 			.executeTakeFirstOrThrow();
 
-		return apiSuccess(widget);
+		return apiSuccess(rowToWidget(widget));
 	} catch (error) {
 		return handleError(error, "Failed to update widget", "WIDGET_UPDATE_ERROR");
 	}

package/src/astro/routes/api/widget-areas/[name]/widgets.ts

@@ -11,6 +11,8 @@ import { requirePerm } from "#api/authorize.js";
 import { apiError, apiSuccess, handleError } from "#api/error.js";
 import { isParseError, parseBody } from "#api/parse.js";
 import { createWidgetBody } from "#api/schemas.js";
+import { rowToWidget } from "#widgets/index.js";
+import type { WidgetRow } from "#widgets/types.js";
 
 export const prerender = false;
 
@@ -70,10 +72,11 @@ export const POST: APIRoute = async ({ params, request, locals }) => {
 		const widget = await db
 			.selectFrom("_emdash_widgets")
 			.selectAll()
+			.$castTo<WidgetRow>()
 			.where("id", "=", id)
 			.executeTakeFirstOrThrow();
 
-		return apiSuccess(widget, 201);
+		return apiSuccess(rowToWidget(widget), 201);
 	} catch (error) {
 		return handleError(error, "Failed to create widget", "WIDGET_CREATE_ERROR");
 	}

package/src/astro/routes/api/widget-areas/[name].ts

@@ -9,6 +9,8 @@ import type { APIRoute } from "astro";
 
 import { requirePerm } from "#api/authorize.js";
 import { apiError, apiSuccess, handleError } from "#api/error.js";
+import { rowToWidget } from "#widgets/index.js";
+import type { WidgetRow } from "#widgets/types.js";
 
 export const prerender = false;
 
@@ -40,13 +42,14 @@ export const GET: APIRoute = async ({ params, locals }) => {
 		const widgets = await db
 			.selectFrom("_emdash_widgets")
 			.selectAll()
+			.$castTo<WidgetRow>()
 			.where("area_id", "=", area.id)
 			.orderBy("sort_order", "asc")
 			.execute();
 
 		return apiSuccess({
 			...area,
-			widgets,
+			widgets: widgets.map((row) => rowToWidget(row)),
 		});
 	} catch (error) {
 		return handleError(error, "Failed to fetch widget area", "WIDGET_AREA_GET_ERROR");

package/src/astro/routes/api/widget-areas/index.ts

@@ -12,6 +12,8 @@ import { requirePerm } from "#api/authorize.js";
 import { apiError, apiSuccess, handleError } from "#api/error.js";
 import { isParseError, parseBody } from "#api/parse.js";
 import { createWidgetAreaBody } from "#api/schemas.js";
+import { rowToWidget } from "#widgets/index.js";
+import type { WidgetRow } from "#widgets/types.js";
 
 export const prerender = false;
 
@@ -35,13 +37,14 @@ export const GET: APIRoute = async ({ locals }) => {
 				const widgets = await db
 					.selectFrom("_emdash_widgets")
 					.selectAll()
+					.$castTo<WidgetRow>()
 					.where("area_id", "=", area.id)
 					.orderBy("sort_order", "asc")
 					.execute();
 
 				return {
 					...area,
-					widgets,
+					widgets: widgets.map((row) => rowToWidget(row)),
 					widgetCount: widgets.length,
 				};
 			}),

package/src/astro/types.ts

@@ -228,6 +228,15 @@ export interface EmDashHandlers {
 			slug?: string;
 			status?: string;
 			authorId?: string | null;
+			bylines?: Array<{ bylineId: string; roleLabel?: string | null }>;
+			seo?: {
+				title?: string | null;
+				description?: string | null;
+				image?: string | null;
+				canonical?: string | null;
+				noIndex?: boolean;
+			};
+			publishedAt?: string | null;
 			_rev?: string;
 		},
 	) => Promise<HandlerResponse>;
@@ -255,7 +264,11 @@ export interface EmDashHandlers {
 	) => Promise<HandlerResponse>;
 
 	// Publishing & Scheduling handlers
-	handleContentPublish: (collection: string, id: string) => Promise<HandlerResponse>;
+	handleContentPublish: (
+		collection: string,
+		id: string,
+		options?: { publishedAt?: string },
+	) => Promise<HandlerResponse>;
 
 	handleContentUnpublish: (collection: string, id: string) => Promise<HandlerResponse>;
 
@@ -348,6 +361,7 @@ export interface EmDashHandlers {
 	// Direct access to storage and database for advanced use cases
 	storage: import("../index.js").Storage | null;
 	db: Kysely<import("../index.js").Database>;
+	getPublicMediaUrl?: (storageKey: string) => string;
 
 	// Hook pipeline for plugin integrations
 	hooks: import("../plugins/hooks.js").HookPipeline;
@@ -361,8 +375,15 @@ export interface EmDashHandlers {
 	// Configuration (for checking database type, auth mode, etc.)
 	config: import("./integration/runtime.js").EmDashConfig;
 
-	// Manifest invalidation (call after schema changes)
-	invalidateManifest: () => void;
+	// Build the admin manifest from the live database. Only used by admin
+	// routes; logged-out requests don't need it. Per-request, deduplicated
+	// by `requestCached`.
+	getManifest: () => Promise<EmDashManifest>;
+
+	// Clear the cached URL patterns used by `resolveEmDashPath`. Call after
+	// any schema mutation that creates/updates/deletes a collection's
+	// `urlPattern` so public routing picks up the change immediately.
+	invalidateUrlPatternCache: () => void;
 
 	// Sandbox runner (for marketplace plugin install/update)
 	getSandboxRunner: () => import("../plugins/sandbox/types.js").SandboxRunner | null;
@@ -380,4 +401,12 @@ export interface EmDashHandlers {
 	collectPageFragments: (
 		page: import("../plugins/types.js").PublicPageContext,
 	) => Promise<import("../plugins/types.js").PageFragmentContribution[]>;
+
+	/**
+	 * Lazy search index health check. Search routes call this before
+	 * querying so a crash-corrupted index gets repaired on first use
+	 * rather than stalling cold start. Optional because it's only
+	 * meaningful when an FTS5-capable runtime is wired in.
+	 */
+	ensureSearchHealthy?: () => Promise<void>;
 }