emdash 0.8.0 → 0.10.0

package/src/api/public-url.ts

@@ -29,9 +29,10 @@ interface SiteUrlConfig {
  */
 let _envSiteUrl: string | undefined | null = null;
 
-/** @internal Reset cached env value — test-only. */
-export function _resetEnvSiteUrlCache(): void {
+/** @internal Reset cached env values — test-only. */
+export function _resetEnvCache(): void {
 	_envSiteUrl = null;
+	_envAllowedOrigins = null;
 }
 
 function getEnvSiteUrl(): string | undefined {
@@ -74,6 +75,51 @@ export function getPublicOrigin(url: URL, config?: SiteUrlConfig): string {
 	return config?.siteUrl || getEnvSiteUrl() || url.origin;
 }
 
+/**
+ * Resolve additional accepted passkey origins from runtime environment.
+ *
+ * Reads `EMDASH_ALLOWED_ORIGINS` (comma-separated list of origins) for
+ * multi-origin deployments where the same RP is reachable under several
+ * hostnames sharing the registrable parent domain (e.g. apex + preview).
+ *
+ * Each entry is parsed via `new URL()` and reduced to its `origin`. Unlike
+ * `getEnvSiteUrl` (which silently falls back to `url.origin` on bad input),
+ * this throws on any unparseable or non-http(s) entry — `EMDASH_ALLOWED_ORIGINS`
+ * is an allowlist for passkey verification, so silently dropping a typo would
+ * surface as "I can't authenticate on this origin" with no diagnostic. Fail
+ * loud at first read.
+ *
+ * Uses `process.env` (Vite leaves it untouched at runtime). Result is cached
+ * on success.
+ */
+let _envAllowedOrigins: string[] | null = null;
+
+export function getEnvAllowedOrigins(): string[] {
+	if (_envAllowedOrigins !== null) return _envAllowedOrigins;
+	const raw = typeof process !== "undefined" ? process.env?.EMDASH_ALLOWED_ORIGINS || "" : "";
+	const parsed: string[] = [];
+	for (const entry of raw.split(",")) {
+		const trimmed = entry.trim();
+		if (!trimmed) continue;
+		let u: URL;
+		try {
+			u = new URL(trimmed);
+		} catch (e) {
+			throw new Error(`EmDash config error in EMDASH_ALLOWED_ORIGINS: invalid URL: "${trimmed}"`, {
+				cause: e,
+			});
+		}
+		if (u.protocol !== "http:" && u.protocol !== "https:") {
+			throw new Error(
+				`EmDash config error in EMDASH_ALLOWED_ORIGINS: origin must be http or https: "${trimmed}" (got ${u.protocol})`,
+			);
+		}
+		parsed.push(u.origin);
+	}
+	_envAllowedOrigins = parsed;
+	return parsed;
+}
+
 /**
  * Build a full public URL by appending a path to the public origin.
  *

package/src/api/schemas/comments.ts

@@ -33,8 +33,8 @@ export const commentListQuery = z
 		status: z.enum(["pending", "approved", "spam", "trash"]).optional(),
 		collection: z.string().optional(),
 		search: z.string().optional(),
-		limit: z.coerce.number().int().min(1).max(100).optional(),
-		cursor: z.string().optional(),
+		limit: z.coerce.number().int().min(1).max(100).optional().default(50),
+		cursor: z.string().max(2048).optional(),
 	})
 	.meta({ id: "CommentListQuery" });
 

package/src/api/schemas/common.ts

@@ -59,6 +59,13 @@ export const localeCode = z
 	.regex(/^[a-z]{2,3}(-[a-z0-9]{2,8})*$/i, "Invalid locale code")
 	.transform((v) => v.toLowerCase());
 
+/** Shared `?locale=xx` query shape for endpoints that filter by locale. */
+export const localeFilterQuery = z
+	.object({
+		locale: z.string().min(1).optional(),
+	})
+	.meta({ id: "LocaleFilterQuery" });
+
 // ---------------------------------------------------------------------------
 // OpenAPI: Shared response schemas
 // ---------------------------------------------------------------------------

package/src/api/schemas/content.ts

@@ -72,6 +72,23 @@ export const contentScheduleBody = z
 	})
 	.meta({ id: "ContentScheduleBody" });
 
+export const contentPublishBody = z
+	.object({
+		// .optional() rather than .nullish(): publishing has no semantic
+		// meaning for `null` (you can't "clear" a publish timestamp by
+		// publishing). Tightening the schema here means callers either
+		// pass a valid datetime or omit the field, and the route doesn't
+		// have to silently drop a null that snuck through.
+		publishedAt: z.iso
+			.datetime({ offset: true, message: "must be an ISO 8601 datetime" })
+			.optional()
+			.meta({
+				description:
+					"Optional ISO 8601 datetime to backdate the publish (e.g. when migrating content). Requires content:publish_any permission. Without this, existing published_at is preserved on re-publish.",
+			}),
+	})
+	.meta({ id: "ContentPublishBody" });
+
 export const contentPreviewUrlBody = z
 	.object({
 		expiresIn: z.union([z.string(), z.number()]).optional(),

package/src/api/schemas/menus.ts

@@ -20,6 +20,10 @@ export const createMenuBody = z
 	.object({
 		name: z.string().min(1),
 		label: z.string().min(1),
+		locale: z.string().min(1).optional(),
+		/** When set, clones the items from the source menu. The new menu joins
+		 * the source's translation_group. */
+		translationOf: z.string().min(1).optional(),
 	})
 	.meta({ id: "CreateMenuBody" });
 
@@ -87,6 +91,8 @@ export const menuSchema = z
 		label: z.string(),
 		created_at: z.string(),
 		updated_at: z.string(),
+		locale: z.string(),
+		translation_group: z.string().nullable(),
 	})
 	.meta({ id: "Menu" });
 
@@ -105,9 +111,26 @@ export const menuItemSchema = z
 		target: z.string().nullable(),
 		css_classes: z.string().nullable(),
 		created_at: z.string(),
+		locale: z.string(),
+		translation_group: z.string().nullable(),
 	})
 	.meta({ id: "MenuItem" });
 
+export const menuTranslationsSchema = z
+	.object({
+		translationGroup: z.string().nullable(),
+		translations: z.array(
+			z.object({
+				id: z.string(),
+				name: z.string(),
+				label: z.string(),
+				locale: z.string(),
+				updatedAt: z.string(),
+			}),
+		),
+	})
+	.meta({ id: "MenuTranslations" });
+
 export const menuListItemSchema = menuSchema
 	.extend({
 		itemCount: z.number().int(),

package/src/api/schemas/sections.ts

@@ -10,8 +10,8 @@ export const sectionsListQuery = z
 	.object({
 		source: sectionSource.optional(),
 		search: z.string().optional(),
-		limit: z.coerce.number().int().min(1).max(100).optional(),
-		cursor: z.string().optional(),
+		limit: z.coerce.number().int().min(1).max(100).optional().default(50),
+		cursor: z.string().max(2048).optional(),
 	})
 	.meta({ id: "SectionsListQuery" });
 
@@ -23,7 +23,7 @@ export const createSectionBody = z
 		keywords: z.array(z.string()).optional(),
 		content: z.array(z.record(z.string(), z.unknown())),
 		previewMediaId: z.string().optional(),
-		source: sectionSource.optional(),
+		source: z.enum(["user", "import"]).optional(),
 		themeId: z.string().optional(),
 	})
 	.meta({ id: "CreateSectionBody" });

package/src/api/schemas/taxonomies.ts

@@ -15,6 +15,7 @@ export const createTaxonomyDefBody = z
 			.max(63)
 			.regex(/^[a-z][a-z0-9_]*$/, "Name must be lowercase alphanumeric with underscores"),
 		label: z.string().min(1).max(200),
+		labelSingular: z.string().min(1).max(200).optional(),
 		hierarchical: z.boolean().optional().default(false),
 		collections: z
 			.array(
@@ -23,6 +24,8 @@ export const createTaxonomyDefBody = z
 			.max(100)
 			.optional()
 			.default([]),
+		locale: z.string().min(1).optional(),
+		translationOf: z.string().min(1).optional(),
 	})
 	.meta({ id: "CreateTaxonomyDefBody" });
 
@@ -36,6 +39,8 @@ export const createTermBody = z
 		label: z.string().min(1),
 		parentId: z.string().nullish(),
 		description: z.string().optional(),
+		locale: z.string().min(1).optional(),
+		translationOf: z.string().min(1).optional(),
 	})
 	.meta({ id: "CreateTermBody" });
 
@@ -60,9 +65,25 @@ export const taxonomyDefSchema = z
 		labelSingular: z.string().optional(),
 		hierarchical: z.boolean(),
 		collections: z.array(z.string()),
+		locale: z.string(),
+		translationGroup: z.string().nullable(),
 	})
 	.meta({ id: "TaxonomyDef" });
 
+export const taxonomyDefTranslationsSchema = z
+	.object({
+		translationGroup: z.string().nullable(),
+		translations: z.array(
+			z.object({
+				id: z.string(),
+				name: z.string(),
+				label: z.string(),
+				locale: z.string(),
+			}),
+		),
+	})
+	.meta({ id: "TaxonomyDefTranslations" });
+
 export const taxonomyListResponseSchema = z
 	.object({ taxonomies: z.array(taxonomyDefSchema) })
 	.meta({ id: "TaxonomyListResponse" });
@@ -75,9 +96,25 @@ export const termSchema = z
 		label: z.string(),
 		parentId: z.string().nullable(),
 		description: z.string().optional(),
+		locale: z.string(),
+		translationGroup: z.string().nullable(),
 	})
 	.meta({ id: "Term" });
 
+export const termTranslationsSchema = z
+	.object({
+		translationGroup: z.string().nullable(),
+		translations: z.array(
+			z.object({
+				id: z.string(),
+				slug: z.string(),
+				label: z.string(),
+				locale: z.string(),
+			}),
+		),
+	})
+	.meta({ id: "TermTranslations" });
+
 export const termWithCountSchema: z.ZodType = z
 	.object({
 		id: z.string(),
@@ -88,6 +125,8 @@ export const termWithCountSchema: z.ZodType = z
 		description: z.string().optional(),
 		count: z.number().int(),
 		children: z.array(z.lazy(() => termWithCountSchema)),
+		locale: z.string(),
+		translationGroup: z.string().nullable(),
 	})
 	.meta({ id: "TermWithCount" });
 

package/src/api/schemas/users.ts

@@ -10,7 +10,7 @@ export const usersListQuery = z
 	.object({
 		search: z.string().optional(),
 		role: z.string().optional(),
-		cursor: z.string().optional(),
+		cursor: z.string().max(2048).optional(),
 		limit: z.coerce.number().int().min(1).max(100).optional().default(50),
 	})
 	.meta({ id: "UsersListQuery" });

package/src/api/types.ts

@@ -51,7 +51,11 @@ export interface FieldDescriptor {
 	kind: string;
 	label?: string;
 	required?: boolean;
-	options?: Array<{ value: string; label: string }>;
+	/**
+	 * For `select` / `multiSelect`: the list of enum choices.
+	 * For `json` fields driven by a plugin `widget`: arbitrary widget config.
+	 */
+	options?: Array<{ value: string; label: string }> | Record<string, unknown>;
 }
 
 /**

package/src/astro/integration/index.ts

@@ -12,6 +12,7 @@
 
 import type { AstroIntegration, AstroIntegrationLogger } from "astro";
 
+import { validateAllowedOrigins, validateOriginShape } from "../../auth/allowed-origins.js";
 import type { ResolvedPlugin } from "../../plugins/types.js";
 import { local } from "../storage/adapters.js";
 import { notoSans } from "./font-provider.js";
@@ -117,6 +118,22 @@ export function emdash(config: EmDashConfig = {}): AstroIntegration {
 		}
 	}
 
+	// Validate config.allowedOrigins shape at startup (per-entry rules: parseable,
+	// http(s), no trailing dots, no empty labels). The siteUrl-dependent rules
+	// (Rule A: requires siteUrl; Rule B: must be a subdomain of siteUrl) are
+	// deferred to runtime when config.siteUrl is absent — EMDASH_SITE_URL may
+	// supply it post-build, just like the env-var fallback for siteUrl above.
+	// When config.siteUrl IS present, run the full validator here for fail-fast.
+	if (resolvedConfig.allowedOrigins?.length) {
+		const tagged = resolvedConfig.allowedOrigins.map((origin) => ({
+			origin,
+			source: "config.allowedOrigins" as const,
+		}));
+		resolvedConfig.allowedOrigins = resolvedConfig.siteUrl
+			? validateAllowedOrigins(resolvedConfig.siteUrl, tagged)
+			: validateOriginShape(tagged);
+	}
+
 	// Plugin descriptors from config
 	const pluginDescriptors = resolvedConfig.plugins ?? [];
 	const sandboxedDescriptors = resolvedConfig.sandboxed ?? [];

package/src/astro/integration/routes.ts

@@ -313,6 +313,11 @@ export function injectCoreRoutes(injectRoute: InjectRoute): void {
 		entrypoint: resolveRoute("api/taxonomies/[name]/terms/[slug].ts"),
 	});
 
+	injectRoute({
+		pattern: "/_emdash/api/taxonomies/[name]/terms/[slug]/translations",
+		entrypoint: resolveRoute("api/taxonomies/[name]/terms/[slug]/translations.ts"),
+	});
+
 	injectRoute({
 		pattern: "/_emdash/api/content/[collection]/[id]/terms/[taxonomy]",
 		entrypoint: resolveRoute("api/content/[collection]/[id]/terms/[taxonomy].ts"),
@@ -555,6 +560,11 @@ export function injectCoreRoutes(injectRoute: InjectRoute): void {
 		entrypoint: resolveRoute("api/menus/[name]/reorder.ts"),
 	});
 
+	injectRoute({
+		pattern: "/_emdash/api/menus/[name]/translations",
+		entrypoint: resolveRoute("api/menus/[name]/translations.ts"),
+	});
+
 	// Widget area routes
 	injectRoute({
 		pattern: "/_emdash/api/widget-areas",

package/src/astro/integration/runtime.ts

@@ -303,6 +303,36 @@ export interface EmDashConfig {
 	siteUrl?: string;
 
 	/**
+	 * Additional origins accepted by passkey verification.
+	 *
+	 * When the same EmDash deployment is reachable under several hostnames sharing
+	 * a registrable parent (e.g. `https://example.com` plus
+	 * `https://preview.example.com`), the canonical `siteUrl` defines the `rpId`
+	 * and the entries here are the *additional* origins from which assertions
+	 * are accepted. Each entry must be the same hostname as `siteUrl` or a
+	 * subdomain of it — WebAuthn requires `rpId` to be a registrable suffix of
+	 * every origin.
+	 *
+	 * Merged at runtime with the `EMDASH_ALLOWED_ORIGINS` env var (comma-separated).
+	 * Validation:
+	 *   - Config-declared entries are shape-checked at Astro startup.
+	 *   - Subdomain relationship to `siteUrl` is checked at startup when
+	 *     `siteUrl` is also config-declared, otherwise at first passkey
+	 *     verification (since `siteUrl` may come from `EMDASH_SITE_URL`).
+	 *
+	 * Mismatches throw with a source-attributed message naming
+	 * `config.allowedOrigins` or `EMDASH_ALLOWED_ORIGINS`.
+	 *
+	 * @example
+	 * ```ts
+	 * emdash({
+	 *   siteUrl: "https://example.com",
+	 *   allowedOrigins: ["https://preview.example.com"],
+	 * })
+	 * ```
+	 */
+	allowedOrigins?: string[];
+	/*
 	 * Headers to trust for client IP resolution when running behind a reverse
 	 * proxy. The first header in this list that is present on the request
 	 * wins. Applies to rate limiting for auth endpoints and comment

package/src/astro/integration/virtual-modules.ts

@@ -401,9 +401,20 @@ export function generateWaitUntilModule(adapterName: string | undefined): string
  * Reads the user's seed file at build time (in Node context) and embeds it,
  * so the runtime doesn't need filesystem access (required for workerd).
  *
+ * Search order:
+ *   1. `.emdash/seed.json`
+ *   2. `package.json` → `emdash.seed` reference
+ *   3. `seed/seed.json` (conventional template path)
+ *
  * Exports `userSeed` (user's seed or null) and `seed` (user's seed or default).
+ *
+ * When no user seed is found, falls back to the built-in default seed and
+ * (if `warnOnFallback` is true) logs a warning so misconfiguration is visible
+ * during `astro dev`. Build/preview/sync stay silent so sites that
+ * intentionally use the default seed (e.g. the blank template) don't
+ * generate noisy logs.
  */
-export function generateSeedModule(projectRoot: string): string {
+export function generateSeedModule(projectRoot: string, warnOnFallback = false): string {
 	let userSeedJson: string | null = null;
 
 	// Try .emdash/seed.json
@@ -434,11 +445,30 @@ export function generateSeedModule(projectRoot: string): string {
 		}
 	}
 
+	// Try conventional seed/seed.json fallback
+	if (!userSeedJson) {
+		try {
+			const seedPath = resolve(projectRoot, "seed", "seed.json");
+			const content = readFileSync(seedPath, "utf-8");
+			JSON.parse(content); // validate
+			userSeedJson = content;
+		} catch {
+			// Not found
+		}
+	}
+
 	if (userSeedJson) {
 		return [`export const userSeed = ${userSeedJson};`, `export const seed = userSeed;`].join("\n");
 	}
 
-	// No user seed — inline the default
+	// No user seed — inline the default. Caller (the Vite plugin) gates this
+	// to dev-only so production builds stay quiet for sites that intentionally
+	// rely on the default seed.
+	if (warnOnFallback) {
+		console.warn(
+			"[emdash] No user seed found at .emdash/seed.json, package.json#emdash.seed, or seed/seed.json. Falling back to the built-in default seed; the setup wizard will not offer demo content for this site.",
+		);
+	}
 	return [
 		`export const userSeed = null;`,
 		`export const seed = ${JSON.stringify(defaultSeed)};`,

package/src/astro/integration/vite-config.ts

@@ -156,8 +156,13 @@ export interface VitePluginOptions {
 export function createVirtualModulesPlugin(options: VitePluginOptions): Plugin {
 	const { serializableConfig, resolvedConfig, pluginDescriptors, astroConfig } = options;
 
+	let viteCommand: "build" | "serve" | undefined;
+
 	return {
 		name: "emdash-virtual-modules",
+		configResolved(config) {
+			viteCommand = config.command;
+		},
 		resolveId(id: string) {
 			if (id === VIRTUAL_CONFIG_ID) {
 				return RESOLVED_VIRTUAL_CONFIG_ID;
@@ -259,7 +264,7 @@ export function createVirtualModulesPlugin(options: VitePluginOptions): Plugin {
 			// Generate seed module — embeds user seed or default at build time
 			if (id === RESOLVED_VIRTUAL_SEED_ID) {
 				const projectRoot = fileURLToPath(astroConfig.root);
-				return generateSeedModule(projectRoot);
+				return generateSeedModule(projectRoot, viteCommand === "serve");
 			}
 			// Generate wait-until module — re-exports cloudflare:workers'
 			// waitUntil under the Cloudflare adapter, undefined otherwise.

package/src/astro/middleware/auth.ts

@@ -32,7 +32,7 @@ import { resolveApiToken, resolveOAuthToken } from "../../api/handlers/api-token
 import { hasScope } from "../../auth/api-tokens.js";
 import { getAuthMode, type ExternalAuthMode } from "../../auth/mode.js";
 import type { ExternalAuthConfig } from "../../auth/types.js";
-import type { EmDashHandlers, EmDashManifest } from "../types.js";
+import type { EmDashHandlers } from "../types.js";
 import { buildEmDashCsp } from "./csp.js";
 
 declare global {
@@ -42,7 +42,6 @@ declare global {
 			/** Token scopes when authenticated via API token or OAuth token. Undefined for session auth. */
 			tokenScopes?: string[];
 			emdash?: EmDashHandlers;
-			emdashManifest?: EmDashManifest;
 		}
 		interface SessionData {
 			user: { id: string };
@@ -723,10 +722,14 @@ const SCOPE_RULES: Array<[prefix: string, method: string, scope: string]> = [
 	["/_emdash/api/schema", "WRITE", "schema:write"],
 
 	// Taxonomy, menu, section, widget, revision — all content domain
+	// GET uses content:read (implicit from taxonomies:read / menus:read via role).
+	// WRITE uses the granular scope so tokens with only taxonomies:manage or
+	// menus:manage are not rejected. content:write implicitly grants these via
+	// IMPLICIT_SCOPE_GRANTS in @emdash-cms/auth.
 	["/_emdash/api/taxonomies", "GET", "content:read"],
-	["/_emdash/api/taxonomies", "WRITE", "content:write"],
+	["/_emdash/api/taxonomies", "WRITE", "taxonomies:manage"],
 	["/_emdash/api/menus", "GET", "content:read"],
-	["/_emdash/api/menus", "WRITE", "content:write"],
+	["/_emdash/api/menus", "WRITE", "menus:manage"],
 	["/_emdash/api/sections", "GET", "content:read"],
 	["/_emdash/api/sections", "WRITE", "content:write"],
 	["/_emdash/api/widget-areas", "GET", "content:read"],
@@ -738,12 +741,16 @@ const SCOPE_RULES: Array<[prefix: string, method: string, scope: string]> = [
 	["/_emdash/api/search", "GET", "content:read"],
 	["/_emdash/api/search", "WRITE", "admin"],
 
-	// Import, admin, settings, plugins — all require admin scope
+	// Import, admin, plugins — all require admin scope
 	["/_emdash/api/import", "*", "admin"],
 	["/_emdash/api/admin", "*", "admin"],
-	["/_emdash/api/settings", "*", "admin"],
 	["/_emdash/api/plugins", "*", "admin"],
 
+	// Settings — use granular scopes so tokens with settings:read or
+	// settings:manage are not rejected at the middleware level.
+	["/_emdash/api/settings", "GET", "settings:read"],
+	["/_emdash/api/settings", "WRITE", "settings:manage"],
+
 	// MCP endpoint — scopes enforced per-tool inside mcp/server.ts
 	["/_emdash/api/mcp", "*", "content:read"],
 ];

package/src/astro/middleware/redirect.ts

@@ -17,10 +17,11 @@
 import { defineMiddleware } from "astro:middleware";
 
 import { RedirectRepository } from "../../database/repositories/redirect.js";
+import { getDb } from "../../loader.js";
 import {
-	getCachedPatternRules,
+	getCachedRedirects,
 	matchCachedPatterns,
-	setCachedPatternRules,
+	setCachedRedirects,
 } from "../../redirects/cache.js";
 
 /** Paths that should never be intercepted by redirects */
@@ -46,16 +47,34 @@ export const onRequest = defineMiddleware(async (context, next) => {
 		return next();
 	}
 
-	const { emdash } = context.locals;
-	if (!emdash?.db) {
-		return next();
+	// Public visitors hit the runtime's anonymous fast path, which intentionally
+	// omits `db` from `locals.emdash` to keep the public render boundary minimal
+	// (issue #808). Fall back to `getDb()`, which transparently returns the
+	// per-request scoped db (set in ALS by the runtime middleware) or the
+	// singleton — same path the loader and template helpers use.
+	let db = context.locals.emdash?.db;
+	if (!db) {
+		try {
+			db = await getDb();
+		} catch {
+			return next();
+		}
 	}
 
 	try {
-		const repo = new RedirectRepository(emdash.db);
+		const repo = new RedirectRepository(db);
+
+		// One query loads both exact and pattern rules into the cache; warm
+		// requests issue zero queries. Empty-redirect sites cache an empty
+		// Map + array, so the next request returns immediately without probing.
+		let cached = getCachedRedirects();
+		if (!cached) {
+			const all = await repo.findAllEnabled();
+			cached = setCachedRedirects(all);
+		}
 
-		// 1. Exact match (fast, indexed)
-		const exact = await repo.findExactMatch(pathname);
+		// 1. Exact match (O(1) Map lookup)
+		const exact = cached.exact.get(pathname);
 		if (exact) {
 			const dest = exact.destination;
 			if (dest.startsWith("//") || dest.startsWith("/\\")) return next();
@@ -64,14 +83,8 @@ export const onRequest = defineMiddleware(async (context, next) => {
 			return context.redirect(dest, code);
 		}
 
-		// 2. Pattern match (cached: compile once, match every request)
-		let rules = getCachedPatternRules();
-		if (!rules) {
-			const patterns = await repo.findEnabledPatternRules();
-			rules = setCachedPatternRules(patterns);
-		}
-
-		const patternMatch = matchCachedPatterns(rules, pathname);
+		// 2. Pattern match (compile once, match every request)
+		const patternMatch = matchCachedPatterns(cached.patterns, pathname);
 		if (patternMatch) {
 			const { redirect, destination } = patternMatch;
 			if (destination.startsWith("//") || destination.startsWith("/\\")) return next();

package/src/astro/middleware/request-context.ts

@@ -12,6 +12,8 @@
 
 import { defineMiddleware } from "astro:middleware";
 
+import { resolveSecretsCached } from "#config/secrets.js";
+
 import { verifyPreviewToken, parseContentId } from "../../preview/tokens.js";
 import { getRequestContext, runWithContext } from "../../request-context.js";
 import { renderToolbar } from "../../visual-editing/toolbar.js";
@@ -79,17 +81,25 @@ export const onRequest = defineMiddleware(async (context, next) => {
 	// eslint-disable-next-line typescript-eslint(no-unsafe-type-assertion) -- Astro context includes currentLocale when i18n is configured
 	const locale = (context as { currentLocale?: string }).currentLocale;
 
-	// Verify preview token if present
+	// Verify preview token if present.
+	// The preview secret is resolved via `resolveSecretsCached`: env wins,
+	// otherwise a DB-stored value is read (or generated on first need).
+	// `emdash.db` is set by the runtime middleware which runs first; the
+	// only path where it's missing is a runtime-init failure.
 	let preview: { collection: string; id: string } | undefined;
 	if (hasPreviewToken) {
-		const secret = import.meta.env.EMDASH_PREVIEW_SECRET || import.meta.env.PREVIEW_SECRET || "";
-
-		if (secret) {
-			const result = await verifyPreviewToken({ url, secret });
+		const db = context.locals.emdash?.db;
+		if (db) {
+			const { previewSecret } = await resolveSecretsCached(db);
+			const result = await verifyPreviewToken({ url, secret: previewSecret });
 			if (result.valid) {
 				const { collection, id } = parseContentId(result.payload.cid);
 				preview = { collection, id };
 			}
+		} else {
+			console.warn(
+				"[emdash] Preview token present but EmDash runtime not initialized; preview disabled.",
+			);
 		}
 	}