emdash 0.8.0 → 0.10.0

package/src/database/migrations/runner.ts

@@ -36,6 +36,7 @@ import * as m032 from "./032_rate_limits.js";
 import * as m033 from "./033_optimize_content_indexes.js";
 import * as m034 from "./034_published_at_index.js";
 import * as m035 from "./035_bounded_404_log.js";
+import * as m036 from "./036_i18n_menus_and_taxonomies.js";
 
 const MIGRATIONS: Readonly<Record<string, Migration>> = Object.freeze({
 	"001_initial": m001,
@@ -72,6 +73,7 @@ const MIGRATIONS: Readonly<Record<string, Migration>> = Object.freeze({
 	"033_optimize_content_indexes": m033,
 	"034_published_at_index": m034,
 	"035_bounded_404_log": m035,
+	"036_i18n_menus_and_taxonomies": m036,
 });
 
 /** Total number of registered migrations. Exported for use in tests. */
@@ -123,29 +125,156 @@ export async function getMigrationStatus(db: Kysely<Database>): Promise<Migratio
 	return { applied, pending };
 }
 
+/** Pattern for escaping special regex characters. Matches the shared helper in `database/repositories/content.ts`. */
+const REGEX_ESCAPE_PATTERN = /[.*+?^${}()|[\]\\]/g;
+
+/** Escape special regex characters so a string can be embedded literally in `new RegExp()`. */
+function escapeRegExp(value: string): string {
+	return value.replace(REGEX_ESCAPE_PATTERN, "\\$&");
+}
+
 /**
- * Run all pending migrations.
+ * Pattern used to detect the concurrent-migration race. The Kysely
+ * `SqliteAdapter.acquireMigrationLock` is a no-op (inherited by `kysely-d1`
+ * and our `EmDashD1Dialect`), so two isolates running migrations against the
+ * same database can both attempt `INSERT INTO _emdash_migrations` for the
+ * same migration name. The losing insert fails with a UNIQUE constraint
+ * error, which is benign: the other isolate is applying the same schema.
  *
- * Includes a fast-path: if the migration table already exists and contains
- * exactly MIGRATION_COUNT rows, all migrations have been applied and we can
- * skip the Kysely Migrator entirely. This avoids the expensive
- * `pragma_table_info` introspection that Kysely runs for every table in the
- * database (twice!) just to check if the migration tables exist.
- * On D1 with ~57 tables, that's ~116 queries saved per init.
+ * We match on the table name (not the full error text) because different
+ * SQLite drivers phrase the message differently
+ * (`UNIQUE constraint failed: _emdash_migrations.name` for better-sqlite3,
+ * `D1_ERROR: UNIQUE constraint failed: _emdash_migrations.name: SQLITE_CONSTRAINT`
+ * for D1, etc.). The pattern is built from `MIGRATION_TABLE` so a rename
+ * cannot silently disable race detection.
  */
-export async function runMigrations(db: Kysely<Database>): Promise<{ applied: string[] }> {
-	// Fast path: check if all migrations are already applied.
-	// A single cheap query vs the Migrator's full schema introspection.
+const MIGRATION_RACE_PATTERN = new RegExp(
+	`UNIQUE constraint failed: ${escapeRegExp(MIGRATION_TABLE)}\\.name`,
+	"i",
+);
+
+/** How long to wait for a concurrent migrator to finish before giving up. */
+const MIGRATION_RACE_WAIT_MS = 10_000;
+/** Polling interval while waiting for a concurrent migrator. */
+const MIGRATION_RACE_POLL_MS = 100;
+
+/**
+ * Pattern used to detect "table does not exist" errors across the dialects
+ * EmDash supports. The phrasing differs by driver:
+ *
+ *   - better-sqlite3: `no such table: _emdash_migrations`
+ *   - D1:             `D1_ERROR: no such table: _emdash_migrations: SQLITE_ERROR`
+ *   - PostgreSQL:     `relation "_emdash_migrations" does not exist`
+ *                     (also occasionally `table "_emdash_migrations" does not exist`)
+ *
+ * We deliberately match on the migration table name (rather than using the
+ * generic `isMissingTableError` helper) so an unexpected missing-table error
+ * naming a different table — implausible today since
+ * `getAppliedMigrationCount` only references `MIGRATION_TABLE`, but cheap
+ * insurance against future edits — is not silently swallowed. The pattern is
+ * built from `MIGRATION_TABLE` so a rename cannot drift.
+ */
+const MIGRATION_TABLE_MISSING_PATTERN = new RegExp(
+	`(?:no such table:\\s*${escapeRegExp(MIGRATION_TABLE)}\\b` +
+		`|(?:relation|table)\\s+"?${escapeRegExp(MIGRATION_TABLE)}"?\\s+does(?:n't| not) exist\\b)`,
+	"i",
+);
+
+/**
+ * Read the count of applied migrations.
+ *
+ * Returns `null` only when the migration table does not exist yet (which is
+ * the normal state on a fresh database before the first migration runs).
+ * Any other error is rethrown so callers — particularly
+ * `waitForConcurrentMigrator` — don't silently mask connection failures,
+ * permission errors, or other unexpected driver problems behind a 10s wait
+ * and a bogus "we're done" verdict.
+ */
+async function getAppliedMigrationCount(db: Kysely<Database>): Promise<number | null> {
 	try {
 		const result = await sql<{ count: number }>`
 			SELECT COUNT(*) as count FROM ${sql.ref(MIGRATION_TABLE)}
 		`.execute(db);
-		if (result.rows[0]?.count === MIGRATION_COUNT) {
-			return { applied: [] };
+		return Number(result.rows[0]?.count ?? 0);
+	} catch (error) {
+		if (MIGRATION_TABLE_MISSING_PATTERN.test(deepErrorMessage(error))) {
+			return null;
+		}
+		throw error;
+	}
+}
+
+/**
+ * Wait for a concurrent migrator to finish applying all migrations.
+ *
+ * Resolves to `true` once the migration table contains at least
+ * `MIGRATION_COUNT` rows (i.e. every migration this build knows about has
+ * been recorded), `false` if the deadline elapses first. We use `>=` rather
+ * than `===` so that an old isolate observing a database that has already
+ * been migrated by a newer build still treats the wait as settled instead
+ * of timing out.
+ */
+async function waitForConcurrentMigrator(db: Kysely<Database>): Promise<boolean> {
+	const deadline = Date.now() + MIGRATION_RACE_WAIT_MS;
+	while (Date.now() < deadline) {
+		const count = await getAppliedMigrationCount(db);
+		if (count !== null && count >= MIGRATION_COUNT) {
+			return true;
+		}
+		await new Promise((resolve) => setTimeout(resolve, MIGRATION_RACE_POLL_MS));
+	}
+	const finalCount = await getAppliedMigrationCount(db);
+	return finalCount !== null && finalCount >= MIGRATION_COUNT;
+}
+
+/** Extract the deepest error message available from a thrown value. */
+function deepErrorMessage(error: unknown): string {
+	if (error instanceof Error) {
+		const own = error.message ?? "";
+		if (error.cause) {
+			const causeMsg = deepErrorMessage(error.cause);
+			return own ? `${own}: ${causeMsg}` : causeMsg;
 		}
+		return own;
+	}
+	if (typeof error === "string") return error;
+	try {
+		return JSON.stringify(error);
 	} catch {
-		// Table doesn't exist yet (first run). Fall through to the Migrator
-		// which will create it.
+		return String(error);
+	}
+}
+
+/**
+ * Run all pending migrations.
+ *
+ * Includes a fast-path: if the migration table already exists and contains
+ * at least MIGRATION_COUNT rows, all migrations this build knows about have
+ * been applied and we can skip the Kysely Migrator entirely. This avoids
+ * the expensive `pragma_table_info` introspection that Kysely runs for
+ * every table in the database (twice!) just to check if the migration
+ * tables exist. On D1 with ~57 tables, that's ~116 queries saved per init.
+ *
+ * Concurrent-migration safety: the Kysely Migrator's `acquireMigrationLock`
+ * is a no-op for SQLite (and therefore D1), so two callers running this
+ * concurrently against the same database will both try to apply pending
+ * migrations. SQLite serializes the writes, but the loser still surfaces a
+ * `UNIQUE constraint failed: _emdash_migrations.name` error. We treat that
+ * specific error as benign: another caller is already applying the same
+ * schema. We wait for the concurrent migrator to finish, then return
+ * success. This matches the user-observable expectation that running
+ * migrations twice in a row is a no-op.
+ */
+export async function runMigrations(db: Kysely<Database>): Promise<{ applied: string[] }> {
+	// Fast path: check if all migrations are already applied.
+	// A single cheap query vs the Migrator's full schema introspection.
+	// We use `>=` rather than `===` so a database with extra rows from a
+	// newer build (e.g. mid-deploy old isolate, or downgrade) still skips
+	// the migrator instead of falling through to the race-recovery path
+	// unnecessarily.
+	const initialCount = await getAppliedMigrationCount(db);
+	if (initialCount !== null && initialCount >= MIGRATION_COUNT) {
+		return { applied: [] };
 	}
 
 	const migrator = new Migrator({
@@ -160,17 +289,23 @@ export async function runMigrations(db: Kysely<Database>): Promise<{ applied: st
 	const applied = results?.filter((r) => r.status === "Success").map((r) => r.migrationName) ?? [];
 
 	if (error) {
-		// Kysely sometimes wraps errors with an empty message. Check cause and
-		// failed migration results for the real error.
-		let msg = error instanceof Error ? error.message : JSON.stringify(error);
-		if (!msg && error instanceof Error && error.cause) {
-			msg = error.cause instanceof Error ? error.cause.message : JSON.stringify(error.cause);
-		}
+		// Walk error.cause to get the underlying driver message — Kysely
+		// often wraps with an empty top-level message.
+		const msg = deepErrorMessage(error);
 		const failedMigration = results?.find((r) => r.status === "Error");
-		if (failedMigration) {
-			msg = `${msg || "unknown error"} (migration: ${failedMigration.migrationName})`;
+
+		// Concurrent-migration race: another caller is applying (or just
+		// applied) the same migration. Wait for it to finish, then verify
+		// the schema is fully migrated and treat as success.
+		if (MIGRATION_RACE_PATTERN.test(msg)) {
+			const settled = await waitForConcurrentMigrator(db);
+			if (settled) {
+				return { applied };
+			}
 		}
-		throw new Error(`Migration failed: ${msg}`);
+
+		const failedSuffix = failedMigration ? ` (migration: ${failedMigration.migrationName})` : "";
+		throw new Error(`Migration failed: ${msg || "unknown error"}${failedSuffix}`);
 	}
 
 	return { applied };

package/src/database/repositories/content.ts

@@ -637,12 +637,23 @@ export class ContentRepository {
 	/**
 	 * Permanently delete content (cannot be undone)
 	 */
+	/**
+	 * Permanently delete a soft-deleted content row.
+	 *
+	 * Returns `true` only when a soft-deleted (trashed) row was removed.
+	 * Returns `false` when no row exists OR when the row exists but is live —
+	 * the caller is responsible for distinguishing these cases (typically via
+	 * a follow-up `findByIdOrSlugIncludingTrashed` to surface NOT_FOUND vs
+	 * NOT_TRASHED). The `AND deleted_at IS NOT NULL` clause is the safety net
+	 * that prevents permanent delete from bypassing the trash workflow.
+	 */
 	async permanentDelete(type: string, id: string): Promise<boolean> {
 		const tableName = getTableName(type);
 
 		const result = await sql`
 			DELETE FROM ${sql.ref(tableName)}
 			WHERE id = ${id}
+			AND deleted_at IS NOT NULL
 		`.execute(this.db);
 
 		return (result.numAffectedRows ?? 0n) > 0n;
@@ -917,8 +928,14 @@ export class ContentRepository {
 	 * Syncs the draft revision's data into the content table columns so the
 	 * content table always reflects the published version.
 	 * If no draft revision exists, creates one from current data and publishes it.
+	 *
+	 * `publishedAt` (optional) overrides the publication timestamp. If omitted,
+	 * the existing `published_at` is preserved (idempotent re-publish keeps the
+	 * original date) and falls back to the current time on first publish. Pass
+	 * an explicit value to backdate a publish (e.g. when migrating content from
+	 * another CMS).
 	 */
-	async publish(type: string, id: string): Promise<ContentItem> {
+	async publish(type: string, id: string, publishedAt?: string): Promise<ContentItem> {
 		const tableName = getTableName(type);
 		const now = new Date().toISOString();
 
@@ -956,17 +973,35 @@ export class ContentRepository {
 			}
 		}
 
-		await sql`
-			UPDATE ${sql.ref(tableName)}
-			SET live_revision_id = ${revisionToPublish},
-				draft_revision_id = NULL,
-				status = 'published',
-				scheduled_at = NULL,
-				published_at = COALESCE(published_at, ${now}),
-				updated_at = ${now}
-			WHERE id = ${id}
-			AND deleted_at IS NULL
-		`.execute(this.db);
+		if (publishedAt !== undefined) {
+			// Caller supplied an explicit timestamp, so we overwrite published_at
+			// directly (used to backdate a publish, e.g. for content migrations).
+			await sql`
+				UPDATE ${sql.ref(tableName)}
+				SET live_revision_id = ${revisionToPublish},
+					draft_revision_id = NULL,
+					status = 'published',
+					scheduled_at = NULL,
+					published_at = ${publishedAt},
+					updated_at = ${now}
+				WHERE id = ${id}
+				AND deleted_at IS NULL
+			`.execute(this.db);
+		} else {
+			// No timestamp supplied — preserve existing published_at on
+			// idempotent re-publish, fall back to `now` on first publish.
+			await sql`
+				UPDATE ${sql.ref(tableName)}
+				SET live_revision_id = ${revisionToPublish},
+					draft_revision_id = NULL,
+					status = 'published',
+					scheduled_at = NULL,
+					published_at = COALESCE(published_at, ${now}),
+					updated_at = ${now}
+				WHERE id = ${id}
+				AND deleted_at IS NULL
+			`.execute(this.db);
+		}
 
 		const updated = await this.findById(type, id);
 		if (!updated) {

package/src/database/repositories/redirect.ts

@@ -28,6 +28,9 @@ export const REFERRER_MAX_LENGTH = 512;
 /** Max stored length for the `User-Agent` header — truncated on insert. */
 export const USER_AGENT_MAX_LENGTH = 256;
 
+/** Pattern to escape LIKE wildcards: %, _, and backslash */
+const LIKE_ESCAPE_RE = /[\\%_]/g;
+
 /**
  * Truncate a header-derived string to `max` chars, preserving `null`/`undefined`
  * as `null`. Empty strings stay empty (the caller decides whether to coerce).
@@ -162,9 +165,15 @@ export class RedirectRepository {
 			.limit(limit + 1);
 
 		if (opts.search) {
-			const term = `%${opts.search}%`;
+			// Escape LIKE wildcards in the search term to prevent injection.
+			// Must include ESCAPE clause for SQLite to recognize backslash as escape char.
+			const escaped = opts.search.replace(LIKE_ESCAPE_RE, (c) => `\\${c}`);
+			const term = `%${escaped}%`;
 			query = query.where((eb) =>
-				eb.or([eb("source", "like", term), eb("destination", "like", term)]),
+				eb.or([
+					sql<boolean>`source LIKE ${term} ESCAPE '\\'`,
+					sql<boolean>`destination LIKE ${term} ESCAPE '\\'`,
+				]),
 			);
 		}
 
@@ -502,7 +511,9 @@ export class RedirectRepository {
 			.limit(limit + 1);
 
 		if (opts.search) {
-			query = query.where("path", "like", `%${opts.search}%`);
+			const escaped = opts.search.replace(LIKE_ESCAPE_RE, (c) => `\\${c}`);
+			const term = `%${escaped}%`;
+			query = query.where(sql<boolean>`path LIKE ${term} ESCAPE '\\'`);
 		}
 
 		if (opts.cursor) {