emdash 0.8.0 → 0.9.0

package/src/astro/middleware/request-context.ts

@@ -12,6 +12,8 @@
 
 import { defineMiddleware } from "astro:middleware";
 
+import { resolveSecretsCached } from "#config/secrets.js";
+
 import { verifyPreviewToken, parseContentId } from "../../preview/tokens.js";
 import { getRequestContext, runWithContext } from "../../request-context.js";
 import { renderToolbar } from "../../visual-editing/toolbar.js";
@@ -79,17 +81,25 @@ export const onRequest = defineMiddleware(async (context, next) => {
 	// eslint-disable-next-line typescript-eslint(no-unsafe-type-assertion) -- Astro context includes currentLocale when i18n is configured
 	const locale = (context as { currentLocale?: string }).currentLocale;
 
-	// Verify preview token if present
+	// Verify preview token if present.
+	// The preview secret is resolved via `resolveSecretsCached`: env wins,
+	// otherwise a DB-stored value is read (or generated on first need).
+	// `emdash.db` is set by the runtime middleware which runs first; the
+	// only path where it's missing is a runtime-init failure.
 	let preview: { collection: string; id: string } | undefined;
 	if (hasPreviewToken) {
-		const secret = import.meta.env.EMDASH_PREVIEW_SECRET || import.meta.env.PREVIEW_SECRET || "";
-
-		if (secret) {
-			const result = await verifyPreviewToken({ url, secret });
+		const db = context.locals.emdash?.db;
+		if (db) {
+			const { previewSecret } = await resolveSecretsCached(db);
+			const result = await verifyPreviewToken({ url, secret: previewSecret });
 			if (result.valid) {
 				const { collection, id } = parseContentId(result.payload.cid);
 				preview = { collection, id };
 			}
+		} else {
+			console.warn(
+				"[emdash] Preview token present but EmDash runtime not initialized; preview disabled.",
+			);
 		}
 	}
 

package/src/astro/middleware.ts

@@ -46,6 +46,7 @@ import type { Database, Storage } from "../index.js";
 import { createPublicMediaUrlResolver } from "../media/url.js";
 import type { SandboxRunner } from "../plugins/sandbox/types.js";
 import type { ResolvedPlugin } from "../plugins/types.js";
+import { invalidateUrlPatternCache } from "../query.js";
 import { getRequestContext, runWithContext } from "../request-context.js";
 import type { EmDashConfig } from "./integration/runtime.js";
 import type { EmDashHandlers } from "./types.js";
@@ -271,8 +272,15 @@ export const onRequest = defineMiddleware(async (context, next) => {
 		// Read the Astro session user once up-front. Both the anonymous fast path
 		// and the full doInit path need this, and the session store is network-backed
 		// (KV / Durable Object) so we want to avoid re-fetching on the hot path.
-		// Skipped entirely for prerendered requests — they have no session.
-		const sessionUser = context.isPrerendered ? null : await context.session?.get("user");
+		// Skipped entirely for:
+		//   - prerendered requests (no session at build time)
+		//   - requests without an `astro-session` cookie (no session to look up)
+		// The cookie check matters on Cloudflare Workers, where Astro's session
+		// backend is KV: calling session.get() on every anonymous public request
+		// turns normal traffic into a flood of KV read misses. See #733.
+		const hasSessionCookie = cookies.get("astro-session") !== undefined;
+		const sessionUser =
+			context.isPrerendered || !hasSessionCookie ? null : await context.session?.get("user");
 
 		if (!isEmDashRoute && !isPublicRuntimeRoute && !hasEditCookie && !hasPreviewToken) {
 			if (!sessionUser && !playgroundDb) {
@@ -394,13 +402,13 @@ export const onRequest = defineMiddleware(async (context, next) => {
 				// Runtime init runs migrations, so the DB is guaranteed set up
 				setupVerified = true;
 
-				// Get manifest (cached after first call)
-				t0 = performance.now();
-				const manifest = await runtime.getManifest();
-				timings.push({ name: "manifest", dur: performance.now() - t0, desc: "Manifest" });
+				// The manifest is no longer pre-loaded here. It's admin-only
+				// content that public/anonymous requests never read, and
+				// loading it on every request put logged-out hot paths on
+				// the same staleness budget as admin operations. Admin
+				// routes call `emdash.getManifest()` directly.
 
 				// Attach to locals for route handlers
-				locals.emdashManifest = manifest;
 				locals.emdash = {
 					// Content handlers
 					handleContentList: runtime.handleContentList.bind(runtime),
@@ -469,8 +477,14 @@ export const onRequest = defineMiddleware(async (context, next) => {
 					// Configuration (for checking database type, auth mode, etc.)
 					config,
 
-					// Manifest invalidation (call after schema changes)
-					invalidateManifest: runtime.invalidateManifest.bind(runtime),
+					// Lazy manifest accessor — admin-only consumers call this on
+					// demand. `requestCached` inside `getManifest` dedupes within
+					// a single request.
+					getManifest: runtime.getManifest.bind(runtime),
+
+					// Clear the URL pattern cache after schema mutations that
+					// affect collection URL patterns.
+					invalidateUrlPatternCache,
 
 					// Sandbox runner (for marketplace plugin install/update)
 					getSandboxRunner: runtime.getSandboxRunner.bind(runtime),

package/src/astro/routes/api/auth/invite/complete.ts

@@ -17,6 +17,7 @@ import { apiError, apiSuccess, handleError } from "#api/error.js";
 import { isParseError, parseBody } from "#api/parse.js";
 import { getPublicOrigin } from "#api/public-url.js";
 import { inviteCompleteBody } from "#api/schemas.js";
+import { getConfiguredAllowedOrigins, validateAllowedOrigins } from "#auth/allowed-origins.js";
 import { createChallengeStore } from "#auth/challenge-store.js";
 import { getPasskeyConfig } from "#auth/passkey-config.js";
 import { OptionsRepository } from "#db/repositories/options.js";
@@ -39,7 +40,11 @@ export const POST: APIRoute = async ({ request, locals, session }) => {
 		const options = new OptionsRepository(emdash.db);
 		const siteName = (await options.get<string>("emdash:site_title")) ?? undefined;
 		const siteUrl = getPublicOrigin(url, emdash?.config);
-		const passkeyConfig = getPasskeyConfig(url, siteName, siteUrl);
+		const allowedOrigins = validateAllowedOrigins(
+			siteUrl,
+			getConfiguredAllowedOrigins(emdash?.config),
+		);
+		const passkeyConfig = getPasskeyConfig(url, siteName, siteUrl, allowedOrigins);
 
 		// Verify the passkey registration response
 		const challengeStore = createChallengeStore(emdash.db);

package/src/astro/routes/api/auth/passkey/register/verify.ts

@@ -15,6 +15,7 @@ import { apiError, apiSuccess } from "#api/error.js";
 import { isParseError, parseBody } from "#api/parse.js";
 import { getPublicOrigin } from "#api/public-url.js";
 import { passkeyRegisterVerifyBody } from "#api/schemas.js";
+import { getConfiguredAllowedOrigins, validateAllowedOrigins } from "#auth/allowed-origins.js";
 import { createChallengeStore } from "#auth/challenge-store.js";
 import { getPasskeyConfig } from "#auth/passkey-config.js";
 import { OptionsRepository } from "#db/repositories/options.js";
@@ -60,7 +61,11 @@ export const POST: APIRoute = async ({ request, locals }) => {
 		const optionsRepo = new OptionsRepository(emdash.db);
 		const siteName = (await optionsRepo.get<string>("emdash:site_title")) ?? undefined;
 		const siteUrl = getPublicOrigin(url, emdash?.config);
-		const passkeyConfig = getPasskeyConfig(url, siteName, siteUrl);
+		const allowedOrigins = validateAllowedOrigins(
+			siteUrl,
+			getConfiguredAllowedOrigins(emdash?.config),
+		);
+		const passkeyConfig = getPasskeyConfig(url, siteName, siteUrl, allowedOrigins);
 
 		// Verify the registration response
 		const challengeStore = createChallengeStore(emdash.db);

package/src/astro/routes/api/auth/passkey/verify.ts

@@ -15,6 +15,7 @@ import { apiError, apiSuccess, handleError } from "#api/error.js";
 import { isParseError, parseBody } from "#api/parse.js";
 import { getPublicOrigin } from "#api/public-url.js";
 import { passkeyVerifyBody } from "#api/schemas.js";
+import { getConfiguredAllowedOrigins, validateAllowedOrigins } from "#auth/allowed-origins.js";
 import { createChallengeStore } from "#auth/challenge-store.js";
 import { getPasskeyConfig } from "#auth/passkey-config.js";
 import { OptionsRepository } from "#db/repositories/options.js";
@@ -35,7 +36,11 @@ export const POST: APIRoute = async ({ request, locals, session }) => {
 		const options = new OptionsRepository(emdash.db);
 		const siteName = (await options.get<string>("emdash:site_title")) ?? undefined;
 		const siteUrl = getPublicOrigin(url, emdash?.config);
-		const passkeyConfig = getPasskeyConfig(url, siteName, siteUrl);
+		const allowedOrigins = validateAllowedOrigins(
+			siteUrl,
+			getConfiguredAllowedOrigins(emdash?.config),
+		);
+		const passkeyConfig = getPasskeyConfig(url, siteName, siteUrl, allowedOrigins);
 
 		// Authenticate with passkey
 		const adapter = createKyselyAdapter(emdash.db);

package/src/astro/routes/api/auth/signup/complete.ts

@@ -17,6 +17,7 @@ import { apiError, apiSuccess, handleError } from "#api/error.js";
 import { isParseError, parseBody } from "#api/parse.js";
 import { getPublicOrigin } from "#api/public-url.js";
 import { signupCompleteBody } from "#api/schemas.js";
+import { getConfiguredAllowedOrigins, validateAllowedOrigins } from "#auth/allowed-origins.js";
 import { createChallengeStore } from "#auth/challenge-store.js";
 import { getPasskeyConfig } from "#auth/passkey-config.js";
 import { OptionsRepository } from "#db/repositories/options.js";
@@ -39,7 +40,11 @@ export const POST: APIRoute = async ({ request, locals, session }) => {
 		const options = new OptionsRepository(emdash.db);
 		const siteName = (await options.get<string>("emdash:site_title")) ?? undefined;
 		const siteUrl = getPublicOrigin(url, emdash?.config);
-		const passkeyConfig = getPasskeyConfig(url, siteName, siteUrl);
+		const allowedOrigins = validateAllowedOrigins(
+			siteUrl,
+			getConfiguredAllowedOrigins(emdash?.config),
+		);
+		const passkeyConfig = getPasskeyConfig(url, siteName, siteUrl, allowedOrigins);
 
 		// Verify the passkey registration response
 		const challengeStore = createChallengeStore(emdash.db);

package/src/astro/routes/api/comments/[collection]/[contentId]/index.ts

@@ -14,6 +14,7 @@ import { createCommentBody } from "#api/schemas.js";
 import { getSiteBaseUrl } from "#api/site-url.js";
 import { sendCommentNotification } from "#comments/notifications.js";
 import { createComment, type CommentHookRunner } from "#comments/service.js";
+import { resolveSecretsCached } from "#config/secrets.js";
 import { CommentRepository } from "#db/repositories/comment.js";
 import { validateIdentifier } from "#db/validate.js";
 import { extractRequestMeta } from "#plugins/request-meta.js";
@@ -140,8 +141,7 @@ export const POST: APIRoute = async ({ params, request, locals }) => {
 
 		// Anti-spam: Rate limiting
 		const meta = extractRequestMeta(request, emdash.config);
-		const ipSalt =
-			import.meta.env.EMDASH_AUTH_SECRET || import.meta.env.AUTH_SECRET || "emdash-ip-salt";
+		const { ipSalt } = await resolveSecretsCached(emdash.db);
 		let ipHash: string;
 		if (meta.ip) {
 			ipHash = await hashIp(meta.ip, ipSalt);

package/src/astro/routes/api/content/[collection]/[id]/discard-draft.ts

@@ -44,11 +44,13 @@ export const POST: APIRoute = async ({ params, locals, cache }) => {
 	const denied = requireOwnerPerm(user, authorId, "content:edit_own", "content:edit_any");
 	if (denied) return denied;
 
-	const result = await emdash.handleContentDiscardDraft(collection, id);
+	const resolvedId = typeof existingItem?.id === "string" ? existingItem.id : id;
+
+	const result = await emdash.handleContentDiscardDraft(collection, resolvedId);
 
 	if (!result.success) return unwrapResult(result);
 
-	if (cache.enabled) await cache.invalidate({ tags: [collection, id] });
+	if (cache.enabled) await cache.invalidate({ tags: [collection, resolvedId] });
 
 	return unwrapResult(result);
 };

package/src/astro/routes/api/content/[collection]/[id]/preview-url.ts

@@ -6,7 +6,7 @@
  * Request body:
  * {
  *   expiresIn?: string | number;  // Default: "1h"
- *   pathPattern?: string;         // Default: "/{collection}/{id}"
+ *   pathPattern?: string;         // Default: "/{collection}/{id}" (or EMDASH_PREVIEW_PATH_PATTERN)
  * }
  *
  * Response:
@@ -22,8 +22,11 @@ import { requirePerm } from "#api/authorize.js";
 import { apiError, apiSuccess, handleError, unwrapResult } from "#api/error.js";
 import { parseOptionalBody, isParseError } from "#api/parse.js";
 import { contentPreviewUrlBody } from "#api/schemas.js";
+import { resolveSecretsCached } from "#config/secrets.js";
 import { getPreviewUrl } from "#preview/index.js";
 
+import { getI18nConfig } from "../../../../../../i18n/config.js";
+
 export const prerender = false;
 
 const DURATION_PATTERN = /^(\d+)([smhdw])$/;
@@ -35,21 +38,23 @@ export const POST: APIRoute = async ({ params, request, locals }) => {
 	const collection = params.collection!;
 	const id = params.id!;
 
-	// Get the preview secret from environment
-	const previewSecret = import.meta.env.EMDASH_PREVIEW_SECRET || import.meta.env.PREVIEW_SECRET;
-
-	if (!previewSecret) {
-		return apiError(
-			"NOT_CONFIGURED",
-			"Preview not configured. Set EMDASH_PREVIEW_SECRET environment variable.",
-			500,
-		);
+	if (!emdash?.db) {
+		return apiError("NOT_CONFIGURED", "EmDash is not initialized", 500);
 	}
 
-	// Verify the content exists (optional, but good for UX)
+	// Resolve the preview secret. Env override wins; otherwise a stable
+	// site-specific value is read from (or generated into) the options table.
+	// The resolver always returns a usable secret, so this path can no
+	// longer be silently disabled by a missing env var.
+	const { previewSecret } = await resolveSecretsCached(emdash.db);
+
+	// Verify the content exists. The fetched item also yields the entry's
+	// locale, used below to resolve the `{locale}` placeholder.
+	let entryLocale: string | null = null;
 	if (emdash?.handleContentGet) {
 		const result = await emdash.handleContentGet(collection, id);
 		if (!result.success) return unwrapResult(result);
+		entryLocale = result.data?.item?.locale ?? null;
 	}
 
 	// Parse request body
@@ -57,7 +62,23 @@ export const POST: APIRoute = async ({ params, request, locals }) => {
 	if (isParseError(body)) return body;
 
 	const expiresIn = body.expiresIn || "1h";
-	const pathPattern = body.pathPattern;
+	// Allow a project-wide default `pathPattern` so the admin's "View on site"
+	// link can match the site's actual route shape without each call having
+	// to override the default `/{collection}/{id}`.
+	const defaultPathPattern = import.meta.env.EMDASH_PREVIEW_PATH_PATTERN || "/{collection}/{id}";
+	const pathPattern = body.pathPattern || defaultPathPattern;
+
+	// Resolve the locale segment substituted for `{locale}`: empty when the
+	// entry is in the default locale and `prefixDefaultLocale` is `false`,
+	// the entry's own locale otherwise.
+	const i18n = getI18nConfig();
+	let localeSegment = "";
+	if (entryLocale && i18n) {
+		const isDefault = entryLocale === i18n.defaultLocale;
+		localeSegment = isDefault && !i18n.prefixDefaultLocale ? "" : entryLocale;
+	} else if (entryLocale) {
+		localeSegment = entryLocale;
+	}
 
 	// Calculate expiry timestamp
 	const expiresInSeconds = typeof expiresIn === "number" ? expiresIn : parseExpiresIn(expiresIn);
@@ -70,6 +91,7 @@ export const POST: APIRoute = async ({ params, request, locals }) => {
 			secret: previewSecret,
 			expiresIn,
 			pathPattern,
+			locale: localeSegment,
 		});
 
 		return apiSuccess({ url, expiresAt });

package/src/astro/routes/api/content/[collection]/[id]/publish.ts

@@ -2,16 +2,25 @@
  * Publish content - promotes draft to live
  *
  * POST /_emdash/api/content/{collection}/{id}/publish
+ *
+ * Optional JSON body: { publishedAt?: string }
+ *   publishedAt — ISO 8601 datetime to backdate the publish (e.g. when
+ *   migrating content). Writing publishedAt requires content:publish_any.
+ *   Without it, the existing published_at is preserved on re-publish and
+ *   falls back to the current time on first publish.
  */
 
+import { hasPermission } from "@emdash-cms/auth";
 import type { APIRoute } from "astro";
 
 import { requireOwnerPerm } from "#api/authorize.js";
 import { apiError, mapErrorStatus, unwrapResult } from "#api/error.js";
+import { isParseError, parseOptionalBody } from "#api/parse.js";
+import { contentPublishBody } from "#api/schemas.js";
 
 export const prerender = false;
 
-export const POST: APIRoute = async ({ params, locals, cache }) => {
+export const POST: APIRoute = async ({ params, request, locals, cache }) => {
 	const { emdash, user } = locals;
 	const collection = params.collection!;
 	const id = params.id!;
@@ -20,6 +29,11 @@ export const POST: APIRoute = async ({ params, locals, cache }) => {
 		return apiError("NOT_CONFIGURED", "EmDash is not initialized", 500);
 	}
 
+	// Body is optional — empty body means use the legacy behavior (preserve
+	// or default published_at). Pass `publishedAt` to backdate.
+	const body = await parseOptionalBody(request, contentPublishBody, {});
+	if (isParseError(body)) return body;
+
 	// Fetch item to check ownership
 	const existing = await emdash.handleContentGet(collection, id);
 	if (!existing.success) {
@@ -44,9 +58,25 @@ export const POST: APIRoute = async ({ params, locals, cache }) => {
 	const denied = requireOwnerPerm(user, authorId, "content:publish_own", "content:publish_any");
 	if (denied) return denied;
 
+	// Schema narrows `publishedAt` to `string | undefined`; null is rejected
+	// at the schema layer (publish has no semantic meaning for "clear").
+	const publishedAt = body?.publishedAt;
+
+	// Backdating overwrites historical record — gate behind publish_any
+	// regardless of ownership.
+	if (publishedAt !== undefined && !hasPermission(user, "content:publish_any")) {
+		return apiError(
+			"FORBIDDEN",
+			"Setting publishedAt requires content:publish_any permission",
+			403,
+		);
+	}
+
 	const resolvedId = typeof existingItem?.id === "string" ? existingItem.id : id;
 
-	const result = await emdash.handleContentPublish(collection, resolvedId);
+	const result = await emdash.handleContentPublish(collection, resolvedId, {
+		publishedAt,
+	});
 
 	if (!result.success) return unwrapResult(result);
 

package/src/astro/routes/api/content/[collection]/[id]/restore.ts

@@ -44,11 +44,13 @@ export const POST: APIRoute = async ({ params, locals, cache }) => {
 	const denied = requireOwnerPerm(user, authorId, "content:edit_own", "content:edit_any");
 	if (denied) return denied;
 
-	const result = await emdash.handleContentRestore(collection, id);
+	const resolvedId = typeof existingItem?.id === "string" ? existingItem.id : id;
+
+	const result = await emdash.handleContentRestore(collection, resolvedId);
 
 	if (!result.success) return unwrapResult(result);
 
-	if (cache.enabled) await cache.invalidate({ tags: [collection, id] });
+	if (cache.enabled) await cache.invalidate({ tags: [collection, resolvedId] });
 
 	return unwrapResult(result);
 };

package/src/astro/routes/api/content/[collection]/[id]/revisions.ts

@@ -22,9 +22,10 @@ export const GET: APIRoute = async ({ params, url, locals }) => {
 		return apiError("NOT_CONFIGURED", "EmDash is not initialized", 500);
 	}
 
-	const limit = url.searchParams.get("limit");
+	const limitParam = url.searchParams.get("limit");
+	const parsedLimit = limitParam ? parseInt(limitParam, 10) : undefined;
 	const result = await emdash.handleRevisionList(collection, id, {
-		limit: limit ? parseInt(limit, 10) : undefined,
+		limit: parsedLimit ? Math.max(1, Math.min(parsedLimit, 100)) : undefined,
 	});
 
 	return unwrapResult(result);

package/src/astro/routes/api/content/[collection]/[id]/terms/[taxonomy].ts

@@ -98,6 +98,10 @@ export const POST: APIRoute = async ({ params, request, locals }) => {
 	const editDenied = requireOwnerPerm(user, authorId, "content:edit_own", "content:edit_any");
 	if (editDenied) return editDenied;
 
+	// Resolve the canonical content ID from the handler result.
+	// The URL `id` param may be a slug; we must use the real ID for term storage.
+	const canonicalId = typeof existingItem?.id === "string" ? existingItem.id : id;
+
 	try {
 		const body = await parseBody(request, contentTermsBody);
 		if (isParseError(body)) return body;
@@ -120,15 +124,15 @@ export const POST: APIRoute = async ({ params, request, locals }) => {
 			}
 		}
 
-		// Set the terms (replaces existing)
-		await repo.setTermsForEntry(collection, id, taxonomy, termIds);
+		// Set the terms (replaces existing) using the canonical ID
+		await repo.setTermsForEntry(collection, canonicalId, taxonomy, termIds);
 
 		// Term assignments changed — invalidate the hasAnyTermAssignments cache
 		// so hydration on subsequent reads issues a fresh query.
 		invalidateTermCache();
 
-		// Get the updated terms
-		const terms = await repo.getTermsForEntry(collection, id, taxonomy);
+		// Get the updated terms using the canonical ID
+		const terms = await repo.getTermsForEntry(collection, canonicalId, taxonomy);
 
 		return apiSuccess({
 			terms: terms.map((t) => ({

package/src/astro/routes/api/content/[collection]/[id].ts

@@ -47,6 +47,18 @@ export const GET: APIRoute = async ({ params, url, locals }) => {
 		if (status !== "published") {
 			return apiError("NOT_FOUND", `Content item not found: ${id}`, 404);
 		}
+
+		// Strip draft hydration data from response for users without read_drafts.
+		// handleContentGet overlays draft revision data onto item.data and exposes
+		// the published values in item.liveData. Without this, subscribers see
+		// unpublished edits in the data field.
+		if (item) {
+			if (item.liveData && typeof item.liveData === "object") {
+				item.data = item.liveData;
+			}
+			delete item.liveData;
+			delete item.draftRevisionId;
+		}
 	}
 
 	return unwrapResult(result);

package/src/astro/routes/api/import/wordpress/execute.ts

@@ -60,7 +60,7 @@ export interface ImportResult {
 }
 
 export const POST: APIRoute = async ({ request, locals }) => {
-	const { emdash, emdashManifest, user } = locals;
+	const { emdash, user } = locals;
 
 	const denied = requirePerm(user, "import:execute");
 	if (denied) return denied;
@@ -70,6 +70,8 @@ export const POST: APIRoute = async ({ request, locals }) => {
 	}
 
 	try {
+		const emdashManifest = await emdash.getManifest();
+
 		const formData = await request.formData();
 		const fileEntry = formData.get("file");
 		const file = fileEntry instanceof File ? fileEntry : null;

package/src/astro/routes/api/import/wordpress/prepare.ts

@@ -58,14 +58,13 @@ export const POST: APIRoute = async ({ request, locals }) => {
 		// eslint-disable-next-line typescript-eslint(no-unsafe-type-assertion) -- Zod schema output narrowed to PrepareRequest
 		const result = await prepareImport(emdash.db, body as PrepareRequest);
 
-		// If prepare created any new collections or fields, invalidate the
-		// persisted manifest cache (`emdash:manifest_cache` in the options
-		// table) so that the execute endpoint -- a separate request -- sees
-		// the new schema. Without this the execute step reads a stale
-		// manifest and reports `Collection "<slug>" does not exist` for
-		// every item destined for a freshly-created collection. See #747.
-		if (result.collectionsCreated.length > 0 || result.fieldsCreated.length > 0) {
-			emdash.invalidateManifest();
+		// Invalidate the URL pattern cache when prepare adds new collections so
+		// public routing picks up their patterns immediately. The manifest
+		// itself is built fresh per admin request, so cross-request
+		// staleness (the original failure mode in #747) is no longer
+		// possible — the execute step always reads live schema.
+		if (result.collectionsCreated.length > 0) {
+			emdash.invalidateUrlPatternCache();
 		}
 
 		return apiSuccess(result, result.success ? 200 : 400);

package/src/astro/routes/api/import/wordpress-plugin/execute.ts

@@ -36,7 +36,7 @@ export interface WpPluginImportResponse {
 }
 
 export const POST: APIRoute = async ({ request, locals }) => {
-	const { emdash, emdashManifest, user } = locals;
+	const { emdash, user } = locals;
 
 	const denied = requirePerm(user, "import:execute");
 	if (denied) return denied;
@@ -46,6 +46,8 @@ export const POST: APIRoute = async ({ request, locals }) => {
 	}
 
 	try {
+		const emdashManifest = await emdash.getManifest();
+
 		const body = await parseBody(request, wpPluginExecuteBody);
 		if (isParseError(body)) return body;
 

package/src/astro/routes/api/manifest.ts

@@ -9,64 +9,81 @@
 
 import type { APIRoute } from "astro";
 
+import { handleError } from "#api/error.js";
 import { getAuthMode } from "#auth/mode.js";
 
 import { COMMIT, VERSION } from "../../../version.js";
-import { getStoredConfig } from "../../integration/runtime.js";
 import type { EmDashManifest } from "../../types.js";
 
 export const prerender = false;
 
 export const GET: APIRoute = async ({ locals }) => {
-	const { emdashManifest, emdash } = locals;
+	const { emdash } = locals;
 
-	// Determine auth mode from config
-	const authMode = getAuthMode(emdash?.config);
+	try {
+		// Manifest is built fresh from the live database per admin request.
+		// `requestCached` inside `getManifest` dedupes if multiple consumers
+		// share the request. Wrapped in try/catch so any future DB-touching
+		// additions to `getManifest()` (plugin manifest loading, marketplace
+		// lookup, etc.) return the standard error envelope rather than an
+		// unstructured 500 — matches the pattern used by the WP execute
+		// routes.
+		const emdashManifest = emdash ? await emdash.getManifest() : null;
 
-	// Read admin branding from build-time config
-	const storedConfig = getStoredConfig();
-	const adminBranding = storedConfig?.admin;
+		// Determine auth mode from config
+		const authMode = getAuthMode(emdash?.config);
 
-	// Check if self-signup is enabled (any allowed domain with enabled = 1)
-	// Only relevant for passkey auth — external auth providers handle their own signup
-	let signupEnabled = false;
-	if (emdash?.db && authMode.type === "passkey") {
-		try {
-			const { sql } = await import("kysely");
-			const result = await sql<{ cnt: unknown }>`
-				SELECT COUNT(*) as cnt FROM allowed_domains WHERE enabled = 1
-			`.execute(emdash.db);
-			signupEnabled = Number(result.rows[0]?.cnt ?? 0) > 0;
-		} catch {
-			// Table may not exist yet, that's fine
-		}
-	}
+		// Read admin branding from the per-request config plumbed through middleware
+		// (same source admin.astro reads from). Reading from a build-time global
+		// here was unreliable -- the virtual config module exports the config but
+		// doesn't assign it to globalThis, so getStoredConfig() always returned
+		// null and the React SPA never received custom logo/siteName/favicon.
+		// See issue #835.
+		const adminBranding = emdash?.config?.admin;
 
-	const manifest: EmDashManifest = emdashManifest
-		? {
-				...emdashManifest,
-				authMode: authMode.type === "external" ? authMode.providerType : "passkey",
-				signupEnabled,
-				admin: adminBranding,
+		// Check if self-signup is enabled (any allowed domain with enabled = 1)
+		// Only relevant for passkey auth — external auth providers handle their own signup
+		let signupEnabled = false;
+		if (emdash?.db && authMode.type === "passkey") {
+			try {
+				const { sql } = await import("kysely");
+				const result = await sql<{ cnt: unknown }>`
+					SELECT COUNT(*) as cnt FROM allowed_domains WHERE enabled = 1
+				`.execute(emdash.db);
+				signupEnabled = Number(result.rows[0]?.cnt ?? 0) > 0;
+			} catch {
+				// Table may not exist yet, that's fine
 			}
-		: {
-				version: VERSION,
-				commit: COMMIT,
-				hash: "default",
-				collections: {},
-				plugins: {},
-				taxonomies: [],
-				authMode: "passkey",
-				signupEnabled,
-				admin: adminBranding,
-			};
+		}
 
-	return Response.json(
-		{ data: manifest },
-		{
-			headers: {
-				"Cache-Control": "private, no-store",
+		const manifest: EmDashManifest = emdashManifest
+			? {
+					...emdashManifest,
+					authMode: authMode.type === "external" ? authMode.providerType : "passkey",
+					signupEnabled,
+					admin: adminBranding,
+				}
+			: {
+					version: VERSION,
+					commit: COMMIT,
+					hash: "default",
+					collections: {},
+					plugins: {},
+					taxonomies: [],
+					authMode: "passkey",
+					signupEnabled,
+					admin: adminBranding,
+				};
+
+		return Response.json(
+			{ data: manifest },
+			{
+				headers: {
+					"Cache-Control": "private, no-store",
+				},
 			},
-		},
-	);
+		);
+	} catch (error) {
+		return handleError(error, "Failed to build manifest", "MANIFEST_BUILD_ERROR");
+	}
 };