emdash 0.8.0 → 0.9.0

package/src/auth/allowed-origins.ts

@@ -0,0 +1,168 @@
+/**
+ * Resolution and validation of multi-origin passkey verification.
+ *
+ * `allowedOrigins` lets one EmDash deployment accept passkey assertions from
+ * several hostnames sharing the same `rpId` (e.g. apex + preview/staging
+ * subdomains under one registrable parent). Origins come from two sources:
+ *
+ *   - `EmDashConfig.allowedOrigins` (declared in `astro.config.mjs`)
+ *   - `EMDASH_ALLOWED_ORIGINS` (comma-separated runtime env var)
+ *
+ * Sources are merged (union of permissions, deduplicated). Each entry is
+ * validated against `siteUrl` to fail loud on dead config the browser would
+ * never honor.
+ */
+
+import { getEnvAllowedOrigins } from "../api/public-url.js";
+import type { EmDashConfig } from "../astro/integration/runtime.js";
+
+export type AllowedOriginSource = "config.allowedOrigins" | "EMDASH_ALLOWED_ORIGINS";
+
+export interface TaggedOrigin {
+	/** Raw entry as declared by the operator. */
+	origin: string;
+	/** Where the entry came from (used for source-attributed errors). */
+	source: AllowedOriginSource;
+}
+
+/**
+ * Collect raw allowedOrigins from config and env, source-tagged.
+ *
+ * Returns raw values — the caller is expected to pass the result through
+ * `validateAllowedOrigins()` before use in passkey verification.
+ */
+export function getConfiguredAllowedOrigins(config?: EmDashConfig): TaggedOrigin[] {
+	const tagged: TaggedOrigin[] = [];
+	if (config?.allowedOrigins) {
+		for (const origin of config.allowedOrigins) {
+			if (origin) tagged.push({ origin, source: "config.allowedOrigins" });
+		}
+	}
+	for (const origin of getEnvAllowedOrigins()) {
+		tagged.push({ origin, source: "EMDASH_ALLOWED_ORIGINS" });
+	}
+	return tagged;
+}
+
+/**
+ * Validate per-entry shape rules (no `siteUrl` needed):
+ *   - parses as `URL`
+ *   - protocol is `http:` or `https:`
+ *   - hostname has no trailing dot (`example.com.` rejected)
+ *   - hostname has no empty labels (`foo..example.com` rejected)
+ *
+ * Returns the deduplicated, normalized origin form (`URL.origin`) of every
+ * input, in input order. Throws on the first violation with a source-tagged
+ * error message.
+ */
+export function validateOriginShape(tagged: TaggedOrigin[]): string[] {
+	const normalized: string[] = [];
+	const seen = new Set<string>();
+	for (const { origin, source } of tagged) {
+		let parsed: URL;
+		try {
+			parsed = new URL(origin);
+		} catch (e) {
+			throw configError(source, `invalid URL: "${origin}"`, e);
+		}
+		if (parsed.protocol !== "http:" && parsed.protocol !== "https:") {
+			throw configError(
+				source,
+				`origin must be http or https: "${origin}" (got ${parsed.protocol})`,
+			);
+		}
+		if (parsed.hostname.endsWith(".")) {
+			throw configError(
+				source,
+				`hostname has a trailing dot: "${origin}". Remove the trailing dot — assertion origins from the browser do not include it.`,
+			);
+		}
+		if (parsed.hostname.split(".").includes("")) {
+			throw configError(source, `hostname has empty labels: "${origin}"`);
+		}
+		if (!seen.has(parsed.origin)) {
+			seen.add(parsed.origin);
+			normalized.push(parsed.origin);
+		}
+	}
+	return normalized;
+}
+
+/**
+ * Validate the effective merged allowedOrigins set against `siteUrl`.
+ *
+ * Performs `validateOriginShape()` plus the siteUrl-dependent rules:
+ *   - Rule A: non-empty origins ⇒ `siteUrl` is set
+ *   - `siteUrl` hostname is not an IP literal (multi-origin requires a domain)
+ *   - `siteUrl` hostname has no trailing dot (cannot match assertion origins)
+ *   - Rule B: each origin's hostname is `siteHost` exactly or a subdomain
+ *
+ * Throws on first violation. Returns the deduplicated normalized origins.
+ *
+ * Use this at the runtime chokepoint (where config + env are merged into the
+ * effective set). At Astro integration init, prefer `validateOriginShape()`
+ * for shape-only checks on `config.allowedOrigins`, since `siteUrl` may be
+ * supplied at runtime via `EMDASH_SITE_URL`.
+ */
+export function validateAllowedOrigins(
+	siteUrl: string | undefined,
+	tagged: TaggedOrigin[],
+): string[] {
+	const normalized = validateOriginShape(tagged);
+	if (normalized.length === 0) return normalized;
+
+	if (!siteUrl) {
+		throw new Error(
+			`EmDash config error: allowedOrigins is set (${normalized.length} ${
+				normalized.length === 1 ? "entry" : "entries"
+			}) but siteUrl is not. Without a canonical siteUrl, rpId is derived from the request hostname, defeating multi-origin passkeys. Set siteUrl in astro.config.mjs or via EMDASH_SITE_URL.`,
+		);
+	}
+
+	let siteHost: string;
+	try {
+		siteHost = new URL(siteUrl).hostname;
+	} catch (e) {
+		throw new Error(`EmDash config error: siteUrl is not a valid URL: "${siteUrl}"`, {
+			cause: e,
+		});
+	}
+
+	if (siteHost.endsWith(".")) {
+		throw new Error(
+			`EmDash config error: siteUrl "${siteUrl}" has a trailing-dot hostname, which cannot match assertion origins. Remove the trailing dot when using allowedOrigins.`,
+		);
+	}
+	if (isIPLiteralHostname(siteHost)) {
+		throw new Error(
+			`EmDash config error: siteUrl "${siteUrl}" uses an IP-literal hostname. Multi-origin passkeys require a domain-based siteUrl — IP addresses cannot have valid subdomains for WebAuthn rpId.`,
+		);
+	}
+
+	for (const { origin, source } of tagged) {
+		const h = new URL(origin).hostname;
+		if (h !== siteHost && !h.endsWith("." + siteHost)) {
+			throw configError(
+				source,
+				`"${origin}" is not a subdomain of siteUrl "${siteUrl}". Allowed origins must be the same hostname as siteUrl or a subdomain of it.`,
+			);
+		}
+	}
+
+	return normalized;
+}
+
+function configError(source: AllowedOriginSource, detail: string, cause?: unknown): Error {
+	const err = new Error(`EmDash config error in ${source}: ${detail}`);
+	if (cause !== undefined) (err as Error & { cause?: unknown }).cause = cause;
+	return err;
+}
+
+const IPV4_DOTTED_DECIMAL_RE = /^\d+(\.\d+){3}$/;
+
+function isIPLiteralHostname(h: string): boolean {
+	// IPv6 hostnames are bracketed by URL.hostname, e.g. "[::1]"
+	if (h.startsWith("[")) return true;
+	// IPv4 dotted-decimal
+	return IPV4_DOTTED_DECIMAL_RE.test(h);
+}

package/src/auth/passkey-config.ts

@@ -9,7 +9,12 @@
 export interface PasskeyConfig {
 	rpName: string;
 	rpId: string;
-	origin: string;
+	/**
+	 * Accepted client-data origins. First entry is the canonical/preferred origin;
+	 * additional entries support multi-origin deployments (e.g. apex + preview
+	 * subdomain sharing the same `rpId`). See `allowedOrigins` parameter.
+	 */
+	origins: string[];
 }
 
 /**
@@ -18,10 +23,22 @@ export interface PasskeyConfig {
  * @param url The request URL (typically `new URL(Astro.request.url)` or `new URL(request.url)`)
  * @param siteName Optional site name for rpName (defaults to hostname from `url` or public origin)
  * @param siteUrl Optional browser-facing origin (see `EmDashConfig.siteUrl`).
- *        When set, **origin** and **rpId** are taken from this URL so they match WebAuthn `clientData.origin`.
+ *        When set, the canonical **origin** and **rpId** are taken from this URL.
+ * @param allowedOrigins Optional list of additional accepted origins for verification.
+ *        Each must share `rpId` with the canonical origin (WebAuthn requirement).
+ *        Typical use: apex + preview subdomain on the same registrable domain.
  * @throws If `siteUrl` is non-empty but not parseable by `new URL()`.
  */
-export function getPasskeyConfig(url: URL, siteName?: string, siteUrl?: string): PasskeyConfig {
+export function getPasskeyConfig(
+	url: URL,
+	siteName?: string,
+	siteUrl?: string,
+	allowedOrigins?: string[],
+): PasskeyConfig {
+	let rpName: string;
+	let rpId: string;
+	let canonicalOrigin: string;
+
 	if (siteUrl) {
 		let publicUrl: URL;
 		try {
@@ -29,16 +46,21 @@ export function getPasskeyConfig(url: URL, siteName?: string, siteUrl?: string):
 		} catch (e) {
 			throw new Error(`Invalid siteUrl: "${siteUrl}"`, { cause: e });
 		}
-		return {
-			rpName: siteName || publicUrl.hostname,
-			rpId: publicUrl.hostname,
-			origin: publicUrl.origin,
-		};
+		rpName = siteName || publicUrl.hostname;
+		rpId = publicUrl.hostname;
+		canonicalOrigin = publicUrl.origin;
+	} else {
+		rpName = siteName || url.hostname;
+		rpId = url.hostname;
+		canonicalOrigin = url.origin;
+	}
+
+	const origins = [canonicalOrigin];
+	if (allowedOrigins) {
+		for (const extra of allowedOrigins) {
+			if (extra && !origins.includes(extra)) origins.push(extra);
+		}
 	}
 
-	return {
-		rpName: siteName || url.hostname,
-		rpId: url.hostname,
-		origin: url.origin,
-	};
+	return { rpName, rpId, origins };
 }

package/src/bylines/index.ts

@@ -12,7 +12,6 @@ import { BylineRepository } from "../database/repositories/byline.js";
 import type { BylineSummary, ContentBylineCredit } from "../database/repositories/types.js";
 import { validateIdentifier } from "../database/validate.js";
 import { getDb } from "../loader.js";
-import { chunks, SQL_BATCH_SIZE } from "../utils/chunks.js";
 import { isMissingTableError } from "../utils/db-errors.js";
 
 /**
@@ -73,15 +72,11 @@ export async function getBylineBySlug(slug: string): Promise<BylineSummary | nul
  * but the entry has an `authorId`, falls back to the user-linked byline
  * (marked as source: "inferred").
  *
- * @example
- * ```ts
- * import { getEntryBylines } from "emdash";
- *
- * const bylines = await getEntryBylines("posts", post.data.id);
- * for (const credit of bylines) {
- *   console.log(credit.byline.displayName, credit.roleLabel);
- * }
- * ```
+ * Internal: not re-exported from the `emdash` package entry point. Every
+ * entry returned by `getEmDashCollection` / `getEmDashEntry` already has
+ * `data.bylines` populated by `hydrateEntryBylines` (which uses the batch
+ * helper `getBylinesForEntries` directly). Site code should read those
+ * fields rather than calling this function.
  */
 export async function getEntryBylines(
 	collection: string,
@@ -108,55 +103,55 @@ export async function getEntryBylines(
 	return [];
 }
 
+/**
+ * An entry reference for batch byline lookups.
+ *
+ * `authorId` is read directly from the row when computing the inferred-byline
+ * fallback — passing it in avoids a redundant `SELECT id, author_id` against
+ * the content table after every list/entry fetch.
+ */
+export interface BylineEntry {
+	id: string;
+	authorId: string | null;
+}
+
 /**
  * Batch-fetch byline credits for multiple content entries in a single query.
  *
- * This is more efficient than calling getEntryBylines for each entry
- * when you need bylines for a list of entries (e.g., a blog index page).
+ * Internal: consumed by `hydrateEntryBylines` in `query.ts` so that every
+ * entry returned from `getEmDashCollection` / `getEmDashEntry` already has
+ * `data.bylines` populated. Site code should rely on that eager hydration
+ * rather than calling this directly -- this function is not re-exported
+ * from the `emdash` package entry point.
  *
  * @param collection - The collection slug (e.g., "posts")
- * @param entryIds - Array of entry IDs
+ * @param entries - Entry id + authorId pairs (authorId is already on the row)
  * @returns Map from entry ID to array of byline credits
- *
- * @example
- * ```ts
- * import { getBylinesForEntries, getEmDashCollection } from "emdash";
- *
- * const { entries } = await getEmDashCollection("posts");
- * const ids = entries.map(e => e.data.id);
- * const bylinesMap = await getBylinesForEntries("posts", ids);
- *
- * for (const entry of entries) {
- *   const bylines = bylinesMap.get(entry.data.id) ?? [];
- *   // render bylines
- * }
- * ```
  */
 export async function getBylinesForEntries(
 	collection: string,
-	entryIds: string[],
+	entries: BylineEntry[],
 ): Promise<Map<string, ContentBylineCredit[]>> {
 	validateIdentifier(collection, "collection");
 	const result = new Map<string, ContentBylineCredit[]>();
 
-	// Initialize all entry IDs with empty arrays
-	for (const id of entryIds) {
+	for (const { id } of entries) {
 		result.set(id, []);
 	}
 
-	if (entryIds.length === 0) {
+	if (entries.length === 0) {
 		return result;
 	}
 
 	const db = await getDb();
 	const repo = new BylineRepository(db);
+	const entryIds = entries.map((e) => e.id);
 
-	// 1. Batch fetch all explicit byline credits. Sites with no bylines
-	// get an empty map back for one query — the previous "has any bylines"
-	// probe traded an extra round-trip on every request to save that one
-	// query on empty sites, which is exactly backwards for the common case.
-	// Pre-migration databases (bylines table missing) fall through to the
-	// `isMissingTableError` catch below and return empty results.
+	// Sites with no bylines get an empty map back for one query — the previous
+	// "has any bylines" probe traded an extra round-trip on every request to
+	// save that one query on empty sites, which is exactly backwards for the
+	// common case. Pre-migration databases (bylines table missing) fall
+	// through to the `isMissingTableError` catch below and return empty.
 	let bylinesMap;
 	try {
 		bylinesMap = await repo.getContentBylinesMany(collection, entryIds);
@@ -165,32 +160,17 @@ export async function getBylinesForEntries(
 		throw error;
 	}
 
-	// 2. Collect entry IDs that need fallback lookup
-	const fallbackEntryIds: string[] = [];
-	const needsFallback: Map<string, string> = new Map(); // entryId -> authorId
-
-	for (const id of entryIds) {
-		if (!bylinesMap.has(id)) {
-			// Need to check author_id for this entry — but we only have the IDs,
-			// so batch-fetch them from the content table
-			fallbackEntryIds.push(id);
+	const needsFallback = new Map<string, string>();
+	for (const { id, authorId } of entries) {
+		if (!bylinesMap.has(id) && authorId) {
+			needsFallback.set(id, authorId);
 		}
 	}
 
-	// Batch-fetch author_ids for entries that need fallback
-	if (fallbackEntryIds.length > 0) {
-		const authorMap = await getAuthorIds(db, collection, fallbackEntryIds);
-		for (const [entryId, authorId] of authorMap) {
-			needsFallback.set(entryId, authorId);
-		}
-	}
-
-	// 3. Batch fetch user-linked bylines for fallback
 	const uniqueAuthorIds = [...new Set(needsFallback.values())];
 	const authorBylineMap = await repo.findByUserIds(uniqueAuthorIds);
 
-	// 4. Assign results
-	for (const id of entryIds) {
+	for (const { id } of entries) {
 		const explicit = bylinesMap.get(id);
 		if (explicit && explicit.length > 0) {
 			result.set(
@@ -205,11 +185,8 @@ export async function getBylinesForEntries(
 			const fallback = authorBylineMap.get(authorId);
 			if (fallback) {
 				result.set(id, [{ byline: fallback, sortOrder: 0, roleLabel: null, source: "inferred" }]);
-				continue;
 			}
 		}
-
-		// Already initialized with empty array
 	}
 
 	return result;
@@ -235,31 +212,3 @@ async function getAuthorId(
 
 	return result.rows[0]?.author_id ?? null;
 }
-
-/**
- * Batch-fetch author_ids for multiple content entries.
- * Returns Map<entryId, authorId> (only entries with non-null author_id).
- */
-async function getAuthorIds(
-	db: Awaited<ReturnType<typeof getDb>>,
-	collection: string,
-	entryIds: string[],
-): Promise<Map<string, string>> {
-	validateIdentifier(collection, "collection");
-	const tableName = `ec_${collection}`;
-
-	const map = new Map<string, string>();
-	for (const chunk of chunks(entryIds, SQL_BATCH_SIZE)) {
-		const result = await sql<{ id: string; author_id: string | null }>`
-			SELECT id, author_id FROM ${sql.ref(tableName)}
-			WHERE id IN (${sql.join(chunk.map((id) => sql`${id}`))})
-		`.execute(db);
-
-		for (const row of result.rows) {
-			if (row.author_id) {
-				map.set(row.id, row.author_id);
-			}
-		}
-	}
-	return map;
-}

package/src/cli/commands/auth.ts

@@ -1,5 +1,22 @@
 /**
- * Auth CLI commands
+ * Auth CLI commands (deprecated)
+ *
+ * Kept as a deprecated alias for backwards compatibility. The original
+ * `emdash auth secret` was documented in published docs and is plausibly
+ * scripted in user CI (e.g. `npx emdash auth secret >> .env`). Removing
+ * it outright would break those scripts on minor-version upgrade.
+ *
+ * The command still emits an `EMDASH_AUTH_SECRET=<32-byte-base64url>`
+ * line, unchanged. `EMDASH_AUTH_SECRET` itself is now legacy: it's only
+ * read as a fallback source for the commenter-IP hash salt so installs
+ * upgrading from a prior version keep stable IP hashes (and therefore
+ * stable rate-limit buckets). New installs don't need to set it.
+ *
+ * The deprecation note steers users toward `emdash secrets generate`
+ * (which emits a different, versioned `emdash_enc_v1_*` value for
+ * `EMDASH_ENCRYPTION_KEY` — used to encrypt plugin secrets at rest).
+ *
+ * Will be removed in a future minor.
  */
 
 import { defineCommand } from "citty";
@@ -8,9 +25,6 @@ import pc from "picocolors";
 
 import { encodeBase64url } from "../../utils/base64.js";
 
-/**
- * Generate a cryptographically secure auth secret
- */
 function generateAuthSecret(): string {
 	const bytes = new Uint8Array(32);
 	crypto.getRandomValues(bytes);
@@ -20,11 +34,13 @@ function generateAuthSecret(): string {
 const secretCommand = defineCommand({
 	meta: {
 		name: "secret",
-		description: "Generate a secure auth secret",
+		description: "[DEPRECATED] Generate a value for legacy EMDASH_AUTH_SECRET",
 	},
 	run() {
 		const secret = generateAuthSecret();
 
+		// Match the original behavior verbatim: pretty-printed name=value
+		// on stdout (most scripts piped this to a file expecting that shape).
 		consola.log("");
 		consola.log(pc.bold("Generated auth secret:"));
 		consola.log("");
@@ -32,13 +48,19 @@ const secretCommand = defineCommand({
 		consola.log("");
 		consola.log(pc.dim("Add this to your environment variables."));
 		consola.log("");
+		// Deprecation note on stderr so it doesn't break stdout consumers.
+		process.stderr.write(
+			`${pc.yellow("Note:")} ${pc.bold("emdash auth secret")} is deprecated and will be removed in a future minor. ` +
+				`${pc.cyan("EMDASH_AUTH_SECRET")} itself is now optional — it's only used as a legacy fallback for the commenter-IP hash salt. ` +
+				`For encrypting plugin secrets at rest, use ${pc.bold("emdash secrets generate")} (a different secret: ${pc.cyan("EMDASH_ENCRYPTION_KEY")}).\n`,
+		);
 	},
 });
 
 export const authCommand = defineCommand({
 	meta: {
 		name: "auth",
-		description: "Authentication utilities",
+		description: "[DEPRECATED] Authentication utilities (use `emdash secrets` for new flows)",
 	},
 	subCommands: {
 		secret: secretCommand,

package/src/cli/commands/bundle-utils.ts

@@ -30,8 +30,17 @@ export const ICON_SIZE = 256;
 
 // ── Regex patterns (module-scope to avoid re-compilation) ────────────────────
 
-/** Matches require("node:xxx") / require("xxx") / import("node:xxx") in bundled output */
-const NODE_BUILTIN_IMPORT_RE = /(?:import|require)\s*\(?["'](?:node:)?([a-z_]+)["']\)?/g;
+/**
+ * Matches Node.js built-in imports in bundled output:
+ * - require("node:xxx") / require("xxx")
+ * - import("node:xxx") / import("xxx")
+ * - import X from "node:xxx" / import { X } from "node:xxx"
+ * - import * as X from "node:xxx"
+ * - export { X } from "node:xxx"
+ * Captures the base module name (e.g. "fs" from "node:fs/promises").
+ */
+const NODE_BUILTIN_IMPORT_RE =
+	/(?:import|export|require)\s*(?:\(|[^(]*?\bfrom\s+)["'](?:node:)?([a-z_]+)(?:\/[^"']*)?\s*["']\)?/g;
 const LEADING_DOT_SLASH_RE = /^\.\//;
 const DIST_PREFIX_RE = /^dist\//;
 const MJS_EXT_RE = /\.m?js$/;

package/src/cli/commands/bundle.ts

@@ -20,6 +20,7 @@ import { resolve, join, extname, basename } from "node:path";
 import { defineCommand } from "citty";
 import consola from "consola";
 
+import { CAPABILITY_RENAMES, isDeprecatedCapability } from "../../plugins/types.js";
 import type { ResolvedPlugin } from "../../plugins/types.js";
 import {
 	fileExists,
@@ -524,20 +525,39 @@ export const bundleCommand = defineCommand({
 				}
 			}
 
-			// Check capabilities warnings
-			if (manifest.capabilities.includes("network:fetch:any")) {
+			// Check capabilities warnings — use canonical names. Deprecated
+			// names are accepted (and warned about separately below) so we
+			// also check the legacy aliases here for the duration of the
+			// deprecation window.
+			const declaresUnrestricted =
+				manifest.capabilities.includes("network:request:unrestricted") ||
+				manifest.capabilities.includes("network:fetch:any");
+			const declaresHostRestricted =
+				manifest.capabilities.includes("network:request") ||
+				manifest.capabilities.includes("network:fetch");
+			if (declaresUnrestricted) {
 				consola.warn(
-					"Plugin declares unrestricted network access (network:fetch:any) — it can make requests to any host",
+					"Plugin declares unrestricted network access (network:request:unrestricted) — it can make requests to any host",
 				);
-			} else if (
-				manifest.capabilities.includes("network:fetch") &&
-				manifest.allowedHosts.length === 0
-			) {
+			} else if (declaresHostRestricted && manifest.allowedHosts.length === 0) {
 				consola.warn(
-					"Plugin declares network:fetch capability but no allowedHosts — all fetch requests will be blocked",
+					"Plugin declares network:request capability but no allowedHosts — all requests will be blocked",
 				);
 			}
 
+			// Warn for each deprecated capability used. The warning points
+			// to the new name so the fix is mechanical. We continue (not
+			// error) here — the hard fail lives in `publish` so authors
+			// can still build and test locally.
+			const deprecatedCaps = manifest.capabilities.filter(isDeprecatedCapability);
+			if (deprecatedCaps.length > 0) {
+				consola.warn("Plugin uses deprecated capability names. Rename them before publishing:");
+				for (const cap of deprecatedCaps) {
+					const replacement = CAPABILITY_RENAMES[cap];
+					consola.warn(`  ${cap} → ${replacement}`);
+				}
+			}
+
 			// Check for features that won't work in sandboxed mode
 			if (
 				resolvedPlugin.admin?.portableTextBlocks &&

package/src/cli/commands/content.ts

@@ -9,6 +9,7 @@ import { readFile } from "node:fs/promises";
 import { defineCommand } from "citty";
 import { consola } from "consola";
 
+import { convertDataForRead } from "../../client/portable-text.js";
 import { connectionArgs, createClientFromArgs } from "../client-factory.js";
 import { configureOutputMode, output } from "../output.js";
 
@@ -144,6 +145,13 @@ const getCommand = defineCommand({
 				const comparison = await client.compare(args.collection, args.id);
 				if (comparison.hasChanges && comparison.draft) {
 					item.data = comparison.draft;
+					// The comparison endpoint returns raw PT data. Apply the same
+					// PT-to-markdown conversion that `client.get` does, unless --raw.
+					if (!args.raw && item.data) {
+						const col = await client.collection(args.collection);
+						const fields = col.fields.map((f) => ({ slug: f.slug, type: f.type }));
+						item.data = convertDataForRead(item.data, fields, false);
+					}
 				}
 			}
 
@@ -278,6 +286,7 @@ const deleteCommand = defineCommand({
 		try {
 			const client = createClientFromArgs(args);
 			await client.delete(args.collection, args.id);
+			output({ success: true }, args);
 			consola.success(`Deleted ${args.collection}/${args.id}`);
 		} catch (error) {
 			consola.error(error instanceof Error ? error.message : "Unknown error");
@@ -306,6 +315,7 @@ const publishCommand = defineCommand({
 		try {
 			const client = createClientFromArgs(args);
 			await client.publish(args.collection, args.id);
+			output({ success: true }, args);
 			consola.success(`Published ${args.collection}/${args.id}`);
 		} catch (error) {
 			consola.error(error instanceof Error ? error.message : "Unknown error");
@@ -334,6 +344,7 @@ const unpublishCommand = defineCommand({
 		try {
 			const client = createClientFromArgs(args);
 			await client.unpublish(args.collection, args.id);
+			output({ success: true }, args);
 			consola.success(`Unpublished ${args.collection}/${args.id}`);
 		} catch (error) {
 			consola.error(error instanceof Error ? error.message : "Unknown error");
@@ -367,6 +378,7 @@ const scheduleCommand = defineCommand({
 		try {
 			const client = createClientFromArgs(args);
 			await client.schedule(args.collection, args.id, { at: args.at });
+			output({ success: true }, args);
 			consola.success(`Scheduled ${args.collection}/${args.id} for ${args.at}`);
 		} catch (error) {
 			consola.error(error instanceof Error ? error.message : "Unknown error");
@@ -395,6 +407,7 @@ const restoreCommand = defineCommand({
 		try {
 			const client = createClientFromArgs(args);
 			await client.restore(args.collection, args.id);
+			output({ success: true }, args);
 			consola.success(`Restored ${args.collection}/${args.id}`);
 		} catch (error) {
 			consola.error(error instanceof Error ? error.message : "Unknown error");

package/src/cli/commands/login.ts

@@ -459,7 +459,14 @@ export const whoamiCommand = defineCommand({
 							},
 						);
 						if (refreshRes.ok) {
-							const refreshed = (await refreshRes.json()) as TokenResponse;
+							const json = (await refreshRes.json()) as Record<string, unknown>;
+							// Token endpoint wraps response in { data: ... } via apiSuccess.
+							// Handle both wrapped and bare shapes for robustness.
+							const refreshed = (
+								json.data && typeof json.data === "object" && "access_token" in json.data
+									? json.data
+									: json
+							) as TokenResponse;
 							token = refreshed.access_token;
 							saveCredentials(baseUrl, {
 								...cred,