emdash 0.8.0 → 0.10.0

package/src/auth/passkey-config.ts

@@ -9,7 +9,12 @@
 export interface PasskeyConfig {
 	rpName: string;
 	rpId: string;
-	origin: string;
+	/**
+	 * Accepted client-data origins. First entry is the canonical/preferred origin;
+	 * additional entries support multi-origin deployments (e.g. apex + preview
+	 * subdomain sharing the same `rpId`). See `allowedOrigins` parameter.
+	 */
+	origins: string[];
 }
 
 /**
@@ -18,10 +23,22 @@ export interface PasskeyConfig {
  * @param url The request URL (typically `new URL(Astro.request.url)` or `new URL(request.url)`)
  * @param siteName Optional site name for rpName (defaults to hostname from `url` or public origin)
  * @param siteUrl Optional browser-facing origin (see `EmDashConfig.siteUrl`).
- *        When set, **origin** and **rpId** are taken from this URL so they match WebAuthn `clientData.origin`.
+ *        When set, the canonical **origin** and **rpId** are taken from this URL.
+ * @param allowedOrigins Optional list of additional accepted origins for verification.
+ *        Each must share `rpId` with the canonical origin (WebAuthn requirement).
+ *        Typical use: apex + preview subdomain on the same registrable domain.
  * @throws If `siteUrl` is non-empty but not parseable by `new URL()`.
  */
-export function getPasskeyConfig(url: URL, siteName?: string, siteUrl?: string): PasskeyConfig {
+export function getPasskeyConfig(
+	url: URL,
+	siteName?: string,
+	siteUrl?: string,
+	allowedOrigins?: string[],
+): PasskeyConfig {
+	let rpName: string;
+	let rpId: string;
+	let canonicalOrigin: string;
+
 	if (siteUrl) {
 		let publicUrl: URL;
 		try {
@@ -29,16 +46,21 @@ export function getPasskeyConfig(url: URL, siteName?: string, siteUrl?: string):
 		} catch (e) {
 			throw new Error(`Invalid siteUrl: "${siteUrl}"`, { cause: e });
 		}
-		return {
-			rpName: siteName || publicUrl.hostname,
-			rpId: publicUrl.hostname,
-			origin: publicUrl.origin,
-		};
+		rpName = siteName || publicUrl.hostname;
+		rpId = publicUrl.hostname;
+		canonicalOrigin = publicUrl.origin;
+	} else {
+		rpName = siteName || url.hostname;
+		rpId = url.hostname;
+		canonicalOrigin = url.origin;
+	}
+
+	const origins = [canonicalOrigin];
+	if (allowedOrigins) {
+		for (const extra of allowedOrigins) {
+			if (extra && !origins.includes(extra)) origins.push(extra);
+		}
 	}
 
-	return {
-		rpName: siteName || url.hostname,
-		rpId: url.hostname,
-		origin: url.origin,
-	};
+	return { rpName, rpId, origins };
 }

package/src/bylines/index.ts

@@ -12,7 +12,6 @@ import { BylineRepository } from "../database/repositories/byline.js";
 import type { BylineSummary, ContentBylineCredit } from "../database/repositories/types.js";
 import { validateIdentifier } from "../database/validate.js";
 import { getDb } from "../loader.js";
-import { chunks, SQL_BATCH_SIZE } from "../utils/chunks.js";
 import { isMissingTableError } from "../utils/db-errors.js";
 
 /**
@@ -73,15 +72,11 @@ export async function getBylineBySlug(slug: string): Promise<BylineSummary | nul
  * but the entry has an `authorId`, falls back to the user-linked byline
  * (marked as source: "inferred").
  *
- * @example
- * ```ts
- * import { getEntryBylines } from "emdash";
- *
- * const bylines = await getEntryBylines("posts", post.data.id);
- * for (const credit of bylines) {
- *   console.log(credit.byline.displayName, credit.roleLabel);
- * }
- * ```
+ * Internal: not re-exported from the `emdash` package entry point. Every
+ * entry returned by `getEmDashCollection` / `getEmDashEntry` already has
+ * `data.bylines` populated by `hydrateEntryBylines` (which uses the batch
+ * helper `getBylinesForEntries` directly). Site code should read those
+ * fields rather than calling this function.
  */
 export async function getEntryBylines(
 	collection: string,
@@ -108,55 +103,55 @@ export async function getEntryBylines(
 	return [];
 }
 
+/**
+ * An entry reference for batch byline lookups.
+ *
+ * `authorId` is read directly from the row when computing the inferred-byline
+ * fallback — passing it in avoids a redundant `SELECT id, author_id` against
+ * the content table after every list/entry fetch.
+ */
+export interface BylineEntry {
+	id: string;
+	authorId: string | null;
+}
+
 /**
  * Batch-fetch byline credits for multiple content entries in a single query.
  *
- * This is more efficient than calling getEntryBylines for each entry
- * when you need bylines for a list of entries (e.g., a blog index page).
+ * Internal: consumed by `hydrateEntryBylines` in `query.ts` so that every
+ * entry returned from `getEmDashCollection` / `getEmDashEntry` already has
+ * `data.bylines` populated. Site code should rely on that eager hydration
+ * rather than calling this directly -- this function is not re-exported
+ * from the `emdash` package entry point.
  *
  * @param collection - The collection slug (e.g., "posts")
- * @param entryIds - Array of entry IDs
+ * @param entries - Entry id + authorId pairs (authorId is already on the row)
  * @returns Map from entry ID to array of byline credits
- *
- * @example
- * ```ts
- * import { getBylinesForEntries, getEmDashCollection } from "emdash";
- *
- * const { entries } = await getEmDashCollection("posts");
- * const ids = entries.map(e => e.data.id);
- * const bylinesMap = await getBylinesForEntries("posts", ids);
- *
- * for (const entry of entries) {
- *   const bylines = bylinesMap.get(entry.data.id) ?? [];
- *   // render bylines
- * }
- * ```
  */
 export async function getBylinesForEntries(
 	collection: string,
-	entryIds: string[],
+	entries: BylineEntry[],
 ): Promise<Map<string, ContentBylineCredit[]>> {
 	validateIdentifier(collection, "collection");
 	const result = new Map<string, ContentBylineCredit[]>();
 
-	// Initialize all entry IDs with empty arrays
-	for (const id of entryIds) {
+	for (const { id } of entries) {
 		result.set(id, []);
 	}
 
-	if (entryIds.length === 0) {
+	if (entries.length === 0) {
 		return result;
 	}
 
 	const db = await getDb();
 	const repo = new BylineRepository(db);
+	const entryIds = entries.map((e) => e.id);
 
-	// 1. Batch fetch all explicit byline credits. Sites with no bylines
-	// get an empty map back for one query — the previous "has any bylines"
-	// probe traded an extra round-trip on every request to save that one
-	// query on empty sites, which is exactly backwards for the common case.
-	// Pre-migration databases (bylines table missing) fall through to the
-	// `isMissingTableError` catch below and return empty results.
+	// Sites with no bylines get an empty map back for one query — the previous
+	// "has any bylines" probe traded an extra round-trip on every request to
+	// save that one query on empty sites, which is exactly backwards for the
+	// common case. Pre-migration databases (bylines table missing) fall
+	// through to the `isMissingTableError` catch below and return empty.
 	let bylinesMap;
 	try {
 		bylinesMap = await repo.getContentBylinesMany(collection, entryIds);
@@ -165,32 +160,17 @@ export async function getBylinesForEntries(
 		throw error;
 	}
 
-	// 2. Collect entry IDs that need fallback lookup
-	const fallbackEntryIds: string[] = [];
-	const needsFallback: Map<string, string> = new Map(); // entryId -> authorId
-
-	for (const id of entryIds) {
-		if (!bylinesMap.has(id)) {
-			// Need to check author_id for this entry — but we only have the IDs,
-			// so batch-fetch them from the content table
-			fallbackEntryIds.push(id);
+	const needsFallback = new Map<string, string>();
+	for (const { id, authorId } of entries) {
+		if (!bylinesMap.has(id) && authorId) {
+			needsFallback.set(id, authorId);
 		}
 	}
 
-	// Batch-fetch author_ids for entries that need fallback
-	if (fallbackEntryIds.length > 0) {
-		const authorMap = await getAuthorIds(db, collection, fallbackEntryIds);
-		for (const [entryId, authorId] of authorMap) {
-			needsFallback.set(entryId, authorId);
-		}
-	}
-
-	// 3. Batch fetch user-linked bylines for fallback
 	const uniqueAuthorIds = [...new Set(needsFallback.values())];
 	const authorBylineMap = await repo.findByUserIds(uniqueAuthorIds);
 
-	// 4. Assign results
-	for (const id of entryIds) {
+	for (const { id } of entries) {
 		const explicit = bylinesMap.get(id);
 		if (explicit && explicit.length > 0) {
 			result.set(
@@ -205,11 +185,8 @@ export async function getBylinesForEntries(
 			const fallback = authorBylineMap.get(authorId);
 			if (fallback) {
 				result.set(id, [{ byline: fallback, sortOrder: 0, roleLabel: null, source: "inferred" }]);
-				continue;
 			}
 		}
-
-		// Already initialized with empty array
 	}
 
 	return result;
@@ -235,31 +212,3 @@ async function getAuthorId(
 
 	return result.rows[0]?.author_id ?? null;
 }
-
-/**
- * Batch-fetch author_ids for multiple content entries.
- * Returns Map<entryId, authorId> (only entries with non-null author_id).
- */
-async function getAuthorIds(
-	db: Awaited<ReturnType<typeof getDb>>,
-	collection: string,
-	entryIds: string[],
-): Promise<Map<string, string>> {
-	validateIdentifier(collection, "collection");
-	const tableName = `ec_${collection}`;
-
-	const map = new Map<string, string>();
-	for (const chunk of chunks(entryIds, SQL_BATCH_SIZE)) {
-		const result = await sql<{ id: string; author_id: string | null }>`
-			SELECT id, author_id FROM ${sql.ref(tableName)}
-			WHERE id IN (${sql.join(chunk.map((id) => sql`${id}`))})
-		`.execute(db);
-
-		for (const row of result.rows) {
-			if (row.author_id) {
-				map.set(row.id, row.author_id);
-			}
-		}
-	}
-	return map;
-}

package/src/cli/commands/auth.ts

@@ -1,5 +1,22 @@
 /**
- * Auth CLI commands
+ * Auth CLI commands (deprecated)
+ *
+ * Kept as a deprecated alias for backwards compatibility. The original
+ * `emdash auth secret` was documented in published docs and is plausibly
+ * scripted in user CI (e.g. `npx emdash auth secret >> .env`). Removing
+ * it outright would break those scripts on minor-version upgrade.
+ *
+ * The command still emits an `EMDASH_AUTH_SECRET=<32-byte-base64url>`
+ * line, unchanged. `EMDASH_AUTH_SECRET` itself is now legacy: it's only
+ * read as a fallback source for the commenter-IP hash salt so installs
+ * upgrading from a prior version keep stable IP hashes (and therefore
+ * stable rate-limit buckets). New installs don't need to set it.
+ *
+ * The deprecation note steers users toward `emdash secrets generate`
+ * (which emits a different, versioned `emdash_enc_v1_*` value for
+ * `EMDASH_ENCRYPTION_KEY` — used to encrypt plugin secrets at rest).
+ *
+ * Will be removed in a future minor.
  */
 
 import { defineCommand } from "citty";
@@ -8,9 +25,6 @@ import pc from "picocolors";
 
 import { encodeBase64url } from "../../utils/base64.js";
 
-/**
- * Generate a cryptographically secure auth secret
- */
 function generateAuthSecret(): string {
 	const bytes = new Uint8Array(32);
 	crypto.getRandomValues(bytes);
@@ -20,11 +34,13 @@ function generateAuthSecret(): string {
 const secretCommand = defineCommand({
 	meta: {
 		name: "secret",
-		description: "Generate a secure auth secret",
+		description: "[DEPRECATED] Generate a value for legacy EMDASH_AUTH_SECRET",
 	},
 	run() {
 		const secret = generateAuthSecret();
 
+		// Match the original behavior verbatim: pretty-printed name=value
+		// on stdout (most scripts piped this to a file expecting that shape).
 		consola.log("");
 		consola.log(pc.bold("Generated auth secret:"));
 		consola.log("");
@@ -32,13 +48,19 @@ const secretCommand = defineCommand({
 		consola.log("");
 		consola.log(pc.dim("Add this to your environment variables."));
 		consola.log("");
+		// Deprecation note on stderr so it doesn't break stdout consumers.
+		process.stderr.write(
+			`${pc.yellow("Note:")} ${pc.bold("emdash auth secret")} is deprecated and will be removed in a future minor. ` +
+				`${pc.cyan("EMDASH_AUTH_SECRET")} itself is now optional — it's only used as a legacy fallback for the commenter-IP hash salt. ` +
+				`For encrypting plugin secrets at rest, use ${pc.bold("emdash secrets generate")} (a different secret: ${pc.cyan("EMDASH_ENCRYPTION_KEY")}).\n`,
+		);
 	},
 });
 
 export const authCommand = defineCommand({
 	meta: {
 		name: "auth",
-		description: "Authentication utilities",
+		description: "[DEPRECATED] Authentication utilities (use `emdash secrets` for new flows)",
 	},
 	subCommands: {
 		secret: secretCommand,

package/src/cli/commands/bundle-utils.ts

@@ -30,8 +30,17 @@ export const ICON_SIZE = 256;
 
 // ── Regex patterns (module-scope to avoid re-compilation) ────────────────────
 
-/** Matches require("node:xxx") / require("xxx") / import("node:xxx") in bundled output */
-const NODE_BUILTIN_IMPORT_RE = /(?:import|require)\s*\(?["'](?:node:)?([a-z_]+)["']\)?/g;
+/**
+ * Matches Node.js built-in imports in bundled output:
+ * - require("node:xxx") / require("xxx")
+ * - import("node:xxx") / import("xxx")
+ * - import X from "node:xxx" / import { X } from "node:xxx"
+ * - import * as X from "node:xxx"
+ * - export { X } from "node:xxx"
+ * Captures the base module name (e.g. "fs" from "node:fs/promises").
+ */
+const NODE_BUILTIN_IMPORT_RE =
+	/(?:import|export|require)\s*(?:\(|[^(]*?\bfrom\s+)["'](?:node:)?([a-z_]+)(?:\/[^"']*)?\s*["']\)?/g;
 const LEADING_DOT_SLASH_RE = /^\.\//;
 const DIST_PREFIX_RE = /^dist\//;
 const MJS_EXT_RE = /\.m?js$/;

package/src/cli/commands/bundle.ts

@@ -20,6 +20,7 @@ import { resolve, join, extname, basename } from "node:path";
 import { defineCommand } from "citty";
 import consola from "consola";
 
+import { CAPABILITY_RENAMES, isDeprecatedCapability } from "../../plugins/types.js";
 import type { ResolvedPlugin } from "../../plugins/types.js";
 import {
 	fileExists,
@@ -524,20 +525,39 @@ export const bundleCommand = defineCommand({
 				}
 			}
 
-			// Check capabilities warnings
-			if (manifest.capabilities.includes("network:fetch:any")) {
+			// Check capabilities warnings — use canonical names. Deprecated
+			// names are accepted (and warned about separately below) so we
+			// also check the legacy aliases here for the duration of the
+			// deprecation window.
+			const declaresUnrestricted =
+				manifest.capabilities.includes("network:request:unrestricted") ||
+				manifest.capabilities.includes("network:fetch:any");
+			const declaresHostRestricted =
+				manifest.capabilities.includes("network:request") ||
+				manifest.capabilities.includes("network:fetch");
+			if (declaresUnrestricted) {
 				consola.warn(
-					"Plugin declares unrestricted network access (network:fetch:any) — it can make requests to any host",
+					"Plugin declares unrestricted network access (network:request:unrestricted) — it can make requests to any host",
 				);
-			} else if (
-				manifest.capabilities.includes("network:fetch") &&
-				manifest.allowedHosts.length === 0
-			) {
+			} else if (declaresHostRestricted && manifest.allowedHosts.length === 0) {
 				consola.warn(
-					"Plugin declares network:fetch capability but no allowedHosts — all fetch requests will be blocked",
+					"Plugin declares network:request capability but no allowedHosts — all requests will be blocked",
 				);
 			}
 
+			// Warn for each deprecated capability used. The warning points
+			// to the new name so the fix is mechanical. We continue (not
+			// error) here — the hard fail lives in `publish` so authors
+			// can still build and test locally.
+			const deprecatedCaps = manifest.capabilities.filter(isDeprecatedCapability);
+			if (deprecatedCaps.length > 0) {
+				consola.warn("Plugin uses deprecated capability names. Rename them before publishing:");
+				for (const cap of deprecatedCaps) {
+					const replacement = CAPABILITY_RENAMES[cap];
+					consola.warn(`  ${cap} → ${replacement}`);
+				}
+			}
+
 			// Check for features that won't work in sandboxed mode
 			if (
 				resolvedPlugin.admin?.portableTextBlocks &&

package/src/cli/commands/content.ts

@@ -9,6 +9,7 @@ import { readFile } from "node:fs/promises";
 import { defineCommand } from "citty";
 import { consola } from "consola";
 
+import { convertDataForRead } from "../../client/portable-text.js";
 import { connectionArgs, createClientFromArgs } from "../client-factory.js";
 import { configureOutputMode, output } from "../output.js";
 
@@ -144,6 +145,13 @@ const getCommand = defineCommand({
 				const comparison = await client.compare(args.collection, args.id);
 				if (comparison.hasChanges && comparison.draft) {
 					item.data = comparison.draft;
+					// The comparison endpoint returns raw PT data. Apply the same
+					// PT-to-markdown conversion that `client.get` does, unless --raw.
+					if (!args.raw && item.data) {
+						const col = await client.collection(args.collection);
+						const fields = col.fields.map((f) => ({ slug: f.slug, type: f.type }));
+						item.data = convertDataForRead(item.data, fields, false);
+					}
 				}
 			}
 
@@ -278,6 +286,7 @@ const deleteCommand = defineCommand({
 		try {
 			const client = createClientFromArgs(args);
 			await client.delete(args.collection, args.id);
+			output({ success: true }, args);
 			consola.success(`Deleted ${args.collection}/${args.id}`);
 		} catch (error) {
 			consola.error(error instanceof Error ? error.message : "Unknown error");
@@ -306,6 +315,7 @@ const publishCommand = defineCommand({
 		try {
 			const client = createClientFromArgs(args);
 			await client.publish(args.collection, args.id);
+			output({ success: true }, args);
 			consola.success(`Published ${args.collection}/${args.id}`);
 		} catch (error) {
 			consola.error(error instanceof Error ? error.message : "Unknown error");
@@ -334,6 +344,7 @@ const unpublishCommand = defineCommand({
 		try {
 			const client = createClientFromArgs(args);
 			await client.unpublish(args.collection, args.id);
+			output({ success: true }, args);
 			consola.success(`Unpublished ${args.collection}/${args.id}`);
 		} catch (error) {
 			consola.error(error instanceof Error ? error.message : "Unknown error");
@@ -367,6 +378,7 @@ const scheduleCommand = defineCommand({
 		try {
 			const client = createClientFromArgs(args);
 			await client.schedule(args.collection, args.id, { at: args.at });
+			output({ success: true }, args);
 			consola.success(`Scheduled ${args.collection}/${args.id} for ${args.at}`);
 		} catch (error) {
 			consola.error(error instanceof Error ? error.message : "Unknown error");
@@ -395,6 +407,7 @@ const restoreCommand = defineCommand({
 		try {
 			const client = createClientFromArgs(args);
 			await client.restore(args.collection, args.id);
+			output({ success: true }, args);
 			consola.success(`Restored ${args.collection}/${args.id}`);
 		} catch (error) {
 			consola.error(error instanceof Error ? error.message : "Unknown error");

package/src/cli/commands/export-seed.ts

@@ -212,41 +212,69 @@ async function exportCollections(db: Kysely<Database>): Promise<SeedCollection[]
  * Export taxonomy definitions and terms
  */
 async function exportTaxonomies(db: Kysely<Database>): Promise<SeedTaxonomy[]> {
-	// Get taxonomy definitions
-	const defs = await db.selectFrom("_emdash_taxonomy_defs").selectAll().execute();
+	const i18nEnabled = isI18nEnabled();
+
+	// Mirrors the content export pattern: one entry per (name, locale), stable
+	// seed-local id, translations linked via `translationOf` to the anchor's id.
+	const defs = await db
+		.selectFrom("_emdash_taxonomy_defs")
+		.selectAll()
+		.orderBy(["name", "locale"])
+		.execute();
 
 	const result: SeedTaxonomy[] = [];
 	const termRepo = new TaxonomyRepository(db);
 
+	// translation_group -> seed-local id of first def we emitted in that group.
+	const defGroupToSeedId = new Map<string, string>();
+
 	for (const def of defs) {
-		// Get terms for this taxonomy
-		const terms = await termRepo.findByName(def.name);
+		const defSeedId =
+			i18nEnabled && def.locale ? `tax:${def.name}:${def.locale}` : `tax:${def.name}`;
 
-		// Build term tree for hierarchical taxonomies
-		const seedTerms: SeedTaxonomyTerm[] = [];
+		// Terms in this def's locale.
+		const terms = await termRepo.findByName(def.name, { locale: def.locale });
 
-		// First, create a map of id -> slug for parent resolution
+		// id -> slug for parent resolution within this locale.
 		const idToSlug = new Map<string, string>();
-		for (const term of terms) {
-			idToSlug.set(term.id, term.slug);
-		}
+		for (const term of terms) idToSlug.set(term.id, term.slug);
+
+		// translation_group -> seed id of the anchor term.
+		const termGroupToSeedId = new Map<string, string>();
 
+		const seedTerms: SeedTaxonomyTerm[] = [];
 		for (const term of terms) {
+			const termSeedId =
+				i18nEnabled && term.locale
+					? `term:${def.name}:${term.slug}:${term.locale}`
+					: `term:${def.name}:${term.slug}`;
+
 			const seedTerm: SeedTaxonomyTerm = {
+				id: termSeedId,
 				slug: term.slug,
 				label: term.label,
 				description: typeof term.data?.description === "string" ? term.data.description : undefined,
 			};
 
-			// Resolve parent slug
-			if (term.parentId) {
-				seedTerm.parent = idToSlug.get(term.parentId);
+			if (term.parentId) seedTerm.parent = idToSlug.get(term.parentId);
+
+			if (i18nEnabled && term.locale) {
+				seedTerm.locale = term.locale;
+				if (term.translationGroup) {
+					const anchor = termGroupToSeedId.get(term.translationGroup);
+					if (anchor) seedTerm.translationOf = anchor;
+					else termGroupToSeedId.set(term.translationGroup, termSeedId);
+				}
 			}
 
 			seedTerms.push(seedTerm);
 		}
 
+		// Anchors first so import can resolve `translationOf`.
+		seedTerms.sort((a, b) => Number(!!a.translationOf) - Number(!!b.translationOf));
+
 		const taxonomy: SeedTaxonomy = {
+			id: defSeedId,
 			name: def.name,
 			label: def.label,
 			labelSingular: def.label_singular || undefined,
@@ -254,13 +282,23 @@ async function exportTaxonomies(db: Kysely<Database>): Promise<SeedTaxonomy[]> {
 			collections: def.collections ? JSON.parse(def.collections) : [],
 		};
 
-		if (seedTerms.length > 0) {
-			taxonomy.terms = seedTerms;
+		if (i18nEnabled && def.locale) {
+			taxonomy.locale = def.locale;
+			if (def.translation_group) {
+				const anchor = defGroupToSeedId.get(def.translation_group);
+				if (anchor) taxonomy.translationOf = anchor;
+				else defGroupToSeedId.set(def.translation_group, defSeedId);
+			}
 		}
 
+		if (seedTerms.length > 0) taxonomy.terms = seedTerms;
+
 		result.push(taxonomy);
 	}
 
+	// Anchors first at def level too.
+	result.sort((a, b) => Number(!!a.translationOf) - Number(!!b.translationOf));
+
 	return result;
 }
 
@@ -268,13 +306,22 @@ async function exportTaxonomies(db: Kysely<Database>): Promise<SeedTaxonomy[]> {
  * Export menus with their items
  */
 async function exportMenus(db: Kysely<Database>): Promise<SeedMenu[]> {
-	// Get all menus
-	const menus = await db.selectFrom("_emdash_menus").selectAll().execute();
+	const i18nEnabled = isI18nEnabled();
+
+	const menus = await db
+		.selectFrom("_emdash_menus")
+		.selectAll()
+		.orderBy(["name", "locale"])
+		.execute();
 
 	const result: SeedMenu[] = [];
+	// translation_group -> seed-local id of the anchor menu in that group.
+	const groupToSeedId = new Map<string, string>();
 
 	for (const menu of menus) {
-		// Get menu items
+		const seedId =
+			i18nEnabled && menu.locale ? `menu:${menu.name}:${menu.locale}` : `menu:${menu.name}`;
+
 		const items = await db
 			.selectFrom("_emdash_menu_items")
 			.selectAll()
@@ -282,16 +329,30 @@ async function exportMenus(db: Kysely<Database>): Promise<SeedMenu[]> {
 			.orderBy("sort_order", "asc")
 			.execute();
 
-		// Build item tree
 		const seedItems = buildMenuItemTree(items);
 
-		result.push({
+		const seedMenu: SeedMenu = {
+			id: seedId,
 			name: menu.name,
 			label: menu.label,
 			items: seedItems,
-		});
+		};
+
+		if (i18nEnabled && menu.locale) {
+			seedMenu.locale = menu.locale;
+			if (menu.translation_group) {
+				const anchor = groupToSeedId.get(menu.translation_group);
+				if (anchor) seedMenu.translationOf = anchor;
+				else groupToSeedId.set(menu.translation_group, seedId);
+			}
+		}
+
+		result.push(seedMenu);
 	}
 
+	// Anchors first so import can resolve `translationOf`.
+	result.sort((a, b) => Number(!!a.translationOf) - Number(!!b.translationOf));
+
 	return result;
 }
 

package/src/cli/commands/login.ts

@@ -459,7 +459,14 @@ export const whoamiCommand = defineCommand({
 							},
 						);
 						if (refreshRes.ok) {
-							const refreshed = (await refreshRes.json()) as TokenResponse;
+							const json = (await refreshRes.json()) as Record<string, unknown>;
+							// Token endpoint wraps response in { data: ... } via apiSuccess.
+							// Handle both wrapped and bare shapes for robustness.
+							const refreshed = (
+								json.data && typeof json.data === "object" && "access_token" in json.data
+									? json.data
+									: json
+							) as TokenResponse;
 							token = refreshed.access_token;
 							saveCredentials(baseUrl, {
 								...cred,