npm - emdash - Versions diffs - 0.8.0 → 0.10.0 - Mend

emdash 0.8.0 → 0.10.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (317) hide show

package/dist/{adapters-BKSf3T9R.d.mts → adapters-BktHA7EO.d.mts} +1 -1
package/dist/{adapters-BKSf3T9R.d.mts.map → adapters-BktHA7EO.d.mts.map} +1 -1
package/dist/{apply-x0eMK1lX.mjs → apply-UsrFuO7l.mjs} +207 -355
package/dist/apply-UsrFuO7l.mjs.map +1 -0
package/dist/astro/index.d.mts +6 -6
package/dist/astro/index.d.mts.map +1 -1
package/dist/astro/index.mjs +118 -4
package/dist/astro/index.mjs.map +1 -1
package/dist/astro/middleware/auth.d.mts +6 -7
package/dist/astro/middleware/auth.d.mts.map +1 -1
package/dist/astro/middleware/auth.mjs +14 -57
package/dist/astro/middleware/auth.mjs.map +1 -1
package/dist/astro/middleware/redirect.d.mts.map +1 -1
package/dist/astro/middleware/redirect.mjs +15 -10
package/dist/astro/middleware/redirect.mjs.map +1 -1
package/dist/astro/middleware/request-context.d.mts.map +1 -1
package/dist/astro/middleware/request-context.mjs +8 -5
package/dist/astro/middleware/request-context.mjs.map +1 -1
package/dist/astro/middleware/setup.mjs +1 -1
package/dist/astro/middleware.d.mts.map +1 -1
package/dist/astro/middleware.mjs +70 -121
package/dist/astro/middleware.mjs.map +1 -1
package/dist/astro/types.d.mts +25 -10
package/dist/astro/types.d.mts.map +1 -1
package/dist/{byline-Chbr2GoP.mjs → byline-C3vnhIpU.mjs} +4 -4
package/dist/{byline-Chbr2GoP.mjs.map → byline-C3vnhIpU.mjs.map} +1 -1
package/dist/bylines-esI7ioa9.mjs +113 -0
package/dist/bylines-esI7ioa9.mjs.map +1 -0
package/dist/cache-fTzxgMFJ.mjs +65 -0
package/dist/cache-fTzxgMFJ.mjs.map +1 -0
package/dist/{chunks-HGz06Soa.mjs → chunks-Da2-b-oA.mjs} +8 -2
package/dist/{chunks-HGz06Soa.mjs.map → chunks-Da2-b-oA.mjs.map} +1 -1
package/dist/cli/index.mjs +456 -90
package/dist/cli/index.mjs.map +1 -1
package/dist/client/cf-access.d.mts +1 -1
package/dist/client/index.d.mts +1 -1
package/dist/client/index.mjs +3 -3
package/dist/client/index.mjs.map +1 -1
package/dist/{config-BXwuX8Bx.mjs → config-CVssduLe.mjs} +1 -1
package/dist/{config-BXwuX8Bx.mjs.map → config-CVssduLe.mjs.map} +1 -1
package/dist/{content-BcQPYxdV.mjs → content-C7G4QXkK.mjs} +42 -14
package/dist/content-C7G4QXkK.mjs.map +1 -0
package/dist/db/index.d.mts +3 -3
package/dist/db/index.mjs +2 -2
package/dist/db/libsql.d.mts +1 -1
package/dist/db/libsql.d.mts.map +1 -1
package/dist/db/libsql.mjs +7 -2
package/dist/db/libsql.mjs.map +1 -1
package/dist/db/postgres.d.mts +1 -1
package/dist/db/sqlite.d.mts +1 -1
package/dist/db/sqlite.d.mts.map +1 -1
package/dist/db/sqlite.mjs +8 -3
package/dist/db/sqlite.mjs.map +1 -1
package/dist/{db-errors-l1Qh2RPR.mjs → db-errors-B7P2pSCn.mjs} +1 -1
package/dist/{db-errors-l1Qh2RPR.mjs.map → db-errors-B7P2pSCn.mjs.map} +1 -1
package/dist/{default-DCVqE5ib.mjs → default-pHuz9WF6.mjs} +1 -1
package/dist/{default-DCVqE5ib.mjs.map → default-pHuz9WF6.mjs.map} +1 -1
package/dist/{dialect-helpers-DhTzaUxP.mjs → dialect-helpers-BKCvISIQ.mjs} +19 -2
package/dist/dialect-helpers-BKCvISIQ.mjs.map +1 -0
package/dist/{error-zG5T1UGA.mjs → error-DqnRMM5z.mjs} +1 -1
package/dist/{error-zG5T1UGA.mjs.map → error-DqnRMM5z.mjs.map} +1 -1
package/dist/{index-DIb-CzNx.d.mts → index-DjPMOfO0.d.mts} +162 -87
package/dist/index-DjPMOfO0.d.mts.map +1 -0
package/dist/index.d.mts +11 -11
package/dist/index.mjs +27 -24
package/dist/{load-CyEoextb.mjs → load-sXRuM7Us.mjs} +2 -2
package/dist/{load-CyEoextb.mjs.map → load-sXRuM7Us.mjs.map} +1 -1
package/dist/{loader-CndGj8kM.mjs → loader-Bx2_9-5e.mjs} +53 -8
package/dist/loader-Bx2_9-5e.mjs.map +1 -0
package/dist/{manifest-schema-DH9xhc6t.mjs → manifest-schema-CXAbd1vH.mjs} +33 -3
package/dist/manifest-schema-CXAbd1vH.mjs.map +1 -0
package/dist/media/index.d.mts +1 -1
package/dist/media/index.mjs +1 -1
package/dist/media/local-runtime.d.mts +7 -7
package/dist/{mode-BnAOqItE.mjs → mode-YhqNVef_.mjs} +1 -1
package/dist/{mode-BnAOqItE.mjs.map → mode-YhqNVef_.mjs.map} +1 -1
package/dist/options-nPxWnrya.mjs +117 -0
package/dist/options-nPxWnrya.mjs.map +1 -0
package/dist/page/index.d.mts +2 -2
package/dist/{patterns-CrCYkMBb.mjs → patterns-DsUZ4uxI.mjs} +1 -1
package/dist/{patterns-CrCYkMBb.mjs.map → patterns-DsUZ4uxI.mjs.map} +1 -1
package/dist/{placeholder-D29tWZ7o.d.mts → placeholder-CDPtkelt.d.mts} +1 -1
package/dist/{placeholder-D29tWZ7o.d.mts.map → placeholder-CDPtkelt.d.mts.map} +1 -1
package/dist/{placeholder-C-fk5hYI.mjs → placeholder-Ci0RLeCk.mjs} +1 -1
package/dist/{placeholder-C-fk5hYI.mjs.map → placeholder-Ci0RLeCk.mjs.map} +1 -1
package/dist/plugins/adapt-sandbox-entry.d.mts +5 -5
package/dist/plugins/adapt-sandbox-entry.d.mts.map +1 -1
package/dist/plugins/adapt-sandbox-entry.mjs +6 -5
package/dist/plugins/adapt-sandbox-entry.mjs.map +1 -1
package/dist/public-url-B1AxbbbQ.mjs +51 -0
package/dist/public-url-B1AxbbbQ.mjs.map +1 -0
package/dist/{query-fqEdLFms.mjs → query-Bo-msrmu.mjs} +114 -16
package/dist/query-Bo-msrmu.mjs.map +1 -0
package/dist/{redirect-D_pshWdf.mjs → redirect-C5H7VGIX.mjs} +11 -6
package/dist/redirect-C5H7VGIX.mjs.map +1 -0
package/dist/{registry-C3Mr0ODu.mjs → registry-Beb7wxFc.mjs} +39 -5
package/dist/registry-Beb7wxFc.mjs.map +1 -0
package/dist/{request-cache-Ci7f5pBb.mjs → request-cache-C-tIpYIw.mjs} +1 -1
package/dist/{request-cache-Ci7f5pBb.mjs.map → request-cache-C-tIpYIw.mjs.map} +1 -1
package/dist/runner-Clwe4Mme.d.mts +44 -0
package/dist/runner-Clwe4Mme.d.mts.map +1 -0
package/dist/{runner-tQ7BJ4T7.mjs → runner-DMnlIkh4.mjs} +616 -191
package/dist/runner-DMnlIkh4.mjs.map +1 -0
package/dist/runtime.d.mts +6 -6
package/dist/runtime.mjs +2 -2
package/dist/{search-BoZYFuUk.mjs → search-DkN-BqsS.mjs} +270 -152
package/dist/search-DkN-BqsS.mjs.map +1 -0
package/dist/secrets-CZ8rxLX3.mjs +314 -0
package/dist/secrets-CZ8rxLX3.mjs.map +1 -0
package/dist/seed/index.d.mts +2 -2
package/dist/seed/index.mjs +13 -11
package/dist/seo/index.d.mts +1 -1
package/dist/storage/local.d.mts +1 -1
package/dist/storage/local.mjs +1 -1
package/dist/storage/s3.d.mts +1 -1
package/dist/storage/s3.mjs +1 -1
package/dist/taxonomies-CTtewrSQ.mjs +407 -0
package/dist/taxonomies-CTtewrSQ.mjs.map +1 -0
package/dist/taxonomy-DSxx2K2L.mjs +218 -0
package/dist/taxonomy-DSxx2K2L.mjs.map +1 -0
package/dist/{tokens-D9vnZqYS.mjs → tokens-CyRDPVW2.mjs} +1 -1
package/dist/{tokens-D9vnZqYS.mjs.map → tokens-CyRDPVW2.mjs.map} +1 -1
package/dist/{transaction-Cn2rjY78.mjs → transaction-D44LBXvU.mjs} +1 -1
package/dist/{transaction-Cn2rjY78.mjs.map → transaction-D44LBXvU.mjs.map} +1 -1
package/dist/{transport-CUnEL3Vs.d.mts → transport-DX_5rpsq.d.mts} +1 -1
package/dist/{transport-CUnEL3Vs.d.mts.map → transport-DX_5rpsq.d.mts.map} +1 -1
package/dist/{transport-C9ugt2Nr.mjs → transport-xpzIjCIB.mjs} +6 -5
package/dist/{transport-C9ugt2Nr.mjs.map → transport-xpzIjCIB.mjs.map} +1 -1
package/dist/{types-BrA0xf5I.d.mts → types-B_CXXnzh.d.mts} +1 -1
package/dist/{types-BrA0xf5I.d.mts.map → types-B_CXXnzh.d.mts.map} +1 -1
package/dist/{types-DIMwPFub.d.mts → types-C-aFbqmA.d.mts} +1 -1
package/dist/{types-DIMwPFub.d.mts.map → types-C-aFbqmA.d.mts.map} +1 -1
package/dist/types-CoO6mpV3.mjs +68 -0
package/dist/types-CoO6mpV3.mjs.map +1 -0
package/dist/{types-i36XcA_X.d.mts → types-D19uBYWn.d.mts} +83 -7
package/dist/types-D19uBYWn.d.mts.map +1 -0
package/dist/{types-BmPPSUEx.d.mts → types-Dl1fgFjn.d.mts} +24 -2
package/dist/{types-BmPPSUEx.d.mts.map → types-Dl1fgFjn.d.mts.map} +1 -1
package/dist/{types-CS8FIX7L.d.mts → types-Dtx1mSMX.d.mts} +9 -1
package/dist/types-Dtx1mSMX.d.mts.map +1 -0
package/dist/{types-Bm1dn-q3.mjs → types-Eg829jj9.mjs} +1 -1
package/dist/{types-Bm1dn-q3.mjs.map → types-Eg829jj9.mjs.map} +1 -1
package/dist/{types-CgqmmMJB.mjs → types-K-EkEQCI.mjs} +1 -1
package/dist/{types-CgqmmMJB.mjs.map → types-K-EkEQCI.mjs.map} +1 -1
package/dist/{validate-CxVsLehf.mjs → validate-CBIbxM3L.mjs} +14 -10
package/dist/validate-CBIbxM3L.mjs.map +1 -0
package/dist/{validate-DHxmpFJt.d.mts → validate-DHGwADqO.d.mts} +18 -5
package/dist/validate-DHGwADqO.d.mts.map +1 -0
package/dist/{validation-C-ZpN2GI.mjs → validation-B1NYiEos.mjs} +6 -6
package/dist/{validation-C-ZpN2GI.mjs.map → validation-B1NYiEos.mjs.map} +1 -1
package/dist/version-CMD42IRC.mjs +7 -0
package/dist/{version-Bbq8TCrz.mjs.map → version-CMD42IRC.mjs.map} +1 -1
package/dist/{zod-generator-CpwccCIv.mjs → zod-generator-BNJDQBSZ.mjs} +11 -6
package/dist/{zod-generator-CpwccCIv.mjs.map → zod-generator-BNJDQBSZ.mjs.map} +1 -1
package/locals.d.ts +1 -6
package/package.json +9 -8
package/src/api/handlers/comments.ts +6 -4
package/src/api/handlers/content.ts +40 -1
package/src/api/handlers/dashboard.ts +29 -36
package/src/api/handlers/device-flow.ts +5 -0
package/src/api/handlers/marketplace.ts +11 -4
package/src/api/handlers/menus.ts +256 -75
package/src/api/handlers/oauth-authorization.ts +72 -33
package/src/api/handlers/revision.ts +23 -14
package/src/api/handlers/taxonomies.ts +273 -100
package/src/api/public-url.ts +48 -2
package/src/api/schemas/comments.ts +2 -2
package/src/api/schemas/common.ts +7 -0
package/src/api/schemas/content.ts +17 -0
package/src/api/schemas/menus.ts +23 -0
package/src/api/schemas/sections.ts +3 -3
package/src/api/schemas/taxonomies.ts +39 -0
package/src/api/schemas/users.ts +1 -1
package/src/api/types.ts +5 -1
package/src/astro/integration/index.ts +17 -0
package/src/astro/integration/routes.ts +10 -0
package/src/astro/integration/runtime.ts +30 -0
package/src/astro/integration/virtual-modules.ts +32 -2
package/src/astro/integration/vite-config.ts +6 -1
package/src/astro/middleware/auth.ts +13 -6
package/src/astro/middleware/redirect.ts +29 -16
package/src/astro/middleware/request-context.ts +15 -5
package/src/astro/middleware.ts +23 -9
package/src/astro/routes/api/auth/invite/complete.ts +6 -1
package/src/astro/routes/api/auth/passkey/register/verify.ts +6 -1
package/src/astro/routes/api/auth/passkey/verify.ts +6 -1
package/src/astro/routes/api/auth/signup/complete.ts +6 -1
package/src/astro/routes/api/comments/[collection]/[contentId]/index.ts +2 -2
package/src/astro/routes/api/content/[collection]/[id]/discard-draft.ts +4 -2
package/src/astro/routes/api/content/[collection]/[id]/permanent.ts +1 -1
package/src/astro/routes/api/content/[collection]/[id]/preview-url.ts +34 -12
package/src/astro/routes/api/content/[collection]/[id]/publish.ts +32 -2
package/src/astro/routes/api/content/[collection]/[id]/restore.ts +4 -2
package/src/astro/routes/api/content/[collection]/[id]/revisions.ts +3 -2
package/src/astro/routes/api/content/[collection]/[id]/terms/[taxonomy].ts +8 -4
package/src/astro/routes/api/content/[collection]/[id].ts +12 -0
package/src/astro/routes/api/import/wordpress/execute.ts +3 -1
package/src/astro/routes/api/import/wordpress/prepare.ts +7 -8
package/src/astro/routes/api/import/wordpress/rewrite-url-helpers.ts +196 -0
package/src/astro/routes/api/import/wordpress/rewrite-urls.ts +9 -177
package/src/astro/routes/api/import/wordpress-plugin/execute.ts +3 -1
package/src/astro/routes/api/manifest.ts +62 -45
package/src/astro/routes/api/media/[id]/confirm.ts +10 -1
package/src/astro/routes/api/media/providers/[providerId]/index.ts +12 -3
package/src/astro/routes/api/menus/[name]/items.ts +16 -6
package/src/astro/routes/api/menus/[name]/reorder.ts +8 -3
package/src/astro/routes/api/menus/[name]/translations.ts +82 -0
package/src/astro/routes/api/menus/[name].ts +19 -10
package/src/astro/routes/api/menus/index.ts +9 -6
package/src/astro/routes/api/openapi.json.ts +27 -10
package/src/astro/routes/api/redirects/404s/index.ts +10 -4
package/src/astro/routes/api/redirects/404s/summary.ts +4 -2
package/src/astro/routes/api/redirects/[id].ts +10 -4
package/src/astro/routes/api/redirects/index.ts +7 -3
package/src/astro/routes/api/revisions/[revisionId]/index.ts +1 -1
package/src/astro/routes/api/schema/collections/[slug]/fields/[fieldSlug].ts +0 -2
package/src/astro/routes/api/schema/collections/[slug]/fields/index.ts +0 -1
package/src/astro/routes/api/schema/collections/[slug]/fields/reorder.ts +0 -1
package/src/astro/routes/api/schema/collections/[slug]/index.ts +2 -2
package/src/astro/routes/api/schema/collections/index.ts +1 -1
package/src/astro/routes/api/search/index.ts +10 -2
package/src/astro/routes/api/sections/[slug].ts +10 -4
package/src/astro/routes/api/sections/index.ts +7 -3
package/src/astro/routes/api/setup/admin-verify.ts +6 -1
package/src/astro/routes/api/snapshot.ts +44 -18
package/src/astro/routes/api/taxonomies/[name]/terms/[slug]/translations.ts +89 -0
package/src/astro/routes/api/taxonomies/[name]/terms/[slug].ts +22 -22
package/src/astro/routes/api/taxonomies/[name]/terms/index.ts +11 -14
package/src/astro/routes/api/taxonomies/index.ts +9 -7
package/src/astro/routes/api/themes/preview.ts +11 -5
package/src/astro/types.ts +23 -3
package/src/auth/allowed-origins.ts +168 -0
package/src/auth/passkey-config.ts +35 -13
package/src/bylines/index.ts +37 -88
package/src/cli/commands/auth.ts +28 -6
package/src/cli/commands/bundle-utils.ts +11 -2
package/src/cli/commands/bundle.ts +28 -8
package/src/cli/commands/content.ts +13 -0
package/src/cli/commands/export-seed.ts +82 -21
package/src/cli/commands/login.ts +8 -1
package/src/cli/commands/plugin-init.ts +216 -90
package/src/cli/commands/publish.ts +24 -0
package/src/cli/commands/secrets.ts +183 -0
package/src/cli/credentials.ts +1 -1
package/src/cli/index.ts +5 -1
package/src/client/index.ts +4 -4
package/src/client/transport.ts +17 -7
package/src/components/Break.astro +2 -2
package/src/components/EmDashHead.astro +18 -13
package/src/components/Embed.astro +1 -1
package/src/components/Gallery.astro +1 -1
package/src/components/Image.astro +1 -1
package/src/components/InlinePortableTextEditor.tsx +104 -18
package/src/config/secrets.ts +528 -0
package/src/database/dialect-helpers.ts +50 -0
package/src/database/migrations/034_published_at_index.ts +1 -1
package/src/database/migrations/035_bounded_404_log.ts +56 -39
package/src/database/migrations/036_i18n_menus_and_taxonomies.ts +477 -0
package/src/database/migrations/runner.ts +158 -23
package/src/database/repositories/content.ts +47 -12
package/src/database/repositories/redirect.ts +14 -3
package/src/database/repositories/taxonomy.ts +212 -82
package/src/database/types.ts +10 -2
package/src/db/libsql.ts +1 -3
package/src/db/sqlite.ts +2 -5
package/src/emdash-runtime.ts +84 -159
package/src/i18n/resolve.ts +37 -0
package/src/index.ts +9 -0
package/src/loader.ts +73 -3
package/src/mcp/server.ts +180 -54
package/src/menus/index.ts +143 -124
package/src/menus/types.ts +15 -1
package/src/page/site-identity.ts +58 -0
package/src/plugins/adapt-sandbox-entry.ts +22 -10
package/src/plugins/context.ts +13 -10
package/src/plugins/define-plugin.ts +40 -12
package/src/plugins/hooks.ts +23 -19
package/src/plugins/index.ts +9 -0
package/src/plugins/manifest-schema.ts +37 -2
package/src/plugins/types.ts +151 -11
package/src/preview/urls.ts +23 -3
package/src/query.ts +148 -5
package/src/redirects/cache.ts +38 -18
package/src/schema/registry.ts +56 -0
package/src/schema/zod-generator.ts +39 -7
package/src/seed/apply.ts +142 -54
package/src/seed/types.ts +14 -1
package/src/seed/validate.ts +27 -13
package/src/settings/index.ts +80 -6
package/src/settings/types.ts +23 -1
package/src/taxonomies/index.ts +237 -210
package/src/taxonomies/types.ts +10 -0
package/dist/apply-x0eMK1lX.mjs.map +0 -1
package/dist/bylines-CRNsVG88.mjs +0 -157
package/dist/bylines-CRNsVG88.mjs.map +0 -1
package/dist/cache-BkKBuIvS.mjs +0 -56
package/dist/cache-BkKBuIvS.mjs.map +0 -1
package/dist/chunk-ClPoSABd.mjs +0 -21
package/dist/content-BcQPYxdV.mjs.map +0 -1
package/dist/dialect-helpers-DhTzaUxP.mjs.map +0 -1
package/dist/index-DIb-CzNx.d.mts.map +0 -1
package/dist/loader-CndGj8kM.mjs.map +0 -1
package/dist/manifest-schema-DH9xhc6t.mjs.map +0 -1
package/dist/query-fqEdLFms.mjs.map +0 -1
package/dist/redirect-D_pshWdf.mjs.map +0 -1
package/dist/registry-C3Mr0ODu.mjs.map +0 -1
package/dist/runner-OURCaApa.d.mts +0 -34
package/dist/runner-OURCaApa.d.mts.map +0 -1
package/dist/runner-tQ7BJ4T7.mjs.map +0 -1
package/dist/search-BoZYFuUk.mjs.map +0 -1
package/dist/taxonomies-B4IAshV8.mjs +0 -308
package/dist/taxonomies-B4IAshV8.mjs.map +0 -1
package/dist/types-CS8FIX7L.d.mts.map +0 -1
package/dist/types-i36XcA_X.d.mts.map +0 -1
package/dist/validate-CxVsLehf.mjs.map +0 -1
package/dist/validate-DHxmpFJt.d.mts.map +0 -1
package/dist/version-Bbq8TCrz.mjs +0 -7

package/src/astro/routes/api/snapshot.ts CHANGED Viewed

@@ -7,6 +7,7 @@
  * - Excludes auth/user/session/token tables
  */
+import type { User } from "@emdash-cms/auth";
 import type { APIRoute } from "astro";
 import { requirePerm } from "#api/authorize.js";
@@ -17,11 +18,31 @@ import {
 	verifyPreviewSignature,
 } from "#api/handlers/snapshot.js";
 import { getPublicOrigin } from "#api/public-url.js";
+import { resolveSecretsCached } from "#config/secrets.js";
 export const prerender = false;
-export const GET: APIRoute = async ({ request, locals, url }) => {
-	const { emdash, user } = locals;
+export const GET: APIRoute = async ({ request, locals, url, session }) => {
+	const { emdash } = locals;
+	// This route is in PUBLIC_API_EXACT (for preview-signature callers with no session),
+	// so auth middleware skips user resolution. Manually resolve the session user here
+	// to support session-authenticated admin users alongside preview-signature auth.
+	let user: User | undefined = (locals as { user?: User }).user;
+	if (!user && session && emdash?.db) {
+		try {
+			const { createKyselyAdapter } = await import("@emdash-cms/auth/adapters/kysely");
+			const sessionUser = await session.get("user");
+			if (sessionUser?.id) {
+				const adapter = createKyselyAdapter(emdash.db);
+				const resolved = await adapter.getUserById(sessionUser.id);
+				if (resolved && !resolved.disabled) {
+					user = resolved;
+				}
+			}
+		} catch {
+			// Session resolution failed, continue to preview-signature check
+		}
+	}
 	if (!emdash?.db) {
 		return apiError("NOT_CONFIGURED", "EmDash is not initialized", 500);
@@ -32,24 +53,29 @@ export const GET: APIRoute = async ({ request, locals, url }) => {
 	let authorized = false;
 	if (previewSig) {
-		const secret = import.meta.env.EMDASH_PREVIEW_SECRET || import.meta.env.PREVIEW_SECRET || "";
-		if (!secret) {
-			console.warn(
-				"[snapshot] X-Preview-Signature header present but no PREVIEW_SECRET configured",
-			);
+		// Resolves env override or DB-stored value. Always non-empty after
+		// resolution, so the signature path is never silently disabled.
+		// Note: a signing process without access to this database (e.g. a
+		// remote preview Worker) must set the same `EMDASH_PREVIEW_SECRET`
+		// env var on both sides.
+		const { previewSecret: secret, previewSecretSource } = await resolveSecretsCached(emdash.db);
+		const parsed = parsePreviewSignatureHeader(previewSig);
+		if (!parsed) {
+			console.warn("[snapshot] Failed to parse X-Preview-Signature header");
 		} else {
-			const parsed = parsePreviewSignatureHeader(previewSig);
-			if (!parsed) {
-				console.warn("[snapshot] Failed to parse X-Preview-Signature header");
-			} else {
-				authorized = await verifyPreviewSignature(parsed.source, parsed.exp, parsed.sig, secret);
-				if (!authorized) {
-					console.warn("[snapshot] Preview signature verification failed", {
-						source: parsed.source,
-						exp: parsed.exp,
-						expired: parsed.exp < Date.now() / 1000,
-					});
+			authorized = await verifyPreviewSignature(parsed.source, parsed.exp, parsed.sig, secret);
+			if (!authorized) {
+				const fields: Record<string, unknown> = {
+					source: parsed.source,
+					exp: parsed.exp,
+					expired: parsed.exp < Date.now() / 1000,
+					secretSource: previewSecretSource,
+				};
+				if (previewSecretSource === "db") {
+					fields.hint =
+						"Set EMDASH_PREVIEW_SECRET in both this process and the signing process to share secrets across deployments";
 				}
+				console.warn("[snapshot] Preview signature verification failed", fields);
 			}
 		}
 	}

package/src/astro/routes/api/taxonomies/[name]/terms/[slug]/translations.ts ADDED Viewed

@@ -0,0 +1,89 @@
+/**
+ * Term translation endpoints
+ *
+ * GET  /_emdash/api/taxonomies/:name/terms/:slug/translations[?locale=xx]
+ * POST /_emdash/api/taxonomies/:name/terms/:slug/translations
+ *    body: { locale, label?, slug? }
+ */
+import type { APIRoute } from "astro";
+import { z } from "zod";
+import { requirePerm } from "#api/authorize.js";
+import { apiError, handleError, requireDb, unwrapResult } from "#api/error.js";
+import {
+	handleTermCreate,
+	handleTermGet,
+	handleTermTranslations,
+} from "#api/handlers/taxonomies.js";
+import { isParseError, parseBody, parseQuery } from "#api/parse.js";
+import { localeFilterQuery } from "#api/schemas.js";
+export const prerender = false;
+const createTermTranslationBody = z
+	.object({
+		locale: z.string().min(1),
+		label: z.string().min(1).optional(),
+		slug: z.string().min(1).optional(),
+	})
+	.meta({ id: "CreateTermTranslationBody" });
+export const GET: APIRoute = async ({ params, request, locals }) => {
+	const { emdash, user } = locals;
+	const { name, slug } = params;
+	if (!name || !slug) return apiError("VALIDATION_ERROR", "Taxonomy name and slug required", 400);
+	const dbErr = requireDb(emdash?.db);
+	if (dbErr) return dbErr;
+	const denied = requirePerm(user, "taxonomies:read");
+	if (denied) return denied;
+	const query = parseQuery(new URL(request.url), localeFilterQuery);
+	if (isParseError(query)) return query;
+	try {
+		const anchor = await handleTermGet(emdash.db, name, slug, { locale: query.locale });
+		if (!anchor.success) return unwrapResult(anchor);
+		const result = await handleTermTranslations(emdash.db, anchor.data.term.id);
+		return unwrapResult(result);
+	} catch (error) {
+		return handleError(error, "Failed to list term translations", "TERM_TRANSLATIONS_ERROR");
+	}
+};
+export const POST: APIRoute = async ({ params, request, locals }) => {
+	const { emdash, user } = locals;
+	const { name, slug } = params;
+	if (!name || !slug) return apiError("VALIDATION_ERROR", "Taxonomy name and slug required", 400);
+	const dbErr = requireDb(emdash?.db);
+	if (dbErr) return dbErr;
+	const denied = requirePerm(user, "taxonomies:manage");
+	if (denied) return denied;
+	const query = parseQuery(new URL(request.url), localeFilterQuery);
+	if (isParseError(query)) return query;
+	try {
+		const body = await parseBody(request, createTermTranslationBody);
+		if (isParseError(body)) return body;
+		const source = await handleTermGet(emdash.db, name, slug, { locale: query.locale });
+		if (!source.success) return unwrapResult(source);
+		const result = await handleTermCreate(emdash.db, name, {
+			slug: body.slug ?? source.data.term.slug,
+			label: body.label ?? source.data.term.label,
+			parentId: source.data.term.parentId,
+			description: source.data.term.description,
+			locale: body.locale,
+			translationOf: source.data.term.id,
+		});
+		return unwrapResult(result, 201);
+	} catch (error) {
+		return handleError(error, "Failed to create term translation", "TERM_TRANSLATION_CREATE_ERROR");
+	}
+};

package/src/astro/routes/api/taxonomies/[name]/terms/[slug].ts CHANGED Viewed

@@ -1,9 +1,9 @@
 /**
  * Single term endpoint
  *
- * GET /_emdash/api/taxonomies/:name/terms/:slug - Get a single term
- * PUT /_emdash/api/taxonomies/:name/terms/:slug - Update a term
- * DELETE /_emdash/api/taxonomies/:name/terms/:slug - Delete a term
+ * GET    /_emdash/api/taxonomies/:name/terms/:slug[?locale=xx]
+ * PUT    /_emdash/api/taxonomies/:name/terms/:slug[?locale=xx]
+ * DELETE /_emdash/api/taxonomies/:name/terms/:slug[?locale=xx]
  */
 import type { APIRoute } from "astro";
@@ -11,21 +11,18 @@ import type { APIRoute } from "astro";
 import { requirePerm } from "#api/authorize.js";
 import { apiError, handleError, requireDb, unwrapResult } from "#api/error.js";
 import { handleTermDelete, handleTermGet, handleTermUpdate } from "#api/handlers/taxonomies.js";
-import { isParseError, parseBody } from "#api/parse.js";
-import { updateTermBody } from "#api/schemas.js";
+import { isParseError, parseBody, parseQuery } from "#api/parse.js";
+import { localeFilterQuery, updateTermBody } from "#api/schemas.js";
 export const prerender = false;
 /**
  * Get a single term
  */
-export const GET: APIRoute = async ({ params, locals }) => {
+export const GET: APIRoute = async ({ params, request, locals }) => {
 	const { emdash, user } = locals;
 	const { name, slug } = params;
-	if (!name || !slug) {
-		return apiError("VALIDATION_ERROR", "Taxonomy name and slug required", 400);
-	}
+	if (!name || !slug) return apiError("VALIDATION_ERROR", "Taxonomy name and slug required", 400);
 	const dbErr = requireDb(emdash?.db);
 	if (dbErr) return dbErr;
@@ -33,8 +30,11 @@ export const GET: APIRoute = async ({ params, locals }) => {
 	const denied = requirePerm(user, "taxonomies:read");
 	if (denied) return denied;
+	const query = parseQuery(new URL(request.url), localeFilterQuery);
+	if (isParseError(query)) return query;
 	try {
-		const result = await handleTermGet(emdash.db, name, slug);
+		const result = await handleTermGet(emdash.db, name, slug, { locale: query.locale });
 		return unwrapResult(result);
 	} catch (error) {
 		return handleError(error, "Failed to get term", "TERM_GET_ERROR");
@@ -47,10 +47,7 @@ export const GET: APIRoute = async ({ params, locals }) => {
 export const PUT: APIRoute = async ({ params, request, locals }) => {
 	const { emdash, user } = locals;
 	const { name, slug } = params;
-	if (!name || !slug) {
-		return apiError("VALIDATION_ERROR", "Taxonomy name and slug required", 400);
-	}
+	if (!name || !slug) return apiError("VALIDATION_ERROR", "Taxonomy name and slug required", 400);
 	const dbErr = requireDb(emdash?.db);
 	if (dbErr) return dbErr;
@@ -58,11 +55,14 @@ export const PUT: APIRoute = async ({ params, request, locals }) => {
 	const denied = requirePerm(user, "taxonomies:manage");
 	if (denied) return denied;
+	const query = parseQuery(new URL(request.url), localeFilterQuery);
+	if (isParseError(query)) return query;
 	try {
 		const body = await parseBody(request, updateTermBody);
 		if (isParseError(body)) return body;
-		const result = await handleTermUpdate(emdash.db, name, slug, body);
+		const result = await handleTermUpdate(emdash.db, name, slug, body, { locale: query.locale });
 		return unwrapResult(result);
 	} catch (error) {
 		return handleError(error, "Failed to update term", "TERM_UPDATE_ERROR");
@@ -72,13 +72,10 @@ export const PUT: APIRoute = async ({ params, request, locals }) => {
 /**
  * Delete a term
  */
-export const DELETE: APIRoute = async ({ params, locals }) => {
+export const DELETE: APIRoute = async ({ params, request, locals }) => {
 	const { emdash, user } = locals;
 	const { name, slug } = params;
-	if (!name || !slug) {
-		return apiError("VALIDATION_ERROR", "Taxonomy name and slug required", 400);
-	}
+	if (!name || !slug) return apiError("VALIDATION_ERROR", "Taxonomy name and slug required", 400);
 	const dbErr = requireDb(emdash?.db);
 	if (dbErr) return dbErr;
@@ -86,8 +83,11 @@ export const DELETE: APIRoute = async ({ params, locals }) => {
 	const denied = requirePerm(user, "taxonomies:manage");
 	if (denied) return denied;
+	const query = parseQuery(new URL(request.url), localeFilterQuery);
+	if (isParseError(query)) return query;
 	try {
-		const result = await handleTermDelete(emdash.db, name, slug);
+		const result = await handleTermDelete(emdash.db, name, slug, { locale: query.locale });
 		return unwrapResult(result);
 	} catch (error) {
 		return handleError(error, "Failed to delete term", "TERM_DELETE_ERROR");

package/src/astro/routes/api/taxonomies/[name]/terms/index.ts CHANGED Viewed

@@ -1,8 +1,8 @@
 /**
  * Taxonomy terms list and create endpoint
  *
- * GET /_emdash/api/taxonomies/:name/terms - List all terms (tree for hierarchical)
- * POST /_emdash/api/taxonomies/:name/terms - Create a new term
+ * GET  /_emdash/api/taxonomies/:name/terms[?locale=xx] - List terms (tree for hierarchical)
+ * POST /_emdash/api/taxonomies/:name/terms              - Create a new term (body may include locale & translationOf)
  */
 import type { APIRoute } from "astro";
@@ -10,21 +10,18 @@ import type { APIRoute } from "astro";
 import { requirePerm } from "#api/authorize.js";
 import { apiError, handleError, requireDb, unwrapResult } from "#api/error.js";
 import { handleTermCreate, handleTermList } from "#api/handlers/taxonomies.js";
-import { isParseError, parseBody } from "#api/parse.js";
-import { createTermBody } from "#api/schemas.js";
+import { isParseError, parseBody, parseQuery } from "#api/parse.js";
+import { createTermBody, localeFilterQuery } from "#api/schemas.js";
 export const prerender = false;
 /**
  * List all terms for a taxonomy
  */
-export const GET: APIRoute = async ({ params, locals }) => {
+export const GET: APIRoute = async ({ params, request, locals }) => {
 	const { emdash, user } = locals;
 	const { name } = params;
-	if (!name) {
-		return apiError("VALIDATION_ERROR", "Taxonomy name required", 400);
-	}
+	if (!name) return apiError("VALIDATION_ERROR", "Taxonomy name required", 400);
 	const dbErr = requireDb(emdash?.db);
 	if (dbErr) return dbErr;
@@ -32,8 +29,11 @@ export const GET: APIRoute = async ({ params, locals }) => {
 	const denied = requirePerm(user, "taxonomies:read");
 	if (denied) return denied;
+	const query = parseQuery(new URL(request.url), localeFilterQuery);
+	if (isParseError(query)) return query;
 	try {
-		const result = await handleTermList(emdash.db, name);
+		const result = await handleTermList(emdash.db, name, { locale: query.locale });
 		return unwrapResult(result);
 	} catch (error) {
 		return handleError(error, "Failed to list terms", "TERM_LIST_ERROR");
@@ -46,10 +46,7 @@ export const GET: APIRoute = async ({ params, locals }) => {
 export const POST: APIRoute = async ({ params, request, locals }) => {
 	const { emdash, user } = locals;
 	const { name } = params;
-	if (!name) {
-		return apiError("VALIDATION_ERROR", "Taxonomy name required", 400);
-	}
+	if (!name) return apiError("VALIDATION_ERROR", "Taxonomy name required", 400);
 	const dbErr = requireDb(emdash?.db);
 	if (dbErr) return dbErr;

package/src/astro/routes/api/taxonomies/index.ts CHANGED Viewed

@@ -1,8 +1,8 @@
 /**
  * Taxonomy definitions endpoint
  *
- * GET  /_emdash/api/taxonomies - List all taxonomy definitions
- * POST /_emdash/api/taxonomies - Create a custom taxonomy definition
+ * GET  /_emdash/api/taxonomies[?locale=xx] - List taxonomy definitions
+ * POST /_emdash/api/taxonomies              - Create a custom taxonomy definition
  */
 import type { APIRoute } from "astro";
@@ -10,15 +10,15 @@ import type { APIRoute } from "astro";
 import { requirePerm } from "#api/authorize.js";
 import { handleError, requireDb, unwrapResult } from "#api/error.js";
 import { handleTaxonomyCreate, handleTaxonomyList } from "#api/handlers/taxonomies.js";
-import { isParseError, parseBody } from "#api/parse.js";
-import { createTaxonomyDefBody } from "#api/schemas.js";
+import { isParseError, parseBody, parseQuery } from "#api/parse.js";
+import { createTaxonomyDefBody, localeFilterQuery } from "#api/schemas.js";
 export const prerender = false;
 /**
  * List taxonomy definitions
  */
-export const GET: APIRoute = async ({ locals }) => {
+export const GET: APIRoute = async ({ request, locals }) => {
 	const { emdash, user } = locals;
 	const dbErr = requireDb(emdash?.db);
@@ -27,8 +27,11 @@ export const GET: APIRoute = async ({ locals }) => {
 	const denied = requirePerm(user, "taxonomies:read");
 	if (denied) return denied;
+	const query = parseQuery(new URL(request.url), localeFilterQuery);
+	if (isParseError(query)) return query;
 	try {
-		const result = await handleTaxonomyList(emdash.db);
+		const result = await handleTaxonomyList(emdash.db, { locale: query.locale });
 		return unwrapResult(result);
 	} catch (error) {
 		return handleError(error, "Failed to list taxonomies", "TAXONOMY_LIST_ERROR");
@@ -52,7 +55,6 @@ export const POST: APIRoute = async ({ request, locals }) => {
 		if (isParseError(body)) return body;
 		const result = await handleTaxonomyCreate(emdash.db, body);
-		if (result.success) emdash.invalidateManifest();
 		return unwrapResult(result, 201);
 	} catch (error) {
 		return handleError(error, "Failed to create taxonomy", "TAXONOMY_CREATE_ERROR");

package/src/astro/routes/api/themes/preview.ts CHANGED Viewed

@@ -4,7 +4,13 @@
  * POST /_emdash/api/themes/preview
  *
  * Generates a signed preview URL for the "Try with my data" feature.
- * The PREVIEW_SECRET must be set in the environment (shared with preview Workers).
+ *
+ * Uses the resolved preview secret: env override (`EMDASH_PREVIEW_SECRET`)
+ * wins, otherwise an auto-generated stable per-site value persisted in the
+ * options table is used. Processes that share the same database converge on
+ * the same auto-generated value; only set `EMDASH_PREVIEW_SECRET` in both
+ * processes when the verifying side runs without access to the EmDash DB
+ * (e.g. a remote preview Worker).
  */
 import type { APIRoute } from "astro";
@@ -12,6 +18,7 @@ import type { APIRoute } from "astro";
 import { requirePerm } from "#api/authorize.js";
 import { apiError, apiSuccess } from "#api/error.js";
 import { getPublicOrigin } from "#api/public-url.js";
+import { resolveSecretsCached } from "#config/secrets.js";
 export const prerender = false;
@@ -25,10 +32,9 @@ export const POST: APIRoute = async ({ request, url, locals }) => {
 	const denied = requirePerm(user, "plugins:read");
 	if (denied) return denied;
-	const secret = import.meta.env.EMDASH_PREVIEW_SECRET || import.meta.env.PREVIEW_SECRET || "";
-	if (!secret) {
-		return apiError("NOT_CONFIGURED", "PREVIEW_SECRET is not configured", 500);
-	}
+	// Always non-empty after resolution; env override wins, otherwise a
+	// stable DB-stored value is used.
+	const { previewSecret: secret } = await resolveSecretsCached(emdash.db);
 	let body: { previewUrl: string };
 	try {

package/src/astro/types.ts CHANGED Viewed

@@ -228,6 +228,15 @@ export interface EmDashHandlers {
 			slug?: string;
 			status?: string;
 			authorId?: string | null;
+			bylines?: Array<{ bylineId: string; roleLabel?: string | null }>;
+			seo?: {
+				title?: string | null;
+				description?: string | null;
+				image?: string | null;
+				canonical?: string | null;
+				noIndex?: boolean;
+			};
+			publishedAt?: string | null;
 			_rev?: string;
 		},
 	) => Promise<HandlerResponse>;
@@ -255,7 +264,11 @@ export interface EmDashHandlers {
 	) => Promise<HandlerResponse>;
 	// Publishing & Scheduling handlers
-	handleContentPublish: (collection: string, id: string) => Promise<HandlerResponse>;
+	handleContentPublish: (
+		collection: string,
+		id: string,
+		options?: { publishedAt?: string },
+	) => Promise<HandlerResponse>;
 	handleContentUnpublish: (collection: string, id: string) => Promise<HandlerResponse>;
@@ -362,8 +375,15 @@ export interface EmDashHandlers {
 	// Configuration (for checking database type, auth mode, etc.)
 	config: import("./integration/runtime.js").EmDashConfig;
-	// Manifest invalidation (call after schema changes)
-	invalidateManifest: () => void;
+	// Build the admin manifest from the live database. Only used by admin
+	// routes; logged-out requests don't need it. Per-request, deduplicated
+	// by `requestCached`.
+	getManifest: () => Promise<EmDashManifest>;
+	// Clear the cached URL patterns used by `resolveEmDashPath`. Call after
+	// any schema mutation that creates/updates/deletes a collection's
+	// `urlPattern` so public routing picks up the change immediately.
+	invalidateUrlPatternCache: () => void;
 	// Sandbox runner (for marketplace plugin install/update)
 	getSandboxRunner: () => import("../plugins/sandbox/types.js").SandboxRunner | null;

package/src/auth/allowed-origins.ts ADDED Viewed

@@ -0,0 +1,168 @@
+/**
+ * Resolution and validation of multi-origin passkey verification.
+ *
+ * `allowedOrigins` lets one EmDash deployment accept passkey assertions from
+ * several hostnames sharing the same `rpId` (e.g. apex + preview/staging
+ * subdomains under one registrable parent). Origins come from two sources:
+ *
+ *   - `EmDashConfig.allowedOrigins` (declared in `astro.config.mjs`)
+ *   - `EMDASH_ALLOWED_ORIGINS` (comma-separated runtime env var)
+ *
+ * Sources are merged (union of permissions, deduplicated). Each entry is
+ * validated against `siteUrl` to fail loud on dead config the browser would
+ * never honor.
+ */
+import { getEnvAllowedOrigins } from "../api/public-url.js";
+import type { EmDashConfig } from "../astro/integration/runtime.js";
+export type AllowedOriginSource = "config.allowedOrigins" | "EMDASH_ALLOWED_ORIGINS";
+export interface TaggedOrigin {
+	/** Raw entry as declared by the operator. */
+	origin: string;
+	/** Where the entry came from (used for source-attributed errors). */
+	source: AllowedOriginSource;
+}
+/**
+ * Collect raw allowedOrigins from config and env, source-tagged.
+ *
+ * Returns raw values — the caller is expected to pass the result through
+ * `validateAllowedOrigins()` before use in passkey verification.
+ */
+export function getConfiguredAllowedOrigins(config?: EmDashConfig): TaggedOrigin[] {
+	const tagged: TaggedOrigin[] = [];
+	if (config?.allowedOrigins) {
+		for (const origin of config.allowedOrigins) {
+			if (origin) tagged.push({ origin, source: "config.allowedOrigins" });
+		}
+	}
+	for (const origin of getEnvAllowedOrigins()) {
+		tagged.push({ origin, source: "EMDASH_ALLOWED_ORIGINS" });
+	}
+	return tagged;
+}
+/**
+ * Validate per-entry shape rules (no `siteUrl` needed):
+ *   - parses as `URL`
+ *   - protocol is `http:` or `https:`
+ *   - hostname has no trailing dot (`example.com.` rejected)
+ *   - hostname has no empty labels (`foo..example.com` rejected)
+ *
+ * Returns the deduplicated, normalized origin form (`URL.origin`) of every
+ * input, in input order. Throws on the first violation with a source-tagged
+ * error message.
+ */
+export function validateOriginShape(tagged: TaggedOrigin[]): string[] {
+	const normalized: string[] = [];
+	const seen = new Set<string>();
+	for (const { origin, source } of tagged) {
+		let parsed: URL;
+		try {
+			parsed = new URL(origin);
+		} catch (e) {
+			throw configError(source, `invalid URL: "${origin}"`, e);
+		}
+		if (parsed.protocol !== "http:" && parsed.protocol !== "https:") {
+			throw configError(
+				source,
+				`origin must be http or https: "${origin}" (got ${parsed.protocol})`,
+			);
+		}
+		if (parsed.hostname.endsWith(".")) {
+			throw configError(
+				source,
+				`hostname has a trailing dot: "${origin}". Remove the trailing dot — assertion origins from the browser do not include it.`,
+			);
+		}
+		if (parsed.hostname.split(".").includes("")) {
+			throw configError(source, `hostname has empty labels: "${origin}"`);
+		}
+		if (!seen.has(parsed.origin)) {
+			seen.add(parsed.origin);
+			normalized.push(parsed.origin);
+		}
+	}
+	return normalized;
+}
+/**
+ * Validate the effective merged allowedOrigins set against `siteUrl`.
+ *
+ * Performs `validateOriginShape()` plus the siteUrl-dependent rules:
+ *   - Rule A: non-empty origins ⇒ `siteUrl` is set
+ *   - `siteUrl` hostname is not an IP literal (multi-origin requires a domain)
+ *   - `siteUrl` hostname has no trailing dot (cannot match assertion origins)
+ *   - Rule B: each origin's hostname is `siteHost` exactly or a subdomain
+ *
+ * Throws on first violation. Returns the deduplicated normalized origins.
+ *
+ * Use this at the runtime chokepoint (where config + env are merged into the
+ * effective set). At Astro integration init, prefer `validateOriginShape()`
+ * for shape-only checks on `config.allowedOrigins`, since `siteUrl` may be
+ * supplied at runtime via `EMDASH_SITE_URL`.
+ */
+export function validateAllowedOrigins(
+	siteUrl: string | undefined,
+	tagged: TaggedOrigin[],
+): string[] {
+	const normalized = validateOriginShape(tagged);
+	if (normalized.length === 0) return normalized;
+	if (!siteUrl) {
+		throw new Error(
+			`EmDash config error: allowedOrigins is set (${normalized.length} ${
+				normalized.length === 1 ? "entry" : "entries"
+			}) but siteUrl is not. Without a canonical siteUrl, rpId is derived from the request hostname, defeating multi-origin passkeys. Set siteUrl in astro.config.mjs or via EMDASH_SITE_URL.`,
+		);
+	}
+	let siteHost: string;
+	try {
+		siteHost = new URL(siteUrl).hostname;
+	} catch (e) {
+		throw new Error(`EmDash config error: siteUrl is not a valid URL: "${siteUrl}"`, {
+			cause: e,
+		});
+	}
+	if (siteHost.endsWith(".")) {
+		throw new Error(
+			`EmDash config error: siteUrl "${siteUrl}" has a trailing-dot hostname, which cannot match assertion origins. Remove the trailing dot when using allowedOrigins.`,
+		);
+	}
+	if (isIPLiteralHostname(siteHost)) {
+		throw new Error(
+			`EmDash config error: siteUrl "${siteUrl}" uses an IP-literal hostname. Multi-origin passkeys require a domain-based siteUrl — IP addresses cannot have valid subdomains for WebAuthn rpId.`,
+		);
+	}
+	for (const { origin, source } of tagged) {
+		const h = new URL(origin).hostname;
+		if (h !== siteHost && !h.endsWith("." + siteHost)) {
+			throw configError(
+				source,
+				`"${origin}" is not a subdomain of siteUrl "${siteUrl}". Allowed origins must be the same hostname as siteUrl or a subdomain of it.`,
+			);
+		}
+	}
+	return normalized;
+}
+function configError(source: AllowedOriginSource, detail: string, cause?: unknown): Error {
+	const err = new Error(`EmDash config error in ${source}: ${detail}`);
+	if (cause !== undefined) (err as Error & { cause?: unknown }).cause = cause;
+	return err;
+}
+const IPV4_DOTTED_DECIMAL_RE = /^\d+(\.\d+){3}$/;
+function isIPLiteralHostname(h: string): boolean {
+	// IPv6 hostnames are bracketed by URL.hostname, e.g. "[::1]"
+	if (h.startsWith("[")) return true;
+	// IPv4 dotted-decimal
+	return IPV4_DOTTED_DECIMAL_RE.test(h);
+}